diff --git a/template/registry/coder.yaml b/template/registry/coder.yaml new file mode 100644 index 0000000..40cfffb --- /dev/null +++ b/template/registry/coder.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: coder-reg + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + name: in-cluster + namespace: argocd + source: + path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/coder" + repoURL: "https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}" + targetRevision: HEAD + project: default + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/template/registry/garm.yaml b/template/registry/garm.yaml new file mode 100644 index 0000000..3b9a08c --- /dev/null +++ b/template/registry/garm.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: garm-reg + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + name: in-cluster + namespace: argocd + source: + path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/garm" + repoURL: "https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}" + targetRevision: HEAD + project: default + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/template/registry/terralist.yaml b/template/registry/terralist.yaml new file mode 100644 index 0000000..167345d --- /dev/null +++ b/template/registry/terralist.yaml 
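Review bot: All three registry Applications (coder-reg here, garm-reg in the next hunk, terralist-reg in the one after) sit in `project: default` while syncing `targetRevision: HEAD` of the client repository with `prune: true` and `selfHeal: true`, so whoever can push to that branch fully controls what these Applications create, and no AppProject restricts source repositories or destination namespaces. A dedicated AppProject that limits `sourceRepos` to the client repository and `destinations` to the namespaces these stacks use, referenced via `project: <project-name>`, would bound that blast radius. If tracking HEAD is intentional for the dev environment, a one-line comment saying so would help; naming the branch explicitly would at least make the tracked ref visible.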
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: terralist-reg + namespace: argocd + labels: + env: dev + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + name: in-cluster + namespace: argocd + source: + path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/terralist" + repoURL: "https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}}" + targetRevision: HEAD + project: default + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/template/stacks/coder/coder.yaml b/template/stacks/coder/coder.yaml new file mode 100644 index 0000000..a0eaa9c --- /dev/null +++ b/template/stacks/coder/coder.yaml @@ -0,0 +1,32 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: coder + namespace: argocd + labels: + env: dev +spec: + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: -1 + destination: + name: in-cluster + namespace: coder + sources: + - repoURL: https://helm.coder.com/v2 + chart: coder + targetRevision: 2.28.3 + helm: + valueFiles: + - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/coder/coder/values.yaml + - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}} + targetRevision: HEAD + ref: values + - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}} + targetRevision: HEAD + path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/coder/coder/manifests" diff --git a/template/stacks/coder/coder/manifests/postgres.yaml b/template/stacks/coder/coder/manifests/postgres.yaml new file mode 100644 index 0000000..cae4b97 --- /dev/null +++ b/template/stacks/coder/coder/manifests/postgres.yaml 
@@ -0,0 +1,38 @@ +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: coder-db + namespace: coder +spec: + instances: 1 + primaryUpdateStrategy: unsupervised + resources: + requests: + memory: "1Gi" + cpu: "1" + limits: + memory: "1Gi" + cpu: "1" + managed: + roles: + - name: coder + createdb: true + login: true + passwordSecret: + name: coder-db-user + storage: + size: 10Gi + storageClass: csi-disk +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Database +metadata: + name: coder + namespace: coder +spec: + cluster: + name: coder-db + name: coder + owner: coder +--- diff --git a/template/stacks/coder/coder/values.yaml b/template/stacks/coder/coder/values.yaml new file mode 100644 index 0000000..df4334e --- /dev/null +++ b/template/stacks/coder/coder/values.yaml 
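Review bot: The CNPG `storage` block sets `storageClass: csi-disk` but, unlike every other persistent volume touched in this change (the Forgejo backup PVC, the Grafana PVC, the VictoriaMetrics and VictoriaLogs storage), carries no `everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}}` annotation, so the Coder database volume would be the only one without the KMS encryption annotation unless the storage class encrypts by default. CNPG does not take PVC annotations under `storage`; `spec.inheritedMetadata.annotations` is the usual way to propagate them to generated PVCs — confirm against the operator version deployed here. The Cluster also has `instances: 1` and no `backup` section, so the database has neither a replica nor a recovery path; if that is acceptable for dev, a comment stating it would help. The trailing `---` after the Database document is a stray separator and can be dropped.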
@@ -0,0 +1,61 @@ +coder: + # You can specify any environment variables you'd like to pass to Coder + # here. Coder consumes environment variables listed in + # `coder server --help`, and these environment variables are also passed + # to the workspace provisioner (so you can consume them in your Terraform + # templates for auth keys etc.). + # + # Please keep in mind that you should not set `CODER_HTTP_ADDRESS`, + # `CODER_TLS_ENABLE`, `CODER_TLS_CERT_FILE` or `CODER_TLS_KEY_FILE` as + # they are already set by the Helm chart and will cause conflicts. + env: + - name: CODER_ACCESS_URL + value: https://coder.{{{ .Env.DOMAIN_GITEA }}} + - name: CODER_PG_CONNECTION_URL + valueFrom: + secretKeyRef: + # You'll need to create a secret called coder-db-url with your + # Postgres connection URL like: + # postgres://coder:password@postgres:5432/coder?sslmode=disable + name: coder-db-user + key: url + # For production deployments, we recommend configuring your own GitHub + # OAuth2 provider and disabling the default one. + - name: CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE + value: "false" + - name: EDGE_CONNECT_ENDPOINT + valueFrom: + secretKeyRef: + name: edge-credential + key: endpoint + - name: EDGE_CONNECT_USERNAME + valueFrom: + secretKeyRef: + name: edge-credential + key: username + - name: EDGE_CONNECT_PASSWORD + valueFrom: + secretKeyRef: + name: edge-credential + key: password + + # (Optional) For production deployments the access URL should be set. + # If you're just trying Coder, access the dashboard via the service IP. + # - name: CODER_ACCESS_URL + # value: "https://coder.example.com" + + #tls: + # secretNames: + # - my-tls-secret-name + service: + type: ClusterIP + + ingress: + enable: true + className: nginx + host: coder.{{{ .Env.DOMAIN_GITEA }}} + annotations: + cert-manager.io/cluster-issuer: main + tls: + enable: true + secretName: coder-tls-secret 
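Review bot: The comment above `CODER_PG_CONNECTION_URL` still instructs the operator to create a secret called `coder-db-url`, while the reference below reads key `url` from `coder-db-user`, the same secret the CNPG Cluster in postgres.yaml uses as `passwordSecret` for the managed role. CNPG expects that secret to hold the role's username and password; whether it also carries a `url` key depends on how it is provisioned, which this change does not show — confirm, and update the comment to name the actual secret and key, e.g. `# Secret coder-db-user must also carry key "url" with the full connection string`. The example URL in the comment uses `sslmode=disable`; CNPG clusters serve TLS by default, so `sslmode=require` is the safer example to leave in a template.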
diff --git a/template/stacks/core/argocd.yaml b/template/stacks/core/argocd.yaml index cb1e886..f54bb04 100644 --- a/template/stacks/core/argocd.yaml +++ b/template/stacks/core/argocd.yaml @@ -18,12 +18,12 @@ spec: name: in-cluster namespace: argocd sources: - - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/DevFW-CICD/argocd-helm.git + - repoURL: https://github.com/argoproj/argo-helm.git path: charts/argo-cd # TODO: RIRE Can be updated when https://github.com/argoproj/argo-cd/issues/20790 is fixed and merged # As logout make problems, it is suggested to switch from path based routing to an own argocd domain, # similar to the CNOE amazon reference implementation and in our case, Forgejo - targetRevision: argo-cd-7.8.28-depends + targetRevision: argo-cd-9.1.5 helm: valueFiles: - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/argocd/values.yaml @@ -32,4 +32,4 @@ spec: ref: values - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}} targetRevision: HEAD - path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/argocd/manifests" \ No newline at end of file + path: "{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/argocd/manifests" diff --git a/template/stacks/core/argocd/values.yaml b/template/stacks/core/argocd/values.yaml index dfb7f96..d197745 100644 --- a/template/stacks/core/argocd/values.yaml +++ b/template/stacks/core/argocd/values.yaml @@ -5,6 +5,16 @@ configs: params: server.insecure: true cm: + oidc.config: | + name: FORGEJO + issuer: https://{{{ .Env.DOMAIN_DEX }}} + clientID: controller-argocd-dex + clientSecret: $dex-argo-client:clientSecret + requestedScopes: + - openid + - profile + - email + - groups application.resourceTrackingMethod: annotation timeout.reconciliation: 60s resource.exclusions: | 
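Review bot: The source now points at the public `https://github.com/argoproj/argo-helm.git` with `targetRevision: argo-cd-9.1.5`, a mutable git tag; the replaced `-depends` tag lived in a repository the project controlled, so this also moves trust in what gets deployed to an upstream tag that can be re-pointed. Pinning `targetRevision` to the commit SHA the tag resolves to (with the tag name kept in a comment) removes that mutability; the same applies to `forgejo-server.yaml` (`v12.0.0`), `ingress-nginx.yaml` (`helm-chart-4.12.1`), `garm.yaml` (`v0.0.4`) and `terralist.yaml` (`terralist-0.8.1`) later in this diff. The move from chart 7.8.28 to 9.1.5 crosses major versions, and the accompanying values hunk only adds OIDC settings, so it is worth confirming the existing values still match the new chart.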
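Review bot: `clientSecret: $dex-argo-client:clientSecret` uses Argo CD's `$<secret>:<key>` indirection, which only resolves for secrets in the argocd namespace labeled `app.kubernetes.io/part-of: argocd`; the secret `dex-argo-client` is not created anywhere in this change, so if it lacks the label the literal string is sent to Dex as the client secret and login fails. The same secret name is consumed by the Dex values as `OIDC_DEX_ARGO_CLIENT_SECRET`, but Dex runs in namespace `dex`, so two copies (or a synced secret) are needed. A comment next to the line recording its origin would help, e.g. `# dex-argo-client is provisioned externally; must be labeled app.kubernetes.io/part-of: argocd`.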
@@ -18,10 +28,9 @@ configs: - CiliumIdentity clusters: - "*" - accounts.provider-argocd: apiKey url: https://{{{ .Env.DOMAIN_ARGOCD }}} rbac: - policy.csv: 'g, provider-argocd, role:admin' + policy.csv: 'g, DevFW, role:admin' tls: certificates: diff --git a/template/stacks/core/cloudnative-pg.yaml b/template/stacks/core/cloudnative-pg.yaml new file mode 100644 index 0000000..861c693 --- /dev/null +++ b/template/stacks/core/cloudnative-pg.yaml @@ -0,0 +1,29 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cloudnative-pg + namespace: argocd + labels: + env: dev +spec: + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: -1 + destination: + name: in-cluster + namespace: cloudnative-pg + sources: + - repoURL: https://cloudnative-pg.github.io/charts + chart: cloudnative-pg + targetRevision: 0.26.1 + helm: + valueFiles: + - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/cloudnative-pg/values.yaml + - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}} + targetRevision: HEAD + ref: values diff --git a/template/stacks/core/cloudnative-pg/values.yaml b/template/stacks/core/cloudnative-pg/values.yaml new file mode 100644 index 0000000..e69de29 diff --git a/template/stacks/core/dex.yaml b/template/stacks/core/dex.yaml new file mode 100644 index 0000000..d41c0bf --- /dev/null +++ b/template/stacks/core/dex.yaml 
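Review bot: `policy.csv: 'g, DevFW, role:admin'` grants full Argo CD admin to every member of the Forgejo organization `DevFW`, since the gitea connector in `dex/values.yaml` appears to emit the org name as the group claim; a single named account is thereby replaced by an organization-wide admin grant. If a smaller set is intended, the connector can emit team-scoped groups and the policy can target one of those; either way, setting `policy.default` explicitly (e.g. `policy.default: role:readonly`, or empty to deny) documents what authenticated users outside the group receive. Dropping `accounts.provider-argocd` also removes an apiKey-capable local account, so any automation still presenting a token from it will stop working.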
@@ -0,0 +1,29 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: dex + namespace: argocd + labels: + env: dev +spec: + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: -1 + destination: + name: in-cluster + namespace: dex + sources: + - repoURL: https://charts.dexidp.io + chart: dex + targetRevision: 0.23.0 + helm: + valueFiles: + - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/core/dex/values.yaml + - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}} + targetRevision: HEAD + ref: values diff --git a/template/stacks/core/dex/values.yaml b/template/stacks/core/dex/values.yaml new file mode 100644 index 0000000..c6f8b1c --- /dev/null +++ b/template/stacks/core/dex/values.yaml 
@@ -0,0 +1,76 @@ +ingress: + enabled: true + className: nginx + annotations: + cert-manager.io/cluster-issuer: main + hosts: + - host: {{{ .Env.DOMAIN_DEX }}} + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - {{{ .Env.DOMAIN_DEX }}} + secretName: dex-cert + +envVars: + - name: FORGEJO_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: dex-forgejo-client + key: clientSecret + - name: FORGEJO_CLIENT_ID + valueFrom: + secretKeyRef: + name: dex-forgejo-client + key: clientID + - name: OIDC_DEX_GRAFANA_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: dex-grafana-client + key: clientSecret + - name: OIDC_DEX_ARGO_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: dex-argo-client + key: clientSecret + - name: LOG_LEVEL + value: debug + +config: + # Set it to a valid URL + issuer: https://{{{ .Env.DOMAIN_DEX }}} + + # See https://dexidp.io/docs/storage/ for more options + storage: + type: memory + + oauth2: + skipApprovalScreen: true + alwaysShowLoginScreen: false + + connectors: + - type: gitea + id: gitea + name: Forgejo + config: + clientID: "$FORGEJO_CLIENT_ID" + clientSecret: "$FORGEJO_CLIENT_SECRET" + redirectURI: https://{{{ .Env.DOMAIN_DEX }}}/callback + baseURL: https://edp.buildth.ing + # loadAllGroups: true + orgs: + - name: DevFW + enablePasswordDB: false + + staticClients: + - id: controller-argocd-dex + name: ArgoCD Client + redirectURIs: + - "https://{{{ .Env.DOMAIN_ARGOCD }}}/auth/callback" + secretEnv: "OIDC_DEX_ARGO_CLIENT_SECRET" + - id: grafana + redirectURIs: + - "https://{{{ .Env.DOMAIN_GRAFANA }}}/login/generic_oauth" + name: "Grafana" + secretEnv: "OIDC_DEX_GRAFANA_CLIENT_SECRET" diff --git a/template/stacks/forgejo/forgejo-server.yaml b/template/stacks/forgejo/forgejo-server.yaml index 249976a..21a7049 100644 --- a/template/stacks/forgejo/forgejo-server.yaml +++ b/template/stacks/forgejo/forgejo-server.yaml 
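Review bot: `baseURL: https://edp.buildth.ing` under the gitea connector is the only Forgejo endpoint in this diff that is not templated; everywhere else the instance comes from `{{{ .Env.DOMAIN_GITEA }}}`, so an environment rendered for another domain would authenticate users against this fixed Forgejo while redirecting back to its own Dex. Proposed: `baseURL: https://{{{ .Env.DOMAIN_GITEA }}}`. Two further settings look like dev defaults and deserve a comment if they are meant to stay: `LOG_LEVEL: debug` increases what an identity provider writes to its logs, and `storage: type: memory` loses auth state and refresh tokens on every pod restart and cannot be shared between replicas.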
@@ -18,15 +18,9 @@ spec: name: in-cluster namespace: gitea sources: - - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/DevFW-CICD/forgejo-helm.git + - repoURL: https://code.forgejo.org/forgejo-helm/forgejo-helm.git path: . - # first check out the desired version (example v9.0.0): https://code.forgejo.org/forgejo-helm/forgejo-helm/src/tag/v9.0.0/Chart.yaml - # (note that the chart version is not the same as the forgejo application version, which is specified in the above Chart.yaml file) - # then use the devops pipeline and select development, forgejo and the desired version (example v9.0.0): - # https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/DevFW-CICD/devops-pipelines/actions?workflow=update-helm-depends.yaml&actor=0&status=0 - # finally update the desired version here and include "-depends", it is created by the devops pipeline. - # why do we have an added "-depends" tag? it resolves rate limitings when downloading helm OCI dependencies - targetRevision: v12.0.0-depends + targetRevision: v12.0.0 helm: valueFiles: - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/forgejo/forgejo-server/values.yaml diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml new file mode 100644 index 0000000..3d77021 --- /dev/null +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml 
@@ -0,0 +1,91 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: forgejo-s3-backup + namespace: gitea +spec: + schedule: "0 1 * * *" + concurrencyPolicy: "Forbid" + successfulJobsHistoryLimit: 5 + failedJobsHistoryLimit: 5 + startingDeadlineSeconds: 600 # 10 minutes + jobTemplate: + spec: + # 60 min until backup - 10 min start - (backoffLimit * activeDeadlineSeconds) - some time sync buffer + activeDeadlineSeconds: 1350 + backoffLimit: 2 + ttlSecondsAfterFinished: 259200 # + template: + spec: + containers: + - name: rclone + image: rclone/rclone:1.70 + imagePullPolicy: IfNotPresent + env: + - name: SOURCE_BUCKET + valueFrom: + secretKeyRef: + name: forgejo-cloud-credentials + key: bucket-name + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: forgejo-cloud-credentials + key: access-key + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: forgejo-cloud-credentials + key: secret-key + volumeMounts: + - name: rclone-config + mountPath: /config/rclone + readOnly: true + - name: backup-dir + mountPath: /backup + readOnly: false + command: + - /bin/sh + - -c + - | + rclone sync source:/${SOURCE_BUCKET} /backup -v --ignore-checksum + restartPolicy: OnFailure + volumes: + - name: rclone-config + secret: + secretName: forgejo-s3-backup + - name: backup-dir + persistentVolumeClaim: + claimName: s3-backup +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: s3-backup + namespace: gitea + annotations: + everest.io/disk-volume-type: GPSSD + everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} +spec: + storageClassName: csi-disk + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 100Gi +--- +apiVersion: v1 +kind: Secret +metadata: + name: forgejo-s3-backup + namespace: gitea +type: Opaque +stringData: + rclone.conf: | + [source] + type = s3 + provider = HuaweiOBS + env_auth = true + endpoint = obs.eu-de.otc.t-systems.com + region = eu-de + acl = private 
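Review bot: `rclone sync source:/${SOURCE_BUCKET} /backup` mirrors the bucket, deleting from `/backup` anything no longer present in the source, so an accidental or malicious deletion in the bucket is replicated into the backup on the next nightly run and no earlier copy remains to restore. `rclone copy` into dated subdirectories, or `sync` with `--backup-dir /backup/.trash/$(date +%F)`, keeps removed objects; note also that the PVC lives in the same cluster, so this protects against bucket loss but not cluster loss. The container has no `securityContext` (`runAsNonRoot`, `allowPrivilegeEscalation: false`, dropped capabilities, `readOnlyRootFilesystem`), and the key in `forgejo-cloud-credentials` should be read-only for the bucket — worth stating in a comment there. The line `ttlSecondsAfterFinished: 259200 #` ends in an empty comment.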
diff --git a/template/stacks/forgejo/forgejo-server/values.yaml b/template/stacks/forgejo/forgejo-server/values.yaml index 3b354fe..00dba3d 100644 --- a/template/stacks/forgejo/forgejo-server/values.yaml +++ b/template/stacks/forgejo/forgejo-server/values.yaml @@ -1,3 +1,4 @@ +# This is only used for deploying older versions of infra-catalogue where the bucket name is not an output of the terragrunt modules {{{- define "BUCKET_NAME" -}}} {{{- if (getenv "FORGEJO_BUCKET_NAME") -}}} {{{ getenv "FORGEJO_BUCKET_NAME" }}} @@ -8,7 +9,7 @@ edp-forgejo-{{{ getenv "CLUSTER_ENVIRONMENT" }}} -# We use recreate to make sure only one instance with one version is running, because Forgejo might break or data gets inconsistant. +# We use recreate to make sure only one instance with one version is running, because Forgejo might break or data gets inconsistant. strategy: type: Recreate @@ -27,8 +28,10 @@ postgresql-ha: persistence: enabled: true size: 200Gi + storageClass: csi-disk annotations: everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} + everest.io/disk-volume-type: GPSSD test: enabled: false @@ -146,6 +149,7 @@ gitea: service: DISABLE_REGISTRATION: true + ENABLE_NOTIFY_MAIL: true other: SHOW_FOOTER_VERSION: false @@ -173,7 +177,7 @@ service: nodePort: 32222 externalTrafficPolicy: Cluster annotations: - kubernetes.io/elb.id: {{{ .Env.LOADBALANCER_ID }}} + kubernetes.io/elb.id: {{{ .Env.LOADBALANCER_ID }}} image: pullPolicy: "IfNotPresent" @@ -181,8 +185,7 @@ image: #tag: "8.0.3" # Adds -rootless suffix to image name # rootless: true - #fullOverride: {{{ getenv "CLIENT_REPO_DOMAIN" }}}/devfw-cicd/edp-forgejo:v1.1.0-edp-v11.0.3 - fullOverride: {{{ getenv "CLIENT_REPO_DOMAIN" }}}/devfw-cicd/edp-forgejo:osctest + fullOverride: {{{ getenv "CLIENT_REPO_DOMAIN" }}}/devfw-cicd/edp-forgejo:{{{ .Env.FORGEJO_IMAGE_TAG }}} forgejo: runner: diff --git a/template/stacks/garm/garm.yaml b/template/stacks/garm/garm.yaml new file mode 100644 index 0000000..555c998 --- /dev/null 
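Review bot: `fullOverride: ...edp-forgejo:{{{ .Env.FORGEJO_IMAGE_TAG }}}` renders to an image reference ending in `:` when `FORGEJO_IMAGE_TAG` is unset, which the kubelet rejects; the file already guards `BUCKET_NAME` with `{{{- if (getenv "FORGEJO_BUCKET_NAME") -}}}`, so the same pattern or a documented default fits here. A tag is also mutable, so pinning the image by digest (`@sha256:<digest>`) would make the Recreate rollout reproducible. The `# We use recreate ...` and `kubernetes.io/elb.id` hunks in this file appear to change only trailing whitespace and could be left out to keep the diff reviewable.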
+++ b/template/stacks/garm/garm.yaml @@ -0,0 +1,29 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: garm + namespace: argocd + labels: + env: dev +spec: + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: -1 + destination: + name: in-cluster + namespace: garm + sources: + - repoURL: https://edp.buildth.ing/DevFW-CICD/garm-helm + path: charts/garm + targetRevision: v0.0.4 + helm: + valueFiles: + - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/garm/garm/values.yaml + - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}} + targetRevision: HEAD + ref: values diff --git a/template/stacks/garm/garm/values.yaml b/template/stacks/garm/garm/values.yaml new file mode 100644 index 0000000..ff18d15 --- /dev/null +++ b/template/stacks/garm/garm/values.yaml @@ -0,0 +1,23 @@ +ingress: + enabled: true + className: nginx + annotations: + cert-manager.io/cluster-issuer: main + nginx.ingress.kubernetes.io/backend-protocol: HTTP + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + hosts: + - host: garm.{{{ .Env.DOMAIN_GITEA }}} + paths: + - path: / + pathType: Prefix + tls: + - secretName: garm-net-tls + hosts: + - garm.{{{ .Env.DOMAIN_GITEA }}} + +# Credentials and Secrets +credentials: + edgeConnect: + existingSecretName: "edge-credential" + gitea: + url: "https://{{{ .Env.DOMAIN_GITEA }}}" # Required diff --git a/template/stacks/observability-client/vm-client-stack/manifests/simple-user-secret.yaml b/template/stacks/observability-client/vm-client-stack/manifests/simple-user-secret.yaml deleted file mode 100644 index f13b0b6..0000000 --- a/template/stacks/observability-client/vm-client-stack/manifests/simple-user-secret.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: simple-user-secret - namespace: observability -type: Opaque -stringData: - username: simple-user - password: simple-password 
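Review bot: `repoURL: https://edp.buildth.ing/DevFW-CICD/garm-helm` hard-codes one Forgejo instance as the chart source while the values source two lines below uses `https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/...`, so environments rendered for another domain still pull the chart from this specific host. If the chart is meant to come from the same forge, `repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/DevFW-CICD/garm-helm` keeps the two sources consistent; if it is deliberately fixed, a comment saying so would help. `targetRevision: v0.0.4` is a mutable git tag; pinning the commit SHA would make the deployment reproducible.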
diff --git a/template/stacks/observability/grafana-operator/manifests/grafana.yaml b/template/stacks/observability/grafana-operator/manifests/grafana.yaml index 87bc732..41f32db 100644 --- a/template/stacks/observability/grafana-operator/manifests/grafana.yaml +++ b/template/stacks/observability/grafana-operator/manifests/grafana.yaml @@ -6,12 +6,51 @@ metadata: dashboards: "grafana" spec: persistentVolumeClaim: + metadata: + annotations: + everest.io/disk-volume-type: GPSSD + everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} spec: + storageClassName: csi-disk accessModes: - ReadWriteOnce resources: requests: storage: 10Gi + deployment: + spec: + template: + spec: + containers: + - name: grafana + env: + - name: OAUTH_CLIENT_SECRET + valueFrom: + secretKeyRef: + key: clientSecret + name: dex-grafana-client + config: + log.console: + level: debug + server: + root_url: "https://{{{ .Env.DOMAIN_GRAFANA }}}" + auth: + disable_login: "true" + disable_login_form: "true" + auth.generic_oauth: + enabled: "true" + name: Forgejo + allow_sign_up: "true" + use_refresh_token: "true" + client_id: grafana + client_secret: $__env{OAUTH_CLIENT_SECRET} + scopes: openid email profile offline_access groups + auth_url: https://{{{ .Env.DOMAIN_DEX }}}/auth + token_url: https://{{{ .Env.DOMAIN_DEX }}}/token + api_url: https://{{{ .Env.DOMAIN_DEX }}}/userinfo + redirect_uri: https://{{{ .Env.DOMAIN_GRAFANA }}}/login/generic_oauth + role_attribute_path: "contains(groups[*], 'DevFW') && 'GrafanaAdmin' || 'None'" + allow_assign_grafana_admin: "true" ingress: metadata: annotations: @@ -20,7 +59,7 @@ spec: spec: ingressClassName: nginx rules: - - host: grafana.{{{ .Env.DOMAIN }}} + - host: {{{ .Env.DOMAIN_GRAFANA }}} http: paths: - backend: @@ -32,5 +71,5 @@ spec: pathType: Prefix tls: - hosts: - - grafana.{{{ .Env.DOMAIN }}} + - {{{ .Env.DOMAIN_GRAFANA }}} secretName: grafana-net-tls 
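Review bot: `log.console.level: debug` is added to the Grafana config alongside the OAuth integration; debug logging records request details for every login flow and is rarely wanted outside troubleshooting, so consider `level: info` or a comment marking it temporary. In `auth.generic_oauth`, `allow_sign_up: "true"` with `role_attribute_path` falling back to `'None'` means every user Dex admits gets a Grafana account with no role; if users outside `DevFW` should not get accounts at all, `allow_sign_up: "false"` with pre-provisioned users, or `role_attribute_strict: "true"` with a mapping that yields no role for them, would deny them instead. The `dex-grafana-client` secret backing `OAUTH_CLIENT_SECRET` is not created in this change; confirm it exists in the Grafana namespace.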
diff --git a/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml b/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml index f884bd9..110ee7e 100644 --- a/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml +++ b/template/stacks/observability/victoria-k8s-stack/manifests/alerts.yaml @@ -11,8 +11,30 @@ spec: expr: sum by(cluster_environment) (up{pod=~"forgejo-server-.*"}) < 1 for: 30s labels: - severity: major + severity: critical job: "{{ $labels.job }}" annotations: value: "{{ $value }}" description: 'forgejo is down in cluster environment {{ $labels.cluster_environment }}' + - name: forgejo-backup + rules: + - alert: forgejo s3 backup job failed + expr: max by(cluster_environment) (kube_job_status_failed{job_name=~"forgejo-s3-backup-.*"}) != 0 + for: 30s + labels: + severity: critical + job: "{{ $labels.job }}" + annotations: + value: "{{ $value }}" + description: 'forgejo s3 backup job failed in cluster environment {{ $labels.cluster_environment }}' + - name: disk-consumption-high + rules: + - alert: disk consumption high + expr: 1-(kubelet_volume_stats_available_bytes / kubelet_volume_stats_capacity_bytes) > 0.6 + for: 30s + labels: + severity: major + job: "{{ $labels.job }}" + annotations: + value: "{{ $value }}" + description: 'disk consumption of pvc {{ $labels.namespace }}/{{ $labels.persistentvolumeclaim }} is high in cluster environment {{ $labels.cluster_environment }}' diff --git a/template/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml b/template/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml index 4c6fbe9..2fec1ef 100644 --- a/template/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml +++ b/template/stacks/observability/victoria-k8s-stack/manifests/vlogs.yaml 
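Review bot: The `forgejo s3 backup job failed` rule fires only when `kube_job_status_failed` is non-zero, so a backup that never runs (CronJob suspended, `startingDeadlineSeconds` missed, image pull stuck) raises no alert because no failed Job object exists. A staleness rule on kube-state-metrics' `kube_cronjob_status_last_successful_time` closes that gap, e.g. `expr: time() - kube_cronjob_status_last_successful_time{cronjob="forgejo-s3-backup"} > 172800` with the same labels and annotations. The `disk consumption high` rule matches every PVC in the cluster at 60 %, which may be intended, but `for: 30s` is short for a slowly filling volume and can flap around the threshold.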
@@ -9,7 +9,9 @@ spec: storageMetadata: annotations: everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} + everest.io/disk-volume-type: GPSSD storage: + storageClassName: csi-disk accessModes: - ReadWriteOnce resources: @@ -21,4 +23,4 @@ spec: cpu: 500m limits: memory: 10Gi - cpu: 2 \ No newline at end of file + cpu: 2 diff --git a/template/stacks/observability/victoria-k8s-stack/manifests/vmauth.yaml b/template/stacks/observability/victoria-k8s-stack/manifests/vmauth.yaml index 2ea5d76..5759093 100644 --- a/template/stacks/observability/victoria-k8s-stack/manifests/vmauth.yaml +++ b/template/stacks/observability/victoria-k8s-stack/manifests/vmauth.yaml @@ -5,11 +5,13 @@ metadata: namespace: observability spec: username: simple-user - password: simple-password + passwordRef: + key: password + name: simple-user-secret targetRefs: - static: url: http://vmsingle-o12y:8429 paths: ["/api/v1/write"] - static: url: http://vlogs-victorialogs:9428 - paths: ["/insert/elasticsearch/.*"] + paths: ["/insert/elasticsearch/.*"] \ No newline at end of file diff --git a/template/stacks/observability/victoria-k8s-stack/values.yaml b/template/stacks/observability/victoria-k8s-stack/values.yaml index db459f3..dd1996b 100644 --- a/template/stacks/observability/victoria-k8s-stack/values.yaml +++ b/template/stacks/observability/victoria-k8s-stack/values.yaml @@ -201,13 +201,13 @@ defaultRules: create: true rules: {} kubernetesSystemControllerManager: - create: true + create: false rules: {} kubeScheduler: - create: true + create: false rules: {} kubernetesSystemScheduler: - create: true + create: false rules: {} kubeStateMetrics: create: true @@ -289,7 +289,9 @@ vmsingle: storageMetadata: annotations: everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}} + everest.io/disk-volume-type: GPSSD storage: + storageClassName: csi-disk accessModes: - ReadWriteOnce resources: 
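Review bot: `passwordRef` now points at `simple-user-secret` in namespace `observability`, but the only manifest in this diff defining a secret of that name (`observability-client/vm-client-stack/manifests/simple-user-secret.yaml`) is deleted earlier in the change and no replacement is added, so VMAuth will fail to resolve the password unless the secret is provisioned elsewhere. Moving the password out of the manifest is the right direction; a comment such as `# simple-user-secret is provisioned externally (sealed/external secret)` next to `passwordRef` would record where it comes from. The hunk also removes the trailing newline on the last line while other hunks in this commit fix the same issue elsewhere.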
@@ -536,108 +538,30 @@ alertmanager: # If you're migrating existing config, please make sure that `.Values.alertmanager.config`: # - with `useManagedConfig: false` has structure described [here](https://prometheus.io/docs/alerting/latest/configuration/). # - with `useManagedConfig: true` has structure described [here](https://docs.victoriametrics.com/operator/api/#vmalertmanagerconfig). - useManagedConfig: false + useManagedConfig: true # -- (object) Alertmanager configuration config: route: receiver: "blackhole" - # group_by: ["alertgroup", "job"] - # group_wait: 30s - # group_interval: 5m - # repeat_interval: 12h - # routes: - # - # # Duplicate code_owner routes to teams - # # These will send alerts to team channels but continue - # # processing through the rest of the tree to handled by on-call - # - matchers: - # - code_owner_channel!="" - # - severity=~"info|warning|critical" - # group_by: ["code_owner_channel", "alertgroup", "job"] - # receiver: slack-code-owners - # - # # Standard on-call routes - # - matchers: - # - severity=~"info|warning|critical" - # receiver: slack-monitoring - # continue: true - # - # inhibit_rules: - # - target_matchers: - # - severity=~"warning|info" - # source_matchers: - # - severity=critical - # equal: - # - cluster - # - namespace - # - alertname - # - target_matchers: - # - severity=info - # source_matchers: - # - severity=warning - # equal: - # - cluster - # - namespace - # - alertname - # - target_matchers: - # - severity=info - # source_matchers: - # - alertname=InfoInhibitor - # equal: - # - cluster - # - namespace - + routes: + - matchers: + - severity=~"critical|major" + receiver: outlook receivers: - name: blackhole - # - name: "slack-monitoring" - # slack_configs: - # - channel: "#channel" - # send_resolved: true - # title: '{{ template "slack.monzo.title" . }}' - # icon_emoji: '{{ template "slack.monzo.icon_emoji" . }}' - # color: '{{ template "slack.monzo.color" . }}' - # text: '{{ template "slack.monzo.text" . 
}}' - # actions: - # - type: button - # text: "Runbook :green_book:" - # url: "{{ (index .Alerts 0).Annotations.runbook_url }}" - # - type: button - # text: "Query :mag:" - # url: "{{ (index .Alerts 0).GeneratorURL }}" - # - type: button - # text: "Dashboard :grafana:" - # url: "{{ (index .Alerts 0).Annotations.dashboard }}" - # - type: button - # text: "Silence :no_bell:" - # url: '{{ template "__alert_silence_link" . }}' - # - type: button - # text: '{{ template "slack.monzo.link_button_text" . }}' - # url: "{{ .CommonAnnotations.link_url }}" - # - name: slack-code-owners - # slack_configs: - # - channel: "#{{ .CommonLabels.code_owner_channel }}" - # send_resolved: true - # title: '{{ template "slack.monzo.title" . }}' - # icon_emoji: '{{ template "slack.monzo.icon_emoji" . }}' - # color: '{{ template "slack.monzo.color" . }}' - # text: '{{ template "slack.monzo.text" . }}' - # actions: - # - type: button - # text: "Runbook :green_book:" - # url: "{{ (index .Alerts 0).Annotations.runbook }}" - # - type: button - # text: "Query :mag:" - # url: "{{ (index .Alerts 0).GeneratorURL }}" - # - type: button - # text: "Dashboard :grafana:" - # url: "{{ (index .Alerts 0).Annotations.dashboard }}" - # - type: button - # text: "Silence :no_bell:" - # url: '{{ template "__alert_silence_link" . }}' - # - type: button - # text: '{{ template "slack.monzo.link_button_text" . }}' - # url: "{{ .CommonAnnotations.link_url }}" - # + - name: outlook + email_configs: + - smarthost: 'mail.mms-support.de:465' + auth_username: 'ipcei-cis-devfw@mms-support.de' + auth_password: + name: email-user-credentials + key: connection-string + from: '"IPCEI CIS DevFW" ' + to: 'f9f9953a.mg.telekom.de@de.teams.ms' + headers: + subject: 'Grafana Mail Alerts' + require_tls: false + # -- Better alert templates for [slack source](https://gist.github.com/milesbxf/e2744fc90e9c41b47aa47925f8ff6512) monzoTemplate: enabled: true 
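Review bot: The new `outlook` receiver sets `require_tls: false` for `smarthost: 'mail.mms-support.de:465'`; port 465 is normally implicit TLS, but whether the managed Alertmanager uses implicit TLS on that port or attempts STARTTLS depends on its version, and with `require_tls: false` any fallback to plaintext would send the SMTP credentials and alert contents unencrypted — confirm the deployed version's behavior, or use `require_tls: true` with STARTTLS on a port that supports it. `from: '"IPCEI CIS DevFW" '` contains a display name but no address; if the `<address>` part was lost, the SMTP server will reject the message (this may be an artifact of how the diff was rendered, so check the file). `subject: 'Grafana Mail Alerts'` describes Alertmanager notifications rather than Grafana and could be renamed for clarity.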
@@ -880,7 +804,7 @@ grafana: enabled: false # all values for grafana helm chart can be specified here persistence: - enabled: true + enabled: false type: pvc storageClassName: "default" grafana.ini: @@ -1096,7 +1020,7 @@ kubeApiServer: # Component scraping the kube controller manager kubeControllerManager: # -- Enable kube controller manager metrics scraping - enabled: true + enabled: false # -- If your kube controller manager is not deployed as a pod, specify IPs it can be found on endpoints: [] @@ -1229,7 +1153,7 @@ kubeEtcd: # Component scraping kube scheduler kubeScheduler: # -- Enable KubeScheduler metrics scraping - enabled: true + enabled: false # -- If your kube scheduler is not deployed as a pod, specify IPs it can be found on endpoints: [] diff --git a/template/stacks/otc/ingress-nginx.yaml b/template/stacks/otc/ingress-nginx.yaml index d240304..cb58d5d 100644 --- a/template/stacks/otc/ingress-nginx.yaml +++ b/template/stacks/otc/ingress-nginx.yaml @@ -18,9 +18,9 @@ spec: name: in-cluster namespace: ingress-nginx sources: - - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/DevFW-CICD/ingress-nginx-helm.git + - repoURL: https://github.com/kubernetes/ingress-nginx.git path: charts/ingress-nginx - targetRevision: helm-chart-4.12.4-depends + targetRevision: helm-chart-4.12.1 helm: valueFiles: - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/otc/ingress-nginx/values.yaml diff --git a/template/stacks/terralist/terralist.yaml b/template/stacks/terralist/terralist.yaml new file mode 100644 index 0000000..77126f8 --- /dev/null +++ b/template/stacks/terralist/terralist.yaml 
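Review bot: In ingress-nginx.yaml, `targetRevision: helm-chart-4.12.1` is a downgrade from the previous `helm-chart-4.12.4-depends`; patch releases typically carry security fixes for the bundled controller, so the release notes between 4.12.1 and 4.12.4 should be checked and the reason for going backwards recorded in a comment, or the matching upstream tag `helm-chart-4.12.4` selected. The repository is now the public `https://github.com/kubernetes/ingress-nginx.git`, where the tag is mutable; pinning the commit SHA keeps the deployment reproducible. The `kubeControllerManager` and `kubeScheduler` `enabled: false` hunks on this line are consistent with the `create: false` rule changes earlier in the victoria-k8s-stack values.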
@@ -0,0 +1,30 @@ +# helm upgrade --install --create-namespace --namespace terralist terralist oci://ghcr.io/terralist/helm-charts/terralist -f terralist-values.yaml +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: terralist + namespace: argocd + labels: + env: dev +spec: + project: default + syncPolicy: + automated: + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: -1 + destination: + name: in-cluster + namespace: terralist + sources: + - repoURL: https://github.com/terralist/helm-charts + path: charts/terralist + targetRevision: terralist-0.8.1 + helm: + valueFiles: + - $values/{{{ .Env.CLIENT_REPO_ID }}}/{{{ .Env.DOMAIN }}}/stacks/terralist/terralist/values.yaml + - repoURL: https://{{{ .Env.CLIENT_REPO_DOMAIN }}}/{{{ .Env.CLIENT_REPO_ORG_NAME }}} + targetRevision: HEAD + ref: values diff --git a/template/stacks/terralist/terralist/values.yaml b/template/stacks/terralist/terralist/values.yaml new file mode 100644 index 0000000..096db37 --- /dev/null +++ b/template/stacks/terralist/terralist/values.yaml 
@@ -0,0 +1,87 @@ +controllers: + main: + strategy: Recreate + containers: + app: + env: + - name: TERRALIST_OAUTH_PROVIDER + value: oidc + - name: TERRALIST_OI_CLIENT_ID + valueFrom: + secretKeyRef: + name: oidc-credentials + key: client-id + - name: TERRALIST_OI_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oidc-credentials + key: client-secret + - name: TERRALIST_OI_AUTHORIZE_URL + valueFrom: + secretKeyRef: + name: oidc-credentials + key: authorize-url + - name: TERRALIST_OI_TOKEN_URL + valueFrom: + secretKeyRef: + name: oidc-credentials + key: token-url + - name: TERRALIST_OI_USERINFO_URL + valueFrom: + secretKeyRef: + name: oidc-credentials + key: userinfo-url + - name: TERRALIST_OI_SCOPE + valueFrom: + secretKeyRef: + name: oidc-credentials + key: scope + - name: TERRALIST_TOKEN_SIGNING_SECRET + valueFrom: + secretKeyRef: + name: terralist-secret + key: token-signing-secret + - name: TERRALIST_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: terralist-secret + key: cookie-secret + - name: TERRALIST_URL + value: https://terralist.{{{ .Env.DOMAIN_GITEA }}} + - name: TERRALIST_SQLITE_PATH + value: /data/db.sqlite + - name: TERRALIST_LOCAL_STORE + value: /data/modules + - name: TERRALIST_PROVIDERS_ANONYMOUS_READ + value: "true" + +ingress: + main: + enabled: true + className: nginx + annotations: + cert-manager.io/cluster-issuer: main + hosts: + - host: terralist.{{{ .Env.DOMAIN_GITEA }}} + paths: + - path: / + pathType: Prefix + service: + identifier: main + port: http + tls: + - hosts: + - terralist.{{{ .Env.DOMAIN_GITEA }}} + secretName: terralist-tls-secret + +persistence: + data: + enabled: true + accessMode: ReadWriteOnce + size: 10Gi + retain: false + storageClass: "csi-disk" + annotations: + everest.io/disk-volume-type: GPSSD + globalMounts: + - path: /data
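Review bot: The `persistence.data` volume gets `everest.io/disk-volume-type: GPSSD` but not the `everest.io/crypt-key-id: {{{ .Env.PVC_KMS_KEY_ID }}}` annotation the other PVCs in this change carry, so the SQLite database and module store would lack the KMS encryption annotation unless `csi-disk` encrypts by default; adding it keeps the stacks consistent. `retain: false` appears to delete the volume together with the release, which for a registry holding the only copy of published modules and its database means data loss on an accidental uninstall — `retain: true` is the safer default here. `TERRALIST_PROVIDERS_ANONYMOUS_READ: "true"` exposes provider downloads without authentication; if intended, a comment stating so makes the exposure deliberate.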