all: remove bootstrapping of namespaces

This commit removes the bootstrap step used to install namespaces in a
cluster. The step has been integrated into the new helmfile setup and
namespaces are now managed by helm.

Two new releases are added: "admin-namespaces" and
"dev-namespaces", the latter of which is only relevant for wc clusters
and it only includes the "alertmanager" namespace as of now. The
"admin-namespace" includes all admin namespaces execpt for the "kube-*"
namespaces. The "kube-*" namespaces are not managed by helm nor do they
get any PSA or "owner=operator" labels set. Furthermore those namespaces
are exempted from the OPA-Gatekeeper validating and mutating webhooks!

Note, namespaces are not removed by Helm! If you destroy the
namespace releases the namespace resources will be left behind.

Furthermore, this commits sets the restricted PSA labels on the "thanos"
namespace and the privileged PSA labels on the "falco" and
"opensearch-system" namespaces.
In order set the restricted labels on the "thanos" namespace, seccomp
profile and drop all capabilities is set on the thanos components.

DEVELOPMENT.md

@@ -52,9 +52,6 @@ The configuration contains some `set-me`'s that must be configured manually.
 > [!important]
 > Setting up ingresses properly requires some additional steps documented later in this section.
 
-> [!important]
-> Namespaces are not yet managed by `helmfile` so you must first run `./bin/ck8s bootstrap sc|wc`.
-
 Manage apps by using `helmfile` directly and with needs it will pull in all required releases:
 
 ```sh

README.md

@@ -394,7 +394,7 @@ Run the script to see what options are available.
 
 #### Examples
 
-- Bootstrap and deploy apps to the workload cluster:
+- Deploy apps to the workload cluster:
 
  ```bash
  ./bin/ck8s apply wc

bin/apps.bash

@@ -63,8 +63,7 @@ apps_sc() {
  #
  # The first few Charts install CRDs, which will make template validation
  # fail. CRDs are "changes" to the Kubernetes API, hence validation against
- # the Kubernetes API cannot be done. OTOH, manually adding the CRDs during
- # bootstrap is error-prone and adds maintenance burden.
+ # the Kubernetes API cannot be done.
  #
  # While it would be nice to have some template validation before `helmfile apply`,
  # at least Helmfile does "just in time" template validation. Not as nice,

bin/ck8s

@@ -11,9 +11,7 @@ source "${here}/common.bash"
 usage() {
  echo "COMMANDS:" 1>&2
  echo " init <wc|sc|both> [--generate-new-secrets] initialize the config path" 1>&2
- echo " bootstrap <wc|sc> bootstrap the cluster" 1>&2
- echo " apps <wc|sc> [--sync] [--skip-template-validate] [--concurrency=<num>] deploy the applications" 1>&2
- echo " apply <wc|sc> [--sync] [--skip-template-validate] [--concurrency=<num>] bootstrap and apps" 1>&2
+ echo " apply <wc|sc> [--sync] [--skip-template-validate] [--concurrency=<num>] deploy the apps" 1>&2
  echo " test <wc|sc> [--logging-enabled] test the applications" 1>&2
  echo " dry-run <wc|sc> [--kubectl] runs helmfile diff" 1>&2
  echo " fix-psp-violations <wc|sc> Checks and restarts pods that violates Pod Security Polices, applicable for new environments" 1>&2
@@ -65,20 +63,9 @@ case "${1}" in
  export CK8S_CLUSTER="${2}"
  "${here}/init.bash" "${GEN_NEW_SECRETS}"
  ;;
- bootstrap)
- [[ "${2}" =~ ^(wc|sc)$ ]] || usage
- check_tools
- "${here}/bootstrap.bash" "${2}"
- ;;
- apps)
- [[ "${2}" =~ ^(wc|sc)$ ]] || usage
- check_tools
- "${here}/apps.bash" "${2}" "${SKIP}" "${SYNC}" "${CONCURRENCY}"
- ;;
  apply)
  [[ "${2}" =~ ^(wc|sc)$ ]] || usage
  check_tools
- "${here}/bootstrap.bash" "${2}"
  "${here}/apps.bash" "${2}" "${SKIP}" "${SYNC}" "${CONCURRENCY}"
  ;;
  test)

completion/bash

@@ -2,8 +2,6 @@
 
 _ck8s_command_ck8s() {
  opts+=("init")
- opts+=("bootstrap")
- opts+=("apps")
  opts+=("apply")
  opts+=("test")
  opts+=("dry-run")
@@ -18,20 +16,6 @@ _ck8s_command_ck8s() {
  COMPREPLY=($(compgen -W "${opts[*]}" -- ${cur}))
 }
 
-_ck8s_command_ck8s_bootstrap() {
- local opts=()
- opts+=("sc")
- opts+=("wc")
- COMPREPLY=( $(compgen -W "${opts[*]}" -- ${cur}) )
-}
-
-_ck8s_command_ck8s_apps() {
- local opts=()
- opts+=("sc")
- opts+=("wc")
- COMPREPLY=( $(compgen -W "${opts[*]}" -- ${cur}) )
-}
-
 _ck8s_command_ck8s_apply() {
  local opts=()
  opts+=("sc")

helmfile.d/stacks/falco.yaml

@@ -13,6 +13,8 @@ templates:
  installed: {{ and (.Values | get "falco.enabled" false) (.Values | get "networkPolicies.falco.enabled" false) }}
  labels:
  netpol: falco
+ needs:
+ - kube-system/admin-namespaces
  values:
  - values/networkpolicies/common/common.yaml.gotmpl
  - values/networkpolicies/common/falco.yaml.gotmpl
@@ -23,6 +25,8 @@ templates:
  - template: podsecuritypolicies
  labels:
  psp: falco
+ needs:
+ - kube-system/admin-namespaces
  values:
  - values/podsecuritypolicies/common/falco.yaml.gotmpl
 

helmfile.d/stacks/harbor.yaml

@@ -13,6 +13,8 @@ templates:
  installed: {{ and (.Values | get "harbor.enabled" false) (.Values | get "networkPolicies.harbor.enabled" false) }}
  labels:
  netpol: harbor
+ needs:
+ - kube-system/admin-namespaces
  values:
  - values/networkpolicies/common/common.yaml.gotmpl
  - values/networkpolicies/service/harbor.yaml.gotmpl