project restructure

kubernetes/apps/capacitor/capacitor.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: capacitor
+  namespace: flux-system
+spec:
+  targetNamespace: flux-system
+  interval: 1h
+  retryInterval: 2m
+  timeout: 5m
+  wait: true
+  prune: true
+  path: "./"
+  sourceRef:
+    kind: OCIRepository
+    name: capacitor

kubernetes/apps/capacitor/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - capacitor.yaml

kubernetes/apps/capacitor/ocirepository.yaml

@@ -0,0 +1,10 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: capacitor
+  namespace: flux-system
+spec:
+  interval: 12h
+  url: oci://ghcr.io/gimlet-io/capacitor-manifests
+  ref:
+    semver: ">=0.1.0"

kubernetes/apps/cert-manager/app/cert-manager-secrets.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cert-manager-secrets
+type: Opaque
+stringData:
+  email: ENC[AES256_GCM,data:CWBTa/CLV0zm+iXsgHCPD5Z3SQ==,iv:fAEIbyjQGlMo6WMzjnTZwIHC4uF/SNKbVV8ipbrKW3U=,tag:y+zkPUEJ0gE2efcxz4ok4g==,type:str]
+  cert-manager-dns01: ENC[AES256_GCM,data:dAWpnTqAFr2WHd83zx+fgij0/phBKsTtQ5sVXGTnG8NX+hhtWNZjRA==,iv:dUnEzF/p2hPlzAkythNpnwFiigWDgFtikopbw4VZec4=,tag:ZdVu+zMbFC24QXylJcOFIg==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1d47q8mlty404pxx378q49hr93aqexca4mkeqtdm00w4gjd09xd0qhxcdcz
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTFNzTWpPMDFPVTM5SkRR
+        d2dZWHNrKzFXa29KSW10MTVyaVJENDFHL3dVClFBWUJMVUVlWlp4c0FRMysvRGFW
+        Z2c5RFlPOXJpaFN4ekE2OTQrK0FWS0UKLS0tIHlESTRCOG1OOVE1V3Qvdm83OExM
+        MEg1WjQ3VVptNEdSWGV6L25yRjBIQ2sKrCPW35t09nMGXAoWuc2WFdsZGgCT8qQW
+        at1j2zrZ0MCD834Fy+mLFYoVmWJMm1fmdmK+upos3lS+BfjT2mEV1A==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-06-10T01:17:17Z"
+  mac: ENC[AES256_GCM,data:njuB3Vjnww581iyVBJEqY5sovvB/pui0IJSPqkkUuSNfQ7FJzYI4PnLTfIUNGFqsxW7VrSP53PZVW0+Yb6ww5FWt7c8TCc7Fi1sogwBNkOozjsWnIJidGTL3EzK9P189SKvnao4goKVNocLGjAtr/ISwzrJxQL2kDXOXca8IIXE=,iv:NXgPVs4OQp9p/PRQA28>
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.8.1
+

kubernetes/apps/cert-manager/cert-manager.yaml

@@ -0,0 +1,54 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager-secrets
+  namespace: flux-system
+spec:
+  interval: 1h
+  path: ./kubernetes//apps/cert-manager/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 1h
+  targetNamespace: cert-manager
+  path: ./kubernetes//templates/apps/cert-manager/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager-issuers
+  namespace: cert-manager
+spec:
+  interval: 1h
+  targetNamespace: cert-manager
+  path: ./kubernetes/templates/apps/cert-manager/issuers
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops
+  dependsOn:
+    - name: cert-manager-secrets
+    - name: cert-manager
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: cert-manager-secrets

kubernetes/apps/cert-manager/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cert-manager.yaml

kubernetes/apps/cilium/cilium.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cilium-networkpolicies
+  namespace: kube-system
+spec:
+  interval: 1h
+  path: ./kubernetes/rpi5-cluster/apps/cilium/networkpolicies
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops

kubernetes/apps/cilium/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cilium.yaml

kubernetes/apps/cilium/networkpolicies/coredns.yaml

@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: coredns
+  namespace: kube-system
+spec:
+  endpointSelector:
+    matchLabels:
+      k8s-app: kube-dns
+  egress:
+    - toEntities:
+        - world
+      toPorts:
+        - ports:
+            - port: "53"
+    - toEntities:
+        - host
+        - remote-node
+      toPorts:
+        - ports:
+            - port: "6443"

kubernetes/apps/cilium/networkpolicies/egress-kube-dns.yaml

@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: egress-kube-dns
+spec:
+  endpointSelector:
+    matchExpressions:
+      - key: rpi5.cluster.policy/egress-kube-dns
+        operator: NotIn
+        values:
+          - "false"
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"

kubernetes/apps/cilium/networkpolicies/egress-kubeapi.yaml

@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: egress-kubeapi
+spec:
+  endpointSelector:
+    matchLabels:
+      rpi5.cluster.policy/egress-kubeapi: "true"
+  egress:
+    - toEntities:
+        - host
+        - remote-node
+      toPorts:
+        - ports:
+            - port: "6443"
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "443"
+            - port: "6443"

kubernetes/apps/cilium/networkpolicies/egress-namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: egress-namespace
+spec:
+  endpointSelector:
+    matchLabels:
+      rpi5.cluster.policy/egress-namespace: "true"
+  egress:
+    - toEndpoints:
+        - {}

kubernetes/apps/cilium/networkpolicies/egress-nodes.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: egress-nodes
+spec:
+  endpointSelector:
+    matchLabels:
+      rpi5.cluster.policy/egress-nodes: "true"
+  egress:
+    - toEntities:
+        - host
+        - remote-node

kubernetes/apps/cilium/networkpolicies/egress-world-with-lan.yaml

@@ -0,0 +1,11 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: egress-world-with-lan
+spec:
+  endpointSelector:
+    matchLabels:
+      rpi5.cluster.policy/egress-world-with-lan: "true"
+  egress:
+    - toCIDRSet:
+        - cidr: 0.0.0.0/0

kubernetes/apps/cilium/networkpolicies/egress-world.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: egress-world
+spec:
+  endpointSelector:
+    matchLabels:
+      rpi5.cluster.policy/egress-world: "true"
+  egress:
+    - toCIDRSet:
+        - cidr: 0.0.0.0/0
+          except:
+            - 192.168.1.0/24
+            - 192.168.2.0/24
+            - 100.64.0.0/10

kubernetes/apps/cilium/networkpolicies/ingress-namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: ingress-namespace
+spec:
+  endpointSelector:
+    matchLabels:
+      rpi5.cluster.policy/ingress-namespace: "true"
+  ingress:
+    - fromEndpoints:
+        - {}

kubernetes/apps/cilium/networkpolicies/ingress-nginx.yaml

@@ -0,0 +1,65 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: ingress-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      rpi5.cluster.policy/ingress-ingress: "true"
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
+            app.kubernetes.io/name: ingress-nginx
+            app.kubernetes.io/component: controller
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: ingress-nginx
+  namespace: ingress-nginx
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: ingress-nginx
+      app.kubernetes.io/component: controller
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            rpi5.cluster.policy/ingress-ingress: "true"
+          matchExpressions:
+            - key: io.kubernetes.pod.namespace
+              operator: Exists
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: egress-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      rpi5.cluster.policy/egress-ingress: "true"
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
+            app.kubernetes.io/name: ingress-nginx
+            app.kubernetes.io/component: controller
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: egress-nginx
+  namespace: ingress-nginx
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: ingress-nginx
+      app.kubernetes.io/component: controller
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            rpi5.cluster.policy/egress-ingress: "true"
+          matchExpressions:
+            - key: io.kubernetes.pod.namespace
+              operator: Exists

kubernetes/apps/cilium/networkpolicies/ingress-nodes.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: ingress-nodes
+spec:
+  endpointSelector:
+    matchLabels:
+      rpi5.cluster.policy/ingress-nodes: "true"
+  ingress:
+    - fromEntities:
+        - host
+        - remote-node

kubernetes/apps/cilium/networkpolicies/ingress-world.yaml

@@ -0,0 +1,11 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: ingress-world
+spec:
+  endpointSelector:
+    matchLabels:
+      rpi5.cluster.policy/ingress-world: "true"
+  ingress:
+    - fromEntities:
+      - world

kubernetes/apps/cilium/networkpolicies/local-path-provisioner.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: local-path-provisioner
+  namespace: kube-system
+spec:
+  endpointSelector:
+    matchLabels:
+      app: local-path-provisioner
+  egress:
+    - toEntities:
+        - host
+        - remote-node
+      toPorts:
+        - ports:
+            - port: "6443"

kubernetes/apps/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./capacitor
+  - ./cert-manager
+  - ./cilium
+  - ./podinfo

kubernetes/apps/podinfo/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - podinfo.yaml

kubernetes/apps/podinfo/podinfo.yaml

@@ -0,0 +1,27 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: podinfo
+  namespace: podinfo
+spec:
+  interval: 5m
+  url: https://github.com/stefanprodan/podinfo
+  ref:
+    branch: master
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: podinfo
+  namespace: podinfo
+spec:
+  interval: 30m0s
+  path: ./kustomize
+  prune: true
+  retryInterval: 2m0s
+  sourceRef:
+    kind: GitRepository
+    name: podinfo
+  targetNamespace: default
+  timeout: 3m0s
+  wait: true