From 5053f5e9ea154472cc62fac12654fe505dff60db Mon Sep 17 00:00:00 2001
From: Dan Manners
Date: Fri, 10 Nov 2023 09:55:52 -0600
Subject: [PATCH] Adding Reflector and KubeClarity
---
 manifests/workloads/applicationset-helm.yaml | 36 +++++++++++++
 .../kubeclarity/ingress-basicAuth.yaml | 7 +++
 .../workloads/kubeclarity/kustomization.yaml | 2 +
 .../workloads/kubeclarity/postgresSecret.yaml | 15 ++++++
 manifests/workloads/kubeclarity/values.yaml | 50 ++++++------------
 manifests/workloads/kustomization.yaml | 1 +
 manifests/workloads/reflector/values.yaml | 0
 7 files changed, 75 insertions(+), 36 deletions(-)
 create mode 100644 manifests/workloads/applicationset-helm.yaml
 create mode 100644 manifests/workloads/kubeclarity/ingress-basicAuth.yaml
 create mode 100644 manifests/workloads/kubeclarity/postgresSecret.yaml
 create mode 100644 manifests/workloads/reflector/values.yaml
diff --git a/manifests/workloads/applicationset-helm.yaml b/manifests/workloads/applicationset-helm.yaml
new file mode 100644
index 00000000..7fc58b5d
--- /dev/null
+++ b/manifests/workloads/applicationset-helm.yaml
@@ -0,0 +1,36 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: helm-workloads
+spec:
+ generators:
+ - list:
+ elements:
+ - namespace: kube-system
+ helmRepo: emberstack.github.io/helm-charts
+ appName: reflector
+ helmTargetRev: 7.1.216
+ valueBranch: main
+ template:
+ metadata:
+ name: '{{appName}}'
+ spec:
+ project: default
+ sources:
+ - repoURL: https://github.com/danmanners/homelab-kube-cluster.git
+ targetRevision: '{{targetRev}}'
+ ref: values
+ - repoUrl: '{{ helmRepo }}'
+ chart: '{{ appName }}'
+ targetRevision: '{{ helmTargetRev }}'
+ helm:
+ valueFiles:
+ - '$values/manifests/workloads/{{ appName }}/values.yaml'
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: '{{namespace}}'
+ syncPolicy:
+ automated:
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
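Review bot: The first source in the template uses `targetRevision: '{{targetRev}}'`, but the list generator only defines `valueBranch: main`, so that parameter renders empty and the values repo is not pinned to the branch the author intended; it should read `targetRevision: '{{valueBranch}}'`. The second source spells the field `repoUrl` while the first source (and the Argo CD Application schema) use `repoURL`, so the chart source is likely to be rejected or silently ignored — `- repoURL: '{{ helmRepo }}'`. The generator's `helmRepo` value carries no scheme; if Argo CD needs a full URL to resolve the Helm repository, use `helmRepo: https://emberstack.github.io/helm-charts`. Because `prune: true` is combined with `project: default`, a mistake in any of these fields can delete or redirect workloads, so a dedicated AppProject restricting source repos and destination namespaces would be the least-privilege choice.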
diff --git a/manifests/workloads/kubeclarity/ingress-basicAuth.yaml b/manifests/workloads/kubeclarity/ingress-basicAuth.yaml new file mode 100644 index 00000000..042289be --- /dev/null +++ b/manifests/workloads/kubeclarity/ingress-basicAuth.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: basic-auth +type: Opaque +stringData: + auth: dan:$apr1$QHLOMISK$KVnciXqcww8PDTflRKtTZ1 diff --git a/manifests/workloads/kubeclarity/kustomization.yaml b/manifests/workloads/kubeclarity/kustomization.yaml index 3713a82e..69a4e94e 100644 --- a/manifests/workloads/kubeclarity/kustomization.yaml +++ b/manifests/workloads/kubeclarity/kustomization.yaml @@ -4,3 +4,5 @@ namespace: kubeclarity resources: - external-dns.yaml +- postgresSecret.yaml +- ingress-basicAuth.yaml diff --git a/manifests/workloads/kubeclarity/postgresSecret.yaml b/manifests/workloads/kubeclarity/postgresSecret.yaml new file mode 100644 index 00000000..a6cedea4 --- /dev/null +++ b/manifests/workloads/kubeclarity/postgresSecret.yaml @@ -0,0 +1,15 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: kubeclarity-postgresql-external + namespace: kubeclarity +spec: + encryptedData: + secretKey: 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 + template: + metadata: + creationTimestamp: null + name: kubeclarity-postgresql-external + namespace: kubeclarity + type: Opaque diff --git a/manifests/workloads/kubeclarity/values.yaml b/manifests/workloads/kubeclarity/values.yaml index 9987212f..581cfe21 100644 --- a/manifests/workloads/kubeclarity/values.yaml +++ b/manifests/workloads/kubeclarity/values.yaml 
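Review bot: `ingress-basicAuth.yaml` commits a plain `Secret` whose `auth` value is an htpasswd entry (`dan:$apr1$...`) directly into the repository, while the PostgreSQL credential in the same commit is wrapped in a `SealedSecret`; the basic-auth hash deserves the same treatment. The `$apr1$` format is MD5-crypt, which is cheap to brute-force offline once the hash is public, so the password should be rotated now that it has been pushed and re-hashed with bcrypt (`htpasswd -B`) if the ingress-nginx build accepts it. Note also that `metadata` has no `namespace`; it relies on the kustomization's `namespace: kubeclarity` to land next to the Ingress that references `basic-auth`.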
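Review bot: The `SealedSecret` unseals to a Secret named `kubeclarity-postgresql-external`, but the chart values in this commit keep `auth.existingSecret: kubeclarity-postgresql-secret` and set `create: false`, so if the chart reads the database password from `existingSecret` it will look up a Secret that nothing creates. Either rename this object to `name: kubeclarity-postgresql-secret` in both `metadata` and `spec.template.metadata`, or point `existingSecret` at `kubeclarity-postgresql-external`. As a minor cleanup, the two `creationTimestamp: null` lines are kubeseal output noise and can be dropped.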
@@ -35,21 +35,18 @@ kubeclarity: service: type: ClusterIP port: 8080 - annotations: {} ingress: - # Be careful when using ingress. As there is no authentication on Kubeclarity yet, your instance may be accessible. - # Make sure the ingress remains internal if you decide to enable it. enabled: true - labels: {} - annotations: {} - - # Optionally use ingressClassName instead of deprecated annotation. - # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation ingressClassName: "nginx" + labels: {} + annotations: + cert-manager.io/cluster-issuer: acme-prod + nginx.ingress.kubernetes.io/auth-type: basic + nginx.ingress.kubernetes.io/auth-secret: basic-auth + nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required' hosts: - # hostname you want to use - host: kubeclarity.homelab.danmanners.com tls: @@ -57,9 +54,6 @@ kubeclarity: hosts: - kubeclarity.homelab.danmanners.com - ## In case of postgres refresh interval of refreshing materialized views in seconds - # dbViewRefreshInterval: 5 - resources: requests: memory: "200Mi" @@ -77,14 +71,6 @@ kubeclarity: memory: "200Mi" cpu: "200m" - ## Overrides global.affinity - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - # affinity: {} - - ## Overrides global.nodeSelector - # nodeSelector: - # key1: value1 - ## End of KubeClarity Values ####################################################################################### @@ -270,7 +256,10 @@ kubeclarity-trivy-server: ## By default disable requirement for persistent storage persistence: - enabled: false + enabled: true + storageClass: ceph-rbd + accessMode: ReadWriteOnce + size: 5Gi podSecurityContext: runAsUser: 1001 
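Review bot: The new basic-auth annotations only protect the UI if the browser never sends the `Authorization` header over plain HTTP; ingress-nginx redirects to HTTPS by default when a `tls` block is present, but that is a controller-wide default that can be switched off, so pin it on this Ingress with `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"`. The `auth-secret: basic-auth` reference is a bare name, which ingress-nginx resolves in the Ingress's own namespace, so it works here only because the kustomization places the Secret in `kubeclarity`. Since the chart's warning that KubeClarity has no built-in authentication was deleted in this hunk, a short comment above `annotations:` would help the next reader: `# KubeClarity has no auth of its own; the ingress basic auth (secret basic-auth) is the only access control.`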
@@ -302,17 +291,10 @@ kubeclarity-trivy-server: ## KubeClarity SBOM DB Values kubeclarity-sbom-db: - ## Docker Image values. - docker: - ## Use to overwrite the global docker params - ## - imageName: "" - ## Logging level (debug, info, warning, error, fatal, panic). logLevel: warning servicePort: 8080 - resources: requests: memory: "20Mi" @@ -340,20 +322,16 @@ kubeclarity-postgresql: # Use kubeclarity-postgresql-external if you want to reach an already existing PostgreSQL instance kubeclarity-postgresql-external: - enabled: false + enabled: true auth: existingSecret: kubeclarity-postgresql-secret username: kubeclarity - host: pgsql.hostname # replace this to reach your PostgreSQL instance + host: primary-rw.postgres.svc.cluster.local # replace this to reach your PostgreSQL instance port: 5432 database: kubeclarity sslMode: disable # PostgreSQL connection information kubeclarity-postgresql-secret: - # Set create to true if you want this helm chart to create a secret holding pgsql password - # based on global.databasePassword value - # If create is set to false, a secret should already exist which has PostgreSQL - # password under secretKey key - create: true - secretKey: "postgres-password" + create: false + secretKey: "secretKey" diff --git a/manifests/workloads/kustomization.yaml b/manifests/workloads/kustomization.yaml index 7b378198..6dc30331 100644 --- a/manifests/workloads/kustomization.yaml +++ b/manifests/workloads/kustomization.yaml @@ -4,3 +4,4 @@ namespace: argocd resources: - applicationset.yaml +- applicationset-helm.yaml diff --git a/manifests/workloads/reflector/values.yaml b/manifests/workloads/reflector/values.yaml new file mode 100644 index 00000000..e69de29b
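Review bot: `sslMode: disable` now governs a real connection to `primary-rw.postgres.svc.cluster.local`, so the `kubeclarity` password and all scan data cross the cluster network in cleartext; the `primary-rw` naming suggests a CloudNativePG cluster, which serves TLS by default, so prefer `sslMode: require` (or `verify-full` with the cluster CA mounted). The unchanged `existingSecret: kubeclarity-postgresql-secret` line does not match the sealed secret added in this commit, which is named `kubeclarity-postgresql-external`; confirm which name the chart actually reads, because `create: false` means nothing else will provision it. The `# replace this to reach your PostgreSQL instance` comment is now stale and can be removed.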