wip: merge old serit-platfrom into manifests
Executable
+5
@@ -0,0 +1,5 @@
|
||||
#!/usr/bin/env bash
|
||||
helm upgrade --install --create-namespace argocd argo/argo-cd -n argocd
|
||||
helm upgrade --install --create-namespace --values values-apps.yaml argocd-apps argo/argocd-apps -n argocd
|
||||
|
||||
|
||||
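Review bot: Neither helm line pins a chart version, so each run of this bootstrap resolves whatever argo-cd and argocd-apps chart is latest in the `argo` repo, and two clusters bootstrapped a week apart can end up on different Argo CD versions. Pin both, e.g. `helm upgrade --install --create-namespace --version <ARGOCD_CHART_VERSION> argocd argo/argo-cd -n argocd`, and open the script with `set -euo pipefail` so a failed argo-cd install does not proceed to the apps install. The script also assumes the `argo` repo is already added; a `helm repo add argo https://argoproj.github.io/argo-helm` line (the same URL this commit uses as a sourceRepo) would make it self-contained.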
Executable
+5
@@ -0,0 +1,5 @@
|
||||
#!/usr/bin/env bash
|
||||
helm uninstall argocd argo/argocd-apps -n argocd
|
||||
helm uninstall argocd argo/argo-cd -n argocd
|
||||
|
||||
|
||||
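Review bot: `helm uninstall` takes release names, not chart references, so `helm uninstall argocd argo/argocd-apps -n argocd` removes the `argocd` release (the Argo CD server installed by the sibling script) and then errors on a release literally named `argo/argocd-apps`, while the `argocd-apps` release installed by the sibling script is never removed. Change the two lines to `helm uninstall argocd-apps -n argocd` followed by `helm uninstall argocd -n argocd`, keeping apps-before-server order so any Application resources that carry finalizers are removed while the controller that processes them is still running.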
@@ -0,0 +1,36 @@
|
||||
## !!
|
||||
# This values files only contains the bare minimum to get argo up and running.
|
||||
# Only update things like initial argo-cd version here
|
||||
# Rest of config is located in argocd-apps/sys/argocd.yaml
|
||||
##
|
||||
applications:
|
||||
sys:
|
||||
namespace: argocd
|
||||
additionalAnnotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
destination:
|
||||
namespace: argocd
|
||||
server: https://kubernetes.default.svc
|
||||
project: sys
|
||||
sources:
|
||||
- directory:
|
||||
recurse: true
|
||||
path: sys/_rendered/<cluster>/sys/templates
|
||||
repoURL: https://gitlab.com/serit/k8s/serit-platform.git
|
||||
targetRevision: main
|
||||
projects:
|
||||
sys:
|
||||
namespace: argocd
|
||||
additionalLabels: {}
|
||||
additionalAnnotations: {}
|
||||
description: sys components project
|
||||
sourceRepos:
|
||||
- '*'
|
||||
destinations:
|
||||
- namespace: '*'
|
||||
server: https://kubernetes.default.svc
|
||||
clusterResourceWhitelist:
|
||||
- group: '*'
|
||||
kind: '*'
|
||||
orphanedResources:
|
||||
warn: false
|
||||
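Review bot: The bootstrap `sys` application's path `sys/_rendered/<cluster>/sys/templates` contains a literal `<cluster>` placeholder, so applying this values file as-is points Argo CD at a path that cannot exist in the repo; either it is meant to be substituted before the `helm upgrade` in the install script (then the header comment should say so) or it should be a real cluster name. Separately, the bootstrap `sys` project grants `sourceRepos: '*'` and `destinations: '*'` although the only source used here is the single repoURL listed; narrowing to `- https://gitlab.com/serit/k8s/serit-platform.git` keeps the bootstrap project from doubling as a wildcard project until argocd-apps replaces it, as the header comment says it will.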
@@ -0,0 +1,23 @@
|
||||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*.orig
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
||||
@@ -0,0 +1,24 @@
|
||||
apiVersion: v2
|
||||
name: sys
|
||||
description: A Helm chart for Kubernetes
|
||||
|
||||
# A chart can be either an 'application' or a 'library' chart.
|
||||
#
|
||||
# Application charts are a collection of templates that can be packaged into versioned archives
|
||||
# to be deployed.
|
||||
#
|
||||
# Library charts provide useful utilities or functions for the chart developer. They're included as
|
||||
# a dependency of application charts to inject those utilities and functions into the rendering
|
||||
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
|
||||
type: application
|
||||
|
||||
# This is the chart version. This version number should be incremented each time you make changes
|
||||
# to the chart and its templates, including the app version.
|
||||
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
||||
version: 0.1.0
|
||||
|
||||
# This is the version number of the application being deployed. This version number should be
|
||||
# incremented each time you make changes to the application. Versions are not expected to
|
||||
# follow Semantic Versioning. They should reflect the version the application is using.
|
||||
# It is recommended to use it with quotes.
|
||||
appVersion: "1.16.0"
|
||||
@@ -0,0 +1,48 @@
|
||||
{{- if .Values.x509_exporter.alerts }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PrometheusRule
|
||||
metadata:
|
||||
labels:
|
||||
# Some labels for various prometheus matching
|
||||
k8s-app: x509-exporter
|
||||
prometheus: k8s
|
||||
role: alert-rules
|
||||
name: x509-exporter-x509-certificate-exporter
|
||||
namespace: x509-exporter
|
||||
spec:
|
||||
groups:
|
||||
- name: x509-certificate-exporter.rules
|
||||
rules:
|
||||
- alert: X509ExporterReadErrors
|
||||
annotations:
|
||||
description: Over the last 15 minutes, this x509-certificate-exporter instance has experienced errors reading certificate files or querying the Kubernetes API. This could be caused by a misconfiguration if triggered when the exporter starts.
|
||||
summary: Increasing read errors for x509-certificate-exporter
|
||||
expr: delta(x509_read_errors[15m]) > 0
|
||||
for: 5m
|
||||
labels:
|
||||
severity: warning
|
||||
- alert: CertificateError
|
||||
annotations:
|
||||
description: Certificate could not be decoded {{`{{`}}if $labels.secret_name {{`}}`}} in Kubernetes secret "{{`{{`}} $labels.secret_namespace {{`}}`}}/{{`{{`}} $labels.secret_name {{`}}`}}"{{`{{`}}else{{`}}`}}at location "{{`{{`}} $labels.filepath {{`}}`}}"{{`{{`}}end{{`}}`}}
|
||||
summary: Certificate cannot be decoded
|
||||
expr: x509_cert_error > 0
|
||||
for: 15m
|
||||
labels:
|
||||
severity: warning
|
||||
- alert: CertificateRenewal
|
||||
annotations:
|
||||
description: Certificate for "{{`{{`}} $labels.subject_CN {{`}}`}}" should be renewed {{`{{`}}if $labels.secret_name {{`}}`}}in Kubernetes secret "{{`{{`}} $labels.secret_namespace {{`}}`}}/{{`{{`}} $labels.secret_name {{`}}`}}"{{`{{`}}else{{`}}`}}at location "{{`{{`}} $labels.filepath {{`}}`}}"{{`{{`}}end{{`}}`}}
|
||||
summary: Certificate should be renewed
|
||||
expr: ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="", issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 28
|
||||
for: 15m
|
||||
labels:
|
||||
severity: warning
|
||||
- alert: CertificateExpiration
|
||||
annotations:
|
||||
description: Certificate for "{{`{{`}} $labels.subject_CN {{`}}`}}" is about to expire {{`{{`}}if $labels.secret_name {{`}}`}}in Kubernetes secret "{{`{{`}} $labels.secret_namespace {{`}}`}}/{{`{{`}} $labels.secret_name {{`}}`}}"{{`{{`}}else{{`}}`}}at location "{{`{{`}} $labels.filepath {{`}}`}}"{{`{{`}}end{{`}}`}}
|
||||
summary: Certificate is about to expire
|
||||
expr: ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="", issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 14
|
||||
for: 15m
|
||||
labels:
|
||||
severity: critical
|
||||
{{- end }}
|
||||
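Review bot: The CertificateRenewal and CertificateExpiration selectors both carry `issuer_O=""`, which silently excludes every certificate whose issuer sets an organisation (typically CA-issued ones) from both alerts, and the linkerd exclusions are duplicated verbatim between the two exprs. If the intent is to alert only on internally issued certificates, state it above the first expr, e.g. `# issuer_O="" limits these alerts to certs without an issuer organisation (internal/self-issued); linkerd rotates its own identity certs`. The 28/14 day thresholds and the exclusion list would also be easier to keep in step across clusters if they came from values rather than being repeated in the rule.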
@@ -0,0 +1,42 @@
|
||||
{{ if .Values.actions_runner_controller.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: actions-runner-controller
|
||||
namespace: argocd #TODO move arc to isolated project
|
||||
spec:
|
||||
destination:
|
||||
namespace: actions-runner-controller
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: 'https://actions-runner-controller.github.io/actions-runner-controller'
|
||||
targetRevision: {{ .Values.actions_runner_controller.version }}
|
||||
chart: actions-runner-controller
|
||||
helm:
|
||||
values: |
|
||||
replicaCount: 1
|
||||
# Webhook
|
||||
webhookPort: 9443
|
||||
syncPeriod: 1m
|
||||
defaultScaleDownDelay: 10m
|
||||
# Authentication
|
||||
authSecret:
|
||||
enabled: true
|
||||
create: false
|
||||
name: arc-gh-token
|
||||
annotations: {}
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
- ServerSideApply=true
|
||||
{{- if .Values.actions_runner_controller.version }}
|
||||
automated:
|
||||
# selfHeal: false
|
||||
prune: true
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
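Review bot: `syncPolicy.automated` at the end of the spec is guarded by `{{- if .Values.actions_runner_controller.version }}`, so automated pruning switches on whenever a chart version is set rather than when the operator opts in, while every sibling application in this commit (argo-rollouts, argo-workflows, cert-manager, chartmuseum, cilium, argocd) gates it on a dedicated `.autosync` flag. The clickhouse-operator application later in this commit has the same guard. Changing it to `{{- if .Values.actions_runner_controller.autosync }}` makes the behaviour consistent and keeps `prune: true` an explicit choice. The inline `#TODO` on the namespace line also needs two spaces before `#` to satisfy yamllint.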
@@ -0,0 +1,37 @@
|
||||
{{- if .Values.argo_rollouts.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: argo-rollouts
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "-1"
|
||||
spec:
|
||||
destination:
|
||||
namespace: argocd
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
#- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
# path: {{ .Values.cluster_config.policies }}/argo-rollouts
|
||||
# targetRevision: HEAD
|
||||
- repoURL: 'https://argoproj.github.io/argo-helm'
|
||||
targetRevision: {{ .Values.argo_rollouts.version }}
|
||||
chart: argo-rollouts
|
||||
helm:
|
||||
values: |
|
||||
dashboard:
|
||||
enabled: {{ .Values.argo_rollouts.dashboard_enabled }}
|
||||
{{- with .Values.argo_rollouts.metrics.enabled }}
|
||||
controller:
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
{{- end }}
|
||||
project: sys
|
||||
{{- if .Values.argo_rollouts.autosync }}
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
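Review bot: The three commented-out source lines under `sources:` still contain template actions (`{{ .Values.cluster_config.manifests }}`, `{{ .Values.cluster_config.policies }}`), and Helm evaluates actions inside `#` comments exactly as it does elsewhere, so those lookups run on every render and a later removal of `cluster_config` would fail the template even though the lines are disabled. Either delete the block or wrap it in a template comment, `{{- /* manifests-repo source for argo-rollouts, disabled */ -}}`, which is dropped before YAML parsing. The commented ingress whitelist annotations in the argocd application's applicationSet section have the same pattern.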
@@ -0,0 +1,43 @@
|
||||
{{- if .Values.argo_workflows.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: argo-workflows
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "-1"
|
||||
spec:
|
||||
destination:
|
||||
namespace: argocd
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: 'https://argoproj.github.io/argo-helm'
|
||||
targetRevision: {{ .Values.argo_workflows.version }}
|
||||
chart: argo-workflows
|
||||
helm:
|
||||
values: |
|
||||
controller:
|
||||
workflowNamespaces:
|
||||
{{- .Values.argo_workflows.allowed_namespaces | toYaml | nindent 10 }}
|
||||
{{- with .Values.argo_workflows.metrics.enabled }}
|
||||
metricsConfig:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
{{- end }}
|
||||
server:
|
||||
extraArgs:
|
||||
- --auth-mode=server
|
||||
workflow:
|
||||
rbac:
|
||||
create: true
|
||||
serviceAccount:
|
||||
create: true
|
||||
name: argo-workflow
|
||||
project: argo-workflows
|
||||
{{- if .Values.argo_workflows.autosync }}
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
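Review bot: `server.extraArgs: --auth-mode=server` makes the argo-workflows server execute every UI and API request with its own service account and no per-user authentication, so whoever can reach the service holds that account's RBAC across all namespaces in `workflowNamespaces`. This application defines no ingress, so exposure is presumably limited to in-cluster traffic, but that should be explicit: add `# auth-mode=server: no user login, callers act as the argo-server SA; keep this service cluster-internal` above the arg, or move to `--auth-mode=sso` against the dex instance this commit already configures for Argo CD (which needs a matching sso block in the values).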
@@ -0,0 +1,153 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: argocd-apps
|
||||
namespace: argocd
|
||||
spec:
|
||||
destination:
|
||||
namespace: argocd
|
||||
server: 'https://kubernetes.default.svc'
|
||||
source:
|
||||
repoURL: 'https://argoproj.github.io/argo-helm'
|
||||
targetRevision: {{ .Values.argocd_apps.version }}
|
||||
chart: argocd-apps
|
||||
helm:
|
||||
values: |
|
||||
projects:
|
||||
# System component project
|
||||
- name: sys
|
||||
namespace: argocd
|
||||
description: sys components project
|
||||
sourceRepos:
|
||||
- '{{ .Values.cluster_config.manifests }}'
|
||||
- 'https://argoproj.github.io/argo-helm'
|
||||
- 'https://kubernetes-sigs.github.io/metrics-server/'
|
||||
- 'https://kubernetes.github.io/ingress-nginx'
|
||||
- 'https://cloudnative-pg.github.io/charts'
|
||||
- 'https://charts.jetstack.io'
|
||||
- 'https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/'
|
||||
- 'https://github.com/kubernetes/dashboard'
|
||||
- 'https://bitnami-labs.github.io/sealed-secrets'
|
||||
- 'https://prometheus-community.github.io/helm-charts'
|
||||
- 'https://github.com/prometheus-community/helm-charts.git'
|
||||
- 'https://charts.gitlab.io/'
|
||||
- 'https://charts.bitnami.com/bitnami'
|
||||
- 'https://helm.linkerd.io/stable'
|
||||
- 'https://github.com/jaegertracing/jaeger-operator'
|
||||
- 'https://kyverno.github.io/kyverno/'
|
||||
- 'https://vmware-tanzu.github.io/helm-charts'
|
||||
- 'https://grafana.github.io/helm-charts'
|
||||
- 'https://charts.enix.io'
|
||||
- 'https://helm.mariadb.com/mariadb-operator'
|
||||
- 'https://helm.cilium.io'
|
||||
- 'https://chartmuseum.github.io/charts'
|
||||
- 'https://open-telemetry.github.io/opentelemetry-helm-charts'
|
||||
- 'https://strimzi.io/charts'
|
||||
- 'https://helm.elastic.co'
|
||||
- 'https://1password.github.io/connect-helm-charts'
|
||||
- 'https://actions-runner-controller.github.io/actions-runner-controller'
|
||||
- 'https://imio.github.io/helm-charts'
|
||||
- 'https://docs.altinity.com/clickhouse-operator'
|
||||
|
||||
destinations:
|
||||
- namespace: argocd
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: kube-system
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: ingress-nginx
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: prometheus
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: cnpg
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: cert-manager
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: kubernetes-dashboard
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: rabbitmq
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: sealed-secrets
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: gitlab
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: thanos
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: linkerd
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: linkerd-multicluster
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: observability
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: kyverno
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: velero
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: loki
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: tempo
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: otel
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: x509-exporter
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: mariadb-operator
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: cilium-spire
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: cilium-secrets
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: actions-runner-controller
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: analytics
|
||||
server: https://kubernetes.default.svc
|
||||
- namespace: clickhouse
|
||||
server: https://kubernetes.default.svc
|
||||
clusterResourceWhitelist:
|
||||
- group: '*'
|
||||
kind: '*'
|
||||
|
||||
{{- if .Values.argo_workflows.enabled }}
|
||||
- name: argo-workflows
|
||||
namespace: argocd
|
||||
description: argo-workflows resources
|
||||
sourceRepos:
|
||||
- 'https://argoproj.github.io/argo-helm'
|
||||
destinations:
|
||||
- namespace: argocd
|
||||
server: https://kubernetes.default.svc
|
||||
{{- range .Values.argo_workflows.allowed_namespaces }}
|
||||
- namespace: {{.}}
|
||||
server: https://kubernetes.default.svc
|
||||
{{- end }}
|
||||
namespaceResourceWhitelist:
|
||||
- group: "rbac.authorization.k8s.io"
|
||||
kind: Role
|
||||
- group: "rbac.authorization.k8s.io"
|
||||
kind: RoleBinding
|
||||
- group: ""
|
||||
kind: ConfigMap
|
||||
- group: ""
|
||||
kind: Secret
|
||||
- group: ""
|
||||
kind: Service
|
||||
- group: ""
|
||||
kind: ServiceAccount
|
||||
- group: apps
|
||||
kind: Deployment
|
||||
- group: "monitoring.coreos.com"
|
||||
kind: ServiceMonitor
|
||||
clusterResourceWhitelist:
|
||||
- group: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
- group: rbac.authorization.k8s.io
|
||||
kind: ClusterRoleBinding
|
||||
- group: apiextensions.k8s.io
|
||||
kind: CustomResourceDefinition
|
||||
{{- end }}
|
||||
project: sys
|
||||
syncPolicy:
|
||||
automated: {}
|
||||
syncOptions:
|
||||
- ServerSideApply=true
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
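Review bot: In the argo-workflows project, `- namespace: {{.}}` emits each allowed namespace as a plain scalar, so a namespace named like a YAML boolean (`no`, `on`, `y` are valid DNS labels) would be read as `false`/`true` by the argocd-apps chart; write it as `- namespace: '{{ . }}'`, matching how the sys project quotes `'{{ .Values.cluster_config.manifests }}'`. The two whitelists below also quote the same group differently (`"rbac.authorization.k8s.io"` in namespaceResourceWhitelist, bare in clusterResourceWhitelist); pick one style. A short comment on that project's clusterResourceWhitelist saying why a per-namespace project needs ClusterRole, ClusterRoleBinding and CustomResourceDefinition (presumably the chart install) would stop it being widened further without thought.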
@@ -0,0 +1,325 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: argocd
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "-1"
|
||||
spec:
|
||||
destination:
|
||||
namespace: argocd
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- path: {{ .Values.cluster_config.policies }}/argocd
|
||||
repoURL: {{ .Values.cluster_config.manifests }}
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://argoproj.github.io/argo-helm'
|
||||
targetRevision: {{ .Values.argocd.version }}
|
||||
chart: argo-cd
|
||||
helm:
|
||||
values: |
|
||||
global:
|
||||
domain: argocd.{{ .Values.cluster_config.domain }}
|
||||
## ArgoCD configuration
|
||||
## Ref: https://github.com/argoproj/argo-cd
|
||||
##
|
||||
configs:
|
||||
{{- if .Values.argocd.anyNamespaces.enabled }}
|
||||
params:
|
||||
applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
|
||||
# TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
|
||||
applicationsetcontroller.enable.scm.providers: "false"
|
||||
application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
|
||||
{{- end }}
|
||||
cm:
|
||||
application.resourceTrackingMethod: annotation+label
|
||||
application.instanceLabelKey: app.kubernetes.io/instance
|
||||
create: true
|
||||
# NOTE(kai): callback URL for dex
|
||||
url: "https://argocd.{{ .Values.cluster_config.domain }}"
|
||||
resource.compareoptions: |
|
||||
ignoreAggregatedRoles: true
|
||||
resource.exclusions: |
|
||||
- apiGroups:
|
||||
- cilium.io
|
||||
kinds:
|
||||
- CiliumIdentity
|
||||
clusters:
|
||||
- "*"
|
||||
- apiGroups:
|
||||
- kyverno.io
|
||||
kinds:
|
||||
- AdmissionReport
|
||||
- BackgroundScanReport
|
||||
- ClusterAdmissionReport
|
||||
- ClusterBackgroundScanReport
|
||||
clusters:
|
||||
- "*"
|
||||
# dex saml config
|
||||
dex.config: |
|
||||
logger:
|
||||
level: debug
|
||||
format: json
|
||||
connectors:
|
||||
{{- with .Values.cluster_config.oidc }}
|
||||
{{- range . }}
|
||||
{{- if eq .provider "azuread" }}
|
||||
- type: oidc
|
||||
id: {{ .name }}
|
||||
name: {{ .name }}
|
||||
config:
|
||||
issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0
|
||||
clientID: ${{ .name | replace "-" "_" }}_client_id
|
||||
clientSecret: ${{ .name | replace "-" "_" }}_client_secret
|
||||
insecureSkipEmailVerified: true
|
||||
requestedIDTokenClaims:
|
||||
groups:
|
||||
essential: true
|
||||
insecureEnableGroups: true
|
||||
requestedScopes:
|
||||
- openid
|
||||
- profile
|
||||
- email
|
||||
- groups
|
||||
{{- else if eq .provider "github" }}
|
||||
- type: github
|
||||
id: {{ .name }}
|
||||
name: {{ .name }}
|
||||
config:
|
||||
clientID: ${{ .name | replace "-" "_" }}_client_id
|
||||
clientSecret: ${{ .name | replace "-" "_" }}_client_secret
|
||||
redirectURI: https://argocd.{{ $.Values.cluster_config.domain }}/api/dex/callback
|
||||
orgs:
|
||||
- name: {{ .allowed_organizations }}
|
||||
loadAllGroups: true
|
||||
teamNameField: slug
|
||||
useLoginAsID: false
|
||||
staticClients:
|
||||
- id: ${{ .name | replace "-" "_" }}_client_id
|
||||
name: Kubernetes
|
||||
# These are kubectl oidc plugin internal URLs
|
||||
redirectURIs:
|
||||
- http://localhost:8000
|
||||
- http://localhost:18000
|
||||
# Random secret for the user to authenticat dex client
|
||||
secret: 8d52926efe879ee505391b75f4b046cf
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
admin.enabled: '{{ .Values.argocd.adminLogin }}'
|
||||
rbac:
|
||||
# NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
|
||||
policy.csv: |
|
||||
p, role:org-admin, applications, *, */*, allow
|
||||
p, role:org-admin, projects, *, *, allow
|
||||
p, role:org-admin, logs, get, *, allow
|
||||
p, role:org-admin, clusters, get, *, allow
|
||||
p, role:org-admin, clusters, update, *, allow
|
||||
p, role:org-admin, repositories, get, *, allow
|
||||
p, role:org-admin, repositories, create, *, allow
|
||||
p, role:org-admin, repositories, update, *, allow
|
||||
p, role:org-admin, repositories, delete, *, allow
|
||||
g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin
|
||||
{{- if .Values.cluster_config.external_access.enabled }}
|
||||
p, role:external-admin, applications, *, sys/*, deny
|
||||
p, role:external-admin, applications, *, oxb/*, deny
|
||||
p, role:external-admin, applications, *, */*, allow
|
||||
p, role:external-admin, projects, *, oxb, deny
|
||||
p, role:external-admin, projects, *, sys, deny
|
||||
p, role:external-admin, projects, get, *, allow
|
||||
p, role:external-admin, logs, get, *, allow
|
||||
p, role:external-admin, clusters, get, *, allow
|
||||
p, role:external-admin, repositories, get, *, allow
|
||||
p, role:external-admin, repositories, create, *, allow
|
||||
p, role:external-admin, repositories, update, *, allow
|
||||
p, role:external-admin, repositories, delete, *, allow
|
||||
g, "{{ .Values.cluster_config.external_access.admin_group }}", role:external-admin
|
||||
{{- end }}
|
||||
{{- if .Values.cluster_config.external_access.enabled }}
|
||||
{{- range .Values.cluster_config.external_access.groups }}
|
||||
{{- "\n" -}}
|
||||
{{- $name := .name }}
|
||||
p, role:{{$name}}, projects, get, {{$name}}, allow
|
||||
p, role:{{$name}}, applications, get, {{$name}}/*, allow
|
||||
p, role:{{$name}}, logs, get, {{$name}}/*, allow
|
||||
{{- range .group_id }}
|
||||
g, {{ . }}, role:{{$name}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.argocd.additional_rbac_settings }}
|
||||
{{- range .}}
|
||||
{{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
repositories:
|
||||
# Repositories for applications
|
||||
argo-helm:
|
||||
type: helm
|
||||
url: https://argoproj.github.io/argo-helm
|
||||
# UI changes based on env
|
||||
styles: |
|
||||
/* blue, orange, red depending on env */
|
||||
:root {
|
||||
--test-color: #0f2cbd;
|
||||
--dev-color: #33b025;
|
||||
--staging-color: #ebac2f;
|
||||
--prod-color: #ff000d;
|
||||
}
|
||||
.top-bar__breadcrumbs::after {
|
||||
content: "cluster: {{.Values.cluster_config.cluster}}, env: {{.Values.cluster_config.env}} ";
|
||||
color: var(--{{.Values.cluster_config.env}}-color);
|
||||
font-weight: bolder;
|
||||
font-size: larger;
|
||||
position: fixed;
|
||||
left: 50%;
|
||||
}
|
||||
|
||||
controller:
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
resources:
|
||||
limits:
|
||||
memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
|
||||
requests:
|
||||
cpu: {{ .Values.argocd.resources.controller.cpu | default "250m" }}
|
||||
memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
|
||||
|
||||
# Mount azure ca as file for SAML auth
|
||||
dex:
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
{{- with .Values.cluster_config.oidc }}
|
||||
env:
|
||||
{{- range . }}
|
||||
- name: {{ .name | replace "-" "_" }}_client_secret
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .secret_ref.name }}
|
||||
key: client_secret
|
||||
- name: {{ .name | replace "-" "_" }}_client_id
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .secret_ref.name }}
|
||||
key: client_id
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
redis:
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
|
||||
repoServer:
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
{{- if .Values.argocd.repoServer.cmp.enabled }}
|
||||
extraContainers:
|
||||
- command:
|
||||
- /var/run/argocd/argocd-cmp-server
|
||||
image: {{ .Values.argocd.repoServer.cmp.image }}
|
||||
imagePullPolicy: Always
|
||||
name: {{ .Values.argocd.repoServer.cmp.name }}
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 999
|
||||
terminationMessagePath: /dev/termination-log
|
||||
terminationMessagePolicy: File
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/argocd
|
||||
name: var-files
|
||||
- mountPath: /home/argocd/cmp-server/plugins
|
||||
name: plugins
|
||||
- mountPath: /tmp
|
||||
name: cmp-tmp
|
||||
- mountPath: /helm-working-dir
|
||||
name: helm-working-dir
|
||||
{{- with .Values.argocd.repoServer.cmp.initContainers }}
|
||||
initContainers:
|
||||
{{- toYaml . | nindent 10}}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: cmp-tmp
|
||||
emptyDir: {}
|
||||
{{- if .Values.argocd.repoServer.cmp.imagePullSecret }}
|
||||
imagePullSecrets:
|
||||
{{- range .Values.argocd.repoServer.cmp.imagePullSecret}}
|
||||
- name: {{ .name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
# Configuration for argocd server instance
|
||||
server:
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
ingress:
|
||||
enabled: {{ .Values.argocd.ingress.enabled }}
|
||||
ingressClassName: nginx
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
||||
{{- with .Values.cluster_config.ingress_whitelist_ips }}
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
|
||||
{{- end }}
|
||||
hosts:
|
||||
- "argocd.{{ .Values.cluster_config.domain }}"
|
||||
tls:
|
||||
- secretName: argocd-tls
|
||||
hosts:
|
||||
- "argocd.{{ .Values.cluster_config.domain }}"
|
||||
applicationSet:
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
{{- if .Values.argocd.anyNamespaces.enabled }}
|
||||
allowAnyNamespaces: true
|
||||
{{- end }}
|
||||
ingress:
|
||||
enabled: {{ .Values.argocd.applicationset_webhook.enabled }}
|
||||
ingressClassName: nginx
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
# {{- with .Values.cluster_config.ingress_whitelist_ips}}
|
||||
# NOTE(kai): include gitlab and github webhook ranges
|
||||
# nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24
|
||||
# {{- end }}
|
||||
hostname: "argocd-applicationset.{{ .Values.cluster_config.domain }}"
|
||||
tls:
|
||||
- secretName: argocd-applicationset-tls
|
||||
hosts:
|
||||
- "argocd-applicationset.{{ .Values.cluster_config.domain }}"
|
||||
notifications:
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
secret:
|
||||
create: false
|
||||
cm:
|
||||
create: false
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.argocd.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
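Review bot: The dex static client for the GitHub connector carries a literal 32-hex-character `secret:` committed in the template, so the same static secret is rendered into `argocd-cm` on every cluster built from this chart and is readable by anyone with access to the repo or that ConfigMap. The file already has the right pattern: the connector `clientSecret` values use `${{ .name | replace "-" "_" }}_client_secret`, resolved through the `dex.env` / `secretKeyRef` entries further down, so the static client can use `secret: ${{ .name | replace "-" "_" }}_kubectl_secret` (key name to be chosen) with a matching env entry from the same `secret_ref`. The `# Random secret for the user to authenticat dex client` comment should then read `# kubectl static client secret, injected from the OIDC secret via dex.env`. The hard-coded Azure group id in `policy.csv` is the same kind of per-tenant constant and belongs in values next to `external_access.admin_group`.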
@@ -0,0 +1,36 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: argocd
|
||||
spec:
|
||||
destination:
|
||||
namespace: cert-manager
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/cert-manager
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://charts.jetstack.io'
|
||||
targetRevision: {{ .Values.cert_manager.version }}
|
||||
chart: cert-manager
|
||||
helm:
|
||||
values: |
|
||||
installCRDs: true
|
||||
enableCertificateOwnerRef: true
|
||||
startupapicheck:
|
||||
podAnnotations:
|
||||
linkerd.io/inject: disabled
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.cert_manager.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
@@ -0,0 +1,60 @@
|
||||
{{- if .Values.chartmuseum.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: chartmuseum
|
||||
namespace: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: argocd
|
||||
server: 'https://kubernetes.default.svc'
|
||||
source:
|
||||
repoURL: 'https://chartmuseum.github.io/charts'
|
||||
targetRevision: {{ .Values.chartmuseum.version }}
|
||||
chart: chartmuseum
|
||||
helm:
|
||||
values: |
|
||||
env:
|
||||
open:
|
||||
ENABLE_METRICS: true
|
||||
DISABLE_API: false
|
||||
ALLOW_OVERWRITE: false
|
||||
CHART_URL: ""
|
||||
AUTH_ANONYMOUS_GET: true
|
||||
existingSecret: chartmuseum-basic-auth
|
||||
existingSecretMappings:
|
||||
BASIC_AUTH_USER: user
|
||||
BASIC_AUTH_PASS: password
|
||||
extraArgs:
|
||||
- --web-template-path=/storage/web
|
||||
serviceMonitor:
|
||||
enabled: false
|
||||
persistence:
|
||||
enabled: true
|
||||
accessMode: ReadWriteOnce
|
||||
size: {{ .Values.chartmuseum.storage.size }}
|
||||
path: /storage
|
||||
storageClass: "nutanix-volume"
|
||||
ingress:
|
||||
enabled: {{ .Values.chartmuseum.ingress.enabled }}
|
||||
annotations:
|
||||
{{- with .Values.cluster_config.ingress_whitelist_ips}}
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
|
||||
{{- end }}
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
ingressClassName: nginx
|
||||
hosts:
|
||||
- name: charts.{{ .Values.cluster_config.domain }}
|
||||
path: /
|
||||
tls: true
|
||||
tlsSecret: chartmuseum-tls
|
||||
project: sys
|
||||
{{- if .Values.chartmuseum.autosync }}
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
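Review bot: `storageClass: "nutanix-volume"` is hard-coded while `size` comes from `.Values.chartmuseum.storage.size`, so rendering this chart on a cluster without that storage class leaves the PVC Pending and chartmuseum never starts; take it from values as well, e.g. `storageClass: {{ .Values.chartmuseum.storage.class | quote }}` (new value key). `ENABLE_METRICS: true` combined with `serviceMonitor.enabled: false` also differs from every other sys application in this commit, which all scrape via ServiceMonitor; if that is deliberate, a one-line comment will keep it from being "fixed". Since `AUTH_ANONYMOUS_GET: true` makes chart downloads unauthenticated, the ingress whitelist annotation is the only control on who can read the repository, which is worth stating above the `env` block.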
@@ -0,0 +1,165 @@
|
||||
{{- if .Values.cilium.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: cilium
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "-1"
|
||||
spec:
|
||||
destination:
|
||||
namespace: kube-system
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
{{- if .Values.cilium.spire.enabled }}
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/cilium-spire
|
||||
targetRevision: HEAD
|
||||
{{- end }}
|
||||
- repoURL: 'https://helm.cilium.io'
|
||||
targetRevision: {{ .Values.cilium.version }}
|
||||
chart: cilium
|
||||
helm:
|
||||
values: |
|
||||
authentication:
|
||||
mutual:
|
||||
spire:
|
||||
enabled: {{ .Values.cilium.spire.enabled }}
|
||||
cgroup:
|
||||
autoMount:
|
||||
enabled: false
|
||||
hostRoot: /sys/fs/cgroup
|
||||
dashboards:
|
||||
enabled: true
|
||||
namespace: prometheus
|
||||
enableXTSocketFallback: false
|
||||
encryption:
|
||||
enabled: {{ .Values.cilium.encryption.enabled }}
|
||||
type: {{ .Values.cilium.encryption.type}}
|
||||
envoy:
|
||||
enabled: {{ .Values.cilium.envoy.enabled }}
|
||||
prometheus:
|
||||
serviceMonitor:
|
||||
enabled: {{ .Values.cilium.envoy.enabled }}
|
||||
extraConfig:
|
||||
enable-envoy-config: "true"
|
||||
hubble:
|
||||
enabled: true
|
||||
tls:
|
||||
auto:
|
||||
method: cronJob
|
||||
metrics:
|
||||
dashboards:
|
||||
enabled: true
|
||||
namespace: prometheus
|
||||
enabled:
|
||||
- dns:query;ignoreAAAA
|
||||
- drop
|
||||
- tcp
|
||||
- flow
|
||||
- icmp
|
||||
- policy:sourceContext=app|workload-name|pod|reserved-identity;destinationContext=app|workload-name|pod|dns|reserved-identity;labelsContext=source_namespace,destination_namespace
|
||||
- httpV2:exemplars=false;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction
|
||||
port: 12304
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
redact:
|
||||
enabled: true
|
||||
relay:
|
||||
enabled: true
|
||||
prometheus:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
ui:
|
||||
enabled: {{ .Values.cilium.hubble.ui }}
|
||||
ipam:
|
||||
mode: kubernetes
|
||||
kubeProxyReplacement: {{ .Values.cilium.kubeProxyReplacement }}
|
||||
l2announcements:
|
||||
enabled: {{ .Values.cilium.l2announcement.enabled }}
|
||||
k8sServiceHost: {{ .Values.cilium.k8sServiceHost }}
|
||||
k8sServicePort: {{ .Values.cilium.k8sServicePort }}
|
||||
nodePort:
|
||||
enabled: {{ .Values.cilium.nodePort.enabled }}
|
||||
gatewayAPI:
|
||||
enabled: {{ .Values.cilium.gatewayAPI.enabled }}
|
||||
ingressController:
|
||||
enabled: {{ .Values.cilium.ingressController.enabled }}
|
||||
default: {{ .Values.cilium.ingressController.defaultClass }}
|
||||
loadbalancerMode: {{ .Values.cilium.ingressController.loadbalancerMode }}
|
||||
operator:
|
||||
dashboards:
|
||||
enabled: true
|
||||
namespace: prometheus
|
||||
prometheus:
|
||||
enabled: true
|
||||
port: 12301
|
||||
serviceMointor:
|
||||
enabled: true
|
||||
port: 12302
|
||||
rollOutPods: true
|
||||
policyAuditMode: {{ .Values.cilium.policyAuditMode }}
|
||||
prometheus:
|
||||
enabled: true
|
||||
port: 12300
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
rollOutCiliumPods: true
|
||||
securityContext:
|
||||
capabilities:
|
||||
ciliumAgent:
|
||||
- CHOWN
|
||||
- KILL
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
- IPC_LOCK
|
||||
- SYS_ADMIN
|
||||
- SYS_RESOURCE
|
||||
- DAC_OVERRIDE
|
||||
- FOWNER
|
||||
- SETGID
|
||||
- SETUID
|
||||
cleanCiliumState:
|
||||
- NET_ADMIN
|
||||
- SYS_ADMIN
|
||||
- SYS_RESOURCE
|
||||
{{- with .Values.cilium.upgradeCompatability}}
|
||||
upgradeCompatability: {{ . }}
|
||||
{{- end }}
|
||||
project: sys
|
||||
syncPolicy:
|
||||
syncOptions:
|
||||
- ServerSideApply=true
|
||||
{{- if .Values.cilium.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
ignoreDifferences:
|
||||
- group: apps
|
||||
jqPathExpressions:
|
||||
- .spec.volumeClaimTemplates
|
||||
kind: StatefulSet
|
||||
name: spire-server
|
||||
- group: monitoring.coreos.com
|
||||
jqPathExpressions:
|
||||
- .spec.endpoints[]?.relabelings[]?.action
|
||||
kind: ServiceMonitor
|
||||
- group: ''
|
||||
jsonPointers:
|
||||
- /data/ca.crt
|
||||
kind: ConfigMap
|
||||
name: hubble-ca-cert
|
||||
- group: ''
|
||||
jsonPointers:
|
||||
- /data/ca.crt
|
||||
- /data/ca.key
|
||||
kind: Secret
|
||||
name: cilium-ca
|
||||
- group: ''
|
||||
jqPathExpressions:
|
||||
- .spec.ports[]?.nodePort
|
||||
kind: Service
|
||||
name: cilium-ingress
|
||||
{{- end }}
|
||||
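Review bot: Two keys handed to the cilium chart are misspelled: `operator.prometheus.serviceMointor` should be `serviceMonitor`, so the operator ServiceMonitor is never created although the agent and hubble ones are, and `upgradeCompatability` (both the rendered key and the `.Values.cilium.upgradeCompatability` it reads) should be `upgradeCompatibility`, so the compatibility pin is silently ignored on upgrades. Helm does not reject unknown values keys, which is why neither shows up as an error. Fix with `serviceMonitor:` on that line and `{{- with .Values.cilium.upgradeCompatibility }}` / `upgradeCompatibility: {{ . }}`, renaming the key in the cluster values too. `policyAuditMode` also deserves a comment that when true Cilium logs policy verdicts but does not enforce them, so a cluster left in audit mode has no effective network policy.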
@@ -0,0 +1,45 @@
|
||||
{{ if .Values.clickhouse_operator.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: clickhouse-operator
|
||||
namespace: argocd
|
||||
spec:
|
||||
destination:
|
||||
namespace: clickhouse
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/clickhouse
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://docs.altinity.com/clickhouse-operator'
|
||||
targetRevision: {{ .Values.clickhouse_operator.version }}
|
||||
chart: altinity-clickhouse-operator
|
||||
helm:
|
||||
values: |
|
||||
configs:
|
||||
files:
|
||||
config.yaml:
|
||||
watch:
|
||||
namespaces: ["analytics", "analytics-production"]
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
- ServerSideApply=true
|
||||
{{- if .Values.clickhouse_operator.version }}
|
||||
automated:
|
||||
# selfHeal: false
|
||||
prune: true
|
||||
{{- end }}
|
||||
ignoreDifferences:
|
||||
- group: apps
|
||||
kind: Deployment
|
||||
jqPathExpressions:
|
||||
- .spec.template.spec.containers[].env[].valueFrom.resourceFieldRef.divisor
|
||||
- .spec.template.spec.initContainers[].env[].valueFrom.resourceFieldRef.divisor
|
||||
{{ end }}
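Review bot: The `automated:` block is gated on `{{- if .Values.clickhouse_operator.version }}` instead of an autosync flag, so any cluster that pins a version also gets automatic pruning, while every other Application in this commit gates the same block on `.autosync`; change it to `{{- if .Values.clickhouse_operator.autosync }}` so the behaviour matches the siblings. `repoURL: {{ .Values.cluster_config.manifests }}` is unquoted here whereas the downscaler and otel Applications quote the same value; `repoURL: '{{ .Values.cluster_config.manifests }}'` keeps the rendered field a string whatever the value contains. The `watch.namespaces` list is hard-coded to `analytics` and `analytics-production`; if it is meant to be per-cluster it belongs in values, otherwise a comment saying why it is fixed would help.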
|
||||
@@ -0,0 +1,47 @@
|
||||
{{ if .Values.downscaler.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: downscaler
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: kube-downscaler
|
||||
server: 'https://kubernetes.default.svc'
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.downscaler.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: true
|
||||
{{- end }}
|
||||
sources:
|
||||
- repoURL: '{{ .Values.cluster_config.manifests }}'
|
||||
path: {{ .Values.cluster_config.policies }}/downscaler
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://caas-team.github.io/helm-charts/'
|
||||
targetRevision: {{ .Values.downscaler.version }}
|
||||
chart: py-kube-downscaler
|
||||
helm:
|
||||
values: |
|
||||
arguments:
|
||||
- --interval=60
|
||||
- --include-resources=deployments,statefulsets,scaledobjects,cronjobs
|
||||
# Namespaces being excluded from the 'downscale for non-work hours'
|
||||
# DEFAULT_UPTIME: "Mon-Fri 07:30-20:30 CET"
|
||||
{{- with .Values.downscaler.excludedNamespaces }}
|
||||
excludedNamespaces: {{ join "," . }}
|
||||
{{- end }}
|
||||
extraConfig: {{- toYaml .Values.downscaler.extraConfig | nindent 8 }}
|
||||
{{ end }}
|
||||
|
||||
@@ -0,0 +1,78 @@
|
||||
{{ if .Values.gitlab_runner.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: gitlab-runner
|
||||
namespace: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: gitlab
|
||||
server: 'https://kubernetes.default.svc'
|
||||
source:
|
||||
repoURL: 'https://charts.gitlab.io/'
|
||||
targetRevision: {{ .Values.gitlab_runner.version }}
|
||||
chart: gitlab-runner
|
||||
helm:
|
||||
releaseName: runner-gitlab-runner
|
||||
values: |
|
||||
gitlabUrl: https://gitlab.com/
|
||||
# certsSecretName: cluster-ca
|
||||
# sentryDsn: https://cb9cbeb704c4454fadf0d231602b7abc@o990465.ingest.sentry.io/5996879
|
||||
|
||||
checkInterval: 15
|
||||
|
||||
rbac:
|
||||
create: true
|
||||
clusterWideAccess: true
|
||||
|
||||
service:
|
||||
enabled: true
|
||||
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
|
||||
runners:
|
||||
tags: kubernetes, {{ .Values.gitlab_runner.tag }}, {{ .Values.cluster_config.cluster }}, {{ .Values.cluster_config.env}}
|
||||
executor: kubernetes
|
||||
cache:
|
||||
secretName: s3access
|
||||
secret: runner-token
|
||||
|
||||
# tpl: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
|
||||
# runner configuration: https://docs.gitlab.com/runner/configuration/advanced-configurati>
|
||||
config: |
|
||||
[[runners]]
|
||||
[runners.kubernetes]
|
||||
pull_policy = "always"
|
||||
namespace = "gitlab"
|
||||
image = "ubuntu:24.04"
|
||||
[runners.cache]
|
||||
Path = ""
|
||||
Shared = true
|
||||
Type = "s3"
|
||||
[runners.cache.s3]
|
||||
BucketLocation = "us-east-1"
|
||||
AuthenticationType = "access-key"
|
||||
AccessKey = {{ .Values.gitlab_runner.s3.access_key }}
|
||||
SecretKey = {{ .Values.gitlab_runner.s3.secret_key }}
|
||||
ServerAddress = {{ .Values.gitlab_runner.s3.server }}
|
||||
BucketName = "gitlab-runner"
|
||||
Insecure = false
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.gitlab_runner.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
{{ end }}
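Review bot: The `[runners.cache.s3]` block renders `AccessKey`, `SecretKey` and `ServerAddress` straight from values into the Application manifest, so the S3 credentials end up in plaintext in the argocd namespace and in every Argo diff; `runners.cache.secretName: s3access` a few lines above already names a Secret that the chart can use for these credentials, so the inline `AccessKey`/`SecretKey` lines should be dropped in favour of it (confirm the expected key names against the pinned chart version). As written the three lines are also invalid TOML unless the values themselves carry quotes — TOML string values must be quoted, e.g. `ServerAddress = "{{ .Values.gitlab_runner.s3.server }}"`. `rbac.clusterWideAccess: true` gives the runner's service account cluster-wide permissions; since the job pods are pinned to `namespace = "gitlab"`, the default namespace-scoped RBAC looks sufficient, and if the wider grant is needed a comment stating why belongs next to it.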
|
||||
@@ -0,0 +1,132 @@
|
||||
{{- if .Values.nginx.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: ingress-nginx
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
spec:
|
||||
destination:
|
||||
namespace: ingress-nginx
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/ingress-nginx
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://kubernetes.github.io/ingress-nginx'
|
||||
targetRevision: {{ .Values.nginx.version }}
|
||||
chart: ingress-nginx
|
||||
helm:
|
||||
values: |
|
||||
## nginx configuration
|
||||
## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md
|
||||
##
|
||||
## Overrides for generated resource names
|
||||
# See templates/_helpers.tpl
|
||||
# nameOverride:
|
||||
fullnameOverride: main-ingress-nginx
|
||||
controller:
|
||||
resources:
|
||||
limits:
|
||||
memory: {{ .Values.nginx.resources.controller.memory }}
|
||||
requests:
|
||||
cpu: {{ .Values.nginx.resources.controller.cpu }}
|
||||
memory: {{ .Values.nginx.resources.controller.memory }}
|
||||
|
||||
ingressClassResource:
|
||||
default: true
|
||||
|
||||
tolerations:
|
||||
- key: unschedulable
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: kubernetes.io/hostname
|
||||
operator: In
|
||||
values: {{ .Values.cluster_config.ingress_nodes }}
|
||||
|
||||
podAntiAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
- labelSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/instance
|
||||
operator: In
|
||||
values:
|
||||
- ingress-nginx
|
||||
- key: app.kubernetes.io/component
|
||||
operator: In
|
||||
values:
|
||||
- controller
|
||||
topologyKey: "kubernetes.io/hostname"
|
||||
|
||||
podAnnotations:
|
||||
config.linkerd.io/skip-inbound-ports: 80,443
|
||||
|
||||
replicaCount: {{ .Values.cluster_config.ingress_replica_count }}
|
||||
|
||||
minAvailable: {{ .Values.nginx.pdb.minAvailable }}
|
||||
|
||||
service:
|
||||
externalTrafficPolicy: Local
|
||||
# type: ClusterIP
|
||||
type: NodePort
|
||||
# nodePorts:
|
||||
# http: 32080
|
||||
# https: 32443
|
||||
# tcp:
|
||||
# 8080: 32808
|
||||
nodePorts:
|
||||
http: 30080
|
||||
https: 30443
|
||||
tcp: {}
|
||||
udp: {}
|
||||
|
||||
metrics:
|
||||
enabled: true
|
||||
|
||||
service:
|
||||
annotations:
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/port: "10254"
|
||||
|
||||
servicePort: 9913
|
||||
type: ClusterIP
|
||||
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
|
||||
## Default 404 backend
|
||||
##
|
||||
defaultBackend:
|
||||
enabled: true
|
||||
|
||||
tolerations:
|
||||
- key: unschedulable
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.nginx.autosync}}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
{{- end }}
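Review bot: `values: {{ .Values.cluster_config.ingress_nodes }}` under the hostname nodeAffinity term renders a Go slice as `[node-a node-b]` if that value is a list, which YAML reads as one flow-sequence element rather than one hostname per entry; use `toYaml .Values.cluster_config.ingress_nodes | nindent <indent-of-values-block>` with the indent matching the surrounding block (if the value is already a YAML-formatted string the current form works — confirm against values.yaml). `admissionWebhooks.enabled: false` turns off the controller's Ingress validation webhook, so invalid Ingress objects are accepted by the API server and only surface as controller errors at reload time; a one-line comment giving the reason, e.g. `# admission webhook disabled: <reason>`, would help the next reader. The `{{- if .Values.nginx.autosync}}` line is missing the space before `}}` that the sibling Applications use; harmless, but worth aligning.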
|
||||
@@ -0,0 +1,36 @@
|
||||
{{ if .Values.jaeger_operator.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: jaeger-operator
|
||||
namespace: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: observability
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/jaeger-operator
|
||||
targetRevision: HEAD
|
||||
- repoURL: "https://github.com/jaegertracing/jaeger-operator"
|
||||
targetRevision: v{{ .Values.jaeger_operator.version }}
|
||||
path: bundle/manifests
|
||||
directory:
|
||||
# Exclude jaeger-operator clusterserviceversion, as we don't have operator lifecycle manager installed
|
||||
exclude: jaeger-operator.clusterserviceversion.yaml
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.jaeger_operator.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
@@ -0,0 +1,30 @@
|
||||
{{ if .Values.kubernetes_dashboard.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: kubernetes-dashboard
|
||||
namespace: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: kubernetes-dashboard
|
||||
server: 'https://kubernetes.default.svc'
|
||||
source:
|
||||
path: aio/deploy/recommended
|
||||
repoURL: https://github.com/kubernetes/dashboard
|
||||
targetRevision: {{ .Values.kubernetes_dashboard.version }}
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.kubernetes_dashboard.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{ end }}
|
||||
{{ end }}
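Review bot: The source points at `aio/deploy/recommended` in the upstream dashboard repository; those raw manifests were dropped when the project moved to a Helm-only distribution (3.x), so this Application only renders anything while `kubernetes_dashboard.version` pins a 2.x tag — worth a comment next to `targetRevision`, e.g. `# aio/deploy/recommended exists only for 2.x tags; 3.x is Helm-only`. The inner `{{ end }}` closing the autosync condition is written without the `-` trim that the other Applications use (`{{- end }}`), leaving a blank line inside `syncPolicy`; harmless but inconsistent.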
|
||||
@@ -0,0 +1,84 @@
|
||||
{{ if .Values.kyverno.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: kyverno
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: kyverno
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/kyverno
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://kyverno.github.io/kyverno/'
|
||||
targetRevision: {{ .Values.kyverno.version }}
|
||||
chart: kyverno
|
||||
helm:
|
||||
values: |
|
||||
replicaCount: 3
|
||||
{{ if .Values.kyverno.metrics }}
|
||||
admissionController:
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
metricsService:
|
||||
create: true
|
||||
backgroundController:
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
metricsService:
|
||||
create: true
|
||||
cleanupController:
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
metricsService:
|
||||
create: true
|
||||
reportsController:
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
metricsService:
|
||||
create: true
|
||||
{{ end }}
|
||||
cleanupController:
|
||||
resources:
|
||||
limits:
|
||||
memory: {{ .Values.kyverno.resources.cleanupController.memory }}
|
||||
requests:
|
||||
memory: {{ .Values.kyverno.resources.cleanupController.memory }}
|
||||
reportsController:
|
||||
resources:
|
||||
limits:
|
||||
memory: {{ .Values.kyverno.resources.reportsController.memory }}
|
||||
requests:
|
||||
memory: {{ .Values.kyverno.resources.reportsController.memory }}
|
||||
backgroundController:
|
||||
resources:
|
||||
limits:
|
||||
memory: {{ .Values.kyverno.resources.backgroundController.memory }}
|
||||
requests:
|
||||
memory: {{ .Values.kyverno.resources.backgroundController.memory }}
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
- ServerSideApply=true
|
||||
{{- if .Values.kyverno.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
ignoreDifferences:
|
||||
- group: batch
|
||||
kind: CronJob
|
||||
jqPathExpressions:
|
||||
- '.spec.jobTemplate.spec.template.spec.containers[]?.resources'
|
||||
{{ end }}
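Review bot: When `kyverno.metrics` is set, the rendered values contain the top-level keys `cleanupController`, `backgroundController` and `reportsController` twice — once inside the metrics block with `serviceMonitor`/`metricsService`, and again below with `resources` — and a YAML mapping cannot repeat keys, so the loader either rejects the document or keeps only the second mapping and the ServiceMonitor settings are silently lost. Merge each controller's metrics settings into its single block with the conditional inside it, as sketched below; `admissionController` has no `resources` block so it can stay as is. `replicaCount: 3` at the top level is not how current chart versions set replicas (they are per controller, e.g. `admissionController.replicas`); confirm it is still honoured by the pinned `kyverno.version` or move it.
```yaml
cleanupController:
  {{- if .Values.kyverno.metrics }}
  serviceMonitor:
    enabled: true
  metricsService:
    create: true
  {{- end }}
  resources:
    # … unchanged: limits/requests memory from .Values.kyverno.resources.cleanupController …
# … same merge for backgroundController and reportsController …
```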
|
||||
@@ -0,0 +1,35 @@
|
||||
{{ if .Values.linkerd.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: linkerd-crds
|
||||
namespace: argocd
|
||||
#finalizers:
|
||||
#- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
ignoreDifferences:
|
||||
- group: apiextensions.k8s.io
|
||||
kind: CustomResourceDefinition
|
||||
jsonPointers:
|
||||
- /spec/names/shortNames
|
||||
destination:
|
||||
namespace: linkerd
|
||||
server: 'https://kubernetes.default.svc'
|
||||
source:
|
||||
repoURL: 'https://helm.linkerd.io/stable'
|
||||
targetRevision: {{ .Values.linkerd.crds.version }}
|
||||
chart: linkerd-crds
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.linkerd.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
@@ -0,0 +1,35 @@
|
||||
{{ if .Values.linkerd.multicluster.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: linkerd-multicluster
|
||||
namespace: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
annotations:
|
||||
# Should sync after linkerd (which is wave 0)
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
spec:
|
||||
destination:
|
||||
namespace: linkerd-multicluster
|
||||
server: 'https://kubernetes.default.svc'
|
||||
source:
|
||||
repoURL: 'https://helm.linkerd.io/stable'
|
||||
targetRevision: {{ .Values.linkerd.multicluster.version }}
|
||||
chart: linkerd-multicluster
|
||||
helm:
|
||||
values: |
|
||||
gateway:
|
||||
serviceType: "NodePort"
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{ end }}
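Review bot: The `automated:` block with `prune: true` is unconditional here, whereas every other Application in this commit (including `linkerd-crds` and `linkerd`) gates it on an autosync value, so drift in a multicluster resource is pruned without operator review; wrap it as `{{- if .Values.linkerd.multicluster.autosync }}` … `{{- end }}` to match the siblings. `gateway.serviceType: "NodePort"` exposes the multicluster gateway on every node's IP; a comment stating that this is intended, and what restricts access to that port, would help the next reader. The `# Should sync after linkerd (which is wave 0)` comment disagrees with the `linkerd` Application, which sets `sync-wave: "5"`; with wave `"1"` this Application syncs before the control plane, so either the wave or the comment needs updating.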
|
||||
@@ -0,0 +1,100 @@
|
||||
{{ if .Values.linkerd.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: linkerd
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "5"
|
||||
#finalizers:
|
||||
#- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: linkerd
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/linkerd
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://helm.linkerd.io/stable'
|
||||
targetRevision: {{ .Values.linkerd.version }}
|
||||
chart: linkerd-control-plane
|
||||
helm:
|
||||
values: |
|
||||
identityTrustAnchorsPEM: {{- .Values.linkerd.trustAnchorPEM | toYaml | indent 7 }}
|
||||
identity:
|
||||
issuer:
|
||||
scheme: {{ .Values.linkerd.secretScheme }}
|
||||
{{- if .Values.linkerd.identityIssuerPEM }}
|
||||
tls:
|
||||
crtPEM: {{- .Values.linkerd.identityIssuerPEM | toYaml | indent 14 }}
|
||||
{{- end }}
|
||||
policyValidator:
|
||||
externalSecret: true
|
||||
caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
|
||||
proxyInjector:
|
||||
externalSecret: true
|
||||
caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
|
||||
profileValidator:
|
||||
externalSecret: true
|
||||
caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
|
||||
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.linkerd.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
ignoreDifferences:
|
||||
- group: batch
|
||||
kind: CronJob
|
||||
jsonPointers:
|
||||
- /spec/schedule
|
||||
- kind: Secret
|
||||
name: linkerd-proxy-injector-k8s-tls
|
||||
jsonPointers:
|
||||
- /data/tls.crt
|
||||
- /data/tls.key
|
||||
- kind: Secret
|
||||
name: linkerd-sp-validator-k8s-tls
|
||||
jsonPointers:
|
||||
- /data/tls.crt
|
||||
- /data/tls.key
|
||||
- kind: Secret
|
||||
name: linkerd-tap-k8s-tls
|
||||
jsonPointers:
|
||||
- /data/tls.crt
|
||||
- /data/tls.key
|
||||
- kind: Secret
|
||||
name: linkerd-policy-validator-k8s-tls
|
||||
jsonPointers:
|
||||
- /data/tls.crt
|
||||
- /data/tls.key
|
||||
- group: admissionregistration.k8s.io
|
||||
kind: MutatingWebhookConfiguration
|
||||
name: linkerd-proxy-injector-webhook-config
|
||||
jqPathExpressions:
|
||||
- '.webhooks[0].clientConfig.caBundle'
|
||||
- group: admissionregistration.k8s.io
|
||||
kind: ValidatingWebhookConfiguration
|
||||
name: linkerd-sp-validator-webhook-config
|
||||
jqPathExpressions:
|
||||
- '.webhooks[0].clientConfig.caBundle'
|
||||
- group: admissionregistration.k8s.io
|
||||
kind: ValidatingWebhookConfiguration
|
||||
name: linkerd-policy-validator-webhook-config
|
||||
jqPathExpressions:
|
||||
- '.webhooks[0].clientConfig.caBundle'
|
||||
- group: apiregistration.k8s.io/v1
|
||||
kind: APIService
|
||||
name: v1alpha1.tap.linkerd.io
|
||||
jsonPointers:
|
||||
- /spec/caBundle
|
||||
{{ end }}
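Review bot: The last `ignoreDifferences` entry uses `group: apiregistration.k8s.io/v1`; the group is `apiregistration.k8s.io` and the version does not belong in this field, so the entry never matches the `v1alpha1.tap.linkerd.io` APIService and its `/spec/caBundle` keeps showing as drift — change it to `- group: apiregistration.k8s.io`. The Secret entries omit `group`, which is fine for core-group kinds. The ignored `tls.crt`/`tls.key` and `caBundle` fields are presumably rotated outside Argo (the `externalSecret: true` settings above suggest an external issuer); a one-line comment above `ignoreDifferences` saying so would save the next reader from re-deriving it.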
|
||||
@@ -0,0 +1,145 @@
|
||||
{{ if .Values.loki.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: loki
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: loki
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/loki
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://grafana.github.io/helm-charts'
|
||||
targetRevision: {{ .Values.loki.version }}
|
||||
chart: loki
|
||||
helm:
|
||||
values: |
|
||||
loki:
|
||||
auth_enabled: false
|
||||
storage:
|
||||
bucketNames:
|
||||
chunks: {{ .Values.loki.buckets.chunks }}
|
||||
ruler: {{ .Values.loki.buckets.ruler }}
|
||||
admin: {{ .Values.loki.buckets.admin }}
|
||||
s3:
|
||||
endpoint: {{ .Values.loki.s3.endpoint | default "https://s3.production.itpartner.no" }}
|
||||
region: {{ .Values.loki.s3.region | default "us-east-1" }}
|
||||
secretAccessKey: ${S3SECRET}
|
||||
accessKeyId: ${S3KEY}
|
||||
s3ForcePathStyle: true
|
||||
{{- if .Values.loki.s3.insecure_skip_verify }}
|
||||
http_config:
|
||||
insecure_skip_verify: true
|
||||
{{- end }}
|
||||
schemaConfig:
|
||||
configs:
|
||||
- from: "2022-09-28"
|
||||
index:
|
||||
period: 24h
|
||||
prefix: loki_index_
|
||||
object_store: s3
|
||||
schema: v13
|
||||
store: tsdb
|
||||
{{- if .Values.loki.compactor }}
|
||||
compactor:
|
||||
compaction_interval: 10m
|
||||
working_directory: /tmp/loki/compactor
|
||||
retention_enabled: true
|
||||
retention_delete_delay: 2h
|
||||
retention_delete_worker_count: 150
|
||||
delete_request_store: s3
|
||||
{{- end }}
|
||||
write:
|
||||
extraArgs:
|
||||
- -config.expand-env=true
|
||||
extraEnv:
|
||||
- name: S3KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.loki.secret.name | default "nutanix-s3"}}
|
||||
key: {{ .Values.loki.secret.access_key | default "access_key" }}
|
||||
- name: S3SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.loki.secret.name | default "nutanix-s3"}}
|
||||
key: {{ .Values.loki.secret.access_key | default "access_secret" }}
|
||||
tolerations:
|
||||
- effect: "NoSchedule"
|
||||
operator: "Equal"
|
||||
key: "unschedulable"
|
||||
value: "true"
|
||||
read:
|
||||
extraArgs:
|
||||
- -config.expand-env=true
|
||||
extraEnv:
|
||||
- name: S3KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.loki.secret.name | default "nutanix-s3"}}
|
||||
key: {{ .Values.loki.secret.access_key | default "access_key" }}
|
||||
- name: S3SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.loki.secret.name | default "nutanix-s3"}}
|
||||
key: {{ .Values.loki.secret.access_key | default "access_secret" }}
|
||||
tolerations:
|
||||
- effect: "NoSchedule"
|
||||
operator: "Equal"
|
||||
key: "unschedulable"
|
||||
value: "true"
|
||||
{{- if .Values.loki.compactor }}
|
||||
compactor:
|
||||
extraArgs:
|
||||
- -config.expand-env=true
|
||||
extraEnv:
|
||||
- name: S3KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.loki.secret.name | default "nutanix-s3"}}
|
||||
key: {{ .Values.loki.secret.access_key | default "access_key" }}
|
||||
- name: S3SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.loki.secret.name | default "nutanix-s3"}}
|
||||
key: {{ .Values.loki.secret.access_key | default "access_secret" }}
|
||||
{{- end }}
|
||||
backend:
|
||||
extraArgs:
|
||||
- -config.expand-env=true
|
||||
extraEnv:
|
||||
- name: S3KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.loki.secret.name | default "nutanix-s3"}}
|
||||
key: {{ .Values.loki.secret.access_key | default "access_key" }}
|
||||
- name: S3SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.loki.secret.name | default "nutanix-s3"}}
|
||||
key: {{ .Values.loki.secret.access_key | default "access_secret" }}
|
||||
project: sys
|
||||
ignoreDifferences:
|
||||
- group: apps
|
||||
kind: StatefulSet
|
||||
jsonPointers:
|
||||
- /spec/persistentVolumeClaimRetentionPolicy
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.loki.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
{{ end }}
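Review bot: Every `S3SECRET` entry (`write`, `read`, `compactor` and `backend`) reads its Secret key from `.Values.loki.secret.access_key | default "access_secret"`, the same value the `S3KEY` entry uses; the differing defaults hide it, but as soon as `loki.secret.access_key` is set both environment variables resolve to the access key and Loki authenticates with the wrong credential. Use a separate value for the secret key, e.g. `key: {{ .Values.loki.secret.secret_key | default "access_secret" }}` (a new values entry, name to be chosen). `auth_enabled: false` makes the deployment single-tenant with no authentication on the push path, which is what the otel Application's `otlphttp/logs` exporter relies on; a comment at `auth_enabled` stating that the endpoints are expected to be reachable only from inside the cluster would document that assumption.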
|
||||
@@ -0,0 +1,46 @@
|
||||
{{- if .Values.mariadb_operator.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: mariadb-operator
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "-1"
|
||||
spec:
|
||||
destination:
|
||||
namespace: mariadb-operator
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/mariadb-operator
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://helm.mariadb.com/mariadb-operator'
|
||||
targetRevision: {{ .Values.mariadb_operator.version }}
|
||||
chart: mariadb-operator
|
||||
helm:
|
||||
values: |
|
||||
ha:
|
||||
enabled: false
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
additionalLabels:
|
||||
release: prometheus
|
||||
enabled: true
|
||||
webhook:
|
||||
certificate:
|
||||
certManager: false
|
||||
serviceMonitor:
|
||||
additionalLabels:
|
||||
release: prometehus
|
||||
project: sys
|
||||
syncPolicy:
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ServerSideApply=true
|
||||
{{- if .Values.mariadb_operator.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
{{- end }}
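Review bot: The webhook ServiceMonitor label reads `release: prometehus` while the operator ServiceMonitor a few lines above uses `release: prometheus`; if Prometheus selects ServiceMonitors by that label, as the first block implies, the webhook monitor is never scraped. Fix the typo: `release: prometheus`. `webhook.certificate.certManager: false` leaves the webhook serving certificate to be provided some other way; a comment saying how it is issued would help the next reader.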
|
||||
@@ -0,0 +1,39 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: metrics-server
|
||||
namespace: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: kube-system
|
||||
server: 'https://kubernetes.default.svc'
|
||||
source:
|
||||
repoURL: 'https://kubernetes-sigs.github.io/metrics-server/'
|
||||
targetRevision: {{ .Values.metrics_server.version }}
|
||||
chart: metrics-server
|
||||
helm:
|
||||
values: |
|
||||
containerPort: 10250
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 200Mi
|
||||
{{- if .Values.metrics_server.ignoreTLS }}
|
||||
args:
|
||||
- "--kubelet-insecure-tls"
|
||||
{{- end }}
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.metrics_server.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
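Review bot: `--kubelet-insecure-tls` (added when `metrics_server.ignoreTLS` is set) makes metrics-server skip verification of the kubelets' serving certificates, so it would also accept metrics from anything impersonating a kubelet; the flag is a workaround for clusters whose kubelets lack CA-signed serving certificates, not a general setting. Document that at the toggle, e.g. `# ignoreTLS: skips kubelet serving-cert verification; only for clusters without CA-signed kubelet certs`. Unlike the sibling Applications this one has no `{{ if .Values.metrics_server.enabled }}` guard, which is fine if metrics-server is always wanted but worth a comment.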
|
||||
@@ -0,0 +1,46 @@
|
||||
{{- if .Values.nfs_provisioner.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: nfs-provisioner
|
||||
namespace: argocd
|
||||
spec:
|
||||
destination:
|
||||
namespace: kube-system
|
||||
server: 'https://kubernetes.default.svc'
|
||||
source:
|
||||
#- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
# path: {{ .Values.cluster_config.policies }}/nfs-provisioner
|
||||
# targetRevision: HEAD
|
||||
repoURL: 'https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/'
|
||||
targetRevision: {{ .Values.nfs_provisioner.version }}
|
||||
chart: nfs-subdir-external-provisioner
|
||||
helm:
|
||||
values: |
|
||||
nfs:
|
||||
server: {{ .Values.cluster_config.fileserver }}
|
||||
path: /{{ default (.Values.cluster_config.cluster) .Values.nfs_provisioner.path }}
|
||||
mountOptions:
|
||||
- nfsvers=4.2
|
||||
{{- range .Values.nfs_provisioner.extraMountOpts }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
storageClass:
|
||||
defaultClass: {{ .Values.nfs_provisioner.defaultClass}}
|
||||
name: managed-nfs-storage
|
||||
archiveOnDelete: {{ .Values.nfs_provisioner.archiveOnDelete }}
|
||||
tolerations:
|
||||
- key: unschedulable
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
project: sys
|
||||
syncPolicy:
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.nfs_provisioner.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
{{- end }}
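Review bot: The three commented-out `#- repoURL: {{ .Values.cluster_config.manifests }}` lines under `source:` still contain template actions, and Helm evaluates actions inside YAML comments, so a missing value renders as `<no value>` there and a typo fails the whole render. Use template comments, `{{- /* … */}}`, for dead template code or delete the lines; the same applies to the commented `sources` entry in the oncall Application. Note that `source:` is the single-source form here, so reviving those lines means switching to `sources:` as the other Applications do.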
|
||||
@@ -0,0 +1,104 @@
|
||||
{{ if .Values.oncall.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: oncall
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: prometheus
|
||||
server: 'https://kubernetes.default.svc'
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{ if .Values.oncall.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{ end }}
|
||||
sources:
|
||||
# - repoURL: {{ .Values.cluster_config.manifests }}
|
||||
# path: {{ .Values.cluster_config.policies }}/oncall
|
||||
# targetRevision: HEAD
|
||||
- repoURL: 'https://grafana.github.io/helm-charts'
|
||||
targetRevision: '{{ .Values.oncall.version }}'
|
||||
chart: oncall
|
||||
helm:
|
||||
values: |
|
||||
base_url: oncall.{{ .Values.cluster_config.domain }}
|
||||
base_url_protocol: https
|
||||
image:
|
||||
repository: grafana/oncall
|
||||
pullPolicy: IfNotPresent
|
||||
ingress-nginx:
|
||||
enabled: false
|
||||
cert-manager:
|
||||
enabled: false
|
||||
installCRDs: false
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: nginx
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
{{- with .Values.cluster_config.ingress_whitelist_ips }}
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
|
||||
{{- end }}
|
||||
path: /
|
||||
pathType: Prefix
|
||||
hosts:
|
||||
- oncall.{{ .Values.cluster_config.domain }}
|
||||
tls:
|
||||
- secretName: oncall-tls
|
||||
hosts:
|
||||
- oncall.{{ .Values.cluster_config.domain }}
|
||||
|
||||
{{- if .Values.oncall.slack }}
|
||||
oncall:
|
||||
slack:
|
||||
enabled: true
|
||||
clientId: {{ .Values.oncall.slack.clientId }}
|
||||
clientSecret: {{ .Values.oncall.slack.clientSecret }}
|
||||
signingSecret: {{ .Values.oncall.slack.signingSecret }}
|
||||
redirectHost: https://oncall.{{ .Values.cluster_config.domain }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.oncall.smtp }}
|
||||
oncall:
|
||||
smtp:
|
||||
enabled: true
|
||||
host: {{ .Values.oncall.smtp.host }}
|
||||
port: {{ .Values.oncall.smtp.port }}
|
||||
username: {{ .Values.oncall.smtp.username }}
|
||||
password: {{ .Values.oncall.smtp.password }}
|
||||
tls: {{ .Values.oncall.smtp.tls }}
|
||||
fromEmail: {{ .Values.oncall.smtp.fromEmail }}
|
||||
{{- end }}
|
||||
database:
|
||||
type: postgresql
|
||||
postgresql:
|
||||
enabled: true
|
||||
auth:
|
||||
database: oncall
|
||||
mariadb:
|
||||
enabled: false
|
||||
redis:
|
||||
enabled: true
|
||||
broker:
|
||||
type: rabbitmq
|
||||
rabbitmq:
|
||||
enabled: true
|
||||
grafana:
|
||||
enabled: false
|
||||
externalGrafana:
|
||||
url: {{ .Values.oncall.externalGrafana.url }}
|
||||
{{- end }}
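Review bot: When both `oncall.slack` and `oncall.smtp` are set, the values block contains the top-level key `oncall:` twice and a YAML mapping cannot repeat keys, so the loader either rejects the document or keeps only the `smtp` mapping and the Slack configuration silently disappears; merge them under a single `oncall:` key as sketched below. The Slack `clientSecret`/`signingSecret` and SMTP `password` are rendered in plaintext into the Application manifest in the argocd namespace and into every Argo diff; if the pinned chart version supports referencing an existing Secret for these, prefer that, otherwise keep the values file that carries them out of version control. The templated annotation values such as `cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}` are unquoted; wrapping them in quotes keeps them strings whatever the value looks like.
```yaml
{{- if or .Values.oncall.slack .Values.oncall.smtp }}
oncall:
  {{- if .Values.oncall.slack }}
  slack:
    # … unchanged: enabled, clientId, clientSecret, signingSecret, redirectHost …
  {{- end }}
  {{- if .Values.oncall.smtp }}
  smtp:
    # … unchanged: enabled, host, port, username, password, tls, fromEmail …
  {{- end }}
{{- end }}
```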
|
||||
@@ -0,0 +1,117 @@
|
||||
{{ if .Values.otel.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: opentelemetry-collector
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: otel
|
||||
server: 'https://kubernetes.default.svc'
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.otel.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: true
|
||||
{{- end }}
|
||||
sources:
|
||||
- repoURL: '{{ .Values.cluster_config.manifests }}'
|
||||
path: {{ .Values.cluster_config.policies }}/otel
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://open-telemetry.github.io/opentelemetry-helm-charts'
|
||||
targetRevision: {{ .Values.otel.version }}
|
||||
chart: opentelemetry-collector
|
||||
helm:
|
||||
values: |
|
||||
mode: deployment
|
||||
image:
|
||||
repository: otel/opentelemetry-collector-k8s
|
||||
config:
|
||||
receivers:
|
||||
prometheus/collector:
|
||||
config:
|
||||
scrape_configs:
|
||||
- job_name: 'opentelemetry-collector'
|
||||
static_configs:
|
||||
- targets:
|
||||
- ${env:MY_POD_IP}:8888
|
||||
zipkin:
|
||||
endpoint: ${env:MY_POD_IP}:9411
|
||||
exporters:
|
||||
otlp:
|
||||
endpoint: "tempo.tempo.svc:4317"
|
||||
tls:
|
||||
insecure: true
|
||||
##
|
||||
otlphttp/metrics:
|
||||
endpoint: http://prom-prometheus.prometheus:9090/api/v1/otlp
|
||||
tls:
|
||||
insecure: true
|
||||
otlphttp/logs:
|
||||
endpoint: http://loki-write-headless.loki:3100/otlp
|
||||
tls:
|
||||
insecure: true
|
||||
## Detailed? make toggleable with values
|
||||
debug/metrics:
|
||||
verbosity: detailed
|
||||
debug/traces:
|
||||
verbosity: detailed
|
||||
debug/logs:
|
||||
verbosity: detailed
|
||||
service:
|
||||
telemetry:
|
||||
logs:
|
||||
level: "info"
|
||||
pipelines:
|
||||
traces:
|
||||
receivers: [otlp,zipkin]
|
||||
processors: [batch]
|
||||
exporters: [otlp]
|
||||
# exporters: [otlphttp/traces,debug/traces]
|
||||
metrics:
|
||||
receivers: [otlp,prometheus/collector]
|
||||
processors: [batch]
|
||||
exporters: [otlphttp/metrics]
|
||||
# exporters: [otlphttp/metrics,debug/metrics]
|
||||
logs:
|
||||
receivers: [otlp]
|
||||
processors: [batch]
|
||||
exporters: [otlphttp/logs]
|
||||
# exporters: [otlphttp/logs,debug/logs]
|
||||
ports:
|
||||
metrics:
|
||||
enabled: true
|
||||
# presets:
|
||||
# logsCollection:
|
||||
# enabled: true
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: nginx
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
{{- with .Values.cluster_config.ingress_whitelist_ips }}
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
|
||||
{{- end }}
|
||||
hosts:
|
||||
- host: opentelemetry-collector.{{ .Values.cluster_config.domain }}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
port: 4318
|
||||
tls:
|
||||
- secretName: collector-tls
|
||||
hosts:
|
||||
- opentelemetry-collector.{{ .Values.cluster_config.domain }}
|
||||
{{ end }}
|
||||
@@ -0,0 +1,39 @@
|
||||
{{ if .Values.postgres_operator.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: postgres-operator
|
||||
namespace: argocd
|
||||
spec:
|
||||
destination:
|
||||
namespace: cnpg
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/cnpg
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://cloudnative-pg.github.io/charts'
|
||||
targetRevision: {{ .Values.postgres_operator.version }}
|
||||
chart: cloudnative-pg
|
||||
helm:
|
||||
values: |
|
||||
additionalArgs: []
|
||||
config:
|
||||
data:
|
||||
INHERITED_ANNOTATIONS: "linkerd.io/*"
|
||||
INHERITED_LABELS: "velero.io/*"
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
- ServerSideApply=true
|
||||
{{- if .Values.postgres_operator.version }}
|
||||
automated:
|
||||
# selfHeal: false
|
||||
prune: true
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
@@ -0,0 +1,342 @@
|
||||
{{ if .Values.thanos.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: thanos
|
||||
namespace: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: thanos
|
||||
server: 'https://kubernetes.default.svc'
|
||||
source:
|
||||
repoURL: 'https://charts.bitnami.com/bitnami'
|
||||
targetRevision: {{ .Values.thanos.version }}
|
||||
chart: thanos
|
||||
helm:
|
||||
values: |
|
||||
## Handled by sealed secret now, and uses minio root user
|
||||
#objstoreConfig: |-
|
||||
# type: s3
|
||||
# config:
|
||||
# bucket: thanos
|
||||
# endpoint: thanos-minio.thanos.svc.cluster.local:9000
|
||||
# access_key: "thanos"
|
||||
# secret_key: "en to tre fire"
|
||||
# insecure: true
|
||||
|
||||
## @param indexCacheConfig The [index cache configuration](https://thanos.io/components/store.md/)
|
||||
## Specify content for index-cache.yml
|
||||
indexCacheConfig: ""
|
||||
## @param bucketCacheConfig The [bucket cache configuration](https://thanos.io/components/store.md/)
|
||||
## Specify content for bucket-cache.yml
|
||||
##
|
||||
bucketCacheConfig: ""
|
||||
## @param existingObjstoreSecret Secret with Objstore Configuration
|
||||
## Note: This will override objstoreConfig
|
||||
##
|
||||
existingObjstoreSecret: "thanos-objstore-secret"
|
||||
existingObjstoreSecretItems: []
|
||||
existingServiceAccount: ""
|
||||
|
||||
query:
|
||||
enabled: true
|
||||
stores:
|
||||
- {{ .Values.prometheus.fullname | default "prometheus-kube-prometheus" }}-prometheus.prometheus.svc:10901
|
||||
- thanos-envoy:10000
|
||||
- thanos-envoy:10002
|
||||
- thanos-envoy:11000
|
||||
ingress:
|
||||
enabled: true
|
||||
certManager: false
|
||||
hostname: thanos.{{ .Values.cluster_config.domain }}
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/backend-protocol: HTTP
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 1024m
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
|
||||
## extraHosts:
|
||||
## - name: thanos.local
|
||||
## path: /
|
||||
## pathType: ImplementationSpecific
|
||||
##
|
||||
extraHosts: []
|
||||
extraTls:
|
||||
- hosts:
|
||||
- thanos.{{ .Values.cluster_config.domain }}
|
||||
secretName: thanos-tls
|
||||
|
||||
## @section Thanos Query Frontend parameters
|
||||
|
||||
queryFrontend:
|
||||
enabled: true
|
||||
ingress:
|
||||
enabled: true
|
||||
certManager: false
|
||||
hostname: thanos-query.{{ .Values.cluster_config.domain }}
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/backend-protocol: HTTP
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 1024m
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
|
||||
## extraHosts:
|
||||
## - name: thanos.local
|
||||
## path: /
|
||||
## pathType: ImplementationSpecific
|
||||
##
|
||||
extraHosts: []
|
||||
extraTls:
|
||||
- hosts:
|
||||
- thanos-query.{{ .Values.cluster_config.domain }}
|
||||
secretName: thanos-query-tls
|
||||
|
||||
## @section Thanos Bucket Web parameters
|
||||
|
||||
bucketweb:
|
||||
enabled: true
|
||||
ingress:
|
||||
enabled: true
|
||||
certManager: false
|
||||
hostname: thanos-bucketweb.{{ .Values.cluster_config.domain }}
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/backend-protocol: HTTP
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 1024m
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
|
||||
## extraHosts:
|
||||
## - name: thanos-bucketweb.local
|
||||
## path: /
|
||||
## pathType: ImplementationSpecific
|
||||
##
|
||||
extraHosts: []
|
||||
extraTls:
|
||||
- hosts:
|
||||
- thanos-bucketweb.{{ .Values.cluster_config.domain }}
|
||||
secretName: thanos-bucketweb-tls
|
||||
|
||||
## @section Thanos Compactor parameters
|
||||
|
||||
compactor:
|
||||
enabled: true
|
||||
ingress:
|
||||
enabled: true
|
||||
certManager: false
|
||||
hostname: thanos-compactor.{{ .Values.cluster_config.domain }}
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/backend-protocol: HTTP
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 1024m
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
|
||||
## extraHosts:
|
||||
## - name: thanos.local
|
||||
## path: /
|
||||
## pathType: ImplementationSpecific
|
||||
##
|
||||
extraHosts: []
|
||||
extraTls:
|
||||
- hosts:
|
||||
- thanos-compactor.{{ .Values.cluster_config.domain }}
|
||||
secretName: thanos-compactor-tls
|
||||
persistence:
|
||||
enabled: true
|
||||
storageClass: "local-storage"
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
size: 8Gi
|
||||
|
||||
## @section Thanos Store Gateway parameters
|
||||
|
||||
storegateway:
|
||||
enabled: true
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
certManager: false
|
||||
hostname: thanos-storage.{{ .Values.cluster_config.domain }}
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/backend-protocol: HTTP
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 1024m
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
|
||||
## extraHosts:
|
||||
## - name: thanos.local
|
||||
## path: /
|
||||
## pathType: ImplementationSpecific
|
||||
##
|
||||
extraHosts: []
|
||||
extraTls:
|
||||
- hosts:
|
||||
- thanos-storage.{{ .Values.cluster_config.domain }}
|
||||
secretName: thanos-storage-tls
|
||||
persistence:
|
||||
enabled: true
|
||||
storageClass: "local-storage"
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
size: 8Gi
|
||||
|
||||
## @section Thanos Ruler parameters
|
||||
|
||||
ruler:
|
||||
enabled: true
|
||||
alertmanagers:
|
||||
- https://alertmanager.k1.itpartner.no
|
||||
- https://alertmanager.k2.itpartner.no
|
||||
- https://alertmanager.k0.itpartner.no
|
||||
config: |-
|
||||
groups:
|
||||
- name: "metamonitoring"
|
||||
rules:
|
||||
- alert: "PrometheusDown"
|
||||
expr: absent(up{container="prometheus",job="prometheus-kube-prometheus-prometheus",namespace="prometheus"})
|
||||
global:
|
||||
resolve_timeout: 5m
|
||||
route:
|
||||
receiver: pagerduty
|
||||
group_by:
|
||||
- alertname
|
||||
routes:
|
||||
- receiver: snitch
|
||||
match:
|
||||
alertname: Watchdog
|
||||
group_wait: 0s
|
||||
group_interval: 1m
|
||||
repeat_interval: 50s
|
||||
group_wait: 60s
|
||||
group_interval: 15m
|
||||
repeat_interval: 24h
|
||||
receivers:
|
||||
- name: pagerduty
|
||||
pagerduty_configs:
|
||||
- routing_key: e67f3a24f11c450ad060128f20ffa5d1
|
||||
url: https://events.pagerduty.com/v2/enqueue
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
certManager: false
|
||||
hostname: thanos-ruler.{{ .Values.cluster_config.domain }}
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/backend-protocol: HTTP
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 1024m
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
|
||||
## extraHosts:
|
||||
## - name: thanos.local
|
||||
## path: /
|
||||
## pathType: ImplementationSpecific
|
||||
##
|
||||
extraHosts: []
|
||||
extraTls:
|
||||
- hosts:
|
||||
- thanos-ruler.{{ .Values.cluster_config.domain }}
|
||||
secretName: thanos-ruler-tls
|
||||
persistence:
|
||||
enabled: true
|
||||
storageClass: "local-storage"
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
size: 8Gi
|
||||
|
||||
## @section Thanos Receive parameters
|
||||
|
||||
receive:
|
||||
enabled: false
|
||||
mode: standalone
|
||||
replicationFactor: 1
|
||||
replicaLabel: replica
|
||||
tsdbRetention: 15d
|
||||
config:
|
||||
- endpoints:
|
||||
- "127.0.0.1:10901"
|
||||
ingress:
|
||||
enabled: true
|
||||
certManager: false
|
||||
hostname: thanos-receive.{{ .Values.cluster_config.domain }}
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/backend-protocol: HTTP
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 1024m
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
|
||||
## extraHosts:
|
||||
## - name: thanos.local
|
||||
## path: /
|
||||
## pathType: ImplementationSpecific
|
||||
##
|
||||
extraHosts: []
|
||||
extraTls:
|
||||
- hosts:
|
||||
- thanos-receive.{{ .Values.cluster_config.domain }}
|
||||
secretName: thanos-receive-tls
|
||||
persistence:
|
||||
enabled: true
|
||||
storageClass: "local-storage"
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
size: 8Gi
|
||||
|
||||
## @section Metrics parameters
|
||||
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
|
||||
## @section MinIO® chart parameters
|
||||
|
||||
minio:
|
||||
enabled: true
|
||||
accessKey:
|
||||
password: "thanos"
|
||||
secretKey:
|
||||
password: "en to tre fire"
|
||||
defaultBuckets: thanos
|
||||
ingress:
|
||||
enabled: true
|
||||
certManager: false
|
||||
hostname: thanos-minio.{{ .Values.cluster_config.domain }}
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/backend-protocol: HTTP
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 1024m
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
|
||||
## extraHosts:
|
||||
## - name: thanos.local
|
||||
## path: /
|
||||
## pathType: ImplementationSpecific
|
||||
##
|
||||
extraHosts: []
|
||||
extraTls:
|
||||
- hosts:
|
||||
- thanos-minio.{{ .Values.cluster_config.domain }}
|
||||
secretName: thanos-minio-tls
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.prometheus.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
{{ end }}
|
||||
@@ -0,0 +1,625 @@
|
||||
{{- if .Values.prometheus.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: prometheus
|
||||
namespace: argocd
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: prometheus
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/prometheus
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://prometheus-community.github.io/helm-charts'
|
||||
targetRevision: '{{ .Values.prometheus.version }}'
|
||||
chart: kube-prometheus-stack
|
||||
helm:
|
||||
skipCrds: true
|
||||
values: |
|
||||
crds:
|
||||
enabled: false
|
||||
|
||||
fullnameOverride: {{ .Values.prometheus.fullname | default "prometheus-kube-prometheus" }}
|
||||
|
||||
{{- with .Values.prometheus.defaultRules }}
|
||||
defaultRules:
|
||||
{{- . | toYaml | nindent 10 }}
|
||||
{{- end}}
|
||||
|
||||
## Configuration for alertmanager
|
||||
## ref: https://prometheus.io/docs/alerting/alertmanager/
|
||||
##
|
||||
alertmanager:
|
||||
config:
|
||||
route:
|
||||
{{- if .Values.prometheus.alert_group_by }}
|
||||
group_by:
|
||||
{{- range .Values.prometheus.alert_group_by }}
|
||||
- {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
group_by: ["alertname"]
|
||||
{{- end }}
|
||||
group_wait: 60s
|
||||
group_interval: 15m
|
||||
repeat_interval: 24h
|
||||
receiver: {{ .Values.prometheus.alert_receiver | default "pagerduty" }}
|
||||
routes:
|
||||
- match:
|
||||
alertname: Watchdog
|
||||
group_wait: 0s
|
||||
group_interval: 1m
|
||||
repeat_interval: 50s
|
||||
receiver: snitch
|
||||
{{- if .Values.prometheus.oncallUrl}}
|
||||
- match:
|
||||
alertname: .*
|
||||
receiver: oncall
|
||||
continue: true
|
||||
{{- end }}
|
||||
receivers:
|
||||
- name: pagerduty
|
||||
pagerduty_configs:
|
||||
- routing_key: {{ default "key" .Values.prometheus.pagerdutyRoutingKey }}
|
||||
url: "https://events.pagerduty.com/v2/enqueue"
|
||||
severity: {{`'{{ if .CommonLabels.severity }}{{ .CommonLabels.severity | toLower }}{{ else }}critical{{ end }}'`}}
|
||||
{{- if .Values.prometheus.snitchUrl}}
|
||||
- name: snitch
|
||||
webhook_configs:
|
||||
- url: "{{ .Values.prometheus.snitchUrl }}"
|
||||
send_resolved: false
|
||||
{{- end }}
|
||||
- name: teams
|
||||
webhook_configs:
|
||||
- url: "https://prometheus-msteams.{{ .Values.cluster_config.domain }}/{{ .Values.cluster_config.cluster }}"
|
||||
http_config:
|
||||
tls_config:
|
||||
insecure_skip_verify: true
|
||||
{{- if .Values.prometheus.oncallUrl}}
|
||||
- name: oncall
|
||||
webhook_configs:
|
||||
- url: "{{ .Values.prometheus.oncallUrl }}"
|
||||
send_resolved: true
|
||||
{{- end }}
|
||||
|
||||
storage: {}
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: nginx
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
{{- with .Values.cluster_config.ingress_whitelist_ips }}
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
|
||||
{{- end }}
|
||||
hosts:
|
||||
- alertmanager.{{ .Values.cluster_config.domain }}
|
||||
paths:
|
||||
- /
|
||||
pathType: ImplementationSpecific
|
||||
tls:
|
||||
- secretName: alertmanager-general-tls
|
||||
hosts:
|
||||
- alertmanager.{{ .Values.cluster_config.domain }}
|
||||
|
||||
ingressPerReplica:
|
||||
pathType: ImplementationSpecific
|
||||
|
||||
alertmanagerSpec:
|
||||
affinity: {}
|
||||
# nodeAffinity:
|
||||
# requiredDuringSchedulingIgnoredDuringExecution:
|
||||
# nodeSelectorTerms:
|
||||
# - matchExpressions:
|
||||
# - key: kubernetes.io/hostname
|
||||
# operator: In
|
||||
# values:
|
||||
# - {{ .Values.cluster_config.cluster }}-0.itpartner.intern
|
||||
|
||||
tolerations: []
|
||||
# - key: unschedulable
|
||||
# operator: Exists
|
||||
# effect: NoSchedule
|
||||
|
||||
grafana:
|
||||
defaultDashboardsEnabled: {{ .Values.prometheus.grafana.defaultDashboardsEnabled }}
|
||||
{{- if .Values.prometheus.grafana.plugins }}
|
||||
plugins:
|
||||
{{- range .Values.prometheus.grafana.plugins }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
grafana.ini:
|
||||
server:
|
||||
root_url: "https://grafana.{{.Values.cluster_config.domain}}:443"
|
||||
security:
|
||||
allow_embedding: "true"
|
||||
auth:
|
||||
disable_login_form: "{{ .Values.prometheus.grafana.disable_login_form }}"
|
||||
users:
|
||||
auto_assign_org_role: "Admin"
|
||||
{{- range .Values.cluster_config.oidc }}
|
||||
{{- if eq .provider "azuread" }}
|
||||
auth.{{ .provider }}:
|
||||
enabled: true
|
||||
name: {{ .name }}
|
||||
client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id}
|
||||
client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret}
|
||||
scopes: openid email profile
|
||||
auth_url: https://login.microsoftonline.com/{{ .tenant }}/oauth2/v2.0/authorize
|
||||
token_url: https://login.microsoftonline.com/{{ .tenant }}/oauth2/v2.0/token
|
||||
allowed_groups: {{ .group_id }}
|
||||
allow_sign_up: true
|
||||
role_attribute_strict: false
|
||||
allow_assign_grafana_admin: true
|
||||
{{- else if eq .provider "github" }}
|
||||
auth.{{ .provider }}:
|
||||
name: {{ .name }}
|
||||
enabled: true
|
||||
client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id}
|
||||
client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret}
|
||||
allowed_organizations: {{ .allowed_organizations }}
|
||||
{{- if .allowed_teams }}
|
||||
allowed_teams: "{{ .allowed_teams }}"
|
||||
{{- end }}
|
||||
scopes: user:email,read:org
|
||||
auth_url: https://github.com/login/oauth/authorize
|
||||
token_url: https://github.com/login/oauth/access_token
|
||||
allow_sign_up: true
|
||||
role_attribute_strict: false
|
||||
allow_assign_grafana_admin: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
extraSecretMounts:
|
||||
{{- range .Values.cluster_config.oidc }}
|
||||
- name: {{ .name }}
|
||||
secretName: {{ .secret_ref.name }}
|
||||
defaultMode: 0440
|
||||
mountPath: /etc/secrets/oauth/{{ .name }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.prometheus.grafana.persistence }}
|
||||
persistence:
|
||||
enabled: true
|
||||
size: 10Gi
|
||||
{{- end }}
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: nginx
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
{{- with .Values.cluster_config.ingress_whitelist_ips}}
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
|
||||
{{- end }}
|
||||
hosts:
|
||||
- grafana.{{ .Values.cluster_config.domain }}
|
||||
path: /
|
||||
tls:
|
||||
- secretName: grafana-general-tls
|
||||
hosts:
|
||||
- grafana.{{ .Values.cluster_config.domain }}
|
||||
sidecar:
|
||||
dashboards:
|
||||
enabled: true
|
||||
label: grafana_dashboard
|
||||
folderAnnotation: grafana_folder
|
||||
annotations: {}
|
||||
multicluster:
|
||||
global:
|
||||
enabled: true
|
||||
etcd:
|
||||
enabled: false
|
||||
provider:
|
||||
allowUiUpdates: false
|
||||
foldersFromFilesStructure: true
|
||||
{{- if .Values.prometheus.thanos.datasource.enabled }}
|
||||
datasources:
|
||||
enabled: true
|
||||
defaultDatasourceEnabled: true
|
||||
url: http://thanos-query-frontend.thanos.svc:9090/
|
||||
# defaultDatasourceScrapeInterval: 15s
|
||||
annotations: {}
|
||||
|
||||
## Create datasource for each Pod of Prometheus StatefulSet;
|
||||
## this uses headless service `prometheus-operated` which is
|
||||
## created by Prometheus Operator
|
||||
## ref: https://git.io/fjaBS
|
||||
createPrometheusReplicasDatasources: false
|
||||
label: grafana_datasource
|
||||
{{ end }}
|
||||
{{- if or .Values.loki.enabled .Values.prometheus.additionalDataSources }}
|
||||
additionalDataSources:
|
||||
{{- end }}
|
||||
{{- if .Values.tempo.enabled }}
|
||||
- name: Tempo
|
||||
type: tempo
|
||||
uid: tempo
|
||||
orgId: 1
|
||||
url: http://tempo.tempo:3100
|
||||
isDefault: false
|
||||
version: 1
|
||||
access: proxy
|
||||
jsonData:
|
||||
nodeGraph:
|
||||
enabled: true
|
||||
serviceMap:
|
||||
datasourceUid: 'Prometheus'
|
||||
tracesToLogs:
|
||||
datasourceUid: loki
|
||||
filterByTraceID: false
|
||||
spanEndTimeShift: "500ms"
|
||||
spanStartTimeShift: "-500ms"
|
||||
timeInterval: 30s
|
||||
{{- end }}
|
||||
{{- if .Values.loki.enabled }}
|
||||
- name: loki
|
||||
type: loki
|
||||
uid: loki
|
||||
access: proxy
|
||||
basicAuth: false
|
||||
editable: false
|
||||
jsonData:
|
||||
tlsSkipVerify: false
|
||||
{{- if .Values.tempo.enabled }}
|
||||
derivedFields:
|
||||
- datasourceUid: tempo
|
||||
matcherRegex: trace_id
|
||||
matcherType: label
|
||||
name: Trace ID
|
||||
url: $${__value.raw}
|
||||
urlDisplayLabel: 'Trace ID: $${__value.raw}'
|
||||
{{- end }}
|
||||
orgId: 1
|
||||
url: http://loki-read-headless.loki:3100
|
||||
version: 1
|
||||
{{- end }}
|
||||
{{- with .Values.prometheus.additionalDataSources }}
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
|
||||
kubeApiServer:
|
||||
tlsConfig:
|
||||
serverName: kubernetes
|
||||
insecureSkipVerify: true
|
||||
|
||||
kubelet:
|
||||
serviceMonitor:
|
||||
https: {{ .Values.prometheus.kubelet.https }}
|
||||
cAdvisor: true
|
||||
|
||||
# NOTE(simkir): Including throttling seconds by setting this. We use that in some dashboards, and could be useful
|
||||
## MetricRelabelConfigs to apply to samples after scraping, but before ingestion.
|
||||
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api-reference/api.md#relabelconfig
|
||||
##
|
||||
cAdvisorMetricRelabelings:
|
||||
# Drop less useful container CPU metrics.
|
||||
- sourceLabels: [__name__]
|
||||
action: drop
|
||||
regex: 'container_cpu_(load_average_10s|system_seconds_total|user_seconds_total)'
|
||||
# Drop less useful container / always zero filesystem metrics.
|
||||
- sourceLabels: [__name__]
|
||||
action: drop
|
||||
regex: 'container_fs_(io_current|io_time_seconds_total|io_time_weighted_seconds_total|reads_merged_total|sector_reads_total|sector_writes_total|writes_merged_total)'
|
||||
# Drop less useful / always zero container memory metrics.
|
||||
- sourceLabels: [__name__]
|
||||
action: drop
|
||||
regex: 'container_memory_(mapped_file|swap)'
|
||||
# Drop less useful container process metrics.
|
||||
- sourceLabels: [__name__]
|
||||
action: drop
|
||||
regex: 'container_(file_descriptors|tasks_state|threads_max)'
|
||||
# Drop container_memory_failures_total{scope="hierarchy"} metrics,
|
||||
# we only need the container scope.
|
||||
- sourceLabels: [__name__, scope]
|
||||
action: drop
|
||||
regex: 'container_memory_failures_total;hierarchy'
|
||||
# Drop container_network_... metrics that match various interfaces that
|
||||
# correspond to CNI and similar interfaces. This avoids capturing network
|
||||
# metrics for host network containers.
|
||||
- sourceLabels: [__name__, interface]
|
||||
action: drop
|
||||
regex: 'container_network_.*;(cali|cilium|cni|lxc|nodelocaldns|tunl).*'
|
||||
# Drop container spec metrics that overlap with kube-state-metrics.
|
||||
- sourceLabels: [__name__]
|
||||
action: drop
|
||||
regex: 'container_spec.*'
|
||||
# Drop cgroup metrics with no pod.
|
||||
- sourceLabels: [id, pod]
|
||||
action: drop
|
||||
regex: '.+;'
|
||||
# - sourceLabels: [__name__, image]
|
||||
# separator: ;
|
||||
# regex: container_([a-z_]+);
|
||||
# replacement: $1
|
||||
# action: drop
|
||||
# - sourceLabels: [__name__]
|
||||
# separator: ;
|
||||
# regex: container_(network_tcp_usage_total|network_udp_usage_total|tasks_state|cpu_load_average_10s)
|
||||
# replacement: $1
|
||||
# action: drop
|
||||
|
||||
kubeControllerManager:
|
||||
enabled: false
|
||||
{{- if .Values.cluster_config.apiserverip }}
|
||||
endpoints:
|
||||
- {{ .Values.cluster_config.apiserverip }}
|
||||
{{- end }}
|
||||
service:
|
||||
port: 10252
|
||||
selector:
|
||||
k8s-app: kube-controller-manager
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
https: true
|
||||
insecureSkipVerify: true
|
||||
|
||||
coreDns:
|
||||
enabled: true
|
||||
service:
|
||||
targetPort: {{ .Values.prometheus.coredns.targetPort | default 10055 }}
|
||||
selector:
|
||||
k8s-app: kube-dns
|
||||
|
||||
kubeEtcd:
|
||||
enabled: true
|
||||
{{- if .Values.cluster_config.etcd_nodes }}
|
||||
endpoints: {{ .Values.cluster_config.etcd_nodes }}
|
||||
{{- end }}
|
||||
service:
|
||||
port: {{ .Values.prometheus.etcd.targetPort | default 2379 }}
|
||||
targetPort: {{ .Values.prometheus.etcd.targetPort | default 2379 }}
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
scheme: https
|
||||
insecureSkipVerify: true
|
||||
caFile: /etc/prometheus/secrets/etcd-client-cert/ca.pem
|
||||
certFile: /etc/prometheus/secrets/etcd-client-cert/etcd.pem
|
||||
keyFile: /etc/prometheus/secrets/etcd-client-cert/etcd-key.pem
|
||||
|
||||
kubeScheduler:
|
||||
enabled: false
|
||||
{{- if .Values.cluster_config.apiserverip }}
|
||||
endpoints:
|
||||
- {{ .Values.cluster_config.apiserverip }}
|
||||
{{- end }}
|
||||
service:
|
||||
port: {{ .Values.prometheus.scheduler.targetPort | default 10251 }}
|
||||
targetPort: {{ .Values.prometheus.scheduler.targetPort | default 10251 }}
|
||||
selector:
|
||||
k8s-app: kube-scheduler
|
||||
|
||||
kubeProxy:
|
||||
enabled: false
|
||||
{{- if .Values.cluster_config.k8s_nodes }}
|
||||
endpoints: {{ .Values.cluster_config.k8s_nodes }}
|
||||
{{- else }}
|
||||
service:
|
||||
selector:
|
||||
k8s-app: kube-proxy
|
||||
{{- end }}
|
||||
|
||||
prometheusOperator:
|
||||
enabled: true
|
||||
|
||||
admissionWebhooks:
|
||||
certManager:
|
||||
enabled: true
|
||||
issuerRef:
|
||||
name: "ca-issuer"
|
||||
kind: "ClusterIssuer"
|
||||
|
||||
kubeletService:
|
||||
enabled: {{ .Values.prometheus.kubelet.enabled }}
|
||||
|
||||
prometheus:
|
||||
enabled: true
|
||||
{{- if .Values.otel.enabled }}
|
||||
enableRemoteWriteReceiver: true
|
||||
{{- end }}
|
||||
|
||||
thanosService:
|
||||
enabled: false
|
||||
type: ClusterIP
|
||||
|
||||
## gRPC port config
|
||||
portName: grpc
|
||||
port: 10901
|
||||
targetPort: "grpc"
|
||||
|
||||
## HTTP port config (for metrics)
|
||||
httpPortName: http
|
||||
httpPort: 10902
|
||||
targetHttpPort: "http"
|
||||
|
||||
# Default is to make this a headless service ("None")
|
||||
# clusterIP: "None"
|
||||
|
||||
## Port to expose on each node, if service type is NodePort
|
||||
##
|
||||
nodePort: 30901
|
||||
httpNodePort: 30902
|
||||
|
||||
{{- if .Values.prometheus.thanos.enabled }}
|
||||
# ServiceMonitor to scrape Sidecar metrics
|
||||
# Needs thanosService to be enabled as well
|
||||
thanosServiceMonitor:
|
||||
enabled: true
|
||||
interval: ""
|
||||
|
||||
thanosIngress:
|
||||
enabled: true
|
||||
servicePort: 10901
|
||||
ingressClassName: nginx
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
|
||||
{{- with .Values.cluster_config.ingress_whitelist_ips }}
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
|
||||
{{- end }}
|
||||
kubernetes.io/ingress.allow-http: "false"
|
||||
hosts:
|
||||
- thanos-gateway.{{ .Values.cluster_config.domain }}
|
||||
paths:
|
||||
- /
|
||||
pathType: ImplementationSpecific
|
||||
tls:
|
||||
- secretName: thanos-gateway-tls
|
||||
hosts:
|
||||
- thanos-gateway.{{ .Values.cluster_config.domain }}
|
||||
{{- end }}
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: nginx
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
{{- with .Values.cluster_config.ingress_whitelist_ips }}
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
|
||||
{{- end }}
|
||||
hosts:
|
||||
- prometheus.{{ .Values.cluster_config.domain }}
|
||||
paths:
|
||||
- /
|
||||
pathType: ImplementationSpecific
|
||||
tls:
|
||||
- secretName: prometheus-general-tls
|
||||
hosts:
|
||||
- prometheus.{{ .Values.cluster_config.domain }}
|
||||
|
||||
ingressPerReplica:
|
||||
enabled: false
|
||||
pathType: ImplementationSpecific
|
||||
|
||||
prometheusSpec:
|
||||
tolerations: []
|
||||
# - key: unschedulable
|
||||
# operator: Exists
|
||||
# effect: NoSchedule
|
||||
secrets:
|
||||
- etcd-client-cert
|
||||
storageSpec:
|
||||
volumeClaimTemplate:
|
||||
spec:
|
||||
accessModes: ["ReadWriteOnce"]
|
||||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.prometheus.storage.size }}
|
||||
{{- with .Values.prometheus.enableFeatures}}
|
||||
enableFeatures:
|
||||
{{- range . }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
## External labels to add to any time series or alerts when communicating with external systems
|
||||
##
|
||||
externalLabels:
|
||||
cluster: {{ .Values.cluster_config.cluster }}
|
||||
|
||||
## Name of the external label used to denote replica name
|
||||
##
|
||||
replicaExternalLabelName: ""
|
||||
|
||||
## If true, the Operator won't add the external label used to denote replica name
|
||||
##
|
||||
replicaExternalLabelNameClear: true
|
||||
|
||||
## Name of the external label used to denote Prometheus instance name
|
||||
##
|
||||
prometheusExternalLabelName: ""
|
||||
|
||||
## If true, the Operator won't add the external label used to denote Prometheus instance name
|
||||
##
|
||||
prometheusExternalLabelNameClear: true
|
||||
|
||||
serviceMonitorSelectorNilUsesHelmValues: false
|
||||
podMonitorSelectorNilUsesHelmValues: false
|
||||
ruleSelectorNilUsesHelmValues: false
|
||||
|
||||
## Thanos configuration allows configuring various aspects of a Prometheus server in a Thanos environment.
|
||||
## This section is experimental, it may change significantly without deprecation notice in any release.
|
||||
## This is experimental and may change significantly without backward compatibility in any release.
|
||||
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#thanosspec
|
||||
##
|
||||
{{- if .Values.prometheus.thanos.enabled }}
|
||||
thanos:
|
||||
objectStorageConfig:
|
||||
key: thanos.yaml
|
||||
name: thanos-objstore-config
|
||||
{{- end }}
|
||||
# remoteWrite:
|
||||
# - url: https://thanos-receive.k1.itpartner.no/api/v1/receive
|
||||
# name: {{ .Values.cluster_config.cluster }}
|
||||
{{- with .Values.prometheus.additionalScrapeConfigs}}
|
||||
additionalScrapeConfigs:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- ServerSideApply=true
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.prometheus.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
ignoreDifferences:
|
||||
- group: apps
|
||||
kind: Deployment
|
||||
jqPathExpressions:
|
||||
- '.spec.template.spec.containers[]?.resources'
|
||||
- group: monitoring.coreos.com
|
||||
kind: ServiceMonitor
|
||||
jqPathExpressions:
|
||||
- '.spec.endpoints[]?.relabelings'
|
||||
- group: admissionregistration.k8s.io
|
||||
kind: MutatingWebhookConfiguration
|
||||
jqPathExpressions:
|
||||
- '.webhooks[]?.clientConfig.caBundle'
|
||||
- group: admissionregistration.k8s.io
|
||||
kind: ValidatingWebhookConfiguration
|
||||
jqPathExpressions:
|
||||
- '.webhooks[]?.clientConfig.caBundle'
|
||||
---
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: prometheus-crd
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "-1"
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: prometheus
|
||||
server: 'https://kubernetes.default.svc'
|
||||
source:
|
||||
repoURL: 'https://prometheus-community.github.io/helm-charts'
|
||||
targetRevision: '{{ .Values.prometheus.crd_version }}'
|
||||
chart: prometheus-operator-crds
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
automated: {}
|
||||
syncOptions:
|
||||
- ServerSideApply=true
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- end }}
|
||||
@@ -0,0 +1,50 @@
|
||||
{{ if .Values.promtail.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: promtail
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: loki
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
#- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
# path: {{ .Values.cluster_config.policies }}/promtail
|
||||
# targetRevision: HEAD
|
||||
- repoURL: 'https://grafana.github.io/helm-charts'
|
||||
targetRevision: {{ .Values.promtail.version }}
|
||||
chart: promtail
|
||||
helm:
|
||||
values: |
|
||||
config:
|
||||
snippets:
|
||||
pipelineStages:
|
||||
- labelallow:
|
||||
- app
|
||||
- app_kubernetes_io_component
|
||||
- app_kubernetes_io_instance
|
||||
- app_kubernetes_io_version
|
||||
- container
|
||||
- instance
|
||||
- namespace
|
||||
- pod
|
||||
- stream
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.promtail.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
{{ end }}
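Review bot: `targetRevision: {{ .Values.promtail.version }}` on the chart source is rendered unquoted, so a version such as `6.10` is turned into the float `6.1` by the YAML parser before Argo CD ever sees it; quote the templated scalar, `targetRevision: "{{ .Values.promtail.version }}"`. The same unquoted `targetRevision` appears in the rabbitmq-operator, sealed-secrets, tempo, velero and x509-exporter Applications below, while the prometheus-crd Application above already quotes it (`'{{ .Values.prometheus.crd_version }}'`). The three commented-out lines under `sources:` are dead config; either drop them or replace them with a one-line comment saying why promtail has no policies directory yet, so the next reader does not wonder whether it was forgotten.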
|
||||
@@ -0,0 +1,60 @@
|
||||
{{ if .Values.rabbitmq_operator.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: rabbitmq-operator
|
||||
namespace: argocd
|
||||
spec:
|
||||
destination:
|
||||
namespace: rabbitmq
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/rabbitmq
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://charts.bitnami.com/bitnami'
|
||||
targetRevision: {{ .Values.rabbitmq_operator.version }}
|
||||
chart: rabbitmq-cluster-operator
|
||||
helm:
|
||||
# NOTE(mrtz): Also add metrics for topology operator?
|
||||
values: |
|
||||
fullnameOverride: rabbitmq-operator
|
||||
additionalArgs: []
|
||||
useCertManager: true
|
||||
{{ if .Values.rabbitmq_operator.metrics }}
|
||||
clusterOperator:
|
||||
metrics:
|
||||
service:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
podMonitor:
|
||||
enabled: true
|
||||
{{ end }}
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
- ServerSideApply=true
|
||||
{{- if .Values.rabbitmq_operator.version }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
ignoreDifferences:
|
||||
- group: ""
|
||||
kind: Secret
|
||||
name: rabbitmq-operator-messaging-topology-operator-webhook
|
||||
jsonPointers:
|
||||
- /data/ca.crt
|
||||
- /data/tls.crt
|
||||
- /data/tls.key
|
||||
- group: admissionregistration.k8s.io
|
||||
kind: ValidatingWebhookConfiguration
|
||||
jqPathExpressions:
|
||||
- '.webhooks[]?.clientConfig.caBundle'
|
||||
{{- end }}
|
||||
{{ end }}
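Review bot: `{{- if .Values.rabbitmq_operator.version }}` at the end of `syncPolicy` gates `automated: prune: true` on the chart version rather than on an autosync flag, unlike every other Application in this commit, and because `targetRevision` needs that same value to be set, automated sync with pruning is effectively always on for this app. The `ignoreDifferences` block sits inside the same conditional, so the webhook caBundle/TLS diffs are only ignored under that same (wrong) condition. Presumably this should read `{{- if .Values.rabbitmq_operator.autosync }}` with the `{{- end }}` moved up to directly after `# selfHeal: false`, leaving `ignoreDifferences:` unconditional as in the prometheus Application above.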
|
||||
@@ -0,0 +1,32 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: sealed-secrets
|
||||
namespace: argocd
|
||||
spec:
|
||||
destination:
|
||||
namespace: sealed-secrets
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/sealed-secrets
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://bitnami-labs.github.io/sealed-secrets'
|
||||
targetRevision: {{ .Values.sealed_secrets.version }}
|
||||
chart: sealed-secrets
|
||||
helm:
|
||||
values: |
|
||||
fullnameOverride: "vault-sealed-secrets"
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.sealed_secrets.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
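Review bot: The sealed-secrets Application carries no `resources-finalizer.argocd.argoproj.io` finalizer and no `{{ if .Values.sealed_secrets.enabled }}` guard, unlike the promtail, tempo, velero and x509-exporter Applications around it, and nothing on the page says whether that is deliberate. Both differences are plausible for the component that holds the cluster's sealing keys, but a reader comparing the files will read them as omissions; a comment above `metadata:` such as `# always rendered and intentionally without resources-finalizer: <reason>` would settle it.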
|
||||
@@ -0,0 +1,90 @@
|
||||
{{ if .Values.tempo.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: tempo
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: tempo
|
||||
server: 'https://kubernetes.default.svc'
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{ if .Values.tempo.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{ end }}
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/tempo
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://grafana.github.io/helm-charts'
|
||||
targetRevision: {{ .Values.tempo.version }}
|
||||
chart: tempo
|
||||
helm:
|
||||
values: |
|
||||
tempo:
|
||||
reportingEnabled: false
|
||||
storage:
|
||||
trace:
|
||||
backend: s3
|
||||
s3:
|
||||
bucket: {{ .Values.tempo.bucketName | default "tempo-traces" }}
|
||||
endpoint: {{ .Values.tempo.s3.endpoint | default "https://s3.production.itpartner.no" }}
|
||||
prefix: traces
|
||||
access_key: ${S3KEY}
|
||||
secret_key: ${S3SECRET}
|
||||
forcepathstyle: true
|
||||
region: us-east-1
|
||||
{{- if .Values.tempo.s3.insecure_skip_verify }}
|
||||
tls_insecure_skip_verify: true
|
||||
{{- end }}
|
||||
local:
|
||||
path: /var/tempo/traces
|
||||
wal:
|
||||
path: /var/tempo/wal
|
||||
metricsGenerator:
|
||||
enabled: true
|
||||
remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
|
||||
extraArgs: { config.expand-env=true }
|
||||
extraEnv:
|
||||
- name: S3KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.tempo.secret.name | default "nutanix-s3"}}
|
||||
key: {{ .Values.tempo.secret.access_key | default "access_key" }}
|
||||
- name: S3SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.tempo.secret.name | default "nutanix-s3"}}
|
||||
key: {{ .Values.tempo.secret.access_key | default "access_secret" }}
|
||||
tempoQuery:
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: nginx
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
{{- with .Values.cluster_config.ingress_whitelist_ips }}
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
|
||||
{{- end }}
|
||||
path: /
|
||||
pathType: Prefix
|
||||
hosts:
|
||||
- query.tempo.{{ .Values.cluster_config.domain }}
|
||||
tls:
|
||||
- secretName: tempo-query-tls
|
||||
hosts:
|
||||
- query.tempo.{{ .Values.cluster_config.domain }}
|
||||
{{ end }}
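Review bot: The `S3SECRET` entry near the end of the Helm values reads `key: {{ .Values.tempo.secret.access_key | default "access_secret" }}`, the same value the `S3KEY` entry uses, so as soon as `tempo.secret.access_key` is set both environment variables are filled from the access-key entry and the secret key is never loaded; the `"access_secret"` default only hides this while the value is unset. It presumably wants a value of its own, e.g. `key: {{ .Values.tempo.secret.secret_key | default "access_secret" }}` (value name to be matched against the chart's values file, which is not on this page). In the same block, `tls_insecure_skip_verify: true` is correctly gated behind `tempo.s3.insecure_skip_verify`; a short comment stating when that flag is acceptable would keep it from being enabled casually.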
|
||||
@@ -0,0 +1,111 @@
|
||||
{{ if .Values.velero.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: velero
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
spec:
|
||||
destination:
|
||||
namespace: velero
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/velero
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://vmware-tanzu.github.io/helm-charts'
|
||||
targetRevision: {{ .Values.velero.version }}
|
||||
chart: velero
|
||||
helm:
|
||||
values: |
|
||||
initContainers:
|
||||
- name: velero-plugin-for-aws
|
||||
image: velero/velero-plugin-for-aws:v1.9.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
volumeMounts:
|
||||
- mountPath: /target
|
||||
name: plugins
|
||||
credentials:
|
||||
useSecret: true
|
||||
existingSecret: {{ .Values.velero.credentials.secretName }}
|
||||
deployNodeAgent: true
|
||||
nodeAgent:
|
||||
podVolumePath: {{ .Values.velero.kubeletRootDir }}
|
||||
resources:
|
||||
requests:
|
||||
cpu: {{ .Values.velero.resources.nodeAgent.request.cpu | default "500m" }}
|
||||
memory: {{ .Values.velero.resources.nodeAgent.request.memory | default "1Gi" }}
|
||||
limits:
|
||||
memory: {{ .Values.velero.resources.nodeAgent.limit.memory | default "2Gi" }}
|
||||
snapshotsEnabled: false
|
||||
resources:
|
||||
requests:
|
||||
cpu: {{ .Values.velero.resources.velero.request.cpu | default "500m" }}
|
||||
memory: {{ .Values.velero.resources.velero.request.memory | default "1Gi" }}
|
||||
limits:
|
||||
memory: {{ .Values.velero.resources.velero.limit.memory | default "1Gi" }}
|
||||
configuration:
|
||||
uploaderType: kopia
|
||||
# Backup all volumes by default
|
||||
defaultVolumesToFsBackup: {{ .Values.velero.backupAllVolumes }}
|
||||
## https://velero.io/docs/v1.6/api-types/backupstoragelocation/
|
||||
backupStorageLocation:
|
||||
- name: {{ .Values.velero.bsl }}
|
||||
bucket: {{ .Values.velero.bucket }}
|
||||
provider: aws
|
||||
default: true
|
||||
## prefix is the directory under which all Velero data should be stored within the bucket. Optional.
|
||||
prefix: {{ .Values.cluster_config.cluster }}/velero
|
||||
accessMode: ReadWrite
|
||||
config:
|
||||
## ONLY us-east-1 region is supported by nutanix
|
||||
region: {{ .Values.velero.s3.region }}
|
||||
s3ForcePathStyle: "true"
|
||||
{{- if .Values.velero.s3.url }}
|
||||
s3Url: {{ .Values.velero.s3.url }}
|
||||
{{- end }}
|
||||
{{- if .Values.velero.s3.insecureSkipTLSVerify }}
|
||||
insecureSkipTLSVerify: true
|
||||
{{- end }}
|
||||
metrics:
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
additionalLabels:
|
||||
k8s-app: "velero"
|
||||
release: "prometheus"
|
||||
prometheusRule:
|
||||
enabled: true
|
||||
# namespace: ""
|
||||
# Rules to be deployed
|
||||
spec:
|
||||
- alert: VeleroBackupPartialFailures
|
||||
annotations:
|
||||
message: Velero backup {{` {{ $labels.schedule }} `}} has {{` {{$value | humanizePercentage}} `}} partialy failed backups.
|
||||
expr: |-
|
||||
velero_backup_partial_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25
|
||||
for: 15m
|
||||
labels:
|
||||
severity: critical
|
||||
- alert: VeleroBackupFailures
|
||||
annotations:
|
||||
message: Velero backup {{` {{$labels.schedule}} `}} has {{` {{$value | humanizePercentage}} `}} failed backups.
|
||||
expr: |-
|
||||
velero_backup_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25
|
||||
for: 15m
|
||||
labels:
|
||||
severity: critical
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.velero.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
{{- end }}
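Review bot: The two PrometheusRule alerts only fire on backups that ran and failed; a schedule that silently stops producing backups (node agent crash-looping, BSL unavailable, controller stuck) leaves both ratios unchanged and raises nothing, which for a backup system is the failure that matters most. Consider a third rule on the age of the last successful backup per schedule, e.g. based on `velero_backup_last_successful_timestamp` (confirm the metric name against the deployed Velero version). Two smaller things in the same values block: `partialy` in the VeleroBackupPartialFailures message should be `partially`, and the `## https://velero.io/docs/v1.6/api-types/backupstoragelocation/` link points at a Velero release that predates `uploaderType: kopia`, so it should be bumped to the version actually deployed.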
|
||||
@@ -0,0 +1,53 @@
|
||||
{{ if .Values.x509_exporter.enabled }}
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: x509-exporter
|
||||
namespace: argocd
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
destination:
|
||||
namespace: x509-exporter
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sources:
|
||||
- repoURL: {{ .Values.cluster_config.manifests }}
|
||||
path: {{ .Values.cluster_config.policies }}/x509-exporter
|
||||
targetRevision: HEAD
|
||||
- repoURL: 'https://charts.enix.io'
|
||||
targetRevision: {{ .Values.x509_exporter.version }}
|
||||
chart: x509-certificate-exporter
|
||||
helm:
|
||||
values: |
|
||||
secretsExporter:
|
||||
excludeNamespaces:
|
||||
- sealed-secrets
|
||||
excludeLabels:
|
||||
- cert-manager.io/*
|
||||
resources:
|
||||
limits:
|
||||
memory: 100Mi
|
||||
requests:
|
||||
cpu: 20m
|
||||
memory: 100Mi
|
||||
prometheusServiceMonitor:
|
||||
extraLabels:
|
||||
k8s-app: x509-exporter
|
||||
prometheusRules:
|
||||
create: false
|
||||
project: sys
|
||||
syncPolicy:
|
||||
managedNamespaceMetadata:
|
||||
labels:
|
||||
component: sys
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
{{- if .Values.x509_exporter.autosync }}
|
||||
automated:
|
||||
prune: true
|
||||
# selfHeal: false
|
||||
{{- end }}
|
||||
{{ end }}
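Review bot: `prometheusRules: create: false` turns off the chart's own certificate-expiry alerts, so this Application only produces metrics; unless an expiry rule exists elsewhere (none is visible in this commit), certificates exported here will expire without an alert. Either set `create: true` or add a comment naming where the `x509_cert_not_after`-based rule lives, e.g. `# expiry alerts live in <path to PrometheusRule>; keep in sync with the exporter's label set`. `excludeLabels: - cert-manager.io/*` also deserves a one-line why-comment (presumably because cert-manager publishes its own expiry metrics), since the exclusion makes cert-manager-managed Secrets invisible to this exporter.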
|
||||
@@ -0,0 +1,372 @@
|
||||
{{- if .Values.rabbitmq_operator.enabled }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: rabbitmq-overview-dashboard
|
||||
namespace: prometheus
|
||||
labels:
|
||||
grafana_dashboard: "1"
|
||||
data:
|
||||
# https://grafana.com/grafana/dashboards/10991
|
||||
rabbitmq-overview-dashboard.json.url: "https://github.com/rabbitmq/rabbitmq-server/raw/e57c579d1a71b283469defdd0d6d45313e6d6daf/deps/rabbitmq_prometheus/docker/grafana/dashboards/RabbitMQ-Overview.json"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: rabbitmq-queue-grafana-dashboard
|
||||
namespace: prometheus
|
||||
labels:
|
||||
grafana_dashboard: "1"
|
||||
data:
|
||||
rabbitmq-queue-grafana-dashboard.json: |-
|
||||
{
|
||||
"__inputs":[
|
||||
{
|
||||
"name":"DS_PROMETHEUS",
|
||||
"label":"prometheus",
|
||||
"description":"",
|
||||
"type":"datasource",
|
||||
"pluginId":"prometheus",
|
||||
"pluginName":"Prometheus"
|
||||
}
|
||||
],
|
||||
"__elements":{
|
||||
|
||||
},
|
||||
"__requires":[
|
||||
{
|
||||
"type":"grafana",
|
||||
"id":"grafana",
|
||||
"name":"Grafana",
|
||||
"version":"8.3.4"
|
||||
},
|
||||
{
|
||||
"type":"datasource",
|
||||
"id":"prometheus",
|
||||
"name":"Prometheus",
|
||||
"version":"1.0.0"
|
||||
},
|
||||
{
|
||||
"type":"panel",
|
||||
"id":"timeseries",
|
||||
"name":"Time series",
|
||||
"version":""
|
||||
}
|
||||
],
|
||||
"annotations":{
|
||||
"list":[
|
||||
{
|
||||
"builtIn":1,
|
||||
"datasource":{
|
||||
"type":"datasource",
|
||||
"uid":"grafana"
|
||||
},
|
||||
"enable":true,
|
||||
"hide":true,
|
||||
"iconColor":"rgba(0, 211, 255, 1)",
|
||||
"name":"Annotations & Alerts",
|
||||
"target":{
|
||||
"limit":100,
|
||||
"matchAny":false,
|
||||
"tags":[
|
||||
|
||||
],
|
||||
"type":"dashboard"
|
||||
},
|
||||
"type":"dashboard"
|
||||
}
|
||||
]
|
||||
},
|
||||
"editable":true,
|
||||
"fiscalYearStartMonth":0,
|
||||
"graphTooltip":0,
|
||||
"id":null,
|
||||
"links":[
|
||||
|
||||
],
|
||||
"liveNow":false,
|
||||
"panels":[
|
||||
{
|
||||
"datasource":{
|
||||
"type":"prometheus",
|
||||
"uid":"${DS_PROMETHEUS}"
|
||||
},
|
||||
"fieldConfig":{
|
||||
"defaults":{
|
||||
"color":{
|
||||
"mode":"palette-classic"
|
||||
},
|
||||
"custom":{
|
||||
"axisCenteredZero":false,
|
||||
"axisColorMode":"text",
|
||||
"axisLabel":"Messages",
|
||||
"axisPlacement":"left",
|
||||
"axisSoftMin":0,
|
||||
"barAlignment":0,
|
||||
"drawStyle":"line",
|
||||
"fillOpacity":0,
|
||||
"gradientMode":"none",
|
||||
"hideFrom":{
|
||||
"graph":false,
|
||||
"legend":false,
|
||||
"tooltip":false,
|
||||
"viz":false
|
||||
},
|
||||
"lineInterpolation":"linear",
|
||||
"lineWidth":1,
|
||||
"pointSize":5,
|
||||
"scaleDistribution":{
|
||||
"type":"linear"
|
||||
},
|
||||
"showPoints":"auto",
|
||||
"spanNulls":false,
|
||||
"stacking":{
|
||||
"group":"A",
|
||||
"mode":"none"
|
||||
},
|
||||
"thresholdsStyle":{
|
||||
"mode":"off"
|
||||
}
|
||||
},
|
||||
"mappings":[
|
||||
|
||||
],
|
||||
"thresholds":{
|
||||
"mode":"absolute",
|
||||
"steps":[
|
||||
{
|
||||
"color":"green",
|
||||
"value":null
|
||||
},
|
||||
{
|
||||
"color":"red",
|
||||
"value":80
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"overrides":[
|
||||
{
|
||||
"matcher":{
|
||||
"id":"byName",
|
||||
"options":"Consumers"
|
||||
},
|
||||
"properties":[
|
||||
{
|
||||
"id":"custom.axisPlacement",
|
||||
"value":"right"
|
||||
},
|
||||
{
|
||||
"id":"unit",
|
||||
"value":"prefix:"
|
||||
},
|
||||
{
|
||||
"id":"custom.axisLabel",
|
||||
"value":"Consumers"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"matcher":{
|
||||
"id":"byName",
|
||||
"options":"Messages"
|
||||
},
|
||||
"properties":[
|
||||
{
|
||||
"id":"custom.drawStyle",
|
||||
"value":"line"
|
||||
},
|
||||
{
|
||||
"id":"custom.fillOpacity",
|
||||
"value":0
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"gridPos":{
|
||||
"h":20,
|
||||
"w":24,
|
||||
"x":0,
|
||||
"y":0
|
||||
},
|
||||
"id":2,
|
||||
"options":{
|
||||
"legend":{
|
||||
"calcs":[
|
||||
|
||||
],
|
||||
"displayMode":"list",
|
||||
"placement":"bottom",
|
||||
"showLegend":true
|
||||
},
|
||||
"tooltip":{
|
||||
"mode":"single",
|
||||
"sort":"none"
|
||||
}
|
||||
},
|
||||
"targets":[
|
||||
{
|
||||
"datasource":{
|
||||
"type":"prometheus",
|
||||
"uid":"${DS_PROMETHEUS}"
|
||||
},
|
||||
"editorMode":"code",
|
||||
"expr":"(rabbitmq_detailed_queue_messages{namespace=\"$namespace\", queue=\"$queue\"} * on (instance, job) rabbitmq_identity_info{namespace=\"$namespace\",rabbitmq_cluster=\"$rabbitmq_cluster\"})",
|
||||
"legendFormat":"Messages ({{`{{job}}`}} | {{`{{instance}}`}})",
|
||||
"range":true,
|
||||
"refId":"A"
|
||||
},
|
||||
{
|
||||
"datasource":{
|
||||
"type":"prometheus",
|
||||
"uid":"${DS_PROMETHEUS}"
|
||||
},
|
||||
"editorMode":"code",
|
||||
"expr":"rabbitmq_detailed_queue_consumers{namespace=\"$namespace\", queue=\"$queue\"} * on (instance, job) rabbitmq_identity_info{namespace=\"$namespace\",rabbitmq_cluster=\"$rabbitmq_cluster\"}",
|
||||
"legendFormat":"Consumers ({{`{{job}}`}} | {{`{{instance}}`}})",
|
||||
"range":true,
|
||||
"refId":"B"
|
||||
}
|
||||
],
|
||||
"title":"Queue messages and consumers",
|
||||
"type":"timeseries"
|
||||
}
|
||||
],
|
||||
"refresh":"10s",
|
||||
"revision":1,
|
||||
"schemaVersion":38,
|
||||
"style":"dark",
|
||||
"tags":[
|
||||
"rabbitmq-prometheus"
|
||||
],
|
||||
"templating":{
|
||||
"list":[
|
||||
{
|
||||
"current":{
|
||||
"selected":false,
|
||||
"text":"default",
|
||||
"value":"default"
|
||||
},
|
||||
"hide":2,
|
||||
"includeAll":false,
|
||||
"label":"datasource",
|
||||
"multi":false,
|
||||
"name":"DS_PROMETHEUS",
|
||||
"options":[
|
||||
|
||||
],
|
||||
"query":"prometheus",
|
||||
"refresh":1,
|
||||
"regex":"",
|
||||
"skipUrlSync":false,
|
||||
"type":"datasource",
|
||||
"datasource":"${DS_PROMETHEUS}"
|
||||
},
|
||||
{
|
||||
"current":{
|
||||
|
||||
},
|
||||
"datasource":{
|
||||
"type":"prometheus",
|
||||
"uid":"${DS_PROMETHEUS}"
|
||||
},
|
||||
"definition":"label_values(rabbitmq_identity_info, namespace)",
|
||||
"hide":0,
|
||||
"includeAll":false,
|
||||
"label":"Namespace",
|
||||
"multi":false,
|
||||
"name":"namespace",
|
||||
"options":[
|
||||
|
||||
],
|
||||
"query":{
|
||||
"query":"label_values(rabbitmq_identity_info, namespace)",
|
||||
"refId":"StandardVariableQuery"
|
||||
},
|
||||
"refresh":2,
|
||||
"regex":"",
|
||||
"skipUrlSync":false,
|
||||
"sort":1,
|
||||
"tagValuesQuery":"",
|
||||
"tagsQuery":"",
|
||||
"type":"query",
|
||||
"useTags":false
|
||||
},
|
||||
{
|
||||
"current":{
|
||||
|
||||
},
|
||||
"datasource":{
|
||||
"type":"prometheus",
|
||||
"uid":"${DS_PROMETHEUS}"
|
||||
},
|
||||
"definition":"label_values(rabbitmq_identity_info{namespace=\"$namespace\"}, rabbitmq_cluster)",
|
||||
"hide":0,
|
||||
"includeAll":false,
|
||||
"label":"RabbitMQ Cluster",
|
||||
"multi":false,
|
||||
"name":"rabbitmq_cluster",
|
||||
"options":[
|
||||
|
||||
],
|
||||
"query":{
|
||||
"query":"label_values(rabbitmq_identity_info{namespace=\"$namespace\"}, rabbitmq_cluster)",
|
||||
"refId":"StandardVariableQuery"
|
||||
},
|
||||
"refresh":2,
|
||||
"regex":"",
|
||||
"skipUrlSync":false,
|
||||
"sort":1,
|
||||
"tagValuesQuery":"",
|
||||
"tagsQuery":"",
|
||||
"type":"query",
|
||||
"useTags":false
|
||||
},
|
||||
{
|
||||
"current":{
|
||||
|
||||
},
|
||||
"datasource":{
|
||||
"type":"prometheus",
|
||||
"uid":"${DS_PROMETHEUS}"
|
||||
},
|
||||
"definition":"query_result(rabbitmq_detailed_queue_messages{namespace=\"$namespace\"} * on (instance, job) group_left(rabbitmq_cluster) rabbitmq_identity_info{namespace=\"$namespace\"})",
|
||||
"hide":0,
|
||||
"includeAll":false,
|
||||
"label":"Queue",
|
||||
"multi":false,
|
||||
"name":"queue",
|
||||
"options":[
|
||||
|
||||
],
|
||||
"query":{
|
||||
"query":"query_result(rabbitmq_detailed_queue_messages{namespace=\"$namespace\"} * on (instance, job) group_left(rabbitmq_cluster) rabbitmq_identity_info{namespace=\"$namespace\", rabbitmq_cluster=\"$rabbitmq_cluster\"})",
|
||||
"refId":"StandardVariableQuery"
|
||||
},
|
||||
"refresh":2,
|
||||
"regex":"/.*queue=\"([^\"]+)\".*/",
|
||||
"skipUrlSync":false,
|
||||
"sort":0,
|
||||
"tagValuesQuery":"",
|
||||
"tagsQuery":"",
|
||||
"type":"query",
|
||||
"useTags":false
|
||||
}
|
||||
]
|
||||
},
|
||||
"time":{
|
||||
"from":"now-15m",
|
||||
"to":"now"
|
||||
},
|
||||
"timepicker":{
|
||||
|
||||
},
|
||||
"timezone":"",
|
||||
"title":"RabbitMQ-Queue",
|
||||
"uid":"j9t8vwH7k",
|
||||
"version":3,
|
||||
"weekStart":""
|
||||
}
|
||||
{{- end }}
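Review bot: `rabbitmq-overview-dashboard.json.url` makes the Grafana sidecar fetch the dashboard from github.com at load time, so this ConfigMap only works with egress to GitHub from the prometheus namespace, and the dashboard content is whatever that URL serves rather than something reviewable in this repository; pinning to a commit SHA keeps it immutable, which is the right choice for a runtime fetch. Since the queue dashboard directly below is vendored inline, consider vendoring the overview JSON the same way so both load offline and show up in diffs, or add a comment next to the `.url` key noting the egress requirement.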
|
||||
@@ -0,0 +1,52 @@
|
||||
{{- if and (.Values.kyverno.enabled) (.Values.postgres_operator.enabled) (.Values.velero.enabled) }}
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cnpg-add-backup-section
|
||||
annotations:
|
||||
policies.kyverno.io/title: add backup section to cnpg cluster spec
|
||||
policies.kyverno.io/category: Other
|
||||
policies.kyverno.io/severity: medium
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.23"
|
||||
policies.kyverno.io/subject: Cluster
|
||||
policies.kyverno.io/description: >-
|
||||
When a CNPG cluster is created, a backup section should be added.
|
||||
The user can then create their own backup or backup schedule.
|
||||
spec:
|
||||
background: false
|
||||
rules:
|
||||
- name: cnpg-add-backup-section
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Cluster
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Cluster
|
||||
names:
|
||||
- "review-*"
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
spec:
|
||||
backup:
|
||||
barmanObjectStore:
|
||||
destinationPath: s3://{{ .Values.velero.bucket }}/{{ .Values.cluster_config.cluster }}/cnpg-backup
|
||||
serverName: {{` "{{ request.object.metadata.name }}"`}}
|
||||
endpointURL: https://s3.production.itpartner.no
|
||||
s3Credentials:
|
||||
accessKeyId:
|
||||
key: access_key
|
||||
name: nutanix-s3
|
||||
inheritFromIAMRole: false
|
||||
secretAccessKey:
|
||||
key: access_secret
|
||||
name: nutanix-s3
|
||||
wal:
|
||||
compression: snappy
|
||||
{{- end }}
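Review bot: `endpointURL: https://s3.production.itpartner.no` is hard-coded in the generated `barmanObjectStore`, while the tempo and velero Applications derive the same endpoint from values (`tempo.s3.endpoint`, `velero.s3.url`); a cluster pointed at another S3 endpoint through those values would ship traces and volume backups there but still send CNPG base backups and WAL to the production endpoint. Prefer the same source, e.g. `endpointURL: {{ .Values.velero.s3.url }}`, noting that `velero.s3.url` is optional in the velero values and would need a default here. `apiVersion : kyverno.io/v1` in this policy and the next one has a space before the colon; valid YAML, but yamllint's `colons` rule flags it and the rest of the commit writes `apiVersion:`.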
|
||||
|
||||
@@ -0,0 +1,36 @@
|
||||
{{- if and (.Values.kyverno.enabled) (.Values.postgres_operator.enabled) (.Values.velero.enabled) }}
|
||||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: cnpg-clone-s3-credentials
|
||||
annotations:
|
||||
policies.kyverno.io/title: add backup section to cnpg cluster spec
|
||||
policies.kyverno.io/category: Other
|
||||
policies.kyverno.io/severity: medium
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.23"
|
||||
policies.kyverno.io/subject: Cluster
|
||||
policies.kyverno.io/description: >-
|
||||
When a CNPG cluster is created, s3 credentials and CA secrets
|
||||
should be synced from the velero namespace
|
||||
spec:
|
||||
background: false
|
||||
rules:
|
||||
- name: clone-s3-credentials
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Cluster
|
||||
generate:
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
name: nutanix-s3
|
||||
namespace: {{` "{{request.object.metadata.namespace}}" `}}
|
||||
synchronize: true
|
||||
clone:
|
||||
namespace: velero
|
||||
name: nutanix-s3
|
||||
{{- end }}
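Review bot: This generate rule clones the `nutanix-s3` Secret from the `velero` namespace into every namespace that creates a CNPG `Cluster`, and that Secret holds the credentials velero and barman use to write to the shared bucket (`velero.bucket` is the `destinationPath` in the previous policy and the Velero BSL bucket). Combined with the `generate-external-admin-rolebinding` policy below, which gives the customer group admin rights inside their namespaces, any tenant that creates a database can read credentials for the bucket that also holds other tenants' CNPG backups and the cluster's Velero backups. Consider per-tenant credentials or a prefix-scoped bucket policy for the cloned copy, and at minimum document the blast radius next to `clone:`; `synchronize: true` also means a rotation of the source Secret propagates to every copy, which is worth stating. The `policies.kyverno.io/title` annotation is copied from the previous policy (`add backup section to cnpg cluster spec`) and should describe this one, e.g. `clone s3 credentials into cnpg cluster namespaces`.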
|
||||
|
||||
@@ -0,0 +1,55 @@
|
||||
{{- if and (.Values.cluster_config.external_kubectl_access.enabled) (.Values.kyverno.enabled) }}
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: generate-external-admin-rolebinding
|
||||
annotations:
|
||||
policies.kyverno.io/title: Generate cluster-Admin rolebinding customer namespaces
|
||||
policies.kyverno.io/category: other
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Namespace, RoleBinding
|
||||
kyverno.io/kyverno-version: 1.7.0
|
||||
policies.kyverno.io/minversion: 1.7.0
|
||||
kyverno.io/kubernetes-version: "1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
Customers should not have full admin permissions on their own namespaces.
|
||||
This policy will generate a RoleBinding, binding their group_id to
|
||||
the Cluster-Admin clusterrole. This will still only apply to the namespace as
|
||||
the resource is a rolebinding, not clusterrolebinding.
|
||||
This policy should not trigger on any namespaces with label component=sys
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: true
|
||||
rules:
|
||||
- name: generate-rolebinding
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
selector:
|
||||
matchLabels:
|
||||
component: sys
|
||||
generate:
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
name: external-ns-admin
|
||||
namespace: {{` "{{request.object.metadata.name}}" `}}
|
||||
synchronize: true
|
||||
data:
|
||||
metadata:
|
||||
labels:
|
||||
created-by: kyverno
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: Group
|
||||
name: {{ .Values.cluster_config.external_kubectl_access.admin_group }}
|
||||
{{- end }}
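Review bot: The only exclusion is the `component: sys` label, so with `generateExistingOnPolicyUpdate: true` this policy also generates a RoleBinding to `cluster-admin` for the customer group in every pre-existing namespace that lacks the label — `default`, `kube-system`, `kube-public`, `kube-node-lease` and any component namespace not created through an Argo `managedNamespaceMetadata` block — unless the Kyverno `resourceFilters` config (not on this page) filters those Namespace objects; that would hand the group full control of kube-system workloads and Secrets. Add a name-based exclusion alongside the label one (the cnpg policy above already uses `names:` with a wildcard), or switch to an opt-in label on customer namespaces; a fence follows. The description also states `Customers should not have full admin permissions on their own namespaces` while the rule grants exactly that; presumably `should now have` was meant, so fix the wording to match what the policy does.
```yaml
      exclude:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  component: sys
          - resources:
              kinds:
                - Namespace
              names:
                - default
                - "kube-*"
      # … unchanged: generate block …
```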
|
||||
+32
@@ -0,0 +1,32 @@
|
||||
{{- if and (.Values.kyverno.enabled) (.Values.prometheus.enabled) }}
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: prometheus-stack-default-dashboard-folder
|
||||
namespace: prometheus
|
||||
spec:
|
||||
admission: true
|
||||
background: true
|
||||
mutateExistingOnPolicyUpdate: true
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/part-of: kube-prometheus-stack
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
annotations:
|
||||
grafana_folder: Prometheus-stack
|
||||
targets:
|
||||
- apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: "{{`{{ request.object.metadata.name }}`}}"
|
||||
name: generate-dashboard-folder-annotation
|
||||
skipBackgroundRequests: true
|
||||
validationFailureAction: Audit
|
||||
{{- end }}
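Review bot: `validationFailureAction: Audit` has no effect on this policy, as far as the Kyverno spec goes, because its only rule mutates and nothing validates; drop it, or add a comment so the next reader does not assume the policy also audits something. The rule's `name: generate-dashboard-folder-annotation` is placed after the `mutate:` block, which is valid but unlike every other rule in this commit where `name` leads the list item; moving it to the top makes the rule easier to find.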
|
||||
@@ -0,0 +1,31 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: sync-gitlab-secret
|
||||
annotations:
|
||||
policies.kyverno.io/title: Sync Secrets
|
||||
policies.kyverno.io/category: Sample
|
||||
policies.kyverno.io/subject: Secret
|
||||
policies.kyverno.io/description: >-
|
||||
Secrets like registry credentials often need to exist in multiple
|
||||
Namespaces so Pods there have access. Manually duplicating those Secrets
|
||||
is time consuming and error prone. This policy will copy a
|
||||
Secret called `regcred` which exists in the `default` Namespace to
|
||||
new Namespaces when they are created. It will also push updates to
|
||||
the copied Secrets should the source Secret be changed.
|
||||
spec:
|
||||
rules:
|
||||
- name: sync-image-pull-secret
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
generate:
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
name: regcred
|
||||
namespace: "{{`{{request.object.metadata.name}}`}}"
|
||||
synchronize: true
|
||||
clone:
|
||||
namespace: default
|
||||
name: gitlab-pull-secret
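Review bot: This policy and the `sync-regcred-secret` policy in the next file both generate a Secret named `regcred` in every new Namespace with `synchronize: true`, but from different sources (`default/gitlab-pull-secret` here, `default/regcred` there), so the two generate rules will keep overwriting each other's target. Either drop one of them or give this one a distinct target, e.g. `name: gitlab-pull-secret` under `generate:`, and fix the description, which still talks about copying `regcred` from `default`. There is also no `exclude`, so the registry credential is cloned into every namespace including `kube-system` and any namespace a tenant creates, and unlike its sibling this file is not gated by `{{- if .Values.kyverno.enabled }}`; add the guard and an exclude on the `component: sys` label that the rolebinding policy already uses.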
|
||||
@@ -0,0 +1,33 @@
|
||||
{{- if .Values.kyverno.enabled }}
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: sync-regcred-secret
|
||||
annotations:
|
||||
policies.kyverno.io/title: Sync Secrets
|
||||
policies.kyverno.io/category: Sample
|
||||
policies.kyverno.io/subject: Secret
|
||||
policies.kyverno.io/description: >-
|
||||
Secrets like registry credentials often need to exist in multiple
|
||||
Namespaces so Pods there have access. Manually duplicating those Secrets
|
||||
is time consuming and error prone. This policy will copy a
|
||||
Secret called `regcred` which exists in the `default` Namespace to
|
||||
new Namespaces when they are created. It will also push updates to
|
||||
the copied Secrets should the source Secret be changed.
|
||||
spec:
|
||||
rules:
|
||||
- name: sync-image-pull-secret
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
generate:
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
name: regcred
|
||||
namespace: "{{`{{request.object.metadata.name}}`}}"
|
||||
synchronize: true
|
||||
clone:
|
||||
namespace: default
|
||||
name: regcred
|
||||
{{- end }}
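Review bot: The match on every `Namespace` with no `exclude` copies `default/regcred` into all namespaces, including system ones and any namespace the external admin group creates, and `synchronize: true` keeps it there — anyone with `get secrets` in any namespace obtains the registry credential. If only workload namespaces need it, add an `exclude` on namespaces labelled `component: sys` (mirroring the `generate-rolebinding` policy) or a `names:` list as the `sync-nutanix-s3-credentials` policy does. Note also that it collides with `sync-gitlab-secret`, which generates a Secret of the same name `regcred` from a different source.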
|
||||
@@ -0,0 +1,33 @@
|
||||
{{- if .Values.kyverno.enabled }}
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
policies.kyverno.io/description: 'This policy will sync the nutanix-s3 secret in kube-system namespace across namespaces'
|
||||
policies.kyverno.io/subject: Secret
|
||||
policies.kyverno.io/title: Sync s3 Secrets
|
||||
name: sync-nutanix-s3-credentials
|
||||
spec:
|
||||
generateExistingOnPolicyUpdate: true
|
||||
background: true
|
||||
rules:
|
||||
- generate:
|
||||
apiVersion: v1
|
||||
clone:
|
||||
name: nutanix-s3
|
||||
namespace: kube-system
|
||||
kind: Secret
|
||||
name: nutanix-s3
|
||||
namespace: '{{`{{request.object.metadata.name}}`}}'
|
||||
synchronize: true
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Namespace
|
||||
names:
|
||||
- "velero"
|
||||
- "loki"
|
||||
- "tempo"
|
||||
name: sync-s3-secret
|
||||
validationFailureAction: audit
|
||||
{{- end }}
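Review bot: `validationFailureAction: audit` does nothing for a policy that only has a generate rule and should be removed to avoid suggesting there is a validation step. The rule copies one shared `nutanix-s3` credential into `velero`, `loki` and `tempo`; if the object store supports it, per-consumer credentials scoped to each bucket would contain a compromise of any one of those namespaces — worth a comment above `spec:` stating that this is a deliberate single shared key. The source `kube-system/nutanix-s3` is assumed to exist; a comment saying what creates it would help.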
|
||||
@@ -0,0 +1,73 @@
|
||||
{{- if .Values.kyverno.enabled }}
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: whitelist-internal-ingresses
|
||||
annotations:
|
||||
policies.kyverno.io/title: Concatenate Ingresss
|
||||
policies.kyverno.io/category: Other
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Ingress
|
||||
policies.kyverno.io/description: >-
|
||||
Ingresses with the label "internal=true" should be whitelisted.
|
||||
If no whitelist exists, add the default values, otherwise append
|
||||
whitelist to the already existing ones
|
||||
spec:
|
||||
mutateExistingOnPolicyUpdate: false
|
||||
#precondition: has whitelist annotation or
|
||||
rules:
|
||||
- name: ensure-nginx-whitelist-exists
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Ingress
|
||||
selector:
|
||||
matchLabels:
|
||||
internal: "true"
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
annotations:
|
||||
+(nginx.ingress.kubernetes.io/whitelist-source-range): ""
|
||||
- name: append-existing-whitelist
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Ingress
|
||||
selector:
|
||||
matchLabels:
|
||||
internal: "true"
|
||||
preconditions:
|
||||
any:
|
||||
- key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
|
||||
operator: NotEquals
|
||||
value: ""
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
annotations:
|
||||
{{- with .Values.cluster_config.ingress_whitelist_ips }}
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: "{{`{{ @ }}`}},{{ join "," . }}"
|
||||
{{- end }}
|
||||
- name: add-nginx-whitelist
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Ingress
|
||||
selector:
|
||||
matchLabels:
|
||||
internal: "true"
|
||||
preconditions:
|
||||
any:
|
||||
- key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
|
||||
operator: Equals
|
||||
value: ""
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
annotations:
|
||||
{{- with .Values.cluster_config.ingress_whitelist_ips }}
|
||||
nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," . }}"
|
||||
{{- end }}
|
||||
{{- end }}
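Review bot: The `append-existing-whitelist` rule keeps whatever `whitelist-source-range` the Ingress author already set and only appends the cluster ranges, so an Ingress labelled `internal: "true"` that carries `0.0.0.0/0` stays publicly reachable; the mutate rules also run on every UPDATE admission, so the rendered `{{ join "," . }}` list is appended again each time the object is edited and the annotation grows without bound. If the intent is that internal Ingresses are reachable only from `cluster_config.ingress_whitelist_ips`, replace the append rule with a `validate` rule that denies any value outside that list and keep `add-nginx-whitelist` for the absent/empty case. Whether the `NotEquals ""` precondition fires when the annotation key is missing (the JMESPath yields null) is not clear from here — confirm against the Kyverno version in use. The `{{- with .Values.cluster_config.ingress_whitelist_ips }}` guards also leave `annotations:` empty when the list is unset, which renders an invalid mutate rule instead of skipping it; move the `with` to wrap the whole policy.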
|
||||
|
||||
@@ -0,0 +1,225 @@
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: letsencrypt-production
|
||||
spec:
|
||||
acme:
|
||||
# The ACME server URL
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
# Email address used for ACME registration
|
||||
email: {{ .Values.cluster_config.acme_email }}
|
||||
# Name of a secret used to store the ACME account private key
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-production
|
||||
solvers:
|
||||
- http01:
|
||||
ingress:
|
||||
class: nginx
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: letsencrypt-staging
|
||||
spec:
|
||||
acme:
|
||||
# The ACME server URL
|
||||
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
# Email address used for ACME registration
|
||||
email: {{ .Values.cluster_config.acme_email }}
|
||||
# Name of a secret used to store the ACME account private key
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-staging
|
||||
solvers:
|
||||
- http01:
|
||||
ingress:
|
||||
class: nginx
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: ca-issuer
|
||||
spec:
|
||||
ca:
|
||||
secretName: cluster-ca
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
|
||||
name: selfsigning-issuer
|
||||
spec:
|
||||
selfSigned: {}
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: front-proxy-client
|
||||
subjects:
|
||||
- kind: User
|
||||
name: front-proxy-client
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: front-proxy-client
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: front-proxy-client
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "webhook.cert-manager.io"
|
||||
resources:
|
||||
- mutations
|
||||
- validations
|
||||
verbs: [ "*" ]
|
||||
- apiGroups:
|
||||
- metrics.k8s.io
|
||||
resources:
|
||||
- pods
|
||||
- nodes
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
|
||||
{{ if .Values.cluster_config.initca }}
|
||||
|
||||
# Pod to update certificates from master nodes
|
||||
# only runs on control plane nodes (etcd)
|
||||
# Mounts cert files rotatet by nixos service.mgr and uses it to update cert-manager secret
|
||||
# Always create certs on initial creation,
|
||||
# Otherwise, cert creation would not happen until cronJob runs
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: cert-create
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
backoffLimit: 1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
block-egress: "true"
|
||||
annotations:
|
||||
linkerd.io/inject: disabled
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
serviceAccountName: cert-secret-updater
|
||||
securityContext:
|
||||
runAsUser: 12000
|
||||
runAsGroup: 13000
|
||||
fsGroup: 10000
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: node-role.kubernetes.io
|
||||
operator: In
|
||||
values:
|
||||
- control-plane
|
||||
tolerations:
|
||||
- key: unschedulable
|
||||
value: "true"
|
||||
effect: NoSchedule
|
||||
containers:
|
||||
- image: bitnami/kubectl:1.24
|
||||
name: kubectl
|
||||
resources: {}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
command:
|
||||
- "/bin/sh"
|
||||
- -c
|
||||
- /tmp/renew-certs/renew-certs.sh
|
||||
volumeMounts:
|
||||
- name: ca-pem
|
||||
mountPath: /tmp/ca.pem
|
||||
- name: ca-key-pem
|
||||
mountPath: /tmp/ca-key.pem
|
||||
- name: certs-script
|
||||
mountPath: /tmp/renew-certs
|
||||
volumes:
|
||||
- name: ca-pem
|
||||
hostPath:
|
||||
path: {{.Values.cluster_config.initca}}/ca.pem
|
||||
type: File
|
||||
- name: ca-key-pem
|
||||
hostPath:
|
||||
path: {{.Values.cluster_config.initca}}/ca-key.pem
|
||||
type: File
|
||||
- name: certs-script
|
||||
configMap:
|
||||
name: renew-certs-script
|
||||
defaultMode: 0755
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
renew-certs.sh: |
|
||||
#! /bin/bash
|
||||
kubectl create secret tls -n cert-manager cluster-ca --cert=/tmp/ca.pem --key=/tmp/ca-key.pem --dry-run=client -o yaml > /tmp/new-secret.yaml
|
||||
kubectl apply -f /tmp/new-secret.yaml
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: renew-certs-script
|
||||
namespace: cert-manager
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: cert-secret-updater
|
||||
namespace: cert-manager
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: cert-secret-updater-role
|
||||
namespace: cert-manager
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resourceNames:
|
||||
- cluster-ca
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- '*'
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: cert-secret-updater-rbinding
|
||||
namespace: cert-manager
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: cert-secret-updater-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cert-secret-updater
|
||||
namespace: cert-manager
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: default-deny-egress
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
block-egress: "true"
|
||||
policyTypes:
|
||||
- Egress
|
||||
---
|
||||
{{ end }}
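Review bot: The `cert-secret-updater-role` Role scopes `secrets` by `resourceNames: [cluster-ca]`, but RBAC does not apply `resourceNames` to `create`, so the `kubectl apply` in `renew-certs.sh` is forbidden the first time the Secret does not yet exist — the "initial creation" case the header comment says this Job is for; add a second rule granting `create` on `secrets` without `resourceNames` and narrow the named rule to `get`, `update`, `patch`. The script also leaves the CA private key in `/tmp/new-secret.yaml` inside the container; pipe it instead: `kubectl create secret tls -n cert-manager cluster-ca --cert=/tmp/ca.pem --key=/tmp/ca-key.pem --dry-run=client -o yaml | kubectl apply -f -`, preceded by `set -euo pipefail` so a failed create cannot be followed by applying stale output. The `default-deny-egress` NetworkPolicy selects this very Pod with no egress rules, which on a CNI that enforces NetworkPolicy also blocks its calls to the API server — presumably not intended; allow egress to the API server endpoint or drop the label. Finally, the nodeAffinity key `node-role.kubernetes.io` with value `control-plane` is not the `node-role.kubernetes.io/control-plane` label that the Cilium policy in this same commit uses; verify which one the distro actually sets.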
|
||||
@@ -0,0 +1,23 @@
|
||||
{{if and (.Values.cilium.enabled) (.Values.cilium.loadbalancerPool.enabled )}}
|
||||
apiVersion: "cilium.io/v2alpha1"
|
||||
kind: CiliumLoadBalancerIPPool
|
||||
metadata:
|
||||
name: "loadbalancer"
|
||||
spec:
|
||||
blocks:
|
||||
{{- range .Values.cilium.loadbalancerPool.cidr}}
|
||||
- cidr: {{ . }}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: "cilium.io/v2alpha1"
|
||||
kind: CiliumL2AnnouncementPolicy
|
||||
metadata:
|
||||
name: policy
|
||||
spec:
|
||||
nodeSelector:
|
||||
matchExpressions:
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: DoesNotExist
|
||||
externalIPs: true
|
||||
loadBalancerIPs: true
|
||||
{{- end}}
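Review bot: `externalIPs: true` on the `CiliumL2AnnouncementPolicy` makes the L2 announcer advertise any address a Service author writes into `spec.externalIPs`, so a tenant with Service create rights can claim arbitrary IPs on the node network; unless something here depends on it, set `externalIPs: false` and rely on `loadBalancerIPs: true` with the `CiliumLoadBalancerIPPool`, which is the allocation path the operator controls. The policy has no `serviceSelector`, so every LoadBalancer Service is announced; scope it if only the ingress controller should be reachable this way. The `blocks` entries are rendered unquoted — `- cidr: {{ . | quote }}` is safer.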
|
||||
@@ -0,0 +1,47 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: cluster-admin
|
||||
namespace: kube-system
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cluster-admin
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
namespace: kube-system
|
||||
name: cluster-admin
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: Group
|
||||
name: 'system:masters'
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: system-default
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
namespace: kube-system
|
||||
name: default
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kubernetes
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: User
|
||||
name: kubernetes
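Review bot: The `system-default` ClusterRoleBinding grants `cluster-admin` to the `default` ServiceAccount in `kube-system`, the SA every Pod in that namespace gets unless it names another one, so any add-on or debug Pod scheduled there (and anyone who can create Pods there) silently becomes cluster-admin; drop this binding and give each workload its own SA with a scoped Role. The `system:masters` subject in the `cluster-admin` binding is redundant because that group already bypasses RBAC in the apiserver. The `cluster-admin` ServiceAccount and the `User: kubernetes` binding are unconditional superuser identities; if they exist for bootstrap, gate them on a values flag like the `external_kubectl_access` bindings and add a comment saying who holds the `kubernetes` client certificate.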
|
||||
@@ -0,0 +1,42 @@
|
||||
# Create the clusterrole and clusterrolebinding:
|
||||
# $ kubectl create -f kube-flannel-rbac.yml
|
||||
# Create the pod using the same namespace used by the flannel serviceaccount:
|
||||
# $ kubectl create --namespace kube-system -f kube-flannel-legacy.yml
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: flannel-client
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pods
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes/status
|
||||
verbs:
|
||||
- patch
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: flannel-client
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: flannel-client
|
||||
subjects:
|
||||
- kind: User
|
||||
name: flannel-client
|
||||
apiGroup: rbac.authorization.k8s.io
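Review bot: The leading comments refer to `kube-flannel-rbac.yml` and `kube-flannel-legacy.yml`, which are not this file and describe a manual `kubectl create` flow that ArgoCD replaces; replace them with a one-liner such as `# Minimal RBAC for a flannel client authenticating as the "flannel-client" user (client certificate CN).` The rules themselves are appropriately narrow.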
|
||||
@@ -0,0 +1,51 @@
|
||||
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: kube-proxy
|
||||
subjects:
|
||||
- kind: User
|
||||
name: kube-proxy
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
- kind: ServiceAccount
|
||||
name: kube-proxy
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kube-proxy
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kube-proxy
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- endpoints
|
||||
- events
|
||||
- services
|
||||
- nodes
|
||||
verbs: ["get", "watch", "list"]
|
||||
- nonResourceURLs: ["*"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
|
||||
- apiGroups:
|
||||
- ""
|
||||
- "events.k8s.io"
|
||||
resources:
|
||||
- events
|
||||
verbs: ["*"]
|
||||
|
||||
- nonResourceURLs: ["*"]
|
||||
verbs: ["*"]
|
||||
- apiGroups:
|
||||
- discovery.k8s.io
|
||||
resources:
|
||||
- endpointslices
|
||||
verbs:
|
||||
- list
|
||||
- watch
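Review bot: The `kube-proxy` ClusterRole grants `verbs: ["*"]` on `nonResourceURLs: ["*"]` and `*` on `events`, which is far beyond what kube-proxy needs and duplicates the narrower `nonResourceURLs` rule a few lines above; Kubernetes ships `system:node-proxier` for exactly this subject, so bind that instead — `roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: system:node-proxier}` — and delete the custom role. The leading comment (`allows anyone in the "manager" group to read secrets`) is copied from the RBAC documentation and describes nothing in this file; replace it with `# Binds the kube-proxy user and ServiceAccount to the kube-proxy ClusterRole.`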
|
||||
|
||||
|
||||
@@ -0,0 +1,96 @@
|
||||
{{ if .Values.cluster_config.nodes }}
|
||||
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: label-and-taint-nodes
|
||||
namespace: kube-system
|
||||
spec:
|
||||
backoffLimit: 1
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/inject: disable
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
serviceAccountName: label-and-taint-nodes
|
||||
securityContext:
|
||||
runAsUser: 12000
|
||||
runAsGroup: 13000
|
||||
fsGroup: 10000
|
||||
affinity:
|
||||
tolerations:
|
||||
- key: unschedulable
|
||||
value: "true"
|
||||
effect: NoSchedule
|
||||
containers:
|
||||
- image: bitnami/kubectl:1.24
|
||||
name: kubectl
|
||||
resources: {}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
command:
|
||||
- "/bin/sh"
|
||||
- -c
|
||||
- /tmp/scripts/script.sh
|
||||
volumeMounts:
|
||||
- name: scripts
|
||||
mountPath: /tmp/scripts
|
||||
volumes:
|
||||
- name: scripts
|
||||
configMap:
|
||||
name: label-and-taint-scripts
|
||||
defaultMode: 0755
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
script.sh: |
|
||||
#! /bin/bash
|
||||
{{- range $node := .Values.cluster_config.nodes }}
|
||||
{{- range .labels }}
|
||||
kubectl label nodes --overwrite=true {{ $node.name }} {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- range .taints }}
|
||||
kubectl taint nodes --overwrite=true {{ $node.name }} {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: label-and-taint-scripts
|
||||
namespace: kube-system
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: label-and-taint-nodes
|
||||
namespace: kube-system
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: label-and-taint-nodes
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- update
|
||||
- patch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: label-and-taint-nodes
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: label-and-taint-nodes
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: label-and-taint-nodes
|
||||
namespace: kube-system
|
||||
{{ end }}
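Review bot: The pod annotation `linkerd.io/inject: disable` is not the value the other Jobs in this commit use (`disabled`), and if Linkerd does not recognise it the namespace setting wins and this kubectl Pod may get a proxy injected, leaving the Job unable to complete; change it to `linkerd.io/inject: disabled`. The generated `script.sh` runs each `kubectl label`/`kubectl taint` without `set -euo pipefail`, so a failure on one node is masked by later successes and the Job reports success; add it directly after the shebang. `affinity:` is left as an empty (null) key above `tolerations:`; fill it or delete the line.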
|
||||
@@ -0,0 +1,128 @@
|
||||
{{- if and (.Values.gitlab_runner.enabled) (.Values.gitlab_runner.createCertSecret) }}
|
||||
# Pod to update certificates from master nodes
|
||||
# only runs on control plane nodes (etcd)
|
||||
# Mounts cert files rotatet by nixos service.mgr and uses it to update gitlab secret
|
||||
# Always create certs on initial creation,
|
||||
# Otherwise, cert creation would not happen until cronJob runs
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: cert-create
|
||||
namespace: gitlab
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
block-egress: "true"
|
||||
annotations:
|
||||
linkerd.io/inject: disabled
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
serviceAccountName: cert-secret-updater
|
||||
securityContext:
|
||||
runAsUser: 12000
|
||||
runAsGroup: 13000
|
||||
fsGroup: 10000
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: node-role.kubernetes.io
|
||||
operator: In
|
||||
values:
|
||||
- control-plane
|
||||
tolerations:
|
||||
- key: unschedulable
|
||||
value: "true"
|
||||
effect: NoSchedule
|
||||
containers:
|
||||
- image: bitnami/kubectl:1.24
|
||||
name: kubectl
|
||||
resources: {}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
command:
|
||||
- "/bin/sh"
|
||||
- -c
|
||||
- /tmp/renew-certs/renew-certs.sh
|
||||
volumeMounts:
|
||||
- name: ca-pem
|
||||
mountPath: /tmp/ca.pem
|
||||
- name: ca-key-pem
|
||||
mountPath: /tmp/ca-key.pem
|
||||
- name: certs-script
|
||||
mountPath: /tmp/renew-certs
|
||||
volumes:
|
||||
- name: ca-pem
|
||||
hostPath:
|
||||
path: {{.Values.cluster_config.initca}}/ca.pem
|
||||
type: File
|
||||
- name: ca-key-pem
|
||||
hostPath:
|
||||
path: {{.Values.cluster_config.initca}}/ca-key.pem
|
||||
type: File
|
||||
- name: certs-script
|
||||
configMap:
|
||||
name: renew-certs-script
|
||||
defaultMode: 0755
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
renew-certs.sh: |
|
||||
#! /bin/bash
|
||||
kubectl create secret tls -n gitlab itp-cluster-ca --cert=/tmp/ca.pem --key=/tmp/ca-key.pem --dry-run=client -o yaml > /tmp/new-secret.yaml
|
||||
kubectl apply -f /tmp/new-secret.yaml
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: renew-certs-script
|
||||
namespace: gitlab
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: cert-secret-updater
|
||||
namespace: gitlab
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: cert-secret-updater-role
|
||||
namespace: gitlab
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resourceNames:
|
||||
- itp-cluster-ca
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- '*'
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: cert-secret-updater-rbinding
|
||||
namespace: gitlab
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: cert-secret-updater-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cert-secret-updater
|
||||
namespace: gitlab
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: default-deny-egress
|
||||
namespace: gitlab
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
block-egress: "true"
|
||||
policyTypes:
|
||||
- Egress
|
||||
---
|
||||
{{- end }}
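Review bot: The cluster CA private key (`ca-key.pem`) ends up in the `gitlab` namespace as the `itp-cluster-ca` TLS Secret, where anything able to read Secrets there can mint certificates trusted by the whole cluster; if the GitLab runner only needs to trust the CA, build the Secret from the certificate alone — `kubectl create secret generic itp-cluster-ca --from-file=ca.crt=/tmp/ca.pem` — and drop the `ca-key-pem` hostPath mount. The same `resourceNames` limitation as the cert-manager copy applies: RBAC does not scope `create` by name, so the first run is forbidden unless the Secret already exists. Unlike the cert-manager variant this Job sets no `backoffLimit`, so a failing Pod is retried with the key mounted each time. The script should also pipe `--dry-run=client -o yaml` straight into `kubectl apply -f -` rather than leaving key material in `/tmp/new-secret.yaml`.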
|
||||
@@ -0,0 +1,206 @@
|
||||
{{ if .Values.linkerd.enabled }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
labels:
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
linkerd.io/is-control-plane: 'true'
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
annotations:
|
||||
linkerd.io/inject: disabled
|
||||
argocd.argoproj.io/sync-wave: "-1"
|
||||
name: linkerd
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: linkerd-trust-anchor
|
||||
namespace: linkerd
|
||||
spec:
|
||||
ca:
|
||||
secretName: linkerd-trust-anchor
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: linkerd-identity-issuer
|
||||
namespace: linkerd
|
||||
spec:
|
||||
revisionHistoryLimit: 5
|
||||
secretName: linkerd-identity-issuer
|
||||
duration: 48h0m0s
|
||||
renewBefore: 25h0m0s
|
||||
issuerRef:
|
||||
name: linkerd-trust-anchor
|
||||
kind: Issuer
|
||||
dnsNames:
|
||||
- identity.linkerd.cluster.local
|
||||
isCA: true
|
||||
privateKey:
|
||||
algorithm: ECDSA
|
||||
usages:
|
||||
- cert sign
|
||||
- crl sign
|
||||
- server auth
|
||||
- client auth
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: webhook-issuer
|
||||
namespace: linkerd
|
||||
spec:
|
||||
ca:
|
||||
secretName: webhook-issuer-tls
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: linkerd-policy-validator
|
||||
namespace: linkerd
|
||||
spec:
|
||||
revisionHistoryLimit: 5
|
||||
secretName: linkerd-policy-validator-k8s-tls
|
||||
duration: 24h0m0s
|
||||
renewBefore: 1h0m0s
|
||||
issuerRef:
|
||||
name: webhook-issuer
|
||||
kind: Issuer
|
||||
commonName: linkerd-policy-validator.linkerd.svc
|
||||
dnsNames:
|
||||
- linkerd-policy-validator.linkerd.svc
|
||||
privateKey:
|
||||
algorithm: ECDSA
|
||||
encoding: PKCS8
|
||||
usages:
|
||||
- server auth
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: linkerd-proxy-injector
|
||||
namespace: linkerd
|
||||
spec:
|
||||
revisionHistoryLimit: 5
|
||||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
duration: 24h0m0s
|
||||
renewBefore: 1h0m0s
|
||||
issuerRef:
|
||||
name: webhook-issuer
|
||||
kind: Issuer
|
||||
commonName: linkerd-proxy-injector.linkerd.svc
|
||||
dnsNames:
|
||||
- linkerd-proxy-injector.linkerd.svc
|
||||
privateKey:
|
||||
algorithm: ECDSA
|
||||
usages:
|
||||
- server auth
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: linkerd-sp-validator
|
||||
namespace: linkerd
|
||||
spec:
|
||||
revisionHistoryLimit: 5
|
||||
secretName: linkerd-sp-validator-k8s-tls
|
||||
duration: 24h0m0s
|
||||
renewBefore: 1h0m0s
|
||||
issuerRef:
|
||||
name: webhook-issuer
|
||||
kind: Issuer
|
||||
commonName: linkerd-sp-validator.linkerd.svc
|
||||
dnsNames:
|
||||
- linkerd-sp-validator.linkerd.svc
|
||||
privateKey:
|
||||
algorithm: ECDSA
|
||||
usages:
|
||||
- server auth
|
||||
---
|
||||
{{ if .Values.linkerd.viz.enabled }}
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: webhook-issuer
|
||||
namespace: linkerd-viz
|
||||
spec:
|
||||
ca:
|
||||
secretName: webhook-issuer-tls
|
||||
# ignore if not using the viz extension
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: tap
|
||||
namespace: linkerd-viz
|
||||
spec:
|
||||
revisionHistoryLimit: 5
|
||||
secretName: tap-k8s-tls
|
||||
duration: 24h0m0s
|
||||
renewBefore: 1h0m0s
|
||||
issuerRef:
|
||||
name: webhook-issuer
|
||||
kind: Issuer
|
||||
commonName: tap.linkerd-viz.svc
|
||||
dnsNames:
|
||||
- tap.linkerd-viz.svc
|
||||
isCA: false
|
||||
privateKey:
|
||||
algorithm: ECDSA
|
||||
usages:
|
||||
- server auth
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: linkerd-tap-injector
|
||||
namespace: linkerd-viz
|
||||
spec:
|
||||
revisionHistoryLimit: 5
|
||||
secretName: tap-injector-k8s-tls
|
||||
duration: 24h0m0s
|
||||
renewBefore: 1h0m0s
|
||||
issuerRef:
|
||||
name: webhook-issuer
|
||||
kind: Issuer
|
||||
commonName: tap-injector.linkerd-viz.svc
|
||||
dnsNames:
|
||||
- tap-injector.linkerd-viz.svc
|
||||
privateKey:
|
||||
algorithm: ECDSA
|
||||
usages:
|
||||
- server auth
|
||||
---
|
||||
{{ end }}
|
||||
{{ if .Values.linkerd.jaeger.enabled }}
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: webhook-issuer
|
||||
namespace: linkerd-jaeger
|
||||
spec:
|
||||
ca:
|
||||
secretName: webhook-issuer-tls
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: jaeger-injector
|
||||
namespace: linkerd-jaeger
|
||||
spec:
|
||||
revisionHistoryLimit: 5
|
||||
secretName: jaeger-injector-k8s-tls
|
||||
duration: 24h0m0s
|
||||
renewBefore: 1h0m0s
|
||||
issuerRef:
|
||||
name: webhook-issuer
|
||||
kind: Issuer
|
||||
commonName: jaeger-injector.linkerd-jaeger.svc
|
||||
dnsNames:
|
||||
- jaeger-injector.linkerd-jaeger.svc
|
||||
privateKey:
|
||||
algorithm: ECDSA
|
||||
usages:
|
||||
- server auth
|
||||
{{ end }}
|
||||
{{ end }}
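Review bot: In the `linkerd.viz.enabled` block the `webhook-issuer` Issuer and the `tap` Certificate are not separated by `---` (the `# ignore if not using the viz extension` comment sits where the separator belongs), so they render as one YAML document with duplicate `apiVersion`/`kind`/`metadata`/`spec` keys; most parsers keep the last mapping, which silently drops the Issuer and leaves `tap` and `linkerd-tap-injector` referencing an Issuer that was never created. Insert `---` before that comment. The viz and jaeger `webhook-issuer` Issuers and the `linkerd-trust-anchor` Issuer reference Secrets (`webhook-issuer-tls`, `linkerd-trust-anchor`) that nothing in this commit creates — presumably provisioned out of band; a comment naming the source would help.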
|
||||
@@ -0,0 +1,209 @@
|
||||
{{- if .Values.cluster_config.external_kubectl_access.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: external-access
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pods
|
||||
- serviceaccounts
|
||||
- namespaces
|
||||
- events
|
||||
- persistentvolumeclaims
|
||||
- persistentvolumes
|
||||
- bindings
|
||||
- componentstatuses
|
||||
- podtemplates
|
||||
- replicationcontrollers
|
||||
- resourcequotas
|
||||
- services
|
||||
- nodes
|
||||
- limitranges
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- namespaces
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- apiGroups:
|
||||
- apiregistration.k8s.io
|
||||
resources:
|
||||
- apiservices
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- apps
|
||||
resources:
|
||||
- controllerrevisions
|
||||
- statefulsets
|
||||
- replicasets
|
||||
- daemonsets
|
||||
- deployments
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- events.k8s.io
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- autoscaling
|
||||
resources:
|
||||
- horizontalpodautoscalers
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- batch
|
||||
resources:
|
||||
- jobs
|
||||
- cronjobs
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- certificates.k8s.io
|
||||
resources:
|
||||
- certificatesigningrequests
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
- ingressclasses
|
||||
- networkpolicies
|
||||
- ingresses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- policy
|
||||
resources:
|
||||
- poddisruptionbudgets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- rbac.authorization.k8s.io
|
||||
resources:
|
||||
- roles
|
||||
- clusterroles
|
||||
- clusterrolebindings
|
||||
- rolebindings
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- storage.k8s.io
|
||||
resources:
|
||||
- csinodes
|
||||
- storageclasses
|
||||
- csistoragecapacities
|
||||
- volumeattachments
|
||||
- csidrivers
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- admissionregistration.k8s.io
|
||||
resources:
|
||||
- mutatingwebhookconfigurations
|
||||
- validatingwebhookconfigurations
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- apiextensions.k8s.io
|
||||
resources:
|
||||
- customresourcedefinitions
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- scheduling.k8s.io
|
||||
resources:
|
||||
- priorityclasses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- coordination.k8s.io
|
||||
resources:
|
||||
- leases
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- node.k8s.io
|
||||
resources:
|
||||
- runtimeclasses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- flowcontrol.apiserver.k8s.io
|
||||
resources:
|
||||
- flowschemas
|
||||
- prioritylevelconfigurations
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- talos.dev
|
||||
resources:
|
||||
- serviceaccounts
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- cilium.io
|
||||
resources:
|
||||
- ciliumexternalworkloads
|
||||
- ciliumnetworkpolicies
|
||||
- ciliumidentities
|
||||
- ciliumnodes
|
||||
- ciliumendpoints
|
||||
- ciliumclusterwidenetworkpolicies
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- metrics.k8s.io
|
||||
resources:
|
||||
- pods
|
||||
- nodes
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
{{- end }}
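Review bot: The second rule grants the external admin group `create` and `delete` on `namespaces` cluster-wide; `delete` cannot be meaningfully narrowed by `resourceNames` here, so members of `admin_group` can delete `kube-system`, `argocd` or any `component=sys` namespace, and the Kyverno rolebinding policy in this commit makes every namespace they create one where they hold `cluster-admin`. If self-service namespace creation is intended, keep `create` but drop `delete`, or back it with a Kyverno `validate` rule that denies DELETE on namespaces labelled `component: sys`. The remaining rules are a read-only cluster view and look reasonable.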
|
||||
@@ -0,0 +1,14 @@
|
||||
{{- if .Values.cluster_config.external_kubectl_access.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: external-access
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: external-access
|
||||
subjects:
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: Group
|
||||
name: {{ .Values.cluster_config.external_kubectl_access.admin_group }}
|
||||
{{- end }}
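Review bot: `name: {{ .Values.cluster_config.external_kubectl_access.admin_group }}` is rendered unquoted, so a group identifier that looks numeric or contains `:` (common for IdP group IDs) is mis-typed or breaks the YAML; render it as `name: {{ .Values.cluster_config.external_kubectl_access.admin_group | quote }}`. The same applies to the subject in the Kyverno `generate-rolebinding` policy.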
|
||||
@@ -0,0 +1,17 @@
|
||||
{{- if .Values.kyverno.enabled }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kyverno:generate-admin
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kyverno
|
||||
namespace: kyverno
|
||||
- kind: ServiceAccount
|
||||
name: kyverno-background-controller
|
||||
namespace: kyverno
|
||||
{{- end }}
|
||||
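Review bot: Binding `cluster-admin` to the `kyverno` and `kyverno-background-controller` service accounts gives both controllers unrestricted rights over every API group, far more than a generate rule needs, and it means whoever can create a Kyverno policy on this cluster effectively holds cluster-admin. The next section in this commit already defines a narrowly scoped `kyverno:generate-cilium-networkpolicies` role for the same two service accounts; with this binding present that scoped role is redundant and the least-privilege intent is lost. Prefer dropping this binding and adding per-resource ClusterRoles for whatever the generate rules must create (Kyverno's chart supports aggregating extra ClusterRoles into each controller via its `rbac.kyverno.io/aggregate-to-*` labels — confirm for the chart version pinned in values). If it must stay, gate it behind its own values flag and add a comment explaining which policy requires it.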
@@ -0,0 +1,29 @@
|
||||
{{- if and (.Values.kyverno.enabled) (.Values.cilium.enabled) }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno:generate-cilium-networkpolicies
|
||||
rules:
|
||||
- apiGroups:
|
||||
- cilium.io
|
||||
resources:
|
||||
- ciliumnetworkpolicies
|
||||
verbs:
|
||||
- "*"
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kyverno:generate-cilium-network-policies
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kyverno:generate-cilium-networkpolicies
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kyverno
|
||||
namespace: kyverno
|
||||
- kind: ServiceAccount
|
||||
name: kyverno-background-controller
|
||||
namespace: kyverno
|
||||
{{- end }}
|
||||
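Review bot: The ClusterRole is named `kyverno:generate-cilium-networkpolicies` while the ClusterRoleBinding is named `kyverno:generate-cilium-network-policies`; the `roleRef` matches the role correctly, but the two spellings will trip up anyone grepping for either, so pick one. `verbs: - "*"` on `ciliumnetworkpolicies` could also be narrowed to the verbs a generate rule actually exercises (create, update, delete, plus get/list/watch for reconciliation — verify against Kyverno's docs for the pinned version). Note that this role only has an effect once the `cluster-admin` binding for the same service accounts in the previous section is removed.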
@@ -0,0 +1,12 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: az-kubernetes-operators-cluster-admin
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: Group
|
||||
name: dd2aa2d6-269d-48fe-90cc-04fd5c08bd29
|
||||
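Review bot: This binding grants `cluster-admin` to the hard-coded group id `dd2aa2d6-269d-48fe-90cc-04fd5c08bd29` unconditionally — unlike the other bindings in this commit it has no `{{- if }}` guard and no values lookup, so every cluster rendered from this chart carries a cluster-admin binding for that group whether or not it federates with that identity provider. Move the id into values (the `cluster_config.external_access.groups` list added later in this commit already sketches a `group_id`/`name` shape) and gate it the way `external-access` is gated. Add a comment naming the identity provider and the group's purpose so the next reader can tell what `az-kubernetes-operators` refers to.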
@@ -0,0 +1,356 @@
|
||||
cluster_config:
|
||||
manifests: https://gitlab.com/oceanbox/manifests.git
|
||||
policies: policies/sys
|
||||
resources: resources/sys
|
||||
distro: "" #[nixos, talos]
|
||||
env: "" #[dev, test, staging, prod]
|
||||
initca: ""
|
||||
domain: "itpartner.no"
|
||||
apiserver: ""
|
||||
apiserverip: ""
|
||||
etcd_nodes: []
|
||||
k8s_nodes: []
|
||||
cluster: ""
|
||||
ingress_nodes: []
|
||||
ingress_replica_count: 3
|
||||
fileserver: ""
|
||||
acme_email: ""
|
||||
nodenames: []
|
||||
nodes: []
|
||||
ingress_clusterissuer: "letsencrypt-production"
|
||||
ingress_whitelist_ips:
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
||||
- 192.168.0.0/16
|
||||
- 172.19.255.0/24
|
||||
external_kubectl_access:
|
||||
enabled: false
|
||||
admin_group: ""
|
||||
external_access:
|
||||
enabled: false
|
||||
admin_group: ""
|
||||
groups: []
|
||||
#- group_id:
|
||||
# - "<group-id>"
|
||||
# name: <argocd project name>
|
||||
# namespaces:
|
||||
# - <namespaces access>
|
||||
oidc: []
|
||||
#- name: azure-oidc
|
||||
# provider: azuread
|
||||
# tenant: "https://login.microsoftonline.com/<tenant>/oauth2/v2.0"
|
||||
# secret_ref:
|
||||
# name: azure-oidc
|
||||
# group_id: "<group_id>"
|
||||
#- name: github-oidc
|
||||
# provider: github
|
||||
# secret_ref:
|
||||
# name: github-oidc
|
||||
# allowed_organizations: <org>
|
||||
# allowed_teams: <team-id>
|
||||
argocd:
|
||||
autosync: true
|
||||
version: 7.5.2
|
||||
ingress:
|
||||
enabled: true
|
||||
adminLogin: false
|
||||
anyNamespaces:
|
||||
enabled: false
|
||||
kustomizeHelmSupport: false
|
||||
applicationset_webhook:
|
||||
enabled: false
|
||||
additional_rbac_settings: []
|
||||
resources:
|
||||
controller:
|
||||
memory: ""
|
||||
repoServer:
|
||||
cmp:
|
||||
enabled: false
|
||||
name: ""
|
||||
image: ""
|
||||
imagePullSecret: []
|
||||
helmTokenSecret: ""
|
||||
argocd_apps:
|
||||
autosync: true
|
||||
version: 0.0.1
|
||||
argo_workflows:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 0.45.0
|
||||
metrics:
|
||||
enabled: false
|
||||
allowed_namespaces: []
|
||||
argo_rollouts:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 2.35.2
|
||||
metrics:
|
||||
enabled: false
|
||||
dashboard_enabled: false
|
||||
actions_runner_controller:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 0.23.7
|
||||
cilium:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 1.16.2
|
||||
spire:
|
||||
enabled: false
|
||||
policyAuditMode: false
|
||||
encryption:
|
||||
enabled: true
|
||||
type: ipsec
|
||||
endpointStatus:
|
||||
enabled: true
|
||||
kubeProxyReplacement: false
|
||||
k8sServiceHost: localhost
|
||||
k8sServicePort: 7445
|
||||
nodePort:
|
||||
enabled: false
|
||||
# NOTE: requires that ingressconroller is also enabled (bug)
|
||||
gatewayAPI:
|
||||
enabled: false
|
||||
ingressController:
|
||||
enabled: false
|
||||
defaultClass: false
|
||||
loadbalancerMode: shared
|
||||
l2announcement:
|
||||
enabled: false
|
||||
k8sClientRateLimit:
|
||||
qps: 10
|
||||
burst: 3
|
||||
loadbalancerPool:
|
||||
enabled: false
|
||||
cidr: []
|
||||
envoy:
|
||||
enabled: false
|
||||
hubble:
|
||||
ui: true
|
||||
upgradeCompatability: ""
|
||||
linkerd:
|
||||
enabled: true
|
||||
autosync: true
|
||||
version: 1.9.3
|
||||
trustAnchorPEM: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
-----END CERTIFICATE-----
|
||||
webhookPEM: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
-----END CERTIFICATE-----
|
||||
identyIssuerPEM: ""
|
||||
secretScheme: kubernetes.io/tls
|
||||
crds:
|
||||
version: 1.4.0
|
||||
multicluster:
|
||||
version: 30.2.0
|
||||
enabled: false
|
||||
viz:
|
||||
enabled: false
|
||||
jaeger:
|
||||
enabled: false
|
||||
thanos:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 8.3.0
|
||||
pagerdutyRoutingKey: ""
|
||||
prometheus:
|
||||
enabled: true
|
||||
autosync: true
|
||||
version: 62.7.0
|
||||
# Helm chart version, and app version is different. CRD version MUST be equals to chart's APP version
|
||||
crd_version: 14.0.0
|
||||
certRenewCronEnabled: true
|
||||
snitchUrl: ""
|
||||
oncallUrl: ""
|
||||
pagerdutyRoutingKey: ""
|
||||
fullname: ""
|
||||
# https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml#L47
|
||||
defaultRules: {}
|
||||
additionalScrapeConfigs: []
|
||||
additionalDataSources: []
|
||||
enableFeatures: []
|
||||
storage:
|
||||
size: 50Gi
|
||||
grafana:
|
||||
defaultDashboardsEnabled: true
|
||||
persistence: false
|
||||
disable_login_form: true
|
||||
plugins: []
|
||||
coredns:
|
||||
targetPort: ""
|
||||
etcd:
|
||||
targetPort: ""
|
||||
scheduler:
|
||||
targetPort: ""
|
||||
kubelet:
|
||||
enabled: false
|
||||
https: false
|
||||
thanos:
|
||||
enabled: false
|
||||
datasource:
|
||||
enabled: false
|
||||
nfs_provisioner:
|
||||
enabled: true
|
||||
autosync: true
|
||||
version: 4.0.13
|
||||
archiveOnDelete: true
|
||||
defaultClass: true
|
||||
extraMountOpts: []
|
||||
cert_manager:
|
||||
autosync: true
|
||||
version: 1.12.13
|
||||
kubernetes_dashboard:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: v2.3.1
|
||||
gitlab_runner:
|
||||
enabled: true
|
||||
autosync: true
|
||||
version: 0.39.0
|
||||
createCertSecret: true
|
||||
tag: "obx"
|
||||
s3:
|
||||
server: ""
|
||||
access_key: ""
|
||||
secret_key: ""
|
||||
postgres_operator:
|
||||
enabled: true
|
||||
autosync: true
|
||||
version: 0.18.2
|
||||
rabbitmq_operator:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 4.3.27
|
||||
metrics_server:
|
||||
autosync: true
|
||||
version: 3.8.2
|
||||
ignoreTLS: false
|
||||
nginx:
|
||||
enabled: true
|
||||
autosync: true
|
||||
version: 4.8.3
|
||||
pdb:
|
||||
minAvailable: 1
|
||||
resources:
|
||||
controller:
|
||||
cpu: "100m"
|
||||
memory: "100Mi"
|
||||
jaeger_operator:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 1.38.0
|
||||
kyverno:
|
||||
enabled: false
|
||||
autosync: true
|
||||
metrics: false
|
||||
version: 3.2.5
|
||||
resources:
|
||||
cleanupController:
|
||||
memory: "64Mi"
|
||||
reportsController:
|
||||
memory: "64Mi"
|
||||
backgroundController:
|
||||
memory: "64Mi"
|
||||
velero:
|
||||
enabled: true
|
||||
autosync: true
|
||||
version: 6.0.0
|
||||
kubeletRootDir: "/var/lib/kubernetes/pods"
|
||||
bucket: velero-backup
|
||||
bsl: default
|
||||
# Opt-in or opt-out pvc backup
|
||||
# https://velero.io/docs/main/file-system-backup/#to-back-up
|
||||
backupAllVolumes: true
|
||||
credentials:
|
||||
secretName: "s3-credentials"
|
||||
s3:
|
||||
region: us-east-1
|
||||
url: "https://nutanix-obj-s3.kube-system"
|
||||
insecureSkipTLSVerify: true
|
||||
resources:
|
||||
velero:
|
||||
request:
|
||||
cpu: 500m
|
||||
memory: 1Gi
|
||||
limit:
|
||||
memory: 2Gi
|
||||
nodeAgent:
|
||||
request:
|
||||
cpu: 500m
|
||||
memory: 1Gi
|
||||
limit:
|
||||
memory: 2Gi
|
||||
loki:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 6.12.0
|
||||
compactor: false
|
||||
s3:
|
||||
endpoint: ""
|
||||
region: ""
|
||||
insecure_skip_verify: false
|
||||
secret:
|
||||
name: ""
|
||||
access_key: ""
|
||||
access_secret: ""
|
||||
buckets:
|
||||
chunks: ""
|
||||
ruler: ""
|
||||
admin: ""
|
||||
tempo:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 1.14.0
|
||||
s3:
|
||||
endpoint: ""
|
||||
region: ""
|
||||
insecure_skip_verify: false
|
||||
secret:
|
||||
name: ""
|
||||
access_key: ""
|
||||
access_secret: ""
|
||||
bucketName: ""
|
||||
otel:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 0.107.0
|
||||
promtail:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 6.6.1
|
||||
x509_exporter:
|
||||
enabled: true
|
||||
autosync: true
|
||||
alerts: true
|
||||
version: 3.6.0
|
||||
mariadb_operator:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 0.30.0
|
||||
chartmuseum:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 3.10.2
|
||||
storage:
|
||||
size: 8Gi
|
||||
ingress:
|
||||
enabled: true
|
||||
downscaler:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 0.2.12
|
||||
extraConfig: |
|
||||
DEFAULT_UPTIME: "Mon-Fri 07:00-20:00 Europe/Berlin"
|
||||
excludedNamespaces:
|
||||
- py-kube-downscaler
|
||||
- kube-downscaler
|
||||
- kube-system
|
||||
clickhouse_operator:
|
||||
enabled: false
|
||||
autosync: true
|
||||
version: 0.24.4
|
||||
oncall:
|
||||
enabled: false
|
||||
externalGrafana:
|
||||
url: ""
|
||||
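Review bot: `velero.s3.insecureSkipTLSVerify: true` is the chart-wide default, so every cluster skips certificate verification on its backup object store unless a per-cluster values file opts back in; the default should be `false`, with the insecure setting enabled only where needed, and the in-cluster `velero.s3.url` suggests a trusted CA could be configured instead. The plaintext credential slots (`gitlab_runner.s3.access_key`/`secret_key`, `loki.s3.secret.access_key`/`access_secret`, `tempo.s3.secret.*`) invite committing secrets into per-cluster values files; a comment such as `# leave empty in git; supply via the referenced Secret or an external secret store` above each would make the intended handling explicit. Smaller points: the inline comments on `distro` and `env` need two spaces before `#` to satisfy yamllint, `ingressconroller` in the NOTE under `nodePort` is misspelled, and `identyIssuerPEM`/`upgradeCompatability` are misspelled keys that templates presumably read, so rename them together with their consumers rather than in this file alone.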
@@ -0,0 +1,14 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-applicationset-ingress
|
||||
namespace: argocd
|
||||
spec:
|
||||
description: Allow access from the ingress controller
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: applicationset-controller
|
||||
ingress:
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: ingress-nginx
|
||||
@@ -0,0 +1,13 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-argo-notifications
|
||||
namespace: argocd
|
||||
spec:
|
||||
description: Allow access to the ArgoCD Notifications
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: slack.com
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: notifications-controller
|
||||
@@ -0,0 +1,13 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-argo-repo-access-applicationset
|
||||
namespace: argocd
|
||||
spec:
|
||||
description: Allow access to the ArgoCD repo Applicationset
|
||||
egress:
|
||||
- toEntities:
|
||||
- world
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: applicationset-controller
|
||||
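Review bot: `toEntities: - world` on the applicationset-controller is the broadest possible egress, while sibling policies in this namespace scope egress by FQDN (`matchName: slack.com`, `matchName: ghcr.io`); the only external source visible in this commit is the manifests repository on `gitlab.com`, so a `toFQDNs` rule such as `- matchName: gitlab.com` would express the same need with a reviewable allow-list. The `allow-argo-repo-access` policy for `repo-server` in the next section has the same shape and should be tightened the same way, listing any additional git or Helm registry hosts explicitly. If arbitrary hosts really are required, a comment above `egress:` saying why `world` is intentional would stop the next reviewer re-raising this.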
@@ -0,0 +1,13 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-argo-repo-access
|
||||
namespace: argocd
|
||||
spec:
|
||||
description: Allow access to the ArgoCD repo server
|
||||
egress:
|
||||
- toEntities:
|
||||
- world
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: repo-server
|
||||
@@ -0,0 +1,14 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-chartmuseum-ingress
|
||||
namespace: argocd
|
||||
spec:
|
||||
description: Allow access to the chartmuseum ingress
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: chartmuseum
|
||||
ingress:
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: ingress-nginx
|
||||
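Review bot: This policy lives in `namespace: argocd` but selects `app.kubernetes.io/name: chartmuseum`, and chartmuseum is configured under its own top-level key in values with no namespace stated, so it is not obvious from this commit that the selector matches anything. A comment above `endpointSelector:` naming the namespace chartmuseum is deployed to (or moving the policy there) would make the pairing verifiable. The `ingress` rule also carries no `toPorts`, so the ingress controller is admitted on every port of the pod rather than just the HTTP port.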
@@ -0,0 +1,13 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-image-updater-repo-access
|
||||
namespace: argocd
|
||||
spec:
|
||||
description: Allow argoCD image updater to access github container registry
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: ghcr.io
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-image-updater
|
||||
@@ -0,0 +1,14 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-ingress
|
||||
namespace: argocd
|
||||
spec:
|
||||
description: Allow access from the ingress controller
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: server
|
||||
ingress:
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: ingress-nginx
|
||||
@@ -0,0 +1,16 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-kube-api
|
||||
namespace: argocd
|
||||
spec:
|
||||
description: Allow access to the Kube API server
|
||||
egress:
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "6443"
|
||||
protocol: TCP
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
@@ -0,0 +1,16 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-microsoft-sso
|
||||
namespace: argocd
|
||||
spec:
|
||||
description: Allow argoCD dex server to authenticate to microsoft online azure oatuh
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: login.microsoftonline.com
|
||||
- matchPattern: '*.microsoftonline.com'
|
||||
- matchName: github.com
|
||||
- matchName: api.github.com
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-dex-server
|
||||
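Review bot: The policy is named `allow-microsoft-sso` and its description speaks of Microsoft, but the rule also admits `github.com` and `api.github.com`; since values model both an Azure and a GitHub OIDC provider, either rename it to reflect that it covers every Dex identity provider or split it per provider so each can be enabled with its provider. The description also misspells "oauth" as `oatuh`. Adding a `toPorts` entry restricting the egress to TCP 443 would keep the FQDN allow-list from doubling as an any-port allow.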
@@ -0,0 +1,18 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-prometheus-metrics-rollout
|
||||
namespace: argocd
|
||||
spec:
|
||||
description: Allow access to the Prometheus metrics
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: argo-rollouts
|
||||
ingress:
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: prometheus
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "8090"
|
||||
protocol: TCP
|
||||
@@ -0,0 +1,18 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-prometheus-metrics-workflows
|
||||
namespace: argocd
|
||||
spec:
|
||||
description: Allow access to the Prometheus metrics
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: argo-workflows
|
||||
ingress:
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: prometheus
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "9090"
|
||||
protocol: TCP
|
||||
@@ -0,0 +1,30 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-prometheus-metrics
|
||||
namespace: argocd
|
||||
spec:
|
||||
description: Allow access to the Prometheus metrics
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: argocd
|
||||
ingress:
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: prometheus
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "8082"
|
||||
protocol: TCP
|
||||
- port: "8080"
|
||||
protocol: TCP
|
||||
- port: "9001"
|
||||
protocol: TCP
|
||||
- port: "9121"
|
||||
protocol: TCP
|
||||
- port: "8084"
|
||||
protocol: TCP
|
||||
- port: "8083"
|
||||
protocol: TCP
|
||||
- port: "5558"
|
||||
protocol: TCP
|
||||
@@ -0,0 +1,13 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-api-server-to-cert-manager
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
description: Allow the API server to communicate with the cert-manager pods
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- remote-node
|
||||
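Review bot: The description says this admits the API server, but `fromEntities: - remote-node` with no `toPorts` admits any node in the cluster on every port of every pod carrying the `cert-manager` instance label. The `kube-apiserver` entity is already used elsewhere in this commit (the `allow-remote-node-webhooks` policies use `fromEntities: - kube-apiserver`), and paired with a `toPorts` limited to the webhook's secure port it would express the stated intent. If `remote-node` is kept deliberately (for example because the API server is not identified as the kube-apiserver entity on this distro), a comment above `ingress:` saying so would help.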
@@ -0,0 +1,12 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-api-server
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
description: Allow the Kube API server to communicate with cert-manager
|
||||
egress:
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
@@ -0,0 +1,18 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-prometheus-metrics
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
description: Allow Prometheus metrics
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
ingress:
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: prometheus
|
||||
- toPorts:
|
||||
- ports:
|
||||
- port: "9402"
|
||||
protocol: TCP
|
||||
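Review bot: `- toPorts:` here is a second, separate ingress rule rather than part of the `fromEndpoints` rule above it (compare the argocd `allow-prometheus-metrics-rollout` policy, where `toPorts:` is indented under the `- fromEndpoints:` item). As written the first rule admits the prometheus namespace on every port and the second admits any source on TCP 9402, which is looser than the policy name promises. Drop the leading `-` and indent `toPorts:` to the same level as `fromEndpoints:`, moving its `ports` block with it. The `allow-remote-node-webhooks` policies for `cnpg` and `kube-downscaler` later in this commit have the same split around `kube-apiserver` and TCP 9443 and need the same fix.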
@@ -0,0 +1,12 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-world-traffic
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
description: Allow the world to communicate with cert-manager
|
||||
egress:
|
||||
- toEntities:
|
||||
- world
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
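Review bot: `endpointSelector: {}` combined with `toEntities: - world` lets every pod in `cert-manager` reach any external host, whereas the ACME flow only needs the issuer's directory endpoint (and a DNS provider's API if DNS-01 is used). Values pin `ingress_clusterissuer` to a Let's Encrypt issuer, so a `toFQDNs` rule for that CA's API hostname would be tighter and easier to audit, and a comment above `egress:` should record which CA and solver types the allow-list is meant to cover if `world` is kept.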
@@ -0,0 +1,15 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-api-server
|
||||
namespace: cilium-spire
|
||||
spec:
|
||||
egress:
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "6443"
|
||||
protocol: TCP
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-remote-node-to-server
|
||||
namespace: cilium-spire
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- remote-node
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "8081"
|
||||
protocol: TCP
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-api-server
|
||||
namespace: cilium-test
|
||||
spec:
|
||||
egress:
|
||||
- toEndpoints:
|
||||
- {}
|
||||
- toEntities:
|
||||
- cluster
|
||||
- toEntities:
|
||||
- remote-node
|
||||
- toEntities:
|
||||
- world
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- cluster
|
||||
- fromEntities:
|
||||
- world
|
||||
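Review bot: The policy is named `allow-api-server` but its rules admit everything — egress to all endpoints, the cluster, remote nodes and the world, and ingress from the cluster and the world — so the name misdescribes it. Rename it to something like `allow-all` (constructed example) and add a comment above `spec:` stating that `cilium-test` is the connectivity-test namespace and is intentionally unrestricted, so nobody copies this shape into a workload namespace.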
@@ -0,0 +1,13 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: allow-acme-solvers
|
||||
spec:
|
||||
description: Policy for ingress for Acme Solvers.
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
acme.cert-manager.io/http01-solver: "true"
|
||||
ingress:
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: ingress-nginx
|
||||
@@ -0,0 +1,12 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: allow-cnpg-backups
|
||||
spec:
|
||||
description: Policy for egress for CNPG Backups.
|
||||
egress:
|
||||
- toFQDNs:
|
||||
- matchName: s3.production.itpartner.no
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
cnpg.io/podRole: instance
|
||||
@@ -0,0 +1,24 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: allow-dns
|
||||
spec:
|
||||
description: 'description: Allow only dns traffic by default. Also acts as a deny-all policy'
|
||||
egress:
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: kube-system
|
||||
k8s-app: kube-dns
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "53"
|
||||
protocol: UDP
|
||||
- rules:
|
||||
dns:
|
||||
- matchPattern: '*'
|
||||
endpointSelector:
|
||||
matchExpressions:
|
||||
- key: io.kubernetes.pod.namespace
|
||||
operator: NotIn
|
||||
values:
|
||||
- kube-system
|
||||
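Review bot: The description value is `'description: Allow only dns traffic by default. Also acts as a deny-all policy'` — the key name leaked into the string; it should read `description: 'Allow only dns traffic by default. Also acts as a deny-all policy'`. The rule admits only UDP 53, but resolvers fall back to TCP 53 for truncated responses, so add a `- port: "53"` / `protocol: TCP` entry under the same `toPorts` item so the DNS proxy rules apply to both transports. Because this clusterwide policy selects every endpoint outside `kube-system`, default-deny is already in effect for those endpoints, which is worth stating in a comment given the separate `deny-all` policy later in this commit.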
@@ -0,0 +1,18 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: allow-mariadb-operator
|
||||
spec:
|
||||
description: allow mariadb instances to be reached by operator
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: mariadb
|
||||
ingress:
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
app.kubernetes.io/name: mariadb-operator
|
||||
io.kubernetes.pod.namespace: mariadb-operator
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "3306"
|
||||
protocol: TCP
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: cilium-health-checks
|
||||
spec:
|
||||
description: Health checks
|
||||
egress:
|
||||
- toEntities:
|
||||
- remote-node
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
reserved:health: ""
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- remote-node
|
||||
@@ -0,0 +1,9 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: deny-all
|
||||
spec:
|
||||
description: Deny all
|
||||
egress: []
|
||||
endpointSelector: {}
|
||||
ingress: []
|
||||
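Review bot: `egress: []` and `ingress: []` are empty lists, and it is not obvious from the manifest whether an empty list (as opposed to a list holding one empty rule, `- {}`, which Cilium's documentation uses for default deny) survives CRD serialisation and actually enables default-deny; confirm on a cluster rather than assuming. The `allow-dns` clusterwide policy already puts every endpoint outside `kube-system` into default-deny, so the additional effect of this policy appears to be pulling `kube-system` pods in as well, with no allow policy for them visible in this commit. A comment stating which namespaces this is expected to lock down, and a `matchExpressions` exclusion mirroring `allow-dns` if `kube-system` is not intended, would make the blast radius explicit.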
@@ -0,0 +1,16 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-api-server
|
||||
namespace: cnpg
|
||||
spec:
|
||||
egress:
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "6443"
|
||||
protocol: TCP
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: postgres-operator
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-remote-node-webhooks
|
||||
namespace: cnpg
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- kube-apiserver
|
||||
- toPorts:
|
||||
- ports:
|
||||
- port: "9443"
|
||||
protocol: TCP
|
||||
@@ -0,0 +1,16 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-api-server
|
||||
namespace: kube-downscaler
|
||||
spec:
|
||||
egress:
|
||||
- toEntities:
|
||||
- kube-apiserver
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "6443"
|
||||
protocol: TCP
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
application: downscaler-py-kube-downscaler
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: allow-remote-node-webhooks
|
||||
namespace: kube-downscaler
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels: {}
|
||||
ingress:
|
||||
- fromEntities:
|
||||
- kube-apiserver
|
||||
- toPorts:
|
||||
- ports:
|
||||
- port: "9443"
|
||||
protocol: TCP
|
||||