diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/automations-tools/helm-aggregator/values.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/automations-tools/helm-aggregator/values.yaml
index ed4c6fb..26eb146 100644
--- a/clusters/k8s-avroid-office.prod.local/namespaces/automations-tools/helm-aggregator/values.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/automations-tools/helm-aggregator/values.yaml
@@ -42,6 +42,8 @@ nodeSelector:
 config: |
 port: "8080"
 repos:
+ - name: prometheus-community
+ url: https://prometheus-community.github.io/helm-charts
 - name: wiremind
 url: https://wiremind.github.io/wiremind-helm-charts
 - name: stevehipwell
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/.rbac/argocd-apps-harbor-registry-secret.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/.rbac/argocd-apps-harbor-registry-secret.yaml
new file mode 100644
index 0000000..8b1dbdc
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/.rbac/argocd-apps-harbor-registry-secret.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: argocd
+ name: harbor-registry-secret
+ namespace: cloud-prod
+ annotations:
+ vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
+ vault.security.banzaicloud.io/vault-role: "cloud-prod"
+ vault.security.banzaicloud.io/vault-skip-verify: "false"
+ vault.security.banzaicloud.io/vault-path: "avroid-office"
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuYXZyb2lkLnRlY2giOnsidXNlcm5hbWUiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLmxvZ2luIiwicGFzc3dvcmQiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLnRva2VuIiwiYXV0aCI6ImNtOWliM1FrWTJrNlNGSnFPV2xJUVhoMlZVbDFlVlJhYjJkMVMxQmtSMjFVUzA4MlVqbGtVbm89In19fQo=
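Review bot: The `.dockerconfigjson` value of the new `harbor-registry-secret` decodes to a JSON whose `username` and `password` are `vault:` references, but whose `auth` field is a literal base64-encoded `user:token` pair, so a working registry credential is committed to the repository in plaintext-equivalent form no matter what the webhook injects (base64 is an encoding, not encryption, and Docker-style clients use `auth` in preference to username/password when both are present). Treat that robot credential as exposed and rotate it, then either drop the `auth` key or make it a `vault:` reference as well, if the vault-secrets-webhook resolves references inside `.dockerconfigjson` — confirm against its documentation. A comment above `data:` would also help the next reader, e.g. `# Fields are vault: references resolved by the vault-secrets-webhook at admission; never commit a literal credential here`.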
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/.rbac/argocd-apps-vault-service-account.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/.rbac/argocd-apps-vault-service-account.yaml
new file mode 100644
index 0000000..cd426ae
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/.rbac/argocd-apps-vault-service-account.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kubernetes.io/instance: vault-sa
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: vault-operator
+ app.kubernetes.io/part-of: vault-operator
+ app.kubernetes.io/managed-by: argocd
+ name: vault
+ namespace: cloud-prod
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/argocd-apps-cloud-prod.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/argocd-apps-cloud-prod.yaml
new file mode 100644
index 0000000..0597d0f
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/argocd-apps-cloud-prod.yaml
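Review bot: The labels `app.kubernetes.io/created-by: vault-operator` and `app.kubernetes.io/part-of: vault-operator` on the `vault` ServiceAccount contradict `app.kubernetes.io/managed-by: argocd` two lines below, and nothing in this commit involves the Vault operator; the account appears to be a plain SA that Argo CD creates and that the `cloud-prod` Vault role (see the `vault-role` annotations elsewhere in the commit) is presumably bound to. Either drop those two labels or set them to the real owner, and state the account's purpose in a comment above `name: vault`, e.g. `# Identity used by pods in cloud-prod to authenticate to Vault (Kubernetes auth role "cloud-prod") — confirm the role binding`.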
@@ -0,0 +1,59 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cloud-prod
+ labels:
+ name: cloud-prod
+ app.kubernetes.io/managed-by: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: cloud-prod
+ namespace: cloud-prod
+ labels:
+ app.kubernetes.io/managed-by: argocd
+spec:
+ hard:
+ requests.cpu: "4"
+ requests.memory: "8Gi"
+ requests.storage: "100Gi"
+ limits.cpu: "8"
+ limits.memory: 16Gi
+ configmaps: "100"
+ resourcequotas: "1"
+ secrets: "100"
+ services: "100"
+ pods: "50"
+ persistentvolumeclaims: "20"
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: cloud-prod-common
+ namespace: cloud-prod
+ labels:
+ app.kubernetes.io/managed-by: argocd
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress: []
+ egress:
+ - to:
+ - ipBlock:
+ # office-balancer.avroid.tech
+ cidr: 10.2.16.2/32
+ ports:
+ - port: 443
+ protocol: TCP
+ - ports:
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/redis-exporter/argocd-apps-redis_exporter-app.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/redis-exporter/argocd-apps-redis_exporter-app.yaml
new file mode 100644
index 0000000..8251099
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/redis-exporter/argocd-apps-redis_exporter-app.yaml
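Review bot: The second egress rule of `cloud-prod-common` (`- ports:` with port 53 TCP/UDP) has no `to:` clause, so every pod in the namespace may send to port 53 on any address inside or outside the cluster, which lets the otherwise tight default-deny be bypassed by anything that speaks on that port. Restricting the rule to the cluster DNS pods keeps name resolution working while closing that path; the pod label depends on the DNS add-on (`k8s-app: kube-dns` for CoreDNS on kubeadm-style clusters), so confirm it against this cluster before applying. On a smaller note, `limits.memory: 16Gi` is the only ResourceQuota value left unquoted; `limits.memory: "16Gi"` matches the surrounding entries.
```yaml
  egress:
    # … unchanged: 443 to office-balancer.avroid.tech rule …
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns  # confirm the label used by this cluster's DNS add-on
      ports:
        - port: 53
          protocol: TCP
        - port: 53
          protocol: UDP
```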
@@ -0,0 +1,51 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cloud-redis-exporter
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: cloud-redis-exporter
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: cloud-prod
+ sources:
+ - repoURL: https://git.avroid.tech/K8s/k8s-configs.git
+ targetRevision: master
+ ref: values
+ - repoURL: https://nexus.avroid.tech/repository/devops-helm-proxy-helm/
+ chart: "prometheus-community/prometheus-redis-exporter"
+ targetRevision: 6.9.0
+ helm:
+ valueFiles:
+ - $values/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/redis-exporter/values-ovveride.yaml
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - ApplyOutOfSyncOnly=true
+ - CreateNamespace=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: cloud-redis-exporter
+ namespace: argocd
+ # Finalizer that ensures that project is not deleted until it is not referenced by any application
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ sourceRepos:
+ - https://git.avroid.tech/K8s/k8s-configs.git
+ - https://nexus.avroid.tech/repository/devops-helm-proxy-helm/
+ # Only permit applications to deploy to the guestbook namespace in the same cluster
+ destinations:
+ - namespace: cloud-prod
+ server: https://kubernetes.default.svc
+ # Deny all cluster-scoped resources from being created, except for Namespace
+ clusterResourceWhitelist:
+ - group: ''
+ kind: Namespace
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/redis-exporter/argocd-apps-redis_exporter-network-policy.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/redis-exporter/argocd-apps-redis_exporter-network-policy.yaml
new file mode 100644
index 0000000..3005691
--- /dev/null
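Review bot: The comment `# Only permit applications to deploy to the guestbook namespace in the same cluster` above `destinations:` in the AppProject is copied from the Argo CD example and names a namespace that does not exist here; change it to `# Only permit this project's applications to deploy into cloud-prod on the local cluster`. The values source tracks `targetRevision: master` with `automated.prune` and `selfHeal` enabled, so every push to master is applied to production with no gate; if that is the intended GitOps flow, say so in a comment next to `ref: values` so nobody later mistakes it for an oversight. The file name `values-ovveride.yaml` (sic) is spelled the same way in `valueFiles` and in the new file, so it resolves, but renaming both to `values-override.yaml` would avoid confusion.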
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/redis-exporter/argocd-apps-redis_exporter-network-policy.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: cloud-redis-exporter-in
+ namespace: cloud-prod
+ labels:
+ app.kubernetes.io/managed-by: argocd
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: cloud-redis-exporter
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: cloud-prod
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: cloud-prometheus
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: cloud-redis-exporter-out
+ namespace: cloud-prod
+ labels:
+ app.kubernetes.io/managed-by: argocd
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ ingress: []
+ egress:
+ - ports:
+ - port: 6379
+ protocol: TCP
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/redis-exporter/values-ovveride.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/redis-exporter/values-ovveride.yaml
new file mode 100644
index 0000000..f3945b3
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/cloud-prod/monitoring/redis-exporter/values-ovveride.yaml
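Review bot: `cloud-redis-exporter-out` uses `podSelector: {}`, so despite its name it grants every pod in cloud-prod egress on TCP 6379 to any address, while the `-in` policy selects `app.kubernetes.io/name: cloud-redis-exporter`, a label the prometheus-redis-exporter chart is unlikely to produce (its `app.kubernetes.io/name` is normally the chart name and `app.kubernetes.io/instance` the release name, and the values override in this commit sets no `nameOverride`), in which case the allow rule matches no pod and Prometheus scraping stays blocked by the namespace-wide default-deny. Use one selector in both policies, e.g. `podSelector: matchLabels: app.kubernetes.io/instance: cloud-redis-exporter`, verify it against the rendered Deployment labels, and give the 6379 rule a `to:` block limited to the Redis endpoint (`ipBlock: cidr: <REDIS_ADDRESS>/32`, placeholder). The `ingress: []` entry in the `-out` policy is inert because `policyTypes` lists only Egress and can be removed.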
@@ -0,0 +1,36 @@
+# https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus-redis-exporter/values.yaml
+
+serviceAccount:
+ # Specifies whether a ServiceAccount should be created
+ create: false
+ # The name of the ServiceAccount to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: vault
+
+replicaCount: 1
+image:
+ repository: harbor.avroid.tech/docker-hub-proxy/oliver006/redis_exporter
+
+resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+
+nodeSelector:
+ node-role.kubernetes.io/worker: ""
+
+# deployment additional annotations and labels
+annotations:
+ vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
+ vault.security.banzaicloud.io/vault-role: "cloud-prod"
+ vault.security.banzaicloud.io/vault-skip-verify: "false"
+ vault.security.banzaicloud.io/vault-path: "avroid-office"
+
+auth:
+ # Use password authentication
+ enabled: true
+ # Redis password (when not stored in a secret)
+ redisPassword: vault:team-devops/data/services/monitoring/k8s/cloud-prod/redis-exporter#REDIS_PASSWORD
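Review bot: `image.repository` points at `harbor.avroid.tech/...` but the values set no `imagePullSecrets`, and neither the `vault` ServiceAccount nor anything else in this commit attaches `harbor-registry-secret` to the pod, so unless that proxy project allows anonymous pulls the Deployment will sit in ImagePullBackOff; add `imagePullSecrets: - name: harbor-registry-secret` (a chart value) to this file. The chart's `redisAddress` value, whose upstream default is a placeholder host, is not overridden either, so confirm where the target Redis address is supplied or set it here explicitly. The inherited comment `# Redis password (when not stored in a secret)` no longer describes the value beneath it; replace it with `# vault: reference resolved by the vault-secrets-webhook at pod admission, not a literal password`.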