You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
313 lines
9.9 KiB
YAML
313 lines
9.9 KiB
YAML
---
|
|
|
|
k8s_prometheus_helm__name: "prometheus"
|
|
k8s_prometheus_helm__release_namespace: "monitoring"
|
|
|
|
k8s_argocd_helm__name: "argo-cd"
|
|
k8s_argocd_helm__release_namespace: "argo-cd"
|
|
|
|
argo_realm_name: &argoname 'argocd'
|
|
argo_realm_display_name: *argoname
|
|
|
|
k8s_argocd_helm__domain: &argourl "{{ stage }}-kube-argocd.{{ domain }}"
|
|
argo_realm_group: argoadmins # shouldn't be 'admin' due to default adminuser called 'admin' in argo
|
|
argo_keycloak_clientscope_protocol: openid-connect
|
|
argo_keycloak_clientscope_name: groups
|
|
argo_client_id: *argoname
|
|
|
|
argo_client_root_url: 'https://{{ k8s_argocd_helm__domain }}'
|
|
argo_client_redirect_uris:
|
|
- 'https://{{ k8s_argocd_helm__domain }}/auth/callback'
|
|
argo_client_base_url: '/applications'
|
|
argo_client_admin_url: 'https://{{ k8s_argocd_helm__domain }}'
|
|
argo_client_web_origins:
|
|
- 'https://{{ k8s_argocd_helm__domain }}'
|
|
|
|
argo_realm_users: [
|
|
{
|
|
"username": "{{ argocd_admin_username }}",
|
|
"password": "{{ argocd_admin_password }}",
|
|
}
|
|
]
|
|
|
|
# https://github.com/grafana/helm-charts
|
|
# https://github.com/prometheus-community/helm-charts
|
|
k8s_prometheus_helm__release_values:
|
|
prometheus:
|
|
ingress:
|
|
enabled: true
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
cert-manager.io/issue-temporary-certificate: "true"
|
|
kubernetes.io/ingress.class: nginx
|
|
nginx.ingress.kubernetes.io/ssl-redirect: "false"
|
|
nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
|
|
hosts:
|
|
- "{{ stage }}-kube-prometheus.{{ domain }}"
|
|
tls:
|
|
- secretName: "{{ stage }}-kube-prometheus-cert"
|
|
hosts:
|
|
- "{{ stage }}-kube-prometheus.{{ domain }}"
|
|
prometheusSpec:
|
|
# TODO Using PersistentVolumeClaim
|
|
storageSpec: {}
|
|
deploymentStrategy:
|
|
type: Recreate
|
|
alertmanager:
|
|
ingress:
|
|
enabled: true
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
cert-manager.io/issue-temporary-certificate: "true"
|
|
kubernetes.io/ingress.class: nginx
|
|
nginx.ingress.kubernetes.io/ssl-redirect: "false"
|
|
nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
|
|
hosts:
|
|
- "{{ stage }}-kube-alertmanager.{{ domain }}"
|
|
tls:
|
|
- secretName: "{{ stage }}-kube-alertmanager-cert"
|
|
hosts:
|
|
- "{{ stage }}-kube-alertmanager.{{ domain }}"
|
|
deploymentStrategy:
|
|
type: Recreate
|
|
grafana:
|
|
adminUser: "{{ grafana_admin_username }}"
|
|
adminPassword: "{{ grafana_admin_password }}"
|
|
ingress:
|
|
enabled: true
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
cert-manager.io/issue-temporary-certificate: "true"
|
|
kubernetes.io/ingress.class: nginx
|
|
nginx.ingress.kubernetes.io/ssl-redirect: "false"
|
|
nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
|
|
hosts:
|
|
- "{{ stage }}-kube-grafana.{{ domain }}"
|
|
tls:
|
|
- secretName: "{{ stage }}-kube-grafana-cert"
|
|
hosts:
|
|
- "{{ stage }}-kube-grafana.{{ domain }}"
|
|
persistence:
|
|
enabled: true
|
|
size: 10Gi
|
|
deploymentStrategy:
|
|
type: Recreate
|
|
kubeControllerManager:
|
|
service:
|
|
port: 10257
|
|
targetPort: 10257
|
|
serviceMonitor:
|
|
https: true
|
|
insecureSkipVerify: true
|
|
|
|
# https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd
|
|
k8s_argocd_helm__release_values:
|
|
global:
|
|
hostAliases:
|
|
- ip: "{{ shared_service_harbor_ip }}"
|
|
hostnames:
|
|
- "{{ shared_service_harbor_hostname }}"
|
|
- ip: "{{ shared_service_keycloak_ip }}"
|
|
hostnames:
|
|
- "{{ shared_service_keycloak_hostname }}"
|
|
- ip: "{{ shared_service_gitea_ip }}"
|
|
hostnames:
|
|
- "{{ shared_service_gitea_hostname }}"
|
|
controller:
|
|
metrics:
|
|
enabled: true
|
|
serviceMonitor:
|
|
enabled: true
|
|
namespace: "{{ k8s_argocd_helm__release_namespace }}"
|
|
additionalLabels:
|
|
release: "{{ k8s_prometheus_helm__name }}"
|
|
repoServer:
|
|
metrics:
|
|
enabled: true
|
|
serviceMonitor:
|
|
enabled: true
|
|
namespace: "{{ k8s_argocd_helm__release_namespace }}"
|
|
additionalLabels:
|
|
release: "{{ k8s_prometheus_helm__name }}"
|
|
env:
|
|
- name: ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT
|
|
value: "0"
|
|
- name: ARGOCD_EXEC_TIMEOUT
|
|
value: "300s"
|
|
- name: XDG_CONFIG_HOME
|
|
value: /.config
|
|
- name: GNUPGHOME
|
|
value: /home/argocd/.gnupg
|
|
volumes:
|
|
- name: custom-tools
|
|
emptyDir: {}
|
|
- name: gnupg-home
|
|
emptyDir: {}
|
|
- name: sops-gpg
|
|
secret:
|
|
secretName: sops-gpg
|
|
volumeMounts:
|
|
- mountPath: /home/argocd/.gnupg
|
|
name: gnupg-home
|
|
subPath: .gnupg
|
|
- mountPath: /usr/local/bin/kustomize
|
|
name: custom-tools
|
|
subPath: kustomize
|
|
# Verify this matches a XDG_CONFIG_HOME=/.config env variable
|
|
- mountPath: /.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops
|
|
name: custom-tools
|
|
subPath: ksops
|
|
initContainers:
|
|
- name: 1-install-ksops
|
|
image: viaductoss/ksops:v3.0.1
|
|
command: ["/bin/sh", "-c"]
|
|
args:
|
|
- echo "Installing KSOPS...";
|
|
mv ksops /custom-tools/;
|
|
mv $GOPATH/bin/kustomize /custom-tools/;
|
|
echo "Done.";
|
|
volumeMounts:
|
|
- mountPath: /custom-tools
|
|
name: custom-tools
|
|
- name: 2-import-gpg-key
|
|
image: argoproj/argocd:v2.2.5
|
|
command: ["gpg", "--import","/sops-gpg/gpg_key_smardigo_automation__private"]
|
|
env:
|
|
- name: GNUPGHOME
|
|
value: /gnupg-home/.gnupg
|
|
volumeMounts:
|
|
- mountPath: /sops-gpg
|
|
name: sops-gpg
|
|
- mountPath: /gnupg-home
|
|
name: gnupg-home
|
|
server:
|
|
config:
|
|
oidc.config: |
|
|
name: Keycloak
|
|
issuer: '{{ keycloak_server_url }}/auth/realms/argocd'
|
|
clientID: '{{ argo_client_id }}'
|
|
clientSecret: $oidc.keycloak.clientSecret
|
|
requestedScopes: ["openid", "profile", "email", "{{ argo_keycloak_clientscope_name }}"]
|
|
url: 'https://{{ k8s_argocd_helm__domain }}'
|
|
kustomize.buildOptions: "--enable-alpha-plugins"
|
|
rbacConfig:
|
|
policy.default: role:readonly
|
|
policy.csv: |
|
|
g, {{ argo_realm_group }}, role:admin
|
|
g, admin, role:admin
|
|
metrics:
|
|
enabled: true
|
|
serviceMonitor:
|
|
enabled: true
|
|
namespace: "{{ k8s_argocd_helm__release_namespace }}"
|
|
additionalLabels:
|
|
release: "{{ k8s_prometheus_helm__name }}"
|
|
service:
|
|
sessionAffinity: ClientIP
|
|
ingress:
|
|
enabled: true
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
cert-manager.io/issue-temporary-certificate: "true"
|
|
kubernetes.io/ingress.class: nginx
|
|
nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
|
|
nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
|
|
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
|
|
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
|
hosts:
|
|
- "{{ k8s_argocd_helm__domain }}"
|
|
tls:
|
|
- secretName: "{{ stage }}-kube-argocd-cert"
|
|
hosts:
|
|
- "{{ k8s_argocd_helm__domain }}"
|
|
additionalProjects:
|
|
- name: infrastructure
|
|
namespace: '{{ k8s_argocd_helm__release_namespace }}'
|
|
additionalLabels: {}
|
|
additionalAnnotations: {}
|
|
description: apps needed for maintaining stuff
|
|
sourceRepos:
|
|
- '*'
|
|
destinations:
|
|
- namespace: '*'
|
|
server: https://kubernetes.default.svc
|
|
clusterResourceWhitelist:
|
|
- group: '*'
|
|
kind: '*'
|
|
orphanedResources:
|
|
warn: false
|
|
additionalApplications:
|
|
-
|
|
name: awx
|
|
namespace: '{{ k8s_argocd_helm__release_namespace }}'
|
|
destination:
|
|
namespace: awx
|
|
server: https://kubernetes.default.svc
|
|
project: infrastructure
|
|
source:
|
|
path: apps/awx
|
|
repoURL: https://{{ shared_service_gitea_hostname }}/gitea-admin/argocd.git
|
|
targetRevision: HEAD
|
|
syncPolicy:
|
|
automated:
|
|
prune: true
|
|
selfHeal: true
|
|
syncOptions:
|
|
- CreateNamespace=true
|
|
-
|
|
name: guestbook
|
|
namespace: '{{ k8s_argocd_helm__release_namespace }}'
|
|
destination:
|
|
namespace: guestbook
|
|
server: https://kubernetes.default.svc
|
|
project: infrastructure
|
|
source:
|
|
path: apps/guestbook
|
|
repoURL: https://{{ shared_service_gitea_hostname }}/gitea-admin/argocd.git
|
|
targetRevision: HEAD
|
|
syncPolicy:
|
|
automated:
|
|
prune: true
|
|
selfHeal: true
|
|
syncOptions:
|
|
- CreateNamespace=true
|
|
dex:
|
|
enabled: false
|
|
redis:
|
|
metrics:
|
|
enabled: true
|
|
serviceMonitor:
|
|
enabled: true
|
|
namespace: "{{ k8s_argocd_helm__release_namespace }}"
|
|
additionalLabels:
|
|
release: "{{ k8s_prometheus_helm__name }}"
|
|
configs:
|
|
secret:
|
|
argocdServerAdminPassword: '{{ argocd_server_admin_password | password_hash("bcrypt") }}'
|
|
|
|
k8s_argocd__crd_applicationset_version: v0.4.0
|
|
|
|
awx_admin_username: admin
|
|
awx_ansible_username: ansible
|
|
awx_ansible_password: ansible
|
|
|
|
# TODO
|
|
# reason: IT DOES NOT SCALE!!!!
|
|
# plz move it so separate DIR and do a lookup for all file in $DIR
|
|
# not doing it right now due avoiding breaking change within <migrating awx to k8s>
|
|
awx_job_templates:
|
|
- name: "create-database"
|
|
- name: "create-database-backup"
|
|
- name: "create-kibana-objects"
|
|
- name: "create-realm"
|
|
- name: "create-server"
|
|
- name: "create-service"
|
|
- name: "import-database"
|
|
- name: "remove-database"
|
|
- name: "remove-realm"
|
|
- name: "remove-server"
|
|
- name: "remove-service"
|
|
- name: "restore-database-backup"
|
|
- name: "update-monitoring"
|
|
- name: "update-service-state"
|