drone
nold 2 years ago
parent bef15267c1
commit 3e3a320569
  1. 7
      README.md
  2. 2
      manifests/heqet-apps.yaml
  3. 4
      templates/_helpers.tpl
  4. 4
      templates/heqet-apps.yaml
  5. 125
      values.d/cert-manager.yaml
  6. 201
      values.d/kubernetes-dashboard.yaml
  7. 13
      values.yaml

@ -17,12 +17,13 @@ Heqet Keyfeatures:
## Components
Core component is `ArgoCD` which will deploy all of Heqet's apps & your's if you want. All you need is a git-repo & k8s cluster.
Core component is `ArgoCD` which will deploy all of Heqet's apps & also your's! All you need is a git-repo & k8s cluster.
Hequet contains / will contain:
Heqets application stack contains:
* ArgoCD [Deploys all Applications from Git]
* Prometheus, Grafana, Loki & fluentd - preconfigured for basic Monitoring and Logging
* Kubernetes Dashboard
* Traefik Ingress
* NGINX Ingress
* Cert-Manager
* Jaeger [Tracing]
* Rook [Block/Object-Strage]

@ -16,7 +16,7 @@ spec:
namespace: heqet
server: 'https://kubernetes.default.svc'
source:
path: charts/heqet
path: .
repoURL: 'https://github.com/nold360/heqet'
targetRevision: HEAD
helm:
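Review bot: With `path: .` the Application now renders the repository root, and the surrounding context line `targetRevision: HEAD` means every push to the default branch is deployed to the cluster automatically, with no pin to a tag or reviewed commit. If that is intended for this cluster, a comment such as `# HEAD tracks the default branch; pin to a release tag for production` would make the trade-off explicit; otherwise a branch or tag name is the safer `targetRevision`. The Application spec continues outside the hunk.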

@ -39,11 +39,11 @@ podAnnotations:
heqet.gnu.one/app: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "{{ .name }}-vault-ro"
{{- if .secret }}
{{- if .secrets }}
{{- $app := . }}
{{- range .secrets }}
{{- with $app }}
vault.hashicorp.com/agent-inject-secret-{{ .path }}: "heqet/apps/{{ $app.name }}/{{ .name }}"
vault.hashicorp.com/agent-inject-secret-{{ .path |replace "/" "-" }}: "heqet/apps/{{ $app.name }}/{{ .name }}"
{{- end }}
{{- end }}
{{- end }}
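Review bot: The `{{- with $app }}` wrapping the annotation line rebinds the dot to the app, so `.path` and `.name` on the new `agent-inject-secret` line resolve against the app rather than the secret being ranged over — as far as these lines show, every secret would get the same name and the key suffix would come from the app's `path`, if it has one. Unless that is intended, drop the `{{- with $app }}` line and its matching `{{- end }}`; `$app.name` is already reachable through the variable. The `replace "/" "-"` keeps the annotation name free of slashes, but the name segment is still subject to Kubernetes qualified-name rules (alphanumerics, `-`, `_`, `.`, at most 63 characters), so a `path` containing other characters or exceeding that length would be rejected at apply time; a short comment on the line noting that constraint would help the next reader. The `podAnnotations` helper this hunk belongs to starts outside the hunk.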

@ -1,4 +1,5 @@
{{- range .Values.apps -}}
{{- if not .disabled }}
---
apiVersion: v1
kind: Namespace
@ -70,9 +71,12 @@ spec:
ignoreDifferences:
{{ .ignoreDifferences | indent 4 }}
{{- end }}
{{- if $.Values.generators.vault }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .name }}-vault-ro
{{ end }}
{{ end }}
{{ end }}
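Review bot: `{{- if $.Values.generators.vault }}` tests the whole `vault` mapping for truthiness, so the `{{ .name }}-vault-ro` ServiceAccount is rendered whenever the block is present in values, even with `enabled: false`, and the `createServiceAccount: true` flag added in the `values.yaml` `generators:` hunk of this commit is never consulted. Gate on the flags instead: `{{- if and $.Values.generators.vault.enabled $.Values.generators.vault.createServiceAccount }}` (the `vault:` mapping is defined in values.yaml, so the nested lookup does not hit a nil map). The closing `{{ end }}` lines use no whitespace trim while every opener uses `{{-`; `{{- end }}` throughout avoids stray blank lines between the rendered documents. The body of the `range .Values.apps` opened in the first hunk runs between the two hunks, outside what is shown.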

@ -1,17 +1,120 @@
# Cert Manager Config
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: [email protected]
# Default values for cert-manager.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
## Reference to one or more secrets to be used when pulling images
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
imagePullSecrets: []
# - name: "image-pull-secret"
installCRDs: false
# Optional priority class to be used for the cert-manager pods
priorityClassName: ""
replicaCount: 1
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
image:
tag: v0.15.1
repository: quay.io/jetstack/cert-manager-controller
tag: v0.6.2
pullPolicy: IfNotPresent
# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
# resources. By default, the same namespace as cert-manager is deployed within is
# used. This namespace will not be automatically created by the Helm chart.
clusterResourceNamespace: ""
leaderElection:
# Override the namespace used to store the ConfigMap for leader election
namespace: ""
rbac:
# Specifies whether RBAC resources should be created
create: true
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name:
# Optional additional arguments
extraArgs: []
# Use this flag to set a namespace that cert-manager will use to store
# supporting resources required for each ClusterIssuer (default is kube-system)
# - --cluster-resource-namespace=kube-system
extraEnv: []
# - name: SOME_VAR
# value: 'some value'
cainjector:
image:
tag: v0.15.1
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
# Pod Security Context
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
enabled: false
fsGroup: 1001
runAsUser: 1001
podAnnotations:
vault.hashicorp.com/agent-inject-config: "heqet/apps/cert-manager/config"
podLabels: {}
# Optional DNS settings, useful if you have a public and private DNS zone for
# the same domain on Route 53. What follows is an example of ensuring
# cert-manager can access an ingress or DNS TXT records at all times.
# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
# the cluster to work.
# podDnsPolicy: "None"
# podDnsConfig:
# nameservers:
# - "1.1.1.1"
# - "8.8.8.8"
nodeSelector: {}
ingressShim: {}
# defaultIssuerName: ""
# defaultIssuerKind: ""
# defaultACMEChallengeType: ""
# defaultACMEDNS01ChallengeProvider: ""
webhook:
image:
tag: v0.15.1
enabled: true
# Use these variables to configure the HTTP_PROXY environment variables
# http_proxy: "http://proxy:8080"
# http_proxy: "http://proxy:8080"
# no_proxy: 127.0.0.1,localhost
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
# for example:
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: foo.bar.com/role
# operator: In
# values:
# - master
affinity: {}
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
# for example:
# tolerations:
# - key: foo.bar.com/role
# operator: Equal
# value: master
# effect: NoSchedule
tolerations: []
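Review bot: `image:` carries two `tag:` lines, `v0.15.1` and `v0.6.2`, with `repository:` between them; the rendered diff has lost its old/new markers, so if both are on the new side the later `v0.6.2` wins silently (duplicate key, last value taken by most parsers) and the controller would run a different version than the `cainjector` and `webhook` images, which are both pinned to `v0.15.1`. Keep exactly one `tag:` under `image:`, matching the other two components. The `vault.hashicorp.com/agent-inject-config` annotation under `podAnnotations` does not by itself switch injection on for these pods — the injector keys on `vault.hashicorp.com/agent-inject: "true"` — so confirm that annotation reaches the cert-manager pods by another route or add it here. `installCRDs: false` with a `v0.15.1` tag also presumes the CRDs are installed out of band; a comment such as `# CRDs are installed separately via <placeholder: mechanism>` would record where.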

@ -1,6 +1,199 @@
# Kube Dashboard Values
# Default values for kubernetes-dashboard
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
image:
repository: k8s.gcr.io/kubernetes-dashboard-amd64
tag: v1.10.1
pullPolicy: IfNotPresent
pullSecrets: []
replicaCount: 1
## Here annotations can be added to the kubernetes dashboard deployment
annotations: {}
## Here labels can be added to the kubernetes dashboard deployment
##
labels: {}
# kubernetes.io/name: "Kubernetes Dashboard"
## Enable possibility to skip login
enableSkipLogin: false
## Serve application over HTTP without TLS
enableInsecureLogin: false
## Additional container arguments
##
# extraArgs:
# - --enable-skip-login
# - --enable-insecure-login
# - --system-banner="Welcome to Kubernetes"
## Additional container environment variables
##
extraEnv: []
# - name: SOME_VAR
# value: 'some value'
# Annotations to be added to kubernetes dashboard pods
## Recommended value
# podAnnotations:
# seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
podAnnotations: {}
## SecurityContext for the kubernetes dashboard container
## Recommended values
# dashboardContainerSecurityContext:
# allowPrivilegeEscalation: false
# readOnlyRootFilesystem: true
## The two values below can be set here or at podLevel (using variable .securityContext)
# runAsUser: 1001
# runAsGroup: 2001
dashboardContainerSecurityContext: {}
## Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## List of node taints to tolerate (requires Kubernetes >= 1.6)
tolerations: []
# - key: "key"
# operator: "Equal|Exists"
# value: "value"
# effect: "NoSchedule|PreferNoSchedule|NoExecute"
## Affinity
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
# priorityClassName: ""
service:
type: ClusterIP
externalPort: 443
## This allows an override of the heapster service name
## Default: {{ .Chart.Name }}
##
# nameOverride:
# LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to
# set allowed inbound rules on the security group assigned to the master load balancer
# loadBalancerSourceRanges: []
## Kubernetes Dashboard Service annotations
##
## For GCE ingress, the following annotation is required:
## service.alpha.kubernetes.io/app-protocols: '{"https":"HTTPS"}' if enableInsecureLogin=false
## or
## service.alpha.kubernetes.io/app-protocols: '{"http":"HTTP"}' if enableInsecureLogin=true
annotations: {}
## Here labels can be added to the Kubernetes Dashboard service
##
labels: {}
# kubernetes.io/name: "Kubernetes Dashboard"
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 100m
memory: 100Mi
ingress:
## If true, Kubernetes Dashboard Ingress will be created.
##
enabled: false
## Kubernetes Dashboard Ingress annotations
##
## Add custom labels
# labels:
# key: value
# annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: 'true'
## If you plan to use TLS backend with enableInsecureLogin set to false
## (default), you need to uncomment the below.
## If you use ingress-nginx < 0.21.0
# nginx.ingress.kubernetes.io/secure-backends: "true"
## if you use ingress-nginx >= 0.21.0
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
## Kubernetes Dashboard Ingress paths
##
paths:
- /
# - /*
## Kubernetes Dashboard Ingress hostnames
## Must be provided if Ingress is enabled
##
# hosts:
# - kubernetes-dashboard.domain.com
## Kubernetes Dashboard Ingress TLS configuration
## Secrets must be manually created in the namespace
##
# tls:
# - secretName: kubernetes-dashboard-tls
# hosts:
# - kubernetes-dashboard.domain.com
rbac:
clusterAdminRole: true
# Specifies whether RBAC resources should be created
create: true
# Specifies whether cluster-admin ClusterRole will be used for dashboard
# ServiceAccount (NOT RECOMMENDED).
clusterAdminRole: false
# Start in ReadOnly mode.
# Only dashboard-related Secrets and ConfigMaps will still be available for writing.
#
# Turn OFF clusterAdminRole to use clusterReadOnlyRole.
#
# The basic idea of the clusterReadOnlyRole comparing to the clusterAdminRole
# is not to hide all the secrets and sensitive data but more
# to avoid accidental changes in the cluster outside the standard CI/CD.
#
# Same as for clusterAdminRole, it is NOT RECOMMENDED to use this version in production.
# Instead you should review the role and remove all potentially sensitive parts such as
# access to persistentvolumes, pods/log etc.
clusterReadOnlyRole: false
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name:
livenessProbe:
# Number of seconds to wait before sending first probe
initialDelaySeconds: 30
# Number of seconds to wait for probe response
timeoutSeconds: 30
podDisruptionBudget:
# https://kubernetes.io/docs/tasks/run-application/configure-pdb/
enabled: false
minAvailable:
maxUnavailable:
## PodSecurityContext for pod level securityContext
##
# securityContext:
# runAsUser: 1001
# runAsGroup: 2001
securityContext: {}
# We use Ingress anyways
enableInsecureLogin: true
networkPolicy: false
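Review bot: The trailing `# We use Ingress anyways` / `enableInsecureLogin: true` / `networkPolicy: false` block and the first `clusterAdminRole: true` under `rbac:` read like the previous file's contents; the rendered diff has lost its side markers, so if any of them survive on the new side they duplicate the `enableInsecureLogin: false` and `clusterAdminRole: false` set earlier, and most YAML parsers silently take the last value — which here would re-enable plain-HTTP login and bind the dashboard ServiceAccount to cluster-admin. Each of those keys should appear exactly once, with the hardened `false` values the new text already states. `dashboardContainerSecurityContext: {}` also leaves the hardening the file's own comment recommends (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, non-root `runAsUser`/`runAsGroup`) unset; filling it in, or a comment stating why it is left empty, is worth doing for a component that exposes cluster state through a browser.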

@ -23,12 +23,12 @@ generators:
email: [email protected]
# Vault Secret Injector
# incl. ServiceAccount read-only ["ro"]
vault:
enabled: true
createServiceAccount: true
defaultPermissions: "ro"
# # Vault Secret Injector
# # incl. ServiceAccount read-only ["ro"]
# vault:
# enabled: false
# createServiceAccount: true
# defaultPermissions: "ro"
# annotations:
commonAnnotations:
@ -70,6 +70,7 @@ apps:
syncWave: "0"
- name: vault
disabled: true
repoURL: https://github.com/hashicorp/vault-helm
vhost: vault.heqet.gnu.one
syncWave: "0"
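Review bot: `generators.vault.enabled: true` is switched on in the same commit that sets the `vault` app to `disabled: true`, so the `-vault-ro` ServiceAccounts and the `vault.hashicorp.com/agent-inject: "true"` annotations emitted by the templates will be produced for apps while this chart deploys no Vault of its own. If a Vault and its injector webhook are provided elsewhere that is fine, but a comment on the `vault:` generator block recording that (`# Vault and the agent injector are provided by <placeholder: external deployment>`) would keep the two settings from looking contradictory; if they are not, the annotations are presumably inert and pods start without their secrets, which is hard to diagnose later. The `apps:` list continues outside the hunk.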
