easylinux/proxmox-tofu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added Kubernetes resources for TLS setup, updated docs

Browse Source
This commit is contained in:
Max Pfeiffer
2026-01-11 10:03:59 +01:00
parent f9b22430f2
commit f8314c84fa
15 changed files with 270 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
README.md
View File

@@ -23,7 +23,7 @@ You need to have installed on your local machine:
* [kubectl](https://kubernetes.io/docs/reference/kubectl/) (for testing and cluster interaction) * [kubectl](https://kubernetes.io/docs/reference/kubectl/) (for testing and cluster interaction)
## Provisioning ## Provisioning
The project is grouped in two sections: The project is grouped in three sections:
* proxmox: provisioning of virtual machines, operating systems and Kubernetes cluster * proxmox: provisioning of virtual machines, operating systems and Kubernetes cluster
* kubernetes: provisioning of Kubernetes cluster resources * kubernetes: provisioning of Kubernetes cluster resources
* argocd: provisioning of Kubernetes resources using GitOps, can be installed with `install_argocd_app_of_apps` flag * argocd: provisioning of Kubernetes resources using GitOps, can be installed with `install_argocd_app_of_apps` flag
@@ -73,7 +73,7 @@ You might need to wait a bit until the nodes come up. Proceed with the next step
state. state.
### Kubernetes ### Kubernetes
Secondly, you can provision the Resources inside the Kubernetes cluster. Here you have a couple of options to choose Secondly, you can provision the resources inside the Kubernetes cluster. You have a couple of options to choose
from. All options can be configured using variables in `configuration.auto.tfvars`: from. All options can be configured using variables in `configuration.auto.tfvars`:
1. **Quick start**: installs Cilium LB config, ArgoCD, Ingress without TLS (default settings) with OpenTofu. [ArgoCD](https://argoproj.github.io/cd/) is 1. **Quick start**: installs Cilium LB config, ArgoCD, Ingress without TLS (default settings) with OpenTofu. [ArgoCD](https://argoproj.github.io/cd/) is
available on http://argocd.local. available on http://argocd.local.
@@ -83,16 +83,7 @@ from. All options can be configured using variables in `configuration.auto.tfvar
* argocd_ingress_enabled = true * argocd_ingress_enabled = true
* install_argocd_app_of_apps = false * install_argocd_app_of_apps = false
* install_argocd_app_of_apps_git_repo_secret = false * install_argocd_app_of_apps_git_repo_secret = false
2. **GitOps quick start**: installs ArgoCD, no Cilium LB config, no Ingress and the Kubernetes resources 2. **GitOps using your own repository**: installs ArgoCD, no Cilium LB config, no Ingress and the Kubernetes resources in
in `argocd` directory (App of Apps) with OpenTofu: cert-manager, Gateway, HTTPRoute, External Secrets Operator etc.
[ArgoCD](https://argoproj.github.io/cd/) is available on https://yourpublicdomain.com:
* install_cilium_lb_config = false
* argocd_domain = "yourpublicdomain.com"
* argocd_server_insecure = true
* argocd_ingress_enabled = false
* install_argocd_app_of_apps = true
* install_argocd_app_of_apps_git_repo_secret = false
3. **GitOps using your own repository**: installs ArgoCD, no Cilium LB config, no Ingress and the Kubernetes resources in
the repository you specify in `argocd_app_of_apps_source`. Credentials for a private repository can be configured the repository you specify in `argocd_app_of_apps_source`. Credentials for a private repository can be configured
and installed with OpenTofu using `install_argocd_app_of_apps_git_repo_secret` and the related variables: and installed with OpenTofu using `install_argocd_app_of_apps_git_repo_secret` and the related variables:
* install_cilium_lb_config = false * install_cilium_lb_config = false
@@ -105,7 +96,12 @@ from. All options can be configured using variables in `configuration.auto.tfvar
* argocd_app_of_apps_git_repo_secret_url = "https://github.com/you/yourrepo.git" * argocd_app_of_apps_git_repo_secret_url = "https://github.com/you/yourrepo.git"
* argocd_app_of_apps_git_repo_secret_password_or_token = "github_pat_OLImf09435459hfjoi9m435298524jtfjn45i8tmnmds329023jdhn" * argocd_app_of_apps_git_repo_secret_password_or_token = "github_pat_OLImf09435459hfjoi9m435298524jtfjn45i8tmnmds329023jdhn"
These are three use cases I envision here. Of course can combine the variables to any other setup which suits your needs. These are two use cases I envision here. Please regard them as examples. Of course, you can combine the variables to
any other setup which suits your needs.
For doing a **GitOps quick start** you can fork this repository and point the `argocd_app_of_apps_source` to the
`argocd` directory of your newly forked repository. This way you can make use of the example Kubernetes resources in
`argocd` directory and edit them to match your infrastructure.
Create a `configuration.auto.tfvars` like so and edit it to your liking: Create a `configuration.auto.tfvars` like so and edit it to your liking:
```shell ```shell
@@ -113,7 +109,7 @@ $ cd kubernetes
$ cope configuration.auto.tfvars.example configuration.auto.tfvars $ cope configuration.auto.tfvars.example configuration.auto.tfvars
$ vim configuration.auto.tfvars $ vim configuration.auto.tfvars
``` ```
Then do the provisiong with OpenTofu: Then do the provisioning with OpenTofu:
```shell ```shell
$ tofu init $ tofu init
$ tofu plan $ tofu plan
@@ -125,13 +121,19 @@ $ kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.p
``` ```
## Roadmap ## Roadmap
My todo list for the GitOps part: Proxmox part:
* add storage options i.e. NFS, Ceph, local * make node resources configurable (CPU, memory, etc.)
* make version upgrades possible for Kubernetes Nodes with OpenTofu
GitOps part:
* add storage options i.e. Ceph, local
* add Keycloak operator and Keycloak instance for SSO * add Keycloak operator and Keycloak instance for SSO
* add Prometheus/Grafana for monitoring * add Prometheus/Grafana for monitoring
* add Alloy/Loki for logging * add Alloy/Loki for logging
* add Velero for disaster recovery * add Velero for disaster recovery
I am happy to receive pull requests for any improvements.
## Information Sources ## Information Sources
* [Talos Linux documentation](https://www.talos.dev/v1.8/) * [Talos Linux documentation](https://www.talos.dev/v1.8/)
* [Talos Linux Image Factory](https://factory.talos.dev/) * [Talos Linux Image Factory](https://factory.talos.dev/)

11
argocd/cluster-resources/cilium-load-balancer-ip-pool.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: cilium.io/v2
kind: CiliumLoadBalancerIPPool
metadata:
name: default
annotations:
argocd.argoproj.io/sync-wave: "-1000"
spec:
blocks:
# Configure your IP pool here
- start: "192.168.10.95"
stop: "192.168.10.99"

23
argocd/cluster-resources/cluster-issuers.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-http01
annotations:
argocd.argoproj.io/sync-wave: "20"
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
# Add your email address here
email: you@yourdomain.com
privateKeySecretRef:
name: letsencrypt-http01-cluster-issuer-account-key
solvers:
- http01:
gatewayHTTPRoute:
parentRefs:
- name: acme
namespace: network
sectionName: http
kind: Gateway
---

18
argocd/cluster-resources/storageclasses.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: csi-nfs
annotations:
argocd.argoproj.io/sync-wave: "-700"
storageclass.kubernetes.io/is-default-class: "true"
provisioner: nfs.csi.k8s.io
parameters:
# Configure you NFS server here
server: "your-nfs-server.com"
share: "/mnt/big-storage-pool/nfs"
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
mountOptions:
- nfsvers=4.1
---

23
argocd/namespaces/argocd/http-routes.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: argocd
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "30"
spec:
parentRefs:
- name: public
namespace: network
sectionName: argocd
hostnames:
# Configure the FQDN for ArgoCD here
- "argocd.yourdomain.com"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: argo-cd-argocd-server
port: 80

2
argocd/namespaces/cert/applications/cert-manager.yaml
View File

@@ -4,7 +4,7 @@ metadata:
name: cert-manager name: cert-manager
namespace: argocd namespace: argocd
annotations: annotations:
argocd.argoproj.io/sync-wave: "100" argocd.argoproj.io/sync-wave: "10"
finalizers: finalizers:
- resources-finalizer.argocd.argoproj.io - resources-finalizer.argocd.argoproj.io
spec: spec:

29
argocd/namespaces/external-secrets/applications/external-secrets-operator.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: external-secrets-operator
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "10"
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: external-secrets
ignoreDifferences:
- group: apiextensions.k8s.io
kind: CustomResourceDefinition
jsonPointers:
- /metadata/annotations
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- ServerSideApply=true
destination:
namespace: external-secrets
server: https://kubernetes.default.svc
source:
chart: external-secrets
repoURL: https://charts.external-secrets.io
targetRevision: 0.19.2

9
argocd/namespaces/external-secrets/namespace.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: Namespace
metadata:
name: external-secrets
annotations:
argocd.argoproj.io/sync-wave: "-1000"
labels:
name: external-secrets
spec: {}

25
argocd/namespaces/external-secrets/project.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: external-secrets
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "-900"
spec:
description: External Secrets
clusterResourceWhitelist:
- group: apiextensions.k8s.io
kind: CustomResourceDefinition
- group: rbac.authorization.k8s.io
kind: ClusterRole
- group: rbac.authorization.k8s.io
kind: ClusterRoleBinding
- group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
- group: external-secrets.io
kind: ClusterSecretStore
sourceRepos:
- '*'
destinations:
- namespace: external-secrets
server: '*'

29
argocd/namespaces/kube-system/applications/csi-driver-nfs.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: csi-driver-nfs
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "-800"
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
syncPolicy:
automated:
prune: true
selfHeal: true
destination:
namespace: kube-system
server: https://kubernetes.default.svc
source:
chart: csi-driver-nfs
repoURL: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
targetRevision: 4.12.1
helm:
valuesObject:
externalSnapshotter:
enabled: true
controller:
runOnControlPlane: true

10
argocd/namespaces/kube-system/cilium-l2-announcement-policy.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: cilium.io/v2alpha1
kind: CiliumL2AnnouncementPolicy
metadata:
name: default
namespace: kube-system
annotations:
argocd.argoproj.io/sync-wave: "-1000"
spec:
externalIPs: true
loadBalancerIPs: true

2
argocd/namespaces/project.yaml
View File

@@ -4,7 +4,7 @@ metadata:
name: cert name: cert
namespace: argocd namespace: argocd
annotations: annotations:
argocd.argoproj.io/sync-wave: "0" argocd.argoproj.io/sync-wave: "-900"
spec: spec:
description: Certs description: Certs
clusterResourceWhitelist: clusterResourceWhitelist:

16
argocd/network/certificates.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: argocd
namespace: network
annotations:
argocd.argoproj.io/sync-wave: "25"
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
secretName: argocd-tls
issuerRef:
name: letsencrypt-http01
kind: ClusterIssuer
dnsNames:
# Configure the FQDN for ArgoCD here
- "argocd.yourdomain.com"

48
argocd/network/gateways.yaml Normal file
View File

@@ -0,0 +1,48 @@
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: acme
namespace: network
annotations:
argocd.argoproj.io/sync-wave: "30"
spec:
gatewayClassName: cilium
addresses:
- type: IPAddress
# Configure your IP address here
value: 192.168.10.96
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: public
namespace: network
annotations:
argocd.argoproj.io/sync-wave: "30"
spec:
gatewayClassName: cilium
addresses:
- type: IPAddress
# Configure your IP address here
value: 192.168.10.97
listeners:
- name: argocd
protocol: HTTPS
port: 443
# Configure the FQDN for ArgoCD here
hostname: "argocd.yourdomain.com"
tls:
mode: Terminate
certificateRefs:
- kind: Secret
name: argocd-tls
allowedRoutes:
namespaces:
from: All

9
argocd/network/namespace.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: Namespace
metadata:
name: network
annotations:
argocd.argoproj.io/sync-wave: "-1000"
labels:
name: network
spec: {}