Move chart definition to helm3, secrets with sops

c1b62b0e · Ricardo Rocha · 989a538a · c1b62b0e · 989a538a · 989a538a
Commit c1b62b0e authored 4 years ago by Ricardo Rocha
--- a/charts/gitops-getting-started/Chart.yaml
+++ b/charts/gitops-getting-started/Chart.yaml
-apiVersion: v1
+apiVersion: v2
 description: A Helm chart for a sample gitops application
 name: gitops-getting-started
 version: 0.1.0
+dependencies:
+  - name: wordpress
+    version: 8.1.1
+    repository: https://kubernetes-charts.storage.googleapis.com
+maintainers:
+  - name: Ricardo Rocha
+    email: ricardo.rocha@cern.ch
--- a/charts/gitops-getting-started/requirements.yaml
+++ b/charts/gitops-getting-started/requirements.yaml
-dependencies:
-  - name: wordpress
-    version: 8.1.1
-    repository: https://kubernetes-charts.storage.googleapis.com
--- a/charts/gitops-getting-started/templates/psp.yaml
+++ b/charts/gitops-getting-started/templates/psp.yaml
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ .Release.Name }}.restricted
-spec:
-  privileged: false
-  # Required to prevent escalations to root.
-  allowPrivilegeEscalation: false
-  # This is redundant with non-root + disallow privilege escalation,
-  # but we can provide it for defense in depth.
-  requiredDropCapabilities:
-    - ALL
-  # Allow core volume types.
-  volumes:
-    - 'hostPath'
-    - 'configMap'
-    - 'emptyDir'
-    - 'secret'
-    - 'persistentVolumeClaim'
-  allowedHostPaths:
-    - pathPrefix: "/var/eos"
-      readOnly: true 
-    - pathPrefix: "/opt/nvidia-driver"
-      readOnly: true
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    # Require the container to run without root privileges.
-    rule: 'MustRunAsNonRoot'
-  seLinux:
-    # This policy assumes the nodes are using AppArmor rather than SELinux.
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      # Forbid adding the root group.
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      # Forbid adding the root group.
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ .Release.Name }}.psp.restricted
-rules:
- apiGroups: ['extensions']
-  resources: ['podsecuritypolicies']
-  verbs: ['use']
-  resourceNames: ['{{ .Release.Name }}.restricted']
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ .Release.Name }}.psp.restricted
-roleRef:
-  kind: ClusterRole
-  name: {{ .Release.Name }}.psp.restricted
-  apiGroup: rbac.authorization.k8s.io
-subjects:
- kind: Group
-  name: system:authenticated
-  apiGroup: rbac.authorization.k8s.io
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ .Release.Name }}.psp.restricted
-rules:
- apiGroups: ['extensions']
-  resources: ['podsecuritypolicies']
-  verbs: ['use']
-  resourceNames: ['{{ .Release.Name}}.restricted']
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ .Release.Name }}.psp.restricted
-roleRef:
-  kind: Role
-  name: {{ .Release.Name }}.psp.restricted
-  apiGroup: rbac.authorization.k8s.io
-subjects:
- kind: ServiceAccount
-  name: default
--- a/flux-values.yaml
+++ b/flux-values.yaml
 git:
  path: releases,namespaces
-  pollInterval: 5m
+  pollInterval: 1m
  readonly: true
+image:
+  pullPolicy: Always
+  repository: gitlab-registry.cern.ch/cloud/atomic-system-containers/flux
+  tag: 1.19.0-barbican
+prometheus:
+  enabled: true
 rbac:
  create: true
+registry:
+  disableScanning: true
+resources:
+  requests:
+    cpu: "100m"
+    memory: "64Mi"
+  limits:
+    cpu: "500m"
+    memory: "256Mi"
+sops:
+  enabled: true
+extraVolumeMounts:
+- mountPath: /etc/kubernetes
+  name: cloud-config
+  readOnly: true
+extraVolumes:
+- name: cloud-config
+  hostPath:
+    path: /etc/kubernetes
+extraEnvs:
+- name: GOPHERCLOUD_CONFIG
+  value: /etc/kubernetes/cloud-config-occm
--- a/helm-operator-values.yaml
+++ b/helm-operator-values.yaml
-createCRD: true
 chartsSyncInterval: 1m
 configureRepositories:
  enable: true
@@ -11,3 +10,18 @@ rbac:
  create: true
 git:
  pollInterval: 5m
+helm:
+  versions: v3
+prometheus:
+  enabled: true
+  serviceMonitor:
+    create: true
+rbac:
+  create: true
+resources:
+  requests:
+    cpu: 50m
+    memory: 64Mi
+  limits:
+    cpu: 100m
+    memory: 512Mi
--- a/releases/prod/values.yaml
+++ b/releases/prod/values.yaml
---
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
 metadata:
-  name: gitops-getting-started
-  namespace: prod
-  annotations:
-    fluxcd.io/automated: "true"
+    name: gitops-getting-started
+    namespace: prod
+    annotations:
+        fluxcd.io/automated: "true"
 spec:
-  releaseName: gitops-getting-started-prod
-  chart:
-    git: https://gitlab.cern.ch/helm/releases/gitops-getting-started.git
-    path: charts/gitops-getting-started
-    ref: master
-  valuesFrom:
-  - secretKeyRef:
-      namespace: prod
-      name: gitops-getting-started-secrets
-      key: values.yaml
-  values:
-    wordpress:
-      service:
-        nodePorts:
-          http: "32700"
-      mariadb:
-        image:
-          tag: "10.3.21"
+    releaseName: gitops-getting-started-prod
+    chart:
+        git: https://gitlab.cern.ch/helm/releases/gitops-getting-started.git
+        path: charts/gitops-getting-started
+        ref: helm3
+    values:
+        wordpress:
+            service:
+                nodePorts:
+                    http: "32700"
+            mariadb:
+                db:
+                    password: ENC[AES256_GCM,data:mzk92Hy2,iv:ZakB8bgbfUxydPH3KQ5n4a7LTnYmAGshNL94lEmSYL4=,tag:H+/cFv4syetYJjh1PoAtGA==,type:str]
+                image:
+                    tag: 10.3.21
+                rootUser:
+                    password: ENC[AES256_GCM,data:6b9oJL0f,iv:Ojc+suZiLcHB/6M7gXDpQzPYhpclxVAPLyZrBe9u0K0=,tag:FfAfLoWo+Or4ut31/DhJbw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    barbican:
+    -   secret_href: https://openstack.cern.ch:9311/v1/secrets/44270a95-0589-4853-bd7a-c7aaa51be101
+        created_at: '2020-06-11T21:44:15Z'
+        enc: Wr3rCMXd/vmkqD69QwGzmbKq2rLiHnuSejKFxr3W2sp+g1Vr0XqEeKY79G8NELrB
+    lastmodified: '2020-06-11T21:44:15Z'
+    mac: ENC[AES256_GCM,data:sLqit2kTbcm/zyunB0Tty3Zis519HQVR8dVkAwYCy8BEptIYBkdgKdZtgENjdU7GcMQo+V6DiUY/sINQGnyK95qq2ZREctNYxRhCbXpKJhuPyw3XVgMAR0UpFB0mHWJeK1VrdGbhx1YgeB0gJcvjNqfLFeDhpeRCJMY3/U2Up7s=,iv:I4/gDPALvxihTWGbmibaDZZVoK8Md7bgeeFyrtFjh8U=,tag:phRXzsJm4oITuq/ajEvnkw==,type:str]
+    pgp: []
+    encrypted_regex: ^(password)$
+    version: 3.5.0
--- a/releases/stg/values.yaml
+++ b/releases/stg/values.yaml
---
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
 metadata:
-  name: gitops-getting-started-stg
-  namespace: stg
-  annotations:
-    fluxcd.io/automated: "true"
+    name: gitops-getting-started
+    namespace: stg
+    annotations:
+        fluxcd.io/automated: "true"
 spec:
-  releaseName: gitops-getting-started-stg
-  chart:
-    git: https://gitlab.cern.ch/helm/releases/gitops-getting-started.git
-    path: charts/gitops-getting-started
-    ref: master
-  valuesFrom:
-  - secretKeyRef:
-      namespace: stg
-      name: gitops-getting-started-secrets
-      key: values.yaml
-  values:
-    wordpress:
-      service:
-        nodePorts:
-          http: "32701"
-      mariadb:
-        image:
-          tag: "10.4.11"
+    releaseName: gitops-getting-started-stg
+    chart:
+        git: https://gitlab.cern.ch/helm/releases/gitops-getting-started.git
+        path: charts/gitops-getting-started
+        ref: helm3
+    values:
+        wordpress:
+            service:
+                nodePorts:
+                    http: "32701"
+            mariadb:
+                db:
+                    password: ENC[AES256_GCM,data:068aZH0N,iv:8zY2BaC8vexj023ooXFcUKsl6rEbJtZGStCin9yvFZo=,tag:pj1z5noQhLjWC1lzWSTwZw==,type:str]
+                image:
+                    tag: 10.3.21
+                rootUser:
+                    password: ENC[AES256_GCM,data:4dgheckJ,iv:h1B7FSolrPV6KtQNpLbpcUBv0td7aeSJvFPTnzMzODY=,tag:kP9ibBe6F8A2aEjrjsPYhw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    barbican:
+    -   secret_href: https://openstack.cern.ch:9311/v1/secrets/44270a95-0589-4853-bd7a-c7aaa51be101
+        created_at: '2020-06-11T21:43:41Z'
+        enc: Vea/n836ih7TcozF7shCistVZ1ITsLjB39MfcExI//ZqZmyKGGTMTpawkd+5zkGp
+    lastmodified: '2020-06-11T21:43:41Z'
+    mac: ENC[AES256_GCM,data:L8KAV0RbeKg29L2wRNVm/+4tE9MW91fTkYe90v6qSjzwuGtvYdjZyluh5kViR03tlxGbYpzDkpS9sscrU09iXTGZZTKJN4gvWV7CbhRm0k7AcPXoPPprJUngSs+aH+csS57HTn2oGxjeI4wLx2MKsrerkqNlFLfpGluGxqFUoKM=,iv:tjrbpWu4ec/89J/Tom1r5WMYcCsz5fznmvBnEc9AhdM=,tag:mMcEoBBgmH3gerpqMU6S/w==,type:str]
+    pgp: []
+    encrypted_regex: ^(password)$
+    version: 3.5.0
--- a/secrets/prod/secrets.yaml
+++ b/secrets/prod/secrets.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: gitops-getting-started-secrets
-  namespace: prod
-type: Opaque
-stringData:
-  values.yaml: |-
-    wordpress:
-      mariadb:
-        rootUser:
-          password: "rootsecret"
-        db:
-          password: "supersecret"
--- a/secrets/stg/secrets.yaml
+++ b/secrets/stg/secrets.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: gitops-getting-started-secrets
-  namespace: stg
-type: Opaque
-stringData:
-  values.yaml: |-
-    wordpress:
-      mariadb:
-        rootUser:
-          password: "rootsecret"
-        db:
-          password: "supersecret"