longhorn: add helm repo and adopt workflow

clusters/atlas/flux-system/platform/kustomization.yaml

@@ -12,6 +12,8 @@ resources:
   - monitoring/kustomization.yaml
   - logging/kustomization.yaml
   - maintenance/kustomization.yaml
+  - longhorn-adopt/kustomization.yaml
+  - longhorn/kustomization.yaml
   - longhorn-ui/kustomization.yaml
   - postgres/kustomization.yaml
   - ../platform/vault-csi/kustomization.yaml

clusters/atlas/flux-system/platform/longhorn-adopt/kustomization.yaml

@@ -0,0 +1,17 @@
+# clusters/atlas/flux-system/platform/longhorn-adopt/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: longhorn-adopt
+  namespace: flux-system
+spec:
+  interval: 30m
+  path: ./infrastructure/longhorn/adopt
+  prune: true
+  force: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: longhorn-system
+  wait: true

clusters/atlas/flux-system/platform/longhorn-ui/kustomization.yaml

@@ -15,4 +15,5 @@ spec:
     namespace: flux-system
   dependsOn:
     - name: core
+    - name: longhorn
   wait: true

clusters/atlas/flux-system/platform/longhorn/kustomization.yaml

@@ -0,0 +1,20 @@
+# clusters/atlas/flux-system/platform/longhorn/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: longhorn
+  namespace: flux-system
+spec:
+  interval: 30m
+  path: ./infrastructure/longhorn/core
+  prune: true
+  force: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: longhorn-system
+  dependsOn:
+    - name: helm
+    - name: longhorn-adopt
+  wait: true

infrastructure/longhorn/adopt/kustomization.yaml

@@ -0,0 +1,15 @@
+# infrastructure/longhorn/adopt/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - longhorn-adopt-rbac.yaml
+  - longhorn-helm-adopt-job.yaml
+
+configMapGenerator:
+  - name: longhorn-helm-adopt-script
+    namespace: longhorn-system
+    files:
+      - longhorn_helm_adopt.sh=scripts/longhorn_helm_adopt.sh
+    options:
+      disableNameSuffixHash: true

infrastructure/longhorn/adopt/longhorn-adopt-rbac.yaml

@@ -0,0 +1,56 @@
+# infrastructure/longhorn/adopt/longhorn-adopt-rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: longhorn-helm-adopt
+  namespace: longhorn-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: longhorn-helm-adopt
+rules:
+  - apiGroups: [""]
+    resources:
+      - configmaps
+      - services
+      - serviceaccounts
+      - secrets
+    verbs: ["get", "list", "watch", "patch", "update"]
+  - apiGroups: ["apps"]
+    resources:
+      - deployments
+      - daemonsets
+    verbs: ["get", "list", "watch", "patch", "update"]
+  - apiGroups: ["batch"]
+    resources:
+      - jobs
+    verbs: ["get", "list", "watch", "patch", "update"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources:
+      - roles
+      - rolebindings
+      - clusterroles
+      - clusterrolebindings
+    verbs: ["get", "list", "watch", "patch", "update"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources:
+      - customresourcedefinitions
+    verbs: ["get", "list", "watch", "patch", "update"]
+  - apiGroups: ["scheduling.k8s.io"]
+    resources:
+      - priorityclasses
+    verbs: ["get", "list", "watch", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: longhorn-helm-adopt
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: longhorn-helm-adopt
+subjects:
+  - kind: ServiceAccount
+    name: longhorn-helm-adopt
+    namespace: longhorn-system

infrastructure/longhorn/adopt/longhorn-helm-adopt-job.yaml

@@ -0,0 +1,26 @@
+# infrastructure/longhorn/adopt/longhorn-helm-adopt-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: longhorn-helm-adopt
+  namespace: longhorn-system
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      serviceAccountName: longhorn-helm-adopt
+      restartPolicy: Never
+      containers:
+        - name: adopt
+          image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
+          command: ["/usr/bin/env", "bash"]
+          args: ["/scripts/longhorn_helm_adopt.sh"]
+          volumeMounts:
+            - name: script
+              mountPath: /scripts
+              readOnly: true
+      volumes:
+        - name: script
+          configMap:
+            name: longhorn-helm-adopt-script
+            defaultMode: 0555

infrastructure/longhorn/adopt/namespace.yaml

@@ -0,0 +1,5 @@
+# infrastructure/longhorn/adopt/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: longhorn-system

infrastructure/longhorn/adopt/scripts/longhorn_helm_adopt.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+release_name="longhorn"
+release_namespace="longhorn-system"
+selector="app.kubernetes.io/instance=${release_name}"
+
+annotate_and_label() {
+  local scope="$1"
+  local kind="$2"
+  if [ "${scope}" = "namespaced" ]; then
+    kubectl -n "${release_namespace}" annotate "${kind}" -l "${selector}" \
+      meta.helm.sh/release-name="${release_name}" \
+      meta.helm.sh/release-namespace="${release_namespace}" \
+      --overwrite >/dev/null 2>&1 || true
+    kubectl -n "${release_namespace}" label "${kind}" -l "${selector}" \
+      app.kubernetes.io/managed-by=Helm --overwrite >/dev/null 2>&1 || true
+  else
+    kubectl annotate "${kind}" -l "${selector}" \
+      meta.helm.sh/release-name="${release_name}" \
+      meta.helm.sh/release-namespace="${release_namespace}" \
+      --overwrite >/dev/null 2>&1 || true
+    kubectl label "${kind}" -l "${selector}" \
+      app.kubernetes.io/managed-by=Helm --overwrite >/dev/null 2>&1 || true
+  fi
+}
+
+namespaced_kinds=(
+  configmap
+  service
+  serviceaccount
+  deployment
+  daemonset
+  job
+  role
+  rolebinding
+)
+
+cluster_kinds=(
+  clusterrole
+  clusterrolebinding
+  customresourcedefinition
+  priorityclass
+)
+
+for kind in "${namespaced_kinds[@]}"; do
+  annotate_and_label "namespaced" "${kind}"
+done
+
+for kind in "${cluster_kinds[@]}"; do
+  annotate_and_label "cluster" "${kind}"
+done

infrastructure/longhorn/core/helmrelease.yaml

@@ -0,0 +1,32 @@
+# infrastructure/longhorn/core/helmrelease.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: longhorn
+  namespace: longhorn-system
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: longhorn
+      version: 1.8.2
+      sourceRef:
+        kind: HelmRepository
+        name: longhorn
+        namespace: flux-system
+  install:
+    crds: Skip
+    remediation: { retries: 3 }
+    timeout: 15m
+  upgrade:
+    crds: Skip
+    remediation:
+      retries: 3
+      remediateLastFailure: true
+    cleanupOnFail: true
+    timeout: 15m
+  values:
+    service:
+      ui:
+        type: NodePort
+        nodePort: 30824

infrastructure/longhorn/core/kustomization.yaml

@@ -0,0 +1,6 @@
+# infrastructure/longhorn/core/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - helmrelease.yaml

infrastructure/longhorn/core/namespace.yaml

@@ -0,0 +1,5 @@
+# infrastructure/longhorn/core/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: longhorn-system

infrastructure/sources/helm/kustomization.yaml

@@ -13,6 +13,7 @@ resources:
   - opentelemetry.yaml
   - opensearch.yaml
   - harbor.yaml
+  - longhorn.yaml
   - prometheus.yaml
   - victoria-metrics.yaml
   - secrets-store-csi.yaml

infrastructure/sources/helm/longhorn.yaml

@@ -0,0 +1,9 @@
+# infrastructure/sources/helm/longhorn.yaml
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: longhorn
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: https://charts.longhorn.io