From 8449839a9894b01b9f2836608d465cf8a34606bd Mon Sep 17 00:00:00 2001
From: Aaron Riedel
Date: Tue, 27 May 2025 21:27:28 +0200
Subject: [PATCH] add fip-controller
---
app-files/core-deployments.yaml | 20 ++++++++
fip-controller/0-namespace.yaml | 5 ++
fip-controller/1-rbac.yaml | 43 +++++++++++++++++
fip-controller/2-configmap.yaml | 10 ++++
fip-controller/3-secret.env.yaml | 44 +++++++++++++++++
fip-controller/4-deployment.yaml | 71 ++++++++++++++++++++++++++++
fip-controller/kustomization.yaml | 10 ++++
fip-controller/secret-generator.yaml | 11 +++++
8 files changed, 214 insertions(+)
create mode 100644 fip-controller/0-namespace.yaml
create mode 100644 fip-controller/1-rbac.yaml
create mode 100644 fip-controller/2-configmap.yaml
create mode 100644 fip-controller/3-secret.env.yaml
create mode 100644 fip-controller/4-deployment.yaml
create mode 100644 fip-controller/kustomization.yaml
create mode 100644 fip-controller/secret-generator.yaml
diff --git a/app-files/core-deployments.yaml b/app-files/core-deployments.yaml
index e03f54e..43809a3 100644
--- a/app-files/core-deployments.yaml
+++ b/app-files/core-deployments.yaml
@@ -503,3 +503,23 @@ spec: automated: selfHeal: true prune: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: fip-controller
+ namespace: argocd
+spec:
+ project: default
+ sources:
+ - repoURL: https://git.ar21.de/yolokube/core-deployments.git
+ targetRevision: HEAD
+ path: fip-controller
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: fip-controller
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: false
diff --git a/fip-controller/0-namespace.yaml b/fip-controller/0-namespace.yaml
new file mode 100644
index 0000000..184c4eb
--- /dev/null
+++ b/fip-controller/0-namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: fip-controller
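Review bot: The new Application's syncPolicy sets `prune: false` and omits `selfHeal`, while the sibling Application whose tail is visible at the top of the hunk runs with `selfHeal: true` and `prune: true`; if the controller is meant to be excluded from pruning (for example so a sync can never delete the ksops-generated Secret), a comment stating that, e.g. `# prune disabled on purpose: Secret is produced by a generator`, would stop the next reader from "fixing" it. `targetRevision: HEAD` follows the branch tip, so every commit to the repo rolls out to a component that holds a cloud API token; presumably this matches the other Applications in the file, but it is worth being deliberate about. `CreateNamespace=true` is redundant with the Namespace object added in 0-namespace.yaml in the same commit, which is harmless but one of the two could go.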
diff --git a/fip-controller/1-rbac.yaml b/fip-controller/1-rbac.yaml
new file mode 100644
index 0000000..eaf6895
--- /dev/null
+++ b/fip-controller/1-rbac.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: fip-controller
+ namespace: fip-controller
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: fip-controller
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ - pods
+ verbs:
+ - get
+ - list
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - "leases"
+ verbs:
+ - "get"
+ - "list"
+ - "update"
+ - "create"
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: fip-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: fip-controller
+subjects:
+ - kind: ServiceAccount
+ name: fip-controller
+ namespace: fip-controller
diff --git a/fip-controller/2-configmap.yaml b/fip-controller/2-configmap.yaml
new file mode 100644
index 0000000..55a4842
--- /dev/null
+++ b/fip-controller/2-configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: hcloud-fip-controller
+data:
+ config.json: |
+ {
+ "floating_ip_label_selector": "cluster_name==yolokube",
+ "lease_duration": 30
+ }
diff --git a/fip-controller/3-secret.env.yaml b/fip-controller/3-secret.env.yaml
new file mode 100644
index 0000000..a1bc6ad
--- /dev/null
+++ b/fip-controller/3-secret.env.yaml
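Review bot: The ClusterRole grants get/list/update/create on `leases` cluster-wide, but a leader-election lease is normally held in the controller's own namespace; unless hcloud-fip-controller needs leases outside `fip-controller`, that rule belongs in a namespaced Role plus RoleBinding, leaving the ClusterRole with only the `nodes`/`pods` read rule. The same question applies to `pods` — if the controller only inspects its own pods, a namespaced rule is enough. Whether `watch` is needed next to `get`/`list` cannot be told from the hunk; confirm against the controller's client code before relying on this set. Stylistically the second rule quotes every scalar (`"coordination.k8s.io"`, `"leases"`, `"get"`) while the first leaves them plain, and this file alone omits the leading `---` the other new files start with; pick one convention.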
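Review bot: The ConfigMap carries no `metadata.namespace`, unlike the ServiceAccount and the Deployment in this commit, which both pin `namespace: fip-controller`; it lands wherever the Argo Application's destination sends it, which works under Argo but silently changes if the manifests are ever applied directly. Adding `  namespace: fip-controller` under `metadata` keeps the package self-contained; the Secret in 3-secret.env.yaml has the same gap, and its metadata stays plaintext under the `encrypted_regex` used there, so the key can be added without re-encrypting the data.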
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: hcloud-fip-controller
+stringData:
+ HCLOUD_API_TOKEN: ENC[AES256_GCM,data:w9KJ4PNwP93yxO5WfHy18mCjgS2eUkwi27NFVPBdlnY6TmrxdGh4F7r5gdlWCZdaR58DSmTz4joW2K5K9TOnzg==,iv:2p5zhCqQ4Z6nfbIuXLidgTIa9rfaL1UjeDxZN7/49G8=,tag:uRP/4A2FOy1Hxy15Da7jbQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVmRsRHUxWWUrWlQyaFBh
+ NWl0bm1VWlBFZFYwR2hkalhVSk1aeG1ZOFZzCjlqZHg2eW1SNDhUcS9FZWVITTNY
+ YWhuUVRHb3VyYUl3YmV5ZElHaS9henMKLS0tIHYwTENXUjVmUktXNkE4eFBieXlV
+ TjV1dFlRaForN0E2eXpsQ0FuZ1R1T0UKg8TzYSd+uT8YUcDeDkHvpX2HelTFTxbx
+ dYtBGiCDJoU7K3Gd/JHsnwPfhojOIJ4dvye35CkXf4/oMG6I2WEpjw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1s9nvc4rxj3kaj4apmzzn8fmjrudrvdhgu70rg04we9hyse5aadsq7kmckn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2eS9LMmpMbjZzMkQxYm9D
+ eVYxQ3o2L2ZqMGRJaGMyeXVpcU1qNVppN2pNCnAzK2dSdkFPblBvWG50dWtXdlhs
+ YndHR0M4TXhHOElIaHgybUl1bDVPb1UKLS0tIDJOaTNXUEdkazlXS2Y4M2hWSW8z
+ TkZCOGNSTjkwZlJHZys3cnBnUWNFRW8KrOX56AFms2yjAmkerJZRQ1UsW4ID98rb
+ bQAD2UQhVSKwLjqnu0/FCCAMfL9IsRUfbG7grzURHQKp1QyK+U6ZMQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0dUcxV2FDdTVMRzdUaXNs
+ REpWRnhPeHpNMllaeTc1ZXlVYmF2bVpZTHlzCmNKbERXY1FhRDE0L1RIbHNab1pL
+ cTA2OHQyT1JYYTNmaDY5dE1RL0pCTmsKLS0tIHJLYVRxRk1xS0llQ0t2M0pIcytn
+ VWRqclRmL1VkaTBNemliTmFSeVBkYmcKZFm/dDryjdEtd/6YmiVt60eGf9/WgIZ9
+ W9yAW+Menbi3j9HG4ZTahASBfOjwV0iw0TJHCyDxXLgGH2ifPPMqNQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-05-27T19:26:05Z"
+ mac:
ENC[AES256_GCM,data:qqYEFU1EmK8hbMOJG3cvIQfNwpc6IB78F8Vyg8pJJZXBZoBElL/uTUw6P7Afp2S/8aq5+oqndB7zv4LYZqiSNK43BORXB8/ffT/P2qBv5lKDgtZrma7txbWiMgGN6jkrjcNnKdLxh+PMWrkz4Drxy6sv9jHuB+W6R5efid5V/1M=,iv:1W8l/UzTL5OoRpKBP7IDGjto1qtA+A7qbzY0ZX9qT7Q=,tag:jXL3TiLt/RqNYNIh+/IQRg==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.4
diff --git a/fip-controller/4-deployment.yaml b/fip-controller/4-deployment.yaml
new file mode 100644
index 0000000..0fefa44
--- /dev/null
+++ b/fip-controller/4-deployment.yaml
@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: fip-controller
+ namespace: fip-controller
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: fip-controller
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+ template:
+ metadata:
+ labels:
+ app: fip-controller
+ spec:
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - fip-controller
+ topologyKey: kubernetes.io/hostname
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ serviceAccountName: fip-controller
+ containers:
+ - name: fip-controller
+ image: yolokube/hcloud-fip-controller:v0.6.0 # cbeneke/hcloud-fip-controller:v0.4.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ envFrom:
+ - secretRef:
+ name: hcloud-fip-controller
+ volumeMounts:
+ - name: config
+ mountPath: /app/config
+ volumes:
+ - name: config
+ configMap:
+ name: hcloud-fip-controller
diff --git a/fip-controller/kustomization.yaml b/fip-controller/kustomization.yaml
new file mode 100644
index 0000000..d6015a6
--- /dev/null
+++ b/fip-controller/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+ - ./secret-generator.yaml
+resources:
+ - ./0-namespace.yaml
+ - ./1-rbac.yaml
+ - ./2-configmap.yaml
+ - ./4-deployment.yaml
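Review bot: The `fip-controller` container has no `securityContext` and no `resources`, yet it is pinned to control-plane nodes and receives the Hetzner API token through `envFrom`; a pod in that position should at least run as non-root, refuse privilege escalation, drop all capabilities, and mount its config read-only. The stanza below adds those fields around the existing container definition; `readOnlyRootFilesystem` is included on the assumption that the image writes nothing outside `/app/config` — confirm against the image before keeping it, and add requests/limits once the controller's footprint is known (nothing in the hunk shows it). Separately, `replicas: 3` combined with the required pod anti-affinity and the required control-plane node affinity means the rollout only completes on a cluster with at least three schedulable control-plane nodes, which deserves a comment such as `# replicas must not exceed the number of control-plane nodes`. The image is tag-pinned (`v0.6.0`); a digest pin would make the deployed artifact immutable, but that is a policy choice for the repo as a whole.

```yaml
      containers:
        - name: fip-controller
          # … unchanged: image, imagePullPolicy, env, envFrom …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true  # assumption: image only reads /app/config — confirm
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: config
              mountPath: /app/config
              readOnly: true
```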
diff --git a/fip-controller/secret-generator.yaml b/fip-controller/secret-generator.yaml
new file mode 100644
index 0000000..7d9f42a
--- /dev/null
+++ b/fip-controller/secret-generator.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: secret-generator
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+files:
+ - ./3-secret.enc.yaml
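Review bot: `files` points at `./3-secret.enc.yaml`, but the file this commit adds is `fip-controller/3-secret.env.yaml` (see the diffstat and its `+++` header), so ksops will not find its input and the `hcloud-fip-controller` Secret that the Deployment's `envFrom` depends on will never be generated. Either rename the file or change the entry to `- ./3-secret.env.yaml`; since `.enc.yaml` is the conventional spelling for SOPS-encrypted manifests, renaming the file is probably the intended fix. Because kustomization.yaml deliberately leaves the secret file out of `resources`, nothing else in the package will flag the mismatch before the first sync fails.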