diff --git a/.github/workflows/release-oci-charts.yml b/.github/workflows/release-oci-charts.yml
index 3456b55..e88bb15 100644
--- a/.github/workflows/release-oci-charts.yml
+++ b/.github/workflows/release-oci-charts.yml
@@ -6,7 +6,6 @@ on:
 - main
 paths:
 - "oci/charts/apps/app-service/**"
- - "oci/charts/infra/platform/k3s/**"
 - "oci/charts/postgresql/**"
 - "oci/charts/observability/**"
 - ".github/workflows/release-oci-charts.yml"
@@ -40,7 +39,6 @@ jobs:
 set -euo pipefail
 charts=(
 "oci/charts/apps/app-service"
- "oci/charts/infra/platform/k3s"
 "oci/charts/postgresql"
 "oci/charts/observability"
 )
@@ -54,7 +52,6 @@ jobs:
 mkdir -p dist
 charts=(
 "oci/charts/apps/app-service"
- "oci/charts/infra/platform/k3s"
 "oci/charts/postgresql"
 "oci/charts/observability"
 )
diff --git a/oci/charts/README.md b/oci/charts/README.md
index 25c7c46..de82a43 100644
--- a/oci/charts/README.md
+++ b/oci/charts/README.md
@@ -5,7 +5,6 @@ This repository stores reusable Helm charts published to `ghcr.io/x-evor`.
 ## Layout
 - `apps/app-service`: reusable runtime chart for application services
-- `infra/platform/k3s`: platform composition chart for `caddy`, `apisix`, `external-dns`, `external-secrets`, and `vault`
 - `postgresql`: PostgreSQL service chart with optional `stunnel` server/client
 - `observability`: observability composition chart for server and agent components
diff --git a/oci/charts/infra/platform/k3s/Chart.yaml b/oci/charts/infra/platform/k3s/Chart.yaml
deleted file mode 100644
index 48dc508..0000000
--- a/oci/charts/infra/platform/k3s/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v2
-name: k3s-platform-chart
-description: Composes Flux-managed platform components for the k3s platform
-type: application
-version: 0.1.9
-appVersion: "1.0.0"
diff --git a/oci/charts/infra/platform/k3s/templates/apisix-helmrelease.yaml b/oci/charts/infra/platform/k3s/templates/apisix-helmrelease.yaml
deleted file mode 100644
index a75d92a..0000000
--- a/oci/charts/infra/platform/k3s/templates/apisix-helmrelease.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-{{- if .Values.components.apisix.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: {{ .Values.components.apisix.releaseName }}
- namespace: {{ .Values.namespaces.platform }}
-spec:
- interval: 10m0s
- releaseName: {{ .Values.components.apisix.releaseName }}
- chart:
- spec:
- chart: {{ .Values.components.apisix.chart.name }}
- version: {{ .Values.components.apisix.chart.version | quote }}
- sourceRef:
- kind: {{ .Values.components.apisix.sourceRef.kind }}
- name: {{ .Values.components.apisix.sourceRef.name }}
- namespace: {{ .Values.components.apisix.sourceRef.namespace }}
- install:
- remediation:
- retries: 3
- upgrade:
- remediation:
- retries: 3
- postRenderers:
- - kustomize:
- patches:
- - target:
- group: apps
- version: v1
- kind: Deployment
- name: {{ .Values.components.apisix.releaseName }}
- patch: |
- - op: replace
- path: /spec/template/spec/containers/0/command
- value:
- - sh
- - -c
- - |
- export APISIX_STAND_ALONE=true
- ln -sf /apisix-config/apisix.yaml /usr/local/apisix/conf/apisix.yaml
- exec /docker-entrypoint.sh docker-start
- values:
- {{- toYaml .Values.components.apisix.values | nindent 4 }}
-{{- end }}
diff --git a/oci/charts/infra/platform/k3s/templates/apisix-ingress.yaml b/oci/charts/infra/platform/k3s/templates/apisix-ingress.yaml
deleted file mode 100644
index 4f5779d..0000000
--- a/oci/charts/infra/platform/k3s/templates/apisix-ingress.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.apisixIngress.enabled }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ .Values.apisixIngress.name }}
- namespace: {{ .Values.apisixIngress.namespace }}
- {{- with .Values.apisixIngress.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ingressClassName: {{ .Values.apisixIngress.className }}
- tls:
- - hosts:
- {{- toYaml .Values.apisixIngress.tls.hosts | nindent 8 }}
- secretName: {{ .Values.apisixIngress.tls.secretName }}
- rules:
- {{- range .Values.apisixIngress.hosts }}
- - host: {{ .host }}
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: {{ .serviceName }}
- port:
- number: {{ .servicePort }}
- {{- end }}
-{{- end }}
diff --git a/oci/charts/infra/platform/k3s/templates/caddy-helmrelease.yaml b/oci/charts/infra/platform/k3s/templates/caddy-helmrelease.yaml
deleted file mode 100644
index ab26431..0000000
--- a/oci/charts/infra/platform/k3s/templates/caddy-helmrelease.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-{{- if .Values.components.caddy.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: {{ .Values.components.caddy.releaseName }}
- namespace: {{ .Values.namespaces.platform }}
-spec:
- interval: 10m0s
- releaseName: {{ .Values.components.caddy.releaseName }}
- chart:
- spec:
- chart: {{ .Values.components.caddy.chart.name }}
- version: {{ .Values.components.caddy.chart.version | quote }}
- sourceRef:
- kind: {{ .Values.components.caddy.sourceRef.kind }}
- name: {{ .Values.components.caddy.sourceRef.name }}
- namespace: {{ .Values.components.caddy.sourceRef.namespace }}
- install:
- createNamespace: false
- remediation:
- retries: 3
- upgrade:
- remediation:
- retries: 3
- values:
- {{- toYaml .Values.components.caddy.values | nindent 4 }}
-{{- end }}
diff --git a/oci/charts/infra/platform/k3s/templates/clustersecretstore.yaml b/oci/charts/infra/platform/k3s/templates/clustersecretstore.yaml
deleted file mode 100644
index 7609401..0000000
--- a/oci/charts/infra/platform/k3s/templates/clustersecretstore.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if .Values.components.externalSecretsStore.enabled }}
-apiVersion: external-secrets.io/v1
-kind: ClusterSecretStore
-metadata:
- name: {{ .Values.components.externalSecretsStore.name }}
-spec:
- provider:
- vault:
- server: {{ .Values.components.externalSecretsStore.vault.server }}
- path: {{ .Values.components.externalSecretsStore.vault.path }}
- version: {{ .Values.components.externalSecretsStore.vault.version }}
- auth:
- kubernetes:
- mountPath: {{ .Values.components.externalSecretsStore.vault.auth.kubernetes.mountPath }}
- role: {{ .Values.components.externalSecretsStore.vault.auth.kubernetes.role }}
- serviceAccountRef:
- name: {{ .Values.components.externalSecretsStore.vault.auth.kubernetes.serviceAccountRef.name }}
- namespace: {{ .Values.components.externalSecretsStore.vault.auth.kubernetes.serviceAccountRef.namespace }}
-{{- end }}
diff --git a/oci/charts/infra/platform/k3s/templates/external-dns.yaml b/oci/charts/infra/platform/k3s/templates/external-dns.yaml
deleted file mode 100644
index b8eb745..0000000
--- a/oci/charts/infra/platform/k3s/templates/external-dns.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{- if .Values.components.externalDns.enabled }}
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: {{ .Values.components.externalDns.secret.name }}
- namespace: {{ .Values.namespaces.platform }}
-spec:
- refreshInterval: {{ .Values.components.externalDns.secret.refreshInterval }}
- secretStoreRef:
- kind: {{ .Values.components.externalDns.secret.secretStoreRef.kind }}
- name: {{ .Values.components.externalDns.secret.secretStoreRef.name }}
- target:
- name: {{ .Values.components.externalDns.secret.target.name }}
- creationPolicy: {{ .Values.components.externalDns.secret.target.creationPolicy }}
- data:
- - secretKey: {{ .Values.components.externalDns.secret.data.secretKey }}
- remoteRef:
- key: {{ .Values.components.externalDns.secret.data.remoteRef.key }}
- property: {{ .Values.components.externalDns.secret.data.remoteRef.property }}
---
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: {{ .Values.components.externalDns.releaseName }}
- namespace: {{ .Values.namespaces.platform }}
-spec:
- interval: 10m0s
- releaseName: {{ .Values.components.externalDns.releaseName }}
- chart:
- spec:
- chart: {{ .Values.components.externalDns.chart.name }}
- version: {{ .Values.components.externalDns.chart.version | quote }}
- sourceRef:
- kind: {{ .Values.components.externalDns.sourceRef.kind }}
- name: {{ .Values.components.externalDns.sourceRef.name }}
- namespace: {{ .Values.components.externalDns.sourceRef.namespace }}
- install:
- createNamespace: false
- remediation:
- retries: 3
- upgrade:
- remediation:
- retries: 3
- values:
- {{- toYaml .Values.components.externalDns.values | nindent 4 }}
-{{- end }}
diff --git a/oci/charts/infra/platform/k3s/templates/extra-objects.yaml b/oci/charts/infra/platform/k3s/templates/extra-objects.yaml
deleted file mode 100644
index 8dd36ec..0000000
--- a/oci/charts/infra/platform/k3s/templates/extra-objects.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-{{- range .Values.extraObjects }}
---
-{{ toYaml . }}
-{{- end }}
diff --git a/oci/charts/infra/platform/k3s/templates/postgresql-tls-ingress.yaml b/oci/charts/infra/platform/k3s/templates/postgresql-tls-ingress.yaml
deleted file mode 100644
index 90594ff..0000000
--- a/oci/charts/infra/platform/k3s/templates/postgresql-tls-ingress.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-{{- with .Values.components.postgresqlTlsIngress }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ .serviceName }}
- namespace: {{ .namespace }}
-spec:
- type: ClusterIP
- ports:
- - port: {{ .servicePort }}
- targetPort: {{ .servicePort }}
- protocol: TCP
- name: http
- selector:
- app.kubernetes.io/name: {{ .serviceName }}
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ .name }}
- namespace: {{ .namespace }}
-spec:
- ingressClassName: {{ .className }}
- tls:
- - hosts:
- - {{ .host }}
- secretName: {{ .secretName }}
- rules:
- - host: {{ .host }}
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: {{ .serviceName }}
- port:
- number: {{ .servicePort }}
-{{- end }}
diff --git a/oci/charts/infra/platform/k3s/templates/shared-tls-secret-sync.yaml b/oci/charts/infra/platform/k3s/templates/shared-tls-secret-sync.yaml
deleted file mode 100644
index 191e48e..0000000
--- a/oci/charts/infra/platform/k3s/templates/shared-tls-secret-sync.yaml
+++ /dev/null
@@ -1,83 +0,0 @@
-{{- with .Values.components.sharedTlsSecretSync }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ .name }}
- namespace: {{ $.Values.namespaces.platform }}
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ .name }}-source
- namespace: {{ .sourceNamespace }}
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- resourceNames: ["{{ .sourceSecretName }}"]
- verbs: ["get", "list", "watch"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ .name }}-target
- namespace: {{ .targetNamespace }}
-rules:
- - apiGroups: [""]
- resources: ["secrets"]
- resourceNames: ["{{ .targetSecretName }}"]
- verbs: ["get", "create", "update", "patch"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ .name }}-source
- namespace: {{ .sourceNamespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ .name }}-source
-subjects:
- - kind: ServiceAccount
- name: {{ .name }}
- namespace: {{ $.Values.namespaces.platform }}
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ .name }}-target
- namespace: {{ .targetNamespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ .name }}-target
-subjects:
- - kind: ServiceAccount
- name: {{ .name }}
- namespace: {{ $.Values.namespaces.platform }}
---
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: {{ .name }}
- namespace: {{ $.Values.namespaces.platform }}
-spec:
- schedule: {{ .refreshSchedule | quote }}
- concurrencyPolicy: Forbid
- jobTemplate:
- spec:
- template:
- spec:
- serviceAccountName: {{ .name }}
- restartPolicy: OnFailure
- containers:
- - name: sync
- image: bitnami/kubectl:latest
- command:
- - /bin/sh
- - -ec
- - |
- tmp=$(mktemp)
- kubectl -n {{ .sourceNamespace }} get secret {{ .sourceSecretName }} -o yaml \
- | sed '/^ resourceVersion:/d;/^ uid:/d;/^ creationTimestamp:/d;/^ managedFields:/d;/^ annotations:/d;/^ ownerReferences:/d;/^ namespace:/d;/^ selfLink:/d' \
- | kubectl -n {{ .targetNamespace }} apply -f -
-{{- end }}
diff --git a/oci/charts/infra/platform/k3s/templates/vault-bootstrap.yaml b/oci/charts/infra/platform/k3s/templates/vault-bootstrap.yaml
deleted file mode 100644
index bdbe1e4..0000000
--- a/oci/charts/infra/platform/k3s/templates/vault-bootstrap.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-{{- if .Values.vaultBootstrap.enabled }}
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: vault-bootstrap
- namespace: {{ .Values.namespaces.vault }}
-spec:
- template:
- spec:
- serviceAccountName: {{ .Values.vaultBootstrap.serviceAccountName }}
- restartPolicy: OnFailure
- containers:
- - name: bootstrap
- image: {{ .Values.vaultBootstrap.image }}
- env:
- - name: VAULT_ADDR
- value: http://vault.{{ .Values.namespaces.vault }}.svc.cluster.local:8200
- - name: VAULT_TOKEN
- valueFrom:
- secretKeyRef:
- name: {{ .Values.vaultBootstrap.rootTokenSecretName }}
- key: {{ .Values.vaultBootstrap.rootTokenSecretKey }}
- - name: CLOUDFLARE_API_TOKEN
- valueFrom:
- secretKeyRef:
- name: {{ .Values.vaultBootstrap.cloudflareSecretName }}
- key: {{ .Values.vaultBootstrap.cloudflareSecretKey }}
- command:
- - /bin/sh
- - -ec
- - |
- until vault status >/dev/null 2>&1; do
- sleep 5
- done
- vault secrets enable -path=secret kv-v2 || true
- cat <<'EOF' >/tmp/eso-policy.hcl
- path "secret/data/*" {
- capabilities = ["read"]
- }
- path "secret/metadata/*" {
- capabilities = ["read", "list"]
- }
- EOF
- vault policy write eso-read /tmp/eso-policy.hcl
- vault auth enable kubernetes || true
- vault write auth/kubernetes/config \
- kubernetes_host="https://kubernetes.default.svc:443" \
- kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
- token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
- vault write auth/kubernetes/role/external-secrets \
- bound_service_account_names="external-secrets" \
- bound_service_account_namespaces="{{ .Values.vaultBootstrap.externalSecretsRoleNamespace }}" \
- policies="eso-read" \
- ttl="1h"
- vault kv put secret/platform/cloudflare api-token="${CLOUDFLARE_API_TOKEN}"
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ .Values.vaultBootstrap.serviceAccountName }}
- namespace: {{ .Values.namespaces.vault }}
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: vault-bootstrap-auth-delegator
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
- - kind: ServiceAccount
- name: {{ .Values.vaultBootstrap.serviceAccountName }}
- namespace: {{ .Values.namespaces.vault }}
-{{- end }}
diff --git a/oci/charts/infra/platform/k3s/templates/vault-helmrelease.yaml b/oci/charts/infra/platform/k3s/templates/vault-helmrelease.yaml
deleted file mode 100644
index a379f12..0000000
--- a/oci/charts/infra/platform/k3s/templates/vault-helmrelease.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{- if .Values.components.vault.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: {{ .Values.components.vault.releaseName }}
- namespace: {{ .Values.namespaces.vault }}
-spec:
- interval: 10m0s
- releaseName: {{ .Values.components.vault.releaseName }}
- chart:
- spec:
- chart: {{ .Values.components.vault.chart.name }}
- version: {{ .Values.components.vault.chart.version | quote }}
- sourceRef:
- kind: {{ .Values.components.vault.sourceRef.kind }}
- name: {{ .Values.components.vault.sourceRef.name }}
- namespace: {{ .Values.components.vault.sourceRef.namespace }}
- install:
- remediation:
- retries: 3
- upgrade:
- remediation:
- retries: 3
- values:
- {{- toYaml .Values.components.vault.values | nindent 4 }}
-{{- end }}
diff --git a/oci/charts/infra/platform/k3s/values.yaml b/oci/charts/infra/platform/k3s/values.yaml
deleted file mode 100644
index f525aee..0000000
--- a/oci/charts/infra/platform/k3s/values.yaml
+++ /dev/null
@@ -1,204 +0,0 @@
-namespaces:
- platform: platform
- vault: extsvc
-
-components:
- caddy:
- enabled: true
- releaseName: caddy
- sourceRef:
- kind: HelmRepository
- name: caddy-ingress
- namespace: flux-system
- chart:
- name: caddy-ingress-controller
- version: ">=1.0.0 <2.0.0"
- values:
- ingressController:
- enabled: true
- ingressClass:
- create: true
- name: caddy
- default: false
- service:
- type: LoadBalancer
- apisix:
- enabled: true
- releaseName: apisix
- sourceRef:
- kind: HelmRepository
- name: apisix
- namespace: flux-system
- chart:
- name: apisix
- version: ">=2.7.0 <3.0.0"
- values:
- etcd:
- enabled: false
- externalEtcd:
- user: ""
- ingress-controller:
- enabled: false
- dashboard:
- enabled: false
- gateway:
- enabled: true
- type: ClusterIP
- control:
- enabled: false
- apisix:
- admin:
- enabled: false
- deployment:
- mode: standalone
- role: data_plane
- standalone:
- config: |
- routes:
- - id: 1
- uri: "/*"
- hosts:
- - api.svc.plus
- name: api-gateway-prod
- upstream:
- type: roundrobin
- nodes:
- "accounts.core-prod.svc.cluster.local:80": 1
- - id: 2
- uri: "/*"
- hosts:
- - api-pre.svc.plus
- name: api-gateway-pre
- upstream:
- type: roundrobin
- nodes:
- "accounts.core-pre.svc.cluster.local:80": 1
- externalDns:
- enabled: true
- releaseName: external-dns
- sourceRef:
- kind: HelmRepository
- name: external-dns
- namespace: flux-system
- chart:
- name: external-dns
- version: ">=1.14.0 <2.0.0"
- secret:
- name: cloudflare-api-token
- refreshInterval: 1m
- secretStoreRef:
- kind: ClusterSecretStore
- name: ""
- target:
- name: cloudflare-api-token
- creationPolicy: Owner
- data:
- secretKey: api-token
- remoteRef:
- key: platform/cloudflare
- property: api-token
- values:
- provider: cloudflare
- policy: sync
- registry: txt
- txtOwnerId: svc-plus-k3s
- sources:
- - ingress
- domainFilters:
- - svc.plus
- env:
- - name: CF_API_TOKEN
- valueFrom:
- secretKeyRef:
- name: cloudflare-api-token
- key: api-token
- externalSecretsStore:
- enabled: false
- name: ""
- vault:
- server: http://vault.extsvc.svc.cluster.local:8200
- path: secret
- version: v2
- auth:
- kubernetes:
- mountPath: kubernetes
- role: external-secrets
- serviceAccountRef:
- name: external-secrets
- namespace: platform
- sharedTlsSecretSync:
- enabled: true
- name: postgresql-tls-sync
- sourceNamespace: platform
- sourceSecretName: postgresql-tls
- targetNamespace: database
- targetSecretName: postgresql-tls
- refreshSchedule: "*/5 * * * *"
- postgresqlTlsIngress:
- enabled: true
- name: postgresql-tls
- namespace: platform
- className: caddy
- serviceName: postgresql-tls-placeholder
- servicePort: 80
- host: "postgresql-.svc.plus"
- secretName: postgresql-tls
- vault:
- enabled: false
- releaseName: vault
- sourceRef:
- kind: HelmRepository
- name: hashicorp
- namespace: flux-system
- chart:
- name: vault
- version: ">=0.28.0 <1.0.0"
- values:
- injector:
- enabled: false
- server:
- standalone:
- enabled: false
- dataStorage:
- enabled: true
- size: 8Gi
- ha:
- enabled: true
- replicas: 1
- raft:
- enabled: true
- setNodeId: true
- service:
- enabled: true
-
-apisixIngress:
- enabled: true
- name: apisix-gateway
- namespace: platform
- className: caddy
- annotations:
- external-dns.alpha.kubernetes.io/hostname: api.svc.plus,api-pre.svc.plus
- tls:
- secretName: apisix-gateway-tls
- hosts:
- - api.svc.plus
- - api-pre.svc.plus
- hosts:
- - host: api.svc.plus
- serviceName: apisix-gateway
- servicePort: 80
- - host: api-pre.svc.plus
- serviceName: apisix-gateway
- servicePort: 80
-
-vaultBootstrap:
- enabled: false
- image: hashicorp/vault:1.16.3
- serviceAccountName: vault-bootstrap
- cloudflareSecretName: vault-bootstrap
- cloudflareSecretKey: cloudflareApiToken
- rootTokenSecretName: vault-bootstrap
- rootTokenSecretKey: rootToken
- externalSecretsRoleNamespace: platform
-
-extraObjects: []