Update: Docs, functions, examples, ...

drone
nold 1 year ago
parent be478af8c5
commit e45e66d224
Files changed (added + removed lines):
1. Chart.yaml (2)
2. README.md (126)
3. bin/20_vault_init.sh (29)
4. crds/cert-manager.yaml (6294)
5. manifests/heqet-apps.yaml (4)
6. templates/_helpers.tpl (62)
7. templates/acme-clusterissuer.yaml (16)
8. templates/crds.yaml (2)
9. templates/crds/vaultsecrets.yml (220)
10. templates/dashboard/deployment.yaml (25)
11. templates/dashboard/ingress.yaml (27)
12. templates/dashboard/service.yaml (19)
13. templates/external-dns.yaml (96)
14. templates/heqet-apps.yaml (73)
15. values.d/argocd.yaml (296)
16. values.d/cert-manager.yaml (129)
17. values.d/che.yaml (316)
18. values.d/jaeger.yaml (518)
19. values.d/kubeless.yaml (551)
20. values.d/kubernetes-dashboard.yaml (200)
21. values.d/loki-stack.yaml (24)
22. values.d/nginx-ingress.yaml (12)
23. values.d/polaris.yaml (32)
24. values.d/rook.yaml (146)
25. values.d/sealed-secrets.yaml (64)
26. values.d/vault-secrets-operator.yaml (143)
27. values.d/vault.yaml (764)
28. values.yaml (168)

@ -2,4 +2,4 @@ apiVersion: v2
appVersion: "0.1"
description: Heqet-Bootstrap Applications
name: heqet
version: 0.1.0
version: 0.2.0
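
Review bot: `version` moves to 0.2.0 while `appVersion` stays at "0.1"; since the bundled stack changes in this commit (ArgoCD v2.0.0, the new VaultSecret generator), either bump `appVersion` as well or state in the README that it is not tracked.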

@ -2,28 +2,104 @@
*Heqet (Egyptian ḥqt, also ḥqtyt "Heqtit") is an Egyptian goddess of fertility.*
I would call it a 'GitOps Kubernetes Development Distribution/Environment' supplying everything you need to get startet with k8s. Heqet heavily relies on a Helm-Chart `charts/heqet` which will generate all applications using ArgoCD's [App-of-Apps-Pattern](https://argoproj.github.io/argo-cd/operator-manual/cluster-bootstrapping/)
Heqet Keyfeatures:
* As easy to setup as possible
* Follow the GitOps principles
* Supply an independent development environment; incl:
* Continous Deployment
* Storage [for bare-metal/on-prem]
* Ingress
* ...
**This project is still in a very early stage of development - WIP**
## Components
Core component is `ArgoCD` which will deploy all of Heqet's apps & also your's! All you need is a git-repo & k8s cluster.
Heqets application stack contains:
* ArgoCD [Deploys all Applications from Git]
* Prometheus, Grafana, Loki & fluentd - preconfigured for basic Monitoring and Logging
* Kubernetes Dashboard
* NGINX Ingress
* Cert-Manager
* Jaeger [Tracing]
* Rook [Block/Object-Strage]
Heqet is my attempt to make Kubernetes GitOps Deployments as easy as possible. It reduces the need of configuration by generating the required Application definitions for you. Heqet heavily relies on a Helm-Chart which will generate all applications, namespaces & more using ArgoCDs [App-of-Apps-Pattern](https://argoproj.github.io/argo-cd/operator-manual/cluster-bootstrapping/).
## Keyfeatures
* Easy Setup [Sane Kubernetes cluster + PVC-StorageClass]
* Easy application definition & configuration
* Follows the GitOps principles
* Deploy a whole application environment or cluster from a singe git-repo
**This project is still in a very early stage of development, but feel free to try it out & contribute!**
## Components & Configuration
Core component is `ArgoCD` which will deploy Heqet & also your apps! All you need is a git-repo & k8s cluster.
The heqet Helm-Chart will generate ArgoCD Applications, namespaces and if required vault Secrets. All you need to do if add your Helm-Application to heqet's `values.yaml`.
If more configuration values are required, simply throw your applications `values.yaml` into heqets `values.d` folder, named as the application [e.g. `values.d/argocd.yaml`.
## Installation
Installing heqet can't be simpler, after configuring your apps, argocd and pushing it to your git repo:
1. Configure `manifests/heqet-apps.yaml` to match your Setup
2. `kubectl apply -f manifests/argocd.yaml`
3. `kubectl apply -f manifests/heqet-apps.yaml`
ArgoCD will start and bootstrap heqet.
## Application Definition
Here is a list of available configuration options inside the `apps` array.o
### Required
| Parameter | Type | Example | Description |
|-----------|--------|---------|-------------|
| name | string | `"argocd"` | Name of your application & namespace [if not specified] |
| repoURL | string | `"https://github.com/nold360/heqet"` | URL to git or Helmchart repo |
| path | string | `"charts/heqet"` | Path to chart if using git in `repoURL` |
| chart | string | `"heqet"` | Chart name [ only use either `path` or `chart` ] |
| targetRevision | string | `"1.2.3"` or `"master"` | Version of Helm-Chart or Branch/Tag of git |
### Optional
| Parameter | Type | Default | Example | Description |
|-----------|--------|---------|---------|-------------|
| disabled | bool | false | `true` | Disable App |
| noCreateNamespace | bool | false | `true` | Don't create namespace for app |
| namespace | string | .Values.name | `"superns"` | Name of application namespace |
| annotations | hash | | `my.anno.org/stuff: is-awesome` | Namespace annotations |
| syncWave | string | `"0"` | `"-2" | ArgoCD SyncWave |
| project | string | `"default"` | `"myproject"` | Name of ArgoCD Project |
| server | string | `"https://kubernetes.default.svc"` | `https://my.external.cluster:8443` | K8s Cluster to deploy to |
| prune | bool | `false` | `true` | ArgoCD automatic prune app |
| selfHeal | bool | `false` | `true` | ArgoCD automatic self-heal app |
| ignoreDiff | array | | See ArgoCD docs | ArgoCD [ignoreDifferences](https://argoproj.github.io/argo-cd/user-guide/diffing/)
| parameters | array | |- name: ingress.host<br>value: awesome.url | Parameters override values of app |
### Generators
Heqet contains a "generators" feature which will create additional resources for you. Currently only one generator is implemented.
#### VaultSecret
The VaultSecret generator will create `VaultSecret` for the secrets specified in `secrets`. It's based on the [vault-secret-operator](https://github.com/ricoberger/vault-secrets-operator).
##### Values
Here is an example for a simple secret:
``` yaml
apps:
- name: myapp
secrets:
- name: my-secret
keys:
- username
- password
# default:
type: Opaque
```
This will result in following resource. Notice that the path inside of Vault is `/heqet/<name-of-app>/<name-of-secret>`.
``` yaml
apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
name: vpn-config
namespace: "myapp"
labels:
app: myapp
annotations:
argocd.argoproj.io/sync-wave: "-1"
spec:
keys:
- username
- password
path: heqet/myapp/my-secret
type: Opaque
```
## Custom Resource Definitions
CRDs might be required before applying application configuration. If so, copy the `crd.yaml` into heqets `templates/crds`-Directory.
## Full Example
Check out the `test`-Branch of this repo for my current testing setup.
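
Review bot: the VaultSecret example under "Values" does not match the template this commit adds: `type: Opaque` sits under the secret entry, but `templates/heqet-apps.yaml` reads it from the app (`$context.type`), so a per-secret `type` is silently ignored; either move the key to app level in the example or read `.type` inside the secrets loop. The rendered example also names the resource `vpn-config` while the input names the secret `my-secret` (the template emits `name: {{ .name }}`), so the two blocks should agree. Smaller items: the stray `o` in `array.o` at the start of "Application Definition", the unclosed `[e.g. ...` bracket in "Components & Configuration", the unterminated backtick in the `syncWave` example cell, and the missing trailing `|` on the `ignoreDiff` row, which is inconsistent with the other rows.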

@ -0,0 +1,29 @@
#!/bin/bash
# Generate Vault Service-Account for Apps & preseed data
function v {
echo "vault $@"
kubectl exec -it vault-0 -n vault -- vault $@
}
v auth enable kubernetes
v write auth/kubernetes/config \
token_reviewer_jwt="\$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host="https://\${KUBERNETES_PORT_443_TCP_ADDR}:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
v secrets enable -path=heqet kv-v2
v policy write "heqet-app" - <<EOF
path "heqet/*/*" {
capabilities = ["read"]
}
EOF
v write auth/kubernetes/role/heqet-app \
bound_service_account_names=vault-secrets-operator \
bound_service_account_namespaces=vault-secrets-operator \
policies=heqet-app \
ttl=6h
# Passwort: argocd
v kv put heqet/argocd/argocd-secret admin.password='$2y$12$FP8OlsVj5pOOqRAhI4XPoev1STaW01uUEZGcNPQtVZmpacebNhj9i' server.secretkey="pDYAWK2mHa68GwwVPAsQOsG/SUT8iIo3S3FXYUWf2qM="
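
Review bot: the `v` wrapper runs `kubectl exec ... -- vault $@` with no shell inside the pod, so the escaped `\$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)` and `\${KUBERNETES_PORT_443_TCP_ADDR}` in the `auth/kubernetes/config` call reach the `vault` binary as literal strings and are never expanded; run the command through `sh -c` in the container (and quote `"$@"` in the function), or compute the values on the host and pass them in. The policy `path "heqet/*/*"` is also unlikely to grant what is intended: Vault treats `*` as a glob only at the end of a path, and kv-v2 reads go through `heqet/data/<app>/<secret>`, so `heqet/data/*` (or `heqet/data/+/+`) is the path to allow. `-t` should be dropped from `kubectl exec` for the `policy write` call, whose stdin is a heredoc rather than a terminal. Finally, the bcrypt hash of the known password `argocd` and a fixed `server.secretkey` are committed to the repo; that key signs ArgoCD session tokens, so generate it at bootstrap time (for example `openssl rand -base64 32`) instead of shipping one value for every install.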

[crds/cert-manager.yaml] File diff suppressed because it is too large.

@ -3,8 +3,6 @@ apiVersion: v1
kind: Namespace
metadata:
name: heqet
spec: {}
status: {}
---
apiVersion: argoproj.io/v1alpha1
kind: Application
@ -18,7 +16,7 @@ spec:
source:
path: .
repoURL: 'https://github.com/nold360/heqet'
targetRevision: HEAD
targetRevision: k3s
helm:
valueFiles:
- values.yaml
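
Review bot: `targetRevision: k3s` pins the bootstrap Application to a branch named `k3s`, while the README's "Full Example" points readers at the `test` branch; align the two, or say in the README's step 1 ("Configure `manifests/heqet-apps.yaml` to match your Setup") that `repoURL` and `targetRevision` are the fields to edit.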

@ -1,62 +0,0 @@
{{- /*
Heqet's Auto TLS Ingress Injector [ATIC]:
*/ -}}
{{- define "heqet.ingress" }}
{{- if .vhost }}
ingress:
enabled: true
hosts:
{{- if not .ingressHostsKeymap }}
- {{ required "You need to set a domain for your app or disable atic" .vhost }}
{{- else }}
- host: {{ required "You need to set a domain for your app or disable atic" .vhost }}
paths: []
{{- end }}
annotations:
kubernetes.io/ingress.class: {{ .ingressClass | default "nginx" }}
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: {{ .clusterIssuer | default "letsencrypt" }}
external-dns.alpha.kubernetes.io/hostname: {{ .vhost }}
nginx.ingress.kubernetes.io/ssl-redirect: "true"
tls:
- secretName: {{ .name }}-le-tls
hosts:
- {{ .vhost | quote }}
{{- end -}}
{{- end -}}
{{- /*
Read value files for every application
*/ -}}
{{- define "app.values" }}
{{- $values := $.Files.Get (printf "values.d/%s.yaml" .name ) | fromYaml }}
{{- ($values)| indent 8 }}
{{ end }}
{{- /*
Inject vault-injector into pods
*/ -}}
{{- define "heqet.vault" }}
podAnnotations:
heqet.gnu.one/app: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "{{ .name }}-vault-ro"
{{- if .secrets }}
{{- $app := . }}
{{- range .secrets }}
{{- with $app }}
vault.hashicorp.com/agent-inject-secret-{{ .path |replace "/" "-" }}: "heqet/apps/{{ $app.name }}/{{ .name }}"
{{- end }}
{{- end }}
{{- end }}
spec:
serviceAccountName: "{{ .name }}-vault-ro"
{{- end -}}
{{- define "heqet.patch" }}
{{- if .root }}
{{- dict .root .patchValues | toYaml }}
{{- else }}
{{- toYaml .patchValues }}
{{- end }}
{{- end }}

@ -1,16 +0,0 @@
{{ if .Values.generators.ingress.acme.enabled }}
apiVersion: cert-manager.io/v1alpha3
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: {{ .Values.generators.ingress.acme.server | default "https://acme-staging-v02.api.letsencrypt.org/directory" }}
email: {{ .Values.generators.ingress.acme.email | quote }}
privateKeySecretRef:
name: letsencrypt-clusterissuer
solvers:
- http01:
ingress:
class: nginx
{{- end }}
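
Review bot: removing the `letsencrypt` ClusterIssuer leaves nothing in this chart that creates an issuer, yet the README still lists Cert-Manager as part of the stack; if the issuer now comes from `values.d/cert-manager.yaml`, say so in the README, otherwise any `cert-manager.io/cluster-issuer: letsencrypt` annotation will point at an issuer that no longer exists.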

@ -1,5 +1,5 @@
{{- if .Values.installCRDs }}
{{- range $path, $_ := .Files.Glob "crds/*.yaml" }}
{{- range $path, $_ := .Files.Glob "crds/*.y*ml" }}
{{ $.Files.Get $path }}
---
{{- end }}
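
Review bot: the glob now reads `crds/*.y*ml` at the chart root, but the README's "Custom Resource Definitions" section tells users to copy CRDs into `templates/crds`, which this template never reads (Helm renders files under `templates/` directly and `.Files` cannot see them); pick one location and document it. Note also that Helm 3 treats a top-level `crds/` directory specially (installed on `helm install`, emitted by `helm template --include-crds`), so templating the same files under `installCRDs` can emit every CRD twice.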

@ -0,0 +1,220 @@
---
# Source: vault-secrets-operator/templates/custom-resource-definition.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
creationTimestamp: null
name: vaultsecrets.ricoberger.de
labels:
app.kubernetes.io/name: vault-secrets-operator
helm.sh/chart: vault-secrets-operator-1.14.2
app.kubernetes.io/instance: vault-secrets-operator
app.kubernetes.io/managed-by: Helm
spec:
group: ricoberger.de
names:
kind: VaultSecret
listKind: VaultSecretList
plural: vaultsecrets
singular: vaultsecret
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Indicates if the secret was created/updated successfully
jsonPath: .status.conditions[?(@.type=="SecretCreated")].status
name: Succeeded
type: string
- description: Reason for the current status
jsonPath: .status.conditions[?(@.type=="SecretCreated")].reason
name: Reason
type: string
- description: Message with more information, regarding the current status
jsonPath: .status.conditions[?(@.type=="SecretCreated")].message
name: Message
type: string
- description: Time when the condition was updated the last time
jsonPath: .status.conditions[?(@.type=="SecretCreated")].lastTransitionTime
name: Last Transition
type: date
- description: Time when this VaultSecret was created
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: VaultSecret is the Schema for the vaultsecrets API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: VaultSecretSpec defines the desired state of VaultSecret
properties:
isBinary:
description: isBinary is a flag indicates if data stored in vault
is binary data. Since vault does not store binary data natively,
the binary data is stored as base64 encoded. However, same data
get encoded again when operator stored them as secret in k8s which
caused the data to get double encoded. This flag will skip the base64
encode which is needed for string data to avoid the double encode
problem.
type: boolean
keys:
description: Keys is an array of Keys, which should be included in
the Kubernetes secret. If the Keys field is ommitted all keys from
the Vault secret will be included in the Kubernetes secret.
items:
type: string
type: array
path:
description: Path is the path of the corresponding secret in Vault.
type: string
reconcileStrategy:
description: ReconcileStrategy defines the strategy for reconcilation.
The default value is "Replace", which replaces any existing data
keys in a secret with the loaded keys from Vault. The second valid
value is "Merge" wiche merges the loaded keys from Vault with the
existing keys in a secret. Duplicated keys will be replaced with
the value from Vault. Other values are not valid for this field.
type: string
secretEngine:
description: SecretEngine specifies the type of the Vault secret engine
in which the secret is stored. Currently the 'KV Secrets Engine
- Version 1' and 'KV Secrets Engine - Version 2' are supported.
The value must be 'kv'. If the value is omitted or an other values
is used the Vault Secrets Operator will try to use the KV secret
engine.
type: string
templates:
additionalProperties:
type: string
description: Templates, if not empty will be run through the the Go
templating engine, with `.Secrets` being mapped to the list of secrets
received from Vault. When omitted set, all secrets will be added
as key/val pairs under Secret.data.
type: object
type:
description: Type is the type of the Kubernetes secret, which will
be created by the Vault Secrets Operator.
type: string
vaultNamespace:
description: 'VaultNamespace can be used to specify the Vault namespace
for a secret. When this value is set, the X-Vault-Namespace header
will be set for the request. More information regarding namespaces
can be found in the Vault Enterprise documentation: https://www.vaultproject.io/docs/enterprise/namespaces'
type: string
vaultRole:
description: VaultRole can be used to specify the Vault role, which
should be used to get the secret from Vault. If the vaultRole property
is set a new client with the specified Vault Role will be created
and the shared client is ignored. If the operator is configured
using the token auth method this property has no effect.
type: string
version:
description: Version sets the version of the secret which should be
used. The version is only used if the KVv2 secret engine is used.
If the version is omitted the Operator uses the latest version of
the secret. If the version omitted and the VAULT_RECONCILIATION_TIME
environment variable is set, the Kubernetes secret will be updated
if the Vault secret changes.
type: integer
required:
- path
- type
type: object
status:
description: VaultSecretStatus defines the observed state of VaultSecret
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are:
\"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type
\ // +patchStrategy=merge // +listType=map // +listMapKey=type
\ Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
\n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
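
Review bot: this CRD is rendered unconditionally because it lives under `templates/`, ignoring both `installCRDs` and `generators.vault`; wrap it in `{{- if .Values.generators.vault }}` (or move it to `crds/`) so clusters that do not use the VaultSecret generator do not receive a foreign CRD. Keep the `helm.sh/chart: vault-secrets-operator-1.14.2` label, it records the upstream version to re-sync from when the schema changes.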

@ -1,25 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
app: hqt-dashboard
name: hqt-dashboard
namespace: heqet
spec:
replicas: 1
selector:
matchLabels:
app: hqt-dashboard
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: hqt-dashboard
spec:
containers:
- image: nold360/hqt
name: hqt
resources: {}
status: {}

@ -1,27 +0,0 @@
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: hqt-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
kubernetes.io/ingress.class: {{ .ingressClass | default "nginx" }}
kubernetes.io/tls-acme: "true"
cert-manager.io/cluster-issuer: {{ .clusterIssuer | default "letsencrypt" }}
external-dns.alpha.kubernetes.io/hostname: hqt.{{ $.Values.defaults.domain }}
nginx.ingress.kubernetes.io/ssl-redirect: "true"
labels:
app: hqt-dashboard
namespace: heqet
spec:
rules:
- host: hqt.{{ $.Values.defaults.domain }}
http:
paths:
- backend:
serviceName: hqt-dashboard
servicePort: 80
path: null
tls:
- hosts:
- hqt.{{ $.Values.defaults.domain }}
secretName: hqt-le-tls

@ -1,19 +0,0 @@
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
app: hqt-dashboard
name: hqt-dashboard
namespace: heqet
spec:
ports:
- name: "80"
port: 80
protocol: TCP
targetPort: 80
selector:
app: hqt-dashboard
type: ClusterIP
status:
loadBalancer: {}

@ -1,96 +0,0 @@
# External DNS Provider using OVH
# Service Annotation: external-dns.alpha.kubernetes.io/hostname: example.com
# See: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/ovh.md
#
apiVersion: v1
kind: Namespace
metadata:
annotations:
argocd.argoproj.io/sync-wave: "-1"
name: external-dns
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-dns
namespace: external-dns
annotations:
argocd.argoproj.io/sync-wave: "-1"
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: external-dns
annotations:
argocd.argoproj.io/sync-wave: "-1"
rules:
- apiGroups: [""]
resources: ["services"]
verbs: ["get","watch","list"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get","watch","list"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["get","watch","list"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: external-dns-viewer
annotations:
argocd.argoproj.io/sync-wave: "-1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: external-dns
subjects:
- kind: ServiceAccount
name: external-dns
namespace: external-dns
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: external-dns
namespace: external-dns
annotations:
argocd.argoproj.io/sync-wave: "0"
spec:
strategy:
type: Recreate
selector:
matchLabels:
app: external-dns
template:
metadata:
labels:
app: external-dns
spec:
serviceAccountName: external-dns
containers:
- name: external-dns
image: registry.opensource.zalan.do/teapot/external-dns:latest
args:
- --source=ingress
- --domain-filter=lib42.me
- --provider=ovh
env:
- name: OVH_APPLICATION_KEY
valueFrom:
secretKeyRef:
name: external-dns-auth
key: OVH_APPLICATION_KEY
- name: OVH_APPLICATION_SECRET
valueFrom:
secretKeyRef:
name: external-dns-auth
key: OVH_APPLICATION_SECRET
- name: OVH_CONSUMER_KEY
valueFrom:
secretKeyRef:
name: external-dns-auth
key: OVH_CONSUMER_KEY

@ -7,10 +7,8 @@ kind: Namespace
metadata:
name: {{ .namespace | default .name | quote }}
annotations:
argocd.argoproj.io/sync-wave: "-1"
{{- if .namespace_vars }}
{{ .namespace_vars | indent 2 }}
{{- end }}
argocd.argoproj.io/sync-wave: "-42"
{{ .annotations | toYaml | indent 4}}
{{- end }}
---
apiVersion: argoproj.io/v1alpha1
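
Review bot: `{{ .annotations | toYaml | indent 4}}` renders `null` when an app sets no `annotations` (the README lists the key as optional), which leaves an indented bare `null` under the `annotations:` mapping and is not valid YAML; guard it with `{{- with .annotations }}{{ toYaml . | indent 4 }}{{- end }}`.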
@ -24,61 +22,56 @@ metadata:
app.kubernetes.io/name: {{ .name }}
app.kubernetes.io/part-of: heqet
annotations:
argocd.argoproj.io/sync-wave: {{ .syncWave | default "0" | quote}}
argocd.argoproj.io/sync-wave: {{ .syncWave | default "0" | quote }}
spec:
project: {{ .project | default "default" }}
project: {{ .project | default $.Values.defaults.project | default "default" }}
destination:
namespace: {{ .namespace | default .name | quote }}
server: {{ .server | default $.Values.defaults.server }}
server: {{ .server | default $.Values.defaults.server | default "https://kubernetes.default.svc" }}
source:
path: {{ .path | default "." | quote }}
path: {{ .path | default "" | quote }}
repoURL: {{ .repoURL | default $.Values.defaults.repoURL | quote }}
targetRevision: {{ default "HEAD" .targetRevision | quote }}
targetRevision: {{ .targetRevision | default $.Values.defaults.targetRevision | default "HEAD" | quote }}
{{ if .chart }}chart: {{ .chart | quote }}{{ end }}
helm:
{{- if .parameters }}
parameters:
{{- range .parameters }}
- name: {{ .name | quote }}
{{- if .noquote }}
value: {{ .value }}
{{- else }}
value: {{ .value | quote }}
{{- end }}
{{- end }}
{{ .parameters | toYaml | indent 8 }}
{{- end }}
values: |
{{- $values := $.Files.Get (printf "values.d/%s.yaml" .name ) | fromYaml | default dict }}
{{- $context := . }}
{{- range $gen, $vals := $.Values.generators }}
{{- with $context }}
{{- with $values }}
{{- if not $context.noValues }}
{{- $patchValues := include (printf "heqet.%s" $gen) $context | fromYaml }}
{{- $root := pluck $gen $context | first }}
{{- $data := dict "root" $root "patchValues" $patchValues }}
{{- $tmp := (include "heqet.patch" $data) | fromYaml }}
{{- $_ := deepCopy $tmp | mergeOverwrite $values }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{ toYaml $values | indent 8 }}
syncPolicy:
automated:
# FIXME: Open Issue: https://github.com/helm/helm/issues/8026
prune: {{ $.Values.defaults.automated.prune | default "false" }}
selfHeal: {{ $.Values.defaults.automated.selfHeal | default "false" }}
{{- if .ignoreDifferences }}
prune: {{ .prune | default $.Values.defaults.automated.prune | default "false" }}
selfHeal: {{ .selfHeal | default $.Values.defaults.automated.selfHeal | default "false" }}
{{- if .ignoreDiff }}
ignoreDifferences:
{{ .ignoreDifferences | indent 4 }}
{{ .ignoreDiff | toYaml | indent 4 }}
{{- end }}
{{- if $.Values.generators.vault }}
{{- $context := . }}
{{- with $context }}
{{- range .secrets }}
---
apiVersion: v1
kind: ServiceAccount
apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
name: {{ .name }}-vault-ro
{{ end }}
name: {{ .name }}
namespace: {{ $context.namespace | default $context.name | quote }}
labels:
app: {{ $context.name }}
annotations:
argocd.argoproj.io/sync-wave: "-1"
spec:
keys:
{{- range .keys }}
- {{ . }}
{{- end }}
path: heqet/{{ $context.name }}/{{ .name }}
type: {{ $context.type | default "Opaque" }}
{{ end }}
{{ end }}
{{ end }}
{{ end }}
{{- end }}
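
Review bot: the VaultSecret block reads `type` from the app (`$context.type | default "Opaque"`), but the README example in this same commit puts `type: Opaque` under the secret entry, so the documented per-secret type is ignored; use `.type` inside `range .secrets` or document the key at app level. Two more points in this hunk: `path` now defaults to `""`, which is fine for `chart:` sources but for git sources ArgoCD expects a directory, so the previous `.` default was the safer fallback; and replacing the `range .parameters` loop with `toYaml` drops the `| quote` on `value`, so a YAML-numeric parameter (`value: 3`) is emitted unquoted although `parameters[].value` is declared as a string in the Application CRD and will fail validation.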

@ -10,12 +10,12 @@ installCRDs: true
global:
image:
repository: argoproj/argocd
tag: v1.6.0-rc1
tag: v2.0.0
imagePullPolicy: IfNotPresent
securityContext: {}
# runAsUser: 999
# runAsGroup: 999
# fsGroup: 999
securityContext:
runAsUser: 999
runAsGroup: 999
fsGroup: 999
imagePullSecrets: []
hostAliases: []
# - ip: 10.20.30.40
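
Review bot: the global `securityContext` now sets `runAsUser`/`runAsGroup`/`fsGroup: 999`; add `runAsNonRoot: true` alongside, as the redis block further down in this file does, so the kubelet refuses to start a container whose image defaults to uid 0.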
@ -28,16 +28,27 @@ controller:
image:
repository: # argoproj/argocd
tag: v1.6.0-rc1
tag: # v1.7.11
imagePullPolicy: # IfNotPresent
# If changing the number of replicas you must pass the number as ARGOCD_CONTROLLER_REPLICAS as an environment variable
replicas: 1
# Deploy the application as a StatefulSet instead of a Deployment, this is required for HA capability.
# This is a feature flag that will become the default in chart version 3.x
enableStatefulSet: false
## Argo controller commandline flags
args:
statusProcessors: "20"
operationProcessors: "10"
appResyncPeriod: "180"
selfHealTimeout: "5"
## Argo controller log format: text|json
logFormat: text
## Argo controller log level
logLevel: debug
logLevel: info
## Additional command line arguments to pass to argocd-controller
##
@ -45,7 +56,10 @@ controller:
## Environment variables to pass to argocd-controller
##
env: []
env:
[]
# - name: "ARGOCD_CONTROLLER_REPLICAS"
# value: ""
## Annotations to be added to controller pods
##
@ -56,10 +70,11 @@ controller:
podLabels: {}
## Labels to set container specific security contexts
containerSecurityContext: {}
# capabilities:
# drop:
# - all
containerSecurityContext:
capabilities:
drop:
- all
readOnlyRootFilesystem: true
## Configures the controller port
containerPort: 8082
@ -113,10 +128,14 @@ controller:
serviceAccount:
create: true
name: argocd-application-controller
## Annotations applied to created service account
annotations: {}
## Automount API credentials for the Service Account
automountServiceAccountToken: true
## Server metrics controller configuration
metrics:
enabled: true
enabled: false
service:
annotations: {}
labels: {}
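
Review bot: `controller.metrics.enabled` flips to `false`, yet the README added in this commit advertises Prometheus and Grafana "preconfigured for basic Monitoring"; either keep the metrics Service or drop the claim, since without it the `ArgoAppNotSynced` rule in the next hunk can never fire.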
@ -144,7 +163,7 @@ controller:
# resolved for this cloud to continue to maintain state.
# - alert: ArgoAppNotSynced
# expr: |
# argocd_app_sync_status{sync_status!="Synced"} == 1
# argocd_app_info{sync_status!="Synced"} == 1
# for: 12h
# labels:
# severity: warning
@ -169,9 +188,17 @@ dex:
enabled: true
name: dex-server
metrics:
enabled: false
service:
annotations: {}
labels: {}
serviceMonitor:
enabled: false
image:
repository: quay.io/dexidp/dex
tag: v2.22.0
tag: v2.26.0
imagePullPolicy: IfNotPresent
initImage:
repository:
@ -193,6 +220,10 @@ dex:
serviceAccount:
create: true
name: argocd-dex-server
## Annotations applied to created service account
annotations: {}
## Automount API credentials for the Service Account
automountServiceAccountToken: true
## Additional volumeMounts to the controller main container.
volumeMounts:
@ -209,6 +240,8 @@ dex:
servicePortHttp: 5556
containerPortGrpc: 5557
servicePortGrpc: 5557
containerPortMetrics: 5558
servicePortMetrics: 5558
## Node selectors and tolerations for server scheduling to nodes with taints
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
@ -220,11 +253,11 @@ dex:
priorityClassName: ""
## Labels to set container specific security contexts
containerSecurityContext: {}
# capabilities:
# drop:
# - all
containerSecurityContext:
capabilities:
drop:
- all
readOnlyRootFilesystem: true
resources: {}
# limits:
@ -241,7 +274,7 @@ redis:
image:
repository: redis
tag: 5.0.3
tag: 5.0.10-alpine
imagePullPolicy: IfNotPresent
containerPort: 6379
@ -269,11 +302,18 @@ redis:
priorityClassName: ""
## Labels to set container specific security contexts
containerSecurityContext: {}
# capabilities:
# drop:
# - all
containerSecurityContext:
capabilities:
drop:
- all
readOnlyRootFilesystem: true
## Redis Pod specific security context
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
runAsNonRoot: true
resources: {}
# limits:
@ -298,11 +338,13 @@ redis-ha:
redis:
masterGroupName: argocd
config:
save: "\"\""
save: '""'
haproxy:
enabled: true
metrics:
enabled: true
image:
tag: 5.0.8-alpine
## Server
server:
@ -318,12 +360,12 @@ server:
targetMemoryUtilizationPercentage: 50
image:
repository: argoproj/argocd
tag: v1.6.0-rc1
repository: # argoproj/argocd
tag: # v1.7.11
imagePullPolicy: # IfNotPresent
## Additional command line arguments to pass to argocd-server
## Heqet: We have Ingress
##
extraArgs:
- --insecure
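
Review bot: `--insecure` makes argocd-server speak plain HTTP to the ingress; that is acceptable only when TLS terminates at the ingress controller and the pod is reachable solely through it, so pair it with a `tls` entry on the server ingress (currently empty in this file) and note that the CLI's gRPC path then needs the separate `ingressGrpc` or `argocd login --grpc-web`.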
@ -331,9 +373,14 @@ server:
##
env: []
## Specify postStart and preStop lifecycle hooks for your argo-cd-server container
##
lifecycle: {}
## Argo server log format: text|json
logFormat: text
## Argo server log level
# Heqet: Just in case.. this is a Dev Environment!
logLevel: debug
logLevel: info
## Annotations to be added to controller pods
##
@ -378,10 +425,11 @@ server:
priorityClassName: ""
## Labels to set container specific security contexts
containerSecurityContext: {}
# capabilities:
# drop:
# - all
containerSecurityContext:
capabilities:
drop:
- all
readOnlyRootFilesystem: true
resources: {}
# limits:
@ -403,16 +451,21 @@ server:
annotations: {}
labels: {}
type: ClusterIP
## For node port default ports
nodePortHttp: 30080
nodePortHttps: 30443
servicePortHttp: 80
servicePortHttps: 443
servicePortHttpName: http
servicePortHttpsName: https
namedTargetPort: true
loadBalancerIP: ""
loadBalancerSourceRanges: []
externalIPs: []
## Server metrics service configuration
metrics:
enabled: true
enabled: false
service:
annotations: {}
labels: {}
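
Review bot: `server.metrics.enabled` is set to `false` here as for the controller above; same concern, the README promises monitoring out of the box.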
@ -427,8 +480,39 @@ server:
serviceAccount:
create: true
name: argocd-server
## Annotations applied to created service account
annotations: {}
## Automount API credentials for the Service Account
automountServiceAccountToken: true
ingress:
enabled: true
annotations: {}
labels: {}
## Argo Ingress.
## Hostnames must be provided if Ingress is enabled.
## Secrets must be manually created in the namespace
##
hosts:
- argocd.k3s
paths:
- /
extraPaths:
[]
# - path: /*
# backend:
# serviceName: ssl-redirect
# servicePort: use-annotation
tls:
[]
# - secretName: argocd-example-tls
# hosts:
# - argocd.example.com
https: false
# dedicated ingess for gRPC as documented at
# https://argoproj.github.io/argo-cd/operator-manual/ingress/
ingressGrpc:
enabled: false
annotations: {}
labels: {}
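
Review bot: the server ingress is enabled for `argocd.k3s` with `tls: []`, so the ArgoCD login page and API (including the `admin` password seeded in `bin/20_vault_init.sh`) are served over plaintext HTTP; add a `tls` entry backed by the cert-manager this stack ships (or the `cert-manager.io/cluster-issuer` annotation) so that the `--insecure` backend is only ever reached behind TLS termination.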
@ -442,11 +526,18 @@ server:
# - argocd.example.com
paths:
- /
extraPaths:
[]
# - path: /*
# backend:
# serviceName: ssl-redirect
# servicePort: use-annotation
tls:
[]
# - secretName: argocd-example-tls
# hosts:
# - argocd.example.com
https: false
# Create a OpenShift Route with SSL passthrough for UI and CLI
# Consider setting 'hostname' e.g. https://argocd.apps-crc.testing/ using your Default Ingress Controller Domain
@ -458,9 +549,10 @@ server:
## ArgoCD config
## reference https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
configEnabled: true
config:
# Argo CD's externally facing base URL (optional). Required when configuring SSO
url: https://argocd.example.com
url: https://argocd.k3s
# Argo CD instance label key
application.instanceLabelKey: argocd.argoproj.io/instance
# repositories: |
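Review bot: `url` is set to https://argocd.k3s, but the ingress for that host in the same change is enabled without TLS and with `https: false`. `url` is what Argo CD uses to build SSO redirect URIs and the links in the UI (the comment above it says "Required when configuring SSO"), so the scheme here must match what the ingress actually serves, or OIDC/dex callbacks are sent to an https endpoint nothing answers on. Make the two consistent, preferably by putting TLS on the ingress rather than downgrading `url` to http.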
@ -469,7 +561,7 @@ server:
# name: secret-name
# key: sshPrivateKey
# - type: helm
# url: https://kubernetes-charts.storage.googleapis.com
# url: https://charts.helm.sh/stable
# name: stable
# - type: helm
# url: https://argoproj.github.io/argo-helm
@ -487,6 +579,9 @@ server:
# - profile
# - email
## Annotations to be added to ArgoCD ConfigMap
configAnnotations: {}
## ArgoCD rbac config
## reference https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
rbacConfig:
@ -510,6 +605,13 @@ server:
# If omitted, defaults to: '[groups]'. The scope value can be a string, or a list of strings.
# scopes: '[cognito:groups, email]'
## Annotations to be added to ArgoCD rbac ConfigMap
rbacConfigAnnotations: {}
# Boolean determining whether or not to create the configmap. If false, it is expected tthe configmap will be created
# by something else. ArgoCD will not work if there is no configMap created with the name above.
rbacConfigCreate: true
## Not well tested and not well supported on release v1.0.0.
## Applications
## reference: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/
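Review bot: typo in the comment on `rbacConfigCreate`: "it is expected tthe configmap will be created" should read "it is expected that the configmap will be created". Since the comment warns that Argo CD will not work without this ConfigMap, it is worth stating in the same comment which component creates it when `rbacConfigCreate` is set to false.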
@ -563,6 +665,13 @@ server:
# kind: StatefulSet
# orphanedResources: {}
# roles: []
# syncWindows:
# - kind: allow
# schedule: '10 1 * * *'
# duration: 1h
# applications:
# - '*-prod'
# manualSync: true
## Enable Admin ClusterRole resources.
## Enable if you would like to grant rights to ArgoCD to deploy to the local Kubernetes cluster.
@ -579,6 +688,30 @@ server:
# oauthclientCredentials:
# secretName: argocd-secret
extraContainers: []
## Additional containers to be added to the controller pod.
## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example.
# - name: my-sidecar
# image: nginx:latest
# - name: lemonldap-ng-controller
# image: lemonldapng/lemonldap-ng-controller:0.2.0
# args:
# - /lemonldap-ng-controller
# - --alsologtostderr
# - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration
# env:
# - name: POD_NAME
# valueFrom:
# fieldRef:
# fieldPath: metadata.name
# - name: POD_NAMESPACE
# valueFrom:
# fieldRef:
# fieldPath: metadata.namespace
# volumeMounts:
# - name: copy-portal-skins
# mountPath: /srv/var/lib/lemonldap-ng/portal/skins
## Repo Server
repoServer:
name: repo-server
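Review bot: the comment introducing `extraContainers` says "Additional containers to be added to the controller pod", but the key sits under `server:` and the sidecars land in the argocd-server pod; fix the comment so nobody adds a controller helper here by mistake. The example also uses `image: nginx:latest`; commented-out examples get copied verbatim, so pin the tag (ideally the digest) in the example rather than showing a floating tag next to the API server.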
@ -593,8 +726,8 @@ repoServer:
targetMemoryUtilizationPercentage: 50
image:
repository: argoproj/argocd
tag: v1.6.0-rc1
repository: # argoproj/argocd
tag: # v1.7.11
imagePullPolicy: # IfNotPresent
## Additional command line arguments to pass to argocd-repo-server
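Review bot: `repository` and `tag` for the repo server are now empty, with the old values moved into trailing comments (`# argoproj/argocd`, `# v1.7.11`). If the intent is to inherit the global image, say so in the comment, because an empty `repository:` renders as null unless the template falls back to a global value, and a blank `imagePullPolicy` likewise depends on a chart default. Dropping the `v1.6.0-rc1` release candidate is the right move; where a tag is pinned, prefer pinning by digest so the rendered manifests cannot change under you.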
@ -605,8 +738,10 @@ repoServer:
##
env: []
## Argo repoServer log format: text|json
logFormat: text
## Argo repoServer log level
logLevel: debug
logLevel: info
## Annotations to be added to repo server pods
##
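Review bot: `logLevel` going from debug to info is correct for a long-lived deployment; the new `logFormat` key introduced in this hunk is a good place to also choose `json`, since structured output is what a log pipeline can index and filter on without fragile regexes.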
@ -651,10 +786,12 @@ repoServer:
priorityClassName: ""
## Labels to set container specific security contexts
containerSecurityContext: {}
containerSecurityContext:
{}
# capabilities:
# drop:
# - all
# readOnlyRootFilesystem: true
resources: {}
# limits:
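Review bot: the repo server's `containerSecurityContext` stays `{}` here while the server received `capabilities.drop: [all]` and `readOnlyRootFilesystem: true` earlier in this change. The repo server is the component that runs git, helm and kustomize against content fetched from remote repositories, so it is the one that most needs those restrictions. Drop all capabilities here as well; if you also enable `readOnlyRootFilesystem`, mount an emptyDir for the repository cache and the tools' home/temp directories and confirm a sync still succeeds before merging.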
@ -692,6 +829,8 @@ repoServer:
# name: argocd-repo-server
## Annotations applied to created service account
annotations: {}
## Automount API credentials for the Service Account
automountServiceAccountToken: true
## Repo server rbac rules
# rbac:
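Review bot: `automountServiceAccountToken: true` is added for the repo server's service account, but the repo server does not talk to the Kubernetes API, and its `rbac` rules directly below are commented out, so the mounted token grants nothing useful and only adds exposure. Set it to false so that code execution inside the repo server (for example through a config management plugin fed by a hostile repository) does not come with an API token already on disk.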
@ -707,27 +846,51 @@ repoServer:
## Use init containers to configure custom tooling
## https://argoproj.github.io/argo-cd/operator-manual/custom_tools/
## When using the volumes & volumeMounts section bellow, please comment out those above.
# volumes:
# - name: custom-tools
# emptyDir: {}
#
# initContainers:
# - name: download-tools
# image: alpine:3.8
# command: [sh, -c]
# args:
# - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - &&
# mv linux-amd64/helm /custom-tools/
# volumeMounts:
# - mountPath: /custom-tools
# name: custom-tools
# volumeMounts:
# - mountPath: /usr/local/bin/helm
# name: custom-tools
# subPath: helm
# volumes:
# - name: custom-tools
# emptyDir: {}
#
# initContainers:
# - name: download-tools
# image: alpine:3.8
# command: [sh, -c]
# args:
# - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - &&
# mv linux-amd64/helm /custom-tools/
# volumeMounts:
# - mountPath: /custom-tools
# name: custom-tools
# volumeMounts:
# - mountPath: /usr/local/bin/helm
# name: custom-tools
# subPath: helm
## Argo Configs
configs:
## External Cluster Credentials
## reference:
## - https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#clusters
## - https://argoproj.github.io/argo-cd/operator-manual/security/#external-cluster-credentials
clusterCredentials: []
# - name: mycluster
# server: https://mycluster.com
# annotations: {}
# config:
# bearerToken: "<authentication token>"
# tlsClientConfig:
# insecure: false
# caData: "<base64 encoded certificate>"
# - name: mycluster2
# server: https://mycluster2.com
# annotations: {}
# namespaces: namespace1,namespace2
# config:
# bearerToken: "<authentication token>"
# tlsClientConfig:
# insecure: false
# caData: "<base64 encoded certificate>"
knownHostsAnnotations: {}
knownHosts:
data:
ssh_known_hosts: |
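Review bot: the `clusterCredentials` example shows `bearerToken: "<authentication token>"` inline in the values file; in a GitOps repository this file is committed, so the comment should say the token must come from a sealed or externally managed Secret, never be filled in here. The custom-tools example fetches helm with `wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf -` inside `alpine:3.8` with no checksum or signature verification, and both helm v2.16.1 and alpine 3.8 are end-of-life; if the example stays, pin a current base image and add a `sha256sum -c` against a known checksum before copying the binary into /custom-tools. The old and new custom-tools blocks in this hunk read identically, so if this is only a re-indent it is worth saying so in the commit message.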
@ -738,6 +901,7 @@ configs:
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
tlsCertsAnnotations: {}
tlsCerts:
{}
# data:
@ -796,11 +960,10 @@ configs:
# XG+bpHPF4SiCpAxthP5WNa17zuvk+CDsMZgZNuhYNMo=
# -----END RSA PRIVATE KEY-----
secret:
createSecret: true
createSecret: false
## Annotations to be added to argocd-secret
##
annotations:
sealedsecrets.bitnami.com/managed: true
annotations: {}
# Webhook Configs
githubSecret: ""
@ -812,10 +975,11 @@ configs:
# Custom secrets. Useful for injecting SSO secrets into environment variables.
# Ref: https://argoproj.github.io/argo-cd/operator-manual/sso/
# Note that all values must be non-empty.
extra: {}
extra:
{}
# LDAP_PASSWORD: "mypassword"
# Argo TLS Data.
# Argo TLS Data.
argocdServerTlsConfig:
{}
# key:

@ -1,129 +0,0 @@
# Default values for cert-manager.
# Heket: CRDs via crds/
installCRDs: false
# Heket: More stuff
cainjector:
image:
tag: v0.15.1
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
## Reference to one or more secrets to be used when pulling images
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
imagePullSecrets: []
# - name: "image-pull-secret"
# Optional priority class to be used for the cert-manager pods
priorityClassName: ""
replicaCount: 1
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
image:
repository: quay.io/jetstack/cert-manager-controller
tag: v0.15.1
pullPolicy: IfNotPresent
# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
# resources. By default, the same namespace as cert-manager is deployed within is
# used. This namespace will not be automatically created by the Helm chart.
clusterResourceNamespace: ""
leaderElection:
# Override the namespace used to store the ConfigMap for leader election
namespace: ""