├── .github └── workflows │ └── test.yaml ├── .gitignore ├── .sourceignore ├── Brewfile ├── LICENSE ├── Makefile ├── README.md ├── apps ├── backend │ ├── kustomization.yaml │ ├── namespace.yaml │ ├── podinfo-canary.yaml │ └── podinfo-sync.yaml └── frontend │ ├── kustomization.yaml │ ├── namespace.yaml │ ├── podinfo-abtest.yaml │ ├── podinfo-ingress.yaml │ └── podinfo-sync.yaml ├── clusters └── my-cluster │ ├── apps.yaml │ ├── flux-system │ ├── gotk-components.yaml │ ├── gotk-sync.yaml │ └── kustomization.yaml │ └── infrastructure.yaml ├── docs └── screens │ ├── linkerd-metrics.png │ ├── wego-apps.png │ ├── wego-deps.png │ └── wego-linkerd.png ├── infrastructure ├── cert-manager │ ├── kustomization.yaml │ ├── namespace.yaml │ ├── release.yaml │ └── repository.yaml ├── flagger │ ├── kustomization.yaml │ ├── loadtester.yaml │ ├── namespace.yaml │ ├── release.yaml │ └── repository.yaml ├── ingress-nginx │ ├── kustomization.yaml │ ├── namespace.yaml │ ├── release.yaml │ └── repository.yaml ├── linkerd │ ├── README.md │ ├── ca.crt │ ├── ca.key │ ├── kustomization.yaml │ ├── kustomizeconfig.yaml │ ├── linkerd-certs.yaml │ ├── linkerd-control-plane.yaml │ ├── linkerd-crds.yaml │ ├── linkerd-smi.yaml │ ├── linkerd-viz.yaml │ ├── namespaces.yaml │ └── repositories.yaml └── weave-gitops │ ├── kustomization.yaml │ ├── release.yaml │ └── repository.yaml └── scripts └── validate.sh /.github/workflows/test.yaml: -------------------------------------------------------------------------------- 1 | name: test 2 | 3 | on: 4 | pull_request: 5 | push: 6 | branches: 7 | - main 8 | 9 | permissions: 10 | contents: read 11 | 12 | jobs: 13 | validate: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - name: Checkout 17 | uses: actions/checkout@v3 18 | - name: Set up Homebrew 19 | uses: Homebrew/actions/setup-homebrew@master 20 | - name: Install tools 21 | run: make tools 22 | - name: Run manifests validation 23 | run: make validate 24 | 
-------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | bin/ 2 | Brewfile.lock.json -------------------------------------------------------------------------------- /.sourceignore: -------------------------------------------------------------------------------- 1 | # Flux ignore 2 | # https://fluxcd.io/flux/components/source/gitrepositories/#excluding-files 3 | 4 | # Exclude all 5 | /* 6 | 7 | # Include manifest directories 8 | !/apps/ 9 | !/clusters/ 10 | !/infrastructure/ 11 | -------------------------------------------------------------------------------- /Brewfile: -------------------------------------------------------------------------------- 1 | # Kubernetes 2 | brew "kubectl" 3 | brew "kind" 4 | 5 | # Kubernetes tools 6 | brew "yq" 7 | brew "jq" 8 | brew "kustomize" 9 | brew "kubeconform" 10 | 11 | # Flux 12 | tap "fluxcd/tap" 13 | brew "fluxcd/tap/flux" 14 | 15 | # Linkerd 16 | brew "linkerd" 17 | brew "step" -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Flux local dev environment with Docker and Kubernetes KIND 2 | # Requirements: 3 | # - Docker 4 | # - Homebrew 5 | 6 | .PHONY: tools 7 | tools: ## Install Kubernetes kind, kubectl, Flux CLI and other tools with Homebrew 8 | brew bundle 9 | 10 | .PHONY: validate 11 | validate: ## Validate the Kubernetes manifests (including Flux custom resources) 12 | scripts/validate.sh 13 | 14 | .PHONY: help 15 | help: ## Display this help menu 16 | @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) 17 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # gitops-linkerd 2 | 3 | 
[![test](https://github.com/stefanprodan/gitops-linkerd/workflows/test/badge.svg)](https://github.com/stefanprodan/gitops-linkerd/actions) 4 | [![license](https://img.shields.io/github/license/stefanprodan/gitops-linkerd.svg)](https://github.com/stefanprodan/gitops-linkerd/blob/main/LICENSE) 5 | 6 | Progressive Delivery workshop with [Linkerd](https://github.com/linkerd/linkerd2), 7 | [Flagger](https://github.com/fluxcd/flagger), [Flux](https://github.com/fluxcd/flux) 8 | and [Weave GitOps](https://github.com/weaveworks/weave-gitops). 9 | 10 | ![flux-ui](docs/screens/wego-apps.png) 11 | 12 | ## Introduction 13 | 14 | ### What is GitOps? 15 | 16 | GitOps is a way to do Continuous Delivery, it works by using Git as a source of truth 17 | for declarative infrastructure and workloads. 18 | For Kubernetes this means using `git push` instead of `kubectl apply/delete` or `helm install/upgrade`. 19 | 20 | In this workshop you'll be using GitHub to host the config repository and [Flux](https://fluxcd.io) 21 | as the GitOps delivery solution. 22 | 23 | ### What is Progressive Delivery? 24 | 25 | Progressive delivery is an umbrella term for advanced deployment patterns like canaries, feature flags and A/B testing. 26 | Progressive delivery techniques are used to reduce the risk of introducing a new software version in production 27 | by giving app developers and SRE teams a fine-grained control over the blast radius. 28 | 29 | In this workshop you'll be using [Flagger](https://flagger.app), [Linkerd](https://github.com/linkerd/linkerd2) and 30 | Prometheus to automate Canary Releases and A/B Testing for your applications. 31 | 32 | ## Prerequisites 33 | 34 | For this workshop you will need a GitHub account and a Kubernetes cluster version 1.21 35 | or newer with **Load Balancer** support. 
36 | 37 | In order to follow the guide you'll need a GitHub account and a 38 | [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) 39 | that can create repositories (check all permissions under `repo`). 40 | 41 | ### Fork the repository 42 | 43 | Start by forking the [gitops-linkerd](https://github.com/stefanprodan/gitops-linkerd) 44 | repository on your own GitHub account. 45 | Then generate a GitHub 46 | [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) 47 | that can create repositories (check all permissions under `repo`), 48 | and export your GitHub token, username and repo name as environment variables: 49 | 50 | ```sh 51 | export GITHUB_TOKEN= 52 | export GITHUB_USER= 53 | export GITHUB_REPO="gitops-linkerd" 54 | ``` 55 | 56 | Next clone your repository locally with: 57 | 58 | ```shell 59 | git clone https://github.com/${GITHUB_USER}/${GITHUB_REPO}.git 60 | cd ${GITHUB_REPO} 61 | ``` 62 | 63 | ### Install CLI tools 64 | 65 | Install flux, kubectl, linkerd, step and other CLI tools with Homebrew: 66 | 67 | ```shell 68 | brew bundle 69 | ``` 70 | 71 | The complete list of tools can be found in the `Brewfile`. 72 | 73 | ## Cluster bootstrap 74 | 75 | With the `flux bootstrap` command you can install Flux on a Kubernetes cluster and configure 76 | it to manage itself from a Git repository. If the Flux components are present on the cluster, 77 | the bootstrap command will perform an upgrade if needed. 
78 | 79 | ```shell 80 | flux bootstrap github \ 81 | --owner=${GITHUB_USER} \ 82 | --repository=${GITHUB_REPO} \ 83 | --branch=main \ 84 | --path=./clusters/my-cluster \ 85 | --personal 86 | ``` 87 | 88 | When Flux has access to your repository it will do the following: 89 | 90 | * installs the Flux UI (Weave GitOps OSS) 91 | * installs cert-manager and generates the Linkerd trust anchor certificate 92 | * installs Linkerd using the `linkerd-crds`, `linkerd-control-plane`, `linkerd-viz` and `linkerd-smi` Helm charts 93 | * waits for the Linkerd control plane to be ready 94 | * installs the Kubernetes NGINX ingress in the `ingress-nginx` namespace 95 | * installs Flagger and configures its load testing service inside the `flagger-system` namespace 96 | * waits for NGINX and Flagger to be ready 97 | * creates the frontend deployment and configures it for A/B testing 98 | * creates the backend deployment and configures it for progressive traffic shifting 99 | 100 | ![flux-ui](docs/screens/wego-deps.png) 101 | 102 | Watch Flux installing Linkerd first, then the demo apps: 103 | 104 | ```bash 105 | flux get kustomizations --watch 106 | ``` 107 | 108 | When bootstrapping a cluster with Linkerd, it is important to control the installation order. 109 | For the application pods to be injected with the Linkerd proxy, 110 | the Linkerd control plane must be up and running before the apps. 111 | For the ingress controller to forward traffic to the apps, NGINX must be injected with the Linkerd sidecar. 112 | 113 | ## Access the dashboards 114 | 115 | To access the Flux dashboard, start port forwarding with: 116 | 117 | ```sh 118 | kubectl -n flux-system port-forward svc/weave-gitops 9001:9001 & 119 | ``` 120 | 121 | Navigate to `http://localhost:9001` and log in using the username `admin` and the password `flux`. 
122 | 123 | ![flux-ui](docs/screens/wego-linkerd.png) 124 | 125 | To access the Linkerd dashboard, start port forwarding with: 126 | 127 | ```sh 128 | kubectl -n linkerd-viz port-forward svc/web 8084:8084 & 129 | ``` 130 | 131 | Navigate to `http://localhost:8084` to access the dashboard. 132 | 133 | ![linkerd-ui](docs/screens/linkerd-metrics.png) 134 | 135 | -------------------------------------------------------------------------------- /apps/backend/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: backend 4 | resources: 5 | - namespace.yaml 6 | - podinfo-sync.yaml 7 | - podinfo-canary.yaml 8 | 9 | 10 | -------------------------------------------------------------------------------- /apps/backend/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: backend 5 | annotations: 6 | linkerd.io/inject: enabled 7 | -------------------------------------------------------------------------------- /apps/backend/podinfo-canary.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: flagger.app/v1beta1 2 | kind: Canary 3 | metadata: 4 | name: podinfo 5 | spec: 6 | provider: linkerd 7 | # deployment reference 8 | targetRef: 9 | apiVersion: apps/v1 10 | kind: Deployment 11 | name: podinfo 12 | # HPA reference (optional) 13 | autoscalerRef: 14 | apiVersion: autoscaling/v2 15 | kind: HorizontalPodAutoscaler 16 | name: podinfo 17 | # the maximum time in seconds for the canary deployment 18 | # to make progress before it is rolled back (default 600s) 19 | progressDeadlineSeconds: 60 20 | service: 21 | # ClusterIP port number 22 | port: 80 23 | # container port number or name (optional) 24 | targetPort: 9898 25 | analysis: 26 | # schedule interval (default 60s) 27 | interval: 10s 28 | # max number 
of failed metric checks before rollback 29 | threshold: 3 30 | # max traffic percentage routed to canary 31 | # percentage (0-100) 32 | maxWeight: 50 33 | # canary increment step 34 | # percentage (0-100) 35 | stepWeight: 5 36 | # Linkerd Prometheus checks 37 | metrics: 38 | - name: request-success-rate 39 | # minimum req success rate (non 5xx responses) 40 | # percentage (0-100) 41 | thresholdRange: 42 | min: 99 43 | interval: 1m 44 | - name: request-duration 45 | # maximum req duration P99 46 | # milliseconds 47 | thresholdRange: 48 | max: 500 49 | interval: 30s 50 | # testing (optional) 51 | webhooks: 52 | - name: acceptance-test 53 | type: pre-rollout 54 | url: http://flagger-loadtester.flagger-system/ 55 | timeout: 30s 56 | metadata: 57 | type: bash 58 | cmd: "curl -sd 'test' http://podinfo-canary.backend/token | grep token" 59 | - name: load-test 60 | type: rollout 61 | url: http://flagger-loadtester.flagger-system/ 62 | metadata: 63 | cmd: "hey -z 2m -q 10 -c 2 http://podinfo.backend/" 64 | -------------------------------------------------------------------------------- /apps/backend/podinfo-sync.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1beta2 2 | kind: GitRepository 3 | metadata: 4 | name: podinfo 5 | spec: 6 | interval: 12h 7 | url: https://github.com/stefanprodan/podinfo 8 | ref: 9 | branch: master 10 | ignore: | 11 | /* 12 | !/kustomize/deployment.yaml 13 | !/kustomize/hpa.yaml 14 | --- 15 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 16 | kind: Kustomization 17 | metadata: 18 | name: podinfo 19 | spec: 20 | targetNamespace: backend 21 | interval: 10m 22 | path: "./kustomize/" 23 | prune: true 24 | sourceRef: 25 | kind: GitRepository 26 | name: podinfo 27 | images: 28 | - name: ghcr.io/stefanprodan/podinfo 29 | newTag: 6.2.1 30 | -------------------------------------------------------------------------------- /apps/frontend/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: frontend 4 | resources: 5 | - namespace.yaml 6 | - podinfo-sync.yaml 7 | - podinfo-abtest.yaml 8 | - podinfo-ingress.yaml 9 | -------------------------------------------------------------------------------- /apps/frontend/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: frontend 5 | annotations: 6 | linkerd.io/inject: enabled 7 | -------------------------------------------------------------------------------- /apps/frontend/podinfo-abtest.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: flagger.app/v1beta1 2 | kind: Canary 3 | metadata: 4 | name: podinfo 5 | spec: 6 | provider: nginx 7 | # deployment reference 8 | targetRef: 9 | apiVersion: apps/v1 10 | kind: Deployment 11 | name: podinfo 12 | # HPA reference (optional) 13 | autoscalerRef: 14 | apiVersion: autoscaling/v2 15 | kind: HorizontalPodAutoscaler 16 | name: podinfo 17 | # Ingress reference 18 | ingressRef: 19 | apiVersion: networking.k8s.io/v1 20 | kind: Ingress 21 | name: podinfo 22 | # the maximum time in seconds for the canary deployment 23 | # to make progress before it is rolled back (default 600s) 24 | progressDeadlineSeconds: 60 25 | service: 26 | # ClusterIP port number 27 | port: 80 28 | # container port number or name (optional) 29 | targetPort: 9898 30 | analysis: 31 | # schedule interval (default 60s) 32 | interval: 10s 33 | # max number of failed metric checks before rollback 34 | threshold: 3 35 | # A/B test iterations 36 | iterations: 10 37 | # A/B test routing 38 | match: 39 | - headers: 40 | x-user: 41 | exact: "insider" 42 | # Linkerd Prometheus checks 43 | metrics: 44 | - name: request-success-rate 45 | # minimum req success rate (non 5xx responses) 46 | # 
percentage (0-100) 47 | thresholdRange: 48 | min: 99 49 | interval: 1m 50 | - name: request-duration 51 | # maximum req duration P99 52 | # milliseconds 53 | thresholdRange: 54 | max: 500 55 | interval: 30s 56 | # testing (optional) 57 | webhooks: 58 | - name: acceptance-test 59 | type: pre-rollout 60 | url: http://flagger-loadtester.flagger-system/ 61 | timeout: 30s 62 | metadata: 63 | type: bash 64 | cmd: "curl -sd 'test' http://podinfo-canary.frontend/token | grep token" 65 | - name: load-test 66 | type: rollout 67 | url: http://flagger-loadtester.flagger-system/ 68 | metadata: 69 | cmd: "hey -z 2m -q 10 -c 2 -H 'x-user: insider' -host podinfo.sslip.io http://ingress-nginx-controller.ingress-nginx" 70 | - name: load-test-primary 71 | type: rollout 72 | url: http://flagger-loadtester.flagger-system/ 73 | metadata: 74 | cmd: "hey -z 2m -q 10 -c 2 -H 'x-user: production' -host podinfo.sslip.io http://ingress-nginx-controller.ingress-nginx" 75 | -------------------------------------------------------------------------------- /apps/frontend/podinfo-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: podinfo 5 | labels: 6 | app: podinfo 7 | annotations: 8 | nginx.ingress.kubernetes.io/service-upstream: "true" 9 | spec: 10 | ingressClassName: nginx 11 | rules: 12 | - host: "*.sslip.io" 13 | http: 14 | paths: 15 | - pathType: Prefix 16 | path: "/" 17 | backend: 18 | service: 19 | name: podinfo 20 | port: 21 | number: 80 22 | -------------------------------------------------------------------------------- /apps/frontend/podinfo-sync.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1beta2 2 | kind: GitRepository 3 | metadata: 4 | name: podinfo 5 | spec: 6 | interval: 12h 7 | url: https://github.com/stefanprodan/podinfo 8 | ref: 9 | branch: master 10 | ignore: | 11 | /* 12 | 
!/kustomize/deployment.yaml 13 | !/kustomize/hpa.yaml 14 | --- 15 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 16 | kind: Kustomization 17 | metadata: 18 | name: podinfo 19 | spec: 20 | targetNamespace: frontend 21 | interval: 10m 22 | path: "./kustomize/" 23 | prune: true 24 | sourceRef: 25 | kind: GitRepository 26 | name: podinfo 27 | images: 28 | - name: ghcr.io/stefanprodan/podinfo 29 | newTag: 6.2.0 30 | -------------------------------------------------------------------------------- /clusters/my-cluster/apps.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 3 | kind: Kustomization 4 | metadata: 5 | name: apps 6 | namespace: flux-system 7 | spec: 8 | dependsOn: 9 | - name: flagger 10 | - name: ingress-nginx 11 | interval: 1h 12 | retryInterval: 1m 13 | timeout: 5m 14 | prune: true 15 | wait: true 16 | sourceRef: 17 | kind: GitRepository 18 | name: flux-system 19 | path: ./apps/ 20 | -------------------------------------------------------------------------------- /clusters/my-cluster/flux-system/gotk-components.yaml: -------------------------------------------------------------------------------- 1 | # This file will be generated automatically by flux bootstrap. 2 | -------------------------------------------------------------------------------- /clusters/my-cluster/flux-system/gotk-sync.yaml: -------------------------------------------------------------------------------- 1 | # This file will be generated automatically by flux bootstrap. 
2 | -------------------------------------------------------------------------------- /clusters/my-cluster/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - gotk-components.yaml 5 | - gotk-sync.yaml 6 | labels: 7 | - pairs: 8 | toolkit.fluxcd.io/tenant: sre-team 9 | patches: 10 | - patch: | 11 | - op: add 12 | path: /spec/template/spec/containers/0/args/- 13 | value: --concurrent=20 14 | - op: add 15 | path: /spec/template/spec/containers/0/args/- 16 | value: --requeue-dependency=5s 17 | target: 18 | kind: Deployment 19 | name: "(kustomize-controller|helm-controller|source-controller)" 20 | -------------------------------------------------------------------------------- /clusters/my-cluster/infrastructure.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 3 | kind: Kustomization 4 | metadata: 5 | name: cert-manager 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | retryInterval: 1m 10 | timeout: 5m 11 | prune: true 12 | wait: true 13 | sourceRef: 14 | kind: GitRepository 15 | name: flux-system 16 | path: ./infrastructure/cert-manager 17 | --- 18 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 19 | kind: Kustomization 20 | metadata: 21 | name: linkerd 22 | namespace: flux-system 23 | spec: 24 | dependsOn: 25 | - name: cert-manager 26 | interval: 1h 27 | retryInterval: 1m 28 | timeout: 5m 29 | prune: true 30 | wait: true 31 | sourceRef: 32 | kind: GitRepository 33 | name: flux-system 34 | path: ./infrastructure/linkerd 35 | --- 36 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 37 | kind: Kustomization 38 | metadata: 39 | name: ingress-nginx 40 | namespace: flux-system 41 | spec: 42 | dependsOn: 43 | - name: linkerd 44 | interval: 1h 45 | retryInterval: 1m 46 | timeout: 5m 47 | sourceRef: 48 | kind: 
GitRepository 49 | name: flux-system 50 | path: ./infrastructure/ingress-nginx 51 | prune: true 52 | wait: true 53 | --- 54 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 55 | kind: Kustomization 56 | metadata: 57 | name: flagger 58 | namespace: flux-system 59 | spec: 60 | dependsOn: 61 | - name: linkerd 62 | interval: 1h 63 | retryInterval: 1m 64 | timeout: 5m 65 | prune: true 66 | wait: true 67 | sourceRef: 68 | kind: GitRepository 69 | name: flux-system 70 | path: ./infrastructure/flagger 71 | --- 72 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 73 | kind: Kustomization 74 | metadata: 75 | name: weave-gitops 76 | namespace: flux-system 77 | spec: 78 | interval: 1h 79 | retryInterval: 1m 80 | timeout: 5m 81 | prune: true 82 | wait: true 83 | sourceRef: 84 | kind: GitRepository 85 | name: flux-system 86 | path: ./infrastructure/weave-gitops 87 | -------------------------------------------------------------------------------- /docs/screens/linkerd-metrics.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/stefanprodan/gitops-linkerd/09e666259ad3c0907c0b8d14258bd37b2ce5b2ee/docs/screens/linkerd-metrics.png -------------------------------------------------------------------------------- /docs/screens/wego-apps.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/stefanprodan/gitops-linkerd/09e666259ad3c0907c0b8d14258bd37b2ce5b2ee/docs/screens/wego-apps.png -------------------------------------------------------------------------------- /docs/screens/wego-deps.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/stefanprodan/gitops-linkerd/09e666259ad3c0907c0b8d14258bd37b2ce5b2ee/docs/screens/wego-deps.png -------------------------------------------------------------------------------- /docs/screens/wego-linkerd.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/stefanprodan/gitops-linkerd/09e666259ad3c0907c0b8d14258bd37b2ce5b2ee/docs/screens/wego-linkerd.png -------------------------------------------------------------------------------- /infrastructure/cert-manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: cert-manager 4 | resources: 5 | - namespace.yaml 6 | - repository.yaml 7 | - release.yaml 8 | 9 | 10 | -------------------------------------------------------------------------------- /infrastructure/cert-manager/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: cert-manager 6 | labels: 7 | toolkit.fluxcd.io/tenant: sre-team 8 | -------------------------------------------------------------------------------- /infrastructure/cert-manager/release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: cert-manager 6 | namespace: cert-manager 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: cert-manager 12 | version: "*" 13 | sourceRef: 14 | kind: HelmRepository 15 | name: cert-manager 16 | namespace: cert-manager 17 | interval: 12h 18 | values: 19 | installCRDs: true 20 | -------------------------------------------------------------------------------- /infrastructure/cert-manager/repository.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: cert-manager 6 | namespace: cert-manager 7 | spec: 8 | interval: 24h 9 | url: https://charts.jetstack.io 10 | 11 | 
-------------------------------------------------------------------------------- /infrastructure/flagger/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: flagger-system 4 | resources: 5 | - namespace.yaml 6 | - repository.yaml 7 | - release.yaml 8 | - loadtester.yaml 9 | -------------------------------------------------------------------------------- /infrastructure/flagger/loadtester.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1beta2 2 | kind: OCIRepository 3 | metadata: 4 | name: flagger-manifests 5 | spec: 6 | interval: 6h 7 | url: oci://ghcr.io/fluxcd/flagger-manifests 8 | ref: 9 | semver: 1.x 10 | --- 11 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 12 | kind: Kustomization 13 | metadata: 14 | name: loadtester 15 | spec: 16 | interval: 30m 17 | targetNamespace: flagger-system 18 | path: "./tester/" 19 | prune: true 20 | sourceRef: 21 | kind: OCIRepository 22 | name: flagger-manifests 23 | wait: true 24 | -------------------------------------------------------------------------------- /infrastructure/flagger/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: flagger-system 6 | labels: 7 | toolkit.fluxcd.io/tenant: sre-team 8 | annotations: 9 | linkerd.io/inject: enabled 10 | -------------------------------------------------------------------------------- /infrastructure/flagger/release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: flagger 5 | spec: 6 | interval: 1h 7 | releaseName: flagger 8 | install: # override existing Flagger CRDs 9 | crds: CreateReplace 10 | upgrade: # update Flagger 
CRDs 11 | crds: CreateReplace 12 | chart: 13 | spec: 14 | chart: flagger 15 | version: 1.x # update Flagger to the latest minor version 16 | interval: 6h # scan for new versions every six hours 17 | sourceRef: 18 | kind: HelmRepository 19 | name: flagger 20 | values: 21 | meshProvider: linkerd 22 | metricsServer: http://prometheus.linkerd-viz:9090 23 | linkerdAuthPolicy: 24 | create: true 25 | -------------------------------------------------------------------------------- /infrastructure/flagger/repository.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1beta2 2 | kind: HelmRepository 3 | metadata: 4 | name: flagger 5 | spec: 6 | interval: 6h 7 | type: oci 8 | url: oci://ghcr.io/fluxcd/charts 9 | -------------------------------------------------------------------------------- /infrastructure/ingress-nginx/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ingress-nginx 4 | resources: 5 | - namespace.yaml 6 | - repository.yaml 7 | - release.yaml 8 | 9 | 10 | -------------------------------------------------------------------------------- /infrastructure/ingress-nginx/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: ingress-nginx 6 | labels: 7 | toolkit.fluxcd.io/tenant: sre-team 8 | -------------------------------------------------------------------------------- /infrastructure/ingress-nginx/release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: ingress-nginx 6 | spec: 7 | interval: 30m 8 | chart: 9 | spec: 10 | chart: ingress-nginx 11 | version: "*" 12 | sourceRef: 13 | kind: HelmRepository 14 | 
name: ingress-nginx 15 | interval: 12h 16 | values: 17 | controller: 18 | service: 19 | type: "NodePort" 20 | podAnnotations: 21 | linkerd.io/inject: enabled 22 | metrics: 23 | port: 10254 24 | enabled: true 25 | service: 26 | annotations: 27 | prometheus.io/scrape: "true" 28 | prometheus.io/port: "10254" 29 | -------------------------------------------------------------------------------- /infrastructure/ingress-nginx/repository.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: source.toolkit.fluxcd.io/v1beta2 2 | kind: HelmRepository 3 | metadata: 4 | name: ingress-nginx 5 | spec: 6 | interval: 24h 7 | url: https://kubernetes.github.io/ingress-nginx 8 | -------------------------------------------------------------------------------- /infrastructure/linkerd/README.md: -------------------------------------------------------------------------------- 1 | # Generate Linkerd v2 certificates 2 | 3 | Install the step CLI on macOS and Linux using Homebrew: 4 | 5 | ```sh 6 | brew install step 7 | ``` 8 | 9 | Generate the Linkerd trust anchor certificate (note that `--no-password --insecure` writes `ca.key` to disk unencrypted): 10 | 11 | ```sh 12 | step certificate create identity.linkerd.cluster.local ca.crt ca.key \ 13 | --san identity.linkerd.cluster.local \ 14 | --profile root-ca --no-password --insecure \ 15 | --not-after=87600h 16 | ``` 17 | 18 | `ca.key` is the private key of the mesh's root of trust: every Linkerd identity certificate chains up to it, so anyone who holds it can mint identities the mesh will accept. Do not commit it to git in plaintext; keep it outside the repository, or encrypt it at rest (for example with SOPS) before committing, and treat any key that has been checked in — as the `ca.key` next to this README has — as exposed and rotate it before non-demo use. 19 | 20 | -------------------------------------------------------------------------------- /infrastructure/linkerd/ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIBlTCCATugAwIBAgIQT6MGJhspzxHgMcpywVeC6zAKBggqhkjOPQQDAjApMScw 3 | JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjMwMTE4 4 | MTcwNzE5WhcNMzMwMTE1MTcwNzE5WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r 5 | ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQQ+wT3 6 | UIpI5q8DK2k//gASd5c0rFz83nN0NsNqZGoeT1DeRpy6BxZ8rlSYz8yws5RL7GdJ 7 | TDWJxy3icBlyiyvMo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB 8 |
/wIBATAdBgNVHQ4EFgQUi4J4gXk6JfhiUL0cJAoO0KknAAwwCgYIKoZIzj0EAwID 9 | SAAwRQIhAK9VAhIC2ftMtoL/47XRU46/aAr6+NpXAxmrHWuzEuOlAiBEyD18bJzP 10 | 9/lPPcbizhgvHVlc9X2siv4/ehZqfo5BJg== 11 | -----END CERTIFICATE----- 12 | -------------------------------------------------------------------------------- /infrastructure/linkerd/ca.key: -------------------------------------------------------------------------------- 1 | -----BEGIN EC PRIVATE KEY----- 2 | MHcCAQEEIEtL7w+9wARGP9x0WFMPN/dZRxf40CAbacAs3B3NlyDmoAoGCCqGSM49 3 | AwEHoUQDQgAEEPsE91CKSOavAytpP/4AEneXNKxc/N5zdDbDamRqHk9Q3kacugcW 4 | fK5UmM/MsLOUS+xnSUw1icct4nAZcosrzA== 5 | -----END EC PRIVATE KEY----- 6 | -------------------------------------------------------------------------------- /infrastructure/linkerd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | configurations: 4 | - kustomizeconfig.yaml 5 | resources: 6 | - linkerd-crds.yaml 7 | - linkerd-control-plane.yaml 8 | - linkerd-viz.yaml 9 | - linkerd-smi.yaml 10 | - linkerd-certs.yaml 11 | - repositories.yaml 12 | - namespaces.yaml 13 | secretGenerator: 14 | - name: linkerd-trust-anchor 15 | namespace: linkerd 16 | type: kubernetes.io/tls 17 | files: 18 | - tls.crt=ca.crt 19 | - tls.key=ca.key 20 | -------------------------------------------------------------------------------- /infrastructure/linkerd/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | nameReference: 2 | - kind: Secret 3 | version: v1 4 | fieldSpecs: 5 | - path: spec/valuesFrom/name 6 | kind: HelmRelease 7 | - kind: Secret 8 | version: v1 9 | fieldSpecs: 10 | - path: spec/ca/secretName 11 | kind: Issuer 12 | -------------------------------------------------------------------------------- /infrastructure/linkerd/linkerd-certs.yaml: -------------------------------------------------------------------------------- 1 | 
apiVersion: cert-manager.io/v1 2 | kind: Issuer 3 | metadata: 4 | name: linkerd-trust-anchor 5 | namespace: linkerd 6 | spec: 7 | ca: 8 | secretName: linkerd-trust-anchor 9 | --- 10 | apiVersion: cert-manager.io/v1 11 | kind: Certificate 12 | metadata: 13 | name: linkerd-identity-issuer 14 | namespace: linkerd 15 | spec: 16 | secretName: linkerd-identity-issuer 17 | duration: 48h 18 | renewBefore: 25h 19 | issuerRef: 20 | name: linkerd-trust-anchor 21 | kind: Issuer 22 | commonName: identity.linkerd.cluster.local 23 | dnsNames: 24 | - identity.linkerd.cluster.local 25 | isCA: true 26 | privateKey: 27 | algorithm: ECDSA 28 | usages: 29 | - cert sign 30 | - crl sign 31 | - server auth 32 | - client auth 33 | -------------------------------------------------------------------------------- /infrastructure/linkerd/linkerd-control-plane.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: linkerd-control-plane 5 | namespace: linkerd 6 | spec: 7 | interval: 30m 8 | targetNamespace: linkerd 9 | dependsOn: 10 | - name: linkerd-crds 11 | releaseName: linkerd-control-plane 12 | chart: 13 | spec: 14 | version: "1.x" 15 | chart: linkerd-control-plane 16 | sourceRef: 17 | kind: HelmRepository 18 | name: linkerd 19 | interval: 12h 20 | # https://artifacthub.io/packages/helm/linkerd2/linkerd-control-plane 21 | valuesFrom: 22 | - kind: Secret 23 | name: linkerd-trust-anchor 24 | valuesKey: tls.crt 25 | targetPath: identityTrustAnchorsPEM 26 | values: 27 | identity: 28 | issuer: 29 | scheme: "kubernetes.io/tls" 30 | -------------------------------------------------------------------------------- /infrastructure/linkerd/linkerd-crds.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: linkerd-crds 5 | namespace: linkerd 6 | spec: 7 | 
interval: 30m 8 | targetNamespace: linkerd 9 | releaseName: linkerd-crds 10 | chart: 11 | spec: 12 | version: "1.x" 13 | chart: linkerd-crds 14 | sourceRef: 15 | kind: HelmRepository 16 | name: linkerd 17 | interval: 12h 18 | 19 | 20 | -------------------------------------------------------------------------------- /infrastructure/linkerd/linkerd-smi.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: linkerd-smi 5 | namespace: linkerd-smi 6 | spec: 7 | interval: 30m 8 | targetNamespace: linkerd-smi 9 | dependsOn: 10 | - name: linkerd-control-plane 11 | namespace: linkerd 12 | releaseName: linkerd-smi 13 | chart: 14 | spec: 15 | version: "0.x" 16 | chart: linkerd-smi 17 | sourceRef: 18 | kind: HelmRepository 19 | name: linkerd-smi 20 | interval: 12h 21 | -------------------------------------------------------------------------------- /infrastructure/linkerd/linkerd-viz.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: linkerd-viz 5 | namespace: linkerd-viz 6 | spec: 7 | interval: 30m 8 | targetNamespace: linkerd-viz 9 | dependsOn: 10 | - name: linkerd-control-plane 11 | namespace: linkerd 12 | releaseName: linkerd-viz 13 | chart: 14 | spec: 15 | version: "30.x" 16 | chart: linkerd-viz 17 | sourceRef: 18 | kind: HelmRepository 19 | name: linkerd 20 | namespace: linkerd 21 | interval: 12h 22 | # https://artifacthub.io/packages/helm/linkerd2/linkerd-viz 23 | values: 24 | grafana: 25 | enabled: true 26 | prometheus: 27 | enabled: true 28 | -------------------------------------------------------------------------------- /infrastructure/linkerd/namespaces.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: linkerd 5 | 
annotations: 6 | linkerd.io/inject: disabled 7 | kustomize.toolkit.fluxcd.io/ssa: merge 8 | labels: 9 | linkerd.io/is-control-plane: "true" 10 | config.linkerd.io/admission-webhooks: disabled 11 | linkerd.io/control-plane-ns: linkerd 12 | toolkit.fluxcd.io/tenant: sre-team 13 | --- 14 | apiVersion: v1 15 | kind: Namespace 16 | metadata: 17 | name: linkerd-smi 18 | annotations: 19 | kustomize.toolkit.fluxcd.io/ssa: merge 20 | labels: 21 | linkerd.io/extension: smi 22 | toolkit.fluxcd.io/tenant: sre-team 23 | --- 24 | apiVersion: v1 25 | kind: Namespace 26 | metadata: 27 | name: linkerd-viz 28 | annotations: 29 | kustomize.toolkit.fluxcd.io/ssa: merge 30 | labels: 31 | linkerd.io/extension: viz 32 | toolkit.fluxcd.io/tenant: sre-team 33 | -------------------------------------------------------------------------------- /infrastructure/linkerd/repositories.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: linkerd 6 | namespace: linkerd 7 | spec: 8 | interval: 1h 9 | url: https://helm.linkerd.io/stable 10 | --- 11 | apiVersion: source.toolkit.fluxcd.io/v1beta2 12 | kind: HelmRepository 13 | metadata: 14 | name: linkerd-smi 15 | namespace: linkerd-smi 16 | spec: 17 | interval: 1h 18 | url: https://linkerd.github.io/linkerd-smi 19 | -------------------------------------------------------------------------------- /infrastructure/weave-gitops/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: flux-system 4 | resources: 5 | - repository.yaml 6 | - release.yaml 7 | 8 | -------------------------------------------------------------------------------- /infrastructure/weave-gitops/release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: weave-gitops 5 | spec: 6 | interval: 50m 7 | chart: 8 | spec: 9 | chart: weave-gitops 10 | version: "*" 11 | sourceRef: 12 | kind: HelmRepository 13 | name: weave-gitops 14 | interval: 65m 15 | # https://github.com/weaveworks/weave-gitops/blob/main/charts/gitops-server/values.yaml 16 | values: 17 | resources: 18 | requests: 19 | cpu: 100m 20 | memory: 64Mi 21 | limits: 22 | cpu: 1 23 | memory: 512Mi 24 | securityContext: 25 | capabilities: 26 | drop: 27 | - ALL 28 | readOnlyRootFilesystem: true 29 | runAsNonRoot: true 30 | runAsUser: 1000 31 | adminUser: 32 | create: true 33 | username: admin 34 | # Change password by generating a new hash on https://bcrypt.online 35 | # bcrypt hash for password "flux" 36 | passwordHash: "$2a$10$P/tHQ1DNFXdvX0zRGA8LPeSOyb0JXq9rP3fZ4W8HGTpLV7qHDlWhe" 37 | --- 38 | apiVersion: networking.k8s.io/v1 39 | kind: NetworkPolicy 40 | metadata: 41 | name: weave-gitops-ingress 42 | spec: 43 | policyTypes: 44 | - Ingress 45 | ingress: 46 | - from: 47 | - namespaceSelector: {} 48 | podSelector: 49 | matchLabels: 50 | app.kubernetes.io/name: weave-gitops 51 | -------------------------------------------------------------------------------- /infrastructure/weave-gitops/repository.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: weave-gitops 6 | spec: 7 | type: oci 8 | interval: 60m0s 9 | url: oci://ghcr.io/weaveworks/charts 10 | -------------------------------------------------------------------------------- /scripts/validate.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # This script downloads the Flux OpenAPI schemas, then it validates the 4 | # Flux custom resources and the kustomize overlays using kubeconform. 
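# This script is meant to be run locally and in CI to validate the Kubernetes
# manifests (including Flux custom resources) before changes are merged into
# the branch synced by Flux in-cluster.

# Copyright 2022 The Flux authors. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Prerequisites
# - curl, tar
# - yq v4.30
# - kustomize v4.5
# - kubeconform v0.5.0

# Fail fast. errexit aborts on any unchecked non-zero status, nounset turns a
# misspelled variable into an error, and pipefail makes the two pipelines
# below (`curl | tar` and `kustomize build | kubeconform`) fail when ANY stage
# fails. Without pipefail only the last stage's status counts, so a failed
# schema download could leave the schema directory empty and, because of
# -ignore-missing-schemas, every Flux resource would then "pass" unchecked.
set -o errexit -o nounset -o pipefail

# Unpack the schemas into a private temporary directory rather than a fixed,
# world-shared path under /tmp, and remove it on every exit path.
schema_root=$(mktemp -d) || { echo "ERROR - mktemp failed" >&2; exit 1; }
cleanup() { rm -rf -- "${schema_root:?}"; }
trap cleanup EXIT

# kubeconform resolves <location>/<k8s-version>-standalone<-strict>/<kind>.json;
# with -strict and the default "master" version that is this subdirectory.
schema_dir="${schema_root}/master-standalone-strict"

echo "INFO - Downloading Flux OpenAPI schemas"
mkdir -p "${schema_dir}"
# --fail turns an HTTP error into a non-zero exit instead of piping the error
# page into tar; --proto/--proto-redir keep the download (and the release
# redirect GitHub serves) on HTTPS only.
curl --fail --silent --show-error --location \
  --proto '=https' --proto-redir '=https' \
  https://github.com/fluxcd/flux2/releases/latest/download/crd-schemas.tar.gz \
  | tar zxf - -C "${schema_dir}"

# Every YAML file in the repository must at least parse; `yq e 'true'` exits
# non-zero on a syntax error, and errexit then stops the script.
# Feeding the loop from process substitution (instead of `find | while`) keeps
# the loop in the current shell, so an exit inside it ends the script directly.
while IFS= read -r -d '' file; do
  echo "INFO - Validating $file"
  yq e 'true' "$file" > /dev/null
done < <(find . -type f -name '*.yaml' -print0)

# -ignore-missing-schemas is needed because third-party CRDs (cert-manager,
# Linkerd, ...) are in neither the default catalog nor the Flux bundle; be
# aware that resources of those kinds are therefore NOT schema-checked here.
kubeconform_config=(
  "-strict"
  "-ignore-missing-schemas"
  "-schema-location" "default"
  "-schema-location" "${schema_root}"
  "-verbose"
)

# The cluster entry points (Flux Kustomizations) are plain manifests rather
# than kustomize overlays, so they are validated file by file.
echo "INFO - Validating clusters"
while IFS= read -r -d '' file; do
  kubeconform "${kubeconform_config[@]}" "${file}" || exit 1
done < <(find ./clusters -maxdepth 2 -type f -name '*.yaml' -print0)

# mirror kustomize-controller build options
kustomize_flags=("--load-restrictor=LoadRestrictionsNone")
kustomize_config="kustomization.yaml"

# Build every kustomize overlay and validate the rendered output. The `if !`
# around the pipeline, together with pipefail, fails the run when either the
# build or the validation fails (the former PIPESTATUS[0] check only saw the
# kustomize stage).
echo "INFO - Validating kustomize overlays"
while IFS= read -r -d '' file; do
  overlay_dir="${file%"${kustomize_config}"}"
  echo "INFO - Validating kustomization ${overlay_dir}"
  if ! kustomize build "${overlay_dir}" "${kustomize_flags[@]}" \
      | kubeconform "${kubeconform_config[@]}"; then
    exit 1
  fi
done < <(find . -type f -name "${kustomize_config}" -print0)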