From 4f6c5588fd798c3c27cbfb67644e3f03d101aa23 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Wed, 18 Mar 2026 21:59:25 +1100 Subject: [PATCH] feat: migrate cattle-system (Rancher) from Terraform to ArgoCD - Add cattle-system base ArgoCD application with namespace, Vault integration, and ingress - Create cattle-system overlay for au-syd1 with Rancher Helm chart configuration - Update platform ApplicationSet to include cattle-system deployment - Update platform project to include Rancher Helm repository as source - Configure Rancher v2.13.1 with HA, TLS, audit logging, and bootstrap secret from Vault - Maintain one-to-one migration from Terraform configuration --- apps/base/cattle-system/ingress.yaml | 29 ++++++++++++++ apps/base/cattle-system/kustomization.yaml | 9 +++++ apps/base/cattle-system/namespace.yaml | 5 +++ apps/base/cattle-system/vaultauth.yaml | 18 +++++++++ .../base/cattle-system/vaultstaticsecret.yaml | 15 +++++++ .../au-syd1/cattle-system/kustomization.yaml | 14 +++++++ .../au-syd1/cattle-system/values.yaml | 40 +++++++++++++++++++ argocd/applicationsets/platform.yaml | 1 + argocd/projects/platform.yaml | 1 + 9 files changed, 132 insertions(+) create mode 100644 apps/base/cattle-system/ingress.yaml create mode 100644 apps/base/cattle-system/kustomization.yaml create mode 100644 apps/base/cattle-system/namespace.yaml create mode 100644 apps/base/cattle-system/vaultauth.yaml create mode 100644 apps/base/cattle-system/vaultstaticsecret.yaml create mode 100644 apps/overlays/au-syd1/cattle-system/kustomization.yaml create mode 100644 apps/overlays/au-syd1/cattle-system/values.yaml diff --git a/apps/base/cattle-system/ingress.yaml b/apps/base/cattle-system/ingress.yaml new file mode 100644 index 0000000..46ef0a7 --- /dev/null +++ b/apps/base/cattle-system/ingress.yaml 
@@ -0,0 +1,29 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: rancher
+ namespace: cattle-system
+ annotations:
+ cert-manager.io/cluster-issuer: vault-issuer
+ cert-manager.io/common-name: rancher.k8s.syd1.au.unkin.net
+ cert-manager.io/private-key-size: "4096"
+ external-dns.alpha.kubernetes.io/hostname: rancher.k8s.syd1.au.unkin.net
+ external-dns.alpha.kubernetes.io/target: "198.18.200.0"
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - rancher.k8s.syd1.au.unkin.net
+ secretName: rancher-tls
+ rules:
+ - host: rancher.k8s.syd1.au.unkin.net
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: rancher
+ port:
+ number: 80
diff --git a/apps/base/cattle-system/kustomization.yaml b/apps/base/cattle-system/kustomization.yaml
new file mode 100644
index 0000000..4d589ff
--- /dev/null
+++ b/apps/base/cattle-system/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - vaultauth.yaml
+ - vaultstaticsecret.yaml
+ - ingress.yaml
diff --git a/apps/base/cattle-system/namespace.yaml b/apps/base/cattle-system/namespace.yaml
new file mode 100644
index 0000000..f543fb4
--- /dev/null
+++ b/apps/base/cattle-system/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cattle-system
diff --git a/apps/base/cattle-system/vaultauth.yaml b/apps/base/cattle-system/vaultauth.yaml
new file mode 100644
index 0000000..229d3d8
--- /dev/null
+++ b/apps/base/cattle-system/vaultauth.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: rancher
+ namespace: cattle-system
+spec:
+ method: kubernetes
+ mount: k8s/au/syd1
+ vaultConnectionRef: vso-system/default
+ allowedNamespaces:
+ - cattle-system
+ kubernetes:
+ role: rancher
+ serviceAccount: rancher
+ audiences:
+ - vault
+ tokenExpirationSeconds: 600
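Review bot: This hand-written Ingress stands in for the chart's own (`ingress.enabled: false` in the overlay) but carries none of the proxy-timeout annotations the Rancher chart's ingress template sets for its long-lived websocket tunnels; as far as I recall those are `nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"`, `nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"` and `nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"` — confirm against the chart. Without them ingress-nginx's default 60 s read timeout will drop kubectl-shell sessions and cluster-agent tunnels under the `/` prefix. Separately, the hostname and the `external-dns` target IP are specific to one cluster yet live in `apps/base/`, which defeats the base/overlay split this commit otherwise follows; a patch of `spec.rules[0].host` and the annotations from the au-syd1 overlay would keep base cluster-neutral.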
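Review bot: `serviceAccount: rancher` makes VSO authenticate to Vault with the ServiceAccount the Rancher server itself runs under (the chart creates `rancher` in `cattle-system` and, if memory serves, binds it to cluster-admin — confirm in the chart's clusterrolebinding template). That ties the Vault role `rancher` to a cluster-admin identity: any principal that can request a token for that SA or exec into a Rancher pod can also read the `kv` bootstrap path, and the Vault role cannot be tightened independently of Rancher's own RBAC. A dedicated SA for the operator keeps the two trust boundaries apart: add a small `ServiceAccount` named `rancher-vso` to this base and change the line to `serviceAccount: rancher-vso`, then bind the Vault role to that name instead. Whichever SA is used, it is created outside this file, so a comment such as `# serviceAccount is created by the Rancher chart in the overlay` above `kubernetes:` would save the next reader a search.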
diff --git a/apps/base/cattle-system/vaultstaticsecret.yaml b/apps/base/cattle-system/vaultstaticsecret.yaml
new file mode 100644
index 0000000..1384073
--- /dev/null
+++ b/apps/base/cattle-system/vaultstaticsecret.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: rancher-bootstrap-secret
+ namespace: cattle-system
+spec:
+ vaultAuthRef: rancher
+ mount: kv
+ type: kv-v2
+ path: service/kubernetes/au/syd1/rancher/bootstrap-password
+ refreshAfter: 5m
+ destination:
+ name: rancher-bootstrap-secret
+ create: true
diff --git a/apps/overlays/au-syd1/cattle-system/kustomization.yaml b/apps/overlays/au-syd1/cattle-system/kustomization.yaml
new file mode 100644
index 0000000..d3f4083
--- /dev/null
+++ b/apps/overlays/au-syd1/cattle-system/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../../base/cattle-system
+
+helmCharts:
+ - name: rancher
+ repo: https://releases.rancher.com/server-charts/stable
+ version: "2.13.1"
+ releaseName: rancher
+ namespace: cattle-system
+ valuesFile: values.yaml
diff --git a/apps/overlays/au-syd1/cattle-system/values.yaml b/apps/overlays/au-syd1/cattle-system/values.yaml
new file mode 100644
index 0000000..29ed596
--- /dev/null
+++ b/apps/overlays/au-syd1/cattle-system/values.yaml
@@ -0,0 +1,40 @@
+hostname: rancher.k8s.syd1.au.unkin.net
+
+bootstrapPassword: ""
+
+extraEnv:
+ - name: CATTLE_BOOTSTRAP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: rancher-bootstrap-secret
+ key: password
+
+ingress:
+ enabled: false
+
+tls: external
+
+replicas: 3
+
+priorityClassName: rancher-critical
+
+# Resource limits for production
+resources:
+ limits:
+ cpu: 2000m
+ memory: 8Gi
+ requests:
+ cpu: 50m
+ memory: 256Mi
+
+# Additional security settings
+antiAffinity: preferred
+
+# Audit logging configuration
+auditLog:
+ enabled: true
+ destination: sidecar
+ level: 1
+ maxAge: 7
+ maxBackup: 3
+ maxSize: 100
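Review bot: The contract between this secret and the overlay is implicit: VSO copies every field of the KV entry into `rancher-bootstrap-secret`, and the overlay's values.yaml reads key `password` from it, so the Vault entry at `service/kubernetes/au/syd1/rancher/bootstrap-password` must carry a `password` field — nothing in this file says so. Add `# KV entry must contain a "password" field; consumed as CATTLE_BOOTSTRAP_PASSWORD by the overlay values.yaml` above `path:`. `refreshAfter: 5m` also deserves a why-comment: as far as I know Rancher honours the bootstrap password only until the admin user has been created, so a later rotation in Vault changes nothing in Rancher and a 5-minute refresh only adds Vault traffic; if that is the intent, say so, otherwise a longer interval is fine.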
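Review bot: The `helmCharts` entry is fetched by `kustomize build --enable-helm` inside the Argo CD repo-server at render time, not by Argo CD's Helm source handling, so the version pin on the line `version: "2.13.1"` is the only control over which chart reaches the cluster (an HTTP chart repository offers no digest to pin, so this is as strong as it gets — just bump it deliberately). That render path needs `--enable-helm` in the repo-server's kustomize build options; I cannot see whether it is already set, so confirm before this ApplicationSet entry goes live. A comment such as `# rendered by kustomize --enable-helm in the repo-server; chart fetch is not subject to the AppProject sourceRepos list` next to `repo:` would record both facts for the next person.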
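Review bot: `priorityClassName: rancher-critical` references a PriorityClass that this change does not create; the API server's Priority admission rejects a Pod whose class does not exist, so unless the class is still defined elsewhere (perhaps in the Terraform being retired) the Rancher Deployment will not schedule. Either add a `PriorityClass` manifest to `apps/base/cattle-system` or drop the key. `bootstrapPassword: ""` needs a why-comment, since the empty value is what stops the chart from rendering its own `bootstrap-secret` and a second `CATTLE_BOOTSTRAP_PASSWORD` env entry alongside the `extraEnv` one: `# intentionally empty: CATTLE_BOOTSTRAP_PASSWORD is injected from the Vault-synced secret via extraEnv`. The `auditLog` block is similarly under-documented — `level: 1` records request/response metadata only (no bodies), and with `destination: sidecar` the file that `maxAge`/`maxBackup`/`maxSize` rotate lives in the pod, so durable retention depends on the cluster's log shipper picking up the sidecar's stdout, which is worth stating so nobody assumes bodies are captured or retained.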
diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml index bc29588..df6994a 100644 --- a/argocd/applicationsets/platform.yaml +++ b/argocd/applicationsets/platform.yaml @@ -11,6 +11,7 @@ spec: revision: HEAD directories: - path: apps/overlays/*/artifactapi + - path: apps/overlays/*/cattle-system - path: apps/overlays/*/certificates - path: apps/overlays/*/reflector-system - path: apps/overlays/*/reloader-system diff --git a/argocd/projects/platform.yaml b/argocd/projects/platform.yaml index a7c0cb9..a7f4a33 100644 --- a/argocd/projects/platform.yaml +++ b/argocd/projects/platform.yaml @@ -10,6 +10,7 @@ spec: - https://git.unkin.net/unkin/argocd-apps - oci://ghcr.io/emberstack/helm-charts - oci://ghcr.io/woodpecker-ci/helm/woodpecker + - https://releases.rancher.com/server-charts/stable destinations: - namespace: '*-system' server: https://kubernetes.default.svc
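Review bot: Adding the Rancher chart repository to `sourceRepos` does not actually gate the new deployment: the overlay pulls the chart through Kustomize's `helmCharts` at render time, and as far as I know Argo CD validates only an Application's own `spec.source.repoURL` against this list, not what `kustomize build --enable-helm` downloads. The entry is harmless and documents intent, but the effective control is the `version: "2.13.1"` pin in the overlay plus whatever egress policy the repo-server has. A comment `# informational: chart is fetched by kustomize helmCharts, not enforced by this list` on the new line would avoid a false sense of enforcement.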