feat: Migrate sys applications to helmfile

Move most of helmfiles into temp to test only velero. File structure: ```bash / ├── helmfile.d/ # Helmfiles, *.yaml.gotmpl ├── charts/ # Our own charts, e.g `Atlantis` ├── values # Values for helmfiles │ ├── <chart> │ │ ├── values.yaml.gotmpl # Values to be templated in `values/` │ │ ├── kustomize # Kustomizations per environment │ │ ├── manifests # Raw manifests │ │ │ ├── <chart>.yaml # Argo App for bootstrap │ │ │ ├── dashboards # Grafana dashboards │ │ │ │ └── <chart>-metrics.yaml │ │ │ └── policies # Cilium and Kyverno policies │ │ │ ├── CiliumNetworkPolicy-allow-api-server.yaml │ │ │ └── KyvernoPolicy-regred-secret.yaml │ │ └── values # Values for each environment │ │ ├── <chart>-staging.yaml.gotmpl # Values for staging environment │ │ ├── <chart>-prod.yaml.gotmpl # Values for prod environment │ │ └── <chart>.yaml.gotmpl # Standard values for all environments │ │ │ ├── values.yaml # Standard values for all cluster │ ├── values-oceanbox.yaml # Values overrides for oceanbox │ ├── values-ekman.yaml # Values overrides for ekman ```
2025-06-04 13:18:18 +02:00
parent a0a0f8586d
commit 1bb720840d
102 changed files with 9862 additions and 106 deletions
@@ -0,0 +1,476 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    argocd.argoproj.io/tracking-id: argocd:apps/Deployment:argocd/argocd-repo-server
+    deployment.kubernetes.io/revision: "27"
+  labels:
+    app.kubernetes.io/component: repo-server
+    app.kubernetes.io/instance: argocd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: argocd-repo-server
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/version: v2.12.3
+    helm.sh/chart: argo-cd-7.5.2
+  name: argocd-repo-server
+  namespace: argocd
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: argocd
+      app.kubernetes.io/name: argocd-repo-server
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        checksum/cm: 67d6152e0e3482f9a74a6b570fd32bbec4e7856bffe49f577a2a0d3aeaed6f48
+        checksum/cmd-params: 69ed50e8936f4d6429dc331f782ad0a7d22eb12c318d6800403040352214b781
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/component: repo-server
+        app.kubernetes.io/instance: argocd
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: argocd-repo-server
+        app.kubernetes.io/part-of: argocd
+        app.kubernetes.io/version: v2.12.3
+        helm.sh/chart: argo-cd-7.5.2
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchLabels:
+                  app.kubernetes.io/name: argocd-repo-server
+              topologyKey: kubernetes.io/hostname
+            weight: 100
+      automountServiceAccountToken: true
+      containers:
+      - args:
+        - /usr/local/bin/argocd-repo-server
+        - --port=8081
+        - --metrics-port=8084
+        env:
+        - name: ARGOCD_REPO_SERVER_NAME
+          value: argocd-repo-server
+        - name: ARGOCD_RECONCILIATION_TIMEOUT
+          valueFrom:
+            configMapKeyRef:
+              key: timeout.reconciliation
+              name: argocd-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LOGFORMAT
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.log.format
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LOGLEVEL
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.log.level
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.parallelism.limit
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.metrics.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_DISABLE_TLS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.disable.tls
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_TLS_MIN_VERSION
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.tls.minversion
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_TLS_MAX_VERSION
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.tls.maxversion
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_TLS_CIPHERS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.tls.ciphers
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_CACHE_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.repo.cache.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDIS_SERVER
+          valueFrom:
+            configMapKeyRef:
+              key: redis.server
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDIS_COMPRESSION
+          valueFrom:
+            configMapKeyRef:
+              key: redis.compression
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDISDB
+          valueFrom:
+            configMapKeyRef:
+              key: redis.db
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDIS_USERNAME
+          valueFrom:
+            secretKeyRef:
+              key: redis-username
+              name: argocd-redis
+              optional: true
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        - name: REDIS_SENTINEL_USERNAME
+          valueFrom:
+            secretKeyRef:
+              key: redis-sentinel-username
+              name: argocd-redis
+              optional: true
+        - name: REDIS_SENTINEL_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: redis-sentinel-password
+              name: argocd-redis
+              optional: true
+        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.default.cache.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: otlp.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
+          valueFrom:
+            configMapKeyRef:
+              key: otlp.insecure
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
+          valueFrom:
+            configMapKeyRef:
+              key: otlp.headers
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.max.combined.directory.manifests.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.plugin.tar.exclusions
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.allow.oob.symlinks
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.streamed.manifest.max.tar.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.streamed.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.disable.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_GIT_MODULES_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.enable.git.submodule
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.git.lsremote.parallelism.limit
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_GIT_REQUEST_TIMEOUT
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.git.request.timeout
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.revision.cache.lock.timeout
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.include.hidden.directories
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: HELM_CACHE_HOME
+          value: /helm-working-dir
+        - name: HELM_CONFIG_HOME
+          value: /helm-working-dir
+        - name: HELM_DATA_HOME
+          value: /helm-working-dir
+        image: quay.io/argoproj/argocd:v2.12.3
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz?full=true
+            port: metrics
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: repo-server
+        ports:
+        - containerPort: 8081
+          name: repo-server
+          protocol: TCP
+        - containerPort: 8084
+          name: metrics
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: metrics
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /app/config/ssh
+          name: ssh-known-hosts
+        - mountPath: /app/config/tls
+          name: tls-certs
+        - mountPath: /app/config/gpg/source
+          name: gpg-keys
+        - mountPath: /app/config/gpg/keys
+          name: gpg-keyring
+        - mountPath: /app/config/reposerver/tls
+          name: argocd-repo-server-tls
+        - mountPath: /helm-working-dir
+          name: helm-working-dir
+        - mountPath: /home/argocd/cmp-server/plugins
+          name: plugins
+        - mountPath: /tmp
+          name: tmp
+      - command:
+        - /var/run/argocd/argocd-cmp-server
+        image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
+        imagePullPolicy: Always
+        name: kustomize-helm-with-rewrite
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 999
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /var/run/argocd
+          name: var-files
+        - mountPath: /home/argocd/cmp-server/plugins
+          name: plugins
+        - mountPath: /tmp
+          name: cmp-tmp
+        - mountPath: /helm-working-dir
+          name: helm-working-dir
+      - command:
+        - /var/run/argocd/argocd-cmp-server
+        image: registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp:latest
+        imagePullPolicy: Always
+        name: helm-kustomize-cmp
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 999
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /var/run/argocd
+          name: var-files
+        - mountPath: /home/argocd/cmp-server/plugins
+          name: plugins
+        - mountPath: /tmp
+          name: cmp-tmp
+        - mountPath: /helm-working-dir
+          name: helm-working-dir
+      - command:
+        - /var/run/argocd/argocd-cmp-server
+        image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
+        imagePullPolicy: Always
+        name: helmfile-cmp
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 999
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /var/run/argocd
+          name: var-files
+        - mountPath: /home/argocd/cmp-server/plugins
+          name: plugins
+        - mountPath: /tmp
+          name: cmp-tmp
+        - mountPath: /helm-working-dir
+          name: helm-working-dir
+      dnsPolicy: ClusterFirst
+      imagePullSecrets:
+      - name: gitlab-pull-secret
+      initContainers:
+      - command:
+        - /bin/cp
+        - -n
+        - /usr/local/bin/argocd
+        - /var/run/argocd/argocd-cmp-server
+        image: quay.io/argoproj/argocd:v2.12.3
+        imagePullPolicy: IfNotPresent
+        name: copyutil
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /var/run/argocd
+          name: var-files
+      - command:
+        - /bin/sh
+        - /plugin/init-helm-repos.sh
+        env:
+        - name: OCEANBOX_HELM_ACCESS_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: token
+              name: oceanbox-helm
+              optional: false
+        image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
+        imagePullPolicy: Always
+        name: init-helm-repos
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 999
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /helm-working-dir
+          name: helm-working-dir
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      serviceAccount: argocd-repo-server
+      serviceAccountName: argocd-repo-server
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: cmp-tmp
+      - name: helm-working-dir
+      - name: plugins
+      - name: var-files
+      - name: tmp
+      - configMap:
+          defaultMode: 420
+          name: argocd-ssh-known-hosts-cm
+        name: ssh-known-hosts
+      - configMap:
+          defaultMode: 420
+          name: argocd-tls-certs-cm
+        name: tls-certs
+      - configMap:
+          defaultMode: 420
+          name: argocd-gpg-keys-cm
+        name: gpg-keys
+      - name: gpg-keyring
+      - name: argocd-repo-server-tls
+        secret:
+          defaultMode: 420
+          items:
+          - key: tls.crt
+            path: tls.crt
+          - key: tls.key
+            path: tls.key
+          - key: ca.crt
+            path: ca.crt
+          optional: true
+          secretName: argocd-repo-server-tls
@@ -1,5 +1,8 @@
 #!/bin/sh

+# NOTE: Ensure errors are part of exitcode
+# set -o pipefail
+
 export HOME=/plugin

 export HELM_CACHE_HOME=/tmp/helm/cache
@@ -11,5 +14,5 @@ export HELMFILE_TEMPDIR=/tmp/helmfile/tmp

 env > /tmp/$ARGOCD_APP_NAME.env

-helmfile -n "$ARGOCD_APP_NAMESPACE" $ARGS template --include-crds -q
-
+# helmfile -n "$ARGOCD_APP_NAMESPACE" $ARGS template --include-crds -q
+helmfile -n "$ARGOCD_APP_NAMESPACE" $ARGS template --include-crds --debug
@@ -1,12 +1,10 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ConfigManagementPlugin
 metadata:
-  name: helmfile
+  name: helmfile-cmp
 spec:
  generate:
    command: [ /bin/sh ]
    args:
      - /plugin/generate.sh
-  discover:
-    fileName: helmfile.yaml
  lockRepo: false
@@ -1,5 +1,7 @@
 #!/usr/bin/env bash

+set -o pipefail
+
 cmd=$1
 chart=$2
 env=$3
@@ -8,13 +10,14 @@ outdir=${5:-_manifests}

 build() {
  mkdir -p $outdir/templates
+  echo "Creating $outdir/templates"

  echo "generating $outdir/Chart.yaml" 1>&2

  cat <<EOF > $outdir/Chart.yaml
 apiVersion: v1
 appVersion: "1.0"
-description: A Helm chart for Kubernetes
+# description: A Helm chart for Kubernetes
 name: $chart
 version: 0.1.0
 EOF
@@ -2,22 +2,22 @@ environments:
  default:
    values:
    - ../values/values.yaml
-    - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+    - ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
    - ../values/*/values.yaml.gotmpl
-    - ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+    - ../values/*/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
    missingFileHandler: Info
  prod:
    values:
    - ../values.yaml
-    - ../values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+    - ../values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
    - ../values/*/values.yaml.gotmpl
-    - ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+    - ../values/*/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
    missingFileHandler: Info
  staging:
    values:
    - ../values.yaml
-    - ../values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+    - ../values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
    - ../values/*/values.yaml.gotmpl
-    - ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+    - ../values/*/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
    missingFileHandler: Info

@@ -12,7 +12,7 @@ releases:
 - name: velero
  namespace: velero
  chart: velero/velero
-  version: 0.18.2
+  version: 6.0.0
  condition: velero.enabled
  values:
  - ../values/velero/values/velero.yaml.gotmpl
@@ -27,13 +27,13 @@ releases:
  condition: velero.enabled
  missingFileHandler: Info
  values:
-  - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+  - ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
  - ../values/velero/values.yaml.gotmpl
-  - ../values/velero/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+  - ../values/velero/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
  hooks:
  - events: [ prepare, cleanup ]
    showlogs: true
-    command: ../bin/helmify
+    command: "../bin/helmify"
    args:
    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
    - '{{`{{ .Release.Chart }}`}}'
@@ -9,5 +9,5 @@ l HELMFILE ENV="default":

 # NOTE: Render a specifc helm chart
 r HELMFILE ENV="default":
-  helmfile --environment={{ENV}} template -q -f helmfile.d/{{HELMFILE}}.yaml.gotmpl --output-dir-template="../_manifests/{{HELMFILE}}/{{ENV}}/{{{{.Release.Name }}"
-
+  helmfile --environment={{ENV}} template -q -f helmfile.d/{{HELMFILE}}.yaml.gotmpl --output-dir-template="../_manifests/{{HELMFILE}}/{{ENV}}"
+  # helmfile --environment={{ENV}} template -q -f helmfile.d/{{HELMFILE}}.yaml.gotmpl #--output-dir-template="../_manifests/{{HELMFILE}}/{{ENV}}/{{{{.Release.Name }}"
@@ -28,7 +28,10 @@ pkgs.mkShellNoCC {
    helmWrap
    helmfileWrap
    helmfile-nix
+
+    kubectl-cnpg
+    kubectl-neat
  ];

-  CLUSTER_NAME = "oceanbox";
+  ARGOCD_ENV_CLUSTER_NAME = "oceanbox";
 }
@@ -1,14 +1,19 @@
 bases:
 - ../envs/environments.yaml.gotmpl

+repositories:
+  - name: cert-manager
+    url: 'https://charts.jetstack.io'
+
 commonLabels:
  tier: sys

 releases:
 - name: cert-manager
-  namespace: {{ .Environment.Name }}-cert-manager
-  chart: ../charts/cert-manager
-  condition: cert-manager.enabled
+  namespace: cert-manager
+  chart: cert-manager/cert-manager
+  version: 1.12.13
+  condition: cert_manager.enabled
  values:
  - ../values/cert-manager/values/cert-manager.yaml.gotmpl
  - ../values/cert-manager/values/cert-manager-{{ .Environment.Name }}.yaml.gotmpl
@@ -17,9 +22,9 @@ releases:
  - ../values/cert-manager/kustomize/{{ .Environment.Name }}
  missingFileHandler: Info
 - name: cert-manager-manifests
-  namespace: {{ .Environment.Name }}-cert-manager
+  namespace: cert-manager
  chart: _cert-manager-manifests
-  condition: cert-manager.enabled
+  condition: cert_manager.enabled
  missingFileHandler: Info
  values:
  - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
@@ -6,7 +6,7 @@ repositories:
  url: 'https://kyverno.github.io/kyverno/'

 commonLabels:
-  tier: system
+  tier: sys

 apiVersions:
 - monitoring.coreos.com/v1
@@ -1,14 +1,20 @@
 bases:
 - ../envs/environments.yaml.gotmpl

+repositories:
+  - name: metricsserver
+    url: 'https://kubernetes-sigs.github.io/metrics-server/'
+
+
 commonLabels:
  tier: sys

 releases:
 - name: metricsserver
-  namespace: {{ .Environment.Name }}-metricsserver
-  chart: ../charts/metricsserver
-  condition: metricsserver.enabled
+  namespace: kube-system
+  chart: metricsserver/metricsserver
+  version: 3.8.2
+  condition: metrics_server.enabled
  values:
  - ../values/metricsserver/values/metricsserver.yaml.gotmpl
  - ../values/metricsserver/values/metricsserver-{{ .Environment.Name }}.yaml.gotmpl
@@ -17,9 +23,9 @@ releases:
  - ../values/metricsserver/kustomize/{{ .Environment.Name }}
  missingFileHandler: Info
 - name: metricsserver-manifests
-  namespace: {{ .Environment.Name }}-metricsserver
+  namespace: kube-system
  chart: _metricsserver-manifests
-  condition: metricsserver.enabled
+  condition: metrics_server.enabled
  missingFileHandler: Info
  values:
  - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
@@ -0,0 +1,43 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+  - name: nfs-provisioner
+    url: 'https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/'
+
+
+commonLabels:
+  tier: sys
+
+releases:
+- name: nfs-provisioner
+  namespace: kube-system 
+  chart: nfs-provisioner/nfs-subdir-external-provisioner
+  version: 4.0.13
+  condition: nfs_provisioner.enabled
+  values:
+  - ../values/nfs-provisioner/values/nfs-provisioner.yaml.gotmpl
+  - ../values/nfs-provisioner/values/nfs-provisioner-{{ .Environment.Name }}.yaml.gotmpl
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/nfs-provisioner/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: nfs-provisioner-manifests
+  namespace: kube-system 
+  chart: _nfs-provisioner-manifests
+  condition: nfs_provisioner.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+  - ../values/nfs-provisioner/values.yaml.gotmpl
+  - ../values/nfs-provisioner/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/nfs-provisioner/manifests
+    - _nfs-provisioner-manifests
@@ -1,14 +1,18 @@
 bases:
 - ../envs/environments.yaml.gotmpl

+repositories:
+  - name: x509-exporter
+    url: 'https://charts.enix.io'
+
 commonLabels:
  tier: sys

 releases:
 - name: x509-exporter
-  namespace: {{ .Environment.Name }}-x509-exporter
-  chart: ../charts/x509-exporter
-  condition: x509-exporter.enabled
+  namespace: x509-exporter
+  chart: x509-exporter/x509-certificate-exporter
+  condition: x509_exporter.enabled
  values:
  - ../values/x509-exporter/values/x509-exporter.yaml.gotmpl
  - ../values/x509-exporter/values/x509-exporter-{{ .Environment.Name }}.yaml.gotmpl
@@ -17,9 +21,9 @@ releases:
  - ../values/x509-exporter/kustomize/{{ .Environment.Name }}
  missingFileHandler: Info
 - name: x509-exporter-manifests
-  namespace: {{ .Environment.Name }}-x509-exporter
+  namespace: x509-exporter
  chart: _x509-exporter-manifests
-  condition: x509-exporter.enabled
+  condition: x509_exporter.enabled
  missingFileHandler: Info
  values:
  - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
@@ -0,0 +1,38 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: cert-manager
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfiles/cert-manager
+    plugin:
+      name: helmfile
+      env:
+      - name: CLUSTER_NAME
+        value: {{ .Values.clusterConfig.cluster }}
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      # - ServerSideApply=true
+    {{- if .Values.cert_manager.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}
@@ -0,0 +1,225 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: letsencrypt-production
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ .Values.cluster_config.acme_email }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-production
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ .Values.cluster_config.acme_email }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: ca-issuer
+spec:
+  ca:
+    secretName: cluster-ca
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: selfsigning-issuer
+spec:
+  selfSigned: {}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: front-proxy-client
+subjects:
+  - kind: User
+    name: front-proxy-client
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: front-proxy-client
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: front-proxy-client
+rules:
+- apiGroups:
+  - "webhook.cert-manager.io"
+  resources:
+  - mutations
+  - validations
+  verbs: [ "*" ]
+- apiGroups:
+  - metrics.k8s.io
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+---
+
+{{ if .Values.cluster_config.initca }}
+
+# Pod to update certificates from master nodes
+# only runs on control plane nodes (etcd)
+# Mounts cert files rotatet by nixos service.mgr and uses it to update cert-manager secret
+# Always create certs on initial creation,
+# Otherwise, cert creation would not happen until cronJob runs
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cert-create
+  namespace: cert-manager
+spec:
+  backoffLimit: 1
+  template:
+    metadata:
+      labels:
+        block-egress: "true"
+      annotations:
+        linkerd.io/inject: disabled
+    spec:
+      restartPolicy: Never
+      serviceAccountName: cert-secret-updater
+      securityContext:
+        runAsUser: 12000
+        runAsGroup: 13000
+        fsGroup: 10000
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io
+                operator: In
+                values:
+                - control-plane
+      tolerations:
+      - key: unschedulable
+        value: "true"
+        effect: NoSchedule
+      containers:
+      - image: bitnami/kubectl:1.24
+        name: kubectl
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+        command: 
+        - "/bin/sh" 
+        - -c
+        - /tmp/renew-certs/renew-certs.sh
+        volumeMounts:
+          - name: ca-pem
+            mountPath: /tmp/ca.pem
+          - name: ca-key-pem
+            mountPath: /tmp/ca-key.pem
+          - name: certs-script
+            mountPath: /tmp/renew-certs
+      volumes:
+        - name: ca-pem
+          hostPath:
+            path: {{.Values.cluster_config.initca}}/ca.pem
+            type: File
+        - name: ca-key-pem
+          hostPath:
+            path: {{.Values.cluster_config.initca}}/ca-key.pem
+            type: File
+        - name: certs-script
+          configMap:
+            name: renew-certs-script
+            defaultMode: 0755
+---
+apiVersion: v1
+data:
+  renew-certs.sh: |
+    #! /bin/bash
+    kubectl create secret tls -n cert-manager cluster-ca --cert=/tmp/ca.pem --key=/tmp/ca-key.pem --dry-run=client -o yaml > /tmp/new-secret.yaml
+    kubectl apply -f /tmp/new-secret.yaml
+kind: ConfigMap
+metadata:
+  name: renew-certs-script
+  namespace: cert-manager
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-secret-updater
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-secret-updater-role
+  namespace: cert-manager
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - cluster-ca
+  resources:
+  - secrets
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-secret-updater-rbinding
+  namespace: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-secret-updater-role
+subjects:
+- kind: ServiceAccount
+  name: cert-secret-updater
+  namespace: cert-manager
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-egress
+  namespace: cert-manager
+spec:
+  podSelector: 
+    matchLabels:
+      block-egress: "true"
+  policyTypes:
+  - Egress
+---
+{{ end }}
@@ -0,0 +1,3 @@
+cert_manager:
+ enabled: true
+ autosync: true
@@ -0,0 +1,5 @@
+installCRDs: true
+enableCertificateOwnerRef: true
+startupapicheck:
+  podAnnotations:
+    linkerd.io/inject: disabled
@@ -21,6 +21,9 @@ spec:
          value: {{ .Values.clusterConfig.cluster }}
  project: sys
  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
    syncOptions:
    - ServerSideApply=true
    {{- if .Values.nginx.autosync }}
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-host-traffic
+  namespace: ingress-nginx
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+        - host
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-hubble-traffic
+  namespace: ingress-nginx
+spec:
+  egress:
+    - toFQDNs:
+        - matchPattern: hubble.*.*.*
+        - matchPattern: hubble.*.*.*.*
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: ingress-nginx
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: ingress-nginx
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+    - toPorts:
+        - ports:
+            - port: "9913"
+              protocol: TCP
@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-s3-traffic
+  namespace: ingress-nginx
+spec:
+  egress:
+    - toCIDR:
+        - 10.139.2.10/32
+    - toCIDR:
+        - 10.139.2.11/32
+    - toCIDR:
+        - 10.139.2.20/32
+    - toCIDR:
+        - 10.139.2.21/32
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-world-to-ingress-nginx
+  namespace: ingress-nginx
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: ingress-nginx
+  ingress:
+    - fromEntities:
+        - world
+    - toPorts:
+        - ports:
+            - port: "80"
+              protocol: TCP
+            - port: "443"
+              protocol: TCP
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - _manifest.yaml
@@ -1,4 +0,0 @@
-generatorOptions:
-  disableNameSuffixHash: true
-resources:
-  - ../base
@@ -0,0 +1,17 @@
+{{- if .Values.kyverno.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kyverno:generate-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: kyverno
+  namespace: kyverno
+- kind: ServiceAccount
+  name: kyverno-background-controller
+  namespace: kyverno
+{{- end }}
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: kyverno
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+    - toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels: {}
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: kyverno
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: kyverno
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+    - toPorts:
+        - ports:
+            - port: "8000"
+              protocol: TCP
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-kyverno
+  namespace: kyverno
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: kyverno
+  ingress:
+    - fromEntities:
+        - remote-node
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-gitlab-secret
+  annotations:
+    policies.kyverno.io/title: Sync Secrets
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/subject: Secret
+    policies.kyverno.io/description: >-
+      Secrets like registry credentials often need to exist in multiple
+      Namespaces so Pods there have access. Manually duplicating those Secrets
+      is time consuming and error prone. This policy will copy a
+      Secret called `regcred` which exists in the `default` Namespace to
+      new Namespaces when they are created. It will also push updates to
+      the copied Secrets should the source Secret be changed.
+spec:
+  rules:
+  - name: sync-image-pull-secret
+    match:
+      resources:
+        kinds:
+        - Namespace
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: regcred
+      namespace: "{{`{{request.object.metadata.name}}`}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: gitlab-pull-secret
@@ -0,0 +1,33 @@
+{{- if .Values.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-regcred-secret
+  annotations:
+    policies.kyverno.io/title: Sync Secrets
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/subject: Secret
+    policies.kyverno.io/description: >-
+      Secrets like registry credentials often need to exist in multiple
+      Namespaces so Pods there have access. Manually duplicating those Secrets
+      is time consuming and error prone. This policy will copy a
+      Secret called `regcred` which exists in the `default` Namespace to
+      new Namespaces when they are created. It will also push updates to
+      the copied Secrets should the source Secret be changed.            
+spec:
+  rules:
+  - name: sync-image-pull-secret
+    match:
+      resources:
+        kinds:
+        - Namespace
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: regcred
+      namespace: "{{`{{request.object.metadata.name}}`}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: regcred
+{{- end }}
@@ -0,0 +1,33 @@
+{{- if .Values.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/description: 'This policy will sync the s3 secret in kube-system namespace across namespaces'
+    policies.kyverno.io/subject: Secret
+    policies.kyverno.io/title: Sync s3 Secrets
+  name: sync-s3-credentials
+spec:
+  generateExistingOnPolicyUpdate: true
+  background: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        name: s3-credentials
+        namespace: kube-system
+      kind: Secret
+      name: s3-credentials
+      namespace: '{{`{{request.object.metadata.name}}`}}'
+      synchronize: true
+    match:
+      resources:
+        kinds:
+        - Namespace
+        names:
+        - "velero"
+        - "loki"
+        - "tempo"
+    name: sync-s3-secret
+  validationFailureAction: audit
+{{- end }}
@@ -0,0 +1,73 @@
+{{- if .Values.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: whitelist-internal-ingresses
+  annotations:
+    policies.kyverno.io/title: Concatenate Ingresss
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Ingress
+    policies.kyverno.io/description: >-
+      Ingresses with the label "internal=true" should be whitelisted. 
+      If no whitelist exists, add the default values, otherwise append 
+      whitelist to the already existing ones
+spec:
+  mutateExistingOnPolicyUpdate: false
+  #precondition: has whitelist annotation or 
+  rules:
+  - name: ensure-nginx-whitelist-exists
+    match:
+      resources:
+        kinds:
+          - Ingress
+        selector:
+          matchLabels:
+            internal: "true"
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            +(nginx.ingress.kubernetes.io/whitelist-source-range): ""
+  - name: append-existing-whitelist
+    match:
+      resources:
+        kinds:
+          - Ingress
+        selector:
+          matchLabels:
+            internal: "true"
+    preconditions:
+      any:
+      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+        operator: NotEquals
+        value: ""
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            {{- with .Values.cluster_config.ingress_whitelist_ips }}
+            nginx.ingress.kubernetes.io/whitelist-source-range: "{{`{{ @ }}`}},{{ join "," . }}"
+            {{- end }}
+  - name: add-nginx-whitelist
+    match:
+      resources:
+        kinds:
+          - Ingress
+        selector:
+          matchLabels:
+            internal: "true"
+    preconditions:
+      any:
+      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+        operator: Equals
+        value: ""
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            {{- with .Values.cluster_config.ingress_whitelist_ips }}
+            nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," . }}"
+            {{- end }}
+{{- end }}
+
@@ -0,0 +1,36 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metricsserver
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: kube-system
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfiles/metricsserver
+    plugin:
+      name: helmfile
+      env:
+      - name: CLUSTER_NAME
+        value: {{ .Values.clusterConfig.cluster }}
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      # - ServerSideApply=true
+    {{- if .Values.metrics_server.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}
@@ -0,0 +1,4 @@
+metricsserver:
+    enabled: true
+    autosync: true
+    ignoreTLS: false
@@ -0,0 +1,9 @@
+containerPort: 10250
+resources: 
+    requests:
+    cpu: 100m
+    memory: 200Mi
+{{- if .Values.metrics_server.ignoreTLS }}
+args:
+    - "--kubelet-insecure-tls"
+{{- end }}
@@ -0,0 +1,38 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nfs-provisioner
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: kube-system 
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfiles/nfs-provisioner
+    plugin:
+      name: helmfile
+      env:
+      - name: CLUSTER_NAME
+        value: {{ .Values.clusterConfig.cluster }}
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      # - ServerSideApply=true
+    {{- if .Values.nfs_provisioner.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}
@@ -0,0 +1,6 @@
+nfs_provisioner:
+  enabled: true
+  autosync: true
+  archiveOnDelete: true
+  defaultClass: true
+  extraMountOpts: []
@@ -0,0 +1,16 @@
+nfs:
+  server: {{ .Values.cluster_config.fileserver }}
+  path: /{{ default (.Values.clusterConfig.cluster) .Values.nfs_provisioner.path }}
+  mountOptions:
+    - nfsvers=4.2
+    {{- range .Values.nfs_provisioner.extraMountOpts }}
+    - {{ . }}
+    {{- end }}
+storageClass:
+  defaultClass: {{ .Values.nfs_provisioner.defaultClass}}
+  name: managed-nfs-storage
+  archiveOnDelete: {{ .Values.nfs_provisioner.archiveOnDelete }}
+tolerations:
+    - key: unschedulable
+      operator: Exists
+      effect: NoSchedule
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - _manifest.yaml
@@ -1,4 +0,0 @@
-generatorOptions:
-  disableNameSuffixHash: true
-resources:
-  - ../base
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: cnpg
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: postgres-operator
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-webhooks
+  namespace: cnpg
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - kube-apiserver
+    - toPorts:
+        - ports:
+            - port: "9443"
+              protocol: TCP
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-alerting
+  namespace: prometheus
+spec:
+  description: Allow alerting
+  egress:
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: prom-alertmanager
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-alertmanager-ingress
+  namespace: prometheus
+spec:
+  description: Allow Nginx ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: alertmanager
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-dns-metrics
+  namespace: prometheus
+spec:
+  description: Allow DNS metrics
+  egress:
+    - toPorts:
+        - ports:
+            - port: "9153"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-etcd-metrics
+  namespace: prometheus
+spec:
+  description: Allow ETCD metrics
+  egress:
+    - toPorts:
+        - ports:
+            - port: "2379"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-ingress
+  namespace: prometheus
+spec:
+  description: Allow Grafana ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-oidc-login
+  namespace: prometheus
+spec:
+  description: Allow Grafana OIDC login
+  egress:
+    - toFQDNs:
+        - matchName: login.microsoftonline.com
+        - matchPattern: '*.microsoftonline.com'
+        - matchName: api.github.com
+        - matchName: github.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-plugins
+  namespace: prometheus
+spec:
+  description: Allow Grafana Plugins
+  egress:
+    - toFQDNs:
+        - matchName: grafana.com
+        - matchName: storage.googleapis.com
+        - matchName: raw.githubusercontent.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-grafana-secure-gravatar
+  namespace: prometheus
+spec:
+  description: Allow Grafana Secure Gravatar
+  egress:
+    - toFQDNs:
+        - matchName: secure.grafana.com
+        - matchName: secure.gravatar.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-host-traffic
+  namespace: prometheus
+spec:
+  description: Allow Host Traffic
+  egress:
+    - toEntities:
+        - remote-node
+        - host
+        - kube-apiserver
+  endpointSelector:
+    matchLabels: {}
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-nginx-ingress
+  namespace: prometheus
+spec:
+  description: Allow Nginx ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,19 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-opencost-scrape
+  namespace: prometheus
+spec:
+  description: Allow OpenCost scrape
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prometheus
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: opencost
+            io.kubernetes.pod.namespace: opencost
+    - toPorts:
+        - ports:
+            - port: "9090"
+              protocol: TCP
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-metrics-server
+  namespace: prometheus
+spec:
+  description: Allow Remote Metrics Server
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: metrics-server
+  ingress:
+    - fromEntities:
+        - remote-node
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-webhook
+  namespace: prometheus
+spec:
+  description: Allow Remote Web Hook
+  endpointSelector:
+    matchLabels:
+      app: kube-prometheus-stack-operator
+  ingress:
+    - fromEntities:
+        - remote-node
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-robusta-ingress
+  namespace: prometheus
+spec:
+  description: Allow Robusta ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: prom-prometheus
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: robusta
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-stats-grafana
+  namespace: prometheus
+spec:
+  description: Allow stats
+  egress:
+    - toFQDNs:
+        - matchName: stats.grafana.org
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: grafana
@@ -0,0 +1,32 @@
+{{- if and (.Values.kyverno.enabled) (.Values.prometheus.enabled) }}
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: prometheus-stack-default-dashboard-folder
+  namespace: prometheus
+spec:
+  admission: true
+  background: true
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+          selector:
+            matchLabels:
+              app.kubernetes.io/part-of: kube-prometheus-stack
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            grafana_folder: Prometheus-stack
+      targets:
+      - apiVersion: v1
+        kind: ConfigMap        
+        name: "{{`{{ request.object.metadata.name }}`}}"
+    name: generate-dashboard-folder-annotation
+    skipBackgroundRequests: true
+  validationFailureAction: Audit
+{{- end }}
@@ -11,7 +11,7 @@ spec:
  sources:
  - repoURL: {{ .Values.clusterConfig.manifests }}
    targetRevision: HEAD
-    path: helmfiles/cilium
+    path: helmfiles/prometheus
    plugin:
      name: helmfile
      env:
@@ -19,6 +19,9 @@ spec:
          value: {{ .Values.clusterConfig.cluster }}
  project: sys
  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
    syncOptions:
    - ServerSideApply=true
    {{- if .Values.prometheus.autosync }}
@@ -1,32 +1,35 @@
-cilium:
-  enabled: false
+prometheus:
+  enabled: true
  autosync: true
-  spire:
+  # Helm chart version, and app version is different. CRD version MUST be equals to chart's APP version
+  crd_version: 14.0.0
+  certRenewCronEnabled: true
+  snitchUrl: ""
+  oncallUrl: ""
+  pagerdutyRoutingKey: ""
+  fullname: ""
+  # https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml#L47
+  defaultRules: {}
+  additionalScrapeConfigs: []
+  additionalDataSources: []
+  enableFeatures: []
+  storage:
+    size: 50Gi
+  grafana:
+    defaultDashboardsEnabled: true
+    persistence: false
+    disable_login_form: true
+    plugins: []
+  coredns:
+    targetPort: ""
+  etcd:
+    targetPort: ""
+  scheduler:
+    targetPort: ""
+  kubelet:
    enabled: false
-  envoy:
+    https: false
+  thanos:
    enabled: false
-  hubble:
-    ui: true
-    enabled: false
-  encryption:
-    enabled: true
-    type: wireguard
-  kubeProxyReplacement: true
-  l2announcement:
-    enabled: false
-  nodePort:
-    enabled: false
-  gatewayAPI:
-    enabled: false
-  ingressController:
-    enabled: false
-    defaultClass: false
-    loadbalancerMode: shared
-  policyAuditMode: false
-  upgradeCompatability: 1.15
-  k8sServiceHost: localhost
-  k8sServicePort: 7445
-  loadbalancerPool:
-    enabled: false
-    cidr: []
-
+    datasource:
+      enabled: false
@@ -1,4 +1,5 @@
 clusterConfig:
+  manifests: https://gitlab.com/oceanbox/manifests.git
  argo:
    enabled: true
  env: "prod"
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - _manifest.yaml
@@ -1,4 +0,0 @@
-generatorOptions:
-  disableNameSuffixHash: true
-resources:
-  - ../base
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: velero
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: velero
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-job-api-server
+  namespace: velero
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      batch.kubernetes.io/job-name: velero-upgrade-crds
@@ -0,0 +1,17 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: velero
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: velero
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+    - toPorts:
+        - ports:
+            - port: "8085"
+              protocol: TCP
@@ -0,0 +1,31 @@
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: full-backup
+  namespace: velero
+spec:
+  paused: false
+  schedule: '@every 24h'
+  skipImmediately: false
+  template:
+    csiSnapshotTimeout: 10m0s
+    defaultVolumesToRestic: true
+    excludedNamespaces:
+    - cilium-secrets
+    - cilium-spire
+    - grafana
+    - jaeger
+    - kube-system
+    - loki
+    - rabbitmq
+    - prometheus
+    - tempo
+    - test
+    - velero
+    includedNamespaces:
+    - '*'
+    includedResources:
+    - '*'
+    storageLocation: default
+    ttl: 336h0m0s
+  useOwnerReferencesInBackup: false
@@ -10,13 +10,16 @@ spec:
    server: 'https://kubernetes.default.svc'
  sources:
  - repoURL: {{ .Values.clusterConfig.manifests }}
-    targetRevision: HEAD
-    path: helmfiles/velero
+    # targetRevision: HEAD
+    targetRevision: mrtz/helmify
+    path: helmfile.d
    plugin:
-      name: helmfile
+      name: helmfile-cmp
      env:
      - name: CLUSTER_NAME
        value: {{ .Values.clusterConfig.cluster }}
+      - name: HELMFILE_ENVIRONMENT
+        value: default
  project: sys
  syncPolicy:
    managedNamespaceMetadata:
@@ -2,16 +2,16 @@ velero:
  enabled: true
  autosync: true
  kubeletRootDir: "/var/lib/kubernetes/pods"
-  bucket: velero-backup
+  bucket: backup
  bsl: default
  # Opt-in or opt-out pvc backup
  # https://velero.io/docs/main/file-system-backup/#to-back-up
  backupAllVolumes: true
  credentials:
-    secretName: "s3-credentials"
+    secretName: "velero-s3"
  s3:
    region: us-east-1
-    url: "https://nutanix-obj-s3.kube-system"
+    url: "http://10.255.241.30:30080"
    insecureSkipTLSVerify: true
  resources:
    velero:
@@ -28,17 +28,17 @@ configuration:
  uploaderType: kopia
  # Backup all volumes by default
  defaultVolumesToFsBackup: {{ .Values.velero.backupAllVolumes }}
-  ## https://velero.io/docs/v1.6/api-types/backupstoragelocation/
+  # https://velero.io/docs/v1.6/api-types/backupstoragelocation/
  backupStorageLocation:
  - name: {{ .Values.velero.bsl }}
    bucket: {{ .Values.velero.bucket }}
    provider: aws
    default: true
    ## prefix is the directory under which all Velero data should be stored within the bucket. Optional.
-    prefix: {{ .Values.cluster_config.cluster }}/velero
+    prefix: {{ .Values.clusterConfig.cluster }}/velero
    accessMode: ReadWrite
    config:
-      ## ONLY us-east-1 region is supported by nutanix
+      # ONLY us-east-1 region is supported by nutanix
      region: {{ .Values.velero.s3.region }}
      s3ForcePathStyle: "true"
      s3Url: {{ .Values.velero.s3.url }}
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - _manifest.yaml
@@ -1,4 +0,0 @@
-generatorOptions:
-  disableNameSuffixHash: true
-resources:
-  - ../base
--- a/Show More
+++ b/Show More