From bf3005343ef6e07fe6b2174899300215b12a03d5 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 4 Nov 2021 07:39:40 +0000 Subject: [PATCH 001/147] Bumped binary / provider versions --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- terraform/variables.tf | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 46ea5eb..bf8f00f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -66,7 +66,7 @@ env: # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases TFLINT_RULESET_AZURERM_VERSION: "v0.13.2" # https://github.com/terraform-linters/tflint/releases - TFLINT_VERSION: "v0.33.0" + TFLINT_VERSION: "v0.33.1" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 4e1f5a3..638819b 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -55,7 +55,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.8" + TF_VERSION: "1.0.10" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: diff --git a/terraform/variables.tf b/terraform/variables.tf index 3ebd3fa..f53f581 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -6,7 +6,7 @@ # https://github.com/Azure/AKS/releases # az aks get-versions --location eastus --output table variable "kubernetes_version" { - default = "1.20.9" + default = "1.21.2" } # Helm charts 
@@ -26,7 +26,7 @@ variable "nginx_chart_version" { # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.5.4" + default = "v1.6.1" } # https://github.com/vmware-tanzu/helm-charts/releases From 75c9131801006e6df0c148b8686cd1c1415c058b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 15 Nov 2021 07:53:41 +0000 Subject: [PATCH 002/147] Bumped binary / provider versions --- .github/workflows/build.yml | 4 ++-- .github/workflows/destroy.yml | 2 +- terraform/variables.tf | 2 +- terraform/versions.tf | 6 +++--- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bf8f00f..59376f3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -61,10 +61,10 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.10" + TF_VERSION: "1.0.11" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases - TFLINT_RULESET_AZURERM_VERSION: "v0.13.2" + TFLINT_RULESET_AZURERM_VERSION: "v0.14.0" # https://github.com/terraform-linters/tflint/releases TFLINT_VERSION: "v0.33.1" diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 638819b..ad8a6b0 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -55,7 +55,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.10" + TF_VERSION: "1.0.11" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: diff --git a/terraform/variables.tf b/terraform/variables.tf index f53f581..7458bc7 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -90,7 +90,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.26.3" + default = "3.26.8" } # https://hub.docker.com/r/argoproj/argocd/tags diff --git a/terraform/versions.tf b/terraform/versions.tf index 499e410..4a74b0d 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,13 +23,13 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.83.0" + version = "~> 2.85.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.8.0" + version = "~> 2.9.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases @@ -41,7 +41,7 @@ terraform { # https://github.com/hashicorp/terraform-provider-helm/releases helm = { source = "hashicorp/helm" - version = "~> 2.2.0" + version = "~> 2.4.1" } random = { From 6b08372cd3150a3131b23f192e7dea8b46ba4b2e Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 15 Nov 2021 07:58:52 +0000 Subject: [PATCH 003/147] Removed trigger for starred repo --- .github/workflows/build.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 59376f3..1d7cff7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -7,10 +7,6 @@ name: build # name of GitHub event that triggers workflow # https://help.github.com/en/actions/reference/events-that-trigger-workflows#watch-event-watch on: - # trigger when I star my own repo - watch: - types: [started] - # trigger via webhook # https://github.com/adamrushuk/devops-lab/blob/master/TriggerCustomAction.ps1#L28 repository_dispatch: From d317deebcf1ffac4113f149b0e06561e4d58dc21 Mon Sep 17 00:00:00 2001 
From: Adam Rush
Date: Mon, 15 Nov 2021 09:55:31 +0000
Subject: [PATCH 004/147] Added multiple list for_each loop terraform example
---
 .../README.md | 28 ++++
 .../main.tf | 133 ++++++++++++++++++
 2 files changed, 161 insertions(+)
 create mode 100644 terraform/examples/setproduct-multiple-list-variations/README.md
 create mode 100644 terraform/examples/setproduct-multiple-list-variations/main.tf
diff --git a/terraform/examples/setproduct-multiple-list-variations/README.md b/terraform/examples/setproduct-multiple-list-variations/README.md
new file mode 100644
index 0000000..d2399b9
--- /dev/null
+++ b/terraform/examples/setproduct-multiple-list-variations/README.md
@@ -0,0 +1,28 @@
+# setproduct example
+
+## usage
+
+```bash
+# init
+cd terraform/examples/setproduct-multiple-list-variations
+terraform init
+
+# show plan
+terraform plan
+
+# enter console
+terraform console
+
+# output locals to view data structures
+# show all list variations
+local.role_scopes_product
+
+# show the map of lists
+local.role_scopes_map_of_lists
+
+# show the nested map
+local.role_scopes_map_of_maps
+
+# show plan
+terraform plan
+```
diff --git a/terraform/examples/setproduct-multiple-list-variations/main.tf b/terraform/examples/setproduct-multiple-list-variations/main.tf
new file mode 100644
index 0000000..0505e77
--- /dev/null
+++ b/terraform/examples/setproduct-multiple-list-variations/main.tf
@@ -0,0 +1,133 @@
+# Create all possible combinations from two lists, and loop through result to assign roles
+# https://www.terraform.io/docs/language/functions/setproduct.html
+
+provider "azurerm" {
+ features {}
+}
+
+terraform {
+ required_version = ">= 0.13"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 2.85.0"
+ }
+ }
+}
+
+locals {
+ roles = [
+ "Storage Blob Data Owner",
+ "Key Vault Contributor",
+ ]
+ scopes = [
+ "/subscriptions/SUB_NAME/resourceGroups/rg1",
+ "/subscriptions/SUB_NAME/resourceGroups/rg2",
+ ]
+
+ role_scopes_product = setproduct(local.roles, local.scopes)
+
+ # Setproduct produces a structure like this for role_scopes_product:
+ # [
+ # [
+ # "Storage Blob Data Owner",
+ # "/subscriptions/SUB_NAME/resourceGroups/rg1",
+ # ],
+ # [
+ # "Storage Blob Data Owner",
+ # "/subscriptions/SUB_NAME/resourceGroups/rg2",
+ # ],
+ # [
+ # "Key Vault Contributor",
+ # "/subscriptions/SUB_NAME/resourceGroups/rg1",
+ # ],
+ # [
+ # "Key Vault Contributor",
+ # "/subscriptions/SUB_NAME/resourceGroups/rg2",
+ # ],
+ # ]
+
+
+ # Build a map from the above "list of lists", using a compound key of both list values, and the map value being the original list of the role and scope
+ role_scopes_map_of_lists = { for role_scope in local.role_scopes_product : "${role_scope[0]}-${role_scope[1]}" => role_scope }
+
+ # role_scopes_map_of_lists looks like this:
+ # {
+ # "Key Vault Contributor-/subscriptions/SUB_NAME/resourceGroups/rg1" = [
+ # "Key Vault Contributor",
+ # "/subscriptions/SUB_NAME/resourceGroups/rg1",
+ # ]
+ # "Key Vault Contributor-/subscriptions/SUB_NAME/resourceGroups/rg2" = [
+ # "Key Vault Contributor",
+ # "/subscriptions/SUB_NAME/resourceGroups/rg2",
+ # ]
+ # "Storage Blob Data Owner-/subscriptions/SUB_NAME/resourceGroups/rg1" = [
+ # "Storage Blob Data Owner",
+ # "/subscriptions/SUB_NAME/resourceGroups/rg1",
+ # ]
+ # "Storage Blob Data Owner-/subscriptions/SUB_NAME/resourceGroups/rg2" = [
+ # "Storage Blob Data Owner",
+ # "/subscriptions/SUB_NAME/resourceGroups/rg2",
+ # ]
+ # }
+
+
+ role_scopes_map_of_maps = {
+ for role_scope in local.role_scopes_product : "${role_scope[0]}-${role_scope[1]}" => {
+ "role_name" = role_scope[0],
+ "scope" = role_scope[1]
+ }
+ }
+
+ # role_scopes_map_of_maps looks like this:
+ # {
+ # "Key Vault Contributor-/subscriptions/SUB_NAME/resourceGroups/rg1" = {
+ # "role_name" = "Key Vault Contributor"
+ # "scope" = "/subscriptions/SUB_NAME/resourceGroups/rg1"
+ # }
+ # "Key Vault Contributor-/subscriptions/SUB_NAME/resourceGroups/rg2" = {
+ # "role_name" = "Key Vault Contributor"
+ # "scope" = "/subscriptions/SUB_NAME/resourceGroups/rg2"
+ # }
+ # "Storage Blob Data Owner-/subscriptions/SUB_NAME/resourceGroups/rg1" = {
+ # "role_name" = "Storage Blob Data Owner"
+ # "scope" = "/subscriptions/SUB_NAME/resourceGroups/rg1"
+ # }
+ # "Storage Blob Data Owner-/subscriptions/SUB_NAME/resourceGroups/rg2" = {
+ # "role_name" = "Storage Blob Data Owner"
+ # "scope" = "/subscriptions/SUB_NAME/resourceGroups/rg2"
+ # }
+ # }
+}
+
+# resource groups
+resource "azurerm_resource_group" "rg1" {
+ name = "rg1"
+ location = "uksouth"
+}
+
+resource "azurerm_resource_group" "rg2" {
+ name = "rg2"
+ location = "uksouth"
+}
+
+data "azurerm_client_config" "current" {}
+data "azuread_service_principal" "current" {
+ application_id = data.azurerm_client_config.current.client_id
+}
+
+# maps of lists loop example
+resource "azurerm_role_assignment" "map_of_lists" {
+ for_each = local.role_scopes_map_of_lists
+ scope = each.value[1]
+ role_definition_name = each.value[0]
+ principal_id = "MY_USER_ID"
+}
+
+# maps of maps loop example
+resource "azurerm_role_assignment" "map_of_maps" {
+ for_each = local.role_scopes_map_of_maps
+ scope = each.value.scope
+ role_definition_name = each.value.role_name
+ principal_id = data.azuread_service_principal.current.object_id
+}
From 8831b93b7f97b6a1160d1861a1cfb315c3afaddd Mon Sep 17 00:00:00 2001
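Review bot: In `azurerm_role_assignment.map_of_lists` the `principal_id = "MY_USER_ID"` placeholder is not an object id, so that resource is rejected as soon as it is applied, and `local.scopes` hard-codes `/subscriptions/SUB_NAME/resourceGroups/rg1` and `rg2` even though the file creates `azurerm_resource_group.rg1` and `rg2` itself. Building the list from the created groups, `scopes = [azurerm_resource_group.rg1.id, azurerm_resource_group.rg2.id]`, keeps the assignments on resources this config owns and gives Terraform the dependency edge. `data "azuread_service_principal"` is also used while `required_providers` declares only `azurerm`, so the azuread provider is pulled in implicitly with no version constraint; an `azuread = { source = "hashicorp/azuread" }` entry with a version pins it. A one-line comment that `map_of_maps` grants both roles to the identity running Terraform (looked up by `client_id`) would make the example's effect explicit to whoever applies it.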
From: Adam Rush Date: Sun, 13 Feb 2022 08:24:10 +0000 Subject: [PATCH 005/147] Removed extension --- .devcontainer/devcontainer.json | 1 - 1 file changed, 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index a781456..5c07f87 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -27,7 +27,6 @@ "ms-vscode.azurecli", "ms-azuretools.vscode-docker", "aaron-bond.better-comments", - "coenraads.bracket-pair-colorizer-2", "eamodio.gitlens", "ms-kubernetes-tools.vscode-kubernetes-tools", "yzhang.markdown-all-in-one", From 042f9a5cbdfc028db8e1aa2c54930a9ab91b7cff Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 13 Feb 2022 08:24:21 +0000 Subject: [PATCH 006/147] Fixed formatting --- ansible/site.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/ansible/site.yml b/ansible/site.yml index 1854036..654a21a 100644 --- a/ansible/site.yml +++ b/ansible/site.yml @@ -27,20 +27,20 @@ validate_certs: false tasks: - # ROLES - - import_role: - name: init - - import_role: - name: user - - import_role: - name: nuget_repo - - import_role: - name: chocolatey_repo - - import_role: - name: docker_repo - - import_role: - name: helm_repo -# - import_role: -# name: pypi_repo - - import_role: - name: raw_repo + # ROLES + - import_role: + name: init + - import_role: + name: user + - import_role: + name: nuget_repo + - import_role: + name: chocolatey_repo + - import_role: + name: docker_repo + - import_role: + name: helm_repo + # - import_role: + # name: pypi_repo + - import_role: + name: raw_repo From f007882cca344666c8b502e71776f072ce257cdd Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 13 Feb 2022 08:24:51 +0000 Subject: [PATCH 007/147] Added csi disk expand script --- scripts/aks-csi-disk-expand.sh | 37 ++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 scripts/aks-csi-disk-expand.sh 
diff --git a/scripts/aks-csi-disk-expand.sh b/scripts/aks-csi-disk-expand.sh
new file mode 100644
index 0000000..5d2b4a5
--- /dev/null
+++ b/scripts/aks-csi-disk-expand.sh
@@ -0,0 +1,37 @@
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/master/deploy/example/pvc-azuredisk-csi.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/master/deploy/example/nginx-pod-azuredisk.yaml
+
+# check disk size in pod
+kubectl exec -it nginx-azuredisk -- df -h /mnt/azuredisk
+
+ Filesystem Size Used Available Use% Mounted on
+ /dev/sdd 9.7G 36.0K 9.7G 0% /mnt/azuredisk
+
+# delete pod top unattach disk
+kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/master/deploy/example/nginx-pod-azuredisk.yaml
+
+
+
+# TODO: add code that waits for disk state to be "unattached"
+# where tag is: "kubernetes.io-created-for-pvc-name": "pvc-azuredisk"
+PVC_NAME='pvc-azuredisk'
+while true; do
+ # body
+ az disk list --query "[?tags.\"kubernetes.io-created-for-pvc-name\" == '$PVC_NAME'].{state:diskState, diskSizeGb:diskSizeGb, name:name, pvcname:tags.\"kubernetes.io-created-for-pvc-name\"}" -o table
+ echo
+ sleep 2
+done
+
+
+
+# expand pvc
+kubectl patch pvc pvc-azuredisk --type merge --patch '{"spec": {"resources": {"requests": {"storage": "15Gi"}}}}'
+
+# create pod again
+kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/master/deploy/example/nginx-pod-azuredisk.yaml
+
+# check disk size in pod
+kubectl exec -it nginx-azuredisk -- df -h /mnt/azuredisk
+
+
+
From 7cfb171175f910ef25ba03acffd78ab0e3ec37de Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sun, 13 Feb 2022 08:27:09 +0000
Subject: [PATCH 008/147] Added tf files to ignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index b07bc59..cc9c108 100644
--- a/.gitignore
+++ b/.gitignore
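Review bot: The `while true; do … done` loop under the TODO never exits: it prints the disk table every 2 s but tests nothing about `diskState`, so anyone running the file as written never reaches the `kubectl patch` that expands the PVC. A loop that reads the state and stops once the disk is detached does what the TODO asks, e.g. `until [ "$(az disk list --query "[?tags.\"kubernetes.io-created-for-pvc-name\" == '$PVC_NAME'].diskState | [0]" -o tsv)" = "Unattached" ]; do sleep 2; done`. The two pasted output lines (`Filesystem Size …` and `/dev/sdd 9.7G …`) are not commented out, so they execute as commands if the file is run rather than read; prefix them with `#`. The file also has no shebang and no `set -euo pipefail`, so it reads as a runbook rather than a script — a header comment saying so would make that explicit.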
@@ -1,5 +1,6 @@ # Misc .terraform +.terraform.* terraform.tfstate* localonly credentials*
From adf10318739a398cc729a95949f85692318c2d74 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sun, 13 Feb 2022 08:27:54 +0000
Subject: [PATCH 009/147] Added terraform examples
---
 .../examples/module-dependency/README.md | 29 ++++++
 .../module-dependency/aad-group/aad-group.tf | 18 ++++
 terraform/examples/module-dependency/main.tf | 33 +++++++
 terraform/examples/module-dependency/rg/rg.tf | 9 ++
 terraform/examples/role-assignment/README.md | 29 ++++++
 terraform/examples/role-assignment/main.tf | 92 +++++++++++++++++++
 6 files changed, 210 insertions(+)
 create mode 100644 terraform/examples/module-dependency/README.md
 create mode 100644 terraform/examples/module-dependency/aad-group/aad-group.tf
 create mode 100644 terraform/examples/module-dependency/main.tf
 create mode 100644 terraform/examples/module-dependency/rg/rg.tf
 create mode 100644 terraform/examples/role-assignment/README.md
 create mode 100644 terraform/examples/role-assignment/main.tf
diff --git a/terraform/examples/module-dependency/README.md b/terraform/examples/module-dependency/README.md
new file mode 100644
index 0000000..3fef396
--- /dev/null
+++ b/terraform/examples/module-dependency/README.md
@@ -0,0 +1,29 @@
+# role assignment example
+
+## usage
+
+```bash
+# login via service principle
+azh
+
+# init
+cd terraform/examples/module-dependency
+terraform init
+
+# show plan and apply
+terraform apply
+
+# change role definition permissions, then apply changes
+# this should show "~ update in-place" changes
+terraform apply
+
+# test locals
+terraform console
+local.custom_contributor_default_not_actions
+local.nsg_right_allowed_actions
+local.nsg_not_actions
+
+
+# CLEANUP
+terraform destroy
+```
diff --git a/terraform/examples/module-dependency/aad-group/aad-group.tf b/terraform/examples/module-dependency/aad-group/aad-group.tf
new file mode 100644
index 0000000..92e4be5
--- /dev/null
+++ b/terraform/examples/module-dependency/aad-group/aad-group.tf
@@ -0,0 +1,18 @@
+# testing module dependency
+data "azurerm_subscription" "current" {}
+
+resource "azuread_group" "elevated_group" {
+ display_name = "${data.azurerm_subscription.current.display_name}_Elevated_Ops"
+ security_enabled = true
+ prevent_duplicate_names = true
+}
+
+output "aad_elevated_group" {
+ value = azuread_group.elevated_group.id
+ description = "Id of the AAD Elevated Ops group for the subscription"
+}
+
+output "aad_group_name" {
+ value = azuread_group.elevated_group.display_name
+ description = "Id of the AAD Elevated Ops group for the subscription"
+}
diff --git a/terraform/examples/module-dependency/main.tf b/terraform/examples/module-dependency/main.tf
new file mode 100644
index 0000000..d14135c
--- /dev/null
+++ b/terraform/examples/module-dependency/main.tf
@@ -0,0 +1,33 @@
+# testing module dependency
+
+# providers
+provider "azurerm" {
+ features {}
+}
+terraform {
+ required_version = ">= 0.13"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 2.86.0"
+ }
+ }
+}
+
+# module "aad_group
+module "aad_group" {
+ source = "./aad-group"
+}
+
+# module "aad_group
+module "rg" {
+ source = "./rg"
+ # object_id = module.aad_group.aad_elevated_group
+ object_id = module.aad_group.aad_group_name
+}
+
+# resource "azurerm_resource_group" "example" {
+# count = var.object_id == "" ? 0 : 1
+# name = module.aad_group.aad_elevated_group
+# location = "uksouth"
+# }
diff --git a/terraform/examples/module-dependency/rg/rg.tf b/terraform/examples/module-dependency/rg/rg.tf
new file mode 100644
index 0000000..f8a2e8f
--- /dev/null
+++ b/terraform/examples/module-dependency/rg/rg.tf
@@ -0,0 +1,9 @@
+variable "object_id" {
+ default = ""
+}
+
+resource "azurerm_resource_group" "example" {
+ count = var.object_id == "" ? 0 : 1
+ name = var.object_id
+ location = "uksouth"
+}
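Review bot: The `description` on `output "aad_group_name"` in aad-group.tf says "Id of the AAD Elevated Ops group for the subscription", but its `value` is `azuread_group.elevated_group.display_name`; the text was copied from `aad_elevated_group`. Change it to `description = "Display name of the AAD Elevated Ops group for the subscription"`. `prevent_duplicate_names = true` deserves a why-comment, since it is what turns a second group of the same name in the tenant into an apply error instead of a duplicate, e.g. `# fail rather than create a second group if one with this display name already exists`.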
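Review bot: `module "aad_group"` in main.tf creates an `azuread_group`, but `required_providers` declares only `azurerm`, so the azuread provider is resolved implicitly with no version constraint; add `azuread = { source = "hashicorp/azuread" }` with a version next to `azurerm`. The comment above `module "rg"` still reads `# module "aad_group` (copied from the block above and missing its closing quote). The value passed as `object_id` is `module.aad_group.aad_group_name`, a display name that rg/rg.tf then uses as the resource group `name`, so the variable name no longer describes what it carries — presumably it is only there to exercise the module dependency the header comment mentions; either rename it or say so, e.g. `# object_id carries the group display name so that the rg module depends on the aad_group module`.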
diff --git a/terraform/examples/role-assignment/README.md b/terraform/examples/role-assignment/README.md
new file mode 100644
index 0000000..fa44e8e
--- /dev/null
+++ b/terraform/examples/role-assignment/README.md
@@ -0,0 +1,29 @@
+# role assignment example
+
+## usage
+
+```bash
+# login via service principle
+azh
+
+# init
+cd terraform/examples/role-assignment
+terraform init
+
+# show plan and apply
+terraform apply
+
+# change role definition permissions, then apply changes
+# this should show "~ update in-place" changes
+terraform apply
+
+# test locals
+terraform console
+local.custom_contributor_default_not_actions
+local.nsg_right_allowed_actions
+local.nsg_not_actions
+
+
+# CLEANUP
+terraform destroy
+```
diff --git a/terraform/examples/role-assignment/main.tf b/terraform/examples/role-assignment/main.tf
new file mode 100644
index 0000000..9d96e12
--- /dev/null
+++ b/terraform/examples/role-assignment/main.tf
@@ -0,0 +1,92 @@
+# test modifying a role def after a role assignment exists
+
+# providers
+provider "azurerm" {
+ features {}
+}
+terraform {
+ required_version = ">= 0.13"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 2.86.0"
+ }
+ }
+}
+
+# vars
+variable "nsg_rights_enabled" {
+ description = "additional rights for nsg usage"
+ default = false
+}
+
+locals {
+ default_custom_not_actions = [
+ "Microsoft.Authorization/*/Delete",
+ "Microsoft.Authorization/*/Write",
+ "Microsoft.Authorization/elevateAccess/Action",
+ "Microsoft.Blueprint/blueprintAssignments/delete",
+ "Microsoft.Blueprint/blueprintAssignments/write",
+ "Microsoft.Network/networkSecurityGroups/delete",
+ "Microsoft.Network/networkSecurityGroups/join/action",
+ "Microsoft.Network/networkSecurityGroups/securityRules/delete",
+ "Microsoft.Network/networkSecurityGroups/securityRules/write",
+ "Microsoft.Network/networkSecurityGroups/write",
+ "Microsoft.Network/publicIPAddresses/delete",
+ "Microsoft.Network/publicIPAddresses/join/action",
+ "Microsoft.Network/publicIPAddresses/write",
+ "Microsoft.Network/publicIPPrefixes/delete",
+ "Microsoft.Network/publicIPPrefixes/join/action",
+ "Microsoft.Network/publicIPPrefixes/write",
+ "Microsoft.Network/routeTables/*/delete",
+ "Microsoft.Network/routeTables/*/write",
+ "Microsoft.Network/virtualNetworks/*/delete",
+ "Microsoft.Network/virtualNetworks/*/write",
+ "Microsoft.Subscription/cancel/action",
+ "Microsoft.Subscription/rename/action",
+ ]
+
+ nsg_rights_allowed_actions = [
+ "Microsoft.Network/networkSecurityGroups/delete",
+ "Microsoft.Network/networkSecurityGroups/join/action",
+ "Microsoft.Network/networkSecurityGroups/securityRules/delete",
+ "Microsoft.Network/networkSecurityGroups/securityRules/write",
+ "Microsoft.Network/networkSecurityGroups/write",
+ ]
+
+ nsg_custom_not_actions = tolist(setsubtract(local.default_custom_not_actions, local.nsg_rights_allowed_actions))
+}
+
+# data sources
+data "azurerm_subscription" "current" {}
+data "azurerm_client_config" "current" {}
+
+
+
+# resources
+resource "azurerm_role_definition" "custom" {
+ name = "Test-Role"
+ scope = data.azurerm_subscription.current.id
+
+ permissions {
+ actions = [
+ "Microsoft.Blueprint/blueprintAssignments/write",
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.Blueprint/blueprintAssignments/delete",
+ "Microsoft.Resources/subscriptions/resourceGroups/write",
+ ]
+
+ # not_actions = var.nsg_rights_enabled ? local.nsg_custom_not_actions : local.default_custom_not_actions
+ }
+
+ assignable_scopes = [
+ data.azurerm_subscription.current.id,
+ ]
+}
+
+resource "azurerm_role_assignment" "custom" {
+ scope = data.azurerm_subscription.current.id
+ role_definition_id = azurerm_role_definition.custom.role_definition_resource_id
+ # principal_id = data.azurerm_client_config.current.client_id
+ principal_id = "577321c0-cff2-4d20-b29e-5e775942b32a"
+}
From 70434116c427e375294cf2609096bca07768366d Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sun, 13 Feb 2022 08:28:48 +0000
Subject: [PATCH 010/147] Added tftest ignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index cc9c108..5e4daf5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@ .terraform .terraform.* terraform.tfstate* +tftest localonly credentials* /temp
From 3d1a75a7f439de246520854db4082de1e3731b73 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sun, 13 Feb 2022 08:29:26 +0000
Subject: [PATCH 011/147] Bumped terraform providers and helm charts
---
 terraform/files/scripts/argocd_config.sh | 2 +-
 terraform/helm/velero_default_values.yaml | 25 ++++++++++++++++-------
 terraform/helm/velero_values.yaml | 4 ++--
 terraform/variables.tf | 23 +++++++++++----------
 terraform/versions.tf | 6 +++---
 5 files changed, 36 insertions(+), 24 deletions(-)
diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh
index fb2d72c..752d272 100644
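Review bot: `azurerm_role_assignment.custom` assigns the custom role at subscription scope to a hard-coded `principal_id = "577321c0-…"` committed to the repo rather than to the identity running the example, and the commented alternative `data.azurerm_client_config.current.client_id` would not work either, because `principal_id` takes an object id and that attribute is the application (client) id; `principal_id = data.azurerm_client_config.current.object_id` is the matching attribute. `variable "nsg_rights_enabled"` currently has no effect, since the only line that reads it, `# not_actions = var.nsg_rights_enabled ? …`, is commented out, and it lacks `type = bool`. The README added in the same commit refers to `local.custom_contributor_default_not_actions`, `local.nsg_right_allowed_actions` and `local.nsg_not_actions`, none of which exist here — the locals are `default_custom_not_actions`, `nsg_rights_allowed_actions` and `nsg_custom_not_actions`.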
--- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -19,7 +19,7 @@ ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install # https://github.com/argoproj/argo-cd/releases/ -VERSION="v2.1.6" +VERSION="v2.2.5" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" diff --git a/terraform/helm/velero_default_values.yaml b/terraform/helm/velero_default_values.yaml index 8bd33d5..a19dcaa 100644 --- a/terraform/helm/velero_default_values.yaml +++ b/terraform/helm/velero_default_values.yaml @@ -1,4 +1,4 @@ -# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.26.1/charts/velero/values.yaml +# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.27.3/charts/velero/values.yaml ## ## Configuration settings that directly affect the Velero deployment YAML. @@ -8,7 +8,7 @@ # enabling restic). Required. image: repository: velero/velero - tag: v1.7.0 + tag: v1.7.1 # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. # If used, it will take precedence over the image.tag. # digest: @@ -52,7 +52,14 @@ resources: dnsPolicy: ClusterFirst # Init containers to add to the Velero deployment's pod spec. At least one plugin provider image is required. -initContainers: [] +# If the value is a string then it is evaluated as a template. +initContainers: + # - name: velero-plugin-for-csi + # image: velero/velero-plugin-for-csi:v0.2.0 + # imagePullPolicy: IfNotPresent + # volumeMounts: + # - mountPath: /target + # name: plugins # - name: velero-plugin-for-aws # image: velero/velero-plugin-for-aws:v1.3.0 # imagePullPolicy: IfNotPresent @@ -229,6 +236,7 @@ configuration: extraEnvVars: {} # Comma separated list of velero feature flags. default: empty + # features: EnableCSI features: # Set log-level for Velero pod. Default: info. Other options: debug, warning, error, fatal, panic. 
@@ -240,6 +248,9 @@ configuration: # Set true for backup all pod volumes without having to apply annotation on the pod when used restic Default: false. Other option: false. defaultVolumesToRestic: + # How often 'restic prune' is run for restic repositories by default. Default: 168h. Optional. + defaultResticPruneFrequency: + ## ## End of backup/snapshot location settings. ## @@ -267,9 +278,9 @@ serviceAccount: # should contain credentials for the cloud provider IAM account you've # set up for Velero. credentials: - # Whether a secret should be used as the source of IAM account - # credentials. Set to false if, for example, using kube2iam or - # kiam to provide IAM credentials for the Velero pod. + # Whether a secret should be used. Set to false if, for examples: + # - using kube2iam or kiam to provide AWS IAM credentials instead of providing the key file. (AWS only) + # - using workload identity instead of providing the key file. (GCP only) useSecret: true # Name of the secret to create if `useSecret` is true and `existingSecret` is empty name: @@ -382,7 +393,7 @@ schedules: {} # velero.io/plugin-config: "" # velero.io/restic: RestoreItemAction # data: -# image: velero/velero-restic-restore-helper:v1.7.0 +# image: velero/velero-restic-restore-helper:v1.7.1 configMaps: {} ## diff --git a/terraform/helm/velero_values.yaml b/terraform/helm/velero_values.yaml index 6c59cc2..f2ed064 100644 --- a/terraform/helm/velero_values.yaml +++ b/terraform/helm/velero_values.yaml 
@@ -1,11 +1,11 @@ # velero helm values -# source (with full comments): https://github.com/vmware-tanzu/helm-charts/blob/velero-2.17.0/charts/velero/values.yaml +# source (with full comments): https://github.com/vmware-tanzu/helm-charts/blob/velero-2.27.3/charts/velero/values.yaml # https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/releases initContainers: - name: velero-plugin-for-microsoft-azure # https://hub.docker.com/r/velero/velero-plugin-for-microsoft-azure/tags - image: velero/velero-plugin-for-microsoft-azure:v1.2.1 + image: velero/velero-plugin-for-microsoft-azure:v1.4.0 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target diff --git a/terraform/variables.tf b/terraform/variables.tf index 7458bc7..2458660 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -6,7 +6,7 @@ # https://github.com/Azure/AKS/releases # az aks get-versions --location eastus --output table variable "kubernetes_version" { - default = "1.21.2" + default = "1.21.9" } # Helm charts @@ -20,30 +20,31 @@ variable "kubernetes_version" { # helm repo update # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "4.0.6" + default = "4.0.17" } # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.6.1" + default = "v1.7.1" } # https://github.com/vmware-tanzu/helm-charts/releases # helm search repo vmware-tanzu/velero +# * also update terraform/helm/velero_default_values.yaml # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.26.1" + default = "2.27.3" } # https://hub.docker.com/r/velero/velero/tags variable "velero_image_tag" { - default = "v1.7.0" + default = "v1.7.1" } # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.36.0" + default = "3.37.3" } # https://github.com/adamrushuk/charts/releases 
@@ -64,7 +65,7 @@ variable "akv2k8s_chart_version" { # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 # helm search repo aad-pod-identity/aad-pod-identity variable "aad_pod_identity_chart_version" { - default = "4.1.6" + default = "4.1.8" } # https://bitnami.com/stack/external-dns/helm @@ -77,12 +78,12 @@ variable "external_dns_chart_version" { # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.10.0" + default = "2.11.2" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility variable "kured_image_tag" { - default = "1.8.0" + default = "1.8.1" } @@ -90,13 +91,13 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.26.8" + default = "3.33.5" } # https://hub.docker.com/r/argoproj/argocd/tags # * also update cli version: terraform/files/scripts/argocd_config.sh#L22 variable "argocd_image_tag" { - default = "v2.1.6" + default = "v2.2.5" } #endregion Versions diff --git a/terraform/versions.tf b/terraform/versions.tf index 4a74b0d..80d5a34 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,19 +23,19 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.85.0" + version = "~> 2.96.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.9.0" + version = "~> 2.18.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.6.1" + version = "~> 2.8.0" } # https://github.com/hashicorp/terraform-provider-helm/releases From d29ac86e594a9eeea21fed80d903f16c0d9267d0 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Sun, 13 Feb 2022 11:00:47 +0000 Subject: [PATCH 012/147] Bumped TF version to v1.1.5 --- .github/workflows/build.yml | 4 ++-- .github/workflows/destroy.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1d7cff7..98eeec3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -57,12 +57,12 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.11" + TF_VERSION: "1.1.5" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases TFLINT_RULESET_AZURERM_VERSION: "v0.14.0" # https://github.com/terraform-linters/tflint/releases - TFLINT_VERSION: "v0.33.1" + TFLINT_VERSION: "v0.34.1" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index ad8a6b0..fe4d401 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -55,7 +55,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.11" + TF_VERSION: "1.1.5" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: From c74506edde996a75549057cf493de43d2d397551 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 24 Feb 2022 07:49:34 +0000 Subject: [PATCH 013/147] Testing tf version constraints --- terraform/versions.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index 80d5a34..8457967 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf 
@@ -23,25 +23,25 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.96.0" + version = "~> 2.97.x" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.18.0" + version = "~> 2.x" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.8.0" + version = "~> 2.8.x" } # https://github.com/hashicorp/terraform-provider-helm/releases helm = { source = "hashicorp/helm" - version = "~> 2.4.1" + version = "~> 2.4.x" } random = { From ccd3f0340a1e1da379ff47225d41ef1077f3d41f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 24 Feb 2022 07:52:34 +0000 Subject: [PATCH 014/147] Reverted tf version constraints --- terraform/versions.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index 8457967..dc250af 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,25 +23,25 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.97.x" + version = "~> 2.97.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.x" + version = "~> 2.18.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.8.x" + version = "~> 2.8.0" } # https://github.com/hashicorp/terraform-provider-helm/releases helm = { source = "hashicorp/helm" - version = "~> 2.4.x" + version = "~> 2.4.1" } random = { From 798935b8ade79e7567c6f60c6b4adf832dda5ea3 Mon Sep 17 00:00:00 2001 
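Review bot: `~> 2.97.x` and `~> 2.x` are not valid Terraform version-constraint syntax — the constraint grammar accepts numeric version components only, with no `x` wildcard, so `terraform init` should reject this versions.tf outright; the following commit on this page reverts the change for that reason. If the intent for azuread was "any 2.x release", the pessimistic operator already expresses that with numeric components: `version = "~> 2.18"` (>= 2.18.0, < 3.0.0), while `version = "~> 2.97.0"` keeps the patch-level pin. Widening provider constraints to a whole major series also loosens supply-chain pinning, so the patch-level form is the safer default for all four providers in this hunk. The enclosing `terraform` / `required_providers` block starts and ends outside the hunk.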
From: Adam Rush Date: Sun, 6 Mar 2022 09:26:28 +0000 Subject: [PATCH 015/147] Bumped terraform providers and helm charts --- terraform/files/scripts/argocd_config.sh | 2 +- terraform/helm/argocd_default_values.yaml | 1057 +++++++++++++++++---- terraform/helm/velero_default_values.yaml | 11 +- terraform/helm/velero_values.yaml | 4 +- terraform/variables.tf | 13 +- terraform/versions.tf | 2 +- 6 files changed, 870 insertions(+), 219 deletions(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index 752d272..ce4fad5 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -19,7 +19,7 @@ ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install # https://github.com/argoproj/argo-cd/releases/ -VERSION="v2.2.5" +VERSION="v2.3.0" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" diff --git a/terraform/helm/argocd_default_values.yaml b/terraform/helm/argocd_default_values.yaml index 8e26b6e..c7d0c40 100644 --- a/terraform/helm/argocd_default_values.yaml +++ b/terraform/helm/argocd_default_values.yaml 
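Review bot: The bumped `VERSION` still feeds an unverified download — the `curl -sSL -o "$ARGOCD_PATH" ...argocd-linux-amd64` line below it fetches the CLI and the `chmod +x` makes it executable with no checksum or signature check, so a swapped or tampered release asset would run inside the pipeline. Pinning the expected digest next to the version and checking it before the chmod closes that gap: `ARGOCD_SHA256="<expected-sha256-for-v2.3.0>"` beside `VERSION`, then `echo "$ARGOCD_SHA256  $ARGOCD_PATH" | sha256sum -c -` after the curl. The curl call also lacks `-f`/`--fail`, so an HTTP error body (curl exits 0 on a 404 without it) would be saved and chmod'd as the binary.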
@@ -1,103 +1,159 @@ -# https://github.com/argoproj/argo-helm/blob/argo-cd-3.17.5/charts/argo-cd/values.yaml +# https://github.com/argoproj/argo-helm/blob/argo-cd-3.35.0/charts/argo-cd/values.yaml ## ArgoCD configuration ## Ref: https://github.com/argoproj/argo-cd ## + +# -- Provide a name in place of `argocd` nameOverride: argocd +# -- String to fully override `"argo-cd.fullname"` fullnameOverride: "" +# -- Override the Kubernetes version, which is used to evaluate certain manifests kubeVersionOverride: "" global: image: + # -- If defined, a repository applied to all ArgoCD deployments repository: quay.io/argoproj/argocd - tag: v2.1.1 + # -- Overrides the global ArgoCD image tag whose default is the chart appVersion + tag: "" + # -- If defined, a imagePullPolicy applied to all ArgoCD deployments imagePullPolicy: IfNotPresent - ## Annotations applied to all pods + # -- Annotations for the all deployed pods podAnnotations: {} - ## Labels applied to all pods + # -- Labels for the all deployed pods podLabels: {} + # -- Toggle and define securityContext. 
See [values.yaml] securityContext: {} # runAsUser: 999 # runAsGroup: 999 # fsGroup: 999 + + # -- If defined, uses a Secret to pull an image from a private Docker registry or repository imagePullSecrets: [] + # -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files hostAliases: [] # - ip: 10.20.30.40 # hostnames: # - git.myhostname + # -- Additional labels to add to all resources + additionalLabels: {} + # app: argo-cd + networkPolicy: + # -- Create NetworkPolicy objects for all components create: false + # -- Default deny all ingress traffic defaultDenyIngress: false # Override APIVersions # If you want to template helm charts but cannot access k8s API server # you can set api versions here apiVersionOverrides: + # -- String to override apiVersion of certmanager resources rendered by this helm chart certmanager: "" # cert-manager.io/v1 + # -- String to override apiVersion of ingresses rendered by this helm chart ingress: "" # networking.k8s.io/v1beta1 -## Create clusterroles that extend existing clusterroles to interact with argo-cd crds +# -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles createAggregateRoles: false +# -- Array of extra K8s manifests to deploy +extraObjects: [] + # - apiVersion: secrets-store.csi.x-k8s.io/v1 + # kind: SecretProviderClass + # metadata: + # name: argocd-secrets-store + # spec: + # provider: aws + # parameters: + # objects: | + # - objectName: "argocd" + # objectType: "secretsmanager" + # jmesPath: + # - path: "client_id" + # objectAlias: "client_id" + # - path: "client_secret" + # objectAlias: "client_secret" + # secretObjects: + # - data: + # - key: client_id + # objectName: client_id + # - key: client_secret + # objectName: client_secret + # secretName: argocd-secrets-store + # type: Opaque + # labels: + # app.kubernetes.io/part-of: argocd + ## Controller 
controller: + # -- Application controller name string name: application-controller image: - repository: # defaults to global.image.repository - tag: # defaults to global.image.tag - imagePullPolicy: # IfNotPresent - - # If changing the number of replicas you must pass the number as ARGOCD_CONTROLLER_REPLICAS as an environment variable + # -- Repository to use for the application controller + # @default -- `""` (defaults to global.image.repository) + repository: "" + # -- Tag to use for the application controller + # @default -- `""` (defaults to global.image.tag) + tag: "" + # -- Image pull policy for the application controller + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" + + # -- The number of application controller pods to run. + # If changing the number of replicas you must pass the number as `ARGOCD_CONTROLLER_REPLICAS` as an environment variable replicas: 1 - # Deploy the application as a StatefulSet instead of a Deployment, this is required for HA capability. + # -- Deploy the application controller as a StatefulSet instead of a Deployment, this is required for HA capability. # This is a feature flag that will become the default in chart version 3.x enableStatefulSet: false - ## Argo controller commandline flags + ## Application controller commandline flags args: + # -- define the application controller `--status-processors` statusProcessors: "20" + # -- define the application controller `--operation-processors` operationProcessors: "10" + # -- define the application controller `--app-resync` appResyncPeriod: "180" + # -- define the application controller `--self-heal-timeout-seconds` selfHealTimeout: "5" + # -- define the application controller `--repo-server-timeout-seconds` repoServerTimeoutSeconds: "60" - ## Argo controller log format: text|json + # -- Application controller log format. 
Either `text` or `json` logFormat: text - ## Argo controller log level + # -- Application controller log level logLevel: info - ## Additional command line arguments to pass to argocd-controller - ## + # -- Additional command line arguments to pass to application controller extraArgs: [] - ## Environment variables to pass to argocd-controller - ## + # -- Environment variables to pass to application controller env: [] # - name: "ARGOCD_CONTROLLER_REPLICAS" # value: "" - ## envFrom to pass to argocd-controller - ## + # -- envFrom to pass to application controller + # @default -- `[]` (See [values.yaml]) envFrom: [] # - configMapRef: # name: config-map-name # - secretRef: # name: secret-name - ## Annotations to be added to controller pods - ## + # -- Annotations to be added to application controller pods podAnnotations: {} - ## Labels to be added to controller pods - ## + # -- Labels to be added to application controller pods podLabels: {} - ## Labels to set container specific security contexts + # -- Application controller container-level security context containerSecurityContext: {} # capabilities: 
@@ -106,47 +162,71 @@ controller: # readOnlyRootFilesystem: true # runAsNonRoot: true - ## Configures the controller port + # -- Application controller listening port containerPort: 8082 ## Readiness and liveness probes for default backend ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ ## readinessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed successThreshold: 1 + # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 livenessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed successThreshold: 1 + # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 - ## Additional volumeMounts to the controller main container. + # -- Additional volumeMounts to the application controller main container volumeMounts: [] - ## Additional volumes to the controller pod. 
+ # -- Additional volumes to the application controller pod volumes: [] ## Controller service configuration service: + # -- Application controller service annotations annotations: {} + # -- Application controller service labels labels: {} + # -- Application controller service port port: 8082 + # -- Application controller service port name portName: https-controller - ## Node selectors and tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## + # -- [Node selector] nodeSelector: {} + # -- [Tolerations] for use with node taints tolerations: [] + # -- Assign custom [affinity] rules to the deployment affinity: {} + # -- Assign custom [TopologySpreadConstraints] rules to the application controller + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Priority class for the application controller pods priorityClassName: "" + # -- Resource limits and requests for the application controller pods resources: {} # limits: # cpu: 500m 
@@ -156,31 +236,52 @@ controller: # memory: 256Mi serviceAccount: + # -- Create a service account for the application controller create: true + # -- Service account name name: argocd-application-controller - ## Annotations applied to created service account + # -- Annotations applied to created service account annotations: {} - ## Automount API credentials for the Service Account + # -- Automount API credentials for the Service Account automountServiceAccountToken: true - ## Server metrics controller configuration + ## Application controller metrics configuration metrics: + # -- Deploy metrics service enabled: false + applicationLabels: + # -- Enables additional labels in argocd_app_labels metric + enabled: false + # -- Additional labels + labels: {} service: + # -- Metrics service annotations annotations: {} + # -- Metrics service labels labels: {} + # -- Metrics service port servicePort: 8082 serviceMonitor: + # -- Enable a prometheus ServiceMonitor enabled: false + # -- Prometheus ServiceMonitor interval interval: 30s + # -- Prometheus [RelabelConfigs] to apply to samples before scraping relabelings: [] + # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion metricRelabelings: [] - # selector: - # prometheus: kube-prometheus - # namespace: monitoring - # additionalLabels: {} + # -- Prometheus ServiceMonitor selector + selector: {} + # prometheus: kube-prometheus + + # -- Prometheus ServiceMonitor namespace + namespace: "" # "monitoring" + # -- Prometheus ServiceMonitor labels + additionalLabels: {} rules: + # -- Deploy a PrometheusRule for the application controller enabled: false + # -- PrometheusRule.Spec for the application controller spec: [] # - alert: ArgoAppMissing # expr: | 
@@ -211,121 +312,214 @@ controller: # namespace: monitoring # additionalLabels: {} - ## Enable Admin ClusterRole resources. ## Enable if you would like to grant rights to ArgoCD to deploy to the local Kubernetes cluster. clusterAdminAccess: + # -- Enable RBAC for local cluster deployments enabled: true - ## Enable Custom Rules for the Application Controller's Cluster Role resource + ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. ## Defaults to off clusterRoleRules: + # -- Enable custom rules for the application controller's ClusterRole resource enabled: false + # -- List of custom rules for the application controller's ClusterRole resource rules: [] + # -- Additional containers to be added to the application controller pod + extraContainers: [] + + # -- Init containers to add to the application controller pod + ## If your target Kubernetes cluster(s) require a custom auth provider executable + ## you could use this (and the same in the server pod) to bootstrap + ## that executable into your ArgoCD container + initContainers: [] + # - name: download-tools + # image: alpine:3.8 + # command: [sh, -c] + # args: + # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && + # mv linux-amd64/helm /custom-tools/ + # volumeMounts: + # - mountPath: /custom-tools + # name: custom-tools + # volumeMounts: + # - mountPath: /usr/local/bin/helm + # name: custom-tools + # subPath: helm + + pdb: + # -- Labels to be added to application controller pdb + labels: {} + # -- Annotations to be added to application controller pdb + annotations: {} + + # -- Deploy a Poddisruptionbudget for the application controller + enabled: false + # minAvailable: 1 + # maxUnavailable: 0 ## Dex dex: + # -- Enable dex enabled: true + # -- Dex name name: dex-server + # -- Additional command line arguments to pass to the Dex server + extraArgs: [] + metrics: + # -- Deploy metrics service enabled: false service: + # -- Metrics 
service annotations annotations: {} + # -- Metrics service labels labels: {} serviceMonitor: + # -- Enable a prometheus ServiceMonitor enabled: false + # -- Prometheus ServiceMonitor interval interval: 30s + # -- Prometheus [RelabelConfigs] to apply to samples before scraping relabelings: [] + # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion metricRelabelings: [] - # selector: - # prometheus: kube-prometheus - # namespace: monitoring - # additionalLabels: {} + # -- Prometheus ServiceMonitor selector + selector: {} + # prometheus: kube-prometheus + + # -- Prometheus ServiceMonitor namespace + namespace: "" # "monitoring" + # -- Prometheus ServiceMonitor labels + additionalLabels: {} image: + # -- Dex image repository repository: ghcr.io/dexidp/dex + # -- Dex image tag tag: v2.30.0 + # -- Dex imagePullPolicy imagePullPolicy: IfNotPresent initImage: - repository: - tag: - imagePullPolicy: - - ## Environment variables to pass to the Dex server - ## + # -- Argo CD init image repository + # @default -- `""` (defaults to global.image.repository) + repository: "" + # -- Argo CD init image tag + # @default -- `""` (defaults to global.image.tag) + tag: "" + # -- Argo CD init image imagePullPolicy + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" + + # -- Environment variables to pass to the Dex server env: [] - ## envFrom to pass to the Dex server + # -- envFrom to pass to the Dex server + # @default -- `[]` (See [values.yaml]) envFrom: [] # - configMapRef: # name: config-map-name # - secretRef: # name: secret-name - ## Annotations to be added to the Dex server pods - ## + # -- Annotations to be added to the Dex server pods podAnnotations: {} - ## Labels to be added to the Dex server pods - ## + # -- Labels to be added to the Dex server pods podLabels: {} ## Probes for Dex server ## Supported from Dex >= 2.28.0 livenessProbe: + # -- Enable Kubernetes liveness probe for Dex >= 2.28.0 enabled: false + # -- Minimum 
consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed successThreshold: 1 + # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 readinessProbe: + # -- Enable Kubernetes readiness probe for Dex >= 2.28.0 enabled: false + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed successThreshold: 1 + # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 serviceAccount: + # -- Create dex service account create: true + # -- Dex service account name name: argocd-dex-server - ## Annotations applied to created service account + # -- Annotations applied to created service account annotations: {} - ## Automount API credentials for the Service Account + # -- Automount API credentials for the Service Account automountServiceAccountToken: true - ## Additional volumeMounts to the controller main container. + # -- Additional volumeMounts to the dex main container volumeMounts: - name: static-files mountPath: /shared - ## Additional volumes to the controller pod. 
+ # -- Additional volumes to the dex pod volumes: - name: static-files emptyDir: {} - ## Dex deployment container ports + # -- Extra volumes to the dex pod + extraVolumes: [] + + # -- Extra volumeMounts to the dex pod + extraVolumeMounts: [] + + # -- Container port for HTTP access containerPortHttp: 5556 + # -- Service port for HTTP access servicePortHttp: 5556 + # -- Service port name for HTTP access servicePortHttpName: http + # -- Container port for gRPC access containerPortGrpc: 5557 + # -- Service port for gRPC access servicePortGrpc: 5557 + # -- Service port name for gRPC access servicePortGrpcName: grpc + # -- Container port for metrics access containerPortMetrics: 5558 + # -- Service port for metrics access servicePortMetrics: 5558 - ## Node selectors and tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## + # -- [Node selector] nodeSelector: {} + # -- [Tolerations] for use with node taints tolerations: [] + # -- Assign custom [affinity] rules to the deployment affinity: {} + # -- Assign custom [TopologySpreadConstraints] rules to dex + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Priority class for dex priorityClassName: "" - ## Labels to set container specific security contexts + # -- Dex container-level security context containerSecurityContext: {} # capabilities: @@ -333,6 +527,7 @@ dex: # - all # readOnlyRootFilesystem: true +# -- Resource limits and requests for dex resources: {} # limits: # cpu: 50m 
@@ -341,55 +536,97 @@ dex: # cpu: 10m # memory: 32Mi + # -- Additional containers to be added to the dex pod + extraContainers: [] + + # -- Init containers to add to the dex pod + initContainers: [] + # - name: download-tools + # image: alpine:3.8 + # command: [sh, -c] + # args: + # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && + # mv linux-amd64/helm /custom-tools/ + # volumeMounts: + # - mountPath: /custom-tools + # name: custom-tools + # volumeMounts: + # - mountPath: /usr/local/bin/helm + # name: custom-tools + # subPath: helm + + pdb: + # -- Labels to be added to Dex server pdb + labels: {} + # -- Annotations to be added to Dex server pdb + annotations: {} + + # -- Deploy a Poddisruptionbudget for the Dex server + enabled: false + # minAvailable: 1 + # maxUnavailable: 0 + ## Redis redis: + # -- Enable redis enabled: true + # -- Redis name name: redis image: + # -- Redis repository repository: redis - tag: 6.2.4-alpine + # -- Redis tag + tag: 6.2.6-alpine + # -- Redis imagePullPolicy imagePullPolicy: IfNotPresent - ## Additional command line arguments to pass to redis-server - ## + # -- Additional command line arguments to pass to redis-server extraArgs: [] # - --bind # - "0.0.0.0" + # -- Redis container port containerPort: 6379 + # -- Redis service port servicePort: 6379 - ## Environment variables to pass to the Redis server - ## + # -- Environment variables to pass to the Redis server env: [] - ## envFrom to pass to the Redis server - ## + # -- envFrom to pass to the Redis server + # @default -- `[]` (See [values.yaml]) envFrom: [] # - configMapRef: # name: config-map-name # - secretRef: # name: secret-name - ## Annotations to be added to the Redis server pods - ## + # -- Annotations to be added to the Redis server pods podAnnotations: {} - ## Labels to be added to the Redis server pods - ## + # -- Labels to be added to the Redis server pods podLabels: {} - ## Node selectors and tolerations for server scheduling to nodes 
with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## + # -- [Node selector] nodeSelector: {} + # -- [Tolerations] for use with node taints tolerations: [] + # -- Assign custom [affinity] rules to the deployment affinity: {} + # -- Assign custom [TopologySpreadConstraints] rules to redis + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Priority class for redis priorityClassName: "" - ## Labels to set container specific security contexts + # -- Redis container-level security context containerSecurityContext: {} # capabilities: @@ -397,19 +634,22 @@ redis: # - all # readOnlyRootFilesystem: true - ## Redis Pod specific security context + # -- Redis pod-level security context securityContext: runAsNonRoot: true runAsUser: 999 serviceAccount: + # -- Create a service account for the redis pod create: false + # -- Service account name for redis pod name: "" - ## Annotations applied to created service account + # -- Annotations applied to created service account annotations: {} - ## Automount API credentials for the Service Account + # -- Automount API credentials for the Service Account automountServiceAccountToken: false + # -- Resource limits and requests for redis resources: {} # limits: # cpu: 200m 
@@ -418,120 +658,247 @@ redis: # cpu: 100m # memory: 64Mi + # -- Additional volumeMounts to the redis container volumeMounts: [] + # -- Additional volumes to the redis pod volumes: [] + # -- Additional containers to be added to the redis pod + extraContainers: [] + + # -- Init containers to add to the redis pod + initContainers: [] + # - name: download-tools + # image: alpine:3.8 + # command: [sh, -c] + # args: + # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && + # mv linux-amd64/helm /custom-tools/ + # volumeMounts: + # - mountPath: /custom-tools + # name: custom-tools + # volumeMounts: + # - mountPath: /usr/local/bin/helm + # name: custom-tools + # subPath: helm + + service: + # -- Redis service annotations + annotations: {} + # -- Additional redis service labels + labels: {} + + metrics: + # -- Deploy metrics service and redis-exporter sidecar + enabled: false + image: + # -- redis-exporter image repository + repository: quay.io/bitnami/redis-exporter + # -- redis-exporter image tag + tag: 1.26.0-debian-10-r2 + # -- redis-exporter image PullPolicy + imagePullPolicy: IfNotPresent + # -- Port to use for redis-exporter sidecar + containerPort: 9121 + # -- Resource limits and requests for redis-exporter sidecar + resources: {} + # limits: + # cpu: 50m + # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi + service: + # -- Metrics service type + type: ClusterIP + # -- Metrics service clusterIP. 
`None` makes a "headless service" (no virtual IP) + clusterIP: None + # -- Metrics service annotations + annotations: {} + # -- Metrics service labels + labels: {} + # -- Metrics service port + servicePort: 9121 + # -- Metrics service port name + portName: http-metrics + serviceMonitor: + # -- Enable a prometheus ServiceMonitor + enabled: false + # -- Interval at which metrics should be scraped + interval: 30s + # -- Prometheus [RelabelConfigs] to apply to samples before scraping + relabelings: [] + # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion + metricRelabelings: [] + # -- Prometheus ServiceMonitor selector + selector: {} + # prometheus: kube-prometheus + + # -- Prometheus ServiceMonitor namespace + namespace: "" # "monitoring" + # -- Prometheus ServiceMonitor labels + additionalLabels: {} + + pdb: + # -- Labels to be added to Redis server pdb + labels: {} + # -- Annotations to be added to Redis server pdb + annotations: {} + + # -- Deploy a Poddisruptionbudget for the Redis server + enabled: false + # minAvailable: 1 + # maxUnavailable: 0 + # This key configures Redis-HA subchart and when enabled (redis-ha.enabled=true) # the custom redis deployment is omitted +# Check the redis-ha chart for more properties redis-ha: + # -- Enables the Redis HA subchart and disables the custom Redis single node deployment enabled: false - # Check the redis-ha chart for more properties exporter: + # -- If `true`, the prometheus exporter sidecar is enabled enabled: true persistentVolume: + # -- Configures persistency on Redis nodes enabled: false redis: + # -- Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated masterGroupName: argocd + # -- Any valid redis config options in this section will be applied to each server (see `redis-ha` chart) + # @default -- See [values.yaml] config: + # -- Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. 
`""` is disabled save: '""' haproxy: + # -- Enabled HAProxy LoadBalancing/Proxy enabled: true metrics: + # -- HAProxy enable prometheus metric scraping enabled: true image: - tag: 6.2.4-alpine + # -- Redis tag + tag: 6.2.6-alpine ## Server server: + # -- Argo CD server name name: server + # -- The number of server pods to run replicas: 1 autoscaling: + # -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server enabled: false + # -- Minimum number of replicas for the Argo CD server [HPA] minReplicas: 1 + # -- Maximum number of replicas for the Argo CD server [HPA] maxReplicas: 5 + # -- Average CPU utilization percentage for the Argo CD server [HPA] targetCPUUtilizationPercentage: 50 + # -- Average memory utilization percentage for the Argo CD server [HPA] targetMemoryUtilizationPercentage: 50 image: - repository: # defaults to global.image.repository - tag: # defaults to global.image.tag - imagePullPolicy: # IfNotPresent - - ## Additional command line arguments to pass to argocd-server - ## + # -- Repository to use for the Argo CD server + # @default -- `""` (defaults to global.image.repository) + repository: "" # defaults to global.image.repository + # -- Tag to use for the Argo CD server + # @default -- `""` (defaults to global.image.tag) + tag: "" # defaults to global.image.tag + # -- Image pull policy for the Argo CD server + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" # IfNotPresent + + # -- Additional command line arguments to pass to Argo CD server extraArgs: [] # - --insecure - # This flag is used to either remove or pass the CLI flag --staticassets /shared/app to the argocd-server app + # This flag is used to either remove or pass the CLI flag --staticassets /shared/app to the Argo CD server app staticAssets: + # -- Disable deprecated flag `--staticassets` enabled: true - ## Environment variables to pass to argocd-server - ## + # -- Environment variables to pass to Argo CD server env: [] - ## envFrom to pass 
to argocd-server - ## + # -- envFrom to pass to Argo CD server + # @default -- `[]` (See [values.yaml]) envFrom: [] # - configMapRef: # name: config-map-name # - secretRef: # name: secret-name - ## Specify postStart and preStop lifecycle hooks for your argo-cd-server container - ## + # -- Specify postStart and preStop lifecycle hooks for your argo-cd-server container lifecycle: {} - ## Argo server log format: text|json + # -- Argo CD server log format: Either `text` or `json` logFormat: text - ## Argo server log level + # -- Argo CD server log level logLevel: info - ## Annotations to be added to controller pods - ## + # -- Annotations to be added to server pods podAnnotations: {} - ## Labels to be added to controller pods - ## + # -- Labels to be added to server pods podLabels: {} - ## Configures the server port + # -- Configures the server port containerPort: 8080 ## Readiness and liveness probes for default backend ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ ## readinessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed successThreshold: 1 + # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 livenessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed successThreshold: 1 + # -- Number 
of seconds after which the [probe] times out timeoutSeconds: 1 - ## Additional volumeMounts to the server main container. + # -- Additional volumeMounts to the server main container volumeMounts: [] - ## Additional volumes to the controller pod. + # -- Additional volumes to the server pod volumes: [] - ## Node selectors and tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## + # -- [Node selector] nodeSelector: {} + # -- [Tolerations] for use with node taints tolerations: [] + # -- Assign custom [affinity] rules to the deployment affinity: {} + # -- Assign custom [TopologySpreadConstraints] rules to the Argo CD server + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Priority class for the Argo CD server priorityClassName: "" - ## Labels to set container specific security contexts + # -- Servers container-level security context containerSecurityContext: {} # capabilities: @@ -539,6 +906,7 @@ server: # - all # readOnlyRootFilesystem: true + # -- Resource limits and requests for the Argo CD server resources: {} # limits: # cpu: 100m 
@@ -549,74 +917,118 @@ server: ## Certificate configuration certificate: + # -- Enables a certificate manager certificate enabled: false + # -- Certificate manager domain domain: argocd.example.com issuer: + # -- Certificate manager issuer kind: # ClusterIssuer + # -- Certificate manager name name: # letsencrypt + # -- Certificate manager additional hosts additionalHosts: [] + # -- Certificate manager secret name secretName: argocd-server-tls ## Server service configuration service: + # -- Server service annotations annotations: {} + # -- Server service labels labels: {} + # -- Server service type type: ClusterIP - ## For node port default ports + # -- Server service http port for NodePort service type (only if `server.service.type` is set to "NodePort") nodePortHttp: 30080 + # -- Server service https port for NodePort service type (only if `server.service.type` is set to "NodePort") nodePortHttps: 30443 + # -- Server service http port servicePortHttp: 80 + # -- Server service https port servicePortHttps: 443 + # -- Server service http port name, can be used to route traffic via istio servicePortHttpName: http + # -- Server service https port name, can be used to route traffic via istio servicePortHttpsName: https + # -- Use named target port for argocd + ## Named target ports are not supported by GCE health checks, so when deploying argocd on GKE + ## and exposing it via GCE ingress, the health checks fail and the load balancer returns a 502. namedTargetPort: true + # -- LoadBalancer will get created with the IP specified in this field loadBalancerIP: "" + # -- Source IP ranges to allow access to service from loadBalancerSourceRanges: [] + # -- Server service external IPs externalIPs: [] + # -- Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints externalTrafficPolicy: "" + # -- Used to maintain session affinity. 
Supports `ClientIP` and `None` sessionAffinity: "" ## Server metrics service configuration metrics: + # -- Deploy metrics service enabled: false service: + # -- Metrics service annotations annotations: {} + # -- Metrics service labels labels: {} + # -- Metrics service port servicePort: 8083 serviceMonitor: + # -- Enable a prometheus ServiceMonitor enabled: false + # -- Prometheus ServiceMonitor interval interval: 30s + # -- Prometheus [RelabelConfigs] to apply to samples before scraping relabelings: [] + # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion metricRelabelings: [] - # selector: - # prometheus: kube-prometheus - # namespace: monitoring - # additionalLabels: {} + # -- Prometheus ServiceMonitor selector + selector: {} + # prometheus: kube-prometheus + + # -- Prometheus ServiceMonitor namespace + namespace: "" # monitoring + # -- Prometheus ServiceMonitor labels + additionalLabels: {} serviceAccount: + # -- Create server service account create: true + # -- Server service account name name: argocd-server - ## Annotations applied to created service account + # -- Annotations applied to created service account annotations: {} - ## Automount API credentials for the Service Account + # -- Automount API credentials for the Service Account automountServiceAccountToken: true ingress: + # -- Enable an ingress resource for the Argo CD server enabled: false + # -- Additional ingress annotations annotations: {} + # -- Additional ingress labels labels: {} + # -- Defines which ingress controller will implement the resource ingressClassName: "" + # -- List of ingress hosts ## Argo Ingress. ## Hostnames must be provided if Ingress is enabled. ## Secrets must be manually created in the namespace - ## hosts: [] # - argocd.example.com + + # -- List of ingress paths paths: - / + # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` pathType: Prefix + # -- Additional ingress paths extraPaths: [] # - path: /* 
@@ -631,31 +1043,44 @@ server: # name: ssl-redirect # port: # name: use-annotation + + # -- Ingress TLS configuration tls: [] # - secretName: argocd-tls-certificate # hosts: # - argocd.example.com + + # -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` https: false + # dedicated ingress for gRPC as documented at - # https://argoproj.github.io/argo-cd/operator-manual/ingress/ + # Ref: https://argoproj.github.io/argo-cd/operator-manual/ingress/ ingressGrpc: + # -- Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress] enabled: false + # -- Setup up gRPC ingress to work with an AWS ALB isAWSALB: false + # -- Additional ingress annotations for dedicated [gRPC-ingress] annotations: {} + # -- Additional ingress labels for dedicated [gRPC-ingress] labels: {} + # -- Defines which ingress controller will implement the resource [gRPC-ingress] ingressClassName: "" awsALB: + # -- Service type for the AWS ALB gRPC service ## Service Type if isAWSALB is set to true ## Can be of type NodePort or ClusterIP depending on which mode you are ## are running. Instance mode needs type NodePort, IP mode needs type ## ClusterIP ## Ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/how-it-works/#ingress-traffic serviceType: NodePort - # This tells AWS to send traffic from the ALB using HTTP2. Can use GRPC as well if you want to leverage GRPC specific features + # -- Backend protocol version for the AWS ALB gRPC service + ## This tells AWS to send traffic from the ALB using HTTP2. Can use gRPC as well if you want to leverage gRPC specific features backendProtocolVersion: HTTP2 + # -- List of ingress hosts for dedicated [gRPC-ingress] ## Argo Ingress. ## Hostnames must be provided if Ingress is enabled. ## Secrets must be manually created in the namespace 
@@ -663,9 +1088,13 @@ server: hosts: [] # - argocd.example.com + + # -- List of ingress paths for dedicated [gRPC-ingress] paths: - / + # -- Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific` pathType: Prefix + # -- Additional ingress paths for dedicated [gRPC-ingress] extraPaths: [] # - path: /* @@ -680,11 +1109,15 @@ server: # name: ssl-redirect # port: # name: use-annotation + + # -- Ingress TLS configuration for dedicated [gRPC-ingress] tls: [] # - secretName: argocd-tls-certificate # hosts: # - argocd.example.com + + # -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` https: false # Create a OpenShift Route with SSL passthrough for UI and CLI @@ -692,12 +1125,22 @@ server: # Find your domain with: kubectl describe --namespace=openshift-ingress-operator ingresscontroller/default | grep Domain: # If 'hostname' is an empty string "" OpenShift will create a hostname for you. route: + # -- Enable an OpenShift Route for the Argo CD server enabled: false + # -- Openshift Route annotations + annotations: {} + # -- Hostname of OpenShift Route hostname: "" + # -- Termination type of Openshift Route + termination_type: passthrough + # -- Termination policy of Openshift Route + termination_policy: None - ## ArgoCD config - ## reference https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml + # -- Manage ArgoCD configmap (Declarative Setup) + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml configEnabled: true + # -- [General Argo CD configuration] + # @default -- See [values.yaml] config: # Argo CD's externally facing base URL (optional). Required when configuring SSO url: https://argocd.example.com 
@@ -730,14 +1173,14 @@ server: # - profile # - email - ## Annotations to be added to ArgoCD ConfigMap + # -- Annotations to be added to ArgoCD ConfigMap configAnnotations: {} - ## ArgoCD rbac config - ## reference https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md + # -- ArgoCD rbac config ([ArgoCD RBAC policy]) + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md rbacConfig: {} - # policy.csv is an file containing user-defined RBAC policies and role definitions (optional). + # policy.csv is a file containing user-defined RBAC policies and role definitions (optional). # Policy rules are in the form: # p, subject, resource, action, object, effect # Role definitions and bindings are in the form: 
@@ -756,21 +1199,23 @@ server: # If omitted, defaults to: '[groups]'. The scope value can be a string, or a list of strings. # scopes: '[cognito:groups, email]' - ## Annotations to be added to ArgoCD rbac ConfigMap + # -- Annotations to be added to ArgoCD rbac ConfigMap rbacConfigAnnotations: {} - # Boolean determining whether or not to create the configmap. If false, it is expected the configmap will be created + # -- Whether or not to create the configmap. If false, it is expected the configmap will be created # by something else. ArgoCD will not work if there is no configMap created with the name above. rbacConfigCreate: true - ## Not well tested and not well supported on release v1.0.0. - ## Applications - ## reference: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ + # -- Deploy ArgoCD Applications within this helm release + # @default -- `[]` (See [values.yaml]) + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ additionalApplications: [] # - name: guestbook # namespace: argocd # additionalLabels: {} # additionalAnnotations: {} + # finalizers: + # - resources-finalizer.argocd.argoproj.io # project: guestbook # source: # repoURL: https://github.com/argoproj/argocd-example-apps.git 
@@ -778,21 +1223,32 @@ server: # path: guestbook # directory: # recurse: true - # destination: + # destination: # server: https://kubernetes.default.svc # namespace: guestbook - # syncPolicy: - # automated: - # prune: false - # selfHeal: false - - ## Projects - ## reference: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ + # syncPolicy: + # automated: + # prune: false + # selfHeal: false + # ignoreDifferences: + # - group: apps + # kind: Deployment + # jsonPointers: + # - /spec/replicas + # info: + # - name: url + # value: https://argoproj.github.io/ + + # -- Deploy ArgoCD Projects within this helm release + # @default -- `[]` (See [values.yaml]) + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ additionalProjects: [] # - name: guestbook # namespace: argocd # additionalLabels: {} # additionalAnnotations: {} + # finalizers: + # - resources-finalizer.argocd.argoproj.io # description: Example Project # sourceRepos: # - '*' @@ -823,15 +1279,19 @@ server: # applications: # - '*-prod' # manualSync: true + # signatureKeys: + # - keyID: ABCDEF1234567890 ## Enable Admin ClusterRole resources. ## Enable if you would like to grant rights to ArgoCD to deploy to the local Kubernetes cluster. clusterAdminAccess: + # -- Enable RBAC for local cluster deployments enabled: true - ## Enable BackendConfig custom resource for Google Kubernetes Engine GKEbackendConfig: + # -- Enable BackendConfig custom resource for Google Kubernetes Engine enabled: false + # -- [BackendConfigSpec] spec: {} # spec: # iap: 
@@ -839,9 +1299,30 @@ server: # oauthclientCredentials: # secretName: argocd-secret - extraContainers: [] - ## Additional containers to be added to the controller pod. + ## Create a Google Managed Certificate for use with the GKE Ingress Controller + ## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs + GKEmanagedCertificate: + # -- Enable ManagedCertificate custom resource for Google Kubernetes Engine. + enabled: false + # -- Domains for the Google Managed Certificate + domains: + - argocd.example.com + + ## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller + ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters + GKEfrontendConfig: + # -- Enable FrontConfig custom resource for Google Kubernetes Engine + enabled: false + # -- [FrontendConfigSpec] + spec: {} + # spec: + # redirectToHttps: + # enabled: true + # responseCodeName: RESPONSE_CODE + + # -- Additional containers to be added to the server pod ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. + extraContainers: [] # - name: my-sidecar # image: nginx:latest # - name: lemonldap-ng-controller 
@@ -863,88 +1344,178 @@ server: # - name: copy-portal-skins # mountPath: /srv/var/lib/lemonldap-ng/portal/skins + # -- Init containers to add to the server pod + ## If your target Kubernetes cluster(s) require a custom auth provider executable + ## you could use this (and the same in the application controller pod) to bootstrap + ## that executable into your ArgoCD container + initContainers: [] + # - name: download-tools + # image: alpine:3.8 + # command: [sh, -c] + # args: + # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && + # mv linux-amd64/helm /custom-tools/ + # volumeMounts: + # - mountPath: /custom-tools + # name: custom-tools + # volumeMounts: + # - mountPath: /usr/local/bin/helm + # name: custom-tools + # subPath: helm + + extensions: + # -- Enable support for extensions + ## This function in tech preview stage, do expect unstability or breaking changes in newer versions. Bump image.tag if necessary. + enabled: false + + image: + # -- Repository to use for extensions image + repository: "ghcr.io/argoproj-labs/argocd-extensions" + # -- Tag to use for extensions image + tag: "v0.1.0" + # -- Image pull policy for extensions + imagePullPolicy: IfNotPresent + + # -- Resource limits and requests for the argocd-extensions container + resources: {} + # limits: + # cpu: 50m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 64Mi + + # -- Extensions to be loaded into the server + contents: [] + # - name: argo-rollouts + # url: https://github.com/argoproj-labs/rollout-extension/releases/download/v0.1.0/extension.tar + + pdb: + # -- Labels to be added to server pdb + labels: {} + # -- Annotations to be added to server pdb + annotations: {} + + # -- Deploy a Poddisruptionbudget for the server + enabled: false + # minAvailable: 1 + # maxUnavailable: 0 + ## Repo Server repoServer: + # -- Repo server name name: repo-server + # -- The number of repo server pods to run replicas: 1 autoscaling: + # -- Enable Horizontal Pod Autoscaler 
([HPA]) for the repo server enabled: false + # -- Minimum number of replicas for the repo server [HPA] minReplicas: 1 + # -- Maximum number of replicas for the repo server [HPA] maxReplicas: 5 + # -- Average CPU utilization percentage for the repo server [HPA] targetCPUUtilizationPercentage: 50 + # -- Average memory utilization percentage for the repo server [HPA] targetMemoryUtilizationPercentage: 50 image: - repository: # defaults to global.image.repository - tag: # defaults to global.image.tag - imagePullPolicy: # IfNotPresent - - ## Additional command line arguments to pass to argocd-repo-server - ## + # -- Repository to use for the repo server + # @default -- `""` (defaults to global.image.repository) + repository: "" # defaults to global.image.repository + # -- Tag to use for the repo server + # @default -- `""` (defaults to global.image.tag) + tag: "" # defaults to global.image.tag + # -- Image pull policy for the repo server + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" # IfNotPresent + + # -- Additional command line arguments to pass to repo server extraArgs: [] - ## Environment variables to pass to argocd-repo-server - ## + # -- Environment variables to pass to repo server env: [] - ## envFrom to pass to argocd-repo-server - ## + # -- envFrom to pass to repo server + # @default -- `[]` (See [values.yaml]) envFrom: [] # - configMapRef: # name: config-map-name # - secretRef: # name: secret-name - ## Argo repoServer log format: text|json + # -- Repo server log format: Either `text` or `json` logFormat: text - ## Argo repoServer log level + # -- Repo server log level logLevel: info - ## Annotations to be added to repo server pods - ## + # -- Annotations to be added to repo server pods podAnnotations: {} - ## Labels to be added to repo server pods - ## + # -- Labels to be added to repo server pods podLabels: {} - ## Configures the repo server port + # -- Configures the repo server port containerPort: 8081 ## Readiness 
and liveness probes for default backend ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ ## readinessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed successThreshold: 1 + # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 livenessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed successThreshold: 1 + # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 - ## Additional volumeMounts to the repo server main container. + # -- Additional volumeMounts to the repo server main container volumeMounts: [] - ## Additional volumes to the repo server pod. + # -- Additional volumes to the repo server pod volumes: [] + ## Use init containers to configure custom tooling + ## https://argoproj.github.io/argo-cd/operator-manual/custom_tools/ + ## When using the volumes & volumeMounts section bellow, please comment out those above. 
+ # - name: custom-tools + # emptyDir: {} - ## Node selectors and tolerations for server scheduling to nodes with taints - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - ## + # -- [Node selector] nodeSelector: {} + # -- [Tolerations] for use with node taints tolerations: [] + # -- Assign custom [affinity] rules to the deployment affinity: {} + # -- Assign custom [TopologySpreadConstraints] rules to the repo server + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Priority class for the repo server priorityClassName: "" - ## Labels to set container specific security contexts + # -- Repo server container-level security context containerSecurityContext: {} # capabilities: @@ -952,6 +1523,7 @@ repoServer: # - all # readOnlyRootFilesystem: true + # -- Resource limits and requests for the repo server pods resources: {} # limits: # cpu: 50m 
@@ -962,40 +1534,75 @@ repoServer: ## Repo server service configuration service: + # -- Repo server service annotations annotations: {} + # -- Repo server service labels labels: {} + # -- Repo server service port port: 8081 + # -- Repo server service port name portName: https-repo-server ## Repo server metrics service configuration metrics: + # -- Deploy metrics service enabled: false service: + # -- Metrics service annotations annotations: {} + # -- Metrics service labels labels: {} + # -- Metrics service port servicePort: 8084 serviceMonitor: + # -- Enable a prometheus ServiceMonitor enabled: false + # -- Prometheus ServiceMonitor interval interval: 30s + # -- Prometheus [RelabelConfigs] to apply to samples before scraping relabelings: [] + # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion metricRelabelings: [] - # selector: - # prometheus: kube-prometheus - # namespace: monitoring - # additionalLabels: {} + # -- Prometheus ServiceMonitor selector + selector: {} + # prometheus: kube-prometheus + + # -- Prometheus ServiceMonitor namespace + namespace: "" # "monitoring" + # -- Prometheus ServiceMonitor labels + additionalLabels: {} + + ## Enable Admin ClusterRole resources. + ## Enable if you would like to grant cluster rights to ArgoCD repo server. + clusterAdminAccess: + # -- Enable RBAC for local cluster deployments + enabled: false + ## Enable Custom Rules for the Repo server's Cluster Role resource + ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. 
+ ## Defaults to off + clusterRoleRules: + # -- Enable custom rules for the Repo server's Cluster Role resource + enabled: false + # -- List of custom rules for the Repo server's Cluster Role resource + rules: [] ## Repo server service account ## If create is set to true, make sure to uncomment the name and update the rbac section below serviceAccount: + # -- Create repo server service account create: false - # name: argocd-repo-server - ## Annotations applied to created service account + # -- Repo server service account name + name: "" # "argocd-repo-server" + # -- Annotations applied to created service account annotations: {} - ## Automount API credentials for the Service Account + # -- Automount API credentials for the Service Account automountServiceAccountToken: true - ## Repo server rbac rules - # rbac: + # -- Additional containers to be added to the repo server pod + extraContainers: [] + + # -- Repo server rbac rules + rbac: [] # - apiGroups: # - argoproj.io # resources: @@ -1005,14 +1612,19 @@ repoServer: # - list # - watch - ## Use init containers to configure custom tooling - ## https://argoproj.github.io/argo-cd/operator-manual/custom_tools/ - ## When using the volumes & volumeMounts section bellow, please comment out those above. - # volumes: - # - name: custom-tools - # emptyDir: {} - # - # initContainers: + # Init container to copy argocd binary + copyutil: + # -- Resource limits and requests for the copyutil initContainer + resources: {} + # limits: + # cpu: 50m + # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi + + # -- Init containers to add to the repo server pods + initContainers: [] # - name: download-tools # image: alpine:3.8 # command: [sh, -c] 
@@ -1027,10 +1639,22 @@ repoServer: # name: custom-tools # subPath: helm + pdb: + # -- Labels to be added to Repo server pdb + labels: {} + # -- Annotations to be added to Repo server pdb + annotations: {} + + # -- Deploy a Poddisruptionbudget for the Repo server + enabled: false + # minAvailable: 1 + # maxUnavailable: 0 + ## Argo Configs configs: - ## External Cluster Credentials - ## reference: + # -- Provide one or multiple [external cluster credentials] + # @default -- `[]` (See [values.yaml]) + ## Ref: ## - https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#clusters ## - https://argoproj.github.io/argo-cd/operator-manual/security/#external-cluster-credentials clusterCredentials: [] @@ -1048,13 +1672,17 @@ configs: # labels: {} # annotations: {} # namespaces: namespace1,namespace2 + # clusterResources: true # config: # bearerToken: "" # tlsClientConfig: # insecure: false # caData: "" + # -- GnuPG key ring annotations gpgKeysAnnotations: {} + # -- [GnuPG](https://argoproj.github.io/argo-cd/user-guide/gpg-verification/) keys to add to the key ring + # @default -- `{}` (See [values.yaml]) gpgKeys: {} # 4AEE18F83AFDEB23: | # -----BEGIN PGP PUBLIC KEY BLOCK----- 
@@ -1075,18 +1703,26 @@ configs: # =Bvzs # -----END PGP PUBLIC KEY BLOCK----- + # -- Known Hosts configmap annotations knownHostsAnnotations: {} knownHosts: data: + # -- Known Hosts + # @default -- See [values.yaml] ssh_known_hosts: | bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== + github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= + github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 ssh.dev.azure.com ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H + # -- TLS certificate configmap annotations tlsCertsAnnotations: {} + # -- TLS certificate + # @default -- See [values.yaml] tlsCerts: {} # data: @@ -1125,11 +1761,12 @@ configs: # +LB9LGh4OAp68ImTjqf6ioGKG0RBSznwME+r4nXtT1S/qLR6ASWUS4ViWRhbRlNK # XWyb96wrUlv+E8I= # -----END CERTIFICATE----- -## # Creates a secret with optional repository credentials -## DEPRECATED: Instead, use configs.credentialTemplates and/or configs.repositories + + # -- *DEPRECATED:* Instead, use `configs.credentialTemplates` and/or `configs.repositories` repositoryCredentials: {} -## Creates a secret for each key/value specified below to create repository credentials + # -- Repository credentials to be used as Templates for other repos + ## Creates a secret for each key/value specified below to create repository credentials credentialTemplates: {} # github-enterprise-creds-1: # url: https://github.com/argoproj 
@@ -1151,8 +1788,9 @@ configs: # ... # -----END OPENSSH PRIVATE KEY----- -## Creates a secret for each key/value specified below to create repositories -## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials". + # -- Repositories list to be used by applications + ## Creates a secret for each key/value specified below to create repositories + ## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials". repositories: {} # istio-helm-repo: # url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts @@ -1168,26 +1806,31 @@ configs: # url: https://github.com/argoproj/private-repo secret: + # -- Create the argocd-secret createSecret: true - ## Annotations to be added to argocd-secret - ## + # -- Annotations to be added to argocd-secret annotations: {} - # Webhook Configs + # -- Shared secret for authenticating GitHub webhook events githubSecret: "" + # -- Shared secret for authenticating GitLab webhook events gitlabSecret: "" + # -- Shared secret for authenticating BitbucketServer webhook events bitbucketServerSecret: "" + # -- UUID for authenticating Bitbucket webhook events bitbucketUUID: "" + # -- Shared secret for authenticating Gogs webhook events gogsSecret: "" - # Custom secrets. Useful for injecting SSO secrets into environment variables. - # Ref: https://argoproj.github.io/argo-cd/operator-manual/sso/ - # Note that all values must be non-empty. + # -- add additional secrets to be added to argocd-secret + ## Custom secrets. Useful for injecting SSO secrets into environment variables. + ## Ref: https://argoproj.github.io/argo-cd/operator-manual/sso/ + ## Note that all values must be non-empty. extra: {} # LDAP_PASSWORD: "mypassword" - # Argo TLS Data. + # -- Argo TLS Data argocdServerTlsConfig: {} # key: 
@@ -1199,18 +1842,24 @@ configs: # # -----END CERTIFICATE----- - # Argo expects the password in the secret to be bcrypt hashed. You can create this hash with - # `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'` - # argocdServerAdminPassword: "" - # Password modification time defaults to current time if not set - # argocdServerAdminPasswordMtime: "2006-01-02T15:04:05Z" - - ## Custom CSS Styles - ## Reference: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/ + # -- Bcrypt hashed admin password + ## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with + ## `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'` + argocdServerAdminPassword: "" + # -- Admin password modification time. Eg. `"2006-01-02T15:04:05Z"` + # @default -- `""` (defaults to current time) + argocdServerAdminPasswordMtime: "" + + # -- Define custom [CSS styles] for your argo instance. + # This setting will automatically mount the provided CSS and reference it in the argo configuration. + # @default -- `""` (See [values.yaml]) + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/ + styles: "" # styles: | # .nav-bar { # background: linear-gradient(to bottom, #999, #777, #333, #222, #111); # } openshift: + # -- enables using arbitrary uid for argo repo server enabled: false diff --git a/terraform/helm/velero_default_values.yaml b/terraform/helm/velero_default_values.yaml index a19dcaa..651d281 100644 --- a/terraform/helm/velero_default_values.yaml +++ b/terraform/helm/velero_default_values.yaml @@ -1,4 +1,4 @@ -# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.27.3/charts/velero/values.yaml +# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.28.0/charts/velero/values.yaml ## ## Configuration settings that directly affect the Velero deployment YAML. 
@@ -8,7 +8,7 @@ # enabling restic). Required. image: repository: velero/velero - tag: v1.7.1 + tag: v1.8.0 # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. # If used, it will take precedence over the image.tag. # digest: @@ -131,6 +131,9 @@ kubectl: # digest: # kubectl image tag. If used, it will take precedence over the cluster Kubernetes version. # tag: 1.16.15 + # Container Level Security Context for the 'kubectl' container of the crd jobs. Optional. + # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} # Resource requests/limits to specify for the upgrade/cleanup job. Optional resources: {} # Annotations to set for the upgrade/cleanup job. Optional. @@ -378,7 +381,7 @@ restic: # annotations: # myenv: foo # schedule: "0 0 * * *" -# useOwnerReferencesInBackup: true +# useOwnerReferencesInBackup: false # template: # ttl: "240h" # includedNamespaces: @@ -393,7 +396,7 @@ schedules: {} # velero.io/plugin-config: "" # velero.io/restic: RestoreItemAction # data: -# image: velero/velero-restic-restore-helper:v1.7.1 +# image: velero/velero-restic-restore-helper:v1.8.0 configMaps: {} ## diff --git a/terraform/helm/velero_values.yaml b/terraform/helm/velero_values.yaml index f2ed064..27bbdf0 100644 --- a/terraform/helm/velero_values.yaml +++ b/terraform/helm/velero_values.yaml @@ -1,5 +1,5 @@ # velero helm values -# source (with full comments): https://github.com/vmware-tanzu/helm-charts/blob/velero-2.27.3/charts/velero/values.yaml +# source (with full comments): https://github.com/vmware-tanzu/helm-charts/blob/main/charts/velero/values.yaml # https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/releases initContainers: 
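Review bot: The source comment in velero_values.yaml now points at `main` instead of a release tag, so the referenced upstream values.yaml will drift away from the chart version this repo pins (`velero_chart_version` is bumped to `2.28.0` in terraform/variables.tf in this same commit). Keep the comment pinned to the matching tag so the "full comments" reference stays reproducible: `# source (with full comments): https://github.com/vmware-tanzu/helm-charts/blob/velero-2.28.0/charts/velero/values.yaml`. The companion velero_default_values.yaml already uses that tag in its own source comment in this commit.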
@@ -11,13 +11,11 @@ initContainers: - mountPath: /target name: plugins - # BackupStorageLocation and VolumeSnapshotLocation configuration: provider: azure backupStorageLocation: name: default - provider: bucket: velero volumeSnapshotLocation: name: default diff --git a/terraform/variables.tf b/terraform/variables.tf index 2458660..e518366 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -20,7 +20,7 @@ variable "kubernetes_version" { # helm repo update # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "4.0.17" + default = "4.0.18" } # https://hub.helm.sh/charts/jetstack/cert-manager @@ -34,17 +34,17 @@ variable "cert_manager_chart_version" { # * also update terraform/helm/velero_default_values.yaml # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.27.3" + default = "2.28.0" } # https://hub.docker.com/r/velero/velero/tags variable "velero_image_tag" { - default = "v1.7.1" + default = "v1.8.0" } # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.37.3" + default = "3.38.0" } # https://github.com/adamrushuk/charts/releases @@ -90,14 +90,15 @@ variable "kured_image_tag" { # argo cd # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd +# * also update terraform/helm/argocd_default_values.yaml variable "argocd_chart_version" { - default = "3.33.5" + default = "3.35.0" } # https://hub.docker.com/r/argoproj/argocd/tags # * also update cli version: terraform/files/scripts/argocd_config.sh#L22 variable "argocd_image_tag" { - default = "v2.2.5" + default = "v2.3.0" } #endregion Versions diff --git a/terraform/versions.tf b/terraform/versions.tf index dc250af..6bcafa6 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf 
@@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.97.0" + version = "~> 2.98.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases From 063d1e9d93bca6787daa54d8ffee0a5ccd60d622 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 30 Mar 2022 08:07:34 +0100 Subject: [PATCH 016/147] Bumped terraform providers and helm charts --- scripts/aks-csi-disk-expand.sh | 11 +++---- terraform/helm/velero_default_values.yaml | 36 ++++++++++++++++++++--- terraform/variables.tf | 17 ++++++----- terraform/versions.tf | 9 +++--- 4 files changed, 50 insertions(+), 23 deletions(-) diff --git a/scripts/aks-csi-disk-expand.sh b/scripts/aks-csi-disk-expand.sh index 5d2b4a5..f6291ee 100644 --- a/scripts/aks-csi-disk-expand.sh +++ b/scripts/aks-csi-disk-expand.sh @@ -1,3 +1,5 @@ +#!/usr/bin/env bash + kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/master/deploy/example/pvc-azuredisk-csi.yaml kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/master/deploy/example/nginx-pod-azuredisk.yaml @@ -7,11 +9,10 @@ kubectl exec -it nginx-azuredisk -- df -h /mnt/azuredisk Filesystem Size Used Available Use% Mounted on /dev/sdd 9.7G 36.0K 9.7G 0% /mnt/azuredisk -# delete pod top unattach disk +# ! this step ONLY required when using AKS v1.20 or below +# [optional] delete pod to unattach disk kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/master/deploy/example/nginx-pod-azuredisk.yaml - - # TODO: add code that waits for disk state to be "unattached" # where tag is: "kubernetes.io-created-for-pvc-name": "pvc-azuredisk" PVC_NAME='pvc-azuredisk' @@ -22,8 +23,6 @@ while true; do sleep 2 done - - # expand pvc kubectl patch pvc pvc-azuredisk --type merge --patch '{"spec": {"resources": {"requests": {"storage": "15Gi"}}}}' 
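Review bot: The new shebang is the only hardening added, but the two `kubectl apply -f https://raw.githubusercontent.com/.../master/deploy/example/...` lines right below it still apply manifests fetched from the `master` branch at run time, so what gets created in the cluster changes whenever upstream moves and cannot be reviewed or reproduced. Pin both URLs to a release tag or commit SHA held in a single variable (e.g. `CSI_REF=...` substituted for `master`), and add `set -euo pipefail` after the shebang so a failed download or apply stops the script instead of letting the later `kubectl exec`/`kubectl patch` steps run against a half-created state. The rest of the script continues outside this hunk.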
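Review bot: The new comment says this step is "ONLY required when using AKS v1.20 or below" and marks it "[optional]", yet the `kubectl delete -f ...` that follows, and the `while true` wait loop after it (whose body runs past this hunk), execute unconditionally on every run. Either make the comment accurate (`# NOTE: runs unconditionally; comment out on AKS > 1.20`) or gate the delete and the wait loop behind a simple opt-in, e.g. `if [[ "${DETACH_FIRST:-false}" == "true" ]]; then ... fi`. The TODO about waiting for the "unattached" disk state also still stands, so a reader cannot tell whether the loop below it is the finished implementation or a placeholder.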
@@ -33,5 +32,3 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi # check disk size in pod kubectl exec -it nginx-azuredisk -- df -h /mnt/azuredisk - - diff --git a/terraform/helm/velero_default_values.yaml b/terraform/helm/velero_default_values.yaml index 651d281..273daf0 100644 --- a/terraform/helm/velero_default_values.yaml +++ b/terraform/helm/velero_default_values.yaml @@ -1,4 +1,4 @@ -# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.28.0/charts/velero/values.yaml +# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.29.4/charts/velero/values.yaml ## ## Configuration settings that directly affect the Velero deployment YAML. @@ -8,7 +8,7 @@ # enabling restic). Required. image: repository: velero/velero - tag: v1.8.0 + tag: v1.8.1 # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. # If used, it will take precedence over the image.tag. # digest: @@ -61,7 +61,7 @@ initContainers: # - mountPath: /target # name: plugins # - name: velero-plugin-for-aws - # image: velero/velero-plugin-for-aws:v1.3.0 + # image: velero/velero-plugin-for-aws:v1.4.1 # imagePullPolicy: IfNotPresent # volumeMounts: # - mountPath: /target 
@@ -100,6 +100,32 @@ extraVolumes: [] # Extra volumeMounts for the Velero deployment. Optional. extraVolumeMounts: [] +# Extra K8s manifests to deploy +extraObjects: [] + # - apiVersion: secrets-store.csi.x-k8s.io/v1 + # kind: SecretProviderClass + # metadata: + # name: velero-secrets-store + # spec: + # provider: aws + # parameters: + # objects: | + # - objectName: "velero" + # objectType: "secretsmanager" + # jmesPath: + # - path: "access_key" + # objectAlias: "access_key" + # - path: "secret_key" + # objectAlias: "secret_key" + # secretObjects: + # - data: + # - key: access_key + # objectName: client-id + # - key: client-secret + # objectName: client-secret + # secretName: velero-secrets-store + # type: Opaque + # Settings for Velero's prometheus metrics. Enabled by default. metrics: enabled: true @@ -268,6 +294,8 @@ rbac: create: true # Whether to create the cluster role binding to give administrator permissions to Velero clusterAdministrator: true + # Name of the ClusterRole. + clusterAdministratorName: cluster-admin # Information about the Kubernetes service account Velero uses. serviceAccount: @@ -396,7 +424,7 @@ schedules: {} # velero.io/plugin-config: "" # velero.io/restic: RestoreItemAction # data: -# image: velero/velero-restic-restore-helper:v1.8.0 +# image: velero/velero-restic-restore-helper:v1.8.1 configMaps: {} ## diff --git a/terraform/variables.tf b/terraform/variables.tf index e518366..73303ab 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -26,7 +26,7 @@ variable "nginx_chart_version" { # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.7.1" + default = "v1.7.2" } # https://github.com/vmware-tanzu/helm-charts/releases 
@@ -34,17 +34,17 @@ variable "cert_manager_chart_version" { # * also update terraform/helm/velero_default_values.yaml # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.28.0" + default = "2.29.4" } # https://hub.docker.com/r/velero/velero/tags variable "velero_image_tag" { - default = "v1.8.0" + default = "v1.8.1" } # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.38.0" + default = "3.38.1" } # https://github.com/adamrushuk/charts/releases @@ -78,27 +78,28 @@ variable "external_dns_chart_version" { # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.11.2" + default = "2.12.1" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility variable "kured_image_tag" { - default = "1.8.1" + default = "1.9.2" } # argo cd # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd +# helm search repo -l argo/argo-cd | head -n 20 # * also update terraform/helm/argocd_default_values.yaml variable "argocd_chart_version" { - default = "3.35.0" + default = "3.35.4" } # https://hub.docker.com/r/argoproj/argocd/tags # * also update cli version: terraform/files/scripts/argocd_config.sh#L22 variable "argocd_image_tag" { - default = "v2.3.0" + default = "v2.2.8" } #endregion Versions diff --git a/terraform/versions.tf b/terraform/versions.tf index 6bcafa6..3e35f5c 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf 
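Review bot: `argocd_image_tag` moves from `v2.3.0` to `v2.2.8`, a downgrade, under a commit titled "Bumped terraform providers and helm charts", and the comment two lines above it ("* also update cli version: terraform/files/scripts/argocd_config.sh#L22") is not followed: argocd_config.sh is absent from this commit's diffstat, and PATCH 020 later still shows the CLI at `VERSION="v2.3.0"`, so between these commits the CLI is newer than the server image it configures. The same applies to "* also update terraform/helm/argocd_default_values.yaml" for the `3.35.0` → `3.35.4` chart bump. If the pin to v2.2.8 is deliberate, record why next to the default (e.g. `# pinned to v2.2.8: <reason>, do not bump with chart`), and bring the CLI version in argocd_config.sh down to match; otherwise restore `v2.3.0`.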
@@ -21,27 +21,28 @@ terraform { required_providers { # https://github.com/terraform-providers/terraform-provider-azurerm/releases + # v2.99.0 is the last release in the 2.x line azurerm = { source = "hashicorp/azurerm" - version = "~> 2.98.0" + version = "~> 2.99.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.18.0" + version = "~> 2.19.1" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.8.0" + version = "~> 2.9.0" } # https://github.com/hashicorp/terraform-provider-helm/releases helm = { source = "hashicorp/helm" - version = "~> 2.4.1" + version = "~> 2.5.0" } random = { From 52a834e3b57ed839e4e71e51edc8243b58910083 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 30 Mar 2022 08:45:18 +0100 Subject: [PATCH 017/147] Fixed Nexus nuget repo --- ansible/roles/nuget_repo/defaults/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ansible/roles/nuget_repo/defaults/main.yml b/ansible/roles/nuget_repo/defaults/main.yml index 3d9e8f3..483dc9b 100644 --- a/ansible/roles/nuget_repo/defaults/main.yml +++ b/ansible/roles/nuget_repo/defaults/main.yml @@ -25,17 +25,18 @@ nuget_proxy_repo_request_body: timeToLive: 1440 httpClient: blocked: false - autoBlock: true + autoBlock: false connection: retries: userAgentSuffix: timeout: enableCircularRedirects: false enableCookies: false + useTrustStore: false authentication: routingRuleName: nugetProxy: queryCacheItemMaxAge: 3600 + nugetVersion: V2 format: nuget type: proxy - From d05fe82251cad371bdc7c54f579d389de8498eb5 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 30 Mar 2022 08:59:07 +0100 Subject: [PATCH 018/147] Revert Nexus to v3.38.0 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 73303ab..775fa11 100644 
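Review bot: `autoBlock` flips from `true` to `false` with no comment, which disables Nexus's automatic blocking of this proxy when the remote repeatedly fails; the commit title "Fixed Nexus nuget repo" does not say why that is part of the fix, so add a why-comment above the key (e.g. `# autoBlock disabled: <reason>; remote failures will be retried on every request`). `nugetVersion: V2` selects the legacy NuGet v2 protocol — if the upstream this proxy points at (not visible in this hunk) supports v3, prefer `V3`, and if V2 is required say so in a comment. Note also that the surrounding bare keys (`retries:`, `userAgentSuffix:`, `timeout:`, `authentication:`, `routingRuleName:`) are YAML nulls and will be sent as JSON `null` in the request body; if the intent is "omit", drop them or make the `null` explicit so the behaviour is obvious to the next reader.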
--- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -44,7 +44,7 @@ variable "velero_image_tag" { # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.38.1" + default = "3.38.0" } # https://github.com/adamrushuk/charts/releases From 3d87a49a69346d2877de7186a9fc88d732851025 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 30 Mar 2022 09:08:21 +0100 Subject: [PATCH 019/147] Enable CI_DEBUG --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 98eeec3..58aef8d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -24,7 +24,7 @@ env: PREFIX: arshz # debug - CI_DEBUG: false + CI_DEBUG: true # azure creds ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} From 1bc30fdaf18728c852d6b8bcda0f986d98513c54 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 30 Mar 2022 12:35:42 +0100 Subject: [PATCH 020/147] Bumped argocd chart to v4.3.0, and app to v2.3.3 --- terraform/files/scripts/argocd_config.sh | 2 +- terraform/helm/argocd_default_values.yaml | 749 +++++++++++++++++++++- terraform/variables.tf | 4 +- 3 files changed, 729 insertions(+), 26 deletions(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index ce4fad5..ecd4c33 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -19,7 +19,7 @@ ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install # https://github.com/argoproj/argo-cd/releases/ -VERSION="v2.3.0" +VERSION="v2.3.3" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" diff --git a/terraform/helm/argocd_default_values.yaml b/terraform/helm/argocd_default_values.yaml index c7d0c40..ce86ecc 100644 --- a/terraform/helm/argocd_default_values.yaml +++ b/terraform/helm/argocd_default_values.yaml 
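Review bot: `CI_DEBUG: true` is committed as the workflow-level default, so every run of build.yml — not just the one being debugged — runs in debug mode. What `CI_DEBUG` switches on is not visible in this hunk; if it enables verbose or traced output, the Azure credentials injected a few lines below (`ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}` and siblings) are at risk of being echoed into workflow logs, and GitHub's secret masking only catches exact secret values. Drive it from a `workflow_dispatch` input instead of a committed constant, e.g. `CI_DEBUG: ${{ github.event.inputs.ci_debug || 'false' }}`, or revert to `false` before merging.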
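Review bot: The CLI download on the line after the version bump, `curl -sSL -o "$ARGOCD_PATH" ".../releases/download/$VERSION/argocd-linux-amd64"`, is followed by `chmod +x` with no integrity check, so a compromised or tampered release asset (or a transparent proxy) gets executed as part of cluster configuration. Argo CD releases publish SHA-256 checksums alongside the CLI binaries; pin the expected digest next to `VERSION` and verify before `chmod +x`: `ARGOCD_SHA256="<digest from the release page>"` and `echo "${ARGOCD_SHA256}  ${ARGOCD_PATH}" | sha256sum -c -`. This also turns the version pin into something that actually fails when the downloaded bytes change. The surrounding script starts and ends outside this hunk.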
@@ -1,6 +1,6 @@ -# https://github.com/argoproj/argo-helm/blob/argo-cd-3.35.0/charts/argo-cd/values.yaml +# https://github.com/argoproj/argo-helm/blob/argo-cd-4.3.0/charts/argo-cd/values.yaml -## ArgoCD configuration +## Argo CD configuration ## Ref: https://github.com/argoproj/argo-cd ## @@ -13,11 +13,11 @@ kubeVersionOverride: "" global: image: - # -- If defined, a repository applied to all ArgoCD deployments + # -- If defined, a repository applied to all Argo CD deployments repository: quay.io/argoproj/argocd - # -- Overrides the global ArgoCD image tag whose default is the chart appVersion + # -- Overrides the global Argo CD image tag whose default is the chart appVersion tag: "" - # -- If defined, a imagePullPolicy applied to all ArgoCD deployments + # -- If defined, a imagePullPolicy applied to all Argo CD deployments imagePullPolicy: IfNotPresent # -- Annotations for the all deployed pods podAnnotations: {} @@ -109,8 +109,7 @@ controller: replicas: 1 # -- Deploy the application controller as a StatefulSet instead of a Deployment, this is required for HA capability. - # This is a feature flag that will become the default in chart version 3.x - enableStatefulSet: false + enableStatefulSet: true ## Application controller commandline flags args: @@ -253,7 +252,7 @@ controller: # -- Enables additional labels in argocd_app_labels metric enabled: false # -- Additional labels - labels: {} + labels: [] service: # -- Metrics service annotations annotations: {} @@ -290,9 +289,9 @@ controller: # labels: # severity: critical # annotations: - # summary: "[ArgoCD] No reported applications" + # summary: "[Argo CD] No reported applications" # description: > - # ArgoCD has not reported any applications data for the past 15 minutes which + # Argo CD has not reported any applications data for the past 15 minutes which # means that it must be down or not functioning properly. This needs to be # resolved for this cloud to continue to maintain state. # - alert: ArgoAppNotSynced 
@@ -312,7 +311,7 @@ controller: # namespace: monitoring # additionalLabels: {} - ## Enable if you would like to grant rights to ArgoCD to deploy to the local Kubernetes cluster. + ## Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster. clusterAdminAccess: # -- Enable RBAC for local cluster deployments enabled: true @@ -331,7 +330,7 @@ controller: # -- Init containers to add to the application controller pod ## If your target Kubernetes cluster(s) require a custom auth provider executable ## you could use this (and the same in the server pod) to bootstrap - ## that executable into your ArgoCD container + ## that executable into your Argo CD container initContainers: [] # - name: download-tools # image: alpine:3.8 @@ -1136,7 +1135,7 @@ server: # -- Termination policy of Openshift Route termination_policy: None - # -- Manage ArgoCD configmap (Declarative Setup) + # -- Manage Argo CD configmap (Declarative Setup) ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml configEnabled: true # -- [General Argo CD configuration] @@ -1173,10 +1172,10 @@ server: # - profile # - email - # -- Annotations to be added to ArgoCD ConfigMap + # -- Annotations to be added to Argo CD ConfigMap configAnnotations: {} - # -- ArgoCD rbac config ([ArgoCD RBAC policy]) + # -- Argo CD rbac config ([Argo CD RBAC policy]) ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md rbacConfig: {} 
@@ -1199,14 +1198,14 @@ server: # If omitted, defaults to: '[groups]'. The scope value can be a string, or a list of strings. # scopes: '[cognito:groups, email]' - # -- Annotations to be added to ArgoCD rbac ConfigMap + # -- Annotations to be added to Argo CD rbac ConfigMap rbacConfigAnnotations: {} # -- Whether or not to create the configmap. If false, it is expected the configmap will be created - # by something else. ArgoCD will not work if there is no configMap created with the name above. + # by something else. Argo CD will not work if there is no configMap created with the name above. rbacConfigCreate: true - # -- Deploy ArgoCD Applications within this helm release + # -- Deploy Argo CD Applications within this helm release # @default -- `[]` (See [values.yaml]) ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ additionalApplications: [] @@ -1239,7 +1238,7 @@ server: # - name: url # value: https://argoproj.github.io/ - # -- Deploy ArgoCD Projects within this helm release + # -- Deploy Argo CD Projects within this helm release # @default -- `[]` (See [values.yaml]) ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ additionalProjects: [] @@ -1283,7 +1282,7 @@ server: # - keyID: ABCDEF1234567890 ## Enable Admin ClusterRole resources. - ## Enable if you would like to grant rights to ArgoCD to deploy to the local Kubernetes cluster. + ## Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster. clusterAdminAccess: # -- Enable RBAC for local cluster deployments enabled: true @@ -1347,7 +1346,7 @@ server: # -- Init containers to add to the server pod ## If your target Kubernetes cluster(s) require a custom auth provider executable ## you could use this (and the same in the application controller pod) to bootstrap - ## that executable into your ArgoCD container + ## that executable into your Argo CD container initContainers: [] # - name: download-tools # image: alpine:3.8 
@@ -1573,7 +1572,7 @@ repoServer: additionalLabels: {} ## Enable Admin ClusterRole resources. - ## Enable if you would like to grant cluster rights to ArgoCD repo server. + ## Enable if you would like to grant cluster rights to Argo CD repo server. clusterAdminAccess: # -- Enable RBAC for local cluster deployments enabled: false @@ -1590,7 +1589,7 @@ repoServer: ## If create is set to true, make sure to uncomment the name and update the rbac section below serviceAccount: # -- Create repo server service account - create: false + create: true # -- Repo server service account name name: "" # "argocd-repo-server" # -- Annotations applied to created service account 
@@ -1863,3 +1862,707 @@ configs: openshift: # -- enables using arbitrary uid for argo repo server enabled: false + +applicationSet: + # -- Enable Application Set controller + enabled: true + + # -- Application Set controller name string + name: applicationset-controller + + # -- The number of controller pods to run + replicaCount: 1 + + image: + # -- Repository to use for the application set controller + repository: quay.io/argoproj/argocd-applicationset + # -- Image pull policy for the application set controller + pullPolicy: IfNotPresent + # -- Tag to use for the application set controller + tag: "v0.4.1" + + args: + # -- The default metric address + metricsAddr: :8080 + # -- The default health check port + probeBindAddr: :8081 + # -- The default leader election setting + enableLeaderElection: false + # -- How application is synced between the generator and the cluster + policy: sync + # -- Print debug logs + debug: false + # -- Enable dry run mode + dryRun: false + + # -- Additional containers to be added to the applicationset controller pod + extraContainers: [] + + ## Metrics service configuration + metrics: + # -- Deploy metrics service + enabled: false + service: + # -- Metrics service annotations + annotations: {} + # -- Metrics service labels + labels: {} + # -- Metrics service port + servicePort: 8085 + serviceMonitor: + # -- Enable a prometheus ServiceMonitor + enabled: false + # -- Prometheus ServiceMonitor interval + interval: 30s + # -- Prometheus [RelabelConfigs] to apply to samples before scraping + relabelings: [] + # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion + metricRelabelings: [] + # -- Prometheus ServiceMonitor selector + selector: {} + # prometheus: kube-prometheus + + # -- Prometheus ServiceMonitor namespace + namespace: "" # monitoring + # -- Prometheus ServiceMonitor labels + additionalLabels: {} + + # -- If defined, uses a Secret to pull an image from a private Docker registry or repository. 
+ imagePullSecrets: [] + + ## Application set service configuration + service: + # -- Application set service annotations + annotations: {} + # -- Application set service labels + labels: {} + # -- Application set service port + port: 7000 + # -- Application set service port name + portName: webhook + + serviceAccount: + # -- Specifies whether a service account should be created + create: true + # -- Annotations to add to the service account + annotations: {} + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + # -- Annotations for the controller pods + podAnnotations: {} + + # -- Labels for the controller pods + podLabels: {} + + # -- Pod Security Context + podSecurityContext: {} + # fsGroup: 2000 + + # -- Security Context + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + # -- Resource limits and requests for the controller pods. + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # -- [Node selector] + nodeSelector: {} + + # -- [Tolerations] for use with node taints + tolerations: [] + + # -- Assign custom [affinity] rules + affinity: {} + + # -- If specified, indicates the pod's priority. If not specified, the pod priority will be default or zero if there is no default. 
+ priorityClassName: "" + + # -- List of extra mounts to add (normally used with extraVolumes) + extraVolumeMounts: [] + # - mountPath: /tmp/foobar + # name: foobar + + # -- List of extra volumes to add + extraVolumes: [] + # - name: foobar + # emptyDir: {} + + # -- List of extra cli args to add + extraArgs: [] + # - --loglevel=warn + + # -- Environment variables to pass to the controller + extraEnv: [] + # - name: "MY_VAR" + # value: "value" + + # -- envFrom to pass to the controller + # @default -- `[]` (See [values.yaml]) + extraEnvFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + ## Webhook for the Git Generator + ## Ref: https://argocd-applicationset.readthedocs.io/en/master/Generators-Git/#webhook-configuration) + webhook: + ingress: + # -- Enable an ingress resource for Webhooks + enabled: false + # -- Additional ingress annotations + annotations: {} + # -- Additional ingress labels + labels: {} + # -- Defines which ingress controller will implement the resource + ingressClassName: "" + + # -- List of ingress hosts + ## Hostnames must be provided if Ingress is enabled. + ## Secrets must be manually created in the namespace + hosts: [] + # - argocd-applicationset.example.com + + # -- List of ingress paths + paths: + - /api/webhook + # -- Ingress path type. 
One of `Exact`, `Prefix` or `ImplementationSpecific` + pathType: Prefix + # -- Additional ingress paths + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used) + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + + # -- Ingress TLS configuration + tls: [] + # - secretName: argocd-applicationset-tls + # hosts: + # - argocd-applicationset.example.com + +notifications: + # -- Enable Notifications controller + enabled: true + + # -- Notifications controller name string + name: notifications-controller + + # -- Assign custom [affinity] rules + affinity: {} + + # -- Argo CD dashboard url; used in place of {{.context.argocdUrl}} in templates + argocdUrl: + + image: + # -- Repository to use for the notifications controller + # @default -- `""` (defaults to global.image.repository) + repository: "" + # -- Tag to use for the notifications controller + # @default -- `""` (defaults to global.image.tag) + tag: "" + # -- Image pull policy for the notifications controller + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" + + # -- Secrets with credentials to pull images from a private registry + imagePullSecrets: [] + + # -- [Node selector] + nodeSelector: {} + + # -- The deployment strategy to use to replace existing pods with new ones + updateStrategy: + type: Recreate + + # -- Define user-defined context + ## For more information: https://argocd-notifications.readthedocs.io/en/stable/templates/#defining-user-defined-context + context: {} + # region: east + # environmentName: staging + + secret: + # -- Whether helm chart creates controller secret + create: true + + # -- key:value pairs of annotations to be added to the secret + annotations: {} + + # -- The name of the secret to use. 
+ ## If not set and create is true, the default name 'argocd-notifications-secret' is used + name: "" + + # -- Generic key:value pairs to be inserted into the secret + ## Can be used for templates, notification services etc. Some examples given below. + ## For more information: https://argocd-notifications.readthedocs.io/en/stable/services/overview/ + items: {} + # slack-token: + # # For more information: https://argocd-notifications.readthedocs.io/en/stable/services/slack/ + + # grafana-apiKey: + # # For more information: https://argocd-notifications.readthedocs.io/en/stable/services/grafana/ + + # webhooks-github-token: + + # email-username: + # email-password: + # For more information: https://argocd-notifications.readthedocs.io/en/stable/services/email/ + + # -- Set the logging level. (One of: `debug`, `info`, `warn`, `error`) + logLevel: info + + # -- Extra arguments to provide to the controller + extraArgs: [] + + # -- Additional container environment variables + extraEnv: [] + + # -- List of extra mounts to add (normally used with extraVolumes) + extraVolumeMounts: [] + # - mountPath: /tmp/foobar + # name: foobar + + # -- List of extra volumes to add + extraVolumes: [] + # - name: foobar + # emptyDir: {} + + metrics: + # -- Enables prometheus metrics server + enabled: false + # -- Metrics port + port: 9001 + service: + # -- Metrics service annotations + annotations: {} + # -- Metrics service labels + labels: {} + serviceMonitor: + # -- Enable a prometheus ServiceMonitor + enabled: false + # -- Prometheus ServiceMonitor selector + selector: {} + # prometheus: kube-prometheus + # -- Prometheus ServiceMonitor labels + additionalLabels: {} + # namespace: monitoring + # interval: 30s + # scrapeTimeout: 10s + + # -- Configures notification services + # @default -- See [values.yaml] + ## For more information: https://argocd-notifications.readthedocs.io/en/stable/services/overview/ + notifiers: {} + # service.slack: | + # token: $slack-token + + # -- Annotations to 
be applied to the controller Pods + podAnnotations: {} + + # -- Labels to be applied to the controller Pods + podLabels: {} + + # -- Pod Security Context + securityContext: + runAsNonRoot: true + + # -- Container Security Context + containerSecurityContext: {} + + # -- Resource limits and requests for the controller + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + serviceAccount: + # -- Specifies whether a service account should be created + create: true + + # -- The name of the service account to use. + ## If not set and create is true, a name is generated using the fullname template + name: argocd-notifications-controller + + # -- Annotations applied to created service account + annotations: {} + + cm: + # -- Whether helm chart creates controller config map + create: true + + # -- The name of the config map to use. + ## If not set and create is true, the default name 'argocd-notifications-cm' is used + name: "" + + # -- Contains centrally managed global application subscriptions + ## For more information: https://argocd-notifications.readthedocs.io/en/stable/subscriptions/ + subscriptions: [] + # # subscription for on-sync-status-unknown trigger notifications + # - recipients: + # - slack:test2 + # - email:test@gmail.com + # triggers: + # - on-sync-status-unknown + # # subscription restricted to applications with matching labels only + # - recipients: + # - slack:test3 + # selector: test=true + # triggers: + # - on-sync-status-unknown + + # -- The notification template is used to generate the notification content + ## For more information: https://argocd-notifications.readthedocs.io/en/stable/templates/ + templates: {} + # template.app-deployed: | + # email: + # subject: New version of an application {{.app.metadata.name}} is up and running. + # message: | + # {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} is now running new version of deployments manifests. 
+ # slack: + # attachments: | + # [{ + # "title": "{{ .app.metadata.name}}", + # "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", + # "color": "#18be52", + # "fields": [ + # { + # "title": "Sync Status", + # "value": "{{.app.status.sync.status}}", + # "short": true + # }, + # { + # "title": "Repository", + # "value": "{{.app.spec.source.repoURL}}", + # "short": true + # }, + # { + # "title": "Revision", + # "value": "{{.app.status.sync.revision}}", + # "short": true + # } + # {{range $index, $c := .app.status.conditions}} + # {{if not $index}},{{end}} + # {{if $index}},{{end}} + # { + # "title": "{{$c.type}}", + # "value": "{{$c.message}}", + # "short": true + # } + # {{end}} + # ] + # }] + # template.app-health-degraded: | + # email: + # subject: Application {{.app.metadata.name}} has degraded. + # message: | + # {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} has degraded. + # Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}. + # slack: + # attachments: |- + # [{ + # "title": "{{ .app.metadata.name}}", + # "title_link": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", + # "color": "#f4c030", + # "fields": [ + # { + # "title": "Sync Status", + # "value": "{{.app.status.sync.status}}", + # "short": true + # }, + # { + # "title": "Repository", + # "value": "{{.app.spec.source.repoURL}}", + # "short": true + # } + # {{range $index, $c := .app.status.conditions}} + # {{if not $index}},{{end}} + # {{if $index}},{{end}} + # { + # "title": "{{$c.type}}", + # "value": "{{$c.message}}", + # "short": true + # } + # {{end}} + # ] + # }] + # template.app-sync-failed: | + # email: + # subject: Failed to sync application {{.app.metadata.name}}. 
+ # message: | + # {{if eq .serviceType "slack"}}:exclamation:{{end}} The sync operation of application {{.app.metadata.name}} has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}} + # Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true . + # slack: + # attachments: |- + # [{ + # "title": "{{ .app.metadata.name}}", + # "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", + # "color": "#E96D76", + # "fields": [ + # { + # "title": "Sync Status", + # "value": "{{.app.status.sync.status}}", + # "short": true + # }, + # { + # "title": "Repository", + # "value": "{{.app.spec.source.repoURL}}", + # "short": true + # } + # {{range $index, $c := .app.status.conditions}} + # {{if not $index}},{{end}} + # {{if $index}},{{end}} + # { + # "title": "{{$c.type}}", + # "value": "{{$c.message}}", + # "short": true + # } + # {{end}} + # ] + # }] + # template.app-sync-running: | + # email: + # subject: Start syncing application {{.app.metadata.name}}. + # message: | + # The sync operation of application {{.app.metadata.name}} has started at {{.app.status.operationState.startedAt}}. + # Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true . 
+ # slack: + # attachments: |- + # [{ + # "title": "{{ .app.metadata.name}}", + # "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", + # "color": "#0DADEA", + # "fields": [ + # { + # "title": "Sync Status", + # "value": "{{.app.status.sync.status}}", + # "short": true + # }, + # { + # "title": "Repository", + # "value": "{{.app.spec.source.repoURL}}", + # "short": true + # } + # {{range $index, $c := .app.status.conditions}} + # {{if not $index}},{{end}} + # {{if $index}},{{end}} + # { + # "title": "{{$c.type}}", + # "value": "{{$c.message}}", + # "short": true + # } + # {{end}} + # ] + # }] + # template.app-sync-status-unknown: | + # email: + # subject: Application {{.app.metadata.name}} sync status is 'Unknown' + # message: | + # {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} sync is 'Unknown'. + # Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}. + # {{if ne .serviceType "slack"}} + # {{range $c := .app.status.conditions}} + # * {{$c.message}} + # {{end}} + # {{end}} + # slack: + # attachments: |- + # [{ + # "title": "{{ .app.metadata.name}}", + # "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", + # "color": "#E96D76", + # "fields": [ + # { + # "title": "Sync Status", + # "value": "{{.app.status.sync.status}}", + # "short": true + # }, + # { + # "title": "Repository", + # "value": "{{.app.spec.source.repoURL}}", + # "short": true + # } + # {{range $index, $c := .app.status.conditions}} + # {{if not $index}},{{end}} + # {{if $index}},{{end}} + # { + # "title": "{{$c.type}}", + # "value": "{{$c.message}}", + # "short": true + # } + # {{end}} + # ] + # }] + # template.app-sync-succeeded: | + # email: + # subject: Application {{.app.metadata.name}} has been successfully synced. 
+ # message: | + # {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}. + # Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true . + # slack: + # attachments: |- + # [{ + # "title": "{{ .app.metadata.name}}", + # "title_link":"{{.context.argocdUrl}}/applications/{{.app.metadata.name}}", + # "color": "#18be52", + # "fields": [ + # { + # "title": "Sync Status", + # "value": "{{.app.status.sync.status}}", + # "short": true + # }, + # { + # "title": "Repository", + # "value": "{{.app.spec.source.repoURL}}", + # "short": true + # } + # {{range $index, $c := .app.status.conditions}} + # {{if not $index}},{{end}} + # {{if $index}},{{end}} + # { + # "title": "{{$c.type}}", + # "value": "{{$c.message}}", + # "short": true + # } + # {{end}} + # ] + # }] + + # -- [Tolerations] for use with node taints + tolerations: [] + + # -- The trigger defines the condition when the notification should be sent + ## For more information: https://argocd-notifications.readthedocs.io/en/stable/triggers/ + triggers: {} + # trigger.on-deployed: | + # - description: Application is synced and healthy. Triggered once per commit. 
+ # oncePer: app.status.sync.revision + # send: + # - app-deployed + # when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy' + # trigger.on-health-degraded: | + # - description: Application has degraded + # send: + # - app-health-degraded + # when: app.status.health.status == 'Degraded' + # trigger.on-sync-failed: | + # - description: Application syncing has failed + # send: + # - app-sync-failed + # when: app.status.operationState.phase in ['Error', 'Failed'] + # trigger.on-sync-running: | + # - description: Application is being synced + # send: + # - app-sync-running + # when: app.status.operationState.phase in ['Running'] + # trigger.on-sync-status-unknown: | + # - description: Application status is 'Unknown' + # send: + # - app-sync-status-unknown + # when: app.status.sync.status == 'Unknown' + # trigger.on-sync-succeeded: | + # - description: Application syncing has succeeded + # send: + # - app-sync-succeeded + # when: app.status.operationState.phase in ['Succeeded'] + # + # For more information: https://argocd-notifications.readthedocs.io/en/stable/triggers/#default-triggers + # defaultTriggers: | + # - on-sync-status-unknown + + ## The optional bot component simplifies managing subscriptions + ## For more information: https://argocd-notifications.readthedocs.io/en/stable/bots/overview/ + bots: + slack: + # -- Enable slack bot + ## You have to set secret.notifiers.slack.signingSecret + enabled: false + + # -- The deployment strategy to use to replace existing pods with new ones + updateStrategy: + type: Recreate + + image: + # -- Repository to use for the Slack bot + # @default -- `""` (defaults to global.image.repository) + repository: "" + # -- Tag to use for the Slack bot + # @default -- `""` (defaults to global.image.tag) + tag: "" + # -- Image pull policy for the Slack bot + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" + + # -- Secrets with credentials to pull images from 
a private registry + imagePullSecrets: [] + + service: + # -- Service annotations for Slack bot + annotations: {} + # -- Service port for Slack bot + port: 80 + # -- Service type for Slack bot + type: LoadBalancer + + serviceAccount: + # -- Specifies whether a service account should be created + create: true + + # -- The name of the service account to use. + ## If not set and create is true, a name is generated using the fullname template + name: argocd-notifications-bot + + # -- Annotations applied to created service account + annotations: {} + + # -- Pod Security Context + securityContext: + runAsNonRoot: true + + # -- Container Security Context + containerSecurityContext: {} + + # -- Resource limits and requests for the Slack bot + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # -- Assign custom [affinity] rules + affinity: {} + + # -- [Tolerations] for use with node taints + tolerations: [] + + # -- [Node selector] + nodeSelector: {} diff --git a/terraform/variables.tf b/terraform/variables.tf index 775fa11..3c4f1f5 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -93,13 +93,13 @@ variable "kured_image_tag" { # helm search repo -l argo/argo-cd | head -n 20 # * also update terraform/helm/argocd_default_values.yaml variable "argocd_chart_version" { - default = "3.35.4" + default = "4.3.0" } # https://hub.docker.com/r/argoproj/argocd/tags # * also update cli version: terraform/files/scripts/argocd_config.sh#L22 variable "argocd_image_tag" { - default = "v2.2.8" + default = "v2.3.3" } #endregion Versions From 74445911bb431a033f70c168c46bf4019013aa64 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Sun, 3 Apr 2022 08:57:51 +0100 Subject: [PATCH 021/147] Bumped terraform providers and helm charts --- .github/workflows/build.yml | 6 +++--- .github/workflows/destroy.yml | 2 +- terraform/helm/argocd_default_values.yaml | 19 ++++++++++++++++--- terraform/helm/nginx_values.yaml | 8 +++++--- terraform/variables.tf | 6 +++--- terraform/versions.tf | 2 +- 6 files changed, 29 insertions(+), 14 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 58aef8d..17e3375 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -57,12 +57,12 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.1.5" + TF_VERSION: "1.1.7" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases - TFLINT_RULESET_AZURERM_VERSION: "v0.14.0" + TFLINT_RULESET_AZURERM_VERSION: "v0.15.0" # https://github.com/terraform-linters/tflint/releases - TFLINT_VERSION: "v0.34.1" + TFLINT_VERSION: "v0.35.0" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index fe4d401..936840d 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -55,7 +55,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.1.5" + TF_VERSION: "1.1.7" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: diff --git a/terraform/helm/argocd_default_values.yaml b/terraform/helm/argocd_default_values.yaml index ce86ecc..014807c 100644 --- a/terraform/helm/argocd_default_values.yaml +++ b/terraform/helm/argocd_default_values.yaml 
@@ -1,4 +1,5 @@ -# https://github.com/argoproj/argo-helm/blob/argo-cd-4.3.0/charts/argo-cd/values.yaml +# https://github.com/argoproj/argo-helm/blob/argo-cd-4.4.1/charts/argo-cd/values.yaml + ## Argo CD configuration ## Ref: https://github.com/argoproj/argo-cd @@ -397,7 +398,7 @@ dex: # -- Dex image repository repository: ghcr.io/dexidp/dex # -- Dex image tag - tag: v2.30.0 + tag: v2.30.2 # -- Dex imagePullPolicy imagePullPolicy: IfNotPresent initImage: @@ -779,6 +780,18 @@ redis-ha: # -- Redis tag tag: 6.2.6-alpine +# External Redis parameters +externalRedis: + # -- External Redis server host + host: "" + # -- External Redis password + password: "" + # -- External Redis server port + port: 6379 + # -- The name of an existing secret with Redis credentials (must contain key `redis-password`). + # When it's set, the `externalRedis.password` parameter is ignored + existingSecret: "" + ## Server server: # -- Argo CD server name @@ -1142,7 +1155,7 @@ server: # @default -- See [values.yaml] config: # Argo CD's externally facing base URL (optional). Required when configuring SSO - url: https://argocd.example.com + url: "" # Argo CD instance label key application.instanceLabelKey: argocd.argoproj.io/instance diff --git a/terraform/helm/nginx_values.yaml b/terraform/helm/nginx_values.yaml index 063160a..adc9fd4 100644 --- a/terraform/helm/nginx_values.yaml +++ b/terraform/helm/nginx_values.yaml @@ -1,5 +1,7 @@ +# default values: https://github.com/kubernetes/ingress-nginx/blob/helm-chart-4.0.19/charts/ingress-nginx/values.yaml + ## nginx configuration -## Ref: https://github.com/kubernetes/ingress/blob/main/controllers/nginx/configuration.md +## Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/ ## controller: 
@@ -19,8 +21,8 @@ controller: ## node or nodes where an ingress controller pod is running. publishService: # ! This is required for external-dns to work properly - # ! https://github.com/kubernetes-sigs/external-dns/blob/main/docs/tutorials/azure.md#deploy-externaldns - # ! https://github.com/kubernetes-sigs/external-dns/blob/main/docs/faq.md#why-is-externaldns-only-adding-a-single-ip-address-in-route-53-on-aws-when-using-the-nginx-ingress-controller-how-do-i-get-it-to-use-the-fqdn-of-the-elb-assigned-to-my-nginx-ingress-controller-service-instead + # ! https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/azure.md + # ! https://github.com/kubernetes-sigs/external-dns/blob/master/docs/faq.md#why-is-externaldns-only-adding-a-single-ip-address-in-route-53-on-aws-when-using-the-nginx-ingress-controller-how-do-i-get-it-to-use-the-fqdn-of-the-elb-assigned-to-my-nginx-ingress-controller-service-instead enabled: true ## Allows overriding of the publish service to bind to ## Must be / diff --git a/terraform/variables.tf b/terraform/variables.tf index 3c4f1f5..0b9001a 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -20,7 +20,7 @@ variable "kubernetes_version" { # helm repo update # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "4.0.18" + default = "4.0.19" } # https://hub.helm.sh/charts/jetstack/cert-manager @@ -78,7 +78,7 @@ variable "external_dns_chart_version" { # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.12.1" + default = "2.13.0" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility @@ -93,7 +93,7 @@ variable "kured_image_tag" { # helm search repo -l argo/argo-cd | head -n 20 # * also update terraform/helm/argocd_default_values.yaml variable "argocd_chart_version" { - default = "4.3.0" + default = "4.4.1" } # https://hub.docker.com/r/argoproj/argocd/tags 
diff --git a/terraform/versions.tf b/terraform/versions.tf index 3e35f5c..fa07e5e 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -24,7 +24,7 @@ terraform { # v2.99.0 is the last release in the 2.x line azurerm = { source = "hashicorp/azurerm" - version = "~> 2.99.0" + version = "~> 3.0.2" } # https://github.com/terraform-providers/terraform-provider-azuread/releases From 70cc8fff8b9fbb781b0894975668366fee7999f2 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 22 Apr 2022 11:59:57 +0100 Subject: [PATCH 022/147] Bump aks module to v1.0.0 --- terraform/aks.tf | 2 +- terraform/function_app.tf | 15 ++++++++------- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index 42b9d78..7c0f8cc 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -54,7 +54,7 @@ resource "azurerm_log_analytics_solution" "aks" { # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest module "aks" { source = "adamrushuk/aks/azurerm" - version = "~> 0.11.0" + version = "~> 1.0.0" kubernetes_version = var.kubernetes_version location = azurerm_resource_group.aks.location diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 4f2c484..129f4b0 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf 
@@ -5,14 +5,15 @@ resource "azurerm_resource_group" "func_app" { tags = var.tags } +# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account resource "azurerm_storage_account" "func_app" { - name = "${var.prefix}stfuncapp" - resource_group_name = azurerm_resource_group.func_app.name - location = azurerm_resource_group.func_app.location - account_tier = "Standard" - account_replication_type = "LRS" - allow_blob_public_access = false - tags = var.tags + name = "${var.prefix}stfuncapp" + resource_group_name = azurerm_resource_group.func_app.name + location = azurerm_resource_group.func_app.location + account_tier = "Standard" + account_replication_type = "LRS" + allow_nested_items_to_be_public = false + tags = var.tags } resource "azurerm_storage_container" "func_app" { From 8ceb7e10318c7e75c11643cd6c8792b96c433fec Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 22 Apr 2022 12:00:04 +0100 Subject: [PATCH 023/147] Bumped terraform providers and helm charts --- terraform/helm/argocd_default_values.yaml | 25 +++++++++++++---------- terraform/variables.tf | 11 +++++----- terraform/versions.tf | 8 ++++---- 3 files changed, 24 insertions(+), 20 deletions(-) diff --git a/terraform/helm/argocd_default_values.yaml b/terraform/helm/argocd_default_values.yaml index 014807c..919d1d3 100644 --- a/terraform/helm/argocd_default_values.yaml +++ b/terraform/helm/argocd_default_values.yaml @@ -1,5 +1,4 @@ -# https://github.com/argoproj/argo-helm/blob/argo-cd-4.4.1/charts/argo-cd/values.yaml - +# https://github.com/argoproj/argo-helm/blob/argo-cd-4.5.7/charts/argo-cd/values.yaml ## Argo CD configuration ## Ref: https://github.com/argoproj/argo-cd @@ -693,7 +692,7 @@ redis: enabled: false image: # -- redis-exporter image repository - repository: quay.io/bitnami/redis-exporter + repository: bitnami/redis-exporter # -- redis-exporter image tag tag: 1.26.0-debian-10-r2 # -- redis-exporter image PullPolicy 
@@ -929,18 +928,22 @@ server: ## Certificate configuration certificate: - # -- Enables a certificate manager certificate + # -- Deploy a Certificate resource (requires cert-manager) enabled: false - # -- Certificate manager domain + # -- Certificate primary domain (commonName) domain: argocd.example.com + # -- The requested 'duration' (i.e. lifetime) of the Certificate. Value must be in units accepted by Go time.ParseDuration + duration: "" + # -- How long before the currently issued certificate's expiry cert-manager should renew the certificate. Value must be in units accepted by Go time.ParseDuration + renewBefore: "" issuer: - # -- Certificate manager issuer - kind: # ClusterIssuer - # -- Certificate manager name - name: # letsencrypt + # -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer` + kind: "" + # -- Certificate isser name. Eg. `letsencrypt` + name: "" # -- Certificate manager additional hosts additionalHosts: [] - # -- Certificate manager secret name + # -- The name of the Secret that will be automatically created and managed by this Certificate resource secretName: argocd-server-tls ## Server service configuration @@ -2187,7 +2190,7 @@ notifications: # interval: 30s # scrapeTimeout: 10s - # -- Configures notification services + # -- Configures notification services such as slack, email or custom webhook # @default -- See [values.yaml] ## For more information: https://argocd-notifications.readthedocs.io/en/stable/services/overview/ notifiers: {} diff --git a/terraform/variables.tf b/terraform/variables.tf index 0b9001a..e7b2eed 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -19,14 +19,15 @@ variable "kubernetes_version" { # # helm repo update # helm search repo ingress-nginx/ingress-nginx +# helm search repo -l ingress-nginx/ingress-nginx | head -5 variable "nginx_chart_version" { - default = "4.0.19" + default = "4.1.0" } # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.7.2" + default = "v1.8.0" } # https://github.com/vmware-tanzu/helm-charts/releases @@ -59,13 +60,13 @@ variable "nexus_chart_version" { # https://github.com/SparebankenVest/public-helm-charts/blob/master/stable/akv2k8s/Chart.yaml#L5 # helm search repo spv-charts/akv2k8s variable "akv2k8s_chart_version" { - default = "2.1.0" + default = "2.2.0" } # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 # helm search repo aad-pod-identity/aad-pod-identity variable "aad_pod_identity_chart_version" { - default = "4.1.8" + default = "4.1.9" } # https://bitnami.com/stack/external-dns/helm @@ -93,7 +94,7 @@ variable "kured_image_tag" { # helm search repo -l argo/argo-cd | head -n 20 # * also update terraform/helm/argocd_default_values.yaml variable "argocd_chart_version" { - default = "4.4.1" + default = "4.5.7" } # https://hub.docker.com/r/argoproj/argocd/tags diff --git a/terraform/versions.tf b/terraform/versions.tf index fa07e5e..e62156e 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf 
@@ -24,25 +24,25 @@ terraform { # v2.99.0 is the last release in the 2.x line azurerm = { source = "hashicorp/azurerm" - version = "~> 3.0.2" + version = "~> 3.3.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.19.1" + version = "~> 2.21.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.9.0" + version = "~> 2.10.0" } # https://github.com/hashicorp/terraform-provider-helm/releases helm = { source = "hashicorp/helm" - version = "~> 2.5.0" + version = "~> 2.5.1" } random = { From b4cf716285d9436c9df5271f01d7ed976d23a1df Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 22 Apr 2022 12:33:39 +0100 Subject: [PATCH 024/147] changed local_file to local_sensitive_file --- terraform/akv2k8s_helm.tf | 7 ++++--- terraform/argocd_helm.tf | 6 +++--- terraform/argocd_sso.tf | 6 +++--- terraform/dns.tf | 2 +- terraform/gitlab_helm.tf | 2 +- terraform/nexus_helm.tf | 2 +- 6 files changed, 13 insertions(+), 12 deletions(-) diff --git a/terraform/akv2k8s_helm.tf b/terraform/akv2k8s_helm.tf index 1ff38c6..1aa31a4 100644 --- a/terraform/akv2k8s_helm.tf +++ b/terraform/akv2k8s_helm.tf @@ -56,9 +56,10 @@ resource "azurerm_role_assignment" "aks_mi_kv_secrets" { # Requires "kube_admin_config_raw" as has AAD Auth enabled # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#kube_admin_config_raw -resource "local_file" "kubeconfig" { - sensitive_content = module.aks.full_object.kube_admin_config_raw - filename = var.aks_config_path +# https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file +resource "local_sensitive_file" "kubeconfig" { + content = module.aks.full_object.kube_admin_config_raw + filename = var.aks_config_path depends_on = [module.aks] } 
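Review bot: `local_sensitive_file.kubeconfig` writes the AKS admin kubeconfig to `var.aks_config_path` without an explicit `file_permission`, so the on-disk mode is whatever the provider defaults to; stating it makes the intent reviewable, e.g. `file_permission = "0600"` directly under `filename`. The switch to the sensitive resource only redacts the content from plan/apply output — `module.aks.full_object.kube_admin_config_raw` is still recorded in plaintext in Terraform state, so the state backend's access controls remain the real protection for these administrative credentials, exactly as before this change. The same `local_sensitive_file.kubeconfig` rename is what the dependency-only hunks in `argocd_helm.tf`, `argocd_sso.tf`, `dns.tf`, `gitlab_helm.tf` and `nexus_helm.tf` follow, so no separate point is raised there.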
diff --git a/terraform/argocd_helm.tf b/terraform/argocd_helm.tf index d72f421..479e01c 100644 --- a/terraform/argocd_helm.tf +++ b/terraform/argocd_helm.tf @@ -32,7 +32,7 @@ resource "null_resource" "argocd_cert_sync" { } depends_on = [ - local_file.kubeconfig, + local_sensitive_file.kubeconfig, helm_release.akv2k8s, kubernetes_namespace.argocd ] @@ -100,7 +100,7 @@ resource "null_resource" "argocd_configure" { } depends_on = [ - local_file.kubeconfig, + local_sensitive_file.kubeconfig, helm_release.argocd ] } @@ -123,7 +123,7 @@ resource "null_resource" "argocd_apps" { } depends_on = [ - local_file.kubeconfig, + local_sensitive_file.kubeconfig, null_resource.argocd_configure ] } diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 1795316..f867767 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -112,7 +112,7 @@ resource "null_resource" "argocd_cm" { } depends_on = [ - local_file.kubeconfig, + local_sensitive_file.kubeconfig, null_resource.argocd_configure ] } @@ -145,7 +145,7 @@ resource "null_resource" "argocd_secret" { } depends_on = [ - local_file.kubeconfig, + local_sensitive_file.kubeconfig, null_resource.argocd_configure ] } @@ -181,7 +181,7 @@ resource "null_resource" "argocd_rbac_cm" { } depends_on = [ - local_file.kubeconfig, + local_sensitive_file.kubeconfig, null_resource.argocd_configure ] } diff --git a/terraform/dns.tf b/terraform/dns.tf index 8397895..c1c6d17 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -67,7 +67,7 @@ resource "null_resource" "azureIdentity_external_dns" { } depends_on = [ - local_file.kubeconfig, + local_sensitive_file.kubeconfig, kubernetes_namespace.external_dns, helm_release.aad_pod_identity ] diff --git a/terraform/gitlab_helm.tf b/terraform/gitlab_helm.tf index 8d05664..0c397c1 100644 --- a/terraform/gitlab_helm.tf +++ b/terraform/gitlab_helm.tf 
@@ -31,7 +31,7 @@ resource "null_resource" "gitlab_cert_sync" { } depends_on = [ - local_file.kubeconfig, + local_sensitive_file.kubeconfig, helm_release.akv2k8s, kubernetes_namespace.gitlab ] diff --git a/terraform/nexus_helm.tf b/terraform/nexus_helm.tf index eaeba3e..64c2d3d 100644 --- a/terraform/nexus_helm.tf +++ b/terraform/nexus_helm.tf @@ -30,7 +30,7 @@ resource "null_resource" "nexus_cert_sync" { } depends_on = [ - local_file.kubeconfig, + local_sensitive_file.kubeconfig, helm_release.akv2k8s, kubernetes_namespace.nexus ] From 0b1c2fdf93fb32276b6a7b0251cc6b7ab041f544 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 22 Apr 2022 12:58:31 +0100 Subject: [PATCH 025/147] Changed azurerm_function_app to azurerm_linux_function_app --- terraform/function_app.tf | 74 +++++++++++++++++++++------------------ 1 file changed, 40 insertions(+), 34 deletions(-) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 129f4b0..3cb66f0 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -65,20 +65,14 @@ data "azurerm_storage_account_sas" "func_app" { } } -resource "azurerm_app_service_plan" "func_app" { +# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_plan +resource "azurerm_service_plan" "func_app" { name = "${var.prefix}-funcapp" location = azurerm_resource_group.func_app.location resource_group_name = azurerm_resource_group.func_app.name - # reserved = false # This needs to be set as 'false' otherwise the default is a Linux function app which won't work with our code - kind = "FunctionApp" - tags = var.tags - - # Consumption Plan - sku { - tier = "Dynamic" - size = "Y1" - } - + os_type = "Linux" + sku_name = "Y1" + tags = var.tags } # Application Insights used for logs and monitoring 
@@ -91,36 +85,48 @@ resource "azurerm_application_insights" "appinsights" { } # Function App using zipped up source files -resource "azurerm_function_app" "func_app" { - name = "${var.prefix}-funcapp" - location = azurerm_resource_group.func_app.location - resource_group_name = azurerm_resource_group.func_app.name - app_service_plan_id = azurerm_app_service_plan.func_app.id - https_only = true - storage_account_access_key = azurerm_storage_account.func_app.primary_access_key - storage_account_name = azurerm_storage_account.func_app.name - version = "~3" - tags = var.tags - app_settings = { - "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.appinsights.instrumentation_key - "FUNCTION_APP_EDIT_MODE" = "readonly" - "FUNCTIONS_WORKER_RUNTIME_VERSION" = "~7" - "FUNCTIONS_WORKER_RUNTIME" = "powershell" - "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) - "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key - "WEBSITE_RUN_FROM_PACKAGE" = "https://${azurerm_storage_account.func_app.name}.blob.core.windows.net/${azurerm_storage_container.func_app.name}/${azurerm_storage_blob.func_app.name}${data.azurerm_storage_account_sas.func_app.sas}" - "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" +# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app +resource "azurerm_linux_function_app" "func_app" { + name = "${var.prefix}-funcapp" + location = azurerm_resource_group.func_app.location + resource_group_name = azurerm_resource_group.func_app.name + service_plan_id = azurerm_service_plan.func_app.id + https_only = true + storage_account_access_key = azurerm_storage_account.func_app.primary_access_key + storage_account_name = azurerm_storage_account.func_app.name + functions_extension_version = "~4" + tags = var.tags + + application_stack { + powershell_core_version = 7 } identity { type = "SystemAssigned" } - lifecycle { - ignore_changes = [ - app_settings, - ] + site_config { + # 
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app#application_insights_key + application_insights_key = azurerm_application_insights.appinsights.instrumentation_key } + + # https://docs.microsoft.com/en-us/azure/azure-functions/functions-app-settings + app_settings = { + # "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.appinsights.instrumentation_key + "FUNCTION_APP_EDIT_MODE" = "readonly" + # "FUNCTIONS_WORKER_RUNTIME_VERSION" = "~7" + # "FUNCTIONS_WORKER_RUNTIME" = "powershell" + "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) + "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key + "WEBSITE_RUN_FROM_PACKAGE" = "https://${azurerm_storage_account.func_app.name}.blob.core.windows.net/${azurerm_storage_container.func_app.name}/${azurerm_storage_blob.func_app.name}${data.azurerm_storage_account_sas.func_app.sas}" + "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" + } + + # lifecycle { + # ignore_changes = [ + # app_settings, + # ] + # } } From 436cf5ded0f1e8c45eeb0342e2429d8a7c773942 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 22 Apr 2022 13:01:54 +0100 Subject: [PATCH 026/147] Fixed azurerm_storage_account_sas errors --- terraform/function_app.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 3cb66f0..4d8db23 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -62,6 +62,8 @@ data "azurerm_storage_account_sas" "func_app" { create = false update = false process = false + tag = false + filter = false } } From 0d5007f13c9721978f6fc95fd62df138bdd9a965 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 22 Apr 2022 13:18:13 +0100 Subject: [PATCH 027/147] Fixed application_stack error --- terraform/function_app.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 4d8db23..249679b 100644 
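Review bot: `app_settings` on `azurerm_linux_function_app.func_app` now carries two secrets in clear form — `var.ifttt_webhook_key` and the SAS token appended to `WEBSITE_RUN_FROM_PACKAGE` — and both are recorded verbatim in Terraform state and, unless the variable is declared `sensitive = true` (its declaration is outside this hunk), echoed in plan output and CI logs. The resource already has a `SystemAssigned` identity; if the package blob can be read through that identity, the SAS could be dropped from the URL altogether (confirm against the current Run-From-Package guidance before relying on it). The `lifecycle { ignore_changes = [app_settings] }` block is left commented out with no rationale, and since `HASH` and the SAS now participate in the diff, either delete the dead block or record the decision, e.g. `# app_settings drift is applied on purpose so a new package (HASH) triggers a redeploy`.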
--- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -99,10 +99,6 @@ resource "azurerm_linux_function_app" "func_app" { functions_extension_version = "~4" tags = var.tags - application_stack { - powershell_core_version = 7 - } - identity { type = "SystemAssigned" } @@ -110,6 +106,10 @@ resource "azurerm_linux_function_app" "func_app" { site_config { # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app#application_insights_key application_insights_key = azurerm_application_insights.appinsights.instrumentation_key + + application_stack { + powershell_core_version = 7 + } } # https://docs.microsoft.com/en-us/azure/azure-functions/functions-app-settings @@ -136,5 +136,5 @@ resource "azurerm_linux_function_app" "func_app" { resource "azurerm_role_assignment" "func_app" { scope = data.azurerm_resource_group.aks_node_rg.id role_definition_name = "Reader" - principal_id = azurerm_function_app.func_app.identity.0.principal_id + principal_id = azurerm_linux_function_app.func_app.identity.0.principal_id } From 5700c1ade9585cbe73f308b161b7335358337f5f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 22 Apr 2022 15:12:19 +0100 Subject: [PATCH 028/147] Disabled prevent_deletion_if_contains_resources --- terraform/versions.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index e62156e..233bfbd 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -75,7 +75,12 @@ terraform { # must include blank features block # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { - features {} + # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/features-block + features { + resource_group { + prevent_deletion_if_contains_resources = false + } + } } # https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs#credentials-config 
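Review bot: In the `@@ -136,5 +136,5 @@` hunk, `azurerm_linux_function_app.func_app.identity.0.principal_id` keeps the legacy attribute-style index while only the resource type is updated; with the Terraform 1.1.x toolchain this repo pins, `principal_id = azurerm_linux_function_app.func_app.identity[0].principal_id` is the idiomatic form and reads unambiguously as a list index. The `azurerm_role_assignment` block itself starts before this hunk.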
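Review bot: `prevent_deletion_if_contains_resources = false` in the azurerm `features` block switches off the provider's guard against destroying a resource group that still contains resources Terraform does not track, and the only rationale is the commit title. Because this is a blast-radius control rather than a compatibility tweak, the block should state why it is acceptable here, e.g. `# allow destroy of RGs that hold resources created outside Terraform state; accepted for this disposable environment` — adjust if the actual reason differs. If only the destroy workflow needs it, consider driving the value from a variable so the day-to-day apply path keeps the guard.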
From ed504dee35925eccb6154c8527f4533e5b4e6051 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 11 May 2022 08:44:25 +0100 Subject: [PATCH 029/147] Bumped terraform providers and helm charts --- .github/workflows/build.yml | 16 ++++---- .github/workflows/destroy.yml | 2 +- terraform/helm/argocd_default_values.yaml | 48 +++++++++++++++++++++-- terraform/variables.tf | 6 +-- terraform/versions.tf | 15 +++---- 5 files changed, 65 insertions(+), 22 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 17e3375..cd443da 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -57,12 +57,12 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.1.7" + TF_VERSION: "1.1.9" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases - TFLINT_RULESET_AZURERM_VERSION: "v0.15.0" + TFLINT_RULESET_AZURERM_VERSION: "v0.16.0" # https://github.com/terraform-linters/tflint/releases - TFLINT_VERSION: "v0.35.0" + TFLINT_VERSION: "v0.36.2" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 @@ -189,11 +189,11 @@ jobs: run: ./scripts/push_docker_images.sh # TODO: Remove once issue has been fixed - - name: Fix Function App version - run: pwsh -command "./scripts/Fix-FunctionApp.ps1" - env: - FUNCTION_APP_NAME: "${{ env.PREFIX }}-funcapp" - FUNCTION_APP_RG: "${{ env.PREFIX }}-rg-function-app" + # - name: Fix Function App version + # run: pwsh -command "./scripts/Fix-FunctionApp.ps1" + # env: + # FUNCTION_APP_NAME: "${{ env.PREFIX }}-funcapp" + # FUNCTION_APP_RG: "${{ env.PREFIX }}-rg-function-app" # Pester tests - name: 🧪 Run Pester tests diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 936840d..fe4f534 100644 --- a/.github/workflows/destroy.yml 
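Review bot: The `Fix Function App version` step in `build.yml` is disabled by commenting out the whole YAML block under an existing `# TODO: Remove once issue has been fixed`, but neither the TODO nor the hunk says which issue, so a later reader cannot tell whether the workaround is still needed or safe to delete. Either remove the block outright (git history keeps it) or tie the TODO to the tracker, e.g. `# TODO: remove once <ISSUE-LINK placeholder> is resolved; step disabled as the azurerm_linux_function_app migration made it unnecessary` — the second clause is my inference from PATCH 025 and should be confirmed. Commented-out workflow steps also bypass any YAML linting, so they tend to rot silently.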
+++ b/.github/workflows/destroy.yml @@ -55,7 +55,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.1.7" + TF_VERSION: "1.1.9" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: diff --git a/terraform/helm/argocd_default_values.yaml b/terraform/helm/argocd_default_values.yaml index 919d1d3..71d7cee 100644 --- a/terraform/helm/argocd_default_values.yaml +++ b/terraform/helm/argocd_default_values.yaml @@ -260,6 +260,8 @@ controller: labels: {} # -- Metrics service port servicePort: 8082 + # -- Metrics service port name + portName: http-metrics serviceMonitor: # -- Enable a prometheus ServiceMonitor enabled: false @@ -273,6 +275,10 @@ controller: selector: {} # prometheus: kube-prometheus + # -- Prometheus ServiceMonitor scheme + scheme: "" + # -- Prometheus ServiceMonitor tlsConfig + tlsConfig: {} # -- Prometheus ServiceMonitor namespace namespace: "" # "monitoring" # -- Prometheus ServiceMonitor labels @@ -375,6 +381,8 @@ dex: annotations: {} # -- Metrics service labels labels: {} + # -- Metrics service port name + portName: http-metrics serviceMonitor: # -- Enable a prometheus ServiceMonitor enabled: false @@ -388,6 +396,10 @@ dex: selector: {} # prometheus: kube-prometheus + # -- Prometheus ServiceMonitor scheme + scheme: "" + # -- Prometheus ServiceMonitor tlsConfig + tlsConfig: {} # -- Prometheus ServiceMonitor namespace namespace: "" # "monitoring" # -- Prometheus ServiceMonitor labels @@ -399,7 +411,8 @@ dex: # -- Dex image tag tag: v2.30.2 # -- Dex imagePullPolicy - imagePullPolicy: IfNotPresent + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" initImage: # -- Argo CD init image repository # @default -- `""` (defaults to global.image.repository) 
@@ -733,6 +746,10 @@ redis: selector: {} # prometheus: kube-prometheus + # -- Prometheus ServiceMonitor scheme + scheme: "" + # -- Prometheus ServiceMonitor tlsConfig + tlsConfig: {} # -- Prometheus ServiceMonitor namespace namespace: "" # "monitoring" # -- Prometheus ServiceMonitor labels @@ -992,6 +1009,8 @@ server: labels: {} # -- Metrics service port servicePort: 8083 + # -- Metrics service port name + portName: http-metrics serviceMonitor: # -- Enable a prometheus ServiceMonitor enabled: false @@ -1005,6 +1024,10 @@ server: selector: {} # prometheus: kube-prometheus + # -- Prometheus ServiceMonitor scheme + scheme: "" + # -- Prometheus ServiceMonitor tlsConfig + tlsConfig: {} # -- Prometheus ServiceMonitor namespace namespace: "" # monitoring # -- Prometheus ServiceMonitor labels @@ -1569,6 +1592,8 @@ repoServer: labels: {} # -- Metrics service port servicePort: 8084 + # -- Metrics service port name + portName: http-metrics serviceMonitor: # -- Enable a prometheus ServiceMonitor enabled: false @@ -1582,6 +1607,10 @@ repoServer: selector: {} # prometheus: kube-prometheus + # -- Prometheus ServiceMonitor scheme + scheme: "" + # -- Prometheus ServiceMonitor tlsConfig + tlsConfig: {} # -- Prometheus ServiceMonitor namespace namespace: "" # "monitoring" # -- Prometheus ServiceMonitor labels @@ -1892,10 +1921,11 @@ applicationSet: image: # -- Repository to use for the application set controller repository: quay.io/argoproj/argocd-applicationset - # -- Image pull policy for the application set controller - pullPolicy: IfNotPresent # -- Tag to use for the application set controller tag: "v0.4.1" + # -- Image pull policy for the application set controller + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" args: # -- The default metric address 
@@ -1925,6 +1955,8 @@ applicationSet: labels: {} # -- Metrics service port servicePort: 8085 + # -- Metrics service port name + portName: http-metrics serviceMonitor: # -- Enable a prometheus ServiceMonitor enabled: false @@ -1938,6 +1970,10 @@ applicationSet: selector: {} # prometheus: kube-prometheus + # -- Prometheus ServiceMonitor scheme + scheme: "" + # -- Prometheus ServiceMonitor tlsConfig + tlsConfig: {} # -- Prometheus ServiceMonitor namespace namespace: "" # monitoring # -- Prometheus ServiceMonitor labels @@ -2178,6 +2214,8 @@ notifications: annotations: {} # -- Metrics service labels labels: {} + # -- Metrics service port name + portName: http-metrics serviceMonitor: # -- Enable a prometheus ServiceMonitor enabled: false @@ -2189,6 +2227,10 @@ notifications: # namespace: monitoring # interval: 30s # scrapeTimeout: 10s + # -- Prometheus ServiceMonitor scheme + scheme: "" + # -- Prometheus ServiceMonitor tlsConfig + tlsConfig: {} # -- Configures notification services such as slack, email or custom webhook # @default -- See [values.yaml] diff --git a/terraform/variables.tf b/terraform/variables.tf index e7b2eed..2fbdce3 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -21,7 +21,7 @@ variable "kubernetes_version" { # helm search repo ingress-nginx/ingress-nginx # helm search repo -l ingress-nginx/ingress-nginx | head -5 variable "nginx_chart_version" { - default = "4.1.0" + default = "4.1.1" } # https://hub.helm.sh/charts/jetstack/cert-manager @@ -79,7 +79,7 @@ variable "external_dns_chart_version" { # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.13.0" + default = "2.14.0" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility 
@@ -94,7 +94,7 @@ variable "kured_image_tag" { # helm search repo -l argo/argo-cd | head -n 20 # * also update terraform/helm/argocd_default_values.yaml variable "argocd_chart_version" { - default = "4.5.7" + default = "4.6.0" } # https://hub.docker.com/r/argoproj/argocd/tags diff --git a/terraform/versions.tf b/terraform/versions.tf index 233bfbd..55f8e38 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -6,7 +6,7 @@ terraform { # https://github.com/hashicorp/terraform/releases # https://github.com/hashicorp/terraform/blob/main/CHANGELOG.md - required_version = ">= 0.13" + required_version = ">= 1.0" # terraform remote state backend "azurerm" { @@ -21,22 +21,21 @@ terraform { required_providers { # https://github.com/terraform-providers/terraform-provider-azurerm/releases - # v2.99.0 is the last release in the 2.x line azurerm = { source = "hashicorp/azurerm" - version = "~> 3.3.0" + version = "~> 3.5.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.21.0" + version = "~> 2.22.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.10.0" + version = "~> 2.11.0" } # https://github.com/hashicorp/terraform-provider-helm/releases @@ -52,12 +51,12 @@ terraform { tls = { source = "hashicorp/tls" - version = "~> 3.1" + version = "~> 3.3" } local = { source = "hashicorp/local" - version = "~> 2.1" + version = "~> 2.2" } null = { @@ -65,6 +64,8 @@ terraform { version = "~> 3.1" } + # TODO: remove template provider as deprecated (superseded by the templatefile function) + # https://registry.terraform.io/providers/hashicorp/template/latest/docs#deprecation template = { source = "hashicorp/template" version = "~> 2.2" From 44ae737fb53831c7fb1f55e78584a200684dc7d3 Mon Sep 17 00:00:00 2001 
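Review bot: The new `# TODO: remove template provider as deprecated` note could be acted on in this same change: the first hunk of this file raises `required_version` to `>= 1.0`, and `templatefile()` has been built in since Terraform 0.12, so nothing in the version constraints blocks dropping `hashicorp/template`. Where `data "template_file"` is still used is not visible here, so the remaining work is presumably only converting those call sites.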
From: Adam Rush Date: Wed, 18 May 2022 08:26:36 +0100 Subject: [PATCH 030/147] Bumped terraform providers and helm charts --- terraform/helm/argocd_default_values.yaml | 2 +- terraform/variables.tf | 6 +++--- terraform/versions.tf | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/terraform/helm/argocd_default_values.yaml b/terraform/helm/argocd_default_values.yaml index 71d7cee..cc02cf0 100644 --- a/terraform/helm/argocd_default_values.yaml +++ b/terraform/helm/argocd_default_values.yaml @@ -1,4 +1,4 @@ -# https://github.com/argoproj/argo-helm/blob/argo-cd-4.5.7/charts/argo-cd/values.yaml +# https://github.com/argoproj/argo-helm/blob/argo-cd-4.6.0/charts/argo-cd/values.yaml ## Argo CD configuration ## Ref: https://github.com/argoproj/argo-cd diff --git a/terraform/variables.tf b/terraform/variables.tf index 2fbdce3..ceb444d 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -35,7 +35,7 @@ variable "cert_manager_chart_version" { # * also update terraform/helm/velero_default_values.yaml # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.29.4" + default = "2.29.5" } # https://hub.docker.com/r/velero/velero/tags @@ -45,7 +45,7 @@ variable "velero_image_tag" { # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.38.0" + default = "3.38.1" } # https://github.com/adamrushuk/charts/releases @@ -79,7 +79,7 @@ variable "external_dns_chart_version" { # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.14.0" + default = "2.14.1" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility diff --git a/terraform/versions.tf b/terraform/versions.tf index 55f8e38..4cb4760 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf 
@@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 3.5.0" + version = "~> 3.6.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases From fcf32daf4714321f2f8adfbd2db25b4400b80a98 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 18 May 2022 08:27:05 +0100 Subject: [PATCH 031/147] Added func app settings --- terraform/function_app.tf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 249679b..de03b85 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf 
@@ -115,13 +115,13 @@ resource "azurerm_linux_function_app" "func_app" { # https://docs.microsoft.com/en-us/azure/azure-functions/functions-app-settings app_settings = { # "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.appinsights.instrumentation_key - "FUNCTION_APP_EDIT_MODE" = "readonly" - # "FUNCTIONS_WORKER_RUNTIME_VERSION" = "~7" - # "FUNCTIONS_WORKER_RUNTIME" = "powershell" - "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) - "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key - "WEBSITE_RUN_FROM_PACKAGE" = "https://${azurerm_storage_account.func_app.name}.blob.core.windows.net/${azurerm_storage_container.func_app.name}/${azurerm_storage_blob.func_app.name}${data.azurerm_storage_account_sas.func_app.sas}" - "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" + "FUNCTION_APP_EDIT_MODE" = "readonly" + "FUNCTIONS_WORKER_RUNTIME_VERSION" = "~7" + "FUNCTIONS_WORKER_RUNTIME" = "powershell" + "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) + "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key + "WEBSITE_RUN_FROM_PACKAGE" = "https://${azurerm_storage_account.func_app.name}.blob.core.windows.net/${azurerm_storage_container.func_app.name}/${azurerm_storage_blob.func_app.name}${data.azurerm_storage_account_sas.func_app.sas}" + "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" } # lifecycle { From 6d16b18a421177ceb19d0260c211933df2f18809 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 20 May 2022 07:21:18 +0100 Subject: [PATCH 032/147] Changed powershell_core_version to 7.2 --- terraform/function_app.tf | 16 ++++++++-------- terraform/versions.tf | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index de03b85..a8cc7fd 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf 
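Review bot: The re-enabled `FUNCTIONS_WORKER_RUNTIME` / `FUNCTIONS_WORKER_RUNTIME_VERSION` settings duplicate what `site_config.application_stack { powershell_core_version = ... }` already declares on this resource; as far as I can tell the azurerm provider derives the runtime settings from `application_stack`, and declaring them in `app_settings` too is what produces the perpetual plan diff that the following commits (`Changed powershell_core_version to 7.2`, `Added FUNCTIONS_WORKER_RUNTIME app settings`) toggle back and forth. Separately, `WEBSITE_RUN_FROM_PACKAGE` embeds `data.azurerm_storage_account_sas.func_app.sas`, so a storage SAS token (alongside `IFTTT_WEBHOOK_KEY`) is written to plaintext app settings and to Terraform state; keep that SAS read-only and short-lived, wrap the derived values in `sensitive()`, and consider a Key Vault reference (`@Microsoft.KeyVault(SecretUri=<secret-uri>)`) for the webhook key. The enclosing `resource "azurerm_linux_function_app" "func_app"` block starts and ends outside the hunk.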
@@ -108,20 +108,20 @@ resource "azurerm_linux_function_app" "func_app" { application_insights_key = azurerm_application_insights.appinsights.instrumentation_key application_stack { - powershell_core_version = 7 + powershell_core_version = 7.2 } } # https://docs.microsoft.com/en-us/azure/azure-functions/functions-app-settings app_settings = { # "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.appinsights.instrumentation_key - "FUNCTION_APP_EDIT_MODE" = "readonly" - "FUNCTIONS_WORKER_RUNTIME_VERSION" = "~7" - "FUNCTIONS_WORKER_RUNTIME" = "powershell" - "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) - "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key - "WEBSITE_RUN_FROM_PACKAGE" = "https://${azurerm_storage_account.func_app.name}.blob.core.windows.net/${azurerm_storage_container.func_app.name}/${azurerm_storage_blob.func_app.name}${data.azurerm_storage_account_sas.func_app.sas}" - "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" + # "FUNCTIONS_WORKER_RUNTIME_VERSION" = "~7" + # "FUNCTIONS_WORKER_RUNTIME" = "powershell" + "FUNCTION_APP_EDIT_MODE" = "readonly" + "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) + "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key + "WEBSITE_RUN_FROM_PACKAGE" = "https://${azurerm_storage_account.func_app.name}.blob.core.windows.net/${azurerm_storage_container.func_app.name}/${azurerm_storage_blob.func_app.name}${data.azurerm_storage_account_sas.func_app.sas}" + "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" } # lifecycle { diff --git a/terraform/versions.tf b/terraform/versions.tf index 4cb4760..2b0b7ce 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 3.6.0" + version = "~> 3.7.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases 
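Review bot: `powershell_core_version = 7.2` is an unquoted HCL number assigned to a string attribute, so it only works through implicit number-to-string conversion, and a value such as `7.0` would be converted to `"7"` rather than the intended version; write it as a string, `powershell_core_version = "7.2"`. The rest of the hunk comments the `FUNCTIONS_WORKER_RUNTIME*` settings back out two commits after enabling them, which suggests they are still in flux; a one-line comment on why they are disabled would help the next reader. The enclosing resource block starts and ends outside the hunk.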
From b9bea940c26d01b03ad362d07e01cf0b26b80891 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 20 May 2022 07:22:37 +0100 Subject: [PATCH 033/147] Disable Ansible playbook step --- .github/workflows/build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cd443da..beffb20 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -170,12 +170,12 @@ jobs: - name: Wait for resources to be "Ready" run: ./scripts/wait.sh - # Ansible - - name: Run Ansible playbook - run: ./scripts/ansible.sh - env: - NEXUS_ADMIN_PASSWORD: ${{ secrets.NEXUS_ADMIN_PASSWORD }} - NEXUS_USER_PASSWORD: ${{ secrets.NEXUS_USER_PASSWORD }} + # # Ansible + # - name: Run Ansible playbook + # run: ./scripts/ansible.sh + # env: + # NEXUS_ADMIN_PASSWORD: ${{ secrets.NEXUS_ADMIN_PASSWORD }} + # NEXUS_USER_PASSWORD: ${{ secrets.NEXUS_USER_PASSWORD }} # Docker - name: Docker repo login From 6f4ab36911321e27de05a94d4b7f7fdff1687cdf Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 20 May 2022 07:42:27 +0100 Subject: [PATCH 034/147] Changed line ending --- ansible/site.yml | 92 ++++++++++++++++++++++++------------------------ 1 file changed, 46 insertions(+), 46 deletions(-) diff --git a/ansible/site.yml b/ansible/site.yml index 654a21a..3e33862 100644 --- a/ansible/site.yml +++ b/ansible/site.yml 
@@ -1,46 +1,46 @@ -# configure Nexus via rest api -# -# cd ansible -# ansible-playbook site.yml --extra-vars "api_base_uri=https://nexus.thehypepipe.co.uk" -# -# set env vars -# export NEW_ADMIN_PASSWORD= -# export AUTOGENERATED_ADMIN_PASSWORD= ---- -- name: configure nexus - hosts: localhost - connection: local - gather_facts: no - # debugger: always - - # DEFAULTS - # reduce calling the same module repeatedly with the same arguments - # https://docs.ansible.com/ansible/latest/user_guide/playbooks_module_defaults.html - module_defaults: - uri: - # automatically formats body as json, and sets the Content-Type header - body_format: json - user: "{{ api_user }}" - password: "{{ admin_password }}" - force_basic_auth: yes - timeout: 10 - validate_certs: false - - tasks: - # ROLES - - import_role: - name: init - - import_role: - name: user - - import_role: - name: nuget_repo - - import_role: - name: chocolatey_repo - - import_role: - name: docker_repo - - import_role: - name: helm_repo - # - import_role: - # name: pypi_repo - - import_role: - name: raw_repo +# configure Nexus via rest api +# +# cd ansible +# ansible-playbook site.yml --extra-vars "api_base_uri=https://nexus.thehypepipe.co.uk" +# +# set env vars +# export NEW_ADMIN_PASSWORD= +# export AUTOGENERATED_ADMIN_PASSWORD= +--- +- name: configure nexus + hosts: localhost + connection: local + gather_facts: no + # debugger: always + + # DEFAULTS + # reduce calling the same module repeatedly with the same arguments + # https://docs.ansible.com/ansible/latest/user_guide/playbooks_module_defaults.html + module_defaults: + uri: + # automatically formats body as json, and sets the Content-Type header + body_format: json + user: "{{ api_user }}" + password: "{{ admin_password }}" + force_basic_auth: yes + timeout: 10 + validate_certs: false + + tasks: + # ROLES + - import_role: + name: init + - import_role: + name: user + - import_role: + name: nuget_repo + - import_role: + name: chocolatey_repo + - import_role: + name: 
docker_repo + - import_role: + name: helm_repo + # - import_role: + # name: pypi_repo + - import_role: + name: raw_repo From f690e3f5f1fcbb7aa881b8b2fa8f4f12102600ff Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 20 May 2022 07:42:47 +0100 Subject: [PATCH 035/147] Enabled ansible --- .github/workflows/build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index beffb20..cd443da 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -170,12 +170,12 @@ jobs: - name: Wait for resources to be "Ready" run: ./scripts/wait.sh - # # Ansible - # - name: Run Ansible playbook - # run: ./scripts/ansible.sh - # env: - # NEXUS_ADMIN_PASSWORD: ${{ secrets.NEXUS_ADMIN_PASSWORD }} - # NEXUS_USER_PASSWORD: ${{ secrets.NEXUS_USER_PASSWORD }} + # Ansible + - name: Run Ansible playbook + run: ./scripts/ansible.sh + env: + NEXUS_ADMIN_PASSWORD: ${{ secrets.NEXUS_ADMIN_PASSWORD }} + NEXUS_USER_PASSWORD: ${{ secrets.NEXUS_USER_PASSWORD }} # Docker - name: Docker repo login From 77e27815cc4494c8915efa0aed46ee98d43ffe4f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 20 May 2022 07:44:18 +0100 Subject: [PATCH 036/147] Changed nexus to v3.39.0 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index ceb444d..b721711 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -45,7 +45,7 @@ variable "velero_image_tag" { # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.38.1" + default = "3.39.0" } # https://github.com/adamrushuk/charts/releases From e54a76da6eee2991a39fa4aa9579deca5cbd2bd6 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 20 May 2022 07:51:39 +0100 Subject: [PATCH 037/147] Added FUNCTIONS_WORKER_RUNTIME app settings --- terraform/function_app.tf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/terraform/function_app.tf b/terraform/function_app.tf index a8cc7fd..d886e67 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -115,13 +115,13 @@ resource "azurerm_linux_function_app" "func_app" { # https://docs.microsoft.com/en-us/azure/azure-functions/functions-app-settings app_settings = { # "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.appinsights.instrumentation_key - # "FUNCTIONS_WORKER_RUNTIME_VERSION" = "~7" - # "FUNCTIONS_WORKER_RUNTIME" = "powershell" - "FUNCTION_APP_EDIT_MODE" = "readonly" - "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) - "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key - "WEBSITE_RUN_FROM_PACKAGE" = "https://${azurerm_storage_account.func_app.name}.blob.core.windows.net/${azurerm_storage_container.func_app.name}/${azurerm_storage_blob.func_app.name}${data.azurerm_storage_account_sas.func_app.sas}" - "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" + "FUNCTIONS_WORKER_RUNTIME_VERSION" = "~7" + "FUNCTIONS_WORKER_RUNTIME" = "powershell" + "FUNCTION_APP_EDIT_MODE" = "readonly" + "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) + "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key + "WEBSITE_RUN_FROM_PACKAGE" = "https://${azurerm_storage_account.func_app.name}.blob.core.windows.net/${azurerm_storage_container.func_app.name}/${azurerm_storage_blob.func_app.name}${data.azurerm_storage_account_sas.func_app.sas}" + "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" } # lifecycle { From eb9c32c0931fd14d4f93a43666523b3fe935aa02 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 20 May 2022 08:02:51 +0100 Subject: [PATCH 038/147] Added nugetVersion V2 for choco nuget proxy --- ansible/roles/chocolatey_repo/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible/roles/chocolatey_repo/defaults/main.yml b/ansible/roles/chocolatey_repo/defaults/main.yml index efaa816..4011a08 100644 
--- a/ansible/roles/chocolatey_repo/defaults/main.yml +++ b/ansible/roles/chocolatey_repo/defaults/main.yml @@ -26,10 +26,11 @@ chocolatey_proxy_repo_request_body: timeout: enableCircularRedirects: false enableCookies: false + useTrustStore: false authentication: routingRuleName: nugetProxy: queryCacheItemMaxAge: 3600 + nugetVersion: V2 format: nuget type: proxy - From 2df15878e26aacbda33b868b7c09864596bef740 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 24 May 2022 07:39:22 +0100 Subject: [PATCH 039/147] Bumped terraform providers and helm charts --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- terraform/files/scripts/argocd_config.sh | 2 +- terraform/helm/argocd_default_values.yaml | 4 +++- terraform/variables.tf | 10 +++++----- 5 files changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cd443da..1fc1698 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -57,7 +57,7 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.1.9" + TF_VERSION: "1.2.1" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases TFLINT_RULESET_AZURERM_VERSION: "v0.16.0" diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index fe4f534..31aad05 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -55,7 +55,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.1.9" + TF_VERSION: "1.2.1" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index ecd4c33..2dc20ba 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh 
@@ -19,7 +19,7 @@ ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install # https://github.com/argoproj/argo-cd/releases/ -VERSION="v2.3.3" +VERSION="v2.3.4" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" diff --git a/terraform/helm/argocd_default_values.yaml b/terraform/helm/argocd_default_values.yaml index cc02cf0..64f0945 100644 --- a/terraform/helm/argocd_default_values.yaml +++ b/terraform/helm/argocd_default_values.yaml @@ -1,4 +1,4 @@ -# https://github.com/argoproj/argo-helm/blob/argo-cd-4.6.0/charts/argo-cd/values.yaml +# https://github.com/argoproj/argo-helm/blob/argo-cd-4.6.5/charts/argo-cd/values.yaml ## Argo CD configuration ## Ref: https://github.com/argoproj/argo-cd @@ -954,6 +954,8 @@ server: # -- How long before the currently issued certificate's expiry cert-manager should renew the certificate. Value must be in units accepted by Go time.ParseDuration renewBefore: "" issuer: + # -- Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io` + group: "" # -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer` kind: "" # -- Certificate isser name. Eg. `letsencrypt` diff --git a/terraform/variables.tf b/terraform/variables.tf index b721711..f91f2f8 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -21,7 +21,7 @@ variable "kubernetes_version" { # helm search repo ingress-nginx/ingress-nginx # helm search repo -l ingress-nginx/ingress-nginx | head -5 variable "nginx_chart_version" { - default = "4.1.1" + default = "4.1.2" } # https://hub.helm.sh/charts/jetstack/cert-manager @@ -35,7 +35,7 @@ variable "cert_manager_chart_version" { # * also update terraform/helm/velero_default_values.yaml # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.29.5" + default = "2.29.6" } # https://hub.docker.com/r/velero/velero/tags 
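Review bot: The bumped `VERSION` is still downloaded with `curl -sSL` straight to `$ARGOCD_PATH` and made executable with no integrity check, so a substituted or tampered release asset would run unchallenged. Pin the expected digest next to the version and verify before `chmod +x`, e.g. `echo "<expected-sha256-for-v2.3.4>  $ARGOCD_PATH" | sha256sum -c -`, updating the digest together with `VERSION` on each bump. Whether upstream publishes a checksum file for this release is not visible here; if it does, fetching and comparing that file is the simpler option.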
@@ -66,7 +66,7 @@ variable "akv2k8s_chart_version" { # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 # helm search repo aad-pod-identity/aad-pod-identity variable "aad_pod_identity_chart_version" { - default = "4.1.9" + default = "4.1.10" } # https://bitnami.com/stack/external-dns/helm @@ -94,13 +94,13 @@ variable "kured_image_tag" { # helm search repo -l argo/argo-cd | head -n 20 # * also update terraform/helm/argocd_default_values.yaml variable "argocd_chart_version" { - default = "4.6.0" + default = "4.6.5" } # https://hub.docker.com/r/argoproj/argocd/tags # * also update cli version: terraform/files/scripts/argocd_config.sh#L22 variable "argocd_image_tag" { - default = "v2.3.3" + default = "v2.3.4" } #endregion Versions From 968ee3e58d3d76734e09419418300efb2ea48549 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 24 May 2022 07:40:37 +0100 Subject: [PATCH 040/147] Removed https_only --- terraform/function_app.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index d886e67..2b65648 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -93,11 +93,11 @@ resource "azurerm_linux_function_app" "func_app" { location = azurerm_resource_group.func_app.location resource_group_name = azurerm_resource_group.func_app.name service_plan_id = azurerm_service_plan.func_app.id - https_only = true storage_account_access_key = azurerm_storage_account.func_app.primary_access_key storage_account_name = azurerm_storage_account.func_app.name functions_extension_version = "~4" tags = var.tags + # https_only = true identity { type = "SystemAssigned" From 595bafa7159e308858571a4e3751671368443476 Mon Sep 17 00:00:00 2001 
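Review bot: Commenting out `https_only = true` leaves the function app reachable over plain HTTP, because the provider default for this attribute is, as far as I recall, false, and the commit message gives no reason for the removal. If this was done to silence a plan diff, record that in the comment (`# https_only = true  # TODO: re-enable once <reason> is resolved`) and prefer restoring it, since requests to the function, including query and body parameters, can otherwise travel unencrypted. The enclosing `resource "azurerm_linux_function_app" "func_app"` block starts and ends outside the hunk.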
From: Adam Rush Date: Thu, 2 Jun 2022 10:15:01 +0100 Subject: [PATCH 041/147] Added powershell function app example --- .../function-app/.vscode/extensions.json | 6 + .../examples/function-app/.vscode/launch.json | 13 ++ .../function-app/.vscode/settings.json | 6 + .../examples/function-app/.vscode/tasks.json | 14 +++ terraform/examples/function-app/README.md | 25 ++++ .../function-app/functions/.funcignore | 4 + .../function-app/functions/.gitignore | 11 ++ .../functions/HttpTrigger1/function.json | 19 +++ .../functions/HttpTrigger1/run.ps1 | 25 ++++ .../functions/HttpTrigger1/sample.dat | 3 + .../examples/function-app/functions/host.json | 18 +++ .../function-app/functions/profile.ps1 | 22 ++++ .../function-app/functions/requirements.psd1 | 8 ++ terraform/examples/function-app/main.tf | 116 ++++++++++++++++++ 14 files changed, 290 insertions(+) create mode 100644 terraform/examples/function-app/.vscode/extensions.json create mode 100644 terraform/examples/function-app/.vscode/launch.json create mode 100644 terraform/examples/function-app/.vscode/settings.json create mode 100644 terraform/examples/function-app/.vscode/tasks.json create mode 100644 terraform/examples/function-app/README.md create mode 100644 terraform/examples/function-app/functions/.funcignore create mode 100644 terraform/examples/function-app/functions/.gitignore create mode 100644 terraform/examples/function-app/functions/HttpTrigger1/function.json create mode 100644 terraform/examples/function-app/functions/HttpTrigger1/run.ps1 create mode 100644 terraform/examples/function-app/functions/HttpTrigger1/sample.dat create mode 100644 terraform/examples/function-app/functions/host.json create mode 100644 terraform/examples/function-app/functions/profile.ps1 create mode 100644 terraform/examples/function-app/functions/requirements.psd1 create mode 100644 terraform/examples/function-app/main.tf 
diff --git a/terraform/examples/function-app/.vscode/extensions.json b/terraform/examples/function-app/.vscode/extensions.json new file mode 100644 index 0000000..f915119 --- /dev/null +++ b/terraform/examples/function-app/.vscode/extensions.json @@ -0,0 +1,6 @@ +{ + "recommendations": [ + "ms-azuretools.vscode-azurefunctions", + "ms-vscode.PowerShell" + ] +} diff --git a/terraform/examples/function-app/.vscode/launch.json b/terraform/examples/function-app/.vscode/launch.json new file mode 100644 index 0000000..4027c7e --- /dev/null +++ b/terraform/examples/function-app/.vscode/launch.json @@ -0,0 +1,13 @@ +{ + "version": "0.2.0", + "configurations": [ + { + "name": "Attach to PowerShell Functions", + "type": "PowerShell", + "request": "attach", + "customPipeName": "AzureFunctionsPSWorker", + "runspaceId": 1, + "preLaunchTask": "func: host start" + } + ] +} diff --git a/terraform/examples/function-app/.vscode/settings.json b/terraform/examples/function-app/.vscode/settings.json new file mode 100644 index 0000000..5f36516 --- /dev/null +++ b/terraform/examples/function-app/.vscode/settings.json @@ -0,0 +1,6 @@ +{ + "azureFunctions.deploySubpath": "functions", + "azureFunctions.projectLanguage": "PowerShell", + "azureFunctions.projectRuntime": "~4", + "debug.internalConsoleOptions": "neverOpen" +} diff --git a/terraform/examples/function-app/.vscode/tasks.json b/terraform/examples/function-app/.vscode/tasks.json new file mode 100644 index 0000000..1b46dd8 --- /dev/null +++ b/terraform/examples/function-app/.vscode/tasks.json @@ -0,0 +1,14 @@ +{ + "version": "2.0.0", + "tasks": [ + { + "type": "func", + "command": "host start", + "problemMatcher": "$func-powershell-watch", + "isBackground": true, + "options": { + "cwd": "${workspaceFolder}/functions" + } + } + ] +} diff --git a/terraform/examples/function-app/README.md b/terraform/examples/function-app/README.md new file mode 100644 index 0000000..bf4b063 --- /dev/null +++ b/terraform/examples/function-app/README.md 
@@ -0,0 +1,25 @@ +# powershell function app example + +## usage + +```bash +# login via service principle +azh + +# init +cd terraform/examples/function-app +terraform init + +# show plan and apply +terraform apply + +# show outputs +terraform output function +terraform output function_url + +# test function +eval curl $(terraform output --raw function_url)?Name=Adam + +# CLEANUP +terraform destroy +``` diff --git a/terraform/examples/function-app/functions/.funcignore b/terraform/examples/function-app/functions/.funcignore new file mode 100644 index 0000000..414df2f --- /dev/null +++ b/terraform/examples/function-app/functions/.funcignore @@ -0,0 +1,4 @@ +.git* +.vscode +local.settings.json +test \ No newline at end of file diff --git a/terraform/examples/function-app/functions/.gitignore b/terraform/examples/function-app/functions/.gitignore new file mode 100644 index 0000000..4563a76 --- /dev/null +++ b/terraform/examples/function-app/functions/.gitignore @@ -0,0 +1,11 @@ + +# Azure Functions artifacts +bin +obj +appsettings.json +local.settings.json + +# Azurite artifacts +__blobstorage__ +__queuestorage__ +__azurite_db*__.json \ No newline at end of file diff --git a/terraform/examples/function-app/functions/HttpTrigger1/function.json b/terraform/examples/function-app/functions/HttpTrigger1/function.json new file mode 100644 index 0000000..a30d6d5 --- /dev/null +++ b/terraform/examples/function-app/functions/HttpTrigger1/function.json @@ -0,0 +1,19 @@ +{ + "bindings": [ + { + "authLevel": "anonymous", + "type": "httpTrigger", + "direction": "in", + "name": "Request", + "methods": [ + "get", + "post" + ] + }, + { + "type": "http", + "direction": "out", + "name": "Response" + } + ] +} diff --git a/terraform/examples/function-app/functions/HttpTrigger1/run.ps1 b/terraform/examples/function-app/functions/HttpTrigger1/run.ps1 new file mode 100644 index 0000000..ceaa2ad --- /dev/null +++ b/terraform/examples/function-app/functions/HttpTrigger1/run.ps1 
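Review bot: `"authLevel": "anonymous"` on the `HttpTrigger1` binding publishes the endpoint with no function key, so anyone who discovers the URL can invoke it; the README's `curl` test confirms it is called without a `code` parameter. For an example that is applied with `terraform apply` against a real subscription, `"authLevel": "function"` is the safer default, with the README noting that the test URL then needs `?code=<function-key>`, or at least a note stating that anonymous access is deliberate for the demo.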
@@ -0,0 +1,25 @@ +using namespace System.Net + +# Input bindings are passed in via param block. +param($Request, $TriggerMetadata) + +# Write to the Azure Functions log stream. +Write-Host "PowerShell HTTP trigger function processed a request." + +# Interact with query parameters or the body of the request. +$name = $Request.Query.Name +if (-not $name) { + $name = $Request.Body.Name +} + +$body = "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response." + +if ($name) { + $body = "Hello, $name. This HTTP triggered function executed successfully." +} + +# Associate values to output bindings by calling 'Push-OutputBinding'. +Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body +}) diff --git a/terraform/examples/function-app/functions/HttpTrigger1/sample.dat b/terraform/examples/function-app/functions/HttpTrigger1/sample.dat new file mode 100644 index 0000000..68f5a0b --- /dev/null +++ b/terraform/examples/function-app/functions/HttpTrigger1/sample.dat @@ -0,0 +1,3 @@ +{ + "name": "Azure" +} diff --git a/terraform/examples/function-app/functions/host.json b/terraform/examples/function-app/functions/host.json new file mode 100644 index 0000000..6ae17b8 --- /dev/null +++ b/terraform/examples/function-app/functions/host.json @@ -0,0 +1,18 @@ +{ + "version": "2.0", + "logging": { + "applicationInsights": { + "samplingSettings": { + "isEnabled": true, + "excludedTypes": "Request" + } + } + }, + "extensionBundle": { + "id": "Microsoft.Azure.Functions.ExtensionBundle", + "version": "[2.*, 3.0.0)" + }, + "managedDependency": { + "enabled": true + } +} diff --git a/terraform/examples/function-app/functions/profile.ps1 b/terraform/examples/function-app/functions/profile.ps1 new file mode 100644 index 0000000..1670fc9 --- /dev/null +++ b/terraform/examples/function-app/functions/profile.ps1 
@@ -0,0 +1,22 @@ +# Azure Functions profile.ps1 +# +# This profile.ps1 will get executed every "cold start" of your Function App. +# "cold start" occurs when: +# +# * A Function App starts up for the very first time +# * A Function App starts up after being de-allocated due to inactivity +# +# You can define helper functions, run commands, or specify environment variables +# NOTE: any variables defined that are not environment variables will get reset after the first execution + +# Authenticate with Azure PowerShell using MSI. +# Remove this if you are not planning on using MSI or Azure PowerShell. +if ($env:MSI_SECRET) { + Disable-AzContextAutosave -Scope Process | Out-Null + Connect-AzAccount -Identity +} + +# Uncomment the next line to enable legacy AzureRm alias in Azure PowerShell. +# Enable-AzureRmAlias + +# You can also define functions or aliases that can be referenced in any of your PowerShell functions. diff --git a/terraform/examples/function-app/functions/requirements.psd1 b/terraform/examples/function-app/functions/requirements.psd1 new file mode 100644 index 0000000..79d277a --- /dev/null +++ b/terraform/examples/function-app/functions/requirements.psd1 @@ -0,0 +1,8 @@ +# This file enables modules to be automatically managed by the Functions service. +# See https://aka.ms/functionsmanageddependency for additional information. +# +@{ + # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'. + # To use the Az module in your function app, please uncomment the line below. + # 'Az' = '8.*' +} \ No newline at end of file diff --git a/terraform/examples/function-app/main.tf b/terraform/examples/function-app/main.tf new file mode 100644 index 0000000..5ca3daa --- /dev/null +++ b/terraform/examples/function-app/main.tf 
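Review bot: The `if ($env:MSI_SECRET)` block runs `Connect-AzAccount -Identity` on every cold start, but requirements.psd1 in the same commit leaves `# 'Az' = '8.*'` commented out, so the Az module is not managed into the app and the cmdlet will presumably not be found (the Terraform in this series gives the app a system-assigned identity, so `MSI_SECRET` will be set). Either uncomment the Az dependency, pinning the major version as the template suggests, or delete this block as its own comment recommends; nothing in HttpTrigger1 calls an Az cmdlet. A one-line comment such as `# Az module is intentionally not loaded; see requirements.psd1` would make the choice explicit either way.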
@@ -0,0 +1,116 @@ +# function app example + +# providers +provider "azurerm" { + features {} +} +terraform { + required_version = ">= 1.0" + required_providers { + # https://github.com/terraform-providers/terraform-provider-azurerm/releases + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.8.0" + } + archive = { + source = "hashicorp/archive" + version = "2.2.0" + } + } +} + +locals { + region = "uksouth" + resource_group_name = "az-func-example" + storage_account_name = "arlinuxfunctionappps" + storage_container_name = "function-releases" + app_service_plan_name = "example-app-service-plan" + function_app_name = "arush-linux-function-app" + function_source_path = "./functions" + function_name = "HttpTrigger1" +} + +resource "azurerm_resource_group" "example" { + name = local.resource_group_name + location = local.region +} + +resource "azurerm_storage_account" "example" { + name = local.storage_account_name + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" +} + +resource "azurerm_storage_container" "example" { + name = local.storage_container_name + storage_account_name = azurerm_storage_account.example.name +} + +data "archive_file" "example" { + type = "zip" + source_dir = local.function_source_path + output_path = "function_release.zip" +} + +resource "azurerm_storage_blob" "example" { + # The name of the file will be "filehash.zip" where file hash is the SHA256 hash of the file. 
+ name = "${filesha256(data.archive_file.example.output_path)}.zip" + source = data.archive_file.example.output_path + storage_account_name = azurerm_storage_account.example.name + storage_container_name = azurerm_storage_container.example.name + type = "Block" +} + +resource "azurerm_service_plan" "example" { + name = local.app_service_plan_name + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + os_type = "Linux" + sku_name = "Y1" +} + +resource "azurerm_linux_function_app" "example" { + name = local.function_app_name + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + enabled = true + storage_account_name = azurerm_storage_account.example.name + service_plan_id = azurerm_service_plan.example.id + storage_uses_managed_identity = true + + identity { + type = "SystemAssigned" + } + + site_config { + # vnet_route_all_enabled = true + # application_insights_key = azurerm_application_insights.application_insights.instrumentation_key + # http2_enabled = true + + application_stack { + powershell_core_version = 7.2 + } + } + + app_settings = { + "WEBSITE_RUN_FROM_PACKAGE" = azurerm_storage_blob.example.url + } + +} + +resource "azurerm_role_assignment" "example" { + principal_id = azurerm_linux_function_app.example.identity[0].principal_id + role_definition_name = "Storage Blob Data Contributor" + scope = azurerm_storage_account.example.id +} + +output "function" { + value = azurerm_linux_function_app.example + sensitive = true +} + +output "function_url" { + value = "https://${azurerm_linux_function_app.example.name}.azurewebsites.net/api/${local.function_name}" +} From 83d6f90e3adf94de406ce7f6fd208261c180650b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 2 Jun 2022 10:16:56 +0100 Subject: [PATCH 042/147] Updated readme --- terraform/examples/function-app/README.md | 2 ++ 1 file changed, 2 insertions(+) 
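Review bot: `azurerm_linux_function_app.example` does not set `https_only`, so with the provider default the app also answers plain HTTP even though `function_url` advertises `https://`; add `https_only = true` beside `enabled = true`. `azurerm_storage_account.example` likewise sets neither `min_tls_version` nor `allow_nested_items_to_be_public = false`, both of which the repo's main function_app.tf does set and which tfsec will flag. A later commit in this series adds `min_tls_version` to this example but not the other two, so they are still worth a follow-up.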
diff --git a/terraform/examples/function-app/README.md b/terraform/examples/function-app/README.md index bf4b063..ca7f84c 100644 --- a/terraform/examples/function-app/README.md +++ b/terraform/examples/function-app/README.md @@ -1,5 +1,7 @@ # powershell function app example +**IMPORTANT**: It can take a while for the `HttpTrigger1` function to show within the `Function App > Function` screen. + ## usage ```bash From 1a75f5ee74165afd7d0827aa97f8741d951487c0 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 2 Jun 2022 10:33:39 +0100 Subject: [PATCH 043/147] Fixed function app --- function_app/host.json | 2 +- terraform/function_app.tf | 98 ++++++++++++++------------------------- terraform/versions.tf | 6 +++ 3 files changed, 42 insertions(+), 64 deletions(-) diff --git a/function_app/host.json b/function_app/host.json index c1437cb..6ae17b8 100644 --- a/function_app/host.json +++ b/function_app/host.json @@ -10,7 +10,7 @@ }, "extensionBundle": { "id": "Microsoft.Azure.Functions.ExtensionBundle", - "version": "[1.*, 2.0.0)" + "version": "[2.*, 3.0.0)" }, "managedDependency": { "enabled": true diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 2b65648..904db66 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf 
@@ -22,49 +22,19 @@ resource "azurerm_storage_container" "func_app" { container_access_type = "private" } +data "archive_file" "func_app" { + type = "zip" + source_dir = "${path.module}/../function_app" + output_path = "function_release.zip" +} + resource "azurerm_storage_blob" "func_app" { - name = "function_app.zip" + # name will be "[filehash].zip" (filehash is the SHA256 hash of the file) + name = "${filesha256(data.archive_file.example.output_path)}.zip" storage_account_name = azurerm_storage_account.func_app.name storage_container_name = azurerm_storage_container.func_app.name + source = data.archive_file.func_app.output_path type = "Block" - source = "${path.module}/files/function_app.zip" -} - -data "azurerm_storage_account_sas" "func_app" { - connection_string = azurerm_storage_account.func_app.primary_connection_string - https_only = true - # start = formatdate("YYYY-MM-DD", timestamp()) - # expiry = formatdate("YYYY-MM-DD", timeadd(timestamp(), var.func_app_sas_expires_in_hours)) - - # hardcoded values to stop timestamp() affecting EVERY Terraform Plan - start = "2020-10-25" - expiry = "2022-01-01" - - resource_types { - object = true - container = false - service = false - } - - services { - blob = true - queue = false - table = false - file = false - } - - permissions { - read = true - write = false - delete = false - list = false - add = false - create = false - update = false - process = false - tag = false - filter = false - } } # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_plan 
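Review bot: `output_path = "function_release.zip"` in `data.archive_file.func_app` is relative to the process working directory while `source_dir` is anchored on `${path.module}`, so running Terraform from another directory (the workflows set `TF_WORKING_DIR`) writes the zip elsewhere and `filesha256()` in the blob name then hashes a different file or fails. Use `output_path = "${path.module}/function_release.zip"` and add `function_release.zip` to the repository `.gitignore` so the build artifact is never committed. The SAS data source removed here carried a hard-coded `expiry = "2022-01-01"`, so the move to an identity-fetched blob URL also retires a token that had already lapsed; worth a line in the commit message.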
@@ -89,15 +59,16 @@ resource "azurerm_application_insights" "appinsights" { # Function App using zipped up source files # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app resource "azurerm_linux_function_app" "func_app" { - name = "${var.prefix}-funcapp" - location = azurerm_resource_group.func_app.location - resource_group_name = azurerm_resource_group.func_app.name - service_plan_id = azurerm_service_plan.func_app.id - storage_account_access_key = azurerm_storage_account.func_app.primary_access_key - storage_account_name = azurerm_storage_account.func_app.name - functions_extension_version = "~4" - tags = var.tags - # https_only = true + name = "${var.prefix}-funcapp" + location = azurerm_resource_group.func_app.location + resource_group_name = azurerm_resource_group.func_app.name + service_plan_id = azurerm_service_plan.func_app.id + storage_account_access_key = azurerm_storage_account.func_app.primary_access_key + storage_account_name = azurerm_storage_account.func_app.name + storage_uses_managed_identity = true + tags = var.tags + # enabled = true + # https_only = true identity { type = "SystemAssigned" 
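Review bot: The rewritten `azurerm_linux_function_app.func_app` drops the explicit `functions_extension_version = "~4"` line, so the host runtime major version now comes from the provider default rather than being pinned in code; keep `functions_extension_version = "~4"` next to `storage_uses_managed_identity = true` so a provider upgrade cannot silently move the app to another runtime. The same hunk keeps `storage_account_access_key = ...primary_access_key` while turning on `storage_uses_managed_identity`, which leaves the account key in app settings and state for no benefit; a later commit in this series removes the key, which is the right end state. The resource body continues past the end of the hunk.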
@@ -115,26 +86,27 @@ resource "azurerm_linux_function_app" "func_app" { # https://docs.microsoft.com/en-us/azure/azure-functions/functions-app-settings app_settings = { # "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.appinsights.instrumentation_key - "FUNCTIONS_WORKER_RUNTIME_VERSION" = "~7" - "FUNCTIONS_WORKER_RUNTIME" = "powershell" - "FUNCTION_APP_EDIT_MODE" = "readonly" - "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) - "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key - "WEBSITE_RUN_FROM_PACKAGE" = "https://${azurerm_storage_account.func_app.name}.blob.core.windows.net/${azurerm_storage_container.func_app.name}/${azurerm_storage_blob.func_app.name}${data.azurerm_storage_account_sas.func_app.sas}" - "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" + # "FUNCTIONS_WORKER_RUNTIME_VERSION" = "~7" + # "FUNCTIONS_WORKER_RUNTIME" = "powershell" + # "FUNCTION_APP_EDIT_MODE" = "readonly" + # "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) + # "WEBSITE_RUN_FROM_PACKAGE" = "https://${azurerm_storage_account.func_app.name}.blob.core.windows.net/${azurerm_storage_container.func_app.name}/${azurerm_storage_blob.func_app.name}${data.azurerm_storage_account_sas.func_app.sas}" + "WEBSITE_RUN_FROM_PACKAGE" = azurerm_storage_blob.func_app.url + "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key + "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" } - - # lifecycle { - # ignore_changes = [ - # app_settings, - # ] - # } } +# Give Function App access to function zip blob +resource "azurerm_role_assignment" "func_app_storage" { + principal_id = azurerm_linux_function_app.func_app.identity[0].principal_id + role_definition_name = "Storage Blob Data Contributor" + scope = azurerm_storage_account.example.id +} # Give Function App Reader role for the AKS cluster node resource group -resource "azurerm_role_assignment" "func_app" { +resource "azurerm_role_assignment" "func_app_aks" { scope = data.azurerm_resource_group.aks_node_rg.id 
role_definition_name = "Reader" - principal_id = azurerm_linux_function_app.func_app.identity.0.principal_id + principal_id = azurerm_linux_function_app.func_app.identity[0].principal_id } diff --git a/terraform/versions.tf b/terraform/versions.tf index 2b0b7ce..b4e6fb6 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -64,6 +64,12 @@ terraform { version = "~> 3.1" } + # https://registry.terraform.io/providers/hashicorp/archive/latest + archive = { + source = "hashicorp/archive" + version = "2.2.0" + } + # TODO: remove template provider as deprecated (superseded by the templatefile function) # https://registry.terraform.io/providers/hashicorp/template/latest/docs#deprecation template = { From 91bb036ab19ef5af5d0b2f848c3269358d04610c Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 2 Jun 2022 10:53:54 +0100 Subject: [PATCH 044/147] Added test function example --- terraform/examples/function-app/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/examples/function-app/README.md b/terraform/examples/function-app/README.md index ca7f84c..de04b51 100644 --- a/terraform/examples/function-app/README.md +++ b/terraform/examples/function-app/README.md @@ -21,6 +21,8 @@ terraform output function_url # test function eval curl $(terraform output --raw function_url)?Name=Adam +eval curl $(terraform output --raw function_url)?Name=Tasha + # CLEANUP terraform destroy From 553290b31fe4c638e1651f10e0137c11b29060eb Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 2 Jun 2022 10:54:24 +0100 Subject: [PATCH 045/147] Fixed archive path --- terraform/function_app.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 904db66..796125b 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf 
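Review bot: `"IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key` stores the webhook secret as a plaintext app setting, readable by anyone who can list the app's settings and persisted in Terraform state. Prefer a Key Vault reference, `"IFTTT_WEBHOOK_KEY" = "@Microsoft.KeyVault(SecretUri=<secret id>)"`, with the function's system-assigned identity (already declared in this resource) granted secret get on the vault. Separately, `azurerm_role_assignment.func_app_storage` grants `Storage Blob Data Contributor` on the whole account although its comment says it only exists for the package zip; `Storage Blob Data Reader` scoped to `azurerm_storage_container.func_app` is enough to fetch `WEBSITE_RUN_FROM_PACKAGE`, but confirm what the host's identity-based `AzureWebJobsStorage` connection (`storage_uses_managed_identity = true`) requires before narrowing, since it uses the same identity.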
@@ -30,7 +30,7 @@ data "archive_file" "func_app" { resource "azurerm_storage_blob" "func_app" { # name will be "[filehash].zip" (filehash is the SHA256 hash of the file) - name = "${filesha256(data.archive_file.example.output_path)}.zip" + name = "${filesha256(data.archive_file.func_app.output_path)}.zip" storage_account_name = azurerm_storage_account.func_app.name storage_container_name = azurerm_storage_container.func_app.name source = data.archive_file.func_app.output_path From cd10404a9c2d98324a5c54398c4c756f6d4a3004 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 2 Jun 2022 10:58:06 +0100 Subject: [PATCH 046/147] Fixed role def scope --- terraform/function_app.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 796125b..10691e0 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -101,7 +101,7 @@ resource "azurerm_linux_function_app" "func_app" { resource "azurerm_role_assignment" "func_app_storage" { principal_id = azurerm_linux_function_app.func_app.identity[0].principal_id role_definition_name = "Storage Blob Data Contributor" - scope = azurerm_storage_account.example.id + scope = azurerm_storage_account.func_app.id } # Give Function App Reader role for the AKS cluster node resource group From 7ec25b5dab4af3e1c12b5ff08de22d92d2f87086 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 2 Jun 2022 15:12:59 +0100 Subject: [PATCH 047/147] Removed storage_account_access_key for func app --- terraform/README.md | 30 +++++++++++++++++++++++++++++- terraform/function_app.tf | 1 - terraform/versions.tf | 2 +- 3 files changed, 30 insertions(+), 3 deletions(-) diff --git a/terraform/README.md b/terraform/README.md index 7001f0c..da6d44b 100644 --- a/terraform/README.md +++ b/terraform/README.md 
@@ -1,4 +1,32 @@ -# Test README +# Terraform + +## usage + +```bash +# login via service principle +azh + +# init +cd ./terraform +terraform init -backend=false -input=false + +# validate +terraform validate + +# show plan and apply +terraform apply + +# show outputs +# terraform output function + +# test function +# eval curl $(terraform output --raw function_url)?Name=Adam +# eval curl $(terraform output --raw function_url)?Name=Tasha + + +# CLEANUP +terraform destroy +``` **PRE-COMMIT-TERRAFORM DOCS** content will be automatically created below: diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 10691e0..d08ebf4 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -63,7 +63,6 @@ resource "azurerm_linux_function_app" "func_app" { location = azurerm_resource_group.func_app.location resource_group_name = azurerm_resource_group.func_app.name service_plan_id = azurerm_service_plan.func_app.id - storage_account_access_key = azurerm_storage_account.func_app.primary_access_key storage_account_name = azurerm_storage_account.func_app.name storage_uses_managed_identity = true tags = var.tags diff --git a/terraform/versions.tf b/terraform/versions.tf index b4e6fb6..1ee97e2 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 3.7.0" + version = "~> 3.8.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases From 6313b75cd6491425512e8f9ab3b06ff5f2cb974c Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 2 Jun 2022 15:18:16 +0100 Subject: [PATCH 048/147] Changed tf to use one resource group --- terraform/function_app.tf | 13 ++++--------- terraform/velero.tf | 20 ++++---------------- 2 files changed, 8 insertions(+), 25 deletions(-) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index d08ebf4..00c3afc 100644 
--- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -1,14 +1,9 @@ # Function App for reporting on VMs left running outside allowed time range -resource "azurerm_resource_group" "func_app" { - name = "${var.prefix}-rg-function-app" - location = var.location - tags = var.tags -} # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account resource "azurerm_storage_account" "func_app" { name = "${var.prefix}stfuncapp" - resource_group_name = azurerm_resource_group.func_app.name + resource_group_name = azurerm_resource_group.aks.name location = azurerm_resource_group.func_app.location account_tier = "Standard" account_replication_type = "LRS" @@ -41,7 +36,7 @@ resource "azurerm_storage_blob" "func_app" { resource "azurerm_service_plan" "func_app" { name = "${var.prefix}-funcapp" location = azurerm_resource_group.func_app.location - resource_group_name = azurerm_resource_group.func_app.name + resource_group_name = azurerm_resource_group.aks.name os_type = "Linux" sku_name = "Y1" tags = var.tags @@ -51,7 +46,7 @@ resource "azurerm_service_plan" "func_app" { resource "azurerm_application_insights" "appinsights" { name = "${var.prefix}-funcapp" location = var.location - resource_group_name = azurerm_resource_group.func_app.name + resource_group_name = azurerm_resource_group.aks.name application_type = "web" tags = var.tags } @@ -61,7 +56,7 @@ resource "azurerm_application_insights" "appinsights" { resource "azurerm_linux_function_app" "func_app" { name = "${var.prefix}-funcapp" location = azurerm_resource_group.func_app.location - resource_group_name = azurerm_resource_group.func_app.name + resource_group_name = azurerm_resource_group.aks.name service_plan_id = azurerm_service_plan.func_app.id storage_account_name = azurerm_storage_account.func_app.name storage_uses_managed_identity = true diff --git a/terraform/velero.tf b/terraform/velero.tf index f0dd936..3c40be4 100644 --- a/terraform/velero.tf 
+++ b/terraform/velero.tf @@ -2,23 +2,11 @@ # Prereqs # https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/blob/master/README.md#Create-Azure-storage-account-and-blob-container -resource "azurerm_resource_group" "velero" { - count = var.velero_enabled ? 1 : 0 - name = var.velero_resource_group_name - location = var.location - tags = var.tags - - lifecycle { - ignore_changes = [ - tags - ] - } -} resource "azurerm_storage_account" "velero" { count = var.velero_enabled ? 1 : 0 name = var.velero_storage_account_name - resource_group_name = azurerm_resource_group.velero[0].name + resource_group_name = azurerm_resource_group.aks.name location = azurerm_resource_group.velero[0].location account_kind = "BlobStorage" account_tier = "Standard" @@ -87,7 +75,7 @@ resource "helm_release" "velero" { version = var.velero_chart_version timeout = 600 atomic = true - values = [file("helm/velero_values.yaml")] + values = [file("helm/velero_values.yaml")] set { name = "image.tag" @@ -96,7 +84,7 @@ resource "helm_release" "velero" { set { name = "configuration.backupStorageLocation.config.resourceGroup" - value = azurerm_resource_group.velero[0].name + value = azurerm_resource_group.aks.name } set { @@ -106,7 +94,7 @@ resource "helm_release" "velero" { set { name = "configuration.volumeSnapshotLocation.config.resourceGroup" - value = azurerm_resource_group.velero[0].name + value = azurerm_resource_group.aks.name } set { From e2335ecc7b967a635cb677ba6a42a2e56f149b99 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 2 Jun 2022 15:24:55 +0100 Subject: [PATCH 049/147] Bumped terraform providers and helm charts --- terraform/variables.tf | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index f91f2f8..bb53cfe 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -21,7 +21,7 @@ variable "kubernetes_version" { # helm search repo ingress-nginx/ingress-nginx # helm search repo -l ingress-nginx/ingress-nginx | head -5 variable "nginx_chart_version" { - default = "4.1.2" + default = "4.1.3" } # https://hub.helm.sh/charts/jetstack/cert-manager @@ -35,7 +35,7 @@ variable "cert_manager_chart_version" { # * also update terraform/helm/velero_default_values.yaml # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.29.6" + default = "2.29.7" } # https://hub.docker.com/r/velero/velero/tags @@ -70,16 +70,17 @@ variable "aad_pod_identity_chart_version" { } # https://bitnami.com/stack/external-dns/helm -# https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 +# https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml # helm search repo bitnami/external-dns +# helm search repo -l bitnami/external-dns variable "external_dns_chart_version" { - default = "5.4.8" + default = "6.5.1" } # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.14.1" + default = "2.14.2" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility From 75d5e9a33f2e2e56527360a77c3ebf3fd92620c1 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 2 Jun 2022 15:44:59 +0100 Subject: [PATCH 050/147] Fixed rg refactor --- terraform/function_app.tf | 6 +++--- terraform/velero.tf | 2 +- terraform/velero_mi_auth.tf | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 00c3afc..2c66b91 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf 
@@ -4,7 +4,7 @@ resource "azurerm_storage_account" "func_app" { name = "${var.prefix}stfuncapp" resource_group_name = azurerm_resource_group.aks.name - location = azurerm_resource_group.func_app.location + location = azurerm_resource_group.aks.location account_tier = "Standard" account_replication_type = "LRS" allow_nested_items_to_be_public = false @@ -35,7 +35,7 @@ resource "azurerm_storage_blob" "func_app" { # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_plan resource "azurerm_service_plan" "func_app" { name = "${var.prefix}-funcapp" - location = azurerm_resource_group.func_app.location + location = azurerm_resource_group.aks.location resource_group_name = azurerm_resource_group.aks.name os_type = "Linux" sku_name = "Y1" @@ -55,7 +55,7 @@ resource "azurerm_application_insights" "appinsights" { # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app resource "azurerm_linux_function_app" "func_app" { name = "${var.prefix}-funcapp" - location = azurerm_resource_group.func_app.location + location = azurerm_resource_group.aks.location resource_group_name = azurerm_resource_group.aks.name service_plan_id = azurerm_service_plan.func_app.id storage_account_name = azurerm_storage_account.func_app.name diff --git a/terraform/velero.tf b/terraform/velero.tf index 3c40be4..17214be 100644 --- a/terraform/velero.tf +++ b/terraform/velero.tf @@ -7,7 +7,7 @@ resource "azurerm_storage_account" "velero" { count = var.velero_enabled ? 1 : 0 name = var.velero_storage_account_name resource_group_name = azurerm_resource_group.aks.name - location = azurerm_resource_group.velero[0].location + location = azurerm_resource_group.aks.location account_kind = "BlobStorage" account_tier = "Standard" account_replication_type = "LRS" diff --git a/terraform/velero_mi_auth.tf b/terraform/velero_mi_auth.tf index 1e2e610..595aa00 100644 --- a/terraform/velero_mi_auth.tf +++ b/terraform/velero_mi_auth.tf 
@@ -11,7 +11,7 @@ resource "azurerm_role_assignment" "velero_mi_velero_storage_rg" { count = var.velero_enabled ? 1 : 0 principal_id = azurerm_user_assigned_identity.velero[0].principal_id role_definition_name = "Contributor" - scope = azurerm_resource_group.velero[0].id + scope = azurerm_resource_group.aks.id } # assign velero MI contributor rights to velero storage RG From 45dbf0d896543a33685c764a81001d1d1f130631 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 2 Jun 2022 16:42:36 +0100 Subject: [PATCH 051/147] Function app cleanup --- terraform/files/function_app.zip | 1 - terraform/function_app.tf | 13 +++++-------- 2 files changed, 5 insertions(+), 9 deletions(-) delete mode 100644 terraform/files/function_app.zip diff --git a/terraform/files/function_app.zip b/terraform/files/function_app.zip deleted file mode 100644 index c128107..0000000 --- a/terraform/files/function_app.zip +++ /dev/null @@ -1 +0,0 @@ -# PLACEHOLDER so validate doesnt fail on missing file diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 2c66b91..c68042a 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -60,9 +60,9 @@ resource "azurerm_linux_function_app" "func_app" { service_plan_id = azurerm_service_plan.func_app.id storage_account_name = azurerm_storage_account.func_app.name storage_uses_managed_identity = true + enabled = true + https_only = true tags = var.tags - # enabled = true - # https_only = true identity { type = "SystemAssigned" 
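Review bot: Changing `scope` to `azurerm_resource_group.aks.id` gives the Velero managed identity `Contributor` over the resource group that, after the single-RG refactor earlier in this series, also holds the AKS cluster, the function app, its storage account and Application Insights, while the comment at the end of the hunk still says the grant is for the velero storage RG. That is a large privilege expansion for a backup identity: a compromised Velero pod could now modify or delete every one of those resources. Scope the assignment to the storage account instead, `scope = azurerm_storage_account.velero[0].id`, or better replace `Contributor` with `Storage Blob Data Contributor` on that account, and keep any snapshot-related `Contributor` grant on the node resource group only.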
@@ -79,12 +79,9 @@ resource "azurerm_linux_function_app" "func_app" { # https://docs.microsoft.com/en-us/azure/azure-functions/functions-app-settings app_settings = { - # "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.appinsights.instrumentation_key - # "FUNCTIONS_WORKER_RUNTIME_VERSION" = "~7" - # "FUNCTIONS_WORKER_RUNTIME" = "powershell" - # "FUNCTION_APP_EDIT_MODE" = "readonly" - # "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) - # "WEBSITE_RUN_FROM_PACKAGE" = "https://${azurerm_storage_account.func_app.name}.blob.core.windows.net/${azurerm_storage_container.func_app.name}/${azurerm_storage_blob.func_app.name}${data.azurerm_storage_account_sas.func_app.sas}" + # The Function app will only use the code in the blob if the computed hash matches the hash you specify in the app settings. The computed hash takes the SHA256 hash of the file and then base64 encodes it + # "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) + "FUNCTION_APP_EDIT_MODE" = "readwrite" "WEBSITE_RUN_FROM_PACKAGE" = azurerm_storage_blob.func_app.url "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" From c51c0d5ae64a313d9d1d7613471e8301ae720add Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 2 Jun 2022 16:57:24 +0100 Subject: [PATCH 052/147] Added tfsec --- .github/workflows/build.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1fc1698..a493ce8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
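Review bot: `"FUNCTION_APP_EDIT_MODE" = "readwrite"` replaces the previous `readonly` with no explanation and works against `WEBSITE_RUN_FROM_PACKAGE`: the app runs from an immutable zip, so enabling portal editing only invites changes that Terraform overwrites on the next apply and weakens the property that code arrives only via the reviewed package. Keep `"FUNCTION_APP_EDIT_MODE" = "readonly"` (or drop the setting, since run-from-package presumably already makes wwwroot read-only). The new comment about `HASH` describes a mechanism this hunk no longer uses; delete it together with the commented-out line, or reword it to say the blob name now carries the hash so a separate setting is unnecessary.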
@@ -129,8 +129,9 @@ jobs: HELM_CHART_REPO_DEPLOY_PRIVATE_KEY: ${{ secrets.HELM_CHART_REPO_DEPLOY_PRIVATE_KEY }} IFTTT_WEBHOOK_KEY: ${{ secrets.IFTTT_WEBHOOK_KEY }} - - name: Create zip file of Function App - run: pwsh -command "./function_app/CreateFunctionAppZip.ps1" + # TODO: investigate impact of removing this + # - name: Create zip file of Function App + # run: pwsh -command "./function_app/CreateFunctionAppZip.ps1" # Terraform - uses: hashicorp/setup-terraform@v1 @@ -143,6 +144,13 @@ jobs: terraform validate working-directory: ${{ env.TF_WORKING_DIR }} + - name: tfsec + uses: aquasecurity/tfsec-action@v1.0.0 + with: + working_directory: ${{ env.TF_WORKING_DIR }} + soft_fail: true + + # TODO: investigate impact of removing this - name: Terraform Lint run: ./scripts/tflint.sh env: From 123b0fdaf2c66f86bd9160a91732547c4fa7ebc2 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 2 Jun 2022 18:03:09 +0100 Subject: [PATCH 053/147] Removed Create zip file step --- .github/workflows/destroy.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 31aad05..22ac3b9 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -113,8 +113,9 @@ jobs: env: IFTTT_WEBHOOK_KEY: ${{ secrets.IFTTT_WEBHOOK_KEY }} - - name: Create zip file of Function App - run: pwsh -command "./function_app/CreateFunctionAppZip.ps1" + # TODO remove + # - name: Create zip file of Function App + # run: pwsh -command "./function_app/CreateFunctionAppZip.ps1" # Terraform - uses: hashicorp/setup-terraform@v1 From 69fd8cf8392d27315a3af35c8976423fd197b8a9 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 3 Jun 2022 08:07:01 +0100 Subject: [PATCH 054/147] Bumped terraform providers and helm charts --- terraform/helm/argocd_default_values.yaml | 50 ++++++++++++++++++++++- terraform/variables.tf | 3 +- terraform/versions.tf | 7 +--- 3 files changed, 52 insertions(+), 8 deletions(-) 
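Review bot: `uses: aquasecurity/tfsec-action@v1.0.0` pins a mutable tag rather than a commit, so the scanner, which runs inside a job holding the repository checkout and whatever secrets are exported to its environment, can change underneath you if the tag is moved; pin third-party actions to a full commit SHA with the version in a trailing comment (the existing `hashicorp/setup-terraform@v1` has the same weakness). `soft_fail: true` also means no finding can ever fail the build, so the step is purely informational. That is reasonable while the backlog is cleared (later commits in this series fix several findings), but add `# TODO: set soft_fail: false once the baseline is clean` beside it so the gate does not stay advisory forever.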
diff --git a/terraform/helm/argocd_default_values.yaml b/terraform/helm/argocd_default_values.yaml index 64f0945..230adb0 100644 --- a/terraform/helm/argocd_default_values.yaml +++ b/terraform/helm/argocd_default_values.yaml @@ -1,4 +1,4 @@ -# https://github.com/argoproj/argo-helm/blob/argo-cd-4.6.5/charts/argo-cd/values.yaml +# https://github.com/argoproj/argo-helm/blob/argo-cd-4.8.2/charts/argo-cd/values.yaml ## Argo CD configuration ## Ref: https://github.com/argoproj/argo-cd @@ -363,6 +363,9 @@ controller: # minAvailable: 1 # maxUnavailable: 0 + # -- Secrets with credentials to pull images from a private registry + imagePullSecrets: [] + ## Dex dex: # -- Enable dex @@ -578,6 +581,9 @@ dex: # minAvailable: 1 # maxUnavailable: 0 + # -- Secrets with credentials to pull images from a private registry + imagePullSecrets: [] + ## Redis redis: # -- Enable redis @@ -766,6 +772,9 @@ redis: # minAvailable: 1 # maxUnavailable: 0 + # -- Secrets with credentials to pull images from a private registry + imagePullSecrets: [] + # This key configures Redis-HA subchart and when enabled (redis-ha.enabled=true) # the custom redis deployment is omitted # Check the redis-ha chart for more properties @@ -775,6 +784,12 @@ redis-ha: exporter: # -- If `true`, the prometheus exporter sidecar is enabled enabled: true + # -- Exporter image + # @default -- `nil` (follows subchart default) + image: ~ + # -- Exporter tag + # @default -- `nil` (follows subchart default) + tag: ~ persistentVolume: # -- Configures persistency on Redis nodes enabled: false 
@@ -785,17 +800,42 @@ redis-ha: # @default -- See [values.yaml] config: # -- Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled + # @default -- `'""'` save: '""' haproxy: # -- Enabled HAProxy LoadBalancing/Proxy enabled: true + image: + # -- HAProxy Image Repository + # @default -- `nil` (follows subchart default) + repository: ~ + # -- HAProxy Image Tag + # @default -- `nil` (follows subchart default) + tag: ~ metrics: # -- HAProxy enable prometheus metric scraping enabled: true image: + # -- Redis image repository + # @default -- `nil` (follows subchart default) + repository: ~ # -- Redis tag tag: 6.2.6-alpine + ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: + # -- Enable Redis HA topology spread constraints + enabled: false + # -- Max skew of pods tolerated + # @default -- `""` (defaults to `1`) + maxSkew: "" + # -- Topology key for spread + # @default -- `""` (defaults to `topology.kubernetes.io/zone`) + topologyKey: "" + # -- Enforcement policy, hard or soft + # @default -- `""` (defaults to `ScheduleAnyway`) + whenUnsatisfiable: "" + # External Redis parameters externalRedis: # -- External Redis server host @@ -1441,6 +1481,9 @@ server: # minAvailable: 1 # maxUnavailable: 0 + # -- Secrets with credentials to pull images from a private registry + imagePullSecrets: [] + ## Repo Server repoServer: # -- Repo server name @@ -1696,6 +1739,9 @@ repoServer: # minAvailable: 1 # maxUnavailable: 0 + # -- Secrets with credentials to pull images from a private registry + imagePullSecrets: [] + ## Argo Configs configs: # -- Provide one or multiple [external cluster credentials] 
@@ -2189,6 +2235,8 @@ notifications: # -- Set the logging level. (One of: `debug`, `info`, `warn`, `error`) logLevel: info + # -- Application controller log format. Either `text` or `json` + logFormat: text # -- Extra arguments to provide to the controller extraArgs: [] diff --git a/terraform/variables.tf b/terraform/variables.tf index bb53cfe..9fe5c7f 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,6 +1,5 @@ # Variables - #region Versions # version used for both main AKS API service, and default node pool # https://github.com/Azure/AKS/releases @@ -95,7 +94,7 @@ variable "kured_image_tag" { # helm search repo -l argo/argo-cd | head -n 20 # * also update terraform/helm/argocd_default_values.yaml variable "argocd_chart_version" { - default = "4.6.5" + default = "4.8.2" } # https://hub.docker.com/r/argoproj/argocd/tags diff --git a/terraform/versions.tf b/terraform/versions.tf index 1ee97e2..33861f4 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -1,9 +1,5 @@ terraform { - # https://www.terraform.io/docs/language/expressions/references.html#sensitive-resource-attributes - # TODO: this currently makes builds fail intermittently - # experiments = [provider_sensitive_attrs] - # https://github.com/hashicorp/terraform/releases # https://github.com/hashicorp/terraform/blob/main/CHANGELOG.md required_version = ">= 1.0" @@ -23,7 +19,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 3.8.0" + version = "~> 3.9.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases @@ -85,6 +81,7 @@ provider "azurerm" { # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/features-block features { resource_group { + # required to cleanup velero snapshot(s) from resource group prevent_deletion_if_contains_resources = false } } From ff168ad934362f3f439aade060072920ee28860f Mon Sep 17 00:00:00 2001 
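Review bot: `prevent_deletion_if_contains_resources = false` in the azurerm `features` block switches off the provider's not-empty guard for every resource group this configuration manages, not only the one that ends up holding Velero snapshots, so a mis-targeted destroy or a plan that replaces a resource group removes whatever is inside it. The new comment should state that scope, e.g. `# disables the provider's RG-not-empty guard for all resource groups; needed so destroy can remove velero snapshots left behind`, and deleting the snapshots explicitly in the destroy workflow would let the guard stay on. The enclosing `provider "azurerm"` block starts outside the hunk.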
From: Adam Rush Date: Fri, 3 Jun 2022 08:40:25 +0100 Subject: [PATCH 055/147] Fixed tfsec warnings --- terraform/examples/function-app/main.tf | 7 +++++++ terraform/function_app.tf | 1 + terraform/variables.tf | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/terraform/examples/function-app/main.tf b/terraform/examples/function-app/main.tf index 5ca3daa..aa49929 100644 --- a/terraform/examples/function-app/main.tf +++ b/terraform/examples/function-app/main.tf @@ -41,6 +41,7 @@ resource "azurerm_storage_account" "example" { location = azurerm_resource_group.example.location account_tier = "Standard" account_replication_type = "LRS" + min_tls_version = "TLS1_2" } resource "azurerm_storage_container" "example" { @@ -98,6 +99,12 @@ resource "azurerm_linux_function_app" "example" { "WEBSITE_RUN_FROM_PACKAGE" = azurerm_storage_blob.example.url } + lifecycle { + # required to ignore the auto-generated "hidden-link:" tags + ignore_changes = [ + tags + ] + } } resource "azurerm_role_assignment" "example" { diff --git a/terraform/function_app.tf b/terraform/function_app.tf index c68042a..46c805d 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -8,6 +8,7 @@ resource "azurerm_storage_account" "func_app" { account_tier = "Standard" account_replication_type = "LRS" allow_nested_items_to_be_public = false + min_tls_version = "TLS1_2" tags = var.tags } diff --git a/terraform/variables.tf b/terraform/variables.tf index 9fe5c7f..8a7c0fb 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -173,7 +173,7 @@ variable "sla_sku" { variable "aks_container_insights_enabled" { description = "Should Container Insights monitoring be enabled" - default = false + default = true } variable "aks_config_path" { From d91845d3e8bbe98f1ca64265d025e11bae5e6e4d Mon Sep 17 00:00:00 2001 
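Review bot: The example storage account in the first hunk gains `min_tls_version = "TLS1_2"` but still lacks `allow_nested_items_to_be_public = false`, which the `func_app` account in the next hunk already sets; examples get copied as templates, so add the same line there to keep anonymous blob and container access off. The `aks_container_insights_enabled` default flipping to `true` in the last hunk changes what a plain `terraform apply` deploys rather than fixing a lint warning, and deserves a sentence in the commit message or the variable's `description`.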
From: Adam Rush Date: Fri, 3 Jun 2022 09:04:54 +0100 Subject: [PATCH 056/147] Fixed LAW SKU --- terraform/aks.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index 7c0f8cc..18ed0a9 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -24,7 +24,7 @@ resource "azurerm_log_analytics_workspace" "aks" { name = var.log_analytics_workspace_name location = azurerm_resource_group.aks.location resource_group_name = azurerm_resource_group.aks.name - sku = "Free" + sku = "PerGB2018" retention_in_days = 7 tags = var.tags From 5f1d8b4108374aea28eb0f956cf9a4655e7618ea Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 3 Jun 2022 09:30:05 +0100 Subject: [PATCH 057/147] Fixed LAW retention_in_days --- terraform/aks.tf | 14 +------------- terraform/velero.tf | 10 ++-------- 2 files changed, 3 insertions(+), 21 deletions(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index 18ed0a9..1e805c8 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -8,12 +8,6 @@ resource "azurerm_resource_group" "aks" { name = var.azure_resourcegroup_name location = var.location tags = var.tags - - lifecycle { - ignore_changes = [ - tags - ] - } } # Log Analytics @@ -25,14 +19,8 @@ resource "azurerm_log_analytics_workspace" "aks" { location = azurerm_resource_group.aks.location resource_group_name = azurerm_resource_group.aks.name sku = "PerGB2018" - retention_in_days = 7 + retention_in_days = 30 tags = var.tags - - lifecycle { - ignore_changes = [ - tags - ] - } } resource "azurerm_log_analytics_solution" "aks" { diff --git a/terraform/velero.tf b/terraform/velero.tf index 17214be..6be5357 100644 --- a/terraform/velero.tf +++ b/terraform/velero.tf 
@@ -12,14 +12,8 @@ resource "azurerm_storage_account" "velero" { account_tier = "Standard" account_replication_type = "LRS" enable_https_traffic_only = true - - tags = var.tags - - lifecycle { - ignore_changes = [ - tags - ] - } + min_tls_version = "TLS1_2" + tags = var.tags } resource "azurerm_storage_container" "velero" { From ca00bb46551f9005010949a22b20ca51072645e4 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 3 Jun 2022 09:50:17 +0100 Subject: [PATCH 058/147] Added azurerm_log_analytics_workspace to app insights --- terraform/function_app.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 46c805d..52ad303 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -44,11 +44,13 @@ resource "azurerm_service_plan" "func_app" { } # Application Insights used for logs and monitoring +# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_insights resource "azurerm_application_insights" "appinsights" { name = "${var.prefix}-funcapp" location = var.location resource_group_name = azurerm_resource_group.aks.name application_type = "web" + workspace_id = azurerm_log_analytics_workspace.aks[0].id tags = var.tags } From 3a4e630c3c074596db2205567ca0f77b93c55378 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 3 Jun 2022 10:10:07 +0100 Subject: [PATCH 059/147] Changed aks policy to enabled --- terraform/aks.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index 1e805c8..553d972 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -50,7 +50,7 @@ module "aks" { name = var.azurerm_kubernetes_cluster_name sla_sku = var.sla_sku aad_auth_enabled = true - azure_policy_enabled = false + azure_policy_enabled = true tags = var.tags # override defaults From 05fb566f9de64306d06c6abcd1b86f3b717de28b Mon Sep 17 00:00:00 2001 
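Review bot: `workspace_id = azurerm_log_analytics_workspace.aks[0].id` hard-codes index 0, which implies the workspace is created with `count`; if that count can be 0 (the `aks_container_insights_enabled` variable seen earlier in this series looks like the switch), the reference fails at plan time instead of yielding an App Insights resource without a workspace. Either give `azurerm_application_insights.appinsights` the same `count` condition or use `one(azurerm_log_analytics_workspace.aks[*].id)`, and note the coupling in the comment above the resource. The enclosing resource block continues outside the hunk.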
From: Adam Rush Date: Fri, 3 Jun 2022 10:16:54 +0100 Subject: [PATCH 060/147] Removed app setting --- terraform/function_app.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 52ad303..ee8f28b 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -84,7 +84,6 @@ resource "azurerm_linux_function_app" "func_app" { app_settings = { # The Function app will only use the code in the blob if the computed hash matches the hash you specify in the app settings. The computed hash takes the SHA256 hash of the file and then base64 encodes it # "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) - "FUNCTION_APP_EDIT_MODE" = "readwrite" "WEBSITE_RUN_FROM_PACKAGE" = azurerm_storage_blob.func_app.url "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" From 0e10647ce500e695764f8d5e724dc564d12df626 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 3 Jun 2022 10:24:27 +0100 Subject: [PATCH 061/147] Added ignore_changes to function app for hidden-link tags --- terraform/function_app.tf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index ee8f28b..b78e480 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -88,6 +88,13 @@ resource "azurerm_linux_function_app" "func_app" { "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" } + + lifecycle { + # required to ignore the auto-generated "hidden-link:" tags + ignore_changes = [ + tags + ] + } } # Give Function App access to function zip blob From 0b5cbd1a6c3aa5310d288395defb50e6453ecfbd Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 3 Jun 2022 10:45:35 +0100 Subject: [PATCH 062/147] Added Checkov action --- .github/workflows/build.yml | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a493ce8..07bdb1a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -150,13 +150,28 @@ jobs: working_directory: ${{ env.TF_WORKING_DIR }} soft_fail: true + - name: Run Checkov action + id: checkov + uses: bridgecrewio/checkov-action@master + with: + directory: ${{ env.TF_WORKING_DIR }} + # check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list + # skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list + quiet: true # optional: display only failed checks + soft_fail: true # optional: do not return an error code if there are failed checks + framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all} + output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif + download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry + # log_level: DEBUG # optional: set log level. Default WARNING + # config_file: path/this_file + # TODO: investigate impact of removing this - - name: Terraform Lint - run: ./scripts/tflint.sh - env: - TF_WORKING_DIR: ${{ env.TF_WORKING_DIR }} - TFLINT_RULESET_AZURERM_VERSION: ${{ env.TFLINT_RULESET_AZURERM_VERSION }} - TFLINT_VERSION: ${{ env.TFLINT_VERSION }} + # - name: Terraform Lint + # run: ./scripts/tflint.sh + # env: + # TF_WORKING_DIR: ${{ env.TF_WORKING_DIR }} + # TFLINT_RULESET_AZURERM_VERSION: ${{ env.TFLINT_RULESET_AZURERM_VERSION }} + # TFLINT_VERSION: ${{ env.TFLINT_VERSION }} - name: 👀 Terraform Plan id: plan From 08f27647efcd201da0b93c8754e7bc39cf3e4b8d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 3 Jun 2022 10:51:59 +0100 Subject: [PATCH 063/147] Bupmed AKS module to v1.1.0 --- terraform/aks.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
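Review bot: `uses: bridgecrewio/checkov-action@master` executes whatever is on the action's default branch at each build, with the repository's Azure credentials present in the job environment, so an upstream compromise or breaking commit reaches this pipeline unreviewed; pin it to a release tag or, better, a full commit SHA, e.g. `uses: bridgecrewio/checkov-action@<release-tag-or-commit-sha>`. With `soft_fail: true` the findings never gate the build, and although `output_format: sarif` is set no upload step is visible in this hunk, so unless one exists elsewhere the SARIF is discarded and results live only in the job log; uploading it to code scanning, or dropping `soft_fail` once the baseline is clean, would make the scan actionable. `download_external_modules: true` also fetches third-party modules from public git and the registry at scan time, which is worth a comment confirming it is intentional.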
diff --git a/terraform/aks.tf b/terraform/aks.tf index 553d972..0f5d8dd 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -42,7 +42,7 @@ resource "azurerm_log_analytics_solution" "aks" { # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest module "aks" { source = "adamrushuk/aks/azurerm" - version = "~> 1.0.0" + version = "~> 1.1.0" kubernetes_version = var.kubernetes_version location = azurerm_resource_group.aks.location From 7dd123b701eea61240915467a9ae28db501c855a Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 3 Jun 2022 11:13:19 +0100 Subject: [PATCH 064/147] Changed build comments --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 07bdb1a..c1c63db 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -144,13 +144,13 @@ jobs: terraform validate working-directory: ${{ env.TF_WORKING_DIR }} - - name: tfsec + - name: Run tfsec security scan uses: aquasecurity/tfsec-action@v1.0.0 with: working_directory: ${{ env.TF_WORKING_DIR }} soft_fail: true - - name: Run Checkov action + - name: Run Checkov security scan id: checkov uses: bridgecrewio/checkov-action@master with: From 2aba2bf577fc88a4ae209b5144ccb3e71bd0694a Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 09:39:46 +0100 Subject: [PATCH 065/147] Fixed checkov checks - added some skip codes --- .github/workflows/build.yml | 3 ++- terraform/examples/function-app/main.tf | 18 ++++++++++-------- terraform/function_app.tf | 1 + 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c1c63db..7e48378 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -156,7 +156,8 @@ jobs: with: directory: ${{ env.TF_WORKING_DIR }} # check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list - # skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list + # optional: skip a specific check_id. can be comma separated list + skip_check: CKV2_AZURE_1,CKV_AZURE_4,CKV_AZURE_6,CKV2_AZURE_21,CKV_AZURE_33,CKV_AZURE_35,CKV_AZURE_117,CKV_AZURE_141 quiet: true # optional: display only failed checks soft_fail: true # optional: do not return an error code if there are failed checks framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all} diff --git a/terraform/examples/function-app/main.tf b/terraform/examples/function-app/main.tf index aa49929..ba78411 100644 --- a/terraform/examples/function-app/main.tf +++ b/terraform/examples/function-app/main.tf @@ -36,17 +36,19 @@ resource "azurerm_resource_group" "example" { } resource "azurerm_storage_account" "example" { - name = local.storage_account_name - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - account_tier = "Standard" - account_replication_type = "LRS" - min_tls_version = "TLS1_2" + name = local.storage_account_name + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" + enable_https_traffic_only = true + min_tls_version = "TLS1_2" } resource "azurerm_storage_container" "example" { - name = local.storage_container_name - storage_account_name = azurerm_storage_account.example.name + name = local.storage_container_name + storage_account_name = azurerm_storage_account.example.name + container_access_type = "private" } data "archive_file" "example" { diff --git a/terraform/function_app.tf b/terraform/function_app.tf index b78e480..4e9c5d0 100644 --- a/terraform/function_app.tf 
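Review bot: The `skip_check` line silences eight Azure checks without recording why each one is acceptable, which makes the list hard to audit and easy to grow. Record a one-line reason per ID, either in a comment block above the line or in a `.checkov.yaml` referenced through the `config_file` option the hunk already mentions, and re-run without the skips after the storage hardening in this same commit lands, since some of the suppressed findings may now pass.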
+++ b/terraform/function_app.tf @@ -8,6 +8,7 @@ resource "azurerm_storage_account" "func_app" { account_tier = "Standard" account_replication_type = "LRS" allow_nested_items_to_be_public = false + enable_https_traffic_only = true min_tls_version = "TLS1_2" tags = var.tags } From a451a18e633ed285d5817dfd95253e21392837a7 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 09:56:42 +0100 Subject: [PATCH 066/147] Removed velero rg --- .github/workflows/build.yml | 5 ----- .github/workflows/destroy.yml | 1 - terraform/variables.tf | 4 ---- 3 files changed, 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7e48378..cf04a47 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -103,7 +103,6 @@ jobs: echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV - echo "VELERO_STORAGE_RG=${{ env.PREFIX }}-rg-velero-dev-001" >> $GITHUB_ENV # Login - name: Login to Azure @@ -129,10 +128,6 @@ jobs: HELM_CHART_REPO_DEPLOY_PRIVATE_KEY: ${{ secrets.HELM_CHART_REPO_DEPLOY_PRIVATE_KEY }} IFTTT_WEBHOOK_KEY: ${{ secrets.IFTTT_WEBHOOK_KEY }} - # TODO: investigate impact of removing this - # - name: Create zip file of Function App - # run: pwsh -command "./function_app/CreateFunctionAppZip.ps1" - # Terraform - uses: hashicorp/setup-terraform@v1 with: diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 22ac3b9..b6a63b9 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml 
@@ -93,7 +93,6 @@ jobs: echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV - echo "VELERO_STORAGE_RG=${{ env.PREFIX }}-rg-velero-dev-001" >> $GITHUB_ENV # Login - name: Login to Azure diff --git a/terraform/variables.tf b/terraform/variables.tf index 8a7c0fb..d1fe860 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -241,10 +241,6 @@ variable "velero_enabled" { default = "__VELERO_ENABLED__" } -variable "velero_resource_group_name" { - default = "__VELERO_STORAGE_RG__" -} - variable "velero_storage_account_name" { default = "__VELERO_STORAGE_ACCOUNT__" } From c9c0bd8b1dfc1d1bb33d9d5a6e15b279fc1934c5 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 10:06:00 +0100 Subject: [PATCH 067/147] Added checkov skip check --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cf04a47..965b6a0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -152,7 +152,7 @@ jobs: directory: ${{ env.TF_WORKING_DIR }} # check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list # optional: skip a specific check_id. can be comma separated list - skip_check: CKV2_AZURE_1,CKV_AZURE_4,CKV_AZURE_6,CKV2_AZURE_21,CKV_AZURE_33,CKV_AZURE_35,CKV_AZURE_117,CKV_AZURE_141 + skip_check: CKV2_AZURE_1,CKV_AZURE_4,CKV_AZURE_6,CKV2_AZURE_8,CKV2_AZURE_21,CKV_AZURE_33,CKV_AZURE_35,CKV_AZURE_117,CKV_AZURE_141 quiet: true # optional: display only failed checks soft_fail: true # optional: do not return an error code if there are failed checks framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all} From 2b6a876fae902938f32ebd99e4d5b1eeb5df2320 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Sat, 4 Jun 2022 10:32:46 +0100 Subject: [PATCH 068/147] Changed slack message --- .github/workflows/TriggerCustomAction.ps1 | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- .github/workflows/start_aks_cluster.yml | 2 +- .github/workflows/stop_aks_cluster.yml | 2 +- .github/workflows/test.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/TriggerCustomAction.ps1 b/.github/workflows/TriggerCustomAction.ps1 index 91d16fe..3c11c1f 100644 --- a/.github/workflows/TriggerCustomAction.ps1 +++ b/.github/workflows/TriggerCustomAction.ps1 @@ -34,7 +34,7 @@ param( $GithubUserName = "adamrushuk", - $GithubRepo = "aks-nexus-velero", + $GithubRepo = "devops-lab", [ValidateSet("test", "build", "deallocate_vmss", "start_vmss", "destroy")] $CustomEventAction = "test" diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 965b6a0..0b1e077 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -245,7 +245,7 @@ jobs: env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Build complete" + run: ./scripts/send_slack_message.sh "[devops-lab] Build complete" # used for any windows-only tasks test-windows: diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index b6a63b9..f3f4f38 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -144,4 +144,4 @@ jobs: env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Destroy complete" + run: ./scripts/send_slack_message.sh "[devops-lab] Destroy complete" diff --git a/.github/workflows/start_aks_cluster.yml b/.github/workflows/start_aks_cluster.yml index 20f17a4..b6fbedd 100644 --- a/.github/workflows/start_aks_cluster.yml 
+++ b/.github/workflows/start_aks_cluster.yml @@ -61,4 +61,4 @@ jobs: env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Start AKS Cluster complete" + run: ./scripts/send_slack_message.sh "[devops-lab] Start AKS Cluster complete" diff --git a/.github/workflows/stop_aks_cluster.yml b/.github/workflows/stop_aks_cluster.yml index 152263c..a77fc80 100644 --- a/.github/workflows/stop_aks_cluster.yml +++ b/.github/workflows/stop_aks_cluster.yml @@ -61,4 +61,4 @@ jobs: env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Stop AKS Cluster complete" + run: ./scripts/send_slack_message.sh "[devops-lab] Stop AKS Cluster complete" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 50fbd01..489b025 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -87,4 +87,4 @@ jobs: env: SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message.sh "[aks-nexus-velero] Test notification" + run: ./scripts/send_slack_message.sh "[devops-lab] Test notification" From 2ee223017e9cd3720ea4e454a2c46daa9a8b979b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 10:32:57 +0100 Subject: [PATCH 069/147] Added manual cleanup workflow --- .github/workflows/cleanup-resource-groups.yml | 63 +++++++++++++++++++ scripts/cleanup.ps1 | 18 ++++++ 2 files changed, 81 insertions(+) create mode 100644 .github/workflows/cleanup-resource-groups.yml create mode 100644 scripts/cleanup.ps1 diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml new file mode 100644 index 0000000..9de337b --- /dev/null +++ b/.github/workflows/cleanup-resource-groups.yml 
@@ -0,0 +1,63 @@ +# cleanup - (useful after failed build/destroy workflows) +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + +# https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions +name: cleanup + +# name of GitHub event that triggers workflow +# https://help.github.com/en/actions/reference/events-that-trigger-workflows#watch-event-watch +on: + # trigger via webhook + # https://github.com/adamrushuk/devops-lab/blob/master/TriggerCustomAction.ps1#L28 + repository_dispatch: + types: [cleanup] + + # enable manual workflow + # https://docs.github.com/en/actions/configuring-and-managing-workflows/configuring-a-workflow#manually-running-a-workflow + workflow_dispatch: + inputs: {} + +# global environment variables +# https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables +env: + # prefix: used for some globally unique name requirements + PREFIX: arshz + # azure creds + ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} + +jobs: + cleanup: + + # always pin versions + # view installed software: https://help.github.com/en/actions/reference/software-installed-on-github-hosted-runners + runs-on: ubuntu-18.04 + + # only run if owner triggered action + if: github.actor == github.event.repository.owner.login + + steps: + # Checkout + # Reference the major version of a release + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-versioned-actions + - uses: actions/checkout@v2 + + # Login + - name: Login to Azure + run: | + chmod -R +x ./scripts/ + ./scripts/azure_login.sh + + # Cleanup + - name: Delete all resource groups + run: pwsh -command "./scripts/cleanup.ps1" + + # Notify + - name: Notify slack + continue-on-error: true + env: + SLACK_CHANNEL_ID: ${{ 
secrets.SLACK_CHANNEL_ID }} + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: ./scripts/send_slack_message.sh "[devops-lab] Cleanup complete" diff --git a/scripts/cleanup.ps1 b/scripts/cleanup.ps1 new file mode 100644 index 0000000..3e1bce8 --- /dev/null +++ b/scripts/cleanup.ps1 @@ -0,0 +1,18 @@ +# cleanup all resource groups +# useful after failed build/destroy workflows + +$taskMessage="Deleting all devops lab resource groups" +Write-Output "STARTED: $taskMessage..." + +Write-Output "Found these resource groups:" +$resourceGroupsToDelete = Get-AzResourceGroup -Name "$PREFIX*" +$resourceGroupsToDelete.ResourceGroupName + +Write-Output "Deleting 'AsJob' for async removal..." +$jobs = $resourceGroupsToDelete | Remove-AzResourceGroup -Force -AsJob + +Write-Output "Waiting for [$($jobs.Count)] jobs to finish..." +$jobs | Wait-Job +$jobs | Receive-Job -Keep + +Write-Output "FINISHED: $taskMessage." From e8e1c7f47521724a3649c358ca980d4300e64767 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 10:39:41 +0100 Subject: [PATCH 070/147] Removed tflint --- .github/workflows/build.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0b1e077..f25c2de 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -161,14 +161,6 @@ jobs: # log_level: DEBUG # optional: set log level. Default WARNING # config_file: path/this_file - # TODO: investigate impact of removing this - # - name: Terraform Lint - # run: ./scripts/tflint.sh - # env: - # TF_WORKING_DIR: ${{ env.TF_WORKING_DIR }} - # TFLINT_RULESET_AZURERM_VERSION: ${{ env.TFLINT_RULESET_AZURERM_VERSION }} - # TFLINT_VERSION: ${{ env.TFLINT_VERSION }} - - name: 👀 Terraform Plan id: plan run: terraform plan -out=${{ env.TF_PLAN }} From 8eb50721fc61c83076774ad4b454d2eefc89eafb Mon Sep 17 00:00:00 2001 
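Review bot: The cleanup job deletes every resource group under the prefix with only the `github.actor == github.event.repository.owner.login` condition between a trigger and the deletion; attaching a GitHub `environment:` with required reviewers to this job would add a confirmation step to a destructive, credential-bearing workflow. `uses: actions/checkout@v2` also floats on a major tag although the comment above `runs-on` says `always pin versions`; a full commit SHA is the form that comment asks for.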
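Review bot: `Get-AzResourceGroup -Name "$PREFIX*"` reads a PowerShell variable named `PREFIX`, not the `PREFIX` environment variable the workflow sets, so inside this script the variable is unset, the string expands to `*`, and every resource group in the subscription is queued for deletion. Read `$env:PREFIX` instead and refuse to run when it is empty, e.g. `$prefix = $env:PREFIX` followed by `if ([string]::IsNullOrWhiteSpace($prefix)) { throw 'PREFIX is not set' }`, then filter with `"$prefix*"`. Printing the matched names before `Remove-AzResourceGroup` is good; a `-WhatIf` run on the removal until the filter is confirmed would be safer still.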
From: Adam Rush Date: Sat, 4 Jun 2022 10:39:45 +0100 Subject: [PATCH 071/147] debug --- .github/workflows/cleanup-resource-groups.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml index 9de337b..ce51965 100644 --- a/.github/workflows/cleanup-resource-groups.yml +++ b/.github/workflows/cleanup-resource-groups.yml @@ -50,6 +50,10 @@ jobs: chmod -R +x ./scripts/ ./scripts/azure_login.sh + # Debug + - name: Debug + run: pwsh -command "Get-Module az* -ListAvailable" + # Cleanup - name: Delete all resource groups run: pwsh -command "./scripts/cleanup.ps1" From 3d0d2cfee79aa5febc69995b113592da8c82a6e1 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 10:45:21 +0100 Subject: [PATCH 072/147] Disabled func app PS7 update - only restarts --- scripts/Fix-FunctionApp.ps1 | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/scripts/Fix-FunctionApp.ps1 b/scripts/Fix-FunctionApp.ps1 index 2ce126f..ed400af 100644 --- a/scripts/Fix-FunctionApp.ps1 +++ b/scripts/Fix-FunctionApp.ps1 
@@ -1,19 +1,17 @@ # source: https://github.com/terraform-providers/terraform-provider-azurerm/issues/8867#issuecomment-849842849 -# Fixes PowerShell function app stack version to 7 +# Fixes PowerShell function app stack version to 7, and restarts -# Change function app to PS 7 -Write-Host 'Change function app to PS 7' $function = az functionapp show --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG | ConvertFrom-Json if ($function.siteConfig.powerShellVersion -ne "~7") { - Write-Host "Updating powershell version to ~7..." - az functionapp update --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG --set "siteConfig.powerShellVersion=~7" - - # Restart Function App - # az functionapp restart --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG + Write-Host "[NoOp] Updating powershell version to ~7..." + # az functionapp update --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG --set "siteConfig.powerShellVersion=~7" } else { Write-Host "Powershell version already set to to ~7" } +# Restart Function App +az functionapp restart --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG + Write-Host '' From 76e6c82a4631c71673c50bea773fb4d5b6ee70a5 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 10:51:25 +0100 Subject: [PATCH 073/147] Added az ps step for cleanup --- .github/workflows/cleanup-resource-groups.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml index ce51965..8436262 100644 --- a/.github/workflows/cleanup-resource-groups.yml +++ b/.github/workflows/cleanup-resource-groups.yml 
@@ -50,13 +50,19 @@ jobs: chmod -R +x ./scripts/ ./scripts/azure_login.sh - # Debug - - name: Debug - run: pwsh -command "Get-Module az* -ListAvailable" + # # Debug + # - name: Debug + # run: pwsh -command "Get-Module az* -ListAvailable" + + # # Cleanup + # - name: Delete all resource groups + # run: pwsh -command "./scripts/cleanup.ps1" - # Cleanup - name: Delete all resource groups - run: pwsh -command "./scripts/cleanup.ps1" + uses: azure/powershell@v1 + with: + inlineScript: | + ./scripts/cleanup.ps1 # Notify - name: Notify slack From 9c802725c5b15d80740769b964a73eaf8e4bea2d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 10:54:37 +0100 Subject: [PATCH 074/147] Added missing azPSVersion arg --- .github/workflows/cleanup-resource-groups.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml index 8436262..7b794a4 100644 --- a/.github/workflows/cleanup-resource-groups.yml +++ b/.github/workflows/cleanup-resource-groups.yml @@ -61,6 +61,7 @@ jobs: - name: Delete all resource groups uses: azure/powershell@v1 with: + azPSVersion: "latest" inlineScript: | ./scripts/cleanup.ps1 From ce32453cdc6ec4e84089b325814b3fb3a5e1a33e Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 11:02:55 +0100 Subject: [PATCH 075/147] Added function app fix script step --- .github/workflows/build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f25c2de..05a0f87 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
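Review bot: The old Debug step and the `pwsh -command` cleanup step are left behind as commented-out text next to the new `azure/powershell@v1` step, which is dead weight now that the replacement works; delete them rather than keep two versions of the step in the file.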
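Review bot: `azPSVersion: "latest"` makes the cleanup step resolve a different Az module set on every run, which is non-reproducible and contrary to the file's own `always pin versions` note; pin it, e.g. `azPSVersion: "<pinned-Az-version>"`, and bump it deliberately.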
@@ -200,11 +200,11 @@ jobs: run: ./scripts/push_docker_images.sh # TODO: Remove once issue has been fixed - # - name: Fix Function App version - # run: pwsh -command "./scripts/Fix-FunctionApp.ps1" - # env: - # FUNCTION_APP_NAME: "${{ env.PREFIX }}-funcapp" - # FUNCTION_APP_RG: "${{ env.PREFIX }}-rg-function-app" + - name: Fix Function App version + run: pwsh -command "./scripts/Fix-FunctionApp.ps1" + env: + FUNCTION_APP_NAME: "${{ env.PREFIX }}-funcapp" + FUNCTION_APP_RG: "${{ env.PREFIX }}-rg-function-app" # Pester tests - name: 🧪 Run Pester tests From c3fe1f7e514aec14240990d549880904c3b78534 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 11:04:06 +0100 Subject: [PATCH 076/147] Added login step --- scripts/cleanup.ps1 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/cleanup.ps1 b/scripts/cleanup.ps1 index 3e1bce8..7e756be 100644 --- a/scripts/cleanup.ps1 +++ b/scripts/cleanup.ps1 @@ -1,6 +1,10 @@ # cleanup all resource groups # useful after failed build/destroy workflows +Write-Output "Authenticating PowerShell sessions using env vars..." +$servicePrincipleCredential = [pscredential]::new($env:ARM_CLIENT_ID, (ConvertTo-SecureString $env:ARM_CLIENT_SECRET -AsPlainText -Force)) +Connect-AzAccount -ServicePrincipal -Tenant $env:ARM_TENANT_ID -Credential $servicePrincipleCredential -Subscription $env:ARM_SUBSCRIPTION_ID -Verbose + $taskMessage="Deleting all devops lab resource groups" Write-Output "STARTED: $taskMessage..." From 9f19c54bf2b437ee71c58775edd486474aa489cc Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 11:07:52 +0100 Subject: [PATCH 077/147] Fixed func app rg name --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 05a0f87..dc0c03f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
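Review bot: The script sets no `$ErrorActionPreference`, so if `Connect-AzAccount` fails (wrong tenant, expired secret) the error is written and execution continues into the lookup and the `Remove-AzResourceGroup -AsJob` pipeline; make `$ErrorActionPreference = 'Stop'` the first statement so a failed login aborts before anything destructive runs. `-Verbose` on `Connect-AzAccount` also prints the account, tenant and subscription context into the job log, which is not secret but is more than the workflow needs; drop it unless debugging.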
@@ -204,7 +204,7 @@ jobs: run: pwsh -command "./scripts/Fix-FunctionApp.ps1" env: FUNCTION_APP_NAME: "${{ env.PREFIX }}-funcapp" - FUNCTION_APP_RG: "${{ env.PREFIX }}-rg-function-app" + FUNCTION_APP_RG: "${{ env.PREFIX }}-rg-aks-dev-001" # Pester tests - name: 🧪 Run Pester tests From f01667a732b7d986ae5940abd97e41ceb48b2be6 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 11:15:32 +0100 Subject: [PATCH 078/147] Added comments --- scripts/Fix-FunctionApp.ps1 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/Fix-FunctionApp.ps1 b/scripts/Fix-FunctionApp.ps1 index ed400af..54c4363 100644 --- a/scripts/Fix-FunctionApp.ps1 +++ b/scripts/Fix-FunctionApp.ps1 @@ -4,6 +4,7 @@ $function = az functionapp show --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG | ConvertFrom-Json +# TODO: I dont think this is required anymore as I use application_stack > powershell_core_version if ($function.siteConfig.powerShellVersion -ne "~7") { Write-Host "[NoOp] Updating powershell version to ~7..." # az functionapp update --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG --set "siteConfig.powerShellVersion=~7" @@ -12,6 +13,7 @@ if ($function.siteConfig.powerShellVersion -ne "~7") { } # Restart Function App +Write-Host "Restarting function app [$($env:FUNCTION_APP_NAME)]..." az functionapp restart --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG -Write-Host '' +Write-Host 'FINISHED.' From 8a4b832819b57df1c4217bd083995e1df5eb0b74 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 11:43:22 +0100 Subject: [PATCH 079/147] Testing cleanup --- .github/workflows/cleanup-resource-groups.yml | 2 +- scripts/cleanup.ps1 | 11 +++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml index 7b794a4..ff63f62 100644 --- a/.github/workflows/cleanup-resource-groups.yml 
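Review bot: In the second Fix-FunctionApp.ps1 hunk the `az functionapp restart` call is followed by `Write-Host 'FINISHED.'` with no check of `$LASTEXITCODE`, so a failed restart (wrong resource group, expired session) still logs FINISHED and the calling workflow step goes green; add `if ($LASTEXITCODE -ne 0) { throw "Function app restart failed for [$($env:FUNCTION_APP_NAME)]" }` directly after the restart line. The first hunk's `# TODO: I dont think this is required anymore` would be more useful stating what to verify, e.g. `# TODO: confirm application_stack.powershell_core_version makes this check redundant, then remove the block`. The `if` block that comment annotates continues past the first hunk.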
+++ b/.github/workflows/cleanup-resource-groups.yml @@ -63,7 +63,7 @@ jobs: with: azPSVersion: "latest" inlineScript: | - ./scripts/cleanup.ps1 + ./scripts/cleanup.ps1 -ResourceGroupPrefix "${{ env.PREFIX }}" # Notify - name: Notify slack diff --git a/scripts/cleanup.ps1 b/scripts/cleanup.ps1 index 7e756be..cb369cf 100644 --- a/scripts/cleanup.ps1 +++ b/scripts/cleanup.ps1 @@ -1,15 +1,22 @@ # cleanup all resource groups # useful after failed build/destroy workflows +param( + [Parameter(Mandatory)] + [ValidateNotNull()] + [string] + $ResourceGroupPrefix +) + Write-Output "Authenticating PowerShell sessions using env vars..." $servicePrincipleCredential = [pscredential]::new($env:ARM_CLIENT_ID, (ConvertTo-SecureString $env:ARM_CLIENT_SECRET -AsPlainText -Force)) Connect-AzAccount -ServicePrincipal -Tenant $env:ARM_TENANT_ID -Credential $servicePrincipleCredential -Subscription $env:ARM_SUBSCRIPTION_ID -Verbose -$taskMessage="Deleting all devops lab resource groups" +$taskMessage = "Deleting all devops lab resource groups" Write-Output "STARTED: $taskMessage..." Write-Output "Found these resource groups:" -$resourceGroupsToDelete = Get-AzResourceGroup -Name "$PREFIX*" +$resourceGroupsToDelete = Get-AzResourceGroup -Name "$ResourceGroupPrefix*" -WhatIf $resourceGroupsToDelete.ResourceGroupName Write-Output "Deleting 'AsJob' for async removal..." From 5f4ca1b343cc8a41b6d21a00454a6c6397982119 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 11:46:07 +0100 Subject: [PATCH 080/147] Fixed cleanup script --- scripts/cleanup.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/cleanup.ps1 b/scripts/cleanup.ps1 index cb369cf..d961538 100644 --- a/scripts/cleanup.ps1 +++ b/scripts/cleanup.ps1 
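Review bot: `${{ env.PREFIX }}` is expanded into the `inlineScript` text before PowerShell parses it, so the value becomes part of the script source rather than an argument; passing it through the step's `env:` and writing `./scripts/cleanup.ps1 -ResourceGroupPrefix $env:PREFIX` keeps the script text fixed whatever the value contains. PREFIX is presumably defined in the workflow's own `env:` block outside this hunk, so the exposure today is low, but the env-variable form is the one worth standardising on for every `inlineScript` in these workflows. The step and its `with:` block start above the hunk.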
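Review bot: `[ValidateNotNull()]` on `$ResourceGroupPrefix` still accepts an empty string, and an empty prefix turns the lookup into `Get-AzResourceGroup -Name "*"`, selecting every resource group in the subscription for the deletion that follows below this hunk; `[ValidateNotNullOrEmpty()]` (or a `[ValidatePattern()]` matching the expected prefix shape) is the attribute this parameter needs. The `-WhatIf` added to `Get-AzResourceGroup` is on a read-only cmdlet, so whether the cmdlet rejects or ignores it, it does not protect the delete path; a dry-run belongs on `Remove-AzResourceGroup`, which is outside the hunk. The login lines also keep `-Verbose` on `Connect-AzAccount`, which echoes the account context into the job log.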
@@ -16,7 +16,7 @@ $taskMessage = "Deleting all devops lab resource groups" Write-Output "STARTED: $taskMessage..." Write-Output "Found these resource groups:" -$resourceGroupsToDelete = Get-AzResourceGroup -Name "$ResourceGroupPrefix*" -WhatIf +$resourceGroupsToDelete = Get-AzResourceGroup -Name "$ResourceGroupPrefix*" $resourceGroupsToDelete.ResourceGroupName Write-Output "Deleting 'AsJob' for async removal..." From 95e5e27b750a405765cd158948ee5b3b67fbc908 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 12:28:23 +0100 Subject: [PATCH 081/147] Added Delete-ResourceGroups.ps1 script --- .github/workflows/cleanup-resource-groups.yml | 17 +-- scripts/Delete-ResourceGroups.ps1 | 111 ++++++++++++++++++ 2 files changed, 116 insertions(+), 12 deletions(-) create mode 100644 scripts/Delete-ResourceGroups.ps1 diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml index ff63f62..d4a95b2 100644 --- a/.github/workflows/cleanup-resource-groups.yml +++ b/.github/workflows/cleanup-resource-groups.yml @@ -44,26 +44,19 @@ jobs: # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-versioned-actions - uses: actions/checkout@v2 - # Login - - name: Login to Azure + # Init tasks + - name: Init run: | chmod -R +x ./scripts/ - ./scripts/azure_login.sh - - # # Debug - # - name: Debug - # run: pwsh -command "Get-Module az* -ListAvailable" - - # # Cleanup - # - name: Delete all resource groups - # run: pwsh -command "./scripts/cleanup.ps1" + # Cleanup - name: Delete all resource groups uses: azure/powershell@v1 with: azPSVersion: "latest" inlineScript: | - ./scripts/cleanup.ps1 -ResourceGroupPrefix "${{ env.PREFIX }}" + ./scripts/azure_login.ps1 + ./scripts/Delete-ResourceGroups.ps1 -Prefixes "${{ env.PREFIX }}" -MaxLimit 2 # Notify - name: Notify slack 
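Review bot: `-MaxLimit 2` in the cleanup-resource-groups.yml hunk is an unexplained magic number, and it is the only brake on an over-broad `PREFIX` before groups are removed; a comment above the step such as `# MaxLimit: abort if more than 2 resource groups match the prefix (guard against deleting unrelated groups)` records why the value is 2 and when it may be raised. The `Init` step now only runs `chmod -R +x ./scripts/` while authentication moved into the inlineScript via `./scripts/azure_login.ps1`, so the step names no longer describe what happens; renaming `Init` to `Make scripts executable` (or folding the chmod into the PowerShell step) keeps the job log readable. The job definition starts above the hunk.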
diff --git a/scripts/Delete-ResourceGroups.ps1 b/scripts/Delete-ResourceGroups.ps1 new file mode 100644 index 0000000..53ca16d --- /dev/null +++ b/scripts/Delete-ResourceGroups.ps1 
@@ -0,0 +1,111 @@ +<# +.SYNOPSIS + Deletes Azure Resource Groups with a given prefix +.DESCRIPTION + Deletes Azure Resource Groups with a given prefix, with confirmation prompt and WhatIf functionality +.PARAMETER Prefixes + An array of prefix strings that matches the start of the Resource Group name + "abc99", "abc12" would match resource group called "abc99-rg-blahblah" and "abc12-rg-blahblah" + Wildcards are supported, so you could use "abc*" instead of "abc99" and "abc12". +.PARAMETER MaxLimit + Aborts script if too many Resource Groups are found. + This is a safety check. +.PARAMETER WhatIf + Does a dry-run and shows what Resource Groups would be deleted. +.EXAMPLE + ./Delete-ResourceGroups.ps1 -Prefixes abc99. + + Deletes all Resource Groups starting with "abc99", eg: + "abc99-rg-one" + "abc99-rg-two" +.EXAMPLE + ./Delete-ResourceGroups.ps1 -Prefixes abc99 -WhatIf + + Shows what Resource Groups would be deleted +.NOTES + Author: Adam Rush + GitHub: adamrushuk + Twitter: @adamrushuk +#> +[CmdletBinding()] +param ( + [Parameter(Mandatory)] + [ValidateNotNull()] + [string[]] + $Prefixes, + + [int] + $MaxLimit = 2, + + [switch] + $WhatIf +) + +Write-Output "Searching for Resource groups starting with [$($Prefixes -join ', ')]" + +# init +$resourceGroupsToDelete = $null +$jobs = $null + +foreach ($Prefix in $Prefixes) { + + $resourceGroups = $null + $resourceGroups = @(Get-AzResourceGroup -Name "$Prefix*") + Write-Host "`nResource groups found starting with [$Prefix]: [$($resourceGroups.Count)]" -ForegroundColor Yellow + + # abort if we find no resource groups + if ($resourceGroups.Count -eq 0) { + Write-Host "Continuing...`n" -ForegroundColor Green + continue + } + + # safety check + if ($resourceGroups.Count -gt $MaxLimit) { + Write-Host "ABORTING, MaxLimit was hit. Over [$MaxLimit] resource groups were found." 
-ForegroundColor Red + return + } + + + # show resource groups + $resourceGroups | Select-Object -ExpandProperty "ResourceGroupName" + Write-Output "" + + # confirm deletion + $confirmation = $null + while($confirmation -ne "y") { + if ($confirmation -eq 'n') { break } + + $confirmation = Read-Host "Are you sure you want to select these [$($resourceGroups.Count)] Resource Groups for deletion? [y/n]" + } + + # queue + if ($confirmation -eq "y") { + Write-Output "Queuing [$($resourceGroups.Count)] Resource Groups..." + $resourceGroupsToDelete += $resourceGroups + } else { + Write-Host "Skipping...`n" -ForegroundColor Yellow + } +} + +# delete +if ($resourceGroupsToDelete.Count -gt 0) { + Write-Output "Deleting [$($resourceGroupsToDelete.Count)] Resource Groups..." + if ($WhatIf.IsPresent) { + $resourceGroupsToDelete | Remove-AzResourceGroup -Force -WhatIf + } else { + $timer = [Diagnostics.Stopwatch]::StartNew() + $jobs += $resourceGroupsToDelete | Remove-AzResourceGroup -Force -AsJob + } +} + +# wait for jobs to complete +if ($null -ne $jobs) { + $jobs + + Write-Output "`nWaiting for [$($jobs.Count)] jobs to finish..." + $jobs | Wait-Job + $jobs | Receive-Job -Keep + + $timer.Stop() + Write-Output "Deletion jobs completed in: [$($timer.Elapsed.Minutes)m$($timer.Elapsed.Seconds)s]" +} From 68529fe388cb4433a999507d120430da5a87e3d8 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 12:28:40 +0100 Subject: [PATCH 082/147] Added azure powershell session login --- scripts/azure_login.ps1 | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/scripts/azure_login.ps1 b/scripts/azure_login.ps1 index c361fd0..5923ec8 100644 --- a/scripts/azure_login.ps1 +++ b/scripts/azure_login.ps1 
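Review bot: The confirmation loop around `Read-Host` has no non-interactive path, yet patch 081 calls this script from an `azure/powershell` inlineScript where there is no console, so depending on the host it either errors out or keeps looping on an empty answer; add a `[switch] $Force` parameter and bypass the prompt when it is set, e.g. `if ($Force) { $confirmation = 'y' } else { …existing while loop… }`. The MaxLimit abort ends with `return`, so the caller sees exit code 0 and a workflow step would go green on the abort path; `throw "ABORTING, MaxLimit [$MaxLimit] exceeded"` makes the guard visible to the job. `[ValidateNotNull()]` on `$Prefixes` still admits an empty string, which expands to `"*"` in `Get-AzResourceGroup -Name "$Prefix*"` and matches every resource group in the subscription, with only `MaxLimit` standing in the way; `[ValidateNotNullOrEmpty()]` closes that gap. Declaring a custom `$WhatIf` switch under `[CmdletBinding()]` shadows the common parameter name and is likely to be flagged by PSScriptAnalyzer; `SupportsShouldProcess` with `$PSCmdlet.ShouldProcess(...)` around the removal is the conventional form.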
@@ -2,10 +2,19 @@ $taskMessage="Logging in to Azure" Write-Output "STARTED: $taskMessage..." -az login --service-principal --tenant "$env:ARM_TENANT_ID" -u "$env:ARM_CLIENT_ID" -p "$env:ARM_CLIENT_SECRET" -Write-Output "FINISHED: $taskMessage." -$taskMessage="Selecting Subscription" -Write-Output "STARTED: $taskMessage..." -az account set --subscription "$env:ARM_SUBSCRIPTION_ID" +# Write-Output "Env vars loaded for Client ID: [$($env:ARM_CLIENT_ID)]" + +# Login PowerShell and Az CLI sessions with Service Principal env vars +Write-Output "Authenticating PowerShell and Az CLI sessions using env vars..." +$servicePrincipleCredential = [pscredential]::new($env:ARM_CLIENT_ID, (ConvertTo-SecureString $env:ARM_CLIENT_SECRET -AsPlainText -Force)) +Connect-AzAccount -ServicePrincipal -Tenant $env:ARM_TENANT_ID -Credential $servicePrincipleCredential -Subscription $env:ARM_SUBSCRIPTION_ID -Verbose + +# Set context to specific subscription +az login --service-principal --username $env:ARM_CLIENT_ID --password $env:ARM_CLIENT_SECRET --tenant $env:ARM_TENANT_ID +az account set --subscription $env:ARM_SUBSCRIPTION_ID +az account show + +Write-Output "PowerShell and Az CLI session logins complete." + Write-Output "FINISHED: $taskMessage." From 061affade2efd170b0bec7789c20865a07efe6fd Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 4 Jun 2022 12:28:56 +0100 Subject: [PATCH 083/147] Added comment for future deletion --- scripts/cleanup.ps1 | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/cleanup.ps1 b/scripts/cleanup.ps1 index d961538..8bfb927 100644 --- a/scripts/cleanup.ps1 +++ b/scripts/cleanup.ps1 @@ -1,3 +1,4 @@ +# TODO: delete this file if not required # cleanup all resource groups # useful after failed build/destroy workflows From 31fa3e42fa5136468797c667890798a5476d582d Mon Sep 17 00:00:00 2001 
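Review bot: The rewritten login runs `az login`, `az account set` and `az account show` without inspecting `$LASTEXITCODE`, so a failed CLI login still prints `PowerShell and Az CLI session logins complete.` and `FINISHED`, leaving later steps to fail with unrelated errors; add `if ($LASTEXITCODE -ne 0) { throw "az login failed" }` after the `az login` line and the same after `az account set`. `az account show` writes the full account object, including tenant and subscription ids and the signed-in identity, into the job log; if a sanity check is all that is wanted, `az account show --query name --output tsv` limits what is logged. The client secret is still passed as a `--password` argument, as the removed line also did, so it is readable from the runner's process list for the life of the call; that is an accepted trade-off for a service-principal login but worth a comment, or a move to federated (OIDC) credentials via `azure/login` when the repo is ready. The old line quoted the `$env:` values and the new one does not; the quoted form is safer if a value is ever empty.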
From: Adam Rush Date: Sat, 4 Jun 2022 12:58:57 +0100 Subject: [PATCH 084/147] Updated readme --- README.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index c85ac34..9226729 100644 --- a/README.md +++ b/README.md @@ -18,8 +18,9 @@ being used now. - [Configure Key Vault / LetsEncrypt TLS Certificate](#configure-key-vault--letsencrypt-tls-certificate) - [Configure Azure Authentication](#configure-azure-authentication) - [Create Secrets](#create-secrets) - - [Running the Build workflow](#running-the-build-workflow) - - [Running the Destroy workflow](#running-the-destroy-workflow) + - [Update the Workflow Environment Variables](#update-the-workflow-environment-variables) + - [Running the Build Workflow](#running-the-build-workflow) + - [Running the Destroy Workflow](#running-the-destroy-workflow) ## Getting Started @@ -61,7 +62,11 @@ Once Azure authentication has been configured, the Service Principle credential - `ARM_SUBSCRIPTION_ID` - `ARM_TENANT_ID` -### Running the Build workflow +### Update the Workflow Environment Variables + +TODO - update key vault and dns env vars. + +### Running the Build Workflow Now that Azure authentication has been configured with corresponding secrets, the build workflow is ready to be run: @@ -70,7 +75,7 @@ Now that Azure authentication has been configured with corresponding secrets, th 1. Select the desired branch. 1. Click the `Run workflow` button. -### Running the Destroy workflow +### Running the Destroy Workflow There will be ongoing costs if the environment is left running, so to avoid unexpected bills the destroy workflow should be run once testing has been completed: From fbf87c3c1d75ecc603c85002a6f539b0eca99a9d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 6 Jun 2022 07:22:07 +0100 Subject: [PATCH 085/147] Added whatif switch --- .github/workflows/cleanup-resource-groups.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml index d4a95b2..c6810a7 100644 --- a/.github/workflows/cleanup-resource-groups.yml +++ b/.github/workflows/cleanup-resource-groups.yml @@ -56,7 +56,7 @@ jobs: azPSVersion: "latest" inlineScript: | ./scripts/azure_login.ps1 - ./scripts/Delete-ResourceGroups.ps1 -Prefixes "${{ env.PREFIX }}" -MaxLimit 2 + ./scripts/Delete-ResourceGroups.ps1 -Prefixes "${{ env.PREFIX }}" -MaxLimit 2 -WhatIf # Notify - name: Notify slack From 0b1326607f7cfbac10f8cdf8ed73a2b39c8e53bc Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 6 Jun 2022 12:14:50 +0100 Subject: [PATCH 086/147] Added Terrafy example --- terraform/examples/terrafy/README.md | 33 ++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 terraform/examples/terrafy/README.md diff --git a/terraform/examples/terrafy/README.md b/terraform/examples/terrafy/README.md new file mode 100644 index 0000000..bdf45cf --- /dev/null +++ b/terraform/examples/terrafy/README.md @@ -0,0 +1,33 @@ +# Terrafy + +## Install + +Run my [Azure Terrafy install script](https://github.com/adamrushuk/tools-install/blob/master/aztfy.sh). + +## Create Resources + +Before running Azure Terrafy, some resources will need to exist. + +For this test, I created a `PowerShell Core 7.2 Function App` within a Resource Group called `rg-functionapp`. + +## Usage + + +```bash +# init +cd terraform/examples/terrafy +mkdir -p ./output + +# login to your account +az login + +# run aztfy +# aztfy [option] +aztfy -o ./output rg-functionapp + +# review the resources +# select any entries that are marked with "skip", press "enter" then input the Terraform resource address in form +# of . (e.g. "azurerm_storage_account.func_app") + +# press "w" to import into local state +``` From 1a2772895acb9d74efeadbcf7c2144367a22488d Mon Sep 17 00:00:00 2001 
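Review bot: Adding `-WhatIf` to the `Delete-ResourceGroups.ps1` call turns the whole workflow into a permanent dry-run with nothing in the file saying so, so the next reader will assume the cleanup actually deletes; either state the intent directly above the line, `# Dry-run only: remove -WhatIf once PREFIX and MaxLimit are trusted`, or drive the switch from a manual-dispatch input so the safe default is explicit rather than accidental. The step and its `with:` block start above the hunk.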
From: Adam Rush Date: Sun, 21 Aug 2022 13:20:09 +0100 Subject: [PATCH 087/147] Added initial lab setup script and updated key vault name --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- README.md | 4 ++-- scripts/initial_lab_setup.sh | 12 ++++++++++++ 4 files changed, 16 insertions(+), 4 deletions(-) create mode 100644 scripts/initial_lab_setup.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index dc0c03f..a8295e1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -42,7 +42,7 @@ env: FORCE_TEST_FAIL: false K8S_TLS_SECRET_NAME: tls-secret KEY_VAULT_CERT_NAME: wildcard-thehypepipe-co-uk - KEY_VAULT_NAME: kv-rush-iz6y + KEY_VAULT_NAME: kv-rush-aqy2 KEY_VAULT_RESOURCE_GROUP_NAME: rg-keyvault-acmebot # NOTE: "eastus" is cheaper than "uksouth" LOCATION: eastus diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index f3f4f38..4c9aa3a 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -40,7 +40,7 @@ env: ENABLE_TLS_INGRESS: true FORCE_TEST_FAIL: false K8S_TLS_SECRET_NAME: tls-secret - KEY_VAULT_NAME: kv-rush-iz6y + KEY_VAULT_NAME: kv-rush-aqy2 KEY_VAULT_CERT_NAME: wildcard-thehypepipe-co-uk KEY_VAULT_RESOURCE_GROUP_NAME: rg-keyvault-acmebot # NOTE: "eastus" is cheaper than "uksouth" diff --git a/README.md b/README.md index 9226729..ffc7b81 100644 --- a/README.md +++ b/README.md @@ -39,8 +39,8 @@ dynamically update DNS records. #### Configure Key Vault / LetsEncrypt TLS Certificate -Use the [keyvault-acmebot Getting Started guide](https://github.com/shibayan/keyvault-acmebot#getting-started) to -deploy AcmeBot and configure a wildcard certificate for your domain. +Use the [keyvault-acmebot Getting Started guide](https://github.com/shibayan/keyvault-acmebot/wiki/Getting-Started) to +deploy AcmeBot and configure a wildcard certificate for your domain (eg: `*.domain.com`). ### Configure Azure Authentication 
diff --git a/scripts/initial_lab_setup.sh b/scripts/initial_lab_setup.sh new file mode 100644 index 0000000..f9ef86f --- /dev/null +++ b/scripts/initial_lab_setup.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash + +# Steps from README to complete the initial lab setup + +# Vars +DNS_RG_NAME="rg-dns" +LOCATION="eastus" +ROOT_DOMAIN_NAME="thehypepipe.co.uk" + +# Configure DNS Zone +az group create --name "$DNS_RG_NAME" --location "$LOCATION" +az network dns zone create --resource-group "$DNS_RG_NAME" --name "$ROOT_DOMAIN_NAME" From bd5a7d4211d4fd5d640b6626ecd89769b3e0b01e Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 26 Aug 2022 07:53:09 +0100 Subject: [PATCH 088/147] Updated TF example for setproduct --- .../examples/setproduct-multiple-list-variations/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/examples/setproduct-multiple-list-variations/main.tf b/terraform/examples/setproduct-multiple-list-variations/main.tf index 0505e77..793f85d 100644 --- a/terraform/examples/setproduct-multiple-list-variations/main.tf +++ b/terraform/examples/setproduct-multiple-list-variations/main.tf @@ -6,11 +6,11 @@ provider "azurerm" { } terraform { - required_version = ">= 0.13" + required_version = ">= 1.0" required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 2.85.0" + version = "~> 3.20.0" } } } From f9ffc14b007c2cfc5c9825807efa75c4dfac3018 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 18 Oct 2022 07:29:45 +0100 Subject: [PATCH 089/147] Bumped AKS to v1.23.12 --- terraform/variables.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index d1fe860..f274274 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
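Review bot: The new script runs `az group create` and then `az network dns zone create` with no `set -euo pipefail`, so if the resource group creation fails (wrong subscription, missing login) the DNS zone command still runs and the script exits 0; add `set -euo pipefail` on the line after the shebang. The script also assumes an already-authenticated `az` session and hard-codes `ROOT_DOMAIN_NAME`, neither of which the header `# Steps from README to complete the initial lab setup` mentions; a line such as `# Prerequisites: az login to the target subscription; edit the Vars block for your own domain` would make that explicit.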
@@ -4,8 +4,9 @@ # version used for both main AKS API service, and default node pool # https://github.com/Azure/AKS/releases # az aks get-versions --location eastus --output table +# pwsh -c "(az aks get-versions --location uksouth | convertfrom-json).orchestrators | where default" variable "kubernetes_version" { - default = "1.21.9" + default = "1.23.12" } # Helm charts From 7fbb550a80aa78965d807c6931153080ad563c66 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 18 Oct 2022 07:46:37 +0100 Subject: [PATCH 090/147] Updated kured source --- terraform/kured_helm.tf | 2 +- terraform/variables.tf | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/kured_helm.tf b/terraform/kured_helm.tf index f8ebfbb..655d071 100644 --- a/terraform/kured_helm.tf +++ b/terraform/kured_helm.tf @@ -19,7 +19,7 @@ resource "helm_release" "kured" { chart = "kured" name = "kured" namespace = kubernetes_namespace.kured.metadata[0].name - repository = "https://weaveworks.github.io/kured" + repository = "https://kubereboot.github.io/charts/" version = var.kured_chart_version timeout = 600 atomic = true diff --git a/terraform/variables.tf b/terraform/variables.tf index f274274..9626aec 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -4,7 +4,7 @@ # version used for both main AKS API service, and default node pool # https://github.com/Azure/AKS/releases # az aks get-versions --location eastus --output table -# pwsh -c "(az aks get-versions --location uksouth | convertfrom-json).orchestrators | where default" +# pwsh -Command "(az aks get-versions --location uksouth | convertfrom-json).orchestrators | where default" variable "kubernetes_version" { default = "1.23.12" } 
@@ -77,13 +77,13 @@ variable "external_dns_chart_version" { default = "6.5.1" } -# https://github.com/weaveworks/kured/tree/master/charts/kured +# https://github.com/kubereboot/charts/tree/main/charts/kured # helm search repo kured/kured variable "kured_chart_version" { default = "2.14.2" } -# https://github.com/weaveworks/kured#kubernetes--os-compatibility +# https://github.com/kubereboot/kured#kubernetes--os-compatibility variable "kured_image_tag" { default = "1.9.2" } From c00e27fc528fd4c00193214c184aa716e3206a34 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 18 Oct 2022 07:52:41 +0100 Subject: [PATCH 091/147] Bumped kured chart to v4.0.2 --- terraform/variables.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 9626aec..1a08791 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -78,14 +78,14 @@ variable "external_dns_chart_version" { } # https://github.com/kubereboot/charts/tree/main/charts/kured -# helm search repo kured/kured +# helm search repo kubereboot/kured variable "kured_chart_version" { - default = "2.14.2" + default = "4.0.2" } # https://github.com/kubereboot/kured#kubernetes--os-compatibility variable "kured_image_tag" { - default = "1.9.2" + default = "1.10.2" } From a12bf93154018857088c09ea38c267c6163d0400 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 19 Oct 2022 07:14:29 +0100 Subject: [PATCH 092/147] Bumped helm versions --- terraform/files/scripts/argocd_config.sh | 2 +- terraform/helm/argocd_default_values.yaml | 1396 +++++++++++---------- terraform/helm/nginx_values.yaml | 2 +- terraform/helm/velero_default_values.yaml | 69 +- terraform/helm/velero_values.yaml | 2 +- terraform/variables.tf | 25 +- 6 files changed, 836 insertions(+), 660 deletions(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index 2dc20ba..20707a8 100644 --- a/terraform/files/scripts/argocd_config.sh 
+++ b/terraform/files/scripts/argocd_config.sh @@ -19,7 +19,7 @@ ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install # https://github.com/argoproj/argo-cd/releases/ -VERSION="v2.3.4" +VERSION="v2.4.15" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" diff --git a/terraform/helm/argocd_default_values.yaml b/terraform/helm/argocd_default_values.yaml index 230adb0..2ab6310 100644 --- a/terraform/helm/argocd_default_values.yaml +++ b/terraform/helm/argocd_default_values.yaml @@ -1,4 +1,4 @@ -# https://github.com/argoproj/argo-helm/blob/argo-cd-4.8.2/charts/argo-cd/values.yaml +# https://github.com/argoproj/argo-helm/blob/argo-cd-5.6.0/charts/argo-cd/values.yaml ## Argo CD configuration ## Ref: https://github.com/argoproj/argo-cd 
@@ -10,6 +10,37 @@ nameOverride: argocd fullnameOverride: "" # -- Override the Kubernetes version, which is used to evaluate certain manifests kubeVersionOverride: "" +# Override APIVersions +# If you want to template helm charts but cannot access k8s API server +# you can set api versions here +apiVersionOverrides: + # -- String to override apiVersion of certmanager resources rendered by this helm chart + certmanager: "" # cert-manager.io/v1 + # -- String to override apiVersion of GKE resources rendered by this helm chart + cloudgoogle: "" # cloud.google.com/v1 + # -- String to override apiVersion of autoscaling rendered by this helm chart + autoscaling: "" # autoscaling/v2 + # -- String to override apiVersion of ingresses rendered by this helm chart + ingress: "" # networking.k8s.io/v1beta1 + # -- String to override apiVersion of pod disruption budgets rendered by this helm chart + pdb: "" # policy/v1 + +# -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds +## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles +createAggregateRoles: false + +openshift: + # -- enables using arbitrary uid for argo repo server + enabled: false + +## Custom resource configuration +crds: + # -- Install and upgrade CRDs + install: true + # -- Keep CRDs on chart uninstall + keep: true + # -- Annotations to be added to all CRDs + annotations: {} global: image: @@ -19,6 +50,15 @@ global: tag: "" # -- If defined, a imagePullPolicy applied to all Argo CD deployments imagePullPolicy: IfNotPresent + + # -- Secrets with credentials to pull images from a private registry + imagePullSecrets: [] + + logging: + # -- Set the global logging format. Either: `text` or `json` + format: text + # -- Set the global logging level. One of: `debug`, `info`, `warn` or `error` + level: info # -- Annotations for the all deployed pods podAnnotations: {} # -- Labels for the all deployed pods 
@@ -29,8 +69,6 @@ global: # runAsGroup: 999 # fsGroup: 999 - # -- If defined, uses a Secret to pull an image from a private Docker registry or repository - imagePullSecrets: [] # -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files hostAliases: [] # - ip: 10.20.30.40 
@@ -47,18 +85,258 @@ global: # -- Default deny all ingress traffic defaultDenyIngress: false -# Override APIVersions -# If you want to template helm charts but cannot access k8s API server -# you can set api versions here -apiVersionOverrides: - # -- String to override apiVersion of certmanager resources rendered by this helm chart - certmanager: "" # cert-manager.io/v1 - # -- String to override apiVersion of ingresses rendered by this helm chart - ingress: "" # networking.k8s.io/v1beta1 +## Argo Configs +configs: + # -- Provide one or multiple [external cluster credentials] + # @default -- `[]` (See [values.yaml]) + ## Ref: + ## - https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters + ## - https://argo-cd.readthedocs.io/en/stable/operator-manual/security/#external-cluster-credentials + clusterCredentials: [] + # - name: mycluster + # server: https://mycluster.com + # labels: {} + # annotations: {} + # config: + # bearerToken: "" + # tlsClientConfig: + # insecure: false + # caData: "" + # - name: mycluster2 + # server: https://mycluster2.com + # labels: {} + # annotations: {} + # namespaces: namespace1,namespace2 + # clusterResources: true + # config: + # bearerToken: "" + # tlsClientConfig: + # insecure: false + # caData: "" -# -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds -## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles -createAggregateRoles: false + # -- GnuPG key ring annotations + gpgKeysAnnotations: {} + # -- [GnuPG](https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/) keys to add to the key ring + # @default -- `{}` (See [values.yaml]) + gpgKeys: {} + # 4AEE18F83AFDEB23: | + # -----BEGIN PGP PUBLIC KEY BLOCK----- + # + # mQENBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta + # x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT + # SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ + # 
7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa + # buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v + # yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAG0NUdpdEh1YiAod2ViLWZs + # b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+iQEiBBMBCAAW + # BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEH/iATWFmi2oxlBh3wAsySNCNV4IPf + # DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6 + # 9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws + # +8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5 + # 4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O + # j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48= + # =Bvzs + # -----END PGP PUBLIC KEY BLOCK----- + + # -- Known Hosts configmap annotations + knownHostsAnnotations: {} + knownHosts: + data: + # -- Known Hosts + # @default -- See [values.yaml] + ssh_known_hosts: | + bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== + github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= + github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl + github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + gitlab.com ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= + gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf + gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 + ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H + vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H + # -- TLS certificate configmap annotations + tlsCertsAnnotations: {} + # -- TLS certificate + # @default -- See [values.yaml] + tlsCerts: + {} + # data: + # argocd.example.com: | + # -----BEGIN CERTIFICATE----- + # MIIF1zCCA7+gAwIBAgIUQdTcSHY2Sxd3Tq/v1eIEZPCNbOowDQYJKoZIhvcNAQEL + # BQAwezELMAkGA1UEBhMCREUxFTATBgNVBAgMDExvd2VyIFNheG9ueTEQMA4GA1UE + # BwwHSGFub3ZlcjEVMBMGA1UECgwMVGVzdGluZyBDb3JwMRIwEAYDVQQLDAlUZXN0 + # c3VpdGUxGDAWBgNVBAMMD2Jhci5leGFtcGxlLmNvbTAeFw0xOTA3MDgxMzU2MTda + # Fw0yMDA3MDcxMzU2MTdaMHsxCzAJBgNVBAYTAkRFMRUwEwYDVQQIDAxMb3dlciBT + # 
YXhvbnkxEDAOBgNVBAcMB0hhbm92ZXIxFTATBgNVBAoMDFRlc3RpbmcgQ29ycDES + # MBAGA1UECwwJVGVzdHN1aXRlMRgwFgYDVQQDDA9iYXIuZXhhbXBsZS5jb20wggIi + # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCv4mHMdVUcafmaSHVpUM0zZWp5 + # NFXfboxA4inuOkE8kZlbGSe7wiG9WqLirdr39Ts+WSAFA6oANvbzlu3JrEQ2CHPc + # CNQm6diPREFwcDPFCe/eMawbwkQAPVSHPts0UoRxnpZox5pn69ghncBR+jtvx+/u + # P6HdwW0qqTvfJnfAF1hBJ4oIk2AXiip5kkIznsAh9W6WRy6nTVCeetmIepDOGe0G + # ZJIRn/OfSz7NzKylfDCat2z3EAutyeT/5oXZoWOmGg/8T7pn/pR588GoYYKRQnp+ + # YilqCPFX+az09EqqK/iHXnkdZ/Z2fCuU+9M/Zhrnlwlygl3RuVBI6xhm/ZsXtL2E + # Gxa61lNy6pyx5+hSxHEFEJshXLtioRd702VdLKxEOuYSXKeJDs1x9o6cJ75S6hko + # Ml1L4zCU+xEsMcvb1iQ2n7PZdacqhkFRUVVVmJ56th8aYyX7KNX6M9CD+kMpNm6J + # kKC1li/Iy+RI138bAvaFplajMF551kt44dSvIoJIbTr1LigudzWPqk31QaZXV/4u + # kD1n4p/XMc9HYU/was/CmQBFqmIZedTLTtK7clkuFN6wbwzdo1wmUNgnySQuMacO + # gxhHxxzRWxd24uLyk9Px+9U3BfVPaRLiOPaPoC58lyVOykjSgfpgbus7JS69fCq7 + # bEH4Jatp/10zkco+UQIDAQABo1MwUTAdBgNVHQ4EFgQUjXH6PHi92y4C4hQpey86 + # r6+x1ewwHwYDVR0jBBgwFoAUjXH6PHi92y4C4hQpey86r6+x1ewwDwYDVR0TAQH/ + # BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAFE4SdKsX9UsLy+Z0xuHSxhTd0jfn + # Iih5mtzb8CDNO5oTw4z0aMeAvpsUvjJ/XjgxnkiRACXh7K9hsG2r+ageRWGevyvx + # CaRXFbherV1kTnZw4Y9/pgZTYVWs9jlqFOppz5sStkfjsDQ5lmPJGDii/StENAz2 + # XmtiPOgfG9Upb0GAJBCuKnrU9bIcT4L20gd2F4Y14ccyjlf8UiUi192IX6yM9OjT + # +TuXwZgqnTOq6piVgr+FTSa24qSvaXb5z/mJDLlk23npecTouLg83TNSn3R6fYQr + # d/Y9eXuUJ8U7/qTh2Ulz071AO9KzPOmleYPTx4Xty4xAtWi1QE5NHW9/Ajlv5OtO + # OnMNWIs7ssDJBsB7VFC8hcwf79jz7kC0xmQqDfw51Xhhk04kla+v+HZcFW2AO9so + # 6ZdVHHQnIbJa7yQJKZ+hK49IOoBR6JgdB5kymoplLLiuqZSYTcwSBZ72FYTm3iAr + # jzvt1hxpxVDmXvRnkhRrIRhK4QgJL0jRmirBjDY+PYYd7bdRIjN7WNZLFsgplnS8 + # 9w6CwG32pRlm0c8kkiQ7FXA6BYCqOsDI8f1VGQv331OpR2Ck+FTv+L7DAmg6l37W + # +LB9LGh4OAp68ImTjqf6ioGKG0RBSznwME+r4nXtT1S/qLR6ASWUS4ViWRhbRlNK + # XWyb96wrUlv+E8I= + # -----END CERTIFICATE----- + + # -- Repository credentials to be used as Templates for other repos + ## Creates a secret for each key/value specified below to create repository 
credentials + credentialTemplates: {} + # github-enterprise-creds-1: + # url: https://github.com/argoproj + # githubAppID: 1 + # githubAppInstallationID: 2 + # githubAppEnterpriseBaseUrl: https://ghe.example.com/api/v3 + # githubAppPrivateKey: | + # -----BEGIN OPENSSH PRIVATE KEY----- + # ... + # -----END OPENSSH PRIVATE KEY----- + # https-creds: + # url: https://github.com/argoproj + # password: my-password + # username: my-username + # ssh-creds: + # url: git@github.com:argoproj-labs + # sshPrivateKey: | + # -----BEGIN OPENSSH PRIVATE KEY----- + # ... + # -----END OPENSSH PRIVATE KEY----- + + # -- Annotations to be added to `configs.credentialTemplates` Secret + credentialTemplatesAnnotations: {} + + # -- Repositories list to be used by applications + ## Creates a secret for each key/value specified below to create repositories + ## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials". + repositories: {} + # istio-helm-repo: + # url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts + # name: istio.io + # type: helm + # private-helm-repo: + # url: https://my-private-chart-repo.internal + # name: private-repo + # type: helm + # password: my-password + # username: my-username + # private-repo: + # url: https://github.com/argoproj/private-repo + + # -- Annotations to be added to `configs.repositories` Secret + repositoriesAnnotations: {} + + secret: + # -- Create the argocd-secret + createSecret: true + # -- Annotations to be added to argocd-secret + annotations: {} + + # -- Shared secret for authenticating GitHub webhook events + githubSecret: "" + # -- Shared secret for authenticating GitLab webhook events + gitlabSecret: "" + # -- Shared secret for authenticating BitbucketServer webhook events + bitbucketServerSecret: "" + # -- UUID for authenticating Bitbucket webhook events + bitbucketUUID: "" + # -- Shared secret for authenticating Gogs webhook 
events + gogsSecret: "" + + # -- add additional secrets to be added to argocd-secret + ## Custom secrets. Useful for injecting SSO secrets into environment variables. + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sensitive-data-and-sso-client-secrets + ## Note that all values must be non-empty. + extra: + {} + # LDAP_PASSWORD: "mypassword" + + # -- Argo TLS Data + argocdServerTlsConfig: + {} + # key: + # crt: | + # -----BEGIN CERTIFICATE----- + # + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # + # -----END CERTIFICATE----- + + # -- Bcrypt hashed admin password + ## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with + ## `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'` + argocdServerAdminPassword: "" + # -- Admin password modification time. Eg. `"2006-01-02T15:04:05Z"` + # @default -- `""` (defaults to current time) + argocdServerAdminPasswordMtime: "" + + # -- Define custom [CSS styles] for your argo instance. + # This setting will automatically mount the provided CSS and reference it in the argo configuration. + # @default -- `""` (See [values.yaml]) + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/ + styles: "" + # styles: | + # .nav-bar { + # background: linear-gradient(to bottom, #999, #777, #333, #222, #111); + # } + + # Argo CD configuration parameters + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml + params: + # -- Annotations to be added to the argocd-cmd-params-cm ConfigMap + annotations: {} + + ## Generic parameters + # -- Open-Telemetry collector address: (e.g. 
"otel-collector:4317") + otlp.address: '' + + ## Controller Properties + # -- Number of application status processors + controller.status.processors: 20 + # -- Number of application operation processors + controller.operation.processors: 10 + # -- Specifies timeout between application self heal attempts + controller.self.heal.timeout.seconds: 5 + # -- Repo server RPC call timeout seconds. + controller.repo.server.timeout.seconds: 60 + + ## Server properties + # -- Run server without TLS + server.insecure: false + # -- Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from / + server.basehref: / + # -- Used if Argo CD is running behind reverse proxy under subpath different from / + server.rootpath: '' + # -- Directory path that contains additional static assets + server.staticassets: /shared/app + # -- Disable Argo CD RBAC for user authentication + server.disable.auth: false + # -- Enable GZIP compression + server.enable.gzip: false + # -- Set X-Frame-Options header in HTTP responses to value. To disable, set to "". + server.x.frame.options: sameorigin + + ## Repo-server properties + # -- Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit. + reposerver.parallelism.limit: 0 # -- Array of extra K8s manifests to deploy extraObjects: [] 
@@ -88,11 +366,32 @@ extraObjects: []
 # labels:
 # app.kubernetes.io/part-of: argocd
-## Controller
+## Application controller
 controller:
 # -- Application controller name string
 name: application-controller
+ # -- The number of application controller pods to run.
+ # Additional replicas will cause sharding of managed clusters across number of replicas.
+ replicas: 1
+
+ ## Application controller Pod Disruption Budget
+ ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ pdb:
+ # -- Deploy a [PodDisruptionBudget] for the application controller
+ enabled: false
+ # -- Labels to be added to application controller pdb
+ labels: {}
+ # -- Annotations to be added to application controller pdb
+ annotations: {}
+ # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
+ # @default -- `""` (defaults to 0 if not specified)
+ minAvailable: ""
+ # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%).
+ ## Has higher precedence over `controller.pdb.minAvailable`
+ maxUnavailable: ""
+
+ ## Application controller image
 image:
 # -- Repository to use for the application controller
 # @default -- `""` (defaults to global.image.repository)
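Review bot: The `maxUnavailable` description misspells "unavailble"; the same line is repeated verbatim in the dex, redis, server and repoServer `pdb` blocks added later in this commit, so correct each to `# -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%).`. With `pdb.enabled: true` and both `minAvailable` and `maxUnavailable` left at `""`, the `@default` note says `minAvailable` falls back to 0, which is a budget that still allows every pod to be evicted; the `enabled` comment should say that one of the two values has to be set for the budget to protect anything. The new `replicas` comment drops the old instruction to pass the count as `ARGOCD_CONTROLLER_REPLICAS` (removed in the next hunk); if the template now injects that variable itself, say so here, because the sharding it describes presumably depends on the controller seeing the same number.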
@@ -104,39 +403,39 @@ controller:
 # @default -- `""` (defaults to global.image.imagePullPolicy)
 imagePullPolicy: ""
- # -- The number of application controller pods to run.
- # If changing the number of replicas you must pass the number as `ARGOCD_CONTROLLER_REPLICAS` as an environment variable
- replicas: 1
-
- # -- Deploy the application controller as a StatefulSet instead of a Deployment, this is required for HA capability.
- enableStatefulSet: true
-
- ## Application controller commandline flags
- args:
- # -- define the application controller `--status-processors`
- statusProcessors: "20"
- # -- define the application controller `--operation-processors`
- operationProcessors: "10"
- # -- define the application controller `--app-resync`
- appResyncPeriod: "180"
- # -- define the application controller `--self-heal-timeout-seconds`
- selfHealTimeout: "5"
- # -- define the application controller `--repo-server-timeout-seconds`
- repoServerTimeoutSeconds: "60"
+ # -- Secrets with credentials to pull images from a private registry
+ # @default -- `[]` (defaults to global.imagePullSecrets)
+ imagePullSecrets: []
+ # -- DEPRECATED - Application controller commandline flags
+ args: {}
+ # DEPRECATED - Use configs.params to override
+ # # -- define the application controller `--status-processors`
+ # statusProcessors: "20"
+ # # -- define the application controller `--operation-processors`
+ # operationProcessors: "10"
+ # # -- define the application controller `--app-hard-resync`
+ # appHardResyncPeriod: "0"
+ # # -- define the application controller `--app-resync`
+ # appResyncPeriod: "180"
+ # # -- define the application controller `--self-heal-timeout-seconds`
+ # selfHealTimeout: "5"
+ # # -- define the application controller `--repo-server-timeout-seconds`
+ # repoServerTimeoutSeconds: "60"
+
+ # DEPRECATED - Use configs.params to override
 # -- Application controller log format. Either `text` or `json`
- logFormat: text
- # -- Application controller log level
- logLevel: info
+ # @default -- `""` (defaults to global.logging.format)
+ # logFormat: ""
+ # -- Application controller log level. One of: `debug`, `info`, `warn` or `error`
+ # @default -- `""` (defaults to global.logging.level)
+ # logLevel: ""
 # -- Additional command line arguments to pass to application controller
 extraArgs: []
 # -- Environment variables to pass to application controller
- env:
- []
- # - name: "ARGOCD_CONTROLLER_REPLICAS"
- # value: ""
+ env: []
 # -- envFrom to pass to application controller
 # @default -- `[]` (See [values.yaml])
@@ -241,6 +540,8 @@ controller:
 name: argocd-application-controller
 # -- Annotations applied to created service account
 annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
 # -- Automount API credentials for the Service Account
 automountServiceAccountToken: true
@@ -290,7 +591,7 @@ controller:
 spec: []
 # - alert: ArgoAppMissing
 # expr: |
- # absent(argocd_app_info)
+ # absent(argocd_app_info) == 1
 # for: 15m
 # labels:
 # severity: critical
@@ -352,20 +653,6 @@ controller:
 # name: custom-tools
 # subPath: helm
- pdb:
- # -- Labels to be added to application controller pdb
- labels: {}
- # -- Annotations to be added to application controller pdb
- annotations: {}
-
- # -- Deploy a Poddisruptionbudget for the application controller
- enabled: false
- # minAvailable: 1
- # maxUnavailable: 0
-
- # -- Secrets with credentials to pull images from a private registry
- imagePullSecrets: []
-
 ## Dex
 dex:
 # -- Enable dex
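Review bot: `enableStatefulSet`, the `args.*` flag keys and the `env` example are dropped as live keys, so an override such as `controller.enableStatefulSet: false` or `controller.args.appResyncPeriod` is now ignored at `helm upgrade` time without any error; a `values.schema.json` rule or a template `fail` on the removed keys, plus an upgrade note, would make the break visible — the same applies to `server.staticAssets` removed in the later `@@ -879` hunk. The unchanged `# -- Application controller log format` helm-docs line now sits above commented-out keys, so helm-docs will presumably attach it to the next live key (`extraArgs`) or emit a stray entry; commenting the marker the way the `args` examples do (`# # -- ...`) avoids that. The `controller:` mapping this hunk edits starts before the hunk.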
@@ -408,14 +695,36 @@ dex:
 # -- Prometheus ServiceMonitor labels
 additionalLabels: {}
+ ## Dex Pod Disruption Budget
+ ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ pdb:
+ # -- Deploy a [PodDisruptionBudget] for the Dex server
+ enabled: false
+ # -- Labels to be added to Dex server pdb
+ labels: {}
+ # -- Annotations to be added to Dex server pdb
+ annotations: {}
+ # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
+ # @default -- `""` (defaults to 0 if not specified)
+ minAvailable: ""
+ # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%).
+ ## Has higher precedence over `dex.pdb.minAvailable`
+ maxUnavailable: ""
+
+ ## Dex image
 image:
 # -- Dex image repository
 repository: ghcr.io/dexidp/dex
 # -- Dex image tag
- tag: v2.30.2
+ tag: v2.35.1-distroless
 # -- Dex imagePullPolicy
 # @default -- `""` (defaults to global.image.imagePullPolicy)
 imagePullPolicy: ""
+
+ # -- Secrets with credentials to pull images from a private registry
+ # @default -- `[]` (defaults to global.imagePullSecrets)
+ imagePullSecrets: []
+
 initImage:
 # -- Argo CD init image repository
 # @default -- `""` (defaults to global.image.repository)
@@ -484,20 +793,10 @@ dex:
 automountServiceAccountToken: true
 # -- Additional volumeMounts to the dex main container
- volumeMounts:
- - name: static-files
- mountPath: /shared
+ volumeMounts: []
 # -- Additional volumes to the dex pod
- volumes:
- - name: static-files
- emptyDir: {}
-
- # -- Extra volumes to the dex pod
- extraVolumes: []
-
- # -- Extra volumeMounts to the dex pod
- extraVolumeMounts: []
+ volumes: []
 # -- Container port for HTTP access
 containerPortHttp: 5556
@@ -542,7 +841,7 @@ dex:
 # - all
 # readOnlyRootFilesystem: true
-# -- Resource limits and requests for dex
+ # -- Resource limits and requests for dex
 resources: {}
 # limits:
 # cpu: 50m
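Review bot: In the `@@ -484` hunk `extraVolumes` and `extraVolumeMounts` are removed and the `static-files` defaults are folded into `volumes`/`volumeMounts`, so a user who populated `dex.extraVolumes` gets those volumes silently dropped after upgrade; either keep the old keys as aliases in the template or fail on them, and say in the upgrade notes that custom mounts now go under `dex.volumes`. The image tag in the first hunk moves to `v2.35.1-distroless`, an image without a shell, which matters for any `volumeMounts` override or debugging habit that expects to exec into the dex container; the dropped `/shared` mount looks tied to that change and deserves a sentence of explanation next to the tag.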
@@ -570,20 +869,6 @@ dex:
 # name: custom-tools
 # subPath: helm
- pdb:
- # -- Labels to be added to Dex server pdb
- labels: {}
- # -- Annotations to be added to Dex server pdb
- annotations: {}
-
- # -- Deploy a Poddisruptionbudget for the Dex server
- enabled: false
- # minAvailable: 1
- # maxUnavailable: 0
-
- # -- Secrets with credentials to pull images from a private registry
- imagePullSecrets: []
-
 ## Redis
 redis:
 # -- Enable redis
@@ -591,14 +876,35 @@ redis:
 # -- Redis name
 name: redis
+ ## Redis Pod Disruption Budget
+ ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ pdb:
+ # -- Deploy a [PodDisruptionBudget] for the Redis
+ enabled: false
+ # -- Labels to be added to Redis pdb
+ labels: {}
+ # -- Annotations to be added to Redis pdb
+ annotations: {}
+ # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
+ # @default -- `""` (defaults to 0 if not specified)
+ minAvailable: ""
+ # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%).
+ ## Has higher precedence over `redis.pdb.minAvailable`
+ maxUnavailable: ""
+
+ ## Redis image
 image:
 # -- Redis repository
- repository: redis
+ repository: public.ecr.aws/docker/library/redis
 # -- Redis tag
- tag: 6.2.6-alpine
+ tag: 7.0.5-alpine
 # -- Redis imagePullPolicy
 imagePullPolicy: IfNotPresent
+ # -- Secrets with credentials to pull images from a private registry
+ # @default -- `[]` (defaults to global.imagePullSecrets)
+ imagePullSecrets: []
+
 # -- Additional command line arguments to pass to redis-server
 extraArgs: []
 # - --bind
@@ -711,7 +1017,7 @@ redis:
 enabled: false
 image:
 # -- redis-exporter image repository
- repository: bitnami/redis-exporter
+ repository: public.ecr.aws/bitnami/redis-exporter
 # -- redis-exporter image tag
 tag: 1.26.0-debian-10-r2
 # -- redis-exporter image PullPolicy
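Review bot: The Redis image changes registry (`public.ecr.aws/docker/library/redis`) and major version (`6.2.6-alpine` → `7.0.5-alpine`) in the `@@ -591` hunk, and the exporter in `@@ -711` moves to `public.ecr.aws/bitnami/redis-exporter` while keeping `1.26.0-debian-10-r2`; please confirm that tag is published under the new repository, since a missing tag only shows up as an image pull failure during the upgrade. Both tags remain mutable, so an optional `image.digest` value (or at least the validated digest in the changelog) would let operators pin what was tested. A Redis major bump also warrants an upgrade-notes entry rather than being folded into a pdb refactor.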
@@ -761,19 +1067,6 @@ redis:
 # -- Prometheus ServiceMonitor labels
 additionalLabels: {}
- pdb:
- # -- Labels to be added to Redis server pdb
- labels: {}
- # -- Annotations to be added to Redis server pdb
- annotations: {}
-
- # -- Deploy a Poddisruptionbudget for the Redis server
- enabled: false
- # minAvailable: 1
- # maxUnavailable: 0
-
- # -- Secrets with credentials to pull images from a private registry
- imagePullSecrets: []
 # This key configures Redis-HA subchart and when enabled (redis-ha.enabled=true)
 # the custom redis deployment is omitted
@@ -784,12 +1077,6 @@ redis-ha:
 exporter:
 # -- If `true`, the prometheus exporter sidecar is enabled
 enabled: true
- # -- Exporter image
- # @default -- `nil` (follows subchart default)
- image: ~
- # -- Exporter tag
- # @default -- `nil` (follows subchart default)
- tag: ~
 persistentVolume:
 # -- Configures persistency on Redis nodes
 enabled: false
@@ -805,22 +1092,12 @@ redis-ha:
 haproxy:
 # -- Enabled HAProxy LoadBalancing/Proxy
 enabled: true
- image:
- # -- HAProxy Image Repository
- # @default -- `nil` (follows subchart default)
- repository: ~
- # -- HAProxy Image Tag
- # @default -- `nil` (follows subchart default)
- tag: ~
 metrics:
 # -- HAProxy enable prometheus metric scraping
 enabled: true
 image:
- # -- Redis image repository
- # @default -- `nil` (follows subchart default)
- repository: ~
 # -- Redis tag
- tag: 6.2.6-alpine
+ tag: 7.0.5-alpine
 ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
 topologySpreadConstraints:
@@ -840,6 +1117,8 @@ redis-ha:
 externalRedis:
 # -- External Redis server host
 host: ""
+ # -- External Redis username
+ username: ""
 # -- External Redis password
 password: ""
 # -- External Redis server port
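Review bot: `externalRedis.username` is added as a plain value beside `password`, but the `existingSecret` description in the next hunk still says the secret must contain `redis-password` only; state whether a username key is read from that secret as well, because otherwise `existingSecret` users cannot supply a username without also putting it in values. In `@@ -805` the `redis-ha.image.repository` override is removed while `tag: 7.0.5-alpine` is kept, so that tag is now combined with whatever repository the subchart defaults to; confirm that combination exists and note it in the changelog alongside the `redis.image` change.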
@@ -847,6 +1126,8 @@ externalRedis:
 # -- The name of an existing secret with Redis credentials (must contain key `redis-password`).
 # When it's set, the `externalRedis.password` parameter is ignored
 existingSecret: ""
+ # -- External Redis Secret annotations
+ secretAnnotations: {}
 ## Server
 server:
@@ -856,6 +1137,7 @@ server:
 # -- The number of server pods to run
 replicas: 1
+ ## Argo CD server Horizontal Pod Autoscaler
 autoscaling:
 # -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server
 enabled: false
@@ -867,7 +1149,39 @@ server:
 targetCPUUtilizationPercentage: 50
 # -- Average memory utilization percentage for the Argo CD server [HPA]
 targetMemoryUtilizationPercentage: 50
-
+ # -- Configures the scaling behavior of the target in both Up and Down directions.
+ # This is only available on HPA apiVersion `autoscaling/v2beta2` and newer
+ behavior: {}
+ # scaleDown:
+ # stabilizationWindowSeconds: 300
+ # policies:
+ # - type: Pods
+ # value: 1
+ # periodSeconds: 180
+ # scaleUp:
+ # stabilizationWindowSeconds: 300
+ # policies:
+ # - type: Pods
+ # value: 2
+ # periodSeconds: 60
+
+ ## Argo CD server Pod Disruption Budget
+ ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ pdb:
+ # -- Deploy a [PodDisruptionBudget] for the Argo CD server
+ enabled: false
+ # -- Labels to be added to Argo CD server pdb
+ labels: {}
+ # -- Annotations to be added to Argo CD server pdb
+ annotations: {}
+ # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
+ # @default -- `""` (defaults to 0 if not specified)
+ minAvailable: ""
+ # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%).
+ ## Has higher precedence over `server.pdb.minAvailable`
+ maxUnavailable: ""
+
+ ## Argo CD server image
 image:
 # -- Repository to use for the Argo CD server
 # @default -- `""` (defaults to global.image.repository)
@@ -879,14 +1193,12 @@ server:
 # @default -- `""` (defaults to global.image.imagePullPolicy)
 imagePullPolicy: "" # IfNotPresent
+ # -- Secrets with credentials to pull images from a private registry
+ # @default -- `[]` (defaults to global.imagePullSecrets)
+ imagePullSecrets: []
+
 # -- Additional command line arguments to pass to Argo CD server
 extraArgs: []
- # - --insecure
-
- # This flag is used to either remove or pass the CLI flag --staticassets /shared/app to the Argo CD server app
- staticAssets:
- # -- Disable deprecated flag `--staticassets`
- enabled: true
 # -- Environment variables to pass to Argo CD server
 env: []
@@ -902,10 +1214,13 @@ server:
 # -- Specify postStart and preStop lifecycle hooks for your argo-cd-server container
 lifecycle: {}
+ # DEPRECATED - Use configs.params to override
 # -- Argo CD server log format: Either `text` or `json`
- logFormat: text
- # -- Argo CD server log level
- logLevel: info
+ # @default -- `""` (defaults to global.logging.format)
+ # logFormat: ""
+ # -- Argo CD server log level. One of: `debug`, `info`, `warn` or `error`
+ # @default -- `""` (defaults to global.logging.level)
+ # logLevel: ""
 # -- Annotations to be added to server pods
 podAnnotations: {}
@@ -993,6 +1308,16 @@ server:
 duration: ""
 # -- How long before the currently issued certificate's expiry cert-manager should renew the certificate. Value must be in units accepted by Go time.ParseDuration
 renewBefore: ""
+ # Private key of the certificate
+ privateKey:
+ # -- Rotation policy of private key when certificate is re-issued. Either: `Never` or `Always`
+ rotationPolicy: Never
+ # -- The private key cryptography standards (PKCS) encoding for private key. Either: `PCKS1` or `PKCS8`
+ encoding: PKCS1
+ # -- Algorithm used to generate certificate private key. One of: `RSA`, `Ed25519` or `ECDSA`
+ algorithm: RSA
+ # -- Key bit size of the private key. If algorithm is set to `Ed25519`, size is ignored.
+ size: 2048
 issuer:
 # -- Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io`
 group: ""
@@ -1082,6 +1407,8 @@ server:
 name: argocd-server
 # -- Annotations applied to created service account
 annotations: {}
+ # -- Labels applied to created service account
+ labels: {}
 # -- Automount API credentials for the Service Account
 automountServiceAccountToken: true
@@ -1135,7 +1462,7 @@ server:
 https: false
 # dedicated ingress for gRPC as documented at
- # Ref: https://argoproj.github.io/argo-cd/operator-manual/ingress/
+ # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/
 ingressGrpc:
 # -- Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress]
 enabled: false
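Review bot: `rotationPolicy: Never` makes cert-manager reuse the same private key on every renewal, so a key that leaks once stays in use across every renewed certificate; `Always` is the safer default for a newly introduced option, and if `Never` is kept for compatibility the comment should say so and recommend switching. The encoding comment misspells one of the accepted values: `# -- The private key cryptography standards (PKCS) encoding for private key. Either: `PKCS1` or `PKCS8``. The `size` comment could also state that `ECDSA` accepts only `256`, `384` or `521`, so a copied `2048` fails validation when the algorithm is changed.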
@@ -1224,22 +1551,43 @@ server:
 config:
 # Argo CD's externally facing base URL (optional). Required when configuring SSO
 url: ""
+ # Argo CD instance label key
 application.instanceLabelKey: argocd.argoproj.io/instance
- # DEPRECATED: Please instead use configs.credentialTemplates and configs.repositories
- # repositories: |
- # - url: git@github.com:group/repo.git
- # sshPrivateKeySecret:
- # name: secret-name
- # key: sshPrivateKey
- # - type: helm
- # url: https://charts.helm.sh/stable
- # name: stable
- # - type: helm
- # url: https://argoproj.github.io/argo-helm
- # name: argo
-
+ # Enable logs RBAC enforcement
+ # Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.3-2.4/#enable-logs-rbac-enforcement
+ server.rbac.log.enforce.enable: "false"
+
+ # exec.enabled indicates whether the UI exec feature is enabled. It is disabled by default.
+ # Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/#exec-resource
+ exec.enabled: "false"
+
+ # admin.enabled indicates whether the admin user is enabled. It is enabled by default.
+ # https://argo-cd.readthedocs.io/en/latest/faq/#how-to-disable-admin-user
+ admin.enabled: "true"
+
+ # Application reconciliation timeout is the max amount of time required to discover if a new manifests version got
+ # published to the repository. Reconciliation by timeout is disabled if timeout is set to 0. Three minutes by default.
+ timeout.reconciliation: 180s
+
+ # Timeout to refresh application data as well as target manifests cache
+ timeout.hard.reconciliation: "0"
+
+ # Dex configuration
+ # dex.config: |
+ # connectors:
+ # # GitHub example
+ # - type: github
+ # id: github
+ # name: GitHub
+ # config:
+ # clientID: aabbccddeeff00112233
+ # clientSecret: $dex.github.clientSecret # Alternatively $:dex.github.clientSecret
+ # orgs:
+ # - name: your-github-org
+
 # OIDC configuration as an alternative to dex (optional).
 # oidc.config: |
 # name: AzureAD
 # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
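Review bot: `server.rbac.log.enforce.enable: "false"` leaves pod logs outside the RBAC policy, so, as I read the linked 2.3→2.4 upgrade note, any user who can `get` an application can read that application's logs; the comment should spell that consequence out and recommend `"true"` for new installs, with the `"false"` default presumably kept only for upgrade compatibility. `admin.enabled: "true"` likewise deserves a reminder to set it to `"false"` once `dex.config` or `oidc.config` is in place, which is what the linked FAQ advises. Quoting is inconsistent within the block: `timeout.reconciliation: 180s` is unquoted while the other new values are quoted strings; write it as `timeout.reconciliation: "180s"` so every ConfigMap value is uniformly a string.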
@@ -1286,82 +1634,6 @@ server:
 # by something else. Argo CD will not work if there is no configMap created with the name above.
 rbacConfigCreate: true
- # -- Deploy Argo CD Applications within this helm release
- # @default -- `[]` (See [values.yaml])
- ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/
- additionalApplications: []
- # - name: guestbook
- # namespace: argocd
- # additionalLabels: {}
- # additionalAnnotations: {}
- # finalizers:
- # - resources-finalizer.argocd.argoproj.io
- # project: guestbook
- # source:
- # repoURL: https://github.com/argoproj/argocd-example-apps.git
- # targetRevision: HEAD
- # path: guestbook
- # directory:
- # recurse: true
- # destination:
- # server: https://kubernetes.default.svc
- # namespace: guestbook
- # syncPolicy:
- # automated:
- # prune: false
- # selfHeal: false
- # ignoreDifferences:
- # - group: apps
- # kind: Deployment
- # jsonPointers:
- # - /spec/replicas
- # info:
- # - name: url
- # value: https://argoproj.github.io/
-
- # -- Deploy Argo CD Projects within this helm release
- # @default -- `[]` (See [values.yaml])
- ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/
- additionalProjects: []
- # - name: guestbook
- # namespace: argocd
- # additionalLabels: {}
- # additionalAnnotations: {}
- # finalizers:
- # - resources-finalizer.argocd.argoproj.io
- # description: Example Project
- # sourceRepos:
- # - '*'
- # destinations:
- # - namespace: guestbook
- # server: https://kubernetes.default.svc
- # clusterResourceWhitelist: []
- # namespaceResourceBlacklist:
- # - group: ''
- # kind: ResourceQuota
- # - group: ''
- # kind: LimitRange
- # - group: ''
- # kind: NetworkPolicy
- # orphanedResources: {}
- # roles: []
- # namespaceResourceWhitelist:
- # - group: 'apps'
- # kind: Deployment
- # - group: 'apps'
- # kind: StatefulSet
- # orphanedResources: {}
- # roles: []
- # syncWindows:
- # - kind: allow
- # schedule: '10 1 * * *'
- # duration: 1h
- # applications:
- # - '*-prod'
- # manualSync: true
- # signatureKeys:
- # - keyID: ABCDEF1234567890
-
 ## Enable Admin ClusterRole resources.
 ## Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster.
 clusterAdminAccess:
@@ -1443,11 +1715,14 @@ server:
 # name: custom-tools
 # subPath: helm
+ ## Argo UI extensions
+ ## This function in tech preview stage, do expect unstability or breaking changes in newer versions.
+ ## Ref: https://github.com/argoproj-labs/argocd-extensions
 extensions:
- # -- Enable support for extensions
- ## This function in tech preview stage, do expect unstability or breaking changes in newer versions. Bump image.tag if necessary.
+ # -- Enable support for Argo UI extensions
 enabled: false
+ ## Argo UI extensions image
 image:
 # -- Repository to use for extensions image
 repository: "ghcr.io/argoproj-labs/argocd-extensions"
@@ -1465,25 +1740,6 @@ server:
 # cpu: 10m
 # memory: 64Mi
- # -- Extensions to be loaded into the server
- contents: []
- # - name: argo-rollouts
- # url: https://github.com/argoproj-labs/rollout-extension/releases/download/v0.1.0/extension.tar
-
- pdb:
- # -- Labels to be added to server pdb
- labels: {}
- # -- Annotations to be added to server pdb
- annotations: {}
-
- # -- Deploy a Poddisruptionbudget for the server
- enabled: false
- # minAvailable: 1
- # maxUnavailable: 0
-
- # -- Secrets with credentials to pull images from a private registry
- imagePullSecrets: []
-
 ## Repo Server
 repoServer:
 # -- Repo server name
@@ -1492,6 +1748,7 @@ repoServer:
 # -- The number of repo server pods to run
 replicas: 1
+ ## Repo server Horizontal Pod Autoscaler
 autoscaling:
 # -- Enable Horizontal Pod Autoscaler ([HPA]) for the repo server
 enabled: false
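Review bot: The new description of the extensions block in the `@@ -1443` hunk reads `## This function in tech preview stage, do expect unstability or breaking changes in newer versions.`; suggest `## This feature is in tech preview; expect instability or breaking changes in newer versions.`. The following `@@ -1465` hunk removes `extensions.contents`, so `enabled: true` no longer has a visible way to declare which extensions are loaded; the comment on `enabled` should say where extensions are now configured, or the removal should be called out as a breaking change in the upgrade notes.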
@@ -1503,7 +1760,39 @@ repoServer:
 targetCPUUtilizationPercentage: 50
 # -- Average memory utilization percentage for the repo server [HPA]
 targetMemoryUtilizationPercentage: 50
-
+ # -- Configures the scaling behavior of the target in both Up and Down directions.
+ # This is only available on HPA apiVersion `autoscaling/v2beta2` and newer
+ behavior: {}
+ # scaleDown:
+ # stabilizationWindowSeconds: 300
+ # policies:
+ # - type: Pods
+ # value: 1
+ # periodSeconds: 180
+ # scaleUp:
+ # stabilizationWindowSeconds: 300
+ # policies:
+ # - type: Pods
+ # value: 2
+ # periodSeconds: 60
+
+ ## Repo server Pod Disruption Budget
+ ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ pdb:
+ # -- Deploy a [PodDisruptionBudget] for the repo server
+ enabled: false
+ # -- Labels to be added to repo server pdb
+ labels: {}
+ # -- Annotations to be added to repo server pdb
+ annotations: {}
+ # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
+ # @default -- `""` (defaults to 0 if not specified)
+ minAvailable: ""
+ # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%).
+ ## Has higher precedence over `repoServer.pdb.minAvailable`
+ maxUnavailable: ""
+
+ ## Repo server image
 image:
 # -- Repository to use for the repo server
 # @default -- `""` (defaults to global.image.repository)
@@ -1515,6 +1804,10 @@ repoServer:
 # @default -- `""` (defaults to global.image.imagePullPolicy)
 imagePullPolicy: "" # IfNotPresent
+ # -- Secrets with credentials to pull images from a private registry
+ # @default -- `[]` (defaults to global.imagePullSecrets)
+ imagePullSecrets: []
+
 # -- Additional command line arguments to pass to repo server
 extraArgs: []
@@ -1529,10 +1822,13 @@ repoServer:
 # - secretRef:
 # name: secret-name
+ # DEPRECATED - Use configs.params to override
 # -- Repo server log format: Either `text` or `json`
- logFormat: text
- # -- Repo server log level
- logLevel: info
+ # @default -- `""` (defaults to global.logging.level)
+ # logFormat: ""
+ # -- Repo server log level. One of: `debug`, `info`, `warn` or `error`
+ # @default -- `""` (defaults to global.logging.format)
+ # logLevel: ""
 # -- Annotations to be added to repo server pods
 podAnnotations: {}
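Review bot: The two `@default` annotations are swapped: `logFormat` is said to default to `global.logging.level` and `logLevel` to `global.logging.format`, whereas the controller and server blocks in this commit have them the other way round. Change them to `# @default -- `""` (defaults to global.logging.format)` above `# logFormat: ""` and `# @default -- `""` (defaults to global.logging.level)` above `# logLevel: ""`.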
@@ -1575,406 +1871,193 @@ repoServer: # -- Additional volumes to the repo server pod volumes: [] ## Use init containers to configure custom tooling - ## https://argoproj.github.io/argo-cd/operator-manual/custom_tools/ + ## https://argo-cd.readthedocs.io/en/stable/operator-manual/custom_tools/ ## When using the volumes & volumeMounts section bellow, please comment out those above. # - name: custom-tools # emptyDir: {} - # -- [Node selector] - nodeSelector: {} - # -- [Tolerations] for use with node taints - tolerations: [] - # -- Assign custom [affinity] rules to the deployment - affinity: {} - - # -- Assign custom [TopologySpreadConstraints] rules to the repo server - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - - # -- Priority class for the repo server - priorityClassName: "" - - # -- Repo server container-level security context - containerSecurityContext: - {} - # capabilities: - # drop: - # - all - # readOnlyRootFilesystem: true - - # -- Resource limits and requests for the repo server pods - resources: {} - # limits: - # cpu: 50m - # memory: 128Mi - # requests: - # cpu: 10m - # memory: 64Mi - - ## Repo server service configuration - service: - # -- Repo server service annotations - annotations: {} - # -- Repo server service labels - labels: {} - # -- Repo server service port - port: 8081 - # -- Repo server service port name - portName: https-repo-server - - ## Repo server metrics service configuration - metrics: - # -- Deploy metrics service - enabled: false - service: - # -- Metrics service annotations - annotations: {} - # -- Metrics service labels - labels: {} - # -- Metrics service port - servicePort: 8084 - # -- Metrics service port name - portName: http-metrics - 
serviceMonitor: - # -- Enable a prometheus ServiceMonitor - enabled: false - # -- Prometheus ServiceMonitor interval - interval: 30s - # -- Prometheus [RelabelConfigs] to apply to samples before scraping - relabelings: [] - # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion - metricRelabelings: [] - # -- Prometheus ServiceMonitor selector - selector: {} - # prometheus: kube-prometheus - - # -- Prometheus ServiceMonitor scheme - scheme: "" - # -- Prometheus ServiceMonitor tlsConfig - tlsConfig: {} - # -- Prometheus ServiceMonitor namespace - namespace: "" # "monitoring" - # -- Prometheus ServiceMonitor labels - additionalLabels: {} - - ## Enable Admin ClusterRole resources. - ## Enable if you would like to grant cluster rights to Argo CD repo server. - clusterAdminAccess: - # -- Enable RBAC for local cluster deployments - enabled: false - ## Enable Custom Rules for the Repo server's Cluster Role resource - ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. 
- ## Defaults to off - clusterRoleRules: - # -- Enable custom rules for the Repo server's Cluster Role resource - enabled: false - # -- List of custom rules for the Repo server's Cluster Role resource - rules: [] - - ## Repo server service account - ## If create is set to true, make sure to uncomment the name and update the rbac section below - serviceAccount: - # -- Create repo server service account - create: true - # -- Repo server service account name - name: "" # "argocd-repo-server" - # -- Annotations applied to created service account - annotations: {} - # -- Automount API credentials for the Service Account - automountServiceAccountToken: true - - # -- Additional containers to be added to the repo server pod - extraContainers: [] - - # -- Repo server rbac rules - rbac: [] - # - apiGroups: - # - argoproj.io - # resources: - # - applications - # verbs: - # - get - # - list - # - watch - - # Init container to copy argocd binary - copyutil: - # -- Resource limits and requests for the copyutil initContainer - resources: {} - # limits: - # cpu: 50m - # memory: 64Mi - # requests: - # cpu: 10m - # memory: 32Mi - - # -- Init containers to add to the repo server pods - initContainers: [] - # - name: download-tools - # image: alpine:3.8 - # command: [sh, -c] - # args: - # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && - # mv linux-amd64/helm /custom-tools/ - # volumeMounts: - # - mountPath: /custom-tools - # name: custom-tools - # volumeMounts: - # - mountPath: /usr/local/bin/helm - # name: custom-tools - # subPath: helm - - pdb: - # -- Labels to be added to Repo server pdb - labels: {} - # -- Annotations to be added to Repo server pdb - annotations: {} - - # -- Deploy a Poddisruptionbudget for the Repo server - enabled: false - # minAvailable: 1 - # maxUnavailable: 0 - - # -- Secrets with credentials to pull images from a private registry - imagePullSecrets: [] - -## Argo Configs -configs: - # -- Provide one or multiple [external 
cluster credentials] - # @default -- `[]` (See [values.yaml]) - ## Ref: - ## - https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#clusters - ## - https://argoproj.github.io/argo-cd/operator-manual/security/#external-cluster-credentials - clusterCredentials: [] - # - name: mycluster - # server: https://mycluster.com - # labels: {} - # annotations: {} - # config: - # bearerToken: "" - # tlsClientConfig: - # insecure: false - # caData: "" - # - name: mycluster2 - # server: https://mycluster2.com - # labels: {} - # annotations: {} - # namespaces: namespace1,namespace2 - # clusterResources: true - # config: - # bearerToken: "" - # tlsClientConfig: - # insecure: false - # caData: "" - - # -- GnuPG key ring annotations - gpgKeysAnnotations: {} - # -- [GnuPG](https://argoproj.github.io/argo-cd/user-guide/gpg-verification/) keys to add to the key ring - # @default -- `{}` (See [values.yaml]) - gpgKeys: {} - # 4AEE18F83AFDEB23: | - # -----BEGIN PGP PUBLIC KEY BLOCK----- - # - # mQENBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta - # x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT - # SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ - # 7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa - # buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v - # yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAG0NUdpdEh1YiAod2ViLWZs - # b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+iQEiBBMBCAAW - # BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEH/iATWFmi2oxlBh3wAsySNCNV4IPf - # DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6 - # 9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws - # +8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5 - # 4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O - # j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48= - # =Bvzs - # -----END PGP PUBLIC KEY BLOCK----- - - # -- Known Hosts configmap annotations - 
knownHostsAnnotations: {} - knownHosts: - data: - # -- Known Hosts - # @default -- See [values.yaml] - ssh_known_hosts: | - bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== - github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= - github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl - github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== - gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= - gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf - gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 - ssh.dev.azure.com ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H - vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H - # -- TLS certificate configmap annotations - tlsCertsAnnotations: {} - # -- TLS certificate - # @default -- See [values.yaml] - tlsCerts: - {} - # data: - # argocd.example.com: | - # -----BEGIN CERTIFICATE----- - # MIIF1zCCA7+gAwIBAgIUQdTcSHY2Sxd3Tq/v1eIEZPCNbOowDQYJKoZIhvcNAQEL - # BQAwezELMAkGA1UEBhMCREUxFTATBgNVBAgMDExvd2VyIFNheG9ueTEQMA4GA1UE - # BwwHSGFub3ZlcjEVMBMGA1UECgwMVGVzdGluZyBDb3JwMRIwEAYDVQQLDAlUZXN0 - # c3VpdGUxGDAWBgNVBAMMD2Jhci5leGFtcGxlLmNvbTAeFw0xOTA3MDgxMzU2MTda - # Fw0yMDA3MDcxMzU2MTdaMHsxCzAJBgNVBAYTAkRFMRUwEwYDVQQIDAxMb3dlciBT - # YXhvbnkxEDAOBgNVBAcMB0hhbm92ZXIxFTATBgNVBAoMDFRlc3RpbmcgQ29ycDES - # MBAGA1UECwwJVGVzdHN1aXRlMRgwFgYDVQQDDA9iYXIuZXhhbXBsZS5jb20wggIi - # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCv4mHMdVUcafmaSHVpUM0zZWp5 - # NFXfboxA4inuOkE8kZlbGSe7wiG9WqLirdr39Ts+WSAFA6oANvbzlu3JrEQ2CHPc - # CNQm6diPREFwcDPFCe/eMawbwkQAPVSHPts0UoRxnpZox5pn69ghncBR+jtvx+/u - # P6HdwW0qqTvfJnfAF1hBJ4oIk2AXiip5kkIznsAh9W6WRy6nTVCeetmIepDOGe0G - # ZJIRn/OfSz7NzKylfDCat2z3EAutyeT/5oXZoWOmGg/8T7pn/pR588GoYYKRQnp+ - # YilqCPFX+az09EqqK/iHXnkdZ/Z2fCuU+9M/Zhrnlwlygl3RuVBI6xhm/ZsXtL2E - # Gxa61lNy6pyx5+hSxHEFEJshXLtioRd702VdLKxEOuYSXKeJDs1x9o6cJ75S6hko - # 
Ml1L4zCU+xEsMcvb1iQ2n7PZdacqhkFRUVVVmJ56th8aYyX7KNX6M9CD+kMpNm6J - # kKC1li/Iy+RI138bAvaFplajMF551kt44dSvIoJIbTr1LigudzWPqk31QaZXV/4u - # kD1n4p/XMc9HYU/was/CmQBFqmIZedTLTtK7clkuFN6wbwzdo1wmUNgnySQuMacO - # gxhHxxzRWxd24uLyk9Px+9U3BfVPaRLiOPaPoC58lyVOykjSgfpgbus7JS69fCq7 - # bEH4Jatp/10zkco+UQIDAQABo1MwUTAdBgNVHQ4EFgQUjXH6PHi92y4C4hQpey86 - # r6+x1ewwHwYDVR0jBBgwFoAUjXH6PHi92y4C4hQpey86r6+x1ewwDwYDVR0TAQH/ - # BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAFE4SdKsX9UsLy+Z0xuHSxhTd0jfn - # Iih5mtzb8CDNO5oTw4z0aMeAvpsUvjJ/XjgxnkiRACXh7K9hsG2r+ageRWGevyvx - # CaRXFbherV1kTnZw4Y9/pgZTYVWs9jlqFOppz5sStkfjsDQ5lmPJGDii/StENAz2 - # XmtiPOgfG9Upb0GAJBCuKnrU9bIcT4L20gd2F4Y14ccyjlf8UiUi192IX6yM9OjT - # +TuXwZgqnTOq6piVgr+FTSa24qSvaXb5z/mJDLlk23npecTouLg83TNSn3R6fYQr - # d/Y9eXuUJ8U7/qTh2Ulz071AO9KzPOmleYPTx4Xty4xAtWi1QE5NHW9/Ajlv5OtO - # OnMNWIs7ssDJBsB7VFC8hcwf79jz7kC0xmQqDfw51Xhhk04kla+v+HZcFW2AO9so - # 6ZdVHHQnIbJa7yQJKZ+hK49IOoBR6JgdB5kymoplLLiuqZSYTcwSBZ72FYTm3iAr - # jzvt1hxpxVDmXvRnkhRrIRhK4QgJL0jRmirBjDY+PYYd7bdRIjN7WNZLFsgplnS8 - # 9w6CwG32pRlm0c8kkiQ7FXA6BYCqOsDI8f1VGQv331OpR2Ck+FTv+L7DAmg6l37W - # +LB9LGh4OAp68ImTjqf6ioGKG0RBSznwME+r4nXtT1S/qLR6ASWUS4ViWRhbRlNK - # XWyb96wrUlv+E8I= - # -----END CERTIFICATE----- - - # -- *DEPRECATED:* Instead, use `configs.credentialTemplates` and/or `configs.repositories` - repositoryCredentials: {} + # -- [Node selector] + nodeSelector: {} + # -- [Tolerations] for use with node taints + tolerations: [] + # -- Assign custom [affinity] rules to the deployment + affinity: {} - # -- Repository credentials to be used as Templates for other repos - ## Creates a secret for each key/value specified below to create repository credentials - credentialTemplates: {} - # github-enterprise-creds-1: - # url: https://github.com/argoproj - # githubAppID: 1 - # githubAppInstallationID: 2 - # githubAppEnterpriseBaseUrl: https://ghe.example.com/api/v3 - # githubAppPrivateKey: | - # -----BEGIN OPENSSH PRIVATE KEY----- - # ... 
- # -----END OPENSSH PRIVATE KEY----- - # https-creds: - # url: https://github.com/argoproj - # password: my-password - # username: my-username - # ssh-creds: - # url: git@github.com:argoproj-labs - # sshPrivateKey: | - # -----BEGIN OPENSSH PRIVATE KEY----- - # ... - # -----END OPENSSH PRIVATE KEY----- + # -- Assign custom [TopologySpreadConstraints] rules to the repo server + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule - # -- Repositories list to be used by applications - ## Creates a secret for each key/value specified below to create repositories - ## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials". - repositories: {} - # istio-helm-repo: - # url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts - # name: istio.io - # type: helm - # private-helm-repo: - # url: https://my-private-chart-repo.internal - # name: private-repo - # type: helm - # password: my-password - # username: my-username - # private-repo: - # url: https://github.com/argoproj/private-repo + # -- Priority class for the repo server + priorityClassName: "" - secret: - # -- Create the argocd-secret - createSecret: true - # -- Annotations to be added to argocd-secret + # -- Repo server container-level security context + containerSecurityContext: + {} + # capabilities: + # drop: + # - all + # readOnlyRootFilesystem: true + + # -- Resource limits and requests for the repo server pods + resources: {} + # limits: + # cpu: 50m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 64Mi + + ## Repo server service configuration + service: + # -- Repo server service annotations annotations: {} + # -- Repo server 
service labels + labels: {} + # -- Repo server service port + port: 8081 + # -- Repo server service port name + portName: https-repo-server - # -- Shared secret for authenticating GitHub webhook events - githubSecret: "" - # -- Shared secret for authenticating GitLab webhook events - gitlabSecret: "" - # -- Shared secret for authenticating BitbucketServer webhook events - bitbucketServerSecret: "" - # -- UUID for authenticating Bitbucket webhook events - bitbucketUUID: "" - # -- Shared secret for authenticating Gogs webhook events - gogsSecret: "" + ## Repo server metrics service configuration + metrics: + # -- Deploy metrics service + enabled: false + service: + # -- Metrics service annotations + annotations: {} + # -- Metrics service labels + labels: {} + # -- Metrics service port + servicePort: 8084 + # -- Metrics service port name + portName: http-metrics + serviceMonitor: + # -- Enable a prometheus ServiceMonitor + enabled: false + # -- Prometheus ServiceMonitor interval + interval: 30s + # -- Prometheus [RelabelConfigs] to apply to samples before scraping + relabelings: [] + # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion + metricRelabelings: [] + # -- Prometheus ServiceMonitor selector + selector: {} + # prometheus: kube-prometheus - # -- add additional secrets to be added to argocd-secret - ## Custom secrets. Useful for injecting SSO secrets into environment variables. - ## Ref: https://argoproj.github.io/argo-cd/operator-manual/sso/ - ## Note that all values must be non-empty. 
- extra: - {} - # LDAP_PASSWORD: "mypassword" + # -- Prometheus ServiceMonitor scheme + scheme: "" + # -- Prometheus ServiceMonitor tlsConfig + tlsConfig: {} + # -- Prometheus ServiceMonitor namespace + namespace: "" # "monitoring" + # -- Prometheus ServiceMonitor labels + additionalLabels: {} - # -- Argo TLS Data - argocdServerTlsConfig: - {} - # key: - # crt: | - # -----BEGIN CERTIFICATE----- - # - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # - # -----END CERTIFICATE----- + ## Enable Admin ClusterRole resources. + ## Enable if you would like to grant cluster rights to Argo CD repo server. + clusterAdminAccess: + # -- Enable RBAC for local cluster deployments + enabled: false + ## Enable Custom Rules for the Repo server's Cluster Role resource + ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. + ## Defaults to off + clusterRoleRules: + # -- Enable custom rules for the Repo server's Cluster Role resource + enabled: false + # -- List of custom rules for the Repo server's Cluster Role resource + rules: [] - # -- Bcrypt hashed admin password - ## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with - ## `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'` - argocdServerAdminPassword: "" - # -- Admin password modification time. Eg. 
`"2006-01-02T15:04:05Z"` - # @default -- `""` (defaults to current time) - argocdServerAdminPasswordMtime: "" + ## Repo server service account + ## If create is set to true, make sure to uncomment the name and update the rbac section below + serviceAccount: + # -- Create repo server service account + create: true + # -- Repo server service account name + name: "" # "argocd-repo-server" + # -- Annotations applied to created service account + annotations: {} + # -- Labels applied to created service account + labels: {} + # -- Automount API credentials for the Service Account + automountServiceAccountToken: true - # -- Define custom [CSS styles] for your argo instance. - # This setting will automatically mount the provided CSS and reference it in the argo configuration. - # @default -- `""` (See [values.yaml]) - ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/ - styles: "" - # styles: | - # .nav-bar { - # background: linear-gradient(to bottom, #999, #777, #333, #222, #111); - # } + # -- Additional containers to be added to the repo server pod + extraContainers: [] -openshift: - # -- enables using arbitrary uid for argo repo server - enabled: false + # -- Repo server rbac rules + rbac: [] + # - apiGroups: + # - argoproj.io + # resources: + # - applications + # verbs: + # - get + # - list + # - watch + + # -- Init containers to add to the repo server pods + initContainers: [] + # - name: download-tools + # image: alpine:3.8 + # command: [sh, -c] + # args: + # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && + # mv linux-amd64/helm /custom-tools/ + # volumeMounts: + # - mountPath: /custom-tools + # name: custom-tools + # volumeMounts: + # - mountPath: /usr/local/bin/helm + # name: custom-tools + # subPath: helm +## ApplicationSet controller applicationSet: - # -- Enable Application Set controller + # -- Enable ApplicationSet controller enabled: true # -- Application Set controller name string name: 
applicationset-controller - # -- The number of controller pods to run + # -- The number of ApplicationSet controller pods to run replicaCount: 1 + ## ApplicationSet controller Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDisruptionBudget] for the ApplicationSet controller + enabled: false + # -- Labels to be added to ApplicationSet controller pdb + labels: {} + # -- Annotations to be added to ApplicationSet controller pdb + annotations: {} + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). + ## Has higher precedence over `applicationSet.pdb.minAvailable` + maxUnavailable: "" + + ## ApplicationSet controller image image: # -- Repository to use for the application set controller - repository: quay.io/argoproj/argocd-applicationset + # @default -- `""` (defaults to global.image.repository) + repository: "" # -- Tag to use for the application set controller - tag: "v0.4.1" + # @default -- `""` (defaults to global.image.tag) + tag: "" # -- Image pull policy for the application set controller # @default -- `""` (defaults to global.image.imagePullPolicy) imagePullPolicy: "" + # -- If defined, uses a Secret to pull an image from a private Docker registry or repository. + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + args: # -- The default metric address metricsAddr: :8080 
@@ -1989,6 +2072,13 @@ applicationSet: # -- Enable dry run mode dryRun: false + # -- ApplicationSet controller log format. Either `text` or `json` + # @default -- `""` (defaults to global.logging.format) + logFormat: "" + # -- ApplicationSet controller log level. One of: `debug`, `info`, `warn`, `error` + # @default -- `""` (defaults to global.logging.level) + logLevel: "" + # -- Additional containers to be added to the applicationset controller pod extraContainers: [] @@ -2027,9 +2117,6 @@ applicationSet: # -- Prometheus ServiceMonitor labels additionalLabels: {} - # -- If defined, uses a Secret to pull an image from a private Docker registry or repository. - imagePullSecrets: [] - ## Application set service configuration service: # -- Application set service annotations @@ -2046,6 +2133,8 @@ applicationSet: create: true # -- Annotations to add to the service account annotations: {} + # -- Labels applied to created service account + labels: {} # -- The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" @@ -2106,7 +2195,6 @@ applicationSet: # -- List of extra cli args to add extraArgs: [] - # - --loglevel=warn # -- Environment variables to pass to the controller extraEnv: [] @@ -2166,8 +2254,9 @@ applicationSet: # hosts: # - argocd-applicationset.example.com +## Notifications controller notifications: - # -- Enable Notifications controller + # -- Enable notifications controller enabled: true # -- Notifications controller name string 
@@ -2179,6 +2268,23 @@ notifications: # -- Argo CD dashboard url; used in place of {{.context.argocdUrl}} in templates argocdUrl: + ## Notifications controller Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDisruptionBudget] for the notifications controller + enabled: false + # -- Labels to be added to notifications controller pdb + labels: {} + # -- Annotations to be added to notifications controller pdb + annotations: {} + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). + ## Has higher precedence over `notifications.pdb.minAvailable` + maxUnavailable: "" + + ## Notifications controller image image: # -- Repository to use for the notifications controller # @default -- `""` (defaults to global.image.repository) @@ -2191,15 +2297,12 @@ notifications: imagePullPolicy: "" # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) imagePullSecrets: [] # -- [Node selector] nodeSelector: {} - # -- The deployment strategy to use to replace existing pods with new ones - updateStrategy: - type: Recreate - # -- Define user-defined context ## For more information: https://argocd-notifications.readthedocs.io/en/stable/templates/#defining-user-defined-context context: {} 
@@ -2213,10 +2316,6 @@ notifications: # -- key:value pairs of annotations to be added to the secret annotations: {} - # -- The name of the secret to use. - ## If not set and create is true, the default name 'argocd-notifications-secret' is used - name: "" - # -- Generic key:value pairs to be inserted into the secret ## Can be used for templates, notification services etc. Some examples given below. ## For more information: https://argocd-notifications.readthedocs.io/en/stable/services/overview/ @@ -2233,10 +2332,12 @@ notifications: # email-password: # For more information: https://argocd-notifications.readthedocs.io/en/stable/services/email/ - # -- Set the logging level. (One of: `debug`, `info`, `warn`, `error`) - logLevel: info # -- Application controller log format. Either `text` or `json` - logFormat: text + # @default -- `""` (defaults to global.logging.format) + logFormat: "" + # -- Application controller log level. One of: `debug`, `info`, `warn`, `error` + # @default -- `""` (defaults to global.logging.level) + logLevel: "" # -- Extra arguments to provide to the controller extraArgs: [] @@ -2244,6 +2345,14 @@ notifications: # -- Additional container environment variables extraEnv: [] + # -- envFrom to pass to the controller + # @default -- `[]` (See [values.yaml]) + extraEnvFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + # -- List of extra mounts to add (normally used with extraVolumes) extraVolumeMounts: [] # - mountPath: /tmp/foobar @@ -2295,13 +2404,12 @@ notifications: # -- Labels to be applied to the controller Pods podLabels: {} - # -- Pod Security Context - securityContext: - runAsNonRoot: true - # -- Container Security Context containerSecurityContext: {} + # -- Priority class for the controller pods + priorityClassName: "" + # -- Resource limits and requests for the controller resources: {} # limits: 
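Review bot: The synced notifications defaults delete the pod-level `securityContext` that carried `runAsNonRoot: true` (the block removed just before `containerSecurityContext: {}` in the `@@ -2295` hunk) without adding a replacement, so in this reference file the notifications controller pod no longer declares a non-root requirement; the 5.x chart may source it from a global default, but that is not visible in this diff. If the project's own Argo CD override values (not part of this chunk) relied on this default for the notifications controller, they should set the pod security context explicitly wherever the 5.x chart now reads it, so the non-root guarantee survives the upgrade. The enclosing `notifications:` mapping starts outside this hunk.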
@@ -2322,14 +2430,12 @@ notifications: # -- Annotations applied to created service account annotations: {} + # -- Labels applied to created service account + labels: {} cm: # -- Whether helm chart creates controller config map create: true - # -- The name of the config map to use. - ## If not set and create is true, the default name 'argocd-notifications-cm' is used - name: "" - # -- Contains centrally managed global application subscriptions ## For more information: https://argocd-notifications.readthedocs.io/en/stable/subscriptions/ subscriptions: [] @@ -2617,6 +2723,23 @@ notifications: updateStrategy: type: Recreate + ## Slack bot Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDisruptionBudget] for the Slack bot + enabled: false + # -- Labels to be added to Slack bot pdb + labels: {} + # -- Annotations to be added to Slack bot pdb + annotations: {} + # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) + # @default -- `""` (defaults to 0 if not specified) + minAvailable: "" + # -- Number of pods that are unavailble after eviction as number or percentage (eg.: 50%). + ## Has higher precedence over `notifications.bots.slack.pdb.minAvailable` + maxUnavailable: "" + + ## Slack bot imabe image: # -- Repository to use for the Slack bot # @default -- `""` (defaults to global.image.repository) @@ -2629,6 +2752,7 @@ notifications: imagePullPolicy: "" # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) imagePullSecrets: [] service: diff --git a/terraform/helm/nginx_values.yaml b/terraform/helm/nginx_values.yaml index adc9fd4..aba30eb 100644 --- a/terraform/helm/nginx_values.yaml +++ b/terraform/helm/nginx_values.yaml 
@@ -1,4 +1,4 @@
-# default values: https://github.com/kubernetes/ingress-nginx/blob/helm-chart-4.0.19/charts/ingress-nginx/values.yaml
+# default values: https://github.com/kubernetes/ingress-nginx/blob/helm-chart-4.3.0/charts/ingress-nginx/values.yaml
 ## nginx configuration
 ## Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/
diff --git a/terraform/helm/velero_default_values.yaml b/terraform/helm/velero_default_values.yaml
index 273daf0..6a7f955 100644
--- a/terraform/helm/velero_default_values.yaml
+++ b/terraform/helm/velero_default_values.yaml
@@ -1,4 +1,4 @@
-# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.29.4/charts/velero/values.yaml
+# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.32.1/charts/velero/values.yaml
 ##
 ## Configuration settings that directly affect the Velero deployment YAML.
@@ -8,7 +8,7 @@
 # enabling restic). Required.
 image:
 repository: velero/velero
- tag: v1.8.1
+ tag: v1.9.2
 # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38.
 # If used, it will take precedence over the image.tag.
 # digest:
@@ -55,13 +55,13 @@ dnsPolicy: ClusterFirst
 # If the value is a string then it is evaluated as a template.
 initContainers:
 # - name: velero-plugin-for-csi
- # image: velero/velero-plugin-for-csi:v0.2.0
+ # image: velero/velero-plugin-for-csi:v0.3.1
 # imagePullPolicy: IfNotPresent
 # volumeMounts:
 # - mountPath: /target
 # name: plugins
 # - name: velero-plugin-for-aws
- # image: velero/velero-plugin-for-aws:v1.4.1
+ # image: velero/velero-plugin-for-aws:v1.5.1
 # imagePullPolicy: IfNotPresent
 # volumeMounts:
 # - mountPath: /target
@@ -82,9 +82,15 @@ containerSecurityContext: {}
 # add: []
 # readOnlyRootFilesystem: true
+# Container Lifecycle Hooks to use for the Velero deployment. Optional.
+lifecycle: {}
+
 # Pod priority class name to use for the Velero deployment. Optional.
 priorityClassName: ""
+# The number of seconds to allow for graceful termination of the pod. Optional.
+terminationGracePeriodSeconds: 3600
+
 # Tolerations to use for the Velero deployment. Optional.
 tolerations: []
@@ -94,6 +100,9 @@ affinity: {}
 # Node selector to use for the Velero deployment. Optional.
 nodeSelector: {}
+# DNS configuration to use for the Velero deployment. Optional.
+dnsConfig: {}
+
 # Extra volumes for the Velero deployment. Optional.
 extraVolumes: []
@@ -148,6 +157,35 @@ metrics:
 additionalLabels: {}
 # ServiceMonitor namespace. Default to Velero namespace.
 # namespace:
+ # ServiceMonitor connection scheme. Defaults to HTTP.
+ # scheme: ""
+ # ServiceMonitor connection tlsConfig. Defaults to {}.
+ # tlsConfig: {}
+
+ prometheusRule:
+ enabled: false
+ # Additional labels to add to deployed PrometheusRule
+ additionalLabels: {}
+ # PrometheusRule namespace. Defaults to Velero namespace.
+ # namespace: ""
+ # Rules to be deployed
+ spec: []
+ # - alert: VeleroBackupPartialFailures
+ # annotations:
+ # message: Velero backup {{ $labels.schedule }} has {{ $value | humanizePercentage }} partialy failed backups.
+ # expr: |-
+ # velero_backup_partial_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25
+ # for: 15m
+ # labels:
+ # severity: warning
+ # - alert: VeleroBackupFailures
+ # annotations:
+ # message: Velero backup {{ $labels.schedule }} has {{ $value | humanizePercentage }} failed backups.
+ # expr: |-
+ # velero_backup_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25
+ # for: 15m
+ # labels:
+ # severity: warning
 kubectl:
 image:
@@ -204,6 +242,9 @@ configuration:
 prefix:
 # default indicates this location is the default backup storage location. Optional.
 default:
+ # accessMode determines if velero can write to this backup storage location. Optional.
+ # default to ReadWrite, ReadOnly is used during migrations and restores.
+ accessMode: ReadWrite
 # Additional provider-specific configuration. See link above
 # for details of required/optional fields for your provider.
 config: {}
@@ -258,7 +299,13 @@ configuration:
 # `velero server` default: 30
 clientBurst:
 # `velero server` default: empty
+ clientPageSize:
+ # `velero server` default: empty
 disableControllers:
+ # `velero server` default: 1m
+ storeValidationFrequency:
+ # `velero server` default: 1h
+ garbageCollectionFrequency:
 #
 # additional key/value pairs to be used as environment variables such as "AWS_CLUSTER_NAME: 'yourcluster.domain.tld'"
@@ -381,6 +428,9 @@ restic:
 # Extra volumeMounts for the Restic daemonset. Optional.
 extraVolumeMounts: []
+ # Key/value pairs to be used as environment variables for the Restic daemonset. Optional.
+ extraEnvVars: {}
+
 # Configure the dnsPolicy of the Restic daemonset
 # See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
 dnsPolicy: ClusterFirst
@@ -396,9 +446,18 @@ restic:
 # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 containerSecurityContext: {}
+ # Container Lifecycle Hooks to use for the Restic daemonset. Optional.
+ lifecycle: {}
+
 # Node selector to use for the Restic daemonset. Optional.
 nodeSelector: {}
+ # Affinity to use with Restic daemonset. Optional.
+ affinity: {}
+
+ # DNS configuration to use for the Restic daemonset. Optional.
+ dnsConfig: {}
+
 # Backup schedules to create.
 # Eg:
 # schedules:
@@ -424,7 +483,7 @@ schedules: {} # velero.io/plugin-config: "" # velero.io/restic: RestoreItemAction # data: -# image: velero/velero-restic-restore-helper:v1.8.1 +# image: velero/velero-restic-restore-helper:v1.9.2 configMaps: {} ## diff --git a/terraform/helm/velero_values.yaml b/terraform/helm/velero_values.yaml index 27bbdf0..ec03373 100644 --- a/terraform/helm/velero_values.yaml +++ b/terraform/helm/velero_values.yaml @@ -5,7 +5,7 @@ initContainers: - name: velero-plugin-for-microsoft-azure # https://hub.docker.com/r/velero/velero-plugin-for-microsoft-azure/tags - image: velero/velero-plugin-for-microsoft-azure:v1.4.0 + image: velero/velero-plugin-for-microsoft-azure:v1.5.1 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target diff --git a/terraform/variables.tf b/terraform/variables.tf index 1a08791..7b41eb4 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -10,24 +10,18 @@ variable "kubernetes_version" { } # Helm charts -# Migrated to newer kubernetes nginx helm chart: -# https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx#migrating-from-stablenginx-ingress -# -# https://kubernetes.github.io/ingress-nginx/deploy/#using-helm # https://github.com/kubernetes/ingress-nginx/releases -# https://github.com/kubernetes/ingress-nginx/blob/ingress-nginx-3.11.0/charts/ingress-nginx/Chart.yaml#L3 -# # helm repo update # helm search repo ingress-nginx/ingress-nginx # helm search repo -l ingress-nginx/ingress-nginx | head -5 variable "nginx_chart_version" { - default = "4.1.3" + default = "4.3.0" } # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.8.0" + default = "v1.10.0" } # https://github.com/vmware-tanzu/helm-charts/releases 
@@ -35,17 +29,17 @@ variable "cert_manager_chart_version" { # * also update terraform/helm/velero_default_values.yaml # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.29.7" + default = "2.32.1" } # https://hub.docker.com/r/velero/velero/tags variable "velero_image_tag" { - default = "v1.8.1" + default = "v1.9.2" } # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.39.0" + default = "3.42.0" } # https://github.com/adamrushuk/charts/releases @@ -55,12 +49,11 @@ variable "nexus_chart_version" { } # https://github.com/SparebankenVest/azure-key-vault-to-kubernetes -# https://github.com/SparebankenVest/public-helm-charts/releases # https://github.com/SparebankenVest/helm-charts/tree/gh-pages/akv2k8s # https://github.com/SparebankenVest/public-helm-charts/blob/master/stable/akv2k8s/Chart.yaml#L5 # helm search repo spv-charts/akv2k8s variable "akv2k8s_chart_version" { - default = "2.2.0" + default = "2.2.2" } # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 @@ -74,7 +67,7 @@ variable "aad_pod_identity_chart_version" { # helm search repo bitnami/external-dns # helm search repo -l bitnami/external-dns variable "external_dns_chart_version" { - default = "6.5.1" + default = "6.10.2" } # https://github.com/kubereboot/charts/tree/main/charts/kured @@ -95,13 +88,13 @@ variable "kured_image_tag" { # helm search repo -l argo/argo-cd | head -n 20 # * also update terraform/helm/argocd_default_values.yaml variable "argocd_chart_version" { - default = "4.8.2" + default = "5.6.0" } # https://hub.docker.com/r/argoproj/argocd/tags # * also update cli version: terraform/files/scripts/argocd_config.sh#L22 variable "argocd_image_tag" { - default = "v2.3.4" + default = "v2.4.15" } #endregion Versions From 9dfc65156a4080e7998ef61f47ef0545dccc322c Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Wed, 19 Oct 2022 07:16:10 +0100 Subject: [PATCH 093/147] Bumped TF providers --- terraform/versions.tf | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index 33861f4..b9abe1c 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -19,25 +19,25 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 3.9.0" + version = "~> 3.27.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.22.0" + version = "~> 2.29.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.11.0" + version = "~> 2.14.0" } # https://github.com/hashicorp/terraform-provider-helm/releases helm = { source = "hashicorp/helm" - version = "~> 2.5.1" + version = "~> 2.7.1" } random = { @@ -75,7 +75,6 @@ terraform { } } -# must include blank features block # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/features-block @@ -103,9 +102,4 @@ provider "helm" { client_key = base64decode(module.aks.full_object.kube_admin_config[0].client_key) cluster_ca_certificate = base64decode(module.aks.full_object.kube_admin_config[0].cluster_ca_certificate) } - - # TODO: currently has issues when enabled - # experiments { - # manifest = true - # } } From f824406b810e31324c9ed5a2edb5dc87c45318b9 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Wed, 19 Oct 2022 08:54:16 +0100 Subject: [PATCH 094/147] Updated checkout GH action to v3 --- .github/workflows/build.yml | 4 ++-- .github/workflows/cleanup-resource-groups.yml | 2 +- .github/workflows/destroy.yml | 2 +- .github/workflows/start_aks_cluster.yml | 2 +- .github/workflows/stop_aks_cluster.yml | 2 +- .github/workflows/test.yml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a8295e1..7af1344 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -84,7 +84,7 @@ jobs: steps: # Checkout # https://github.com/marketplace/actions/checkout - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # specify different branch # NOT required as I've changed the default branch to develop # with: @@ -251,7 +251,7 @@ jobs: steps: # Checkout - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Init tasks - inc Env var concatenation # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#environment-files diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml index c6810a7..9a63a34 100644 --- a/.github/workflows/cleanup-resource-groups.yml +++ b/.github/workflows/cleanup-resource-groups.yml @@ -42,7 +42,7 @@ jobs: # Checkout # Reference the major version of a release # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-versioned-actions - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Init tasks - name: Init diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 4c9aa3a..d774088 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml 
@@ -75,7 +75,7 @@ jobs: # Checkout # Reference the major version of a release # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-versioned-actions - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # specify different branch # NOT required as I've changed the default branch to develop # with: diff --git a/.github/workflows/start_aks_cluster.yml b/.github/workflows/start_aks_cluster.yml index b6fbedd..658218b 100644 --- a/.github/workflows/start_aks_cluster.yml +++ b/.github/workflows/start_aks_cluster.yml @@ -33,7 +33,7 @@ jobs: steps: # Checkout - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # specify different branch # NOT required as I've changed the default branch to develop # with: diff --git a/.github/workflows/stop_aks_cluster.yml b/.github/workflows/stop_aks_cluster.yml index a77fc80..d52c21c 100644 --- a/.github/workflows/stop_aks_cluster.yml +++ b/.github/workflows/stop_aks_cluster.yml @@ -33,7 +33,7 @@ jobs: steps: # Checkout - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # specify different branch # NOT required as I've changed the default branch to develop # with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 489b025..f69f22e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -46,7 +46,7 @@ jobs: steps: # Checkout - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 # Show event info - name: Show triggered event data From 079986b5d16dc7aafa86f87a5729497f5e6de3a7 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 19 Oct 2022 08:54:30 +0100 Subject: [PATCH 095/147] Bumped nexus chart to v0.3.0 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 7b41eb4..e68f71b 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -45,7 +45,7 @@ variable "nexus_image_tag" { # https://github.com/adamrushuk/charts/releases # helm search repo adamrushuk/sonatype-nexus variable "nexus_chart_version" { - default = "0.2.8" + default = "0.3.0" } # https://github.com/SparebankenVest/azure-key-vault-to-kubernetes From 45ef1d3d4de352d77c8d6360b90b98c6a78ac06e Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 19 Oct 2022 09:28:16 +0100 Subject: [PATCH 096/147] Bumped GitHub Actions --- .github/workflows/build.yml | 22 ++++++++++--------- .github/workflows/cleanup-resource-groups.yml | 2 +- .github/workflows/destroy.yml | 6 ++--- .github/workflows/start_aks_cluster.yml | 2 +- .github/workflows/stop_aks_cluster.yml | 2 +- .github/workflows/test.yml | 2 +- 6 files changed, 19 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7af1344..305620e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -57,12 +57,8 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.2.1" + TF_VERSION: "1.3.2" TF_WORKING_DIR: ./terraform - # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases - TFLINT_RULESET_AZURERM_VERSION: "v0.16.0" - # https://github.com/terraform-linters/tflint/releases - TFLINT_VERSION: "v0.36.2" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 @@ -71,7 +67,7 @@ jobs: build-and-deploy: # always pin versions # view installed software: https://docs.github.com/en/free-pro-team@latest/actions/reference/specifications-for-github-hosted-runners#supported-software - runs-on: ubuntu-18.04 + runs-on: ubuntu-22.04 # https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment environment: 
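Review bot: The `TFLINT_RULESET_AZURERM_VERSION` and `TFLINT_VERSION` env vars are deleted in the first build.yml hunk (`@@ -57,12 +57,8 @@ env:`), yet no step that installs or runs tflint is touched anywhere in this commit — the build.yml diffstat (12 insertions, 10 deletions) is fully accounted for by the hunks visible here. Either the variables were already dead, or a step that still reads `${{ env.TFLINT_VERSION }}` now receives an empty string, which typically turns a pinned download into an unpinned or failing one; the hunk alone cannot tell which. If tflint was dropped deliberately, a one-line comment next to `TF_VERSION`, e.g. `# tflint removed; Terraform static analysis is tfsec + Checkov below`, would keep that decision visible to the next reader and stop the `# always pin versions` convention from looking half-applied.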
@@ -129,7 +125,8 @@ jobs: IFTTT_WEBHOOK_KEY: ${{ secrets.IFTTT_WEBHOOK_KEY }} # Terraform - - uses: hashicorp/setup-terraform@v1 + # https://github.com/hashicorp/setup-terraform + - uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ env.TF_VERSION }} @@ -139,12 +136,14 @@ jobs: terraform validate working-directory: ${{ env.TF_WORKING_DIR }} + # https://github.com/aquasecurity/tfsec-action - name: Run tfsec security scan - uses: aquasecurity/tfsec-action@v1.0.0 + uses: aquasecurity/tfsec-action@v1.0.2 with: working_directory: ${{ env.TF_WORKING_DIR }} soft_fail: true + # https://github.com/bridgecrewio/checkov-action - name: Run Checkov security scan id: checkov uses: bridgecrewio/checkov-action@master @@ -189,6 +188,7 @@ jobs: NEXUS_USER_PASSWORD: ${{ secrets.NEXUS_USER_PASSWORD }} # Docker + # https://github.com/Azure/docker-login - name: Docker repo login uses: Azure/docker-login@v1 with: @@ -211,8 +211,9 @@ jobs: continue-on-error: true run: pwsh -command "./scripts/Start-Test.ps1" + # https://github.com/actions/upload-artifact - name: Archive test artifacts - uses: actions/upload-artifact@v1 + uses: actions/upload-artifact@v3 with: name: test results path: test/pester-test-results.xml @@ -223,6 +224,7 @@ jobs: run: pwsh -command "Unregister-PSRepository -Name nuget.org-proxy -Verbose" # Shows at the bottom of a run: https://github.com/adamrushuk/devops-lab/runs/1035347513?check_suite_focus=true + # https://github.com/zyborg/pester-tests-report - name: Pester report uses: zyborg/pester-tests-report@v1 with: @@ -244,7 +246,7 @@ jobs: needs: build-and-deploy # https://github.com/actions/virtual-environments - runs-on: windows-2019 + runs-on: windows-2022 # only run if owner triggered action if: github.actor == github.event.repository.owner.login diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml index 9a63a34..51bda54 100644 --- a/.github/workflows/cleanup-resource-groups.yml 
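Review bot: The `# https://github.com/bridgecrewio/checkov-action` comment added in `@@ -139,12 +136,14 @@` documents the Checkov step, but the step itself still resolves `uses: bridgecrewio/checkov-action@master`, a mutable branch reference, while every other action this commit touches is pinned (`tfsec-action@v1.0.2`, `setup-terraform@v2`, `upload-artifact@v3`) and the job header reads `# always pin versions`. A branch ref means the scanner code executed against the Terraform sources changes whenever upstream pushes, with no review on this side; pin it to a release tag, or better a full commit SHA with the tag in a trailing comment, e.g. `uses: bridgecrewio/checkov-action@<release tag or commit SHA>  # <tag>`. Tags can also be moved, so the SHA form is the stronger choice for all of these, but the branch ref is the one that clearly contradicts the file's own convention.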
+++ b/.github/workflows/cleanup-resource-groups.yml @@ -33,7 +33,7 @@ jobs: # always pin versions # view installed software: https://help.github.com/en/actions/reference/software-installed-on-github-hosted-runners - runs-on: ubuntu-18.04 + runs-on: ubuntu-22.04 # only run if owner triggered action if: github.actor == github.event.repository.owner.login diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index d774088..0b5d26a 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -55,7 +55,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.2.1" + TF_VERSION: "1.3.2" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: @@ -66,7 +66,7 @@ jobs: # always pin versions # view installed software: https://help.github.com/en/actions/reference/software-installed-on-github-hosted-runners - runs-on: ubuntu-18.04 + runs-on: ubuntu-22.04 # only run if owner triggered action if: github.actor == github.event.repository.owner.login @@ -117,7 +117,7 @@ jobs: # run: pwsh -command "./function_app/CreateFunctionAppZip.ps1" # Terraform - - uses: hashicorp/setup-terraform@v1 + - uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ env.TF_VERSION }} diff --git a/.github/workflows/start_aks_cluster.yml b/.github/workflows/start_aks_cluster.yml index 658218b..8f76460 100644 --- a/.github/workflows/start_aks_cluster.yml +++ b/.github/workflows/start_aks_cluster.yml @@ -26,7 +26,7 @@ env: jobs: start_aks_cluster: - runs-on: ubuntu-18.04 + runs-on: ubuntu-22.04 # only run if owner triggered action if: github.actor == github.event.repository.owner.login diff --git a/.github/workflows/stop_aks_cluster.yml b/.github/workflows/stop_aks_cluster.yml index d52c21c..8fe41a4 100644 --- a/.github/workflows/stop_aks_cluster.yml +++ b/.github/workflows/stop_aks_cluster.yml 
@@ -26,7 +26,7 @@ env: jobs: stop_aks_cluster: - runs-on: ubuntu-18.04 + runs-on: ubuntu-22.04 # only run if owner triggered action if: github.actor == github.event.repository.owner.login diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f69f22e..c5b9583 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -36,7 +36,7 @@ jobs: # always pin versions # # view installed software: https://help.github.com/en/actions/reference/software-installed-on-github-hosted-runners - runs-on: ubuntu-18.04 + runs-on: ubuntu-22.04 env: MY_JOB_VAR: job From 6b5cbd138feea804bd8f50f6e3f88730234c5a00 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 19 Oct 2022 12:00:30 +0100 Subject: [PATCH 097/147] Bumped nexus chart to v0.3.1 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index e68f71b..0f5ae88 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -45,7 +45,7 @@ variable "nexus_image_tag" { # https://github.com/adamrushuk/charts/releases # helm search repo adamrushuk/sonatype-nexus variable "nexus_chart_version" { - default = "0.3.0" + default = "0.3.1" } # https://github.com/SparebankenVest/azure-key-vault-to-kubernetes From 499e6e50b4d76beba26cfc1e4e8ae82e533470be Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 20 Oct 2022 07:31:25 +0100 Subject: [PATCH 098/147] Fixed kubectl cp issue with nexus --- ansible/roles/init/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible/roles/init/tasks/main.yml b/ansible/roles/init/tasks/main.yml index bcebd5b..ad8562a 100644 --- a/ansible/roles/init/tasks/main.yml +++ b/ansible/roles/init/tasks/main.yml 
@@ -4,7 +4,8 @@ shell: | podName=$(kubectl get pod --namespace {{ nexus_namespace }} -l app.kubernetes.io/name=sonatype-nexus -o jsonpath="{.items[0].metadata.name}") - kubectl cp --namespace {{ nexus_namespace }} {{role_path}}/files/get_admin_password.sh "$podName":/tmp/get_admin_password.sh + # kubectl cp --namespace {{ nexus_namespace }} {{role_path}}/files/get_admin_password.sh "$podName":/tmp/get_admin_password.sh + cat {{role_path}}/files/get_admin_password.sh | kubectl exec -i -n {{ nexus_namespace }} "$podName" "--" sh -c "cat > /tmp/get_admin_password.sh" kubectl exec --namespace {{ nexus_namespace }} "$podName" -- sh -c "chmod +x /tmp/get_admin_password.sh; timeout {{ admin_password_script_timeout_mins }}m /tmp/get_admin_password.sh" From dd68c3753ab74d475cd0266383f8965d974e3ccc Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 20 Oct 2022 08:01:03 +0100 Subject: [PATCH 099/147] Added azure/login GH action with federated creds --- .github/workflows/build.yml | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 305620e..6d65476 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -101,8 +101,17 @@ jobs: echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV # Login - - name: Login to Azure - run: ./scripts/azure_login.sh + # - name: Login to Azure + # run: ./scripts/azure_login.sh + + # https://github.com/Azure/login + - name: OIDC Login to Azure Public Cloud (az cli and az powershell) + uses: azure/login@v1 + with: + client-id: ${{ secrets.ARM_CLIENT_ID }} + tenant-id: ${{ secrets.ARM_TENANT_ID }} + subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }} + enable-AzPSSession: true # This is required when developing after the initial build, and the AKS cluster may have been stopped # Ensure AKS cluster is running, else timeouts will occur on k8s Terraform apply tasks 
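Review bot: The new upload line `cat {{role_path}}/files/get_admin_password.sh | kubectl exec -i ... sh -c "cat > /tmp/get_admin_password.sh"` loses the failure signal `kubectl cp` gave: if the local file is missing or unreadable, `cat` fails on the left of the pipe but the pipeline's status is that of `kubectl exec`, which exits 0 after writing an empty file, so the task only fails later, if at all, when the empty script is executed. Ansible's `shell` module runs this through `/bin/sh` by default, where `set -o pipefail` is not portable, so feed the file by redirection instead — a missing file is then a hard error before `kubectl` starts: `kubectl exec -i -n {{ nexus_namespace }} "$podName" -- sh -c "cat > /tmp/get_admin_password.sh" < "{{ role_path }}/files/get_admin_password.sh"`. Quoting the path also protects against spaces in `role_path`, and the old `kubectl cp` line should be deleted rather than kept as a comment, with one short comment stating why `kubectl cp` failed against this pod so the workaround is understood. The enclosing task and its `shell: |` block start outside the hunk.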
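Review bot: In `@@ -101,8 +101,17 @@` the replaced `Login to Azure` step is kept as a commented-out block (`# - name: Login to Azure` / `# run: ./scripts/azure_login.sh`) directly above the new `azure/login@v1` step; the same pattern recurs in the Windows job hunk (`@@ -265,8 +274,17 @@`) and in the destroy.yml hunk of a later commit on this page. Git history already holds the old step, and disabled YAML next to a credential-handling step is exactly what a reader has to mentally diff every time, so delete it. Separately, `azure/login` only establishes the az CLI / Az PowerShell session; if the Terraform steps still receive `ARM_CLIENT_SECRET` from the job env (not visible in this hunk, but presumably what `azure_login.sh` used), the azurerm provider keeps authenticating with the client secret and the move to federated credentials is incomplete — the provider can consume the same federated token via `ARM_USE_OIDC: "true"` (or `use_oidc = true` in the provider block), after which the secret can be retired.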
@@ -265,8 +274,17 @@ jobs: echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" # Login - - name: Login to Azure - run: ./scripts/azure_login.ps1 + # - name: Login to Azure + # run: ./scripts/azure_login.ps1 + + # https://github.com/Azure/login + - name: OIDC Login to Azure Public Cloud (az cli and az powershell) + uses: azure/login@v1 + with: + client-id: ${{ secrets.ARM_CLIENT_ID }} + tenant-id: ${{ secrets.ARM_TENANT_ID }} + subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }} + enable-AzPSSession: true # Chocolatey - name: Test Nexus Chocolatey proxy repo From a2d334c979ba74de7e92c6272b43d5124d5ddead Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 20 Oct 2022 08:04:35 +0100 Subject: [PATCH 100/147] Added permissions for oidc login --- .github/workflows/build.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6d65476..2c2e60e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -17,6 +17,11 @@ on: workflow_dispatch: inputs: {} +# permissions for oidc login +# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect +permissions: + id-token: write # This is required for requesting the JWT + # global environment variables # https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables env: From 42f11bd85dbc6ee589daa2fc1999d60a4059b013 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 20 Oct 2022 08:24:51 +0100 Subject: [PATCH 101/147] Added pester test reporter --- .github/workflows/build.yml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2c2e60e..d4b7949 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
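Review bot: `permissions:` with only `id-token: write` in `@@ -17,6 +17,11 @@ on:` resets every other `GITHUB_TOKEN` scope for the workflow to `none`, because once any scope is listed the unlisted ones no longer inherit the repository default. The `Pester report` step later in this file passes `github_token: ${{ secrets.GITHUB_TOKEN }}` to create a check run, and the `dorny/test-reporter` step introduced in the next commit also writes check runs, so both need `checks: write`; the documented OIDC pattern likewise lists `contents: read` explicitly so the checkout keeps working regardless of repository visibility. Add `contents: read` and `checks: write` under `permissions:`, keeping the existing comment on the `id-token` line; the destroy.yml hunk that adds the same block in a later commit on this page needs at least `contents: read` for the same reason.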
@@ -229,7 +229,7 @@ jobs: - name: Archive test artifacts uses: actions/upload-artifact@v3 with: - name: test results + name: test-results path: test/pester-test-results.xml if: always() @@ -239,13 +239,20 @@ jobs: # Shows at the bottom of a run: https://github.com/adamrushuk/devops-lab/runs/1035347513?check_suite_focus=true # https://github.com/zyborg/pester-tests-report - - name: Pester report - uses: zyborg/pester-tests-report@v1 + # - name: Pester report + # uses: zyborg/pester-tests-report@v1 + # with: + # test_results_path: test/pester-test-results.xml + # report_name: pester_tests + # report_title: Pester Tests + # github_token: ${{ secrets.GITHUB_TOKEN }} + + - uses: dorny/test-reporter@v1 with: - test_results_path: test/pester-test-results.xml - report_name: pester_tests - report_title: Pester Tests - github_token: ${{ secrets.GITHUB_TOKEN }} + artifact: test-results # artifact name + name: Pester Tests # Name of the check run which will be created + path: '*.xml' # Path to test results (inside artifact .zip) + reporter: dotnet-trx # Format of test results # Notify - name: Notify slack From 7aef7e03b9b8ab918da2b32eb55c412d22239603 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 20 Oct 2022 08:34:58 +0100 Subject: [PATCH 102/147] Fixed test reporter --- .github/workflows/build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d4b7949..5e196f9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -247,12 +247,12 @@ jobs: # report_title: Pester Tests # github_token: ${{ secrets.GITHUB_TOKEN }} - - uses: dorny/test-reporter@v1 + - uses: dorny/test-reporter@v1.6.0 with: - artifact: test-results # artifact name - name: Pester Tests # Name of the check run which will be created - path: '*.xml' # Path to test results (inside artifact .zip) - reporter: dotnet-trx # Format of test results + # artifact: test-results # artifact name + name: Pester Tests Results # Name of the check run which will be created + path: 'test/pester-test-results.xml' # Path to test results (inside artifact .zip) + reporter: dotnet-trx # Format of test results # Notify - name: Notify slack From 2ebec3e52a971a0c61b71b2e1a435c2bd0342a74 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 20 Oct 2022 08:47:54 +0100 Subject: [PATCH 103/147] Fixed pester test reporter --- .github/workflows/build.yml | 2 +- scripts/Start-Test.ps1 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5e196f9..ba5e54d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -252,7 +252,7 @@ jobs: # artifact: test-results # artifact name name: Pester Tests Results # Name of the check run which will be created path: 'test/pester-test-results.xml' # Path to test results (inside artifact .zip) - reporter: dotnet-trx # Format of test results + reporter: java-junit # Format of test results # Notify - name: Notify slack diff --git a/scripts/Start-Test.ps1 b/scripts/Start-Test.ps1 index 6b7db6a..652b76f 100755 --- a/scripts/Start-Test.ps1 +++ b/scripts/Start-Test.ps1 
@@ -18,7 +18,7 @@ $taskMessage = "Installing Pester " Write-Verbose "STARTED: $taskMessage..." try { Set-PSRepository -Name "PSGallery" -InstallationPolicy "Trusted" - Install-Module -Name "Pester" -Scope "CurrentUser" -Repository "PSGallery" -MinimumVersion 5.1.0 -Verbose + Install-Module -Name "Pester" -Scope "CurrentUser" -Repository "PSGallery" -MinimumVersion 5.3.0 -Verbose Write-Verbose "FINISHED: $taskMessage." } @@ -32,7 +32,7 @@ $taskMessage = "Running Pester tests" Write-Verbose "STARTED: $taskMessage..." try { $testScripts = Get-ChildItem -Path "*.tests.ps1" - Invoke-Pester -Script $testScripts -PassThru -OutputFormat "NUnitXml" -OutputFile "pester-test-results.xml" -Verbose -ErrorAction "Stop" + Invoke-Pester -Script $testScripts -PassThru -OutputFormat "JUnitXml" -OutputFile "pester-test-results.xml" -Verbose -ErrorAction "Stop" Write-Verbose "FINISHED: $taskMessage." } From 05f670469c8ce36ca418886087eb48f9ae7d38e9 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 20 Oct 2022 08:58:07 +0100 Subject: [PATCH 104/147] Testing latest pester syntax --- .github/workflows/build.yml | 12 ++++++------ scripts/Start-Test.ps1 | 9 +++------ .../integration.Tests.ps1 | 0 3 files changed, 9 insertions(+), 12 deletions(-) rename test/integration.tests.ps1 => tests/integration.Tests.ps1 (100%) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ba5e54d..ea98955 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -247,12 +247,12 @@ jobs: # report_title: Pester Tests # github_token: ${{ secrets.GITHUB_TOKEN }} - - uses: dorny/test-reporter@v1.6.0 - with: - # artifact: test-results # artifact name - name: Pester Tests Results # Name of the check run which will be created - path: 'test/pester-test-results.xml' # Path to test results (inside artifact .zip) - reporter: java-junit # Format of test results + # - uses: dorny/test-reporter@v1.6.0 + # with: + # # artifact: test-results # artifact name + # name: Pester Tests Results # Name of the check run which will be created + # path: 'test/pester-test-results.xml' # Path to test results (inside artifact .zip) + # reporter: java-junit # Format of test results # Notify - name: Notify slack diff --git a/scripts/Start-Test.ps1 b/scripts/Start-Test.ps1 index 652b76f..78bd895 100755 --- a/scripts/Start-Test.ps1 +++ b/scripts/Start-Test.ps1 @@ -8,9 +8,6 @@ $ErrorActionPreference = "Stop" #endregion Write-Verbose "Started in folder: [$(Get-Location)]" -Write-Verbose "Changing directory to test folder..." -Set-Location "test" - Write-Verbose "STARTED: pwsh test task in current folder: [$(Get-Location)]" # Install Pester @@ -31,9 +28,9 @@ catch { $taskMessage = "Running Pester tests" Write-Verbose "STARTED: $taskMessage..." try { - $testScripts = Get-ChildItem -Path "*.tests.ps1" - Invoke-Pester -Script $testScripts -PassThru -OutputFormat "JUnitXml" -OutputFile "pester-test-results.xml" -Verbose -ErrorAction "Stop" - + # $testScripts = Get-ChildItem -Path "*.Tests.ps1" + # Invoke-Pester -Script $testScripts -PassThru -OutputFormat "JUnitXml" -OutputFile "pester-test-results.xml" -Verbose -ErrorAction "Stop" + Invoke-Pester -Path './tests' -CI -Verbose Write-Verbose "FINISHED: $taskMessage." } catch { diff --git a/test/integration.tests.ps1 b/tests/integration.Tests.ps1 similarity index 100% rename from test/integration.tests.ps1 rename to tests/integration.Tests.ps1 From da66bdee822295d825d4b9a05d449d266219d9a9 Mon Sep 17 00:00:00 2001 
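Review bot: `Invoke-Pester -Path './tests' -CI -Verbose` changes the results file without the workflow following: in Pester 5 the `-CI` switch enables test-result output to the default `testResults.xml` in the current directory (NUnit format) and makes the process exit non-zero on failures, whereas the removed line wrote `pester-test-results.xml` in JUnit format from inside the `test` folder, which the removed `Set-Location "test"` used to enter. The `Archive test artifacts` step in build.yml still uploads `test/pester-test-results.xml` — a directory this same commit renames to `tests` — so the upload finds nothing and, with `if: always()`, only warns. Either point the workflow at `testResults.xml`, or keep an explicit, stable output path and format through a configuration object as sketched below; the `try` block around the call begins outside the hunk.

```powershell
try {
    $config = New-PesterConfiguration
    $config.Run.Path = './tests'
    $config.Run.Exit = $true
    $config.TestResult.Enabled = $true
    $config.TestResult.OutputFormat = 'JUnitXml'
    $config.TestResult.OutputPath = 'pester-test-results.xml'
    Invoke-Pester -Configuration $config -Verbose
    # … unchanged: FINISHED message …
```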
From: Adam Rush Date: Thu, 20 Oct 2022 09:21:04 +0100 Subject: [PATCH 105/147] Fixed path --- tests/integration.Tests.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/integration.Tests.ps1 b/tests/integration.Tests.ps1 index 0ec2729..ed34783 100644 --- a/tests/integration.Tests.ps1 +++ b/tests/integration.Tests.ps1 @@ -89,7 +89,7 @@ Describe "Integration Tests" { $expectedIssuerName = "Let's Encrypt Authority" # Get common cert info - . ../scripts/Get-CertInfo.ps1 + . ./scripts/Get-CertInfo.ps1 $certResult = Get-CertInfo -ComputerName $hostname -Port $port # DEBUG Output From 8822e6b2c16e90ef5280a2fdce5b274f920d8eea Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 20 Oct 2022 09:21:11 +0100 Subject: [PATCH 106/147] Changed GH dev env --- .github/workflows/build.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ea98955..d3982b0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -76,7 +76,7 @@ jobs: # https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment environment: - name: dev_environment + name: dev url: "https://argocd.${{ env.ROOT_DOMAIN_NAME }}" # only run if owner triggered action @@ -269,6 +269,10 @@ jobs: # https://github.com/actions/virtual-environments runs-on: windows-2022 + # https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment + environment: + name: dev + # only run if owner triggered action if: github.actor == github.event.repository.owner.login From 4ed3be3e47ad82947737cf530f844d6d44cd1983 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 20 Oct 2022 09:38:19 +0100 Subject: [PATCH 107/147] Added OIDC Login to destroy workflow --- .github/workflows/destroy.yml | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 0b5d26a..6ea1b93 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -17,6 +17,11 @@ on: workflow_dispatch: inputs: {} +# permissions for oidc login +# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect +permissions: + id-token: write # This is required for requesting the JWT + # global environment variables # https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables env: @@ -68,6 +73,10 @@ jobs: # view installed software: https://help.github.com/en/actions/reference/software-installed-on-github-hosted-runners runs-on: ubuntu-22.04 + # https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment + environment: + name: dev + # only run if owner triggered action if: github.actor == github.event.repository.owner.login @@ -95,8 +104,17 @@ jobs: echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV # Login - - name: Login to Azure - run: ./scripts/azure_login.sh + # - name: Login to Azure + # run: ./scripts/azure_login.sh + + # https://github.com/Azure/login + - name: OIDC Login to Azure Public Cloud (az cli and az powershell) + uses: azure/login@v1 + with: + client-id: ${{ secrets.ARM_CLIENT_ID }} + tenant-id: ${{ secrets.ARM_TENANT_ID }} + subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }} + enable-AzPSSession: true # Ensure AKS cluster is running, else timeouts will occur on k8s Terraform resource destroy tasks - name: Start AKS Cluster @@ -112,10 +130,6 @@ jobs: env: IFTTT_WEBHOOK_KEY: ${{ secrets.IFTTT_WEBHOOK_KEY }} - # TODO remove - # - name: Create zip file of Function App - # run: pwsh -command "./function_app/CreateFunctionAppZip.ps1" - # Terraform - uses: hashicorp/setup-terraform@v2 with: From c9006ad9c7b63a75211988e83d5edd94fcb44150 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Fri, 21 Oct 2022 06:54:30 +0100 Subject: [PATCH 108/147] Fixed pre-commit issues --- .devcontainer/library-scripts/azcli-debian.sh | 2 +- .../library-scripts/docker-debian.sh | 2 +- .devcontainer/library-scripts/node-debian.sh | 2 +- .pre-commit-config.yaml | 48 +++-- .../Public/Edge/Get-CIEdgeSecurityCheck.ps1 | 2 +- scripts/aks-csi-disk-expand.sh | 1 - splunk/main.tf | 4 +- terraform/README.md | 186 +++++++++++++++++- .../function-app/functions/.funcignore | 2 +- .../function-app/functions/.gitignore | 2 +- .../function-app/functions/requirements.psd1 | 2 +- .../main.tf | 4 +- velero/examples/README.md | 2 +- 13 files changed, 219 insertions(+), 40 deletions(-) diff --git a/.devcontainer/library-scripts/azcli-debian.sh b/.devcontainer/library-scripts/azcli-debian.sh index cde7fd7..8e265ff 100644 --- a/.devcontainer/library-scripts/azcli-debian.sh +++ b/.devcontainer/library-scripts/azcli-debian.sh @@ -30,4 +30,4 @@ echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $(lsb_rel curl -sL https://packages.microsoft.com/keys/microsoft.asc | (OUT=$(apt-key add - 2>&1) || echo $OUT) apt-get update apt-get install -y azure-cli -echo "Done!" \ No newline at end of file +echo "Done!" diff --git a/.devcontainer/library-scripts/docker-debian.sh b/.devcontainer/library-scripts/docker-debian.sh index 7ca6d54..d046837 100644 --- a/.devcontainer/library-scripts/docker-debian.sh +++ b/.devcontainer/library-scripts/docker-debian.sh @@ -178,4 +178,4 @@ exec "\$@" EOF chmod +x /usr/local/share/docker-init.sh chown ${USERNAME}:root /usr/local/share/docker-init.sh -echo "Done!" \ No newline at end of file +echo "Done!" diff --git a/.devcontainer/library-scripts/node-debian.sh b/.devcontainer/library-scripts/node-debian.sh index d61046d..a1b747e 100644 --- a/.devcontainer/library-scripts/node-debian.sh +++ b/.devcontainer/library-scripts/node-debian.sh 
@@ -121,4 +121,4 @@ EOF ) | tee -a /etc/bash.bashrc >> /etc/zsh/zshrc fi -echo "Done!" \ No newline at end of file +echo "Done!"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8bddb06..15961d2 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,31 +1,27 @@
+# See http://pre-commit.com for more information
+# See http://pre-commit.com/hooks.html for more hooks
+#
+# Install git hooks
+# pre-commit install
+# Update this file:
+# pre-commit autoupdate
+# Apply to all files without committing:
+# pre-commit run --all-files
 repos:
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.76.0
+ hooks:
+ - id: terraform_docs
+ - id: terraform_fmt
+ # - id: terraform_validate # this downloads ALL modules locally and takes too long
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v3.4.0 # "" gets replaced with latest repo release versions by running "pre-commit autoupdate"
+ rev: v4.3.0
 hooks:
- - id: check-merge-conflict
- # - id: trailing-whitespace # find way to ignore markdown files (.md)
- # - id: check-yaml
 - id: check-added-large-files
+ - id: check-json
+ - id: check-merge-conflict
+ - id: check-yaml
 - id: detect-private-key
-
- - repo: https://github.com/antonbabenko/pre-commit-terraform.git
- rev: v1.45.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
- hooks:
- - id: terraform_docs
- - id: terraform_fmt
- - id: terraform_validate
- - id: terraform_tflint
- - id: terraform_tfsec
-
- # ! WIP: unhandled errors running tflint with pre-commit
- # - repo: https://github.com/gruntwork-io/pre-commit
- # rev: v0.1.12 # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
- # hooks:
- # - id: tflint
- # args:
- # - "terraform"
- # # - "--module"
- # # - "--deep"
- # - "--config=.tflint.hcl"
- # # # - id: terraform-validate
- # # # - id: terraform-fmt
+ - id: end-of-file-fixer
+ - id: fix-byte-order-marker
+ - id: trailing-whitespace
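Review bot: The rewritten hook list drops `terraform_tflint` and `terraform_tfsec` together with the old pre-commit-terraform block, so the Terraform lint and static security scan no longer run on commit, and the commit message ("Fixed pre-commit issues") gives no reason for removing them. If they were too slow or broken, leave a disabled entry carrying the reason, as was done for `terraform_validate`, e.g. `# - id: terraform_tfsec # disabled: <reason>`; otherwise re-add `- id: terraform_tfsec` and `- id: terraform_tflint` under the new pre-commit-terraform hooks so the repository keeps the same checks it had before the bump.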
diff --git a/nexus/repositories/nuget/PSvCloud/Public/Edge/Get-CIEdgeSecurityCheck.ps1 b/nexus/repositories/nuget/PSvCloud/Public/Edge/Get-CIEdgeSecurityCheck.ps1 index 6c256bd..7741434 100644 --- a/nexus/repositories/nuget/PSvCloud/Public/Edge/Get-CIEdgeSecurityCheck.ps1 +++ b/nexus/repositories/nuget/PSvCloud/Public/Edge/Get-CIEdgeSecurityCheck.ps1 @@ -154,4 +154,4 @@ function Get-CIEdgeSecurityCheck { } } # End process -} # End function \ No newline at end of file +} # End function diff --git a/scripts/aks-csi-disk-expand.sh b/scripts/aks-csi-disk-expand.sh index f6291ee..0ed2ed6 100644 --- a/scripts/aks-csi-disk-expand.sh +++ b/scripts/aks-csi-disk-expand.sh @@ -31,4 +31,3 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi # check disk size in pod kubectl exec -it nginx-azuredisk -- df -h /mnt/azuredisk - diff --git a/splunk/main.tf b/splunk/main.tf index 38681e2..a57c403 100644 --- a/splunk/main.tf +++ b/splunk/main.tf @@ -42,8 +42,8 @@ locals { # version used for both main AKS API service, and default node pool # https://github.com/Azure/AKS/releases # az aks get-versions --location uksouth --output table - kubernetes_version = "1.20.7" - location = "uksouth" + kubernetes_version = "1.20.7" + location = "uksouth" # prefix = "ar${random_string.aks.result}" # aks dns_prefix must start with a letter prefix = "arsplunk" # aks dns_prefix must start with a letter resource_group_name = "${local.prefix}-rg-azurerm-kubernetes-cluster" diff --git a/terraform/README.md b/terraform/README.md index da6d44b..c74a065 100644 --- a/terraform/README.md +++ b/terraform/README.md 
@@ -33,5 +33,189 @@ terraform destroy --- -*auto populated information +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [archive](#requirement\_archive) | 2.2.0 | +| [azuread](#requirement\_azuread) | ~> 2.29.0 | +| [azurerm](#requirement\_azurerm) | ~> 3.27.0 | +| [helm](#requirement\_helm) | ~> 2.7.1 | +| [kubernetes](#requirement\_kubernetes) | ~> 2.14.0 | +| [local](#requirement\_local) | ~> 2.2 | +| [null](#requirement\_null) | ~> 3.1 | +| [random](#requirement\_random) | ~> 3.1 | +| [template](#requirement\_template) | ~> 2.2 | +| [tls](#requirement\_tls) | ~> 3.3 | + +## Providers + +| Name | Version | +|------|---------| +| [archive](#provider\_archive) | 2.2.0 | +| [azuread](#provider\_azuread) | ~> 2.29.0 | +| [azurerm](#provider\_azurerm) | ~> 3.27.0 | +| [helm](#provider\_helm) | ~> 2.7.1 | +| [kubernetes](#provider\_kubernetes) | ~> 2.14.0 | +| [local](#provider\_local) | ~> 2.2 | +| [null](#provider\_null) | ~> 3.1 | +| [template](#provider\_template) | ~> 2.2 | +| [tls](#provider\_tls) | ~> 3.3 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aks](#module\_aks) | adamrushuk/aks/azurerm | ~> 1.1.0 | + +## Resources + +| Name | Type | +|------|------| +| [azuread_application.argocd](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource | +| [azuread_application_password.argocd](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password) | resource | +| [azuread_service_principal.argocd](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource | +| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource | +| 
[azurerm_application_insights.appinsights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_insights) | resource | +| [azurerm_linux_function_app.func_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app) | resource | +| [azurerm_log_analytics_solution.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution) | resource | +| [azurerm_log_analytics_workspace.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource | +| [azurerm_resource_group.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_role_assignment.aks_dns_mi_to_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.aks_dns_mi_to_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.aks_mi_aks_node_rg_mi_operator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.aks_mi_aks_node_rg_vm_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.aks_mi_kv_certs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.aks_mi_kv_keys](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.aks_mi_kv_secrets](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| 
[azurerm_role_assignment.func_app_aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.func_app_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.velero_mi_aks_node_rg_vm_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.velero_mi_velero_storage_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_service_plan.func_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_plan) | resource | +| [azurerm_storage_account.func_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource | +| [azurerm_storage_account.velero](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource | +| [azurerm_storage_blob.func_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_blob) | resource | +| [azurerm_storage_container.func_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | +| [azurerm_storage_container.velero](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | +| [azurerm_user_assigned_identity.external_dns](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | +| [azurerm_user_assigned_identity.velero](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | +| [helm_release.aad_pod_identity](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| 
[helm_release.akv2k8s](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.argocd](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.cert_manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.external_dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.kured](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.nexus](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [kubernetes_namespace.aad_pod_identity](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.akv2k8s](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.argocd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.external_dns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.gitlab](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.kured](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| 
[kubernetes_namespace.nexus](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.velero](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_secret.velero_credentials](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | +| [local_sensitive_file.kubeconfig](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource | +| [null_resource.argocd_apps](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.argocd_cert_sync](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.argocd_cm](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.argocd_configure](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.argocd_rbac_cm](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.argocd_secret](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.azureIdentity_external_dns](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.gitlab_cert_sync](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.nexus_cert_sync](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [tls_private_key.ssh](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| 
[archive_file.func_app](https://registry.terraform.io/providers/hashicorp/archive/2.2.0/docs/data-sources/file) | data source | +| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids) | data source | +| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source | +| [azuread_group.argocd_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | +| [azurerm_dns_zone.dns](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source | +| [azurerm_key_vault.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | +| [azurerm_resource_group.aks_node_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | +| [azurerm_resource_group.dns](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [template_file.azureIdentities](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aad\_pod\_identity\_chart\_version](#input\_aad\_pod\_identity\_chart\_version) | https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 helm search repo aad-pod-identity/aad-pod-identity | `string` | `"4.1.10"` | no | +| 
[admin\_username](#input\_admin\_username) | The admin username of the VMs that will be deployed | `string` | `"sysadmin"` | no | +| [agent\_pool\_enable\_auto\_scaling](#input\_agent\_pool\_enable\_auto\_scaling) | n/a | `bool` | `false` | no | +| [agent\_pool\_node\_count](#input\_agent\_pool\_node\_count) | Agent Pool | `number` | `1` | no | +| [agent\_pool\_node\_max\_count](#input\_agent\_pool\_node\_max\_count) | n/a | `any` | `null` | no | +| [agent\_pool\_node\_min\_count](#input\_agent\_pool\_node\_min\_count) | n/a | `any` | `null` | no | +| [agent\_pool\_profile\_disk\_size\_gb](#input\_agent\_pool\_profile\_disk\_size\_gb) | n/a | `number` | `30` | no | +| [agent\_pool\_profile\_name](#input\_agent\_pool\_profile\_name) | n/a | `string` | `"default"` | no | +| [agent\_pool\_profile\_os\_type](#input\_agent\_pool\_profile\_os\_type) | n/a | `string` | `"Linux"` | no | +| [agent\_pool\_profile\_vm\_size](#input\_agent\_pool\_profile\_vm\_size) | n/a | `string` | `"Standard_D4s_v3"` | no | +| [aks\_admins\_aad\_group\_name](#input\_aks\_admins\_aad\_group\_name) | Name an existing Azure AD group for AKS admins | `string` | `"AKS-Admins"` | no | +| [aks\_config\_path](#input\_aks\_config\_path) | n/a | `string` | `"./azurek8s_config"` | no | +| [aks\_container\_insights\_enabled](#input\_aks\_container\_insights\_enabled) | Should Container Insights monitoring be enabled | `bool` | `true` | no | +| [akv2k8s\_chart\_version](#input\_akv2k8s\_chart\_version) | https://github.com/SparebankenVest/azure-key-vault-to-kubernetes https://github.com/SparebankenVest/helm-charts/tree/gh-pages/akv2k8s https://github.com/SparebankenVest/public-helm-charts/blob/master/stable/akv2k8s/Chart.yaml#L5 helm search repo spv-charts/akv2k8s | `string` | `"2.2.2"` | no | +| [argocd\_admin\_password](#input\_argocd\_admin\_password) | n/a | `string` | `"__ARGOCD_ADMIN_PASSWORD__"` | no | +| [argocd\_admins\_aad\_group\_name](#input\_argocd\_admins\_aad\_group\_name) | argo cd | 
`string` | `"ArgoCD_Admins"` | no | +| [argocd\_app\_reg\_name](#input\_argocd\_app\_reg\_name) | n/a | `string` | `"sp_argocd_oidc"` | no | +| [argocd\_apps\_path](#input\_argocd\_apps\_path) | n/a | `string` | `"files/argocd-apps.yaml"` | no | +| [argocd\_cert\_sync\_yaml\_path](#input\_argocd\_cert\_sync\_yaml\_path) | n/a | `string` | `"files/argocd-akvs-certificate-sync.yaml"` | no | +| [argocd\_chart\_version](#input\_argocd\_chart\_version) | argo cd https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 helm search repo argo/argo-cd helm search repo -l argo/argo-cd \| head -n 20 * also update terraform/helm/argocd\_default\_values.yaml | `string` | `"5.6.0"` | no | +| [argocd\_cm\_yaml\_path](#input\_argocd\_cm\_yaml\_path) | n/a | `string` | `"files/argocd-cm-patch.tmpl.yaml"` | no | +| [argocd\_fqdn](#input\_argocd\_fqdn) | n/a | `string` | `"__ARGOCD_FQDN__"` | no | +| [argocd\_image\_tag](#input\_argocd\_image\_tag) | https://hub.docker.com/r/argoproj/argocd/tags * also update cli version: terraform/files/scripts/argocd\_config.sh#L22 | `string` | `"v2.4.15"` | no | +| [argocd\_rbac\_cm\_yaml\_path](#input\_argocd\_rbac\_cm\_yaml\_path) | n/a | `string` | `"files/argocd-rbac-cm-patch.tmpl.yaml"` | no | +| [argocd\_secret\_yaml\_path](#input\_argocd\_secret\_yaml\_path) | n/a | `string` | `"files/argocd-secret-patch.tmpl.yaml"` | no | +| [azure\_resourcegroup\_name](#input\_azure\_resourcegroup\_name) | n/a | `string` | `"__AKS_RG_NAME__"` | no | +| [azureidentity\_external\_dns\_yaml\_path](#input\_azureidentity\_external\_dns\_yaml\_path) | n/a | `string` | `"files/azureIdentity-external-dns.yaml.tpl"` | no | +| [azurerm\_kubernetes\_cluster\_name](#input\_azurerm\_kubernetes\_cluster\_name) | AKS | `string` | `"__AKS_CLUSTER_NAME__"` | no | +| [cert\_manager\_chart\_version](#input\_cert\_manager\_chart\_version) | https://hub.helm.sh/charts/jetstack/cert-manager helm search repo jetstack/cert-manager | `string` | `"v1.10.0"` | 
no | +| [dns\_resource\_group\_name](#input\_dns\_resource\_group\_name) | DNS | `string` | `"__DNS_RG_NAME__"` | no | +| [dns\_zone\_name](#input\_dns\_zone\_name) | n/a | `string` | `"__ROOT_DOMAIN_NAME__"` | no | +| [external\_dns\_chart\_version](#input\_external\_dns\_chart\_version) | https://bitnami.com/stack/external-dns/helm https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml helm search repo bitnami/external-dns helm search repo -l bitnami/external-dns | `string` | `"6.10.2"` | no | +| [func\_app\_sas\_expires\_in\_hours](#input\_func\_app\_sas\_expires\_in\_hours) | Function Apps | `string` | `"2190h"` | no | +| [gitlab\_cert\_sync\_yaml\_path](#input\_gitlab\_cert\_sync\_yaml\_path) | gitlab | `string` | `"files/gitlab-akvs-certificate-sync.yaml"` | no | +| [helm\_chart\_repo\_deploy\_private\_key](#input\_helm\_chart\_repo\_deploy\_private\_key) | n/a | `string` | `"__HELM_CHART_REPO_DEPLOY_PRIVATE_KEY__\n"` | no | +| [ifttt\_webhook\_key](#input\_ifttt\_webhook\_key) | n/a | `string` | `"__IFTTT_WEBHOOK_KEY__"` | no | +| [key\_vault\_name](#input\_key\_vault\_name) | n/a | `string` | `"__KEY_VAULT_NAME__"` | no | +| [key\_vault\_resource\_group\_name](#input\_key\_vault\_resource\_group\_name) | n/a | `string` | `"__KEY_VAULT_RESOURCE_GROUP_NAME__"` | no | +| [kubernetes\_version](#input\_kubernetes\_version) | region Versions version used for both main AKS API service, and default node pool https://github.com/Azure/AKS/releases az aks get-versions --location eastus --output table pwsh -Command "(az aks get-versions --location uksouth \| convertfrom-json).orchestrators \| where default" | `string` | `"1.23.12"` | no | +| [kured\_chart\_version](#input\_kured\_chart\_version) | https://github.com/kubereboot/charts/tree/main/charts/kured helm search repo kubereboot/kured | `string` | `"4.0.2"` | no | +| [kured\_image\_tag](#input\_kured\_image\_tag) | https://github.com/kubereboot/kured#kubernetes--os-compatibility | `string` | 
`"1.10.2"` | no | +| [location](#input\_location) | n/a | `string` | `"__LOCATION__"` | no | +| [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | n/a | `string` | `"__PREFIX__-la-workspace-001"` | no | +| [nexus\_base\_domain](#input\_nexus\_base\_domain) | Nexus | `string` | `"__ROOT_DOMAIN_NAME__"` | no | +| [nexus\_cert\_email](#input\_nexus\_cert\_email) | n/a | `string` | `"__EMAIL_ADDRESS__"` | no | +| [nexus\_cert\_sync\_yaml\_path](#input\_nexus\_cert\_sync\_yaml\_path) | akv2k8s | `string` | `"files/nexus-akvs-certificate-sync.yaml"` | no | +| [nexus\_chart\_version](#input\_nexus\_chart\_version) | https://github.com/adamrushuk/charts/releases helm search repo adamrushuk/sonatype-nexus | `string` | `"0.3.1"` | no | +| [nexus\_image\_tag](#input\_nexus\_image\_tag) | https://hub.docker.com/r/sonatype/nexus3/tags | `string` | `"3.42.0"` | no | +| [nexus\_ingress\_enabled](#input\_nexus\_ingress\_enabled) | n/a | `string` | `"__ENABLE_TLS_INGRESS__"` | no | +| [nexus\_letsencrypt\_environment](#input\_nexus\_letsencrypt\_environment) | n/a | `string` | `"__CERT_API_ENVIRONMENT__"` | no | +| [nexus\_tls\_secret\_name](#input\_nexus\_tls\_secret\_name) | n/a | `string` | `"__K8S_TLS_SECRET_NAME__"` | no | +| [nginx\_chart\_version](#input\_nginx\_chart\_version) | Helm charts https://github.com/kubernetes/ingress-nginx/releases helm repo update helm search repo ingress-nginx/ingress-nginx helm search repo -l ingress-nginx/ingress-nginx \| head -5 | `string` | `"4.3.0"` | no | +| [prefix](#input\_prefix) | Common | `string` | `"__PREFIX__"` | no | +| [sla\_sku](#input\_sla\_sku) | Define the SLA under which the managed master control plane of AKS is running | `string` | `"Free"` | no | +| [ssh\_public\_key](#input\_ssh\_public\_key) | Public key for SSH access to the VMs | `string` | `""` | no | +| [tags](#input\_tags) | A map of the tags to use on the resources | `map` |
{
"Env": "Dev",
"Owner": "Adam Rush",
"Source": "terraform"
}
| no | +| [velero\_backup\_included\_namespaces](#input\_velero\_backup\_included\_namespaces) | n/a | `list(string)` |
[
"nexus"
]
| no | +| [velero\_backup\_retention](#input\_velero\_backup\_retention) | n/a | `string` | `"2h0m0s"` | no | +| [velero\_backup\_schedule](#input\_velero\_backup\_schedule) | Velero backup schedule in cron format | `string` | `"0 */1 * * *"` | no | +| [velero\_chart\_version](#input\_velero\_chart\_version) | https://github.com/vmware-tanzu/helm-charts/releases helm search repo vmware-tanzu/velero * also update terraform/helm/velero\_default\_values.yaml * also update terraform/helm/velero\_values.yaml | `string` | `"2.32.1"` | no | +| [velero\_enabled](#input\_velero\_enabled) | Should Velero be enabled | `string` | `"__VELERO_ENABLED__"` | no | +| [velero\_image\_tag](#input\_velero\_image\_tag) | https://hub.docker.com/r/velero/velero/tags | `string` | `"v1.9.2"` | no | +| [velero\_service\_principle\_name](#input\_velero\_service\_principle\_name) | n/a | `string` | `"sp_velero"` | no | +| [velero\_storage\_account\_name](#input\_velero\_storage\_account\_name) | n/a | `string` | `"__VELERO_STORAGE_ACCOUNT__"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [aks\_credentials\_command](#output\_aks\_credentials\_command) | n/a | +| [aks\_node\_resource\_group](#output\_aks\_node\_resource\_group) | n/a | diff --git a/terraform/examples/function-app/functions/.funcignore b/terraform/examples/function-app/functions/.funcignore index 414df2f..8817d3f 100644 --- a/terraform/examples/function-app/functions/.funcignore +++ b/terraform/examples/function-app/functions/.funcignore @@ -1,4 +1,4 @@ .git* .vscode local.settings.json -test \ No newline at end of file +test diff --git a/terraform/examples/function-app/functions/.gitignore b/terraform/examples/function-app/functions/.gitignore index 4563a76..b5c0e84 100644 --- a/terraform/examples/function-app/functions/.gitignore +++ b/terraform/examples/function-app/functions/.gitignore 
@@ -8,4 +8,4 @@ local.settings.json # Azurite artifacts __blobstorage__ __queuestorage__ -__azurite_db*__.json \ No newline at end of file +__azurite_db*__.json diff --git a/terraform/examples/function-app/functions/requirements.psd1 b/terraform/examples/function-app/functions/requirements.psd1 index 79d277a..dd10ff5 100644 --- a/terraform/examples/function-app/functions/requirements.psd1 +++ b/terraform/examples/function-app/functions/requirements.psd1 @@ -5,4 +5,4 @@ # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'. # To use the Az module in your function app, please uncomment the line below. # 'Az' = '8.*' -} \ No newline at end of file +} diff --git a/terraform/examples/setproduct-multiple-list-variations/main.tf b/terraform/examples/setproduct-multiple-list-variations/main.tf index 793f85d..5d1f44e 100644 --- a/terraform/examples/setproduct-multiple-list-variations/main.tf +++ b/terraform/examples/setproduct-multiple-list-variations/main.tf @@ -74,8 +74,8 @@ locals { role_scopes_map_of_maps = { for role_scope in local.role_scopes_product : "${role_scope[0]}-${role_scope[1]}" => { - "role_name" = role_scope[0], - "scope" = role_scope[1] + "role_name" = role_scope[0], + "scope" = role_scope[1] } } diff --git a/velero/examples/README.md b/velero/examples/README.md index 94fd7fe..deffcf3 100644 --- a/velero/examples/README.md +++ b/velero/examples/README.md @@ -2,7 +2,7 @@ This directory contains sample YAML config files that can be used for exploring Velero. -* `minio/`: Used in the [Quickstart][0] to set up [Minio][1], a local S3-compatible object storage service. +* `minio/`: Used in the [Quickstart][0] to set up [Minio][1], a local S3-compatible object storage service. It provides a convenient way to test Velero without tying you to a specific cloud provider. * `nginx-app/`: A sample nginx app that can be used to test backups and restores. From 60bf8cb741a2634cf7d41996866bf97330d269f8 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Fri, 21 Oct 2022 07:20:55 +0100 Subject: [PATCH 109/147] Changed func app time range --- terraform/function_app.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/function_app.tf b/terraform/function_app.tf index 4e9c5d0..b331f24 100644 --- a/terraform/function_app.tf +++ b/terraform/function_app.tf @@ -87,7 +87,7 @@ resource "azurerm_linux_function_app" "func_app" { # "HASH" = base64encode(filesha256("${path.module}/files/function_app.zip")) "WEBSITE_RUN_FROM_PACKAGE" = azurerm_storage_blob.func_app.url "IFTTT_WEBHOOK_KEY" = var.ifttt_webhook_key - "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 09:00" + "WEEKDAY_ALLOWED_TIME_RANGE" = "06:30 -> 08:00" } lifecycle { From 25a970d877e4fa6938c5323ce43137f92b79aa55 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 21 Oct 2022 07:23:06 +0100 Subject: [PATCH 110/147] Removed old login steps --- .github/workflows/build.yml | 10 ++-------- .github/workflows/destroy.yml | 5 +---- 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d3982b0..f05420e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -106,11 +106,8 @@ jobs: echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV # Login - # - name: Login to Azure - # run: ./scripts/azure_login.sh - # https://github.com/Azure/login - - name: OIDC Login to Azure Public Cloud (az cli and az powershell) + - name: Login via OIDC to Azure Public Cloud (az cli and az powershell) uses: azure/login@v1 with: client-id: ${{ secrets.ARM_CLIENT_ID }} 
@@ -290,11 +287,8 @@ jobs: echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" # Login - # - name: Login to Azure - # run: ./scripts/azure_login.ps1 - # https://github.com/Azure/login - - name: OIDC Login to Azure Public Cloud (az cli and az powershell) + - name: Login via OIDC to Azure Public Cloud (az cli and az powershell) uses: azure/login@v1 with: client-id: ${{ secrets.ARM_CLIENT_ID }} diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 6ea1b93..5ef452d 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -104,11 +104,8 @@ jobs: echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV # Login - # - name: Login to Azure - # run: ./scripts/azure_login.sh - # https://github.com/Azure/login - - name: OIDC Login to Azure Public Cloud (az cli and az powershell) + - name: Login via OIDC to Azure Public Cloud (az cli and az powershell) uses: azure/login@v1 with: client-id: ${{ secrets.ARM_CLIENT_ID }} From f47e5e25ab6f60d5ddc5f9f81446c48728fd5016 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 21 Oct 2022 07:42:39 +0100 Subject: [PATCH 111/147] Removed ARM_CLIENT_SECRET to ensure OIDC auth is used --- .github/workflows/build.yml | 2 +- .github/workflows/cleanup-resource-groups.yml | 13 +++++++++++-- .github/workflows/destroy.yml | 2 +- .github/workflows/start_aks_cluster.yml | 12 +++++++++--- .github/workflows/stop_aks_cluster.yml | 12 +++++++++--- README.md | 2 +- 6 files changed, 32 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f05420e..68b9f9a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -33,7 +33,7 @@ env:
 # azure creds
 ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
- ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+ # ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} # TODO Remove once OIDC working
 ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
 ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml
index 51bda54..e4b3045 100644
--- a/.github/workflows/cleanup-resource-groups.yml
+++ b/.github/workflows/cleanup-resource-groups.yml
@@ -24,7 +24,7 @@ env:
 PREFIX: arshz
 # azure creds
 ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
- ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+ # ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} # TODO Remove once OIDC working
 ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
 ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
@@ -49,13 +49,22 @@ jobs:
 run: |
 chmod -R +x ./scripts/
+ # Login
+ # https://github.com/Azure/login
+ - name: Login via OIDC to Azure Public Cloud (az cli and az powershell)
+ uses: azure/login@v1
+ with:
+ client-id: ${{ secrets.ARM_CLIENT_ID }}
+ tenant-id: ${{ secrets.ARM_TENANT_ID }}
+ subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+ enable-AzPSSession: true
+
 # Cleanup
 - name: Delete all resource groups
 uses: azure/powershell@v1
 with:
 azPSVersion: "latest"
 inlineScript: |
- ./scripts/azure_login.ps1
 ./scripts/Delete-ResourceGroups.ps1 -Prefixes "${{ env.PREFIX }}" -MaxLimit 2 -WhatIf
 # Notify
diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml
index 5ef452d..151c57f 100644
--- a/.github/workflows/destroy.yml
+++ b/.github/workflows/destroy.yml
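Review bot: The new `azure/login@v1` step in cleanup-resource-groups.yml requests an OIDC token, but no `permissions: id-token: write` grant is visible for this workflow, and the file's diffstat (`13 +++++++++++--`) is fully accounted for by the two hunks shown, so this commit does not add one; unless the workflow already declares it above the hunk, the token request will be refused and the login step will fail. The same applies to the login steps added to start_aks_cluster.yml and stop_aks_cluster.yml on the next two lines (`12 +++++++++---` each), whose diffstats are likewise covered by the visible hunks. The destroy.yml change at the top of the page already does this with a workflow-level block; add the equivalent `permissions:` / `id-token: write` to these three workflows, plus `contents: read` if the job checks out the repository, which the `./scripts/` usage suggests. The job holding the step starts above the hunk.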
@@ -33,7 +33,7 @@ env: # azure creds ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} # TODO Remove once OIDC working ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} diff --git a/.github/workflows/start_aks_cluster.yml b/.github/workflows/start_aks_cluster.yml index 8f76460..e2f64b1 100644 --- a/.github/workflows/start_aks_cluster.yml +++ b/.github/workflows/start_aks_cluster.yml @@ -20,7 +20,7 @@ env: # azure creds ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + # ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} # TODO Remove once OIDC working ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} @@ -47,8 +47,14 @@ jobs: echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV # Login - - name: Login to Azure - run: ./scripts/azure_login.sh + # https://github.com/Azure/login + - name: Login via OIDC to Azure Public Cloud (az cli and az powershell) + uses: azure/login@v1 + with: + client-id: ${{ secrets.ARM_CLIENT_ID }} + tenant-id: ${{ secrets.ARM_TENANT_ID }} + subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }} + enable-AzPSSession: true # Start # Prereqs: https://docs.microsoft.com/en-us/azure/aks/start-stop-cluster diff --git a/.github/workflows/stop_aks_cluster.yml b/.github/workflows/stop_aks_cluster.yml index 8fe41a4..8abcf60 100644 --- a/.github/workflows/stop_aks_cluster.yml +++ b/.github/workflows/stop_aks_cluster.yml @@ -20,7 +20,7 @@ env: # azure creds ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + # ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} # TODO Remove once OIDC working ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} 
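Review bot: In the destroy.yml hunk the `ARM_CLIENT_SECRET` env line is kept active and only gains a trailing `# TODO Remove once OIDC working` comment, whereas build.yml, cleanup-resource-groups.yml, start_aks_cluster.yml and stop_aks_cluster.yml comment the whole line out; that contradicts the commit message and means destroy.yml still hands the client secret to every step. With both the secret and the OIDC inputs present, the azurerm/azuread providers will most likely keep authenticating with the client secret, so the OIDC path is never exercised in this workflow. The line should read `# ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} # TODO Remove once OIDC working` like the others, or be deleted outright.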
@@ -47,8 +47,14 @@ jobs: echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV # Login - - name: Login to Azure - run: ./scripts/azure_login.sh + # https://github.com/Azure/login + - name: Login via OIDC to Azure Public Cloud (az cli and az powershell) + uses: azure/login@v1 + with: + client-id: ${{ secrets.ARM_CLIENT_ID }} + tenant-id: ${{ secrets.ARM_TENANT_ID }} + subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }} + enable-AzPSSession: true # Stop # Prereqs: https://docs.microsoft.com/en-us/azure/aks/start-stop-cluster diff --git a/README.md b/README.md index ffc7b81..5151a8a 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ Once Azure authentication has been configured, the Service Principle credential [Use these instructions](https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository) to create the following secrets for your repository: - `ARM_CLIENT_ID` -- `ARM_CLIENT_SECRET` +- `ARM_CLIENT_SECRET` # TODO: Remove this once OIDC auth has been configured throughout - `ARM_SUBSCRIPTION_ID` - `ARM_TENANT_ID` From b4ef8032c30fd06c97f7214aa342ef469c050818 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 21 Oct 2022 07:44:43 +0100 Subject: [PATCH 112/147] Changed GH action perms --- .github/workflows/build.yml | 1 + .github/workflows/destroy.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 68b9f9a..b7d0a2d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,6 +21,7 @@ on: # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect permissions: id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout # global environment variables # https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables 
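Review bot: `contents: read` is added only to build.yml and destroy.yml, but cleanup-resource-groups.yml, start_aks_cluster.yml and stop_aks_cluster.yml were switched to `azure/login` OIDC in the previous commit and their `permissions` blocks are not visible here; if they have none, those workflows run with the repository's default `GITHUB_TOKEN` scopes and lack the `id-token: write` grant azure/login needs, so the same two-line `permissions:` block should presumably be added to them. Declaring `permissions` per job rather than at workflow level would narrow the token further, though at workflow level this is already the minimum the two actions need.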
diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 151c57f..c000d7a 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -21,6 +21,7 @@ on: # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect permissions: id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout # global environment variables # https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables From 26a192d3874507838a89a25c251394443dd07a7b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 21 Oct 2022 07:54:45 +0100 Subject: [PATCH 113/147] Changed TF auth to OIDC --- terraform/versions.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index b9abe1c..c83b952 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -6,10 +6,11 @@ terraform { # terraform remote state backend "azurerm" { - access_key = "__STORAGE_KEY__" + # access_key = "__STORAGE_KEY__" # TODO Remove once OIDC working container_name = "terraform" key = "terraform.tfstate" storage_account_name = "__TERRAFORM_STORAGE_ACCOUNT__" + use_oidc = true } # providers (pin all versions) @@ -77,6 +78,8 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases provider "azurerm" { + # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc#configuring-the-service-principal-in-terraform + use_oidc = true # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/features-block features { resource_group { From 326796ae2925d1365e439237d474b348089d0a85 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 21 Oct 2022 08:04:39 +0100 Subject: [PATCH 114/147] Added TF storage RG name for backend --- terraform/versions.tf | 1 + 1 file changed, 1 insertion(+) 
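Review bot: In the backend hunk, `use_oidc = true` only changes how the backend authenticates to the management plane; unless `use_azuread_auth = true` is also set, the azurerm backend still calls listKeys on the storage account and reads the state blob with the shared key, so the federated identity must hold that permission and the shared key remains in use. Adding `use_azuread_auth = true` and granting the principal Storage Blob Data Contributor on the container moves state access to AAD and allows shared-key access to be disabled on the account. The `terraform {` block this hunk edits starts and ends outside the hunk.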
diff --git a/terraform/versions.tf b/terraform/versions.tf index c83b952..64054cc 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -9,6 +9,7 @@ terraform { # access_key = "__STORAGE_KEY__" # TODO Remove once OIDC working container_name = "terraform" key = "terraform.tfstate" + resource_group_name = "__TERRAFORM_STORAGE_RG__" storage_account_name = "__TERRAFORM_STORAGE_ACCOUNT__" use_oidc = true } From 95fb87c52dd3147936c38755d4528df0e9fff069 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 29 Oct 2022 13:19:21 +0100 Subject: [PATCH 115/147] Removed ARM_CLIENT_SECRET as using OIDC auth --- .github/workflows/build.yml | 3 +-- .github/workflows/cleanup-resource-groups.yml | 3 +-- .github/workflows/destroy.yml | 3 +-- .github/workflows/start_aks_cluster.yml | 3 +-- .github/workflows/stop_aks_cluster.yml | 3 +-- 5 files changed, 5 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b7d0a2d..ee303ac 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -32,9 +32,8 @@ env: # debug CI_DEBUG: true - # azure creds + # azure creds (used of OIDC auth) ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} - # ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} # TODO Remove once OIDC working ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml index e4b3045..3362caf 100644 --- a/.github/workflows/cleanup-resource-groups.yml +++ b/.github/workflows/cleanup-resource-groups.yml 
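Review bot: The new comment `# azure creds (used of OIDC auth)` in build.yml reads as a typo for `# azure creds (used for OIDC auth)`; the same line is introduced in cleanup-resource-groups.yml, destroy.yml, start_aks_cluster.yml and stop_aks_cluster.yml in this commit, so fix it in all five. Since `ARM_CLIENT_SECRET` is now gone everywhere, the comment could also record that the remaining values are identifiers, e.g. `# azure creds: client/tenant/subscription ids only, auth is via OIDC federated credential`.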
@@ -22,9 +22,8 @@ on: env: # prefix: used for some globally unique name requirements PREFIX: arshz - # azure creds + # azure creds (used of OIDC auth) ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} - # ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} # TODO Remove once OIDC working ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index c000d7a..a21dca6 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -32,9 +32,8 @@ env: # debug CI_DEBUG: true - # azure creds + # azure creds (used of OIDC auth) ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} # TODO Remove once OIDC working ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} diff --git a/.github/workflows/start_aks_cluster.yml b/.github/workflows/start_aks_cluster.yml index e2f64b1..a8dd693 100644 --- a/.github/workflows/start_aks_cluster.yml +++ b/.github/workflows/start_aks_cluster.yml @@ -18,9 +18,8 @@ env: # debug CI_DEBUG: true - # azure creds + # azure creds (used of OIDC auth) ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} - # ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} # TODO Remove once OIDC working ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} diff --git a/.github/workflows/stop_aks_cluster.yml b/.github/workflows/stop_aks_cluster.yml index 8abcf60..c3b5820 100644 --- a/.github/workflows/stop_aks_cluster.yml +++ b/.github/workflows/stop_aks_cluster.yml @@ -18,9 +18,8 @@ env: # debug CI_DEBUG: true - # azure creds + # azure creds (used of OIDC auth) ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} - # ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} # TODO Remove once OIDC working ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} 
From 10c7a59a5d660f1f33ea38a5f4ed1e6c19fac44e Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 29 Oct 2022 13:19:48 +0100
Subject: [PATCH 116/147] Added wait logic

---
 scripts/aks-csi-disk-expand.sh | 54 +++++++++++++++++++++++++++++-----
 1 file changed, 47 insertions(+), 7 deletions(-)

diff --git a/scripts/aks-csi-disk-expand.sh b/scripts/aks-csi-disk-expand.sh
index 0ed2ed6..91381ca 100644
--- a/scripts/aks-csi-disk-expand.sh
+++ b/scripts/aks-csi-disk-expand.sh
@@ -13,16 +13,56 @@ kubectl exec -it nginx-azuredisk -- df -h /mnt/azuredisk
 # [optional] delete pod to unattach disk
 kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/master/deploy/example/nginx-pod-azuredisk.yaml
-# TODO: add code that waits for disk state to be "unattached"
-# where tag is: "kubernetes.io-created-for-pvc-name": "pvc-azuredisk"
-PVC_NAME='pvc-azuredisk'
+
+
+# Waits for an AKS disk to report "Unattached"
+
+# vars
+SUBSCRIPTION_NAME=""
+AKS_CLUSTER_RESOURCEGROUP_NAME=""
+AKS_CLUSTER_NAME=""
+PVC_NAME="pvc-azuredisk"
+
+# login
+az login
+az account set --subscription "$SUBSCRIPTION_NAME"
+
+# get cluster and associated "node resource group" (where resources live)
+DISK_RESOURCEGROUP_NAME=$(az aks show --name "$AKS_CLUSTER_NAME" --resource-group "$AKS_CLUSTER_RESOURCEGROUP_NAME" --query "nodeResourceGroup" --output tsv)
+
+# define reusable function
+get_disk_info() {
+ az disk list --resource-group "$DISK_RESOURCEGROUP_NAME" --query "[?tags.\"kubernetes.io-created-for-pvc-name\" == '$PVC_NAME' ].{state:diskState, diskSizeGb:diskSizeGb, name:name, pvcname:tags.\"kubernetes.io-created-for-pvc-name\"}" --output table
+}
+
+# get disk associated with AKS PVC name
+echo 'Waiting for disk to become "Unattached"...'
+get_disk_info
+
+# wait for disk state to detach
+START_TIME=$SECONDS
+
 while true; do
- # body
- az disk list --query "[?tags.\"kubernetes.io-created-for-pvc-name\" == '$PVC_NAME'].{state:diskState, diskSizeGb:diskSizeGb, name:name, pvcname:tags.\"kubernetes.io-created-for-pvc-name\"}" -o table
- echo
- sleep 2
+ # get disk info
+ DISK_OUTPUT=$(get_disk_info)
+
+ # check disk state
+ if echo "$DISK_OUTPUT" | grep Attached; then
+ sleep 10
+ elif echo "$DISK_OUTPUT" | grep Unattached; then
+ echo "Disk is now Unattached."
+ break
+ fi
 done
+ELAPSED_TIME=$(($SECONDS - $START_TIME))
+echo "Disk took [$(($ELAPSED_TIME / 60))m$(($ELAPSED_TIME % 60))s] to change states"
+
+# final disk info
+get_disk_info
+
+
+
 # expand pvc
 kubectl patch pvc pvc-azuredisk --type merge --patch '{"spec": {"resources": {"requests": {"storage": "15Gi"}}}}'

From 3d0dfa9f0686356757a31c0300826cd4e8b7228a Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 29 Oct 2022 13:20:00 +0100
Subject: [PATCH 117/147] Removed AKS version section

---
 scripts/storage_create.sh | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/scripts/storage_create.sh b/scripts/storage_create.sh
index 8473fab..c6f1099 100644
--- a/scripts/storage_create.sh
+++ b/scripts/storage_create.sh
@@ -23,9 +23,3 @@ taskMessage="Creating Storage Container"
 echo "STARTED: $taskMessage..."
 az storage container create --name "terraform" --account-name "$TERRAFORM_STORAGE_ACCOUNT"
 echo "FINISHED: $taskMessage."
-
-# Get latest supported AKS version
-taskMessage="Finding latest supported AKS version"
-echo "STARTED: $taskMessage..."
-az aks get-versions -l "$LOCATION" --query "orchestrators[-1].orchestratorVersion" -o tsv
-echo "FINISHED: $taskMessage."

From 7395fde51a92d38a470a0d9ff0433c751142523b Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 29 Oct 2022 13:20:13 +0100
Subject: [PATCH 118/147] Added oidc_issuer_enabled TODO

---
 terraform/aks.tf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/terraform/aks.tf b/terraform/aks.tf
index 0f5d8dd..3687204 100644
--- a/terraform/aks.tf
+++ b/terraform/aks.tf
@@ -39,6 +39,9 @@ resource "azurerm_log_analytics_solution" "aks" {
 }
 # AKS
+# TODO: change to use direct resources and enable "oidc_issuer_enabled"
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#oidc_issuer_enabled
+#
 # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest
 module "aks" {
 source = "adamrushuk/aks/azurerm"
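Review bot: The new `while true; do` wait loop has no fallback branch: when `get_disk_info` prints neither `Attached` nor `Unattached` (another `diskState` value such as `Reserved`, an empty table because the tag or node resource group did not match, or a transient `az` failure) the loop re-runs `az disk list` immediately with no sleep and no exit, spinning against the ARM API indefinitely. Both `grep` calls also print the matched table row on every iteration, which looks unintended; `grep -q` keeps the exit status without the noise. The loop should sleep on every non-terminal iteration and give up after a bounded time so the script is safe to run unattended; the `az account set --subscription "$SUBSCRIPTION_NAME"` preamble will also fail while the placeholder vars are still `""`, so a guard that exits early when they are empty would fail faster than a confusing `az` error. The `kubectl patch pvc` expand step after the loop is unchanged context.
```shell
# … unchanged: login, DISK_RESOURCEGROUP_NAME lookup, get_disk_info() …
MAX_WAIT_SECONDS=600
START_TIME=$SECONDS

while true; do
  DISK_OUTPUT=$(get_disk_info)

  if echo "$DISK_OUTPUT" | grep -q Unattached; then
    echo "Disk is now Unattached."
    break
  elif echo "$DISK_OUTPUT" | grep -q Attached; then
    echo "Disk still Attached, waiting..."
  else
    echo "Disk state not recognised (or no disk found for PVC '$PVC_NAME'), waiting..."
  fi

  if (( SECONDS - START_TIME > MAX_WAIT_SECONDS )); then
    echo "Timed out after ${MAX_WAIT_SECONDS}s waiting for disk to become Unattached." >&2
    exit 1
  fi
  sleep 10
done
# … unchanged: elapsed-time report, final get_disk_info, expand pvc …
```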
From 887f98ddbd6add8d233e9cff584f09d235a829cd Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 29 Oct 2022 13:26:57 +0100
Subject: [PATCH 119/147] Changed minimum TF version to 1.3

---
 terraform/versions.tf | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/terraform/versions.tf b/terraform/versions.tf
index 64054cc..aabc6e6 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -2,11 +2,10 @@ terraform {
 # https://github.com/hashicorp/terraform/releases
 # https://github.com/hashicorp/terraform/blob/main/CHANGELOG.md
- required_version = ">= 1.0"
+ required_version = ">= 1.3"
 # terraform remote state
 backend "azurerm" {
- # access_key = "__STORAGE_KEY__" # TODO Remove once OIDC working
 container_name = "terraform"
 key = "terraform.tfstate"
 resource_group_name = "__TERRAFORM_STORAGE_RG__"
@@ -21,7 +20,7 @@ terraform {
 # https://github.com/terraform-providers/terraform-provider-azurerm/releases
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 3.27.0"
+ version = "~> 3.29.1"
 }
 # https://github.com/terraform-providers/terraform-provider-azuread/releases
@@ -81,6 +80,12 @@ terraform {
 provider "azurerm" {
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc#configuring-the-service-principal-in-terraform
 use_oidc = true
+
+ # TODO test "storage_use_azuread"
+ # Should the AzureRM Provider use AzureAD to connect to the Storage Blob & Queue API's, rather than the SharedKey from the Storage Account?
+ # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#storage_use_azuread
+ # storage_use_azuread = true
+
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/features-block
 features {
 resource_group {

From 56a6cbfed0235432ca5c30f22180463393a29a2a Mon Sep 17 00:00:00 2001
From: Adam Rush Date: Sat, 29 Oct 2022 13:27:52 +0100 Subject: [PATCH 120/147] TF DOCS --- terraform/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/README.md b/terraform/README.md index c74a065..5f12177 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -37,10 +37,10 @@ terraform destroy | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | +| [terraform](#requirement\_terraform) | >= 1.3 | | [archive](#requirement\_archive) | 2.2.0 | | [azuread](#requirement\_azuread) | ~> 2.29.0 | -| [azurerm](#requirement\_azurerm) | ~> 3.27.0 | +| [azurerm](#requirement\_azurerm) | ~> 3.29.1 | | [helm](#requirement\_helm) | ~> 2.7.1 | | [kubernetes](#requirement\_kubernetes) | ~> 2.14.0 | | [local](#requirement\_local) | ~> 2.2 | @@ -55,7 +55,7 @@ terraform destroy |------|---------| | [archive](#provider\_archive) | 2.2.0 | | [azuread](#provider\_azuread) | ~> 2.29.0 | -| [azurerm](#provider\_azurerm) | ~> 3.27.0 | +| [azurerm](#provider\_azurerm) | ~> 3.29.1 | | [helm](#provider\_helm) | ~> 2.7.1 | | [kubernetes](#provider\_kubernetes) | ~> 2.14.0 | | [local](#provider\_local) | ~> 2.2 | From c80f0c81291b2c07c8f45290d14cb30887090095 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 29 Oct 2022 13:28:04 +0100 Subject: [PATCH 121/147] Removed ARM_CLIENT_SECRET --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5151a8a..7a35115 100644 --- a/README.md +++ b/README.md 
@@ -53,12 +53,13 @@ configured for Azure. ### Create Secrets +TODO: Update this for OIDC auth (federated credential): https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc#configuring-the-service-principal-in-terraform + Once Azure authentication has been configured, the Service Principle credential values can be [passed as environment variables](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_client_secret#configuring-the-service-principal-in-terraform). [Use these instructions](https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository) to create the following secrets for your repository: - `ARM_CLIENT_ID` -- `ARM_CLIENT_SECRET` # TODO: Remove this once OIDC auth has been configured throughout - `ARM_SUBSCRIPTION_ID` - `ARM_TENANT_ID` From 4c3fce38e007af2fab8d5fe9692a889e02208e31 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 9 Nov 2022 08:12:50 +0000 Subject: [PATCH 122/147] Added separate AKS TF resources --- terraform/aks.tf | 166 +++++++++++++++++++++++++++++++++-------- terraform/variables.tf | 40 +--------- 2 files changed, 137 insertions(+), 69 deletions(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index 3687204..c0d87b5 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -1,3 +1,6 @@ +# AKS +# https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest + # Common resource "tls_private_key" "ssh" { algorithm = "RSA" 
@@ -38,40 +41,141 @@ resource "azurerm_log_analytics_solution" "aks" { } } -# AKS -# TODO: change to use direct resources and enable "oidc_issuer_enabled" -# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#oidc_issuer_enabled -# -# https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest -module "aks" { - source = "adamrushuk/aks/azurerm" - version = "~> 1.1.0" - - kubernetes_version = var.kubernetes_version - location = azurerm_resource_group.aks.location - resource_group_name = azurerm_resource_group.aks.name - name = var.azurerm_kubernetes_cluster_name - sla_sku = var.sla_sku - aad_auth_enabled = true - azure_policy_enabled = true - tags = var.tags - - # override defaults - default_node_pool = { - name = var.agent_pool_profile_name - count = var.agent_pool_node_count +# NOTE: Requires "Azure Active Directory Graph" "Directory.ReadWrite.All" Application API permission to create, and +# also requires "User Access Administrator" role to delete +# ! 
You can assign one of the required Azure Active Directory Roles with the AzureAD PowerShell Module +# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group +resource "azuread_group" "aks_admins" { + display_name = "${var.azurerm_kubernetes_cluster_name}-aks-administrators" + description = "${var.azurerm_kubernetes_cluster_name} Kubernetes cluster administrators" + prevent_duplicate_names = true + security_enabled = true +} + +# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster +resource "azurerm_kubernetes_cluster" "aks" { + name = var.azurerm_kubernetes_cluster_name + location = azurerm_resource_group.aks.location + resource_group_name = azurerm_resource_group.aks.name + dns_prefix = var.azurerm_kubernetes_cluster_name + kubernetes_version = var.kubernetes_version + sku_tier = "Free" + role_based_access_control_enabled = true + tags = var.tags + + default_node_pool { + name = "default" orchestrator_version = var.kubernetes_version vm_size = var.agent_pool_profile_vm_size - enable_auto_scaling = var.agent_pool_enable_auto_scaling - max_count = var.agent_pool_node_max_count - max_pods = 90 - min_count = var.agent_pool_node_min_count - os_disk_size_gb = var.agent_pool_profile_disk_size_gb + node_count = 1 } - # add-ons - log_analytics_workspace_id = var.aks_container_insights_enabled == true ? 
azurerm_log_analytics_workspace.aks[0].id : "" + linux_profile { + admin_username = var.admin_username - # Add existing group to the new AKS cluster admin group - aks_admin_group_member_name = var.aks_admins_aad_group_name + ssh_key { + key_data = chomp( + coalesce( + var.ssh_public_key, + tls_private_key.ssh.public_key_openssh, + ) + ) + } + } + + # managed identity block + # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#identity + identity { + type = "SystemAssigned" + } + + # https://docs.microsoft.com/en-us/azure/aks/azure-ad-rbac + azure_active_directory_role_based_access_control { + managed = true + admin_group_object_ids = [ + azuread_group.aks_admins.id + ] + } + + # https://docs.microsoft.com/en-ie/azure/governance/policy/concepts/policy-for-kubernetes + azure_policy_enabled = false + + # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#oms_agent + # conditional dynamic block + dynamic "oms_agent" { + for_each = var.aks_container_insights_enabled == true ? 
[1] : [] + content { + log_analytics_workspace_id = azurerm_log_analytics_workspace.aks[0].id + } + } + + # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#network_plugin + network_profile { + load_balancer_sku = "basic" + outbound_type = "loadBalancer" + network_plugin = "azure" + network_policy = "azure" + service_cidr = "10.0.0.0/16" + dns_service_ip = "10.0.0.10" + docker_bridge_cidr = "172.17.0.1/16" + } + + # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#workload_identity_enabled + # https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster#register-the-enableworkloadidentitypreview-feature-flag + oidc_issuer_enabled = true + workload_identity_enabled = true +} + +# Add role to access AKS Resource View +# https://docs.microsoft.com/en-us/azure/aks/kubernetes-portal +resource "azurerm_role_assignment" "aks_portal_resource_view" { + principal_id = azuread_group.aks_admins.id + role_definition_name = "Azure Kubernetes Service RBAC Cluster Admin" + scope = azurerm_kubernetes_cluster.aks.id +} + +# Add existing AAD group as a member to the -aks-administrators group +data "azuread_group" "existing_aks_admins" { + display_name = var.aks_admins_aad_group_name + security_enabled = true } + +resource "azuread_group_member" "existing_aks_admins" { + group_object_id = azuread_group.aks_admins.id + member_object_id = data.azuread_group.existing_aks_admins.id +} + +# AKS module +# https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest +# module "aks" { +# source = "adamrushuk/aks/azurerm" +# version = "~> 1.1.0" + +# kubernetes_version = var.kubernetes_version +# location = azurerm_resource_group.aks.location +# resource_group_name = azurerm_resource_group.aks.name +# name = var.azurerm_kubernetes_cluster_name +# sla_sku = var.sla_sku +# aad_auth_enabled = true +# azure_policy_enabled = true +# tags = var.tags + +# # override defaults +# 
default_node_pool = { +# name = var.agent_pool_profile_name +# count = var.agent_pool_node_count +# orchestrator_version = var.kubernetes_version +# vm_size = var.agent_pool_profile_vm_size +# enable_auto_scaling = var.agent_pool_enable_auto_scaling +# max_count = var.agent_pool_node_max_count +# max_pods = 90 +# min_count = var.agent_pool_node_min_count +# os_disk_size_gb = var.agent_pool_profile_disk_size_gb +# } + +# # add-ons +# log_analytics_workspace_id = var.aks_container_insights_enabled == true ? azurerm_log_analytics_workspace.aks[0].id : "" + +# # Add existing group to the new AKS cluster admin group +# aks_admin_group_member_name = var.aks_admins_aad_group_name +# } diff --git a/terraform/variables.tf b/terraform/variables.tf index 0f5ae88..5c2dde0 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -73,12 +73,12 @@ variable "external_dns_chart_version" { # https://github.com/kubereboot/charts/tree/main/charts/kured # helm search repo kubereboot/kured variable "kured_chart_version" { - default = "4.0.2" + default = "4.1.0" } # https://github.com/kubereboot/kured#kubernetes--os-compatibility variable "kured_image_tag" { - default = "1.10.2" + default = "1.11.0" } @@ -159,12 +159,6 @@ variable "aks_admins_aad_group_name" { default = "AKS-Admins" } -variable "sla_sku" { - description = "Define the SLA under which the managed master control plane of AKS is running" - type = string - default = "Free" -} - variable "aks_container_insights_enabled" { description = "Should Container Insights monitoring be enabled" default = true 
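Review bot: `azure_policy_enabled = false` in the new `azurerm_kubernetes_cluster.aks` resource silently turns off the Azure Policy add-on that the removed `module "aks"` call had enabled (`azure_policy_enabled = true` on the old side of this hunk); if that regression is not intended, set it to `true` so cluster policy enforcement survives the migration. The `azurerm_role_assignment.aks_portal_resource_view` grant of "Azure Kubernetes Service RBAC Cluster Admin" carries data actions that only take effect when `azure_rbac_enabled = true` is set inside the `azure_active_directory_role_based_access_control` block, which this resource does not set, so as written the group presumably gets only the control-plane actions of that role (such as listing user credentials) and in-cluster admin still comes solely from `admin_group_object_ids`; either enable Azure RBAC or assign the narrower "Azure Kubernetes Service Cluster User Role" and add a comment stating which mechanism is authoritative. The ~40-line commented-out `module "aks"` block at the end of the hunk is dead code that git history already preserves and should be dropped rather than carried in the file. This hunk ends before the variables.tf changes that remove the `sla_sku` and `agent_pool_*` variables it no longer references.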
@@ -174,29 +168,7 @@ variable "aks_config_path" { default = "./azurek8s_config" } - - # Agent Pool -variable "agent_pool_node_count" { - default = 1 -} - -variable "agent_pool_enable_auto_scaling" { - default = false -} - -variable "agent_pool_node_min_count" { - default = null -} - -variable "agent_pool_node_max_count" { - default = null -} - -variable "agent_pool_profile_name" { - default = "default" -} - variable "agent_pool_profile_vm_size" { # https://azureprice.net/?region=ukwest¤cy=GBP # Standard_D2s_v3 - £0.086455 per hour @@ -219,14 +191,6 @@ variable "agent_pool_profile_vm_size" { default = "Standard_D4s_v3" } -variable "agent_pool_profile_os_type" { - default = "Linux" -} - -variable "agent_pool_profile_disk_size_gb" { - default = 30 -} - # Velero From f703f47a937930fe8336506ae851254daa56ba89 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 9 Nov 2022 08:25:27 +0000 Subject: [PATCH 123/147] Bumped helm chart versions --- terraform/files/scripts/argocd_config.sh | 2 +- .../helm/aad_pod_identity_default_values.yaml | 21 +- terraform/helm/argocd_default_values.yaml | 628 +++++++++++------- terraform/variables.tf | 12 +- 4 files changed, 399 insertions(+), 264 deletions(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index 20707a8..743001c 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -19,7 +19,7 @@ ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install # https://github.com/argoproj/argo-cd/releases/ -VERSION="v2.4.15" +VERSION="v2.5.2" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" diff --git a/terraform/helm/aad_pod_identity_default_values.yaml b/terraform/helm/aad_pod_identity_default_values.yaml index fce412f..301b69b 100644 --- a/terraform/helm/aad_pod_identity_default_values.yaml +++ b/terraform/helm/aad_pod_identity_default_values.yaml 
@@ -1,4 +1,4 @@ -# source: https://github.com/Azure/aad-pod-identity/blob/v1.8.3/charts/aad-pod-identity/values.yaml +# source: https://github.com/Azure/aad-pod-identity/blob/v1.8.13/charts/aad-pod-identity/values.yaml # Default values for aad-pod-identity-helm. # This is a YAML-formatted file. @@ -45,7 +45,7 @@ operationMode: "standard" mic: image: mic - tag: v1.8.3 + tag: v1.8.13 # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical priorityClassName: "" @@ -143,6 +143,12 @@ mic: # cloud configuration used to authenticate with Azure cloudConfig: "/etc/kubernetes/azure.json" + # Configures for a custom cloud per the example here: + # https://azure.github.io/aad-pod-identity/docs/configure/custom_cloud/ + customCloud: + enabled: false + configPath: "/etc/kubernetes/akscustom.json" + # The maximum retry of UpdateUserMSI call. MIC updates all the identities in a batch. If a single identity contains an error # or is invalid, then the entire operation fails. Configuring this flag will make MIC retry by removing the erroneous identities # returned in the error @@ -159,7 +165,7 @@ mic: nmi: image: nmi - tag: v1.8.3 + tag: v1.8.13 # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical priorityClassName: "" @@ -198,7 +204,7 @@ nmi: affinity: {} # nodeAffinity: # preferredDuringSchedulingIgnoredDuringExecution: - # - weight 1 + # - weight: 1 # preference: # matchExpressions: # - key: kubernetes.azure.com/mode @@ -237,8 +243,8 @@ nmi: blockInstanceMetadata: "" # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#metadata-header-required-flag - # default is false - metadataHeaderRequired: "" + # default is true + metadataHeaderRequired: true # enable running aad-pod-identity on clusters with kubenet # default is false 
@@ -251,6 +257,9 @@ nmi: # Set retry-after header in the NMI responses when the identity is still being assigned. setRetryAfterHeader: false + # Enable/Disable deletion of conntrack entries for pre-existing connections to metadata endpoint + enableConntrackDeletion: false + rbac: enabled: true # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity. diff --git a/terraform/helm/argocd_default_values.yaml b/terraform/helm/argocd_default_values.yaml index 2ab6310..cd8cb19 100644 --- a/terraform/helm/argocd_default_values.yaml +++ b/terraform/helm/argocd_default_values.yaml @@ -1,4 +1,4 @@ -# https://github.com/argoproj/argo-helm/blob/argo-cd-5.6.0/charts/argo-cd/values.yaml +# https://github.com/argoproj/argo-helm/blob/argo-cd-5.13.6/charts/argo-cd/values.yaml ## Argo CD configuration ## Ref: https://github.com/argoproj/argo-cd @@ -14,7 +14,7 @@ kubeVersionOverride: "" # If you want to template helm charts but cannot access k8s API server # you can set api versions here apiVersionOverrides: - # -- String to override apiVersion of certmanager resources rendered by this helm chart + # -- String to override apiVersion of cert-manager resources rendered by this helm chart certmanager: "" # cert-manager.io/v1 # -- String to override apiVersion of GKE resources rendered by this helm chart cloudgoogle: "" # cloud.google.com/v1 @@ -42,7 +42,16 @@ crds: # -- Annotations to be added to all CRDs annotations: {} +## Globally shared configuration global: + # -- Common labels for the all resources + additionalLabels: {} + # app: argo-cd + + # -- Number of old deployment ReplicaSets to retain. The rest will be garbage collected. + revisionHistoryLimit: 3 + + # Default image used by all components image: # -- If defined, a repository applied to all Argo CD deployments repository: quay.io/argoproj/argocd 
@@ -54,16 +63,21 @@ global: # -- Secrets with credentials to pull images from a private registry imagePullSecrets: [] + # Default logging options used by all components logging: # -- Set the global logging format. Either: `text` or `json` format: text # -- Set the global logging level. One of: `debug`, `info`, `warn` or `error` level: info + # -- Annotations for the all deployed pods podAnnotations: {} + # -- Labels for the all deployed pods podLabels: {} - # -- Toggle and define securityContext. See [values.yaml] + + # -- Toggle and define pod-level security context. + # @default -- `{}` (See [values.yaml]) securityContext: {} # runAsUser: 999 # runAsGroup: 999 @@ -75,10 +89,6 @@ global: # hostnames: # - git.myhostname - # -- Additional labels to add to all resources - additionalLabels: {} - # app: argo-cd - networkPolicy: # -- Create NetworkPolicy objects for all components create: false 
@@ -87,6 +97,145 @@ global: ## Argo Configs configs: + # General Argo CD configuration + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml + cm: + # -- Create the argocd-cm configmap for [Declarative setup] + create: true + + # -- Annotations to be added to argocd-cm configmap + annotations: {} + + # -- Argo CD's externally facing base URL (optional). Required when configuring SSO + url: "" + + # -- The name of tracking label used by Argo CD for resource pruning + # @default -- Defaults to app.kubernetes.io/instance + application.instanceLabelKey: argocd.argoproj.io/instance + + # -- Enable logs RBAC enforcement + ## Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.3-2.4/#enable-logs-rbac-enforcement + server.rbac.log.enforce.enable: false + + # -- Enable exec feature in Argo UI + ## Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/#exec-resource + exec.enabled: false + + # -- Enable local admin user + ## Ref: https://argo-cd.readthedocs.io/en/latest/faq/#how-to-disable-admin-user + admin.enabled: true + + # -- Timeout to discover if a new manifests version got published to the repository + timeout.reconciliation: 180s + + # -- Timeout to refresh application data as well as target manifests cache + timeout.hard.reconciliation: 0 + + # Dex configuration + # dex.config: | + # connectors: + # # GitHub example + # - type: github + # id: github + # name: GitHub + # config: + # clientID: aabbccddeeff00112233 + # clientSecret: $dex.github.clientSecret # Alternatively $:dex.github.clientSecret + # orgs: + # - name: your-github-org + + # OIDC configuration as an alternative to dex (optional). + # oidc.config: | + # name: AzureAD + # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0 + # clientID: CLIENT_ID + # clientSecret: $oidc.azuread.clientSecret + # rootCA: | + # -----BEGIN CERTIFICATE----- + # ... encoded certificate data here ... 
+ # -----END CERTIFICATE----- + # requestedIDTokenClaims: + # groups: + # essential: true + # requestedScopes: + # - openid + # - profile + # - email + + # Argo CD configuration parameters + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml + params: + # -- Annotations to be added to the argocd-cmd-params-cm ConfigMap + annotations: {} + + ## Generic parameters + # -- Open-Telemetry collector address: (e.g. "otel-collector:4317") + otlp.address: '' + + ## Controller Properties + # -- Number of application status processors + controller.status.processors: 20 + # -- Number of application operation processors + controller.operation.processors: 10 + # -- Specifies timeout between application self heal attempts + controller.self.heal.timeout.seconds: 5 + # -- Repo server RPC call timeout seconds. + controller.repo.server.timeout.seconds: 60 + + ## Server properties + # -- Run server without TLS + server.insecure: false + # -- Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from / + server.basehref: / + # -- Used if Argo CD is running behind reverse proxy under subpath different from / + server.rootpath: '' + # -- Directory path that contains additional static assets + server.staticassets: /shared/app + # -- Disable Argo CD RBAC for user authentication + server.disable.auth: false + # -- Enable GZIP compression + server.enable.gzip: false + # -- Set X-Frame-Options header in HTTP responses to value. To disable, set to "". + server.x.frame.options: sameorigin + + ## Repo-server properties + # -- Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit. + reposerver.parallelism.limit: 0 + + # Argo CD RBAC policy configuration + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md + rbac: + # -- Create the argocd-rbac-cm configmap with ([Argo CD RBAC policy]) definitions. 
+ # If false, it is expected the configmap will be created by something else. + # Argo CD will not work if there is no configmap created with the name above. + create: true + + # -- Annotations to be added to argocd-rbac-cm configmap + annotations: {} + + # -- The name of the default role which Argo CD will falls back to, when authorizing API requests (optional). + # If omitted or empty, users may be still be able to login, but will see no apps, projects, etc... + policy.default: '' + + # -- File containing user-defined policies and role definitions. + # @default -- `''` (See [values.yaml]) + policy.csv: '' + # Policy rules are in the form: + # p, subject, resource, action, object, effect + # Role definitions and bindings are in the form: + # g, subject, inherited-subject + # policy.csv | + # p, role:org-admin, applications, *, */*, allow + # p, role:org-admin, clusters, get, *, allow + # p, role:org-admin, repositories, *, *, allow + # p, role:org-admin, logs, get, *, allow + # p, role:org-admin, exec, create, */*, allow + # g, your-github-org:your-team, role:org-admin + + # -- OIDC scopes to examine during rbac enforcement (in addition to `sub` scope). + # The scope value can be a string, or a list of strings. + scopes: "[groups]" + # -- Provide one or multiple [external cluster credentials] # @default -- `[]` (See [values.yaml]) ## Ref: @@ -243,6 +392,8 @@ configs: # -- Annotations to be added to `configs.repositories` Secret repositoriesAnnotations: {} + # Argo CD sensitive data + # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sensitive-data-and-sso-client-secrets secret: # -- Create the argocd-secret createSecret: true 
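Review bot: The `configs.cm`, `configs.params` and `configs.rbac` blocks added in this hunk are the new home for settings that the hunks at `@@ -298,46 +443,6 @@` and `@@ -1543,97 +1700,6 @@` remove from `server.config`, `server.configEnabled`, `server.rbacConfig*` and the old `configs.params`, and `@@ -269,16 +420,10 @@` deprecates `argocdServerTlsConfig` in favour of `server.certificate`/`server.certificateSecret`; since this file tracks the upstream 5.13.6 chart defaults (header comment), any repo-side override that still targets the old paths — for example in argocd_helm.tf or argocd_config.sh, neither visible here — would be silently dropped by the new chart. As written the defaults keep the local admin login enabled (`admin.enabled: true`) and grant nothing by default (`policy.default: ''`, `policy.csv: ''`), so confirm the SSO/RBAC overrides were migrated to the `configs.*` paths before the upgrade lands. Note also the typing change: the removed `server.config` entries were quoted strings (`"false"`, `"true"`, `"0"`) while the added `configs.cm` keys use bare booleans and ints, so overrides copied from the old form should be checked against what the new templates expect.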
@@ -269,16 +420,10 @@ configs: # LDAP_PASSWORD: "mypassword" # -- Argo TLS Data - argocdServerTlsConfig: - {} - # key: - # crt: | - # -----BEGIN CERTIFICATE----- - # - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # - # -----END CERTIFICATE----- + # DEPRECATED - Use server.certificate or server.certificateSecret + # argocdServerTlsConfig: + # key: '' + # crt: '' # -- Bcrypt hashed admin password ## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with 
@@ -298,46 +443,6 @@ configs: # background: linear-gradient(to bottom, #999, #777, #333, #222, #111); # } - # Argo CD configuration parameters - ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml - params: - # -- Annotations to be added to the argocd-cmd-params-cm ConfigMap - annotations: {} - - ## Generic parameters - # -- Open-Telemetry collector address: (e.g. "otel-collector:4317") - otlp.address: '' - - ## Controller Properties - # -- Number of application status processors - controller.status.processors: 20 - # -- Number of application operation processors - controller.operation.processors: 10 - # -- Specifies timeout between application self heal attempts - controller.self.heal.timeout.seconds: 5 - # -- Repo server RPC call timeout seconds. - controller.repo.server.timeout.seconds: 60 - - ## Server properties - # -- Run server without TLS - server.insecure: false - # -- Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from / - server.basehref: / - # -- Used if Argo CD is running behind reverse proxy under subpath different from / - server.rootpath: '' - # -- Directory path that contains additional static assets - server.staticassets: /shared/app - # -- Disable Argo CD RBAC for user authentication - server.disable.auth: false - # -- Enable GZIP compression - server.enable.gzip: false - # -- Set X-Frame-Options header in HTTP responses to value. To disable, set to "". - server.x.frame.options: sameorigin - - ## Repo-server properties - # -- Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit. - reposerver.parallelism.limit: 0 - # -- Array of extra K8s manifests to deploy extraObjects: [] # - apiVersion: secrets-store.csi.x-k8s.io/v1 
@@ -452,20 +557,22 @@ controller: podLabels: {} # -- Application controller container-level security context + # @default -- See [values.yaml] containerSecurityContext: - {} - # capabilities: - # drop: - # - all - # readOnlyRootFilesystem: true - # runAsNonRoot: true + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL # -- Application controller listening port containerPort: 8082 - ## Readiness and liveness probes for default backend + # Rediness probe for application controller ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - ## readinessProbe: # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 @@ -477,17 +584,6 @@ controller: successThreshold: 1 # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 - livenessProbe: - # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded - failureThreshold: 3 - # -- Number of seconds after the container has started before [probe] is initiated - initialDelaySeconds: 10 - # -- How often (in seconds) to perform the [probe] - periodSeconds: 10 - # -- Minimum consecutive successes for the [probe] to be considered successful after having failed - successThreshold: 1 - # -- Number of seconds after which the [probe] times out - timeoutSeconds: 1 # -- Additional volumeMounts to the application controller main container volumeMounts: [] 
@@ -495,21 +591,12 @@ controller: # -- Additional volumes to the application controller pod volumes: [] - ## Controller service configuration - service: - # -- Application controller service annotations - annotations: {} - # -- Application controller service labels - labels: {} - # -- Application controller service port - port: 8082 - # -- Application controller service port name - portName: https-controller - # -- [Node selector] nodeSelector: {} + # -- [Tolerations] for use with node taints tolerations: [] + # -- Assign custom [affinity] rules to the deployment affinity: {} @@ -584,6 +671,8 @@ controller: namespace: "" # "monitoring" # -- Prometheus ServiceMonitor labels additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} rules: # -- Deploy a PrometheusRule for the application controller enabled: false @@ -694,6 +783,8 @@ dex: namespace: "" # "monitoring" # -- Prometheus ServiceMonitor labels additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} ## Dex Pod Disruption Budget ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ @@ -716,7 +807,7 @@ dex: # -- Dex image repository repository: ghcr.io/dexidp/dex # -- Dex image tag - tag: v2.35.1-distroless + tag: v2.35.3 # -- Dex imagePullPolicy # @default -- `""` (defaults to global.image.imagePullPolicy) imagePullPolicy: "" @@ -725,6 +816,7 @@ dex: # @default -- `[]` (defaults to global.imagePullSecrets) imagePullSecrets: [] + # Argo CD init image that creates Dex config initImage: # -- Argo CD init image repository # @default -- `""` (defaults to global.image.repository) 
@@ -747,12 +839,41 @@ dex: # - secretRef: # name: secret-name + # TLS certificate configuration via Secret + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#configuring-tls-to-argocd-dex-server + ## Note: Issuing certificates via cert-manager in not supported right now because it's not possible to restart Dex automatically without extra controllers. + certificateSecret: + # -- Create argocd-dex-server-tls secret + enabled: false + # -- Labels to be added to argocd-dex-server-tls secret + labels: {} + # -- Annotations to be added to argocd-dex-server-tls secret + annotations: {} + # -- Certificate authority. Required for self-signed certificates. + ca: '' + # -- Certificate private key + key: '' + # -- Certificate data. Must contain SANs of Dex service (ie: argocd-dex-server, argocd-dex-server.argo-cd.svc) + crt: '' + # -- Annotations to be added to the Dex server pods podAnnotations: {} # -- Labels to be added to the Dex server pods podLabels: {} + # -- Dex container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + ## Probes for Dex server ## Supported from Dex >= 2.28.0 livenessProbe: @@ -833,14 +954,6 @@ dex: # -- Priority class for dex priorityClassName: "" - # -- Dex container-level security context - containerSecurityContext: - {} - # capabilities: - # drop: - # - all - # readOnlyRootFilesystem: true - # -- Resource limits and requests for dex resources: {} # limits: 
@@ -932,6 +1045,22 @@ redis: # -- Labels to be added to the Redis server pods podLabels: {} + # -- Redis pod-level security context + # @default -- See [values.yaml] + securityContext: + runAsNonRoot: true + runAsUser: 999 + seccompProfile: + type: RuntimeDefault + + # -- Redis container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + # -- [Node selector] nodeSelector: {} # -- [Tolerations] for use with node taints @@ -950,19 +1079,6 @@ redis: # -- Priority class for redis priorityClassName: "" - # -- Redis container-level security context - containerSecurityContext: - {} - # capabilities: - # drop: - # - all - # readOnlyRootFilesystem: true - - # -- Redis pod-level security context - securityContext: - runAsNonRoot: true - runAsUser: 999 - serviceAccount: # -- Create a service account for the redis pod create: false @@ -1024,6 +1140,19 @@ redis: imagePullPolicy: IfNotPresent # -- Port to use for redis-exporter sidecar containerPort: 9121 + + # -- Redis exporter security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + # -- Resource limits and requests for redis-exporter sidecar resources: {} # limits: @@ -1066,6 +1195,8 @@ redis: namespace: "" # "monitoring" # -- Prometheus ServiceMonitor labels additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} # This key configures Redis-HA subchart and when enabled (redis-ha.enabled=true) @@ -1233,7 +1364,6 @@ server: ## Readiness and liveness probes for default backend ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - ## readinessProbe: # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 
@@ -1281,13 +1411,17 @@ server: # -- Priority class for the Argo CD server priorityClassName: "" - # -- Servers container-level security context + # -- Server container-level security context + # @default -- See [values.yaml] containerSecurityContext: - {} - # capabilities: - # drop: - # - all - # readOnlyRootFilesystem: true + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL # -- Resource limits and requests for the Argo CD server resources: {} 
@@ -1298,16 +1432,34 @@ server: # cpu: 50m # memory: 64Mi - ## Certificate configuration + # TLS certificate configuration via cert-manager + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#tls-certificates-used-by-argocd-server certificate: # -- Deploy a Certificate resource (requires cert-manager) enabled: false + # -- The name of the Secret that will be automatically created and managed by this Certificate resource + secretName: argocd-server-tls # -- Certificate primary domain (commonName) domain: argocd.example.com - # -- The requested 'duration' (i.e. lifetime) of the Certificate. Value must be in units accepted by Go time.ParseDuration + # -- Certificate Subject Alternate Names (SANs) + additionalHosts: [] + # -- The requested 'duration' (i.e. lifetime) of the certificate. + # @default -- `""` (defaults to 2160h = 90d if not specified) + ## Ref: https://cert-manager.io/docs/usage/certificate/#renewal duration: "" - # -- How long before the currently issued certificate's expiry cert-manager should renew the certificate. Value must be in units accepted by Go time.ParseDuration + # -- How long before the expiry a certificate should be renewed. + # @default -- `""` (defaults to 360h = 15d if not specified) + ## Ref: https://cert-manager.io/docs/usage/certificate/#renewal renewBefore: "" + # Certificate issuer + ## Ref: https://cert-manager.io/docs/concepts/issuer + issuer: + # -- Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io` + group: "" + # -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer` + kind: "" + # -- Certificate isser name. Eg. `letsencrypt` + name: "" # Private key of the certificate privateKey: # -- Rotation policy of private key when certificate is re-issued. Either: `Never` or `Always` 
@@ -1318,17 +1470,20 @@ server: algorithm: RSA # -- Key bit size of the private key. If algorithm is set to `Ed25519`, size is ignored. size: 2048 - issuer: - # -- Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io` - group: "" - # -- Certificate issuer kind. Either `Issuer` or `ClusterIssuer` - kind: "" - # -- Certificate isser name. Eg. `letsencrypt` - name: "" - # -- Certificate manager additional hosts - additionalHosts: [] - # -- The name of the Secret that will be automatically created and managed by this Certificate resource - secretName: argocd-server-tls + + # TLS certificate configuration via Secret + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#tls-certificates-used-by-argocd-server + certificateSecret: + # -- Create argocd-server-tls secret + enabled: false + # -- Annotations to be added to argocd-server-tls secret + annotations: {} + # -- Labels to be added to argocd-server-tls secret + labels: {} + # -- Private Key of the certificate + key: '' + # -- Certificate data + crt: '' ## Server service configuration service: @@ -1399,6 +1554,8 @@ server: namespace: "" # monitoring # -- Prometheus ServiceMonitor labels additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} serviceAccount: # -- Create server service account @@ -1454,7 +1611,7 @@ server: # -- Ingress TLS configuration tls: [] - # - secretName: argocd-tls-certificate + # - secretName: your-certificate-name # hosts: # - argocd.example.com @@ -1520,7 +1677,7 @@ server: # -- Ingress TLS configuration for dedicated [gRPC-ingress] tls: [] - # - secretName: argocd-tls-certificate + # - secretName: your-certificate-name # hosts: # - argocd.example.com 
@@ -1543,97 +1700,6 @@ server: # -- Termination policy of Openshift Route termination_policy: None - # -- Manage Argo CD configmap (Declarative Setup) - ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml - configEnabled: true - # -- [General Argo CD configuration] - # @default -- See [values.yaml] - config: - # Argo CD's externally facing base URL (optional). Required when configuring SSO - url: "" - - # Argo CD instance label key - application.instanceLabelKey: argocd.argoproj.io/instance - - # Enable logs RBAC enforcement - # Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.3-2.4/#enable-logs-rbac-enforcement - server.rbac.log.enforce.enable: "false" - - # exec.enabled indicates whether the UI exec feature is enabled. It is disabled by default. - # Ref: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac/#exec-resource - exec.enabled: "false" - - # admin.enabled indicates whether the admin user is enabled. It is enabled by default. - # https://argo-cd.readthedocs.io/en/latest/faq/#how-to-disable-admin-user - admin.enabled: "true" - - # Application reconciliation timeout is the max amount of time required to discover if a new manifests version got - # published to the repository. Reconciliation by timeout is disabled if timeout is set to 0. Three minutes by default. - timeout.reconciliation: 180s - - # Timeout to refresh application data as well as target manifests cache - timeout.hard.reconciliation: "0" - - # Dex configuration - # dex.config: | - # connectors: - # # GitHub example - # - type: github - # id: github - # name: GitHub - # config: - # clientID: aabbccddeeff00112233 - # clientSecret: $dex.github.clientSecret # Alternatively $:dex.github.clientSecret - # orgs: - # - name: your-github-org - - # OIDC configuration as an alternative to dex (optional). 
- # oidc.config: | - # name: AzureAD - # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0 - # clientID: CLIENT_ID - # clientSecret: $oidc.azuread.clientSecret - # requestedIDTokenClaims: - # groups: - # essential: true - # requestedScopes: - # - openid - # - profile - # - email - - # -- Annotations to be added to Argo CD ConfigMap - configAnnotations: {} - - # -- Argo CD rbac config ([Argo CD RBAC policy]) - ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md - rbacConfig: - {} - # policy.csv is a file containing user-defined RBAC policies and role definitions (optional). - # Policy rules are in the form: - # p, subject, resource, action, object, effect - # Role definitions and bindings are in the form: - # g, subject, inherited-subject - # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md for additional information. - # policy.csv: | - # # Grant all members of the group 'my-org:team-alpha; the ability to sync apps in 'my-project' - # p, my-org:team-alpha, applications, sync, my-project/*, allow - # # Grant all members of 'my-org:team-beta' admins - # g, my-org:team-beta, role:admin - # policy.default is the name of the default role which Argo CD will falls back to, when - # authorizing API requests (optional). If omitted or empty, users may be still be able to login, - # but will see no apps, projects, etc... - # policy.default: role:readonly - # scopes controls which OIDC scopes to examine during rbac enforcement (in addition to `sub` scope). - # If omitted, defaults to: '[groups]'. The scope value can be a string, or a list of strings. - # scopes: '[cognito:groups, email]' - - # -- Annotations to be added to Argo CD rbac ConfigMap - rbacConfigAnnotations: {} - - # -- Whether or not to create the configmap. If false, it is expected the configmap will be created - # by something else. Argo CD will not work if there is no configMap created with the name above. 
- rbacConfigCreate: true - ## Enable Admin ClusterRole resources. ## Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster. clusterAdminAccess: @@ -1731,6 +1797,18 @@ server: # -- Image pull policy for extensions imagePullPolicy: IfNotPresent + # -- Server UI extensions container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + # -- Resource limits and requests for the argocd-extensions container resources: {} # limits: @@ -1841,7 +1919,6 @@ repoServer: ## Readiness and liveness probes for default backend ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - ## readinessProbe: # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 @@ -1895,12 +1972,16 @@ repoServer: priorityClassName: "" # -- Repo server container-level security context + # @default -- See [values.yaml] containerSecurityContext: - {} - # capabilities: - # drop: - # - all - # readOnlyRootFilesystem: true + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL # -- Resource limits and requests for the repo server pods resources: {} @@ -1956,6 +2037,8 @@ repoServer: namespace: "" # "monitoring" # -- Prometheus ServiceMonitor labels additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} ## Enable Admin ClusterRole resources. ## Enable if you would like to grant cluster rights to Argo CD repo server. 
@@ -2116,6 +2199,8 @@ applicationSet: namespace: "" # monitoring # -- Prometheus ServiceMonitor labels additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} ## Application set service configuration service: 
@@ -2145,18 +2230,47 @@ applicationSet: # -- Labels for the controller pods podLabels: {} - # -- Pod Security Context - podSecurityContext: {} - # fsGroup: 2000 + # -- ApplicationSet controller container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + + ## Probes for ApplicationSet controller (optional) + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + readinessProbe: + # -- Enable Kubernetes liveness probe for ApplicationSet controller + enabled: false + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 - # -- Security Context - securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 + livenessProbe: + # -- Enable Kubernetes liveness probe for ApplicationSet controller + enabled: false + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 10 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 # -- 
Resource limits and requests for the controller pods. resources: {} @@ -2383,6 +2497,8 @@ notifications: # prometheus: kube-prometheus # -- Prometheus ServiceMonitor labels additionalLabels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} # namespace: monitoring # interval: 30s # scrapeTimeout: 10s @@ -2404,8 +2520,17 @@ notifications: # -- Labels to be applied to the controller Pods podLabels: {} - # -- Container Security Context - containerSecurityContext: {} + # -- Notification controller container-level security Context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL # -- Priority class for the controller pods priorityClassName: "" @@ -2719,10 +2844,6 @@ notifications: ## You have to set secret.notifiers.slack.signingSecret enabled: false - # -- The deployment strategy to use to replace existing pods with new ones - updateStrategy: - type: Recreate - ## Slack bot Pod Disruption Budget ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ pdb: @@ -2774,12 +2895,17 @@ notifications: # -- Annotations applied to created service account annotations: {} - # -- Pod Security Context - securityContext: + # -- Slack bot container-level security Context + # @default -- See [values.yaml] + containerSecurityContext: runAsNonRoot: true - - # -- Container Security Context - containerSecurityContext: {} + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL # -- Resource limits and requests for the Slack bot resources: {} diff --git a/terraform/variables.tf b/terraform/variables.tf index 5c2dde0..3604b3c 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -4,7 +4,7 @@ # version used for both main AKS API service, and default node pool # https://github.com/Azure/AKS/releases # az aks get-versions --location eastus --output table -# pwsh -Command "(az aks get-versions --location uksouth | convertfrom-json).orchestrators | where default" +# az aks get-versions --location uksouth --output tsv --query "orchestrators | [?default].orchestratorVersion" variable "kubernetes_version" { default = "1.23.12" } @@ -39,7 +39,7 @@ variable "velero_image_tag" { # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.42.0" + default = "3.43.0" } # https://github.com/adamrushuk/charts/releases @@ -59,7 +59,7 @@ variable "akv2k8s_chart_version" { # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 # helm search repo aad-pod-identity/aad-pod-identity variable "aad_pod_identity_chart_version" { - default = "4.1.10" + default = "4.1.14" } # https://bitnami.com/stack/external-dns/helm @@ -67,7 +67,7 @@ variable "aad_pod_identity_chart_version" { # helm search repo bitnami/external-dns # helm search repo -l bitnami/external-dns variable "external_dns_chart_version" { - default = "6.10.2" + default = "6.11.3" } # https://github.com/kubereboot/charts/tree/main/charts/kured @@ -88,13 +88,13 @@ variable "kured_image_tag" { # helm search repo -l argo/argo-cd | head -n 20 # * also update terraform/helm/argocd_default_values.yaml variable "argocd_chart_version" { - default = "5.6.0" + default = "5.13.6" } # https://hub.docker.com/r/argoproj/argocd/tags # * also update cli version: terraform/files/scripts/argocd_config.sh#L22 variable "argocd_image_tag" { - default = "v2.4.15" + default = "v2.5.2" } #endregion Versions From 3d4d91bb3770abb35b3086544e1f68704675eb41 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Wed, 9 Nov 2022 08:37:15 +0000 Subject: [PATCH 124/147] Changed all module.aks refs to azurerm_kubernetes_cluster.aks --- terraform/aad_pod_identity_helm.tf | 6 +++--- terraform/akv2k8s_helm.tf | 14 +++++++------- terraform/argocd_helm.tf | 2 +- terraform/data.tf | 2 +- terraform/dns.tf | 4 ++-- terraform/gitlab_helm.tf | 2 +- terraform/kured_helm.tf | 2 +- terraform/nexus_helm.tf | 2 +- terraform/nginx_helm.tf | 2 +- terraform/outputs.tf | 10 +++++----- terraform/velero.tf | 4 ++-- terraform/velero_mi_auth.tf | 2 +- terraform/versions.tf | 16 ++++++++-------- 13 files changed, 34 insertions(+), 34 deletions(-) diff --git a/terraform/aad_pod_identity_helm.tf b/terraform/aad_pod_identity_helm.tf index fd84211..672b06e 100644 --- a/terraform/aad_pod_identity_helm.tf +++ b/terraform/aad_pod_identity_helm.tf @@ -3,14 +3,14 @@ # role assignment for aad-pod-identity # https://azure.github.io/aad-pod-identity/docs/getting-started/role-assignment/#performing-role-assignments resource "azurerm_role_assignment" "aks_mi_aks_node_rg_vm_contributor" { - principal_id = module.aks.kubelet_identity[0].object_id + principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id role_definition_name = "Virtual Machine Contributor" scope = data.azurerm_resource_group.aks_node_rg.id skip_service_principal_aad_check = true } resource "azurerm_role_assignment" "aks_mi_aks_node_rg_mi_operator" { - principal_id = module.aks.kubelet_identity[0].object_id + principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id role_definition_name = "Managed Identity Operator" scope = data.azurerm_resource_group.aks_node_rg.id skip_service_principal_aad_check = true @@ -33,7 +33,7 @@ resource "kubernetes_namespace" "aad_pod_identity" { delete = "15m" } - depends_on = [module.aks] + depends_on = [azurerm_kubernetes_cluster.aks] } # https://www.terraform.io/docs/providers/helm/r/release.html 
diff --git a/terraform/akv2k8s_helm.tf b/terraform/akv2k8s_helm.tf index 1aa31a4..312dc22 100644 --- a/terraform/akv2k8s_helm.tf +++ b/terraform/akv2k8s_helm.tf @@ -16,7 +16,7 @@ data "azurerm_key_vault" "kv" { # key_vault_id = data.azurerm_key_vault.kv.id # tenant_id = data.azurerm_subscription.current.tenant_id -# object_id = module.aks.kubelet_identity[0].object_id +# object_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id # certificate_permissions = [ # "get" @@ -36,21 +36,21 @@ data "azurerm_key_vault" "kv" { resource "azurerm_role_assignment" "aks_mi_kv_certs" { scope = data.azurerm_key_vault.kv.id role_definition_name = "Key Vault Certificates Officer" - principal_id = module.aks.kubelet_identity[0].object_id + principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id description = "Perform any action on the keys of a key vault, except manage permissions" } resource "azurerm_role_assignment" "aks_mi_kv_keys" { scope = data.azurerm_key_vault.kv.id role_definition_name = "Key Vault Crypto User" - principal_id = module.aks.kubelet_identity[0].object_id + principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id description = "Perform cryptographic operations using keys" } resource "azurerm_role_assignment" "aks_mi_kv_secrets" { scope = data.azurerm_key_vault.kv.id role_definition_name = "Key Vault Secrets User" - principal_id = module.aks.kubelet_identity[0].object_id + principal_id = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id description = "Provides read-only access to secret contents" } 
@@ -58,10 +58,10 @@ resource "azurerm_role_assignment" "aks_mi_kv_secrets" { # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#kube_admin_config_raw # https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file resource "local_sensitive_file" "kubeconfig" { - content = module.aks.full_object.kube_admin_config_raw + content = azurerm_kubernetes_cluster.aks.kube_admin_config_raw filename = var.aks_config_path - depends_on = [module.aks] + depends_on = [azurerm_kubernetes_cluster.aks] } # https://www.terraform.io/docs/providers/kubernetes/r/namespace.html @@ -73,7 +73,7 @@ resource "kubernetes_namespace" "akv2k8s" { delete = "15m" } - depends_on = [module.aks] + depends_on = [azurerm_kubernetes_cluster.aks] } # https://www.terraform.io/docs/providers/helm/r/release.html diff --git a/terraform/argocd_helm.tf b/terraform/argocd_helm.tf index 479e01c..1d2b70f 100644 --- a/terraform/argocd_helm.tf +++ b/terraform/argocd_helm.tf @@ -11,7 +11,7 @@ resource "kubernetes_namespace" "argocd" { delete = "15m" } - depends_on = [module.aks] + depends_on = [azurerm_kubernetes_cluster.aks] } # https://www.terraform.io/docs/provisioners/local-exec.html diff --git a/terraform/data.tf b/terraform/data.tf index d251f4d..701481c 100644 --- a/terraform/data.tf +++ b/terraform/data.tf @@ -2,5 +2,5 @@ data "azurerm_subscription" "current" {} data "azurerm_resource_group" "aks_node_rg" { - name = module.aks.node_resource_group + name = azurerm_kubernetes_cluster.aks.node_resource_group } diff --git a/terraform/dns.tf b/terraform/dns.tf index c1c6d17..e4129ae 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf 
@@ -10,7 +10,7 @@ data "azurerm_dns_zone" "dns" { # external-dns managed identity resource "azurerm_user_assigned_identity" "external_dns" { - resource_group_name = module.aks.node_resource_group + resource_group_name = azurerm_kubernetes_cluster.aks.node_resource_group location = var.location name = "mi-external-dns" } @@ -40,7 +40,7 @@ resource "kubernetes_namespace" "external_dns" { delete = "15m" } - depends_on = [module.aks] + depends_on = [azurerm_kubernetes_cluster.aks] } # https://www.terraform.io/docs/provisioners/local-exec.html diff --git a/terraform/gitlab_helm.tf b/terraform/gitlab_helm.tf index 0c397c1..9dee70d 100644 --- a/terraform/gitlab_helm.tf +++ b/terraform/gitlab_helm.tf @@ -10,7 +10,7 @@ resource "kubernetes_namespace" "gitlab" { delete = "15m" } - depends_on = [module.aks] + depends_on = [azurerm_kubernetes_cluster.aks] } # https://www.terraform.io/docs/provisioners/local-exec.html diff --git a/terraform/kured_helm.tf b/terraform/kured_helm.tf index 655d071..7073d15 100644 --- a/terraform/kured_helm.tf +++ b/terraform/kured_helm.tf @@ -11,7 +11,7 @@ resource "kubernetes_namespace" "kured" { delete = "15m" } - depends_on = [module.aks] + depends_on = [azurerm_kubernetes_cluster.aks] } # https://www.terraform.io/docs/providers/helm/r/release.html diff --git a/terraform/nexus_helm.tf b/terraform/nexus_helm.tf index 64c2d3d..e3e3cc3 100644 --- a/terraform/nexus_helm.tf +++ b/terraform/nexus_helm.tf @@ -9,7 +9,7 @@ resource "kubernetes_namespace" "nexus" { delete = "15m" } - depends_on = [module.aks] + depends_on = [azurerm_kubernetes_cluster.aks] } # https://www.terraform.io/docs/provisioners/local-exec.html diff --git a/terraform/nginx_helm.tf b/terraform/nginx_helm.tf index 391464e..8267892 100644 --- a/terraform/nginx_helm.tf +++ b/terraform/nginx_helm.tf 
@@ -9,7 +9,7 @@ resource "kubernetes_namespace" "ingress" { delete = "15m" } - depends_on = [module.aks] + depends_on = [azurerm_kubernetes_cluster.aks] } # https://www.terraform.io/docs/providers/helm/r/release.html diff --git a/terraform/outputs.tf b/terraform/outputs.tf index dd91373..8944140 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf @@ -1,14 +1,14 @@ # WARNING: this outputs credential / login config # output "aks_config" { -# value = module.aks +# value = azurerm_kubernetes_cluster.aks # } output "aks_credentials_command" { - value = "az aks get-credentials --resource-group ${azurerm_resource_group.aks.name} --name ${module.aks.name} --overwrite-existing" + value = "az aks get-credentials --resource-group ${azurerm_resource_group.aks.name} --name ${azurerm_kubernetes_cluster.aks.name} --overwrite-existing" } output "aks_node_resource_group" { - value = module.aks.node_resource_group + value = azurerm_kubernetes_cluster.aks.node_resource_group } # output "ssh_private_key" { @@ -25,9 +25,9 @@ output "aks_node_resource_group" { # } # output "client_certificate" { -# value = module.aks.kube_config[0].client_certificate +# value = azurerm_kubernetes_cluster.aks.kube_config[0].client_certificate # } # output "kube_config" { -# value = module.aks.kube_config_raw +# value = azurerm_kubernetes_cluster.aks.kube_config_raw # } diff --git a/terraform/velero.tf b/terraform/velero.tf index 6be5357..0fef0e3 100644 --- a/terraform/velero.tf +++ b/terraform/velero.tf @@ -34,7 +34,7 @@ resource "kubernetes_namespace" "velero" { delete = "15m" } - depends_on = [module.aks] + depends_on = [azurerm_kubernetes_cluster.aks] } resource "kubernetes_secret" "velero_credentials" { 
@@ -51,7 +51,7 @@ resource "kubernetes_secret" "velero_credentials" { data = { cloud = < Date: Wed, 9 Nov 2022 08:44:42 +0000 Subject: [PATCH 125/147] Bumped terraform to 1.3.4 --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ee303ac..f64cb0d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -62,7 +62,7 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.3.2" + TF_VERSION: "1.3.4" TF_WORKING_DIR: ./terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index a21dca6..156017f 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -60,7 +60,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.3.2" + TF_VERSION: "1.3.4" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: From f558a84d0af588268c486e311a18b88c0aa3f6f2 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Nov 2022 07:45:58 +0000 Subject: [PATCH 126/147] Changed terraform backend config --- .github/workflows/build.yml | 19 ++++- .github/workflows/destroy.yml | 148 +++++++++++++++++----------------- terraform/versions.tf | 13 +-- 3 files changed, 99 insertions(+), 81 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f64cb0d..9290767 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -21,7 +21,7 @@ on: # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect permissions: id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout + contents: read # This is required for actions/checkout # global environment variables # https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables @@ -64,6 +64,10 @@ env: # https://github.com/hashicorp/terraform/releases TF_VERSION: "1.3.4" TF_WORKING_DIR: ./terraform + # azurerm provider oidc + # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc + # https://developer.hashicorp.com/terraform/language/settings/backends/azurerm#oidc_request_token + ARM_USE_OIDC: "true" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 @@ -125,8 +129,9 @@ jobs: - name: Create Storage Account for Terraform state run: ./scripts/storage_create.sh - - name: Lookup Storage Key - run: ./scripts/storage_key.sh + # TODO remove this step + # - name: Lookup Storage Key + # run: ./scripts/storage_key.sh - name: Replace tokens in Terraform config files run: pwsh -command "./scripts/Replace-Tokens.ps1" @@ -143,7 +148,13 @@ jobs: - name: Terraform Init / Validate run: | - terraform init + echo 'Running terraform init...' + terraform init \ + -backend-config="resource_group_name=$TERRAFORM_STORAGE_RG" \ + -backend-config="storage_account_name=$TERRAFORM_STORAGE_ACCOUNT" + + # validate + echo 'Running terraform validate...' terraform validate working-directory: ${{ env.TF_WORKING_DIR }} diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 156017f..1a0ee38 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml 
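Review bot: The two `-backend-config` arguments in the Terraform Init / Validate step expand `$TERRAFORM_STORAGE_RG` and `$TERRAFORM_STORAGE_ACCOUNT` unchecked, so if the earlier env-concatenation step is skipped or renamed, init receives an empty `storage_account_name=` and fails with a backend error that never names the missing variable. Bash parameter expansion makes the failure explicit at the point of use: `-backend-config="resource_group_name=${TERRAFORM_STORAGE_RG:?}"` and `-backend-config="storage_account_name=${TERRAFORM_STORAGE_ACCOUNT:?}"`; the same applies to the identical init block PATCH 127 adds to destroy.yml. The commented-out Lookup Storage Key step above it is tagged `# TODO remove this step`; since the backend no longer uses the account key, deleting the step outright is cleaner than keeping a disabled key-based path in the workflow.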
@@ -21,7 +21,7 @@ on: # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect permissions: id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout + contents: read # This is required for actions/checkout # global environment variables # https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables @@ -62,13 +62,16 @@ env: # https://github.com/hashicorp/terraform/releases TF_VERSION: "1.3.4" TF_WORKING_DIR: terraform + # azurerm provider oidc + # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc + # https://developer.hashicorp.com/terraform/language/settings/backends/azurerm#oidc_request_token + ARM_USE_OIDC: "true" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 jobs: destroy: - # always pin versions # view installed software: https://help.github.com/en/actions/reference/software-installed-on-github-hosted-runners runs-on: ubuntu-22.04 
@@ -81,78 +84,79 @@ jobs: if: github.actor == github.event.repository.owner.login steps: - # Checkout - # Reference the major version of a release - # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-versioned-actions - - uses: actions/checkout@v3 + # Checkout + # Reference the major version of a release + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-versioned-actions + - uses: actions/checkout@v3 # specify different branch # NOT required as I've changed the default branch to develop # with: # ref: develop - # Env var concatenation - # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#environment-files - - name: Concatenate env vars (Workaround) - run: | - chmod -R +x ./scripts/ - echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV - echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV - echo "ARGOCD_FQDN=argocd.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV - echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV - echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV - echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV - echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV - - # Login - # https://github.com/Azure/login - - name: Login via OIDC to Azure Public Cloud (az cli and az powershell) - uses: azure/login@v1 - with: - client-id: ${{ secrets.ARM_CLIENT_ID }} - tenant-id: ${{ secrets.ARM_TENANT_ID }} - subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }} - enable-AzPSSession: true - - # Ensure AKS cluster is running, else timeouts will occur on k8s Terraform resource destroy tasks - - name: Start AKS Cluster - continue-on-error: true - run: ./scripts/start_aks_cluster.sh - - # Prereqs - - name: Lookup Storage Key - run: 
./scripts/storage_key.sh - - - name: Replace tokens in Terraform config files - run: pwsh -command "./scripts/Replace-Tokens.ps1" - env: - IFTTT_WEBHOOK_KEY: ${{ secrets.IFTTT_WEBHOOK_KEY }} - - # Terraform - - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: ${{ env.TF_VERSION }} - - - name: 💀 Terraform destroy - run: | - terraform init - terraform destroy -no-color -auto-approve - working-directory: ${{ env.TF_WORKING_DIR }} - - - name: Terraform logs - uses: actions/upload-artifact@v2 - with: - name: Terraform logs - path: ${{ env.TF_WORKING_DIR }}/${{ env.TF_LOG_PATH }} - if: always() - - # Cleanup - - name: Delete Storage - run: ./scripts/storage_delete.sh - - # Notify - - name: Notify slack - continue-on-error: true - env: - SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} - SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message.sh "[devops-lab] Destroy complete" + # Env var concatenation + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#environment-files + - name: Concatenate env vars (Workaround) + run: | + chmod -R +x ./scripts/ + echo "AKS_CLUSTER_NAME=${{ env.PREFIX }}-aks-001" >> $GITHUB_ENV + echo "AKS_RG_NAME=${{ env.PREFIX }}-rg-aks-dev-001" >> $GITHUB_ENV + echo "ARGOCD_FQDN=argocd.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV + echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV + echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV + echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV + echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV + + # Login + # https://github.com/Azure/login + - name: Login via OIDC to Azure Public Cloud (az cli and az powershell) + uses: azure/login@v1 + with: + client-id: ${{ secrets.ARM_CLIENT_ID }} + tenant-id: ${{ secrets.ARM_TENANT_ID }} + subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }} + 
enable-AzPSSession: true + + # Ensure AKS cluster is running, else timeouts will occur on k8s Terraform resource destroy tasks + - name: Start AKS Cluster + continue-on-error: true + run: ./scripts/start_aks_cluster.sh + + # Prereqs + # TODO remove this step + # - name: Lookup Storage Key + # run: ./scripts/storage_key.sh + + - name: Replace tokens in Terraform config files + run: pwsh -command "./scripts/Replace-Tokens.ps1" + env: + IFTTT_WEBHOOK_KEY: ${{ secrets.IFTTT_WEBHOOK_KEY }} + + # Terraform + - uses: hashicorp/setup-terraform@v2 + with: + terraform_version: ${{ env.TF_VERSION }} + + - name: 💀 Terraform destroy + run: | + terraform init + terraform destroy -no-color -auto-approve + working-directory: ${{ env.TF_WORKING_DIR }} + + - name: Terraform logs + uses: actions/upload-artifact@v2 + with: + name: Terraform logs + path: ${{ env.TF_WORKING_DIR }}/${{ env.TF_LOG_PATH }} + if: always() + + # Cleanup + - name: Delete Storage + run: ./scripts/storage_delete.sh + + # Notify + - name: Notify slack + continue-on-error: true + env: + SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: ./scripts/send_slack_message.sh "[devops-lab] Destroy complete" diff --git a/terraform/versions.tf b/terraform/versions.tf index 8ba5907..94648fd 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -6,11 +6,14 @@ terraform { # terraform remote state backend "azurerm" { - container_name = "terraform" - key = "terraform.tfstate" - resource_group_name = "__TERRAFORM_STORAGE_RG__" - storage_account_name = "__TERRAFORM_STORAGE_ACCOUNT__" - use_oidc = true + container_name = "terraform" + key = "terraform.tfstate" + use_oidc = true # or use "ARM_USE_OIDC" env var + # requires "Storage Blob Data Contributor" on the container + use_azuread_auth = true + # TODO remove + # resource_group_name = "__TERRAFORM_STORAGE_RG__" + # storage_account_name = "__TERRAFORM_STORAGE_ACCOUNT__" } # providers (pin all versions) 
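Review bot: The `terraform init` in the 💀 Terraform destroy step is still bare, while the same commit comments out `resource_group_name` and `storage_account_name` in the versions.tf backend block and gives build.yml's init the two `-backend-config` flags that supply them; destroy's init therefore presumably fails at this commit until it also gets `-backend-config="resource_group_name=$TERRAFORM_STORAGE_RG"` and `-backend-config="storage_account_name=$TERRAFORM_STORAGE_ACCOUNT"` (PATCH 127 below adds them). Separately, the `Terraform logs` step uploads `terraform.log` with `if: always()` while this file's env block still sets `TF_LOG: TRACE` (lowered to INFO only in PATCH 128): TRACE output can carry provider request and response payloads, so the artifact deserves to be treated as sensitive, and a `retention-days` value on the upload bounds how long it stays downloadable. `actions/upload-artifact@v2` is also one major behind the `@v3` used for `actions/checkout` in the same step list, and v3 was available when this was written.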
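Review bot: The comment above `use_azuread_auth = true` says the identity needs "Storage Blob Data Contributor" on the container, but nothing in this commit grants it — `scripts/storage_create.sh` only gets its `az role assignment create` in PATCH 127 — so at this commit the first `terraform init` against a freshly created account is presumably refused at the data plane. `use_oidc = true` is also set twice, here and via `ARM_USE_OIDC: "true"` in both workflow env blocks; one is enough, and keeping the HCL one documents the requirement in the code that depends on it. The `# TODO remove` lines would serve the next reader better as a statement of the partial-configuration contract, e.g. `# resource_group_name / storage_account_name are supplied at init via -backend-config (see build.yml, destroy.yml)`, so nobody re-adds hard-coded values.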
From 02ebeefdc3e69aad3e8e97c60ca11ec3deac631a Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Nov 2022 07:55:15 +0000 Subject: [PATCH 127/147] Added terraform container rbac --- .github/workflows/build.yml | 1 + .github/workflows/destroy.yml | 8 +++++++- scripts/storage_create.sh | 17 +++++++++++++++-- 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9290767..33d6797 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -106,6 +106,7 @@ jobs: echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "DOCKER_FQDN=docker.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV + echo "TERRAFORM_STORAGE_CONTAINER=terraform" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 1a0ee38..7854471 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -103,6 +103,7 @@ jobs: echo "ARGOCD_FQDN=argocd.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "DNS_DOMAIN_NAME=nexus.${{ env.ROOT_DOMAIN_NAME }}" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_ACCOUNT=${{ env.PREFIX }}sttfstate${{ env.LOCATION }}001" >> $GITHUB_ENV + echo "TERRAFORM_STORAGE_CONTAINER=terraform" >> $GITHUB_ENV echo "TERRAFORM_STORAGE_RG=${{ env.PREFIX }}-rg-tfstate-dev-001" >> $GITHUB_ENV echo "VELERO_STORAGE_ACCOUNT=${{ env.PREFIX }}stbckuksouth001" >> $GITHUB_ENV 
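Review bot: `TERRAFORM_STORAGE_CONTAINER=terraform` in the env-concatenation step is now a third copy of the container name, next to the same line added to destroy.yml in this commit and `container_name = "terraform"` in terraform/versions.tf; the script creates and RBAC-scopes whatever the variable says while the backend connects to the literal, so changing one of them silently splits the state from the container the identity can write. Passing it through init keeps a single source of truth: `-backend-config="container_name=$TERRAFORM_STORAGE_CONTAINER"` alongside the two existing `-backend-config` flags, with `container_name` then dropped from the HCL block.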
@@ -138,7 +139,12 @@ jobs: - name: 💀 Terraform destroy run: | - terraform init + echo 'Running terraform init...' + terraform init \ + -backend-config="resource_group_name=$TERRAFORM_STORAGE_RG" \ + -backend-config="storage_account_name=$TERRAFORM_STORAGE_ACCOUNT" + + echo 'Running terraform destroy...' terraform destroy -no-color -auto-approve working-directory: ${{ env.TF_WORKING_DIR }} diff --git a/scripts/storage_create.sh b/scripts/storage_create.sh index c6f1099..a133bf8 100644 --- a/scripts/storage_create.sh +++ b/scripts/storage_create.sh @@ -15,11 +15,24 @@ echo "FINISHED: $taskMessage." # Storage Account taskMessage="Creating Storage Account" echo "STARTED: $taskMessage..." -az storage account create --name "$TERRAFORM_STORAGE_ACCOUNT" --resource-group "$TERRAFORM_STORAGE_RG" --location "$LOCATION" --sku "Standard_LRS" +STORAGE_ID=$(az storage account create --name "$TERRAFORM_STORAGE_ACCOUNT" \ + --resource-group "$TERRAFORM_STORAGE_RG" --location "$LOCATION" --sku "Standard_LRS" --query id --output tsv) echo "FINISHED: $taskMessage." # Storage Container taskMessage="Creating Storage Container" echo "STARTED: $taskMessage..." -az storage container create --name "terraform" --account-name "$TERRAFORM_STORAGE_ACCOUNT" +az storage container create --name "$TERRAFORM_STORAGE_CONTAINER" --account-name "$TERRAFORM_STORAGE_ACCOUNT" +echo "FINISHED: $taskMessage." + +# Storage Container Role Assignment +taskMessage="Storage Container Role Assignment" +echo "STARTED: $taskMessage..." +# define container scope +TERRAFORM_STORAGE_CONTAINER_SCOPE="$STORAGE_ID/blobServices/default/containers/$TERRAFORM_STORAGE_CONTAINER" +echo "$TERRAFORM_STORAGE_CONTAINER_SCOPE" + +# assign rbac +az role assignment create --assignee "$ARM_CLIENT_ID" --role "Storage Blob Data Contributor" \ + --scope "$TERRAFORM_STORAGE_CONTAINER_SCOPE" echo "FINISHED: $taskMessage." From 6aeb1bb2443526f3153e7570eaafceafd2c3ee3b Mon Sep 17 00:00:00 2001 
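Review bot: `az role assignment create --assignee "$ARM_CLIENT_ID"` in the new Storage Container Role Assignment block has to resolve the application id through the directory, which fails when the logged-in identity lacks Graph read permission; `--assignee-object-id <sp object id> --assignee-principal-type ServicePrincipal` skips that lookup, at the cost of passing the service principal's object id rather than the client id. `STORAGE_ID` is then used unchecked, so if the `az storage account create` substitution returns nothing the scope collapses to `/blobServices/default/containers/$TERRAFORM_STORAGE_CONTAINER` and the assignment fails with an unhelpful scope error; unless the script header (outside the hunk) runs under `set -e`, add `[ -n "$STORAGE_ID" ] || { echo "storage account id not returned" >&2; exit 1; }` before the scope is built. Role assignments also take a short while to propagate, so a `terraform init` that follows this script immediately can still be refused on its first try; a small retry around the init, or a wait until `az role assignment list --scope "$TERRAFORM_STORAGE_CONTAINER_SCOPE"` returns the assignment, is the usual mitigation. Scoping the role to the single container rather than the whole account is the right least-privilege choice and should stay.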
From: Adam Rush Date: Thu, 10 Nov 2022 08:01:36 +0000 Subject: [PATCH 128/147] Added TF_LOG INFO --- .github/workflows/build.yml | 1 + .github/workflows/destroy.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 33d6797..ab7f98e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -60,6 +60,7 @@ env: # terraform TF_IN_AUTOMATION: "true" TF_INPUT: "false" + TF_LOG: "INFO" # https://developer.hashicorp.com/terraform/internals/debugging TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases TF_VERSION: "1.3.4" diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 7854471..c97ac82 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -58,7 +58,7 @@ env: TF_IN_AUTOMATION: "true" TF_INPUT: "false" TF_LOG_PATH: terraform.log - TF_LOG: TRACE + TF_LOG: "INFO" # https://developer.hashicorp.com/terraform/internals/debugging # https://github.com/hashicorp/terraform/releases TF_VERSION: "1.3.4" TF_WORKING_DIR: terraform From a3d45f1ed354dafdc08156285d73018c8957d5f6 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Nov 2022 08:13:22 +0000 Subject: [PATCH 129/147] Changed max_pods to 90 --- terraform/aks.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/aks.tf b/terraform/aks.tf index c0d87b5..964d0a8 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -68,6 +68,7 @@ resource "azurerm_kubernetes_cluster" "aks" { orchestrator_version = var.kubernetes_version vm_size = var.agent_pool_profile_vm_size node_count = 1 + max_pods = 90 } linux_profile { From 1e0a6d617d2b566fa3cca51977c08a022f1e8633 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Nov 2022 08:15:02 +0000 Subject: [PATCH 130/147] Changed TF_LOG --- .github/workflows/build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
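Review bot: `max_pods = 90` is added to the node pool (the enclosing `default_node_pool` block opens outside the hunk) without a comment, and in the azurerm provider this is a create-time node pool property, so on the already-deployed cluster the next plan should be checked for a forced replacement — of the pool or, for the default pool in some provider versions, the whole cluster — rather than an in-place update before the build workflow applies it. With the Azure CNI plugin each node also pre-reserves `max_pods` addresses from its subnet, so the subnet size should be re-checked if that plugin is in use (not visible here). A one-line comment such as `# create-time setting: changing it on a live cluster forces replacement; with Azure CNI each node reserves this many subnet IPs` would carry both caveats for the next reader.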
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ab7f98e..16ce52a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -60,7 +60,8 @@ env: # terraform TF_IN_AUTOMATION: "true" TF_INPUT: "false" - TF_LOG: "INFO" # https://developer.hashicorp.com/terraform/internals/debugging + # https://developer.hashicorp.com/terraform/internals/debugging + TF_LOG: "WARN" # TRACE, DEBUG, INFO, WARN or ERROR TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases TF_VERSION: "1.3.4" From 258470eaf7798783ccd156037f0c277694ab15e0 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Nov 2022 08:20:52 +0000 Subject: [PATCH 131/147] Added write permissions to id-token in cleanup workflow --- .github/workflows/cleanup-resource-groups.yml | 69 ++++++++++--------- 1 file changed, 37 insertions(+), 32 deletions(-) diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml index 3362caf..40730cd 100644 --- a/.github/workflows/cleanup-resource-groups.yml +++ b/.github/workflows/cleanup-resource-groups.yml @@ -17,6 +17,12 @@ on: workflow_dispatch: inputs: {} +# permissions for oidc login +# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + # global environment variables # https://help.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables env: @@ -29,7 +35,6 @@ env: jobs: cleanup: - # always pin versions # view installed software: https://help.github.com/en/actions/reference/software-installed-on-github-hosted-runners runs-on: ubuntu-22.04 
@@ -38,38 +43,38 @@ jobs: if: github.actor == github.event.repository.owner.login steps: - # Checkout - # Reference the major version of a release - # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-versioned-actions - - uses: actions/checkout@v3 + # Checkout + # Reference the major version of a release + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-versioned-actions + - uses: actions/checkout@v3 - # Init tasks - - name: Init - run: | - chmod -R +x ./scripts/ + # Init tasks + - name: Init + run: | + chmod -R +x ./scripts/ - # Login - # https://github.com/Azure/login - - name: Login via OIDC to Azure Public Cloud (az cli and az powershell) - uses: azure/login@v1 - with: - client-id: ${{ secrets.ARM_CLIENT_ID }} - tenant-id: ${{ secrets.ARM_TENANT_ID }} - subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }} - enable-AzPSSession: true + # Login + # https://github.com/Azure/login + - name: Login via OIDC to Azure Public Cloud (az cli and az powershell) + uses: azure/login@v1 + with: + client-id: ${{ secrets.ARM_CLIENT_ID }} + tenant-id: ${{ secrets.ARM_TENANT_ID }} + subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }} + enable-AzPSSession: true - # Cleanup - - name: Delete all resource groups - uses: azure/powershell@v1 - with: - azPSVersion: "latest" - inlineScript: | - ./scripts/Delete-ResourceGroups.ps1 -Prefixes "${{ env.PREFIX }}" -MaxLimit 2 -WhatIf + # Cleanup + - name: Delete all resource groups + uses: azure/powershell@v1 + with: + azPSVersion: "latest" + inlineScript: | + ./scripts/Delete-ResourceGroups.ps1 -Prefixes "${{ env.PREFIX }}" -MaxLimit 2 -WhatIf - # Notify - - name: Notify slack - continue-on-error: true - env: - SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} - SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} - run: ./scripts/send_slack_message.sh "[devops-lab] Cleanup complete" + # Notify + - name: Notify 
slack + continue-on-error: true + env: + SLACK_CHANNEL_ID: ${{ secrets.SLACK_CHANNEL_ID }} + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + run: ./scripts/send_slack_message.sh "[devops-lab] Cleanup complete" From fb2575e102851259bb51f1628775e71a45eb3554 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Nov 2022 08:26:47 +0000 Subject: [PATCH 132/147] Added missing dev environment --- .github/workflows/build.yml | 2 +- .github/workflows/cleanup-resource-groups.yml | 6 +++++- .github/workflows/destroy.yml | 2 +- .github/workflows/start_aks_cluster.yml | 14 +++++++++----- .github/workflows/stop_aks_cluster.yml | 14 +++++++++----- 5 files changed, 25 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 16ce52a..1c17793 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -32,7 +32,7 @@ env: # debug CI_DEBUG: true - # azure creds (used of OIDC auth) + # azure creds (used with OIDC auth) ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml index 40730cd..d1006d3 100644 --- a/.github/workflows/cleanup-resource-groups.yml +++ b/.github/workflows/cleanup-resource-groups.yml @@ -28,7 +28,7 @@ permissions: env: # prefix: used for some globally unique name requirements PREFIX: arshz - # azure creds (used of OIDC auth) + # azure creds (used with OIDC auth) ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} 
@@ -39,6 +39,10 @@ jobs: # view installed software: https://help.github.com/en/actions/reference/software-installed-on-github-hosted-runners runs-on: ubuntu-22.04 + # https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment + environment: + name: dev + # only run if owner triggered action if: github.actor == github.event.repository.owner.login diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index c97ac82..3d1688a 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -32,7 +32,7 @@ env: # debug CI_DEBUG: true - # azure creds (used of OIDC auth) + # azure creds (used with OIDC auth) ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} diff --git a/.github/workflows/start_aks_cluster.yml b/.github/workflows/start_aks_cluster.yml index a8dd693..aad037d 100644 --- a/.github/workflows/start_aks_cluster.yml +++ b/.github/workflows/start_aks_cluster.yml @@ -18,7 +18,7 @@ env: # debug CI_DEBUG: true - # azure creds (used of OIDC auth) + # azure creds (used with OIDC auth) ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} @@ -27,16 +27,20 @@ jobs: start_aks_cluster: runs-on: ubuntu-22.04 + # https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment + environment: + name: dev + # only run if owner triggered action if: github.actor == github.event.repository.owner.login steps: # Checkout - uses: actions/checkout@v3 - # specify different branch - # NOT required as I've changed the default branch to develop - # with: - # ref: develop + # specify different branch + # NOT required as I've changed the default branch to develop + # with: + # ref: develop # Init tasks - inc env var concatenation - name: Init tasks - inc Env var concatenation (Workaround) 
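Review bot: `environment: name: dev` is added to the cleanup job without a comment saying why; the commit title "Added missing dev environment" suggests it is required for the OIDC login (the federated credential's subject presumably includes the environment name), which is worth recording, e.g. `# required: the Azure federated credential subject is scoped to this environment`. The same unexplained block is added to start_aks_cluster.yml and stop_aks_cluster.yml in this commit. Binding the job to an environment also enables environment protection rules; for a job that deletes every resource group under the prefix, required reviewers on `dev` would add a human gate that the `github.actor == github.event.repository.owner.login` condition alone does not provide.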
diff --git a/.github/workflows/stop_aks_cluster.yml b/.github/workflows/stop_aks_cluster.yml index c3b5820..dacf8d1 100644 --- a/.github/workflows/stop_aks_cluster.yml +++ b/.github/workflows/stop_aks_cluster.yml @@ -18,7 +18,7 @@ env: # debug CI_DEBUG: true - # azure creds (used of OIDC auth) + # azure creds (used with OIDC auth) ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} @@ -27,16 +27,20 @@ jobs: stop_aks_cluster: runs-on: ubuntu-22.04 + # https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment + environment: + name: dev + # only run if owner triggered action if: github.actor == github.event.repository.owner.login steps: # Checkout - uses: actions/checkout@v3 - # specify different branch - # NOT required as I've changed the default branch to develop - # with: - # ref: develop + # specify different branch + # NOT required as I've changed the default branch to develop + # with: + # ref: develop # Init tasks - inc env var concatenation - name: Init tasks - inc Env var concatenation (Workaround) From e833435fe5bacc7e9262451fc866782501229665 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Nov 2022 08:34:48 +0000 Subject: [PATCH 133/147] Changed cleanup script --- .github/workflows/cleanup-resource-groups.yml | 2 +- scripts/cleanup.ps1 | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/cleanup-resource-groups.yml b/.github/workflows/cleanup-resource-groups.yml index d1006d3..5c4e8cb 100644 --- a/.github/workflows/cleanup-resource-groups.yml +++ b/.github/workflows/cleanup-resource-groups.yml @@ -73,7 +73,7 @@ jobs: with: azPSVersion: "latest" inlineScript: | - ./scripts/Delete-ResourceGroups.ps1 -Prefixes "${{ env.PREFIX }}" -MaxLimit 2 -WhatIf + ./scripts/cleanup.ps1 -ResourceGroupPrefix "${{ env.PREFIX }}" # Notify - name: Notify slack 
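Review bot: The replaced `inlineScript` line drops both safety limits of the previous command — the `-WhatIf` dry run and whatever cap `-MaxLimit 2` imposed — and `cleanup.ps1` (diffed below) removes every resource group matching `$ResourceGroupPrefix*` with `-Force -AsJob`, which with `PREFIX: arshz` includes the tfstate resource group the other workflows name as `${{ env.PREFIX }}-rg-tfstate-dev-001`. If deleting the state storage is intended, say so in a comment next to the call; if not, the script needs an exclusion. A `workflow_dispatch` input (the workflow currently declares `inputs: {}`), such as a `confirm` string the job checks in its `if:`, is a cheap way to keep a manual trigger from running the destructive path by accident.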
diff --git a/scripts/cleanup.ps1 b/scripts/cleanup.ps1 index 8bfb927..49ca24d 100644 --- a/scripts/cleanup.ps1 +++ b/scripts/cleanup.ps1 @@ -9,9 +9,9 @@ param( $ResourceGroupPrefix ) -Write-Output "Authenticating PowerShell sessions using env vars..." -$servicePrincipleCredential = [pscredential]::new($env:ARM_CLIENT_ID, (ConvertTo-SecureString $env:ARM_CLIENT_SECRET -AsPlainText -Force)) -Connect-AzAccount -ServicePrincipal -Tenant $env:ARM_TENANT_ID -Credential $servicePrincipleCredential -Subscription $env:ARM_SUBSCRIPTION_ID -Verbose +# Write-Output "Authenticating PowerShell sessions using env vars..." +# $servicePrincipleCredential = [pscredential]::new($env:ARM_CLIENT_ID, (ConvertTo-SecureString $env:ARM_CLIENT_SECRET -AsPlainText -Force)) +# Connect-AzAccount -ServicePrincipal -Tenant $env:ARM_TENANT_ID -Credential $servicePrincipleCredential -Subscription $env:ARM_SUBSCRIPTION_ID -Verbose $taskMessage = "Deleting all devops lab resource groups" Write-Output "STARTED: $taskMessage..." @@ -21,7 +21,7 @@ $resourceGroupsToDelete = Get-AzResourceGroup -Name "$ResourceGroupPrefix*" $resourceGroupsToDelete.ResourceGroupName Write-Output "Deleting 'AsJob' for async removal..." -$jobs = $resourceGroupsToDelete | Remove-AzResourceGroup -Force -AsJob +# $jobs = $resourceGroupsToDelete | Remove-AzResourceGroup -Force -AsJob Write-Output "Waiting for [$($jobs.Count)] jobs to finish..." $jobs | Wait-Job From 070ef20c00e4e738846d579ba4aa03c9e4b30efe Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Nov 2022 08:38:23 +0000 Subject: [PATCH 134/147] Fixed cleanup --- scripts/cleanup.ps1 | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/scripts/cleanup.ps1 b/scripts/cleanup.ps1 index 49ca24d..cd042e6 100644 --- a/scripts/cleanup.ps1 +++ b/scripts/cleanup.ps1 @@ -1,4 +1,3 @@ -# TODO: delete this file if not required # cleanup all resource groups # useful after failed build/destroy workflows 
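Review bot: With `$jobs = $resourceGroupsToDelete | Remove-AzResourceGroup -Force -AsJob` commented out, the two lines that follow it (`Write-Output "Waiting for [$($jobs.Count)] jobs to finish..."` and `$jobs | Wait-Job`) run against an unassigned `$jobs`; outside strict mode PowerShell tolerates that silently, so the workflow reports a successful cleanup that deleted nothing. If a dry run is the intent, a `[switch]$WhatIf` parameter passed through to `Remove-AzResourceGroup` keeps the live and dry-run paths in one place instead of toggling comments (PATCH 134 below re-enables the line). Commenting out the `Connect-AzAccount -ServicePrincipal` block is a good change in its own right: with `azure/login` providing the session via OIDC and `enable-AzPSSession: true`, the script no longer reads `ARM_CLIENT_SECRET`, so that secret can be retired from the repository once nothing else uses it.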
@@ -9,10 +8,6 @@ param( $ResourceGroupPrefix ) -# Write-Output "Authenticating PowerShell sessions using env vars..." -# $servicePrincipleCredential = [pscredential]::new($env:ARM_CLIENT_ID, (ConvertTo-SecureString $env:ARM_CLIENT_SECRET -AsPlainText -Force)) -# Connect-AzAccount -ServicePrincipal -Tenant $env:ARM_TENANT_ID -Credential $servicePrincipleCredential -Subscription $env:ARM_SUBSCRIPTION_ID -Verbose - $taskMessage = "Deleting all devops lab resource groups" Write-Output "STARTED: $taskMessage..." @@ -21,7 +16,7 @@ $resourceGroupsToDelete = Get-AzResourceGroup -Name "$ResourceGroupPrefix*" $resourceGroupsToDelete.ResourceGroupName Write-Output "Deleting 'AsJob' for async removal..." -# $jobs = $resourceGroupsToDelete | Remove-AzResourceGroup -Force -AsJob +$jobs = $resourceGroupsToDelete | Remove-AzResourceGroup -Force -AsJob Write-Output "Waiting for [$($jobs.Count)] jobs to finish..." $jobs | Wait-Job From 8f5f4191437edbec3a89f2f0d4b45fced20b86e8 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Nov 2022 08:50:25 +0000 Subject: [PATCH 135/147] Bumped terraform providers --- terraform/versions.tf | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index 94648fd..40fa133 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,19 +23,19 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 3.29.1" + version = "~> 3.30.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.29.0" + version = "~> 2.30.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.14.0" + version = "~> 2.15.0" } # https://github.com/hashicorp/terraform-provider-helm/releases 
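Review bot: Re-enabling `$jobs = $resourceGroupsToDelete | Remove-AzResourceGroup -Force -AsJob` makes the deletion real again, but the selection on the context line above, `Get-AzResourceGroup -Name "$ResourceGroupPrefix*"`, matches every resource group in the subscription when `$ResourceGroupPrefix` is empty, and the `param(` block visible in the earlier hunk declares it with no `Mandatory` or validation attribute in view. Add a guard before the lookup, `if ([string]::IsNullOrWhiteSpace($ResourceGroupPrefix)) { throw "ResourceGroupPrefix must not be empty" }`, or decorate the parameter with `[Parameter(Mandatory)][ValidateNotNullOrEmpty()]` if nothing above the hunk already does so. `$jobs | Wait-Job` on the next line only blocks; job errors are not surfaced unless the results are collected, so a `$jobs | Receive-Job` after the wait is worth considering. The tail of the script runs outside the hunk.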
@@ -44,24 +44,28 @@ terraform { version = "~> 2.7.1" } + # https://github.com/hashicorp/terraform-provider-random/releases random = { source = "hashicorp/random" - version = "~> 3.1" + version = "~> 3.4" } + # https://github.com/hashicorp/terraform-provider-tls/releases tls = { source = "hashicorp/tls" - version = "~> 3.3" + version = "~> 3.4" } + # https://github.com/hashicorp/terraform-provider-local/releases local = { source = "hashicorp/local" - version = "~> 2.2" + version = "~> 4.0" } + # https://github.com/hashicorp/terraform-provider-null/releases null = { source = "hashicorp/null" - version = "~> 3.1" + version = "~> 3.2" } # https://registry.terraform.io/providers/hashicorp/archive/latest From 96e10904ec0e48c6623dbbf2093aab5ac4699d5b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Nov 2022 08:54:41 +0000 Subject: [PATCH 136/147] Fixed terraform providers --- terraform/versions.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index 40fa133..60af047 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -53,13 +53,13 @@ terraform { # https://github.com/hashicorp/terraform-provider-tls/releases tls = { source = "hashicorp/tls" - version = "~> 3.4" + version = "~> 4.0" } # https://github.com/hashicorp/terraform-provider-local/releases local = { source = "hashicorp/local" - version = "~> 4.0" + version = "~> 2.2" } # https://github.com/hashicorp/terraform-provider-null/releases From 5577493120becc527cb417cc8330363b295ceae1 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 11 Nov 2022 08:48:20 +0000 Subject: [PATCH 137/147] Bumped azurerm to 3.31.0 --- terraform/versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index 60af047..3f953e5 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf 
@@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 3.30.0" + version = "~> 3.31.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases From e99c7ceabcd31f1f2909494d71de0b60b15f85dc Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 11 Nov 2022 08:55:35 +0000 Subject: [PATCH 138/147] Changed TF_LOG to ERROR --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1c17793..8f6959b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -61,7 +61,7 @@ env: TF_IN_AUTOMATION: "true" TF_INPUT: "false" # https://developer.hashicorp.com/terraform/internals/debugging - TF_LOG: "WARN" # TRACE, DEBUG, INFO, WARN or ERROR + TF_LOG: "ERROR" # TRACE, DEBUG, INFO, WARN or ERROR TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases TF_VERSION: "1.3.4" diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 3d1688a..f5e08f6 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -58,7 +58,7 @@ env: TF_IN_AUTOMATION: "true" TF_INPUT: "false" TF_LOG_PATH: terraform.log - TF_LOG: "INFO" # https://developer.hashicorp.com/terraform/internals/debugging + TF_LOG: "ERROR" # https://developer.hashicorp.com/terraform/internals/debugging # https://github.com/hashicorp/terraform/releases TF_VERSION: "1.3.4" TF_WORKING_DIR: terraform From 2ac7dda80b75ab71d3aa8dfdaf25eaa847683cef Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 28 Jan 2023 18:39:03 +0000 Subject: [PATCH 139/147] Added tfsec workflow --- .github/workflows/tfsec.yml | 38 +++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/tfsec.yml 
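Review bot: Lowering `TF_LOG` to `"ERROR"` in destroy.yml is the right CI default, but the reason belongs in the comment, because the earlier values (`INFO` here, `TRACE` in older revisions of this file) are easy to put back when debugging: at DEBUG/TRACE Terraform and the provider SDK log HTTP request and response detail into `TF_LOG_PATH: terraform.log`, which can include bearer tokens and resource secrets. Suggest `TF_LOG: "ERROR" # keep at ERROR in CI: DEBUG/TRACE can write provider HTTP bodies, including credentials, to TF_LOG_PATH` with the existing debugging URL moved to the line above. If `terraform.log` is uploaded as an artifact elsewhere in the workflow (not visible here), it should be treated as sensitive. The `env:` block continues outside the hunk.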
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml new file mode 100644 index 0000000..99c7c14 --- /dev/null +++ b/.github/workflows/tfsec.yml @@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: tfsec + +on: + push: + branches: [ "develop" ] + pull_request: + branches: [ "develop" ] + schedule: + - cron: '44 10 * * 5' + +jobs: + tfsec: + name: Run tfsec sarif report + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Clone repo + uses: actions/checkout@v3 + + - name: Run tfsec + uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f + with: + sarif_file: tfsec.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: tfsec.sarif From 76d4d01cad6c6048a228b2dc1cf379c579b67f67 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 28 Jan 2023 18:39:51 +0000 Subject: [PATCH 140/147] Added workload identity notes --- workload-identity/README.md | 125 ++++++++++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 workload-identity/README.md diff --git a/workload-identity/README.md b/workload-identity/README.md new file mode 100644 index 0000000..8090125 --- /dev/null +++ b/workload-identity/README.md 
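Review bot: The new workflow pins `aquasecurity/tfsec-sarif-action` to a full commit SHA but leaves `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` on mutable tags, so the supply-chain posture is inconsistent within one file; pin all three by SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<sha> # v3`, or add a comment stating why the GitHub-owned actions are trusted by tag. `runs-on: ubuntu-latest` also differs from the `ubuntu-22.04` used by the other workflows in this repo (stop_aks_cluster.yml above), and a pinned runner image keeps tfsec results reproducible across runs. The `permissions` block limited to `actions: read`, `contents: read`, `security-events: write` is correctly least-privilege and worth keeping as the pattern for the other workflows.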
@@ -0,0 +1,125 @@ +# Workload Identity + +## Reference + +- + +## User Assigned Identity Example + +```bash +# vars +AKS_RESOURCE_GROUP='arshz-rg-aks-dev-001' +AKS_CLUSTER_NAME='arshz-aks-001' +LOCATION='eastus' + +# update aks creds +az aks get-credentials --resource-group "$AKS_RESOURCE_GROUP" --name "$AKS_CLUSTER_NAME" --overwrite-existing --admin + +# test kubectl +kubectl get node +kubectl get pod -A + +# Export environmental variables +export AKS_OIDC_ISSUER="$(az aks show --resource-group "$AKS_RESOURCE_GROUP" --name "$AKS_CLUSTER_NAME" --query "oidcIssuerProfile.issuerUrl" -otsv)" +echo $AKS_OIDC_ISSUER + +# environment variables for the Kubernetes Service account & federated identity credential +export SERVICE_ACCOUNT_NAMESPACE="wi-test" +export SERVICE_ACCOUNT_NAME="workload-identity-sa" + +# environment variables for the Federated Identity +export SUBSCRIPTION="$(az account show --query id --output tsv)" +# user assigned identity name +export UAID="fic-test-ua" +# federated identity name +export FICID="fic-test-fic-name" + + +# Create a managed identity and grant permissions to read from sub +az identity create --name "${UAID}" --resource-group "${AKS_RESOURCE_GROUP}" --location "${LOCATION}" --subscription "${SUBSCRIPTION}" + +export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${AKS_RESOURCE_GROUP}" --name "${UAID}" --query 'clientId' -otsv)" +export USER_ASSIGNED_PRINCIPAL_ID="$(az identity show --resource-group "${AKS_RESOURCE_GROUP}" --name "${UAID}" --query 'principalId' -otsv)" + +# doesnt work using USER_ASSIGNED_CLIENT_ID +# az role assignment create --assignee-object-id "$USER_ASSIGNED_CLIENT_ID" --role "Reader" --subscription "${SUBSCRIPTION}" --assignee-principal-type 'ServicePrincipal' + +# TODO test +# az role assignment create --assignee-object-id "$USER_ASSIGNED_PRINCIPAL_ID" --role "Reader" --subscription "${SUBSCRIPTION}" --assignee-principal-type 'ServicePrincipal' +az role assignment create --assignee 
"$USER_ASSIGNED_PRINCIPAL_ID" --role "Reader" --subscription "${SUBSCRIPTION}" + + +# Create Kubernetes service account +kubectl create namespace ${SERVICE_ACCOUNT_NAMESPACE} + +cat < Date: Sat, 28 Jan 2023 19:19:04 +0000 Subject: [PATCH 141/147] Bumped tfsec action to 1.0.3 to fix rate limiting --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8f6959b..d1cfb85 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -163,7 +163,7 @@ jobs: # https://github.com/aquasecurity/tfsec-action - name: Run tfsec security scan - uses: aquasecurity/tfsec-action@v1.0.2 + uses: aquasecurity/tfsec-action@v1.0.3 with: working_directory: ${{ env.TF_WORKING_DIR }} soft_fail: true From b9d96f92ae0eba7660b54e2729debb38fca9a2ed Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 28 Jan 2023 19:30:58 +0000 Subject: [PATCH 142/147] Removed warn from ansible shell task --- ansible/roles/helm_repo/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/ansible/roles/helm_repo/tasks/main.yml b/ansible/roles/helm_repo/tasks/main.yml index 7252a4c..d01e30b 100644 --- a/ansible/roles/helm_repo/tasks/main.yml +++ b/ansible/roles/helm_repo/tasks/main.yml @@ -24,6 +24,5 @@ - name: Upload Helm Charts to Nexus shell: cmd: "curl --insecure -v -u {{ api_user }}:{{ admin_password }} {{ api_base_uri }}/repository/{{ helm_repo_request_body.name }}/ --upload-file {{ item.name }}-{{ item.version }}.tgz" - warn: false with_items: - "{{ helm_charts }}" From fa08c216e00dc02e6dfd1b7329c1fddc4b800275 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sat, 28 Jan 2023 19:31:14 +0000 Subject: [PATCH 143/147] Added ansible version output --- scripts/ansible.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/ansible.sh b/scripts/ansible.sh index 6e1c833..b215658 100755 --- a/scripts/ansible.sh +++ b/scripts/ansible.sh 
@@ -6,6 +6,10 @@ set -euo pipefail trap "echo 'error: Script failed: see failed command above'" ERR +# Info +echo "Ansible version info..." +ansible --version + # Init # Get AKS Cluster credentials message="Merging AKS credentials" From be400890f56051b8433c093b6ae14080c522cb97 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 29 Jan 2023 08:19:43 +0000 Subject: [PATCH 144/147] Bumped binary and TF provider versions --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- terraform/files/scripts/argocd_config.sh | 2 +- terraform/helm/argocd_default_values.yaml | 1225 +++++++++++---------- terraform/helm/velero_default_values.yaml | 117 +- terraform/helm/velero_values.yaml | 2 +- terraform/variables.tf | 26 +- terraform/versions.tf | 11 +- 8 files changed, 708 insertions(+), 679 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d1cfb85..936c967 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -64,7 +64,7 @@ env: TF_LOG: "ERROR" # TRACE, DEBUG, INFO, WARN or ERROR TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.3.4" + TF_VERSION: "1.3.7" TF_WORKING_DIR: ./terraform # azurerm provider oidc # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index f5e08f6..aa5e210 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -60,7 +60,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: "ERROR" # https://developer.hashicorp.com/terraform/internals/debugging # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.3.4" + TF_VERSION: "1.3.7" TF_WORKING_DIR: terraform # azurerm provider oidc # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc 
diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index 743001c..4c0b1b1 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -19,7 +19,7 @@ ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install # https://github.com/argoproj/argo-cd/releases/ -VERSION="v2.5.2" +VERSION="v2.5.9" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" diff --git a/terraform/helm/argocd_default_values.yaml b/terraform/helm/argocd_default_values.yaml index cd8cb19..d67f354 100644 --- a/terraform/helm/argocd_default_values.yaml +++ b/terraform/helm/argocd_default_values.yaml @@ -20,14 +20,13 @@ apiVersionOverrides: cloudgoogle: "" # cloud.google.com/v1 # -- String to override apiVersion of autoscaling rendered by this helm chart autoscaling: "" # autoscaling/v2 - # -- String to override apiVersion of ingresses rendered by this helm chart - ingress: "" # networking.k8s.io/v1beta1 - # -- String to override apiVersion of pod disruption budgets rendered by this helm chart - pdb: "" # policy/v1 -# -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds +# -- Create aggregated roles that extend existing cluster roles to interact with argo-cd resources ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles createAggregateRoles: false +# -- Create cluster roles for cluster-wide installation. +## Used when you manage applications in the same cluster where Argo CD runs +createClusterRoles: true openshift: # -- enables using arbitrary uid for argo repo server 
@@ -70,6 +69,12 @@ global: # -- Set the global logging level. One of: `debug`, `info`, `warn` or `error` level: info + # -- Annotations for the all deployed Statefulsets + statefulsetAnnotations: {} + + # -- Annotations for the all deployed Deployments + deploymentAnnotations: {} + # -- Annotations for the all deployed pods podAnnotations: {} @@ -100,7 +105,7 @@ configs: # General Argo CD configuration ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml cm: - # -- Create the argocd-cm configmap for [Declarative setup] + # -- Create the argocd-cm configmap for [declarative setup] create: true # -- Annotations to be added to argocd-cm configmap @@ -129,7 +134,7 @@ configs: timeout.reconciliation: 180s # -- Timeout to refresh application data as well as target manifests cache - timeout.hard.reconciliation: 0 + timeout.hard.reconciliation: 0s # Dex configuration # dex.config: | 
@@ -236,6 +241,57 @@ configs: # The scope value can be a string, or a list of strings. scopes: "[groups]" + # GnuPG public keys for commit verification + ## Ref: https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/ + gpg: + # -- Annotations to be added to argocd-gpg-keys-cm configmap + annotations: {} + + # -- [GnuPG] public keys to add to the keyring + # @default -- `{}` (See [values.yaml]) + ## Note: Public keys should be exported with `gpg --export --armor ` + keys: {} + # 4AEE18F83AFDEB23: | + # -----BEGIN PGP PUBLIC KEY BLOCK----- + # ... + # -----END PGP PUBLIC KEY BLOCK----- + + # SSH known hosts for Git repositories + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#ssh-known-host-public-keys + ssh: + # -- Annotations to be added to argocd-ssh-known-hosts-cm configmap + annotations: {} + + # -- Known hosts to be added to the known host list by default. + # @default -- See [values.yaml] + knownHosts: | + bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== + github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= + github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl + github.com ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= + gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf + gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 + ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H + vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H + + # -- Additional known hosts for private repositories + extraHosts: '' + + # Repository TLS certificates + # Ref: 
https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories-using-self-signed-tls-certificates-or-are-signed-by-custom-ca + tls: + # -- Annotations to be added to argocd-tls-certs-cm configmap + annotations: {} + + # -- TLS certificates for Git repositories + # @default -- `{}` (See [values.yaml]) + certificates: {} + # server.example.com: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -- Provide one or multiple [external cluster credentials] # @default -- `[]` (See [values.yaml]) ## Ref: 
@@ -263,88 +319,15 @@ configs: # insecure: false # caData: "" - # -- GnuPG key ring annotations - gpgKeysAnnotations: {} - # -- [GnuPG](https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/) keys to add to the key ring - # @default -- `{}` (See [values.yaml]) - gpgKeys: {} - # 4AEE18F83AFDEB23: | - # -----BEGIN PGP PUBLIC KEY BLOCK----- - # - # mQENBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta - # x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT - # SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ - # 7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa - # buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v - # yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAG0NUdpdEh1YiAod2ViLWZs - # b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+iQEiBBMBCAAW - # BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEH/iATWFmi2oxlBh3wAsySNCNV4IPf - # DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6 - # 9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws - # +8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5 - # 4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O - # j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48= - # =Bvzs - # -----END PGP PUBLIC KEY BLOCK----- - - # -- Known Hosts configmap annotations - knownHostsAnnotations: {} - knownHosts: - data: - # -- Known Hosts - # @default -- See [values.yaml] - ssh_known_hosts: | - bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== - github.com ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= - github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl - github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== - gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= - gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf - gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 - ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H - vs-ssh.visualstudio.com ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H - # -- TLS certificate configmap annotations - tlsCertsAnnotations: {} - # -- TLS certificate - # @default -- See [values.yaml] - tlsCerts: - {} - # data: - # argocd.example.com: | - # -----BEGIN CERTIFICATE----- - # MIIF1zCCA7+gAwIBAgIUQdTcSHY2Sxd3Tq/v1eIEZPCNbOowDQYJKoZIhvcNAQEL - # BQAwezELMAkGA1UEBhMCREUxFTATBgNVBAgMDExvd2VyIFNheG9ueTEQMA4GA1UE - # BwwHSGFub3ZlcjEVMBMGA1UECgwMVGVzdGluZyBDb3JwMRIwEAYDVQQLDAlUZXN0 - # c3VpdGUxGDAWBgNVBAMMD2Jhci5leGFtcGxlLmNvbTAeFw0xOTA3MDgxMzU2MTda - # Fw0yMDA3MDcxMzU2MTdaMHsxCzAJBgNVBAYTAkRFMRUwEwYDVQQIDAxMb3dlciBT - # YXhvbnkxEDAOBgNVBAcMB0hhbm92ZXIxFTATBgNVBAoMDFRlc3RpbmcgQ29ycDES - # MBAGA1UECwwJVGVzdHN1aXRlMRgwFgYDVQQDDA9iYXIuZXhhbXBsZS5jb20wggIi - # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCv4mHMdVUcafmaSHVpUM0zZWp5 - # NFXfboxA4inuOkE8kZlbGSe7wiG9WqLirdr39Ts+WSAFA6oANvbzlu3JrEQ2CHPc - # CNQm6diPREFwcDPFCe/eMawbwkQAPVSHPts0UoRxnpZox5pn69ghncBR+jtvx+/u - # P6HdwW0qqTvfJnfAF1hBJ4oIk2AXiip5kkIznsAh9W6WRy6nTVCeetmIepDOGe0G - # ZJIRn/OfSz7NzKylfDCat2z3EAutyeT/5oXZoWOmGg/8T7pn/pR588GoYYKRQnp+ - # YilqCPFX+az09EqqK/iHXnkdZ/Z2fCuU+9M/Zhrnlwlygl3RuVBI6xhm/ZsXtL2E - # Gxa61lNy6pyx5+hSxHEFEJshXLtioRd702VdLKxEOuYSXKeJDs1x9o6cJ75S6hko - # Ml1L4zCU+xEsMcvb1iQ2n7PZdacqhkFRUVVVmJ56th8aYyX7KNX6M9CD+kMpNm6J - # kKC1li/Iy+RI138bAvaFplajMF551kt44dSvIoJIbTr1LigudzWPqk31QaZXV/4u - # kD1n4p/XMc9HYU/was/CmQBFqmIZedTLTtK7clkuFN6wbwzdo1wmUNgnySQuMacO - # gxhHxxzRWxd24uLyk9Px+9U3BfVPaRLiOPaPoC58lyVOykjSgfpgbus7JS69fCq7 - # bEH4Jatp/10zkco+UQIDAQABo1MwUTAdBgNVHQ4EFgQUjXH6PHi92y4C4hQpey86 - # r6+x1ewwHwYDVR0jBBgwFoAUjXH6PHi92y4C4hQpey86r6+x1ewwDwYDVR0TAQH/ - # 
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAFE4SdKsX9UsLy+Z0xuHSxhTd0jfn - # Iih5mtzb8CDNO5oTw4z0aMeAvpsUvjJ/XjgxnkiRACXh7K9hsG2r+ageRWGevyvx - # CaRXFbherV1kTnZw4Y9/pgZTYVWs9jlqFOppz5sStkfjsDQ5lmPJGDii/StENAz2 - # XmtiPOgfG9Upb0GAJBCuKnrU9bIcT4L20gd2F4Y14ccyjlf8UiUi192IX6yM9OjT - # +TuXwZgqnTOq6piVgr+FTSa24qSvaXb5z/mJDLlk23npecTouLg83TNSn3R6fYQr - # d/Y9eXuUJ8U7/qTh2Ulz071AO9KzPOmleYPTx4Xty4xAtWi1QE5NHW9/Ajlv5OtO - # OnMNWIs7ssDJBsB7VFC8hcwf79jz7kC0xmQqDfw51Xhhk04kla+v+HZcFW2AO9so - # 6ZdVHHQnIbJa7yQJKZ+hK49IOoBR6JgdB5kymoplLLiuqZSYTcwSBZ72FYTm3iAr - # jzvt1hxpxVDmXvRnkhRrIRhK4QgJL0jRmirBjDY+PYYd7bdRIjN7WNZLFsgplnS8 - # 9w6CwG32pRlm0c8kkiQ7FXA6BYCqOsDI8f1VGQv331OpR2Ck+FTv+L7DAmg6l37W - # +LB9LGh4OAp68ImTjqf6ioGKG0RBSznwME+r4nXtT1S/qLR6ASWUS4ViWRhbRlNK - # XWyb96wrUlv+E8I= - # -----END CERTIFICATE----- + # DEPRECATED - Moved to configs.ssh.annotations + # knownHostsAnnotations: {} + # DEPRECATED - Moved to configs.ssh.knownHosts + # knownHosts: {} + + # DEPRECATED - Moved to configs.tls.annotations + # tlsCertsAnnotations: {} + # DEPRECATED - Moved to configs.tls.certificates + # tlsCerts: {} # -- Repository credentials to be used as Templates for other repos ## Creates a secret for each key/value specified below to create repository credentials @@ -397,6 +380,8 @@ configs: secret: # -- Create the argocd-secret createSecret: true + # -- Labels to be added to argocd-secret + labels: {} # -- Annotations to be added to argocd-secret annotations: {} @@ -444,6 +429,7 @@ configs: # } # -- Array of extra K8s manifests to deploy +## Note: Supports use of custom Helm templates extraObjects: [] # - apiVersion: secrets-store.csi.x-k8s.io/v1 # kind: SecretProviderClass 
@@ -528,14 +514,6 @@ controller: # # -- define the application controller `--repo-server-timeout-seconds` # repoServerTimeoutSeconds: "60" - # DEPRECATED - Use configs.params to override - # -- Application controller log format. Either `text` or `json` - # @default -- `""` (defaults to global.logging.format) - # logFormat: "" - # -- Application controller log level. One of: `debug`, `info`, `warn` or `error` - # @default -- `""` (defaults to global.logging.level) - # logLevel: "" - # -- Additional command line arguments to pass to application controller extraArgs: [] 
@@ -550,12 +528,60 @@ controller: # - secretRef: # name: secret-name + # -- Additional containers to be added to the application controller pod + ## Note: Supports use of custom Helm templates + extraContainers: [] + + # -- Init containers to add to the application controller pod + ## If your target Kubernetes cluster(s) require a custom credential (exec) plugin + ## you could use this (and the same in the server pod) to provide such executable + ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins + ## Note: Supports use of custom Helm templates + initContainers: [] + # - name: download-tools + # image: alpine:3 + # command: [sh, -c] + # args: + # - wget -qO kubelogin.zip https://github.com/Azure/kubelogin/releases/download/v0.0.25/kubelogin-linux-amd64.zip && + # unzip kubelogin.zip && mv bin/linux_amd64/kubelogin /custom-tools/ + # volumeMounts: + # - mountPath: /custom-tools + # name: custom-tools + + # -- Additional volumeMounts to the application controller main container + volumeMounts: [] + # - mountPath: /usr/local/bin/kubelogin + # name: custom-tools + # subPath: kubelogin + + # -- Additional volumes to the application controller pod + volumes: [] + # - name: custom-tools + # emptyDir: {} + + # -- Annotations for the application controller StatefulSet + statefulsetAnnotations: {} + # -- Annotations to be added to application controller pods podAnnotations: {} # -- Labels to be added to application controller pods podLabels: {} + # -- Resource limits and requests for the application controller pods + resources: {} + # limits: + # cpu: 500m + # memory: 512Mi + # requests: + # cpu: 250m + # memory: 256Mi + + # Application controller container ports + containerPorts: + # -- Metrics container port + metrics: 8082 + # -- Application controller container-level security context # @default -- See [values.yaml] containerSecurityContext: 
@@ -568,9 +594,6 @@ controller: drop: - ALL - # -- Application controller listening port - containerPort: 8082 - # Rediness probe for application controller ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ readinessProbe: @@ -585,12 +608,6 @@ controller: # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 - # -- Additional volumeMounts to the application controller main container - volumeMounts: [] - - # -- Additional volumes to the application controller pod - volumes: [] - # -- [Node selector] nodeSelector: {} @@ -611,15 +628,6 @@ controller: # -- Priority class for the application controller pods priorityClassName: "" - # -- Resource limits and requests for the application controller pods - resources: {} - # limits: - # cpu: 500m - # memory: 512Mi - # requests: - # cpu: 250m - # memory: 256Mi - serviceAccount: # -- Create a service account for the application controller create: true @@ -706,11 +714,7 @@ controller: # prometheus: kube-prometheus # namespace: monitoring # additionalLabels: {} - - ## Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster. - clusterAdminAccess: - # -- Enable RBAC for local cluster deployments - enabled: true + # annotations: {} ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. ## Defaults to off 
@@ -720,28 +724,6 @@ controller: # -- List of custom rules for the application controller's ClusterRole resource rules: [] - # -- Additional containers to be added to the application controller pod - extraContainers: [] - - # -- Init containers to add to the application controller pod - ## If your target Kubernetes cluster(s) require a custom auth provider executable - ## you could use this (and the same in the server pod) to bootstrap - ## that executable into your Argo CD container - initContainers: [] - # - name: download-tools - # image: alpine:3.8 - # command: [sh, -c] - # args: - # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && - # mv linux-amd64/helm /custom-tools/ - # volumeMounts: - # - mountPath: /custom-tools - # name: custom-tools - # volumeMounts: - # - mountPath: /usr/local/bin/helm - # name: custom-tools - # subPath: helm - ## Dex dex: # -- Enable dex @@ -839,6 +821,20 @@ dex: # - secretRef: # name: secret-name + # -- Additional containers to be added to the dex pod + ## Note: Supports use of custom Helm templates + extraContainers: [] + + # -- Init containers to add to the dex pod + ## Note: Supports use of custom Helm templates + initContainers: [] + + # -- Additional volumeMounts to the dex main container + volumeMounts: [] + + # -- Additional volumes to the dex pod + volumes: [] + # TLS certificate configuration via Secret ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#configuring-tls-to-argocd-dex-server ## Note: Issuing certificates via cert-manager in not supported right now because it's not possible to restart Dex automatically without extra controllers. 
@@ -856,12 +852,34 @@ dex: # -- Certificate data. Must contain SANs of Dex service (ie: argocd-dex-server, argocd-dex-server.argo-cd.svc) crt: '' + # -- Annotations to be added to the Dex server Deployment + deploymentAnnotations: {} + # -- Annotations to be added to the Dex server pods podAnnotations: {} # -- Labels to be added to the Dex server pods podLabels: {} + # -- Resource limits and requests for dex + resources: {} + # limits: + # cpu: 50m + # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi + + # Dex container ports + # NOTE: These ports are currently hardcoded and cannot be changed + containerPorts: + # -- HTTP container port + http: 5556 + # -- gRPC container port + grpc: 5557 + # -- Metrics container port + metrics: 5558 + # -- Dex container-level security context # @default -- See [values.yaml] containerSecurityContext: @@ -889,6 +907,7 @@ dex: successThreshold: 1 # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 + readinessProbe: # -- Enable Kubernetes readiness probe for Dex >= 2.28.0 enabled: false @@ -913,26 +932,14 @@ dex: # -- Automount API credentials for the Service Account automountServiceAccountToken: true - # -- Additional volumeMounts to the dex main container - volumeMounts: [] - - # -- Additional volumes to the dex pod - volumes: [] - - # -- Container port for HTTP access - containerPortHttp: 5556 # -- Service port for HTTP access servicePortHttp: 5556 # -- Service port name for HTTP access servicePortHttpName: http - # -- Container port for gRPC access - containerPortGrpc: 5557 # -- Service port for gRPC access servicePortGrpc: 5557 # -- Service port name for gRPC access servicePortGrpcName: grpc - # -- Container port for metrics access - containerPortMetrics: 5558 # -- Service port for metrics access servicePortMetrics: 5558 
@@ -954,34 +961,6 @@ dex: # -- Priority class for dex priorityClassName: "" - # -- Resource limits and requests for dex - resources: {} - # limits: - # cpu: 50m - # memory: 64Mi - # requests: - # cpu: 10m - # memory: 32Mi - - # -- Additional containers to be added to the dex pod - extraContainers: [] - - # -- Init containers to add to the dex pod - initContainers: [] - # - name: download-tools - # image: alpine:3.8 - # command: [sh, -c] - # args: - # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && - # mv linux-amd64/helm /custom-tools/ - # volumeMounts: - # - mountPath: /custom-tools - # name: custom-tools - # volumeMounts: - # - mountPath: /usr/local/bin/helm - # name: custom-tools - # subPath: helm - ## Redis redis: # -- Enable redis 
@@ -1010,9 +989,45 @@ redis: # -- Redis repository repository: public.ecr.aws/docker/library/redis # -- Redis tag - tag: 7.0.5-alpine - # -- Redis imagePullPolicy - imagePullPolicy: IfNotPresent + tag: 7.0.7-alpine + # -- Redis image pull policy + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" + + ## Prometheus redis-exporter sidecar + exporter: + # -- Enable Prometheus redis-exporter sidecar + enabled: false + ## Prometheus redis-exporter image + image: + # -- Repository to use for the redis-exporter + repository: public.ecr.aws/bitnami/redis-exporter + # -- Tag to use for the redis-exporter + tag: 1.45.0 + # -- Image pull policy for the redis-exporter + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" + + # -- Redis exporter security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + + # -- Resource limits and requests for redis-exporter sidecar + resources: {} + # limits: + # cpu: 50m + # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi # -- Secrets with credentials to pull images from a private registry # @default -- `[]` (defaults to global.imagePullSecrets) @@ -1023,11 +1038,6 @@ redis: # - --bind # - "0.0.0.0" - # -- Redis container port - containerPort: 6379 - # -- Redis service port - servicePort: 6379 - # -- Environment variables to pass to the Redis server env: [] 
@@ -1039,12 +1049,38 @@ redis: # - secretRef: # name: secret-name + # -- Additional containers to be added to the redis pod + ## Note: Supports use of custom Helm templates + extraContainers: [] + + # -- Init containers to add to the redis pod + ## Note: Supports use of custom Helm templates + initContainers: [] + + # -- Additional volumeMounts to the redis container + volumeMounts: [] + + # -- Additional volumes to the redis pod + volumes: [] + + # -- Annotations to be added to the Redis server Deployment + deploymentAnnotations: {} + # -- Annotations to be added to the Redis server pods podAnnotations: {} # -- Labels to be added to the Redis server pods podLabels: {} + # -- Resource limits and requests for redis + resources: {} + # limits: + # cpu: 200m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 64Mi + # -- Redis pod-level security context # @default -- See [values.yaml] securityContext: @@ -1053,6 +1089,13 @@ redis: seccompProfile: type: RuntimeDefault + # Redis container ports + containerPorts: + # -- Redis container port + redis: 6379 + # -- Metrics container port + metrics: 9121 + # -- Redis container-level security context # @default -- See [values.yaml] containerSecurityContext: @@ -1061,10 +1104,15 @@ redis: drop: - ALL + # -- Redis service port + servicePort: 6379 + # -- [Node selector] nodeSelector: {} + # -- [Tolerations] for use with node taints tolerations: [] + # -- Assign custom [affinity] rules to the deployment affinity: {} 
@@ -1089,39 +1137,6 @@ redis: # -- Automount API credentials for the Service Account automountServiceAccountToken: false - # -- Resource limits and requests for redis - resources: {} - # limits: - # cpu: 200m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 64Mi - - # -- Additional volumeMounts to the redis container - volumeMounts: [] - # -- Additional volumes to the redis pod - volumes: [] - - # -- Additional containers to be added to the redis pod - extraContainers: [] - - # -- Init containers to add to the redis pod - initContainers: [] - # - name: download-tools - # image: alpine:3.8 - # command: [sh, -c] - # args: - # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && - # mv linux-amd64/helm /custom-tools/ - # volumeMounts: - # - mountPath: /custom-tools - # name: custom-tools - # volumeMounts: - # - mountPath: /usr/local/bin/helm - # name: custom-tools - # subPath: helm - service: # -- Redis service annotations annotations: {} @@ -1129,38 +1144,10 @@ redis: labels: {} metrics: - # -- Deploy metrics service and redis-exporter sidecar + # -- Deploy metrics service enabled: false - image: - # -- redis-exporter image repository - repository: public.ecr.aws/bitnami/redis-exporter - # -- redis-exporter image tag - tag: 1.26.0-debian-10-r2 - # -- redis-exporter image PullPolicy - imagePullPolicy: IfNotPresent - # -- Port to use for redis-exporter sidecar - containerPort: 9121 - - # -- Redis exporter security context - # @default -- See [values.yaml] - containerSecurityContext: - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - # -- Resource limits and requests for redis-exporter sidecar - resources: {} - # limits: - # cpu: 50m - # memory: 64Mi - # requests: - # cpu: 10m - # memory: 32Mi + # Redis metrics service configuration service: # -- Metrics service type type: ClusterIP 
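Review bot: In the last hunk `redis.metrics.enabled` changes meaning from "deploy metrics service and redis-exporter sidecar" to "deploy metrics service" only, while the sidecar now lives under `redis.exporter.enabled` (default `false` in this patch), so an existing values file that sets `redis.metrics.enabled=true` will get a Service and ServiceMonitor with no exporter behind them and metrics collection silently stops. The comment should state the dependency, e.g. `# -- Deploy metrics service (the redis-exporter sidecar must be enabled separately via redis.exporter.enabled)`. The `redis:` block starts and ends outside this hunk.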
@@ -1174,6 +1161,7 @@ redis: servicePort: 9121 # -- Metrics service port name portName: http-metrics + serviceMonitor: # -- Enable a prometheus ServiceMonitor enabled: false @@ -1198,16 +1186,20 @@ redis: # -- Prometheus ServiceMonitor annotations annotations: {} - # This key configures Redis-HA subchart and when enabled (redis-ha.enabled=true) # the custom redis deployment is omitted # Check the redis-ha chart for more properties redis-ha: # -- Enables the Redis HA subchart and disables the custom Redis single node deployment enabled: false + ## Prometheus redis-exporter sidecar exporter: - # -- If `true`, the prometheus exporter sidecar is enabled - enabled: true + # -- Enable Prometheus redis-exporter sidecar + enabled: false + # -- Repository to use for the redis-exporter + image: public.ecr.aws/bitnami/redis-exporter + # -- Tag to use for the redis-exporter + tag: 1.45.0 persistentVolume: # -- Configures persistency on Redis nodes enabled: false @@ -1228,7 +1220,7 @@ redis-ha: enabled: true image: # -- Redis tag - tag: 7.0.5-alpine + tag: 7.0.7-alpine ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ topologySpreadConstraints: 
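Review bot: In the `@@ -1198,16 +1186,20 @@` hunk the redis-ha exporter default flips from `enabled: true` to `enabled: false`, which is a silent loss of Redis metrics for anyone running `redis-ha.enabled=true` with default values. This matches the new `redis.exporter.enabled: false` default for the single-node deployment, but a defaults change of this kind deserves a line in the values comment, e.g. `# -- Enable Prometheus redis-exporter sidecar (default changed from true to false in this chart version)`, and a mention in the upgrade notes. The `redis-ha:` block continues outside the hunk.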
@@ -1345,22 +1337,130 @@ server: # -- Specify postStart and preStop lifecycle hooks for your argo-cd-server container lifecycle: {} - # DEPRECATED - Use configs.params to override - # -- Argo CD server log format: Either `text` or `json` - # @default -- `""` (defaults to global.logging.format) - # logFormat: "" - # -- Argo CD server log level. One of: `debug`, `info`, `warn` or `error` - # @default -- `""` (defaults to global.logging.level) - # logLevel: "" - + ## Argo UI extensions + ## This function in tech preview stage, do expect unstability or breaking changes in newer versions. + ## Ref: https://github.com/argoproj-labs/argocd-extensions + extensions: + # -- Enable support for Argo UI extensions + enabled: false + + ## Argo UI extensions image + image: + # -- Repository to use for extensions image + repository: "ghcr.io/argoproj-labs/argocd-extensions" + # -- Tag to use for extensions image + tag: "v0.2.1" + # -- Image pull policy for extensions + # @default -- `""` (defaults to global.image.imagePullPolicy) + imagePullPolicy: "" + + # -- Server UI extensions container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + + # -- Resource limits and requests for the argocd-extensions container + resources: {} + # limits: + # cpu: 50m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 64Mi + + # -- Additional containers to be added to the server pod + ## Note: Supports use of custom Helm templates + extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + # - name: lemonldap-ng-controller + # image: lemonldapng/lemonldap-ng-controller:0.2.0 + # args: + # - /lemonldap-ng-controller + # - --alsologtostderr + # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration + # env: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # 
- name: POD_NAMESPACE + # valueFrom: + # fieldRef: + # fieldPath: metadata.namespace + # volumeMounts: + # - name: copy-portal-skins + # mountPath: /srv/var/lib/lemonldap-ng/portal/skins + + # -- Init containers to add to the server pod + ## If your target Kubernetes cluster(s) require a custom credential (exec) plugin + ## you could use this (and the same in the application controller pod) to provide such executable + ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins + initContainers: [] + # - name: download-tools + # image: alpine:3 + # command: [sh, -c] + # args: + # - wget -qO kubelogin.zip https://github.com/Azure/kubelogin/releases/download/v0.0.25/kubelogin-linux-amd64.zip && + # unzip kubelogin.zip && mv bin/linux_amd64/kubelogin /custom-tools/ + # volumeMounts: + # - mountPath: /custom-tools + # name: custom-tools + + # -- Additional volumeMounts to the server main container + volumeMounts: [] + # - mountPath: /usr/local/bin/kubelogin + # name: custom-tools + # subPath: kubelogin + + # -- Additional volumes to the server pod + volumes: [] + # - name: custom-tools + # emptyDir: {} + + # -- Annotations to be added to server Deployment + deploymentAnnotations: {} + # -- Annotations to be added to server pods podAnnotations: {} # -- Labels to be added to server pods podLabels: {} - # -- Configures the server port - containerPort: 8080 + # -- Resource limits and requests for the Argo CD server + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 50m + # memory: 64Mi + + # Server container ports + containerPorts: + # -- Server container port + server: 8080 + # -- Metrics container port + metrics: 8082 + + # -- Server container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL ## 
Readiness and liveness probes for default backend ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ @@ -1375,6 +1475,7 @@ server: successThreshold: 1 # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 + livenessProbe: # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 @@ -1387,12 +1488,6 @@ server: # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 - # -- Additional volumeMounts to the server main container - volumeMounts: [] - - # -- Additional volumes to the server pod - volumes: [] - # -- [Node selector] nodeSelector: {} # -- [Tolerations] for use with node taints @@ -1411,27 +1506,6 @@ server: # -- Priority class for the Argo CD server priorityClassName: "" - # -- Server container-level security context - # @default -- See [values.yaml] - containerSecurityContext: - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - - # -- Resource limits and requests for the Argo CD server - resources: {} - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 50m - # memory: 64Mi - # TLS certificate configuration via cert-manager ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#tls-certificates-used-by-argocd-server certificate: 
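Review bot: The new `initContainers` example under `server` (the `@@ -1345,22 +1337,130 @@` hunk) downloads a client-go credential plugin with `wget -qO kubelogin.zip https://github.com/Azure/kubelogin/releases/download/v0.0.25/...` and moves it straight onto the path used for cluster authentication with no integrity check, so a substituted or tampered release asset would run with the server's cluster credentials; it also uses the floating `alpine:3` tag, and the `extraContainers` example uses `nginx:latest`. Even as a commented example this is what users copy, so it should verify the archive before unpacking, e.g. `# - wget -qO kubelogin.zip https://github.com/Azure/kubelogin/releases/download/v0.0.25/kubelogin-linux-amd64.zip && echo "<sha256>  kubelogin.zip" | sha256sum -c - && unzip kubelogin.zip && mv bin/linux_amd64/kubelogin /custom-tools/`, with a pinned image tag. The `server:` block starts and ends outside this hunk.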
@@ -1505,10 +1579,6 @@ server: servicePortHttpName: http # -- Server service https port name, can be used to route traffic via istio servicePortHttpsName: https - # -- Use named target port for argocd - ## Named target ports are not supported by GCE health checks, so when deploying argocd on GKE - ## and exposing it via GCE ingress, the health checks fail and the load balancer returns a 502. - namedTargetPort: true # -- LoadBalancer will get created with the IP specified in this field loadBalancerIP: "" # -- Source IP ranges to allow access to service from @@ -1583,8 +1653,7 @@ server: ## Argo Ingress. ## Hostnames must be provided if Ingress is enabled. ## Secrets must be manually created in the namespace - hosts: - [] + hosts: [] # - argocd.example.com # -- List of ingress paths @@ -1593,13 +1662,7 @@ server: # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` pathType: Prefix # -- Additional ingress paths - extraPaths: - [] - # - path: /* - # backend: - # serviceName: ssl-redirect - # servicePort: use-annotation - ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used) + extraPaths: [] # - path: /* # pathType: Prefix # backend: @@ -1609,8 +1672,7 @@ server: # name: use-annotation # -- Ingress TLS configuration - tls: - [] + tls: [] # - secretName: your-certificate-name # hosts: # - argocd.example.com @@ -1649,8 +1711,7 @@ server: ## Hostnames must be provided if Ingress is enabled. ## Secrets must be manually created in the namespace ## - hosts: - [] + hosts: [] # - argocd.example.com # -- List of ingress paths for dedicated [gRPC-ingress] 
@@ -1659,13 +1720,7 @@ server: # -- Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific` pathType: Prefix # -- Additional ingress paths for dedicated [gRPC-ingress] - extraPaths: - [] - # - path: /* - # backend: - # serviceName: ssl-redirect - # servicePort: use-annotation - ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used) + extraPaths: [] # - path: /* # pathType: Prefix # backend: @@ -1675,8 +1730,7 @@ server: # name: use-annotation # -- Ingress TLS configuration for dedicated [gRPC-ingress] - tls: - [] + tls: [] # - secretName: your-certificate-name # hosts: # - argocd.example.com @@ -1700,12 +1754,6 @@ server: # -- Termination policy of Openshift Route termination_policy: None - ## Enable Admin ClusterRole resources. - ## Enable if you would like to grant rights to Argo CD to deploy to the local Kubernetes cluster. - clusterAdminAccess: - # -- Enable RBAC for local cluster deployments - enabled: true - GKEbackendConfig: # -- Enable BackendConfig custom resource for Google Kubernetes Engine enabled: false 
@@ -1738,86 +1786,6 @@ server: # enabled: true # responseCodeName: RESPONSE_CODE - # -- Additional containers to be added to the server pod - ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. - extraContainers: [] - # - name: my-sidecar - # image: nginx:latest - # - name: lemonldap-ng-controller - # image: lemonldapng/lemonldap-ng-controller:0.2.0 - # args: - # - /lemonldap-ng-controller - # - --alsologtostderr - # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration - # env: - # - name: POD_NAME - # valueFrom: - # fieldRef: - # fieldPath: metadata.name - # - name: POD_NAMESPACE - # valueFrom: - # fieldRef: - # fieldPath: metadata.namespace - # volumeMounts: - # - name: copy-portal-skins - # mountPath: /srv/var/lib/lemonldap-ng/portal/skins - - # -- Init containers to add to the server pod - ## If your target Kubernetes cluster(s) require a custom auth provider executable - ## you could use this (and the same in the application controller pod) to bootstrap - ## that executable into your Argo CD container - initContainers: [] - # - name: download-tools - # image: alpine:3.8 - # command: [sh, -c] - # args: - # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && - # mv linux-amd64/helm /custom-tools/ - # volumeMounts: - # - mountPath: /custom-tools - # name: custom-tools - # volumeMounts: - # - mountPath: /usr/local/bin/helm - # name: custom-tools - # subPath: helm - - ## Argo UI extensions - ## This function in tech preview stage, do expect unstability or breaking changes in newer versions. 
- ## Ref: https://github.com/argoproj-labs/argocd-extensions - extensions: - # -- Enable support for Argo UI extensions - enabled: false - - ## Argo UI extensions image - image: - # -- Repository to use for extensions image - repository: "ghcr.io/argoproj-labs/argocd-extensions" - # -- Tag to use for extensions image - tag: "v0.1.0" - # -- Image pull policy for extensions - imagePullPolicy: IfNotPresent - - # -- Server UI extensions container-level security context - # @default -- See [values.yaml] - containerSecurityContext: - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - - # -- Resource limits and requests for the argocd-extensions container - resources: {} - # limits: - # cpu: 50m - # memory: 128Mi - # requests: - # cpu: 10m - # memory: 64Mi - ## Repo Server repoServer: # -- Repo server name @@ -1874,13 +1842,13 @@ repoServer: image: # -- Repository to use for the repo server # @default -- `""` (defaults to global.image.repository) - repository: "" # defaults to global.image.repository + repository: "" # -- Tag to use for the repo server # @default -- `""` (defaults to global.image.tag) - tag: "" # defaults to global.image.tag + tag: "" # -- Image pull policy for the repo server # @default -- `""` (defaults to global.image.imagePullPolicy) - imagePullPolicy: "" # IfNotPresent + imagePullPolicy: "" # -- Secrets with credentials to pull images from a private registry # @default -- `[]` (defaults to global.imagePullSecrets) 
@@ -1900,13 +1868,48 @@ repoServer: # - secretRef: # name: secret-name - # DEPRECATED - Use configs.params to override - # -- Repo server log format: Either `text` or `json` - # @default -- `""` (defaults to global.logging.level) - # logFormat: "" - # -- Repo server log level. One of: `debug`, `info`, `warn` or `error` - # @default -- `""` (defaults to global.logging.format) - # logLevel: "" + # -- Additional containers to be added to the repo server pod + ## Ref: https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/ + ## Note: Supports use of custom Helm templates + extraContainers: [] + # - name: cmp + # # Entrypoint should be Argo CD lightweight CMP server i.e. argocd-cmp-server + # command: [/var/run/argocd/argocd-cmp-server] + # # This can be off-the-shelf or custom-built image + # image: busybox + # securityContext: + # runAsNonRoot: true + # runAsUser: 999 + # volumeMounts: + # - mountPath: /var/run/argocd + # name: var-files + # - mountPath: /home/argocd/cmp-server/plugins + # name: plugins + # # Remove this volumeMount if you've chosen to bake the config file into the sidecar image. + # - mountPath: /home/argocd/cmp-server/config/plugin.yaml + # subPath: plugin.yaml + # name: cmp-plugin + # # Starting with v2.4, do NOT mount the same tmp volume as the repo-server container. The filesystem separation helps + # # mitigate path traversal attacks. + # - mountPath: /tmp + # name: cmp-tmp + + # -- Init containers to add to the repo server pods + initContainers: [] + + # -- Additional volumeMounts to the repo server main container + volumeMounts: [] + + # -- Additional volumes to the repo server pod + volumes: [] + # - name: cmp-plugin + # configMap: + # name: cmp-plugin + # - name: cmp-tmp + # emptyDir: {} + + # -- Annotations to be added to repo server Deployment + deploymentAnnotations: {} # -- Annotations to be added to repo server pods podAnnotations: {} 
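Review bot: The new CMP sidecar example in this hunk sets only `runAsNonRoot: true` and `runAsUser: 999` in its `securityContext`, which is weaker than the `containerSecurityContext` this same patch applies to the chart's own containers (`readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`, `seccompProfile.type: RuntimeDefault`, `capabilities.drop: [ALL]`), and a CMP sidecar executes repository-supplied content, so it is exactly the container that should be locked down. The example also uses the untagged `image: busybox`. I would extend the commented `securityContext` with those same four settings and pin the image tag; the `/tmp` separation note is good and worth keeping. The `repoServer:` block continues outside the hunk.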
@@ -1914,8 +1917,33 @@ repoServer: # -- Labels to be added to repo server pods podLabels: {} - # -- Configures the repo server port - containerPort: 8081 + # -- Resource limits and requests for the repo server pods + resources: {} + # limits: + # cpu: 50m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 64Mi + + # Repo server container ports + containerPorts: + # -- Repo server container port + server: 8081 + # -- Metrics container port + metrics: 8084 + + # -- Repo server container-level security context + # @default -- See [values.yaml] + containerSecurityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL ## Readiness and liveness probes for default backend ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ @@ -1930,6 +1958,7 @@ repoServer: successThreshold: 1 # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 + livenessProbe: # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 @@ -1942,17 +1971,6 @@ repoServer: # -- Number of seconds after which the [probe] times out timeoutSeconds: 1 - # -- Additional volumeMounts to the repo server main container - volumeMounts: [] - - # -- Additional volumes to the repo server pod - volumes: [] - ## Use init containers to configure custom tooling - ## https://argo-cd.readthedocs.io/en/stable/operator-manual/custom_tools/ - ## When using the volumes & volumeMounts section bellow, please comment out those above. - # - name: custom-tools - # emptyDir: {} - # -- [Node selector] nodeSelector: {} # -- [Tolerations] for use with node taints 
@@ -1971,26 +1989,22 @@ repoServer: # -- Priority class for the repo server priorityClassName: "" - # -- Repo server container-level security context - # @default -- See [values.yaml] - containerSecurityContext: - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - - # -- Resource limits and requests for the repo server pods - resources: {} - # limits: - # cpu: 50m - # memory: 128Mi - # requests: - # cpu: 10m - # memory: 64Mi + # TLS certificate configuration via Secret + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#configuring-tls-to-argocd-repo-server + ## Note: Issuing certificates via cert-manager in not supported right now because it's not possible to restart repo server automatically without extra controllers. + certificateSecret: + # -- Create argocd-repo-server-tls secret + enabled: false + # -- Annotations to be added to argocd-repo-server-tls secret + annotations: {} + # -- Labels to be added to argocd-repo-server-tls secret + labels: {} + # -- Certificate authority. Required for self-signed certificates. + ca: '' + # -- Certificate private key + key: '' + # -- Certificate data. Must contain SANs of Repo service (ie: argocd-repo-server, argocd-repo-server.argo-cd.svc) + crt: '' ## Repo server service configuration service: @@ -2040,11 +2054,6 @@ repoServer: # -- Prometheus ServiceMonitor annotations annotations: {} - ## Enable Admin ClusterRole resources. - ## Enable if you would like to grant cluster rights to Argo CD repo server. - clusterAdminAccess: - # -- Enable RBAC for local cluster deployments - enabled: false ## Enable Custom Rules for the Repo server's Cluster Role resource ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. ## Defaults to off 
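Review bot: The new `repoServer.certificateSecret` block in the first hunk takes the TLS private key as a plain values field (`key: ''`), which invites committing the key into a values file in git alongside `ca` and `crt`. The comment on `key` should say how to supply it without committing it, e.g. `# -- Certificate private key. Pass via --set-file or an external secrets mechanism; never commit to version control`; the same applies to the existing dex `certificateSecret` block. The `repoServer:` block continues outside this hunk.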
@@ -2068,9 +2077,6 @@ repoServer: # -- Automount API credentials for the Service Account automountServiceAccountToken: true - # -- Additional containers to be added to the repo server pod - extraContainers: [] - # -- Repo server rbac rules rbac: [] # - apiGroups: @@ -2082,28 +2088,12 @@ repoServer: # - list # - watch - # -- Init containers to add to the repo server pods - initContainers: [] - # - name: download-tools - # image: alpine:3.8 - # command: [sh, -c] - # args: - # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && - # mv linux-amd64/helm /custom-tools/ - # volumeMounts: - # - mountPath: /custom-tools - # name: custom-tools - # volumeMounts: - # - mountPath: /usr/local/bin/helm - # name: custom-tools - # subPath: helm - ## ApplicationSet controller applicationSet: # -- Enable ApplicationSet controller enabled: true - # -- Application Set controller name string + # -- ApplicationSet controller name string name: applicationset-controller # -- The number of ApplicationSet controller pods to run @@ -2127,13 +2117,13 @@ applicationSet: ## ApplicationSet controller image image: - # -- Repository to use for the application set controller + # -- Repository to use for the ApplicationSet controller # @default -- `""` (defaults to global.image.repository) repository: "" - # -- Tag to use for the application set controller + # -- Tag to use for the ApplicationSet controller # @default -- `""` (defaults to global.image.tag) tag: "" - # -- Image pull policy for the application set controller + # -- Image pull policy for the ApplicationSet controller # @default -- `""` (defaults to global.image.imagePullPolicy) imagePullPolicy: "" 
@@ -2141,20 +2131,6 @@ applicationSet: # @default -- `[]` (defaults to global.imagePullSecrets) imagePullSecrets: [] - args: - # -- The default metric address - metricsAddr: :8080 - # -- The default health check port - probeBindAddr: :8081 - # -- The default leader election setting - enableLeaderElection: false - # -- How application is synced between the generator and the cluster - policy: sync - # -- Print debug logs - debug: false - # -- Enable dry run mode - dryRun: false - # -- ApplicationSet controller log format. Either `text` or `json` # @default -- `""` (defaults to global.logging.format) logFormat: "" @@ -2162,9 +2138,42 @@ applicationSet: # @default -- `""` (defaults to global.logging.level) logLevel: "" - # -- Additional containers to be added to the applicationset controller pod + args: + # -- How application is synced between the generator and the cluster + policy: sync + # -- Enable dry run mode + dryRun: false + + # -- List of extra cli args to add + extraArgs: [] + + # -- Environment variables to pass to the ApplicationSet controller + extraEnv: [] + # - name: "MY_VAR" + # value: "value" + + # -- envFrom to pass to the ApplicationSet controller + # @default -- `[]` (See [values.yaml]) + extraEnvFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # -- Additional containers to be added to the ApplicationSet controller pod + ## Note: Supports use of custom Helm templates extraContainers: [] + # -- Init containers to add to the ApplicationSet controller pod + ## Note: Supports use of custom Helm templates + initContainers: [] + + # -- List of extra mounts to add (normally used with extraVolumes) + extraVolumeMounts: [] + + # -- List of extra volumes to add + extraVolumes: [] + ## Metrics service configuration metrics: # -- Deploy metrics service 
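Review bot: The second hunk rebuilds `applicationSet.args` and drops `enableLeaderElection` (previously `false`), `metricsAddr`, `probeBindAddr` and `debug` without saying where they went, while the ApplicationSet `replicas` count stays configurable, so it is not clear from this chunk whether a multi-replica deployment now gets leader election or runs concurrent reconcilers; if the template enables it unconditionally that should be stated, and if not, users with `replicas > 1` need a warning. A comment such as `# NOTE: metricsAddr/probeBindAddr are now set from containerPorts; enableLeaderElection and debug were removed — use extraArgs if needed` (adjusted to what the templates actually do) would close the gap. The `applicationSet:` block continues outside the hunk.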
@@ -2202,34 +2211,56 @@ applicationSet: # -- Prometheus ServiceMonitor annotations annotations: {} - ## Application set service configuration + ## ApplicationSet service configuration service: - # -- Application set service annotations + # -- ApplicationSet service annotations annotations: {} - # -- Application set service labels + # -- ApplicationSet service labels labels: {} - # -- Application set service port + # -- ApplicationSet service port port: 7000 - # -- Application set service port name + # -- ApplicationSet service port name portName: webhook serviceAccount: - # -- Specifies whether a service account should be created + # -- Create ApplicationSet controller service account create: true - # -- Annotations to add to the service account + # -- ApplicationSet controller service account name + name: argocd-applicationset-controller + # -- Annotations applied to created service account annotations: {} # -- Labels applied to created service account labels: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" + # -- Automount API credentials for the Service Account + automountServiceAccountToken: true - # -- Annotations for the controller pods + # -- Annotations to be added to ApplicationSet controller Deployment + deploymentAnnotations: {} + + # -- Annotations for the ApplicationSet controller pods podAnnotations: {} - # -- Labels for the controller pods + # -- Labels for the ApplicationSet controller pods podLabels: {} + # -- Resource limits and requests for the ApplicationSet controller pods. 
+ resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # ApplicationSet controller container ports + containerPorts: + # -- Metrics container port + metrics: 8080 + # -- Probe container port + probe: 8081 + # -- Webhook container port + webhook: 7000 + # -- ApplicationSet controller container-level security context # @default -- See [values.yaml] containerSecurityContext: @@ -2272,19 +2303,6 @@ applicationSet: # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded failureThreshold: 3 - # -- Resource limits and requests for the controller pods. - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - # -- [Node selector] nodeSelector: {} 
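Review bot: The first hunk changes `applicationSet.serviceAccount.name` from `""` (generated from the fullname template) to the fixed `argocd-applicationset-controller`, which amounts to a ServiceAccount rename on upgrade: if the templates bind the Role/ClusterRole and Deployment to this name, anything outside the chart that trusts the old generated name (cloud workload-identity annotations, RoleBindings in target namespaces) will silently stop matching. Worth a comment on the field, e.g. `# -- ApplicationSet controller service account name (no longer generated; re-point external bindings on upgrade)`, plus an upgrade note. The `applicationSet:` block continues outside the hunk.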
@@ -2297,32 +2315,6 @@ applicationSet: # -- If specified, indicates the pod's priority. If not specified, the pod priority will be default or zero if there is no default. priorityClassName: "" - # -- List of extra mounts to add (normally used with extraVolumes) - extraVolumeMounts: [] - # - mountPath: /tmp/foobar - # name: foobar - - # -- List of extra volumes to add - extraVolumes: [] - # - name: foobar - # emptyDir: {} - - # -- List of extra cli args to add - extraArgs: [] - - # -- Environment variables to pass to the controller - extraEnv: [] - # - name: "MY_VAR" - # value: "value" - - # -- envFrom to pass to the controller - # @default -- `[]` (See [values.yaml]) - extraEnvFrom: [] - # - configMapRef: - # name: config-map-name - # - secretRef: - # name: secret-name - ## Webhook for the Git Generator ## Ref: https://argocd-applicationset.readthedocs.io/en/master/Generators-Git/#webhook-configuration) webhook: @@ -2333,7 +2325,7 @@ applicationSet: annotations: {} # -- Additional ingress labels labels: {} - # -- Defines which ingress controller will implement the resource + # -- Defines which ingress ApplicationSet controller will implement the resource ingressClassName: "" # -- List of ingress hosts @@ -2376,9 +2368,6 @@ notifications: # -- Notifications controller name string name: notifications-controller - # -- Assign custom [affinity] rules - affinity: {} - # -- Argo CD dashboard url; used in place of {{.context.argocdUrl}} in templates argocdUrl: 
@@ -2414,8 +2403,40 @@ notifications: # @default -- `[]` (defaults to global.imagePullSecrets) imagePullSecrets: [] - # -- [Node selector] - nodeSelector: {} + # -- Notifications controller log format. Either `text` or `json` + # @default -- `""` (defaults to global.logging.format) + logFormat: "" + # -- Notifications controller log level. One of: `debug`, `info`, `warn`, `error` + # @default -- `""` (defaults to global.logging.level) + logLevel: "" + + # -- Extra arguments to provide to the notifications controller + extraArgs: [] + + # -- Additional container environment variables + extraEnv: [] + + # -- envFrom to pass to the notifications controller + # @default -- `[]` (See [values.yaml]) + extraEnvFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # -- Additional containers to be added to the notifications controller pod + ## Note: Supports use of custom Helm templates + extraContainers: [] + + # -- Init containers to add to the notifications controller pod + ## Note: Supports use of custom Helm templates + initContainers: [] + + # -- List of extra mounts to add (normally used with extraVolumes) + extraVolumeMounts: [] + + # -- List of extra volumes to add + extraVolumes: [] # -- Define user-defined context ## For more information: https://argocd-notifications.readthedocs.io/en/stable/templates/#defining-user-defined-context @@ -2424,7 +2445,7 @@ notifications: # environmentName: staging secret: - # -- Whether helm chart creates controller secret + # -- Whether helm chart creates notifications controller secret create: true # -- key:value pairs of annotations to be added to the secret 
@@ -2446,37 +2467,6 @@ notifications: # email-password: # For more information: https://argocd-notifications.readthedocs.io/en/stable/services/email/ - # -- Application controller log format. Either `text` or `json` - # @default -- `""` (defaults to global.logging.format) - logFormat: "" - # -- Application controller log level. One of: `debug`, `info`, `warn`, `error` - # @default -- `""` (defaults to global.logging.level) - logLevel: "" - - # -- Extra arguments to provide to the controller - extraArgs: [] - - # -- Additional container environment variables - extraEnv: [] - - # -- envFrom to pass to the controller - # @default -- `[]` (See [values.yaml]) - extraEnvFrom: [] - # - configMapRef: - # name: config-map-name - # - secretRef: - # name: secret-name - - # -- List of extra mounts to add (normally used with extraVolumes) - extraVolumeMounts: [] - # - mountPath: /tmp/foobar - # name: foobar - - # -- List of extra volumes to add - extraVolumes: [] - # - name: foobar - # emptyDir: {} - metrics: # -- Enables prometheus metrics server enabled: false @@ -2506,6 +2496,10 @@ notifications: scheme: "" # -- Prometheus ServiceMonitor tlsConfig tlsConfig: {} + # -- Prometheus [RelabelConfigs] to apply to samples before scraping + relabelings: [] + # -- Prometheus [MetricRelabelConfigs] to apply to samples before ingestion + metricRelabelings: [] # -- Configures notification services such as slack, email or custom webhook # @default -- See [values.yaml] 
@@ -2514,12 +2508,29 @@ notifications: # service.slack: | # token: $slack-token - # -- Annotations to be applied to the controller Pods + # -- Annotations to be applied to the notifications controller Deployment + deploymentAnnotations: {} + + # -- Annotations to be applied to the notifications controller Pods podAnnotations: {} - # -- Labels to be applied to the controller Pods + # -- Labels to be applied to the notifications controller Pods podLabels: {} + # -- Resource limits and requests for the notifications controller + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # Notification controller container ports + containerPorts: + # -- Metrics container port + metrics: 9001 + # -- Notification controller container-level security Context # @default -- See [values.yaml] containerSecurityContext: 
@@ -2532,33 +2543,32 @@ notifications: drop: - ALL - # -- Priority class for the controller pods - priorityClassName: "" + # -- [Node selector] + nodeSelector: {} - # -- Resource limits and requests for the controller - resources: {} - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi + # -- [Tolerations] for use with node taints + tolerations: [] + + # -- Assign custom [affinity] rules + affinity: {} + + # -- Priority class for the notifications controller pods + priorityClassName: "" serviceAccount: - # -- Specifies whether a service account should be created + # -- Create notifications controller service account create: true - - # -- The name of the service account to use. - ## If not set and create is true, a name is generated using the fullname template + # -- Notification controller service account name name: argocd-notifications-controller - # -- Annotations applied to created service account annotations: {} - # -- Labels applied to created service account labels: {} + # -- Automount API credentials for the Service Account + automountServiceAccountToken: true + cm: - # -- Whether helm chart creates controller config map + # -- Whether helm chart creates notifications controller config map create: true # -- Contains centrally managed global application subscriptions @@ -2794,9 +2804,6 @@ notifications: # ] # }] - # -- [Tolerations] for use with node taints - tolerations: [] - # -- The trigger defines the condition when the notification should be sent ## For more information: https://argocd-notifications.readthedocs.io/en/stable/triggers/ triggers: {} @@ -2860,7 +2867,7 @@ notifications: ## Has higher precedence over `notifications.bots.slack.pdb.minAvailable` maxUnavailable: "" - ## Slack bot imabe + ## Slack bot image image: # -- Repository to use for the Slack bot # @default -- `""` (defaults to global.image.repository) 
@@ -2876,6 +2883,16 @@ notifications: # @default -- `[]` (defaults to global.imagePullSecrets) imagePullSecrets: [] + # -- Slack bot log format. Either `text` or `json` + # @default -- `""` (defaults to global.logging.format) + logFormat: "" + # -- Slack bot log level. One of: `debug`, `info`, `warn`, `error` + # @default -- `""` (defaults to global.logging.level) + logLevel: "" + + # -- List of extra cli args to add for Slack bot + extraArgs: [] + service: # -- Service annotations for Slack bot annotations: {} diff --git a/terraform/helm/velero_default_values.yaml b/terraform/helm/velero_default_values.yaml index 6a7f955..0803345 100644 --- a/terraform/helm/velero_default_values.yaml +++ b/terraform/helm/velero_default_values.yaml @@ -1,14 +1,14 @@ -# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.32.1/charts/velero/values.yaml +# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-3.1.0/charts/velero/values.yaml ## ## Configuration settings that directly affect the Velero deployment YAML. ## # Details of the container image to use in the Velero deployment & daemonset (if -# enabling restic). Required. +# enabling node-agent). Required. image: repository: velero/velero - tag: v1.9.2 + tag: v1.10.0 # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. # If used, it will take precedence over the image.tag. # digest: @@ -55,13 +55,13 @@ dnsPolicy: ClusterFirst # If the value is a string then it is evaluated as a template. initContainers: # - name: velero-plugin-for-csi - # image: velero/velero-plugin-for-csi:v0.3.1 + # image: velero/velero-plugin-for-csi:v0.3.2 # imagePullPolicy: IfNotPresent # volumeMounts: # - mountPath: /target # name: plugins # - name: velero-plugin-for-aws - # image: velero/velero-plugin-for-aws:v1.5.1 + # image: velero/velero-plugin-for-aws:v1.5.2 # imagePullPolicy: IfNotPresent # volumeMounts: # - mountPath: /target 
@@ -154,6 +154,7 @@ metrics: serviceMonitor: enabled: false + annotations: {} additionalLabels: {} # ServiceMonitor namespace. Default to Velero namespace. # namespace: 
@@ -286,46 +287,60 @@ configuration: # here if using a non-default value. The `velero server` default values are shown in the # comments below. # -------------------- + # `velero server` default: restic + uploaderType: # `velero server` default: 1m backupSyncPeriod: - # `velero server` default: 1h - resticTimeout: - # `velero server` default: namespaces,persistentvolumes,persistentvolumeclaims,secrets,configmaps,serviceaccounts,limitranges,pods - restoreResourcePriorities: - # `velero server` default: false - restoreOnlyMode: - # `velero server` default: 20.0 - clientQPS: + # `velero server` default: 4h + fsBackupTimeout: # `velero server` default: 30 clientBurst: - # `velero server` default: empty + # `velero server` default: 500 clientPageSize: + # `velero server` default: 20.0 + clientQPS: + # Name of the default backup storage location. Default: default + defaultBackupStorageLocation: + # How long to wait by default before backups can be garbage collected. Default: 72h + defaultBackupTTL: + # Name of the default volume snapshot location. + defaultVolumeSnapshotLocations: # `velero server` default: empty disableControllers: - # `velero server` default: 1m - storeValidationFrequency: # `velero server` default: 1h garbageCollectionFrequency: - # - - # additional key/value pairs to be used as environment variables such as "AWS_CLUSTER_NAME: 'yourcluster.domain.tld'" - extraEnvVars: {} - + # Set log-format for Velero pod. Default: text. Other option: json. + logFormat: + # Set log-level for Velero pod. Default: info. Other options: debug, warning, error, fatal, panic. + logLevel: + # The address to expose prometheus metrics. Default: :8085 + metricsAddress: + # Directory containing Velero plugins. Default: /plugins + pluginDir: + # The address to expose the pprof profiler. 
Default: localhost:6060 + profilerAddress: + # `velero server` default: false + restoreOnlyMode: + # `velero server` default: customresourcedefinitions,namespaces,storageclasses,volumesnapshotclass.snapshot.storage.k8s.io,volumesnapshotcontents.snapshot.storage.k8s.io,volumesnapshots.snapshot.storage.k8s.io,persistentvolumes,persistentvolumeclaims,secrets,configmaps,serviceaccounts,limitranges,pods,replicasets.apps,clusterclasses.cluster.x-k8s.io,clusters.cluster.x-k8s.io,clusterresourcesets.addons.cluster.x-k8s.io + restoreResourcePriorities: + # `velero server` default: 1m + storeValidationFrequency: + # How long to wait on persistent volumes and namespaces to terminate during a restore before timing out. Default: 10m + terminatingResourceTimeout: # Comma separated list of velero feature flags. default: empty # features: EnableCSI features: + # `velero server` default: velero + namespace: - # Set log-level for Velero pod. Default: info. Other options: debug, warning, error, fatal, panic. - logLevel: - - # Set log-format for Velero pod. Default: text. Other option: json. - logFormat: + # additional key/value pairs to be used as environment variables such as "AWS_CLUSTER_NAME: 'yourcluster.domain.tld'" + extraEnvVars: {} - # Set true for backup all pod volumes without having to apply annotation on the pod when used restic Default: false. Other option: false. - defaultVolumesToRestic: + # Set true for backup all pod volumes without having to apply annotation on the pod when used file system backup Default: false. + defaultVolumesToFsBackup: - # How often 'restic prune' is run for restic repositories by default. Default: 168h. Optional. - defaultResticPruneFrequency: + # How often repository maintain is run for repositories by default. + defaultRepoMaintainFrequency: ## ## End of backup/snapshot location settings. 
@@ -381,7 +396,7 @@ credentials: # additional key/value pairs to be used as environment variables such as "DIGITALOCEAN_TOKEN: ". Values will be stored in the secret. extraEnvVars: {} # Name of a pre-existing secret (if any) in the Velero namespace - # that will be used to load environment variables into velero and restic. + # that will be used to load environment variables into velero and node-agent. # Secret should be in format - https://kubernetes.io/docs/concepts/configuration/secret/#use-case-as-container-environment-variables extraSecretRef: "" @@ -390,15 +405,15 @@ backupsEnabled: true # Whether to create volumesnapshotlocation crd, if false => disable snapshot feature snapshotsEnabled: true -# Whether to deploy the restic daemonset. -deployRestic: false +# Whether to deploy the node-agent daemonset. +deployNodeAgent: false -restic: +nodeAgent: podVolumePath: /var/lib/kubelet/pods privileged: false - # Pod priority class name to use for the Restic daemonset. Optional. + # Pod priority class name to use for the node-agent daemonset. Optional. priorityClassName: "" - # Resource requests/limits to specify for the Restic daemonset deployment. Optional. + # Resource requests/limits to specify for the node-agent daemonset deployment. Optional. # https://velero.io/docs/v1.6/customize-installation/#customize-resource-requests-and-limits resources: requests: @@ -408,13 +423,13 @@ restic: cpu: 1000m memory: 1024Mi - # Tolerations to use for the Restic daemonset. Optional. + # Tolerations to use for the node-agent daemonset. Optional. tolerations: [] - # Annotations to set for the Restic daemonset. Optional. + # Annotations to set for the node-agent daemonset. Optional. annotations: {} - # labels to set for the Restic daemonset. Optional. + # labels to set for the node-agent daemonset. Optional. labels: {} # will map /scratch to emptyDir. Set to false and specify your own volume 
@@ -422,16 +437,16 @@ restic: # if you don't want to use emptyDir. useScratchEmptyDir: true - # Extra volumes for the Restic daemonset. Optional. + # Extra volumes for the node-agent daemonset. Optional. extraVolumes: [] - # Extra volumeMounts for the Restic daemonset. Optional. + # Extra volumeMounts for the node-agent daemonset. Optional. extraVolumeMounts: [] - # Key/value pairs to be used as environment variables for the Restic daemonset. Optional. + # Key/value pairs to be used as environment variables for the node-agent daemonset. Optional. extraEnvVars: {} - # Configure the dnsPolicy of the Restic daemonset + # Configure the dnsPolicy of the node-agent daemonset # See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy dnsPolicy: ClusterFirst @@ -442,20 +457,20 @@ restic: runAsUser: 0 # fsGroup: 1337 - # Container Level Security Context for the 'restic' container of the restic DaemonSet. Optional. + # Container Level Security Context for the 'node-agent' container of the node-agent daemonset. Optional. # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} - # Container Lifecycle Hooks to use for the Restic daemonset. Optional. + # Container Lifecycle Hooks to use for the node-agent daemonset. Optional. lifecycle: {} - # Node selector to use for the Restic daemonset. Optional. + # Node selector to use for the node-agent daemonset. Optional. nodeSelector: {} - # Affinity to use with Restic daemonset. Optional. + # Affinity to use with node-agent daemonset. Optional. affinity: {} - # DNS configuration to use for the Restic daemonset. Optional. + # DNS configuration to use for the node-agent daemonset. Optional. dnsConfig: {} # Backup schedules to create. 
@@ -478,12 +493,12 @@ schedules: {} # Velero ConfigMaps. # Eg: # configMaps: -# restic-restore-action-config: +# fs-restore-action-config: # labels: # velero.io/plugin-config: "" -# velero.io/restic: RestoreItemAction +# velero.io/pod-volume-restore: RestoreItemAction # data: -# image: velero/velero-restic-restore-helper:v1.9.2 +# image: velero/velero-restore-helper:v1.10.0 configMaps: {} ## diff --git a/terraform/helm/velero_values.yaml b/terraform/helm/velero_values.yaml index ec03373..c8eddb8 100644 --- a/terraform/helm/velero_values.yaml +++ b/terraform/helm/velero_values.yaml @@ -5,7 +5,7 @@ initContainers: - name: velero-plugin-for-microsoft-azure # https://hub.docker.com/r/velero/velero-plugin-for-microsoft-azure/tags - image: velero/velero-plugin-for-microsoft-azure:v1.5.1 + image: velero/velero-plugin-for-microsoft-azure:v1.6.0 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target diff --git a/terraform/variables.tf b/terraform/variables.tf index 3604b3c..6a81916 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -6,7 +6,7 @@ # az aks get-versions --location eastus --output table # az aks get-versions --location uksouth --output tsv --query "orchestrators | [?default].orchestratorVersion" variable "kubernetes_version" { - default = "1.23.12" + default = "1.24.6" } # Helm charts @@ -21,7 +21,7 @@ variable "nginx_chart_version" { # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.10.0" + default = "v1.11.0" } # https://github.com/vmware-tanzu/helm-charts/releases 
@@ -29,17 +29,17 @@ variable "cert_manager_chart_version" { # * also update terraform/helm/velero_default_values.yaml # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.32.1" + default = "3.1.0" } # https://hub.docker.com/r/velero/velero/tags variable "velero_image_tag" { - default = "v1.9.2" + default = "v1.10.0" } # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.43.0" + default = "3.45.1" } # https://github.com/adamrushuk/charts/releases @@ -53,13 +53,13 @@ variable "nexus_chart_version" { # https://github.com/SparebankenVest/public-helm-charts/blob/master/stable/akv2k8s/Chart.yaml#L5 # helm search repo spv-charts/akv2k8s variable "akv2k8s_chart_version" { - default = "2.2.2" + default = "2.3.2" } # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 # helm search repo aad-pod-identity/aad-pod-identity variable "aad_pod_identity_chart_version" { - default = "4.1.14" + default = "4.1.15" } # https://bitnami.com/stack/external-dns/helm @@ -67,18 +67,18 @@ variable "aad_pod_identity_chart_version" { # helm search repo bitnami/external-dns # helm search repo -l bitnami/external-dns variable "external_dns_chart_version" { - default = "6.11.3" + default = "6.13.1" } # https://github.com/kubereboot/charts/tree/main/charts/kured # helm search repo kubereboot/kured variable "kured_chart_version" { - default = "4.1.0" + default = "4.2.0" } -# https://github.com/kubereboot/kured#kubernetes--os-compatibility +# https://kured.dev/docs/installation/#kubernetes--os-compatibility variable "kured_image_tag" { - default = "1.11.0" + default = "1.12.0" } 
@@ -88,13 +88,13 @@ variable "kured_image_tag" { # helm search repo -l argo/argo-cd | head -n 20 # * also update terraform/helm/argocd_default_values.yaml variable "argocd_chart_version" { - default = "5.13.6" + default = "5.19.11" } # https://hub.docker.com/r/argoproj/argocd/tags # * also update cli version: terraform/files/scripts/argocd_config.sh#L22 variable "argocd_image_tag" { - default = "v2.5.2" + default = "v2.5.9" } #endregion Versions diff --git a/terraform/versions.tf b/terraform/versions.tf index 3f953e5..09baf47 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -11,9 +11,6 @@ terraform { use_oidc = true # or use "ARM_USE_OIDC" env var # requires "Storage Blob Data Contributor" on the container use_azuread_auth = true - # TODO remove - # resource_group_name = "__TERRAFORM_STORAGE_RG__" - # storage_account_name = "__TERRAFORM_STORAGE_ACCOUNT__" } # providers (pin all versions) @@ -23,25 +20,25 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 3.31.0" + version = "~> 3.41.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.30.0" + version = "~> 2.33.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.15.0" + version = "~> 2.17.0" } # https://github.com/hashicorp/terraform-provider-helm/releases helm = { source = "hashicorp/helm" - version = "~> 2.7.1" + version = "~> 2.8.0" } # https://github.com/hashicorp/terraform-provider-random/releases From 4fe48bacfa9a13d16df42d36f7fa035c93259357 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 29 Jan 2023 09:38:46 +0000 Subject: [PATCH 145/147] Fixed docker script --- scripts/push_docker_images.sh | 39 +++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 13 deletions(-) 
diff --git a/scripts/push_docker_images.sh b/scripts/push_docker_images.sh
index 34ee7ed..42aa619 100644
--- a/scripts/push_docker_images.sh
+++ b/scripts/push_docker_images.sh
@@ -5,31 +5,44 @@ set -euo pipefail
 trap "echo 'error: Script failed: see failed command above'" ERR
+# vars
+# DOCKER_FQDN='docker.thehypepipe.co.uk'
+DOCKER_SERVER="https://$DOCKER_FQDN"
+
+# Check if images already exist
-message="Pushing docker images"
-echo -e "\nSTARTED: $message..."
+main_message="Pushing docker image tasks"
+echo -e "\nSTARTED: $main_message..."
 # List repositories
-repos=$(curl -s "$DOCKER_FQDN/v2/_catalog" | jq ".repositories")
+repos=$(curl -s "$DOCKER_SERVER/v2/_catalog" | jq ".repositories")
 if [[ "$repos" == "[]" ]]; then
+ message="Pulling base images..."
+ echo -e "\nSTARTED: $message..."
 docker pull busybox
 docker pull nginxdemos/hello
+ echo -e "\nFINISHED: $message."
- docker image tag busybox "$DOCKER_FQDN/busybox"
- docker image tag nginxdemos/hello "$DOCKER_FQDN/hello"
-
- docker image ls "$DOCKER_FQDN/busybox"
- docker image ls "$DOCKER_FQDN/hello"
+ message="Tagging images..."
+ docker image tag busybox "$DOCKER_SERVER/busybox"
+ docker image tag nginxdemos/hello "$DOCKER_SERVER/hello"
+ echo -e "\nFINISHED: $message."
- docker push "$DOCKER_FQDN/busybox"
- docker push "$DOCKER_FQDN/hello"
+ message="Listing images..."
+ docker image ls "$DOCKER_SERVER/busybox"
+ docker image ls "$DOCKER_SERVER/hello"
+ echo -e "\nFINISHED: $message."
+ message="Pushing images..."
+ docker push "$DOCKER_SERVER/busybox"
+ docker push "$DOCKER_SERVER/hello"
 echo -e "\nFINISHED: $message."
+
+ echo -e "\nFINISHED: $main_message."
 else
- echo -e "\nSKIPPING: $message...they already exist in repo."
+ echo -e "\nSKIPPING: $main_message...they already exist in repo."
 # List tags
- curl -s "$DOCKER_FQDN/v2/busybox/tags/list"
- curl -s "$DOCKER_FQDN/v2/hello/tags/list"
+ curl -s "$DOCKER_SERVER/v2/busybox/tags/list"
+ curl -s "$DOCKER_SERVER/v2/hello/tags/list"
 fi
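Review bot: The catalog query on the changed `repos=$(curl -s "$DOCKER_SERVER/v2/_catalog" | jq ".repositories")` line has no `--fail`, so a registry error response (authentication failure, wrong host, 5xx) produces a body that is not `[]`, the script takes the SKIPPING branch, prints its message and exits 0 even though nothing was pushed. `repos=$(curl -sSf "$DOCKER_SERVER/v2/_catalog" | jq ".repositories")` turns that into a hard failure under the script's `set -e`/`pipefail`. The new `DOCKER_SERVER="https://$DOCKER_FQDN"` line also depends on `DOCKER_FQDN` being supplied by the caller, which the file only hints at through the commented-out assignment above it; a guard such as `: "${DOCKER_FQDN:?DOCKER_FQDN (registry host, no scheme) must be set}"` placed before that line gives a clear message instead of bash's generic unbound-variable error.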
From f592bd0b597054335c4e977a4dfeece110d1a118 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sun, 29 Jan 2023 09:40:14 +0000
Subject: [PATCH 146/147] Disabled tfsec workflow on push
---
 .github/workflows/tfsec.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml
index 99c7c14..29010f2 100644
--- a/.github/workflows/tfsec.yml
+++ b/.github/workflows/tfsec.yml
@@ -6,10 +6,10 @@ name: tfsec
 on:
- push:
- branches: [ "develop" ]
- pull_request:
- branches: [ "develop" ]
+ # push:
+ # branches: [ "develop" ]
+ # pull_request:
+ # branches: [ "develop" ]
 schedule:
 - cron: '44 10 * * 5'
From 84e047037bf875d0cf860457928d6c958959bda3 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sun, 29 Jan 2023 10:00:39 +0000
Subject: [PATCH 147/147] Fixed docker script
---
 scripts/push_docker_images.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/scripts/push_docker_images.sh b/scripts/push_docker_images.sh
index 42aa619..f235f86 100644
--- a/scripts/push_docker_images.sh
+++ b/scripts/push_docker_images.sh
@@ -24,18 +24,18 @@ if [[ "$repos" == "[]" ]]; then
 echo -e "\nFINISHED: $message."
 message="Tagging images..."
- docker image tag busybox "$DOCKER_SERVER/busybox"
- docker image tag nginxdemos/hello "$DOCKER_SERVER/hello"
+ docker image tag busybox "$DOCKER_FQDN/busybox"
+ docker image tag nginxdemos/hello "$DOCKER_FQDN/hello"
 echo -e "\nFINISHED: $message."
 message="Listing images..."
- docker image ls "$DOCKER_SERVER/busybox"
- docker image ls "$DOCKER_SERVER/hello"
+ docker image ls "$DOCKER_FQDN/busybox"
+ docker image ls "$DOCKER_FQDN/hello"
 echo -e "\nFINISHED: $message."
 message="Pushing images..."
- docker push "$DOCKER_SERVER/busybox"
- docker push "$DOCKER_SERVER/hello"
+ docker push "$DOCKER_FQDN/busybox"
+ docker push "$DOCKER_FQDN/hello"
 echo -e "\nFINISHED: $message."
 echo -e "\nFINISHED: $main_message."
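Review bot: With the `push:` and `pull_request:` triggers commented out in the tfsec.yml hunk, the scanner now runs only on the Friday `schedule`, so Terraform changes on pull requests to `develop` are no longer checked before they merge and a finding can sit unreported for up to a week; the hunk records no reason for the change. If the triggers are meant to stay off, a comment above them such as `# push/pull_request triggers disabled: <reason - to be filled in>; scans run weekly and on demand` keeps the intent visible to the next reader. Adding `workflow_dispatch:` alongside `schedule:` lets a scan be started manually between cron runs, which partly restores pre-merge coverage without re-enabling the noisy triggers. Whether the `on:` block holds further keys after `schedule` is not visible in this hunk.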
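Review bot: The retag on the first two added lines of the push_docker_images.sh hunk (`docker image tag busybox "$DOCKER_FQDN/busybox"` and its `nginxdemos/hello` counterpart) copies whatever `busybox` and `nginxdemos/hello` resolved to when they were pulled with no tag or digest earlier in the script, so the images pushed to `$DOCKER_FQDN` differ between runs and cannot be traced to a known upstream build. Pulling and tagging a pinned reference, e.g. `busybox@sha256:<digest - to be filled in>` or at least an explicit version tag, fixes what ends up in the registry. Since `DOCKER_SERVER` now serves only the registry API calls while image references use the bare host, a short comment at its definition, `# DOCKER_SERVER: https URL for registry API calls; image references use the bare DOCKER_FQDN`, would stop the two being swapped again as happened between this commit and the previous one. The enclosing `if [[ "$repos" == "[]" ]]` block starts before this hunk and its `else` branch lies after it.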