Oke gitops 1.1.2

app-dev/devops-and-containers/oke/oke-gitops/README.md

@@ -139,7 +139,7 @@ This stack will:
 * Create 2 OCI Code Repositories: one with pipelines definitions, and another one called "oke-cluster-config" with the git template for the OKE cluster administrators
 * Create an OCI Build Pipeline that will mirror the ArgoCD Helm Chart inside the Oracle Cloud Registry, and deploy it in the chosen cluster
 
-[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-gitops-1.1.1/stack.zip)
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/oke-gitops-1.1.2/stack.zip)
 
 Once the stack has been provisioned, you can modify the ArgoCD version to deploy by editing the `mirror_argo.yaml` file in the `pipelines` repository.
 By default, ArgoCD will be deployed in an "insecure" mode to disable the default SSL certificate, but feel free to modify the chart values in the `argo-cd-chart-values` artifact.

app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/app-category/example-app/config/config-hub.json

@@ -3,7 +3,7 @@
     "repo": "https://example-app/chart",
     "name": "app",
     "version": "*",
-    "release-name": "example-app"
+    "releaseName": "example-app"
   },
   "namespace": "default"
 }

app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/apps/app-category/example-app/config/config-prod.json

@@ -3,7 +3,7 @@
     "repo": "https://example-app/chart",
     "name": "app",
     "version": "1.0.0",
-    "release-name": "example-app"
+    "releaseName": "example-app"
   },
   "namespace": "default"
 }

app-dev/devops-and-containers/oke/oke-gitops/repos/apps-cluster-config/appsets/hub/app-category/example-app.yml

@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
-  name: example-app
+  name: example-app-hub
   namespace: argocd
 spec:
   goTemplate: true
@@ -36,7 +36,7 @@ spec:
             releaseName: '{{.chart.releaseName}}'
             valueFiles:
               - $values/apps/{{index .path.segments 1}}/{{index .path.segments 2}}/helm/values/values-common.yml
-              - $values/apps/{{index .path.segments 1}}/{{index .path.segments 2}}/helm/values/values-{{.metadata.labels.type }}.yml
+              - $values/apps/{{index .path.segments 1}}/{{index .path.segments 2}}/helm/values/{{.metadata.labels.type}}/values.yml
 
         - repoURL: #REPOURL
           targetRevision: HEAD

app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/README.md

@@ -24,8 +24,9 @@ Under `Settings --> Repositories` click on **CONNECT REPO** and select to connec
 Fill the form with the following values:
 1. `Repository type`: "git"
 2. `Repository URL`: <oke-cluster-config clone URL>
-3. `Username`: \<OCI username of a user with access to the git repository>
-4. `Password`: \<Auth Token of the user>
+3. `Project`. "None" (leave blank)
+4. `Username`: \<OCI username of a user with access to the git repository>
+5. `Password`: \<Auth Token of the user>
 
 The repository we want to connect to is the system-cluster-config repository in OCI DevOps, already created by the Resource Manager Stack.
 It's better to go into the OCI DevOps, find the repository, and find the right HTTPS clone URL.
@@ -64,7 +65,7 @@ This repository organizes configurations to install tools and configure clusters
 ## Repository Structure
 
 ```
-repos/system-cluster-config/
+system-cluster-config/
 ├── hub.yml                 # ArgoCD Application to deploy ApplicationSets to the hub cluster
 ├── in-cluster.yml          # Secret defining the hub cluster itself
 ├── apps/                   # Application definitions, organized by category

app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/app-category/example-app/config/config-hub.json

@@ -3,7 +3,7 @@
     "repo": "https://example-app/chart",
     "name": "app",
     "version": "*",
-    "release-name": "example-app"
+    "releaseName": "example-app"
   },
   "namespace": "default"
 }

app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/app-category/example-app/config/config-prod.json

@@ -3,7 +3,7 @@
     "repo": "https://example-app/chart",
     "name": "app",
     "version": "1.0.0",
-    "release-name": "example-app"
+    "releaseName": "example-app"
   },
   "namespace": "default"
 }

app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/ci-cd/argocd/config/config-hub.json

@@ -3,7 +3,7 @@
     "repo": "https://argoproj.github.io/argo-helm",
     "name": "argo-cd",
     "version": "*",
-    "release-name": "argocd"
+    "releaseName": "argocd"
   },
   "namespace": "argocd"
 }

app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/network/traefik/config/config-hub.json

@@ -0,0 +1,9 @@
+{
+  "chart": {
+    "repo": "https://traefik.github.io/charts",
+    "name": "traefik",
+    "version": "*",
+    "releaseName": "traefik"
+  },
+  "namespace": "traefik"
+}

app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/network/traefik/helm/values/hub/values-additional-service-private-flannel.yml

@@ -0,0 +1,60 @@
+# If your default LB is a public one, and you also want to expose Traefik internally through an additional NLB, these are the configurations
+
+ports:
+  private-web:
+    # Ports must be different
+    port: 8001
+    expose:
+      default: false    # do not expose on the default that is public
+      internal: true    # this entrypoint is exposed to the internal additional service
+    exposedPort: 80
+    redirections:
+      entryPoint:
+        to: private-websecure
+        scheme: https
+  private-websecure:
+    # Ports must be different
+    port: 8444
+    expose:
+      default: false
+      internal: true
+    exposedPort: 443
+    # Traefik will need to handle TLS termination for private network load balancers
+    tls:
+      enabled: true
+
+service:
+  additionalServices:
+    internal:
+      type: LoadBalancer
+      annotations:
+        oci.oraclecloud.com/load-balancer-type: "nlb"
+        # Always specify the NLB to be internal, or creation will fail
+        oci-network-load-balancer.oraclecloud.com/internal: "true"
+
+        # Specify a private subnet OCID where to create the NLB. MUST BE SET IF THE DEFAULT LB SUBNET FOR OKE IS PUBLIC!
+        #oci-network-load-balancer.oraclecloud.com/subnet: "<subnet-OCID>"
+
+        # Better to attach 2 NSGs, one containing only ingress rules, the other containing only egress rules
+        oci-network-load-balancer.oraclecloud.com/oci-network-security-groups: "ocid1.networksecuritygroup...,ocid1.networksecuritygroup..."
+        # By setting this to None, you will be in charge of writing all the security rules, CCM will not be allowed to set automatically any security rule
+        oci.oraclecloud.com/security-rule-management-mode: "None"
+
+        # Defaults to FIVE_TUPLE, other values are TWO_TUPLE and THREE_TUPLE
+        #oci-network-load-balancer.oraclecloud.com/backend-policy: "FIVE_TUPLE"
+
+        # Health check configurations
+        oci-network-load-balancer.oraclecloud.com/health-check-interval: "10000"
+        oci-network-load-balancer.oraclecloud.com/health-check-timeout: "2000"
+        oci-network-load-balancer.oraclecloud.com/health-check-retries: "3"
+
+        # If needed, you can reserve and assign a private IP address
+        #oci-network-load-balancer.oraclecloud.com/assigned-private-ipv4: "<ipv4-address>"
+
+        # Default value is true. Set this to false if you do not want to preserve source IP address or if you need proxy protocol
+        #oci-network-load-balancer.oraclecloud.com/is-preserve-source: "true"
+
+        # Enable proxy protocol for IP preservation. NOTE: oci-network-load-balancer.oraclecloud.com/is-preserve-source must be explicitly set to false for this to work
+        #oci-network-load-balancer.oraclecloud.com/is-ppv2-enabled: "true"
+      spec:
+        externalTrafficPolicy: "Local"

app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/network/traefik/helm/values/hub/values-additional-service-private-vcn-native.yml

@@ -0,0 +1,63 @@
+# If your default LB is a public one, and you also want to expose Traefik internally through an additional NLB, these are the configurations
+
+ports:
+  private-web:
+    # Ports must be different
+    port: 8001
+    expose:
+      default: false    # do not expose on the default that is public
+      internal: true    # this entrypoint is exposed to the internal additional service
+    exposedPort: 80
+    redirections:
+      entryPoint:
+        to: private-websecure
+        scheme: https
+  private-websecure:
+    # Ports must be different
+    port: 8444
+    expose:
+      default: false
+      internal: true
+    exposedPort: 443
+    # Traefik will need to handle TLS termination for private network load balancers
+    tls:
+      enabled: true
+
+service:
+  additionalServices:
+    internal:
+      type: LoadBalancer
+      annotations:
+        oci.oraclecloud.com/load-balancer-type: "nlb"
+        # Always specify the NLB to be internal, or creation will fail
+        oci-network-load-balancer.oraclecloud.com/internal: "true"
+
+        # Specify a private subnet OCID where to create the NLB. MUST BE SET IF THE DEFAULT LB SUBNET FOR OKE IS PUBLIC!
+        # oci-network-load-balancer.oraclecloud.com/subnet: "ocid1.subnet.oc1..."
+
+        # Better to attach 2 NSGs, one containing only ingress rules, the other containing only egress rules
+        oci-network-load-balancer.oraclecloud.com/oci-network-security-groups: "ocid1.networksecuritygroup.oc1...,ocid1.networksecuritygroup.oc1..."
+        # By setting this to None, you will be in charge of writing all the security rules, CCM will not be allowed to set automatically any security rule
+        oci.oraclecloud.com/security-rule-management-mode: "None"
+
+        # Defaults to FIVE_TUPLE, other values are TWO_TUPLE and THREE_TUPLE
+        #oci-network-load-balancer.oraclecloud.com/backend-policy: "FIVE_TUPLE"
+
+        # Pods as Backends configuration: health check
+        oci-network-load-balancer.oraclecloud.com/health-check: '{"protocol": "HTTP", "port": 8080, "urlPath": "/healthz", "returnCode": 200, "retries": 3, "timeoutInMillis": 2000}'
+
+        # If needed, you can reserve and assign a private IP address
+        #oci-network-load-balancer.oraclecloud.com/assigned-private-ipv4: "<ipv4-address>"
+
+        # Default value is true. Set this to false if you do not want to preserve source IP address or if you need proxy protocol
+        #oci-network-load-balancer.oraclecloud.com/is-preserve-source: "true"
+
+        # Enable proxy protocol for IP preservation. NOTE: oci-network-load-balancer.oraclecloud.com/is-preserve-source must be explicitly set to false for this to work
+        #oci-network-load-balancer.oraclecloud.com/is-ppv2-enabled: "true"
+      spec:
+        # We are forced to put Cluster here because of the risk of packet drops when a readiness gate is implemented.
+        # Example: LB health check is OK before readiness, the packet will be forwarded, but the ingress is still not available from a Kubernetes perspective.
+        # Then, if the externalTrafficPolicy is Local, the packet will just be dropped, instead of being re-routed to an ingress pod in another node
+        externalTrafficPolicy: "Cluster"
+        # Necessary for Pods as Backends
+        allocateLoadBalancerNodePorts: false

app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/network/traefik/helm/values/hub/values-additional-service-public-flannel.yml

@@ -0,0 +1,74 @@
+# If your default LB is a private one, and you also want to expose Traefik externally through a public LB, these are the configurations
+
+ports:
+  public-web:
+    # Ports must be different
+    port: 8001
+    expose:
+      default: false    # do not expose on the default that is private
+      external: true    # this entrypoint is exposed to the external additional service
+    exposedPort: 80
+    redirections:
+      entryPoint:
+        to: public-websecure
+        scheme: https
+  public-websecure:
+    # Ports must be different
+    port: 8444
+    expose:
+      default: false
+      external: true
+    exposedPort: 443
+    # LB will handle TLS termination
+    tls:
+      enabled: false
+
+service:
+  additionalServices:
+    external:
+      type: LoadBalancer
+      annotations:
+        oci.oraclecloud.com/load-balancer-type: "lb"
+        service.beta.kubernetes.io/oci-load-balancer-shape: "flexible"
+        # Set suitable values for min-max bandwidth
+        service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10"
+        service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "10"
+        # Better to attach 2 NSGs, one containing only ingress rules, the other containing only egress rules
+        oci.oraclecloud.com/oci-network-security-groups: "ocid1.networksecuritygroup...,ocid1.networksecuritygroup..."
+        # By setting this to None, you will be in charge of writing all the security rules, CCM will not be allowed to set automatically any security rule
+        oci.oraclecloud.com/security-rule-management-mode: "None"
+        # Set listener to HTTP if you want to use WAF, otherwise TCP
+        service.beta.kubernetes.io/oci-load-balancer-backend-protocol: "HTTP"
+
+        # MUST specify a public subnet where to create the LB
+        service.beta.kubernetes.io/oci-load-balancer-subnet1: "<subnet-OCID>"
+
+        # TLS termination. The secret must be present in the traefik namespace. Only 1 certificate is supported, and to rotate you need to create a new secret and modify this annotation
+        service.beta.kubernetes.io/oci-load-balancer-ssl-ports: "443"
+        service.beta.kubernetes.io/oci-load-balancer-tls-secret: "ssl-certificate-secret"
+        #oci.oraclecloud.com/oci-load-balancer-listener-ssl-config: '{"CipherSuiteName":"oci-default-http2-tls-12-13-ssl-cipher-suite-v1", "Protocols":["TLSv1.3"]}'
+
+        # Specify load balancer policy if needed, supported values are ROUND_ROBIN, LEAST_CONNECTIONS, IP_HASH
+        oci.oraclecloud.com/loadbalancer-policy: "ROUND_ROBIN"
+        # Health check configurations
+        service.beta.kubernetes.io/oci-load-balancer-health-check-interval: "3000"
+        service.beta.kubernetes.io/oci-load-balancer-health-check-timeout: "2000"
+        service.beta.kubernetes.io/oci-load-balancer-health-check-retries: "3"
+        # Connection idle timeout, for TCP listener max is 300 seconds, for HTTP max is 60 seconds
+        service.beta.kubernetes.io/oci-load-balancer-connection-idle-timeout: "60"
+        # For security, better limit the HTTP header size
+        oci.oraclecloud.com/oci-load-balancer-rule-sets: |
+          {
+            "header_size": {
+              "items": [
+                {
+                  "action": "HTTP_HEADER",
+                  "httpLargeHeaderSizeInKB": 16
+                }
+              ]
+            }
+          }
+      spec:
+        externalTrafficPolicy: "Local"
+        # Public Reserved IP
+        #loadBalancerIP: "140.121.164.12"

app-dev/devops-and-containers/oke/oke-gitops/repos/system-cluster-config/apps/network/traefik/helm/values/hub/values-additional-service-public-vcn-native.yml

@@ -0,0 +1,78 @@
+# If your default LB is a private one, and you also want to expose Traefik externally through a public LB, these are the configurations
+
+ports:
+  public-web:
+    # Ports must be different
+    port: 8001
+    expose:
+      default: false    # do not expose on the default that is private
+      external: true    # this entrypoint is exposed to the external additional service
+    exposedPort: 80
+    redirections:
+      entryPoint:
+        to: public-websecure
+        scheme: https
+  public-websecure:
+    # Ports must be different
+    port: 8444
+    expose:
+      default: false
+      external: true
+    exposedPort: 443
+    # LB will handle TLS termination
+    tls:
+      enabled: false
+
+service:
+  additionalServices:
+    external:
+      type: LoadBalancer
+      annotations:
+        oci.oraclecloud.com/load-balancer-type: "lb"
+        service.beta.kubernetes.io/oci-load-balancer-shape: "flexible"
+        # Set suitable values for min-max bandwidth
+        service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10"
+        service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "10"
+
+        # MUST specify a public subnet where to create the LB
+        service.beta.kubernetes.io/oci-load-balancer-subnet1: "<subnet-OCID>"
+
+        # Better to attach 2 NSGs, one containing only ingress rules, the other containing only egress rules
+        oci.oraclecloud.com/oci-network-security-groups: "ocid1.networksecuritygroup...,ocid1.networksecuritygroup..."
+        # By setting this to None, you will be in charge of writing all the security rules, CCM will not be allowed to set automatically any security rule
+        oci.oraclecloud.com/security-rule-management-mode: "None"
+        # Set listener to HTTP if you want to use WAF, otherwise TCP
+        service.beta.kubernetes.io/oci-load-balancer-backend-protocol: "HTTP"
+
+        # TLS termination. The secret must be present in the traefik namespace. Only 1 certificate is supported, and to rotate you need to create a new secret and modify this annotation
+        service.beta.kubernetes.io/oci-load-balancer-ssl-ports: "443"
+        service.beta.kubernetes.io/oci-load-balancer-tls-secret: "ssl-certificate-secret"
+        #oci.oraclecloud.com/oci-load-balancer-listener-ssl-config: '{"CipherSuiteName":"oci-default-http2-tls-12-13-ssl-cipher-suite-v1", "Protocols":["TLSv1.3"]}'
+
+        # Specify load balancer policy if needed, supported values are ROUND_ROBIN, LEAST_CONNECTIONS, IP_HASH
+        oci.oraclecloud.com/loadbalancer-policy: "ROUND_ROBIN"
+        # Connection idle timeout, for TCP listener max is 300 seconds, for HTTP max is 60 seconds
+        service.beta.kubernetes.io/oci-load-balancer-connection-idle-timeout: "60"
+        # For security, better limit the HTTP header size
+        oci.oraclecloud.com/oci-load-balancer-rule-sets: |
+          {
+            "header_size": {
+              "items": [
+                {
+                  "action": "HTTP_HEADER",
+                  "httpLargeHeaderSizeInKB": 16
+                }
+              ]
+            }
+          }
+        # Pods as Backends configuration: health check
+        oci-load-balancer.oraclecloud.com/health-check: '{"protocol": "HTTP", "port": 8080, "urlPath": "/healthz", "returnCode": 200, "retries": 3, "timeoutInMillis": 2000}'
+      spec:
+        # We are forced to put Cluster here because of the risk of packet drops when a readiness gate is implemented.
+        # Example: LB health check is OK before readiness, the packet will be forwarded, but the ingress is still not available from a Kubernetes perspective.
+        # Then, if the externalTrafficPolicy is Local, the packet will just be dropped, instead of being re-routed to an ingress pod in another node
+        externalTrafficPolicy: "Cluster"
+        # Public Reserved IP
+        #loadBalancerIP: "140.121.164.12"
+        # Necessary for Pods as Backends
+        allocateLoadBalancerNodePorts: false