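{{- /*
Argo CD Application that installs a vcluster from the upstream chart.

This file is rendered by the wrapping chart first, so every template action
below is evaluated here - including the ones inside the `helm.values` block
scalar and the ones that sit inside `#` comments (Helm does not skip YAML
comments). Argo CD then hands the rendered `values` string to the vcluster
chart unchanged.

Inputs read from the wrapping chart: .Values.persistence, .Values.environment,
.Release.Namespace, plus the `vCluster.fullname` / `vCluster.releaseName`
named templates.
*/ -}}
{{- $fullname := include "vCluster.fullname" . -}}
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: {{ $fullname }}
  namespace: argocd
spec:
  project: vcluster
  syncPolicy:
    # Automated sync with neither prune nor selfHeal set: resources removed
    # from the chart are left in place and manual drift is not reverted.
    automated: {}
    syncOptions:
      - createNamespace=true
  destination:
    server: https://kubernetes.default.svc
    namespace: {{ .Release.Namespace }}
  source:
    repoURL: https://charts.loft.sh
    targetRevision: 0.20.1
    chart: vcluster
    helm:
      # NOTE(review): the values below use the pre-0.20 layout (vcluster.*,
      # storage.*, sync.generic.*, init.*). Confirm that chart 0.20.1 still
      # accepts this layout rather than requiring the converted vcluster.yaml
      # format; a rejected schema would fail the sync, not silently ignore keys.
      values: |-
        vcluster:
          env:
            {{ if .Values.persistence }}
            # Only when persistence is enabled: k3s is pointed at the CNPG
            # cluster "<fullname>-db". PG_PASSWORD must come before
            # K3S_DATASTORE_ENDPOINT because the $(PG_PASSWORD) reference is
            # expanded by Kubernetes in env-list order; the resulting URL puts
            # the database password into the container environment, so anyone
            # who can read pod specs / exec in the host namespace can obtain it.
            - name: PG_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ $fullname }}-db-app"
                  key: password
            - name: K3S_DATASTORE_ENDPOINT
              value: "postgres://k3s:$(PG_PASSWORD)@{{ $fullname }}-db-rw:5432/k3s"
            {{ end }}
          # OIDC login against Microsoft Entra ID. Usernames are the `sub`
          # claim and group membership is taken from the `roles` claim; the
          # cluster-admin binding in init.manifests below keys off that claim.
          extraArgs:
            - "--kube-apiserver-arg=oidc-client-id=9b6daef0-02fa-4574-8949-f7c1b5fccd15"
            - "--kube-apiserver-arg=oidc-issuer-url=https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0"
            - "--kube-apiserver-arg=oidc-groups-claim=roles"
            - "--kube-apiserver-arg=oidc-username-claim=sub"
        ingress:
          enabled: true
          ingressClassName: nginx
          annotations:
            cert-manager.io/cluster-issuer: letsencrypt-staging
            nginx.ingress.kubernetes.io/backend-protocol: HTTPS
            # NOTE(review): ingress-nginx documents SSL passthrough as a
            # layer-4 (TCP) feature that disables the other annotations on the
            # same Ingress. If that applies here, the source-range allow-list
            # and ssl-redirect below are not enforced on this host; confirm
            # against the running controller and, if the allow-list is relied
            # on, enforce it at the NetworkPolicy or controller level instead.
            nginx.ingress.kubernetes.io/ssl-passthrough: "true"
            nginx.ingress.kubernetes.io/ssl-redirect: "true"
            nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
          host: "{{ $fullname }}.beta.oceanbox.io"
          tls:
            - hosts:
                - "{{ $fullname }}.beta.oceanbox.io"
              secretName: "{{ $fullname }}-tls"
        storage:
          # Presumably renders empty (null) when .Values.persistence is unset,
          # in which case the PG env block above is also omitted - confirm
          # what the chart does with a null here.
          persistence: {{ .Values.persistence }}
        # coredns:
        #   image: coredns/coredns:1.10.1
        fallbackHostDns: true
        multiNamespaceMode:
          enabled: true
        # Host services exposed inside the vcluster. `from` is the host
        # namespace/name, `to` the virtual namespace/name. Every entry that
        # uses .Values.environment renders as "<ns>/-<suffix>" if that value
        # is unset.
        mapServices:
          fromHost:
            - from: "rabbitmq/{{ .Values.environment }}-rabbitmq"
              to: "rabbitmq/{{ .Values.environment }}-rabbitmq"
            - from: "{{ .Release.Namespace }}/{{ $name }}-archmaester-rw"
              to: "atlantis/{{ $name }}-archmaester-rw"
            - from: "idp/{{ .Values.environment }}-openfga"
              to: "idp/{{ .Values.environment }}-openfga"
            - from: "otel/opentelemetry-collector"
              to: "otel/opentelemetry-collector"
            - from: "idp/{{ .Values.environment }}-cerbos"
              to: "idp/{{ .Values.environment }}-cerbos"
        sync:
          # NOTE(review): `all: true` widens syncing from only-referenced
          # objects to every Secret/ConfigMap; confirm the direction (virtual
          # to host vs host to virtual) in the chart docs before relying on
          # it as an isolation boundary.
          secrets:
            all: true
          configmaps:
            all: true
          ingresses:
            enabled: true
          generic:
            # Host-side RBAC the syncer needs for the generic-sync config
            # below (read CRDs cluster-wide; manage CNPG objects and Cilium
            # network policies in the host namespace).
            clusterRole:
              extraRules:
                - apiGroups: [ "apiextensions.k8s.io" ]
                  resources: [ "customresourcedefinitions" ]
                  verbs: [ "get", "list", "watch" ]
            role:
              extraRules:
                - apiGroups: ["postgresql.cnpg.io"]
                  resources: ["backups", "clusters", "poolers", "scheduledbackups" ]
                  verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
                - apiGroups: [ "cilium.io" ]
                  resources: [ "ciliumnetworkpolicies" ]
                  verbs: [ "get", "list", "watch", "create", "patch" ]
            # Generic sync: CNPG Cluster objects created in the vcluster are
            # exported to the host; Secrets are imported back.
            config: |-
              version: v1beta1
              import:
                - kind: Secret
                  apiVersion: v1
              export:
                - kind: Cluster
                  apiVersion: postgresql.cnpg.io/v1
        init:
          # Applied inside the vcluster once at startup.
          manifests: |-
            ---
            # cluster-admin for every OIDC identity whose `roles` claim
            # contains this group id (see oidc-groups-claim above).
            kind: ClusterRoleBinding
            apiVersion: rbac.authorization.k8s.io/v1
            metadata:
              name: oidc-cluster-admin
            roleRef:
              apiGroup: rbac.authorization.k8s.io
              kind: ClusterRole
              name: cluster-admin
            subjects:
              - kind: Group
                name: eb17a659-4ce6-41bc-9153-d9b117c44479
            ---
            apiVersion: v1
            kind: ServiceAccount
            metadata:
              name: admin
              namespace: kube-system
            ---
            apiVersion: rbac.authorization.k8s.io/v1
            kind: ClusterRoleBinding
            metadata:
              name: admin
            roleRef:
              kind: ClusterRole
              name: cluster-admin
              apiGroup: rbac.authorization.k8s.io
            subjects:
              - kind: ServiceAccount
                namespace: kube-system
                name: admin
            ---
            # Long-lived legacy service-account token for the cluster-admin
            # `admin` account: it does not expire, so read access to Secrets
            # in kube-system of the vcluster equals cluster-admin. Keep the
            # secret's consumers to a minimum and rotate by deleting it.
            apiVersion: v1
            kind: Secret
            metadata:
              name: admin-token
              namespace: kube-system
              annotations:
                kubernetes.io/service-account.name: admin
            type: kubernetes.io/service-account-token
            ---
            apiVersion: v1
            kind: Namespace
            metadata:
              labels:
                kubernetes.io/metadata.name: atlantis
              name: atlantis
          # The contents of manifests-template will be templated using helm
          # this allows you to use helm values inside, e.g.: {{ .Release.Name }}
          # manifestsTemplate: |-
          #   {{- range .Files.Lines "_atlantis.yaml" }}
          #   {{ . }}
          #   {{- end }}
          # Charts installed inside the vcluster at startup.
          helm:
            - chart:
                name: dapr
                version: 1.14.0
                repo: https://dapr.github.io/helm-charts/
              release:
                name: dapr
                namespace: dapr-system
              timeout: 180
              # NOTE(review): as a values file this sets a literal key named
              # "ha.enabled", not a nested path, and the Dapr chart's HA switch
              # lives under global.ha.enabled (default false) - so this line is
              # presumably a no-op; confirm and drop or nest it.
              values: |-
                ha.enabled: false
        # plugin:
        #   secret-syncer:
        #     image: registry.gitlab.com/oceanbox/vcluster-secret-syncer:v1.0.1
        #     imagePullPolicy: IfNotPresent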