wip: Match chart to k8s state

values/argo/manifests/argo.yaml

@@ -12,13 +12,18 @@ spec:
     server: 'https://kubernetes.default.svc'
   sources:
   - repoURL: {{ .Values.clusterConfig.manifests }}
-    targetRevision: HEAD
-    path: helmfiles/argocd
+    # targetRevision: HEAD
+    targetRevision: mrtz/helmify
+    path: helmfile.d
     plugin:
-      name: helmfile
+      name: helmfile-cmp
       env:
       - name: CLUSTER_NAME
         value: {{ .Values.clusterConfig.cluster }}
+      - name: HELMFILE_ENVIRONMENT
+        value: default
+      - name: HELMFILE_FILE_PATH
+        value: argo.yaml.gotmpl
   project: sys
   syncPolicy:
     managedNamespaceMetadata:
@@ -27,6 +32,7 @@ spec:
     syncOptions:
       - CreateNamespace=true
       - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
     {{- if .Values.argocd.autosync }}
     automated:
       prune: true

values/argo/manifests/nodeport.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: argocd-server-nodeport
+  namespace: argocd
+spec:
+  clusterIP: 10.102.84.163
+  clusterIPs:
+  - 10.102.84.163
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - name: http
+    nodePort: 30290
+    port: 80
+    targetPort: 8080
+  - name: https
+    nodePort: 31261
+    port: 443
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/instance: argocd
+    app.kubernetes.io/name: argocd-server
+  type: NodePort

values/argo/manifests/sys-project.yaml

@@ -0,0 +1,84 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: sys
+  namespace: argocd
+spec:
+  clusterResourceWhitelist:
+  - group: '*'
+    kind: '*'
+  description: sys components project
+  destinations:
+  - namespace: argocd
+    server: https://kubernetes.default.svc
+  - namespace: kube-system
+    server: https://kubernetes.default.svc
+  - namespace: ingress-nginx
+    server: https://kubernetes.default.svc
+  - namespace: serit-operator
+    server: https://kubernetes.default.svc
+  - namespace: prometheus
+    server: https://kubernetes.default.svc
+  - namespace: cnpg
+    server: https://kubernetes.default.svc
+  - namespace: cert-manager
+    server: https://kubernetes.default.svc
+  - namespace: kubernetes-dashboard
+    server: https://kubernetes.default.svc
+  - namespace: rabbitmq
+    server: https://kubernetes.default.svc
+  - namespace: sealed-secrets
+    server: https://kubernetes.default.svc
+  - namespace: gitlab
+    server: https://kubernetes.default.svc
+  - namespace: thanos
+    server: https://kubernetes.default.svc
+  - namespace: linkerd
+    server: https://kubernetes.default.svc
+  - namespace: linkerd-multicluster
+    server: https://kubernetes.default.svc
+  - namespace: observability
+    server: https://kubernetes.default.svc
+  - namespace: kyverno
+    server: https://kubernetes.default.svc
+  - namespace: velero
+    server: https://kubernetes.default.svc
+  - namespace: loki
+    server: https://kubernetes.default.svc
+  - namespace: x509-exporter
+    server: https://kubernetes.default.svc
+  - namespace: mariadb-operator
+    server: https://kubernetes.default.svc
+  - namespace: cilium-spire
+    server: https://kubernetes.default.svc
+  - namespace: cilium-test
+    server: https://kubernetes.default.svc
+  - namespace: cilium-secrets
+    server: https://kubernetes.default.svc
+  sourceRepos:
+  - https://argoproj.github.io/argo-helm
+  - https://kubernetes-sigs.github.io/metrics-server/
+  - https://gitlab.com/oceanbox/manifests.git
+  - https://gitlab.com/serit/k8s/serit-platform.git
+  - https://gitlab.com/serit/k8s/serit-platform-values.git
+  - https://gitlab.com/serit/k8s/serit-platform-manifests.git
+  - https://gitlab.com/serit/k8s/serit-operator.git
+  - https://kubernetes.github.io/ingress-nginx
+  - https://cloudnative-pg.github.io/charts
+  - https://charts.jetstack.io
+  - https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
+  - https://github.com/kubernetes/dashboard
+  - https://bitnami-labs.github.io/sealed-secrets
+  - https://prometheus-community.github.io/helm-charts
+  - https://github.com/prometheus-community/helm-charts.git
+  - https://charts.gitlab.io/
+  - https://charts.bitnami.com/bitnami
+  - https://helm.linkerd.io/stable
+  - https://github.com/jaegertracing/jaeger-operator
+  - https://kyverno.github.io/kyverno/
+  - https://vmware-tanzu.github.io/helm-charts
+  - https://grafana.github.io/helm-charts
+  - https://charts.enix.io
+  - https://helm.mariadb.com/mariadb-operator
+  - https://helm.cilium.io
+  - https://chartmuseum.github.io/charts

values/argo/values.yaml.gotmpl

@@ -8,12 +8,28 @@ argo:
     enabled: false
 
 argocd:
+  autosync: true
+  ingress:
+    enabled: true
+  adminLogin: false
+  kustomizeHelmSupport: false
+  applicationset_webhook:
+    enabled: false
   anyNamespaces:
     enabled: false
     glob: ""
+  resources:
+    controller:
+      memory: 2000Mi
+      cpu: 250m
   repoServers:
   - name: "helmfile-cmp"
     image: "registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest"
-    imagePullSecret: []
+    imagePullSecrets:
+      - gitlab-pull-secret
+  - name: "kustomize-helm-with-rewrite"
+    image: "registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest"
+    imagePullSecrets:
+      - gitlab-pull-secret
   additional_rbac_settings:
   - g, "eb17a659-4ce6-41bc-9153-d9b117c44479", role:org-admin

values/argo/values/argocd.yaml.gotmpl

@@ -135,10 +135,10 @@ controller:
       enabled: true
   resources:
     limits:
-      memory: "1000Mi"
+      memory: {{ .Values.argocd.resources.controller.memory  | default "1000Mi" }}
     requests:
-      cpu: "250m"
-      memory: "1000Mi"
+      cpu: {{ .Values.argocd.resources.controller.cpu  | default "250m" }}
+      memory: {{ .Values.argocd.resources.controller.memory  | default "1000Mi" }}
 
 # Mount azure ca as file for SAML auth
 dex:
@@ -175,6 +175,25 @@ repoServer:
       enabled: true
   {{- range .Values.argocd.repoServers }}
   extraContainers:
+  - command:
+    - /var/run/argocd/argocd-cmp-server
+    image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
+    imagePullPolicy: Always
+    name: helmfile-cmp
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 999
+    terminationMessagePath: /dev/termination-log
+    terminationMessagePolicy: File
+    volumeMounts:
+    - mountPath: /var/run/argocd
+      name: var-files
+    - mountPath: /home/argocd/cmp-server/plugins
+      name: plugins
+    - mountPath: /tmp
+      name: cmp-tmp
+    - mountPath: /helm-working-dir
+      name: helm-working-dir
   - command:
     - /var/run/argocd/argocd-cmp-server
     image: {{ .image }}
@@ -196,10 +215,40 @@ repoServer:
   - name: cmp-tmp
     emptyDir: {}
   imagePullSecrets:
-    {{- range .imagePullSecret }}
-    - name: {{ .name }}
+    {{- range .imagePullSecrets }}
+    - name: {{ . }}
     {{- end }}
   {{- end }}
+  initContainers:
+  - command:
+    - /bin/sh
+    - /plugin/init-helm-repos.sh
+    env:
+    - name: OCEANBOX_HELM_ACCESS_TOKEN
+      valueFrom:
+        secretKeyRef:
+          key: token
+          name: oceanbox-helm
+          optional: false
+    image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
+    imagePullPolicy: Always
+    name: init-helm-repos
+    resources: {}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      runAsUser: 999
+      seccompProfile:
+        type: RuntimeDefault
+    terminationMessagePath: /dev/termination-log
+    terminationMessagePolicy: File
+    volumeMounts:
+    - mountPath: /helm-working-dir
+      name: helm-working-dir
 
 # Configuration for argocd server instance
 server: