From a839fb6db60bcf54aad58e61403bd05413071450 Mon Sep 17 00:00:00 2001
From: Ryan Cavicchioni
Date: Mon, 28 Jul 2025 15:49:10 -0500
Subject: [PATCH] add argocd
---
argocd/apps/aws-load-balancer-controller.yaml | 43 +++++
argocd/apps/cert-manager.yaml | 46 +++++
argocd/apps/cluster-autoscaler.yaml | 31 +++
argocd/apps/external-dns.yaml | 47 +++++
argocd/apps/ingress-nginx.yaml | 56 ++++++
.../base/cluster-autoscaler-autodiscover.yaml | 180 ++++++++++++++++++
.../base/kustomization.yaml | 7 +
.../envs/development/kustomization.yaml | 38 ++++
8 files changed, 448 insertions(+)
create mode 100644 argocd/apps/aws-load-balancer-controller.yaml
create mode 100644 argocd/apps/cert-manager.yaml
create mode 100644 argocd/apps/cluster-autoscaler.yaml
create mode 100644 argocd/apps/external-dns.yaml
create mode 100644 argocd/apps/ingress-nginx.yaml
create mode 100644 argocd/cluster-autoscaler/base/cluster-autoscaler-autodiscover.yaml
create mode 100644 argocd/cluster-autoscaler/base/kustomization.yaml
create mode 100644 argocd/cluster-autoscaler/envs/development/kustomization.yaml
diff --git a/argocd/apps/aws-load-balancer-controller.yaml b/argocd/apps/aws-load-balancer-controller.yaml
new file mode 100644
index 0000000..da92a3c
--- /dev/null
+++ b/argocd/apps/aws-load-balancer-controller.yaml
@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: aws-load-balancer-controller
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ goTemplate: true
+ goTemplateOptions: ["missingkey=error"]
+ generators:
+ - list:
+ elements:
+ - cluster: devel
+ url: https://kubernetes.default.svc
+ template:
+ metadata:
+ name: 'aws-load-balancer-controller-{{.cluster}}'
+ spec:
+ project: default
+ source:
+ chart: aws-load-balancer-controller
+ repoURL: https://aws.github.io/eks-charts
+ targetRevision: 1.13.2
+ helm:
+ releaseName: aws-load-balancer-controller
+ values: |
+ clusterName: eks1-devel
+ serviceAccount:
+ create: true
+ name: aws-load-balancer-controller
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::273729230602:role/eks1-devel-aws-load-balancer-controller
+ destination:
+ server: '{{.url}}'
+ namespace: kube-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/argocd/apps/cert-manager.yaml b/argocd/apps/cert-manager.yaml
new file mode 100644
index 0000000..db317da
--- /dev/null
+++ b/argocd/apps/cert-manager.yaml
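Review bot: `project: default` on the templated Application puts this ApplicationSet under Argo CD's unrestricted built-in AppProject (any source repo, any destination namespace, cluster-scoped resources allowed) while it auto-syncs with `prune` and `selfHeal` into kube-system. A dedicated AppProject whose `sourceRepos` is limited to `https://aws.github.io/eks-charts` and whose `destinations` is limited to `kube-system` on the in-cluster server would keep a mistaken or tampered chart from writing outside its lane. The generator's `cluster: devel` element is not what feeds `clusterName: eks1-devel`, so adding a cluster means editing both places; carrying the EKS name and role ARN as generator fields (e.g. `clusterName: '{{.clusterName}}'`) would keep them in step. The IRSA annotation only restricts anything if the role's trust policy pins the `sub` claim to `system:serviceaccount:kube-system:aws-load-balancer-controller`, which is not visible here and is worth confirming.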
@@ -0,0 +1,46 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: cert-manager
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ goTemplate: true
+ goTemplateOptions: ["missingkey=error"]
+ generators:
+ - list:
+ elements:
+ - cluster: devel
+ url: https://kubernetes.default.svc
+ template:
+ metadata:
+ name: 'cert-manager-{{.cluster}}'
+ spec:
+ project: default
+ source:
+ chart: cert-manager
+ repoURL: https://charts.jetstack.io
+ targetRevision: 1.18.2
+ helm:
+ releaseName: cert-manager
+ values: |
+ crds:
+ enabled: true
+ serviceAccount:
+ create: true
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::273729230602:role/eks1-devel-cert-manager
+ config:
+ featureGates:
+ ACMEHTTP01IngressPathTypeExact: false
+ destination:
+ server: '{{.url}}'
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/argocd/apps/cluster-autoscaler.yaml b/argocd/apps/cluster-autoscaler.yaml
new file mode 100644
index 0000000..cdfff51
--- /dev/null
+++ b/argocd/apps/cluster-autoscaler.yaml
@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: cluster-autoscaler
+ namespace: argocd
+spec:
+ goTemplate: true
+ goTemplateOptions: ["missingkey=error"]
+ generators:
+ - list:
+ elements:
+ - cluster: development
+ url: https://kubernetes.default.svc
+ template:
+ metadata:
+ name: 'cluster-autoscaler-{{.cluster}}'
+ spec:
+ project: default
+ source:
+ repoURL: https://github.com/ryanc/argocd.git
+ targetRevision: HEAD
+ path: cluster-autoscaler/envs/{{.cluster}}
+ destination:
+ server: '{{.url}}'
+ namespace: kube-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/argocd/apps/external-dns.yaml b/argocd/apps/external-dns.yaml
new file mode 100644
index 0000000..dfde073
--- /dev/null
+++ b/argocd/apps/external-dns.yaml
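Review bot: `crds.enabled: true` together with `prune: true` and the `resources-finalizer` makes the cert-manager CRDs Argo-managed and prunable, and pruning a CRD cascade-deletes every Certificate, Issuer and ClusterIssuer in the cluster. The chart's `crds.keep` defaults to true, which annotates them `helm.sh/resource-policy: keep`, but whether Argo CD treats that annotation as Prune=false depends on the Argo CD version in use; either confirm it for the version deployed or manage the CRDs from a separate Application without automated prune. `ACMEHTTP01IngressPathTypeExact: false` relaxes the HTTP-01 solver Ingress from `Exact` to `ImplementationSpecific`; ingress-nginx, which this repo deploys, supports `Exact`, so if another controller required the relaxation a comment such as `# required by <controller>: does not support pathType Exact` should say which, otherwise the gate can be left at its default.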
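Review bot: `targetRevision: HEAD` with `prune`/`selfHeal` means whatever lands on the repository's default branch is applied to kube-system immediately, and the path it points at carries a ClusterRole and ClusterRoleBinding; pin it to a protected branch or tag (e.g. `targetRevision: main`) so that a push to an unprotected ref cannot rewrite cluster-wide RBAC. This ApplicationSet also omits the `resources-finalizer.argocd.argoproj.io` finalizer the other four carry, so deleting it orphans the autoscaler instead of cascading — acceptable if intentional, but it should be consistent or explained with a comment. The generator element is named `development` here versus `devel` in the sibling ApplicationSets; it works because it only builds the overlay path, but the mismatch will trip anyone who later templates the IAM role or cluster name from it.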
@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: external-dns
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ goTemplate: true
+ goTemplateOptions: ["missingkey=error"]
+ generators:
+ - list:
+ elements:
+ - cluster: devel
+ url: https://kubernetes.default.svc
+ template:
+ metadata:
+ name: 'external-dns-{{.cluster}}'
+ spec:
+ project: default
+ source:
+ chart: external-dns
+ repoURL: https://kubernetes-sigs.github.io/external-dns
+ targetRevision: 1.18.0
+ helm:
+ releaseName: external-dns
+ values: |
+ provider:
+ name: aws
+ env:
+ - name: AWS_DEFAULT_REGION
+ value: us-east-1
+ serviceAccount:
+ create: true
+ name: external-dns
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::273729230602:role/eks1-devel-external-dns
+ destination:
+ server: '{{.url}}'
+ namespace: kube-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/argocd/apps/ingress-nginx.yaml b/argocd/apps/ingress-nginx.yaml
new file mode 100644
index 0000000..04d5380
--- /dev/null
+++ b/argocd/apps/ingress-nginx.yaml
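Review bot: No `domainFilters`, `policy` or `txtOwnerId` are set in the values, so external-dns runs with chart defaults: it reconciles every hosted zone the IAM role can see under `policy: sync`, which may delete or overwrite records, and its ownership TXT records use the default owner id, which collides as soon as a second cluster shares a zone. Narrow the blast radius in the same values block with `domainFilters` naming only the zone(s) this cluster owns, `policy: upsert-only` unless deletions are actually wanted, and `txtOwnerId: eks1-devel`. Whether the role's policy is itself scoped to specific hosted-zone ARNs is not visible here and should be checked at the same time.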
@@ -0,0 +1,56 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: ingress-nginx
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ goTemplate: true
+ goTemplateOptions: ["missingkey=error"]
+ generators:
+ - list:
+ elements:
+ - cluster: devel
+ url: https://kubernetes.default.svc
+ template:
+ metadata:
+ name: 'ingress-nginx-{{.cluster}}'
+ spec:
+ project: default
+ source:
+ chart: ingress-nginx
+ repoURL: https://kubernetes.github.io/ingress-nginx
+ targetRevision: 4.13.0
+ helm:
+ releaseName: ingress-nginx
+ values: |
+ controller:
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: deregistration_delay.timeout_seconds=270
+ service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+ service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
+ service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "10254"
+ service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
+ service.beta.kubernetes.io/aws-load-balancer-healthcheck-success-codes: 200-299
+ service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+ service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+ service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ # service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true"
+ # service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
+ # service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-something1 sg-something2"
+ # service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "somebucket"
+ service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: "ingress-nginx"
+ service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: "5"
+ destination:
+ server: '{{.url}}'
+ namespace: ingress-nginx
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/argocd/cluster-autoscaler/base/cluster-autoscaler-autodiscover.yaml b/argocd/cluster-autoscaler/base/cluster-autoscaler-autodiscover.yaml
new file mode 100644
index 0000000..9299742
--- /dev/null
+++ b/argocd/cluster-autoscaler/base/cluster-autoscaler-autodiscover.yaml
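Review bot: Access logging on this `internet-facing` NLB is effectively off: `aws-load-balancer-access-log-enabled` and `aws-load-balancer-access-log-s3-bucket-name` are commented out, so the two annotations that remain active (`...access-log-s3-bucket-prefix: "ingress-nginx"` and `...access-log-emit-interval: "5"`) do nothing on their own. For the cluster's public entry point the load-balancer logs are the primary forensic record, so either uncomment both and point `access-log-s3-bucket-name` at a real bucket, or remove the dangling prefix and interval lines so the manifest does not read as if logging were enabled. If logging is deliberately deferred for the devel cluster, a one-line comment such as `# access logging disabled in devel; enable before promoting` would make that explicit.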
@@ -0,0 +1,180 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ k8s-addon: cluster-autoscaler.addons.k8s.io
+ k8s-app: cluster-autoscaler
+ name: cluster-autoscaler
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cluster-autoscaler
+ labels:
+ k8s-addon: cluster-autoscaler.addons.k8s.io
+ k8s-app: cluster-autoscaler
+rules:
+ - apiGroups: [""]
+ resources: ["events", "endpoints"]
+ verbs: ["create", "patch"]
+ - apiGroups: [""]
+ resources: ["pods/eviction"]
+ verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["pods/status"]
+ verbs: ["update"]
+ - apiGroups: [""]
+ resources: ["endpoints"]
+ resourceNames: ["cluster-autoscaler"]
+ verbs: ["get", "update"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["watch", "list", "get", "update"]
+ - apiGroups: [""]
+ resources:
+ - "namespaces"
+ - "pods"
+ - "services"
+ - "replicationcontrollers"
+ - "persistentvolumeclaims"
+ - "persistentvolumes"
+ verbs: ["watch", "list", "get"]
+ - apiGroups: ["extensions"]
+ resources: ["replicasets", "daemonsets"]
+ verbs: ["watch", "list", "get"]
+ - apiGroups: ["policy"]
+ resources: ["poddisruptionbudgets"]
+ verbs: ["watch", "list"]
+ - apiGroups: ["apps"]
+ resources: ["statefulsets", "replicasets", "daemonsets"]
+ verbs: ["watch", "list", "get"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses", "csinodes", "csidrivers", "csistoragecapacities", "volumeattachments"]
+ verbs: ["watch", "list", "get"]
+ - apiGroups: ["batch", "extensions"]
+ resources: ["jobs"]
+ verbs: ["get", "list", "watch", "patch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create"]
+ - apiGroups: ["coordination.k8s.io"]
+ resourceNames: ["cluster-autoscaler"]
+ resources: ["leases"]
+ verbs: ["get", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cluster-autoscaler
+ namespace: kube-system
+ labels:
+ k8s-addon: cluster-autoscaler.addons.k8s.io
+ k8s-app: cluster-autoscaler
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["cluster-autoscaler-status", "cluster-autoscaler-priority-expander"]
+ verbs: ["delete", "get", "update", "watch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-autoscaler
+ labels:
+ k8s-addon: cluster-autoscaler.addons.k8s.io
+ k8s-app: cluster-autoscaler
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-autoscaler
+subjects:
+ - kind: ServiceAccount
+ name: cluster-autoscaler
+ namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cluster-autoscaler
+ namespace: kube-system
+ labels:
+ k8s-addon: cluster-autoscaler.addons.k8s.io
+ k8s-app: cluster-autoscaler
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cluster-autoscaler
+subjects:
+ - kind: ServiceAccount
+ name: cluster-autoscaler
+ namespace: kube-system
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cluster-autoscaler
+ namespace: kube-system
+ labels:
+ app: cluster-autoscaler
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: cluster-autoscaler
+ template:
+ metadata:
+ labels:
+ app: cluster-autoscaler
+ annotations:
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '8085'
+ spec:
+ priorityClassName: system-cluster-critical
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ fsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: cluster-autoscaler
+ containers:
+ - image: registry.k8s.io/autoscaling/cluster-autoscaler:v1.32.1
+ name: cluster-autoscaler
+ resources:
+ limits:
+ cpu: 100m
+ memory: 600Mi
+ requests:
+ cpu: 100m
+ memory: 600Mi
+ command:
+ - ./cluster-autoscaler
+ - --v=4
+ - --stderrthreshold=info
+ - --cloud-provider=aws
+ - --skip-nodes-with-local-storage=false
+ - --expander=least-waste
+ - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/
+ volumeMounts:
+ - name: ssl-certs
+ mountPath: /etc/ssl/certs/ca-certificates.crt # /etc/ssl/certs/ca-bundle.crt for Amazon Linux Worker Nodes
+ readOnly: true
+ imagePullPolicy: "Always"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumes:
+ - name: ssl-certs
+ hostPath:
+ path: "/etc/ssl/certs/ca-bundle.crt"
diff --git a/argocd/cluster-autoscaler/base/kustomization.yaml b/argocd/cluster-autoscaler/base/kustomization.yaml
new file mode 100644
index 0000000..cfabc01
--- /dev/null
+++ b/argocd/cluster-autoscaler/base/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+metadata:
+ name: cluster-autoscaler
+resources:
+ - cluster-autoscaler-autodiscover.yaml
diff --git a/argocd/cluster-autoscaler/envs/development/kustomization.yaml b/argocd/cluster-autoscaler/envs/development/kustomization.yaml
new file mode 100644
index 0000000..f75185c
--- /dev/null
+++ b/argocd/cluster-autoscaler/envs/development/kustomization.yaml
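Review bot: The container is pulled with `imagePullPolicy: "Always"` from the mutable tag `registry.k8s.io/autoscaling/cluster-autoscaler:v1.32.1`, so every pod restart re-resolves a tag that a registry-side change could repoint, for a workload whose ClusterRole grants `nodes` update and `pods/eviction` create; pinning the digest (`image: registry.k8s.io/autoscaling/cluster-autoscaler:v1.32.1@sha256:<digest>`) makes what runs with that RBAC reproducible. The base's `--node-group-auto-discovery` value ends in a bare `k8s.io/cluster-autoscaler/` — if that is literal rather than a placeholder lost in rendering, the base on its own matches no ASG tag and silently depends on an overlay to append the cluster name, which deserves a comment at that line. The `hostPath` mount of `/etc/ssl/certs/ca-bundle.crt` is the upstream example's way of trusting the node CA bundle and is read-only, but hostPath volumes are forbidden at the `baseline` Pod Security level, so this only works because kube-system is exempt — worth a comment if PSA is enforced elsewhere. The `extensions` API-group rules cover resource versions removed in Kubernetes 1.16 and are dead on a 1.32 cluster, so they can be dropped to keep the grant minimal.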
@@ -0,0 +1,38 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+metadata:
+ name: cluster-autoscaler
+resources:
+ - ../../base
+patches:
+ - patch: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: cluster-autoscaler
+ namespace: kube-system
+ spec:
+ template:
+ spec:
+ containers:
+ - name: cluster-autoscaler
+ command:
+ - ./cluster-autoscaler
+ - --v=4
+ - --stderrthreshold=info
+ - --cloud-provider=aws
+ - --skip-nodes-with-local-storage=false
+ - --expander=least-waste
+ - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/eks1-devel
+ env:
+ - name: AWS_REGION
+ value: us-east-1
+ - patch: |
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::273729230602:role/eks1-devel-cluster-autoscaler
+ name: cluster-autoscaler
+ namespace: kube-system
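Review bot: Because the first patch restates the base's entire `command` list just to change the cluster name in `--node-group-auto-discovery`, any flag later added or tightened in `base/cluster-autoscaler-autodiscover.yaml` is silently dropped in this overlay — a strategic-merge patch replaces a container's `command` list wholesale rather than merging it. Patching only the element that differs with a JSON 6902 patch keeps the overlay to the per-environment delta and lets base hardening flow through. The positional index is itself brittle if the base reorders flags, so keep a comment naming the flag next to it (or use a Kustomize `replacements` entry keyed on a placeholder in the base). The second patch, which adds the IRSA annotation to the ServiceAccount, is fine as a strategic merge since it only adds a key.

```yaml
patches:
  - target:
      group: apps
      version: v1
      kind: Deployment
      name: cluster-autoscaler
      namespace: kube-system
    patch: |
      # index 6 is --node-group-auto-discovery in base/cluster-autoscaler-autodiscover.yaml
      - op: replace
        path: /spec/template/spec/containers/0/command/6
        value: --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/eks1-devel
      - op: add
        path: /spec/template/spec/containers/0/env
        value:
          - name: AWS_REGION
            value: us-east-1
  # … unchanged: ServiceAccount role-arn patch …
```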