Refactor noble cluster configurations by removing deprecated Argo CD application management files and transitioning to a streamlined Ansible-driven installation approach. Update kustomization.yaml files to reflect the new structure, ensuring clarity on resource management. Introduce new namespaces and configurations for cert-manager, external-secrets, and logging components, enhancing the overall deployment process. Add detailed README.md documentation for each component to guide users through the setup and management of the noble lab environment.

2026-03-28 17:02:50 -04:00
parent 41841abc84
commit 90fd8fb8a6
59 changed files with 28 additions and 38 deletions
--- a/clusters/noble/bootstrap/kyverno/values.yaml
+++ b/clusters/noble/bootstrap/kyverno/values.yaml
@@ -0,0 +1,22 @@
+# Kyverno — noble (policy engine)
+#
+# helm repo add kyverno https://kyverno.github.io/kyverno/
+# helm repo update
+# kubectl apply -f clusters/noble/apps/kyverno/namespace.yaml
+# helm upgrade --install kyverno kyverno/kyverno -n kyverno \
+#   --version 3.7.1 -f clusters/noble/apps/kyverno/values.yaml --wait --timeout 15m
+#
+# Baseline Pod Security policies (separate chart): see policies-values.yaml + README.md
+#
+# Raise Kubernetes client QPS/burst so under API/etcd load Kyverno does not hit
+# "client rate limiter Wait" / flaky kyverno-health lease (defaults are very low).
+# Two replicas: webhook Service keeps endpoints during rolling restarts (avoids
+# apiserver "connection refused" to kyverno-svc:443 while a single pod cycles).
+admissionController:
+  replicas: 2
+  # Insulate Kyverno API traffic via APF (helps when etcd/apiserver are busy).
+  apiPriorityAndFairness: true
+  container:
+    extraArgs:
+      clientRateLimitQPS: 30
+      clientRateLimitBurst: 60