wip: more or less working argo and cilium helmfile setup

2025-05-16 15:30:01 +02:00
parent ddc95aad80
commit 223149ecdd
37 changed files with 582 additions and 100 deletions
@@ -1,4 +1,4 @@
-FROM ghcr.io/helmfile/helmfile:v0.157.0
+FROM ghcr.io/helmfile/helmfile:v1.0.0

 RUN mkdir -p /home/argocd/cmp-server/config/
 COPY plugin.yaml /home/argocd/cmp-server/config/
@@ -0,0 +1,425 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    argocd.argoproj.io/tracking-id: argocd:apps/Deployment:argocd/argocd-repo-server
+  labels:
+    app.kubernetes.io/component: repo-server
+    app.kubernetes.io/instance: argocd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: argocd-repo-server
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/version: v2.10.4
+    helm.sh/chart: argo-cd-6.7.3
+  name: argocd-repo-server
+  namespace: argocd
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: argocd
+      app.kubernetes.io/name: argocd-repo-server
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        checksum/cm: 3d88c02b8c8e470b75262aae39da4b4bc6f29a02d2a6c7a9e0d44d2d69aa908b
+        checksum/cmd-params: d76791b7d65a3839bc44b46b65ecfecb5be7ac834b4915b0dea1577f524ea687
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/component: repo-server
+        app.kubernetes.io/instance: argocd
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: argocd-repo-server
+        app.kubernetes.io/part-of: argocd
+        app.kubernetes.io/version: v2.10.4
+        helm.sh/chart: argo-cd-6.7.3
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchLabels:
+                  app.kubernetes.io/name: argocd-repo-server
+              topologyKey: kubernetes.io/hostname
+            weight: 100
+      containers:
+      - args:
+        - /usr/local/bin/argocd-repo-server
+        - --port=8081
+        - --metrics-port=8084
+        env:
+        - name: ARGOCD_REPO_SERVER_NAME
+          value: argocd-repo-server
+        - name: ARGOCD_RECONCILIATION_TIMEOUT
+          valueFrom:
+            configMapKeyRef:
+              key: timeout.reconciliation
+              name: argocd-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LOGFORMAT
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.log.format
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LOGLEVEL
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.log.level
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.parallelism.limit
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.metrics.listen.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_DISABLE_TLS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.disable.tls
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_TLS_MIN_VERSION
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.tls.minversion
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_TLS_MAX_VERSION
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.tls.maxversion
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_TLS_CIPHERS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.tls.ciphers
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_CACHE_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.repo.cache.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDIS_SERVER
+          valueFrom:
+            configMapKeyRef:
+              key: redis.server
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDIS_COMPRESSION
+          valueFrom:
+            configMapKeyRef:
+              key: redis.compression
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDISDB
+          valueFrom:
+            configMapKeyRef:
+              key: redis.db
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: REDIS_USERNAME
+          valueFrom:
+            secretKeyRef:
+              key: redis-username
+              name: argocd-redis
+              optional: true
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: redis-password
+              name: argocd-redis
+              optional: true
+        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.default.cache.expiration
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
+          valueFrom:
+            configMapKeyRef:
+              key: otlp.address
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
+          valueFrom:
+            configMapKeyRef:
+              key: otlp.insecure
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
+          valueFrom:
+            configMapKeyRef:
+              key: otlp.headers
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.max.combined.directory.manifests.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.plugin.tar.exclusions
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.allow.oob.symlinks
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.streamed.manifest.max.tar.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.streamed.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.disable.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_GIT_MODULES_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.enable.git.submodule
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.git.lsremote.parallelism.limit
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_GIT_REQUEST_TIMEOUT
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.git.request.timeout
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: HELM_CACHE_HOME
+          value: /helm-working-dir
+        - name: HELM_CONFIG_HOME
+          value: /helm-working-dir
+        - name: HELM_DATA_HOME
+          value: /helm-working-dir
+        image: quay.io/argoproj/argocd:v2.10.4
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz?full=true
+            port: metrics
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        name: repo-server
+        ports:
+        - containerPort: 8081
+          name: repo-server
+          protocol: TCP
+        - containerPort: 8084
+          name: metrics
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /healthz
+            port: metrics
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 1
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /app/config/ssh
+          name: ssh-known-hosts
+        - mountPath: /app/config/tls
+          name: tls-certs
+        - mountPath: /app/config/gpg/source
+          name: gpg-keys
+        - mountPath: /app/config/gpg/keys
+          name: gpg-keyring
+        - mountPath: /app/config/reposerver/tls
+          name: argocd-repo-server-tls
+        - mountPath: /helm-working-dir
+          name: helm-working-dir
+        - mountPath: /home/argocd/cmp-server/plugins
+          name: plugins
+        - mountPath: /tmp
+          name: tmp
+      - command:
+        - /var/run/argocd/argocd-cmp-server
+        image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
+        imagePullPolicy: Always
+        name: kustomize-helm-with-rewrite
+        resources: {}
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 999
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /var/run/argocd
+          name: var-files
+        - mountPath: /home/argocd/cmp-server/plugins
+          name: plugins
+        - mountPath: /tmp
+          name: cmp-tmp
+        - mountPath: /helm-working-dir
+          name: helm-working-dir
+      dnsPolicy: ClusterFirst
+      imagePullSecrets:
+      - name: gitlab-pull-secret
+      initContainers:
+      - command:
+        - /bin/cp
+        - -n
+        - /usr/local/bin/argocd
+        - /var/run/argocd/argocd-cmp-server
+        image: quay.io/argoproj/argocd:v2.10.4
+        imagePullPolicy: IfNotPresent
+        name: copyutil
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /var/run/argocd
+          name: var-files
+      - command:
+        - /bin/sh
+        - /plugin/init-helm-repos.sh
+        image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
+        imagePullPolicy: Always
+        name: init-helm-repos
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsUser: 999
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        env:
+        - name: OCEANBOX_HELM_ACCESS_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: token
+              name: oceanbox-helm
+              optional: false
+        volumeMounts:
+        - mountPath: /helm-working-dir
+          name: helm-working-dir
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      serviceAccount: argocd-repo-server
+      serviceAccountName: argocd-repo-server
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: cmp-tmp
+      - emptyDir: {}
+        name: helm-working-dir
+      - emptyDir: {}
+        name: plugins
+      - emptyDir: {}
+        name: var-files
+      - emptyDir: {}
+        name: tmp
+      - configMap:
+          defaultMode: 420
+          name: argocd-ssh-known-hosts-cm
+        name: ssh-known-hosts
+      - configMap:
+          defaultMode: 420
+          name: argocd-tls-certs-cm
+        name: tls-certs
+      - configMap:
+          defaultMode: 420
+          name: argocd-gpg-keys-cm
+        name: gpg-keys
+      - emptyDir: {}
+        name: gpg-keyring
+      - name: argocd-repo-server-tls
+        secret:
+          defaultMode: 420
+          items:
+          - key: tls.crt
+            path: tls.crt
+          - key: tls.key
+            path: tls.key
+          - key: ca.crt
+            path: ca.crt
+          optional: true
+          secretName: argocd-repo-server-tls
+
@@ -1,4 +1,3 @@
---
 environments:
  default:
    values:
@@ -21,3 +20,4 @@ environments:
    - ../values/*/values.yaml.gotmpl
    - ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
    missingFileHandler: Info
+
@@ -5,12 +5,15 @@ repositories:
 - name: argo
  url: https://argoproj.github.io/argo-helm

+commonLabels:
+  tier: system
+
 releases:
 - name: argocd
  namespace: argocd
  chart: argo/argo-cd
  version: 7.5.2
-  condition: install.argo.argocd.enabled
+  condition: argo.enabled
  values:
  - ../values/argo/values/argocd.yaml.gotmpl
  - ../values/argo/values/argocd-{{ .Environment.Name }}.yaml.gotmpl
@@ -22,7 +25,7 @@ releases:
  namespace: argocd
  chart: argo/argocd-apps
  version: 0.0.1
-  condition: install.argo.apps.enabled
+  condition: argo.apps.enabled
  values:
  - ../values/argo/values/apps.yaml.gotmpl
  missingFileHandler: Info
@@ -30,7 +33,7 @@ releases:
  namespace: argocd
  chart: argo/argo-rollouts
  version: 2.35.2
-  condition: install.argo.rollouts.enabled
+  condition: argo.rollouts.enabled
  values:
  - ../values/argo/values/rollouts.yaml.gotmpl
  missingFileHandler: Info
@@ -38,13 +41,17 @@ releases:
  namespace: argocd
  chart: argo/argo-workflows
  version: 0.45.0
-  condition: install.argo.workflows.enabled
-  values:
-  - ../values/argo/values/workflows.yaml.gotmpl
+  condition: argo.workflows.enabled
  missingFileHandler: Info
 - name: argo-manifests
  namespace: argocd
  chart: _argo
+  condition: argo.enabled
+  values:
+  - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+  - ../values/argo/values.yaml.gotmpl
+  - ../values/argo/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+  missingFileHandler: Info
  hooks:
  - events: [ prepare, cleanup ]
    showlogs: true
@@ -0,0 +1,56 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: cilium
+  url: 'https://helm.cilium.io'
+
+commonLabels:
+  tier: system
+
+apiVersions:
+- monitoring.coreos.com/v1
+
+releases:
+- name: cilium
+  namespace: kube-system
+  chart: cilium/cilium
+  version: 1.16.2
+  condition: cilium.enabled
+  values:
+  - ../values/cilium/values/cilium.yaml.gotmpl
+  - ../values/cilium/values/cilium-{{ .Environment.Name }}.yaml.gotmpl
+  missingFileHandler: Info
+- name: spire-manifests
+  namespace: cilium
+  chart: _sprire-manifests
+  condition: cilium.spire.enabled
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/cilium/spire-manifests
+    - _spire-manifests
+- name: cilium-manifests
+  namespace: cilium
+  chart: _cilium-manifests
+  condition: cilium.enabled
+  values:
+  - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+  - ../values/cilium/values.yaml.gotmpl
+  - ../values/cilium/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/cilium/cilium-manifests
+    - _cilium-manifests
+
@@ -1,59 +0,0 @@
-bases:
- - ../base/environments.yaml.gotmpl
-
-repositories:
- name: argo
-  url: https://argoproj.github.io/argo-helm
-
-releases:
- name: argocd
-  namespace: argocd
-  chart: argo/argo-cd
-  version: 7.5.2
-  values:
-  - values/argocd.yaml.gotmpl
-  - values/argocd-{{ .Environment.Name }}.yaml.gotmpl
-  - values/argocd-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
-  postRenderer: ../../bin/kustomizer
-  postRendererArgs:
-  - kustomize/{{ .Environment.Name }}
-  missingFileHandler: Info
- name: argocd-apps
-  namespace: argocd
-  chart: argo/argocd-apps
-  version: 0.0.1
-  condition: install.argo.apps.enabled
-  values:
-  - values/apps.yaml.gotmpl
-  - values/apps-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
-  missingFileHandler: Info
- name: argo-rollouts
-  namespace: argocd
-  chart: argo/argo-rollouts
-  version: 2.35.2
-  condition: install.argo.rollouts.enabled
-  values:
-  - values/rollouts.yaml.gotmpl
-  - values/rollouts-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
-  missingFileHandler: Info
- name: argo-workflows
-  namespace: argocd
-  chart: argo/argo-workflows
-  version: 0.45.0
-  condition: install.argo.workflows.enabled
-  values:
-  - values/workflows.yaml.gotmpl
-  - values/workflows-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
-  missingFileHandler: Info
- name: manifests
-  namespace: argocd
-  chart: _manifests
-  hooks:
-  - events: [ prepare, cleanup ]
-    showlogs: true
-    command: ../../bin/helmify
-    args:
-    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
-    - '{{`{{ .Release.Chart }}`}}'
-    - '{{`{{ .Environment.Name }}`}}'
-
@@ -1,3 +1,4 @@
+{{- if .Values.clusterConfig.argo.enabled }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -10,19 +11,14 @@ spec:
    namespace: argocd
    server: 'https://kubernetes.default.svc'
  sources:
-  - repoURL: {{ .Values.cluster_config.manifests }}
+  - repoURL: {{ .Values.clusterConfig.manifests }}
    targetRevision: HEAD
    path: helmfiles/argocd
    plugin:
      name: helmfile
      env:
      - name: CLUSTER_NAME
-          value: {{ .Values.cluster_config.name }}
-        - name: HELMFILE_ENVIRONMENT
-          value: {{ .environment }}
-  {{/* - repoURL: {{ .Values.cluster_config.manifests }} */}}
-  {{/*   path: {{ .Values.cluster_config.policies }}/argocd */}}
-  {{/*   targetRevision: HEAD */}}
+        value: {{ .Values.clusterConfig.cluster }}
  project: sys
  syncPolicy:
    managedNamespaceMetadata:
@@ -36,3 +32,4 @@ spec:
      prune: true
      # selfHeal: false
    {{- end }}
+{{- end }}
@@ -1,3 +1,12 @@
+argo:
+  enabled: true
+  apps:
+    enabled: true
+  rollouts:
+    enabled: false
+  workflows:
+    enabled: false
+
 argocd:
  anyNamespaces:
    enabled: false
@@ -1,4 +1,4 @@
-{{- if .Values.cilium.enabled }}
+{{- if .Values.clusterConfig.argo.enabled }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -11,22 +11,14 @@ spec:
    namespace: kube-system
    server: 'https://kubernetes.default.svc'
  sources:
-  - repoURL: {{ .Values.cluster_config.manifests }}
+  - repoURL: {{ .Values.clusterConfig.manifests }}
    targetRevision: HEAD
-    ref: manifests
-  {{- if .Values.cilium.spire.enabled }}
-  - repoURL: {{ .Values.cluster_config.manifests }}
-    path: {{ .Values.cluster_config.policies }}/cilium-spire
-    targetRevision: HEAD
-  {{- end }}
-  - repoURL: 'https://helm.cilium.io'
-    targetRevision: {{ .Values.cilium.version }}
-    chart: cilium
-    helm:
-      valuesFiles:
-      - $manifests/values/cilium/values.yaml
-      - $manifests/values/cilium/values-{{ .Values.cluster_config.name }}.yaml
-      ignoreMissingValueFiles: true
+    path: helmfiles/cilium
+    plugin:
+      name: helmfile
+      env:
+        - name: CLUSTER_NAME
+          value: {{ .Values.clusterConfig.cluster }}
  project: sys
  syncPolicy:
    syncOptions:
@@ -1,4 +1,3 @@
-{{ if .Values.cilium.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -711,7 +710,7 @@ data:
                {
                  "targetBlank": true,
                  "title": "live view in hubble",
-                  "url": "https://hubble.{{.Values.cluster_config.domain}}/?namespace=${__data.fields[\"destination namespace\"]}"
+                  "url": "https://hubble.{{.Values.clusterConfig.domain}}/?namespace=${__data.fields[\"destination namespace\"]}"
                }
              ],
              "mappings": [],
@@ -834,7 +833,7 @@ data:
                {
                  "targetBlank": true,
                  "title": "show live view in hubble",
-                  "url": "https://hubble.{{.Values.cluster_config.domain}}/?namespace=${__data.fields[\"source namespace\"]}"
+                  "url": "https://hubble.{{.Values.clusterConfig.domain}}/?namespace=${__data.fields[\"source namespace\"]}"
                }
              ],
              "mappings": [],
@@ -1113,4 +1112,3 @@ data:
      "version": 1,
      "weekStart": ""
    }
-{{- end }}
@@ -1,11 +1,11 @@
-{{if and (.Values.cilium.enabled) (.Values.cilium.loadbalancerPool.enabled )}}
+{{if .Values.cilium.loadbalancerPool.enabled }}
 apiVersion: "cilium.io/v2alpha1"
 kind: CiliumLoadBalancerIPPool
 metadata:
  name: "loadbalancer"
 spec:
  blocks:
-  {{- range .Values.cilium.loadbalancerPool.cidr}}
+  {{- range .Values.cilium.loadbalancerPool.cidr }}
  - cidr: {{ . }}
  {{- end }}
 ---
@@ -6,14 +6,14 @@ spec:
  description: Policy for egress for CNPG Backups.
  egress:
    - toFQDNs:
-      {{- range .Values.s3.hosts }}
+      {{- range .Values.clusterConfig.s3.hosts }}
        - matchName: {{ . | quote }}
      {{- end }}
-      {{- range .Values.s3.patterns }}
+      {{- range .Values.clusterConfig.s3.patterns }}
        - matchPattern: {{ . | quote }}
      {{- end }}
    - toCIDR:
-      {{- range .Values.s3.cidr }}
+      {{- range .Values.clusterConfig.s3.cidr }}
        - {{ . | quote }}
      {{- end }}
  endpointSelector:
@@ -0,0 +1,15 @@
+cilium:
+  enabled: true
+  nodePort:
+    enable: true
+  l2announcement:
+    enable: true
+  loadbalancerPool:
+    enabled: true
+    cidr:
+     - 10.255.241.11/32
+     - 10.255.241.12/32
+     - 10.255.241.13/32
+     - 10.255.241.14/32
+     - 10.255.241.15/32
+
@@ -0,0 +1,32 @@
+cilium:
+  enabled: false
+  autosync: true
+  spire:
+    enabled: false
+  envoy:
+    enabled: false
+  hubble:
+    ui: true
+    enabled: false
+  encryption:
+    enabled: true
+    type: wireguard
+  kubeProxyReplacement: true
+  l2announcement:
+    enabled: false
+  nodePort:
+    enabled: false
+  gatewayAPI:
+    enabled: false
+  ingressController:
+    enabled: false
+    defaultClass: false
+    loadbalancerMode: shared
+  policyAuditMode: false
+  upgradeCompatability: 1.15
+  k8sServiceHost: localhost
+  k8sServicePort: 7445
+  loadbalancerPool:
+    enabled: false
+    cidr: []
+
@@ -1,4 +1,6 @@
 clusterConfig:
+  argo:
+    enabled: true
  env: "prod"
  distro: "talos"
  domain: "adm.oceanbox.io"
@@ -27,6 +29,10 @@ clusterConfig:
    secret_ref:
      name: oceanbox-oidc
    group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
+  s3:
+    hosts: []
+    patterns: []
+    cidr: []
  nodes: []
  ingress_whitelist_ips:
    #itp internal
@@ -17,6 +17,10 @@ clusterConfig:
  acme_email: ""
  nodenames: []
  nodes: []
+  s3:
+    hosts: []
+    patterns: []
+    cidr: []
  ingress_clusterissuer: "letsencrypt-production"
  ingress_whitelist_ips:
    - 10.0.0.0/8