chore: mirror weave-gitops-4.0.15

upstream_repo: https://helm.gitops.weave.works
Nikolai Rodionov 2024-01-10 15:51:16 +01:00
parent cd6dd2a273
commit 3cbbc9e2cf
Signed by: allanger
GPG Key ID: 0AA46A90E25592AD
22 changed files with 1443 additions and 0 deletions


@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,2 @@
formatter:
pad_line_comments: 2


@ -0,0 +1,14 @@
apiVersion: v2
appVersion: v0.18.0
description: Weave Gitops is a set of tools and services to aid your interactions with Flux
name: gitops-server
type: application
version: 4.0.15
home: https://github.com/giantswarm/gitops-server-app
icon: https://s.giantswarm.io/app-icons/weaveworks/1/icon_light.svg
keywords:
- gitops
- flux
annotations:
application.giantswarm.io/team: team-honeybadger
config.giantswarm.io/version: 1.x.x


@ -0,0 +1,52 @@
# Weave Gitops Helm Chart
This is the [Weave Gitops](https://github.com/weaveworks/weave-gitops) [Helm](https://helm.sh) chart.
It installs the weave-gitops-server component as a 1-replica deployment.
Optionally it will also install:
* Service Account
* ClusterRoleBinding (to the service account) and ClusterRole with the
permissions required to run Gitops.
* Service, this is optional as you may want to limit access to the UI to via
port-forwarding
* Ingress
* Test User -- A test user with hard-coded username & password with minimal
permissions
This chart assumes kubernetes > 1.17
## Security
The role that this chart creates includes 2 main 'blocks' of permissions; that
should be treated separately and carefully:
* `impersonate` This is how the gitops-server gathers data to display in the UI,
it impersonates the user, determined by OIDC/plain auth. This means that
a user's permissions in the UI will reflect their permissions in the cluster
* `get`, `list`, `watch` on `helmrepositories` and `secrets`. These permissions
are required by the profiles system.
### Impersonate
When deploying gitops-server it is recommended to limit the types of resource
and specific resources that the service account can impersonate. e.g.
```yaml
rbac:
create: true
impersonationResources: ["groups"]
impersonationResourceNames: ["gitops-reader"]
```
Using groups is the recommended way of doing this as it means that you don't
have to enumerate all users in a group.
### Get helmrepositories
This permissions are scoped to enable the profiles functionality of gitops-server
and should not need to change.
### Test User
This user should not be used, it is intended for development and testing
purposes and relies on static credentials in a secret.


@ -0,0 +1,11 @@
# Helm chart reference
<!-- The contents of this file is generated directly from the chart's values.yaml, please make any edits there -->
This is a reference of all the configurable values in weave gitops's
helm chart. This is intended for customizing your installation after
you've gone through the [getting started](../getting-started/intro.mdx) guide.
This reference was generated for the chart version {{ template
"chart.version" . }} which installs weave gitops {{ template "chart.appVersion" . }}.
{{ template "chart.valuesSection" . }}


@ -0,0 +1,22 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "chart.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "chart.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "chart.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "chart.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}


@ -0,0 +1,91 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "chart.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "chart.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "chart.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "chart.labels" -}}
helm.sh/chart: {{ include "chart.chart" . }}
{{ include "chart.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "chart.selectorLabels" -}}
app.kubernetes.io/name: {{ include "chart.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "chart.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "chart.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Return the target Kubernetes version
*/}}
{{- define "common.capabilities.kubeVersion" -}}
{{- if .Values.global }}
{{- if .Values.global.kubeVersion }}
{{- .Values.global.kubeVersion -}}
{{- else }}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
{{- end -}}
{{- else }}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
{{- end -}}
{{- end -}}
{{- define "resource.vpa.enabled" -}}
{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.giantswarm.resources.vpa.enabled) }}true{{ else }}false{{ end }}
{{- end -}}
{{- define "deployment.resources" -}}
requests:
{{ toYaml .Values.giantswarm.resources.server.requests | indent 2 -}}
{{ if eq (include "resource.vpa.enabled" .) "false" }}
limits:
{{ toYaml .Values.giantswarm.resources.server.limits | indent 2 -}}
{{- end -}}
{{- end -}}
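Review bot: `resource.vpa.enabled` decides on `.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1"`, and as far as I know that set only contains Helm's built-in defaults under `helm template` / `--dry-run` unless `--api-versions` is passed, so offline rendering yields `false` and `deployment.resources` emits `limits:` while an install on a VPA-enabled cluster omits them. That divergence deserves a comment above the define, e.g. `{{/* Under helm template this is false unless --api-versions includes autoscaling.k8s.io/v1; rendered output may differ from install-time output. */}}`. The `deployment.resources` helper also relies on the `-}}` after `indent 2` to keep `limits:` on its own line, which is easy to break on edit; a short comment noting that the trims are load-bearing would help the next maintainer.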


@ -0,0 +1,16 @@
{{- if .Values.adminUser.create }}
{{- if .Values.adminUser.createSecret }}
---
apiVersion: v1
kind: Secret
metadata:
name: cluster-user-auth
namespace: {{ .Release.Namespace }}
type: Opaque
data:
{{- with .Values.adminUser }}
username: {{ .username | b64enc | quote }}
password: {{ .passwordHash | required "passwordHash must be set!" | b64enc | quote }}
{{- end }}
{{- end }}
{{- end }}
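Review bot: The `cluster-user-auth` Secret carries no `labels:` block, while the sibling `oidc-auth` Secret, the Deployment and the other resources all include `{{- include "chart.labels" . | nindent 4 }}`; add `labels:` followed by that include under `metadata:` so the secret is attributable to the release like everything else. The inner `{{- with .Values.adminUser }}` only rescopes `.` to the map the enclosing `if` already tested, so `username: {{ .Values.adminUser.username | b64enc | quote }}` would read the same without the extra block; a point of style only.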


@ -0,0 +1,79 @@
{{- if .Values.adminUser.create }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: wego-admin-role
namespace: {{ .Release.Namespace }}
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: [ "get", "list", "watch" ]
- apiGroups: ["source.toolkit.fluxcd.io"]
resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories", "ocirepositories" ]
verbs: [ "get", "list", "watch", "patch" ]
- apiGroups: ["kustomize.toolkit.fluxcd.io"]
resources: [ "kustomizations" ]
verbs: [ "get", "list", "watch", "patch" ]
- apiGroups: ["helm.toolkit.fluxcd.io"]
resources: [ "helmreleases" ]
verbs: [ "get", "list", "watch", "patch" ]
- apiGroups: [ "notification.toolkit.fluxcd.io" ]
resources: [ "providers", "alerts" ]
verbs: [ "get", "list", "watch", "patch" ]
- apiGroups: ["infra.contrib.fluxcd.io"]
resources: ["terraforms"]
verbs: [ "get", "list", "watch", "patch" ]
{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}}
{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}}
{{- end }}
{{- if .Values.adminUser.createClusterRole }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: wego-admin-cluster-role
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: [ "get", "list", "watch" ]
- apiGroups: ["source.toolkit.fluxcd.io"]
resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories", "ocirepositories" ]
verbs: [ "get", "list", "watch", "patch" ]
- apiGroups: ["kustomize.toolkit.fluxcd.io"]
resources: [ "kustomizations" ]
verbs: [ "get", "list", "watch", "patch" ]
- apiGroups: ["helm.toolkit.fluxcd.io"]
resources: [ "helmreleases" ]
verbs: [ "get", "list", "watch", "patch" ]
- apiGroups: [ "notification.toolkit.fluxcd.io" ]
resources: [ "providers", "alerts" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: ["infra.contrib.fluxcd.io"]
resources: ["terraforms"]
verbs: [ "get", "list", "watch", "patch" ]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["list", "watch"]
- apiGroups: [ "notification.toolkit.fluxcd.io" ]
resources: [ "providers", "alerts" ]
verbs: [ "get", "list", "watch", "patch" ]
{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}}
{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}}
{{- end -}}
{{- end }}
{{- end }}
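Review bot: In the ClusterRole the `notification.toolkit.fluxcd.io` rule appears twice, first with `get, list, watch` and again with `get, list, watch, patch`; the second subsumes the first and the Role above lists it once with `patch`, so delete the first occurrence. The leading `apiGroups: ["*"] / resources: ["*"] / verbs: ["get", "list", "watch"]` rule, once bound by the ClusterRoleBinding whenever `adminUser.createClusterRole` is true (the values default), gives this user read access to every resource in the cluster, including every Secret; if that is intended for what the README calls a test-only user, say so in a comment above the rule (`# wildcard read: includes secrets in all namespaces`), otherwise enumerate the API groups the UI needs instead of `*`. The same `additionalRules` block is rendered into both the Role and the ClusterRole, so a rule meant to be namespaced is silently granted cluster-wide too; the values comment should state that.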


@ -0,0 +1,31 @@
{{- if .Values.adminUser.create }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Values.adminUser.username }}-user-read-resources
namespace: {{ .Release.Namespace }}
subjects:
- kind: User
name: wego-admin
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: wego-admin-role
apiGroup: rbac.authorization.k8s.io
{{- if .Values.adminUser.createClusterRole }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Values.adminUser.username }}-user-read-resources-cr
subjects:
- kind: User
name: {{ .Values.adminUser.username }}
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: wego-admin-cluster-role
apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end }}
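Review bot: The RoleBinding's subject is the literal `name: wego-admin`, whereas the ClusterRoleBinding's subject and both binding names use `{{ .Values.adminUser.username }}`; with the default `username: gitops-test-user` the namespaced Role is bound to a user that never authenticates, and with `createClusterRole: false` the configured admin user ends up with no binding at all. Change it to `name: {{ .Values.adminUser.username }}` and drop the `namespace:` line under that subject, which only has meaning for `kind: ServiceAccount` subjects. For consistency with the ClusterRoleBinding, give the User subject the same `apiGroup: rbac.authorization.k8s.io` line.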


@ -0,0 +1,125 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "chart.fullname" . }}
labels:
{{- include "chart.labels" . | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "chart.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "chart.selectorLabels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "chart.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.registry }}/{{ .Values.giantswarm.images.server.image }}:{{ .Values.giantswarm.images.server.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.giantswarm.images.server.pullPolicy }}
args:
- "--log-level"
- "{{ .Values.logLevel }}"
{{- if .Values.serverTLS.enable }}
- "--tls-cert-file"
- "/etc/tls-volume/tls.crt"
- "--tls-private-key-file"
- "/etc/tls-volume/tls.key"
{{- else }}
- "--insecure"
{{- end }}
{{- if .Values.metrics.enabled }}
- "--enable-metrics"
- "--metrics-address=:{{ .Values.metrics.service.port }}"
{{- end }}
{{- with .Values.additionalArgs }}
{{- range . }}
- {{ . | quote }}
{{- end }}
{{- end }}
ports:
- name: http
containerPort: 9001
protocol: TCP
{{- if .Values.metrics.enabled }}
- name: http-metrics
containerPort: {{ .Values.metrics.service.port }}
protocol: TCP
{{- end }}
livenessProbe:
httpGet:
path: /
port: http
{{- if .Values.serverTLS.enable }}
scheme: HTTPS
{{- end }}
readinessProbe:
httpGet:
path: /
port: http
{{- if .Values.serverTLS.enable }}
scheme: HTTPS
{{- end }}
env:
{{- if .Values.envVars }}
{{- with .Values.envVars }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
resources:
{{- include "deployment.resources" . | nindent 12 }}
{{- if or .Values.serverTLS.enable .Values.extraVolumeMounts }}
volumeMounts:
{{- end }}
{{- if .Values.serverTLS.enable }}
- name: tls-volume
readOnly: true
mountPath: "/etc/tls-volume"
{{- end }}
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if or .Values.serverTLS.enable .Values.extraVolumes }}
volumes:
{{- end }}
{{- if .Values.serverTLS.enable }}
- name: tls-volume
secret:
secretName: {{ .Values.serverTLS.secretName }}
{{ end }}
{{- with .Values.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
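Review bot: The `{{ end }}` closing the `tls-volume` entry under `volumes:` is the only untrimmed action in the template (every other one is `{{- end }}`), so the rendered manifest gets a stray blank line there; make it `{{- end }}`. `env:` is emitted unconditionally while its body is wrapped in both `{{- if .Values.envVars }}` and `{{- with .Values.envVars }}`; the `with` alone already skips an empty list, and moving `env:` inside it avoids rendering `env:` with a null value. When `serverTLS.enable` is false the container is started with `--insecure`, which presumably means the UI is served over plain HTTP; the values file does not mention this, so a comment at `serverTLS.enable` saying that TLS is then expected to terminate at the Ingress or be limited to port-forwarding would make the tradeoff visible.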


@ -0,0 +1,27 @@
{{ if eq (include "resource.vpa.enabled" .) "true" }}
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
name: gitops-server
namespace: {{ .Release.Namespace }}
labels:
{{- include "chart.labels" . | nindent 4 }}
spec:
resourcePolicy:
containerPolicies:
- containerName: {{ .Chart.Name }}
controlledValues: RequestsAndLimits
minAllowed:
cpu: {{ .Values.giantswarm.resources.server.requests.cpu }}
memory: {{ .Values.giantswarm.resources.server.requests.memory }}
maxAllowed:
cpu: 1000m
memory: 1000Mi
mode: Auto
targetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "chart.fullname" . }}
updatePolicy:
updateMode: Auto
{{ end }}
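Review bot: `maxAllowed` is hard-coded to `cpu: 1000m` / `memory: 1000Mi` while `minAllowed` is read from `giantswarm.resources.server.requests`, so an operator can raise the floor above the fixed ceiling with no value to adjust; either expose the ceiling under values (a new `giantswarm.resources.vpa.maxAllowed` block, to be added to the schema too) or add `# maxAllowed is intentionally fixed` above it. The opening `{{ if ... }}` is untrimmed unlike the closing `{{ end }}` style elsewhere in the chart, leaving a leading blank line in the rendered document; `{{- if ... }}` fixes it.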


@ -0,0 +1,61 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "chart.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "chart.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
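Review bot: Every `semverCompare` here reads `.Capabilities.KubeVersion.GitVersion` directly, whereas the RBAC templates go through the `common.capabilities.kubeVersion` helper that honours the `global.kubeVersion` / `kubeVersion` overrides; someone rendering for a target cluster with those overrides gets RBAC apiVersions for the target but an Ingress apiVersion, `ingressClassName` and `pathType` chosen from the rendering host, so use `(include "common.capabilities.kubeVersion" .)` in these comparisons as well. The `{{- $_ := set .Values.ingress.annotations ... }}` line mutates the values map in place, which is what makes the later `annotations:` block pick the class up, but any other template reading `ingress.annotations` afterwards also sees the injected key; a one-line comment stating that intent belongs above it. `path: {{ .path }}` is the one unquoted user-supplied scalar in `rules:`, next to `host: {{ .host | quote }}`; `path: {{ .path | quote }}` keeps a path starting with `*` or `{` from being misparsed.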


@ -0,0 +1,34 @@
{{- if .Values.networkPolicy.create -}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dashboard-ingress
spec:
podSelector:
matchLabels:
{{- include "chart.selectorLabels" . | nindent 6 }}
ingress:
- ports:
- port: 9001
protocol: TCP
{{- if .Values.metrics.enabled }}
- port: {{ .Values.metrics.service.port }}
protocol: TCP
{{- end }}
policyTypes:
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dashboard-egress
spec:
podSelector:
matchLabels:
{{- include "chart.selectorLabels" . | nindent 6 }}
egress:
- {}
policyTypes:
- Egress
{{- end -}}
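Review bot: `allow-dashboard-ingress` lists only `ports:` with no `from:` peer, so once the pod is selected it accepts TCP 9001 (and the metrics port) from any pod in any namespace and, depending on the CNI, from outside the cluster; the policy pins the port but not the source. If the intent is to admit only the ingress controller or port-forward traffic, add a `from:` entry driven by a value (a `namespaceSelector`/`podSelector` pair), otherwise put `# no from: peer — any source may reach the listed ports` above the rule so the scope is explicit. `allow-dashboard-egress` with `egress: - {}` permits all egress and therefore restricts nothing; it presumably exists so a namespace-wide default-deny does not cut the server off from the API server, and a comment should say so. Neither policy sets `metadata.namespace`, which is fine for the release namespace but differs from the admin-user templates in this commit that set it explicitly.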


@ -0,0 +1,15 @@
{{- if .Values.oidcSecret.create -}}
apiVersion: v1
kind: Secret
metadata:
name: oidc-auth
labels:
{{- include "chart.labels" . | nindent 4 }}
data:
{{- with .Values.oidcSecret }}
clientID: {{ .clientID | required "oidcSecret.clientID must be set" | b64enc | quote }}
clientSecret: {{ .clientSecret | required "oidcSecret.clientSecret must be set" | b64enc | quote }}
issuerURL: {{ .issuerURL | required "oidcSecret.issuerURL must be set" | b64enc | quote }}
redirectURL: {{ .redirectURL | required "oidcSecret.redirectURL must be set" | b64enc | quote }}
{{- end }}
{{- end }}
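Review bot: `clientSecret` is taken straight from chart values, so the plaintext lives in the values passed at install time and, as Helm keeps supplied values in its release storage, in the release record as well as in this Secret; the `oidcSecret` comment in values should say that and point at the `extraVolumes` secrets-store CSI example already given there as the alternative. The template also omits the `type: Opaque` and `namespace: {{ .Release.Namespace }}` lines that the sibling `cluster-user-auth` Secret sets; harmless, but the two secret templates should agree.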


@ -0,0 +1,47 @@
{{- if .Values.giantswarm.rbac.create -}}
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1
{{- end }}
kind: ClusterRole
metadata:
name: {{ include "chart.fullname" . }}
rules:
# impersonation rules for ui calls
{{- if .Values.giantswarm.rbac.impersonation.users.enabled }}
- apiGroups: [""]
resources: ["users"]
verbs: [ "impersonate" ]
{{- with .Values.giantswarm.rbac.impersonation.users.resourceNames }}
resourceNames: {{ . | toJson }}
{{- end }}
{{- end }}
{{- if .Values.giantswarm.rbac.impersonation.groups.enabled }}
{{- if and .Values.giantswarm.rbac.impersonation.groups.enabled (not .Values.giantswarm.rbac.impersonation.users.enabled) }}
{{- fail "Enabling impersonation for groups requires users impersonation permissions, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation" }}
{{- end }}
- apiGroups: [""]
resources: ["groups"]
verbs: [ "impersonate" ]
{{- with .Values.giantswarm.rbac.impersonation.groups.resourceNames }}
resourceNames: {{ . | toJson }}
{{- end }}
{{- end }}
# Access to enterprise entitlement
- apiGroups: [""]
resources: [ "secrets" ]
verbs: [ "get", "list" ]
{{- with .Values.giantswarm.rbac.viewSecretsResourceNames }}
resourceNames: {{ . | toJson }}
{{- end }}
# The service account needs to read namespaces to know where it can query
- apiGroups: [ "" ]
resources: [ "namespaces" ]
verbs: [ "get", "list", "watch" ]
# The service account needs to list custom resources to query if given feature
# is available or not.
- apiGroups: [ "apiextensions.k8s.io" ]
resources: [ "customresourcedefinitions" ]
verbs: [ "list" ]
{{- end -}}
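Review bot: The guard `if and .Values.giantswarm.rbac.impersonation.groups.enabled (not .Values.giantswarm.rbac.impersonation.users.enabled)` sits inside `if .Values.giantswarm.rbac.impersonation.groups.enabled`, so its first operand is always true and the line reduces to `{{- if not .Values.giantswarm.rbac.impersonation.users.enabled }}`. With the default `resourceNames: []` both `impersonate` rules are unrestricted, meaning the service account can act as any user or group in the cluster, which is exactly the privilege the README's Security section asks operators to scope; the `# impersonation rules for ui calls` comment should state that, e.g. `# Unrestricted unless giantswarm.rbac.impersonation.*.resourceNames is set`. As I understand RBAC, `resourceNames` never matches a `list` request (a list names no object), so with a non-empty `viewSecretsResourceNames` the `list` verb on `secrets` is inert and only `get` of the named secrets is granted; if that is intended, a comment saves the next reader from assuming the server can enumerate secrets.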


@ -0,0 +1,24 @@
{{- if .Values.giantswarm.rbac.create -}}
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: {{ include "chart.fullname" . }}
labels:
{{- include "chart.labels" . | nindent 4 }}
{{- with .Values.giantswarm.rbac.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ include "chart.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ include "chart.fullname" . }}
apiGroup: rbac.authorization.k8s.io
{{- end -}}


@ -0,0 +1,33 @@
{{- if .Values.service.create -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "chart.fullname" . }}
labels:
{{- include "chart.labels" . | nindent 4 }}
annotations:
{{- with .Values.service.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.metrics.enabled }}
{{- tpl (.Values.metrics.service.annotations | toYaml) $ | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
{{- if and (eq .Values.service.type "NodePort") .Values.service.nodePort }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
protocol: TCP
name: http
{{- if .Values.metrics.enabled }}
- port: {{ .Values.metrics.service.port }}
targetPort: {{ .Values.metrics.service.port }}
protocol: TCP
name: http-metrics
{{- end }}
selector:
{{- include "chart.selectorLabels" . | nindent 4 }}
{{- end -}}
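Review bot: The metrics entry uses `targetPort: {{ .Values.metrics.service.port }}` while the http entry targets the named container port `http`; the Deployment in this commit names the metrics container port `http-metrics`, so `targetPort: http-metrics` keeps the Service and the container in sync if the two numbers ever diverge. `annotations:` is written unconditionally and renders as `annotations: null` when `service.annotations` is empty and metrics are disabled; wrapping the key and its two blocks in `{{- if or .Values.service.annotations .Values.metrics.enabled }}` avoids the null value.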


@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "chart.serviceAccountName" . }}
labels:
{{- include "chart.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}


@ -0,0 +1,21 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "chart.fullname" . }}-test-connection"
labels:
{{- include "chart.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: "{{ .Values.image.registry }}/{{ .Values.giantswarm.images.test.image }}:{{ .Values.giantswarm.images.test.tag }}"
imagePullPolicy: {{ .Values.giantswarm.images.test.pullPolicy }}
command: ['wget']
args: ['{{ include "chart.fullname" . }}:{{ .Values.service.port }}']
securityContext:
readOnlyRootFilesystem: true
runAsUser: 1000
resources:
{{- toYaml .Values.giantswarm.resources.test | nindent 8 }}
restartPolicy: Never
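Review bot: The hook runs `wget <service>:<port>` under `readOnlyRootFilesystem: true` with no output option; busybox wget saves the response to a file in the working directory, so the test is likely to fail on the read-only filesystem rather than prove connectivity — `args: ['-O', '-', '{{ include "chart.fullname" . }}:{{ .Values.service.port }}']` (or `--spider`) writes nothing to disk. When `serverTLS.enable` is true the server presumably answers HTTPS on that port, so the plain-HTTP fetch would also fail; the URL scheme should follow that value. The test pod's securityContext stops at `readOnlyRootFilesystem` and `runAsUser`, whereas the server container's defaults in values add `runAsNonRoot`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `seccompProfile: RuntimeDefault`; a namespace enforcing the restricted Pod Security Standard is likely to reject the hook pod, so align the block as below.
```yaml
    securityContext:
      readOnlyRootFilesystem: true
      runAsUser: 1000
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
    # … unchanged: resources, restartPolicy …
```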


@ -0,0 +1,497 @@
{
"$schema": "http://json-schema.org/schema#",
"type": "object",
"properties": {
"adminUser": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"createClusterRole": {
"type": "boolean"
},
"createSecret": {
"type": "boolean"
},
"passwordHash": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"affinity": {
"type": "object"
},
"annotations": {
"type": "object"
},
"envVars": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"value": {
"type": "string"
}
}
}
},
"extraVolumeMounts": {
"type": "array",
"items": {
"type": "object",
"properties": {
"mountPath": {
"type": "string"
},
"name": {
"type": "string"
},
"readOnly": {
"type": "boolean"
}
}
}
},
"extraVolumes": {
"type": "array",
"items": {
"type": "object",
"properties": {
"csi": {
"type": "object",
"properties": {
"driver": {
"type": "string"
},
"readOnly": {
"type": "boolean"
},
"volumeAttributes": {
"type": "object",
"properties": {
"secretProviderClass": {
"type": "string"
}
}
}
}
},
"name": {
"type": "string"
}
}
}
},
"fullnameOverride": {
"type": "string"
},
"giantswarm": {
"type": "object",
"properties": {
"images": {
"type": "object",
"properties": {
"server": {
"type": "object",
"properties": {
"image": {
"type": "string"
},
"pullPolicy": {
"type": "string"
},
"tag": {
"type": "string"
}
}
},
"test": {
"type": "object",
"properties": {
"image": {
"type": "string"
},
"pullPolicy": {
"type": "string"
},
"tag": {
"type": "string"
}
}
}
}
},
"rbac": {
"type": "object",
"properties": {
"additionalRules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"apiGroups": {
"type": "array",
"items": {
"type": "string"
}
},
"resources": {
"type": "array",
"items": {
"type": "string"
}
},
"verbs": {
"type": "array",
"items": {
"type": "string"
}
}
}
}
},
"create": {
"type": "boolean"
},
"impersonation": {
"type": "object",
"properties": {
"groups": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"resourceNames": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"users": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"resourceNames": {
"type": "array",
"items": {
"type": "string"
}
}
}
}
}
},
"viewSecretsResourceNames": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"resources": {
"type": "object",
"properties": {
"vpa":{
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
}
},
"server": {
"type": "object",
"properties": {
"limits": {
"type": "object",
"properties": {
"cpu": {
"type": "string"
},
"memory": {
"type": "string"
}
}
},
"requests": {
"type": "object",
"properties": {
"cpu": {
"type": "string"
},
"memory": {
"type": "string"
}
}
}
}
},
"test": {
"type": "object",
"properties": {
"limits": {
"type": "object",
"properties": {
"cpu": {
"type": "string"
},
"memory": {
"type": "string"
}
}
},
"requests": {
"type": "object",
"properties": {
"cpu": {
"type": "string"
},
"memory": {
"type": "string"
}
}
}
}
}
}
}
}
},
"image": {
"type": "object",
"properties": {
"registry": {
"type": "string"
}
}
},
"imagePullSecrets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
}
}
}
},
"ingress": {
"type": "object",
"properties": {
"annotations": {
"type": "object"
},
"className": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"hosts": {
"type": "array",
"items": {
"type": "object",
"properties": {
"host": {
"type": "string"
},
"paths": {
"type": "array",
"items": {
"type": "object",
"properties": {
"path": {
"type": "string"
},
"pathType": {
"type": "string"
}
}
}
}
}
}
},
"tls": {
"type": "array",
"items": {
"type": "object",
"properties": {
"hosts": {
"type": "array",
"items": {
"type": "string"
}
},
"secretName": {
"type": "string"
}
}
}
}
}
},
"logLevel": {
"type": "string"
},
"metrics": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"service": {
"type": "object",
"properties": {
"annotations": {
"type": "object",
"properties": {
"prometheus.io/path": {
"type": "string"
},
"prometheus.io/port": {
"type": "string"
},
"prometheus.io/scrape": {
"type": "string"
}
}
},
"port": {
"type": "integer"
}
}
}
}
},
"nameOverride": {
"type": "string"
},
"networkPolicy": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
}
}
},
"nodeSelector": {
"type": "object"
},
"oidcSecret": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
}
}
},
"podAnnotations": {
"type": "object"
},
"podLabels": {
"type": "object"
},
"podSecurityContext": {
"type": "object"
},
"replicaCount": {
"type": "integer"
},
"securityContext": {
"type": "object",
"properties": {
"allowPrivilegeEscalation": {
"type": "boolean"
},
"capabilities": {
"type": "object",
"properties": {
"drop": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"readOnlyRootFilesystem": {
"type": "boolean"
},
"runAsNonRoot": {
"type": "boolean"
},
"runAsUser": {
"type": "integer"
},
"seccompProfile": {
"type": "object",
"properties": {
"type": {
"type": "string"
}
}
}
}
},
"serverTLS": {
"type": "object",
"properties": {
"enable": {
"type": "boolean"
},
"secretName": {
"type": "string"
}
}
},
"service": {
"type": "object",
"properties": {
"annotations": {
"type": "object"
},
"create": {
"type": "boolean"
},
"port": {
"type": "integer"
},
"type": {
"type": "string"
}
}
},
"serviceAccount": {
"type": "object",
"properties": {
"annotations": {
"type": "object"
},
"create": {
"type": "boolean"
},
"name": {
"type": "string"
}
}
},
"tolerations": {
"type": "array"
}
}
}
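Review bot: The schema omits several keys the templates in this commit read, so it cannot catch typos in them: `oidcSecret` declares only `create` although `oidc-secret.yaml` requires `clientID`, `clientSecret`, `issuerURL` and `redirectURL`; `additionalArgs` (Deployment), `service.nodePort` (Service), `giantswarm.rbac.annotations` (ClusterRoleBinding) and `kubeVersion` / `global.kubeVersion` (`common.capabilities.kubeVersion`) are absent entirely. Because no object sets `"additionalProperties": false` these gaps are silent, which also means a misspelt key such as `adminUser.createSecrets` passes validation and quietly changes behaviour; add the missing properties (the four OIDC fields as `"type": "string"`) and consider `additionalProperties: false` on the leaf objects whose key sets are fixed. `"vpa":{` is the one key without the space after the colon used everywhere else.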


@ -0,0 +1,206 @@
giantswarm:
images:
server:
image: giantswarm/weaveworks-wego-app
pullPolicy: IfNotPresent
tag: v0.18.0
test:
image: giantswarm/busybox
pullPolicy: IfNotPresent
tag: 1.36.0
resources:
vpa:
enabled: true
server:
limits:
cpu: 200m
memory: 256Mi
requests:
cpu: 100m
memory: 128Mi
test:
requests:
cpu: 10m
memory: 2Mi
limits:
cpu: 10m
memory: 4Mi
rbac:
create: true
impersonation:
users:
enabled: true
# -- If non-empty, this limits the users names that the service account
# can impersonate, e.g. `['user1@corporation.com', 'user2@corporation.com']`
resourceNames: []
groups:
enabled: true
# -- If non-empty, this limits the groups names that the service account
# can impersonate, e.g. `['admins', 'operations', 'devops']`
resourceNames: []
# -- If non-empty, this limits the secrets that can be accessed by
# the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
# -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role.
# for example,
# additionalRules:
# - apiGroups: ["infra.contrib.fluxcd.io"]
# resources: ["terraforms"]
# verbs: [ "get", "list", "patch" ]
additionalRules: []
replicaCount: 1
image:
registry: gsoci.azurecr.io
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# -- What log level to output. Valid levels are 'debug', 'info', 'warn' and 'error'
logLevel: info
# Additional arguments to pass in
# additionalArgs:
# Any other environment variables:
envVars:
- name: WEAVE_GITOPS_FEATURE_TENANCY
value: "true"
- name: WEAVE_GITOPS_FEATURE_CLUSTER
value: "false"
# -- Annotations to add to the deployment
annotations: {}
# Should the 'oidc-auth' secret be created. For a detailed
# explanation of these attributes please see our documentation:
# https://docs.gitops.weave.works/docs/configuration/securing-access-to-the-dashboard/#login-via-an-oidc-provider
oidcSecret:
create: false
# clientID:
# clientSecret:
# issuerURL:
# redirectURL:
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
adminUser:
# -- Whether the local admin user should be created.
# If you use this make sure you add it to `giantswarm.rbac.impersonation.users.resourceNames`.
create: false
# -- Specifies whether the clusterRole & binding to the admin user should be created.
# Will be created only if `adminUser.create` is enabled. Without this,
# the adminUser will only be able to see resources in the target namespace.
createClusterRole: true
# -- Whether we should create the secret for the local
# adminUser. Will be created only if `adminUser.create` is
# enabled. Without this, we'll still set up the roles and
# permissions, but the secret with username and password has to be
# provided separately.
createSecret: true
# -- Set username for local admin user, this should match the value in the secret `cluster-user-auth`
# which can be created with `adminUser.createSecret`. Requires `adminUser.create`.
username: gitops-test-user
# -- (string) Set the password for local admin user. Requires `adminUser.create` and `adminUser.createSecret`
# This needs to have been hashed using bcrypt.
# You can do this via our CLI with `gitops get bcrypt-hash`.
passwordHash: ""
podAnnotations: {}
podLabels: {}
# aadpodidbinding: identity
podSecurityContext: {}
# fsGroup: 2000
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
runAsUser: 1000
readOnlyRootFilesystem: true
service:
create: true
type: ClusterIP
port: 9001
# nodePort:
annotations: {}
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts: []
# - host: chart-example.local
# paths:
# - path: /
# pathType: ImplementationSpecific
#
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
extraVolumes: []
extraVolumeMounts: []
# Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret
# with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the
# secretProviderClass so this will be created by the secrets store CSI driver.
# See https://secrets-store-csi-driver.sigs.k8s.io/topics/sync-as-kubernetes-secret.html
# extraVolumeMounts:
# - name: ww-gitops-oauth-volume
# mountPath: /mnt/secrets
# readOnly: true
# extraVolumes:
# - name: ww-gitops-oauth-volume
# csi:
# driver: secrets-store.csi.k8s.io
# readOnly: true
# volumeAttributes:
# secretProviderClass: ww-gitops-oauth-provider
networkPolicy:
# -- Specifies whether default network policies should be created.
create: true
nodeSelector: {}
tolerations: []
affinity: {}
serverTLS:
# -- Enable TLS termination in gitops itself. If you enable this,
# you need to create a secret, and specify the secretName. Another
# option is to create an ingress.
enable: false
# -- Specify the tls secret name. This type of secrets have a key called `tls.crt` and `tls.key` containing their corresponding values in base64 format.
# See
# https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more details and examples
secretName: "my-secret-tls"
# Example of tls secret
#
# apiVersion: v1
# kind: Secret
# metadata:
# name: my-secret-tls
# type: kubernetes.io/tls
# data:
# # the data is abbreviated in this example
# tls.crt: |
# MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
# tls.key: |
# MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
#
# You can also create a tls secre t from files whith this k8s command:
# kubectl create secret tls my-tls-secret \
# --cert=path/to/cert/file \
# --key=path/to/key/file
metrics:
# -- Start the metrics exporter
enabled: false
service:
# -- Port to start the metrics exporter on
port: 2112
# -- Annotations to set on the service
annotations:
prometheus.io/scrape: "true"
prometheus.io/path: "/metrics"
prometheus.io/port: "{{ .Values.metrics.service.port }}"
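Review bot: The impersonation defaults `resourceNames: []` under both `users` and `groups` leave the service account able to impersonate any user or group, which the README's Security section explicitly recommends narrowing; the comments say only "If non-empty, this limits…", so add `# Empty means no restriction: the service account may impersonate any user` (and the group counterpart) next to them. `adminUser.createClusterRole: true` likewise grants the local admin user cluster-wide read of every resource, secrets included, once `adminUser.create` is switched on; the comment at that key should spell out that scope rather than just "resources in the target namespace". The `serverTLS` example block has a typo, `secre t from files whith` → `secret from files with`. `test.tag: 1.36.0` is only a plain string because it has two dots; quoting it (`"1.36.0"`) avoids a float surprise if the tag is ever shortened, and the `prometheus.io/port` annotation shows the chart already quotes such values.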