platform/manifests
1
1
Fork 0
Code Issues 7 Pull Requests 6 Actions Packages Projects Releases Wiki Activity
Files
9e1beb6895884aef66d8747bbdabf3b5bc752393
manifests/charts/vcluster/templates/vcluster.yaml
T
Jonas Juselius 61379ad665 fix: update vcluster adn remove kyverno policies
2024-10-09 14:07:23 +02:00

178 lines
6.2 KiB
YAML
Raw Blame History

{{- $fullname := include "vCluster.fullname" . -}}
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: {{ $fullname }}
namespace: argocd
spec:
project: vcluster
syncPolicy:
automated: {}
syncOptions:
- createNamespace=true
destination:
server: https://kubernetes.default.svc
namespace: {{ .Release.Namespace }}
source:
repoURL: https://charts.loft.sh
targetRevision: 0.20.1
chart: vcluster
helm:
values: |-
vcluster:
env:
{{ if .Values.persistence }}
- name: PG_PASSWORD
valueFrom:
secretKeyRef:
name: "{{ $fullname }}-db-app"
key: password
- name: K3S_DATASTORE_ENDPOINT
value: "postgres://k3s:$(PG_PASSWORD)@{{ $fullname }}-db-rw:5432/k3s"
{{ end }}
extraArgs:
- "--kube-apiserver-arg=oidc-client-id=9b6daef0-02fa-4574-8949-f7c1b5fccd15"
- "--kube-apiserver-arg=oidc-issuer-url=https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0"
- "--kube-apiserver-arg=oidc-groups-claim=roles"
- "--kube-apiserver-arg=oidc-username-claim=sub"
ingress:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
host: "{{ $fullname }}.beta.oceanbox.io"
tls:
- hosts:
- "{{ $fullname }}.beta.oceanbox.io"
secretName: "{{ $fullname }}-tls"
storage:
persistence: {{ .Values.persistence }}
# coredns:
# image: coredns/coredns:1.10.1
fallbackHostDns: true
multiNamespaceMode:
enabled: true
mapServices:
fromHost:
- from: "rabbitmq/{{ .Values.environment }}-rabbitmq"
to: "rabbitmq/{{ .Values.environment }}-rabbitmq"
- from: "{{ .Release.Namespace }}/{{ $name }}-archmaester-rw"
to: "atlantis/{{ $name }}-archmaester-rw"
- from: "idp/{{ .Values.environment }}-openfga"
to: "idp/{{ .Values.environment }}-openfga"
- from: "otel/opentelemetry-collector"
to: "otel/opentelemetry-collector"
- from: "idp/{{ .Values.environment }}-cerbos"
to: "idp/{{ .Values.environment }}-cerbos"
sync:
secrets:
all: true
configmaps:
all: true
ingresses:
enabled: true
generic:
clusterRole:
extraRules:
- apiGroups: [ "apiextensions.k8s.io" ]
resources: [ "customresourcedefinitions" ]
verbs: [ "get", "list", "watch" ]
role:
extraRules:
- apiGroups: ["postgresql.cnpg.io"]
resources: ["backups", "clusters", "poolers", "scheduledbackups" ]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
- apiGroups: [ "cilium.io" ]
resources: [ "ciliumnetworkpolicies" ]
verbs: [ "get", "list", "watch", "create", "patch" ]
config: |-
version: v1beta1
import:
- kind: Secret
apiVersion: v1
export:
- kind: Cluster
apiVersion: postgresql.cnpg.io/v1
init:
manifests: |-
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: oidc-cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: Group
name: eb17a659-4ce6-41bc-9153-d9b117c44479
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
namespace: kube-system
name: admin
---
apiVersion: v1
kind: Secret
metadata:
name: admin-token
namespace: kube-system
annotations:
kubernetes.io/service-account.name: admin
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: Namespace
metadata:
labels:
kubernetes.io/metadata.name: atlantis
name: atlantis
# The contents of manifests-template will be templated using helm
# this allows you to use helm values inside, e.g.: {{ .Release.Name }}
# manifestsTemplate: |-
# {{- range .Files.Lines "_atlantis.yaml" }}
# {{ . }}
# {{- end }}
helm:
- chart:
name: dapr
version: 1.14.0
repo: https://dapr.github.io/helm-charts/
release:
name: dapr
namespace: dapr-system
timeout: 180
values: |-
ha.enabled: false
# plugin:
# secret-syncer:
# image: registry.gitlab.com/oceanbox/vcluster-secret-syncer:v1.0.1
# imagePullPolicy: IfNotPresent
Reference in New Issue View Git Blame Copy Permalink