diff --git a/templates/controlplane-template/.helmignore b/templates/controlplane-template/.helmignore
new file mode 100644
index 0000000..fe06809
--- /dev/null
+++ b/templates/controlplane-template/.helmignore
@@ -0,0 +1,20 @@
+# Patterns to ignore when building packages.
+.DS_Store
+.git/
+.gitignore
+.helmignore
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+.project
+.idea/
+*.tmproj
+.vscode/
+
+# Ignore .gitkeep files in templates
+.gitkeep
+*/.gitkeep
+*/*/.gitkeep
+*/*/*/.gitkeep
diff --git a/templates/controlplane-template/Chart.yaml b/templates/controlplane-template/Chart.yaml
new file mode 100644
index 0000000..53adf34
--- /dev/null
+++ b/templates/controlplane-template/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: controlplane-template
+description: Management cluster template for Konstruct GitOps - deploys ArgoCD applications and components
+type: application
+version: 0.1.0
+appVersion: "1.0.0"
diff --git a/templates/controlplane-template/templates/actions-runner-controller.yaml b/templates/controlplane-template/templates/actions-runner-controller.yaml
new file mode 100644
index 0000000..c130a63
--- /dev/null
+++ b/templates/controlplane-template/templates/actions-runner-controller.yaml
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: actions-runner-controller-components
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '50'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/actions-runner-controller
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: github-runner
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ - Replace=true
+ - PruneLast=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
diff --git a/templates/controlplane-template/templates/appprojects.yaml b/templates/controlplane-template/templates/appprojects.yaml
new file mode 100644
index 0000000..4dbba88
--- /dev/null
+++ b/templates/controlplane-template/templates/appprojects.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argocd-projects
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/argocd-appprojects
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/argocd.yaml b/templates/controlplane-template/templates/argocd.yaml
new file mode 100644
index 0000000..5bd3355
--- /dev/null
+++ b/templates/controlplane-template/templates/argocd.yaml
@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argocd-kustomized-app
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '100'
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: argocd
+ name: {{ .Values.clusterDestination }}
+ project: {{ .Values.project }}
+ source:
+ path: registry/clusters/{{ .Values.clusterName }}/components/argocd
+ repoURL: '{{ .Values.gitopsRepoUrl }}'
+ targetRevision: HEAD
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/templates/controlplane-template/templates/cert-issuers.yaml b/templates/controlplane-template/templates/cert-issuers.yaml
new file mode 100644
index 0000000..ee6e30e
--- /dev/null
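Review bot: `argocd-projects` syncs `components/argocd-appprojects` with `prune: true` and no `allowEmpty: true`, yet this commit creates that directory with only a `.gitkeep`; ArgoCD refuses an automated sync that would leave zero resources, so the wave-0 app will sit OutOfSync while nothing has defined the AppProject that `{{ .Values.project }}` names. That AppProject is the only thing constraining which repos, destinations and cluster-scoped kinds every other Application in this template may deploy, so its absence matters more than the sync error. If the project manifest is generated elsewhere, say so in a comment and add `allowEmpty: true` as `clusters.yaml` does; otherwise add an AppProject here with explicit `sourceRepos`, `destinations` and a `clusterResourceWhitelist` limited to what the components below need.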
+++ b/templates/controlplane-template/templates/cert-issuers.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-issuers
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/cert-issuers
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/cert-manager.yaml b/templates/controlplane-template/templates/cert-manager.yaml
new file mode 100644
index 0000000..33a6e06
--- /dev/null
+++ b/templates/controlplane-template/templates/cert-manager.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager-components
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/cert-manager
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/cloudflare-origin-ca-issuer.yaml b/templates/controlplane-template/templates/cloudflare-origin-ca-issuer.yaml
new file mode 100644
index 0000000..1a2a692
--- /dev/null
+++ b/templates/controlplane-template/templates/cloudflare-origin-ca-issuer.yaml
@@ -0,0 +1,34 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cloudflare-cloudflare-origin-ca-issuer
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '19'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: ghcr.io/cloudflare/origin-ca-issuer-charts
+ chart: origin-ca-issuer
+ targetRevision: 0.5.2
+ helm:
+ values: |-
+ global:
+ rbac:
+ create: true
+ controller:
+ image:
+ repository: cloudflare/origin-ca-issuer
+ tag: v0.6.1
+ pullPolicy: Always
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/cloudflare-origin-issuer-crd.yaml b/templates/controlplane-template/templates/cloudflare-origin-issuer-crd.yaml
new file mode 100644
index 0000000..a4bcd58
--- /dev/null
+++ b/templates/controlplane-template/templates/cloudflare-origin-issuer-crd.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cloudflare-origin-issuer-crd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '19'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: https://github.com/cloudflare/origin-ca-issuer
+ path: deploy/crds
+ targetRevision: v0.6.1
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/clusterrolebinding.yaml b/templates/controlplane-template/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..35bf79f
--- /dev/null
+++ b/templates/controlplane-template/templates/clusterrolebinding.yaml
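Review bot: The origin-ca-issuer Application overrides the chart's controller image with a floating `tag: v0.6.1` and `pullPolicy: Always`, so the process that holds the Cloudflare Origin CA service key can change under you on every pod restart without a Git change; pin it by digest (`tag: v0.6.1@sha256:…`, if the chart's image template accepts it, otherwise `repository: cloudflare/origin-ca-issuer@sha256:…`) or drop the override and take the chart's own pinned appVersion. The chart is pinned at 0.5.2 while the CRD Application next to it pulls `deploy/crds` at `v0.6.1`; confirm that chart 0.5.2 actually ships controller v0.6.1, otherwise CRDs and controller are on different releases. A one-line comment recording the intended pairing, e.g. `# chart 0.5.2 == controller v0.6.1; keep in step with cloudflare-origin-issuer-crd.yaml`, would keep future bumps consistent.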
@@ -0,0 +1,119 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: argocd-clusterrole
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+subjects:
+ - kind: ServiceAccount
+ name: argocd
+ namespace: argocd
+roleRef:
+ kind: ClusterRole
+ name: admin
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: argo-clusterrole
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+subjects:
+ - kind: ServiceAccount
+ name: argo-server
+ namespace: argo
+roleRef:
+ kind: ClusterRole
+ name: admin
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: github-runner-clusterrole
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+subjects:
+ - kind: ServiceAccount
+ name: github-runner
+ namespace: github-runner
+roleRef:
+ kind: ClusterRole
+ name: admin
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: argo-admin-admin-clusterrole
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+subjects:
+ - kind: ServiceAccount
+ name: argo-admin
+ namespace: argo
+roleRef:
+ kind: ClusterRole
+ name: admin
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: argo-admin-clusterrole
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+subjects:
+ - kind: ServiceAccount
+ name: argo-admin
+ namespace: argo
+roleRef:
+ kind: ClusterRole
+ name: argo-admin
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: argo-developer-clusterrole
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+subjects:
+ - kind: ServiceAccount
+ name: argo-developer
+ namespace: argo
+roleRef:
+ kind: ClusterRole
+ name: argo-view
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: argocd-admin-crb
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: admin
+subjects:
+ - kind: ServiceAccount
+ name: argocd-server
+ namespace: argocd
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: argocd-crossplane-admin-crb
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: crossplane-admin
+subjects:
+ - kind: ServiceAccount
+ name: argocd-server
+ namespace: argocd
diff --git a/templates/controlplane-template/templates/clusters.yaml b/templates/controlplane-template/templates/clusters.yaml
new file mode 100644
index 0000000..d5c3847
--- /dev/null
+++ b/templates/controlplane-template/templates/clusters.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: clusters
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '1000'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/clusters
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/components/actions-runner-controller/application.yaml b/templates/controlplane-template/templates/components/actions-runner-controller/application.yaml
new file mode 100644
index 0000000..d16dbb5
--- /dev/null
+++ b/templates/controlplane-template/templates/components/actions-runner-controller/application.yaml
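Review bot: Binding the built-in `admin` ClusterRole through a ClusterRoleBinding is not namespace admin, it is read/write on Secrets, workloads, Roles and RoleBindings in every namespace of the management cluster, and this file hands that to five service accounts, the worst of which is `github-runner` — the account the RunnerDeployment later in this change mounts into pods that execute arbitrary workflow code from the GitHub org. Remove `github-runner-clusterrole` entirely (or replace it with a namespaced `RoleBinding` in the one namespace CI must touch), and cut `argocd-server` back to what the API server needs since the application-controller, not the server, applies manifests; `argocd-admin-crb` plus the `crossplane-admin` binding on the same SA compounds this. `argo-admin` is bound twice (`argo-admin-admin-clusterrole` → `admin` and `argo-admin-clusterrole` → `argo-admin`); the first is redundant if `argo-admin` is the intended role, and neither `argo-admin`, `argo-view` nor `crossplane-admin` is defined in this change, so these bindings silently grant nothing until those ClusterRoles exist — confirm where they come from. A header comment naming which component each subject belongs to and why it needs cluster scope would make the next reviewer's job possible.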
@@ -0,0 +1,41 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: actions-runner-contoller
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: https://actions-runner-controller.github.io/actions-runner-controller
+ targetRevision: 0.20.2
+ helm:
+ values: |-
+ image:
+ dindSidecarRepositoryAndTag: "docker:dind-rootless"
+ podSecurityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ chart: actions-runner-controller
+ destination:
+ name: in-cluster
+ namespace: github-runner
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ - Replace=true
+ - PruneLast=true
diff --git a/templates/controlplane-template/templates/components/actions-runner-controller/externalsecret.yaml b/templates/controlplane-template/templates/components/actions-runner-controller/externalsecret.yaml
new file mode 100644
index 0000000..8d2657e
--- /dev/null
+++ b/templates/controlplane-template/templates/components/actions-runner-controller/externalsecret.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+ name: controller-manager
+ namespace: github-runner
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+spec:
+ target:
+ name: controller-manager
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ data:
+ - remoteRef:
+ key: ci-secrets
+ property: PERSONAL_ACCESS_TOKEN
+ secretKey: github_token
diff --git a/templates/controlplane-template/templates/components/argocd-appprojects/.gitkeep b/templates/controlplane-template/templates/components/argocd-appprojects/.gitkeep
new file mode 100644
index 0000000..e69de29
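Review bot: The `controller-manager` ExternalSecret is declared as `external-secrets.io/v1alpha1` while every other ExternalSecret in this change uses `v1beta1`; with the ESO chart pinned at 0.19.2 elsewhere in this change that alpha version is, as far as I can tell, no longer served, in which case the secret is never created and ARC starts without a GitHub token — change it to `apiVersion: external-secrets.io/v1beta1`. The token it maps is a user `PERSONAL_ACCESS_TOKEN` stored under `github_token`; a PAT carries that user's full org permissions and never rotates on its own, so a GitHub App (`github_app_id` / `github_app_installation_id` / `github_app_private_key` keys, which ARC supports) is the safer credential if the org allows it. Also note the Application name is misspelled `actions-runner-contoller`, which will stick in every `kubectl`/UI reference once deployed.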
diff --git a/templates/controlplane-template/templates/components/argocd/argocd-cm.yaml b/templates/controlplane-template/templates/components/argocd/argocd-cm.yaml
new file mode 100644
index 0000000..fdc9ddb
--- /dev/null
+++ b/templates/controlplane-template/templates/components/argocd/argocd-cm.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cm
+data:
+ url: 'https://argocd.{{ .Values.domainName }}'
+ oidc.config: |
+ name: Vault
+ issuer: https://vault.{{ .Values.domainName }}/v1/identity/oidc/provider/kubefirst
+ clientID: $argocd-oidc-secret:clientId
+ clientSecret: $argocd-oidc-secret:clientSecret
+ requestedScopes: ["openid", "groups", "user", "profile", "email"]
+ requestedIDTokenClaims: {"groups": {"essential": true}}
diff --git a/templates/controlplane-template/templates/components/argocd/argocd-cmd-params-cm.yaml b/templates/controlplane-template/templates/components/argocd/argocd-cmd-params-cm.yaml
new file mode 100644
index 0000000..c3b99b9
--- /dev/null
+++ b/templates/controlplane-template/templates/components/argocd/argocd-cmd-params-cm.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cmd-params-cm
+ labels:
+ app.kubernetes.io/name: argocd-cmd-params-cm
+ app.kubernetes.io/part-of: argocd
+data:
+ # ssl terminated at ingress-nginx and forwarded
+ # to allow for cloudflare origin issuer certificates
+ server.insecure: 'true'
diff --git a/templates/controlplane-template/templates/components/argocd/argocd-ui-ingress.yaml b/templates/controlplane-template/templates/components/argocd/argocd-ui-ingress.yaml
new file mode 100644
index 0000000..d3c740c
--- /dev/null
+++ b/templates/controlplane-template/templates/components/argocd/argocd-ui-ingress.yaml
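Review bot: `server.insecure: 'true'` makes argocd-server speak plaintext HTTP and gRPC to anything that can reach its Service, not only to ingress-nginx, and nothing in this change narrows who that is; the existing comment explains the motivation but not the consequence. Extend it and pair the setting with a NetworkPolicy on the argocd-server pods that admits ingress only from the ingress-nginx namespace, e.g. `# plaintext in-cluster: argocd-server must be fenced by a NetworkPolicy allowing only ingress-nginx`. In argocd-cm the OIDC issuer is `https://vault.<domain>/...` with no `rootCA`; if vault is fronted by the Cloudflare Origin CA issuer configured in this same template, that certificate is only trusted by Cloudflare's edge, so argocd-server's discovery call will fail unless it reaches Vault through Cloudflare — worth a comment stating which path is expected.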
@@ -0,0 +1,74 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: argocd-server-http-ingress
+ namespace: argocd
+ annotations:
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+ {{- if .Values.certManager.issuerAnnotation1 }}
+ {{ .Values.certManager.issuerAnnotation1 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation2 }}
+ {{ .Values.certManager.issuerAnnotation2 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation3 }}
+ {{ .Values.certManager.issuerAnnotation3 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation4 }}
+ {{ .Values.certManager.issuerAnnotation4 }}
+ {{- end }}
+spec:
+ ingressClassName: nginx
+ rules:
+ - http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: argocd-server
+ port:
+ name: http
+ host: argocd.{{ .Values.domainName }}
+ tls:
+ - hosts:
+ - argocd.{{ .Values.domainName }}
+ secretName: argocd-ingress-http
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: argocd-server-grpc-ingress
+ namespace: argocd
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+ {{- if .Values.certManager.issuerAnnotation1 }}
+ {{ .Values.certManager.issuerAnnotation1 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation2 }}
+ {{ .Values.certManager.issuerAnnotation2 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation3 }}
+ {{ .Values.certManager.issuerAnnotation3 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation4 }}
+ {{ .Values.certManager.issuerAnnotation4 }}
+ {{- end }}
+spec:
+ ingressClassName: nginx
+ rules:
+ - http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: argocd-server
+ port:
+ name: https
+ host: grpc.argocd.{{ .Values.domainName }}
+ tls:
+ - hosts:
+ - grpc-argocd.{{ .Values.domainName }}
+ secretName: argocd-ingress-grpc
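Review bot: The gRPC Ingress serves rule host `grpc.argocd.{{ .Values.domainName }}` but its `tls.hosts` entry is `grpc-argocd.{{ .Values.domainName }}`, so cert-manager issues a certificate for a name the rule never answers on and ingress-nginx presents its default, untrusted certificate on the real host; `argocd` CLI logins over gRPC will then fail verification or be run with `--insecure`, which defeats the TLS. Make the two agree, e.g. `- grpc.argocd.{{ .Values.domainName }}` in `tls.hosts`. Separately, the four `issuerAnnotationN` values are spliced in as raw text, so whoever sets them controls arbitrary ingress-nginx annotations (including `auth-url`, `configuration-snippet`); if that is intended as a deployer knob a comment should say the values are trusted input, otherwise a single `certManager.issuer` value rendered into a fixed `cert-manager.io/cluster-issuer:` key would be tighter.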
diff --git a/templates/controlplane-template/templates/components/argocd/cloudflareissuer.yaml b/templates/controlplane-template/templates/components/argocd/cloudflareissuer.yaml
new file mode 100644
index 0000000..9fb35ae
--- /dev/null
+++ b/templates/controlplane-template/templates/components/argocd/cloudflareissuer.yaml
@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: cloudflare-creds
+ namespace: argocd
+spec:
+ target:
+ name: cloudflare-creds
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ key: cloudflare
+ property: origin-ca-api-key
+ secretKey: origin-ca-api-key
+---
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: OriginIssuer
+metadata:
+ name: cloudflare-origin-issuer
+ namespace: argocd
+spec:
+ requestType: OriginECC
+ auth:
+ serviceKeyRef:
+ key: origin-ca-api-key
+ name: cloudflare-creds
diff --git a/templates/controlplane-template/templates/components/argocd/kustomization.yaml b/templates/controlplane-template/templates/components/argocd/kustomization.yaml
new file mode 100644
index 0000000..87d6cac
--- /dev/null
+++ b/templates/controlplane-template/templates/components/argocd/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argocd
+
+# To upgrade ArgoCD, increment the version here
+# https://github.com/argoproj/argo-cd/tags
+resources:
+ - github.com:konstructio/manifests.git/argocd/cloud?ref=jokestax-patch-2
+ - argocd-ui-ingress.yaml
+
+patchesStrategicMerge:
+ - argocd-cm.yaml
+ - argocd-cmd-params-cm.yaml
+
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/templates/controlplane-template/templates/components/cert-issuers/clusterissuers.yaml b/templates/controlplane-template/templates/components/cert-issuers/clusterissuers.yaml
new file mode 100644
index 0000000..40ea1e9
--- /dev/null
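Review bot: The Kustomization pulls the entire ArgoCD installation from `github.com:konstructio/manifests.git/argocd/cloud?ref=jokestax-patch-2`, a personal patch branch; that is a mutable ref, so anyone who can push to that branch changes the GitOps controller itself on the next `selfHeal` sync, and the comment directly above says this line is where the ArgoCD version is pinned. Pin `ref=` to a release tag or a full commit SHA before this template ships, and keep the comment's promise. `patchesStrategicMerge` is deprecated in kustomize v5 in favour of `patches:`; ArgoCD's bundled kustomize warns today and may reject it later. The `cloudflare-creds` ExternalSecret re-reads the Origin CA key every 10s (`refreshInterval: 10s`), which is a lot of Vault traffic for a credential that changes rarely; something like `1h` is typical unless rotation is expected to be that fast.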
+++ b/templates/controlplane-template/templates/components/cert-issuers/clusterissuers.yaml
@@ -0,0 +1,29 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email: {{ .Values.alertsEmail }}
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: {{ .Values.alertsEmail }}
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
diff --git a/templates/controlplane-template/templates/components/cert-manager/application.yaml b/templates/controlplane-template/templates/components/cert-manager/application.yaml
new file mode 100644
index 0000000..6387457
--- /dev/null
+++ b/templates/controlplane-template/templates/components/cert-manager/application.yaml
@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: https://charts.jetstack.io
+ targetRevision: v1.14.4
+ helm:
+ values: |-
+ serviceAccount:
+ create: true
+ name: cert-manager
+ installCRDs: true
+ chart: cert-manager
+ destination:
+ name: in-cluster
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/components/clusters/.gitkeep b/templates/controlplane-template/templates/components/clusters/.gitkeep
new file mode 100644
index 0000000..e69de29
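Review bot: The cert-manager Application uses `project: default` and `destination.name: in-cluster` where the sibling Applications in this template use `{{ .Values.project }}` and `{{ .Values.clusterDestination }}`; the built-in `default` AppProject permits any source repo, any destination and every cluster-scoped kind, so the CRD install (`installCRDs: true`) escapes whatever the templated project is meant to constrain. The same pattern appears in the actions-runner-controller and external-secrets Applications. If these bootstrap apps are deliberately always in-cluster, a one-line comment (`# bootstrap component: intentionally project=default / in-cluster`) should say so; otherwise switch them to the templated values and whitelist the CRD kinds in the project.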
diff --git a/templates/controlplane-template/templates/components/crossplane/crossplane-system.yaml b/templates/controlplane-template/templates/components/crossplane/crossplane-system.yaml
new file mode 100644
index 0000000..8606bc7
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/crossplane-system.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: crossplane-system
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/crossplane/crossplane-system
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: crossplane-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - Replace=true
diff --git a/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-secrets.yaml b/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-secrets.yaml
new file mode 100644
index 0000000..72e3d80
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-secrets.yaml
@@ -0,0 +1,51 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+ name: crossplane-secrets
+ namespace: crossplane-system
+spec:
+ dataFrom:
+ - extract:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /crossplane
+ refreshInterval: 10s
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: crossplane-secrets
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: git-credentials
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ target:
+ name: git-credentials
+ template:
+ engineVersion: v2
+ data:
+ creds: |
+ https://{{ .username }}:{{ .password }}@github.com
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ key: crossplane
+ property: username
+ conversionStrategy: Default
+ secretKey: username
+ - remoteRef:
+ key: crossplane
+ property: password
+ conversionStrategy: Default
+ secretKey: password
\ No newline at end of file
diff --git a/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-system.yaml b/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-system.yaml
new file mode 100644
index 0000000..56acbf5
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-system.yaml
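Review bot: `creds: https://{{ .username }}:{{ .password }}@github.com` is meant for ESO's template engine, but this file lives under the chart's `templates/` tree, so Helm will consume those two expressions first — `.username`/`.password` do not exist on Helm's root context, so the rendered secret becomes `https://:@github.com` (or a render error, depending on strictness) and the git credential never works. Escape them so Helm passes them through, e.g. `https://{{ "{{ .username }}" }}:{{ "{{ .password }}" }}@github.com`, and confirm against `helm template` output. Note also that `dataFrom.extract` on `/crossplane` copies every key of that Vault path into the Secret and the provider later injects all of it as environment variables, so the Vault path should hold only what provider-terraform needs; and the file is missing its trailing newline.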
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: crossplane
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: {{ .Values.project }}
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: crossplane-system
+ source:
+ repoURL: https://charts.crossplane.io/stable
+ chart: crossplane
+ targetRevision: 1.17.0
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/components/crossplane/provider.yaml b/templates/controlplane-template/templates/components/crossplane/provider.yaml
new file mode 100644
index 0000000..ed56724
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/provider.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: crossplane-provider
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/crossplane/provider
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: crossplane-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - Replace=true
diff --git a/templates/controlplane-template/templates/components/crossplane/provider/controllerconfig.yaml b/templates/controlplane-template/templates/components/crossplane/provider/controllerconfig.yaml
new file mode 100644
index 0000000..11a60c7
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/provider/controllerconfig.yaml
@@ -0,0 +1,58 @@
+apiVersion: pkg.crossplane.io/v1beta1
+kind: DeploymentRuntimeConfig
+metadata:
+ name: terraform-config
+ labels:
+ app: crossplane-provider-terraform
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ deploymentTemplate:
+ spec:
+ selector:
+ matchLabels:
+ pkg.crossplane.io/provider: terraform
+ template:
+ metadata:
+ labels:
+ pkg.crossplane.io/provider: terraform
+ spec:
+ securityContext:
+ fsGroup: 65532
+ containers:
+ - name: package-runtime
+ image: ghcr.io/konstructio/provider-terraform:v0.0.1
+ args:
+ - -d
+ - --poll=4m
+ - --max-reconcile-rate=10
+ envFrom:
+ - secretRef:
+ name: crossplane-secrets
+ volumeMounts:
+ - mountPath: /.cache
+ name: helmcache
+ - mountPath: /logs
+ name: shared-logs
+ - name: log-streamer
+ imagePullPolicy: Always
+ image: ghcr.io/konstructio/logs-streamer:v0.0.8
+ ports:
+ - containerPort: 9090
+ name: http
+ protocol: TCP
+ env:
+ - name: PORT
+ value: "9090"
+ - name: LOG_DIR
+ value: "/logs"
+ volumeMounts:
+ - mountPath: /logs
+ name: shared-logs
+ readOnly: true
+ volumes:
+ - name: helmcache
+ emptyDir:
+ sizeLimit: 500Mi
+ - name: shared-logs
+ emptyDir: {}
diff --git a/templates/controlplane-template/templates/components/crossplane/provider/crossplane-secrets.yaml b/templates/controlplane-template/templates/components/crossplane/provider/crossplane-secrets.yaml
new file mode 100644
index 0000000..69127cc
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/provider/crossplane-secrets.yaml
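Review bot: The provider container runs with `-d` (debug) while every key of the `crossplane-secrets` Secret is injected through `envFrom` and its `/logs` directory is shared with a `log-streamer` sidecar that, per the Service/Ingress added later in this change, is published on an internet-facing hostname; debug-level Terraform output is exactly where provider credentials, backend config and `sensitive` values tend to leak, so this combination needs a deliberate decision. Drop `- -d` for anything but a dev profile (or gate it on a value), and prefer mounting the few keys the provider needs over `envFrom` on the whole Secret. Neither container sets `runAsNonRoot`/`readOnlyRootFilesystem`/`allowPrivilegeEscalation: false` — only `fsGroup: 65532` — and `log-streamer` uses `imagePullPolicy: Always` on a mutable `v0.0.8` tag; a digest pin would keep the sidecar that reads those logs from changing without a Git commit.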
@@ -0,0 +1,51 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+ name: crossplane-secrets
+ namespace: crossplane-system
+spec:
+ dataFrom:
+ - extract:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /crossplane
+ refreshInterval: 10s
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: crossplane-secrets
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: git-credentials
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ target:
+ name: git-credentials
+ template:
+ engineVersion: v2
+ data:
+ creds: |
+ https://{{ .username }}:{{ .password }}@github.com
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ key: crossplane
+ property: username
+ conversionStrategy: Default
+ secretKey: username
+ - remoteRef:
+ key: crossplane
+ property: password
+ conversionStrategy: Default
+ secretKey: password
diff --git a/templates/controlplane-template/templates/components/crossplane/provider/svc.yaml b/templates/controlplane-template/templates/components/crossplane/provider/svc.yaml
new file mode 100644
index 0000000..8e2aa98
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/provider/svc.yaml
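Review bot: This file declares the same two ExternalSecrets (`crossplane-secrets` and `git-credentials`, both landing in `crossplane-system`) as `components/crossplane/crossplane-system/crossplane-secrets.yaml`, but the two directories are synced by different Applications (`crossplane-system` and `crossplane-provider`), each with `Replace=true` and `selfHeal: true`; ArgoCD will raise a SharedResourceWarning and the two apps will alternately take ownership and re-replace the resources on every sync. Keep a single copy — the provider directory is the one whose DeploymentRuntimeConfig consumes `crossplane-secrets` — and delete the other. The Helm-vs-ESO templating problem on the `creds:` line applies here exactly as in the sibling file.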
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: log-streamer-service
+ labels:
+ app: log-streamer
+spec:
+ ports:
+ - port: 9090
+ targetPort: 9090
+ protocol: TCP
+ name: http
+ selector:
+ pkg.crossplane.io/provider: provider-terraform
+ pkg.crossplane.io/revision: crossplane-provider-terraform-6fe8d52ff0a1
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/proxy-buffering: 'off'
+ nginx.ingress.kubernetes.io/proxy-cache-bypass: '1'
+ nginx.ingress.kubernetes.io/proxy-read-timeout: '3600'
+ nginx.ingress.kubernetes.io/proxy-send-timeout: '3600'
+ name: log-streamer-ingress
+ namespace: crossplane-system
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: logs-{{ .Values.clusterName }}.{{ .Values.domainName }}
+ http:
+ paths:
+ - backend:
+ service:
+ name: log-streamer-service
+ port:
+ number: 9090
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - logs-{{ .Values.clusterName }}.{{ .Values.domainName }}
+ secretName: logs-{{ .Values.clusterName }}-cluster
diff --git a/templates/controlplane-template/templates/components/crossplane/provider/terraform-provider.yaml b/templates/controlplane-template/templates/components/crossplane/provider/terraform-provider.yaml
new file mode 100644
index 0000000..8ad0079
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/provider/terraform-provider.yaml
@@ -0,0 +1,16 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: crossplane-provider-terraform
+spec:
+ runtimeConfigRef:
+ name: terraform-config
+ ignoreCrossplaneConstraints: false
+ package: xpkg.upbound.io/upbound/provider-terraform:v0.20.0
+ packagePullPolicy: IfNotPresent
+ revisionActivationPolicy: Automatic
+ revisionHistoryLimit: 1
+ skipDependencyResolution: false
+
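Review bot: `log-streamer-ingress` publishes the Terraform provider's log directory on a public hostname with a Let's Encrypt certificate (so external-dns, which watches ingresses in this change, will also create the DNS record) and carries no authentication or source-IP restriction — anyone who can resolve `logs-<cluster>.<domain>` can read infrastructure logs, which for a provider also running with `-d` routinely contain provider configuration and resource identifiers. Add an `nginx.ingress.kubernetes.io/auth-url`/`auth-signin` pair in front of an OIDC proxy, or at minimum `nginx.ingress.kubernetes.io/whitelist-source-range`, before this is templated out to every cluster. The Service selector also hard-codes `pkg.crossplane.io/revision: crossplane-provider-terraform-6fe8d52ff0a1`, a package-revision hash that changes on the first provider upgrade, after which the Service selects no pods; and its `pkg.crossplane.io/provider: provider-terraform` value differs from the `terraform` label in the DeploymentRuntimeConfig, so confirm against a running pod which labels Crossplane actually stamps and select on a stable one. Provider `v0.20.0` is pulled by tag with `IfNotPresent`; a digest pin would match the intent of `revisionActivationPolicy: Automatic` being safe.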
diff --git a/templates/controlplane-template/templates/components/external-dns/application.yaml b/templates/controlplane-template/templates/components/external-dns/application.yaml
new file mode 100644
index 0000000..77c161f
--- /dev/null
+++ b/templates/controlplane-template/templates/components/external-dns/application.yaml
@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-dns
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: https://kubernetes-sigs.github.io/external-dns
+ targetRevision: {{ .Values.versions.externalDns }}
+ helm:
+ releaseName: external-dns
+ values: |
+ image:
+ repository: registry.k8s.io/external-dns/external-dns
+ tag: "v0.13.2"
+ serviceAccount:
+ create: true
+ name: external-dns
+ provider: {{ .Values.externalDns.providerName }}
+ sources:
+ - ingress
+ domainFilters:
+ - {{ .Values.externalDns.domainName }}
+ env:
+ - name: {{ .Values.externalDns.providerTokenEnvName }}
+ valueFrom:
+ secretKeyRef:
+ name: external-dns-secrets
+ key: token
+ chart: external-dns
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: external-dns
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
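Review bot: The external-dns values set `provider`, `sources` and `domainFilters` but no `txtOwnerId`, so every cluster stamped from this template shares the chart's default owner id; since this is a management-cluster template that goes on to create more clusters (the `clusters` Application), two instances pointed at the same zone will treat each other's records as their own and overwrite or delete them. Add `txtOwnerId: {{ .Values.clusterName }}` (and a `txtPrefix`) and state the `policy` explicitly rather than relying on the chart default. The image is also pinned to `tag: "v0.13.2"` while the chart version is templated from `.Values.versions.externalDns`, so a chart bump will silently run a mismatched binary; either template the tag too or drop the override and use the chart's appVersion. `external-dns-secrets` is referenced but not created anywhere in this change — presumably another ExternalSecret elsewhere; a comment naming its source would help.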
@@ -0,0 +1,73 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-secrets-operator
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: https://charts.external-secrets.io
+ targetRevision: 0.19.2
+ helm:
+ values: |-
+ serviceAccount:
+ create: false
+ name: external-secrets
+ chart: external-secrets
+ destination:
+ name: in-cluster
+ namespace: external-secrets-operator
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - RespectIgnoreDifferences=true
+ - ServerSideApply=true
+ - ServerSideApplyForce=true
+ ignoreDifferences:
+ - group: apiextensions.k8s.io
+ kind: CustomResourceDefinition
+ jqPathExpressions:
+ - .spec.conversion.webhook.clientConfig.caBundle
+ - .spec.conversion.webhook.clientConfig.service.name
+ - .spec.conversion.webhook.clientConfig.service.namespace
+ - group: admissionregistration.k8s.io
+ kind: ValidatingWebhookConfiguration
+ jqPathExpressions:
+ - .webhooks[]?.clientConfig.caBundle
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eso-kubernetes-external-secrets-auth
+ annotations:
+ argocd.argoproj.io/sync-wave: '40'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'system:auth-delegator'
+subjects:
+ - kind: ServiceAccount
+ name: external-secrets
+ namespace: external-secrets-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eso-kubernetes-external-secrets-auth2
+ annotations:
+ argocd.argoproj.io/sync-wave: '40'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'cluster-admin'
+subjects:
+ - kind: ServiceAccount
+ name: external-secrets
+ namespace: external-secrets-operator
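Review bot: The second ClusterRoleBinding, `eso-kubernetes-external-secrets-auth2`, binds `cluster-admin` to the `external-secrets` ServiceAccount, turning a controller whose job is to read secret backends and write Secrets into a full cluster administrator — anyone who compromises the ESO pod or its token inherits control of every namespace, including `argocd`. The chart's default RBAC already covers the CRDs and Secrets ESO manages, and the `system:auth-delegator` binding above it is what Kubernetes-auth to a backend needs, so delete the `cluster-admin` binding; if a specific backend genuinely needs more, bind a named ClusterRole that lists those resources and verbs. Also note that `serviceAccount.create: false` relies on an `external-secrets` ServiceAccount being created somewhere not in this hunk, and that `project: default` and `destination.name: in-cluster` are hard-coded here while the sibling templates use `{{ .Values.project }}` and `{{ .Values.clusterDestination }}`.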
diff --git a/templates/controlplane-template/templates/components/github-runner/runnerdeployment.yaml b/templates/controlplane-template/templates/components/github-runner/runnerdeployment.yaml
new file mode 100644
index 0000000..991352b
--- /dev/null
+++ b/templates/controlplane-template/templates/components/github-runner/runnerdeployment.yaml
@@ -0,0 +1,20 @@
+apiVersion: actions.summerwind.dev/v1alpha1
+kind: RunnerDeployment
+metadata:
+ name: actions-runner
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ replicas: 2
+ template:
+ spec:
+ organization: {{ .Values.githubOwner }}
+ image: ghcr.io/actions-runner-controller/actions-runner-controller/actions-runner-dind-rootless:v2.315.0-ubuntu-20.04-5b9b9f7
+ serviceAccountName: github-runner
+ automountServiceAccountToken: true
+ dockerEnabled: false
+ dockerdWithinRunnerContainer: false
+ resources: {}
+ securityContext:
+ fsGroup: 1000
+ runAsUser: 1000
diff --git a/templates/controlplane-template/templates/components/github-runner/serviceaccount.yaml b/templates/controlplane-template/templates/components/github-runner/serviceaccount.yaml
new file mode 100644
index 0000000..6e2d556
--- /dev/null
+++ b/templates/controlplane-template/templates/components/github-runner/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: github-runner
+ namespace: github-runner
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
diff --git a/templates/controlplane-template/templates/components/ingress-nginx/application.yaml b/templates/controlplane-template/templates/components/ingress-nginx/application.yaml
new file mode 100644
index 0000000..7186776
--- /dev/null
+++ b/templates/controlplane-template/templates/components/ingress-nginx/application.yaml
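Review bot: `automountServiceAccountToken: true` mounts the `github-runner` ServiceAccount token into a runner registered at organization scope (`organization: {{ .Values.githubOwner }}`), so every workflow job from any repository in that org runs with a Kubernetes identity sitting in its filesystem. The ServiceAccount in the following hunk has no RoleBinding anywhere in this diff, so the token is low-privilege today, but any binding added later becomes reachable from CI without anyone revisiting this file; set `automountServiceAccountToken: false` and, if a workflow actually needs the API, give it a dedicated SA and runner group. `resources: {}` also leaves CI jobs unbounded on the same cluster that hosts ArgoCD and the operators in this chart — at minimum set CPU/memory limits so a runaway job cannot starve the control-plane components.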
@@ -0,0 +1,35 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: ingress-nginx
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: https://kubernetes.github.io/ingress-nginx
+ targetRevision: 4.12.1
+ helm:
+ values: |-
+ controller:
+ publishService:
+ enabled: true
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+ service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+ extraArgs:
+ enable-ssl-passthrough: true
+ chart: ingress-nginx
+ destination:
+ name: in-cluster
+ namespace: ingress-nginx
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/components/reloader/application.yaml b/templates/controlplane-template/templates/components/reloader/application.yaml
new file mode 100644
index 0000000..5353788
--- /dev/null
+++ b/templates/controlplane-template/templates/components/reloader/application.yaml
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: reloader
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: 'https://stakater.github.io/stakater-charts'
+ targetRevision: v1.0.10
+ chart: reloader
+ helm:
+ values: |-
+ ignoreSecrets: false
+ destination:
+ server: 'https://kubernetes.default.svc'
+ namespace: reloader
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
diff --git a/templates/controlplane-template/templates/components/reloader/wait.yaml b/templates/controlplane-template/templates/components/reloader/wait.yaml
new file mode 100644
index 0000000..d2e9893
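Review bot: `enable-ssl-passthrough: true` is switched on controller-wide, yet none of the Ingresses visible in this diff carry the `ssl-passthrough` annotation; passthrough makes the controller proxy raw TCP on 443 for annotated hosts, bypassing the L7 features (TLS policy, access logging, auth annotations, any WAF) the other Ingresses depend on, and upstream documents it as a performance cost. Remove the flag until a consumer needs it, and when one does, name that consumer in a comment next to `extraArgs`. Like the reloader Application in the next hunk (`destination.server: 'https://kubernetes.default.svc'`), this one hard-codes `project: default` and `destination.name: in-cluster` where the sibling templates use `{{ .Values.project }}` and `{{ .Values.clusterDestination }}`; with a non-default `clusterDestination` these two would land on a different cluster than the rest of the chart.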
--- /dev/null
+++ b/templates/controlplane-template/templates/components/reloader/wait.yaml
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: k8s-toolkit-reloader
+ namespace: reloader
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: k8s-toolkit-reloader
+ namespace: reloader
+rules:
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - watch
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: k8s-toolkit-reloader
+ namespace: reloader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: k8s-toolkit-reloader
+subjects:
+ - kind: ServiceAccount
+ name: k8s-toolkit-reloader
+ namespace: reloader
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: wait-reloader
+ namespace: reloader
+spec:
+ template:
+ spec:
+ containers:
+ - args:
+ - wait-for
+ - deployment
+ - --namespace
+ - reloader
+ - --label
+ - app=reloader-reloader
+ image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
+ imagePullPolicy: IfNotPresent
+ name: wait
+ restartPolicy: OnFailure
+ serviceAccountName: k8s-toolkit-reloader
diff --git a/templates/controlplane-template/templates/crossplane.yaml b/templates/controlplane-template/templates/crossplane.yaml
new file mode 100644
index 0000000..c92434b
--- /dev/null
+++ b/templates/controlplane-template/templates/crossplane.yaml
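Review bot: The `wait-reloader` container has no `securityContext` and no `resources`, so the toolkit runs with whatever the image defaults to (root, if the image does not drop it) on the management cluster; add `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities: {drop: [ALL]}}` and modest limits — the wait only talks to the API server via the namespaced Role above, so none of that should break it, but confirm against the image. The Job is also a plain tracked resource rather than an Argo hook, so the completed Job and its pod stay in `reloader` forever, and a `ttlSecondsAfterFinished` would likely just make `selfHeal` recreate it; the Argo-native shape is `argocd.argoproj.io/hook: Sync` plus `argocd.argoproj.io/hook-delete-policy: HookSucceeded` alongside the existing sync-wave. The Role itself is appropriately minimal (get/watch/list on deployments and statefulsets) and is a good pattern to keep for the other one-shot jobs.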
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: crossplane-components
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '60'
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/crossplane
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: crossplane-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - Replace=true
diff --git a/templates/controlplane-template/templates/external-dns.yaml b/templates/controlplane-template/templates/external-dns.yaml
new file mode 100644
index 0000000..61eaad3
--- /dev/null
+++ b/templates/controlplane-template/templates/external-dns.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-dns-components
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/external-dns
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: external-dns
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/external-secrets-operator.yaml b/templates/controlplane-template/templates/external-secrets-operator.yaml
new file mode 100644
index 0000000..19f1a38
--- /dev/null
+++ b/templates/controlplane-template/templates/external-secrets-operator.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-secrets-operator-components
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '30'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/external-secrets-operator
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: external-secrets-operator
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/github-runner.yaml b/templates/controlplane-template/templates/github-runner.yaml
new file mode 100644
index 0000000..026cb74
--- /dev/null
+++ b/templates/controlplane-template/templates/github-runner.yaml
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: github-runner-components
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '60'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/github-runner
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: github-runner
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ - Replace=true
+ - PruneLast=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
diff --git a/templates/controlplane-template/templates/ingress-nginx.yaml b/templates/controlplane-template/templates/ingress-nginx.yaml
new file mode 100644
index 0000000..d0d5a4b
--- /dev/null
+++ b/templates/controlplane-template/templates/ingress-nginx.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: ingress-nginx-components
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/ingress-nginx
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: ingress-nginx
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/registry.yaml b/templates/controlplane-template/templates/registry.yaml
new file mode 100644
index 0000000..bd32d42
--- /dev/null
+++ b/templates/controlplane-template/templates/registry.yaml
@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: registry
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '1001'
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}
+ targetRevision: HEAD
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
diff --git a/templates/controlplane-template/templates/reloader.yaml b/templates/controlplane-template/templates/reloader.yaml
new file mode 100644
index 0000000..118df7b
--- /dev/null
+++ b/templates/controlplane-template/templates/reloader.yaml
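Review bot: The `registry` Application is the only templated Application in this chart that targets `destination.server: https://kubernetes.default.svc` instead of `name: {{ .Values.clusterDestination }}`, so with a non-default `clusterDestination` it would sync `registry/clusters/{{ .Values.clusterName }}` into the ArgoCD cluster while every component Application syncs into the destination cluster; use `name: {{ .Values.clusterDestination }}` here as well. Every Application in the chart also tracks `targetRevision: HEAD` with `automated.prune` and `selfHeal`, which makes push access to the repository's default branch effectively equivalent to admin on the destination cluster. Pin the revision to an explicit, protected branch (e.g. `targetRevision: {{ .Values.gitopsBranch | default "main" }}`) and state in the chart README that branch protection and required reviews on that branch are part of the security boundary.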
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: reloader-components
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '60'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/reloader
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: reloader
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/values.yaml b/templates/controlplane-template/values.yaml
new file mode 100644
index 0000000..d45def1
--- /dev/null
+++ b/templates/controlplane-template/values.yaml
@@ -0,0 +1,169 @@
+# Management Cluster Template Configuration
+# This values file contains all configurable parameters for deploying the management cluster components
+
+# =============================================================================
+# GLOBAL/COMMON VALUES
+# =============================================================================
+
+# @input.type: string
+# @input.description: Cluster name identifier used in registry paths
+# @input.required: true
+# @input.default: mgmt
+clusterName: mgmt
+
+# @input.type: string
+# @input.description: GitOps repository URL for ArgoCD sync
+# @input.required: true
+# @input.default: https://github.com/example/gitops-repo
+gitopsRepoUrl: https://github.com/example/gitops-repo
+
+# @input.type: string
+# @input.description: Domain name for all services (e.g., example.com)
+# @input.required: true
+# @input.default: example.com
+domainName: example.com
+
+# @input.type: string
+# @input.description: Target cluster destination for ArgoCD applications
+# @input.required: true
+# @input.default: in-cluster
+clusterDestination: in-cluster
+
+# @input.type: string
+# @input.description: ArgoCD project name for applications
+# @input.required: true
+# @input.default: default
+project: default
+
+# @input.type: string
+# @input.description: Cloud region for services (e.g., NYC1, us-east-1)
+# @input.required: true
+# @input.default: NYC1
+cloudRegion: NYC1
+
+# @input.type: string
+# @input.description: State store bucket name for artifacts and state
+# @input.required: true
+# @input.default: kubefirst-state-store
+kubefirstStateStoreBucket: kubefirst-state-store
+
+# @input.type: string
+# @input.description: Email address for alerts and certificate notifications
+# @input.required: true
+# @input.default: alerts@example.com
+alertsEmail: alerts@example.com
+
+# =============================================================================
+# GIT PROVIDER SETTINGS
+# =============================================================================
+
+# @input.type: enum
+# @input.description: Git provider type (github or gitlab)
+# @input.options: github,gitlab
+# @input.required: true
+# @input.default: github
+gitProvider: github
+
+# @input.type: string
+# @input.description: GitHub organization or user name
+# @input.required: false
+# @input.default: ""
+githubOwner: ""
+
+# @input.type: string
+# @input.description: GitLab group or user name
+# @input.required: false
+# @input.default: ""
+gitlabOwner: ""
+
+# =============================================================================
+# CERT MANAGER ISSUER ANNOTATIONS
+# =============================================================================
+
+certManager:
+ # @input.type: string
+ # @input.description: First cert-manager issuer annotation (key: value format)
+ # @input.required: false
+ # @input.default: "cert-manager.io/cluster-issuer: letsencrypt-prod"
+ issuerAnnotation1: "cert-manager.io/cluster-issuer: letsencrypt-prod"
+
+ # @input.type: string
+ # @input.description: Second cert-manager issuer annotation (optional)
+ # @input.required: false
+ # @input.default: ""
+ issuerAnnotation2: ""
+
+ # @input.type: string
+ # @input.description: Third cert-manager issuer annotation (optional)
+ # @input.required: false
+ # @input.default: ""
+ issuerAnnotation3: ""
+
+ # @input.type: string
+ # @input.description: Fourth cert-manager issuer annotation (optional)
+ # @input.required: false
+ # @input.default: ""
+ issuerAnnotation4: ""
+
+# =============================================================================
+# EXTERNAL DNS SETTINGS
+# =============================================================================
+
+externalDns:
+ # @input.type: string
+ # @input.description: External DNS provider name (e.g., cloudflare, route53, civo)
+ # @input.required: true
+ # @input.default: cloudflare
+ providerName: cloudflare
+
+ # @input.type: string
+ # @input.description: Domain name filter for external DNS
+ # @input.required: true
+ # @input.default: example.com
+ domainName: example.com
+
+ # @input.type: string
+ # @input.description: Environment variable name for provider token
+ # @input.required: true
+ # @input.default: CF_API_TOKEN
+ providerTokenEnvName: CF_API_TOKEN
+
+# =============================================================================
+# ATLANTIS SETTINGS
+# =============================================================================
+
+atlantis:
+ # @input.type: string
+ # @input.description: Atlantis repository allowlist (e.g., github.com/org/*)
+ # @input.required: true
+ # @input.default: github.com/example/*
+ allowList: github.com/example/*
+
+# =============================================================================
+# COMPONENT VERSIONS (Chart Versions)
+# =============================================================================
+
+versions:
+ # @input.type: string
+ # @input.description: Atlantis Helm chart version
+ # @input.required: false
+ # @input.default: 4.11.2
+ atlantis: "4.11.2"
+
+ # @input.type: string
+ # @input.description: External DNS Helm chart version
+ # @input.required: false
+ # @input.default: 1.14.4
+ externalDns: "1.14.4"
+
+ # @input.type: string
+ # @input.description: ChartMuseum Helm chart version
+ # @input.required: false
+ # @input.default: 3.9.3
+ chartmuseum: "3.9.3"
+
+ # @input.type: string
+ # @input.description: Argo Workflows Helm chart version
+ # @input.required: false
+ # @input.default: 0.20.1
+ argoWorkflows: "0.20.1"
diff --git a/terraform/civo/main.tf b/terraform/civo/main.tf
deleted file mode 100644
index a9279ce..0000000
--- a/terraform/civo/main.tf
+++ /dev/null
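Review bot: `project: default` ships as the ArgoCD project for every Application in the chart, and ArgoCD's built-in `default` AppProject permits any source repository, any destination and all cluster-scoped resource kinds, which removes the one guardrail that would stop a compromised or mistyped `gitopsRepoUrl` from deploying arbitrary manifests; default to a chart-owned project name and state in the description that the AppProject must restrict `sourceRepos` to `gitopsRepoUrl` and `destinations` to the component namespaces. `certManager.issuerAnnotation1..4` accept a free-form `key: value` string that is presumably spliced verbatim into an annotations map (the consuming template is outside this hunk); a value containing a newline or a second `:` would inject YAML, so split these into `key`/`value` pairs or validate them with `required`/`regexMatch` where they are rendered. `atlantis.allowList: github.com/example/*` defaults to a wildcard over a whole org; the description should say it is to be narrowed to the IaC repositories Atlantis actually plans, since anything matching it can trigger plan/apply.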
@@ -1,36 +0,0 @@
-provider "civo" {
- region = ""
-}
-
-locals {
- cluster_name = ""
- kube_config_filename = "../../../kubeconfig"
-}
-
-resource "civo_network" "kubefirst" {
- label = local.cluster_name
-}
-
-resource "civo_firewall" "kubefirst" {
- name = local.cluster_name
- network_id = civo_network.kubefirst.id
- create_default_rules = true
-}
-
-resource "civo_kubernetes_cluster" "kubefirst" {
- name = local.cluster_name
- network_id = civo_network.kubefirst.id
- firewall_id = civo_firewall.kubefirst.id
- kubernetes_version = "1.28.7-k3s1"
- write_kubeconfig = true
- pools {
- label = local.cluster_name
- size = ""
- node_count = tonumber("") # tonumber() is used for a string token value
- }
-}
-
-resource "local_file" "kubeconfig" {
- content = civo_kubernetes_cluster.kubefirst.kubeconfig
- filename = local.kube_config_filename
-}
diff --git a/terraform/gcp/workload-cluster/main.tf b/terraform/gcp/workload-cluster/main.tf
deleted file mode 100644
index 4c35c97..0000000
--- a/terraform/gcp/workload-cluster/main.tf
+++ /dev/null
@@ -1,209 +0,0 @@
-
-locals {
- cluster_name = var.cluster_name
- subnet_name = lookup(module.vpc.subnets, "${var.cluster_region}/subnet-01-${local.cluster_name}").name
-}
-
-data "google_client_config" "current" {}
-
-resource "google_compute_router" "router" {
- name = "gke-cloud-router-${local.cluster_name}"
- project = data.google_client_config.current.project
- network = local.cluster_name
- region = var.cluster_region
-}
-
-module "cloud-nat" {
- name = "gke-nat-config-${local.cluster_name}"
- source = "terraform-google-modules/cloud-nat/google"
- version = "~> 5.0"
- project_id = data.google_client_config.current.project
- region = var.cluster_region
- router = google_compute_router.router.name
- source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
-}
-
-resource "google_service_account" "kubefirst" {
- account_id = local.cluster_name
- display_name = "Service Account for ${local.cluster_name} cluster"
-}
-
-module "vpc" {
- source = "terraform-google-modules/network/google"
- version = "~> 9.1"
-
- project_id = data.google_client_config.current.project
- network_name = local.cluster_name
-
- subnets = [
- {
- subnet_name = "subnet-01-${local.cluster_name}"
- subnet_ip = "10.10.10.0/24"
- subnet_region = var.cluster_region
- subnet_private_access = "true"
- subnet_flow_logs = "true"
- description = "This base subnet."
- },
- ]
-
- secondary_ranges = {
- "subnet-01-${local.cluster_name}" = [
- {
- range_name = "subnet-01-${local.cluster_name}-gke-01-pods"
- ip_cidr_range = "10.13.0.0/16"
- },
- {
- range_name = "subnet-01-${local.cluster_name}-gke-01-services"
- ip_cidr_range = "10.14.0.0/16"
- },
- ]
- }
-}
-
-module "gke" {
- source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
- version = "~> 31.0"
-
- project_id = data.google_client_config.current.project
- name = local.cluster_name
- region = var.cluster_region
- release_channel = "STABLE"
- remove_default_node_pool = true
-
- deletion_protection = false
-
- // External availability
- enable_private_endpoint = false
- enable_private_nodes = true
-
- // Service Account
- create_service_account = true
-
- // Networking
- network = module.vpc.network_name
- subnetwork = local.subnet_name
- ip_range_pods = "${local.subnet_name}-gke-01-pods"
- ip_range_services = "${local.subnet_name}-gke-01-services"
-
- // Addons
- dns_cache = true
- enable_shielded_nodes = true
- filestore_csi_driver = false
- gce_pd_csi_driver = true
- horizontal_pod_autoscaling = false
- http_load_balancing = false
- network_policy = false
-
- // Node Pools
- node_pools = [
- {
- name = "kubefirst"
- machine_type = var.node_type
-
- // Autoscaling
- // PER ZONE
- min_count = var.node_count
- // PER ZONE
- max_count = var.node_count
- // PER ZONE
- initial_node_count = var.node_count
-
- local_ssd_count = 0
- spot = false
- disk_size_gb = 100
- disk_type = "pd-standard"
- image_type = "COS_CONTAINERD"
- enable_gcfs = false
- enable_gvnic = false
- auto_repair = true
- auto_upgrade = true
- preemptible = false
- },
- ]
-
- node_pools_oauth_scopes = {
- all = [
- "https://www.googleapis.com/auth/logging.write",
- "https://www.googleapis.com/auth/monitoring",
- "https://www.googleapis.com/auth/devstorage.read_only",
- ]
- }
-}
-
-resource "aws_ssm_parameter" "clusters" {
- provider = aws.PROJECT_REGION
- name = "/clusters/${local.cluster_name}"
- description = "Cluster configuration for ${local.cluster_name}"
- type = "String"
- value = jsonencode(
- {
- cluster_ca_certificate = base64decode(module.gke.ca_certificate)
- host = "https://${module.gke.endpoint}"
- token = data.google_client_config.current.access_token
- cluster_name = local.cluster_name
- argocd_manager_sa_token = kubernetes_secret_v1.argocd_manager.data.token
- }
- )
-}
-
-
-provider "kubernetes" {
- host = "https://${module.gke.endpoint}"
- token = data.google_client_config.current.access_token
- cluster_ca_certificate = base64decode(module.gke.ca_certificate)
-}
-
-resource "kubernetes_cluster_role_v1" "argocd_manager" {
- metadata {
- name = "argocd-manager-role"
- }
-
- rule {
- api_groups = ["*"]
- resources = ["*"]
- verbs = ["*"]
- }
- rule {
- non_resource_urls = ["*"]
- verbs = ["*"]
- }
-}
-
-resource "kubernetes_cluster_role_binding_v1" "argocd_manager" {
- metadata {
- name = "argocd-manager-role-binding"
- }
- role_ref {
- api_group = "rbac.authorization.k8s.io"
- kind = "ClusterRole"
- name = kubernetes_cluster_role_v1.argocd_manager.metadata.0.name
- }
- subject {
- kind = "ServiceAccount"
- name = kubernetes_service_account_v1.argocd_manager.metadata.0.name
- namespace = "kube-system"
- }
-}
-
-resource "kubernetes_service_account_v1" "argocd_manager" {
- metadata {
- name = "argocd-manager"
- namespace = "kube-system"
- }
- secret {
- name = "argocd-manager-token"
- }
-}
-
-resource "kubernetes_secret_v1" "argocd_manager" {
- metadata {
- name = "argocd-manager-token"
- namespace = "kube-system"
- annotations = {
- "kubernetes.io/service-account.name" = "argocd-manager"
- }
- }
- type = "kubernetes.io/service-account-token"
- depends_on = [ kubernetes_service_account_v1.argocd_manager ]
-}
diff --git a/terraform/gcp/workload-cluster/variables.tf b/terraform/gcp/workload-cluster/variables.tf
deleted file mode 100644
index 04cecfa..0000000
--- a/terraform/gcp/workload-cluster/variables.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-
-variable "node_type" {
- type = string
-}
-
-variable "cluster_region" {
- type = string
-}
-
-variable "node_count" {
- type = number
-}
-
-variable "cluster_name" {
- type = string
-}