Commit c1b62b0e authored by Ricardo Rocha's avatar Ricardo Rocha

Move chart definition to helm3, secrets with sops

parent 989a538a
apiVersion: v1 apiVersion: v2
description: A Helm chart for a sample gitops application description: A Helm chart for a sample gitops application
name: gitops-getting-started name: gitops-getting-started
version: 0.1.0 version: 0.1.0
dependencies:
- name: wordpress
version: 8.1.1
repository: https://kubernetes-charts.storage.googleapis.com
maintainers:
- name: Ricardo Rocha
email: ricardo.rocha@cern.ch
dependencies:
- name: wordpress
version: 8.1.1
repository: https://kubernetes-charts.storage.googleapis.com
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ .Release.Name }}.restricted
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'hostPath'
- 'configMap'
- 'emptyDir'
- 'secret'
- 'persistentVolumeClaim'
allowedHostPaths:
- pathPrefix: "/var/eos"
readOnly: true
- pathPrefix: "/opt/nvidia-driver"
readOnly: true
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Release.Name }}.psp.restricted
rules:
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['{{ .Release.Name }}.restricted']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Name }}.psp.restricted
roleRef:
kind: ClusterRole
name: {{ .Release.Name }}.psp.restricted
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .Release.Name }}.psp.restricted
rules:
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['{{ .Release.Name}}.restricted']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}.psp.restricted
roleRef:
kind: Role
name: {{ .Release.Name }}.psp.restricted
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: default
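Review bot: The ClusterRole and Role that grant `use` on the PodSecurityPolicy both say `apiGroups: ['extensions']`, while the policy itself is declared as `policy/v1beta1`; on clusters whose PSP admission controller authorizes the `use` verb against the `policy` group the grant does not match and every pod in the bound namespace is rejected, so change both rules to `apiGroups: ['policy']` (or list both groups during a migration). The RoleBinding's `ServiceAccount` subject `default` has no `namespace` field in the shown lines; the API server requires one for ServiceAccount subjects, so add `namespace: {{ .Release.Namespace }}` unless it follows past the end of the section. The ClusterRoleBinding hands `use` of this PSP to `system:authenticated` cluster-wide, which is a reasonable restricted baseline but means the policy is selectable by every authenticated principal, not only this release, and is worth a comment stating that intent. As a style point, the Role's `resourceNames` uses `{{ .Release.Name}}` where the other templates write `{{ .Release.Name }}`; both render, but the inconsistent spacing invites a copy-paste mismatch later.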
git: git:
path: releases,namespaces path: releases,namespaces
pollInterval: 5m pollInterval: 1m
readonly: true readonly: true
image:
pullPolicy: Always
repository: gitlab-registry.cern.ch/cloud/atomic-system-containers/flux
tag: 1.19.0-barbican
prometheus:
enabled: true
rbac: rbac:
create: true create: true
registry:
disableScanning: true
resources:
requests:
cpu: "100m"
memory: "64Mi"
limits:
cpu: "500m"
memory: "256Mi"
sops:
enabled: true
extraVolumeMounts:
- mountPath: /etc/kubernetes
name: cloud-config
readOnly: true
extraVolumes:
- name: cloud-config
hostPath:
path: /etc/kubernetes
extraEnvs:
- name: GOPHERCLOUD_CONFIG
value: /etc/kubernetes/cloud-config-occm
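Review bot: `extraVolumes` mounts the node's entire `/etc/kubernetes` directory into the Flux pod although only `/etc/kubernetes/cloud-config-occm` is consumed through `GOPHERCLOUD_CONFIG`; that directory commonly also holds kubelet credentials and PKI material, so a compromise of the Flux container (which with `rbac.create: true` typically already carries broad cluster write access) would expose them. Narrow the mount to the one file, e.g. `hostPath: {path: /etc/kubernetes/cloud-config-occm, type: File}` together with `mountPath: /etc/kubernetes/cloud-config-occm`, keeping `readOnly: true`. If the Flux namespace is subject to a restricted PodSecurityPolicy such as the one added in this commit, the hostPath volume will also need a matching `allowedHostPaths` entry or the pod will not be admitted.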
createCRD: true
chartsSyncInterval: 1m chartsSyncInterval: 1m
configureRepositories: configureRepositories:
enable: true enable: true
...@@ -11,3 +10,18 @@ rbac: ...@@ -11,3 +10,18 @@ rbac:
create: true create: true
git: git:
pollInterval: 5m pollInterval: 5m
helm:
versions: v3
prometheus:
enabled: true
serviceMonitor:
create: true
rbac:
create: true
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 100m
memory: 512Mi
---
apiVersion: helm.fluxcd.io/v1 apiVersion: helm.fluxcd.io/v1
kind: HelmRelease kind: HelmRelease
metadata: metadata:
name: gitops-getting-started name: gitops-getting-started
namespace: prod namespace: prod
annotations: annotations:
fluxcd.io/automated: "true" fluxcd.io/automated: "true"
spec: spec:
releaseName: gitops-getting-started-prod releaseName: gitops-getting-started-prod
chart: chart:
git: https://gitlab.cern.ch/helm/releases/gitops-getting-started.git git: https://gitlab.cern.ch/helm/releases/gitops-getting-started.git
path: charts/gitops-getting-started path: charts/gitops-getting-started
ref: master ref: helm3
valuesFrom: values:
- secretKeyRef: wordpress:
namespace: prod service:
name: gitops-getting-started-secrets nodePorts:
key: values.yaml http: "32700"
values: mariadb:
wordpress: db:
service: password: ENC[AES256_GCM,data:mzk92Hy2,iv:ZakB8bgbfUxydPH3KQ5n4a7LTnYmAGshNL94lEmSYL4=,tag:H+/cFv4syetYJjh1PoAtGA==,type:str]
nodePorts: image:
http: "32700" tag: 10.3.21
mariadb: rootUser:
image: password: ENC[AES256_GCM,data:6b9oJL0f,iv:Ojc+suZiLcHB/6M7gXDpQzPYhpclxVAPLyZrBe9u0K0=,tag:FfAfLoWo+Or4ut31/DhJbw==,type:str]
tag: "10.3.21" sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
barbican:
- secret_href: https://openstack.cern.ch:9311/v1/secrets/44270a95-0589-4853-bd7a-c7aaa51be101
created_at: '2020-06-11T21:44:15Z'
enc: Wr3rCMXd/vmkqD69QwGzmbKq2rLiHnuSejKFxr3W2sp+g1Vr0XqEeKY79G8NELrB
lastmodified: '2020-06-11T21:44:15Z'
mac: ENC[AES256_GCM,data:sLqit2kTbcm/zyunB0Tty3Zis519HQVR8dVkAwYCy8BEptIYBkdgKdZtgENjdU7GcMQo+V6DiUY/sINQGnyK95qq2ZREctNYxRhCbXpKJhuPyw3XVgMAR0UpFB0mHWJeK1VrdGbhx1YgeB0gJcvjNqfLFeDhpeRCJMY3/U2Up7s=,iv:I4/gDPALvxihTWGbmibaDZZVoK8Md7bgeeFyrtFjh8U=,tag:phRXzsJm4oITuq/ajEvnkw==,type:str]
pgp: []
encrypted_regex: ^(password)$
version: 3.5.0
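Review bot: Both the prod and the stg HelmRelease carry the same Barbican `secret_href` (`.../secrets/44270a95-0589-4853-bd7a-c7aaa51be101`) in their `sops.barbican` stanza, so one key-encryption key protects both environments and anyone able to decrypt staging values can also decrypt the production database passwords; use a separate Barbican secret per environment (the stg file has the same issue). The `valuesFrom` Secret this replaces stored these passwords in plaintext in the repository, and that content stays in git history, so the `ENC[...]` values should be freshly generated credentials rather than the old ones re-encrypted. `encrypted_regex: ^(password)$` matches only keys literally named `password`; it covers the two fields here but will silently leave a future `rootPassword` or `smtpPassword` in plaintext, so consider a broader pattern such as `^(.*[pP]assword|.*[sS]ecret)$` and document the rule with a comment next to it.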
---
apiVersion: helm.fluxcd.io/v1 apiVersion: helm.fluxcd.io/v1
kind: HelmRelease kind: HelmRelease
metadata: metadata:
name: gitops-getting-started-stg name: gitops-getting-started
namespace: stg namespace: stg
annotations: annotations:
fluxcd.io/automated: "true" fluxcd.io/automated: "true"
spec: spec:
releaseName: gitops-getting-started-stg releaseName: gitops-getting-started-stg
chart: chart:
git: https://gitlab.cern.ch/helm/releases/gitops-getting-started.git git: https://gitlab.cern.ch/helm/releases/gitops-getting-started.git
path: charts/gitops-getting-started path: charts/gitops-getting-started
ref: master ref: helm3
valuesFrom: values:
- secretKeyRef: wordpress:
namespace: stg service:
name: gitops-getting-started-secrets nodePorts:
key: values.yaml http: "32701"
values: mariadb:
wordpress: db:
service: password: ENC[AES256_GCM,data:068aZH0N,iv:8zY2BaC8vexj023ooXFcUKsl6rEbJtZGStCin9yvFZo=,tag:pj1z5noQhLjWC1lzWSTwZw==,type:str]
nodePorts: image:
http: "32701" tag: 10.3.21
mariadb: rootUser:
image: password: ENC[AES256_GCM,data:4dgheckJ,iv:h1B7FSolrPV6KtQNpLbpcUBv0td7aeSJvFPTnzMzODY=,tag:kP9ibBe6F8A2aEjrjsPYhw==,type:str]
tag: "10.4.11" sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
barbican:
- secret_href: https://openstack.cern.ch:9311/v1/secrets/44270a95-0589-4853-bd7a-c7aaa51be101
created_at: '2020-06-11T21:43:41Z'
enc: Vea/n836ih7TcozF7shCistVZ1ITsLjB39MfcExI//ZqZmyKGGTMTpawkd+5zkGp
lastmodified: '2020-06-11T21:43:41Z'
mac: ENC[AES256_GCM,data:L8KAV0RbeKg29L2wRNVm/+4tE9MW91fTkYe90v6qSjzwuGtvYdjZyluh5kViR03tlxGbYpzDkpS9sscrU09iXTGZZTKJN4gvWV7CbhRm0k7AcPXoPPprJUngSs+aH+csS57HTn2oGxjeI4wLx2MKsrerkqNlFLfpGluGxqFUoKM=,iv:tjrbpWu4ec/89J/Tom1r5WMYcCsz5fznmvBnEc9AhdM=,tag:mMcEoBBgmH3gerpqMU6S/w==,type:str]
pgp: []
encrypted_regex: ^(password)$
version: 3.5.0
apiVersion: v1
kind: Secret
metadata:
name: gitops-getting-started-secrets
namespace: prod
type: Opaque
stringData:
values.yaml: |-
wordpress:
mariadb:
rootUser:
password: "rootsecret"
db:
password: "supersecret"
apiVersion: v1
kind: Secret
metadata:
name: gitops-getting-started-secrets
namespace: stg
type: Opaque
stringData:
values.yaml: |-
wordpress:
mariadb:
rootUser:
password: "rootsecret"
db:
password: "supersecret"