From 989647eb713f57f745e504be0c060ff236d8ed10 Mon Sep 17 00:00:00 2001
From: Michael Thomson
Date: Thu, 23 Nov 2023 23:57:19 -0500
Subject: [PATCH] weave gitops
---
 .../helmrepository-weave-gitops.yaml | 9 +
 .../kustomization-weave-gitops.yaml | 18 ++
 .../namespaces/namespace-weave-gitops.yaml | 4 +
 weave-gitops-dashboard.yaml | 36 +++
 weave-gitops/dns-endpoint-weave-gitops.yaml | 12 +
 weave-gitops/helmrelease-weave-gitops.yaml | 219 ++++++++++++++++++
 6 files changed, 298 insertions(+)
 create mode 100644 bootstrap/helmrepositories/helmrepository-weave-gitops.yaml
 create mode 100644 bootstrap/kustomizations/kustomization-weave-gitops.yaml
 create mode 100644 bootstrap/namespaces/namespace-weave-gitops.yaml
 create mode 100644 weave-gitops-dashboard.yaml
 create mode 100644 weave-gitops/dns-endpoint-weave-gitops.yaml
 create mode 100644 weave-gitops/helmrelease-weave-gitops.yaml
diff --git a/bootstrap/helmrepositories/helmrepository-weave-gitops.yaml b/bootstrap/helmrepositories/helmrepository-weave-gitops.yaml
new file mode 100644
index 0000000..0a8aa99
--- /dev/null
+++ b/bootstrap/helmrepositories/helmrepository-weave-gitops.yaml
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: weave-gitops
+ namespace: flux-system
+spec:
+ interval: 15m
+ type: oci
+ url: oci://ghcr.io/weaveworks/charts
diff --git a/bootstrap/kustomizations/kustomization-weave-gitops.yaml b/bootstrap/kustomizations/kustomization-weave-gitops.yaml
new file mode 100644
index 0000000..a53b7bb
--- /dev/null
+++ b/bootstrap/kustomizations/kustomization-weave-gitops.yaml
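Review bot: Declaring this HelmRepository in flux-system means the HelmRelease in weave-gitops/helmrelease-weave-gitops.yaml reaches it through a cross-namespace sourceRef (`namespace: flux-system`), which helm-controller refuses when it runs with `--no-cross-namespace-refs`, the usual setting for a tenancy lockdown. If that flag is not in use this works, but the dependency is invisible from this file. Either move the source into the weave-gitops namespace next to its consumer, or add a comment above `spec:` such as `# consumed cross-namespace by weave-gitops/helmrelease-weave-gitops.yaml; requires helm-controller without --no-cross-namespace-refs`.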
@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: weave-gitops
+ namespace: flux-system
+spec:
+ interval: 15m
+ path: ./weave-gitops
+ prune: true # remove any elements later removed from the above path
+ timeout: 2m # if not set, this defaults to interval duration, which is 1h
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ healthChecks:
+ - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+ kind: HelmRelease
+ name: weave-gitops
+ namespace: weave-gitops
diff --git a/bootstrap/namespaces/namespace-weave-gitops.yaml b/bootstrap/namespaces/namespace-weave-gitops.yaml
new file mode 100644
index 0000000..4319604
--- /dev/null
+++ b/bootstrap/namespaces/namespace-weave-gitops.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: weave-gitops
diff --git a/weave-gitops-dashboard.yaml b/weave-gitops-dashboard.yaml
new file mode 100644
index 0000000..85cbb11
--- /dev/null
+++ b/weave-gitops-dashboard.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ annotations:
+ metadata.weave.works/description: This is the source location for the Weave GitOps
+ Dashboard's helm chart.
+ labels:
+ app.kubernetes.io/component: ui
+ app.kubernetes.io/created-by: weave-gitops-cli
+ app.kubernetes.io/name: weave-gitops-dashboard
+ app.kubernetes.io/part-of: weave-gitops
+ name: ww-gitops
+ namespace: flux-system
+spec:
+ interval: 1h0m0s
+ type: oci
+ url: oci://ghcr.io/weaveworks/charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ annotations:
+ metadata.weave.works/description: This is the Weave GitOps Dashboard. It provides
+ a simple way to get insights into your GitOps workloads.
+ name: ww-gitops
+ namespace: flux-system
+spec:
+ chart:
+ spec:
+ chart: weave-gitops
+ sourceRef:
+ kind: HelmRepository
+ name: ww-gitops
+ interval: 1h0m0s
+
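Review bot: The inline comment on `timeout: 2m` says the default would be the interval "which is 1h", but this spec sets `interval: 15m` two lines above, so the comment is stale and misleading. A second wrinkle is that the health check on the `weave-gitops` HelmRelease is bounded by this 2m timeout while the HelmRelease in weave-gitops/helmrelease-weave-gitops.yaml allows its install 5m, so a slow first install would likely make this Kustomization report a failed health check before Helm itself gives up. Consider `timeout: 6m # must exceed the HelmRelease timeout (5m) so the health check can observe the install outcome`, or shorten the HelmRelease timeout, and drop the 1h remark either way.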
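Review bot: The namespace carries no Pod Security Admission labels, so the hardening that the HelmRelease in weave-gitops/helmrelease-weave-gitops.yaml applies (runAsNonRoot, allowPrivilegeEscalation false, drop ALL, seccompProfile RuntimeDefault, readOnlyRootFilesystem) is only a chart value and is not enforced at the namespace boundary. Those container settings appear to satisfy the `restricted` profile, so the namespace can enforce it by adding `labels:` / `pod-security.kubernetes.io/enforce: restricted` / `pod-security.kubernetes.io/enforce-version: latest` under `metadata:`. Any other workload that lands in this namespace later would then have to meet the same bar rather than silently running privileged.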
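Review bot: weave-gitops-dashboard.yaml sits at the repository root, outside the `./weave-gitops` path that bootstrap/kustomizations/kustomization-weave-gitops.yaml reconciles, so it is either dead configuration or, if a root-level Kustomization exists, a second deployment of the dashboard. It duplicates the OCI source already declared in bootstrap/helmrepositories/helmrepository-weave-gitops.yaml (same `oci://ghcr.io/weaveworks/charts`, here named `ww-gitops`) and adds a second HelmRelease in flux-system with no chart `version`, while the release in weave-gitops/ is at least bounded to `4.x`. The final line of the 36-line hunk is not readable here, so any values it carried cannot be reviewed. The `app.kubernetes.io/created-by: weave-gitops-cli` label suggests this is CLI output committed by accident; either delete the file or fold any intended differences into weave-gitops/helmrelease-weave-gitops.yaml and drop the duplicate HelmRepository.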
diff --git a/weave-gitops/dns-endpoint-weave-gitops.yaml b/weave-gitops/dns-endpoint-weave-gitops.yaml
new file mode 100644
index 0000000..0f48e16
--- /dev/null
+++ b/weave-gitops/dns-endpoint-weave-gitops.yaml
@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: weave-gitops.michaelthomson.dev
+ namespace: weave-gitops
+spec:
+ endpoints:
+ - dnsName: weave-gitops.michaelthomson.dev
+ recordTTL: 180
+ recordType: CNAME
+ targets:
+ - server.michaelthomson.dev
diff --git a/weave-gitops/helmrelease-weave-gitops.yaml b/weave-gitops/helmrelease-weave-gitops.yaml
new file mode 100644
index 0000000..8b7c496
--- /dev/null
+++ b/weave-gitops/helmrelease-weave-gitops.yaml
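Review bot: The CNAME publishes `weave-gitops.michaelthomson.dev` while the Ingress for that host in weave-gitops/helmrelease-weave-gitops.yaml is created with `className: ""` and no annotations, so which ingress controller answers at `server.michaelthomson.dev` depends on a cluster default that neither file names. If no default IngressClass is set cluster-wide, the public record resolves but nothing serves the host; this cannot be verified from the hunk. A short comment above `spec:` would make the record self-describing, e.g. `# CNAME to the cluster ingress entry point; the matching Ingress (className empty, so cluster-default controller) is in helmrelease-weave-gitops.yaml`.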
@@ -0,0 +1,219 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: weave-gitops
+ namespace: weave-gitops
+spec:
+ chart:
+ spec:
+ chart: weave-gitops
+ version: 4.x
+ sourceRef:
+ kind: HelmRepository
+ name: weave-gitops
+ namespace: flux-system
+ interval: 15m
+ timeout: 5m
+ releaseName: weave-gitops
+ values:
+ # Default values for chart.
+ # This is a YAML-formatted file.
+ # Declare variables to be passed into your templates.
+
+ # Note: paragraphs starting with `# --` will end up in our manual -
+ # see https://github.com/norwoodj/helm-docs
+ replicaCount: 1
+ image:
+ # FIXME check the app name
+ repository: ghcr.io/weaveworks/wego-app
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: "v0.37.0"
+ imagePullSecrets: []
+ nameOverride: ""
+ fullnameOverride: ""
+ # -- What log level to output. Valid levels are 'debug', 'info', 'warn' and 'error'
+ logLevel: info
+ # -- Additional arguments to pass in to the gitops-server
+ additionalArgs: []
+ # Any other environment variables:
+ envVars:
+ - name: WEAVE_GITOPS_FEATURE_TENANCY
+ value: "true"
+ - name: WEAVE_GITOPS_FEATURE_CLUSTER
+ value: "false"
+ # -- Annotations to add to the deployment
+ annotations: {}
+ # Should the 'oidc-auth' secret be created. For a detailed
+ # explanation of these attributes please see our documentation:
+ # https://docs.gitops.weave.works/docs/configuration/securing-access-to-the-dashboard/#login-via-an-oidc-provider
+ oidcSecret:
+ create: false
+ # clientID:
+ # clientSecret:
+ # issuerURL:
+ # redirectURL:
+ # -- If non empty, additional keys can be added to the OIDC secret
+ additionalKeys: {}
+ # additionalKeys:
+ # claimUsername: "email"
+ # claimGroups: "groups"
+ # customScopes: "openid,offline_access,email,groups"
+ serviceAccount:
+ # -- Specifies whether a service account should be created
+ create: true
+ # -- Annotations to add to the service account
+ annotations: {}
+ # -- The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+ rbac:
+ # -- Specifies whether the clusterRole & binding to the service account should be created
+ create: true
+ # -- If non-empty, this limits the resources that the service
+ # account can impersonate. This applies to both users and groups, e.g.
+ # `['user1@corporation.com', 'user2@corporation.com', 'operations']`
+ impersonationResourceNames: []
+ # -- Limit the type of principal that can be impersonated
+ impersonationResources: ["users", "groups"]
+ # -- If non-empty, this limits the secrets that can be accessed by
+ # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
+ viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
+ # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role.
+ # for example,
+ # additionalRules:
+ # - apiGroups: ["infra.contrib.fluxcd.io"]
+ # resources: ["terraforms"]
+ # verbs: [ "get", "list", "patch" ]
+ additionalRules: []
+ adminUser:
+ # -- Whether the local admin user should be created.
+ # If you use this make sure you add it to `rbac.impersonationResourceNames`.
+ create: false
+ # -- Specifies whether the clusterRole & binding to the admin user should be created.
+ # Will be created only if `adminUser.create` is enabled. Without this,
+ # the adminUser will only be able to see resources in the target namespace.
+ createClusterRole: true
+ # -- Whether we should create the secret for the local
+ # adminUser. Will be created only if `adminUser.create` is
+ # enabled. Without this, we'll still set up the roles and
+ # permissions, but the secret with username and password has to be
+ # provided separately.
+ createSecret: true
+ # -- Set username for local admin user, this should match the value in the secret `cluster-user-auth`
+ # which can be created with `adminUser.createSecret`. Requires `adminUser.create`.
+ username: gitops-test-user
+ # -- (string) Set the password for local admin user. Requires `adminUser.create` and `adminUser.createSecret`
+ # This needs to have been hashed using bcrypt.
+ # You can do this via our CLI with `gitops get bcrypt-hash`.
+ passwordHash:
+ podAnnotations: {}
+ podLabels: {}
+ # aadpodidbinding: identity
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: 1000
+ readOnlyRootFilesystem: true
+ service:
+ create: true
+ type: ClusterIP
+ port: 9001
+ # nodePort:
+ annotations: {}
+ ingress:
+ enabled: true
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: weave-gitops.michaelthomson.dev
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ hosts:
+ - weave-gitops.michaelthomson.dev
+ extraVolumes: []
+ extraVolumeMounts: []
+ # Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret
+ # with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the
+ # secretProviderClass so this will be created by the secrets store CSI driver.
+ # See https://secrets-store-csi-driver.sigs.k8s.io/topics/sync-as-kubernetes-secret.html
+ # extraVolumeMounts:
+ # - name: ww-gitops-oauth-volume
+ # mountPath: /mnt/secrets
+ # readOnly: true
+ # extraVolumes:
+ # - name: ww-gitops-oauth-volume
+ # csi:
+ # driver: secrets-store.csi.k8s.io
+ # readOnly: true
+ # volumeAttributes:
+ # secretProviderClass: ww-gitops-oauth-provider
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ networkPolicy:
+ # -- Specifies whether default network policies should be created.
+ create: true
+ nodeSelector: {}
+ tolerations: []
+ affinity: {}
+ serverTLS:
+ # -- Enable TLS termination in gitops itself. If you enable this,
+ # you need to create a secret, and specify the secretName. Another
+ # option is to create an ingress.
+ enable: false
+ # -- Specify the tls secret name. This type of secrets have a key called `tls.crt` and `tls.key` containing their corresponding values in base64 format.
+ # See
+ # https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more details and examples
+ secretName: "my-secret-tls"
+ # Example of tls secret
+ #
+ # apiVersion: v1
+ # kind: Secret
+ # metadata:
+ # name: my-secret-tls
+ # type: kubernetes.io/tls
+ # data:
+ # # the data is abbreviated in this example
+ # tls.crt: |
+ # MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
+ # tls.key: |
+ # MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
+ #
+ # You can also create a tls secre t from files whith this k8s command:
+ # kubectl create secret tls my-tls-secret \
+ # --cert=path/to/cert/file \
+ # --key=path/to/key/file
+ metrics:
+ # -- Start the metrics exporter
+ enabled: false
+ service:
+ # -- Port to start the metrics exporter on
+ port: 2112
+ # -- Annotations to set on the service
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/path: "/metrics"
+ prometheus.io/port: "{{ .Values.metrics.service.port }}"
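Review bot: `version: 4.x` lets the chart float across the whole 4.x range while `image.tag: "v0.37.0"` pins the application image, so a chart bump that expects a newer appVersion would run against the old image (the chart's own comment says the tag overrides the appVersion default). Pin `version` to an exact chart version and remove the `tag` override so chart and image move together, or leave a comment explaining why they are deliberately decoupled. On authentication, `oidcSecret.create: false` and `adminUser.create: false` together mean this release configures no login path, so the dashboard behind the public Ingress depends on an `oidc-auth` secret provisioned elsewhere; a comment next to `oidcSecret:` naming where that secret comes from (presumably an external secret manager, to be confirmed) would let a reviewer verify it rather than assume it. Finally, most of the `values:` block is the chart's default values.yaml pasted verbatim, including its `# --` helm-docs markers and a `# FIXME check the app name`; keeping only the overridden keys (image, envVars, securityContext, ingress, networkPolicy) would make the actual deviations from the defaults reviewable.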