From bed8e4afc86c237477babe81188843026989982c Mon Sep 17 00:00:00 2001 From: MichaelFisher1997 Date: Wed, 11 Mar 2026 17:43:35 +0000 Subject: [PATCH] feat: migrate core addons toward flux --- .../addon-secrets-bootstrap/tasks/main.yml | 22 +++++++++++ ansible/site.yml | 16 ++++++-- .../addons/ccm/helmrelease-hcloud-ccm.yaml | 34 ++++++++++++++++ .../addons/ccm/helmrepository-hcloud.yaml | 8 ++++ infrastructure/addons/ccm/kustomization.yaml | 4 +- .../addons/csi/helmrelease-hcloud-csi.yaml | 36 +++++++++++++++++ .../addons/csi/helmrepository-hcloud.yaml | 8 ++++ infrastructure/addons/csi/kustomization.yaml | 4 +- .../kustomization-tailscale-proxyclass.yaml | 17 ++++++++ infrastructure/addons/kustomization.yaml | 1 + .../helmrelease-tailscale-operator.yaml | 39 +++++++++++++++++++ .../helmrepository-tailscale.yaml | 8 ++++ .../tailscale-operator/kustomization.yaml | 5 ++- .../addons/tailscale-operator/namespace.yaml | 4 ++ .../tailscale-proxyclass/kustomization.yaml | 4 ++ .../proxyclass-infra-stable.yaml | 13 +++++++ 16 files changed, 217 insertions(+), 6 deletions(-) create mode 100644 ansible/roles/addon-secrets-bootstrap/tasks/main.yml create mode 100644 infrastructure/addons/ccm/helmrelease-hcloud-ccm.yaml create mode 100644 infrastructure/addons/ccm/helmrepository-hcloud.yaml create mode 100644 infrastructure/addons/csi/helmrelease-hcloud-csi.yaml create mode 100644 infrastructure/addons/csi/helmrepository-hcloud.yaml create mode 100644 infrastructure/addons/kustomization-tailscale-proxyclass.yaml create mode 100644 infrastructure/addons/tailscale-operator/helmrelease-tailscale-operator.yaml create mode 100644 infrastructure/addons/tailscale-operator/helmrepository-tailscale.yaml create mode 100644 infrastructure/addons/tailscale-operator/namespace.yaml create mode 100644 infrastructure/addons/tailscale-proxyclass/kustomization.yaml create mode 100644 infrastructure/addons/tailscale-proxyclass/proxyclass-infra-stable.yaml 
diff --git a/ansible/roles/addon-secrets-bootstrap/tasks/main.yml b/ansible/roles/addon-secrets-bootstrap/tasks/main.yml new file mode 100644 index 0000000..e6824dc --- /dev/null +++ b/ansible/roles/addon-secrets-bootstrap/tasks/main.yml @@ -0,0 +1,22 @@ +--- +- name: Apply Hetzner cloud secret + shell: >- + kubectl -n kube-system create secret generic hcloud + --from-literal=token='{{ hcloud_token }}' + --from-literal=network='{{ cluster_name }}-network' + --dry-run=client -o yaml | kubectl apply -f - + changed_when: true + no_log: true + when: hcloud_token | default('') | length > 0 + +- name: Apply Tailscale operator OAuth secret + shell: >- + kubectl -n {{ tailscale_operator_namespace | default('tailscale-system') }} create secret generic operator-oauth + --from-literal=client_id='{{ tailscale_oauth_client_id }}' + --from-literal=client_secret='{{ tailscale_oauth_client_secret }}' + --dry-run=client -o yaml | kubectl apply -f - + changed_when: true + no_log: true + when: + - tailscale_oauth_client_id | default('') | length > 0 + - tailscale_oauth_client_secret | default('') | length > 0 diff --git a/ansible/site.yml b/ansible/site.yml index a504517..25eee6b 100644 --- a/ansible/site.yml +++ b/ansible/site.yml @@ -80,21 +80,31 @@ become: true roles: - - ccm + - role: ccm + when: not (ccm_gitops_enabled | default(true) | bool) - name: Deploy Hetzner CSI hosts: control_plane[0] become: true roles: - - csi + - role: csi + when: not (csi_gitops_enabled | default(true) | bool) - name: Deploy Tailscale Kubernetes Operator hosts: control_plane[0] become: true roles: - - tailscale-operator + - role: tailscale-operator + when: not (tailscale_operator_gitops_enabled | default(true) | bool) + +- name: Bootstrap addon prerequisite secrets + hosts: control_plane[0] + become: true + + roles: + - addon-secrets-bootstrap - name: Deploy observability stack hosts: control_plane[0] 
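Review bot: Both `shell:` tasks put the secret material on the kubectl command line (`--from-literal=token='{{ hcloud_token }}'`, `--from-literal=client_secret='{{ tailscale_oauth_client_secret }}'`), so it is readable in the process table of the control-plane host for the duration of the command, and a value containing a single quote breaks the quoting; `no_log: true` only hides it from Ansible's own output. Feeding a Secret manifest through the module's `stdin` keeps the values out of argv and out of shell quoting while keeping the same idempotent `kubectl apply`. `changed_when: true` also reports a change on every run; comparing the apply output against `unchanged` gives an honest status. The Tailscale task would take the same shape with `namespace: "{{ tailscale_operator_namespace | default('tailscale-system') }}"` and the two OAuth keys under `stringData`.

```yaml
- name: Apply Hetzner cloud secret
  shell:
    cmd: kubectl apply -f -
    stdin: "{{ hcloud_secret | to_nice_yaml }}"
  vars:
    hcloud_secret:
      apiVersion: v1
      kind: Secret
      metadata:
        name: hcloud
        namespace: kube-system
      type: Opaque
      stringData:
        token: "{{ hcloud_token }}"
        network: "{{ cluster_name }}-network"
  register: hcloud_secret_apply
  changed_when: "'unchanged' not in hcloud_secret_apply.stdout"
  no_log: true
  when: hcloud_token | default('') | length > 0
# … unchanged: Tailscale operator OAuth secret task, same shape with client_id/client_secret …
```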
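Review bot: The new `Bootstrap addon prerequisite secrets` play writes into `tailscale-system`, a namespace this commit hands over to Flux (tailscale-operator/namespace.yaml) while the Ansible role that presumably created it is now skipped by default; `kubectl apply` of a namespaced Secret fails when the namespace does not exist yet, so a first run on a fresh cluster likely fails until Flux has reconciled the operator Kustomization. Either have the role create the namespace idempotently first (`kubectl create namespace <ns> --dry-run=client -o yaml | kubectl apply -f -`) or give the task `retries`/`until` so it waits for the namespace. The three `when: not (..._gitops_enabled | default(true) | bool)` guards make the legacy roles opt-in, which deserves a one-line comment above the first one, e.g. `# Legacy role path; Flux HelmReleases own these addons unless *_gitops_enabled is false`.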
diff --git a/infrastructure/addons/ccm/helmrelease-hcloud-ccm.yaml b/infrastructure/addons/ccm/helmrelease-hcloud-ccm.yaml
new file mode 100644
index 0000000..08fa995
--- /dev/null
+++ b/infrastructure/addons/ccm/helmrelease-hcloud-ccm.yaml
@@ -0,0 +1,34 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: hcloud-cloud-controller-manager
+ namespace: flux-system
+spec:
+ interval: 10m
+ targetNamespace: kube-system
+ chart:
+ spec:
+ chart: hcloud-cloud-controller-manager
+ version: 1.30.1
+ sourceRef:
+ kind: HelmRepository
+ name: hcloud
+ namespace: flux-system
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ remediation:
+ retries: 3
+ values:
+ args:
+ secure-port: "0"
+ networking:
+ enabled: true
+ nodeSelector:
+ kubernetes.io/hostname: k8s-cluster-cp-1
+ additionalTolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
diff --git a/infrastructure/addons/ccm/helmrepository-hcloud.yaml b/infrastructure/addons/ccm/helmrepository-hcloud.yaml
new file mode 100644
index 0000000..2774043
--- /dev/null
+++ b/infrastructure/addons/ccm/helmrepository-hcloud.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: hcloud
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://charts.hetzner.cloud
diff --git a/infrastructure/addons/ccm/kustomization.yaml b/infrastructure/addons/ccm/kustomization.yaml
index b83b23e..52b8d52 100644
--- a/infrastructure/addons/ccm/kustomization.yaml
+++ b/infrastructure/addons/ccm/kustomization.yaml
@@ -1,3 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: []
+resources:
+ - helmrepository-hcloud.yaml
+ - helmrelease-hcloud-ccm.yaml
diff --git a/infrastructure/addons/csi/helmrelease-hcloud-csi.yaml b/infrastructure/addons/csi/helmrelease-hcloud-csi.yaml
new file mode 100644
index 0000000..3bd4ab8
--- /dev/null
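Review bot: `nodeSelector: kubernetes.io/hostname: k8s-cluster-cp-1` hard-codes one node name, and the same selector/toleration pair is repeated in helmrelease-hcloud-csi.yaml, helmrelease-tailscale-operator.yaml and proxyclass-infra-stable.yaml, so every addon shares that node as a single point of failure and a node rename means four edits. A role selector such as `node-role.kubernetes.io/control-plane: ""` together with the toleration already present says "run on a control-plane node" without naming the host; failing that, keep the hostname in one place via the Flux Kustomization's `postBuild.substitute` and reference a variable here. `secure-port: "0"` also needs a why-comment, since it appears to switch off the CCM's authenticated serving port (metrics/healthz), which is fine until someone wires up scraping: `# secure-port 0: no HTTPS serving endpoint; re-enable if metrics/healthz are scraped`.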
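Review bot: This HelmRepository `hcloud` in `flux-system` is created byte-identically a second time in csi/helmrepository-hcloud.yaml (same blob 2774043), and the ccm and csi directories are presumably reconciled by separate Flux Kustomizations; Flux labels each applied object with the Kustomization that owns it and, as far as I recall, refuses to apply an object another Kustomization already claims, so the two reconciliations will at best fight over ownership and at worst one of them fails. Keep a single copy in a shared sources location that both addons depend on, or give each a distinct name (`hcloud-ccm`, `hcloud-csi`) and point the respective `sourceRef.name` at it.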
+++ b/infrastructure/addons/csi/helmrelease-hcloud-csi.yaml
@@ -0,0 +1,36 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: hcloud-csi
+ namespace: flux-system
+spec:
+ interval: 10m
+ targetNamespace: kube-system
+ chart:
+ spec:
+ chart: hcloud-csi
+ version: 2.20.0
+ sourceRef:
+ kind: HelmRepository
+ name: hcloud
+ namespace: flux-system
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ remediation:
+ retries: 3
+ values:
+ controller:
+ nodeSelector:
+ kubernetes.io/hostname: k8s-cluster-cp-1
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
+ hcloudVolumeDefaultLocation: nbg1
+ storageClasses:
+ - name: hcloud-volumes
+ defaultStorageClass: true
+ reclaimPolicy: Delete
diff --git a/infrastructure/addons/csi/helmrepository-hcloud.yaml b/infrastructure/addons/csi/helmrepository-hcloud.yaml
new file mode 100644
index 0000000..2774043
--- /dev/null
+++ b/infrastructure/addons/csi/helmrepository-hcloud.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: hcloud
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://charts.hetzner.cloud
diff --git a/infrastructure/addons/csi/kustomization.yaml b/infrastructure/addons/csi/kustomization.yaml
index b83b23e..8585a8c 100644
--- a/infrastructure/addons/csi/kustomization.yaml
+++ b/infrastructure/addons/csi/kustomization.yaml
@@ -1,3 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: []
+resources:
+ - helmrepository-hcloud.yaml
+ - helmrelease-hcloud-csi.yaml
diff --git a/infrastructure/addons/kustomization-tailscale-proxyclass.yaml b/infrastructure/addons/kustomization-tailscale-proxyclass.yaml
new file mode 100644
index 0000000..7154a76
--- /dev/null
+++ b/infrastructure/addons/kustomization-tailscale-proxyclass.yaml
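Review bot: The cluster's default StorageClass (`defaultStorageClass: true`) is created with `reclaimPolicy: Delete`, so removing a PVC — including through a Flux prune of the namespace or HelmRelease that owns it — deletes the Hetzner volume behind it with no recovery path. If that is the intended policy for everything that lands on the default class, record it in a comment, `# Delete: volumes go away with their PVC; use a Retain class for data that must survive a prune`, and consider a second `hcloud-volumes-retain` entry with `reclaimPolicy: Retain` for the stateful workloads. `hcloudVolumeDefaultLocation: nbg1` is likewise a silent coupling to one Hetzner location and would benefit from the same one-line comment.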
@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: addon-tailscale-proxyclass
+ namespace: flux-system
+spec:
+ interval: 10m
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: platform
+ path: ./infrastructure/addons/tailscale-proxyclass
+ dependsOn:
+ - name: addon-tailscale-operator
+ wait: true
+ timeout: 5m
+ suspend: true
diff --git a/infrastructure/addons/kustomization.yaml b/infrastructure/addons/kustomization.yaml
index d692f0c..29a8970 100644
--- a/infrastructure/addons/kustomization.yaml
+++ b/infrastructure/addons/kustomization.yaml
@@ -6,5 +6,6 @@ resources:
 - kustomization-external-secrets.yaml
 - kustomization-flux-ui.yaml
 - kustomization-tailscale-operator.yaml
+ - kustomization-tailscale-proxyclass.yaml
 - kustomization-observability.yaml
 - kustomization-observability-content.yaml
diff --git a/infrastructure/addons/tailscale-operator/helmrelease-tailscale-operator.yaml b/infrastructure/addons/tailscale-operator/helmrelease-tailscale-operator.yaml
new file mode 100644
index 0000000..6be113f
--- /dev/null
+++ b/infrastructure/addons/tailscale-operator/helmrelease-tailscale-operator.yaml
@@ -0,0 +1,39 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: tailscale-operator
+ namespace: flux-system
+spec:
+ interval: 10m
+ targetNamespace: tailscale-system
+ chart:
+ spec:
+ chart: tailscale-operator
+ version: 1.95.91
+ sourceRef:
+ kind: HelmRepository
+ name: tailscale
+ namespace: flux-system
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ remediation:
+ retries: 3
+ values:
+ installCRDs: true
+ apiServerProxyConfig:
+ mode: "true"
+ operatorConfig:
+ defaultTags:
+ - tag:k8s
+ nodeSelector:
+ kubernetes.io/hostname: k8s-cluster-cp-1
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
+ proxyConfig:
+ defaultTags: tag:k8s
+ defaultProxyClass: infra-stable
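Review bot: `suspend: true` ships this Kustomization disabled with no explanation, while helmrelease-tailscale-operator.yaml in the same commit already sets `proxyConfig.defaultProxyClass: infra-stable`; until someone resumes it the ProxyClass never exists and every proxy the operator creates references a missing class. The ordering concern that a suspension would usually cover (the ProxyClass CRD must exist before this applies) is already handled by `dependsOn` plus `wait: true` on the operator Kustomization. If the suspension is a deliberate staged rollout, say so next to the line, `# suspended for the first reconcile; resume with: flux resume kustomization addon-tailscale-proxyclass -n flux-system`, otherwise drop `suspend: true`.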
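Review bot: `apiServerProxyConfig.mode: "true"` turns on the operator's Kubernetes API server proxy on the tailnet (auth mode, if I read the chart correctly), and who can reach it and what they may do is then decided by the tailnet ACL grants and by the RBAC bound to the impersonated tailnet identities, none of which is in this commit; a comment should record that dependency: `# API server proxy (auth mode): reachability and rights come from tailnet ACLs + RBAC for impersonated identities`. `tag:k8s` is also used both as the operator's own tag (`operatorConfig.defaultTags`) and as the default tag for every proxy it creates (`proxyConfig.defaultTags`), so ACL rules cannot distinguish the operator, which holds the API proxy, from ordinary service proxies; a separate operator tag is the usual split. The `operator-oauth` Secret the chart consumes is created out-of-band by the Ansible role, which is worth one line here so a Flux-only reader knows where it comes from.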
diff --git a/infrastructure/addons/tailscale-operator/helmrepository-tailscale.yaml b/infrastructure/addons/tailscale-operator/helmrepository-tailscale.yaml
new file mode 100644
index 0000000..bc283f7
--- /dev/null
+++ b/infrastructure/addons/tailscale-operator/helmrepository-tailscale.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: tailscale
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://pkgs.tailscale.com/unstable/helmcharts
diff --git a/infrastructure/addons/tailscale-operator/kustomization.yaml b/infrastructure/addons/tailscale-operator/kustomization.yaml
index b83b23e..fede2bc 100644
--- a/infrastructure/addons/tailscale-operator/kustomization.yaml
+++ b/infrastructure/addons/tailscale-operator/kustomization.yaml
@@ -1,3 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: []
+resources:
+ - namespace.yaml
+ - helmrepository-tailscale.yaml
+ - helmrelease-tailscale-operator.yaml
diff --git a/infrastructure/addons/tailscale-operator/namespace.yaml b/infrastructure/addons/tailscale-operator/namespace.yaml
new file mode 100644
index 0000000..76adf33
--- /dev/null
+++ b/infrastructure/addons/tailscale-operator/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tailscale-system
diff --git a/infrastructure/addons/tailscale-proxyclass/kustomization.yaml b/infrastructure/addons/tailscale-proxyclass/kustomization.yaml
new file mode 100644
index 0000000..499d67d
--- /dev/null
+++ b/infrastructure/addons/tailscale-proxyclass/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - proxyclass-infra-stable.yaml
diff --git a/infrastructure/addons/tailscale-proxyclass/proxyclass-infra-stable.yaml b/infrastructure/addons/tailscale-proxyclass/proxyclass-infra-stable.yaml
new file mode 100644
index 0000000..7dc03cc
--- /dev/null
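Review bot: The chart source is the `unstable` channel (`https://pkgs.tailscale.com/unstable/helmcharts`) for a component that, per helmrelease-tailscale-operator.yaml, fronts the Kubernetes API server; the pinned `version: 1.95.91` keeps each rollout reproducible, but every future bump pulls an unstable build of a security boundary. If the unstable track is needed for a specific feature, add a comment naming it and the stable URL to return to, e.g. `# unstable track needed for <feature>; move back to https://pkgs.tailscale.com/helmcharts once released`, otherwise switch to the stable repository now.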
+++ b/infrastructure/addons/tailscale-proxyclass/proxyclass-infra-stable.yaml
@@ -0,0 +1,13 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+ name: infra-stable
+spec:
+ statefulSet:
+ pod:
+ nodeSelector:
+ kubernetes.io/hostname: k8s-cluster-cp-1
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule