diff --git a/envs/env-data-schema.ytt.yaml b/envs/env-data-schema.ytt.yaml new file mode 100644 index 0000000..4bae227 --- /dev/null +++ b/envs/env-data-schema.ytt.yaml @@ -0,0 +1,37 @@ +#@data/values-schema +--- +#@overlay/match missing_ok=True +cluster: + domain: "" + ingress: + className: "" + tls: + issuer: "" + storageClass: + block: "" + local: "" + +#@overlay/match missing_ok=True +backups: + enabled: false + s3: + endpoint: "" + region: "" + storagebox: + enabled: false + +#@overlay/match missing_ok=True +ocis: + s3: + external: false + endpoint: "" + region: "" + bucket: "" + +#@overlay/match missing_ok=True +forgejo: + sshPort: 22 + #@schema/type any=True + nodeSelector: {} + backup: + s3Bucket: "" diff --git a/envs/production/env-data.ytt.yaml b/envs/production/env-data.ytt.yaml index cf9e793..f884d68 100644 --- a/envs/production/env-data.ytt.yaml +++ b/envs/production/env-data.ytt.yaml @@ -1,3 +1,5 @@ +#@ load("@ytt:overlay", "overlay") + #@data/values --- environment: @@ -16,3 +18,36 @@ environment: - proto: cloudnative-pg - proto: metrics-server - proto: ocis + +cluster: + domain: tr1ceracop.de + ingress: + className: traefik + tls: + issuer: letsencrypt + storageClass: + block: hcloud-volumes + local: local-path + +backups: + enabled: true + s3: + endpoint: https://fsn1.your-objectstorage.com + region: fsn1 + storagebox: + enabled: true + +ocis: + s3: + external: true + endpoint: https://nbg1.your-objectstorage.com + region: nbg1 + bucket: ocis-tr1ceracop + +forgejo: + sshPort: 222 + #@overlay/replace + nodeSelector: + kubernetes.io/hostname: ubuntu-4gb-nbg1-3 + backup: + s3Bucket: k8s-and-chill-backups diff --git a/prototypes/argocd/app-data.ytt.yaml b/prototypes/argocd/app-data.ytt.yaml index a3ba5fa..eddda3a 100644 --- a/prototypes/argocd/app-data.ytt.yaml +++ b/prototypes/argocd/app-data.ytt.yaml @@ -3,3 +3,4 @@ #@overlay/match-child-defaults missing_ok=True application: namespace: argocd + subdomain: argocd 
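Review bot: `cluster.tls.issuer` is declared as a free-form string, yet every template in this change either branches on it being exactly `letsencrypt` or `mkcert` or forwards the raw value into a `cert-manager.io/cluster-issuer` annotation, so a typo renders no ClusterIssuer while still producing Ingresses that reference one, and the ingress controller quietly serves its default certificate. Constrain the value where it is declared: put `#@schema/validation one_of=["letsencrypt", "mkcert"]` above `issuer: ""`, and `#@schema/validation min_len=1` above `domain: ""` so that the `subdomain + "." + cluster.domain` concatenations elsewhere in this diff cannot render hostnames such as `argocd.` from the empty default. The S3 `endpoint` fields default to `""` as well; they are only meaningful when the matching `enabled`/`external` flag is true, which plain schema validation cannot express unless your ytt version supports a `when=` predicate, so the consuming templates need a render-time check otherwise.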
diff --git a/prototypes/argocd/helm/argo-cd.yaml b/prototypes/argocd/helm/argo-cd.ytt.yaml similarity index 70% rename from prototypes/argocd/helm/argo-cd.yaml rename to prototypes/argocd/helm/argo-cd.ytt.yaml index 92ba777..5abfe19 100644 --- a/prototypes/argocd/helm/argo-cd.yaml +++ b/prototypes/argocd/helm/argo-cd.ytt.yaml @@ -1,10 +1,12 @@ +#@ load("@ytt:data", "data") +#@ host = data.values.application.subdomain + "." + data.values.cluster.domain --- crds: install: true keep: true global: - domain: argocd.tr1ceracop.de + domain: #@ host configs: params: @@ -30,10 +32,10 @@ server: enabled: true ingress: enabled: true - ingressClassName: traefik + ingressClassName: #@ data.values.cluster.ingress.className tls: true annotations: - cert-manager.io/cluster-issuer: letsencrypt + cert-manager.io/cluster-issuer: #@ data.values.cluster.tls.issuer repoServer: metrics: diff --git a/prototypes/cert-manager/ytt/clusterissuer.ytt.yaml b/prototypes/cert-manager/ytt/clusterissuer.ytt.yaml index b0d5e91..f049af3 100644 --- a/prototypes/cert-manager/ytt/clusterissuer.ytt.yaml +++ b/prototypes/cert-manager/ytt/clusterissuer.ytt.yaml @@ -1,5 +1,7 @@ #@ load("@ytt:overlay", "overlay") +#@ load("@ytt:data", "data") +#@ if data.values.cluster.tls.issuer == "letsencrypt": --- apiVersion: cert-manager.io/v1 kind: ClusterIssuer @@ -14,4 +16,5 @@ spec: solvers: - http01: ingress: - ingressClassName: traefik + ingressClassName: #@ data.values.cluster.ingress.className +#@ end diff --git a/prototypes/cert-manager/ytt/mkcert-ca-precheck-job.ytt.yaml b/prototypes/cert-manager/ytt/mkcert-ca-precheck-job.ytt.yaml new file mode 100644 index 0000000..7e06acb --- /dev/null +++ b/prototypes/cert-manager/ytt/mkcert-ca-precheck-job.ytt.yaml 
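Review bot: The new `#@ if data.values.cluster.tls.issuer == "letsencrypt":` guard in clusterissuer.ytt.yaml means the ClusterIssuer only exists when the data value equals that literal, but the ArgoCD and Forgejo ingress annotations in this same change emit the data value verbatim rather than the issuer's name, so the two only agree by convention. If `metadata.name` (outside the hunk) is also the literal `letsencrypt`, bind both to one symbol so they cannot drift, e.g. `#@ issuer = "letsencrypt"` at the top, `#@ if data.values.cluster.tls.issuer == issuer:` and `name: #@ issuer`. Without a schema-level `one_of` on `tls.issuer`, a value such as `letsencrypt-staging` passes rendering with no ClusterIssuer at all, which only shows up later as an Ingress serving the controller's default certificate.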
@@ -0,0 +1,85 @@ +#@ load("@ytt:data", "data") + +#@ ns = data.values.application.namespace + +#@ if data.values.cluster.tls.issuer == "mkcert": +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: mkcert-ca-precheck + namespace: #@ ns + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mkcert-ca-precheck + namespace: #@ ns +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mkcert-ca-precheck + namespace: #@ ns +subjects: + - kind: ServiceAccount + name: mkcert-ca-precheck + namespace: #@ ns +roleRef: + kind: Role + name: mkcert-ca-precheck + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: mkcert-ca-precheck + namespace: #@ ns + annotations: + argocd.argoproj.io/sync-wave: "-1" + argocd.argoproj.io/sync-options: Replace=true +spec: + ttlSecondsAfterFinished: 300 + template: + spec: + serviceAccountName: mkcert-ca-precheck + restartPolicy: OnFailure + securityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + seccompProfile: + type: RuntimeDefault + containers: + - name: precheck + image: alpine/k8s:1.32.3 + command: + - sh + - -c + - | + set -e + if ! kubectl get secret mkcert-ca -n "${NAMESPACE}" >/dev/null 2>&1; then + echo "ERROR: External secret mkcert-ca must be created in ${NAMESPACE} before deploying cert-manager." + echo "Run: mkcert -install && kubectl -n ${NAMESPACE} create secret tls mkcert-ca --cert=\"\$(mkcert -CAROOT)/rootCA.pem\" --key=\"\$(mkcert -CAROOT)/rootCA-key.pem\"" + exit 1 + fi + echo "OK: mkcert-ca exists" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL +#@ end 
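Review bot: The Role grants `get` on every Secret in the cert-manager namespace, but the job only ever reads one secret by name, so it should be scoped with `resourceNames: ["mkcert-ca"]` under the `secrets` rule; `kubectl get secret mkcert-ca` still works with a name-scoped rule, and the precheck's ServiceAccount token then cannot be used to read the issued TLS keys or the CA private key that live in that namespace. The error message also instructs the operator to load `rootCA-key.pem` into the cluster, which is the root key that `mkcert -install` presumably placed in the local trust store; a one-line comment above the `if` such as `# Dev only: this imports the workstation-trusted mkcert root key into the cluster` would make that trade-off visible to whoever copies the command. Consider pinning `alpine/k8s:1.32.3` by digest as well, since this job runs with a token that reads Secrets.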
diff --git a/prototypes/cert-manager/ytt/mkcert-clusterissuer.ytt.yaml b/prototypes/cert-manager/ytt/mkcert-clusterissuer.ytt.yaml new file mode 100644 index 0000000..14e4ed5 --- /dev/null +++ b/prototypes/cert-manager/ytt/mkcert-clusterissuer.ytt.yaml @@ -0,0 +1,12 @@ +#@ load("@ytt:data", "data") + +#@ if data.values.cluster.tls.issuer == "mkcert": +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: mkcert +spec: + ca: + secretName: mkcert-ca +#@ end diff --git a/prototypes/forgejo/app-data.ytt.yaml b/prototypes/forgejo/app-data.ytt.yaml index 7e1e12d..040e565 100644 --- a/prototypes/forgejo/app-data.ytt.yaml +++ b/prototypes/forgejo/app-data.ytt.yaml @@ -3,3 +3,4 @@ #@overlay/match-child-defaults missing_ok=True application: namespace: forgejo + subdomain: git diff --git a/prototypes/forgejo/helm/forgejo.yaml b/prototypes/forgejo/helm/forgejo.ytt.yaml similarity index 74% rename from prototypes/forgejo/helm/forgejo.yaml rename to prototypes/forgejo/helm/forgejo.ytt.yaml index 0d8ba82..642e886 100644 --- a/prototypes/forgejo/helm/forgejo.yaml +++ b/prototypes/forgejo/helm/forgejo.ytt.yaml @@ -1,3 +1,5 @@ +#@ load("@ytt:data", "data") +#@ host = data.values.application.subdomain + "." + data.values.cluster.domain --- strategy: type: Recreate @@ -17,16 +19,16 @@ persistence: ingress: enabled: true hosts: - - host: git.tr1ceracop.de + - host: #@ host paths: - path: / pathType: Prefix tls: - secretName: forgejo-tls hosts: - - git.tr1ceracop.de + - #@ host annotations: - cert-manager.io/cluster-issuer: letsencrypt + cert-manager.io/cluster-issuer: #@ data.values.cluster.tls.issuer service: ssh: @@ -58,9 +60,9 @@ gitea: queue: TYPE: level server: - DOMAIN: git.tr1ceracop.de - ROOT_URL: https://git.tr1ceracop.de/ - SSH_PORT: 222 + DOMAIN: #@ host + ROOT_URL: #@ "https://{}/".format(host) + SSH_PORT: #@ data.values.forgejo.sshPort service: DISABLE_REGISTRATION: true actions: 
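Review bot: Making the mkcert CA a `ClusterIssuer` lets any namespace in the cluster request certificates signed by the `mkcert-ca` key, which — going by the precheck job's instructions in this same change — is the developer's locally trusted mkcert root, so a compromised workload in any namespace could mint certificates that workstation browsers accept. Since the guard already limits this to `tls.issuer == "mkcert"`, add a comment above `kind: ClusterIssuer` such as `# Dev only: signs with the workstation-trusted mkcert root; never enable on a shared cluster`, and consider whether a namespaced `Issuer` plus `cert-manager.io/issuer` annotations would serve the dev case equally well.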
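Review bot: `SSH_PORT: #@ data.values.forgejo.sshPort` only tells Forgejo which port to advertise in clone URLs; the port the chart actually exposes lives in the `service.ssh` block that begins at the end of the earlier ingress hunk and is not visible here, so check that it reads the same data value (e.g. `port: #@ data.values.forgejo.sshPort`) rather than a remaining literal `222`. A mismatch would not fail rendering, it would just hand users an SSH URL that does not connect, and the schema default of `22` makes that easy to hit in a fresh environment. The `ROOT_URL` change is fine; `"https://{}/".format(host)` keeps the trailing slash Forgejo expects.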
diff --git a/prototypes/forgejo/ytt/argocd-deploy-key-job.ytt.yaml b/prototypes/forgejo/ytt/argocd-deploy-key-job.ytt.yaml index 68c0799..87f471b 100644 --- a/prototypes/forgejo/ytt/argocd-deploy-key-job.ytt.yaml +++ b/prototypes/forgejo/ytt/argocd-deploy-key-job.ytt.yaml @@ -1,6 +1,9 @@ #@ load("@ytt:data", "data") #@ ns = data.values.application.namespace +#@ host = data.values.application.subdomain + "." + data.values.cluster.domain +#@ repo_url = "ssh://git@" + host + ":" + str(data.values.forgejo.sshPort) + "/gitea_admin/k8s-and-chill.git" +#@ forgejo_url = "https://" + host --- apiVersion: v1 @@ -51,6 +54,15 @@ spec: containers: - name: init image: alpine/k8s:1.32.3 + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: REPO_URL + value: #@ repo_url + - name: FORGEJO_URL + value: #@ forgejo_url command: - sh - -c @@ -59,8 +71,6 @@ spec: ARGOCD_NS="argocd" REPO_SECRET="forgejo-repo" - REPO_URL="ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git" - FORGEJO_URL="https://git.tr1ceracop.de" REPO_OWNER="gitea_admin" REPO_NAME="k8s-and-chill" @@ -142,8 +152,3 @@ spec: EOSECRET echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace diff --git a/prototypes/forgejo/ytt/cnpg-cluster.ytt.yaml b/prototypes/forgejo/ytt/cnpg-cluster.ytt.yaml index 86a9d3d..9c26d7a 100644 --- a/prototypes/forgejo/ytt/cnpg-cluster.ytt.yaml +++ b/prototypes/forgejo/ytt/cnpg-cluster.ytt.yaml @@ -18,7 +18,7 @@ spec: storage: size: 5Gi - storageClass: hcloud-volumes + storageClass: #@ data.values.cluster.storageClass.block resources: requests: 
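Review bot: `repo_url` now hard-codes `gitea_admin/k8s-and-chill.git` in ytt while the shell script keeps its own `REPO_OWNER="gitea_admin"` and `REPO_NAME="k8s-and-chill"` literals, so the deploy key can be registered on one repository and the ArgoCD repo secret pointed at another if either side is edited alone. Derive both from the same ytt symbols and pass them as env vars, then drop the two shell literals; the script body that consumes them continues outside the hunk. If that script also writes ArgoCD's SSH known hosts, note that with a non-default port the entry has to use the `[host]:port` form to match the `ssh://git@host:port/...` URL.
```yaml
#@ repo_owner = "gitea_admin"
#@ repo_name = "k8s-and-chill"
#@ repo_url = "ssh://git@" + host + ":" + str(data.values.forgejo.sshPort) + "/" + repo_owner + "/" + repo_name + ".git"
# … unchanged: forgejo_url, ServiceAccount, RBAC, Job header …
          env:
            # … unchanged: NAMESPACE, REPO_URL, FORGEJO_URL …
            - name: REPO_OWNER
              value: #@ repo_owner
            - name: REPO_NAME
              value: #@ repo_name
```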
@@ -27,10 +27,11 @@ spec: limits: memory: 512Mi + #@ if data.values.backups.enabled: backup: barmanObjectStore: - endpointURL: https://fsn1.your-objectstorage.com - destinationPath: s3://k8s-and-chill-backups/forgejo/cnpg + endpointURL: #@ data.values.backups.s3.endpoint + destinationPath: #@ "s3://{}/forgejo/cnpg".format(data.values.forgejo.backup.s3Bucket) s3Credentials: accessKeyId: name: forgejo-backup-s3 @@ -44,6 +45,7 @@ spec: compression: gzip retentionPolicy: "30d" target: prefer-standby + #@ end postgresql: parameters: diff --git a/prototypes/forgejo/ytt/cnpg-scheduled-backup.ytt.yaml b/prototypes/forgejo/ytt/cnpg-scheduled-backup.ytt.yaml index a9947b5..f3482c9 100644 --- a/prototypes/forgejo/ytt/cnpg-scheduled-backup.ytt.yaml +++ b/prototypes/forgejo/ytt/cnpg-scheduled-backup.ytt.yaml @@ -2,6 +2,7 @@ #@ ns = data.values.application.namespace +#@ if data.values.backups.enabled: --- apiVersion: postgresql.cnpg.io/v1 kind: ScheduledBackup @@ -15,3 +16,4 @@ spec: method: barmanObjectStore backupOwnerReference: cluster target: prefer-standby +#@ end diff --git a/prototypes/forgejo/ytt/git-pvc.ytt.yaml b/prototypes/forgejo/ytt/git-pvc.ytt.yaml index 54c1963..678adba 100644 --- a/prototypes/forgejo/ytt/git-pvc.ytt.yaml +++ b/prototypes/forgejo/ytt/git-pvc.ytt.yaml @@ -13,7 +13,7 @@ metadata: spec: accessModes: - ReadWriteOnce - storageClassName: hcloud-volumes + storageClassName: #@ data.values.cluster.storageClass.block resources: requests: storage: 20Gi diff --git a/prototypes/forgejo/ytt/git-snapshot-cronjob.ytt.yaml b/prototypes/forgejo/ytt/git-snapshot-cronjob.ytt.yaml index f0691cb..4c37792 100644 --- a/prototypes/forgejo/ytt/git-snapshot-cronjob.ytt.yaml +++ b/prototypes/forgejo/ytt/git-snapshot-cronjob.ytt.yaml 
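Review bot: The `#@ if data.values.backups.enabled:` guard checks the flag but not the values it then interpolates: `forgejo.backup.s3Bucket` and `backups.s3.endpoint` both default to `""` in the new schema, so an environment that flips the flag without filling them renders `destinationPath: s3:///forgejo/cnpg` and an empty `endpointURL`, which CNPG will only reject at archive time, after the cluster is already running without a working WAL archive. Fail at render time instead, directly under the `if`: `#@ load("@ytt:assert", "assert")` and `#@ data.values.forgejo.backup.s3Bucket and data.values.backups.s3.endpoint or assert.fail("backups.enabled requires forgejo.backup.s3Bucket and backups.s3.endpoint")`. The `forgejo-backup-s3` secret reference is now inside the conditional too, so with backups disabled nothing in this Cluster spec depends on it.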
@@ -2,6 +2,43 @@ #@ ns = data.values.application.namespace +#@ s3_endpoint = data.values.backups.s3.endpoint +#@ s3_bucket = data.values.forgejo.backup.s3Bucket + +#@ backup_script = """\ +#@ set -e +#@ apk add --no-cache rclone > /dev/null 2>&1 +#@ +#@ mkdir -p /tmp/rclone +#@ cat > /tmp/rclone/rclone.conf < /dev/null 2>&1 - - mkdir -p /tmp/rclone - cat > /tmp/rclone/rclone.conf < 0: --- apiVersion: v1 kind: ServiceAccount @@ -72,15 +81,7 @@ spec: command: - sh - -c - - | - set -e - for s in ocis-s3-credentials ocis-storagebox-credentials; do - if ! kubectl get secret "$s" -n "${NAMESPACE}" >/dev/null 2>&1; then - echo "ERROR: External secret $s must be created manually before deploying ocis" - exit 1 - fi - echo "OK: $s exists" - done + - #@ "set -e\nfor s in " + " ".join(secrets) + "; do\n if ! kubectl get secret \"$s\" -n \"${NAMESPACE}\" >/dev/null 2>&1; then\n echo \"ERROR: External secret $s must be created manually before deploying ocis\"\n exit 1\n fi\n echo \"OK: $s exists\"\ndone\n" env: - name: NAMESPACE valueFrom: @@ -92,3 +93,4 @@ spec: capabilities: drop: - ALL +#@ end diff --git a/prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml b/prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml index 9d422c3..ecc978d 100644 --- a/prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml +++ b/prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml @@ -2,6 +2,7 @@ #@ ns = data.values.application.namespace +#@ if data.values.backups.enabled and data.values.backups.storagebox.enabled: --- apiVersion: v1 kind: ServiceAccount @@ -110,3 +111,4 @@ spec: - key: ssh-key path: ssh-key defaultMode: 0440 +#@ end diff --git a/prototypes/ocis/ytt/volume-backup-cronjob.ytt.yaml b/prototypes/ocis/ytt/volume-backup-cronjob.ytt.yaml index 1a52974..d55cbaa 100644 --- a/prototypes/ocis/ytt/volume-backup-cronjob.ytt.yaml +++ b/prototypes/ocis/ytt/volume-backup-cronjob.ytt.yaml 
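Review bot: The `@@ -72,15 +81,7 @@` hunk replaces the readable `|` block scalar with a single ytt string expression full of `\n` and `\"` escapes, which makes a script that runs with a Secret-reading ServiceAccount token much harder to review and to diff in future. Keep the script literal and template only the list: pass it through an env var built with `" ".join(secrets)` and iterate over that in the shell, which is equivalent here because the names come from the template, not from user input. The preceding git-snapshot-cronjob hunk on this line is truncated in the page and was not reviewed.
```yaml
          command:
            - sh
            - -c
            - |
              set -e
              for s in ${SECRETS}; do
                if ! kubectl get secret "$s" -n "${NAMESPACE}" >/dev/null 2>&1; then
                  echo "ERROR: External secret $s must be created manually before deploying ocis"
                  exit 1
                fi
                echo "OK: $s exists"
              done
          env:
            - name: SECRETS
              value: #@ " ".join(secrets)
            # … unchanged: NAMESPACE fieldRef …
```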
@@ -19,6 +19,7 @@ #@ {"app": "storagesystem", "pvc": "storagesystem-data"}, #@ ] +#@ if data.values.backups.enabled and data.values.backups.storagebox.enabled: #@ for t in targets: --- apiVersion: batch/v1 @@ -118,3 +119,4 @@ spec: path: ssh-key defaultMode: 0440 #@ end +#@ end diff --git a/rendered/envs/production/forgejo/job-argocd-deploy-key-init.yaml b/rendered/envs/production/forgejo/job-argocd-deploy-key-init.yaml index 5c61724..317f69f 100644 --- a/rendered/envs/production/forgejo/job-argocd-deploy-key-init.yaml +++ b/rendered/envs/production/forgejo/job-argocd-deploy-key-init.yaml @@ -19,8 +19,6 @@ spec: ARGOCD_NS="argocd" REPO_SECRET="forgejo-repo" - REPO_URL="ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git" - FORGEJO_URL="https://git.tr1ceracop.de" REPO_OWNER="gitea_admin" REPO_NAME="k8s-and-chill" @@ -107,6 +105,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: REPO_URL + value: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + - name: FORGEJO_URL + value: https://git.tr1ceracop.de image: alpine/k8s:1.32.3 name: init restartPolicy: OnFailure