Shivering-Isles GitOps Infrastructure
===

This repository contains the Kubernetes objects that are synced and managed by [flux](https://fluxcd.io) in order to be deployed.

Usage
---

Finally, in order to bootstrap fluxcd in your cluster. For SI-GitLab this would look like this:

```
export GITLAB_TOKEN=<project access token able to write the API and repository>
flux bootstrap gitlab \
  --hostname=git.shivering-isles.com \
  --ssh-hostname=git.shivering-isles.com:2222 \
  --ssh-key-algorithm ed25519 \
  --owner=<your user / team> \
  --repository=<your repository name> \
  --path=clusters/<your cluster name>
```

Ideas & ToDos
---

This toolchain is still under development. Before it will be used in production there are still some things left to do:

- [x] Buy hardware for the project.
- [x] Provide CLI container that contains all tools.
- [x] Automate overlay network deployment (calico)
- [x] Use encrypted overlay network (calico+wireguard)
- [x] Automate cluster monitoring deployment (kube-prometheus)
- [x] Automate ingress-controller deployment (ingress-nginx)
- [x] Automate policy enforcement (kyverno) deployment
- [x] Encrypt root filesystems for all nodes (LUKS + clevis)
- [x] Enforce SELinux on the deployed machines
- [x] Automate system upgrades using Kubernetes (system-upgrade-controller)
- [x] Automate system configuration using Kubernetes (system-upgrade-controller)
- [x] Provide a fully encrypted (handled on host level) storage class (longhorn)
- [x] Deploy cert-manager
- [x] Deploy credentials for cert-manager
- [x] Automate ingress-controller default certificate deployment
- [x] Add encrypted deployment instructions (SOPS + fluxcd)
- [x] Integrate [Renovatebot](https://git.shivering-isles.com/shivering-isles/renovate-bot) with this repository to manage updates.
- [x] Automate Kubernetes upgrades
- [x] Automate ingress-controller configuration for proxy-protocol
- [ ] Deploy kubelet with proper certificates
- [ ] Document usage and thoughts in repository and blog posts
- [ ] Automate flux OpenPGP bootstrap
- [ ] Migrate [apps](https://git.shivering-isles.com/shivering-isles/infrastructure/) to gitops and Kubernetes
- [ ] Move to immutable base-system

Tools
---

To handle things properly, try to get the following tools (all included in `koolbox`):

- kubectl
- flux
- [sops](https://github.com/mozilla/sops/releases/) (for secret handling)
- [helm](https://helm.sh/) (just for sake of completeness and validation)
- make
- git
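The SOPS + fluxcd item above relies on one invariant: every `kind: Secret` manifest that reaches git must already be SOPS-encrypted, because flux decrypts in-cluster and anything committed in plaintext is exposed to everyone with read access to the repository. The following script is an added example and not part of this repository or of flux/sops; it walks a directory of manifests and fails when a Secret either has no `sops:` block at all or carries a `sops:` block but still holds an unencrypted value under `data:`/`stringData:` (the partial-encryption case that a quick visual check tends to miss). The directory layout, function names and the sample manifests it builds are constructed for the demonstration.

```shell
#!/usr/bin/env sh
# Added example (not the repository's own code): guard a SOPS + flux GitOps
# tree against plaintext Secret manifests. Function names and the sample
# files are assumptions made for this demonstration.

# values_encrypted FILE
# Returns 0 when every value under data:/stringData: is an ENC[...] literal,
# 1 (and prints the offending lines) otherwise. Indentation-based scan of a
# simple top-level mapping, which is the shape SOPS writes for Kubernetes Secrets.
values_encrypted() {
    awk '
        /^(data|stringData):/ { insec = 1; next }   # enter a secret-bearing section
        /^[^[:space:]]/       { insec = 0 }         # any other top-level key ends it
        insec && /^[[:space:]]+[^[:space:]:]+:[[:space:]]*/ && $0 !~ /ENC\[/ { print; n++ }
        END { exit (n ? 1 : 0) }
    ' "$1"
}

# check_secrets_encrypted DIR
# Returns 0 when every Secret manifest under DIR is fully SOPS-encrypted,
# 1 otherwise, reporting each offender on stderr. Filenames containing
# whitespace are not handled by the word-splitting loop (kept simple on purpose).
check_secrets_encrypted() {
    bad=0
    for f in $(find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) -print); do
        # Only files declaring a Secret at top level are in scope.
        grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$f" || continue
        if ! grep -Eq '^sops:' "$f"; then
            echo "plaintext Secret (no sops block): $f" >&2
            bad=1
        elif ! values_encrypted "$f" >/dev/null; then
            echo "partially encrypted Secret (plaintext value under data): $f" >&2
            bad=1
        fi
    done
    return $bad
}

# make_sample_tree
# Builds a constructed sample tree with three cases and prints its path:
#   good/     fully SOPS-encrypted Secret
#   plain/    Secret committed without SOPS at all
#   partial/  sops block present, but one value was added unencrypted
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/good" "$d/plain" "$d/partial"
    cat > "$d/good/db-credentials.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: db-credentials
data:
    password: ENC[AES256_GCM,data:constructed-sample,iv:x,tag:y,type:str]
sops:
    mac: ENC[AES256_GCM,data:constructed-mac,type:str]
    version: 3.7.1
EOF
    cat > "$d/plain/db-credentials.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: db-credentials
data:
    password: cGxhaW50ZXh0
EOF
    cat > "$d/partial/db-credentials.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: db-credentials
data:
    password: ENC[AES256_GCM,data:constructed-sample,iv:x,tag:y,type:str]
stringData:
    api-token: constructed-plaintext-token
sops:
    mac: ENC[AES256_GCM,data:constructed-mac,type:str]
    version: 3.7.1
EOF
    printf '%s\n' "$d"
}

# Stand-alone demonstration over the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    for case in good plain partial; do
        if check_secrets_encrypted "$tree/$case"; then
            echo "$case: ok"
        else
            echo "$case: FAILED"
        fi
    done
    rm -rf "$tree"
fi
```

Run it with `--demo` to see the three cases, or point `check_secrets_encrypted` at `clusters/<your cluster name>` from a pre-commit hook or CI job so a plaintext Secret never lands in the branch flux reconciles from.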