glaciation-heu · matthewrossi · Nov 28, 2024 · Nov 28, 2024 · Nov 28, 2024 · Nov 28, 2024
@@ -6,14 +6,13 @@ metadata:
   finalizers:
   - resources-finalizer.argocd.argoproj.io
   annotations:
-    argocd.argoproj.io/hook: Sync
-    argocd.argoproj.io/sync-wave: "-2"
+    argocd.argoproj.io/sync-wave: "-7"
 spec:
   project: default
   sources:
   - repoURL: https://glaciation-heu.github.io/data-sanitization-service
     chart: data-sanitization
-    targetRevision: 0.2.2
+    targetRevision: 0.2.4
     helm:
       valuesObject:
         secret:

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - spark-operator.yaml
-  - spark-history-server.yaml
+  - ./manual/data-sanitization-smoke-tests.yaml
   - data-sanitization-service.yaml
+  - spark-history-server.yaml
+  - spark-operator.yaml
@@ -4,16 +4,15 @@ metadata:
   name: spark-history-server
   namespace: argocd
   annotations:
-    argocd.argoproj.io/hook: Sync
-    argocd.argoproj.io/sync-wave: "-3"
+    argocd.argoproj.io/sync-wave: "-7"
   finalizers:
   - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
   sources:
   - repoURL: https://glaciation-heu.github.io/spark-history-server
     chart: spark-history-server
-    targetRevision: 1.0.3
+    targetRevision: 1.0.4
     helm:
       valuesObject:
         secret:

@@ -5,17 +5,15 @@ metadata:
   labels:
     create-ca-bundle: "true"
   annotations:
-    argocd.argoproj.io/hook: PreSync
-    argocd.argoproj.io/sync-wave: "-3"
+    argocd.argoproj.io/sync-wave: "-8"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: spark-operator
   namespace: argocd
   annotations:
-    argocd.argoproj.io/hook: Sync
-    argocd.argoproj.io/sync-wave: "-3"
+    argocd.argoproj.io/sync-wave: "-8"
   finalizers:
   - resources-finalizer.argocd.argoproj.io
 spec:

@@ -4,9 +4,8 @@ metadata:
   name: minio
   namespace: argocd
   annotations:
-    # argocd.argoproj.io/hook: Sync
     argocd.argoproj.io/compare-options: ServerSideDiff=true
-    argocd.argoproj.io/sync-wave: "-30"
+    argocd.argoproj.io/sync-wave: "-10"
   finalizers:
   - resources-finalizer.argocd.argoproj.io
 spec:

@@ -4,8 +4,7 @@ metadata:
   name: cert-manager
   namespace: argocd
   annotations:
-    # argocd.argoproj.io/hook: Sync
-    argocd.argoproj.io/sync-wave: "-30"
+    argocd.argoproj.io/sync-wave: "-25"
   finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:

@@ -6,7 +6,6 @@ metadata:
   finalizers:
    - resources-finalizer.argocd.argoproj.io
   annotations:
-    # argocd.argoproj.io/hook: Sync
     argocd.argoproj.io/sync-wave: "-30"
 spec:
   project: default

@@ -4,7 +4,6 @@ metadata:
   name: gatekeeper
   namespace: argocd
   annotations:
-    # argocd.argoproj.io/hook: Sync
     argocd.argoproj.io/sync-wave: "-30"
   finalizers:
    - resources-finalizer.argocd.argoproj.io

@@ -1,18 +1,17 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./manual/vault-extras.yaml
-  - ./manual/setup-ca-and-bundle.yaml
+  - ./manual/gatekeeper-smoke-tests.yaml
   - ./manual/minio-sse-smoke-tests.yaml
+  - ./manual/set-default-resource-requests-and-limits.yaml
+  - ./manual/setup-ca-and-bundle.yaml
+  - ./manual/validate-resource-requests-and-limits.yaml
+  - ./manual/vault-certificate.yaml
   - ./manual/vault-init.yaml
-  - ./manual/gatekeeper-smoke-tests.yaml
-  # - ./manual/set-default-resource-requests-and-limits.yaml
-  # - ./manual/gatekeeper-resource-constraint-templates.yaml
-  # - ./manual/gatekeeper-resource-constraints.yaml
   - cert-manager.yaml
+  - gatekeeper-policy-manager.yaml
   - gatekeeper.yaml
+  - minio-tenant.yaml
+  - replicator.yaml
   - trust-manager.yaml
   - vault.yaml
-  - gatekeeper-policy-manager.yaml
-  - replicator.yaml
-  - minio-tenant.yaml
@@ -11,7 +11,7 @@ spec:
     kinds: ["Pod"]
     versions: ["v1"]
   match:
-    namespace:
+    namespaces:
     - cert-manager
     - gatekeeper-system
     - minio-operator
@@ -41,7 +41,7 @@ spec:
     kinds: ["Pod"]
     versions: ["v1"]
   match:
-    namespace:
+    namespaces:
     - cert-manager
     - gatekeeper-system
     - minio-operator
@@ -71,7 +71,7 @@ spec:
     kinds: ["Pod"]
     versions: ["v1"]
   match:
-    namespace:
+    namespaces:
     - cert-manager
     - gatekeeper-system
     - minio-operator
@@ -101,7 +101,7 @@ spec:
     kinds: ["Pod"]
     versions: ["v1"]
   match:
-    namespace:
+    namespaces:
     - cert-manager
     - gatekeeper-system
     - minio-operator
@@ -131,7 +131,7 @@ spec:
     kinds: ["Pod"]
     versions: ["v1"]
   match:
-    namespace:
+    namespaces:
     - cert-manager
     - gatekeeper-system
     - minio-operator
@@ -161,7 +161,7 @@ spec:
     kinds: ["Pod"]
     versions: ["v1"]
   match:
-    namespace:
+    namespaces:
     - cert-manager
     - gatekeeper-system
     - minio-operator
@@ -191,7 +191,7 @@ spec:
     kinds: ["Pod"]
     versions: ["v1"]
   match:
-    namespace:
+    namespaces:
     - cert-manager
     - gatekeeper-system
     - minio-operator
@@ -221,7 +221,7 @@ spec:
     kinds: ["Pod"]
     versions: ["v1"]
   match:
-    namespace:
+    namespaces:
     - cert-manager
     - gatekeeper-system
     - minio-operator

@@ -4,7 +4,6 @@ kind: ClusterIssuer
 metadata:
   name: selfsigned-issuer
   annotations:
-    # argocd.argoproj.io/hook: Sync  
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
     argocd.argoproj.io/sync-wave: "-25"
 spec:
@@ -16,7 +15,6 @@ metadata:
   name: my-selfsigned-ca
   namespace: cert-manager
   annotations:
-    # argocd.argoproj.io/hook: Sync
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
     argocd.argoproj.io/sync-wave: "-25"
 spec:
@@ -36,7 +34,6 @@ kind: ClusterIssuer
 metadata:
   name: private-ca-issuer
   annotations:
-    # argocd.argoproj.io/hook: Sync
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
     argocd.argoproj.io/sync-wave: "-25"
 spec:
@@ -50,7 +47,6 @@ kind: Bundle
 metadata:
   name: ca-bundle
   annotations:
-    # argocd.argoproj.io/hook: Sync
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
     argocd.argoproj.io/sync-wave: "-25"
 spec:

@@ -1,12 +1,10 @@
----
 apiVersion: templates.gatekeeper.sh/v1
 kind: ConstraintTemplate
 metadata:
   name: k8scontainerrequests
   annotations:
-    # argocd.argoproj.io/hook: Sync
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/sync-wave: "-20"
+    argocd.argoproj.io/sync-wave: "-30"
     metadata.gatekeeper.sh/title: "Container Requests"
     metadata.gatekeeper.sh/version: 1.0.1
     description: >-
@@ -273,7 +271,7 @@ metadata:
   name: k8scontainerlimits
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/sync-wave: "-20"
+    argocd.argoproj.io/sync-wave: "-30"
     metadata.gatekeeper.sh/title: "Container Limits"
     metadata.gatekeeper.sh/version: 1.0.1
     description: >-
@@ -533,3 +531,53 @@ spec:
               prefix := trim_suffix(exemption, "*")
               startswith(img, prefix)
           }
+---
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sContainerRequests
+metadata:
+  name: container-must-have-requests
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: "-30"
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+    namespaces:
+    - cert-manager
+    - gatekeeper-system
+    - minio-operator
+    - minio-tenant
+    - replicator
+    - spark-app
+    - spark-operator
+    - vault
+  parameters:
+    cpu: "1"
+    memory: "4Gi"
+---
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sContainerLimits
+metadata:
+  name: container-must-have-limits
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: "-30"
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+    namespaces:
+    - cert-manager
+    - gatekeeper-system
+    - minio-operator
+    - minio-tenant
+    - replicator
+    - spark-app
+    - spark-operator
+    - vault
+  parameters:
+    cpu: "2"
+    memory: "8Gi"
@@ -1,13 +1,11 @@
----
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: vault-certificate
   namespace: vault
   annotations:    
-    # argocd.argoproj.io/hook: Sync
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/sync-wave: "-25"
+    argocd.argoproj.io/sync-wave: "-24"
 spec:
   secretName: vault-tls
   issuerRef:

@@ -4,8 +4,7 @@ metadata:
   name: init-vault-cluster
   namespace: vault
   annotations:
-    argocd.argoproj.io/hook: Sync
-    argocd.argoproj.io/sync-wave: "-20"
+    argocd.argoproj.io/sync-wave: "-9"
 spec:
   template:
     spec:
@@ -35,6 +34,9 @@ spec:
           echo '[*] Initialize HA Vault cluster'
           # Wait for the startup of the Vault pods
           sleep 30 # it does the job without requiring to create an ad hoc image
+          if vault operator init -address=https://vault-0.vault-internal:8200 -status; then
+            exit 0
+          fi
           # TODO: Persist PGP encrypted Vault unseal keys somewhere outside the cluster
           vault operator init \
             -address=https://vault-0.vault-internal:8200 \