├── components ├── openshift-pipeline-as-code-repo-config │ ├── values.yaml │ └── Chart.yaml ├── gitops-bootstrap-policy │ ├── manifests │ │ ├── gitops-bootstrap │ │ │ └── base │ │ │ │ └── kustomization.yaml │ │ ├── gitops-subscription │ │ │ └── base │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── namespace.yaml │ │ │ │ ├── subscription.yaml │ │ │ │ └── cluster-rolebinding.yaml │ │ └── gitops-instance │ │ │ └── base │ │ │ ├── kustomization.yaml │ │ │ ├── setenv-cmp-plugin-configmap.yaml │ │ │ └── environment-variables-configmap.yaml │ ├── managedclustersetbinding.yaml │ ├── kustomization.yaml │ └── placement.yaml ├── external-secrets-chart │ ├── namespace.yaml │ ├── kustomization.yaml │ └── cluster-secret-store.yaml ├── openshift-nmstate-config │ ├── nmstate.yaml │ └── kustomization.yaml ├── argocd-rollout │ ├── rollout-manager.yaml │ └── kustomization.yaml ├── cluster-rbac-config │ ├── kustomization.yaml │ └── crb.yaml ├── lvm-storage │ ├── kustomization.yaml │ └── lvm-cluster.yaml ├── aap-config │ ├── kustomization.yaml │ └── externalsecret.yaml ├── acm-config │ ├── kustomization.yaml │ └── multi-cluster-hub.yaml ├── ldap-sync-config │ ├── service-account.yaml │ ├── namespace.yaml │ ├── cluster-role.yaml │ ├── cluster-role-binding.yaml │ ├── kustomization.yaml │ ├── externalsecret.yaml │ └── ldap-sync.yaml ├── root-application │ └── kustomization.yaml ├── kubernetes-imagepuller-config │ ├── kustomization.yaml │ └── image-puller.yaml ├── virtualization-config │ ├── kustomization.yaml │ └── hyper-converged.yaml ├── log-forwarder-config │ ├── service-account.yaml │ ├── kustomization.yaml │ ├── crb.yaml │ └── cluster-log-forwarder.yaml ├── openshift-pipelines-operator │ ├── kustomization.yaml │ └── subscription.yaml ├── web-terminal-config │ ├── kustomization.yaml │ └── dev-workspace-template.yaml ├── agent-service-config │ ├── config-map.yaml │ ├── kustomization.yaml │ ├── provisioning.yaml │ └── agent-service-config.yaml ├── metallb-hcp-config │ ├── l2advertisement.yaml 
│ ├── kustomization.yaml │ ├── ipaddress-pool.yaml │ └── service.yaml ├── reflector │ ├── namespace.yaml │ ├── rbac.yaml │ └── kustomization.yaml ├── vault-chart │ ├── kustomization.yaml │ ├── namespace.yaml │ └── rolebinding.yaml ├── vault-config │ ├── namespace.yaml │ ├── kustomization.yaml │ ├── secret-engine-mount.yaml │ ├── external-secret.yaml │ └── external-secret-store.yaml ├── acm-policies-config │ ├── nodeport-policies │ │ ├── kustomization.yaml │ │ └── policy-generator.yaml │ ├── sops-auth-policy │ │ ├── kustomization.yaml │ │ ├── policy-generator.yaml │ │ └── configuration-policy.yaml │ ├── secured-cluster-policy │ │ ├── kustomization.yaml │ │ ├── placement-rule.yaml │ │ └── policy-generator.yaml │ ├── argocd-notification-annotation-policy │ │ ├── kustomization.yaml │ │ ├── policy-generator.yaml │ │ └── configuration-policy.yaml │ ├── configmap-copy-policy │ │ ├── kustomization.yaml │ │ ├── policy-generator.yaml │ │ ├── config-map.yaml │ │ └── configuration-policy.yaml │ └── governance-standalone-hub-templating-addon │ │ └── managed-cluster-addon.yaml ├── cloudflared │ ├── namespace.yaml │ ├── kustomization.yaml │ └── external-secret.yaml ├── metallb-config │ ├── kustomization.yaml │ └── metallb.yaml ├── reloader-chart │ ├── namespace.yaml │ └── kustomization.yaml ├── virtualization-storageprofile-config │ ├── kustomization.yaml │ └── storage-profile.yaml ├── cert-manager-application │ ├── kustomization.yaml │ ├── openshift-api │ │ ├── kustomization.yaml │ │ ├── openshift-api-certificate.yaml │ │ └── api-server.yaml │ └── openshift-wildcard │ │ ├── kustomization.yaml │ │ ├── openshift-wildcard-certificate.yaml │ │ └── ingress-controller.yaml ├── image-registry-config │ ├── kustomization.yaml │ ├── config.yaml │ └── externalsecret.yaml ├── kubechecks-chart │ ├── namespace.yaml │ ├── rolebinding.yaml │ ├── kustomization.yaml │ └── externalsecret.yaml ├── rhdh-operator │ ├── operator.yaml │ ├── kustomization.yaml │ ├── namespace.yaml │ └── 
subscription.yaml ├── argocd-webhook │ ├── kustomization.yaml │ └── externalsecrets.yaml ├── crossplane-chart │ └── namespace.yaml ├── kyverno-policy-config │ ├── namespace.yaml │ └── namespace-config-vault-access │ │ └── kustomization.yaml ├── metallb-operator │ ├── namespace.yaml │ └── kustomization.yaml ├── onepassword-connect-chart │ ├── secret-generator.yaml │ ├── kustomization.yaml │ ├── rb.yaml │ └── service.yaml ├── synology-csi-chart │ ├── namespace.yaml │ ├── volume-snapshot-class.yaml │ ├── storage-class.yaml │ ├── synology-csi-scc.yaml │ ├── externalsecret.yaml │ └── kustomization.yaml ├── aap-operator │ ├── operator.yaml │ ├── kustomization.yaml │ ├── namespace.yaml │ └── subscription.yaml ├── apache-devlake-chart │ ├── namespace.yaml │ ├── external-secret-regred.yaml │ └── ingress.yaml ├── devspaces-config │ ├── namespace.yaml │ ├── kustomization.yaml │ ├── configmap.yaml │ └── external-secret.yaml ├── devspaces-operator │ ├── kustomization.yaml │ └── subscription.yaml ├── kyverno-chart │ ├── kustomization.yaml │ ├── namespace.yaml │ └── rbac.yaml ├── openshift-nmstate │ ├── namespace.yaml │ └── kustomization.yaml ├── metallb-l2-config │ ├── l2advertisement.yaml │ ├── ipaddress-pool.yaml │ └── kustomization.yaml ├── acm-operator │ ├── kustomization.yaml │ ├── operator.yaml │ ├── namespace.yaml │ └── subscription.yaml ├── lvm-operator │ ├── kustomization.yaml │ ├── operator-group.yaml │ ├── namespace.yaml │ └── subscription.yaml ├── patch-operator │ ├── operator.yaml │ ├── namespace.yaml │ ├── kustomization.yaml │ ├── rbac.yaml │ └── subscription.yaml ├── external-secrets-operator │ ├── operator-group.yaml │ ├── kustomization.yaml │ ├── namespace.yaml │ └── subscription.yaml ├── keycloak-operator │ ├── kustomization.yaml │ ├── operator.yaml │ ├── namespace.yaml │ └── subscription.yaml ├── vault-config-operator │ ├── operator-group.yaml │ ├── kustomization.yaml │ ├── namespace.yaml │ └── subscription.yaml ├── acm-placement │ ├── kustomization.yaml │ ├── 
clustersetbinding.yaml │ ├── gitops-cluster.yaml │ └── placement.yaml ├── csvwatchdog-operator │ └── kustomization.yaml ├── openshift-gitops-operator │ ├── kustomization.yaml │ ├── operator-group.yaml │ ├── namespace.yaml │ └── subscription.yaml ├── virtualization-operator │ ├── kustomization.yaml │ ├── operator-group.yaml │ ├── namespace.yaml │ └── subscription.yaml ├── acm-policies │ ├── kustomization.yaml │ ├── namespace.yaml │ └── service-account.yaml ├── crossplane-compositions │ └── azure │ │ └── storage │ │ └── kustomization.yaml ├── sonarqube │ ├── namespace.yaml │ ├── pvc.yaml │ ├── kustomization.yaml │ ├── pgsql-cluster.yaml │ ├── service.yaml │ └── ingress.yaml ├── argocd-events-config │ ├── kustomization.yaml │ ├── event-bus.yaml │ └── event-source.yaml ├── argocd-notifications │ ├── kustomization.yaml │ └── externalsecrets.yaml ├── cloudnative-pg-operator │ ├── namespace.yaml │ └── kustomization.yaml ├── acs-central-configuration │ ├── namespace.yaml │ ├── central-default-tls-cert.yaml │ ├── kustomization.yaml │ ├── secured-cluster.yaml │ ├── central.yaml │ └── create-cluster-init-bundle-sa.yaml ├── acs-secured-configuration │ ├── namespace.yaml │ ├── kustomization.yaml │ └── secured-cluster.yaml ├── developer-hub-config │ ├── rbac-policies.csv │ ├── dynamic-plugin-pvc.yaml │ ├── namespace.yaml │ ├── rbac-conditional-policies.yaml │ ├── externalsecret-pullsecret.yaml │ ├── config │ │ └── home-page.json │ ├── rolebindings.yaml │ ├── aap-tools-deployment.yaml │ ├── backstage.yaml │ ├── externalsecret-devhub-read.yaml │ └── kustomization.yaml ├── external-secrets-config │ ├── kustomization.yaml │ ├── default-operatorconfig.yaml │ └── vault-cluster-secret-store.yaml ├── oauth-config │ ├── kustomization.yaml │ ├── externalsecret.yaml │ └── oauth.yaml ├── openshift-pipelines-application │ ├── kustomization.yaml │ └── external-secret.yaml ├── keycloak-config │ ├── kustomization.yaml │ ├── keycloak-tls-cert.yaml │ ├── devhub-realm.yaml │ ├── keycloak.yaml │ 
└── externalsecret.yaml ├── opendora-chart │ ├── kustomization.yaml │ ├── service-account.yaml │ ├── service.yaml │ └── ingress.yaml ├── tekton-dashboard │ ├── kustomization.yaml │ ├── ingress.yaml │ └── crb.yaml ├── cert-manager-config │ ├── kustomization.yaml │ ├── certmanager.yaml │ ├── externalsecret.yaml │ ├── prod-cluster-issuer.yaml │ └── staging-cluster-issuer.yaml ├── openshift-gitops-config │ ├── kustomization.yaml │ ├── plugin-configmap.yaml │ ├── cluster-rolebinding.yaml │ └── setenv-cmp-plugin.yaml ├── acs-operator │ ├── namespace.yaml │ └── kustomization.yaml ├── argocd-events │ └── kustomization.yaml ├── cert-manager-operator │ ├── namespace.yaml │ └── kustomization.yaml ├── argocd-workflows │ ├── cluster-rolebinding.yaml │ ├── route.yaml │ ├── service-account.yaml │ └── externalsecret.yaml ├── argocd-image-updater │ └── kustomization.yaml ├── alertmanager-config │ ├── kustomization.yaml │ ├── externalsecret.yaml │ └── values.yaml ├── openshift-pipelines-config │ ├── kustomization.yaml │ ├── tekton-config.yaml │ ├── pac-externalsecret.yaml │ └── task-replace-string.yaml ├── argocd-chart │ └── kustomization.yaml ├── web-terminal-operator │ └── kustomization.yaml ├── volsync-operator │ └── kustomization.yaml ├── openshift-logging-operator │ └── kustomization.yaml └── kubernetes-imagepuller-operator │ └── kustomization.yaml ├── .gitattributes ├── .github ├── linters │ ├── .prettierrc.yaml │ ├── .prettierignore │ ├── .yamllint.yaml │ └── .markdownlint.yaml └── CODEOWNERS ├── helm └── charts │ ├── cluster-registration │ ├── values.yaml │ ├── templates │ │ ├── managed-cluster.yaml │ │ ├── gitops-operator-manifest-work.yaml │ │ └── klusterlet-config.yaml │ └── .helmignore │ ├── hcp-cluster-deployment │ ├── templates │ │ ├── namespace.yaml │ │ ├── secret-sshkey.yaml │ │ ├── managed-cluster.yaml │ │ ├── certificate.yaml │ │ ├── klusterlet-addon-config.yaml │ │ ├── node-pool.yaml │ │ └── externalsecret.yaml │ ├── values.yaml │ └── .helmignore │ ├── 
tenants-iac-gitops │ ├── values.yaml │ └── .helmignore │ ├── argocd-app-of-app │ ├── values.yaml │ ├── README.md │ └── Chart.yaml │ ├── pac-repository │ ├── values.yaml │ ├── templates │ │ ├── namespace.yaml │ │ ├── repository.yaml │ │ └── role-binding.yaml │ └── .helmignore │ ├── infra-env │ ├── templates │ │ ├── namespace.yaml │ │ ├── role.yaml │ │ ├── externalsecret.yaml │ │ └── infraenv.yaml │ ├── .helmignore │ └── values.yaml │ ├── cluster-deployment │ ├── templates │ │ ├── namespace.yaml │ │ ├── externalsecret.yaml │ │ ├── patches-rbac.yaml │ │ └── cluster-deployment.yaml │ ├── .helmignore │ └── values.yaml │ └── create-cluster │ ├── templates │ ├── namespace.yaml │ ├── managed-cluster.yaml │ ├── klusterlet-addon.yaml │ ├── machine-pool.yaml │ ├── external-secret-vsphere-certs.yaml │ ├── externalsecret-pullsecret.yaml │ ├── external-secret-vsphere-sshkey.yaml │ └── external-secret-vsphere-creds.yaml │ ├── values.yaml │ └── .helmignore ├── apps └── virt-vm │ ├── namespace.yaml │ ├── kustomization.yaml │ ├── svc.yaml │ └── secret.yaml ├── .sops.yaml ├── clusters ├── proxmox │ ├── image-registry.yaml │ ├── reflector.yaml │ ├── cloudflared.yaml │ ├── alertmanager.yaml │ ├── cloudnative-pg.yaml │ ├── onepassword-connect.yaml │ ├── reloader.yaml │ ├── devspaces.yaml │ ├── acs.yaml │ ├── developer-hub.yaml │ ├── synology-csi.yaml │ ├── logging.yaml │ ├── external-secrets.yaml │ ├── volsync.yaml │ ├── lvm.yaml │ ├── virtualization.yaml │ ├── oauth.yaml │ ├── web-terminal.yaml │ ├── nmstate.yaml │ ├── kubernetes-imagepuller.yaml │ └── cert-manager.yaml └── vsphere │ ├── reflector.yaml │ ├── cloudflared.yaml │ ├── alertmanager.yaml │ ├── onepassword-connect.yaml │ ├── reloader.yaml │ ├── keycloak.yaml │ ├── rhdh.yaml │ ├── external-secrets.yaml │ ├── web-terminal.yaml │ ├── oauth.yaml │ ├── cert-manager.yaml │ └── overlays │ └── vsphere1-cluster-config │ └── kustomization.yaml ├── Taskfile.yml ├── groups ├── all │ └── kustomization.yaml └── dev │ ├── kustomization.yaml 
│ └── values.yaml ├── .bootstrap └── openshift │ ├── setup.sh │ └── kustomization.yaml ├── .taskfiles └── volsync │ └── resources │ ├── scripts │ ├── wait-for-job.sh │ └── which-controller.sh │ └── templates │ ├── list.yaml.j2 │ ├── unlock.yaml.j2 │ └── replicationdestination.yaml.j2 ├── devfile.yaml ├── .gitignore ├── code-workspace ├── .yamllint.yaml └── .pre-commit-config.yaml
/components/openshift-pipeline-as-code-repo-config/values.yaml:
--------------------------------------------------------------------------------
1 | repositories: []
2 |
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | * text=auto eol=lf
2 | *.sops.* diff=sopsdiffer
3 | *.sops.toml linguist-language=JSON
4 |
--------------------------------------------------------------------------------
/.github/linters/.prettierrc.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | trailingComma: "es5"
3 | tabWidth: 2
4 | semi: false
5 | singleQuote: false
6 |
--------------------------------------------------------------------------------
/components/gitops-bootstrap-policy/manifests/gitops-bootstrap/base/kustomization.yaml:
--------------------------------------------------------------------------------
1 | resources:
2 |   - bootstrap-app.yaml # NOTE(review): not present in the tree listing at the top of this page; if it is generated or deliberately untracked, document that here, otherwise `kustomize build` fails on a clean checkout.
3 |
--------------------------------------------------------------------------------
/.github/CODEOWNERS:
--------------------------------------------------------------------------------
1 | # https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
2 | * @vikaspogu
3 |
--------------------------------------------------------------------------------
/components/external-secrets-chart/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: external-secrets # NOTE(review): external-secrets-operator/namespace.yaml (contents not shown) very likely declares this same Namespace; two Argo CD apps owning one Namespace produce shared-resource warnings and a prune in either can delete it — keep a single owner.
6 |
--------------------------------------------------------------------------------
/components/openshift-nmstate-config/nmstate.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: nmstate.io/v1
3 | kind: NMState
4 | metadata:
5 |   name: nmstate
6 |
--------------------------------------------------------------------------------
/helm/charts/cluster-registration/values.yaml:
--------------------------------------------------------------------------------
1 | clusterSet: default
2 | repoURL: https://github.com/vikaspogu/openshift-multicluster.git # NOTE(review): every registered cluster bootstraps from this public repo; branch protection plus CODEOWNERS are the effective supply-chain control for everything under it.
3 |
--------------------------------------------------------------------------------
/components/argocd-rollout/rollout-manager.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: argoproj.io/v1alpha1
2 | kind: RolloutManager
3 | metadata:
4 |   name: argo-rollout
5 | spec: {}
6 |
--------------------------------------------------------------------------------
/components/cluster-rbac-config/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./crb.yaml # NOTE(review): a ClusterRoleBinding is cluster-wide; the role it binds (not shown here) sets the blast radius — keep it to the minimum the subject needs rather than cluster-admin.
6 |
--------------------------------------------------------------------------------
/components/lvm-storage/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./lvm-cluster.yaml
6 |
--------------------------------------------------------------------------------
/components/aap-config/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./externalsecret.yaml
6 |
--------------------------------------------------------------------------------
/components/acm-config/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | resources:
6 |   - ./multi-cluster-hub.yaml
7 |
--------------------------------------------------------------------------------
/components/ldap-sync-config/service-account.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | kind: ServiceAccount
3 | apiVersion: v1
4 | metadata:
5 |   name: ldap-group-syncer
6 |   namespace: ldap-sync
7 |
--------------------------------------------------------------------------------
/components/openshift-nmstate-config/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./nmstate.yaml
6 |
--------------------------------------------------------------------------------
/components/root-application/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./root-application.yaml # NOTE(review): not present in the tree listing at the top of this page; if it is generated or deliberately untracked, document that here, otherwise `kustomize build` fails on a clean checkout.
6 |
--------------------------------------------------------------------------------
/components/kubernetes-imagepuller-config/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - image-puller.yaml
--------------------------------------------------------------------------------
/components/virtualization-config/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./hyper-converged.yaml
6 |
--------------------------------------------------------------------------------
/.github/linters/.prettierignore:
--------------------------------------------------------------------------------
1 | *.sops.*
2 | gotk-components.yaml
3 | argocd-apps
4 | xanmanning.k3s
5 | charts/
6 | docs/
7 | .private/
8 | .terraform/
9 | .vscode/
10 |
--------------------------------------------------------------------------------
/apps/virt-vm/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: team-a-vm
6 |   labels:
7 |     argocd.argoproj.io/managed-by: openshift-gitops # NOTE(review): the GitOps operator reacts to this label by granting the cluster-level openshift-gitops Argo CD instance manage rights in this tenant namespace; if team-a is meant to self-serve, a dedicated instance/AppProject would keep tenant and platform permissions separate.
8 |
--------------------------------------------------------------------------------
/components/log-forwarder-config/service-account.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: ServiceAccount
4 | metadata:
5 |   name: logging-admin # NOTE(review): bound cluster-wide by crb.yaml (not shown); a log forwarder only needs the collect-* log roles — confirm the binding is not broader than that despite the "admin" name.
6 |   namespace: openshift-logging
7 |
--------------------------------------------------------------------------------
/components/openshift-pipelines-operator/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./subscription.yaml
6 |
--------------------------------------------------------------------------------
/components/web-terminal-config/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./dev-workspace-template.yaml
6 |
--------------------------------------------------------------------------------
/components/agent-service-config/config-map.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 |   name: assisted-service-config
5 |   namespace: multicluster-engine
6 | data: {}
7 |
--------------------------------------------------------------------------------
/components/gitops-bootstrap-policy/manifests/gitops-subscription/base/kustomization.yaml:
--------------------------------------------------------------------------------
1 | resources:
2 |   - cluster-rolebinding.yaml # NOTE(review): this is pushed to every managed cluster by the policy; if it binds the Argo CD controller SA to cluster-admin (contents not shown), that is the single most powerful grant in this repo — document the intent here.
3 |   - subscription.yaml
4 |   - namespace.yaml
5 |
--------------------------------------------------------------------------------
/components/metallb-hcp-config/l2advertisement.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: metallb.io/v1beta1
3 | kind: L2Advertisement
4 | metadata:
5 |   name: ingress-public-ip # NOTE(review): no spec, so per MetalLB semantics every IPAddressPool in the namespace is advertised, not just the "public ip" one — add spec.ipAddressPools if that is not intended.
6 |   namespace: metallb # NOTE(review): elsewhere in this repo MetalLB lives in metallb-system; MetalLB only reconciles CRs in its own namespace, so confirm the HCP cluster's MetalLB really runs in `metallb` or this advertisement is silently ignored.
7 |
--------------------------------------------------------------------------------
/components/reflector/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: reflector
6 |   labels:
7 |     argocd.argoproj.io/managed-by: openshift-gitops
8 |
--------------------------------------------------------------------------------
/components/vault-chart/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./namespace.yaml
6 |   - ./rolebinding.yaml
7 |
--------------------------------------------------------------------------------
/components/vault-config/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: vault-admin # NOTE(review): components/kyverno-policy-config/namespace.yaml declares the same Namespace; two Argo CD apps owning one resource trigger shared-resource warnings and a prune in either can delete the namespace (and the Vault secret-engine CRs in it) — keep a single owner.
5 |   labels:
6 |     argocd.argoproj.io/managed-by: openshift-gitops
7 |
--------------------------------------------------------------------------------
/components/acm-policies-config/nodeport-policies/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | generators:
5 |   - policy-generator.yaml
6 |
--------------------------------------------------------------------------------
/components/acm-policies-config/sops-auth-policy/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | generators:
5 |   - policy-generator.yaml # NOTE(review): judging by the name, the generated policy delivers SOPS/age decryption material to managed clusters — the key that unlocks every encrypted secret in components/; confirm the source manifest is itself an ExternalSecret or encrypted, never plaintext.
6 |
--------------------------------------------------------------------------------
/components/cloudflared/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: networking
6 |   labels:
7 |     argocd.argoproj.io/managed-by: openshift-gitops
8 |
--------------------------------------------------------------------------------
/components/metallb-config/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | kind: Kustomization
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | namespace: metallb-system
5 | resources:
6 |   - ./metallb.yaml
7 |
--------------------------------------------------------------------------------
/components/reloader-chart/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: reloader
6 |   labels:
7 |     argocd.argoproj.io/managed-by: openshift-gitops
8 |
--------------------------------------------------------------------------------
/components/virtualization-storageprofile-config/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./storage-profile.yaml
6 |
--------------------------------------------------------------------------------
/components/acm-policies-config/secured-cluster-policy/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | generators:
5 |   - policy-generator.yaml
6 |
--------------------------------------------------------------------------------
/components/cert-manager-application/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - openshift-api
6 |   - openshift-wildcard
7 |
--------------------------------------------------------------------------------
/components/image-registry-config/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./externalsecret.yaml
6 |   - ./config.yaml
7 |
--------------------------------------------------------------------------------
/components/kubechecks-chart/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: kubechecks
6 |   labels:
7 |     argocd.argoproj.io/managed-by: openshift-gitops
8 |
--------------------------------------------------------------------------------
/components/rhdh-operator/operator.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: operators.coreos.com/v1
3 | kind: OperatorGroup
4 | metadata:
5 |   name: rhdh-operator
6 |   namespace: rhdh-operator
7 | spec: {} # NOTE(review): an OperatorGroup with neither targetNamespaces nor a selector selects all namespaces (AllNamespaces install mode), so the operator's RBAC is cluster-wide; intentional for this operator, but worth stating.
8 |
--------------------------------------------------------------------------------
/components/argocd-rollout/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | namespace: openshift-gitops
5 | resources:
6 |   - ./rollout-manager.yaml
7 |
--------------------------------------------------------------------------------
/components/argocd-webhook/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | namespace: openshift-gitops
5 | resources:
6 |   - ./externalsecrets.yaml
7 |
--------------------------------------------------------------------------------
/components/crossplane-chart/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: crossplane-system
6 |   labels:
7 |     argocd.argoproj.io/managed-by: openshift-gitops
8 |
--------------------------------------------------------------------------------
/components/kyverno-policy-config/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: vault-admin # NOTE(review): duplicates components/vault-config/namespace.yaml; two Argo CD apps owning one Namespace trigger shared-resource warnings and a prune in either can delete it — this component only needs the namespace to exist, so drop the declaration here and let vault-config own it (sync-wave/ordering permitting).
6 |   labels:
7 |     argocd.argoproj.io/managed-by: openshift-gitops
8 |
--------------------------------------------------------------------------------
/components/metallb-operator/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: metallb-system
6 |   labels:
7 |     argocd.argoproj.io/managed-by: openshift-gitops
8 |
--------------------------------------------------------------------------------
/components/onepassword-connect-chart/secret-generator.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: viaduct.ai/v1
3 | kind: ksops # NOTE(review): ksops decrypts at render time, so the Argo CD repo-server must hold the age private key — that key then unlocks every *.sops.* file in the repo; keep it out of git and scope who can exec into the repo-server.
4 | metadata:
5 |   name: onepassword-connect-secret
6 | files:
7 |   - ./secret.sops.yaml # NOTE(review): matched by .gitattributes/.prettierignore (*.sops.*) and .sops.yaml (components/...); only data/stringData are encrypted, so check the committed file carries a sops metadata block before it lands — a pre-commit hook is the usual guard.
8 |
--------------------------------------------------------------------------------
/components/synology-csi-chart/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: synology-csi
6 |   labels:
7 |     argocd.argoproj.io/managed-by: openshift-gitops
8 |
--------------------------------------------------------------------------------
/components/aap-operator/operator.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: operators.coreos.com/v1
3 | kind: OperatorGroup
4 | metadata:
5 |   name: ansible-automation-platform-operator
6 |   namespace: aap
7 | spec: {} # NOTE(review): empty spec = AllNamespaces install mode; the operator's RBAC is cluster-wide, not limited to `aap`.
8 |
--------------------------------------------------------------------------------
/components/apache-devlake-chart/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: apache-devlake
6 |   labels:
7 |     argocd.argoproj.io/managed-by: openshift-gitops
8 |
--------------------------------------------------------------------------------
/components/devspaces-config/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: openshift-devspaces
6 |   labels:
7 |     argocd.argoproj.io/managed-by: openshift-gitops
8 |
--------------------------------------------------------------------------------
/components/devspaces-operator/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | namespace: openshift-operators
5 | resources:
6 |   - ./subscription.yaml
7 |
--------------------------------------------------------------------------------
/components/gitops-bootstrap-policy/manifests/gitops-instance/base/kustomization.yaml:
--------------------------------------------------------------------------------
1 | resources:
2 |   - setenv-cmp-plugin-configmap.yaml
3 |   - environment-variables-configmap.yaml
4 |   - argocd.yaml # NOTE(review): not present in the tree listing at the top of this page; if it is generated or deliberately untracked, document that here, otherwise `kustomize build` fails on a clean checkout.
5 |
--------------------------------------------------------------------------------
/components/kyverno-chart/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | namespace: kyverno
5 | resources:
6 |   # - ./namespace.yaml
7 |   - rbac.yaml
8 |
--------------------------------------------------------------------------------
/components/openshift-nmstate/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: openshift-nmstate
6 |   labels:
7 |     argocd.argoproj.io/managed-by: openshift-gitops
8 |
--------------------------------------------------------------------------------
/components/acm-policies-config/argocd-notification-annotation-policy/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | generators:
5 |   - policy-generator.yaml
6 |
--------------------------------------------------------------------------------
/.sops.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | creation_rules:
3 |   - path_regex: components/.*\.ya?ml # NOTE(review): only components/ is covered; apps/virt-vm/secret.yaml (see tree) and anything under helm/ fall outside this rule, so `sops -e` there needs an explicit key — confirm those files hold no plaintext secret data, or widen the regex.
4 |     encrypted_regex: "^(data|stringData)$" # NOTE(review): only these keys are encrypted; metadata, labels and annotations stay in clear, so never put sensitive values there.
5 |     age: >-
6 |       age1ulfhs490lug3kres5qm5kfdmpqmcrwsfsc03eln0s3xffndnrcwq5u86tt
7 |
--------------------------------------------------------------------------------
/clusters/proxmox/image-registry.yaml:
--------------------------------------------------------------------------------
1 | applications:
2 |   image-registry-config:
3 |     annotations:
4 |       argocd.argoproj.io/sync-wave: "25"
5 |     source:
6 |       path: components/image-registry-config
7 |
--------------------------------------------------------------------------------
/components/metallb-l2-config/l2advertisement.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: metallb.io/v1beta1
3 | kind: L2Advertisement
4 | metadata:
5 |   name: pool1-l2-advertisement
6 | spec:
7 |   ipAddressPools:
8 |     - pool-1
9 |
--------------------------------------------------------------------------------
/components/acm-operator/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | resources:
6 |   - ./namespace.yaml
7 |   - ./operator.yaml
8 |   - ./subscription.yaml
9 |
--------------------------------------------------------------------------------
/components/devspaces-config/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./namespace.yaml
6 |   - ./checluster.yaml # NOTE(review): not present in the tree listing at the top of this page (only configmap.yaml is); if it is generated or deliberately untracked, document that here, otherwise `kustomize build` fails on a clean checkout.
7 |   - ./external-secret.yaml
8 |
--------------------------------------------------------------------------------
/components/lvm-operator/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./namespace.yaml
6 |   - ./operator-group.yaml
7 |   - ./subscription.yaml
8 |
--------------------------------------------------------------------------------
/components/patch-operator/operator.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: operators.coreos.com/v1
3 | kind: OperatorGroup
4 | metadata:
5 |   name: patch-operator
6 |   namespace: patch-operator
7 | spec:
8 |   targetNamespaces: [] # NOTE(review): an empty list is treated like an absent one — all namespaces are selected, the same cluster-wide (AllNamespaces) mode the other OperatorGroups in this repo get with `spec: {}`; use one form consistently so readers don't mistake this for a namespace-scoped install.
9 |
--------------------------------------------------------------------------------
/components/rhdh-operator/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | resources:
6 |   - ./namespace.yaml
7 |   - ./operator.yaml
8 |   - ./subscription.yaml
9 |
--------------------------------------------------------------------------------
/components/cert-manager-application/openshift-api/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | kind: Kustomization
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | resources:
5 |   - openshift-api-certificate.yaml
6 |   - api-server.yaml
7 |
--------------------------------------------------------------------------------
/components/external-secrets-operator/operator-group.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: operators.coreos.com/v1
3 | kind: OperatorGroup
4 | metadata:
5 |   name: external-secrets-operator
6 |   namespace: external-secrets
7 | spec: {} # NOTE(review): empty spec = AllNamespaces install mode; the operator (which reads and writes Secrets) gets cluster-wide RBAC, which is what ClusterSecretStore usage requires — stating it avoids surprise.
8 |
--------------------------------------------------------------------------------
/components/gitops-bootstrap-policy/manifests/gitops-subscription/base/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     openshift.io/cluster-monitoring: "true"
6 |   name: openshift-gitops
7 |
--------------------------------------------------------------------------------
/components/keycloak-operator/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 |
5 | resources:
6 |   - ./namespace.yaml
7 |   - ./operator.yaml
8 |   - ./subscription.yaml
9 |
-------------------------------------------------------------------------------- /components/metallb-hcp-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | resources: 5 | - ./ipaddress-pool.yaml 6 | - ./l2advertisement.yaml 7 | - ./service.yaml 8 | -------------------------------------------------------------------------------- /components/metallb-l2-config/ipaddress-pool.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: metallb.io/v1beta1 3 | kind: IPAddressPool 4 | metadata: 5 | name: pool-1 6 | spec: 7 | autoAssign: true 8 | addresses: 9 | - 10 | -------------------------------------------------------------------------------- /components/vault-config-operator/operator-group.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1 3 | kind: OperatorGroup 4 | metadata: 5 | name: vault-config-operator 6 | namespace: vault-config-operator 7 | spec: {} 8 | -------------------------------------------------------------------------------- /components/aap-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: aap 5 | resources: 6 | - ./namespace.yaml 7 | - ./operator.yaml 8 | - ./subscription.yaml 9 | -------------------------------------------------------------------------------- /components/acm-config/multi-cluster-hub.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operator.open-cluster-management.io/v1 3 | kind: MultiClusterHub 4 | metadata: 5 | name: multiclusterhub 6 | namespace: open-cluster-management 7 | spec: {} 8 | 
--------------------------------------------------------------------------------
/components/acm-placement/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ./clustersetbinding.yaml
- ./placement.yaml
- ./gitops-cluster.yaml
--------------------------------------------------------------------------------
/components/csvwatchdog-operator/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# NOTE(review): this remote resource tracks the mutable `main` branch, so the
# manifests applied to the cluster (presumably including CRDs and RBAC) can
# change without any commit to this repo. Pin to a release tag or commit SHA
# so the rendered output is reproducible and reviewable. Also confirm that
# kustomize resolves this `blob/` URL to the raw file contents rather than the
# HTML page.
- https://github.com/Vikaspogu/csvwatchdog-operator/blob/main/dist/install.yaml
--------------------------------------------------------------------------------
/components/external-secrets-operator/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
- ./operator-group.yaml
- ./subscription.yaml
--------------------------------------------------------------------------------
/components/log-forwarder-config/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./service-account.yaml
# crb.yaml binds the forwarder's service account cluster-wide; its contents are
# not on this page — verify it grants only what log collection needs.
- ./crb.yaml
- ./cluster-log-forwarder.yaml
--------------------------------------------------------------------------------
/components/openshift-gitops-operator/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
- ./operator-group.yaml
- ./subscription.yaml
-------------------------------------------------------------------------------- /components/vault-config-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./namespace.yaml 6 | - ./operator-group.yaml 7 | - ./subscription.yaml 8 | -------------------------------------------------------------------------------- /components/virtualization-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./namespace.yaml 6 | - ./operator-group.yaml 7 | - ./subscription.yaml 8 | -------------------------------------------------------------------------------- /helm/charts/hcp-cluster-deployment/templates/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: {{ .Values.clusterName }} 5 | labels: 6 | {{- include "hcp-cluster-deployment.labels" . 
| nindent 4 }} 7 | -------------------------------------------------------------------------------- /clusters/proxmox/reflector.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | reflector: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: reflector 7 | source: 8 | path: components/reflector 9 | -------------------------------------------------------------------------------- /clusters/vsphere/reflector.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | reflector: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: reflector 7 | source: 8 | path: components/reflector 9 | -------------------------------------------------------------------------------- /components/acm-policies/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | namespace: acm-policies 6 | 7 | resources: 8 | - namespace.yaml 9 | - service-account.yaml 10 | -------------------------------------------------------------------------------- /components/agent-service-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./agent-service-config.yaml 6 | # - ./provisioning.yaml 7 | - ./config-map.yaml 8 | -------------------------------------------------------------------------------- /components/crossplane-compositions/azure/storage/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./composite-resource-definition.yaml 6 | - ./composition.yaml 7 | 
-------------------------------------------------------------------------------- /components/keycloak-operator/operator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1 3 | kind: OperatorGroup 4 | metadata: 5 | name: keycloak 6 | namespace: keycloak 7 | spec: 8 | targetNamespaces: 9 | - keycloak 10 | -------------------------------------------------------------------------------- /components/sonarqube/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: cicd-tools 6 | labels: 7 | openshift.io/cluster-monitoring: "true" 8 | argocd.argoproj.io/managed-by: openshift-gitops 9 | -------------------------------------------------------------------------------- /components/vault-chart/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: vault 6 | labels: 7 | openshift.io/cluster-monitoring: "true" 8 | argocd.argoproj.io/managed-by: openshift-gitops 9 | -------------------------------------------------------------------------------- /helm/charts/tenants-iac-gitops/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for tenants-iac-gitops. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 
# Git source for the tenant IaC repository; values are empty here and are
# presumably supplied per tenant at install time.
git:
  url:
  revision:
  path:
--------------------------------------------------------------------------------
/components/ldap-sync-config/namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: ldap-sync
  labels:
    argocd.argoproj.io/managed-by: openshift-gitops
    openshift.io/cluster-monitoring: "true"
--------------------------------------------------------------------------------
/apps/virt-vm/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: team-a-vm
resources:
- ./namespace.yaml
# NOTE(review): secret.yaml lives under apps/, which the .sops.yaml creation
# rule on this page (path_regex components/.*\.ya?ml) does not match — confirm
# it is encrypted, generated, or otherwise free of plaintext credentials.
- ./secret.yaml
- ./vm.yaml
- ./svc.yaml
--------------------------------------------------------------------------------
/clusters/proxmox/cloudflared.yaml:
--------------------------------------------------------------------------------
applications:
  cloudflared:
    annotations:
      argocd.argoproj.io/sync-wave: "25"
    destination:
      namespace: networking
    source:
      path: components/cloudflared
--------------------------------------------------------------------------------
/clusters/vsphere/cloudflared.yaml:
--------------------------------------------------------------------------------
applications:
  cloudflared:
    annotations:
      argocd.argoproj.io/sync-wave: "25"
    destination:
      namespace: networking
    source:
      path: components/cloudflared
--------------------------------------------------------------------------------
/components/cert-manager-application/openshift-wildcard/kustomization.yaml:
--------------------------------------------------------------------------------
---
kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
resources:
- openshift-wildcard-certificate.yaml
-
ingress-controller.yaml 7 | -------------------------------------------------------------------------------- /components/patch-operator/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: patch-operator 6 | labels: 7 | openshift.io/cluster-monitoring: "true" 8 | argocd.argoproj.io/managed-by: openshift-gitops 9 | -------------------------------------------------------------------------------- /components/acm-placement/clustersetbinding.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cluster.open-cluster-management.io/v1beta2 3 | kind: ManagedClusterSetBinding 4 | metadata: 5 | name: default 6 | namespace: openshift-gitops 7 | spec: 8 | clusterSet: default 9 | -------------------------------------------------------------------------------- /components/argocd-events-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: openshift-gitops 5 | resources: 6 | - ./event-bus.yaml 7 | - ./event-source.yaml 8 | - ./sensor.yaml 9 | -------------------------------------------------------------------------------- /components/argocd-notifications/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: openshift-gitops 5 | resources: 6 | - ./externalsecrets.yaml 7 | - ./notification-configuration.yaml 8 | -------------------------------------------------------------------------------- /components/patch-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | resources: 6 | - 
./namespace.yaml 7 | - ./operator.yaml 8 | - ./subscription.yaml 9 | - ./rbac.yaml 10 | -------------------------------------------------------------------------------- /components/vault-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: vault-admin 5 | resources: 6 | - ./namespace.yaml 7 | - ./secret-engine-mount.yaml 8 | - ./admin-policy.yaml 9 | -------------------------------------------------------------------------------- /helm/charts/hcp-cluster-deployment/values.yaml: -------------------------------------------------------------------------------- 1 | clusterName: 2 | baseDomain: 3 | openshiftVersion: 4.16.15 4 | automaticHostBinding: true 5 | sshKeyPub: 6 | nodePort: 7 | ip: 8 | port: 9 | inventoryName: 10 | additionalConfiguration: {} 11 | -------------------------------------------------------------------------------- /components/cloudnative-pg-operator/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: cloudnative-pg 6 | labels: 7 | openshift.io/cluster-monitoring: "true" 8 | argocd.argoproj.io/managed-by: openshift-gitops 9 | -------------------------------------------------------------------------------- /components/gitops-bootstrap-policy/managedclustersetbinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cluster.open-cluster-management.io/v1beta2 2 | kind: ManagedClusterSetBinding 3 | metadata: 4 | name: global 5 | namespace: acm-policies 6 | spec: 7 | clusterSet: global 8 | -------------------------------------------------------------------------------- /components/openshift-gitops-operator/operator-group.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
operators.coreos.com/v1 2 | kind: OperatorGroup 3 | metadata: 4 | name: openshift-gitops-operator 5 | namespace: openshift-gitops-operator 6 | spec: 7 | upgradeStrategy: Default 8 | -------------------------------------------------------------------------------- /Taskfile.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://taskfile.dev/schema.json 3 | version: "3" 4 | 5 | set: [pipefail] 6 | shopt: [globstar] 7 | 8 | includes: 9 | volsync: .taskfiles/volsync 10 | 11 | tasks: 12 | default: task --list 13 | -------------------------------------------------------------------------------- /components/acm-policies/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: acm-policies 5 | annotations: 6 | argocd.argoproj.io/sync-options: Delete=false 7 | labels: 8 | argocd.argoproj.io/managed-by: openshift-gitops 9 | -------------------------------------------------------------------------------- /components/acs-central-configuration/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | annotations: 6 | argocd.argoproj.io/sync-wave: "0" 7 | openshift.io/display-name: Red Hat Advanced Cluster Security 8 | name: stackrox 9 | -------------------------------------------------------------------------------- /components/acs-secured-configuration/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | annotations: 6 | argocd.argoproj.io/sync-wave: "0" 7 | openshift.io/display-name: Red Hat Advanced Cluster Security 8 | name: stackrox 9 | -------------------------------------------------------------------------------- /components/developer-hub-config/rbac-policies.csv: 
-------------------------------------------------------------------------------- 1 | p, role:default/team1, catalog-entity, read, allow 2 | g, user:default/user1, role:default/team1 3 | p, role:default/team2, catalog.entity.create, create, allow 4 | g, user:default/user2, role:default/team2 5 | -------------------------------------------------------------------------------- /components/external-secrets-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: external-secrets 5 | resources: 6 | - ./default-operatorconfig.yaml 7 | - ./vault-cluster-secret-store.yaml 8 | -------------------------------------------------------------------------------- /components/oauth-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | commonAnnotations: 5 | argocd.argoproj.io/sync-options: Delete=false 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./oauth.yaml 9 | -------------------------------------------------------------------------------- /components/openshift-pipeline-as-code-repo-config/Chart.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v2 3 | version: 1.0.0 4 | name: pac-repository 5 | dependencies: 6 | - name: pac-repository 7 | version: 0.1.0 8 | repository: "file://../../helm/charts/pac-repository" 9 | -------------------------------------------------------------------------------- /components/openshift-pipelines-application/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: cicd-openshift-multicluster-repo 5 | resources: 6 | - ./external-secret.yaml 7 | - ./pipeline.yaml 8 | 
-------------------------------------------------------------------------------- /components/vault-config-operator/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | labels: 6 | openshift.io/cluster-monitoring: "true" 7 | argocd.argoproj.io/managed-by: openshift-gitops 8 | name: vault-config-operator 9 | -------------------------------------------------------------------------------- /components/acm-policies-config/configmap-copy-policy/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: acm-policies 5 | resources: 6 | - config-map.yaml 7 | generators: 8 | - policy-generator.yaml 9 | -------------------------------------------------------------------------------- /components/metallb-hcp-config/ipaddress-pool.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: metallb.io/v1beta1 3 | kind: IPAddressPool 4 | metadata: 5 | name: ingress-public-ip 6 | namespace: metallb 7 | spec: 8 | autoAssign: false 9 | addresses: 10 | - 11 | -------------------------------------------------------------------------------- /clusters/proxmox/alertmanager.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | alertmanager-config: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "20" 5 | destination: 6 | namespace: openshift-monitoring 7 | source: 8 | path: components/alertmanager-config 9 | -------------------------------------------------------------------------------- /clusters/vsphere/alertmanager.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | alertmanager-config: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "20" 5 | destination: 6 | namespace: 
openshift-monitoring 7 | source: 8 | path: components/alertmanager-config 9 | -------------------------------------------------------------------------------- /components/sonarqube/pvc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: sonarqube-data 5 | spec: 6 | accessModes: 7 | - ReadWriteOnce 8 | volumeMode: Filesystem 9 | resources: 10 | requests: 11 | storage: 5Gi 12 | -------------------------------------------------------------------------------- /clusters/proxmox/cloudnative-pg.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | cloudnative-pg-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: cloudnative-pg 7 | source: 8 | path: components/cloudnative-pg-operator 9 | -------------------------------------------------------------------------------- /components/acm-operator/operator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1 3 | kind: OperatorGroup 4 | metadata: 5 | name: open-cluster-management 6 | namespace: open-cluster-management 7 | spec: 8 | targetNamespaces: 9 | - open-cluster-management 10 | -------------------------------------------------------------------------------- /components/agent-service-config/provisioning.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: metal3.io/v1alpha1 2 | kind: Provisioning 3 | metadata: 4 | name: provisioning-configuration 5 | annotations: 6 | argocd.argoproj.io/sync-options: ServerSideApply=true 7 | spec: 8 | watchAllNamespaces: true 9 | -------------------------------------------------------------------------------- /components/keycloak-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 
apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: keycloak 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./keycloak-tls-cert.yaml 8 | - ./db.yaml 9 | - ./keycloak.yaml 10 | -------------------------------------------------------------------------------- /components/lvm-operator/operator-group.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1 3 | kind: OperatorGroup 4 | metadata: 5 | name: openshift-storage-operatorgroup 6 | namespace: openshift-storage 7 | spec: 8 | targetNamespaces: 9 | - openshift-storage 10 | -------------------------------------------------------------------------------- /components/opendora-chart/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: apache-devlake 5 | resources: 6 | - ./service-account.yaml 7 | - ./service.yaml 8 | - ./deployment.yaml 9 | - ./ingress.yaml 10 | -------------------------------------------------------------------------------- /components/virtualization-operator/operator-group.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1 3 | kind: OperatorGroup 4 | metadata: 5 | name: kubevirt-hyperconverged-group 6 | namespace: openshift-cnv 7 | spec: 8 | targetNamespaces: 9 | - openshift-cnv 10 | -------------------------------------------------------------------------------- /clusters/proxmox/onepassword-connect.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | onepassword-connect-chart: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: external-secrets 7 | source: 8 | path: components/onepassword-connect-chart 9 | 
--------------------------------------------------------------------------------
/clusters/vsphere/onepassword-connect.yaml:
--------------------------------------------------------------------------------
applications:
  onepassword-connect-chart:
    annotations:
      # NOTE(review): the proxmox counterpart on this page uses sync-wave "5";
      # the difference is presumably intentional — confirm.
      argocd.argoproj.io/sync-wave: "10"
    destination:
      namespace: external-secrets
    source:
      path: components/onepassword-connect-chart
--------------------------------------------------------------------------------
/components/developer-hub-config/dynamic-plugin-pvc.yaml:
--------------------------------------------------------------------------------
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: dynamic-plugins-root
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
--------------------------------------------------------------------------------
/groups/all/kustomization.yaml:
--------------------------------------------------------------------------------
# Kustomize Component that renders the app-of-apps Helm chart for every cluster.
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

helmGlobals:
  chartHome: ../../helm/charts

helmCharts:
- name: argocd-app-of-app
  valuesFile: values.yaml
  namespace: openshift-gitops
--------------------------------------------------------------------------------
/apps/virt-vm/svc.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Service
metadata:
  name: small-fedora-vm
spec:
  selector:
    kubevirt.io/domain: small-fedora-vm
  ports:
  - port: 22
    protocol: TCP
    targetPort: 22
  # NOTE(review): type LoadBalancer publishes the VM's SSH port on an external
  # address (presumably from the MetalLB pools on this page). If SSH should not
  # be reachable from the whole segment, restrict it with
  # spec.loadBalancerSourceRanges or expose it only inside the cluster.
  type: LoadBalancer
--------------------------------------------------------------------------------
/groups/dev/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

helmGlobals: 6 | chartHome: ../../helm/charts/ 7 | 8 | helmCharts: 9 | - name: argocd-app-of-app 10 | valuesFile: values.yaml 11 | namespace: openshift-gitops 12 | -------------------------------------------------------------------------------- /components/onepassword-connect-chart/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: external-secrets 5 | resources: 6 | - ./rb.yaml 7 | - ./service.yaml 8 | - ./deployment.yaml 9 | generators: 10 | - ./secret-generator.yaml 11 | -------------------------------------------------------------------------------- /components/tekton-dashboard/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: tekton-dashboard 5 | resources: 6 | - https://github.com/tektoncd/dashboard/releases/download/v0.52.0/release-full.yaml 7 | - ./ingress.yaml 8 | - ./crb.yaml 9 | -------------------------------------------------------------------------------- /components/cert-manager-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: cert-manager 5 | resources: 6 | - ./certmanager.yaml 7 | - ./externalsecret.yaml 8 | - ./prod-cluster-issuer.yaml 9 | - ./staging-cluster-issuer.yaml 10 | -------------------------------------------------------------------------------- /components/gitops-bootstrap-policy/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | namespace: acm-policies 5 | 6 | resources: 7 | - placement.yaml 8 | - managedclustersetbinding.yaml 9 | 10 | generators: 11 | - 
policy-generator-config.yaml 12 | -------------------------------------------------------------------------------- /components/openshift-gitops-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: openshift-gitops 5 | resources: 6 | - ./argocd.yaml 7 | - ./cluster-rolebinding.yaml 8 | - ./plugin-configmap.yaml 9 | - ./setenv-cmp-plugin.yaml 10 | -------------------------------------------------------------------------------- /clusters/proxmox/reloader.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | reloader-chart: 3 | annotations: 4 | argocd.argoproj.io/compare-options: IgnoreExtraneous 5 | argocd.argoproj.io/sync-wave: "5" 6 | destination: 7 | namespace: reloader 8 | source: 9 | path: components/reloader-chart 10 | -------------------------------------------------------------------------------- /clusters/vsphere/reloader.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | reloader-chart: 3 | annotations: 4 | argocd.argoproj.io/compare-options: IgnoreExtraneous 5 | argocd.argoproj.io/sync-wave: "5" 6 | destination: 7 | namespace: reloader 8 | source: 9 | path: components/reloader-chart 10 | -------------------------------------------------------------------------------- /components/aap-operator/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: aap 6 | annotations: 7 | argocd.argoproj.io/sync-options: Delete=false 8 | labels: 9 | openshift.io/cluster-monitoring: "true" 10 | argocd.argoproj.io/managed-by: openshift-gitops 11 | -------------------------------------------------------------------------------- /components/sonarqube/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: cicd-tools 5 | resources: 6 | - ./namespace.yaml 7 | - ./pgsql-cluster.yaml 8 | - ./pvc.yaml 9 | - ./deployment.yaml 10 | - ./service.yaml 11 | - ./ingress.yaml 12 | -------------------------------------------------------------------------------- /components/synology-csi-chart/volume-snapshot-class.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: snapshot.storage.k8s.io/v1 2 | kind: VolumeSnapshotClass 3 | metadata: 4 | name: synology-snapshotclass 5 | annotations: 6 | storageclass.kubernetes.io/is-default-class: "false" 7 | driver: csi.san.synology.com 8 | deletionPolicy: Delete 9 | -------------------------------------------------------------------------------- /components/rhdh-operator/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: rhdh-operator 6 | annotations: 7 | argocd.argoproj.io/sync-options: Delete=false 8 | labels: 9 | openshift.io/cluster-monitoring: "true" 10 | argocd.argoproj.io/managed-by: openshift-gitops 11 | -------------------------------------------------------------------------------- /components/lvm-operator/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | annotations: 6 | argocd.argoproj.io/sync-options: Delete=false 7 | labels: 8 | openshift.io/cluster-monitoring: "true" 9 | argocd.argoproj.io/managed-by: openshift-gitops 10 | name: openshift-storage 11 | -------------------------------------------------------------------------------- /components/acm-operator/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | 
kind: Namespace 4 | metadata: 5 | name: open-cluster-management 6 | annotations: 7 | argocd.argoproj.io/sync-options: Delete=false 8 | labels: 9 | openshift.io/cluster-monitoring: "true" 10 | argocd.argoproj.io/managed-by: openshift-gitops 11 | -------------------------------------------------------------------------------- /components/developer-hub-config/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: developer-hub 6 | annotations: 7 | argocd.argoproj.io/sync-options: Delete=false 8 | labels: 9 | argocd.argoproj.io/managed-by: openshift-gitops 10 | openshift.io/cluster-monitoring: "true" 11 | -------------------------------------------------------------------------------- /components/virtualization-config/hyper-converged.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: HyperConverged 3 | apiVersion: hco.kubevirt.io/v1beta1 4 | metadata: 5 | annotations: 6 | deployOVS: "false" 7 | name: kubevirt-hyperconverged 8 | namespace: openshift-cnv 9 | spec: 10 | featureGates: 11 | enableCommonBootImageImport: false 12 | -------------------------------------------------------------------------------- /components/virtualization-operator/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: openshift-cnv 6 | annotations: 7 | argocd.argoproj.io/sync-options: Delete=false 8 | labels: 9 | openshift.io/cluster-monitoring: "true" 10 | argocd.argoproj.io/managed-by: openshift-gitops 11 | -------------------------------------------------------------------------------- /components/devspaces-operator/subscription.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: 
devspaces 6 | spec: 7 | channel: stable 8 | installPlanApproval: Automatic 9 | name: devspaces 10 | source: redhat-operators 11 | sourceNamespace: openshift-marketplace 12 | -------------------------------------------------------------------------------- /components/external-secrets-operator/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: external-secrets 6 | annotations: 7 | argocd.argoproj.io/sync-options: Delete=false 8 | labels: 9 | openshift.io/cluster-monitoring: "true" 10 | argocd.argoproj.io/managed-by: openshift-gitops 11 | -------------------------------------------------------------------------------- /components/kyverno-chart/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: kyverno 6 | annotations: 7 | argocd.argoproj.io/sync-options: Delete=false,ServerSideApply=true 8 | labels: 9 | argocd.argoproj.io/managed-by: openshift-gitops 10 | openshift.io/cluster-monitoring: "true" 11 | -------------------------------------------------------------------------------- /helm/charts/argocd-app-of-app/values.yaml: -------------------------------------------------------------------------------- 1 | default: 2 | project: 3 | 4 | app: 5 | enableAutoSync: null 6 | autoSyncPrune: true 7 | destination: 8 | namespace: null 9 | server: null 10 | project: null 11 | source: 12 | path: null 13 | repoURL: null 14 | targetRevision: HEAD 15 | -------------------------------------------------------------------------------- /helm/charts/pac-repository/values.yaml: -------------------------------------------------------------------------------- 1 | repositories: [] 2 | # - url: https://github.com/Vikaspogu/httpd-demo 3 | # pacNamespace: cicd-tools 4 | # additionalSettings: 5 | # github_app_token_scope_repos: 6 | # - "owner/project" 7 | # - 
"owner1/project1"
#   appNamespaces:
#     - dummy
--------------------------------------------------------------------------------
/.bootstrap/openshift/setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# One-shot bootstrap of OpenShift GitOps on a fresh cluster: install the operator,
# seed the `sops-age` Secret (presumably read by the setenv CMP plugin configured in
# openshift-gitops-config to decrypt SOPS-encrypted manifests — confirm), then apply
# the gitops instance config. Expects to be run from .bootstrap/openshift with a
# kubeconfig beside it.
# NOTE(review): no `set -euo pipefail`: a failed `oc apply` (or a missing keys.txt)
# does not stop the script, so later steps run against a half-bootstrapped cluster.
export KUBECONFIG=./kubeconfig
oc apply -k ../components/openshift-gitops-operator
# NOTE(review): a fixed 60 s wait races OLM — if the operator's CRDs are not installed
# in time, the ArgoCD resource in openshift-gitops-config fails to apply. Waiting on
# the Subscription/CSV or the operator Deployment with `oc wait` is deterministic.
sleep 60s
# The age private key is the root of trust for every SOPS-encrypted value in this repo:
# it is copied verbatim into a Secret in openshift-gitops, so `get`/`list` on secrets in
# that namespace is equivalent to access to all encrypted values. Keep RBAC on the
# namespace correspondingly tight and keep keys.txt and ./kubeconfig out of the repo.
cat ~/.config/sops/age/keys.txt | oc create secret generic sops-age -n openshift-gitops --from-file=keys.txt=/dev/stdin
oc apply -k ../components/openshift-gitops-config -n openshift-gitops
--------------------------------------------------------------------------------
/components/metallb-config/metallb.yaml:
--------------------------------------------------------------------------------
---
# MetalLB instance CR; only CPU limits are set (no requests), which is fine for a lab.
apiVersion: metallb.io/v1beta1
kind: MetalLB
metadata:
  name: metallb
spec:
  # debug is very chatty for both controller and speaker; consider info once stable.
  logLevel: debug
  controllerConfig:
    resources:
      limits:
        cpu: "200m"
  speakerConfig:
    resources:
      limits:
        cpu: "300m"
--------------------------------------------------------------------------------
/components/acs-secured-configuration/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: stackrox

# SkipDryRunOnMissingResource lets Argo CD sync the SecuredCluster CR before its CRD
# exists — presumably because the ACS operator is installed in a separate, earlier app
# and the CRD is not present at dry-run time; confirm.
commonAnnotations:
  argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true

resources:
- namespace.yaml
- secured-cluster.yaml
--------------------------------------------------------------------------------
/components/openshift-gitops-operator/namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    # Delete=false keeps the namespace (and the operator in it) if the Argo CD app is pruned.
    argocd.argoproj.io/sync-options: Delete=false
  labels:
    openshift.io/cluster-monitoring: "true"
    argocd.argoproj.io/managed-by: openshift-gitops
name: openshift-gitops-operator 11 | -------------------------------------------------------------------------------- /components/vault-chart/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: vault-edit 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: edit 10 | subjects: 11 | - kind: ServiceAccount 12 | name: vault 13 | namespace: vault 14 | -------------------------------------------------------------------------------- /components/vault-config/secret-engine-mount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: redhatcop.redhat.io/v1alpha1 2 | kind: SecretEngineMount 3 | metadata: 4 | name: developer-hub 5 | namespace: developer-hub 6 | spec: 7 | authentication: 8 | namespace: vault-admin 9 | path: kubernetes 10 | role: policy-admin 11 | type: kv 12 | path: proxmox 13 | -------------------------------------------------------------------------------- /components/rhdh-operator/subscription.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: rhdh-operator 6 | namespace: rhdh-operator 7 | spec: 8 | channel: fast 9 | installPlanApproval: Automatic 10 | name: rhdh 11 | source: redhat-operators 12 | sourceNamespace: openshift-marketplace 13 | -------------------------------------------------------------------------------- /components/sonarqube/pgsql-cluster.yaml: -------------------------------------------------------------------------------- 1 | kind: Cluster 2 | apiVersion: postgresql.cnpg.io/v1 3 | metadata: 4 | name: cicd-tools-pgsql 5 | namespace: cicd-tools 6 | spec: 7 | instances: 1 8 | enablePDB: false 9 | logLevel: info 10 | primaryUpdateStrategy: unsupervised 11 | storage: 12 | size: 1Gi 13 | 
walStorage: 14 | size: 1Gi 15 | -------------------------------------------------------------------------------- /components/sonarqube/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | labels: 6 | app: sonarqube 7 | name: sonarqube 8 | spec: 9 | ports: 10 | - name: 9000-tcp 11 | port: 9000 12 | protocol: TCP 13 | targetPort: 9000 14 | selector: 15 | app: sonarqube 16 | name: sonarqube 17 | type: ClusterIP 18 | -------------------------------------------------------------------------------- /helm/charts/argocd-app-of-app/README.md: -------------------------------------------------------------------------------- 1 | A simple helm chart that can generate one or more Argo CD AppProject and Applications to support the App of App concept. 2 | 3 | Use `helm package .` to package updates. 4 | 5 | Chart adapted from example at [https://github.com/stevesea/argocd-helm-app-of-apps-example](https://github.com/stevesea/argocd-helm-app-of-apps-example) 6 | -------------------------------------------------------------------------------- /components/keycloak-config/keycloak-tls-cert.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: Certificate 4 | metadata: 5 | name: keycloak-tls-cert 6 | namespace: stackrox 7 | spec: 8 | secretName: keycloak-tls-cert 9 | issuerRef: 10 | name: letsencrypt-prod 11 | kind: ClusterIssuer 12 | dnsNames: 13 | - keycloak.apps.vsphere.v3socp.boo 14 | -------------------------------------------------------------------------------- /components/ldap-sync-config/cluster-role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: ldap-group-syncer 6 | rules: 7 | - apiGroups: 8 | - "" 9 | - user.openshift.io 10 | resources: 11 | - groups 
12 | verbs: 13 | - get 14 | - list 15 | - create 16 | - update 17 | -------------------------------------------------------------------------------- /components/cluster-rbac-config/crb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: cluster-admin-groups 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: cluster-admin 10 | subjects: 11 | - apiGroup: rbac.authorization.k8s.io 12 | kind: Group 13 | name: admins 14 | -------------------------------------------------------------------------------- /components/reflector/rbac.yaml: -------------------------------------------------------------------------------- 1 | kind: RoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: "system-openshift-scc-nonroot" 5 | subjects: 6 | - kind: ServiceAccount 7 | name: reflector 8 | namespace: reflector 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: ClusterRole 12 | name: "system:openshift:scc:nonroot" 13 | -------------------------------------------------------------------------------- /components/keycloak-operator/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | annotations: 6 | openshift.io/description: "Red Hat Keycloak project" 7 | openshift.io/display-name: "Red Hat Keycloak" 8 | name: keycloak 9 | labels: 10 | openshift.io/cluster-monitoring: "true" 11 | argocd.argoproj.io/managed-by: openshift-gitops 12 | -------------------------------------------------------------------------------- /components/patch-operator/rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: patch-operator-cluster-admin 6 | roleRef: 7 
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
# NOTE(review): this binds cluster-admin to the namespace's *default* ServiceAccount, so
# every pod in patch-operator that does not set serviceAccountName (and anyone allowed to
# create pods there) inherits full cluster-admin. A ServiceAccount dedicated to the
# operator, as the other bindings in this repo do (vault, reflector, ldap-group-syncer),
# keeps the grant to the one workload that needs it.
- kind: ServiceAccount
  name: default
  namespace: patch-operator
--------------------------------------------------------------------------------
/components/kubechecks-chart/rolebinding.yaml:
--------------------------------------------------------------------------------
# Lets the kubechecks ServiceAccount use the privileged SCC via a RoleBinding to the
# SCC's cluster role (the namespace is presumably injected by kustomize — confirm).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubechecks-scc-privileged
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # NOTE(review): privileged removes every SCC restriction (host namespaces, any UID,
  # privileged containers, host paths). Confirm the kubechecks workload needs more than
  # anyuid/nonroot before keeping this; the reflector and 1Password bindings in this
  # repo use those narrower SCCs.
  name: system:openshift:scc:privileged
subjects:
- kind: ServiceAccount
  name: kubechecks
  namespace: kubechecks
--------------------------------------------------------------------------------
/components/acm-policies-config/secured-cluster-policy/placement-rule.yaml:
--------------------------------------------------------------------------------
---
# Selects the managed clusters that receive the secured-cluster secret policy.
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: secured-cluster-secret-placement
  namespace: stackrox
spec:
  # This will go to all managed clusters (every cluster whose
  # ManagedClusterConditionAvailable condition is "True").
  clusterConditions:
  - status: "True"
    type: ManagedClusterConditionAvailable
--------------------------------------------------------------------------------
/components/acs-central-configuration/central-default-tls-cert.yaml:
--------------------------------------------------------------------------------
---
# cert-manager Certificate for the ACS Central default TLS secret, issued by the
# letsencrypt-prod ClusterIssuer.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: central-default-tls-cert
  namespace: stackrox
spec:
  secretName: central-default-tls-cert
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  # NOTE(review): the entry below is empty, which renders as a null item that the API
  # server rejects for a []string field. Fill in Central's FQDN here; the
  # openshift-api-certificate.yaml in this repo derives its name from
  # ${PLATFORM_BASE_DOMAIN}, which may be the intended pattern.
  -
--------------------------------------------------------------------------------
/components/acs-operator/namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: rhacs-operator 6 | annotations: 7 | openshift.io/display-name: Red Hat Advanced Cluster Security Operator 8 | argocd.argoproj.io/sync-options: Delete=false 9 | labels: 10 | openshift.io/cluster-monitoring: "true" 11 | argocd.argoproj.io/managed-by: openshift-gitops 12 | -------------------------------------------------------------------------------- /components/ldap-sync-config/cluster-role-binding.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: ldap-group-syncer 6 | subjects: 7 | - kind: ServiceAccount 8 | name: ldap-group-syncer 9 | namespace: ldap-sync 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: ldap-group-syncer 14 | -------------------------------------------------------------------------------- /components/metallb-l2-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | namespace: metallb-system 5 | resources: 6 | - ./ipaddress-pool.yaml 7 | - ./l2advertisement.yaml 8 | patches: 9 | - patch: | 10 | - op: replace 11 | path: /spec/addresses 12 | value: "" 13 | target: 14 | kind: IPAddressPool 15 | -------------------------------------------------------------------------------- /helm/charts/argocd-app-of-app/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: argocd-app-of-app 3 | version: 0.3.0 4 | description: Generic chart for creating series of Argo CD Applications and AppProjects following the app-of-apps pattern 5 | type: application 6 | kubeVersion: '>=1.14.6' 7 | sources: 8 | - https://github.com/Vikaspogu/openshift-multicluster 9 | maintainers: 10 | - name: Vikas Pogu 11 | 
-------------------------------------------------------------------------------- /components/aap-operator/subscription.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: ansible-automation-platform-operator 6 | namespace: aap 7 | spec: 8 | channel: 9 | installPlanApproval: Automatic 10 | name: ansible-automation-platform-operator 11 | source: redhat-operators 12 | sourceNamespace: openshift-marketplace 13 | -------------------------------------------------------------------------------- /components/argocd-events/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: openshift-gitops 5 | 6 | helmCharts: 7 | - name: argo-events 8 | releaseName: argo-events 9 | namespace: openshift-gitops 10 | repo: https://argoproj.github.io/argo-helm 11 | version: "2.4.16" 12 | valuesInline: 13 | openshift: true 14 | -------------------------------------------------------------------------------- /components/lvm-operator/subscription.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: lvms 6 | namespace: openshift-storage 7 | spec: 8 | channel: 9 | installPlanApproval: Automatic 10 | name: lvms-operator 11 | source: redhat-operators 12 | sourceNamespace: openshift-marketplace 13 | startingCSV: lvms-operator.v4.19 14 | -------------------------------------------------------------------------------- /components/acm-operator/subscription.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: advanced-cluster-management 6 | namespace: 
open-cluster-management 7 | spec: 8 | channel: 9 | installPlanApproval: Automatic 10 | name: advanced-cluster-management 11 | source: redhat-operators 12 | sourceNamespace: openshift-marketplace 13 | -------------------------------------------------------------------------------- /components/cert-manager-application/openshift-api/openshift-api-certificate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: Certificate 4 | metadata: 5 | name: openshift-api 6 | namespace: openshift-config 7 | spec: 8 | secretName: openshift-api-certificate 9 | issuerRef: 10 | name: letsencrypt-prod 11 | kind: ClusterIssuer 12 | dnsNames: 13 | - api.${PLATFORM_BASE_DOMAIN} 14 | -------------------------------------------------------------------------------- /components/cert-manager-operator/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | annotations: 6 | openshift.io/display-name: Red Hat Certificate Manager Operator 7 | argocd.argoproj.io/sync-options: Delete=false 8 | labels: 9 | openshift.io/cluster-monitoring: "true" 10 | argocd.argoproj.io/managed-by: openshift-gitops 11 | name: cert-manager-operator 12 | -------------------------------------------------------------------------------- /components/external-secrets-operator/subscription.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: external-secrets-operator 6 | namespace: external-secrets 7 | spec: 8 | channel: stable 9 | installPlanApproval: Automatic 10 | name: external-secrets-operator 11 | source: community-operators 12 | sourceNamespace: openshift-marketplace 13 | -------------------------------------------------------------------------------- 
/components/kubernetes-imagepuller-config/image-puller.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: che.eclipse.org/v1alpha1 2 | kind: KubernetesImagePuller 3 | metadata: 4 | name: k8s-image-puller-images 5 | namespace: kubernetes-imagepuller-operator 6 | spec: 7 | images: udi-rhel8=registry.redhat.io/devspaces/udi-rhel8:3.16;idea-rhel8=registry.redhat.io/devspaces/idea-rhel8:3.16;code-rhel8=registry.redhat.io/devspaces/code-rhel8:3.16 -------------------------------------------------------------------------------- /helm/charts/infra-env/templates/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: {{ .Release.Namespace }} 5 | annotations: 6 | argocd.argoproj.io/sync-options: Delete=false,ServerSideApply=true 7 | labels: 8 | openshift.io/cluster-monitoring: "true" 9 | argocd.argoproj.io/managed-by: openshift-gitops 10 | {{- include "infra-env.labels" . 
| nindent 4 }} 11 | -------------------------------------------------------------------------------- /components/keycloak-config/devhub-realm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: keycloak.org/v1alpha1 2 | kind: KeycloakRealm 3 | metadata: 4 | labels: 5 | app: devhub 6 | name: devhub-realm 7 | namespace: keycloak 8 | spec: 9 | realm: 10 | id: devhub 11 | realm: devhub 12 | enabled: true 13 | displayName: DevHub Authentication Realm 14 | instanceSelector: 15 | matchLabels: 16 | app: sso 17 | -------------------------------------------------------------------------------- /components/openshift-gitops-operator/subscription.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: openshift-gitops-operator 6 | namespace: openshift-gitops-operator 7 | spec: 8 | channel: latest 9 | installPlanApproval: Automatic 10 | name: openshift-gitops-operator 11 | source: redhat-operators 12 | sourceNamespace: openshift-marketplace 13 | -------------------------------------------------------------------------------- /helm/charts/infra-env/templates/role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Role 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: capi-provider-role 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "infra-env.labels" . 
| nindent 4 }} 9 | rules: 10 | - verbs: 11 | - '*' 12 | apiGroups: 13 | - agent-install.openshift.io 14 | resources: 15 | - agents 16 | -------------------------------------------------------------------------------- /clusters/proxmox/devspaces.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | devspaces-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | source: 6 | path: components/devspaces-operator 7 | devspaces-config: 8 | annotations: 9 | argocd.argoproj.io/sync-wave: "15" 10 | destination: 11 | namespace: openshift-gitops 12 | source: 13 | path: components/devspaces-config 14 | -------------------------------------------------------------------------------- /components/argocd-workflows/cluster-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: argo-workflows-admin-user-sc 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: cluster-admin 10 | subjects: 11 | - kind: ServiceAccount 12 | name: argo-workflows-admin-user 13 | namespace: openshift-gitops 14 | -------------------------------------------------------------------------------- /components/argocd-workflows/route.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: route.openshift.io/v1 3 | kind: Route 4 | metadata: 5 | name: argo-workflows 6 | namespace: openshift-gitops 7 | spec: 8 | path: / 9 | to: 10 | name: argo-workflows-server 11 | weight: 100 12 | kind: Service 13 | tls: 14 | insecureEdgeTerminationPolicy: Redirect 15 | termination: edge 16 | port: 17 | targetPort: 2746 18 | -------------------------------------------------------------------------------- /components/external-secrets-config/default-operatorconfig.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operator.external-secrets.io/v1alpha1 3 | kind: OperatorConfig 4 | metadata: 5 | name: cluster 6 | spec: 7 | prometheus: 8 | enabled: true 9 | service: 10 | port: 8080 11 | resources: 12 | requests: 13 | cpu: 10m 14 | memory: 96Mi 15 | limits: 16 | cpu: 100m 17 | memory: 256Mi 18 | -------------------------------------------------------------------------------- /components/openshift-pipelines-operator/subscription.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: openshift-pipelines-operator 6 | namespace: openshift-operators 7 | spec: 8 | channel: latest 9 | installPlanApproval: Automatic 10 | name: openshift-pipelines-operator-rh 11 | source: redhat-operators 12 | sourceNamespace: openshift-marketplace 13 | -------------------------------------------------------------------------------- /helm/charts/cluster-deployment/templates/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: {{ .Release.Name }} 5 | annotations: 6 | argocd.argoproj.io/sync-options: Delete=false,ServerSideApply=true 7 | labels: 8 | openshift.io/cluster-monitoring: "true" 9 | argocd.argoproj.io/managed-by: openshift-gitops 10 | {{- include "cluster-deployment.labels" . 
| nindent 4 }} 11 | -------------------------------------------------------------------------------- /components/developer-hub-config/rbac-conditional-policies.yaml: -------------------------------------------------------------------------------- 1 | result: CONDITIONAL 2 | roleEntityRef: role:default/team2 3 | pluginId: catalog 4 | permissionMapping: 5 | - read 6 | - update 7 | - delete 8 | conditions: 9 | rule: IS_ENTITY_OWNER # replace with label, not create or update 10 | resourceType: catalog-entity 11 | params: 12 | claims: 13 | - "$currentUser" 14 | # allOf, anyOf, not 15 | -------------------------------------------------------------------------------- /components/virtualization-storageprofile-config/storage-profile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cdi.kubevirt.io/v1beta1 3 | kind: StorageProfile 4 | metadata: 5 | name: synology-csi-iscsi-delete 6 | annotations: 7 | argocd.argoproj.io/sync-options: ServerSideApply=true 8 | spec: 9 | claimPropertySets: 10 | - accessModes: 11 | - ReadWriteMany 12 | volumeMode: Block 13 | cloneStrategy: csi-clone 14 | -------------------------------------------------------------------------------- /helm/charts/hcp-cluster-deployment/templates/secret-sshkey.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: sshkey-cluster-{{ .Values.clusterName }} 6 | namespace: {{ .Values.clusterName }} 7 | annotations: 8 | argocd.argoproj.io/sync-wave: '5' 9 | labels: 10 | {{- include "hcp-cluster-deployment.labels" . 
| nindent 4 }} 11 | stringData: 12 | id_rsa.pub: {{ .Values.sshKeyPub }} 13 | -------------------------------------------------------------------------------- /components/argocd-events-config/event-bus.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: argoproj.io/v1alpha1 2 | kind: EventBus 3 | metadata: 4 | name: default 5 | spec: 6 | nats: 7 | native: 8 | # Optional, defaults to 3. If it is < 3, set it to 3, that is the minimal requirement. 9 | replicas: 3 10 | # Optional, authen strategy, "none" or "token", defaults to "none" 11 | auth: none 12 | securityContext: {} 13 | -------------------------------------------------------------------------------- /helm/charts/create-cluster/templates/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: {{ .Values.clusterName }} 6 | annotations: 7 | argocd.argoproj.io/sync-options: Delete=false,ServerSideApply=true 8 | labels: 9 | openshift.io/cluster-monitoring: "true" 10 | argocd.argoproj.io/managed-by: openshift-gitops 11 | {{- include "create-cluster.labels" . 
| nindent 4 }}
--------------------------------------------------------------------------------
/components/onepassword-connect-chart/rb.yaml:
--------------------------------------------------------------------------------
---
# Grants the anyuid SCC in the external-secrets namespace (where the 1Password Connect
# deployment from this component runs).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: system:openshift:scc:anyuid
  namespace: external-secrets
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:anyuid
subjects:
# NOTE(review): granting the SCC to the namespace's *default* ServiceAccount extends it
# to every pod in external-secrets that does not set serviceAccountName — and this
# namespace also hosts the External Secrets operator. A ServiceAccount dedicated to the
# Connect deployment keeps the SCC grant to the one workload that needs it.
- kind: ServiceAccount
  name: default
  namespace: external-secrets
--------------------------------------------------------------------------------
/components/keycloak-operator/subscription.yaml:
--------------------------------------------------------------------------------
---
# OLM Subscription for the Red Hat build of Keycloak operator, pinned to the
# stable-v22 channel with automatic InstallPlan approval.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  labels:
    operators.coreos.com/rhbk-operator.keycloak: ""
  name: rhbk-operator
  namespace: keycloak
spec:
  channel: "stable-v22"
  installPlanApproval: Automatic
  name: rhbk-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
--------------------------------------------------------------------------------
/components/kyverno-policy-config/namespace-config-vault-access/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Vault access wiring applied in the vault-admin namespace. The numeric prefixes document
# the intended dependency order (mount, auth engine, policy, role, then the secret store);
# whether the apply order actually follows the filenames depends on the kustomize/Argo CD
# ordering in use — confirm.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vault-admin
resources:
- ./01_secret-engine-mount.yaml
- ./02_kube-auth-engine-mount.yaml
- ./03_kube-auth-engine-config.yaml
- ./04_policy-secret-reader.yaml
- ./05_auth-engine-role.yaml
- ./06_external-secret-store.yaml
--------------------------------------------------------------------------------
/.taskfiles/volsync/resources/scripts/wait-for-job.sh:
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | JOB=$1 4 | NAMESPACE="${2:-default}" 5 | 6 | [[ -z "${JOB}" ]] && echo "Job name not specified" && exit 1 7 | 8 | while true; do 9 | STATUS="$(kubectl --namespace "${NAMESPACE}" get pod -l job-name="${JOB}" -o jsonpath='{.items[*].status.phase}')" 10 | if [[ "${STATUS}" == "Pending" ]]; then 11 | break 12 | fi 13 | sleep 1 14 | done 15 | -------------------------------------------------------------------------------- /components/argocd-image-updater/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: openshift-gitops 5 | 6 | helmCharts: 7 | - name: argocd-image-updater 8 | releaseName: argocd-image-updater 9 | namespace: openshift-gitops 10 | repo: https://argoproj.github.io/argo-helm 11 | version: "0.13.0" 12 | valuesInline: 13 | image: 14 | tag: "v0.15.0" 15 | -------------------------------------------------------------------------------- /components/alertmanager-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: openshift-monitoring 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./externalsecret-alertmanager.yaml 8 | helmCharts: 9 | - name: app-template 10 | releaseName: alertmanager-gotify 11 | repo: https://bjw-s-labs.github.io/helm-charts 12 | version: "4.3.0" 13 | valuesFile: values.yaml 14 | -------------------------------------------------------------------------------- /helm/charts/pac-repository/templates/namespace.yaml: -------------------------------------------------------------------------------- 1 | {{- $releaseLabels := include "pac-repository.labels" . 
-}} 2 | {{- range $key, $val := .Values.repositories }} 3 | {{- range $appNamespace := $val.appNamespaces }} 4 | apiVersion: v1 5 | kind: Namespace 6 | metadata: 7 | name: {{ $appNamespace }} 8 | labels: 9 | argocd.argoproj.io/managed-by: openshift-gitops 10 | {{- $releaseLabels | nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /components/acs-central-configuration/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | namespace: stackrox 6 | 7 | resources: 8 | - namespace.yaml 9 | - central-default-tls-cert.yaml 10 | - create-cluster-init-bundle-sa.yaml 11 | - central.yaml 12 | - create-cluster-init-bundle-job.yaml 13 | - secured-cluster.yaml 14 | - job-create-auth-provider.yaml 15 | - ./console-link.yaml 16 | -------------------------------------------------------------------------------- /components/opendora-chart/service-account.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: open-dora-helm-chart/templates/serviceaccount.yaml 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: open-dora-user 7 | labels: 8 | helm.sh/chart: open-dora-helm-chart-0.3.1 9 | app.kubernetes.io/name: open-dora-helm-chart 10 | app.kubernetes.io/instance: open-dora 11 | app.kubernetes.io/version: "0.3.1" 12 | app.kubernetes.io/managed-by: Helm 13 | -------------------------------------------------------------------------------- /helm/charts/create-cluster/values.yaml: -------------------------------------------------------------------------------- 1 | 2 | clusterName: 3 | baseDomain: 4 | vips: 5 | api: 6 | ingress: 7 | masterNode: 8 | replicas: 3 9 | cpus: 4 10 | corePerSocket: 2 11 | memoryMB: 16384 12 | diskSizeGB: 120 13 | workerNode: 14 | replicas: 0 15 | cpus: 4 16 | corePerSocket: 2 17 | 
memoryMB: 16384 18 | diskSizeGB: 120 19 | 20 | vcenter: 21 | server: 22 | cluster: 23 | datastore: 24 | network: 25 | datacenter: 26 | -------------------------------------------------------------------------------- /clusters/vsphere/keycloak.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | keycloak-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: keycloak 7 | source: 8 | path: components/keycloak-operator 9 | 10 | keycloak-config: 11 | annotations: 12 | argocd.argoproj.io/sync-wave: "30" 13 | destination: 14 | namespace: keycloak 15 | source: 16 | path: components/keycloak-config 17 | -------------------------------------------------------------------------------- /components/acm-policies/service-account.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: policy-admin 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: cluster-admin 9 | subjects: 10 | - kind: ServiceAccount 11 | name: policy-admin 12 | namespace: acm-policies 13 | --- 14 | kind: ServiceAccount 15 | apiVersion: v1 16 | metadata: 17 | name: policy-admin 18 | -------------------------------------------------------------------------------- /components/cert-manager-application/openshift-api/api-server.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: config.openshift.io/v1 3 | kind: APIServer 4 | metadata: 5 | annotations: 6 | argocd.argoproj.io/sync-options: ServerSideApply=true,Delete=false 7 | name: cluster 8 | spec: 9 | servingCerts: 10 | namedCertificates: 11 | - names: 12 | - api.${PLATFORM_BASE_DOMAIN} 13 | servingCertificate: 14 | name: openshift-api-certificate 15 | -------------------------------------------------------------------------------- 
/components/external-secrets-chart/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./namespace.yaml 6 | - ./cluster-secret-store.yaml 7 | 8 | helmCharts: 9 | - name: external-secrets 10 | releaseName: external-secrets 11 | namespace: external-secrets 12 | repo: https://charts.external-secrets.io 13 | version: 0.20.3 14 | valuesInline: 15 | installCRDs: true 16 | -------------------------------------------------------------------------------- /helm/charts/cluster-registration/templates/managed-cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cluster.open-cluster-management.io/v1 2 | kind: ManagedCluster 3 | metadata: 4 | labels: 5 | cloud: BareMetal 6 | vendor: OpenShift 7 | name: {{ .Release.Name }} 8 | cluster.open-cluster-management.io/clusterset: 'default' 9 | {{- include "cluster-registration.labels" . 
| nindent 4 }} 10 | name: {{ .Release.Name }} 11 | spec: 12 | hubAcceptsClient: true 13 | -------------------------------------------------------------------------------- /components/cert-manager-config/certmanager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operator.openshift.io/v1alpha1 2 | kind: CertManager 3 | metadata: 4 | name: cluster 5 | spec: 6 | logLevel: Normal 7 | managementState: Managed 8 | observedConfig: null 9 | operatorLogLevel: Normal 10 | unsupportedConfigOverrides: 11 | controller: 12 | args: 13 | - "--dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53" 14 | - "--dns01-recursive-nameservers-only" 15 | -------------------------------------------------------------------------------- /components/reflector/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./namespace.yaml 6 | - ./rbac.yaml 7 | 8 | helmCharts: 9 | - name: reflector 10 | releaseName: reflector 11 | namespace: reflector 12 | repo: https://emberstack.github.io/helm-charts 13 | version: "9.1.34" 14 | valuesInline: 15 | nameOverride: reflector 16 | fullnameOverride: reflector 17 | -------------------------------------------------------------------------------- /components/vault-config/external-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1beta1 2 | kind: ExternalSecret 3 | metadata: 4 | name: vault-example 5 | namespace: test-team-a 6 | spec: 7 | refreshInterval: "15s" 8 | secretStoreRef: 9 | name: vault-backend 10 | kind: SecretStore 11 | target: 12 | name: example-sync 13 | data: 14 | - secretKey: foobar 15 | remoteRef: 16 | key: test-secret 17 | property: password 18 | -------------------------------------------------------------------------------- /clusters/proxmox/acs.yaml: 
-------------------------------------------------------------------------------- 1 | applications: 2 | acs-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: rhacs-operator 7 | source: 8 | path: components/acs-operator 9 | 10 | acs-central-configuration: 11 | annotations: 12 | argocd.argoproj.io/sync-wave: "15" 13 | destination: 14 | namespace: stackrox 15 | source: 16 | path: components/acs-central-configuration 17 | -------------------------------------------------------------------------------- /clusters/proxmox/developer-hub.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | rhdh-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: rhdh-operator 7 | source: 8 | path: components/rhdh-operator 9 | developer-hub-config: 10 | annotations: 11 | argocd.argoproj.io/sync-wave: "35" 12 | destination: 13 | namespace: developer-hub 14 | source: 15 | path: components/developer-hub-config 16 | -------------------------------------------------------------------------------- /clusters/vsphere/rhdh.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | rhdh-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: rhdh-operator 7 | source: 8 | path: components/rhdh-operator 9 | 10 | developer-hub-config: 11 | annotations: 12 | argocd.argoproj.io/sync-wave: "15" 13 | destination: 14 | namespace: rhdh-operator 15 | source: 16 | path: components/developer-hub-config 17 | -------------------------------------------------------------------------------- /components/kubechecks-chart/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: kubechecks 5 | resources: 6 | - ./namespace.yaml 7 | - ./rolebinding.yaml 
8 | - ./externalsecret.yaml 9 | 10 | helmCharts: 11 | - name: kubechecks 12 | releaseName: kubechecks 13 | namespace: kubechecks 14 | repo: https://zapier.github.io/kubechecks/ 15 | version: "0.5.6" 16 | valuesFile: values.yaml 17 | -------------------------------------------------------------------------------- /clusters/proxmox/synology-csi.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | synology-csi-chart: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "10" 5 | destination: 6 | namespace: synology-csi 7 | source: 8 | path: components/synology-csi-chart 9 | ignoreDifferences: 10 | - kind: SecurityContextConstraints 11 | group: security.openshift.io 12 | name: synology-csi-scc 13 | jsonPointers: 14 | - /metadata/namespace 15 | -------------------------------------------------------------------------------- /helm/charts/hcp-cluster-deployment/templates/managed-cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cluster.open-cluster-management.io/v1 2 | kind: ManagedCluster 3 | metadata: 4 | labels: 5 | cloud: BareMetal 6 | vendor: OpenShift 7 | name: {{ .Values.clusterName }} 8 | {{- include "hcp-cluster-deployment.labels" . 
| nindent 4 }} 9 | name: {{ .Values.clusterName }} 10 | annotations: 11 | argocd.argoproj.io/sync-wave: '35' 12 | spec: 13 | hubAcceptsClient: true 14 | -------------------------------------------------------------------------------- /components/acm-placement/gitops-cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps.open-cluster-management.io/v1beta1 2 | kind: GitOpsCluster 3 | metadata: 4 | name: gitops-cluster 5 | namespace: openshift-gitops 6 | spec: 7 | argoServer: 8 | cluster: local-cluster 9 | argoNamespace: openshift-gitops 10 | placementRef: 11 | apiVersion: cluster.open-cluster-management.io/v1alpha1 12 | kind: Placement 13 | name: default-clusterset 14 | namespace: openshift-gitops 15 | -------------------------------------------------------------------------------- /components/cert-manager-application/openshift-wildcard/openshift-wildcard-certificate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: Certificate 4 | metadata: 5 | name: openshift-wildcard 6 | namespace: openshift-ingress 7 | spec: 8 | secretName: openshift-wildcard-certificate 9 | issuerRef: 10 | name: letsencrypt-prod 11 | kind: ClusterIssuer 12 | commonName: "*.apps.${PLATFORM_BASE_DOMAIN}" 13 | dnsNames: 14 | - "*.apps.${PLATFORM_BASE_DOMAIN}" 15 | -------------------------------------------------------------------------------- /components/lvm-storage/lvm-cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: lvm.topolvm.io/v1alpha1 3 | kind: LVMCluster 4 | metadata: 5 | name: lvmcluster 6 | namespace: openshift-storage 7 | spec: 8 | storage: 9 | deviceClasses: 10 | - fstype: xfs 11 | default: true 12 | name: vg1 13 | thinPoolConfig: 14 | chunkSizeCalculationPolicy: Static 15 | name: thin-pool-1 16 | overprovisionRatio: 10 17 | sizePercent: 90 18 | 
-------------------------------------------------------------------------------- /helm/charts/infra-env/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /components/synology-csi-chart/storage-class.yaml: -------------------------------------------------------------------------------- 1 | kind: StorageClass 2 | apiVersion: storage.k8s.io/v1 3 | metadata: 4 | name: synology-csi-iscsi-delete 5 | annotations: 6 | storageclass.kubevirt.io/is-default-virt-class: "true" 7 | provisioner: csi.san.synology.com 8 | parameters: 9 | formatOptions: "--nodiscard" 10 | fsType: btrfs 11 | location: /volume1 12 | protocol: iscsi 13 | reclaimPolicy: Delete 14 | allowVolumeExpansion: true 15 | volumeBindingMode: Immediate 16 | -------------------------------------------------------------------------------- /helm/charts/create-cluster/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /helm/charts/pac-repository/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /components/acm-placement/placement.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cluster.open-cluster-management.io/v1beta1 3 | kind: Placement 4 | metadata: 5 | name: default-clusterset 6 | namespace: openshift-gitops 7 | spec: 8 | clusterSets: 9 | - default 10 | predicates: 11 | - requiredClusterSelector: 12 | labelSelector: 13 | matchExpressions: 14 | - key: gitops-bootstrap 15 | operator: In 16 | values: 17 | - "true" 18 | -------------------------------------------------------------------------------- /helm/charts/cluster-deployment/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /helm/charts/tenants-iac-gitops/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /clusters/proxmox/logging.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | openshift-logging-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: openshift-logging 7 | source: 8 | path: components/openshift-logging-operator 9 | log-forwarder-config: 10 | annotations: 11 | argocd.argoproj.io/sync-wave: "25" 12 | destination: 13 | namespace: openshift-logging 14 | source: 15 | path: components/log-forwarder-config 16 | -------------------------------------------------------------------------------- /components/virtualization-operator/subscription.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: kubevirt-hyperconverged 6 | namespace: openshift-cnv 7 | spec: 8 | channel: stable 9 | installPlanApproval: Automatic 10 | 
name: kubevirt-hyperconverged 11 | source: redhat-operators 12 | sourceNamespace: openshift-marketplace 13 | config: 14 | selector: 15 | matchLabels: 16 | name: hyperconverged-cluster-operator 17 | -------------------------------------------------------------------------------- /helm/charts/cluster-registration/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /helm/charts/hcp-cluster-deployment/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /clusters/proxmox/external-secrets.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | external-secrets-chart: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: external-secrets 7 | source: 8 | path: components/external-secrets-chart 9 | external-secret-config: 10 | annotations: 11 | argocd.argoproj.io/sync-wave: "10" 12 | destination: 13 | namespace: external-secrets 14 | source: 15 | path: components/external-secrets-config 16 | -------------------------------------------------------------------------------- /clusters/vsphere/external-secrets.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | external-secrets-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: external-secrets 7 | source: 8 | path: components/external-secrets-operator 9 | external-secret-config: 10 | annotations: 11 | argocd.argoproj.io/sync-wave: "10" 12 | destination: 13 | namespace: external-secrets 14 | source: 15 | path: components/external-secrets-config 16 | -------------------------------------------------------------------------------- /components/devspaces-config/configmap.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: profile 5 | namespace: vikas-devspaces 6 | labels: 7 | controller.devfile.io/mount-to-devworkspace: "true" 8 | controller.devfile.io/watch-configmap: "true" 9 | annotations: 10 | controller.devfile.io/mount-as: subpath 11 
| controller.devfile.io/mount-path: /home/user 12 | data: 13 | .gitconfig: | 14 | [user] 15 | name = vikaspogu 16 | email = vikaspoguadf@gmail.com 17 | -------------------------------------------------------------------------------- /components/acm-policies-config/secured-cluster-policy/policy-generator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: policy.open-cluster-management.io/v1 3 | kind: PolicyGenerator 4 | metadata: 5 | name: secured-cluster-secret-policy-generator 6 | policyDefaults: 7 | namespace: stackrox 8 | severity: high 9 | placement: 10 | placementRulePath: placement-rule.yaml 11 | policies: 12 | - name: secured-cluster-secret-policy 13 | manifests: 14 | - path: configuration-policy.yaml 15 | remediationAction: enforce 16 | -------------------------------------------------------------------------------- /components/ldap-sync-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: ldap-sync 5 | resources: 6 | - ./namespace.yaml 7 | - ./service-account.yaml 8 | - ./cluster-role.yaml 9 | - ./cluster-role-binding.yaml 10 | - ./externalsecret.yaml 11 | - ./cron-job.yaml 12 | 13 | configMapGenerator: 14 | - name: ldap-group-syncer 15 | files: 16 | - sync.yaml=./ldap-sync.yaml 17 | generatorOptions: 18 | disableNameSuffixHash: true 19 | -------------------------------------------------------------------------------- /components/patch-operator/subscription.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: patch-operator 6 | namespace: patch-operator 7 | spec: 8 | channel: alpha 9 | installPlanApproval: Automatic 10 | name: patch-operator 11 | source: community-operators 12 | sourceNamespace: openshift-marketplace 
13 | config: 14 | resources: 15 | limits: 16 | memory: 2000Mi 17 | requests: 18 | cpu: 100m 19 | memory: 500Mi 20 | -------------------------------------------------------------------------------- /components/openshift-pipelines-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: openshift-pipelines 5 | resources: 6 | - ./tekton-config.yaml 7 | - ./pac-externalsecret.yaml 8 | - ./task-s2i.yaml 9 | - ./task-kube-tools.yaml 10 | - ./task-helm-uninstall.yaml 11 | - ./task-rhacs-image-scan.yaml 12 | - ./task-open-pr.yaml 13 | - ./task-replace-string.yaml 14 | - ./task-helm-upgrade-from-source.yaml 15 | - ./task-git-cli-custom.yaml 16 | -------------------------------------------------------------------------------- /helm/charts/cluster-deployment/values.yaml: -------------------------------------------------------------------------------- 1 | location: insert-location-here 2 | openshiftVersion: 4.14.16 3 | inventoryName: 4 | workers: 0 5 | masters: 3 6 | ingressVIP: 7 | apiVIP: 8 | holdInstallation: false 9 | networking: 10 | clusterCidr: 10.128.0.0/14 11 | machineCidr: 12 | serviceNetwork: 172.30.0.0/16 13 | clusterSet: default 14 | baseDomain: example.com 15 | automaticHostBinding: true 16 | agentLabelSelector: 17 | patch: agent-install.openshift.io/bmh 18 | deployment: {} 19 | hostNames: 20 | - host1 21 | -------------------------------------------------------------------------------- /components/image-registry-config/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: imageregistry.operator.openshift.io/v1 3 | kind: Config 4 | metadata: 5 | name: cluster 6 | annotations: 7 | argocd.argoproj.io/sync-options: ServerSideApply=true 8 | spec: 9 | managementState: Managed 10 | storage: 11 | managementState: Unmanaged 12 | s3: 13 | bucket: image-registry 14 | 
region: us-1 15 | regionEndpoint: "https://s3.vikaspogu.com" 16 | trustedCA: 17 | name: "" 18 | virtualHostedStyle: false 19 | -------------------------------------------------------------------------------- /components/acm-policies-config/sops-auth-policy/policy-generator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: policy.open-cluster-management.io/v1 3 | kind: PolicyGenerator 4 | metadata: 5 | name: sops-auth-policy-generator 6 | policyDefaults: 7 | namespace: openshift-gitops 8 | severity: high 9 | placement: 10 | clusterSelectors: 11 | cluster.open-cluster-management.io/clusterset: default 12 | policies: 13 | - name: sops-auth-policy 14 | manifests: 15 | - path: configuration-policy.yaml 16 | remediationAction: enforce 17 | -------------------------------------------------------------------------------- /components/external-secrets-config/vault-cluster-secret-store.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ClusterSecretStore 4 | metadata: 5 | name: onepassword-connect 6 | spec: 7 | provider: 8 | onepassword: 9 | connectHost: http://onepassword-connect:8080 10 | vaults: 11 | Kubernetes: 1 12 | auth: 13 | secretRef: 14 | connectTokenSecretRef: 15 | name: onepassword-connect-token 16 | key: token 17 | namespace: external-secrets 18 | -------------------------------------------------------------------------------- /components/sonarqube/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | annotations: 6 | route.openshift.io/termination: "edge" 7 | name: sonarqube 8 | spec: 9 | rules: 10 | - host: sonarqube-cicd-tools.apps.${PLATFORM_BASE_DOMAIN} 11 | http: 12 | paths: 13 | - path: / 14 | pathType: Prefix 15 | backend: 16 | service: 17 | name: sonarqube 18 | port: 19 | name: 
9000-tcp 20 | -------------------------------------------------------------------------------- /devfile.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: 2.2.0 2 | attributes: 3 | controller.devfile.io/storage-type: per-workspace 4 | metadata: 5 | name: openshift-multicluster 6 | components: 7 | - name: dev-tools 8 | container: 9 | image: quay.io/rhn_gps_vpogu/devspaces-fedora40-tooling:2.0.0 10 | memoryLimit: 4Gi 11 | mountSources: true 12 | env: 13 | - name: SHELL 14 | value: "/bin/zsh" 15 | - name: VSCODE_DEFAULT_WORKSPACE 16 | value: "/projects/openshift-multicluster/code-workspace" 17 | -------------------------------------------------------------------------------- /components/tekton-dashboard/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: tekton-dashboard 6 | annotations: 7 | route.openshift.io/termination: "edge" 8 | spec: 9 | rules: 10 | - host: tekton-dashboard.apps.${PLATFORM_BASE_DOMAIN} 11 | http: 12 | paths: 13 | - pathType: ImplementationSpecific 14 | backend: 15 | service: 16 | name: tekton-dashboard 17 | port: 18 | number: 9097 19 | -------------------------------------------------------------------------------- /components/acm-policies-config/configmap-copy-policy/policy-generator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: policy.open-cluster-management.io/v1 3 | kind: PolicyGenerator 4 | metadata: 5 | name: configmap-copy-policy-generator 6 | policyDefaults: 7 | namespace: openshift-gitops 8 | severity: high 9 | placement: 10 | clusterSelectors: 11 | cluster.open-cluster-management.io/clusterset: default 12 | policies: 13 | - name: configmap-copy-policy 14 | manifests: 15 | - path: configuration-policy.yaml 16 | remediationAction: enforce 17 | 
-------------------------------------------------------------------------------- /components/gitops-bootstrap-policy/manifests/gitops-subscription/base/subscription.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: openshift-gitops-operator 6 | namespace: openshift-operators 7 | spec: 8 | channel: latest 9 | installPlanApproval: Automatic 10 | name: openshift-gitops-operator 11 | source: redhat-operators 12 | sourceNamespace: openshift-marketplace 13 | config: 14 | env: 15 | - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES 16 | value: openshift-gitops 17 | -------------------------------------------------------------------------------- /components/vault-config-operator/subscription.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: vault-config-operator 6 | namespace: vault-config-operator 7 | spec: 8 | channel: 9 | installPlanApproval: Automatic 10 | name: vault-config-operator 11 | source: community-operators 12 | sourceNamespace: openshift-marketplace 13 | config: 14 | env: 15 | - name: VAULT_ADDR 16 | value: 17 | - name: VAULT_SKIP_VERIFY 18 | value: "true" 19 | -------------------------------------------------------------------------------- /components/vault-config/external-secret-store.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1beta1 2 | kind: SecretStore 3 | metadata: 4 | name: vault-backend 5 | namespace: test-team-a 6 | spec: 7 | provider: 8 | vault: 9 | auth: 10 | kubernetes: 11 | mountPath: proxmox/team-a-kubernetes 12 | role: team-a-secret-reader 13 | serviceAccountRef: 14 | name: default 15 | path: "proxmox/team-a-kubernetes" 16 | server: "http://vault.vault.svc.cluster.local:8200" 17 | version: v1 18 | 
--------------------------------------------------------------------------------
/components/argocd-events-config/event-source.yaml:
--------------------------------------------------------------------------------
# Argo Events EventSource that emits an event for each newly created OLM
# InstallPlan whose approval mode is Manual; the consumer is not shown here.
apiVersion: argoproj.io/v1alpha1
kind: EventSource
metadata:
  name: resource
spec:
  template:
    # Runs as the `argo-workflows-admin-user` ServiceAccount defined in
    # components/argocd-workflows/service-account.yaml. The cluster RBAC that SA
    # carries is not visible here; watching installplans needs only list/watch
    # on that resource, so confirm the SA is not granted more than that (or
    # give this source its own SA).
    serviceAccountName: argo-workflows-admin-user
  resource:
    install-plan-add-update-filter:
      group: operators.coreos.com
      version: "v1alpha1"
      resource: installplans
      # Only ADD is subscribed, despite the key's "add-update" name: an
      # InstallPlan that is created Automatic and later changes to Manual is
      # not observed.
      eventTypes:
        - ADD
      filter:
        fields:
          - key: spec.approval
            operation: ==
            value: Manual

--------------------------------------------------------------------------------
/.github/linters/.yamllint.yaml:
--------------------------------------------------------------------------------
# yamllint configuration (path suggests it is consumed by the GitHub linter job).
---
# Literal block: one path or glob per line. SOPS-encrypted files (*.sops.*) and
# vendored/generated content are skipped.
ignore: |
  *.sops.*
  gotk-components.yaml
  argocd-apps
  xanmanning.k3s
  charts/
  docs/
  .private/
  .terraform/
  .vscode/
extends: default
rules:
  truthy:
    allowed-values: ["true", "false", "on"]
  comments:
    min-spaces-from-content: 1
  line-length: disable
  braces:
    min-spaces-inside: 0
    max-spaces-inside: 1
  brackets:
    min-spaces-inside: 0
    max-spaces-inside: 0
  indentation: enable

--------------------------------------------------------------------------------
/components/aap-config/externalsecret.yaml:
--------------------------------------------------------------------------------
# Renders the Ansible Automation Platform user token and host from the
# onepassword-connect ClusterSecretStore (item `aap`) into Secret aap-user-token.
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  # No namespace set: relies on the enclosing kustomization / Argo CD
  # destination to supply one — confirm.
  name: aap-user-token
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: aap-user-token
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        token: "{{ .USER_TOKEN }}"
        host: "{{ .HOST }}"
        # Tells consumers of this Secret to skip TLS verification toward the AAP
        # host, so an impersonated endpoint cannot be distinguished from the real
        # one and the token would be handed to it. Prefer "true" with the AAP
        # CA trusted by the consumer.
        verify_ssl: "false"
  dataFrom:
    - extract:
        key: aap
-------------------------------------------------------------------------------- /components/cloudflared/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: networking 5 | resources: 6 | - namespace.yaml 7 | - ./external-secret.yaml 8 | 9 | generatorOptions: 10 | disableNameSuffixHash: true 11 | annotations: 12 | reloader.stakater.com/match: "true" 13 | 14 | helmCharts: 15 | - name: cloudflared 16 | releaseName: cloudflared 17 | namespace: networking 18 | repo: https://xunholy.github.io/charts 19 | version: "0.1.2" 20 | valuesFile: values.yaml 21 | -------------------------------------------------------------------------------- /helm/charts/create-cluster/templates/managed-cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cluster.open-cluster-management.io/v1 3 | kind: ManagedCluster 4 | metadata: 5 | labels: 6 | cloud: vSphere 7 | name: {{ .Values.clusterName }} 8 | vendor: OpenShift 9 | cluster.open-cluster-management.io/clusterset: {{.Values.acmClusterSet}} 10 | {{- if .Values.gitopsDeploy }} 11 | gitops: 'deploy' 12 | {{- end }} 13 | {{- include "create-cluster.labels" . 
| nindent 4 }} 14 | name: {{ .Values.clusterName }} 15 | spec: 16 | hubAcceptsClient: true 17 | -------------------------------------------------------------------------------- /clusters/proxmox/volsync.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | volsync-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: volsync-operator 7 | source: 8 | path: components/volsync-operator 9 | plugin: 10 | name: argocd-lovely-plugin 11 | env: 12 | - name: LOVELY_PREPROCESSORS 13 | value: yq -i '.helmCharts.0.valuesInline.operators.0.channel="stable"' kustomization.yaml,yq -i '.helmCharts.0.valuesInline.operators.0.csv="volsync-product.v0.11.1"' kustomization.yaml 14 | -------------------------------------------------------------------------------- /helm/charts/cluster-deployment/templates/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: pull-secret-{{ .Release.Name }} 6 | namespace: {{ .Release.Namespace }} 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: pull-secret-{{ .Release.Name }} 13 | creationPolicy: Owner 14 | data: 15 | - secretKey: .dockerconfigjson 16 | remoteRef: 17 | key: redhat-pull-secret 18 | property: pull-secret 19 | -------------------------------------------------------------------------------- /helm/charts/cluster-deployment/templates/patches-rbac.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.automaticHostBinding }} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: cluster-patches-rbac-{{ .Release.Name }} 6 | namespace: {{ .Release.Name }} 7 | labels: 8 | {{- include "cluster-deployment.labels" . 
| nindent 4 }} 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: {{ .Release.Name }} 13 | roleRef: 14 | kind: ClusterRole 15 | name: edit 16 | apiGroup: rbac.authorization.k8s.io 17 | {{ end }} 18 | -------------------------------------------------------------------------------- /components/acm-policies-config/configmap-copy-policy/config-map.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: machineset 5 | data: 6 | ingress-cpu: "15" 7 | zone1-cpu: "25" 8 | ops-cpu: "35" 9 | --- 10 | apiVersion: v1 11 | kind: ConfigMap 12 | metadata: 13 | name: machineset-zone1 14 | data: 15 | cpu: "15" 16 | --- 17 | apiVersion: v1 18 | kind: ConfigMap 19 | metadata: 20 | name: machineset-ingress 21 | data: 22 | cpu: "20" 23 | --- 24 | apiVersion: v1 25 | kind: ConfigMap 26 | metadata: 27 | name: machineset-ops 28 | data: 29 | cpu: "25" 30 | -------------------------------------------------------------------------------- /components/metallb-hcp-config/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Service 3 | apiVersion: v1 4 | metadata: 5 | annotations: 6 | metallb.universe.tf/address-pool: ingress-public-ip 7 | name: metallb-ingress 8 | namespace: openshift-ingress 9 | spec: 10 | ports: 11 | - name: http 12 | protocol: TCP 13 | port: 80 14 | targetPort: 80 15 | - name: https 16 | protocol: TCP 17 | port: 443 18 | targetPort: 443 19 | selector: 20 | ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default 21 | type: LoadBalancer 22 | -------------------------------------------------------------------------------- /components/openshift-gitops-config/plugin-configmap.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: helm-multivalues-plugin 6 | data: 7 | plugin.yaml: 
| 8 | apiVersion: argoproj.io/v1alpha1 9 | kind: ConfigManagementPlugin 10 | metadata: 11 | name: helm-multivalues-plugin 12 | spec: 13 | init: 14 | command: [sh, -c, 'helm plugin list'] 15 | generate: 16 | command: [sh, -c, 'helm multivalues template $ARGOCD_APP_NAME $ARGOCD_ENV_CHART_PATH --values $ARGOCD_ENV_VALUES_FILE -f $ARGOCD_ENV_VALUES_FOLDER'] 17 | -------------------------------------------------------------------------------- /components/agent-service-config/agent-service-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: agent-install.openshift.io/v1beta1 3 | kind: AgentServiceConfig 4 | metadata: 5 | name: agent 6 | annotations: 7 | unsupported.agent-install.openshift.io/assisted-service-configmap: "assisted-service-config" 8 | spec: 9 | databaseStorage: 10 | accessModes: 11 | - ReadWriteOnce 12 | resources: 13 | requests: 14 | storage: 40Gi 15 | filesystemStorage: 16 | accessModes: 17 | - ReadWriteOnce 18 | resources: 19 | requests: 20 | storage: 40Gi 21 | -------------------------------------------------------------------------------- /components/cert-manager-config/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: cert-manager-secret 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: cert-manager-secret 12 | creationPolicy: Owner 13 | data: 14 | - secretKey: api-key 15 | remoteRef: 16 | conversionStrategy: Default 17 | decodingStrategy: None 18 | key: cloudflare 19 | property: api_key_v3s 20 | metadataPolicy: None 21 | -------------------------------------------------------------------------------- /components/kyverno-chart/rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | 
kind: ClusterRoleBinding 4 | metadata: 5 | name: kyverno:cluster-admin 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: cluster-admin 10 | subjects: 11 | - kind: ServiceAccount 12 | name: kyverno-admission-controller 13 | namespace: kyverno 14 | - kind: ServiceAccount 15 | name: kyverno-cleanup-controller 16 | namespace: kyverno 17 | - kind: ServiceAccount 18 | name: kyverno-background-controller 19 | namespace: kyverno 20 | -------------------------------------------------------------------------------- /components/external-secrets-chart/cluster-secret-store.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ClusterSecretStore 4 | metadata: 5 | name: onepassword-connect 6 | annotations: 7 | argocd.argoproj.io/sync-wave: "35" 8 | spec: 9 | provider: 10 | onepassword: 11 | connectHost: http://onepassword-connect:8080 12 | vaults: 13 | Kubernetes: 1 14 | auth: 15 | secretRef: 16 | connectTokenSecretRef: 17 | name: onepassword-connect-token 18 | key: token 19 | namespace: external-secrets 20 | -------------------------------------------------------------------------------- /helm/charts/hcp-cluster-deployment/templates/certificate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: Certificate 4 | metadata: 5 | name: oauth-cert 6 | namespace: {{ .Values.clusterName }} 7 | annotations: 8 | argocd.argoproj.io/sync-wave: '5' 9 | labels: 10 | {{- include "hcp-cluster-deployment.labels" . 
| nindent 4 }} 11 | spec: 12 | secretName: oauth-cert 13 | issuerRef: 14 | name: letsencrypt-staging 15 | kind: ClusterIssuer 16 | dnsNames: 17 | - oauth-{{ .Values.clusterName }}-{{ .Values.clusterName }}.apps.proxmox.{{ .Values.baseDomain }} 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Editors 2 | .vscode/ 3 | # Trash 4 | .DS_Store 5 | Thumbs.db 6 | # k8s 7 | kubeconfig 8 | # vscode-sops 9 | .decrypted~*.yaml 10 | .config.env 11 | *.agekey 12 | # Ansible 13 | xanmanning.k3s* 14 | mrlesmithjr.manage-lvm* 15 | zaxos.glances-ansible-role* 16 | # Terraform 17 | .terraform 18 | .terraform.lock.hcl 19 | .terraform.tfstate* 20 | terraform.tfstate* 21 | tmpl 22 | old_work 23 | .cluster-secrets.env 24 | provision/kubeadmin-password 25 | tls.* 26 | /helm/charts/**/charts 27 | /**/**/charts 28 | !/helm/**/charts 29 | openshift-install* 30 | installer/pxm* 31 | archived/ 32 | -------------------------------------------------------------------------------- /components/gitops-bootstrap-policy/manifests/gitops-subscription/base/cluster-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: cluster-admin-gitops-sc 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: cluster-admin 10 | subjects: 11 | - kind: ServiceAccount 12 | name: openshift-gitops-argocd-application-controller 13 | namespace: openshift-gitops 14 | - kind: ServiceAccount 15 | name: openshift-gitops-applicationset-controller 16 | namespace: openshift-gitops 17 | -------------------------------------------------------------------------------- /components/acm-policies-config/argocd-notification-annotation-policy/policy-generator.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: policy.open-cluster-management.io/v1 3 | kind: PolicyGenerator 4 | metadata: 5 | name: argocd-notification-annotation-policy-generator 6 | policyDefaults: 7 | namespace: openshift-gitops 8 | severity: high 9 | placement: 10 | clusterSelectors: 11 | cluster.open-cluster-management.io/clusterset: default 12 | policies: 13 | - name: argocd-notification-annotation-policy 14 | manifests: 15 | - path: configuration-policy.yaml 16 | remediationAction: enforce 17 | -------------------------------------------------------------------------------- /components/ldap-sync-config/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: ldap-secret 6 | namespace: ldap-sync 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: ldap-secret 13 | creationPolicy: Owner 14 | data: 15 | - secretKey: bindPassword 16 | remoteRef: 17 | conversionStrategy: Default 18 | decodingStrategy: None 19 | key: lldap 20 | property: LLDAP_LDAP_USER_PASS 21 | metadataPolicy: None 22 | -------------------------------------------------------------------------------- /.github/linters/.markdownlint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | default: true 3 | 4 | # MD013/line-length - Line length 5 | MD013: 6 | # Number of characters 7 | line_length: 240 8 | # Number of characters for headings 9 | heading_line_length: 80 10 | # Number of characters for code blocks 11 | code_block_line_length: 80 12 | # Include code blocks 13 | code_blocks: true 14 | # Include tables 15 | tables: true 16 | # Include headings 17 | headings: true 18 | # Include headings 19 | headers: true 20 | # Strict length checking 21 | strict: false 22 | # Stern length checking 23 
| stern: false 24 | -------------------------------------------------------------------------------- /.taskfiles/volsync/resources/templates/list.yaml.j2: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: batch/v1 3 | kind: Job 4 | metadata: 5 | name: volsync-list-{{ ENV.APP }} 6 | namespace: {{ ENV.NS }} 7 | spec: 8 | ttlSecondsAfterFinished: 3600 9 | template: 10 | spec: 11 | automountServiceAccountToken: false 12 | restartPolicy: OnFailure 13 | containers: 14 | - name: main 15 | image: docker.io/restic/restic:latest 16 | args: ["snapshots"] 17 | envFrom: 18 | - secretRef: 19 | name: {{ ENV.APP }}-volsync-secret 20 | resources: {} 21 | -------------------------------------------------------------------------------- /components/argocd-chart/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: argo-system 4 | resources: 5 | - ./namespace.yaml 6 | - ./ingress-route.yaml 7 | - ./external-secret.yaml 8 | 9 | configMapGenerator: 10 | - files: 11 | - plugin.yaml=setenv-cmp-plugin.yaml 12 | name: setenv-cmp-plugin 13 | 14 | helmCharts: 15 | - name: argo-cd 16 | releaseName: argo-cd 17 | repo: https://argoproj.github.io/argo-helm 18 | version: 8.6.1 19 | valuesFile: values.yaml 20 | 21 | generatorOptions: 22 | disableNameSuffixHash: true 23 | -------------------------------------------------------------------------------- /components/cloudflared/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: cloudflared 6 | namespace: networking 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: cloudflared 13 | creationPolicy: Owner 14 | data: 15 | - secretKey: credential.json 16 | 
remoteRef: 17 | conversionStrategy: Default 18 | decodingStrategy: None 19 | metadataPolicy: None 20 | key: cloudflare 21 | property: openshift_credentials.json 22 | -------------------------------------------------------------------------------- /components/cert-manager-application/openshift-wildcard/ingress-controller.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operator.openshift.io/v1 3 | kind: IngressController 4 | metadata: 5 | annotations: 6 | argocd.argoproj.io/sync-options: ServerSideApply=true,Delete=false 7 | name: default 8 | namespace: openshift-ingress-operator 9 | spec: 10 | defaultCertificate: 11 | name: "openshift-wildcard-certificate" 12 | httpCompression: 13 | mimeTypes: 14 | - "text/html" 15 | - "text/css; charset=utf-8" 16 | - "application/json" 17 | tuningOptions: 18 | maxConnections: 7500 19 | threadCount: 8 20 | -------------------------------------------------------------------------------- /components/apache-devlake-chart/external-secret-regred.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: regcred 6 | namespace: apache-devlake 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: regcred 13 | creationPolicy: Owner 14 | data: 15 | - secretKey: .dockerconfigjson 16 | remoteRef: 17 | conversionStrategy: Default 18 | decodingStrategy: None 19 | metadataPolicy: None 20 | property: .dockerconfigjson 21 | key: ghrc_regcred 22 | -------------------------------------------------------------------------------- /components/argocd-webhook/externalsecrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: argocd-secret 6 | spec: 7 | secretStoreRef: 8 | 
kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: argocd-secret 12 | creationPolicy: Merge 13 | template: 14 | engineVersion: v2 15 | data: 16 | webhook.github.secret: "{{.WEBHOOK_SECRET}}" 17 | dataFrom: 18 | - extract: 19 | conversionStrategy: Default 20 | decodingStrategy: None 21 | key: argocd 22 | metadataPolicy: None 23 | -------------------------------------------------------------------------------- /helm/charts/pac-repository/templates/repository.yaml: -------------------------------------------------------------------------------- 1 | {{- $releaseLabels := include "pac-repository.labels" . -}} 2 | {{- range $key, $val := .Values.repositories }} 3 | {{- $repoName := ( splitList "/" $val.url | last | replace ".git" "")}} 4 | --- 5 | apiVersion: "pipelinesascode.tekton.dev/v1alpha1" 6 | kind: Repository 7 | metadata: 8 | name: {{ $repoName }} 9 | namespace: {{ $val.pacNamespace }} 10 | labels: 11 | {{- $releaseLabels | nindent 4 }} 12 | spec: 13 | url: {{ $val.url }} 14 | {{- with $val.additionalSettings }} 15 | settings: 16 | {{- toYaml . 
| nindent 4 }} 17 | {{- end }} 18 | {{- end }} -------------------------------------------------------------------------------- /components/acm-policies-config/sops-auth-policy/configuration-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: policy.open-cluster-management.io/v1 3 | kind: ConfigurationPolicy 4 | metadata: 5 | name: sops-auth-policy 6 | spec: 7 | object-templates: 8 | - complianceType: musthave 9 | objectDefinition: 10 | apiVersion: v1 11 | kind: Secret 12 | metadata: 13 | name: sops-age 14 | namespace: openshift-gitops 15 | data: 16 | keys.txt: '{{hub fromSecret "" "sops-age" "keys.txt" hub}}' 17 | type: Opaque 18 | remediationAction: enforce 19 | pruneObjectBehavior: DeleteAll 20 | -------------------------------------------------------------------------------- /components/oauth-config/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: oauth-secret 6 | namespace: openshift-config 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: oauth-secret 13 | creationPolicy: Owner 14 | template: 15 | engineVersion: v2 16 | data: 17 | clientSecret: "" 18 | dataFrom: 19 | - extract: 20 | conversionStrategy: Default 21 | decodingStrategy: None 22 | key: openshift 23 | metadataPolicy: None 24 | -------------------------------------------------------------------------------- /clusters/proxmox/lvm.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | lvm-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: openshift-storage 7 | source: 8 | path: components/lvm-operator 9 | plugin: 10 | name: argocd-lovely-plugin 11 | env: 12 | - name: LOVELY_PREPROCESSORS 13 | value: yq -i 
'.spec.channel="stable-4.17"' subscription.yaml 14 | lvm-storage: 15 | annotations: 16 | argocd.argoproj.io/sync-wave: "10" 17 | destination: 18 | namespace: openshift-storage 19 | source: 20 | path: components/lvm-storage 21 | -------------------------------------------------------------------------------- /components/argocd-workflows/service-account.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: argo-workflows-admin-user 6 | namespace: openshift-gitops 7 | annotations: 8 | kubernetes.io/service-account.name: argo-workflows-admin-user 9 | type: kubernetes.io/service-account-token 10 | --- 11 | apiVersion: v1 12 | kind: ServiceAccount 13 | metadata: 14 | name: argo-workflows-admin-user 15 | namespace: openshift-gitops 16 | annotations: 17 | workflows.argoproj.io/rbac-rule: "'admins' in groups" 18 | workflows.argoproj.io/rbac-rule-precedence: "1" 19 | secrets: 20 | - name: argo-workflows-admin-user 21 | -------------------------------------------------------------------------------- /components/web-terminal-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | helmCharts: 6 | - name: operators-installer 7 | releaseName: web-terminal-operator 8 | namespace: web-terminal-operator 9 | repo: https://redhat-cop.github.io/helm-charts 10 | version: "3.3.0" 11 | valuesInline: 12 | operators: 13 | - channel: 14 | installPlanApproval: Automatic 15 | name: web-terminal 16 | source: redhat-operators 17 | sourceNamespace: openshift-marketplace 18 | operatorGroups: 19 | - createNamespace: true 20 | -------------------------------------------------------------------------------- /components/cert-manager-config/prod-cluster-issuer.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 
apiVersion: cert-manager.io/v1 3 | kind: ClusterIssuer 4 | metadata: 5 | name: letsencrypt-prod 6 | spec: 7 | acme: 8 | server: https://acme-v02.api.letsencrypt.org/directory 9 | email: "vikaspoguadf@gmail.com" 10 | privateKeySecretRef: 11 | name: letsencrypt-prod 12 | solvers: 13 | - dns01: 14 | cloudflare: 15 | email: "vikaspoguadf@gmail.com" 16 | apiTokenSecretRef: 17 | name: cert-manager-secret 18 | key: api-key 19 | selector: 20 | dnsZones: 21 | - ${CLUSTER_BASE_DOMAIN} 22 | -------------------------------------------------------------------------------- /components/keycloak-config/keycloak.yaml: -------------------------------------------------------------------------------- 1 | kind: Keycloak 2 | apiVersion: k8s.keycloak.org/v2alpha1 3 | metadata: 4 | name: keycloak 5 | annotations: 6 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 7 | labels: 8 | app: sso 9 | namespace: keycloak 10 | spec: 11 | instances: 1 12 | hostname: 13 | hostname: keycloak.apps.vsphere.v3socp.boo 14 | db: 15 | vendor: postgres 16 | host: postgres-db 17 | usernameSecret: 18 | name: keycloak-db-secret 19 | key: username 20 | passwordSecret: 21 | name: keycloak-db-secret 22 | key: password 23 | http: 24 | tlsSecret: keycloak-tls-cert 25 | -------------------------------------------------------------------------------- /components/acs-secured-configuration/secured-cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: platform.stackrox.io/v1alpha1 2 | kind: SecuredCluster 3 | metadata: 4 | name: secured-cluster 5 | namespace: stackrox 6 | spec: 7 | clusterName: 8 | auditLogs: 9 | collection: Auto 10 | admissionControl: 11 | listenOnUpdates: true 12 | bypass: BreakGlassAnnotation 13 | contactImageScanners: DoNotScanInline 14 | listenOnCreates: true 15 | timeoutSeconds: 3 16 | listenOnEvents: true 17 | centralEndpoint: 18 | perNode: 19 | collector: 20 | collection: EBPF 21 | imageFlavor: Regular 22 | 
taintToleration: TolerateTaints 23 | -------------------------------------------------------------------------------- /clusters/proxmox/virtualization.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | virtualization-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: openshift-cnv 7 | source: 8 | path: components/virtualization-operator 9 | virtualization-config: 10 | annotations: 11 | argocd.argoproj.io/sync-wave: "15" 12 | destination: 13 | namespace: openshift-cnv 14 | source: 15 | path: components/virtualization-config 16 | virtualization-storageprofile-config: 17 | annotations: 18 | argocd.argoproj.io/sync-wave: "25" 19 | source: 20 | path: components/kubervirt-storageprofile-config 21 | -------------------------------------------------------------------------------- /components/cert-manager-config/staging-cluster-issuer.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: ClusterIssuer 4 | metadata: 5 | name: letsencrypt-staging 6 | spec: 7 | acme: 8 | server: https://acme-staging-v02.api.letsencrypt.org/directory 9 | email: "vikaspoguadf@gmail.com" 10 | privateKeySecretRef: 11 | name: letsencrypt-staging 12 | solvers: 13 | - dns01: 14 | cloudflare: 15 | email: "vikaspoguadf@gmail.com" 16 | apiTokenSecretRef: 17 | name: cert-manager-secret 18 | key: api-key 19 | selector: 20 | dnsZones: 21 | - ${CLUSTER_BASE_DOMAIN} 22 | -------------------------------------------------------------------------------- /components/volsync-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | helmCharts: 6 | - name: operators-installer 7 | releaseName: volsync-operator 8 | namespace: volsync-operator 9 | repo: https://redhat-cop.github.io/helm-charts 
10 | version: "3.3.0" 11 | valuesInline: 12 | operators: 13 | - channel: 14 | installPlanApproval: Automatic 15 | name: volsync-product 16 | source: redhat-operators 17 | sourceNamespace: openshift-marketplace 18 | csv: 19 | operatorGroups: 20 | - createNamespace: true 21 | -------------------------------------------------------------------------------- /helm/charts/pac-repository/templates/role-binding.yaml: -------------------------------------------------------------------------------- 1 | {{- $releaseLabels := include "pac-repository.labels" . -}} 2 | {{- range $key, $val := .Values.repositories }} 3 | {{- range $appNamespace := $val.appNamespaces }} 4 | --- 5 | apiVersion: rbac.authorization.k8s.io/v1 6 | kind: RoleBinding 7 | metadata: 8 | name: {{ $appNamespace }}-pipeline-edit 9 | namespace: {{ $appNamespace }} 10 | labels: 11 | {{- $releaseLabels | nindent 4 }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: edit 16 | subjects: 17 | - kind: ServiceAccount 18 | name: pipeline 19 | namespace: {{ $val.pacNamespace }} 20 | {{- end }} 21 | {{- end }} -------------------------------------------------------------------------------- /components/kubechecks-chart/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: kubechecks 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: kubechecks 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | KUBECHECKS_VCS_TOKEN: "{{ .GH_TOKEN }}" 17 | KUBECHECKS_ARGOCD_API_TOKEN: "{{.ARGOCD_TOKEN}}" 18 | dataFrom: 19 | - extract: 20 | conversionStrategy: Default 21 | decodingStrategy: None 22 | key: developer-hub 23 | metadataPolicy: None 24 | -------------------------------------------------------------------------------- 
/helm/charts/cluster-registration/templates/gitops-operator-manifest-work.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: work.open-cluster-management.io/v1 2 | kind: ManifestWork 3 | metadata: 4 | namespace: {{ .Release.Name }} 5 | name: gitops-operator 6 | spec: 7 | workload: 8 | manifests: 9 | - apiVersion: operators.coreos.com/v1alpha1 10 | kind: Subscription 11 | metadata: 12 | name: openshift-gitops-operator 13 | namespace: openshift-operators 14 | spec: 15 | channel: latest 16 | installPlanApproval: Automatic 17 | name: openshift-gitops-operator 18 | source: redhat-operators 19 | sourceNamespace: openshift-marketplace 20 | -------------------------------------------------------------------------------- /components/acm-policies-config/nodeport-policies/policy-generator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: policy.open-cluster-management.io/v1 3 | kind: PolicyGenerator 4 | metadata: 5 | name: restrict-secret-policy-generator 6 | policyDefaults: 7 | namespace: open-cluster-management 8 | severity: high 9 | placement: 10 | clusterSelectors: 11 | cluster.open-cluster-management.io/clusterset: default 12 | policies: 13 | - name: restrict-auth-policy 14 | manifests: 15 | - path: configuration-policy.yaml 16 | remediationAction: enforce 17 | - name: disallow-nodeport-policy 18 | manifests: 19 | - path: disallow-nodeport.yaml 20 | remediationAction: enforce 21 | -------------------------------------------------------------------------------- /helm/charts/create-cluster/templates/klusterlet-addon.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: agent.open-cluster-management.io/v1 3 | kind: KlusterletAddonConfig 4 | metadata: 5 | name: {{ .Values.clusterName }} 6 | namespace: {{ .Values.clusterName }} 7 | labels: 8 | {{- include "create-cluster.labels" . 
| nindent 4 }} 9 | spec: 10 | clusterName: {{ .Values.clusterName }} 11 | clusterNamespace: {{ .Values.clusterName }} 12 | clusterLabels: 13 | cloud: vSphere 14 | vendor: OpenShift 15 | applicationManager: 16 | enabled: true 17 | policyController: 18 | enabled: true 19 | searchCollector: 20 | enabled: true 21 | certPolicyController: 22 | enabled: true 23 | -------------------------------------------------------------------------------- /components/keycloak-config/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: keycloak-db-secret 6 | namespace: keycloak 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: keycloak-db-secret 13 | creationPolicy: Owner 14 | template: 15 | engineVersion: v2 16 | data: 17 | username: "{{ .PG_USER }}" 18 | password: "{{ .PG_PASS }}" 19 | dataFrom: 20 | - extract: 21 | conversionStrategy: Default 22 | decodingStrategy: None 23 | key: developer-hub 24 | metadataPolicy: None 25 | -------------------------------------------------------------------------------- /components/opendora-chart/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: open-dora-helm-chart/templates/service.yaml 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: open-dora-helm-chart 7 | labels: 8 | helm.sh/chart: open-dora-helm-chart-0.3.1 9 | app.kubernetes.io/name: open-dora-helm-chart 10 | app.kubernetes.io/instance: open-dora 11 | app.kubernetes.io/version: "0.3.1" 12 | app.kubernetes.io/managed-by: Helm 13 | spec: 14 | type: ClusterIP 15 | ports: 16 | - port: 10666 17 | targetPort: http 18 | protocol: TCP 19 | name: http 20 | selector: 21 | app.kubernetes.io/name: open-dora-helm-chart 22 | app.kubernetes.io/instance: open-dora 23 | 
-------------------------------------------------------------------------------- /components/acs-central-configuration/secured-cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: platform.stackrox.io/v1alpha1 3 | kind: SecuredCluster 4 | metadata: 5 | annotations: 6 | argocd.argoproj.io/sync-wave: "3" 7 | name: local-cluster 8 | spec: 9 | clusterName: local-cluster 10 | admissionControl: 11 | listenOnCreates: false 12 | listenOnEvents: true 13 | listenOnUpdates: false 14 | perNode: 15 | collector: 16 | collection: EBPF 17 | imageFlavor: Regular 18 | resources: 19 | limits: 20 | cpu: 750m 21 | memory: 640Mi 22 | requests: 23 | cpu: 50m 24 | memory: 320Mi 25 | taintToleration: TolerateTaints 26 | -------------------------------------------------------------------------------- /components/acs-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: rhacs-operator 5 | resources: 6 | - ./namespace.yaml 7 | 8 | helmCharts: 9 | - name: operators-installer 10 | releaseName: rhacs-operator 11 | namespace: rhacs-operator 12 | repo: https://redhat-cop.github.io/helm-charts 13 | version: "3.3.0" 14 | valuesInline: 15 | operators: 16 | - channel: stable 17 | installPlanApproval: Automatic 18 | name: rhacs-operator 19 | source: redhat-operators 20 | sourceNamespace: openshift-marketplace 21 | operatorGroups: 22 | - createNamespace: false 23 | -------------------------------------------------------------------------------- /components/argocd-workflows/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: argo-workflows 6 | namespace: openshift-gitops 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: 
onepassword-connect 11 | target: 12 | name: argo-workflows-sso 13 | creationPolicy: Owner 14 | template: 15 | engineVersion: v2 16 | data: 17 | client-id: "{{ .CLIENT_ID }}" 18 | client-secret: "{{ .CLIENT_SECRET }}" 19 | dataFrom: 20 | - extract: 21 | conversionStrategy: Default 22 | decodingStrategy: None 23 | key: argocd-workflows 24 | metadataPolicy: None 25 | -------------------------------------------------------------------------------- /components/metallb-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./namespace.yaml 6 | 7 | helmCharts: 8 | - name: operators-installer 9 | releaseName: metallb-operator 10 | namespace: metallb-system 11 | repo: https://redhat-cop.github.io/helm-charts 12 | version: "3.3.0" 13 | valuesInline: 14 | operators: 15 | - channel: 16 | installPlanApproval: Automatic 17 | name: metallb-operator 18 | source: redhat-operators 19 | sourceNamespace: openshift-marketplace 20 | csv: 21 | operatorGroups: 22 | - createNamespace: false 23 | -------------------------------------------------------------------------------- /clusters/vsphere/web-terminal.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | web-terminal-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: web-terminal-operator 7 | source: 8 | path: components/web-terminal-operator 9 | plugin: 10 | name: argocd-lovely-plugin 11 | env: 12 | - name: LOVELY_PREPROCESSORS 13 | value: yq -i '.helmCharts.0.valuesInline.operators.0.channel="fast"' kustomization.yaml 14 | 15 | web-terminal-config: 16 | annotations: 17 | argocd.argoproj.io/sync-wave: "15" 18 | destination: 19 | namespace: web-terminal-operator 20 | source: 21 | path: components/web-terminal-config 22 | 
-------------------------------------------------------------------------------- /components/cloudnative-pg-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: cloudnative-pg 5 | resources: 6 | - ./namespace.yaml 7 | helmCharts: 8 | - name: operators-installer 9 | releaseName: cloudnative-pg 10 | namespace: cloudnative-pg 11 | repo: https://redhat-cop.github.io/helm-charts 12 | version: "3.3.0" 13 | valuesInline: 14 | operators: 15 | - channel: stable-v1 16 | installPlanApproval: Automatic 17 | name: cloudnative-pg 18 | source: certified-operators 19 | sourceNamespace: openshift-marketplace 20 | operatorGroups: 21 | - createNamespace: false 22 | -------------------------------------------------------------------------------- /components/developer-hub-config/externalsecret-pullsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: rhdh-pull-secret 6 | namespace: developer-hub 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: rhdh-pull-secret 13 | creationPolicy: Owner 14 | template: 15 | type: kubernetes.io/dockerconfigjson 16 | data: 17 | .dockerconfigjson: "{{ .quay_pull_secret | toString }}" 18 | dataFrom: 19 | - extract: 20 | conversionStrategy: Default 21 | decodingStrategy: None 22 | key: redhat-pull-secret 23 | metadataPolicy: None 24 | -------------------------------------------------------------------------------- /components/openshift-logging-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | helmCharts: 6 | - name: operators-installer 7 | releaseName: 
openshift-logging-operator 8 | namespace: openshift-logging 9 | repo: https://redhat-cop.github.io/helm-charts 10 | version: "3.3.0" 11 | valuesInline: 12 | operators: 13 | - channel: stable-6.1 14 | installPlanApproval: Automatic 15 | name: cluster-logging 16 | source: redhat-operators 17 | sourceNamespace: openshift-marketplace 18 | startingCSV: cluster-logging.v6.2.9 19 | operatorGroups: 20 | - createNamespace: true 21 | -------------------------------------------------------------------------------- /helm/charts/cluster-registration/templates/klusterlet-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: agent.open-cluster-management.io/v1 2 | kind: KlusterletAddonConfig 3 | metadata: 4 | name: {{ .Release.Name }} 5 | namespace: {{ .Release.Name }} 6 | labels: 7 | {{- include "cluster-registration.labels" . | nindent 4 }} 8 | spec: 9 | clusterName: {{ .Release.Name }} 10 | clusterNamespace: {{ .Release.Name }} 11 | clusterLabels: 12 | cloud: BareMetal 13 | vendor: OpenShift 14 | applicationManager: 15 | enabled: true 16 | policyController: 17 | enabled: true 18 | searchCollector: 19 | enabled: true 20 | certPolicyController: 21 | enabled: true 22 | iamPolicyController: 23 | enabled: true 24 | -------------------------------------------------------------------------------- /components/developer-hub-config/config/home-page.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "title": "CI/CD Tools", 4 | "isExpanded": false, 5 | "links": [ 6 | { 7 | "iconUrl": "/homepage/icons/argo-icon-color.svg", 8 | "label": "ArgoCD", 9 | "url": "https://openshift-gitops-server-openshift-gitops.apps.${PLATFORM_BASE_DOMAIN}/" 10 | } 11 | ] 12 | }, 13 | { 14 | "title": "OpenShift clusters", 15 | "isExpanded": true, 16 | "links": [ 17 | { 18 | "iconUrl": "/homepage/icons/icons8/openshift.png", 19 | "label": "OpenShift ACM", 20 | "url": 
"https://console-openshift-console.apps.${PLATFORM_BASE_DOMAIN}/dashboards" 21 | } 22 | ] 23 | } 24 | ] 25 | -------------------------------------------------------------------------------- /helm/charts/create-cluster/templates/machine-pool.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: hive.openshift.io/v1 3 | kind: MachinePool 4 | metadata: 5 | name: {{ .Values.clusterName }}-worker 6 | namespace: {{ .Values.clusterName }} 7 | labels: 8 | {{- include "create-cluster.labels" . | nindent 4 }} 9 | spec: 10 | clusterDeploymentRef: 11 | name: {{ .Values.clusterName }} 12 | name: worker 13 | platform: 14 | vsphere: 15 | cpus: {{ .Values.workerNode.cpus }} 16 | coresPerSocket: {{ .Values.workerNode.corePerSocket }} 17 | memoryMB: {{ .Values.workerNode.memoryMB }} 18 | osDisk: 19 | diskSizeGB: {{ .Values.workerNode.diskSizeGB }} 20 | replicas: {{ .Values.workerNode.replicas }} 21 | -------------------------------------------------------------------------------- /components/cert-manager-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./namespace.yaml 6 | 7 | helmCharts: 8 | - name: operators-installer 9 | releaseName: openshift-cert-manager-operator 10 | namespace: cert-manager-operator 11 | repo: https://redhat-cop.github.io/helm-charts 12 | version: "3.3.0" 13 | valuesInline: 14 | operators: 15 | - channel: 16 | installPlanApproval: Automatic 17 | name: openshift-cert-manager-operator 18 | source: redhat-operators 19 | sourceNamespace: openshift-marketplace 20 | operatorGroups: 21 | - targetOwnNamespace: true 22 | -------------------------------------------------------------------------------- /components/kubernetes-imagepuller-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 
apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | helmCharts: 6 | - name: operators-installer 7 | releaseName: kubernetes-imagepuller-operator 8 | namespace: kubernetes-imagepuller-operator 9 | repo: https://redhat-cop.github.io/helm-charts 10 | version: "3.3.0" 11 | valuesInline: 12 | operators: 13 | - channel: 14 | installPlanApproval: Automatic 15 | name: kubernetes-imagepuller-operator 16 | source: community-operators 17 | sourceNamespace: openshift-marketplace 18 | csv: 19 | operatorGroups: 20 | - createNamespace: true 21 | -------------------------------------------------------------------------------- /components/onepassword-connect-chart/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | labels: 6 | app.kubernetes.io/instance: onepassword-connect 7 | app.kubernetes.io/managed-by: Helm 8 | app.kubernetes.io/name: onepassword-connect 9 | app.kubernetes.io/service: onepassword-connect 10 | helm.sh/chart: app-template-2.4.0 11 | name: onepassword-connect 12 | namespace: external-secrets 13 | spec: 14 | ports: 15 | - name: http 16 | port: 8080 17 | protocol: TCP 18 | targetPort: 8080 19 | selector: 20 | app.kubernetes.io/component: main 21 | app.kubernetes.io/instance: onepassword-connect 22 | app.kubernetes.io/name: onepassword-connect 23 | type: ClusterIP 24 | -------------------------------------------------------------------------------- /helm/charts/infra-env/templates/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: pull-secret-{{ .Release.Namespace }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "infra-env.labels" . 
| nindent 4 }} 9 | spec: 10 | secretStoreRef: 11 | kind: ClusterSecretStore 12 | name: onepassword-connect 13 | target: 14 | name: pull-secret-{{ .Release.Namespace }} 15 | creationPolicy: Owner 16 | data: 17 | - secretKey: .dockerconfigjson 18 | remoteRef: 19 | conversionStrategy: Default 20 | decodingStrategy: None 21 | metadataPolicy: None 22 | key: redhat-pull-secret 23 | property: pull-secret 24 | -------------------------------------------------------------------------------- /helm/charts/hcp-cluster-deployment/templates/klusterlet-addon-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: agent.open-cluster-management.io/v1 2 | kind: KlusterletAddonConfig 3 | metadata: 4 | name: {{ .Values.clusterName }} 5 | namespace: {{ .Values.clusterName }} 6 | annotations: 7 | argocd.argoproj.io/sync-wave: '35' 8 | labels: 9 | {{- include "hcp-cluster-deployment.labels" . | nindent 4 }} 10 | spec: 11 | clusterName: {{ .Values.clusterName }} 12 | clusterNamespace: {{ .Values.clusterName }} 13 | clusterLabels: 14 | cloud: BareMetal 15 | vendor: OpenShift 16 | applicationManager: 17 | enabled: true 18 | policyController: 19 | enabled: true 20 | searchCollector: 21 | enabled: true 22 | certPolicyController: 23 | enabled: true 24 | -------------------------------------------------------------------------------- /components/log-forwarder-config/crb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: logging-admin-application-logs-crb 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: collect-application-logs 10 | subjects: 11 | - kind: ServiceAccount 12 | name: logging-admin 13 | namespace: openshift-logging 14 | --- 15 | apiVersion: rbac.authorization.k8s.io/v1 16 | kind: ClusterRoleBinding 17 | metadata: 18 | name: logging-admin-infra-logs-crb 19 
| roleRef: 20 | apiGroup: rbac.authorization.k8s.io 21 | kind: ClusterRole 22 | name: collect-infrastructure-logs 23 | subjects: 24 | - kind: ServiceAccount 25 | name: logging-admin 26 | namespace: openshift-logging 27 | -------------------------------------------------------------------------------- /components/oauth-config/oauth.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: config.openshift.io/v1 3 | kind: OAuth 4 | metadata: 5 | name: cluster 6 | spec: 7 | identityProviders: 8 | - mappingMethod: claim 9 | name: authentik 10 | openID: 11 | extraScopes: 12 | - email 13 | - profile 14 | extraAuthorizeParameters: 15 | include_granted_scopes: "true" 16 | claims: 17 | groups: 18 | - groups 19 | email: 20 | - email 21 | name: 22 | - name 23 | preferredUsername: 24 | - preferred_username 25 | clientID: "" 26 | clientSecret: 27 | name: oauth-secret 28 | issuer: "" 29 | type: OpenID 30 | -------------------------------------------------------------------------------- /components/openshift-nmstate/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./namespace.yaml 6 | 7 | helmCharts: 8 | - name: operators-installer 9 | releaseName: openshift-nmstate 10 | namespace: openshift-nmstate 11 | repo: https://redhat-cop.github.io/helm-charts 12 | version: "3.3.0" 13 | valuesInline: 14 | operators: 15 | - channel: 16 | installPlanApproval: Automatic 17 | name: kubernetes-nmstate-operator 18 | source: redhat-operators 19 | sourceNamespace: openshift-marketplace 20 | csv: 21 | operatorGroups: 22 | - createNamespace: false 23 | targetOwnNamespace: true 24 | -------------------------------------------------------------------------------- /groups/dev/values.yaml: -------------------------------------------------------------------------------- 1 | default: 2 | app: 3 | 
enabled: true 4 | enableAutoSync: true 5 | autoSyncPrune: true 6 | project: cluster-config 7 | labels:
# NOTE(review): this is the groups/dev values file, yet the default label is app-source: group-prod — TODO confirm whether dev applications should carry group-dev; anything selecting on app-source would otherwise treat dev apps as prod.
8 | app-source: group-prod 9 | repo: cluster-config 10 | destination: 11 | namespace: openshift-gitops 12 | server: https://kubernetes.default.svc 13 | source: 14 | repoURL: https://github.com/Vikaspogu/openshift-multicluster.git 15 | targetRevision: HEAD 16 | syncOptions: 17 | - ApplyOutOfSyncOnly=true 18 | - PrunePropagationPolicy=foreground 19 | - PruneLast=true 20 | - ServerSideApply=true 21 | - FailOnSharedResource=true 22 | - RespectIgnoreDifferences=true 23 | - CreateNamespace=false 24 | 25 | applications: {} 26 | -------------------------------------------------------------------------------- /components/tekton-dashboard/crb.yaml: --------------------------------------------------------------------------------
# NOTE(review): the ClusterRole defined here is named "tekton-dashboard", but the RoleBinding further down binds ClusterRole "tekton-dashboard-tutorial"; unless that role is defined elsewhere the binding dangles and the role in this file is never bound — confirm which name is intended and use it in both places.
# NOTE(review): the role grants create/update/patch on tasks, taskruns, pipelines and pipelineruns; if the dashboard only needs to display runs, get/list/watch would be sufficient (and note "list"/"watch" are absent here, which a listing UI may need — TODO confirm).
1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: tekton-dashboard 5 | rules: 6 | - apiGroups: 7 | - tekton.dev 8 | resources: 9 | - tasks 10 | - taskruns 11 | - pipelines 12 | - pipelineruns 13 | verbs: 14 | - get 15 | - create 16 | - update 17 | - patch 18 | --- 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: RoleBinding 21 | metadata: 22 | name: tekton-dashboard 23 | namespace: tekton-dashboard 24 | roleRef: 25 | apiGroup: rbac.authorization.k8s.io 26 | kind: ClusterRole 27 | name: tekton-dashboard-tutorial 28 | subjects: 29 | - kind: ServiceAccount 30 | name: tekton-dashboard 31 | namespace: tekton-dashboard 32 | -------------------------------------------------------------------------------- /helm/charts/infra-env/templates/infraenv.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: agent-install.openshift.io/v1beta1 3 | kind: InfraEnv 4 | metadata: 5 | name: {{ .Release.Name }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "infra-env.labels" . 
| nindent 4 }} 9 | agentclusterinstalls.extensions.hive.openshift.io/location: {{ .Values.location }} 10 | networkType: static 11 | spec: 12 | sshAuthorizedKey: {{ .Values.sshPublicKey }} 13 | pullSecretRef: 14 | name: pull-secret-{{ .Release.Name }} 15 | agentLabels: 16 | 'agentclusterinstalls.extensions.hive.openshift.io/location': {{ .Values.location }} 17 | nmStateConfigLabelSelector: 18 | matchLabels: 19 | infraenvs.agent-install.openshift.io: {{ .Release.Name }} 20 | cpuArchitecture: x86_64 21 | -------------------------------------------------------------------------------- /components/alertmanager-config/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1beta1 4 | kind: ExternalSecret 5 | metadata: 6 | name: alertmanager-gotify 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: alertmanager-gotify-secret 13 | creationPolicy: Owner 14 | template: 15 | engineVersion: v2 16 | data: 17 | GOTIFY_ENDPOINT: "{{.ENDPOINT}}" 18 | GOTIFY_TOKEN: "{{.OCP_TOKEN}}" 19 | dataFrom: 20 | - extract: 21 | key: gotify 22 | conversionStrategy: Default 23 | decodingStrategy: None 24 | metadataPolicy: None 25 | -------------------------------------------------------------------------------- /components/openshift-gitops-config/cluster-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: cluster-admin-gitops-sc 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: cluster-admin 10 | subjects: 11 | - kind: ServiceAccount 12 | name: openshift-gitops-argocd-application-controller 13 | namespace: openshift-gitops 14 | --- 15 | 
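kind: RoleBinding 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | metadata: 18 | name: kubechecks-gitops-ns-admin 19 | namespace: openshift-gitops 20 | subjects: 21 | - kind: ServiceAccount 22 | name: kubechecks 23 | namespace: kubechecks 24 | roleRef: 25 | apiGroup: rbac.authorization.k8s.io 26 | kind: ClusterRole 27 | name: admin 28 | -------------------------------------------------------------------------------- /.taskfiles/volsync/resources/scripts/which-controller.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# which-controller.sh — print the controller that owns APP in NAMESPACE as a
# kubectl-style reference ("deployment.apps/<app>",
# "deploymentconfig.apps.openshift.io/<app>" or "statefulset.apps/<app>").
#
#   $1  APP        workload name (required)
#   $2  NAMESPACE  namespace to search (default: "default")
#
# Exit status: 0 when one of the three kinds exists, 1 when APP is missing or
# nothing matches. Only the resource reference is written to stdout; all
# diagnostics go to stderr so callers capturing stdout get a clean value.
set -u

APP="${1:-}"
NAMESPACE="${2:-default}"

# Without a name the probes below would be run with an empty argument, so fail
# early with usage instead of reporting a bogus "deployment.apps/".
if [[ -z "${APP}" ]]; then
  echo "usage: $(basename "$0") <app> [namespace]" >&2
  exit 1
fi

# Each probe answers only "does the object exist"; kubectl's own output is
# discarded so it never leaks into stdout.
is_deployment() {
  kubectl --namespace "${NAMESPACE}" get deployment "${APP}" &>/dev/null
}

is_deploymentconfig() {
  kubectl --namespace "${NAMESPACE}" get deploymentconfig "${APP}" &>/dev/null
}

is_statefulset() {
  kubectl --namespace "${NAMESPACE}" get statefulset "${APP}" &>/dev/null
}

# Probe order is preserved from the original: deployment, then deploymentconfig,
# then statefulset; the first match wins.
if is_deployment; then
  echo "deployment.apps/${APP}"
elif is_deploymentconfig; then
  echo "deploymentconfig.apps.openshift.io/${APP}"
elif is_statefulset; then
  echo "statefulset.apps/${APP}"
else
  echo "No deployment or statefulset found for ${APP}" >&2
  exit 1
fi
-------------------------------------------------------------------------------- /helm/charts/create-cluster/templates/external-secret-vsphere-certs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: {{ .Values.clusterName }}-vsphere-certs 6 | namespace: {{ .Values.clusterName }} 7 | labels: 8 | {{- include "create-cluster.labels" . 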
| nindent 4 }} 9 | spec: 10 | secretStoreRef: 11 | kind: ClusterSecretStore 12 | name: onepassword-connect 13 | target: 14 | name: {{ .Values.clusterName }}-vsphere-certs 15 | creationPolicy: Owner 16 | template: 17 | engineVersion: v2 18 | data: 19 | .cacert: '{{`{{.CA_CERT}}`}}' 20 | dataFrom: 21 | - extract: 22 | conversionStrategy: Default 23 | decodingStrategy: None 24 | key: vcenter 25 | metadataPolicy: None 26 | -------------------------------------------------------------------------------- /clusters/proxmox/oauth.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | cluster-rbac-config: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "15" 5 | source: 6 | path: components/cluster-rbac-config 7 | 8 | oauth-config: 9 | annotations: 10 | argocd.argoproj.io/sync-wave: "15" 11 | source: 12 | path: components/oauth-config 13 | plugin: 14 | name: argocd-lovely-plugin 15 | env: 16 | - name: LOVELY_PREPROCESSORS 17 | value: yq -i '.spec.target.template.data.clientSecret="{{ .CLIENT_SECRET_PROXMOX }}"' externalsecret.yaml, yq -i '.spec.identityProviders.0.openID.clientID="V9zsZk0StvJ2tPc9cipZ8rui7sejAqWS8PHCSgOQ"' oauth.yaml, yq -i '.spec.identityProviders.0.openID.issuer="https://id.vikaspogu.com/application/o/openshift-proxmox"' oauth.yaml 18 | -------------------------------------------------------------------------------- /clusters/proxmox/web-terminal.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | web-terminal-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: web-terminal-operator 7 | source: 8 | path: components/web-terminal-operator 9 | plugin: 10 | name: argocd-lovely-plugin 11 | env: 12 | - name: LOVELY_PREPROCESSORS 13 | value: yq -i '.helmCharts.0.valuesInline.operators.0.channel="fast"' kustomization.yaml,yq -i '.helmCharts.0.valuesInline.operators.0.csv="web-terminal.v1.12.1"' 
kustomization.yaml 14 | web-terminal-config: 15 | annotations: 16 | argocd.argoproj.io/sync-wave: "15" 17 | destination: 18 | namespace: web-terminal-operator 19 | source: 20 | path: components/web-terminal-config 21 | -------------------------------------------------------------------------------- /code-workspace: -------------------------------------------------------------------------------- 1 | { 2 | "folders": [ 3 | { 4 | "path": "." 5 | }, 6 | { 7 | "name": "openshift-multicluster", 8 | "path": "/projects/openshift-multicluster" 9 | } 10 | ], 11 | "extensions": { 12 | "recommendations": [ 13 | "redhat.vscode-yaml", 14 | "mhutchie.git-graph", 15 | "eamodio.gitlens", 16 | "catppuccin.catppuccin-vsc" 17 | ] 18 | }, 19 | "settings": { 20 | "workbench.colorTheme": "Catppuccin Frappé", 21 | "editor.fontFamily": "'CaskaydiaCove Nerd Font'", 22 | "editor.tabSize": 2, 23 | "editor.wordWrap": "on", 24 | "files.autoSave": "off", 25 | "editor.semanticHighlighting.enabled": true, 26 | "terminal.integrated.minimumContrastRatio": 1, 27 | "window.titleBarStyle": "custom", 28 | "gopls": { 29 | "ui.semanticTokens": true 30 | } 31 | } 32 | } -------------------------------------------------------------------------------- /components/openshift-pipelines-application/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: gitauth 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: gitauth 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | .gitconfig: | 17 | [credential "https://github.com"] 18 | helper = store 19 | .git-credentials: | 20 | https://{{.GH_USER}}:{{.GH_TOKEN}}@github.com 21 | token: "{{.TOKEN}}" 22 | dataFrom: 23 | - extract: 24 | conversionStrategy: Default 25 | decodingStrategy: None 26 | key: ocp-pipelines 27 | metadataPolicy: 
None 28 | -------------------------------------------------------------------------------- /clusters/vsphere/oauth.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | cluster-rbac-config: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "15" 5 | source: 6 | path: components/cluster-rbac-config 7 | 8 | oauth-config: 9 | annotations: 10 | argocd.argoproj.io/sync-wave: "15" 11 | source: 12 | path: components/oauth-config 13 | plugin: 14 | name: argocd-lovely-plugin 15 | env: 16 | - name: LOVELY_PREPROCESSORS 17 | value: yq -i '.spec.target.template.data.clientSecret="{{ .CLIENT_SECRET_VSPHERE }}"' externalsecret.yaml, yq -i '.spec.identityProviders.0.openID.clientID="oztcmkQD4zn8D68KYoRNbyXPKmo6brfu8dMHXyGEr4WdA"' oauth.yaml, yq -i '.spec.identityProviders.0.openID.issuer="https://id.vikaspogu.com/application/o/openshift-vsphere"' oauth.yaml 18 | -------------------------------------------------------------------------------- /components/openshift-gitops-config/setenv-cmp-plugin.yaml: --------------------------------------------------------------------------------
# NOTE(review): the generate command runs kustomize with --load-restrictor LoadRestrictionsNone and --enable-alpha-plugins. The first lets any kustomization served by this plugin reference files outside its own directory on the repo-server (other checked-out applications included); the second allows exec/KRM plugins to run there. Keep the AppProject source allow-list tight for applications using this plugin, and drop --enable-alpha-plugins unless a kustomization in this repo actually uses a plugin — TODO confirm.
# NOTE(review): the build output is piped through envsub, which is presumably what expands the ${PLATFORM_BASE_DOMAIN} placeholders seen in the component manifests — verify the variable is set on the repo-server sidecar.
1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: setenv-cmp-plugin 6 | namespace: openshift-gitops 7 | data: 8 | plugin.yaml: | 9 | apiVersion: argoproj.io/v1alpha1 10 | kind: ConfigManagementPlugin 11 | metadata: 12 | name: setenv-cmp-plugin 13 | spec: 14 | version: v1.0 15 | init: 16 | command: [sh, -c, 'echo "Initializing setenv-plugin-cmp..."'] 17 | generate: 18 | command: 19 | - sh 20 | - "-c" 21 | - "set -o pipefail && kustomize build --load-restrictor LoadRestrictionsNone --enable-helm --enable-alpha-plugins . | envsub" 22 | discover: 23 | find: 24 | command: [sh, -c, 'find . 
-maxdepth 1 -name kustomization.yaml'] 25 | -------------------------------------------------------------------------------- /helm/charts/hcp-cluster-deployment/templates/node-pool.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: hypershift.openshift.io/v1beta1 2 | kind: NodePool 3 | metadata: 4 | name: 'nodepool-{{ .Values.clusterName }}' 5 | namespace: {{ .Values.clusterName }} 6 | annotations: 7 | argocd.argoproj.io/sync-wave: '35' 8 | labels: 9 | {{- include "hcp-cluster-deployment.labels" . | nindent 4 }} 10 | spec: 11 | clusterName: {{ .Values.clusterName }} 12 | replicas: 1 13 | management: 14 | autoRepair: false 15 | upgradeType: InPlace 16 | platform: 17 | type: Agent 18 | agent: 19 | agentLabelSelector: 20 | matchLabels: 21 | infraenvs.agent-install.openshift.io: {{ .Values.inventoryName }} 22 | release: 23 | image: quay.io/openshift-release-dev/ocp-release:{{ .Values.openshiftVersion }}-multi 24 | -------------------------------------------------------------------------------- /clusters/proxmox/nmstate.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | openshift-nmstate: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: openshift-nmstate 7 | source: 8 | path: components/openshift-nmstate 9 | plugin: 10 | name: argocd-lovely-plugin 11 | env: 12 | - name: LOVELY_PREPROCESSORS 13 | value: yq -i '.helmCharts.0.valuesInline.operators.0.channel="stable"' kustomization.yaml,yq -i '.helmCharts.0.valuesInline.operators.0.csv="kubernetes-nmstate-operator.4.17.0-202501301304"' kustomization.yaml 14 | openshift-nmstate-config: 15 | annotations: 16 | argocd.argoproj.io/sync-wave: "15" 17 | destination: 18 | namespace: openshift-nmstate 19 | source: 20 | path: components/openshift-nmstate-config 21 | -------------------------------------------------------------------------------- 
/components/apache-devlake-chart/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: devlake-ui 6 | namespace: apache-devlake 7 | annotations: 8 | route.openshift.io/termination: "edge" 9 | labels: 10 | app.kubernetes.io/instance: apache-devlake-chart 11 | app.kubernetes.io/managed-by: Helm 12 | app.kubernetes.io/name: devlake 13 | app.kubernetes.io/version: v0.21.0-beta7 14 | helm.sh/chart: devlake-0.21.0-beta7 15 | spec: 16 | rules: 17 | - host: devlake-ui-apache-devlake.apps.${PLATFORM_BASE_DOMAIN} 18 | http: 19 | paths: 20 | - path: / 21 | pathType: Prefix 22 | backend: 23 | service: 24 | name: devlake-ui 25 | port: 26 | name: ui 27 | -------------------------------------------------------------------------------- /components/ldap-sync-config/ldap-sync.yaml: --------------------------------------------------------------------------------
# NOTE(review): url is plain ldap:// and insecure: true, which (per the OpenShift LDAPSyncConfig semantics) disables TLS entirely rather than upgrading via StartTLS, so the bind below — an admin DN plus the password read from /etc/secrets/bindPassword — and every query result cross the network in clear text. Prefer ldaps:// (or insecure: false with a ca: bundle so ldap:// is upgraded with StartTLS) and a dedicated read-only bind account; the sync only needs to read groups and users — TODO confirm what the directory server supports.
1 | kind: LDAPSyncConfig 2 | apiVersion: v1 3 | url: ldap://10.30.30.157:389 4 | insecure: true 5 | bindDN: "uid=admin,ou=people,dc=home,dc=arpa" 6 | bindPassword: 7 | file: "/etc/secrets/bindPassword" 8 | rfc2307: 9 | groupsQuery: 10 | baseDN: "ou=groups,dc=home,dc=arpa" 11 | scope: sub 12 | derefAliases: never 13 | pageSize: 0 14 | filter: "(&(objectClass=*)(cn=*openshift*))" 15 | groupUIDAttribute: dn 16 | groupNameAttributes: [cn] 17 | groupMembershipAttributes: [member] 18 | usersQuery: 19 | baseDN: "ou=people,dc=home,dc=arpa" 20 | scope: sub 21 | derefAliases: never 22 | pageSize: 0 23 | userUIDAttribute: dn 24 | userNameAttributes: [uid] 25 | tolerateMemberNotFoundErrors: false 26 | tolerateMemberOutOfScopeErrors: false 27 | -------------------------------------------------------------------------------- /components/web-terminal-config/dev-workspace-template.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
workspace.devfile.io/v1alpha2 3 | kind: DevWorkspaceTemplate 4 | metadata: 5 | annotations: 6 | controller.devfile.io/allow-import-from: "*" 7 | name: web-terminal-tooling 8 | labels: 9 | console.openshift.io/terminal: "true" 10 | spec: 11 | components: 12 | - container: 13 | args: 14 | - tail 15 | - "-f" 16 | - /dev/null 17 | cpuLimit: 400m 18 | cpuRequest: 100m 19 | image: registry.redhat.io/web-terminal/web-terminal-tooling-rhel8@sha256:657874adad93a9e6c2b746b836015de410d2e280f85c079c81e24ae81343fa6c 20 | memoryLimit: 512Mi 21 | memoryRequest: 128Mi 22 | mountSources: false 23 | sourceMapping: /projects 24 | name: web-terminal-tooling 25 | -------------------------------------------------------------------------------- /helm/charts/create-cluster/templates/externalsecret-pullsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: {{ .Values.clusterName }}-pull-secret 6 | namespace: {{ .Values.clusterName }} 7 | annotations: 8 | argocd.argoproj.io/sync-wave: '5' 9 | labels: 10 | {{- include "create-cluster.labels" . 
| nindent 4 }} 11 | spec: 12 | secretStoreRef: 13 | kind: ClusterSecretStore 14 | name: onepassword-connect 15 | target: 16 | name: {{ .Values.clusterName }}-pull-secret 17 | creationPolicy: Owner 18 | data: 19 | - secretKey: .dockerconfigjson 20 | remoteRef: 21 | conversionStrategy: Default 22 | decodingStrategy: None 23 | key: redhat-pull-secret 24 | property: pull-secret 25 | metadataPolicy: None 26 | -------------------------------------------------------------------------------- /components/alertmanager-config/values.yaml: -------------------------------------------------------------------------------- 1 | controllers: 2 | alertmanager-gotify: 3 | annotations: 4 | reloader.stakater.com/auto: "true" 5 | containers: 6 | app: 7 | image: 8 | repository: ghcr.io/druggeri/alertmanager_gotify_bridge 9 | tag: 2.3.2 10 | envFrom: 11 | - secretRef: 12 | name: alertmanager-gotify-secret 13 | securityContext: 14 | allowPrivilegeEscalation: false 15 | readOnlyRootFilesystem: true 16 | capabilities: { drop: ["ALL"] } 17 | resources: 18 | requests: 19 | cpu: 5m 20 | memory: 50Mi 21 | limits: 22 | memory: 150Mi 23 | service: 24 | app: 25 | controller: alertmanager-gotify 26 | ports: 27 | http: 28 | port: 8080 29 | -------------------------------------------------------------------------------- /components/opendora-chart/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | annotations: 6 | route.openshift.io/termination: "edge" 7 | labels: 8 | app.kubernetes.io/instance: apache-devlake-chart 9 | app.kubernetes.io/managed-by: Helm 10 | app.kubernetes.io/name: open-dora-helm-chart 11 | app.kubernetes.io/version: 0.3.1 12 | helm.sh/chart: open-dora-helm-chart-0.3.1 13 | name: open-dora 14 | namespace: apache-devlake 15 | spec: 16 | rules: 17 | - host: open-dora-apache-devlake.apps.${PLATFORM_BASE_DOMAIN} 18 | http: 19 | paths: 20 | - path: / 21 | pathType: 
Prefix
            backend:
              service:
                name: open-dora-helm-chart
                port:
                  name: http
--------------------------------------------------------------------------------
/components/synology-csi-chart/synology-csi-scc.yaml:
--------------------------------------------------------------------------------
---
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: synology-csi-scc
# NOTE(review): this SCC gives the three service accounts listed under `users` host-path
# volumes, host networking, privileged containers and CAP_SYS_ADMIN — effectively root on the
# node. That is normal for a CSI node plugin, but the grant is only as safe as control over those
# service accounts: anyone who can create a pod running as one of them in the `synology-csi`
# namespace inherits all of it. Keep `groups` empty (as it is) and keep that namespace out of
# application teams' hands.
allowHostDirVolumePlugin: true
allowHostNetwork: true
allowPrivilegedContainer: true
allowedCapabilities:
  - "SYS_ADMIN"
defaultAddCapabilities: []
fsGroup:
  type: RunAsAny
groups: []
# `priority` is intentionally unset; an SCC without a priority is treated as the lowest, so it
# is only chosen when no higher-priority SCC admits the pod.
priority:
readOnlyRootFilesystem: false
requiredDropCapabilities: []
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users:
  - system:serviceaccount:synology-csi:synology-csi-controller
  - system:serviceaccount:synology-csi:synology-csi-node
  - system:serviceaccount:synology-csi:synology-csi-snapshotter
# `"*"` permits every volume type. The controller and snapshotter presumably need far less than
# the node plugin does; splitting this into a node SCC and a narrower controller SCC would keep
# hostPath/privileged off the components that do not mount anything on the host — verify
# against the chart's pod specs.
volumes:
  - "*"
--------------------------------------------------------------------------------
/components/openshift-pipelines-config/tekton-config.yaml:
--------------------------------------------------------------------------------
apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
  name: config
  annotations:
    # Server-side apply so Argo CD does not fight the operator over defaults it fills into this
    # singleton; Delete=false keeps the CR (and therefore the Pipelines installation) if the
    # Argo CD Application is removed.
    argocd.argoproj.io/sync-options: ServerSideApply=true,Delete=false
spec:
  platforms:
    openshift:
      pipelinesAsCode:
        settings:
          # NOTE(review): "false" disables per-repository scoping of the GitHub App installation
          # token that Pipelines-as-Code mints for each PipelineRun, so a run triggered from one
          # repository receives a token valid for every repository the App is installed on.
          # A pipeline in any one repo (or a compromised task image) can then read or push the
          # others. Leave the default (scoped) unless cross-repo access is genuinely required,
          # and in that case prefer the setting that scopes the token to a named list of extra
          # repositories instead of disabling scoping entirely.
          secret-github-app-token-scoped: "false"
  pipeline:
    default-timeout-minutes: 60
    cluster-resolver-config:
      default-kind: task
      default-namespace: openshift-pipelines
    enable-cel-in-whenexpression: true
    performance:
      disable-ha: false
      buckets: 5
      replicas: 3
  pruner:
    disabled: false
    # Keep the last 5 TaskRuns/PipelineRuns; the cron `schedule` follows on the next line.
    keep: 5
    resources:
      - taskrun
      - pipelinerun
schedule: 0 * * * *
--------------------------------------------------------------------------------
/helm/charts/create-cluster/templates/external-secret-vsphere-sshkey.yaml:
--------------------------------------------------------------------------------
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: {{ .Values.clusterName }}-ssh-private-key
  namespace: {{ .Values.clusterName }}
  labels:
    {{- include "create-cluster.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: {{ .Values.clusterName }}-ssh-private-key
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        # NOTE(review): inside a `|` block scalar the single quotes are literal content, not YAML
        # syntax. After Helm unwraps the backtick escape, ESO renders the key *wrapped in quotes*,
        # which is not a valid PEM file. The sibling vsphere-creds template uses the quoted form on
        # a plain scalar, where the quotes are consumed by YAML; here they should probably be
        # dropped — confirm against the rendered Secret before changing it.
        ssh-privatekey: |
          '{{`{{.SSH_PRIVATE_KEY_MACOS}}`}}'
  dataFrom:
    - extract:
        conversionStrategy: Default
        decodingStrategy: None
        key: vcenter
        metadataPolicy: None
--------------------------------------------------------------------------------
/components/developer-hub-config/rolebindings.yaml:
--------------------------------------------------------------------------------
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developer-hub-cluster-reader
# cluster-reader is read access to nearly every resource in every namespace. Granting it to two
# application service accounts means their tokens are cluster-wide read credentials; the
# developer-hub-ocm token appears to be injected into the Backstage pod (rhdh `extraEnvs`), so a
# compromise of Backstage yields that read access. Review whether the OCM/Kubernetes plugins
# actually need more than a namespaced or resource-scoped role.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
  - kind: ServiceAccount
    name: developer-hub
    namespace: developer-hub
  - kind: ServiceAccount
    name: developer-hub-ocm
    namespace: developer-hub
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developer-hub-tekton-plugin
# Cluster-wide binding of the Tekton plugin role; the ClusterRole itself is defined elsewhere,
# so its scope cannot be assessed from this file.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: janus-idp-tekton-plugin
subjects:
  - kind: ServiceAccount
    name: developer-hub
    namespace: developer-hub
-------------------------------------------------------------------------------- /components/synology-csi-chart/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: synology-csi-secret 6 | namespace: synology-csi 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: synology-csi-secret 13 | creationPolicy: Owner 14 | template: 15 | engineVersion: v2 16 | data: 17 | client-info.yaml: | 18 | clients: 19 | - host: {{.NAS_IP}} 20 | https: false 21 | password: {{.password}} 22 | port: 5000 23 | username: {{.username}} 24 | dataFrom: 25 | - extract: 26 | conversionStrategy: Default 27 | decodingStrategy: None 28 | key: nas-csi 29 | metadataPolicy: None 30 | -------------------------------------------------------------------------------- /helm/charts/create-cluster/templates/external-secret-vsphere-creds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: {{ .Values.clusterName }}-vsphere-creds 6 | namespace: {{ .Values.clusterName }} 7 | labels: 8 | {{- include "create-cluster.labels" . 
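| nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: {{ .Values.clusterName }}-vsphere-creds
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        # Two template layers: the outer {{` `}} stops Helm from evaluating the inner
        # {{.username}} / {{.password}}, which are rendered later by ESO from the `vcenter` item.
        username: '{{`{{.username}}`}}'
        password: '{{`{{.password}}`}}'
  dataFrom:
    - extract:
        conversionStrategy: Default
        decodingStrategy: None
        key: vcenter
        metadataPolicy: None
--------------------------------------------------------------------------------
/helm/charts/hcp-cluster-deployment/templates/externalsecret.yaml:
--------------------------------------------------------------------------------
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: pullsecret-cluster-{{ .Values.clusterName }}
  namespace: {{ .Values.clusterName }}
  annotations:
    argocd.argoproj.io/sync-wave: '5'
  labels:
    {{- include "hcp-cluster-deployment.labels" . | nindent 4 }}
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: pullsecret-cluster-{{ .Values.clusterName }}
    creationPolicy: Owner
  data:
    # Only the `pull-secret` property of the 1Password item is materialised, under the key the
    # pull-secret consumer expects.
    - secretKey: .dockerconfigjson
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: redhat-pull-secret
        property: pull-secret
        metadataPolicy: None
--------------------------------------------------------------------------------
/components/gitops-bootstrap-policy/manifests/gitops-instance/base/setenv-cmp-plugin-configmap.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ConfigMap
metadata:
  name: setenv-cmp-plugin
  namespace: openshift-gitops
# NOTE(review): the generate command below runs kustomize with `--load-restrictor
# LoadRestrictionsNone` (a kustomization may reference files anywhere the repo-server can read)
# and `--enable-alpha-plugins` (exec/function plugins may run). Together they let any repository
# rendered through this CMP read arbitrary paths in the repo-server sandbox and execute code
# there, so this plugin should only be made available to trusted repositories or run in its own
# sidecar with a restrictive security context. `envsub` then expands ${VAR} references from the
# process environment; keep that environment limited to the variables the manifests need.
data:
  plugin.yaml: |
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      name: setenv-cmp-plugin
    spec:
      version: v1.0
      init:
        command: [sh, -c, 'echo "Initializing setenv-plugin-cmp..."']
      generate:
        command:
          - sh
          - "-c"
          - "set -o pipefail && SSL_CERT_DIR=/app/config/tls kustomize build --load-restrictor LoadRestrictionsNone --enable-helm --enable-alpha-plugins . | envsub"
      discover:
        find:
          command: [sh, -c, 'find . -maxdepth 1 -name kustomization.yaml']
--------------------------------------------------------------------------------
/.taskfiles/volsync/resources/templates/unlock.yaml.j2:
--------------------------------------------------------------------------------
---
apiVersion: batch/v1
kind: Job
metadata:
  # Fixed: the original read `{{ ENV.APP') }}`; the stray `')` is not valid Jinja and the other
  # volsync templates use the plain `{{ ENV.APP }}` form.
  name: volsync-unlock-{{ ENV.APP }}
  namespace: {{ ENV.NS }}
spec:
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      # The restic containers need only the repository credentials from the Secrets below, so
      # the service-account token is not mounted — a good least-privilege default for a
      # one-shot job.
      automountServiceAccountToken: false
      restartPolicy: OnFailure
      containers:
        # `unlock --remove-all` removes every lock in the repository, including ones held by a
        # backup that is still running; only run this job when no ReplicationSource is active.
        - name: minio
          # `:latest` is unpinned, so the binary that handles the backup credentials can change
          # between runs; pin a tag or digest for reproducibility.
          image: docker.io/restic/restic:latest
          args: ["unlock", "--remove-all"]
          envFrom:
            - secretRef:
                name: {{ ENV.APP }}-volsync-secret
          resources: {}
        - name: r2
          image: docker.io/restic/restic:latest
          args: ["unlock", "--remove-all"]
          envFrom:
            - secretRef:
                name: {{ ENV.APP }}-volsync-r2-secret
          resources: {}
--------------------------------------------------------------------------------
/components/acm-policies-config/governance-standalone-hub-templating-addon/managed-cluster-addon.yaml:
--------------------------------------------------------------------------------
---
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: managed-cluster-addon-policy
spec:
  # Hub template: one ManagedClusterAddOn is requested per ManagedCluster, skipping the hub
  # itself via the `local-cluster!=true` label selector.
  object-templates-raw: |
    {{- range $mc := (lookup "cluster.open-cluster-management.io/v1" "ManagedCluster" "" "" "local-cluster!=true").items }}
    - complianceType: musthave
      objectDefinition:
        apiVersion: addon.open-cluster-management.io/v1alpha1
        kind: ManagedClusterAddOn
        metadata:
          name: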
governance-standalone-hub-templating 15 | namespace: '{{ $mc.metadata.name }}' 16 | labels: 17 | cluster.open-cluster-management.io/backup: '' 18 | spec: 19 | installNamespace: open-cluster-management-agent-addon 20 | {{- end 21 | -------------------------------------------------------------------------------- /clusters/proxmox/kubernetes-imagepuller.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | kubernetes-imagepuller-operator: 3 | annotations: 4 | argocd.argoproj.io/sync-wave: "5" 5 | destination: 6 | namespace: kubernetes-imagepuller-operator 7 | source: 8 | path: components/kubernetes-imagepuller-operator 9 | plugin: 10 | name: argocd-lovely-plugin 11 | env: 12 | - name: LOVELY_PREPROCESSORS 13 | value: yq -i '.helmCharts.0.valuesInline.operators.0.channel="stable"' kustomization.yaml,yq -i '.helmCharts.0.valuesInline.operators.0.csv="kubernetes-imagepuller-operator.v1.1.0"' kustomization.yaml 14 | kubernetes-imagepuller-config: 15 | annotations: 16 | argocd.argoproj.io/sync-wave: "15" 17 | destination: 18 | namespace: kubernetes-imagepuller-operator 19 | source: 20 | path: components/kubernetes-imagepuller-config 21 | -------------------------------------------------------------------------------- /components/acs-central-configuration/central.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: platform.stackrox.io/v1alpha1 3 | kind: Central 4 | metadata: 5 | annotations: 6 | argocd.argoproj.io/sync-wave: "1" 7 | name: central 8 | spec: 9 | central: 10 | exposure: 11 | loadBalancer: 12 | enabled: false 13 | port: 443 14 | nodePort: 15 | enabled: false 16 | route: 17 | enabled: true 18 | db: 19 | isEnabled: Default 20 | persistence: 21 | persistentVolumeClaim: 22 | claimName: central-db 23 | persistence: 24 | persistentVolumeClaim: 25 | claimName: stackrox-db 26 | egress: 27 | connectivityPolicy: Online 28 | scanner: 29 | analyzer: 30 | 
scaling:
        autoScaling: Enabled
        maxReplicas: 5
        minReplicas: 2
        replicas: 2
    scannerComponent: Enabled
--------------------------------------------------------------------------------
/components/acm-policies-config/argocd-notification-annotation-policy/configuration-policy.yaml:
--------------------------------------------------------------------------------
---
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
  name: argocd-notification-annotation-policy
spec:
  # Hub template over every Argo CD Application on the cluster: each one gets a Pushover
  # subscription annotation for sync-succeeded events.
  # NOTE(review): `fromSecret ... | base64dec` copies the decoded `pushover-user` value out of
  # the argocd-notifications-secret and into a plain annotation on every Application. Anyone who
  # can `get` Applications (or see them in the Argo CD UI) can now read that value, which
  # bypasses the Secret's RBAC. If the user key is considered sensitive, keep it in the
  # notifications Secret and reference it from the notifications config instead.
  object-templates-raw: |
    {{- range (lookup "argoproj.io/v1alpha1" "Application" "" "" "").items }}
    - complianceType: musthave
      objectDefinition:
        apiVersion: argoproj.io/v1alpha1
        kind: Application
        metadata:
          name: {{ .metadata.name }}
          namespace: {{ .metadata.namespace }}
          annotations:
            notifications.argoproj.io/subscribe.on-sync-succeeded.pushover: '{{ fromSecret "openshift-gitops" "argocd-notifications-secret" "pushover-user" | base64dec }}'
    {{- end }}
  remediationAction: enforce
  # DeleteAll only affects objects the policy itself created; these Applications pre-exist and
  # are only patched, so removing the policy should leave them in place — worth confirming,
  # since the alternative would be deleting every Application on the cluster.
  pruneObjectBehavior: DeleteAll
--------------------------------------------------------------------------------
/components/image-registry-config/externalsecret.yaml:
--------------------------------------------------------------------------------
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: image-registry-private-configuration-user
  namespace: openshift-image-registry
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: image-registry-private-configuration-user
    creationPolicy: Owner
  # S3 credentials for the internal registry's storage backend, taken from the `minio` item.
  data:
    - secretKey: REGISTRY_STORAGE_S3_ACCESSKEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: minio
        property: access_key
    - secretKey: REGISTRY_STORAGE_S3_SECRETKEY
      remoteRef:
conversionStrategy: Default 25 | decodingStrategy: None 26 | metadataPolicy: None 27 | key: minio 28 | property: secret_key 29 | -------------------------------------------------------------------------------- /helm/charts/cluster-deployment/templates/cluster-deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: hive.openshift.io/v1 2 | kind: ClusterDeployment 3 | metadata: 4 | annotations: 5 | agentBareMetal-agentSelector/autoSelect: "true" 6 | labels: 7 | "cluster.open-cluster-management.io/clusterset": {{ .Values.clusterSet }} 8 | {{- include "cluster-deployment.labels" . | nindent 4 }} 9 | name: {{ .Release.Name }} 10 | namespace: {{ .Release.Name }} 11 | spec: 12 | baseDomain: {{.Values.baseDomain}} 13 | clusterInstallRef: 14 | group: extensions.hive.openshift.io 15 | kind: AgentClusterInstall 16 | name: {{ .Release.Name }} 17 | version: v1beta1 18 | clusterName: {{ .Release.Name }} 19 | platform: 20 | agentBareMetal: 21 | {{- with .Values.agentLabelSelector.deployment }} 22 | {{- toYaml . 
| nindent 6 }} 23 | {{- end }} 24 | pullSecretRef: 25 | name: pull-secret-{{ .Release.Name }} 26 | -------------------------------------------------------------------------------- /.bootstrap/openshift/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ../components/openshift-gitops-config 5 | - ../components/root-application 6 | patches: 7 | - target: 8 | kind: Application 9 | patch: |- 10 | - op: replace 11 | path: /spec/source/repoURL 12 | value: "https://github.com/Vikaspogu/openshift-multicluster.git" 13 | - op: replace 14 | path: /spec/source/path 15 | value: "" 16 | configMapGenerator: 17 | - name: environment-variables 18 | literals: 19 | - KUSTOMIZE_PLUGIN_HOME=/etc/kustomize/plugin 20 | - CLUSTER_NAME=${CLUSTER_NAME} 21 | - CLUSTER_BASE_DOMAIN=${CLUSTER_BASE_DOMAIN} 22 | - PLATFORM_BASE_DOMAIN=${PLATFORM_BASE_DOMAIN} 23 | - INFRA_GITOPS_REPO=https://github.com/Vikaspogu/openshift-multicluster.git 24 | generatorOptions: 25 | disableNameSuffixHash: true 26 | -------------------------------------------------------------------------------- /clusters/proxmox/cert-manager.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | cert-manager-operator: 3 | annotations: 4 | argocd.argoproj.io/compare-options: IgnoreExtraneous 5 | argocd.argoproj.io/sync-wave: "5" 6 | destination: 7 | namespace: cert-manager 8 | source: 9 | path: components/cert-manager-operator 10 | plugin: 11 | name: argocd-lovely-plugin 12 | env: 13 | - name: LOVELY_PREPROCESSORS 14 | value: yq -i '.helmCharts.0.valuesInline.operators.0.channel="stable-v1"' kustomization.yaml 15 | 16 | cert-manager-config: 17 | annotations: 18 | argocd.argoproj.io/sync-wave: "15" 19 | destination: 20 | namespace: cert-manager 21 | source: 22 | path: components/cert-manager-config 23 | 24 | cert-manager-application: 25 | 
annotations: 26 | argocd.argoproj.io/sync-wave: "25" 27 | source: 28 | path: components/cert-manager-application 29 | -------------------------------------------------------------------------------- /clusters/vsphere/cert-manager.yaml: -------------------------------------------------------------------------------- 1 | applications: 2 | cert-manager-operator: 3 | annotations: 4 | argocd.argoproj.io/compare-options: IgnoreExtraneous 5 | argocd.argoproj.io/sync-wave: "5" 6 | destination: 7 | namespace: cert-manager 8 | source: 9 | path: components/cert-manager-operator 10 | plugin: 11 | name: argocd-lovely-plugin 12 | env: 13 | - name: LOVELY_PREPROCESSORS 14 | value: yq -i '.helmCharts.0.valuesInline.operators.0.channel="stable-v1"' kustomization.yaml 15 | 16 | cert-manager-config: 17 | annotations: 18 | argocd.argoproj.io/sync-wave: "15" 19 | destination: 20 | namespace: cert-manager 21 | source: 22 | path: components/cert-manager-config 23 | 24 | cert-manager-application: 25 | annotations: 26 | argocd.argoproj.io/sync-wave: "25" 27 | source: 28 | path: components/cert-manager-application 29 | -------------------------------------------------------------------------------- /components/acm-policies-config/configmap-copy-policy/configuration-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: policy.open-cluster-management.io/v1 3 | kind: ConfigurationPolicy 4 | metadata: 5 | name: configmap-copy-policy 6 | spec: 7 | object-templates-raw: | 8 | {{hub- range $var := list "zone1" "ingress" "ops" hub}} 9 | {{hub- $var_cpu := (printf "%s-cpu" $var) hub}} 10 | - complianceType: musthave 11 | objectDefinition: 12 | apiVersion: v1 13 | kind: ConfigMap 14 | metadata: 15 | name: configmap-copy-{{hub $var hub}} 16 | namespace: acm-policies 17 | data: 18 | cpu: '{{hub index (lookup "v1" "ConfigMap" "acm-policies" "machineset").data $var_cpu hub}}' 19 | {{hub- end hub}} 20 | remediationAction: enforce 21 | 
pruneObjectBehavior: DeleteAll 22 | # {{- $cm := lookup "v1" "ConfigMap" "acm-policies" (printf "machineset-%s" $var) }} 23 | # {{- $cpu := $cm.data.cpu }} 24 | -------------------------------------------------------------------------------- /components/openshift-pipelines-config/pac-externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: pipelines-as-code-secret 6 | namespace: openshift-pipelines 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: pipelines-as-code-secret 13 | creationPolicy: Owner 14 | template: 15 | engineVersion: v2 16 | metadata: 17 | annotations: 18 | appUrl: "https://github.com/apps/openshift-pipelines-vpogu" 19 | appName: "OpenShift Pipelines VPogu" 20 | data: 21 | github-private-key: "{{ .PRIVATE_KEY }}" 22 | github-application-id: "{{ .APP_ID }}" 23 | webhook.secret: "{{ .WEBHOOK_SECRET }}" 24 | dataFrom: 25 | - extract: 26 | conversionStrategy: Default 27 | decodingStrategy: None 28 | key: ocp-pipelines 29 | metadataPolicy: None 30 | -------------------------------------------------------------------------------- /components/gitops-bootstrap-policy/manifests/gitops-instance/base/environment-variables-configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: environment-variables 5 | namespace: openshift-gitops 6 | data: 7 | KUSTOMIZE_PLUGIN_HOME: /etc/kustomize/plugin 8 | CLUSTER_NAME: '{{ fromClusterClaim "name" }}' 9 | CLUSTER_BASE_DOMAIN: 10 | '{{ fromClusterClaim "name" }}.{{hub (lookup "v1" "ConfigMap" "openshift-gitops" "environment-variables").data.PLATFORM_BASE_DOMAIN hub}}' 11 | # all created clusters base domain should be . 
12 | PLATFORM_BASE_DOMAIN: '{{hub (lookup "v1" "ConfigMap" "openshift-gitops" "environment-variables").data.PLATFORM_BASE_DOMAIN hub}}' 13 | HUB_BASE_DOMAIN: '{{hub (lookup "v1" "ConfigMap" "openshift-gitops" "environment-variables").data.CLUSTER_BASE_DOMAIN hub}}' 14 | INFRA_GITOPS_REPO: '{{hub (lookup "v1" "ConfigMap" "openshift-gitops" "environment-variables").data.INFRA_GITOPS_REPO hub}}' 15 | -------------------------------------------------------------------------------- /components/developer-hub-config/aap-tools-deployment.yaml: -------------------------------------------------------------------------------- 1 | kind: Deployment 2 | apiVersion: apps/v1 3 | metadata: 4 | name: ansible-dev-tools-rhel8 5 | spec: 6 | replicas: 1 7 | selector: 8 | matchLabels: 9 | app: ansible-dev-tools-rhel8 10 | template: 11 | metadata: 12 | labels: 13 | app: ansible-dev-tools-rhel8 14 | spec: 15 | containers: 16 | - name: ansible-dev-tools-rhel8 17 | command: 18 | - adt 19 | - server 20 | image: registry.redhat.io/ansible-automation-platform-25/ansible-dev-tools-rhel8:latest 21 | ports: 22 | - name: http 23 | containerPort: 8000 24 | protocol: TCP 25 | --- 26 | kind: Service 27 | apiVersion: v1 28 | metadata: 29 | name: ansible-dev-tools-rhel8-svc 30 | spec: 31 | ports: 32 | - name: http-8000 33 | port: 8000 34 | protocol: TCP 35 | targetPort: 8000 36 | selector: 37 | app: ansible-dev-tools-rhel8 38 | -------------------------------------------------------------------------------- /components/log-forwarder-config/cluster-log-forwarder.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: observability.openshift.io/v1 3 | kind: ClusterLogForwarder 4 | metadata: 5 | name: loki-forwarder 6 | namespace: openshift-logging 7 | spec: 8 | serviceAccount: 9 | name: logging-admin 10 | # filters: 11 | # - name: important-logs 12 | # type: drop 13 | # drop: 14 | # - test: 15 | # - field: .level 16 | # matches: "notice" 
#"default|debug|notice"
  outputs:
    - name: loki
      type: "loki"
      loki:
        # NOTE(review): plain HTTP to the Loki endpoint. Application and infrastructure logs
        # routinely contain tokens, hostnames and personal data, and here they cross the network
        # unencrypted and without authentication. Put Loki behind TLS and use the output's TLS
        # and authentication settings, or at minimum restrict which sources can reach
        # 10.30.30.160:80.
        url: http://10.30.30.160:80
      tuning:
        compression: gzip
        # Retries with back-off rather than dropping on failure.
        deliveryMode: AtLeastOnce
        maxRetryDuration: 20
        maxWrite: 10M
        minRetryDuration: 5
  pipelines:
    - name: logs
      # filterRefs:
      #   - important-logs
      inputRefs:
        - application
        - infrastructure
      outputRefs:
        - loki
--------------------------------------------------------------------------------
/.yamllint.yaml:
--------------------------------------------------------------------------------
---
yaml-files:
  - "*.yaml"
  - "*.yml"
  - ".yamllint"

# Helm templates and the installer tree are not valid YAML before rendering, so they are skipped.
ignore:
  - helm/**
  - installer/**

rules:
  # 80 chars should be enough, but don't fail if a line is longer
  line-length:
    max: 80
    level: warning
  anchors: enable
  braces:
    level: warning
    max-spaces-inside: 1
  brackets: enable
  colons: enable
  commas: enable
  comments:
    level: warning
  comments-indentation:
    level: warning
  document-end: disable
  document-start:
    level: warning
  empty-lines: enable
  empty-values: disable
  float-values: disable
  hyphens: enable
  indentation:
    level: warning
  # Duplicate keys silently shadow each other in most parsers; keep this one an error.
  key-duplicates: enable
  key-ordering: disable
  new-line-at-end-of-file: enable
  new-lines: enable
  octal-values: disable
  quoted-strings: disable
  trailing-spaces: enable
  truthy:
    level: warning
--------------------------------------------------------------------------------
/components/gitops-bootstrap-policy/placement.yaml:
--------------------------------------------------------------------------------
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
  name: placement-policy-gitops
  namespace: acm-policies
spec:
  clusterSets:
    - global
  predicates:
    - requiredClusterSelector:
labelSelector: 12 | matchExpressions: 13 | - key: gitops 14 | operator: In 15 | values: 16 | - deploy 17 | - key: local-cluster 18 | operator: NotIn 19 | values: 20 | - "true" 21 | --- 22 | apiVersion: policy.open-cluster-management.io/v1 23 | kind: PlacementBinding 24 | metadata: 25 | name: binding-policy-gitops 26 | namespace: acm-policies 27 | placementRef: 28 | apiGroup: cluster.open-cluster-management.io 29 | kind: Placement 30 | name: placement-policy-gitops 31 | subjects: 32 | - apiGroup: policy.open-cluster-management.io 33 | kind: PolicySet 34 | name: gitops 35 | -------------------------------------------------------------------------------- /components/synology-csi-chart/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 5 | resources: 6 | - ./namespace.yaml 7 | - ./externalsecret.yaml 8 | - ./synology-csi-scc.yaml 9 | - ./storage-class.yaml 10 | - ./volume-snapshot-class.yaml 11 | 12 | helmCharts: 13 | - name: synology-csi 14 | releaseName: synology-csi 15 | namespace: synology-csi 16 | repo: https://christian-schlichtherle.github.io/synology-csi-chart 17 | version: "0.10.1" 18 | valuesInline: 19 | clientInfoSecret: 20 | create: false 21 | name: synology-csi-secret 22 | installCSIDriver: true 23 | storageClasses: 24 | iscsi-delete: 25 | disabled: true 26 | iscsi-retain: 27 | disabled: true 28 | nfs-delete: 29 | disabled: true 30 | nfs-retain: 31 | disabled: true 32 | smb-delete: 33 | disabled: true 34 | smb-retain: 35 | disabled: true 36 | -------------------------------------------------------------------------------- /components/argocd-notifications/externalsecrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: argocd-notifications-secret 6 | spec: 7 | secretStoreRef: 8 | kind: 
ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: argocd-notifications-secret 12 | creationPolicy: Merge 13 | template: 14 | engineVersion: v2 15 | data: 16 | pushover-user: "{{.user_key}}" 17 | pushover-token: "{{.ARGOCD_API_KEY}}" 18 | appID: "{{ .AUTH_ORG_APP_ID }}" 19 | installationID: "{{ .APP_INSTALLATION_ID }}" 20 | github-privateKey: | 21 | {{ .AUTH_ORG1_PRIVATE_KEY }} 22 | dataFrom: 23 | - extract: 24 | conversionStrategy: Default 25 | decodingStrategy: None 26 | key: developer-hub 27 | metadataPolicy: None 28 | - extract: 29 | conversionStrategy: Default 30 | decodingStrategy: None 31 | key: Pushover 32 | metadataPolicy: None 33 | -------------------------------------------------------------------------------- /components/developer-hub-config/backstage.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rhdh.redhat.com/v1alpha2 3 | kind: Backstage 4 | metadata: 5 | name: developer-hub 6 | namespace: rhdh-operator 7 | spec: 8 | deployment: 9 | patch: 10 | spec: 11 | template: 12 | spec: 13 | volumes: 14 | - $patch: replace 15 | name: dynamic-plugins-root 16 | persistentVolumeClaim: 17 | claimName: dynamic-plugins-root 18 | application: 19 | appConfig: 20 | mountPath: /opt/app-root/src 21 | configMaps: 22 | - name: app-config-rhdh 23 | dynamicPluginsConfigMapName: dynamic-plugins-rhdh 24 | extraEnvs: 25 | secrets: 26 | - name: rhdh-secrets 27 | - key: token 28 | name: developer-hub-ocm 29 | extraFiles: 30 | mountPath: /opt/app-root/src 31 | configMaps: 32 | - name: rbac-policies 33 | replicas: 1 34 | route: 35 | enabled: true 36 | database: 37 | enableLocalDb: true 38 | -------------------------------------------------------------------------------- /components/developer-hub-config/externalsecret-devhub-read.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | 
metadata:
  name: developer-hub-user
  namespace: developer-hub
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: developer-hub-user
    creationPolicy: Owner
    template:
      engineVersion: v2
      metadata:
        annotations:
          # NOTE(review): these reflector annotations tell the reflector controller to copy this
          # Secret automatically into every namespace matching `[a-z-0-9]*-cicd`. The copy carries
          # the developer-hub password, so every workload (and every user with secret read access)
          # in any matching namespace can read it — including namespaces created later. Confirm the
          # pattern cannot match namespaces owned by untrusted tenants and consider a per-namespace
          # credential instead. The developer-hub kustomization currently leaves this file
          # commented out, so nothing is reflected yet.
          reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
          reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "[a-z-0-9]*-cicd"
          reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
          reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "[a-z-0-9]*-cicd"
      data:
        password: "{{ .ARGOCD_DEV_HUB_PASSWORD }}"
  dataFrom:
    - extract:
        conversionStrategy: Default
        decodingStrategy: None
        key: developer-hub
        metadataPolicy: None
--------------------------------------------------------------------------------
/clusters/vsphere/overlays/vsphere1-cluster-config/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

helmGlobals:
  chartHome: ../../../../helm/charts

helmCharts:
  - name: create-cluster
    releaseName: create-cluster
    valuesInline:
      # presumably surfaces as the `gitops=deploy` cluster label that the gitops Placement
      # selects on — verify in the chart.
      gitopsDeploy: "true"
      acmClusterSet: global
      clusterName: vsphere1
      baseDomain: v3socp.boo
      vips:
        api: 10.30.30.149
        ingress: 10.30.30.150
      masterNode:
        replicas: 3
        cpus: 4
        corePerSocket: 2
        memoryMB: 16384
        diskSizeGB: 120
      # Zero workers: a compact cluster where the control-plane nodes also run workloads.
      workerNode:
        replicas: 0
        cpus: 4
        corePerSocket: 2
        memoryMB: 16384
        diskSizeGB: 120

      vcenter:
        server: vcenter.vikaspogu.internal
        cluster: "/homelab/host/cluster1"
        datastore: "/homelab/datastore/datastore1"
        network: "VM Network"
        datacenter: homelab
--------------------------------------------------------------------------------
/components/developer-hub-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: developer-hub 5 | resources: 6 | - ./namespace.yaml 7 | - ./dynamic-plugin-pvc.yaml 8 | - ./backstage.yaml 9 | - ./externalsecret.yaml 10 | - ./externalsecret-pullsecret.yaml 11 | # - ./externalsecret-devhub-read.yaml 12 | # - ./externalsecret-pipeline-build.yaml 13 | - ./rolebindings.yaml 14 | - ./ocm-rolebindings.yaml 15 | - ./console-link.yaml 16 | # - ./aap-tools-deployment.yaml 17 | 18 | configMapGenerator: 19 | - name: app-config-rhdh 20 | files: 21 | - app-config-rhdh.yaml=./app-config-rhdh.yaml 22 | - name: dynamic-plugins-rhdh 23 | files: 24 | - dynamic-plugins.yaml=./dynamic-plugins-rhdh.yaml 25 | - name: rbac-policies 26 | files: 27 | - rbac-policies.csv=./rbac-policies.csv 28 | - rbac-conditional-policies.yaml=./rbac-conditional-policies.yaml 29 | generatorOptions: 30 | disableNameSuffixHash: true 31 | annotations: 32 | reloader.stakater.com/match: "true" 33 | -------------------------------------------------------------------------------- /.taskfiles/volsync/resources/templates/replicationdestination.yaml.j2: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationDestination 4 | metadata: 5 | name: volsync-dst-{{ ENV.APP }} 6 | namespace: {{ ENV.NS }} 7 | spec: 8 | trigger: 9 | manual: restore-once 10 | restic: 11 | repository: {{ ENV.APP }}-restic-secret 12 | destinationPVC: {{ ENV.CLAIM }} 13 | copyMethod: Direct 14 | storageClassName: {{ ENV.CLASS_NAME }} 15 | {% if ENV.RESTORE_AS_OF | default(None) %} 16 | {# 17 | On bootstrap set `restoreAsOf` to the time the old cluster was destroyed. 18 | This will essentially prevent volsync from trying to restore a backup 19 | from a application that started with default data in the PVC. 
20 | Do not restore snapshots made after the following RFC3339 Timestamp. 21 | date --rfc-3339=seconds (--utc) 22 | #} 23 | restoreAsOf: {{ ENV.RESTORE_AS_OF }} 24 | {% else %} 25 | {# 26 | Set to the last X number of snapshots to restore from 27 | #} 28 | previous: {{ ENV.PREVIOUS }} 29 | {% endif %} 30 | -------------------------------------------------------------------------------- /components/devspaces-config/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: github-oauth-config 6 | namespace: openshift-devspaces 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: github-oauth-config 13 | creationPolicy: Owner 14 | template: 15 | engineVersion: v2 16 | metadata: 17 | labels: 18 | app.kubernetes.io/part-of: che.eclipse.org 19 | app.kubernetes.io/component: oauth-scm-configuration 20 | annotations: 21 | che.eclipse.org/oauth-scm-server: github 22 | che.eclipse.org/scm-server-endpoint: https://github.com 23 | che.eclipse.org/scm-github-disable-subdomain-isolation: "false" 24 | data: 25 | id: "{{.client_id}}" 26 | secret: "{{.client_secret}}" 27 | dataFrom: 28 | - extract: 29 | conversionStrategy: Default 30 | decodingStrategy: None 31 | key: devspaces 32 | metadataPolicy: None 33 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fail_fast: false 3 | repos: 4 | - repo: https://github.com/adrienverge/yamllint 5 | rev: v1.31.0 6 | hooks: 7 | - args: 8 | - --config-file 9 | - .github/linters/.yamllint.yaml 10 | id: yamllint 11 | - repo: https://github.com/pre-commit/pre-commit-hooks 12 | rev: v4.4.0 13 | hooks: 14 | - id: check-merge-conflict 15 | - id: end-of-file-fixer 16 | - id: mixed-line-ending 17 | - 
id: trailing-whitespace 18 | args: [--markdown-linebreak-ext=md] 19 | - repo: https://github.com/Lucas-C/pre-commit-hooks 20 | rev: v1.5.1 21 | hooks: 22 | - id: remove-crlf 23 | - id: remove-tabs 24 | - repo: https://github.com/sirosen/texthooks 25 | rev: 0.5.0 26 | hooks: 27 | - id: fix-smartquotes 28 | - repo: https://github.com/k8s-at-home/sops-pre-commit 29 | rev: v2.1.1 30 | hooks: 31 | - id: forbid-secrets 32 | - repo: https://github.com/pre-commit/mirrors-prettier 33 | rev: v3.0.3 34 | hooks: 35 | - id: prettier 36 | exclude: ^(helm/|docs/) 37 | -------------------------------------------------------------------------------- /components/acs-central-configuration/create-cluster-init-bundle-sa.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | annotations: 5 | argocd.argoproj.io/sync-wave: "1" 6 | name: create-cluster-init 7 | namespace: stackrox 8 | rules: 9 | - apiGroups: 10 | - "" 11 | resources: 12 | - secrets 13 | verbs: 14 | - get 15 | - list 16 | - create 17 | - patch 18 | - update 19 | - apiGroups: 20 | - platform.stackrox.io 21 | resources: 22 | - securedclusters 23 | verbs: 24 | - get 25 | - list 26 | - patch 27 | - update 28 | --- 29 | apiVersion: rbac.authorization.k8s.io/v1 30 | kind: RoleBinding 31 | metadata: 32 | name: create-cluster-init 33 | namespace: stackrox 34 | roleRef: 35 | apiGroup: rbac.authorization.k8s.io 36 | kind: Role 37 | name: create-cluster-init 38 | subjects: 39 | - kind: ServiceAccount 40 | name: create-cluster-init 41 | namespace: stackrox 42 | --- 43 | apiVersion: v1 44 | kind: ServiceAccount 45 | metadata: 46 | name: create-cluster-init 47 | namespace: stackrox 48 | -------------------------------------------------------------------------------- /components/reloader-chart/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./namespace.yaml 6 | 7 | helmCharts: 8 | - name: reloader 9 | releaseName: reloader 10 | namespace: reloader 11 | repo: https://stakater.github.io/stakater-charts 12 | version: "2.2.3" 13 | valuesInline: 14 | nameOverride: reloader 15 | fullnameOverride: reloader 16 | reloader: 17 | isOpenshift: true 18 | 19 | patches: 20 | - target: 21 | kind: Deployment 22 | name: reloader 23 | patch: |- 24 | - op: replace 25 | path: /spec/template/spec/securityContext 26 | value: {} 27 | - op: replace 28 | path: /spec/template/spec/containers/0/env 29 | value: 30 | - name: GOMAXPROCS 31 | valueFrom: 32 | resourceFieldRef: 33 | divisor: '0' 34 | resource: limits.cpu 35 | - name: GOMEMLIMIT 36 | valueFrom: 37 | resourceFieldRef: 38 | divisor: '0' 39 | resource: limits.memory 40 | -------------------------------------------------------------------------------- /apps/virt-vm/secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: vm-ssh-creds 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: vm-ssh-creds 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | key: "{{.SSH_KEY}}" 17 | dataFrom: 18 | - extract: 19 | conversionStrategy: Default 20 | decodingStrategy: None 21 | key: vm-user-password 22 | metadataPolicy: None 23 | --- 24 | apiVersion: external-secrets.io/v1beta1 25 | kind: ExternalSecret 26 | metadata: 27 | name: vm-user-creds 28 | spec: 29 | secretStoreRef: 30 | kind: ClusterSecretStore 31 | name: onepassword-connect 32 | target: 33 | name: vm-user-creds 34 | creationPolicy: Owner 35 | template: 36 | engineVersion: v2 37 | data: 38 | password: "{{ .password }}" 39 | dataFrom: 40 | - extract: 41 | conversionStrategy: Default 42 | decodingStrategy: None 43 | key: 
vm-user-password 44 | metadataPolicy: None 45 | -------------------------------------------------------------------------------- /helm/charts/infra-env/values.yaml: -------------------------------------------------------------------------------- 1 | # note this chart expects the secret: pull-secret-{{ .Release.Name }} to be present. 2 | 3 | 4 | location: insert-location-here 5 | sshPublicKey: insert-public-key-here 6 | 7 | dnsResolvers: 8 | - 192.168.0.1 9 | 10 | routesConfig: 11 | - destination: 0.0.0.0/0 12 | next-hop-address: 192.168.30.1 13 | next-hop-interface: en0 14 | table-id: 254 15 | 16 | servers: 17 | - hostname: server1.mydomain.example 18 | role: worker 19 | bmc: 20 | enabled: false 21 | bmcAddress: idrac-virtualmedia://10.1.177.44/redfish/v1/Systems/System.Embedded.1 22 | bootMACAddress: E4:43:4B:4E:40:35 23 | labels: 24 | mylabel: myvalue 25 | nmstate: 26 | enabled: true 27 | spec: 28 | interfaces: 29 | en0: 30 | config: 31 | interfaces: 32 | - name: en0 33 | type: ethernet 34 | state: up 35 | mac-address: 36 | ipv4: 37 | enabled: true 38 | address: 39 | - ip: 192.168.1.1 40 | prefix-length: 23 41 | dhcp: false 42 | -------------------------------------------------------------------------------- /components/openshift-pipelines-config/task-replace-string.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: tekton.dev/v1beta1 3 | kind: Task 4 | metadata: 5 | annotations: 6 | tekton.dev/pipelines.minVersion: 0.12.1 7 | name: replace-string 8 | labels: 9 | app.kubernetes.io/version: 0.1.0 10 | spec: 11 | description: >- 12 | This task will update the image tag in the values file for the app's corresponding environment. 
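# Remainder of the replace-string Task spec; apiVersion/kind/metadata and the spec.description
# header precede this fragment.
  params:
    - name: REPLACE_STRING
      type: string
      description: replacement text written in place of every match (a sed replacement; `&` and `\N` are interpreted)
    - name: SEARCH_STRING
      type: string
      description: text to search for, interpreted by sed as a basic regular expression

  results:
    - description: returns exit status of command
      name: exit_status
      type: string

  workspaces:
    - name: output
      description: workspace onto which the file is updated

  steps:
    - name: replace-string
      # alpine:edge is a rolling tag; pin a release tag (ideally by digest) for reproducible runs.
      image: alpine:edge
      resources: {}
      workingDir: $(workspaces.output.path)
      # Params reach the script as environment variables rather than being interpolated into
      # the script text, so shell metacharacters in a param value cannot alter the command line.
      # The values are still used inside a sed expression (a value containing the `/` delimiter
      # breaks it), so they must come from a trusted pipeline param.
      env:
        - name: SEARCH_STRING
          value: $(params.SEARCH_STRING)
        - name: REPLACE_STRING
          value: $(params.REPLACE_STRING)
      script: |
        #!/bin/sh
        # The alpine image ships BusyBox sh (no bash), and BusyBox sed expects the in-place
        # suffix attached to -i, so the BSD form `sed -i ''` would treat '' as the script
        # and the expression as a filename.

        # Find and replace the string in all files, pruning .git so repository objects
        # are never rewritten.
        find . -path ./.git -prune -o -type f \
          -exec sed -i "s/${SEARCH_STRING}/${REPLACE_STRING}/g" {} +
        status=$?

        # Publish the exit status through the declared result (previously never written).
        printf '%s' "$status" > "$(results.exit_status.path)"

        echo "String replacement completed!"
        exit "$status"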