feat(argo): app-of-app argo

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>

roles/kubernetes_argocd/defaults/main.yml

@@ -2,3 +2,7 @@
 argocd_version: stable
 argocd_namespace: argocd
 argocd_repo: "https://raw.githubusercontent.com/argoproj/argo-cd/refs/tags/{{ argocd_version }}/manifests/ha/install.yaml"
+
+argocd_git_repository: https://github.com/argocd/argocd
+argocd_git_username: "user"
+argocd_git_pat: "token"

roles/kubernetes_argocd/tasks/main.yml

@@ -48,3 +48,23 @@
   until: apply_manifests is not failed
   retries: 5
   delay: 10
+
+- name: Apply ArgoCD repository
+  kubernetes.core.k8s:
+    definition: "{{ lookup('ansible.builtin.template', 'repository.yml.j2') | from_yaml }}"
+    state: present
+    namespace: "{{ argocd_namespace }}"
+  register: apply_manifests
+  until: apply_manifests is not failed
+  retries: 5
+  delay: 10
+
+- name: Apply ArgoCD Root Application
+  kubernetes.core.k8s:
+    definition: "{{ lookup('ansible.builtin.template', 'root_application.yml.j2') | from_yaml }}"
+    state: present
+    namespace: "{{ argocd_namespace }}"
+  register: apply_manifests
+  until: apply_manifests is not failed
+  retries: 5
+  delay: 10

roles/kubernetes_argocd/templates/app.yaml.j2

@@ -1,19 +0,0 @@
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: "{{ item.name }}"
-  namespace: "{{ argocd_namespace }}"
-spec:
-  project: default
-  source:
-    repoURL: "{{ item.repo_url }}"
-    targetRevision: "{{ item.target_revision }}"
-    path: "{{ item.path }}"
-  destination:
-    server: "{{ item.destination_server }}"
-    namespace: "{{ item.destination_namespace }}"
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true

roles/kubernetes_argocd/templates/ingress.yml.j2

@@ -1,27 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-ingress
-  namespace: argocd
-  annotations:
-    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: "{{ argocd_cert_resolver }}"
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  rules:
-    - host: {{ argocd_hostname }}
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: argocd-server
-                port:
-                  number: 80
-  tls:
-    - hosts:
-      - {{ argocd_hostname }}
-      secretName: k3s-seyshiro-de-tls

roles/kubernetes_argocd/templates/repository.yml.j2

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-repository-https
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repository
+stringData:
+  url: {{ argocd_git_repository }}
+  username: {{ argocd_git_username }}
+  password: {{ argocd_git_pat }}

roles/kubernetes_argocd/templates/root_application.yml.j2

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: homelab-gitops-root
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-root
+    app.kubernetes.io/instance: homelab
+    app.kubernetes.io/component: gitops-bootstrap
+spec:
+  project: default
+  source:
+    repoURL: {{ argocd_git_repository }}
+    targetRevision: HEAD
+    path: cluster-apps/
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true

roles/kubernetes_cert_manager/defaults/main.yml

@@ -1,5 +0,0 @@
-cert_manager_version: "v1.18.2"
-cert_manager_email: "mail@example.com"
-cert_manager_manifest: "https://github.com/cert-manager/cert-manager/releases/download/{{ cert_manager_version }}/cert-manager.yaml"
-cert_manager_issuer_name: "letsencrypt-prod"
-cert_manager_issuer_env: "staging"

roles/kubernetes_cert_manager/tasks/main.yml

@@ -1,77 +0,0 @@
----
-- name: Ensure cert-manager namespace exists
-  kubernetes.core.k8s:
-    name: cert-manager
-    api_version: v1
-    kind: Namespace
-    state: present
-  tags:
-    - cert_manager
-    - namespace
-
-- name: Create netcup-secret
-  kubernetes.core.k8s:
-    namespace: cert-manager
-    definition: "{{ lookup('ansible.builtin.template', 'netcup.yml.j2') | from_yaml }}"
-
-- name: Add a repository
-  kubernetes.core.helm_repository:
-    name: cert-manager-webhook-netcup
-    repo_url: https://aellwein.github.io/cert-manager-webhook-netcup/charts/
-
-- name: Download cert-manager manifest
-  ansible.builtin.get_url:
-    url: "{{ cert_manager_manifest }}"
-    dest: "/tmp/cert-manager.yaml"
-    mode: "0644"
-    validate_certs: true
-  tags:
-    - cert_manager
-    - download
-
-- name: Apply cert-manager core manifests
-  kubernetes.core.k8s:
-    src: "/tmp/cert-manager.yaml"
-    state: present
-  tags:
-    - cert_manager
-    - apply_manifest
-
-- name: Wait for cert-manager deployments to be ready
-  kubernetes.core.k8s_info:
-    api_version: apps/v1
-    kind: Deployment
-    namespace: cert-manager
-    name: "{{ item }}"
-    wait: true
-    wait_timeout: 300
-  loop:
-    - cert-manager
-    - cert-manager-cainjector
-    - cert-manager-webhook
-  tags:
-    - cert_manager
-    - wait_ready
-
-- name: Create Let's Encrypt ClusterIssuer
-  kubernetes.core.k8s:
-    state: present
-    definition: "{{ lookup('ansible.builtin.template', 'clusterissuer.yml.j2') | from_yaml }}"
-  tags:
-    - cert_manager
-    - cluster_issuer
-
-- name: Create Let's Encrypt Certificate
-  kubernetes.core.k8s:
-    state: present
-    definition: "{{ lookup('ansible.builtin.template', 'certificate.yml.j2') | from_yaml }}"
-  tags:
-    - cert_manager
-    - certificate
-
-- name: Install NetCup Webhook
-  kubernetes.core.helm:
-    name: my-cert-manager-webhook-netcup
-    chart_ref: cert-manager-webhook-netcup/cert-manager-webhook-netcup
-    release_namespace: cert-manager
-    create_namespace: true

roles/kubernetes_cert_manager/templates/certificate.yml.j2

@@ -1,16 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: k3s-seyshiro-de
-  namespace: cert-manager
-spec:
-  secretName: k3s-seyshiro-de-tls
-  issuerRef:
-    name: {{ cert_manager_issuer_name }}
-    kind: ClusterIssuer
-  commonName: "*.k3s.seyshiro.de"
-  dnsNames:
-    - "k3s.seyshiro.de"
-    - "*.k3s.seyshiro.de"
-

roles/kubernetes_cert_manager/templates/clusterissuer.yml.j2

@@ -1,22 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: "{{ cert_manager_issuer_name }}"
-spec:
-  acme:
-    server: "{% if cert_manager_issuer_env == 'production' %}https://acme-v02.api.letsencrypt.org/directory{% else %}https://acme-staging-v02.api.letsencrypt.org/directory{% endif %}"
-    email: "{{ cert_manager_email }}"
-    privateKeySecretRef:
-      name: "{{ cert_manager_issuer_name }}-account-key"
-    solvers:
-    - selector:
-        dnsZones:
-          - 'k3s.seyshiro.de'
-      dns01:
-        webhook:
-            groupName: com.netcup.webhook
-            solverName: netcup
-            config:
-                secretRef: netcup-secret
-                secretNamespace: cert-manager

roles/kubernetes_cert_manager/templates/netcup.yml.j2

@@ -1,11 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: netcup-secret
-type: Opaque
-data:
-  customer-number: {{ netcup_customer_id | b64encode }}
-  api-key: {{ netcup_api_key |b64encode }}
-  api-password: {{ netcup_api_password | b64encode }}
-

roles/kubernetes_metallb/defaults/main.yml

@@ -1,4 +0,0 @@
----
-metallb_version: v0.15.2
-metallb_ip_range: "192.168.178.200-192.168.178.220"
-metallb_manifest_url: "https://raw.githubusercontent.com/metallb/metallb/{{ metallb_version }}/config/manifests/metallb-native.yaml"

roles/kubernetes_metallb/tasks/main.yml

@@ -1,62 +0,0 @@
----
-- name: Ensure metallb-system namespace exists
-  kubernetes.core.k8s:
-    name: metallb-system
-    api_version: v1
-    kind: Namespace
-    state: present
-  tags:
-    - metallb
-    - namespace
-
-- name: Download MetalLB manifest
-  ansible.builtin.get_url:
-    url: "{{ metallb_manifest_url }}"
-    dest: "/tmp/metallb.yaml"
-    mode: "0644"
-    validate_certs: true
-  run_once: true
-  tags:
-    - metallb
-    - download
-
-- name: Apply MetalLB core manifests
-  kubernetes.core.k8s:
-    src: "/tmp/metallb.yaml"
-    state: present
-    namespace: metallb-system
-  tags:
-    - metallb
-    - apply_manifest
-
-- name: Create IPAddressPool for MetalLB
-  kubernetes.core.k8s:
-    state: present
-    namespace: metallb-system
-    definition: "{{ lookup('ansible.builtin.template', 'ipaddresspool.yml.j2') | from_yaml }}"
-  tags:
-    - metallb
-    - ip_pool
-
-- name: Create L2Advertisement for MetalLB
-  kubernetes.core.k8s:
-    state: present
-    namespace: metallb-system
-    definition: "{{ lookup('ansible.builtin.template', 'l2advertisement.yml.j2') | from_yaml }}"
-  tags:
-    - metallb
-    - l2_advertisement
-
-- name: Setup DNS on Netcup
-  community.general.netcup_dns:
-    api_key: "{{ netcup_api_key }}"
-    api_password: "{{ netcup_api_password }}"
-    customer_id: "{{ netcup_customer_id }}"
-    domain: "{{ domain }}"
-    name: "{{ service.name }}.k3s"
-    type: "A"
-    value: "{{ service.ip }}"
-  loop: "{{ services }}"
-  loop_control:
-    loop_var: service
-  delegate_to: localhost

roles/kubernetes_metallb/templates/ipaddresspool.yml.j2

@@ -1,9 +0,0 @@
----
-apiVersion: metallb.io/v1beta1
-kind: IPAddressPool
-metadata:
-  name: default-pool
-  namespace: metallb-system
-spec:
-  addresses:
-    - "{{ metallb_ip_range }}"

roles/kubernetes_metallb/templates/l2advertisement.yml.j2

@@ -1,9 +0,0 @@
----
-apiVersion: metallb.io/v1beta1
-kind: L2Advertisement
-metadata:
-  name: default-l2advertisement
-  namespace: metallb-system
-spec:
-  ipAddressPools:
-    - default-pool

roles/kubernetes_traefik/defaults/main.yml

@@ -1,3 +0,0 @@
----
-traefik_dashboard_hostname: "traefik.example.com"
-traefik_cert_resolver: "cert_resolver-prod"

roles/kubernetes_traefik/tasks/main.yml

@@ -1,12 +0,0 @@
----
-# roles/traefik/tasks/main.yml
-
-- name: "Traefik | Enable dashboard"
-  kubernetes.core.k8s:
-    template: "helmchartconfig.yaml.j2"
-    state: present
-
-- name: "Traefik | Create dashboard ingress"
-  kubernetes.core.k8s:
-    template: "ingress.yaml.j2"
-    state: present

roles/kubernetes_traefik/templates/helmchartconfig.yaml.j2

@@ -1,17 +0,0 @@
----
-apiVersion: helm.cattle.io/v1
-kind: HelmChartConfig
-metadata:
-  name: traefik
-  namespace: kube-system
-spec:
-  valuesContent: |-
-    logs:
-      access:
-        enabled: true
-    ingressRoute:
-      dashboard:
-        enabled: true
-    websecure:
-      tls:
-        enabled: true

roles/kubernetes_traefik/templates/ingress.yaml.j2

@@ -1,27 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: traefik-dashboard
-  namespace: kube-system
-  annotations:
-    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: {{ traefik_cert_resolver }}
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  rules:
-    - host: {{ traefik_dashboard_hostname }}
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: traefik
-                port:
-                  number: 8080
-  tls:
-    - hosts:
-      - {{ traefik_dashboard_hostname }}
-      secretName: k3s-seyshiro-de-tls

roles/kubernets_argo_apps/defaults/main.yml

@@ -1,2 +0,0 @@
-argocd_apps_repo_url: ssh://git@git.tudattr.dev/tudattr/argocd.git
-argocd_apps_target_revision: main

roles/kubernets_argo_apps/tasks/install_argo_app.yml

@@ -1,10 +0,0 @@
-- name: Render Argo CD Application YAML to a variable
-  ansible.builtin.set_fact:
-    argo_app_manifest: "{{ lookup('ansible.builtin.template', '../templates/argo_app.yaml.j2') }}"
-
-- name: Apply Argo CD Application to Kubernetes using k8s module
-  kubernetes.core.k8s:
-    state: present
-    definition: "{{ argo_app_manifest }}"
-  register: k8s_apply_result
-  delegate_to: localhost

roles/kubernets_argo_apps/tasks/main.yml

@@ -1,5 +0,0 @@
-- name: Install Argo Application
-  ansible.builtin.include_tasks: ./install_argo_app.yml
-  loop: argo_apps
-  loop_control:
-    loop_var: app

roles/kubernets_argo_apps/templates/argo-app.yaml.j2

@@ -1,24 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: {{ app.name }}
-  namespace: argocd
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: {{ argocd_apps_repo_url }}
-    targetRevision: {{ argocd_apps_target_revision | default("HEAD") }}
-    path: argocd/{{ app.name }}
-    directory:
-      recurse: true
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: {{ argocd_apps_target_namespace | default(app.name) }}
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true

roles/kubernets_argo_apps/templates/argo_repo.yaml.j2

@@ -1,11 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Repository
-metadata:
-  name: {{ argocd_apps_repo_name }}
-  namespace: argocd
-spec:
-  url: {{ argocd_apps_repo_url }}
-  type: git
-  sshPrivateKeySecret:
-    name: {{ argocd_apps_ssh_private_key_secret_name }}
-    key: {{ argocd_apps_ssh_private_key_secret_key }}