Shivering-Isles GitOps Infrastructure
===

This repository has become the center of the Shivering-Isles infrastructure. It holds essentially all software deployments, a number of custom container images, several self-maintained Helm charts, and more.

Usage
---

Bootstrapping Flux against SI-GitLab looks like this:

```shell
export GITLAB_TOKEN=<project access token able to write the API and repository>
flux bootstrap gitlab \
  --hostname=git.shivering-isles.com \
  --ssh-hostname=git.shivering-isles.com:2222 \
  --ssh-key-algorithm ed25519 \
  --owner=<your user / team> \
  --repository=<your repository name> \
  --path=clusters/<your cluster name>
```
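As an added example (not code from this repository), a small POSIX shell wrapper around the bootstrap command above: it checks the arguments and the environment before calling `flux`, and reads the token only from `GITLAB_TOKEN` so it never lands on the command line. The function names are assumptions of this example; it assumes the `flux` CLI is installed.

```shell
#!/bin/sh
# Added example, not part of the Shivering-Isles repository: a wrapper around
# `flux bootstrap gitlab` that validates its inputs first.
set -eu

SI_GIT_HOST="git.shivering-isles.com"
SI_SSH_HOST="git.shivering-isles.com:2222"

# validate_bootstrap_args OWNER REPO CLUSTER
# The cluster name becomes the path component clusters/<cluster>, so it is
# restricted to lower-case alphanumerics and dashes (no '..', '/' or spaces).
validate_bootstrap_args() {
  [ $# -eq 3 ] || { echo "usage: OWNER REPO CLUSTER" >&2; return 1; }
  owner="$1"; repo="$2"; cluster="$3"
  case "$cluster" in
    ''|-*|*[!a-z0-9-]*) echo "invalid cluster name: '$cluster'" >&2; return 1 ;;
  esac
  for v in "$owner" "$repo"; do
    case "$v" in
      ''|*' '*) echo "owner and repository must be non-empty, without spaces" >&2; return 1 ;;
    esac
  done
  return 0
}

# run_bootstrap OWNER REPO CLUSTER
# The token is taken from the GITLAB_TOKEN environment variable only and is
# never passed as an argument, so it does not show up in process listings or
# shell history. Fails early if the token or the flux CLI is missing.
run_bootstrap() {
  validate_bootstrap_args "$@" || return 1
  [ -n "${GITLAB_TOKEN:-}" ] || { echo "GITLAB_TOKEN is not set" >&2; return 1; }
  command -v flux >/dev/null 2>&1 || { echo "flux CLI not found in PATH" >&2; return 1; }
  flux bootstrap gitlab \
    --hostname="$SI_GIT_HOST" \
    --ssh-hostname="$SI_SSH_HOST" \
    --ssh-key-algorithm ed25519 \
    --owner="$1" \
    --repository="$2" \
    --path="clusters/$3"
}
```

Call it as `run_bootstrap <owner> <repository> <cluster>` after exporting `GITLAB_TOKEN`.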

Ideas & ToDo's
---

This toolchain is still under development. Before it is used in production, some things are still left to do:

- [x] Buy hardware for the project.
- [x] Provide CLI container that contains all tools.
- [x] Automate overlay network deployment (calico)
- [x] Use encrypted overlay network (calico+wireguard)
- [x] Automate cluster monitoring deployment (kube-prometheus)
- [x] Automate ingress-controller deployment (ingress-nginx)
- [x] Automate policy enforcement (kyverno) deployment
- [x] Encrypt root filesystems for all nodes (LUKS + clevis)
- [x] Enforce SELinux on the deployed machines
- [x] Automate system upgrades using Kubernetes (system-upgrade-controller)
- [x] Automate system configuration using Kubernetes (system-upgrade-controller)
- [x] Provide a fully encrypted storage class, with encryption handled on the host level (longhorn)
- [x] Deploy cert-manager
- [x] Deploy credentials for cert-manager
- [x] Automate ingress-controller default certificate deployment
- [x] Add encrypted deployment instructions (SOPS + fluxcd)
- [x] Integrate [Renovatebot](https://git.shivering-isles.com/shivering-isles/renovate-bot) with this repository to manage updates.
- [x] Automate Kubernetes upgrades
- [x] Automate ingress-controller configuration for proxy-protocol
- [x] Migrate [apps](https://git.shivering-isles.com/shivering-isles/infrastructure/) to gitops and Kubernetes
- [ ] Deploy kubelet with proper certificates
- [ ] Move to immutable base-system