diff --git a/common/bootstrap-v2/Chart.yaml b/common/bootstrap-v2/Chart.yaml
new file mode 100644
index 00000000..983b564c
--- /dev/null
+++ b/common/bootstrap-v2/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+type: application
+name: bootstrap-v2
+description: A Helm chart bootstrapping the cluster
+version: 0.2.0
+appVersion: 1.0.0
diff --git a/common/bootstrap-v2/templates/argocd-appproject-infra.yaml b/common/bootstrap-v2/templates/argocd-appproject-infra.yaml
new file mode 100644
index 00000000..2dcfa847
--- /dev/null
+++ b/common/bootstrap-v2/templates/argocd-appproject-infra.yaml
@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: infra
+spec:
+ description: In-cluster applications managed by DevOps team
+ sourceRepos:
+ - '*'
+ destinations:
+ - namespace: '*'
+ server: https://kubernetes.default.svc
+ clusterResourceWhitelist:
+ - group: '*'
+ kind: '*'
+ namespaceResourceWhitelist:
+ - group: '*'
+ kind: '*'
diff --git a/common/bootstrap-v2/templates/argocd-secretmanager.yaml b/common/bootstrap-v2/templates/argocd-secretmanager.yaml
new file mode 100644
index 00000000..9aa40984
--- /dev/null
+++ b/common/bootstrap-v2/templates/argocd-secretmanager.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.externalSecrets.enabled }}
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+ name: argocd-secretmanager
+ namespace: argocd
+spec:
+ provider:
+ {{- if eq .Values.provider "GCP" }}
+ gcpsm:
+ projectID: {{ .Values.GCP.projectID }}
+ {{- end }}
+{{- end }}
diff --git a/common/bootstrap-v2/templates/argocd.yaml b/common/bootstrap-v2/templates/argocd.yaml
new file mode 100644
index 00000000..5fc3d695
--- /dev/null
+++ b/common/bootstrap-v2/templates/argocd.yaml 
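Review bot: The `infra` AppProject grants `sourceRepos: '*'`, `destinations.namespace: '*'` and wildcard cluster and namespace resource whitelists, which makes it no narrower than the built-in `default` project and lets any Application placed in it pull from any repository and write to any namespace. This diff only ever deploys from four sources (argo-helm, charts.external-secrets.io, traefik.github.io/charts and github.com/planetarium/9c-infra) into four namespaces (argocd, external-secrets, traefik and whatever the bootstrap app targets), so `sourceRepos` and `destinations` can be enumerated instead of wildcarded. The cluster-scoped whitelist is harder to pin down from this diff because the charts install CRDs, but a comment explaining why it stays `'*'` would help the next reviewer.
```yaml
  sourceRepos:
    - https://argoproj.github.io/argo-helm
    - https://charts.external-secrets.io
    - https://traefik.github.io/charts
    - https://github.com/planetarium/9c-infra
  # … unchanged: destinations, clusterResourceWhitelist, namespaceResourceWhitelist …
```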
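Review bot: The SecretStore is created as `name: argocd-secretmanager`, but the ExternalSecret added in templates/argocd.yaml (next hunk) points at `secretStoreRef.name: argocd-secretsmanager`, so `github-ssh-client` will never be synced and dex's `$github-ssh-client:...` references will resolve to nothing; pick one spelling for both files, e.g. change the argocd.yaml line to `name: argocd-secretmanager`. When `.Values.provider` is anything other than `GCP`, the template still emits `provider:` with no body, producing a SecretStore with a null provider instead of a clear render-time failure; an `{{- else }}{{ fail "unsupported provider" }}` branch would make that explicit. `projectID: {{ .Values.GCP.projectID }}` is interpolated unquoted and `GCP.projectID` is not declared in values.yaml, so an unset value renders as null rather than a string; `projectID: {{ required "GCP.projectID is required" .Values.GCP.projectID | quote }}` covers both.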
@@ -0,0 +1,71 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argocd
+spec:
+ project: infra
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ source:
+ repoURL: https://argoproj.github.io/argo-helm
+ chart: argo-cd
+ targetRevision: 7.7.16
+ helm:
+ values: |-
+ global:
+ domain: {{ .Values.argocd.domain }}
+ controller:
+ replicas: 1
+ redis-ha:
+ enabled: true
+ repoServer:
+ autoscaling:
+ enabled: true
+ server:
+ autoscaling:
+ enabled: true
+ ingress:
+ enabled: true
+ ingressClassName: traefik
+ configs:
+ params:
+ server.insecure: true
+ rbac:
+ scopes: "[email, groups]"
+ policy.default: role:readonly
+ policy.csv: |
+ g, planetarium:DevOps, role:admin
+ cm:
+ admin.enabled: true
+ statusbadge.enabled: true
+ dex.config: |-
+ connectors:
+ - type: github
+ id: github
+ name: GitHub
+ config:
+ orgs:
+ - name: planetarium
+ clientID: "$github-ssh-client:dex.github.clientId"
+ clientSecret: "$github-ssh-client:dex.github.clientSecret"
+ extraObjects:
+ {{- if .Values.externalSecrets.enabled }}
+ - apiVersion: external-secrets.io/v1beta1
+ kind: ExternalSecret
+ metadata:
+ name: github-ssh-client
+ spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: SecretStore
+ name: argocd-secretsmanager
+ target:
+ name: github-ssh-client
+ dataFrom:
+ - extract:
+ key: {{ .Values.clusterName }}-argocd-github-ssh-client
+ {{- end }}
diff --git a/common/bootstrap-v2/templates/external-secrets.yaml b/common/bootstrap-v2/templates/external-secrets.yaml
new file mode 100644
index 00000000..fe5dab0b
--- /dev/null
+++ b/common/bootstrap-v2/templates/external-secrets.yaml 
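Review bot: The ExternalSecret's `target` only sets `name: github-ssh-client`, so the synced Secret carries no labels; Argo CD resolves `$secret:key` references in `dex.config` only from Secrets labelled `app.kubernetes.io/part-of: argocd`, so even once the store reference is fixed dex will not find `clientID`/`clientSecret` at runtime. Add a `target.template.metadata.labels` block with that label (shown below). Separately, `domain: {{ .Values.argocd.domain }}` and `key: {{ .Values.clusterName }}-argocd-github-ssh-client` are interpolated unquoted inside the values block, so an unset value renders as null or a bare `-argocd-github-ssh-client`; quoting them and using `required` turns that into a render-time error.
```yaml
          target:
            name: github-ssh-client
            template:
              metadata:
                labels:
                  app.kubernetes.io/part-of: argocd
          # … unchanged: dataFrom …
```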
@@ -0,0 +1,24 @@
+{{- if .Values.externalSecrets.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-secrets
+spec:
+ project: infra
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: external-secrets
+ source:
+ repoURL: https://charts.external-secrets.io
+ chart: external-secrets
+ targetRevision: 0.12.1
+ helm:
+ values: |-
+ certController:
+ create: false
+ webhook:
+ create: false
+{{- end }}
diff --git a/common/bootstrap-v2/templates/traefik.yaml b/common/bootstrap-v2/templates/traefik.yaml
new file mode 100644
index 00000000..0ed96bea
--- /dev/null
+++ b/common/bootstrap-v2/templates/traefik.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: traefik
+spec:
+ project: infra
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: traefik
+ source:
+ repoURL: https://traefik.github.io/charts
+ chart: traefik
+ targetRevision: 34.1.0
+ helm:
+ values: |-
+ service:
+ annotations:
+ {{- with $.Values.global.service.annotations }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
diff --git a/common/bootstrap-v2/values.yaml b/common/bootstrap-v2/values.yaml
new file mode 100644
index 00000000..9301c4b2
--- /dev/null
+++ b/common/bootstrap-v2/values.yaml
@@ -0,0 +1,12 @@
+clusterName:
+provider:
+
+global:
+ service:
+ annotations:
+
+argocd:
+ domain:
+
+externalSecrets:
+ enabled: false
diff --git a/gke-ninechronicles-internal/bootstrap.yaml b/gke-ninechronicles-internal/bootstrap.yaml
new file mode 100644
index 00000000..38646130
--- /dev/null
+++ b/gke-ninechronicles-internal/bootstrap.yaml 
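Review bot: Nothing orders this Application before the resources that need its CRDs: the SecretStore in templates/argocd-secretmanager.yaml and the ExternalSecret in templates/argocd.yaml are rendered by the same chart, so the bootstrap chart's first sync will likely fail on the unknown `external-secrets.io/v1beta1` kinds until the operator has been installed. An `argocd.argoproj.io/sync-wave` annotation on this app (earlier wave) and on the SecretStore (later wave), or `SkipDryRunOnMissingResource=true` in the consumers' sync options, makes the dependency explicit. `webhook.create: false` also switches off the operator's admission validation, so a malformed SecretStore (for example the empty `provider:` rendered when `provider` is not `GCP`) is accepted and only shows up later as a status condition; that trade-off deserves a comment next to the line, e.g. `# webhook disabled: no admission validation of (External)SecretStore objects`.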
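Review bot: `{{- with $.Values.global.service.annotations }}` is the only place in the chart that uses the root `$` form; the sibling templates use `.Values`, and no `range`/`with` rescopes `.` before this line, so `.Values.global.service.annotations` reads the same value and keeps the style consistent. When the value is unset, the rendered values block is left with `annotations:` and no body (null), which is fine for a `with` guard but worth a one-line comment such as `# optional: merged verbatim into traefik's service.annotations` so nobody "fixes" it to `{}` and changes the rendered output.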
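Review bot: values.yaml declares `clusterName`, `provider`, `argocd.domain` and `global.service.annotations` as bare keys (null) with no comment saying which are required or what values are accepted, and `GCP.projectID`, which templates/argocd-secretmanager.yaml reads, is not declared at all. Because `clusterName` and `argocd.domain` are interpolated unquoted into an ExternalSecret key and the argo-cd values, an unset value silently renders as null or a malformed name instead of failing. Add a `# required` / `# one of: GCP` comment per key and a `GCP:` stanza with `projectID: ""` so the contract is visible, and guard the templates with `required`.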
@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: bootstrap
+spec:
+ project: infra
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ source:
+ repoURL: https://github.com/planetarium/9c-infra
+ targetRevision: gke
+ path: common/bootstrap-v2
+ helm:
+ values: |
+ clusterName: ninechronicles-internal-test-1
+ provider: GCP
+
+ GCP:
+ projectID: devops-test-445104
+
+ global:
+ service:
+ annotations:
+ cloud.google.com/network-tier: Standard
+
+ argocd:
+ domain: argocd-internal-gke.planetarium.network
+
+ externalSecrets:
+ enabled: true
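Review bot: This Application is placed in `project: infra`, but the `infra` AppProject is created by the very chart it installs (common/bootstrap-v2), so on a fresh cluster the app is likely to be reported as invalid (project does not exist) until someone applies the AppProject by hand; either keep the bootstrap app in `default` or document the manual first step in a comment above `project:`. `targetRevision: gke` tracks a branch, so what this cluster runs changes with every push to it with no change to this file; pinning a tag or commit and bumping it here keeps the bootstrap reproducible and reviewable. `provider: GCP` and `externalSecrets: enabled: true` together activate the SecretStore path, so this file is the one that exercises the store-name mismatch raised on the chart's templates.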