feat: Helmfile-ify System Argo Applications #21

Merged
mrtz-j merged 4 commits from mrtz/helmify into helmify 2025-06-10 15:46:10 +00:00
198 changed files with 40315 additions and 1276 deletions
+14 -1
@@ -1 +1,14 @@
use nix
#!/usr/bin/env bash
# the shebang is ignored, but nice for editors
watch_file npins/sources.json
# Load .env file if it exists
dotenv_if_exists
# Activate development shell
if type -P lorri &>/dev/null; then
eval "$(lorri direnv)"
else
echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
use nix
fi
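Review bot: `dotenv_if_exists` (L14) exports every variable in a local `.env` into the shell on entry, and that file is the usual resting place for developer tokens; this diff does not show whether `.env` is git-ignored, so confirm that before merging. A comment above the line would make the intent explicit for the next maintainer: `# .env is local-only and must stay git-ignored; never commit it`.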
@@ -0,0 +1,14 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-plausible-secure-gravatar
namespace: prometheus
spec:
description: Allow Plausible Gravatar
egress:
- toFQDNs:
- matchName: secure.gravatar.com
- matchName: gravatar.com
endpointSelector:
matchLabels:
app.kubernetes.io/name: plausible-analytics
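Review bot: The `toFQDNs` egress rule (L31-L33) carries no `toPorts`, so the selected plausible-analytics pods may reach gravatar.com on any port; restricting it to HTTPS keeps the policy at least privilege. FQDN-based rules also only work when DNS traffic is visible to Cilium's DNS proxy, and this file shows no DNS egress rule for the namespace — confirm one exists elsewhere, otherwise the FQDN match never populates. The port restriction is a small block, shown below.
```yaml
- toFQDNs:
  # … unchanged: matchName entries …
  toPorts:
  - ports:
    - port: "443"
      protocol: TCP
```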
@@ -2,10 +2,11 @@ apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-slack
namespace: robusta
namespace: prometheus
spec:
egress:
- toFQDNs:
- matchPattern: slack.com
- matchName: hooks.slack.com
endpointSelector:
matchLabels: {}
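Review bot: `endpointSelector.matchLabels: {}` (L49) selects every pod in the namespace, and with the namespace switched to `prometheus` (L42) the Slack egress allowance now applies to all workloads there rather than only the one that posts alerts. Narrow it to the sending workload, e.g. `matchLabels:` / `app.kubernetes.io/name: <label of the alert sender>` — I cannot tell from this hunk which pod needs Slack, so the label is a placeholder to fill in. As with the gravatar policy in this PR, the rule has no `toPorts`, so a 443/TCP restriction would fit here too.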
+1
@@ -21,6 +21,7 @@ spec:
sourceRepos:
- '{{ .Values.cluster_config.manifests }}'
- 'https://argoproj.github.io/argo-helm'
- 'https://gitlab.com/oceanbox/manifests.git'
- 'https://kubernetes-sigs.github.io/metrics-server/'
- 'https://kubernetes.github.io/ingress-nginx'
- 'https://cloudnative-pg.github.io/charts'
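Review bot: Line L54 still reads `'{{ .Values.cluster_config.manifests }}'` while the ClusterIssuer template in this same PR is moved to `.Values.clusterConfig.*`; if the values key was renamed, this `sourceRepos` entry renders as an empty string and the templated manifests repo silently stops being an allowed source for the project. Either update it to `'{{ .Values.clusterConfig.manifests }}'` or confirm both keys are still populated in the values files. The new literal entry `'https://gitlab.com/oceanbox/manifests.git'` (L56) may be intended as its replacement; if so, drop the templated entry rather than leave it rendering empty. The `spec` mapping opens above this hunk.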
@@ -10,7 +10,7 @@ spec:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: {{ .Values.cluster_config.acme_email }}
email: {{ .Values.clusterConfig.acme_email }}
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-production
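Review bot: `email: {{ .Values.clusterConfig.acme_email }}` (L65, and again at L74 in the staging issuer) is emitted unquoted; if the value is unset after the `cluster_config` → `clusterConfig` rename the line renders as `email:` and becomes null, and a value containing YAML-special characters would mis-parse. Render it through `quote`, or better make a missed migration fail at template time: `email: {{ required "clusterConfig.acme_email is required" .Values.clusterConfig.acme_email | quote }}`. The same applies to the `path:` lines at L90 and L95, where an empty `initca` would yield a hostPath of `/ca.pem`.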
@@ -30,7 +30,7 @@ spec:
# The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: {{ .Values.cluster_config.acme_email }}
email: {{ .Values.clusterConfig.acme_email }}
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
@@ -93,7 +93,7 @@ rules:
- watch
---
{{ if .Values.cluster_config.initca }}
{{ if .Values.clusterConfig.initca }}
# Pod to update certificates from master nodes
# only runs on control plane nodes (etcd)
@@ -153,11 +153,11 @@ spec:
volumes:
- name: ca-pem
hostPath:
path: {{.Values.cluster_config.initca}}/ca.pem
path: {{.Values.clusterConfig.initca}}/ca.pem
type: File
- name: ca-key-pem
hostPath:
path: {{.Values.cluster_config.initca}}/ca-key.pem
path: {{.Values.clusterConfig.initca}}/ca-key.pem
type: File
- name: certs-script
configMap:
+476
@@ -0,0 +1,476 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
argocd.argoproj.io/tracking-id: argocd:apps/Deployment:argocd/argocd-repo-server
deployment.kubernetes.io/revision: "27"
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.12.3
helm.sh/chart: argo-cd-7.5.2
name: argocd-repo-server
namespace: argocd
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/instance: argocd
app.kubernetes.io/name: argocd-repo-server
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
checksum/cm: 67d6152e0e3482f9a74a6b570fd32bbec4e7856bffe49f577a2a0d3aeaed6f48
checksum/cmd-params: 69ed50e8936f4d6429dc331f782ad0a7d22eb12c318d6800403040352214b781
creationTimestamp: null
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.12.3
helm.sh/chart: argo-cd-7.5.2
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
topologyKey: kubernetes.io/hostname
weight: 100
automountServiceAccountToken: true
containers:
- args:
- /usr/local/bin/argocd-repo-server
- --port=8081
- --metrics-port=8084
env:
- name: ARGOCD_REPO_SERVER_NAME
value: argocd-repo-server
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
key: timeout.reconciliation
name: argocd-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: reposerver.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: reposerver.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.metrics.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_TLS
valueFrom:
configMapKeyRef:
key: reposerver.disable.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.minversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MAX_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.maxversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_CIPHERS
valueFrom:
configMapKeyRef:
key: reposerver.tls.ciphers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.repo.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
key: redis.compression
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
key: redis.db
name: argocd-cmd-params-cm
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
key: redis-username
name: argocd-redis
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
key: auth
name: argocd-redis
- name: REDIS_SENTINEL_USERNAME
valueFrom:
secretKeyRef:
key: redis-sentinel-username
name: argocd-redis
optional: true
- name: REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
key: redis-sentinel-password
name: argocd-redis
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.default.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
key: otlp.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
key: otlp.insecure
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
key: otlp.headers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.max.combined.directory.manifests.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
valueFrom:
configMapKeyRef:
key: reposerver.plugin.tar.exclusions
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
valueFrom:
configMapKeyRef:
key: reposerver.allow.oob.symlinks
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.tar.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.disable.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_MODULES_ENABLED
valueFrom:
configMapKeyRef:
key: reposerver.enable.git.submodule
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.git.lsremote.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_REQUEST_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.git.request.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.revision.cache.lock.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
valueFrom:
configMapKeyRef:
key: reposerver.include.hidden.directories
name: argocd-cmd-params-cm
optional: true
- name: HELM_CACHE_HOME
value: /helm-working-dir
- name: HELM_CONFIG_HOME
value: /helm-working-dir
- name: HELM_DATA_HOME
value: /helm-working-dir
image: quay.io/argoproj/argocd:v2.12.3
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz?full=true
port: metrics
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: repo-server
ports:
- containerPort: 8081
name: repo-server
protocol: TCP
- containerPort: 8084
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
- mountPath: /helm-working-dir
name: helm-working-dir
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always
name: kustomize-helm-with-rewrite
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp:latest
imagePullPolicy: Always
name: helm-kustomize-cmp
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
imagePullPolicy: Always
name: helmfile-cmp
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: gitlab-pull-secret
initContainers:
- command:
- /bin/cp
- -n
- /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server
image: quay.io/argoproj/argocd:v2.12.3
imagePullPolicy: IfNotPresent
name: copyutil
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- command:
- /bin/sh
- /plugin/init-helm-repos.sh
env:
- name: OCEANBOX_HELM_ACCESS_TOKEN
valueFrom:
secretKeyRef:
key: token
name: oceanbox-helm
optional: false
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always
name: init-helm-repos
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 999
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /helm-working-dir
name: helm-working-dir
restartPolicy: Always
schedulerName: default-scheduler
serviceAccount: argocd-repo-server
serviceAccountName: argocd-repo-server
terminationGracePeriodSeconds: 30
volumes:
- name: cmp-tmp
- name: helm-working-dir
- name: plugins
- name: var-files
- name: tmp
- configMap:
defaultMode: 420
name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts
- configMap:
defaultMode: 420
name: argocd-tls-certs-cm
name: tls-certs
- configMap:
defaultMode: 420
name: argocd-gpg-keys-cm
name: gpg-keys
- name: gpg-keyring
- name: argocd-repo-server-tls
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls
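Review bot: The three CMP sidecars `kustomize-helm-with-rewrite`, `helm-kustomize-cmp` and `helmfile-cmp` (L431-L487) pull `:latest` with `imagePullPolicy: Always`, so the code that renders every Application's manifests changes whenever the registry tag moves, and their `securityContext` carries only `runAsNonRoot`/`runAsUser` while the `repo-server` container and both init containers drop all capabilities, disable privilege escalation, set a read-only root filesystem and a RuntimeDefault seccomp profile. Pin the sidecar images by digest (or at least an immutable tag) and give them the same hardened context; `init-helm-repos` already runs the same image read-only, and the sidecars have `/tmp` and `/helm-working-dir` as volume mounts, so `readOnlyRootFilesystem: true` should hold — confirm the plugins write nowhere else. This also looks like a captured live object (`deployment.kubernetes.io/revision: "27"`, the `checksum/*` annotations, `creationTimestamp: null`, `argocd.argoproj.io/tracking-id`); those server-managed fields will show as permanent drift under Argo CD and should be stripped from the committed manifest. One sidecar is shown below; the other two take the same block.
```yaml
# … unchanged: repo-server container, env, probes, volumeMounts …
- command:
  - /var/run/argocd/argocd-cmp-server
  # pinned by digest so the render plugin cannot change underneath Argo CD
  image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite@sha256:<DIGEST-PLACEHOLDER>
  imagePullPolicy: IfNotPresent
  name: kustomize-helm-with-rewrite
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 999
    seccompProfile:
      type: RuntimeDefault
  # … unchanged: terminationMessage*, volumeMounts; repeat for helm-kustomize-cmp and helmfile-cmp …
```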
+5 -4
@@ -1,5 +1,8 @@
#!/bin/sh
# NOTE: Ensure errors are part of exitcode
# set -o pipefail
export HOME=/plugin
export HELM_CACHE_HOME=/tmp/helm/cache
@@ -7,9 +10,7 @@ export HELM_CONFIG_HOME=/tmp/helm/config
export HELMFILE_CACHE_HOME=/tmp/helmfile/cache
export HELMFILE_TEMPDIR=/tmp/helmfile/tmp
[[ -v ARGOCD_ENV_HELMFILE_ENVIRONMENT ]] && export HELMFILE_ENVIRONMENT=$ARGOCD_ENV_HELMFILE_ENVIRONMENT
env > /tmp/$ARGOCD_APP_NAME.env
test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT && export HELMFILE_ENVIRONMENT=$ARGOCD_ENV_HELMFILE_ENVIRONMENT
test -n ARGOCD_ENV_HELMFILE_FILE_PATH && export HELMFILE_FILE_PATH=$ARGOCD_ENV_HELMFILE_FILE_PATH
helmfile -n "$ARGOCD_APP_NAMESPACE" $ARGS template --include-crds -q
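Review bot: `test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT` and `test -n ARGOCD_ENV_HELMFILE_FILE_PATH` (L591-L592) test the literal variable name, which is always non-empty, so both exports run unconditionally and can set `HELMFILE_ENVIRONMENT`/`HELMFILE_FILE_PATH` to the empty string; the guard needs the expansion: `test -n "$ARGOCD_ENV_HELMFILE_ENVIRONMENT" && export HELMFILE_ENVIRONMENT=$ARGOCD_ENV_HELMFILE_ENVIRONMENT` (and the same for `FILE_PATH`). If `env > /tmp/$ARGOCD_APP_NAME.env` (L590) is on the new side, it writes the plugin's entire environment — every `ARGOCD_ENV_*` parameter and any token that reaches this process — into `/tmp`, which the Deployment in this PR mounts as the `cmp-tmp` volume shared by all three sidecars; drop it or gate it behind an explicit debug variable. `$ARGS` on the final line (L593) is expanded but never assigned in the script as shown; if it is meant to come from an `ARGOCD_ENV_*` parameter, define it the same way as the two exports above.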
+3 -4
@@ -1,12 +1,11 @@
apiVersion: argoproj.io/v1alpha1
kind: ConfigManagementPlugin
metadata:
name: helmfile
name: helmfile-cmp
spec:
generate:
command: [ /bin/sh ]
command: [ "/bin/sh" ]
args:
- /plugin/generate.sh
discover:
fileName: helmfile.yaml
lockRepo: false
preserveFileMode: true
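Review bot: `discover.fileName: helmfile.yaml` (L609) makes this plugin claim any Application whose source directory contains a `helmfile.yaml`, and the repo-server Deployment in this PR registers two further CMP sidecars that may discover the same sources; which sidecar wins an overlap is not defined by this file. Have Applications name the plugin explicitly (`plugin.name: helmfile-cmp`, matching the renamed `metadata.name` at L601) rather than rely on discovery, and say so in a comment above `discover`. The rename also changes the name Applications must reference, so any existing `plugin.name: helmfile` reference stops matching after this merge.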
+5 -24
@@ -2,10 +2,10 @@
helmfile () {
tier=$2
name=$1
tier=$2
cat << EOF
cat <<EOF
bases:
- ../envs/environments.yaml.gotmpl
@@ -38,30 +38,11 @@ releases:
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- '{{\`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}\`}}'
- '{{\`{{ .Release.Chart }}\`}}'
- '{{\`{{ .Environment.Name }}\`}}'
- ../values/$name/manifests
- _$name-manifests
- name: $name-app
namespace: argocd
chart: _$name-app
condition: $name.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/$name/values.yaml.gotmpl
- ../values/$name/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/$name/app.yaml
- _$name-app
EOF
}
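Review bot: `name=$1` and `tier=$2` (L617-L618) are interpolated straight into the generated YAML with no check, so calling `helmfile` with a missing first argument yields a chart named `_-manifests` and value paths such as `../values//manifests`, which `missingFileHandler: Info` (L639) would then skip silently. Fail fast instead: `name=${1:?release name required}` and `tier=${2:?tier required}`. The hunk does not show `tier` being read after assignment; if the removed `-app` release was its only consumer, drop the variable or add a one-line comment saying what it selects. The `helmfile ()` function opens in the first hunk and closes at the `}` here.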
+4 -1
@@ -1,5 +1,7 @@
#!/usr/bin/env bash
set -o pipefail
cmd=$1
chart=$2
env=$3
@@ -8,13 +10,14 @@ outdir=${5:-_manifests}
build() {
mkdir -p $outdir/templates
echo "Creating $outdir/templates"
echo "generating $outdir/Chart.yaml" 1>&2
cat <<EOF > $outdir/Chart.yaml
apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Kubernetes
# description: A Helm chart for Kubernetes
name: $chart
version: 0.1.0
EOF
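Review bot: `set -o pipefail` (L660) on its own only changes how a pipeline's exit status is computed; without `-e` the script carries on after a failed `mkdir -p` or `cat > Chart.yaml` and helmfile is handed a half-built chart. Use `set -eo pipefail` and quote the expansions that take a caller-supplied path, `mkdir -p "$outdir/templates"` and `cat <<EOF > "$outdir/Chart.yaml"`. If `echo "Creating $outdir/templates"` (L667) remains on the new side it goes to stdout, unlike the new `echo … 1>&2` at L668; keep every progress message on stderr so none can leak into whatever consumes the script's output. The `build()` function continues past this hunk.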
-33
@@ -1,33 +0,0 @@
let
sources = import ./nix;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
};
nixpkgs = sources.nixpkgs;
nixhelm = sources.nixhelm;
nixidy = import sources.nixidy { inherit nixpkgs; };
kube = pkgs.callPackage "${sources.nix-kube-gen}/lib/default.nix" { inherit pkgs; };
in
nixidy.lib.mkEnvs {
libOverlay = self: super: {
apps = import ./modules/lib.nix { inherit pkgs kube; };
};
modules = [
(
{ lib, ... }:
{
nixidy.charts = lib.helm.mkChartAttrs "${nixhelm}/charts";
}
)
./modules
./apps
./policies
];
envs = {
prod.modules = [ ./envs/prod.nix ];
staging.modules = [ ./envs/staging.nix ];
};
}
+6 -6
@@ -2,22 +2,22 @@ environments:
default:
values:
- ../values/values.yaml
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/*/values.yaml.gotmpl
- ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
- ../values/*/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
missingFileHandler: Info
prod:
values:
- ../values.yaml
- ../values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/*/values.yaml.gotmpl
- ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
- ../values/*/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
missingFileHandler: Info
staging:
values:
- ../values.yaml
- ../values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/*/values.yaml.gotmpl
- ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
- ../values/*/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
missingFileHandler: Info
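Review bot: The `prod` and `staging` environments reference `../values.yaml` and `../values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml` (L727-L729, L736-L738) while `default` references `../values/values.yaml` and `../values/values-….yaml` (L718-L720); with `missingFileHandler: Info` on every environment a wrong path is merely logged, so a mistake here never fails a render. Confirm which directory is intended and align the three lists. Since `ARGOCD_ENV_CLUSTER_NAME` is supplied per Application, a value that matches no file is likewise skipped rather than rejected; a comment on the file stating the layering order would help, e.g. `# layered values: shared, then per-cluster, then per-app; a missing file is only logged (Info)`. The `environments:` key opens above this hunk.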
-666
@@ -1,666 +0,0 @@
{
"nodes": {
"cargo2nix": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_5",
"nixpkgs": "nixpkgs_3",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1699033427,
"narHash": "sha256-OVtd5IPbb4NvHibN+QvMrMxq7aZN5GFoINZSAXKjUdA=",
"owner": "cargo2nix",
"repo": "cargo2nix",
"rev": "c6f33051f412352f293e738cc8da6fd4c457080f",
"type": "github"
},
"original": {
"owner": "cargo2nix",
"ref": "release-0.11.0",
"repo": "cargo2nix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_7"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"haumea": {
"inputs": {
"nixpkgs": [
"nixhelm",
"nixpkgs"
]
},
"locked": {
"lastModified": 1685133229,
"narHash": "sha256-FePm/Gi9PBSNwiDFq3N+DWdfxFq0UKsVVTJS3cQPn94=",
"owner": "nix-community",
"repo": "haumea",
"rev": "34dd58385092a23018748b50f9b23de6266dffc2",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.2.2",
"repo": "haumea",
"type": "github"
}
},
"kubenix": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixidy",
"nixpkgs"
],
"systems": "systems_6",
"treefmt": "treefmt"
},
"locked": {
"lastModified": 1718110643,
"narHash": "sha256-KrEOCx/bpN++sySOEL5EO5AhYsqRZZk+CXacueUeSl4=",
"owner": "hall",
"repo": "kubenix",
"rev": "a04066c45526c6d8410ba998134f692ff991b4f3",
"type": "github"
},
"original": {
"owner": "hall",
"repo": "kubenix",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-kube-generators": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nix-kube-generators_2": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nix-kube-generators_3": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nixhelm": {
"inputs": {
"flake-utils": "flake-utils_2",
"haumea": "haumea",
"nix-kube-generators": "nix-kube-generators_2",
"nixpkgs": [
"nixpkgs"
],
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1728868745,
"narHash": "sha256-ZuaxkAtUL1visOmVMxgHk3j+H8/bMmm82tJfE1s35VY=",
"owner": "farcaller",
"repo": "nixhelm",
"rev": "f901d2ba3ce1bd0086d50efdcce3cc76bce04d80",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nixhelm",
"type": "github"
}
},
"nixidy": {
"inputs": {
"flake-utils": "flake-utils_4",
"kubenix": "kubenix",
"nix-kube-generators": "nix-kube-generators_3",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1728815994,
"narHash": "sha256-uF6HAoDMAX0cZbKH27k/0UpIteQMhyLkP1rYKUfj5ys=",
"owner": "arnarg",
"repo": "nixidy",
"rev": "6e20193c95a0aaca444289d7c69f4eb329d25234",
"type": "github"
},
"original": {
"owner": "arnarg",
"ref": "HEAD",
"repo": "nixidy",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1702151865,
"narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1720386169,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1728492678,
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1697382362,
"narHash": "sha256-PvFjWFmSYOF6TjNZ/WjOeqa+sgaWm+83Fz37vEuATHA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ad9a253a0d34f313707f9c25fb8c95c65b1c8882",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": "flake-utils_3",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixhelm",
"nixpkgs"
],
"systems": "systems_4",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1718285706,
"narHash": "sha256-DScsBM+kZvxOva7QegfdtleebMXh30XPxDQr/1IGKYo=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "a5be1bbbe0af0266147a88e0ec43b18c722f2bb9",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1728778939,
"narHash": "sha256-WybK5E3hpGxtCYtBwpRj1E9JoiVxe+8kX83snTNaFHE=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "ff68f91754be6f3427e4986d7949e6273659be1d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nix-kube-generators": "nix-kube-generators",
"nixhelm": "nixhelm",
"nixidy": "nixidy",
"nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks",
"yaml2nix": "yaml2nix"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"yaml2nix",
"cargo2nix",
"flake-utils"
],
"nixpkgs": [
"yaml2nix",
"cargo2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1697336027,
"narHash": "sha256-ctmmw7j4liyfSh63v9rdFZeIoNYCkCvgqvtEOB7KhX8=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "e494404d36a41247987eeb1bfc2f1ca903e97764",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt": {
"inputs": {
"nixpkgs": [
"nixidy",
"kubenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1688026376,
"narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717850719,
"narHash": "sha256-npYqVg+Wk4oxnWrnVG7416fpfrlRhp/lQ6wQ4DHI8YE=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "4fc1c45a5f50169f9f29f6a98a438fb910b834ed",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"yaml2nix": {
"inputs": {
"cargo2nix": "cargo2nix",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1726132715,
"narHash": "sha256-DkHWWpvBco2yodyOk40LjTNcoaJ1bFKf0JY9OwWgy5M=",
"owner": "euank",
"repo": "yaml2nix",
"rev": "3a6df359da40ee49cb9ed597c2400342b76f2083",
"type": "github"
},
"original": {
"owner": "euank",
"repo": "yaml2nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}
-148
@@ -1,148 +0,0 @@
{
description = "My ArgoCD configuration with nixidy.";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
nixidy = {
url = "github:juselius/nixidy?ref=HEAD";
# url = "github:juselius/nixidy?ref=special-args";
# url = "/home/jonas/src/OceanBox/nixidy";
# inputs.nixpkgs.follows = "nixpkgs";
};
nixhelm = {
url = "github:farcaller/nixhelm";
inputs.nixpkgs.follows = "nixpkgs";
};
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-kube-generators.url = "github:farcaller/nix-kube-generators";
yaml2nix = {
url = "github:euank/yaml2nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
};
outputs =
{
self,
nixpkgs,
flake-utils,
nixidy,
nixhelm,
yaml2nix,
pre-commit-hooks,
nix-kube-generators,
}:
(flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = import nixpkgs { inherit system; };
kube = nix-kube-generators.lib { inherit pkgs; };
lib = {
apps = import ./modules/lib.nix { inherit pkgs kube;};
};
in
{
nixidyEnvs = nixidy.lib.mkEnvs {
inherit pkgs;
extraSpecialArgs = { inherit lib; };
charts = nixhelm.chartsDerivations.${system};
modules = [
./modules
./apps
./policies
];
envs = {
prod.modules = [ ./envs/prod.nix ];
staging.modules = [ ./envs/staging.nix ];
};
};
checks = {
pre-commit-check = pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {
nixfmt-rfc-style.enable = false;
deadnix.enable = false;
statix.enable = false;
};
};
};
packages = {
nixidy = nixidy.packages.${system}.default;
generators = {
cilium = nixidy.packages.${system}.generators.fromCRD {
name = "cilium";
src = pkgs.fetchFromGitHub {
owner = "cilium";
repo = "cilium";
rev = "v1.16.0";
hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
};
crds = [
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
];
};
kyverno = nixidy.packages.${system}.generators.fromCRD {
name = "kyverno";
src = pkgs.fetchFromGitHub {
owner = "kyverno";
repo = "kyverno";
rev = "v1.12.6";
hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
};
crds = [
"config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
"config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
"config/crds/kyverno/kyverno.io_policies.yaml"
"config/crds/kyverno/kyverno.io_policyexceptions.yaml"
"config/crds/kyverno/kyverno.io_updaterequests.yaml"
];
};
};
};
apps = {
gen-crd = {
type = "app";
program =
(pkgs.writeShellScript "generate-modules" ''
set -eo pipefail
echo "generate cilium"
cat ${self.packages.${system}.generators.cilium} > modules/cilium-crd.nix
echo "generate kyverno"
cat ${self.packages.${system}.generators.kyverno} > modules/kyverno-crd.nix
'').outPath;
};
};
devShells.default = pkgs.mkShellNoCC {
inherit (self.checks.${system}.pre-commit-check) shellHook;
nativeBuildInputs = with pkgs; [
self.checks.${system}.pre-commit-check.enabledPackages
nixidy.packages.${system}.default
yaml2nix.packages.${system}.default
nixd
nixfmt-rfc-style
just
fzf
];
NIXD_FLAGS = "--inlay-hints";
};
}
));
}
-44
@@ -1,44 +0,0 @@
let
sources = import ./nix;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
};
nixpkgs = sources.nixpkgs;
nixidy = import sources.nixidy { inherit nixpkgs; };
in
{
cilium = nixidy.generators.fromCRD {
name = "cilium";
src = pkgs.fetchFromGitHub {
owner = "cilium";
repo = "cilium";
rev = "v1.16.0";
hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
};
crds = [
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
];
};
kyverno = nixidy.generators.fromCRD {
name = "kyverno";
src = pkgs.fetchFromGitHub {
owner = "kyverno";
repo = "kyverno";
rev = "v1.12.6";
hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
};
crds = [
"config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
"config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
"config/crds/kyverno/kyverno.io_policies.yaml"
"config/crds/kyverno/kyverno.io_policyexceptions.yaml"
"config/crds/kyverno/kyverno.io_updaterequests.yaml"
];
};
}
+9 -6
@@ -3,16 +3,19 @@ bases:
repositories:
- name: argo
url: https://argoproj.github.io/argo-helm
url: 'https://argoproj.github.io/argo-helm'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: argocd
namespace: argocd
chart: argo/argo-cd
version: 7.5.2
version: 7.8.0
condition: argo.enabled
values:
- ../values/argo/values/argocd.yaml.gotmpl
@@ -47,11 +50,11 @@ releases:
namespace: argocd
chart: _argo
condition: argo.enabled
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/argo/values.yaml.gotmpl
- ../values/argo/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/argo/values.yaml.gotmpl
- ../values/argo/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
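Review bot: The `missingFileHandler: Info` added to the argo-manifests release in the second hunk covers all three values entries, including the base `../values/argo/values.yaml.gotmpl`, not only the per-cluster override, so a missing or mistyped values path is downgraded to an info log and the release renders with chart defaults. `requiredEnv` only guards against an unset `ARGOCD_ENV_CLUSTER_NAME`; a wrong value produces a non-existent `values-<cluster>.yaml` that is then skipped silently. Consider `missingFileHandler: Warn` so the skip is at least visible in `helmfile` output, or keep the per-cluster override in a release of its own. The same setting is used in every new helmfile in this commit, and the release's hooks continue past the end of this hunk.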
+42
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: cert-manager
url: 'https://charts.jetstack.io'
commonLabels:
tier: system
releases:
- name: cert-manager
namespace: cert-manager
chart: cert-manager/cert-manager
version: 1.12.13
condition: cert_manager.enabled
values:
- ../values/cert-manager/values/cert-manager.yaml.gotmpl
- ../values/cert-manager/values/cert-manager-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/cert-manager/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: cert-manager-manifests
namespace: cert-manager
chart: _cert-manager-manifests
condition: cert_manager.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/cert-manager/values.yaml.gotmpl
- ../values/cert-manager/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/cert-manager/manifests
- _cert-manager-manifests
+3 -2
View File
@@ -39,10 +39,11 @@ releases:
namespace: cilium
chart: _cilium-manifests
condition: cilium.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/cilium/values.yaml.gotmpl
- ../values/cilium/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
- ../values/cilium/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
+42
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: ingress-nginx
url: 'https://kubernetes.github.io/ingress-nginx'
commonLabels:
tier: system
releases:
- name: ingress-nginx
namespace: ingress-nginx
chart: ingress-nginx/ingress-nginx
version: 4.8.3
condition: nginx.enabled
values:
- ../values/ingress-nginx/values/ingress-nginx.yaml.gotmpl
- ../values/ingress-nginx/values/ingress-nginx-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/ingress-nginx/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: ingress-nginx-manifests
namespace: ingress-nginx
chart: _ingress-nginx-manifests
condition: nginx.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/ingress-nginx/values.yaml.gotmpl
- ../values/ingress-nginx/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/ingress-nginx/manifests
- _ingress-nginx-manifests
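Review bot: `version: 4.8.3` pins an ingress-nginx chart from late 2023 which, as far as I recall, ships a 1.9.x controller; the controller lines released since then carry security fixes, so this looks like a value carried over from the previous definitions rather than a deliberate choice. Please confirm it matches what the cluster is already running and add a one-line comment stating why it is held back, e.g. `# pinned to 4.8.3 until <reason>; review against upstream security advisories`. If a bump is planned, doing it in a separate commit keeps the helmfile migration reviewable on its own.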
+46
@@ -0,0 +1,46 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: kyverno
url: 'https://kyverno.github.io/kyverno/'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: kyverno
namespace: kyverno
chart: kyverno/kyverno
version: 3.2.5
condition: kyverno.enabled
values:
- ../values/kyverno/values/kyverno.yaml.gotmpl
- ../values/kyverno/values/kyverno-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/postgres-operator/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: kyverno-manifests
namespace: kyverno
chart: _kyverno-manifests
condition: kyverno.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/kyverno/values.yaml.gotmpl
- ../values/kyverno/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/kyverno/manifests
- _kyverno-manifests
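Review bot: The kyverno release's `postRendererArgs` entry is `../values/postgres-operator/kustomize/{{ .Environment.Name }}`, which hands the kustomizer the postgres-operator overlay instead of kyverno's and looks like a copy-paste slip from the sibling helmfile. Every other new helmfile in this commit passes its own `../values/<release>/kustomize/...` directory, so this should read `- ../values/kyverno/kustomize/{{ .Environment.Name }}`. Note that `missingFileHandler: Info` presumably applies to values files only, so a wrong overlay path here would not be caught by it and a policy engine could be rendered with patches meant for another component.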
+42
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: metrics-server
url: 'https://kubernetes-sigs.github.io/metrics-server/'
commonLabels:
tier: system
releases:
- name: metrics-server
namespace: kube-system
chart: metrics-server/metrics-server
version: 3.8.2
condition: metrics_server.enabled
values:
- ../values/metrics-server/values/metrics-server.yaml.gotmpl
- ../values/metrics-server/values/metrics-server-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/metrics-server/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: metrics-server-manifests
namespace: kube-system
chart: _metrics-server-manifests
condition: metrics_server.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/metrics-server/values.yaml.gotmpl
- ../values/metrics-server/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/metrics-server/manifests
- _metrics-server-manifests
+42
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: nfs-provisioner
url: 'https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/'
commonLabels:
tier: system
releases:
- name: nfs-provisioner
namespace: kube-system
chart: nfs-provisioner/nfs-subdir-external-provisioner
version: 4.0.13
condition: nfs_provisioner.enabled
values:
- ../values/nfs-provisioner/values/nfs-provisioner.yaml.gotmpl
- ../values/nfs-provisioner/values/nfs-provisioner-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/nfs-provisioner/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: nfs-provisioner-manifests
namespace: kube-system
chart: _nfs-provisioner-manifests
condition: nfs_provisioner.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/nfs-provisioner/values.yaml.gotmpl
- ../values/nfs-provisioner/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/nfs-provisioner/manifests
- _nfs-provisioner-manifests
+45
@@ -0,0 +1,45 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: cloudnative-pg
url: 'https://cloudnative-pg.github.io/charts'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: postgres-operator
namespace: cnpg
chart: cloudnative-pg/cloudnative-pg
version: 0.18.2
condition: postgres_operator.enabled
values:
- ../values/postgres-operator/values/postgres-operator.yaml.gotmpl
- ../values/postgres-operator/values/postgres-operator-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/postgres-operator/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: postgres-operator-manifests
namespace: cnpg
chart: _postgres-operator-manifests
condition: postgres_operator.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/postgres-operator/values.yaml.gotmpl
- ../values/postgres-operator/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/postgres-operator/manifests
- _postgres-operator-manifests
+43
@@ -0,0 +1,43 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: prometheus
url: 'https://prometheus-community.github.io/helm-charts'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: prometheus
namespace: prometheus
chart: prometheus/kube-prometheus-stack
version: 62.7.0
condition: prometheus.enabled
values:
- ../values/prometheus/values/prometheus.yaml.gotmpl
- ../values/prometheus/values/prometheus-{{ .Environment.Name }}.yaml.gotmpl
missingFileHandler: Info
- name: prometheus-manifests
namespace: prometheus
chart: _prometheus-manifests
condition: prometheus.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/prometheus/values.yaml.gotmpl
- ../values/prometheus/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/prometheus/manifests
- _prometheus-manifests
+45
@@ -0,0 +1,45 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: velero
url: 'https://vmware-tanzu.github.io/helm-charts'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: velero
namespace: velero
chart: velero/velero
version: 6.0.0
condition: velero.enabled
values:
- ../values/velero/values/velero.yaml.gotmpl
- ../values/velero/values/velero-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/velero/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: velero-manifests
namespace: velero
chart: _velero-manifests
condition: velero.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/velero/values.yaml.gotmpl
- ../values/velero/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: "../bin/helmify"
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/velero/manifests
- _velero-manifests
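Review bot: `command: "../bin/helmify"` is the only hook command in this commit written with quotes; the sibling helmfiles all use the bare `command: ../bin/helmify`. Both forms parse to the same string, so this is a style nit, but the odd one out is exactly what a grep for the hook invocation will miss. Suggest `command: ../bin/helmify` for consistency.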
+42
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: x509-exporter
url: 'https://charts.enix.io'
commonLabels:
tier: sys
releases:
- name: x509-exporter
namespace: x509-exporter
chart: x509-exporter/x509-certificate-exporter
version: 3.6.0
condition: x509_exporter.enabled
values:
- ../values/x509-exporter/values/x509-exporter.yaml.gotmpl
- ../values/x509-exporter/values/x509-exporter-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/x509-exporter/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: x509-exporter-manifests
namespace: x509-exporter
chart: _x509-exporter-manifests
condition: x509_exporter.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/x509-exporter/values.yaml.gotmpl
- ../values/x509-exporter/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/x509-exporter/manifests
- _x509-exporter-manifests
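Review bot: `commonLabels.tier: sys` diverges from the `tier: system` used by the other system-tier helmfiles in this commit (argo, cert-manager, ingress-nginx, kyverno, metrics-server, nfs-provisioner, postgres-operator, prometheus, velero). Anything that selects on `tier=system` — network policies, ArgoCD project filters or sync ordering — would silently leave x509-exporter out, which is unfortunate for the component that is supposed to alert on expiring certificates. Suggest `tier: system`; the loki helmfile further down carries the same `tier: sys` value, though its hunk is cut off in this view.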
+6 -15
@@ -1,17 +1,8 @@
default := "prod"
[private]
default:
just --choose
just --list -u
info target=default:
nix run .#nixidy -- info .#{{target}}
build target=default:
nix run .#nixidy -- build .#{{target}}
switch target=default:
nix run .#nixidy -- switch .#{{target}}
generate:
nix build .#generators.cilium
nix build .#generators.kyverno
# Render a specifc helm chart
r HELMFILE ENV="default":
helmfile --environment={{ENV}} lint --args --quiet -f helmfile.d/{{HELMFILE}}.yaml.gotmpl
helmfile --environment={{ENV}} template -q -f helmfile.d/{{HELMFILE}}.yaml.gotmpl --output-dir-template="../_manifests/{{HELMFILE}}/{{ENV}}"
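Review bot: The comment above the `r` recipe misspells "specific" and calls the target a "helm chart", while the recipe actually takes a helmfile name under `helmfile.d/` and renders it for an environment; suggest `# Lint and render one helmfile (helmfile.d/<HELMFILE>.yaml.gotmpl) for ENV into ../_manifests/<HELMFILE>/<ENV>`. The single-letter recipe name `r` is also not self-describing in the `just --list -u` output the default recipe now prints; a `render` name or alias would help discoverability.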
-80
@@ -1,80 +0,0 @@
# Generated by npins. Do not modify; will be overwritten regularly
let
data = builtins.fromJSON (builtins.readFile ./sources.json);
version = data.version;
mkSource =
spec:
assert spec ? type;
let
path =
if spec.type == "Git" then
mkGitSource spec
else if spec.type == "GitRelease" then
mkGitSource spec
else if spec.type == "PyPi" then
mkPyPiSource spec
else if spec.type == "Channel" then
mkChannelSource spec
else
builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = path; };
mkGitSource =
{
repository,
revision,
url ? null,
hash,
branch ? null,
...
}:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null then
(builtins.fetchTarball {
inherit url;
sha256 = hash; # FIXME: check nix version & use SRI hashes
})
else
assert repository.type == "Git";
let
urlToName =
url: rev:
let
matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
short = builtins.substring 0 7 rev;
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
in
"${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName repository.url revision;
in
builtins.fetchGit {
url = repository.url;
rev = revision;
inherit name;
# hash = hash;
};
mkPyPiSource =
{ url, hash, ... }:
builtins.fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource =
{ url, hash, ... }:
builtins.fetchTarball {
inherit url;
sha256 = hash;
};
in
if version == 3 then
builtins.mapAttrs (_: mkSource) data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
-47
@@ -1,47 +0,0 @@
{
"pins": {
"nix-kube-gen": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "farcaller",
"repo": "nix-kube-generators"
},
"branch": "master",
"revision": "2be4f3cb99e179d9f94e6c8723862421437f8efb",
"url": "https://github.com/farcaller/nix-kube-generators/archive/2be4f3cb99e179d9f94e6c8723862421437f8efb.tar.gz",
"hash": "0pgpr0szig7plmj7i4hjfkpcm4vgy0ingqr115wqjzbx5yjc6c7j"
},
"nixhelm": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "farcaller",
"repo": "nixhelm"
},
"branch": "master",
"revision": "cafa44fc8c2ad34baf6e5f1bdea3eb3a587a1f6d",
"url": "https://github.com/farcaller/nixhelm/archive/cafa44fc8c2ad34baf6e5f1bdea3eb3a587a1f6d.tar.gz",
"hash": "1waplza2c0wgq23v41ladfgqdq2wrbw889c973cm439940zj4mj1"
},
"nixidy": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "arnarg",
"repo": "nixidy"
},
"branch": "main",
"revision": "d28f45aea4d7b93928f1ea94f22a03a3f6dc25f6",
"url": "https://github.com/arnarg/nixidy/archive/d28f45aea4d7b93928f1ea94f22a03a3f6dc25f6.tar.gz",
"hash": "0ijxdh2432wvwyff1f5yfrjn93lzayrswi1bkasjpwaps9v6ld4r"
},
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre699031.2d2a9ddbe3f2/nixexprs.tar.xz",
"hash": "1vx044c8gdg1c8zmabzbi9xrgjgaz2bfqbl47xsgh517f580bycx"
}
},
"version": 3
}
+146
@@ -0,0 +1,146 @@
/*
This file is provided under the MIT licence:
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
# Generated by npins. Do not modify; will be overwritten regularly
let
data = builtins.fromJSON (builtins.readFile ./sources.json);
version = data.version;
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range =
first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatMapStrings = f: list: concatStrings (map f list);
concatStrings = builtins.concatStringsSep "";
# If the environment variable NPINS_OVERRIDE_${name} is set, then use
# the path directly as opposed to the fetched source.
# (Taken from Niv for compatibility)
mayOverride =
name: path:
let
envVarName = "NPINS_OVERRIDE_${saneName}";
saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
ersatz = builtins.getEnv envVarName;
in
if ersatz == "" then
path
else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" (
if builtins.substring 0 1 ersatz == "/" then
/. + ersatz
else
/. + builtins.getEnv "PWD" + "/${ersatz}"
);
mkSource =
name: spec:
assert spec ? type;
let
path =
if spec.type == "Git" then
mkGitSource spec
else if spec.type == "GitRelease" then
mkGitSource spec
else if spec.type == "PyPi" then
mkPyPiSource spec
else if spec.type == "Channel" then
mkChannelSource spec
else if spec.type == "Tarball" then
mkTarballSource spec
else
builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = mayOverride name path; };
mkGitSource =
{
repository,
revision,
url ? null,
submodules,
hash,
branch ? null,
...
}:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null && !submodules then
builtins.fetchTarball {
inherit url;
sha256 = hash; # FIXME: check nix version & use SRI hashes
}
else
let
url =
if repository.type == "Git" then
repository.url
else if repository.type == "GitHub" then
"https://github.com/${repository.owner}/${repository.repo}.git"
else if repository.type == "GitLab" then
"${repository.server}/${repository.repo_path}.git"
else
throw "Unrecognized repository type ${repository.type}";
urlToName =
url: rev:
let
matched = builtins.match "^.*/([^/]*)(\\.git)?$" url;
short = builtins.substring 0 7 rev;
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
in
"${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName url revision;
in
builtins.fetchGit {
rev = revision;
inherit name;
# hash = hash;
inherit url submodules;
};
mkPyPiSource =
{ url, hash, ... }:
builtins.fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource =
{ url, hash, ... }:
builtins.fetchTarball {
inherit url;
sha256 = hash;
};
mkTarballSource =
{
url,
locked_url ? url,
hash,
...
}:
builtins.fetchTarball {
url = locked_url;
sha256 = hash;
};
in
if version == 5 then
builtins.mapAttrs mkSource data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
+37
@@ -0,0 +1,37 @@
{
"pins": {
"gomod2nix": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "nix-community",
"repo": "gomod2nix"
},
"branch": "master",
"submodules": false,
"revision": "2cbd7fdd6eeab65c494cc426e18f4e4d2a5e35c0",
"url": "https://github.com/nix-community/gomod2nix/archive/2cbd7fdd6eeab65c494cc426e18f4e4d2a5e35c0.tar.gz",
"hash": "18hl5fz6aqg12ypkjramvlv43p413iwzy5zbvwl9m3kp5l4id2fi"
},
"helmfile-nix": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "remarkable",
"repo": "helmfile-nix"
},
"branch": "main",
"submodules": false,
"revision": "03b3de30d44b6e90e9425bad10476dadd75bcba9",
"url": "https://github.com/remarkable/helmfile-nix/archive/03b3de30d44b6e90e9425bad10476dadd75bcba9.tar.gz",
"hash": "12bdar6cb459vw9ldk73npvydbcjgb4ic8w416yf4i4alky3d9ib"
},
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre800239.b1bebd0fe266/nixexprs.tar.xz",
"hash": "0vnfj9d7kzk673i7s1vnkbx513a4gh5mfcd8fag2c7wi6hz471n6"
}
},
"version": 5
}
+31 -17
@@ -1,25 +1,39 @@
let
sources = import ./nix;
sources = import ./npins;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
overlays = [ (import "${sources.gomod2nix}/overlay.nix") ];
};
nixpkgs = sources.nixpkgs;
nixidy = import sources.nixidy { inherit nixpkgs; };
helmfile-nix = import sources.helmfile-nix { inherit pkgs; };
helmWrap =
with pkgs;
wrapHelm kubernetes-helm {
plugins = with kubernetes-helmPlugins; [
helm-diff
helm-git
];
};
helmfileWrap = pkgs.helmfile-wrapped.override { inherit (helmWrap) pluginsDir; };
in
{
shell = pkgs.mkShellNoCC {
name = "clstr";
nativeBuildInputs = with pkgs; [
helmfile
nixidy.nixidy
npins
nixfmt-rfc-style
just
fzf
];
NPINS_DIRECTORY = "nix";
};
pkgs.mkShellNoCC {
name = "clstr";
packages = with pkgs; [
# nix helpers
npins
nix-converter
# helm
helmWrap
helmfileWrap
helmfile-nix
# kubectl tools
kubectl-cnpg
kubectl-neat
];
ARGOCD_ENV_CLUSTER_NAME = "oceanbox";
}
-7
@@ -1,7 +0,0 @@
disabled = [
# I think enforcing this can often produce
# code that is harder to read.
"manual_inherit_from"
# Does not improve readability
"repeated_keys"
]
@@ -35,23 +35,3 @@ releases:
- '{{`{{ .Environment.Name }}`}}'
- ../values/atlantis/manifests
- _atlantis-manifests
- name: atlantis-app
namespace: argocd
chart: _atlantis-app
condition: atlantis.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/atlantis/values.yaml.gotmpl
- ../values/atlantis/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/atlantis/app.yaml
- _atlantis-app
+42
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: dapr
url: 'https://dapr.github.io/helm-charts/'
commonLabels:
tier: aux
releases:
- name: dapr
namespace: dapr-system
chart: dapr/dapr
version: 1.14.4
condition: dapr.enabled
values:
- ../values/dapr/values/dapr.yaml.gotmpl
- ../values/dapr/values/dapr-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/dapr/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: dapr-manifests
namespace: dapr
chart: _dapr-manifests
condition: dapr.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/dapr/values.yaml.gotmpl
- ../values/dapr/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/dapr/manifests
- _dapr-manifests
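Review bot: The two dapr releases target different namespaces — `namespace: dapr-system` for the chart and `namespace: dapr` for `dapr-manifests` — whereas every other helmfile in this commit places a chart and its companion manifests release in the same namespace. If the manifests are meant to sit alongside the chart (network policies, monitors), the second should be `namespace: dapr-system`; if the split is intentional, a comment saying so would spare the next reader the same question. Separately, this file and the geoserver, headscale, keycloak and loki helmfiles still read `requiredEnv "CLUSTER_NAME"` while the system helmfiles were moved to `ARGOCD_ENV_CLUSTER_NAME` and shell.nix now exports only the latter, so these renders will fail on the missing variable unless both names are set (the loki hunk is cut off in this view).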
+37
@@ -0,0 +1,37 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: aux
releases:
- name: geoserver
namespace: {{ .Environment.Name }}-geoserver
chart: ../charts/geoserver
condition: geoserver.enabled
values:
- ../values/geoserver/values/geoserver.yaml.gotmpl
- ../values/geoserver/values/geoserver-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/geoserver/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: geoserver-manifests
namespace: {{ .Environment.Name }}-geoserver
chart: _geoserver-manifests
condition: geoserver.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/geoserver/values.yaml.gotmpl
- ../values/geoserver/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/geoserver/manifests
- _geoserver-manifests
+37
@@ -0,0 +1,37 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: aux
releases:
- name: headscale
namespace: {{ .Environment.Name }}-headscale
chart: ../charts/headscale
condition: headscale.enabled
values:
- ../values/headscale/values/headscale.yaml.gotmpl
- ../values/headscale/values/headscale-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/headscale/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: headscale-manifests
namespace: {{ .Environment.Name }}-headscale
chart: _headscale-manifests
condition: headscale.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/headscale/values.yaml.gotmpl
- ../values/headscale/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/headscale/manifests
- _headscale-manifests
+42
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: keycloak
url: 'https://charts.bitnami.com/bitnami'
commonLabels:
tier: aux
releases:
- name: keycloak
namespace: keycloak
chart: keycloak/keycloak
version: 24.0.2
condition: keycloak.enabled
values:
- ../values/keycloak/values/keycloak.yaml.gotmpl
- ../values/keycloak/values/keycloak-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/keycloak/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: keycloak-manifests
namespace: keycloak
chart: _keycloak-manifests
condition: keycloak.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/keycloak/values.yaml.gotmpl
- ../values/keycloak/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/keycloak/manifests
- _keycloak-manifests
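Review bot: `namespace: keycloak` (repeated on the keycloak-manifests release) is a fixed name, whereas the other tier `aux` helmfiles added in this commit derive the namespace from `{{ .Environment.Name }}-<name>`; if more than one environment from environments.yaml.gotmpl is deployed to the same cluster, both would land in the same namespace under the same release name. If a single shared Keycloak per cluster is intended, a comment above `releases:` such as `# keycloak is deployed once per cluster, not per environment` would make that explicit.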
+42
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: loki
url: 'https://grafana.github.io/helm-charts'
commonLabels:
tier: sys
releases:
- name: loki
namespace: loki
chart: loki/loki
version: 6.12.0
condition: loki.enabled
values:
- ../values/loki/values/loki.yaml.gotmpl
- ../values/loki/values/loki-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/loki/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: loki-manifests
namespace: loki
chart: _loki-manifests
condition: loki.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/loki/values.yaml.gotmpl
- ../values/loki/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/loki/manifests
- _loki-manifests
+92
@@ -0,0 +1,92 @@
{ var, ... }:
{
bases = [
"../envs/environments.yaml.gotmpl"
];
repositories = [
{
name = "argo";
url = "https://argoproj.github.io/argo-helm";
}
];
commonLabels = {
tier = "system";
};
releases = [
{
name = "argocd";
namespace = "argocd";
chart = "argo/argo-cd";
version = "7.5.2";
condition = "argo.enabled";
values = [
"../values/argo/values/argocd.yaml.gotmpl"
"../values/argo/values/argocd-${var.environment.name}.yaml.gotmpl"
];
postRenderer = "../bin/kustomizer";
postRendererArgs = [
"../values/argo/kustomize/${var.environment.name}"
];
missingFileHandler = "Info";
}
{
name = "argocd-apps";
namespace = "argocd";
chart = "argo/argocd-apps";
version = "0.0.1";
condition = "argo.apps.enabled";
values = [
"../values/argo/values/apps.yaml.gotmpl"
];
missingFileHandler = "Info";
}
{
name = "argo-rollouts";
namespace = "argocd";
chart = "argo/argo-rollouts";
version = "2.35.2";
condition = "argo.rollouts.enabled";
values = [
"../values/argo/values/rollouts.yaml.gotmpl"
];
missingFileHandler = "Info";
}
{
name = "argo-workflows";
namespace = "argocd";
chart = "argo/argo-workflows";
version = "0.45.0";
condition = "argo.workflows.enabled";
missingFileHandler = "Info";
}
{
name = "argo-manifests";
namespace = "argocd";
chart = "_argo";
condition = "argo.enabled";
values = [
# "../values/values-${var.CLUSTER_NAME}.yaml"
"../values/argo/values.yaml.gotmpl"
# "../values/argo/values-${var.CLUSTER_NAME}.yaml.gotmpl"
];
missingFileHandler = "Info";
hooks = [
{
events = [
"prepare"
"cleanup"
];
showlogs = true;
command = "../bin/helmify";
args = [
# "${if (var.event.name == "prepare") then "build" else "clean"}"
# "${var.release.chart}"
"${var.environment.name}"
"../values/argo/manifests"
"_argo"
];
}
];
}
];
}
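Review bot: The helmify hook in this Nix variant passes only three `args` (environment name, manifests dir, chart name) because the two leading entries are commented out at `# "${if (var.event.name == "prepare") ...}"` and `# "${var.release.chart}"`, while every YAML helmfile in this commit and the second Nix file pass five (`build|clean`, chart, environment, manifests dir, chart name). Helmify would therefore receive the environment name where it expects the action and the manifests path where it expects the chart. The `values` list of argo-manifests likewise has both `CLUSTER_NAME` files commented out, so cluster-specific values are never loaded. If this file is a draft superseded by the `escape_var` version below, it should be dropped rather than merged alongside it.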
+94
@@ -0,0 +1,94 @@
{ var, escape_var, ... }:
[
{
bases = [
"../envs/environments.yaml.gotmpl"
];
repositories = [
{
name = "argo";
url = "https://argoproj.github.io/argo-helm";
}
];
commonLabels = {
tier = "system";
};
releases = [
{
name = "argocd";
namespace = "argocd";
chart = "argo/argo-cd";
version = "7.5.2";
condition = "argo.enabled";
values = [
"../values/argo/values/argocd.yaml.gotmpl"
"../values/argo/values/argocd-${var.environment.name}.yaml.gotmpl"
];
postRenderer = "../bin/kustomizer";
postRendererArgs = [
"../values/argo/kustomize/${var.environment.name}"
];
missingFileHandler = "Info";
}
{
name = "argocd-apps";
namespace = "argocd";
chart = "argo/argocd-apps";
version = "0.0.1";
condition = "argo.apps.enabled";
values = [
"../values/argo/values/apps.yaml.gotmpl"
];
missingFileHandler = "Info";
}
{
name = "argo-rollouts";
namespace = "argocd";
chart = "argo/argo-rollouts";
version = "2.35.2";
condition = "argo.rollouts.enabled";
values = [
"../values/argo/values/rollouts.yaml.gotmpl"
];
missingFileHandler = "Info";
}
{
name = "argo-workflows";
namespace = "argocd";
chart = "argo/argo-workflows";
version = "0.45.0";
condition = "argo.workflows.enabled";
missingFileHandler = "Info";
}
{
name = "argo-manifests";
namespace = "argocd";
chart = "_argo";
condition = "argo.enabled";
values = [
(escape_var "../values/values-{{requiredEnv \"CLUSTER_NAME\"}}.yaml")
"../values/argo/values.yaml.gotmpl"
(escape_var "../values/argo/values-{{requiredEnv \"CLUSTER_NAME\"}}.yaml.gotmpl")
];
missingFileHandler = "Info";
hooks = [
{
events = [
"prepare"
"cleanup"
];
showlogs = true;
command = "../bin/helmify";
args = [
(escape_var "{{ if eq .Event.Name \"prepare\" }}build{{ else }}clean{{ end }}")
(escape_var "{{ .Release.Chart | toJson }}")
(escape_var "{{ .Environment.Name | toJson }}")
"../values/argo/manifests"
"_argo"
];
}
];
}
];
}
]
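Review bot: `(escape_var "{{ .Release.Chart | toJson }}")` and the `.Environment.Name | toJson` line render the chart and environment names as JSON strings, so helmify would receive `"_argo"` with literal double quotes, whereas the YAML helmfiles pass the bare `{{ .Release.Chart }}` and helmfile hands each rendered arg to the command verbatim. Unless helmify strips the quotes itself, the Nix-generated argo helmfile builds a differently named directory from the rest. Dropping `| toJson` from both lines, or a comment explaining why the quoting is required here, would keep the two generators in step; this is inferred from the YAML siblings, since escape_var's output is not visible in this commit.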
+41
@@ -0,0 +1,41 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: openfga
url: 'https://openfga.github.io/helm-charts'
commonLabels:
tier: aux
releases:
- name: openfga
namespace: {{ .Environment.Name }}-openfga
chart: openfga/openfga
condition: openfga.enabled
values:
- ../values/openfga/values/openfga.yaml.gotmpl
- ../values/openfga/values/openfga-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/openfga/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: openfga-manifests
namespace: {{ .Environment.Name }}-openfga
chart: _openfga-manifests
condition: openfga.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/openfga/values.yaml.gotmpl
- ../values/openfga/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/openfga/manifests
- _openfga-manifests
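Review bot: `chart: openfga/openfga` has no `version:`, unlike the other remote-repository releases in this commit (keycloak 24.0.2, loki 6.12.0, rabbitmq 12.9.0, redis 19.5.2, tempo 0.14.0), so every sync resolves whatever the openfga repository currently publishes as latest. An unpinned chart makes the rendered manifests non-reproducible and lets an upstream release change the deployment without a reviewed commit. Add `version: <pinned openfga chart version>` next to `chart:` and bump it deliberately.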
+37
@@ -0,0 +1,37 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: sys
releases:
- name: otel-collector
namespace: {{ .Environment.Name }}-otel-collector
chart: ../charts/otel-collector
condition: otel-collector.enabled
values:
- ../values/otel-collector/values/otel-collector.yaml.gotmpl
- ../values/otel-collector/values/otel-collector-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/otel-collector/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: otel-collector-manifests
namespace: {{ .Environment.Name }}-otel-collector
chart: _otel-collector-manifests
condition: otel-collector.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/otel-collector/values.yaml.gotmpl
- ../values/otel-collector/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/otel-collector/manifests
- _otel-collector-manifests
+37
@@ -0,0 +1,37 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: aux
releases:
- name: plausible
namespace: {{ .Environment.Name }}-plausible
chart: ../charts/plausible
condition: plausible.enabled
values:
- ../values/plausible/values/plausible.yaml.gotmpl
- ../values/plausible/values/plausible-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/plausible/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: plausible-manifests
namespace: {{ .Environment.Name }}-plausible
chart: _plausible-manifests
condition: plausible.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/plausible/values.yaml.gotmpl
- ../values/plausible/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/plausible/manifests
- _plausible-manifests
+42
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: rabbitmq
url: 'https://charts.bitnami.com/bitnami'
commonLabels:
tier: aux
releases:
- name: rabbitmq
namespace: {{ .Environment.Name }}-rabbitmq
chart: rabbitmq/rabbitmq
version: 12.9.0
condition: rabbitmq.enabled
values:
- ../values/rabbitmq/values/rabbitmq.yaml.gotmpl
- ../values/rabbitmq/values/rabbitmq-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/rabbitmq/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: rabbitmq-manifests
namespace: {{ .Environment.Name }}-rabbitmq
chart: _rabbitmq-manifests
condition: rabbitmq.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/rabbitmq/values.yaml.gotmpl
- ../values/rabbitmq/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/rabbitmq/manifests
- _rabbitmq-manifests
+42
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: redis
url: 'https://charts.bitnami.com/bitnami'
commonLabels:
tier: aux
releases:
- name: redis
namespace: {{ .Environment.Name }}-redis
chart: redis/redis
condition: redis.enabled
version: 19.5.2
values:
- ../values/redis/values/redis.yaml.gotmpl
- ../values/redis/values/redis-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/redis/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: redis-manifests
namespace: {{ .Environment.Name }}-redis
chart: _redis-manifests
condition: redis.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/redis/values.yaml.gotmpl
- ../values/redis/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/redis/manifests
- _redis-manifests
+43
@@ -0,0 +1,43 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: tempo
url: 'https://grafana.github.io/helm-charts'
commonLabels:
tier: sys
releases:
- name: tempo
namespace: tempo
chart: tempo/tempo
version: 0.14.0
condition: tempo.enabled
values:
- ../values/tempo/values/tempo.yaml.gotmpl
- ../values/tempo/values/tempo-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/tempo/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: tempo-manifests
namespace: tempo
chart: _tempo-manifests
condition: tempo.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/tempo/values.yaml.gotmpl
- ../values/tempo/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/tempo/manifests
- _tempo-manifests
+37
@@ -0,0 +1,37 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: sys
releases:
- name: wordpress
namespace: {{ .Environment.Name }}-wordpress
chart: ../charts/wordpress
condition: wordpress.enabled
values:
- ../values/wordpress/values/wordpress.yaml.gotmpl
- ../values/wordpress/values/wordpress-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/wordpress/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: wordpress-manifests
namespace: {{ .Environment.Name }}-wordpress
chart: _wordpress-manifests
condition: wordpress.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/wordpress/values.yaml.gotmpl
- ../values/wordpress/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/wordpress/manifests
- _wordpress-manifests
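Review bot: `tier: sys` under `commonLabels` stands out because the structurally identical per-environment application helmfiles in this commit (plausible, headscale, openfga, rabbitmq, redis) use `tier: aux`, and wordpress also gets a `{{ .Environment.Name }}-wordpress` namespace like them. If the label feeds project or destination selection elsewhere, this looks like a copy-paste leftover from the loki/tempo files; if sys is intended, a one-line comment above `commonLabels:` saying why would stop the next reader from "fixing" it.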
+9 -3
@@ -12,13 +12,18 @@ spec:
server: 'https://kubernetes.default.svc'
sources:
- repoURL: {{ .Values.clusterConfig.manifests }}
targetRevision: HEAD
path: helmfiles/argocd
# targetRevision: HEAD
targetRevision: mrtz/helmify
path: helmfile.d
plugin:
name: helmfile
name: helmfile-cmp
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterConfig.cluster }}
- name: HELMFILE_ENVIRONMENT
value: default
- name: HELMFILE_FILE_PATH
value: argo.yaml.gotmpl
project: sys
syncPolicy:
managedNamespaceMetadata:
@@ -27,6 +32,7 @@ spec:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
{{- if .Values.argocd.autosync }}
automated:
prune: true
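Review bot: `targetRevision: mrtz/helmify` pins the argocd system Application to the feature branch of this PR, with `# targetRevision: HEAD` left commented out above it; once the branch is merged and deleted Argo CD can no longer fetch the source, and until then a push to that branch changes system components without passing through `HEAD`, which is amplified here by `automated: prune: true`. The same branch pin is introduced in the cert-manager, cilium and ingress-nginx Applications further down in this commit. Restore `targetRevision: HEAD` (or template it from clusterConfig) in all four before merging.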
+26
@@ -0,0 +1,26 @@
apiVersion: v1
kind: Service
metadata:
name: argocd-server-nodeport
namespace: argocd
spec:
clusterIP: 10.102.84.163
clusterIPs:
- 10.102.84.163
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: http
nodePort: 30290
port: 80
targetPort: 8080
- name: https
nodePort: 31261
port: 443
targetPort: 8080
selector:
app.kubernetes.io/instance: argocd
app.kubernetes.io/name: argocd-server
type: NodePort
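Review bot: `clusterIP: 10.102.84.163` and the matching `clusterIPs` entry are allocator-assigned values captured from a live cluster; applying this manifest to any other cluster, or after the address has been reused, fails with an allocation conflict and leaves Argo CD with a permanent diff. Drop both fields (and probably `ipFamilies`/`ipFamilyPolicy`) and let the API server assign them. Separately, this Service exposes argocd-server on NodePorts 30290 and 31261 on every node in addition to the ingress enabled in the argocd values, which widens the reachable surface of the control-plane UI/API; if it is only a bootstrap path, say so in a comment above `spec:` and plan to remove it once the ingress is up.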
+84
@@ -0,0 +1,84 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: sys
namespace: argocd
spec:
clusterResourceWhitelist:
- group: '*'
kind: '*'
description: sys components project
destinations:
- namespace: argocd
server: https://kubernetes.default.svc
- namespace: kube-system
server: https://kubernetes.default.svc
- namespace: ingress-nginx
server: https://kubernetes.default.svc
- namespace: serit-operator
server: https://kubernetes.default.svc
- namespace: prometheus
server: https://kubernetes.default.svc
- namespace: cnpg
server: https://kubernetes.default.svc
- namespace: cert-manager
server: https://kubernetes.default.svc
- namespace: kubernetes-dashboard
server: https://kubernetes.default.svc
- namespace: rabbitmq
server: https://kubernetes.default.svc
- namespace: sealed-secrets
server: https://kubernetes.default.svc
- namespace: gitlab
server: https://kubernetes.default.svc
- namespace: thanos
server: https://kubernetes.default.svc
- namespace: linkerd
server: https://kubernetes.default.svc
- namespace: linkerd-multicluster
server: https://kubernetes.default.svc
- namespace: observability
server: https://kubernetes.default.svc
- namespace: kyverno
server: https://kubernetes.default.svc
- namespace: velero
server: https://kubernetes.default.svc
- namespace: loki
server: https://kubernetes.default.svc
- namespace: x509-exporter
server: https://kubernetes.default.svc
- namespace: mariadb-operator
server: https://kubernetes.default.svc
- namespace: cilium-spire
server: https://kubernetes.default.svc
- namespace: cilium-test
server: https://kubernetes.default.svc
- namespace: cilium-secrets
server: https://kubernetes.default.svc
sourceRepos:
- https://argoproj.github.io/argo-helm
- https://kubernetes-sigs.github.io/metrics-server/
- https://gitlab.com/oceanbox/manifests.git
- https://gitlab.com/serit/k8s/serit-platform.git
- https://gitlab.com/serit/k8s/serit-platform-values.git
- https://gitlab.com/serit/k8s/serit-platform-manifests.git
- https://gitlab.com/serit/k8s/serit-operator.git
- https://kubernetes.github.io/ingress-nginx
- https://cloudnative-pg.github.io/charts
- https://charts.jetstack.io
- https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
- https://github.com/kubernetes/dashboard
- https://bitnami-labs.github.io/sealed-secrets
- https://prometheus-community.github.io/helm-charts
- https://github.com/prometheus-community/helm-charts.git
- https://charts.gitlab.io/
- https://charts.bitnami.com/bitnami
- https://helm.linkerd.io/stable
- https://github.com/jaegertracing/jaeger-operator
- https://kyverno.github.io/kyverno/
- https://vmware-tanzu.github.io/helm-charts
- https://grafana.github.io/helm-charts
- https://charts.enix.io
- https://helm.mariadb.com/mariadb-operator
- https://helm.cilium.io
- https://chartmuseum.github.io/charts
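Review bot: `clusterResourceWhitelist` with `group: '*'` / `kind: '*'` combined with twenty-six `sourceRepos` means that write access to any listed repository (including the git repositories such as gitlab.com/oceanbox/manifests.git and the serit-platform ones) is enough to create ClusterRoleBindings or other cluster-scoped objects through this project. For a system project some of that is unavoidable, but the list looks broader than what the sys Applications in this commit reference, so trimming it to the repositories sys apps actually use would reduce the blast radius. Also, the `rabbitmq` destination namespace here does not match the `{{ .Environment.Name }}-rabbitmq` namespace used by the rabbitmq helmfile added above, so that destination may be stale.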
+17 -1
@@ -8,12 +8,28 @@ argo:
enabled: false
argocd:
autosync: true
ingress:
enabled: true
adminLogin: false
kustomizeHelmSupport: false
applicationset_webhook:
enabled: false
anyNamespaces:
enabled: false
glob: ""
resources:
controller:
memory: 2000Mi
cpu: 250m
repoServers:
- name: "helmfile-cmp"
image: "registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest"
imagePullSecret: []
imagePullSecrets:
- gitlab-pull-secret
- name: "kustomize-helm-with-rewrite"
image: "registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest"
imagePullSecrets:
- gitlab-pull-secret
additional_rbac_settings:
- g, "eb17a659-4ce6-41bc-9153-d9b117c44479", role:org-admin
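Review bot: both CMP images are referenced by the floating `:latest` tag (`registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest` and the kustomize-helm-with-rewrite image), and the repo-server template in this commit pulls the static copies with `imagePullPolicy: Always`, so every repo-server restart may pick up a different image that renders all cluster manifests with access to the repo-server's credentials. Pin them by digest or an immutable tag, e.g. `image: "registry.gitlab.com/oceanbox/manifests/helmfile-cmp@sha256:<digest>"`, and roll them deliberately. `imagePullSecret: []` next to the new `imagePullSecrets:` list appears to be the removed old key; if it survives on the new side it is a dead duplicate.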
+54 -5
@@ -135,10 +135,10 @@ controller:
enabled: true
resources:
limits:
memory: "1000Mi"
memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
requests:
cpu: "250m"
memory: "1000Mi"
cpu: {{ .Values.argocd.resources.controller.cpu | default "250m" }}
memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
# Mount azure ca as file for SAML auth
dex:
@@ -175,6 +175,25 @@ repoServer:
enabled: true
{{- range .Values.argocd.repoServers }}
extraContainers:
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
imagePullPolicy: Always
name: helmfile-cmp
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
- command:
- /var/run/argocd/argocd-cmp-server
image: {{ .image }}
@@ -196,10 +215,40 @@ repoServer:
- name: cmp-tmp
emptyDir: {}
imagePullSecrets:
{{- range .imagePullSecret }}
- name: {{ .name }}
{{- range .imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
initContainers:
- command:
- /bin/sh
- /plugin/init-helm-repos.sh
env:
- name: OCEANBOX_HELM_ACCESS_TOKEN
valueFrom:
secretKeyRef:
key: token
name: oceanbox-helm
optional: false
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always
name: init-helm-repos
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 999
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /helm-working-dir
name: helm-working-dir
# Configuration for argocd server instance
server:
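Review bot: the hard-coded `helmfile-cmp` sidecar added at `image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest` sits next to the `{{- range .Values.argocd.repoServers }}` loop, and the values file in this commit also lists `helmfile-cmp` in `repoServers`; if the loop renders one container per entry, the pod ends up with two containers named `helmfile-cmp` and the Deployment is rejected. The static sidecar is also less hardened than the `init-helm-repos` initContainer in the next hunk: it has only `runAsNonRoot`/`runAsUser`, without `allowPrivilegeEscalation: false`, `capabilities: drop: [ALL]`, `readOnlyRootFilesystem: true` and `seccompProfile: type: RuntimeDefault`. Either remove the static entry in favour of the values-driven one or give it the same securityContext. The `repoServer` block starts before this hunk.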
@@ -0,0 +1,41 @@
{{- if .Values.clusterConfig.argo.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-manager
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: cert-manager
server: 'https://kubernetes.default.svc'
sources:
- repoURL: {{ .Values.clusterConfig.manifests }}
# targetRevision: HEAD
targetRevision: mrtz/helmify
path: helmfile.d
plugin:
name: helmfile-cmp
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterConfig.cluster }}
- name: HELMFILE_ENVIRONMENT
value: default
- name: HELMFILE_FILE_PATH
value: cert-manager.yaml.gotmpl
project: sys
syncPolicy:
managedNamespaceMetadata:
labels:
component: sys
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
{{- if .Values.cert_manager.autosync }}
automated:
prune: true
# selfHeal: false
{{- end }}
{{- end }}
@@ -0,0 +1,225 @@
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
name: letsencrypt-production
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: {{ .Values.clusterConfig.acme_email }}
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-production
solvers:
- http01:
ingress:
class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
name: letsencrypt-staging
spec:
acme:
# The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: {{ .Values.clusterConfig.acme_email }}
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
name: ca-issuer
spec:
ca:
secretName: cluster-ca
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
name: selfsigning-issuer
spec:
selfSigned: {}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: front-proxy-client
subjects:
- kind: User
name: front-proxy-client
apiGroup: rbac.authorization.k8s.io
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: front-proxy-client
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: front-proxy-client
rules:
- apiGroups:
- "webhook.cert-manager.io"
resources:
- mutations
- validations
verbs: [ "*" ]
- apiGroups:
- metrics.k8s.io
resources:
- pods
- nodes
verbs:
- get
- list
- watch
---
{{ if .Values.clusterConfig.initca }}
# Pod to update certificates from master nodes
# only runs on control plane nodes (etcd)
# Mounts cert files rotatet by nixos service.mgr and uses it to update cert-manager secret
# Always create certs on initial creation,
# Otherwise, cert creation would not happen until cronJob runs
apiVersion: batch/v1
kind: Job
metadata:
name: cert-create
namespace: cert-manager
spec:
backoffLimit: 1
template:
metadata:
labels:
block-egress: "true"
annotations:
linkerd.io/inject: disabled
spec:
restartPolicy: Never
serviceAccountName: cert-secret-updater
securityContext:
runAsUser: 12000
runAsGroup: 13000
fsGroup: 10000
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io
operator: In
values:
- control-plane
tolerations:
- key: unschedulable
value: "true"
effect: NoSchedule
containers:
- image: bitnami/kubectl:1.24
name: kubectl
resources: {}
securityContext:
allowPrivilegeEscalation: false
command:
- "/bin/sh"
- -c
- /tmp/renew-certs/renew-certs.sh
volumeMounts:
- name: ca-pem
mountPath: /tmp/ca.pem
- name: ca-key-pem
mountPath: /tmp/ca-key.pem
- name: certs-script
mountPath: /tmp/renew-certs
volumes:
- name: ca-pem
hostPath:
path: {{.Values.clusterConfig.initca}}/ca.pem
type: File
- name: ca-key-pem
hostPath:
path: {{.Values.clusterConfig.initca}}/ca-key.pem
type: File
- name: certs-script
configMap:
name: renew-certs-script
defaultMode: 0755
---
apiVersion: v1
data:
renew-certs.sh: |
#! /bin/bash
kubectl create secret tls -n cert-manager cluster-ca --cert=/tmp/ca.pem --key=/tmp/ca-key.pem --dry-run=client -o yaml > /tmp/new-secret.yaml
kubectl apply -f /tmp/new-secret.yaml
kind: ConfigMap
metadata:
name: renew-certs-script
namespace: cert-manager
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-secret-updater
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-secret-updater-role
namespace: cert-manager
rules:
- apiGroups:
- ""
resourceNames:
- cluster-ca
resources:
- secrets
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-secret-updater-rbinding
namespace: cert-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-secret-updater-role
subjects:
- kind: ServiceAccount
name: cert-secret-updater
namespace: cert-manager
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-egress
namespace: cert-manager
spec:
podSelector:
matchLabels:
block-egress: "true"
policyTypes:
- Egress
---
{{ end }}
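Review bot: the `cert-secret-updater-role` Role grants `verbs: ['*']` on `secrets` restricted by `resourceNames: [cluster-ca]`, but Kubernetes RBAC cannot match `create` requests against resourceNames, so the first `kubectl apply` in renew-certs.sh, which has to create `cluster-ca`, is forbidden and only later updates succeed. Add a second rule without resourceNames granting just `create` on secrets, and narrow the first to `get`, `patch`, `update`. In the same Job, the `default-deny-egress` NetworkPolicy at the end of the file selects the `block-egress: "true"` pod and carries no allow rules, so API-server and DNS egress from the kubectl container depends on a policy that is not in this file; worth confirming the Job actually completes. `bitnami/kubectl:1.24` is a floating tag of an old kubectl, and since this pod mounts the cluster CA private key from the host it should be pinned by digest.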
+3
@@ -0,0 +1,3 @@
cert_manager:
enabled: true
autosync: true
@@ -0,0 +1,5 @@
installCRDs: true
enableCertificateOwnerRef: true
startupapicheck:
podAnnotations:
linkerd.io/inject: disabled
@@ -1,22 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-api-server
namespace: cilium-test
spec:
egress:
- toEndpoints:
- {}
- toEntities:
- cluster
- toEntities:
- remote-node
- toEntities:
- world
endpointSelector:
matchLabels: {}
ingress:
- fromEntities:
- cluster
- fromEntities:
- world
+8 -3
@@ -12,13 +12,18 @@ spec:
server: 'https://kubernetes.default.svc'
sources:
- repoURL: {{ .Values.clusterConfig.manifests }}
targetRevision: HEAD
path: helmfiles/cilium
# targetRevision: HEAD
targetRevision: mrtz/helmify
path: helmfile.d
plugin:
name: helmfile
name: helmfile-cmp
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterConfig.cluster }}
- name: HELMFILE_ENVIRONMENT
value: default
- name: HELMFILE_FILE_PATH
value: cilium.yaml.gotmpl
project: sys
syncPolicy:
syncOptions:
@@ -1,20 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: allow-s3-traffic
spec:
description: Policy for egress for CNPG Backups.
egress:
- toFQDNs:
{{- range .Values.clusterConfig.s3.hosts }}
- matchName: {{ . | quote }}
{{- end }}
{{- range .Values.clusterConfig.s3.patterns }}
- matchPattern: {{ . | quote }}
{{- end }}
- toCIDR:
{{- range .Values.clusterConfig.s3.cidr }}
- {{ . | quote }}
{{- end }}
endpointSelector:
matchLabels: {}
+2 -3
@@ -1,9 +1,9 @@
cilium:
enabled: true
nodePort:
enable: true
enabled: true
l2announcement:
enable: true
enabled: true
loadbalancerPool:
enabled: true
cidr:
@@ -12,4 +12,3 @@ cilium:
- 10.255.241.13/32
- 10.255.241.14/32
- 10.255.241.15/32
+2 -1
@@ -16,6 +16,7 @@ cilium:
enabled: false
nodePort:
enabled: false
# NOTE: Requires that ingresscontroller is also enabled
gatewayAPI:
enabled: false
ingressController:
@@ -23,7 +24,7 @@ cilium:
defaultClass: false
loadbalancerMode: shared
policyAuditMode: false
upgradeCompatability: 1.15
upgradeCompatability: 1.16
k8sServiceHost: localhost
k8sServicePort: 7445
loadbalancerPool:
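Review bot: `upgradeCompatability: 1.16` is an unquoted float, so a generic YAML loader turns it into the number 1.16 and a future value such as 1.20 would silently become 1.2; the Cilium chart's setting is the string-valued `upgradeCompatibility` (note the spelling), so if this key is forwarded to the chart unchanged it is also ignored. Quote it as `upgradeCompatability: "1.16"` and check the consuming template for the spelling mismatch.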
+1
@@ -83,6 +83,7 @@ prometheus:
serviceMonitor:
enabled: true
rollOutCiliumPods: true
podSecurityContext: null
securityContext:
capabilities:
ciliumAgent:
+38
@@ -0,0 +1,38 @@
{{- if .Values.clusterConfig.argo.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: dapr
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: dapr-system
server: 'https://kubernetes.default.svc'
sources:
- repoURL: {{ .Values.clusterConfig.manifests }}
targetRevision: HEAD
path: helmfiles/dapr
plugin:
name: helmfile
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterConfig.cluster }}
project: default
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# - ServerSideApply=true
{{- if .Values.dapr.autosync }}
automated:
prune: true
# selfHeal: false
{{- end }}
{{- end }}
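Review bot: this Application still uses `plugin: name: helmfile` with `path: helmfiles/dapr` and only `CLUSTER_NAME` in `env`, while every other Application in this commit moved to `name: helmfile-cmp`, `path: helmfile.d` and the `HELMFILE_ENVIRONMENT`/`HELMFILE_FILE_PATH` variables. If the old `helmfile` plugin sidecar no longer exists after the repo-server change in this commit, dapr will fail to render. Align it with the others (`name: helmfile-cmp` plus `- name: HELMFILE_FILE_PATH` / `value: dapr.yaml.gotmpl`), or note why it stays on the old plugin; `project: default` also differs from the `sys` project its siblings use.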
+2
@@ -0,0 +1,2 @@
dapr:
enabled: true
+3
@@ -0,0 +1,3 @@
global:
ha:
enabled: true
@@ -0,0 +1,41 @@
{{- if .Values.clusterConfig.argo.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: ingress-nginx
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
destination:
namespace: ingress-nginx
server: 'https://kubernetes.default.svc'
sources:
- repoURL: {{ .Values.clusterConfig.manifests }}
# targetRevision: HEAD
targetRevision: mrtz/helmify
path: helmfile.d
plugin:
name: helmfile-cmp
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterConfig.cluster }}
- name: HELMFILE_ENVIRONMENT
value: default
- name: HELMFILE_FILE_PATH
value: ingress-nginx.yaml.gotmpl
project: sys
syncPolicy:
managedNamespaceMetadata:
labels:
component: sys
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
{{- if .Values.nginx.autosync }}
automated:
prune: true
# selfHeal: false
{{- end }}
{{- end }}
@@ -0,0 +1,14 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-host-traffic
namespace: ingress-nginx
spec:
egress:
- toEntities:
- kube-apiserver
- host
endpointSelector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
@@ -0,0 +1,14 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-hubble-traffic
namespace: ingress-nginx
spec:
egress:
- toFQDNs:
- matchPattern: hubble.*.*.*
- matchPattern: hubble.*.*.*.*
endpointSelector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
@@ -0,0 +1,17 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-prometheus-metrics
namespace: ingress-nginx
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/instance: ingress-nginx
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: prometheus
- toPorts:
- ports:
- port: "9913"
protocol: TCP
@@ -0,0 +1,19 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-s3-traffic
namespace: ingress-nginx
spec:
egress:
- toCIDR:
- 10.139.2.10/32
- toCIDR:
- 10.139.2.11/32
- toCIDR:
- 10.139.2.20/32
- toCIDR:
- 10.139.2.21/32
endpointSelector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
@@ -0,0 +1,19 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-world-to-ingress-nginx
namespace: ingress-nginx
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
ingress:
- fromEntities:
- world
- toPorts:
- ports:
- port: "80"
protocol: TCP
- port: "443"
protocol: TCP
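Review bot: in this view `- toPorts:` appears as a list item alongside `- fromEntities:` under `ingress:`; if that reflects the file's indentation they are two separate rules, one allowing `world` to every port of the controller and one allowing 80/443 from any source, rather than one rule limited to 80/443 from world. The same shape appears in `allow-prometheus-metrics` above (`- fromEndpoints:` followed by `- toPorts:`), where it would admit port 9913 from any namespace. Both should be a single rule, with `toPorts:` at the same indentation as `fromEntities`/`fromEndpoints` and no leading dash. Indentation is not reliably preserved on this page, so please confirm against the source files.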
+9
@@ -0,0 +1,9 @@
nginx:
enabled: true
autosync: true
pdb:
minAvailable: 1
resources:
controller:
cpu: "100m"
memory: "100Mi"
@@ -0,0 +1,98 @@
## nginx configuration
## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md
##
## Overrides for generated resource names
# See templates/_helpers.tpl
# nameOverride:
fullnameOverride: main-ingress-nginx
controller:
resources:
#limits:
# memory: {{ .Values.nginx.resources.controller.memory }}
requests:
cpu: {{ .Values.nginx.resources.controller.cpu }}
memory: {{ .Values.nginx.resources.controller.memory }}
ingressClassResource:
default: true
tolerations:
- key: unschedulable
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values: {{ .Values.clusterConfig.ingress_nodes }}
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- ingress-nginx
- key: app.kubernetes.io/component
operator: In
values:
- controller
topologyKey: "kubernetes.io/hostname"
podAnnotations:
config.linkerd.io/skip-inbound-ports: 80,443
replicaCount: {{ .Values.clusterConfig.ingress_replica_count }}
minAvailable: {{ .Values.nginx.pdb.minAvailable }}
service:
externalTrafficPolicy: Local
# type: ClusterIP
type: NodePort
# nodePorts:
# http: 32080
# https: 32443
# tcp:
# 8080: 32808
nodePorts:
http: 30080
https: 30443
tcp: {}
udp: {}
metrics:
enabled: true
service:
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "10254"
servicePort: 9913
type: ClusterIP
serviceMonitor:
enabled: true
admissionWebhooks:
enabled: false
## Default 404 backend
##
defaultBackend:
enabled: true
tolerations:
- key: unschedulable
operator: Exists
effect: NoSchedule
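Review bot: `values: {{ .Values.clusterConfig.ingress_nodes }}` in the nodeAffinity term will not render a YAML sequence if `ingress_nodes` is a list in values — Go's default formatting prints a list as `[node-a node-b]`, which YAML reads as a flow sequence holding the single scalar `node-a node-b`; assuming this file goes through helmfile or Helm templating, `values: {{ toJson .Values.clusterConfig.ingress_nodes }}` (or `toYaml` with `nindent`) is the safe form, unless `ingress_nodes` is already a YAML-formatted string. The metrics Service is annotated `prometheus.io/port: "10254"` while its port is `servicePort: 9913`, so an annotation-driven scrape of the Service would target a port it does not expose; the ServiceMonitor enabled just below makes this harmless but confusing, and aligning the two avoids the trap. `admissionWebhooks.enabled: false` removes the validation that rejects Ingress objects whose generated nginx configuration fails `nginx -t`, so one broken Ingress in any namespace can stall reloads for every tenant of this shared controller; if this is deliberate (for example because the API server cannot reach the webhook pod through the network policies), a comment such as `# admission webhook disabled: <reason>` would tell the next reader.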
@@ -0,0 +1,40 @@
{{- if .Values.clusterConfig.argo.enabled }}
{{- range .Values.keycloak.envs }}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: {{ . }}-keycloak
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: keycloak
server: 'https://kubernetes.default.svc'
sources:
- repoURL: {{ .Values.clusterConfig.manifests }}
targetRevision: HEAD
path: helmfiles/keycloak
plugin:
name: helmfile
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterConfig.cluster }}
project: aux
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# - ServerSideApply=true
{{- if .Values.keycloak.autosync }}
automated:
prune: true
# selfHeal: false
{{- end }}
{{- end }}
{{- end }}
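Review bot: Inside `{{- range .Values.keycloak.envs }}` the dot is rebound to the current element (a string, as `name: {{ . }}-keycloak` shows), so `{{ .Values.clusterConfig.manifests }}`, `{{ .Values.clusterConfig.cluster }}` and `{{- if .Values.keycloak.autosync }}` fail at render time with "can't evaluate field Values in type string"; they need the root context, `$.Values…`. The loop also emits no document separator, so two entries in `envs` would be concatenated into one invalid YAML stream; a `---` as the first line of each iteration fixes that. Every iteration targets the same `namespace: keycloak` and `path: helmfiles/keycloak`, differing only in the Application name, which looks like several Applications managing one set of manifests — confirm that is intended. The accompanying values file sets only `keycloak.enabled: true` with no `envs`, so with these defaults the range renders nothing, and `keycloak.enabled` is never consulted by this template.
```yaml
{{- if .Values.clusterConfig.argo.enabled }}
{{- range .Values.keycloak.envs }}
---
apiVersion: argoproj.io/v1alpha1
# … unchanged: kind, metadata, destination …
    - repoURL: {{ $.Values.clusterConfig.manifests }}
# … unchanged: targetRevision, path, plugin name …
          value: {{ $.Values.clusterConfig.cluster }}
# … unchanged: project, managedNamespaceMetadata, syncOptions …
    {{- if $.Values.keycloak.autosync }}
```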
@@ -0,0 +1,2 @@
keycloak:
enabled: true
