From ddc95aad806f06b5c5478722cd4f6adb67cd0057 Mon Sep 17 00:00:00 2001 
From: Jonas Juselius Date: Fri, 16 May 2025 10:46:38 +0200 Subject: [PATCH] wip: use separate toplevel helmfile.d and values/ --- .gitignore | 3 +- apps/templates/argocd.yaml | 4 +- apps/values.yaml | 44 +++--- bin/helmify | 2 +- bin/kustomizer | 10 +- envs/environments.yaml.gotmpl | 23 +++ helmfile.d/argo.yaml.gotmpl | 58 ++++++++ helmfiles/argocd/base/foo.yaml | 11 -- helmfiles/argocd/helmfile.yaml | 42 ------ helmfiles/argocd/prod/kustomization.yaml | 8 -- helmfiles/argocd/values-oceanbox.yaml.gotmpl | 4 - helmfiles/argocd/values-staging.yaml.gotmpl | 0 values/argo/helmfile.yaml | 59 ++++++++ .../argo/kustomize}/base/kustomization.yaml | 1 - .../argo/kustomize/default/kustomization.yaml | 4 + ...rkPolicy-allow-applicationset-ingress.yaml | 0 ...etworkPolicy-allow-argo-notifications.yaml | 0 ...allow-argo-repo-access-applicationset.yaml | 0 ...mNetworkPolicy-allow-argo-repo-access.yaml | 0 ...tworkPolicy-allow-chartmuseum-ingress.yaml | 0 ...olicy-allow-image-updater-repo-access.yaml | 0 .../CiliumNetworkPolicy-allow-ingress.yaml | 0 .../CiliumNetworkPolicy-allow-kube-api.yaml | 0 ...liumNetworkPolicy-allow-microsoft-sso.yaml | 0 ...licy-allow-prometheus-metrics-rollout.yaml | 0 ...cy-allow-prometheus-metrics-workflows.yaml | 0 ...etworkPolicy-allow-prometheus-metrics.yaml | 0 values/argo/values.yaml.gotmpl | 10 ++ .../argo/values/apps.yaml.gotmpl | 0 .../argo/values/argocd.yaml.gotmpl | 85 ++++------- values/argo/values/rollouts.yaml.gotmpl | 9 ++ values/argo/values/workflows.yaml.gotmpl | 9 ++ values/values-oceanbox.yaml | 37 +++++ values/values.yaml | 132 ++++++++++++++++++ 34 files changed, 404 insertions(+), 151 deletions(-) create mode 100644 envs/environments.yaml.gotmpl create mode 100644 helmfile.d/argo.yaml.gotmpl delete mode 100644 helmfiles/argocd/base/foo.yaml delete mode 100644 helmfiles/argocd/helmfile.yaml delete mode 100644 helmfiles/argocd/prod/kustomization.yaml delete mode 100644 helmfiles/argocd/values-oceanbox.yaml.gotmpl delete mode 100644 
helmfiles/argocd/values-staging.yaml.gotmpl create mode 100644 values/argo/helmfile.yaml rename {helmfiles/argocd => values/argo/kustomize}/base/kustomization.yaml (87%) create mode 100644 values/argo/kustomize/default/kustomization.yaml rename {helmfiles/argocd => values/argo}/manifests/CiliumNetworkPolicy-allow-applicationset-ingress.yaml (100%) rename {helmfiles/argocd => values/argo}/manifests/CiliumNetworkPolicy-allow-argo-notifications.yaml (100%) rename {helmfiles/argocd => values/argo}/manifests/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml (100%) rename {helmfiles/argocd => values/argo}/manifests/CiliumNetworkPolicy-allow-argo-repo-access.yaml (100%) rename {helmfiles/argocd => values/argo}/manifests/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml (100%) rename {helmfiles/argocd => values/argo}/manifests/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml (100%) rename {helmfiles/argocd => values/argo}/manifests/CiliumNetworkPolicy-allow-ingress.yaml (100%) rename {helmfiles/argocd => values/argo}/manifests/CiliumNetworkPolicy-allow-kube-api.yaml (100%) rename {helmfiles/argocd => values/argo}/manifests/CiliumNetworkPolicy-allow-microsoft-sso.yaml (100%) rename {helmfiles/argocd => values/argo}/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml (100%) rename {helmfiles/argocd => values/argo}/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml (100%) rename {helmfiles/argocd => values/argo}/manifests/CiliumNetworkPolicy-allow-prometheus-metrics.yaml (100%) create mode 100644 values/argo/values.yaml.gotmpl rename helmfiles/argocd/values-prod.yaml.gotmpl => values/argo/values/apps.yaml.gotmpl (100%) rename helmfiles/argocd/values.yaml.gotmpl => values/argo/values/argocd.yaml.gotmpl (66%) create mode 100644 values/argo/values/rollouts.yaml.gotmpl create mode 100644 values/argo/values/workflows.yaml.gotmpl create mode 100644 values/values-oceanbox.yaml create mode 100644 values/values.yaml 
diff --git a/.gitignore b/.gitignore
index 098d7691..021dfe2f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,5 +2,4 @@ _*/ .direnv/ .pre-commit-config.yaml -_manifest.yaml -_resources.yaml +_*.yaml
diff --git a/apps/templates/argocd.yaml b/apps/templates/argocd.yaml
index 89aa0eb0..2227dcef 100644
--- a/apps/templates/argocd.yaml
+++ b/apps/templates/argocd.yaml
@@ -16,9 +16,9 @@ spec: plugin: name: helmfile env: - - name: CLUSTER + - name: CLUSTER_NAME value: {{ .Values.cluster_config.name }} - - name: ENVIRONMENT + - name: HELMFILE_ENVIRONMENT value: {{ .environment }} {{/* - repoURL: {{ .Values.cluster_config.manifests }} */}} {{/* path: {{ .Values.cluster_config.policies }}/argocd */}}
diff --git a/apps/values.yaml b/apps/values.yaml
index 60c925d3..f2b7ffa2 100644
--- a/apps/values.yaml
+++ b/apps/values.yaml
@@ -73,6 +73,7 @@ argocd: imagePullSecret: [] helmTokenSecret: "" argocd_apps: + enable: true autosync: true version: 0.0.1 argo_workflows:
@@ -90,7 +91,6 @@ argo_rollouts: enabled: false dashboard_enabled: false - cilium: enabled: false autosync: true
@@ -375,18 +375,30 @@ yolo-registry.enable: false osm-tile-server.enable: false geoserver.enable: false -atlantis: - enabled: false - envs: - - prod - - staging -sorcerer: - enabled: false - envs: - - prod - - staging -openfga: - enabled: false - envs: - - prod - - staging +install: + argo: + autosync: true + argocd: + enabled: true + apps: + enabled: true + rollouts: + enabled: false + workflows: + enabled: false + atlantis: + enabled: false + envs: + - prod + - staging + sorcerer: + enabled: false + envs: + - prod + - staging + openfga: + enabled: false + envs: + - prod + - staging +
diff --git a/bin/helmify b/bin/helmify
index 3f7abe1d..fadc45f0 100755
--- a/bin/helmify
+++ b/bin/helmify
@@ -7,7 +7,7 @@ manifests=${4:-manifests} outdir=${5:-_manifests} build() { - if [ ! -d "manifests" ]; then + if [ ! -d "$manifests" ]; then echo "nothing to do here..." 1>&2 exit 0 fi
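Review bot: The `install:` tree added to apps/values.yaml in hunk @@ -375 is a second copy of the tree that values/values.yaml introduces in this same commit, and the two already differ (`install.argo.autosync: true` exists only here), while the helmfile `condition: install.argo.*.enabled` keys are evaluated against the values/ copy, not this one. Two hand-maintained copies of the enable/disable matrix will drift, and the drift is invisible because each consumer only sees its own file. Either have the ArgoCD Application template read values/values.yaml (or generate one file from the other) and add a comment on this block such as `# NOTE: mirrors install: in values/values.yaml; keep in sync until the Application reads that file directly`. The `autosync` key should then live in exactly one of them.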
diff --git a/bin/kustomizer b/bin/kustomizer
index b16b08bf..99207bf0 100755
--- a/bin/kustomizer
+++ b/bin/kustomizer
@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
 [ $# != 1 ] && exit 1
-[ ! -f base/kustomization.yaml ] && exit 1
-env=$1
+dir=$1
+base=$dir/../base
-if [ -f $env/kustomization.yaml ]; then
- cat >base/_manifest.yaml
- kubectl kustomize $env
+if [ -f $base/kustomization.yaml -a -f $dir/kustomization.yaml ]; then
+ cat > $base/_manifest.yaml
+ kubectl kustomize $dir
 else
 cat
 fi
diff --git a/envs/environments.yaml.gotmpl b/envs/environments.yaml.gotmpl
new file mode 100644
index 00000000..4ca2e101
--- /dev/null
+++ b/envs/environments.yaml.gotmpl
@@ -0,0 +1,23 @@
+---
+environments:
+ default:
+ values:
+ - ../values/values.yaml
+ - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+ - ../values/*/values.yaml.gotmpl
+ - ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+ missingFileHandler: Info
+ prod:
+ values:
+ - ../values.yaml
+ - ../values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+ - ../values/*/values.yaml.gotmpl
+ - ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+ missingFileHandler: Info
+ staging:
+ values:
+ - ../values.yaml
+ - ../values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+ - ../values/*/values.yaml.gotmpl
+ - ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+ missingFileHandler: Info
diff --git a/helmfile.d/argo.yaml.gotmpl b/helmfile.d/argo.yaml.gotmpl
new file mode 100644
index 00000000..3d0c034a
--- /dev/null
+++ b/helmfile.d/argo.yaml.gotmpl
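Review bot: When either `kustomization.yaml` is missing the new `if` falls through to a bare `cat`, so the post-renderer becomes a silent no-op; with this commit only `values/argo/kustomize/default/` exists and the prod overlay is deleted, so for the `prod` and `staging` environments the overlay is skipped without any signal that it was. The same branch also expands `$dir` and `$base` unquoted in `cat > $base/_manifest.yaml` and `kubectl kustomize $dir`, and `-a` inside `[ ]` is the deprecated form. Quote the expansions, use two tests joined by `&&`, and print a line to stderr on the pass-through path so a misspelled overlay path is visible in the helmfile log.

```shell
if [ -f "$base/kustomization.yaml" ] && [ -f "$dir/kustomization.yaml" ]; then
  cat > "$base/_manifest.yaml"
  kubectl kustomize "$dir"
else
  echo "kustomizer: no overlay at $dir, passing manifests through unchanged" 1>&2
  cat
fi
```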
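Review bot: The `prod` and `staging` environments list `../values.yaml` and `../values-{{ requiredEnv "CLUSTER_NAME" }}.yaml`, which relative to envs/ resolve to the repository root, whereas the files this commit creates are values/values.yaml and values/values-oceanbox.yaml — the paths the `default` environment uses. Because `missingFileHandler: Info` downgrades the miss to a log line, `prod`/`staging` will load only the `../values/*/values.yaml.gotmpl` glob and run with no `clusterConfig` and no `install.*` keys; depending on how the nil `.Values.clusterConfig` is handled that either fails the render or, for lookups guarded with `with` such as `ingress_whitelist_ips`, silently drops the source-IP allow-list from the argocd ingress. Point all three environments at the same `../values/values.yaml` / `../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml` paths, and reserve `Info` for the optional per-cluster overlays: the two base files should fail loudly (`missingFileHandler: Error`, or a `requiredEnv`-style guard) when absent.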
@@ -0,0 +1,58 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: argo
+ url: https://argoproj.github.io/argo-helm
+
+releases:
+- name: argocd
+ namespace: argocd
+ chart: argo/argo-cd
+ version: 7.5.2
+ condition: install.argo.argocd.enabled
+ values:
+ - ../values/argo/values/argocd.yaml.gotmpl
+ - ../values/argo/values/argocd-{{ .Environment.Name }}.yaml.gotmpl
+ postRenderer: ../bin/kustomizer
+ postRendererArgs:
+ - ../values/argo/kustomize/{{ .Environment.Name }}
+ missingFileHandler: Info
+- name: argocd-apps
+ namespace: argocd
+ chart: argo/argocd-apps
+ version: 0.0.1
+ condition: install.argo.apps.enabled
+ values:
+ - ../values/argo/values/apps.yaml.gotmpl
+ missingFileHandler: Info
+- name: argo-rollouts
+ namespace: argocd
+ chart: argo/argo-rollouts
+ version: 2.35.2
+ condition: install.argo.rollouts.enabled
+ values:
+ - ../values/argo/values/rollouts.yaml.gotmpl
+ missingFileHandler: Info
+- name: argo-workflows
+ namespace: argocd
+ chart: argo/argo-workflows
+ version: 0.45.0
+ condition: install.argo.workflows.enabled
+ values:
+ - ../values/argo/values/workflows.yaml.gotmpl
+ missingFileHandler: Info
+- name: argo-manifests
+ namespace: argocd
+ chart: _argo
+ hooks:
+ - events: [ prepare, cleanup ]
+ showlogs: true
+ command: ../bin/helmify
+ args:
+ - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+ - '{{`{{ .Release.Chart }}`}}'
+ - '{{`{{ .Environment.Name }}`}}'
+ - ../values/argo/manifests
+ - _argo
+
diff --git a/helmfiles/argocd/base/foo.yaml b/helmfiles/argocd/base/foo.yaml
deleted file mode 100644
index 4a1f50af..00000000
--- a/helmfiles/argocd/base/foo.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- annotations:
- kyverno/clone: "true"
- kyverno/env: "prod"
- name: prod-atlantis-rabbitmq
-type: Opaque
-data:
- foo: |
- bar: raboof
diff --git a/helmfiles/argocd/helmfile.yaml b/helmfiles/argocd/helmfile.yaml
deleted file mode 100644
index 6e1ca392..00000000
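Review bot: `postRendererArgs: - ../values/argo/kustomize/{{ .Environment.Name }}` only resolves to a real overlay for the `default` environment — this commit creates `values/argo/kustomize/default/` and deletes `helmfiles/argocd/prod/kustomization.yaml` without a replacement — so for `prod` and `staging` the kustomize step is skipped, and `missingFileHandler: Info` does not cover the post-renderer path, so nothing reports it. Either add `prod/` and `staging/` overlays that reference `../base`, or point the argument at `kustomize/default` until per-environment overlays exist, and add a comment stating which environments are expected to have one. Separately, the `argocd` release here drops the per-cluster `argocd-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl` values file that the sibling values/argo/helmfile.yaml in this same commit still lists; the two helmfiles describe the same release differently.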
--- a/helmfiles/argocd/helmfile.yaml
+++ /dev/null
@@ -1,42 +0,0 @@ -environments: - default: - values: - - ../../apps/values.yaml - - ../../values/sys/values-{{ requiredEnv "CLUSTER" }}.yaml - prod: - values: - - ../../apps/values.yaml - - ../../../values/sys/values-{{ requiredEnv "CLUSTER" }}.yaml - staging: - values: - - ../../apps/values.yaml - - ../../values/sys/values-{{ requiredEnv "CLUSTER" }}.yaml ---- -repositories: -- name: argo - url: https://argoproj.github.io/argo-helm - -releases: -- name: argocd - namespace: argocd - chart: argo/argo-cd - values: - - values.yaml.gotmpl - - values-{{ .Environment.Name }}.yaml.gotmpl - - values-{{ requiredEnv "CLUSTER" }}.yaml.gotmpl - postRenderer: ../../bin/kustomizer - postRendererArgs: - - {{ .Environment.Name }} - missingFileHandler: Info -- name: manifests - namespace: argocd - chart: _manifests - hooks: - - events: [ prepare, cleanup ] - showlogs: true - command: ../../bin/helmify - args: - - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}' - - '{{`{{ .Release.Chart }}`}}' - - '{{`{{ .Environment.Name }}`}}' -
diff --git a/helmfiles/argocd/prod/kustomization.yaml b/helmfiles/argocd/prod/kustomization.yaml
deleted file mode 100644
index ecfa7607..00000000
--- a/helmfiles/argocd/prod/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@ -generatorOptions: - disableNameSuffixHash: true -# configMapGenerator: -# - name: prod-atlantis-appsettings -# files: -# - appsettings.json -resources: - - ../base
diff --git a/helmfiles/argocd/values-oceanbox.yaml.gotmpl b/helmfiles/argocd/values-oceanbox.yaml.gotmpl
deleted file mode 100644
index da0d0d00..00000000
--- a/helmfiles/argocd/values-oceanbox.yaml.gotmpl
+++ /dev/null
@@ -1,4 +0,0 @@ -configs: - cm: - url: "https://foobar.oceanbox.io" -
diff --git a/helmfiles/argocd/values-staging.yaml.gotmpl b/helmfiles/argocd/values-staging.yaml.gotmpl
deleted file mode 100644
index e69de29b..00000000
diff --git a/values/argo/helmfile.yaml b/values/argo/helmfile.yaml
new file mode 100644
index 00000000..99353b7a
--- /dev/null
+++ b/values/argo/helmfile.yaml
@@ -0,0 +1,59 @@
+bases:
+ - ../base/environments.yaml.gotmpl
+
+repositories:
+- name: argo
+ url: https://argoproj.github.io/argo-helm
+
+releases:
+- name: argocd
+ namespace: argocd
+ chart: argo/argo-cd
+ version: 7.5.2
+ values:
+ - values/argocd.yaml.gotmpl
+ - values/argocd-{{ .Environment.Name }}.yaml.gotmpl
+ - values/argocd-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+ postRenderer: ../../bin/kustomizer
+ postRendererArgs:
+ - kustomize/{{ .Environment.Name }}
+ missingFileHandler: Info
+- name: argocd-apps
+ namespace: argocd
+ chart: argo/argocd-apps
+ version: 0.0.1
+ condition: install.argo.apps.enabled
+ values:
+ - values/apps.yaml.gotmpl
+ - values/apps-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+ missingFileHandler: Info
+- name: argo-rollouts
+ namespace: argocd
+ chart: argo/argo-rollouts
+ version: 2.35.2
+ condition: install.argo.rollouts.enabled
+ values:
+ - values/rollouts.yaml.gotmpl
+ - values/rollouts-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+ missingFileHandler: Info
+- name: argo-workflows
+ namespace: argocd
+ chart: argo/argo-workflows
+ version: 0.45.0
+ condition: install.argo.workflows.enabled
+ values:
+ - values/workflows.yaml.gotmpl
+ - values/workflows-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+ missingFileHandler: Info
+- name: manifests
+ namespace: argocd
+ chart: _manifests
+ hooks:
+ - events: [ prepare, cleanup ]
+ showlogs: true
+ command: ../../bin/helmify
+ args:
+ - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+ - '{{`{{ .Release.Chart }}`}}'
+ - '{{`{{ .Environment.Name }}`}}'
+
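Review bot: `bases: - ../base/environments.yaml.gotmpl` points at a file that does not exist in this commit — the environments file is created at envs/environments.yaml.gotmpl, which helmfile.d/argo.yaml.gotmpl references correctly — so this helmfile cannot be evaluated as committed. It is also a near-duplicate of helmfile.d/argo.yaml.gotmpl with divergent content: the `argocd` release here has no `condition`, the manifests release is named `manifests` with chart `_manifests` rather than `argo-manifests`/`_argo`, and the per-cluster `*-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl` values files appear only here. Two helmfiles declaring the same `argocd` release in the same namespace will fight over it; since the subject line marks this as wip, decide which one is canonical and delete the other, or add a comment at the top of the surviving file stating that helmfile.d/ is the only entry point and values/argo/ holds values only.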
diff --git a/helmfiles/argocd/base/kustomization.yaml b/values/argo/kustomize/base/kustomization.yaml
similarity index 87%
rename from helmfiles/argocd/base/kustomization.yaml
rename to values/argo/kustomize/base/kustomization.yaml
index aaebae24..57f354b1 100644
--- a/helmfiles/argocd/base/kustomization.yaml
+++ b/values/argo/kustomize/base/kustomization.yaml
@@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - _manifest.yaml
- - foo.yaml
diff --git a/values/argo/kustomize/default/kustomization.yaml b/values/argo/kustomize/default/kustomization.yaml
new file mode 100644
index 00000000..22967828
--- /dev/null
+++ b/values/argo/kustomize/default/kustomization.yaml
@@ -0,0 +1,4 @@
+generatorOptions:
+ disableNameSuffixHash: true
+resources:
+ - ../base
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-applicationset-ingress.yaml b/values/argo/manifests/CiliumNetworkPolicy-allow-applicationset-ingress.yaml
similarity index 100%
rename from helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-applicationset-ingress.yaml
rename to values/argo/manifests/CiliumNetworkPolicy-allow-applicationset-ingress.yaml
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-notifications.yaml b/values/argo/manifests/CiliumNetworkPolicy-allow-argo-notifications.yaml
similarity index 100%
rename from helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-notifications.yaml
rename to values/argo/manifests/CiliumNetworkPolicy-allow-argo-notifications.yaml
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml b/values/argo/manifests/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml
similarity index 100%
rename from helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml
rename to values/argo/manifests/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml
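Review bot: The new `default/kustomization.yaml` omits the `apiVersion: kustomize.config.k8s.io/v1beta1` / `kind: Kustomization` header that the renamed base file carries, so the two files in the same tree follow different conventions and the overlay relies on kustomize's legacy behaviour of accepting a headerless file. Add the two header lines for consistency with `base/kustomization.yaml`, and a comment on `generatorOptions` saying why the suffix hash is disabled here (it only matters once a generator is added; none is present in this commit).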
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-repo-access.yaml b/values/argo/manifests/CiliumNetworkPolicy-allow-argo-repo-access.yaml
similarity index 100%
rename from helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-argo-repo-access.yaml
rename to values/argo/manifests/CiliumNetworkPolicy-allow-argo-repo-access.yaml
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml b/values/argo/manifests/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml
similarity index 100%
rename from helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml
rename to values/argo/manifests/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml b/values/argo/manifests/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml
similarity index 100%
rename from helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml
rename to values/argo/manifests/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-ingress.yaml b/values/argo/manifests/CiliumNetworkPolicy-allow-ingress.yaml
similarity index 100%
rename from helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-ingress.yaml
rename to values/argo/manifests/CiliumNetworkPolicy-allow-ingress.yaml
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-kube-api.yaml b/values/argo/manifests/CiliumNetworkPolicy-allow-kube-api.yaml
similarity index 100%
rename from helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-kube-api.yaml
rename to values/argo/manifests/CiliumNetworkPolicy-allow-kube-api.yaml
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-microsoft-sso.yaml b/values/argo/manifests/CiliumNetworkPolicy-allow-microsoft-sso.yaml
similarity index 100%
rename from helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-microsoft-sso.yaml
rename to values/argo/manifests/CiliumNetworkPolicy-allow-microsoft-sso.yaml
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml b/values/argo/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml
similarity index 100%
rename from helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml
rename to values/argo/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml b/values/argo/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml
similarity index 100%
rename from helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml
rename to values/argo/manifests/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml
diff --git a/helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/values/argo/manifests/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
similarity index 100%
rename from helmfiles/argocd/manifests/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
rename to values/argo/manifests/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
diff --git a/values/argo/values.yaml.gotmpl b/values/argo/values.yaml.gotmpl
new file mode 100644
index 00000000..3269c570
--- /dev/null
+++ b/values/argo/values.yaml.gotmpl
@@ -0,0 +1,10 @@
+argocd:
+ anyNamespaces:
+ enabled: false
+ glob: ""
+ repoServers:
+ - name: "helmfile-cmp"
+ image: "registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest"
+ imagePullSecret: []
+ additional_rbac_settings:
+ - g, "eb17a659-4ce6-41bc-9153-d9b117c44479", role:org-admin
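Review bot: `image: "registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest"` is a mutable tag for the CMP sidecar that runs helmfile inside the repo-server pod (and is pulled with `imagePullPolicy: Always` in values/argo/values/argocd.yaml.gotmpl), so whatever is pushed to `:latest` next executes with the repo-server's repository credentials on every refresh; this is the supply-chain-sensitive image in the whole deployment. Pin it to an immutable reference — a release tag plus `@sha256:` digest — and bump it deliberately, e.g. `image: "registry.gitlab.com/oceanbox/manifests/helmfile-cmp:<tag>@sha256:<digest>"`. Also, `additional_rbac_settings` grants `role:org-admin` to a bare object ID; add a comment naming the Azure AD group it refers to, as the policy.csv block in argocd.yaml.gotmpl already does for the other group.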
diff --git a/helmfiles/argocd/values-prod.yaml.gotmpl b/values/argo/values/apps.yaml.gotmpl
similarity index 100%
rename from helmfiles/argocd/values-prod.yaml.gotmpl
rename to values/argo/values/apps.yaml.gotmpl
diff --git a/helmfiles/argocd/values.yaml.gotmpl b/values/argo/values/argocd.yaml.gotmpl
similarity index 66%
rename from helmfiles/argocd/values.yaml.gotmpl
rename to values/argo/values/argocd.yaml.gotmpl
index 31d9fa13..b8e355ca 100644
--- a/helmfiles/argocd/values.yaml.gotmpl
+++ b/values/argo/values/argocd.yaml.gotmpl
@@ -1,5 +1,5 @@ global: - domain: argocd.{{ .Values.cluster_config.domain }} + domain: argocd.{{ .Values.clusterConfig.domain }} ## ArgoCD configuration ## Ref: https://github.com/argoproj/argo-cd ##
@@ -16,7 +16,7 @@ configs: application.instanceLabelKey: app.kubernetes.io/instance create: true # NOTE(kai): callback URL for dex - url: "https://argocd.{{ .Values.cluster_config.domain }}" + url: "https://argocd.{{ .Values.clusterConfig.domain }}" resource.compareoptions: | ignoreAggregatedRoles: true resource.exclusions: |
@@ -41,7 +41,7 @@ configs: level: debug format: json connectors: - {{- with .Values.cluster_config.oidc }} + {{- with .Values.clusterConfig.oidc }} {{- range . }} {{- if eq .provider "azuread" }} - type: oidc
@@ -68,7 +68,7 @@ configs: config: clientID: ${{ .name | replace "-" "_" }}_client_id clientSecret: ${{ .name | replace "-" "_" }}_client_secret - redirectURI: https://argocd.{{ $.Values.cluster_config.domain }}/api/dex/callback + redirectURI: https://argocd.{{ $.Values.clusterConfig.domain }}/api/dex/callback orgs: - name: {{ .allowed_organizations }} loadAllGroups: true
@@ -86,7 +86,7 @@ configs: {{- end }} {{- end }} {{- end }} - admin.enabled: '{{ .Values.argocd.adminLogin }}' + admin.enabled: false rbac: # NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group policy.csv: |
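Review bot: `admin.enabled: false` is now hard-wired, which is the right default for an SSO-only ArgoCD, but the commit removes the `argocd.adminLogin` override without recording the decision, and the same commit defaults `clusterConfig.oidc: []` in values/values.yaml — so a cluster whose cluster values file has no connector has no login path at all. That is a sensible deny-by-default, but it should be stated where the next operator will look, e.g. `# admin account is intentionally disabled; access is via the dex connectors from clusterConfig.oidc only — a cluster with oidc: [] has no UI login` above `admin.enabled: false`. The `rbac:` block this hunk ends in continues outside the hunk.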
@@ -100,33 +100,6 @@ configs: p, role:org-admin, repositories, update, *, allow p, role:org-admin, repositories, delete, *, allow g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin - {{- if .Values.cluster_config.external_access.enabled }} - p, role:external-admin, applications, *, sys/*, deny - p, role:external-admin, applications, *, oxb/*, deny - p, role:external-admin, applications, *, */*, allow - p, role:external-admin, projects, *, oxb, deny - p, role:external-admin, projects, *, sys, deny - p, role:external-admin, projects, get, *, allow - p, role:external-admin, logs, get, *, allow - p, role:external-admin, clusters, get, *, allow - p, role:external-admin, repositories, get, *, allow - p, role:external-admin, repositories, create, *, allow - p, role:external-admin, repositories, update, *, allow - p, role:external-admin, repositories, delete, *, allow - g, "{{ .Values.cluster_config.external_access.admin_group }}", role:external-admin - {{- end }} - {{- if .Values.cluster_config.external_access.enabled }} - {{- range .Values.cluster_config.external_access.groups }} - {{- "\n" -}} - {{- $name := .name }} - p, role:{{$name}}, projects, get, {{$name}}, allow - p, role:{{$name}}, applications, get, {{$name}}/*, allow - p, role:{{$name}}, logs, get, {{$name}}/*, allow - {{- range .group_id }} - g, {{ . }}, role:{{$name}} - {{- end }} - {{- end }} - {{- end }} {{- with .Values.argocd.additional_rbac_settings }} {{- range .}} {{ . }}
@@ -147,8 +120,8 @@ configs: --prod-color: #ff000d; } .top-bar__breadcrumbs::after { - content: "cluster: {{.Values.cluster_config.cluster}}, env: {{.Values.cluster_config.env}} "; - color: var(--{{.Values.cluster_config.env}}-color); + content: "cluster: {{.Values.clusterConfig.cluster}}, env: {{.Values.clusterConfig.env}} "; + color: var(--{{.Values.clusterConfig.env}}-color); font-weight: bolder; font-size: larger; position: fixed;
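Review bot: Removing the `external_access` roles from `policy.csv` leaves `external_access: enabled: false` in values/values-oceanbox.yaml (same commit) as dead configuration that nothing reads any more, and an operator flipping it to `true` later would get no external-admin policy and no error. Either delete the key from the cluster values file or, if the feature is coming back, leave a `# TODO: external_access roles removed in <this commit>; re-add before honouring clusterConfig.external_access` comment next to the surviving `{{- with .Values.argocd.additional_rbac_settings }}` block. That `with` block also inserts each `{{ . }}` line into the casbin policy verbatim, which is fine while the values are repo-controlled but deserves a one-line comment saying the lines are trusted policy text, not user input.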
@@ -162,10 +135,10 @@ controller: enabled: true resources: limits: - memory: {{ .Values | get "argocd.resources.controller.memory" "1000Mi" }} + memory: "1000Mi" requests: - cpu: {{ .Values | get "argocd.resources.controller.cpu" "250m" }} - memory: {{ .Values | get "argocd.resources.controller.memory" "1000Mi" }} + cpu: "250m" + memory: "1000Mi" # Mount azure ca as file for SAML auth dex:
@@ -173,7 +146,7 @@ dex: enabled: true serviceMonitor: enabled: true - {{- with .Values.cluster_config.oidc }} + {{- with .Values.clusterConfig.oidc }} env: {{- range . }} - name: {{ .name | replace "-" "_" }}_client_secret
@@ -200,13 +173,13 @@ repoServer: enabled: true serviceMonitor: enabled: true - {{- if .Values.argocd.repoServer.cmp.enabled }} + {{- range .Values.argocd.repoServers }} extraContainers: - command: - /var/run/argocd/argocd-cmp-server - image: {{ .Values.argocd.repoServer.cmp.image }} + image: {{ .image }} imagePullPolicy: Always - name: {{ .Values.argocd.repoServer.cmp.name }} + name: {{ .name }} securityContext: runAsNonRoot: true runAsUser: 999
@@ -219,20 +192,14 @@ repoServer: name: plugins - mountPath: /tmp name: cmp-tmp - {{- with .Values.argocd.repoServer.cmp.initContainers }} - initContainers: - {{- toYaml . | nindent 10}} - {{- end }} volumes: - name: cmp-tmp emptyDir: {} - {{- if .Values.argocd.repoServer.cmp.imagePullSecret }} imagePullSecrets: - {{- range .Values.argocd.repoServer.cmp.imagePullSecret}} + {{- range .imagePullSecret }} - name: {{ .name }} + {{- end }} {{- end }} - {{- end }} -{{- end }} # Configuration for argocd server instance server:
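Review bot: `{{- range .Values.argocd.repoServers }}` in hunk @@ -200 opens before the `extraContainers:` key and its matching `{{- end }}` in hunk @@ -219 sits after `volumes:` and `imagePullSecrets:`, so every iteration emits the `extraContainers`, `volumes` and `imagePullSecrets` keys again; with one entry (the only case values/argo/values.yaml.gotmpl has) this works, with two the rendered values file has duplicate keys and the YAML parser keeps only the last sidecar, silently dropping the others. The range should wrap the list items, not the keys, and the `{{- range .imagePullSecret }}` needs the same treatment because it is a pod-level list that must aggregate across sidecars. The rewrite below keeps the per-container body (securityContext, volumeMounts, which lie between the two hunks) unchanged; note that `imagePullSecrets:` will render as an empty key when every entry has `imagePullSecret: []`, which the chart's `with`-guarded template should tolerate — verify against the chart version pinned here.

```yaml
  extraContainers:
  {{- range .Values.argocd.repoServers }}
  - command:
    - /var/run/argocd/argocd-cmp-server
    image: {{ .image }}
    imagePullPolicy: Always
    name: {{ .name }}
    # … unchanged: securityContext and volumeMounts …
  {{- end }}
  volumes:
  - name: cmp-tmp
    emptyDir: {}
  imagePullSecrets:
  {{- range .Values.argocd.repoServers }}
  {{- range .imagePullSecret }}
  - name: {{ .name }}
  {{- end }}
  {{- end }}
```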
@@ -241,22 +208,22 @@ server: serviceMonitor: enabled: true ingress: - enabled: {{ .Values.argocd.ingress.enabled }} + enabled: true ingressClassName: nginx annotations: - cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }} + cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }} nginx.ingress.kubernetes.io/ssl-passthrough: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - {{- with .Values.cluster_config.ingress_whitelist_ips }} + {{- with .Values.clusterConfig.ingress_whitelist_ips }} nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }} {{- end }} hosts: - - "argocd.{{ .Values.cluster_config.domain }}" + - "argocd.{{ .Values.clusterConfig.domain }}" tls: - secretName: argocd-tls hosts: - - "argocd.{{ .Values.cluster_config.domain }}" + - "argocd.{{ .Values.clusterConfig.domain }}" applicationSet: metrics: enabled: true 
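Review bot: With `enabled: true` now hard-coded the argocd ingress is always created, and the only perimeter control on it is the `nginx.ingress.kubernetes.io/whitelist-source-range` annotation, which is emitted inside `{{- with .Values.clusterConfig.ingress_whitelist_ips }}` — an empty or missing list silently omits the annotation rather than failing, and because `ssl-passthrough` hands TLS straight to argocd-server, nginx applies no other policy. Since values/values.yaml defaults the list to RFC1918 ranges this is fine today, but a cluster values file that sets `ingress_whitelist_ips: []` (or a mis-resolved values path, as the `prod`/`staging` environments in envs/environments.yaml.gotmpl have) would expose the UI to any source without a trace. Make the omission explicit: either `{{ required "clusterConfig.ingress_whitelist_ips must be set for the argocd ingress" .Values.clusterConfig.ingress_whitelist_ips | join "," }}` (or `fail` if `required` is not available in your helmfile version), or a comment on the `with` line stating that an empty list intentionally means unrestricted.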
@@ -266,19 +233,19 @@ applicationSet: allowAnyNamespaces: true {{- end }} ingress: - enabled: {{ .Values.argocd.applicationset_webhook.enabled }} + enabled: false ingressClassName: nginx annotations: - cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }} - # {{- with .Values.cluster_config.ingress_whitelist_ips}} + cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }} + # {{- with .Values.clusterConfig.ingress_whitelist_ips}} # NOTE(kai): include gitlab and github webhook ranges # nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24 # {{- end }} - hostname: "argocd-applicationset.{{ .Values.cluster_config.domain }}" + hostname: "argocd-applicationset.{{ .Values.clusterConfig.domain }}" tls: - secretName: argocd-applicationset-tls hosts: - - "argocd-applicationset.{{ .Values.cluster_config.domain }}" + - "argocd-applicationset.{{ .Values.clusterConfig.domain }}" notifications: metrics: enabled: true
diff --git a/values/argo/values/rollouts.yaml.gotmpl b/values/argo/values/rollouts.yaml.gotmpl
new file mode 100644
index 00000000..3dc66812
--- /dev/null
+++ b/values/argo/values/rollouts.yaml.gotmpl
@@ -0,0 +1,9 @@
+dashboard:
+ enabled: {{ .Values.apps. true }}
+
+controller:
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+
diff --git a/values/argo/values/workflows.yaml.gotmpl b/values/argo/values/workflows.yaml.gotmpl
new file mode 100644
index 00000000..3dc66812
--- /dev/null
+++ b/values/argo/values/workflows.yaml.gotmpl
@@ -0,0 +1,9 @@
+dashboard:
+ enabled: {{ .Values.apps. true }}
+
+controller:
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+
diff --git a/values/values-oceanbox.yaml b/values/values-oceanbox.yaml
new file mode 100644
index 00000000..81c64c49
--- /dev/null
+++ b/values/values-oceanbox.yaml
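Review bot: `enabled: {{ .Values.apps. true }}` in rollouts.yaml.gotmpl is not a valid Go template expression (a trailing `.` on the field chain), so helmfile will fail to render this values file the moment `install.argo.rollouts.enabled` is set to true; the condition being false today is the only reason the commit does not break. workflows.yaml.gotmpl is a byte-for-byte copy of it (both headers show blob `3dc66812`), so it carries the same error and a `dashboard:` key written for the rollouts chart — as far as I recall the argo-workflows chart configures its UI under a different key, so check the chart's values before keeping it. Replace the expression with the key you actually intend, e.g. `enabled: {{ .Values | get "install.argo.rollouts.dashboard" false }}`, and give workflows its own values file rather than a copy.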
@@ -0,0 +1,37 @@
+clusterConfig:
+ env: "prod"
+ distro: "talos"
+ domain: "adm.oceanbox.io"
+ initca: ""
+ apiserver: ""
+ apiserverip: ""
+ etcd_nodes: [ "10.255.241.201, 10.255.241.202, 10.255.241.203" ]
+ k8s_nodes: [ "" ]
+ cluster: "oceanbox"
+ ingress_nodes: ["oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3" ]
+ ingress_replica_count: 3
+ fileserver: "10.255.241.210"
+ acme_email: "acme@oceanbox.io"
+ oidc:
+ - name: serit-oidc
+ provider: azuread
+ tenant: "95e5d757-4fb3-4113-a93c-c41393be61cf"
+ secret_ref:
+ name: serit-oidc
+ group_id: "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29"
+ external_access:
+ enabled: false
+ - name: oceanbox-oidc
+ provider: azuread
+ tenant: "3f737008-e9a0-4485-9d27-40329d288089"
+ secret_ref:
+ name: oceanbox-oidc
+ group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
+ nodes: []
+ ingress_whitelist_ips:
+ #itp internal
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ - 172.19.255.0/24
+
diff --git a/values/values.yaml b/values/values.yaml
new file mode 100644
index 00000000..bda33a71
--- /dev/null
+++ b/values/values.yaml
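Review bot: `etcd_nodes: [ "10.255.241.201, 10.255.241.202, 10.255.241.203" ]` and `ingress_nodes: ["oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3" ]` are each a one-element list holding a single comma-separated string, not three entries, and `k8s_nodes: [ "" ]` is a one-element list containing an empty name; any consumer that iterates these (the base values.yaml declares them as `[]` lists) will see one bogus node. Write them as real sequences, `etcd_nodes: ["10.255.241.201", "10.255.241.202", "10.255.241.203"]` and `ingress_nodes: ["oceanbox-controlplane-1", "oceanbox-controlplane-2", "oceanbox-controlplane-3"]`. The collapsed diff hides indentation, but `external_access: enabled: false` sits between the `serit-oidc` and `oceanbox-oidc` entries of `oidc`, so it is either nested inside the first connector or it terminates the list and the second connector does not parse; since this commit also removes the only template that read `external_access`, drop the key.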
@@ -0,0 +1,132 @@
+clusterConfig:
+ manifests: https://gitlab.com/oceanbox/manifests.git
+ policies: policies/sys
+ resources: resources/sys
+ distro: "" #[nixos, talos]
+ env: "" #[dev, test, staging, prod]
+ initca: ""
+ domain: ".local"
+ apiserver: ""
+ apiserverip: ""
+ etcd_nodes: []
+ k8s_nodes: []
+ cluster: ""
+ ingress_nodes: []
+ ingress_replica_count: 3
+ fileserver: ""
+ acme_email: ""
+ nodenames: []
+ nodes: []
+ ingress_clusterissuer: "letsencrypt-production"
+ ingress_whitelist_ips:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ - 172.19.255.0/24
+ oidc: []
+ #- name: azure-oidc
+ # provider: azuread
+ # tenant: "https://login.microsoftonline.com//oauth2/v2.0"
+ # secret_ref:
+ # name: azure-oidc
+ # group_id: ""
+ #- name: github-oidc
+ # provider: github
+ # secret_ref:
+ # name: github-oidc
+ # allowed_organizations:
+ # allowed_teams:
+
+install:
+ argo:
+ argocd:
+ enabled: true
+ apps:
+ enabled: true
+ rollouts:
+ enabled: false
+ workflows:
+ enabled: false
+ atlantis:
+ enabled: false
+ envs:
+ - prod
+ - staging
+ sorcerer:
+ enabled: false
+ envs:
+ - prod
+ - staging
+ openfga:
+ enabled: false
+ envs:
+ - prod
+ - staging
+
+ cilium:
+ enabled: false
+ linkerd:
+ enabled: true
+ thanos:
+ enabled: false
+ prometheus:
+ enabled: true
+ nfs_provisioner:
+ enabled: true
+ cert_manager:
+ autosync: true
+ kubernetes_dashboard:
+ enabled: false
+ metrics_server:
+ autosync: true
+ nginx:
+ enabled: true
+ kyverno:
+ enabled: false
+ velero:
+ enabled: true
+ x509_exporter:
+ enabled: true
+ downscaler:
+ enabled: false
+ actions_runner_controller:
+ enabled: false
+ gitlab_runner:
+ enabled: true
+ postgres_operator:
+ enabled: true
+ rabbitmq_operator:
+ enabled: false
+ jaeger_operator:
+ enabled: false
+ loki:
+ enabled: false
+ tempo:
+ enabled: false
+ otel:
+ enabled: false
+ promtail:
+ enabled: false
+ mariadb_operator:
+ enabled: false
+ chartmuseum:
+ enabled: false
+ clickhouse_operator:
+ enabled: false
+ oncall:
enabled: false
+ dapr:
+ enable: true
+ busynix.enable: false
+ headscale.enable: false
+ plausible.enable: false
+ dex.enable: false
+ keycloak.enable: false
+ rabbitmq.enable: false
+ redis.enable: false
+ wordpress.enable: false
+ yolo-dl.enable: false
+ yolo-registry.enable: false
+ osm-tile-server.enable: false
+ geoserver.enable: false
+
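Review bot: The `install:` tree mixes two spellings of the same switch — `argocd: enabled:`, `linkerd: enabled:` and the like versus `dapr: enable: true` and the dotted `busynix.enable: false` family at the bottom of this hunk — while the helmfile releases in this commit test `condition: install.argo.<x>.enabled`; a release whose condition is written against the wrong spelling never sees the value, and helmfile's handling of a condition key that does not exist is not something to rely on. Normalise on `enabled` (the chart convention the argo keys already use) and turn the dotted `name.enable` keys into nested `name: {enabled: …}` maps so one predicate works everywhere, or at least add a comment at the top of `install:` documenting which form the conditions read. Note also that the collapsed diff does not show whether `cilium:` and the entries after it are nested under `install.argo` or under `install`; the blank line before `cilium:` suggests the latter, but that is worth confirming since `install.argo.*` is what the conditions read.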