Add upstream Istio and monitoring resources

argocd-applications/istio-operator.yaml

@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: istio-operator
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: 'https://github.com/istio/istio'
+    targetRevision: HEAD
+    path: manifests/charts/istio-operator
+    helm:
+      parameters:
+      - name: hub
+        value: docker.io/istio
+      - name: tag
+        value: 1.9.3
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: istio-operator
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

argocd-applications/istio-upstream.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: istio
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/DavidSpek/argoflow
+    targetRevision: HEAD
+    path: istio
+    kustomize:
+      version: v4.0.5
+  destination:
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

argocd-applications/kiali.yaml

@@ -0,0 +1,72 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kiali
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://kiali.org/helm-charts
+    targetRevision: 1.33.1
+    chart: kiali-operator
+    helm:
+     parameters:
+      - name : cr.create
+        value : "true"
+      - name : cr.namespace
+        value : "istio-system"
+      - name: cr.spec.api.namespaces.exclude[0]
+        value: "istio-operator"
+      - name: cr.spec.api.namespaces.exclude[1]
+        value: "kube-.*"
+      - name: cr.spec.api.namespaces.exclude[2]
+        value: "openshift.*"
+      - name: cr.spec.api.namespaces.exclude[3]
+        value: "ibm.*"
+      - name: cr.spec.api.namespaces.exclude[4]
+        value: "kiali-operator"
+      - name: cr.spec.deployment.override_ingress_yaml.spec.tls[0].hosts[0]
+        value: kiali.example.com
+      - name: cr.spec.deployment.override_ingress_yaml.spec.tls[0].secretName
+        value: kiali-abs-cloud-nl
+      - name: cr.spec.deployment.override_ingress_yaml.spec.rules[0].host
+        value: kiali.example.com
+      - name: cr.spec.deployment.override_ingress_yaml.spec.rules[0].http.paths[0].path
+        value: "/"
+      - name: cr.spec.deployment.override_ingress_yaml.spec.rules[0].http.paths[0].backend.serviceName
+        value: kiali
+      - name: cr.spec.deployment.override_ingress_yaml.spec.rules[0].http.paths[0].backend.servicePort
+        value: "20001"
+      - name: cr.spec.external_services.prometheus.url
+        value: http://kube-prometheus-stack-prometheus.monitoring:9090
+      - name: cr.spec.external_services.grafana.in_cluster_url
+        value: http://kube-prometheus-stack-grafana.monitoring:80
+      - name: cr.spec.external_services.grafana.dashboards[0].name
+        value: "Istio Service Dashboard"
+      - name: cr.spec.external_services.grafana.dashboards[0].variables.namespace
+        value: var-namespace
+      - name: cr.spec.external_services.grafana.dashboards[0].variables.service
+        value: var-service
+      - name: cr.spec.external_services.grafana.dashboards[1].name
+        value: "Istio Workload Dashboard"
+      - name: cr.spec.external_services.grafana.dashboards[1].variables.namespace
+        value: var-namespace
+      - name: cr.spec.external_services.grafana.dashboards[1].variables.service
+        value: var-service
+      - name: cr.spec.external_services.grafana.dashboards[2].name
+        value: "Kubernetes / API server"
+      - name: cr.spec.external_services.grafana.dashboards[2].variables.var-datasource
+        value: default
+      - name: cr.spec.external_services.grafana.dashboards[2].variables.var-cluster
+        value: ""
+      - name: cr.spec.external_services.grafana.dashboards[2].variables.var-instance
+        value: "All"
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kiali-operator
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true

argocd-applications/kube-prometheus-stack.yaml

@@ -0,0 +1,66 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kube-prometheus-stack
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://prometheus-community.github.io/helm-charts
+    targetRevision: 14.9.0
+    chart: kube-prometheus-stack
+    helm:
+     parameters:
+      - name : grafana.ingress.enabled
+        value : "true"
+      - name: grafana.ingress.hosts[0]
+        value: grafana.example.com
+      - name: grafana.ingress.tls[0].secretName
+        value: grafana-example-com
+      - name: grafana.ingress.tls[0].hosts[0]
+        value: grafana-example-com
+      - name: grafana.persistence.type
+        value: pvc
+      - name: grafana.persistence.enabled
+        value: "true"
+      - name: grafana.persistence.storageClassName
+        value: rook-ceph-block
+      - name: grafana.persistence.accessModes[0]
+        value: ReadWriteOnce
+      - name:  grafana.persistence.size
+        value: 20Gi
+      - name: grafana.grafana\.ini.server.root_url
+        value: https://grafana.example.com
+      - name: grafana.plugins[0]
+        value: vonage-status-panel
+      - name: grafana.sidecar.dashboards.provider.foldersFromFilesStructure
+        value: "true"
+      - name: grafana.sidecar.dashboards.folderAnnotation
+        value: k8s-sidecar-target-directory
+      - name: grafana.sidecar.dashboards.annotations.k8s-sidecar-target-directory
+        value: /tmp/dashboards/kubernetes
+      - name: grafana.grafana\.ini.auth\.anonymous.enabled
+        value: "true"
+      - name: grafana.grafana\.ini.auth\.anonymous.org_name
+        value: "Main Org."
+      - name: grafana.grafana\.ini.auth\.anonymous.org_role
+        value: Viewer
+      - name: grafana.grafana\.ini.security.allow_embedding
+        value: "true"
+      - name: prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.storageClassName
+        value: rook-ceph-block
+      - name: prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.accessModes[0]
+        value: ReadWriteOnce
+      - name: prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage
+        value: 50Gi
+      - name: prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues
+        value: "false"
+      - name: prometheus.prometheusSpec.serviceMonitorSelector
+        value: ""
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

argocd-applications/loki-stack.yaml

@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: loki-stack
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://grafana.github.io/helm-charts
+    targetRevision: 2.3.1
+    chart: loki-stack
+    helm:
+     parameters:
+      - name : loki.persistence.enabled
+        value : "true"
+      - name: loki.persistence.accessModes[0]
+        value: ReadWriteOnce
+      - name: loki.persistence.size
+        value: 30Gi
+      - name: loki.config.table_manager.retention_deletes_enabled
+        value: "true"
+      - name: loki.config.table_manager.retention_period
+        value: 168h
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

argocd-applications/monitoring-resources.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: monitoring-resources
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/DavidSpek/argoflow
+    targetRevision: HEAD
+    path: monitoring-resources
+    kustomize:
+      version: v4.0.5
+  destination:
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

argocd-applications/nginx.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nginx
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/DavidSpek/argoflow
+    targetRevision: HEAD
+    path: nginx
+    kustomize:
+      version: v4.0.5
+  destination:
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

argocd-applications/nvidia-gpu-operator.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nvidia-gpu-operator
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://nvidia.github.io/gpu-operator
+    targetRevision: 1.6.2
+    chart: gpu-operator
+    helm:
+     parameters:
+      - name : operator.defaultRuntime
+        value : containerd
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

istio/deny_all_authorizationpolicy.yaml

@@ -0,0 +1,9 @@
+# Enforce an explicit deny-by-default authorization model, similar to
+# the deprecated Istio RBAC
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: global-deny-all
+  namespace: istio-system
+spec:
+  {}

istio/gateway_authorizationpolicy.yaml

@@ -0,0 +1,15 @@
+# Allow all traffic to the istio-ingressgateway
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: istio-ingressgateway
+  namespace: istio-system
+spec:
+  action: ALLOW
+  selector:
+    # Same as the istio-ingressgateway Service selector
+    matchLabels:
+      app: istio-ingressgateway
+      istio: ingressgateway
+  rules:
+  - {}

istio/ingress-certificate.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: istio-ingressgateway-certs
+  namespace: istio-system
+spec:
+  secretName: istio-ingressgateway-certs
+  issuerRef:
+    name: kubeflow-self-signing-issuer
+    kind: ClusterIssuer
+  commonName: kubeflow.example.com
+  dnsNames:
+    - kubeflow.example.com

istio/istio-spec.yaml

@@ -0,0 +1,12 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+  namespace: istio-system
+  name: istio
+spec:
+  profile: default
+  tag: 1.9.3
+  hub: docker.io/istio
+  meshConfig:
+    accessLogFile: /dev/stdout
+    enablePrometheusMerge: true

istio/kubeflow-gateway.yaml

@@ -0,0 +1,28 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: kubeflow-gateway
+  namespace: kubeflow
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - hosts:
+    - '*'
+    port:
+      name: http
+      number: 80
+      protocol: HTTP
+    # Upgrade HTTP to HTTPS
+    tls:
+      httpsRedirect: true
+  - hosts:
+    - '*'
+    port:
+      name: https
+      number: 443
+      protocol: HTTPS
+    tls:
+      mode: SIMPLE
+      privateKey: /etc/istio/ingressgateway-certs/tls.key
+      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

istio/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- istio-spec.yaml
+- namespace.yaml
+- ingress-certificate.yaml
+- kubeflow-gateway.yaml
+- deny_all_authorizationpolicy.yaml
+- gateway_authorizationpolicy.yaml
+- monitoring/