From 2a89801d5e5981946ddc4663f71b8d8eb9bd73b8 Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Wed, 17 Dec 2025 15:04:56 +0900
Subject: [PATCH] INIT(repo): cluster infrastructure setup

---
 external-secrets/argocd/external-secrets.yaml | 46 ++++++++++++++++
 .../helm-values/external-secrets.yaml | 40 ++++++++++++++
 external-secrets/kustomization.yaml | 6 ++
 vault/argocd/vault-secrets.yaml | 32 +++++++++++
 vault/argocd/vault.yaml | 46 ++++++++++++++++
 vault/helm-values/vault.yaml | 55 +++++++++++++++++++
 vault/kustomization.yaml | 7 +++
 7 files changed, 232 insertions(+)
 create mode 100644 external-secrets/argocd/external-secrets.yaml
 create mode 100644 external-secrets/helm-values/external-secrets.yaml
 create mode 100644 external-secrets/kustomization.yaml
 create mode 100644 vault/argocd/vault-secrets.yaml
 create mode 100644 vault/argocd/vault.yaml
 create mode 100644 vault/helm-values/vault.yaml
 create mode 100644 vault/kustomization.yaml
diff --git a/external-secrets/argocd/external-secrets.yaml b/external-secrets/argocd/external-secrets.yaml
new file mode 100644
index 0000000..04a3825
--- /dev/null
+++ b/external-secrets/argocd/external-secrets.yaml
@@ -0,0 +1,46 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-secrets
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ sources:
+ # Helm chart from external repository
+ - repoURL: https://charts.external-secrets.io
+ chart: external-secrets
+ targetRevision: 0.10.5
+ helm:
+ valueFiles:
+ - $values/external-secrets/helm-values/external-secrets.yaml
+ # Values file from Git repository
+ - repoURL: https://gitea0213.kro.kr/bluemayne/infrastructure.git
+ targetRevision: main
+ ref: values
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: external-secrets
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+
+ syncOptions:
+ - CreateNamespace=true
+ - PrunePropagationPolicy=foreground
+ - PruneLast=true
+
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+
+ revisionHistoryLimit: 10
diff --git a/external-secrets/helm-values/external-secrets.yaml b/external-secrets/helm-values/external-secrets.yaml
new file mode 100644
index 0000000..aee6699
--- /dev/null
+++ b/external-secrets/helm-values/external-secrets.yaml
@@ -0,0 +1,40 @@
+# External Secrets Operator Helm Values
+# Chart: https://github.com/external-secrets/external-secrets
+
+# 리소스 제한
+resources:
+ requests:
+ cpu: 20m
+ memory: 64Mi
+ limits:
+ cpu: 200m
+ memory: 256Mi
+
+# Webhook 설정
+webhook:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+
+# CertController 설정
+certController:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+
+# 동시 실행 제한
+concurrent: 3
+
+# 로그 레벨
+logLevel: info
+
+# CRD 자동 설치
+installCRDs: true
diff --git a/external-secrets/kustomization.yaml b/external-secrets/kustomization.yaml
new file mode 100644
index 0000000..cad8be1
--- /dev/null
+++ b/external-secrets/kustomization.yaml
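Review bot: `project: default` places this Application in Argo CD's built-in project, which permits any source repository and any destination cluster/namespace, so a compromised or mistaken commit to the Git source could deploy into arbitrary namespaces; the same line appears in the vault-secrets and vault Applications in the later hunks. A dedicated AppProject whose `sourceRepos` lists only the Gitea repo and the two chart repositories, and whose `destinations` lists only the `external-secrets` and `vault` namespaces on `https://kubernetes.default.svc`, limits the blast radius of automated `prune`/`selfHeal`. Replace `project: default` with the name of that AppProject in all three files once it exists.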
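Review bot: `installCRDs: true` makes the ExternalSecret/SecretStore CRDs part of the Application's managed resources, and the previous hunk enables `prune: true` with the `resources-finalizer`; deleting that Application, or a sync that no longer renders the CRDs, would remove them and cascade-delete every ExternalSecret object in the cluster. If that is not intended, install the CRDs through a separate, non-pruned source and set `installCRDs: false` here, or at least record the cascade risk in a comment above the key, e.g. `# CRDs are pruned with this Application — deleting it removes all ExternalSecret objects`. Whether the chart version pinned in the previous hunk supports a separate CRD install path is not visible here and should be confirmed.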
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ # ArgoCD Application 리소스는 infrastructure/kustomization.yaml에서 관리
+ # - argocd/external-secrets.yaml
diff --git a/vault/argocd/vault-secrets.yaml b/vault/argocd/vault-secrets.yaml
new file mode 100644
index 0000000..04a9abf
--- /dev/null
+++ b/vault/argocd/vault-secrets.yaml
@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: vault-secrets
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ source:
+ repoURL: https://gitea0213.kro.kr/bluemayne/infrastructure.git
+ targetRevision: main
+ path: vault
+
+ destination:
+ server: https://kubernetes.default.svc
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+
+ revisionHistoryLimit: 10
diff --git a/vault/argocd/vault.yaml b/vault/argocd/vault.yaml
new file mode 100644
index 0000000..c7ff10b
--- /dev/null
+++ b/vault/argocd/vault.yaml
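Review bot: `resources:` is followed only by comment lines, so YAML parses the key as null rather than an empty list; kustomize appears to tolerate this, but the intent reads better and survives stricter schema checks as `resources: []`. The same construct appears in `vault/kustomization.yaml` in the last hunk, which additionally lacks a trailing newline (`\ No newline at end of file`). Since the comment says the Application resources are managed from `infrastructure/kustomization.yaml`, consider stating that in English as well so the handover is readable to non-Korean maintainers.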
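Review bot: `destination` has no `namespace` even though `CreateNamespace=true` is set, and `path: vault` currently resolves to a Kustomization that renders no resources (last hunk), so this Application syncs nothing until manifests are added there and, when they are, any namespaced object without an explicit `metadata.namespace` will fail to apply. Add `namespace: vault` under `destination` (or whichever namespace the SecretStore/ExternalSecret manifests are meant to land in), and consider leaving the Application out of the cluster until the `vault/` path has content. Note also that automated `prune: true` on a path that still contains the commented-out Application files would, once uncommented, let this Application manage the other two — a nesting that is presumably not intended and worth a comment.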
@@ -0,0 +1,46 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: vault
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ sources:
+ # Helm chart from external repository
+ - repoURL: https://helm.releases.hashicorp.com
+ chart: vault
+ targetRevision: 0.28.1
+ helm:
+ valueFiles:
+ - $values/vault/helm-values/vault.yaml
+ # Values file from Git repository
+ - repoURL: https://gitea0213.kro.kr/bluemayne/infrastructure.git
+ targetRevision: main
+ ref: values
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: vault
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+
+ syncOptions:
+ - CreateNamespace=true
+ - PrunePropagationPolicy=foreground
+ - PruneLast=true
+
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+
+ revisionHistoryLimit: 10
diff --git a/vault/helm-values/vault.yaml b/vault/helm-values/vault.yaml
new file mode 100644
index 0000000..6f08855
--- /dev/null
+++ b/vault/helm-values/vault.yaml
@@ -0,0 +1,55 @@
+# HashiCorp Vault Helm Values
+# Chart: https://github.com/hashicorp/vault-helm
+
+global:
+ enabled: true
+ tlsDisable: true # 내부 클러스터에서는 TLS 비활성화
+
+server:
+ enabled: true
+
+ # Dev 모드 (시작하기 쉽게, 나중에 production 모드로 변경 가능)
+ dev:
+ enabled: true
+ devRootToken: "root" # 초기 root 토큰 (나중에 변경 권장)
+
+ # 리소스 제한
+ resources:
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+
+ # Ingress 설정
+ ingress:
+ enabled: true
+ ingressClassName: nginx
+ hosts:
+ - host: vault0213.kro.kr
+ paths:
+ - /
+ tls:
+ - secretName: vault-tls
+ hosts:
+ - vault0213.kro.kr
+
+ # 고가용성 비활성화 (단일 인스턴스)
+ ha:
+ enabled: false
+
+ # 서비스 타입
+ service:
+ enabled: true
+ type: ClusterIP
+ port: 8200
+
+# UI 활성화
+ui:
+ enabled: true
+ serviceType: ClusterIP
+
+# Injector (나중에 필요하면 활성화)
+injector:
+ enabled: false
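Review bot: `dev.enabled: true` with `devRootToken: "root"` is combined with `ingress.enabled: true` on the public hostname `vault0213.kro.kr` and `ui.enabled: true`, which exposes a dev-mode Vault whose root credential is committed to Git and readable by anyone with access to this repository; the comment's plan to change it later does not hold, because dev mode re-applies the configured token on every restart and keeps all storage in memory, so the secrets external-secrets will depend on vanish with each pod restart. Keep the Ingress off until dev mode is retired (`ingress.enabled: false`), and when switching to `dev.enabled: false` handle init/unseal out-of-band rather than through a value in this file; the root token should never be a committed value. `tlsDisable: true` also leaves the ingress-controller-to-Vault hop in plaintext, which the comment accepts for in-cluster traffic but which is worth an explicit comment once external access is enabled. Nothing in this commit creates the `vault-tls` Secret and no issuer annotation is visible, so unless another controller provisions it the ingress will serve the controller's default certificate — confirm.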
diff --git a/vault/kustomization.yaml b/vault/kustomization.yaml
new file mode 100644
index 0000000..3307b26
--- /dev/null
+++ b/vault/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ # ArgoCD Application 리소스는 infrastructure/kustomization.yaml에서 관리
+ # - argocd/vault.yaml
+ # - argocd/vault-secrets.yaml
\ No newline at end of file