allanger
/
helmule-gs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Activity

Add gitops-server
ci/woodpecker/push/woodpecker Pipeline failed Details

This commit is contained in:
Nikolai Rodionov 2024-01-10 15:52:19 +01:00
parent ff4f8ef910
commit e55a24dbd6
Signed by: allanger
GPG Key ID: 0AA46A90E25592AD
5 changed files with 649 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
extensions/vpa-gitops-server/vpa.yaml Normal file
View File

@ -0,0 +1,27 @@
{{ if eq (include "resource.vpa.enabled" .) "true" }}
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
name: gitops-server
namespace: {{ .Release.Namespace }}
labels:
{{- include "chart.labels" . | nindent 4 }}
spec:
resourcePolicy:
containerPolicies:
- containerName: {{ .Chart.Name }}
controlledValues: RequestsAndLimits
minAllowed:
cpu: {{ .Values.giantswarm.resources.server.requests.cpu }}
memory: {{ .Values.giantswarm.resources.server.requests.memory }}
maxAllowed:
cpu: 1000m
memory: 1000Mi
mode: Auto
targetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "chart.fullname" . }}
updatePolicy:
updateMode: Auto
{{ end }}

90
helmule.yaml
View File

@ -1,3 +1,6 @@
variables:
global: example
repositories:
# -- Because their helm repo seems not to be accessible
- name: zot-git
@ -6,7 +9,13 @@ repositories:
git_ref: main
# git_ref: zot-0.1.42
path: charts
- name: weave
helm:
url: https://helm.gitops.weave.works
charts:
# -------------------------------------------------------------------
# -- Zot Application
# -------------------------------------------------------------------
- name: zot
repository: zot-git
extensions:
@ -16,6 +25,8 @@ charts:
- name: Add values for CI
source_dir: ./extensions/ci-values
target_dir: ci
variables:
target_repo: zot-app
patches:
- name: Add team annotation
yq:
@ -48,14 +59,85 @@ charts:
- yamlfmt values.yaml --conf ./yamlfmt.yaml
- rm -f yamlfmt.yaml
mirrors:
- zot-app-git
- apps-git
# -------------------------------------------------------------------
# -- GitOps Server Application
# -------------------------------------------------------------------
- name: weave-gitops
repository: weave
version: 4.0.15
variables:
target_repo: app-gitops-server
mirrors:
- apps-git
extensions:
- name: Add VPA
source_dir: ./extensions/vpa-gitops-server
target_dir: templates/gs-vpa
patches:
- name: Git patch
git:
path: ./patches/git/gitops-server.patch
- name: Generate values.schema
custom_command:
commands:
- helm schema-gen values.yaml > values.schema.json
- name: Git patch for values schema
git:
path: ./patches/git/gitops-server-values-schema.patch
- name: Git patch for test-job security
git:
path: ./patches/git/gitops-server-test-job.patch
# -- Update Chart.ymal
- name: Change the chart name
yq:
op: Replace
file: Chart.yaml
key: .name
value: gitops-server
- name: Set the home URL
yq:
op: Add
file: Chart.yaml
key: .home
value: https://github.com/giantswarm/gitops-server-app
- name: set the icon url
yq:
op: Add
file: Chart.yaml
key: .icon
value: https://s.giantswarm.io/app-icons/weaveworks/1/icon_light.svg
- name: Add keywords
yq:
op: Add
file: Chart.yaml
key: .keywords
value: '["gitops", "flux"]'
- name: Add team annotation
yq:
op: Add
key: .annotations."application.giantswarm.io/team"
value: team-honeybadger
file: Chart.yaml
- name: Add team annotation
yq:
op: Add
key: .annotations."config.giantswarm.io/version"
value: 1.x.x
file: Chart.yaml
- name: yamlfmt
custom_command:
commands:
- "cat <<EOT >> .yamlfmt\n formatter:\n pad_line_comments: 2\nEOT"
- yamlfmt values.yaml --conf ./yamlfmt.yaml
- rm -f yamlfmt.yaml
mirrors:
- name: zot-app-git
- name: apps-git
git:
url: git@git.badhouseplants.net:allanger/zot-app.git
url: git@git.badhouseplants.net:allanger/{{ vars.target_repo }}.git
git_dir: app-{{ name }}-git
branch: upgrade-{{ name }}-to-{{ version }}
path: helm/{{ name }}
commit: |-
chore: mirror {{ name }}-{{ version }}
upstream_repo: {{ repo_url }}

19
patches/git/gitops-server-test-job.patch Normal file
View File

@ -0,0 +1,19 @@
diff --git a/templates/tests/test-connection.yaml b/templates/tests/test-connection.yaml
index 8dfed87..b4b98bc 100644
--- a/templates/tests/test-connection.yaml
+++ b/templates/tests/test-connection.yaml
@@ -9,7 +9,13 @@ metadata:
spec:
containers:
- name: wget
- image: busybox
+ image: "{{ .Values.image.registry }}/{{ .Values.giantswarm.images.test.image }}:{{ .Values.giantswarm.images.test.tag }}"
+ imagePullPolicy: {{ .Values.giantswarm.images.test.pullPolicy }}
command: ['wget']
args: ['{{ include "chart.fullname" . }}:{{ .Values.service.port }}']
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsUser: 1000
+ resources:
+ {{- toYaml .Values.giantswarm.resources.test | nindent 8 }}
restartPolicy: Never

210
patches/git/gitops-server-values-schema.patch Normal file
View File

@ -0,0 +1,210 @@
diff --git a/values.schema.json b/values.schema.json
index f759f82..c0762fa 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -43,10 +43,51 @@
}
},
"extraVolumeMounts": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "mountPath": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ }
+ }
},
"extraVolumes": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "csi": {
+ "type": "object",
+ "properties": {
+ "driver": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeAttributes": {
+ "type": "object",
+ "properties": {
+ "secretProviderClass": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "name": {
+ "type": "string"
+ }
+ }
+ }
},
"fullnameOverride": {
"type": "string"
@@ -91,7 +132,30 @@
"type": "object",
"properties": {
"additionalRules": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "apiGroups": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "resources": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "verbs": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
},
"create": {
"type": "boolean"
@@ -106,7 +170,10 @@
"type": "boolean"
},
"resourceNames": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
}
}
},
@@ -117,7 +184,10 @@
"type": "boolean"
},
"resourceNames": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
}
}
}
@@ -134,6 +204,14 @@
"resources": {
"type": "object",
"properties": {
+ "vpa":{
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ },
"server": {
"type": "object",
"properties": {
@@ -187,14 +265,6 @@
}
}
}
- },
- "vpa": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean"
- }
- }
}
}
}
@@ -209,7 +279,15 @@
}
},
"imagePullSecrets": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ }
+ }
},
"ingress": {
"type": "object",
@@ -224,10 +302,46 @@
"type": "boolean"
},
"hosts": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "paths": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "pathType": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
},
"tls": {
- "type": "array"
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "hosts": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "secretName": {
+ "type": "string"
+ }
+ }
+ }
}
}
},

307
patches/git/gitops-server.patch Normal file
View File

@ -0,0 +1,307 @@
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index af32c5b..1fdf723 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -39,6 +39,7 @@ helm.sh/chart: {{ include "chart.chart" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
+application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
@@ -75,3 +76,16 @@ Return the target Kubernetes version
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
{{- end -}}
{{- end -}}
+
+{{- define "resource.vpa.enabled" -}}
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.giantswarm.resources.vpa.enabled) }}true{{ else }}false{{ end }}
+{{- end -}}
+
+{{- define "deployment.resources" -}}
+requests:
+{{ toYaml .Values.giantswarm.resources.server.requests | indent 2 -}}
+{{ if eq (include "resource.vpa.enabled" .) "false" }}
+limits:
+{{ toYaml .Values.giantswarm.resources.server.limits | indent 2 -}}
+{{- end -}}
+{{- end -}}
diff --git a/templates/admin-user-roles.yaml b/templates/admin-user-roles.yaml
index 74a1844..c0fa72c 100644
--- a/templates/admin-user-roles.yaml
+++ b/templates/admin-user-roles.yaml
@@ -30,8 +30,8 @@ rules:
resources: ["terraforms"]
verbs: [ "get", "list", "watch", "patch" ]
-{{- if gt (len $.Values.rbac.additionalRules) 0 -}}
-{{- toYaml $.Values.rbac.additionalRules | nindent 2 -}}
+{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}}
+{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}}
{{- end }}
{{- if .Values.adminUser.createClusterRole }}
---
@@ -72,8 +72,8 @@ rules:
resources: [ "providers", "alerts" ]
verbs: [ "get", "list", "watch", "patch" ]
-{{- if gt (len $.Values.rbac.additionalRules) 0 -}}
-{{- toYaml $.Values.rbac.additionalRules | nindent 2 -}}
+{{- if gt (len $.Values.giantswarm.rbac.additionalRules) 0 -}}
+{{- toYaml $.Values.giantswarm.rbac.additionalRules | nindent 2 -}}
{{- end -}}
{{- end }}
{{- end }}
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index a54c37c..a498259 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -36,8 +36,8 @@ spec:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
+ image: "{{ .Values.image.registry }}/{{ .Values.giantswarm.images.server.image }}:{{ .Values.giantswarm.images.server.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.giantswarm.images.server.pullPolicy }}
args:
- "--log-level"
- "{{ .Values.logLevel }}"
@@ -88,7 +88,7 @@ spec:
{{- end }}
{{- end }}
resources:
- {{- toYaml .Values.resources | nindent 12 }}
+ {{- include "deployment.resources" . | nindent 12 }}
{{- if or .Values.serverTLS.enable .Values.extraVolumeMounts }}
volumeMounts:
{{- end }}
diff --git a/templates/role.yaml b/templates/role.yaml
index b292176..5a55339 100644
--- a/templates/role.yaml
+++ b/templates/role.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if .Values.giantswarm.rbac.create -}}
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- else }}
@@ -6,32 +6,39 @@ apiVersion: rbac.authorization.k8s.io/v1
{{- end }}
kind: ClusterRole
metadata:
- name: {{ include "chart.fullname" . }}
+ name: {{ include "chart.fullname" . }}
rules:
# impersonation rules for ui calls
+ {{- if .Values.giantswarm.rbac.impersonation.users.enabled }}
- apiGroups: [""]
- resources: {{ .Values.rbac.impersonationResources | toJson }}
+ resources: ["users"]
verbs: [ "impersonate" ]
- {{- with .Values.rbac.impersonationResourceNames }}
+ {{- with .Values.giantswarm.rbac.impersonation.users.resourceNames }}
resourceNames: {{ . | toJson }}
{{- end }}
+ {{- end }}
+ {{- if .Values.giantswarm.rbac.impersonation.groups.enabled }}
+ {{- if and .Values.giantswarm.rbac.impersonation.groups.enabled (not .Values.giantswarm.rbac.impersonation.users.enabled) }}
+ {{- fail "Enabling impersonation for groups requires users impersonation permissions, see https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation" }}
+ {{- end }}
+ - apiGroups: [""]
+ resources: ["groups"]
+ verbs: [ "impersonate" ]
+ {{- with .Values.giantswarm.rbac.impersonation.groups.resourceNames }}
+ resourceNames: {{ . | toJson }}
+ {{- end }}
+ {{- end }}
# Access to enterprise entitlement
- apiGroups: [""]
resources: [ "secrets" ]
verbs: [ "get", "list" ]
- {{- if and .Values.rbac.viewSecrets .Values.rbac.viewSecretsResourceNames }}
- {{- fail "You've supplied both rbac.viewSecrets and rbac.viewSecretsResourceNames. Please only use rbac.viewSecretsResourceNames" }}
- {{- end }}
- # or should return the first non-falsy result
- {{- with (or .Values.rbac.viewSecretsResourceNames .Values.rbac.viewSecrets) }}
+ {{- with .Values.giantswarm.rbac.viewSecretsResourceNames }}
resourceNames: {{ . | toJson }}
{{- end }}
-
# The service account needs to read namespaces to know where it can query
- apiGroups: [ "" ]
resources: [ "namespaces" ]
verbs: [ "get", "list", "watch" ]
-
# The service account needs to list custom resources to query if given feature
# is available or not.
- apiGroups: [ "apiextensions.k8s.io" ]
diff --git a/templates/rolebinding.yaml b/templates/rolebinding.yaml
index b8756fe..df718ff 100644
--- a/templates/rolebinding.yaml
+++ b/templates/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if .Values.giantswarm.rbac.create -}}
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- else }}
@@ -9,7 +9,7 @@ metadata:
name: {{ include "chart.fullname" . }}
labels:
{{- include "chart.labels" . | nindent 4 }}
- {{- with .Values.rbac.annotations }}
+ {{- with .Values.giantswarm.rbac.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
diff --git a/values.yaml b/values.yaml
index 374ad32..7b3b35f 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1,16 +1,57 @@
-# Default values for chart.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
+giantswarm:
+ images:
+ server:
+ image: giantswarm/weaveworks-wego-app
+ pullPolicy: IfNotPresent
+ tag: v0.18.0
+ test:
+ image: giantswarm/busybox
+ pullPolicy: IfNotPresent
+ tag: 1.36.0
+ resources:
+ vpa:
+ enabled: true
+ server:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ test:
+ requests:
+ cpu: 10m
+ memory: 2Mi
+ limits:
+ cpu: 10m
+ memory: 4Mi
+ rbac:
+ create: true
+ impersonation:
+ users:
+ enabled: true
+ # -- If non-empty, this limits the users names that the service account
+ # can impersonate, e.g. `['user1@corporation.com', 'user2@corporation.com']`
+ resourceNames: []
+ groups:
+ enabled: true
+ # -- If non-empty, this limits the groups names that the service account
+ # can impersonate, e.g. `['admins', 'operations', 'devops']`
+ resourceNames: []
+ # -- If non-empty, this limits the secrets that can be accessed by
+ # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
+ viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
+ # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role.
+ # for example,
+ # additionalRules:
+ # - apiGroups: ["infra.contrib.fluxcd.io"]
+ # resources: ["terraforms"]
+ # verbs: [ "get", "list", "patch" ]
+ additionalRules: []
-# Note: paragraphs starting with `# --` will end up in our manual -
-# see https://github.com/norwoodj/helm-docs
replicaCount: 1
image:
- # FIXME check the app name
- repository: ghcr.io/weaveworks/wego-app
- pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
- tag: "v0.18.0"
+ registry: gsoci.azurecr.io
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
@@ -43,28 +84,9 @@ serviceAccount:
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
-rbac:
- # -- Specifies whether the clusterRole & binding to the service account should be created
- create: true
- # -- If non-empty, this limits the resources that the service
- # account can impersonate. This applies to both users and groups, e.g.
- # `['user1@corporation.com', 'user2@corporation.com', 'operations']`
- impersonationResourceNames: []
- # -- Limit the type of principal that can be impersonated
- impersonationResources: ["users", "groups"]
- # -- If non-empty, this limits the secrets that can be accessed by
- # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
- viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
- # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role.
- # for example,
- # additionalRules:
- # - apiGroups: ["infra.contrib.fluxcd.io"]
- # resources: ["terraforms"]
- # verbs: [ "get", "list", "patch" ]
- additionalRules: []
adminUser:
# -- Whether the local admin user should be created.
- # If you use this make sure you add it to `rbac.impersonationResourceNames`.
+ # If you use this make sure you add it to `giantswarm.rbac.impersonation.users.resourceNames`.
create: false
# -- Specifies whether the clusterRole & binding to the admin user should be created.
# Will be created only if `adminUser.create` is enabled. Without this,
@@ -82,7 +104,7 @@ adminUser:
# -- (string) Set the password for local admin user. Requires `adminUser.create` and `adminUser.createSecret`
# This needs to have been hashed using bcrypt.
# You can do this via our CLI with `gitops get bcrypt-hash`.
- passwordHash:
+ passwordHash: ""
podAnnotations: {}
podLabels: {}
# aadpodidbinding: identity
@@ -111,7 +133,7 @@ ingress:
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
- hosts:
+ hosts: []
# - host: chart-example.local
# paths:
# - path: /
@@ -123,8 +145,8 @@ ingress:
# - chart-example.local
extraVolumes: []
extraVolumeMounts: []
-# Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret
-# with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the
+# Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret
+# with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the
# secretProviderClass so this will be created by the secrets store CSI driver.
# See https://secrets-store-csi-driver.sigs.k8s.io/topics/sync-as-kubernetes-secret.html
# extraVolumeMounts:
@@ -138,17 +160,6 @@ extraVolumeMounts: []
# readOnly: true
# volumeAttributes:
# secretProviderClass: ww-gitops-oauth-provider
-resources: {}
-# We usually recommend not to specify default resources and to leave this as a conscious
-# choice for the user. This also increases chances charts run on environments with little
-# resources, such as Minikube. If you do want to specify resources, uncomment the following
-# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-# limits:
-# cpu: 100m
-# memory: 128Mi
-# requests:
-# cpu: 100m
-# memory: 128Mi
networkPolicy:
# -- Specifies whether default network policies should be created.