feat: migrate cattle-system (Rancher) from Terraform to ArgoCD (#39)
- Add cattle-system base ArgoCD application with namespace, Vault integration, and ingress - Create cattle-system overlay for au-syd1 with Rancher Helm chart configuration - Update platform ApplicationSet to include cattle-system deployment - Update platform project to include Rancher Helm repository as source - Configure Rancher v2.13.1 with HA, TLS, audit logging, and bootstrap secret from Vault - Maintain one-to-one migration from Terraform configuration Reviewed-on: #39
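--- /dev/null
+++ b/apps/base/cattle-system/ingress.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: rancher
+  namespace: cattle-system
+  annotations:
+    cert-manager.io/cluster-issuer: vault-issuer
+    cert-manager.io/common-name: rancher.k8s.syd1.au.unkin.net
+    cert-manager.io/private-key-size: "4096"
+    external-dns.alpha.kubernetes.io/hostname: rancher.k8s.syd1.au.unkin.net
+    external-dns.alpha.kubernetes.io/target: "198.18.200.0"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - rancher.k8s.syd1.au.unkin.net
+      secretName: rancher-tls
+  rules:
+    - host: rancher.k8s.syd1.au.unkin.net
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: rancher
+                port:
+                  number: 80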
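Review bot: This Ingress is the TLS terminator for Rancher but nothing in the file says so: the au-syd1 overlay deploys the chart with `ingress.enabled: false` and `tls: external`, and the backend here is plain port 80, so a change to either file can silently break the pairing. Add a comment above `spec` such as `# TLS terminates at this Ingress: the Rancher chart runs with ingress.enabled=false and tls=external, so the service is reached on port 80`. The hostname `rancher.k8s.syd1.au.unkin.net` is also repeated four times (cert-manager common-name, external-dns hostname, tls hosts, rules host) and a mismatch between the certificate name and the rule host only shows up at connect time; a comment stating that all four must change together would make that visible. The external-dns target `198.18.200.0` is a hard-coded address with no indication of what it is (presumably the ingress controller's load-balancer IP); naming its source in a comment helps the next person who has to move it.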
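--- /dev/null
+++ b/apps/base/cattle-system/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - vaultauth.yaml
+  - vaultstaticsecret.yaml
+  - ingress.yaml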
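--- /dev/null
+++ b/apps/base/cattle-system/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cattle-system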
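Review bot: The Namespace carries no `pod-security.kubernetes.io/enforce` label, so its admission level is whatever the cluster default is, and that is not visible from this manifest. Rancher's own Pod Security Admission guidance, as far as I recall it, treats cattle-system as a namespace that must be exempt from the restricted level, so if this cluster enforces a default the Rancher pods may be rejected at admission rather than the Terraform behaviour being reproduced — this is inferred, not something the diff shows. Either set the level explicitly under `metadata.labels` or add a comment such as `# PSA level intentionally inherited from the cluster default; see <cluster PSA config location>` so the commit's one-to-one migration claim can be checked against the old Terraform namespace definition.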
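--- /dev/null
+++ b/apps/base/cattle-system/vaultauth.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: rancher
+  namespace: cattle-system
+spec:
+  method: kubernetes
+  mount: k8s/au/syd1
+  vaultConnectionRef: vso-system/default
+  allowedNamespaces:
+    - cattle-system
+  kubernetes:
+    role: rancher
+    serviceAccount: rancher
+    audiences:
+      - vault
+    tokenExpirationSeconds: 600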
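Review bot: `serviceAccount: rancher` makes the Vault Secrets Operator authenticate with the same identity the Rancher server pods run as — presumably the `rancher` ServiceAccount created by the Helm chart in the overlay, since this base does not create one — so every Rancher pod holds a token that Vault will accept for role `rancher`, not only the operator. A dedicated ServiceAccount used solely by VSO (created in this base) would confine the Vault role to the operator; the Vault-side role binding would need the matching change, which is outside this diff. At minimum the cross-file dependency should be documented, e.g. `# serviceAccount is created by the Rancher Helm chart in the overlay, not by this base; VSO cannot authenticate until the chart has been applied`, because the base is not self-contained and a `kustomize build` of it alone produces a VaultAuth that can never succeed.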
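--- /dev/null
+++ b/apps/base/cattle-system/vaultstaticsecret.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: rancher-bootstrap-secret
+  namespace: cattle-system
+spec:
+  vaultAuthRef: rancher
+  mount: kv
+  type: kv-v2
+  path: service/kubernetes/au/syd1/rancher/bootstrap-password
+  refreshAfter: 5m
+  destination:
+    name: rancher-bootstrap-secret
+    create: true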
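Review bot: The destination Secret's key name is an undocumented contract with the overlay: values.yaml reads `key: password` from `rancher-bootstrap-secret`, but nothing here says the KV entry at `service/kubernetes/au/syd1/rancher/bootstrap-password` must expose a `password` field, and VSO copies whatever fields the entry has. Add above `path` a comment such as `# the KV entry must contain a "password" field; the overlay's extraEnv maps it to CATTLE_BOOTSTRAP_PASSWORD`. `refreshAfter: 5m` also deserves a note: as far as Rancher's documented behaviour goes the bootstrap password is consumed only on first start, so a later rotation in Vault refreshes the Secret without changing the admin password of the running installation — a reader should not expect this to act as a password reset. Since the path is region-specific (`au/syd1`) while the file lives in the shared base, a comment stating that a second overlay would need to patch `path` and `vaultAuthRef` would prevent a copy-paste reuse of the wrong Vault entry.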
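--- /dev/null
+++ b/apps/overlays/au-syd1/cattle-system/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../../base/cattle-system
+
+helmCharts:
+  - name: rancher
+    repo: https://releases.rancher.com/server-charts/stable
+    version: "2.13.1"
+    releaseName: rancher
+    namespace: cattle-system
+    valuesFile: values.yaml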
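--- /dev/null
+++ b/apps/overlays/au-syd1/cattle-system/values.yaml
@@ -0,0 +1,40 @@
+hostname: rancher.k8s.syd1.au.unkin.net
+
+bootstrapPassword: ""
+
+extraEnv:
+  - name: CATTLE_BOOTSTRAP_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: rancher-bootstrap-secret
+        key: password
+
+ingress:
+  enabled: false
+
+tls: external
+
+replicas: 3
+
+priorityClassName: rancher-critical
+
+# Resource limits for production
+resources:
+  limits:
+    cpu: 2000m
+    memory: 8Gi
+  requests:
+    cpu: 50m
+    memory: 256Mi
+
+# Additional security settings
+antiAffinity: preferred
+
+# Audit logging configuration
+auditLog:
+  enabled: true
+  destination: sidecar
+  level: 1
+  maxAge: 7
+  maxBackup: 3
+  maxSize: 100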
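Review bot: The comment `# Additional security settings` above `antiAffinity: preferred` is misleading — anti-affinity is an availability control, and `preferred` is only a scheduling hint, so all three replicas can still land on one node. Replace it with `# Scheduling: spread replicas across nodes (preferred, not required; replicas may co-locate under node pressure)`, and decide whether HA here wants `required`, which the chart also accepts — that is a behaviour change relative to the Terraform values the commit says it mirrors, so only if it was already the intent. `priorityClassName: rancher-critical` references a PriorityClass that this diff does not create; a missing class rejects the pods at admission, so a comment naming where it is defined would make the dependency visible. `auditLog.level: 1` records request metadata only; if the audit trail is meant to answer what was changed rather than who called what, that is worth stating in the `# Audit logging configuration` comment, since the higher levels (request/response content) are a deliberate storage trade-off.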
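--- a/PLACEHOLDER-platform-applicationset.yaml
+++ b/PLACEHOLDER-platform-applicationset.yaml
@@ -11,6 +11,7 @@ spec:
         revision: HEAD
         directories:
           - path: apps/overlays/*/artifactapi
+          - path: apps/overlays/*/cattle-system
           - path: apps/overlays/*/certificates
           - path: apps/overlays/*/reflector-system
           - path: apps/overlays/*/reloader-system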
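--- a/PLACEHOLDER-platform-appproject.yaml
+++ b/PLACEHOLDER-platform-appproject.yaml
@@ -10,6 +10,7 @@ spec:
     - https://git.unkin.net/unkin/argocd-apps
     - oci://ghcr.io/emberstack/helm-charts
     - oci://ghcr.io/woodpecker-ci/helm/woodpecker
+    - https://releases.rancher.com/server-charts/stable
   destinations:
     - namespace: '*-system'
       server: https://kubernetes.default.svc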