diff --git a/infra/gcp/terraform/kubernetes-public/iam.tf b/infra/gcp/terraform/kubernetes-public/iam.tf
new file mode 100644
index 00000000000..b5d45f2d9fb
--- /dev/null
+++ b/infra/gcp/terraform/kubernetes-public/iam.tf
@@ -0,0 +1,31 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+module "iam" {
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "~> 7"
+
+ projects = ["kubernetes-public"]
+
+ mode = "authoritative"
+
+ bindings = {
+ "roles/secretmanager.secretAccessor" = [
+ "serviceAccount:kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com",
+ "principal://iam.googleapis.com/projects/16065310909/locations/global/workloadIdentityPools/k8s-infra-prow.svc.id.goog/subject/ns/external-secrets/sa/external-secrets",
+ ]
+ }
+}
diff --git a/kubernetes/apps/README.md b/kubernetes/apps/README.md
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/kubernetes/apps/argocd.yaml b/kubernetes/apps/argocd.yaml
new file mode 100644
index 00000000000..69f73f5304c
--- /dev/null
+++ b/kubernetes/apps/argocd.yaml
@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argocd
+spec:
+ destination:
+ namespace: argocd
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: kubernetes/gke-utility/argocd
+ repoURL: https://github.com/kubernetes/k8s.io
+ targetRevision: main
+ syncPolicy:
+ automated:
+ prune: false
+ selfHeal: true
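Review bot: `mode = "authoritative"` in the `module "iam"` block makes the two listed members the complete set of `roles/secretmanager.secretAccessor` bindings on kubernetes-public, so any grant of that role made elsewhere (console, another Terraform root, or other modules in this repo) is removed on the next apply. If that is intended it deserves a comment above `mode`, e.g. `# authoritative: the members below are the ONLY secretAccessor grants on this project; add new consumers here, not in the console`; otherwise `mode = "additive"` is the safer choice for a shared project. The `principal://` entry would also benefit from a one-line comment naming the cluster it represents, since it references the `k8s-infra-prow.svc.id.goog` pool while the project being granted is kubernetes-public and the identifier is otherwise opaque to the next reader.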
diff --git a/kubernetes/apps/cert-manager.yaml b/kubernetes/apps/cert-manager.yaml
new file mode 100644
index 00000000000..aa70301ded0
--- /dev/null
+++ b/kubernetes/apps/cert-manager.yaml
@@ -0,0 +1,36 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: cert-manager
+spec:
+ goTemplate: true
+ generators:
+ - clusters:
+ selector:
+ matchLabels:
+ clusterType: 'utility'
+ template:
+ metadata:
+ name: 'cert-manager-{{ .name }}'
+ spec:
+ destination:
+ namespace: cert-manager
+ server: "{{ .server }}"
+ project: default
+ sources:
+ - chart: cert-manager
+ repoURL: 'https://charts.jetstack.io'
+ targetRevision: v1.14.5
+ helm:
+ releaseName: cert-manager
+ valueFiles:
+ - $values/kubernetes/{{ .name }}/helm/cert-manager.yaml
+ - repoURL: 'https://github.com/kubernetes/k8s.io.git'
+ targetRevision: main
+ ref: values
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/kubernetes/apps/external-secrets.yaml b/kubernetes/apps/external-secrets.yaml
new file mode 100644
index 00000000000..872cd8b5639
--- /dev/null
+++ b/kubernetes/apps/external-secrets.yaml
@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: external-secrets
+spec:
+ goTemplate: true
+ generators:
+ # targets all clusters
+ - clusters:
+ selector:
+ matchExpressions:
+ - key: clusterType
+ operator: Exists
+ template:
+ metadata:
+ name: 'external-secrets-{{ .name }}'
+ spec:
+ destination:
+ namespace: external-secrets
+ server: "{{ .server }}"
+ project: default
+ sources:
+ - chart: external-secrets
+ repoURL: 'https://charts.external-secrets.io'
+ targetRevision: v0.9.18
+ helm:
+ releaseName: external-secrets
+ parameters:
+ - name: installCRDs
+ value: 'true'
+ - name: serviceAccount.name
+ value: external-secrets
+ valueFiles:
+ - $values/kubernetes/{{ .name }}/helm/external-secrets.yaml
+ - repoURL: 'https://github.com/kubernetes/k8s.io.git'
+ targetRevision: main
+ ref: values
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/kubernetes/apps/ingress-nginx.yaml b/kubernetes/apps/ingress-nginx.yaml
new file mode 100644
index 00000000000..9baa9c0999e
--- /dev/null
+++ b/kubernetes/apps/ingress-nginx.yaml
@@ -0,0 +1,36 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: ingress-nginx
+spec:
+ goTemplate: true
+ generators:
+ - clusters:
+ selector:
+ matchLabels:
+ clusterType: 'utility'
+ template:
+ metadata:
+ name: 'ingress-nginx-{{ .name }}'
+ spec:
+ destination:
+ namespace: ingress-nginx
+ server: "{{ .server }}"
+ project: default
+ sources:
+ - chart: ingress-nginx
+ repoURL: 'https://kubernetes.github.io/ingress-nginx'
+ targetRevision: v4.10.1
+ helm:
+ releaseName: ingress-nginx
+ valueFiles:
+ - $values/kubernetes/{{ .name }}/helm/ingress-nginx.yaml
+ - repoURL: 'https://github.com/kubernetes/k8s.io.git'
+ targetRevision: main
+ ref: values
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/kubernetes/apps/kustomization.yaml b/kubernetes/apps/kustomization.yaml
new file mode 100644
index 00000000000..8844ced602e
--- /dev/null
+++ b/kubernetes/apps/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ # - argocd.yaml This has been manually applied to fix sync issues
+ - external-secrets.yaml
+ - cert-manager.yaml
+ - ingress-nginx.yaml
diff --git a/kubernetes/gke-prow/helm/external-secrets.yaml b/kubernetes/gke-prow/helm/external-secrets.yaml
new file mode 100644
index 00000000000..a9ed7c7045e
--- /dev/null
+++ b/kubernetes/gke-prow/helm/external-secrets.yaml
@@ -0,0 +1,25 @@
+extraObjects:
+ - apiVersion: external-secrets.io/v1beta1
+ kind: ClusterSecretStore
+ metadata:
+ name: k8s-infra-prow
+ spec:
+ provider:
+ gcpsm:
+ projectID: k8s-infra-prow
+ - apiVersion: external-secrets.io/v1beta1
+ kind: ClusterSecretStore
+ metadata:
+ name: kubernetes-public
+ spec:
+ provider:
+ gcpsm:
+ projectID: kubernetes-public
+ - apiVersion: external-secrets.io/v1beta1
+ kind: ClusterSecretStore
+ metadata:
+ name: k8s-infra-prow-build-trusted
+ spec:
+ provider:
+ gcpsm:
+ projectID: k8s-infra-prow-build-trusted
diff --git a/kubernetes/gke-utility/argocd/argocd-cm-rbac.yaml b/kubernetes/gke-utility/argocd/argocd-cm-rbac.yaml
new file mode 100644
index 00000000000..743a37c5fbe
--- /dev/null
+++ b/kubernetes/gke-utility/argocd/argocd-cm-rbac.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-rbac-cm
+data:
+ policy.default: role:readonly
+ policy.csv: |
+ g, kubernetes:sig-k8s-infra-leads, role:admin
+ scopes: '[groups, email]'
diff --git a/kubernetes/gke-utility/argocd/argocd-cm.yaml b/kubernetes/gke-utility/argocd/argocd-cm.yaml
new file mode 100644
index 00000000000..4811fd5887d
--- /dev/null
+++ b/kubernetes/gke-utility/argocd/argocd-cm.yaml
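Review bot: The three `ClusterSecretStore` objects in `extraObjects` of the gke-prow values file carry no `spec.conditions`, so an `ExternalSecret` created in any namespace of the prow cluster can reference them and pull secrets from the `k8s-infra-prow-build-trusted` and `kubernetes-public` projects with the controller's GCP identity. Because the store is cluster-scoped, adding `conditions` (a `namespaces` list or a `namespaceSelector`) that limits each store to the namespaces meant to consume it keeps a mis-scoped or compromised namespace from reaching the trusted projects; the single-store values file for gke-utility later in this diff has the same gap. The `gcpsm` provider here has no `auth` block, so it presumably relies on the external-secrets pod's Workload Identity — a one-line comment stating that and naming the GSA or pool it is expected to map to (`# no auth block: uses the external-secrets pod's Workload Identity`) would spare the next reader guessing how the credential is obtained.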
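Review bot: `policy.default: role:readonly` in `argocd-rbac-cm` makes read-only access the floor for every identity that can log in, which with the Dex GitHub connector configured in `argocd-cm.yaml` is any member of the kubernetes org. If org-wide read access to Applications, repositories and cluster entries is intended, a comment recording the decision would help, e.g. `# every kubernetes org member can log in via Dex; readonly is the intended floor, sig-k8s-infra-leads get admin`; if only the leads team should see the instance, leaving `policy.default` unset denies by default. The `g, kubernetes:sig-k8s-infra-leads, role:admin` line depends on `teamNameField: slug` in the Dex config producing `org:team-slug` group claims — worth a short comment so the two files are not changed independently.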
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cm
+data:
+ url: https://argo.k8s.io
+ application.instanceLabelKey: infra.k8s.io/instance
+ resource.compareoptions: |
+ ignoreAggregatedRoles: true
+ resource.customizations: |
+ admissionregistration.k8s.io/MutatingWebhookConfiguration:
+ ignoreDifferences: |
+ jqPathExpressions:
+ - '.webhooks[]?.clientConfig.caBundle'
+ kustomize.buildOptions: --load-restrictor LoadRestrictionsNone --enable-alpha-plugins
+ dex.config: |
+ connectors:
+ - type: github
+ id: github
+ name: GitHub
+ config:
+ clientID: $dex.github.clientId
+ clientSecret: $dex.github.clientSecret
+ orgs:
+ - name: kubernetes
+ useLoginAsID: true
+ loadAllGroups: true
+ teamNameField: slug
diff --git a/kubernetes/gke-utility/argocd/argocd-sa.yaml b/kubernetes/gke-utility/argocd/argocd-sa.yaml
new file mode 100644
index 00000000000..8a447638b54
--- /dev/null
+++ b/kubernetes/gke-utility/argocd/argocd-sa.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: argocd@k8s-infra-prow.iam.gserviceaccount.com
+ name: argocd-application-controller
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ iam.gke.io/gcp-service-account: argocd@k8s-infra-prow.iam.gserviceaccount.com
+ name: argocd-server
diff --git a/kubernetes/gke-utility/argocd/clusters.yaml b/kubernetes/gke-utility/argocd/clusters.yaml
new file mode 100644
index 00000000000..70500c7692f
--- /dev/null
+++ b/kubernetes/gke-utility/argocd/clusters.yaml
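Review bot: `kustomize.buildOptions: --load-restrictor LoadRestrictionsNone --enable-alpha-plugins` in `argocd-cm` applies repo-server-wide, to every Application this instance renders, and nothing in the manifests on this page uses a kustomize plugin or a reference outside its own directory. `LoadRestrictionsNone` lets any kustomization in a synced repo read files from anywhere in the checkout, and `--enable-alpha-plugins` lets it run plugin binaries on the repo-server, so both flags should be dropped unless a specific Application needs them, in which case a comment naming it (`# LoadRestrictionsNone needed by <app>: <reason>`) belongs above the line. The `dex.config` block reads `$dex.github.clientId` / `$dex.github.clientSecret` from keys of the `argocd-secret` Secret; a comment saying where that Secret is provisioned (an ExternalSecret, presumably, given the rest of this change) would save the next reader a hunt.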
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gke-prow
+ labels:
+ argocd.argoproj.io/secret-type: cluster
+ clusterType: prow
+ environment: prod
+ cloud: gke
+type: Opaque
+stringData:
+ name: gke-prow
+ server: https://10.254.0.18
+ config: |
+ {
+ "execProviderConfig": {
+ "command": "argocd-k8s-auth",
+ "args": ["gcp"],
+ "apiVersion": "client.authentication.k8s.io/v1beta1"
+ },
+ "tlsClientConfig": {
+ "insecure": true
+ }
+ }
+---
diff --git a/kubernetes/gke-utility/argocd/extras.yaml b/kubernetes/gke-utility/argocd/extras.yaml
new file mode 100644
index 00000000000..e064952af78
--- /dev/null
+++ b/kubernetes/gke-utility/argocd/extras.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: kubernetes-repo
+ namespace: argocd
+ labels:
+ argocd.argoproj.io/secret-type: repository
+stringData:
+ url: https://github.com/kubernetes
+ name: kubernetes
+ type: git
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: apps
+spec:
+ destination:
+ namespace: argocd
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: kubernetes/apps
+ repoURL: https://github.com/borg-land/k8s.io
+ targetRevision: utility-dev
+ syncPolicy:
+ automated:
+ prune: false
+ selfHeal: true
diff --git a/kubernetes/gke-utility/argocd/kustomization.yaml b/kubernetes/gke-utility/argocd/kustomization.yaml
new file mode 100644
index 00000000000..c8bb83ff096
--- /dev/null
+++ b/kubernetes/gke-utility/argocd/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argocd
+
+resources:
+- github.com/argoproj/argo-cd/manifests/ha/cluster-install?ref=v2.11.2
+- extras.yaml
+
+patches:
+- path: argocd-cm.yaml
+- path: argocd-cm-rbac.yaml
+- path: argocd-sa.yaml
diff --git a/kubernetes/gke-utility/helm/cert-manager.yaml b/kubernetes/gke-utility/helm/cert-manager.yaml
new file mode 100644
index 00000000000..26c356d8971
--- /dev/null
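Review bot: The `gke-prow` cluster Secret sets `"tlsClientConfig": {"insecure": true}`, which turns off verification of the API server certificate for every connection Argo CD opens to `https://10.254.0.18`, including the ones that present the token obtained by `argocd-k8s-auth gcp`. The cluster CA is available from the GKE API, so the entry should pin it, `"tlsClientConfig": {"caData": "<base64 cluster CA — placeholder>"}`, instead of disabling checks; if the private endpoint's certificate genuinely cannot be validated yet, say so in a comment with the follow-up. The trailing `---` at the end of the file is harmless but suggests a second cluster document was meant to follow — drop it or add the intended entry.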
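Review bot: The root `apps` Application in `extras.yaml` reconciles the utility cluster from `repoURL: https://github.com/borg-land/k8s.io` at `targetRevision: utility-dev`, a fork and a development branch, while `kubernetes/apps/argocd.yaml` and every ApplicationSet in this diff source from `kubernetes/k8s.io` at `main`. Because this Application is the top of the app-of-apps tree with `selfHeal: true`, whatever lands on that fork's branch is what gets deployed; it should point at `https://github.com/kubernetes/k8s.io` / `main` before merge, or carry a `# TODO(<owner>): temporary, switch back to kubernetes/k8s.io main once <condition>` comment so the deviation is not forgotten. The `kubernetes-repo` Secret in the same hunk has no credential keys, so presumably it only registers the org URL for public read access — a one-line comment saying that would avoid the impression that something was left out.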
+++ b/kubernetes/gke-utility/helm/cert-manager.yaml
@@ -0,0 +1,17 @@
+installCRDs: true
+extraObjects:
+ - |
+ apiVersion: cert-manager.io/v1
+ kind: ClusterIssuer
+ metadata:
+ name: letsencrypt-prod
+ spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: sig-k8s-infra-leads+certificates@kubernetes.io
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - http01:
+ ingress:
+ ingressClassName: nginx
diff --git a/kubernetes/gke-utility/helm/external-secrets.yaml b/kubernetes/gke-utility/helm/external-secrets.yaml
new file mode 100644
index 00000000000..df757e7100a
--- /dev/null
+++ b/kubernetes/gke-utility/helm/external-secrets.yaml
@@ -0,0 +1,9 @@
+extraObjects:
+ - apiVersion: external-secrets.io/v1beta1
+ kind: ClusterSecretStore
+ metadata:
+ name: k8s-infra-prow
+ spec:
+ provider:
+ gcpsm:
+ projectID: k8s-infra-prow
diff --git a/kubernetes/gke-utility/helm/ingress-nginx.yaml b/kubernetes/gke-utility/helm/ingress-nginx.yaml
new file mode 100644
index 00000000000..18cea2a6838
--- /dev/null
+++ b/kubernetes/gke-utility/helm/ingress-nginx.yaml
@@ -0,0 +1,12 @@
+controller:
+ publishService:
+ enabled: true
+ service:
+ annotations:
+ networking.gke.io/load-balancer-ip-addresses: utility-ingress-v4,utility-ingress-v6
+ cloud.google.com/l4-rbs: "enabled"
+ externalTrafficPolicy: Local
+ ipFamilyPolicy: RequireDualStack
+ ipFamilies:
+ - IPv6
+ - IPv4