diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/automations-tools/webhook-receiver/argocd-apps-webhook-receiver-app.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/automations-tools/webhook-receiver/argocd-apps-webhook-receiver-app.yaml
new file mode 100644
index 0000000..fdd8379
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/automations-tools/webhook-receiver/argocd-apps-webhook-receiver-app.yaml
@@ -0,0 +1,51 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: webhook-receiver
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: webhook-receiver
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: avroid-prod
+ sources:
+ - repoURL: https://git.avroid.tech/K8s/k8s-configs.git
+ targetRevision: master
+ ref: values
+ - repoURL: https://actual-devops.github.io/helm-charts
+ chart: "webhook-receiver"
+ targetRevision: 0.2.0
+ helm:
+ valueFiles:
+ - $values/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/automations-tools/webhook-receiver/values-override.yaml
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - ApplyOutOfSyncOnly=true
+ - CreateNamespace=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: webhook-receiver
+ namespace: argocd
+ # Finalizer that ensures that project is not deleted until it is not referenced by any application
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ sourceRepos:
+ - https://actual-devops.github.io/helm-charts
+ - https://git.avroid.tech/K8s/k8s-configs.git
+ # Only permit applications to deploy to the guestbook namespace in the same cluster
+ destinations:
+ - namespace: avroid-prod
+ server: https://kubernetes.default.svc
+ # Deny all cluster-scoped resources from being created, except for Namespace
+ clusterResourceWhitelist:
+ - group: ''
+ kind: Namespace
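Review bot: The comment above `destinations` in the AppProject still reads `# Only permit applications to deploy to the guestbook namespace in the same cluster`, copied from the Argo CD example, while the destination it describes is `avroid-prod`; change it to `# Only permit applications to deploy to the avroid-prod namespace in the same cluster`. The project also sets no `namespaceResourceWhitelist` or `namespaceResourceBlacklist`, so with `automated.prune` and `selfHeal` the chart may create any namespaced kind in avroid-prod, including RoleBinding and Secret; if the chart only needs Deployment, Service, Ingress and ConfigMap, listing those under `namespaceResourceWhitelist` keeps the project to that. The values source tracks `targetRevision: master`, which is usual for a values repo but means every push to that branch is applied to prod without a pinned revision.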
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/automations-tools/webhook-receiver/argocd-apps-webhook-receiver-network-policy.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/automations-tools/webhook-receiver/argocd-apps-webhook-receiver-network-policy.yaml
new file mode 100644
index 0000000..abc2b03
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/automations-tools/webhook-receiver/argocd-apps-webhook-receiver-network-policy.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: webhook-receiver-in
+ namespace: avroid-prod
+ labels:
+ app.kubernetes.io/managed-by: argocd
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: webhook-receiver
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - port: 8081
+ protocol: TCP
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: webhook-receiver-out
+ namespace: avroid-prod
+ labels:
+ app.kubernetes.io/managed-by: argocd
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ ingress: []
+ egress:
+ - to:
+ - ipBlock:
+ # office-balancer.avroid.tech
+ cidr: 10.2.16.2/32
+ ports:
+ - port: 443
+ protocol: TCP
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/automations-tools/webhook-receiver/values-override.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/automations-tools/webhook-receiver/values-override.yaml
new file mode 100644
index 0000000..6e663cc
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/automations-tools/webhook-receiver/values-override.yaml
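Review bot: In `webhook-receiver-in`, `- ports:` and `- from:` are two separate ingress rules (the `-` before `from` starts a second list item), and NetworkPolicy ORs rules together, so any pod in the cluster may reach port 8081 and ingress-nginx may reach every port of the receiver; the intended "8081 only, from ingress-nginx only" needs `from` and `ports` in the same rule. `webhook-receiver-out` uses `podSelector: {}`, which applies the egress-only-to-10.2.16.2:443 rule to every pod in avroid-prod rather than just the receiver, and nothing in it permits UDP/TCP 53 to the cluster DNS, so selected pods presumably cannot resolve jenkins.avroid.tech or vault.avroid.tech at all — confirm against the CNI's handling of DNS. Consider selecting `app.kubernetes.io/name: webhook-receiver` there as well and adding a DNS egress rule; `ingress: []` in that policy has no effect because `policyTypes` lists only Egress.
```yaml
ingress:
  - from:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: ingress-nginx
    ports:
      - port: 8081
        protocol: TCP
```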
@@ -0,0 +1,67 @@
+replicaCount: 2
+
+image:
+ repository: ghcr.io/actual-devops/webhook-receiver
+ pullPolicy: IfNotPresent
+ tag: "0.2.0-1"
+
+serviceAccount:
+ create: false
+ automount: true
+ annotations: {}
+ name: "vault"
+
+ingress:
+ enabled: true
+ className: "nginx"
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ hosts:
+ - host: webhook-receiver.avroid.tech
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+
+resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 50m
+ memory: 64Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+
+volumeMounts: []
+
+configMap:
+ configPath: "/vault/secrets/config.yaml"
+ config: |
+ {{ with secret "team-devops/data/services/ci-cd/webhook-receiver" }}
+ server_port: 8081
+ jenkins:
+ url: "https://jenkins.avroid.tech"
+ user: {{ .Data.data.jenkins_user }}
+ pass: {{ .Data.data.jenkins_pass }}
+ token: {{ .Data.data.jenkins_token }}
+ allowed_webhooks:
+ - repo_name: 'ansible'
+ run_jobs:
+ - job_path: job/Automation/job/DevOps/job/vault-policies-and-roles-update
+ parameterized_job: false
+ - repo_name: 'jenkins-pipelines'
+ run_jobs:
+ - job_path: 'job/jobs-dsl/job/jobs-dsl'
+ parameterized_job: false
+ {{ end }}
+ annotations:
+ vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
+ vault.security.banzaicloud.io/vault-role: "avroid-prod"
+ vault.security.banzaicloud.io/vault-skip-verify: "false"
+ vault.security.banzaicloud.io/vault-path: "avroid-office"
+ vault.security.banzaicloud.io/run-as-user: "100"
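Review bot: The three templated secrets inside `configMap.config` — `user: {{ .Data.data.jenkins_user }}`, `pass: {{ .Data.data.jenkins_pass }}`, `token: {{ .Data.data.jenkins_token }}` — are emitted as plain YAML scalars, so a credential that starts with a YAML indicator, contains `: ` or ` #`, or looks like a number will corrupt the rendered config or change its type at load time; quote them, e.g. `pass: "{{ .Data.data.jenkins_pass }}"` (a value containing `"` would then still need escaping by the template engine, which the page does not show). `ingress.tls: []` publishes webhook-receiver.avroid.tech with no certificate, so webhook payloads would reach the pod in plaintext unless TLS is terminated in front of ingress-nginx; if that is deliberate, a comment on `tls: []` naming where termination happens would save the next reader the question. Reusing the pre-existing `vault` service account (`create: false`, `name: "vault"`) means the receiver inherits whatever Vault role and RBAC that account already carries; a dedicated account bound only to this secret path would narrow that, if the Vault setup allows it.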