Merge pull request #7 from songleo/main

merge to release br

.config/.yamllint.yml

@@ -4,3 +4,6 @@ rules:
   indentation: disable
   line-length: disable
   document-start: disable
+
+ignore:
+  - apps/olm/

.config/ansible-lint.yml

@@ -2,6 +2,8 @@ exclude_paths:
   - apps/kube-prometheus/manifests
   - apps/awx/playbooks/configure_awx.yml
   - apps/awx/playbooks/launch_job.yml
+  - apps/olm/olm.yaml
+  - apps/olm/crds.yaml
 
 skip_list:
   - yaml[indentation]

.github/workflows/e2e-test.yml

@@ -14,17 +14,17 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: checkout repository
+    - name: Checkout repository
       uses: actions/checkout@v4
 
-    - name: install k8s cluster and deploy flux to install all apps
+    - name: Install k8s cluster and deploy flux to install all apps
       env:
         GITHUB_USER: ${{ secrets.FLUX_USER }}
         GITHUB_TOKEN: ${{ secrets.FLUX_TOKEN }}
       run: bash ./install.sh
 
-    - name: run deployment test
+    - name: Run deployment test
       run: bash ./test/deployment-test.sh
 
-    - name: run ingress test
+    - name: Run ingress test
       run: bash ./test/ingress-test.sh

.github/workflows/lint.yml

@@ -14,16 +14,16 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: checkout repository
+    - name: Checkout repository
       uses: actions/checkout@v4
 
-    - name: run shell check
+    - name: Run shell check
       uses: ludeeus/action-shellcheck@master
 
-    - name: run yaml lint
+    - name: Run yaml lint
       uses: ibiqlik/action-yamllint@v3
       with:
         config_file: '.config/.yamllint.yml'
 
-    - name: run ansible lint
+    - name: Run ansible lint
       uses: ansible/ansible-lint@v6

README.md

@@ -35,6 +35,10 @@ Please ensure that you add the mapping of IP addresses and domain names in your
   - [x] [Alertmanager](http://www.private-cloud.com/alertmanager)
 - Cloud Native Storage
   - [x] [MinIO](https://www.private-cloud.com/minio/)
+- Key Management
+  - [x] Vault
+- Security & Compliance
+  - [x] external-secrets
 
 # Deploy
 

apps/external-secrets/README.md

@@ -0,0 +1,7 @@
+```
+k create ns operators
+k apply -f external-secrets-operator.yaml
+kubectl get csv -n operators
+kubectl get csv -n operators
+wget https://operatorhub.io/install/external-secrets-operator.yaml
+```

apps/external-secrets/external-secrets-operator.yaml

@@ -0,0 +1,10 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: external-secrets-operator
+  namespace: operators
+spec:
+  channel: alpha
+  name: external-secrets-operator
+  source: operatorhubio-catalog
+  sourceNamespace: olm

apps/olm/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - crds.yaml
+  - olm.yaml

apps/olm/olm.yaml

@@ -67,7 +67,7 @@ metadata:
     app: olm-operator
 spec:
   strategy:
-    type: RollingUpdate
+    type: Recreate
   replicas: 1
   selector:
     matchLabels:
@@ -87,15 +87,15 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
-              drop: ["ALL"]
+              drop: [ "ALL" ]
           command:
           - /bin/olm
           args:
           - --namespace
           - $(OPERATOR_NAMESPACE)
           - --writeStatusName
           - ""
-          image: quay.io/operator-framework/olm@sha256:30481639e89a0cb282fc1855c1bfdde96ec5ee36d1c651c2d0d79c8d249e3ed5
+          image: quay.io/operator-framework/olm@sha256:1b6002156f568d722c29138575733591037c24b4bfabc67946f268ce4752c3e6
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080
@@ -134,7 +134,7 @@ metadata:
     app: catalog-operator
 spec:
   strategy:
-    type: RollingUpdate
+    type: Recreate
   replicas: 1
   selector:
     matchLabels:
@@ -154,17 +154,17 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
-              drop: ["ALL"]
+              drop: [ "ALL" ]
           command:
           - /bin/catalog
           args:
           - '--namespace'
           - olm
           - --configmapServerImage=quay.io/operator-framework/configmap-operator-registry:latest
           - --util-image
-          - quay.io/operator-framework/olm@sha256:30481639e89a0cb282fc1855c1bfdde96ec5ee36d1c651c2d0d79c8d249e3ed5
+          -  quay.io/operator-framework/olm@sha256:1b6002156f568d722c29138575733591037c24b4bfabc67946f268ce4752c3e6
           - --set-workload-user-id=true
-          image: quay.io/operator-framework/olm@sha256:30481639e89a0cb282fc1855c1bfdde96ec5ee36d1c651c2d0d79c8d249e3ed5
+          image: quay.io/operator-framework/olm@sha256:1b6002156f568d722c29138575733591037c24b4bfabc67946f268ce4752c3e6
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080
@@ -239,7 +239,7 @@ metadata:
   name: packageserver
   namespace: olm
   labels:
-    olm.version: v0.26.0
+    olm.version: v0.27.0
 spec:
   displayName: Package Server
   description: Represents an Operator package that is available from a given CatalogSource which will resolve to a ClusterServiceVersion.
@@ -327,15 +327,15 @@ spec:
                 securityContext:
                   allowPrivilegeEscalation: false
                   capabilities:
-                    drop: ["ALL"]
+                    drop: [ "ALL" ]
                 command:
                 - /bin/package-server
                 - -v=4
                 - --secure-port
                 - "5443"
                 - --global-namespace
                 - olm
-                image: quay.io/operator-framework/olm@sha256:30481639e89a0cb282fc1855c1bfdde96ec5ee36d1c651c2d0d79c8d249e3ed5
+                image: quay.io/operator-framework/olm@sha256:1b6002156f568d722c29138575733591037c24b4bfabc67946f268ce4752c3e6
                 imagePullPolicy: Always
                 ports:
                 - containerPort: 5443
@@ -362,7 +362,7 @@ spec:
               - name: tmpfs
                 emptyDir: {}
   maturity: alpha
-  version: v0.26.0
+  version: v0.27.0
   apiservicedefinitions:
     owned:
     - group: packages.operators.coreos.com

clusters/private-cloud/argocd/argocd-kustomization.yaml

@@ -5,10 +5,9 @@ metadata:
   name: argocd
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   path: ./apps/argocd
   prune: true
-  retryInterval: 1m0s
   sourceRef:
     kind: GitRepository
     name: apps

clusters/private-cloud/awx/awx-kustomization.yaml

@@ -5,10 +5,9 @@ metadata:
   name: awx
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   path: ./apps/awx
   prune: true
-  retryInterval: 1m0s
   sourceRef:
     kind: GitRepository
     name: apps

clusters/private-cloud/external-secrets/external-secrets.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-secrets
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: external-secrets
+  namespace: flux-system
+spec:
+  interval: 1m
+  releaseName: external-secrets
+  targetNamespace: external-secrets
+  chart:
+    spec:
+      chart: external-secrets
+      version: 0.9.13
+      sourceRef:
+        kind: HelmRepository
+        name: external-secrets
+        namespace: flux-system
+  values:
+    installCRDs: true

clusters/private-cloud/ingress-nginx/ingress-nginx-kustomization.yaml

@@ -5,10 +5,9 @@ metadata:
   name: ingress-nginx
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   path: ./apps/ingress-nginx
   prune: true
-  retryInterval: 1m0s
   sourceRef:
     kind: GitRepository
     name: apps

clusters/private-cloud/kube-prometheus/kube-prometheus-kustomization.yaml

@@ -5,10 +5,9 @@ metadata:
   name: kube-prometheus
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   path: ./apps/kube-prometheus
   prune: true
-  retryInterval: 1m0s
   sourceRef:
     kind: GitRepository
     name: apps

clusters/private-cloud/metrics-server/metrics-server-kustomization.yaml

@@ -5,10 +5,9 @@ metadata:
   name: metrics-server
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   path: ./apps/metrics-server
   prune: true
-  retryInterval: 1m0s
   sourceRef:
     kind: GitRepository
     name: apps

clusters/private-cloud/minio/nginx-kustomization.yaml

@@ -5,10 +5,9 @@ metadata:
   name: minio
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   path: ./apps/minio
   prune: true
-  retryInterval: 1m0s
   sourceRef:
     kind: GitRepository
     name: apps

clusters/private-cloud/nginx/nginx-kustomization.yaml

@@ -5,10 +5,9 @@ metadata:
   name: nginx
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   path: ./apps/nginx
   prune: true
-  retryInterval: 1m0s
   sourceRef:
     kind: GitRepository
     name: apps

clusters/private-cloud/sources/external-secrets-helm-repo.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: external-secrets
+  namespace: flux-system
+spec:
+  interval: 10m
+  url: https://charts.external-secrets.io

clusters/private-cloud/sources/vault-helm-repo.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: hashicorp
+  namespace: flux-system
+spec:
+  interval: 10m
+  url: https://helm.releases.hashicorp.com

clusters/private-cloud/vault/vault.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: vault
+  namespace: flux-system
+spec:
+  interval: 1m
+  releaseName: vault
+  targetNamespace: vault
+  chart:
+    spec:
+      chart: vault
+      version: 0.27.0
+      sourceRef:
+        kind: HelmRepository
+        name: hashicorp
+        namespace: flux-system
+  values:
+    server:
+      enabled: false
+    injector:
+      enabled: false
+    csi:
+      enabled: true

clusters/private-cloud/weave-gitops/weave-gitops-dashboard.yaml

@@ -5,10 +5,9 @@ metadata:
   name: weave-gitops
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   path: ./apps/weave-gitops
   prune: true
-  retryInterval: 1m0s
   sourceRef:
     kind: GitRepository
     name: apps

doc/plan.md

@@ -13,17 +13,21 @@
 - [ ] certmgr
 - [ ] diff all app mainifests and check if it need a blog
 - [ ] argo ingress issue
-- [ ] argo deploy podinfo
-- [ ] mysql ingress issue
 - [x] check yaml format
 - [x] add shell lint
 - [x] auto e2e test
 - [ ] use Ginkgo refactor e2e
 - [ ] go thru repo and list the topic to share with blog
 - [x] blog for lint tool: yaml and shell
 - [x] add minio to flux
-- [ ] ansible-lint
-- [ ] fix pulp web issue
+- [x] ansible-lint
+- [ ] add galaxy
 - [ ] add loki
-- [ ] add key vault
-- [ ] use key vault in ansible
+- [ ] add redis
+- [x] add vault
+- [ ] use vault for k8s secret: https://www.hashicorp.com/blog/manage-kubernetes-secrets-for-flux-with-hashicorp-vault
+- [ ] add test for vault
+- [ ] add test for external-secrets
+- [ ] use vault in ansible
+- [x] add external-secrets: https://github.com/external-secrets/external-secrets
+- [ ] use external-secrets with vault