diff --git a/charts/application-sets/Chart.yaml b/charts/application-sets/Chart.yaml index a4ef5d3..c4a117a 100644 --- a/charts/application-sets/Chart.yaml +++ b/charts/application-sets/Chart.yaml @@ -15,10 +15,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.2.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.0.0" \ No newline at end of file +appVersion: "1.0.0" diff --git a/charts/application-sets/examples/addons.yaml b/charts/application-sets/examples/addons.yaml index 3e0bcd2..ab6eec3 100644 --- a/charts/application-sets/examples/addons.yaml +++ b/charts/application-sets/examples/addons.yaml @@ -10,71 +10,71 @@ spec: goTemplateOptions: - missingkey=error generators: - - matrix: - generators: - - matrix: - generators: - - clusters: - selector: - matchLabels: - fleet_member: hub-cluster - values: - chartName: application-sets - chartRepo: "12345678910.dkr.ecr.eu-west-2.amazonaws.com" - chartPath: "charts/application-sets" - applicationSetGroup: "addons" - groupRelease: '{{default "" (index .metadata.labels "addonsRelease")}}' - useSelectors: "false" - useVersionSelectors: "true" - - git: - repoURL: '{{ .metadata.annotations.fleet_repo_url }}' - revision: '{{ .metadata.annotations.fleet_repo_revision }}' - files: - - path: "{{ .metadata.annotations.fleet_repo_basepath }}/bootstrap/versions/applicationSets.yaml" - - list: - elementsYaml: | - {{- $releaseTypes := index .releases .values.applicationSetGroup | toJson | fromJson -}} - {{- $result := list -}} - {{- $defaultVersion := dict -}} - {{- /* Defining the Default Version in case we need to fall back */ -}} - {{- range $releaseType := $releaseTypes -}} - {{- if eq $releaseType.type "default" -}} - {{- $defaultVersion = $releaseType -}} - {{- end -}} + - matrix: + generators: + - matrix: + generators: + - clusters: + selector: + matchLabels: + fleet_member: hub-cluster + values: + chartName: application-sets + chartRepo: "1234567890.dkr.ecr.eu-west-2.amazonaws.com" + chartPath: "charts/application-sets" + applicationSetGroup: "addons" + groupRelease: '{{default "" (index .metadata.labels "addonsRelease")}}' + useSelectors: "false" + useVersionSelectors: "true" + - git: + repoURL: "{{ .metadata.annotations.fleet_repo_url }}" + revision: "{{ .metadata.annotations.fleet_repo_revision }}" + files: + - path: "{{ .metadata.annotations.fleet_repo_basepath }}/bootstrap/versions/applicationSets.yaml" + - list: + elementsYaml: | + {{- $globals := .releases.globals -}} + {{- $releaseNames := index .releases .values.applicationSetGroup | toJson | fromJson -}} + {{- $groupRelease := .values.groupRelease}} + {{- $firstRelease := index $releaseNames 0 -}} + {{- $result := list -}} + {{- /* If the values of the group release is empty or we dont use version selectors then we use only the first element of the list */ -}} + {{- if or (eq $groupRelease "") (eq .values.useVersionSelectors "false") -}} + {{- $mergedRelease := merge $firstRelease $globals -}} + {{- $mergedRelease = merge $mergedRelease (dict "totalReleases" (len $releaseNames)) -}} + {{- $result = append $result $mergedRelease -}} + {{- else -}} + {{- /* We look for the defined releases */ -}} + {{- $found := false -}} + {{- range $releaseName := $releaseNames -}} + {{- if eq $releaseName.releaseName $groupRelease -}} + {{- $found = true -}} {{- end -}} - {{- /* We look for the defined releases */ -}} - {{- range $releaseType := $releaseTypes -}} - {{- /* Case 1: If selectors is true, include all group releases */ -}} - {{- if eq $.values.useSelectors "true" -}} - {{- $result = append $result $releaseType -}} - {{- /* Case 2: If group version Release value exists, only include matching releases */ -}} - {{- else if $.values.groupRelease -}} - {{- if or (not $releaseType.type) (eq $releaseType.type $.values.groupRelease) -}} - {{- $result = append $result $releaseType -}} - {{- end -}} - {{- /* Case 3: Default case - include version if it's the default type */ -}} - {{- else -}} - {{- if eq $releaseType.type "default" -}} - {{- $result = append $result $releaseType -}} - {{- end -}} - {{- end -}} + {{- end -}} + {{- if $found -}} + {{- range $releaseName := $releaseNames -}} + {{- $mergedReleaseValues := merge $releaseName $globals -}} + {{- $mergedReleaseValues = merge $mergedReleaseValues (dict "totalReleases" (len $releaseNames)) -}} + {{- $result = append $result $mergedReleaseValues -}} {{- end -}} - {{- /* If no releases were selected, use default */ -}} - {{- if eq (len $result) 0 -}} - {{- $result = append $result $defaultVersion -}} - {{- end -}} - {{ $result | toJson }} + {{- else -}} + {{- $mergedRelease := merge $firstRelease $globals -}} + {{- $mergedRelease = merge $mergedRelease (dict "totalReleases" (len $releaseNames)) -}} + {{- $result = append $result $mergedRelease -}} + {{- end -}} + {{- end -}} + {{ $result | toJson }} ################################################### #base template (everything common) ################################################### template: metadata: - name: 'cluster-{{.values.applicationSetGroup}}-{{.name}}-{{.type | lower }}' + name: "cluster-{{.values.applicationSetGroup}}-{{.name}}-{{.releaseName | lower }}" spec: project: default destination: namespace: argocd - name: '{{ .name }}' + name: "{{ .name }}" # syncPolicy is identical for both variants syncPolicy: automated: @@ -90,46 +90,78 @@ spec: # conditional sources ################################################### templatePatch: | + {{- $commonValuesPath := printf "%s/%s.yaml" .values.chartName .values.applicationSetGroup -}} + {{- $repoNames := list "addons" -}} + + {{- $environment := .metadata.labels.environment -}} + + {{- $tenantPath := "" -}} + {{- if and (hasKey . "tenant") .tenant -}} + {{- $tenantPath = printf "%s" .tenant -}} + {{- else if (index .metadata.labels "tenant") -}} + {{- $tenantPath = printf "%s" .metadata.labels.tenant -}} + {{- end -}} + + + {{- $clusterName := "" -}} + {{- if and (hasKey . "clusterName") .clusterName -}} + {{- $clusterName = .clusterName -}} + {{- else -}} + {{- $clusterName = .name -}} + {{- end -}} + + {{- $pathPatterns := list + (printf "%s/defaults" $tenantPath) + (printf "%s/environments/%s/defaults" $tenantPath $environment) + (printf "%s/environments/%s/clusters/%s" $tenantPath $environment $clusterName) + -}} + spec: sources: - - ref: values - repoURL: '{{ .metadata.annotations.addons_repo_url }}' - targetRevision: '{{ .metadata.annotations.addons_repo_revision }}' + {{- range $repoName := $repoNames }} + - repoURL: '{{default (index $.metadata.annotations (printf "%s_repo_url" $repoName)) (index $ "repoUrl")}}' + targetRevision: '{{default (index $.metadata.annotations (printf "%s_repo_revision" $repoName)) (index $ "targetRevision")}}' + ref: {{$repoName}}Values + {{- end }} {{- if eq .use_helm_repo_path "false" }} - repoURL: '{{default .values.chartRepo .chartRepo }}' chart: '{{ default .values.chartName .ecrChartName }}' targetRevision: '{{.version}}' {{- else }} - - repoURL: '{{ .metadata.annotations.addons_repo_url }}' - path: '{{ .values.chartPath }}' - targetRevision: '{{ .metadata.annotations.addons_repo_revision }}' + - repoURL: '{{default (index .metadata.annotations "chartRepoUrl") (index . "chartRepoUrl") }}' + path: '{{ default .values.chartPath (index . "chartRepoPath")}}' + targetRevision: '{{default (index .metadata.annotations "chartRepoRevision") (index . "chartRepoRevision") }}' {{- end }} helm: ignoreMissingValueFiles: true valuesObject: - useSelectors: false + useSelectors: '{{.values.useSelectors}}' useVersionSelectors: '{{.values.useVersionSelectors}}' + applicationSetGroup: {{.values.applicationSetGroup}} + groupRelease: '{{.values.groupRelease}}' # Defining the way to group addons This application set will handly Addons and ACK values mergeValues: addons: use: true ack: use: true - releaseType: '{{.type | lower }}' + releaseName: '{{default "" .releaseName | lower }}' # If we are using version selector we add the version of the releases on the matchlabels - {{- if eq .values.useVersionSelectors "true"}} + {{- if and (eq .values.useVersionSelectors "true") (or (eq .releaseName .values.groupRelease) (gt (int .totalReleases) 1)) }} releases: - {{.values.applicationSetGroup}}Release: '{{.type | lower}}' + {{.values.applicationSetGroup}}Release: '{{.releaseName | lower}}' {{- end }} {{- if eq .values.useSelectors "false"}} globalSelectors: fleet_member: hub-cluster {{- end }} - valueFiles: - - defaults/{{.values.applicationSetGroup}} - - clusters/{{`{{ .nameNormalized }}`}}/{{.values.applicationSetGroup}} + # Those are the Value files to read for the Whole group of applciationsdts valueFiles: - - $values/{{ .metadata.annotations.addons_repo_basepath }}/bootstrap/defaults/{{.values.applicationSetGroup}}.yaml - - $values/{{ .metadata.annotations.addons_repo_basepath }}/{{ .metadata.labels.tenant }}/defaults/{{ .values.chartName }}/{{.values.applicationSetGroup}}.yaml - - $values/{{ .metadata.annotations.addons_repo_basepath }}/{{ .metadata.labels.tenant }}/clusters/{{ .name }}/{{ .values.chartName }}/{{.values.applicationSetGroup}}.yaml - - $values/{{ .metadata.annotations.addons_repo_basepath }}/{{ .metadata.labels.tenant }}/environments/{{ .metadata.labels.environment }}/{{ .values.chartName }}/{{.values.applicationSetGroup}}.yaml \ No newline at end of file + - $addonsValues/addons/bootstrap/defaults/{{.values.applicationSetGroup}}.yaml + {{- range $repoName := $repoNames }} + {{- $repoRef := printf "%sValues" $repoName }} + {{- $basePath := default (index $.metadata.annotations (printf "%s_repo_basepath" $repoName)) (index $ (printf "%s_repo_basepath" $repoName)) }} + {{- range $pattern := $pathPatterns }} + - ${{ $repoRef }}/{{ $basePath }}/{{ $pattern }}/{{ $commonValuesPath }} + {{- end }} + {{- end }} diff --git a/charts/application-sets/examples/monitoring.yaml b/charts/application-sets/examples/monitoring.yaml index 3b9829b..3b84847 100644 --- a/charts/application-sets/examples/monitoring.yaml +++ b/charts/application-sets/examples/monitoring.yaml @@ -10,71 +10,71 @@ spec: goTemplateOptions: - missingkey=error generators: - - matrix: - generators: - - matrix: - generators: - - clusters: - selector: - matchLabels: - fleet_member: hub-cluster - values: - chartName: application-sets - chartRepo: "12345678910.dkr.ecr.eu-west-2.amazonaws.com" - chartPath: "charts/application-sets" - applicationSetGroup: "monitoring" - groupRelease: '{{default "" (index .metadata.labels "monitoringRelease")}}' - useSelectors: "false" - useVersionSelectors: "true" - - git: - repoURL: '{{ .metadata.annotations.fleet_repo_url }}' - revision: '{{ .metadata.annotations.fleet_repo_revision }}' - files: - - path: "{{ .metadata.annotations.fleet_repo_basepath }}/bootstrap/versions/applicationSets.yaml" - - list: - elementsYaml: | - {{- $releaseTypes := index .releases .values.applicationSetGroup | toJson | fromJson -}} - {{- $result := list -}} - {{- $defaultVersion := dict -}} - {{- /* Defining the Default Version in case we need to fall back */ -}} - {{- range $releaseType := $releaseTypes -}} - {{- if eq $releaseType.type "default" -}} - {{- $defaultVersion = $releaseType -}} - {{- end -}} + - matrix: + generators: + - matrix: + generators: + - clusters: + selector: + matchLabels: + fleet_member: hub-cluster + values: + chartName: application-sets + chartRepo: "1234567890.dkr.ecr.eu-west-2.amazonaws.com" + chartPath: "charts/application-sets" + applicationSetGroup: "monitoring" + groupRelease: '{{default "" (index .metadata.labels "monitoringRelease")}}' + useSelectors: "false" + useVersionSelectors: "true" + - git: + repoURL: "{{ .metadata.annotations.fleet_repo_url }}" + revision: "{{ .metadata.annotations.fleet_repo_revision }}" + files: + - path: "{{ .metadata.annotations.fleet_repo_basepath }}/bootstrap/versions/applicationSets.yaml" + - list: + elementsYaml: | + {{- $globals := .releases.globals -}} + {{- $releaseNames := index .releases .values.applicationSetGroup | toJson | fromJson -}} + {{- $groupRelease := .values.groupRelease}} + {{- $firstRelease := index $releaseNames 0 -}} + {{- $result := list -}} + {{- /* If the values of the group release is empty or we dont use version selectors then we use only the first element of the list */ -}} + {{- if or (eq $groupRelease "") (eq .values.useVersionSelectors "false") -}} + {{- $mergedRelease := merge $firstRelease $globals -}} + {{- $mergedRelease = merge $mergedRelease (dict "totalReleases" (len $releaseNames)) -}} + {{- $result = append $result $mergedRelease -}} + {{- else -}} + {{- /* We look for the defined releases */ -}} + {{- $found := false -}} + {{- range $releaseName := $releaseNames -}} + {{- if eq $releaseName.releaseName $groupRelease -}} + {{- $found = true -}} {{- end -}} - {{- /* We look for the defined releases */ -}} - {{- range $releaseType := $releaseTypes -}} - {{- /* Case 1: If selectors is true, include all group releases */ -}} - {{- if eq $.values.useSelectors "true" -}} - {{- $result = append $result $releaseType -}} - {{- /* Case 2: If group version Release value exists, only include matching releases */ -}} - {{- else if $.values.groupRelease -}} - {{- if or (not $releaseType.type) (eq $releaseType.type $.values.groupRelease) -}} - {{- $result = append $result $releaseType -}} - {{- end -}} - {{- /* Case 3: Default case - include version if it's the default type */ -}} - {{- else -}} - {{- if eq $releaseType.type "default" -}} - {{- $result = append $result $releaseType -}} - {{- end -}} - {{- end -}} + {{- end -}} + {{- if $found -}} + {{- range $releaseName := $releaseNames -}} + {{- $mergedReleaseValues := merge $releaseName $globals -}} + {{- $mergedReleaseValues = merge $mergedReleaseValues (dict "totalReleases" (len $releaseNames)) -}} + {{- $result = append $result $mergedReleaseValues -}} {{- end -}} - {{- /* If no releases were selected, use default */ -}} - {{- if eq (len $result) 0 -}} - {{- $result = append $result $defaultVersion -}} - {{- end -}} - {{ $result | toJson }} + {{- else -}} + {{- $mergedRelease := merge $firstRelease $globals -}} + {{- $mergedRelease = merge $mergedRelease (dict "totalReleases" (len $releaseNames)) -}} + {{- $result = append $result $mergedRelease -}} + {{- end -}} + {{- end -}} + {{ $result | toJson }} ################################################### #base template (everything common) ################################################### template: metadata: - name: 'cluster-{{.values.applicationSetGroup}}-{{.name}}-{{.type | lower }}' + name: "cluster-{{.values.applicationSetGroup}}-{{.name}}-{{.releaseName | lower }}" spec: project: default destination: namespace: argocd - name: '{{ .name }}' + name: "{{ .name }}" # syncPolicy is identical for both variants syncPolicy: automated: @@ -90,43 +90,76 @@ spec: # conditional sources ################################################### templatePatch: | + {{- $commonValuesPath := printf "%s/%s.yaml" .values.chartName .values.applicationSetGroup -}} + {{- $repoNames := list "addons" -}} + + {{- $environment := .metadata.labels.environment -}} + + {{- $tenantPath := "" -}} + {{- if and (hasKey . "tenant") .tenant -}} + {{- $tenantPath = printf "%s" .tenant -}} + {{- else if (index .metadata.labels "tenant") -}} + {{- $tenantPath = printf "%s" .metadata.labels.tenant -}} + {{- end -}} + + + {{- $clusterName := "" -}} + {{- if and (hasKey . "clusterName") .clusterName -}} + {{- $clusterName = .clusterName -}} + {{- else -}} + {{- $clusterName = .name -}} + {{- end -}} + + {{- $pathPatterns := list + (printf "%s/defaults" $tenantPath) + (printf "%s/environments/%s/defaults" $tenantPath $environment) + (printf "%s/environments/%s/clusters/%s" $tenantPath $environment $clusterName) + -}} + spec: sources: - - ref: values - repoURL: '{{ .metadata.annotations.addons_repo_url }}' - targetRevision: '{{ .metadata.annotations.addons_repo_revision }}' + {{- range $repoName := $repoNames }} + - repoURL: '{{default (index $.metadata.annotations (printf "%s_repo_url" $repoName)) (index $ "repoUrl")}}' + targetRevision: '{{default (index $.metadata.annotations (printf "%s_repo_revision" $repoName)) (index $ "targetRevision")}}' + ref: {{$repoName}}Values + {{- end }} {{- if eq .use_helm_repo_path "false" }} - repoURL: '{{default .values.chartRepo .chartRepo }}' chart: '{{ default .values.chartName .ecrChartName }}' targetRevision: '{{.version}}' {{- else }} - - repoURL: '{{ .metadata.annotations.addons_repo_url }}' - path: '{{ .values.chartPath }}' - targetRevision: '{{ .metadata.annotations.addons_repo_revision }}' + - repoURL: '{{default (index .metadata.annotations "chartRepoUrl") (index . "chartRepoUrl") }}' + path: '{{ default .values.chartPath (index . "chartRepoPath")}}' + targetRevision: '{{default (index .metadata.annotations "chartRepoRevision") (index . "chartRepoRevision") }}' {{- end }} helm: ignoreMissingValueFiles: true valuesObject: - useSelectors: false + useSelectors: '{{.values.useSelectors}}' useVersionSelectors: '{{.values.useVersionSelectors}}' - # Defining the way to group monitoring This application set will handly monitoring and ACK values + applicationSetGroup: {{.values.applicationSetGroup}} + groupRelease: '{{.values.groupRelease}}' + # Defining the way to group addons This application set will handly Addons and ACK values mergeValues: monitoring: use: true - releaseType: '{{.type | lower }}' - {{- if eq .values.useVersionSelectors "true"}} + releaseName: '{{default "" .releaseName | lower }}' + # If we are using version selector we add the version of the releases on the matchlabels + {{- if and (eq .values.useVersionSelectors "true") (or (eq .releaseName .values.groupRelease) (gt (int .totalReleases) 1)) }} releases: - {{.values.applicationSetGroup}}Release: '{{.type | lower}}' + {{.values.applicationSetGroup}}Release: '{{.releaseName | lower}}' {{- end }} {{- if eq .values.useSelectors "false"}} globalSelectors: fleet_member: hub-cluster {{- end }} - valueFiles: - - defaults/{{.values.applicationSetGroup}} - - clusters/{{`{{ .nameNormalized }}`}}/{{.values.applicationSetGroup}} + # Those are the Value files to read for the Whole group of applciationsdts valueFiles: - - $values/{{ .metadata.annotations.addons_repo_basepath }}/bootstrap/defaults/{{.values.applicationSetGroup}}.yaml - - $values/{{ .metadata.annotations.addons_repo_basepath }}/{{ .metadata.labels.tenant }}/defaults/{{ .values.chartName }}/{{.values.applicationSetGroup}}.yaml - - $values/{{ .metadata.annotations.addons_repo_basepath }}/{{ .metadata.labels.tenant }}/clusters/{{ .name }}/{{ .values.chartName }}/{{.values.applicationSetGroup}}.yaml - - $values/{{ .metadata.annotations.addons_repo_basepath }}/{{ .metadata.labels.tenant }}/environments/{{ .metadata.labels.environment }}/{{ .values.chartName }}/{{.values.applicationSetGroup}}.yaml \ No newline at end of file + - $addonsValues/addons/bootstrap/defaults/{{.values.applicationSetGroup}}.yaml + {{- range $repoName := $repoNames }} + {{- $repoRef := printf "%sValues" $repoName }} + {{- $basePath := default (index $.metadata.annotations (printf "%s_repo_basepath" $repoName)) (index $ (printf "%s_repo_basepath" $repoName)) }} + {{- range $pattern := $pathPatterns }} + - ${{ $repoRef }}/{{ $basePath }}/{{ $pattern }}/{{ $commonValuesPath }} + {{- end }} + {{- end }} diff --git a/charts/application-sets/examples/versions/applicationSets.yaml b/charts/application-sets/examples/versions/applicationSets.yaml index faa0113..60e7f2f 100644 --- a/charts/application-sets/examples/versions/applicationSets.yaml +++ b/charts/application-sets/examples/versions/applicationSets.yaml @@ -1,31 +1,22 @@ # applicationSets.yaml releases: - addons: - - type: "default" - use_helm_repo_path: "true" - chartRepo: "12345678910.dkr.ecr.eu-west-2.amazonaws.com" - ecrChartName: "application-sets" - version: 0.1.0 - - type: "release1" - use_helm_repo_path: "false" - chartRepo: "12345678910.dkr.ecr.eu-west-2.amazonaws.com" + globals: + # if we use the chart repo we need to be conected to remote + chartRepoUrl: https://github.com/markoskandylis/gitops-bridge-helm-charts + chartRepoPath: charts/application-sets + chartRepoRevision: main + chartRepo: "12345678901.dkr.ecr.eu-west-2.amazonaws.com" ecrChartName: "application-sets" - version: 0.2.0 + version: 0.3.1 + addons: + - releaseName: "default" + use_helm_repo_path: "true" monitoring: - - type: "default" - use_helm_repo_path: "true" - chartRepo: "12345678910.dkr.ecr.eu-west-2.amazonaws.com" - ecrChartName: "application-sets" - version: 0.1.0 + - releaseName: "default" + use_helm_repo_path: "true" resources: - - type: "default" - use_helm_repo_path: "true" - ecrChartName: "application-sets" - chartRepo: "12345678910.dkr.ecr.eu-west-2.amazonaws.com" - version: 0.1.0 + - releaseName: "default" + use_helm_repo_path: "true" fleet: - - type: "default" - use_helm_repo_path: "true" - ecrChartName: "application-sets" - chartRepo: "12345678910.dkr.ecr.eu-west-2.amazonaws.com" - version: 0.1.0 \ No newline at end of file + - releaseName: "default" + use_helm_repo_path: "true" diff --git a/charts/application-sets/templates/_application_set.tpl b/charts/application-sets/templates/_application_set.tpl index e4c29ff..9d4bfd8 100644 --- a/charts/application-sets/templates/_application_set.tpl +++ b/charts/application-sets/templates/_application_set.tpl @@ -25,9 +25,17 @@ Template to generate additional resources configuration {{- if $chartConfig.additionalResources.helm }} helm: releaseName: '{{`{{ .name }}`}}-{{ $chartConfig.additionalResources.helm.releaseName }}' + {{- if or $values.globalValuesObject $chartConfig.additionalResources.helm.valuesObject }} + {{/* Create a fresh copy for this component only */}} + {{- $chartValuesObject := dict }} + {{- if $values.globalValuesObject }} + {{- $chartValuesObject = deepCopy $values.globalValuesObject }} + {{- end }} {{- if $chartConfig.additionalResources.helm.valuesObject }} + {{- $chartValuesObject = mergeOverwrite $chartValuesObject $chartConfig.additionalResources.helm.valuesObject }} + {{- end }} valuesObject: - {{- $chartConfig.additionalResources.helm.valuesObject | toYaml | nindent 6 }} + {{- toYaml $chartValuesObject | nindent 12 }} {{- end }} ignoreMissingValueFiles: true valueFiles: @@ -39,7 +47,6 @@ Template to generate additional resources configuration {{- end }} {{- end }} - {{/* Define the values path for reusability */}} @@ -49,10 +56,22 @@ Define the values path for reusability {{- $valueFiles := .valueFiles -}} {{- $chartType := .chartType -}} {{- $values := .values -}} +{{- $valuesFileName := default "values.yaml" $chartConfig.valuesFileName -}} +{{- $applicationSetGroup := default "" $values.applicationSetGroup -}} + {{- with .valueFiles }} {{- range . }} -- $values/{{ $values.repoURLGitBasePath }}/{{ . }}/{{ $nameNormalize }}{{ if $chartType }}/{{ $chartType }}{{ end }}/{{ if $chartConfig.valuesFileName }}{{ $chartConfig.valuesFileName }}{{ else }}values.yaml{{ end }} -- $values/{{ $values.repoURLGitBasePath }}/{{ if $values.useValuesFilePrefix }}{{ $values.valuesFilePrefix }}{{ end }}{{ . }}/{{ $nameNormalize }}{{ if $chartType }}/{{ $chartType }}{{ end }}/{{ if $chartConfig.valuesFileName }}{{ $chartConfig.valuesFileName }}{{ else }}values.yaml{{ end }} +{{/* Path with applicationSetGroup if available */}} +{{- if ne $values.repoURLGitBasePath "" }} +- $values/{{$values.repoURLGitBasePath}} +{{- else}} +- $values{{$values.repoURLGitBasePath}} +{{- end }} +{{- if $values.useValuesFilePrefix -}}/{{$values.valuesFilePrefix}}{{- end -}}/{{.}} +{{- if $applicationSetGroup -}}/{{$applicationSetGroup}}{{- end -}}/{{$nameNormalize}} +{{- if $chartType -}}/{{$chartType}}{{- end -}} +{{- if $chartConfig.valuesFileName -}}/{{$chartConfig.valuesFileName}} +{{- else -}}/values.yaml{{- end -}} {{- end }} {{- end }} {{- end }} diff --git a/charts/application-sets/templates/_git_matrix.tpl b/charts/application-sets/templates/_git_matrix.tpl index 61353d3..7c3471a 100644 --- a/charts/application-sets/templates/_git_matrix.tpl +++ b/charts/application-sets/templates/_git_matrix.tpl @@ -21,7 +21,7 @@ generators: {{- if $chartConfig.selectorMatchLabels }} {{- toYaml $chartConfig.selectorMatchLabels | nindent 18 }} {{- end }} - {{- if and $chartConfig.selector $useSelectors }} + {{- if and $chartConfig.selector (eq $useSelectors "true") }} {{- toYaml $chartConfig.selector | nindent 16 }} {{- end }} values: diff --git a/charts/application-sets/templates/_helpers.tpl b/charts/application-sets/templates/_helpers.tpl index c705613..3fb0fdc 100644 --- a/charts/application-sets/templates/_helpers.tpl +++ b/charts/application-sets/templates/_helpers.tpl @@ -35,6 +35,9 @@ app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Values.commonLabels }} +{{- toYaml .Values.commonLabels | nindent 0 }} +{{- end }} {{- end }} {{/* @@ -46,3 +49,16 @@ helm.sh/chart: {{ include "application-sets.chart" . }} {{ toYaml .Values.annotations }} {{- end }} {{- end }} + +{{/* +Merge common labels from global and chart-specific configurations +Usage: {{ $mergedLabels := include "application-sets.mergeCommonLabels" (dict "global" .Values.commonLabels "chart" $chartConfig.commonLabels) | fromYaml }} +*/}} +{{- define "application-sets.mergeCommon" -}} +{{- $global := .global | default dict }} +{{- $chart := .chart | default dict }} +{{- $merged := mergeOverwrite $global $chart }} +{{- if $merged }} +{{- toYaml $merged }} +{{- end }} +{{- end }} diff --git a/charts/application-sets/templates/application-set.yaml b/charts/application-sets/templates/application-set.yaml index b1191d6..8e8d289 100644 --- a/charts/application-sets/templates/application-set.yaml +++ b/charts/application-sets/templates/application-set.yaml @@ -1,8 +1,8 @@ {{/* First, import and merge all values files based on enabled components */}} {{- $values := .Values }} -{{- $releaseType := .Values.releaseType }} -{{- $useVersionSelectors := .Values.useVersionSelectors}} -{{- $useSelectors:= .Values.useSelectors -}} +{{- $releaseName := .Values.releaseName }} +{{- $useVersionSelectors := .Values.useVersionSelectors | toString }} +{{- $useSelectors := .Values.useSelectors | toString -}} {{- $globalSelectors := .Values.globalSelectors -}} {{- $chartType := .Values.chartType }} {{- $namespace := .Values.namespace }} @@ -13,9 +13,12 @@ {{- $repoURLGitRevision := .Values.repoURLGitRevision -}} {{- $repoURLGitBasePath := .Values.repoURLGitBasePath -}} {{- $valueFiles := .Values.valueFiles -}} +{{- $globalValuesObject := .Values.globalValuesObject | default dict -}} {{- $valuesFilePrefix := .Values.valuesFilePrefix -}} {{- $useValuesFilePrefix := (default false .Values.useValuesFilePrefix ) -}} {{- $argoProjectName := (default "default" .Values.argoProjectName ) -}} +{{- $applyNestedSelectors := default "false" .Values.applyNestedSelectors -}} +{{- $templatePatch := .Values.templatePatch -}} {{/* Merge values From Default */}} {{- if .Values.mergeValues -}} @@ -25,14 +28,15 @@ {{- end -}} {{- range $chartName, $chartConfig := .Values }} +{{- $mergedValuesObject := dict }} {{- if and (kindIs "map" $chartConfig) (hasKey $chartConfig "enabled") }} -{{- if eq (toString $chartConfig.enabled) "true" }} +{{- if eq ($chartConfig.enabled | toString) "true" }} {{- $nameNormalize := printf "%s" $chartName | replace "_" "-" | trunc 63 | trimSuffix "-" -}} apiVersion: argoproj.io/v1alpha1 kind: ApplicationSet metadata: - {{- if $releaseType }} - name: '{{ $nameNormalize }}-{{$releaseType}}' + {{- if $releaseName }} + name: '{{ $nameNormalize }}-{{$releaseName}}' {{- else }} name: {{ $nameNormalize }} {{- end }} @@ -45,18 +49,44 @@ metadata: {{- if $chartConfig.labelsAppSet }}{{- toYaml $chartConfig.labelsAppSet | nindent 4 }}{{- end }} spec: goTemplate: true + {{- if $chartConfig.syncPolicyAppSet }} + syncPolicy: + {{- toYaml $chartConfig.syncPolicyAppSet | nindent 4 }} + {{- else }} + syncPolicy: + {{- toYaml $syncPolicyAppSet | nindent 4 }} + {{- end }} {{- if $chartConfig.goTemplateOptions }} goTemplateOptions: {{ toYaml $chartConfig.goTemplateOptions | nindent 2 }} {{- else }} goTemplateOptions: {{ default (list "missingkey=error") $goTemplateOptions }} {{- end }} - {{- if $chartConfig.syncPolicyAppSet }} - syncPolicy: - {{- toYaml $chartConfig.syncPolicyAppSet | nindent 4 }} + {{- if $chartConfig.ignoreApplicationDifferences }} + ignoreApplicationDifferences: + {{- toYaml $chartConfig.ignoreApplicationDifferences | nindent 2 }} + {{- end }} + {{- if $chartConfig.preservedFields }} + preservedFields: + {{- toYaml $chartConfig.preservedFields | nindent 4 }} + {{- end }} + {{- if $chartConfig.strategy }} + strategy: + {{- toYaml $chartConfig.strategy | nindent 4 }} + {{- end }} + {{- if $chartConfig.templatePatch }} + templatePatch: {{- $chartConfig.templatePatch | toYaml | indent 1 }} {{- else }} - syncPolicy: - {{- toYaml $syncPolicyAppSet | nindent 4 }} + {{- if $templatePatch }} + templatePatch: {{- $templatePatch | toYaml | indent 1 }} + {{- end }} + {{- end }} + {{- if $applyNestedSelectors }} + applyNestedSelectors: {{ $applyNestedSelectors }} + {{- else }} + {{- if $chartConfig.applyNestedSelectors }} + applyNestedSelectors: {{ $chartConfig.applyNestedSelectors }} + {{- end }} {{- end }} {{- if $chartConfig.gitMatrix }} {{ include "application-sets.git-matrix" (dict @@ -74,7 +104,7 @@ spec: - clusters: selector: matchLabels: - {{- if eq (toString $useVersionSelectors) "true" }} + {{- if eq $useVersionSelectors "true" }} {{- if $values.releases }} {{- range $releaseName, $release := $values.releases}} {{ $releaseName }}: {{ $release }} @@ -88,20 +118,20 @@ spec: {{- if $chartConfig.selectorMatchLabels }} {{- toYaml $chartConfig.selectorMatchLabels | nindent 18 }} {{- end }} - {{- if and $chartConfig.selector $useSelectors }} + {{- if and $chartConfig.selector (eq $useSelectors "true") }} {{- toYaml $chartConfig.selector | nindent 16 }} {{- end }} {{- if not $chartConfig.resourceGroup }} values: - addonChart: {{ $chartConfig.chartName | default $nameNormalize | quote }} + chart: {{ $chartConfig.chartName | default $nameNormalize | quote }} {{- if $chartConfig.defaultVersion }} - addonChartVersion: {{ $chartConfig.defaultVersion | quote }} + chartVersion: {{ $chartConfig.defaultVersion | quote }} {{- end }} {{- if $chartConfig.chartRepository }} - addonChartRepository: {{ $chartConfig.chartRepository | quote }} + chartRepository: {{ $chartConfig.chartRepository | quote }} {{- end }} {{- if $chartConfig.chartNamespace }} - addonChartRepositoryNamespace: {{ $chartConfig.chartNamespace | quote }} + chartRepositoryNamespace: {{ $chartConfig.chartNamespace | quote }} chart: {{ printf "%s/%s" $chartConfig.chartNamespace ($chartConfig.chartName | default $nameNormalize) | quote }} {{- else }} chart: {{ $chartConfig.chartName | default $nameNormalize | quote }} @@ -114,24 +144,33 @@ spec: matchLabels: {{- toYaml .selector | nindent 18 }} values: - addonChartVersion: {{ .chartVersion | default $chartConfig.defaultVersion | quote }} + chartVersion: {{ .chartVersion | default $chartConfig.defaultVersion | quote }} {{- end }} {{- end }} {{- end }} template: metadata: {{- if $chartConfig.appSetName }} - name: '{{$releaseType}}-{{ $chartConfig.appSetName }}-{{`{{ .values.addonChartVersion }}`}}' + name: '{{$releaseName}}-{{ $chartConfig.appSetName }}-{{`{{ .values.chartVersion }}`}}' {{- else }} - name: '{{$releaseType}}-{{`{{ .name | trunc 30 }}`}}-{{ $nameNormalize | trunc 20 }}-{{`{{ .values.addonChartVersion }}`}}' + name: '{{$releaseName}}-{{`{{ .name | trunc 30 }}`}}-{{ $nameNormalize | trunc 20 }}-{{`{{ .values.chartVersion }}`}}' {{- end }} + annotations: + {{- include "application-sets.annotations" $ | nindent 8 }} + {{- if $chartConfig.annotationsApp }}{{- toYaml $chartConfig.annotationsApp | nindent 8 }}{{- end }} + labels: + {{- include "application-sets.labels" $ | nindent 8 }} + {{- if $chartConfig.labelsApp }}{{- toYaml $chartConfig.labelsApp | nindent 8 }}{{- end }} + component: '{{ $nameNormalize }}' + environment: '{{`{{.metadata.labels.environment}}`}}' + cluster: '{{`{{.name}}`}}' spec: project: {{ $argoProjectName }} sources: - repoURL: {{ $repoURLGit | squote}} targetRevision: {{ $repoURLGitRevision | squote }} ref: values - {{- if eq (toString $chartConfig.enableAckPodIdentity) "true" }} + {{- if eq ($chartConfig.enableAckPodIdentity | toString) "true" }} {{ include "application-sets.pod-identity" (dict "chartName" ($chartConfig.chartName | default $nameNormalize) "valueFiles" $valueFiles @@ -142,17 +181,25 @@ spec: path: {{$chartConfig.path | squote }} targetRevision: {{ $repoURLGitRevision | squote }} {{- else }} - - repoURL: '{{`{{ .values.addonChartRepository }}`}}' + - repoURL: '{{`{{ .values.chartRepository }}`}}' chart: '{{`{{ .values.chart }}`}}' - targetRevision: '{{`{{.values.addonChartVersion }}`}}' + targetRevision: '{{`{{.values.chartVersion }}`}}' {{- end }} {{- if ne (default "" $chartConfig.type) "manifest" }} helm: - releaseName: {{ default "{{ .values.addonChart }}" $chartConfig.releaseName | squote }} + releaseName: {{ default "{{ .values.chart }}" $chartConfig.releaseName | squote }} ignoreMissingValueFiles: true + {{- if or $globalValuesObject $chartConfig.valuesObject }} + {{/* Create a fresh copy for this component only */}} + {{- $chartValuesObject := dict }} + {{- if $globalValuesObject }} + {{- $chartValuesObject = deepCopy $globalValuesObject }} + {{- end }} {{- if $chartConfig.valuesObject }} + {{- $chartValuesObject = mergeOverwrite $chartValuesObject $chartConfig.valuesObject }} + {{- end }} valuesObject: - {{- $chartConfig.valuesObject | toYaml | nindent 12 }} + {{- toYaml $chartValuesObject | nindent 12 }} {{- end }} {{- if $valueFiles }} valueFiles: diff --git a/charts/application-sets/test-values.yaml b/charts/application-sets/test-values.yaml new file mode 100644 index 0000000..54f2b1d --- /dev/null +++ b/charts/application-sets/test-values.yaml @@ -0,0 +1,30 @@ +# Test values for globalValuesObject functionality +globalValuesObject: + commonLabels: + app.kubernetes.io/part-of: "eks-fleet-management" + managed-by: "gitops-fleet-management" + team: "platform" + global-test: "true" + commonAnnotations: + managed-by: "gitops-fleet-management" + global-annotation: "test-value" + +# Enable merging from component files +mergeValues: + test: + use: true + +# Test components to verify globalValuesObject merging in the values/test.yaml +# Common configuration +syncPolicy: + automated: + selfHeal: true + allowEmpty: true + prune: true + +repoURLGit: "https://github.com/test/repo.git" +repoURLGitRevision: "main" +repoURLGitBasePath: "test-path" +valueFiles: + - "defaults" + - "environments/test" diff --git a/charts/application-sets/values.yaml b/charts/application-sets/values.yaml index 91c740b..1f1f5f3 100644 --- a/charts/application-sets/values.yaml +++ b/charts/application-sets/values.yaml @@ -1,3 +1,12 @@ +# Common labels to be applied to all ApplicationSet-generated Applications and resources +globalValuesObject: + commonLabels: + app.kubernetes.io/part-of: "eks-fleet-management" + managed-by: "eks-fleet-management" + team: "platform" + commonAnnotations: + managed-by: "eks-fleet-management" + syncPolicy: automated: selfHeal: false @@ -11,22 +20,22 @@ syncPolicy: maxDuration: 10m # the maximum amount of time allowed for the backoff strategy syncOptions: - CreateNamespace=true - - ServerSideApply=true # Big CRDs. + - ServerSideApply=true # Big CRDs. syncPolicyAppSet: preserveResourcesOnDeletion: true -repoURLGit: '{{.metadata.annotations.addons_repo_url}}' -repoURLGitRevision: '{{.metadata.annotations.addons_repo_revision}}' -repoURLGitBasePath: '{{.metadata.annotations.addons_repo_basepath}}' -useValuesFilePrefix: true -valuesFilePrefix: '{{.metadata.labels.tenant}}/' ackPodIdentity: path: "charts/pod-identity" # If we Define the Merge we will use the values files included in the folder values. That will enable us to have default helm charts -useSelectors: false -useVersionSelectors: true -# mergeValues: -# fleetBootstrap: -# use: true +useSelectors: "false" +useVersionSelectors: "true" # globalSelectors: # fleet_member: spoke # use_remote_argo: "true" +# Default Values files that will apply to all applciationSets +repoURLGit: "{{.metadata.annotations.addons_repo_url}}" +repoURLGitRevision: "{{.metadata.annotations.addons_repo_revision}}" +repoURLGitBasePath: "{{.metadata.annotations.addons_repo_basepath}}" +valueFiles: + - "{{if .metadata.labels.tenant}}{{.metadata.labels.tenant}}{{end}}/defaults" + - "{{if .metadata.labels.tenant}}{{.metadata.labels.tenant}}{{end}}/environments/{{.metadata.labels.environment}}/defaults" + - "{{if .metadata.labels.tenant}}{{.metadata.labels.tenant}}{{end}}/environments/{{.metadata.labels.environment}}/clusters/{{.name}}" diff --git a/charts/application-sets/values/addons.yaml b/charts/application-sets/values/addons.yaml index f847139..bfaa79c 100644 --- a/charts/application-sets/values/addons.yaml +++ b/charts/application-sets/values/addons.yaml @@ -4,50 +4,46 @@ argocd: chartName: argo-cd namespace: argocd releaseName: argocd - defaultVersion: "7.7.8" + defaultVersion: "8.5.8" chartRepository: "https://argoproj.github.io/argo-helm" + additionalResources: + path: "charts/argocd-ingress" + type: "ingress" + helm: + releaseName: ingress + valuesObject: + ingressClass: + useAutomode: '{{default "false" (index .metadata.annotations "enable_automode")}}' + ingress: + domain: '{{default "" (index .metadata.annotations "argocd_dns")}}' + privateCertificate: '{{default "" (index .metadata.annotations "argocd_ingress_certificate")}}' + rules: + - host: '{{default "argocd.example.com" (index .metadata.annotations "argocd_dns")}}' selector: matchExpressions: - key: enable_argocd operator: In - values: ['true'] -route53-chart: - enabled: true - enableAckPodIdentity: false - namespace: ack-system - chartName: route53-chart - defaultVersion: "0.0.20" - chartNamespace: aws-controllers-k8s - chartRepository: public.ecr.aws - selector: - matchExpressions: - - key: enable_route53_controller - operator: In - values: ['true'] + values: ["true"] valuesObject: - aws: - region: '{{.metadata.annotations.aws_region}}' - serviceAccount: - name: 'route53-controller' - annotations: - eks.amazonaws.com/role-arn: '{{default "" (index .metadata.annotations "ack_route53_controller_role_arn")}}' + global: + domain: '{{default "" (index .metadata.annotations "argocd_dns")}}' external-secrets: enabled: true enableAckPodIdentity: false namespace: external-secrets chartName: external-secrets - defaultVersion: "0.10.3" + defaultVersion: "0.18.2" chartRepository: "https://charts.external-secrets.io" additionalResources: path: "charts/fleet-secret" type: "ecr-token" helm: - releaseName: ecr-token + releaseName: ecr-token selector: matchExpressions: - key: enable_external_secrets operator: In - values: ['true'] + values: ["true"] valuesObject: serviceAccount: name: "external-secrets-sa" @@ -63,22 +59,22 @@ aws-load-balancer-controller: matchExpressions: - key: enable_aws_load_balancer_controller operator: In - values: ['true'] + values: ["true"] valuesObject: serviceAccount: - name: "aws-load-balancer-controller-sa" - vpcId: '{{.metadata.annotations.aws_vpc_id}}' - clusterName: '{{.name}}' + name: "aws-load-balancer-controller-sa" + vpcId: "{{.metadata.annotations.aws_vpc_id}}" + clusterName: "{{.name}}" ignoreDifferences: - kind: Secret name: aws-load-balancer-tls jsonPointers: [/data] - group: admissionregistration.k8s.io kind: MutatingWebhookConfiguration - jqPathExpressions: ['.webhooks[].clientConfig.caBundle'] + jqPathExpressions: [".webhooks[].clientConfig.caBundle"] - group: admissionregistration.k8s.io kind: ValidatingWebhookConfiguration - jqPathExpressions: ['.webhooks[].clientConfig.caBundle'] + jqPathExpressions: [".webhooks[].clientConfig.caBundle"] metrics-server: enabled: true enableAckPodIdentity: false @@ -89,24 +85,24 @@ metrics-server: matchExpressions: - key: enable_metrics_server operator: In - values: ['true'] + values: ["true"] karpenter: enabled: false enableAckPodIdentity: false releaseName: karpenter - namespace: 'kube-system' + namespace: "kube-system" chartNamespace: karpenter chartName: karpenter chartRepository: public.ecr.aws - defaultVersion: "1.3.3" + defaultVersion: "1.4.3" selector: matchExpressions: - key: enable_karpenter operator: In - values: ['true'] + values: ["true"] valuesObject: settings: - clusterName: '{{.metadata.annotations.aws_cluster_name}}' + clusterName: "{{.metadata.annotations.aws_cluster_name}}" interruptionQueue: '{{default "" (index .metadata.annotations "karpenter_sqs_queue_name")}}' serviceAccount: name: '{{default "karpenter" (index .metadata.annotations "karpenter_service_account")}}' @@ -124,7 +120,7 @@ aws_efs_csi_driver: matchExpressions: - key: enable_aws_efs_csi_driver operator: In - values: ['true'] + values: ["true"] valuesObject: controller: serviceAccount: @@ -148,7 +144,7 @@ cert_manager: matchExpressions: - key: enable_cert_manager operator: In - values: ['true'] + values: ["true"] valuesObject: installCRDs: true serviceAccount: @@ -156,25 +152,24 @@ cert_manager: annotations: eks.amazonaws.com/role-arn: '{{default "" (index .metadata.annotations "cert_manager_iam_role_arn") }}' external-dns: - enabled: false + enabled: true enableAckPodIdentity: false releaseName: external-dns namespace: '{{default "external-dns" (index .metadata.annotations "external_dns_namespace") }}' chartName: external-dns chartRepository: https://kubernetes-sigs.github.io/external-dns - defaultVersion: "1.14.3" + defaultVersion: "1.16.1" selector: matchExpressions: - key: enable_external_dns operator: In - values: ['true'] + values: ["true"] valuesObject: provider: aws serviceAccount: name: '{{default "" (index .metadata.annotations "external_dns_service_account") }}' annotations: - eks.amazonaws.com/role-arn: '{{default "" (index .metadata.annotations "external_dns_iam_role_arn") }}' - domainFilters: '{{.metadata.annotations.external_dns_domain_filters}}' - txtOwnerId: '{{.metadata.annotations.aws_cluster_name}}' - policy: '{{default "upsert-only" .metadata.annotations.external_dns_policy}}' - extraArgs: '{{default "[]" .metadata.annotations.external_dns_extra_args}}' \ No newline at end of file + eks.amazonaws.com/role-arn: '{{default "" (index .metadata.annotations "external_dns_iam_role_arn")}}' + domainFilters: ["{{.metadata.annotations.external_dns_domain_filters}}"] + txtOwnerId: "{{.metadata.annotations.aws_cluster_name}}" + policy: '{{default "upsert-only" (index .metadata.annotations "external_dns_policy")}}' diff --git a/charts/application-sets/values/fleetBootstrap.yaml b/charts/application-sets/values/fleetBootstrap.yaml index f2e8063..0d1e75e 100644 --- a/charts/application-sets/values/fleetBootstrap.yaml +++ b/charts/application-sets/values/fleetBootstrap.yaml @@ -4,26 +4,42 @@ fleet-external-secrets: namespace: platform-system releaseName: fleet-external-secrets chartName: external-secrets - defaultVersion: "0.10.3" + defaultVersion: "0.18.0" chartRepository: "https://charts.external-secrets.io" additionalResources: path: "charts/fleet-secret" type: "ecr-token" helm: - releaseName: ecr-token + releaseName: ecr-token valuesObject: serviceAccount: name: "external-secrets-sa" scopedNamespace: "platform-system" scopedRBAC: true fleet-argocd: - enabled: true + enabled: true enableAckPodIdentity: false chartName: argo-cd namespace: platform-system releaseName: fleet-argocd - defaultVersion: "7.5.2" + defaultVersion: "8.5.8" chartRepository: "https://argoproj.github.io/argo-helm" + valuesObject: + global: + domain: '{{default "" (index .metadata.annotations "argocd_dns")}}' + additionalResources: + path: "charts/argocd-ingress" + type: "ingress" + helm: + releaseName: ingress + valuesObject: + ingressClass: + useAutomode: '{{default "false" (index .metadata.annotations "enable_automode")}}' + ingress: + domain: '{{default "" (index .metadata.annotations "argocd_dns")}}' + privateCertificate: '{{default "" (index .metadata.annotations "argocd_ingress_certificate")}}' + rules: + - host: '{{default "argocd.example.com" (index .metadata.annotations "argocd_dns")}}' fleet-iam-chart: chartName: iam-chart releaseName: fleet-iam-ack @@ -33,9 +49,9 @@ fleet-iam-chart: chartRepository: public.ecr.aws valuesObject: aws: - region: '{{.metadata.annotations.aws_region}}' + region: "{{.metadata.annotations.aws_region}}" serviceAccount: - name: '{{.metadata.annotations.ack_iam_service_account}}' + name: "{{.metadata.annotations.ack_iam_service_account}}" fleet-ack-eks: chartName: eks-chart namespace: ack-system @@ -45,7 +61,6 @@ fleet-ack-eks: chartRepository: public.ecr.aws valuesObject: aws: - region: '{{.metadata.annotations.aws_region}}' + region: "{{.metadata.annotations.aws_region}}" serviceAccount: - name: '{{.metadata.annotations.ack_eks_service_account}}' - \ No newline at end of file + name: "{{.metadata.annotations.ack_eks_service_account}}" diff --git a/charts/application-sets/values/monitoring.yaml b/charts/application-sets/values/monitoring.yaml index 811a0ec..1ae5345 100644 --- a/charts/application-sets/values/monitoring.yaml +++ b/charts/application-sets/values/monitoring.yaml @@ -5,12 +5,12 @@ cw-prometheus: namespace: '{{default "amazon-cloudwatch" (index .metadata.annotations "cw_prometheus_namespace")}}' chartName: cw-prometheus defaultVersion: "0.1.0" - path: 'charts/cw-prometheus' + path: "charts/cw-prometheus" selector: matchExpressions: - key: enable_cw_prometheus operator: In - values: ['true'] + values: ["true"] kube-prometheus-stack: enabled: true enableAckPodIdentity: false @@ -22,7 +22,7 @@ kube-prometheus-stack: matchExpressions: - key: enable_kube_prometheus_stack operator: In - values: ['true'] + values: ["true"] cni-metrics-helper: enabled: true enableAckPodIdentity: false @@ -32,14 +32,14 @@ cni-metrics-helper: defaultVersion: "1.18.5" valuesObject: env: - AWS_CLUSTER_ID: '{{.metadata.annotations.aws_cluster_name}}' + AWS_CLUSTER_ID: "{{.metadata.annotations.aws_cluster_name}}" selector: matchExpressions: - key: enable_cni_metrics_helper operator: In - values: ['true'] + values: ["true"] amp-prometheus: - enabled: true + enabled: false enableAckPodIdentity: false releaseName: amp-prometheus namespace: '{{default "amp-prometheus" (index .metadata.annotations "amp_prometheus_namespace")}}' @@ -50,17 +50,16 @@ amp-prometheus: matchExpressions: - key: enable_amp_prometheus operator: In - values: ['true'] + values: ["true"] valuesObject: serviceAccounts: server: - name: '{{default "amp-prometheus-server-sa" (index .metadata.annotations "amp_prometheus_server_sa")}}' - annotations: - eks.amazonaws.com/role-arn: '{{default "" (index .metadata.annotations "amp_prometheus_iam_role_arn")}}' + name: '{{default "amp-prometheus-server-sa" (index .metadata.annotations "amp_prometheus_server_sa")}}' + annotations: + eks.amazonaws.com/role-arn: '{{default "" (index .metadata.annotations "amp_prometheus_iam_role_arn")}}' server: remoteWrite: - - - url: '{{(index .metadata.annotations "amp_endpoint_url")}}.api/v1/remote_write' + - url: '{{(index .metadata.annotations "amp_endpoint_url")}}.api/v1/remote_write' sigv4: - region: '{{.metadata.annotations.aws_region}}' - role_arn: '{{default "" (index .metadata.annotations "amp_prometheus_crossaccount_role")}}' + region: "{{.metadata.annotations.aws_region}}" + role_arn: '{{default "" (index .metadata.annotations "amp_prometheus_crossaccount_role")}}' diff --git a/charts/argocd-ingress/.helmignore b/charts/argocd-ingress/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/argocd-ingress/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/argocd-ingress/Chart.yaml b/charts/argocd-ingress/Chart.yaml new file mode 100644 index 0000000..d148d87 --- /dev/null +++ b/charts/argocd-ingress/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: argo-ingress +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/charts/argocd-ingress/templates/_helpers.tpl b/charts/argocd-ingress/templates/_helpers.tpl new file mode 100644 index 0000000..f7e078c --- /dev/null +++ b/charts/argocd-ingress/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "argo-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "argo-ingress.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "argo-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "argo-ingress.labels" -}} +helm.sh/chart: {{ include "argo-ingress.chart" . }} +{{ include "argo-ingress.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "argo-ingress.selectorLabels" -}} +app.kubernetes.io/name: {{ include "argo-ingress.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "argo-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "argo-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/argocd-ingress/templates/argoService.yaml b/charts/argocd-ingress/templates/argoService.yaml new file mode 100644 index 0000000..cc82771 --- /dev/null +++ b/charts/argocd-ingress/templates/argoService.yaml @@ -0,0 +1,24 @@ +# ArgoCD Service Required for Ingress with AWS alb Controller +{{- if eq .Values.enableIngress "true" }} +{{- if .Values.argoService }} +apiVersion: v1 +kind: Service +metadata: + annotations: + argocd.argoproj.io/sync-wave: "1" + alb.ingress.kubernetes.io/backend-protocol-version: HTTP2 #This tells AWS to send traffic from the ALB using HTTP2. Can use GRPC as well if you want to leverage GRPC specific features + labels: + app: argogrpc + name: {{.Values.argoService.argoIngressServiceName }} +spec: + ports: + - name: "443" + port: 443 + protocol: TCP + targetPort: 8080 + selector: + app.kubernetes.io/name: {{.Values.argoService.argoServerSericeName }} + sessionAffinity: None + type: NodePort +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/argocd-ingress/templates/ingress.yaml b/charts/argocd-ingress/templates/ingress.yaml new file mode 100644 index 0000000..476d63a --- /dev/null +++ b/charts/argocd-ingress/templates/ingress.yaml @@ -0,0 +1,75 @@ +{{- if eq .Values.enableIngress "true" }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "argo-ingress.fullname" . }} + annotations: + {{- if .Values.ingress.annotations }} + {{- .Values.ingress.annotations | toYaml | nindent 4 }} + {{- end }} + argocd.argoproj.io/sync-wave: "4" + {{- if .Values.ingress.useExternalDns}} + external-dns.alpha.kubernetes.io/hostname: {{ .Values.ingress.domain }} + external-dns.alpha.kubernetes.io/ingress-hostname-source: annotation-only + external-dns.alpha.kubernetes.io/ttl: "300" + {{- end }} + alb.ingress.kubernetes.io/backend-protocol: {{ default "HTTPS" .Values.ingress.backendProtocol }} + alb.ingress.kubernetes.io/load-balancer-attributes: routing.http.drop_invalid_header_fields.enabled={{default false .Values.ingress.dropHttpHeader}} + alb.ingress.kubernetes.io/target-type: {{ default "ip" .Values.ingress.targetType }} + alb.ingress.kubernetes.io/inbound-cidrs: {{ default "0.0.0.0/0" .Values.ingress.inboundCidrs }} + {{- if .Values.ingress.grpcService }} + alb.ingress.kubernetes.io/conditions.{{ .Values.ingress.grpcService }}: | + [{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "Content-Type", "values":["application/grpc"]}}] + {{- end }} + {{- if .Values.ingress.privateCertificate }} + alb.ingress.kubernetes.io/certificate-arn: {{ .Values.ingress.privateCertificate }} + {{- end }} + alb.ingress.kubernetes.io/listen-ports: '{{ default "[{\"HTTPS\":443}]" .Values.ingress.listenPorts }}' + alb.ingress.kubernetes.io/ssl-policy: {{ default "ELBSecurityPolicy-TLS13-1-2-2021-06" .Values.ingress.sslPolicy }} + {{- if .Values.ingress.tls }} + alb.ingress.kubernetes.io/certificate-arn: {{ .Values.ingress.tls.certificateArn }} + {{- if .Values.ingress.tls.sslPolicy }} + {{- end }} + {{- end }} +spec: + ingressClassName: {{ default "alb" .Values.ingressClass.name }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls.hosts }} + - hosts: + - {{ . }} + {{- if $.Values.ingress.tls.secretName }} + secretName: {{ $.Values.ingress.tls.secretName }} + {{- end }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.rules }} + - host: {{ .host }} + http: + paths: + {{- if .paths }} + {{- range .paths }} + - backend: + service: + name: {{ .serviceName }} + port: + number: {{ .port | default 443 }} + pathType: {{ .pathType | default "ImplementationSpecific" }} + {{- end }} + {{- else }} + - backend: + service: + name: argogrpc + port: + number: 443 + pathType: ImplementationSpecific + - backend: + service: + name: argocd-server + port: + number: 443 + pathType: ImplementationSpecific + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/argocd-ingress/templates/ingressClass.yaml b/charts/argocd-ingress/templates/ingressClass.yaml new file mode 100644 index 0000000..a5a6577 --- /dev/null +++ b/charts/argocd-ingress/templates/ingressClass.yaml @@ -0,0 +1,29 @@ +{{- if eq .Values.enableIngress "true" }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{.Values.ingressClass.name}} + annotations: + {{- if .Values.ingressClass.annotations }} + {{- .Values.ingressClass.annotations | toYaml | nindent 10 }} + {{- end }} + # Use this annotation to set an IngressClass as Default + # If an Ingress doesn't specify a class, it will use the Default + ingressclass.kubernetes.io/is-default-class: {{ default "true" .Values.ingressClass.isDefault | quote }} + argocd.argoproj.io/sync-wave: "3" +spec: + controller: {{- if .Values.ingressClass.useAutomode }} + "eks.amazonaws.com/alb" + {{- else }} + {{ required "When useAutomode is false, you must specify a valid controllerType (e.g., 'controllerType: ingress.k8s.aws/alb')" .Values.ingressClass.controllerType }} + {{- end }} + parameters: + apiGroup: {{- if .Values.ingressClass.useAutomode }} + "eks.amazonaws.com" + {{- else }} + "elbv2.k8s.aws" + {{- end }} + kind: IngressClassParams + # Use the name of the IngressClassParams set in the previous step + name: {{ .Values.ingressClass.name }} +{{- end }} \ No newline at end of file diff --git a/charts/argocd-ingress/templates/ingressClassParams.yaml b/charts/argocd-ingress/templates/ingressClassParams.yaml new file mode 100644 index 0000000..012b519 --- /dev/null +++ b/charts/argocd-ingress/templates/ingressClassParams.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.enableIngress "true" }} + apiVersion: {{- if .Values.ingressClass.useAutomode }} + "eks.amazonaws.com/v1" + {{- else }} + "elbv2.k8s.aws/v1beta1" + {{- end }} +kind: IngressClassParams +metadata: + annotations: + argocd.argoproj.io/sync-wave: "2" + name: {{.Values.ingressClass.name}} +spec: + scheme: {{.Values.ingressClass.scheme}} +{{- end }} \ No newline at end of file diff --git a/charts/argocd-ingress/values.yaml b/charts/argocd-ingress/values.yaml new file mode 100644 index 0000000..6ef5024 --- /dev/null +++ b/charts/argocd-ingress/values.yaml @@ -0,0 +1,15 @@ +enableIngress: "true" +ingressClass: + name: alb + scheme: internal + controllerType: "" +argoService: + argoIngressServiceName: argogrpc + argoServerSericeName: argocd-server +ingress: + grpcService: argogrpc + inboundCidrs: "0.0.0.0/0" + dropHttpHeader: false + privateCertificate: "" + rules: + - host: "" diff --git a/charts/fleet-secret/Chart.yaml b/charts/fleet-secret/Chart.yaml index c9ce855..d0a9e3d 100644 --- a/charts/fleet-secret/Chart.yaml +++ b/charts/fleet-secret/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.2.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/fleet-secret/README.MD b/charts/fleet-secret/README.MD index 5f0d9b5..5522090 100644 --- a/charts/fleet-secret/README.MD +++ b/charts/fleet-secret/README.MD @@ -1,9 +1,11 @@ # Fleet Secret Helm Chart ## Overview + A Helm chart for managing Kubernetes secrets in a GitOps environment, specifically designed for cluster registration and secret management. This chart handles multiple secret types including cluster credentials, repository access, and ECR authentication, with support for both direct secret creation and external secrets management through External Secrets Operator. ## Prerequisites + - Kubernetes 1.16+ - Helm 3.x - External Secrets Operator installed in the cluster (required for external secrets functionality) @@ -13,24 +15,27 @@ A Helm chart for managing Kubernetes secrets in a GitOps environment, specifical ## Secret Types Supported ### Cluster Secrets + - Manages ArgoCD cluster secrets for registration -- Supports both direct and external secrets management -- Configurable through `externalSecret` or `secret` values +- Manages gitExternalSecrets for conecting spoke clusters to relevant repos - Automatically adds required ArgoCD secret labels ### Repository Secrets + - Handles Git repository authentication - Supports GitHub App authentication - Configurable through `gitExternalSecrets` values - Supports multiple repository configurations ### ECR Authentication + - Manages ECR authentication token rotation - Creates tokens for container registry access - Configurable through `ecrAuthenticationToken` values - Supports automatic token refresh ### AWS Secret Store + - Sets up SecretStore/ClusterSecretStore for AWS Secrets Manager - Configurable through `secretStore` values - Supports IAM role configuration for cross account @@ -41,11 +46,11 @@ A Helm chart for managing Kubernetes secrets in a GitOps environment, specifical ```yaml secretStore: - enabled: true # Enable/disable SecretStore creation - kind: "SecretStore" # Type of store - SecretStore or ClusterSecretStore - name: "aws-secrets-manager" # Name of the SecretStore resource - region: "" # AWS region where Secrets Manager is located - role: "" # Optional IAM role ARN for accessing Secrets Manager + enabled: true # Enable/disable SecretStore creation + kind: 'SecretStore' # Type of store - SecretStore or ClusterSecretStore + name: 'aws-secrets-manager' # Name of the SecretStore resource + region: '' # AWS region where Secrets Manager is located + role: '' # Optional IAM role ARN for accessing Secrets Manager ``` ### External Secret Configuration @@ -53,77 +58,77 @@ secretStore: ```yaml # Configuration for cluster registration secret via External Secrets externalSecret: - enabled: true # Enable/disable cluster registration secret - secretStoreRefName: "fleet-eks-secret-store" # Reference to SecretStore - secretStoreRefKind: "SecretStore" # Type of secret store to reference - server: "self" # Cluster API server - 'self' for local, 'remote' for external - secretManagerSecretName: "" # AWS Secrets Manager secret name containing cluster credentials - clusterName: "" # Name for the registered cluster + enabled: true # Enable/disable cluster registration secret + secretStoreRefName: 'fleet-eks-secret-store' # Reference to SecretStore + secretStoreRefKind: 'SecretStore' # Type of secret store to reference + server: 'self' # Cluster API server - 'self' for local, 'remote' for external + secretManagerSecretName: '' # AWS Secrets Manager secret name containing cluster credentials + clusterName: '' # Name for the registered cluster ``` ### Git External Secrets Configuration ```yaml gitExternalSecrets: - enabled: true # Enable/disable git repository external secrets - secretStoreRefName: "fleet-eks-secret-store" # Reference to SecretStore - secretStoreRefKind: "SecretStore" # Type of secret store to reference + enabled: true # Enable/disable git repository external secrets + secretStoreRefName: 'fleet-eks-secret-store' # Reference to SecretStore + secretStoreRefKind: 'SecretStore' # Type of secret store to reference externalSecrets: - addons: # Configuration for addons repository and external secret name - gitUrl: "" # Git repository URL - secretName: "git-addons" # K8s secret name to create - secretManagerSecretName: "" # AWS Secrets Manager secret name containing git credentials + addons: # Configuration for addons repository and external secret name + gitUrl: '' # Git repository URL + secretName: 'git-addons' # K8s secret name to create + secretManagerSecretName: '' # AWS Secrets Manager secret name containing git credentials ``` ### ECR Authentication Configuration ```yaml ecrAuthenticationToken: - enabled: true # Enable/disable ECR token generation - region: eu-west-2 # AWS region where ECR is located - name: "ecr-token" # Name of the token generator - namespace: "argocd" # Namespace where to create the secret - secretName: "argocd-ecr-credentials" # Name of the K8s secret for ECR credentials + enabled: true # Enable/disable ECR token generation + region: eu-west-2 # AWS region where ECR is located + name: 'ecr-token' # Name of the token generator + namespace: 'argocd' # Namespace where to create the secret + secretName: 'argocd-ecr-credentials' # Name of the K8s secret for ECR credentials ``` ## Parameters ### Global Parameters -| Parameter | Description | Default | -|-----------|-------------|---------| -| `secretStore.enabled` | Enable AWS Secrets Manager store | `false` | -| `secretStore.kind` | Type of secret store | `"SecretStore"` | -| `secretStore.name` | Name of the secret store | `"aws-secrets-manager"` | -| `secretStore.region` | AWS region for Secrets Manager | `""` | -| `secretStore.role` | IAM role ARN for AWS access | `""` | +| Parameter | Description | Default | +| --------------------- | -------------------------------- | ----------------------- | +| `secretStore.enabled` | Enable AWS Secrets Manager store | `false` | +| `secretStore.kind` | Type of secret store | `"SecretStore"` | +| `secretStore.name` | Name of the secret store | `"aws-secrets-manager"` | +| `secretStore.region` | AWS region for Secrets Manager | `""` | +| `secretStore.role` | IAM role ARN for AWS access | `""` | ### External Secret Parameters -| Parameter | Description | Default | -|-----------|-------------|---------| -| `externalSecret.enabled` | Enable external secret creation | `false` | -| `externalSecret.secretStoreRefName` | Reference to secret store | `"fleet-eks-secret-store"` | -| `externalSecret.server` | Server type (self/remote) | `"self"` | -| `externalSecret.clusterName` | Name of the cluster | `""` | -| `externalSecret.secretManagerSecretName` | Name of secret in AWS Secrets Manager | `""` | +| Parameter | Description | Default | +| ---------------------------------------- | ------------------------------------- | -------------------------- | +| `externalSecret.enabled` | Enable external secret creation | `false` | +| `externalSecret.secretStoreRefName` | Reference to secret store | `"fleet-eks-secret-store"` | +| `externalSecret.server` | Server type (self/remote) | `"self"` | +| `externalSecret.clusterName` | Name of the cluster | `""` | +| `externalSecret.secretManagerSecretName` | Name of secret in AWS Secrets Manager | `""` | ### ECR Authentication Parameters -| Parameter | Description | Default | -|-----------|-------------|---------| -| `ecrAuthenticationToken.enabled` | Enable ECR authentication | `false` | -| `ecrAuthenticationToken.region` | AWS region for ECR | `"eu-west-2"` | -| `ecrAuthenticationToken.namespace` | Namespace for ECR secret | `"argocd"` | -| `ecrAuthenticationToken.name` | Name of ECR token generator | `"ecr-token"` | -| `ecrAuthenticationToken.secretName` | Name of ECR secret | `"argocd-ecr-credentials"` | +| Parameter | Description | Default | +| ----------------------------------- | --------------------------- | -------------------------- | +| `ecrAuthenticationToken.enabled` | Enable ECR authentication | `false` | +| `ecrAuthenticationToken.region` | AWS region for ECR | `"eu-west-2"` | +| `ecrAuthenticationToken.namespace` | Namespace for ECR secret | `"argocd"` | +| `ecrAuthenticationToken.name` | Name of ECR token generator | `"ecr-token"` | +| `ecrAuthenticationToken.secretName` | Name of ECR secret | `"argocd-ecr-credentials"` | ### Git Secrets Parameters -| Parameter | Description | Default | -|-----------|-------------|---------| -| `gitExternalSecrets.enabled` | Enable external Git secrets | `false` | -| `gitExternalSecrets.secretStoreRefName` | Reference to secret store | `"fleet-eks-secret-store"` | +| Parameter | Description | Default | +| --------------------------------------- | --------------------------- | -------------------------- | +| `gitExternalSecrets.enabled` | Enable external Git secrets | `false` | +| `gitExternalSecrets.secretStoreRefName` | Reference to secret store | `"fleet-eks-secret-store"` | ## Usage Examples @@ -132,10 +137,10 @@ ecrAuthenticationToken: ```yaml externalSecret: enabled: true - secretStoreRefName: "fleet-eks-secret-store" - server: "remote" - clusterName: "prod-cluster-01" - secretManagerSecretName: "cluster-prod-01" + secretStoreRefName: 'fleet-eks-secret-store' + server: 'remote' + clusterName: 'prod-cluster-01' + secretManagerSecretName: 'cluster-prod-01' ``` ### ECR Authentication Setup @@ -144,8 +149,8 @@ externalSecret: ecrAuthenticationToken: enabled: true region: eu-west-2 - namespace: "argocd" - secretName: "ecr-creds" + namespace: 'argocd' + secretName: 'ecr-creds' ``` ### Git Repository Authentication @@ -153,13 +158,27 @@ ecrAuthenticationToken: ```yaml gitExternalSecrets: enabled: true - secretStoreRefName: "fleet-eks-secret-store" + secretStoreRefName: 'fleet-eks-secret-store' + secretStoreRefKind: 'SecretStore' + useGitHubApp: true externalSecrets: addons: - secretName: "git-addons" - secretManagerSecretName: "git-addons-creds" + secretName: 'git-addons' + secretManagerSecretName: 'git-addons-creds' + resources: + secretName: 'git-resources' + secretManagerSecretName: 'git-resources-creds' + secretStoreRefName: 'cluster-git-eks-secret-store' + secretStoreRefKind: 'ClusterSecretStore' + usePrivateKey: true ``` +- `secretStoreRefName`, `secretStoreRefKind`, and authentication flags (`useGitHubApp`, `useHttp`, + `usePrivateKey`) can be supplied globally under `gitExternalSecrets` and overridden per secret + by setting the same keys inside each `externalSecrets` entry. +- Per-secret overrides merge shallowly: specify only the fields you need to change for that + repository while inheriting the rest from the top-level configuration. + ## Notes - All secrets are created in the ArgoCD namespace by default @@ -178,4 +197,7 @@ gitExternalSecrets: ## License This chart is licensed under the Apache License 2.0. -``` \ No newline at end of file + +``` + +``` diff --git a/charts/fleet-secret/packages/fleet-secret-0.2.0.tgz b/charts/fleet-secret/packages/fleet-secret-0.2.0.tgz deleted file mode 100644 index 7f28308..0000000 Binary files a/charts/fleet-secret/packages/fleet-secret-0.2.0.tgz and /dev/null differ diff --git a/charts/fleet-secret/packages/infra-tooling-fleet-secret-0.1.0.tgz b/charts/fleet-secret/packages/infra-tooling-fleet-secret-0.1.0.tgz deleted file mode 100644 index 589696a..0000000 Binary files a/charts/fleet-secret/packages/infra-tooling-fleet-secret-0.1.0.tgz and /dev/null differ diff --git a/charts/fleet-secret/packages/infra-tooling-fleet-secret-0.2.0.tgz b/charts/fleet-secret/packages/infra-tooling-fleet-secret-0.2.0.tgz deleted file mode 100644 index 9b8b3d7..0000000 Binary files a/charts/fleet-secret/packages/infra-tooling-fleet-secret-0.2.0.tgz and /dev/null differ diff --git a/charts/fleet-secret/templates/_helpers.tpl b/charts/fleet-secret/templates/_helpers.tpl index 8c69997..ac8b803 100644 --- a/charts/fleet-secret/templates/_helpers.tpl +++ b/charts/fleet-secret/templates/_helpers.tpl @@ -60,3 +60,16 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + +{{/* +Merge Global Values with Cluster Specific to give more flexibility +Usage: {{ $merge := include "fleet-secret.mergeCommon" (dict "global" .Values.global.someConfig "cluster" .Values.someConfig) | fromYaml }} +*/}} +{{- define "fleet-secret.mergeCommon" -}} +{{- $global := .global | default dict }} +{{- $cluster := .cluster | default dict }} +{{- $merged := mergeOverwrite $global $cluster }} +{{- if $merged }} +{{- toYaml $merged }} +{{- end }} +{{- end }} diff --git a/charts/fleet-secret/templates/ecrToken.yaml b/charts/fleet-secret/templates/ecrToken.yaml index 05ecc27..aadd953 100644 --- a/charts/fleet-secret/templates/ecrToken.yaml +++ b/charts/fleet-secret/templates/ecrToken.yaml @@ -1,4 +1,14 @@ {{- if .Values.ecrAuthenticationToken.enabled }} +{{- $globalEndpoints := list }} +{{- if and .Values.global .Values.global.ecrAuthenticationToken .Values.global.ecrAuthenticationToken.registry_endpoints }} +{{- $globalEndpoints = .Values.global.ecrAuthenticationToken.registry_endpoints }} +{{- end }} +{{- $clusterEndpoints := .Values.ecrAuthenticationToken.registry_endpoints | default list }} +{{/* +Merging unique ECR Endpoints +*/}} +{{- $mergedEndpoints := concat $globalEndpoints $clusterEndpoints | uniq }} + apiVersion: generators.external-secrets.io/v1alpha1 kind: ECRAuthorizationToken metadata: @@ -7,9 +17,9 @@ metadata: spec: region: {{.Values.ecrAuthenticationToken.region}} -{{- range $idx, $endpoint := .Values.ecrAuthenticationToken.registry_endpoints }} +{{- range $idx, $endpoint := $mergedEndpoints }} --- -apiVersion: external-secrets.io/v1beta1 +apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: {{$.Values.ecrAuthenticationToken.name}}-{{$idx}} diff --git a/charts/fleet-secret/templates/externalSecret.yaml b/charts/fleet-secret/templates/externalSecret.yaml index 796c4ca..0ce450f 100644 --- a/charts/fleet-secret/templates/externalSecret.yaml +++ b/charts/fleet-secret/templates/externalSecret.yaml @@ -1,5 +1,5 @@ {{- if (eq (toString .Values.externalSecret.enabled) "true")}} -apiVersion: external-secrets.io/v1beta1 +apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: {{ include "fleet-secret.fullname" . }} diff --git a/charts/fleet-secret/templates/gitExternalSecret.yaml b/charts/fleet-secret/templates/gitExternalSecret.yaml index 587fa42..8a08251 100644 --- a/charts/fleet-secret/templates/gitExternalSecret.yaml +++ b/charts/fleet-secret/templates/gitExternalSecret.yaml @@ -1,19 +1,20 @@ {{- if .Values.gitExternalSecrets.enabled }} -{{- $secretStoreRefName := .Values.gitExternalSecrets.secretStoreRefName -}} -{{- $secretStoreRefKind := .Values.gitExternalSecrets.secretStoreRefKind -}} -{{- $useHttp := .Values.gitExternalSecrets.useHttp -}} -{{- $useGitHubApp := .Values.gitExternalSecrets.useGitHubApp | default false -}} -{{- $usePrivateKey := .Values.gitExternalSecrets.usePrivateKey | default false -}} -{{- range $externalSecretName, $externalSecret := .Values.gitExternalSecrets.externalSecrets }} +{{- $secretStoreRefName := .Values.gitExternalSecrets.secretStoreRefName | default "" -}} +{{- $secretStoreRefKind := .Values.gitExternalSecrets.secretStoreRefKind | default "" -}} +{{- $useHttp := .Values.gitExternalSecrets.useHttp | default false -}} +{{- $useGitHubApp := .Values.gitExternalSecrets.useGitHubApp | default false -}} +{{- $usePrivateKey := .Values.gitExternalSecrets.usePrivateKey | default false -}} +{{- $clusterGitSecrets := .Values.gitExternalSecrets.externalSecrets | default dict }} -apiVersion: external-secrets.io/v1beta1 +{{- range $externalSecretName, $externalSecret := $clusterGitSecrets }} +apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: {{ $externalSecretName }} spec: secretStoreRef: - kind: {{ $secretStoreRefKind }} - name: {{ $secretStoreRefName }} + kind: {{ $externalSecret.secretStoreRefKind | default $secretStoreRefKind }} + name: {{ $externalSecret.secretStoreRefName | default $secretStoreRefName }} refreshInterval: "1m" target: name: {{ $externalSecret.secretName }} @@ -22,7 +23,7 @@ spec: engineVersion: v2 templateFrom: - target: Labels - literal: "argocd.argoproj.io/secret-type: repository" + literal: "argocd.argoproj.io/secret-type: {{default "repository" $externalSecret.secretType }}" data: type: "git" {{- if $externalSecret.gitUrl }} @@ -30,21 +31,21 @@ spec: {{- else }} url: "{{`{{ .url }}`}}" {{- end }} - {{- if $useHttp }} + {{- if $externalSecret.useHttp | default $useHttp }} username: "{{`{{ .username }}`}}" password: "{{`{{ .password }}`}}" - {{- end }} - {{- if $usePrivateKey }} + {{- else if $externalSecret.usePrivateKey | default $usePrivateKey }} insecureIgnoreHostKey: "true" sshPrivateKey: "{{`{{ .private_key }}`}}" - {{- end }} - {{- if $useGitHubApp }} + {{- else if $externalSecret.useGitHubApp | default $useGitHubApp }} githubAppID: "{{`{{ .github_app_id }}`}}" githubAppInstallationID: "{{`{{ .github_app_installation_id }}`}}" githubAppPrivateKey: "{{`{{ .github_private_key }}`}}" {{- end }} dataFrom: - extract: + conversionStrategy: {{ default "Default" $externalSecret.conversionStrategy }} + metadataPolicy: {{ default "None" $externalSecret.metadataPolicy }} key: {{ $externalSecret.secretManagerSecretName }} decodingStrategy: Auto --- diff --git a/charts/fleet-secret/templates/secretstore.yaml b/charts/fleet-secret/templates/secretstore.yaml index e2ce6ea..ded3f0b 100644 --- a/charts/fleet-secret/templates/secretstore.yaml +++ b/charts/fleet-secret/templates/secretstore.yaml @@ -1,5 +1,5 @@ {{- if .Values.secretStore.enabled }} -apiVersion: external-secrets.io/v1beta1 +apiVersion: external-secrets.io/v1 kind: {{ .Values.secretStore.kind }} metadata: name: {{ .Values.secretStore.name }} diff --git a/charts/fleet-secret/values.yaml b/charts/fleet-secret/values.yaml index 83bce84..11718ac 100644 --- a/charts/fleet-secret/values.yaml +++ b/charts/fleet-secret/values.yaml @@ -1,3 +1,9 @@ +# Example of global values to append if we want to add more endpoints withough replciation +global: + # ecrAuthenticationToken: + # registry_endpoints: + # - 1234456698772.dkr.ecr.eu-west-2.amazonaws.com + secretStore: enabled: false kind: "SecretStore" @@ -5,6 +11,27 @@ secretStore: region: "" role: "" +gitExternalSecrets: + enabled: false + useGitHubApp: true + secretStoreRefName: fleet-git-eks-secret-store + secretStoreRefKind: SecretStore + externalSecrets: {} + # We can overwrite above values on the cluster secret level + # Example: + # externalSecrets: + # addons: + # secretName: git-addons + # secretManagerSecretName: shared/addons + # secretType: repository + # resources: + # useHttp: true + # secretName: git-resources + # secretStoreRefName: cluster-git-eks-secret-store + # secretStoreRefKind: ClusterSecretStore + # secretManagerSecretName: shared/resources + # secretType: repository + externalSecret: enabled: false secretStoreRefName: "fleet-eks-secret-store" @@ -13,18 +40,12 @@ externalSecret: secretManagerSecretName: "" clusterName: "" -gitExternalSecrets: - enabled: false - secretStoreRefName: "fleet-eks-secret-store" - secretStoreRefKind: "SecretStore" - externalSecrets: {} - ecrAuthenticationToken: enabled: false name: ecr-token-secret namespace: argocd region: "eu-west-2" secretName: argocd-ecr-credentials - registry_endpoints: + registry_endpoints: - 12345678910.dkr.ecr.eu-west-2.amazonaws.com - 10987654321.dkr.ecr.eu-west-2.amazonaws.com