From bb18b44fb8bb1de59bdc019723222cd3cfda378b Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Thu, 23 May 2024 21:21:34 +0000 Subject: [PATCH] Feat: Argo integrate helm-secrets and vals --- charts/kubezero-argo/README.md | 36 +++++++++++++++--- charts/kubezero-argo/README.md.gotmpl | 1 + charts/kubezero-argo/values.yaml | 53 ++++++++++++++++++++++----- 3 files changed, 74 insertions(+), 16 deletions(-) diff --git a/charts/kubezero-argo/README.md b/charts/kubezero-argo/README.md index 7bec4692..bfdee1be 100644 --- a/charts/kubezero-argo/README.md +++ b/charts/kubezero-argo/README.md @@ -1,6 +1,6 @@ # kubezero-argo -![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) +![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) KubeZero Argo - Events, Workflow, CD 
@@ -18,23 +18,22 @@ Kubernetes: `>= 1.26.0` | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 6.7.10 | +| https://argoproj.github.io/argo-helm | argo-cd | 6.9.2 | | https://argoproj.github.io/argo-helm | argo-events | 2.4.4 | | https://argoproj.github.io/argo-helm | argocd-apps | 2.0.0 | -| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.9.6 | +| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.10.0 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| argo-cd.applicationSet.enabled | bool | `false` | | | argo-cd.configs.cm."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | | | argo-cd.configs.cm."timeout.reconciliation" | string | `"300s"` | | -| argo-cd.configs.cm."ui.bannercontent" | string | `"KubeZero v1.27 - Release notes"` | | +| argo-cd.configs.cm."ui.bannercontent" | string | `"KubeZero v1.28 - Release notes"` | | | argo-cd.configs.cm."ui.bannerpermanent" | string | `"true"` | | | argo-cd.configs.cm."ui.bannerposition" | string | `"bottom"` | | -| argo-cd.configs.cm."ui.bannerurl" | string | `"https://kubezero.com/releases/v1.27"` | | +| argo-cd.configs.cm."ui.bannerurl" | string | `"https://kubezero.com/releases/v1.28"` | | | 
argo-cd.configs.cm.url | string | `"https://argocd.example.com"` | | | argo-cd.configs.params."controller.operation.processors" | string | `"5"` | | | argo-cd.configs.params."controller.status.processors" | string | `"10"` | | 
@@ -50,13 +49,37 @@ Kubernetes: `>= 1.26.0` | argo-cd.controller.resources.requests.memory | string | `"512Mi"` | | | argo-cd.dex.enabled | bool | `false` | | | argo-cd.enabled | bool | `false` | | +| argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` | | +| argo-cd.global.image.tag | string | `"v2.11.0"` | | | argo-cd.global.logging.format | string | `"json"` | | | argo-cd.istio.enabled | bool | `false` | | | argo-cd.istio.gateway | string | `"istio-ingress/ingressgateway"` | | | argo-cd.istio.ipBlocks | list | `[]` | | | argo-cd.notifications.enabled | bool | `false` | | +| argo-cd.repoServer.clusterRoleRules.enabled | bool | `true` | | +| argo-cd.repoServer.clusterRoleRules.rules[0].apiGroups[0] | string | `""` | | +| argo-cd.repoServer.clusterRoleRules.rules[0].resources[0] | string | `"secrets"` | | +| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[0] | string | `"get"` | | +| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[1] | string | `"watch"` | | +| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[2] | string | `"list"` | | +| argo-cd.repoServer.initContainers[0].command[0] | string | `"/usr/local/bin/sa2kubeconfig.sh"` | | +| argo-cd.repoServer.initContainers[0].command[1] | string | `"/home/argocd/.kube/config"` | | +| argo-cd.repoServer.initContainers[0].image | string | `"public.ecr.aws/zero-downtime/zdt-argocd:v2.11.0"` | | +| argo-cd.repoServer.initContainers[0].imagePullPolicy | string | `"IfNotPresent"` | | +| argo-cd.repoServer.initContainers[0].name | string | `"create-kubeconfig"` | | +| argo-cd.repoServer.initContainers[0].securityContext.allowPrivilegeEscalation | bool | `false` | | +| argo-cd.repoServer.initContainers[0].securityContext.capabilities.drop[0] | string | `"ALL"` | | +| argo-cd.repoServer.initContainers[0].securityContext.readOnlyRootFilesystem | bool | `true` | | +| argo-cd.repoServer.initContainers[0].securityContext.runAsNonRoot | bool | `true` | | +| 
argo-cd.repoServer.initContainers[0].securityContext.seccompProfile.type | string | `"RuntimeDefault"` | | +| argo-cd.repoServer.initContainers[0].volumeMounts[0].mountPath | string | `"/home/argocd/.kube"` | | +| argo-cd.repoServer.initContainers[0].volumeMounts[0].name | string | `"kubeconfigs"` | | | argo-cd.repoServer.metrics.enabled | bool | `false` | | | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | | +| argo-cd.repoServer.volumeMounts[0].mountPath | string | `"/home/argocd/.kube"` | | +| argo-cd.repoServer.volumeMounts[0].name | string | `"kubeconfigs"` | | +| argo-cd.repoServer.volumes[0].emptyDir | object | `{}` | | +| argo-cd.repoServer.volumes[0].name | string | `"kubeconfigs"` | | | argo-cd.server.metrics.enabled | bool | `false` | | | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | | @@ -87,6 +110,7 @@ Kubernetes: `>= 1.26.0` | argocd-image-updater.sshConfig.config | string | `"Host *\n PubkeyAcceptedAlgorithms +ssh-rsa\n HostkeyAlgorithms +ssh-rsa\n"` | | ## Resources +- https://github.com/argoproj/argoproj/blob/main/docs/end_user_threat_model.pdf - https://argoproj.github.io/argo-cd/operator-manual/metrics/ - https://raw.githubusercontent.com/argoproj/argo-cd/master/examples/dashboard.json diff --git a/charts/kubezero-argo/README.md.gotmpl b/charts/kubezero-argo/README.md.gotmpl index f2d17e4f..cd73b3f4 100644 --- a/charts/kubezero-argo/README.md.gotmpl +++ b/charts/kubezero-argo/README.md.gotmpl @@ -16,6 +16,7 @@ {{ template "chart.valuesSection" . }} ## Resources +- https://github.com/argoproj/argoproj/blob/main/docs/end_user_threat_model.pdf - https://argoproj.github.io/argo-cd/operator-manual/metrics/ - https://raw.githubusercontent.com/argoproj/argo-cd/master/examples/dashboard.json diff --git a/charts/kubezero-argo/values.yaml b/charts/kubezero-argo/values.yaml index 86c440d1..3bcab229 100644 --- a/charts/kubezero-argo/values.yaml 
+++ b/charts/kubezero-argo/values.yaml @@ -36,19 +36,16 @@ argocd-apps: projects: {} applications: {} + argo-cd: enabled: false - #configs: - # secret: - # `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'` - # argocdServerAdminPassword: "$2a$10$ivKzaXVxMqdeDSfS3nqi1Od3iDbnL7oXrixzDfZFRHlXHnAG6LydG" - # argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST" global: logging: format: json - # image: - # tag: v2.1.6 + image: + repository: public.ecr.aws/zero-downtime/zdt-argocd + tag: v2.11.0 configs: styles: | @@ -94,6 +91,10 @@ argo-cd: secret: createSecret: false + # `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'` + # argocdServerAdminPassword: "$2a$10$ivKzaXVxMqdeDSfS3nqi1Od3iDbnL7oXrixzDfZFRHlXHnAG6LydG" + # argocdServerAdminPassword: "ref+file://secrets.yaml#/test" + # argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST" ssh: extraHosts: "git.zero-downtime.net ssh-rsa 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" @@ -125,6 +126,41 @@ argo-cd: serviceMonitor: enabled: true + volumes: + - name: kubeconfigs + emptyDir: {} + volumeMounts: + - mountPath: /home/argocd/.kube + name: kubeconfigs + + # Allow vals to read internal secrets across all namespaces + clusterRoleRules: + enabled: true + rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + initContainers: + - name: create-kubeconfig + image: public.ecr.aws/zero-downtime/zdt-argocd:v2.11.0 + imagePullPolicy: IfNotPresent + command: + - /usr/local/bin/sa2kubeconfig.sh + - /home/argocd/.kube/config + volumeMounts: + - mountPath: /home/argocd/.kube + name: kubeconfigs + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + server: # Rename former https port to grpc, works with istio + insecure service: 
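Review bot: `global.image.repository` switches every Argo CD component (server, controller, repo-server, the init container) to a third-party build, `public.ecr.aws/zero-downtime/zdt-argocd`, pinned only by the mutable tag `v2.11.0`, so what actually runs can change underneath the chart without any change to this file. A digest pin would be preferable if the upstream chart's image helper renders one (confirm before relying on it); failing that, a comment stating where the image is built from and which upstream release it tracks, e.g. `# custom argo-cd v2.11.0 build with helm-secrets/vals baked in — built from <repo>`, gives a reader something to verify against. The same tag is repeated verbatim in `repoServer.initContainers[].image` later in this file, so a future bump has to be made in two places; `# keep in sync with repoServer.initContainers[].image` next to `tag:` would flag that. Presumably the fork bundles helm-secrets and vals per the commit subject, but nothing in the values file says so.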
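Review bot: The `clusterRoleRules` block grants the repo-server service account `get`/`watch`/`list` on `secrets` in every namespace, and the repo-server is the component that renders untrusted repository content, so anyone able to change a tracked repo or a values file that vals resolves can now read any Secret in the cluster, including those of other Argo projects and unrelated tenants — this crosses the trust boundary the end-user threat model linked by this same commit tells operators to keep. If the intent is only to resolve `ref+k8s://` references from a known set of namespaces, a namespaced Role plus RoleBinding per namespace (or `resourceNames` on the rule) is the least-privilege form; vals' Kubernetes lookups presumably need only `get`, so `watch` and `list`, which let a caller dump every Secret in one request, look unnecessary and should be dropped or justified. At minimum the comment should state the consequence rather than the mechanism, e.g. `# WARNING: cluster-wide Secret read for repo-server — any repo/values content Argo renders can reference any Secret in the cluster; scope via per-namespace RoleBindings in multi-tenant clusters.` The init container only writes a kubeconfig from the pod's own service-account token into a shared emptyDir, which presumably is the credential the pod already has mounted, so that part adds no privilege beyond what the ClusterRole confers.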
@@ -141,9 +177,6 @@ argo-cd: dex: enabled: false - applicationSet: - enabled: false - notifications: enabled: false