cilium, argo
This commit is contained in:
@@ -1,136 +1,180 @@
|
||||
# fastpass GitOps Bootstrap
|
||||
# fastpass — ArgoCD Bootstrap
|
||||
|
||||
This document is the complete procedure to go from a freshly provisioned Talos
|
||||
cluster to a fully GitOps-managed platform. After completing these steps, all
|
||||
future changes are made via git — never `kubectl apply` again.
|
||||
This document covers the manual steps required to bootstrap ArgoCD on the
|
||||
`fastpass` cluster. After these steps, all further changes are made via Git.
|
||||
|
||||
## Prerequisites
|
||||
**Prerequisites:**
|
||||
- All 6 Talos nodes `Ready` (`kubectl get nodes`)
|
||||
- Cilium healthy (`cilium status --wait`)
|
||||
- IP pools applied (`kubectl get ciliumloadbalancerippool`)
|
||||
- `city-hall` has `helm`, `kubectl`, and `talosctl` installed
|
||||
- SSH keypair for ArgoCD → Gitea exists at `/home/wed/.ssh/argocd_gitea`
|
||||
|
||||
- Talos cluster running (`space-mountain`, `big-thunder-mountain`, `splash-mountain` CP nodes)
|
||||
- Cilium installed as CNI (done at Talos bootstrap via talhelper)
|
||||
- `kubectl` configured and pointing at `fastpass`
|
||||
- `kubeconfig` on `city-hall` at `~/.kube/config`
|
||||
- 1Password Connect credentials JSON downloaded from your 1Password account
|
||||
(Developer Tools > Connect Servers > New Server)
|
||||
- 1Password Connect token generated for the `mk-labs` vault
|
||||
---
|
||||
|
||||
## Step 1 — Install ArgoCD
|
||||
|
||||
This is the only `kubectl apply` you will ever run against this cluster.
|
||||
## Step 1 — Create the argocd namespace
|
||||
|
||||
```bash
|
||||
kubectl create namespace argocd
|
||||
|
||||
kubectl apply -n argocd \
|
||||
--server-side \
|
||||
--force-conflicts \
|
||||
-f https://raw.githubusercontent.com/argoproj/argo-cd/v3.4.2/manifests/install.yaml
|
||||
|
||||
# Wait for ArgoCD to be healthy
|
||||
kubectl wait --for=condition=available deployment/argocd-server \
|
||||
-n argocd --timeout=120s
|
||||
kubectl apply -f cluster/argocd/namespace.yaml
|
||||
```
|
||||
|
||||
## Step 2 — Bootstrap the 1Password Connect secret
|
||||
---
|
||||
|
||||
This is the only secret you will ever manage manually. Everything else flows
|
||||
through ESO from here.
|
||||
## Step 2 — Add Gitea to ArgoCD known hosts
|
||||
|
||||
ArgoCD refuses SSH connections to unknown hosts. Pre-populate the known hosts
|
||||
configmap before ArgoCD starts:
|
||||
|
||||
```bash
|
||||
# Create the namespace first
|
||||
kubectl create namespace onepassword-connect
|
||||
|
||||
# Apply the credentials file (downloaded from 1Password)
|
||||
kubectl create secret generic op-credentials \
|
||||
--from-file=1password-credentials.json=/path/to/1password-credentials.json \
|
||||
-n onepassword-connect
|
||||
|
||||
# Apply the Connect API token
|
||||
kubectl create secret generic connect-token \
|
||||
--from-literal=token=<your-connect-token> \
|
||||
-n onepassword-connect
|
||||
ssh-keyscan -t ed25519 gitea.mk-labs.cloud | \
|
||||
kubectl create configmap argocd-ssh-known-hosts-cm \
|
||||
--namespace argocd \
|
||||
--from-file=ssh_known_hosts=/dev/stdin \
|
||||
--dry-run=client -o yaml | kubectl apply -f -
|
||||
```
|
||||
|
||||
## Step 3 — Apply the App of Apps
|
||||
---
|
||||
|
||||
This is the second and final manual apply. From this point on, ArgoCD manages
|
||||
everything, including itself.
|
||||
## Step 3 — Create the Gitea repo secret
|
||||
|
||||
This is the only credential that must be manually created. Once ESO is running,
|
||||
secrets will be managed via 1Password. For now, create it directly:
|
||||
|
||||
```bash
|
||||
kubectl create secret generic gitea-repo \
|
||||
--namespace argocd \
|
||||
--from-literal=type=git \
|
||||
--from-literal=url=git@gitea.mk-labs.cloud:rblundon/homelab.git \
|
||||
--from-file=sshPrivateKey=/home/wed/.ssh/argocd_gitea
|
||||
|
||||
kubectl label secret gitea-repo -n argocd \
|
||||
argocd.argoproj.io/secret-type=repository
|
||||
```
|
||||
|
||||
Verify:
|
||||
```bash
|
||||
kubectl -n argocd get secret gitea-repo
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Step 4 — Install ArgoCD via Helm
|
||||
|
||||
```bash
|
||||
helm repo add argo https://argoproj.github.io/argo-helm
|
||||
helm repo update
|
||||
|
||||
helm upgrade --install argocd argo/argo-cd \
|
||||
--namespace argocd \
|
||||
--create-namespace \
|
||||
--version 7.8.23 \
|
||||
--values cluster/argocd/values.yaml \
|
||||
--wait
|
||||
```
|
||||
|
||||
Wait for all ArgoCD pods to be ready:
|
||||
|
||||
```bash
|
||||
kubectl -n argocd get pods --watch
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Step 5 — Get the initial admin password
|
||||
|
||||
```bash
|
||||
kubectl -n argocd get secret argocd-initial-admin-secret \
|
||||
-o jsonpath='{.data.password}' | base64 -d; echo
|
||||
```
|
||||
|
||||
Access the UI via port-forward (ingress-nginx isn't installed yet at this point):
|
||||
|
||||
```bash
|
||||
kubectl port-forward svc/argocd-server -n argocd 8080:80
|
||||
```
|
||||
|
||||
Browse to http://localhost:8080 — login with `admin` and the password above.
|
||||
|
||||
---
|
||||
|
||||
## Step 6 — Apply the app-of-apps
|
||||
|
||||
This is the second and final manual `kubectl apply`. It hands control to ArgoCD:
|
||||
|
||||
```bash
|
||||
kubectl apply -n argocd -f cluster/argocd/apps-of-apps.yaml
|
||||
```
|
||||
|
||||
## Step 4 — Watch it go
|
||||
From this point, all changes are made via Git. ArgoCD will begin syncing
|
||||
`cluster/platform/` and `cluster/applications/` automatically.
|
||||
|
||||
Watch the sync:
|
||||
```bash
|
||||
# Watch all Applications come up in wave order
|
||||
kubectl get applications -n argocd -w
|
||||
|
||||
# Or use the ArgoCD UI
|
||||
kubectl port-forward svc/argocd-server -n argocd 8080:443
|
||||
# Then open https://localhost:8080
|
||||
# Default admin password:
|
||||
kubectl -n argocd get secret argocd-initial-admin-secret \
|
||||
-o jsonpath="{.data.password}" | base64 -d
|
||||
kubectl -n argocd get applications --watch
|
||||
```
|
||||
|
||||
## Step 2.5 — Vendor Gateway API CRDs
|
||||
---
|
||||
|
||||
Before applying the App of Apps, vendor the Gateway API CRDs into git.
|
||||
Run from the repo root on city-hall:
|
||||
## Step 7 — Approve CSRs
|
||||
|
||||
After nodes join and kubelet starts requesting certs, approve pending CSRs:
|
||||
|
||||
```bash
|
||||
curl -L https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml \
|
||||
-o cluster/platform/gateway-api/manifests/standard-install.yaml
|
||||
|
||||
curl -L https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/experimental-install.yaml \
|
||||
-o cluster/platform/gateway-api/manifests/experimental-install.yaml
|
||||
|
||||
git add cluster/platform/gateway-api/manifests/
|
||||
git commit -m "feat(platform): vendor gateway-api CRDs v1.2.1"
|
||||
git push
|
||||
kubectl get csr --no-headers | awk '{print $1}' | xargs kubectl certificate approve
|
||||
```
|
||||
|
||||
## Wave Order
|
||||
Run this periodically until no pending CSRs remain.
|
||||
|
||||
| Wave | Application | Depends On |
|
||||
|------|---------------------|---------------------------------|
|
||||
| 1 | external-secrets | (none) |
|
||||
| 2 | onepassword-connect | external-secrets |
|
||||
| 3 | cert-manager | onepassword-connect (CF secret) |
|
||||
| 3 | gateway-api-crds | (none — CRDs only) |
|
||||
| 4 | cilium-config | gateway-api-crds (CRDs exist) |
|
||||
| 5 | ingress-nginx | cilium-config (LB pool) |
|
||||
| 5 | gateway (resource) | cilium-config (GatewayClass) |
|
||||
| 6 | external-dns | ingress-nginx (IP to register) |
|
||||
| 10+ | applications/* | platform complete |
|
||||
---
|
||||
|
||||
## Upgrading ArgoCD
|
||||
## Expected platform sync order
|
||||
|
||||
```bash
|
||||
kubectl apply -n argocd \
|
||||
--server-side \
|
||||
--force-conflicts \
|
||||
-f https://raw.githubusercontent.com/argoproj/argo-cd/v<NEW_VERSION>/manifests/install.yaml
|
||||
```
|
||||
Apps sync in wave order via `argocd.argoproj.io/sync-wave` annotations:
|
||||
|
||||
Update the version comment in `cluster/argocd/install.yaml` to match.
|
||||
| Wave | App |
|
||||
|------|-----|
|
||||
| 0 | apps-of-apps (root) |
|
||||
| 1 | cert-manager CRDs |
|
||||
| 2 | cert-manager, external-secrets |
|
||||
| 3 | ingress-nginx |
|
||||
| 4 | external-dns |
|
||||
| 5+ | application workloads |
|
||||
|
||||
---
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
**ArgoCD can't reach Gitea:**
|
||||
```bash
|
||||
# Check sync status of all apps
|
||||
kubectl get applications -n argocd
|
||||
|
||||
# Check why an app is out of sync
|
||||
kubectl describe application <name> -n argocd
|
||||
|
||||
# Force a sync
|
||||
kubectl patch application <name> -n argocd \
|
||||
--type merge \
|
||||
-p '{"operation": {"initiatedBy": {"username": "admin"}, "sync": {}}}'
|
||||
|
||||
# Check ESO secret sync
|
||||
kubectl get externalsecret -A
|
||||
kubectl describe externalsecret <name> -n <namespace>
|
||||
kubectl -n argocd logs deployment/argocd-repo-server | grep -i "error\|ssh"
|
||||
```
|
||||
Check that the `gitea-repo` secret exists and the known hosts configmap has
|
||||
`gitea.mk-labs.cloud`.
|
||||
|
||||
**App stuck in `Unknown` state:**
|
||||
```bash
|
||||
kubectl -n argocd get application <name> -o yaml | grep -A10 "conditions"
|
||||
```
|
||||
|
||||
**self-reference loop (app syncing itself):**
|
||||
Ensure `apps-of-apps.yaml` uses `include: "*/application.yaml"` with
|
||||
`recurse: true` — this prevents ArgoCD from picking up its own manifest.
|
||||
|
||||
**ArgoCD pruning itself:**
|
||||
The `argocd` namespace Applications must have `prune: false`. Never enable
|
||||
prune on any Application that manages the `argocd` namespace.
|
||||
|
||||
**Helm valueFiles field:**
|
||||
The correct field name is `valueFiles` (plural). `valuesFile` and `valuesFiles`
|
||||
are silently ignored — ArgoCD syncs green but your values aren't applied.
|
||||
|
||||
---
|
||||
|
||||
## Post-bootstrap
|
||||
|
||||
Once ingress-nginx and cert-manager are synced:
|
||||
- ArgoCD UI available at https://argocd.local.mk-labs.cloud
|
||||
- Change the admin password: `argocd account update-password`
|
||||
- Authentik OIDC: uncomment the `oidc.config` block in `values.yaml` once
|
||||
the ArgoCD provider is configured in Authentik
|
||||
- Migrate `gitea-repo` secret to ESO once 1Password Connect is running
|
||||
|
||||
110
cluster/argocd/values.yaml
Normal file
110
cluster/argocd/values.yaml
Normal file
@@ -0,0 +1,110 @@
|
||||
# ─── ArgoCD Helm values — fastpass cluster ───────────────────────────────────
|
||||
# Chart: argo/argo-cd
|
||||
# Version: 7.8.23
|
||||
#
|
||||
# Install:
|
||||
# helm repo add argo https://argoproj.github.io/argo-helm
|
||||
# helm repo update
|
||||
# helm upgrade --install argocd argo/argo-cd \
|
||||
# --namespace argocd \
|
||||
# --create-namespace \
|
||||
# --version 7.8.23 \
|
||||
# --values cluster/argocd/values.yaml \
|
||||
# --wait
|
||||
#
|
||||
# Then apply the root app-of-apps (second and final manual step):
|
||||
# kubectl apply -n argocd -f cluster/argocd/apps-of-apps.yaml
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
|
||||
# ─── Global ──────────────────────────────────────────────────────────────────
|
||||
global:
|
||||
domain: argocd.local.mk-labs.cloud
|
||||
|
||||
# ─── ArgoCD server ───────────────────────────────────────────────────────────
|
||||
server:
|
||||
# Run insecure — TLS is terminated at ingress-nginx, not at ArgoCD itself.
|
||||
# Without this, ArgoCD redirects to HTTPS internally and breaks behind ingress.
|
||||
extraArgs:
|
||||
- --insecure
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: nginx
|
||||
hostname: argocd.local.mk-labs.cloud
|
||||
tls: true
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-production
|
||||
nginx.ingress.kubernetes.io/ssl-passthrough: "false"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
|
||||
|
||||
# ─── ConfigMap — core ArgoCD settings ────────────────────────────────────────
|
||||
configs:
|
||||
params:
|
||||
# Matches --insecure above — tells the server not to handle TLS
|
||||
server.insecure: "true"
|
||||
|
||||
cm:
|
||||
# Gitea as the source repo — HTTPS with token auth (set in secret below)
|
||||
# SSH alternative is in the repositories section if preferred
|
||||
url: https://argocd.local.mk-labs.cloud
|
||||
|
||||
# Authentik OIDC SSO
|
||||
# Uncomment once Authentik is configured with an ArgoCD OIDC provider
|
||||
# oidc.config: |
|
||||
# name: Authentik
|
||||
# issuer: https://authentik.local.mk-labs.cloud/application/o/argocd/
|
||||
# clientID: <client-id-from-authentik>
|
||||
# clientSecret: $oidc.authentik.clientSecret
|
||||
# requestedScopes:
|
||||
# - openid
|
||||
# - profile
|
||||
# - email
|
||||
# - groups
|
||||
|
||||
# Resource health checks — ignore progressing Cilium CRDs
|
||||
resource.customizations.health.cilium.io_CiliumLoadBalancerIPPool: |
|
||||
hs = {}
|
||||
hs.status = "Healthy"
|
||||
hs.message = "IP pool ready"
|
||||
return hs
|
||||
|
||||
# RBAC — admin gets full access, SSO groups mapped after Authentik integration
|
||||
rbac:
|
||||
policy.default: role:readonly
|
||||
policy.csv: |
|
||||
g, argocd-admins, role:admin
|
||||
|
||||
# Repository credentials — Gitea SSH
|
||||
# Private key is injected via ESO once external-secrets is bootstrapped.
|
||||
# For initial bootstrap, create the secret manually:
|
||||
# kubectl create secret generic gitea-repo \
|
||||
# --namespace argocd \
|
||||
# --from-literal=type=git \
|
||||
# --from-literal=url=git@gitea.mk-labs.cloud:rblundon/homelab.git \
|
||||
# --from-file=sshPrivateKey=/path/to/argocd_gitea_ed25519 \
|
||||
# kubectl label secret gitea-repo -n argocd \
|
||||
# argocd.argoproj.io/secret-type=repository
|
||||
repositories:
|
||||
homelab-repo:
|
||||
url: git@gitea.mk-labs.cloud:rblundon/homelab.git
|
||||
name: homelab
|
||||
type: git
|
||||
insecure: "false"
|
||||
|
||||
# ─── Redis ───────────────────────────────────────────────────────────────────
|
||||
redis:
|
||||
enabled: true
|
||||
|
||||
# ─── Notifications ───────────────────────────────────────────────────────────
|
||||
# Disabled for now — wire into n8n via webhook later
|
||||
notifications:
|
||||
enabled: false
|
||||
|
||||
# ─── ApplicationSet controller ───────────────────────────────────────────────
|
||||
applicationSet:
|
||||
enabled: true
|
||||
|
||||
# ─── Dex (built-in OIDC) ─────────────────────────────────────────────────────
|
||||
# Disabled — using Authentik as the OIDC provider
|
||||
dex:
|
||||
enabled: false
|
||||
@@ -1,46 +0,0 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# Platform: ArgoCD Configuration (post-bootstrap)
|
||||
# Wave 2 — after ESO (wave 1), needs 1Password for Authentik client secret
|
||||
#
|
||||
# This is NOT the ArgoCD install (that's a manual bootstrap step).
|
||||
# This Application manages ArgoCD's own configuration declaratively:
|
||||
# - argocd-cm (URL, Dex/OIDC config, repo credentials)
|
||||
# - argocd-rbac-cm (RBAC policies mapped from Authentik groups)
|
||||
# - argocd-secret (Authentik client secret via ESO)
|
||||
#
|
||||
# ArgoCD managing its own config is intentional and works cleanly —
|
||||
# it's the "self-managed ArgoCD" pattern.
|
||||
# ------------------------------------------------------------------------------
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: argocd-config
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "2"
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: https://gitea.mk-labs.cloud/rblundon/homelab.git
|
||||
targetRevision: main
|
||||
path: cluster/platform/argocd
|
||||
directory:
|
||||
exclude: "application.yaml"
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: argocd
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: false
|
||||
selfHeal: true
|
||||
syncOptions:
|
||||
- ServerSideApply=true
|
||||
ignoreDifferences:
|
||||
# ArgoCD mutates its own secret — ignore those fields
|
||||
- group: ""
|
||||
kind: Secret
|
||||
name: argocd-secret
|
||||
jsonPointers:
|
||||
- /data/admin.password
|
||||
- /data/admin.passwordMtime
|
||||
- /data/server.secretkey
|
||||
@@ -1,69 +0,0 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# argocd-cm — ArgoCD Core Configuration
|
||||
#
|
||||
# Configures:
|
||||
# - ArgoCD public URL (used in Dex redirect URIs)
|
||||
# - Dex connector to Authentik OIDC
|
||||
# - Gitea repo credentials reference
|
||||
#
|
||||
# Authentik side setup (manual — do this in guest-relations before bootstrapping):
|
||||
# 1. Admin UI → Applications → Create New Application
|
||||
# 2. Provider type: OAuth2/OpenID Connect
|
||||
# 3. Name: argocd
|
||||
# 4. Authorization flow: default-provider-authorization-explicit-consent
|
||||
# 5. Client type: Confidential
|
||||
# 6. Strict redirect URIs:
|
||||
# https://argocd.local.mk-labs.cloud/api/dex/callback
|
||||
# http://localhost:8085/auth/callback (ArgoCD CLI)
|
||||
# 7. Scopes: openid, profile, email, groups
|
||||
# 8. Note the Client ID and Client Secret → store in 1Password as:
|
||||
# Item: "argocd-oidc"
|
||||
# Fields: client-id, client-secret
|
||||
# 9. Create two groups in Authentik:
|
||||
# - argocd-admins (add your user)
|
||||
# - argocd-viewers (read-only users)
|
||||
# ------------------------------------------------------------------------------
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: argocd-cm
|
||||
namespace: argocd
|
||||
data:
|
||||
# Public URL — must match the HTTPRoute hostname
|
||||
url: https://argocd.local.mk-labs.cloud
|
||||
|
||||
# Dex connector to Authentik
|
||||
# Using Dex (not native OIDC) to preserve ArgoCD CLI functionality
|
||||
dex.config: |
|
||||
connectors:
|
||||
- type: oidc
|
||||
id: authentik
|
||||
name: Authentik
|
||||
config:
|
||||
# Authentik OIDC issuer — slug must match the Application slug in Authentik
|
||||
# Slug is auto-generated from the app name, usually lowercase with hyphens
|
||||
issuer: https://authentik.local.mk-labs.cloud/application/o/argocd/
|
||||
clientID: $dex.authentik.clientID
|
||||
clientSecret: $dex.authentik.clientSecret
|
||||
redirectURI: https://argocd.local.mk-labs.cloud/api/dex/callback
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- email
|
||||
- groups
|
||||
insecureEnableGroups: true
|
||||
groupsKey: groups
|
||||
userIDKey: sub
|
||||
userNameKey: preferred_username
|
||||
emailKey: email
|
||||
|
||||
# Gitea repo — ArgoCD needs credentials to pull from your private repo
|
||||
# Credentials are stored as a Repository secret (see repository-secret.yaml)
|
||||
# This tells ArgoCD to use SSH for the repo
|
||||
repositories: |
|
||||
- url: git@gitea.mk-labs.cloud:rblundon/homelab.git
|
||||
type: git
|
||||
name: homelab
|
||||
|
||||
# Resource tracking via annotation (recommended over label tracking)
|
||||
application.resourceTrackingMethod: annotation
|
||||
@@ -1,11 +0,0 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# ArgoCD Server Parameters
|
||||
# Sets server.insecure=true so TLS is terminated at ingress, not argocd-server
|
||||
# ------------------------------------------------------------------------------
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: argocd-cmd-params-cm
|
||||
namespace: argocd
|
||||
data:
|
||||
server.insecure: "true"
|
||||
@@ -1,30 +0,0 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# argocd-rbac-cm — RBAC Policy
|
||||
#
|
||||
# Maps Authentik groups to ArgoCD roles.
|
||||
# Groups must exist in Authentik and be assigned to users there.
|
||||
#
|
||||
# Roles:
|
||||
# role:admin — full access, all operations
|
||||
# role:readonly — read-only, can view but not sync/modify
|
||||
#
|
||||
# Single-user homelab: your user should be in argocd-admins in Authentik.
|
||||
# Add argocd-viewers later when you have guests/collaborators.
|
||||
# ------------------------------------------------------------------------------
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: argocd-rbac-cm
|
||||
namespace: argocd
|
||||
data:
|
||||
# Default policy for any authenticated user not in a mapped group
|
||||
# readonly is safe — they can see but not touch
|
||||
policy.default: role:readonly
|
||||
|
||||
policy.csv: |
|
||||
# Authentik group → ArgoCD role mappings
|
||||
g, argocd-admins, role:admin
|
||||
g, argocd-viewers, role:readonly
|
||||
|
||||
# Tell ArgoCD which OIDC claims to use for group mapping
|
||||
scopes: '[groups, email]'
|
||||
@@ -1,41 +0,0 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# Certificate — ArgoCD TLS
|
||||
# Issued by cert-manager via letsencrypt-prod + Cloudflare DNS-01
|
||||
#
|
||||
# The secret produced (argocd-tls) is referenced by the Gateway listener
|
||||
# in cluster/platform/gateway-api/gateway.yaml via ReferenceGrant.
|
||||
#
|
||||
# Per the thematic naming convention: argocd.local.mk-labs.cloud is the
|
||||
# service DNS name. No VM hostname alias needed here.
|
||||
# ------------------------------------------------------------------------------
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: argocd-tls
|
||||
namespace: argocd
|
||||
spec:
|
||||
secretName: argocd-tls
|
||||
issuerRef:
|
||||
name: letsencrypt-prod
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
- argocd.local.mk-labs.cloud
|
||||
|
||||
---
|
||||
# ReferenceGrant — allows the Gateway in gateway-system to reference
|
||||
# the TLS secret in the argocd namespace
|
||||
# Without this, cross-namespace secret references are denied
|
||||
apiVersion: gateway.networking.k8s.io/v1beta1
|
||||
kind: ReferenceGrant
|
||||
metadata:
|
||||
name: argocd-tls-grant
|
||||
namespace: argocd
|
||||
spec:
|
||||
from:
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: Gateway
|
||||
namespace: gateway-system
|
||||
to:
|
||||
- group: ""
|
||||
kind: Secret
|
||||
name: argocd-tls
|
||||
@@ -1,49 +0,0 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# ExternalSecret — ArgoCD Secrets
|
||||
#
|
||||
# Pulls two secrets from 1Password:
|
||||
# 1. Authentik OIDC client ID + secret (for Dex connector)
|
||||
# 2. Gitea personal access token (for repo access)
|
||||
#
|
||||
# In 1Password (mk-labs vault), create:
|
||||
# Item: "argocd-oidc"
|
||||
# Field: client-id → Authentik OAuth2 client ID
|
||||
# Field: client-secret → Authentik OAuth2 client secret
|
||||
#
|
||||
# Item: "gitea-argocd-token"
|
||||
# Field: token → Gitea personal access token with repo read permissions
|
||||
# (Create in Gitea: Settings → Applications → Generate Token)
|
||||
#
|
||||
# These materialize into argocd-secret, which ArgoCD reads natively.
|
||||
# The $dex.authentik.clientID / $dex.authentik.clientSecret references
|
||||
# in argocd-cm.yaml are resolved by ArgoCD from this secret automatically.
|
||||
# ------------------------------------------------------------------------------
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: argocd-secrets
|
||||
namespace: argocd
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: onepassword-connect
|
||||
refreshInterval: "1h"
|
||||
target:
|
||||
# Must be named argocd-secret — ArgoCD reads this specific secret name
|
||||
name: argocd-secret
|
||||
creationPolicy: Merge # Merge into existing argocd-secret, don't replace it
|
||||
data:
|
||||
# Authentik OIDC credentials — referenced as $dex.authentik.* in argocd-cm
|
||||
- secretKey: dex.authentik.clientID
|
||||
remoteRef:
|
||||
key: argocd-oidc
|
||||
property: client-id
|
||||
- secretKey: dex.authentik.clientSecret
|
||||
remoteRef:
|
||||
key: argocd-oidc
|
||||
property: client-secret
|
||||
# Gitea token — used by the Repository credential below
|
||||
- secretKey: sshPrivateKey
|
||||
remoteRef:
|
||||
key: gitea-argocd-ssh
|
||||
property: private-key
|
||||
@@ -1,31 +0,0 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# Ingress — ArgoCD via ingress-nginx
|
||||
# Temporary until Cilium Gateway API is stable
|
||||
# TLS terminated at ingress, argocd-server runs in insecure mode
|
||||
# ------------------------------------------------------------------------------
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: argocd
|
||||
namespace: argocd
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/ssl-passthrough: "false"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
|
||||
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
tls:
|
||||
- hosts:
|
||||
- argocd.local.mk-labs.cloud
|
||||
secretName: argocd-tls
|
||||
rules:
|
||||
- host: argocd.local.mk-labs.cloud
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: argocd-server
|
||||
port:
|
||||
number: 80
|
||||
@@ -1,27 +0,0 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# Repository Credential Secret — Gitea homelab repo
|
||||
#
|
||||
# ArgoCD discovers repository credentials via secrets with the label
|
||||
# argocd.argoproj.io/secret-type: repository
|
||||
#
|
||||
# The actual token value is injected by the ExternalSecret (externalsecret.yaml)
|
||||
# which merges into argocd-secret. This secret references that value.
|
||||
#
|
||||
# NOTE: The token field here uses a placeholder. The ExternalSecret populates
|
||||
# argocd-secret with gitea.token, and ArgoCD resolves it via the
|
||||
# stringData reference below.
|
||||
# ------------------------------------------------------------------------------
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: repo-homelab-gitea
|
||||
namespace: argocd
|
||||
labels:
|
||||
argocd.argoproj.io/secret-type: repository
|
||||
stringData:
|
||||
type: git
|
||||
url: git@gitea.mk-labs.cloud:rblundon/homelab.git
|
||||
sshPrivateKey: |
|
||||
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
# populated by ESO
|
||||
-----END OPENSSH PRIVATE KEY-----
|
||||
@@ -1,43 +0,0 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# Platform: Cilium — Helm upgrade + LB IPAM + Gateway API
|
||||
# Wave 4 — no dependencies, Cilium is pre-installed via Talos bootstrap
|
||||
#
|
||||
# This Application does two things:
|
||||
# 1. Manages Cilium itself via Helm (enables Gateway API, keeps config in git)
|
||||
# 2. Applies LB pool and L2 announcement manifests from repo
|
||||
#
|
||||
# IP Allocation:
|
||||
# 10.1.71.80-.89 — ingress-nginx LB pool
|
||||
# 10.1.71.90-.99 — Cilium Gateway LB pool
|
||||
# ------------------------------------------------------------------------------
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: cilium-config
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "4"
|
||||
spec:
|
||||
project: default
|
||||
sources:
|
||||
# Source 1: Cilium Helm chart — manages Cilium itself
|
||||
- repoURL: https://helm.cilium.io
|
||||
chart: cilium
|
||||
targetRevision: 1.17.4
|
||||
helm:
|
||||
valueFiles:
|
||||
- $values/cluster/platform/cilium-config/values.yaml
|
||||
# Source 2: Repo — values ref + lb-pool.yaml + GatewayClass manifests
|
||||
- repoURL: https://gitea.mk-labs.cloud/rblundon/homelab.git
|
||||
targetRevision: main
|
||||
path: cluster/platform/cilium-config/manifests
|
||||
ref: values
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: kube-system
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
syncOptions:
|
||||
- ServerSideApply=true
|
||||
@@ -1,41 +0,0 @@
|
||||
# Pool for ingress-nginx
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumLoadBalancerIPPool
|
||||
metadata:
|
||||
name: ingress-nginx-pool
|
||||
namespace: kube-system
|
||||
spec:
|
||||
blocks:
|
||||
- start: 10.1.71.80
|
||||
stop: 10.1.71.89
|
||||
serviceSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: ingress-nginx
|
||||
|
||||
---
|
||||
# Pool for Cilium Gateway API
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumLoadBalancerIPPool
|
||||
metadata:
|
||||
name: cilium-gateway-pool
|
||||
namespace: kube-system
|
||||
spec:
|
||||
blocks:
|
||||
- start: 10.1.71.90
|
||||
stop: 10.1.71.99
|
||||
serviceSelector:
|
||||
matchExpressions:
|
||||
- key: io.cilium.gateway/owning-gateway
|
||||
operator: Exists
|
||||
|
||||
---
|
||||
# L2 Announcement Policy
|
||||
apiVersion: cilium.io/v2alpha1
|
||||
kind: CiliumL2AnnouncementPolicy
|
||||
metadata:
|
||||
name: fastpass-l2-policy
|
||||
namespace: kube-system
|
||||
spec:
|
||||
loadBalancerIPs: true
|
||||
interfaces:
|
||||
- ^eth[0-9]+
|
||||
@@ -1,41 +0,0 @@
|
||||
# ------------------------------------------------------------------------------
|
||||
# Cilium Helm Values — fastpass cluster
|
||||
# Chart: https://helm.cilium.io
|
||||
# Version: 1.17.4
|
||||
# ------------------------------------------------------------------------------
|
||||
|
||||
# Bootstrap values
|
||||
kubeProxyReplacement: true
|
||||
k8sServiceHost: 10.1.71.65
|
||||
k8sServicePort: 6443
|
||||
ipam:
|
||||
mode: kubernetes
|
||||
|
||||
# Routing mode — replaces deprecated tunnel value
|
||||
routingMode: tunnel
|
||||
tunnelProtocol: vxlan
|
||||
|
||||
# L2 announcements
|
||||
l2announcements:
|
||||
enabled: true
|
||||
|
||||
k8sClientRateLimit:
|
||||
qps: 20
|
||||
burst: 40
|
||||
|
||||
externalIPs:
|
||||
enabled: true
|
||||
|
||||
# Hubble observability
|
||||
hubble:
|
||||
enabled: true
|
||||
relay:
|
||||
enabled: true
|
||||
ui:
|
||||
enabled: true
|
||||
|
||||
# Prometheus metrics
|
||||
prometheus:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: false
|
||||
Reference in New Issue
Block a user