feat: move vcluster charts to charts/

This commit is contained in:
Jonas Juselius
2024-06-04 15:04:12 +02:00
parent 351fce65f5
commit c0f9f38207
14 changed files with 1 additions and 6 deletions
-22
@@ -1,22 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
-6
@@ -1,6 +0,0 @@
apiVersion: v2
name: atlantis-vcluster
description: vClusters for Atlantis
type: application
version: v0.18.1
appVersion: v0.18.1
-71
@@ -1,71 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "vCluster.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "vCluster.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default "vcluster" .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{- define "vCluster.releaseName" -}}
{{- if .Values.nameOverride }}
{{- .Values.nameOverride | trunc 63 | trimSuffix "vcluster" | trimSuffix "-" }}
{{- else }}
{{- default .Chart.Name .Release.Name | trunc 63 | trimSuffix "vcluster" | trimSuffix "-" }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "vCluster.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "vCluster.labels" -}}
helm.sh/chart: {{ include "vCluster.chart" . }}
{{ include "vCluster.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "vCluster.selectorLabels" -}}
app.kubernetes.io/name: {{ include "vCluster.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "vCluster.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "vCluster.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
@@ -1,14 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-external-services
namespace: {{ .Release.Namespace }}
spec:
egress:
- toFQDNs:
- matchName: api.github.com
- matchName: dapr.github.io
- matchName: gitlab.com
- matchName: analytics.loft.rocks
endpointSelector:
matchLabels: {}
@@ -1,14 +0,0 @@
{{- $fullname := include "vCluster.fullname" . -}}
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: v1
kind: Secret
metadata:
labels:
argocd.argoproj.io/secret-type: cluster
name: cluster-{{ $fullname }}
namespace: argocd
type: Opaque
stringData:
config: '{"bearerToken": "token", "tlsClientConfig": { "insecure" : true }}'
name: {{ $fullname }}
server: https://{{ $fullname }}.{{ .Release.Namespace }}
-69
@@ -1,69 +0,0 @@
{{- $fullname := include "vCluster.fullname" . -}}
{{- $name := include "vCluster.releaseName" . -}}
{{- if .Values.persistence }}
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: {{ $fullname }}-db
namespace: {{ .Release.Namespace }}
annotations:
linkerd.io/inject: disabled
spec:
instances: 1
bootstrap:
initdb:
database: k3s
owner: k3s
primaryUpdateStrategy: unsupervised
backup:
retentionPolicy: "7d"
storage:
size: "5Gi"
{{- end }}
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: staging-archmeister
namespace: {{ .Release.Namespace }}
annotations:
linkerd.io/inject: disabled
spec:
instances: 1
imageName: ghcr.io/cloudnative-pg/postgis:15-3.3
bootstrap:
initdb:
postInitTemplateSQL:
- CREATE EXTENSION postgis;
- CREATE EXTENSION postgis_topology;
- CREATE EXTENSION fuzzystrmatch;
- CREATE EXTENSION postgis_tiger_geocoder;
# Example of rolling update strategy:
# - unsupervised: automated update of the primary once all
# replicas have been upgraded (default)
# - supervised: requires manual supervision to perform
# the switchover of the primary
primaryUpdateStrategy: unsupervised
backup:
retentionPolicy: "7d"
storage:
size: "5Gi"
bootstrap:
pg_basebackup:
source: prod-archmeister
externalClusters:
- name: prod-archmeister
connectionParameters:
host: prod-archmeister-rw.atlantis.svc
user: streaming_replica
sslmode: verify-full
sslKey:
name: prod-archmeister-replication
key: tls.key
sslCert:
name: prod-archmeister-replication
key: tls.crt
sslRootCert:
name: prod-archmeister-ca
key: ca.crt
-14
@@ -1,14 +0,0 @@
apiVersion: jaegertracing.io/v1
kind: Jaeger
metadata:
name: jaeger
namespace: {{ .Release.Namespace }}
spec:
strategy: allInOne
ingress:
enabled: false
allInOne:
image: jaegertracing/all-in-one:1.22
options:
query:
base-path: /jaeger
@@ -1,49 +0,0 @@
{{- $fullname := include "vCluster.fullname" . -}}
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
kyverno.io/kyverno-version: 1.7.0
policies.kyverno.io/description: Allow egress to vcluster kube-apiserver
policies.kyverno.io/minversion: 1.7.0
policies.kyverno.io/subject: Namespace, NetworkPolicy
policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
name: allow-{{ $name }}-vcluster-apiserver
namespace: {{ .Release.Namespace }}
spec:
background: true
generateExisting: true
rules:
- name: allow-{{ $name }}-vcluster-apiserver
generate:
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
name: allow-{{ $name }}-vcluster-apiserver-access
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: true
data:
spec:
description: Allow egress to vcluster kube-apiserver
egress:
- toEndpoints:
- matchLabels:
app: vcluster
toPorts:
- ports:
- port: "443"
protocol: TCP
endpointSelector: {}
match:
any:
- resources:
kinds:
- Namespace
names:
- {{ $fullname }}
- resources:
kinds:
- Namespace
selector:
matchLabels:
vcluster.loft.sh/vcluster-name: {{ $fullname }}
@@ -1,66 +0,0 @@
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: "sync-{{ $name }}-vcluster-secrets"
spec:
background: true
generateExisting: true
rules:
- name: sync-rabbitmq-secrets
generate:
apiVersion: v1
kind: Secret
name: staging-rabbitmq
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
clone:
namespace: rabbitmq
name: staging-rabbitmq
match:
resources:
kinds:
- Namespace
names:
- "vcluster-009dba7e-*"
selector:
matchLabels:
vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
- name: sync-redis-secrets
generate:
apiVersion: v1
kind: Secret
name: staging-redis
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
clone:
namespace: redis
name: staging-redis
match:
resources:
kinds:
- Namespace
names:
- "vcluster-009dba7e-*"
selector:
matchLabels:
vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
- name: sync-archmeister-app-secret
generate:
apiVersion: v1
kind: Secret
name: staging-archmeister-app
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
clone:
namespace: '{{ .Release.Namespace }}'
name: staging-archmeister-superuser
match:
resources:
kinds:
- Namespace
names:
- "vcluster-009dba7e-*"
selector:
matchLabels:
vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
@@ -1,40 +0,0 @@
{{- $fullname := include "vCluster.fullname" . -}}
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Sample
policies.kyverno.io/description: 'Secrets like registry credentials often need
to exist in multiple Namespaces so Pods there have access. Manually duplicating
those Secrets is time consuming and error prone. This policy will copy a Secret
called `regcred` which exists in the `default` Namespace to new Namespaces when
they are created. It will also push updates to the copied Secrets should the
source Secret be changed. '
creationTimestamp: "2024-01-15T11:58:24Z"
name: sync-{{ $name }}-vcluster-oceanbox-regcred
spec:
admission: true
background: true
generateExisting: true
rules:
- generate:
apiVersion: v1
clone:
# name: oceanbox-regcred
name: gitlab-pull-secret
namespace: default
kind: Secret
# name: oceanbox-regcred
name: gitlab-pull-secret
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
match:
any:
- resources:
kinds:
- Namespace
selector:
matchLabels:
vcluster.loft.sh/vcluster-name: {{ $fullname }}
name: sync-vcluster-oceanbox-regcred
-26
@@ -1,26 +0,0 @@
{{- $fullname := include "vCluster.fullname" . -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: vcluster-cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vcluster-create-cilium-networkpolicies
subjects:
- kind: ServiceAccount
namespace: {{ $fullname }}
name: {{ $fullname }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: vcluster-jaegers
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vcluster-jaegers
subjects:
- kind: ServiceAccount
namespace: {{ $fullname }}
name: {{ $fullname }}
-187
@@ -1,187 +0,0 @@
{{- $fullname := include "vCluster.fullname" . -}}
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: {{ $fullname }}
namespace: argocd
spec:
project: vcluster
syncPolicy:
automated: {}
syncOptions:
- createNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: {{ .Release.Namespace }}
source:
repoURL: https://charts.loft.sh
targetRevision: 0.19.5
chart: vcluster
helm:
values: |-
vcluster:
env:
{{ if .Values.persistence }}
- name: PG_PASSWORD
valueFrom:
secretKeyRef:
name: "{{ $fullname }}-db-app"
key: password
- name: K3S_DATASTORE_ENDPOINT
value: "postgres://k3s:$(PG_PASSWORD)@{{ $fullname }}-db-rw:5432/k3s"
{{ end }}
extraArgs:
- "--kube-apiserver-arg=oidc-client-id=9b6daef0-02fa-4574-8949-f7c1b5fccd15"
- "--kube-apiserver-arg=oidc-issuer-url=https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0"
- "--kube-apiserver-arg=oidc-groups-claim=roles"
- "--kube-apiserver-arg=oidc-username-claim=sub"
ingress:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
host: "{{ $fullname }}.beta.oceanbox.io"
tls:
- hosts:
- "{{ $fullname }}.beta.oceanbox.io"
secretName: "{{ $fullname }}-tls"
storage:
persistence: {{ .Values.persistence }}
# coredns:
# image: coredns/coredns:1.10.1
fallbackHostDns: true
multiNamespaceMode:
enabled: true
mapServices:
fromHost:
- from: "redis/{{ .Values.environment }}-redis-master"
to: "redis/{{ .Values.environment }}-redis-master"
- from: "rabbitmq/{{ .Values.environment }}-rabbitmq"
to: "rabbitmq/{{ .Values.environment }}-rabbitmq"
- from: "{{ .Release.Namespace }}/staging-archmeister-rw"
to: "atlantis/staging-archmeister-rw"
- from: "{{ .Release.Namespace }}/jaeger-collector"
to: "atlantis/jaeger-collector"
- from: "idp/{{ .Values.environment }}-cerbos"
to: "idp/{{ .Values.environment }}-cerbos"
sync:
secrets:
all: true
configmaps:
all: true
ingresses:
enabled: true
generic:
clusterRole:
extraRules:
- apiGroups: [ "apiextensions.k8s.io" ]
resources: [ "customresourcedefinitions" ]
verbs: [ "get", "list", "watch" ]
role:
extraRules:
- apiGroups: ["postgresql.cnpg.io"]
resources: ["backups", "clusters", "poolers", "scheduledbackups" ]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
- apiGroups: [ "cilium.io" ]
resources: [ "ciliumnetworkpolicies" ]
verbs: [ "get", "list", "watch", "create", "patch" ]
# - apiGroups: [ "jaegertracing.io" ]
# resources: [ "jaegers" ]
# verbs: [ "get", "list", "watch", "create", "patch" ]
config: |-
version: v1beta1
import:
- kind: Cluster
apiVersion: postgresql.cnpg.io/v1
- kind: Secret
apiVersion: v1
# - kind: Component
# apiVersion: dapr.io/v1alpha1
# - kind: Configuration
# apiVersion: dapr.io/v1alpha1
# - kind: Subscription
# apiVersion: dapr.io/v1alpha1
# - kind: Jaeger
# apiVersion: jaegertracing.io/v1
# - kind: CiliumNetworkPolicy
# apiVersion: cilium.io/v2
export:
- kind: CiliumNetworkPolicy
apiVersion: cilium.io/v2
# - kind: Jaeger
# apiVersion: jaegertracing.io/v1
init:
manifests: |-
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: oidc-cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: Group
name: eb17a659-4ce6-41bc-9153-d9b117c44479
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
namespace: kube-system
name: admin
---
apiVersion: v1
kind: Secret
metadata:
name: admin-token
namespace: kube-system
annotations:
kubernetes.io/service-account.name: admin
type: kubernetes.io/service-account-token
# The contents of manifests-template will be templated using helm
# this allows you to use helm values inside, e.g.: {{ .Release.Name }}
# manifestsTemplate: |-
# {{- range .Files.Lines "_atlantis.yaml" }}
# {{ . }}
# {{- end }}
helm:
- chart:
name: dapr
version: 1.13.3
repo: https://dapr.github.io/helm-charts/
release:
name: dapr
namespace: dapr-system
timeout: 180
values: |-
ha.enabled: false
# plugin:
# secret-syncer:
# image: registry.gitlab.com/oceanbox/vcluster-secret-syncer:v1.0.1
# imagePullPolicy: IfNotPresent
-2
@@ -1,2 +0,0 @@
environment: staging
persistence: false
+1 -6
@@ -5,11 +5,6 @@ if [ ! $# -ge 1 ]; then
exit 1
fi
if [ ! -d chart ]; then
echo "error: must be run from toplevel directory"
exit 1
fi
k='kubectl --context oceanbox'
name=$1
@@ -20,7 +15,7 @@ yq ".clusters[]|select(.name|contains(\"$name-vcluster\")).name" ~/.kube/config
if [ $? = 0 ]; then
$k get ns $ns >/dev/null 2>&1 || $k create ns $ns
helm template -n $ns $@ $name ./chart | $k apply -f -
helm template -n $ns $@ $name oceanbox/vcluster | $k apply -f -
echo "waiting for vcluster $name to appear... "
while true; do
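Review bot: The new `helm template` line renders `oceanbox/vcluster` without a `--version`, so the chart that gets applied to the cluster is whatever the locally configured `oceanbox` repo index advertises at run time, which makes the deploy non-reproducible and silently picks up any newly published chart; the removed `-d chart` guard in the first hunk was also the only precondition check the script had, and nothing now verifies that the `oceanbox` repo alias exists before `kubectl apply -f -` consumes the (possibly empty) output of a failed render. Consider `helm template -n "$ns" "$@" "$name" oceanbox/vcluster --version "<CHART_VERSION>" | $k apply -f -` together with a guard such as `helm repo list 2>/dev/null | grep -q '^oceanbox' || { echo "error: helm repo oceanbox not configured" >&2; exit 1; }` — or, since the commit title says the chart moved to `charts/`, point the script at that in-tree path so it stays tied to the checked-out revision. The quoting of `$ns`, `$@` and `$name` is unchanged from the removed line, but fixing it on the new line is cheap. The enclosing script continues past this hunk.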