Staging is prod

apps/base/hephy/hephy-workflow-beta.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: hephy-workflow-beta
+  namespace: deis
+spec:
+  interval: 1m0s
+  ref:
+    branch: main
+  url: https://github.com/kingdonb/hephy-workflow-beta

apps/base/hephy/kustomization.yaml

@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - helmrelease-deis-hephy.yaml
 - teamhephy-repo.yaml
+- hephy-workflow-beta.yaml

apps/base/minio/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- minio-stage-ns.yaml

apps/base/minio/minio-stage-ns.yaml

@@ -0,0 +1,4 @@
+# apiVersion: v1
+# kind: Namespace
+# metadata:
+#   name: minio-stage

apps/base/traefik/traefik.yaml

@@ -78,4 +78,5 @@ spec:
               name: storage-volume
       volumes:
         - name: storage-volume
-          emptyDir: {}
+          persistentVolumeClaim:
+            claimName: traefik-tls

apps/chartmuseum/charts-beta-ingressroute.yaml

@@ -0,0 +1,35 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: charts-beta-public-access
+  namespace: chartmuseum
+spec:
+  entryPoints:
+  - web
+  routes:
+  - kind: Rule
+    match: Host(`charts-beta.hephy.pro`)
+    services:
+    - kind: Service
+      name: chartmuseum-chartmuseum
+      namespace: chartmuseum
+      port: 8080
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: charts-beta-public-access-https
+  namespace: chartmuseum
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - kind: Rule
+    match: Host(`charts-beta.hephy.pro`)
+    services:
+    - kind: Service
+      name: chartmuseum-chartmuseum
+      namespace: chartmuseum
+      port: 8080
+  tls:
+    certResolver: prodresolver

apps/chartmuseum/helmrelease.yaml

@@ -0,0 +1,36 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: chartmuseum
+  namespace: chartmuseum
+spec:
+  chart:
+    spec:
+      chart: chartmuseum
+      sourceRef:
+        kind: HelmRepository
+        name: chartmuseum
+  targetNamespace: chartmuseum
+  storageNamespace: chartmuseum
+  interval: 15m0s
+  values:
+    env:
+      open:
+        STORAGE: amazon
+        STORAGE_AMAZON_BUCKET: charts-beta
+        STORAGE_AMAZON_PREFIX:
+        STORAGE_AMAZON_REGION: us-east-1
+        STORAGE_AMAZON_ENDPOINT: https://minio.hephy.pro
+      # secret:
+        # AWS_ACCESS_KEY_ID: "********" ## aws access key id value
+        # AWS_SECRET_ACCESS_KEY: "********" ## aws access key secret value
+  valuesFrom:
+  - kind: Secret
+    name: minio-user
+    valuesKey: accesskey
+    targetPath: env.secret.AWS_ACCESS_KEY_ID
+  - kind: Secret
+    name: minio-user
+    valuesKey: secretkey
+    targetPath: env.secret.AWS_SECRET_ACCESS_KEY

apps/chartmuseum/helmrepo.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: chartmuseum
+  namespace: chartmuseum
+spec:
+  interval: 1h1m49s
+  url: https://chartmuseum.github.io/charts
+

apps/harbor/helmrelease.yaml

@@ -0,0 +1,14 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: harbor
+spec:
+  chart:
+    spec:
+      chart: harbor
+      sourceRef:
+        kind: HelmRepository
+        name: harbor
+      version: 1.8.1
+  interval: 15m15s
+  timeout: 10m0s

apps/harbor/helmrepo.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: harbor
+spec:
+  interval: 1h1m49s
+  url: https://helm.goharbor.io
+

apps/harbor/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: harbor
+resources:
+- helmrelease.yaml
+- helmrepo.yaml

apps/hephy/blog-ingressroute.yaml

@@ -1,7 +1,8 @@
+---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
-  name: blog
+  name: blog-insecure
 spec:
   entryPoints:
     - web
@@ -13,3 +14,21 @@ spec:
       name: blog
       namespace: blog
       port: 80
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: blog
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`blog.teamhephy.info`)
+    kind: Rule
+    services:
+    - kind: Service
+      name: blog
+      namespace: blog
+      port: 80
+  tls:
+    certResolver: prodresolver

apps/hephy/hephy-patch.yaml

@@ -6,17 +6,42 @@ spec:
   chart:
     spec:
       sourceRef:
-        kind: HelmRepository
-        name: teamhephy
+        kind: GitRepository
+        name: hephy-workflow-beta
         namespace: deis
-      version: 2.23.0
+      version: ^2.24.0-0
   interval: 15m15s
   timeout: 10m0s
   storageNamespace: deis
   targetNamespace: deis
+  dependsOn:
+    - namespace: ingress-nginx
+      name: internal-ingress
+    - namespace: ingress-nginx
+      name: public-ingress
   postRenderers:
     - kustomize:
         patchesStrategicMerge:
+          # - kind: Deployment
+          #   apiVersion: apps/v1
+          #   metadata:
+          #     name: deis-builder
+          #   spec:
+          #     template:
+          #       spec:
+          #         containers:
+          #           - name: deis-builder
+          #             image: kingdonb/builder:git-a3cb9b2
+          - kind: Deployment
+            apiVersion: apps/v1
+            metadata:
+              name: deis-controller
+            spec:
+              template:
+                spec:
+                  containers:
+                    - name: deis-controller
+                      image: kingdonb/controller:git-7beda111
           - kind: Service
             apiVersion: v1
             metadata:

apps/keycloak/kustomization.yaml

@@ -4,7 +4,7 @@ namespace: keycloak
 resources:
   - keycloak-ingress.yaml
   - keycloak-db-user-configmap.yaml
-  - https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/kubernetes-examples/keycloak.yaml
+  - https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/15.1.0/kubernetes-examples/keycloak.yaml
 patchesStrategicMerge:
 - |-
   apiVersion: v1

apps/kuby-test/dashboard.yaml

@@ -0,0 +1,27 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: traefik-staging
+spec:
+  routes:
+  - match: Host(`dashboard.hephy.pro`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+    kind: Rule
+    services:
+    - name: api@internal
+      kind: TraefikService
+    middlewares:
+      - name: auth
+  entryPoints:
+    - websecure
+  tls:
+    certResolver: myresolver
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: auth
+  namespace: traefik-staging
+spec:
+  basicAuth:
+    secret: traefik-dashboard-auth-htpasswd

apps/kuby-test/flux-system-rw-gitrepo.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: flux-system-rw
+  namespace: kubytest-production
+spec:
+  gitImplementation: go-git
+  interval: 30m0s
+  ref:
+    branch: staging
+  secretRef:
+    name: flux-system-rw
+  timeout: 20s
+  url: ssh://git@github.com/kingdonb/bootstrap-repo

apps/kuby-test/image-webhook-recv.yaml

@@ -0,0 +1,13 @@
+apiVersion: notification.toolkit.fluxcd.io/v1beta1
+kind: Receiver
+metadata:
+  name: image-webhook
+  namespace: kubytest-production
+spec:
+  resources:
+  - apiVersion: image.toolkit.fluxcd.io/v1alpha1
+    kind: ImageRepository
+    name: kuby-tester
+  secretRef:
+    name: webhook-token
+  type: generic

apps/kuby-test/kuby-tester-assets-imagepol.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImagePolicy
+metadata:
+  name: kuby-tester-assets
+  namespace: kubytest-production
+spec:
+  filterTags:
+    extract: $ts
+    pattern: ^(?P<ts>[0-9]+)-assets$
+  imageRepositoryRef:
+    name: kuby-tester
+  policy:
+    numerical:
+      order: asc
+

apps/kuby-test/kuby-tester-imageauto.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageUpdateAutomation
+metadata:
+  name: kuby-tester
+  namespace: kubytest-production
+spec:
+  git:
+    checkout:
+      ref:
+        branch: staging
+    commit:
+      author:
+        email: fluxcdbot@users.noreply.github.com
+        name: fluxcdbot
+      messageTemplate: '{{range .Updated.Images}}{{println .}}{{end}}'
+    push:
+      branch: staging
+  interval: 30m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system-rw
+  update:
+    path: ./clusters/moo-cluster/kuby-test
+    strategy: Setters
+

apps/kuby-test/kuby-tester-imagepol.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImagePolicy
+metadata:
+  name: kuby-tester
+  namespace: kubytest-production
+spec:
+  filterTags:
+    extract: $ts
+    pattern: ^(?P<ts>[0-9]+)$
+  imageRepositoryRef:
+    name: kuby-tester
+  policy:
+    numerical:
+      order: asc
+

apps/kuby-test/kuby-tester-imagerepo.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageRepository
+metadata:
+  name: kuby-tester
+  namespace: kubytest-production
+spec:
+  image: ghcr.io/kingdonb/kuby-tester
+  interval: 10m0s
+  secretRef:
+    name: kubytest-registry-secret