kubernetes · k8s-ci-robot · Aug 15, 2024 · Apr 26, 2024 · Apr 28, 2024 · Apr 28, 2024
diff --git a/infra/gcp/terraform/kubernetes-public/iam.tf b/infra/gcp/terraform/kubernetes-public/iam.tf
@@ -0,0 +1,31 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+module "iam" {
+  source  = "terraform-google-modules/iam/google//modules/projects_iam"
+  version = "~> 7"
+
+  projects = ["kubernetes-public"]
+
+  mode = "authoritative"
+
+  bindings = {
+    "roles/secretmanager.secretAccessor" = [
+      "serviceAccount:kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com",
+      "principal://iam.googleapis.com/projects/16065310909/locations/global/workloadIdentityPools/k8s-infra-prow.svc.id.goog/subject/ns/external-secrets/sa/external-secrets",
+    ]
+  }
+}
diff --git a/kubernetes/apps/README.md b/kubernetes/apps/README.md
diff --git a/kubernetes/apps/argocd.yaml b/kubernetes/apps/argocd.yaml
@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+spec:
+  destination:
+    namespace: argocd
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: kubernetes/gke-utility/argocd
+    repoURL: https://github.com/kubernetes/k8s.io
+    targetRevision: main
+  syncPolicy:
+    automated:
+      prune: false
+      selfHeal: true
diff --git a/kubernetes/apps/cert-manager.yaml b/kubernetes/apps/cert-manager.yaml
@@ -0,0 +1,36 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: cert-manager
+spec:
+  goTemplate: true
+  generators:
+    - clusters:
+        selector:
+          matchLabels:
+            clusterType: 'utility'
+  template:
+    metadata:
+      name: 'cert-manager-{{ .name }}'
+    spec:
+      destination:
+        namespace: cert-manager
+        server: "{{ .server }}"
+      project: default
+      sources:
+        - chart: cert-manager
+          repoURL: 'https://charts.jetstack.io'
+          targetRevision: v1.14.5
+          helm:
+            releaseName: cert-manager
+            valueFiles:
+            - $values/kubernetes/{{ .name }}/helm/cert-manager.yaml
+        - repoURL: 'https://github.com/kubernetes/k8s.io.git'
+          targetRevision: main
+          ref: values
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
diff --git a/kubernetes/apps/external-secrets.yaml b/kubernetes/apps/external-secrets.yaml
@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: external-secrets
+spec:
+  goTemplate: true
+  generators:
+    # targets all clusters
+    - clusters:
+        selector:
+          matchExpressions:
+            - key: clusterType
+              operator: Exists
+  template:
+    metadata:
+      name: 'external-secrets-{{ .name }}'
+    spec:
+      destination:
+        namespace: external-secrets
+        server: "{{ .server }}"
+      project: default
+      sources:
+        - chart: external-secrets
+          repoURL: 'https://charts.external-secrets.io'
+          targetRevision: v0.9.18
+          helm:
+            releaseName: external-secrets
+            parameters:
+              - name: installCRDs
+                value: 'true'
+              - name: serviceAccount.name
+                value: external-secrets
+            valueFiles:
+            - $values/kubernetes/{{ .name }}/helm/external-secrets.yaml
+        - repoURL: 'https://github.com/kubernetes/k8s.io.git'
+          targetRevision: main
+          ref: values
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
diff --git a/kubernetes/apps/ingress-nginx.yaml b/kubernetes/apps/ingress-nginx.yaml
@@ -0,0 +1,36 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: ingress-nginx
+spec:
+  goTemplate: true
+  generators:
+    - clusters:
+        selector:
+          matchLabels:
+            clusterType: 'utility'
+  template:
+    metadata:
+      name: 'ingress-nginx-{{ .name }}'
+    spec:
+      destination:
+        namespace: ingress-nginx
+        server: "{{ .server }}"
+      project: default
+      sources:
+        - chart: ingress-nginx
+          repoURL: 'https://kubernetes.github.io/ingress-nginx'
+          targetRevision: v4.10.1
+          helm:
+            releaseName: ingress-nginx
+            valueFiles:
+            - $values/kubernetes/{{ .name }}/helm/ingress-nginx.yaml
+        - repoURL: 'https://github.com/kubernetes/k8s.io.git'
+          targetRevision: main
+          ref: values
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=true
diff --git a/kubernetes/apps/kustomization.yaml b/kubernetes/apps/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # - argocd.yaml This has been manually applied to fix sync issues
+  - external-secrets.yaml
+  - cert-manager.yaml
+  - ingress-nginx.yaml
diff --git a/kubernetes/gke-prow/helm/external-secrets.yaml b/kubernetes/gke-prow/helm/external-secrets.yaml
@@ -0,0 +1,25 @@
+extraObjects:
+ -  apiVersion: external-secrets.io/v1beta1
+    kind: ClusterSecretStore
+    metadata:
+      name: k8s-infra-prow
+    spec:
+      provider:
+        gcpsm:
+          projectID: k8s-infra-prow
+ -  apiVersion: external-secrets.io/v1beta1
+    kind: ClusterSecretStore
+    metadata:
+      name: kubernetes-public
+    spec:
+      provider:
+        gcpsm:
+          projectID: kubernetes-public
+ -  apiVersion: external-secrets.io/v1beta1
+    kind: ClusterSecretStore
+    metadata:
+      name: k8s-infra-prow-build-trusted
+    spec:
+      provider:
+        gcpsm:
+          projectID: k8s-infra-prow-build-trusted
diff --git a/kubernetes/gke-utility/argocd/argocd-cm-rbac.yaml b/kubernetes/gke-utility/argocd/argocd-cm-rbac.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+data:
+  policy.default: role:readonly
+  policy.csv: |
+    g, kubernetes:sig-k8s-infra-leads, role:admin
+  scopes: '[groups, email]'
diff --git a/kubernetes/gke-utility/argocd/argocd-cm.yaml b/kubernetes/gke-utility/argocd/argocd-cm.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+data:
+  url: https://argo.k8s.io
+  application.instanceLabelKey: infra.k8s.io/instance
+  resource.compareoptions: |
+    ignoreAggregatedRoles: true
+  resource.customizations: |
+    admissionregistration.k8s.io/MutatingWebhookConfiguration:
+      ignoreDifferences: |
+        jqPathExpressions:
+        - '.webhooks[]?.clientConfig.caBundle'
+  kustomize.buildOptions: --load-restrictor LoadRestrictionsNone --enable-alpha-plugins
+  dex.config: |
+    connectors:
+      - type: github
+        id: github
+        name: GitHub
+        config:
+          clientID: $dex.github.clientId
+          clientSecret: $dex.github.clientSecret
+          orgs:
+          - name: kubernetes
+          useLoginAsID: true
+          loadAllGroups: true
+          teamNameField: slug
diff --git a/kubernetes/gke-utility/argocd/argocd-sa.yaml b/kubernetes/gke-utility/argocd/argocd-sa.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: argocd@k8s-infra-prow.iam.gserviceaccount.com
+  name: argocd-application-controller
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    iam.gke.io/gcp-service-account: argocd@k8s-infra-prow.iam.gserviceaccount.com
+  name: argocd-server
diff --git a/kubernetes/gke-utility/argocd/clusters.yaml b/kubernetes/gke-utility/argocd/clusters.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gke-prow
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+    clusterType: prow
+    environment: prod
+    cloud: gke
+type: Opaque
+stringData:
+  name: gke-prow
+  server: https://10.254.0.18
+  config: |
+    {
+      "execProviderConfig": {
+        "command": "argocd-k8s-auth",
+        "args": ["gcp"],
+        "apiVersion": "client.authentication.k8s.io/v1beta1"
+      },
+      "tlsClientConfig": {
+        "insecure": true
+      }
+    }
+---
diff --git a/kubernetes/gke-utility/argocd/extras.yaml b/kubernetes/gke-utility/argocd/extras.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubernetes-repo
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repository
+stringData:
+  url: https://github.com/kubernetes
+  name: kubernetes
+  type: git
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: apps
+spec:
+  destination:
+    namespace: argocd
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: kubernetes/apps
+    repoURL: https://github.com/borg-land/k8s.io
+    targetRevision: utility-dev
+  syncPolicy:
+    automated:
+      prune: false
+      selfHeal: true
diff --git a/kubernetes/gke-utility/argocd/kustomization.yaml b/kubernetes/gke-utility/argocd/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argocd
+
+resources:
+- github.com/argoproj/argo-cd/manifests/ha/cluster-install?ref=v2.11.2
+- extras.yaml
+
+patches:
+- path: argocd-cm.yaml
+- path: argocd-cm-rbac.yaml
+- path: argocd-sa.yaml
diff --git a/kubernetes/gke-utility/helm/cert-manager.yaml b/kubernetes/gke-utility/helm/cert-manager.yaml
@@ -0,0 +1,17 @@
+installCRDs: true
+extraObjects:
+  - |
+    apiVersion: cert-manager.io/v1
+    kind: ClusterIssuer
+    metadata:
+      name: letsencrypt-prod
+    spec:
+      acme:
+        server: https://acme-v02.api.letsencrypt.org/directory
+        email: sig-k8s-infra-leads+certificates@kubernetes.io
+        privateKeySecretRef:
+          name: letsencrypt-prod
+        solvers:
+          - http01:
+              ingress:
+                ingressClassName: nginx
diff --git a/kubernetes/gke-utility/helm/external-secrets.yaml b/kubernetes/gke-utility/helm/external-secrets.yaml
@@ -0,0 +1,9 @@
+extraObjects:
+ -  apiVersion: external-secrets.io/v1beta1
+    kind: ClusterSecretStore
+    metadata:
+      name: k8s-infra-prow
+    spec:
+      provider:
+        gcpsm:
+          projectID: k8s-infra-prow
diff --git a/kubernetes/gke-utility/helm/ingress-nginx.yaml b/kubernetes/gke-utility/helm/ingress-nginx.yaml
@@ -0,0 +1,12 @@
+controller:
+  publishService:
+    enabled: true
+  service:
+    annotations:
+      networking.gke.io/load-balancer-ip-addresses: utility-ingress-v4,utility-ingress-v6
+      cloud.google.com/l4-rbs: "enabled"
+    externalTrafficPolicy: Local
+    ipFamilyPolicy: RequireDualStack
+    ipFamilies:
+      - IPv6
+      - IPv4