Refactor structure

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2025-07-27 15:53:19 +00:00 · 2024-04-10 12:55:53 +03:00 · 2024-04-10 12:55:53 +03:00 · 98577807dd
commit 98577807dd
parent 2f9057e96b
17 changed files with 35 additions and 21 deletions
--- a/deploy/apps/kustomization.yaml
+++ b/deploy/apps/kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - podinfo.yaml
--- a/deploy/apps/podinfo.yaml
+++ b/deploy/apps/podinfo.yaml
@ -0,0 +1,34 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: podinfo
+spec:
+  interval: 12h
+  type: oci
+  url: oci://ghcr.io/stefanprodan/charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: podinfo
+spec:
+  targetNamespace: podinfo
+  storageNamespace: podinfo
+  releaseName: podinfo
+  chart:
+    spec:
+      chart: podinfo
+      sourceRef:
+        kind: HelmRepository
+        name: podinfo
+  interval: 50m
+  install:
+    remediation:
+      retries: 3
+  # Default values
+  # https://github.com/stefanprodan/podinfo/blob/master/charts/podinfo/values.yaml
+  values:
+    ingress:
+      enabled: true
+      className: nginx
--- a/deploy/infra-configs/cluster-issuers.yaml
+++ b/deploy/infra-configs/cluster-issuers.yaml
@ -0,0 +1,16 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    # Replace the email address with your own contact email
+    email: fluxcdbot@users.noreply.github.com
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-nginx
+    solvers:
+      - http01:
+          ingress:
+            class: nginx
--- a/deploy/infra-configs/kustomization.yaml
+++ b/deploy/infra-configs/kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cluster-issuers.yaml
--- a/deploy/infra-controllers/cert-manager.yaml
+++ b/deploy/infra-controllers/cert-manager.yaml
@ -0,0 +1,28 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: cert-manager
+spec:
+  interval: 24h
+  url: https://charts.jetstack.io
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+spec:
+  targetNamespace: cert-manager
+  storageNamespace: cert-manager
+  releaseName: cert-manager
+  interval: 30m
+  chart:
+    spec:
+      chart: cert-manager
+      version: "1.x"
+      sourceRef:
+        kind: HelmRepository
+        name: cert-manager
+      interval: 12h
+  values:
+    installCRDs: true
--- a/deploy/infra-controllers/ingress-nginx.yaml
+++ b/deploy/infra-controllers/ingress-nginx.yaml
@ -0,0 +1,32 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: ingress-nginx
+spec:
+  interval: 24h
+  url: https://kubernetes.github.io/ingress-nginx
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: ingress-nginx
+spec:
+  targetNamespace: ingress-nginx
+  storageNamespace: ingress-nginx
+  releaseName: ingress-nginx
+  interval: 30m
+  chart:
+    spec:
+      chart: ingress-nginx
+      version: "*"
+      sourceRef:
+        kind: HelmRepository
+        name: ingress-nginx
+      interval: 12h
+  values:
+    controller:
+      service:
+        type: "NodePort"
+    admissionWebhooks:
+      enabled: false
--- a/deploy/infra-controllers/kustomization.yaml
+++ b/deploy/infra-controllers/kustomization.yaml
@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cert-manager.yaml
+  - ingress-nginx.yaml
--- a/deploy/tenants/cert-manager.yaml
+++ b/deploy/tenants/cert-manager.yaml
@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    toolkit.fluxcd.io/tenant: sre-team
--- a/deploy/tenants/flux.yaml
+++ b/deploy/tenants/flux.yaml
@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "${CLUSTER_NAME}"
+  labels:
+    toolkit.fluxcd.io/tenant: sre-team
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: sre-team
+  name: flux-restricted
+  namespace: "${CLUSTER_NAME}"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: sre-team
+  name: flux-cluster-admin
+  namespace: "${CLUSTER_NAME}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: sre-team
+  name: flux-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: flux-cluster-admin
+    namespace: "${CLUSTER_NAME}"
--- a/deploy/tenants/ingress-nginx.yaml
+++ b/deploy/tenants/ingress-nginx.yaml
@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx
+  labels:
+    toolkit.fluxcd.io/tenant: sre-team
+
--- a/deploy/tenants/kustomization.yaml
+++ b/deploy/tenants/kustomization.yaml
@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - flux.yaml
+  - cert-manager.yaml
+  - ingress-nginx.yaml
+  - podinfo.yaml
--- a/deploy/tenants/podinfo.yaml
+++ b/deploy/tenants/podinfo.yaml
@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: podinfo
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team
+  name: flux
+  namespace: podinfo
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  # This binding limits the access to the current namespace
+  # being a RoleBinding instead of a ClusterRoleBinding
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: flux-restricted
+    namespace: "${CLUSTER_NAME}"