feat: migrate GCP account and update cluster (#28)

* add gcp infra for remote-state and user access

Signed-off-by: Alexandre Gaudreault <[email protected]>

* add gke and networking

Signed-off-by: Alexandre Gaudreault <[email protected]>

* update cert-manager

Signed-off-by: Alexandre Gaudreault <[email protected]>

* update ingress to use ingressClassName

Signed-off-by: Alexandre Gaudreault <[email protected]>

* kustomize fix

Signed-off-by: Alexandre Gaudreault <[email protected]>

* add dns and external-dns

Signed-off-by: Alexandre Gaudreault <[email protected]>

* info logs

Signed-off-by: Alexandre Gaudreault <[email protected]>

* add external-dns to argo

Signed-off-by: Alexandre Gaudreault <[email protected]>

* fix Jenkins sync

Signed-off-by: Alexandre Gaudreault <[email protected]>

* update jenkins to v2

Signed-off-by: Alexandre Gaudreault <[email protected]>

* update cert-manager resources

Signed-off-by: Alexandre Gaudreault <[email protected]>

* missing one

Signed-off-by: Alexandre Gaudreault <[email protected]>

* update prometheus

Signed-off-by: Alexandre Gaudreault <[email protected]>

* update upstream

Signed-off-by: Alexandre Gaudreault <[email protected]>

* fix prometheus sync crds

Signed-off-by: Alexandre Gaudreault <[email protected]>

* update istio

Signed-off-by: Alexandre Gaudreault <[email protected]>

* fix governor

Signed-off-by: Alexandre Gaudreault <[email protected]>

* fix cert-manager

Signed-off-by: Alexandre Gaudreault <[email protected]>

* update rollout

Signed-off-by: Alexandre Gaudreault <[email protected]>

* fix ingress and use less resources

Signed-off-by: Alexandre Gaudreault <[email protected]>

* remove Jenkins

Signed-off-by: Alexandre Gaudreault <[email protected]>

* update governor image

Signed-off-by: Alexandre Gaudreault <[email protected]>

* refactor argo-events

Signed-off-by: Alexandre Gaudreault <[email protected]>

* update dex to newer version

Signed-off-by: Alexandre Gaudreault <[email protected]>

* fix cert-manager wrong namespace

Signed-off-by: Alexandre Gaudreault <[email protected]>

* prometheus deployment doc

Signed-off-by: Alexandre Gaudreault <[email protected]>

* update issuer email

Signed-off-by: Alexandre Gaudreault <[email protected]>

* add dex config

Signed-off-by: Alexandre Gaudreault <[email protected]>

* dex docs

Signed-off-by: Alexandre Gaudreault <[email protected]>

* dns setup

Signed-off-by: Alexandre Gaudreault <[email protected]>

* fix image name for governor

Signed-off-by: Alexandre Gaudreault <[email protected]>

* add argocd auth secret

Signed-off-by: Alexandre Gaudreault <[email protected]>

* update argo base

Signed-off-by: Alexandre Gaudreault <[email protected]>

* revert secret in app

Signed-off-by: Alexandre Gaudreault <[email protected]>

* argocd rbac as code

Signed-off-by: Alexandre Gaudreault <[email protected]>

* fix argo dex config

Signed-off-by: Alexandre Gaudreault <[email protected]>

* add external-dns app

Signed-off-by: Alexandre Gaudreault <[email protected]>

* remove dns logging

Signed-off-by: Alexandre Gaudreault <[email protected]>

* add codeowners

Signed-off-by: Alexandre Gaudreault <[email protected]>

* add docs about workflow secrets

Signed-off-by: Alexandre Gaudreault <[email protected]>

* dex HA-er

Signed-off-by: Alexandre Gaudreault <[email protected]>

* add service account token for workflow

Signed-off-by: Alexandre Gaudreault <[email protected]>

* fix kustomize for workflow

Signed-off-by: Alexandre Gaudreault <[email protected]>

* dex would need a shared state to be HA

Signed-off-by: Alexandre Gaudreault <[email protected]>

* add missing default token for workflows rbac

Signed-off-by: Alexandre Gaudreault <[email protected]>

* typo

Signed-off-by: Alexandre Gaudreault <[email protected]>

* use another sa as default login

Signed-off-by: Alexandre Gaudreault <[email protected]>

* workflow: add real read-only role

Signed-off-by: Alexandre Gaudreault <[email protected]>

* split workflows in 2 folder to make it easier to follow

Signed-off-by: Alexandre Gaudreault <[email protected]>

* use proper namespace

Signed-off-by: Alexandre Gaudreault <[email protected]>

* fix

Signed-off-by: Alexandre Gaudreault <[email protected]>

* workflow split namespace

Signed-off-by: Alexandre Gaudreault <[email protected]>

* switch to clusterRole for multi-ns binding

Signed-off-by: Alexandre Gaudreault <[email protected]>

* move sa to playground ns

Signed-off-by: Alexandre Gaudreault <[email protected]>

* update binding

Signed-off-by: Alexandre Gaudreault <[email protected]>

* workflow token not necessary

Signed-off-by: Alexandre Gaudreault <[email protected]>

* move artifact config in ns

Signed-off-by: Alexandre Gaudreault <[email protected]>

* move auth to managed namespace... weird

Signed-off-by: Alexandre Gaudreault <[email protected]>

* move events to playground. does not seem to support split controller

Signed-off-by: Alexandre Gaudreault <[email protected]>

* manifest have namespace hardcoded

Signed-off-by: Alexandre Gaudreault <[email protected]>

* base apps

Signed-off-by: Alexandre Gaudreault <[email protected]>

* reorder

Signed-off-by: Alexandre Gaudreault <[email protected]>

* Update docs & code review

Signed-off-by: Alexandre Gaudreault <[email protected]>

---------

Signed-off-by: Alexandre Gaudreault <[email protected]>

.github/CODEOWNERS

@@ -0,0 +1,4 @@
+# # Infrastructure
+# /infrastructure/                                      @agaudreault @leoluz
+# /argocd/overlays/production/argocd-rbac-cm.yaml       @agaudreault @leoluz
+# /external-dns/values.yaml                             @agaudreault @leoluz

argo-events/kustomization.yaml

@@ -4,10 +4,10 @@ kind: Kustomization
 resources:
   - https://github.com/argoproj/argo-events/manifests/namespace-install
   - https://raw.githubusercontent.com/argoproj/argo-events/master/examples/eventbus/native.yaml
-  - operate-workflow-sa.yaml
-  - operate-wf-rbac.yaml
-  - calendar-eventsource.yaml
-  - workflow-sensor.yaml
-  - log-sensor.yaml
+  - base/operate-workflow-sa.yaml
+  - base/operate-wf-rbac.yaml
+  - base/calendar-eventsource.yaml
+  - base/workflow-sensor.yaml
+  - base/log-sensor.yaml
 
-namespace: argo
+namespace: workflow-playground

argo-rollouts/kustomization.yaml

@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- https://github.com/argoproj/argo-rollouts/releases/download/v1.1.1/install.yaml
+  - https://github.com/argoproj/argo-rollouts/releases/download/v1.6.6/install.yaml

argo-workflows/README.md

@@ -0,0 +1,10 @@
+# Argo Workflows
+
+### Initial deployment
+
+You currently have to create secrets manually
+
+```
+kubectl apply -n argo -f resources/argo-server-sso-secret.yaml
+kubectl apply -n argo -f resources/argo-workflows-webhook-clients-secret.yaml
+```

argo-workflows/kustomization.yaml

@@ -2,40 +2,46 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - resources/argo-ns.yaml
   - https://github.com/argoproj/argo-workflows/manifests/namespace-install
-  - https://github.com/argoproj/argo-workflows/manifests/quick-start/base/minio
-  - https://raw.githubusercontent.com/argoproj/argo-workflows/master/manifests/quick-start/base/artifact-repositories-configmap.yaml
+  - resources/argo-ns.yaml
+  - resources/argo-rolebinding.yaml
   - resources/argo-server-ingress.yaml
+  - resources/argo-server-rolebinding.yaml
   - resources/argo-workflows-certificate.yaml
   - resources/argo-workflows-issuer.yaml
-  - resources/coinflip-workflowtemplate.yaml
-  - resources/coinflip-cronworkflow.yaml
-  - resources/workflow-role.yaml
-  - resources/workflow-sa.yaml
-  - resources/workflow-rolebinding.yaml
-  - resources/read-write-role.yaml
-  - resources/read-write-sa.yaml
-  - resources/read-write-rolebinding.yaml
-  - resources/submit-workflow-template-role.yaml
-  - resources/github.com-sa.yaml
-  - resources/github.com-rolebinding.yaml
-  - resources/github-event-workflowtemplate.yaml
-  - resources/event-consumer-workfloweventbinding.yaml
   - resources/workflow-count-resourcequota.yaml
-  - https://raw.githubusercontent.com/argoproj-labs/argo-workflows-catalog/master/templates/buildkit/manifests.yaml
-  - https://raw.githubusercontent.com/argoproj-labs/argo-workflows-catalog/master/templates/slack/manifests.yaml
-  - https://raw.githubusercontent.com/argoproj-labs/argo-workflows-catalog/master/templates/sendmail/manifests.yaml
-  - https://raw.githubusercontent.com/argoproj-labs/argo-workflows-catalog/master/templates/distro/manifests.yaml
-  - https://raw.githubusercontent.com/argoproj/argo-workflows/master/examples/artifacts-workflowtemplate.yaml
-  - resources/artifacts-cronworkflow.yaml
-  - https://raw.githubusercontent.com/argoproj/argo-workflows/master/examples/ci-workflowtemplate.yaml
-  - resources/ci-cronworkflow.yaml
-
-patchesStrategicMerge:
-  - overlays/workflow-controller-configmap.yaml
-  - overlays/argo-server-role.yaml
-  - overlays/argo-server-sa.yaml
-  - overlays/argo-server-deploy.yaml
+  - resources/rbac/read-only-clusterrole.yaml
+  - resources/rbac/read-only-namespaced-clusterrole.yaml
+  - resources/rbac/read-write-namespaced-clusterrole.yaml
 
-namespace: argo
+patches:
+  - path: overlays/argo-server-deploy.yaml
+  - path: overlays/argo-server-sa.yaml
+  - path: overlays/workflow-controller-configmap.yaml
+  - path: overlays/workflow-controller-deploy.yaml
+  - path: overlays/argo-role.yaml
+    options:
+      allowKindChange: true
+      allowNameChange: true
+    target:
+      group: rbac.authorization.k8s.io
+      kind: Role
+      name: argo-role
+  - path: overlays/argo-rolebinding.yaml
+    target:
+      group: rbac.authorization.k8s.io
+      kind: RoleBinding
+      name: argo-binding
+  - path: overlays/argo-server-role.yaml
+    options:
+      allowKindChange: true
+      allowNameChange: true
+    target:
+      group: rbac.authorization.k8s.io
+      kind: Role
+      name: argo-server-role
+  - path: overlays/argo-server-rolebinding.yaml
+    target:
+      group: rbac.authorization.k8s.io
+      kind: RoleBinding
+      name: argo-server-binding

argo-workflows/overlays/argo-role.yaml

@@ -0,0 +1,6 @@
+- op: replace
+  path: /kind
+  value: ClusterRole
+- op: replace
+  path: /metadata/name
+  value: argo-workflows-argo-role

argo-workflows/overlays/argo-rolebinding.yaml

@@ -0,0 +1,6 @@
+- op: replace
+  path: /roleRef/kind
+  value: ClusterRole
+- op: replace
+  path: /roleRef/name
+  value: argo-workflows-argo-role

argo-workflows/overlays/argo-server-deploy.yaml

@@ -12,6 +12,8 @@ spec:
           args:
             - server
             - --namespaced
+            - --managed-namespace
+            - workflow-playground
             - --auth-mode=sso
             - --auth-mode=client
             - --x-frame-options=SAMEORIGIN

argo-workflows/overlays/argo-server-role.yaml

@@ -1,61 +1,6 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: argo-server-role
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - configmaps
-    verbs:
-      - get
-      - watch
-      - list
-  - apiGroups:
-      - ''
-    resources:
-      - secrets
-    verbs:
-      - get
-      - create
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - pods
-      - pods/exec
-      - pods/log
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - events
-    verbs:
-      - patch
-      - watch
-  - apiGroups:
-      - ''
-    resources:
-      - serviceaccounts
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - argoproj.io
-    resources:
-      - eventsources
-      - sensors
-      - workflows
-      - workfloweventbindings
-      - workflowtemplates
-      - cronworkflows
-      - cronworkflows/finalizers
-    verbs:
-      - get
-      - list
-      - watch
+- op: replace
+  path: /kind
+  value: ClusterRole
+- op: replace
+  path: /metadata/name
+  value: argo-workflows-argo-server-role

argo-workflows/overlays/argo-server-rolebinding.yaml

@@ -0,0 +1,6 @@
+- op: replace
+  path: /roleRef/kind
+  value: ClusterRole
+- op: replace
+  path: /roleRef/name
+  value: argo-workflows-argo-server-role

argo-workflows/overlays/argo-server-sa.yaml

@@ -2,5 +2,3 @@ kind: ServiceAccount
 apiVersion: v1
 metadata:
   name: argo-server
-  annotations:
-    workflows.argoproj.io/rbac-rule: "true"

argo-workflows/overlays/workflow-controller-deploy.yaml

@@ -0,0 +1,13 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workflow-controller
+spec:
+  template:
+    spec:
+      containers:
+        - name: workflow-controller
+          args:
+            - --namespaced
+            - --managed-namespace
+            - workflow-playground

argo-workflows/resources/argo-rolebinding.yaml

@@ -2,10 +2,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: argo
+  namespace: workflow-playground # Gives permission in the managed namespace
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: workflow-role
+  kind: ClusterRole
+  name: argo-workflows-argo-role
 subjects:
   - kind: ServiceAccount
     name: argo
+    namespace: argo

argo-workflows/resources/argo-server-ingress.yaml

@@ -5,10 +5,10 @@ metadata:
   annotations:
     # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
     ingress.kubernetes.io/proxy-body-size: 100M
-    kubernetes.io/ingress.class: "nginx"
     ingress.kubernetes.io/app-root: "/"
     nginx.ingress.kubernetes.io/backend-protocol: HTTPS
 spec:
+  ingressClassName: nginx
   tls:
   - hosts:
     - workflows.apps.argoproj.io

argo-workflows/resources/argo-server-rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argo-server-binding
+  namespace: workflow-playground # Gives permission in the managed namespace
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-workflows-argo-server-role
+subjects:
+  - kind: ServiceAccount
+    name: argo-server
+    namespace: argo

argo-workflows/resources/argo-workflows-certificate.yaml

@@ -1,4 +1,4 @@
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: argo-workflows-cert
@@ -9,4 +9,4 @@ spec:
     kind: Issuer
   commonName: workflows.apps.argoproj.io
   dnsNames:
-  - workflows.apps.argoproj.io
+    - workflows.apps.argoproj.io

argo-workflows/resources/argo-workflows-issuer.yaml

@@ -1,16 +1,16 @@
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: argo-workflows-issuer
 spec:
   acme:
     server: https://acme-v02.api.letsencrypt.org/directory
-    email: amatyushentsev@gmail.com
+    email: argoproj@gmail.com
     privateKeySecretRef:
       name: letsencrypt
     solvers:
-    # An empty 'selector' means that this solver matches all domains
-    - selector: {}
-      http01:
-        ingress:
-          class: nginx
+      # An empty 'selector' means that this solver matches all domains
+      - selector: {}
+        http01:
+          ingress:
+            class: nginx

argo-workflows/resources/rbac/read-only-clusterrole.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-workflows-read-only
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - clusterworkflowtemplates
+      - clusteranalysistemplates
+    verbs:
+      - get
+      - list
+      - watch

argo-workflows/resources/rbac/read-only-namespaced-clusterrole.yaml

@@ -0,0 +1,32 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-workflows-read-only-namespaced
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - pods/log
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - ''
+    resources:
+      - events
+    verbs:
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - eventsources
+      - sensors
+      - workflows
+      - workfloweventbindings
+      - workflowtemplates
+      - cronworkflows
+    verbs:
+      - get
+      - list
+      - watch

argo-workflows/resources/read-write-role.yaml → argo-workflows/resources/rbac/read-write-namespaced-clusterrole.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
-  name: read-write
+  name: argo-workflows-read-write-namespaced
 rules:
   - apiGroups:
       - ''

argocd/.gitignore

@@ -0,0 +1 @@
+/argo-cd-auth-secret.yaml

argocd/base/argo-cd-issuer.yaml

@@ -5,12 +5,12 @@ metadata:
 spec:
   acme:
     server: https://acme-v02.api.letsencrypt.org/directory
-    email: amatyushentsev@gmail.com
+    email: argoproj@gmail.com
     privateKeySecretRef:
       name: letsencrypt
     solvers:
-    # An empty 'selector' means that this solver matches all domains
-    - selector: {}
-      http01:
-        ingress:
-          class: nginx
+      # An empty 'selector' means that this solver matches all domains
+      - selector: {}
+        http01:
+          ingress:
+            class: nginx