diff --git a/lma/base/resources.yaml b/lma/base/resources.yaml index e172888..21dfe8c 100644 --- a/lma/base/resources.yaml +++ b/lma/base/resources.yaml @@ -757,7 +757,7 @@ spec: type: helmrepo repository: https://harbor.taco-cat.xyz/chartrepo/tks name: lma-addons - version: 1.8.4 + version: 1.8.5 origin: https://openinfradev.github.io/helm-repo releaseName: addons targetNamespace: lma diff --git a/lma/base/site-values.yaml b/lma/base/site-values.yaml index 3cb2094..0b563d6 100644 --- a/lma/base/site-values.yaml +++ b/lma/base/site-values.yaml @@ -173,10 +173,10 @@ charts: versioning: true objectlocking: false customCommands: - - command: ilm rule add --expire-days 90 myminio/thanos - - command: ilm rule add --expire-days 15 myminio/loki - - command: ilm ls myminio/thanos - - command: ilm ls myminio/loki + - command: ilm rule add --expire-days 90 myminio/tks-thanos + - command: ilm rule add --expire-days 15 myminio/tks-loki + - command: ilm ls myminio/tks-thanos + - command: ilm ls myminio/tks-loki persistence.storageClass: $(storageClassName) persistence.accessMode: ReadWriteOnce persistence.size: 20Gi diff --git a/policy/base/kustomization.yaml b/policy/base/kustomization.yaml new file mode 100644 index 0000000..fdb088d --- /dev/null +++ b/policy/base/kustomization.yaml @@ -0,0 +1,5 @@ +resources: + - resources.yaml + +transformers: + - site-values.yaml diff --git a/policy/base/resources.yaml b/policy/base/resources.yaml new file mode 100644 index 0000000..b846bf7 --- /dev/null +++ b/policy/base/resources.yaml 
@@ -0,0 +1,37 @@ +--- +apiVersion: helm.fluxcd.io/v1 +kind: HelmRelease +metadata: + labels: + name: opa-gatekeeper + name: opa-gatekeeper +spec: + chart: + type: helmrepo + repository: https://harbor.taco-cat.xyz/chartrepo/tks + name: gatekeeper + version: 3.13.0 + origin: https://open-policy-agent.github.io/gatekeeper/charts + helmVersion: v3 + releaseName: opa-gatekeeper + targetNamespace: gatekeeper-system + values: + enableDeleteOperations: true +--- +apiVersion: helm.fluxcd.io/v1 +kind: HelmRelease +metadata: + labels: + name: policy-resources + name: policy-resources +spec: + chart: + type: helmrepo + repository: https://harbor.taco-cat.xyz/chartrepo/tks + name: policy-resources + version: 1.0.0 + origin: https://openinfradev.github.io/helm-charts/policy-resources + helmVersion: v3 + releaseName: policy-resources + targetNamespace: gatekeeper-system + values: {} \ No newline at end of file diff --git a/policy/base/site-values.yaml b/policy/base/site-values.yaml new file mode 100644 index 0000000..8b181ee --- /dev/null +++ b/policy/base/site-values.yaml @@ -0,0 +1,27 @@ +apiVersion: openinfradev.github.com/v1 +kind: HelmValuesTransformer +metadata: + name: site + +global: + # Specify nodes to install workload + nodeSelector: + taco-lma: enabled + # Specify cluster name. It is useful in multi-cluster env. + clusterName: cluster.local + # Storageclass to install persistant + storageClassName: taco-storage + +charts: +- name: opa-gatekeeper + override: + postUpgrade.nodeSelector: $(nodeSelector) + postInstall.nodeSelector: $(nodeSelector) + preUninstall.nodeSelector: $(nodeSelector) + controllerManager.nodeSelector: $(nodeSelector) + audit.nodeSelector: $(nodeSelector) + crds.nodeSelector: $(nodeSelector) + + enableDeleteOperations: true + +- name: policy-resources diff --git a/service-mesh/base/resources.yaml b/service-mesh/base/resources.yaml index 55cb349..8df5713 100644 --- a/service-mesh/base/resources.yaml +++ b/service-mesh/base/resources.yaml 
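Review bot: The opa-gatekeeper release sets only `enableDeleteOperations: true` under `values:` and leaves the webhook failure policy at the chart default, which for the upstream gatekeeper chart is `Ignore`, so while the webhook is down or slow the API server admits requests unchecked and the constraints shipped by policy-resources silently stop being enforced. If fail-closed enforcement is the intent, add `validatingWebhookFailurePolicy: Fail` next to `enableDeleteOperations` (and `mutatingWebhookFailurePolicy: Fail` if mutation is used), and record the trade-off in a comment such as `# fail closed: a gatekeeper outage blocks admission in non-exempt namespaces`. The policy-resources release is installed into the same `gatekeeper-system` namespace with `values: {}` and, as far as the hunk shows, no ordering dependency on the gatekeeper release, so its ConstraintTemplates may fail to apply on first reconcile if the CRDs are not yet present — worth confirming against how this transformer sequences releases.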
@@ -460,6 +460,7 @@ spec: servers: cassandra-dc-service.tks-msa.svc keyspace: jaeger_v1_datacenter cassandraCreateSchema: + image: harbor.taco-cat.xyz/tks/jaeger-cassandra-schema:1.35.0 datacenter: "dc" mode: "prod" timeout: "3m" diff --git a/service-mesh/base/site-values.yaml b/service-mesh/base/site-values.yaml index 0b3074a..ef7c8de 100644 --- a/service-mesh/base/site-values.yaml +++ b/service-mesh/base/site-values.yaml @@ -162,6 +162,11 @@ charts: options: servers: cassandra-dc-service.tks-msa.svc keyspace: jaeger_v1_datacenter + cassandraCreateSchema: + image: harbor.taco-cat.xyz/tks/jaeger-cassandra-schema:1.35.0 + datacenter: "dc" + mode: "prod" + timeout: "3m" dependencies: enabled: true image: harbor.taco-cat.xyz/tks/spark-dependencies:1.35.0 diff --git a/tks-admin-tools/base/kustomization.yaml b/tks-admin-tools/base/kustomization.yaml new file mode 100644 index 0000000..fdb088d --- /dev/null +++ b/tks-admin-tools/base/kustomization.yaml @@ -0,0 +1,5 @@ +resources: + - resources.yaml + +transformers: + - site-values.yaml diff --git a/tks-admin-tools/base/resources.yaml b/tks-admin-tools/base/resources.yaml new file mode 100644 index 0000000..abb5ef6 --- /dev/null +++ b/tks-admin-tools/base/resources.yaml 
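Review bot: The added `cassandraCreateSchema.image` pins the schema-creation job by the mutable tag `1.35.0` with no digest, so whatever is later pushed under that tag in `harbor.taco-cat.xyz/tks` is what runs against the `jaeger_v1_datacenter` keyspace with the Cassandra credentials. That matches the `spark-dependencies:1.35.0` convention already in this file, so a digest here alone would be inconsistent; the practical mitigation is a tag-immutability rule on the `tks` project in Harbor covering these mirrored images, and a comment above the line saying so, e.g. `# mutable tag; relies on Harbor tag-immutability rule for tks/*`. If no such rule exists, pinning by `@sha256:` digest is the safer default for a job that mutates the tracing schema in `mode: "prod"`.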
@@ -0,0 +1,246 @@ +--- +apiVersion: helm.fluxcd.io/v1 +kind: HelmRelease +metadata: + labels: + name: keycloak + name: keycloak +spec: + chart: + type: helmrepo + repository: https://harbor.taco-cat.xyz/chartrepo/tks + name: keycloak + version: 15.1.6 + origin: https://github.com/bitnami/charts/tree/main/bitnami/keycloak + releaseName: keycloak + targetNamespace: keycloak + values: + global: + storageClass: "taco-storage" + auth: + adminUser: "admin" + adminPassword: password + proxy: edge + httpRelativePath: "/auth/" + production: true + replicaCount: 1 # tunable + ingress: + enabled: true + ingressClassName: nginx # tunable + hostname: TO_BE_FIXED + annotations: + nginx.ingress.kubernetes.io/proxy-buffer-size: 20k + acme.cert-manager.io/http01-edit-in-place: "true" + cert-manager.io/cluster-issuer: http0issuer + tls: true + selfSigned: false + cache: + enabled: true + stackName: kubernetes + postgresql: + enabled: false + externalDatabase: + host: "postgresql.tks-db.svc" # tunable + port: 5432 + password: password + readinessProbe: + failureThreshold: 10 + extraEnvVars: + - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY + value: "true" + +--- +apiVersion: helm.fluxcd.io/v1 +kind: HelmRelease +metadata: + labels: + name: tks-apis + name: tks-apis +spec: + chart: + type: helmrepo + repository: https://harbor.taco-cat.xyz/chartrepo/tks + name: tks-apis + version: 0.1.2 + origin: https://openinfradev.github.io/helm-repo + releaseName: tks-apis + targetNamespace: tks + values: + gitBaseUrl: https://github.com + gitAccount: decapod10 + db: + dbHost: postgresql.tks-db.svc + adminUser: postgres + adminPassword: password # tunable + dbUser: tksuser + dbPassword: password # tunable + tksapi: + replicaCount: 1 + image: + repository: harbor.taco-cat.xyz/tks/tks-api + tag: v3.0.1 + # Master org's admin password + tksAccount: + password: admin # tunable + args: + imageRegistryUrl: "harbor.taco-cat.xyz/appserving" # tunable + harborPwSecret: "harbor-core" + gitRepositoryUrl: 
"github.com/openinfradev" # tunable + keycloakAddress: http://keycloak.keycloak.svc:80/auth + tksbatch: + replicaCount: 1 + image: + repository: harbor.taco-cat.xyz/tks/tks-batch + tag: v3.0.0 + tksconsole: + replicaCount: 1 + image: + repository: harbor.taco-cat.xyz/tks/tks-console + tag: v3.0.1 + +--- +apiVersion: helm.fluxcd.io/v1 +kind: HelmRelease +metadata: + labels: + name: harbor + name: harbor +spec: + chart: + type: helmrepo + repository: https://harbor.taco-cat.xyz/chartrepo/tks + name: harbor + version: 1.11.0 + origin: https://github.com/goharbor/harbor-helm + releaseName: harbor + targetNamespace: harbor + values: + expose: + tls: + certSource: secret + secret: + secretName: "harbor.taco-cat-tls" # tunable + ingress: + hosts: + core: TO_BE_FIXED + className: "nginx" # tunable + annotations: + cert-manager.io/cluster-issuer: http0issuer + acme.cert-manager.io/http01-edit-in-place: "true" + externalURL: TO_BE_FIXED + ####################################################### + ## all values under persistence are tunable (for HA) ## + ####################################################### + persistence: + persistentVolumeClaim: + registry: + storageClass: taco-storage + accessMode: ReadWriteOnce + size: 200Gi + chartmuseum: + storageClass: taco-storage + accessMode: ReadWriteOnce + size: 20Gi + jobservice: + jobLog: + storageClass: taco-storage + accessMode: ReadWriteOnce + scanDataExports: + storageClass: taco-storage + accessMode: ReadWriteOnce + redis: + storageClass: taco-storage + accessMode: ReadWriteOnce + trivy: + storageClass: taco-storage + database: + type: external + external: + host: "postgresql.tks-db.svc" # tunable + port: "5432" + username: "harbor" + password: password # tunable + existingSecret: "" + # "disable" - No SSL + # "require" - Always SSL (skip verification) + # "verify-ca" - Always SSL (verify that the certificate presented by the + # server was signed by a trusted CA) + # "verify-full" - Always SSL (verify that the 
certification presented by the + # server was signed by a trusted CA and the server host name matches the one + # in the certificate) + sslmode: "require" # tunable + notary: + enabled: false + cache: + enabled: true + core: + replicas: 1 # tunable + jobservice: + replicas: 1 # tunable + registry: + replicas: 1 # tunable + chartmuseum: + replicas: 1 # tunable + trivy: + replicas: 1 # tunable + portal: + replicas: 1 # tunable + harborAdminPassword: password # tunable +--- +apiVersion: helm.fluxcd.io/v1 +kind: HelmRelease +metadata: + labels: + name: ingress-nginx + name: ingress-nginx +spec: + helmVersion: v3 + chart: + type: helmrepo + repository: https://harbor.taco-cat.xyz/chartrepo/tks + name: ingress-nginx + version: 4.0.17 + origin: https://kubernetes.github.io/ingress-nginx + releaseName: ingress-nginx + targetNamespace: ingress-nginx + values: + controller: + image: + registry: harbor.taco-cat.xyz + image: tks/controller + digest: "" + admissionWebhooks: + patch: + image: + registry: harbor.taco-cat.xyz + image: tks/kube-webhook-certgen + digest: "" + replicaCount: 1 + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - ingress-nginx + topologyKey: "kubernetes.io/hostname" + service: + externalTrafficPolicy: Local + annotations: {} + type: TO_BE_FIXED + config: + enable-underscores-in-headers: "true" + use-proxy-protocol: "false" + enable-real-ip: "true" + proxy-body-size: "10m" + hostPort: + enabled: true + resources: + requests: + cpu: 100m + memory: 4Gi + wait: true diff --git a/tks-admin-tools/base/site-values.yaml b/tks-admin-tools/base/site-values.yaml new file mode 100644 index 0000000..170affa --- /dev/null +++ b/tks-admin-tools/base/site-values.yaml 
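Review bot: The new tks-admin-tools base commits literal credentials in the HelmRelease values — Keycloak `auth.adminUser: "admin"` / `adminPassword: password`, `externalDatabase.password: password`, tks-apis `db.adminPassword`, `db.dbPassword` and `tksAccount.password: admin`, Harbor `database.external.password: password` and `harborAdminPassword: password` — and explicitly sets `existingSecret: ""` on the Harbor database, so the base renders with well-known defaults whenever the site transformer is not applied or one override key is missed. Both charts accept Secret references instead of inline values: on Harbor use `database.external.existingSecret` and `existingSecretAdminPassword`, and on the Bitnami keycloak chart `auth.existingSecret` and `externalDatabase.existingSecret`, then drop the literal placeholders rather than relying on `# tunable` comments. Separately, `sslmode: "require"` — by the hunk's own comment — encrypts but does not verify the PostgreSQL server certificate, so the Harbor→`postgresql.tks-db.svc` connection is open to an in-cluster MITM; `verify-full` with the tks-db CA mounted is the fail-safe choice if that deployment issues certificates, and if it does not, a comment should say why `require` is accepted. Note the Keycloak ingress is public (`ingress.enabled: true`, `hostname: TO_BE_FIXED`), which is exactly where a default `admin`/`password` pair gets found first.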
@@ -0,0 +1,91 @@ +apiVersion: openinfradev.github.com/v1 +kind: HelmValuesTransformer +metadata: + name: site + +global: + dbHost: ${DATABASE_HOST} + commonPassword: ${COMMON_PASSWORD} + storageClass: ${STORAGE_CLASS} + storageClassHa: ${STORAGE_CLASS_HA} + +charts: +- name: keycloak + override: + global.storageClass: $(storageClass) + auth.adminPassword: $(commonPassword) + ingress.enabled: true + ingress.hostname: TO_BE_FIXED + externalDatabase.host: $(dbHost) + externalDatabase.password: $(commonPassword) + +- name: tks-apis + override: + gitBaseUrl: https://github.com + gitAccount: decapod10 + db: + dbHost: $(dbHost) + adminPassword: $(commonPassword) + dbUser: tksuser + dbPassword: $(commonPassword) + tksapi: + replicaCount: 1 + tksAccount: + password: $(commonPassword) + args: + imageRegistryUrl: "harbor.taco-cat.xyz/appserving" + gitRepositoryUrl: "github.com/openinfradev" + keycloakAddress: http://keycloak.keycloak.svc:80/auth + tksbatch: + replicaCount: 1 + tksconsole: + replicaCount: 1 + +- name: harbor + override: + expose: + ingress: + hosts: + core: TO_BE_FIXED + className: "nginx" + externalURL: TO_BE_FIXED + persistence: + persistentVolumeClaim: + registry: + storageClass: $(storageClassHa) + accessMode: ReadWriteMany + size: 200Gi + chartmuseum: + storageClass: $(storageClassHa) + accessMode: ReadWriteMany + size: 20Gi + jobservice: + jobLog: + storageClass: $(storageClassHa) + accessMode: ReadWriteMany + scanDataExports: + storageClass: $(storageClassHa) + accessMode: ReadWriteMany + redis: + storageClass: $(storageClass) + accessMode: ReadWriteOnce + trivy: + storageClass: $(storageClass) + database: + type: external + external: + host: $(dbHost) + password: $(commonPassword) + core: + replicas: 2 + jobservice: + replicas: 2 + registry: + replicas: 2 + chartmuseum: + replicas: 2 + trivy: + replicas: 2 + portal: + replicas: 2 + harborAdminPassword: $(commonPassword) 
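Review bot: Every privileged credential in this site layer — Keycloak `auth.adminPassword`, Keycloak `externalDatabase.password`, the Postgres `db.adminPassword`, the `tksuser` `db.dbPassword`, the TKS master `tksAccount.password`, Harbor `database.external.password` and `harborAdminPassword` — resolves to the single `$(commonPassword)` / `${COMMON_PASSWORD}` value, so compromise of any one surface (for example the Harbor admin UI behind `externalURL`) also yields the identity provider and the database superuser. Split `global:` into per-service variables such as `${KEYCLOAK_ADMIN_PASSWORD}`, `${DB_ADMIN_PASSWORD}`, `${TKS_DB_PASSWORD}`, `${HARBOR_DB_PASSWORD}` and `${HARBOR_ADMIN_PASSWORD}`, and reference each one separately in the overrides; the database superuser in particular should never share a value with an application-level login. The hunk does not show where `${...}` substitution happens or whether rendered output is committed, so a comment on `global:` stating the injection point (e.g. `# values are injected at render time from the environment; never commit rendered output`) would make the intended handling explicit.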
diff --git a/tks-admin-tools/image/image-values.yaml b/tks-admin-tools/image/image-values.yaml new file mode 100644 index 0000000..cd95f60 --- /dev/null +++ b/tks-admin-tools/image/image-values.yaml @@ -0,0 +1,78 @@ +apiVersion: openinfradev.github.com/v1 +kind: HelmValuesTransformer +metadata: + name: image + +global: + registry: harbor.taco-cat.xyz + +charts: +- name: keycloak + override: + image: + registry: $(registry) + repository: bitnami/keycloak + tag: 21.1.2-debian-11-r0 +- name: tks-api + override: + tks-api: + image: + repository: $(registry)/tks/tks-api + tag: v3.0.1 + tksbatch: + image: + repository: $(registry)/tks/tks-batch + tag: v3.0.0 + tksconsole: + image: + repository: $(registry)/tks/tks-console + tag: v3.0.1 +- name: harbor + override: + portal: + image: + repository: $(registry)/goharbor/harbor-portal + tag: v2.7.0 + core: + image: + repository: $(registry)/goharbor/harbor-core + tag: v2.7.0 + jobservice: + image: + repository: $(registry)/goharbor/harbor-jobservice + tag: v2.7.0 + registry: + registry: + image: + repository: $(registry)/goharbor/registry-photon + tag: v2.7.0 + controller: + image: + repository: $(registry)/goharbor/harbor-registryctl + tag: v2.7.0 + chartmuseum: + image: + repository: $(registry)/goharbor/chartmuseum-photon + tag: v2.7.0 + trivy: + image: + repository: $(registry)/goharbor/trivy-adapter-photon + tag: v2.7.0 + notary: + server: + image: + repository: $(registry)/goharbor/notary-server-photon + tag: v2.7.0 + signer: + image: + repository: $(registry)/goharbor/notary-signer-photon + tag: v2.7.0 + redis: + internal: + image: + repository: $(registry)/goharbor/redis-photon + tag: v2.7.0 + exporter: + image: + repository: $(registry)/goharbor/harbor-exporter + tag: v2.7.0 diff --git a/tks-cluster/base/resources.yaml b/tks-cluster/base/resources.yaml index 59566ef..6c80df8 100644 --- a/tks-cluster/base/resources.yaml +++ b/tks-cluster/base/resources.yaml 
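Review bot: The second chart entry is `- name: tks-api` with a top-level `tks-api:` key, but the HelmRelease in tks-admin-tools/base/resources.yaml is `name: tks-apis` and its values use `tksapi:` for the API image; if the HelmValuesTransformer matches overrides by chart name, this entry is silently skipped and tks-api, tks-batch and tks-console keep the repositories hard-coded in the base instead of following `$(registry)`. Rename the entry to `- name: tks-apis` and the key to `tksapi:` so the override lands on the same path as the base values (the `tksbatch:` and `tksconsole:` keys already match). A quick render of the overlay and a grep for `harbor.taco-cat.xyz/tks/tks-api` in the output would confirm whether the override is applied.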
@@ -95,7 +95,7 @@ spec: registry: harbor.taco-cat.xyz image: tks/kube-webhook-certgen digest: "" - replicaCount: 2 + replicaCount: 1 affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: @@ -119,6 +119,10 @@ spec: proxy-body-size: "10m" hostPort: enabled: true + resources: + requests: + cpu: 100m + memory: 4Gi wait: true # --- # apiVersion: helm.fluxcd.io/v1 diff --git a/tks-cluster/infra/byoh/resources.yaml b/tks-cluster/infra/byoh/resources.yaml index 6d9d2e3..5d6ba0f 100644 --- a/tks-cluster/infra/byoh/resources.yaml +++ b/tks-cluster/infra/byoh/resources.yaml @@ -11,7 +11,7 @@ spec: type: helmrepo repository: https://harbor.taco-cat.xyz/chartrepo/tks name: cluster-api-byoh - version: 0.1.0 + version: 0.3.0 releaseName: cluster-api-byoh targetNamespace: argo values:
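Review bot: The added controller `resources.requests` of `cpu: 100m` / `memory: 4Gi` is a lopsided reservation with no `limits:` block: a 4Gi memory request per ingress-nginx pod will keep the controller Pending on any node with less than roughly 4Gi allocatable, and with `replicaCount` dropped to 1 and `hostPort.enabled: true` that single pod is the cluster's only ingress path, so a scheduling failure here is an availability outage rather than a degraded one. If 4Gi is deliberate for a known connection or `proxy-body-size` profile, add a comment on the `memory:` line saying so; otherwise a request in the hundreds of MiB with a matching `limits:` entry is the usual starting point for this chart, and the replica reduction deserves its own justification in the commit message.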