remove Argo

It's using a shitload of bandwidth

apps/kipunji/kustomization.yaml

@@ -1,5 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - https://git.kill0.net/ryanc/kipunji/raw/branch/main/kustomize/kustomization.yaml

clusters/k3s-cluster/flux-system/gotk-components.yaml

@@ -13,6 +13,65 @@ metadata:
     pod-security.kubernetes.io/warn-version: latest
   name: flux-system
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/instance: flux-system
+    app.kubernetes.io/part-of: flux
+    app.kubernetes.io/version: v2.4.0
+  name: allow-egress
+  namespace: flux-system
+spec:
+  egress:
+  - {}
+  ingress:
+  - from:
+    - podSelector: {}
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/instance: flux-system
+    app.kubernetes.io/part-of: flux
+    app.kubernetes.io/version: v2.4.0
+  name: allow-scraping
+  namespace: flux-system
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8080
+      protocol: TCP
+  podSelector: {}
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/instance: flux-system
+    app.kubernetes.io/part-of: flux
+    app.kubernetes.io/version: v2.4.0
+  name: allow-webhooks
+  namespace: flux-system
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+  podSelector:
+    matchLabels:
+      app: notification-controller
+  policyTypes:
+  - Ingress
+---
 apiVersion: v1
 kind: ResourceQuota
 metadata:

clusters/k3s-cluster/flux-system/gotk-sync.yaml

@@ -20,7 +20,7 @@ metadata:
   namespace: flux-system
 spec:
   interval: 10m0s
-  path: ./clusters/my-cluster
+  path: ./clusters/k3s-cluster
   prune: true
   sourceRef:
     kind: GitRepository

clusters/k3s-cluster/flux-system/kustomization.yaml

@@ -17,7 +17,7 @@ patches:
               - name: manager
                 env:
                   - name: "HTTPS_PROXY"
-                    value: "http://proxy-lb.lab.kill0.net:3128"
+                    value: "http://proxy-lb.lab.kill0.net.:3128"
                   - name: "NO_PROXY"
                     value: ".cluster.local.,.cluster.local,.svc,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
     target:

clusters/k3s-cluster/infrastructure.yaml

@@ -19,7 +19,7 @@ spec:
         - op: replace
           path: /spec/addresses
           value:
-            - 10.100.100.210-10.100.100.219
+            - 10.100.101.16/28
       target:
         kind: IPAddressPool
         name: first-pool

clusters/k8s-cluster/apps.yaml

@@ -6,6 +6,8 @@ metadata:
   namespace: flux-system
 spec:
   interval: 10m0s
+  dependsOn:
+    - name: infra-configs
   sourceRef:
     kind: GitRepository
     name: flux-system

clusters/k8s-cluster/flux-system/kustomization.yaml

@@ -17,9 +17,9 @@ patches:
               - name: manager
                 env:
                   - name: "https_proxy"
-                    value: "http://proxy-lb.lab.kill0.net:3128"
+                    value: "http://proxy-lb.lab.kill0.net.:3128"
                   - name: "no_proxy"
-                    value: ".svc, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, k8s-ctrl-lb.lab.kill0.net, localhost"
+                    value: ".cluster.local., .cluster.local, .svc, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, k8s-ctrl-lb.lab.kill0.net, localhost, registry.lab.kill0.net"
     target:
       kind: Deployment
       labelSelector: app.kubernetes.io/part-of=flux

clusters/k8s-cluster/infrastructure.yaml

@@ -1,37 +1,10 @@
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
-metadata:
-  name: infra-loadbalancer
-  namespace: flux-system
-spec:
-  interval: 1h
-  retryInterval: 1m
-  timeout: 5m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  path: ./infrastructure/loadbalancer
-  prune: true
-  wait: true
-  patches:
-    - patch: |
-        - op: replace
-          path: /spec/addresses
-          value:
-            - 10.100.100.220-10.100.100.229
-      target:
-        kind: IPAddressPool
-        name: first-pool
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
 metadata:
   name: infra-controllers
   namespace: flux-system
 spec:
-  dependsOn:
-    - name: infra-loadbalancer
   interval: 1h
   retryInterval: 1m
   timeout: 5m

clusters/k8s-cluster/kube-vip-cloud-controller/configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubevip
+  namespace: kube-system
+data:
+  cidr-global: 10.99.99.10-10.99.99.254

clusters/k8s-cluster/kube-vip-cloud-controller/kube-vip-cloud-controller.yaml

@@ -0,0 +1,88 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-vip-cloud-controller
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: system:kube-vip-cloud-controller-role
+rules:
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "create", "update", "list", "put"]
+  - apiGroups: [""]
+    resources: ["configmaps", "endpoints","events","services/status", "leases"]
+    verbs: ["*"]
+  - apiGroups: [""]
+    resources: ["nodes", "services"]
+    verbs: ["list","get","watch","update"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:kube-vip-cloud-controller-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-vip-cloud-controller-role
+subjects:
+- kind: ServiceAccount
+  name: kube-vip-cloud-controller
+  namespace: kube-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-vip-cloud-provider
+  namespace: kube-system
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: kube-vip
+      component: kube-vip-cloud-provider
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: kube-vip
+        component: kube-vip-cloud-provider
+    spec:
+      containers:
+      - command:
+        - /kube-vip-cloud-provider
+        - --leader-elect-resource-name=kube-vip-cloud-controller
+        image: ghcr.io/kube-vip/kube-vip-cloud-provider:v0.0.11
+        name: kube-vip-cloud-provider
+        imagePullPolicy: Always
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      serviceAccountName: kube-vip-cloud-controller
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/control-plane
+        effect: NoSchedule
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 10
+            preference:
+              matchExpressions:
+              - key: node-role.kubernetes.io/control-plane
+                operator: Exists
+          - weight: 10
+            preference:
+              matchExpressions:
+              - key: node-role.kubernetes.io/master
+                operator: Exists

clusters/k8s-cluster/kube-vip-cloud-controller/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - kube-vip-cloud-controller.yaml
+  - configmap.yaml

clusters/k8s-cluster/kube-vip/daemonset.yaml

@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/name: kube-vip-ds
+    app.kubernetes.io/version: v0.8.9
+  name: kube-vip-ds
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-vip-ds
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/name: kube-vip-ds
+        app.kubernetes.io/version: v0.8.9
+    spec:
+      containers:
+      - args:
+        - manager
+        env:
+        - name: vip_arp
+          value: "false"
+        - name: port
+          value: "6443"
+        - name: vip_nodename
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: vip_interface
+          value: lo
+        - name: bgp_routerinterface
+          value: "eth0"
+        - name: dns_mode
+          value: first
+        - name: svc_enable
+          value: "true"
+        - name: svc_leasename
+          value: plndr-svcs-lock
+        - name: bgp_enable
+          value: "true"
+        - name: bgp_routerid
+        - name: bgp_as
+          value: "4206942069"
+        - name: bgp_peeraddress
+        - name: bgp_peerpass
+        - name: bgp_peeras
+          value: "65000"
+        - name: bgp_peers
+          value: 10.100.100.1:4206942069::false
+        - name: vip_address
+        - name: vip_cidr
+          value: "32"
+        - name: prometheus_server
+          value: :2112
+        image: ghcr.io/kube-vip/kube-vip:v0.8.9
+        imagePullPolicy: IfNotPresent
+        name: kube-vip
+        resources: {}
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+            - NET_RAW
+      hostNetwork: true
+      serviceAccountName: kube-vip
+  updateStrategy: {}
+

clusters/k8s-cluster/kube-vip/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - rbac.yaml
+  - daemonset.yaml

clusters/k8s-cluster/kube-vip/rbac.yaml

@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-vip
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: system:kube-vip-role
+rules:
+  - apiGroups: [""]
+    resources: ["services/status"]
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources: ["services", "endpoints"]
+    verbs: ["list","get","watch", "update"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["list","get","watch", "update", "patch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["list", "get", "watch", "update", "create"]
+  - apiGroups: ["discovery.k8s.io"]
+    resources: ["endpointslices"]
+    verbs: ["list","get","watch", "update"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["list"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:kube-vip-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-vip-role
+subjects:
+- kind: ServiceAccount
+  name: kube-vip
+  namespace: kube-system

clusters/k8s-cluster/spegel/kustomization.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: goldpinger
+namespace: spegel
 resources:
   - namespace.yaml
   - repository.yaml

clusters/k8s-cluster/spegel/namespace.yaml

@@ -2,4 +2,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: argocd
+  name: spegel

clusters/k8s-cluster/spegel/release.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: spegel
+  namespace: spegel
+spec:
+  interval: 1m
+  chart:
+    spec:
+      chart: spegel
+      version: v0.0.30
+      interval: 5m
+      sourceRef:
+        kind: HelmRepository
+        name: spegel

clusters/k8s-cluster/spegel/repository.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: spegel
+  namespace: spegel
+spec:
+  type: "oci"
+  interval: 5m0s
+  url: oci://ghcr.io/spegel-org/helm-charts

clusters/my-cluster/argo-rollouts/kustomization.yaml

@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: argo-rollouts
-resources:
-  - namespace.yaml
-  - https://github.com/argoproj/argo-rollouts/releases/download/v1.7.2/install.yaml

clusters/my-cluster/argo-rollouts/namespace.yaml

@@ -1,5 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: argo-rollouts

clusters/my-cluster/argocd/kustomization.yaml

@@ -1,18 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: argocd
-resources:
-  - namespace.yaml
-  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.13.3/manifests/install.yaml
-patches:
-  - patch: |
-      apiVersion: v1
-      kind: Service
-      metadata:
-        name: argocd-server
-      spec:
-        type: LoadBalancer
-    target:
-      kind: Service
-      labelSelector: app.kubernetes.io/name=argocd-server

clusters/my-cluster/goldpinger/release.yaml

@@ -1,21 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: goldpinger
-  namespace: goldpinger
-spec:
-  chart:
-    spec:
-      chart: goldpinger
-      sourceRef:
-        kind: HelmRepository
-        name: goldpinger
-  interval: 50m
-  install:
-    remediation:
-      retries: 3
-  values:
-    goldpinger:
-      isArgoRollouts: true
-      reloadStrategy: annotations

clusters/my-cluster/goldpinger/repository.yaml

@@ -1,9 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: goldpinger
-  namespace: goldpinger
-spec:
-  interval: 5m
-  url: https://bloomberg.github.io/goldpinger

infrastructure/controllers/envoy-gateway/namespace.yaml

@@ -2,4 +2,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: goldpinger
+  name: envoy-gateway-system

infrastructure/controllers/envoy-gateway/release.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: eg
+  namespace: envoy-gateway-system
+spec:
+  interval: 10m
+  releaseName: eg
+  chartRef:
+    kind: OCIRepository
+    name: envoy-gateway

infrastructure/controllers/envoy-gateway/repository.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: envoy-gateway
+  namespace: envoy-gateway-system
+spec:
+  interval: 10m
+  url: oci://docker.io/envoyproxy/gateway-helm
+  ref:
+    semver: ">=1.3.2"

infrastructure/controllers/flagger/kustomization.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kube-system
 resources:
+  - namespace.yaml
   - repository.yaml
   - release.yaml

infrastructure/controllers/flagger/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: flagger-system
+  labels:
+    toolkit.fluxcd.io/tenant: sre-team

infrastructure/controllers/flagger/release.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: flagger
+  namespace: flagger-system
+spec:
+  interval: 1h
+  releaseName: flagger
+  install: # override existing Flagger CRDs
+    crds: CreateReplace
+  upgrade: # update Flagger CRDs
+    crds: CreateReplace
+  chart:
+    spec:
+      chart: flagger
+      version: 1.x # update Flagger to the latest minor version
+      interval: 6h # scan for new versions every six hours
+      sourceRef:
+        kind: HelmRepository
+        name: flagger
+      verify: # verify the chart signature with Cosign keyless
+        provider: cosign 
+  values:
+    nodeSelector:
+      kubernetes.io/os: linux

infrastructure/controllers/flagger/repository.yaml

@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: flagger
+  namespace: flagger-system
+spec:
+  interval: 1h
+  url: oci://ghcr.io/fluxcd/charts
+  type: oci

infrastructure/controllers/gateway-api/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml

infrastructure/controllers/kubelet-csr-approver/release.yaml

@@ -1,20 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: kubelet-csr-approver
-  namespace: kube-system
-spec:
-  releaseName: kubelet-csr-approver
-  chart:
-    spec:
-      chart: kubelet-csr-approver
-      sourceRef:
-        kind: HelmRepository
-        name: kubelet-csr-approver
-  values:
-    providerRegex: ^(?:(?:kube|k[038]s))\d+$
-    providerIpPrefixes: 10.100.100.0/24
-    maxExpirationSeconds: 86400
-    bypassDnsResolution: false
-  interval: 1m

infrastructure/controllers/kubelet-csr-approver/repository.yaml

@@ -1,9 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: kubelet-csr-approver
-  namespace: kube-system
-spec:
-  interval: 5m
-  url: https://postfinance.github.io/kubelet-csr-approver

infrastructure/controllers/sealedsecrets/kustomization.yaml

@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.28.0/controller.yaml
+  - https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.29.0/controller.yaml

infrastructure/controllers/traefik/release.yaml

@@ -17,9 +17,6 @@ spec:
     remediation:
       retries: 3
   values:
-    providers.kubernetesIngress.publishedService.enabled: true
+    ingressClass:
-    additionalArguments:
+      enabled: true
-      - --providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik
+      isDefaultClass: false
-    service:
-      spec:
-        externalTrafficPolicy: Local