del(vault)

README.md

@@ -17,12 +17,13 @@ Heqet Keyfeatures:
 
 ## Components
 
-Core component is `ArgoCD` which will deploy all of Heqet's apps & your's if you want. All you need is a git-repo & k8s cluster.
+Core component is `ArgoCD` which will deploy all of Heqet's apps & also your's! All you need is a git-repo & k8s cluster.
 
-Hequet contains / will contain:
+Heqets application stack contains:
  * ArgoCD [Deploys all Applications from Git]
  * Prometheus, Grafana, Loki & fluentd - preconfigured for basic Monitoring and Logging
  * Kubernetes Dashboard
- * Traefik Ingress
+ * NGINX Ingress
+ * Cert-Manager
  * Jaeger [Tracing]
  * Rook [Block/Object-Strage]

manifests/heqet-apps.yaml

@@ -16,7 +16,7 @@ spec:
  namespace: heqet
  server: 'https://kubernetes.default.svc'
  source:
- path: charts/heqet
+ path: .
  repoURL: 'https://github.com/nold360/heqet'
  targetRevision: HEAD
  helm:

templates/_helpers.tpl

@@ -39,11 +39,11 @@ podAnnotations:
  heqet.gnu.one/app: "true"
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/role: "{{ .name }}-vault-ro"
- {{- if .secret }}
+ {{- if .secrets }}
  {{- $app := . }}
  {{- range .secrets }}
  {{- with $app }}
- vault.hashicorp.com/agent-inject-secret-{{ .path }}: "heqet/apps/{{ $app.name }}/{{ .name }}"
+ vault.hashicorp.com/agent-inject-secret-{{ .path |replace "/" "-" }}: "heqet/apps/{{ $app.name }}/{{ .name }}"
  {{- end }}
  {{- end }}
  {{- end }}

templates/heqet-apps.yaml

@@ -1,4 +1,5 @@
 {{- range .Values.apps -}}
+{{- if not .disabled }}
 ---
 apiVersion: v1
 kind: Namespace
@@ -70,9 +71,12 @@ spec:
  ignoreDifferences:
 {{ .ignoreDifferences | indent 4 }}
 {{- end }}
+{{- if $.Values.generators.vault }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ .name }}-vault-ro
 {{ end }}
+{{ end }}
+{{ end }}

values.d/cert-manager.yaml

@@ -1,17 +1,120 @@
-# Cert Manager Config
-acme:
- server: https://acme-v02.api.letsencrypt.org/directory
- email: [email protected]
+# Default values for cert-manager.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+global:
+ ## Reference to one or more secrets to be used when pulling images
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ imagePullSecrets: []
+ # - name: "image-pull-secret"
 
-installCRDs: false
+ # Optional priority class to be used for the cert-manager pods
+ priorityClassName: ""
+
+replicaCount: 1
+
+strategy: {}
+ # type: RollingUpdate
+ # rollingUpdate:
+ # maxSurge: 0
+ # maxUnavailable: 1
 
 image:
- tag: v0.15.1
+ repository: quay.io/jetstack/cert-manager-controller
+ tag: v0.6.2
+ pullPolicy: IfNotPresent
+
+# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
+# resources. By default, the same namespace as cert-manager is deployed within is
+# used. This namespace will not be automatically created by the Helm chart.
+clusterResourceNamespace: ""
+
+leaderElection:
+ # Override the namespace used to store the ConfigMap for leader election
+ namespace: ""
+
+rbac:
+ # Specifies whether RBAC resources should be created
+ create: true
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+
+# Optional additional arguments
+extraArgs: []
+ # Use this flag to set a namespace that cert-manager will use to store
+ # supporting resources required for each ClusterIssuer (default is kube-system)
+ # - --cluster-resource-namespace=kube-system
+
+extraEnv: []
+# - name: SOME_VAR
+# value: 'some value'
 
-cainjector:
- image:
- tag: v0.15.1
+resources: {}
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+# Pod Security Context
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext:
+ enabled: false
+ fsGroup: 1001
+ runAsUser: 1001
+
+podAnnotations:
+ vault.hashicorp.com/agent-inject-config: "heqet/apps/cert-manager/config"
+
+podLabels: {}
+# Optional DNS settings, useful if you have a public and private DNS zone for
+# the same domain on Route 53. What follows is an example of ensuring
+# cert-manager can access an ingress or DNS TXT records at all times.
+# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
+# the cluster to work.
+# podDnsPolicy: "None"
+# podDnsConfig:
+# nameservers:
+# - "1.1.1.1"
+# - "8.8.8.8"
+
+nodeSelector: {}
+
+ingressShim: {}
+ # defaultIssuerName: ""
+ # defaultIssuerKind: ""
+ # defaultACMEChallengeType: ""
+ # defaultACMEDNS01ChallengeProvider: ""
 
 webhook:
- image:
- tag: v0.15.1
+ enabled: true
+
+# Use these variables to configure the HTTP_PROXY environment variables
+# http_proxy: "http://proxy:8080"
+# http_proxy: "http://proxy:8080"
+# no_proxy: 127.0.0.1,localhost
+
+# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
+# for example:
+# affinity:
+# nodeAffinity:
+# requiredDuringSchedulingIgnoredDuringExecution:
+# nodeSelectorTerms:
+# - matchExpressions:
+# - key: foo.bar.com/role
+# operator: In
+# values:
+# - master
+affinity: {}
+
+# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
+# for example:
+# tolerations:
+# - key: foo.bar.com/role
+# operator: Equal
+# value: master
+# effect: NoSchedule
+tolerations: []

values.d/kubernetes-dashboard.yaml

@@ -1,6 +1,199 @@
-# Kube Dashboard Values
+# Default values for kubernetes-dashboard
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+image:
+ repository: k8s.gcr.io/kubernetes-dashboard-amd64
+ tag: v1.10.1
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+
+replicaCount: 1
+
+## Here annotations can be added to the kubernetes dashboard deployment
+annotations: {}
+## Here labels can be added to the kubernetes dashboard deployment
+##
+labels: {}
+# kubernetes.io/name: "Kubernetes Dashboard"
+
+
+## Enable possibility to skip login
+enableSkipLogin: false
+
+## Serve application over HTTP without TLS
+enableInsecureLogin: false
+
+## Additional container arguments
+##
+# extraArgs:
+# - --enable-skip-login
+# - --enable-insecure-login
+# - --system-banner="Welcome to Kubernetes"
+
+## Additional container environment variables
+##
+extraEnv: []
+# - name: SOME_VAR
+# value: 'some value'
+
+# Annotations to be added to kubernetes dashboard pods
+## Recommended value
+# podAnnotations:
+# seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
+podAnnotations: {}
+
+## SecurityContext for the kubernetes dashboard container
+## Recommended values
+# dashboardContainerSecurityContext:
+# allowPrivilegeEscalation: false
+# readOnlyRootFilesystem: true
+## The two values below can be set here or at podLevel (using variable .securityContext)
+# runAsUser: 1001
+# runAsGroup: 2001
+dashboardContainerSecurityContext: {}
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+# - key: "key"
+# operator: "Equal|Exists"
+# value: "value"
+# effect: "NoSchedule|PreferNoSchedule|NoExecute"
+
+## Affinity
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+affinity: {}
+
+# priorityClassName: ""
+
+service:
+ type: ClusterIP
+ externalPort: 443
+
+ ## This allows an override of the heapster service name
+ ## Default: {{ .Chart.Name }}
+ ##
+ # nameOverride:
+
+ # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to
+ # set allowed inbound rules on the security group assigned to the master load balancer
+ # loadBalancerSourceRanges: []
+
+ ## Kubernetes Dashboard Service annotations
+ ##
+ ## For GCE ingress, the following annotation is required:
+ ## service.alpha.kubernetes.io/app-protocols: '{"https":"HTTPS"}' if enableInsecureLogin=false
+ ## or
+ ## service.alpha.kubernetes.io/app-protocols: '{"http":"HTTP"}' if enableInsecureLogin=true
+ annotations: {}
+
+ ## Here labels can be added to the Kubernetes Dashboard service
+ ##
+ labels: {}
+ # kubernetes.io/name: "Kubernetes Dashboard"
+
+resources:
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+
+ingress:
+ ## If true, Kubernetes Dashboard Ingress will be created.
+ ##
+ enabled: false
+
+ ## Kubernetes Dashboard Ingress annotations
+ ##
+ ## Add custom labels
+ # labels:
+ # key: value
+ # annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: 'true'
+ ## If you plan to use TLS backend with enableInsecureLogin set to false
+ ## (default), you need to uncomment the below.
+ ## If you use ingress-nginx < 0.21.0
+ # nginx.ingress.kubernetes.io/secure-backends: "true"
+ ## if you use ingress-nginx >= 0.21.0
+ # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+
+
+ ## Kubernetes Dashboard Ingress paths
+ ##
+ paths:
+ - /
+ # - /*
+
+ ## Kubernetes Dashboard Ingress hostnames
+ ## Must be provided if Ingress is enabled
+ ##
+ # hosts:
+ # - kubernetes-dashboard.domain.com
+
+ ## Kubernetes Dashboard Ingress TLS configuration
+ ## Secrets must be manually created in the namespace
+ ##
+ # tls:
+ # - secretName: kubernetes-dashboard-tls
+ # hosts:
+ # - kubernetes-dashboard.domain.com
+
 rbac:
- clusterAdminRole: true
+ # Specifies whether RBAC resources should be created
+ create: true
+
+ # Specifies whether cluster-admin ClusterRole will be used for dashboard
+ # ServiceAccount (NOT RECOMMENDED).
+ clusterAdminRole: false
+
+ # Start in ReadOnly mode.
+ # Only dashboard-related Secrets and ConfigMaps will still be available for writing.
+ #
+ # Turn OFF clusterAdminRole to use clusterReadOnlyRole.
+ #
+ # The basic idea of the clusterReadOnlyRole comparing to the clusterAdminRole
+ # is not to hide all the secrets and sensitive data but more
+ # to avoid accidental changes in the cluster outside the standard CI/CD.
+ #
+ # Same as for clusterAdminRole, it is NOT RECOMMENDED to use this version in production.
+ # Instead you should review the role and remove all potentially sensitive parts such as
+ # access to persistentvolumes, pods/log etc.
+ clusterReadOnlyRole: false
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+
+livenessProbe:
+ # Number of seconds to wait before sending first probe
+ initialDelaySeconds: 30
+ # Number of seconds to wait for probe response
+ timeoutSeconds: 30
+
+podDisruptionBudget:
+ # https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ enabled: false
+ minAvailable:
+ maxUnavailable:
+
+
+## PodSecurityContext for pod level securityContext
+##
+# securityContext:
+# runAsUser: 1001
+# runAsGroup: 2001
+securityContext: {}
 
-# We use Ingress anyways
-enableInsecureLogin: true
+networkPolicy: false

values.yaml

@@ -23,12 +23,12 @@ generators:
  email: [email protected]
 
 
- # Vault Secret Injector
- # incl. ServiceAccount read-only ["ro"]
- vault:
- enabled: true
- createServiceAccount: true
- defaultPermissions: "ro"
+# # Vault Secret Injector
+# # incl. ServiceAccount read-only ["ro"]
+# vault:
+# enabled: false
+# createServiceAccount: true
+# defaultPermissions: "ro"
 
 # annotations:
 commonAnnotations:
@@ -70,6 +70,7 @@ apps:
  syncWave: "0"
  
  - name: vault
+ disabled: true
  repoURL: https://github.com/hashicorp/vault-helm
  vhost: vault.heqet.gnu.one
  syncWave: "0"