all: remove bootstrapping of namespaces

This commit removes the bootstrap step used to install namespaces in a
cluster. The step has been integrated into the new helmfile setup and
namespaces are now managed by helm.

Two new releases are added: "admin-namespaces" and
"dev-namespaces", the latter of which is only relevant for wc clusters
and it only includes the "alertmanager" namespace as of now. The
"admin-namespace" includes all admin namespaces execpt for the "kube-*"
namespaces. The "kube-*" namespaces are not managed by helm nor do they
get and PSA annotations set. Futhermore those namespaces are exempted
from the OPA-Gatekeeper validating and mutating webhooks!

DEVELOPMENT.md

@@ -52,9 +52,6 @@ The configuration contains some `set-me`'s that must be configured manually.
 > [!important]
 > Setting up ingresses properly requires some additional steps documented later in this section.
 
-> [!important]
-> Namespaces are not yet managed by `helmfile` so you must first run `./bin/ck8s bootstrap sc|wc`.
-
 Manage apps by using `helmfile` directly and with needs it will pull in all required releases:
 
 ```sh

README.md

@@ -394,7 +394,7 @@ Run the script to see what options are available.
 
 #### Examples
 
-- Bootstrap and deploy apps to the workload cluster:
+- Deploy apps to the workload cluster:
 
  ```bash
  ./bin/ck8s apply wc

bin/apps.bash

@@ -63,8 +63,7 @@ apps_sc() {
  #
  # The first few Charts install CRDs, which will make template validation
  # fail. CRDs are "changes" to the Kubernetes API, hence validation against
- # the Kubernetes API cannot be done. OTOH, manually adding the CRDs during
- # bootstrap is error-prone and adds maintenance burden.
+ # the Kubernetes API cannot be done.
  #
  # While it would be nice to have some template validation before `helmfile apply`,
  # at least Helmfile does "just in time" template validation. Not as nice,

bin/ck8s

@@ -11,9 +11,7 @@ source "${here}/common.bash"
 usage() {
  echo "COMMANDS:" 1>&2
  echo " init <wc|sc|both> [--generate-new-secrets] initialize the config path" 1>&2
- echo " bootstrap <wc|sc> bootstrap the cluster" 1>&2
- echo " apps <wc|sc> [--sync] [--skip-template-validate] [--concurrency=<num>] deploy the applications" 1>&2
- echo " apply <wc|sc> [--sync] [--skip-template-validate] [--concurrency=<num>] bootstrap and apps" 1>&2
+ echo " apply <wc|sc> [--sync] [--skip-template-validate] [--concurrency=<num>] deploy the apps" 1>&2
  echo " test <wc|sc> [--logging-enabled] test the applications" 1>&2
  echo " dry-run <wc|sc> [--kubectl] runs helmfile diff" 1>&2
  echo " fix-psp-violations <wc|sc> Checks and restarts pods that violates Pod Security Polices, applicable for new environments" 1>&2
@@ -65,20 +63,9 @@ case "${1}" in
  export CK8S_CLUSTER="${2}"
  "${here}/init.bash" "${GEN_NEW_SECRETS}"
  ;;
- bootstrap)
- [[ "${2}" =~ ^(wc|sc)$ ]] || usage
- check_tools
- "${here}/bootstrap.bash" "${2}"
- ;;
- apps)
- [[ "${2}" =~ ^(wc|sc)$ ]] || usage
- check_tools
- "${here}/apps.bash" "${2}" "${SKIP}" "${SYNC}" "${CONCURRENCY}"
- ;;
  apply)
  [[ "${2}" =~ ^(wc|sc)$ ]] || usage
  check_tools
- "${here}/bootstrap.bash" "${2}"
  "${here}/apps.bash" "${2}" "${SKIP}" "${SYNC}" "${CONCURRENCY}"
  ;;
  test)

completion/bash

@@ -2,8 +2,6 @@
 
 _ck8s_command_ck8s() {
  opts+=("init")
- opts+=("bootstrap")
- opts+=("apps")
  opts+=("apply")
  opts+=("test")
  opts+=("dry-run")
@@ -18,20 +16,6 @@ _ck8s_command_ck8s() {
  COMPREPLY=($(compgen -W "${opts[*]}" -- ${cur}))
 }
 
-_ck8s_command_ck8s_bootstrap() {
- local opts=()
- opts+=("sc")
- opts+=("wc")
- COMPREPLY=( $(compgen -W "${opts[*]}" -- ${cur}) )
-}
-
-_ck8s_command_ck8s_apps() {
- local opts=()
- opts+=("sc")
- opts+=("wc")
- COMPREPLY=( $(compgen -W "${opts[*]}" -- ${cur}) )
-}
-
 _ck8s_command_ck8s_apply() {
  local opts=()
  opts+=("sc")

helmfile.d/stacks/harbor.yaml

@@ -13,6 +13,8 @@ templates:
  installed: {{ and (.Values | get "harbor.enabled" false) (.Values | get "networkPolicies.harbor.enabled" false) }}
  labels:
  netpol: harbor
+ needs:
+ - kube-system/admin-namespaces
  values:
  - values/networkpolicies/common/common.yaml.gotmpl
  - values/networkpolicies/service/harbor.yaml.gotmpl

helmfile.d/stacks/hnc.yaml

@@ -13,6 +13,8 @@ templates:
  - template: networkpolicies
  labels:
  netpol: hnc
+ needs:
+ - kube-system/admin-namespaces
  values:
  - values/networkpolicies/common/common.yaml.gotmpl
  - values/networkpolicies/workload/hnc.yaml.gotmpl
@@ -23,6 +25,8 @@ templates:
  chart: charts/hnc/config-and-crds
  version: 0.1.0
  name: hnc-config-and-crds
+ needs:
+ - kube-system/admin-namespaces
  values:
  - values/hnc/controller.yaml.gotmpl