Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

initial

Browse Source
This commit is contained in:
Danijel Simeunovic
2026-02-07 21:16:15 +01:00
commit a42a07b669
21 changed files with 849 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
.gitignore vendored Normal file
View File

@@ -0,0 +1,18 @@
# User-specific files
*.user
*.lock
*.userosscache
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
.github/
private/
.helm/
temp/
*.orig
CLAUDE.md
.claude/
devbox.d/
devbox.lock
.devbox/

22
argocd/_app-of-apps.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: musicman-app-of-apps
namespace: argocd
labels:
scope: music-man
spec:
project: default
source:
repoURL: https://github.com/snothub/scaling-parakeet.git
targetRevision: HEAD
path: argocd
destination:
server: https://kubernetes.default.svc
namespace: music-man
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

54
argocd/apps/application.yaml Normal file
View File

@@ -0,0 +1,54 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: music-man
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://github.com/snothub/scaling-parakeet.git
targetRevision: HEAD
path: helm-chart
helm:
valueFiles:
- values.yaml
values: |
app:
image:
tag: v3.4.11 # Updated automatically by GitHub Actions on release
parameters:
- name: secrets.databasePassword
value: "change-me-in-production"
destination:
server: https://kubernetes.default.svc
namespace: music-man
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- Validate=true
- ServerSideApply=false
- Replace=false
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m
ignoreDifferences:
- group: apps
kind: Deployment
jsonPointers:
- /spec/replicas

90
argocd/apps/cert-manager-application.yaml Normal file
View File

@@ -0,0 +1,90 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-manager
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://charts.jetstack.io
chart: cert-manager
targetRevision: "v1.14.0"
helm:
values: |
# Install CustomResourceDefinitions
installCRDs: true
# Global configuration
global:
leaderElection:
namespace: cert-manager
# Webhook configuration
webhook:
enabled: true
replicaCount: 1
timeoutSeconds: 10
# Disable Istio sidecar injection for webhook to avoid mTLS issues
podAnnotations:
sidecar.istio.io/inject: "false"
# CA Injector
caInjector:
enabled: true
replicaCount: 1
# Disable Istio sidecar injection for CA injector
podAnnotations:
sidecar.istio.io/inject: "false"
# Disable Istio sidecar for main controller pods
podAnnotations:
sidecar.istio.io/inject: "false"
# Security context
podSecurityPolicy:
enabled: false
# Resources
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 100m
memory: 128Mi
# Service account
serviceAccount:
create: true
name: cert-manager
# Enable debug logging if needed (set to false for production)
logLevel: 2
destination:
server: https://kubernetes.default.svc
namespace: cert-manager
# Patch namespace to disable Istio injection
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- Validate=true
- ServerSideApply=false
- Replace=false
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m

38
argocd/apps/cluster-resources-application.yaml Normal file
View File

@@ -0,0 +1,38 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cluster-resources
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://github.com/snothub/scaling-parakeet.git
targetRevision: HEAD
path: cluster-resources
destination:
server: https://kubernetes.default.svc
namespace: cert-manager
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- Validate=true
- ServerSideApply=false
- Replace=false
- ApplyOutOfSyncOnly=false
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m

41
argocd/apps/fluent-bit.yaml Normal file
View File

@@ -0,0 +1,41 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: fluent-bit
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
- repoURL: https://fluent.github.io/helm-charts
chart: fluent-bit
targetRevision: 0.47.10
helm:
releaseName: fluent-bit
valueFiles:
- $values/argocd/values/fluent-bit-values.yaml
- repoURL: https://github.com/YOUR_ORG/YOUR_GITOPS_REPO.git
targetRevision: main
ref: values
destination:
server: https://kubernetes.default.svc
namespace: monitoring
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m

41
argocd/apps/grafana.yaml Normal file
View File

@@ -0,0 +1,41 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: grafana
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
- repoURL: https://grafana.github.io/helm-charts
chart: grafana
targetRevision: latest
helm:
releaseName: grafana
valueFiles:
- $values/argocd/values/grafana-values.yaml
- repoURL: https://github.com/YOUR_ORG/YOUR_GITOPS_REPO.git
targetRevision: main
ref: values
destination:
server: https://kubernetes.default.svc
namespace: monitoring
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m

35
argocd/apps/kyverno.yaml Normal file
View File

@@ -0,0 +1,35 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kyverno
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
chart: kyverno
repoURL: https://kyverno.github.io/kyverno/
targetRevision: v1.13.0 # Update to latest stable version
helm:
releaseName: kyverno
destination:
server: https://kubernetes.default.svc
namespace: kyverno
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m

41
argocd/apps/loki.yaml Normal file
View File

@@ -0,0 +1,41 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: loki
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
- repoURL: https://grafana.github.io/helm-charts
chart: loki
targetRevision: latest
helm:
releaseName: loki
valueFiles:
- $values/argocd/values/loki-values.yaml
- repoURL: https://github.com/YOUR_ORG/YOUR_GITOPS_REPO.git
targetRevision: main
ref: values
destination:
server: https://kubernetes.default.svc
namespace: monitoring
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m

41
argocd/apps/prometheus.yaml Normal file
View File

@@ -0,0 +1,41 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prometheus
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
- repoURL: https://prometheus-community.github.io/helm-charts
chart: prometheus
targetRevision: latest
helm:
releaseName: prometheus
valueFiles:
- $values/argocd/values/prometheus-values.yaml
- repoURL: https://github.com/YOUR_ORG/YOUR_GITOPS_REPO.git
targetRevision: main
ref: values
destination:
server: https://kubernetes.default.svc
namespace: monitoring
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m

38
argocd/apps/sealedsecrets.yaml Normal file
View File

@@ -0,0 +1,38 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: sealed-secrets
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
chart: sealed-secrets
repoURL: https://bitnami-labs.github.io/sealed-secrets
targetRevision: 2.16.2 # Update to latest stable version
helm:
releaseName: sealed-secrets
parameters:
- name: fullnameOverride
value: sealed-secrets-controller
destination:
server: https://kubernetes.default.svc
namespace: kube-system
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=false # kube-system already exists
- ServerSideApply=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m

65
argocd/apps/traefik-application.yaml Normal file
View File

@@ -0,0 +1,65 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: traefik
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://traefik.github.io/charts
chart: traefik
targetRevision: "28.0.0"
helm:
values: |
deployment:
replicas: 2
service:
type: LoadBalancer
annotations:
service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
ingressClass:
enabled: true
isDefaultClass: true
# Configure entry points
entryPoints:
web:
address: :80
http:
redirections:
entrypoint:
to: websecure
scheme: https
websecure:
address: :443
http:
tls: {}
destination:
server: https://kubernetes.default.svc
namespace: traefik-system
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- Validate=true
- ServerSideApply=false
- Replace=false
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m

38
argocd/apps/trivy.yaml Normal file
View File

@@ -0,0 +1,38 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: trivy
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
chart: trivy-operator
repoURL: https://aquasecurity.github.io/helm-charts
targetRevision: v0.0.7 # Update to latest stable version
helm:
releaseName: trivy-operator
parameters:
- name: trivy.ignoreUnfixed
value: "true"
destination:
server: https://kubernetes.default.svc
namespace: kube-system
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=false # kube-system already exists
- ServerSideApply=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m

23
argocd/values/argocd-values.yaml Normal file
View File

@@ -0,0 +1,23 @@
global:
domain: argocd.127.0.0.1.nip.io
configs:
secret:
createSecret: true
cm:
application.resourceTrackingMethod: annotation
timeout.reconciliation: 60s
admin.enabled: "false"
# Add Git configuration for Azure authentication
repositories: |
- type: git
url: https://github.com/snothub
name: github-repo
params:
"server.insecure": true
server:
ingress:
enabled: true
ingressClassName: nginx
extraArgs:
- --insecure
- --disable-auth

37
argocd/values/grafana-values.yaml Normal file
View File

@@ -0,0 +1,37 @@
ingress:
enabled: true
adminUser: admin
adminPassword: "forte"
datasources:
datasources.yaml:
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
url: http://prometheus-server.monitoring.svc.cluster.local
access: proxy
isDefault: true
- name: Loki
type: loki
url: http://loki-gateway.monitoring.svc.cluster.local
access: proxy
dashboardProviders:
dashboardproviders.yaml:
apiVersion: 1
providers:
- name: 'default'
orgId: 1
folder: ''
type: file
disableDeletion: false
editable: true
options:
path: /var/lib/grafana/dashboards/default
dashboards:
default:
kubernetes:
gnetId: 15758
revision: 1
datasource: Prometheus

31
argocd/values/loki-values.yaml Normal file
View File

@@ -0,0 +1,31 @@
deploymentMode: SingleBinary
loki:
auth_enabled: false
commonConfig:
replication_factor: 1
storage:
type: 'filesystem'
schemaConfig:
configs:
- from: "2024-01-01"
store: tsdb
index:
prefix: loki_index_
period: 24h
object_store: filesystem # we're storing on filesystem so there's no real persistence here.
schema: v13
limits_config:
reject_old_samples: true
reject_old_samples_max_age: 168h
ingestion_rate_mb: 10
ingestion_burst_size_mb: 20
chunksCache:
enabled: false
singleBinary:
replicas: 1
read:
replicas: 0
backend:
replicas: 0
write:
replicas: 0

41
argocd/values/prometheus-values.yaml Normal file
View File

@@ -0,0 +1,41 @@
server:
ingress:
enabled: false
service:
servicePort: 80
# Add your custom scrape configurations here
extraScrapeConfigs: |
- job_name: kubernetes-nodes-cadvisor
scrape_interval: 10s
scrape_timeout: 10s
scheme: https # remove if you want to scrape metrics on insecure port
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
# Only for Kubernetes ^1.7.3.
# See: https://github.com/prometheus/prometheus/issues/2916
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
metric_relabel_configs:
- action: replace
source_labels: [id]
regex: '^/machine\.slice/machine-rkt\\x2d([^\\]+)\\.+/([^/]+)\.service$'
target_label: rkt_container_name
replacement: '${2}-${1}'
- action: replace
source_labels: [id]
regex: '^/system\.slice/(.+)\.service$'
target_label: systemd_service_name
replacement: '${1}'
alertmanager:
enabled: false

43
bootstrap.sh Normal file
View File

@@ -0,0 +1,43 @@
#!/bin/zsh
# in case of $'\r': command not found error, run command below first
# sed -i 's/\r$//' ./bootstrap.sh
echo "running $0..."
nsmon=monitoring
nsistio=istio-system
promport=80
helminit=0
############################################################
# Bootstrap #
############################################################
Bootstrap()
{
ArgoCd
}
############################################################
# Github #
############################################################
Github()
{
echo "Installing secret..."
kubectl apply -f github.yaml
}
############################################################
# ArgoCd #
############################################################
ArgoCd()
{
# install argocd
echo "Installing ArgoCD..."
helm upgrade --install argocd argo-cd \
--repo https://argoproj.github.io/argo-helm \
--namespace argocd --create-namespace \
--values argocd-values.yaml \
--timeout 60s --atomic
}
Bootstrap

9
cluster-resources/cert-manager-namespace.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
# Disable Istio sidecar injection for cert-manager namespace
# This is required for cert-manager to function properly with Istio
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager
labels:
istio-injection: disabled

68
cluster-resources/kyverno-config.yaml Normal file
View File

@@ -0,0 +1,68 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:secrets:view
labels:
rbac.kyverno.io/aggregate-to-admission-controller: "true"
rbac.kyverno.io/aggregate-to-reports-controller: "true"
rbac.kyverno.io/aggregate-to-background-controller: "true"
rules:
- apiGroups:
- ''
resources:
- secrets
- namespaces
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:secrets:manage
labels:
rbac.kyverno.io/aggregate-to-background-controller: "true"
rules:
- apiGroups:
- ''
resources:
- secrets
- namespaces
verbs:
- create
- update
- delete
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-secret-with-multi-clone
spec:
rules:
- name: sync-secrets
match:
any:
- resources:
kinds:
- Namespace
exclude:
any:
- resources:
namespaces:
- kube-system
- istio-system
- default
- kube-public
- kyverno
generate:
generateExisting: true
namespace: "{{request.object.metadata.name}}"
synchronize: true
cloneList:
namespace: secrets
kinds:
- v1/Secret
selector:
matchLabels:
allowedToBeCloned: "true"

35
cluster-resources/letsencrypt-issuer.yaml Normal file
View File

@@ -0,0 +1,35 @@
---
# Staging ClusterIssuer for testing (higher rate limits, not browser-trusted)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# Let's Encrypt staging server
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: danijels@gmail.com
privateKeySecretRef:
name: letsencrypt-staging-key
solvers:
- http01:
ingress:
class: traefik
---
# Production ClusterIssuer for browser-trusted certificates
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# Let's Encrypt production server
server: https://acme-v02.api.letsencrypt.org/directory
email: danijels@gmail.com
privateKeySecretRef:
name: letsencrypt-prod-key
solvers:
- http01:
ingress:
class: traefik