Update jobset Docker tag to v0.12.0

Reviewed-on: #198

.envrc

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# the shebang is ignored, but nice for editors
+watch_file npins/sources.json
+
+# Load .env file if it exists
+dotenv_if_exists
+
+# Activate development shell
+if type lorri &>/dev/null; then
+    echo "direnv: using lorri from PATH ($(type -p lorri))"
+    eval "$(lorri direnv)"
+else
+    # fall back to using direnv's builtin nix support
+    # to prevent bootstrapping problems.
+    use nix
+fi

.gitignore

@@ -1,2 +1,7 @@
-_manifest.yaml
-_resources.yaml
+*.tgz
+_*/
+.direnv/
+.env
+.pre-commit-config.yaml
+_*.yaml
+backup/

.gitlab-ci.yml

@@ -1,46 +0,0 @@
-image:
-  name: alpine/helm:latest
-  entrypoint: [ "/bin/bash", "-c" ]
-
-stages:
-  - release
-
-release:
-  stage: release
-  rules:
-  - if: '$CI_COMMIT_BRANCH =~ /^main/'
-    when: always
-  - when: never
-  script:
-    - |
-      cd $CI_PROJECT_DIR
-      for i in $(git show --pretty="" --name-only | grep '^charts/.*/Chart.yaml' | cut -d/ -f2); do
-        pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
-        if [ ! -z $pack ]; then
-          chart=$(basename $pack)
-          curl --request POST \
-               --user gitlab-ci-token:$CI_JOB_TOKEN \
-               --form "chart=@${chart}" \
-               "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
-        fi
-      done
-
-rebuild:
-  stage: release
-  rules:
-    - when: manual
-      allow_failure: true
-  script:
-    - |
-      cd $CI_PROJECT_DIR
-      for i in $(find ./charts -maxdepth 2 -name Chart.yaml | cut -d/ -f3); do
-        pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
-        if [ ! -z $pack ]; then
-          chart=$(basename $pack)
-          curl --request POST \
-               --user gitlab-ci-token:$CI_JOB_TOKEN \
-               --form "chart=@${chart}" \
-               "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
-        fi
-      done
-

README.md

@@ -0,0 +1,33 @@
+# Manifests
+
+> [!note]
+> For CI/CD to push updates to this repo add your repo [here](https://gitlab.com/oceanbox/alpine-k8s/-/settings/ci_cd#js-token-access)
+
+Manifest repo managed using [Helmfile](https://github.com/helmfile/helmfile).
+
+Repository structure:
+
+```bash
+/
+├── helmfile.d/                                                 # Helmfiles, *.yaml.gotmpl
+├── charts/                                                     # Our own charts, e.g `Atlantis`
+├── values                                                      # Values for helmfiles
+│   ├── <chart>
+│   │   ├── env.yaml.gotmpl                                     # Values to be templated in `values/`
+│   │   ├── kustomize                                           # Kustomizations per environment
+│   │   ├── manifests                                           # Raw manifests
+│   │   │   ├── <chart>.yaml                                    # Argo App for bootstrap
+│   │   │   ├── dashboards                                      # Grafana dashboards
+│   │   │   │   └── <chart>-metrics.yaml
+│   │   │   └── policies                                        # Cilium and Kyverno policies
+│   │   │       ├── CiliumNetworkPolicy-allow-api-server.yaml
+│   │   │       └── KyvernoPolicy-regred-secret.yaml
+│   │   └── values                                              # Values for each environment
+│   │       ├── <chart>-staging.yaml.gotmpl                     # Values for staging environment
+│   │       ├── <chart>-prod.yaml.gotmpl                        # Values for prod environment
+│   │       └── <chart>.yaml.gotmpl                             # Standard values for all environments
+│   │
+│   ├── env.yaml                                             # Standard values for all cluster
+│   ├── env-oceanbox.yaml                                    # Values overrides for oceanbox
+│   ├── env-ekman.yaml                                       # Values overrides for ekman
+```

acl.json

@@ -1 +0,0 @@
-kustomizations/petimeter/manifests/acl.json

applications/archmeister.yaml

@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: archmeister
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: archmeister.srv.oceanbox.io
-        autoSync: false
-        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: archmeister.beta.oceanbox.io
-        autoSync: true
-        prune: true
-  template:
-    metadata:
-      name: "{{ .env }}-archmeister"
-    spec:
-      project: atlantis
-      destination:
-        namespace: atlantis
-        server: "{{ .cluster }}"
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/archmeister
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: "{{ .env }}"
-          - name: hostname
-            string: "{{ .hostname }}"
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/atlantis-host-resources.yaml

@@ -1,36 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: atlantis-host-cluster-resources
-  namespace: argocd
-  # annotations: # close, but no cigar
-  #   argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
-spec:
-  project: aux
-  destination:
-    server: https://kubernetes.default.svc
-  syncPolicy:
-    automated:
-      prune: false
-      selfHeal: false
-  ignoreDifferences:
-    - kind: Secret
-      name: prod-rabbitmq
-      jqPathExpressions:
-        - '.data'
-        - '.metadata.annotations.clone'
-        - '.metadata.labels'
-    - kind: Secret
-      name: prod-redis
-      jqPathExpressions:
-        - '.data'
-        - '.metadata.annotations.clone'
-        - '.metadata.labels'
-  sources:
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: resources/atlantis/host-manifests
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: 'resources/atlantis/manifests/prod'
-

applications/atlantis-resources.yaml

@@ -1,41 +0,0 @@
-# Currently not in use. Configured via the create-vcluster script.
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: atlantis-resources
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        autoSync: false
-        prune: false
-      # - cluster: https://staging-vcluster.staging-vcluster
-      #   env: staging
-      #   autoSync: false
-      #   prune: false
-  template:
-    metadata:
-      name: "{{ .env }}-atlantis-resources"
-    spec:
-      project: aux
-      syncPolicy:
-        automated: {}
-      destination:
-        server: "{{ .cluster }}"
-        namespace: atlantis
-      sources: {}
-      # - repoURL: https://gitlab.com/oceanbox/manifests.git
-      #   targetRevision: main
-      #   path: 'resources/atlantis/manifests/{{ env }}'
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/atlantis.yaml

@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: atlantis
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: atlantis.srv.oceanbox.io
-        autoSync: false
-        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: atlantis.beta.oceanbox.io
-        autoSync: true
-        prune: true
-  template:
-    metadata:
-      name: '{{ .env }}-atlantis'
-    spec:
-      project: atlantis
-      destination:
-        namespace: atlantis
-        server: '{{ .cluster }}'
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/atlantis
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ .env }}'
-          - name: hostname
-            string: '{{ .hostname }}'
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/busynix.yaml

@@ -1,34 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: busynix
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      # - cluster: https://kubernetes.default.svc
-      #   env: prod
-      #   hostname: busynix.srv.oceanbox.io
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: busynix.beta.oceanbox.io
-  template:
-    metadata:
-      name: '{{ env }}-busynix'
-    spec:
-      project: aux
-      destination:
-        namespace: default
-        server: '{{ cluster }}'
-      source:
-        repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/busynix
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ env }}'
-          - name: hostname
-            string: '{{ hostname }}'

applications/cerbos.yaml

@@ -1,32 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: cerbos
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-  template:
-    metadata:
-      name: '{{ env }}-cerbos'
-    spec:
-      project: aux
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: idp
-      sources:
-        - repoURL: https://download.cerbos.dev/helm-charts
-          targetRevision: 0.33.0
-          chart: cerbos
-          helm:
-            valueFiles:
-              - $values/kustomizations/cerbos/values.yaml
-              - $values/kustomizations/cerbos/values-{{ env }}.yaml
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: main
-          ref: values

applications/dex.yaml

@@ -1,15 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: dex
-  namespace: argocd
-spec:
-  project: aux
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: idp
-  source:
-    repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: kustomizations/dex/manifests
-

applications/geoserver.yaml

@@ -1,38 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: geoserver
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: geoserver.srv.oceanbox.io
-      # - cluster: https://kubernetes.default.svc
-      #   env: staging
-      #   hostname: geoserver.beta.oceanbox.io
-  template:
-    metadata:
-      name: '{{ env }}-geoserver'
-    spec:
-      project: aux
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: geoserver
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/geoserver
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ env }}'
-          - name: hostname
-            string: geoserver.srv.oceanbox.io
-          - name: flags
-            string: "--skip-tests"
-          - name: chart
-            string: ncsa/geoserver

applications/hipster.yaml

@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: hipster
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: hipster.srv.oceanbox.io
-        autoSync: false
-        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: hipster.beta.oceanbox.io
-        autoSync: true
-        prune: true
-  template:
-    metadata:
-      name: '{{ .env }}-hipster'
-    spec:
-      project: atlantis
-      destination:
-        namespace: atlantis
-        server: '{{ .cluster }}'
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/hipster
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ .env }}'
-          - name: hostname
-            string: '{{ .hostname }}'
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/jaeger.yaml

@@ -1,22 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: jaeger
-  namespace: argocd
-spec:
-  project: atlantis
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: jaeger
-  sources:
-  - repoURL: https://jaegertracing.github.io/helm-charts
-    targetRevision: 2.54.0
-    chart: jaeger-operator
-    helm:
-      valueFiles:
-        - $values/kustomizations/jaeger/values.yaml
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    # path: kustomizations/jaeger/manifests
-    ref: values
-

applications/keycloak.yaml

@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: keycloak
-  namespace: argocd
-spec:
-  project: aux
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: idp
-  sources:
-  - repoURL: https://charts.bitnami.com/bitnami
-    targetRevision: 18.3.4
-    chart: keycloak
-    helm:
-      valueFiles:
-        - $values/kustomizations/keycloak/values.yaml
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    ref: values
-

applications/loki.yaml

@@ -1,150 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: loki
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  destination:
-    namespace: loki
-    server: 'https://kubernetes.default.svc'
-  project: aux
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/persistentVolumeClaimRetentionPolicy
-  syncPolicy:
-    managedNamespaceMetadata:
-      labels:
-        component: aux
-    syncOptions:
-      - CreateNamespace=true
-      - ApplyOutOfSyncOnly=true
-    automated:
-      prune: true
-      selfHeal: true
-  sources:
-  - repoURL: https://gitlab.com/serit/k8s/serit-platform-manifests.git
-    path: network-policies/netpol-loki
-    targetRevision: HEAD
-  - repoURL: 'https://grafana.github.io/helm-charts'
-    targetRevision: 6.12.0
-    chart: loki
-    helm:
-      values: |
-        loki:
-          auth_enabled: false
-          storage:
-            bucketNames:
-              chunks: loki-chunks
-              ruler: loki-chunks
-              admin: loki-chunks
-            s3:
-              endpoint: http://10.255.241.30:30080
-              region: tos
-              secretAccessKey: ${S3SECRET}
-              accessKeyId: ${S3KEY}
-              s3ForcePathStyle: true
-              http_config:
-                insecure_skip_verify: true
-          schemaConfig:
-            configs:
-            - from: "2024-04-01"
-              index:
-                period: 24h
-                prefix: loki_index_
-              object_store: s3
-              schema: v13
-              store: tsdb
-          compactor:
-            compaction_interval: 10m
-            working_directory: /tmp/loki/compactor
-            retention_enabled: true
-            retention_delete_delay: 2h
-            retention_delete_worker_count: 150
-            delete_request_store: s3
-          limits_config:
-            retention_period: 744h
-        write:
-          extraArgs:
-            - -config.expand-env=true
-          extraEnv:
-          - name: S3KEY
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_ID
-          - name: S3SECRET
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_SECRET
-          tolerations:
-          - effect: "NoSchedule"
-            operator: "Equal"
-            key: "unschedulable"
-            value: "true"
-        read:
-          extraArgs:
-            - -config.expand-env=true
-          extraEnv:
-          - name: S3KEY
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_ID
-          - name: S3SECRET
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_SECRET
-          tolerations:
-          - effect: "NoSchedule"
-            operator: "Equal"
-            key: "unschedulable"
-            value: "true"
-        ingress:
-          enabled: true
-          ingressClassName: nginx
-          annotations:
-            cert-manager.io/cluster-issuer: letsencrypt-staging
-            nginx.ingress.kubernetes.io/ssl-redirect: "true"
-            atlantis.oceanbox.io/expose: internal
-          hosts:
-            - loki.adm.oceanbox.io
-          tls:
-            - hosts:
-               - loki.adm.oceanbox.io
-              secretName: loki-distributed-tls
-        compactor:
-          extraArgs:
-            - -config.expand-env=true
-          extraEnv:
-          - name: S3KEY
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_ID
-          - name: S3SECRET
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_SECRET
-        backend:
-          extraArgs:
-            - -config.expand-env=true
-          extraEnv:
-          - name: S3KEY
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_ID
-          - name: S3SECRET
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_SECRET

applications/openfga.yaml

@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: openfga
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: openfga.adm.oceanbox.io
-        autoSync: false
-        prune: true
-      - cluster: https://kubernetes.default.svc
-        env: staging
-        hostname: openfga.dev.oceanbox.io
-        autoSync: true
-        prune: true
-  template:
-    metadata:
-      name: '{{ .env }}-openfga'
-    spec:
-      project: aux
-      destination:
-        namespace: idp
-        server: '{{ .cluster }}'
-      sources:
-        - repoURL: https://openfga.github.io/helm-charts
-          targetRevision: 0.2.12
-          chart: openfga
-          helm:
-            valueFiles:
-              - $values/kustomizations/openfga/values.yaml
-              - $values/kustomizations/openfga/values-{{ .env }}.yaml
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: main
-          ref: values
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/opentelemetry-collector.yaml

@@ -1,106 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: opentelemetry-collector
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  destination:
-    namespace: otel
-    server: 'https://kubernetes.default.svc'
-  project: aux
-  syncPolicy:
-    # managedNamespaceMetadata:
-    #   labels:
-    #     component: aux
-    syncOptions:
-      - CreateNamespace=true
-      - ApplyOutOfSyncOnly=true
-    automated:
-      prune: true
-      selfHeal: true
-  sources:
-  - repoURL: 'https://open-telemetry.github.io/opentelemetry-helm-charts'
-    targetRevision: 0.107.0
-    chart: opentelemetry-collector
-    helm:
-      values: |
-        mode: deployment
-        image:
-          repository: otel/opentelemetry-collector-k8s
-        config:
-          receivers:
-            prometheus/collector:
-              config:
-                scrape_configs:
-                  - job_name: 'opentelemetry-collector'
-                    static_configs:
-                      - targets:
-                         - ${env:MY_POD_IP}:8888
-            zipkin:
-              endpoint: ${env:MY_POD_IP}:9411
-          exporters:
-            otlp:
-              endpoint: "tempo.tempo.svc:4317"
-              tls:
-                insecure: true
-            otlphttp/metrics:
-              endpoint: http://prom-prometheus.prometheus:9090/api/v1/otlp
-              tls:
-                insecure: true
-            otlphttp/logs:
-              endpoint: http://loki-write-headless.loki:3100/otlp
-              tls:
-                insecure: true
-            debug/metrics:
-              verbosity: detailed
-            debug/traces:
-              verbosity: detailed
-            debug/logs:
-              verbosity: detailed
-          service:
-            telemetry:
-              logs:
-                level: "info"
-            pipelines:
-              traces:
-                receivers: [otlp,zipkin]
-                processors: [batch]
-                exporters: [otlp]
-                # exporters: [otlphttp/traces,debug/traces]
-              metrics:
-                receivers: [otlp,prometheus/collector]
-                processors: [batch]
-                exporters: [otlphttp/metrics]
-                # exporters: [otlphttp/metrics,debug/metrics]
-              logs:
-                receivers: [otlp]
-                processors: [batch]
-                exporters: [otlphttp/logs]
-                # exporters: [otlphttp/logs,debug/logs]
-        ports:
-          metrics:
-            enabled: true
-        # presets:
-        #   logsCollection:
-        #     enabled: true
-        ingress:
-          enabled: true
-          annotations:
-              cert-manager.io/cluster-issuer: letsencrypt-staging
-              nginx.ingress.kubernetes.io/ssl-redirect: "true"
-              atlantis.oceanbox.io/expose: internal
-          ingressClassName: nginx
-          hosts:
-            - host: collector.adm.oceanbox.io
-              paths:
-                - path: /
-                  pathType: Prefix
-                  port: 4318
-          tls:
-            - secretName: collector-tls
-              hosts:
-                - collector.adm.oceanbox.io

applications/osm-tile-server.yaml

@@ -1,34 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: osm-tile-server
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: osm.srv.oceanbox.io
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: osm.beta.oceanbox.io
-  template:
-    metadata:
-      name: '{{ env }}-osm-tile-server'
-    spec:
-      project: aux
-      destination:
-        namespace: oceanbox
-        server: '{{ cluster }}'
-      source:
-        repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: HEAD
-        path: kustomizations/osm-tile-server
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ env }}'
-          - name: hostname
-            string: '{{ hostname }}'

applications/petimeter.yaml

@@ -1,50 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: petimeter
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: petimeter.srv.oceanbox.io
-        autoSync: false
-        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: petimeter.beta.oceanbox.io
-        autoSync: true
-        prune: true
-  template:
-    metadata:
-      name: '{{ .env }}-petimeter'
-    spec:
-      project: atlantis
-      destination:
-        namespace: atlantis
-        server: '{{ .cluster }}'
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/petimeter
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ .env }}'
-          - name: hostname
-            string: '{{ .hostname }}'
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/petimeter/manifests
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/rabbitmq.yaml

@@ -1,34 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: rabbitmq
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: rabbitmq.srv.oceanbox.io
-      - cluster: https://kubernetes.default.svc
-        env: staging
-        hostname: rabbitmq.beta.oceanbox.io
-  template:
-    metadata:
-      name: '{{ env }}-rabbitmq'
-    spec:
-      project: aux
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: rabbitmq
-      sources:
-        - repoURL: https://charts.bitnami.com/bitnami
-          targetRevision: 12.9.0
-          chart: rabbitmq
-          helm:
-            valueFiles:
-              - $values/kustomizations/rabbitmq/values-{{ env }}.yaml
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: main
-          path: kustomizations/rabbitmq/{{ env }}
-          ref: values

applications/redis.yaml

@@ -1,39 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: redis
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-      - cluster: https://kubernetes.default.svc
-        env: staging
-  template:
-    metadata:
-      name: '{{ env }}-redis'
-    spec:
-      project: aux
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: redis
-      sources:
-        - repoURL: https://charts.bitnami.com/bitnami
-          targetRevision: 19.5.2
-          chart: redis
-          helm:
-            valueFiles:
-              - $values/kustomizations/redis/values-{{ env }}.yaml
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: HEAD
-          ref: values
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: main
-          path: kustomizations/redis/{{ env }}
-      ignoreDifferences:
-        - group: apps
-          kind: StatefulSet
-          jqPathExpressions:
-            - '.spec.template.spec.containers[].resources.limits.cpu'

applications/seq.yaml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: seq
-  namespace: argocd
-spec:
-  project: aux
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: seq
-  sources:
-  - repoURL: https://helm.datalust.co
-    targetRevision: 2024.1.0
-    chart: seq
-    helm:
-      valueFiles:
-        - $values/kustomizations/seq/values.yaml
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    ref: values

applications/sorcerer.yaml

@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: sorcerer
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://10.255.241.99:4443
-        env: prod
-        hostname: sorcerer.data.oceanbox.io
-        autoSync: false
-        prune: true
-      - cluster: https://10.255.241.99:4443
-        env: staging
-        hostname: sorcerer.ekman.oceanbox.io
-        autoSync: true
-        prune: true
-  template:
-    metadata:
-      name: '{{ .env }}-sorcerer'
-    spec:
-      project: atlantis
-      destination:
-        namespace: sorcerer
-        server: '{{ .cluster }}'
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/sorcerer
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ .env }}'
-          - name: hostname
-            string: '{{ .hostname }}'
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/tempo.yaml

@@ -1,75 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: tempo
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  destination:
-    namespace: tempo
-    server: 'https://kubernetes.default.svc'
-  project: aux
-  syncPolicy:
-    # managedNamespaceMetadata:
-    #   labels:
-    #     component: aux
-    syncOptions:
-      - CreateNamespace=true
-      - ApplyOutOfSyncOnly=true
-    automated:
-      prune: true
-      selfHeal: true
-  sources:
-  - repoURL: 'https://grafana.github.io/helm-charts'
-    targetRevision: 1.10.3
-    chart: tempo
-    helm:
-      values: |
-        tempo:
-          storage:
-            trace:
-              backend: s3
-              s3:
-                bucket: tempo-traces
-                endpoint: http://10.255.241.30:30080
-                access_key: ${S3SECRET}
-                secret_key: ${S3KEY}
-                insecure: true
-              backend: local
-              local:
-                path: /var/tempo/traces
-              wal:
-                path: /var/tempo/wal
-          metricsGenerator:
-            enabled: true
-            remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
-          extraEnv:
-          - name: S3KEY
-            valueFrom:
-              secretKeyRef:
-                name: tempo-s3
-                key: AWS_ACCESS_KEY_ID
-          - name: S3SECRET
-            valueFrom:
-              secretKeyRef:
-                name: tempo-s3
-                key: AWS_ACCESS_KEY_SECRET
-        tempoQuery:
-          ingress:
-            enabled: true
-            ingressClassName: nginx
-            annotations:
-              cert-manager.io/cluster-issuer: letsencrypt-staging
-              nginx.ingress.kubernetes.io/ssl-redirect: "true"
-              atlantis.oceanbox.io/expose: internal
-            path: /
-            pathType: Prefix
-            hosts:
-              - query.tempo.adm.oceanbox.io
-            tls:
-             - secretName: tempo-query-tls
-               hosts:
-                 - query.tempo.adm.oceanbox.io

applications/wordpress.yaml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: www-oceanbox
-  namespace: argocd
-spec:
-  project: default
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: www-oceanbox
-  sources:
-  - repoURL: https://charts.bitnami.com/bitnami
-    targetRevision: 19.2.2
-    chart: wordpress
-    helm:
-      valueFiles:
-        - $values/wordpress/values.yaml
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: HEAD
-    ref: values

applications/yolo-dl.yaml

@@ -1,14 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: yolo-dl
-  namespace: argocd
-spec:
-  project: aux
-  destination:
-    server: https://10.255.241.99:4443
-    namespace: oceanbox
-  sources:
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: charts/yolo-dl

argocd/kustomize-helm-with-rewrite/deploy.sh

@@ -1,7 +0,0 @@
-#!/bin/sh
-
-img=registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite
-tag=${1:-latest}
-
-docker build -t $img:$tag .
-docker push $img:$tag

argocd/kustomize-helm-with-rewrite/generate.sh

@@ -1,35 +0,0 @@
-#!/bin/sh
-
-export HOME=/helm-working-dir
-
-env > /tmp/$ARGOCD_APP_NAME.env
-
-echo "$ARGOCD_APP_PARAMETERS" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
-cp parameters.yaml /tmp/$ARGOCD_APP_NAME-parameters.yaml
-
-if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
-    CHART=$PARAM_CHART
-elif [ -d chart ]; then
-    CHART=chart
-elif [ -f chart ]; then
-    CHART=$(cat chart)
-else
-    CHART="."
-fi
-
-[ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
-[ -f values-chart.yaml ] && VALUES="$VALUES -f values-chart.yaml"
-[ -f values.yaml ] && VALUES="$VALUES -f values.yaml"
-[ -f values-$PARAM_ENV.yaml ] && VALUES="$VALUES -f values-$PARAM_ENV.yaml"
-VALUES="$VALUES -f parameters.yaml"
-
-mkdir -p base
-echo "helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART" > /tmp/$ARGOCD_APP_NAME-helm.sh
-helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART > ./base/_manifest.yaml
-
-sed -i "$PARAM_REWRITE" ./base/_manifest.yaml
-cp ./base/_manifest.yaml /tmp/$ARGOCD_APP_NAME-manifest.yaml
-
-[ -d "$PARAM_ENV" ] && kubectl kustomize $PARAM_ENV > /tmp/$ARGOCD_APP_NAME-manifest.yaml
-
-cat /tmp/$ARGOCD_APP_NAME-manifest.yaml

argocd/kustomize-helm-with-rewrite/init.sh

@@ -1,12 +0,0 @@
-#!/bin/sh
-
-export HOME=/helm-working-dir
-
-helm repo update oceanbox
-
-if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
-    helm show values $PARAM_CHART > values-chart.yaml
-elif [ -f chart ]; then
-    CHART=$(cat chart)
-    helm show values $CHART > values-chart.yaml
-fi

attic/charts/archmeister/templates/internal-ingress.yaml

@@ -20,7 +20,7 @@ metadata:
     {{- include "Archmeister.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}
   annotations:
-    atlantis.oceanbox.io/expose: internal
+    oceanbox.io/expose: internal
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:

attic/charts/archmeister/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

attic/charts/hipster/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

attic/charts/petimeter/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

bin/generate.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC2034  # Unused variables left for readability
+
+helmfile () {
+
+name=$1
+tier=$2
+
+cat <<EOF
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+commonLabels:
+  tier: ${tier}
+
+releases:
+- name: ${name}
+  namespace: {{ .Environment.Name }}-${name}
+  chart: ../charts/${name}
+  condition: ${name}.enabled
+  values:
+  - ../values/${name}/values/values.yaml.gotmpl
+  - ../values/${name}/values/values-{{ .Environment.Name }}.yaml
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/${name}/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: {{ .Environment.Name }}-${name}
+  chart: manifests
+  condition: ${name}.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/${name}/env.yaml.gotmpl
+  - ../values/${name}/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{\`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}\`}}'
+    - '{{\`{{ .Release.Chart }}\`}}'
+    - '{{\`{{ .Environment.Name }}\`}}'
+    - ../values/${name}/manifests
+    - manifests
+EOF
+}
+
+while true; do
+    case $* in
+        --with-env)
+            ns=true
+            shift ;;
+        --*|-*) shift;;
+        *) break ;;
+    esac
+done
+
+name=$1
+tier=$2
+if [[ -n "${ns}" ]]; then
+    namespace="namespace: {{ .Environment.Name }}-${name}"
+else
+    namespace="namespace: ${name}"
+fi
+
+helmfile "$1" "$2"

bin/helmify

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+
+cmd=$1
+chart=$2
+manifests=${4:-manifests}
+outdir=${5:-_manifests}
+
+build() {
+  mkdir -p "${outdir}"/templates
+  echo "Creating ${outdir}/templates"
+
+  echo "generating ${outdir}/Chart.yaml" 1>&2
+
+  cat <<EOF > "${outdir}"/Chart.yaml
+apiVersion: v1
+appVersion: "1.0"
+# description: A Helm chart for Kubernetes
+name: ${chart}
+version: 0.1.0
+EOF
+
+if [[ -d "${manifests}" ]]; then
+    cp -r "${manifests}"/* "${outdir}"/templates
+elif [[ -f "${manifests}" ]]; then
+    cp "${manifests}" "${outdir}"/templates
+fi
+}
+
+clean() {
+  echo "cleaning ${outdir}" 1>&2
+  rm -rf "${outdir}"
+}
+
+case "${cmd}" in
+  "build" ) build ;;
+  "clean" ) clean ;;
+  * ) echo "unsupported command: ${cmd}" 1>&2; exit 1 ;;
+esac
+

bin/kustomizer

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+[[ $# != 1 ]] && exit 1
+
+dir=$1
+base=${dir}/../base
+
+if [[ -f "${base}"/kustomization.yaml ]] && [[ -f "${dir}"/kustomization.yaml ]]; then
+    cat > "${base}"/_manifest.yaml
+    kubectl kustomize "${dir}"
+else
+    cat
+fi

bootstrap/argocd-cluster-admin.yaml

@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argocd-cluster-admin
+rules:
+  - apiGroups:
+      - "*"
+    resources:
+      - "*"
+    verbs:
+      - "*"
+  - nonResourceURLs:
+      - "*"
+    verbs:
+      - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argocd-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argocd-cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: argocd-cluster-admin
+    namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-cluster-admin
+  namespace: kube-system
+---

bootstrap/cluster-admin-token.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: cluster-admin
+  name: cluster-admin-token
+  namespace: kube-system
+type: kubernetes.io/service-account-token

bootstrap/cluster-ekman.yaml

@@ -1,14 +1,12 @@
 apiVersion: v1
 stringData:
-  config: |
-    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  config: '{"bearerToken":"@token@","tlsClientConfig":{"insecure":true}}'
   name: ekman
   server: https://10.255.241.99:4443
 kind: Secret
 metadata:
   labels:
     argocd.argoproj.io/secret-type: cluster
-  name: cluster-10.255.241.99-4046803085
+  name: cluster-ekman
   namespace: argocd
 type: Opaque
-

bootstrap/deploy.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+helm upgrade --install --create-namespace argocd argo/argo-cd -n argocd --version 7.8.0
+helm upgrade --install --create-namespace --values values.yaml argocd-apps argo/argocd-apps -n argocd
+#kubectl patch -n argocd deployment argocd-repo-server --type merge --patch-file helmfile-cmp/argo-repo-server-patch.yaml
+
+

bootstrap/helm-kustomize-cmp/deploy.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+img=registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp
+tag=${1:-latest}
+
+docker build -t "${img}":"${tag}" .
+docker push "${img}":"${tag}"

bootstrap/helm-kustomize-cmp/generate.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+# shellcheck disable=SC2154
+
+export HOME=/plugin
+
+env > /tmp/"${ARGOCD_APP_NAME}".env
+
+echo "${ARGOCD_APP_PARAMETERS}" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
+cp parameters.yaml /tmp/"${ARGOCD_APP_NAME}"-parameters.yaml
+
+if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
+    CHART=${PARAM_CHART}
+elif [ -d chart ]; then
+    CHART=chart
+elif [ -f chart ]; then
+    CHART=$(cat chart)
+else
+    CHART="."
+fi
+
+[ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
+[ -f values-chart.yaml ] && VALUES="${VALUES} -f values-chart.yaml"
+[ -f values.yaml ] && VALUES="${VALUES} -f values.yaml"
+[ -f values-"${PARAM_ENV}".yaml ] && VALUES="${VALUES} -f values-${PARAM_ENV}.yaml"
+VALUES="${VALUES} -f parameters.yaml"
+
+helm dependency update "${CHART}" >/tmp/"${ARGOCD_APP_NAME}"-helm-dependency-build.out
+
+mkdir -p base
+echo "helm template -n ${ARGOCD_APP_NAMESPACE} ${PARAM_FLAGS} ${VALUES} ${ARGOCD_APP_NAME} ${CHART}" > /tmp/"${ARGOCD_APP_NAME}"-helm.sh
+helm template -n "${ARGOCD_APP_NAMESPACE}" "${PARAM_FLAGS}" "${VALUES}" "${ARGOCD_APP_NAME}" "${CHART}" > ./base/_manifest.yaml
+
+cp ./base/_manifest.yaml /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
+
+[ -d "${PARAM_ENV}" ] && kubectl kustomize "${PARAM_ENV}" > /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
+
+cat /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml

bootstrap/helm-kustomize-cmp/get-values.sh

@@ -18,7 +18,7 @@ EOF
     exit 0
 fi
 
-yq e -o=p $VALUES | jq --slurp --raw-input '
+yq e -o=p "${VALUES}" | jq --slurp --raw-input '
   [{
     name: "helm-parameters",
     title: "Helm Parameters",

bootstrap/helm-kustomize-cmp/init-helm-repos.sh

@@ -1,8 +1,9 @@
 #!/bin/sh
+# shellcheck disable=SC2154
 
-export HOME=/helm-working-dir
+export HOME=/plugin
 
-helm repo add --username argocd-helm --password "$OCEANBOX_HELM_ACCESS_TOKEN" oceanbox \
+helm repo add --username argocd-helm --password "${OCEANBOX_HELM_ACCESS_TOKEN}" oceanbox \
     https://gitlab.com/api/v4/projects/54396343/packages/helm/stable
 
 helm repo add bitnami https://charts.bitnami.com/bitnami

bootstrap/helm-kustomize-cmp/init.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+export HOME=/plugin
+
+helm repo update oceanbox
+
+if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
+    helm show values "${PARAM_CHART}" > values-chart.yaml
+elif [ -f chart ]; then
+    CHART=$(cat chart)
+    helm show values "${CHART}" > values-chart.yaml
+fi

bootstrap/helm-kustomize-cmp/plugin.yaml

@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ConfigManagementPlugin
 metadata:
-  name: kustomize-helm-with-rewrite
+  name: helm-kustomize-cmp
 spec:
   # version: v1.2
   # The init command runs in the Application source directory at the beginning of each manifest generation. The init
@@ -9,7 +9,7 @@ spec:
   init:
     # Init always happens immediately before generate, but its output is not treated as manifests.
     # This is a good place to, for example, download chart dependencies.
-    command: [ /bin/sh ]
+    command: [/bin/sh]
     args:
       - /plugin/init.sh
   # The generate command runs in the Application source directory each time manifests are generated. Standard output
@@ -17,7 +17,7 @@ spec:
   # To write log messages from the command, write them to stderr, it will always be displayed.
   # Error output will be sent to the UI, so avoid printing sensitive information (such as secrets).
   generate:
-    command: [ /bin/sh ]
+    command: [/bin/sh]
     args:
       - /plugin/generate.sh
 
@@ -27,15 +27,15 @@ spec:
   # Only one of fileName, find.glob, or find.command should be specified. If multiple are specified then only the
   # first (in that order) is evaluated.
   # discover:
-    # fileName is a glob pattern (https://pkg.go.dev/path/filepath#Glob) that is applied to the Application's source
-    # directory. If there is a match, this plugin may be used for the Application.
-    # fileName: "./subdir/s*.yaml"
-    # find:
-      # This does the same thing as fileName, but it supports double-start (nested directory) glob patterns.
-      # glob: "**/Chart.yaml"
-      # The find command runs in the repository's root directory. To match, it must exit with status code 0 _and_
-      # produce non-empty output to standard out.
-      # command: [sh, -c, find . -name env.yaml]
+  # fileName is a glob pattern (https://pkg.go.dev/path/filepath#Glob) that is applied to the Application's source
+  # directory. If there is a match, this plugin may be used for the Application.
+  # fileName: "./subdir/s*.yaml"
+  # find:
+  # This does the same thing as fileName, but it supports double-start (nested directory) glob patterns.
+  # glob: "**/Chart.yaml"
+  # The find command runs in the repository's root directory. To match, it must exit with status code 0 _and_
+  # produce non-empty output to standard out.
+  # command: [sh, -c, find . -name env.yaml]
   # The parameters config describes what parameters the UI should display for an Application. It is up to the user to
   # actually set parameters in the Application manifest (in spec.source.plugin.parameters). The announcements _only_
   # inform the "Parameters" tab in the App Details page of the UI.
@@ -52,13 +52,6 @@ spec:
         itemType: string
         collectionType: string
         string: "staging"
-      - name: rewrite
-        title: Rewrite
-        tooltip: sed rewrite experssion
-        required: false
-        itemType: string
-        collectionType: string
-        string: ""
       - name: chart
         title: Chart
         tooltip: Name or path of helm chart
@@ -73,22 +66,21 @@ spec:
         itemType: string
         collectionType: string
         string: ""
-      # All the fields above besides "string" apply to both the array and map type parameter announcements.
-      # - name: array-param
-      #   # This field communicates the parameter's default value to the UI. Setting this field is optional.
-      #   array: [default, items]
-      #   collectionType: array
-      # - name: map-param
-      #   # This field communicates the parameter's default value to the UI. Setting this field is optional.
-      #   map:
-      #     some: value
-      #   collectionType: map
-    dynamic:
-      # The command is run in an Application's source directory. Standard output must be JSON matching the schema of the
-      # static parameter announcements list.
-      command: [ /bin/sh, /plugin/get-values.sh ]
+        # All the fields above besides 'string' apply to both the array and map type parameter announcements.
+        # - name: array-param
+        #   # This field communicates the parameter's default value to the UI. Setting this field is optional.
+        #   array: [default, items]
+        #   collectionType: array
+        # - name: map-param
+        #   # This field communicates the parameter's default value to the UI. Setting this field is optional.
+        #   map:
+        #     some: value
+        #   collectionType: map
+    # dynamic:
+    # The command is run in an Application's source directory. Standard output must be JSON matching the schema of the
+    # static parameter announcements list.
+    # command: [ /bin/sh, /plugin/get-values.sh ]
 
     # If set to `true` then the plugin receives repository files with original file mode. Dangerous since the repository
     # might have executable files. Set to true only if you trust the CMP plugin authors.
     preserveFileMode: false
-

bootstrap/helmfile-cmp/Dockerfile

@@ -0,0 +1,7 @@
+FROM ghcr.io/helmfile/helmfile:v1.3.1
+
+RUN mkdir -p /home/argocd/cmp-server/config/
+COPY plugin.yaml /home/argocd/cmp-server/config/
+
+WORKDIR /plugin
+COPY generate.sh ./

bootstrap/helmfile-cmp/argo-repo-server-old.yaml

@@ -0,0 +1,476 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    argocd.argoproj.io/tracking-id: argocd:apps/Deployment:argocd/argocd-repo-server
+    deployment.kubernetes.io/revision: "27"
+  labels:
+    app.kubernetes.io/component: repo-server
+    app.kubernetes.io/instance: argocd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: argocd-repo-server
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/version: v2.12.3
+    helm.sh/chart: argo-cd-7.5.2
+  name: argocd-repo-server
+  namespace: argocd
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: argocd
+      app.kubernetes.io/name: argocd-repo-server
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        checksum/cm: 67d6152e0e3482f9a74a6b570fd32bbec4e7856bffe49f577a2a0d3aeaed6f48
+        checksum/cmd-params: 69ed50e8936f4d6429dc331f782ad0a7d22eb12c318d6800403040352214b781
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/component: repo-server
+        app.kubernetes.io/instance: argocd
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: argocd-repo-server
+        app.kubernetes.io/part-of: argocd
+        app.kubernetes.io/version: v2.12.3
+        helm.sh/chart: argo-cd-7.5.2
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app.kubernetes.io/name: argocd-repo-server
+                topologyKey: kubernetes.io/hostname
+              weight: 100
+      automountServiceAccountToken: true
+      containers:
+        - args:
+            - /usr/local/bin/argocd-repo-server
+            - --port=8081
+            - --metrics-port=8084
+          env:
+            - name: ARGOCD_REPO_SERVER_NAME
+              value: argocd-repo-server
+            - name: ARGOCD_RECONCILIATION_TIMEOUT
+              valueFrom:
+                configMapKeyRef:
+                  key: timeout.reconciliation
+                  name: argocd-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LOGFORMAT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.log.format
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LOGLEVEL
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.log.level
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.parallelism.limit
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.listen.address
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.metrics.listen.address
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_DISABLE_TLS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.disable.tls
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_TLS_MIN_VERSION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.tls.minversion
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_TLS_MAX_VERSION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.tls.maxversion
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_TLS_CIPHERS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.tls.ciphers
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_CACHE_EXPIRATION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.repo.cache.expiration
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDIS_SERVER
+              valueFrom:
+                configMapKeyRef:
+                  key: redis.server
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDIS_COMPRESSION
+              valueFrom:
+                configMapKeyRef:
+                  key: redis.compression
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDISDB
+              valueFrom:
+                configMapKeyRef:
+                  key: redis.db
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDIS_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key: redis-username
+                  name: argocd-redis
+                  optional: true
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: auth
+                  name: argocd-redis
+            - name: REDIS_SENTINEL_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key: redis-sentinel-username
+                  name: argocd-redis
+                  optional: true
+            - name: REDIS_SENTINEL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: redis-sentinel-password
+                  name: argocd-redis
+                  optional: true
+            - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.default.cache.expiration
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  key: otlp.address
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
+              valueFrom:
+                configMapKeyRef:
+                  key: otlp.insecure
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
+              valueFrom:
+                configMapKeyRef:
+                  key: otlp.headers
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.max.combined.directory.manifests.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.plugin.tar.exclusions
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.allow.oob.symlinks
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.streamed.manifest.max.tar.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.streamed.manifest.max.extracted.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.helm.manifest.max.extracted.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.disable.helm.manifest.max.extracted.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_GIT_MODULES_ENABLED
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.enable.git.submodule
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.git.lsremote.parallelism.limit
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_GIT_REQUEST_TIMEOUT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.git.request.timeout
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.revision.cache.lock.timeout
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.include.hidden.directories
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: HELM_CACHE_HOME
+              value: /helm-working-dir
+            - name: HELM_CONFIG_HOME
+              value: /helm-working-dir
+            - name: HELM_DATA_HOME
+              value: /helm-working-dir
+          image: quay.io/argoproj/argocd:v2.12.3
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz?full=true
+              port: metrics
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          name: repo-server
+          ports:
+            - containerPort: 8081
+              name: repo-server
+              protocol: TCP
+            - containerPort: 8084
+              name: metrics
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: metrics
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /app/config/ssh
+              name: ssh-known-hosts
+            - mountPath: /app/config/tls
+              name: tls-certs
+            - mountPath: /app/config/gpg/source
+              name: gpg-keys
+            - mountPath: /app/config/gpg/keys
+              name: gpg-keyring
+            - mountPath: /app/config/reposerver/tls
+              name: argocd-repo-server-tls
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: tmp
+        - command:
+            - /var/run/argocd/argocd-cmp-server
+          image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
+          imagePullPolicy: Always
+          name: kustomize-helm-with-rewrite
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 999
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: cmp-tmp
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+        - command:
+            - /var/run/argocd/argocd-cmp-server
+          image: registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp:latest
+          imagePullPolicy: Always
+          name: helm-kustomize-cmp
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 999
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: cmp-tmp
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+        - command:
+            - /var/run/argocd/argocd-cmp-server
+          image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
+          imagePullPolicy: Always
+          name: helmfile-cmp
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 999
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: cmp-tmp
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+      dnsPolicy: ClusterFirst
+      imagePullSecrets:
+        - name: gitlab-pull-secret
+      initContainers:
+        - command:
+            - /bin/cp
+            - -n
+            - /usr/local/bin/argocd
+            - /var/run/argocd/argocd-cmp-server
+          image: quay.io/argoproj/argocd:v2.12.3
+          imagePullPolicy: IfNotPresent
+          name: copyutil
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+        - command:
+            - /bin/sh
+            - /plugin/init-helm-repos.sh
+          env:
+            - name: OCEANBOX_HELM_ACCESS_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  key: token
+                  name: oceanbox-helm
+                  optional: false
+          image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
+          imagePullPolicy: Always
+          name: init-helm-repos
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 999
+            seccompProfile:
+              type: RuntimeDefault
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      serviceAccount: argocd-repo-server
+      serviceAccountName: argocd-repo-server
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: cmp-tmp
+        - name: helm-working-dir
+        - name: plugins
+        - name: var-files
+        - name: tmp
+        - configMap:
+            defaultMode: 420
+            name: argocd-ssh-known-hosts-cm
+          name: ssh-known-hosts
+        - configMap:
+            defaultMode: 420
+            name: argocd-tls-certs-cm
+          name: tls-certs
+        - configMap:
+            defaultMode: 420
+            name: argocd-gpg-keys-cm
+          name: gpg-keys
+        - name: gpg-keyring
+        - name: argocd-repo-server-tls
+          secret:
+            defaultMode: 420
+            items:
+              - key: tls.crt
+                path: tls.crt
+              - key: tls.key
+                path: tls.key
+              - key: ca.crt
+                path: ca.crt
+            optional: true
+            secretName: argocd-repo-server-tls

bootstrap/helmfile-cmp/argo-repo-server-patch.yaml

@@ -0,0 +1,27 @@
+# Don't apply this patch with kubectl, it overwrites the original repo-server!
+# Instead merge by hand in the bootstap process.
+spec:
+  template:
+    spec:
+      imagePullSecrets:
+        - name: gitlab-pull-secret
+      containers:
+        - command:
+            - /var/run/argocd/argocd-cmp-server
+          image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
+          imagePullPolicy: Always
+          name: helmfile-cmp
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 999
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: tmp
+            - mountPath: /helm-working-dir
+              name: helm-working-dir

bootstrap/helmfile-cmp/deploy.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+img=git.oceanbox.io/platform/manifests/helmfile-cmp
+tag=${1:-latest}
+
+docker build -t "${img}":"${tag}" .
+docker push "${img}":"${tag}"

bootstrap/helmfile-cmp/generate.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+# shellcheck disable=SC2154
+
+# NOTE: Ensure errors are part of exitcode
+# set -o pipefail
+
+export HOME=/plugin
+
+export HELM_CACHE_HOME=/tmp/helm/cache
+export HELM_CONFIG_HOME=/tmp/helm/config
+export HELMFILE_CACHE_HOME=/tmp/helmfile/cache
+export HELMFILE_TEMPDIR=/tmp/helmfile/tmp
+
+test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT && export HELMFILE_ENVIRONMENT="${ARGOCD_ENV_HELMFILE_ENVIRONMENT}"
+test -n ARGOCD_ENV_HELMFILE_FILE_PATH && export HELMFILE_FILE_PATH="${ARGOCD_ENV_HELMFILE_FILE_PATH}"
+
+helmfile -n "${ARGOCD_APP_NAMESPACE}" "${ARGS}" template -q --include-crds

bootstrap/helmfile-cmp/plugin.yaml

@@ -0,0 +1,11 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ConfigManagementPlugin
+metadata:
+  name: helmfile-cmp
+spec:
+  generate:
+    command: ["/bin/sh"]
+    args:
+      - /plugin/generate.sh
+  lockRepo: false
+  preserveFileMode: true

bootstrap/keycloak-theme/Dockerfile

@@ -0,0 +1,3 @@
+FROM busybox
+
+COPY keycloak-themes/oceanbox /theme

bootstrap/keycloak-theme/keycloak-themes/oceanbox/login/resources/css/oceanbox.css

@@ -0,0 +1,47 @@
+/* Oceanbox Keycloak Login Theme */
+
+/* Brand colours */
+:root {
+    --pf-v5-global--primary-color--100: #0bb4aa;
+    --pf-v5-global--primary-color--200: #099e95;
+    --pf-v5-global--link--Color: #0bb4aa;
+    --pf-v5-global--link--Color--hover: #031275;
+}
+
+/* Background */
+.login-pf body {
+    background: #f9fafd url("../img/oceanbox-bg.png") no-repeat center bottom fixed;
+    background-size: cover;
+}
+
+/* Logo */
+div.kc-logo-text {
+    background-image: url('../img/oceanbox-logo-text.png');
+    height: 80px;
+    width: 360px;
+    background-repeat: no-repeat;
+    background-size: contain;
+    background-position: center;
+    margin: 0 auto;
+}
+
+div.kc-logo-text span {
+    display: none;
+}
+
+/* Primary button */
+.pf-v5-c-button.pf-m-primary {
+    --pf-v5-c-button--m-primary--BackgroundColor: #0bb4aa;
+    --pf-v5-c-button--m-primary--hover--BackgroundColor: #099e95;
+    --pf-v5-c-button--m-primary--active--BackgroundColor: #37746F;
+    --pf-v5-c-button--m-primary--focus--BackgroundColor: #099e95;
+}
+
+/* Links */
+a, .pf-v5-c-button.pf-m-link {
+    color: #0bb4aa;
+}
+
+a:hover, .pf-v5-c-button.pf-m-link:hover {
+    color: #031275;
+}

bootstrap/keycloak-theme/keycloak-themes/oceanbox/login/theme.properties

@@ -0,0 +1,5 @@
+parent=keycloak.v2
+import=common/keycloak
+
+stylesCommon=vendor/patternfly-v5/patternfly.min.css vendor/patternfly-v5/patternfly-addons.css
+styles=css/styles.css css/oceanbox.css

bootstrap/kustomize-helm-with-rewrite/argo-repo-server.yaml

@@ -0,0 +1,424 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    argocd.argoproj.io/tracking-id: argocd:apps/Deployment:argocd/argocd-repo-server
+  labels:
+    app.kubernetes.io/component: repo-server
+    app.kubernetes.io/instance: argocd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: argocd-repo-server
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/version: v2.10.4
+    helm.sh/chart: argo-cd-6.7.3
+  name: argocd-repo-server
+  namespace: argocd
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: argocd
+      app.kubernetes.io/name: argocd-repo-server
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        checksum/cm: 3d88c02b8c8e470b75262aae39da4b4bc6f29a02d2a6c7a9e0d44d2d69aa908b
+        checksum/cmd-params: d76791b7d65a3839bc44b46b65ecfecb5be7ac834b4915b0dea1577f524ea687
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/component: repo-server
+        app.kubernetes.io/instance: argocd
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: argocd-repo-server
+        app.kubernetes.io/part-of: argocd
+        app.kubernetes.io/version: v2.10.4
+        helm.sh/chart: argo-cd-6.7.3
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app.kubernetes.io/name: argocd-repo-server
+                topologyKey: kubernetes.io/hostname
+              weight: 100
+      containers:
+        - args:
+            - /usr/local/bin/argocd-repo-server
+            - --port=8081
+            - --metrics-port=8084
+          env:
+            - name: ARGOCD_REPO_SERVER_NAME
+              value: argocd-repo-server
+            - name: ARGOCD_RECONCILIATION_TIMEOUT
+              valueFrom:
+                configMapKeyRef:
+                  key: timeout.reconciliation
+                  name: argocd-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LOGFORMAT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.log.format
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LOGLEVEL
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.log.level
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.parallelism.limit
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.listen.address
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.metrics.listen.address
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_DISABLE_TLS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.disable.tls
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_TLS_MIN_VERSION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.tls.minversion
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_TLS_MAX_VERSION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.tls.maxversion
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_TLS_CIPHERS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.tls.ciphers
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_CACHE_EXPIRATION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.repo.cache.expiration
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDIS_SERVER
+              valueFrom:
+                configMapKeyRef:
+                  key: redis.server
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDIS_COMPRESSION
+              valueFrom:
+                configMapKeyRef:
+                  key: redis.compression
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDISDB
+              valueFrom:
+                configMapKeyRef:
+                  key: redis.db
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDIS_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key: redis-username
+                  name: argocd-redis
+                  optional: true
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: redis-password
+                  name: argocd-redis
+                  optional: true
+            - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.default.cache.expiration
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  key: otlp.address
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
+              valueFrom:
+                configMapKeyRef:
+                  key: otlp.insecure
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
+              valueFrom:
+                configMapKeyRef:
+                  key: otlp.headers
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.max.combined.directory.manifests.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.plugin.tar.exclusions
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.allow.oob.symlinks
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.streamed.manifest.max.tar.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.streamed.manifest.max.extracted.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.helm.manifest.max.extracted.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.disable.helm.manifest.max.extracted.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_GIT_MODULES_ENABLED
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.enable.git.submodule
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.git.lsremote.parallelism.limit
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_GIT_REQUEST_TIMEOUT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.git.request.timeout
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: HELM_CACHE_HOME
+              value: /helm-working-dir
+            - name: HELM_CONFIG_HOME
+              value: /helm-working-dir
+            - name: HELM_DATA_HOME
+              value: /helm-working-dir
+          image: quay.io/argoproj/argocd:v2.10.4
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz?full=true
+              port: metrics
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          name: repo-server
+          ports:
+            - containerPort: 8081
+              name: repo-server
+              protocol: TCP
+            - containerPort: 8084
+              name: metrics
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: metrics
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          resources: {}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /app/config/ssh
+              name: ssh-known-hosts
+            - mountPath: /app/config/tls
+              name: tls-certs
+            - mountPath: /app/config/gpg/source
+              name: gpg-keys
+            - mountPath: /app/config/gpg/keys
+              name: gpg-keyring
+            - mountPath: /app/config/reposerver/tls
+              name: argocd-repo-server-tls
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: tmp
+        - command:
+            - /var/run/argocd/argocd-cmp-server
+          image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
+          imagePullPolicy: Always
+          name: kustomize-helm-with-rewrite
+          resources: {}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 999
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: cmp-tmp
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+      dnsPolicy: ClusterFirst
+      imagePullSecrets:
+        - name: gitlab-pull-secret
+      initContainers:
+        - command:
+            - /bin/cp
+            - -n
+            - /usr/local/bin/argocd
+            - /var/run/argocd/argocd-cmp-server
+          image: quay.io/argoproj/argocd:v2.10.4
+          imagePullPolicy: IfNotPresent
+          name: copyutil
+          resources: {}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+        - command:
+            - /bin/sh
+            - /plugin/init-helm-repos.sh
+          image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
+          imagePullPolicy: Always
+          name: init-helm-repos
+          resources: {}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsUser: 999
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          env:
+            - name: OCEANBOX_HELM_ACCESS_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  key: token
+                  name: oceanbox-helm
+                  optional: false
+          volumeMounts:
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      serviceAccount: argocd-repo-server
+      serviceAccountName: argocd-repo-server
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - emptyDir: {}
+          name: cmp-tmp
+        - emptyDir: {}
+          name: helm-working-dir
+        - emptyDir: {}
+          name: plugins
+        - emptyDir: {}
+          name: var-files
+        - emptyDir: {}
+          name: tmp
+        - configMap:
+            defaultMode: 420
+            name: argocd-ssh-known-hosts-cm
+          name: ssh-known-hosts
+        - configMap:
+            defaultMode: 420
+            name: argocd-tls-certs-cm
+          name: tls-certs
+        - configMap:
+            defaultMode: 420
+            name: argocd-gpg-keys-cm
+          name: gpg-keys
+        - emptyDir: {}
+          name: gpg-keyring
+        - name: argocd-repo-server-tls
+          secret:
+            defaultMode: 420
+            items:
+              - key: tls.crt
+                path: tls.crt
+              - key: tls.key
+                path: tls.key
+              - key: ca.crt
+                path: ca.crt
+            optional: true
+            secretName: argocd-repo-server-tls

bootstrap/purge.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+helm uninstall argocd argo/argocd-apps -n argocd
+helm uninstall argocd argo/argo-cd -n argocd
+
+

bootstrap/reset-ekman-cluster.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+echo "reset ekman cluster admin token... "
+kubectl --context ekman delete -f cluster-admin-token.yaml
+sleep 1
+kubectl --context ekman apply -f cluster-admin-token.yaml
+
+# secret=$(kubectl --context ekman get secret -n kube-system | grep cluster-admin-token | cut -d' ' -f1)
+# token=$(kubectl --context ekman get secret -n kube-system $secret -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d)
+# sed "s/@token@/$token/" cluster-ekman.yaml > _cluster-ekman.yaml
+# echo "configure argocd ekman-cluster..."
+# cat _cluster-ekman.yaml
+# kubectl --context oceanbox apply -f _cluster-ekman.yaml
+
+token=$(kubectl --context ekman get secret -n kube-system argocd-manager-token -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d)
+sed "s/@token@/${token}/" cluster-ekman.yaml > _cluster-ekman.yaml
+echo "configure argocd ekman-cluster..."
+cat _cluster-ekman.yaml
+kubectl --context oceanbox apply -f _cluster-ekman.yaml
+echo "done."
+

bootstrap/staging-vcluster.yaml

@@ -13,4 +13,3 @@ stringData:
   name: staging-vcluster
   server: https://staging-vcluster.staging-vcluster
 type: Opaque
-

bootstrap/values.yaml

@@ -0,0 +1,43 @@
+## !!
+# This values files only contains the bare minimum to get argo up and running.
+# Only update things like initial argo-cd version here
+# Rest of config is located in argocd-apps/sys/argocd.yaml
+##
+applications:
+  system:
+    namespace: argocd
+    additionalAnnotations:
+      argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    destination:
+      namespace: argocd
+      server: https://kubernetes.default.svc
+    project: sys
+    sources:
+      - repoURL: https://gitlab.com/oceanbox//manifests.git
+        targetRevision: HEAD
+        path: helmfile.d
+        plugin:
+          name: helmfile-cmp
+          env:
+            - name: CLUSTER_NAME
+              value: replaceme
+            - name: HELMFILE_ENVIRONMENT
+              value: default
+            - name: HELMFILE_FILE_PATH
+              value: system.yaml.gotmpl
+projects:
+  sys:
+    namespace: argocd
+    additionalLabels: {}
+    additionalAnnotations: {}
+    description: sys components project
+    sourceRepos:
+      - "*"
+    destinations:
+      - namespace: "*"
+        server: https://kubernetes.default.svc
+    clusterResourceWhitelist:
+      - group: "*"
+        kind: "*"
+    orphanedResources:
+      warn: false

charts/atlantis/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: redis-stack-server
-  repository: https://redis-stack.github.io/helm-redis-stack/
-  version: 0.4.14
-digest: sha256:ed6bf447567c0d92030bffebc947801c67cb4e9b4dd95680c35a0b5f6b23d71f
-generated: "2024-10-04T11:54:47.575418518+02:00"

charts/atlantis/Chart.yaml

@@ -2,11 +2,14 @@ apiVersion: v2
 name: atlantis
 description: Atlantis map and simulation service
 type: application
-version: v2.87.1
-appVersion: v2.87.1
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: v2.6.6
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: v2.6.6
 dependencies:
-  - name: redis-stack-server
-    version: 0.4.14
-    repository: https://redis-stack.github.io/helm-redis-stack/
-    condition: redis.enabled
-    alias: redis
+  - name: diagrid-dashboard
+    version: "0.1.0"
+    repository: "file://../diagrid-dashboard"
+    condition: diagrid-dashboard.enabled