From 01168b093bec6a6cb04bff981a1e480740e2db45 Mon Sep 17 00:00:00 2001
From: Johannes Kleinlercher
Date: Thu, 23 May 2024 16:47:06 +0200
Subject: [PATCH 1/5] showcase how new teams could be onboarded for self-service app onboarding, part of https://github.com/suxess-it/sx-cnp-oss/issues/115
Signed-off-by: Johannes Kleinlercher
---
 .../argocd/templates/app-definition-ns.yaml | 7 +++
 .../charts/argocd/templates/app-project.yaml | 21 +++++++
 .../templates/kyverno-add-ns-quota.yaml | 58 +++++++++++++++++++
 platform-apps/charts/argocd/values-k3d.yaml | 9 +++
 platform-apps/charts/argocd/values.yaml | 3 +-
 5 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 platform-apps/charts/argocd/templates/app-definition-ns.yaml
 create mode 100644 platform-apps/charts/argocd/templates/app-project.yaml
 create mode 100644 platform-apps/charts/argocd/templates/kyverno-add-ns-quota.yaml
diff --git a/platform-apps/charts/argocd/templates/app-definition-ns.yaml b/platform-apps/charts/argocd/templates/app-definition-ns.yaml
new file mode 100644
index 00000000..9fbfba78
--- /dev/null
+++ b/platform-apps/charts/argocd/templates/app-definition-ns.yaml
@@ -0,0 +1,7 @@
+{{- range .Values.teams }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ .name }}-app-definitions
+---
+{{- end }}
\ No newline at end of file
diff --git a/platform-apps/charts/argocd/templates/app-project.yaml b/platform-apps/charts/argocd/templates/app-project.yaml
new file mode 100644
index 00000000..3719d86b
--- /dev/null
+++ b/platform-apps/charts/argocd/templates/app-project.yaml
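Review bot: The generated Namespace carries no label identifying its team, so nothing else in the chart can select the `*-app-definitions` namespaces as a group — the Kyverno generate rule added in this same patch, for example, can only exclude or target them by name. A `metadata.labels` entry such as `team: {{ .name }}` (label key is a placeholder; pick the project's convention) would give later admission policies and NetworkPolicies a stable selector. The `---` emitted at the end of each `range` iteration also leaves an empty trailing document in the rendered output; harmless, but placing `---` before each Namespace avoids it.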
@@ -0,0 +1,21 @@
+{{- range .Values.teams }}
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: {{ .name }}-project
+spec:
+ sourceNamespaces:
+ - {{ .name }}-app-definitions
+ clusterResourceWhitelist:
+ - group: ""
+ kind: Namespace
+ destinations:
+ - name: in-cluster
+ namespace: {{ .name }}-*
+ server: https://kubernetes.default.svc
+ sourceRepos:
+{{- range .sourceRepos }}
+ - {{ quote . }}
+{{- end }}
+---
+{{- end }}
\ No newline at end of file
diff --git a/platform-apps/charts/argocd/templates/kyverno-add-ns-quota.yaml b/platform-apps/charts/argocd/templates/kyverno-add-ns-quota.yaml
new file mode 100644
index 00000000..de260545
--- /dev/null
+++ b/platform-apps/charts/argocd/templates/kyverno-add-ns-quota.yaml
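Review bot: The `clusterResourceWhitelist` entry for `Namespace` lets every team project create or adopt Namespace objects of any name, because as far as I can see Argo CD applies the `{{ .name }}-*` destination pattern only to namespaced resources, so the whitelist is not bounded by the team prefix and another team's or a platform namespace could end up managed by a tenant Application. If teams must create their own namespaces, pair this with an admission rule (e.g. a Kyverno validate policy) that restricts Namespace names to the `{{ .name }}-` prefix, or leave namespace creation to the platform chart as app-definition-ns.yaml already does. The `{{ .name }}-*` glob is also purely prefix-based, so a team named `team` would match the namespaces of a team named `team-x`; the chart does not validate team names for such overlaps. Note that the k3d sample values use `sourceRepos: ['*']`, which turns the per-team `sourceRepos` restriction into a no-op outside a demo.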
@@ -0,0 +1,58 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-ns-quota + annotations: + policies.kyverno.io/title: Add Quota + policies.kyverno.io/category: Multi-Tenancy, EKS Best Practices + policies.kyverno.io/subject: ResourceQuota, LimitRange + policies.kyverno.io/minversion: 1.6.0 + policies.kyverno.io/description: >- + To better control the number of resources that can be created in a given + Namespace and provide default resource consumption limits for Pods, + ResourceQuota and LimitRange resources are recommended. + This policy will generate ResourceQuota and LimitRange resources when + a new Namespace is created. +spec: + rules: + - name: generate-resourcequota + match: + any: + - resources: + kinds: + - Namespace + generate: + apiVersion: v1 + kind: ResourceQuota + name: default-resourcequota + synchronize: true + namespace: "{{`{{request.object.metadata.name}}`}}" + data: + spec: + hard: + requests.cpu: '4' + requests.memory: '16Gi' + limits.cpu: '4' + limits.memory: '16Gi' + - name: generate-limitrange + match: + any: + - resources: + kinds: + - Namespace + generate: + apiVersion: v1 + kind: LimitRange + name: default-limitrange + synchronize: true + namespace: "{{`{{request.object.metadata.name}}`}}" + data: + spec: + limits: + - default: + cpu: 500m + memory: 1Gi + defaultRequest: + cpu: 200m + memory: 256Mi + type: Container \ No newline at end of file diff --git a/platform-apps/charts/argocd/values-k3d.yaml b/platform-apps/charts/argocd/values-k3d.yaml index 04c55b5b..07263a2c 100644 --- a/platform-apps/charts/argocd/values-k3d.yaml +++ b/platform-apps/charts/argocd/values-k3d.yaml @@ -1,3 +1,11 @@ +teams: + - name: team1 + sourceRepos: + - '*' + - name: team2 + sourceRepos: + - '*' + argo-cd: global: domain: argocd-127-0-0-1.nip.io @@ -5,6 +13,7 @@ argo-cd: configs: params: server.insecure: true + application.namespaces: "team1-app-definitions,team2-app-definitions" secret: createSecret: false 
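Review bot: Both `match` blocks select every `Namespace` with no `exclude`, so the generated ResourceQuota and LimitRange also land in kube-system, the Argo CD namespace and the `*-app-definitions` namespaces created by app-definition-ns.yaml, where a 4 CPU / 16Gi quota is unlikely to be intended. Add an `exclude` for the platform namespaces or match on a team label rather than on all Namespaces. Keep in mind that `generate` rules fire only for Namespaces created after the policy is installed unless `generateExisting` is enabled, so already-onboarded teams would not receive a quota.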
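Review bot: `application.namespaces` hard-codes `team1-app-definitions,team2-app-definitions` while the same team list already lives under `teams:` a few lines up, so adding a team to `teams` without updating this string leaves its Applications in a namespace Argo CD never watches and the team's app-of-apps silently never reconciles. Values files cannot be templated, so at minimum carry a comment next to the setting: `# keep in sync with .teams: one <name>-app-definitions entry per team`. The chart default values.yaml sets `teams: ~` but no `application.namespaces` at all, so any other environment that populates `teams` must also populate this parameter, and nothing in the chart checks that it does.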
diff --git a/platform-apps/charts/argocd/values.yaml b/platform-apps/charts/argocd/values.yaml index 262f4a42..f7d5da50 100644 --- a/platform-apps/charts/argocd/values.yaml +++ b/platform-apps/charts/argocd/values.yaml @@ -1,2 +1,3 @@ cert: - enabled: false \ No newline at end of file + enabled: false +teams: ~ \ No newline at end of file From 9bbe921a1aa1cda3606cad46748515710e22e8eb Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Thu, 23 May 2024 16:54:56 +0200 Subject: [PATCH 2/5] kyvernoPolicies should be optional Signed-off-by: Johannes Kleinlercher --- .../charts/argocd/templates/kyverno-add-ns-quota.yaml | 4 +++- platform-apps/charts/argocd/values-k3d.yaml | 3 +++ platform-apps/charts/argocd/values.yaml | 3 ++- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/platform-apps/charts/argocd/templates/kyverno-add-ns-quota.yaml b/platform-apps/charts/argocd/templates/kyverno-add-ns-quota.yaml index de260545..2a4d23ef 100644 --- a/platform-apps/charts/argocd/templates/kyverno-add-ns-quota.yaml +++ b/platform-apps/charts/argocd/templates/kyverno-add-ns-quota.yaml @@ -1,3 +1,4 @@ +{{ if has "resourcequota" .Values.kyvernoPolicies }} apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: @@ -55,4 +56,5 @@ spec: defaultRequest: cpu: 200m memory: 256Mi - type: Container \ No newline at end of file + type: Container +{{- end }} \ No newline at end of file diff --git a/platform-apps/charts/argocd/values-k3d.yaml b/platform-apps/charts/argocd/values-k3d.yaml index 07263a2c..72ae830d 100644 --- a/platform-apps/charts/argocd/values-k3d.yaml +++ b/platform-apps/charts/argocd/values-k3d.yaml @@ -6,6 +6,9 @@ teams: sourceRepos: - '*' +kyvernoPolicies: + - resourcequota + argo-cd: global: domain: argocd-127-0-0-1.nip.io diff --git a/platform-apps/charts/argocd/values.yaml b/platform-apps/charts/argocd/values.yaml index f7d5da50..6ce9f409 100644 --- a/platform-apps/charts/argocd/values.yaml +++ b/platform-apps/charts/argocd/values.yaml 
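Review bot: `teams: ~` makes the default a null, which `range` tolerates (it iterates zero times over nil) but reads as "unset" rather than "no teams"; `teams: []` states the intent as an explicit empty list. The same applies to `kyvernoPolicies: ~` introduced in the next patch, where `has "resourcequota" nil` then relies on Sprig's nil handling instead of on an explicit empty list. The file also still ends without a trailing newline after this change.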
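Review bot: `{{ if has "resourcequota" .Values.kyvernoPolicies }}` lacks the left-trim used by every other action in these templates, so the rendered manifest starts with a blank line and, when the policy is disabled, the template still renders a single newline; write `{{- if has "resourcequota" .Values.kyvernoPolicies }}`. With the chart default `kyvernoPolicies: ~`, `has` receives a nil haystack; current Sprig returns false for that, as far as I know, but `(.Values.kyvernoPolicies | default list)` makes the guard independent of the Sprig version. The ClusterPolicy body between this line and the closing `{{- end }}` lies outside the hunk.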
@@ -1,3 +1,4 @@ cert: enabled: false -teams: ~ \ No newline at end of file +teams: ~ +kyvernoPolicies: ~ \ No newline at end of file From 9396647460e5012349f85c48930bb81b7cfa9415 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Thu, 23 May 2024 17:12:18 +0200 Subject: [PATCH 3/5] add appOfApps to bootstrap team apps Signed-off-by: Johannes Kleinlercher --- .../charts/argocd/templates/app-of-apps.yaml | 22 +++++++++++++++++++ platform-apps/charts/argocd/values-k3d.yaml | 2 ++ 2 files changed, 24 insertions(+) create mode 100644 platform-apps/charts/argocd/templates/app-of-apps.yaml diff --git a/platform-apps/charts/argocd/templates/app-of-apps.yaml b/platform-apps/charts/argocd/templates/app-of-apps.yaml new file mode 100644 index 00000000..431f59b5 --- /dev/null +++ b/platform-apps/charts/argocd/templates/app-of-apps.yaml @@ -0,0 +1,22 @@ +{{- range .Values.teams }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: {{ .name }}-app-of-apps + namespace: {{ .name }}-app-definitions + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: {{ .name }}-app-definitions + server: https://kubernetes.default.svc + project: {{ .name }}-project + sources: + - path: . + repoURL: {{ .appOfAppsRepo }} + targetRevision: main + syncPolicy: + automated: + prune: true + selfHeal: true +{{- end }} \ No newline at end of file diff --git a/platform-apps/charts/argocd/values-k3d.yaml b/platform-apps/charts/argocd/values-k3d.yaml index 72ae830d..f50ae0b7 100644 --- a/platform-apps/charts/argocd/values-k3d.yaml +++ b/platform-apps/charts/argocd/values-k3d.yaml @@ -2,9 +2,11 @@ teams: - name: team1 sourceRepos: - '*' + appOfAppsRepo: https://github.com/suxess-it/approved-application - name: team2 sourceRepos: - '*' + appOfAppsRepo: https://github.com/suxess-it/approved-application kyvernoPolicies: - resourcequota From 5787d6222295373cb162adb7d80f5e427b0e3626 Mon Sep 17 00:00:00 2001 
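Review bot: The `resources-finalizer.argocd.argoproj.io` finalizer combined with `prune: true` means that removing a team entry from `teams` deletes this Application and cascades to every child Application it manages (and on to their workloads where those children carry the finalizer as well), so the onboarding list doubles as an offboarding kill-switch with no confirmation step. That may be intended for self-service, but it deserves a comment on the finalizer line, e.g. `# removing a team from .Values.teams cascades deletion to all of its Applications`, or the finalizer can be dropped so that offboarding orphans rather than destroys. The automated `selfHeal`/`prune` from the team's own repository is by design here and not an issue in itself.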
From: Johannes Kleinlercher Date: Thu, 23 May 2024 19:31:38 +0200 Subject: [PATCH 4/5] add some attribute to show that appset creation is also possible for teams who don't want to define apps by themselves Signed-off-by: Johannes Kleinlercher --- platform-apps/charts/argocd/values-k3d.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/platform-apps/charts/argocd/values-k3d.yaml b/platform-apps/charts/argocd/values-k3d.yaml index f50ae0b7..97c18ede 100644 --- a/platform-apps/charts/argocd/values-k3d.yaml +++ b/platform-apps/charts/argocd/values-k3d.yaml @@ -7,6 +7,9 @@ teams: sourceRepos: - '*' appOfAppsRepo: https://github.com/suxess-it/approved-application + # in the future maybe also some attributes for an scm / git application-set instead of appOfApps possible + scmAppSet: ~ + gitAppSet: ~ kyvernoPolicies: - resourcequota From e4185b7fbf9a38dd767458975bf7516540de3c20 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Thu, 23 May 2024 19:37:42 +0200 Subject: [PATCH 5/5] add additonal attributes for appOfAppsRepo Signed-off-by: Johannes Kleinlercher --- platform-apps/charts/argocd/templates/app-of-apps.yaml | 6 +++--- platform-apps/charts/argocd/values-k3d.yaml | 10 ++++++++-- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/platform-apps/charts/argocd/templates/app-of-apps.yaml b/platform-apps/charts/argocd/templates/app-of-apps.yaml index 431f59b5..30d0274e 100644 --- a/platform-apps/charts/argocd/templates/app-of-apps.yaml +++ b/platform-apps/charts/argocd/templates/app-of-apps.yaml @@ -12,9 +12,9 @@ spec: server: https://kubernetes.default.svc project: {{ .name }}-project sources: - - path: . - repoURL: {{ .appOfAppsRepo }} - targetRevision: main + - path: {{ .appOfAppsRepo.path }} + repoURL: {{ .appOfAppsRepo.repoURL }} + targetRevision: {{ .appOfAppsRepo.revision }} syncPolicy: automated: prune: true 
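Review bot: `{{ .appOfAppsRepo.repoURL }}`, `.path` and `.revision` are dereferenced unconditionally, so a team entry without `appOfAppsRepo` — exactly the case the `scmAppSet`/`gitAppSet` placeholders from the previous patch anticipate — makes `helm template` fail with a nil-pointer error instead of simply emitting no app-of-apps Application for that team. Guard the whole Application inside the `range` with `{{- if .appOfAppsRepo }}` … `{{- end }}`, mark `repoURL` as `required`, and render the three values with `quote`, as app-project.yaml already does for `sourceRepos`, so a revision or path that looks like a number stays a string. The chart still does not check that `repoURL` is covered by the team's `sourceRepos`; a mismatch surfaces only as a sync error in Argo CD. The enclosing `range` and the Application header lie outside this hunk.

```yaml
{{- if .appOfAppsRepo }}
# … unchanged: Application header, metadata, spec.destination, spec.project …
  sources:
    - path: {{ .appOfAppsRepo.path | quote }}
      repoURL: {{ required "teams[].appOfAppsRepo.repoURL is required" .appOfAppsRepo.repoURL | quote }}
      targetRevision: {{ .appOfAppsRepo.revision | quote }}
# … unchanged: syncPolicy …
{{- end }}
```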
diff --git a/platform-apps/charts/argocd/values-k3d.yaml b/platform-apps/charts/argocd/values-k3d.yaml index 97c18ede..50bbe14b 100644 --- a/platform-apps/charts/argocd/values-k3d.yaml +++ b/platform-apps/charts/argocd/values-k3d.yaml @@ -2,11 +2,17 @@ teams: - name: team1 sourceRepos: - '*' - appOfAppsRepo: https://github.com/suxess-it/approved-application + appOfAppsRepo: + repoURL: https://github.com/suxess-it/team1-apps + path: k3d-apps + revision: main - name: team2 sourceRepos: - '*' - appOfAppsRepo: https://github.com/suxess-it/approved-application + appOfAppsRepo: + repoURL: https://github.com/suxess-it/team2-apps + path: k3d-apps + revision: main # in the future maybe also some attributes for an scm / git application-set instead of appOfApps possible scmAppSet: ~ gitAppSet: ~