cleanup, separate some apps

Makefile

@@ -9,16 +9,20 @@ KUBECTLAPPLYFLAGS = -l managed-by=kustomize --prune
 SRC := $(shell find kustomize/ -type f)
 OUTDIR = build
 
+# all environments
+KUSTOMIZEDIRALL =  kustomize/environment/all
+KUSTOMIZEOUTALL = $(OUTDIR)/all/manifest.yaml
+
 ifeq ($(environment),prod)
 	# prod
 	KUSTOMIZEDIR = kustomize/environment/prod
-	KUSTOMIZEOUT = $(OUTDIR)/prod/out.yaml
+	KUSTOMIZEOUT = $(OUTDIR)/prod/manifest.yaml
 else
 	# dev
 	environment = dev
 	KUBECTLFLAGS += --kubeconfig kubectl/kubeconfig.yaml
 	KUSTOMIZEDIR = kustomize/environment/dev
-	KUSTOMIZEOUT = $(OUTDIR)/dev/out.yaml
+	KUSTOMIZEOUT = $(OUTDIR)/dev/manifest.yaml
 endif
 
 .PHONY: info clean diff apply
@@ -32,7 +36,9 @@ clean:
 	rm -r $(OUTDIR)
 
 $(KUSTOMIZEOUT): $(SRC)
+	@mkdir -p $(dir $(KUSTOMIZEOUTALL))
 	@mkdir -p $(dir $(KUSTOMIZEOUT))
+	$(KUSTOMIZE) build $(KUSTOMIZEFLAGS) $(KUSTOMIZEDIRALL) >$(KUSTOMIZEOUTALL) || (rm $(KUSTOMIZEOUTALL); exit 1)
 	$(KUSTOMIZE) build $(KUSTOMIZEFLAGS) $(KUSTOMIZEDIR) >$(KUSTOMIZEOUT) || (rm $(KUSTOMIZEOUT); exit 1)
 
 diff: $(KUSTOMIZEOUT)

docker-compose.yml

@@ -1,39 +1,50 @@
 version: '3'
 services:
+  # startup:
+  #   image: bash:5
+  #   command: -xe /host/startup.sh
+  #   volumes:
+  #     - manifests:/manifests
+  #     - .:/host:ro
   server:
-    image: "rancher/k3s"
+    image: rancher/k3s
     restart: always
     command: server --disable traefik --disable local-storage --kubelet-arg authentication-token-webhook --kubelet-arg authorization-mode=Webhook
     tmpfs:
-    - /run
-    - /var/run
+      - /run
+      - /var/run
     privileged: true
     environment:
-    - K3S_CLUSTER_SECRET=${K3S_CLUSTER_SECRET:-replaceme}
-    - K3S_KUBECONFIG_OUTPUT=/host/kubectl/kubeconfig.yaml
-    - K3S_KUBECONFIG_MODE=666
+      - K3S_CLUSTER_SECRET=${K3S_CLUSTER_SECRET:-replaceme}
+      - K3S_KUBECONFIG_OUTPUT=/host/kubectl/kubeconfig.yaml
+      - K3S_KUBECONFIG_MODE=666
     volumes:
-    - k3s_data:/var/lib/rancher/k3s
-    - nfs_data:/srv/nfs
-    - .:/host
+      - k3s_data:/var/lib/rancher/k3s
+      - nfs_data:/srv/nfs
+      - manifests:/var/lib/rancher/k3s/server/manifests/manifests:ro
+      - .:/host
     ports:
       - 80:30080
       - 443:30443
       - 6443:6443
   agent:
-    image: "rancher/k3s"
+    image: rancher/k3s
     restart: always
     command: agent --kubelet-arg authentication-token-webhook --kubelet-arg authorization-mode=Webhook
     tmpfs:
-    - /run
-    - /var/run
+      - /run
+      - /var/run
     privileged: true
     environment:
-    - K3S_URL=https://server:6443
-    - K3S_CLUSTER_SECRET=${K3S_CLUSTER_SECRET:-replaceme}
+      - K3S_URL=https://server:6443
+      - K3S_CLUSTER_SECRET=${K3S_CLUSTER_SECRET:-replaceme}
     volumes:
       - nfs_data:/srv/nfs
 
 volumes:
   k3s_data:
-  nfs_data:
+  nfs_data:
+  manifests:
+    driver_opts:
+      type: tmpfs
+      device: tmpfs

kustomize/base/gitea/drone-runner-deployment.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: drone-runner-deployment
+  name: drone-runner
   labels:
     app: drone
     component: runner

kustomize/base/gitea/drone-server-deployment.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: drone-server-deployment
+  name: drone-server
   labels:
     app: drone
     component: server
@@ -62,7 +62,7 @@ spec:
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
-  name: drone-ingress
+  name: drone
   labels:
     app: drone
   annotations:

kustomize/base/gitea/gitea-deployment.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: gitea-deployment
+  name: gitea
   labels:
     app: gitea
 spec:
@@ -113,7 +113,7 @@ spec:
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
-  name: gitea-ingress
+  name: gitea
   labels:
     app: gitea
   annotations:

kustomize/base/gitea/kustomization.yaml

@@ -32,13 +32,13 @@ vars:
     objref:
       apiVersion: networking.k8s.io/v1beta1
       kind: Ingress
-      name: gitea-ingress
+      name: gitea
     fieldref:
       fieldpath: spec.rules[0].host
   - name: DRONE_EXTERNAL_HOST
     objref:
       apiVersion: networking.k8s.io/v1beta1
       kind: Ingress
-      name: drone-ingress
+      name: drone
     fieldref:
       fieldpath: spec.rules[0].host

kustomize/base/ingress-nginx/kustomization.yaml

@@ -2,8 +2,8 @@ generators:
   - nginx-ingress-controller.yaml
 
 patchesStrategicMerge:
-  - nodeselector-patch.yaml
-  - nodeport-patch.yaml
+  - nginx-ingress-controller-nodeselector-patch.yaml
+  - nginx-ingress-controller-nodeport-patch.yaml
 
 namespace: ingress-nginx
 

kustomize/base/kubernetes-dashboard/kubernetes-dashboard-ingress.yaml

@@ -1,7 +1,7 @@
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
-  name: kubernetes-dashboard-ingress
+  name: kubernetes-dashboard
   labels:
     app: kubernetes-dashboard
   annotations:

kustomize/base/kubernetes-dashboard/kustomization.yaml

@@ -1,6 +1,6 @@
 resources:
-  - admin-user.yaml
-  - ingress.yaml
+  - kubernetes-dashboard-admin-user.yaml
+  - kubernetes-dashboard-ingress.yaml
 
 generators:
   - kubernetes-dashboard.yaml

kustomize/base/mariadb/mariadb-statefulset.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  name: mariadb-statefulset
+  name: mariadb
 spec:
   selector:
     matchLabels:

kustomize/base/monitoring/grafana/grafana-deployment.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: grafana-deployment
+  name: grafana
 spec:
   selector:
     matchLabels:
@@ -65,7 +65,7 @@ spec:
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
-  name: grafana-ingress
+  name: grafana
   annotations:
     nginx.ingress.kubernetes.io/rewrite-target: /
     cert-manager.io/cluster-issuer: letsencrypt

kustomize/base/monitoring/prometheus/prometheus-crd.yaml

@@ -32,7 +32,7 @@ spec:
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
-  name: prometheus-ingress
+  name: prometheus
   annotations:
     nginx.ingress.kubernetes.io/rewrite-target: /
     cert-manager.io/cluster-issuer: letsencrypt

kustomize/base/nextcloud/nextcloud-deployment.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: nextcloud-deployment
+  name: nextcloud
   labels:
     app: nextcloud
 spec:
@@ -78,7 +78,7 @@ spec:
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
-  name: nextcloud-ingress
+  name: nextcloud
   labels:
     app: nextcloud
   annotations:

kustomize/base/nfs-provisionner/kustomization.yaml

@@ -1,5 +1,5 @@
 resources:
-  - storageclass.yaml
+  - nfs-provisionner-storageclass.yaml
 
 generators:
   - nfs-provisionner.yaml
@@ -7,4 +7,4 @@ generators:
 namespace: kube-system
 
 patchesStrategicMerge:
-  - deployment-patch.yaml
+  - nfs-provisionner-deployment-patch.yaml

kustomize/environment/all/kustomization.yaml

@@ -0,0 +1,8 @@
+bases:
+  - ../../base/nfs-provisionner
+  - ../../base/ingress-nginx
+  - ../../base/cert-manager
+
+# allow "kubectl apply -l managed-by=k3s --prune ..."
+commonlabels:
+  managed-by: k3s

kustomize/environment/dev/kustomization.yaml

@@ -1,7 +1,4 @@
 bases:
-  - ../../base/nfs-provisionner
-  - ../../base/ingress-nginx
-  - ../../base/cert-manager
   - ../../base/kubernetes-dashboard
   - ../../base/gitea
   - ../../base/nextcloud
@@ -30,7 +27,7 @@ patchesJson6902:
       group: networking.k8s.io
       version: v1beta1
       kind: Ingress
-      name: kubernetes-dashboard-ingress
+      name: kubernetes-dashboard
     patch: |-
       - op: replace
         path: /spec/tls/0/hosts/0
@@ -40,7 +37,7 @@ patchesJson6902:
         value: kubernetes-dashboard.staging.badjware.dev
   - target:
       <<: *ingress_target
-      name: prometheus-ingress
+      name: prometheus
     patch: |-
       - op: replace
         path: /spec/tls/0/hosts/0
@@ -50,7 +47,7 @@ patchesJson6902:
         value: prometheus.staging.badjware.dev
   - target:
       <<: *ingress_target
-      name: grafana-ingress
+      name: grafana
     patch: |-
       - op: replace
         path: /spec/tls/0/hosts/0
@@ -60,7 +57,7 @@ patchesJson6902:
         value: grafana.staging.badjware.dev
   - target:
       <<: *ingress_target
-      name: nextcloud-ingress
+      name: nextcloud
     patch: |-
       - op: replace
         path: /spec/tls/0/hosts/0
@@ -70,7 +67,7 @@ patchesJson6902:
         value: nextcloud.staging.badjware.dev
   - target:
       <<: *ingress_target
-      name: gitea-ingress
+      name: gitea
     patch: |-
       - op: replace
         path: /spec/tls/0/hosts/0
@@ -80,7 +77,7 @@ patchesJson6902:
         value: gitea.staging.badjware.dev
   - target:
       <<: *ingress_target
-      name: drone-ingress
+      name: drone
     patch: |-
       - op: replace
         path: /spec/tls/0/hosts/0

kustomize/environment/prod/cert-manager/clusterissuer.yaml

@@ -0,0 +1,25 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+  namespace: cert-manager
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: marchambault@badjware.dev
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: letsencrypt-cert
+    solvers:
+      - selector:
+          dnsZones:
+          - badjware.dev
+        dns01: 
+          cnameStrategy: Follow
+          digitalocean:
+            tokenSecretRef:
+              name: digitalocean-api-key
+              key: access-token

kustomize/environment/prod/cert-manager/kustomizeconfig.yaml

@@ -0,0 +1,6 @@
+nameReference:
+  - version: v1
+    kind: Secret
+    fieldSpecs:
+      - kind: ClusterIssuer
+        path: spec/acme/solvers/dns01/digitalocean/tokenSecretRef/name

startup.sh

@@ -0,0 +1,2 @@
+#/bin/bash
+cp /host/build/all/* /manifests