https://github.com/mtrnord/cluster

Infrastructure files for Nordgedanken and Midnightthoughts.
https://github.com/mtrnord/cluster

gitops helm k8s kubernetes

Last synced: 21 days ago
JSON representation

Infrastructure files for Nordgedanken and Midnightthoughts.

• Host: GitHub
• URL: https://github.com/mtrnord/cluster
• Owner: MTRNord
• Created: 2023-03-17T00:57:10.000Z (over 1 year ago)
• Default Branch: main
• Last Pushed: 2024-10-13T15:08:50.000Z (24 days ago)
• Last Synced: 2024-10-14T15:14:12.938Z (23 days ago)
• Topics: gitops, helm, k8s, kubernetes
• Language: Shell
• Homepage:
• Size: 3.45 MB
• Stars: 2
• Watchers: 3
• Forks: 0
• Open Issues: 1
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# Cluster Configs for Midnightthoughts and Nordgedanken

These are the current running setups at Midnightthoughts and Nordegedanken.

This is based on 

## Prerequisites

You will need a Kubernetes cluster version 1.21 or newer.

For a quick local test, you can use [Kubernetes kind](https://kind.sigs.k8s.io/docs/user/quick-start/).

Any other Kubernetes setup will work as well though.

Install the Flux CLI on MacOS or Linux using Homebrew:

```sh

brew install fluxcd/tap/flux

```

Or install the CLI by downloading precompiled binaries using a Bash script:

```sh

curl -s https://fluxcd.io/install.sh | sudo bash

```

## Repository structure

The Git repository contains the following top directories:

- **apps** dir contains Helm releases with a custom configuration per cluster

- **infrastructure** dir contains common infra tools such as ingress-nginx and cert-manager

- **clusters** dir contains the Flux configuration per cluster (Note that staging isn't deployed anywhere at this time)

```

├── apps

│   ├── base

│   ├── production 

│   └── staging

├── infrastructure

│   ├── configs

│   └── controllers

└── clusters

    ├── production

    └── staging

```

### Applications

The apps configuration is structured into:

- **apps/base/** dir contains namespaces and Helm release definitions

- **apps/production/** dir contains the production Helm release values

- **apps/staging/** dir contains the staging values

```

./apps/

├── base

│   └── podinfo

│       ├── kustomization.yaml

│       ├── namespace.yaml

│       ├── release.yaml

│       └── repository.yaml

├── production

│   ├── kustomization.yaml

│   └── podinfo-patch.yaml

└── staging

    ├── kustomization.yaml

    └── podinfo-patch.yaml

```

### Infrastructure

The infrastructure is structured into:

- **infrastructure/controllers/** dir contains namespaces and Helm release definitions for Kubernetes controllers

- **infrastructure/configs/** dir contains Kubernetes custom resources such as cert issuers and networks policies

```

./infrastructure/

├── configs

│   ├── cluster-issuers.yaml

│   ├── network-policies.yaml

│   └── kustomization.yaml

└── controllers

    ├── cert-manager.yaml

    ├── ingress-nginx.yaml

    ├── weave-gitops.yaml

    └── kustomization.yaml

```

In **clusters/production/infrastructure.yaml** we replace the Let's Encrypt server value to point to the production API:

```yaml

apiVersion: kustomize.toolkit.fluxcd.io/v1beta2

kind: Kustomization

metadata:

  name: infra-configs

  namespace: flux-system

spec:

  # ...omitted for brevity

  dependsOn:

    - name: infra-controllers

  patches:

    - patch: |

        - op: replace

          path: /spec/acme/server

          value: https://acme-v02.api.letsencrypt.org/directory

      target:

        kind: ClusterIssuer

        name: letsencrypt

```

Note that with `dependsOn` we tell Flux to first install or upgrade the controllers and only then the configs.

This ensures that the Kubernetes CRDs are registered on the cluster, before Flux applies any custom resources.

## Useful things

Watch for the Helm releases being installed:

```console

$ watch flux get helmreleases --all-namespaces

NAMESPACE     NAME          REVISION SUSPENDED READY MESSAGE 

flux-system   weave-gitops  4.0.12    False     True  Release reconciliation succeeded

```

Watch kustomizations getting deployed:

```console

$ flux get kustomizations -w

NAME            REVISION                SUSPENDED       READY   MESSAGE                              

flux-system     main@sha1:21ebd912      False           True    Applied revision: main@sha1:21ebd912

infra-controllers       main@sha1:21ebd912      False   True    Applied revision: main@sha1:21ebd912

```

## TODOs

- [ ] Migrate old deployments here

  - [ ] ~~Gitea~~

  - [x] Woodpecker

  - [ ] ~~Docker repo~~ (Part of gitea now)

  - [ ] Traefik

  - [x] Certmanager

  - [ ] External DNS

  - [ ] Matrix

    - [x] Media Repo

      - [x] Move DB to DB Cluster

    - [x] Synapse

      - [x] Prepare DB in DB Cluster

      - [x] Move DB to DB Cluster

    - [x] Sliding Proxy

      - [x] Prepare DB in DB Cluster

      - [x] Move DB to DB Cluster

    - [x] Mjolnir (important ones)

    - [ ] ~~Bridges~~

      - [x] ~~Prepare DBs in DB Cluster~~

      - [ ] ~~Move DBs to DB Cluster~~

  - [ ] Keycloak

  - [x] Prometheus/grafana

  - [x] Cosign

  - [ ] Mailu ( with )

    - [ ] Imapsync from old server to new server

  - [ ] ...

- [ ]  Port validate script

- [x] ~~Setup CI for github and woodpecker~~ (Fluxcd can pull it)

- [x] Verify sops is working as expected and then publish repo

## Kubeaudit

`find ./  | grep .yaml | xargs -I{} -d'\n' kubeaudit all -k ./kubeaudit-config.yml -f {} > audit.txt`