Merge branch 'fcos-core-intergration' into 'main'

integration of core and web presence

See merge request software/interfacer-swkit!1
Sebastian Wendel 2022-11-29 15:29:47 +00:00
commit fae1ec8f87
47 changed files with 568 additions and 429 deletions


@ -8,6 +8,10 @@ indent_style = space
insert_final_newline = true
max_line_length = 120
[Makefile]
indent_size = 4
indent_style = tab
[*.{yml,yaml}]
indent_size = 2
indent_style = space

.envrc

@ -1,16 +1,4 @@
if ! has nix_direnv_version || ! nix_direnv_version 2.1.1; then
source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.1.1/direnvrc" "sha256-b6qJ4r34rbE23yWjMqbmu3ia2z4b2wIlZUksBke/ol0="
fi
watch_file **/*.nix
watch_file flake.lock
use flake
if (nix help flake &> /dev/null)
then
use flake
else
use nix
fi
eval "$shellHook"
eval "$shellHook"
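Review bot: `watch_file **/*.nix` on L31 relies on the shell expanding `**`, which bash only does with `globstar` enabled; without it the pattern behaves like `*/*.nix` and top-level `flake.nix` is not watched at all, so list the files explicitly, e.g. `watch_file flake.nix flake.lock`. If I read the sides right, the new file is the two `watch_file` lines, `use flake` and `eval "$shellHook"`; nix-direnv's `use flake` already applies the dev shell's shellHook, so the extra `eval` may run the pre-commit hook installation a second time on every directory entry — confirm before keeping it.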

.gitignore vendored

@ -2,8 +2,11 @@
.*.swp
.direnv
.DS_Store
.pre-commit-config.yaml
*.tgz
/.idea/*
.vscode/*.log
charts
temp
site
!base/charts
.pre-commit-config.yaml


@ -1,47 +1,22 @@
---
variables:
NIX_VERSION: "latest"
NIX_CONFIG: "experimental-features = nix-command flakes recursive-nix"
default:
image: nixpkgs/nix-unstable:${NIX_VERSION}
timeout: 1 hours
before_script:
# - nix flake show
# - nix profile install --inputs-from . 'nixpkgs#direnv'
# - direnv hook bash >> ~/.bashrc
# - . ~/.bashrc
# - . /etc/profile
# - env
# - direnv allow
# - direnv status
# - direnv reload
# - cd $(pwd)
- nix profile install --inputs-from . 'nixpkgs#yamllint'
- nix profile install --inputs-from . 'nixpkgs#mdl'
- nix profile install --inputs-from . 'nixpkgs#kubectl'
- nix profile install --inputs-from . 'nixpkgs#kubernetes-helm'
- nix profile install --inputs-from . 'nixpkgs#kustomize'
image: fabcityhamburg/k8s-tools
stages:
- test
- build
- release
- deploy
lint.yaml:
stage: test
script:
- yamllint -f auto .
lint.markdown:
stage: test
script: mdl .
lint.kustomize.dev:
stage: build
script:
- kubectl kustomize overlays/dev --enable-helm >/dev/null
kustomize.dev:
stage: test
script: kubectl kustomize overlays/dev --enable-helm
kustomize.prod:
stage: test
script: kubectl kustomize overlays/prod --enable-helm
lint.kustomize.prod:
stage: build
script:
- kubectl kustomize overlays/prod --enable-helm >/dev/null
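Review bot: `image: fabcityhamburg/k8s-tools` on L87 has no tag or digest, so every pipeline runs whatever the registry currently serves under `latest`, and a lint or kustomize result cannot be tied to a known toolchain; pin it, e.g. `image: fabcityhamburg/k8s-tools@sha256:<digest>` or at least a version tag that is bumped deliberately. The `build`, `release` and `deploy` stages on L90–L92 have no jobs, so they are dead configuration until something uses them. Since the Dockerfile for that image is part of this same commit, building and pushing it from a pipeline job would let the tag follow the commit instead of a manual push.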


@ -6,5 +6,7 @@
"jnoortheen.nix-ide",
"ms-kubernetes-tools.vscode-kubernetes-tools",
"redhat.vscode-yaml",
"oderwat.indent-rainbow",
"ms-vscode.makefile-tools",
]
}


@ -1,42 +1,7 @@
---
extends: default
yaml-files:
- "*.yaml"
- "*.yml"
- ".yaml*"
ignore: |
**/charts
.direnv
.pre-commit-config.yaml
locale: en_US.UTF-8
rules:
braces:
min-spaces-inside: 1
max-spaces-inside: 1
brackets: enable
colons: enable
commas: enable
comments:
require-starting-space: true
level: warning
comments-indentation:
level: warning
document-start:
level: warning
document-end: disable
empty-lines: disable
empty-values: enable
hyphens: enable
indentation:
spaces: 2
indent-sequences: consistent
level: warning
line-length:
max: 150
allow-non-breakable-words: true
allow-non-breakable-inline-mappings: true
key-duplicates: enable
key-ordering: disable
new-line-at-end-of-file: enable
new-lines: enable
trailing-spaces: enable
truthy: enable
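Review bot: Dropping the explicit `rules:` block means `extends: default` now applies yamllint's stock rules, including its 80-column `line-length` limit, where the old file allowed 150 (L163); some lines in this commit, such as the chart repo URL on L461, are at or past that width once indented, so check that `make yaml-lint` and the `lint.yaml` job still pass. If the wider limit is wanted, keep just `rules:` / `line-length:` / `max: 150` next to `extends: default`.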

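--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,10 @@
+FROM alpine/helm:latest
+RUN apk add --update --no-cache yamllint
+RUN set -ex; \
+curl -L "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" -o /usr/local/bin/kubectl && \
+chmod +x /usr/local/bin/kubectl
+CMD [""]
+ENTRYPOINT [""]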
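Review bot: The kubectl download on L181 is not verified — `curl -L` without `-f` stores an HTTP error page as the binary and `chmod +x` happily makes it executable, the version is whatever `stable.txt` says at build time so two builds of the same Dockerfile can differ, and no checksum is compared although dl.k8s.io publishes a `.sha256` file next to each binary. `FROM alpine/helm:latest` on L178 has the same pinning problem. Pin both versions and compare the digest before `chmod`; the rewritten `RUN` is below, with the pins left as placeholders to fill in.
```dockerfile
FROM alpine/helm:<PINNED_HELM_TAG>
ARG KUBECTL_VERSION=<PINNED_KUBECTL_VERSION>
RUN apk add --update --no-cache yamllint
RUN set -eux; \
    curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" -o /usr/local/bin/kubectl && \
    curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" -o /tmp/kubectl.sha256 && \
    echo "$(cat /tmp/kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c - && \
    rm /tmp/kubectl.sha256 && \
    chmod +x /usr/local/bin/kubectl
# … unchanged: CMD / ENTRYPOINT …
```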

Makefile Normal file

@ -0,0 +1,92 @@
##@ General
# The help target prints out all targets with their descriptions organized
# beneath their categories. The categories are represented by '##@' and the
# target descriptions by '##'. The awk commands is responsible for reading the
# entire set of makefiles included in this invocation, looking for lines of the
# file as xyz: ## something, and then pretty-format the target and help. Then,
# if there's a line with ##@ something, that gets pretty-printed as a category.
# More info on the usage of ANSI control characters for terminal formatting:
# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters
# More info on the awk command:
# http://linuxcommand.org/lc3_adv_awk.php
help: ## Display this help.
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
##@ Setup
up: ## Create a local K3D development cluster.
@k3d cluster create interfacer-swkit --config k3s-dev.yaml
down: ## Delete the local K3D development cluster
@k3d cluster delete interfacer-swkit
##@ Lint
lint: yaml-lint markdown-lint ## Lint all input files.
yaml-lint: ## Lint all YAML files.
@yamllint -f auto .
markdown-lint: ## Lint all Markdown files.
@mdl .
manifest-lint: ## Lint the Kubenetes manifest.
@kubectl kustomize overlays/dev --enable-helm | kubeconform -ignore-missing-schemas -strict
##@ Build
doc: ## Build the documentation using mkdocs.
mkdocs build
manifest: ## Build Kubernetes manifest using Kustomize and Helm.
@kubectl kustomize overlays/dev --enable-helm
deploy: deploy-dev ## Apply the manifest to the local Kubernetes development cluster.
deploy-dev: ## Apply the manifest to the local Kubernetes development cluster.
@kubectl kustomize overlays/dev/ --enable-helm | kubectl apply --server-side=true -f -
deploy-prod: ## Apply the manifest to the Kubernetes production cluster.
@kubectl kustomize overlays/prod/ --enable-helm | kubectl apply --server-side=true -f -
remove: ## Remove the namespaces from the Kubernetes cluster.
@kubectl delete namespaces \
cert-manager \
gitea \
interfacer-core \
interfacer-webpresence
clean: down up ## Clean the local Kubernetes development cluster.
##@ Show
get: ## Get specific Kubernetes resources from all namespaces.
@kubectl get --all-namespaces $(filter-out $@, $(MAKECMDGOALS))
get-all: ## Get the state of all Kubernetes resources.
@kubectl get all --all-namespaces
get-ns: ## Get all Kubernetes namespaces.
@kubectl get namespaces
get-api: ## Get all Kubernetes api resources.
@kubectl api-resources
get-crd: ## Get all Kubernetes api resources.
@kubectl get crd
get-node: ## Get all Kubernetes nodes.
@kubectl get nodes -o wide
watch-all: ## Watch the state of all Kubernetes resources.
@watch -n 1 kubectl get all --all-namespaces
##@ Log
events: ## Show all Kubernetes cluster events.
@kubectl get events --watch --all-namespaces
%:
@true
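Review bot: None of the targets are declared `.PHONY`, and the catch-all rule `%:` / `@true` on L252–L253 makes any target name succeed silently, so a stray file named `clean`, `doc` or `deploy` makes that target "up to date" and a typo such as `make deploy-pord` exits 0 without doing anything. The catch-all exists only so `make get pods` can pass extra words through `$(MAKECMDGOALS)` on L236; an explicit variable (`make get RES=pods`, `@kubectl get --all-namespaces $(RES)`) removes the need for it. `deploy-prod` on L225–L226 and `remove` on L227–L232 apply to or delete from whatever kubeconfig context happens to be current, with no guard, so requiring an explicit context for the production target is a cheap safety net. Also the `get-crd` description on L243 is a copy of `get-api`'s; `## Get all Kubernetes custom resource definitions.` would match what it runs.
```make
.PHONY: help up down lint yaml-lint markdown-lint manifest-lint doc manifest \
        deploy deploy-dev deploy-prod remove clean get get-all get-ns get-api \
        get-crd get-node watch-all events
# Production targets refuse to run unless the kubeconfig context is named explicitly.
PROD_CONTEXT ?=
# … unchanged: help / up / down / lint / doc / manifest / deploy-dev targets …
deploy-prod: ## Apply the manifest to the Kubernetes production cluster (set PROD_CONTEXT).
	$(if $(strip $(PROD_CONTEXT)),,$(error PROD_CONTEXT must name the production kubeconfig context))
	@kubectl kustomize overlays/prod/ --enable-helm | kubectl --context "$(PROD_CONTEXT)" apply --server-side=true -f -
```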


@ -1,47 +1,36 @@
<p align="center">
<img src="https://www.fabcity.hamburg/wp-content/uploads/2021/04/cropped-Fab_City_Hamburg@4x-192x192.png" alt="FabCity Hamburg" width="192" height="192" />
<img src="https://raw.githubusercontent.com/dyne/interfacer-docs/main/docs/_media/general/interfacer-logo.png" alt="Interfacer" />
</p>
<h1 align="center">FabCityOS Kubernetes Integration Repo</h1>
<h1 align="center">Interfacer SWKit for Kubernetes ⚓️</h1>
<h4 align="center">
<a href="https://github.com/FabCityOS Core/FabCityOS Core">Helm Chart</a> |
<a href="https://reflowos.dyne.org/docs/what_is_reflowOS">Documentation</a> |
<a href="https://matrix.to/#/#fcos:fabcity.hamburg">Element</a> |
<a href="https://www.interfacerproject.eu/">Website</a> |
<a href="https://www.interfacerproject.eu/#news">Blog</a> |
<a href="https://www.interfacerproject.eu/#news">Blog</a>
</h4>
<p align="center">
<a href="https://gitlab.fabcity.hamburg/software/fabcity-os-core-chart/LICENSE"><img src="https://img.shields.io/badge/license-AGPL-informational" alt="License"></a>
<a href="https://gitlab.fabcity.hamburg/software/fabcity-os-core-chart/-/pipelines"><img src="https://gitlab.fabcity.hamburg/software/fabcity-os-core-chart/badges/main/pipeline.svg" alt="Build status"></a>
<a href="https://matrix.to/#/#fcos:fabcity.hamburg"><img src="https://img.shields.io/badge/Matrix-FCOS-blue.svg?logo=element" alt="Element"></a>
<a href="https://gitlab.fabcity.hamburg/software/interfacer-swkit/LICENSE"><img src="https://img.shields.io/badge/license-AGPL-informational" alt="License"></a>
<a href="https://gitlab.fabcity.hamburg/software/interfacer-swkit/-/pipelines"><img src="https://gitlab.fabcity.hamburg/software/interfacer-swkit/badges/main/pipeline.svg" alt="Pipeline"></a>
<a href="https://matrix.to/#/#fcos:fabcity.hamburg"><img src="https://img.shields.io/badge/Matrix-FCOS-blue.svg?logo=element" alt="Matrix"></a>
</p>
<p align="center">The FabCityOS Integration Repo for Kubernetes ⚓️</p>
This Integration repo is designed to be a lightweight way to configure FabCityOS applications.
**FabCityOS** is an operating system enabling a data-based circular economy via global collaboration and local production.
This Repo is designed to be a lightweight way to configure the Interfacer SWKit applications. Interfacer SWKit is a bundle of Applications to enabling a data-based circular economy via global collaboration and local production.
## Table of Contents <!-- omit in toc -->
- [📖 Documentation](#-documentation)
- [🚀 Getting Started](#-getting-started)
- [Repository structure](#repository-structure)
- [🤖 Compatibility with FabCityOS](#-compatibility-with-fabcityos)
- [Install kubectl](#install-kubectl)
- [Install helm](#install-helm)
- [⚙️ Development Workflow and Contributing](#-development-workflow-and-contributing)
## 📖 Documentation
- [k3d](https://k3d.io/)
- [kubectl](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands)
- [kustomize](https://kubectl.docs.kubernetes.io/guides/)
- [helm](https://helm.sh/docs/)
- [kubectx](https://kubectx.dev/)
- [kube-linter](https://github.com/stackrox/kube-linter)
- [k9s](https://k9scli.io/)
- [sops](https://github.com/mozilla/sops)
- [cert-manager](https://cert-manager.io/docs/)y
## 🚀 Getting Started
@ -53,59 +42,42 @@ First of all, you will need a Kubernetes cluster up and running. If you are not
### Repository structure
```yaml
├── apps # kustomize global applications folder
│   ├── wordpress # kustomize global application folder
│   │ ├── kustomization.yaml # kustomize global application definition
│   │   ├── charts # helm global chart config folder
│   │ └── ... # kustomize global application objects
│   └── ... # kustomize global applications objects
├── base # kustomize global objects folder
│   ├── kustomization.yaml # kustomize global application config
│   └── ... # kustomize global cluster objects
├── overlays # kustomize environment overrides
│   ├── dev # kustomize environment folder
│   │   ├── kustomization.yaml # kustomize environment definition
│   │   └── apps # kustomize applications folder
│   │   └── cert-manager # kustomize application folder
│   │   ├── kustomization.yaml # kustomize application config
│   │   └── ... # kustomize application objects
│   └── ... # kustomize environment folder
├── .envrc # direnv support file
├── default.nix # nixos flake legacy support file
├── flake.lock # nixos flake versions lock file
├── flake.nix # nixos local runtime dependency
├── shell.nix # nixos local development shell
├── base # kustomize global objects folder
│   ├── kustomization.yaml # kustomize global application config
│   └── ... # kustomize global cluster objects
├── apps # kustomize global applications folder
│   ├── gitea # kustomize global application folder
│   │ ├── kustomization.yaml # kustomize global application definition
│   │   ├── charts # helm global chart config folder
│   │ └── ... # kustomize global application objects
│   └── ... # kustomize global applications objects
├── overlays # kustomize environment overrides
│   ├── dev # kustomize environment specific
│   │   ├── kustomization.yaml # kustomize environment definition
│   │   └── cert-manager # kustomize applications folder
│   │   ├── kustomization.yaml # kustomize application config
│   │   └── ... # kustomize application objects
│   └── ... # kustomize environment folder
├── .envrc # direnv support file
└── flake.nix # nix flake for local runtime dependency
```
### Install kubectl <!-- omit in toc -->
### Install kubectl
`kubectl` is the most commonly used CLI to manage a Kubernetes cluster. The installation instructions are [available here](https://kubernetes.io/docs/tasks/tools/install-kubectl/).
### Deploy FabCityOS <!-- omit in toc -->
### Install helm
#### Install Kustomize <!-- omit in toc -->
`helm` is a Command Line Interface which will automate chart management and installation on your Kubernetes cluster. To install Helm, follow the [Helm installation instructions](https://helm.sh/docs/intro/install/).
Kustomize CLI is a Command Line Interface which will automate configuration management on your Kubernetes cluster. To install Kustomize, follow the [Kustomize installation instructions](https://kubectl.docs.kubernetes.io/installation/kustomize/).
#### Install helm <!-- omit in toc -->
Helm CLI is a Command Line Interface which will automate chart management and installation on your Kubernetes cluster. To install Helm, follow the [Helm installation instructions](https://helm.sh/docs/intro/install/).
#### Deploy FabCityOS <!-- omit in toc -->
#### Deploy the SWKit <!-- omit in toc -->
```sh
kubectl kustomize overlays/prod --enable-helm | kubectl apply -f -
git clone https://gitlab.fabcity.hamburg/software/interfacer-swkit.git
cd interfacer-swkit
kubectl kustomize --enable-helm | kubectl apply -f -
```
## 🤖 Compatibility with FabCityOS
We recommend that the Helm chart version is aligned to the version of the product you want to deploy. This will ensure that you are using a chart version that has been tested against the corresponding production version.
This will also ensure that the documentation and examples for the chart will work with the version of the product, you are installing.
For example, if you want to deploy an fcos `0.1.0` cluster, use the corresponding `0.1.0` [tag][fcos-010].
The `master` version of these charts is intended to support the latest pre-release versions of our products, and therefore may or may not work with current released versions.
## ⚙️ Development Workflow and Contributing
Any new contribution is more than welcome in this project!


@ -1,20 +1,10 @@
---
namespace: gitea
resources:
- namespace.yaml
helmCharts:
- name: gitea
version: v5.0.9
releaseName: fcos-gitea
version: 6.0.3
releaseName: interfacer-gitea
namespace: gitea
repo: https://dl.gitea.io/charts/
valuesFile: values.yaml
patches:
- target:
{ kind: ServiceAccount|Secret|Deployment|Service|Pod|StatefulSet|Ingress }
patch: |-
- op: add
path: /metadata/namespace
value: gitea
- op: replace
path: /metadata/namespace
value: gitea


@ -1,30 +1,36 @@
# https://gitea.com/gitea/helm-chart/src/branch/master/values.yaml
---
# https://gitea.com/gitea/helm-chart/#user-content-parameters
service:
http:
type: ClusterIP
port: 3000
clusterIP:
clusterIP: ""
ssh:
type: ClusterIP
port: 22
clusterIP:
clusterIP: ""
ingress:
enabled: true
apiVersion: networking.k8s.io/v1
# className: nginx
# annotations:
# kubernetes.io/ingress.class: nginx
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
hosts:
- host: code.localhost
- host: code.k8s.dev.fabcity-hamburg.de
paths:
- path: /
pathType: Prefix
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 250m
memory: 256Mi
gitea:
# https://docs.gitea.io/en-us/config-cheat-sheet/
config:
APP_NAME: "Fab City Codebase"
APP_NAME: "Interfacer Codebase"
log:
ENABLE_ACCESS_LOG: true
metrics:
enabled: true
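Review bot: `kubernetes.io/tls-acme: "true"` on L425 does not get a certificate issued by itself — cert-manager's ingress-shim only honours that annotation when the controller is started with default-issuer flags, and it only creates a Certificate for entries under the Ingress `spec.tls`, which this values file never sets. Either add `ingress.tls` with a `secretName` for the host and a `cert-manager.io/cluster-issuer` annotation here, or leave certificate handling entirely to an overlay Ingress and drop the annotation so the two do not diverge. Note that L428 hard-codes the dev hostname `code.k8s.dev.fabcity-hamburg.de` in a file under `apps/`, so it is also what the prod overlay deploys unless overridden there.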


@ -0,0 +1,10 @@
---
namespace: interfacer-core
resources:
- namespace.yaml
helmCharts:
- name: fcoscore
version: 0.1.0
releaseName: interfacer-core
namespace: interfacer-core
repo: https://gitlab.fabcity.hamburg/api/v4/projects/248/packages/helm/alpha


@ -2,4 +2,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager
name: interfacer-core


@ -0,0 +1,27 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: interfacer-webpresence-deployment
spec:
selector:
matchLabels:
app: interfacer-webpresence
replicas: 2
template:
metadata:
labels:
app: interfacer-webpresence
spec:
containers:
- name: webpresence
image: fabcityhamburg/interfacer-webpresence:latest
ports:
- containerPort: 80
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
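Review bot: The container port on L494 is unnamed, but the Service added in this commit selects `targetPort: http` (L535), so the Service resolves no endpoint until the port is given `name: http`. The image on L492 is the mutable `latest` tag and the pod has no `securityContext` — and this commit also deletes the conftest policy that denied Deployments without `runAsNonRoot` (L1303–L1309), so nothing enforces it any more. Pin the image and add a restrictive security context plus a readiness probe; whether the image can bind port 80 as a non-root user is not visible here, so confirm that before switching `runAsNonRoot` on.
```yaml
      containers:
        - name: webpresence
          image: fabcityhamburg/interfacer-webpresence:<pinned-tag>  # or @sha256:<digest>
          ports:
            - name: http
              containerPort: 80
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          readinessProbe:
            httpGet:
              path: /
              port: http
          # … unchanged: resources …
```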


@ -0,0 +1,6 @@
---
namespace: interfacer-webpresence
resources:
- namespace.yaml
- deployment.yaml
- service.yaml


@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: interfacer-webpresence


@ -0,0 +1,12 @@
---
apiVersion: v1
kind: Service
metadata:
name: interfacer-webpresence
spec:
type: ClusterIP
ports:
- name: http
port: 4141
targetPort: http
protocol: TCP


@ -1,19 +0,0 @@
---
resources:
- namespace.yaml
helmCharts:
- name: keycloak
version: 18.0.2
releaseName: fcos-keycloak
namespace: keycloak
repo: https://charts.bitnami.com/bitnami
patches:
- target:
{ kind: ServiceAccount|Secret|Deployment|Service|Pod|StatefulSet|Ingress }
patch: |-
- op: add
path: /metadata/namespace
value: keycloak
- op: replace
path: /metadata/namespace
value: keycloak

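--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+resources:
+- gitea
+- interfacer-webpresence
+- interfacer-core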


@ -1,10 +1,11 @@
---
# namespace: cert-manager
resources:
- https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml
- namespace.yaml
helmCharts:
- name: cert-manager
version: v1.8.2
releaseName: fcos-cert-manager
namespace: security
version: v1.10.1
releaseName: interfacer-cert-manager
repo: https://charts.jetstack.io
namespace: cert-manager
valuesFile: values.yaml
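Review bot: L578 pulls the v1.8.2 CRD bundle from GitHub while the chart on L585 is v1.10.1 and the `values.yaml` in this commit sets `installCRDs: true` (L606); if that CRD resource line is still on the new side, two versions of the same CRDs end up in one manifest and whichever is applied last wins. Drop the remote CRD resource and let the chart install them, or keep the download and pin it to the same version as the chart. A resource fetched over the network at `kustomize build` time is also a dependency of every build and deploy; vendoring the file under `base/cert-manager/` would keep builds hermetic.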


@ -2,4 +2,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: security
name: cert-manager


@ -1,3 +1,2 @@
---
cert-manager:
namespace: security
installCRDs: true


@ -1,9 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ingress-nginx-controller
namespace: ingress-nginx
data:
hsts-preload: "true"
enable-brotli: "true"


@ -1,10 +1,11 @@
---
helmCharts:
- name: ingress-nginx
repo: https://kubernetes.github.io/ingress-nginx
namespace: ingress-nginx
version: 4.2.0
releaseName: fcos-ingress-nginx
namespace: ingress-nginx
resources:
- namespace.yaml
# - configmap.yaml
helmCharts:
- name: ingress-nginx
version: 4.4.0
releaseName: interfacer-ingress-nginx
repo: https://kubernetes.github.io/ingress-nginx
namespace: ingress-nginx
valuesFile: values.yaml


@ -0,0 +1,22 @@
---
controller:
ingressClassResource:
default: true
watchIngressWithoutClass: true
service:
ipFamilyPolicy: PreferDualStack
ipFamilies:
- IPv4
- IPv6
metrics:
enabled: true
service:
annotations:
prometheus.io/port: 10254
prometheus.io/scrape: true
config:
enable-ocsp: true
enable-brotli: true
enable-real-ip: true
enable-modsecurity: true
enable-owasp-modsecurity-crs: true
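Review bot: The annotation values on L660–L661 are unquoted, so Helm renders `prometheus.io/port: 10254` and `prometheus.io/scrape: true` as a number and a boolean; Kubernetes annotation values must be strings and the API server rejects the metrics Service — write them as `"10254"` and `"true"`. The same applies to the `config` keys on L663–L667 unless the chart quotes ConfigMap values itself; quoting them here is harmless either way. Enabling `enable-modsecurity` and `enable-owasp-modsecurity-crs` for every Ingress runs the CRS in its default detection-only mode, so it logs but does not block until `SecRuleEngine On` is set through `modsecurity-snippet`; a comment saying so would stop a reader from assuming requests are being filtered.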


@ -1,7 +1,4 @@
---
resources:
# - ./operator-framework
# - ./gatekeeper
- ./ingress-nginx
- ./cert-manager
- ../apps/gitea
- cert-manager
# - ingress-nginx
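Review bot: `- ingress-nginx` is commented out on L680, yet every Ingress in this commit uses `kubernetes.io/ingress.class: nginx` (L424, L1011, L1187) and the ACME solvers use `class: nginx` (L999, L1176); nothing visible here installs an nginx controller, and the k3d config in `k3s-dev.yaml` does not disable k3s's bundled Traefik either, so on the dev cluster those Ingresses would be served by Traefik or not at all. Either re-enable the resource or switch the class annotations to the controller that actually runs; a commented-out resource without a note is easy to mistake for a deliberate choice.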


@ -1,6 +0,0 @@
(import (let lock = builtins.fromJSON (builtins.readFile ./flake.lock);
in fetchTarball {
url =
"https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
}) { src = ./.; }).defaultNix


@ -3,11 +3,11 @@
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
@ -18,11 +18,11 @@
},
"flake-utils": {
"locked": {
"lastModified": 1656928814,
"narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=",
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "7e2a3b3dfd9af950a856d66b0a7d01e3c18aa249",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
@ -31,27 +31,117 @@
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1660459072,
"narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1657425264,
"narHash": "sha256-3aHvoI2e8vJKw3hvnHECaBpSsL5mxVsVtaLCnTdNcH8=",
"lastModified": 1669542132,
"narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "de5b3dd17034e6106e75746e81618e5bd408de8a",
"rev": "a115bb9bd56831941be3776c8a94005867f316a7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1668984258,
"narHash": "sha256-0gDMJ2T3qf58xgcSbYoXiRGUkPWmKyr5C3vcathWhKs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "cf63ade6f74bbc9d2a017290f1b2e33e8fbfa70a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1668994630,
"narHash": "sha256-1lqx6HLyw6fMNX/hXrrETG1vMvZRGm2XVC9O/Jt0T6c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "af50806f7c6ab40df3e6b239099e8f8385f6c78b",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"gitignore": "gitignore",
"nixpkgs": "nixpkgs_2",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1669152228,
"narHash": "sha256-FEDReoTLWJHXcNso7aaAlAUU7uOqIR6Hc/C/nqlfooE=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "078b0dee35e2da01334af682ec347463b70a9986",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs",
"pre-commit-hooks": "pre-commit-hooks",
"utils": "utils"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},


@ -1,18 +1,87 @@
{
description = "SRX frugal bioreactor";
description = "Interfacer SWKit";
inputs = {
nixpkgs = { url = "github:NixOS/nixpkgs/nixos-unstable-small"; };
flake-compat = {
url = "github:edolstra/flake-compat";
flake = false;
};
flake-utils.url = "github:numtide/flake-utils";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
utils.url = "github:numtide/flake-utils";
pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix";
};
outputs = { self, nixpkgs, flake-utils, ... }@inputs:
flake-utils.lib.eachDefaultSystem (system:
let pkgs = nixpkgs.legacyPackages.${system}; in
{
devShells.default = import ./shell.nix { inherit pkgs; };
outputs = {
self,
nixpkgs,
pre-commit-hooks,
utils,
...
}:
utils.lib.eachDefaultSystem (
system: let
pkgs = nixpkgs.legacyPackages.${system};
in {
checks = {
pre-commit-check = pre-commit-hooks.lib.${system}.run {
src = utils.lib.cleanSource ./.;
hooks = {
alejandra.enable = true;
nix-linter.enable = true;
statix .enable = true;
};
settings.nix-linter.checks = [
"DIYInherit"
"EmptyInherit"
"EmptyLet"
"EtaReduce"
"LetInInheritRecset"
"ListLiteralConcat"
"NegateAtom"
"SequentialLet"
"SetLiteralUpdate"
"UnfortunateArgName"
"UnneededRec"
"UnusedArg"
"UnusedLetBind"
"UpdateEmptySet"
"BetaReduction"
"EmptyVariadicParamSet"
"UnneededAntiquote"
"no-FreeLetInFunc"
"no-AlphabeticalArgs"
"no-AlphabeticalBindings"
];
};
};
devShell = with pkgs;
mkShell {
name = "interfacer.swkit";
nativeBuildInputs = with pkgs; [
alejandra
cmctl
docker
editorconfig-checker
git
gnumake
kube3d
kubectl
kubectx
kubernetes-helm
kustomize
nix-linter
pre-commit
rnix-lsp
vscodium-fhs
yaml-language-server
yamllint
];
postInstall = ''
. <(helm completion $(basename $SHELL))
. <(k3d completion $(basename $SHELL))
. <(kubectl completion $(basename $SHELL))
. <(ct completion $(basename $SHELL))
'';
shellHook = ''
${self.checks.${system}.pre-commit-check.shellHook}
'';
};
}
);
}
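Review bot: `postInstall` on L937–L942 has no effect in a `mkShell` derivation — the dev shell never runs install phases — so the completion lines are dead, and one of them sources `ct completion` although `ct` is not in `nativeBuildInputs` (only `cmctl` is). Move the completions you want into `shellHook` and drop `ct`. The output is declared as the legacy `devShell` on L915 where the previous version used `devShells.default`; current `nix develop` still accepts it, but the per-system `devShells` attribute is the supported form. `statix .enable` on L889 has a stray space before the dot; alejandra will reformat it.
```nix
      devShells.default = with pkgs;
        mkShell {
          name = "interfacer.swkit";
          # … unchanged: nativeBuildInputs …
          shellHook = ''
            ${self.checks.${system}.pre-commit-check.shellHook}
            . <(helm completion $(basename $SHELL))
            . <(k3d completion $(basename $SHELL))
            . <(kubectl completion $(basename $SHELL))
          '';
        };
```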


@ -1,16 +1,14 @@
---
apiVersion: k3d.io/v1alpha4
kind: Simple
image: docker.io/rancher/k3s:v1.23.8-k3s1
image: docker.io/rancher/k3s:v1.23.14-k3s1
servers: 1
agents: 2
# network: fcos-dev-net
subnet: "172.23.0.0/16"
ports:
- port: 8080:80
- port: 80:80
nodeFilters:
- loadbalancer
- port: 8443:443
- port: 443:443
nodeFilters:
- loadbalancer
- port: 6443:6443
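Review bot: The port mappings on L965, L969 and L972 carry no host address, so Docker binds 80, 443 and the API server port 6443 on every interface of the developer machine, exposing the dev cluster and its plain-HTTP ingress to the local network. Bind them to loopback — `- port: 127.0.0.1:80:80`, `- port: 127.0.0.1:443:443`, and likewise for 6443 — which k3d accepts in its `[HOST:]HOSTPORT:CONTAINERPORT` form. The 6443 entry also has no `nodeFilters`, unlike the other two, and k3d already exposes the API on a host port by default; confirm the extra mapping is intended.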


@ -0,0 +1,4 @@
---
namespace: cert-manager
resources:
- letsencrypt.yaml


@ -0,0 +1,15 @@
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt
spec:
acme:
email: hostmaster@fabcity-hamburg.de
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-key
solvers:
- http01:
ingress:
class: nginx
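Review bot: This creates a namespaced `Issuer` (L987) in `cert-manager` (L978), but the Ingresses in this commit reference it with `cert-manager.io/cluster-issuer: letsencrypt` (L1013, L1188), which looks up a `ClusterIssuer`, and an Issuer can in any case only sign Certificates in its own namespace — so nothing will be issued for `gitea` or `interfacer-webpresence`. Change `kind: Issuer` to `kind: ClusterIssuer` and drop `namespace: cert-manager` from L978 (a cluster-scoped resource takes no namespace; the ACME account key then lives in cert-manager's cluster resource namespace), or keep Issuers and use `cert-manager.io/issuer` with one Issuer inside each application namespace. The prod copy on L1163–L1176 has the same mismatch.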


@ -2,24 +2,21 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-server-ingress
namespace: gitea
name: gitea
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: letsencrypt
spec:
rules:
- host: code.fabcity.hamburg
http:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea-http
name: gitea
port:
name: http
tls:
- hosts:
- code.fabcity.hamburg
secretName: gitea-secret-prod
- code.k8s.dev.fabcity-hamburg.de
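Review bot: The rule on L1018 has no `host`, so this Ingress becomes a catch-all for every hostname reaching the controller, while the chart's own Ingress enabled in `values.yaml` (L417–L431) already serves `code.k8s.dev.fabcity-hamburg.de`; two Ingresses on the same path compete and which one nginx picks is not something a reader can predict. The backend on L1025 is `service: name: gitea`, but with `releaseName: interfacer-gitea` (L385) the chart names its HTTP Service `interfacer-gitea-http` as far as I know, so this Ingress would point at nothing — confirm against a rendered manifest. The `tls` entry on L1029–L1032 has no `secretName`, so cert-manager has nowhere to store a certificate and nginx falls back to its default one. The prod webpresence Ingress on L1182–L1202 repeats both the host-less rule and the missing `secretName`.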


@ -0,0 +1,24 @@
---
namespace: gitea
# patches:
# - target:
# kind: Ingress
# group: networking.k8s.io
# version: v1
# labelSelector: "app=gitea"
# patch: |-
# - op: replace
# path: /spec/rules
# value:
# - host: code.k8s.dev.fabcity-hamburg.de
# http:
# paths:
# - path: /
# pathType: Prefix
# - op: replace
# path: /spec/tls
# value:
# - secretName: gitea-tls
# hosts:
# - code.k8s.dev.fabcity-hamburg.de
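Review bot: Apart from `namespace: gitea` this file is twenty lines of commented-out patch (L1039–L1059) and lists no `resources`, so the overlay's `- gitea` entry (L1082) contributes nothing to the dev manifest. If the dev gitea Ingress in this commit (L1004–L1032) is meant to come from this directory, add `resources:` / `- ingress.yaml` the way `overlays/prod/interfacer-webpresence/kustomization.yaml` does (L1208–L1209); otherwise delete the dead block rather than leaving it for a future reader to decode.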


@ -1,16 +1,6 @@
---
resources:
- ../../base
patches:
- target:
kind: Ingress
group: networking.k8s.io
version: v1
patch: |-
- op: replace
path: /metadata/annotations
value:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
- ../../apps
- cert-manager
- gitea


@ -1,30 +0,0 @@
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-acme-staging-v02
spec:
acme:
email: hostmaster@fabcity-hamburg.de
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: account-key-acme-staging
solvers:
- http01:
ingress:
class: nginx
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-acme-v02
spec:
acme:
email: hostmaster@fabcity-hamburg.de
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: account-key-acme
solvers:
- http01:
ingress:
class: nginx


@ -1,3 +0,0 @@
---
resources:
- ./issuer.yaml


@ -1,23 +0,0 @@
---
patches:
- target:
kind: Ingress
group: networking.k8s.io
version: v1
labelSelector: "app=gitea"
patch: |-
- op: replace
path: /spec/rules
value:
- host: code.fabcity-hamburg.de
http:
paths:
- path: /
pathType: Prefix
- op: replace
path: /spec/tls
value:
- secretName: gitea-tls
hosts:
- code.fabcity-hamburg.de


@ -0,0 +1,4 @@
---
namespace: cert-manager
resources:
- letsencrypt.yaml


@ -0,0 +1,15 @@
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt
spec:
acme:
email: hostmaster@fabcity-hamburg.de
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-key
solvers:
- http01:
ingress:
class: nginx


@ -0,0 +1,22 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: interfacer-webpresence
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: interfacer-webpresence
port:
name: http
tls:
- hosts:
- www.k8s.dev.fabcity-hamburg.de


@ -0,0 +1,3 @@
---
resources:
- ingress.yaml


@ -1,18 +1,6 @@
---
resources:
- ../../base
- ./apps/cert-manager
- ./apps/gitea
patches:
- target:
kind: Ingress
group: networking.k8s.io
version: v1
patch: |-
- op: replace
path: /metadata/annotations
value:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: 'true'
cert-manager.io/cluster-issuer: letsencrypt-acme-staging-v02
cert-manager.io/cluster-issuer: letsencrypt-acme-v02
- ../../apps
- cert-manager
- interfacer-webpresence
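Review bot: The prod overlay pulls in `../../apps` (L1232) but, unlike dev (L1082), has no `gitea` entry, so gitea in production is rendered straight from `apps/gitea/values.yaml`, where the only hostname is the dev name `code.k8s.dev.fabcity-hamburg.de` (L428). The deleted `overlays/prod/apps/gitea` patch (L1128–L1149) was what set `code.fabcity-hamburg.de` and the `gitea-tls` secret before; add an `overlays/prod/gitea` overlay (or a values override) that restores the production hostname and TLS secret, and list it here.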


@ -1,44 +0,0 @@
{ pkgs ? import <nixpkgs> { } }:
with pkgs;
mkShell {
name = "fcos.integration";
buildInputs = with pkgs; [
conftest
editorconfig-checker
git
hadolint
k9s
kube-score
kube3d
kubectl
kubectx
kubernetes-helm
kubeval
kubeval-schema
kustomize
mdl
mdsh
nix-linter
nixpkgs-fmt
open-policy-agent
operator-sdk
pre-commit
rnix-lsp
vscodium-fhs
yamale
yaml-language-server
yamllint
];
postInstall = ''
. <(helm completion $(basename $SHELL))
. <(k3d completion $(basename $SHELL))
. <(k9s completion $(basename $SHELL))
. <(kubectl completion $(basename $SHELL))
. <(kustomize completion $(basename $SHELL))
. <(opa completion $(basename $SHELL))
. <(operator-sdk completion $(basename $SHELL))
'';
}


@ -1,20 +0,0 @@
package main
import data.kubernetes
name = input.metadata.name
required_deployment_labels {
input.metadata.labels["app.kubernetes.io/name"]
input.metadata.labels["app.kubernetes.io/instance"]
input.metadata.labels["app.kubernetes.io/version"]
input.metadata.labels["app.kubernetes.io/component"]
input.metadata.labels["app.kubernetes.io/part-of"]
input.metadata.labels["app.kubernetes.io/managed-by"]
}
deny[msg] {
kubernetes.is_deployment
not required_deployment_labels
msg = sprintf("%s must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels", [name])
}


@ -1,7 +0,0 @@
package main
deny[msg] {
input.kind = "Deployment"
not input.spec.template.spec.securityContext.runAsNonRoot = true
msg = sprintf("%s Containers must not run as root", [name])
}


@ -1,11 +0,0 @@
package main
import data.kubernetes
name = input.metadata.name
deny[msg] {
input.kind = "Deployment"
not input.spec.selector.matchLabels.app
msg = sprintf("%s must provide app label for pod selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels", [name])
}