feat: migrate core addons toward flux

ansible/roles/addon-secrets-bootstrap/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: Apply Hetzner cloud secret
+  shell: >-
+    kubectl -n kube-system create secret generic hcloud
+    --from-literal=token='{{ hcloud_token }}'
+    --from-literal=network='{{ cluster_name }}-network'
+    --dry-run=client -o yaml | kubectl apply -f -
+  changed_when: true
+  no_log: true
+  when: hcloud_token | default('') | length > 0
+
+- name: Apply Tailscale operator OAuth secret
+  shell: >-
+    kubectl -n {{ tailscale_operator_namespace | default('tailscale-system') }} create secret generic operator-oauth
+    --from-literal=client_id='{{ tailscale_oauth_client_id }}'
+    --from-literal=client_secret='{{ tailscale_oauth_client_secret }}'
+    --dry-run=client -o yaml | kubectl apply -f -
+  changed_when: true
+  no_log: true
+  when:
+    - tailscale_oauth_client_id | default('') | length > 0
+    - tailscale_oauth_client_secret | default('') | length > 0

ansible/site.yml

@@ -80,21 +80,31 @@
   become: true
 
   roles:
-    - ccm
+    - role: ccm
+      when: not (ccm_gitops_enabled | default(true) | bool)
 
 - name: Deploy Hetzner CSI
   hosts: control_plane[0]
   become: true
 
   roles:
-    - csi
+    - role: csi
+      when: not (csi_gitops_enabled | default(true) | bool)
 
 - name: Deploy Tailscale Kubernetes Operator
   hosts: control_plane[0]
   become: true
 
   roles:
-    - tailscale-operator
+    - role: tailscale-operator
+      when: not (tailscale_operator_gitops_enabled | default(true) | bool)
+
+- name: Bootstrap addon prerequisite secrets
+  hosts: control_plane[0]
+  become: true
+
+  roles:
+    - addon-secrets-bootstrap
 
 - name: Deploy observability stack
   hosts: control_plane[0]

infrastructure/addons/ccm/helmrelease-hcloud-ccm.yaml

@@ -0,0 +1,34 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: hcloud-cloud-controller-manager
+  namespace: flux-system
+spec:
+  interval: 10m
+  targetNamespace: kube-system
+  chart:
+    spec:
+      chart: hcloud-cloud-controller-manager
+      version: 1.30.1
+      sourceRef:
+        kind: HelmRepository
+        name: hcloud
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    args:
+      secure-port: "0"
+    networking:
+      enabled: true
+    nodeSelector:
+      kubernetes.io/hostname: k8s-cluster-cp-1
+    additionalTolerations:
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule

infrastructure/addons/ccm/helmrepository-hcloud.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: hcloud
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.hetzner.cloud

infrastructure/addons/ccm/kustomization.yaml

@@ -1,3 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: []
+resources:
+  - helmrepository-hcloud.yaml
+  - helmrelease-hcloud-ccm.yaml

infrastructure/addons/csi/helmrelease-hcloud-csi.yaml

@@ -0,0 +1,36 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: hcloud-csi
+  namespace: flux-system
+spec:
+  interval: 10m
+  targetNamespace: kube-system
+  chart:
+    spec:
+      chart: hcloud-csi
+      version: 2.20.0
+      sourceRef:
+        kind: HelmRepository
+        name: hcloud
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    controller:
+      nodeSelector:
+        kubernetes.io/hostname: k8s-cluster-cp-1
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule
+      hcloudVolumeDefaultLocation: nbg1
+    storageClasses:
+      - name: hcloud-volumes
+        defaultStorageClass: true
+        reclaimPolicy: Delete

infrastructure/addons/csi/helmrepository-hcloud.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: hcloud
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.hetzner.cloud

infrastructure/addons/csi/kustomization.yaml

@@ -1,3 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: []
+resources:
+  - helmrepository-hcloud.yaml
+  - helmrelease-hcloud-csi.yaml

infrastructure/addons/kustomization-tailscale-proxyclass.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: addon-tailscale-proxyclass
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: platform
+  path: ./infrastructure/addons/tailscale-proxyclass
+  dependsOn:
+    - name: addon-tailscale-operator
+  wait: true
+  timeout: 5m
+  suspend: true

infrastructure/addons/kustomization.yaml

@@ -6,5 +6,6 @@ resources:
   - kustomization-external-secrets.yaml
   - kustomization-flux-ui.yaml
   - kustomization-tailscale-operator.yaml
+  - kustomization-tailscale-proxyclass.yaml
   - kustomization-observability.yaml
   - kustomization-observability-content.yaml

infrastructure/addons/tailscale-operator/helmrelease-tailscale-operator.yaml

@@ -0,0 +1,39 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: tailscale-operator
+  namespace: flux-system
+spec:
+  interval: 10m
+  targetNamespace: tailscale-system
+  chart:
+    spec:
+      chart: tailscale-operator
+      version: 1.95.91
+      sourceRef:
+        kind: HelmRepository
+        name: tailscale
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    installCRDs: true
+    apiServerProxyConfig:
+      mode: "true"
+    operatorConfig:
+      defaultTags:
+        - tag:k8s
+      nodeSelector:
+        kubernetes.io/hostname: k8s-cluster-cp-1
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule
+    proxyConfig:
+      defaultTags: tag:k8s
+      defaultProxyClass: infra-stable

infrastructure/addons/tailscale-operator/helmrepository-tailscale.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: tailscale
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://pkgs.tailscale.com/unstable/helmcharts

infrastructure/addons/tailscale-operator/kustomization.yaml

@@ -1,3 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: []
+resources:
+  - namespace.yaml
+  - helmrepository-tailscale.yaml
+  - helmrelease-tailscale-operator.yaml

infrastructure/addons/tailscale-operator/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tailscale-system

infrastructure/addons/tailscale-proxyclass/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - proxyclass-infra-stable.yaml

infrastructure/addons/tailscale-proxyclass/proxyclass-infra-stable.yaml

@@ -0,0 +1,13 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: infra-stable
+spec:
+  statefulSet:
+    pod:
+      nodeSelector:
+        kubernetes.io/hostname: k8s-cluster-cp-1
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule