platform/manifests
1
1
Fork 0
Code Issues 7 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

feat: Migrate sys applications to helmfile #24

Merged
mrtz-j merged 13 commits from helmify into main 2025-06-10 17:45:51 +00:00
Conversation 2 Commits 13 Files Changed 262
+41808 -1585
262 changed files with 41808 additions and 1585 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.envrc
+14 -1
View File
@@ -1 +1,14 @@
use nix #!/usr/bin/env bash
# the shebang is ignored, but nice for editors
watch_file npins/sources.json
# Load .env file if it exists
dotenv_if_exists
# Activate development shell
if type -P lorri &>/dev/null; then
eval "$(lorri direnv)"
else
echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
use nix
fi
.gitignore
+1 -2
View File
@@ -2,5 +2,4 @@
_*/ _*/
.direnv/ .direnv/
.pre-commit-config.yaml .pre-commit-config.yaml
_manifest.yaml _*.yaml
_resources.yaml
apps/charts/sys-cilium-policies/templates/cilium-test/CiliumNetworkPolicy-allow-api-server.yaml
-22
View File
@@ -1,22 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-api-server
namespace: cilium-test
spec:
egress:
- toEndpoints:
- {}
- toEntities:
- cluster
- toEntities:
- remote-node
- toEntities:
- world
endpointSelector:
matchLabels: {}
ingress:
- fromEntities:
- cluster
- fromEntities:
- world
apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml → apps/charts/sys-cilium-policies/templates/cilium/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml
View File
apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-dns.yaml → apps/charts/sys-cilium-policies/templates/cilium/CiliumClusterwideNetworkPolicy-allow-dns.yaml
View File
apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml → apps/charts/sys-cilium-policies/templates/cilium/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml
View File
apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-deny-all.yaml → apps/charts/sys-cilium-policies/templates/cilium/CiliumClusterwideNetworkPolicy-deny-all.yaml
View File
apps/charts/sys-cilium-policies/templates/clusterwide/CiliumClusterwideNetworkPolicy-allow-s3.yaml
-20
View File
@@ -1,20 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: allow-s3-traffic
spec:
description: Policy for egress for CNPG Backups.
egress:
- toFQDNs:
{{- range .Values.s3.hosts }}
- matchName: {{ . | quote }}
{{- end }}
{{- range .Values.s3.patterns }}
- matchPattern: {{ . | quote }}
{{- end }}
- toCIDR:
{{- range .Values.s3.cidr }}
- {{ . | quote }}
{{- end }}
endpointSelector:
matchLabels: {}
apps/charts/sys-cilium-policies/templates/plausible/CiliumNetworkPolicy-allow-gravatar.yaml
+14
View File
@@ -0,0 +1,14 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-plausible-secure-gravatar
namespace: prometheus
spec:
description: Allow Plausible Gravatar
egress:
- toFQDNs:
- matchName: secure.gravatar.com
- matchName: gravatar.com
endpointSelector:
matchLabels:
app.kubernetes.io/name: plausible-analytics
apps/charts/sys-cilium-policies/templates/robusta/CiliumNetworkPolicy-allow-slack.yaml
+2 -1
View File
@@ -2,10 +2,11 @@ apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy kind: CiliumNetworkPolicy
metadata: metadata:
name: allow-slack name: allow-slack
namespace: robusta namespace: prometheus
spec: spec:
egress: egress:
- toFQDNs: - toFQDNs:
- matchPattern: slack.com - matchPattern: slack.com
- matchName: hooks.slack.com
endpointSelector: endpointSelector:
matchLabels: {} matchLabels: {}
apps/templates/argocd-apps.yaml
+1
View File
@@ -21,6 +21,7 @@ spec:
sourceRepos: sourceRepos:
- '{{ .Values.cluster_config.manifests }}' - '{{ .Values.cluster_config.manifests }}'
- 'https://argoproj.github.io/argo-helm' - 'https://argoproj.github.io/argo-helm'
- 'https://gitlab.com/oceanbox/manifests.git'
- 'https://kubernetes-sigs.github.io/metrics-server/' - 'https://kubernetes-sigs.github.io/metrics-server/'
- 'https://kubernetes.github.io/ingress-nginx' - 'https://kubernetes.github.io/ingress-nginx'
- 'https://cloudnative-pg.github.io/charts' - 'https://cloudnative-pg.github.io/charts'
apps/templates/argocd.yaml
-323
View File
@@ -1,323 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: argocd
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "-1"
spec:
destination:
namespace: argocd
server: 'https://kubernetes.default.svc'
sources:
- path: {{ .Values.cluster_config.policies }}/argocd
repoURL: {{ .Values.cluster_config.manifests }}
targetRevision: HEAD
- repoURL: 'https://argoproj.github.io/argo-helm'
targetRevision: {{ .Values.argocd.version }}
chart: argo-cd
helm:
values: |
global:
domain: argocd.{{ .Values.cluster_config.domain }}
## ArgoCD configuration
## Ref: https://github.com/argoproj/argo-cd
##
configs:
{{- if .Values.argocd.anyNamespaces.enabled }}
params:
applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
# TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
applicationsetcontroller.enable.scm.providers: "false"
application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
{{- end }}
cm:
application.resourceTrackingMethod: annotation+label
application.instanceLabelKey: app.kubernetes.io/instance
create: true
# NOTE(kai): callback URL for dex
url: "https://argocd.{{ .Values.cluster_config.domain }}"
resource.compareoptions: |
ignoreAggregatedRoles: true
resource.exclusions: |
- apiGroups:
- cilium.io
kinds:
- CiliumIdentity
clusters:
- "*"
- apiGroups:
- kyverno.io
kinds:
- AdmissionReport
- BackgroundScanReport
- ClusterAdmissionReport
- ClusterBackgroundScanReport
clusters:
- "*"
# dex saml config
dex.config: |
logger:
level: debug
format: json
connectors:
{{- with .Values.cluster_config.oidc }}
{{- range . }}
{{- if eq .provider "azuread" }}
- type: oidc
id: {{ .name }}
name: {{ .name }}
config:
issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0
clientID: ${{ .name | replace "-" "_" }}_client_id
clientSecret: ${{ .name | replace "-" "_" }}_client_secret
insecureSkipEmailVerified: true
requestedIDTokenClaims:
groups:
essential: true
insecureEnableGroups: true
requestedScopes:
- openid
- profile
- email
- groups
{{- else if eq .provider "github" }}
- type: github
id: {{ .name }}
name: {{ .name }}
config:
clientID: ${{ .name | replace "-" "_" }}_client_id
clientSecret: ${{ .name | replace "-" "_" }}_client_secret
redirectURI: https://argocd.{{ $.Values.cluster_config.domain }}/api/dex/callback
orgs:
- name: {{ .allowed_organizations }}
loadAllGroups: true
teamNameField: slug
useLoginAsID: false
staticClients:
- id: ${{ .name | replace "-" "_" }}_client_id
name: Kubernetes
# These are kubectl oidc plugin internal URLs
redirectURIs:
- http://localhost:8000
- http://localhost:18000
# Random secret for the user to authenticat dex client
secret: 8d52926efe879ee505391b75f4b046cf
{{- end }}
{{- end }}
{{- end }}
admin.enabled: '{{ .Values.argocd.adminLogin }}'
rbac:
# NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
policy.csv: |
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, projects, *, *, allow
p, role:org-admin, logs, get, *, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, clusters, update, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, repositories, create, *, allow
p, role:org-admin, repositories, update, *, allow
p, role:org-admin, repositories, delete, *, allow
g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin
{{- if .Values.cluster_config.external_access.enabled }}
p, role:external-admin, applications, *, sys/*, deny
p, role:external-admin, applications, *, oxb/*, deny
p, role:external-admin, applications, *, */*, allow
p, role:external-admin, projects, *, oxb, deny
p, role:external-admin, projects, *, sys, deny
p, role:external-admin, projects, get, *, allow
p, role:external-admin, logs, get, *, allow
p, role:external-admin, clusters, get, *, allow
p, role:external-admin, repositories, get, *, allow
p, role:external-admin, repositories, create, *, allow
p, role:external-admin, repositories, update, *, allow
p, role:external-admin, repositories, delete, *, allow
g, "{{ .Values.cluster_config.external_access.admin_group }}", role:external-admin
{{- end }}
{{- if .Values.cluster_config.external_access.enabled }}
{{- range .Values.cluster_config.external_access.groups }}
{{- "\n" -}}
{{- $name := .name }}
p, role:{{$name}}, projects, get, {{$name}}, allow
p, role:{{$name}}, applications, get, {{$name}}/*, allow
p, role:{{$name}}, logs, get, {{$name}}/*, allow
{{- range .group_id }}
g, {{ . }}, role:{{$name}}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.argocd.additional_rbac_settings }}
{{- range .}}
{{ . }}
{{- end }}
{{- end }}
repositories:
# Repositories for applications
argo-helm:
type: helm
url: https://argoproj.github.io/argo-helm
# UI changes based on env
styles: |
/* blue, orange, red depending on env */
:root {
--test-color: #0f2cbd;
--dev-color: #33b025;
--staging-color: #ebac2f;
--prod-color: #ff000d;
}
.top-bar__breadcrumbs::after {
content: "cluster: {{.Values.cluster_config.cluster}}, env: {{.Values.cluster_config.env}} ";
color: var(--{{.Values.cluster_config.env}}-color);
font-weight: bolder;
font-size: larger;
position: fixed;
left: 50%;
}
controller:
metrics:
enabled: true
serviceMonitor:
enabled: true
resources:
limits:
memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
requests:
cpu: {{ .Values.argocd.resources.controller.cpu | default "250m" }}
memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
# Mount azure ca as file for SAML auth
dex:
metrics:
enabled: true
serviceMonitor:
enabled: true
{{- with .Values.cluster_config.oidc }}
env:
{{- range . }}
- name: {{ .name | replace "-" "_" }}_client_secret
valueFrom:
secretKeyRef:
name: {{ .secret_ref.name }}
key: client_secret
- name: {{ .name | replace "-" "_" }}_client_id
valueFrom:
secretKeyRef:
name: {{ .secret_ref.name }}
key: client_id
{{- end }}
{{- end }}
redis:
metrics:
enabled: true
serviceMonitor:
enabled: true
repoServer:
metrics:
enabled: true
serviceMonitor:
enabled: true
{{- if .Values.argocd.repoServer.cmp.enabled }}
extraContainers:
- command:
- /var/run/argocd/argocd-cmp-server
image: {{ .Values.argocd.repoServer.cmp.image }}
imagePullPolicy: Always
name: {{ .Values.argocd.repoServer.cmp.name }}
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
{{- with .Values.argocd.repoServer.cmp.initContainers }}
initContainers:
{{- toYaml . | nindent 10}}
{{- end }}
volumes:
- name: cmp-tmp
emptyDir: {}
{{- if .Values.argocd.repoServer.cmp.imagePullSecret }}
imagePullSecrets:
{{- range .Values.argocd.repoServer.cmp.imagePullSecret}}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
# Configuration for argocd server instance
server:
metrics:
enabled: true
serviceMonitor:
enabled: true
ingress:
enabled: {{ .Values.argocd.ingress.enabled }}
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
{{- with .Values.cluster_config.ingress_whitelist_ips }}
nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
{{- end }}
hosts:
- "argocd.{{ .Values.cluster_config.domain }}"
tls:
- secretName: argocd-tls
hosts:
- "argocd.{{ .Values.cluster_config.domain }}"
applicationSet:
metrics:
enabled: true
serviceMonitor:
enabled: true
{{- if .Values.argocd.anyNamespaces.enabled }}
allowAnyNamespaces: true
{{- end }}
ingress:
enabled: {{ .Values.argocd.applicationset_webhook.enabled }}
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
# {{- with .Values.cluster_config.ingress_whitelist_ips}}
# NOTE(kai): include gitlab and github webhook ranges
# nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24
# {{- end }}
hostname: "argocd-applicationset.{{ .Values.cluster_config.domain }}"
tls:
- secretName: argocd-applicationset-tls
hosts:
- "argocd-applicationset.{{ .Values.cluster_config.domain }}"
notifications:
metrics:
enabled: true
serviceMonitor:
enabled: true
secret:
create: false
cm:
create: false
project: sys
syncPolicy:
managedNamespaceMetadata:
labels:
component: sys
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
{{- if .Values.argocd.autosync }}
automated:
prune: true
# selfHeal: false
{{- end }}
apps/templates/resources/pre-cert-manager.yaml
+5 -5
View File
@@ -10,7 +10,7 @@ spec:
# The ACME server URL # The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration # Email address used for ACME registration
email: {{ .Values.cluster_config.acme_email }} email: {{ .Values.clusterConfig.acme_email }}
# Name of a secret used to store the ACME account private key # Name of a secret used to store the ACME account private key
privateKeySecretRef: privateKeySecretRef:
name: letsencrypt-production name: letsencrypt-production
@@ -30,7 +30,7 @@ spec:
# The ACME server URL # The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration # Email address used for ACME registration
email: {{ .Values.cluster_config.acme_email }} email: {{ .Values.clusterConfig.acme_email }}
# Name of a secret used to store the ACME account private key # Name of a secret used to store the ACME account private key
privateKeySecretRef: privateKeySecretRef:
name: letsencrypt-staging name: letsencrypt-staging
@@ -93,7 +93,7 @@ rules:
- watch - watch
--- ---
{{ if .Values.cluster_config.initca }} {{ if .Values.clusterConfig.initca }}
# Pod to update certificates from master nodes # Pod to update certificates from master nodes
# only runs on control plane nodes (etcd) # only runs on control plane nodes (etcd)
@@ -153,11 +153,11 @@ spec:
volumes: volumes:
- name: ca-pem - name: ca-pem
hostPath: hostPath:
path: {{.Values.cluster_config.initca}}/ca.pem path: {{.Values.clusterConfig.initca}}/ca.pem
type: File type: File
- name: ca-key-pem - name: ca-key-pem
hostPath: hostPath:
path: {{.Values.cluster_config.initca}}/ca-key.pem path: {{.Values.clusterConfig.initca}}/ca-key.pem
type: File type: File
- name: certs-script - name: certs-script
configMap: configMap:
apps/values.yaml
+28 -16
View File
@@ -73,6 +73,7 @@ argocd:
imagePullSecret: [] imagePullSecret: []
helmTokenSecret: "" helmTokenSecret: ""
argocd_apps: argocd_apps:
enable: true
autosync: true autosync: true
version: 0.0.1 version: 0.0.1
argo_workflows: argo_workflows:
@@ -90,7 +91,6 @@ argo_rollouts:
enabled: false enabled: false
dashboard_enabled: false dashboard_enabled: false
cilium: cilium:
enabled: false enabled: false
autosync: true autosync: true
@@ -375,18 +375,30 @@ yolo-registry.enable: false
osm-tile-server.enable: false osm-tile-server.enable: false
geoserver.enable: false geoserver.enable: false
atlantis: install:
enabled: false argo:
envs: autosync: true
- prod argocd:
- staging enabled: true
sorcerer: apps:
enabled: false enabled: true
envs: rollouts:
- prod enabled: false
- staging workflows:
openfga: enabled: false
enabled: false atlantis:
envs: enabled: false
- prod envs:
- staging - prod
- staging
sorcerer:
enabled: false
envs:
- prod
- staging
openfga:
enabled: false
envs:
- prod
- staging
argocd/_ekman.yaml
-14
View File
@@ -1,14 +0,0 @@
apiVersion: v1
stringData:
config: '{"bearerToken":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjFja0VGbHBYYjMxVEZiWFBNYVNERldhZTlHUXFWdDM2cGpGZUhTVFB3QU0ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJjbHVzdGVyLWFkbWluLXRva2VuIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImNsdXN0ZXItYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0YjE2ZmQzYi1mNjJiLTQ2MzctOGIwNC0yMGNiNTBlNzhiMmYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06Y2x1c3Rlci1hZG1pbiJ9.sd3AP4HmHgjLXSmQMZC6lEeVX2y1_RdzCK34-TKtu2k_6NhGtGopc10ZdNXy68uigwVLVNFW1fREpj5z3mgpWyQPUzZrXN0ANp0C3oM8rt77cKRrmn_ZQuiMjH_0_t4tmjwIWla5rQ52Y7QC-zoCMfAkalofh1Jo0yu8QeWIXd3Q0hnfGiIKCwVrfWrZXopLbiuntKColFMQPkenz-pPo5DjcMAarmlXGy-TztGvN1X5NkVWy8DXrSUPLL_JZ5Ok5DZoGejilrssj45sXBeUyTM5pIYZi7gE5ngB2y1nod9UakkPKXeF_ZyFtvLMtvXOCi1YNgfYM9crtuECz8DoRA","tlsClientConfig":{"insecure":true}}'
name: ekman
server: https://10.255.241.99:4443
kind: Secret
metadata:
labels:
argocd.argoproj.io/secret-type: cluster
name: cluster-ekman
namespace: argocd
type: Opaque
argocd/helmfile-cmp/Dockerfile
+1 -1
View File
@@ -1,4 +1,4 @@
FROM ghcr.io/helmfile/helmfile:v0.157.0 FROM ghcr.io/helmfile/helmfile:v1.0.0
RUN mkdir -p /home/argocd/cmp-server/config/ RUN mkdir -p /home/argocd/cmp-server/config/
COPY plugin.yaml /home/argocd/cmp-server/config/ COPY plugin.yaml /home/argocd/cmp-server/config/
argocd/helmfile-cmp/argo-repo-server.yaml
+476
View File
@@ -0,0 +1,476 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
argocd.argoproj.io/tracking-id: argocd:apps/Deployment:argocd/argocd-repo-server
deployment.kubernetes.io/revision: "27"
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.12.3
helm.sh/chart: argo-cd-7.5.2
name: argocd-repo-server
namespace: argocd
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/instance: argocd
app.kubernetes.io/name: argocd-repo-server
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
checksum/cm: 67d6152e0e3482f9a74a6b570fd32bbec4e7856bffe49f577a2a0d3aeaed6f48
checksum/cmd-params: 69ed50e8936f4d6429dc331f782ad0a7d22eb12c318d6800403040352214b781
creationTimestamp: null
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.12.3
helm.sh/chart: argo-cd-7.5.2
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
topologyKey: kubernetes.io/hostname
weight: 100
automountServiceAccountToken: true
containers:
- args:
- /usr/local/bin/argocd-repo-server
- --port=8081
- --metrics-port=8084
env:
- name: ARGOCD_REPO_SERVER_NAME
value: argocd-repo-server
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
key: timeout.reconciliation
name: argocd-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: reposerver.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: reposerver.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.metrics.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_TLS
valueFrom:
configMapKeyRef:
key: reposerver.disable.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.minversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MAX_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.maxversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_CIPHERS
valueFrom:
configMapKeyRef:
key: reposerver.tls.ciphers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.repo.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
key: redis.compression
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
key: redis.db
name: argocd-cmd-params-cm
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
key: redis-username
name: argocd-redis
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
key: auth
name: argocd-redis
- name: REDIS_SENTINEL_USERNAME
valueFrom:
secretKeyRef:
key: redis-sentinel-username
name: argocd-redis
optional: true
- name: REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
key: redis-sentinel-password
name: argocd-redis
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.default.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
key: otlp.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
key: otlp.insecure
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
key: otlp.headers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.max.combined.directory.manifests.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
valueFrom:
configMapKeyRef:
key: reposerver.plugin.tar.exclusions
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
valueFrom:
configMapKeyRef:
key: reposerver.allow.oob.symlinks
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.tar.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.disable.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_MODULES_ENABLED
valueFrom:
configMapKeyRef:
key: reposerver.enable.git.submodule
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.git.lsremote.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_REQUEST_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.git.request.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.revision.cache.lock.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
valueFrom:
configMapKeyRef:
key: reposerver.include.hidden.directories
name: argocd-cmd-params-cm
optional: true
- name: HELM_CACHE_HOME
value: /helm-working-dir
- name: HELM_CONFIG_HOME
value: /helm-working-dir
- name: HELM_DATA_HOME
value: /helm-working-dir
image: quay.io/argoproj/argocd:v2.12.3
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz?full=true
port: metrics
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: repo-server
ports:
- containerPort: 8081
name: repo-server
protocol: TCP
- containerPort: 8084
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
- mountPath: /helm-working-dir
name: helm-working-dir
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always
name: kustomize-helm-with-rewrite
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp:latest
imagePullPolicy: Always
name: helm-kustomize-cmp
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
imagePullPolicy: Always
name: helmfile-cmp
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: gitlab-pull-secret
initContainers:
- command:
- /bin/cp
- -n
- /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server
image: quay.io/argoproj/argocd:v2.12.3
imagePullPolicy: IfNotPresent
name: copyutil
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- command:
- /bin/sh
- /plugin/init-helm-repos.sh
env:
- name: OCEANBOX_HELM_ACCESS_TOKEN
valueFrom:
secretKeyRef:
key: token
name: oceanbox-helm
optional: false
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always
name: init-helm-repos
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 999
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /helm-working-dir
name: helm-working-dir
restartPolicy: Always
schedulerName: default-scheduler
serviceAccount: argocd-repo-server
serviceAccountName: argocd-repo-server
terminationGracePeriodSeconds: 30
volumes:
- name: cmp-tmp
- name: helm-working-dir
- name: plugins
- name: var-files
- name: tmp
- configMap:
defaultMode: 420
name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts
- configMap:
defaultMode: 420
name: argocd-tls-certs-cm
name: tls-certs
- configMap:
defaultMode: 420
name: argocd-gpg-keys-cm
name: gpg-keys
- name: gpg-keyring
- name: argocd-repo-server-tls
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls
argocd/helmfile-cmp/generate.sh
+7 -9
View File
@@ -1,18 +1,16 @@
#!/bin/sh #!/bin/sh
# NOTE: Ensure errors are part of exitcode
# set -o pipefail
export HOME=/plugin export HOME=/plugin
export HELM_CACHE_HOME=/tmp/helm/cache export HELM_CACHE_HOME=/tmp/helm/cache
export HELM_CONFIG_HOME=/tmp/helm/config export HELM_CONFIG_HOME=/tmp/helm/config
export HELMFILE_CACHE_HOME=/tmp/helmfile/cache export HELMFILE_CACHE_HOME=/tmp/helmfile/cache
export HELMFILE_TEMPDIR=/tmp/helmfile/tmp export HELMFILE_TEMPDIR=/tmp/helmfile/tmp
env > /tmp/$ARGOCD_APP_NAME.env test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT && export HELMFILE_ENVIRONMENT=$ARGOCD_ENV_HELMFILE_ENVIRONMENT
test -n ARGOCD_ENV_HELMFILE_FILE_PATH && export HELMFILE_FILE_PATH=$ARGOCD_ENV_HELMFILE_FILE_PATH
if [[ -v ENV_NAME ]]; then
helmfile -n "$ARGOCD_APP_NAMESPACE" -e $ENV_NAME template --include-crds -q
elif [[ -v ARGOCD_ENV_ENV_NAME ]]; then
helmfile -n "$ARGOCD_APP_NAMESPACE" -e "$ARGOCD_ENV_ENV_NAME" template --include-crds -q
else
helmfile -n "$ARGOCD_APP_NAMESPACE" template --include-crds -q
fi
helmfile -n "$ARGOCD_APP_NAMESPACE" $ARGS template --include-crds -q
argocd/helmfile-cmp/plugin.yaml
+3 -4
View File
@@ -1,12 +1,11 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: ConfigManagementPlugin kind: ConfigManagementPlugin
metadata: metadata:
name: helmfile name: helmfile-cmp
spec: spec:
generate: generate:
command: [ /bin/sh ] command: [ "/bin/sh" ]
args: args:
- /plugin/generate.sh - /plugin/generate.sh
discover:
fileName: helmfile.yaml
lockRepo: false lockRepo: false
preserveFileMode: true
argocd/kustomize-helm-with-rewrite/argo-repo-server.yaml
+425
View File
@@ -0,0 +1,425 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
argocd.argoproj.io/tracking-id: argocd:apps/Deployment:argocd/argocd-repo-server
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.10.4
helm.sh/chart: argo-cd-6.7.3
name: argocd-repo-server
namespace: argocd
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/instance: argocd
app.kubernetes.io/name: argocd-repo-server
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
checksum/cm: 3d88c02b8c8e470b75262aae39da4b4bc6f29a02d2a6c7a9e0d44d2d69aa908b
checksum/cmd-params: d76791b7d65a3839bc44b46b65ecfecb5be7ac834b4915b0dea1577f524ea687
creationTimestamp: null
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/instance: argocd
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: v2.10.4
helm.sh/chart: argo-cd-6.7.3
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
topologyKey: kubernetes.io/hostname
weight: 100
containers:
- args:
- /usr/local/bin/argocd-repo-server
- --port=8081
- --metrics-port=8084
env:
- name: ARGOCD_REPO_SERVER_NAME
value: argocd-repo-server
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
key: timeout.reconciliation
name: argocd-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: reposerver.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: reposerver.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.metrics.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_TLS
valueFrom:
configMapKeyRef:
key: reposerver.disable.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.minversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MAX_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.maxversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_CIPHERS
valueFrom:
configMapKeyRef:
key: reposerver.tls.ciphers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.repo.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
key: redis.compression
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
key: redis.db
name: argocd-cmd-params-cm
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
key: redis-username
name: argocd-redis
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
key: redis-password
name: argocd-redis
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.default.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
key: otlp.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
key: otlp.insecure
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
key: otlp.headers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.max.combined.directory.manifests.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
valueFrom:
configMapKeyRef:
key: reposerver.plugin.tar.exclusions
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
valueFrom:
configMapKeyRef:
key: reposerver.allow.oob.symlinks
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.tar.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.disable.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_MODULES_ENABLED
valueFrom:
configMapKeyRef:
key: reposerver.enable.git.submodule
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.git.lsremote.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_REQUEST_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.git.request.timeout
name: argocd-cmd-params-cm
optional: true
- name: HELM_CACHE_HOME
value: /helm-working-dir
- name: HELM_CONFIG_HOME
value: /helm-working-dir
- name: HELM_DATA_HOME
value: /helm-working-dir
image: quay.io/argoproj/argocd:v2.10.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz?full=true
port: metrics
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: repo-server
ports:
- containerPort: 8081
name: repo-server
protocol: TCP
- containerPort: 8084
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
- mountPath: /helm-working-dir
name: helm-working-dir
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always
name: kustomize-helm-with-rewrite
resources: {}
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: gitlab-pull-secret
initContainers:
- command:
- /bin/cp
- -n
- /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server
image: quay.io/argoproj/argocd:v2.10.4
imagePullPolicy: IfNotPresent
name: copyutil
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- command:
- /bin/sh
- /plugin/init-helm-repos.sh
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always
name: init-helm-repos
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsUser: 999
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
env:
- name: OCEANBOX_HELM_ACCESS_TOKEN
valueFrom:
secretKeyRef:
key: token
name: oceanbox-helm
optional: false
volumeMounts:
- mountPath: /helm-working-dir
name: helm-working-dir
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: argocd-repo-server
serviceAccountName: argocd-repo-server
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: cmp-tmp
- emptyDir: {}
name: helm-working-dir
- emptyDir: {}
name: plugins
- emptyDir: {}
name: var-files
- emptyDir: {}
name: tmp
- configMap:
defaultMode: 420
name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts
- configMap:
defaultMode: 420
name: argocd-tls-certs-cm
name: tls-certs
- configMap:
defaultMode: 420
name: argocd-gpg-keys-cm
name: gpg-keys
- emptyDir: {}
name: gpg-keyring
- name: argocd-repo-server-tls
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls
argocd/reset-ekman-cluster.sh
Regular → Executable
View File
bin/generate.sh
Executable
+67
View File
@@ -0,0 +1,67 @@
#!/usr/bin/env bash
helmfile () {
name=$1
tier=$2
cat <<EOF
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: $tier
releases:
- name: $name
namespace: {{ .Environment.Name }}-$name
chart: ../charts/$name
condition: $name.enabled
values:
- ../values/$name/values/$name.yaml.gotmpl
- ../values/$name/values/$name-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/$name/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: $name-manifests
namespace: {{ .Environment.Name }}-$name
chart: _$name-manifests
condition: $name.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/$name/values.yaml.gotmpl
- ../values/$name/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{\`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}\`}}'
- '{{\`{{ .Release.Chart }}\`}}'
- '{{\`{{ .Environment.Name }}\`}}'
- ../values/$name/manifests
- _$name-manifests
EOF
}
while true; do
case $* in
--with-env)
ns=true
shift ;;
--*|-*) shift;;
*) break ;;
esac
done
name=$1
tier=$2
if [ -n "$ns" ]; then
namespace="namespace: {{ .Environment.Name }}-$name"
else
namespace="namespace: $name"
fi
helmfile $1 $2
bin/helmify
Executable
+42
View File
@@ -0,0 +1,42 @@
#!/usr/bin/env bash
set -o pipefail
cmd=$1
chart=$2
env=$3
manifests=${4:-manifests}
outdir=${5:-_manifests}
build() {
mkdir -p $outdir/templates
echo "Creating $outdir/templates"
echo "generating $outdir/Chart.yaml" 1>&2
cat <<EOF > $outdir/Chart.yaml
apiVersion: v1
appVersion: "1.0"
# description: A Helm chart for Kubernetes
name: $chart
version: 0.1.0
EOF
if [ -d $manifests ]; then
cp -r $manifests/* $outdir/templates
elif [ -f $manifests ]; then
cp $manifests $outdir/templates
fi
}
clean() {
echo "cleaning $outdir" 1>&2
rm -rf $outdir
}
case "$cmd" in
"build" ) build ;;
"clean" ) clean ;;
* ) echo "unsupported command: $cmd" 1>&2; exit 1 ;;
esac
bin/kustomizer
Executable
+13
View File
@@ -0,0 +1,13 @@
#!/usr/bin/env bash
[ $# != 1 ] && exit 1
dir=$1
base=$dir/../base
if [ -f $base/kustomization.yaml -a -f $dir/kustomization.yaml ]; then
cat > $base/_manifest.yaml
kubectl kustomize $dir
else
cat
fi
default.nix
-33
View File
@@ -1,33 +0,0 @@
let
sources = import ./nix;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
};
nixpkgs = sources.nixpkgs;
nixhelm = sources.nixhelm;
nixidy = import sources.nixidy { inherit nixpkgs; };
kube = pkgs.callPackage "${sources.nix-kube-gen}/lib/default.nix" { inherit pkgs; };
in
nixidy.lib.mkEnvs {
libOverlay = self: super: {
apps = import ./modules/lib.nix { inherit pkgs kube; };
};
modules = [
(
{ lib, ... }:
{
nixidy.charts = lib.helm.mkChartAttrs "${nixhelm}/charts";
}
)
./modules
./apps
./policies
];
envs = {
prod.modules = [ ./envs/prod.nix ];
staging.modules = [ ./envs/staging.nix ];
};
}
envs/environments.yaml.gotmpl
+23
View File
@@ -0,0 +1,23 @@
environments:
default:
values:
- ../values/values.yaml
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/*/values.yaml.gotmpl
- ../values/*/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
missingFileHandler: Info
prod:
values:
- ../values.yaml
- ../values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/*/values.yaml.gotmpl
- ../values/*/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
missingFileHandler: Info
staging:
values:
- ../values.yaml
- ../values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/*/values.yaml.gotmpl
- ../values/*/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
missingFileHandler: Info
flake.lock
Generated
-666
View File
@@ -1,666 +0,0 @@
{
"nodes": {
"cargo2nix": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_5",
"nixpkgs": "nixpkgs_3",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1699033427,
"narHash": "sha256-OVtd5IPbb4NvHibN+QvMrMxq7aZN5GFoINZSAXKjUdA=",
"owner": "cargo2nix",
"repo": "cargo2nix",
"rev": "c6f33051f412352f293e738cc8da6fd4c457080f",
"type": "github"
},
"original": {
"owner": "cargo2nix",
"ref": "release-0.11.0",
"repo": "cargo2nix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_7"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"haumea": {
"inputs": {
"nixpkgs": [
"nixhelm",
"nixpkgs"
]
},
"locked": {
"lastModified": 1685133229,
"narHash": "sha256-FePm/Gi9PBSNwiDFq3N+DWdfxFq0UKsVVTJS3cQPn94=",
"owner": "nix-community",
"repo": "haumea",
"rev": "34dd58385092a23018748b50f9b23de6266dffc2",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.2.2",
"repo": "haumea",
"type": "github"
}
},
"kubenix": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixidy",
"nixpkgs"
],
"systems": "systems_6",
"treefmt": "treefmt"
},
"locked": {
"lastModified": 1718110643,
"narHash": "sha256-KrEOCx/bpN++sySOEL5EO5AhYsqRZZk+CXacueUeSl4=",
"owner": "hall",
"repo": "kubenix",
"rev": "a04066c45526c6d8410ba998134f692ff991b4f3",
"type": "github"
},
"original": {
"owner": "hall",
"repo": "kubenix",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-kube-generators": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nix-kube-generators_2": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nix-kube-generators_3": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nixhelm": {
"inputs": {
"flake-utils": "flake-utils_2",
"haumea": "haumea",
"nix-kube-generators": "nix-kube-generators_2",
"nixpkgs": [
"nixpkgs"
],
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1728868745,
"narHash": "sha256-ZuaxkAtUL1visOmVMxgHk3j+H8/bMmm82tJfE1s35VY=",
"owner": "farcaller",
"repo": "nixhelm",
"rev": "f901d2ba3ce1bd0086d50efdcce3cc76bce04d80",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nixhelm",
"type": "github"
}
},
"nixidy": {
"inputs": {
"flake-utils": "flake-utils_4",
"kubenix": "kubenix",
"nix-kube-generators": "nix-kube-generators_3",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1728815994,
"narHash": "sha256-uF6HAoDMAX0cZbKH27k/0UpIteQMhyLkP1rYKUfj5ys=",
"owner": "arnarg",
"repo": "nixidy",
"rev": "6e20193c95a0aaca444289d7c69f4eb329d25234",
"type": "github"
},
"original": {
"owner": "arnarg",
"ref": "HEAD",
"repo": "nixidy",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1702151865,
"narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1720386169,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1728492678,
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1697382362,
"narHash": "sha256-PvFjWFmSYOF6TjNZ/WjOeqa+sgaWm+83Fz37vEuATHA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ad9a253a0d34f313707f9c25fb8c95c65b1c8882",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": "flake-utils_3",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixhelm",
"nixpkgs"
],
"systems": "systems_4",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1718285706,
"narHash": "sha256-DScsBM+kZvxOva7QegfdtleebMXh30XPxDQr/1IGKYo=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "a5be1bbbe0af0266147a88e0ec43b18c722f2bb9",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1728778939,
"narHash": "sha256-WybK5E3hpGxtCYtBwpRj1E9JoiVxe+8kX83snTNaFHE=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "ff68f91754be6f3427e4986d7949e6273659be1d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nix-kube-generators": "nix-kube-generators",
"nixhelm": "nixhelm",
"nixidy": "nixidy",
"nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks",
"yaml2nix": "yaml2nix"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"yaml2nix",
"cargo2nix",
"flake-utils"
],
"nixpkgs": [
"yaml2nix",
"cargo2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1697336027,
"narHash": "sha256-ctmmw7j4liyfSh63v9rdFZeIoNYCkCvgqvtEOB7KhX8=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "e494404d36a41247987eeb1bfc2f1ca903e97764",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt": {
"inputs": {
"nixpkgs": [
"nixidy",
"kubenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1688026376,
"narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717850719,
"narHash": "sha256-npYqVg+Wk4oxnWrnVG7416fpfrlRhp/lQ6wQ4DHI8YE=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "4fc1c45a5f50169f9f29f6a98a438fb910b834ed",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"yaml2nix": {
"inputs": {
"cargo2nix": "cargo2nix",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1726132715,
"narHash": "sha256-DkHWWpvBco2yodyOk40LjTNcoaJ1bFKf0JY9OwWgy5M=",
"owner": "euank",
"repo": "yaml2nix",
"rev": "3a6df359da40ee49cb9ed597c2400342b76f2083",
"type": "github"
},
"original": {
"owner": "euank",
"repo": "yaml2nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}
flake.nix
-148
View File
@@ -1,148 +0,0 @@
{
description = "My ArgoCD configuration with nixidy.";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
nixidy = {
url = "github:juselius/nixidy?ref=HEAD";
# url = "github:juselius/nixidy?ref=special-args";
# url = "/home/jonas/src/OceanBox/nixidy";
# inputs.nixpkgs.follows = "nixpkgs";
};
nixhelm = {
url = "github:farcaller/nixhelm";
inputs.nixpkgs.follows = "nixpkgs";
};
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-kube-generators.url = "github:farcaller/nix-kube-generators";
yaml2nix = {
url = "github:euank/yaml2nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
};
outputs =
{
self,
nixpkgs,
flake-utils,
nixidy,
nixhelm,
yaml2nix,
pre-commit-hooks,
nix-kube-generators,
}:
(flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = import nixpkgs { inherit system; };
kube = nix-kube-generators.lib { inherit pkgs; };
lib = {
apps = import ./modules/lib.nix { inherit pkgs kube;};
};
in
{
nixidyEnvs = nixidy.lib.mkEnvs {
inherit pkgs;
extraSpecialArgs = { inherit lib; };
charts = nixhelm.chartsDerivations.${system};
modules = [
./modules
./apps
./policies
];
envs = {
prod.modules = [ ./envs/prod.nix ];
staging.modules = [ ./envs/staging.nix ];
};
};
checks = {
pre-commit-check = pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {
nixfmt-rfc-style.enable = false;
deadnix.enable = false;
statix.enable = false;
};
};
};
packages = {
nixidy = nixidy.packages.${system}.default;
generators = {
cilium = nixidy.packages.${system}.generators.fromCRD {
name = "cilium";
src = pkgs.fetchFromGitHub {
owner = "cilium";
repo = "cilium";
rev = "v1.16.0";
hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
};
crds = [
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
];
};
kyverno = nixidy.packages.${system}.generators.fromCRD {
name = "kyverno";
src = pkgs.fetchFromGitHub {
owner = "kyverno";
repo = "kyverno";
rev = "v1.12.6";
hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
};
crds = [
"config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
"config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
"config/crds/kyverno/kyverno.io_policies.yaml"
"config/crds/kyverno/kyverno.io_policyexceptions.yaml"
"config/crds/kyverno/kyverno.io_updaterequests.yaml"
];
};
};
};
apps = {
gen-crd = {
type = "app";
program =
(pkgs.writeShellScript "generate-modules" ''
set -eo pipefail
echo "generate cilium"
cat ${self.packages.${system}.generators.cilium} > modules/cilium-crd.nix
echo "generate kyverno"
cat ${self.packages.${system}.generators.kyverno} > modules/kyverno-crd.nix
'').outPath;
};
};
devShells.default = pkgs.mkShellNoCC {
inherit (self.checks.${system}.pre-commit-check) shellHook;
nativeBuildInputs = with pkgs; [
self.checks.${system}.pre-commit-check.enabledPackages
nixidy.packages.${system}.default
yaml2nix.packages.${system}.default
nixd
nixfmt-rfc-style
just
fzf
];
NIXD_FLAGS = "--inlay-hints";
};
}
));
}
generate.nix
-44
View File
@@ -1,44 +0,0 @@
let
sources = import ./nix;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
};
nixpkgs = sources.nixpkgs;
nixidy = import sources.nixidy { inherit nixpkgs; };
in
{
cilium = nixidy.generators.fromCRD {
name = "cilium";
src = pkgs.fetchFromGitHub {
owner = "cilium";
repo = "cilium";
rev = "v1.16.0";
hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
};
crds = [
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
];
};
kyverno = nixidy.generators.fromCRD {
name = "kyverno";
src = pkgs.fetchFromGitHub {
owner = "kyverno";
repo = "kyverno";
rev = "v1.12.6";
hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
};
crds = [
"config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
"config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
"config/crds/kyverno/kyverno.io_policies.yaml"
"config/crds/kyverno/kyverno.io_policyexceptions.yaml"
"config/crds/kyverno/kyverno.io_updaterequests.yaml"
];
};
}
helmfile.d/argo.yaml.gotmpl
+68
View File
@@ -0,0 +1,68 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: argo
url: 'https://argoproj.github.io/argo-helm'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: argocd
namespace: argocd
chart: argo/argo-cd
version: 7.8.0
condition: argo.enabled
values:
- ../values/argo/values/argocd.yaml.gotmpl
- ../values/argo/values/argocd-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/argo/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: argocd-apps
namespace: argocd
chart: argo/argocd-apps
version: 0.0.1
condition: argo.apps.enabled
values:
- ../values/argo/values/apps.yaml.gotmpl
missingFileHandler: Info
- name: argo-rollouts
namespace: argocd
chart: argo/argo-rollouts
version: 2.35.2
condition: argo.rollouts.enabled
values:
- ../values/argo/values/rollouts.yaml.gotmpl
missingFileHandler: Info
- name: argo-workflows
namespace: argocd
chart: argo/argo-workflows
version: 0.45.0
condition: argo.workflows.enabled
missingFileHandler: Info
- name: argo-manifests
namespace: argocd
chart: _argo
condition: argo.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/argo/values.yaml.gotmpl
- ../values/argo/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/argo/manifests
- _argo
helmfile.d/cert-manager.yaml.gotmpl
+42
View File
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: cert-manager
url: 'https://charts.jetstack.io'
commonLabels:
tier: system
releases:
- name: cert-manager
namespace: cert-manager
chart: cert-manager/cert-manager
version: 1.12.13
condition: cert_manager.enabled
values:
- ../values/cert-manager/values/cert-manager.yaml.gotmpl
- ../values/cert-manager/values/cert-manager-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/cert-manager/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: cert-manager-manifests
namespace: cert-manager
chart: _cert-manager-manifests
condition: cert_manager.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/cert-manager/values.yaml.gotmpl
- ../values/cert-manager/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/cert-manager/manifests
- _cert-manager-manifests
helmfile.d/cilium.yaml.gotmpl
+57
View File
@@ -0,0 +1,57 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: cilium
url: 'https://helm.cilium.io'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: cilium
namespace: kube-system
chart: cilium/cilium
version: 1.16.2
condition: cilium.enabled
values:
- ../values/cilium/values/cilium.yaml.gotmpl
- ../values/cilium/values/cilium-{{ .Environment.Name }}.yaml.gotmpl
missingFileHandler: Info
- name: spire-manifests
namespace: cilium
chart: _sprire-manifests
condition: cilium.spire.enabled
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/cilium/spire-manifests
- _spire-manifests
- name: cilium-manifests
namespace: cilium
chart: _cilium-manifests
condition: cilium.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/cilium/values.yaml.gotmpl
- ../values/cilium/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/cilium/cilium-manifests
- _cilium-manifests
helmfile.d/ingress-nginx.yaml.gotmpl
+42
View File
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: ingress-nginx
url: 'https://kubernetes.github.io/ingress-nginx'
commonLabels:
tier: system
releases:
- name: ingress-nginx
namespace: ingress-nginx
chart: ingress-nginx/ingress-nginx
version: 4.8.3
condition: nginx.enabled
values:
- ../values/ingress-nginx/values/ingress-nginx.yaml.gotmpl
- ../values/ingress-nginx/values/ingress-nginx-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/ingress-nginx/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: ingress-nginx-manifests
namespace: ingress-nginx
chart: _ingress-nginx-manifests
condition: nginx.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/ingress-nginx/values.yaml.gotmpl
- ../values/ingress-nginx/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/ingress-nginx/manifests
- _ingress-nginx-manifests
helmfile.d/kyverno.yaml.gotmpl
+46
View File
@@ -0,0 +1,46 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: kyverno
url: 'https://kyverno.github.io/kyverno/'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: kyverno
namespace: kyverno
chart: kyverno/kyverno
version: 3.2.5
condition: kyverno.enabled
values:
- ../values/kyverno/values/kyverno.yaml.gotmpl
- ../values/kyverno/values/kyverno-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/postgres-operator/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: kyverno-manifests
namespace: kyverno
chart: _kyverno-manifests
condition: kyverno.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/kyverno/values.yaml.gotmpl
- ../values/kyverno/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/kyverno/manifests
- _kyverno-manifests
helmfile.d/metrics-server.yaml.gotmpl
+42
View File
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: metrics-server
url: 'https://kubernetes-sigs.github.io/metrics-server/'
commonLabels:
tier: system
releases:
- name: metrics-server
namespace: kube-system
chart: metrics-server/metrics-server
version: 3.8.2
condition: metrics_server.enabled
values:
- ../values/metrics-server/values/metrics-server.yaml.gotmpl
- ../values/metrics-server/values/metrics-server-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/metrics-server/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: metrics-server-manifests
namespace: kube-system
chart: _metrics-server-manifests
condition: metrics_server.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/metrics-server/values.yaml.gotmpl
- ../values/metrics-server/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/metrics-server/manifests
- _metrics-server-manifests
helmfile.d/nfs-provisioner.yaml.gotmpl
+42
View File
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: nfs-provisioner
url: 'https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/'
commonLabels:
tier: system
releases:
- name: nfs-provisioner
namespace: kube-system
chart: nfs-provisioner/nfs-subdir-external-provisioner
version: 4.0.13
condition: nfs_provisioner.enabled
values:
- ../values/nfs-provisioner/values/nfs-provisioner.yaml.gotmpl
- ../values/nfs-provisioner/values/nfs-provisioner-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/nfs-provisioner/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: nfs-provisioner-manifests
namespace: kube-system
chart: _nfs-provisioner-manifests
condition: nfs_provisioner.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/nfs-provisioner/values.yaml.gotmpl
- ../values/nfs-provisioner/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/nfs-provisioner/manifests
- _nfs-provisioner-manifests
helmfile.d/postgres-operator.yaml.gotmpl
+45
View File
@@ -0,0 +1,45 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: cloudnative-pg
url: 'https://cloudnative-pg.github.io/charts'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: postgres-operator
namespace: cnpg
chart: cloudnative-pg/cloudnative-pg
version: 0.18.2
condition: postgres_operator.enabled
values:
- ../values/postgres-operator/values/postgres-operator.yaml.gotmpl
- ../values/postgres-operator/values/postgres-operator-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/postgres-operator/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: postgres-operator-manifests
namespace: cnpg
chart: _postgres-operator-manifests
condition: postgres_operator.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/postgres-operator/values.yaml.gotmpl
- ../values/postgres-operator/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/postgres-operator/manifests
- _postgres-operator-manifests
helmfile.d/prometheus.yaml.gotmpl
+43
View File
@@ -0,0 +1,43 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: prometheus
url: 'https://prometheus-community.github.io/helm-charts'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: prometheus
namespace: prometheus
chart: prometheus/kube-prometheus-stack
version: 62.7.0
condition: prometheus.enabled
values:
- ../values/prometheus/values/prometheus.yaml.gotmpl
- ../values/prometheus/values/prometheus-{{ .Environment.Name }}.yaml.gotmpl
missingFileHandler: Info
- name: prometheus-manifests
namespace: prometheus
chart: _prometheus-manifests
condition: prometheus.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/prometheus/values.yaml.gotmpl
- ../values/prometheus/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/prometheus/manifests
- _prometheus-manifests
helmfile.d/velero.yaml.gotmpl
+45
View File
@@ -0,0 +1,45 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: velero
url: 'https://vmware-tanzu.github.io/helm-charts'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: velero
namespace: velero
chart: velero/velero
version: 6.0.0
condition: velero.enabled
values:
- ../values/velero/values/velero.yaml.gotmpl
- ../values/velero/values/velero-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/velero/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: velero-manifests
namespace: velero
chart: _velero-manifests
condition: velero.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/velero/values.yaml.gotmpl
- ../values/velero/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: "../bin/helmify"
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/velero/manifests
- _velero-manifests
helmfile.d/x509-exporter.yaml.gotmpl
+42
View File
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: x509-exporter
url: 'https://charts.enix.io'
commonLabels:
tier: sys
releases:
- name: x509-exporter
namespace: x509-exporter
chart: x509-exporter/x509-certificate-exporter
version: 3.6.0
condition: x509_exporter.enabled
values:
- ../values/x509-exporter/values/x509-exporter.yaml.gotmpl
- ../values/x509-exporter/values/x509-exporter-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/x509-exporter/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: x509-exporter-manifests
namespace: x509-exporter
chart: _x509-exporter-manifests
condition: x509_exporter.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/x509-exporter/values.yaml.gotmpl
- ../values/x509-exporter/values-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/x509-exporter/manifests
- _x509-exporter-manifests
justfile
+6 -15
View File
@@ -1,17 +1,8 @@
default := "prod" [private]
default: default:
just --choose just --list -u
info target=default: # Render a specifc helm chart
nix run .#nixidy -- info .#{{target}} r HELMFILE ENV="default":
helmfile --environment={{ENV}} lint --args --quiet -f helmfile.d/{{HELMFILE}}.yaml.gotmpl
build target=default: helmfile --environment={{ENV}} template -q -f helmfile.d/{{HELMFILE}}.yaml.gotmpl --output-dir-template="../_manifests/{{HELMFILE}}/{{ENV}}"
nix run .#nixidy -- build .#{{target}}
switch target=default:
nix run .#nixidy -- switch .#{{target}}
generate:
nix build .#generators.cilium
nix build .#generators.kyverno
nix/default.nix
-80
View File
@@ -1,80 +0,0 @@
# Generated by npins. Do not modify; will be overwritten regularly
let
data = builtins.fromJSON (builtins.readFile ./sources.json);
version = data.version;
mkSource =
spec:
assert spec ? type;
let
path =
if spec.type == "Git" then
mkGitSource spec
else if spec.type == "GitRelease" then
mkGitSource spec
else if spec.type == "PyPi" then
mkPyPiSource spec
else if spec.type == "Channel" then
mkChannelSource spec
else
builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = path; };
mkGitSource =
{
repository,
revision,
url ? null,
hash,
branch ? null,
...
}:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null then
(builtins.fetchTarball {
inherit url;
sha256 = hash; # FIXME: check nix version & use SRI hashes
})
else
assert repository.type == "Git";
let
urlToName =
url: rev:
let
matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
short = builtins.substring 0 7 rev;
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
in
"${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName repository.url revision;
in
builtins.fetchGit {
url = repository.url;
rev = revision;
inherit name;
# hash = hash;
};
mkPyPiSource =
{ url, hash, ... }:
builtins.fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource =
{ url, hash, ... }:
builtins.fetchTarball {
inherit url;
sha256 = hash;
};
in
if version == 3 then
builtins.mapAttrs (_: mkSource) data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
nix/sources.json
-47
View File
@@ -1,47 +0,0 @@
{
"pins": {
"nix-kube-gen": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "farcaller",
"repo": "nix-kube-generators"
},
"branch": "master",
"revision": "2be4f3cb99e179d9f94e6c8723862421437f8efb",
"url": "https://github.com/farcaller/nix-kube-generators/archive/2be4f3cb99e179d9f94e6c8723862421437f8efb.tar.gz",
"hash": "0pgpr0szig7plmj7i4hjfkpcm4vgy0ingqr115wqjzbx5yjc6c7j"
},
"nixhelm": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "farcaller",
"repo": "nixhelm"
},
"branch": "master",
"revision": "cafa44fc8c2ad34baf6e5f1bdea3eb3a587a1f6d",
"url": "https://github.com/farcaller/nixhelm/archive/cafa44fc8c2ad34baf6e5f1bdea3eb3a587a1f6d.tar.gz",
"hash": "1waplza2c0wgq23v41ladfgqdq2wrbw889c973cm439940zj4mj1"
},
"nixidy": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "arnarg",
"repo": "nixidy"
},
"branch": "main",
"revision": "d28f45aea4d7b93928f1ea94f22a03a3f6dc25f6",
"url": "https://github.com/arnarg/nixidy/archive/d28f45aea4d7b93928f1ea94f22a03a3f6dc25f6.tar.gz",
"hash": "0ijxdh2432wvwyff1f5yfrjn93lzayrswi1bkasjpwaps9v6ld4r"
},
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre699031.2d2a9ddbe3f2/nixexprs.tar.xz",
"hash": "1vx044c8gdg1c8zmabzbi9xrgjgaz2bfqbl47xsgh517f580bycx"
}
},
"version": 3
}
npins/default.nix
+146
View File
@@ -0,0 +1,146 @@
/*
This file is provided under the MIT licence:
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
# Generated by npins. Do not modify; will be overwritten regularly
let
data = builtins.fromJSON (builtins.readFile ./sources.json);
version = data.version;
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range =
first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatMapStrings = f: list: concatStrings (map f list);
concatStrings = builtins.concatStringsSep "";
# If the environment variable NPINS_OVERRIDE_${name} is set, then use
# the path directly as opposed to the fetched source.
# (Taken from Niv for compatibility)
mayOverride =
name: path:
let
envVarName = "NPINS_OVERRIDE_${saneName}";
saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
ersatz = builtins.getEnv envVarName;
in
if ersatz == "" then
path
else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" (
if builtins.substring 0 1 ersatz == "/" then
/. + ersatz
else
/. + builtins.getEnv "PWD" + "/${ersatz}"
);
mkSource =
name: spec:
assert spec ? type;
let
path =
if spec.type == "Git" then
mkGitSource spec
else if spec.type == "GitRelease" then
mkGitSource spec
else if spec.type == "PyPi" then
mkPyPiSource spec
else if spec.type == "Channel" then
mkChannelSource spec
else if spec.type == "Tarball" then
mkTarballSource spec
else
builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = mayOverride name path; };
mkGitSource =
{
repository,
revision,
url ? null,
submodules,
hash,
branch ? null,
...
}:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null && !submodules then
builtins.fetchTarball {
inherit url;
sha256 = hash; # FIXME: check nix version & use SRI hashes
}
else
let
url =
if repository.type == "Git" then
repository.url
else if repository.type == "GitHub" then
"https://github.com/${repository.owner}/${repository.repo}.git"
else if repository.type == "GitLab" then
"${repository.server}/${repository.repo_path}.git"
else
throw "Unrecognized repository type ${repository.type}";
urlToName =
url: rev:
let
matched = builtins.match "^.*/([^/]*)(\\.git)?$" url;
short = builtins.substring 0 7 rev;
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
in
"${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName url revision;
in
builtins.fetchGit {
rev = revision;
inherit name;
# hash = hash;
inherit url submodules;
};
mkPyPiSource =
{ url, hash, ... }:
builtins.fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource =
{ url, hash, ... }:
builtins.fetchTarball {
inherit url;
sha256 = hash;
};
mkTarballSource =
{
url,
locked_url ? url,
hash,
...
}:
builtins.fetchTarball {
url = locked_url;
sha256 = hash;
};
in
if version == 5 then
builtins.mapAttrs mkSource data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
npins/sources.json
+37
View File
@@ -0,0 +1,37 @@
{
"pins": {
"gomod2nix": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "nix-community",
"repo": "gomod2nix"
},
"branch": "master",
"submodules": false,
"revision": "2cbd7fdd6eeab65c494cc426e18f4e4d2a5e35c0",
"url": "https://github.com/nix-community/gomod2nix/archive/2cbd7fdd6eeab65c494cc426e18f4e4d2a5e35c0.tar.gz",
"hash": "18hl5fz6aqg12ypkjramvlv43p413iwzy5zbvwl9m3kp5l4id2fi"
},
"helmfile-nix": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "remarkable",
"repo": "helmfile-nix"
},
"branch": "main",
"submodules": false,
"revision": "03b3de30d44b6e90e9425bad10476dadd75bcba9",
"url": "https://github.com/remarkable/helmfile-nix/archive/03b3de30d44b6e90e9425bad10476dadd75bcba9.tar.gz",
"hash": "12bdar6cb459vw9ldk73npvydbcjgb4ic8w416yf4i4alky3d9ib"
},
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre800239.b1bebd0fe266/nixexprs.tar.xz",
"hash": "0vnfj9d7kzk673i7s1vnkbx513a4gh5mfcd8fag2c7wi6hz471n6"
}
},
"version": 5
}
shell.nix
+31 -16
View File
@@ -1,24 +1,39 @@
let let
sources = import ./nix; sources = import ./npins;
system = builtins.currentSystem; system = builtins.currentSystem;
pkgs = import sources.nixpkgs { pkgs = import sources.nixpkgs {
inherit system; inherit system;
config = { }; config = { };
overlays = [ ]; overlays = [ (import "${sources.gomod2nix}/overlay.nix") ];
}; };
nixpkgs = sources.nixpkgs; helmfile-nix = import sources.helmfile-nix { inherit pkgs; };
nixidy = import sources.nixidy { inherit nixpkgs; }; helmWrap =
with pkgs;
wrapHelm kubernetes-helm {
plugins = with kubernetes-helmPlugins; [
helm-diff
helm-git
];
};
helmfileWrap = pkgs.helmfile-wrapped.override { inherit (helmWrap) pluginsDir; };
in in
{ pkgs.mkShellNoCC {
shell = pkgs.mkShellNoCC { name = "clstr";
name = "clstr";
nativeBuildInputs = with pkgs; [ packages = with pkgs; [
nixidy.nixidy # nix helpers
npins npins
nixfmt-rfc-style nix-converter
just
fzf # helm
]; helmWrap
NPINS_DIRECTORY = "nix"; helmfileWrap
}; helmfile-nix
# kubectl tools
kubectl-cnpg
kubectl-neat
];
ARGOCD_ENV_CLUSTER_NAME = "oceanbox";
} }
statix.toml
-7
View File
@@ -1,7 +0,0 @@
disabled = [
# I think enforcing this can often produce
# code that is harder to read.
"manual_inherit_from"
# Does not improve readability
"repeated_keys"
]
temp/atlantis.yaml.gotmpl
+37
View File
@@ -0,0 +1,37 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: atlantis
releases:
- name: atlantis
namespace: {{ .Environment.Name }}-atlantis
chart: ../charts/atlantis
condition: atlantis.enabled
values:
- ../values/atlantis/values/atlantis.yaml.gotmpl
- ../values/atlantis/values/atlantis-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/atlantis/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: atlantis-manifests
namespace: {{ .Environment.Name }}-atlantis
chart: _atlantis-manifests
condition: atlantis.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/atlantis/values.yaml.gotmpl
- ../values/atlantis/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/atlantis/manifests
- _atlantis-manifests
temp/dapr.yaml.gotmpl
+42
View File
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: dapr
url: 'https://dapr.github.io/helm-charts/'
commonLabels:
tier: aux
releases:
- name: dapr
namespace: dapr-system
chart: dapr/dapr
version: 1.14.4
condition: dapr.enabled
values:
- ../values/dapr/values/dapr.yaml.gotmpl
- ../values/dapr/values/dapr-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/dapr/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: dapr-manifests
namespace: dapr
chart: _dapr-manifests
condition: dapr.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/dapr/values.yaml.gotmpl
- ../values/dapr/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/dapr/manifests
- _dapr-manifests
temp/geoserver.yaml.gotmpl
+37
View File
@@ -0,0 +1,37 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: aux
releases:
- name: geoserver
namespace: {{ .Environment.Name }}-geoserver
chart: ../charts/geoserver
condition: geoserver.enabled
values:
- ../values/geoserver/values/geoserver.yaml.gotmpl
- ../values/geoserver/values/geoserver-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/geoserver/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: geoserver-manifests
namespace: {{ .Environment.Name }}-geoserver
chart: _geoserver-manifests
condition: geoserver.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/geoserver/values.yaml.gotmpl
- ../values/geoserver/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/geoserver/manifests
- _geoserver-manifests
temp/headscale.yaml.gotmpl
+37
View File
@@ -0,0 +1,37 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: aux
releases:
- name: headscale
namespace: {{ .Environment.Name }}-headscale
chart: ../charts/headscale
condition: headscale.enabled
values:
- ../values/headscale/values/headscale.yaml.gotmpl
- ../values/headscale/values/headscale-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/headscale/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: headscale-manifests
namespace: {{ .Environment.Name }}-headscale
chart: _headscale-manifests
condition: headscale.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/headscale/values.yaml.gotmpl
- ../values/headscale/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/headscale/manifests
- _headscale-manifests
temp/keycloak.yaml.gotmpl
+42
View File
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: keycloak
url: 'https://charts.bitnami.com/bitnami'
commonLabels:
tier: aux
releases:
- name: keycloak
namespace: keycloak
chart: keycloak/keycloak
version: 24.0.2
condition: keycloak.enabled
values:
- ../values/keycloak/values/keycloak.yaml.gotmpl
- ../values/keycloak/values/keycloak-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/keycloak/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: keycloak-manifests
namespace: keycloak
chart: _keycloak-manifests
condition: keycloak.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/keycloak/values.yaml.gotmpl
- ../values/keycloak/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/keycloak/manifests
- _keycloak-manifests
temp/loki.yaml.gotmpl
+42
View File
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: loki
url: 'https://grafana.github.io/helm-charts'
commonLabels:
tier: sys
releases:
- name: loki
namespace: loki
chart: loki/loki
version: 6.12.0
condition: loki.enabled
values:
- ../values/loki/values/loki.yaml.gotmpl
- ../values/loki/values/loki-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/loki/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: loki-manifests
namespace: loki
chart: _loki-manifests
condition: loki.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/loki/values.yaml.gotmpl
- ../values/loki/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/loki/manifests
- _loki-manifests
temp/nix/argo.gotmpl.nix
+92
View File
@@ -0,0 +1,92 @@
{ var, ... }:
{
bases = [
"../envs/environments.yaml.gotmpl"
];
repositories = [
{
name = "argo";
url = "https://argoproj.github.io/argo-helm";
}
];
commonLabels = {
tier = "system";
};
releases = [
{
name = "argocd";
namespace = "argocd";
chart = "argo/argo-cd";
version = "7.5.2";
condition = "argo.enabled";
values = [
"../values/argo/values/argocd.yaml.gotmpl"
"../values/argo/values/argocd-${var.environment.name}.yaml.gotmpl"
];
postRenderer = "../bin/kustomizer";
postRendererArgs = [
"../values/argo/kustomize/${var.environment.name}"
];
missingFileHandler = "Info";
}
{
name = "argocd-apps";
namespace = "argocd";
chart = "argo/argocd-apps";
version = "0.0.1";
condition = "argo.apps.enabled";
values = [
"../values/argo/values/apps.yaml.gotmpl"
];
missingFileHandler = "Info";
}
{
name = "argo-rollouts";
namespace = "argocd";
chart = "argo/argo-rollouts";
version = "2.35.2";
condition = "argo.rollouts.enabled";
values = [
"../values/argo/values/rollouts.yaml.gotmpl"
];
missingFileHandler = "Info";
}
{
name = "argo-workflows";
namespace = "argocd";
chart = "argo/argo-workflows";
version = "0.45.0";
condition = "argo.workflows.enabled";
missingFileHandler = "Info";
}
{
name = "argo-manifests";
namespace = "argocd";
chart = "_argo";
condition = "argo.enabled";
values = [
# "../values/values-${var.CLUSTER_NAME}.yaml"
"../values/argo/values.yaml.gotmpl"
# "../values/argo/values-${var.CLUSTER_NAME}.yaml.gotmpl"
];
missingFileHandler = "Info";
hooks = [
{
events = [
"prepare"
"cleanup"
];
showlogs = true;
command = "../bin/helmify";
args = [
# "${if (var.event.name == "prepare") then "build" else "clean"}"
# "${var.release.chart}"
"${var.environment.name}"
"../values/argo/manifests"
"_argo"
];
}
];
}
];
}
temp/nix/helmfile.gotmpl.nix
+94
View File
@@ -0,0 +1,94 @@
{ var, escape_var, ... }:
[
{
bases = [
"../envs/environments.yaml.gotmpl"
];
repositories = [
{
name = "argo";
url = "https://argoproj.github.io/argo-helm";
}
];
commonLabels = {
tier = "system";
};
releases = [
{
name = "argocd";
namespace = "argocd";
chart = "argo/argo-cd";
version = "7.5.2";
condition = "argo.enabled";
values = [
"../values/argo/values/argocd.yaml.gotmpl"
"../values/argo/values/argocd-${var.environment.name}.yaml.gotmpl"
];
postRenderer = "../bin/kustomizer";
postRendererArgs = [
"../values/argo/kustomize/${var.environment.name}"
];
missingFileHandler = "Info";
}
{
name = "argocd-apps";
namespace = "argocd";
chart = "argo/argocd-apps";
version = "0.0.1";
condition = "argo.apps.enabled";
values = [
"../values/argo/values/apps.yaml.gotmpl"
];
missingFileHandler = "Info";
}
{
name = "argo-rollouts";
namespace = "argocd";
chart = "argo/argo-rollouts";
version = "2.35.2";
condition = "argo.rollouts.enabled";
values = [
"../values/argo/values/rollouts.yaml.gotmpl"
];
missingFileHandler = "Info";
}
{
name = "argo-workflows";
namespace = "argocd";
chart = "argo/argo-workflows";
version = "0.45.0";
condition = "argo.workflows.enabled";
missingFileHandler = "Info";
}
{
name = "argo-manifests";
namespace = "argocd";
chart = "_argo";
condition = "argo.enabled";
values = [
(escape_var "../values/values-{{requiredEnv \"CLUSTER_NAME\"}}.yaml")
"../values/argo/values.yaml.gotmpl"
(escape_var "../values/argo/values-{{requiredEnv \"CLUSTER_NAME\"}}.yaml.gotmpl")
];
missingFileHandler = "Info";
hooks = [
{
events = [
"prepare"
"cleanup"
];
showlogs = true;
command = "../bin/helmify";
args = [
(escape_var "{{ if eq .Event.Name \"prepare\" }}build{{ else }}clean{{ end }}")
(escape_var "{{ .Release.Chart | toJson }}")
(escape_var "{{ .Environment.Name | toJson }}")
"../values/argo/manifests"
"_argo"
];
}
];
}
];
}
]
temp/openfga.yaml.gotmpl
+41
View File
@@ -0,0 +1,41 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: openfga
url: 'https://openfga.github.io/helm-charts'
commonLabels:
tier: aux
releases:
- name: openfga
namespace: {{ .Environment.Name }}-openfga
chart: openfga/openfga
condition: openfga.enabled
values:
- ../values/openfga/values/openfga.yaml.gotmpl
- ../values/openfga/values/openfga-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/openfga/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: openfga-manifests
namespace: {{ .Environment.Name }}-openfga
chart: _openfga-manifests
condition: openfga.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/openfga/values.yaml.gotmpl
- ../values/openfga/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/openfga/manifests
- _openfga-manifests
temp/otel-collector.yaml.gotmpl
+37
View File
@@ -0,0 +1,37 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: sys
releases:
- name: otel-collector
namespace: {{ .Environment.Name }}-otel-collector
chart: ../charts/otel-collector
condition: otel-collector.enabled
values:
- ../values/otel-collector/values/otel-collector.yaml.gotmpl
- ../values/otel-collector/values/otel-collector-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/otel-collector/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: otel-collector-manifests
namespace: {{ .Environment.Name }}-otel-collector
chart: _otel-collector-manifests
condition: otel-collector.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/otel-collector/values.yaml.gotmpl
- ../values/otel-collector/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/otel-collector/manifests
- _otel-collector-manifests
temp/plausible.yaml.gotmpl
+37
View File
@@ -0,0 +1,37 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: aux
releases:
- name: plausible
namespace: {{ .Environment.Name }}-plausible
chart: ../charts/plausible
condition: plausible.enabled
values:
- ../values/plausible/values/plausible.yaml.gotmpl
- ../values/plausible/values/plausible-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/plausible/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: plausible-manifests
namespace: {{ .Environment.Name }}-plausible
chart: _plausible-manifests
condition: plausible.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/plausible/values.yaml.gotmpl
- ../values/plausible/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/plausible/manifests
- _plausible-manifests
temp/rabbitmq.yaml.gotmpl
+42
View File
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: rabbitmq
url: 'https://charts.bitnami.com/bitnami'
commonLabels:
tier: aux
releases:
- name: rabbitmq
namespace: {{ .Environment.Name }}-rabbitmq
chart: rabbitmq/rabbitmq
version: 12.9.0
condition: rabbitmq.enabled
values:
- ../values/rabbitmq/values/rabbitmq.yaml.gotmpl
- ../values/rabbitmq/values/rabbitmq-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/rabbitmq/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: rabbitmq-manifests
namespace: {{ .Environment.Name }}-rabbitmq
chart: _rabbitmq-manifests
condition: rabbitmq.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/rabbitmq/values.yaml.gotmpl
- ../values/rabbitmq/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/rabbitmq/manifests
- _rabbitmq-manifests
temp/redis.yaml.gotmpl
+42
View File
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: redis
url: 'https://charts.bitnami.com/bitnami'
commonLabels:
tier: aux
releases:
- name: redis
namespace: {{ .Environment.Name }}-redis
chart: redis/redis
condition: redis.enabled
version: 19.5.2
values:
- ../values/redis/values/redis.yaml.gotmpl
- ../values/redis/values/redis-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/redis/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: redis-manifests
namespace: {{ .Environment.Name }}-redis
chart: _redis-manifests
condition: redis.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/redis/values.yaml.gotmpl
- ../values/redis/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/redis/manifests
- _redis-manifests
temp/tempo.yaml.gotmpl
+43
View File
@@ -0,0 +1,43 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: tempo
url: 'https://grafana.github.io/helm-charts'
commonLabels:
tier: sys
releases:
- name: tempo
namespace: tempo
chart: tempo/tempo
version: 0.14.0
condition: tempo.enabled
values:
- ../values/tempo/values/tempo.yaml.gotmpl
- ../values/tempo/values/tempo-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/tempo/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: tempo-manifests
namespace: tempo
chart: _tempo-manifests
condition: tempo.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/tempo/values.yaml.gotmpl
- ../values/tempo/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/tempo/manifests
- _tempo-manifests
temp/wordpress.yaml.gotmpl
+37
View File
@@ -0,0 +1,37 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: sys
releases:
- name: wordpress
namespace: {{ .Environment.Name }}-wordpress
chart: ../charts/wordpress
condition: wordpress.enabled
values:
- ../values/wordpress/values/wordpress.yaml.gotmpl
- ../values/wordpress/values/wordpress-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/wordpress/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: wordpress-manifests
namespace: {{ .Environment.Name }}-wordpress
chart: _wordpress-manifests
condition: wordpress.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/wordpress/values.yaml.gotmpl
- ../values/wordpress/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/wordpress/manifests
- _wordpress-manifests
values/argo/kustomize/base/kustomization.yaml
+4
View File
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- _manifest.yaml
values/argo/kustomize/default/kustomization.yaml
+4
View File
@@ -0,0 +1,4 @@
generatorOptions:
disableNameSuffixHash: true
resources:
- ../base
values/argo/manifests/argo.yaml
+41
View File
@@ -0,0 +1,41 @@
{{- if .Values.clusterConfig.argo.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: argocd
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "-1"
spec:
destination:
namespace: argocd
server: 'https://kubernetes.default.svc'
sources:
- repoURL: {{ .Values.clusterConfig.manifests }}
# targetRevision: HEAD
targetRevision: mrtz/helmify
path: helmfile.d
plugin:
name: helmfile-cmp
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterConfig.cluster }}
- name: HELMFILE_ENVIRONMENT
value: default
- name: HELMFILE_FILE_PATH
value: argo.yaml.gotmpl
project: sys
syncPolicy:
managedNamespaceMetadata:
labels:
component: sys
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
{{- if .Values.argocd.autosync }}
automated:
prune: true
# selfHeal: false
{{- end }}
{{- end }}
values/argo/manifests/dashboards/argocd.yaml
+4260
View File
File diff suppressed because it is too large Load Diff
values/argo/manifests/nodeport.yaml
+26
View File
@@ -0,0 +1,26 @@
apiVersion: v1
kind: Service
metadata:
name: argocd-server-nodeport
namespace: argocd
spec:
clusterIP: 10.102.84.163
clusterIPs:
- 10.102.84.163
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: http
nodePort: 30290
port: 80
targetPort: 8080
- name: https
nodePort: 31261
port: 443
targetPort: 8080
selector:
app.kubernetes.io/instance: argocd
app.kubernetes.io/name: argocd-server
type: NodePort
values/argo/manifests/policies/CiliumNetworkPolicy-allow-applicationset-ingress.yaml
+14
View File
@@ -0,0 +1,14 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-applicationset-ingress
namespace: argocd
spec:
description: Allow access from the ingress controller
endpointSelector:
matchLabels:
app.kubernetes.io/component: applicationset-controller
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-notifications.yaml
+13
View File
@@ -0,0 +1,13 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-argo-notifications
namespace: argocd
spec:
description: Allow access to the ArgoCD Notifications
egress:
- toFQDNs:
- matchName: slack.com
endpointSelector:
matchLabels:
app.kubernetes.io/component: notifications-controller
values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-repo-access-applicationset.yaml
+13
View File
@@ -0,0 +1,13 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-argo-repo-access-applicationset
namespace: argocd
spec:
description: Allow access to the ArgoCD repo Applicationset
egress:
- toEntities:
- world
endpointSelector:
matchLabels:
app.kubernetes.io/component: applicationset-controller
values/argo/manifests/policies/CiliumNetworkPolicy-allow-argo-repo-access.yaml
+13
View File
@@ -0,0 +1,13 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-argo-repo-access
namespace: argocd
spec:
description: Allow access to the ArgoCD repo server
egress:
- toEntities:
- world
endpointSelector:
matchLabels:
app.kubernetes.io/component: repo-server
values/argo/manifests/policies/CiliumNetworkPolicy-allow-chartmuseum-ingress.yaml
+14
View File
@@ -0,0 +1,14 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-chartmuseum-ingress
namespace: argocd
spec:
description: Allow access to the chartmuseum ingress
endpointSelector:
matchLabels:
app.kubernetes.io/name: chartmuseum
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
values/argo/manifests/policies/CiliumNetworkPolicy-allow-image-updater-repo-access.yaml
+13
View File
@@ -0,0 +1,13 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-image-updater-repo-access
namespace: argocd
spec:
description: Allow argoCD image updater to access github container registry
egress:
- toFQDNs:
- matchName: ghcr.io
endpointSelector:
matchLabels:
app.kubernetes.io/name: argocd-image-updater
values/argo/manifests/policies/CiliumNetworkPolicy-allow-ingress.yaml
+14
View File
@@ -0,0 +1,14 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-ingress
namespace: argocd
spec:
description: Allow access from the ingress controller
endpointSelector:
matchLabels:
app.kubernetes.io/component: server
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
values/argo/manifests/policies/CiliumNetworkPolicy-allow-kube-api.yaml
+16
View File
@@ -0,0 +1,16 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-kube-api
namespace: argocd
spec:
description: Allow access to the Kube API server
egress:
- toEntities:
- kube-apiserver
toPorts:
- ports:
- port: "6443"
protocol: TCP
endpointSelector:
matchLabels: {}
values/argo/manifests/policies/CiliumNetworkPolicy-allow-microsoft-sso.yaml
+16
View File
@@ -0,0 +1,16 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-microsoft-sso
namespace: argocd
spec:
description: Allow argoCD dex server to authenticate to microsoft online azure oatuh
egress:
- toFQDNs:
- matchName: login.microsoftonline.com
- matchPattern: '*.microsoftonline.com'
- matchName: github.com
- matchName: api.github.com
endpointSelector:
matchLabels:
app.kubernetes.io/name: argocd-dex-server
values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics-rollout.yaml
+18
View File
@@ -0,0 +1,18 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-prometheus-metrics-rollout
namespace: argocd
spec:
description: Allow access to the Prometheus metrics
endpointSelector:
matchLabels:
app.kubernetes.io/instance: argo-rollouts
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: prometheus
toPorts:
- ports:
- port: "8090"
protocol: TCP
values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics-workflows.yaml
+18
View File
@@ -0,0 +1,18 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-prometheus-metrics-workflows
namespace: argocd
spec:
description: Allow access to the Prometheus metrics
endpointSelector:
matchLabels:
app.kubernetes.io/instance: argo-workflows
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: prometheus
toPorts:
- ports:
- port: "9090"
protocol: TCP
values/argo/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
+30
View File
@@ -0,0 +1,30 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-prometheus-metrics
namespace: argocd
spec:
description: Allow access to the Prometheus metrics
endpointSelector:
matchLabels:
app.kubernetes.io/instance: argocd
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: prometheus
toPorts:
- ports:
- port: "8082"
protocol: TCP
- port: "8080"
protocol: TCP
- port: "9001"
protocol: TCP
- port: "9121"
protocol: TCP
- port: "8084"
protocol: TCP
- port: "8083"
protocol: TCP
- port: "5558"
protocol: TCP
values/argo/manifests/sys-project.yaml
+84
View File
@@ -0,0 +1,84 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: sys
namespace: argocd
spec:
clusterResourceWhitelist:
- group: '*'
kind: '*'
description: sys components project
destinations:
- namespace: argocd
server: https://kubernetes.default.svc
- namespace: kube-system
server: https://kubernetes.default.svc
- namespace: ingress-nginx
server: https://kubernetes.default.svc
- namespace: serit-operator
server: https://kubernetes.default.svc
- namespace: prometheus
server: https://kubernetes.default.svc
- namespace: cnpg
server: https://kubernetes.default.svc
- namespace: cert-manager
server: https://kubernetes.default.svc
- namespace: kubernetes-dashboard
server: https://kubernetes.default.svc
- namespace: rabbitmq
server: https://kubernetes.default.svc
- namespace: sealed-secrets
server: https://kubernetes.default.svc
- namespace: gitlab
server: https://kubernetes.default.svc
- namespace: thanos
server: https://kubernetes.default.svc
- namespace: linkerd
server: https://kubernetes.default.svc
- namespace: linkerd-multicluster
server: https://kubernetes.default.svc
- namespace: observability
server: https://kubernetes.default.svc
- namespace: kyverno
server: https://kubernetes.default.svc
- namespace: velero
server: https://kubernetes.default.svc
- namespace: loki
server: https://kubernetes.default.svc
- namespace: x509-exporter
server: https://kubernetes.default.svc
- namespace: mariadb-operator
server: https://kubernetes.default.svc
- namespace: cilium-spire
server: https://kubernetes.default.svc
- namespace: cilium-test
server: https://kubernetes.default.svc
- namespace: cilium-secrets
server: https://kubernetes.default.svc
sourceRepos:
- https://argoproj.github.io/argo-helm
- https://kubernetes-sigs.github.io/metrics-server/
- https://gitlab.com/oceanbox/manifests.git
- https://gitlab.com/serit/k8s/serit-platform.git
- https://gitlab.com/serit/k8s/serit-platform-values.git
- https://gitlab.com/serit/k8s/serit-platform-manifests.git
- https://gitlab.com/serit/k8s/serit-operator.git
- https://kubernetes.github.io/ingress-nginx
- https://cloudnative-pg.github.io/charts
- https://charts.jetstack.io
- https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
- https://github.com/kubernetes/dashboard
- https://bitnami-labs.github.io/sealed-secrets
- https://prometheus-community.github.io/helm-charts
- https://github.com/prometheus-community/helm-charts.git
- https://charts.gitlab.io/
- https://charts.bitnami.com/bitnami
- https://helm.linkerd.io/stable
- https://github.com/jaegertracing/jaeger-operator
- https://kyverno.github.io/kyverno/
- https://vmware-tanzu.github.io/helm-charts
- https://grafana.github.io/helm-charts
- https://charts.enix.io
- https://helm.mariadb.com/mariadb-operator
- https://helm.cilium.io
- https://chartmuseum.github.io/charts
values/argo/values.yaml.gotmpl
+35
View File
@@ -0,0 +1,35 @@
argo:
enabled: true
apps:
enabled: true
rollouts:
enabled: false
workflows:
enabled: false
argocd:
autosync: true
ingress:
enabled: true
adminLogin: false
kustomizeHelmSupport: false
applicationset_webhook:
enabled: false
anyNamespaces:
enabled: false
glob: ""
resources:
controller:
memory: 2000Mi
cpu: 250m
repoServers:
- name: "helmfile-cmp"
image: "registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest"
imagePullSecrets:
- gitlab-pull-secret
- name: "kustomize-helm-with-rewrite"
image: "registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest"
imagePullSecrets:
- gitlab-pull-secret
additional_rbac_settings:
- g, "eb17a659-4ce6-41bc-9153-d9b117c44479", role:org-admin
values/argo/values/apps.yaml.gotmpl
View File
values/argo/values/argocd.yaml.gotmpl
+306
View File
@@ -0,0 +1,306 @@
global:
domain: argocd.{{ .Values.clusterConfig.domain }}
## ArgoCD configuration
## Ref: https://github.com/argoproj/argo-cd
##
configs:
{{- if .Values.argocd.anyNamespaces.enabled }}
params:
applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
# TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
applicationsetcontroller.enable.scm.providers: "false"
application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
{{- end }}
cm:
application.resourceTrackingMethod: annotation+label
application.instanceLabelKey: app.kubernetes.io/instance
create: true
# NOTE(kai): callback URL for dex
url: "https://argocd.{{ .Values.clusterConfig.domain }}"
resource.compareoptions: |
ignoreAggregatedRoles: true
resource.exclusions: |
- apiGroups:
- cilium.io
kinds:
- CiliumIdentity
clusters:
- "*"
- apiGroups:
- kyverno.io
kinds:
- AdmissionReport
- BackgroundScanReport
- ClusterAdmissionReport
- ClusterBackgroundScanReport
clusters:
- "*"
# dex saml config
dex.config: |
logger:
level: debug
format: json
connectors:
{{- with .Values.clusterConfig.oidc }}
{{- range . }}
{{- if eq .provider "azuread" }}
- type: oidc
id: {{ .name }}
name: {{ .name }}
config:
issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0
clientID: ${{ .name | replace "-" "_" }}_client_id
clientSecret: ${{ .name | replace "-" "_" }}_client_secret
insecureSkipEmailVerified: true
requestedIDTokenClaims:
groups:
essential: true
insecureEnableGroups: true
requestedScopes:
- openid
- profile
- email
- groups
{{- else if eq .provider "github" }}
- type: github
id: {{ .name }}
name: {{ .name }}
config:
clientID: ${{ .name | replace "-" "_" }}_client_id
clientSecret: ${{ .name | replace "-" "_" }}_client_secret
redirectURI: https://argocd.{{ $.Values.clusterConfig.domain }}/api/dex/callback
orgs:
- name: {{ .allowed_organizations }}
loadAllGroups: true
teamNameField: slug
useLoginAsID: false
staticClients:
- id: ${{ .name | replace "-" "_" }}_client_id
name: Kubernetes
# These are kubectl oidc plugin internal URLs
redirectURIs:
- http://localhost:8000
- http://localhost:18000
# Random secret for the user to authenticat dex client
secret: 8d52926efe879ee505391b75f4b046cf
{{- end }}
{{- end }}
{{- end }}
admin.enabled: false
rbac:
# NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
policy.csv: |
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, projects, *, *, allow
p, role:org-admin, logs, get, *, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, clusters, update, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, repositories, create, *, allow
p, role:org-admin, repositories, update, *, allow
p, role:org-admin, repositories, delete, *, allow
g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin
{{- with .Values.argocd.additional_rbac_settings }}
{{- range .}}
{{ . }}
{{- end }}
{{- end }}
repositories:
# Repositories for applications
argo-helm:
type: helm
url: https://argoproj.github.io/argo-helm
# UI changes based on env
styles: |
/* blue, orange, red depending on env */
:root {
--test-color: #0f2cbd;
--dev-color: #33b025;
--staging-color: #ebac2f;
--prod-color: #ff000d;
}
.top-bar__breadcrumbs::after {
content: "cluster: {{.Values.clusterConfig.cluster}}, env: {{.Values.clusterConfig.env}} ";
color: var(--{{.Values.clusterConfig.env}}-color);
font-weight: bolder;
font-size: larger;
position: fixed;
left: 50%;
}
controller:
metrics:
enabled: true
serviceMonitor:
enabled: true
resources:
limits:
memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
requests:
cpu: {{ .Values.argocd.resources.controller.cpu | default "250m" }}
memory: {{ .Values.argocd.resources.controller.memory | default "1000Mi" }}
# Mount azure ca as file for SAML auth
dex:
metrics:
enabled: true
serviceMonitor:
enabled: true
{{- with .Values.clusterConfig.oidc }}
env:
{{- range . }}
- name: {{ .name | replace "-" "_" }}_client_secret
valueFrom:
secretKeyRef:
name: {{ .secret_ref.name }}
key: client_secret
- name: {{ .name | replace "-" "_" }}_client_id
valueFrom:
secretKeyRef:
name: {{ .secret_ref.name }}
key: client_id
{{- end }}
{{- end }}
redis:
metrics:
enabled: true
serviceMonitor:
enabled: true
repoServer:
metrics:
enabled: true
serviceMonitor:
enabled: true
{{- range .Values.argocd.repoServers }}
extraContainers:
- command:
- /var/run/argocd/argocd-cmp-server
image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
imagePullPolicy: Always
name: helmfile-cmp
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
- mountPath: /helm-working-dir
name: helm-working-dir
- command:
- /var/run/argocd/argocd-cmp-server
image: {{ .image }}
imagePullPolicy: Always
name: {{ .name }}
securityContext:
runAsNonRoot: true
runAsUser: 999
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: cmp-tmp
volumes:
- name: cmp-tmp
emptyDir: {}
imagePullSecrets:
{{- range .imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
initContainers:
- command:
- /bin/sh
- /plugin/init-helm-repos.sh
env:
- name: OCEANBOX_HELM_ACCESS_TOKEN
valueFrom:
secretKeyRef:
key: token
name: oceanbox-helm
optional: false
image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
imagePullPolicy: Always
name: init-helm-repos
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 999
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /helm-working-dir
name: helm-working-dir
# Configuration for argocd server instance
server:
metrics:
enabled: true
serviceMonitor:
enabled: true
ingress:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
{{- with .Values.clusterConfig.ingress_whitelist_ips }}
nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
{{- end }}
hosts:
- "argocd.{{ .Values.clusterConfig.domain }}"
tls:
- secretName: argocd-tls
hosts:
- "argocd.{{ .Values.clusterConfig.domain }}"
applicationSet:
metrics:
enabled: true
serviceMonitor:
enabled: true
{{- if .Values.argocd.anyNamespaces.enabled }}
allowAnyNamespaces: true
{{- end }}
ingress:
enabled: false
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
# {{- with .Values.clusterConfig.ingress_whitelist_ips}}
# NOTE(kai): include gitlab and github webhook ranges
# nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24
# {{- end }}
hostname: "argocd-applicationset.{{ .Values.clusterConfig.domain }}"
tls:
- secretName: argocd-applicationset-tls
hosts:
- "argocd-applicationset.{{ .Values.clusterConfig.domain }}"
notifications:
metrics:
enabled: true
serviceMonitor:
enabled: true
secret:
create: false
cm:
create: false
values/argo/values/rollouts.yaml.gotmpl
+9
View File
@@ -0,0 +1,9 @@
dashboard:
enabled: {{ .Values.apps. true }}
controller:
metrics:
enabled: true
serviceMonitor:
enabled: true
values/argo/values/workflows.yaml.gotmpl
+9
View File
@@ -0,0 +1,9 @@
dashboard:
enabled: {{ .Values.apps. true }}
controller:
metrics:
enabled: true
serviceMonitor:
enabled: true
values/atlantis/chart
-1
View File
@@ -1 +0,0 @@
../../charts/atlantis
values/atlantis/base/acl.json → values/atlantis/kustomize/base/acl.json
View File
values/atlantis/base/defaultbackend.yaml → values/atlantis/kustomize/base/defaultbackend.yaml
View File
values/atlantis/base/deployment_patch.yaml → values/atlantis/kustomize/base/deployment_patch.yaml
View File
values/atlantis/base/ingress_patch.yaml → values/atlantis/kustomize/base/ingress_patch.yaml
View File
values/atlantis/base/kustomization.yaml → values/atlantis/kustomize/base/kustomization.yaml
View File
values/atlantis/base/service_patch.yaml → values/atlantis/kustomize/base/service_patch.yaml
View File
values/atlantis/prod/appsettings.json → values/atlantis/kustomize/prod/appsettings.json
View File
values/atlantis/prod/barentswatch-api.env → values/atlantis/kustomize/prod/barentswatch-api.env
View File
values/atlantis/prod/bindings.yaml → values/atlantis/kustomize/prod/bindings.yaml
View File
values/atlantis/prod/configurations.yaml → values/atlantis/kustomize/prod/configurations.yaml
View File
values/atlantis/prod/default.env → values/atlantis/kustomize/prod/default.env
View File
values/atlantis/prod/deployment_patch.yaml → values/atlantis/kustomize/prod/deployment_patch.yaml
View File
values/atlantis/prod/keyvault.yaml → values/atlantis/kustomize/prod/keyvault.yaml
View File
values/atlantis/prod/kustomization.yaml → values/atlantis/kustomize/prod/kustomization.yaml
View File

Some files were not shown because too many files have changed in this diff Show More