♻️ k8s: Introduce Namespaces + Cleanups

charts/Makefile

@@ -7,51 +7,67 @@ CONFIG_DIR := $(shell dirname $(REPO_CONFIG_LOCATION))
 CHART_DIRS := $(wildcard $(REPO_BASE_DIR)/charts/*/)
 
 .PHONY: .check-helmfile-installed
-.check-helmfile-installed:
+.check-helmfile-installed: ## Checks if helmfile is installed
 	@if ! command -v helmfile >/dev/null 2>&1; then \
 			echo "'helmfile' is not installed. Install it to continue ...";\
 	fi
 
-helmfile.yaml: simcore-charts/helmfile.yaml
+helmfile.yaml: simcore-charts/helmfile.yaml ## Copies the helmfile.yaml to the charts directory
 	cp $(CONFIG_DIR)/$@ $(REPO_BASE_DIR)/charts/helmfile.yaml
 
-simcore-charts/helmfile.yaml:
+simcore-charts/helmfile.yaml: ## Copies the simcore helmfile to the charts directory
 	cp $(CONFIG_DIR)/helmfile.simcore.yaml $(REPO_BASE_DIR)/charts/$@
 
 .PHONY: helmfile-lint
-helmfile-lint: .check-helmfile-installed helmfile.yaml
+helmfile-lint: .check-helmfile-installed helmfile.yaml ## Lints the helmfile
 	set -a; source $(REPO_CONFIG_LOCATION); set +a; \
 	helmfile lint
 
 .PHONY: .helmfile-local-post-install
-.helmfile-local-post-install:
+.helmfile-local-post-install: ## Post install steps for local helmfile deployment
 	@$(MAKE) -s configure-local-hosts
 	@echo "";
-	@echo "Cluster has been deployed locally: http://$(MACHINE_FQDN)";
+	@echo "Cluster has been deployed locally: https://$(MACHINE_FQDN)";
 	@echo "    For secure connections self-signed certificates are used.";
-	@echo "    Install their root-ca certificate in your system for smooth experience.";
-	@echo "    For insecure connections make sure to disable automatic https redirects in your browser.";
+	@echo "";
 
 .PHONY: helmfile-apply
-helmfile-apply: .check-helmfile-installed helmfile.yaml
+helmfile-apply: .check-helmfile-installed helmfile.yaml ## Applies the helmfile configuration
 	set -a; source $(REPO_CONFIG_LOCATION); set +a; \
 	helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml apply
 
 	@if [ "$(MACHINE_FQDN)" = "osparc.local" ]; then \
 		$(MAKE) -s .helmfile-local-post-install; \
 	fi
 
+.PHONY: helmfile-sync
+helmfile-sync: .check-helmfile-installed helmfile.yaml ## Syncs the helmfile configuration (use `helmfile-apply` to deploy the app)
+	set -a; source $(REPO_CONFIG_LOCATION); set +a; \
+	helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml sync
+
+	@if [ "$(MACHINE_FQDN)" = "osparc.local" ]; then \
+		$(MAKE) -s .helmfile-local-post-install; \
+	fi
+
+
 .PHONY: configure-local-hosts
-configure-local-hosts:
-	@echo "Addings $(MACHINE_FQDN) hosts to /etc/hosts ..."
+configure-local-hosts: ## Adds local hosts entries for the machine
+	@echo "Adding $(MACHINE_FQDN) hosts to /etc/hosts ..."
 	@grep -q '127.0.0.1 k8s.monitoring.$(MACHINE_FQDN)' /etc/hosts || echo '127.0.0.1 k8s.monitoring.$(MACHINE_FQDN)' | sudo tee -a /etc/hosts
 
 .PHONY: helmfile-diff
-helmfile-diff: .check-helmfile-installed helmfile.yaml
+helmfile-diff: .check-helmfile-installed helmfile.yaml ## Shows the differences that would be applied by helmfile
 	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \
 	helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml diff
 
 .PHONY: helmfile-delete
-helmfile-delete: .check-helmfile-installed helmfile.yaml
+helmfile-delete: .check-helmfile-installed helmfile.yaml ## Deletes the helmfile configuration
 	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \
 	helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml delete
+
+.PHONY: up
+up: helmfile-apply ## Start the stack
+
+.PHONY: leave
+leave: ## Leaves kind cluster
+	kind delete clusters kind

charts/README.md

@@ -23,6 +23,14 @@ source: https://kind.sigs.k8s.io/docs/user/quick-start
 
 Follow the instructions here: https://helm.sh/docs/intro/install/
 
+Install the helm-diff plugin: `helm plugin install https://github.com/databus23/helm-diff`
+
+`via https://doc.traefik.io/traefik/user-guides/crd-acme/#ingressroute-definition`
+Install traefik-v3 CRDs: `kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml`
+
+`via https://doc.traefik.io/traefik/user-guides/crd-acme/#ingressroute-definition`
+Install traefik-v3 RBAC: `kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml`
+
 #### helmfile
 
 If you have a different OS / architecture, pick a different link from [release artifacts](https://github.com/helmfile/helmfile/releases)

charts/adminer/values.yaml.gotmpl

@@ -49,6 +49,7 @@ ingress:
   enabled: true
   className: ""
   annotations:
+    namespace: {{ .Release.Namespace }}
     cert-manager.io/cluster-issuer: "cert-issuer"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
   tls:

charts/cert-manager/values.selfsigned.yaml.gotmpl

@@ -22,6 +22,12 @@ extraObjects:
       "helm.sh/hook": post-install,post-upgrade
       "helm.sh/hook-weight": "1"
   spec:
+    secretTemplate:
+      annotations:
+        reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+        reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""  # Control destination namespaces: emptystring means all
+        reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces
+        reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "" # Control auto-reflection namespaces
     isCA: true
     commonName: local-ca
     subject:

charts/traefik/values.insecure.yaml.gotmpl

@@ -3,11 +3,12 @@ extraObjects:
   kind: Service
   metadata:
     name: traefik-api
+    namespace: {{.Release.Namespace}}
   spec:
     type: ClusterIP
     selector:
       app.kubernetes.io/name: traefik
-      app.kubernetes.io/instance: traefik-default
+      app.kubernetes.io/instance: {{.Release.Namespace}}-traefik
     ports:
     - port: 8080
       name: traefik
@@ -17,7 +18,7 @@ extraObjects:
   kind: Secret
   metadata:
     name: traefik-authorized-users
-    namespace: default
+    namespace: {{.Release.Namespace}}
   data:
     users: |2
       {{ requiredEnv "TRAEFIK_K8S_AUTHORIZED_USER" }}
@@ -32,16 +33,18 @@ extraObjects:
   kind: Ingress
   metadata:
     name: traefik-dashboard
+    namespace: {{.Release.Namespace}}
     annotations:
-      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure  # allow http(s) for local deployment
-      traefik.ingress.kubernetes.io/router.middlewares: default-traefik-basic-auth@kubernetescrd  # namespace + middleware name
+      traefik.ingress.kubernetes.io/router.entrypoints: websecure  # allow http(s) for local deployment
+      traefik.ingress.kubernetes.io/router.middlewares: {{.Release.Namespace}}-traefik-basic-auth@kubernetescrd  # namespace + middleware name
+      cert-manager.io/cluster-issuer: "cert-issuer"
   spec:
     tls:
-    - hosts:
-        - k8s.monitoring.{{ requiredEnv "MACHINE_FQDN" }}
-      secretName: monitoring-tls
+      - hosts:
+          - {{ requiredEnv "K8S_MONITORING_FQDN" }}
+        secretName: monitoring-tls
     rules:
-    - host: k8s.monitoring.{{ requiredEnv "MACHINE_FQDN" }}
+    - host: {{ requiredEnv "K8S_MONITORING_FQDN" }}
       http:
         paths:
         - path: /dashboard
@@ -51,7 +54,7 @@ extraObjects:
               name: traefik-api
               port:
                 name: traefik
-    - host: k8s.monitoring.{{ requiredEnv "MACHINE_FQDN" }}
+    - host: {{ requiredEnv "K8S_MONITORING_FQDN" }}
       http:
         paths:
         - path: /api

charts/traefik/values.secure.yaml.gotmpl

@@ -10,11 +10,12 @@ extraObjects:
   kind: Service
   metadata:
     name: traefik-api
+    namespace: {{.Release.Namespace}}
   spec:
     type: ClusterIP
     selector:
       app.kubernetes.io/name: traefik
-      app.kubernetes.io/instance: traefik-default
+      app.kubernetes.io/instance: {{.Release.Namespace}}-traefik
     ports:
     - port: 8080
       name: traefik
@@ -25,7 +26,7 @@ extraObjects:
   kind: Secret
   metadata:
     name: traefik-authorized-users
-    namespace: default
+    namespace: {{.Release.Namespace}}
   data:
     users: |2
       {{ requiredEnv "TRAEFIK_K8S_AUTHORIZED_USER" }}
@@ -53,9 +54,11 @@ extraObjects:
   kind: Ingress
   metadata:
     name: traefik-dashboard
+    namespace: {{.Release.Namespace}}
     annotations:
       traefik.ingress.kubernetes.io/router.entrypoints: websecure
-      traefik.ingress.kubernetes.io/router.middlewares: default-traefik-basic-auth@kubernetescrd
+      traefik.ingress.kubernetes.io/router.middlewares: {{.Release.Namespace}}-traefik-basic-auth@kubernetescrd # namespace + middleware name
+      cert-manager.io/cluster-issuer: "cert-issuer"
   spec:
     tls:
     - hosts:

charts/traefik/values.webinternal.yaml.gotmpl

@@ -9,4 +9,4 @@ ports:
     http3:
       enabled: false
     middlewares:
-      - default-internal-ipallowlist@kubernetescrd
+      - {{.Release.Namespace}}-internal-ipallowlist@kubernetescrd