From 2e00aceed1dd82c822de3027aa063f4ab798e475 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Fri, 4 Oct 2024 14:28:09 +0200
Subject: [PATCH] fix: fix volumes and secrets for atlantis
---
 charts/atlantis/templates/cluster.yaml | 21 +++++-----
 charts/atlantis/templates/secrets.yaml | 22 ++++++++++
 charts/atlantis/values.yaml | 6 +--
 .../host-manifests/sync-atlantis-secrets.yaml | 42 ++++++++++++++++++-
 4 files changed, 76 insertions(+), 15 deletions(-)
diff --git a/charts/atlantis/templates/cluster.yaml b/charts/atlantis/templates/cluster.yaml
index 54b2409a..194c80d3 100644
--- a/charts/atlantis/templates/cluster.yaml
+++ b/charts/atlantis/templates/cluster.yaml
@@ -8,7 +8,8 @@ metadata:
 labels:
 {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
- instances: {{ .Values.cluster.instances | default "2" }}
+ instances: {{ .Values.cluster.instances | default "1" }}
+ imageName: ghcr.io/cloudnative-pg/postgis:15-3.3
 # Example of rolling update strategy:
 # - unsupervised: automated update of the primary once all
 # replicas have been upgraded (default)
@@ -19,16 +20,8 @@ spec:
 retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
 storage:
 size: {{ .Values.cluster.size | default "5Gi" }}
- imageName: ghcr.io/cloudnative-pg/postgis:15-3.3
- bootstrap:
- initdb:
- postInitTemplateSQL:
- - CREATE EXTENSION postgis;
- - CREATE EXTENSION postgis_topology;
- - CREATE EXTENSION fuzzystrmatch;
- - CREATE EXTENSION postgis_tiger_geocoder;
- - ALTER USER app WITH SUPERUSER;
 {{- with .Values.cluster.bootstrap }}
+ bootstrap:
 {{- if .enabled }}
 pg_basebackup:
 source: archmaester
@@ -47,6 +40,14 @@ spec:
 sslRootCert:
 name: {{ .source.db }}-ca
 key: ca.crt
+{{- else }}
+ initdb:
+ postInitTemplateSQL:
+ - CREATE EXTENSION postgis;
+ - CREATE EXTENSION postgis_topology;
+ - CREATE EXTENSION fuzzystrmatch;
+ - CREATE EXTENSION postgis_tiger_geocoder;
+ - ALTER USER app WITH SUPERUSER;
 {{- end }}
 {{- end }}
 {{- end }}
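Review bot: The added `imageName: ghcr.io/cloudnative-pg/postgis:15-3.3` is a mutable tag hard-coded in the template, so which PostGIS build the cluster actually runs is decided by whatever the registry serves for that tag and cannot be overridden from values. Pin it by digest (`ghcr.io/cloudnative-pg/postgis:15-3.3@sha256:<digest>`) and expose it in the same style as the neighbouring keys, e.g. `imageName: {{ .Values.cluster.imageName | default "ghcr.io/cloudnative-pg/postgis:15-3.3" }}`. The default for `instances` also drops from 2 to 1, which leaves no replica to fail over to; if that is intentional for this environment a comment saying so would help.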
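Review bot: `ALTER USER app WITH SUPERUSER;` in the new `initdb` branch hands the application role full superuser on the cluster, which is far more than a CREATE EXTENSION setup needs. The `postInitTemplateSQL` statements are executed by the operator against the template database, not by `app`, so the extensions should be available to the application database without elevating `app` (presumably — confirm against the CloudNativePG version in use). Drop the `ALTER USER` line, or if a specific extension genuinely requires it, leave a comment naming which one. The enclosing `{{- with .Values.cluster.bootstrap }}`/`{{- if .enabled }}` block starts in the previous hunk; when `.enabled` is true the cluster is restored via `pg_basebackup` and this branch is skipped entirely, so the extensions then come from the source cluster instead.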
diff --git a/charts/atlantis/templates/secrets.yaml b/charts/atlantis/templates/secrets.yaml
index abfb2ce1..6acba356 100644
--- a/charts/atlantis/templates/secrets.yaml
+++ b/charts/atlantis/templates/secrets.yaml
@@ -29,4 +29,26 @@ type: kubernetes.io/basic-auth
 data:
 username:
 password:
+{{- else }}
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kyverno/clone: "true"
+ name: {{ .Values.cluster.bootstrap.source.db }}-replication
+type: kubernetes.io/tls
+data:
+ tls.crt: ""
+ tls.key: ""
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ annotations:
+ kyverno/clone: "true"
+ name: {{ .Values.cluster.bootstrap.source.db }}-ca
+data:
+ ca.crt: ""
+ ca.key: ""
 {{- end }}
diff --git a/charts/atlantis/values.yaml b/charts/atlantis/values.yaml
index ac4e575f..84e346e5 100644
--- a/charts/atlantis/values.yaml
+++ b/charts/atlantis/values.yaml
@@ -59,7 +59,7 @@ persistence:
 storageClass: ""
 accessMode: ReadWriteOnce
 cluster:
- enabled: false
+ enabled: true
 instances: 1
 backupEnabled: true
 backupRetention: 60d
@@ -70,13 +70,13 @@ cluster:
 db: prod-archmeister
 namespace: atlantis
 redis:
- enabled: false
+ enabled: true
 name: redis-stack
 redis_stack_server:
 image: "redis/redis-stack-server"
 tag: "7.4.0-v1"
 replicas: 1
- storage_class: ceph-rdb
+ storage_class: ceph-rbd
 storage: 1Gi
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
diff --git a/resources/atlantis/host-manifests/sync-atlantis-secrets.yaml b/resources/atlantis/host-manifests/sync-atlantis-secrets.yaml
index 05620381..3c1a3a2a 100644
--- a/resources/atlantis/host-manifests/sync-atlantis-secrets.yaml
+++ b/resources/atlantis/host-manifests/sync-atlantis-secrets.yaml
@@ -52,8 +52,8 @@ spec:
 namespace: '{{ request.object.metadata.namespace }}'
 synchronize: true
 clone:
- name: staging-archmeister-superuser
- namespace: staging-vcluster
+ name: prod-archmeister-superuser
+ namespace: atlantis
 match:
 any:
 - resources:
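Review bot: The `{{ .Values.cluster.bootstrap.source.db }}-ca` placeholder Secret declares `ca.key` next to `ca.crt`, but the only consumer of it in this chart (`sslRootCert` in cluster.yaml) reads `ca.crt`; pulling the source cluster's CA private key into this namespace lets anyone with secret read here mint client certificates the production database trusts. Drop `ca.key: ""` from the placeholder and make sure the host-side clone does not bring it along anyway (a Kyverno `clone` copies the whole source Secret, so a `data:`-based generate carrying only `ca.crt` may be needed). The `{{- else }}` belongs to an `if` that starts before this hunk, so the condition under which these empty-data placeholders render is not visible here; a comment such as `# placeholders: data is filled in by the host-side Kyverno sync policy (kyverno/clone)` above `{{- else }}` would make the empty `tls.crt`/`tls.key`/`ca.crt` values less surprising to the next reader.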
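Review bot: Repointing the clone source to `prod-archmeister-superuser` in `atlantis` means a production superuser credential is now copied into whatever namespace a trigger Secret appears in, and the `match` in this hunk carries no `namespaces:` restriction (the `exclude:` block further down is still commented out). The match block continues past this hunk; its trigger is the `*-db-superuser` glob visible as context in the next hunk, so a Secret with that name pattern and the `kyverno/clone: "true"` annotation in any namespace is enough. Add a namespace constraint under `resources:`, e.g. `namespaces:` followed by `- <consumer-namespace>` for only the namespaces meant to receive it, and consider whether the consumer needs the superuser role at all rather than a scoped application credential.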
@@ -63,6 +63,44 @@ spec:
 - "*-db-superuser"
 annotations:
 kyverno/clone: "true"
+ - name: sync-archmaester-replication-secret
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: '{{ request.object.metadata.name }}'
+ namespace: '{{ request.object.metadata.namespace }}'
+ synchronize: true
+ clone:
+ name: prod-archmeister-replication
+ namespace: atlantis
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - prod-archmeister-replication
+ annotations:
+ kyverno/clone: "true"
+ - name: sync-archmaester-ca
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: '{{ request.object.metadata.name }}'
+ namespace: '{{ request.object.metadata.namespace }}'
+ synchronize: true
+ clone:
+ name: prod-archmeister-ca
+ namespace: atlantis
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - prod-archmeister-ca
+ annotations:
+ kyverno/clone: "true"
 # exclude:
 # any:
 # - resources:
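Review bot: Both new rules match on name plus the `kyverno/clone: "true"` annotation only, so any principal able to create a Secret named `prod-archmeister-replication` or `prod-archmeister-ca` in any namespace of the host cluster receives the production replication TLS key pair and CA material, kept current by `synchronize: true`. Constrain each `match` with `namespaces:` listing only the namespaces that legitimately host the Atlantis vcluster, and use the still-commented `exclude:` for the `atlantis` namespace itself, where the generate target would coincide with the clone source. `clone` copies the whole source Secret, so if `prod-archmeister-ca` holds the CA private key it travels too; a `data:` generate that carries only `ca.crt` would keep the key where it belongs. The rule names spell `archmaester` while the Secrets spell `archmeister`; aligning them makes grep-based audits of this policy reliable.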