57 commits
8a67ac8
feat: add hks chart
hegerdes Jan 3, 2026
4810afc
fix(hks): eso secret store ref
hegerdes Jan 3, 2026
335fc7f
feat: add demo clusters
hegerdes Jan 3, 2026
0cac235
fix(hks): correct dir name
hegerdes Jan 3, 2026
bec3bdc
fix(hks): correct sync wave for pro job rbac
hegerdes Jan 3, 2026
4c408f0
feat: add hks shared res
hegerdes Jan 3, 2026
54fa92f
fix(hks): correct dir name
hegerdes Jan 3, 2026
eb642a3
feat: add ca signed serving certs to scheduler & controller
hegerdes Jan 3, 2026
ad702a2
feat(hks): support extra helm objects
hegerdes Jan 3, 2026
729d8ac
fix(hks): ca init rbac
hegerdes Jan 3, 2026
0e75080
fix(hks): encryption conf
hegerdes Jan 3, 2026
6f6a7af
feat(hks): add tls-route
hegerdes Jan 3, 2026
6162017
feat(hks): secure deployments
hegerdes Jan 3, 2026
08caf84
feat(hks): allow to set hks hostname via argo
hegerdes Jan 4, 2026
e9a22e2
fix: also manage cilium-secrets ns
hegerdes Jan 4, 2026
b9c3a6b
feat(hks): ha etcd
hegerdes Jan 5, 2026
5d3799b
fix(hks): etcd cluster conf
hegerdes Jan 5, 2026
7be4288
feat(hks): support etcd backups
hegerdes Jan 8, 2026
e0537bf
fix(hks): prefix etcd backups with cluster id
hegerdes Jan 8, 2026
d959ea9
feat(hks): add hks manager chart
hegerdes Jan 11, 2026
ffcec3b
feat(hks): add argo appsets for cilium & metrics
hegerdes Jan 11, 2026
dd69e89
fix(hks): set fsgroup for etcd
hegerdes Jan 11, 2026
fcc30aa
fix(hks): set fsgroup for kube-apiserver
hegerdes Jan 11, 2026
5352838
fix(hks): use empty dir for audit-log for now
hegerdes Jan 11, 2026
c31a981
fix(hks): turn off proxy proto
hegerdes Jan 11, 2026
fd3cb6c
fix(hks): debug tls route
hegerdes Jan 11, 2026
9aeddb6
debug(hks): test cilium tls gw
hegerdes Jan 11, 2026
6812dda
feat(hks): add shared conf dir
hegerdes Jan 11, 2026
f42075d
fix(hks): also manage ns kube-public with argo
hegerdes Jan 11, 2026
f71ed0b
fix(hks): use cilium gateway
hegerdes Jan 11, 2026
38070f7
chore: delete test1 cluster for now
hegerdes Jan 16, 2026
78bb754
fix(hks): add cilium gateway
hegerdes Jan 16, 2026
efe713d
fix(hks): debug manager
hegerdes Jan 17, 2026
8f42f8c
fix(hks): add kubeadm conf
hegerdes Jan 17, 2026
5f8e502
fix(hks): kubeadm conf rbac
hegerdes Jan 17, 2026
b56076c
fix(hks): kubeadm conf rbac
hegerdes Jan 17, 2026
9b5c0b2
fix(hks): add kubelet conf
hegerdes Jan 17, 2026
65b3571
fix(hks): add kubeadm node rbac
hegerdes Jan 17, 2026
8ad261a
fix(hks): add kubeadm node tls rbac
hegerdes Jan 17, 2026
1f0d766
fix(hks): set correct coredns params
hegerdes Jan 17, 2026
9b964ab
fix(hks): set coredns kube endpoint
hegerdes Jan 17, 2026
d4645de
fix(hks): coredns conf quote
hegerdes Jan 17, 2026
9bbc7cf
fix(hks): coredns create serviceaccount
hegerdes Jan 17, 2026
4376b4c
fix(hks): coredns create serviceaccount
hegerdes Jan 17, 2026
4fac0e0
fix(hks): coredns extra rbac
hegerdes Jan 17, 2026
956b912
fix(hks): set coredns kube endpoint
hegerdes Jan 17, 2026
1ba51bb
debug(hks): coredns
hegerdes Jan 17, 2026
8345d33
debug(hks): coredns
hegerdes Jan 17, 2026
4b1f04a
debug(hks): coredns
hegerdes Jan 17, 2026
4aaea90
feat(hks): add helm template chart
hegerdes Jan 17, 2026
e9f3708
feat(hks): inject cluster version to argo secret
hegerdes Jan 17, 2026
ac5660b
feat(hks): updates to latest working version
hegerdes Jan 17, 2026
a857289
deps: bump coredns
hegerdes Jan 21, 2026
1e6ed10
feat(hks): add ip ref to cluster
hegerdes Jan 21, 2026
b44ffba
chore: update gitignore
hegerdes Jan 24, 2026
00343ab
feat(hks): set cluster advertise address
hegerdes Jan 24, 2026
8ebc11f
feat: switch to hks docker repo
hegerdes Jan 25, 2026
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -12,3 +12,6 @@ infra/hcloud-tf-k8s-talos/data/k8s-secret-external-secret.yml
k8s-apps/linkerd/
infra/test
*.log
k8s-apps/hegerdes-kubernetes-service/generated
k8s-apps/hegerdes-kubernetes-service/helper/generated
k8s-apps/hegerdes-kubernetes-service/helper/
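Review bot: the third added pattern `k8s-apps/hegerdes-kubernetes-service/helper/` already ignores everything below that directory, so the `k8s-apps/hegerdes-kubernetes-service/helper/generated` entry directly above it is redundant. Keep one of the two: if the whole `helper/` tree is meant to stay out of the repository, drop the narrower line so the intent is unambiguous; if only generated output should be ignored, drop the broader one.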
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Expand Up @@ -4,7 +4,7 @@ repos:
hooks:
- id: check-yaml
args: [--allow-multiple-documents]
exclude: .gitlab-ci.yml|infra/.*/cloud-init.yml
exclude: .gitlab-ci.yml|infra/.*/cloud-init.yml|k8s-apps/hegerdes-kubernetes-service/hks/templates/extra-manifests.yaml|k8s-apps/hegerdes-kubernetes-service/hks/templates/pdb.yaml|k8s-apps/hegerdes-kubernetes-service/hks-manager/templates/.*|k8s-apps/hegerdes-kubernetes-service/shared/helm-rendering/templates/extra-manifests.yaml|k8s-apps/hegerdes-kubernetes-service/hks/templates/eso.yaml|k8s-apps/hegerdes-kubernetes-service/hks/templates/tls-route.yaml
- id: check-json
- id: pretty-format-json
args: [--autofix, --no-sort-keys, --no-ensure-ascii]
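Review bot: the `exclude` regex on the changed line enumerates six Helm template files one by one and will need another append for every new template; since `check-yaml` cannot parse Go-templated YAML in any case, a directory pattern such as `k8s-apps/hegerdes-kubernetes-service/.*/templates/.*` (the form already used for `hks-manager/templates/.*`) covers all of them, including `shared/helm-rendering/templates/extra-manifests.yaml`, in a single alternative. Be explicit about the trade-off in a comment: excluded files get no YAML validation from this hook, so `helm lint` or `helm template ... | kubectl apply --dry-run=server` in CI is what keeps the templates checked. The unescaped dots in `.gitlab-ci.yml` are pre-existing and harmless, since `.` also matches a literal dot.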
40 changes: 40 additions & 0 deletions k8s-apps/hegerdes-kubernetes-service/Kube-tasks.md
@@ -0,0 +1,40 @@
Hennes Kubernes Service

Tasks:
* Create deploymets for:
* kube-apiserver ✅
* kube-controller ✅
* etcd ✅
* Create certs - hacky ✅
* Ensure communication ✅
* Refine Deployments ✅
* Create certs - prod ✅
* GitOps:
* HKS ✅
* Slave Cluster
* Generate join token
* POC ✅
* Service-Controller
* Join Worker
* Ensure Connectivity
* Worker -> CP
* CP -> Worker
* Worker Apps
* CoreDNS
* Cilium


```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.19.2/cert-manager.yaml
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.3/manifests/install.yaml
# kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/standard-install.yaml
kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/experimental-install.yaml
kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/experimental?ref=v2.3.0" | kubectl apply -f - --server-side
helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway --set nginxGateway.gwAPIExperimentalFeatures.enable=true

kaf argo-hks-shared.yaml
kaf ../../k8s-cluster-hcloud-critical/argo-external-secrets.yml
kaf ../argo-nginx-gateway-fabric.yml
kaf argo-appset-hks.yaml
```
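Review bot: the heading on the first added line misspells Kubernetes (`Hennes Kubernes Service`), and the bash block uses a `kaf` alias that is defined nowhere in this repository; spell it out as `kubectl apply -f` so the bootstrap steps are reproducible by someone without the author's shell profile. The Gateway API experimental CRDs are also installed from two sources, first `gateway-api/releases/download/v1.4.1/experimental-install.yaml` and then the `nginx-gateway-fabric` kustomize directory at `ref=v2.3.0`; two server-side applies of the same CRDs from different sources invite field-manager conflicts and version drift, so pick one (NGF documents which Gateway API version it expects) and comment out the other, as was already done for `standard-install.yaml`. Pinning cert-manager, Argo CD, Gateway API and NGF to release tags is good; note that `kubectl apply` of a remote URL trusts whatever the tag resolves to at run time, so mirroring the manifests into the repo or recording checksums would make the bootstrap auditable.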
48 changes: 48 additions & 0 deletions k8s-apps/hegerdes-kubernetes-service/argo-appset-hks.yaml
@@ -0,0 +1,48 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: hks-appset
namespace: argocd
spec:
goTemplate: true
goTemplateOptions: ["missingkey=error"]
generators:
- git:
repoURL: https://github.com/hegerdes/GitOps.git
revision: feat/hks
directories:
- path: k8s-apps/hegerdes-kubernetes-service/clusters/*
template:
metadata:
name: "hks-{{.path.basename}}"
labels:
name: hks
finalizers:
- resources-finalizer.argocd.argoproj.io/background
spec:
project: default
source:
repoURL: https://github.com/hegerdes/GitOps.git
targetRevision: feat/hks
path: k8s-apps/hegerdes-kubernetes-service/hks
helm:
valuesObject:
extraObjects: []
destination:
server: https://kubernetes.default.svc
namespace: "{{.path.basename}}"
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- kind: StatefulSet
group: apps
jqPathExpressions:
- .spec.updateStrategy.rollingUpdate.maxUnavailable
- kind: ConfigMap
name: cluster-data
jqPathExpressions:
- .data.advertiseIP
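Review bot: both `revision: feat/hks` in the git generator and `targetRevision: feat/hks` in the template pin this ApplicationSet to the feature branch, so once this PR merges the generated Applications track a branch that no longer moves; switch both to the default branch before merging. Second, with `prune: true`, `selfHeal: true` and the `resources-finalizer.argocd.argoproj.io/background` finalizer, deleting or renaming a directory under `clusters/*` cascades into removing that tenant's entire control plane, the etcd StatefulSet and its volumes included; set `spec.syncPolicy.preserveResourcesOnDeletion: true` on the ApplicationSet (or drop the finalizer from the template) so a git mistake cannot destroy cluster state, and treat the etcd backups added in this PR as the recovery path for intentional deletions. Finally, the `ignoreDifferences` entry for `cluster-data` `.data.advertiseIP` tells Argo to tolerate in-cluster edits to that key; a comment naming the controller that writes it would help, because a silently changed advertise address is otherwise exactly the drift you would want flagged.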
25 changes: 25 additions & 0 deletions k8s-apps/hegerdes-kubernetes-service/argo-hks-manager.yaml
@@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: hks-manager
namespace: argocd
labels:
name: hks-manager
spec:
project: default
source:
repoURL: https://github.com/hegerdes/GitOps.git
targetRevision: feat/hks
path: k8s-apps/hegerdes-kubernetes-service/hks-manager
helm:
valuesObject:
extraObjects: []
destination:
server: https://kubernetes.default.svc
namespace: hks-manager
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
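Review bot: `targetRevision: feat/hks` pins this Application to the feature branch as well; change it together with the ApplicationSet before merge. `helm.valuesObject.extraObjects: []` only restates the chart default and can be dropped, unless it is meant as a placeholder marking where operators add objects, in which case a comment should say so.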
24 changes: 24 additions & 0 deletions k8s-apps/hegerdes-kubernetes-service/argo-hks-shared.yaml
@@ -0,0 +1,24 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: hks-shared
namespace: argocd
labels:
name: hks
spec:
project: default
source:
repoURL: https://github.com/hegerdes/GitOps.git
targetRevision: feat/hks
path: k8s-apps/hegerdes-kubernetes-service/shared
directory:
recurse: false
destination:
server: https://kubernetes.default.svc
namespace: argocd
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
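Review bot: `directory.recurse: false` means only manifests directly under `k8s-apps/hegerdes-kubernetes-service/shared` are synced, while the pre-commit exclude in this PR shows a Helm chart at `shared/helm-rendering/`; if that chart is rendered by a different Application this is fine, but a short comment on the `directory` block would stop the next reader from assuming it is applied here. The same `targetRevision: feat/hks` branch pin as in the other two Applications applies. Since this Application syncs into `argocd` with `prune: true` and `selfHeal: true`, anything in that directory (shared RBAC, secret-store references) is effectively cluster-wide; keep the directory to what every tenant cluster genuinely needs in common.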
Empty file.
@@ -0,0 +1,70 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: kubelet-config
namespace: kube-system
data:
kubelet: |
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 0s
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 0s
cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
containerRuntimeEndpoint: unix:///run/containerd/containerd.sock
cpuManagerReconcilePeriod: 0s
crashLoopBackOff: {}
enableDebugFlagsHandler: false
enableProfilingHandler: false
evictionPressureTransitionPeriod: 0s
failCgroupV1: true
failSwapOn: true
featureGates:
ClusterTrustBundle: true
ClusterTrustBundleProjection: true
fileCheckFrequency: 0s
healthzBindAddress: 0.0.0.0
healthzPort: 10248
httpCheckFrequency: 0s
imageMaximumGCAge: 1h0m0s
imageMinimumGCAge: 5m0s
kind: KubeletConfiguration
logging:
flushFrequency: 0
options:
json:
infoBufferSize: "0"
text:
infoBufferSize: "0"
verbosity: 0
maxParallelImagePulls: 8
maxPods: 220
memorySwap: {}
nodeStatusMaxImages: -1
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
protectKernelDefaults: true
resolvConf: /etc/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 0s
seccompDefault: true
serializeImagePulls: false
serverTLSBootstrap: true
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 5m0s
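Review bot: `healthzBindAddress: 0.0.0.0` exposes the unauthenticated kubelet healthz endpoint (`healthzPort: 10248`) on every node interface, where the kubelet default is `127.0.0.1`; unless something off-node probes it, bind it to loopback. `serverTLSBootstrap: true` makes the kubelet obtain its serving certificate via a CSR for the `kubernetes.io/kubelet-serving` signer, and no in-tree controller auto-approves those; until an operator or an approver component approves them the kubelet keeps a self-signed serving cert, and `kubectl logs`/`exec` will fail if the API server verifies kubelet certificates against the cluster CA, so document the approval step next to the `kubeadm node tls rbac` changes. The `0s` values (`cacheTTL`, `cacheAuthorizedTTL`, `cacheUnauthorizedTTL`, `streamingConnectionIdleTimeout` and friends) are how kubeadm prints unset durations; the kubelet substitutes its defaults for zero (2m, 5m, 30s, 4h respectively), so if the intent was really no authz caching, zero does not achieve it. `maxPods: 220` is double the default 110: confirm the per-node pod CIDR handed out by Cilium's IPAM has at least that many usable addresses, or scheduling fails on IP exhaustion rather than on a clear capacity error. `anonymous.enabled: false`, `authorization.mode: Webhook`, `protectKernelDefaults`, `seccompDefault`, `rotateCertificates` and the disabled debug and profiling handlers are all the right hardening choices; consider adding `tlsMinVersion` and `tlsCipherSuites` to complete the set.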
@@ -0,0 +1,31 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kube-apiserver-kubelet-client-extra
rules:
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["nodes/proxy"]
verbs: ["get", "create"]
- apiGroups: [""]
resources:
- pods/exec
- pods/attach
- pods/portforward
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kube-apiserver-kubelet-client-extra-binding
subjects:
- kind: User
name: kube-apiserver-kubelet-client
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: kube-apiserver-kubelet-client-extra
apiGroup: rbac.authorization.k8s.io
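Review bot: the `pods/log`, `pods/exec`, `pods/attach` and `pods/portforward` rules grant nothing to the `kube-apiserver-kubelet-client` identity, because the kubelet's webhook authorizer never asks about pod subresources; it turns every request to the kubelet API into a verb on `nodes/<subresource>` (`proxy` by default, with `stats`, `metrics`, `log` and `spec` for those specific paths, and the HTTP method mapped to get/create/update/patch/delete), so the two `pods/*` rules can be dropped. Conversely, `nodes/proxy` with `get` and `create` covers `kubectl logs`, `exec`, `attach` and `port-forward` routed through the API server, but `GET /api/v1/nodes/<node>/proxy/stats/summary` or `/proxy/metrics` will be denied because `nodes/stats` and `nodes/metrics` are absent; add them if those are wanted, or compare against the built-in `system:kubelet-api-admin` ClusterRole (all verbs on `nodes/proxy`, `nodes/stats`, `nodes/log`, `nodes/spec`, `nodes/metrics`) to make the withheld permissions explicit. Restricting to `get`/`create` instead of `*` is a good least-privilege choice; a one-line comment in the manifest stating that intent keeps the next person from "fixing" it back to the wildcard.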