feat: initial commit

floryn08 · Jun 12, 2024 · 2de1b5b · 2de1b5b
commit 2de1b5b
Show file tree

Hide file tree

Showing 363 changed files with 7,137 additions and 0 deletions.
diff --git a/.github/workflows/patch-vault-pv-secret.yaml b/.github/workflows/patch-vault-pv-secret.yaml
@@ -0,0 +1,20 @@
+name: Patch Vault PV Secret
+
+on:
+  workflow_dispatch: 
+
+jobs:
+  patch:
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Set up Kubectl
+        uses: azure/k8s-set-context@v4.0.0
+        with:
+          method: service-account
+          k8s-url: "${{ secrets.API_SERVER }}"
+          k8s-secret: "${{ secrets.SA_SECRET }}"
+
+      - name: Patch PV path
+        run: |
+          kubectl --insecure-skip-tls-verify patch pv data-vault-pv -p '{"spec":{"hostPath":{"path":"${{ secrets.VAULT_PV_PATH }}"}}}'
diff --git a/.github/workflows/upgrade-argo-lint-dry-run.yaml b/.github/workflows/upgrade-argo-lint-dry-run.yaml
@@ -0,0 +1,32 @@
+name: Upgrade ArgoCD Dry Run
+
+on:
+  pull_request: 
+    paths: 
+      - argo-cd/** 
+
+jobs:
+  upgrade:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Kubectl
+        uses: azure/k8s-set-context@v4.0.0
+        with:
+          method: service-account
+          k8s-url: "${{ secrets.API_SERVER }}"
+          k8s-secret: "${{ secrets.SA_SECRET }}"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4.2.0
+
+      - name: Lint
+        run: |
+          helm lint ./argo-cd
+
+      - name: Upgrade release dry run
+        run: |
+          helm dep update ./argo-cd
+          helm upgrade --kube-insecure-skip-tls-verify --dry-run argo-cd ./argo-cd --namespace argocd --install --values ./argo-cd/values.yaml
diff --git a/.github/workflows/upgrade-argo.yaml b/.github/workflows/upgrade-argo.yaml
@@ -0,0 +1,30 @@
+name: Upgrade ArgoCD
+
+on:
+  workflow_dispatch: 
+
+jobs:
+  upgrade:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.1.6
+
+      - name: Set up Kubectl
+        uses: azure/k8s-set-context@v4.0.0
+        with:
+          method: service-account
+          k8s-url: "${{ secrets.API_SERVER }}"
+          k8s-secret: "${{ secrets.SA_SECRET }}"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4.2.0
+
+      - name: Lint
+        run: |
+          helm lint ./argo-cd
+
+      - name: Upgrade release
+        run: |
+          helm dep update ./argo-cd
+          helm upgrade --kube-insecure-skip-tls-verify argo-cd ./argo-cd --namespace argocd --install --values ./argo-cd/values.yaml
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,3 @@
+.vscode/
+charts/**/charts
+argo-cd/charts
diff --git a/README.md b/README.md
@@ -0,0 +1,15 @@
+# Homeserver Deployment
+This repository contains helm charts organized using the `App of Apps` strategy.
+
+## TODO
+- [ ] add refresh for vault secrets
+- [ ] install stacker configmaps/secret watcher to restart pods when those change
+- [ ] rename `stack-apps` folder to `app-of-apps`
+- [ ] rename `services` folder to `apps`
+- [x] solve certificate issue for kubernetes api so that upgrade argocd action can work
+- [x] helm linting for argo-cd chart
+- [ ] find a way to use `sed` to replace the hostPath from vault pv.yaml
+- [ ] add prometheus/loki and grafana monitoring
+- [ ] better backup strategy?
+- [ ] better deployment strategy?
+- [ ] use ansible to faster deploy all requirements on a machine?
diff --git a/argo-cd/Chart.lock b/argo-cd/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: argo-cd
+  repository: https://argoproj.github.io/argo-helm
+  version: 7.1.2
+digest: sha256:acfac76b20ab9432494e7c3b896afbab863eea4e58db5a6d36ade3203fb53ca7
+generated: "2024-06-06T11:13:04.270690377Z"
diff --git a/argo-cd/Chart.yaml b/argo-cd/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: argo-cd
+version: 1.0.0
+dependencies:
+- name: argo-cd
+  version: 7.1.2
+  repository: https://argoproj.github.io/argo-helm
diff --git a/argo-cd/templates/cmp.yaml b/argo-cd/templates/cmp.yaml
@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cmp-plugin
+  namespace: argocd
+data:
+  avp.yaml: |
+    apiVersion: argoproj.io/v1alpha1
+    kind: ConfigManagementPlugin
+    metadata:
+      name: argocd-vault-plugin
+    spec:
+      allowConcurrency: true
+      discover:
+        find:
+          command:
+            - sh
+            - "-c"
+            - "find . -name '*.yaml' | xargs -I {} grep \"<path\\|avp\\.kubernetes\\.io\" {} | grep ."
+      generate:
+        command:
+          - argocd-vault-plugin
+          - generate
+          - "-s"
+          - vault-configuration
+          - "."
+      lockRepo: false
+  avp-helm.yaml: |
+    apiVersion: argoproj.io/v1alpha1
+    kind: ConfigManagementPlugin
+    metadata:
+      name: argocd-vault-plugin-helm
+    spec:
+      allowConcurrency: true
+      discover:
+        find:
+          command:
+            - sh
+            - "-c"
+            - "find . -name 'Chart.yaml' && find . -name 'values.yaml'"
+      init:
+        command:
+          - bash
+          - "-c"
+          - |
+            helm repo add valheim-server-discord-bot https://floryn08.github.io/valheim-server-discord-bot
+            helm repo add traefik https://traefik.github.io/charts
+            helm repo add authentik https://charts.goauthentik.io
+            helm repo add hashicorp https://helm.releases.hashicorp.com
+            helm dependency build
+      generate:
+        command:
+          - bash
+          - "-c"
+          - |
+            helm template $ARGOCD_APP_NAME --include-crds -n $ARGOCD_APP_NAMESPACE ${ARGOCD_ENV_HELM_ARGS} . |
+            argocd-vault-plugin generate -s vault-configuration -
+      lockRepo: false
diff --git a/argo-cd/templates/vault-config.yaml b/argo-cd/templates/vault-config.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: vault-configuration
+  namespace: argocd
+data:
+  VAULT_ADDR: {{ .Values.argoVaultPlugin.vaultAddress | b64enc }}
+  AVP_AUTH_TYPE: {{ .Values.argoVaultPlugin.avpAuthType | b64enc }}
+  AVP_TYPE: {{ .Values.argoVaultPlugin.avpType | b64enc }}
+  AVP_K8S_ROLE: {{ .Values.argoVaultPlugin.avpK8SRole | b64enc }}
diff --git a/argo-cd/values.yaml b/argo-cd/values.yaml
@@ -0,0 +1,107 @@
+argo-cd:
+
+  configs:
+    cm:
+      exec.enabled: true
+
+  dex: 
+    enabled: false
+
+  server:
+    service:
+      type: LoadBalancer
+      servicePortHttp: 8090
+      servicePortHttps: 8092
+
+    extraArgs:
+      - --insecure
+
+  repoServer:
+    rbac:
+      - verbs:
+          - get
+          - list
+          - watch
+        apiGroups:
+          - ''
+        resources:
+          - secrets
+          - configmaps
+    initContainers:
+      - name: download-tools
+        image: registry.access.redhat.com/ubi8
+        env:
+          - name: AVP_VERSION
+            value: 1.17.0
+        command: [sh, -c]
+        args:
+          - >-
+            curl -L https://github.com/argoproj-labs/argocd-vault-plugin/releases/download/v$(AVP_VERSION)/argocd-vault-plugin_$(AVP_VERSION)_linux_amd64 -o argocd-vault-plugin &&
+            chmod +x argocd-vault-plugin &&
+            mv argocd-vault-plugin /custom-tools/
+        volumeMounts:
+          - mountPath: /custom-tools
+            name: custom-tools
+
+    extraContainers:
+      - name: avp
+        command: [/var/run/argocd/argocd-cmp-server]
+        image: quay.io/argoproj/argocd:v2.11.3
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 999
+        volumeMounts:
+          - mountPath: /var/run/argocd
+            name: var-files
+          - mountPath: /home/argocd/cmp-server/plugins
+            name: plugins
+          - mountPath: /tmp
+            name: tmp
+
+          # Register plugins into sidecar
+          - mountPath: /home/argocd/cmp-server/config/plugin.yaml
+            subPath: avp.yaml
+            name: cmp-plugin
+
+          # Important: Mount tools into $PATH
+          - name: custom-tools
+            subPath: argocd-vault-plugin
+            mountPath: /usr/local/bin/argocd-vault-plugin
+
+      - name: avp-helm
+        command: [/var/run/argocd/argocd-cmp-server]
+        image: quay.io/argoproj/argocd:v2.11.3
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 999
+        volumeMounts:
+          - mountPath: /var/run/argocd
+            name: var-files
+          - mountPath: /home/argocd/cmp-server/plugins
+            name: plugins
+          - mountPath: /tmp
+            name: tmp
+
+          # Register plugins into sidecar
+          - mountPath: /home/argocd/cmp-server/config/plugin.yaml
+            subPath: avp-helm.yaml
+            name: cmp-plugin
+
+          # Important: Mount tools into $PATH
+          - name: custom-tools
+            subPath: argocd-vault-plugin
+            mountPath: /usr/local/bin/argocd-vault-plugin
+
+    volumes:
+      - name: cmp-plugin
+        configMap:
+          name: cmp-plugin
+      - name: custom-tools
+        emptyDir: {}
+
+argoVaultPlugin:
+  vaultAddress: http://vault.core-services.svc:8200
+  avpAuthType: k8s
+  avpType: vault
+  avpK8SRole: argocd
+
diff --git a/charts/master-app/.helmignore b/charts/master-app/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/master-app/Chart.yaml b/charts/master-app/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: master-app
+description: A Helm chart for Kubernetes
+
+type: application
+
+version: 0.1.0
diff --git a/charts/master-app/templates/ai-services.yaml b/charts/master-app/templates/ai-services.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ .Values.aiServices.namespace }}
+  namespace: {{ .Values.argocdNamespace }}
+spec:
+  destination:
+    namespace: {{ .Values.aiServices.namespace }}
+    server: {{ .Values.server }}
+  source:
+    path: {{ .Values.aiServices.path }}
+    repoURL: {{ .Values.repoUrl }}
+    targetRevision: {{ .Values.targetRevision }}
+    helm:
+      valueFiles:
+        - values.yaml
+  project: {{ .Values.project }}
+  syncPolicy:
+    automated:
+      prune: {{ .Values.syncPolicy.automated.prune }}
+      selfHeal: {{ .Values.syncPolicy.automated.selfHeal }}
diff --git a/charts/master-app/templates/core-services.yaml b/charts/master-app/templates/core-services.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ .Values.coreServices.namespace }}
+  namespace: {{ .Values.argocdNamespace }}
+spec:
+  destination:
+    namespace: {{ .Values.coreServices.namespace }}
+    server: {{ .Values.server }}
+  source:
+    path: {{ .Values.coreServices.path }}
+    repoURL: {{ .Values.repoUrl }}
+    targetRevision: {{ .Values.targetRevision }}
+    helm:
+      valueFiles:
+        - values.yaml
+  project: {{ .Values.project }}
+  syncPolicy:
+    automated:
+      prune: {{ .Values.syncPolicy.automated.prune }}
+      selfHeal: {{ .Values.syncPolicy.automated.selfHeal }}