From 65d65ea1262f5a2842a3c2d3ec3fd80da3522dd6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Moritz=20J=C3=B6rg?= Date: Mon, 2 Jun 2025 12:32:14 +0200 Subject: [PATCH] chore: Cleanup old nix code and add helmfile experiments --- .envrc | 15 +- default.nix | 33 - flake.lock | 666 ------------------ flake.nix | 148 ---- generate.nix | 44 -- helmfile.d/atlantis.yaml.gotmpl | 20 - helmfile.d/kyverno.yaml.gotmpl | 46 ++ helmfile.d/nix/argo.gotmpl.nix | 92 +++ helmfile.d/nix/helmfile.gotmpl.nix | 94 +++ helmfile.d/postgres-operator.yaml.gotmpl | 45 ++ helmfile.d/prometheus.yaml.gotmpl | 42 ++ helmfile.d/velero.yaml.gotmpl | 42 ++ justfile | 25 +- nix/default.nix | 80 --- nix/sources.json | 47 -- npins/default.nix | 146 ++++ npins/sources.json | 37 + shell.nix | 43 +- statix.toml | 7 - .../{app.yaml => manifests/atlantis.yaml} | 0 .../kyverno/kustomize/base/kustomization.yaml | 4 + .../kustomize/default/kustomization.yaml | 4 + values/kyverno/manifests/kyverno.yaml | 39 + values/kyverno/values.yaml.gotmpl | 11 + values/kyverno/values/kyverno.yaml.gotmpl | 41 ++ .../kustomize/base/kustomization.yaml | 4 + .../kustomize/default/kustomization.yaml | 4 + .../manifests/postgres-operator.yaml | 34 + values/postgres-operator/values.yaml.gotmpl | 3 + values/prometheus/manifests/prometheus.yaml | 74 ++ values/prometheus/values-oceanbox.yaml.gotmpl | 15 + values/prometheus/values.yaml.gotmpl | 32 + .../prometheus/values/prometheus.yaml.gotmpl | 106 +++ .../velero/kustomize/base/kustomization.yaml | 4 + .../kustomize/default/kustomization.yaml | 4 + values/velero/manifests/velero.yaml | 34 + values/velero/values.yaml.gotmpl | 28 + values/velero/values/velero.yaml.gotmpl | 74 ++ 38 files changed, 1109 insertions(+), 1078 deletions(-) delete mode 100644 default.nix delete mode 100644 flake.lock delete mode 100644 flake.nix delete mode 100644 generate.nix create mode 100644 helmfile.d/kyverno.yaml.gotmpl create mode 100644 helmfile.d/nix/argo.gotmpl.nix create mode 100644 helmfile.d/nix/helmfile.gotmpl.nix create mode 100644 
helmfile.d/postgres-operator.yaml.gotmpl create mode 100644 helmfile.d/prometheus.yaml.gotmpl create mode 100644 helmfile.d/velero.yaml.gotmpl delete mode 100644 nix/default.nix delete mode 100644 nix/sources.json create mode 100644 npins/default.nix create mode 100644 npins/sources.json delete mode 100644 statix.toml rename values/atlantis/{app.yaml => manifests/atlantis.yaml} (100%) create mode 100644 values/kyverno/kustomize/base/kustomization.yaml create mode 100644 values/kyverno/kustomize/default/kustomization.yaml create mode 100644 values/kyverno/manifests/kyverno.yaml create mode 100644 values/kyverno/values.yaml.gotmpl create mode 100644 values/kyverno/values/kyverno.yaml.gotmpl create mode 100644 values/postgres-operator/kustomize/base/kustomization.yaml create mode 100644 values/postgres-operator/kustomize/default/kustomization.yaml create mode 100644 values/postgres-operator/manifests/postgres-operator.yaml create mode 100644 values/postgres-operator/values.yaml.gotmpl create mode 100644 values/prometheus/manifests/prometheus.yaml create mode 100644 values/prometheus/values-oceanbox.yaml.gotmpl create mode 100644 values/prometheus/values.yaml.gotmpl create mode 100644 values/prometheus/values/prometheus.yaml.gotmpl create mode 100644 values/velero/kustomize/base/kustomization.yaml create mode 100644 values/velero/kustomize/default/kustomization.yaml create mode 100644 values/velero/manifests/velero.yaml create mode 100644 values/velero/values.yaml.gotmpl create mode 100644 values/velero/values/velero.yaml.gotmpl diff --git a/.envrc b/.envrc index 1d953f4b..e72c864b 100644 --- a/.envrc +++ b/.envrc 
@@ -1 +1,14 @@
-use nix
+#!/usr/bin/env bash
+# the shebang is ignored, but nice for editors
+watch_file npins/sources.json
+
+# Load .env file if it exists
+dotenv_if_exists
+
+# Activate development shell
+if type -P lorri &>/dev/null; then
+ eval "$(lorri direnv)"
+else
+ echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
+ use nix
+fi
diff --git a/default.nix b/default.nix
deleted file mode 100644
index a40feab8..00000000
--- a/default.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-let
- sources = import ./nix;
- system = builtins.currentSystem;
- pkgs = import sources.nixpkgs {
- inherit system;
- config = { };
- overlays = [ ];
- };
- nixpkgs = sources.nixpkgs;
- nixhelm = sources.nixhelm;
- nixidy = import sources.nixidy { inherit nixpkgs; };
- kube = pkgs.callPackage "${sources.nix-kube-gen}/lib/default.nix" { inherit pkgs; };
-in
-nixidy.lib.mkEnvs {
- libOverlay = self: super: {
- apps = import ./modules/lib.nix { inherit pkgs kube; };
- };
- modules = [
- (
- { lib, ... }:
- {
- nixidy.charts = lib.helm.mkChartAttrs "${nixhelm}/charts";
- }
- )
- ./modules
- ./apps
- ./policies
- ];
- envs = {
- prod.modules = [ ./envs/prod.nix ];
- staging.modules = [ ./envs/staging.nix ];
- };
-}
diff --git a/flake.lock b/flake.lock
deleted file mode 100644
index 0dc2350e..00000000
--- a/flake.lock
+++ /dev/null
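Review bot: `dotenv_if_exists` on the new line 6 exports every variable found in a repo-root `.env` into the shell that later runs helmfile, including `CLUSTER_NAME`, which the helmfiles in this commit read through `requiredEnv` to pick values files, and nothing in the hunk says that file must stay untracked or credential-free. I would extend the comment to `# Load .env file if it exists (local overrides such as CLUSTER_NAME; keep it untracked, never store credentials in it)` and confirm that `.env` is listed in `.gitignore`, which is not visible here. The `eval "$(lorri direnv)"` line is the usual lorri integration and fine as written; direnv's `allow` step remains the trust boundary for this file.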
@@ -1,666 +0,0 @@ -{ - "nodes": { - "cargo2nix": { - "inputs": { - "flake-compat": "flake-compat_3", - "flake-utils": "flake-utils_5", - "nixpkgs": "nixpkgs_3", - "rust-overlay": "rust-overlay" - }, - "locked": { - "lastModified": 1699033427, - "narHash": "sha256-OVtd5IPbb4NvHibN+QvMrMxq7aZN5GFoINZSAXKjUdA=", - "owner": "cargo2nix", - "repo": "cargo2nix", - "rev": "c6f33051f412352f293e738cc8da6fd4c457080f", - "type": "github" - }, - "original": { - "owner": "cargo2nix", - "ref": "release-0.11.0", - "repo": "cargo2nix", - "type": "github" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_3": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", 
- "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "id": "flake-utils", - "type": "indirect" - } - }, - "flake-utils_3": { - "inputs": { - "systems": "systems_3" - }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_4": { - "inputs": { - "systems": "systems_5" - }, - "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_5": { - "inputs": { - "systems": "systems_7" - }, - "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "gitignore": { - "inputs": { - "nixpkgs": [ - "pre-commit-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", 
- "type": "github" - } - }, - "haumea": { - "inputs": { - "nixpkgs": [ - "nixhelm", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1685133229, - "narHash": "sha256-FePm/Gi9PBSNwiDFq3N+DWdfxFq0UKsVVTJS3cQPn94=", - "owner": "nix-community", - "repo": "haumea", - "rev": "34dd58385092a23018748b50f9b23de6266dffc2", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "v0.2.2", - "repo": "haumea", - "type": "github" - } - }, - "kubenix": { - "inputs": { - "flake-compat": "flake-compat", - "nixpkgs": [ - "nixidy", - "nixpkgs" - ], - "systems": "systems_6", - "treefmt": "treefmt" - }, - "locked": { - "lastModified": 1718110643, - "narHash": "sha256-KrEOCx/bpN++sySOEL5EO5AhYsqRZZk+CXacueUeSl4=", - "owner": "hall", - "repo": "kubenix", - "rev": "a04066c45526c6d8410ba998134f692ff991b4f3", - "type": "github" - }, - "original": { - "owner": "hall", - "repo": "kubenix", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "nixhelm", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1703863825, - "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix-kube-generators": { - "locked": { - "lastModified": 1708155396, - "narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=", - "owner": "farcaller", - "repo": "nix-kube-generators", - "rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88", - "type": "github" - }, - "original": { - "owner": "farcaller", - "repo": "nix-kube-generators", - "type": "github" - } - }, - "nix-kube-generators_2": { - "locked": { - "lastModified": 1708155396, - "narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=", - "owner": "farcaller", - "repo": "nix-kube-generators", - "rev": 
"14dbd5e5b40615937900f71d9a9851b59b4d9a88", - "type": "github" - }, - "original": { - "owner": "farcaller", - "repo": "nix-kube-generators", - "type": "github" - } - }, - "nix-kube-generators_3": { - "locked": { - "lastModified": 1708155396, - "narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=", - "owner": "farcaller", - "repo": "nix-kube-generators", - "rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88", - "type": "github" - }, - "original": { - "owner": "farcaller", - "repo": "nix-kube-generators", - "type": "github" - } - }, - "nixhelm": { - "inputs": { - "flake-utils": "flake-utils_2", - "haumea": "haumea", - "nix-kube-generators": "nix-kube-generators_2", - "nixpkgs": [ - "nixpkgs" - ], - "poetry2nix": "poetry2nix" - }, - "locked": { - "lastModified": 1728868745, - "narHash": "sha256-ZuaxkAtUL1visOmVMxgHk3j+H8/bMmm82tJfE1s35VY=", - "owner": "farcaller", - "repo": "nixhelm", - "rev": "f901d2ba3ce1bd0086d50efdcce3cc76bce04d80", - "type": "github" - }, - "original": { - "owner": "farcaller", - "repo": "nixhelm", - "type": "github" - } - }, - "nixidy": { - "inputs": { - "flake-utils": "flake-utils_4", - "kubenix": "kubenix", - "nix-kube-generators": "nix-kube-generators_3", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1728815994, - "narHash": "sha256-uF6HAoDMAX0cZbKH27k/0UpIteQMhyLkP1rYKUfj5ys=", - "owner": "arnarg", - "repo": "nixidy", - "rev": "6e20193c95a0aaca444289d7c69f4eb329d25234", - "type": "github" - }, - "original": { - "owner": "arnarg", - "ref": "HEAD", - "repo": "nixidy", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1702151865, - "narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1720386169, - 
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1728492678, - "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1697382362, - "narHash": "sha256-PvFjWFmSYOF6TjNZ/WjOeqa+sgaWm+83Fz37vEuATHA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "ad9a253a0d34f313707f9c25fb8c95c65b1c8882", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "release-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "poetry2nix": { - "inputs": { - "flake-utils": "flake-utils_3", - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "nixhelm", - "nixpkgs" - ], - "systems": "systems_4", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1718285706, - "narHash": "sha256-DScsBM+kZvxOva7QegfdtleebMXh30XPxDQr/1IGKYo=", - "owner": "nix-community", - "repo": "poetry2nix", - "rev": "a5be1bbbe0af0266147a88e0ec43b18c722f2bb9", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "poetry2nix", - "type": "github" - } - }, - "pre-commit-hooks": { - "inputs": { - "flake-compat": "flake-compat_2", - "gitignore": "gitignore", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1728778939, - "narHash": "sha256-WybK5E3hpGxtCYtBwpRj1E9JoiVxe+8kX83snTNaFHE=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "ff68f91754be6f3427e4986d7949e6273659be1d", - "type": "github" - }, - "original": 
{ - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, - "root": { - "inputs": { - "flake-utils": "flake-utils", - "nix-kube-generators": "nix-kube-generators", - "nixhelm": "nixhelm", - "nixidy": "nixidy", - "nixpkgs": "nixpkgs_2", - "pre-commit-hooks": "pre-commit-hooks", - "yaml2nix": "yaml2nix" - } - }, - "rust-overlay": { - "inputs": { - "flake-utils": [ - "yaml2nix", - "cargo2nix", - "flake-utils" - ], - "nixpkgs": [ - "yaml2nix", - "cargo2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1697336027, - "narHash": "sha256-ctmmw7j4liyfSh63v9rdFZeIoNYCkCvgqvtEOB7KhX8=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "e494404d36a41247987eeb1bfc2f1ca903e97764", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_4": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - 
"owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "id": "systems", - "type": "indirect" - } - }, - "systems_5": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_6": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "id": "systems", - "type": "indirect" - } - }, - "systems_7": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "treefmt": { - "inputs": { - "nixpkgs": [ - "nixidy", - "kubenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1688026376, - "narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "nixhelm", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1717850719, - "narHash": "sha256-npYqVg+Wk4oxnWrnVG7416fpfrlRhp/lQ6wQ4DHI8YE=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "4fc1c45a5f50169f9f29f6a98a438fb910b834ed", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": 
"treefmt-nix", - "type": "github" - } - }, - "yaml2nix": { - "inputs": { - "cargo2nix": "cargo2nix", - "flake-utils": [ - "flake-utils" - ], - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1726132715, - "narHash": "sha256-DkHWWpvBco2yodyOk40LjTNcoaJ1bFKf0JY9OwWgy5M=", - "owner": "euank", - "repo": "yaml2nix", - "rev": "3a6df359da40ee49cb9ed597c2400342b76f2083", - "type": "github" - }, - "original": { - "owner": "euank", - "repo": "yaml2nix", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/flake.nix b/flake.nix deleted file mode 100644 index ba16ecfb..00000000 --- a/flake.nix +++ /dev/null 
@@ -1,148 +0,0 @@ -{ - description = "My ArgoCD configuration with nixidy."; - - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - flake-utils.url = "github:numtide/flake-utils"; - - nixidy = { - url = "github:juselius/nixidy?ref=HEAD"; - # url = "github:juselius/nixidy?ref=special-args"; - # url = "/home/jonas/src/OceanBox/nixidy"; - # inputs.nixpkgs.follows = "nixpkgs"; - }; - - nixhelm = { - url = "github:farcaller/nixhelm"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - pre-commit-hooks = { - url = "github:cachix/pre-commit-hooks.nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nix-kube-generators.url = "github:farcaller/nix-kube-generators"; - - yaml2nix = { - url = "github:euank/yaml2nix"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-utils.follows = "flake-utils"; - }; - }; - - outputs = - { - self, - nixpkgs, - flake-utils, - nixidy, - nixhelm, - yaml2nix, - pre-commit-hooks, - nix-kube-generators, - }: - (flake-utils.lib.eachDefaultSystem ( - system: - let - pkgs = import nixpkgs { inherit system; }; - kube = nix-kube-generators.lib { inherit pkgs; }; - lib = { - apps = import ./modules/lib.nix { inherit pkgs kube;}; - }; - in - { - nixidyEnvs = nixidy.lib.mkEnvs { - inherit pkgs; - extraSpecialArgs = { inherit lib; }; - charts = nixhelm.chartsDerivations.${system}; - modules = [ - ./modules - ./apps - ./policies - ]; - envs = { - prod.modules = [ ./envs/prod.nix ]; - staging.modules = [ ./envs/staging.nix ]; - }; - }; - - checks = { - pre-commit-check = pre-commit-hooks.lib.${system}.run { - src = ./.; - hooks = { - nixfmt-rfc-style.enable = false; - deadnix.enable = false; - statix.enable = false; - }; - }; - }; - - packages = { - nixidy = nixidy.packages.${system}.default; - generators = { - cilium = nixidy.packages.${system}.generators.fromCRD { - name = "cilium"; - src = pkgs.fetchFromGitHub { - owner = "cilium"; - repo = "cilium"; - rev = "v1.16.0"; - hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E="; - }; - 
crds = [ - "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml" - "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml" - ]; - }; - - kyverno = nixidy.packages.${system}.generators.fromCRD { - name = "kyverno"; - src = pkgs.fetchFromGitHub { - owner = "kyverno"; - repo = "kyverno"; - rev = "v1.12.6"; - hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M="; - }; - crds = [ - "config/crds/kyverno/kyverno.io_cleanuppolicies.yaml" - "config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml" - "config/crds/kyverno/kyverno.io_clusterpolicies.yaml" - "config/crds/kyverno/kyverno.io_globalcontextentries.yaml" - "config/crds/kyverno/kyverno.io_policies.yaml" - "config/crds/kyverno/kyverno.io_policyexceptions.yaml" - "config/crds/kyverno/kyverno.io_updaterequests.yaml" - ]; - }; - }; - }; - - apps = { - gen-crd = { - type = "app"; - program = - (pkgs.writeShellScript "generate-modules" '' - set -eo pipefail - echo "generate cilium" - cat ${self.packages.${system}.generators.cilium} > modules/cilium-crd.nix - echo "generate kyverno" - cat ${self.packages.${system}.generators.kyverno} > modules/kyverno-crd.nix - '').outPath; - }; - }; - - devShells.default = pkgs.mkShellNoCC { - inherit (self.checks.${system}.pre-commit-check) shellHook; - nativeBuildInputs = with pkgs; [ - self.checks.${system}.pre-commit-check.enabledPackages - nixidy.packages.${system}.default - yaml2nix.packages.${system}.default - nixd - nixfmt-rfc-style - just - fzf - ]; - NIXD_FLAGS = "--inlay-hints"; - }; - } - )); -} diff --git a/generate.nix b/generate.nix deleted file mode 100644 index 63b657b6..00000000 --- a/generate.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -let - sources = import ./nix; - system = builtins.currentSystem; - pkgs = import sources.nixpkgs { - inherit system; - config = { }; - overlays = [ ]; - }; - nixpkgs = sources.nixpkgs; - nixidy = import sources.nixidy { inherit nixpkgs; }; -in -{ - cilium = nixidy.generators.fromCRD { - name = "cilium"; - src = pkgs.fetchFromGitHub { - owner = "cilium"; - repo = "cilium"; - rev = "v1.16.0"; - hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E="; - }; - crds = [ - "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml" - "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml" - ]; - }; - kyverno = nixidy.generators.fromCRD { - name = "kyverno"; - src = pkgs.fetchFromGitHub { - owner = "kyverno"; - repo = "kyverno"; - rev = "v1.12.6"; - hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M="; - }; - crds = [ - "config/crds/kyverno/kyverno.io_cleanuppolicies.yaml" - "config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml" - "config/crds/kyverno/kyverno.io_clusterpolicies.yaml" - "config/crds/kyverno/kyverno.io_globalcontextentries.yaml" - "config/crds/kyverno/kyverno.io_policies.yaml" - "config/crds/kyverno/kyverno.io_policyexceptions.yaml" - "config/crds/kyverno/kyverno.io_updaterequests.yaml" - ]; - }; -} diff --git a/helmfile.d/atlantis.yaml.gotmpl b/helmfile.d/atlantis.yaml.gotmpl index 120abbb1..7e50acf0 100644 --- a/helmfile.d/atlantis.yaml.gotmpl +++ b/helmfile.d/atlantis.yaml.gotmpl 
@@ -35,23 +35,3 @@ releases: - '{{`{{ .Environment.Name }}`}}' - ../values/atlantis/manifests - _atlantis-manifests -- name: atlantis-app - namespace: argocd - chart: _atlantis-app - condition: atlantis.enabled - missingFileHandler: Info - values: - - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml - - ../values/atlantis/values.yaml.gotmpl - - ../values/atlantis/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl - hooks: - - events: [ prepare, cleanup ] - showlogs: true - command: ../bin/helmify - args: - - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}' - - '{{`{{ .Release.Chart }}`}}' - - '{{`{{ .Environment.Name }}`}}' - - ../values/atlantis/app.yaml - - _atlantis-app - diff --git a/helmfile.d/kyverno.yaml.gotmpl b/helmfile.d/kyverno.yaml.gotmpl new file mode 100644 index 00000000..283233b3 --- /dev/null +++ b/helmfile.d/kyverno.yaml.gotmpl 
@@ -0,0 +1,46 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: kyverno
+ url: 'https://kyverno.github.io/kyverno/'
+
+commonLabels:
+ tier: system
+
+apiVersions:
+- monitoring.coreos.com/v1
+
+releases:
+- name: kyverno
+ namespace: kyverno
+ chart: kyverno/kyverno
+ version: 3.2.5
+ condition: kyverno.enabled
+ values:
+ - ../values/kyverno/values/kyverno.yaml.gotmpl
+ - ../values/kyverno/values/kyverno-{{ .Environment.Name }}.yaml.gotmpl
+ postRenderer: ../bin/kustomizer
+ postRendererArgs:
+ - ../values/postgres-operator/kustomize/{{ .Environment.Name }}
+ missingFileHandler: Info
+- name: kyverno-manifests
+ namespace: kyverno
+ chart: _kyverno-manifests
+ condition: kyverno.enabled
+ values:
+ - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+ - ../values/kyverno/values.yaml.gotmpl
+ - ../values/kyverno/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+ missingFileHandler: Info
+ hooks:
+ - events: [ prepare, cleanup ]
+ showlogs: true
+ command: ../bin/helmify
+ args:
+ - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+ - '{{`{{ .Release.Chart }}`}}'
+ - '{{`{{ .Environment.Name }}`}}'
+ - ../values/kyverno/manifests
+ - _kyverno-manifests
+
diff --git a/helmfile.d/nix/argo.gotmpl.nix b/helmfile.d/nix/argo.gotmpl.nix
new file mode 100644
index 00000000..3a6a485b
--- /dev/null
+++ b/helmfile.d/nix/argo.gotmpl.nix
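Review bot: The `postRendererArgs` entry of the `kyverno` release points at `../values/postgres-operator/kustomize/{{ .Environment.Name }}`, so Kyverno's rendered manifests would be post-processed with the postgres-operator kustomization instead of the `values/kyverno/kustomize/{base,default}` directories this same commit creates. It should read `- ../values/kyverno/kustomize/{{ .Environment.Name }}`, matching the velero and postgres-operator helmfiles. Since Kyverno is the admission/policy layer, a wrong overlay could alter or drop webhook or RBAC objects without an obvious error, so a render check (`just r kyverno <env>`, the recipe added in this commit) before merging is worth doing.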
@@ -0,0 +1,92 @@
+{ var, ... }:
+{
+ bases = [
+ "../envs/environments.yaml.gotmpl"
+ ];
+ repositories = [
+ {
+ name = "argo";
+ url = "https://argoproj.github.io/argo-helm";
+ }
+ ];
+ commonLabels = {
+ tier = "system";
+ };
+ releases = [
+ {
+ name = "argocd";
+ namespace = "argocd";
+ chart = "argo/argo-cd";
+ version = "7.5.2";
+ condition = "argo.enabled";
+ values = [
+ "../values/argo/values/argocd.yaml.gotmpl"
+ "../values/argo/values/argocd-${var.environment.name}.yaml.gotmpl"
+ ];
+ postRenderer = "../bin/kustomizer";
+ postRendererArgs = [
+ "../values/argo/kustomize/${var.environment.name}"
+ ];
+ missingFileHandler = "Info";
+ }
+ {
+ name = "argocd-apps";
+ namespace = "argocd";
+ chart = "argo/argocd-apps";
+ version = "0.0.1";
+ condition = "argo.apps.enabled";
+ values = [
+ "../values/argo/values/apps.yaml.gotmpl"
+ ];
+ missingFileHandler = "Info";
+ }
+ {
+ name = "argo-rollouts";
+ namespace = "argocd";
+ chart = "argo/argo-rollouts";
+ version = "2.35.2";
+ condition = "argo.rollouts.enabled";
+ values = [
+ "../values/argo/values/rollouts.yaml.gotmpl"
+ ];
+ missingFileHandler = "Info";
+ }
+ {
+ name = "argo-workflows";
+ namespace = "argocd";
+ chart = "argo/argo-workflows";
+ version = "0.45.0";
+ condition = "argo.workflows.enabled";
+ missingFileHandler = "Info";
+ }
+ {
+ name = "argo-manifests";
+ namespace = "argocd";
+ chart = "_argo";
+ condition = "argo.enabled";
+ values = [
+ # "../values/values-${var.CLUSTER_NAME}.yaml"
+ "../values/argo/values.yaml.gotmpl"
+ # "../values/argo/values-${var.CLUSTER_NAME}.yaml.gotmpl"
+ ];
+ missingFileHandler = "Info";
+ hooks = [
+ {
+ events = [
+ "prepare"
+ "cleanup"
+ ];
+ showlogs = true;
+ command = "../bin/helmify";
+ args = [
+ # "${if (var.event.name == "prepare") then "build" else "clean"}"
+ # "${var.release.chart}"
+ "${var.environment.name}"
+ "../values/argo/manifests"
+ "_argo"
+ ];
+ }
+ ];
+ }
+ ];
+}
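Review bot: The helmify hook of the `argo-manifests` release passes only `"${var.environment.name}" "../values/argo/manifests" "_argo"`, because the `build`/`clean` verb and the chart-name lines are commented out, whereas every YAML helmfile in this commit invokes helmify as `<build|clean> <chart> <env> <manifests-dir> <chart-name>`; every positional argument is therefore shifted by two and the hook cannot work as written. The sibling `helmfile.d/nix/helmfile.gotmpl.nix` added in this same commit already solves this with `escape_var`, so this file looks like an earlier draft that should either be deleted or made to take `{ var, escape_var, ... }:` and use the same escaped template strings. If it is kept deliberately as an experiment, a first-line comment such as `# EXPERIMENT: superseded by helmfile.gotmpl.nix, not wired into helmfile.d` would prevent it from being mistaken for a live helmfile.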
diff --git a/helmfile.d/nix/helmfile.gotmpl.nix b/helmfile.d/nix/helmfile.gotmpl.nix new file mode 100644 index 00000000..d557db1b --- /dev/null +++ b/helmfile.d/nix/helmfile.gotmpl.nix 
@@ -0,0 +1,94 @@
+{ var, escape_var, ... }:
+[
+ {
+ bases = [
+ "../envs/environments.yaml.gotmpl"
+ ];
+ repositories = [
+ {
+ name = "argo";
+ url = "https://argoproj.github.io/argo-helm";
+ }
+ ];
+ commonLabels = {
+ tier = "system";
+ };
+ releases = [
+ {
+ name = "argocd";
+ namespace = "argocd";
+ chart = "argo/argo-cd";
+ version = "7.5.2";
+ condition = "argo.enabled";
+ values = [
+ "../values/argo/values/argocd.yaml.gotmpl"
+ "../values/argo/values/argocd-${var.environment.name}.yaml.gotmpl"
+ ];
+ postRenderer = "../bin/kustomizer";
+ postRendererArgs = [
+ "../values/argo/kustomize/${var.environment.name}"
+ ];
+ missingFileHandler = "Info";
+ }
+ {
+ name = "argocd-apps";
+ namespace = "argocd";
+ chart = "argo/argocd-apps";
+ version = "0.0.1";
+ condition = "argo.apps.enabled";
+ values = [
+ "../values/argo/values/apps.yaml.gotmpl"
+ ];
+ missingFileHandler = "Info";
+ }
+ {
+ name = "argo-rollouts";
+ namespace = "argocd";
+ chart = "argo/argo-rollouts";
+ version = "2.35.2";
+ condition = "argo.rollouts.enabled";
+ values = [
+ "../values/argo/values/rollouts.yaml.gotmpl"
+ ];
+ missingFileHandler = "Info";
+ }
+ {
+ name = "argo-workflows";
+ namespace = "argocd";
+ chart = "argo/argo-workflows";
+ version = "0.45.0";
+ condition = "argo.workflows.enabled";
+ missingFileHandler = "Info";
+ }
+ {
+ name = "argo-manifests";
+ namespace = "argocd";
+ chart = "_argo";
+ condition = "argo.enabled";
+ values = [
+ (escape_var "../values/values-{{requiredEnv \"CLUSTER_NAME\"}}.yaml")
+ "../values/argo/values.yaml.gotmpl"
+ (escape_var "../values/argo/values-{{requiredEnv \"CLUSTER_NAME\"}}.yaml.gotmpl")
+ ];
+ missingFileHandler = "Info";
+ hooks = [
+ {
+ events = [
+ "prepare"
+ "cleanup"
+ ];
+ showlogs = true;
+ command = "../bin/helmify";
+ args = [
+ (escape_var "{{ if eq .Event.Name \"prepare\" }}build{{ else }}clean{{ end }}")
+ (escape_var "{{ .Release.Chart | toJson }}")
+ (escape_var "{{ .Environment.Name | toJson }}")
+ "../values/argo/manifests"
+ "_argo"
+ ];
+ }
+ ];
+ }
+ ];
+ }
+]
diff --git a/helmfile.d/postgres-operator.yaml.gotmpl b/helmfile.d/postgres-operator.yaml.gotmpl
new file mode 100644
index 00000000..73a4b512
--- /dev/null
+++ b/helmfile.d/postgres-operator.yaml.gotmpl
@@ -0,0 +1,45 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: cloudnative-pg
+ url: 'https://cloudnative-pg.github.io/charts'
+
+commonLabels:
+ tier: system
+
+apiVersions:
+- monitoring.coreos.com/v1
+
+releases:
+- name: postgres-operator
+ namespace: cnpg
+ chart: cloudnative-pg/cloudnative-pg
+ version: 0.18.2
+ condition: postgres_operator.enabled
+ values:
+ - ../values/postgres-operator/values/postgres-operator.yaml.gotmpl
+ - ../values/postgres-operator/values/postgres-operator-{{ .Environment.Name }}.yaml.gotmpl
+ postRenderer: ../bin/kustomizer
+ postRendererArgs:
+ - ../values/postgres-operator/kustomize/{{ .Environment.Name }}
+ missingFileHandler: Info
+- name: postgres-operator-manifests
+ namespace: cnpg
+ chart: _postgres-operator-manifests
+ condition: postgres_operator.enabled
+ values:
+ - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+ - ../values/postgres-operator/values.yaml.gotmpl
+ - ../values/postgres-operator/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+ missingFileHandler: Info
+ hooks:
+ - events: [ prepare, cleanup ]
+ showlogs: true
+ command: ../bin/helmify
+ args:
+ - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+ - '{{`{{ .Release.Chart }}`}}'
+ - '{{`{{ .Environment.Name }}`}}'
+ - ../values/postgres-operator/manifests
+ - _postgres-operator-manifests
diff --git a/helmfile.d/prometheus.yaml.gotmpl b/helmfile.d/prometheus.yaml.gotmpl
new file mode 100644
index 00000000..7fee4570
--- /dev/null
+++ b/helmfile.d/prometheus.yaml.gotmpl
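Review bot: The hook args `(escape_var "{{ .Release.Chart | toJson }}")` and `(escape_var "{{ .Environment.Name | toJson }}")` differ from every YAML helmfile in this commit, which pass `{{ .Release.Chart }}` and `{{ .Environment.Name }}` unfiltered; `toJson` applied to a string produces its JSON-quoted form, so unless `escape_var` strips those quotes (its definition is not in this diff), helmify will receive `"_argo"` and the environment name with literal double quotes and resolve the wrong chart directory. Dropping `| toJson` from both lines keeps the argument vector identical to the YAML helmfiles; if the quoting was added to survive YAML parsing, a short comment above `args` saying so, and a note on what `escape_var` emits, would make the intent reviewable. Separately, `version = "0.0.1"` for `argo/argocd-apps` is far below the other pins and reads like a placeholder — please confirm it is the intended chart version.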
@@ -0,0 +1,42 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: prometheus
+ url: 'https://prometheus-community.github.io/helm-charts'
+
+commonLabels:
+ tier: system
+
+apiVersions:
+- monitoring.coreos.com/v1
+
+releases:
+- name: prometheus
+ namespace: prometheus
+ chart: prometheus/kube-prometheus-stack
+ version: 62.7.0
+ condition: prometheus.enabled
+ values:
+ - ../values/prometheus/values/prometheus.yaml.gotmpl
+ - ../values/prometheus/values/prometheus-{{ .Environment.Name }}.yaml.gotmpl
+ missingFileHandler: Info
+- name: prometheus-manifests
+ namespace: prometheus
+ chart: _prometheus-manifests
+ condition: prometheus.enabled
+ values:
+ - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+ - ../values/prometheus/values.yaml.gotmpl
+ - ../values/prometheus/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+ hooks:
+ - events: [ prepare, cleanup ]
+ showlogs: true
+ command: ../bin/helmify
+ args:
+ - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+ - '{{`{{ .Release.Chart }}`}}'
+ - '{{`{{ .Environment.Name }}`}}'
+ - ../values/prometheus/prometheus-manifests
+ - _prometheus-manifests
+
diff --git a/helmfile.d/velero.yaml.gotmpl b/helmfile.d/velero.yaml.gotmpl
new file mode 100644
index 00000000..e683a6fb
--- /dev/null
+++ b/helmfile.d/velero.yaml.gotmpl
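Review bot: The helmify hook is handed `../values/prometheus/prometheus-manifests`, but the manifest added in this commit lives at values/prometheus/manifests/prometheus.yaml and the sibling helmfiles pass `../values/<release>/manifests`, so the build step points at a directory that does not exist; change it to `- ../values/prometheus/manifests`. The prometheus-manifests release also lists `../values/prometheus/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl` without the `missingFileHandler: Info` the postgres-operator and velero helmfiles set for the same per-cluster file, so helmfile's default handler fails the run for any cluster that has no such file (the only one in this commit is values-oceanbox). Add `missingFileHandler: Info` to that release as in the other two files.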
@@ -0,0 +1,42 @@ +bases: + - ../envs/environments.yaml.gotmpl + +repositories: +- name: velero + url: 'https://vmware-tanzu.github.io/helm-charts' + +commonLabels: + tier: system + +releases: +- name: velero + namespace: velero + chart: velero/velero + version: 0.18.2 + condition: velero.enabled + values: + - ../values/velero/values/velero.yaml.gotmpl + - ../values/velero/values/velero-{{ .Environment.Name }}.yaml.gotmpl + postRenderer: ../bin/kustomizer + postRendererArgs: + - ../values/velero/kustomize/{{ .Environment.Name }} + missingFileHandler: Info +- name: velero-manifests + namespace: velero + chart: _velero-manifests + condition: velero.enabled + values: + - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml + - ../values/velero/values.yaml.gotmpl + - ../values/velero/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl + missingFileHandler: Info + hooks: + - events: [ prepare, cleanup ] + showlogs: true + command: ../bin/helmify + args: + - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}' + - '{{`{{ .Release.Chart }}`}}' + - '{{`{{ .Environment.Name }}`}}' + - ../values/velero/manifests + - _velero-manifests diff --git a/justfile b/justfile index 10d9d46e..04d755e5 100644 --- a/justfile +++ b/justfile @@ -1,17 +1,12 @@ -default := "prod" - +[private] default: - just --choose + just --list -u -info target=default: - nix run .#nixidy -- info .#{{target}} - -build target=default: - nix run .#nixidy -- build .#{{target}} - -switch target=default: - nix run .#nixidy -- switch .#{{target}} - -generate: - nix build .#generators.cilium - nix build .#generators.kyverno +# NOTE: Render a specifc helm chart +r HELMFILE ENV: + # helmfile --environment={{ENV}} lint --args --quiet --skip-deps --skip-refresh -f helmfile.d/{{HELMFILE}}.yaml.gotmpl + helmfile --environment={{ENV}} lint --args --quiet -f helmfile.d/{{HELMFILE}}.yaml.gotmpl +# +# NOTE: Render charts for one environment +# render ENV="staging": + 
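Review bot: The velero chart values in this commit turn on `metrics.serviceMonitor` and `metrics.prometheusRule` (values/velero/values/velero.yaml.gotmpl), yet unlike the postgres-operator and prometheus helmfiles this one carries no `apiVersions:` block; if the chart gates those resources on `.Capabilities.APIVersions`, `helmfile lint`/`template` runs will silently omit them. Adding the same two lines, `apiVersions:` / `- monitoring.coreos.com/v1`, keeps rendering consistent across the three files. The `version: 0.18.2` duplication with the postgres-operator helmfile is raised on that hunk.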
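Review bot: The `r` recipe is documented as `# NOTE: Render a specifc helm chart` but it runs `helmfile ... lint`, which validates rather than renders; either fix the comment to `# NOTE: Lint a specific helm chart` (also fixing the typo) or switch the command to `helmfile --environment={{ENV}} template -f helmfile.d/{{HELMFILE}}.yaml.gotmpl`. The commented-out `--skip-deps --skip-refresh` variant and the commented-out `render ENV="staging":` recipe are dead lines — drop them or make `render` a real recipe, since `just --list` will not show a commented one.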
diff --git a/nix/default.nix b/nix/default.nix deleted file mode 100644 index 5e7d086e..00000000 --- a/nix/default.nix +++ /dev/null 
@@ -1,80 +0,0 @@ -# Generated by npins. Do not modify; will be overwritten regularly -let - data = builtins.fromJSON (builtins.readFile ./sources.json); - version = data.version; - - mkSource = - spec: - assert spec ? type; - let - path = - if spec.type == "Git" then - mkGitSource spec - else if spec.type == "GitRelease" then - mkGitSource spec - else if spec.type == "PyPi" then - mkPyPiSource spec - else if spec.type == "Channel" then - mkChannelSource spec - else - builtins.throw "Unknown source type ${spec.type}"; - in - spec // { outPath = path; }; - - mkGitSource = - { - repository, - revision, - url ? null, - hash, - branch ? null, - ... - }: - assert repository ? type; - # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository - # In the latter case, there we will always be an url to the tarball - if url != null then - (builtins.fetchTarball { - inherit url; - sha256 = hash; # FIXME: check nix version & use SRI hashes - }) - else - assert repository.type == "Git"; - let - urlToName = - url: rev: - let - matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url; - - short = builtins.substring 0 7 rev; - - appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else ""; - in - "${if matched == null then "source" else builtins.head matched}${appendShort}"; - name = urlToName repository.url revision; - in - builtins.fetchGit { - url = repository.url; - rev = revision; - inherit name; - # hash = hash; - }; - - mkPyPiSource = - { url, hash, ... }: - builtins.fetchurl { - inherit url; - sha256 = hash; - }; - - mkChannelSource = - { url, hash, ... }: - builtins.fetchTarball { - inherit url; - sha256 = hash; - }; -in -if version == 3 then - builtins.mapAttrs (_: mkSource) data.pins -else - throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" diff --git a/nix/sources.json b/nix/sources.json deleted file mode 100644 index de5928b7..00000000 
--- a/nix/sources.json +++ /dev/null @@ -1,47 +0,0 @@ -{ - "pins": { - "nix-kube-gen": { - "type": "Git", - "repository": { - "type": "GitHub", - "owner": "farcaller", - "repo": "nix-kube-generators" - }, - "branch": "master", - "revision": "2be4f3cb99e179d9f94e6c8723862421437f8efb", - "url": "https://github.com/farcaller/nix-kube-generators/archive/2be4f3cb99e179d9f94e6c8723862421437f8efb.tar.gz", - "hash": "0pgpr0szig7plmj7i4hjfkpcm4vgy0ingqr115wqjzbx5yjc6c7j" - }, - "nixhelm": { - "type": "Git", - "repository": { - "type": "GitHub", - "owner": "farcaller", - "repo": "nixhelm" - }, - "branch": "master", - "revision": "cafa44fc8c2ad34baf6e5f1bdea3eb3a587a1f6d", - "url": "https://github.com/farcaller/nixhelm/archive/cafa44fc8c2ad34baf6e5f1bdea3eb3a587a1f6d.tar.gz", - "hash": "1waplza2c0wgq23v41ladfgqdq2wrbw889c973cm439940zj4mj1" - }, - "nixidy": { - "type": "Git", - "repository": { - "type": "GitHub", - "owner": "arnarg", - "repo": "nixidy" - }, - "branch": "main", - "revision": "d28f45aea4d7b93928f1ea94f22a03a3f6dc25f6", - "url": "https://github.com/arnarg/nixidy/archive/d28f45aea4d7b93928f1ea94f22a03a3f6dc25f6.tar.gz", - "hash": "0ijxdh2432wvwyff1f5yfrjn93lzayrswi1bkasjpwaps9v6ld4r" - }, - "nixpkgs": { - "type": "Channel", - "name": "nixpkgs-unstable", - "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre699031.2d2a9ddbe3f2/nixexprs.tar.xz", - "hash": "1vx044c8gdg1c8zmabzbi9xrgjgaz2bfqbl47xsgh517f580bycx" - } - }, - "version": 3 -} diff --git a/npins/default.nix b/npins/default.nix new file mode 100644 index 00000000..65924762 --- /dev/null +++ b/npins/default.nix 
@@ -0,0 +1,146 @@ +/* + This file is provided under the MIT licence: + + Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +*/ +# Generated by npins. 
Do not modify; will be overwritten regularly +let + data = builtins.fromJSON (builtins.readFile ./sources.json); + version = data.version; + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 + range = + first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 + stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 + stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); + concatMapStrings = f: list: concatStrings (map f list); + concatStrings = builtins.concatStringsSep ""; + + # If the environment variable NPINS_OVERRIDE_${name} is set, then use + # the path directly as opposed to the fetched source. + # (Taken from Niv for compatibility) + mayOverride = + name: path: + let + envVarName = "NPINS_OVERRIDE_${saneName}"; + saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name; + ersatz = builtins.getEnv envVarName; + in + if ersatz == "" then + path + else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" ( + if builtins.substring 0 1 ersatz == "/" then + /. + ersatz + else + /. + builtins.getEnv "PWD" + "/${ersatz}" + ); + + mkSource = + name: spec: + assert spec ? 
type; + let + path = + if spec.type == "Git" then + mkGitSource spec + else if spec.type == "GitRelease" then + mkGitSource spec + else if spec.type == "PyPi" then + mkPyPiSource spec + else if spec.type == "Channel" then + mkChannelSource spec + else if spec.type == "Tarball" then + mkTarballSource spec + else + builtins.throw "Unknown source type ${spec.type}"; + in + spec // { outPath = mayOverride name path; }; + + mkGitSource = + { + repository, + revision, + url ? null, + submodules, + hash, + branch ? null, + ... + }: + assert repository ? type; + # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository + # In the latter case, there we will always be an url to the tarball + if url != null && !submodules then + builtins.fetchTarball { + inherit url; + sha256 = hash; # FIXME: check nix version & use SRI hashes + } + else + let + url = + if repository.type == "Git" then + repository.url + else if repository.type == "GitHub" then + "https://github.com/${repository.owner}/${repository.repo}.git" + else if repository.type == "GitLab" then + "${repository.server}/${repository.repo_path}.git" + else + throw "Unrecognized repository type ${repository.type}"; + urlToName = + url: rev: + let + matched = builtins.match "^.*/([^/]*)(\\.git)?$" url; + + short = builtins.substring 0 7 rev; + + appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else ""; + in + "${if matched == null then "source" else builtins.head matched}${appendShort}"; + name = urlToName url revision; + in + builtins.fetchGit { + rev = revision; + inherit name; + # hash = hash; + inherit url submodules; + }; + + mkPyPiSource = + { url, hash, ... }: + builtins.fetchurl { + inherit url; + sha256 = hash; + }; + + mkChannelSource = + { url, hash, ... }: + builtins.fetchTarball { + inherit url; + sha256 = hash; + }; + + mkTarballSource = + { + url, + locked_url ? url, + hash, + ... 
+ }: + builtins.fetchTarball { + url = locked_url; + sha256 = hash; + }; +in +if version == 5 then + builtins.mapAttrs mkSource data.pins +else + throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" diff --git a/npins/sources.json b/npins/sources.json new file mode 100644 index 00000000..6df53cc7 --- /dev/null +++ b/npins/sources.json @@ -0,0 +1,37 @@ +{ + "pins": { + "gomod2nix": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "nix-community", + "repo": "gomod2nix" + }, + "branch": "master", + "submodules": false, + "revision": "2cbd7fdd6eeab65c494cc426e18f4e4d2a5e35c0", + "url": "https://github.com/nix-community/gomod2nix/archive/2cbd7fdd6eeab65c494cc426e18f4e4d2a5e35c0.tar.gz", + "hash": "18hl5fz6aqg12ypkjramvlv43p413iwzy5zbvwl9m3kp5l4id2fi" + }, + "helmfile-nix": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "remarkable", + "repo": "helmfile-nix" + }, + "branch": "main", + "submodules": false, + "revision": "03b3de30d44b6e90e9425bad10476dadd75bcba9", + "url": "https://github.com/remarkable/helmfile-nix/archive/03b3de30d44b6e90e9425bad10476dadd75bcba9.tar.gz", + "hash": "12bdar6cb459vw9ldk73npvydbcjgb4ic8w416yf4i4alky3d9ib" + }, + "nixpkgs": { + "type": "Channel", + "name": "nixpkgs-unstable", + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre800239.b1bebd0fe266/nixexprs.tar.xz", + "hash": "0vnfj9d7kzk673i7s1vnkbx513a4gh5mfcd8fag2c7wi6hz471n6" + } + }, + "version": 5 +} diff --git a/shell.nix b/shell.nix index fb3d055c..bb02e2ac 100644 --- a/shell.nix +++ b/shell.nix 
@@ -1,25 +1,34 @@ let - sources = import ./nix; + sources = import ./npins; system = builtins.currentSystem; pkgs = import sources.nixpkgs { inherit system; config = { }; - overlays = [ ]; + overlays = [ (import "${sources.gomod2nix}/overlay.nix") ]; }; - nixpkgs = sources.nixpkgs; - nixidy = import sources.nixidy { inherit nixpkgs; }; + helmfile-nix = import sources.helmfile-nix { inherit pkgs; }; + helmWrap = + with pkgs; + wrapHelm kubernetes-helm { + plugins = with kubernetes-helmPlugins; [ + helm-diff + helm-git + ]; + }; + helmfileWrap = pkgs.helmfile-wrapped.override { inherit (helmWrap) pluginsDir; }; in -{ - shell = pkgs.mkShellNoCC { - name = "clstr"; - nativeBuildInputs = with pkgs; [ - helmfile - nixidy.nixidy - npins - nixfmt-rfc-style - just - fzf - ]; - NPINS_DIRECTORY = "nix"; - }; +pkgs.mkShellNoCC { + name = "clstr"; + + packages = with pkgs; [ + npins + nix-converter + + # helm + helmWrap + helmfileWrap + helmfile-nix + ]; + + CLUSTER_NAME = "oceanbox"; } diff --git a/statix.toml b/statix.toml deleted file mode 100644 index fdbac046..00000000 --- a/statix.toml +++ /dev/null @@ -1,7 +0,0 @@ -disabled = [ - # I think enforcing this can often produce - # code that is harder to read. - "manual_inherit_from" - # Does not improve readability - "repeated_keys" -] \ No newline at end of file diff --git a/values/atlantis/app.yaml b/values/atlantis/manifests/atlantis.yaml similarity index 100% rename from values/atlantis/app.yaml rename to values/atlantis/manifests/atlantis.yaml diff --git a/values/kyverno/kustomize/base/kustomization.yaml b/values/kyverno/kustomize/base/kustomization.yaml new file mode 100644 index 00000000..57f354b1 --- /dev/null +++ b/values/kyverno/kustomize/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - _manifest.yaml 
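Review bot: `CLUSTER_NAME = "oceanbox";` is hard-coded into the dev shell, and every helmfile in this commit selects its per-cluster values through `requiredEnv "CLUSTER_NAME"`, so any helmfile run from this shell targets oceanbox unless the user remembers to override the variable, and a second cluster means editing shell.nix. Consider leaving it unset so `requiredEnv` fails fast on a forgotten target, or keep the default but document the override next to it: `# default target for local runs; override with CLUSTER_NAME=<cluster> before invoking helmfile`.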
diff --git a/values/kyverno/kustomize/default/kustomization.yaml b/values/kyverno/kustomize/default/kustomization.yaml new file mode 100644 index 00000000..22967828 --- /dev/null +++ b/values/kyverno/kustomize/default/kustomization.yaml @@ -0,0 +1,4 @@ +generatorOptions: + disableNameSuffixHash: true +resources: + - ../base diff --git a/values/kyverno/manifests/kyverno.yaml b/values/kyverno/manifests/kyverno.yaml new file mode 100644 index 00000000..b255f435 --- /dev/null +++ b/values/kyverno/manifests/kyverno.yaml @@ -0,0 +1,39 @@ +{{- if .Values.clusterConfig.argo.enabled }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kyverno + namespace: argocd +spec: + destination: + namespace: kyverno + server: 'https://kubernetes.default.svc' + sources: + - repoURL: {{ .Values.clusterConfig.manifests }} + targetRevision: HEAD + path: helmfiles/kyverno + plugin: + name: helmfile + env: + - name: CLUSTER_NAME + value: {{ .Values.clusterConfig.cluster }} + project: sys + syncPolicy: + managedNamespaceMetadata: + labels: + component: sys + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + # - ServerSideApply=true + {{- if .Values.kyverno.autosync }} + automated: + prune: true + # selfHeal: false + {{- end }} + ignoreDifferences: + - group: batch + kind: CronJob + jqPathExpressions: + - '.spec.jobTemplate.spec.template.spec.containers[]?.resources' +{{- end }} diff --git a/values/kyverno/values.yaml.gotmpl b/values/kyverno/values.yaml.gotmpl new file mode 100644 index 00000000..7f97294d --- /dev/null +++ b/values/kyverno/values.yaml.gotmpl @@ -0,0 +1,11 @@ +kyverno: + enabled: true + autosync: false + metrics: false + resources: + cleanupController: + memory: "128Mi" + reportsController: + memory: "128Mi" + backgroundController: + memory: "128Mi" diff --git a/values/kyverno/values/kyverno.yaml.gotmpl b/values/kyverno/values/kyverno.yaml.gotmpl new file mode 100644 index 00000000..98a4f5ef --- /dev/null 
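Review bot: `targetRevision: HEAD` tracks the tip of whatever branch the manifests repo serves, so for a policy engine any push to that repo changes cluster policy with no review gate on the cluster side; the same pattern is in values/postgres-operator/manifests/postgres-operator.yaml and values/velero/manifests/velero.yaml. If tracking a branch is intended, name it explicitly (e.g. `targetRevision: main`) so the Application does not silently follow a default-branch change, and prefer a tag or commit where the repo's protection rules are weak. Also, `# - ServerSideApply=true` is commented out here while the prometheus Application enables it; Kyverno's CRDs are commonly too large for the client-side `last-applied-configuration` annotation, so this is likely to surface as a sync error and is worth re-enabling rather than leaving commented.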
+++ b/values/kyverno/values/kyverno.yaml.gotmpl @@ -0,0 +1,41 @@ +replicaCount: 3 +{{ if .Values.kyverno.metrics }} +admissionController: + serviceMonitor: + enabled: true + metricsService: + create: true +backgroundController: + serviceMonitor: + enabled: true + metricsService: + create: true +cleanupController: + serviceMonitor: + enabled: true + metricsService: + create: true +reportsController: + serviceMonitor: + enabled: true + metricsService: + create: true +{{ end }} +cleanupController: + resources: + limits: + memory: {{ .Values.kyverno.resources.cleanupController.memory }} + requests: + memory: {{ .Values.kyverno.resources.cleanupController.memory }} +reportsController: + resources: + limits: + memory: {{ .Values.kyverno.resources.reportsController.memory }} + requests: + memory: {{ .Values.kyverno.resources.reportsController.memory }} +backgroundController: + resources: + limits: + memory: {{ .Values.kyverno.resources.backgroundController.memory }} + requests: + memory: {{ .Values.kyverno.resources.backgroundController.memory }} diff --git a/values/postgres-operator/kustomize/base/kustomization.yaml b/values/postgres-operator/kustomize/base/kustomization.yaml new file mode 100644 index 00000000..57f354b1 --- /dev/null +++ b/values/postgres-operator/kustomize/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - _manifest.yaml diff --git a/values/postgres-operator/kustomize/default/kustomization.yaml b/values/postgres-operator/kustomize/default/kustomization.yaml new file mode 100644 index 00000000..22967828 --- /dev/null +++ b/values/postgres-operator/kustomize/default/kustomization.yaml @@ -0,0 +1,4 @@ +generatorOptions: + disableNameSuffixHash: true +resources: + - ../base diff --git a/values/postgres-operator/manifests/postgres-operator.yaml b/values/postgres-operator/manifests/postgres-operator.yaml new file mode 100644 index 00000000..05b57fb7 --- /dev/null 
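Review bot: When `.Values.kyverno.metrics` is true, `cleanupController`, `reportsController` and `backgroundController` each appear twice as top-level keys (once inside the `{{ if }}` block with `serviceMonitor`, once below with `resources`); depending on the YAML parser the later mapping either replaces the earlier one, silently dropping the serviceMonitor settings, or the file is rejected for a duplicate key. Merge each controller into a single mapping and scope only the metrics sub-keys to the conditional, leaving `admissionController` as the one purely conditional block; using `{{-` trims also avoids the blank lines the current `{{ if }}`/`{{ end }}` emit.
```yaml
replicaCount: 3
cleanupController:
  {{- if .Values.kyverno.metrics }}
  serviceMonitor:
    enabled: true
  metricsService:
    create: true
  {{- end }}
  resources:
    limits:
      memory: {{ .Values.kyverno.resources.cleanupController.memory }}
    requests:
      memory: {{ .Values.kyverno.resources.cleanupController.memory }}
# … unchanged pattern: reportsController and backgroundController merged the same way …
{{- if .Values.kyverno.metrics }}
admissionController:
  serviceMonitor:
    enabled: true
  metricsService:
    create: true
{{- end }}
```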
+++ b/values/postgres-operator/manifests/postgres-operator.yaml @@ -0,0 +1,34 @@ +{{- if .Values.clusterConfig.argo.enabled }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: postgres-operator + namespace: argocd +spec: + destination: + namespace: cnpg + server: 'https://kubernetes.default.svc' + sources: + - repoURL: {{ .Values.clusterConfig.manifests }} + targetRevision: HEAD + path: helmfiles/postgres-operator + plugin: + name: helmfile + env: + - name: CLUSTER_NAME + value: {{ .Values.clusterConfig.cluster }} + project: sys + syncPolicy: + managedNamespaceMetadata: + labels: + component: sys + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + # - ServerSideApply=true + {{- if .Values.postgres_operator.autosync }} + automated: + prune: true + # selfHeal: false + {{- end }} +{{- end }} diff --git a/values/postgres-operator/values.yaml.gotmpl b/values/postgres-operator/values.yaml.gotmpl new file mode 100644 index 00000000..8f1400a6 --- /dev/null +++ b/values/postgres-operator/values.yaml.gotmpl @@ -0,0 +1,3 @@ +postgres_operator: + enabled: true + autosync: false \ No newline at end of file diff --git a/values/prometheus/manifests/prometheus.yaml b/values/prometheus/manifests/prometheus.yaml new file mode 100644 index 00000000..00f95320 --- /dev/null +++ b/values/prometheus/manifests/prometheus.yaml 
@@ -0,0 +1,74 @@ +{{- if .Values.clusterConfig.argo.enabled }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: prometheus + namespace: argocd +spec: + destination: + namespace: prometheus + server: 'https://kubernetes.default.svc' + sources: + - repoURL: {{ .Values.clusterConfig.manifests }} + targetRevision: HEAD + path: helmfiles/cilium + plugin: + name: helmfile + env: + - name: CLUSTER_NAME + value: {{ .Values.clusterConfig.cluster }} + project: sys + syncPolicy: + syncOptions: + - ServerSideApply=true + {{- if .Values.prometheus.autosync }} + automated: + prune: true + # selfHeal: false + {{- end }} + ignoreDifferences: + - group: apps + kind: Deployment + jqPathExpressions: + - '.spec.template.spec.containers[]?.resources' + - group: monitoring.coreos.com + kind: ServiceMonitor + jqPathExpressions: + - '.spec.endpoints[]?.relabelings' + - group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + jqPathExpressions: + - '.webhooks[]?.clientConfig.caBundle' + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + jqPathExpressions: + - '.webhooks[]?.clientConfig.caBundle' +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: prometheus-crd + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: prometheus + server: 'https://kubernetes.default.svc' + source: + repoURL: 'https://prometheus-community.github.io/helm-charts' + targetRevision: '14.0.0' + chart: prometheus-operator-crds + project: sys + syncPolicy: + managedNamespaceMetadata: + labels: + component: sys + automated: {} + syncOptions: + - ServerSideApply=true + - CreateNamespace=true + - ApplyOutOfSyncOnly=true +{{- end }} diff --git a/values/prometheus/values-oceanbox.yaml.gotmpl b/values/prometheus/values-oceanbox.yaml.gotmpl new file mode 100644 index 00000000..6ae6980a --- /dev/null 
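Review bot: The `prometheus` Application points its helmfile source at `path: helmfiles/cilium`, while the kyverno, postgres-operator and velero Applications in this commit each use `helmfiles/<release>`; this one should read `path: helmfiles/prometheus`, otherwise Argo CD renders the cilium helmfile under the prometheus Application name. The `prometheus-crd` Application pins `prometheus-operator-crds` at `'14.0.0'` while the helmfile pins kube-prometheus-stack at 62.7.0; the stack bundles CRDs for a specific operator release, so confirm the two match and record the pairing in a comment, e.g. `targetRevision: '14.0.0'  # CRDs for the operator shipped in kube-prometheus-stack 62.7.0 — verify on bump`.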
+++ b/values/prometheus/values-oceanbox.yaml.gotmpl
@@ -0,0 +1,15 @@
+cilium:
+ enabled: true
+ nodePort:
+ enable: true
+ l2announcement:
+ enable: true
+ loadbalancerPool:
+ enabled: true
+ cidr:
+ - 10.255.241.11/32
+ - 10.255.241.12/32
+ - 10.255.241.13/32
+ - 10.255.241.14/32
+ - 10.255.241.15/32
+
diff --git a/values/prometheus/values.yaml.gotmpl b/values/prometheus/values.yaml.gotmpl
new file mode 100644
index 00000000..6163164c
--- /dev/null
+++ b/values/prometheus/values.yaml.gotmpl
@@ -0,0 +1,32 @@
+cilium:
+ enabled: false
+ autosync: true
+ spire:
+ enabled: false
+ envoy:
+ enabled: false
+ hubble:
+ ui: true
+ enabled: false
+ encryption:
+ enabled: true
+ type: wireguard
+ kubeProxyReplacement: true
+ l2announcement:
+ enabled: false
+ nodePort:
+ enabled: false
+ gatewayAPI:
+ enabled: false
+ ingressController:
+ enabled: false
+ defaultClass: false
+ loadbalancerMode: shared
+ policyAuditMode: false
+ upgradeCompatability: 1.15
+ k8sServiceHost: localhost
+ k8sServicePort: 7445
+ loadbalancerPool:
+ enabled: false
+ cidr: []
+
diff --git a/values/prometheus/values/prometheus.yaml.gotmpl b/values/prometheus/values/prometheus.yaml.gotmpl
new file mode 100644
index 00000000..61d3d62f
--- /dev/null
+++ b/values/prometheus/values/prometheus.yaml.gotmpl
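Review bot: Both prometheus values files define only a `cilium:` tree, but helmfile.d/prometheus.yaml.gotmpl gates both releases on `condition: prometheus.enabled` and values/prometheus/manifests/prometheus.yaml reads `.Values.prometheus.autosync`, so neither release is enabled and the manifest template has no `prometheus` key to read; the files look copied from a cilium values set. values.yaml.gotmpl should start with `prometheus:` / `  enabled: true` / `  autosync: false` (mirroring the kyverno and velero files) and the cilium block should move to wherever cilium is actually configured. Within the cilium tree itself, values-oceanbox uses `nodePort.enable` and `l2announcement.enable` while values.yaml.gotmpl and the chart template read `enabled`, so those overrides would never take effect even where they belong.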
@@ -0,0 +1,106 @@ +authentication: + mutual: + spire: + enabled: {{ .Values.cilium.spire.enabled }} +cgroup: + autoMount: + enabled: false + hostRoot: /sys/fs/cgroup +dashboards: + enabled: true + namespace: prometheus +enableXTSocketFallback: false +encryption: + enabled: {{ .Values.cilium.encryption.enabled }} + type: {{ .Values.cilium.encryption.type}} +envoy: + enabled: {{ .Values.cilium.envoy.enabled }} + prometheus: + serviceMonitor: + enabled: {{ .Values.cilium.envoy.enabled }} +extraConfig: + enable-envoy-config: "true" +hubble: + enabled: true + tls: + auto: + method: cronJob + metrics: + dashboards: + enabled: true + namespace: prometheus + enabled: + - dns:query;ignoreAAAA + - drop + - tcp + - flow + - icmp + - policy:sourceContext=app|workload-name|pod|reserved-identity;destinationContext=app|workload-name|pod|dns|reserved-identity;labelsContext=source_namespace,destination_namespace + - httpV2:exemplars=false;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction + port: 12304 + serviceMonitor: + enabled: true + redact: + enabled: true + relay: + enabled: true + prometheus: + enabled: true + serviceMonitor: + enabled: true + ui: + enabled: {{ .Values.cilium.hubble.ui }} +ipam: + mode: kubernetes +kubeProxyReplacement: {{ .Values.cilium.kubeProxyReplacement }} +l2announcements: + enabled: {{ .Values.cilium.l2announcement.enabled }} +k8sServiceHost: {{ .Values.cilium.k8sServiceHost }} +k8sServicePort: {{ .Values.cilium.k8sServicePort }} +nodePort: + enabled: {{ .Values.cilium.nodePort.enabled }} +gatewayAPI: + enabled: {{ .Values.cilium.gatewayAPI.enabled }} +ingressController: + enabled: {{ .Values.cilium.ingressController.enabled }} + default: {{ .Values.cilium.ingressController.defaultClass }} + loadbalancerMode: {{ .Values.cilium.ingressController.loadbalancerMode }} +operator: + dashboards: + enabled: true + namespace: prometheus + prometheus: + enabled: true + port: 12301 
+ serviceMointor: + enabled: true + port: 12302 + rollOutPods: true +policyAuditMode: {{ .Values.cilium.policyAuditMode }} +prometheus: + enabled: true + port: 12300 + serviceMonitor: + enabled: true +rollOutCiliumPods: true +securityContext: + capabilities: + ciliumAgent: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + cleanCiliumState: + - NET_ADMIN + - SYS_ADMIN + - SYS_RESOURCE +{{- with .Values.cilium.upgradeCompatability}} +upgradeCompatability: {{ . }} +{{- end }} diff --git a/values/velero/kustomize/base/kustomization.yaml b/values/velero/kustomize/base/kustomization.yaml new file mode 100644 index 00000000..57f354b1 --- /dev/null +++ b/values/velero/kustomize/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - _manifest.yaml diff --git a/values/velero/kustomize/default/kustomization.yaml b/values/velero/kustomize/default/kustomization.yaml new file mode 100644 index 00000000..22967828 --- /dev/null +++ b/values/velero/kustomize/default/kustomization.yaml @@ -0,0 +1,4 @@ +generatorOptions: + disableNameSuffixHash: true +resources: + - ../base diff --git a/values/velero/manifests/velero.yaml b/values/velero/manifests/velero.yaml new file mode 100644 index 00000000..2e455085 --- /dev/null +++ b/values/velero/manifests/velero.yaml 
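Review bot: This file is passed to `prometheus/kube-prometheus-stack` (see the helmfile), yet every key in it — `hubble`, `ipam`, `kubeProxyReplacement`, `k8sServiceHost`, `securityContext.capabilities.ciliumAgent` and so on — is a Cilium chart value; Helm does not reject unknown keys unless the chart ships a schema, so the stack would most likely deploy with pure chart defaults while this file appears to configure it. The CNI-level capability grants (`SYS_ADMIN`, `NET_ADMIN`, `DAC_OVERRIDE`, …) are appropriate for a Cilium agent but would be a serious privilege grant if a chart ever consumed them here, so the file should be replaced with kube-prometheus-stack values rather than left as-is. Two typos survive if it is moved to the cilium release: `serviceMointor:` under `operator.prometheus` should be `serviceMonitor:`, and `upgradeCompatability` (also in values.yaml.gotmpl) should be `upgradeCompatibility` for the Cilium chart to honour it. The hunk starts on the previous line of the diff.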
@@ -0,0 +1,34 @@ +{{- if .Values.clusterConfig.argo.enabled }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: velero + namespace: argocd +spec: + destination: + namespace: velero + server: 'https://kubernetes.default.svc' + sources: + - repoURL: {{ .Values.clusterConfig.manifests }} + targetRevision: HEAD + path: helmfiles/velero + plugin: + name: helmfile + env: + - name: CLUSTER_NAME + value: {{ .Values.clusterConfig.cluster }} + project: sys + syncPolicy: + managedNamespaceMetadata: + labels: + component: sys + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + # - ServerSideApply=true + {{- if .Values.velero.autosync }} + automated: + prune: true + # selfHeal: false + {{- end }} +{{- end }} diff --git a/values/velero/values.yaml.gotmpl b/values/velero/values.yaml.gotmpl new file mode 100644 index 00000000..966cdf7d --- /dev/null +++ b/values/velero/values.yaml.gotmpl @@ -0,0 +1,28 @@ +velero: + enabled: true + autosync: true + kubeletRootDir: "/var/lib/kubernetes/pods" + bucket: velero-backup + bsl: default + # Opt-in or opt-out pvc backup + # https://velero.io/docs/main/file-system-backup/#to-back-up + backupAllVolumes: true + credentials: + secretName: "s3-credentials" + s3: + region: us-east-1 + url: "https://nutanix-obj-s3.kube-system" + insecureSkipTLSVerify: true + resources: + velero: + request: + cpu: 500m + memory: 1Gi + limit: + memory: 2Gi + nodeAgent: + request: + cpu: 500m + memory: 1Gi + limit: + memory: 2Gi diff --git a/values/velero/values/velero.yaml.gotmpl b/values/velero/values/velero.yaml.gotmpl new file mode 100644 index 00000000..a1ffec82 --- /dev/null +++ b/values/velero/values/velero.yaml.gotmpl 
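Review bot: `insecureSkipTLSVerify: true` disables certificate validation for the S3 endpoint `https://nutanix-obj-s3.kube-system` that receives every backup, which includes cluster resources such as Secrets, so an on-path party between velero and the object store could read or alter backups; the flag is rendered straight into the BackupStorageLocation in values/velero/values/velero.yaml.gotmpl. If the endpoint uses a private CA, trust that CA instead of skipping verification: the aws plugin's BSL config accepts `caCert` (base64-encoded PEM), so add e.g. `caCert: <base64 CA bundle — fill in>` under `s3` and render that instead of the skip flag. If the skip has to remain for now, a comment with the reason and the condition for removing it, e.g. `# TODO: replace with caCert once the object-store CA is available`, keeps it from becoming permanent.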
@@ -0,0 +1,74 @@ +initContainers: +- name: velero-plugin-for-aws + image: velero/velero-plugin-for-aws:v1.9.0 + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /target + name: plugins +credentials: + useSecret: true + existingSecret: {{ .Values.velero.credentials.secretName }} +deployNodeAgent: true +nodeAgent: + podVolumePath: {{ .Values.velero.kubeletRootDir }} + resources: + requests: + cpu: {{ .Values.velero.resources.nodeAgent.request.cpu | default "500m" }} + memory: {{ .Values.velero.resources.nodeAgent.request.memory | default "1Gi" }} + limits: + memory: {{ .Values.velero.resources.nodeAgent.limit.memory | default "2Gi" }} +snapshotsEnabled: false +resources: + requests: + cpu: {{ .Values.velero.resources.velero.request.cpu | default "500m" }} + memory: {{ .Values.velero.resources.velero.request.memory | default "1Gi" }} + limits: + memory: {{ .Values.velero.resources.velero.limit.memory | default "1Gi" }} +configuration: + uploaderType: kopia + # Backup all volumes by default + defaultVolumesToFsBackup: {{ .Values.velero.backupAllVolumes }} + ## https://velero.io/docs/v1.6/api-types/backupstoragelocation/ + backupStorageLocation: + - name: {{ .Values.velero.bsl }} + bucket: {{ .Values.velero.bucket }} + provider: aws + default: true + ## prefix is the directory under which all Velero data should be stored within the bucket. Optional. 
+ prefix: {{ .Values.cluster_config.cluster }}/velero + accessMode: ReadWrite + config: + ## ONLY us-east-1 region is supported by nutanix + region: {{ .Values.velero.s3.region }} + s3ForcePathStyle: "true" + s3Url: {{ .Values.velero.s3.url }} + {{- if .Values.velero.s3.insecureSkipTLSVerify }} + insecureSkipTLSVerify: true + {{- end }} +metrics: + serviceMonitor: + enabled: true + additionalLabels: + k8s-app: "velero" + release: "prometheus" + prometheusRule: + enabled: true + # namespace: "" + # Rules to be deployed + spec: + - alert: VeleroBackupPartialFailures + annotations: + message: Velero backup {{` {{ $labels.schedule }} `}} has {{` {{$value | humanizePercentage}} `}} partialy failed backups. + expr: |- + velero_backup_partial_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25 + for: 15m + labels: + severity: critical + - alert: VeleroBackupFailures + annotations: + message: Velero backup {{` {{$labels.schedule}} `}} has {{` {{$value | humanizePercentage}} `}} failed backups. + expr: |- + velero_backup_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25 + for: 15m + labels: + severity: critical
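Review bot: `prefix: {{ .Values.cluster_config.cluster }}/velero` reads `cluster_config`, while every other template in this commit (kyverno, postgres-operator, prometheus and velero manifests) reads `.Values.clusterConfig.cluster`; with no `cluster_config` key the render either errors on the nil lookup or yields an empty prefix `/velero`, which would put every cluster's backups under the same path in the shared bucket. Change it to `prefix: {{ .Values.clusterConfig.cluster }}/velero`. Two smaller points: the velero container's `limits.memory | default "1Gi"` equals its request default while nodeAgent defaults to `"2Gi"`, which looks unintended even though values.yaml.gotmpl sets both to 2Gi; and `image: velero/velero-plugin-for-aws:v1.9.0` is a mutable tag for a container that handles backup credentials — pinning by digest, `velero/velero-plugin-for-aws:v1.9.0@sha256:<digest — fill in>`, makes the pull reproducible. The hunk starts on the previous line of the diff.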