wip: use separate toplevel helmfile.d and values/

2025-05-16 10:46:38 +02:00
parent 55c6bb5923
commit ddc95aad80
34 changed files with 404 additions and 151 deletions
@@ -0,0 +1,59 @@
+bases:
+ - ../base/environments.yaml.gotmpl
+
+repositories:
+- name: argo
+  url: https://argoproj.github.io/argo-helm
+
+releases:
+- name: argocd
+  namespace: argocd
+  chart: argo/argo-cd
+  version: 7.5.2
+  values:
+  - values/argocd.yaml.gotmpl
+  - values/argocd-{{ .Environment.Name }}.yaml.gotmpl
+  - values/argocd-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+  postRenderer: ../../bin/kustomizer
+  postRendererArgs:
+  - kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: argocd-apps
+  namespace: argocd
+  chart: argo/argocd-apps
+  version: 0.0.1
+  condition: install.argo.apps.enabled
+  values:
+  - values/apps.yaml.gotmpl
+  - values/apps-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+  missingFileHandler: Info
+- name: argo-rollouts
+  namespace: argocd
+  chart: argo/argo-rollouts
+  version: 2.35.2
+  condition: install.argo.rollouts.enabled
+  values:
+  - values/rollouts.yaml.gotmpl
+  - values/rollouts-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+  missingFileHandler: Info
+- name: argo-workflows
+  namespace: argocd
+  chart: argo/argo-workflows
+  version: 0.45.0
+  condition: install.argo.workflows.enabled
+  values:
+  - values/workflows.yaml.gotmpl
+  - values/workflows-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+  missingFileHandler: Info
+- name: manifests
+  namespace: argocd
+  chart: _manifests
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - _manifest.yaml
@@ -0,0 +1,4 @@
+generatorOptions:
+  disableNameSuffixHash: true
+resources:
+  - ../base
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-applicationset-ingress
+  namespace: argocd
+spec:
+  description: Allow access from the ingress controller
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: applicationset-controller
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-argo-notifications
+  namespace: argocd
+spec:
+  description: Allow access to the ArgoCD Notifications
+  egress:
+    - toFQDNs:
+        - matchName: slack.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: notifications-controller
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-argo-repo-access-applicationset
+  namespace: argocd
+spec:
+  description: Allow access to the ArgoCD repo Applicationset
+  egress:
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: applicationset-controller
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-argo-repo-access
+  namespace: argocd
+spec:
+  description: Allow access to the ArgoCD repo server
+  egress:
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: repo-server
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-chartmuseum-ingress
+  namespace: argocd
+spec:
+  description: Allow access to the chartmuseum ingress
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: chartmuseum
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-image-updater-repo-access
+  namespace: argocd
+spec:
+  description: Allow argoCD image updater to access github container registry
+  egress:
+    - toFQDNs:
+        - matchName: ghcr.io
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-image-updater
@@ -0,0 +1,14 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-ingress
+  namespace: argocd
+spec:
+  description: Allow access from the ingress controller
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/component: server
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kube-api
+  namespace: argocd
+spec:
+  description: Allow access to the Kube API server
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels: {}
@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-microsoft-sso
+  namespace: argocd
+spec:
+  description: Allow argoCD dex server to authenticate to microsoft online azure oatuh
+  egress:
+    - toFQDNs:
+        - matchName: login.microsoftonline.com
+        - matchPattern: '*.microsoftonline.com'
+        - matchName: github.com
+        - matchName: api.github.com
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-dex-server
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics-rollout
+  namespace: argocd
+spec:
+  description: Allow access to the Prometheus metrics
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: argo-rollouts
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "8090"
+              protocol: TCP
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics-workflows
+  namespace: argocd
+spec:
+  description: Allow access to the Prometheus metrics
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: argo-workflows
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "9090"
+              protocol: TCP
@@ -0,0 +1,30 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: argocd
+spec:
+  description: Allow access to the Prometheus metrics
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: argocd
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "8082"
+              protocol: TCP
+            - port: "8080"
+              protocol: TCP
+            - port: "9001"
+              protocol: TCP
+            - port: "9121"
+              protocol: TCP
+            - port: "8084"
+              protocol: TCP
+            - port: "8083"
+              protocol: TCP
+            - port: "5558"
+              protocol: TCP
@@ -0,0 +1,10 @@
+argocd:
+  anyNamespaces:
+    enabled: false
+    glob: ""
+  repoServers:
+  - name: "helmfile-cmp"
+    image: "registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest"
+    imagePullSecret: []
+  additional_rbac_settings:
+  - g, "eb17a659-4ce6-41bc-9153-d9b117c44479", role:org-admin
@@ -0,0 +1,257 @@
+global:
+  domain: argocd.{{ .Values.clusterConfig.domain }}
+## ArgoCD configuration
+## Ref: https://github.com/argoproj/argo-cd
+##
+configs:
+  {{- if .Values.argocd.anyNamespaces.enabled }}
+  params:
+    applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
+    # TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
+    applicationsetcontroller.enable.scm.providers: "false"
+    application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
+  {{- end }}
+  cm:
+    application.resourceTrackingMethod: annotation+label
+    application.instanceLabelKey: app.kubernetes.io/instance
+    create: true
+    # NOTE(kai): callback URL for dex
+    url: "https://argocd.{{ .Values.clusterConfig.domain }}"
+    resource.compareoptions: |
+      ignoreAggregatedRoles: true
+    resource.exclusions: |
+      - apiGroups:
+        - cilium.io
+        kinds:
+        - CiliumIdentity
+        clusters:
+        - "*"
+      - apiGroups:
+        - kyverno.io
+        kinds:
+        - AdmissionReport
+        - BackgroundScanReport
+        - ClusterAdmissionReport
+        - ClusterBackgroundScanReport
+        clusters:
+        - "*"
+    # dex saml config
+    dex.config: |
+      logger:
+        level: debug
+        format: json
+      connectors:
+      {{- with .Values.clusterConfig.oidc }}
+      {{- range . }}
+      {{- if eq .provider "azuread" }}
+      - type: oidc
+        id: {{ .name }}
+        name: {{ .name }}
+        config:
+          issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0
+          clientID: ${{ .name | replace "-" "_" }}_client_id
+          clientSecret: ${{ .name | replace "-" "_" }}_client_secret
+          insecureSkipEmailVerified: true
+          requestedIDTokenClaims:
+            groups:
+               essential: true
+          insecureEnableGroups: true
+          requestedScopes:
+            - openid
+            - profile
+            - email
+            - groups
+      {{- else if eq .provider "github" }}
+      - type: github
+        id: {{ .name }}
+        name: {{ .name }}
+        config:
+          clientID: ${{ .name | replace "-" "_" }}_client_id
+          clientSecret: ${{ .name | replace "-" "_" }}_client_secret
+          redirectURI: https://argocd.{{ $.Values.clusterConfig.domain }}/api/dex/callback
+          orgs:
+          - name: {{ .allowed_organizations }}
+          loadAllGroups: true
+          teamNameField: slug
+          useLoginAsID: false
+      staticClients:
+      - id: ${{ .name | replace "-" "_" }}_client_id
+        name: Kubernetes
+        # These are kubectl oidc plugin internal URLs
+        redirectURIs:
+          - http://localhost:8000
+          - http://localhost:18000
+        # Random secret for the user to authenticat dex client
+        secret: 8d52926efe879ee505391b75f4b046cf
+      {{- end }}
+      {{- end }}
+      {{- end }}
+    admin.enabled: false
+  rbac:
+    # NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
+    policy.csv: |
+      p, role:org-admin, applications, *, */*, allow
+      p, role:org-admin, projects, *, *, allow
+      p, role:org-admin, logs, get, *, allow
+      p, role:org-admin, clusters, get, *, allow
+      p, role:org-admin, clusters, update, *, allow
+      p, role:org-admin, repositories, get, *, allow
+      p, role:org-admin, repositories, create, *, allow
+      p, role:org-admin, repositories, update, *, allow
+      p, role:org-admin, repositories, delete, *, allow
+      g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin
+      {{- with .Values.argocd.additional_rbac_settings }}
+      {{- range .}}
+      {{ . }}
+      {{- end }}
+      {{- end }}
+  repositories:
+    # Repositories for applications
+    argo-helm:
+      type: helm
+      url: https://argoproj.github.io/argo-helm
+  # UI changes based on env
+  styles: |
+    /* blue, orange, red depending on env */
+    :root {
+      --test-color: #0f2cbd;
+      --dev-color: #33b025;
+      --staging-color: #ebac2f;
+      --prod-color: #ff000d;
+    }
+    .top-bar__breadcrumbs::after {
+      content: "cluster: {{.Values.clusterConfig.cluster}},  env: {{.Values.clusterConfig.env}} ";
+      color: var(--{{.Values.clusterConfig.env}}-color);
+      font-weight: bolder;
+      font-size: larger;
+      position: fixed;
+      left: 50%;
+    }
+
+controller:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  resources:
+    limits:
+      memory: "1000Mi"
+    requests:
+      cpu: "250m"
+      memory: "1000Mi"
+
+# Mount azure ca as file for SAML auth
+dex:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  {{- with .Values.clusterConfig.oidc }}
+  env:
+  {{- range . }}
+  - name: {{ .name | replace "-" "_" }}_client_secret
+    valueFrom:
+      secretKeyRef:
+        name: {{ .secret_ref.name }}
+        key: client_secret
+  - name: {{ .name | replace "-" "_" }}_client_id
+    valueFrom:
+      secretKeyRef:
+        name: {{ .secret_ref.name }}
+        key: client_id
+  {{- end }}
+  {{- end }}
+
+redis:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+
+repoServer:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  {{- range .Values.argocd.repoServers }}
+  extraContainers:
+  - command:
+    - /var/run/argocd/argocd-cmp-server
+    image: {{ .image }}
+    imagePullPolicy: Always
+    name: {{ .name }}
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 999
+    terminationMessagePath: /dev/termination-log
+    terminationMessagePolicy: File
+    volumeMounts:
+    - mountPath: /var/run/argocd
+      name: var-files
+    - mountPath: /home/argocd/cmp-server/plugins
+      name: plugins
+    - mountPath: /tmp
+      name: cmp-tmp
+  volumes:
+  - name: cmp-tmp
+    emptyDir: {}
+  imagePullSecrets:
+    {{- range .imagePullSecret }}
+    - name: {{ .name }}
+    {{- end }}
+  {{- end }}
+
+# Configuration for argocd server instance
+server:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  ingress:
+    enabled: true
+    ingressClassName: nginx
+    annotations:
+      cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
+      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+      {{- with .Values.clusterConfig.ingress_whitelist_ips }}
+      nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
+      {{- end }}
+    hosts:
+      - "argocd.{{ .Values.clusterConfig.domain }}"
+    tls:
+      - secretName: argocd-tls
+        hosts:
+          - "argocd.{{ .Values.clusterConfig.domain }}"
+applicationSet:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  {{- if .Values.argocd.anyNamespaces.enabled }}
+  allowAnyNamespaces: true
+  {{- end }}
+  ingress:
+    enabled: false
+    ingressClassName: nginx
+    annotations:
+      cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
+      # {{- with .Values.clusterConfig.ingress_whitelist_ips}}
+      # NOTE(kai): include gitlab and github webhook ranges
+      # nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24
+      # {{- end }}
+    hostname: "argocd-applicationset.{{ .Values.clusterConfig.domain }}"
+    tls:
+      - secretName: argocd-applicationset-tls
+        hosts:
+          - "argocd-applicationset.{{ .Values.clusterConfig.domain }}"
+notifications:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  secret:
+    create: false
+  cm:
+    create: false
@@ -0,0 +1,9 @@
+dashboard:
+  enabled: {{ .Values.apps. true }}
+
+controller:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+
@@ -0,0 +1,9 @@
+dashboard:
+  enabled: {{ .Values.apps. true }}
+
+controller:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+