k8s-on-prem-core chart
karlivory committed Sep 6, 2023
1 parent 1f6a923 commit ae7cb8d
Showing 4 changed files with 283 additions and 0 deletions.
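--- a/charts/k8s-on-prem-core/Chart.yaml
+++ b/charts/k8s-on-prem-core/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: k8s-on-prem-core
+description: core apps to deploy k8s on premises
+type: application
+version: 0.1.1
+appVersion: "0.1"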
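--- a/charts/k8s-on-prem-core/templates/applications.yaml
+++ b/charts/k8s-on-prem-core/templates/applications.yaml
@@ -0,0 +1,36 @@
+{{- range $appname, $app := .Values.argocdApplications }}
+{{- if $app.enabled }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: "{{ $app.name }}"
+namespace: argocd
+spec:
+project: "{{ $.Values.argocdProjectName }}"
+source:
+chart: {{ $app.helm.chart }}
+repoURL: {{ $app.helm.repoURL }}
+targetRevision: {{ $app.helm.targetRevision }}
+helm:
+values: |
+{{- tpl (toYaml $app.helm.values | nindent 8) $ }}
+destination:
+server: "https://kubernetes.default.svc"
+namespace: {{ $app.namespace }}
+syncPolicy:
+automated:
+prune: true
+selfHeal: true
+allowEmpty: false
+syncOptions:
+- CreateNamespace=true
+- ServerSideApply=true
+{{- if $app.ignoreDifferences }}
+ignoreDifferences:
+{{- toYaml $app.ignoreDifferences | nindent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+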
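Review bot: The templated scalars on the `chart`, `repoURL`, `targetRevision` and destination `namespace` lines are emitted unquoted while `name` and `project` are quoted, so a revision such as `1.10` or an empty value would be retyped to a float or null by the YAML parser; quote them consistently, e.g. `targetRevision: "{{ $app.helm.targetRevision }}"` and `namespace: "{{ $app.namespace }}"`. The `helm.values` map is piped through `tpl` on the `values: |` line, so anything placed there, including values that reference `.Values.secrets.*`, is rendered in clear into the Application object rather than into a Secret; treat that path as non-secret storage, or reference an existing Secret where the downstream chart supports it. The Application's `metadata.namespace` is hard-coded to `argocd` while `project` comes from values; `{{ $.Release.Namespace }}` may be what is intended — confirm against how the chart is installed.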
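--- a/charts/k8s-on-prem-core/templates/secrets.yaml
+++ b/charts/k8s-on-prem-core/templates/secrets.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: tsig-secret
+namespace: external-dns
+type: Opaque
+stringData:
+rfc2136_tsig_secret: "{{ .Values.secrets.bind9tsigKey }}"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: tsig-secret
+namespace: cert-manager
+type: Opaque
+stringData:
+rfc2136_tsig_secret: "{{ .Values.secrets.bind9tsigKey }}"
+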
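Review bot: Both Secrets render `.Values.secrets.bind9tsigKey` without a guard, and the chart's values.yaml in this same commit ships a non-empty default for that key, so an install that forgets to override it silently deploys the published default; fail the render instead, `rfc2136_tsig_secret: {{ required "secrets.bind9tsigKey must be set" .Values.secrets.bind9tsigKey | quote }}`, and ship an empty default. The two documents are identical apart from `namespace`, so a `range` over the two target namespaces would keep them from drifting; whatever form is kept, the `name: tsig-secret` / `key: rfc2136_tsig_secret` pair must stay matched with the external-dns `secretKeyRef` in values.yaml.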
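--- a/charts/k8s-on-prem-core/values.yaml
+++ b/charts/k8s-on-prem-core/values.yaml
@@ -0,0 +1,221 @@
+---
+global:
+domain: ""
+ingressIP1: ""
+ingressIP2: ""
+externalIP: ""
+# acmeEmailAddress: ""
+
+secrets:
+# A valid hmac-sha512 tsig key. To generate, you can run:
+# $ tsig-keygen -a hmac-sha512 | grep "secret" | cut -d'"' -f2
+bind9tsigKey: "yOQnD4gYPs1MJiDpVdRB1Ws54PjHdvJrUVCAtn0UUTaQoRNAGcvgulMX8ZDK6Yo3+SUI0QuUos1f2jDgIyhBrQ=="
+# Admin password for grafana
+grafanaAdminPassword: "changeme"
+
+# Destination of all the argocdApplications
+argocdProjectName: default
+# Dictionary of argocd helm Applications; for each the helm.values dict is passed through tpl
+argocdApplications:
+argocd:
+enabled: true
+name: argocd
+namespace: argocd
+helm:
+repoURL: https://argoproj.github.io/argo-helm
+chart: argo-cd
+targetRevision: v5.41.0
+# https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml
+values:
+redis-ha:
+enabled: true
+controller:
+replicas: 1
+server:
+replicas: 2
+repoServer:
+replicas: 2
+applicationSet:
+replicaCount: 2
+configs:
+params:
+# tls is handled by ingress controller
+server.insecure: true
+certManager:
+enabled: true
+name: cert-manager
+namespace: cert-manager
+helm:
+repoURL: https://charts.jetstack.io
+chart: cert-manager
+targetRevision: v1.12.2
+# https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml
+values:
+installCRDs: true
+longhorn:
+enabled: true
+name: longhorn
+namespace: longhorn-system
+helm:
+chart: longhorn
+repoURL: https://charts.longhorn.io
+targetRevision: v1.4.3
+# https://github.com/longhorn/charts/blob/master/charts/longhorn/values.yaml
+values: {}
+metallb:
+enabled: true
+name: metallb
+namespace: metallb-system
+helm:
+chart: metallb
+repoURL: https://metallb.github.io/metallb
+targetRevision: v0.13.10
+# https://github.com/metallb/metallb/blob/main/charts/metallb/values.yaml
+values: {}
+externalDns:
+enabled: true
+name: external-dns
+namespace: external-dns
+helm:
+chart: external-dns
+repoURL: https://kubernetes-sigs.github.io/external-dns
+targetRevision: v1.12.2
+# https://github.com/kubernetes-sigs/external-dns/blob/master/charts/external-dns/values.yaml
+values:
+provider: rfc2136
+interval: "3s"
+txtPrefix: "external-dns-"
+txtOwnerId: k8s
+domainFilters: ["{{ .Values.global.domain }}"]
+extraArgs:
+- --rfc2136-min-ttl=900s
+- --rfc2136-host=bind-primary.bind9.svc.cluster.local
+- --rfc2136-port=53
+- --rfc2136-zone={{ .Values.global.domain }}
+- --rfc2136-tsig-secret-alg=hmac-sha512
+- --rfc2136-tsig-keyname=tsigkey
+- --rfc2136-tsig-axfr
+env:
+- name: EXTERNAL_DNS_RFC2136_TSIG_SECRET
+valueFrom:
+secretKeyRef:
+name: tsig-secret
+key: rfc2136_tsig_secret
+reloader:
+enabled: true
+name: reloader
+namespace: reloader
+helm:
+chart: reloader
+repoURL: https://stakater.github.io/stakater-charts
+targetRevision: v1.0.31
+# https://github.com/stakater/Reloader/blob/master/deployments/kubernetes/chart/reloader/values.yaml
+values: {}
+ingress1:
+enabled: true
+name: ingress1
+namespace: ingress1
+helm:
+chart: ingress-nginx
+repoURL: https://kubernetes.github.io/ingress-nginx
+targetRevision: v4.7.0
+# https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml
+values:
+controller:
+extraArgs:
+default-ssl-certificate: cert-manager/wildcard-tls
+ingressClassResource:
+name: ingress1
+default: false
+service:
+loadBalancerIP: "{{ .Values.global.ingressIP1 }}"
+annotations:
+metallb.universe.tf/allow-shared-ip: "shared-ip"
+resources:
+requests:
+cpu: 300m
+memory: 300Mi
+replicaCount: 3
+ingress2:
+enabled: true
+name: ingress2
+namespace: ingress2
+helm:
+chart: ingress-nginx
+repoURL: https://kubernetes.github.io/ingress-nginx
+targetRevision: v4.7.0
+# https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml
+values:
+controller:
+extraArgs:
+default-ssl-certificate: cert-manager/wildcard-tls
+ingressClassResource:
+name: ingress2
+default: true
+service:
+loadBalancerIP: "{{ .Values.global.ingressIP2 }}"
+resources:
+requests:
+cpu: 300m
+memory: 300Mi
+replicaCount: 3
+bind9:
+enabled: true
+name: bind9
+namespace: bind9
+helm:
+chart: bind9
+repoURL: https://karlivory.github.io/helm-charts
+targetRevision: v0.1.4
+# https://github.com/karlivory/helm-charts/blob/main/charts/bind9/values.yaml
+values:
+secondary:
+service:
+loadBalancerIP: "{{ .Values.global.ingressIP1 }}"
+annotations:
+metallb.universe.tf/allow-shared-ip: "shared-ip"
+domain: "{{ .Values.global.domain }}"
+# A valid hmac-sha512 tsig key. To generate, you can run:
+# $ tsig-keygen -a hmac-sha512 | grep "secret" | cut -d'"' -f2
+tsigKey: "{{ .Values.secrets.bind9tsigKey }}"
+zone:
+refresh: 10 # 10 second refresh: this lets the external-dns entries propagate quickly
+retry: 10
+expire: 1209600 # 14 days
+negativeCacheTtl: 300
+# passed through tpl
+dnsRecords:
+- name: ns
+type: A
+value: "{{ .Values.global.externalIP }}"
+- name: ingress1
+type: A
+value: "{{ .Values.global.externalIP }}"
+- name: ingress2
+type: A
+value: "{{ .Values.global.ingressIP2 }}"
+
+#
+# ===== docs =====
+#
+# Given
+#
+# global.externalDomainName = k8s.example.com
+# global.externalIP = 1.2.3.4
+# global.ingressIP1 = 192.168.0.4
+# global.ingressIP2 = 192.168.0.5
+#
+# then there should be DNS records:
+#
+# k8s.example.com in NS ns.k8s.example.com
+# ns.k8s.example.com in A 1.2.3.4
+#
+# Additionally, ingressIP1 != externalIP, then the
+# following routing rules (e.g. gateway port-forwards) should be in place:
+#
+# 1.2.3.4 -> 80/tcp -> 192.168.0.4 (80/tcp)
+# 1.2.3.4 -> 443/tcp -> 192.168.0.4 (443/tcp)
+# 1.2.3.4 -> 53/tcp -> 192.168.0.4 (53/tcp)
+# 1.2.3.4 -> 53/udp -> 192.168.0.4 (53/udp)
+#
+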
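Review bot: `secrets.bind9tsigKey` is committed with a real-looking hmac-sha512 key as its default and `grafanaAdminPassword` defaults to `changeme`; a chart default is not a safe place for either, so set both to `""` and have the templates reject an unset value (Helm's `required`) so that a forgotten override fails at render time instead of deploying a key that anyone with read access to the repository already holds. The same key is also handed to the bind9 Application through `helm.values.tsigKey`, where it is rendered in clear into the Application object rather than into a Secret; if the bind9 chart can read the key from an existing Secret, that path is preferable — confirm against that chart's values. The docs comment at the end of the file refers to `global.externalDomainName`, but the key defined under `global` is `domain`; change the comment line to `# global.domain = k8s.example.com`. The `# acmeEmailAddress: ""` line under `global` is commented out while cert-manager is enabled; if it is a placeholder for a later change, a comment saying so would avoid it being read as a dead key.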