From aadc6cb30552748b8ccdf3e228b0217733e85310 Mon Sep 17 00:00:00 2001 
From: Jonas Juselius Date: Tue, 13 May 2025 16:08:16 +0200 Subject: [PATCH] wip: towards a helmfile based config scheme --- apps/templates/argocd.yaml | 309 +----------------- argocd/helmfile-cmp/generate.sh | 12 +- bin/helmify | 41 +++ bin/kustomizer | 8 + helmfiles/argocd/base/foo.yaml | 11 + helmfiles/argocd/base/kustomization.yaml | 5 + helmfiles/argocd/helmfile.yaml | 32 ++ ...rkPolicy-allow-applicationset-ingress.yaml | 14 + ...etworkPolicy-allow-argo-notifications.yaml | 13 + ...allow-argo-repo-access-applicationset.yaml | 13 + ...mNetworkPolicy-allow-argo-repo-access.yaml | 13 + ...tworkPolicy-allow-chartmuseum-ingress.yaml | 14 + ...olicy-allow-image-updater-repo-access.yaml | 13 + .../CiliumNetworkPolicy-allow-ingress.yaml | 14 + .../CiliumNetworkPolicy-allow-kube-api.yaml | 16 + ...liumNetworkPolicy-allow-microsoft-sso.yaml | 16 + ...licy-allow-prometheus-metrics-rollout.yaml | 18 + ...cy-allow-prometheus-metrics-workflows.yaml | 18 + ...etworkPolicy-allow-prometheus-metrics.yaml | 30 ++ helmfiles/argocd/prod/kustomization.yaml | 8 + helmfiles/argocd/values.yaml.gotmpl | 290 ++++++++++++++++ shell.nix | 1 + 22 files changed, 607 insertions(+), 302 deletions(-) create mode 100755 bin/helmify create mode 100755 bin/kustomizer create mode 100644 helmfiles/argocd/base/foo.yaml create mode 100644 helmfiles/argocd/base/kustomization.yaml create mode 100644 helmfiles/argocd/helmfile.yaml create mode 100644 helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-applicationset-ingress.yaml create mode 100644 helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-notifications.yaml create mode 100644 helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml create mode 100644 helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-repo-access.yaml create mode 100644 helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml create mode 100644 
helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml create mode 100644 helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-ingress.yaml create mode 100644 helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-kube-api.yaml create mode 100644 helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-microsoft-sso.yaml create mode 100644 helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml create mode 100644 helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml create mode 100644 helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics.yaml create mode 100644 helmfiles/argocd/prod/kustomization.yaml create mode 100644 helmfiles/argocd/values.yaml.gotmpl diff --git a/apps/templates/argocd.yaml b/apps/templates/argocd.yaml index 9fe8b5af..89aa0eb0 100644 --- a/apps/templates/argocd.yaml +++ b/apps/templates/argocd.yaml 
@@ -10,304 +10,19 @@ spec: namespace: argocd server: 'https://kubernetes.default.svc' sources: - - path: {{ .Values.cluster_config.policies }}/argocd - repoURL: {{ .Values.cluster_config.manifests }} + - repoURL: {{ .Values.cluster_config.manifests }} targetRevision: HEAD - - repoURL: 'https://argoproj.github.io/argo-helm' - targetRevision: {{ .Values.argocd.version }} - chart: argo-cd - helm: - values: | - global: - domain: argocd.{{ .Values.cluster_config.domain }} - ## ArgoCD configuration - ## Ref: https://github.com/argoproj/argo-cd - ## - configs: - {{- if .Values.argocd.anyNamespaces.enabled }} - params: - applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}" - # TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it - applicationsetcontroller.enable.scm.providers: "false" - application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}" - {{- end }} - cm: - application.resourceTrackingMethod: annotation+label - application.instanceLabelKey: app.kubernetes.io/instance - create: true - # NOTE(kai): callback URL for dex - url: "https://argocd.{{ .Values.cluster_config.domain }}" - resource.compareoptions: | - ignoreAggregatedRoles: true - resource.exclusions: | - - apiGroups: - - cilium.io - kinds: - - CiliumIdentity - clusters: - - "*" - - apiGroups: - - kyverno.io - kinds: - - AdmissionReport - - BackgroundScanReport - - ClusterAdmissionReport - - ClusterBackgroundScanReport - clusters: - - "*" - # dex saml config - dex.config: | - logger: - level: debug - format: json - connectors: - {{- with .Values.cluster_config.oidc }} - {{- range . 
}} - {{- if eq .provider "azuread" }} - - type: oidc - id: {{ .name }} - name: {{ .name }} - config: - issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0 - clientID: ${{ .name | replace "-" "_" }}_client_id - clientSecret: ${{ .name | replace "-" "_" }}_client_secret - insecureSkipEmailVerified: true - requestedIDTokenClaims: - groups: - essential: true - insecureEnableGroups: true - requestedScopes: - - openid - - profile - - email - - groups - {{- else if eq .provider "github" }} - - type: github - id: {{ .name }} - name: {{ .name }} - config: - clientID: ${{ .name | replace "-" "_" }}_client_id - clientSecret: ${{ .name | replace "-" "_" }}_client_secret - redirectURI: https://argocd.{{ $.Values.cluster_config.domain }}/api/dex/callback - orgs: - - name: {{ .allowed_organizations }} - loadAllGroups: true - teamNameField: slug - useLoginAsID: false - staticClients: - - id: ${{ .name | replace "-" "_" }}_client_id - name: Kubernetes - # These are kubectl oidc plugin internal URLs - redirectURIs: - - http://localhost:8000 - - http://localhost:18000 - # Random secret for the user to authenticat dex client - secret: 8d52926efe879ee505391b75f4b046cf - {{- end }} - {{- end }} - {{- end }} - admin.enabled: '{{ .Values.argocd.adminLogin }}' - rbac: - # NOTE(kai): dd2aa2d6 ... 
is ID for azure kubernetes_operator group - policy.csv: | - p, role:org-admin, applications, *, */*, allow - p, role:org-admin, projects, *, *, allow - p, role:org-admin, logs, get, *, allow - p, role:org-admin, clusters, get, *, allow - p, role:org-admin, clusters, update, *, allow - p, role:org-admin, repositories, get, *, allow - p, role:org-admin, repositories, create, *, allow - p, role:org-admin, repositories, update, *, allow - p, role:org-admin, repositories, delete, *, allow - g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin - {{- if .Values.cluster_config.external_access.enabled }} - p, role:external-admin, applications, *, sys/*, deny - p, role:external-admin, applications, *, oxb/*, deny - p, role:external-admin, applications, *, */*, allow - p, role:external-admin, projects, *, oxb, deny - p, role:external-admin, projects, *, sys, deny - p, role:external-admin, projects, get, *, allow - p, role:external-admin, logs, get, *, allow - p, role:external-admin, clusters, get, *, allow - p, role:external-admin, repositories, get, *, allow - p, role:external-admin, repositories, create, *, allow - p, role:external-admin, repositories, update, *, allow - p, role:external-admin, repositories, delete, *, allow - g, "{{ .Values.cluster_config.external_access.admin_group }}", role:external-admin - {{- end }} - {{- if .Values.cluster_config.external_access.enabled }} - {{- range .Values.cluster_config.external_access.groups }} - {{- "\n" -}} - {{- $name := .name }} - p, role:{{$name}}, projects, get, {{$name}}, allow - p, role:{{$name}}, applications, get, {{$name}}/*, allow - p, role:{{$name}}, logs, get, {{$name}}/*, allow - {{- range .group_id }} - g, {{ . }}, role:{{$name}} - {{- end }} - {{- end }} - {{- end }} - {{- with .Values.argocd.additional_rbac_settings }} - {{- range .}} - {{ . 
}} - {{- end }} - {{- end }} - repositories: - # Repositories for applications - argo-helm: - type: helm - url: https://argoproj.github.io/argo-helm - # UI changes based on env - styles: | - /* blue, orange, red depending on env */ - :root { - --test-color: #0f2cbd; - --dev-color: #33b025; - --staging-color: #ebac2f; - --prod-color: #ff000d; - } - .top-bar__breadcrumbs::after { - content: "cluster: {{.Values.cluster_config.cluster}}, env: {{.Values.cluster_config.env}} "; - color: var(--{{.Values.cluster_config.env}}-color); - font-weight: bolder; - font-size: larger; - position: fixed; - left: 50%; - } - - controller: - metrics: - enabled: true - serviceMonitor: - enabled: true - resources: - limits: - memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }} - requests: - cpu: {{ .Values.argocd.resources.controller.cpu | default "250m" }} - memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }} - - # Mount azure ca as file for SAML auth - dex: - metrics: - enabled: true - serviceMonitor: - enabled: true - {{- with .Values.cluster_config.oidc }} - env: - {{- range . 
}} - - name: {{ .name | replace "-" "_" }}_client_secret - valueFrom: - secretKeyRef: - name: {{ .secret_ref.name }} - key: client_secret - - name: {{ .name | replace "-" "_" }}_client_id - valueFrom: - secretKeyRef: - name: {{ .secret_ref.name }} - key: client_id - {{- end }} - {{- end }} - - redis: - metrics: - enabled: true - serviceMonitor: - enabled: true - - repoServer: - metrics: - enabled: true - serviceMonitor: - enabled: true - {{- if .Values.argocd.repoServer.cmp.enabled }} - extraContainers: - - command: - - /var/run/argocd/argocd-cmp-server - image: {{ .Values.argocd.repoServer.cmp.image }} - imagePullPolicy: Always - name: {{ .Values.argocd.repoServer.cmp.name }} - securityContext: - runAsNonRoot: true - runAsUser: 999 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/run/argocd - name: var-files - - mountPath: /home/argocd/cmp-server/plugins - name: plugins - - mountPath: /tmp - name: cmp-tmp - {{- with .Values.argocd.repoServer.cmp.initContainers }} - initContainers: - {{- toYaml . | nindent 10}} - {{- end }} - volumes: - - name: cmp-tmp - emptyDir: {} - {{- if .Values.argocd.repoServer.cmp.imagePullSecret }} - imagePullSecrets: - {{- range .Values.argocd.repoServer.cmp.imagePullSecret}} - - name: {{ .name }} - {{- end }} - {{- end }} - {{- end }} - - # Configuration for argocd server instance - server: - metrics: - enabled: true - serviceMonitor: - enabled: true - ingress: - enabled: {{ .Values.argocd.ingress.enabled }} - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }} - nginx.ingress.kubernetes.io/ssl-passthrough: "true" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - {{- with .Values.cluster_config.ingress_whitelist_ips }} - nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . 
}} - {{- end }} - hosts: - - "argocd.{{ .Values.cluster_config.domain }}" - tls: - - secretName: argocd-tls - hosts: - - "argocd.{{ .Values.cluster_config.domain }}" - applicationSet: - metrics: - enabled: true - serviceMonitor: - enabled: true - {{- if .Values.argocd.anyNamespaces.enabled }} - allowAnyNamespaces: true - {{- end }} - ingress: - enabled: {{ .Values.argocd.applicationset_webhook.enabled }} - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }} - # {{- with .Values.cluster_config.ingress_whitelist_ips}} - # NOTE(kai): include gitlab and github webhook ranges - # nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24 - # {{- end }} - hostname: "argocd-applicationset.{{ .Values.cluster_config.domain }}" - tls: - - secretName: argocd-applicationset-tls - hosts: - - "argocd-applicationset.{{ .Values.cluster_config.domain }}" - notifications: - metrics: - enabled: true - serviceMonitor: - enabled: true - secret: - create: false - cm: - create: false + path: helmfiles/argocd + plugin: + name: helmfile + env: + - name: CLUSTER + value: {{ .Values.cluster_config.name }} + - name: ENVIRONMENT + value: {{ .environment }} + {{/* - repoURL: {{ .Values.cluster_config.manifests }} */}} + {{/* path: {{ .Values.cluster_config.policies }}/argocd */}} + {{/* targetRevision: HEAD */}} project: sys syncPolicy: managedNamespaceMetadata: diff --git a/argocd/helmfile-cmp/generate.sh b/argocd/helmfile-cmp/generate.sh index d27a22bc..ec8b99cc 100644 --- a/argocd/helmfile-cmp/generate.sh +++ b/argocd/helmfile-cmp/generate.sh 
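Review bot: The new `ENVIRONMENT` plugin env is set to `value: {{ .environment }}`, but `.environment` is not a field of this chart's root context (the rest of the template keys environment off `.Values.cluster_config.env`), so as far as I can tell it renders empty and the helmfile plugin receives an empty environment name. Presumably `value: {{ .Values.cluster_config.env }}` was meant; whichever value is right, quote both entries (`value: "{{ .Values.cluster_config.name }}"`) so a cluster name that YAML parses as a number does not fail Application validation. The second source left in `{{/* */}}` should also go before this leaves wip rather than sit commented out inside a single-entry `sources:` list. The Application spec continues past the hunk (`syncPolicy`).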
@@ -8,11 +8,13 @@ export HELMFILE_TEMPDIR=/tmp/helmfile/tmp env > /tmp/$ARGOCD_APP_NAME.env -if [[ -v ENV_NAME ]]; then - helmfile -n "$ARGOCD_APP_NAMESPACE" -e $ENV_NAME template --include-crds -q -elif [[ -v ARGOCD_ENV_ENV_NAME ]]; then - helmfile -n "$ARGOCD_APP_NAMESPACE" -e "$ARGOCD_ENV_ENV_NAME" template --include-crds -q +if [[ -v ENVIRONMENT ]]; then + ARGS="-e $ENVIRONMENT" +elif [[ -v ARGOCD_ENV_ENVIRONMENT ]]; then + ARGS="-e $ARGOCD_ENV_ENVIRONMENT " else - helmfile -n "$ARGOCD_APP_NAMESPACE" template --include-crds -q + ARGS="" fi +helmfile -n "$ARGOCD_APP_NAMESPACE" $ARGS template --include-crds -q + diff --git a/bin/helmify b/bin/helmify new file mode 100755 index 00000000..81ee6d41 --- /dev/null +++ b/bin/helmify @@ -0,0 +1,41 @@ +#!/usr/bin/env bash + +cmd=$1 +chart=$2 +env=$3 + +dir=_manifests + +build() { + if [ ! -d "manifests" ]; then + echo "nothing to do here..." + exit 0 + fi + + mkdir -p $dir/templates + + echo "generating $dir/Chart.yaml" 1>&2 + + cat < $dir/Chart.yaml +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart for Kubernetes +name: $chart +version: 0.1.0 +EOF + +echo $env 1>&2 +echo $chart 1>&2 +cp -r manifests/* $dir/templates +} + +clean() { + rm -rf $dir +} + +case "$cmd" in + "build" ) build ;; + "clean" ) clean ;; + * ) echo "unsupported command: $cmd" 1>&2; exit 1 ;; +esac + diff --git a/bin/kustomizer b/bin/kustomizer new file mode 100755 index 00000000..e5efe229 --- /dev/null +++ b/bin/kustomizer @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +if [[ -f base/kustomization.yaml ]]; then + cat >base/_manifest.yaml + kubectl kustomize base +else + cat +fi diff --git a/helmfiles/argocd/base/foo.yaml b/helmfiles/argocd/base/foo.yaml new file mode 100644 index 00000000..4a1f50af --- /dev/null +++ b/helmfiles/argocd/base/foo.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: + kyverno/clone: "true" + kyverno/env: "prod" + name: prod-atlantis-rabbitmq +type: Opaque +data: + foo: | + bar: raboof 
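Review bot: `ARGS="-e $ENVIRONMENT"` combined with the unquoted `$ARGS` on the new `helmfile` line relies on word splitting, and because `[[ -v ENVIRONMENT ]]` only tests that the variable is set, an empty value (which may be what the Application template produces if its `value:` renders empty) turns the command into `helmfile -n "$ARGOCD_APP_NAMESPACE" -e template --include-crds -q`, with `template` consumed as the environment name. Test for non-empty and build the arguments as an array so the name stays one argument whatever it contains; with `application.namespaces` enabled in the new values the plugin env is taken from Application manifests that other namespaces may create, so the environment name is not fully trusted input. The unchanged `env > /tmp/$ARGOCD_APP_NAME.env` line just above also dumps the whole sidecar environment, including every `ARGOCD_ENV_*` value, to a file; consider removing it before merge. The script's `set` options are outside the hunk, so the array expansion below assumes bash ≥ 4.4 or no `set -u`.

```shell
args=()
if [[ -n "${ENVIRONMENT:-}" ]]; then
  args=(-e "$ENVIRONMENT")
elif [[ -n "${ARGOCD_ENV_ENVIRONMENT:-}" ]]; then
  args=(-e "$ARGOCD_ENV_ENVIRONMENT")
fi
helmfile -n "$ARGOCD_APP_NAMESPACE" "${args[@]}" template --include-crds -q
```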
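Review bot: `build` runs `mkdir`, the Chart.yaml write and `cp -r manifests/* $dir/templates` without `set -euo pipefail`, so a failed copy still exits 0 and helmfile proceeds to template a half-built `_manifests` chart; add `set -euo pipefail` after the shebang and quote `"$dir"`, `"$chart"` and `"$env"` where they are expanded. As rendered here the heredoc line reads `cat < $dir/Chart.yaml`, which would read the file rather than write it — if the real source is `cat <<EOF > "$dir/Chart.yaml"` that is only a page artifact, otherwise the chart is never written. Everything under `manifests/` becomes a Helm template, so any literal `{{` in a future manifest will be parsed by Helm; a comment such as `# files under manifests/ are rendered by Helm: escape any literal {{` at the top of `build` would save a confusing render error later. The `env` argument is only echoed to stderr; either drop it or note what it is reserved for.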
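Review bot: The post-renderer writes the fully rendered release to `base/_manifest.yaml` inside the checked-out repo and never removes it, so rendered output — including any Secret the chart produces — is left on disk in the repo-server's cached clone and in a developer's working tree after a local `helmfile template`. Clean it up on exit and keep it out of git: `trap 'rm -f base/_manifest.yaml' EXIT` right after the `cat`, plus a `base/_manifest.yaml` entry in `.gitignore`. The script also always runs `kubectl kustomize base`, so the new `prod/kustomization.yaml` overlay is never applied whatever the helmfile environment is; if per-environment overlays are the goal the script needs the environment name (the `prepare` hook already has `.Environment.Name`) and should select `prod/` when it exists. No `set -e` is needed for the failure that matters, since `kubectl kustomize`'s exit status is the script's, but a failing `cat` is silently ignored.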
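Review bot: `foo.yaml` declares a `Secret` named `prod-atlantis-rabbitmq` whose `data.foo` is the multi-line string `bar: raboof`, which is not base64 and will be rejected by the API server on apply (`data` values must be base64; plain text belongs under `stringData`). With `kyverno/clone: "true"` and `kyverno/env: "prod"` it reads as a placeholder copied from another environment rather than something that belongs in the environment-agnostic `base/` of the `argocd` namespace, and given the `wip:` title I assume it is scaffolding — but it is listed in `base/kustomization.yaml`, so it would ship. Delete it together with its `kustomization.yaml` entry, or replace it with the real resource under a name that does not hard-code `prod`.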
diff --git a/helmfiles/argocd/base/kustomization.yaml b/helmfiles/argocd/base/kustomization.yaml new file mode 100644 index 00000000..aaebae24 --- /dev/null +++ b/helmfiles/argocd/base/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - _manifest.yaml + - foo.yaml diff --git a/helmfiles/argocd/helmfile.yaml b/helmfiles/argocd/helmfile.yaml new file mode 100644 index 00000000..c6d9dd06 --- /dev/null +++ b/helmfiles/argocd/helmfile.yaml @@ -0,0 +1,32 @@ +repositories: +- name: argo + url: https://argoproj.github.io/argo-helm + +environments: + default: + values: + - ../../apps/values.yaml + - ../../values/sys/values-{{ requiredEnv "CLUSTER" }}.yaml + +helmDefaults: + postRenderer: ../../bin/kustomizer + +releases: +- name: argocd + namespace: argocd + chart: argo/argo-cd + values: + - values.yaml.gotmpl +- name: argocd-extras + namespace: argocd + chart: _manifests + values: + - values.yaml.gotmpl + hooks: + - events: [ "prepare", "cleanup" ] + showlogs: true + command: "../../bin/helmify" + args: + - "{{`{{if eq .Event.Name \"prepare\"}}build{{else}}clean{{end}}`}}" + - "{{`{{.Release.Chart}}`}}" + - "{{`{{.Environment.Name}}`}}" diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-applicationset-ingress.yaml b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-applicationset-ingress.yaml new file mode 100644 index 00000000..1678e7a3 --- /dev/null +++ b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-applicationset-ingress.yaml @@ -0,0 +1,14 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-applicationset-ingress + namespace: argocd +spec: + description: Allow access from the ingress controller + endpointSelector: + matchLabels: + app.kubernetes.io/component: applicationset-controller + ingress: + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: ingress-nginx 
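Review bot: The `argocd` release has no `version:`, so each render resolves whatever `argo/argo-cd` chart the repository currently serves and an upstream chart publish changes what Argo CD deploys to itself on the next sync without any review — the Application source removed in this commit pinned it with `targetRevision: {{ .Values.argocd.version }}`. Add `version: {{ .Values.argocd.version }}` (or a literal version) under the release. `requiredEnv "CLUSTER"` also only works if `CLUSTER` reaches the sidecar under that name: the Application passes it as plugin env, which Argo CD exposes to plugins as `ARGOCD_ENV_CLUSTER` (the same prefix generate.sh already branches on), so unless generate.sh exports it outside the visible hunk the render fails with a missing-env error; `export CLUSTER="${CLUSTER:-${ARGOCD_ENV_CLUSTER:-}}"` in generate.sh would cover both. Note too that `base/kustomization.yaml` lists `_manifest.yaml`, which only exists during a render, so a plain `kubectl kustomize base` fails — a one-line comment there (`# _manifest.yaml is written by bin/kustomizer at render time`) would explain that.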
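Review bot: `allow-applicationset-ingress` admits any pod in `ingress-nginx` to every port of the applicationset controller because the ingress rule has no `toPorts`; the only thing the ingress needs is the SCM webhook endpoint, so restrict it to that port (I believe `7000` is the chart's default webhook container port — confirm against the rendered Service) with `toPorts: [{ports: [{port: "7000", protocol: TCP}]}]` alongside `fromEndpoints`. That also keeps the controller's metrics port from being reachable from the ingress namespace. Since the applicationset ingress is only created when `argocd.applicationset_webhook.enabled` is set, a comment noting the policy is harmless but unused otherwise would help.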
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-notifications.yaml b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-notifications.yaml new file mode 100644 index 00000000..045dbc56 --- /dev/null +++ b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-notifications.yaml @@ -0,0 +1,13 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-argo-notifications + namespace: argocd +spec: + description: Allow access to the ArgoCD Notifications + egress: + - toFQDNs: + - matchName: slack.com + endpointSelector: + matchLabels: + app.kubernetes.io/component: notifications-controller diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml new file mode 100644 index 00000000..0af071b5 --- /dev/null +++ b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml @@ -0,0 +1,13 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-argo-repo-access-applicationset + namespace: argocd +spec: + description: Allow access to the ArgoCD repo Applicationset + egress: + - toEntities: + - world + endpointSelector: + matchLabels: + app.kubernetes.io/component: applicationset-controller diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-repo-access.yaml b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-repo-access.yaml new file mode 100644 index 00000000..6e2b7e04 --- /dev/null +++ b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-repo-access.yaml @@ -0,0 +1,13 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-argo-repo-access + namespace: argocd +spec: + description: Allow access to the ArgoCD repo server + egress: + - toEntities: + - world + endpointSelector: + matchLabels: + app.kubernetes.io/component: repo-server 
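Review bot: `allow-argo-notifications` (and the other new `toFQDNs` policies for ghcr.io and microsoftonline.com) give their endpoints an egress section, which makes them egress default-deny for everything not listed, yet none of the policies in this change allow DNS to kube-dns or carry a `rules: dns:` section — and Cilium can only enforce `toFQDNs` when the endpoint's DNS traffic passes through its DNS proxy. Unless a namespace- or cluster-wide policy already grants that, name resolution for these pods fails and the FQDN rules never match; a shared `allow-dns` policy in the same directory fixes it. The rule should also carry `toPorts` for 443, since `matchName: slack.com` with no port allows any protocol to that host.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-dns
  namespace: argocd
spec:
  description: Allow DNS to kube-dns with DNS visibility, required for toFQDNs rules
  endpointSelector:
    matchLabels: {}
  egress:
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
```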
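Review bot: `allow-argo-repo-access` and `allow-argo-repo-access-applicationset` grant the repo-server and applicationset controller `toEntities: world` with no `toPorts`, i.e. unrestricted egress to every non-cluster address on every port from the two components that execute repository content (and, with this change, the helmfile sidecar). Git and chart fetches are HTTPS, so at minimum add `toPorts: [{ports: [{port: "443", protocol: TCP}]}]` (plus 22 if SSH remotes are in use), and where the hosts are known prefer `toFQDNs` for the git host and `argoproj.github.io`, as the neighbouring policies already do for Slack and ghcr.io. The repo-server's sidecar containers share its pod identity, so whatever the repo-server is allowed the helmfile CMP gets too — worth a comment on the policy.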
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml new file mode 100644 index 00000000..5f030377 --- /dev/null +++ b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml @@ -0,0 +1,14 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-chartmuseum-ingress + namespace: argocd +spec: + description: Allow access to the chartmuseum ingress + endpointSelector: + matchLabels: + app.kubernetes.io/name: chartmuseum + ingress: + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: ingress-nginx diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml new file mode 100644 index 00000000..1534b3c8 --- /dev/null +++ b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml @@ -0,0 +1,13 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-image-updater-repo-access + namespace: argocd +spec: + description: Allow argoCD image updater to access github container registry + egress: + - toFQDNs: + - matchName: ghcr.io + endpointSelector: + matchLabels: + app.kubernetes.io/name: argocd-image-updater diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-ingress.yaml b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-ingress.yaml new file mode 100644 index 00000000..2096eaae --- /dev/null +++ b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-ingress.yaml @@ -0,0 +1,14 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-ingress + namespace: argocd +spec: + description: Allow access from the ingress controller + endpointSelector: + matchLabels: + app.kubernetes.io/component: server + ingress: + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: ingress-nginx 
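Review bot: `allow-ingress` lets every pod in `ingress-nginx` reach every port of argocd-server, since there is no `toPorts` on the ingress rule; the ingress only needs the container port the Service targets (with `ssl-passthrough` in the values that is the TLS listener), so add `toPorts: [{ports: [{port: "<server container port>", protocol: TCP}]}]` with the number taken from the rendered Service. The same applies to the neighbouring `allow-chartmuseum-ingress`, which additionally selects `app.kubernetes.io/name: chartmuseum` in the `argocd` namespace although nothing in this change deploys chartmuseum there — fine if it already exists, but a comment naming the owning release would stop it being read as dead policy. `allow-image-updater-repo-access` has the same missing-port issue for `ghcr.io`.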
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-kube-api.yaml b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-kube-api.yaml new file mode 100644 index 00000000..40045bb8 --- /dev/null +++ b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-kube-api.yaml @@ -0,0 +1,16 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-kube-api + namespace: argocd +spec: + description: Allow access to the Kube API server + egress: + - toEntities: + - kube-apiserver + toPorts: + - ports: + - port: "6443" + protocol: TCP + endpointSelector: + matchLabels: {} diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-microsoft-sso.yaml b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-microsoft-sso.yaml new file mode 100644 index 00000000..e68b04d2 --- /dev/null +++ b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-microsoft-sso.yaml @@ -0,0 +1,16 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-microsoft-sso + namespace: argocd +spec: + description: Allow argoCD dex server to authenticate to microsoft online azure oatuh + egress: + - toFQDNs: + - matchName: login.microsoftonline.com + - matchPattern: '*.microsoftonline.com' + - matchName: github.com + - matchName: api.github.com + endpointSelector: + matchLabels: + app.kubernetes.io/name: argocd-dex-server diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml new file mode 100644 index 00000000..ebfed5bd --- /dev/null +++ b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml 
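Review bot: `allow-microsoft-sso` also allows dex egress to `github.com` and `api.github.com` under a policy named and described as Microsoft SSO, and with no `toPorts`, so any protocol to those hosts is permitted; rename it (e.g. `allow-dex-idp-egress`) or split a GitHub policy out, and add `toPorts: [{ports: [{port: "443", protocol: TCP}]}]` in either case. The `description` has a typo, `oatuh` → `oauth`. Like the other new `toFQDNs` rules, this only takes effect if a policy outside this change lets dex's DNS traffic through Cilium's DNS proxy. In the same line, `allow-kube-api` selects every pod in the namespace (`matchLabels: {}`) but pins port `6443`; on clusters where the API endpoint is served on 443 the rule matches nothing and the controllers lose the API server — either list both ports or drop the port restriction for the `kube-apiserver` entity, with a comment recording the choice.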
@@ -0,0 +1,18 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-prometheus-metrics-rollout + namespace: argocd +spec: + description: Allow access to the Prometheus metrics + endpointSelector: + matchLabels: + app.kubernetes.io/instance: argo-rollouts + ingress: + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: prometheus + toPorts: + - ports: + - port: "8090" + protocol: TCP diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml new file mode 100644 index 00000000..f8f81286 --- /dev/null +++ b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml @@ -0,0 +1,18 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-prometheus-metrics-workflows + namespace: argocd +spec: + description: Allow access to the Prometheus metrics + endpointSelector: + matchLabels: + app.kubernetes.io/instance: argo-workflows + ingress: + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: prometheus + toPorts: + - ports: + - port: "9090" + protocol: TCP diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics.yaml new file mode 100644 index 00000000..a1b0f86f --- /dev/null +++ b/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics.yaml 
@@ -0,0 +1,30 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-prometheus-metrics + namespace: argocd +spec: + description: Allow access to the Prometheus metrics + endpointSelector: + matchLabels: + app.kubernetes.io/instance: argocd + ingress: + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: prometheus + toPorts: + - ports: + - port: "8082" + protocol: TCP + - port: "8080" + protocol: TCP + - port: "9001" + protocol: TCP + - port: "9121" + protocol: TCP + - port: "8084" + protocol: TCP + - port: "8083" + protocol: TCP + - port: "5558" + protocol: TCP diff --git a/helmfiles/argocd/prod/kustomization.yaml b/helmfiles/argocd/prod/kustomization.yaml new file mode 100644 index 00000000..ecfa7607 --- /dev/null +++ b/helmfiles/argocd/prod/kustomization.yaml @@ -0,0 +1,8 @@ +generatorOptions: + disableNameSuffixHash: true +# configMapGenerator: +# - name: prod-atlantis-appsettings +# files: +# - appsettings.json +resources: + - ../base diff --git a/helmfiles/argocd/values.yaml.gotmpl b/helmfiles/argocd/values.yaml.gotmpl new file mode 100644 index 00000000..31d9fa13 --- /dev/null +++ b/helmfiles/argocd/values.yaml.gotmpl 
@@ -0,0 +1,290 @@ +global: + domain: argocd.{{ .Values.cluster_config.domain }} +## ArgoCD configuration +## Ref: https://github.com/argoproj/argo-cd +## +configs: + {{- if .Values.argocd.anyNamespaces.enabled }} + params: + applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}" + # TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it + applicationsetcontroller.enable.scm.providers: "false" + application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}" + {{- end }} + cm: + application.resourceTrackingMethod: annotation+label + application.instanceLabelKey: app.kubernetes.io/instance + create: true + # NOTE(kai): callback URL for dex + url: "https://argocd.{{ .Values.cluster_config.domain }}" + resource.compareoptions: | + ignoreAggregatedRoles: true + resource.exclusions: | + - apiGroups: + - cilium.io + kinds: + - CiliumIdentity + clusters: + - "*" + - apiGroups: + - kyverno.io + kinds: + - AdmissionReport + - BackgroundScanReport + - ClusterAdmissionReport + - ClusterBackgroundScanReport + clusters: + - "*" + # dex saml config + dex.config: | + logger: + level: debug + format: json + connectors: + {{- with .Values.cluster_config.oidc }} + {{- range . 
}} + {{- if eq .provider "azuread" }} + - type: oidc + id: {{ .name }} + name: {{ .name }} + config: + issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0 + clientID: ${{ .name | replace "-" "_" }}_client_id + clientSecret: ${{ .name | replace "-" "_" }}_client_secret + insecureSkipEmailVerified: true + requestedIDTokenClaims: + groups: + essential: true + insecureEnableGroups: true + requestedScopes: + - openid + - profile + - email + - groups + {{- else if eq .provider "github" }} + - type: github + id: {{ .name }} + name: {{ .name }} + config: + clientID: ${{ .name | replace "-" "_" }}_client_id + clientSecret: ${{ .name | replace "-" "_" }}_client_secret + redirectURI: https://argocd.{{ $.Values.cluster_config.domain }}/api/dex/callback + orgs: + - name: {{ .allowed_organizations }} + loadAllGroups: true + teamNameField: slug + useLoginAsID: false + staticClients: + - id: ${{ .name | replace "-" "_" }}_client_id + name: Kubernetes + # These are kubectl oidc plugin internal URLs + redirectURIs: + - http://localhost:8000 + - http://localhost:18000 + # Random secret for the user to authenticat dex client + secret: 8d52926efe879ee505391b75f4b046cf + {{- end }} + {{- end }} + {{- end }} + admin.enabled: '{{ .Values.argocd.adminLogin }}' + rbac: + # NOTE(kai): dd2aa2d6 ... 
is ID for azure kubernetes_operator group + policy.csv: | + p, role:org-admin, applications, *, */*, allow + p, role:org-admin, projects, *, *, allow + p, role:org-admin, logs, get, *, allow + p, role:org-admin, clusters, get, *, allow + p, role:org-admin, clusters, update, *, allow + p, role:org-admin, repositories, get, *, allow + p, role:org-admin, repositories, create, *, allow + p, role:org-admin, repositories, update, *, allow + p, role:org-admin, repositories, delete, *, allow + g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin + {{- if .Values.cluster_config.external_access.enabled }} + p, role:external-admin, applications, *, sys/*, deny + p, role:external-admin, applications, *, oxb/*, deny + p, role:external-admin, applications, *, */*, allow + p, role:external-admin, projects, *, oxb, deny + p, role:external-admin, projects, *, sys, deny + p, role:external-admin, projects, get, *, allow + p, role:external-admin, logs, get, *, allow + p, role:external-admin, clusters, get, *, allow + p, role:external-admin, repositories, get, *, allow + p, role:external-admin, repositories, create, *, allow + p, role:external-admin, repositories, update, *, allow + p, role:external-admin, repositories, delete, *, allow + g, "{{ .Values.cluster_config.external_access.admin_group }}", role:external-admin + {{- end }} + {{- if .Values.cluster_config.external_access.enabled }} + {{- range .Values.cluster_config.external_access.groups }} + {{- "\n" -}} + {{- $name := .name }} + p, role:{{$name}}, projects, get, {{$name}}, allow + p, role:{{$name}}, applications, get, {{$name}}/*, allow + p, role:{{$name}}, logs, get, {{$name}}/*, allow + {{- range .group_id }} + g, {{ . }}, role:{{$name}} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.argocd.additional_rbac_settings }} + {{- range .}} + {{ . 
}} + {{- end }} + {{- end }} + repositories: + # Repositories for applications + argo-helm: + type: helm + url: https://argoproj.github.io/argo-helm + # UI changes based on env + styles: | + /* blue, orange, red depending on env */ + :root { + --test-color: #0f2cbd; + --dev-color: #33b025; + --staging-color: #ebac2f; + --prod-color: #ff000d; + } + .top-bar__breadcrumbs::after { + content: "cluster: {{.Values.cluster_config.cluster}}, env: {{.Values.cluster_config.env}} "; + color: var(--{{.Values.cluster_config.env}}-color); + font-weight: bolder; + font-size: larger; + position: fixed; + left: 50%; + } + +controller: + metrics: + enabled: true + serviceMonitor: + enabled: true + resources: + limits: + memory: {{ .Values | get "argocd.resources.controller.memory" "1000Mi" }} + requests: + cpu: {{ .Values | get "argocd.resources.controller.cpu" "250m" }} + memory: {{ .Values | get "argocd.resources.controller.memory" "1000Mi" }} + +# Mount azure ca as file for SAML auth +dex: + metrics: + enabled: true + serviceMonitor: + enabled: true + {{- with .Values.cluster_config.oidc }} + env: + {{- range . 
}} + - name: {{ .name | replace "-" "_" }}_client_secret + valueFrom: + secretKeyRef: + name: {{ .secret_ref.name }} + key: client_secret + - name: {{ .name | replace "-" "_" }}_client_id + valueFrom: + secretKeyRef: + name: {{ .secret_ref.name }} + key: client_id + {{- end }} + {{- end }} + +redis: + metrics: + enabled: true + serviceMonitor: + enabled: true + +repoServer: + metrics: + enabled: true + serviceMonitor: + enabled: true + {{- if .Values.argocd.repoServer.cmp.enabled }} + extraContainers: + - command: + - /var/run/argocd/argocd-cmp-server + image: {{ .Values.argocd.repoServer.cmp.image }} + imagePullPolicy: Always + name: {{ .Values.argocd.repoServer.cmp.name }} + securityContext: + runAsNonRoot: true + runAsUser: 999 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /var/run/argocd + name: var-files + - mountPath: /home/argocd/cmp-server/plugins + name: plugins + - mountPath: /tmp + name: cmp-tmp + {{- with .Values.argocd.repoServer.cmp.initContainers }} + initContainers: + {{- toYaml . | nindent 10}} + {{- end }} + volumes: + - name: cmp-tmp + emptyDir: {} + {{- if .Values.argocd.repoServer.cmp.imagePullSecret }} + imagePullSecrets: + {{- range .Values.argocd.repoServer.cmp.imagePullSecret}} + - name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} + +# Configuration for argocd server instance +server: + metrics: + enabled: true + serviceMonitor: + enabled: true + ingress: + enabled: {{ .Values.argocd.ingress.enabled }} + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }} + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + {{- with .Values.cluster_config.ingress_whitelist_ips }} + nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . 
}} + {{- end }} + hosts: + - "argocd.{{ .Values.cluster_config.domain }}" + tls: + - secretName: argocd-tls + hosts: + - "argocd.{{ .Values.cluster_config.domain }}" +applicationSet: + metrics: + enabled: true + serviceMonitor: + enabled: true + {{- if .Values.argocd.anyNamespaces.enabled }} + allowAnyNamespaces: true + {{- end }} + ingress: + enabled: {{ .Values.argocd.applicationset_webhook.enabled }} + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }} + # {{- with .Values.cluster_config.ingress_whitelist_ips}} + # NOTE(kai): include gitlab and github webhook ranges + # nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24 + # {{- end }} + hostname: "argocd-applicationset.{{ .Values.cluster_config.domain }}" + tls: + - secretName: argocd-applicationset-tls + hosts: + - "argocd-applicationset.{{ .Values.cluster_config.domain }}" +notifications: + metrics: + enabled: true + serviceMonitor: + enabled: true + secret: + create: false + cm: + create: false diff --git a/shell.nix b/shell.nix index bc4c835c..fb3d055c 100644 --- a/shell.nix +++ b/shell.nix @@ -13,6 +13,7 @@ in shell = pkgs.mkShellNoCC { name = "clstr"; nativeBuildInputs = with pkgs; [ + helmfile nixidy.nixidy npins nixfmt-rfc-style
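Review bot: The dex `staticClients` entry carries a literal client secret, `8d52926efe879ee505391b75f4b046cf`, committed to git and rendered in plain text into the `argocd-cm` ConfigMap of every cluster that uses this template, whereas the connector credentials right above it are pulled from a Secret via `${..._client_secret}`. For a kubectl OIDC public client this is not a strong credential, but it should at least be per-cluster and sourced the same way, e.g. `secret: $dex_static_client_secret` with a matching `dex.env` entry, or the client marked `public: true` if the kubectl plugin flow uses PKCE — confirm which before changing. `insecureSkipEmailVerified: true`, `insecureEnableGroups: true` and `logger.level: debug` are carried over verbatim; a one-line why-comment on each (as I understand it Entra ID tokens lack `email_verified`, and the groups claim is only honoured with the flag) would stop a later reviewer silently tightening them, and debug logging of the SSO flow should be dropped before this leaves wip. Smaller things: the `# dex saml config` and `# Mount azure ca as file for SAML auth` comments describe an OIDC setup that mounts no CA, and `authenticat` → `authenticate`. The `argocd-extras` release renders this same values file against the `_manifests` chart, where none of these keys are used — a comment at the top saying which release consumes what would help.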