From 04a99fc3f769446223eef734cee5a4380ce645ae Mon Sep 17 00:00:00 2001 
From: alcampag Date: Tue, 16 Sep 2025 10:26:50 +0200 Subject: [PATCH 1/2] oke-gitops-1.1.0 --- .../modules/devops/build_pipeline.tf | 2 +- .../oke-gitops/modules/devops/repositories.tf | 49 +- .../oke/oke-gitops/provider.tf | 2 +- .../apps/helm/charts/example-app/Chart.yaml | 9 + .../charts/example-app/templates}/.gitkeep | 0 .../example-app/env-type/values-no-prod.yml} | 0 .../values/example-app/envs/values-prod.yml | 0 .../values/example-app/envs/values-qa.yml | 0 .../values/example-app/regions/values-uk.yml | 0 .../helm/values/example-app/values-common.yml | 0 .../helm/values/example-app/variants/.gitkeep | 0 .../example-app/version/values-prod.yml | 0 .../values/example-app/version/values-qa.yml | 0 .../example-app/base/kustomization.yml | 4 + .../env-type/no-prod/kustomization.yml | 5 + .../example-app/envs/prod/kustomization.yml | 5 + .../example-app/envs/qa/kustomization.yml | 5 + .../appsets/Chart.yaml | 0 .../appsets/examples/helm-apps-qa.yml | 63 + .../appsets/examples/kustomize-apps-qa.yml | 50 + .../appsets/templates/.gitkeep | 0 .../appsets/values.yaml | 3 +- .../in-cluster.yml | 5 +- .../root.yml | 6 +- .../repos/oke-cluster-config/README.md | 114 -- .../_config_/clusterRole/cluster-reader.yml | 9 - .../cluster-reader-binding.yml | 15 - .../cert-manager/cert-manager.yml | 1466 ----------------- .../cert-manager/cert-manager/values.yml | 9 - .../in-cluster/example/_config_/namespace.yml | 4 - .../example/_config_/role/pod-restricted.yml | 12 - .../roleBinding/edit-role-binding.yml | 19 - .../roleBinding/pod-restricted-binding.yml | 13 - .../serviceAccount/application-sa.yml | 11 - .../metrics-server/metrics-server.yml | 201 --- .../kube-system/metrics-server/values.yml | 8 - .../appsets/templates/argocd/argocd.yml | 44 - .../appsets/templates/cluster-config.yml | 38 - .../templates/example/example-config.yml | 36 - .../repos/pipelines/mirror_argo.yaml | 2 +- .../repos/system-cluster-config/README.md | 54 + .../apps/helm/charts/.gitkeep | 0 
.../values/argocd/env-type/values-hub.yml | 4 + .../helm/values/argocd/values-common.yml} | 0 .../clusters/values-in-cluster.yml | 0 .../example-app/env-type/values-no-prod.yml | 0 .../values/example-app/envs/values-prod.yml | 0 .../values/example-app/envs/values-qa.yml | 0 .../values/example-app/regions/values-uk.yml | 0 .../helm/values/example-app/values-common.yml | 0 .../example-app/variants/values-agent.yml | 0 .../values/example-app/version/values-qa.yml | 0 .../kustomize/argocd/base/kustomization.yml | 5 + .../argocd/base}/secret/in-cluster.yml | 5 +- .../argocd/env-type/hub/kustomization.yml | 5 + .../kustomize/config/base/kustomization.yml | 4 + .../config/env-type/hub/kustomization.yml | 5 + .../example-app/base/kustomization.yml | 4 + .../env-type/hub/kustomization.yml | 5 + .../env-type/no-prod/kustomization.yml | 5 + .../example-app/envs/prod/kustomization.yml | 5 + .../example-app/envs/qa/kustomization.yml | 5 + .../system-cluster-config/appsets/Chart.yaml | 9 + .../appsets/examples/helm-no-prod.yml | 54 + .../appsets/examples/helm-qa.yml | 60 + .../appsets/examples/helm-single-cluster.yml | 52 + .../appsets/examples/hub-config.yml} | 22 +- .../appsets/templates/argocd.yml | 48 + .../system-cluster-config/appsets/values.yaml | 2 + .../system-cluster-config/in-cluster.yml | 16 + .../repos/system-cluster-config/root.yml | 26 + 71 files changed, 576 insertions(+), 2028 deletions(-) create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/charts/example-app/Chart.yaml rename app-dev/devops-and-containers/oke/oke-gitops/repos/{oke-cluster-config/apps/in-cluster/cert-manager/_config_ => apps-cluster-config/apps/helm/charts/example-app/templates}/.gitkeep (100%) rename app-dev/devops-and-containers/oke/oke-gitops/repos/{oke-cluster-config/apps/in-cluster/kube-system/_config_/.gitkeep => apps-cluster-config/apps/helm/values/example-app/env-type/values-no-prod.yml} (100%) create mode 100644 
app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/envs/values-prod.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/envs/values-qa.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/regions/values-uk.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/values-common.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/variants/.gitkeep create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/version/values-prod.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/version/values-qa.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/base/kustomization.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/env-type/no-prod/kustomization.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/envs/prod/kustomization.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/envs/qa/kustomization.yml rename app-dev/devops-and-containers/oke/oke-gitops/repos/{oke-cluster-config => apps-cluster-config}/appsets/Chart.yaml (100%) create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/examples/helm-apps-qa.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/examples/kustomize-apps-qa.yml create mode 100644 
app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/templates/.gitkeep rename app-dev/devops-and-containers/oke/oke-gitops/repos/{oke-cluster-config => apps-cluster-config}/appsets/values.yaml (75%) rename app-dev/devops-and-containers/oke/oke-gitops/repos/{oke-cluster-config => apps-cluster-config}/in-cluster.yml (51%) rename app-dev/devops-and-containers/oke/oke-gitops/repos/{oke-cluster-config => apps-cluster-config}/root.yml (85%) delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/README.md delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/_config_/clusterRole/cluster-reader.yml delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/_config_/clusterRoleBinding/cluster-reader-binding.yml delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/cert-manager/cert-manager/cert-manager.yml delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/cert-manager/cert-manager/values.yml delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/namespace.yml delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/role/pod-restricted.yml delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/roleBinding/edit-role-binding.yml delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/roleBinding/pod-restricted-binding.yml delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/serviceAccount/application-sa.yml delete mode 100644 
app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/kube-system/metrics-server/metrics-server.yml delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/kube-system/metrics-server/values.yml delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/argocd/argocd.yml delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/cluster-config.yml delete mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/example/example-config.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/README.md create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/charts/.gitkeep create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/argocd/env-type/values-hub.yml rename app-dev/devops-and-containers/oke/oke-gitops/repos/{oke-cluster-config/apps/in-cluster/argocd/argocd/values.yml => system-cluster-config/apps/helm/values/argocd/values-common.yml} (100%) create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/clusters/values-in-cluster.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/env-type/values-no-prod.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/envs/values-prod.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/envs/values-qa.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/regions/values-uk.yml create mode 100644 
app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/values-common.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/variants/values-agent.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/version/values-qa.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/argocd/base/kustomization.yml rename app-dev/devops-and-containers/oke/oke-gitops/repos/{oke-cluster-config/apps/in-cluster/argocd/_config_ => system-cluster-config/apps/kustomize/argocd/base}/secret/in-cluster.yml (51%) create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/argocd/env-type/hub/kustomization.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/config/base/kustomization.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/config/env-type/hub/kustomization.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/base/kustomization.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/env-type/hub/kustomization.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/env-type/no-prod/kustomization.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/envs/prod/kustomization.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/envs/qa/kustomization.yml create mode 100644 
app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/Chart.yaml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/helm-no-prod.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/helm-qa.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/helm-single-cluster.yml rename app-dev/devops-and-containers/oke/oke-gitops/repos/{oke-cluster-config/appsets/templates/argocd/argocd-config.yml => system-cluster-config/appsets/examples/hub-config.yml} (59%) create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/templates/argocd.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/values.yaml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/in-cluster.yml create mode 100644 app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/root.yml diff --git a/app-dev/devops-and-containers/oke/oke-gitops/modules/devops/build_pipeline.tf b/app-dev/devops-and-containers/oke/oke-gitops/modules/devops/build_pipeline.tf index d106c91d2..b77bc590f 100644 --- a/app-dev/devops-and-containers/oke/oke-gitops/modules/devops/build_pipeline.tf +++ b/app-dev/devops-and-containers/oke/oke-gitops/modules/devops/build_pipeline.tf @@ -25,7 +25,7 @@ resource "oci_devops_build_pipeline_stage" "mirror_argocd_stage" { display_name = "Mirror Helm Chart" description = "Stage to import a public Helm Chart into the tenancy Oracle Container Registry" primary_build_source = "pipelines" - image = "OL7_X86_64_STANDARD_10" + image = "OL8_X86_64_STANDARD_10" stage_execution_timeout_in_seconds = 36000 } 
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/modules/devops/repositories.tf b/app-dev/devops-and-containers/oke/oke-gitops/modules/devops/repositories.tf index 626beccb6..c9f0a6639 100644 --- a/app-dev/devops-and-containers/oke/oke-gitops/modules/devops/repositories.tf +++ b/app-dev/devops-and-containers/oke/oke-gitops/modules/devops/repositories.tf @@ -47,16 +47,16 @@ resource "null_resource" "push_pipelines_repo_content" { } -resource "oci_devops_repository" "argo_repo" { - name = "oke-cluster-config" +resource "oci_devops_repository" "system_config_repo" { + name = "system-cluster-config" project_id = oci_devops_project.devops_project.id - description = "Repository containing Kubernetes cluster configurations" + description = "Repository containing Kubernetes cluster configurations, to be used by cluster admins" repository_type = "HOSTED" } data "archive_file" "cluster_config_archive" { - output_path = "oke-cluster-config.zip" - source_dir = "${path.root}/repos/oke-cluster-config" + output_path = "system-cluster-config.zip" + source_dir = "${path.root}/repos/system-cluster-config" type = "zip" } 
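Review bot: Renaming `oci_devops_repository.argo_repo` to `oci_devops_repository.system_config_repo` without a `moved` block changes the resource address, so on an existing stack Terraform plans a destroy of the current `oke-cluster-config` repository and a create of a new one, and the hosted repo and its history are lost. Add a `moved` block with `from = oci_devops_repository.argo_repo` and `to = oci_devops_repository.system_config_repo` so the rename is a state move, and check the plan to see whether the changed `name` attribute alone still forces replacement (that depends on the provider schema, not visible here). The reference updates in the next hunk (`REPO_CLONE_URL`, `repo_id`) are fine once the address move is in place.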
@@ -65,17 +65,50 @@ resource "null_resource" "push_cluster_config_repo_content" { provisioner "local-exec" { command = "chmod +x ./script/push_repo.sh && ./script/push_repo.sh" environment = { - REPO_CLONE_URL = oci_devops_repository.argo_repo.http_url + REPO_CLONE_URL = oci_devops_repository.system_config_repo.http_url GIT_USERNAME = var.git_username GIT_PASSWORD = var.git_password REGION = var.region - SOURCE_REPO = "/repos/oke-cluster-config" + SOURCE_REPO = "/repos/system-cluster-config" } working_dir = path.root } triggers = { src_hash = data.archive_file.cluster_config_archive.output_sha - repo_id = oci_devops_repository.argo_repo.id + repo_id = oci_devops_repository.system_config_repo.id + } + depends_on = [local_file.export_variables] +} + +resource "oci_devops_repository" "apps_config_repo" { + name = "apps-cluster-config" + project_id = oci_devops_project.devops_project.id + description = "Repository containing Kubernetes application configurations, to be used by developers" + repository_type = "HOSTED" +} + +data "archive_file" "apps_config_archive" { + output_path = "apps-cluster-config.zip" + source_dir = "${path.root}/repos/apps-cluster-config" + type = "zip" +} + +resource "null_resource" "push_apps_config_repo_content" { + + provisioner "local-exec" { + command = "chmod +x ./script/push_repo.sh && ./script/push_repo.sh" + environment = { + REPO_CLONE_URL = oci_devops_repository.apps_config_repo.http_url + GIT_USERNAME = var.git_username + GIT_PASSWORD = var.git_password + REGION = var.region + SOURCE_REPO = "/repos/apps-cluster-config" + } + working_dir = path.root + } + triggers = { + src_hash = data.archive_file.apps_config_archive.output_sha + repo_id = oci_devops_repository.apps_config_repo.id } depends_on = [local_file.export_variables] } diff --git a/app-dev/devops-and-containers/oke/oke-gitops/provider.tf b/app-dev/devops-and-containers/oke/oke-gitops/provider.tf index d9bcb5d30..6170fb656 100644 
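Review bot: `apps_config_repo`, `apps_config_archive` and `push_apps_config_repo_content` repeat the system-config repository/archive/push trio line for line with only the repo name changed; a `for_each` over a map such as `{ system = "system-cluster-config", apps = "apps-cluster-config" }` on the three blocks would keep the two pushes from drifting apart, with a `moved` block carrying the existing state. The new provisioner also passes `GIT_PASSWORD = var.git_password` into the environment of `push_repo.sh`, the same pattern as before; since this repository is described as developer-facing it is worth confirming that `var.git_password` is declared `sensitive = true` so Terraform redacts it wherever it prints values, and that the script does not log a clone URL with the credential embedded. The variable declarations and `script/push_repo.sh` are outside this diff.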
--- a/app-dev/devops-and-containers/oke/oke-gitops/provider.tf
+++ b/app-dev/devops-and-containers/oke/oke-gitops/provider.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 oci = {
 source = "oracle/oci"
- version = "7.4.0"
+ version = "7.18.0"
 }
 null = {
 source = "hashicorp/null"
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/charts/example-app/Chart.yaml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/charts/example-app/Chart.yaml
new file mode 100644
index 000000000..664517939
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/charts/example-app/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: appsets
+description: An example of a Helm application
+
+type: application
+
+version: 1.0.0
+
+appVersion: "1.0.0"
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/cert-manager/_config_/.gitkeep b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/charts/example-app/templates/.gitkeep
similarity index 100%
rename from app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/cert-manager/_config_/.gitkeep
rename to app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/charts/example-app/templates/.gitkeep
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/kube-system/_config_/.gitkeep b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/env-type/values-no-prod.yml
similarity index 100%
rename from app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/kube-system/_config_/.gitkeep
rename to app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/env-type/values-no-prod.yml
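Review bot: The new chart under `apps/helm/charts/example-app/` is named `appsets` in its `Chart.yaml`, which looks copied from the appsets chart. The Helm example ApplicationSet derives the release name and values paths from the directory name (`index .path.segments 3`), so chart name and directory now disagree, and `helm lint` will report the mismatch. Change it to `name: example-app`.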
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/envs/values-prod.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/envs/values-prod.yml
new file mode 100644
index 000000000..e69de29bb
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/envs/values-qa.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/envs/values-qa.yml
new file mode 100644
index 000000000..e69de29bb
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/regions/values-uk.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/regions/values-uk.yml
new file mode 100644
index 000000000..e69de29bb
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/values-common.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/values-common.yml
new file mode 100644
index 000000000..e69de29bb
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/variants/.gitkeep b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/variants/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/version/values-prod.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/version/values-prod.yml
new file mode 100644
index 000000000..e69de29bb
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/version/values-qa.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/helm/values/example-app/version/values-qa.yml
new file mode 100644
index 000000000..e69de29bb
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/base/kustomization.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/base/kustomization.yml
new file mode 100644
index 000000000..b1745d738
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/base/kustomization.yml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources: []
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/env-type/no-prod/kustomization.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/env-type/no-prod/kustomization.yml
new file mode 100644
index 000000000..681848f0c
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/env-type/no-prod/kustomization.yml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/envs/prod/kustomization.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/envs/prod/kustomization.yml
new file mode 100644
index 000000000..681848f0c
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/envs/prod/kustomization.yml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/envs/qa/kustomization.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/envs/qa/kustomization.yml
new file mode 100644
index 000000000..681848f0c
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/kustomize/example-app/envs/qa/kustomization.yml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/Chart.yaml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/Chart.yaml
similarity index 100%
rename from app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/Chart.yaml
rename to app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/Chart.yaml
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/examples/helm-apps-qa.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/examples/helm-apps-qa.yml
new file mode 100644
index 000000000..014a4e773
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/examples/helm-apps-qa.yml
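Review bot: The kustomize `envs/qa` overlay references `../../base` directly, so the `env-type/no-prod` overlay created in the same commit is never part of the qa chain, whereas the Helm example for the same app layers `env-type/values-no-prod.yml` before the qa values. If the two layouts are meant to mirror each other, `envs/qa/kustomization.yml` should list `- ../../env-type/no-prod` instead of `- ../../base`; otherwise a comment in the no-prod overlay saying where it is consumed would avoid the question.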
@@ -0,0 +1,63 @@ +# Deploy all helm application on all qa clusters. + +apiVersion: argoproj.io/v1alpha1 +kind: ApplicationSet +metadata: + name: helm-apps-qa + namespace: argocd +spec: + goTemplate: true + goTemplateOptions: [ "missingkey=error" ] + generators: + - matrix: + generators: + - git: + repoURL: {{ .Values.repo }} + revision: HEAD + directories: + - path: apps/helm/charts/* + - clusters: + selector: + matchLabels: + type: "workload" + matchExpressions: + - key: "qa" + operator: In + values: + - "true" + + syncPolicy: + preserveResourcesOnDeletion: false # If true, application will be kept even if removed from ArgoCD + template: + metadata: + name: '{{ "{{" }}index .path.segments 3{{ "}}" }}-{{ "{{" }}.nameNormalized{{ "}}" }}-qa' + spec: + project: team-project # Project dedicated to this development team + sources: + - repoURL: {{ .Values.repo }} + path: '{{ "{{" }}.path.path{{ "}}" }}' + targetRevision: HEAD # Git HEAD will represent the latest state of the applications + helm: + releaseName: '{{ "{{" }}index .path.segments 3{{ "}}" }}-qa' + valueFiles: + - $values/apps/helm/values/{{ "{{" }}index .path.segments 3{{ "}}" }}/values-common.yml + - $values/apps/helm/values/{{ "{{" }}index .path.segments 3{{ "}}" }}/env-type/values-no-prod.yml + # If you have some image tag version that differ between environments + - $values/apps/helm/values/{{ "{{" }}index .path.segments 3{{ "}}" }}/version/values-qa.yml + # Environment specific configurations + - $values/apps/helm/values/{{ "{{" }}index .path.segments 3{{ "}}" }}/envs/values-qa.yml + + + - repoURL: {{ .Values.repo }} + targetRevision: HEAD + ref: values + destination: + server: '{{ "{{" }}.server{{ "}}" }}' + namespace: 'namespace-qa' # This is just the default qa namespace. 
If an application needs to be deployed on another namespace, it must be set in the helm values + syncPolicy: + syncOptions: + - CreateNamespace=false # qa namespace should already have been created + - ServerSideApply=true + automated: + prune: true + selfHeal: true \ No newline at end of file diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/examples/kustomize-apps-qa.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/examples/kustomize-apps-qa.yml new file mode 100644 index 000000000..73bc88672 --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/examples/kustomize-apps-qa.yml 
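Review bot: The comment on `namespace: 'namespace-qa'` says an application may pick another namespace from its Helm values, but that works only if `team-project` lists those namespaces in `spec.destinations`; with the default destination check Argo CD rejects resources outside the allowed namespaces, and conversely a project allowing `namespace: '*'` would let anyone with push access to this developer repo target any namespace on every `type: "workload"` cluster. The AppProject is not part of this commit, so it is worth extending the comment to `# Other namespaces must also be allowed in the team-project AppProject destinations` and keeping that project's `clusterResourceWhitelist` empty. Also, `$values/.../env-type/values-no-prod.yml` is the renamed `.gitkeep`, an empty file, which Helm accepts but which a reader may mistake for a missing layer.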
@@ -0,0 +1,50 @@
+# Deploy all helm application on all qa clusters.
+
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: helm-apps-qa
+ namespace: argocd
+spec:
+ goTemplate: true
+ goTemplateOptions: [ "missingkey=error" ]
+ generators:
+ - matrix:
+ generators:
+ - git:
+ repoURL: {{ .Values.repo }}
+ revision: HEAD
+ directories:
+ - path: apps/kustomize/*/envs/qa
+ - clusters:
+ selector:
+ matchLabels:
+ type: "workload"
+ matchExpressions:
+ - key: "qa"
+ operator: In
+ values:
+ - "true"
+
+ syncPolicy:
+ preserveResourcesOnDeletion: false # If true, application will be kept even if removed from ArgoCD
+ template:
+ metadata:
+ name: '{{ "{{" }}index .path.segments 2{{ "}}" }}-{{ "{{" }}.nameNormalized{{ "}}" }}-qa'
+ spec:
+ project: team-project # Project dedicated to this development team
+ sources:
+ - repoURL: {{ .Values.repo }}
+ path: '{{ "{{" }}.path.path{{ "}}" }}'
+ targetRevision: HEAD # Git HEAD will represent the latest state of the applications
+
+ destination:
+ server: '{{ "{{" }}.server{{ "}}" }}'
+ namespace: 'namespace-qa' # This is just the default qa namespace. If an application needs to be deployed on another namespace, it must be set in the helm values
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=false # qa namespace should already have been created
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/templates/.gitkeep b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/templates/.gitkeep
new file mode 100644
index 000000000..e69de29bb
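Review bot: `kustomize-apps-qa.yml` keeps `metadata.name: helm-apps-qa` and the header `# Deploy all helm application on all qa clusters.` from the Helm example, so applying both examples yields one ApplicationSet object with the second apply overwriting the first. Change it to `name: kustomize-apps-qa` and reword the comment to mention kustomize. The generated Application names collide too: both templates produce `<app>-<cluster>-qa`, and `example-app` exists under both `apps/helm/charts/` and `apps/kustomize/` in this commit, so the two sets need distinct name patterns (for example a `-helm`/`-kustomize` suffix) before they can run against the same cluster. The `# If an application needs to be deployed on another namespace, it must be set in the helm values` comment is also inherited and does not apply to a kustomize overlay.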
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/values.yaml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/values.yaml
similarity index 75%
rename from app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/values.yaml
rename to app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/values.yaml
index 74c21a777..90ef2bd0e 100644
--- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/values.yaml
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/values.yaml
@@ -1,3 +1,2 @@
 # Git repository where the cluster configurations are located, with .git postfix
-repo: ""
-project: "default"
\ No newline at end of file
+repo: ""
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/in-cluster.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/in-cluster.yml
similarity index 51%
rename from app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/in-cluster.yml
rename to app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/in-cluster.yml
index 238c3df86..b593082d9 100644
--- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/in-cluster.yml
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/in-cluster.yml
@@ -3,7 +3,10 @@ kind: Secret
 metadata:
 labels:
 argocd.argoproj.io/secret-type: cluster
- cluster: in-cluster
+ type: "hub" # hub cluster is where ArgoCD is deployed, all other cluster will be "workload"
+ #region: "uk"
+ provider: "oci"
+ # prod: "true" # By "environment" we mean NOT an application environment, rather a common set of clusters where applications are deployed
 name: in-cluster
 namespace: argocd
 stringData:
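Review bot: This cluster Secret (`in-cluster` in namespace `argocd`) is, judging by the diffstat, also created by the new `system-cluster-config/in-cluster.yml`; with two repos defining what is presumably the same object, the labels of whichever copy is applied last win and the other drifts silently. Since the commit's own split makes cluster registration an admin concern, the apps repo should probably drop `in-cluster.yml` or mark it clearly as a copy of the system one. Note also that the example ApplicationSets in this repo select `type: "workload"`, so with only this `type: "hub"` registration nothing from the apps repo is scheduled; a comment such as `# Workload clusters are registered from system-cluster-config; this hub secret does not match the apps ApplicationSets` would save the first reader a debugging session. The `stringData` block continues beyond the hunk.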
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/root.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/root.yml similarity index 85% rename from app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/root.yml rename to app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/root.yml index fd092632e..a043824e5 100644 --- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/root.yml +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/root.yml @@ -3,18 +3,16 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: all-apps-in-cluster + name: apps-cluster-config namespace: argocd spec: project: default source: repoURL: ${REPO} targetRevision: HEAD - path: appsets + path: appset helm: parameters: - - name: project - value: default - name: repo value: ${REPO} destination: diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/README.md b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/README.md deleted file mode 100644 index 40fd97e2e..000000000 --- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/README.md +++ /dev/null 
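Review bot: `path: appset` does not match the chart directory, which the diffstat and the renamed `appsets/Chart.yaml` and `appsets/values.yaml` show is still `appsets`, so this root Application cannot resolve its source and will never sync; the line should stay `path: appsets`. Separately, the root Application remains in `project: default` while the repository it renders is now described as developer-maintained: whatever is pushed under `appsets/templates/` is applied through the unrestricted default project, which makes the `team-project` restriction in the examples easy to bypass for anyone with write access to the repo. A dedicated AppProject for this root app, limited to the `argocd` namespace and `ApplicationSet` resources, or admin ownership of the appsets chart, would close that gap. The `destination` block continues beyond the hunk.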
@@ -1,114 +0,0 @@ -# First access to ArgoCD - -ArgoCD has been installed in the argocd namespace of the cluster. -For the first access, you can get the admin password directly from the secret by running this command: - -`kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d` - -Then, you can initially access the argocd interface by performing a port-forwarding: - -`kubectl port-forward svc/argo-cd-argocd-server -n argocd 8080:443` - -After running the command, you should be able to access ArgoCD UI from `localhost:8080`, enter with username **admin** and the admin password. - -NOTE: If you have deployed the Helm Chart on a private OKE cluster, you will need to perform some networking setup to be able to connect through kubectl. - -# Connecting to the OCI Code Repository - -Under `Settings --> Repositories` click on **CONNECT REPO** and select to connect to a repository **VIA HTTPS**. -Fill the form with the following values: -1. `Repository type`: "git" -2. `Repository URL`: -3. `Username`: \ -4. `Password`: \ - -The repository we want to connect to is the oke-cluster-config repository in OCI DevOps, already created by the Resource Manager Stack. -It's better to go into the OCI DevOps, find the repository, and find the right HTTPS clone URL. - -NOTE: The username to connect to the OCI DevOps Code Repository should be `//` - -# Clone the OCI Code Repository locally - -It is always better to clone the Git repository locally and have an appropriate IDE where we can work. A lot of YAMLs are involved when managing a cluster, -so it's important to correctly indent the code. -Once you have cloned the **oke-cluster-config**, it's time to perform the following actions: -1. Deploy the cluster secret by running `kubectl apply -f in-cluster.yml` -2. Substitute ${REPO} with the repository https URL from OCI DevOps -3. Push the code to the remote Git repository (optional) -4. Run `kubectl apply -f root.yml` -5. 
You will lose the port-forwarding session if still active, but don't worry, it's something expected -6. Access to the ArgoCD UI, and be sure that `all-apps` application is synchronized - -After having performed these steps, you will have an installation of ArgoCD configured with the apps-of-apps pattern. - -# How to use this template - -The concept is simple, there are some naming conventions that need to be known so that everything is kept in order. - -## Apps folder -The apps folder will contain the applications to deploy in the cluster. When we talk about applications, we mean here **infrastructure** applications. -Infrastructure applications are usually not developed by the company IT team, and it is a best practice to separate infra application from custom business applications. -As such, infra applications are usually pre-packaged applications deployed as Helm charts. Think of an application to collect logs and send them to a backend, or a Helm chart -installing a Kafka cluster on OKE. -The same ArgoCD application is actually an infra application! -As cluster administrators, you are tasked to install and maintain these kind of applications in the cluster, so that developers can make use of them. -Apart from installing infra applications, a Kubernetes administrator should also configure the cluster and the single namespace so that everything is secured. - -To keep everything in order, it is better to use some naming conventions: - -``` -- apps - - - - _config_ - - - * .yml - - - - _config_ - - -``` - -The content of the application folder depends on the way the application is deployed. If there is a Helm chart available, I will only need the `values.yml` file to deploy the Helm chart. -Here is an example: -``` -- argocd - * argocd.yml - * values.yml -``` - -When dealing with Helm, it's always better to keep at hand all the possible values configurable for the Helm chart. 
The **"all-values file"** will not be considered by ArgoCD, as we will -only specify the `values.yml` file. -You can get all the default values of a chart by running this command: -`helm show values / > all-values.yml` - -Depending on your needs, you can opt to deploy applications directly using a Kubernetes manifest or Kustomize. - -## AppSets folder - -The `appsets` folder is structured as a Helm chart for convenience. It contains all the code necessary to instruct ArgoCD on what applications to deploy, in which cluster and namespace. All YAMLs are in the `templates` folder. -Folders are organized by namespace, so the structure needs to be something like this: -``` -- templates - - - * application.yml - * -config.yml - * cluster-config.yml -``` - -**cluster-config** will point to the apps//\_config_ folder so that all the cluster-wide configurations are deployed. --config.yml will point to apps//namespace/\_config_ so that all namespace-wide configurations are deployed. -**application.yml** will point to apps//namespace/application/values.yml to read the values and deploy the Helm chart. You can have a look at the argocd application to understand it. - -# FAQ - -* I need to setup some roles cluster wide, so some ClusterRole, where should I put my manifests? - * In apps/in-cluster/\_config_/clusterRole/.yml - -* I need to configure some ResourceQuota in the namespace `example`, where should I put the created manifest? - * In apps/in-cluster/example/\_config_/.yml - -* I need to deploy a Helm application in a namespace called `example`, what should I do? - * Create a value file in apps/in-cluster/example//values.yml - * If you have troubles filling up the right values, create a yaml with all the default values with `helm show values` - * Create a new AppSet in appsets/templates/example/.yml - * Be sure that the AppSet points to the right value file created in the previous steps - 
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/_config_/clusterRole/cluster-reader.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/_config_/clusterRole/cluster-reader.yml deleted file mode 100644 index 054124457..000000000 --- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/_config_/clusterRole/cluster-reader.yml +++ /dev/null @@ -1,9 +0,0 @@ -# Compared to the default view clusterrole, this one is more generic and will allow to also view secrets -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cluster-reader -rules: - - apiGroups: [""] - resources: [""] - verbs: ["get", "watch", "list"] diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/_config_/clusterRoleBinding/cluster-reader-binding.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/_config_/clusterRoleBinding/cluster-reader-binding.yml deleted file mode 100644 index e60ab835f..000000000 --- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/_config_/clusterRoleBinding/cluster-reader-binding.yml +++ /dev/null @@ -1,15 +0,0 @@ -# ClusterRoles should be bound to the OCID of a IAM Group in OCI, see: https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengaboutaccesscontrol.htm -# NOTE: Be sure that users do not have the "manage cluster" policy, as that policy will grant the users the "super-admin" role - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cluster-reader-binding -subjects: - - kind: Group - name: ocid... - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: ClusterRole - name: cluster-reader - apiGroup: rbac.authorization.k8s.io 
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/cert-manager/cert-manager/cert-manager.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/cert-manager/cert-manager/cert-manager.yml deleted file mode 100644 index a7f7c667f..000000000 --- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/cert-manager/cert-manager/cert-manager.yml +++ /dev/null 
@@ -1,1466 +0,0 @@ -# +docs:section=Global - -# Default values for cert-manager. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: - # Reference to one or more secrets to be used when pulling images. - # For more information, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). - # - # For example: - # imagePullSecrets: - # - name: "image-pull-secret" - imagePullSecrets: [] - - # Labels to apply to all resources. - # Please note that this does not add labels to the resources created dynamically by the controllers. - # For these resources, you have to add the labels in the template in the cert-manager custom resource: - # For example, podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress - # For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress). - # For example, secretTemplate in CertificateSpec - # For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec). - commonLabels: {} - - # The number of old ReplicaSets to retain to allow rollback (if not set, the default Kubernetes value is set to 10). - # +docs:property - # revisionHistoryLimit: 1 - - # The optional priority class to be used for the cert-manager pods. - priorityClassName: "" - - rbac: - # Create required ClusterRoles and ClusterRoleBindings for cert-manager. - create: true - # Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) - aggregateClusterRoles: true - - podSecurityPolicy: - # Create PodSecurityPolicy for cert-manager. - # - # Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25. 
- enabled: false - # Configure the PodSecurityPolicy to use AppArmor. - useAppArmor: true - - # Set the verbosity of cert-manager. A range of 0 - 6, with 6 being the most verbose. - logLevel: 2 - - leaderElection: - # Override the namespace used for the leader election lease. - namespace: "kube-system" - - # The duration that non-leader candidates will wait after observing a - # leadership renewal until attempting to acquire leadership of a led but - # unrenewed leader slot. This is effectively the maximum duration that a - # leader can be stopped before it is replaced by another candidate. - # +docs:property - # leaseDuration: 60s - - # The interval between attempts by the acting master to renew a leadership - # slot before it stops leading. This must be less than or equal to the - # lease duration. - # +docs:property - # renewDeadline: 40s - - # The duration the clients should wait between attempting acquisition and - # renewal of a leadership. - # +docs:property - # retryPeriod: 15s - -# This option is equivalent to setting crds.enabled=true and crds.keep=true. -# Deprecated: use crds.enabled and crds.keep instead. -installCRDs: false - -crds: - # This option decides if the CRDs should be installed - # as part of the Helm installation. - enabled: false - - # This option makes it so that the "helm.sh/resource-policy": keep - # annotation is added to the CRD. This will prevent Helm from uninstalling - # the CRD when the Helm release is uninstalled. - # WARNING: when the CRDs are removed, all cert-manager custom resources - # (Certificates, Issuers, ...) will be removed too by the garbage collector. - keep: true - -# +docs:section=Controller - -# The number of replicas of the cert-manager controller to run. -# -# The default is 1, but in production set this to 2 or 3 to provide high -# availability. -# -# If `replicas > 1`, consider setting `podDisruptionBudget.enabled=true`. 
-# -# Note that cert-manager uses leader election to ensure that there can -# only be a single instance active at a time. -replicaCount: 1 - -# Deployment update strategy for the cert-manager controller deployment. -# For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy). -# -# For example: -# strategy: -# type: RollingUpdate -# rollingUpdate: -# maxSurge: 0 -# maxUnavailable: 1 -strategy: {} - -podDisruptionBudget: - # Enable or disable the PodDisruptionBudget resource. - # - # This prevents downtime during voluntary disruptions such as during a Node upgrade. - # For example, the PodDisruptionBudget will block `kubectl drain` - # if it is used on the Node where the only remaining cert-manager - # Pod is currently running. - enabled: false - - # This configures the minimum available pods for disruptions. It can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). - # It cannot be used if `maxUnavailable` is set. - # +docs:property - # +docs:type=unknown - # minAvailable: 1 - - # This configures the maximum unavailable pods for disruptions. It can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). - # it cannot be used if `minAvailable` is set. - # +docs:property - # +docs:type=unknown - # maxUnavailable: 1 - -# A comma-separated list of feature gates that should be enabled on the -# controller pod. -featureGates: "" - -# The maximum number of challenges that can be scheduled as 'processing' at once. -maxConcurrentChallenges: 60 - -image: - # The container registry to pull the manager image from. - # +docs:property - # registry: quay.io - - # The container image for the cert-manager controller. - # +docs:property - repository: quay.io/jetstack/cert-manager-controller - - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion is used. 
- # +docs:property - # tag: vX.Y.Z - - # Setting a digest will override any tag. - # +docs:property - # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 - - # Kubernetes imagePullPolicy on Deployment. - pullPolicy: IfNotPresent - -# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer -# resources. By default, the same namespace as cert-manager is deployed within is -# used. This namespace will not be automatically created by the Helm chart. -clusterResourceNamespace: "" - -# This namespace allows you to define where the services are installed into. -# If not set then they use the namespace of the release. -# This is helpful when installing cert manager as a chart dependency (sub chart). -namespace: "" - -# Override the "cert-manager.fullname" value. This value is used as part of -# most of the names of the resources created by this Helm chart. -# +docs:property -# fullnameOverride: "my-cert-manager" - -# Override the "cert-manager.name" value, which is used to annotate some of -# the resources that are created by this Chart (using "app.kubernetes.io/name"). -# NOTE: There are some inconsistencies in the Helm chart when it comes to -# these annotations (some resources use eg. "cainjector.name" which resolves -# to the value "cainjector"). -# +docs:property -# nameOverride: "my-cert-manager" - -serviceAccount: - # Specifies whether a service account should be created. - create: true - - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template. - # +docs:property - # name: "" - - # Optional additional annotations to add to the controller's Service Account. Templates are allowed for both keys and values. - # Example using templating: - # annotations: - # "{{ .Chart.Name }}-helm-chart/version": "{{ .Chart.Version }}" - # +docs:property - # annotations: {} - - # Optional additional labels to add to the controller's Service Account. 
- # +docs:property - # labels: {} - - # Automount API credentials for a Service Account. - automountServiceAccountToken: true - -# Automounting API credentials for a particular pod. -# +docs:property -# automountServiceAccountToken: true - -# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted. -enableCertificateOwnerRef: false - -# This property is used to configure options for the controller pod. -# This allows setting options that would usually be provided using flags. -# -# If `apiVersion` and `kind` are unspecified they default to the current latest -# version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin -# the version by specifying the `apiVersion` yourself. -# -# For example: -# config: -# apiVersion: controller.config.cert-manager.io/v1alpha1 -# kind: ControllerConfiguration -# logging: -# verbosity: 2 -# format: text -# leaderElectionConfig: -# namespace: kube-system -# kubernetesAPIQPS: 9000 -# kubernetesAPIBurst: 9000 -# numberOfConcurrentWorkers: 200 -# enableGatewayAPI: true -# # Feature gates as of v1.17.0. Listed with their default values. 
-# # See https://cert-manager.io/docs/cli/controller/ -# featureGates: -# AdditionalCertificateOutputFormats: true # BETA - default=true -# AllAlpha: false # ALPHA - default=false -# AllBeta: false # BETA - default=false -# ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false -# ExperimentalGatewayAPISupport: true # BETA - default=true -# LiteralCertificateSubject: true # BETA - default=true -# NameConstraints: true # BETA - default=true -# OtherNames: false # ALPHA - default=false -# SecretsFilteredCaching: true # BETA - default=true -# ServerSideApply: false # ALPHA - default=false -# StableCertificateRequestName: true # BETA - default=true -# UseCertificateRequestBasicConstraints: false # ALPHA - default=false -# UseDomainQualifiedFinalizer: true # BETA - default=false -# ValidateCAA: false # ALPHA - default=false -# # Configure the metrics server for TLS -# # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls -# metricsTLSConfig: -# dynamic: -# secretNamespace: "cert-manager" -# secretName: "cert-manager-metrics-ca" -# dnsNames: -# - cert-manager-metrics -config: {} - -# Setting Nameservers for DNS01 Self Check. -# For more information, see the [cert-manager documentation](https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check). - -# A comma-separated string with the host and port of the recursive nameservers cert-manager should query. -dns01RecursiveNameservers: "" - -# Forces cert-manager to use only the recursive nameservers for verification. -# Enabling this option could cause the DNS01 self check to take longer owing to caching performed by the recursive nameservers. -dns01RecursiveNameserversOnly: false - -# Option to disable cert-manager's build-in auto-approver. The auto-approver -# approves all CertificateRequests that reference issuers matching the 'approveSignerNames' -# option. 
This 'disableAutoApproval' option is useful when you want to make all approval decisions -# using a different approver (like approver-policy - https://github.com/cert-manager/approver-policy). -disableAutoApproval: false - -# List of signer names that cert-manager will approve by default. CertificateRequests -# referencing these signer names will be auto-approved by cert-manager. Defaults to just -# approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty -# array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, -# because eg. you are using approver-policy, you can enable 'disableAutoApproval'. -# ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval -# +docs:property -approveSignerNames: -- issuers.cert-manager.io/* -- clusterissuers.cert-manager.io/* - -# Additional command line flags to pass to cert-manager controller binary. -# To see all available flags run `docker run quay.io/jetstack/cert-manager-controller: --help`. -# -# Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificateRequests approver. -# -# For example: -# extraArgs: -# - --controllers=*,-certificaterequests-approver -extraArgs: [] - -# Additional environment variables to pass to cert-manager controller binary. -# For example: -# extraEnv: -# - name: SOME_VAR -# value: 'some value' -extraEnv: [] - -# Resources to provide to the cert-manager controller pod. -# -# For example: -# requests: -# cpu: 10m -# memory: 32Mi -# -# For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). -resources: {} - -# Pod Security Context. -# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). 
-# +docs:property -securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - -# Container Security Context to be set on the controller component container. -# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). -# +docs:property -containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - -# Additional volumes to add to the cert-manager controller pod. -volumes: [] - -# Additional volume mounts to add to the cert-manager controller container. -volumeMounts: [] - -# Optional additional annotations to add to the controller Deployment. -# +docs:property -# deploymentAnnotations: {} - -# Optional additional annotations to add to the controller Pods. -# +docs:property -# podAnnotations: {} - -# Optional additional labels to add to the controller Pods. -podLabels: {} - -# Optional annotations to add to the controller Service. -# +docs:property -# serviceAnnotations: {} - -# Optional additional labels to add to the controller Service. -# +docs:property -# serviceLabels: {} - -# Optionally set the IP family policy for the controller Service to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services). -# +docs:property -# serviceIPFamilyPolicy: "" - -# Optionally set the IP families for the controller Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6. -# +docs:property -# serviceIPFamilies: [] - -# Optional DNS settings. These are useful if you have a public and private DNS zone for -# the same domain on Route 53. The following is an example of ensuring -# cert-manager can access an ingress or DNS TXT records at all times. -# Note that this requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for -# the cluster to work. 
- -# Pod DNS policy. -# For more information, see [Pod's DNS Policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). -# +docs:property -# podDnsPolicy: "None" - -# Pod DNS configuration. The podDnsConfig field is optional and can work with any podDnsPolicy -# settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. -# For more information, see [Pod's DNS Config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config). -# +docs:property -# podDnsConfig: -# nameservers: -# - "1.1.1.1" -# - "8.8.8.8" - -# Optional hostAliases for cert-manager-controller pods. May be useful when performing ACME DNS-01 self checks. -hostAliases: [] -# - ip: 127.0.0.1 -# hostnames: -# - foo.local -# - bar.local -# - ip: 10.1.2.3 -# hostnames: -# - foo.remote -# - bar.remote - -# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with -# matching labels. -# For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). -# -# This default ensures that Pods are only scheduled to Linux nodes. -# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. -# +docs:property -nodeSelector: - kubernetes.io/os: linux - -# +docs:ignore -ingressShim: {} - - # Optional default issuer to use for ingress resources. - # +docs:property=ingressShim.defaultIssuerName - # defaultIssuerName: "" - - # Optional default issuer kind to use for ingress resources. - # +docs:property=ingressShim.defaultIssuerKind - # defaultIssuerKind: "" - - # Optional default issuer group to use for ingress resources. - # +docs:property=ingressShim.defaultIssuerGroup - # defaultIssuerGroup: "" - -# Use these variables to configure the HTTP_PROXY environment variables. - -# Configures the HTTP_PROXY environment variable where a HTTP proxy is required. 
-# +docs:property -# http_proxy: "http://proxy:8080" - -# Configures the HTTPS_PROXY environment variable where a HTTP proxy is required. -# +docs:property -# https_proxy: "https://proxy:8080" - -# Configures the NO_PROXY environment variable where a HTTP proxy is required, -# but certain domains should be excluded. -# +docs:property -# no_proxy: 127.0.0.1,localhost - - -# A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core). -# -# For example: -# affinity: -# nodeAffinity: -# requiredDuringSchedulingIgnoredDuringExecution: -# nodeSelectorTerms: -# - matchExpressions: -# - key: foo.bar.com/role -# operator: In -# values: -# - master -affinity: {} - -# A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core). -# -# For example: -# tolerations: -# - key: foo.bar.com/role -# operator: Equal -# value: master -# effect: NoSchedule -tolerations: [] - -# A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core -# -# For example: -# topologySpreadConstraints: -# - maxSkew: 2 -# topologyKey: topology.kubernetes.io/zone -# whenUnsatisfiable: ScheduleAnyway -# labelSelector: -# matchLabels: -# app.kubernetes.io/instance: cert-manager -# app.kubernetes.io/component: controller -topologySpreadConstraints: [] - -# LivenessProbe settings for the controller container of the controller Pod. -# -# This is enabled by default, in order to enable the clock-skew liveness probe that -# restarts the controller in case of a skew between the system clock and the monotonic clock. -# LivenessProbe durations and thresholds are based on those used for the Kubernetes -# controller-manager. 
For more information see the following on the -# [Kubernetes GitHub repository](https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245) -# +docs:property -livenessProbe: - enabled: true - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 15 - successThreshold: 1 - failureThreshold: 8 - -# enableServiceLinks indicates whether information about services should be -# injected into the pod's environment variables, matching the syntax of Docker -# links. -enableServiceLinks: false - -# +docs:section=Prometheus - -prometheus: - # Enable Prometheus monitoring for the cert-manager controller and webhook. - # If you use the Prometheus Operator, set prometheus.podmonitor.enabled or - # prometheus.servicemonitor.enabled, to create a PodMonitor or a - # ServiceMonitor resource. - # Otherwise, 'prometheus.io' annotations are added to the cert-manager and - # cert-manager-webhook Deployments. - # Note that you can not enable both PodMonitor and ServiceMonitor as they are - # mutually exclusive. Enabling both will result in an error. - enabled: true - - servicemonitor: - # Create a ServiceMonitor to add cert-manager to Prometheus. - enabled: false - - # The namespace that the service monitor should live in, defaults - # to the cert-manager namespace. - # +docs:property - # namespace: cert-manager - - # Specifies the `prometheus` label on the created ServiceMonitor. This is - # used when different Prometheus instances have label selectors matching - # different ServiceMonitors. - prometheusInstance: default - - # The target port to set on the ServiceMonitor. This must match the port that the - # cert-manager controller is listening on for metrics. - targetPort: 9402 - - # The path to scrape for metrics. - path: /metrics - - # The interval to scrape metrics. - interval: 60s - - # The timeout before a metrics scrape fails. 
- scrapeTimeout: 30s - - # Additional labels to add to the ServiceMonitor. - labels: {} - - # Additional annotations to add to the ServiceMonitor. - annotations: {} - - # Keep labels from scraped data, overriding server-side labels. - honorLabels: false - - # EndpointAdditionalProperties allows setting additional properties on the - # endpoint such as relabelings, metricRelabelings etc. - # - # For example: - # endpointAdditionalProperties: - # relabelings: - # - action: replace - # sourceLabels: - # - __meta_kubernetes_pod_node_name - # targetLabel: instance - # - # +docs:property - endpointAdditionalProperties: {} - - # Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error. - podmonitor: - # Create a PodMonitor to add cert-manager to Prometheus. - enabled: false - - # The namespace that the pod monitor should live in, defaults - # to the cert-manager namespace. - # +docs:property - # namespace: cert-manager - - # Specifies the `prometheus` label on the created PodMonitor. This is - # used when different Prometheus instances have label selectors matching - # different PodMonitors. - prometheusInstance: default - - # The path to scrape for metrics. - path: /metrics - - # The interval to scrape metrics. - interval: 60s - - # The timeout before a metrics scrape fails. - scrapeTimeout: 30s - - # Additional labels to add to the PodMonitor. - labels: {} - - # Additional annotations to add to the PodMonitor. - annotations: {} - - # Keep labels from scraped data, overriding server-side labels. - honorLabels: false - - # EndpointAdditionalProperties allows setting additional properties on the - # endpoint such as relabelings, metricRelabelings etc. 
- # - # For example: - # endpointAdditionalProperties: - # relabelings: - # - action: replace - # sourceLabels: - # - __meta_kubernetes_pod_node_name - # targetLabel: instance - # # Configure the PodMonitor for TLS connections - # # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls - # scheme: https - # tlsConfig: - # serverName: cert-manager-metrics - # ca: - # secret: - # name: cert-manager-metrics-ca - # key: "tls.crt" - # - # +docs:property - endpointAdditionalProperties: {} - -# +docs:section=Webhook - -webhook: - # Number of replicas of the cert-manager webhook to run. - # - # The default is 1, but in production set this to 2 or 3 to provide high - # availability. - # - # If `replicas > 1`, consider setting `webhook.podDisruptionBudget.enabled=true`. - replicaCount: 1 - - # The number of seconds the API server should wait for the webhook to respond before treating the call as a failure. - # The value must be between 1 and 30 seconds. For more information, see - # [Validating webhook configuration v1](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/). - # - # The default is set to the maximum value of 30 seconds as - # users sometimes report that the connection between the K8S API server and - # the cert-manager webhook server times out. - # If *this* timeout is reached, the error message will be "context deadline exceeded", - # which doesn't help the user diagnose what phase of the HTTPS connection timed out. - # For example, it could be during DNS resolution, TCP connection, TLS - # negotiation, HTTP negotiation, or slow HTTP response from the webhook - # server. - # By setting this timeout to its maximum value the underlying timeout error - # message has more chance of being returned to the end user. - timeoutSeconds: 30 - - # This is used to configure options for the webhook pod. - # This allows setting options that would usually be provided using flags. 
- # - # If `apiVersion` and `kind` are unspecified they default to the current latest - # version (currently `webhook.config.cert-manager.io/v1alpha1`). You can pin - # the version by specifying the `apiVersion` yourself. - # - # For example: - # apiVersion: webhook.config.cert-manager.io/v1alpha1 - # kind: WebhookConfiguration - # # The port that the webhook listens on for requests. - # # In GKE private clusters, by default Kubernetes apiservers are allowed to - # # talk to the cluster nodes only on 443 and 10250. Configuring - # # securePort: 10250 therefore will work out-of-the-box without needing to add firewall - # # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. - # # This should be uncommented and set as a default by the chart once - # # the apiVersion of WebhookConfiguration graduates beyond v1alpha1. - # securePort: 10250 - # # Configure the metrics server for TLS - # # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls - # metricsTLSConfig: - # dynamic: - # secretNamespace: "cert-manager" - # secretName: "cert-manager-metrics-ca" - # dnsNames: - # - cert-manager-metrics - config: {} - - # The update strategy for the cert-manager webhook deployment. - # For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) - # - # For example: - # strategy: - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 - strategy: {} - - # Pod Security Context to be set on the webhook component Pod. - # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). - # +docs:property - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - - # Container Security Context to be set on the webhook component container. 
- # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). - # +docs:property - containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - - podDisruptionBudget: - # Enable or disable the PodDisruptionBudget resource. - # - # This prevents downtime during voluntary disruptions such as during a Node upgrade. - # For example, the PodDisruptionBudget will block `kubectl drain` - # if it is used on the Node where the only remaining cert-manager - # Pod is currently running. - enabled: false - - # This property configures the minimum available pods for disruptions. Can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). - # It cannot be used if `maxUnavailable` is set. - # +docs:property - # +docs:type=unknown - # minAvailable: 1 - - # This property configures the maximum unavailable pods for disruptions. Can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). - # It cannot be used if `minAvailable` is set. - # +docs:property - # +docs:type=unknown - # maxUnavailable: 1 - - # Optional additional annotations to add to the webhook Deployment. - # +docs:property - # deploymentAnnotations: {} - - # Optional additional annotations to add to the webhook Pods. - # +docs:property - # podAnnotations: {} - - # Optional additional annotations to add to the webhook Service. - # +docs:property - # serviceAnnotations: {} - - # Optional additional annotations to add to the webhook MutatingWebhookConfiguration. - # +docs:property - # mutatingWebhookConfigurationAnnotations: {} - - # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration. - # +docs:property - # validatingWebhookConfigurationAnnotations: {} - - validatingWebhookConfiguration: - # Configure spec.namespaceSelector for validating webhooks. 
- # +docs:property - namespaceSelector: - matchExpressions: - - key: "cert-manager.io/disable-validation" - operator: "NotIn" - values: - - "true" - - mutatingWebhookConfiguration: - # Configure spec.namespaceSelector for mutating webhooks. - # +docs:property - namespaceSelector: {} - # matchLabels: - # key: value - # matchExpressions: - # - key: kubernetes.io/metadata.name - # operator: NotIn - # values: - # - kube-system - - - # Additional command line flags to pass to cert-manager webhook binary. - # To see all available flags run `docker run quay.io/jetstack/cert-manager-webhook: --help`. - extraArgs: [] - # Path to a file containing a WebhookConfiguration object used to configure the webhook. - # - --config= - - # Additional environment variables to pass to cert-manager webhook binary. - # For example: - # extraEnv: - # - name: SOME_VAR - # value: 'some value' - extraEnv: [] - - # Comma separated list of feature gates that should be enabled on the - # webhook pod. - featureGates: "" - - # Resources to provide to the cert-manager webhook pod. - # - # For example: - # requests: - # cpu: 10m - # memory: 32Mi - # - # For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - resources: {} - - # Liveness probe values. - # For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). - # - # +docs:property - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 60 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - - # Readiness probe values. - # For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). 
- # - # +docs:property - readinessProbe: - failureThreshold: 3 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - - # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with - # matching labels. - # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). - # - # This default ensures that Pods are only scheduled to Linux nodes. - # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - # +docs:property - nodeSelector: - kubernetes.io/os: linux - - # A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core). - # - # For example: - # affinity: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: foo.bar.com/role - # operator: In - # values: - # - master - affinity: {} - - # A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core). - # - # For example: - # tolerations: - # - key: foo.bar.com/role - # operator: Equal - # value: master - # effect: NoSchedule - tolerations: [] - - # A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core). - # - # For example: - # topologySpreadConstraints: - # - maxSkew: 2 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: ScheduleAnyway - # labelSelector: - # matchLabels: - # app.kubernetes.io/instance: cert-manager - # app.kubernetes.io/component: controller - topologySpreadConstraints: [] - - # Optional additional labels to add to the Webhook Pods. 
- podLabels: {} - - # Optional additional labels to add to the Webhook Service. - serviceLabels: {} - - # Optionally set the IP family policy for the controller Service to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services). - serviceIPFamilyPolicy: "" - - # Optionally set the IP families for the controller Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6. - serviceIPFamilies: [] - - image: - # The container registry to pull the webhook image from. - # +docs:property - # registry: quay.io - - # The container image for the cert-manager webhook - # +docs:property - repository: quay.io/jetstack/cert-manager-webhook - - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion will be used. - # +docs:property - # tag: vX.Y.Z - - # Setting a digest will override any tag - # +docs:property - # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 - - # Kubernetes imagePullPolicy on Deployment. - pullPolicy: IfNotPresent - - serviceAccount: - # Specifies whether a service account should be created. - create: true - - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template. - # +docs:property - # name: "" - - # Optional additional annotations to add to the webhook's Service Account. - # +docs:property - # annotations: {} - - # Optional additional labels to add to the webhook's Service Account. - # +docs:property - # labels: {} - - # Automount API credentials for a Service Account. - automountServiceAccountToken: true - - # Automounting API credentials for a particular pod. - # +docs:property - # automountServiceAccountToken: true - - # The port that the webhook listens on for requests. 
- # In GKE private clusters, by default Kubernetes apiservers are allowed to - # talk to the cluster nodes only on 443 and 10250. Configuring - # securePort: 10250, therefore will work out-of-the-box without needing to add firewall - # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000. - securePort: 10250 - - # Specifies if the webhook should be started in hostNetwork mode. - # - # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom - # CNI (such as calico), because control-plane managed by AWS cannot communicate - # with pods' IP CIDR and admission webhooks are not working - # - # Since the default port for the webhook conflicts with kubelet on the host - # network, `webhook.securePort` should be changed to an available port if - # running in hostNetwork mode. - hostNetwork: false - - # Specifies how the service should be handled. Useful if you want to expose the - # webhook outside of the cluster. In some cases, the control plane cannot - # reach internal services. - serviceType: ClusterIP - - # Specify the load balancer IP for the created service. - # +docs:property - # loadBalancerIP: "10.10.10.10" - - # Overrides the mutating webhook and validating webhook so they reach the webhook - # service using the `url` field instead of a service. - url: {} - # host: - - # Enables default network policies for webhooks. - networkPolicy: - # Create network policies for the webhooks. - enabled: false - - # Ingress rule for the webhook network policy. By default, it allows all - # inbound traffic. - # +docs:property - ingress: - - from: - - ipBlock: - cidr: 0.0.0.0/0 - - # Egress rule for the webhook network policy. By default, it allows all - # outbound traffic to ports 80 and 443, as well as DNS ports. 
- # +docs:property - egress: - - ports: - - port: 80 - protocol: TCP - - port: 443 - protocol: TCP - - port: 53 - protocol: TCP - - port: 53 - protocol: UDP - # On OpenShift and OKD, the Kubernetes API server listens on. - # port 6443. - - port: 6443 - protocol: TCP - to: - - ipBlock: - cidr: 0.0.0.0/0 - - # Additional volumes to add to the cert-manager controller pod. - volumes: [] - - # Additional volume mounts to add to the cert-manager controller container. - volumeMounts: [] - - # enableServiceLinks indicates whether information about services should be - # injected into the pod's environment variables, matching the syntax of Docker - # links. - enableServiceLinks: false - -# +docs:section=CA Injector - -cainjector: - # Create the CA Injector deployment - enabled: true - - # The number of replicas of the cert-manager cainjector to run. - # - # The default is 1, but in production set this to 2 or 3 to provide high - # availability. - # - # If `replicas > 1`, consider setting `cainjector.podDisruptionBudget.enabled=true`. - # - # Note that cert-manager uses leader election to ensure that there can - # only be a single instance active at a time. - replicaCount: 1 - - # This is used to configure options for the cainjector pod. - # It allows setting options that are usually provided via flags. - # - # If `apiVersion` and `kind` are unspecified they default to the current latest - # version (currently `cainjector.config.cert-manager.io/v1alpha1`). You can pin - # the version by specifying the `apiVersion` yourself. 
- # - # For example: - # apiVersion: cainjector.config.cert-manager.io/v1alpha1 - # kind: CAInjectorConfiguration - # logging: - # verbosity: 2 - # format: text - # leaderElectionConfig: - # namespace: kube-system - # # Configure the metrics server for TLS - # # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls - # metricsTLSConfig: - # dynamic: - # secretNamespace: "cert-manager" - # secretName: "cert-manager-metrics-ca" - # dnsNames: - # - cert-manager-metrics - config: {} - - # Deployment update strategy for the cert-manager cainjector deployment. - # For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy). - # - # For example: - # strategy: - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 - strategy: {} - - # Pod Security Context to be set on the cainjector component Pod - # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). - # +docs:property - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - - # Container Security Context to be set on the cainjector component container - # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). - # +docs:property - containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - - podDisruptionBudget: - # Enable or disable the PodDisruptionBudget resource. - # - # This prevents downtime during voluntary disruptions such as during a Node upgrade. - # For example, the PodDisruptionBudget will block `kubectl drain` - # if it is used on the Node where the only remaining cert-manager - # Pod is currently running. - enabled: false - - # `minAvailable` configures the minimum available pods for disruptions. 
It can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). - # Cannot be used if `maxUnavailable` is set. - # +docs:property - # +docs:type=unknown - # minAvailable: 1 - - # `maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). - # Cannot be used if `minAvailable` is set. - # +docs:property - # +docs:type=unknown - # maxUnavailable: 1 - - # Optional additional annotations to add to the cainjector Deployment. - # +docs:property - # deploymentAnnotations: {} - - # Optional additional annotations to add to the cainjector Pods. - # +docs:property - # podAnnotations: {} - - # Optional additional annotations to add to the cainjector metrics Service. - # +docs:property - # serviceAnnotations: {} - - # Additional command line flags to pass to cert-manager cainjector binary. - # To see all available flags run `docker run quay.io/jetstack/cert-manager-cainjector: --help`. - extraArgs: [] - # Enable profiling for cainjector. - # - --enable-profiling=true - - # Additional environment variables to pass to cert-manager cainjector binary. - # For example: - # extraEnv: - # - name: SOME_VAR - # value: 'some value' - extraEnv: [] - - # Comma separated list of feature gates that should be enabled on the - # cainjector pod. - featureGates: "" - - # Resources to provide to the cert-manager cainjector pod. - # - # For example: - # requests: - # cpu: 10m - # memory: 32Mi - # - # For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - resources: {} - - - # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with - # matching labels. - # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). - # - # This default ensures that Pods are only scheduled to Linux nodes. 
- # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - # +docs:property - nodeSelector: - kubernetes.io/os: linux - - # A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core). - # - # For example: - # affinity: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: foo.bar.com/role - # operator: In - # values: - # - master - affinity: {} - - # A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core). - # - # For example: - # tolerations: - # - key: foo.bar.com/role - # operator: Equal - # value: master - # effect: NoSchedule - tolerations: [] - - # A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core). - # - # For example: - # topologySpreadConstraints: - # - maxSkew: 2 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: ScheduleAnyway - # labelSelector: - # matchLabels: - # app.kubernetes.io/instance: cert-manager - # app.kubernetes.io/component: controller - topologySpreadConstraints: [] - - # Optional additional labels to add to the CA Injector Pods. - podLabels: {} - - # Optional additional labels to add to the CA Injector metrics Service. - serviceLabels: {} - - image: - # The container registry to pull the cainjector image from. - # +docs:property - # registry: quay.io - - # The container image for the cert-manager cainjector - # +docs:property - repository: quay.io/jetstack/cert-manager-cainjector - - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion will be used. 
- # +docs:property - # tag: vX.Y.Z - - # Setting a digest will override any tag. - # +docs:property - # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 - - # Kubernetes imagePullPolicy on Deployment. - pullPolicy: IfNotPresent - - serviceAccount: - # Specifies whether a service account should be created. - create: true - - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - # +docs:property - # name: "" - - # Optional additional annotations to add to the cainjector's Service Account. - # +docs:property - # annotations: {} - - # Optional additional labels to add to the cainjector's Service Account. - # +docs:property - # labels: {} - - # Automount API credentials for a Service Account. - automountServiceAccountToken: true - - # Automounting API credentials for a particular pod. - # +docs:property - # automountServiceAccountToken: true - - # Additional volumes to add to the cert-manager controller pod. - volumes: [] - - # Additional volume mounts to add to the cert-manager controller container. - volumeMounts: [] - - # enableServiceLinks indicates whether information about services should be - # injected into the pod's environment variables, matching the syntax of Docker - # links. - enableServiceLinks: false - -# +docs:section=ACME Solver - -acmesolver: - image: - # The container registry to pull the acmesolver image from. - # +docs:property - # registry: quay.io - - # The container image for the cert-manager acmesolver. - # +docs:property - repository: quay.io/jetstack/cert-manager-acmesolver - - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion is used. - # +docs:property - # tag: vX.Y.Z - - # Setting a digest will override any tag. - # +docs:property - # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 - - # Kubernetes imagePullPolicy on Deployment. 
- pullPolicy: IfNotPresent - -# +docs:section=Startup API Check -# This startupapicheck is a Helm post-install hook that waits for the webhook -# endpoints to become available. -# The check is implemented using a Kubernetes Job - if you are injecting mesh -# sidecar proxies into cert-manager pods, ensure that they -# are not injected into this Job's pod. Otherwise, the installation may time out -# owing to the Job never being completed because the sidecar proxy does not exit. -# For more information, see [this note](https://github.com/cert-manager/cert-manager/pull/4414). - -startupapicheck: - # Enables the startup api check. - enabled: true - - # Pod Security Context to be set on the startupapicheck component Pod. - # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). - # +docs:property - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - - # Container Security Context to be set on the controller component container. - # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). - # +docs:property - containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - - # Timeout for 'kubectl check api' command. - timeout: 1m - - # Job backoffLimit - backoffLimit: 4 - - # Optional additional annotations to add to the startupapicheck Job. - # +docs:property - jobAnnotations: - helm.sh/hook: post-install - helm.sh/hook-weight: "1" - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - - # Optional additional annotations to add to the startupapicheck Pods. - # +docs:property - # podAnnotations: {} - - # Additional command line flags to pass to startupapicheck binary. - # To see all available flags run `docker run quay.io/jetstack/cert-manager-startupapicheck: --help`. 
- # - # Verbose logging is enabled by default so that if startupapicheck fails, you - # can know what exactly caused the failure. Verbose logs include details of - # the webhook URL, IP address and TCP connect errors for example. - # +docs:property - extraArgs: - - -v - - # Additional environment variables to pass to cert-manager startupapicheck binary. - # For example: - # extraEnv: - # - name: SOME_VAR - # value: 'some value' - extraEnv: [] - - # Resources to provide to the cert-manager controller pod. - # - # For example: - # requests: - # cpu: 10m - # memory: 32Mi - # - # For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - resources: {} - - - # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with - # matching labels. - # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). - # - # This default ensures that Pods are only scheduled to Linux nodes. - # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - # +docs:property - nodeSelector: - kubernetes.io/os: linux - - # A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core). - # For example: - # affinity: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: foo.bar.com/role - # operator: In - # values: - # - master - affinity: {} - - # A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core). 
- # - # For example: - # tolerations: - # - key: foo.bar.com/role - # operator: Equal - # value: master - # effect: NoSchedule - tolerations: [] - - # Optional additional labels to add to the startupapicheck Pods. - podLabels: {} - - image: - # The container registry to pull the startupapicheck image from. - # +docs:property - # registry: quay.io - - # The container image for the cert-manager startupapicheck. - # +docs:property - repository: quay.io/jetstack/cert-manager-startupapicheck - - # Override the image tag to deploy by setting this variable. - # If no value is set, the chart's appVersion is used. - # +docs:property - # tag: vX.Y.Z - - # Setting a digest will override any tag. - # +docs:property - # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 - - # Kubernetes imagePullPolicy on Deployment. - pullPolicy: IfNotPresent - - rbac: - # annotations for the startup API Check job RBAC and PSP resources. - # +docs:property - annotations: - helm.sh/hook: post-install - helm.sh/hook-weight: "-5" - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - - # Automounting API credentials for a particular pod. - # +docs:property - # automountServiceAccountToken: true - - serviceAccount: - # Specifies whether a service account should be created. - create: true - - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template. - # +docs:property - # name: "" - - # Optional additional annotations to add to the Job's Service Account. - # +docs:property - annotations: - helm.sh/hook: post-install - helm.sh/hook-weight: "-5" - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - - # Automount API credentials for a Service Account. - # +docs:property - automountServiceAccountToken: true - - # Optional additional labels to add to the startupapicheck's Service Account. 
- # +docs:property - # labels: {} - - # Additional volumes to add to the cert-manager controller pod. - volumes: [] - - # Additional volume mounts to add to the cert-manager controller container. - volumeMounts: [] - - # enableServiceLinks indicates whether information about services should be - # injected into pod's environment variables, matching the syntax of Docker - # links. - enableServiceLinks: false - -# Create dynamic manifests via values. -# -# For example: -# extraObjects: -# - | -# apiVersion: v1 -# kind: ConfigMap -# metadata: -# name: '{{ template "cert-manager.fullname" . }}-extra-configmap' -extraObjects: [] - -# Field used by our release pipeline to produce the static manifests. -# The field defaults to "helm" but is set to "static" when we render -# the static YAML manifests. -# +docs:hidden -creator: "helm" - -# Field that can be used as a condition when cert-manager is a dependency. -# This definition is only here as a placeholder such that it is included in -# the json schema. -# See https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags -# for more info. -# +docs:hidden -enabled: true - diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/cert-manager/cert-manager/values.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/cert-manager/cert-manager/values.yml deleted file mode 100644 index 3620d99e5..000000000 --- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/cert-manager/cert-manager/values.yml +++ /dev/null @@ -1,9 +0,0 @@ -crds: - enabled: true - -config: - apiVersion: "controller.config.cert-manager.io/v1alpha1" - kind: "ControllerConfiguration" - enableGatewayAPI: true - -replicaCount: 3 \ No newline at end of file 
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/namespace.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/namespace.yml
deleted file mode 100644
index 97c438c50..000000000
--- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/namespace.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: example
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/role/pod-restricted.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/role/pod-restricted.yml
deleted file mode 100644
index 1dfe2562b..000000000
--- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/role/pod-restricted.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-# A role specific for this namespace to be used by pods
-# We let pods get, watch and list other pods in the same namespace
-# Not all pods need this kind of restriction, and most of them do not even need to communicate with the Kubernetes API server at all
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: pod-restricted
- namespace: example
-rules:
- - apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/roleBinding/edit-role-binding.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/roleBinding/edit-role-binding.yml
deleted file mode 100644
index 253124d85..000000000
--- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/roleBinding/edit-role-binding.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Here I am binding to the default ClusterRole edit of Kubernetes.
-# NOTE: edit role allows read/write access to most objects in a namespace.
-# Also, this role does not allow viewing or modifying roles or role bindings, but allows accessing Secrets
-
-# You are encouraged to start from the edit ClusterRole and customize it according to your needs
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: edit-role-binding
- namespace: example
-subjects:
- - kind: Group
- name: ocid... # OCID of the OCI IAM group the developers belong to
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: edit
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/roleBinding/pod-restricted-binding.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/roleBinding/pod-restricted-binding.yml
deleted file mode 100644
index 30bd1a281..000000000
--- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/roleBinding/pod-restricted-binding.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: pod-restricted-binding
- namespace: example
-subjects:
- - kind: ServiceAccount
- name: application-sa
- namespace: example
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: pod-restricted
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/serviceAccount/application-sa.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/serviceAccount/application-sa.yml
deleted file mode 100644
index 9be3b2b3a..000000000
--- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/example/_config_/serviceAccount/application-sa.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# As a best practice, it is better not use the default ServiceAccount when deploying pods, so better create a new one and tell the developers to use this
-# By default, automountServiceAccountToken is set to true, but if the pod requires to use the token issued by the Kubernetes control plane, the developer can still specify it in the Pod spec
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: application-sa
- namespace: example
-imagePullSecrets:
- - name: ocirsecret
-automountServiceAccountToken: false
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/kube-system/metrics-server/metrics-server.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/kube-system/metrics-server/metrics-server.yml
deleted file mode 100644
index aed2f1d97..000000000
--- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/kube-system/metrics-server/metrics-server.yml
+++ /dev/null
@@ -1,201 +0,0 @@ -# Default values for metrics-server. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -image: - repository: registry.k8s.io/metrics-server/metrics-server - # Overrides the image tag whose default is v{{ .Chart.AppVersion }} - tag: "" - pullPolicy: IfNotPresent - -imagePullSecrets: [] -# - name: registrySecretName - -nameOverride: "" -fullnameOverride: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - # The list of secrets mountable by this service account. - # See https://kubernetes.io/docs/reference/labels-annotations-taints/#enforce-mountable-secrets - secrets: [] - -rbac: - # Specifies whether RBAC resources should be created - create: true - # Note: PodSecurityPolicy will not be created when Kubernetes version is 1.25 or later. - pspEnabled: false - -apiService: - # Specifies if the v1beta1.metrics.k8s.io API service should be created. - # - # You typically want this enabled! If you disable API service creation you have to - # manage it outside of this chart for e.g horizontal pod autoscaling to - # work with this release. 
- create: true - # Annotations to add to the API service - annotations: {} - # Specifies whether to skip TLS verification - insecureSkipTLSVerify: true - # The PEM encoded CA bundle for TLS verification - caBundle: "" - -commonLabels: {} -podLabels: {} -podAnnotations: {} - -podSecurityContext: {} - -securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - -priorityClassName: system-cluster-critical - -containerPort: 10250 - -hostNetwork: - # Specifies if metrics-server should be started in hostNetwork mode. - # - # You would require this enabled if you use alternate overlay networking for pods and - # API server unable to communicate with metrics-server. As an example, this is required - # if you use Weave network on EKS - enabled: false - -replicas: 1 - -revisionHistoryLimit: - -updateStrategy: {} -# type: RollingUpdate -# rollingUpdate: -# maxSurge: 0 -# maxUnavailable: 1 - -podDisruptionBudget: - # https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - enabled: false - minAvailable: - maxUnavailable: - -defaultArgs: - - --cert-dir=/tmp - - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - - --kubelet-use-node-status-port - - --metric-resolution=15s - -args: [] - -livenessProbe: - httpGet: - path: /livez - port: https - scheme: HTTPS - initialDelaySeconds: 0 - periodSeconds: 10 - failureThreshold: 3 - -readinessProbe: - httpGet: - path: /readyz - port: https - scheme: HTTPS - initialDelaySeconds: 20 - periodSeconds: 10 - failureThreshold: 3 - -service: - type: ClusterIP - port: 443 - annotations: {} - labels: {} - # Add these labels to have metrics-server show up in `kubectl cluster-info` - # kubernetes.io/cluster-service: "true" - # kubernetes.io/name: "Metrics-server" - -addonResizer: - enabled: false - image: - repository: registry.k8s.io/autoscaling/addon-resizer - tag: 1.8.21 - 
securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - resources: - requests: - cpu: 40m - memory: 25Mi - limits: - cpu: 40m - memory: 25Mi - nanny: - cpu: 0m - extraCpu: 1m - memory: 0Mi - extraMemory: 2Mi - minClusterSize: 100 - pollPeriod: 300000 - threshold: 5 - -metrics: - enabled: false - -serviceMonitor: - enabled: false - additionalLabels: {} - interval: 1m - scrapeTimeout: 10s - metricRelabelings: [] - relabelings: [] - -# See https://github.com/kubernetes-sigs/metrics-server#scaling -resources: - requests: - cpu: 100m - memory: 200Mi - # limits: - # cpu: - # memory: - -extraVolumeMounts: [] - -extraVolumes: [] - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -topologySpreadConstraints: [] - -dnsConfig: {} - -# Annotations to add to the deployment -deploymentAnnotations: {} - -schedulerName: "" - -tmpVolume: - emptyDir: {} - diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/kube-system/metrics-server/values.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/kube-system/metrics-server/values.yml deleted file mode 100644 index 164871c24..000000000 --- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/kube-system/metrics-server/values.yml +++ /dev/null @@ -1,8 +0,0 @@ -replicas: 3 - -defaultArgs: - - --cert-dir=/tmp - - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - - --kubelet-use-node-status-port - - --metric-resolution=15s - - --kubelet-insecure-tls \ No newline at end of file diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/argocd/argocd.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/argocd/argocd.yml deleted file mode 100644 index 7759fb0d2..000000000 
--- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/argocd/argocd.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -# This template will deploy a Helm Chart with the specified values - -apiVersion: argoproj.io/v1alpha1 -kind: ApplicationSet -metadata: - name: argocd # Name of the ApplicationSet - namespace: argocd # Better to have all ApplicationSet and Application under the same argocd namespace -spec: - goTemplate: true - goTemplateOptions: [ "missingkey=error" ] - generators: - - clusters: # You can deploy the Helm chart on multiple clusters, selecting them by labels - selector: - matchLabels: - cluster: in-cluster - syncPolicy: - preserveResourcesOnDeletion: true # This is more of a safety mechanism that will preserve the Application if the ApplicationSet is deleted, see https://argo-cd.readthedocs.io/en/stable/operator-manual/applicationset/Application-Deletion/ - template: - metadata: - name: 'argocd-{{ "{{" }}.name{{ "}}" }}' # Include this metadata if you want your ApplicationSet to have a different name than the metadata.name - spec: - project: {{ .Values.project }} # The default project is always present. You might have to create multiple projects in you have multiple teams working in the same repository - sources: - - repoURL: https://argoproj.github.io/argo-helm # This is the repository where to pull the Helm chart. 
It is possible to configure even an OCI compliant repository, such as the Oracle Container Registry - chart: argo-cd # Name of the Chart to pull - targetRevision: 8.0.17 # Better always to specify the version of the Chart to deploy - helm: - releaseName: "argocd" # Helm release name for the Chart - valueFiles: - - $values/apps/{{ "{{" }}.name{{ "}}" }}/argocd/argocd/values.yml # Location of the value file: apps////values.ym - # NOTE: If you are copy-pasting this template, BE SURE to change the namespace and app name and that all the folders and files are in place - - - repoURL: {{ .Values.repo }} # Just a reference to the remote Git, do not modify it - targetRevision: HEAD - ref: values - destination: - server: '{{ "{{" }}.server{{ "}}" }}' # Server parameter is provided by the cluster generator - namespace: argocd # Namespace where to deploy the application (TO BE CHANGED in case you are copy-pasting this template) - syncPolicy: - syncOptions: - - CreateNamespace=true - automated: - prune: true # If set to true, will automatically delete resources if they are not present in the Git repository - selfHeal: true # If set to true, will automatically revert any manual update done to resources generated by the Application \ No newline at end of file diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/cluster-config.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/cluster-config.yml deleted file mode 100644 index a73b04c03..000000000 --- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/cluster-config.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -# This template will deploy global configurations for the entire cluster - -apiVersion: argoproj.io/v1alpha1 -kind: ApplicationSet -metadata: - name: cluster-config - namespace: argocd -spec: - goTemplate: true - goTemplateOptions: [ "missingkey=error" ] - generators: - - clusters: - selector: - matchLabels: - cluster: in-cluster - template: - metadata: - labels: - type: config - name: 'cluster-config-{{ "{{" }}.name{{ "}}" }}' - spec: - project: {{ .Values.project }} - sources: - - repoURL: {{ .Values.repo }} - targetRevision: HEAD - path: apps/{{ "{{" }}.name{{ "}}" }}/_config_ - directory: - recurse: true - - destination: - server: '{{ "{{" }}.server{{ "}}" }}' - namespace: default - syncPolicy: - syncOptions: - - CreateNamespace=true - automated: - prune: true - selfHeal: true \ No newline at end of file diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/example/example-config.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/example/example-config.yml deleted file mode 100644 index 24de72bd4..000000000 --- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/example/example-config.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: ApplicationSet -metadata: - name: example-config - namespace: argocd -spec: - goTemplate: true - goTemplateOptions: [ "missingkey=error" ] - generators: - - clusters: - selector: - matchLabels: - cluster: example # Replace with in-cluster to deploy the example namespace - template: - metadata: - labels: - type: config - name: 'example-config-{{ "{{" }}.name{{ "}}" }}' - spec: - project: {{ .Values.project }} - sources: - - repoURL: {{ .Values.repo }} - targetRevision: HEAD - path: apps/{{ "{{" }}.name{{ "}}" }}/example/_config_ - directory: - recurse: true - - destination: - server: '{{ "{{" }}.server{{ "}}" }}' - namespace: example - syncPolicy: - syncOptions: - - CreateNamespace=true - automated: - prune: true - selfHeal: true \ No newline at end of file diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/pipelines/mirror_argo.yaml b/app-dev/devops-and-containers/oke/oke-gitops/repos/pipelines/mirror_argo.yaml index 98ceac6d5..e37d91c2b 100644 --- a/app-dev/devops-and-containers/oke/oke-gitops/repos/pipelines/mirror_argo.yaml +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/pipelines/mirror_argo.yaml @@ -10,7 +10,7 @@ env: repo_prefix: "" region: "" artifact: "argo-cd" - version: "8.0.17" + version: "8.3.9" source_helm_repo: "https://argoproj.github.io/argo-helm" namespace: "argocd" # The Helm Chart will be deployed in this namespace diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/README.md b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/README.md new file mode 100644 index 000000000..71a327d06 --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/README.md 
@@ -0,0 +1,54 @@ +# First access to ArgoCD + +ArgoCD has been installed in the argocd namespace of the cluster. +For the first access, you can get the admin password directly from the secret by running this command: + +`kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d` + +Then, you can initially access the argocd interface by performing a port-forwarding: + +`kubectl port-forward svc/argo-cd-argocd-server -n argocd 8080:443` + +After running the command, you should be able to access ArgoCD UI from `localhost:8080`, enter with username **admin** and the admin password. + +NOTE: If you have deployed the Helm Chart on a private OKE cluster, you will need to perform some networking setup to be able to connect through kubectl. + +# Connecting to the OCI Code Repository + +Under `Settings --> Repositories` click on **CONNECT REPO** and select to connect to a repository **VIA HTTPS**. +Fill the form with the following values: +1. `Repository type`: "git" +2. `Repository URL`: +3. `Username`: \ +4. `Password`: \ + +The repository we want to connect to is the oke-cluster-config repository in OCI DevOps, already created by the Resource Manager Stack. +It's better to go into the OCI DevOps, find the repository, and find the right HTTPS clone URL. + +NOTE: The username to connect to the OCI DevOps Code Repository should be `//` + +# Clone the OCI Code Repository locally + +It is always better to clone the Git repository locally and have an appropriate IDE where we can work. A lot of YAMLs are involved when managing a cluster, +so it's important to correctly indent the code. +Once you have cloned the **oke-cluster-config**, it's time to perform the following actions: +1. Deploy the cluster secret by running `kubectl apply -f in-cluster.yml` +2. Substitute ${REPO} with the repository https URL from OCI DevOps +3. Push the code to the remote Git repository (optional) +4. Run `kubectl apply -f root.yml` +5. 
You will lose the port-forwarding session if still active, but don't worry, it's something expected +6. Access to the ArgoCD UI, and be sure that `all-apps` application is synchronized + +After having performed these steps, you will have an installation of ArgoCD configured with the apps-of-apps pattern. + +# How to use this template + +The concept is simple, there are some naming conventions that need to be known so that everything is kept in order. + +## Apps folder +The apps folder will contain the applications to deploy in the cluster. Applications can be helm or kustomize charts. Examples are in each folder. + +## AppSets folder + +The `appsets` folder is structured as a Helm chart for convenience. It contains all the code necessary to instruct ArgoCD on what applications to deploy, in which cluster and namespace. All YAMLs are in the `templates` folder. +The folder in examples contains some examples using generators to deploy applications. diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/charts/.gitkeep b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/charts/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/argocd/env-type/values-hub.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/argocd/env-type/values-hub.yml new file mode 100644 index 000000000..921e167af --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/argocd/env-type/values-hub.yml @@ -0,0 +1,4 @@ +configs: + cm: + timeout.reconciliation: 1h + timeout.reconciliation.jitter: 30m \ No newline at end of file 
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/argocd/argocd/values.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/argocd/values-common.yml similarity index 100% rename from app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/argocd/argocd/values.yml rename to app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/argocd/values-common.yml diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/clusters/values-in-cluster.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/clusters/values-in-cluster.yml new file mode 100644 index 000000000..e69de29bb diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/env-type/values-no-prod.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/env-type/values-no-prod.yml new file mode 100644 index 000000000..e69de29bb diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/envs/values-prod.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/envs/values-prod.yml new file mode 100644 index 000000000..e69de29bb diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/envs/values-qa.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/envs/values-qa.yml new file mode 100644 index 000000000..e69de29bb 
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/regions/values-uk.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/regions/values-uk.yml new file mode 100644 index 000000000..e69de29bb diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/values-common.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/values-common.yml new file mode 100644 index 000000000..e69de29bb diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/variants/values-agent.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/variants/values-agent.yml new file mode 100644 index 000000000..e69de29bb diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/version/values-qa.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/helm/values/example-app/version/values-qa.yml new file mode 100644 index 000000000..e69de29bb diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/argocd/base/kustomization.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/argocd/base/kustomization.yml new file mode 100644 index 000000000..47919a89b --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/argocd/base/kustomization.yml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - secret/in-cluster.yml \ No newline at end of file 
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/argocd/_config_/secret/in-cluster.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/argocd/base/secret/in-cluster.yml similarity index 51% rename from app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/argocd/_config_/secret/in-cluster.yml rename to app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/argocd/base/secret/in-cluster.yml index 238c3df86..b593082d9 100644 --- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/apps/in-cluster/argocd/_config_/secret/in-cluster.yml +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/argocd/base/secret/in-cluster.yml @@ -3,7 +3,10 @@ kind: Secret metadata: labels: argocd.argoproj.io/secret-type: cluster - cluster: in-cluster + type: "hub" # hub cluster is where ArgoCD is deployed, all other cluster will be "workload" + #region: "uk" + provider: "oci" + # prod: "true" # By "environment" we mean NOT an application environment, rather a common set of clusters where applications are deployed name: in-cluster namespace: argocd stringData: diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/argocd/env-type/hub/kustomization.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/argocd/env-type/hub/kustomization.yml new file mode 100644 index 000000000..681848f0c --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/argocd/env-type/hub/kustomization.yml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../base \ No newline at end of file 
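Review bot: With `prod` left commented out, this hub cluster secret matches any generator that selects on `prod` with `DoesNotExist`, such as helm-no-prod.yml in this patch, so example workloads would be deployed onto the hub cluster alongside Argo CD. If that is intended, say so next to the commented label, e.g. `# prod is deliberately unset: the examples treat the hub as a non-prod cluster`; otherwise the non-prod selectors should additionally exclude `type: "hub"` with a `NotIn` expression. The same manifest is duplicated byte for byte as `in-cluster.yml` at the repository root (the README applies that copy with kubectl), so the two copies must be kept in sync or one should reference the other.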
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/config/base/kustomization.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/config/base/kustomization.yml new file mode 100644 index 000000000..b1745d738 --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/config/base/kustomization.yml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: [] \ No newline at end of file diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/config/env-type/hub/kustomization.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/config/env-type/hub/kustomization.yml new file mode 100644 index 000000000..681848f0c --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/config/env-type/hub/kustomization.yml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../base \ No newline at end of file diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/base/kustomization.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/base/kustomization.yml new file mode 100644 index 000000000..b1745d738 --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/base/kustomization.yml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: [] \ No newline at end of file 
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/env-type/hub/kustomization.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/env-type/hub/kustomization.yml new file mode 100644 index 000000000..681848f0c --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/env-type/hub/kustomization.yml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../base \ No newline at end of file diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/env-type/no-prod/kustomization.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/env-type/no-prod/kustomization.yml new file mode 100644 index 000000000..681848f0c --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/env-type/no-prod/kustomization.yml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../base \ No newline at end of file diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/envs/prod/kustomization.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/envs/prod/kustomization.yml new file mode 100644 index 000000000..681848f0c --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/envs/prod/kustomization.yml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../base \ No newline at end of file 
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/envs/qa/kustomization.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/envs/qa/kustomization.yml new file mode 100644 index 000000000..681848f0c --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/kustomize/example-app/envs/qa/kustomization.yml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../base \ No newline at end of file diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/Chart.yaml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/Chart.yaml new file mode 100644 index 000000000..83d9169f3 --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/Chart.yaml @@ -0,0 +1,9 @@ +apiVersion: v2 +name: appsets +description: A Helm chart for the AppSets deployment + +type: application + +version: 1.0.0 + +appVersion: "1.0.0" diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/helm-no-prod.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/helm-no-prod.yml new file mode 100644 index 000000000..8fe73e89d --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/helm-no-prod.yml 
@@ -0,0 +1,54 @@
+# Deploy a single application on all non-prod clusters.
+
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: example-app
+ namespace: argocd
+spec:
+ goTemplate: true
+ goTemplateOptions: [ "missingkey=error" ]
+ generators:
+ - clusters:
+ selector:
+ matchExpressions:
+ - key: "prod"
+ operator: DoesNotExists
+
+ syncPolicy:
+ preserveResourcesOnDeletion: true
+ template:
+ metadata:
+ name: 'example-app-{{ "{{" }}.nameNormalized{{ "}}" }}'
+ spec:
+ project: default
+ sources:
+ - repoURL: https://example.chart
+ chart: example-app
+ targetRevision: "*" # This will fetch the latest chart, do not use it for production, specify a version
+ helm:
+ releaseName: "example-app"
+ valueFiles:
+ - $values/apps/helm/values/example-app/values-common.yml
+ - $values/apps/helm/values/example-app/env-type/values-no-prod.yml
+ # Cluster specific values are optional, they will override all the other values
+ - $values/apps/helm/values/example-app/clusters/values-{{ "{{" }}.metadata.labels.name{{ "}}" }}.yml
+
+ # We can add some kubernetes manifests that are highly coupled with this Helm release, for example, a secret needed by this system tool to work (optional)
+ - repoURL: {{ .Values.repo }}
+ targetRevision: HEAD
+ path: apps/kustomize/example-app/env-type/no-prod
+
+ - repoURL: {{ .Values.repo }}
+ targetRevision: HEAD
+ ref: values
+ destination:
+ server: '{{ "{{" }}.server{{ "}}" }}'
+ namespace: example
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/helm-qa.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/helm-qa.yml
new file mode 100644
index 000000000..87b97f33d
--- /dev/null
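Review bot: `operator: DoesNotExists` in the cluster generator selector is not a valid label-selector operator; Kubernetes accepts `In`, `NotIn`, `Exists` and `DoesNotExist`, so this ApplicationSet is rejected on apply or matches no cluster. Change it to `operator: DoesNotExist`. Separately, the comment on the `clusters/values-{{ .metadata.labels.name }}.yml` entry calls cluster-specific values optional, but a Helm values file that does not exist fails the render unless the source sets `ignoreMissingValueFiles: true` under `helm:`, and this patch only creates `values-in-cluster.yml`. The same optional-values comment and path appear in helm-qa.yml and helm-single-cluster.yml.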
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/helm-qa.yml
@@ -0,0 +1,60 @@
+# Deploy a single application on all qa clusters. Note that by environments we mean entire clusters, not namespaces
+
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: example-app
+ namespace: argocd
+spec:
+ goTemplate: true
+ goTemplateOptions: [ "missingkey=error" ]
+ generators:
+ - clusters:
+ selector:
+ matchExpressions:
+ - key: "qa"
+ operator: In
+ values:
+ - "true"
+
+ syncPolicy:
+ preserveResourcesOnDeletion: true
+ template:
+ metadata:
+ name: 'example-app-{{ "{{" }}.nameNormalized{{ "}}" }}-qa'
+ spec:
+ project: default
+ sources:
+ - repoURL: https://example.chart
+ chart: example-app
+ targetRevision: "*" # This will fetch the latest chart, do not use it for production, specify a version
+ helm:
+ releaseName: "example-app-qa"
+ valueFiles:
+ - $values/apps/helm/values/example-app/values-common.yml
+ - $values/apps/helm/values/example-app/env-type/values-no-prod.yml
+ # If you have some image tag version that differ between environments
+ - $values/apps/helm/values/example-app/version/values-qa.yml
+ - $values/apps/helm/values/example-app/envs/values-qa.yml
+ # Cluster specific values are optional, they will override all the other values
+ - $values/apps/helm/values/example-app/clusters/values-{{ "{{" }}.metadata.labels.name{{ "}}" }}.yml
+
+
+ # We can add some kubernetes manifests that are highly coupled with this Helm release, for example, a secret needed by this system tool to work (optional)
+ - repoURL: {{ .Values.repo }}
+ targetRevision: HEAD
+ path: apps/kustomize/example-app/envs/qa
+
+ - repoURL: {{ .Values.repo }}
+ targetRevision: HEAD
+ ref: values
+ destination:
+ server: '{{ "{{" }}.server{{ "}}" }}'
+ namespace: example
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
\ No newline at end of file
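Review bot: `metadata.name: example-app` is the same ApplicationSet name that helm-no-prod.yml and helm-single-cluster.yml use in the same `argocd` namespace, so applying a second example replaces the first instead of adding another ApplicationSet; the generated Application name already carries a `-qa` suffix, so the parent should too, `name: example-app-qa`. The `qa` label this selector keys on is not set on either cluster secret in the patch (they carry only `type` and `provider`), which is presumably fine for an example but deserves a line above the selector such as `# expects the cluster secret to carry the label qa: "true"`.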
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/helm-single-cluster.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/helm-single-cluster.yml new file mode 100644 index 000000000..fe03daef0 --- /dev/null +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/helm-single-cluster.yml 
@@ -0,0 +1,52 @@
+# Deploy a single application on a specific cluster. This should be an uncommon use case, as clusters should all
+# be created in a similar way, with predefined structures (staging cluster, test cluster, production cluster)
+
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: example-app
+ namespace: argocd
+spec:
+ goTemplate: true
+ goTemplateOptions: [ "missingkey=error" ]
+ generators:
+ - clusters:
+ selector:
+ matchLabels:
+ name: ""
+
+ syncPolicy:
+ preserveResourcesOnDeletion: true
+ template:
+ metadata:
+ name: 'example-app-{{ "{{" }}.nameNormalized{{ "}}" }}'
+ spec:
+ project: default
+ sources:
+ - repoURL: https://example.chart
+ chart: example-app
+ targetRevision: "*" # This will fetch the latest chart, do not use it for production, specify a version
+ helm:
+ releaseName: "example-app"
+ valueFiles:
+ - $values/apps/helm/values/example-app/values-common.yml
+ - $values/apps/helm/values/example-app/clusters/values-{{ "{{" }}.metadata.labels.name{{ "}}" }}.yml
+
+ # We can add some kubernetes manifests that are highly coupled with this Helm release, for example, a secret needed by this system tool to work (optional)
+ - repoURL: {{ .Values.repo }}
+ targetRevision: HEAD
+ path: apps/kustomize/example-app/env-type/{{ "{{" }}.metadata.labels.type{{ "}}" }}
+
+ - repoURL: {{ .Values.repo }}
+ targetRevision: HEAD
+ ref: values
+ destination:
+ server: '{{ "{{" }}.server{{ "}}" }}'
+ namespace: example
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
\ No newline at end of file
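Review bot: `matchLabels: name: ""` selects only cluster secrets that carry a `name` label with an empty value, and neither cluster secret in this patch (`in-cluster.yml`) has a `name` label at all, so as written the generator matches nothing; the values file path `clusters/values-{{ .metadata.labels.name }}.yml` reads the same label and, under `missingkey=error`, presumably fails to render for any matched cluster that lacks it. If the empty value is a placeholder, mark it as one: `name: "<cluster-name>" # must match a name label on the cluster secret and a clusters/values-<cluster-name>.yml file`. helm-no-prod.yml and helm-qa.yml build the same path from `.metadata.labels.name` and have the same dependency on that label.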
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/argocd/argocd-config.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/hub-config.yml similarity index 59% rename from app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/argocd/argocd-config.yml rename to app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/hub-config.yml index a00366cc6..ec51467a6 100644 --- a/app-dev/devops-and-containers/oke/oke-gitops/repos/oke-cluster-config/appsets/templates/argocd/argocd-config.yml +++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/examples/hub-config.yml @@ -1,9 +1,10 @@ -# This template will deploy namespace specific config in the cluster +# Kustomize application containing cluster configurations for the hub cluster. + apiVersion: argoproj.io/v1alpha1 kind: ApplicationSet metadata: - name: argocd-config + name: hub-config namespace: argocd spec: goTemplate: true @@ -12,20 +13,20 @@ spec: - clusters: selector: matchLabels: - cluster: in-cluster + type: "hub" + + syncPolicy: + preserveResourcesOnDeletion: true template: metadata: - labels: - type: config - name: 'argocd-config-{{ "{{" }}.name{{ "}}" }}' + name: 'hub-config' spec: - project: {{ .Values.project }} + project: default sources: + # Global config for each cluster - repoURL: {{ .Values.repo }} targetRevision: HEAD - path: apps/{{ "{{" }}.name{{ "}}" }}/argocd/_config_ - directory: - recurse: true + path: apps/kustomize/config/env-type/{{ "{{" }}.metadata.labels.type{{ "}}" }} destination: server: '{{ "{{" }}.server{{ "}}" }}' @@ -33,6 +34,7 @@ spec: syncPolicy: syncOptions: - CreateNamespace=true + - ServerSideApply=true automated: prune: true selfHeal: true \ No newline at end of file 
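Review bot: `name: 'hub-config'` is now a fixed Application name while the generator still iterates every cluster secret labelled `type: "hub"`; with a second hub cluster the ApplicationSet renders two Applications with the same name and only one survives, which the previous `{{ .name }}` suffix avoided. Use `name: 'hub-config-{{ "{{" }}.nameNormalized{{ "}}" }}'`, as the sibling templates in this patch do. Moving from `{{ .Values.project }}` to `project: default` is consistent with the new values.yaml, which no longer defines `project`.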
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/templates/argocd.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/templates/argocd.yml
new file mode 100644
index 000000000..f39cb2e39
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/templates/argocd.yml
@@ -0,0 +1,48 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: argocd
+ namespace: argocd
+spec:
+ goTemplate: true
+ goTemplateOptions: [ "missingkey=error" ]
+ generators:
+ - clusters:
+ selector:
+ matchLabels:
+ type: "hub"
+
+ syncPolicy:
+ preserveResourcesOnDeletion: true
+ template:
+ metadata:
+ name: 'argocd-{{ "{{" }}.nameNormalized{{ "}}" }}'
+ spec:
+ project: default
+ sources:
+ - repoURL: https://argoproj.github.io/argo-helm
+ chart: argo-cd
+ targetRevision: "*"
+ helm:
+ releaseName: "argo-alcampag"
+ valueFiles:
+ - $values/apps/helm/values/argocd/values-common.yml
+ - $values/apps/helm/values/argocd/env-type/values-{{ "{{" }}.metadata.labels.type{{ "}}" }}.yml
+
+ - repoURL: {{ .Values.repo }}
+ targetRevision: HEAD
+ path: apps/kustomize/argocd/env-type/{{ "{{" }}.metadata.labels.type{{ "}}" }}
+
+ - repoURL: {{ .Values.repo }}
+ targetRevision: HEAD
+ ref: values
+ destination:
+ server: '{{ "{{" }}.server{{ "}}" }}'
+ namespace: argocd
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
+ automated:
+ prune: true
+ selfHeal: true
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/values.yaml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/values.yaml
new file mode 100644
index 000000000..90ef2bd0e
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/appsets/values.yaml
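Review bot: `targetRevision: "*"` on the `argo-cd` chart, together with `automated.selfHeal`, upgrades the Argo CD installation itself to whatever the newest chart release is at each refresh, while the mirror pipeline in this same patch pins `version: "8.3.9"`; this is the live template rather than an example, so pin it here as well, `targetRevision: "8.3.9"`, and bump it deliberately. `releaseName: "argo-alcampag"` looks like a leftover personal name: the README added in this patch port-forwards `svc/argo-cd-argocd-server`, which corresponds to a release named `argo-cd`, so a different release name would presumably create a second set of Argo CD Deployments and Services next to the ones the pipeline installed. Suggest `releaseName: "argo-cd"` so the ApplicationSet adopts the existing release.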
@@ -0,0 +1,2 @@
+# Git repository where the cluster configurations are located, with .git postfix
+repo: ""
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/in-cluster.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/in-cluster.yml
new file mode 100644
index 000000000..b593082d9
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/in-cluster.yml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ argocd.argoproj.io/secret-type: cluster
+ type: "hub" # hub cluster is where ArgoCD is deployed, all other cluster will be "workload"
+ #region: "uk"
+ provider: "oci"
+ # prod: "true" # By "environment" we mean NOT an application environment, rather a common set of clusters where applications are deployed
+ name: in-cluster
+ namespace: argocd
+stringData:
+ config: '{"bearerToken":"","tlsClientConfig":{"insecure":false,"caData":""}}'
+ name: in-cluster
+ server: https://kubernetes.default.svc
+type: Opaque
\ No newline at end of file
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/root.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/root.yml
new file mode 100644
index 000000000..d4122d5ea
--- /dev/null
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/root.yml
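Review bot: The `type: "hub"` label in the in-cluster.yml hunk is a hard requirement rather than an optional classifier — the argocd ApplicationSet added in this patch renders `.metadata.labels.type` under `goTemplateOptions: [ "missingkey=error" ]`, so a cluster secret without that label should fail template rendering — but the inline comment does not say so; I would extend it to `type: "hub" # required: selects the env-type values/kustomize path; "hub" for the Argo CD cluster, "workload" for every other cluster`. The `# prod: "true"` comment explains what an environment is but not which selector reads the label, so either document that or leave it out until something consumes it. This file will presumably be copied as the model for workload-cluster secrets, and a comment next to `config` noting that bearer tokens and CA data for other clusters should be supplied from a secret store rather than committed to this repository would discourage filling the template in with credentials.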
@@ -0,0 +1,26 @@
+# Insert Git repository where the cluster configurations are located, with .git postfix. This template has to be applied manually
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: system-cluster-config
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: ${REPO}
+ targetRevision: HEAD
+ path: appset
+ helm:
+ parameters:
+ - name: repo
+ value: ${REPO}
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: false
+ selfHeal: true
\ No newline at end of file
From 2d3df19c5a72df406cb7fd50eafb2b1b56af53e0 Mon Sep 17 00:00:00 2001
From: alcampag
Date: Tue, 16 Sep 2025 15:11:10 +0200
Subject: [PATCH 2/2] oke-gitops-1.1.0

---
 .../oke/oke-gitops/repos/apps-cluster-config/root.yml | 2 +-
 .../oke/oke-gitops/repos/system-cluster-config/root.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/root.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/root.yml
index a043824e5..28adb84ab 100644
--- a/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/root.yml
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/root.yml
@@ -10,7 +10,7 @@ spec:
 source:
 repoURL: ${REPO}
 targetRevision: HEAD
- path: appset
+ path: appsets
 helm:
 parameters:
 - name: repo
diff --git a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/root.yml b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/root.yml
index d4122d5ea..2b9ab8014 100644
--- a/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/root.yml
+++ b/app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/root.yml
@@ -10,7 +10,7 @@ spec:
 source:
 repoURL: ${REPO}
 targetRevision: HEAD
- path: appset
+ path: appsets
 helm:
 parameters:
 - name: repo
