feat: migrate cattle-system (Rancher) from Terraform to ArgoCD (#39)
- Add cattle-system base ArgoCD application with namespace, Vault integration, and ingress
- Create cattle-system overlay for au-syd1 with Rancher Helm chart configuration
- Update platform ApplicationSet to include cattle-system deployment
- Update platform project to include the Rancher Helm repository as a source
- Configure Rancher v2.13.1 with HA, TLS, audit logging, and bootstrap secret from Vault
- Maintain a one-to-one migration from the Terraform configuration

Reviewed-on: #39
This commit was merged in pull request #39.
@@ -0,0 +1,29 @@
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: rancher
|
||||
namespace: cattle-system
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: vault-issuer
|
||||
cert-manager.io/common-name: rancher.k8s.syd1.au.unkin.net
|
||||
cert-manager.io/private-key-size: "4096"
|
||||
external-dns.alpha.kubernetes.io/hostname: rancher.k8s.syd1.au.unkin.net
|
||||
external-dns.alpha.kubernetes.io/target: "198.18.200.0"
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
tls:
|
||||
- hosts:
|
||||
- rancher.k8s.syd1.au.unkin.net
|
||||
secretName: rancher-tls
|
||||
rules:
|
||||
- host: rancher.k8s.syd1.au.unkin.net
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: rancher
|
||||
port:
|
||||
number: 80
|
||||
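Review bot: The cert-manager and external-dns annotations hard-code the site-specific hostname `rancher.k8s.syd1.au.unkin.net` into what the overlay kustomization treats as the shared base (`../../../base/cattle-system`), and the same applies to `mount: k8s/au/syd1` in the VaultAuth hunk and `path: service/kubernetes/au/syd1/rancher/bootstrap-password` in the VaultStaticSecret hunk. Any second overlay matched by `apps/overlays/*/cattle-system` would inherit the syd1 values unless it patches them, so either move these resources into the au-syd1 overlay or mark them in the base with a comment such as `# site-specific value: override per overlay via a patch`. Separately, this Ingress replaces the chart's own one (`ingress.enabled: false` in values.yaml) but carries none of the proxy timeout annotations the chart's ingress template normally sets; if long-lived agent or websocket connections drop at the nginx default read timeout, consider `nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"` and `nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"`.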
@@ -0,0 +1,9 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- vaultauth.yaml
|
||||
- vaultstaticsecret.yaml
|
||||
- ingress.yaml
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cattle-system
|
||||
@@ -0,0 +1,18 @@
|
||||
---
|
||||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: rancher
|
||||
namespace: cattle-system
|
||||
spec:
|
||||
method: kubernetes
|
||||
mount: k8s/au/syd1
|
||||
vaultConnectionRef: vso-system/default
|
||||
allowedNamespaces:
|
||||
- cattle-system
|
||||
kubernetes:
|
||||
role: rancher
|
||||
serviceAccount: rancher
|
||||
audiences:
|
||||
- vault
|
||||
tokenExpirationSeconds: 600
|
||||
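Review bot: `serviceAccount: rancher` refers to a ServiceAccount that nothing in the base creates; as far as this page shows it is provided by the Rancher chart inflated in the overlay, so the base is not self-contained and the Kubernetes auth login will be rejected until the chart has been applied. A comment on that line, `# created by the rancher Helm chart in the overlay, not by this base`, would record the dependency for the next reader.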
@@ -0,0 +1,15 @@
|
||||
---
|
||||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: rancher-bootstrap-secret
|
||||
namespace: cattle-system
|
||||
spec:
|
||||
vaultAuthRef: rancher
|
||||
mount: kv
|
||||
type: kv-v2
|
||||
path: service/kubernetes/au/syd1/rancher/bootstrap-password
|
||||
refreshAfter: 5m
|
||||
destination:
|
||||
name: rancher-bootstrap-secret
|
||||
create: true
|
||||
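Review bot: The destination Secret is consumed in values.yaml via `secretKeyRef.key: password`, but nothing here pins the KV field name; if the Vault entry stores the value under a different key, the Rancher pod fails at container creation with a missing-key error rather than at sync time. A comment such as `# KV data must contain a "password" field; consumed by CATTLE_BOOTSTRAP_PASSWORD in values.yaml` makes the coupling explicit. Because VSO materialises this Secret asynchronously, the Rancher pods may sit in CreateContainerConfigError until the first sync; an `argocd.argoproj.io/sync-wave` annotation ordering this resource ahead of the chart is one way to make the ordering deterministic.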
@@ -0,0 +1,14 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- ../../../base/cattle-system
|
||||
|
||||
helmCharts:
|
||||
- name: rancher
|
||||
repo: https://releases.rancher.com/server-charts/stable
|
||||
version: "2.13.1"
|
||||
releaseName: rancher
|
||||
namespace: cattle-system
|
||||
valuesFile: values.yaml
|
||||
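Review bot: The `helmCharts` inflator only runs when kustomize is invoked with `--enable-helm`, which Argo CD does not pass by default; unless the repo-server is already configured with `kustomize.buildOptions: --enable-helm` in `argocd-cm`, this overlay renders only the base resources and the Rancher deployment is silently absent. A one-line comment above `helmCharts:`, `# requires kustomize.buildOptions: --enable-helm in argocd-cm`, would make the dependency visible. Pinning the chart as the quoted string `"2.13.1"` is correct and avoids the float-typing trap.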
@@ -0,0 +1,40 @@
|
||||
hostname: rancher.k8s.syd1.au.unkin.net
|
||||
|
||||
bootstrapPassword: ""
|
||||
|
||||
extraEnv:
|
||||
- name: CATTLE_BOOTSTRAP_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: rancher-bootstrap-secret
|
||||
key: password
|
||||
|
||||
ingress:
|
||||
enabled: false
|
||||
|
||||
tls: external
|
||||
|
||||
replicas: 3
|
||||
|
||||
priorityClassName: rancher-critical
|
||||
|
||||
# Resource limits for production
|
||||
resources:
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 8Gi
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 256Mi
|
||||
|
||||
# Additional security settings
|
||||
antiAffinity: preferred
|
||||
|
||||
# Audit logging configuration
|
||||
auditLog:
|
||||
enabled: true
|
||||
destination: sidecar
|
||||
level: 1
|
||||
maxAge: 7
|
||||
maxBackup: 3
|
||||
maxSize: 100
|
||||
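Review bot: The comment `# Additional security settings` over `antiAffinity: preferred` mislabels the setting, which governs scheduling spread rather than security, and with `replicas: 3` a `preferred` anti-affinity is best-effort, so the HA described in the commit message can collapse onto a single node under scheduling pressure. Rename the comment to `# Scheduling: spread replicas across nodes (best-effort)` and consider `antiAffinity: required` if the cluster has at least three schedulable nodes. `bootstrapPassword: ""` also deserves a comment, since the reason it is empty is only visible by cross-reading `extraEnv`: `# left empty so the chart does not render its own bootstrap Secret; CATTLE_BOOTSTRAP_PASSWORD comes from extraEnv below` (confirm against the chart's deployment template for this version).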
@@ -11,6 +11,7 @@ spec:
|
||||
revision: HEAD
|
||||
directories:
|
||||
- path: apps/overlays/*/artifactapi
|
||||
- path: apps/overlays/*/cattle-system
|
||||
- path: apps/overlays/*/certificates
|
||||
- path: apps/overlays/*/reflector-system
|
||||
- path: apps/overlays/*/reloader-system
|
||||
|
||||
@@ -10,6 +10,7 @@ spec:
|
||||
- https://git.unkin.net/unkin/argocd-apps
|
||||
- oci://ghcr.io/emberstack/helm-charts
|
||||
- oci://ghcr.io/woodpecker-ci/helm/woodpecker
|
||||
- https://releases.rancher.com/server-charts/stable
|
||||
destinations:
|
||||
- namespace: '*-system'
|
||||
server: https://kubernetes.default.svc
|
||||
|
||||
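Review bot: Adding `https://releases.rancher.com/server-charts/stable` to `sourceRepos` looks defensive rather than effective: the Application's `repoURL` is the git repository, and charts pulled by kustomize's `helmCharts` inflator are fetched inside the repo-server without, as far as I know, being checked against the project's `sourceRepos`, so this entry neither enables nor restricts the chart fetch. If that holds for the Argo CD version in use, a comment on the new line such as `# documents the chart origin; not enforced for kustomize helmCharts inflation` avoids a false sense of allowlisting.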