2025-06-10 17:45:51 +00:00
34 changed files with 404 additions and 151 deletions
@@ -2,5 +2,4 @@
 _*/
 .direnv/
 .pre-commit-config.yaml
-_manifest.yaml
-_resources.yaml
+_*.yaml
@@ -16,9 +16,9 @@ spec:
    plugin:
      name: helmfile
      env:
-        - name: CLUSTER
+        - name: CLUSTER_NAME
          value: {{ .Values.cluster_config.name }}
-        - name: ENVIRONMENT
+        - name: HELMFILE_ENVIRONMENT
          value: {{ .environment }}
  {{/* - repoURL: {{ .Values.cluster_config.manifests }} */}}
  {{/*   path: {{ .Values.cluster_config.policies }}/argocd */}}
@@ -73,6 +73,7 @@ argocd:
      imagePullSecret: []
      helmTokenSecret: ""
 argocd_apps:
+  enable: true
  autosync: true
  version: 0.0.1
 argo_workflows:
@@ -90,7 +91,6 @@ argo_rollouts:
    enabled: false
  dashboard_enabled: false

-
 cilium:
  enabled: false
  autosync: true
@@ -375,18 +375,30 @@ yolo-registry.enable: false
 osm-tile-server.enable: false
 geoserver.enable: false

-atlantis:
-  enabled: false
-  envs:
-    - prod
-    - staging
-sorcerer:
-  enabled: false
-  envs:
-    - prod
-    - staging
-openfga:
-  enabled: false
-  envs:
-    - prod
-    - staging
+install:
+  argo:
+    autosync: true
+    argocd:
+      enabled: true
+    apps:
+      enabled: true
+    rollouts:
+      enabled: false
+    workflows:
+      enabled: false
+  atlantis:
+    enabled: false
+    envs:
+      - prod
+      - staging
+  sorcerer:
+    enabled: false
+    envs:
+      - prod
+      - staging
+  openfga:
+    enabled: false
+    envs:
+      - prod
+      - staging
+
@@ -7,7 +7,7 @@ manifests=${4:-manifests}
 outdir=${5:-_manifests}

 build() {
-  if [ ! -d "manifests" ]; then
+  if [ ! -d "$manifests" ]; then
    echo "nothing to do here..." 1>&2
    exit 0
  fi
@@ -1,13 +1,13 @@
 #!/usr/bin/env bash

 [ $# != 1 ] && exit 1
-[ ! -f base/kustomization.yaml ] && exit 1

-env=$1
+dir=$1
+base=$dir/../base

-if [ -f $env/kustomization.yaml ]; then
-    cat >base/_manifest.yaml
-    kubectl kustomize $env
+if [ -f $base/kustomization.yaml -a -f $dir/kustomization.yaml ]; then
+    cat > $base/_manifest.yaml
+    kubectl kustomize $dir
 else
    cat
 fi
@@ -0,0 +1,23 @@
+---
+environments:
+  default:
+    values:
+    - ../values/values.yaml
+    - ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+    - ../values/*/values.yaml.gotmpl
+    - ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+    missingFileHandler: Info
+  prod:
+    values:
+    - ../values.yaml
+    - ../values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+    - ../values/*/values.yaml.gotmpl
+    - ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+    missingFileHandler: Info
+  staging:
+    values:
+    - ../values.yaml
+    - ../values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
+    - ../values/*/values.yaml.gotmpl
+    - ../values/*/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+    missingFileHandler: Info
@@ -0,0 +1,58 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: argo
+  url: https://argoproj.github.io/argo-helm
+
+releases:
+- name: argocd
+  namespace: argocd
+  chart: argo/argo-cd
+  version: 7.5.2
+  condition: install.argo.argocd.enabled
+  values:
+  - ../values/argo/values/argocd.yaml.gotmpl
+  - ../values/argo/values/argocd-{{ .Environment.Name }}.yaml.gotmpl
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/argo/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: argocd-apps
+  namespace: argocd
+  chart: argo/argocd-apps
+  version: 0.0.1
+  condition: install.argo.apps.enabled
+  values:
+  - ../values/argo/values/apps.yaml.gotmpl
+  missingFileHandler: Info
+- name: argo-rollouts
+  namespace: argocd
+  chart: argo/argo-rollouts
+  version: 2.35.2
+  condition: install.argo.rollouts.enabled
+  values:
+  - ../values/argo/values/rollouts.yaml.gotmpl
+  missingFileHandler: Info
+- name: argo-workflows
+  namespace: argocd
+  chart: argo/argo-workflows
+  version: 0.45.0
+  condition: install.argo.workflows.enabled
+  values:
+  - ../values/argo/values/workflows.yaml.gotmpl
+  missingFileHandler: Info
+- name: argo-manifests
+  namespace: argocd
+  chart: _argo
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/argo/manifests
+    - _argo
+
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    kyverno/clone: "true"
-    kyverno/env: "prod"
-  name: prod-atlantis-rabbitmq
-type: Opaque
-data:
-  foo: |
-    bar: raboof
@@ -1,42 +0,0 @@
-environments:
-  default:
-    values:
-    - ../../apps/values.yaml
-    - ../../values/sys/values-{{ requiredEnv "CLUSTER" }}.yaml
-  prod:
-    values:
-    - ../../apps/values.yaml
-    - ../../../values/sys/values-{{ requiredEnv "CLUSTER" }}.yaml
-  staging:
-    values:
-    - ../../apps/values.yaml
-    - ../../values/sys/values-{{ requiredEnv "CLUSTER" }}.yaml
---
-repositories:
- name: argo
-  url: https://argoproj.github.io/argo-helm
-
-releases:
- name: argocd
-  namespace: argocd
-  chart: argo/argo-cd
-  values:
-  - values.yaml.gotmpl
-  - values-{{ .Environment.Name }}.yaml.gotmpl
-  - values-{{ requiredEnv "CLUSTER" }}.yaml.gotmpl
-  postRenderer: ../../bin/kustomizer
-  postRendererArgs:
-  - {{ .Environment.Name }}
-  missingFileHandler: Info
- name: manifests
-  namespace: argocd
-  chart: _manifests
-  hooks:
-  - events: [ prepare, cleanup ]
-    showlogs: true
-    command: ../../bin/helmify
-    args:
-    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
-    - '{{`{{ .Release.Chart }}`}}'
-    - '{{`{{ .Environment.Name }}`}}'
-
@@ -1,8 +0,0 @@
-generatorOptions:
-  disableNameSuffixHash: true
-# configMapGenerator:
-# - name: prod-atlantis-appsettings
-#   files:
-#     - appsettings.json
-resources:
-  - ../base
@@ -1,4 +0,0 @@
-configs:
-  cm:
-    url: "https://foobar.oceanbox.io"
-
@@ -0,0 +1,59 @@
+bases:
+ - ../base/environments.yaml.gotmpl
+
+repositories:
+- name: argo
+  url: https://argoproj.github.io/argo-helm
+
+releases:
+- name: argocd
+  namespace: argocd
+  chart: argo/argo-cd
+  version: 7.5.2
+  values:
+  - values/argocd.yaml.gotmpl
+  - values/argocd-{{ .Environment.Name }}.yaml.gotmpl
+  - values/argocd-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+  postRenderer: ../../bin/kustomizer
+  postRendererArgs:
+  - kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: argocd-apps
+  namespace: argocd
+  chart: argo/argocd-apps
+  version: 0.0.1
+  condition: install.argo.apps.enabled
+  values:
+  - values/apps.yaml.gotmpl
+  - values/apps-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+  missingFileHandler: Info
+- name: argo-rollouts
+  namespace: argocd
+  chart: argo/argo-rollouts
+  version: 2.35.2
+  condition: install.argo.rollouts.enabled
+  values:
+  - values/rollouts.yaml.gotmpl
+  - values/rollouts-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+  missingFileHandler: Info
+- name: argo-workflows
+  namespace: argocd
+  chart: argo/argo-workflows
+  version: 0.45.0
+  condition: install.argo.workflows.enabled
+  values:
+  - values/workflows.yaml.gotmpl
+  - values/workflows-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
+  missingFileHandler: Info
+- name: manifests
+  namespace: argocd
+  chart: _manifests
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+
@@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - _manifest.yaml
-  - foo.yaml
@@ -0,0 +1,4 @@
+generatorOptions:
+  disableNameSuffixHash: true
+resources:
+  - ../base
@@ -0,0 +1,10 @@
+argocd:
+  anyNamespaces:
+    enabled: false
+    glob: ""
+  repoServers:
+  - name: "helmfile-cmp"
+    image: "registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest"
+    imagePullSecret: []
+  additional_rbac_settings:
+  - g, "eb17a659-4ce6-41bc-9153-d9b117c44479", role:org-admin
@@ -1,5 +1,5 @@
 global:
-  domain: argocd.{{ .Values.cluster_config.domain }}
+  domain: argocd.{{ .Values.clusterConfig.domain }}
 ## ArgoCD configuration
 ## Ref: https://github.com/argoproj/argo-cd
 ##
@@ -16,7 +16,7 @@ configs:
    application.instanceLabelKey: app.kubernetes.io/instance
    create: true
    # NOTE(kai): callback URL for dex
-    url: "https://argocd.{{ .Values.cluster_config.domain }}"
+    url: "https://argocd.{{ .Values.clusterConfig.domain }}"
    resource.compareoptions: |
      ignoreAggregatedRoles: true
    resource.exclusions: |
@@ -41,7 +41,7 @@ configs:
        level: debug
        format: json
      connectors:
-      {{- with .Values.cluster_config.oidc }}
+      {{- with .Values.clusterConfig.oidc }}
      {{- range . }}
      {{- if eq .provider "azuread" }}
      - type: oidc
@@ -68,7 +68,7 @@ configs:
        config:
          clientID: ${{ .name | replace "-" "_" }}_client_id
          clientSecret: ${{ .name | replace "-" "_" }}_client_secret
-          redirectURI: https://argocd.{{ $.Values.cluster_config.domain }}/api/dex/callback
+          redirectURI: https://argocd.{{ $.Values.clusterConfig.domain }}/api/dex/callback
          orgs:
          - name: {{ .allowed_organizations }}
          loadAllGroups: true
@@ -86,7 +86,7 @@ configs:
      {{- end }}
      {{- end }}
      {{- end }}
-    admin.enabled: '{{ .Values.argocd.adminLogin }}'
+    admin.enabled: false
  rbac:
    # NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
    policy.csv: |
@@ -100,33 +100,6 @@ configs:
      p, role:org-admin, repositories, update, *, allow
      p, role:org-admin, repositories, delete, *, allow
      g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin
-      {{- if .Values.cluster_config.external_access.enabled }}
-      p, role:external-admin, applications, *, sys/*, deny
-      p, role:external-admin, applications, *, oxb/*, deny
-      p, role:external-admin, applications, *, */*, allow
-      p, role:external-admin, projects, *, oxb, deny
-      p, role:external-admin, projects, *, sys, deny
-      p, role:external-admin, projects, get, *, allow
-      p, role:external-admin, logs, get, *, allow
-      p, role:external-admin, clusters, get, *, allow
-      p, role:external-admin, repositories, get, *, allow
-      p, role:external-admin, repositories, create, *, allow
-      p, role:external-admin, repositories, update, *, allow
-      p, role:external-admin, repositories, delete, *, allow
-      g, "{{ .Values.cluster_config.external_access.admin_group }}", role:external-admin
-      {{- end }}
-      {{- if .Values.cluster_config.external_access.enabled }}
-      {{- range .Values.cluster_config.external_access.groups }}
-      {{- "\n" -}}
-        {{- $name := .name }}
-      p, role:{{$name}}, projects, get, {{$name}}, allow
-      p, role:{{$name}}, applications, get, {{$name}}/*, allow
-      p, role:{{$name}}, logs, get, {{$name}}/*, allow
-        {{- range .group_id }}
-      g, {{ . }}, role:{{$name}}
-          {{- end }}
-        {{- end }}
-      {{- end }}
      {{- with .Values.argocd.additional_rbac_settings }}
      {{- range .}}
      {{ . }}
@@ -147,8 +120,8 @@ configs:
      --prod-color: #ff000d;
    }
    .top-bar__breadcrumbs::after {
-      content: "cluster: {{.Values.cluster_config.cluster}},  env: {{.Values.cluster_config.env}} ";
-      color: var(--{{.Values.cluster_config.env}}-color);
+      content: "cluster: {{.Values.clusterConfig.cluster}},  env: {{.Values.clusterConfig.env}} ";
+      color: var(--{{.Values.clusterConfig.env}}-color);
      font-weight: bolder;
      font-size: larger;
      position: fixed;
@@ -162,10 +135,10 @@ controller:
      enabled: true
  resources:
    limits:
-      memory: {{ .Values | get "argocd.resources.controller.memory" "1000Mi" }}
+      memory: "1000Mi"
    requests:
-      cpu: {{ .Values | get "argocd.resources.controller.cpu" "250m" }}
-      memory: {{ .Values | get "argocd.resources.controller.memory" "1000Mi" }}
+      cpu: "250m"
+      memory: "1000Mi"

 # Mount azure ca as file for SAML auth
 dex:
@@ -173,7 +146,7 @@ dex:
    enabled: true
    serviceMonitor:
      enabled: true
-  {{- with .Values.cluster_config.oidc }}
+  {{- with .Values.clusterConfig.oidc }}
  env:
  {{- range . }}
  - name: {{ .name | replace "-" "_" }}_client_secret
@@ -200,13 +173,13 @@ repoServer:
    enabled: true
    serviceMonitor:
      enabled: true
-  {{- if .Values.argocd.repoServer.cmp.enabled }}
+  {{- range .Values.argocd.repoServers }}
  extraContainers:
  - command:
    - /var/run/argocd/argocd-cmp-server
-    image: {{ .Values.argocd.repoServer.cmp.image }}
+    image: {{ .image }}
    imagePullPolicy: Always
-    name: {{ .Values.argocd.repoServer.cmp.name }}
+    name: {{ .name }}
    securityContext:
      runAsNonRoot: true
      runAsUser: 999
@@ -219,20 +192,14 @@ repoServer:
      name: plugins
    - mountPath: /tmp
      name: cmp-tmp
-  {{- with .Values.argocd.repoServer.cmp.initContainers }}
-  initContainers:
-    {{- toYaml . | nindent 10}}
-  {{- end }}
  volumes:
  - name: cmp-tmp
    emptyDir: {}
-  {{- if .Values.argocd.repoServer.cmp.imagePullSecret }}
  imagePullSecrets:
-    {{- range .Values.argocd.repoServer.cmp.imagePullSecret}}
+    {{- range .imagePullSecret }}
    - name: {{ .name }}
+    {{- end }}
  {{- end }}
-  {{- end }}
-{{- end }}

 # Configuration for argocd server instance
 server:
@@ -241,22 +208,22 @@ server:
    serviceMonitor:
      enabled: true
  ingress:
-    enabled: {{ .Values.argocd.ingress.enabled }}
+    enabled: true
    ingressClassName: nginx
    annotations:
-      cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+      cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
-      {{- with .Values.cluster_config.ingress_whitelist_ips }}
+      {{- with .Values.clusterConfig.ingress_whitelist_ips }}
      nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
      {{- end }}
    hosts:
-      - "argocd.{{ .Values.cluster_config.domain }}"
+      - "argocd.{{ .Values.clusterConfig.domain }}"
    tls:
      - secretName: argocd-tls
        hosts:
-          - "argocd.{{ .Values.cluster_config.domain }}"
+          - "argocd.{{ .Values.clusterConfig.domain }}"
 applicationSet:
  metrics:
    enabled: true
@@ -266,19 +233,19 @@ applicationSet:
  allowAnyNamespaces: true
  {{- end }}
  ingress:
-    enabled: {{ .Values.argocd.applicationset_webhook.enabled }}
+    enabled: false
    ingressClassName: nginx
    annotations:
-      cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
-      # {{- with .Values.cluster_config.ingress_whitelist_ips}}
+      cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
+      # {{- with .Values.clusterConfig.ingress_whitelist_ips}}
      # NOTE(kai): include gitlab and github webhook ranges
      # nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24
      # {{- end }}
-    hostname: "argocd-applicationset.{{ .Values.cluster_config.domain }}"
+    hostname: "argocd-applicationset.{{ .Values.clusterConfig.domain }}"
    tls:
      - secretName: argocd-applicationset-tls
        hosts:
-          - "argocd-applicationset.{{ .Values.cluster_config.domain }}"
+          - "argocd-applicationset.{{ .Values.clusterConfig.domain }}"
 notifications:
  metrics:
    enabled: true
@@ -0,0 +1,9 @@
+dashboard:
+  enabled: {{ .Values.apps. true }}
+
+controller:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+
@@ -0,0 +1,9 @@
+dashboard:
+  enabled: {{ .Values.apps. true }}
+
+controller:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+
@@ -0,0 +1,37 @@
+clusterConfig:
+  env: "prod"
+  distro: "talos"
+  domain: "adm.oceanbox.io"
+  initca: ""
+  apiserver: ""
+  apiserverip: ""
+  etcd_nodes: [ "10.255.241.201, 10.255.241.202, 10.255.241.203" ]
+  k8s_nodes: [ "" ]
+  cluster: "oceanbox"
+  ingress_nodes: ["oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3" ]
+  ingress_replica_count: 3
+  fileserver: "10.255.241.210"
+  acme_email: "acme@oceanbox.io"
+  oidc:
+  - name: serit-oidc
+    provider: azuread
+    tenant: "95e5d757-4fb3-4113-a93c-c41393be61cf"
+    secret_ref:
+      name: serit-oidc
+    group_id: "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29"
+    external_access:
+      enabled: false
+  - name: oceanbox-oidc
+    provider: azuread
+    tenant: "3f737008-e9a0-4485-9d27-40329d288089"
+    secret_ref:
+      name: oceanbox-oidc
+    group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
+  nodes: []
+  ingress_whitelist_ips:
+    #itp internal
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+    - 172.19.255.0/24
+
@@ -0,0 +1,132 @@
+clusterConfig:
+  manifests: https://gitlab.com/oceanbox/manifests.git
+  policies: policies/sys
+  resources: resources/sys
+  distro: "" #[nixos, talos]
+  env: "" #[dev, test, staging, prod]
+  initca: ""
+  domain: ".local"
+  apiserver: ""
+  apiserverip: ""
+  etcd_nodes: []
+  k8s_nodes: []
+  cluster: ""
+  ingress_nodes: []
+  ingress_replica_count: 3
+  fileserver: ""
+  acme_email: ""
+  nodenames: []
+  nodes: []
+  ingress_clusterissuer: "letsencrypt-production"
+  ingress_whitelist_ips:
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+    - 172.19.255.0/24
+  oidc: []
+    #- name: azure-oidc
+    #  provider: azuread
+    #  tenant: "https://login.microsoftonline.com/<tenant>/oauth2/v2.0"
+    #  secret_ref:
+    #    name: azure-oidc
+    #  group_id: "<group_id>"
+    #- name: github-oidc
+    #  provider: github
+    #  secret_ref:
+    #    name: github-oidc
+    #  allowed_organizations: <org>
+    #  allowed_teams: <team-id>
+
+install:
+  argo:
+    argocd:
+      enabled: true
+    apps:
+      enabled: true
+    rollouts:
+      enabled: false
+    workflows:
+      enabled: false
+  atlantis:
+    enabled: false
+    envs:
+      - prod
+      - staging
+  sorcerer:
+    enabled: false
+    envs:
+      - prod
+      - staging
+  openfga:
+    enabled: false
+    envs:
+      - prod
+      - staging
+
+  cilium:
+    enabled: false
+  linkerd:
+    enabled: true
+  thanos:
+    enabled: false
+  prometheus:
+    enabled: true
+  nfs_provisioner:
+    enabled: true
+  cert_manager:
+    autosync: true
+  kubernetes_dashboard:
+    enabled: false
+  metrics_server:
+    autosync: true
+  nginx:
+    enabled: true
+  kyverno:
+    enabled: false
+  velero:
+    enabled: true
+  x509_exporter:
+    enabled: true
+  downscaler:
+    enabled: false
+  actions_runner_controller:
+    enabled: false
+  gitlab_runner:
+    enabled: true
+  postgres_operator:
+    enabled: true
+  rabbitmq_operator:
+    enabled: false
+  jaeger_operator:
+    enabled: false
+  loki:
+    enabled: false
+  tempo:
+    enabled: false
+  otel:
+    enabled: false
+  promtail:
+    enabled: false
+  mariadb_operator:
+    enabled: false
+  chartmuseum:
+    enabled: false
+  clickhouse_operator:
+    enabled: false
+  oncall:
+    enabled: false
+  dapr:
+    enable: true
+  busynix.enable: false
+  headscale.enable: false
+  plausible.enable: false
+  dex.enable: false
+  keycloak.enable: false
+  rabbitmq.enable: false
+  redis.enable: false
+  wordpress.enable: false
+  yolo-dl.enable: false
+  yolo-registry.enable: false
+  osm-tile-server.enable: false
+  geoserver.enable: false
+