From b8fc6835f20b40cf7748e2965005aabb0450fbd5 Mon Sep 17 00:00:00 2001 
From: Alexander Ulyanov Date: Wed, 23 Oct 2024 16:58:54 +0200 Subject: [PATCH 1/4] initial --- .../argo-workflows/application.yaml | 1 + .../components/argocd/argocd-sa.yaml | 49 +++++++++++++++++++ .../components/argocd/externalsecrets.yaml | 26 +++++++++- .../components/argocd/kustomization.yaml | 1 + .../components/atlantis/application.yaml | 2 + .../components/atlantis/externalsecret.yaml | 26 +++++++++- .../components/backstage/application.yaml | 3 +- .../components/backstage/externalsecret.yaml | 24 +++++++++ .../devsecops/kyverno/externalsecret.yaml | 24 +++++++++ .../components/devsecops/kyverno/kyverno.yaml | 3 ++ .../devsecops/trivy/trivy-operator.yaml | 3 ++ .../components/harbor/externalsecret.yaml | 27 +++++++++- .../components/harbor/harbor.yaml | 2 + .../kube-system/reloader/application.yaml | 3 ++ .../kube-system/reloader/externalsecret.yaml | 24 +++++++++ .../components/loki/externalsecret.yaml | 24 +++++++++ .../core-services/components/loki/loki.yaml | 2 + .../components/monitoring/externalsecret.yaml | 1 + .../monitoring/kube-prometheus-stack.yaml | 3 ++ .../application.yaml | 3 +- .../externalsecret.yaml | 27 +++++++++- .../cluster-autoscaler/application.yaml | 3 ++ .../cluster-autoscaler/externalsecret.yaml | 24 +++++++++ .../components/scalers/keda/application.yaml | 2 + .../scalers/keda/externalsecret.yaml | 24 +++++++++ .../components/sonarqube/externalsecret.yaml | 25 ++++++++++ .../components/sonarqube/sonarqube.yaml | 3 ++ .../modules/secrets_vault/secrets.tf | 6 ++- .../modules/secrets_vault/variables.tf | 6 +++ platform/terraform/secrets/main.tf | 1 + platform/terraform/secrets/variable.tf | 6 +++ tools/cli/commands/setup.py | 21 ++++++-- tools/cli/common/const/parameter_names.py | 1 + 33 files changed, 390 insertions(+), 10 deletions(-) create mode 100644 platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argocd/argocd-sa.yaml create mode 100644 
platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/backstage/externalsecret.yaml create mode 100644 platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/kyverno/externalsecret.yaml create mode 100644 platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kube-system/reloader/externalsecret.yaml create mode 100644 platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/loki/externalsecret.yaml create mode 100644 platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/cluster-autoscaler/externalsecret.yaml create mode 100644 platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/keda/externalsecret.yaml diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argo-workflows/application.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argo-workflows/application.yaml index 87c98d88..3a40fbbb 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argo-workflows/application.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argo-workflows/application.yaml @@ -43,6 +43,7 @@ spec: pullPolicy: IfNotPresent pullSecrets: - name: proxy-docker-config + - name: docker-config mainContainer: resources: requests: diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argocd/argocd-sa.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argocd/argocd-sa.yaml new file mode 100644 index 00000000..2e6d6ce5 --- /dev/null +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argocd/argocd-sa.yaml 
@@ -0,0 +1,49 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-application-controller +imagePullSecrets: + - name: docker-config +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-applicationset-controller +imagePullSecrets: + - name: docker-config +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-notifications-controller +imagePullSecrets: + - name: docker-config +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-redis-ha +imagePullSecrets: + - name: docker-config +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-redis-ha-haproxy +imagePullSecrets: + - name: docker-config +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-repo-server +imagePullSecrets: + - name: docker-config +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-server +imagePullSecrets: + - name: docker-config \ No newline at end of file diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argocd/externalsecrets.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argocd/externalsecrets.yaml index 7a45436f..913f67fa 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argocd/externalsecrets.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argocd/externalsecrets.yaml 
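Review bot: The strategic-merge patch in `argocd-sa.yaml` names seven ServiceAccounts, and kustomize fails the build if any patch target is absent from the base; `argocd-redis-ha` and `argocd-redis-ha-haproxy` presumably exist only when the HA Redis variant is rendered, so confirm the base emits them before relying on this. A header comment such as `# Attach the docker-config pull secret to every Argo CD component SA; patched onto the upstream manifests via kustomization.yaml` would tell the next maintainer why these otherwise empty ServiceAccount documents exist. The file also lacks a trailing newline.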
@@ -43,4 +43,28 @@ spec: - remoteRef: key: cd-secrets property: cd_webhook_secret - secretKey: cd_webhook_secret \ No newline at end of file + secretKey: cd_webhook_secret +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: docker-config + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson \ No newline at end of file diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argocd/kustomization.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argocd/kustomization.yaml index e887943b..6e2027fe 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argocd/kustomization.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argocd/kustomization.yaml @@ -15,6 +15,7 @@ patches: - path: argocd-cmd-params-cm.yaml - path: argocd-rbac-cm.yaml - path: argocd-secret.yaml +- path: argocd-sa.yaml generatorOptions: disableNameSuffixHash: true diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/atlantis/application.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/atlantis/application.yaml index 7f37bb85..b3ded9ce 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/atlantis/application.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/atlantis/application.yaml 
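Review bot: The `docker-config` Secret materialised by this ExternalSecret holds the merged `auths` map for every registry the platform knows about, and this commit stamps the same definition into roughly a dozen namespaces, so any principal or pod able to read Secrets in any one of them obtains every registry token at once. If the per-registry tokens from `image_registry_auth` are only needed by a subset of components, keep them under a separate Vault key and reference that key only where it is needed instead of one all-registries blob. `refreshInterval: 10s` also makes each copy poll Vault every ten seconds for a credential that rarely changes; `refreshInterval: 1h` would be kinder to Vault and its audit log.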
@@ -69,6 +69,8 @@ spec: apply_requirements: [mergeable] volumeClaim: dataStorage: 20Gi + imagePullSecrets: + - docker-config destination: server: 'https://kubernetes.default.svc' namespace: atlantis diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/atlantis/externalsecret.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/atlantis/externalsecret.yaml index 52efe44f..94417a3f 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/atlantis/externalsecret.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/atlantis/externalsecret.yaml @@ -30,4 +30,28 @@ spec: refreshInterval: 10s dataFrom: - extract: - key: /atlantis/basic-auth-secrets \ No newline at end of file + key: /atlantis/basic-auth-secrets +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: docker-config + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson \ No newline at end of file diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/backstage/application.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/backstage/application.yaml index 8d540ea3..aa6d7693 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/backstage/application.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/backstage/application.yaml 
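Review bot: `imagePullSecrets` in the Atlantis values lists the bare string `- docker-config`, while every other component in this commit uses the `- name: docker-config` form; that is only correct if the Atlantis chart wraps each entry in `name:` itself, so confirm against the chart template, because a mis-shaped entry would either fail the sync or leave the pod without the secret depending on how the chart renders it. Once confirmed, an inline comment, `# chart expects plain secret names here, not LocalObjectReference entries`, saves the next reader the same check. The atlantis ExternalSecret hunk on this line repeats the docker-config definition verbatim.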
@@ -21,7 +21,8 @@ spec: cg-devx.metadata.version: 1.17.0-next.2 global: imageRegistry: "" - imagePullSecrets: [] + imagePullSecrets: + - docker-config kubeVersion: "" nameOverride: "" fullnameOverride: "" diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/backstage/externalsecret.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/backstage/externalsecret.yaml new file mode 100644 index 00000000..16298ac9 --- /dev/null +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/backstage/externalsecret.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: docker-config + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson \ No newline at end of file diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/kyverno/externalsecret.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/kyverno/externalsecret.yaml new file mode 100644 index 00000000..16298ac9 --- /dev/null +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/kyverno/externalsecret.yaml 
@@ -0,0 +1,24 @@ +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: docker-config + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson \ No newline at end of file diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/kyverno/kyverno.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/kyverno/kyverno.yaml index c583f54e..72caa578 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/kyverno/kyverno.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/kyverno/kyverno.yaml @@ -23,6 +23,9 @@ spec: cg-devx.metadata.service: policy-engine.kyverno cg-devx.metadata.chart-version: 3.2.7 cg-devx.metadata.version: 1.12.6 + global: + imagePullSecrets: + - name: docker-config syncPolicy: automated: prune: true diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/trivy/trivy-operator.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/trivy/trivy-operator.yaml index b7b479fa..aed503f3 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/trivy/trivy-operator.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/devsecops/trivy/trivy-operator.yaml @@ -19,6 +19,9 @@ spec: helm: releaseName: trivy-operator values: | + image: + pullSecrets: + - name: docker-config trivy: ignoreUnfixed: false labels: 
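Review bot: `image.pullSecrets` in the trivy-operator hunk presumably applies only to the operator Deployment; the scan-job pods, which perform the actual pulls of the scanner image and of the scanned workloads' images, are configured through separate chart values, so if the goal is to avoid registry rate limits during scans this setting alone is unlikely to cover them — confirm against the chart. Once confirmed, a comment beside the value, `# operator pod only; scan jobs take their pull secrets from separate settings`, would prevent the same assumption later. The kyverno hunk on this line uses the chart-wide `global.imagePullSecrets`, which is the right knob there.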
diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/harbor/externalsecret.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/harbor/externalsecret.yaml index 0b9bd2de..47e40e91 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/harbor/externalsecret.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/harbor/externalsecret.yaml @@ -1,4 +1,5 @@ -apiVersion: external-secrets.io/v1beta1 +--- +apiVersion: 'external-secrets.io/v1beta1' kind: ExternalSecret metadata: name: harbor-admin @@ -14,3 +15,27 @@ spec: dataFrom: - extract: key: secret/harbor/admin-auth +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: docker-config + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson \ No newline at end of file diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/harbor/harbor.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/harbor/harbor.yaml index 02247709..c1921672 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/harbor/harbor.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/harbor/harbor.yaml @@ -20,6 +20,8 @@ spec: releaseName: harbor values: | externalURL: https:// + imagePullSecrets: + - name: docker-config expose: type: ingress tls: 
diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kube-system/reloader/application.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kube-system/reloader/application.yaml index b3a30830..c1283261 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kube-system/reloader/application.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kube-system/reloader/application.yaml @@ -13,6 +13,9 @@ spec: chart: reloader helm: values: |- + global: + imagePullSecrets: + - name: docker-config reloader: ignoreSecrets: false reloadStrategy: annotations diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kube-system/reloader/externalsecret.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kube-system/reloader/externalsecret.yaml new file mode 100644 index 00000000..16298ac9 --- /dev/null +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kube-system/reloader/externalsecret.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: docker-config + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson \ No newline at end of file diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/loki/externalsecret.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/loki/externalsecret.yaml new file mode 100644 index 00000000..16298ac9 --- /dev/null 
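Review bot: The new `externalsecret.yaml` under `kube-system/reloader` places a copy of the all-registries `docker-config` Secret in what the path suggests is `kube-system` (the Application's destination namespace is outside this hunk), a namespace many cluster add-ons already have broad read access to. If Reloader's image can be pulled without credentials, dropping this copy and the `global.imagePullSecrets` value removes one more place the tokens live; if it cannot, a comment in the ExternalSecret, `# Reloader pulls from a rate-limited registry; secret deliberately lives in kube-system`, records the trade-off.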
+++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/loki/externalsecret.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: docker-config + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson \ No newline at end of file diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/loki/loki.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/loki/loki.yaml index 2165ad54..54ad6984 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/loki/loki.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/loki/loki.yaml @@ -16,6 +16,8 @@ spec: chart: loki helm: values: |- + imagePullSecrets: + - name: docker-config loki: auth_enabled: false commonConfig: diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/monitoring/externalsecret.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/monitoring/externalsecret.yaml index 44efbca9..5d03250b 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/monitoring/externalsecret.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/monitoring/externalsecret.yaml @@ -1,3 +1,4 @@ +--- apiVersion: 'external-secrets.io/v1beta1' kind: ExternalSecret metadata: 
diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/monitoring/kube-prometheus-stack.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/monitoring/kube-prometheus-stack.yaml index aee292e9..f7ff097a 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/monitoring/kube-prometheus-stack.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/monitoring/kube-prometheus-stack.yaml @@ -17,6 +17,9 @@ spec: helm: skipCrds: true values: |- + global: + imagePullSecrets: + - name: docker-config commonLabels: cg-devx.cost-allocation.cost-center: platform cg-devx.metadata.owner: -admin diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/runners/github/actions-runner-controller/application.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/runners/github/actions-runner-controller/application.yaml index 3a14dea3..d8a5e9b2 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/runners/github/actions-runner-controller/application.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/runners/github/actions-runner-controller/application.yaml @@ -40,7 +40,8 @@ spec: # It's added to spec.ImagePullSecrets of self-hosted runner pods. actionsRunnerImagePullSecrets: [] - imagePullSecrets: [] + imagePullSecrets: + - name: docker-config nameOverride: "" fullnameOverride: "" diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/runners/github/actions-runner-controller/externalsecret.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/runners/github/actions-runner-controller/externalsecret.yaml index f917c32c..25179837 100644 
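Review bot: `imagePullSecrets` in the actions-runner-controller values now carries `docker-config` for the controller, but the context line `actionsRunnerImagePullSecrets: []`, which per the preceding comment feeds the runner pods, stays empty, so the pods that pull on every job keep pulling anonymously. That may be deliberate — a runner executes arbitrary workflow code, and referencing the merged secret from its namespace widens where those tokens can be read — but the choice should be explicit: either add `# intentionally empty: runner pods must not receive the shared registry tokens` or wire a runner-specific, narrower secret. The kube-prometheus-stack hunk on this line uses the chart's `global.imagePullSecrets` and needs no change.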
--- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/runners/github/actions-runner-controller/externalsecret.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/runners/github/actions-runner-controller/externalsecret.yaml @@ -1,3 +1,4 @@ +--- apiVersion: external-secrets.io/v1alpha1 kind: ExternalSecret metadata: @@ -14,4 +15,28 @@ spec: - remoteRef: key: ci-secrets property: PERSONAL_ACCESS_TOKEN - secretKey: github_token \ No newline at end of file + secretKey: github_token +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: docker-config + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson \ No newline at end of file diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/cluster-autoscaler/application.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/cluster-autoscaler/application.yaml index 9a6e5478..eb5b779d 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/cluster-autoscaler/application.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/cluster-autoscaler/application.yaml @@ -14,6 +14,9 @@ spec: helm: values: |- affinity: {} + image: + pullSecrets: + - name: docker-config additionalLabels: cg-devx.cost-allocation.cost-center: platform cg-devx.metadata.owner: -admin 
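Review bot: The actions-runner-controller externalsecret now mixes two API versions: the existing `github_token` ExternalSecret (context lines) stays on `external-secrets.io/v1alpha1` while the appended `docker-config` document uses `v1beta1`. v1alpha1 is the deprecated ESO API, and since the file is being touched it is the moment to change its second line to `apiVersion: external-secrets.io/v1beta1` so both documents age together. The cluster-autoscaler hunk on this line uses the chart's `image.pullSecrets` and is fine.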
diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/cluster-autoscaler/externalsecret.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/cluster-autoscaler/externalsecret.yaml new file mode 100644 index 00000000..16298ac9 --- /dev/null +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/cluster-autoscaler/externalsecret.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: docker-config + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson \ No newline at end of file diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/keda/application.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/keda/application.yaml index d7a4e5d7..b7439737 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/keda/application.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/keda/application.yaml @@ -14,6 +14,8 @@ spec: helm: values: |- clusterName: + imagePullSecrets: + - name: docker-config additionalLabels: cg-devx.cost-allocation.cost-center: platform cg-devx.metadata.owner: -admin 
diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/keda/externalsecret.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/keda/externalsecret.yaml new file mode 100644 index 00000000..16298ac9 --- /dev/null +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/scalers/keda/externalsecret.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: docker-config + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson \ No newline at end of file diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/sonarqube/externalsecret.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/sonarqube/externalsecret.yaml index 6d4e8f73..e328cc9c 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/sonarqube/externalsecret.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/sonarqube/externalsecret.yaml @@ -1,3 +1,4 @@ +--- apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: 
@@ -14,3 +15,27 @@ spec: dataFrom: - extract: key: secret/sonarqube/admin-auth +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: docker-config + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson \ No newline at end of file diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/sonarqube/sonarqube.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/sonarqube/sonarqube.yaml index 9414f3bb..653f47a5 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/sonarqube/sonarqube.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/sonarqube/sonarqube.yaml @@ -19,6 +19,9 @@ spec: helm: releaseName: sonarqube values: | + image: + pullSecrets: + - name: docker-config persistence: enabled: false plugins: diff --git a/platform/terraform/modules/secrets_vault/secrets.tf b/platform/terraform/modules/secrets_vault/secrets.tf index b9560d96..239b01d2 100644 --- a/platform/terraform/modules/secrets_vault/secrets.tf +++ b/platform/terraform/modules/secrets_vault/secrets.tf @@ -4,6 +4,7 @@ locals { grafana_admin_user = "admin" atlantis_admin_user = "admin" sonarqube_admin_user = "admin" + image_registry_auth = tomap({ for key, value in var.image_registry_auth: key => base64encode("${value.name}:${value.token}") }) } resource "vault_generic_secret" "docker_config" { 
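Review bot: The added `image_registry_auth` local maps each registry key to a bare base64 string, but an entry in a `.dockerconfigjson` `auths` map must be an object with an `auth` field — the shape the existing `""` entry in the next hunk uses — so the merged config will contain entries like `"docker.io": "dXNlcjp0b2tlbg=="`, which the kubelet's dockerconfigjson decoder is unlikely to accept and may well break the whole secret rather than just that entry. Change it to `image_registry_auth = { for key, value in var.image_registry_auth : key => { auth = base64encode("${value.name}:${value.token}") } }` (the `tomap` wrapper is redundant). A comment stating that the map key is the registry host as written in image references and `name` is the username would stop the next reader from treating `name` as a registry name.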
@@ -11,7 +12,10 @@ resource "vault_generic_secret" "docker_config" { data_json = jsonencode( { - dockerconfig = jsonencode({ "auths" : { "" : { "auth" : "${local.b64_docker_auth}" } } }), + dockerconfig = jsonencode({ "auths" : merge( + { "" : { "auth" : "${local.b64_docker_auth}" }}, + local.image_registry_auth) + }) } ) diff --git a/platform/terraform/modules/secrets_vault/variables.tf b/platform/terraform/modules/secrets_vault/variables.tf index 8031f48c..b0df569b 100644 --- a/platform/terraform/modules/secrets_vault/variables.tf +++ b/platform/terraform/modules/secrets_vault/variables.tf @@ -82,3 +82,9 @@ variable "cloud_binary_artifacts_store_access_key" { type = string default = "" } + +variable "image_registry_auth" { + description = "Specifies the access keys for image registries" + type = map(object({name = string, token = string})) + default = {} +} diff --git a/platform/terraform/secrets/main.tf b/platform/terraform/secrets/main.tf index c1e31d78..604aef31 100644 --- a/platform/terraform/secrets/main.tf +++ b/platform/terraform/secrets/main.tf @@ -35,4 +35,5 @@ module "secrets" { cluster_ssh_public_key = var.cluster_ssh_public_key tf_backend_storage_access_key = var.tf_backend_storage_access_key cloud_binary_artifacts_store_access_key = var.cloud_binary_artifacts_store_access_key + image_registry_auth = var.image_registry_auth } diff --git a/platform/terraform/secrets/variable.tf b/platform/terraform/secrets/variable.tf index e17faa42..63ecc967 100644 --- a/platform/terraform/secrets/variable.tf +++ b/platform/terraform/secrets/variable.tf @@ -75,3 +75,9 @@ variable "cloud_binary_artifacts_store_access_key" { type = string default = "" } + +variable "image_registry_auth" { + description = "Specifies the access keys for image registries" + type = map(object({name = string, token = string})) + default = {} +} \ No newline at end of file diff --git a/tools/cli/commands/setup.py b/tools/cli/commands/setup.py index 7d9e9b95..574a19ee 100644 
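Review bot: `image_registry_auth` carries registry tokens, yet neither this module variable nor the root copy in `platform/terraform/secrets/variable.tf` on the same line is marked `sensitive = true`, so the values print in `terraform plan` diffs and in any CI log that captures them. Add `sensitive = true` to both declarations; `vault_generic_secret.data_json` being sensitive protects the resource attribute, not the variable itself. The description could also state the contract, e.g. `Map of registry host => { name = username, token = password or access token }`, which neither declaration currently does.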
--- a/tools/cli/commands/setup.py +++ b/tools/cli/commands/setup.py @@ -19,7 +19,7 @@ CLOUD_ACCOUNT_ACCESS_SECRET, CLOUD_REGION, PRIMARY_CLUSTER_NAME, DNS_REGISTRAR, DNS_REGISTRAR_ACCESS_TOKEN, \ DNS_REGISTRAR_ACCESS_KEY, DNS_REGISTRAR_ACCESS_SECRET, DOMAIN_NAME, GIT_PROVIDER, GIT_ORGANIZATION_NAME, \ GIT_ACCESS_TOKEN, GITOPS_REPOSITORY_NAME, GITOPS_REPOSITORY_TEMPLATE_URL, GITOPS_REPOSITORY_TEMPLATE_BRANCH, \ - DEMO_WORKLOAD, OPTIONAL_SERVICES + DEMO_WORKLOAD, OPTIONAL_SERVICES, IMAGE_REGISTRY_AUTH from common.enums.cloud_providers import CloudProviders from common.enums.dns_registrars import DnsRegistrars from common.enums.git_providers import GitProviders @@ -74,6 +74,7 @@ is_flag=True) @click.option('--optional-services', '-ops', 'optional_services', help='Optional services', type=click.STRING, multiple=True) +@click.option('--image-registry-auth', '-ra', 'image_registry_auth', help='Image registry auth map') @click.option('--config-file', '-f', 'config', help='Load parameters from file', type=click.File(mode='r')) @click.option('--verbosity', type=click.Choice( ['DEBUG', 'INFO', 'WARNING', 'ERROR', 'CRITICAL'], @@ -84,7 +85,7 @@ def setup( cloud_region: str, cluster_name: str, dns_reg: DnsRegistrars, dns_reg_token: str, dns_reg_key: str, dns_reg_secret: str, domain: str, git_provider: GitProviders, git_org: str, git_token: str, gitops_repo_name: str, gitops_template_url: str, gitops_template_branch: str, install_demo: bool, - optional_services: List[str], config: click.File, verbosity: str + optional_services: List[str], image_registry_auth, config: click.File, verbosity: str ): """Creates new CG DevX installation.""" click.echo("Setup CG DevX installation...") 
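Review bot: `--image-registry-auth` is declared without a `type` or `callback`, so from the command line it yields a plain string, while the validator later in this file and the Terraform variable (`map(object({name, token}))`) expect a mapping; unless `get_input_param` parses strings (not shown here), the flag only works through `--config-file` and a CLI-supplied value would fail on `.items()`. Passing registry tokens on argv also exposes them through shell history and the process list, so either drop the flag and document config-file-only, or parse JSON in a `callback=` and warn in the help text: `help='Image registry auth map as JSON; prefer --config-file to keep tokens out of shell history'`. The body of `setup()` continues outside this hunk.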
@@ -126,7 +127,8 @@ def setup( GITOPS_REPOSITORY_TEMPLATE_URL: gitops_template_url, GITOPS_REPOSITORY_TEMPLATE_BRANCH: gitops_template_branch, DEMO_WORKLOAD: install_demo, - OPTIONAL_SERVICES: optional_services + OPTIONAL_SERVICES: optional_services, + IMAGE_REGISTRY_AUTH: image_registry_auth }) # validate parameters @@ -757,6 +759,9 @@ def setup( if "CLOUD_BINARY_ARTIFACTS_STORE_ACCESS_KEY" in p.internals: sec_man_tf_params["cloud_binary_artifacts_store_access_key"] = p.internals["CLOUD_BINARY_ARTIFACTS_STORE_ACCESS_KEY"] + if "IMAGE_REGISTRY_AUTH" in p.internals: + sec_man_tf_params["image_registry_auth"] = p.internals["IMAGE_REGISTRY_AUTH"] + tf_wrapper.apply(sec_man_tf_params) sec_man_out = tf_wrapper.output() @@ -996,6 +1001,7 @@ def prepare_parameters(p): p.parameters[""] = p.get_input_param(PRIMARY_CLUSTER_NAME) p.parameters[""] = p.git_provider p.internals["GIT_ACCESS_TOKEN"] = p.get_input_param(GIT_ACCESS_TOKEN) + p.internals["IMAGE_REGISTRY_AUTH"] = p.get_input_param(IMAGE_REGISTRY_AUTH) p.parameters[""] = p.get_input_param(GITOPS_REPOSITORY_NAME).lower() org_name = p.get_input_param(GIT_ORGANIZATION_NAME).lower() p.parameters[""] = org_name @@ -1089,4 +1095,13 @@ def setup_param_validator(params: StateStore) -> bool: f"Features list parsing error: unsupported features found - {str.join(', ', incorrect_services)}") return False + if params.get_input_param(IMAGE_REGISTRY_AUTH): + for k, v in params.get_input_param(IMAGE_REGISTRY_AUTH).items(): + if "name" not in v and "token" not in v: + click.echo(f"Image registry auth {k} has incorrect structure") + return False + if not v["name"] and not v["token"]: + click.echo(f"Image registry {k} should have name and token specified") + return False + return True diff --git a/tools/cli/common/const/parameter_names.py b/tools/cli/common/const/parameter_names.py index d4bed75e..307dd981 100644 --- a/tools/cli/common/const/parameter_names.py +++ b/tools/cli/common/const/parameter_names.py 
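Review bot: The structure checks added to `setup_param_validator` use `and` where `or` is needed: `if "name" not in v and "token" not in v` only rejects an entry missing both keys, so one with just `name` passes and the next line's `v["token"]` raises KeyError, and `if not v["name"] and not v["token"]` accepts an empty token as long as a name is set. Change them to `if not isinstance(v, dict) or "name" not in v or "token" not in v:` and `if not v["name"] or not v["token"]:`; the `isinstance` guard also covers a value that arrived as a string from the CLI. `setup_param_validator` starts outside this hunk.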
@@ -18,3 +18,4 @@ GITOPS_REPOSITORY_TEMPLATE_BRANCH = 'gitops-template-branch' DEMO_WORKLOAD = 'setup-demo-workload' OPTIONAL_SERVICES = 'optional-services' +IMAGE_REGISTRY_AUTH = 'image-registry-auth' From fa5b55aec4cb4a7e01a0c76d31ecf4a91174a7b6 Mon Sep 17 00:00:00 2001 From: Alexander Ulyanov Date: Wed, 23 Oct 2024 19:47:32 +0200 Subject: [PATCH 2/4] add support for kubecost --- .../components/kubecost/externalsecret.yaml | 24 +++++++++++++++++++ .../components/kubecost/kubecost.yaml | 2 ++ 2 files changed, 26 insertions(+) create mode 100644 platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kubecost/externalsecret.yaml diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kubecost/externalsecret.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kubecost/externalsecret.yaml new file mode 100644 index 00000000..16298ac9 --- /dev/null +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kubecost/externalsecret.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: docker-config + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson \ No newline at end of file diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kubecost/kubecost.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kubecost/kubecost.yaml index 9726e844..10386480 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kubecost/kubecost.yaml 
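Review bot: The new kubecost `externalsecret.yaml` ends without a trailing newline (`\ No newline at end of file`) and carries no comment on why kubecost needs its own copy of the `docker-config` ExternalSecret that other components (argo-workflows, visible in the context of patch 3) already define against the same Vault key, so a reader cannot tell whether the duplication is intentional. A header comment such as `# Registry pull secret rendered from Vault key 'dockerconfigjson'; must exist in kubecost's namespace for the imagePullSecrets reference in kubecost.yaml` would document the coupling. `refreshInterval: 10s` also re-reads the credential from Vault every ten seconds for this copy; if that cadence is not needed for rotation, a longer interval reduces Vault traffic and audit-log noise.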
+++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/kubecost/kubecost.yaml @@ -19,6 +19,8 @@ spec: helm: releaseName: kubecost values: | + imagePullSecrets: + - name: docker-config global: additionalLabels: cg-devx.cost-allocation.cost-center: platform From 5a82b616c144cf64c4d359fe4a5430d4eda802c5 Mon Sep 17 00:00:00 2001 From: Alexander Ulyanov Date: Thu, 24 Oct 2024 18:29:03 +0200 Subject: [PATCH 3/4] drop not used secret --- .../argo-workflows/externalsecret.yaml | 19 ------------------- .../modules/secrets_vault/secrets.tf | 14 +------------- 2 files changed, 1 insertion(+), 32 deletions(-) diff --git a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argo-workflows/externalsecret.yaml b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argo-workflows/externalsecret.yaml index 019789bd..eaf4db13 100644 --- a/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argo-workflows/externalsecret.yaml +++ b/platform/gitops-pipelines/delivery/clusters/cc-cluster/core-services/components/argo-workflows/externalsecret.yaml @@ -40,25 +40,6 @@ spec: --- apiVersion: 'external-secrets.io/v1beta1' kind: ExternalSecret -metadata: - name: container-registry-auth - annotations: - argocd.argoproj.io/sync-wave: '0' -spec: - target: - name: container-registry-auth - secretStoreRef: - kind: ClusterSecretStore - name: vault-kv-secret - refreshInterval: 10s - data: - - remoteRef: - key: registry-auth - property: auth - secretKey: config.json ---- -apiVersion: 'external-secrets.io/v1beta1' -kind: ExternalSecret metadata: name: docker-config annotations: diff --git a/platform/terraform/modules/secrets_vault/secrets.tf b/platform/terraform/modules/secrets_vault/secrets.tf index 239b01d2..4f60d93c 100644 --- a/platform/terraform/modules/secrets_vault/secrets.tf +++ b/platform/terraform/modules/secrets_vault/secrets.tf 
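Review bot: `imagePullSecrets` is inserted at the top level of the Helm values, but whether the kubecost chart pinned by this Application reads a top-level `imagePullSecrets` rather than `global.imagePullSecrets` or per-component keys is not verifiable from the hunk (the chart version sits outside it). Helm ignores unrecognised values silently, so if the key is wrong the pods keep pulling anonymously and the change is a no-op; confirm against the chart's values.yaml or a `helm template` render before merging. A comment on the added line, `# pull secret created by externalsecret.yaml in this directory`, would tie the two files together.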
@@ -8,7 +8,7 @@ locals { } resource "vault_generic_secret" "docker_config" { - path = "secret/dockerconfigjson" + path = "secret/dockerconfigjson" data_json = jsonencode( { @@ -22,18 +22,6 @@ resource "vault_generic_secret" "docker_config" { depends_on = [vault_mount.secret] } -resource "vault_generic_secret" "registry_auth" { - path = "secret/registry-auth" - - data_json = jsonencode( - { - auth = jsonencode({ "auths" : { "" : { "auth" : "${local.b64_docker_auth}" } } }), - } - ) - - depends_on = [vault_mount.secret] -} - resource "vault_generic_secret" "ci_secrets" { path = "secret/ci-secrets" From 3df88ab98fe209c0e409c85db9533e7c7d102ca5 Mon Sep 17 00:00:00 2001 From: Alexander Ulyanov Date: Thu, 24 Oct 2024 18:49:12 +0200 Subject: [PATCH 4/4] update readme --- tools/cli/commands/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tools/cli/commands/README.md b/tools/cli/commands/README.md index 2e2a39ad..8682bfc8 100644 --- a/tools/cli/commands/README.md +++ b/tools/cli/commands/README.md @@ -46,6 +46,7 @@ for checkpointing, allowing the command to be rerun if necessary. | -gtb, --gitops-template-branch | TEXT | GitOps repository template branch | | -dw, --setup-demo-workload | Flag | Flag to set up a demo workload | | -ops, --optional-services | TEXT | Setup optional services | +| -ra, --image-registry-auth | TEXT | Image registry auth config, JSON | | -f, --config-file | FILENAME | File to load setup parameters from | | --verbosity | [DEBUG, INFO, WARNING, ERROR, CRITICAL] | Logging verbosity level, defaults to CRITICAL | @@ -95,6 +96,13 @@ git-provider: github git-org: acmeinc git-access-token: ghp_xxx gitops-repo-name: gitops-repo-name +optional-services: + - keda + - vpa +image-registry-auth: + docker.io: + name: user + token: token ``` ### Troubleshooting