helmify bootstrap

bin/ck8s

@@ -11,7 +11,6 @@ source "${here}/common.bash"
 usage() {
  echo "COMMANDS:" 1>&2
  echo " init <wc|sc|both> [--generate-new-secrets] initialize the config path" 1>&2
- echo " bootstrap <wc|sc> bootstrap the cluster" 1>&2
  echo " apps <wc|sc> [--sync] [--skip-template-validate] deploy the applications" 1>&2
  echo " apply <wc|sc> [--sync] [--skip-template-validate] bootstrap and apps" 1>&2
  echo " test <wc|sc> [--logging-enabled] test the applications" 1>&2
@@ -63,11 +62,6 @@ case "${1}" in
  export CK8S_CLUSTER="${2}"
  "${here}/init.bash" "${GEN_NEW_SECRETS}"
  ;;
- bootstrap)
- [[ "${2}" =~ ^(wc|sc)$ ]] || usage
- check_tools
- "${here}/bootstrap.bash" "${2}"
- ;;
  apps)
  [[ "${2}" =~ ^(wc|sc)$ ]] || usage
  check_tools
@@ -76,7 +70,6 @@ case "${1}" in
  apply)
  [[ "${2}" =~ ^(wc|sc)$ ]] || usage
  check_tools
- "${here}/bootstrap.bash" "${2}"
  "${here}/apps.bash" "${2}" "${SKIP}" "${SYNC}"
  ;;
  test)

helmfile.yaml

@@ -24,8 +24,10 @@ bases:
  - helmfile/stacks/system.yaml
  - helmfile/stacks/thanos.yaml
  - helmfile/stacks/velero.yaml
+ - helmfile/stacks/namespaces.yaml
 ---
 releases:
+ - inherit: [ template: ck8s-namespaces ]
  - inherit: [ template: admin-rbac ]
  - inherit: [ template: dev-rbac ]
  - inherit: [ template: dev-rbac-crds ]

helmfile/stacks/cert-manager.yaml

@@ -12,6 +12,7 @@ templates:
  - template: cert-manager-chart
  name: cert-manager
  needs:
+ - kube-system/ck8s-namespaces
  - kube-system/common-np
  values:
  - helmfile/values/cert-manager.yaml.gotmpl

helmfile/stacks/ingress-nginx.yaml

@@ -11,6 +11,8 @@ templates:
  - template: podsecuritypolicies
  labels:
  psp: ingress-nginx
+ needs:
+ - kube-system/ck8s-namespaces
  values:
  - helmfile/values/podsecuritypolicies/common/ingress-nginx.yaml.gotmpl
 

helmfile/stacks/monitoring.yaml

@@ -12,6 +12,8 @@ templates:
  installed: {{ .Values | get "networkPolicies.monitoring.enabled" false }}
  labels:
  netpol: monitoring
+ needs:
+ - kube-system/ck8s-namespaces
  values:
  - helmfile/values/networkpolicies/common/common.yaml.gotmpl
  - helmfile/values/networkpolicies/common/prometheus.yaml.gotmpl
@@ -29,6 +31,8 @@ templates:
  - template: podsecuritypolicies
  labels:
  psp: monitoring
+ needs:
+ - kube-system/ck8s-namespaces
  values:
  - helmfile/values/podsecuritypolicies/common/monitoring.yaml.gotmpl
 

helmfile/stacks/namespaces.yaml

@@ -0,0 +1,15 @@
+---
+templates:
+ ck8s-namespaces:
+ name: ck8s-namespaces
+ namespace: kube-system
+ labels:
+ app: ck8s-namespaces
+ chart: helmfile/charts/namespaces
+ version: 0.1.1
+ values:
+ {{ if .Values.ck8sManagementCluster.enabled }}
+ - helmfile/values/namespaces-sc.yaml.gotmpl
+ {{ else if .Values.ck8sWorkloadCluster.enabled }}
+ - helmfile/values/namespaces-wc.yaml.gotmpl
+ {{ end }}

helmfile/stacks/thanos.yaml

@@ -13,6 +13,8 @@ templates:
  installed: {{ and (.Values | get "thanos.enabled" false) (.Values | get "networkPolicies.thanos.enabled" false) }}
  labels:
  netpol: thanos
+ needs:
+ - kube-system/ck8s-namespaces
  values:
  - helmfile/values/networkpolicies/common/common.yaml.gotmpl
  - helmfile/values/networkpolicies/service/thanos.yaml.gotmpl
@@ -31,6 +33,8 @@ templates:
  app: prometheus
  {{- end }}
  name: thanos-ingress-secret
+ needs:
+ - kube-system/ck8s-namespaces
  values:
  - helmfile/values/thanos/ingress-secret.yaml.gotmpl
 
@@ -40,6 +44,8 @@ templates:
  - template: thanos-chart
  installed: {{ .Values | get "thanos.enabled" false }}
  name: thanos-objectstorage-secret
+ needs:
+ - kube-system/ck8s-namespaces
  values:
  - helmfile/values/thanos/objectstorage-secret.yaml.gotmpl
 

helmfile/stacks/velero.yaml

@@ -23,6 +23,7 @@ templates:
  installed: {{ .Values | get "velero.enabled" false }}
  name: velero
  needs:
+ - kube-system/ck8s-namespaces
  - monitoring/kube-prometheus-stack
  - velero/podsecuritypolicy
  values:

bootstrap/namespaces/helmfile/values/namespaces-sc.yaml.gotmpl → helmfile/values/namespaces-sc.yaml.gotmpl

@@ -18,8 +18,14 @@ namespaces:
  pod-security.kubernetes.io/warn: privileged
 {{- end }}
 - name: kube-node-lease
+ annotations:
+ helm.sh/resource-policy: keep
 - name: kube-public
+ annotations:
+ helm.sh/resource-policy: keep
 - name: kube-system
+ annotations:
+ helm.sh/resource-policy: keep
 - name: monitoring
  labels:
  pod-security.kubernetes.io/audit: privileged

bootstrap/namespaces/helmfile/values/namespaces-wc.yaml.gotmpl → helmfile/values/namespaces-wc.yaml.gotmpl

@@ -17,8 +17,14 @@ namespaces:
  pod-security.kubernetes.io/warn: privileged
 {{- end }}
 - name: kube-node-lease
+ annotations:
+ helm.sh/resource-policy: keep
 - name: kube-public
+ annotations:
+ helm.sh/resource-policy: keep
 - name: kube-system
+ annotations:
+ helm.sh/resource-policy: keep
 - name: monitoring
  labels:
  pod-security.kubernetes.io/audit: privileged

kind/cluster-config.yaml

@@ -0,0 +1,6 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+ - role: control-plane
+ - role: worker
+ - role: worker

migration/template/README.md

@@ -133,14 +133,6 @@ As with all scripts in this repository `CK8S_CONFIG_PATH` is expected to be set.
  export CK8S_CLUSTER=<wc|sc|both>
  ```
 
-1. Rerun bootstrap:
-
- ```bash
- ./bin/ck8s bootstrap {sc|wc}
- # or
- ./migration/${new_version}/apply/20-bootstrap.sh execute
- ```
-
 1. Upgrade applications:
 
  ```bash

migration/v0.34/README.md

@@ -160,14 +160,6 @@ As with all scripts in this repository `CK8S_CONFIG_PATH` is expected to be set.
  ./migration/v0.34/apply/12-hnc-crds.sh execute
  ```
 
-1. Rerun bootstrap:
-
- ```bash
- ./bin/ck8s bootstrap {sc|wc}
- # or
- ./migration/v0.34/apply/20-bootstrap.sh execute
- ```
-
 1. Delete obsolete namespaces:
 
  ```bash
@@ -180,6 +172,12 @@ As with all scripts in this repository `CK8S_CONFIG_PATH` is expected to be set.
  ./migration/v0.34/apply/70-unmanage-user-alertmanager-secret.sh execute
  ```
 
+1. Migrate ck8s-system namespaces to helm
+
+ ```bash
+ ./migration/v0.34/apply/ck8s-namespaces.sh
+ ```
+
 1. Upgrade applications:
 
  ```bash