Merge pull request #165 from cloud-pi-native/develop

Develop
cloud-pi-native · Mar 1, 2024 · 5685e58 · 5685e58
2 parents 37c23c7 + fcab4e2
commit 5685e58
Show file tree

Hide file tree

Showing 38 changed files with 24,949 additions and 213 deletions.
diff --git a/README.md b/README.md
diff --git a/admin-tools/get-credentials.yaml b/admin-tools/get-credentials.yaml
@@ -123,6 +123,7 @@
         - argocd
         - console
         - console-dso
+        - grafana
 
     - name: Set Keycloak DSO user facts
       ansible.builtin.set_fact:
@@ -134,6 +135,7 @@
         - argocd
         - console
         - console-dso
+        - grafana
 
     #    - name: Get Keycloak admin secret
     #      kubernetes.core.k8s_info:
@@ -243,21 +245,27 @@
         - console
         - console-dso
 
-    - name: Get Grafana credentials secret
-      kubernetes.core.k8s_info:
-        namespace: "{{ dsc.grafana.namespace }}"
-        kind: Secret
-        name: grafana-creds
-      register: grafana_creds
+    - name: Initialize grafana_name fact
+      ansible.builtin.set_fact:
+        grafana_name: "{{ dsc_name }}-prod"
       tags:
+        - never
+        - grafana
+
+    - name: Set grafana_name
+      when: dsc.global.environment != 'production'
+      ansible.builtin.set_fact:
+        grafana_name: "{{ dsc_name }}-horsprod"
+      tags:
+        - never
         - grafana
 
     - name: Display Grafana URL and credentials
       ansible.builtin.debug:
         msg:
-          - "URL: https://{{ dsc.grafana.subDomain }}{{ dsc.global.rootDomain }} "
-          - "Admin username: {{ grafana_creds.resources[0].data.GF_SECURITY_ADMIN_USER | b64decode }} "
-          - "Admin password: {{ grafana_creds.resources[0].data.GF_SECURITY_ADMIN_PASSWORD | b64decode }} "
+          - "URL: https://{{ dsc.grafana.subDomain }}{{ dsc.global.rootDomain }}/{{ grafana_name }} "
+          - "Admin username: {{ keycloak_user }} "
+          - "Admin password: {{ keycloak_user_password }} "
       tags:
         - never
         - grafana
diff --git a/install.yaml b/install.yaml
@@ -21,10 +21,9 @@
         - cert-manager
         - cm
 
-    - name: confSyncer
+    - name: kyverno
       tags:
-        - confSyncer
-        - kubed
+        - kyverno
 
     - name: cloudnativepg
       tags:
@@ -98,6 +97,11 @@
         - grafana-datasource
         - never
 
+    - name: grafana-dashboards
+      tags:
+        - grafana-dashboards
+        - never
+
   post_tasks:
     - name: Post-Install Disclaimer
       ansible.builtin.debug:

diff --git a/roles/argocd/tasks/main.yaml b/roles/argocd/tasks/main.yaml
@@ -29,6 +29,12 @@
         - kind: ServiceAccount
           namespace: "{{ dsc.argocd.namespace }}"
           name: argo-redis
+        - kind: ServiceAccount
+          namespace: "{{ dsc.argocd.namespace }}"
+          name: argo-redis-master
+        - kind: ServiceAccount
+          namespace: "{{ dsc.argocd.namespace }}"
+          name: argo-redis-replica
 
 - name: Add helm repo
   kubernetes.core.helm_repository:

diff --git a/roles/argocd/templates/values/00-main.j2 b/roles/argocd/templates/values/00-main.j2
@@ -1,6 +1,8 @@
 securityContext: &securityContext
   containerSecurityContext:
     runAsUser: null
+    runAsGroup: null
+    seLinuxOptions: null
   podSecurityContext:
     fsGroup: null
 
@@ -9,15 +11,39 @@ config:
   secret:
     argocdServerAdminPassword: "{{ dsc.argocd.admin.password }}"
 {% endif %}
+  rbac:
+    policy.csv: |
+      p, role:admin, *, *, */*, allow
+      p, role:nada, *, *, */*, deny
+      g, system:cluster-admins, role:admin
+      g, cluster-admins, role:admin
+      g, /ArgoCDAdmins, role:admin
+      g, ArgoCDAdmins, role:admin
+    scopes: "[groups]"
+    policy.default: role:nada
+    admin.enabled: "false"
 redis:
-  <<: *securityContext
   architecture: replication
+  master:
+    podSecurityContext:
+      enabled: false
+    containerSecurityContext:
+      enabled: false
+  replica:
+    podSecurityContext:
+      enabled: false
+    containerSecurityContext:
+      enabled: false
 {% if dsc.global.metrics.enabled %}
   metrics:
     enabled: true
     serviceMonitor:
       enabled: true
       namespace: {{ dsc.argocd.namespace }}
+    podSecurityContext:
+      enabled: false
+    containerSecurityContext:
+      enabled: false
 {% endif %}
 controller:
   <<: *securityContext
@@ -82,24 +108,8 @@ repoServer:
       enabled: true
       namespace: {{ dsc.argocd.namespace }}
 {% endif %}
-extraDeploy:
-  - apiVersion: v1
-    data:
-      policy.csv: |
-        p, role:admin, *, *, */*, allow
-        p, role:nada, *, *, */*, deny
-        g, system:cluster-admins, role:admin
-        g, cluster-admins, role:admin
-        g, /ArgoCDAdmins, role:admin
-        g, ArgoCDAdmins, role:admin
-      scopes: "[groups]"
-      policy.default: role:nada
-      admin.enabled: "false"
-    kind: ConfigMap
-    metadata:
-      name: argocd-rbac-cm
-      namespace: {{ dsc.argocd.namespace }}
 applicationSet:
+  enabled: false
   replicaCount: 3
   webhook:
     ingress:
@@ -112,6 +122,7 @@ applicationSet:
       namespace: {{ dsc.argocd.namespace }}
 {% endif %}
 notifications:
+  enabled: false
   webhook:
     ingress:
       ingressClassName: {{ dsc.ingress.className | default('') }}

diff --git a/roles/console-dso/templates/project.j2 b/roles/console-dso/templates/project.j2
@@ -24,6 +24,7 @@ spec:
     name: admin-RO
     policies:
     - p, proj:console-pi-native:admin, applications, get, console-pi-native/*, allow
+    - p, proj:console-pi-native:admin-RO, applications, get, console-pi-native/*, allow
   - description: admin-RW
     groups:
     - /admin
@@ -33,5 +34,6 @@ spec:
     name: admin-RW
     policies:
     - p, proj:console-pi-native:admin, applications, *, console-pi-native/*, *
+    - p, proj:console-pi-native:admin-RW, applications, *, console-pi-native/*, *
   sourceRepos:
   - https://github.com/cloud-pi-native/console.git
diff --git a/roles/gitlab/tasks/add-podmonitors.yaml b/roles/gitlab/tasks/add-podmonitors.yaml
diff --git a/roles/gitlab/tasks/main.yaml b/roles/gitlab/tasks/main.yaml
@@ -351,7 +351,3 @@
         file: add-servicemonitors.yaml
       loop: "{{ gitlab_additional_service_monitors }}"
 
-    - name: Declare some additionnal PodMonitors
-      ansible.builtin.include_tasks:
-        file: add-podmonitors.yaml
-      loop: "{{ gitlab_additional_pod_monitors }}"
diff --git a/roles/gitlab/tasks/patch-servicemonitors.yaml b/roles/gitlab/tasks/patch-servicemonitors.yaml
@@ -29,4 +29,4 @@
               key: ""
             interval: 30s
             path: "{{item.path}}"
-            port: "{{ metrics_port_name }}"
+            port: "{{ metrics_port_name }}"
diff --git a/roles/gitlab/templates/servicemonitor.yml.j2 b/roles/gitlab/templates/servicemonitor.yml.j2
@@ -13,7 +13,6 @@ spec:
   namespaceSelector: {}
   selector:
     matchLabels:
-      app: {{ item.name }}
       app.kubernetes.io/component: {{ item.name }}
       app.kubernetes.io/instance: gitlab-{{ item.name }}
       app.kubernetes.io/managed-by: gitlab-operator

diff --git a/roles/gitlab/templates/values/00-main.j2 b/roles/gitlab/templates/values/00-main.j2
@@ -11,12 +11,40 @@ gitlab:
   webservice:
     registry:
       enabled: false
+{% if dsc.global.metrics.enabled %}
+    metrics:
+      serviceMonitor:
+        enabled: true
+{% endif %}
   sidekiq:
     registry:
       enabled: false
+{% if dsc.global.metrics.enabled %}
+    metrics:
+      podMonitor:
+        enabled: true
+{% endif %}
   unicorn:
     registry:
       enabled: false
+  gitaly:
+{% if dsc.global.metrics.enabled %}
+    metrics:
+      serviceMonitor:
+        enabled: true
+{% endif %}
+  gitlab-exporter:
+{% if dsc.global.metrics.enabled %}
+    metrics:
+      serviceMonitor:
+        enabled: true
+{% endif %}
+  kas:
+{% if dsc.global.metrics.enabled %}
+    metrics:
+      serviceMonitor:
+        enabled: true
+{% endif %}
 
 global:
   registry:

diff --git a/roles/gitlab/vars/main.yaml b/roles/gitlab/vars/main.yaml
@@ -1,29 +1,13 @@
 ---
 gitlab_service_monitors:
-  - name: gitaly
-    port: 9236
-    path: /metrics
-  - name: gitlab-exporter
-    port: 9168
-    path: /metrics
   - name: postgresql
     port: 9187
     path: /metrics
     metrics_endpoint_name: metrics
+
+gitlab_additional_service_monitors:
   - name: redis
     port: 9121
     path: /metrics
     metrics_endpoint_name: metrics
-  - name: webservice
-    port: 8083
-    path: /metrics
 
-gitlab_additional_service_monitors:
-  - name: kas
-    port: 8151
-    path: /metrics
-
-gitlab_additional_pod_monitors:
-  - name: sidekiq
-    port: 3807
-    path: /metrics
diff --git a/roles/grafana-dashboards/tasks/main.yaml b/roles/grafana-dashboards/tasks/main.yaml
@@ -0,0 +1,28 @@
+---
+- name: Initialize grafana_label fact
+  ansible.builtin.set_fact:
+    grafana_label: "{{ dsc_name }}-prod"
+
+- name: Set grafana_label
+  when: dsc.global.environment != 'production'
+  ansible.builtin.set_fact:
+    grafana_label: "{{ dsc_name }}-horsprod"
+
+- name: Get Grafana instance
+  kubernetes.core.k8s_info:
+    api_version: grafana.integreatly.org/v1beta1
+    namespace: "{{ dsc.grafana.namespace }}"
+    kind: Grafana
+    label_selectors:
+      - app={{ grafana_label }}
+  register: gf_instance
+
+- name: Manage missing Grafana instance.
+  when: gf_instance.resources | length == 0
+  ansible.builtin.fail:
+    msg: "Missing Grafana instance. Please execute 'ansible-playbook install.yaml -t grafana' before trying to install the default datasource."
+
+- name: Create Grafana dashboards
+  kubernetes.core.k8s:
+    template: "{{ item.dashboard_template }}"
+  loop: "{{ grafana_dashboards }}"