Verified Commit d5d2e9c7 authored by Sheogorath's avatar Sheogorath :european_castle:

Rework base infrastructure for clusters

parent abafc1d1
with 167 additions and 392 deletions
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: openshift-operators
namespace: default
resources:
- subscription.yaml
- repository.yaml
- release.yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: calico
namespace: default
spec:
releaseName: calico
chart:
spec:
chart: tigera-operator
sourceRef:
kind: HelmRepository
name: projectcalico
version: v3.20.1
interval: 15m
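Review bot: The calico HelmRelease is the only component in this commit whose release is placed in the `default` namespace (L17, L26), while cert-manager and kyverno each get a dedicated namespace through a namespace.yaml (L57, L547). Helm keeps its release records as Secrets in the release namespace, so this puts infrastructure state into the namespace ordinary workloads fall into; a dedicated namespace as for the other two components keeps the layout consistent. The `interval: 15m` here also differs from the `5m` used by every other HelmRelease on this page, which looks unintentional; if it is deliberate, a one-line comment above it saying why would help. File boundaries on this page are inferred, as no file headers are printed.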
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
name: projectcalico
spec:
interval: 30m
url: https://docs.projectcalico.org/charts
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: openshift-operators
namespace: cert-manager
resources:
- subscription.yaml
- namespace.yaml
- repository.yaml
- release.yaml
apiVersion: v1
kind: Namespace
metadata:
name: namespace-configuration-operator
name: cert-manager
labels:
name: namespace-configuration-operator
name: cert-manager
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: cert-manager
namespace: cert-manager
spec:
releaseName: cert-manager
chart:
spec:
chart: cert-manager
sourceRef:
kind: HelmRepository
name: jetstack
version: v1.5.3
interval: 5m
values:
installCRDs: true
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
name: jetstack
spec:
interval: 30m
url: https://charts.jetstack.io
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: cert-manager
namespace: openshift-operators
spec:
channel: stable
name: cert-manager
source: community-operators
sourceNamespace: openshift-marketplace
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: gitlab-runner-operator
namespace: openshift-operators
spec:
channel: stable
installPlanApproval: Automatic
name: gitlab-runner-operator
source: community-operators
sourceNamespace: openshift-marketplace
---
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: csi.hetzner.cloud
spec:
attachRequired: true
podInfoOnMount: true
volumeLifecycleModes:
- Persistent
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
namespace: kube-system
name: hcloud-volumes
provisioner: csi.hetzner.cloud
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: hcloud-csi
namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hcloud-csi
rules:
# attacher
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["csi.storage.k8s.io"]
resources: ["csinodeinfos"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["get", "list", "watch", "update", "patch"]
# provisioner
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims", "persistentvolumeclaims/status"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
verbs: ["get", "list"]
# node
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hcloud-csi
subjects:
- kind: ServiceAccount
name: hcloud-csi
namespace: kube-system
roleRef:
kind: ClusterRole
name: hcloud-csi
apiGroup: rbac.authorization.k8s.io
---
kind: StatefulSet
apiVersion: apps/v1
metadata:
name: hcloud-csi-controller
namespace: kube-system
spec:
selector:
matchLabels:
app: hcloud-csi-controller
serviceName: hcloud-csi-controller
replicas: 1
template:
metadata:
labels:
app: hcloud-csi-controller
spec:
serviceAccount: hcloud-csi
containers:
- name: csi-attacher
image: quay.io/k8scsi/csi-attacher:v2.2.0
args:
- --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock
- --v=5
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true
- name: csi-resizer
image: quay.io/k8scsi/csi-resizer:v0.3.0
args:
- --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock
- --v=5
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true
- name: csi-provisioner
image: quay.io/k8scsi/csi-provisioner:v1.6.0
args:
- --provisioner=csi.hetzner.cloud
- --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock
- --feature-gates=Topology=true
- --v=5
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true
- name: hcloud-csi-driver
image: image-registry.openshift-image-registry.svc:5000/kube-system/hcloud-csi-driver:latest
imagePullPolicy: Always
env:
- name: CSI_ENDPOINT
value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
- name: METRICS_ENDPOINT
value: 0.0.0.0:9189
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: HCLOUD_TOKEN
valueFrom:
secretKeyRef:
name: hcloud-csi
key: token
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
ports:
- containerPort: 9189
name: metrics
- name: healthz
containerPort: 9808
protocol: TCP
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 2
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true
- name: liveness-probe
imagePullPolicy: Always
image: quay.io/k8scsi/livenessprobe:v1.1.0
args:
- --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts:
- mountPath: /var/lib/csi/sockets/pluginproxy/
name: socket-dir
volumes:
- name: socket-dir
emptyDir: {}
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: hcloud-csi-node
namespace: kube-system
labels:
app: hcloud-csi
spec:
selector:
matchLabels:
app: hcloud-csi
template:
metadata:
labels:
app: hcloud-csi
spec:
tolerations:
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
serviceAccount: hcloud-csi
hostNetwork: true
containers:
- name: csi-node-driver-registrar
image: quay.io/k8scsi/csi-node-driver-registrar:v1.3.0
args:
- --v=5
- --csi-address=/csi/csi.sock
- --kubelet-registration-path=/var/lib/kubelet/plugins/csi.hetzner.cloud/csi.sock
env:
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
volumeMounts:
- name: plugin-dir
mountPath: /csi
- name: registration-dir
mountPath: /registration
securityContext:
privileged: true
- name: hcloud-csi-driver
image: image-registry.openshift-image-registry.svc:5000/kube-system/hcloud-csi-driver:latest
imagePullPolicy: Always
env:
- name: CSI_ENDPOINT
value: unix:///csi/csi.sock
- name: METRICS_ENDPOINT
value: 0.0.0.0:9189
- name: HCLOUD_TOKEN
valueFrom:
secretKeyRef:
name: hcloud-csi
key: token
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
volumeMounts:
- name: kubelet-dir
mountPath: /var/lib/kubelet
mountPropagation: "Bidirectional"
- name: plugin-dir
mountPath: /csi
- name: device-dir
mountPath: /dev
securityContext:
privileged: true
ports:
- containerPort: 9189
name: metrics
- name: healthz
containerPort: 9808
protocol: TCP
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 2
- name: liveness-probe
imagePullPolicy: Always
image: quay.io/k8scsi/livenessprobe:v1.1.0
args:
- --csi-address=/csi/csi.sock
volumeMounts:
- mountPath: /csi
name: plugin-dir
volumes:
- name: kubelet-dir
hostPath:
path: /var/lib/kubelet
type: Directory
- name: plugin-dir
hostPath:
path: /var/lib/kubelet/plugins/csi.hetzner.cloud/
type: DirectoryOrCreate
- name: registration-dir
hostPath:
path: /var/lib/kubelet/plugins_registry/
type: Directory
- name: device-dir
hostPath:
path: /dev
type: Directory
---
apiVersion: v1
kind: Service
metadata:
name: hcloud-csi-controller-metrics
namespace: kube-system
labels:
app: hcloud-csi
spec:
selector:
app: hcloud-csi-controller
ports:
- port: 9189
name: metrics
targetPort: metrics
---
apiVersion: v1
kind: Service
metadata:
name: hcloud-csi-node-metrics
namespace: kube-system
labels:
app: hcloud-csi
spec:
selector:
app: hcloud-csi
ports:
- port: 9189
name: metrics
targetPort: metrics
kind: ImageStream
apiVersion: image.openshift.io/v1
metadata:
name: hcloud-csi-driver
namespace: kube-system
spec:
lookupPolicy:
local: false
tags:
- name: latest
annotations: null
from:
kind: DockerImage
name: 'docker.io/hetznercloud/hcloud-csi-driver:latest'
importPolicy:
scheduled: true
referencePolicy:
type: Local
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- hcloud-csi.yaml
- imagestream.yaml
- https://git.shivering-isles.com/github-mirror/hetznercloud/csi-driver/-/raw/v1.6.0/deploy/kubernetes/hcloud-csi.yml
patchesJson6902:
- target:
group: "storage.k8s.io"
version: v1
kind: StorageClass
name: hcloud-volumes
path: remove-default-annotation.yaml
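Review bot: The remote resource at L469 fetches the complete CSI driver manifest (privileged DaemonSet and StatefulSet plus their ClusterRole, as the in-repo copy at L106-L445 shows) from a raw URL pinned only to the `v1.6.0` tag, and kustomize performs no integrity check on raw HTTP resources, so whoever can move that tag on the mirror changes what is applied to kube-system without any change appearing in this repository. If, as the deletion count suggests, the in-repo hcloud-csi.yaml is the removed side, pinning the path to an immutable commit id instead, `- https://git.shivering-isles.com/github-mirror/hetznercloud/csi-driver/-/raw/<COMMIT_SHA_OF_v1.6.0>/deploy/kubernetes/hcloud-csi.yml`, or keeping the manifest vendored, keeps that content reviewable here. Which lines of this kustomization are old and which are new is inferred from print order.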
- op: remove
path: metadata/annotations
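Review bot: The JSON patch path `metadata/annotations` is not a valid RFC 6901 pointer, which must start with `/`, so the patch will fail when kustomize applies it to the StorageClass instead of stripping the annotation. It also removes every annotation on the object, while the file name says only the default-class marker is meant; assuming the upstream StorageClass carries that annotation, `path: /metadata/annotations/storageclass.kubernetes.io~1is-default-class` (with the `/` in the key escaped as `~1`) removes exactly that and leaves any other annotations intact. That this two-line file is the new side is inferred from print order and the diffstat.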
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- sources
- calico
- kyverno
- hcloud-csi
- cert-manager
- namespace-configuration
- rook
- postgres
- openshift-monitoring
- cert-manager
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: deny-netpol-changes
spec:
validationFailureAction: enforce
background: false
rules:
- name: deny-netpol-changes
match:
resources:
kinds:
- NetworkPolicy
name: "*-managed"
exclude:
clusterRoles:
- cluster-admin
validate:
message: "Changing managed network policies is not allowed."
deny: {}
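Review bot: The `deny-netpol-changes` rule has no `operations` filter, so with `deny: {}` it rejects every create and update (and, on Kyverno versions whose validating webhook also receives DELETE, every delete) of a NetworkPolicy named `*-managed` unless the requester is bound to `cluster-admin`, which means the component that is supposed to create those policies must itself run as cluster-admin. If that controller has its own service account, excluding that identity instead, `exclude: subjects: - kind: ServiceAccount name: <CONTROLLER_SA> namespace: <CONTROLLER_NS>`, keeps the policy enforced while dropping the blanket cluster-admin carve-out. The `deny-system-namespaces` policy at L512-L531 has the same structure, and its message says "Creating" while the rule equally rejects changes to existing `*-system` namespaces; if creation is the intended scope, add `operations: - CREATE` under `match.resources` there.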
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: deny-system-namespaces
spec:
validationFailureAction: enforce
background: false
rules:
- name: deny-system-namespaces
match:
resources:
kinds:
- Namespace
name: "*-system"
exclude:
clusterRoles:
- cluster-admin
validate:
message: "Creating *-system namespaces is not allowed."
deny: {}
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: namespace-configuration-operator
namespace: kyverno
resources:
- namespace.yaml
- subscription.yaml
- network-policy.yaml
- repository.yaml
- release.yaml
- deny-system-namespaces.yaml
- deny-network-policies.yaml
apiVersion: v1
kind: Namespace
metadata:
name: kyverno
labels:
name: kyverno
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: kyverno-crds
namespace: kyverno
spec:
releaseName: kyverno-crds
chart:
spec:
chart: kyverno-crds
sourceRef:
kind: HelmRepository
name: kyverno
version: v3.20.1
interval: 5m
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: kyverno
namespace: kyverno
spec:
releaseName: kyverno
chart:
spec:
chart: kyverno
sourceRef:
kind: HelmRepository
name: kyverno
version: v3.20.1
interval: 5m
dependsOn:
- name: kyverno-crds
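Review bot: Both kyverno HelmReleases pin `version: v3.20.1` (L563, L579), which is the calico/tigera-operator version from L35 and does not look like a kyverno chart version, as those charts are versioned independently of Calico. A chart version that does not exist in the repository index makes Flux's reconciliation fail, so neither kyverno nor the two deny policies in this commit would ever be installed, and the only place this surfaces is the HelmRelease status. Replace the string for both `kyverno-crds` and `kyverno` with a version taken from the `https://kyverno.github.io/kyverno/` index, `version: <KYVERNO_CHART_VERSION>`. Note also that the ClusterPolicy files are applied by the same kustomization that installs the chart defining their CRD, so the first apply is expected to fail until the CRD exists and is then retried on the next reconcile.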
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
name: kyverno
spec:
interval: 30m
url: https://kyverno.github.io/kyverno/