platform/manifests
1
1
Fork 0
Code Issues 7 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: platform/manifests:main
Branches Tags
platform/manifests:main platform/manifests:renovate/kubernetes-ingress-1.x platform/manifests:renovate/jobset-0.x platform/manifests:renovate/registry.k8s.io-kueue-charts-kueue-0.x platform/manifests:renovate/spegel-0.x platform/manifests:renovate/rabbitmq-16.x platform/manifests:renovate/ghcr.io-juanfont-headscale-0.x platform/manifests:mrtz/cilium-hel1-gateway platform/manifests:automated/npins-update-20260130 platform/manifests:vcluster platform/manifests:attic platform/manifests:nexus platform/manifests:diadash platform/manifests:mrtz/beta platform/manifests:simkir/codex platform/manifests:mrtz/nixidy platform/manifests:nixidy platform/manifests:otel-policy platform/manifests:spmsa platform/manifests:priv-redis platform/manifests:wip platform/manifests:dev
..
pull from: platform/manifests:mrtz/nixidy
Branches Tags
platform/manifests:main platform/manifests:renovate/kubernetes-ingress-1.x platform/manifests:renovate/jobset-0.x platform/manifests:renovate/registry.k8s.io-kueue-charts-kueue-0.x platform/manifests:renovate/spegel-0.x platform/manifests:renovate/rabbitmq-16.x platform/manifests:renovate/ghcr.io-juanfont-headscale-0.x platform/manifests:mrtz/cilium-hel1-gateway platform/manifests:automated/npins-update-20260130 platform/manifests:vcluster platform/manifests:attic platform/manifests:nexus platform/manifests:diadash platform/manifests:mrtz/beta platform/manifests:simkir/codex platform/manifests:mrtz/nixidy platform/manifests:nixidy platform/manifests:otel-policy platform/manifests:spmsa platform/manifests:priv-redis platform/manifests:wip platform/manifests:dev

1 Commits
main .. mrtz/nixidy

Author SHA1 Message Date
Moritz Jörg 9e1beb6895 Add more Nix Apps 
Rewrite of some of the Apps to Nix. Tried to convert
ApplicationSets to simple Applications with an ${env}
modifier.
 2025-02-21 17:47:45 +00:00
1095 changed files with 70739 additions and 65549 deletions
Expand all files Collapse all files
.envrc
+1 -16
View File
@@ -1,16 +1 @@
#!/usr/bin/env bash use nix
# the shebang is ignored, but nice for editors
watch_file npins/sources.json
# Load .env file if it exists
dotenv_if_exists
# Activate development shell
if type lorri &>/dev/null; then
echo "direnv: using lorri from PATH ($(type -p lorri))"
eval "$(lorri direnv)"
else
# fall back to using direnv's builtin nix support
# to prevent bootstrapping problems.
use nix
fi
.gitignore
+2 -3
View File
@@ -1,7 +1,6 @@
*.tgz *.tgz
_*/ _*/
.direnv/ .direnv/
.env
.pre-commit-config.yaml .pre-commit-config.yaml
_*.yaml _manifest.yaml
backup/ _resources.yaml
.gitlab-ci.yml
+46
View File
@@ -0,0 +1,46 @@
image:
name: alpine/helm:latest
entrypoint: [ "/bin/bash", "-c" ]
stages:
- release
release:
stage: release
rules:
- if: '$CI_COMMIT_BRANCH =~ /^main/'
when: always
- when: never
script:
- |
cd $CI_PROJECT_DIR
for i in $(git show --pretty="" --name-only | grep '^charts/.*/Chart.yaml' | cut -d/ -f2); do
pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
if [ ! -z $pack ]; then
chart=$(basename $pack)
curl --request POST \
--user gitlab-ci-token:$CI_JOB_TOKEN \
--form "chart=@${chart}" \
"${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
fi
done
rebuild:
stage: release
rules:
- when: manual
allow_failure: true
script:
- |
cd $CI_PROJECT_DIR
for i in $(find ./charts -maxdepth 2 -name Chart.yaml | cut -d/ -f3); do
pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
if [ ! -z $pack ]; then
chart=$(basename $pack)
curl --request POST \
--user gitlab-ci-token:$CI_JOB_TOKEN \
--form "chart=@${chart}" \
"${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
fi
done
README.md
-33
View File
@@ -1,33 +0,0 @@
# Manifests
> [!note]
> For CI/CD to push updates to this repo add your repo [here](https://gitlab.com/oceanbox/alpine-k8s/-/settings/ci_cd#js-token-access)
Manifest repo managed using [Helmfile](https://github.com/helmfile/helmfile).
Repository structure:
```bash
/
├── helmfile.d/ # Helmfiles, *.yaml.gotmpl
├── charts/ # Our own charts, e.g `Atlantis`
├── values # Values for helmfiles
│ ├── <chart>
│ │ ├── env.yaml.gotmpl # Values to be templated in `values/`
│ │ ├── kustomize # Kustomizations per environment
│ │ ├── manifests # Raw manifests
│ │ │ ├── <chart>.yaml # Argo App for bootstrap
│ │ │ ├── dashboards # Grafana dashboards
│ │ │ │ └── <chart>-metrics.yaml
│ │ │ └── policies # Cilium and Kyverno policies
│ │ │ ├── CiliumNetworkPolicy-allow-api-server.yaml
│ │ │ └── KyvernoPolicy-regred-secret.yaml
│ │ └── values # Values for each environment
│ │ ├── <chart>-staging.yaml.gotmpl # Values for staging environment
│ │ ├── <chart>-prod.yaml.gotmpl # Values for prod environment
│ │ └── <chart>.yaml.gotmpl # Standard values for all environments
│ │
│ ├── env.yaml # Standard values for all cluster
│ ├── env-oceanbox.yaml # Values overrides for oceanbox
│ ├── env-ekman.yaml # Values overrides for ekman
```
apps/archmeister.yaml
+47
View File
@@ -0,0 +1,47 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: archmeister
namespace: argocd
spec:
goTemplate: true
generators:
- list:
elements:
- cluster: https://kubernetes.default.svc
env: prod
hostname: archmeister.srv.oceanbox.io
autoSync: false
prune: true
# - cluster: https://staging-vcluster.staging-vcluster
# env: staging
# hostname: archmeister.beta.oceanbox.io
# autoSync: true
# prune: true
template:
metadata:
name: "{{ .env }}-archmeister"
spec:
project: atlantis
destination:
namespace: atlantis
server: "{{ .cluster }}"
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: values/archmeister
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: "{{ .env }}"
- name: hostname
string: "{{ .hostname }}"
templatePatch: |
{{- if .autoSync }}
spec:
syncPolicy:
automated:
prune: {{ .prune }}
selfHeal: false
{{- end }}
apps/atlantis-host-resources.yaml
+27
View File
@@ -0,0 +1,27 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: atlantis-cluster-resources
namespace: argocd
# annotations: # close, but no cigar
# argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
spec:
project: atlantis
destination:
server: https://kubernetes.default.svc
syncPolicy:
automated:
prune: false
selfHeal: false
# ignoreDifferences:
# - kind: Secret
# name: prod-rabbitmq
# jqPathExpressions:
# - '.data'
# - '.metadata.annotations.clone'
# - '.metadata.labels'
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: resources/atlantis
apps/atlantis-resources.yaml
+41
View File
@@ -0,0 +1,41 @@
# Currently not in use. Configured via the create-vcluster script.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: atlantis-resources
namespace: argocd
spec:
goTemplate: true
generators:
- list:
elements:
- cluster: https://kubernetes.default.svc
env: prod
autoSync: false
prune: false
# - cluster: https://staging-vcluster.staging-vcluster
# env: staging
# autoSync: false
# prune: false
template:
metadata:
name: "{{ .env }}-atlantis-resources"
spec:
project: aux
syncPolicy:
automated: {}
destination:
server: "{{ .cluster }}"
namespace: atlantis
sources: {}
# - repoURL: https://gitlab.com/oceanbox/manifests.git
# targetRevision: main
# path: 'resources/atlantis/manifests/{{ env }}'
templatePatch: |
{{- if .autoSync }}
spec:
syncPolicy:
automated:
prune: {{ .prune }}
selfHeal: false
{{- end }}
apps/atlantis.nix
+51
View File
@@ -0,0 +1,51 @@
{ lib, config, ... }:
let
cfg = config.apps.atlantis;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/atlantis;
extraValues = {};
};
kustomize = r:
if r.kind == "Deployment" then
lib.attrsets.recursiveUpdate r {
spec.template.spec.containers =
builtins.map (x:
x // {
livenessProbe.httpGet.path = "/healthz";
readinessProble.httpGet.path = "/healthz";
env = x.env ++ [ { name = "INERNAL_PORT"; value = 8000; } ];
}) r.spec.template.spec.containers;
}
else if r.kind == "Service" then
{}
else r;
in
{
options.apps.atlantis = lib.apps.appOptions {
revision = lib.mkOption {
type = lib.types.str;
default = "main";
description = "Revision";
};
hostname = lib.mkOption {
type = lib.types.str;
default = if env == "prod"
then "maps.oceanbox.io"
else "atlantis.beta.oceanbox.io";
description = "Revision";
};
};
config = lib.apps.appConfig cfg "${env}-atlantis" {
helm.releases."${env}-atlantis" = {
inherit values;
chart = ../charts/atlantis;
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
apps/atlantis.yaml
+47
View File
@@ -0,0 +1,47 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: atlantis
namespace: argocd
spec:
goTemplate: true
generators:
- list:
elements:
- cluster: https://kubernetes.default.svc
env: prod
hostname: atlantis.srv.oceanbox.io
autoSync: false
prune: true
# - cluster: https://staging-vcluster.staging-vcluster
# env: staging
# hostname: atlantis.beta.oceanbox.io
# autoSync: true
# prune: true
template:
metadata:
name: '{{ .env }}-atlantis'
spec:
project: atlantis
destination:
namespace: atlantis
server: '{{ .cluster }}'
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: values/atlantis
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: '{{ .env }}'
- name: hostname
string: '{{ .hostname }}'
templatePatch: |
{{- if .autoSync }}
spec:
syncPolicy:
automated:
prune: {{ .prune }}
selfHeal: false
{{- end }}
apps/busynix.yaml
+34
View File
@@ -0,0 +1,34 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: busynix
namespace: argocd
spec:
generators:
- list:
elements:
# - cluster: https://kubernetes.default.svc
# env: prod
# hostname: busynix.srv.oceanbox.io
- cluster: https://staging-vcluster.staging-vcluster
env: staging
hostname: busynix.beta.oceanbox.io
template:
metadata:
name: '{{ env }}-busynix'
spec:
project: aux
destination:
namespace: default
server: '{{ cluster }}'
source:
repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: values/busynix
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: '{{ env }}'
- name: hostname
string: '{{ hostname }}'
apps/cerbos.yaml
+32
View File
@@ -0,0 +1,32 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: cerbos
namespace: argocd
spec:
generators:
- list:
elements:
- cluster: https://kubernetes.default.svc
env: prod
- cluster: https://staging-vcluster.staging-vcluster
env: staging
template:
metadata:
name: '{{ env }}-cerbos'
spec:
project: aux
destination:
server: https://kubernetes.default.svc
namespace: idp
sources:
- repoURL: https://download.cerbos.dev/helm-charts
targetRevision: 0.33.0
chart: cerbos
helm:
valueFiles:
- $values/values/cerbos/values.yaml
- $values/values/cerbos/values-{{ env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
ref: values
apps/dapr.nix
+46
View File
@@ -0,0 +1,46 @@
{ lib, config, ... }:
let
cfg = config.apps.dapr;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
extraValues = {
global.ha.enabled = true;
};
};
in
{
options.apps.dapr = lib.apps.appOptions {
revision = lib.mkOption {
type = lib.types.str;
default = "1.14.4";
description = "Dapr chart version";
};
};
config = lib.apps.appConfig cfg "dapr" {
namespace = "argocd";
helm.releases.dapr = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://dapr.github.io/helm-charts/";
chart = "dapr";
version = cfg.revision;
};
};
annotations = {
"argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
};
resources = {
"argoproj.io".v1alpha1.Application.dapr.spec = {
destination = {
namespace = "dapr-system";
server = "https://kubernetes.default.svc";
};
project = "default";
};
};
};
}
apps/dapr.yaml
+33
View File
@@ -0,0 +1,33 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: dapr
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: dapr-system
server: https://kubernetes.default.svc
project: default
syncPolicy:
# managedNamespaceMetadata:
# labels:
# component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://dapr.github.io/helm-charts/
targetRevision: 1.14.4
chart: dapr
helm:
values: |
global:
ha:
enabled: true
apps/default.nix
+16
View File
@@ -0,0 +1,16 @@
{ ... }:
{
imports = [
./atlantis.nix
./dapr.nix
./dex.nix
./keycloak.nix
./loki.nix
./openfga.nix
./opentelemetry-collector.nix
./rabbitmq.nix
./redis.nix
./tempo.nix
./wordpress.nix
];
}
apps/dex.nix
+39
View File
@@ -0,0 +1,39 @@
{ lib, config, ... }:
let
cfg = config.apps.dex;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/dex;
extraValues = {};
};
in
{
options.apps.dex = lib.apps.appOptions {
enable = lib.mkEnableOption "Dex";
revision = lib.mkOption {
type = lib.types.str;
default = "0.16.0";
description = "Dex chart version";
};
hostname = lib.mkOption {
type = lib.types.str;
description = "Dex hostname";
default = "idp.${env}.oceanbox.io";
};
};
config = lib.apps.appConfig cfg "${env}-dex" {
namespace = "idp";
helm.releases.dex = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://charts.dexidp.io";
chart = "dex";
version = cfg.revision;
chartHash = "";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
apps/dex.yaml
+15
View File
@@ -0,0 +1,15 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: dex
namespace: argocd
spec:
project: aux
destination:
server: https://kubernetes.default.svc
namespace: idp
source:
repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/dex/manifests
apps/geoserver.yaml
+38
View File
@@ -0,0 +1,38 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: geoserver
namespace: argocd
spec:
generators:
- list:
elements:
- cluster: https://kubernetes.default.svc
env: prod
hostname: geoserver.srv.oceanbox.io
# - cluster: https://kubernetes.default.svc
# env: staging
# hostname: geoserver.beta.oceanbox.io
template:
metadata:
name: '{{ env }}-geoserver'
spec:
project: aux
destination:
server: https://kubernetes.default.svc
namespace: geoserver
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: values/geoserver
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: '{{ env }}'
- name: hostname
string: geoserver.srv.oceanbox.io
- name: flags
string: "--skip-tests"
- name: chart
string: ncsa/geoserver
apps/hipster.yaml
+47
View File
@@ -0,0 +1,47 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: hipster
namespace: argocd
spec:
goTemplate: true
generators:
- list:
elements:
- cluster: https://kubernetes.default.svc
env: prod
hostname: hipster.srv.oceanbox.io
autoSync: false
prune: true
# - cluster: https://staging-vcluster.staging-vcluster
# env: staging
# hostname: hipster.beta.oceanbox.io
# autoSync: true
# prune: true
template:
metadata:
name: '{{ .env }}-hipster'
spec:
project: atlantis
destination:
namespace: atlantis
server: '{{ .cluster }}'
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: values/hipster
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: '{{ .env }}'
- name: hostname
string: '{{ .hostname }}'
templatePatch: |
{{- if .autoSync }}
spec:
syncPolicy:
automated:
prune: {{ .prune }}
selfHeal: false
{{- end }}
apps/jaeger.yaml
+22
View File
@@ -0,0 +1,22 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: jaeger
namespace: argocd
spec:
project: atlantis
destination:
server: https://kubernetes.default.svc
namespace: jaeger
sources:
- repoURL: https://jaegertracing.github.io/helm-charts
targetRevision: 2.54.0
chart: jaeger-operator
helm:
valueFiles:
- $values/values/jaeger/values.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
# path: values/jaeger/manifests
ref: values
apps/keycloak.nix
+34
View File
@@ -0,0 +1,34 @@
{ lib, config, ... }:
let
cfg = config.apps.keycloak;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/keycloak;
extraValues = {};
};
in
{
options.apps.keycloak = lib.apps.appOptions {
enable = lib.mkEnableOption "Keycloak";
revision = lib.mkOption {
type = lib.types.str;
default = "24.0.2";
description = "Keycloak chart version";
};
};
config = lib.apps.appConfig cfg "keycloak" {
namespace = "idp";
helm.releases.keycloak = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://charts.bitnami.com/bitnami";
chart = "keycloak";
version = cfg.revision;
chartHash = "";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
apps/keycloak.yaml
+21
View File
@@ -0,0 +1,21 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: keycloak
namespace: argocd
spec:
project: aux
destination:
server: https://kubernetes.default.svc
namespace: idp
sources:
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 24.0.2
chart: keycloak
helm:
valueFiles:
- $values/values/keycloak/values.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
apps/loki.nix
+249
View File
@@ -0,0 +1,249 @@
{ lib, config, ... }:
let
cfg = config.apps.loki;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
extraValues = {
loki = {
auth_enabled = false;
storage = {
bucketNames = {
chunks = cfg.buckets.chunks;
ruler = cfg.buckets.ruler;
admin = cfg.buckets.admin;
};
s3 =
{
endpoint = cfg.s3.endpoint;
region = cfg.s3.region;
secretAccessKey = "\${S3SECRET}";
accessKeyId = "\${S3KEY}";
s3ForcePathStyle = true;
}
// lib.optionalAttrs cfg.s3.insecureSkipVerify {
http_config.insecure_skip_verify = true;
};
};
schemaConfig.configs = [
{
from = "2024-04-01";
index.period = "24h";
index.prefix = "loki_index_";
object_store = "s3";
schema = "v13";
store = "tsdb";
}
];
compactor = {
compaction_interval = "10m";
working_directory = "/tmp/loki/compactor";
retention_enabled = true;
retention_delete_delay = "2h";
retention_delete_worker_count = 150;
delete_request_store = "s3";
};
limits_config.retention_period = "744h";
};
write = {
extraArgs = [ "-config.expand-env=true" ];
extraEnv = [
{
name = "S3KEY";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.accessKey;
};
}
{
name = "S3SECRET";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.secretKey;
};
}
];
tolerations = [
{
effect = "NoSchedule";
operator = "Equal";
key = "unschedulable";
value = "true";
}
];
};
read = {
extraArgs = [ "-config.expand-env=true" ];
extraEnv = [
{
name = "S3KEY";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.accessKey;
};
}
{
name = "S3SECRET";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.secretKey;
};
}
];
tolerations = [
{
effect = "NoSchedule";
operator = "Equal";
key = "unschedulable";
value = "true";
}
];
};
ingress = {
enabled = true;
ingressClassName = "nginx";
annotations = {
"cert-manager.io/cluster-issuer" = "letsencrypt-staging";
"nginx.ingress.kubernetes.io/ssl-redirect" = "true";
"atlantis.oceanbox.io/expose" = "internal";
};
hosts = [ "loki.adm.oceanbox.io" ];
tls = [{
hosts = [ "loki.adm.oceanbox.io" ];
secretName = "loki-distributed-tls";
}];
};
compactor = {
extraArgs = [ "-config.expand-env=true" ];
extraEnv = [
{
name = "S3KEY";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.accessKey;
};
}
{
name = "S3SECRET";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.secretKey;
};
}
];
};
backend = {
extraArgs = [ "-config.expand-env=true" ];
extraEnv = [
{
name = "S3KEY";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.accessKey;
};
}
{
name = "S3SECRET";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.secretKey;
};
}
];
};
};
};
in
{
options.apps.loki = lib.apps.appOptions {
revision = lib.mkOption {
type = lib.types.str;
default = "6.12.0";
description = "Loki chart version";
};
buckets = {
chunks = lib.mkOption {
type = lib.types.str;
default = "loki-chunks";
description = "S3 bucket for chunks";
};
ruler = lib.mkOption {
type = lib.types.str;
default = "loki-chunks";
description = "S3 bucket for ruler";
};
admin = lib.mkOption {
type = lib.types.str;
default = "loki-chunks";
description = "S3 bucket for admin";
};
};
s3 = {
endpoint = lib.mkOption {
type = lib.types.str;
default = "http://10.255.241.30:30080";
description = "S3 endpoint";
};
region = lib.mkOption {
type = lib.types.str;
default = "tos";
description = "S3 region";
};
insecureSkipVerify = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Skip TLS verification";
};
};
secret = {
name = lib.mkOption {
type = lib.types.str;
default = "loki-s3";
description = "Name of the S3 credentials secret";
};
accessKey = lib.mkOption {
type = lib.types.str;
default = "AWS_ACCESS_KEY_ID";
description = "Access key field in secret";
};
secretKey = lib.mkOption {
type = lib.types.str;
default = "AWS_ACCESS_KEY_SECRET";
description = "Secret key field in secret";
};
};
};
config = lib.apps.appConfig cfg "loki" {
namespace = "argocd";
helm.releases.loki = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://grafana.github.io/helm-charts";
chart = "loki";
version = cfg.revision;
chartHash = "sha256-YUtEIUiQWRzlttfOOgDk1xfTaiAZ12tIgpGr1QcMpro=";
};
};
annotations = {
"argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
};
# TODO: Add network policies as a second source or integrate them into `resources`.
resources = {
"argoproj.io".v1alpha1.Application.loki.spec.ignoreDifferences = [
{
group = "apps";
kind = "StatefulSet";
jsonPointers = [ "/spec/persistentVolumeClaimRetentionPolicy" ];
}
];
};
};
}
apps/loki.yaml
+150
View File
@@ -0,0 +1,150 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: loki
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: loki
server: 'https://kubernetes.default.svc'
project: aux
ignoreDifferences:
- group: apps
kind: StatefulSet
jsonPointers:
- /spec/persistentVolumeClaimRetentionPolicy
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://gitlab.com/serit/k8s/serit-platform-manifests.git
path: network-policies/netpol-loki
targetRevision: HEAD
- repoURL: 'https://grafana.github.io/helm-charts'
targetRevision: 6.12.0
chart: loki
helm:
values: |
loki:
auth_enabled: false
storage:
bucketNames:
chunks: loki-chunks
ruler: loki-chunks
admin: loki-chunks
s3:
endpoint: http://10.255.241.30:30080
region: tos
accessKeyId: ${S3KEY}
secretAccessKey: ${S3SECRET}
s3ForcePathStyle: true
http_config:
insecure_skip_verify: true
schemaConfig:
configs:
- from: "2024-04-01"
index:
period: 24h
prefix: loki_index_
object_store: s3
schema: v13
store: tsdb
compactor:
compaction_interval: 10m
working_directory: /tmp/loki/compactor
retention_enabled: true
retention_delete_delay: 2h
retention_delete_worker_count: 150
delete_request_store: s3
limits_config:
retention_period: 744h
write:
extraArgs:
- -config.expand-env=true
extraEnv:
- name: S3KEY
valueFrom:
secretKeyRef:
name: loki-s3
key: AWS_ACCESS_KEY_ID
- name: S3SECRET
valueFrom:
secretKeyRef:
name: loki-s3
key: AWS_ACCESS_KEY_SECRET
tolerations:
- effect: "NoSchedule"
operator: "Equal"
key: "unschedulable"
value: "true"
read:
extraArgs:
- -config.expand-env=true
extraEnv:
- name: S3KEY
valueFrom:
secretKeyRef:
name: loki-s3
key: AWS_ACCESS_KEY_ID
- name: S3SECRET
valueFrom:
secretKeyRef:
name: loki-s3
key: AWS_ACCESS_KEY_SECRET
tolerations:
- effect: "NoSchedule"
operator: "Equal"
key: "unschedulable"
value: "true"
ingress:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/ssl-redirect: "true"
atlantis.oceanbox.io/expose: internal
hosts:
- loki.adm.oceanbox.io
tls:
- hosts:
- loki.adm.oceanbox.io
secretName: loki-distributed-tls
compactor:
extraArgs:
- -config.expand-env=true
extraEnv:
- name: S3KEY
valueFrom:
secretKeyRef:
name: loki-s3
key: AWS_ACCESS_KEY_ID
- name: S3SECRET
valueFrom:
secretKeyRef:
name: loki-s3
key: AWS_ACCESS_KEY_SECRET
backend:
extraArgs:
- -config.expand-env=true
extraEnv:
- name: S3KEY
valueFrom:
secretKeyRef:
name: loki-s3
key: AWS_ACCESS_KEY_ID
- name: S3SECRET
valueFrom:
secretKeyRef:
name: loki-s3
key: AWS_ACCESS_KEY_SECRET
apps/openfga.nix
+39
View File
@@ -0,0 +1,39 @@
{ lib, config, ... }:
let
cfg = config.apps.openfga;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/openfga;
extraValues = {};
};
kustomize = r:
if r.kind == "Job" then
lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; }
else r;
in
{
options.apps.openfga = lib.apps.appOptions {};
config = lib.apps.appConfig cfg "${env}-openfga" {
helm.releases."${env}-openfga" = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://openfga.github.io/helm-charts";
chart = "openfga";
version = "0.2.12";
chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
annotations = {};
resources = {
services.poop.spec = {
};
};
};
}
apps/opentelemetry-collector.nix
+117
View File
@@ -0,0 +1,117 @@
{ lib, config, ... }:
let
cfg = config.apps.opentelemetry-collector;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
extraValues = {
mode = "deployment";
image = {
repository = "otel/opentelemetry-collector-k8s";
};
service = {
type = "LoadBalancer";
loadBalancerIP = "10.255.241.12";
};
config = {
receivers = {
"prometheus/collector" = {
config.scrape_configs = [{
job_name = "opentelemetry-collector";
static_configs = [{
targets = [ "\${env:MY_POD_IP}:8888" ];
}];
}];
};
zipkin.endpoint = "\${env:MY_POD_IP}:9411";
};
exporters = {
otlp = {
endpoint = "tempo.tempo.svc:4317";
tls.insecure = true;
};
"otlphttp/metrics" = {
endpoint = "http://prom-prometheus.prometheus:9090/api/v1/otlp";
tls.insecure = true;
};
"otlphttp/logs" = {
endpoint = "http://loki-write-headless.loki:3100/otlp";
tls.insecure = true;
};
"debug/metrics".verbosity = "detailed";
"debug/traces".verbosity = "detailed";
"debug/logs".verbosity = "detailed";
};
service = {
telemetry.logs.level = "info";
pipelines = {
traces = {
receivers = [ "otlp" "zipkin" ];
processors = [ "batch" ];
exporters = [ "otlp" ];
};
metrics = {
receivers = [ "otlp" "prometheus/collector" ];
processors = [ "batch" ];
exporters = [ "otlphttp/metrics" ];
};
logs = {
receivers = [ "otlp" ];
processors = [ "batch" ];
exporters = [ "otlphttp/logs" ];
};
};
};
};
ports.metrics.enabled = true;
ingress = {
enabled = false;
annotations = {
"cert-manager.io/cluster-issuer" = "letsencrypt-production";
"nginx.ingress.kubernetes.io/ssl-redirect" = "true";
"atlantis.oceanbox.io/expose" = "internal";
};
ingressClassName = "nginx";
hosts = [{
host = "opentelemetry-collector.adm.oceanbox.io";
paths = [{
path = "/";
pathType = "Prefix";
port = 4318;
}];
}];
tls = [{
secretName = "collector-tls";
hosts = [ "opentelemetry-collector.adm.oceanbox.io" ];
}];
};
};
};
in
{
options.apps.opentelemetry-collector = lib.apps.appOptions {
revision = lib.mkOption {
type = lib.types.str;
default = "0.107.0";
description = "OpenTelemetry Collector chart version";
};
};
config = lib.apps.appConfig cfg "opentelemetry-collector" {
namespace = "argocd";
helm.releases.opentelemetry-collector = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://open-telemetry.github.io/opentelemetry-helm-charts";
chart = "opentelemetry-collector";
version = cfg.revision;
chartHash = "sha256-0000000000000000000000000000000000000000000000"; # TODO: Add correct hash
};
};
annotations = {
"argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
};
};
}
apps/opentelemetry-collector.yaml
+109
View File
@@ -0,0 +1,109 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: opentelemetry-collector
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: otel
server: 'https://kubernetes.default.svc'
project: aux
syncPolicy:
# managedNamespaceMetadata:
# labels:
# component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: 'https://open-telemetry.github.io/opentelemetry-helm-charts'
targetRevision: 0.107.0
chart: opentelemetry-collector
helm:
values: |
mode: deployment
image:
repository: otel/opentelemetry-collector-k8s
service:
type: LoadBalancer
loadBalancerIP: 10.255.241.12
config:
receivers:
prometheus/collector:
config:
scrape_configs:
- job_name: 'opentelemetry-collector'
static_configs:
- targets:
- ${env:MY_POD_IP}:8888
zipkin:
endpoint: ${env:MY_POD_IP}:9411
exporters:
otlp:
endpoint: "tempo.tempo.svc:4317"
tls:
insecure: true
otlphttp/metrics:
endpoint: http://prom-prometheus.prometheus:9090/api/v1/otlp
tls:
insecure: true
otlphttp/logs:
endpoint: http://loki-write-headless.loki:3100/otlp
tls:
insecure: true
debug/metrics:
verbosity: detailed
debug/traces:
verbosity: detailed
debug/logs:
verbosity: detailed
service:
telemetry:
logs:
level: "info"
pipelines:
traces:
receivers: [otlp,zipkin]
processors: [batch]
exporters: [otlp]
# exporters: [otlphttp/traces,debug/traces]
metrics:
receivers: [otlp,prometheus/collector]
processors: [batch]
exporters: [otlphttp/metrics]
# exporters: [otlphttp/metrics,debug/metrics]
logs:
receivers: [otlp]
processors: [batch]
exporters: [otlphttp/logs]
# exporters: [otlphttp/logs,debug/logs]
ports:
metrics:
enabled: true
# presets:
# logsCollection:
# enabled: true
ingress:
enabled: false
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/ssl-redirect: "true"
atlantis.oceanbox.io/expose: internal
ingressClassName: nginx
hosts:
- host: opentelemetry-collector.adm.oceanbox.io
paths:
- path: /
pathType: Prefix
port: 4318
tls:
- secretName: collector-tls
hosts:
- opentelemetry-collector.adm.oceanbox.io
apps/osm-tile-server.yaml
+34
View File
@@ -0,0 +1,34 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: osm-tile-server
namespace: argocd
spec:
generators:
- list:
elements:
- cluster: https://kubernetes.default.svc
env: prod
hostname: osm.srv.oceanbox.io
- cluster: https://staging-vcluster.staging-vcluster
env: staging
hostname: osm.beta.oceanbox.io
template:
metadata:
name: '{{ env }}-osm-tile-server'
spec:
project: aux
destination:
namespace: oceanbox
server: '{{ cluster }}'
source:
repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: HEAD
path: values/osm-tile-server
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: '{{ env }}'
- name: hostname
string: '{{ hostname }}'
apps/petimeter.yaml
+50
View File
@@ -0,0 +1,50 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: petimeter
namespace: argocd
spec:
goTemplate: true
generators:
- list:
elements:
- cluster: https://kubernetes.default.svc
env: prod
hostname: petimeter.srv.oceanbox.io
autoSync: false
prune: true
# - cluster: https://staging-vcluster.staging-vcluster
# env: staging
# hostname: petimeter.beta.oceanbox.io
# autoSync: true
# prune: true
template:
metadata:
name: '{{ .env }}-petimeter'
spec:
project: atlantis
destination:
namespace: atlantis
server: '{{ .cluster }}'
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: values/petimeter
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: '{{ .env }}'
- name: hostname
string: '{{ .hostname }}'
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: values/petimeter/manifests
templatePatch: |
{{- if .autoSync }}
spec:
syncPolicy:
automated:
prune: {{ .prune }}
selfHeal: false
{{- end }}
apps/prod-atlantis.yaml
+66
View File
@@ -0,0 +1,66 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-atlantis
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: prod-atlantis
server: https://kubernetes.default.svc
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/atlantis
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: prod
- name: hostname
string: maps.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/atlantis/prod/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-replication
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-ca
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# automated:
# prune: true
# selfHeal: false
values/keycloak/manifests/keycloak.yaml → apps/prod-keycloak.yaml
+19 -21
View File
@@ -1,31 +1,17 @@
{{- if .Values.clusterConfig.argo.enabled }}
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: {{ .Values.keycloak.env }}-keycloak name: prod-keycloak
namespace: argocd namespace: argocd
annotations: annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers: finalizers:
- resources-finalizer.argocd.argoproj.io - resources-finalizer.argocd.argoproj.io
spec: spec:
destination:
namespace: keycloak
server: https://kubernetes.default.svc
project: aux project: aux
sources: destination:
- repoURL: {{ .Values.clusterConfig.manifests }} server: https://kubernetes.default.svc
targetRevision: HEAD namespace: keycloak
path: helmfile.d
plugin:
name: helmfile-cmp
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterConfig.cluster }}
- name: HELMFILE_ENVIRONMENT
value: {{ .Values.keycloak.env }}
- name: HELMFILE_FILE_PATH
value: keycloak.yaml.gotmpl
syncPolicy: syncPolicy:
managedNamespaceMetadata: managedNamespaceMetadata:
labels: labels:
@@ -33,8 +19,20 @@ spec:
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true
- ApplyOutOfSyncOnly=true - ApplyOutOfSyncOnly=true
{{- if .Values.keycloak.autosync }}
automated: automated:
prune: true prune: true
{{- end }} selfHeal: true
{{- end }} sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/keycloak/prod
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 24.0.2
chart: keycloak
helm:
valueFiles:
- $values/values/keycloak/values-prod.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
apps/prod-openfga.yaml
+39
View File
@@ -0,0 +1,39 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-openfga
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: openfga
server: https://kubernetes.default.svc
project: aux
# ignoreDifferences:
# - group: apps
# kind: StatefulSet
# jsonPointers:
# - /spec/persistentVolumeClaimRetentionPolicy
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://openfga.github.io/helm-charts
targetRevision: 0.2.19
chart: openfga
helm:
valueFiles:
- $values/values/openfga/values-prod.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
apps/prod-sorcerer.yaml
+54
View File
@@ -0,0 +1,54 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-sorcerer
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: prod-sorcerer
server: https://10.255.241.99:4443
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/sorcerer
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: prod
- name: hostname
string: sorcerer.data.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/sorcerer/prod/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# automated:
# prune: true
# selfHeal: false
apps/rabbitmq.nix
+39
View File
@@ -0,0 +1,39 @@
{ lib, config, ... }:
let
cfg = config.apps.rabbitmq;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/rabbitmq;
extraValues = {};
};
in
{
options.apps.rabbitmq = lib.apps.appOptions {
enable = lib.mkEnableOption "RabbitMQ";
revision = lib.mkOption {
type = lib.types.str;
default = "12.9.0";
description = "RabbitMQ chart version";
};
hostname = lib.mkOption {
type = lib.types.str;
description = "RabbitMQ hostname";
default = "rabbitmq.${env}.oceanbox.io";
};
};
config = lib.apps.appConfig cfg "${env}-rabbitmq" {
namespace = "rabbitmq";
helm.releases.rabbitmq = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://charts.bitnami.com/bitnami";
chart = "rabbitmq";
version = cfg.revision;
chartHash = "";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
apps/rabbitmq.yaml
+34
View File
@@ -0,0 +1,34 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: rabbitmq
namespace: argocd
spec:
generators:
- list:
elements:
- cluster: https://kubernetes.default.svc
env: prod
hostname: rabbitmq.srv.oceanbox.io
- cluster: https://kubernetes.default.svc
env: staging
hostname: rabbitmq.beta.oceanbox.io
template:
metadata:
name: '{{ env }}-rabbitmq'
spec:
project: aux
destination:
server: https://kubernetes.default.svc
namespace: rabbitmq
sources:
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 12.9.0
chart: rabbitmq
helm:
valueFiles:
- $values/values/rabbitmq/values-{{ env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: values/rabbitmq/{{ env }}
ref: values
apps/redis.nix
+34
View File
@@ -0,0 +1,34 @@
{ lib, config, ... }:
let
cfg = config.apps.redis;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/redis;
extraValues = {};
};
in
{
options.apps.redis = lib.apps.appOptions {
enable = lib.mkEnableOption "Redis";
revision = lib.mkOption {
type = lib.types.str;
default = "19.5.2";
description = "Redis chart version";
};
};
config = lib.apps.appConfig cfg "${env}-redis" {
namespace = "redis";
helm.releases.redis = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://charts.bitnami.com/bitnami";
chart = "redis";
version = cfg.revision;
chartHash = "";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
apps/redis.yaml
+39
View File
@@ -0,0 +1,39 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: redis
namespace: argocd
spec:
generators:
- list:
elements:
- cluster: https://kubernetes.default.svc
env: prod
- cluster: https://kubernetes.default.svc
env: staging
template:
metadata:
name: '{{ env }}-redis'
spec:
project: aux
destination:
server: https://kubernetes.default.svc
namespace: redis
sources:
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 19.5.2
chart: redis
helm:
valueFiles:
- $values/values/redis/values-{{ env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: HEAD
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: values/redis/{{ env }}
ignoreDifferences:
- group: apps
kind: StatefulSet
jqPathExpressions:
- '.spec.template.spec.containers[].resources.limits.cpu'
apps/seq.yaml
+20
View File
@@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: seq
namespace: argocd
spec:
project: aux
destination:
server: https://kubernetes.default.svc
namespace: seq
sources:
- repoURL: https://helm.datalust.co
targetRevision: 2024.1.0
chart: seq
helm:
valueFiles:
- $values/values/seq/values.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
ref: values
apps/sorcerer.yaml
+47
View File
@@ -0,0 +1,47 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: sorcerer
namespace: argocd
spec:
goTemplate: true
generators:
- list:
elements:
- cluster: https://10.255.241.99:4443
env: prod
hostname: sorcerer.data.oceanbox.io
autoSync: false
prune: true
# - cluster: https://10.255.241.99:4443
# env: staging
# hostname: sorcerer.ekman.oceanbox.io
# autoSync: true
# prune: true
template:
metadata:
name: '{{ .env }}-sorcerer'
spec:
project: atlantis
destination:
namespace: sorcerer
server: '{{ .cluster }}'
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: values/sorcerer
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: '{{ .env }}'
- name: hostname
string: '{{ .hostname }}'
templatePatch: |
{{- if .autoSync }}
spec:
syncPolicy:
automated:
prune: {{ .prune }}
selfHeal: false
{{- end }}
apps/staging-atlantis.yaml
+66
View File
@@ -0,0 +1,66 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: staging-atlantis
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: staging-atlantis
server: https://kubernetes.default.svc
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/atlantis
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: staging
- name: hostname
string: atlantis.beta.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/atlantis/staging/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: staging-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-replication
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-ca
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: false
apps/staging-openfga.yaml
+39
View File
@@ -0,0 +1,39 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: staging-openfga
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: openfga
server: https://kubernetes.default.svc
project: aux
# ignoreDifferences:
# - group: apps
# kind: StatefulSet
# jsonPointers:
# - /spec/persistentVolumeClaimRetentionPolicy
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://openfga.github.io/helm-charts
targetRevision: 0.2.19
chart: openfga
helm:
valueFiles:
- $values/values/openfga/values-staging.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
apps/staging-sorcerer.yaml
+54
View File
@@ -0,0 +1,54 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: staging-sorcerer
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: staging-sorcerer
server: https://10.255.241.99:4443
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/sorcerer
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: staging
- name: hostname
string: sorcerer.ekman.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/sorcerer/staging/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# automated:
# prune: true
# selfHeal: false
apps/tempo.nix
+124
View File
@@ -0,0 +1,124 @@
{ lib, config, ... }:
let
cfg = config.apps.tempo;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
extraValues = {
tempo = {
storage = {
trace = {
backend = "s3";
s3 = {
bucket = cfg.s3.bucket;
endpoint = cfg.s3.endpoint;
access_key = "\${S3SECRET}";
secret_key = "\${S3KEY}";
insecure = true;
};
local = {
path = "/var/tempo/traces";
};
wal = {
path = "/var/tempo/wal";
};
};
};
metricsGenerator = {
enabled = true;
remoteWriteUrl = "http://prom-prometheus.prometheus:9090/api/v1/write";
};
extraEnv = [
{
name = "S3KEY";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.accessKey;
};
}
{
name = "S3SECRET";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.secretKey;
};
}
];
};
tempoQuery = {
ingress = {
enabled = true;
ingressClassName = "nginx";
annotations = {
"cert-manager.io/cluster-issuer" = "letsencrypt-staging";
"nginx.ingress.kubernetes.io/ssl-redirect" = "true";
"atlantis.oceanbox.io/expose" = "internal";
};
path = "/";
pathType = "Prefix";
hosts = [ "query.tempo.adm.oceanbox.io" ];
tls = [{
secretName = "tempo-query-tls";
hosts = [ "query.tempo.adm.oceanbox.io" ];
}];
};
};
};
};
in
{
options.apps.tempo = lib.apps.appOptions {
revision = lib.mkOption {
type = lib.types.str;
default = "1.10.3";
description = "Tempo chart version";
};
s3 = {
bucket = lib.mkOption {
type = lib.types.str;
default = "tempo-traces";
description = "S3 bucket for traces";
};
endpoint = lib.mkOption {
type = lib.types.str;
default = "http://10.255.241.30:30080";
description = "S3 endpoint";
};
};
secret = {
name = lib.mkOption {
type = lib.types.str;
default = "tempo-s3";
description = "Name of the S3 credentials secret";
};
accessKey = lib.mkOption {
type = lib.types.str;
default = "AWS_ACCESS_KEY_ID";
description = "Access key field in secret";
};
secretKey = lib.mkOption {
type = lib.types.str;
default = "AWS_ACCESS_KEY_SECRET";
description = "Secret key field in secret";
};
};
};
config = lib.apps.appConfig cfg "tempo" {
namespace = "argocd";
helm.releases.tempo = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://grafana.github.io/helm-charts";
chart = "tempo";
version = cfg.revision;
};
};
annotations = {
"argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
};
};
}
apps/tempo.yaml
+76
View File
@@ -0,0 +1,76 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: tempo
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: tempo
server: 'https://kubernetes.default.svc'
project: aux
syncPolicy:
# managedNamespaceMetadata:
# labels:
# component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: 'https://grafana.github.io/helm-charts'
targetRevision: 1.10.3
chart: tempo
helm:
values: |
tempo:
storage:
trace:
backend: s3
s3:
bucket: tempo-traces
endpoint: 10.255.241.30:30080
access_key: ${S3KEY}
secret_key: ${S3SECRET}
forcepathstyle: true
insecure: true
local:
path: /var/tempo/traces
wal:
path: /var/tempo/wal
metricsGenerator:
enabled: true
remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
extraArgs: { config.expand-env=true }
extraEnv:
- name: S3KEY
valueFrom:
secretKeyRef:
name: tempo-s3
key: AWS_ACCESS_KEY_ID
- name: S3SECRET
valueFrom:
secretKeyRef:
name: tempo-s3
key: AWS_ACCESS_KEY_SECRET
tempoQuery:
ingress:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/ssl-redirect: "true"
atlantis.oceanbox.io/expose: internal
path: /
pathType: Prefix
hosts:
- query.tempo.adm.oceanbox.io
tls:
- secretName: tempo-query-tls
hosts:
- query.tempo.adm.oceanbox.io
apps/wordpress.nix
+39
View File
@@ -0,0 +1,39 @@
{ lib, config, ... }:
let
cfg = config.apps.wordpress;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/wordpress;
extraValues = {};
};
in
{
options.apps.wordpress = lib.apps.appOptions {
enable = lib.mkEnableOption "WordPress";
revision = lib.mkOption {
type = lib.types.str;
default = "19.2.2";
description = "WordPress chart version";
};
hostname = lib.mkOption {
type = lib.types.str;
description = "WordPress hostname";
default = "www.${env}.oceanbox.io";
};
};
config = lib.apps.appConfig cfg "www-oceanbox" {
namespace = "www-oceanbox";
helm.releases.wordpress = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://charts.bitnami.com/bitnami";
chart = "wordpress";
version = cfg.revision;
chartHash = "";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
apps/wordpress.yaml
+20
View File
@@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: www-oceanbox
namespace: argocd
spec:
project: default
destination:
server: https://kubernetes.default.svc
namespace: www-oceanbox
sources:
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 19.2.2
chart: wordpress
helm:
valueFiles:
- $values/wordpress/values.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: HEAD
ref: values
apps/yolo-dl.yaml
+14
View File
@@ -0,0 +1,14 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: yolo-dl
namespace: argocd
spec:
project: aux
destination:
server: https://10.255.241.99:4443
namespace: oceanbox
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: charts/yolo-dl
bootstrap/cluster-ekman.yaml → argocd/ekman.yaml
+4 -2
View File
@@ -1,12 +1,14 @@
apiVersion: v1 apiVersion: v1
stringData: stringData:
config: '{"bearerToken":"@token@","tlsClientConfig":{"insecure":true}}' config: |
{"bearerToken":"","tlsClientConfig":{"insecure":true}}
name: ekman name: ekman
server: https://10.255.241.99:4443 server: https://10.255.241.99:4443
kind: Secret kind: Secret
metadata: metadata:
labels: labels:
argocd.argoproj.io/secret-type: cluster argocd.argoproj.io/secret-type: cluster
name: cluster-ekman name: cluster-10.255.241.99-4046803085
namespace: argocd namespace: argocd
type: Opaque type: Opaque
bootstrap/helm-kustomize-cmp/.gitignore → argocd/kustomize-helm-with-rewrite/.gitignore
View File
bootstrap/helm-kustomize-cmp/Dockerfile → argocd/kustomize-helm-with-rewrite/Dockerfile
View File
argocd/kustomize-helm-with-rewrite/deploy.sh
+7
View File
@@ -0,0 +1,7 @@
#!/bin/sh
img=registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite
tag=${1:-latest}
docker build -t $img:$tag .
docker push $img:$tag
argocd/kustomize-helm-with-rewrite/generate.sh
+35
View File
@@ -0,0 +1,35 @@
#!/bin/sh
export HOME=/helm-working-dir
env > /tmp/$ARGOCD_APP_NAME.env
echo "$ARGOCD_APP_PARAMETERS" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
cp parameters.yaml /tmp/$ARGOCD_APP_NAME-parameters.yaml
if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
CHART=$PARAM_CHART
elif [ -d chart ]; then
CHART=chart
elif [ -f chart ]; then
CHART=$(cat chart)
else
CHART="."
fi
[ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
[ -f values-chart.yaml ] && VALUES="$VALUES -f values-chart.yaml"
[ -f values.yaml ] && VALUES="$VALUES -f values.yaml"
[ -f values-$PARAM_ENV.yaml ] && VALUES="$VALUES -f values-$PARAM_ENV.yaml"
VALUES="$VALUES -f parameters.yaml"
mkdir -p base
echo "helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART" > /tmp/$ARGOCD_APP_NAME-helm.sh
helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART > ./base/_manifest.yaml
sed -i "$PARAM_REWRITE" ./base/_manifest.yaml
cp ./base/_manifest.yaml /tmp/$ARGOCD_APP_NAME-manifest.yaml
[ -d "$PARAM_ENV" ] && kubectl kustomize $PARAM_ENV > /tmp/$ARGOCD_APP_NAME-manifest.yaml
cat /tmp/$ARGOCD_APP_NAME-manifest.yaml
bootstrap/helm-kustomize-cmp/get-values.sh → argocd/kustomize-helm-with-rewrite/get-values.sh
+1 -1
View File
@@ -18,7 +18,7 @@ EOF
exit 0 exit 0
fi fi
yq e -o=p "${VALUES}" | jq --slurp --raw-input ' yq e -o=p $VALUES | jq --slurp --raw-input '
[{ [{
name: "helm-parameters", name: "helm-parameters",
title: "Helm Parameters", title: "Helm Parameters",
bootstrap/helm-kustomize-cmp/init-helm-repos.sh → argocd/kustomize-helm-with-rewrite/init-helm-repos.sh
+2 -3
View File
@@ -1,9 +1,8 @@
#!/bin/sh #!/bin/sh
# shellcheck disable=SC2154
export HOME=/plugin export HOME=/helm-working-dir
helm repo add --username argocd-helm --password "${OCEANBOX_HELM_ACCESS_TOKEN}" oceanbox \ helm repo add --username argocd-helm --password "$OCEANBOX_HELM_ACCESS_TOKEN" oceanbox \
https://gitlab.com/api/v4/projects/54396343/packages/helm/stable https://gitlab.com/api/v4/projects/54396343/packages/helm/stable
helm repo add bitnami https://charts.bitnami.com/bitnami helm repo add bitnami https://charts.bitnami.com/bitnami
argocd/kustomize-helm-with-rewrite/init.sh
+12
View File
@@ -0,0 +1,12 @@
#!/bin/sh
export HOME=/helm-working-dir
helm repo update oceanbox
if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
helm show values $PARAM_CHART > values-chart.yaml
elif [ -f chart ]; then
CHART=$(cat chart)
helm show values $CHART > values-chart.yaml
fi
bootstrap/helm-kustomize-cmp/plugin.yaml → argocd/kustomize-helm-with-rewrite/plugin.yaml
+34 -26
View File
@@ -1,7 +1,7 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: ConfigManagementPlugin kind: ConfigManagementPlugin
metadata: metadata:
name: helm-kustomize-cmp name: kustomize-helm-with-rewrite
spec: spec:
# version: v1.2 # version: v1.2
# The init command runs in the Application source directory at the beginning of each manifest generation. The init # The init command runs in the Application source directory at the beginning of each manifest generation. The init
@@ -9,7 +9,7 @@ spec:
init: init:
# Init always happens immediately before generate, but its output is not treated as manifests. # Init always happens immediately before generate, but its output is not treated as manifests.
# This is a good place to, for example, download chart dependencies. # This is a good place to, for example, download chart dependencies.
command: [/bin/sh] command: [ /bin/sh ]
args: args:
- /plugin/init.sh - /plugin/init.sh
# The generate command runs in the Application source directory each time manifests are generated. Standard output # The generate command runs in the Application source directory each time manifests are generated. Standard output
@@ -17,7 +17,7 @@ spec:
# To write log messages from the command, write them to stderr, it will always be displayed. # To write log messages from the command, write them to stderr, it will always be displayed.
# Error output will be sent to the UI, so avoid printing sensitive information (such as secrets). # Error output will be sent to the UI, so avoid printing sensitive information (such as secrets).
generate: generate:
command: [/bin/sh] command: [ /bin/sh ]
args: args:
- /plugin/generate.sh - /plugin/generate.sh
@@ -27,15 +27,15 @@ spec:
# Only one of fileName, find.glob, or find.command should be specified. If multiple are specified then only the # Only one of fileName, find.glob, or find.command should be specified. If multiple are specified then only the
# first (in that order) is evaluated. # first (in that order) is evaluated.
# discover: # discover:
# fileName is a glob pattern (https://pkg.go.dev/path/filepath#Glob) that is applied to the Application's source # fileName is a glob pattern (https://pkg.go.dev/path/filepath#Glob) that is applied to the Application's source
# directory. If there is a match, this plugin may be used for the Application. # directory. If there is a match, this plugin may be used for the Application.
# fileName: "./subdir/s*.yaml" # fileName: "./subdir/s*.yaml"
# find: # find:
# This does the same thing as fileName, but it supports double-start (nested directory) glob patterns. # This does the same thing as fileName, but it supports double-start (nested directory) glob patterns.
# glob: "**/Chart.yaml" # glob: "**/Chart.yaml"
# The find command runs in the repository's root directory. To match, it must exit with status code 0 _and_ # The find command runs in the repository's root directory. To match, it must exit with status code 0 _and_
# produce non-empty output to standard out. # produce non-empty output to standard out.
# command: [sh, -c, find . -name env.yaml] # command: [sh, -c, find . -name env.yaml]
# The parameters config describes what parameters the UI should display for an Application. It is up to the user to # The parameters config describes what parameters the UI should display for an Application. It is up to the user to
# actually set parameters in the Application manifest (in spec.source.plugin.parameters). The announcements _only_ # actually set parameters in the Application manifest (in spec.source.plugin.parameters). The announcements _only_
# inform the "Parameters" tab in the App Details page of the UI. # inform the "Parameters" tab in the App Details page of the UI.
@@ -52,6 +52,13 @@ spec:
itemType: string itemType: string
collectionType: string collectionType: string
string: "staging" string: "staging"
- name: rewrite
title: Rewrite
tooltip: sed rewrite experssion
required: false
itemType: string
collectionType: string
string: ""
- name: chart - name: chart
title: Chart title: Chart
tooltip: Name or path of helm chart tooltip: Name or path of helm chart
@@ -66,21 +73,22 @@ spec:
itemType: string itemType: string
collectionType: string collectionType: string
string: "" string: ""
# All the fields above besides 'string' apply to both the array and map type parameter announcements. # All the fields above besides "string" apply to both the array and map type parameter announcements.
# - name: array-param # - name: array-param
# # This field communicates the parameter's default value to the UI. Setting this field is optional. # # This field communicates the parameter's default value to the UI. Setting this field is optional.
# array: [default, items] # array: [default, items]
# collectionType: array # collectionType: array
# - name: map-param # - name: map-param
# # This field communicates the parameter's default value to the UI. Setting this field is optional. # # This field communicates the parameter's default value to the UI. Setting this field is optional.
# map: # map:
# some: value # some: value
# collectionType: map # collectionType: map
# dynamic: dynamic:
# The command is run in an Application's source directory. Standard output must be JSON matching the schema of the # The command is run in an Application's source directory. Standard output must be JSON matching the schema of the
# static parameter announcements list. # static parameter announcements list.
# command: [ /bin/sh, /plugin/get-values.sh ] command: [ /bin/sh, /plugin/get-values.sh ]
# If set to `true` then the plugin receives repository files with original file mode. Dangerous since the repository # If set to `true` then the plugin receives repository files with original file mode. Dangerous since the repository
# might have executable files. Set to true only if you trust the CMP plugin authors. # might have executable files. Set to true only if you trust the CMP plugin authors.
preserveFileMode: false preserveFileMode: false
bootstrap/staging-vcluster.yaml → argocd/staging-vcluster.yaml
+1
View File
@@ -13,3 +13,4 @@ stringData:
name: staging-vcluster name: staging-vcluster
server: https://staging-vcluster.staging-vcluster server: https://staging-vcluster.staging-vcluster
type: Opaque type: Opaque
bin/generate.sh
-69
View File
@@ -1,69 +0,0 @@
#!/usr/bin/env bash
# shellcheck disable=SC2034 # Unused variables left for readability
helmfile () {
name=$1
tier=$2
cat <<EOF
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: ${tier}
releases:
- name: ${name}
namespace: {{ .Environment.Name }}-${name}
chart: ../charts/${name}
condition: ${name}.enabled
values:
- ../values/${name}/values/values.yaml.gotmpl
- ../values/${name}/values/values-{{ .Environment.Name }}.yaml
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/${name}/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: manifests
namespace: {{ .Environment.Name }}-${name}
chart: manifests
condition: ${name}.enabled
missingFileHandler: Info
values:
- ../values/env.yaml
- ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/${name}/env.yaml.gotmpl
- ../values/${name}/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{\`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}\`}}'
- '{{\`{{ .Release.Chart }}\`}}'
- '{{\`{{ .Environment.Name }}\`}}'
- ../values/${name}/manifests
- manifests
EOF
}
while true; do
case $* in
--with-env)
ns=true
shift ;;
--*|-*) shift;;
*) break ;;
esac
done
name=$1
tier=$2
if [[ -n "${ns}" ]]; then
namespace="namespace: {{ .Environment.Name }}-${name}"
else
namespace="namespace: ${name}"
fi
helmfile "$1" "$2"
bin/helmify
-41
View File
@@ -1,41 +0,0 @@
#!/usr/bin/env bash
set -o pipefail
cmd=$1
chart=$2
manifests=${4:-manifests}
outdir=${5:-_manifests}
build() {
mkdir -p "${outdir}"/templates
echo "Creating ${outdir}/templates"
echo "generating ${outdir}/Chart.yaml" 1>&2
cat <<EOF > "${outdir}"/Chart.yaml
apiVersion: v1
appVersion: "1.0"
# description: A Helm chart for Kubernetes
name: ${chart}
version: 0.1.0
EOF
if [[ -d "${manifests}" ]]; then
cp -r "${manifests}"/* "${outdir}"/templates
elif [[ -f "${manifests}" ]]; then
cp "${manifests}" "${outdir}"/templates
fi
}
clean() {
echo "cleaning ${outdir}" 1>&2
rm -rf "${outdir}"
}
case "${cmd}" in
"build" ) build ;;
"clean" ) clean ;;
* ) echo "unsupported command: ${cmd}" 1>&2; exit 1 ;;
esac
bin/kustomizer
-13
View File
@@ -1,13 +0,0 @@
#!/usr/bin/env bash
[[ $# != 1 ]] && exit 1
dir=$1
base=${dir}/../base
if [[ -f "${base}"/kustomization.yaml ]] && [[ -f "${dir}"/kustomization.yaml ]]; then
cat > "${base}"/_manifest.yaml
kubectl kustomize "${dir}"
else
cat
fi
bootstrap/argocd-cluster-admin.yaml
-35
View File
@@ -1,35 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: argocd-cluster-admin
rules:
- apiGroups:
- "*"
resources:
- "*"
verbs:
- "*"
- nonResourceURLs:
- "*"
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: argocd-cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argocd-cluster-admin
subjects:
- kind: ServiceAccount
name: argocd-cluster-admin
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: argocd-cluster-admin
namespace: kube-system
---
bootstrap/cluster-admin-token.yaml
-8
View File
@@ -1,8 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
annotations:
kubernetes.io/service-account.name: cluster-admin
name: cluster-admin-token
namespace: kube-system
type: kubernetes.io/service-account-token
bootstrap/deploy.sh
-6
View File
@@ -1,6 +0,0 @@
#!/usr/bin/env bash
helm upgrade --install --create-namespace argocd argo/argo-cd -n argocd --version 7.8.0
helm upgrade --install --create-namespace --values values.yaml argocd-apps argo/argocd-apps -n argocd
#kubectl patch -n argocd deployment argocd-repo-server --type merge --patch-file helmfile-cmp/argo-repo-server-patch.yaml
bootstrap/helm-kustomize-cmp/deploy.sh
-7
View File
@@ -1,7 +0,0 @@
#!/bin/sh
img=registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp
tag=${1:-latest}
docker build -t "${img}":"${tag}" .
docker push "${img}":"${tag}"
bootstrap/helm-kustomize-cmp/generate.sh
-37
View File
@@ -1,37 +0,0 @@
#!/bin/sh
# shellcheck disable=SC2154
export HOME=/plugin
env > /tmp/"${ARGOCD_APP_NAME}".env
echo "${ARGOCD_APP_PARAMETERS}" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
cp parameters.yaml /tmp/"${ARGOCD_APP_NAME}"-parameters.yaml
if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
CHART=${PARAM_CHART}
elif [ -d chart ]; then
CHART=chart
elif [ -f chart ]; then
CHART=$(cat chart)
else
CHART="."
fi
[ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
[ -f values-chart.yaml ] && VALUES="${VALUES} -f values-chart.yaml"
[ -f values.yaml ] && VALUES="${VALUES} -f values.yaml"
[ -f values-"${PARAM_ENV}".yaml ] && VALUES="${VALUES} -f values-${PARAM_ENV}.yaml"
VALUES="${VALUES} -f parameters.yaml"
helm dependency update "${CHART}" >/tmp/"${ARGOCD_APP_NAME}"-helm-dependency-build.out
mkdir -p base
echo "helm template -n ${ARGOCD_APP_NAMESPACE} ${PARAM_FLAGS} ${VALUES} ${ARGOCD_APP_NAME} ${CHART}" > /tmp/"${ARGOCD_APP_NAME}"-helm.sh
helm template -n "${ARGOCD_APP_NAMESPACE}" "${PARAM_FLAGS}" "${VALUES}" "${ARGOCD_APP_NAME}" "${CHART}" > ./base/_manifest.yaml
cp ./base/_manifest.yaml /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
[ -d "${PARAM_ENV}" ] && kubectl kustomize "${PARAM_ENV}" > /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
cat /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
bootstrap/helm-kustomize-cmp/init.sh
-12
View File
@@ -1,12 +0,0 @@
#!/bin/sh
export HOME=/plugin
helm repo update oceanbox
if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
helm show values "${PARAM_CHART}" > values-chart.yaml
elif [ -f chart ]; then
CHART=$(cat chart)
helm show values "${CHART}" > values-chart.yaml
fi
bootstrap/helmfile-cmp/Dockerfile
-7
View File
@@ -1,7 +0,0 @@
FROM ghcr.io/helmfile/helmfile:v1.3.1
RUN mkdir -p /home/argocd/cmp-server/config/
COPY plugin.yaml /home/argocd/cmp-server/config/
WORKDIR /plugin
COPY generate.sh ./
bootstrap/helmfile-cmp/argo-repo-server-old.yaml
-476
View File
@@ -1,476 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
argocd.argoproj.io/tracking-id: argocd:apps/Deployment:argocd/argocd-repo-server
deployment.kubernetes.io/revision: "27"
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.12.3
helm.sh/chart: argo-cd-7.5.2
name: argocd-repo-server
namespace: argocd
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/instance: argocd
app.kubernetes.io/name: argocd-repo-server
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
checksum/cm: 67d6152e0e3482f9a74a6b570fd32bbec4e7856bffe49f577a2a0d3aeaed6f48
checksum/cmd-params: 69ed50e8936f4d6429dc331f782ad0a7d22eb12c318d6800403040352214b781
creationTimestamp: null
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.12.3
helm.sh/chart: argo-cd-7.5.2
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
topologyKey: kubernetes.io/hostname
weight: 100
automountServiceAccountToken: true
containers:
- args:
- /usr/local/bin/argocd-repo-server
- --port=8081
- --metrics-port=8084
env:
- name: ARGOCD_REPO_SERVER_NAME
value: argocd-repo-server
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
key: timeout.reconciliation
name: argocd-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: reposerver.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: reposerver.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.metrics.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_TLS
valueFrom:
configMapKeyRef:
key: reposerver.disable.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.minversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MAX_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.maxversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_CIPHERS
valueFrom:
configMapKeyRef:
key: reposerver.tls.ciphers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.repo.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
key: redis.compression
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
key: redis.db
name: argocd-cmd-params-cm
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
key: redis-username
name: argocd-redis
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
key: auth
name: argocd-redis
- name: REDIS_SENTINEL_USERNAME
valueFrom:
secretKeyRef:
key: redis-sentinel-username
name: argocd-redis
optional: true
- name: REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
key: redis-sentinel-password
name: argocd-redis
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.default.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
key: otlp.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
key: otlp.insecure
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
key: otlp.headers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.max.combined.directory.manifests.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
valueFrom:
configMapKeyRef:
key: reposerver.plugin.tar.exclusions
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
valueFrom:
configMapKeyRef:
key: reposerver.allow.oob.symlinks
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.tar.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.disable.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_MODULES_ENABLED
valueFrom:
configMapKeyRef:
key: reposerver.enable.git.submodule
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.git.lsremote.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_REQUEST_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.git.request.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.revision.cache.lock.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
valueFrom:
configMapKeyRef:
key: reposerver.include.hidden.directories
name: argocd-cmd-params-cm
optional: true
- name: HELM_CACHE_HOME
value: /helm-working-dir
- name: HELM_CONFIG_HOME
value: /helm-working-dir
- name: HELM_DATA_HOME
value: /helm-working-dir
image: quay.io/argoproj/argocd:v2.12.3
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz?full=true
port: metrics
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: repo-server
ports:
- containerPort: 8081
name: repo-server
protocol: TCP
- containerPort: 8084
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
- mountPath: /helm-working-dir
name: helm-working-dir
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always
name: kustomize-helm-with-rewrite
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp:latest
imagePullPolicy: Always
name: helm-kustomize-cmp
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
imagePullPolicy: Always
name: helmfile-cmp
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: gitlab-pull-secret
initContainers:
- command:
- /bin/cp
- -n
- /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server
image: quay.io/argoproj/argocd:v2.12.3
imagePullPolicy: IfNotPresent
name: copyutil
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- command:
- /bin/sh
- /plugin/init-helm-repos.sh
env:
- name: OCEANBOX_HELM_ACCESS_TOKEN
valueFrom:
secretKeyRef:
key: token
name: oceanbox-helm
optional: false
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always
name: init-helm-repos
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 999
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /helm-working-dir
name: helm-working-dir
restartPolicy: Always
schedulerName: default-scheduler
serviceAccount: argocd-repo-server
serviceAccountName: argocd-repo-server
terminationGracePeriodSeconds: 30
volumes:
- name: cmp-tmp
- name: helm-working-dir
- name: plugins
- name: var-files
- name: tmp
- configMap:
defaultMode: 420
name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts
- configMap:
defaultMode: 420
name: argocd-tls-certs-cm
name: tls-certs
- configMap:
defaultMode: 420
name: argocd-gpg-keys-cm
name: gpg-keys
- name: gpg-keyring
- name: argocd-repo-server-tls
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls
bootstrap/helmfile-cmp/argo-repo-server-patch.yaml
-27
View File
@@ -1,27 +0,0 @@
# Don't apply this patch with kubectl, it overwrites the original repo-server!
# Instead merge by hand in the bootstap process.
spec:
template:
spec:
imagePullSecrets:
- name: gitlab-pull-secret
containers:
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
imagePullPolicy: Always
name: helmfile-cmp
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
- mountPath: /helm-working-dir
name: helm-working-dir
bootstrap/helmfile-cmp/deploy.sh
-7
View File
@@ -1,7 +0,0 @@
#!/bin/sh
img=git.oceanbox.io/platform/manifests/helmfile-cmp
tag=${1:-latest}
docker build -t "${img}":"${tag}" .
docker push "${img}":"${tag}"
bootstrap/helmfile-cmp/generate.sh
-17
View File
@@ -1,17 +0,0 @@
#!/bin/sh
# shellcheck disable=SC2154
# NOTE: Ensure errors are part of exitcode
# set -o pipefail
export HOME=/plugin
export HELM_CACHE_HOME=/tmp/helm/cache
export HELM_CONFIG_HOME=/tmp/helm/config
export HELMFILE_CACHE_HOME=/tmp/helmfile/cache
export HELMFILE_TEMPDIR=/tmp/helmfile/tmp
test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT && export HELMFILE_ENVIRONMENT="${ARGOCD_ENV_HELMFILE_ENVIRONMENT}"
test -n ARGOCD_ENV_HELMFILE_FILE_PATH && export HELMFILE_FILE_PATH="${ARGOCD_ENV_HELMFILE_FILE_PATH}"
helmfile -n "${ARGOCD_APP_NAMESPACE}" "${ARGS}" template -q --include-crds
bootstrap/helmfile-cmp/plugin.yaml
-11
View File
@@ -1,11 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: ConfigManagementPlugin
metadata:
name: helmfile-cmp
spec:
generate:
command: ["/bin/sh"]
args:
- /plugin/generate.sh
lockRepo: false
preserveFileMode: true
bootstrap/keycloak-theme/Dockerfile
-3
View File
@@ -1,3 +0,0 @@
FROM busybox
COPY keycloak-themes/oceanbox /theme
bootstrap/keycloak-theme/keycloak-themes/oceanbox/login/resources/css/oceanbox.css
-47
View File
@@ -1,47 +0,0 @@
/* Oceanbox Keycloak Login Theme */
/* Brand colours */
:root {
--pf-v5-global--primary-color--100: #0bb4aa;
--pf-v5-global--primary-color--200: #099e95;
--pf-v5-global--link--Color: #0bb4aa;
--pf-v5-global--link--Color--hover: #031275;
}
/* Background */
.login-pf body {
background: #f9fafd url("../img/oceanbox-bg.png") no-repeat center bottom fixed;
background-size: cover;
}
/* Logo */
div.kc-logo-text {
background-image: url('../img/oceanbox-logo-text.png');
height: 80px;
width: 360px;
background-repeat: no-repeat;
background-size: contain;
background-position: center;
margin: 0 auto;
}
div.kc-logo-text span {
display: none;
}
/* Primary button */
.pf-v5-c-button.pf-m-primary {
--pf-v5-c-button--m-primary--BackgroundColor: #0bb4aa;
--pf-v5-c-button--m-primary--hover--BackgroundColor: #099e95;
--pf-v5-c-button--m-primary--active--BackgroundColor: #37746F;
--pf-v5-c-button--m-primary--focus--BackgroundColor: #099e95;
}
/* Links */
a, .pf-v5-c-button.pf-m-link {
color: #0bb4aa;
}
a:hover, .pf-v5-c-button.pf-m-link:hover {
color: #031275;
}
bootstrap/keycloak-theme/keycloak-themes/oceanbox/login/resources/img/oceanbox-bg.png
BIN
View File
Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 2.4 MiB

bootstrap/keycloak-theme/keycloak-themes/oceanbox/login/resources/img/oceanbox-logo-text.png
BIN
View File
Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 57 KiB

bootstrap/keycloak-theme/keycloak-themes/oceanbox/login/theme.properties
-5
View File
@@ -1,5 +0,0 @@
parent=keycloak.v2
import=common/keycloak
stylesCommon=vendor/patternfly-v5/patternfly.min.css vendor/patternfly-v5/patternfly-addons.css
styles=css/styles.css css/oceanbox.css
bootstrap/kustomize-helm-with-rewrite/argo-repo-server.yaml
-424
View File
@@ -1,424 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
argocd.argoproj.io/tracking-id: argocd:apps/Deployment:argocd/argocd-repo-server
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.10.4
helm.sh/chart: argo-cd-6.7.3
name: argocd-repo-server
namespace: argocd
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/instance: argocd
app.kubernetes.io/name: argocd-repo-server
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
checksum/cm: 3d88c02b8c8e470b75262aae39da4b4bc6f29a02d2a6c7a9e0d44d2d69aa908b
checksum/cmd-params: d76791b7d65a3839bc44b46b65ecfecb5be7ac834b4915b0dea1577f524ea687
creationTimestamp: null
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.10.4
helm.sh/chart: argo-cd-6.7.3
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
topologyKey: kubernetes.io/hostname
weight: 100
containers:
- args:
- /usr/local/bin/argocd-repo-server
- --port=8081
- --metrics-port=8084
env:
- name: ARGOCD_REPO_SERVER_NAME
value: argocd-repo-server
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
key: timeout.reconciliation
name: argocd-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: reposerver.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: reposerver.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.metrics.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_TLS
valueFrom:
configMapKeyRef:
key: reposerver.disable.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.minversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MAX_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.maxversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_CIPHERS
valueFrom:
configMapKeyRef:
key: reposerver.tls.ciphers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.repo.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
key: redis.compression
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
key: redis.db
name: argocd-cmd-params-cm
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
key: redis-username
name: argocd-redis
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
key: redis-password
name: argocd-redis
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.default.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
key: otlp.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
key: otlp.insecure
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
key: otlp.headers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.max.combined.directory.manifests.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
valueFrom:
configMapKeyRef:
key: reposerver.plugin.tar.exclusions
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
valueFrom:
configMapKeyRef:
key: reposerver.allow.oob.symlinks
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.tar.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.disable.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_MODULES_ENABLED
valueFrom:
configMapKeyRef:
key: reposerver.enable.git.submodule
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.git.lsremote.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_REQUEST_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.git.request.timeout
name: argocd-cmd-params-cm
optional: true
- name: HELM_CACHE_HOME
value: /helm-working-dir
- name: HELM_CONFIG_HOME
value: /helm-working-dir
- name: HELM_DATA_HOME
value: /helm-working-dir
image: quay.io/argoproj/argocd:v2.10.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz?full=true
port: metrics
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: repo-server
ports:
- containerPort: 8081
name: repo-server
protocol: TCP
- containerPort: 8084
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
- mountPath: /helm-working-dir
name: helm-working-dir
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always
name: kustomize-helm-with-rewrite
resources: {}
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: gitlab-pull-secret
initContainers:
- command:
- /bin/cp
- -n
- /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server
image: quay.io/argoproj/argocd:v2.10.4
imagePullPolicy: IfNotPresent
name: copyutil
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- command:
- /bin/sh
- /plugin/init-helm-repos.sh
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always
name: init-helm-repos
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsUser: 999
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
env:
- name: OCEANBOX_HELM_ACCESS_TOKEN
valueFrom:
secretKeyRef:
key: token
name: oceanbox-helm
optional: false
volumeMounts:
- mountPath: /helm-working-dir
name: helm-working-dir
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: argocd-repo-server
serviceAccountName: argocd-repo-server
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: cmp-tmp
- emptyDir: {}
name: helm-working-dir
- emptyDir: {}
name: plugins
- emptyDir: {}
name: var-files
- emptyDir: {}
name: tmp
- configMap:
defaultMode: 420
name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts
- configMap:
defaultMode: 420
name: argocd-tls-certs-cm
name: tls-certs
- configMap:
defaultMode: 420
name: argocd-gpg-keys-cm
name: gpg-keys
- emptyDir: {}
name: gpg-keyring
- name: argocd-repo-server-tls
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls
bootstrap/purge.sh
-5
View File
@@ -1,5 +0,0 @@
#!/usr/bin/env bash
helm uninstall argocd argo/argocd-apps -n argocd
helm uninstall argocd argo/argo-cd -n argocd
bootstrap/reset-ekman-cluster.sh
-21
View File
@@ -1,21 +0,0 @@
#!/bin/sh
echo "reset ekman cluster admin token... "
kubectl --context ekman delete -f cluster-admin-token.yaml
sleep 1
kubectl --context ekman apply -f cluster-admin-token.yaml
# secret=$(kubectl --context ekman get secret -n kube-system | grep cluster-admin-token | cut -d' ' -f1)
# token=$(kubectl --context ekman get secret -n kube-system $secret -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d)
# sed "s/@token@/$token/" cluster-ekman.yaml > _cluster-ekman.yaml
# echo "configure argocd ekman-cluster..."
# cat _cluster-ekman.yaml
# kubectl --context oceanbox apply -f _cluster-ekman.yaml
token=$(kubectl --context ekman get secret -n kube-system argocd-manager-token -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d)
sed "s/@token@/${token}/" cluster-ekman.yaml > _cluster-ekman.yaml
echo "configure argocd ekman-cluster..."
cat _cluster-ekman.yaml
kubectl --context oceanbox apply -f _cluster-ekman.yaml
echo "done."
bootstrap/values.yaml
-43
View File
@@ -1,43 +0,0 @@
## !!
# This values files only contains the bare minimum to get argo up and running.
# Only update things like initial argo-cd version here
# Rest of config is located in argocd-apps/sys/argocd.yaml
##
applications:
system:
namespace: argocd
additionalAnnotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
destination:
namespace: argocd
server: https://kubernetes.default.svc
project: sys
sources:
- repoURL: https://gitlab.com/oceanbox//manifests.git
targetRevision: HEAD
path: helmfile.d
plugin:
name: helmfile-cmp
env:
- name: CLUSTER_NAME
value: replaceme
- name: HELMFILE_ENVIRONMENT
value: default
- name: HELMFILE_FILE_PATH
value: system.yaml.gotmpl
projects:
sys:
namespace: argocd
additionalLabels: {}
additionalAnnotations: {}
description: sys components project
sourceRepos:
- "*"
destinations:
- namespace: "*"
server: https://kubernetes.default.svc
clusterResourceWhitelist:
- group: "*"
kind: "*"
orphanedResources:
warn: false
attic/charts/archmeister/.helmignore → charts/archmeister/.helmignore
View File
attic/charts/archmeister/Chart.yaml → charts/archmeister/Chart.yaml
View File
attic/charts/archmeister/templates/NOTES.txt → charts/archmeister/templates/NOTES.txt
View File
attic/charts/archmeister/templates/_helpers.tpl → charts/archmeister/templates/_helpers.tpl
View File
attic/charts/archmeister/templates/cluster.yaml → charts/archmeister/templates/cluster.yaml
View File
attic/charts/archmeister/templates/deployment.yaml → charts/archmeister/templates/deployment.yaml
View File
attic/charts/archmeister/templates/hpa.yaml → charts/archmeister/templates/hpa.yaml
View File
attic/charts/archmeister/templates/ingress.yaml → charts/archmeister/templates/ingress.yaml
View File
attic/charts/archmeister/templates/internal-ingress.yaml → charts/archmeister/templates/internal-ingress.yaml
+1 -1
View File
@@ -20,7 +20,7 @@ metadata:
{{- include "Archmeister.labels" . | nindent 4 }} {{- include "Archmeister.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }} {{- with .Values.ingress.annotations }}
annotations: annotations:
oceanbox.io/expose: internal atlantis.oceanbox.io/expose: internal
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
attic/charts/archmeister/templates/pvc.yaml → charts/archmeister/templates/pvc.yaml
View File
attic/charts/archmeister/templates/service.yaml → charts/archmeister/templates/service.yaml
View File
attic/charts/archmeister/templates/serviceaccount.yaml → charts/archmeister/templates/serviceaccount.yaml
View File
attic/charts/archmeister/values.yaml → charts/archmeister/values.yaml
View File
charts/atlantis/Chart.yaml
+2 -11
View File
@@ -2,14 +2,5 @@ apiVersion: v2
name: atlantis name: atlantis
description: Atlantis map and simulation service description: Atlantis map and simulation service
type: application type: application
# This is the chart version. This version number should be incremented each time you make changes version: v2.87.1
# to the chart and its templates, including the app version. appVersion: v2.87.1
version: v1.42.25
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.
appVersion: v1.42.25
dependencies:
- name: diagrid-dashboard
version: "0.1.0"
repository: "file://../diagrid-dashboard"
condition: diagrid-dashboard.enabled
charts/atlantis/templates/cluster.yaml
+2 -55
View File
@@ -17,13 +17,8 @@ spec:
# - supervised: requires manual supervision to perform # - supervised: requires manual supervision to perform
# the switchover of the primary # the switchover of the primary
primaryUpdateStrategy: unsupervised primaryUpdateStrategy: unsupervised
{{- if .Values.cluster.backup.enabled }} backup:
plugins: retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
- name: barman-cloud.cloudnative-pg.io
isWALArchiver: true
parameters:
barmanObjectName: tos-store
{{- end}}
storage: storage:
size: {{ .Values.cluster.size | default "5Gi" }} size: {{ .Values.cluster.size | default "5Gi" }}
{{- with .Values.cluster.bootstrap }} {{- with .Values.cluster.bootstrap }}
@@ -56,52 +51,4 @@ spec:
- ALTER USER app WITH SUPERUSER; - ALTER USER app WITH SUPERUSER;
{{- end }} {{- end }}
{{- end }} {{- end }}
---
{{- if and .Values.cluster.backup.enabled .Values.cluster.enabled -}}
apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
metadata:
name: tos-store
namespace: {{ .Release.Namespace }}
spec:
retentionPolicy: {{ .Values.cluster.backup.backupRetention | default "60d" }}
configuration:
destinationPath: {{ .Values.cluster.destinationPath | default ""}}
endpointURL: http://10.255.241.30:30080
s3Credentials:
accessKeyId:
name: cnpg-s3
key: access_key
secretAccessKey:
name: cnpg-s3
key: access_secret
wal:
compression: snappy
---
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
name: {{ include "Atlantis.fullname" . }}-db
namespace: {{ .Release.Namespace }}
spec:
schedule: "0 0 1 * * *"
backupOwnerReference: self
cluster:
name: '{{ include "Atlantis.fullname" . }}-db'
method: plugin
pluginConfiguration:
name: barman-cloud.cloudnative-pg.io
{{- end }}
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ include "Atlantis.fullname" . }}-db-monitor
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
cnpg.io/cluster: {{ include "Atlantis.fullname" . }}-db
podMetricsEndpoints:
- port: metrics
{{- end }} {{- end }}
charts/atlantis/templates/deployment.yaml
-6
View File
@@ -40,12 +40,6 @@ spec:
protocol: TCP protocol: TCP
env: env:
{{- toYaml .Values.env | nindent 12 }} {{- toYaml .Values.env | nindent 12 }}
startupProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 30
failureThreshold: 10
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
charts/atlantis/templates/internal-ingress.yaml
+1 -1
View File
@@ -20,7 +20,7 @@ metadata:
{{- include "Atlantis.labels" . | nindent 4 }} {{- include "Atlantis.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }} {{- with .Values.ingress.annotations }}
annotations: annotations:
oceanbox.io/expose: internal atlantis.oceanbox.io/expose: internal
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
spec: spec:
charts/atlantis/templates/redis.yaml
-62
View File
@@ -1,62 +0,0 @@
{{- if .Values.redis.enabled -}}
apiVersion: dragonflydb.io/v1alpha1
kind: Dragonfly
metadata:
name: {{ include "Atlantis.fullname" . }}-redis
namespace: {{ .Release.Namespace }}
annotations:
linkerd.io/inject: disabled
labels:
app.kubernetes.io/created-by: dragonfly-operator
{{- include "Atlantis.labels" . | nindent 4 }}
spec:
args:
- --dbfilename=dump # Static filename prevents disk exhaustion
- --maxmemory=$(MAX_MEMORY)Mi # Graceful memory management (90% of limit)
- --proactor_threads=1 # Auto-detect CPU cores (optimal threading)
- --cluster_mode=emulated
- --logtostderr
- --save_schedule= # Disable continuous saves (cron snapshots only)
- --s3_endpoint=hel1.your-objectstorage.com # Hertzner S3
env:
- name: MAX_MEMORY
valueFrom:
resourceFieldRef:
resource: limits.memory
divisor: 1Mi
{{- if .Values.redis.backup.enabled }}
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
key: access_key
name: redis-s3
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: access_secret
name: redis-s3
{{- end}}
replicas: {{ .Values.redis.replicas | default "1" }}
resources:
requests:
cpu: {{ .Values.redis.resources.cpu | default "150m" }}
memory: {{ .Values.redis.resources.memory | default "256Mi"}}
limits:
memory: {{ .Values.redis.resources.memory | default "256Mi"}}
authentication:
passwordFromSecret:
name: {{ .Values.redis.secret.name | quote }}
key: {{ .Values.redis.secret.key | quote }}
{{- if .Values.redis.backup.enabled }}
snapshot:
dir: "s3://obx-redis/hel1/{{ include "Atlantis.fullname" . }}-redis"
cron: "0 3 * * *" # Default: every day at 03:00
enableOnMasterOnly: false
persistentVolumeClaimSpec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.redis.size | default "1Gi" }}
{{- end }}
{{- end}}
charts/atlantis/values.yaml
+25 -19
View File
@@ -1,18 +1,22 @@
# Default values for Atlantis. # Default values for Atlantis.
# This is a YAML-formatted file. # This is a YAML-formatted file.
# Declare variables to be passed into your templates. # Declare variables to be passed into your templates.
replicaCount: 1 replicaCount: 1
image: image:
repository: git.oceanbox.io/oceanbox/poseidon/atlantis repository: registry.gitlab.com/oceanbox/atlantis
tag: v1.42.25 tag: v2.87.1
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
init: init:
enabled: false enabled: false
image: ubuntu:rolling image: ubuntu:rolling
command: ["/bin/sh", "-c", "true"] command: ["/bin/sh", "-c", "true"]
env: env:
- name: LOG_LEVEL - name: LOG_LEVEL
value: "2" value: "3"
- name: APP_NAME - name: APP_NAME
valueFrom: valueFrom:
fieldRef: fieldRef:
@@ -21,10 +25,14 @@ env:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.namespace fieldPath: metadata.namespace
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
serviceAccount: serviceAccount:
create: true create: true
# Annotations to add to the service account # Annotations to add to the service account
@@ -32,9 +40,12 @@ serviceAccount:
# The name of the service account to use. # The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template # If not set and create is true, a name is generated using the fullname template
name: "" name: ""
podAnnotations: {} podAnnotations: {}
podSecurityContext: podSecurityContext:
fsGroup: 2000 fsGroup: 2000
securityContext: securityContext:
capabilities: capabilities:
drop: drop:
@@ -42,9 +53,11 @@ securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
service: service:
type: ClusterIP type: ClusterIP
port: 8085 port: 8085
ingress: ingress:
enabled: false enabled: false
className: "nginx" className: "nginx"
@@ -67,32 +80,25 @@ ingress:
- hosts: - hosts:
- atlantis.srv.oceanbox.io - atlantis.srv.oceanbox.io
secretName: atlantis-tls secretName: atlantis-tls
persistence: persistence:
enabled: false enabled: false
size: 1G size: 1G
storageClass: "" storageClass: ""
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
redis:
enabled: false
instances: 1
# metrics:
# enabled: false
backup:
enabled: false
size: 5Gi
cluster: cluster:
enabled: true enabled: true
instances: 1 instances: 1
destinationPath: "s3://cnpg/prod-atlantis-db" backupEnabled: true
backup: backupRetention: 60d
enabled: true
backupRetention: 60d
size: 5Gi size: 5Gi
bootstrap: bootstrap:
enabled: true enabled: true
source: source:
db: prod-atlantis-db db: prod-archmeister
namespace: prod-atlantis namespace: atlantis
resources: {} resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious # We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little # choice for the user. This also increases chances charts run on environments with little
@@ -111,10 +117,10 @@ autoscaling:
maxReplicas: 100 maxReplicas: 100
targetCPUUtilizationPercentage: 80 targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80
serviceMonitor: serviceMonitor:
enabled: true enabled: true
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
diagrid-dashboard:
enabled: false
charts/codex/.helmignore
-23
View File
@@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

Some files were not shown because too many files have changed in this diff Show More