Change Details

As of this ticket, some core Toolforge k8s component configuration live in the ops/puppet.git tree. We're expected to load them all by hand into k8s. Puppet doesn't do it. List of stuff (probably not complete): [] RBAC (`toolforge::k8s::config` i.e, `modules/toolforge/files/k8s/toolforge-tool-roles.yaml`) [] PSP (i.e ` modules/kubeadm/files/psp/base-pod-security-policies.yaml`) [x] calico (i.e `modules/kubeadm/templates/calicoctl.yaml.erb`) I don't think we have a lot of value having all that YAML coupled to the puppet git tree. Like what happened with [[https://gitlab.wikimedia.org/repos/cloud/toolforge/ingress-nginx | the ingress component]], we could move all that to a separate repository maintained as helm charts or whatever. Some docs: * https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin/Kubernetes/RBAC_and_PSP * https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin/Kubernetes/Deploying#bootstrap

As of this ticket, some core Toolforge k8s component configuration live in the ops/puppet.git tree. We're expected to load them all by hand into k8s. Puppet doesn't do it. List of stuff (probably not complete): [] RBAC (`toolforge::k8s::config` i.e, `modules/toolforge/files/k8s/toolforge-tool-roles.yaml`) [] PSP (i.e ` modules/kubeadm/files/psp/base-pod-security-policies.yaml`) [x] calico (i.e `modules/kubeadm/templates/calicoctl.yaml.erb`) now live at https://gitlab.wikimedia.org/repos/cloud/toolforge/calico I don't think we have a lot of value having all that YAML coupled to the puppet git tree. Like what happened with [[https://gitlab.wikimedia.org/repos/cloud/toolforge/ingress-nginx | the ingress component]], we could move all that to a separate repository maintained as helm charts or whatever. Some docs: * https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin/Kubernetes/RBAC_and_PSP * https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin/Kubernetes/Deploying#bootstrap

As of this ticket, some core Toolforge k8s component configuration live in the ops/puppet.git tree. We're expected to load them all by hand into k8s. Puppet doesn't do it. List of stuff (probably not complete): [] RBAC (`toolforge::k8s::config` i.e, `modules/toolforge/files/k8s/toolforge-tool-roles.yaml`) [] PSP (i.e ` modules/kubeadm/files/psp/base-pod-security-policies.yaml`) [x] calico (i.e `modules/kubeadm/templates/calicoctl.yaml.erb`) now live at https://gitlab.wikimedia.org/repos/cloud/toolforge/calico I don't think we have a lot of value having all that YAML coupled to the puppet git tree. Like what happened with [[https://gitlab.wikimedia.org/repos/cloud/toolforge/ingress-nginx | the ingress component]], we could move all that to a separate repository maintained as helm charts or whatever. Some docs: * https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin/Kubernetes/RBAC_and_PSP * https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin/Kubernetes/Deploying#bootstrap