wip: towards a helmfile based config scheme

2025-05-13 16:08:16 +02:00
parent abba0999e2
commit aadc6cb305
22 changed files with 607 additions and 302 deletions
+12 -297
@@ -10,304 +10,19 @@ spec:
namespace: argocd
server: 'https://kubernetes.default.svc'
sources:
- path: {{ .Values.cluster_config.policies }}/argocd
repoURL: {{ .Values.cluster_config.manifests }}
- repoURL: {{ .Values.cluster_config.manifests }}
targetRevision: HEAD
- repoURL: 'https://argoproj.github.io/argo-helm'
targetRevision: {{ .Values.argocd.version }}
chart: argo-cd
helm:
values: |
global:
domain: argocd.{{ .Values.cluster_config.domain }}
## ArgoCD configuration
## Ref: https://github.com/argoproj/argo-cd
##
configs:
{{- if .Values.argocd.anyNamespaces.enabled }}
params:
applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
# TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
applicationsetcontroller.enable.scm.providers: "false"
application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
{{- end }}
cm:
application.resourceTrackingMethod: annotation+label
application.instanceLabelKey: app.kubernetes.io/instance
create: true
# NOTE(kai): callback URL for dex
url: "https://argocd.{{ .Values.cluster_config.domain }}"
resource.compareoptions: |
ignoreAggregatedRoles: true
resource.exclusions: |
- apiGroups:
- cilium.io
kinds:
- CiliumIdentity
clusters:
- "*"
- apiGroups:
- kyverno.io
kinds:
- AdmissionReport
- BackgroundScanReport
- ClusterAdmissionReport
- ClusterBackgroundScanReport
clusters:
- "*"
# dex saml config
dex.config: |
logger:
level: debug
format: json
connectors:
{{- with .Values.cluster_config.oidc }}
{{- range . }}
{{- if eq .provider "azuread" }}
- type: oidc
id: {{ .name }}
name: {{ .name }}
config:
issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0
clientID: ${{ .name | replace "-" "_" }}_client_id
clientSecret: ${{ .name | replace "-" "_" }}_client_secret
insecureSkipEmailVerified: true
requestedIDTokenClaims:
groups:
essential: true
insecureEnableGroups: true
requestedScopes:
- openid
- profile
- email
- groups
{{- else if eq .provider "github" }}
- type: github
id: {{ .name }}
name: {{ .name }}
config:
clientID: ${{ .name | replace "-" "_" }}_client_id
clientSecret: ${{ .name | replace "-" "_" }}_client_secret
redirectURI: https://argocd.{{ $.Values.cluster_config.domain }}/api/dex/callback
orgs:
- name: {{ .allowed_organizations }}
loadAllGroups: true
teamNameField: slug
useLoginAsID: false
staticClients:
- id: ${{ .name | replace "-" "_" }}_client_id
name: Kubernetes
# These are kubectl oidc plugin internal URLs
redirectURIs:
- http://localhost:8000
- http://localhost:18000
# Random secret for the user to authenticat dex client
secret: 8d52926efe879ee505391b75f4b046cf
{{- end }}
{{- end }}
{{- end }}
admin.enabled: '{{ .Values.argocd.adminLogin }}'
rbac:
# NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
policy.csv: |
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, projects, *, *, allow
p, role:org-admin, logs, get, *, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, clusters, update, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, repositories, create, *, allow
p, role:org-admin, repositories, update, *, allow
p, role:org-admin, repositories, delete, *, allow
g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin
{{- if .Values.cluster_config.external_access.enabled }}
p, role:external-admin, applications, *, sys/*, deny
p, role:external-admin, applications, *, oxb/*, deny
p, role:external-admin, applications, *, */*, allow
p, role:external-admin, projects, *, oxb, deny
p, role:external-admin, projects, *, sys, deny
p, role:external-admin, projects, get, *, allow
p, role:external-admin, logs, get, *, allow
p, role:external-admin, clusters, get, *, allow
p, role:external-admin, repositories, get, *, allow
p, role:external-admin, repositories, create, *, allow
p, role:external-admin, repositories, update, *, allow
p, role:external-admin, repositories, delete, *, allow
g, "{{ .Values.cluster_config.external_access.admin_group }}", role:external-admin
{{- end }}
{{- if .Values.cluster_config.external_access.enabled }}
{{- range .Values.cluster_config.external_access.groups }}
{{- "\n" -}}
{{- $name := .name }}
p, role:{{$name}}, projects, get, {{$name}}, allow
p, role:{{$name}}, applications, get, {{$name}}/*, allow
p, role:{{$name}}, logs, get, {{$name}}/*, allow
{{- range .group_id }}
g, {{ . }}, role:{{$name}}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.argocd.additional_rbac_settings }}
{{- range .}}
{{ . }}
{{- end }}
{{- end }}
repositories:
# Repositories for applications
argo-helm:
type: helm
url: https://argoproj.github.io/argo-helm
# UI changes based on env
styles: |
/* blue, orange, red depending on env */
:root {
--test-color: #0f2cbd;
--dev-color: #33b025;
--staging-color: #ebac2f;
--prod-color: #ff000d;
}
.top-bar__breadcrumbs::after {
content: "cluster: {{.Values.cluster_config.cluster}}, env: {{.Values.cluster_config.env}} ";
color: var(--{{.Values.cluster_config.env}}-color);
font-weight: bolder;
font-size: larger;
position: fixed;
left: 50%;
}
controller:
metrics:
enabled: true
serviceMonitor:
enabled: true
resources:
limits:
memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
requests:
cpu: {{ .Values.argocd.resources.controller.cpu | default "250m" }}
memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
# Mount azure ca as file for SAML auth
dex:
metrics:
enabled: true
serviceMonitor:
enabled: true
{{- with .Values.cluster_config.oidc }}
env:
{{- range . }}
- name: {{ .name | replace "-" "_" }}_client_secret
valueFrom:
secretKeyRef:
name: {{ .secret_ref.name }}
key: client_secret
- name: {{ .name | replace "-" "_" }}_client_id
valueFrom:
secretKeyRef:
name: {{ .secret_ref.name }}
key: client_id
{{- end }}
{{- end }}
redis:
metrics:
enabled: true
serviceMonitor:
enabled: true
repoServer:
metrics:
enabled: true
serviceMonitor:
enabled: true
{{- if .Values.argocd.repoServer.cmp.enabled }}
extraContainers:
- command:
- /var/run/argocd/argocd-cmp-server
image: {{ .Values.argocd.repoServer.cmp.image }}
imagePullPolicy: Always
name: {{ .Values.argocd.repoServer.cmp.name }}
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
{{- with .Values.argocd.repoServer.cmp.initContainers }}
initContainers:
{{- toYaml . | nindent 10}}
{{- end }}
volumes:
- name: cmp-tmp
emptyDir: {}
{{- if .Values.argocd.repoServer.cmp.imagePullSecret }}
imagePullSecrets:
{{- range .Values.argocd.repoServer.cmp.imagePullSecret}}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
# Configuration for argocd server instance
server:
metrics:
enabled: true
serviceMonitor:
enabled: true
ingress:
enabled: {{ .Values.argocd.ingress.enabled }}
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
{{- with .Values.cluster_config.ingress_whitelist_ips }}
nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
{{- end }}
hosts:
- "argocd.{{ .Values.cluster_config.domain }}"
tls:
- secretName: argocd-tls
hosts:
- "argocd.{{ .Values.cluster_config.domain }}"
applicationSet:
metrics:
enabled: true
serviceMonitor:
enabled: true
{{- if .Values.argocd.anyNamespaces.enabled }}
allowAnyNamespaces: true
{{- end }}
ingress:
enabled: {{ .Values.argocd.applicationset_webhook.enabled }}
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
# {{- with .Values.cluster_config.ingress_whitelist_ips}}
# NOTE(kai): include gitlab and github webhook ranges
# nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24
# {{- end }}
hostname: "argocd-applicationset.{{ .Values.cluster_config.domain }}"
tls:
- secretName: argocd-applicationset-tls
hosts:
- "argocd-applicationset.{{ .Values.cluster_config.domain }}"
notifications:
metrics:
enabled: true
serviceMonitor:
enabled: true
secret:
create: false
cm:
create: false
path: helmfiles/argocd
plugin:
name: helmfile
env:
- name: CLUSTER
value: {{ .Values.cluster_config.name }}
- name: ENVIRONMENT
value: {{ .environment }}
{{/* - repoURL: {{ .Values.cluster_config.manifests }} */}}
{{/* path: {{ .Values.cluster_config.policies }}/argocd */}}
{{/* targetRevision: HEAD */}}
project: sys
syncPolicy:
managedNamespaceMetadata:
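Review bot: The two plugin env values on the new side, `value: {{ .Values.cluster_config.name }}` and `value: {{ .environment }}`, are unquoted, so a value that YAML types as a number, boolean or null (or an empty expansion) renders an `env[].value` that is not a string and can be rejected by the Application CRD schema on apply. Quote both: `value: "{{ .Values.cluster_config.name }}"` and `value: "{{ .environment }}"`. `.environment` is not a standard Helm top-level object, so this presumably relies on whatever renders this template exposing it; a short comment naming where it comes from would help the next reader. The three `{{/* ... */}}` lines below keep a dead source entry in the file; either drop them or replace them with a one-line comment describing the intended migration.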
+7 -5
@@ -8,11 +8,13 @@ export HELMFILE_TEMPDIR=/tmp/helmfile/tmp
env > /tmp/$ARGOCD_APP_NAME.env
if [[ -v ENV_NAME ]]; then
helmfile -n "$ARGOCD_APP_NAMESPACE" -e $ENV_NAME template --include-crds -q
elif [[ -v ARGOCD_ENV_ENV_NAME ]]; then
helmfile -n "$ARGOCD_APP_NAMESPACE" -e "$ARGOCD_ENV_ENV_NAME" template --include-crds -q
if [[ -v ENVIRONMENT ]]; then
ARGS="-e $ENVIRONMENT"
elif [[ -v ARGOCD_ENV_ENVIRONMENT ]]; then
ARGS="-e $ARGOCD_ENV_ENVIRONMENT "
else
helmfile -n "$ARGOCD_APP_NAMESPACE" template --include-crds -q
ARGS=""
fi
helmfile -n "$ARGOCD_APP_NAMESPACE" $ARGS template --include-crds -q
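Review bot: `ARGS="-e $ENVIRONMENT"` / `ARGS="-e $ARGOCD_ENV_ENVIRONMENT "` is expanded unquoted on the final `helmfile -n "$ARGOCD_APP_NAMESPACE" $ARGS template ...` line, so it is word-split and an environment name containing whitespace or beginning with `-` becomes additional helmfile flags instead of a single `-e` argument. `ARGOCD_ENV_*` variables are copied from the Application's `plugin.env`, i.e. they come from whoever can create Applications, so with `application.namespaces` opened up the name should be validated against a strict pattern rather than trusted; pass the arguments as a bash array and reject names that do not match `[A-Za-z0-9_.-]+`. The trailing space in `"-e $ARGOCD_ENV_ENVIRONMENT "` is only harmless because of the word-splitting and disappears with the array. The enclosing script starts before this hunk (line 8), so whether `set -euo pipefail` is in effect is not visible here; the rewrite below assumes bash 4.4+, where an empty array survives `set -u`.
```shell
# … unchanged: env dump above …
if [[ -v ENVIRONMENT ]]; then
  env_name="$ENVIRONMENT"
elif [[ -v ARGOCD_ENV_ENVIRONMENT ]]; then
  env_name="$ARGOCD_ENV_ENVIRONMENT"
else
  env_name=""
fi
args=()
if [[ -n "$env_name" ]]; then
  # Only plain environment names are accepted; anything else would be
  # passed to helmfile as extra arguments.
  if [[ ! "$env_name" =~ ^[A-Za-z0-9_.-]+$ ]]; then
    echo "invalid helmfile environment name: $env_name" 1>&2
    exit 1
  fi
  args=(-e "$env_name")
fi
helmfile -n "$ARGOCD_APP_NAMESPACE" "${args[@]}" template --include-crds -q
```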
Executable
+41
@@ -0,0 +1,41 @@
#!/usr/bin/env bash
cmd=$1
chart=$2
env=$3
dir=_manifests
build() {
if [ ! -d "manifests" ]; then
echo "nothing to do here..."
exit 0
fi
mkdir -p $dir/templates
echo "generating $dir/Chart.yaml" 1>&2
cat <<EOF > $dir/Chart.yaml
apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Kubernetes
name: $chart
version: 0.1.0
EOF
echo $env 1>&2
echo $chart 1>&2
cp -r manifests/* $dir/templates
}
clean() {
rm -rf $dir
}
case "$cmd" in
"build" ) build ;;
"clean" ) clean ;;
* ) echo "unsupported command: $cmd" 1>&2; exit 1 ;;
esac
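Review bot: `build` expands `$dir`, `$chart` and `$env` unquoted (`mkdir -p $dir/templates`, `cp -r manifests/* $dir/templates`, `echo $env 1>&2`) and the script has no `set -euo pipefail`, so a failed `mkdir` or `cp` still lets the hook exit 0 and helmfile goes on to template an incomplete `_manifests` chart. Add `set -euo pipefail` after the shebang and quote the expansions, `mkdir -p "$dir/templates"` and `cp -r manifests/. "$dir/templates"` (the `/.` form also handles an empty `manifests` directory instead of failing on an unexpanded glob). `$chart` is written into `Chart.yaml` as a plain scalar at `name: $chart`; it presumably arrives from the helmfile hook's `{{.Release.Chart}}` argument and is always `_manifests`, but `name: "$chart"` costs nothing and keeps the generated YAML valid for any name. The two `echo $env 1>&2` / `echo $chart 1>&2` lines read as leftover debug output and could go once the hook is stable.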
Executable
+8
@@ -0,0 +1,8 @@
#!/usr/bin/env bash
if [[ -f base/kustomization.yaml ]]; then
cat >base/_manifest.yaml
kubectl kustomize base
else
cat
fi
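Review bot: The post-renderer has no `set -euo pipefail`, so if `cat >base/_manifest.yaml` fails (read-only checkout, full disk) the script still runs `kubectl kustomize base` against a stale or missing `_manifest.yaml` and hands that output back to helmfile as the rendered release. Add `set -euo pipefail` as the second line so a write failure aborts the render. The rendered manifests are also written into the source tree and left there; if this runs inside a reused Argo CD repo checkout, a `trap 'rm -f base/_manifest.yaml' EXIT` keeps the working copy clean between renders — hedged, since it depends on how the plugin sidecar obtains the repository. The `else cat` branch is the intended pass-through for releases without an overlay and is fine as written.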
+11
@@ -0,0 +1,11 @@
apiVersion: v1
kind: Secret
metadata:
annotations:
kyverno/clone: "true"
kyverno/env: "prod"
name: prod-atlantis-rabbitmq
type: Opaque
data:
foo: |
bar: raboof
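Review bot: The value under `data:` is the block scalar `bar: raboof\n`, but `data` in a `Secret` holds base64-encoded bytes, so the API server rejects this manifest with an illegal-base64 error. If a plain-text value is intended, use `stringData:` instead of `data:`, which Kubernetes encodes on write. The `kyverno/clone` and `kyverno/env` annotations suggest this is a fixture a clone policy picks up; it still lands in the cluster as a real Secret, so any non-placeholder value here would be committed to VCS in clear text — worth a comment stating that only placeholder content belongs in this file.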
+5
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- _manifest.yaml
- foo.yaml
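Review bot: `_manifest.yaml` in `resources` is not a checked-in file but the output the post-renderer writes at render time (`cat >base/_manifest.yaml`), so `kubectl kustomize base` run by hand fails until a render has happened. A one-line comment above it, `# _manifest.yaml is generated by bin/kustomizer at render time; do not commit it`, plus a `.gitignore` entry would make that explicit.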
+32
@@ -0,0 +1,32 @@
repositories:
- name: argo
url: https://argoproj.github.io/argo-helm
environments:
default:
values:
- ../../apps/values.yaml
- ../../values/sys/values-{{ requiredEnv "CLUSTER" }}.yaml
helmDefaults:
postRenderer: ../../bin/kustomizer
releases:
- name: argocd
namespace: argocd
chart: argo/argo-cd
values:
- values.yaml.gotmpl
- name: argocd-extras
namespace: argocd
chart: _manifests
values:
- values.yaml.gotmpl
hooks:
- events: [ "prepare", "cleanup" ]
showlogs: true
command: "../../bin/helmify"
args:
- "{{`{{if eq .Event.Name \"prepare\"}}build{{else}}clean{{end}}`}}"
- "{{`{{.Release.Chart}}`}}"
- "{{`{{.Environment.Name}}`}}"
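Review bot: The `argocd` release has `chart: argo/argo-cd` with no `version:`, so every helmfile render resolves the newest chart published in the `argo` repository and an upstream chart release changes the live Argo CD install without any commit in this repository; the Application this replaces pinned `targetRevision: {{ .Values.argocd.version }}`. Pin it, e.g. `version: '{{ .Values | get "argocd.version" "<PINNED_CHART_VERSION>" }}'` if `argocd.version` is still present in the values files, or a quoted literal version. The hook `events: [ "prepare", "cleanup" ]` is valid, but the rest of the file is block style; `- prepare` / `- cleanup` as a block sequence would be consistent. The `argocd-extras` release points at `chart: _manifests`, which only exists after the `prepare` hook has run; a comment above the release saying so would save the next reader a search.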
@@ -0,0 +1,14 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-applicationset-ingress
namespace: argocd
spec:
description: Allow access from the ingress controller
endpointSelector:
matchLabels:
app.kubernetes.io/component: applicationset-controller
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
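Review bot: The ingress rule allows any pod in `ingress-nginx` to reach the applicationset controller on every port, including its metrics port, because there is no `toPorts` block; the same shape is used in `allow-chartmuseum-ingress` and `allow-ingress` below. Add a `toPorts:` entry under `fromEndpoints` limited to the port the ingress actually forwards to (the webhook port for this controller), so the namespace label is not the only control. `description: Allow access from the ingress controller` is reused verbatim by `allow-ingress`; naming the target component in each description keeps the two distinguishable in policy listings and logs.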
@@ -0,0 +1,13 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-argo-notifications
namespace: argocd
spec:
description: Allow access to the ArgoCD Notifications
egress:
- toFQDNs:
- matchName: slack.com
endpointSelector:
matchLabels:
app.kubernetes.io/component: notifications-controller
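Review bot: The egress rule to `slack.com` has no `toPorts`, so the notifications controller may open any port on that host; add `toPorts: - ports: - port: "443"` with `protocol: TCP` under the `toFQDNs` entry, and the same in `allow-image-updater-repo-access` (`ghcr.io`) and `allow-microsoft-sso`. `toFQDNs` is also only effective when the selected pods' DNS queries pass through Cilium's DNS proxy, which requires an egress rule to kube-dns carrying an L7 `dns` rule; no such rule is part of this commit, so presumably it exists cluster-wide — a comment in the policy saying where would make that dependency explicit.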
@@ -0,0 +1,13 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-argo-repo-access-applicationset
namespace: argocd
spec:
description: Allow access to the ArgoCD repo Applicationset
egress:
- toEntities:
- world
endpointSelector:
matchLabels:
app.kubernetes.io/component: applicationset-controller
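Review bot: `toEntities: - world` with no `toPorts` lets the applicationset controller open any port on any address outside the cluster; the same shape is in `allow-argo-repo-access` for the repo server below. Git and Helm repositories are reached over HTTPS (and SSH where used), so add a `toPorts:` block restricting to `"443"` (plus `"22"` only if SSH remotes are in use), `protocol: TCP`. Where the set of SCM and registry hosts is known, `toFQDNs` as used by the neighbouring policies is tighter than `world`.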
@@ -0,0 +1,13 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-argo-repo-access
namespace: argocd
spec:
description: Allow access to the ArgoCD repo server
egress:
- toEntities:
- world
endpointSelector:
matchLabels:
app.kubernetes.io/component: repo-server
@@ -0,0 +1,14 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-chartmuseum-ingress
namespace: argocd
spec:
description: Allow access to the chartmuseum ingress
endpointSelector:
matchLabels:
app.kubernetes.io/name: chartmuseum
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,13 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-image-updater-repo-access
namespace: argocd
spec:
description: Allow argoCD image updater to access github container registry
egress:
- toFQDNs:
- matchName: ghcr.io
endpointSelector:
matchLabels:
app.kubernetes.io/name: argocd-image-updater
@@ -0,0 +1,14 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-ingress
namespace: argocd
spec:
description: Allow access from the ingress controller
endpointSelector:
matchLabels:
app.kubernetes.io/component: server
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,16 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-kube-api
namespace: argocd
spec:
description: Allow access to the Kube API server
egress:
- toEntities:
- kube-apiserver
toPorts:
- ports:
- port: "6443"
protocol: TCP
endpointSelector:
matchLabels: {}
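Review bot: `endpointSelector: matchLabels: {}` selects every pod in `argocd`, and because this policy carries an `egress` section Cilium places all of them in egress default-deny; nothing in this commit allows egress to kube-dns on port 53, so unless a cluster-wide policy does, name resolution for the whole namespace breaks and the `toFQDNs` rules in the sibling policies can never match (FQDN policies need the queries to pass Cilium's DNS proxy). Add an egress rule to the DNS pods with an L7 `dns` rule, either here or in a dedicated `allow-dns` policy, as sketched below. If a `CiliumClusterwideNetworkPolicy` already covers DNS this is a no-op, but that is not visible from the commit, and a comment stating the assumption would help either way.
```yaml
  egress:
    # … unchanged: kube-apiserver egress rule …
    - toEndpoints:
        - matchLabels:
            # adjust to the labels of this cluster's DNS pods
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
```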
@@ -0,0 +1,16 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-microsoft-sso
namespace: argocd
spec:
description: Allow argoCD dex server to authenticate to microsoft online azure oatuh
egress:
- toFQDNs:
- matchName: login.microsoftonline.com
- matchPattern: '*.microsoftonline.com'
- matchName: github.com
- matchName: api.github.com
endpointSelector:
matchLabels:
app.kubernetes.io/name: argocd-dex-server
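Review bot: The policy named `allow-microsoft-sso` also allows egress to `github.com` and `api.github.com`, so the name and `description` undersell what it opens; either describe it as identity-provider egress for dex (`description: Allow the dex server to reach the configured OIDC and GitHub identity providers`) or split the GitHub entries into their own policy so enabling one provider does not open the other. `matchName: login.microsoftonline.com` appears to be already covered by `matchPattern: '*.microsoftonline.com'`. No `toPorts` is given, so every port on those hosts is reachable, while `"443"`/TCP is all the OAuth flow needs. The description also has a typo, `oatuh` → `oauth`.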
@@ -0,0 +1,18 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-prometheus-metrics-rollout
namespace: argocd
spec:
description: Allow access to the Prometheus metrics
endpointSelector:
matchLabels:
app.kubernetes.io/instance: argo-rollouts
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: prometheus
toPorts:
- ports:
- port: "8090"
protocol: TCP
@@ -0,0 +1,18 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-prometheus-metrics-workflows
namespace: argocd
spec:
description: Allow access to the Prometheus metrics
endpointSelector:
matchLabels:
app.kubernetes.io/instance: argo-workflows
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: prometheus
toPorts:
- ports:
- port: "9090"
protocol: TCP
@@ -0,0 +1,30 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-prometheus-metrics
namespace: argocd
spec:
description: Allow access to the Prometheus metrics
endpointSelector:
matchLabels:
app.kubernetes.io/instance: argocd
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: prometheus
toPorts:
- ports:
- port: "8082"
protocol: TCP
- port: "8080"
protocol: TCP
- port: "9001"
protocol: TCP
- port: "9121"
protocol: TCP
- port: "8084"
protocol: TCP
- port: "8083"
protocol: TCP
- port: "5558"
protocol: TCP
+8
@@ -0,0 +1,8 @@
generatorOptions:
disableNameSuffixHash: true
# configMapGenerator:
# - name: prod-atlantis-appsettings
# files:
# - appsettings.json
resources:
- ../base
+290
@@ -0,0 +1,290 @@
global:
domain: argocd.{{ .Values.cluster_config.domain }}
## ArgoCD configuration
## Ref: https://github.com/argoproj/argo-cd
##
configs:
{{- if .Values.argocd.anyNamespaces.enabled }}
params:
applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
# TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
applicationsetcontroller.enable.scm.providers: "false"
application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
{{- end }}
cm:
application.resourceTrackingMethod: annotation+label
application.instanceLabelKey: app.kubernetes.io/instance
create: true
# NOTE(kai): callback URL for dex
url: "https://argocd.{{ .Values.cluster_config.domain }}"
resource.compareoptions: |
ignoreAggregatedRoles: true
resource.exclusions: |
- apiGroups:
- cilium.io
kinds:
- CiliumIdentity
clusters:
- "*"
- apiGroups:
- kyverno.io
kinds:
- AdmissionReport
- BackgroundScanReport
- ClusterAdmissionReport
- ClusterBackgroundScanReport
clusters:
- "*"
# dex saml config
dex.config: |
logger:
level: debug
format: json
connectors:
{{- with .Values.cluster_config.oidc }}
{{- range . }}
{{- if eq .provider "azuread" }}
- type: oidc
id: {{ .name }}
name: {{ .name }}
config:
issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0
clientID: ${{ .name | replace "-" "_" }}_client_id
clientSecret: ${{ .name | replace "-" "_" }}_client_secret
insecureSkipEmailVerified: true
requestedIDTokenClaims:
groups:
essential: true
insecureEnableGroups: true
requestedScopes:
- openid
- profile
- email
- groups
{{- else if eq .provider "github" }}
- type: github
id: {{ .name }}
name: {{ .name }}
config:
clientID: ${{ .name | replace "-" "_" }}_client_id
clientSecret: ${{ .name | replace "-" "_" }}_client_secret
redirectURI: https://argocd.{{ $.Values.cluster_config.domain }}/api/dex/callback
orgs:
- name: {{ .allowed_organizations }}
loadAllGroups: true
teamNameField: slug
useLoginAsID: false
staticClients:
- id: ${{ .name | replace "-" "_" }}_client_id
name: Kubernetes
# These are kubectl oidc plugin internal URLs
redirectURIs:
- http://localhost:8000
- http://localhost:18000
# Random secret for the user to authenticat dex client
secret: 8d52926efe879ee505391b75f4b046cf
{{- end }}
{{- end }}
{{- end }}
admin.enabled: '{{ .Values.argocd.adminLogin }}'
rbac:
# NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
policy.csv: |
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, projects, *, *, allow
p, role:org-admin, logs, get, *, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, clusters, update, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, repositories, create, *, allow
p, role:org-admin, repositories, update, *, allow
p, role:org-admin, repositories, delete, *, allow
g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin
{{- if .Values.cluster_config.external_access.enabled }}
p, role:external-admin, applications, *, sys/*, deny
p, role:external-admin, applications, *, oxb/*, deny
p, role:external-admin, applications, *, */*, allow
p, role:external-admin, projects, *, oxb, deny
p, role:external-admin, projects, *, sys, deny
p, role:external-admin, projects, get, *, allow
p, role:external-admin, logs, get, *, allow
p, role:external-admin, clusters, get, *, allow
p, role:external-admin, repositories, get, *, allow
p, role:external-admin, repositories, create, *, allow
p, role:external-admin, repositories, update, *, allow
p, role:external-admin, repositories, delete, *, allow
g, "{{ .Values.cluster_config.external_access.admin_group }}", role:external-admin
{{- end }}
{{- if .Values.cluster_config.external_access.enabled }}
{{- range .Values.cluster_config.external_access.groups }}
{{- "\n" -}}
{{- $name := .name }}
p, role:{{$name}}, projects, get, {{$name}}, allow
p, role:{{$name}}, applications, get, {{$name}}/*, allow
p, role:{{$name}}, logs, get, {{$name}}/*, allow
{{- range .group_id }}
g, {{ . }}, role:{{$name}}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.argocd.additional_rbac_settings }}
{{- range .}}
{{ . }}
{{- end }}
{{- end }}
repositories:
# Repositories for applications
argo-helm:
type: helm
url: https://argoproj.github.io/argo-helm
# UI changes based on env
styles: |
/* blue, orange, red depending on env */
:root {
--test-color: #0f2cbd;
--dev-color: #33b025;
--staging-color: #ebac2f;
--prod-color: #ff000d;
}
.top-bar__breadcrumbs::after {
content: "cluster: {{.Values.cluster_config.cluster}}, env: {{.Values.cluster_config.env}} ";
color: var(--{{.Values.cluster_config.env}}-color);
font-weight: bolder;
font-size: larger;
position: fixed;
left: 50%;
}
controller:
metrics:
enabled: true
serviceMonitor:
enabled: true
resources:
limits:
memory: {{ .Values | get "argocd.resources.controller.memory" "1000Mi" }}
requests:
cpu: {{ .Values | get "argocd.resources.controller.cpu" "250m" }}
memory: {{ .Values | get "argocd.resources.controller.memory" "1000Mi" }}
# Mount azure ca as file for SAML auth
dex:
metrics:
enabled: true
serviceMonitor:
enabled: true
{{- with .Values.cluster_config.oidc }}
env:
{{- range . }}
- name: {{ .name | replace "-" "_" }}_client_secret
valueFrom:
secretKeyRef:
name: {{ .secret_ref.name }}
key: client_secret
- name: {{ .name | replace "-" "_" }}_client_id
valueFrom:
secretKeyRef:
name: {{ .secret_ref.name }}
key: client_id
{{- end }}
{{- end }}
redis:
metrics:
enabled: true
serviceMonitor:
enabled: true
repoServer:
metrics:
enabled: true
serviceMonitor:
enabled: true
{{- if .Values.argocd.repoServer.cmp.enabled }}
extraContainers:
- command:
- /var/run/argocd/argocd-cmp-server
image: {{ .Values.argocd.repoServer.cmp.image }}
imagePullPolicy: Always
name: {{ .Values.argocd.repoServer.cmp.name }}
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
{{- with .Values.argocd.repoServer.cmp.initContainers }}
initContainers:
{{- toYaml . | nindent 10}}
{{- end }}
volumes:
- name: cmp-tmp
emptyDir: {}
{{- if .Values.argocd.repoServer.cmp.imagePullSecret }}
imagePullSecrets:
{{- range .Values.argocd.repoServer.cmp.imagePullSecret}}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
# Configuration for argocd server instance
server:
metrics:
enabled: true
serviceMonitor:
enabled: true
ingress:
enabled: {{ .Values.argocd.ingress.enabled }}
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
{{- with .Values.cluster_config.ingress_whitelist_ips }}
nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
{{- end }}
hosts:
- "argocd.{{ .Values.cluster_config.domain }}"
tls:
- secretName: argocd-tls
hosts:
- "argocd.{{ .Values.cluster_config.domain }}"
applicationSet:
metrics:
enabled: true
serviceMonitor:
enabled: true
{{- if .Values.argocd.anyNamespaces.enabled }}
allowAnyNamespaces: true
{{- end }}
ingress:
enabled: {{ .Values.argocd.applicationset_webhook.enabled }}
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
# {{- with .Values.cluster_config.ingress_whitelist_ips}}
# NOTE(kai): include gitlab and github webhook ranges
# nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24
# {{- end }}
hostname: "argocd-applicationset.{{ .Values.cluster_config.domain }}"
tls:
- secretName: argocd-applicationset-tls
hosts:
- "argocd-applicationset.{{ .Values.cluster_config.domain }}"
notifications:
metrics:
enabled: true
serviceMonitor:
enabled: true
secret:
create: false
cm:
create: false
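Review bot: `secret: 8d52926efe879ee505391b75f4b046cf` under `staticClients` is a dex client credential committed in clear text, while the OIDC/GitHub `clientSecret` values in the same `dex.config` block are injected from Kubernetes Secrets via `${..._client_secret}` and the `dex.env` `secretKeyRef` entries; the static client should use the same mechanism (`secret: $kubernetes_client_secret` plus a matching `env` entry) or, since its redirect URIs are `localhost` kubectl plugin callbacks, be declared public if the dex version in use supports `public: true`. The comment above it, `Random secret for the user to authenticat dex client`, also has a typo (`authenticate`). `insecureSkipEmailVerified: true`, `insecureEnableGroups: true` and `logger.level: debug` are carried over unchanged and are presumably deliberate, but a one-line comment on why each is needed would stop the next reader from "fixing" them. The commented-out `whitelist-source-range` block on the applicationset webhook ingress leaves that ingress reachable from any source address; a NOTE on what gates the webhook in the meantime would document the accepted exposure. The `# dex saml config` heading describes an OIDC/GitHub configuration and the `# Mount azure ca as file for SAML auth` comment precedes a block that mounts nothing; both look stale.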
+1
@@ -13,6 +13,7 @@ in
shell = pkgs.mkShellNoCC {
name = "clstr";
nativeBuildInputs = with pkgs; [
helmfile
nixidy.nixidy
npins
nixfmt-rfc-style