As of this ticket, some core Toolforge k8s component configuration lives in the ops/puppet.git tree. We're expected to load it all by hand into k8s. Puppet doesn't do it.
List of stuff (probably not complete):
- RBAC (toolforge::k8s::config, i.e., modules/toolforge/files/k8s/toolforge-tool-roles.yaml)
- PSP (i.e., modules/kubeadm/files/psp/base-pod-security-policies.yaml)
- calico (i.e., modules/kubeadm/templates/calicoctl.yaml.erb) now live at https://gitlab.wikimedia.org/repos/cloud/toolforge/calico
I don't think we get a lot of value from having all that YAML coupled to the puppet git tree. Like what happened with the ingress component, we could move all that to a separate repository maintained as helm charts or whatever.
Some docs: