Rework base infrastructure for clusters

infrastructure/gitlab-runner/kustomization.yaml → infrastructure/calico/kustomization.yaml

 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: openshift-operators
+namespace: default
 resources:
-  - subscription.yaml
+  - repository.yaml
+  - release.yaml

infrastructure/calico/release.yaml

+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: calico
+  namespace: default
+spec:
+  releaseName: calico
+  chart:
+    spec:
+      chart: tigera-operator
+      sourceRef:
+        kind: HelmRepository
+        name: projectcalico
+      version: v3.20.1
+  interval: 15m

infrastructure/calico/repository.yaml

+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: projectcalico
+spec:
+  interval: 30m
+  url: https://docs.projectcalico.org/charts

infrastructure/cert-manager/kustomization.yaml

 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: openshift-operators
+namespace: cert-manager
 resources:
-  - subscription.yaml
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml

infrastructure/namespace-configuration/namespace.yaml → infrastructure/cert-manager/namespace.yaml

 apiVersion: v1
 kind: Namespace
 metadata:
-  name: namespace-configuration-operator
+  name: cert-manager
   labels:
-    name: namespace-configuration-operator
+    name: cert-manager

infrastructure/cert-manager/release.yaml

+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  releaseName: cert-manager
+  chart:
+    spec:
+      chart: cert-manager
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack
+      version: v1.5.3
+  interval: 5m
+  values:
+    installCRDs: true

infrastructure/cert-manager/repository.yaml

+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: jetstack
+spec:
+  interval: 30m
+  url: https://charts.jetstack.io

infrastructure/cert-manager/subscription.yaml

-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: cert-manager
-  namespace: openshift-operators
-spec:
-  channel: stable
-  name: cert-manager
-  source: community-operators
-  sourceNamespace: openshift-marketplace

infrastructure/gitlab-runner/subscription.yaml

-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: gitlab-runner-operator
-  namespace: openshift-operators
-spec:
-  channel: stable
-  installPlanApproval: Automatic
-  name: gitlab-runner-operator
-  source: community-operators
-  sourceNamespace: openshift-marketplace

infrastructure/hcloud-csi/hcloud-csi.yaml

----
-apiVersion: storage.k8s.io/v1
-kind: CSIDriver
-metadata:
-  name: csi.hetzner.cloud
-spec:
-  attachRequired: true
-  podInfoOnMount: true
-  volumeLifecycleModes:
-    - Persistent
----
-kind: StorageClass
-apiVersion: storage.k8s.io/v1
-metadata:
-  namespace: kube-system
-  name: hcloud-volumes
-provisioner: csi.hetzner.cloud
-volumeBindingMode: WaitForFirstConsumer
-allowVolumeExpansion: true
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: hcloud-csi
-  namespace: kube-system
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: hcloud-csi
-rules:
-  # attacher
-  - apiGroups: [""]
-    resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["csi.storage.k8s.io"]
-    resources: ["csinodeinfos"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["csinodes"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["volumeattachments"]
-    verbs: ["get", "list", "watch", "update", "patch"]
-  # provisioner
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list"]
-  - apiGroups: [""]
-    resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "create", "delete", "patch"]
-  - apiGroups: [""]
-    resources: ["persistentvolumeclaims", "persistentvolumeclaims/status"]
-    verbs: ["get", "list", "watch", "update", "patch"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["storageclasses"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["list", "watch", "create", "update", "patch"]
-  - apiGroups: ["snapshot.storage.k8s.io"]
-    resources: ["volumesnapshots"]
-    verbs: ["get", "list"]
-  - apiGroups: ["snapshot.storage.k8s.io"]
-    resources: ["volumesnapshotcontents"]
-    verbs: ["get", "list"]
-  # node
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: hcloud-csi
-subjects:
-  - kind: ServiceAccount
-    name: hcloud-csi
-    namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: hcloud-csi
-  apiGroup: rbac.authorization.k8s.io
----
-kind: StatefulSet
-apiVersion: apps/v1
-metadata:
-  name: hcloud-csi-controller
-  namespace: kube-system
-spec:
-  selector:
-    matchLabels:
-      app: hcloud-csi-controller
-  serviceName: hcloud-csi-controller
-  replicas: 1
-  template:
-    metadata:
-      labels:
-        app: hcloud-csi-controller
-    spec:
-      serviceAccount: hcloud-csi
-      containers:
-        - name: csi-attacher
-          image: quay.io/k8scsi/csi-attacher:v2.2.0
-          args:
-            - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock
-            - --v=5
-          volumeMounts:
-            - name: socket-dir
-              mountPath: /var/lib/csi/sockets/pluginproxy/
-          securityContext:
-            privileged: true
-            capabilities:
-              add: ["SYS_ADMIN"]
-            allowPrivilegeEscalation: true
-        - name: csi-resizer
-          image: quay.io/k8scsi/csi-resizer:v0.3.0
-          args:
-            - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock
-            - --v=5
-          volumeMounts:
-            - name: socket-dir
-              mountPath: /var/lib/csi/sockets/pluginproxy/
-          securityContext:
-            privileged: true
-            capabilities:
-              add: ["SYS_ADMIN"]
-            allowPrivilegeEscalation: true
-        - name: csi-provisioner
-          image: quay.io/k8scsi/csi-provisioner:v1.6.0
-          args:
-            - --provisioner=csi.hetzner.cloud
-            - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock
-            - --feature-gates=Topology=true
-            - --v=5
-          volumeMounts:
-            - name: socket-dir
-              mountPath: /var/lib/csi/sockets/pluginproxy/
-          securityContext:
-            privileged: true
-            capabilities:
-              add: ["SYS_ADMIN"]
-            allowPrivilegeEscalation: true
-        - name: hcloud-csi-driver
-          image: image-registry.openshift-image-registry.svc:5000/kube-system/hcloud-csi-driver:latest
-          imagePullPolicy: Always
-          env:
-            - name: CSI_ENDPOINT
-              value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
-            - name: METRICS_ENDPOINT
-              value: 0.0.0.0:9189
-            - name: KUBE_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  apiVersion: v1
-                  fieldPath: spec.nodeName
-            - name: HCLOUD_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: hcloud-csi
-                  key: token
-          volumeMounts:
-            - name: socket-dir
-              mountPath: /var/lib/csi/sockets/pluginproxy/
-          ports:
-            - containerPort: 9189
-              name: metrics
-            - name: healthz
-              containerPort: 9808
-              protocol: TCP
-          livenessProbe:
-            failureThreshold: 5
-            httpGet:
-              path: /healthz
-              port: healthz
-            initialDelaySeconds: 10
-            timeoutSeconds: 3
-            periodSeconds: 2
-          securityContext:
-            privileged: true
-            capabilities:
-              add: ["SYS_ADMIN"]
-            allowPrivilegeEscalation: true
-        - name: liveness-probe
-          imagePullPolicy: Always
-          image: quay.io/k8scsi/livenessprobe:v1.1.0
-          args:
-            - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock
-          volumeMounts:
-            - mountPath: /var/lib/csi/sockets/pluginproxy/
-              name: socket-dir
-      volumes:
-        - name: socket-dir
-          emptyDir: {}
----
-kind: DaemonSet
-apiVersion: apps/v1
-metadata:
-  name: hcloud-csi-node
-  namespace: kube-system
-  labels:
-    app: hcloud-csi
-spec:
-  selector:
-    matchLabels:
-      app: hcloud-csi
-  template:
-    metadata:
-      labels:
-        app: hcloud-csi
-    spec:
-      tolerations:
-        - effect: NoExecute
-          operator: Exists
-        - effect: NoSchedule
-          operator: Exists
-        - key: CriticalAddonsOnly
-          operator: Exists
-      serviceAccount: hcloud-csi
-      hostNetwork: true
-      containers:
-        - name: csi-node-driver-registrar
-          image: quay.io/k8scsi/csi-node-driver-registrar:v1.3.0
-          args:
-            - --v=5
-            - --csi-address=/csi/csi.sock
-            - --kubelet-registration-path=/var/lib/kubelet/plugins/csi.hetzner.cloud/csi.sock
-          env:
-            - name: KUBE_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  apiVersion: v1
-                  fieldPath: spec.nodeName
-          volumeMounts:
-            - name: plugin-dir
-              mountPath: /csi
-            - name: registration-dir
-              mountPath: /registration
-          securityContext:
-            privileged: true
-        - name: hcloud-csi-driver
-          image: image-registry.openshift-image-registry.svc:5000/kube-system/hcloud-csi-driver:latest
-          imagePullPolicy: Always
-          env:
-            - name: CSI_ENDPOINT
-              value: unix:///csi/csi.sock
-            - name: METRICS_ENDPOINT
-              value: 0.0.0.0:9189
-            - name: HCLOUD_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: hcloud-csi
-                  key: token
-            - name: KUBE_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  apiVersion: v1
-                  fieldPath: spec.nodeName
-          volumeMounts:
-            - name: kubelet-dir
-              mountPath: /var/lib/kubelet
-              mountPropagation: "Bidirectional"
-            - name: plugin-dir
-              mountPath: /csi
-            - name: device-dir
-              mountPath: /dev
-          securityContext:
-            privileged: true
-          ports:
-            - containerPort: 9189
-              name: metrics
-            - name: healthz
-              containerPort: 9808
-              protocol: TCP
-          livenessProbe:
-            failureThreshold: 5
-            httpGet:
-              path: /healthz
-              port: healthz
-            initialDelaySeconds: 10
-            timeoutSeconds: 3
-            periodSeconds: 2
-        - name: liveness-probe
-          imagePullPolicy: Always
-          image: quay.io/k8scsi/livenessprobe:v1.1.0
-          args:
-            - --csi-address=/csi/csi.sock
-          volumeMounts:
-            - mountPath: /csi
-              name: plugin-dir
-      volumes:
-        - name: kubelet-dir
-          hostPath:
-            path: /var/lib/kubelet
-            type: Directory
-        - name: plugin-dir
-          hostPath:
-            path: /var/lib/kubelet/plugins/csi.hetzner.cloud/
-            type: DirectoryOrCreate
-        - name: registration-dir
-          hostPath:
-            path: /var/lib/kubelet/plugins_registry/
-            type: Directory
-        - name: device-dir
-          hostPath:
-            path: /dev
-            type: Directory
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: hcloud-csi-controller-metrics
-  namespace: kube-system
-  labels:
-    app: hcloud-csi
-spec:
-  selector:
-    app: hcloud-csi-controller
-  ports:
-    - port: 9189
-      name: metrics
-      targetPort: metrics
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: hcloud-csi-node-metrics
-  namespace: kube-system
-  labels:
-    app: hcloud-csi
-spec:
-  selector:
-    app: hcloud-csi
-  ports:
-    - port: 9189
-      name: metrics
-      targetPort: metrics

infrastructure/hcloud-csi/imagestream.yaml

-kind: ImageStream
-apiVersion: image.openshift.io/v1
-metadata:
-  name: hcloud-csi-driver
-  namespace: kube-system
-spec:
-  lookupPolicy:
-    local: false
-  tags:
-    - name: latest
-      annotations: null
-      from:
-        kind: DockerImage
-        name: 'docker.io/hetznercloud/hcloud-csi-driver:latest'
-      importPolicy:
-        scheduled: true
-      referencePolicy:
-        type: Local

infrastructure/hcloud-csi/kustomization.yaml

 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- hcloud-csi.yaml
-- imagestream.yaml
+- https://git.shivering-isles.com/github-mirror/hetznercloud/csi-driver/-/raw/v1.6.0/deploy/kubernetes/hcloud-csi.yml
+patchesJson6902:
+- target:
+    group: "storage.k8s.io"
+    version: v1
+    kind: StorageClass
+    name: hcloud-volumes
+  path: remove-default-annotation.yaml

infrastructure/hcloud-csi/remove-default-annotation.yaml

+- op: remove
+  path: metadata/annotations

infrastructure/kustomization.yaml

 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - sources
+  - calico
+  - kyverno
   - hcloud-csi
-  - cert-manager
-  - namespace-configuration
   - rook
-  - postgres
-  - openshift-monitoring
-
+  - cert-manager

infrastructure/kyverno/deny-network-policies.yaml

+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deny-netpol-changes
+spec:
+  validationFailureAction: enforce
+  background: false
+  rules:
+  - name: deny-netpol-changes
+    match:
+      resources:
+        kinds:
+        - NetworkPolicy
+        name: "*-managed"
+    exclude:
+      clusterRoles:
+      - cluster-admin
+    validate:
+      message: "Changing managed network policies is not allowed."
+      deny: {}

infrastructure/kyverno/deny-system-namespaces.yaml

+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deny-system-namespaces
+spec:
+  validationFailureAction: enforce
+  background: false
+  rules:
+  - name: deny-system-namespaces
+    match:
+      resources:
+        kinds:
+        - Namespace
+        name: "*-system"
+    exclude:
+      clusterRoles:
+      - cluster-admin
+    validate:
+      message: "Creating *-system namespaces is not allowed."
+      deny: {}

infrastructure/namespace-configuration/kustomization.yaml → infrastructure/kyverno/kustomization.yaml

 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: namespace-configuration-operator
+namespace: kyverno
 resources:
   - namespace.yaml
-- subscription.yaml
-- network-policy.yaml
+  - repository.yaml
+  - release.yaml
+  - deny-system-namespaces.yaml
+  - deny-network-policies.yaml

infrastructure/kyverno/namespace.yaml

+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kyverno
+  labels:
+    name: kyverno

infrastructure/kyverno/release.yaml

+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kyverno-crds
+  namespace: kyverno
+spec:
+  releaseName: kyverno-crds
+  chart:
+    spec:
+      chart: kyverno-crds
+      sourceRef:
+        kind: HelmRepository
+        name: kyverno
+      version: v3.20.1
+  interval: 5m
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kyverno
+  namespace: kyverno
+spec:
+  releaseName: kyverno
+  chart:
+    spec:
+      chart: kyverno
+      sourceRef:
+        kind: HelmRepository
+        name: kyverno
+      version: v3.20.1
+  interval: 5m
+  dependsOn:
+    - name: kyverno-crds

infrastructure/kyverno/repository.yaml

+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: kyverno
+spec:
+  interval: 30m
+  url: https://kyverno.github.io/kyverno/