REFACTOR(repo): restructure infra folder structure

- Remove argocd/, helm-values/, ingress/ subdirectories - Move files to parent directory with standardized names - Add namespace.yaml to all apps with Goldilocks labels - Preserve vault/ subdirectories (falco, velero) - Update main kustomization.yaml to reference argocd.yaml files directly - Comment out argocd.yaml in each app's kustomization.yaml to prevent circular reference Applications restructured: - cert-manager (2 ArgoCD apps) - external-secrets - reloader - vault (2 ArgoCD apps) - velero (2 ArgoCD apps) - falco - cnpg - haproxy - metallb - vpa - argocd
2025-12-29 02:21:00 +09:00
parent cedb4ec0d4
commit 34a1c9f783
14 changed files with 29 additions and 8 deletions
--- a/falco/argocd.yaml
+++ b/falco/argocd.yaml
@@ -0,0 +1,121 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: falco
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  source:
+    # Helm chart from Falcosecurity repository
+    repoURL: https://falcosecurity.github.io/charts
+    chart: falco
+    targetRevision: 4.20.0
+    helm:
+      values: |
+        # Driver configuration - use modern_ebpf
+        driver:
+          enabled: true
+          kind: modern_ebpf
+
+        # Image configuration - use Falco 0.40.0 for kernel 6.14 support
+        image:
+          registry: docker.io
+          repository: falcosecurity/falco
+          tag: 0.40.0
+
+        # Resource requests
+        resources:
+          requests:
+            cpu: 30m
+            memory: 256Mi
+          limits:
+            cpu: null  # Delete Helm chart default CPU limit
+            memory: 1Gi
+
+        # Falco configuration
+        falco:
+          json_output: true
+          json_include_output_property: true
+          log_stderr: true
+          log_syslog: false
+          log_level: info
+          rules_files:
+            - /etc/falco/falco_rules.yaml
+            - /etc/falco/falco_rules.local.yaml
+
+        # Metrics
+        metrics:
+          enabled: true
+
+        # Service Monitor
+        serviceMonitor:
+          enabled: true
+          interval: 30s
+
+        # Falcosidekick
+        falcosidekick:
+          enabled: true
+          config:
+            debug: false
+          webui:
+            enabled: true
+            replicaCount: 1
+            resources:
+              requests:
+                cpu: 30m
+                memory: 128Mi
+
+        # RBAC
+        rbac:
+          create: true
+
+        serviceAccount:
+          create: true
+          name: falco
+
+        tolerations:
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/master
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/control-plane
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: falco
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+
+    syncOptions:
+      - CreateNamespace=true
+      - PrunePropagationPolicy=foreground
+      - PruneLast=true
+      - ServerSideApply=true
+      - RespectIgnoreDifferences=true
+      - ApplyOutOfSyncOnly=true
+
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+
+  # Ignore StatefulSet differences managed by Kubernetes
+  ignoreDifferences:
+    - group: apps
+      kind: StatefulSet
+      jqPathExpressions:
+        - '.spec.persistentVolumeClaimRetentionPolicy'
+        - '.spec.volumeClaimTemplates[].metadata.creationTimestamp'
+        - '.spec.volumeClaimTemplates[].status'
+        - '.spec.volumeClaimTemplates[].apiVersion'
+        - '.spec.volumeClaimTemplates[].kind'
+
+  revisionHistoryLimit: 10