feat(patches)

drone
nold 2 years ago
parent a0e101aaad
commit 65d7e8e466
  1. 27
      charts/heqet/templates/_helpers.tpl
  2. 6
      charts/heqet/templates/acme-clusterissuer.yaml
  3. 26
      charts/heqet/templates/heqet-apps.yaml
  4. 836
      charts/heqet/values.d/argocd.yaml
  5. 17
      charts/heqet/values.d/cert-manager.yaml
  6. 6
      charts/heqet/values.d/kubernetes-dashboard.yaml
  7. 24
      charts/heqet/values.d/loki-stack.yaml
  8. 12
      charts/heqet/values.d/nginx-ingress.yaml
  9. 15
      charts/heqet/values.d/vault.yal
  10. 5
      charts/heqet/values.d/vault.yaml
  11. 133
      charts/heqet/values.yaml

@ -2,29 +2,32 @@
Heket's Auto TLS Ingress Injector [ATIC]:
*/ -}}
{{- define "heqet.ingress" }}
{{- if .vhost }}
ingress:
enabled: true
hosts:
{{- if not .ingress_hosts_keymap }}
{{- if not .ingressHostsKeymap }}
- {{ required "You need to set a domain for your app or disable atic" .vhost }}
{{- else }}
- host: {{ required "You need to set a domain for your app or disable atic" .vhost }}
paths: []
{{- end }}
annotations:
kubernetes.io/ingress.class: {{ .ingress_class | default "nginx" }}
kubernetes.io/ingress.class: {{ .ingressClass | default "nginx" }}
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: {{ .ingress_cluster_issuer | default "letsencrypt" }}
cert-manager.io/cluster-issuer: {{ .clusterIssuer | default "letsencrypt" }}
tls:
- secretName: {{ .name }}-le-tls
hosts:
- {{ .vhost | quote }}
{{- end }}
{{- end -}}
{{- end -}}
{{- /*
Read value files for every application
*/ -}}
{{- define "app.values" }}
{{- $values := .Files.Glob "values.d/*.yaml" }}
{{- $values := $.Files.Get (printf "values.d/%s.yaml" .name ) | fromYaml }}
{{- ($values)| indent 8 }}
{{ end }}
@ -37,11 +40,21 @@ podAnnotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "{{ .name }}-vault-ro"
{{- if .secret }}
{{- $appname := .name }}
{{- $app := . }}
{{- range .secrets }}
vault.hashicorp.com/agent-inject-secret-{{ .path }}: "heqet/apps/{{ $appname }}/{{ .name }}"
{{- with $app }}
vault.hashicorp.com/agent-inject-secret-{{ .path }}: "heqet/apps/{{ $app.name }}/{{ .name }}"
{{- end }}
{{- end }}
{{- end }}
spec:
serviceAccountName: "{{ .name }}-vault-ro"
{{- end -}}
{{- define "heqet.patch" }}
{{- if .root }}
{{- dict .root .patchValues | toYaml }}
{{- else }}
{{- toYaml .patchValues }}
{{- end }}
{{- end }}
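Review bot: Inside `{{- range .secrets }}` the new `{{- with $app }}` rebinds the dot to the application entry, so `{{ .path }}` and `{{ .name }}` on the annotation line now resolve to the app's chart path and app name instead of the secret entry being iterated, and every secret effectively collapses into the same wrong annotation key. `$app.name` is reachable without the rebinding: drop the `with`/`end` pair and emit `vault.hashicorp.com/agent-inject-secret-{{ .path }}: "heqet/apps/{{ $app.name }}/{{ .name }}"` directly in the range body, after which `$appname` is unused and can go. The surrounding `{{- if .secret }}` guards a key that differs from the `.secrets` list it protects (this line looks unchanged by the commit), so an app that sets `secrets` without `secret` gets no injection annotation at all. In the first hunk `heqet.ingress` keys only on `.vhost`; as far as the hunk shows, nothing consults the `.Values.generators.ingress.enabled` flag this commit introduces in values.yaml, so that flag is inert unless it is checked elsewhere. The template containing the `podAnnotations` block starts above the second hunk.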

@ -1,12 +1,12 @@
{{ if .Values.acme.enabled }}
{{ if .Values.generators.ingress.acme.enabled }}
apiVersion: cert-manager.io/v1alpha3
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: {{ .Values.acme.server | default "https://acme-staging-v02.api.letsencrypt.org/directory" }}
email: {{ .Values.acme.email | quote }}
server: {{ .Values.generators.ingress.acme.server | default "https://acme-staging-v02.api.letsencrypt.org/directory" }}
email: {{ .Values.generators.ingress.acme.email | quote }}
privateKeySecretRef:
name: letsencrypt-clusterissuer
solvers:
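Review bot: With the lookup moved to `.Values.generators.ingress.acme.server`, the `default` on the `server:` line falls back to the Let's Encrypt staging directory whenever that key is empty, and in this commit's values.yaml `generators.ingress.acme.server:` is a bare null whereas the old `acme.server` pointed at the production directory — so the ClusterIssuer silently switches to staging certificates that clients do not trust. Either set the production URL under `generators.ingress.acme.server` in values.yaml or make the template fail loudly, e.g. `server: {{ required "generators.ingress.acme.server must be set" .Values.generators.ingress.acme.server | quote }}`. The same applies to `email`, which `quote` turns into `""` when unset; `required` documents the contract better. The `solvers:` block continues below the hunk.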

@ -29,7 +29,6 @@ spec:
path: {{ .path | default "." | quote }}
repoURL: {{ .repoURL | default $.Values.defaults.repoURL | quote }}
targetRevision: {{ .targetRevision | default "HEAD" | quote }}
{{- if or .parameters .domain }}
helm:
{{- if .parameters }}
parameters:
@ -42,19 +41,24 @@ spec:
{{- end }}
{{- end }}
{{- end }}
values:
{{- $values := $.Files.Get (printf "values.d/%s.yaml" .name ) | fromYaml | default dict }}
{{- $context := . }}
{{- range $gen, $vals := $.Values.generators }}
{{- with $context }}
{{- with $values }}
{{- if not $context.noValues }}
{{- $patchValues := include (printf "heqet.%s" $gen) $context | fromYaml }}
{{- $root := pluck $gen $context | first }}
{{- $data := dict "root" $root "patchValues" $patchValues }}
{{- $tmp := (include "heqet.patch" $data) | fromYaml }}
{{- $_ := deepCopy $tmp | mergeOverwrite $values }}
{{- end }}
{{- $values := dict }}
{{- if .has_values }}
{{- $patch_values := $.Files.Get (printf "values.d/%s.yaml" .name ) | fromYaml }}
{{- $values := deepCopy $patch_values | merge $values }}
{{- end }}
{{- range .patches }}
{{- $patch_values := include (printf "heqet.%s" .name) . | fromYaml }}
{{- $tmp := dict .path }}
{{- $_ := set $tmp .path $patch_values }}
{{- $values := deepCopy $tmp | merge $values }}
{{- end }}
{{- end }}
{{- end }}
{{ toYaml $values | indent 8 }}
# ASDFASDF
syncPolicy:
automated:
# FIXME: Open Issue: https://github.com/helm/helm/issues/8026
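Review bot: The generator loop `{{- range $gen, $vals := $.Values.generators }}` never looks at `$vals.enabled`, so the `enabled:` flags this commit adds under `generators:` in values.yaml have no effect on which patches are merged; wrap the body in `{{- if $vals.enabled }} … {{- end }}` (the old/new split of this rendering is inferred from the `generators`/`noValues` keys, so please double-check). If the `{{- with $values }}` line guards the loop as printed, an app without a `values.d/<name>.yaml` ends up with an empty dict, which `with` treats as false, and such apps (jaeger has no values file in the diffstat) get no ingress or vault injection at all — `default dict` does not help there. The `# ASDFASDF` line is rendered into every generated Application manifest and should be removed before merging. The `values:` assembly ends with `{{ toYaml $values | indent 8 }}`; the `syncPolicy` block below continues outside the hunk.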

@ -0,0 +1,836 @@
## ArgoCD configuration
## Ref: https://github.com/argoproj/argo-cd
##
nameOverride: argocd
fullnameOverride: ""
# Optional CRD installation for those without Helm hooks
installCRDs: true
global:
image:
repository: argoproj/argocd
tag: v1.5.5
imagePullPolicy: IfNotPresent
securityContext: {}
# runAsUser: 999
# runAsGroup: 999
# fsGroup: 999
imagePullSecrets: []
hostAliases: []
# - ip: 10.20.30.40
# hostnames:
# - git.myhostname
## Controller
controller:
name: application-controller
image:
repository: # argoproj/argocd
tag: v1.5.5
imagePullPolicy: # IfNotPresent
## Argo controller commandline flags
args:
statusProcessors: "20"
operationProcessors: "10"
## Argo controller log level
logLevel: debug
## Additional command line arguments to pass to argocd-controller
##
extraArgs: []
## Environment variables to pass to argocd-controller
##
env: []
## Annotations to be added to controller pods
##
podAnnotations: {}
## Labels to be added to controller pods
##
podLabels: {}
## Labels to set container specific security contexts
containerSecurityContext: {}
# capabilities:
# drop:
# - all
## Configures the controller port
containerPort: 8082
## Readiness and liveness probes for default backend
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
##
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
## Additional volumeMounts to the controller main container.
volumeMounts: []
## Additional volumes to the controller pod.
volumes: []
## Controller service configuration
service:
annotations: {}
labels: {}
port: 8082
portName: https-controller
## Node selectors and tolerations for server scheduling to nodes with taints
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
##
nodeSelector: {}
tolerations: []
affinity: {}
priorityClassName: ""
resources: {}
# limits:
# cpu: 500m
# memory: 512Mi
# requests:
# cpu: 250m
# memory: 256Mi
serviceAccount:
create: true
name: argocd-application-controller
## Server metrics controller configuration
metrics:
enabled: false
service:
annotations: {}
labels: {}
servicePort: 8082
serviceMonitor:
enabled: false
# selector:
# prometheus: kube-prometheus
# namespace: monitoring
# additionalLabels: {}
rules:
enabled: false
spec: []
# - alert: ArgoAppMissing
# expr: |
# absent(argocd_app_info)
# for: 15m
# labels:
# severity: critical
# annotations:
# summary: "[ArgoCD] No reported applications"
# description: >
# ArgoCD has not reported any applications data for the past 15 minutes which
# means that it must be down or not functioning properly. This needs to be
# resolved for this cloud to continue to maintain state.
# - alert: ArgoAppNotSynced
# expr: |
# argocd_app_sync_status{sync_status!="Synced"} == 1
# for: 12h
# labels:
# severity: warning
# annotations:
# summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
# description: >
# The application [{{`{{$labels.name}}`}} has not been synchronized for over
# 12 hours which means that the state of this cloud has drifted away from the
# state inside Git.
# selector:
# prometheus: kube-prometheus
# namespace: monitoring
# additionalLabels: {}
## Enable Admin ClusterRole resources.
## Enable if you would like to grant rights to ArgoCD to deploy to the local Kubernetes cluster.
clusterAdminAccess:
enabled: true
## Dex
dex:
enabled: true
name: dex-server
image:
repository: quay.io/dexidp/dex
tag: v2.22.0
imagePullPolicy: IfNotPresent
initImage:
repository:
tag:
imagePullPolicy:
## Environment variables to pass to the Dex server
##
env: []
## Annotations to be added to the Dex server pods
##
podAnnotations: {}
## Labels to be added to the Dex server pods
##
podLabels: {}
serviceAccount:
create: true
name: argocd-dex-server
## Additional volumeMounts to the controller main container.
volumeMounts:
- name: static-files
mountPath: /shared
## Additional volumes to the controller pod.
volumes:
- name: static-files
emptyDir: {}
## Dex deployment container ports
containerPortHttp: 5556
servicePortHttp: 5556
containerPortGrpc: 5557
servicePortGrpc: 5557
## Node selectors and tolerations for server scheduling to nodes with taints
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
##
nodeSelector: {}
tolerations: []
affinity: {}
priorityClassName: ""
## Labels to set container specific security contexts
containerSecurityContext: {}
# capabilities:
# drop:
# - all
resources: {}
# limits:
# cpu: 50m
# memory: 64Mi
# requests:
# cpu: 10m
# memory: 32Mi
## Redis
redis:
enabled: true
name: redis
image:
repository: redis
tag: 5.0.3
imagePullPolicy: IfNotPresent
containerPort: 6379
servicePort: 6379
## Environment variables to pass to the Redis server
##
env: []
## Annotations to be added to the Redis server pods
##
podAnnotations: {}
## Labels to be added to the Redis server pods
##
podLabels: {}
## Node selectors and tolerations for server scheduling to nodes with taints
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
##
nodeSelector: {}
tolerations: []
affinity: {}
priorityClassName: ""
## Labels to set container specific security contexts
containerSecurityContext: {}
# capabilities:
# drop:
# - all
resources: {}
# limits:
# cpu: 200m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 64Mi
volumeMounts: []
volumes: []
# This key configures Redis-HA subchart and when enabled (redis-ha.enabled=true)
# the custom redis deployment is omitted
redis-ha:
enabled: false
# Check the redis-ha chart for more properties
exporter:
enabled: true
persistentVolume:
enabled: false
redis:
masterGroupName: argocd
config:
save: "\"\""
haproxy:
enabled: true
metrics:
enabled: true
## Server
server:
name: server
replicas: 1
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 50
targetMemoryUtilizationPercentage: 50
image:
repository: # argoproj/argocd
tag: # v1.5.4
imagePullPolicy: # IfNotPresent
## Additional command line arguments to pass to argocd-server
## Heket: We have Ingress
extraArgs:
- --insecure
## Environment variables to pass to argocd-server
##
env: []
## Argo server log level
# Heket: Just in case.. this is a Dev Environment!
logLevel: debug
## Annotations to be added to controller pods
##
podAnnotations: {}
## Labels to be added to controller pods
##
podLabels: {}
## Configures the server port
containerPort: 8080
## Readiness and liveness probes for default backend
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
##
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
## Additional volumeMounts to the server main container.
volumeMounts: []
## Additional volumes to the controller pod.
volumes: []
## Node selectors and tolerations for server scheduling to nodes with taints
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
##
nodeSelector: {}
tolerations: []
affinity: {}
priorityClassName: ""
## Labels to set container specific security contexts
containerSecurityContext: {}
# capabilities:
# drop:
# - all
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 50m
# memory: 64Mi
## Certificate configuration
certificate:
enabled: false
domain: argocd.example.com
issuer: {}
additionalHosts: []
## Server service configuration
service:
annotations: {}
labels: {}
type: ClusterIP
servicePortHttp: 80
servicePortHttps: 443
servicePortHttpName: http
servicePortHttpsName: https
loadBalancerIP: ""
loadBalancerSourceRanges: []
## Server metrics service configuration
metrics:
enabled: false
service:
annotations: {}
labels: {}
servicePort: 8083
serviceMonitor:
enabled: false
# selector:
# prometheus: kube-prometheus
# namespace: monitoring
# additionalLabels: {}
serviceAccount:
create: true
name: argocd-server
ingress:
enabled: false
annotations: {}
labels: {}
## Argo Ingress.
## Hostnames must be provided if Ingress is enabled.
## Secrets must be manually created in the namespace
##
hosts:
[]
# - argocd.example.com
paths:
- /
tls:
[]
# - secretName: argocd-example-tls
# hosts:
# - argocd.example.com
# Create a OpenShift Route with SSL passthrough for UI and CLI
# Consider setting 'hostname' e.g. https://argocd.apps-crc.testing/ using your Default Ingress Controller Domain
# Find your domain with: kubectl describe --namespace=openshift-ingress-operator ingresscontroller/default | grep Domain:
# If 'hostname' is an empty string "" OpenShift will create a hostname for you.
route:
enabled: false
hostname: ""
## ArgoCD config
## reference https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
config:
# Argo CD's externally facing base URL (optional). Required when configuring SSO
url: https://argocd.example.com
# Argo CD instance label key
application.instanceLabelKey: argocd.argoproj.io/instance
# repositories: |
# - url: git@github.com:group/repo.git
# sshPrivateKeySecret:
# name: secret-name
# key: sshPrivateKey
# - type: helm
# url: https://kubernetes-charts.storage.googleapis.com
# name: stable
# - type: helm
# url: https://argoproj.github.io/argo-helm
# name: argo
# oidc.config: |
# name: AzureAD
# issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
# clientID: CLIENT_ID
# clientSecret: $oidc.azuread.clientSecret
# requestedIDTokenClaims:
# groups:
# essential: true
# requestedScopes:
# - openid
# - profile
# - email
## ArgoCD rbac config
## reference https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
rbacConfig:
{}
# policy.csv is an file containing user-defined RBAC policies and role definitions (optional).
# Policy rules are in the form:
# p, subject, resource, action, object, effect
# Role definitions and bindings are in the form:
# g, subject, inherited-subject
# See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md for additional information.
# policy.csv: |
# # Grant all members of the group 'my-org:team-alpha; the ability to sync apps in 'my-project'
# p, my-org:team-alpha, applications, sync, my-project/*, allow
# # Grant all members of 'my-org:team-beta' admins
# g, my-org:team-beta, role:admin
# policy.default is the name of the default role which Argo CD will falls back to, when
# authorizing API requests (optional). If omitted or empty, users may be still be able to login,
# but will see no apps, projects, etc...
# policy.default: role:readonly
# scopes controls which OIDC scopes to examine during rbac enforcement (in addition to `sub` scope).
# If omitted, defaults to: '[groups]'. The scope value can be a string, or a list of strings.
# scopes: '[cognito:groups, email]'
## Not well tested and not well supported on release v1.0.0.
## Applications
## reference: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/
additionalApplications: []
# - name: guestbook
# namespace: argocd
# additionalLabels: {}
# additionalAnnotations: {}
# project: guestbook
# source:
# repoURL: https://github.com/argoproj/argocd-example-apps.git
# targetRevision: HEAD
# path: guestbook
# directory:
# recurse: true
# destination:
# server: https://kubernetes.default.svc
# namespace: guestbook
# syncPolicy:
# automated:
# prune: false
# selfHeal: false
## Projects
## reference: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/
additionalProjects: []
# - name: guestbook
# namespace: argocd
# additionalLabels: {}
# additionalAnnotations: {}
# description: Example Project
# sourceRepos:
# - '*'
# destinations:
# - namespace: guestbook
# server: https://kubernetes.default.svc
# clusterResourceWhitelist: []
# namespaceResourceBlacklist:
# - group: ''
# kind: ResourceQuota
# - group: ''
# kind: LimitRange
# - group: ''
# kind: NetworkPolicy
# orphanedResources: {}
# roles: []
# namespaceResourceWhitelist:
# - group: 'apps'
# kind: Deployment
# - group: 'apps'
# kind: StatefulSet
# orphanedResources: {}
# roles: []
## Enable Admin ClusterRole resources.
## Enable if you would like to grant rights to ArgoCD to deploy to the local Kubernetes cluster.
clusterAdminAccess:
enabled: true
## Enable BackendConfig custom resource for Google Kubernetes Engine
GKEbackendConfig:
enabled: false
spec: {}
# spec:
# iap:
# enabled: true
# oauthclientCredentials:
# secretName: argocd-secret
## Repo Server
repoServer:
name: repo-server
replicas: 1
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 50
targetMemoryUtilizationPercentage: 50
image:
repository: # argoproj/argocd
tag: # v1.5.4
imagePullPolicy: # IfNotPresent
## Additional command line arguments to pass to argocd-repo-server
##
extraArgs: []
## Environment variables to pass to argocd-repo-server
##
env: []
## Argo repoServer log level
logLevel: debug
## Annotations to be added to repo server pods
##
podAnnotations: {}
## Labels to be added to repo server pods
##
podLabels: {}
## Configures the repo server port
containerPort: 8081
## Readiness and liveness probes for default backend
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
##
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
## Additional volumeMounts to the repo server main container.
volumeMounts: []
## Additional volumes to the repo server pod.
volumes: []
## Node selectors and tolerations for server scheduling to nodes with taints
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
##
nodeSelector: {}
tolerations: []
affinity: {}
priorityClassName: ""
## Labels to set container specific security contexts
containerSecurityContext: {}
# capabilities:
# drop:
# - all
resources: {}
# limits:
# cpu: 50m
# memory: 128Mi
# requests:
# cpu: 10m
# memory: 64Mi
## Repo server service configuration
service:
annotations: {}
labels: {}
port: 8081
portName: https-repo-server
## Repo server metrics service configuration
metrics:
enabled: false
service:
annotations: {}
labels: {}
servicePort: 8084
serviceMonitor:
enabled: false
# selector:
# prometheus: kube-prometheus
# namespace: monitoring
# additionalLabels: {}
## Repo server service account
## If create is set to true, make sure to uncomment the name and update the rbac section below
serviceAccount:
create: false
# name: argocd-repo-server
## Annotations applied to created service account
annotations: {}
## Repo server rbac rules
# rbac:
# - apiGroups:
# - argoproj.io
# resources:
# - applications
# verbs:
# - get
# - list
# - watch
## Use init containers to configure custom tooling
## https://argoproj.github.io/argo-cd/operator-manual/custom_tools/
## When using the volumes & volumeMounts section bellow, please comment out those above.
# volumes:
# - name: custom-tools
# emptyDir: {}
#
# initContainers:
# - name: download-tools
# image: alpine:3.8
# command: [sh, -c]
# args:
# - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - &&
# mv linux-amd64/helm /custom-tools/
# volumeMounts:
# - mountPath: /custom-tools
# name: custom-tools
# volumeMounts:
# - mountPath: /usr/local/bin/helm
# name: custom-tools
# subPath: helm
## Argo Configs
configs:
knownHosts:
data:
ssh_known_hosts: |
bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
tlsCerts:
{}
# data:
# argocd.example.com: |
# -----BEGIN CERTIFICATE-----
# MIIF1zCCA7+gAwIBAgIUQdTcSHY2Sxd3Tq/v1eIEZPCNbOowDQYJKoZIhvcNAQEL
# BQAwezELMAkGA1UEBhMCREUxFTATBgNVBAgMDExvd2VyIFNheG9ueTEQMA4GA1UE
# BwwHSGFub3ZlcjEVMBMGA1UECgwMVGVzdGluZyBDb3JwMRIwEAYDVQQLDAlUZXN0
# c3VpdGUxGDAWBgNVBAMMD2Jhci5leGFtcGxlLmNvbTAeFw0xOTA3MDgxMzU2MTda
# Fw0yMDA3MDcxMzU2MTdaMHsxCzAJBgNVBAYTAkRFMRUwEwYDVQQIDAxMb3dlciBT
# YXhvbnkxEDAOBgNVBAcMB0hhbm92ZXIxFTATBgNVBAoMDFRlc3RpbmcgQ29ycDES
# MBAGA1UECwwJVGVzdHN1aXRlMRgwFgYDVQQDDA9iYXIuZXhhbXBsZS5jb20wggIi
# MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCv4mHMdVUcafmaSHVpUM0zZWp5
# NFXfboxA4inuOkE8kZlbGSe7wiG9WqLirdr39Ts+WSAFA6oANvbzlu3JrEQ2CHPc
# CNQm6diPREFwcDPFCe/eMawbwkQAPVSHPts0UoRxnpZox5pn69ghncBR+jtvx+/u
# P6HdwW0qqTvfJnfAF1hBJ4oIk2AXiip5kkIznsAh9W6WRy6nTVCeetmIepDOGe0G
# ZJIRn/OfSz7NzKylfDCat2z3EAutyeT/5oXZoWOmGg/8T7pn/pR588GoYYKRQnp+
# YilqCPFX+az09EqqK/iHXnkdZ/Z2fCuU+9M/Zhrnlwlygl3RuVBI6xhm/ZsXtL2E
# Gxa61lNy6pyx5+hSxHEFEJshXLtioRd702VdLKxEOuYSXKeJDs1x9o6cJ75S6hko
# Ml1L4zCU+xEsMcvb1iQ2n7PZdacqhkFRUVVVmJ56th8aYyX7KNX6M9CD+kMpNm6J
# kKC1li/Iy+RI138bAvaFplajMF551kt44dSvIoJIbTr1LigudzWPqk31QaZXV/4u
# kD1n4p/XMc9HYU/was/CmQBFqmIZedTLTtK7clkuFN6wbwzdo1wmUNgnySQuMacO
# gxhHxxzRWxd24uLyk9Px+9U3BfVPaRLiOPaPoC58lyVOykjSgfpgbus7JS69fCq7
# bEH4Jatp/10zkco+UQIDAQABo1MwUTAdBgNVHQ4EFgQUjXH6PHi92y4C4hQpey86
# r6+x1ewwHwYDVR0jBBgwFoAUjXH6PHi92y4C4hQpey86r6+x1ewwDwYDVR0TAQH/
# BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAFE4SdKsX9UsLy+Z0xuHSxhTd0jfn
# Iih5mtzb8CDNO5oTw4z0aMeAvpsUvjJ/XjgxnkiRACXh7K9hsG2r+ageRWGevyvx
# CaRXFbherV1kTnZw4Y9/pgZTYVWs9jlqFOppz5sStkfjsDQ5lmPJGDii/StENAz2
# XmtiPOgfG9Upb0GAJBCuKnrU9bIcT4L20gd2F4Y14ccyjlf8UiUi192IX6yM9OjT
# +TuXwZgqnTOq6piVgr+FTSa24qSvaXb5z/mJDLlk23npecTouLg83TNSn3R6fYQr
# d/Y9eXuUJ8U7/qTh2Ulz071AO9KzPOmleYPTx4Xty4xAtWi1QE5NHW9/Ajlv5OtO
# OnMNWIs7ssDJBsB7VFC8hcwf79jz7kC0xmQqDfw51Xhhk04kla+v+HZcFW2AO9so
# 6ZdVHHQnIbJa7yQJKZ+hK49IOoBR6JgdB5kymoplLLiuqZSYTcwSBZ72FYTm3iAr
# jzvt1hxpxVDmXvRnkhRrIRhK4QgJL0jRmirBjDY+PYYd7bdRIjN7WNZLFsgplnS8
# 9w6CwG32pRlm0c8kkiQ7FXA6BYCqOsDI8f1VGQv331OpR2Ck+FTv+L7DAmg6l37W
# +LB9LGh4OAp68ImTjqf6ioGKG0RBSznwME+r4nXtT1S/qLR6ASWUS4ViWRhbRlNK
# XWyb96wrUlv+E8I=
# -----END CERTIFICATE-----
# Creates a secret with optional repository credentials
repositoryCredentials:
{}
# sample-ssh-key: |
# -----BEGIN RSA PRIVATE KEY-----
# MIICXAIBAAKBgQCcmiVJXGUvL8zqWmRRETbCKgFadtjJ9WDQpSwiZzMiktpYBo0N
# z0cThzGQfWqvdiJYEy72MrKCaSYssV3eHP5zTffk4VBDktNfdl1kgkOpqnh7tQO4
# nBONRLzcK6KEbKUsmiTbW8Jb4UFYDhyyyveby7y3vYePmaRQIrlEenVfKwIDAQAB
# AoGAbbg+WZjnt9jYzHWKhZX29LDzg8ty9oT6URT4yB3gIOAdJMFqQHuyg8cb/e0x
# O0AcrfK623oHwgEj4vpeFwnfaBdtM5GfH9zaj6pnXV7VZc3oBHrBnHUgFT3NEYUe
# tt6rtatIguBH61Aj/pyij9sOfF0xDj0s1nwFTbdHtZR/31kCQQDIwcVTqhKkDNW6
# cvdz+Wt3v9x1wNg+VhZhyA/pKILz3+qtn3GogLrQqhpVi+Y7tdvEv9FvgKaCjUp8
# 6Lfp6dDFAkEAx7HpQbXFdrtcveOi9kosKRDX1PT4zdhB08jAXGlV8jr0jkrZazVM
# hV5rVCuu35Vh6x1fiyGwwiVsqhgWE+KPLwJAWrDemasM/LsnmjDxhJy6ZcBwsWlK
# xu5Q8h9UwLmiXtVayNBsofh1bGpLtzWZ7oN7ImidDkgJ8JQvgDoJS0xrGQJBALPJ
# FkMFnrjtqGqBVkc8shNqyZY90v6oM2OzupO4dht2PpUZCDPAMZtlTWXjSjabbCPc
# NxexBk1UmkdtFftjHxsCQGjG+nhRYH92MsmrbvZyFzgxg9SIOu6xel7D3Dq9l5Le
# XG+bpHPF4SiCpAxthP5WNa17zuvk+CDsMZgZNuhYNMo=
# -----END RSA PRIVATE KEY-----
secret:
createSecret: true
## Annotations to be added to argocd-secret
##
annotations: {}
# Webhook Configs
githubSecret: ""
gitlabSecret: ""
bitbucketServerSecret: ""
bitbucketUUID: ""
gogsSecret: ""
# Custom secrets. Useful for injecting SSO secrets into environment variables.
# Ref: https://argoproj.github.io/argo-cd/operator-manual/sso/
# Note that all values must be non-empty.
extra: {}
# LDAP_PASSWORD: "mypassword"
# Argo TLS Data.
argocdServerTlsConfig:
{}
# key:
# crt: |
# -----BEGIN CERTIFICATE-----
# <cert data>
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# <ca cert data>
# -----END CERTIFICATE-----
# Argo expects the password in the secret to be bcrypt hashed. You can create this hash with
# `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'`
# argocdServerAdminPassword:
# Password modification time defaults to current time if not set
# argocdServerAdminPasswordMtime: "2006-01-02T15:04:05Z"
openshift:
enabled: false
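Review bot: Several keys in this copied values file revert settings that the `parameters:` list apparently removed from values.yaml in the same commit had pinned: `dex.enabled: true` here versus `"false"` before, `server.config.url: https://argocd.example.com` versus the instance hostname, and `server.ingress.enabled: false` versus `"true"` — unless the ingress generator's merge overrides them, the rendered Application now deploys Dex and advertises the example URL. Please either restore those values here or note in the commit message that the drift is intended. The combination of `logLevel: debug` on all three components and `extraArgs: [--insecure]` is explained only by the inline `Heket:` comments; a header comment stating that this file is the dev-cluster override of the upstream argo-cd chart values would help readers who do not diff it against upstream. The `tag: v1.5.5` entries also disagree with the commented `# v1.5.4` hints on `server.image.tag` and `repoServer.image.tag`, which is harmless but confusing.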

@ -0,0 +1,17 @@
# Cert Manager Config
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: nold@gnu.one
installCRDs: false
image:
tag: v0.15.1
cainjector:
image:
tag: v0.15.1
webhook:
image:
tag: v0.15.1
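Review bot: The `acme:` block at the top of this file is passed to the jetstack cert-manager chart, which as far as I know has no `acme.server`/`acme.email` values, while the ClusterIssuer template in this commit reads `.Values.generators.ingress.acme.*` from the heqet chart's own values — so the production directory URL and the contact email set here never reach the issuer. Move them under `generators.ingress.acme` in values.yaml (where `server:` is currently null) or drop the block, and add a comment such as `# the ACME issuer is configured in values.yaml (generators.ingress.acme), not here`. The three `tag: v0.15.1` pins read as strings and are fine; `installCRDs: false` loses the old `# using crds/ directory` note that explained why the chart does not install CRDs.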

@ -0,0 +1,6 @@
# Kube Dashboard Values
rbac:
clusterAdminRole: true
# We use Ingress anyways
enableInsecureLogin: true
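Review bot: `rbac.clusterAdminRole: true` binds the dashboard's service account to cluster-admin, and the only comment (`# We use Ingress anyways`) justifies `enableInsecureLogin`, not that binding. A reader of this file cannot tell whether the cluster-admin grant is deliberate for this dev cluster; add a line such as `# dev cluster only: dashboard SA gets cluster-admin, keep at chart default on shared clusters` above it, or leave the role at the chart default and rely on per-user tokens. Both settings are carried over from the removed `parameters:` list, so the behaviour is not new, only undocumented.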

@ -0,0 +1,24 @@
loki:
enabled: true
promtail:
enabled: true
fluent-bit:
enabled: false
grafana:
enabled: true
sidecar:
datasources:
enabled: true
dashboards:
enabled: true
label: grafana_dashboard
image:
tag: 6.7.0
persistence:
storageClassName: standard
prometheus:
enabled: true
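Review bot: `grafana.persistence.storageClassName: standard` is set without `persistence.enabled: true`; if the grafana subchart keeps its usual default of persistence disabled, the storage class is never used and Grafana state is lost on every pod restart. Either add `enabled: true` next to it or drop the key so the file does not imply that data is persisted. The `sidecar.dashboards.label: grafana_dashboard` value is the label that dashboard ConfigMaps must carry; a one-line comment saying so would save the next reader a trip to the chart docs.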

@ -0,0 +1,12 @@
controller:
admissionWebhooks:
enabled: true
patch:
enabled: true
publishService:
enabled: true
image:
repository: bitnami/nginx-ingress-controller
rbac:
create: true
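Review bot: `controller.image.repository` is switched to `bitnami/nginx-ingress-controller` without a `tag:`, so the ingress-nginx chart's default tag is appended to a repository whose tagging scheme differs from upstream; pin a `tag:` (ideally alongside a digest) that is known to exist for that image so the rollout is reproducible. `admissionWebhooks.enabled` and `admissionWebhooks.patch.enabled` also flip to `true` relative to the `"false"` parameters this commit removes from values.yaml; if that is intentional it deserves a comment here, since the validating webhook changes how Ingress objects are admitted cluster-wide.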

@ -0,0 +1,15 @@
ignoreDifferences:
- group: apiextensions.k8s.io
kind: CustomResourceDefinition
jsonPointers:
- /metadata/annotations
- /metadata/labels
- /spec/validation
- group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
jsonPointers:
- /webhooks
- group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
jsonPointers:
- /webhooks
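Review bot: The file name `vault.yal` is missing the `m`, and both the `values.d/*.yaml` glob and the `printf "values.d/%s.yaml" .name` lookup in this commit only match `.yaml`, so this `ignoreDifferences` list is never read by the chart. The same list still sits inline under the vault app in values.yaml, so the two copies will drift. Since `ignoreDifferences` is an Application field rather than a chart value, the inline app-level copy is the one that can take effect; delete this file rather than rename it, unless heqet-apps.yaml is taught to read it from values.d.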

@ -0,0 +1,5 @@
server:
dev:
enabled: true
ui:
enabled: true
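Review bot: `server.dev.enabled: true` runs Vault in dev mode — in-memory storage, auto-unsealed, root token written to the pod log — which is the same setting the removed `parameters:` entry pinned, but this file gives no hint of that. Add a comment such as `# dev mode: in-memory, auto-unseal, root token in pod log; everything under heqet/apps/ is lost on restart` so nobody promotes the file to a non-dev cluster unchanged. The vault generator in `_helpers.tpl` expects secrets at `heqet/apps/<app>/<name>`; with dev mode they must be re-seeded after every restart.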

@ -1,114 +1,76 @@
# Install Custom Ressource Definitions?
installCRDs: true
# This configures Heqet's ATIC ['Automatic-Tls-Ingress-Creator']
ingress:
enabled: true
class: "nginx"
#FIXME: Can't disable tls ATM
tls:
enabled: true
cluster_issuer: "letsencrypt"
# Enables ACME cluster-issuer
acme:
enabled: true
email: nold@gnu.one
server: https://acme-v02.api.letsencrypt.org/directory
# Default values for you applications
# Default values for your applications
defaults:
project: "default"
repoURL: https://github.com/nold360/heqet
repoURL: https://github.com/nold360/heket
server: https://kubernetes.default.svc
automated:
prune: true
selfHeal: false
# Heqet Functions / Injectors:
generators:
# Nginx Ingress & Cert Manager TLS Injector
ingress:
enabled: true
# ACME / Letsencrypt Injector
acme:
enabled: true
server:
email: nold@gnu.one
# Vault Secret Injector
# incl. ServiceAccount read-only ["ro"]
vault:
enabled: true
createServiceAccount: true
defaultPermissions: "ro"
# annotations:
commonAnnotations:
enabled: false # to code...
# App Definitions
apps:
- name: heqet
path: charts/heqet
noValues: true
- name: argocd
repoURL: https://github.com/argoproj/argo-helm
path: charts/argo-cd
vhost: argocd.heqet.gnu.one
ingress_prefix: server
pod_spec_prefix: server
has_values: true
patches:
- name: vault
path: server
paths:
- root: server
values:
access: ro
parameters:
- name: server.debug
value: "true"
- name: server.config.url
value: https://argocd.heqet.gnu.one
- name: server.ingress.enabled
value: "true"
- name: dex.enabled
value: "false"
- name: controller.logLevel
value: debug
- name: repoServer.logLevel
value: debug
ingress: server
vault: server
# for pod annotations / vault/ ...
podSpecRoots:
- server
- name: jaeger
path: charts/jaeger
repoURL: https://github.com/jaegertracing/helm-charts
path: charts/jaeger
targetRevision: HEAD
vhost: jaeger.heqet.gnu.one
ingress_prefix: query
vhost: jaeger.heket.gnu.one
ingress: query
- name: nginx-ingress
repoURL: https://github.com/kubernetes/ingress-nginx
path: charts/ingress-nginx
parameters:
- name: controller.admissionWebhooks.enabled
value: "false"
- name: controller.admissionWebhooks.patch.enabled
value: "false"
- name: rbac.create
value: "true"
- name: controller.publishService.enabled
value: "true"
- name: controller.image.repository
value: bitnami/nginx-ingress-controller
- name: cert-manager
repoURL: https://github.com/jetstack/cert-manager
path: deploy/charts/cert-manager
parameters:
- name: acme.server
value: https://acme-v02.api.letsencrypt.org/directory
- name: acme.email
value: nold@gnu.one
# using crds/ directory
- name: installCRDs
value: "false"
- name: cainjector.image.tag
value: v0.15.1
- name: image.tag
value: v0.15.1
- name: webhook.image.tag
value: v0.15.1
- name: vault
repoURL: https://github.com/hashicorp/vault-helm
vhost: vault.heqet.gnu.one
ingress_prefix: server
ingress_hosts_keymap: true
novault: true
parameters:
- name: server.dev.enabled
value: "true"
- name: ui.enabled
value: "true"
vhost: vault.heket.gnu.one
ingress: server
ingressHostsKeymap: true
ignoreDifferences: |
- group: apiextensions.k8s.io
kind: CustomResourceDefinition
@ -125,16 +87,11 @@ apps:
jsonPointers:
- /webhooks
- name: kubernetes-dashboard
path: stable/kubernetes-dashboard
repoURL: https://github.com/helm/charts
vhost: dashboard.heqet.gnu.one
parameters:
- name: rbac.clusterAdminRole
value: "true"
- name: enableInsecureLogin
value: "true"
path: stable/kubernetes-dashboard
vhost: dashboard.heket.gnu.one
- name: loki-stack
path: charts/loki-stack
repoURL: https://github.com/grafana/loki
path: production/helm/loki-stack
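Review bot: `defaults.repoURL` changes from `https://github.com/nold360/heqet` to `https://github.com/nold360/heket` while every chart path in this commit, including the self-referencing `- name: heqet` app with `path: charts/heqet`, still lives under `heqet`; if this is a typo rather than a repository rename, ArgoCD can no longer fetch the heqet Application itself. The `vhost` values are likewise split between `argocd.heqet.gnu.one` (unchanged) and the renamed `jaeger.heket.gnu.one`, `vault.heket.gnu.one`, `dashboard.heket.gnu.one`, so one of the two domains is probably wrong. `generators.ingress.acme.server:` is left null, which makes the ClusterIssuer fall back to its staging default (raised on acme-clusterissuer.yaml). `podSpecRoots` is introduced under the argocd app but nothing in the templates of this commit reads it, so either wire it up or drop it, and `commonAnnotations.enabled: false # to code...` should say what is unimplemented. The `apps:` list continues past the second hunk.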
