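---
# Ansible group variables for the monitoring (kube-prometheus-stack) and
# Argo CD Helm releases. Ansible renders every "{{ ... }}" from inventory
# variables before the values are handed to Helm.
#
# NOTE(review): the nesting below was reconstructed from a source whose line
# breaks and indentation were lost; confirm it against the original file,
# in particular the placement of the deploymentStrategy and env keys.

# Helm release names and target namespaces.
k8s_prometheus_helm__name: "prometheus"
k8s_prometheus_helm__release_namespace: "monitoring"
k8s_argocd_helm__name: "argo-cd"
k8s_argocd_helm__release_namespace: "argo-cd"

# Bootstrap user for the Argo CD Keycloak realm (consumed by argo_realm_users).
# NOTE(review): plaintext default credential whose password equals the
# username; override both from Ansible Vault or a secret store before any
# non-local deployment.
argocd_client_admin_username: 'argocd-admin'
argocd_client_admin_password: 'argocd-admin'

# Keycloak realm / OIDC client settings for Argo CD. The realm name is
# anchored so the display name and client id stay in sync with it.
argo_realm_name: &argoname 'argocd'
argo_realm_display_name: *argoname
# Public hostname of the Argo CD UI/API (the unused &argourl anchor was dropped).
k8s_argocd_helm__domain: "{{ stage }}-kube-argocd.{{ domain }}"
# Keycloak group whose members are mapped to the Argo CD admin role (policy.csv).
argo_realm_group: 'ArgoCDAdmins'
argo_keycloak_clientscope_protocol: 'openid-connect'
# Client scope carrying the group claim that Argo CD maps to RBAC roles.
argo_keycloak_clientscope_name: 'groups'
argo_client_id: *argoname
argo_client_root_url: 'https://{{ k8s_argocd_helm__domain }}'
# Must match the callback path of Argo CD's OIDC login flow.
argo_client_redirect_uris:
  - 'https://{{ k8s_argocd_helm__domain }}/auth/callback'
argo_client_base_url: '/applications'
argo_client_admin_url: 'https://{{ k8s_argocd_helm__domain }}'
argo_client_web_origins:
  - 'https://{{ k8s_argocd_helm__domain }}'
# Users created in the realm; block style instead of the original flow
# mapping (same data, diff-friendlier).
argo_realm_users:
  - username: "{{ argocd_client_admin_username }}"
    password: "{{ argocd_client_admin_password }}"

# https://github.com/grafana/helm-charts
# https://github.com/prometheus-community/helm-charts
k8s_prometheus_helm__release_values:
  prometheus:
    ingress:
      enabled: true
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
        # NOTE(review): with the HTTPS redirect disabled the UI also answers
        # on plain HTTP; the source-range whitelist below is then the only
        # control on that path. Confirm this is intended (same for the
        # alertmanager and grafana ingresses).
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
        # Restricts clients to the inventory's ip_whitelist CIDRs.
        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ip_whitelist | join(',') }}"
      hosts:
        - "{{ stage }}-kube-prometheus.{{ domain }}"
      tls:
        - secretName: "{{ stage }}-kube-prometheus-cert"
          hosts:
            - "{{ stage }}-kube-prometheus.{{ domain }}"
    prometheusSpec:
      # TODO: use a PersistentVolumeClaim; an empty storageSpec requests no
      # persistent storage, so metrics do not survive pod replacement.
      storageSpec: {}
    deploymentStrategy:
      type: Recreate
  alertmanager:
    ingress:
      enabled: true
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ip_whitelist | join(',') }}"
      hosts:
        - "{{ stage }}-kube-alertmanager.{{ domain }}"
      tls:
        - secretName: "{{ stage }}-kube-alertmanager-cert"
          hosts:
            - "{{ stage }}-kube-alertmanager.{{ domain }}"
    deploymentStrategy:
      type: Recreate
  grafana:
    # Credentials come from inventory variables, not from this file.
    adminUser: "{{ grafana_admin_username }}"
    adminPassword: "{{ grafana_admin_password }}"
    ingress:
      enabled: true
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ip_whitelist | join(',') }}"
      hosts:
        - "{{ stage }}-kube-grafana.{{ domain }}"
      tls:
        - secretName: "{{ stage }}-kube-grafana-cert"
          hosts:
            - "{{ stage }}-kube-grafana.{{ domain }}"
    persistence:
      enabled: true
      size: 10Gi
    deploymentStrategy:
      type: Recreate
  kubeControllerManager:
    # Controller-manager exposes metrics on its secure port.
    service:
      port: 10257
      targetPort: 10257
    serviceMonitor:
      https: true
      # NOTE(review): the scrape target's certificate is not verified, which is
      # common for the controller-manager's self-signed cert but means the
      # scrape does not authenticate the endpoint — confirm this is accepted.
      insecureSkipVerify: true

# https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd
k8s_argocd_helm__release_values:
  global:
    # /etc/hosts entries added to the Argo CD pods so the shared services
    # resolve without relying on cluster DNS.
    hostAliases:
      - ip: "{{ shared_service_docker_ip }}"
        hostnames:
          - "{{ shared_service_docker_registry_hostname }}"
      - ip: "{{ shared_service_keycloak_ip }}"
        hostnames:
          - "{{ shared_service_keycloak_hostname }}"
      - ip: "{{ shared_service_gitea_ip }}"
        hostnames:
          - "{{ shared_service_gitea_hostname }}"
  controller:
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
        namespace: "{{ k8s_argocd_helm__release_namespace }}"
        # The release label is what the kube-prometheus-stack Prometheus
        # selects ServiceMonitors by, so it must match the monitoring release.
        additionalLabels:
          release: "{{ k8s_prometheus_helm__name }}"
  repoServer:
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
        namespace: "{{ k8s_argocd_helm__release_namespace }}"
        additionalLabels:
          release: "{{ k8s_prometheus_helm__name }}"
    env:
      # NOTE(review): "0" disables the concurrent-login limit. This variable
      # is read by argocd-server, so under repoServer.env it is presumably
      # ineffective — verify; if lifting the limit is really intended, a
      # bounded value under server.env is the safer choice.
      - name: ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT
        value: "0"
      # Timeout for the repo-server's external commands (git/helm).
      - name: ARGOCD_EXEC_TIMEOUT
        value: "300s"
  server:
    config:
      # Direct OIDC against Keycloak (Dex is disabled below). The issuer now
      # uses argo_realm_name so the realm is defined in one place. clientSecret
      # uses Argo CD's "$<key>" form, which is resolved from the argocd-secret
      # Secret at runtime, so the secret value never appears in these values.
      oidc.config: |
        name: Keycloak
        issuer: '{{ keycloak_server_url }}/auth/realms/{{ argo_realm_name }}'
        clientID: '{{ argo_client_id }}'
        clientSecret: $oidc.keycloak.clientSecret
        requestedScopes: ["openid", "profile", "email", "{{ argo_keycloak_clientscope_name }}"]
      # External URL Argo CD uses to build its OIDC redirect; must agree with
      # argo_client_redirect_uris above.
      url: 'https://{{ k8s_argocd_helm__domain }}'
    rbacConfig:
      # Any authenticated user who matches no g-rule gets read-only access.
      policy.default: role:readonly
      # Keycloak delivers groups as paths ("/<group>"), hence the leading
      # slash; "admin" is Argo CD's built-in local account.
      policy.csv: |
        g, /{{ argo_realm_group }}, role:admin
        g, admin, role:admin
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
        namespace: "{{ k8s_argocd_helm__release_namespace }}"
        additionalLabels:
          release: "{{ k8s_prometheus_helm__name }}"
    service:
      sessionAffinity: ClientIP
    ingress:
      enabled: true
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        cert-manager.io/issue-temporary-certificate: "true"
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ip_whitelist | join(',') }}"
        nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
        # TLS is passed through to argocd-server instead of being terminated
        # at the ingress controller.
        # NOTE(review): with passthrough the controller never serves the
        # certificate from the tls section below; clients see whatever
        # certificate argocd-server itself presents. Confirm argocd-server is
        # configured with the cert-manager issued certificate, otherwise the
        # certificate below is requested but unused.
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      hosts:
        - "{{ k8s_argocd_helm__domain }}"
      tls:
        - secretName: "{{ stage }}-kube-argocd-cert"
          hosts:
            - "{{ k8s_argocd_helm__domain }}"
  # Dex is not needed; Argo CD talks to Keycloak directly via oidc.config.
  dex:
    enabled: false
  redis:
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
        namespace: "{{ k8s_argocd_helm__release_namespace }}"
        additionalLabels:
          release: "{{ k8s_prometheus_helm__name }}"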