From 223149ecdd0ddb4863bafd812e40eacc49980c92 Mon Sep 17 00:00:00 2001 
From: Jonas Juselius Date: Fri, 16 May 2025 15:30:01 +0200 Subject: [PATCH] wip: more or less working argo and cilium helmfile setup --- argocd/helmfile-cmp/Dockerfile | 2 +- .../argo-repo-server.yaml | 425 ++++++++++++++++++ envs/environments.yaml.gotmpl | 2 +- helmfile.d/argo.yaml.gotmpl | 19 +- helmfile.d/cilium.yaml.gotmpl | 56 +++ values/argo/helmfile.yaml | 59 --- .../argo/manifests/argo.yaml | 13 +- ...rkPolicy-allow-applicationset-ingress.yaml | 0 ...etworkPolicy-allow-argo-notifications.yaml | 0 ...allow-argo-repo-access-applicationset.yaml | 0 ...mNetworkPolicy-allow-argo-repo-access.yaml | 0 ...tworkPolicy-allow-chartmuseum-ingress.yaml | 0 ...olicy-allow-image-updater-repo-access.yaml | 0 .../CiliumNetworkPolicy-allow-ingress.yaml | 0 .../CiliumNetworkPolicy-allow-kube-api.yaml | 0 ...liumNetworkPolicy-allow-microsoft-sso.yaml | 0 ...licy-allow-prometheus-metrics-rollout.yaml | 0 ...cy-allow-prometheus-metrics-workflows.yaml | 0 ...etworkPolicy-allow-prometheus-metrics.yaml | 0 values/argo/values.yaml.gotmpl | 9 + .../CiliumNetworkPolicy-allow-api-server.yaml | 0 .../cilium/cilium-manifests}/cilium.yaml | 24 +- .../dashboards/cilium-policy-verdicts.yaml | 6 +- .../cilium/cilium-manifests/loadbalancer.yaml | 4 +- ...rwideNetworkPolicy-allow-acme-solvers.yaml | 0 ...iumClusterwideNetworkPolicy-allow-dns.yaml | 0 ...eNetworkPolicy-allow-mariadb-operator.yaml | 0 ...liumClusterwideNetworkPolicy-allow-s3.yaml | 6 +- ...ideNetworkPolicy-cilium-health-checks.yaml | 0 ...liumClusterwideNetworkPolicy-deny-all.yaml | 0 .../CiliumNetworkPolicy-allow-api-server.yaml | 0 ...orkPolicy-allow-remote-node-to-server.yaml | 0 values/cilium/values-oceanbox.yaml.gotmpl | 15 + values/cilium/values.yaml.gotmpl | 32 ++ .../cilium.yaml.gotmpl} | 0 values/values-oceanbox.yaml | 6 + values/values.yaml | 4 + 37 files changed, 582 insertions(+), 100 deletions(-) create mode 100644 argocd/kustomize-helm-with-rewrite/argo-repo-server.yaml create mode 100644 
helmfile.d/cilium.yaml.gotmpl delete mode 100644 values/argo/helmfile.yaml rename apps/templates/argocd.yaml => values/argo/manifests/argo.yaml (63%) rename values/argo/manifests/{ => cilium}/CiliumNetworkPolicy-allow-applicationset-ingress.yaml (100%) rename values/argo/manifests/{ => cilium}/CiliumNetworkPolicy-allow-argo-notifications.yaml (100%) rename values/argo/manifests/{ => cilium}/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml (100%) rename values/argo/manifests/{ => cilium}/CiliumNetworkPolicy-allow-argo-repo-access.yaml (100%) rename values/argo/manifests/{ => cilium}/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml (100%) rename values/argo/manifests/{ => cilium}/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml (100%) rename values/argo/manifests/{ => cilium}/CiliumNetworkPolicy-allow-ingress.yaml (100%) rename values/argo/manifests/{ => cilium}/CiliumNetworkPolicy-allow-kube-api.yaml (100%) rename values/argo/manifests/{ => cilium}/CiliumNetworkPolicy-allow-microsoft-sso.yaml (100%) rename values/argo/manifests/{ => cilium}/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml (100%) rename values/argo/manifests/{ => cilium}/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml (100%) rename values/argo/manifests/{ => cilium}/CiliumNetworkPolicy-allow-prometheus-metrics.yaml (100%) rename {apps/charts/sys-cilium-policies/templates => values/cilium/cilium-manifests}/cilium-test/CiliumNetworkPolicy-allow-api-server.yaml (100%) rename {apps/templates => values/cilium/cilium-manifests}/cilium.yaml (65%) rename {apps/templates/resources => values/cilium/cilium-manifests}/dashboards/cilium-policy-verdicts.yaml (99%) rename apps/templates/resources/pre-cilium.yaml => values/cilium/cilium-manifests/loadbalancer.yaml (76%) rename {apps/charts/sys-cilium-policies/templates/clusterwide => values/cilium/cilium-manifests/policies}/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml (100%) rename 
{apps/charts/sys-cilium-policies/templates/clusterwide => values/cilium/cilium-manifests/policies}/CiliumClusterwideNetworkPolicy-allow-dns.yaml (100%) rename {apps/charts/sys-cilium-policies/templates/clusterwide => values/cilium/cilium-manifests/policies}/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml (100%) rename {apps/charts/sys-cilium-policies/templates/clusterwide => values/cilium/cilium-manifests/policies}/CiliumClusterwideNetworkPolicy-allow-s3.yaml (71%) rename {apps/charts/sys-cilium-policies/templates/clusterwide => values/cilium/cilium-manifests/policies}/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml (100%) rename {apps/charts/sys-cilium-policies/templates/clusterwide => values/cilium/cilium-manifests/policies}/CiliumClusterwideNetworkPolicy-deny-all.yaml (100%) rename {apps/charts/sys-cilium-policies/templates/cilium-spire => values/cilium/spire-manifests}/CiliumNetworkPolicy-allow-api-server.yaml (100%) rename {apps/charts/sys-cilium-policies/templates/cilium-spire => values/cilium/spire-manifests}/CiliumNetworkPolicy-allow-remote-node-to-server.yaml (100%) create mode 100644 values/cilium/values-oceanbox.yaml.gotmpl create mode 100644 values/cilium/values.yaml.gotmpl rename values/cilium/{values.yaml => values/cilium.yaml.gotmpl} (100%) diff --git a/argocd/helmfile-cmp/Dockerfile b/argocd/helmfile-cmp/Dockerfile index 1c8e31b5..3eb7df74 100644 --- a/argocd/helmfile-cmp/Dockerfile +++ b/argocd/helmfile-cmp/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/helmfile/helmfile:v0.157.0 +FROM ghcr.io/helmfile/helmfile:v1.0.0 RUN mkdir -p /home/argocd/cmp-server/config/ COPY plugin.yaml /home/argocd/cmp-server/config/ diff --git a/argocd/kustomize-helm-with-rewrite/argo-repo-server.yaml b/argocd/kustomize-helm-with-rewrite/argo-repo-server.yaml new file mode 100644 index 00000000..325afb26 --- /dev/null +++ b/argocd/kustomize-helm-with-rewrite/argo-repo-server.yaml 
@@ -0,0 +1,425 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + argocd.argoproj.io/tracking-id: argocd:apps/Deployment:argocd/argocd-repo-server + labels: + app.kubernetes.io/component: repo-server + app.kubernetes.io/instance: argocd + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: argocd-repo-server + app.kubernetes.io/part-of: argocd + app.kubernetes.io/version: v2.10.4 + helm.sh/chart: argo-cd-6.7.3 + name: argocd-repo-server + namespace: argocd +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 3 + selector: + matchLabels: + app.kubernetes.io/instance: argocd + app.kubernetes.io/name: argocd-repo-server + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + annotations: + checksum/cm: 3d88c02b8c8e470b75262aae39da4b4bc6f29a02d2a6c7a9e0d44d2d69aa908b + checksum/cmd-params: d76791b7d65a3839bc44b46b65ecfecb5be7ac834b4915b0dea1577f524ea687 + creationTimestamp: null + labels: + app.kubernetes.io/component: repo-server + app.kubernetes.io/instance: argocd + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: argocd-repo-server + app.kubernetes.io/part-of: argocd + app.kubernetes.io/version: v2.10.4 + helm.sh/chart: argo-cd-6.7.3 + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: argocd-repo-server + topologyKey: kubernetes.io/hostname + weight: 100 + containers: + - args: + - /usr/local/bin/argocd-repo-server + - --port=8081 + - --metrics-port=8084 + env: + - name: ARGOCD_REPO_SERVER_NAME + value: argocd-repo-server + - name: ARGOCD_RECONCILIATION_TIMEOUT + valueFrom: + configMapKeyRef: + key: timeout.reconciliation + name: argocd-cm + optional: true + - name: ARGOCD_REPO_SERVER_LOGFORMAT + valueFrom: + configMapKeyRef: + key: reposerver.log.format + name: argocd-cmd-params-cm + optional: true + - name: 
ARGOCD_REPO_SERVER_LOGLEVEL + valueFrom: + configMapKeyRef: + key: reposerver.log.level + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT + valueFrom: + configMapKeyRef: + key: reposerver.parallelism.limit + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS + valueFrom: + configMapKeyRef: + key: reposerver.listen.address + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS + valueFrom: + configMapKeyRef: + key: reposerver.metrics.listen.address + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_DISABLE_TLS + valueFrom: + configMapKeyRef: + key: reposerver.disable.tls + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_TLS_MIN_VERSION + valueFrom: + configMapKeyRef: + key: reposerver.tls.minversion + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_TLS_MAX_VERSION + valueFrom: + configMapKeyRef: + key: reposerver.tls.maxversion + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_TLS_CIPHERS + valueFrom: + configMapKeyRef: + key: reposerver.tls.ciphers + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_CACHE_EXPIRATION + valueFrom: + configMapKeyRef: + key: reposerver.repo.cache.expiration + name: argocd-cmd-params-cm + optional: true + - name: REDIS_SERVER + valueFrom: + configMapKeyRef: + key: redis.server + name: argocd-cmd-params-cm + optional: true + - name: REDIS_COMPRESSION + valueFrom: + configMapKeyRef: + key: redis.compression + name: argocd-cmd-params-cm + optional: true + - name: REDISDB + valueFrom: + configMapKeyRef: + key: redis.db + name: argocd-cmd-params-cm + optional: true + - name: REDIS_USERNAME + valueFrom: + secretKeyRef: + key: redis-username + name: argocd-redis + optional: true + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + key: redis-password + name: argocd-redis + optional: true + - name: ARGOCD_DEFAULT_CACHE_EXPIRATION + valueFrom: 
+ configMapKeyRef: + key: reposerver.default.cache.expiration + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS + valueFrom: + configMapKeyRef: + key: otlp.address + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_OTLP_INSECURE + valueFrom: + configMapKeyRef: + key: otlp.insecure + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_OTLP_HEADERS + valueFrom: + configMapKeyRef: + key: otlp.headers + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE + valueFrom: + configMapKeyRef: + key: reposerver.max.combined.directory.manifests.size + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS + valueFrom: + configMapKeyRef: + key: reposerver.plugin.tar.exclusions + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS + valueFrom: + configMapKeyRef: + key: reposerver.allow.oob.symlinks + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE + valueFrom: + configMapKeyRef: + key: reposerver.streamed.manifest.max.tar.size + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE + valueFrom: + configMapKeyRef: + key: reposerver.streamed.manifest.max.extracted.size + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE + valueFrom: + configMapKeyRef: + key: reposerver.helm.manifest.max.extracted.size + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE + valueFrom: + configMapKeyRef: + key: reposerver.disable.helm.manifest.max.extracted.size + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_GIT_MODULES_ENABLED + valueFrom: + configMapKeyRef: + key: reposerver.enable.git.submodule + name: argocd-cmd-params-cm + 
optional: true + - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT + valueFrom: + configMapKeyRef: + key: reposerver.git.lsremote.parallelism.limit + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_GIT_REQUEST_TIMEOUT + valueFrom: + configMapKeyRef: + key: reposerver.git.request.timeout + name: argocd-cmd-params-cm + optional: true + - name: HELM_CACHE_HOME + value: /helm-working-dir + - name: HELM_CONFIG_HOME + value: /helm-working-dir + - name: HELM_DATA_HOME + value: /helm-working-dir + image: quay.io/argoproj/argocd:v2.10.4 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz?full=true + port: metrics + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: repo-server + ports: + - containerPort: 8081 + name: repo-server + protocol: TCP + - containerPort: 8084 + name: metrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: metrics + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /app/config/ssh + name: ssh-known-hosts + - mountPath: /app/config/tls + name: tls-certs + - mountPath: /app/config/gpg/source + name: gpg-keys + - mountPath: /app/config/gpg/keys + name: gpg-keyring + - mountPath: /app/config/reposerver/tls + name: argocd-repo-server-tls + - mountPath: /helm-working-dir + name: helm-working-dir + - mountPath: /home/argocd/cmp-server/plugins + name: plugins + - mountPath: /tmp + name: tmp + - command: + - /var/run/argocd/argocd-cmp-server + image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest + imagePullPolicy: Always + 
name: kustomize-helm-with-rewrite + resources: {} + securityContext: + runAsNonRoot: true + runAsUser: 999 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /var/run/argocd + name: var-files + - mountPath: /home/argocd/cmp-server/plugins + name: plugins + - mountPath: /tmp + name: cmp-tmp + - mountPath: /helm-working-dir + name: helm-working-dir + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: gitlab-pull-secret + initContainers: + - command: + - /bin/cp + - -n + - /usr/local/bin/argocd + - /var/run/argocd/argocd-cmp-server + image: quay.io/argoproj/argocd:v2.10.4 + imagePullPolicy: IfNotPresent + name: copyutil + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /var/run/argocd + name: var-files + - command: + - /bin/sh + - /plugin/init-helm-repos.sh + image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest + imagePullPolicy: Always + name: init-helm-repos + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsUser: 999 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + env: + - name: OCEANBOX_HELM_ACCESS_TOKEN + valueFrom: + secretKeyRef: + key: token + name: oceanbox-helm + optional: false + volumeMounts: + - mountPath: /helm-working-dir + name: helm-working-dir + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: argocd-repo-server + serviceAccountName: argocd-repo-server + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: {} + name: cmp-tmp + - emptyDir: {} + name: helm-working-dir + - 
emptyDir: {} + name: plugins + - emptyDir: {} + name: var-files + - emptyDir: {} + name: tmp + - configMap: + defaultMode: 420 + name: argocd-ssh-known-hosts-cm + name: ssh-known-hosts + - configMap: + defaultMode: 420 + name: argocd-tls-certs-cm + name: tls-certs + - configMap: + defaultMode: 420 + name: argocd-gpg-keys-cm + name: gpg-keys + - emptyDir: {} + name: gpg-keyring + - name: argocd-repo-server-tls + secret: + defaultMode: 420 + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + - key: ca.crt + path: ca.crt + optional: true + secretName: argocd-repo-server-tls + diff --git a/envs/environments.yaml.gotmpl b/envs/environments.yaml.gotmpl index 4ca2e101..26ac52ff 100644 --- a/envs/environments.yaml.gotmpl +++ b/envs/environments.yaml.gotmpl @@ -1,4 +1,3 @@ ---- environments: default: values: @@ -21,3 +20,4 @@ environments: - ../values/*/values.yaml.gotmpl - ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl missingFileHandler: Info + diff --git a/helmfile.d/argo.yaml.gotmpl b/helmfile.d/argo.yaml.gotmpl index 3d0c034a..53deac32 100644 --- a/helmfile.d/argo.yaml.gotmpl +++ b/helmfile.d/argo.yaml.gotmpl @@ -5,12 +5,15 @@ repositories: - name: argo url: https://argoproj.github.io/argo-helm +commonLabels: + tier: system + releases: - name: argocd namespace: argocd chart: argo/argo-cd version: 7.5.2 - condition: install.argo.argocd.enabled + condition: argo.enabled values: - ../values/argo/values/argocd.yaml.gotmpl - ../values/argo/values/argocd-{{ .Environment.Name }}.yaml.gotmpl @@ -22,7 +25,7 @@ releases: namespace: argocd chart: argo/argocd-apps version: 0.0.1 - condition: install.argo.apps.enabled + condition: argo.apps.enabled values: - ../values/argo/values/apps.yaml.gotmpl missingFileHandler: Info 
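Review bot: The `kustomize-helm-with-rewrite` sidecar's `securityContext` sets only `runAsNonRoot: true` and `runAsUser: 999`, while the `repo-server` container and both init containers (including `init-helm-repos`, which runs from the same image) also set `allowPrivilegeEscalation: false`, drop all capabilities, use `readOnlyRootFilesystem: true` and `seccompProfile: RuntimeDefault`; the CMP sidecar is the container that executes plugin tooling against repository contents, so it is the one that most needs that baseline. Its writable paths (`/tmp`, `/var/run/argocd`, the plugins dir and `/helm-working-dir`) are already mounts, and the init container from the same image already runs read-only, so the stricter context should work — confirm that nothing in the image writes to `$HOME` outside those mounts. The same container is pulled by the floating tag `registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest` with `imagePullPolicy: Always`, so what actually runs is whatever was pushed last and cannot be reviewed or rolled back from this file; pinning a tag or digest would make the supply chain auditable. Finally, this manifest appears to be rendered chart output (`helm.sh/chart: argo-cd-6.7.3`, `app.kubernetes.io/version: v2.10.4`, the `checksum/*` annotations, `image: quay.io/argoproj/argocd:v2.10.4`) while `helmfile.d/argo.yaml.gotmpl` in this same patch pins chart `7.5.2`, so the two will drift unless this file is regenerated with each chart bump.
```yaml
      - command:
        - /var/run/argocd/argocd-cmp-server
        # … unchanged: image, imagePullPolicy, name, resources …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 999
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: terminationMessage*, volumeMounts …
```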
@@ -30,7 +33,7 @@ releases: namespace: argocd chart: argo/argo-rollouts version: 2.35.2 - condition: install.argo.rollouts.enabled + condition: argo.rollouts.enabled values: - ../values/argo/values/rollouts.yaml.gotmpl missingFileHandler: Info @@ -38,13 +41,17 @@ releases: namespace: argocd chart: argo/argo-workflows version: 0.45.0 - condition: install.argo.workflows.enabled - values: - - ../values/argo/values/workflows.yaml.gotmpl + condition: argo.workflows.enabled missingFileHandler: Info - name: argo-manifests namespace: argocd chart: _argo + condition: argo.enabled + values: + - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml + - ../values/argo/values.yaml.gotmpl + - ../values/argo/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl + missingFileHandler: Info hooks: - events: [ prepare, cleanup ] showlogs: true diff --git a/helmfile.d/cilium.yaml.gotmpl b/helmfile.d/cilium.yaml.gotmpl new file mode 100644 index 00000000..3f15c0b3 --- /dev/null +++ b/helmfile.d/cilium.yaml.gotmpl 
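Review bot: In the `@@ -38,13 +41,17 @@` hunk the `argo-workflows` release loses its `values:` list (the removed `- ../values/argo/values/workflows.yaml.gotmpl`) but keeps `missingFileHandler: Info`, which now has no values file to apply to, so the chart would deploy with upstream defaults. If that is intended, drop the orphaned `missingFileHandler: Info` line; otherwise restore `values:` with `- ../values/argo/values/workflows.yaml.gotmpl` as the other releases do. The release is switched off in `values/argo/values.yaml.gotmpl` (`workflows: enabled: false`) so nothing changes today, but whoever enables it will get an unconfigured install with no hint why.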
@@ -0,0 +1,56 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: cilium
+ url: 'https://helm.cilium.io'
+
+commonLabels:
+ tier: system
+
+apiVersions:
+- monitoring.coreos.com/v1
+
+releases:
+- name: cilium
+ namespace: kube-system
+ chart: cilium/cilium
+ version: 1.16.2
+ condition: cilium.enabled
+ values:
+ - ../values/cilium/values/cilium.yaml.gotmpl
+ - ../values/cilium/values/cilium-{{ .Environment.Name }}.yaml.gotmpl
+ missingFileHandler: Info
+- name: spire-manifests
+ namespace: cilium
+ chart: _sprire-manifests
+ condition: cilium.spire.enabled
+ hooks:
+ - events: [ prepare, cleanup ]
+ showlogs: true
+ command: ../bin/helmify
+ args:
+ - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+ - '{{`{{ .Release.Chart }}`}}'
+ - '{{`{{ .Environment.Name }}`}}'
+ - ../values/cilium/spire-manifests
+ - _spire-manifests
+- name: cilium-manifests
+ namespace: cilium
+ chart: _cilium-manifests
+ condition: cilium.enabled
+ values:
+ - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+ - ../values/cilium/values.yaml.gotmpl
+ - ../values/cilium/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+ hooks:
+ - events: [ prepare, cleanup ]
+ showlogs: true
+ command: ../bin/helmify
+ args:
+ - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+ - '{{`{{ .Release.Chart }}`}}'
+ - '{{`{{ .Environment.Name }}`}}'
+ - ../values/cilium/cilium-manifests
+ - _cilium-manifests
+
diff --git a/values/argo/helmfile.yaml b/values/argo/helmfile.yaml
deleted file mode 100644
index 99353b7a..00000000
--- a/values/argo/helmfile.yaml
+++ /dev/null
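Review bot: The `spire-manifests` release declares `chart: _sprire-manifests`, but its helmify hook builds the chart into `_spire-manifests` (the hook's last argument), so as soon as `cilium.spire.enabled` is set the release will fail because that chart directory does not exist; the fix is `chart: _spire-manifests`, matching the `cilium-manifests` release where `chart:` and the last hook argument agree. Unlike `cilium-manifests`, the spire release also passes no `values:` to its generated chart, which may be deliberate but is worth confirming since the SPIRE network policies it produces will render from whatever values helmfile happens to supply.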
@@ -1,59 +0,0 @@
-bases:
- - ../base/environments.yaml.gotmpl
-
-repositories:
-- name: argo
- url: https://argoproj.github.io/argo-helm
-
-releases:
-- name: argocd
- namespace: argocd
- chart: argo/argo-cd
- version: 7.5.2
- values:
- - values/argocd.yaml.gotmpl
- - values/argocd-{{ .Environment.Name }}.yaml.gotmpl
- - values/argocd-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
- postRenderer: ../../bin/kustomizer
- postRendererArgs:
- - kustomize/{{ .Environment.Name }}
- missingFileHandler: Info
-- name: argocd-apps
- namespace: argocd
- chart: argo/argocd-apps
- version: 0.0.1
- condition: install.argo.apps.enabled
- values:
- - values/apps.yaml.gotmpl
- - values/apps-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
- missingFileHandler: Info
-- name: argo-rollouts
- namespace: argocd
- chart: argo/argo-rollouts
- version: 2.35.2
- condition: install.argo.rollouts.enabled
- values:
- - values/rollouts.yaml.gotmpl
- - values/rollouts-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
- missingFileHandler: Info
-- name: argo-workflows
- namespace: argocd
- chart: argo/argo-workflows
- version: 0.45.0
- condition: install.argo.workflows.enabled
- values:
- - values/workflows.yaml.gotmpl
- - values/workflows-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
- missingFileHandler: Info
-- name: manifests
- namespace: argocd
- chart: _manifests
- hooks:
- - events: [ prepare, cleanup ]
- showlogs: true
- command: ../../bin/helmify
- args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
-
diff --git a/apps/templates/argocd.yaml b/values/argo/manifests/argo.yaml
similarity index 63%
rename from apps/templates/argocd.yaml
rename to values/argo/manifests/argo.yaml
index 2227dcef..af71c037 100644
--- a/apps/templates/argocd.yaml
+++ b/values/argo/manifests/argo.yaml
@@ -1,3 +1,4 @@ +{{- if .Values.clusterConfig.argo.enabled }} apiVersion: argoproj.io/v1alpha1 kind: Application metadata:
@@ -10,19 +11,14 @@ spec: namespace: argocd server: 'https://kubernetes.default.svc' sources: - - repoURL: {{ .Values.cluster_config.manifests }} + - repoURL: {{ .Values.clusterConfig.manifests }} targetRevision: HEAD path: helmfiles/argocd plugin: name: helmfile env: - - name: CLUSTER_NAME - value: {{ .Values.cluster_config.name }} - - name: HELMFILE_ENVIRONMENT - value: {{ .environment }} - {{/* - repoURL: {{ .Values.cluster_config.manifests }} */}} - {{/* path: {{ .Values.cluster_config.policies }}/argocd */}} - {{/* targetRevision: HEAD */}} + - name: CLUSTER_NAME + value: {{ .Values.clusterConfig.cluster }} project: sys syncPolicy: managedNamespaceMetadata: @@ -36,3 +32,4 @@ spec: prune: true # selfHeal: false {{- end }} +{{- end }} diff --git a/values/argo/manifests/CiliumNetworkPolicy-allow-applicationset-ingress.yaml b/values/argo/manifests/cilium/CiliumNetworkPolicy-allow-applicationset-ingress.yaml similarity index 100% rename from values/argo/manifests/CiliumNetworkPolicy-allow-applicationset-ingress.yaml rename to values/argo/manifests/cilium/CiliumNetworkPolicy-allow-applicationset-ingress.yaml diff --git a/values/argo/manifests/CiliumNetworkPolicy-allow-argo-notifications.yaml b/values/argo/manifests/cilium/CiliumNetworkPolicy-allow-argo-notifications.yaml similarity index 100% rename from values/argo/manifests/CiliumNetworkPolicy-allow-argo-notifications.yaml rename to values/argo/manifests/cilium/CiliumNetworkPolicy-allow-argo-notifications.yaml diff --git a/values/argo/manifests/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml b/values/argo/manifests/cilium/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml similarity index 100% rename from values/argo/manifests/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml rename to values/argo/manifests/cilium/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml 
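Review bot: The plugin `env` drops `HELMFILE_ENVIRONMENT` (the removed `- name: HELMFILE_ENVIRONMENT` / `value: {{ .environment }}` pair) and keeps only `CLUSTER_NAME`, yet the helmfiles this Application points at still select values by `{{ .Environment.Name }}` (`argocd-{{ .Environment.Name }}.yaml.gotmpl` in `helmfile.d/argo.yaml.gotmpl`, `cilium-{{ .Environment.Name }}.yaml.gotmpl` in `helmfile.d/cilium.yaml.gotmpl`); unless the helmfile CMP (`argocd/helmfile-cmp/plugin.yaml`, not in this patch) supplies the environment some other way, every Application will render helmfile's default environment. Either restore the env entry with the correct value source, or switch the `.Environment.Name` lookups to `CLUSTER_NAME` so there is a single selector. The same env shape is introduced for the Cilium Application in `values/cilium/cilium-manifests/cilium.yaml` in this patch, so whichever fix is chosen applies there too.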
diff --git a/values/argo/manifests/CiliumNetworkPolicy-allow-argo-repo-access.yaml b/values/argo/manifests/cilium/CiliumNetworkPolicy-allow-argo-repo-access.yaml similarity index 100% rename from values/argo/manifests/CiliumNetworkPolicy-allow-argo-repo-access.yaml rename to values/argo/manifests/cilium/CiliumNetworkPolicy-allow-argo-repo-access.yaml diff --git a/values/argo/manifests/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml b/values/argo/manifests/cilium/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml similarity index 100% rename from values/argo/manifests/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml rename to values/argo/manifests/cilium/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml diff --git a/values/argo/manifests/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml b/values/argo/manifests/cilium/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml similarity index 100% rename from values/argo/manifests/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml rename to values/argo/manifests/cilium/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml diff --git a/values/argo/manifests/CiliumNetworkPolicy-allow-ingress.yaml b/values/argo/manifests/cilium/CiliumNetworkPolicy-allow-ingress.yaml similarity index 100% rename from values/argo/manifests/CiliumNetworkPolicy-allow-ingress.yaml rename to values/argo/manifests/cilium/CiliumNetworkPolicy-allow-ingress.yaml diff --git a/values/argo/manifests/CiliumNetworkPolicy-allow-kube-api.yaml b/values/argo/manifests/cilium/CiliumNetworkPolicy-allow-kube-api.yaml similarity index 100% rename from values/argo/manifests/CiliumNetworkPolicy-allow-kube-api.yaml rename to values/argo/manifests/cilium/CiliumNetworkPolicy-allow-kube-api.yaml 
diff --git a/values/argo/manifests/CiliumNetworkPolicy-allow-microsoft-sso.yaml b/values/argo/manifests/cilium/CiliumNetworkPolicy-allow-microsoft-sso.yaml similarity index 100% rename from values/argo/manifests/CiliumNetworkPolicy-allow-microsoft-sso.yaml rename to values/argo/manifests/cilium/CiliumNetworkPolicy-allow-microsoft-sso.yaml diff --git a/values/argo/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml b/values/argo/manifests/cilium/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml similarity index 100% rename from values/argo/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml rename to values/argo/manifests/cilium/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml diff --git a/values/argo/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml b/values/argo/manifests/cilium/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml similarity index 100% rename from values/argo/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml rename to values/argo/manifests/cilium/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml diff --git a/values/argo/manifests/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/values/argo/manifests/cilium/CiliumNetworkPolicy-allow-prometheus-metrics.yaml similarity index 100% rename from values/argo/manifests/CiliumNetworkPolicy-allow-prometheus-metrics.yaml rename to values/argo/manifests/cilium/CiliumNetworkPolicy-allow-prometheus-metrics.yaml diff --git a/values/argo/values.yaml.gotmpl b/values/argo/values.yaml.gotmpl index 3269c570..f9c189e1 100644 --- a/values/argo/values.yaml.gotmpl +++ b/values/argo/values.yaml.gotmpl @@ -1,3 +1,12 @@ +argo: + enabled: true + apps: + enabled: true + rollouts: + enabled: false + workflows: + enabled: false + argocd: anyNamespaces: enabled: false 
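Review bot: The new `argo.enabled` / `argo.apps.enabled` keys drive the helmfile `condition:` fields, while the Argo CD `Application` template moved to `values/argo/manifests/argo.yaml` in this same patch is guarded by `.Values.clusterConfig.argo.enabled`, so one component now has two independent switches that can disagree (releases installed with no Application, or an Application pointing at releases that are off). This may be deliberate — cluster-level config versus component defaults — but nothing says so; a comment above `argo:` such as `# argo.* gates the helmfile releases; clusterConfig.argo.enabled gates the Argo CD Application that syncs them` would tell the next maintainer which one is authoritative.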
diff --git a/apps/charts/sys-cilium-policies/templates/cilium-test/CiliumNetworkPolicy-allow-api-server.yaml b/values/cilium/cilium-manifests/cilium-test/CiliumNetworkPolicy-allow-api-server.yaml similarity index 100% rename from apps/charts/sys-cilium-policies/templates/cilium-test/CiliumNetworkPolicy-allow-api-server.yaml rename to values/cilium/cilium-manifests/cilium-test/CiliumNetworkPolicy-allow-api-server.yaml diff --git a/apps/templates/cilium.yaml b/values/cilium/cilium-manifests/cilium.yaml similarity index 65% rename from apps/templates/cilium.yaml rename to values/cilium/cilium-manifests/cilium.yaml index 580ed9be..b58f5223 100644 --- a/apps/templates/cilium.yaml +++ b/values/cilium/cilium-manifests/cilium.yaml @@ -1,4 +1,4 @@ -{{- if .Values.cilium.enabled }} +{{- if .Values.clusterConfig.argo.enabled }} apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -11,22 +11,14 @@ spec: namespace: kube-system server: 'https://kubernetes.default.svc' sources: - - repoURL: {{ .Values.cluster_config.manifests }} + - repoURL: {{ .Values.clusterConfig.manifests }} targetRevision: HEAD - ref: manifests - {{- if .Values.cilium.spire.enabled }} - - repoURL: {{ .Values.cluster_config.manifests }} - path: {{ .Values.cluster_config.policies }}/cilium-spire - targetRevision: HEAD - {{- end }} - - repoURL: 'https://helm.cilium.io' - targetRevision: {{ .Values.cilium.version }} - chart: cilium - helm: - valuesFiles: - - $manifests/values/cilium/values.yaml - - $manifests/values/cilium/values-{{ .Values.cluster_config.name }}.yaml - ignoreMissingValueFiles: true + path: helmfiles/cilium + plugin: + name: helmfile + env: + - name: CLUSTER_NAME + value: {{ .Values.clusterConfig.cluster }} project: sys syncPolicy: syncOptions: 
diff --git a/apps/templates/resources/dashboards/cilium-policy-verdicts.yaml b/values/cilium/cilium-manifests/dashboards/cilium-policy-verdicts.yaml similarity index 99% rename from apps/templates/resources/dashboards/cilium-policy-verdicts.yaml rename to values/cilium/cilium-manifests/dashboards/cilium-policy-verdicts.yaml index 1cf5c8de..7ec5aa19 100644 --- a/apps/templates/resources/dashboards/cilium-policy-verdicts.yaml +++ b/values/cilium/cilium-manifests/dashboards/cilium-policy-verdicts.yaml @@ -1,4 +1,3 @@ -{{ if .Values.cilium.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -711,7 +710,7 @@ data: { "targetBlank": true, "title": "live view in hubble", - "url": "https://hubble.{{.Values.cluster_config.domain}}/?namespace=${__data.fields[\"destination namespace\"]}" + "url": "https://hubble.{{.Values.clusterConfig.domain}}/?namespace=${__data.fields[\"destination namespace\"]}" } ], "mappings": [], @@ -834,7 +833,7 @@ data: { "targetBlank": true, "title": "show live view in hubble", - "url": "https://hubble.{{.Values.cluster_config.domain}}/?namespace=${__data.fields[\"source namespace\"]}" + "url": "https://hubble.{{.Values.clusterConfig.domain}}/?namespace=${__data.fields[\"source namespace\"]}" } ], "mappings": [], @@ -1113,4 +1112,3 @@ data: "version": 1, "weekStart": "" } -{{- end }} diff --git a/apps/templates/resources/pre-cilium.yaml b/values/cilium/cilium-manifests/loadbalancer.yaml similarity index 76% rename from apps/templates/resources/pre-cilium.yaml rename to values/cilium/cilium-manifests/loadbalancer.yaml index f04d9fd7..3f5af939 100644 --- a/apps/templates/resources/pre-cilium.yaml +++ b/values/cilium/cilium-manifests/loadbalancer.yaml 
@@ -1,11 +1,11 @@
-{{if and (.Values.cilium.enabled) (.Values.cilium.loadbalancerPool.enabled )}}
+{{if .Values.cilium.loadbalancerPool.enabled }}
 apiVersion: "cilium.io/v2alpha1"
 kind: CiliumLoadBalancerIPPool
 metadata:
 name: "loadbalancer"
 spec:
 blocks:
- {{- range .Values.cilium.loadbalancerPool.cidr}}
+ {{- range .Values.cilium.loadbalancerPool.cidr }}
 - cidr: {{ . }}
 {{- end }}
 ---
diff --git a/apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml b/values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml
similarity index 100%
rename from apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml
rename to values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml
diff --git a/apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-dns.yaml b/values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-allow-dns.yaml
similarity index 100%
rename from apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-dns.yaml
rename to values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-allow-dns.yaml
diff --git a/apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml b/values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml
similarity index 100%
rename from apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml
rename to values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml
diff --git a/apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-s3.yaml b/values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-allow-s3.yaml
similarity index 71%
rename from apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-s3.yaml
rename to values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-allow-s3.yaml
index 43fed561..eb551ed8 100644
--- a/apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-s3.yaml
+++ b/values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-allow-s3.yaml
@@ -6,14 +6,14 @@ spec:
 description: Policy for egress for CNPG Backups.
 egress:
 - toFQDNs:
- {{- range .Values.s3.hosts }}
+ {{- range .Values.clusterConfig.s3.hosts }}
 - matchName: {{ . | quote }}
 {{- end }}
- {{- range .Values.s3.patterns }}
+ {{- range .Values.clusterConfig.s3.patterns }}
 - matchPattern: {{ . | quote }}
 {{- end }}
 - toCIDR:
- {{- range .Values.s3.cidr }}
+ {{- range .Values.clusterConfig.s3.cidr }}
 - {{ . | quote }}
 {{- end }}
 endpointSelector:
diff --git a/apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml b/values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml
similarity index 100%
rename from apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml
rename to values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml
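Review bot: With the `clusterConfig.s3` defaults added in values/values.yaml and values/values-oceanbox.yaml in this same commit (`hosts: []`, `patterns: []`, `cidr: []`), every `range` in this hunk renders nothing, so the policy is emitted with an egress rule whose `toFQDNs:` and `toCIDR:` keys have no entries (null). Whether Cilium treats such a selector-less egress rule as matching nothing or as allowing all egress for the selected endpoints should be verified against a rendered policy before this reaches a cluster, since the policy is meant to be an allow-list for backup traffic. Wrapping the whole document in `{{- if or .Values.clusterConfig.s3.hosts .Values.clusterConfig.s3.patterns .Values.clusterConfig.s3.cidr }}` … `{{- end }}` avoids emitting the rule at all when no S3 destination is configured. The document head and the `endpointSelector` body lie outside the hunk.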
diff --git a/apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-deny-all.yaml b/values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-deny-all.yaml
similarity index 100%
rename from apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-deny-all.yaml
rename to values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-deny-all.yaml
diff --git a/apps/charts/sys-cilium-policies/templates/cilium-spire/CiliumNetworkPolicy-allow-api-server.yaml b/values/cilium/spire-manifests/CiliumNetworkPolicy-allow-api-server.yaml
similarity index 100%
rename from apps/charts/sys-cilium-policies/templates/cilium-spire/CiliumNetworkPolicy-allow-api-server.yaml
rename to values/cilium/spire-manifests/CiliumNetworkPolicy-allow-api-server.yaml
diff --git a/apps/charts/sys-cilium-policies/templates/cilium-spire/CiliumNetworkPolicy-allow-remote-node-to-server.yaml b/values/cilium/spire-manifests/CiliumNetworkPolicy-allow-remote-node-to-server.yaml
similarity index 100%
rename from apps/charts/sys-cilium-policies/templates/cilium-spire/CiliumNetworkPolicy-allow-remote-node-to-server.yaml
rename to values/cilium/spire-manifests/CiliumNetworkPolicy-allow-remote-node-to-server.yaml
diff --git a/values/cilium/values-oceanbox.yaml.gotmpl b/values/cilium/values-oceanbox.yaml.gotmpl
new file mode 100644
index 00000000..6ae6980a
--- /dev/null
+++ b/values/cilium/values-oceanbox.yaml.gotmpl
@@ -0,0 +1,15 @@
+cilium:
+ enabled: true
+ nodePort:
+ enable: true
+ l2announcement:
+ enable: true
+ loadbalancerPool:
+ enabled: true
+ cidr:
+ - 10.255.241.11/32
+ - 10.255.241.12/32
+ - 10.255.241.13/32
+ - 10.255.241.14/32
+ - 10.255.241.15/32
+
diff --git a/values/cilium/values.yaml.gotmpl b/values/cilium/values.yaml.gotmpl
new file mode 100644
index 00000000..6163164c
--- /dev/null
+++ b/values/cilium/values.yaml.gotmpl
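Review bot: The oceanbox override sets `nodePort.enable` and `l2announcement.enable`, while the defaults file added in the same commit (values/cilium/values.yaml.gotmpl) spells those switches `nodePort.enabled` and `l2announcement.enabled`; after merging, the override keys sit beside the defaults instead of replacing them, and both features stay off for this cluster unless the consumer also reads `enable`. Changing the two lines from `enable: true` to `enabled: true` brings them in line with `loadbalancerPool.enabled`, which is already spelled consistently in both files.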
@@ -0,0 +1,32 @@
+cilium:
+ enabled: false
+ autosync: true
+ spire:
+ enabled: false
+ envoy:
+ enabled: false
+ hubble:
+ ui: true
+ enabled: false
+ encryption:
+ enabled: true
+ type: wireguard
+ kubeProxyReplacement: true
+ l2announcement:
+ enabled: false
+ nodePort:
+ enabled: false
+ gatewayAPI:
+ enabled: false
+ ingressController:
+ enabled: false
+ defaultClass: false
+ loadbalancerMode: shared
+ policyAuditMode: false
+ upgradeCompatability: 1.15
+ k8sServiceHost: localhost
+ k8sServicePort: 7445
+ loadbalancerPool:
+ enabled: false
+ cidr: []
+
diff --git a/values/cilium/values.yaml b/values/cilium/values/cilium.yaml.gotmpl
similarity index 100%
rename from values/cilium/values.yaml
rename to values/cilium/values/cilium.yaml.gotmpl
diff --git a/values/values-oceanbox.yaml b/values/values-oceanbox.yaml
index 81c64c49..4e2d2d2d 100644
--- a/values/values-oceanbox.yaml
+++ b/values/values-oceanbox.yaml
@@ -1,4 +1,6 @@
 clusterConfig:
+ argo:
+ enabled: true
 env: "prod"
 distro: "talos"
 domain: "adm.oceanbox.io"
@@ -27,6 +29,10 @@ clusterConfig:
 secret_ref:
 name: oceanbox-oidc
 group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
+ s3:
+ hosts: []
+ patterns: []
+ cidr: []
 nodes: []
 ingress_whitelist_ips:
 #itp internal
diff --git a/values/values.yaml b/values/values.yaml
index bda33a71..6e88de4d 100644
--- a/values/values.yaml
+++ b/values/values.yaml
@@ -17,6 +17,10 @@ clusterConfig:
 acme_email: ""
 nodenames: []
 nodes: []
+ s3:
+ hosts: []
+ patterns: []
+ cidr: []
 ingress_clusterissuer: "letsencrypt-production"
 ingress_whitelist_ips:
 - 10.0.0.0/8
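Review bot: `upgradeCompatability: 1.15` in values/cilium/values.yaml.gotmpl is an unquoted scalar, so YAML parses it as the float 1.15 and a later value such as `1.20` would silently become 1.2; the Cilium chart's `upgradeCompatibility` value is string-typed for exactly this reason. If this key is forwarded to the chart, the misspelling (`Compatability`) would additionally mean the value never arrives — `upgradeCompatibility: "1.15"` addresses both, or, if the helmfile deliberately consumes the misspelled key, a comment saying so would stop the next reader from "fixing" it. The `k8sServiceHost: localhost` / `k8sServicePort: 7445` pair also deserves a comment stating which API-server endpoint it assumes, since it lives in the shared defaults and the oceanbox override does not set it.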