chore(charts): remove k3s platform chart

.github/workflows/release-oci-charts.yml

@@ -6,7 +6,6 @@ on:
       - main
     paths:
       - "oci/charts/apps/app-service/**"
-      - "oci/charts/infra/platform/k3s/**"
       - "oci/charts/postgresql/**"
       - "oci/charts/observability/**"
       - ".github/workflows/release-oci-charts.yml"
@@ -40,7 +39,6 @@ jobs:
           set -euo pipefail
           charts=(
             "oci/charts/apps/app-service"
-            "oci/charts/infra/platform/k3s"
             "oci/charts/postgresql"
             "oci/charts/observability"
           )
@@ -54,7 +52,6 @@ jobs:
           mkdir -p dist
           charts=(
             "oci/charts/apps/app-service"
-            "oci/charts/infra/platform/k3s"
             "oci/charts/postgresql"
             "oci/charts/observability"
           )

oci/charts/README.md

@@ -5,7 +5,6 @@ This repository stores reusable Helm charts published to `ghcr.io/x-evor`.
 ## Layout
 
 - `apps/app-service`: reusable runtime chart for application services
-- `infra/platform/k3s`: platform composition chart for `caddy`, `apisix`, `external-dns`, `external-secrets`, and `vault`
 - `postgresql`: PostgreSQL service chart with optional `stunnel` server/client
 - `observability`: observability composition chart for server and agent components
 

oci/charts/infra/platform/k3s/Chart.yaml

@@ -1,6 +0,0 @@
-apiVersion: v2
-name: k3s-platform-chart
-description: Composes Flux-managed platform components for the k3s platform
-type: application
-version: 0.1.9
-appVersion: "1.0.0"

oci/charts/infra/platform/k3s/templates/apisix-helmrelease.yaml

@@ -1,44 +0,0 @@
-{{- if .Values.components.apisix.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Values.components.apisix.releaseName }}
-  namespace: {{ .Values.namespaces.platform }}
-spec:
-  interval: 10m0s
-  releaseName: {{ .Values.components.apisix.releaseName }}
-  chart:
-    spec:
-      chart: {{ .Values.components.apisix.chart.name }}
-      version: {{ .Values.components.apisix.chart.version | quote }}
-      sourceRef:
-        kind: {{ .Values.components.apisix.sourceRef.kind }}
-        name: {{ .Values.components.apisix.sourceRef.name }}
-        namespace: {{ .Values.components.apisix.sourceRef.namespace }}
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  postRenderers:
-    - kustomize:
-        patches:
-          - target:
-              group: apps
-              version: v1
-              kind: Deployment
-              name: {{ .Values.components.apisix.releaseName }}
-            patch: |
-              - op: replace
-                path: /spec/template/spec/containers/0/command
-                value:
-                  - sh
-                  - -c
-                  - |
-                    export APISIX_STAND_ALONE=true
-                    ln -sf /apisix-config/apisix.yaml /usr/local/apisix/conf/apisix.yaml
-                    exec /docker-entrypoint.sh docker-start
-  values:
-    {{- toYaml .Values.components.apisix.values | nindent 4 }}
-{{- end }}

oci/charts/infra/platform/k3s/templates/apisix-ingress.yaml

@@ -1,30 +0,0 @@
-{{- if .Values.apisixIngress.enabled }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ .Values.apisixIngress.name }}
-  namespace: {{ .Values.apisixIngress.namespace }}
-  {{- with .Values.apisixIngress.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  ingressClassName: {{ .Values.apisixIngress.className }}
-  tls:
-    - hosts:
-        {{- toYaml .Values.apisixIngress.tls.hosts | nindent 8 }}
-      secretName: {{ .Values.apisixIngress.tls.secretName }}
-  rules:
-    {{- range .Values.apisixIngress.hosts }}
-    - host: {{ .host }}
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: {{ .serviceName }}
-                port:
-                  number: {{ .servicePort }}
-    {{- end }}
-{{- end }}

oci/charts/infra/platform/k3s/templates/caddy-helmrelease.yaml

@@ -1,27 +0,0 @@
-{{- if .Values.components.caddy.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Values.components.caddy.releaseName }}
-  namespace: {{ .Values.namespaces.platform }}
-spec:
-  interval: 10m0s
-  releaseName: {{ .Values.components.caddy.releaseName }}
-  chart:
-    spec:
-      chart: {{ .Values.components.caddy.chart.name }}
-      version: {{ .Values.components.caddy.chart.version | quote }}
-      sourceRef:
-        kind: {{ .Values.components.caddy.sourceRef.kind }}
-        name: {{ .Values.components.caddy.sourceRef.name }}
-        namespace: {{ .Values.components.caddy.sourceRef.namespace }}
-  install:
-    createNamespace: false
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    {{- toYaml .Values.components.caddy.values | nindent 4 }}
-{{- end }}

oci/charts/infra/platform/k3s/templates/clustersecretstore.yaml

@@ -1,19 +0,0 @@
-{{- if .Values.components.externalSecretsStore.enabled }}
-apiVersion: external-secrets.io/v1
-kind: ClusterSecretStore
-metadata:
-  name: {{ .Values.components.externalSecretsStore.name }}
-spec:
-  provider:
-    vault:
-      server: {{ .Values.components.externalSecretsStore.vault.server }}
-      path: {{ .Values.components.externalSecretsStore.vault.path }}
-      version: {{ .Values.components.externalSecretsStore.vault.version }}
-      auth:
-        kubernetes:
-          mountPath: {{ .Values.components.externalSecretsStore.vault.auth.kubernetes.mountPath }}
-          role: {{ .Values.components.externalSecretsStore.vault.auth.kubernetes.role }}
-          serviceAccountRef:
-            name: {{ .Values.components.externalSecretsStore.vault.auth.kubernetes.serviceAccountRef.name }}
-            namespace: {{ .Values.components.externalSecretsStore.vault.auth.kubernetes.serviceAccountRef.namespace }}
-{{- end }}

oci/charts/infra/platform/k3s/templates/external-dns.yaml

@@ -1,46 +0,0 @@
-{{- if .Values.components.externalDns.enabled }}
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: {{ .Values.components.externalDns.secret.name }}
-  namespace: {{ .Values.namespaces.platform }}
-spec:
-  refreshInterval: {{ .Values.components.externalDns.secret.refreshInterval }}
-  secretStoreRef:
-    kind: {{ .Values.components.externalDns.secret.secretStoreRef.kind }}
-    name: {{ .Values.components.externalDns.secret.secretStoreRef.name }}
-  target:
-    name: {{ .Values.components.externalDns.secret.target.name }}
-    creationPolicy: {{ .Values.components.externalDns.secret.target.creationPolicy }}
-  data:
-    - secretKey: {{ .Values.components.externalDns.secret.data.secretKey }}
-      remoteRef:
-        key: {{ .Values.components.externalDns.secret.data.remoteRef.key }}
-        property: {{ .Values.components.externalDns.secret.data.remoteRef.property }}
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Values.components.externalDns.releaseName }}
-  namespace: {{ .Values.namespaces.platform }}
-spec:
-  interval: 10m0s
-  releaseName: {{ .Values.components.externalDns.releaseName }}
-  chart:
-    spec:
-      chart: {{ .Values.components.externalDns.chart.name }}
-      version: {{ .Values.components.externalDns.chart.version | quote }}
-      sourceRef:
-        kind: {{ .Values.components.externalDns.sourceRef.kind }}
-        name: {{ .Values.components.externalDns.sourceRef.name }}
-        namespace: {{ .Values.components.externalDns.sourceRef.namespace }}
-  install:
-    createNamespace: false
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    {{- toYaml .Values.components.externalDns.values | nindent 4 }}
-{{- end }}

oci/charts/infra/platform/k3s/templates/extra-objects.yaml

@@ -1,4 +0,0 @@
-{{- range .Values.extraObjects }}
----
-{{ toYaml . }}
-{{- end }}

oci/charts/infra/platform/k3s/templates/postgresql-tls-ingress.yaml

@@ -1,39 +0,0 @@
-{{- with .Values.components.postgresqlTlsIngress }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ .serviceName }}
-  namespace: {{ .namespace }}
-spec:
-  type: ClusterIP
-  ports:
-    - port: {{ .servicePort }}
-      targetPort: {{ .servicePort }}
-      protocol: TCP
-      name: http
-  selector:
-    app.kubernetes.io/name: {{ .serviceName }}
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ .name }}
-  namespace: {{ .namespace }}
-spec:
-  ingressClassName: {{ .className }}
-  tls:
-    - hosts:
-        - {{ .host }}
-      secretName: {{ .secretName }}
-  rules:
-    - host: {{ .host }}
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: {{ .serviceName }}
-                port:
-                  number: {{ .servicePort }}
-{{- end }}

oci/charts/infra/platform/k3s/templates/shared-tls-secret-sync.yaml

@@ -1,83 +0,0 @@
-{{- with .Values.components.sharedTlsSecretSync }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .name }}
-  namespace: {{ $.Values.namespaces.platform }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ .name }}-source
-  namespace: {{ .sourceNamespace }}
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    resourceNames: ["{{ .sourceSecretName }}"]
-    verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ .name }}-target
-  namespace: {{ .targetNamespace }}
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    resourceNames: ["{{ .targetSecretName }}"]
-    verbs: ["get", "create", "update", "patch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ .name }}-source
-  namespace: {{ .sourceNamespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ .name }}-source
-subjects:
-  - kind: ServiceAccount
-    name: {{ .name }}
-    namespace: {{ $.Values.namespaces.platform }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ .name }}-target
-  namespace: {{ .targetNamespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ .name }}-target
-subjects:
-  - kind: ServiceAccount
-    name: {{ .name }}
-    namespace: {{ $.Values.namespaces.platform }}
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: {{ .name }}
-  namespace: {{ $.Values.namespaces.platform }}
-spec:
-  schedule: {{ .refreshSchedule | quote }}
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          serviceAccountName: {{ .name }}
-          restartPolicy: OnFailure
-          containers:
-            - name: sync
-              image: bitnami/kubectl:latest
-              command:
-                - /bin/sh
-                - -ec
-                - |
-                  tmp=$(mktemp)
-                  kubectl -n {{ .sourceNamespace }} get secret {{ .sourceSecretName }} -o yaml \
-                    | sed '/^  resourceVersion:/d;/^  uid:/d;/^  creationTimestamp:/d;/^  managedFields:/d;/^  annotations:/d;/^  ownerReferences:/d;/^  namespace:/d;/^  selfLink:/d' \
-                    | kubectl -n {{ .targetNamespace }} apply -f -
-{{- end }}

oci/charts/infra/platform/k3s/templates/vault-bootstrap.yaml

@@ -1,75 +0,0 @@
-{{- if .Values.vaultBootstrap.enabled }}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: vault-bootstrap
-  namespace: {{ .Values.namespaces.vault }}
-spec:
-  template:
-    spec:
-      serviceAccountName: {{ .Values.vaultBootstrap.serviceAccountName }}
-      restartPolicy: OnFailure
-      containers:
-        - name: bootstrap
-          image: {{ .Values.vaultBootstrap.image }}
-          env:
-            - name: VAULT_ADDR
-              value: http://vault.{{ .Values.namespaces.vault }}.svc.cluster.local:8200
-            - name: VAULT_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.vaultBootstrap.rootTokenSecretName }}
-                  key: {{ .Values.vaultBootstrap.rootTokenSecretKey }}
-            - name: CLOUDFLARE_API_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.vaultBootstrap.cloudflareSecretName }}
-                  key: {{ .Values.vaultBootstrap.cloudflareSecretKey }}
-          command:
-            - /bin/sh
-            - -ec
-            - |
-              until vault status >/dev/null 2>&1; do
-                sleep 5
-              done
-              vault secrets enable -path=secret kv-v2 || true
-              cat <<'EOF' >/tmp/eso-policy.hcl
-              path "secret/data/*" {
-                capabilities = ["read"]
-              }
-              path "secret/metadata/*" {
-                capabilities = ["read", "list"]
-              }
-              EOF
-              vault policy write eso-read /tmp/eso-policy.hcl
-              vault auth enable kubernetes || true
-              vault write auth/kubernetes/config \
-                kubernetes_host="https://kubernetes.default.svc:443" \
-                kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
-                token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
-              vault write auth/kubernetes/role/external-secrets \
-                bound_service_account_names="external-secrets" \
-                bound_service_account_namespaces="{{ .Values.vaultBootstrap.externalSecretsRoleNamespace }}" \
-                policies="eso-read" \
-                ttl="1h"
-              vault kv put secret/platform/cloudflare api-token="${CLOUDFLARE_API_TOKEN}"
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Values.vaultBootstrap.serviceAccountName }}
-  namespace: {{ .Values.namespaces.vault }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: vault-bootstrap-auth-delegator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Values.vaultBootstrap.serviceAccountName }}
-    namespace: {{ .Values.namespaces.vault }}
-{{- end }}

oci/charts/infra/platform/k3s/templates/vault-helmrelease.yaml

@@ -1,26 +0,0 @@
-{{- if .Values.components.vault.enabled }}
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: {{ .Values.components.vault.releaseName }}
-  namespace: {{ .Values.namespaces.vault }}
-spec:
-  interval: 10m0s
-  releaseName: {{ .Values.components.vault.releaseName }}
-  chart:
-    spec:
-      chart: {{ .Values.components.vault.chart.name }}
-      version: {{ .Values.components.vault.chart.version | quote }}
-      sourceRef:
-        kind: {{ .Values.components.vault.sourceRef.kind }}
-        name: {{ .Values.components.vault.sourceRef.name }}
-        namespace: {{ .Values.components.vault.sourceRef.namespace }}
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    {{- toYaml .Values.components.vault.values | nindent 4 }}
-{{- end }}

oci/charts/infra/platform/k3s/values.yaml

@@ -1,204 +0,0 @@
-namespaces:
-  platform: platform
-  vault: extsvc
-
-components:
-  caddy:
-    enabled: true
-    releaseName: caddy
-    sourceRef:
-      kind: HelmRepository
-      name: caddy-ingress
-      namespace: flux-system
-    chart:
-      name: caddy-ingress-controller
-      version: ">=1.0.0 <2.0.0"
-    values:
-      ingressController:
-        enabled: true
-      ingressClass:
-        create: true
-        name: caddy
-        default: false
-      service:
-        type: LoadBalancer
-  apisix:
-    enabled: true
-    releaseName: apisix
-    sourceRef:
-      kind: HelmRepository
-      name: apisix
-      namespace: flux-system
-    chart:
-      name: apisix
-      version: ">=2.7.0 <3.0.0"
-    values:
-      etcd:
-        enabled: false
-      externalEtcd:
-        user: ""
-      ingress-controller:
-        enabled: false
-      dashboard:
-        enabled: false
-      gateway:
-        enabled: true
-        type: ClusterIP
-      control:
-        enabled: false
-      apisix:
-        admin:
-          enabled: false
-        deployment:
-          mode: standalone
-          role: data_plane
-          standalone:
-            config: |
-              routes:
-                - id: 1
-                  uri: "/*"
-                  hosts:
-                    - api.svc.plus
-                  name: api-gateway-prod
-                  upstream:
-                    type: roundrobin
-                    nodes:
-                      "accounts.core-prod.svc.cluster.local:80": 1
-                - id: 2
-                  uri: "/*"
-                  hosts:
-                    - api-pre.svc.plus
-                  name: api-gateway-pre
-                  upstream:
-                    type: roundrobin
-                    nodes:
-                      "accounts.core-pre.svc.cluster.local:80": 1
-  externalDns:
-    enabled: true
-    releaseName: external-dns
-    sourceRef:
-      kind: HelmRepository
-      name: external-dns
-      namespace: flux-system
-    chart:
-      name: external-dns
-      version: ">=1.14.0 <2.0.0"
-    secret:
-      name: cloudflare-api-token
-      refreshInterval: 1m
-      secretStoreRef:
-        kind: ClusterSecretStore
-        name: ""
-      target:
-        name: cloudflare-api-token
-        creationPolicy: Owner
-      data:
-        secretKey: api-token
-        remoteRef:
-          key: platform/cloudflare
-          property: api-token
-    values:
-      provider: cloudflare
-      policy: sync
-      registry: txt
-      txtOwnerId: svc-plus-k3s
-      sources:
-        - ingress
-      domainFilters:
-        - svc.plus
-      env:
-        - name: CF_API_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: cloudflare-api-token
-              key: api-token
-  externalSecretsStore:
-    enabled: false
-    name: ""
-    vault:
-      server: http://vault.extsvc.svc.cluster.local:8200
-      path: secret
-      version: v2
-      auth:
-        kubernetes:
-          mountPath: kubernetes
-          role: external-secrets
-          serviceAccountRef:
-            name: external-secrets
-            namespace: platform
-  sharedTlsSecretSync:
-    enabled: true
-    name: postgresql-tls-sync
-    sourceNamespace: platform
-    sourceSecretName: postgresql-tls
-    targetNamespace: database
-    targetSecretName: postgresql-tls
-    refreshSchedule: "*/5 * * * *"
-  postgresqlTlsIngress:
-    enabled: true
-    name: postgresql-tls
-    namespace: platform
-    className: caddy
-    serviceName: postgresql-tls-placeholder
-    servicePort: 80
-    host: "postgresql-<node-or-cluster>.svc.plus"
-    secretName: postgresql-tls
-  vault:
-    enabled: false
-    releaseName: vault
-    sourceRef:
-      kind: HelmRepository
-      name: hashicorp
-      namespace: flux-system
-    chart:
-      name: vault
-      version: ">=0.28.0 <1.0.0"
-    values:
-      injector:
-        enabled: false
-      server:
-        standalone:
-          enabled: false
-        dataStorage:
-          enabled: true
-          size: 8Gi
-        ha:
-          enabled: true
-          replicas: 1
-          raft:
-            enabled: true
-            setNodeId: true
-        service:
-          enabled: true
-
-apisixIngress:
-  enabled: true
-  name: apisix-gateway
-  namespace: platform
-  className: caddy
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: api.svc.plus,api-pre.svc.plus
-  tls:
-    secretName: apisix-gateway-tls
-    hosts:
-      - api.svc.plus
-      - api-pre.svc.plus
-  hosts:
-    - host: api.svc.plus
-      serviceName: apisix-gateway
-      servicePort: 80
-    - host: api-pre.svc.plus
-      serviceName: apisix-gateway
-      servicePort: 80
-
-vaultBootstrap:
-  enabled: false
-  image: hashicorp/vault:1.16.3
-  serviceAccountName: vault-bootstrap
-  cloudflareSecretName: vault-bootstrap
-  cloudflareSecretKey: cloudflareApiToken
-  rootTokenSecretName: vault-bootstrap
-  rootTokenSecretKey: rootToken
-  externalSecretsRoleNamespace: platform
-
-extraObjects: []