Merge pull request 'Add SOPS support for ArgoCD & replace deployment with helm' (#144) from tn-add-ksops-support-to-argocd into main
Reviewed-on: #144 Reviewed-by: Aaron Riedel <git@ar21.de>
commit
5fd12a4d54
10 changed files with 150 additions and 57 deletions
4
.gitignore
vendored
|
@ -1,4 +1,4 @@
|
||||||
**/secret.yaml
|
|
||||||
**/temp.yaml
|
**/temp.yaml
|
||||||
**/credentials
|
**/credentials
|
||||||
**/.DS_Store
|
**/.DS_Store
|
||||||
|
*.agekey
|
||||||
|
|
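Review bot: The `**/secret.yaml` pattern appears to be dropped (it sits in the old-side cell at the top of the hunk) while only `*.agekey` is added, so a plaintext file named secret.yaml is no longer kept out of the index at the very moment the repository starts holding encrypted Secret manifests. If the goal is to allow committing sops-encrypted secrets, a distinct name such as the `sops-secret.yaml` used under argo/ keeps the old ignore rule useful, or a pre-commit hook can refuse any Secret manifest that lacks a `sops:` block. `*.agekey` covers one naming convention only; an age identity exported as `keys.txt` (the name used inside the `sops-age` Secret) next to the manifests would not be ignored.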
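--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,13 @@
+---
+keys:
+  - &argo age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz
+  - &tom age1s9nvc4rxj3kaj4apmzzn8fmjrudrvdhgu70rg04we9hyse5aadsq7kmckn
+  - &aaron age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
+creation_rules:
+  - path_regex: .*
+    encrypted_regex: ^(data|stringData)$
+    key_groups:
+      - age:
+          - *argo
+          - *tom
+          - *aaron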
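Review bot: The only creation rule (`path_regex: .*`) encrypts just the top-level `data`/`stringData` keys, so a sops-managed file that is not Secret-shaped — a values file carrying an OIDC client secret, say — keeps its sensitive keys in plaintext while still gaining a `sops:` block that looks protected. A comment should state the intent, e.g. `# Rule is for Kubernetes Secret manifests only: just data/stringData are encrypted, metadata stays readable`, and any other file type needs a more specific rule placed before this one, since sops takes the first matching rule. The `&argo` key is the one the repo-server will hold (`sops-age` in argo/sops-secret.yaml), so it is the one recipient that cannot be rotated without a bootstrap step; naming the owner of each anchor (`# repo-server decryption key` / `# personal keys`) helps whoever rotates them later.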
@ -32,14 +32,24 @@ spec:
|
||||||
apiVersion: argoproj.io/v1alpha1
|
apiVersion: argoproj.io/v1alpha1
|
||||||
kind: Application
|
kind: Application
|
||||||
metadata:
|
metadata:
|
||||||
name: argocd-ingress
|
name: argocd
|
||||||
namespace: argocd
|
namespace: argocd
|
||||||
spec:
|
spec:
|
||||||
project: default
|
project: default
|
||||||
source:
|
sources:
|
||||||
repoURL: https://git.ar21.de/yolokube/core-deployments.git
|
- repoURL: https://argoproj.github.io/argo-helm
|
||||||
targetRevision: HEAD
|
chart: argo-cd
|
||||||
path: argo
|
targetRevision: 7.6.6
|
||||||
|
helm:
|
||||||
|
releaseName: argo
|
||||||
|
valueFiles:
|
||||||
|
- $values/argo/values.yaml
|
||||||
|
- repoURL: https://git.ar21.de/yolokube/core-deployments.git
|
||||||
|
targetRevision: HEAD
|
||||||
|
ref: values
|
||||||
|
- repoURL: https://git.ar21.de/yolokube/core-deployments.git
|
||||||
|
targetRevision: HEAD
|
||||||
|
path: argo
|
||||||
destination:
|
destination:
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
namespace: argocd
|
namespace: argocd
|
||||||
|
@ -47,7 +57,8 @@ spec:
|
||||||
syncOptions:
|
syncOptions:
|
||||||
- CreateNamespace=true
|
- CreateNamespace=true
|
||||||
automated:
|
automated:
|
||||||
prune: true
|
selfHeal: true
|
||||||
|
prune: false
|
||||||
---
|
---
|
||||||
apiVersion: argoproj.io/v1alpha1
|
apiVersion: argoproj.io/v1alpha1
|
||||||
kind: Application
|
kind: Application
|
||||||
|
|
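Review bot: The third source (`path: argo`, a kustomization whose ksops generator runs on the repo-server) can only render after the repo-server has the ksops/kustomize binaries and the `sops-age` Secret that the helm source of this same Application installs, so on a fresh cluster manifest generation for the whole Application presumably fails before the chart is ever applied; if that bootstrap is done by hand, say so next to `sources:`, e.g. `# bootstrap: the helm release and the sops-age Secret must exist before the kustomize source can render`. Renaming the Application from argocd-ingress to argocd also leaves resources still tracked as `argocd-ingress` outside this app: the chart re-creates the ConfigMaps under the same names, but the old `argocd-ingress` Ingress for argo.services.yolokube.de (deleted from the repo in this commit) stays in the cluster next to the chart-managed one until it is removed by hand. The file header of this section is missing from the page, so the rest of the Application file is not visible here.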
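--- a/argo/cm.yaml
+++ b/argo/cm.yaml
@@ -9,6 +9,7 @@ metadata:
     app.kubernetes.io/name: argocd-cm
     app.kubernetes.io/part-of: argocd
 data:
+  kustomize.buildOptions: "--enable-alpha-plugins --enable-exec"
   statusbadge.enabled: "true"
   resource.customizations: |
     networking.k8s.io/Ingress:
@@ -33,28 +34,3 @@ data:
     # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
     requestedScopes: ["openid", "profile", "email"]
     logoutURL: https://auth.ar21.de/application/o/yolokube-argocd/end-session/
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: argocd-cmd-params-cm
-  namespace: argocd
-  labels:
-    app.kubernetes.io/instance: argocd-ingress
-    app.kubernetes.io/name: argocd-cm
-    app.kubernetes.io/part-of: argocd
-data:
-  server.insecure: "true"
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: argocd-rbac-cm
-  namespace: argocd
-  labels:
-    app.kubernetes.io/instance: argocd-ingress
-    app.kubernetes.io/name: argocd-cm
-    app.kubernetes.io/part-of: argocd
-data:
-  policy.csv: |
-    g, yolokube-general, role:admin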
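Review bot: `kustomize.buildOptions: "--enable-alpha-plugins --enable-exec"` applies to every kustomize build this Argo CD instance performs, not only to argo/: as far as kustomize's exec KRM functions go, any repository or path an Application of this instance may sync can then declare an `exec:` function and run a binary on the repo-server, the same pod that mounts the age key. That is inherent to KSOPS, but it makes AppProject `sourceRepos` restrictions the real boundary, and that deserves a comment on the line, e.g. `# --enable-exec is required by ksops; it lets any synced kustomization run executables on the repo-server, so keep AppProject sourceRepos tight`. The 25 removed lines move `server.insecure` and `policy.csv` into argo/values.yaml (`configs.params` / `configs.rbac`), where the former string `"true"` becomes a bare boolean; confirm the chart quotes it when it renders argocd-cmd-params-cm, since ConfigMap data must be strings.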
@ -1,24 +0,0 @@
|
||||||
---
|
|
||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
kind: Ingress
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/tls-acme: "true"
|
|
||||||
name: argocd-ingress
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
rules:
|
|
||||||
- host: "argo.services.yolokube.de"
|
|
||||||
http:
|
|
||||||
paths:
|
|
||||||
- pathType: Prefix
|
|
||||||
path: "/"
|
|
||||||
backend:
|
|
||||||
service:
|
|
||||||
name: argocd-server
|
|
||||||
port:
|
|
||||||
number: 80
|
|
||||||
tls:
|
|
||||||
- hosts:
|
|
||||||
- argo.services.yolokube.de
|
|
||||||
secretName: argocd-tls-key
|
|
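--- /dev/null
+++ b/argo/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+  - ./secret-generator.yaml
+resources:
+  - ./cm.yaml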
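--- /dev/null
+++ b/argo/secret-generator.yaml
@@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - ./sops-secret.yaml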
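Review bot: `path: ksops` is resolved from the repo-server's PATH, so this generator silently depends on the `/usr/local/bin/ksops` mount declared in argo/values.yaml; a comment makes the coupling visible, e.g. `# ksops binary is provided by the custom-tools mount in argo/values.yaml`. The `files:` list is explicit rather than discovered, so every further sops-encrypted manifest under argo/ has to be appended here or it will be applied as-is; `# list every sops-encrypted file here, ksops does not glob` above the key would save the next contributor that surprise.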
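--- /dev/null
+++ b/argo/sops-secret.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: sops-age
+    namespace: argocd
+type: Opaque
+data:
+    keys.txt: ENC[AES256_GCM,data:fY3isf0iaornjPYAGu7quWYC2O+LIm+gMvmjjhYgLWKK1YzIlOnW+ECaXRsmESr6F14rXayCGSlFzsEVJlVnaHvR+XgqX5Qj+ZUD8BCHW/cNcAcEWThVKZp6+CNIO9QsekkVv+huKpEZ/WPPr/dQZ/J8kuMHp7sCjoieG9tVXp0LbsGzMkodwrVKlE6kASKDsFZshtsQBhkx03MDLc/HC3z8eFwLV31fJ7MJTwZnhz9ONAexyFXwsjclWRR5nGizOCV0/tC8E3nOHugFX0Ae1GmWn69sTSf3lqNmT2RMm0iAZABJCdjcuBVZhegIyuGkrbL4GhKteNpqYVqe,iv:CuOiL/LTGp/W+7pOJPSb3b/UDewIusKs18MNKdsoC3s=,tag:ii1NFa2j4RxXgDfbMyJGjQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Z2lHdHB1bDBMNGFDb3gw
+            blJOU2RpTlRlTXM4OEdXL0oxczd4d2Y0TDNrCnFBWnluUDZhRVEyTVRoWC9HaXly
+            eTVsenRiTVFxU2h6VXFneEM0KzNWNFUKLS0tIDZLMHRNbm1rS04xUXBxdHlOVHAx
+            a0d1SW93TEROWkRpekt1VHlQZHhCRFEKsz8LUmpDrR7a7p7pd0FotGtxuEPwEeOY
+            L9lg0WJNJ9OAqJDBXoygedyQ4bWqFdDnr1U3RoPzbnOOgvAk9aPj3Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1s9nvc4rxj3kaj4apmzzn8fmjrudrvdhgu70rg04we9hyse5aadsq7kmckn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzVkNZWFBIQnhxbEJ4T01J
+            aVlKa2NrcVAxdGNWY0JDaWk3UDlxeE90b2x3CjhMVm1Zb0ozdzB2VVlVckdwUUk5
+            dkZBeUo3aW1BM2ZmQVhpZ29TSm15RGsKLS0tIDZNc01xMVFnOGpLV3JGYytHTlgv
+            T3hQZHVZVDA1cjFNNEtBWkF2VkdFbjQKg4yy1rWCprRYmpXtMA0++x4VGJPEKAyx
+            b8+RC5TV82yWhqtF9pWpkIuzJ/5zKih49is9rSo5PoaL+QOpLYR5yw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMmZ6ekNxMEdCZXJKUCtp
+            YVV4RzBuQllGQlpZeDZ4UkpQV1l4Q0pIeWtjCjNlK3Y2Z21LRERVMkxZNVFYUHdU
+            NGhkdm9TSGtaNWo1ZEV0eTFNR2ZhNkkKLS0tIEpKOU44SU5EeC81aGRUektyUFl0
+            dE84M3JQeW1iY25ZaTdqMG8ySG9Cam8KQS8eKuIjhcTVBbcdkcyFezqoi9S6dc74
+            hWbNlP+BSHZD/Sx+6oYHIpJPYtJ8/IqZAwdQavyqj27AnsiKzY4rnw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-30T18:24:55Z"
+    mac: ENC[AES256_GCM,data:4+/TztJYPPFOY/b9XEo3XfzDHD2tVZJc6/tDF0u5+DvTzGdp2/YvSTI/UPS2iEprsvG0lyveqPxdgweEgXMGcnpEcMhK6gzW1LVJmzFgWev0WjrmCxNNnMPMkU0hGG0WdgSAAlx4FLnms/gdEHDYnkXYqHH01N5EUSP9c8JpTIg=,iv:XJ+JuI5WjqXPTIgX1Jklc+kJzmIcEa6QAEGJISo4QBE=,tag:bMBGUfchsJE6I0h04aUB4Q==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.0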
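Review bot: This Secret is the repo-server's own decryption key, so anyone who can read Secrets in the `argocd` namespace or exec into the repo-server pod can decrypt every file this repository encrypts to the `&argo` recipient; RBAC on that namespace is effectively RBAC on all secrets managed here, and nothing on this page records that. Because the file is also encrypted to the very key it contains (the first `recipient`), Argo CD can only re-apply it once the Secret already exists in the cluster: the first install has to create `sops-age` by hand, and a key rotation must encrypt the new `keys.txt` to the current repo-server key in addition to the new one, so ksops can still decrypt it during the roll-over, before .sops.yaml drops the old recipient. That procedure belongs in the repository README or in .sops.yaml rather than in this sops-managed file.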
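--- /dev/null
+++ b/argo/values.yaml
@@ -0,0 +1,51 @@
+global:
+  domain: argo.services.yolokube.de
+configs:
+  cm:
+    create: false
+  params:
+    create: true
+    server.insecure: true
+  rbac:
+    create: true
+    policy.csv: |
+      g, yolokube-general, role:admin
+server:
+  ingress:
+    enabled: true
+    annotations:
+      kubernetes.io/tls-acme: "true"
+    tls: true
+repoServer:
+  volumes:
+    - name: custom-tools
+      emptyDir: {}
+    - name: sops-key
+      secret:
+        secretName: sops-age
+  initContainers:
+    - name: install-ksops
+      image: viaductoss/ksops:v4.3.2
+      command: ["/bin/sh", "-c"]
+      args:
+        - echo "Installing KSOPS...";
+          mv ksops /custom-tools/;
+          mv kustomize /custom-tools/;
+          echo "Done.";
+      volumeMounts:
+        - mountPath: /custom-tools
+          name: custom-tools
+  volumeMounts:
+    - mountPath: /usr/local/bin/kustomize
+      name: custom-tools
+      subPath: kustomize
+    - mountPath: /usr/local/bin/ksops
+      name: custom-tools
+      subPath: ksops
+    - mountPath: /.config/sops/age
+      name: sops-key
+  env:
+    - name: XDG_CONFIG_HOME
+      value: /.config
+    - name: SOPS_AGE_KEY_FILE
+      value: /.config/sops/age/keys.txt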
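Review bot: The repo-server's own `kustomize` is shadowed by the one shipped inside `viaductoss/ksops:v4.3.2` (`subPath: kustomize` over `/usr/local/bin/kustomize`), so the binary that renders every Application this instance syncs is now whatever that third-party image contains, pinned by a mutable tag only; pin the digest as well, `image: viaductoss/ksops:v4.3.2@sha256:<digest-placeholder>`, and the renovate kubernetes manager enabled in this same change can keep it current. The init-container `args` entry relies on YAML folding four plain-scalar continuation lines into one shell string, which reads as four list items at a glance; `- >-` with the same four lines indented one level deeper states the intent explicitly. A short header comment saying that the `repoServer` block is the KSOPS installation pattern and that the mounted `sops-age` Secret is produced by argo/secret-generator.yaml would keep the two files in step when either is edited.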
@ -5,6 +5,10 @@
|
||||||
"argocd": {
|
"argocd": {
|
||||||
"fileMatch": ["^app-files/core-deployments\\.yaml$"]
|
"fileMatch": ["^app-files/core-deployments\\.yaml$"]
|
||||||
},
|
},
|
||||||
|
"kubernetes": {
|
||||||
|
"enabled": true,
|
||||||
|
"fileMatch": ["\\.yaml$"]
|
||||||
|
},
|
||||||
"packageRules": [
|
"packageRules": [
|
||||||
{
|
{
|
||||||
"matchPackageNames": ["kube-prometheus-stack"],
|
"matchPackageNames": ["kube-prometheus-stack"],
|
||||||
|
|