feat: refactor kubernetes app to allow syncing through argocd

Signed-off-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>

.devcontainer/devcontainer.json

@@ -11,7 +11,7 @@
         },
         "ghcr.io/devcontainers-contrib/features/packer-asdf:2": {
             // datasource=github-tags depName=hashicorp/packer
-            "version": "1.11.0"
+            "version": "1.11.2"
         },
         "ghcr.io/devcontainers/features/terraform:1": {
             // datasource=github-tags depName=hashicorp/terraform

.github/renovate/devContainers.json5

@@ -8,7 +8,7 @@
       "matchStrings": [
         'datasource=(?<datasource>\\S*)[\\s]+depName=(?<depName>\\S*)[\\s]+"\\w+":[\\s]+"(?<currentValue>[a-zA-Z0-9-_.]+)"'
       ],
-      "versioningTemplate": 'regex:^v(?<major>\\d+)\\.(?<minor>\\d+)\\.?(?<patch>\\d+)?-?(?<compatibility>\\S+)?$',
+      "versioningTemplate": 'regex:^v?(?<major>\\d+)\\.(?<minor>\\d+)\\.?(?<patch>\\d+)?-?(?<compatibility>\\S+)?$',
     },
   ]
 }

.gitignore

@@ -25,4 +25,6 @@ vault.json.secrets
 *.img
 inventory.proxmox.yml
 # Doc
-.cache
+.cache
+# argocd
+argocd/**/charts/

ansible/deploy_infra.yml

@@ -59,50 +59,47 @@
 - name: Deploy kubernetes services
   hosts: kubernetes_master[0]
   become: true
-  roles:
-    - prometheus_operator_crds
-    - cilium
-    - metallb
-    - external_secrets
-    - role: traefik
-    - role: traefik
-      vars:
-        traefik_external_ips:
-          - 192.168.10.101
-          - 2a0c:b641:2c0:110::101
-        traefik_namespace: ingress-internal
-        traefik_default_ingress_class: true
-        traefik_ingress_class_name: ingress-internal
-        traefik_create_prometheus_rule: false
-    - rook_operator
-    - rook_cluster
-    - cert_manager
-    - trust_manager
-    - vault
-    - cert_manager_scaleway
-    - role: external_dns
-    - role: external_dns
-      vars:
-        external_dns_namespace: "external-dns-internal"
-        external_dns_provider: pdns
-        external_dns_txt_owner_id: homelab.kubernetes
-        external_dns_domain_filters: "{{ local_domains }}"
-        external_dns_envs:
-          EXTERNAL_DNS_INGRESS_CLASS: ingress-internal
-          EXTERNAL_DNS_DEFAULT_TARGETS: |-
-            |-
-            {{ "192.168.10.101" | indent(6, true) }}
-            {{ "2a0c:b641:2c0:110::101" | indent(6, true) }}
-        external_dns_ca: "{{ kubernetes_homelab_ca_config_map }}"
-        external_dns_vault_secrets:
-          - key: secret/data/homelab/prod/external_dns/internal
-            property: EXTERNAL_DNS_PDNS_SERVER
-          - key: secret/data/homelab/prod/external_dns/internal
-            property: EXTERNAL_DNS_PDNS_API_KEY
-        external_dns_vault_ca: "{{ kubernetes_homelab_ca_config_map }}"
-        external_dns_vault_role: external-dns-internal
-        external_dns_create_prometheus_rule: false
-    - argocd
+  tasks:
+    - name: "Install kubernetes base infra first part"
+      kubernetes.core.k8s:
+        definition: "{{ lookup('kubernetes.core.kustomize', dir='../argocd/' + item, enable_helm=True) }}"
+        wait: true
+        wait_timeout: 300
+        kubeconfig: "{{ kubernetes_localhost_kubeconfig_path }}"
+        validate_certs: true
+      with_items:
+        - monitoring/prometheus-operator-crds
+        - infra/cilium
+        - infra/metallb
+        - infra/external-secrets
+        - infra/ingress-internal
+        - infra/ingress-external
+        - storage/rook-operator
+        - storage/rook-cluster
+        - infra/cert-manager
+        - infra/trust-manager
+      delegate_to: localhost
+
+    - name: Install vault
+      ansible.builtin.include_role:
+        name: vault
+
+    - name: "Install kubernetes base infra last part"
+      kubernetes.core.k8s:
+        definition: "{{ lookup('kubernetes.core.kustomize', dir='../argocd/' + item, enable_helm=True) }}"
+        wait: true
+        wait_timeout: 300
+        kubeconfig: "{{ kubernetes_localhost_kubeconfig_path }}"
+        validate_certs: true
+      with_items:
+        - infra/cert-manager-scaleway
+        - infra/external-dns-internal
+        - infra/external-dns-external
+      delegate_to: localhost
+
+    - name: Install argocd
+      ansible.builtin.include_role:
+        name: argocd
 
 - name: Configure Vault unseal
   hosts: dns,vpn

ansible/group_vars/kubernetes_master/all.yml

@@ -3,37 +3,12 @@ kube_vip_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
 kube_vip_master_group: kubernetes_master
 kube_vip_address: "192.168.10.80,2a0c:b641:2c0:110::80"
 kube_vip_interface: enp6s18
-prometheus_operator_crds_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-cilium_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-cilium_service_host: "{{ kube_vip_address.split(',')[0] }}"
-traefik_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-traefik_external_ips:
-  - 192.168.10.100
-  - 2a0c:b641:2c0:110::100
-traefik_namespace: ingress-external
-traefik_default_ingress_class: false
-traefik_ingress_class_name: ingress-external
-longhorn_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-metallb_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-metallb_ip_address_pools:
-  - name: private
-    pools:
-      - 192.168.10.100-192.168.10.120
-      - 2a0c:b641:02c0:110::100-2a0c:b641:02c0:110::120
-    auto_assign: true
-rook_operator_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-rook_cluster_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-rook_cluster_vault_ca: "{{ kubernetes_homelab_ca_config_map }}"
-rook_cluster_vault_secret_key: "secret/data/homelab/prod/rook-ceph-cluster"
 vault_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
 vault_init_output_file_path: "{{ root_dir_role_path }}/vault.json.secrets"
 vault_ca_filename: "{{ ca_certificates_local_path_ca_certificate }}"
 vault_cert_filename: "{{ certs_dir_role_path }}homelab/vault.unicornafk.fr/vault.unicornafk.fr-fullchain.crt"
 vault_key_filename: "{{ certs_dir_role_path }}homelab/vault.unicornafk.fr/vault.unicornafk.fr.key"
 vault_ca_path: "{{ ca_certificates_local_path_ca_certificate }}"
-vault_loadbalancer_ips:
-  - 192.168.10.102
-  - 2a0c:b641:2c0:110::102
 vault_secrets_engine:
   - name: kv-v2
     path: secret
@@ -323,41 +298,6 @@ public_vault_datas:
       policies: recyclarr
       ttl: 1h
 vault_datas: "{{ public_vault_datas + secret_vault_datas }}"
-external_secrets_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-cert_manager_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-cert_manager_vault_ingress_class: ingress-internal
-cert_manager_vault_sign: cert-manager
-cert_manager_vault_ca_path: "{{ ca_certificates_local_path_ca_certificate }}"
-cert_manager_scaleway_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-cert_manager_scaleway_email: "{{ monitoring_email }}"
-cert_manager_scaleway_vault_ca: "{{ kubernetes_homelab_ca_config_map }}"
-cert_manager_scaleway_vault_secret_key: "secret/data/homelab/prod/cert_manager_scaleway"
-trust_manager_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-trust_manager_certificates:
-  - name: "{{ kubernetes_homelab_ca_config_map }}"
-    key: ca.crt
-    sources:
-      - inLine: |
-          {{ lookup('ansible.builtin.file', vault_ca_filename) }}
-external_dns_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-external_dns_namespace: "external-dns-external"
-external_dns_provider: scaleway
-external_dns_txt_owner_id: homelab.kubernetes
-external_dns_domain_filters: "{{ external_domains }}"
-external_dns_envs:
-  EXTERNAL_DNS_INGRESS_CLASS: ingress-external
-  EXTERNAL_DNS_DEFAULT_TARGETS: |-
-    |-
-    {{ public_ipv4 | indent(6, true) }}
-    {{ "2a0c:b641:2c0:110::100" | indent(6, true) }}
-external_dns_ca: ""
-external_dns_vault_secrets:
-  - key: secret/data/homelab/prod/external_dns/external
-    property: SCW_ACCESS_KEY
-  - key: secret/data/homelab/prod/external_dns/external
-    property: SCW_SECRET_KEY
-external_dns_vault_ca: "{{ kubernetes_homelab_ca_config_map }}"
-external_dns_vault_role: external-dns-external
 argocd_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
 argocd_oidc_issuer_url: "{{ oidc_issuer_url }}/application/o/argocd/"
 argocd_hostname: argocd.unicornafk.fr

ansible/group_vars/kubernetes_master/secrets.example

@@ -52,7 +52,6 @@ secret_vault_datas:
         AUTHENTIK_SECRET_KEY:
         AUTHENTIK_BOOTSTRAP_EMAIL:
         AUTHENTIK_BOOTSTRAP_PASSWORD:
-        homelab.yaml: "{{ authentik_homelab_config }}"
   - path: secret/data/homelab/prod/rook-ceph-cluster
     data:
       data: