From 8f6723a299bf458a2fc9b0b98104a141dc1958e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20J=C3=B6rg?= Date: Tue, 24 Jun 2025 16:51:57 +0200 Subject: [PATCH] feat: Add helmfile for linkerd --- helmfile.d/linkerd.yaml.gotmpl | 47 ++++++++++ .../values/ingress-nginx.yaml.gotmpl | 5 ++ values/linkerd/env.yaml.gotmpl | 39 +++++++++ values/linkerd/manifests/linkerd.yaml | 85 +++++++++++++++++++ values/linkerd/values/linkerd.yaml.gotmpl | 17 ++++ 5 files changed, 193 insertions(+) create mode 100644 helmfile.d/linkerd.yaml.gotmpl create mode 100644 values/linkerd/env.yaml.gotmpl create mode 100644 values/linkerd/manifests/linkerd.yaml create mode 100644 values/linkerd/values/linkerd.yaml.gotmpl diff --git a/helmfile.d/linkerd.yaml.gotmpl b/helmfile.d/linkerd.yaml.gotmpl new file mode 100644 index 00000000..b400d853 --- /dev/null +++ b/helmfile.d/linkerd.yaml.gotmpl 
@@ -0,0 +1,47 @@ +bases: + - ../envs/environments.yaml.gotmpl + +repositories: +- name: linkerd + url: 'https://helm.linkerd.io/stable' + +commonLabels: + tier: system + +apiVersions: +- monitoring.coreos.com/v1 + +releases: +- name: linkerd + namespace: linkerd + chart: linkerd/linkerd-control-plane + version: 1.9.3 + condition: linkerd.enabled + values: + - ../values/linkerd/values/linkerd.yaml.gotmpl + - ../values/linkerd/values/linkerd-{{ .Environment.Name }}.yaml.gotmpl + postRenderer: ../bin/kustomizer + postRendererArgs: + - ../values/linkerd/kustomize/{{ .Environment.Name }} + missingFileHandler: Info +- name: manifests + namespace: linkerd + chart: manifests + condition: linkerd.enabled + missingFileHandler: Info + values: + - ../values/env.yaml + - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml + - ../values/linkerd/env.yaml.gotmpl + - ../values/linkerd/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl + hooks: + - events: [ prepare, cleanup ] + showlogs: true + command: ../bin/helmify + args: + - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}' + - '{{`{{ .Release.Chart }}`}}' + - '{{`{{ .Environment.Name }}`}}' + - ../values/linkerd/manifests + - manifests + diff --git a/values/ingress-nginx/values/ingress-nginx.yaml.gotmpl b/values/ingress-nginx/values/ingress-nginx.yaml.gotmpl index 44f80e33..e2e2d65d 100644 --- a/values/ingress-nginx/values/ingress-nginx.yaml.gotmpl +++ b/values/ingress-nginx/values/ingress-nginx.yaml.gotmpl @@ -13,6 +13,11 @@ controller: cpu: {{ .Values.nginx.resources.controller.cpu }} memory: {{ .Values.nginx.resources.controller.memory }} + {{if eq .Values.clusterConfig.cluster "ekman"}} + config: + worker-prcesses: 32 + {{end }} + ingressClassResource: default: true diff --git a/values/linkerd/env.yaml.gotmpl b/values/linkerd/env.yaml.gotmpl new file mode 100644 index 00000000..66c676c0 --- /dev/null +++ b/values/linkerd/env.yaml.gotmpl 
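Review bot: Only the `linkerd/linkerd-control-plane` chart is released here; the `linkerd-crds` chart the control plane depends on is not declared in this helmfile, while `values/linkerd/env.yaml.gotmpl` in the same commit sets a `crds.version: 1.4.0` that no release in this file consumes. If the CRDs are installed by another helmfile that is fine, but a comment above `releases:`, e.g. `# CRDs (linkerd/linkerd-crds) are installed by <other helmfile>; keep crds.version in values/linkerd/env.yaml.gotmpl in step with it`, would make the dependency visible. Note also that `missingFileHandler: Info` on the control-plane release means a missing `linkerd-{{ .Environment.Name }}.yaml.gotmpl` or kustomize overlay is merely logged and the sync proceeds with the shared values; only `Error` aborts, so use it if the per-environment override is mandatory for this `tier: system` release.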
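Review bot: `worker-prcesses: 32` in the new `controller.config` block is misspelled; the ingress-nginx ConfigMap key is `worker-processes`, so as written the override has no effect and the `ekman` controller keeps its default worker count. Change it to `worker-processes: "32"` — quoting also keeps the value a string, which ConfigMap `data` requires if the chart does not quote values itself. For consistency with the surrounding template tags, `{{end }}` should be written `{{ end }}`.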
@@ -0,0 +1,39 @@
+linkerd:
+ enabled: true
+ autosync: true
+ trustAnchorPEM: |
+ -----BEGIN CERTIFICATE-----
+ MIIBtDCCAVqgAwIBAgIQRlhbOLj9zw+QTGHqbOBaozAKBggqhkjOPQQDAjAlMSMw
+ IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yMTA0MDkxNDAy
+ NTFaFw0zMTA0MDcxNDAyNTFaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
+ dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEljOLtSPSi6XIEdFP
+ VCGa4BKoQ0X5dBSZvHRLt/IzHRzAbIVIjgjvyRQc7EQlRKvZ8P9um/WG1ypyyA2l
+ C9MWz6NsMGowDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
+ VR0OBBYEFHz4UuVKCNX8/hsZCcdTlmWnSCGXMCUGA1UdEQQeMByCGnJvb3QubGlu
+ a2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0gAMEUCIGAiz3yNhboVdze1
+ sNFcFL2GF5WwW9z53u03UkPkiuBTAiEA4ZHWZJVGV5VAQArL5v32HeH/IjC1ssGl
+ 7Y8D0rQqkis=
+ -----END CERTIFICATE-----
+ webhookPEM: |
+ -----BEGIN CERTIFICATE-----
+ MIIBlDCCATqgAwIBAgIRAP9aY0pRwkDnXqi3FwKmfZowCgYIKoZIzj0EAwIwKDEm
+ MCQGA1UEAxMdd2ViaG9vay5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjIxMDI3
+ MDUxNTE0WhcNMjQxMDI1MDkxNTE0WjAoMSYwJAYDVQQDEx13ZWJob29rLmxpbmtl
+ cmQuY2x1c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIGSt6Th
+ 62wgjM5dRbZLa9YwPQAm/T2QnTzzrAUm+GeqvKfBhpPMGX6+91/x20X0uV26LvKz
+ YV1wVMs7tuPZioijRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/
+ AgEBMB0GA1UdDgQWBBQWV6+eqRWOPyLWz9s0HT96MOr01zAKBggqhkjOPQQDAgNI
+ ADBFAiBTBFuIJUBEI5T2unrnFhM+Bj0rZFfuxQqEwD6+z2YRzwIhAOINkH5u7Z8M
+ zIVl06Biq2N+MO4TJ+CSS1C1w/22CDru
+ -----END CERTIFICATE-----
+ identityIssuerPEM: ""
+ secretScheme: kubernetes.io/tls
+ crds:
+ version: 1.4.0
+ multicluster:
+ version: 30.2.0
+ enabled: false
+ viz:
+ enabled: false
+ jaeger:
+ enabled: false
diff --git a/values/linkerd/manifests/linkerd.yaml b/values/linkerd/manifests/linkerd.yaml
new file mode 100644
index 00000000..4ce296aa
--- /dev/null
+++ b/values/linkerd/manifests/linkerd.yaml
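Review bot: The `webhookPEM` certificate appears to be expired: decoding the DER validity fields encoded in its second and third base64 lines gives notBefore 2022-10-27T05:15:14Z and notAfter 2024-10-25T09:15:14Z, i.e. before this commit's date, whereas `trustAnchorPEM` decodes to a notAfter of 2031-04-07. The values template feeds `webhookPEM` into `caBundle` for the proxy injector and both validators, and Go's X.509 verifier in the API server also checks the validity window of the root it is handed, so webhook calls chained to this CA would fail TLS verification; regenerate the bundle from the CA that actually issues the external `linkerd-*-k8s-tls` secrets before merging. Committing CA certificates is fine (public material), but record the expiry next to each PEM so rotation is visible in review, e.g. `# CA for the linkerd admission webhooks; expires 2024-10-25 — rotate together with the linkerd-*-k8s-tls secrets`, and annotate `identityIssuerPEM: ""` with `# empty: the issuer comes from the external kubernetes.io/tls secret`.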
@@ -0,0 +1,85 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: linkerd
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "5"
+spec:
+ destination:
+ namespace: linkerd
+ server: 'https://kubernetes.default.svc'
+ sources:
+ - repoURL: {{ .Values.clusterConfig.manifests }}
+ targetRevision: HEAD
+ path: helmfile.d
+ plugin:
+ name: helmfile-cmp
+ env:
+ - name: CLUSTER_NAME
+ value: {{ .Values.clusterConfig.cluster }}
+ - name: HELMFILE_ENVIRONMENT
+ value: default
+ - name: HELMFILE_FILE_PATH
+ value: linkerd.yaml.gotmpl
+ project: sys
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ component: sys
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ - ServerSideApply=true
+ {{- if .Values.linkerd.autosync }}
+ automated:
+ prune: true
+ # selfHeal: false
+ {{- end }}
+ ignoreDifferences:
+ - group: batch
+ kind: CronJob
+ jsonPointers:
+ - /spec/schedule
+ - kind: Secret
+ name: linkerd-proxy-injector-k8s-tls
+ jsonPointers:
+ - /data/tls.crt
+ - /data/tls.key
+ - kind: Secret
+ name: linkerd-sp-validator-k8s-tls
+ jsonPointers:
+ - /data/tls.crt
+ - /data/tls.key
+ - kind: Secret
+ name: linkerd-tap-k8s-tls
+ jsonPointers:
+ - /data/tls.crt
+ - /data/tls.key
+ - kind: Secret
+ name: linkerd-policy-validator-k8s-tls
+ jsonPointers:
+ - /data/tls.crt
+ - /data/tls.key
+ - group: admissionregistration.k8s.io
+ kind: MutatingWebhookConfiguration
+ name: linkerd-proxy-injector-webhook-config
+ jqPathExpressions:
+ - '.webhooks[0].clientConfig.caBundle'
+ - group: admissionregistration.k8s.io
+ kind: ValidatingWebhookConfiguration
+ name: linkerd-sp-validator-webhook-config
+ jqPathExpressions:
+ - '.webhooks[0].clientConfig.caBundle'
+ - group: admissionregistration.k8s.io
+ kind: ValidatingWebhookConfiguration
+ name: linkerd-policy-validator-webhook-config
+ jqPathExpressions:
+ - '.webhooks[0].clientConfig.caBundle'
+ - group: apiregistration.k8s.io/v1
+ 
kind: APIService
+ name: v1alpha1.tap.linkerd.io
+ jsonPointers:
+ - /spec/caBundle
+{{- end }}
diff --git a/values/linkerd/values/linkerd.yaml.gotmpl b/values/linkerd/values/linkerd.yaml.gotmpl
new file mode 100644
index 00000000..47413e35
--- /dev/null
+++ b/values/linkerd/values/linkerd.yaml.gotmpl
@@ -0,0 +1,17 @@
+identityTrustAnchorsPEM: {{- .Values.linkerd.trustAnchorPEM | toYaml | indent 7 }}
+identity:
+ issuer:
+ scheme: {{ .Values.linkerd.secretScheme }}
+ {{- if .Values.linkerd.identityIssuerPEM }}
+ tls:
+ crtPEM: {{- .Values.linkerd.identityIssuerPEM | toYaml | indent 14 }}
+ {{- end }}
+policyValidator:
+ externalSecret: true
+ caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
+proxyInjector:
+ externalSecret: true
+ caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
+profileValidator:
+ externalSecret: true
+ caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}
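Review bot: The final `ignoreDifferences` entry uses `group: apiregistration.k8s.io/v1`, but Argo CD matches `group` on the API group without the version (as the other entries do with `batch` and `admissionregistration.k8s.io`), so the APIService `caBundle` will not be ignored: with `automated.prune` and `ServerSideApply`, an externally injected bundle shows as drift and is re-applied from the chart on the next automated sync. Change it to `group: apiregistration.k8s.io`. Separately, `targetRevision: HEAD` combined with automated sync means any push to the repository's default branch is applied to the mesh control plane immediately; for a `sys` project release consider pinning to a protected branch or a tag. A one-line comment at the top, `# Rendered only where clusterConfig.argo.enabled; the tap/APIService entries appear to belong to the viz extension, which the default env disables`, would explain the `{{- if }}` wrapper and the otherwise-unused entries.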
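Review bot: With `externalSecret: true` on all three webhooks and `identityIssuerPEM` empty in the default env, the chart generates no TLS material at all: the `linkerd-proxy-injector-k8s-tls`, `linkerd-sp-validator-k8s-tls` and `linkerd-policy-validator-k8s-tls` secrets and the identity issuer secret must already exist in the `linkerd` namespace, and nothing in this file says what provisions them or that they must chain to `linkerd.webhookPEM`. Add a header comment such as `# No certs are generated by the chart (externalSecret / kubernetes.io/tls scheme): the linkerd-*-k8s-tls and identity issuer secrets are provisioned out of band and must be issued by the CA in linkerd.webhookPEM` so a failed first sync on a fresh cluster is understood. As far as I recall the control-plane chart, `identity.issuer.tls.crtPEM` is only consumed when the scheme is `linkerd.io/tls`, so the guarded `crtPEM` block under `scheme: kubernetes.io/tls` may be dead code — worth confirming against the chart's identity template before relying on it.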