diff --git a/charts/gitops-getting-started/Chart.yaml b/charts/gitops-getting-started/Chart.yaml
index ecafbdbcc888dd7a99c2af71bdae2d85e41bdf1a..763aad17fdaf06dd80f2acef82ff9bee2c569f2c 100644
--- a/charts/gitops-getting-started/Chart.yaml
+++ b/charts/gitops-getting-started/Chart.yaml
@@ -1,4 +1,11 @@
-apiVersion: v1
+apiVersion: v2
 description: A Helm chart for a sample gitops application
 name: gitops-getting-started
 version: 0.1.0
+dependencies:
+ - name: wordpress
+ version: 8.1.1
+ repository: https://kubernetes-charts.storage.googleapis.com
+maintainers:
+ - name: Ricardo Rocha
+ email: ricardo.rocha@cern.ch
diff --git a/charts/gitops-getting-started/requirements.yaml b/charts/gitops-getting-started/requirements.yaml deleted file mode 100644
index 2a7b6fa85af435856c21d2132014d9dbb12808cc..0000000000000000000000000000000000000000
--- a/charts/gitops-getting-started/requirements.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-dependencies:
- - name: wordpress
- version: 8.1.1
- repository: https://kubernetes-charts.storage.googleapis.com
diff --git a/charts/gitops-getting-started/templates/psp.yaml b/charts/gitops-getting-started/templates/psp.yaml deleted file mode 100644
index f869a1bf286f76df070d0c705a7cabdb4d4b858d..0000000000000000000000000000000000000000
--- a/charts/gitops-getting-started/templates/psp.yaml
+++ /dev/null
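Review bot: The new `dependencies` entry pins wordpress to `8.1.1`, but no Chart.lock appears in this diff, so `helm dependency build` resolves the chart from the repository with no recorded digest to check it against; commit the Chart.lock that `helm dependency update` writes so the pulled dependency is reproducible and tamper-evident. Separately, the same commit deletes templates/psp.yaml — the restricted PodSecurityPolicy (non-root, no privilege escalation, all capabilities dropped, hostNetwork/hostPID/hostIPC off) together with the Role/ClusterRole bindings granting `use` on it — and nothing visible in the diff replaces it. If no other policy enforces those constraints for this release, the wordpress and mariadb pods lose them; worth confirming before merging.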
@@ -1,91 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ .Release.Name }}.restricted
-spec:
- privileged: false
- # Required to prevent escalations to root.
- allowPrivilegeEscalation: false
- # This is redundant with non-root + disallow privilege escalation,
- # but we can provide it for defense in depth.
- requiredDropCapabilities:
- - ALL
- # Allow core volume types.
- volumes:
- - 'hostPath'
- - 'configMap'
- - 'emptyDir'
- - 'secret'
- - 'persistentVolumeClaim'
- allowedHostPaths:
- - pathPrefix: "/var/eos"
- readOnly: true
- - pathPrefix: "/opt/nvidia-driver"
- readOnly: true
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- # Require the container to run without root privileges.
- rule: 'MustRunAsNonRoot'
- seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ .Release.Name }}.psp.restricted
-rules:
-- apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['{{ .Release.Name }}.restricted']
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ .Release.Name }}.psp.restricted
-roleRef:
- kind: ClusterRole
- name: {{ .Release.Name }}.psp.restricted
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: Group
- name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ .Release.Name }}.psp.restricted
-rules:
-- apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['{{ .Release.Name}}.restricted']
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ .Release.Name }}.psp.restricted
-roleRef:
- kind: Role
- name: {{ .Release.Name }}.psp.restricted
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- name: default
diff --git a/flux-values.yaml b/flux-values.yaml
index 49901bbb09e6749639cdaf9292355e296da8ce95..72d7f076967da5c7d1cdd72acbfc53d1e7dfe5ed 100644
--- a/flux-values.yaml
+++ b/flux-values.yaml
@@ -1,6 +1,34 @@
 git:
 path: releases,namespaces
- pollInterval: 5m
+ pollInterval: 1m
 readonly: true
+image:
+ pullPolicy: Always
+ repository: gitlab-registry.cern.ch/cloud/atomic-system-containers/flux
+ tag: 1.19.0-barbican
+prometheus:
+ enabled: true
 rbac:
 create: true
+registry:
+ disableScanning: true
+resources:
+ requests:
+ cpu: "100m"
+ memory: "64Mi"
+ limits:
+ cpu: "500m"
+ memory: "256Mi"
+sops:
+ enabled: true
+extraVolumeMounts:
+- mountPath: /etc/kubernetes
+ name: cloud-config
+ readOnly: true
+extraVolumes:
+- name: cloud-config
+ hostPath:
+ path: /etc/kubernetes
+extraEnvs:
+- name: GOPHERCLOUD_CONFIG
+ value: /etc/kubernetes/cloud-config-occm
diff --git a/helm-operator-values.yaml b/helm-operator-values.yaml
index d41472e2455542533d1250e64d2ead268d3b2e4d..25d45046d642db0224f05a7e409d1f9f58aa1398 100644
--- a/helm-operator-values.yaml
+++ b/helm-operator-values.yaml
@@ -1,4 +1,3 @@
-createCRD: true
 chartsSyncInterval: 1m
 configureRepositories:
 enable: true
@@ -11,3 +10,18 @@ rbac:
 create: true
 git:
 pollInterval: 5m
+helm:
+ versions: v3
+prometheus:
+ enabled: true
+ serviceMonitor:
+ create: true
+rbac:
+ create: true
+resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ cpu: 100m
+ memory: 512Mi
diff --git a/releases/prod/values.yaml b/releases/prod/values.yaml
index 4ce9ef00fdfe62f9dcb8b449e3f4fda0d41bd133..133db171236d10a26b99557e3364d8441d283b0b 100644
--- a/releases/prod/values.yaml
+++ b/releases/prod/values.yaml
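Review bot: The `extraVolumes` hostPath mounts the whole node directory `/etc/kubernetes` into the Flux pod although `GOPHERCLOUD_CONFIG` points at a single file inside it, `/etc/kubernetes/cloud-config-occm`; that directory on a node typically also holds kubelet and other control-plane credentials, so the mount should be narrowed to the file: `- mountPath: /etc/kubernetes/cloud-config-occm` in extraVolumeMounts, and `path: /etc/kubernetes/cloud-config-occm` plus `type: File` under hostPath. `readOnly: true` on the mount is good but does not limit what the pod can read. The Flux image is also selected by the mutable tag `1.19.0-barbican` with `pullPolicy: Always`, so the component holding write access to the cluster is re-pulled on every restart from whatever that tag resolves to at the time; pinning the image by digest would make the deployed artifact explicit and reviewable.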
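Review bot: The added `rbac:` / `create: true` pair appears to duplicate a top-level `rbac` key that helm-operator-values.yaml already has — the hunk header's `rbac:` context and the `create: true` context line directly below it indicate the existing key sits just above this hunk — so the file ends up with two `rbac` mappings; most YAML loaders silently keep the last one and yamllint's key-duplicates rule rejects it, so the two added lines `rbac:` and `create: true` should be dropped. The resource quantities here (`cpu: 50m`, `memory: 64Mi`) are unquoted while flux-values.yaml in the same commit quotes them (`cpu: "100m"`); both forms parse as strings, but one convention across the two values files would read more consistently.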
@@ -1,27 +1,39 @@
----
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
 metadata:
- name: gitops-getting-started
- namespace: prod
- annotations:
- fluxcd.io/automated: "true"
+ name: gitops-getting-started
+ namespace: prod
+ annotations:
+ fluxcd.io/automated: "true"
 spec:
- releaseName: gitops-getting-started-prod
- chart:
- git: https://gitlab.cern.ch/helm/releases/gitops-getting-started.git
- path: charts/gitops-getting-started
- ref: master
- valuesFrom:
- - secretKeyRef:
- namespace: prod
- name: gitops-getting-started-secrets
- key: values.yaml
- values:
- wordpress:
- service:
- nodePorts:
- http: "32700"
- mariadb:
- image:
- tag: "10.3.21"
+ releaseName: gitops-getting-started-prod
+ chart:
+ git: https://gitlab.cern.ch/helm/releases/gitops-getting-started.git
+ path: charts/gitops-getting-started
+ ref: helm3
+ values:
+ wordpress:
+ service:
+ nodePorts:
+ http: "32700"
+ mariadb:
+ db:
+ password: ENC[AES256_GCM,data:mzk92Hy2,iv:ZakB8bgbfUxydPH3KQ5n4a7LTnYmAGshNL94lEmSYL4=,tag:H+/cFv4syetYJjh1PoAtGA==,type:str]
+ image:
+ tag: 10.3.21
+ rootUser:
+ password: ENC[AES256_GCM,data:6b9oJL0f,iv:Ojc+suZiLcHB/6M7gXDpQzPYhpclxVAPLyZrBe9u0K0=,tag:FfAfLoWo+Or4ut31/DhJbw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ barbican:
+ - secret_href: https://openstack.cern.ch:9311/v1/secrets/44270a95-0589-4853-bd7a-c7aaa51be101
+ created_at: '2020-06-11T21:44:15Z'
+ enc: Wr3rCMXd/vmkqD69QwGzmbKq2rLiHnuSejKFxr3W2sp+g1Vr0XqEeKY79G8NELrB
+ lastmodified: '2020-06-11T21:44:15Z'
+ mac: ENC[AES256_GCM,data:sLqit2kTbcm/zyunB0Tty3Zis519HQVR8dVkAwYCy8BEptIYBkdgKdZtgENjdU7GcMQo+V6DiUY/sINQGnyK95qq2ZREctNYxRhCbXpKJhuPyw3XVgMAR0UpFB0mHWJeK1VrdGbhx1YgeB0gJcvjNqfLFeDhpeRCJMY3/U2Up7s=,iv:I4/gDPALvxihTWGbmibaDZZVoK8Md7bgeeFyrtFjh8U=,tag:phRXzsJm4oITuq/ajEvnkw==,type:str]
+ pgp: []
+ encrypted_regex: ^(password)$
+ version: 3.5.0
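Review bot: The two SOPS-encrypted `password` values under `values.wordpress.mariadb` replace credentials that this same commit deletes from secrets/prod/secrets.yaml, where they were stored in plaintext; those plaintext values remain recoverable from git history, so the ciphertexts here need to wrap freshly rotated passwords rather than re-encrypt the old ones — the diff cannot show which, so this is worth confirming. This file and releases/stg/values.yaml reference the same Barbican `secret_href`, so one key decrypts both prod and staging secrets; a per-environment key would keep a staging compromise from exposing prod. `tag: 10.3.21` also loses the quotes the old line had; it parses as a string today, but a two-component tag such as `10.3` would silently become a float, so keep `tag: "10.3.21"`. The first two points apply equally to the stg hunk and are not repeated there.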
diff --git a/releases/stg/values.yaml b/releases/stg/values.yaml
index c373a4ced56d626db3e956fb7e5db0f9850f119f..885fef49d7a57a6e4e3746cf225a707dfe4ccc61 100644
--- a/releases/stg/values.yaml
+++ b/releases/stg/values.yaml
@@ -1,27 +1,39 @@
----
 apiVersion: helm.fluxcd.io/v1
 kind: HelmRelease
 metadata:
- name: gitops-getting-started-stg
- namespace: stg
- annotations:
- fluxcd.io/automated: "true"
+ name: gitops-getting-started
+ namespace: stg
+ annotations:
+ fluxcd.io/automated: "true"
 spec:
- releaseName: gitops-getting-started-stg
- chart:
- git: https://gitlab.cern.ch/helm/releases/gitops-getting-started.git
- path: charts/gitops-getting-started
- ref: master
- valuesFrom:
- - secretKeyRef:
- namespace: stg
- name: gitops-getting-started-secrets
- key: values.yaml
- values:
- wordpress:
- service:
- nodePorts:
- http: "32701"
- mariadb:
- image:
- tag: "10.4.11"
+ releaseName: gitops-getting-started-stg
+ chart:
+ git: https://gitlab.cern.ch/helm/releases/gitops-getting-started.git
+ path: charts/gitops-getting-started
+ ref: helm3
+ values:
+ wordpress:
+ service:
+ nodePorts:
+ http: "32701"
+ mariadb:
+ db:
+ password: ENC[AES256_GCM,data:068aZH0N,iv:8zY2BaC8vexj023ooXFcUKsl6rEbJtZGStCin9yvFZo=,tag:pj1z5noQhLjWC1lzWSTwZw==,type:str]
+ image:
+ tag: 10.3.21
+ rootUser:
+ password: ENC[AES256_GCM,data:4dgheckJ,iv:h1B7FSolrPV6KtQNpLbpcUBv0td7aeSJvFPTnzMzODY=,tag:kP9ibBe6F8A2aEjrjsPYhw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ barbican:
+ - secret_href: https://openstack.cern.ch:9311/v1/secrets/44270a95-0589-4853-bd7a-c7aaa51be101
+ created_at: '2020-06-11T21:43:41Z'
+ enc: Vea/n836ih7TcozF7shCistVZ1ITsLjB39MfcExI//ZqZmyKGGTMTpawkd+5zkGp
+ lastmodified: '2020-06-11T21:43:41Z'
+ mac: ENC[AES256_GCM,data:L8KAV0RbeKg29L2wRNVm/+4tE9MW91fTkYe90v6qSjzwuGtvYdjZyluh5kViR03tlxGbYpzDkpS9sscrU09iXTGZZTKJN4gvWV7CbhRm0k7AcPXoPPprJUngSs+aH+csS57HTn2oGxjeI4wLx2MKsrerkqNlFLfpGluGxqFUoKM=,iv:tjrbpWu4ec/89J/Tom1r5WMYcCsz5fznmvBnEc9AhdM=,tag:mMcEoBBgmH3gerpqMU6S/w==,type:str]
+ pgp: []
+ encrypted_regex: ^(password)$
+ version: 3.5.0
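Review bot: `tag: 10.3.21` moves staging's mariadb image from the previously pinned `"10.4.11"` down to `10.3.21`, a minor-version downgrade of the staging database rather than a step forward; if staging is meant to run ahead of prod this looks unintended, and downgrading an existing MariaDB data directory across minor versions is generally unsupported, so check whether the staging volume was initialised under 10.4 before this lands. If the downgrade is deliberate, keep the value quoted as `tag: "10.3.21"` as the old line did, consistent with the quoted `http: "32701"` next to it.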
diff --git a/secrets/prod/secrets.yaml b/secrets/prod/secrets.yaml deleted file mode 100644
index 99c363e1c44f487e52287cd3cf4cb9d8b0e34f7b..0000000000000000000000000000000000000000
--- a/secrets/prod/secrets.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: gitops-getting-started-secrets
- namespace: prod
-type: Opaque
-stringData:
- values.yaml: |-
- wordpress:
- mariadb:
- rootUser:
- password: "rootsecret"
- db:
- password: "supersecret"
diff --git a/secrets/stg/secrets.yaml b/secrets/stg/secrets.yaml deleted file mode 100644
index debeacaececaf4baceab5213aa8ba98f38048995..0000000000000000000000000000000000000000
--- a/secrets/stg/secrets.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: gitops-getting-started-secrets
- namespace: stg
-type: Opaque
-stringData:
- values.yaml: |-
- wordpress:
- mariadb:
- rootUser:
- password: "rootsecret"
- db:
- password: "supersecret"