feat: migrate cattle-system (Rancher) from Terraform to ArgoCD (#39)

- Add cattle-system base ArgoCD application with namespace, Vault integration, and ingress
- Create cattle-system overlay for au-syd1 with Rancher Helm chart configuration
- Update platform ApplicationSet to include cattle-system deployment
- Update platform project to include Rancher Helm repository as source
- Configure Rancher v2.13.1 with HA, TLS, audit logging, and bootstrap secret from Vault
- Keep the migration one-to-one with the Terraform configuration

Reviewed-on: #39
This commit was merged in pull request #39.
2026-03-19 00:56:39 +11:00
parent 5255c78927
commit ea71ebb55b
9 changed files with 132 additions and 0 deletions
+29
@@ -0,0 +1,29 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: rancher
namespace: cattle-system
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: rancher.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: rancher.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: "198.18.200.0"
spec:
ingressClassName: nginx
tls:
- hosts:
- rancher.k8s.syd1.au.unkin.net
secretName: rancher-tls
rules:
- host: rancher.k8s.syd1.au.unkin.net
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: rancher
port:
number: 80
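Review bot: The hostname and the external-dns target on lines 28–31 are specific to the au-syd1 cluster, yet this Ingress lives in the shared base that every apps/overlays/*/cattle-system overlay inherits; the same applies to `mount: k8s/au/syd1` in vaultauth.yaml and the `au/syd1` secret path in vaultstaticsecret.yaml, so a second cluster overlay would pick up this cluster's endpoints unless it patches them. Moving those values into the au-syd1 overlay (or a Kustomize patch there) keeps the base reusable. Separately, because the chart's own Ingress is disabled (`ingress.enabled: false` in values.yaml), the timeout annotations the Rancher chart's ingress template normally sets are missing here; long-lived Rancher websocket sessions on the nginx class will be cut at the controller default without `nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"` and `nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"`.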
@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- ingress.yaml
+5
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: cattle-system
+18
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: rancher
namespace: cattle-system
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- cattle-system
kubernetes:
role: rancher
serviceAccount: rancher
audiences:
- vault
tokenExpirationSeconds: 600
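Review bot: Nothing in this commit documents that the Vault side of this auth — a Kubernetes auth role named `rancher` under the mount `k8s/au/syd1`, bound to the `rancher` service account in `cattle-system` — is still managed elsewhere now that the Terraform configuration is being retired; if that role was part of the Terraform being removed, this VaultAuth will fail to log in and the bootstrap secret will never be created. A one-line comment above `kubernetes:` such as `# Vault role "rancher" on auth mount k8s/au/syd1 must be bound to SA cattle-system/rancher (managed outside this repo)` makes the dependency explicit for the next operator. The `allowedNamespaces` restriction to `cattle-system` and the 600s token TTL are good least-privilege defaults and should stay.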
@@ -0,0 +1,15 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: rancher-bootstrap-secret
namespace: cattle-system
spec:
vaultAuthRef: rancher
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/rancher/bootstrap-password
refreshAfter: 5m
destination:
name: rancher-bootstrap-secret
create: true
@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/cattle-system
helmCharts:
- name: rancher
repo: https://releases.rancher.com/server-charts/stable
version: "2.13.1"
releaseName: rancher
namespace: cattle-system
valuesFile: values.yaml
@@ -0,0 +1,40 @@
hostname: rancher.k8s.syd1.au.unkin.net
bootstrapPassword: ""
extraEnv:
- name: CATTLE_BOOTSTRAP_PASSWORD
valueFrom:
secretKeyRef:
name: rancher-bootstrap-secret
key: password
ingress:
enabled: false
tls: external
replicas: 3
priorityClassName: rancher-critical
# Resource limits for production
resources:
limits:
cpu: 2000m
memory: 8Gi
requests:
cpu: 50m
memory: 256Mi
# Additional security settings
antiAffinity: preferred
# Audit logging configuration
auditLog:
enabled: true
destination: sidecar
level: 1
maxAge: 7
maxBackup: 3
maxSize: 100
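Review bot: The comment `# Additional security settings` on line 138 describes `antiAffinity: preferred`, which is an availability control rather than a security one; with `replicas: 3` a preferred rule still lets the scheduler place all three pods on one node, so for the HA the commit message claims consider `antiAffinity: required` and relabel the comment `# Spread replicas across nodes for HA`. If `vault-issuer` on the base Ingress is a private CA, Rancher also typically needs `privateCA: true` together with a `tls-ca` Secret in cattle-system so downstream agents trust the certificate — worth confirming against the Terraform values being migrated. The `auditLog` block with `destination: sidecar` is a sound choice for shipping audit events to the log pipeline; note that `level: 1` records request metadata only, so raise it if request bodies are needed for investigations.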
+1
@@ -11,6 +11,7 @@ spec:
revision: HEAD
directories:
- path: apps/overlays/*/artifactapi
- path: apps/overlays/*/cattle-system
- path: apps/overlays/*/certificates
- path: apps/overlays/*/reflector-system
- path: apps/overlays/*/reloader-system
+1
@@ -10,6 +10,7 @@ spec:
- https://git.unkin.net/unkin/argocd-apps
- oci://ghcr.io/emberstack/helm-charts
- oci://ghcr.io/woodpecker-ci/helm/woodpecker
- https://releases.rancher.com/server-charts/stable
destinations:
- namespace: '*-system'
server: https://kubernetes.default.svc