First commit

2024-01-08 16:41:03 +01:00 · 2024-01-08 16:41:03 +01:00 · ce5f695d1e
commit ce5f695d1e
3 changed files with 172 additions and 0 deletions
--- a/extensions/vpa.yaml
+++ b/extensions/vpa.yaml
@ -0,0 +1,29 @@
+{{ if (.Values.vpa).enabled }}
+{{ if .Values.resources }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: {{ include "zot.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "zot.labels" . | nindent 4 }}
+spec:
+  resourcePolicy:
+    containerPolicies:
+    - containerName: manager
+      controlledValues: RequestsAndLimits
+      minAllowed:
+        cpu: {{ .Values.resources.requests.cpu }}
+        memory: {{ .Values.resources.requests.memory }}
+      maxAllowed:
+        cpu: {{ .Values.resources.limits.cpu }}
+        memory: {{ .Values.resources.limits.memory }}
+      mode: Auto
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "zot.fullname" . }}
+  updatePolicy:
+    updateMode: Auto
+{{- end }}
+{{- end }}
--- a/helmule.yaml
+++ b/helmule.yaml
@ -0,0 +1,54 @@
+repositories:
+  # -- Because their helm repo seems not to be accessible
+  - name: zot-git
+    git:
+      url: https://github.com/project-zot/helm-charts.git
+      git_ref: zot-0.1.42
+      path: charts
+charts:
+  - name: zot
+    repository: zot-git
+    extensions:
+      - name: All extensions to zop
+        source_dir: ./extensions
+        target_dir: templates/gs-extensions
+    patches:
+      - name: Add team annotation
+        yq:
+          op: Add
+          key: .annotations."application.giantswarm.io/team"
+          value: team-honeybadger
+          file: Chart.yaml
+      - name:
+        yq:
+          op: Add
+          key: .home
+          value: https://github.com/giantswarm/flux-app
+          file: Chart.yaml
+      - name:
+        yq:
+          op: Add
+          key: .engine
+          value: gtpl
+          file: Chart.yaml
+      - name: Regexp patches
+        regexp:
+          path: ./patches
+      - name: yaml-fmt
+        custom_command:
+          commands:
+            - "cat <<EOT >> .yamlfmt\n  formatter:\n    pad_line_comments: 2\nEOT"
+            - yamlfmt values.yaml --conf ./yamlfmt.yaml
+            - rm -f yamlfmt.yaml
+    mirrors:
+      - custom-command
+mirrors:
+  - name: badhouseplants-git
+    git:
+      url: git@git.badhouseplants.net:allanger/zot-app.git
+      branch: upgrade-{{ name }}-to-{{ version }}
+      path: charts/{{ name }}
+      commit: |-
+        chore: mirror {{ name }}-{{ version }}
+
+        upstream_repo: {{ repo_url }}
--- a/patches/values-patches.yaml
+++ b/patches/values-patches.yaml
@ -0,0 +1,89 @@
+---
+name: Replace image repository in values
+targets:
+  - values.yaml
+before: |-
+  image:
+    repository: ghcr.io/project-zot/zot-linux-amd64
+    pullPolicy: IfNotPresent
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: "v2.0.0"
+after: |-
+  image:
+    repository: gsoci/dummy/zot-linux
+    pullPolicy: Always
+    tag: ""
+---
+name: Fix security policies in the deployment
+targets:
+  - templates/deployment.yaml
+before: |-
+          \{\{- toYaml .Values.podSecurityContext .*
+after: |-
+            fsGroup: 1337
+                    {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
+                    {{- with .Values.podSeccompProfile }}
+                    seccompProfile:
+                      {{- . | toYaml | nindent 10 }}
+                    {{- end }}
+                    {{- end }}
+---
+name: Fix security policies in container
+targets:
+  - templates/deployment.yaml
+before: |-
+  \{\{- toYaml .Values.securityContext .*
+after: |-
+            {{- with .Values.containerSecurityContext }}
+                        {{- . | toYaml | nindent 12 }}
+                        {{- end }}
+                        readOnlyRootFilesystem: true
+                        runAsUser: 100
+                        {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
+                        {{- with .Values.seccompProfile }}
+                        seccompProfile:
+                          {{- . | toYaml | nindent 14 }}
+                        {{- end }}
+                        {{- end }}
+---
+name: Fix security policies in test jobs
+targets:
+  - templates/tests/test-connection-fails.yaml
+  - templates/tests/test-connection.yaml
+before: |-
+  spec:
+    containers:
+after: |-
+  spec:
+    securityContext:
+      fsGroup: 1337
+      {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
+      {{- with .Values.podSeccompProfile }}
+      seccompProfile:
+        {{- . | toYaml | nindent 10 }}
+      {{- end }}
+      {{- end }}
+    containers:
+---
+name: Fix security policies in test jobs containers
+targets:
+  - templates/tests/test-connection-fails.yaml
+  - templates/tests/test-connection.yaml
+before: |-
+    containers:
+        - name: wget
+after: |-
+    containers:
+        - name: wget
+          securityContext:
+            {{- with .Values.containerSecurityContext }}
+            {{- . | toYaml | nindent 12 }}
+            {{- end }}
+            readOnlyRootFilesystem: true
+            runAsUser: 100
+            {{- if ge (int .Capabilities.KubeVersion.Minor) 19 }}
+            {{- with .Values.seccompProfile }}
+            seccompProfile:
+              {{- . | toYaml | nindent 14 }}
+            {{- end }}
+            {{- end }}