feat(flux): add initial boilerplate and kustomization for flux

.envrc

@@ -0,0 +1,5 @@
+# Kubernetes
+export KUBECONFIG="$(expand_path ./openshift/kubeconfig)"
+export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
+# Minijinja
+export MINIJINJA_CONFIG_FILE="$(expand_path ./.minijinja.toml)"

.gitignore

@@ -0,0 +1,4 @@
+.decrypted~*
+.DS_Store
+*.key
+kubeconfig

.minijinja.toml

@@ -0,0 +1,5 @@
+autoescape = "none"
+newline = true
+trim-blocks = true
+lstrip-blocks = true
+env = true

.taskfiles/bootstrap/Taskfile.yaml

@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
+version: "3"
+
+tasks:
+  apps:
+    desc: "Bootstrap applications on the cluster"
+    env: { NS: flux-system }
+    cmds:
+      - oc get namespace ${NS} >/dev/null 2>&1 || oc create namespace ${NS}
+      - oc adm policy add-scc-to-user nonroot system:serviceaccount:${NS}:helm-controller
+      - oc adm policy add-scc-to-user nonroot system:serviceaccount:${NS}:image-automation-controller
+      - oc adm policy add-scc-to-user nonroot system:serviceaccount:${NS}:image-reflector-controller
+      - oc adm policy add-scc-to-user nonroot system:serviceaccount:${NS}:kustomize-controller
+      - oc adm policy add-scc-to-user nonroot system:serviceaccount:${NS}:notification-controller
+      - oc adm policy add-scc-to-user nonroot system:serviceaccount:${NS}:source-controller
+      - op run --env-file {{.OPENSHIFT_DIR}}/bootstrap/apps/.secrets.env --no-masking -- minijinja-cli {{.OPENSHIFT_DIR}}/bootstrap/apps/templates/resources.yaml.j2 | oc apply --server-side --filename -
+      - kubectl apply --server-side --kustomize {{.OPENSHIFT_DIR}}/bootstrap/apps
+    preconditions:
+      - op user get --me
+      - oc config view
+      - test -f {{.OPENSHIFT_DIR}}/kubeconfig
+      - test -f {{.OPENSHIFT_DIR}}/bootstrap/apps/templates/resources.yaml.j2
+      - which op oc minijinja-cli

Taskfile.yaml

@@ -0,0 +1,14 @@
+---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
+version: "3"
+
+vars:
+  OPENSHIFT_DIR: "{{.ROOT_DIR}}/openshift"
+
+includes:
+  bootstrap: .taskfiles/bootstrap
+
+tasks:
+  default:
+    cmd: task --list
+    silent: true

openshift/bootstrap/apps/.secrets.env

@@ -0,0 +1,3 @@
+FLUX_SOPS_PRIVATE_KEY=op://ocp-neptune/sops/SOPS_PRIVATE_KEY
+ONEPASSWORD_CREDENTIALS=op://ocp-neptune/1password/OP_CREDENTIALS_JSON
+ONEPASSWORD_CONNECT_TOKEN=op://ocp-neptune/1password/OP_CONNECT_TOKEN

openshift/bootstrap/apps/kustomization.yaml

@@ -0,0 +1,162 @@
+# IMPORTANT: This file is not tracked by flux and should never be. Its
+# purpose is to only install the Flux components & CRDs into your cluster.
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - github.com/fluxcd/flux2/manifests/install?ref=v2.4.0
+patches:
+  - patch: |
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: all
+      spec:
+        template:
+          spec:
+            containers:
+              - name: manager
+                securityContext:
+                  runAsUser: 65534
+                  seccompProfile:
+                    $patch: delete
+    target:
+      kind: Deployment
+      labelSelector: app.kubernetes.io/part-of=flux
+  # Remove image automation and image reflector controllers
+  - patch: |
+      $patch: delete
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: all
+    target:
+      kind: Deployment
+      name: (image-automation-controller|image-reflector-controller)
+  # Remove the built-in network policies
+  - patch: |
+      $patch: delete
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: all
+    target:
+      group: networking.k8s.io
+      kind: NetworkPolicy
+  # Increase the number of workers and limits
+  # Ref: https://fluxcd.io/flux/installation/configuration/vertical-scaling/#increase-the-number-of-workers-and-limits
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --concurrent=10
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --requeue-dependency=5s
+    target:
+      kind: Deployment
+      name: (kustomize-controller|helm-controller|source-controller)
+  - patch: |
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: all
+      spec:
+        template:
+          spec:
+            containers:
+              - name: manager
+                resources:
+                  limits:
+                    memory: 2Gi
+    target:
+      kind: Deployment
+      name: (kustomize-controller|helm-controller|source-controller)
+  # Enable in-memory kustomize builds
+  # Ref: https://fluxcd.io/flux/installation/configuration/vertical-scaling/#enable-in-memory-kustomize-builds
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --concurrent=20
+      - op: replace
+        path: /spec/template/spec/volumes/0
+        value:
+          name: temp
+          emptyDir:
+            medium: Memory
+    target:
+      kind: Deployment
+      name: kustomize-controller
+  # Enable Helm repositories caching
+  # Ref: https://fluxcd.io/flux/installation/configuration/vertical-scaling/#enable-helm-repositories-caching
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --helm-cache-max-size=10
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --helm-cache-ttl=60m
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --helm-cache-purge-interval=5m
+    target:
+      kind: Deployment
+      name: source-controller
+  # Flux near OOM detection for Helm
+  # Ref: https://fluxcd.io/flux/installation/configuration/helm-oom-detection/
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --feature-gates=OOMWatch=true
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --oom-watch-memory-threshold=95
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --oom-watch-interval=500ms
+    target:
+      kind: Deployment
+      name: helm-controller
+  # Resources renamed to match those installed by oci://ghcr.io/fluxcd/flux-manifests
+  - target:
+      kind: ResourceQuota
+      name: critical-pods
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: critical-pods-flux-system
+  - target:
+      kind: ClusterRoleBinding
+      name: cluster-reconciler
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: cluster-reconciler-flux-system
+  - target:
+      kind: ClusterRoleBinding
+      name: crd-controller
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: crd-controller-flux-system
+  - target:
+      kind: ClusterRole
+      name: crd-controller
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: crd-controller-flux-system
+  - target:
+      kind: ClusterRole
+      name: flux-edit
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: flux-edit-flux-system
+  - target:
+      kind: ClusterRole
+      name: flux-view
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: flux-view-flux-system

openshift/bootstrap/apps/templates/resources.yaml.j2

@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-secrets
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: onepassword-secret
+  namespace: external-secrets
+stringData:
+  1password-credentials.json: {{ ENV.ONEPASSWORD_CREDENTIALS }}
+  token: {{ ENV.ONEPASSWORD_CONNECT_TOKEN }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: flux-system
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sops-age
+  namespace: flux-system
+stringData:
+  age.agekey: |
+    {{ ENV.FLUX_SOPS_PRIVATE_KEY | indent(4) }}