From 88aa742dfdb6123f4b025de06f45d8cf2c8ea510 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Thu, 10 Apr 2025 22:50:08 +0000
Subject: [PATCH] feat: introduce vals cmp plugin for argoCD

---
 charts/kubezero-argo/hooks.d/pre-install.sh | 6 --
 .../argo-cd/kubezero-git-sync-secret.yaml | 7 +-
 charts/kubezero-argo/values.yaml | 30 ++++++
 charts/kubezero/templates/_aws.tpl | 30 ++++++
 charts/kubezero/templates/addons.yaml | 53 ++---------
 charts/kubezero/templates/argo.yaml | 94 +++++++++----------
 charts/kubezero/values.yaml | 4 +-
 7 files changed, 121 insertions(+), 103 deletions(-)
 create mode 100644 charts/kubezero/templates/_aws.tpl

diff --git a/charts/kubezero-argo/hooks.d/pre-install.sh b/charts/kubezero-argo/hooks.d/pre-install.sh
index b3ca0f0f..a055a3c3 100755
--- a/charts/kubezero-argo/hooks.d/pre-install.sh
+++ b/charts/kubezero-argo/hooks.d/pre-install.sh
@@ -18,12 +18,6 @@ if [ -z "$PW" ]; then
 set_kubezero_secret argo-cd.adminPassword "$NEW_PW"
 fi

-# GitSync privateKey
-GITKEY=$(get_kubezero_secret argo-cd.kubezero.sshPrivateKey)
-if [ -z "$GITKEY" ]; then
- set_kubezero_secret argo-cd.kubezero.sshPrivateKey "Insert ssh Private Key from your git server"
-fi
-
 # Redis secret
 kubectl get secret argocd-redis -n argocd || kubectl create secret generic argocd-redis -n argocd \
 --from-literal=auth=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
diff --git a/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml b/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml
index 5939d617..a282d11b 100644
--- a/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml
+++ b/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml
@@ -1,4 +1,4 @@
-{{- if and (index .Values "argo-cd" "kubezero" "sshPrivateKey") (index .Values "argo-cd" "kubezero" "repoUrl") }}
+{{- if index .Values "argo-cd" "kubezero" "repoUrl" }}
 apiVersion: v1
 kind: Secret
 metadata:
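Review bot: Dropping `sshPrivateKey` from the guard means the repository Secret now renders for any `repoUrl`, while the pre-install hook in this same patch stops seeding `argo-cd.kubezero.sshPrivateKey`; an ssh-style URL with no key configured therefore yields a Secret whose `sshPrivateKey` is empty (or an unresolved `secretref+` string, depending on how the vals plugin treats a missing key) instead of no Secret at all. A guard that still requires the credential for the chosen scheme keeps the earlier fail-closed behaviour: `{{- if and (index .Values "argo-cd" "kubezero" "repoUrl") (or (hasPrefix "https" (index .Values "argo-cd" "kubezero" "repoUrl")) (index .Values "argo-cd" "kubezero" "sshPrivateKey")) }}`. Whether Argo CD rejects or silently stores a repo Secret with an empty key is not visible from this patch.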
@@ -12,5 +12,10 @@ stringData:
 name: kubezero-git-sync
 type: git
 url: {{ index .Values "argo-cd" "kubezero" "repoUrl" }}
+ {{- if hasPrefix "https" (index .Values "argo-cd" "kubezero" "repoUrl") }}
+ username: {{ index .Values "argo-cd" "kubezero" "username" }}
+ password: {{ index .Values "argo-cd" "kubezero" "password" }}
+ {{- else }}
 sshPrivateKey: {{ index .Values "argo-cd" "kubezero" "sshPrivateKey" }}
+ {{- end }}
 {{- end }}
diff --git a/charts/kubezero-argo/values.yaml b/charts/kubezero-argo/values.yaml
index 7fb25834..86fa70b0 100644
--- a/charts/kubezero-argo/values.yaml
+++ b/charts/kubezero-argo/values.yaml
@@ -125,6 +125,34 @@ argo-cd:
 resources: ["secrets"]
 verbs: ["get", "watch", "list"]

+ # cmp vals plugin
+ # @ignored
+ extraContainers:
+ - name: cmp-vals
+ image: '{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}'
+ imagePullPolicy: '{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}'
+ command: ["/var/run/argocd/argocd-cmp-server"]
+ volumeMounts:
+ - mountPath: /var/run/argocd
+ name: var-files
+ - mountPath: /home/argocd/cmp-server/plugins
+ name: plugins
+ - mountPath: /tmp
+ name: cmp-tmp
+ securityContext:
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ runAsUser: 999
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ volumes:
+ - name: cmp-tmp
+ emptyDir: {}
+
 server:
 # Rename former https port to grpc, works with istio + insecure
 service:
@@ -164,6 +192,8 @@ argo-cd:
 path: "/"
 targetRevision: HEAD
 sshPrivateKey: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey
+ username: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.username
+ password: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.password

 argocd-image-updater:
 enabled: false
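Review bot: The `username`, `password` and `sshPrivateKey` values are emitted as unquoted scalars, so a credential containing ` #` or `: `, or starting with `*`, `&`, `{`, `@` or `!`, breaks the rendered YAML or is re-typed (an all-digit token becomes an integer), and an unset value renders as `null`. Piping each through `quote` keeps the scalar a string whatever its content, and does not change the `secretref+` string the vals plugin later resolves: `username: {{ index .Values "argo-cd" "kubezero" "username" | quote }}`, `password: {{ index .Values "argo-cd" "kubezero" "password" | quote }}`, `sshPrivateKey: {{ index .Values "argo-cd" "kubezero" "sshPrivateKey" | quote }}`. Note also that `hasPrefix "https"` sends a plain `http://` URL down the ssh branch; if unencrypted http is meant to be unsupported, a one-line comment above the `if` makes that deliberate rather than accidental.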
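Review bot: `cmp-tmp` is an `emptyDir: {}` with no `sizeLimit`, and it backs `/tmp` of the plugin sidecar, which is where `argocd-cmp-server` extracts the repository tarball it is handed for rendering; a large or hostile source repository can therefore consume node ephemeral storage without bound. A cap sized for the largest expected source, `emptyDir: { sizeLimit: 1Gi }`, contains that. The sidecar's `securityContext` (non-root, read-only root filesystem, all capabilities dropped, RuntimeDefault seccomp) is good; the plugin definition that actually invokes `vals`, and the image layer that provides the binary, are not part of this patch, so the `# cmp vals plugin` comment could name where they come from.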
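Review bot: Nothing in the chart now creates or validates the `argo-cd.kubezero.username` and `argo-cd.kubezero.password` keys these defaults point at (the pre-install hook in this patch stops seeding even the ssh key), so a missing key surfaces only when the vals plugin renders the repo Secret. A comment above the three `secretref+` lines would save the next operator the hunt: `# Resolved at render time by the vals cmp plugin; the referenced keys must already exist in Secret kubezero/kubezero-secrets. Only the pair matching repoUrl's scheme is used (https -> username/password, otherwise sshPrivateKey).`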
diff --git a/charts/kubezero/templates/_aws.tpl b/charts/kubezero/templates/_aws.tpl
new file mode 100644
index 00000000..772e8e80
--- /dev/null
+++ b/charts/kubezero/templates/_aws.tpl
@@ -0,0 +1,30 @@
+{{- define "aws-iam-env" -}}
+- name: AWS_ROLE_ARN
+ value: "arn:aws:iam::{{ $.Values.global.aws.accountId }}:role/{{ $.Values.global.aws.region }}.{{ $.Values.global.clusterName }}.{{ .roleName }}"
+- name: AWS_WEB_IDENTITY_TOKEN_FILE
+ value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+- name: AWS_STS_REGIONAL_ENDPOINTS
+ value: "regional"
+- name: METADATA_TRIES
+ value: "0"
+- name: AWS_REGION
+ value: {{ $.Values.global.aws.region }}
+{{- end }}
+
+
+{{- define "aws-iam-volumes" -}}
+- name: aws-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 86400
+ audience: "sts.amazonaws.com"
+{{- end }}
+
+
+{{- define "aws-iam-volumemounts" -}}
+- name: aws-token
+ mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+ readOnly: true
+{{- end }}
diff --git a/charts/kubezero/templates/addons.yaml b/charts/kubezero/templates/addons.yaml
index fe39b8ef..341e7f24 100644
--- a/charts/kubezero/templates/addons.yaml
+++ b/charts/kubezero/templates/addons.yaml
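Review bot: The helpers are registered under the bare names `aws-iam-env`, `aws-iam-volumes` and `aws-iam-volumemounts`; Helm named templates live in one global namespace shared with every subchart, so any subchart that defines the same name replaces these without warning. Prefixing them with the chart name, e.g. `{{- define "kubezero.aws-iam-env" -}}` plus the matching `include` calls, avoids that. While the STS wiring is being centralised here, `expirationSeconds: 86400` is the one knob worth a comment: the projected token is a bearer credential for the mapped IAM role, and a shorter lifetime (or one read from values) narrows the window if the file is ever read out of a pod — the 24h value is carried over unchanged from the call sites this helper replaces.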
@@ -42,28 +42,11 @@ external-dns:
 - "--aws-zone-type=public"
 - "--aws-zones-cache-duration=1h"
 env:
- - name: AWS_REGION
- value: {{ .Values.global.aws.region }}
- - name: AWS_ROLE_ARN
- value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.externalDNS"
- - name: AWS_WEB_IDENTITY_TOKEN_FILE
- value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- - name: AWS_STS_REGIONAL_ENDPOINTS
- value: "regional"
- - name: METADATA_TRIES
- value: "0"
+ {{- include "aws-iam-env" (merge (dict "roleName" "externalDNS") .) | nindent 4 }}
 extraVolumes:
- - name: aws-token
- projected:
- sources:
- - serviceAccountToken:
- path: token
- expirationSeconds: 86400
- audience: "sts.amazonaws.com"
+ {{- include "aws-iam-volumes" . | nindent 4 }}
 extraVolumeMounts:
- - name: aws-token
- mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
- readOnly: true
+ {{- include "aws-iam-volumemounts" . | nindent 4 }}
 {{- end }}

 cluster-autoscaler:
@@ -98,17 +81,9 @@ cluster-autoscaler:
 AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
 AWS_STS_REGIONAL_ENDPOINTS: "regional"
 extraVolumes:
- - name: aws-token
- projected:
- sources:
- - serviceAccountToken:
- path: token
- expirationSeconds: 86400
- audience: "sts.amazonaws.com"
+ {{- include "aws-iam-volumes" . | nindent 4 }}
 extraVolumeMounts:
- - name: aws-token
- mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
- readOnly: true
+ {{- include "aws-iam-volumemounts" . | nindent 4 }}
 {{- end }}

 {{- with .Values.addons.fuseDevicePlugin }}
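Review bot: The cluster-autoscaler hunk switches the volumes and mounts to the new helpers but leaves `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_STS_REGIONAL_ENDPOINTS` as inline map entries, so this becomes the one place in the file where the STS wiring is spelled out by hand and must be kept in step with `aws-iam-env`. Presumably that is because this chart takes its environment as a map rather than a list, which a list-producing helper cannot feed; a comment where the inline entries begin (the start of that map, and its role ARN entry, is above this hunk) heads off a well-meant "refactor" later: `# env is a map here, so the aws-iam-env list helper cannot be reused; keep in sync with _aws.tpl`.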
@@ -155,14 +130,7 @@ aws-node-termination-handler:
 queueURL: "https://sqs.{{ .Values.global.aws.region }}.amazonaws.com/{{ .Values.global.aws.accountId }}/{{ .Values.global.clusterName }}_Nth"
 managedTag: "zdt:kubezero:nth:{{ .Values.global.clusterName }}"
 extraEnv:
- - name: AWS_ROLE_ARN
- value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsNth"
- - name: AWS_WEB_IDENTITY_TOKEN_FILE
- value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- - name: AWS_STS_REGIONAL_ENDPOINTS
- value: "regional"
- - name: METADATA_TRIES
- value: "0"
+ {{- include "aws-iam-env" (merge (dict "roleName" "awsNth") .) | nindent 4 }}

 aws-eks-asg-rolling-update-handler:
 enabled: {{ default "true" (index .Values "addons" "aws-eks-asg-rolling-update-handler" "enabled") }}
@@ -172,10 +140,9 @@ aws-eks-asg-rolling-update-handler:
 {{- end }}

 environmentVars:
+ {{- include "aws-iam-env" (merge (dict "roleName" "awsRuh") .) | nindent 4 }}
 - name: CLUSTER_NAME
 value: {{ .Values.global.clusterName }}
- - name: AWS_REGION
- value: {{ .Values.global.aws.region }}
 - name: EXECUTION_INTERVAL
 value: "60"
 - name: METRICS
@@ -184,12 +151,6 @@ aws-eks-asg-rolling-update-handler:
 value: "true"
 - name: SLOW_MODE
 value: "true"
- - name: AWS_ROLE_ARN
- value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsRuh"
- - name: AWS_WEB_IDENTITY_TOKEN_FILE
- value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- - name: AWS_STS_REGIONAL_ENDPOINTS
- value: "regional"

 {{- with (index .Values "addons" "neuron-helm-chart") }}
 neuron-helm-chart:
diff --git a/charts/kubezero/templates/argo.yaml b/charts/kubezero/templates/argo.yaml
index 0a828f38..cac9d1f3 100644
--- a/charts/kubezero/templates/argo.yaml
+++ b/charts/kubezero/templates/argo.yaml
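Review bot: The shared helper is not a pure substitution for these two charts: aws-node-termination-handler gains an `AWS_REGION` entry its removed block did not set, and aws-eks-asg-rolling-update-handler gains `METADATA_TRIES: "0"`, which its removed block did not have. Both are probably harmless (an unknown variable is ignored, and the region matches the one already used in `queueURL`), but the commit message only mentions the vals plugin, so a one-line note that the IAM env blocks were unified and slightly widened helps anyone bisecting a later behaviour change. If `aws-iam-env` is meant to be exactly the common subset, keeping `METADATA_TRIES` only where it was previously set is the smaller change.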
@@ -23,38 +23,51 @@ argo-cd:
 metrics:
 enabled: {{ .Values.metrics.enabled }}
 repoServer:
- metrics:
- enabled: {{ .Values.metrics.enabled }}
-
- {{- if eq .Values.global.platform "aws" }}
- env:
- - name: AWS_ROLE_ARN
- value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-repo-server"
- - name: AWS_WEB_IDENTITY_TOKEN_FILE
- value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- - name: AWS_STS_REGIONAL_ENDPOINTS
- value: "regional"
- - name: METADATA_TRIES
- value: "0"
- - name: AWS_REGION
- value: {{ .Values.global.aws.region }}
- volumes:
- - name: aws-token
- projected:
- sources:
- - serviceAccountToken:
- path: token
- expirationSeconds: 86400
- audience: "sts.amazonaws.com"
- volumeMounts:
- - name: aws-token
- mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
- readOnly: true
- {{- end }}
-
 {{- with index .Values "argo" "argo-cd" "repoServer" }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
+
+ metrics:
+ enabled: {{ .Values.metrics.enabled }}
+
+ volumes:
+ - name: cmp-tmp
+ emptyDir: {}
+ {{- if eq .Values.global.platform "aws" }}
+ {{- include "aws-iam-volumes" . | nindent 6 }}
+
+ env:
+ {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 6 }}
+ volumeMounts:
+ {{- include "aws-iam-volumemounts" . | nindent 6 }}
+
+ extraContainers:
+ - name: cmp-vals
+ image: '{{ "{{" }} default .Values.global.image.repository .Values.repoServer.image.repository {{ "}}" }}:{{ "{{" }} default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag {{ "}}" }}'
+ imagePullPolicy: '{{ "{{" }} default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy {{ "}}" }}'
+ command: ["/var/run/argocd/argocd-cmp-server"]
+ env:
+ {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .)
| nindent 10 }}
+ volumeMounts:
+ - mountPath: /var/run/argocd
+ name: var-files
+ - mountPath: /home/argocd/cmp-server/plugins
+ name: plugins
+ - mountPath: /tmp
+ name: cmp-tmp
+ {{- include "aws-iam-volumemounts" . | nindent 10 }}
+ securityContext:
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ runAsUser: 999
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ {{- end }}
+
 server:
 metrics:
 enabled: {{ .Values.metrics.enabled }}
@@ -80,28 +93,11 @@ argocd-image-updater:
 {{- if eq .Values.global.platform "aws" }}
 extraEnv:
- - name: AWS_ROLE_ARN
- value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-image-updater"
- - name: AWS_WEB_IDENTITY_TOKEN_FILE
- value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- - name: AWS_STS_REGIONAL_ENDPOINTS
- value: "regional"
- - name: METADATA_TRIES
- value: "0"
- - name: AWS_REGION
- value: {{ .Values.global.aws.region }}
+ {{- include "aws-iam-env" (merge (dict "roleName" "argocd-image-updater") .) | nindent 4 }}
 volumes:
- - name: aws-token
- projected:
- sources:
- - serviceAccountToken:
- path: token
- expirationSeconds: 86400
- audience: "sts.amazonaws.com"
+ {{- include "aws-iam-volumes" . | nindent 4 }}
 volumeMounts:
- - name: aws-token
- mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
- readOnly: true
+ {{- include "aws-iam-volumemounts" . | nindent 4 }}
 {{- end }}

 metrics:
diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml
index 7357ec22..31070a67 100644
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@@ -6,7 +6,9 @@ global:
 highAvailable: false
- aws: {}
+ aws:
+ accountId: "123456789012"
+ region: the-moon
 gcp: {}
 addons:
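Review bot: Mounting the repo-server's IAM role and STS token into `cmp-vals` (the two `aws-iam-*` includes inside the container) makes that role's read scope — plus whatever Secret RBAC the repo-server ServiceAccount holds for `secretref+k8s://` lookups — reachable from any Git source rendered through the plugin, since vals resolves whatever `ref+`/`secretref+` expressions it finds in the manifests. That is inherent to the plugin, but it means anyone who can push to a synced repository can have those secrets copied into rendered manifests, so the `argocd-repo-server` role should stay scoped to the specific secret ARNs or parameter paths the platform needs, and the trust boundary deserves a comment above `extraContainers`, e.g. `# cmp-vals runs with the repo-server IAM role and ServiceAccount: every source rendered by the plugin can read whatever they can read`. Two smaller points: the operator override `{{- with index .Values "argo" "argo-cd" "repoServer" }}` is now emitted before the fixed `metrics`/`volumes`/`env`/`extraContainers` keys, so an override that sets any of them produces duplicate keys under `repoServer:` and which copy wins depends on the YAML parser, whereas before the override came last; and this `extraContainers` list duplicates the one in kubezero-argo/values.yaml (Helm replaces lists rather than merging them), so the `securityContext` has to be kept in step in both places by hand.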
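Review bot: `accountId: "123456789012"` and `region: the-moon` are placeholders, but nothing marks them as such: because `global.aws` is no longer `{}`, every template that builds a role ARN, SQS URL or region setting from these keys now renders a well-formed value instead of an empty field, so a cluster that forgets to override them fails later with an STS or access error rather than with something obviously wrong in the rendered manifest. Presumably the defaults exist so the templates render on non-AWS platforms; a comment above the keys keeps that intent visible: `# Placeholders so templates render on non-AWS platforms; must be overridden per cluster`. If rendering on non-AWS platforms is not the reason, a `required` on `accountId` in `_aws.tpl` is the fail-closed alternative.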