├── .gitmodules ├── LICENSE ├── README.md ├── authentication ├── .gitignore ├── admin-role.yml ├── dex-values.yml ├── google-sa-secret.yml └── install_dex.sh ├── cluster ├── .gitignore ├── README.md ├── apply.sh ├── configure_dns.sh ├── default.tfvars ├── destroy.sh ├── export_kubeconfig.sh ├── install_ansible.sh ├── install_nginx_ingress_controller.sh ├── nginx-values.yml ├── run_ansible.sh └── setup.sh ├── container-registry ├── .gitignore ├── README.md ├── harbor-oidc.png ├── install_harbor.sh └── values.yaml ├── continuous-delivery ├── .gitignore ├── argocd-ingress.yaml ├── argocd.yaml └── install_argocd.sh ├── database └── install_postgres.sh ├── logging ├── elasticsearch.yml ├── filebeat.yml ├── install_elasticsearch.sh └── install_filebeat.sh ├── monitoring ├── .gitignore ├── install_monitoring.sh └── values.yaml ├── network-security ├── .gitignore ├── install_cert-manager.sh ├── prod-issuer.yml └── staging-issuer.yml └── persistent-storage ├── cluster-test.yaml ├── install_rook_ceph.sh └── storageclass-test.yaml /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "cluster/kubespray"] 2 | path = cluster/kubespray 3 | url = git@github.com:kubernetes-sigs/kubespray.git 4 | [submodule "database/postgres-operator"] 5 | path = database/postgres-operator 6 | url = git@github.com:zalando/postgres-operator.git 7 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 
11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # cloud-native-platform 2 | 3 | Repo for "How to build your own cloud-native platform on IaaS clouds in 2021" 4 | 5 | This repo uses Exoscale as if it were just an IaaS cloud provider, that is, it does not leverage their Kubernetes service, but rather, just virtual machines. It is therefore almost exactly what you would use if you were deploying on bare metal, bare VMs (what we are doing), or some cloud provider that lacks all kinds of fancy load balancing or storage services. Truly bare-bones! 

But the goal is that we get a cluster that supports:

- ✅ Network security (Calico, cert-manager, Network Policies)
- ✅ Authentication (Dex IdP)
- ✅ Storage service (Rook and Ceph)
- ✅ Database services (Zalando Postgres Operator)
- ✅ Log handling and analysis (Elasticsearch and Filebeat)
- ✅ Application-aware detailed monitoring (Prometheus and Grafana)
- ✅ Container image registry (Harbor)
- ✅ Continuous delivery (ArgoCD)

...so we're fine with just bare VMs. :)

## Prerequisites

You will need a good local stack with bash, kubectl (with `krew` to manage plugins and the `oidc-login` plugin installed), terraform, the `exo` command line tool for working with Exoscale, and Python 3 on your laptop. And a web browser, of course.

Get yourself an Exoscale account, and set up API access. You should also make your Exoscale API access credentials available in the `~/.cloudstack.ini` file if you want the Terraform provider to Just Work. That file holds a long-lived API key that can create and destroy VMs, so keep it readable only by you (`chmod 600 ~/.cloudstack.ini`) and never copy it into this repository.

You will also need a Google account and administrative permissions so you can give privileges to a service account for single sign-on (SSO) purposes. Follow the guide [here](https://elastisys.com/elastisys-engineering-how-to-use-dex-with-google-accounts-to-manage-access-in-kubernetes/). The service account key you download is what Dex uses (together with `ADMIN_EMAIL`) to look up group membership in your Google directory; it is a credential, not configuration, so keep it out of version control (`authentication/.gitignore` ignores `*.json` for exactly this reason).

Finally, do note that this repo has git submodules, so go fetch them as part of cloning this repo. You can easily add `--recurse-submodules` as part of your `git clone` command. Or just go `git submodule update --init --recursive` to fetch them after the fact. Note that `.gitmodules` references both submodules over SSH (`git@github.com:...`), so you need a GitHub SSH key even though the upstream repositories are public; switch the URLs to `https://` if you do not have one.

## Usage

### Configuration

First, `export` some environment variables:

- `TOP_LEVEL_DOMAIN`, the parent domain under which your cluster should register itself and the services that it will expose (despite the name, this is the DNS zone you control, not a real top-level domain). For instance, if you want to deploy a cluster called `my-demo-cluster` and it should register itself under `example.com`, `TOP_LEVEL_DOMAIN` should be `example.com`.
You will then be able to access e.g. ArgoCD under `argo.my-demo-cluster.example.com` once you've installed it.
- `ADMIN_GROUP`, the group in your Google account that administrators belong to. Will typically look like `admins@yourcompany.com`. Members of this group are bound to the `cluster-admin` ClusterRole (`authentication/admin-role.yml`), so keep its membership tight, and make sure it is a group Dex actually emits in the `groups` claim (it has to be listed under the Google connector's `groups` in `authentication/dex-values.yml`, otherwise nobody ever matches the binding).
- `EMAIL`, your email address, used for Let's Encrypt certificates.
- `ADMIN_EMAIL`, the email address of an administrator in your Google account. Could be yours? Dex uses it together with the service account when it queries group membership (see the Google connector in `authentication/dex-values.yml`), which is why it has to be an administrator.
- `DEX_CLIENT_ID`, the client ID that your Google SSO account integration gives you (see guide above).
- `DEX_CLIENT_SECRET`, the secret associated with the Google SSO client ID.
- `SA_FILE`, the service account JSON file that you downloaded from Google as part of following the SSO guide above.
- `OIDC_CLIENT_SECRET`, a string value that your applications will use as a client secret value for OpenID Connect integrations with your Dex. Generate it randomly (e.g. `openssl rand -base64 32`). Be aware that in this repo one static client, `kubelogin`, is shared by `kubectl`, Grafana, Harbor and ArgoCD, and the API server is configured to trust tokens issued to that client, so whoever holds this secret, or an ID token minted for any of those apps, can authenticate to the Kubernetes API as the logged-in user. Treat it as a cluster-wide credential.

All of these values are read from the environment by the install scripts. Prefer `read -rs DEX_CLIENT_SECRET && export DEX_CLIENT_SECRET` (and likewise for the other secrets) over `export VAR=value`, so they do not end up in your shell history.

Optionally, if you don't want your cluster to be called `xxx-demo-cluster`, where `xxx` is your local username (determined via `whoami`), you can export `CLUSTER` to be whatever you want it to be called. Regular DNS name rules apply, so no spaces or similar.

### Installation

Now, you can set up your cluster. Do that via:

1. `cd cluster/`
1. `./setup.sh` to render the initial configuration files to deploy the cluster.
1. `./install_ansible.sh` to install Ansible and its dependencies in a virtualenv, so don't worry, it won't explode Python dependencies all over your system.
1. `./apply.sh` to run Terraform and get your cluster's VMs up and running. This step costs money.
1. `./run_ansible.sh` to install Kubernetes.
1. `./install_nginx_ingress_controller.sh` to install the NGINX Ingress Controller, so we can get traffic into the cluster.
1. `./configure_dns.sh` to set up a DNS wildcard record for `*.${CLUSTER}.${TOP_LEVEL_DOMAIN}`, so that any service we expose under that wildcard will be accessible via the NGINX Ingress Controller.
1. `source export_kubeconfig.sh` to make your `kubectl` know where the cluster is.

If you at this point issue a `kubectl get nodes` command, you should see your cluster present itself. Success!

Install network security features (cert-manager) next. This has to come before Dex, because the Dex ingress requests its certificate from the `letsencrypt-prod` ClusterIssuer that this step creates:

1. `cd ../network-security/`
1. `./install_cert-manager.sh`

Install authentication via SSO capabilities:

1. `cd ../authentication/`
1. `./install_dex.sh`

Besides installing Dex, this script binds `ADMIN_GROUP` to `cluster-admin`, re-runs the Kubespray playbook with OIDC enabled on the API server (`kube_oidc_url` pointing at your Dex, client ID `kubelogin`, user name taken from the `email` claim and groups from the `groups` claim), and appends OIDC login configuration to your `$KUBECONFIG`, so expect it to take a while. Keep a copy of the original, certificate-based admin kubeconfig somewhere safe as a break-glass credential in case SSO misbehaves.

Try a `kubectl get nodes` command, and it'll now make you log in via your Google account!

Install persistent storage support so you can provision Persistent Volumes:

1. `cd ../persistent-storage/`
1. `./install_rook_ceph.sh`

Install a database service, namely, the Zalando Postgres Operator:

1. `cd ../database/`
1. `./install_postgres.sh`

You can now easily request PostgreSQL databases as per the [Postgres Operator Quickstart](https://github.com/zalando/postgres-operator/blob/master/docs/quickstart.md#create-a-postgres-cluster) documentation.

Install logging support, with your very own Elasticsearch and Filebeat:

1. `cd ../logging/`
1. `./install_elasticsearch.sh` (you might want to wait a bit here at this stage)
1. `./install_filebeat.sh`

You can go to your very own Kibana instance by following the instructions that appear in your terminal. We are not exposing it to the Internet, because we can't do OIDC integration without paying for the Enterprise licence. 🙄

Install monitoring support with Prometheus and Grafana, supporting OIDC logins via Dex:

1. `cd ../monitoring/`
1. `./install_monitoring.sh`

You can go to `grafana.${CLUSTER}.${TOP_LEVEL_DOMAIN}` to interact with it.

Install container image registry via Harbor, also supporting OIDC logins via Dex:

1. `cd ../container-registry/`
1. 
`./install_harbor.sh` 105 | 106 | Read the [container registry README](container-registry/README.md) to find out how to integrate OIDC with Dex. 107 | 108 | You can go to `harbor.${CLUSTER}.${TOP_LEVEL_DOMAIN}` to interact with it. 109 | 110 | Install continuous delivery tooling (ArgoCD), that also supports OIDC logins via Dex: 111 | 112 | 1. `cd ../continuous-delivery/` 113 | 1. `./install_argocd.sh` 114 | 115 | You can go to `argo.${CLUSTER}.${TOP_LEVEL_DOMAIN}` to interact with it. 116 | 117 | # Questions? 118 | 119 | Don't hesitate to send questions either via GitHub Issues in this repo or to me directly at [lars.larsson@elastisys.com](mailto:lars.larsson@elastisys.com)! 120 | -------------------------------------------------------------------------------- /authentication/.gitignore: -------------------------------------------------------------------------------- 1 | rendered-* 2 | *.json 3 | -------------------------------------------------------------------------------- /authentication/admin-role.yml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: user-admin 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: cluster-admin 9 | subjects: 10 | - apiGroup: rbac.authorization.k8s.io 11 | kind: Group 12 | name: ADMIN_GROUP_PLACEHOLDER 13 | -------------------------------------------------------------------------------- /authentication/dex-values.yml: -------------------------------------------------------------------------------- 1 | imageTag: "v2.26.0" 2 | #crds are installed in the k8s apply step 3 | crd: 4 | present: true 5 | ingress: 6 | enabled: true 7 | annotations: 8 | cert-manager.io/cluster-issuer: letsencrypt-prod 9 | 10 | tls: 11 | - secretName: dex-tls 12 | hosts: 13 | - dex.DOMAIN_PLACEHOLDER 14 | hosts: 15 | - host: dex.DOMAIN_PLACEHOLDER 16 | paths: 17 | - path: / 18 | pathType: Prefix 
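# TLS is terminated by the NGINX ingress controller (cert-manager issues the
# certificate into the dex-tls Secret referenced in the ingress block above),
# so Dex itself only serves plain HTTP inside the cluster.
https:
  enabled: false
# The Google service-account key is mounted from the google-sa Secret that
# google-sa-secret.yml (below) creates.
volumeMounts:
  - mountPath: /etc/dex/google
    name: google-sa
volumes:
  - name: google-sa
    secret:
      secretName: google-sa
config:
  # Must match the kube_oidc_url that install_dex.sh writes into the Kubespray
  # inventory, otherwise the API server rejects every token.
  issuer: https://dex.DOMAIN_PLACEHOLDER
  storage:
    type: kubernetes
    config:
      inCluster: true
  connectors:
  - type: google
    id: google
    name: Google
    config:
      # Connector config values starting with a "$" will read from the environment.
      # NOTE(review): install_dex.sh substitutes the placeholders below with sed,
      # so the rendered copy of this file holds the Google client secret in clear
      # text. It is git-ignored (rendered-*), but treat it as sensitive.
      clientID: CLIENT_ID_PLACEHOLDER
      clientSecret: CLIENT_SECRET_PLACEHOLDER
      # Dex's issuer URL + "/callback"
      redirectURI: https://dex.DOMAIN_PLACEHOLDER/callback
      # Service-account key (mounted above) and the administrator account used
      # together with it to query group membership.
      serviceAccountFilePath: /etc/dex/google/sa.json
      adminEmail: ADMIN_EMAIL_PLACEHOLDER
      # Only accounts from this Google Workspace domain are accepted.
      # Rendered by install_dex.sh from HOSTED_DOMAIN (defaults to the domain
      # part of ADMIN_GROUP) instead of the vendor domain the file used to
      # hard-code, which locked everyone else out of their own cluster.
      hostedDomains:
      - HOSTED_DOMAIN_PLACEHOLDER
      # Groups the connector exposes in the "groups" claim (and, depending on
      # the Dex version, the only groups allowed to log in -- confirm against
      # the v2.26.0 Google connector docs). This MUST contain the group that
      # admin-role.yml binds to cluster-admin; the vendor-specific group that
      # was hard-coded here before meant that binding never matched anyone.
      groups:
      - ADMIN_GROUP_PLACEHOLDER
  staticClients:
  # NOTE(review): a single static client and secret is shared by kubectl
  # (the loopback URIs), Grafana, Harbor and ArgoCD, and install_dex.sh points
  # the API server's kube_oidc_client_id at it. Every ID token issued to any of
  # these web apps therefore carries an audience the Kubernetes API accepts.
  # Prefer one staticClient per application, each with its own secret, and keep
  # only kubelogin as the API-server audience.
  - id: kubelogin
    name: 'Kubernetes CLI'
    secret: OIDC_CLIENT_SECRET_PLACEHOLDER
    redirectURIs:
    # Loopback callbacks, presumably for the kubectl oidc-login plugin's local
    # listener -- TODO confirm the ports against the plugin configuration.
    - http://localhost:8000
    - http://localhost:8080/oauth2/callback
    - https://grafana.DOMAIN_PLACEHOLDER/login/generic_oauth
    - https://harbor.DOMAIN_PLACEHOLDER/c/oidc/callback
    - https://argo.DOMAIN_PLACEHOLDER/auth/callback

--------------------------------------------------------------------------------
/authentication/google-sa-secret.yml:
--------------------------------------------------------------------------------
# Google service-account key that Dex mounts at /etc/dex/google/sa.json.
# install_dex.sh replaces SA_FILE_PLACEHOLDER with the base64 of $SA_FILE.
# The namespace has to be the one the Dex release lands in: install_dex.sh runs
# helm without -n, i.e. the kubeconfig's current namespace, which is "default"
# unless you changed it.
apiVersion: v1
kind: Secret
metadata:
  name: google-sa
  namespace: default
type: Opaque
data:
  sa.json: SA_FILE_PLACEHOLDER

--------------------------------------------------------------------------------
/authentication/install_dex.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Installs Dex (Helm) with the Google connector, creates the service-account
# Secret, binds ADMIN_GROUP to cluster-admin and re-runs Kubespray so that the
# API server trusts Dex as its OIDC provider.
#
# Required environment (see README): TOP_LEVEL_DOMAIN, ADMIN_GROUP, ADMIN_EMAIL,
# DEX_CLIENT_ID, DEX_CLIENT_SECRET, OIDC_CLIENT_SECRET, SA_FILE. `set -u` below
# aborts on the first one that is unset.
# Optional: CLUSTER (defaults to <user>-demo-cluster) and HOSTED_DOMAIN, the
# Google Workspace domain allowed to log in (defaults to the domain part of
# ADMIN_GROUP).
#
# NOTE(review): the sed invocations further down pass DEX_CLIENT_SECRET and
# OIDC_CLIENT_SECRET as command-line arguments, which are visible to other
# local users via `ps` for the duration of each call. On a shared workstation
# render the values with a tool that reads secrets from the environment instead.

set -eou pipefail
CLUSTER=${CLUSTER:-$(whoami)-demo-cluster}
HOSTED_DOMAIN=${HOSTED_DOMAIN:-${ADMIN_GROUP#*@}}

# Render the chart values. The rendered copy contains clear-text secrets; it is
# git-ignored (rendered-*) but still sits on disk, so restrict it to the owner.
cp dex-values.yml rendered-dex-values.yml
chmod 600 rendered-dex-values.yml
# '|' is used as the sed delimiter here because the substituted values are
# free-form and a '/' inside them would otherwise terminate the pattern.
sed -i -e "s|HOSTED_DOMAIN_PLACEHOLDER|${HOSTED_DOMAIN}|g" rendered-dex-values.yml
sed -i -e "s|ADMIN_GROUP_PLACEHOLDER|${ADMIN_GROUP}|g" rendered-dex-values.yml
sed -i -e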
"s/OIDC_CLIENT_SECRET_PLACEHOLDER/${OIDC_CLIENT_SECRET}/g" rendered-dex-values.yml 8 | sed -i -e "s/CLIENT_ID_PLACEHOLDER/${DEX_CLIENT_ID}/g" rendered-dex-values.yml 9 | sed -i -e "s/CLIENT_SECRET_PLACEHOLDER/${DEX_CLIENT_SECRET}/g" rendered-dex-values.yml 10 | sed -i -e "s/DOMAIN_PLACEHOLDER/${CLUSTER}.${TOP_LEVEL_DOMAIN}/g" rendered-dex-values.yml 11 | sed -i -e "s/ADMIN_EMAIL_PLACEHOLDER/${ADMIN_EMAIL}/g" rendered-dex-values.yml 12 | 13 | SA_FILE_CONTENTS=$(base64 -w0 ${SA_FILE}) 14 | sed -e "s/SA_FILE_PLACEHOLDER/${SA_FILE_CONTENTS}/g" google-sa-secret.yml > rendered-google-sa-secret.yml 15 | 16 | kubectl apply -f rendered-google-sa-secret.yml 17 | helm repo add dex https://charts.dexidp.io 18 | helm repo update 19 | helm upgrade --install --values rendered-dex-values.yml dex dex/dex 20 | 21 | cp admin-role.yml rendered-admin-role.yml 22 | sed -i -e "s/ADMIN_GROUP_PLACEHOLDER/${ADMIN_GROUP}/g" rendered-admin-role.yml 23 | kubectl apply -f rendered-admin-role.yml 24 | 25 | pushd ../cluster/ 26 | sed -i -e "s!# kube_oidc_auth: false!kube_oidc_auth: true!g" kubespray/inventory/${CLUSTER}/group_vars/k8s-cluster/k8s-cluster.yml 27 | sed -i -e "s!# kube_oidc_url: .*!kube_oidc_url: https://dex.${CLUSTER}.${TOP_LEVEL_DOMAIN}!g" kubespray/inventory/${CLUSTER}/group_vars/k8s-cluster/k8s-cluster.yml 28 | sed -i -e "s!# kube_oidc_client_id: .*!kube_oidc_client_id: kubelogin!g" kubespray/inventory/${CLUSTER}/group_vars/k8s-cluster/k8s-cluster.yml 29 | sed -i -e "s!# kube_oidc_username_claim: .*!kube_oidc_username_claim: email!g" kubespray/inventory/${CLUSTER}/group_vars/k8s-cluster/k8s-cluster.yml 30 | sed -i -e "s!# kube_oidc_groups_claim: .*!kube_oidc_groups_claim: groups!g" kubespray/inventory/${CLUSTER}/group_vars/k8s-cluster/k8s-cluster.yml 31 | ./run_ansible.sh 32 | 33 | cat >> $KUBECONFIG <: 275 | type: string 276 | type: array 277 | namePrefix: 278 | description: NamePrefix is a prefix appended to resources for Kustomize apps 279 | type: string 280 | nameSuffix: 281 
| description: NameSuffix is a suffix appended to resources for Kustomize apps 282 | type: string 283 | version: 284 | description: Version controls which version of Kustomize to use for rendering manifests 285 | type: string 286 | type: object 287 | path: 288 | description: Path is a directory path within the Git repository, and is only valid for applications sourced from Git. 289 | type: string 290 | plugin: 291 | description: ConfigManagementPlugin holds config management plugin specific options 292 | properties: 293 | env: 294 | description: Env is a list of environment variable entries 295 | items: 296 | description: EnvEntry represents an entry in the application's environment 297 | properties: 298 | name: 299 | description: Name is the name of the variable, usually expressed in uppercase 300 | type: string 301 | value: 302 | description: Value is the value of the variable 303 | type: string 304 | required: 305 | - name 306 | - value 307 | type: object 308 | type: array 309 | name: 310 | type: string 311 | type: object 312 | repoURL: 313 | description: RepoURL is the URL to the repository (Git or Helm) that contains the application manifests 314 | type: string 315 | targetRevision: 316 | description: TargetRevision defines the revision of the source to sync the application to. In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. In case of Helm, this is a semver tag for the Chart's version. 317 | type: string 318 | required: 319 | - repoURL 320 | type: object 321 | syncOptions: 322 | description: SyncOptions provide per-sync sync-options, e.g. Validate=false 323 | items: 324 | type: string 325 | type: array 326 | syncStrategy: 327 | description: SyncStrategy describes how to perform the sync 328 | properties: 329 | apply: 330 | description: Apply will perform a `kubectl apply` to perform the sync. 331 | properties: 332 | force: 333 | description: Force indicates whether or not to supply the --force flag to `kubectl apply`. 
The --force flag deletes and re-create the resource, when PATCH encounters conflict and has retried for 5 times. 334 | type: boolean 335 | type: object 336 | hook: 337 | description: Hook will submit any referenced resources to perform the sync. This is the default strategy 338 | properties: 339 | force: 340 | description: Force indicates whether or not to supply the --force flag to `kubectl apply`. The --force flag deletes and re-create the resource, when PATCH encounters conflict and has retried for 5 times. 341 | type: boolean 342 | type: object 343 | type: object 344 | type: object 345 | type: object 346 | spec: 347 | description: ApplicationSpec represents desired application state. Contains link to repository with application definition and additional parameters link definition revision. 348 | properties: 349 | destination: 350 | description: Destination is a reference to the target Kubernetes server and namespace 351 | properties: 352 | name: 353 | description: Name is an alternate way of specifying the target cluster by its symbolic name 354 | type: string 355 | namespace: 356 | description: Namespace specifies the target namespace for the application's resources. The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace 357 | type: string 358 | server: 359 | description: Server specifies the URL of the target cluster and must be set to the Kubernetes control plane API 360 | type: string 361 | type: object 362 | ignoreDifferences: 363 | description: IgnoreDifferences is a list of resources and their fields which should be ignored during comparison 364 | items: 365 | description: ResourceIgnoreDifferences contains resource filter and list of json paths which should be ignored during comparison with live state. 
366 | properties: 367 | group: 368 | type: string 369 | jsonPointers: 370 | items: 371 | type: string 372 | type: array 373 | kind: 374 | type: string 375 | name: 376 | type: string 377 | namespace: 378 | type: string 379 | required: 380 | - jsonPointers 381 | - kind 382 | type: object 383 | type: array 384 | info: 385 | description: Info contains a list of information (URLs, email addresses, and plain text) that relates to the application 386 | items: 387 | properties: 388 | name: 389 | type: string 390 | value: 391 | type: string 392 | required: 393 | - name 394 | - value 395 | type: object 396 | type: array 397 | project: 398 | description: Project is a reference to the project this application belongs to. The empty string means that application belongs to the 'default' project. 399 | type: string 400 | revisionHistoryLimit: 401 | description: RevisionHistoryLimit limits the number of items kept in the application's revision history, which is used for informational purposes as well as for rollbacks to previous versions. This should only be changed in exceptional circumstances. Setting to zero will store no history. This will reduce storage used. Increasing will increase the space used to store the history, so we do not recommend increasing it. Default is 10. 402 | format: int64 403 | type: integer 404 | source: 405 | description: Source is a reference to the location of the application's manifests or chart 406 | properties: 407 | chart: 408 | description: Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo. 
409 | type: string 410 | directory: 411 | description: Directory holds path/directory specific options 412 | properties: 413 | exclude: 414 | description: Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation 415 | type: string 416 | include: 417 | description: Include contains a glob pattern to match paths against that should be explicitly included during manifest generation 418 | type: string 419 | jsonnet: 420 | description: Jsonnet holds options specific to Jsonnet 421 | properties: 422 | extVars: 423 | description: ExtVars is a list of Jsonnet External Variables 424 | items: 425 | description: JsonnetVar represents a variable to be passed to jsonnet during manifest generation 426 | properties: 427 | code: 428 | type: boolean 429 | name: 430 | type: string 431 | value: 432 | type: string 433 | required: 434 | - name 435 | - value 436 | type: object 437 | type: array 438 | libs: 439 | description: Additional library search dirs 440 | items: 441 | type: string 442 | type: array 443 | tlas: 444 | description: TLAS is a list of Jsonnet Top-level Arguments 445 | items: 446 | description: JsonnetVar represents a variable to be passed to jsonnet during manifest generation 447 | properties: 448 | code: 449 | type: boolean 450 | name: 451 | type: string 452 | value: 453 | type: string 454 | required: 455 | - name 456 | - value 457 | type: object 458 | type: array 459 | type: object 460 | recurse: 461 | description: Recurse specifies whether to scan a directory recursively for manifests 462 | type: boolean 463 | type: object 464 | helm: 465 | description: Helm holds helm specific options 466 | properties: 467 | fileParameters: 468 | description: FileParameters are file parameters to the helm template 469 | items: 470 | description: HelmFileParameter is a file parameter that's passed to helm template during manifest generation 471 | properties: 472 | name: 473 | description: Name is the name of 
the Helm parameter 474 | type: string 475 | path: 476 | description: Path is the path to the file containing the values for the Helm parameter 477 | type: string 478 | type: object 479 | type: array 480 | parameters: 481 | description: Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation 482 | items: 483 | description: HelmParameter is a parameter that's passed to helm template during manifest generation 484 | properties: 485 | forceString: 486 | description: ForceString determines whether to tell Helm to interpret booleans and numbers as strings 487 | type: boolean 488 | name: 489 | description: Name is the name of the Helm parameter 490 | type: string 491 | value: 492 | description: Value is the value for the Helm parameter 493 | type: string 494 | type: object 495 | type: array 496 | releaseName: 497 | description: ReleaseName is the Helm release name to use. If omitted it will use the application name 498 | type: string 499 | valueFiles: 500 | description: ValuesFiles is a list of Helm value files to use when generating a template 501 | items: 502 | type: string 503 | type: array 504 | values: 505 | description: Values specifies Helm values to be passed to helm template, typically defined as a block 506 | type: string 507 | version: 508 | description: Version is the Helm version to use for templating (either "2" or "3") 509 | type: string 510 | type: object 511 | ksonnet: 512 | description: Ksonnet holds ksonnet specific options 513 | properties: 514 | environment: 515 | description: Environment is a ksonnet application environment name 516 | type: string 517 | parameters: 518 | description: Parameters are a list of ksonnet component parameter override values 519 | items: 520 | description: KsonnetParameter is a ksonnet component parameter 521 | properties: 522 | component: 523 | type: string 524 | name: 525 | type: string 526 | value: 527 | type: string 528 | required: 529 | - name 530 | - value 531 | 
type: object 532 | type: array 533 | type: object 534 | kustomize: 535 | description: Kustomize holds kustomize specific options 536 | properties: 537 | commonAnnotations: 538 | additionalProperties: 539 | type: string 540 | description: CommonAnnotations is a list of additional annotations to add to rendered manifests 541 | type: object 542 | commonLabels: 543 | additionalProperties: 544 | type: string 545 | description: CommonLabels is a list of additional labels to add to rendered manifests 546 | type: object 547 | images: 548 | description: Images is a list of Kustomize image override specifications 549 | items: 550 | description: KustomizeImage represents a Kustomize image definition in the format [old_image_name=]: 551 | type: string 552 | type: array 553 | namePrefix: 554 | description: NamePrefix is a prefix appended to resources for Kustomize apps 555 | type: string 556 | nameSuffix: 557 | description: NameSuffix is a suffix appended to resources for Kustomize apps 558 | type: string 559 | version: 560 | description: Version controls which version of Kustomize to use for rendering manifests 561 | type: string 562 | type: object 563 | path: 564 | description: Path is a directory path within the Git repository, and is only valid for applications sourced from Git. 
565 | type: string 566 | plugin: 567 | description: ConfigManagementPlugin holds config management plugin specific options 568 | properties: 569 | env: 570 | description: Env is a list of environment variable entries 571 | items: 572 | description: EnvEntry represents an entry in the application's environment 573 | properties: 574 | name: 575 | description: Name is the name of the variable, usually expressed in uppercase 576 | type: string 577 | value: 578 | description: Value is the value of the variable 579 | type: string 580 | required: 581 | - name 582 | - value 583 | type: object 584 | type: array 585 | name: 586 | type: string 587 | type: object 588 | repoURL: 589 | description: RepoURL is the URL to the repository (Git or Helm) that contains the application manifests 590 | type: string 591 | targetRevision: 592 | description: TargetRevision defines the revision of the source to sync the application to. In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. In case of Helm, this is a semver tag for the Chart's version. 
593 | type: string 594 | required: 595 | - repoURL 596 | type: object 597 | syncPolicy: 598 | description: SyncPolicy controls when and how a sync will be performed 599 | properties: 600 | automated: 601 | description: Automated will keep an application synced to the target revision 602 | properties: 603 | allowEmpty: 604 | description: 'AllowEmpty allows apps have zero live resources (default: false)' 605 | type: boolean 606 | prune: 607 | description: 'Prune specifies whether to delete resources from the cluster that are not found in the sources anymore as part of automated sync (default: false)' 608 | type: boolean 609 | selfHeal: 610 | description: 'SelfHeal specifes whether to revert resources back to their desired state upon modification in the cluster (default: false)' 611 | type: boolean 612 | type: object 613 | retry: 614 | description: Retry controls failed sync retry behavior 615 | properties: 616 | backoff: 617 | description: Backoff controls how to backoff on subsequent retries of failed syncs 618 | properties: 619 | duration: 620 | description: Duration is the amount to back off. Default unit is seconds, but could also be a duration (e.g. "2m", "1h") 621 | type: string 622 | factor: 623 | description: Factor is a factor to multiply the base duration after each failed retry 624 | format: int64 625 | type: integer 626 | maxDuration: 627 | description: MaxDuration is the maximum amount of time allowed for the backoff strategy 628 | type: string 629 | type: object 630 | limit: 631 | description: Limit is the maximum number of attempts for retrying a failed sync. If set to 0, no retries will be performed. 
632 | format: int64 633 | type: integer 634 | type: object 635 | syncOptions: 636 | description: Options allow you to specify whole app sync-options 637 | items: 638 | type: string 639 | type: array 640 | type: object 641 | required: 642 | - destination 643 | - project 644 | - source 645 | type: object 646 | status: 647 | description: ApplicationStatus contains status information for the application 648 | properties: 649 | conditions: 650 | description: Conditions is a list of currently observed application conditions 651 | items: 652 | description: ApplicationCondition contains details about an application condition, which is usally an error or warning 653 | properties: 654 | lastTransitionTime: 655 | description: LastTransitionTime is the time the condition was last observed 656 | format: date-time 657 | type: string 658 | message: 659 | description: Message contains human-readable message indicating details about condition 660 | type: string 661 | type: 662 | description: Type is an application condition type 663 | type: string 664 | required: 665 | - message 666 | - type 667 | type: object 668 | type: array 669 | health: 670 | description: Health contains information about the application's current health status 671 | properties: 672 | message: 673 | description: Message is a human-readable informational message describing the health status 674 | type: string 675 | status: 676 | description: Status holds the status code of the application or resource 677 | type: string 678 | type: object 679 | history: 680 | description: History contains information about the application's sync history 681 | items: 682 | description: RevisionHistory contains history information about a previous sync 683 | properties: 684 | deployStartedAt: 685 | description: DeployStartedAt holds the time the sync operation started 686 | format: date-time 687 | type: string 688 | deployedAt: 689 | description: DeployedAt holds the time the sync operation completed 690 | format: date-time 691 | 
type: string 692 | id: 693 | description: ID is an auto incrementing identifier of the RevisionHistory 694 | format: int64 695 | type: integer 696 | revision: 697 | description: Revision holds the revision the sync was performed against 698 | type: string 699 | source: 700 | description: Source is a reference to the application source used for the sync operation 701 | properties: 702 | chart: 703 | description: Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo. 704 | type: string 705 | directory: 706 | description: Directory holds path/directory specific options 707 | properties: 708 | exclude: 709 | description: Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation 710 | type: string 711 | include: 712 | description: Include contains a glob pattern to match paths against that should be explicitly included during manifest generation 713 | type: string 714 | jsonnet: 715 | description: Jsonnet holds options specific to Jsonnet 716 | properties: 717 | extVars: 718 | description: ExtVars is a list of Jsonnet External Variables 719 | items: 720 | description: JsonnetVar represents a variable to be passed to jsonnet during manifest generation 721 | properties: 722 | code: 723 | type: boolean 724 | name: 725 | type: string 726 | value: 727 | type: string 728 | required: 729 | - name 730 | - value 731 | type: object 732 | type: array 733 | libs: 734 | description: Additional library search dirs 735 | items: 736 | type: string 737 | type: array 738 | tlas: 739 | description: TLAS is a list of Jsonnet Top-level Arguments 740 | items: 741 | description: JsonnetVar represents a variable to be passed to jsonnet during manifest generation 742 | properties: 743 | code: 744 | type: boolean 745 | name: 746 | type: string 747 | value: 748 | type: string 749 | required: 750 | - name 751 | - value 752 | type: object 753 | type: array 754 | type: object 755 | 
recurse: 756 | description: Recurse specifies whether to scan a directory recursively for manifests 757 | type: boolean 758 | type: object 759 | helm: 760 | description: Helm holds helm specific options 761 | properties: 762 | fileParameters: 763 | description: FileParameters are file parameters to the helm template 764 | items: 765 | description: HelmFileParameter is a file parameter that's passed to helm template during manifest generation 766 | properties: 767 | name: 768 | description: Name is the name of the Helm parameter 769 | type: string 770 | path: 771 | description: Path is the path to the file containing the values for the Helm parameter 772 | type: string 773 | type: object 774 | type: array 775 | parameters: 776 | description: Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation 777 | items: 778 | description: HelmParameter is a parameter that's passed to helm template during manifest generation 779 | properties: 780 | forceString: 781 | description: ForceString determines whether to tell Helm to interpret booleans and numbers as strings 782 | type: boolean 783 | name: 784 | description: Name is the name of the Helm parameter 785 | type: string 786 | value: 787 | description: Value is the value for the Helm parameter 788 | type: string 789 | type: object 790 | type: array 791 | releaseName: 792 | description: ReleaseName is the Helm release name to use. 
If omitted it will use the application name 793 | type: string 794 | valueFiles: 795 | description: ValuesFiles is a list of Helm value files to use when generating a template 796 | items: 797 | type: string 798 | type: array 799 | values: 800 | description: Values specifies Helm values to be passed to helm template, typically defined as a block 801 | type: string 802 | version: 803 | description: Version is the Helm version to use for templating (either "2" or "3") 804 | type: string 805 | type: object 806 | ksonnet: 807 | description: Ksonnet holds ksonnet specific options 808 | properties: 809 | environment: 810 | description: Environment is a ksonnet application environment name 811 | type: string 812 | parameters: 813 | description: Parameters are a list of ksonnet component parameter override values 814 | items: 815 | description: KsonnetParameter is a ksonnet component parameter 816 | properties: 817 | component: 818 | type: string 819 | name: 820 | type: string 821 | value: 822 | type: string 823 | required: 824 | - name 825 | - value 826 | type: object 827 | type: array 828 | type: object 829 | kustomize: 830 | description: Kustomize holds kustomize specific options 831 | properties: 832 | commonAnnotations: 833 | additionalProperties: 834 | type: string 835 | description: CommonAnnotations is a list of additional annotations to add to rendered manifests 836 | type: object 837 | commonLabels: 838 | additionalProperties: 839 | type: string 840 | description: CommonLabels is a list of additional labels to add to rendered manifests 841 | type: object 842 | images: 843 | description: Images is a list of Kustomize image override specifications 844 | items: 845 | description: KustomizeImage represents a Kustomize image definition in the format [old_image_name=]: 846 | type: string 847 | type: array 848 | namePrefix: 849 | description: NamePrefix is a prefix appended to resources for Kustomize apps 850 | type: string 851 | nameSuffix: 852 | description: 
NameSuffix is a suffix appended to resources for Kustomize apps 853 | type: string 854 | version: 855 | description: Version controls which version of Kustomize to use for rendering manifests 856 | type: string 857 | type: object 858 | path: 859 | description: Path is a directory path within the Git repository, and is only valid for applications sourced from Git. 860 | type: string 861 | plugin: 862 | description: ConfigManagementPlugin holds config management plugin specific options 863 | properties: 864 | env: 865 | description: Env is a list of environment variable entries 866 | items: 867 | description: EnvEntry represents an entry in the application's environment 868 | properties: 869 | name: 870 | description: Name is the name of the variable, usually expressed in uppercase 871 | type: string 872 | value: 873 | description: Value is the value of the variable 874 | type: string 875 | required: 876 | - name 877 | - value 878 | type: object 879 | type: array 880 | name: 881 | type: string 882 | type: object 883 | repoURL: 884 | description: RepoURL is the URL to the repository (Git or Helm) that contains the application manifests 885 | type: string 886 | targetRevision: 887 | description: TargetRevision defines the revision of the source to sync the application to. In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. In case of Helm, this is a semver tag for the Chart's version. 
888 | type: string 889 | required: 890 | - repoURL 891 | type: object 892 | required: 893 | - deployedAt 894 | - id 895 | - revision 896 | type: object 897 | type: array 898 | observedAt: 899 | description: 'ObservedAt indicates when the application state was updated without querying latest git state Deprecated: controller no longer updates ObservedAt field' 900 | format: date-time 901 | type: string 902 | operationState: 903 | description: OperationState contains information about any ongoing operations, such as a sync 904 | properties: 905 | finishedAt: 906 | description: FinishedAt contains time of operation completion 907 | format: date-time 908 | type: string 909 | message: 910 | description: Message holds any pertinent messages when attempting to perform operation (typically errors). 911 | type: string 912 | operation: 913 | description: Operation is the original requested operation 914 | properties: 915 | info: 916 | description: Info is a list of informational items for this operation 917 | items: 918 | properties: 919 | name: 920 | type: string 921 | value: 922 | type: string 923 | required: 924 | - name 925 | - value 926 | type: object 927 | type: array 928 | initiatedBy: 929 | description: InitiatedBy contains information about who initiated the operations 930 | properties: 931 | automated: 932 | description: Automated is set to true if operation was initiated automatically by the application controller. 933 | type: boolean 934 | username: 935 | description: Username contains the name of a user who started operation 936 | type: string 937 | type: object 938 | retry: 939 | description: Retry controls the strategy to apply if a sync fails 940 | properties: 941 | backoff: 942 | description: Backoff controls how to backoff on subsequent retries of failed syncs 943 | properties: 944 | duration: 945 | description: Duration is the amount to back off. Default unit is seconds, but could also be a duration (e.g. 
"2m", "1h") 946 | type: string 947 | factor: 948 | description: Factor is a factor to multiply the base duration after each failed retry 949 | format: int64 950 | type: integer 951 | maxDuration: 952 | description: MaxDuration is the maximum amount of time allowed for the backoff strategy 953 | type: string 954 | type: object 955 | limit: 956 | description: Limit is the maximum number of attempts for retrying a failed sync. If set to 0, no retries will be performed. 957 | format: int64 958 | type: integer 959 | type: object 960 | sync: 961 | description: Sync contains parameters for the operation 962 | properties: 963 | dryRun: 964 | description: DryRun specifies to perform a `kubectl apply --dry-run` without actually performing the sync 965 | type: boolean 966 | manifests: 967 | description: Manifests is an optional field that overrides sync source with a local directory for development 968 | items: 969 | type: string 970 | type: array 971 | prune: 972 | description: Prune specifies to delete resources from the cluster that are no longer tracked in git 973 | type: boolean 974 | resources: 975 | description: Resources describes which resources shall be part of the sync 976 | items: 977 | description: SyncOperationResource contains resources to sync. 978 | properties: 979 | group: 980 | type: string 981 | kind: 982 | type: string 983 | name: 984 | type: string 985 | namespace: 986 | type: string 987 | required: 988 | - kind 989 | - name 990 | type: object 991 | type: array 992 | revision: 993 | description: Revision is the revision (Git) or chart version (Helm) which to sync the application to If omitted, will use the revision specified in app spec. 994 | type: string 995 | source: 996 | description: Source overrides the source definition set in the application. 
This is typically set in a Rollback operation and is nil during a Sync operation 997 | properties: 998 | chart: 999 | description: Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo. 1000 | type: string 1001 | directory: 1002 | description: Directory holds path/directory specific options 1003 | properties: 1004 | exclude: 1005 | description: Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation 1006 | type: string 1007 | include: 1008 | description: Include contains a glob pattern to match paths against that should be explicitly included during manifest generation 1009 | type: string 1010 | jsonnet: 1011 | description: Jsonnet holds options specific to Jsonnet 1012 | properties: 1013 | extVars: 1014 | description: ExtVars is a list of Jsonnet External Variables 1015 | items: 1016 | description: JsonnetVar represents a variable to be passed to jsonnet during manifest generation 1017 | properties: 1018 | code: 1019 | type: boolean 1020 | name: 1021 | type: string 1022 | value: 1023 | type: string 1024 | required: 1025 | - name 1026 | - value 1027 | type: object 1028 | type: array 1029 | libs: 1030 | description: Additional library search dirs 1031 | items: 1032 | type: string 1033 | type: array 1034 | tlas: 1035 | description: TLAS is a list of Jsonnet Top-level Arguments 1036 | items: 1037 | description: JsonnetVar represents a variable to be passed to jsonnet during manifest generation 1038 | properties: 1039 | code: 1040 | type: boolean 1041 | name: 1042 | type: string 1043 | value: 1044 | type: string 1045 | required: 1046 | - name 1047 | - value 1048 | type: object 1049 | type: array 1050 | type: object 1051 | recurse: 1052 | description: Recurse specifies whether to scan a directory recursively for manifests 1053 | type: boolean 1054 | type: object 1055 | helm: 1056 | description: Helm holds helm specific options 1057 | properties: 1058 | 
fileParameters: 1059 | description: FileParameters are file parameters to the helm template 1060 | items: 1061 | description: HelmFileParameter is a file parameter that's passed to helm template during manifest generation 1062 | properties: 1063 | name: 1064 | description: Name is the name of the Helm parameter 1065 | type: string 1066 | path: 1067 | description: Path is the path to the file containing the values for the Helm parameter 1068 | type: string 1069 | type: object 1070 | type: array 1071 | parameters: 1072 | description: Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation 1073 | items: 1074 | description: HelmParameter is a parameter that's passed to helm template during manifest generation 1075 | properties: 1076 | forceString: 1077 | description: ForceString determines whether to tell Helm to interpret booleans and numbers as strings 1078 | type: boolean 1079 | name: 1080 | description: Name is the name of the Helm parameter 1081 | type: string 1082 | value: 1083 | description: Value is the value for the Helm parameter 1084 | type: string 1085 | type: object 1086 | type: array 1087 | releaseName: 1088 | description: ReleaseName is the Helm release name to use. 
If omitted it will use the application name 1089 | type: string 1090 | valueFiles: 1091 | description: ValuesFiles is a list of Helm value files to use when generating a template 1092 | items: 1093 | type: string 1094 | type: array 1095 | values: 1096 | description: Values specifies Helm values to be passed to helm template, typically defined as a block 1097 | type: string 1098 | version: 1099 | description: Version is the Helm version to use for templating (either "2" or "3") 1100 | type: string 1101 | type: object 1102 | ksonnet: 1103 | description: Ksonnet holds ksonnet specific options 1104 | properties: 1105 | environment: 1106 | description: Environment is a ksonnet application environment name 1107 | type: string 1108 | parameters: 1109 | description: Parameters are a list of ksonnet component parameter override values 1110 | items: 1111 | description: KsonnetParameter is a ksonnet component parameter 1112 | properties: 1113 | component: 1114 | type: string 1115 | name: 1116 | type: string 1117 | value: 1118 | type: string 1119 | required: 1120 | - name 1121 | - value 1122 | type: object 1123 | type: array 1124 | type: object 1125 | kustomize: 1126 | description: Kustomize holds kustomize specific options 1127 | properties: 1128 | commonAnnotations: 1129 | additionalProperties: 1130 | type: string 1131 | description: CommonAnnotations is a list of additional annotations to add to rendered manifests 1132 | type: object 1133 | commonLabels: 1134 | additionalProperties: 1135 | type: string 1136 | description: CommonLabels is a list of additional labels to add to rendered manifests 1137 | type: object 1138 | images: 1139 | description: Images is a list of Kustomize image override specifications 1140 | items: 1141 | description: KustomizeImage represents a Kustomize image definition in the format [old_image_name=]: 1142 | type: string 1143 | type: array 1144 | namePrefix: 1145 | description: NamePrefix is a prefix appended to resources for Kustomize apps 1146 | 
type: string 1147 | nameSuffix: 1148 | description: NameSuffix is a suffix appended to resources for Kustomize apps 1149 | type: string 1150 | version: 1151 | description: Version controls which version of Kustomize to use for rendering manifests 1152 | type: string 1153 | type: object 1154 | path: 1155 | description: Path is a directory path within the Git repository, and is only valid for applications sourced from Git. 1156 | type: string 1157 | plugin: 1158 | description: ConfigManagementPlugin holds config management plugin specific options 1159 | properties: 1160 | env: 1161 | description: Env is a list of environment variable entries 1162 | items: 1163 | description: EnvEntry represents an entry in the application's environment 1164 | properties: 1165 | name: 1166 | description: Name is the name of the variable, usually expressed in uppercase 1167 | type: string 1168 | value: 1169 | description: Value is the value of the variable 1170 | type: string 1171 | required: 1172 | - name 1173 | - value 1174 | type: object 1175 | type: array 1176 | name: 1177 | type: string 1178 | type: object 1179 | repoURL: 1180 | description: RepoURL is the URL to the repository (Git or Helm) that contains the application manifests 1181 | type: string 1182 | targetRevision: 1183 | description: TargetRevision defines the revision of the source to sync the application to. In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. In case of Helm, this is a semver tag for the Chart's version. 1184 | type: string 1185 | required: 1186 | - repoURL 1187 | type: object 1188 | syncOptions: 1189 | description: SyncOptions provide per-sync sync-options, e.g. Validate=false 1190 | items: 1191 | type: string 1192 | type: array 1193 | syncStrategy: 1194 | description: SyncStrategy describes how to perform the sync 1195 | properties: 1196 | apply: 1197 | description: Apply will perform a `kubectl apply` to perform the sync. 
1198 | properties: 1199 | force: 1200 | description: Force indicates whether or not to supply the --force flag to `kubectl apply`. The --force flag deletes and re-create the resource, when PATCH encounters conflict and has retried for 5 times. 1201 | type: boolean 1202 | type: object 1203 | hook: 1204 | description: Hook will submit any referenced resources to perform the sync. This is the default strategy 1205 | properties: 1206 | force: 1207 | description: Force indicates whether or not to supply the --force flag to `kubectl apply`. The --force flag deletes and re-create the resource, when PATCH encounters conflict and has retried for 5 times. 1208 | type: boolean 1209 | type: object 1210 | type: object 1211 | type: object 1212 | type: object 1213 | phase: 1214 | description: Phase is the current phase of the operation 1215 | type: string 1216 | retryCount: 1217 | description: RetryCount contains time of operation retries 1218 | format: int64 1219 | type: integer 1220 | startedAt: 1221 | description: StartedAt contains time of operation start 1222 | format: date-time 1223 | type: string 1224 | syncResult: 1225 | description: SyncResult is the result of a Sync operation 1226 | properties: 1227 | resources: 1228 | description: Resources contains a list of sync result items for each individual resource in a sync operation 1229 | items: 1230 | description: ResourceResult holds the operation result details of a specific resource 1231 | properties: 1232 | group: 1233 | description: Group specifies the API group of the resource 1234 | type: string 1235 | hookPhase: 1236 | description: HookPhase contains the state of any operation associated with this resource OR hook This can also contain values for non-hook resources. 1237 | type: string 1238 | hookType: 1239 | description: HookType specifies the type of the hook. 
Empty for non-hook resources 1240 | type: string 1241 | kind: 1242 | description: Kind specifies the API kind of the resource 1243 | type: string 1244 | message: 1245 | description: Message contains an informational or error message for the last sync OR operation 1246 | type: string 1247 | name: 1248 | description: Name specifies the name of the resource 1249 | type: string 1250 | namespace: 1251 | description: Namespace specifies the target namespace of the resource 1252 | type: string 1253 | status: 1254 | description: Status holds the final result of the sync. Will be empty if the resources is yet to be applied/pruned and is always zero-value for hooks 1255 | type: string 1256 | syncPhase: 1257 | description: SyncPhase indicates the particular phase of the sync that this result was acquired in 1258 | type: string 1259 | version: 1260 | description: Version specifies the API version of the resource 1261 | type: string 1262 | required: 1263 | - group 1264 | - kind 1265 | - name 1266 | - namespace 1267 | - version 1268 | type: object 1269 | type: array 1270 | revision: 1271 | description: Revision holds the revision this sync operation was performed to 1272 | type: string 1273 | source: 1274 | description: Source records the application source information of the sync, used for comparing auto-sync 1275 | properties: 1276 | chart: 1277 | description: Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo. 
1278 | type: string 1279 | directory: 1280 | description: Directory holds path/directory specific options 1281 | properties: 1282 | exclude: 1283 | description: Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation 1284 | type: string 1285 | include: 1286 | description: Include contains a glob pattern to match paths against that should be explicitly included during manifest generation 1287 | type: string 1288 | jsonnet: 1289 | description: Jsonnet holds options specific to Jsonnet 1290 | properties: 1291 | extVars: 1292 | description: ExtVars is a list of Jsonnet External Variables 1293 | items: 1294 | description: JsonnetVar represents a variable to be passed to jsonnet during manifest generation 1295 | properties: 1296 | code: 1297 | type: boolean 1298 | name: 1299 | type: string 1300 | value: 1301 | type: string 1302 | required: 1303 | - name 1304 | - value 1305 | type: object 1306 | type: array 1307 | libs: 1308 | description: Additional library search dirs 1309 | items: 1310 | type: string 1311 | type: array 1312 | tlas: 1313 | description: TLAS is a list of Jsonnet Top-level Arguments 1314 | items: 1315 | description: JsonnetVar represents a variable to be passed to jsonnet during manifest generation 1316 | properties: 1317 | code: 1318 | type: boolean 1319 | name: 1320 | type: string 1321 | value: 1322 | type: string 1323 | required: 1324 | - name 1325 | - value 1326 | type: object 1327 | type: array 1328 | type: object 1329 | recurse: 1330 | description: Recurse specifies whether to scan a directory recursively for manifests 1331 | type: boolean 1332 | type: object 1333 | helm: 1334 | description: Helm holds helm specific options 1335 | properties: 1336 | fileParameters: 1337 | description: FileParameters are file parameters to the helm template 1338 | items: 1339 | description: HelmFileParameter is a file parameter that's passed to helm template during manifest generation 1340 | 
properties: 1341 | name: 1342 | description: Name is the name of the Helm parameter 1343 | type: string 1344 | path: 1345 | description: Path is the path to the file containing the values for the Helm parameter 1346 | type: string 1347 | type: object 1348 | type: array 1349 | parameters: 1350 | description: Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation 1351 | items: 1352 | description: HelmParameter is a parameter that's passed to helm template during manifest generation 1353 | properties: 1354 | forceString: 1355 | description: ForceString determines whether to tell Helm to interpret booleans and numbers as strings 1356 | type: boolean 1357 | name: 1358 | description: Name is the name of the Helm parameter 1359 | type: string 1360 | value: 1361 | description: Value is the value for the Helm parameter 1362 | type: string 1363 | type: object 1364 | type: array 1365 | releaseName: 1366 | description: ReleaseName is the Helm release name to use. 
If omitted it will use the application name 1367 | type: string 1368 | valueFiles: 1369 | description: ValuesFiles is a list of Helm value files to use when generating a template 1370 | items: 1371 | type: string 1372 | type: array 1373 | values: 1374 | description: Values specifies Helm values to be passed to helm template, typically defined as a block 1375 | type: string 1376 | version: 1377 | description: Version is the Helm version to use for templating (either "2" or "3") 1378 | type: string 1379 | type: object 1380 | ksonnet: 1381 | description: Ksonnet holds ksonnet specific options 1382 | properties: 1383 | environment: 1384 | description: Environment is a ksonnet application environment name 1385 | type: string 1386 | parameters: 1387 | description: Parameters are a list of ksonnet component parameter override values 1388 | items: 1389 | description: KsonnetParameter is a ksonnet component parameter 1390 | properties: 1391 | component: 1392 | type: string 1393 | name: 1394 | type: string 1395 | value: 1396 | type: string 1397 | required: 1398 | - name 1399 | - value 1400 | type: object 1401 | type: array 1402 | type: object 1403 | kustomize: 1404 | description: Kustomize holds kustomize specific options 1405 | properties: 1406 | commonAnnotations: 1407 | additionalProperties: 1408 | type: string 1409 | description: CommonAnnotations is a list of additional annotations to add to rendered manifests 1410 | type: object 1411 | commonLabels: 1412 | additionalProperties: 1413 | type: string 1414 | description: CommonLabels is a list of additional labels to add to rendered manifests 1415 | type: object 1416 | images: 1417 | description: Images is a list of Kustomize image override specifications 1418 | items: 1419 | description: KustomizeImage represents a Kustomize image definition in the format [old_image_name=]: 1420 | type: string 1421 | type: array 1422 | namePrefix: 1423 | description: NamePrefix is a prefix appended to resources for Kustomize apps 1424 | 
type: string 1425 | nameSuffix: 1426 | description: NameSuffix is a suffix appended to resources for Kustomize apps 1427 | type: string 1428 | version: 1429 | description: Version controls which version of Kustomize to use for rendering manifests 1430 | type: string 1431 | type: object 1432 | path: 1433 | description: Path is a directory path within the Git repository, and is only valid for applications sourced from Git. 1434 | type: string 1435 | plugin: 1436 | description: ConfigManagementPlugin holds config management plugin specific options 1437 | properties: 1438 | env: 1439 | description: Env is a list of environment variable entries 1440 | items: 1441 | description: EnvEntry represents an entry in the application's environment 1442 | properties: 1443 | name: 1444 | description: Name is the name of the variable, usually expressed in uppercase 1445 | type: string 1446 | value: 1447 | description: Value is the value of the variable 1448 | type: string 1449 | required: 1450 | - name 1451 | - value 1452 | type: object 1453 | type: array 1454 | name: 1455 | type: string 1456 | type: object 1457 | repoURL: 1458 | description: RepoURL is the URL to the repository (Git or Helm) that contains the application manifests 1459 | type: string 1460 | targetRevision: 1461 | description: TargetRevision defines the revision of the source to sync the application to. In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. In case of Helm, this is a semver tag for the Chart's version. 
1462 | type: string 1463 | required: 1464 | - repoURL 1465 | type: object 1466 | required: 1467 | - revision 1468 | type: object 1469 | required: 1470 | - operation 1471 | - phase 1472 | - startedAt 1473 | type: object 1474 | reconciledAt: 1475 | description: ReconciledAt indicates when the application state was reconciled using the latest git version 1476 | format: date-time 1477 | type: string 1478 | resources: 1479 | description: Resources is a list of Kubernetes resources managed by this application 1480 | items: 1481 | description: 'ResourceStatus holds the current sync and health status of a resource TODO: describe members of this type' 1482 | properties: 1483 | group: 1484 | type: string 1485 | health: 1486 | description: HealthStatus contains information about the currently observed health state of an application or resource 1487 | properties: 1488 | message: 1489 | description: Message is a human-readable informational message describing the health status 1490 | type: string 1491 | status: 1492 | description: Status holds the status code of the application or resource 1493 | type: string 1494 | type: object 1495 | hook: 1496 | type: boolean 1497 | kind: 1498 | type: string 1499 | name: 1500 | type: string 1501 | namespace: 1502 | type: string 1503 | requiresPruning: 1504 | type: boolean 1505 | status: 1506 | description: SyncStatusCode is a type which represents possible comparison results 1507 | type: string 1508 | version: 1509 | type: string 1510 | type: object 1511 | type: array 1512 | sourceType: 1513 | description: SourceType specifies the type of this application 1514 | type: string 1515 | summary: 1516 | description: Summary contains a list of URLs and container images used by this application 1517 | properties: 1518 | externalURLs: 1519 | description: ExternalURLs holds all external URLs of application child resources. 
1520 | items: 1521 | type: string 1522 | type: array 1523 | images: 1524 | description: Images holds all images of application child resources. 1525 | items: 1526 | type: string 1527 | type: array 1528 | type: object 1529 | sync: 1530 | description: Sync contains information about the application's current sync status 1531 | properties: 1532 | comparedTo: 1533 | description: ComparedTo contains information about what has been compared 1534 | properties: 1535 | destination: 1536 | description: Destination is a reference to the application's destination used for comparison 1537 | properties: 1538 | name: 1539 | description: Name is an alternate way of specifying the target cluster by its symbolic name 1540 | type: string 1541 | namespace: 1542 | description: Namespace specifies the target namespace for the application's resources. The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace 1543 | type: string 1544 | server: 1545 | description: Server specifies the URL of the target cluster and must be set to the Kubernetes control plane API 1546 | type: string 1547 | type: object 1548 | source: 1549 | description: Source is a reference to the application's source used for comparison 1550 | properties: 1551 | chart: 1552 | description: Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo. 
1553 | type: string 1554 | directory: 1555 | description: Directory holds path/directory specific options 1556 | properties: 1557 | exclude: 1558 | description: Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during manifest generation 1559 | type: string 1560 | include: 1561 | description: Include contains a glob pattern to match paths against that should be explicitly included during manifest generation 1562 | type: string 1563 | jsonnet: 1564 | description: Jsonnet holds options specific to Jsonnet 1565 | properties: 1566 | extVars: 1567 | description: ExtVars is a list of Jsonnet External Variables 1568 | items: 1569 | description: JsonnetVar represents a variable to be passed to jsonnet during manifest generation 1570 | properties: 1571 | code: 1572 | type: boolean 1573 | name: 1574 | type: string 1575 | value: 1576 | type: string 1577 | required: 1578 | - name 1579 | - value 1580 | type: object 1581 | type: array 1582 | libs: 1583 | description: Additional library search dirs 1584 | items: 1585 | type: string 1586 | type: array 1587 | tlas: 1588 | description: TLAS is a list of Jsonnet Top-level Arguments 1589 | items: 1590 | description: JsonnetVar represents a variable to be passed to jsonnet during manifest generation 1591 | properties: 1592 | code: 1593 | type: boolean 1594 | name: 1595 | type: string 1596 | value: 1597 | type: string 1598 | required: 1599 | - name 1600 | - value 1601 | type: object 1602 | type: array 1603 | type: object 1604 | recurse: 1605 | description: Recurse specifies whether to scan a directory recursively for manifests 1606 | type: boolean 1607 | type: object 1608 | helm: 1609 | description: Helm holds helm specific options 1610 | properties: 1611 | fileParameters: 1612 | description: FileParameters are file parameters to the helm template 1613 | items: 1614 | description: HelmFileParameter is a file parameter that's passed to helm template during manifest generation 1615 | 
properties: 1616 | name: 1617 | description: Name is the name of the Helm parameter 1618 | type: string 1619 | path: 1620 | description: Path is the path to the file containing the values for the Helm parameter 1621 | type: string 1622 | type: object 1623 | type: array 1624 | parameters: 1625 | description: Parameters is a list of Helm parameters which are passed to the helm template command upon manifest generation 1626 | items: 1627 | description: HelmParameter is a parameter that's passed to helm template during manifest generation 1628 | properties: 1629 | forceString: 1630 | description: ForceString determines whether to tell Helm to interpret booleans and numbers as strings 1631 | type: boolean 1632 | name: 1633 | description: Name is the name of the Helm parameter 1634 | type: string 1635 | value: 1636 | description: Value is the value for the Helm parameter 1637 | type: string 1638 | type: object 1639 | type: array 1640 | releaseName: 1641 | description: ReleaseName is the Helm release name to use. 
If omitted it will use the application name 1642 | type: string 1643 | valueFiles: 1644 | description: ValuesFiles is a list of Helm value files to use when generating a template 1645 | items: 1646 | type: string 1647 | type: array 1648 | values: 1649 | description: Values specifies Helm values to be passed to helm template, typically defined as a block 1650 | type: string 1651 | version: 1652 | description: Version is the Helm version to use for templating (either "2" or "3") 1653 | type: string 1654 | type: object 1655 | ksonnet: 1656 | description: Ksonnet holds ksonnet specific options 1657 | properties: 1658 | environment: 1659 | description: Environment is a ksonnet application environment name 1660 | type: string 1661 | parameters: 1662 | description: Parameters are a list of ksonnet component parameter override values 1663 | items: 1664 | description: KsonnetParameter is a ksonnet component parameter 1665 | properties: 1666 | component: 1667 | type: string 1668 | name: 1669 | type: string 1670 | value: 1671 | type: string 1672 | required: 1673 | - name 1674 | - value 1675 | type: object 1676 | type: array 1677 | type: object 1678 | kustomize: 1679 | description: Kustomize holds kustomize specific options 1680 | properties: 1681 | commonAnnotations: 1682 | additionalProperties: 1683 | type: string 1684 | description: CommonAnnotations is a list of additional annotations to add to rendered manifests 1685 | type: object 1686 | commonLabels: 1687 | additionalProperties: 1688 | type: string 1689 | description: CommonLabels is a list of additional labels to add to rendered manifests 1690 | type: object 1691 | images: 1692 | description: Images is a list of Kustomize image override specifications 1693 | items: 1694 | description: KustomizeImage represents a Kustomize image definition in the format [old_image_name=]: 1695 | type: string 1696 | type: array 1697 | namePrefix: 1698 | description: NamePrefix is a prefix appended to resources for Kustomize apps 1699 | 
type: string 1700 | nameSuffix: 1701 | description: NameSuffix is a suffix appended to resources for Kustomize apps 1702 | type: string 1703 | version: 1704 | description: Version controls which version of Kustomize to use for rendering manifests 1705 | type: string 1706 | type: object 1707 | path: 1708 | description: Path is a directory path within the Git repository, and is only valid for applications sourced from Git. 1709 | type: string 1710 | plugin: 1711 | description: ConfigManagementPlugin holds config management plugin specific options 1712 | properties: 1713 | env: 1714 | description: Env is a list of environment variable entries 1715 | items: 1716 | description: EnvEntry represents an entry in the application's environment 1717 | properties: 1718 | name: 1719 | description: Name is the name of the variable, usually expressed in uppercase 1720 | type: string 1721 | value: 1722 | description: Value is the value of the variable 1723 | type: string 1724 | required: 1725 | - name 1726 | - value 1727 | type: object 1728 | type: array 1729 | name: 1730 | type: string 1731 | type: object 1732 | repoURL: 1733 | description: RepoURL is the URL to the repository (Git or Helm) that contains the application manifests 1734 | type: string 1735 | targetRevision: 1736 | description: TargetRevision defines the revision of the source to sync the application to. In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. In case of Helm, this is a semver tag for the Chart's version. 
1737 | type: string 1738 | required: 1739 | - repoURL 1740 | type: object 1741 | required: 1742 | - destination 1743 | - source 1744 | type: object 1745 | revision: 1746 | description: Revision contains information about the revision the comparison has been performed to 1747 | type: string 1748 | status: 1749 | description: Status is the sync state of the comparison 1750 | type: string 1751 | required: 1752 | - status 1753 | type: object 1754 | type: object 1755 | required: 1756 | - metadata 1757 | - spec 1758 | type: object 1759 | served: true 1760 | storage: true 1761 | subresources: {} 1762 | --- 1763 | apiVersion: apiextensions.k8s.io/v1 1764 | kind: CustomResourceDefinition 1765 | metadata: 1766 | labels: 1767 | app.kubernetes.io/name: appprojects.argoproj.io 1768 | app.kubernetes.io/part-of: argocd 1769 | name: appprojects.argoproj.io 1770 | spec: 1771 | group: argoproj.io 1772 | names: 1773 | kind: AppProject 1774 | listKind: AppProjectList 1775 | plural: appprojects 1776 | shortNames: 1777 | - appproj 1778 | - appprojs 1779 | singular: appproject 1780 | scope: Namespaced 1781 | versions: 1782 | - name: v1alpha1 1783 | schema: 1784 | openAPIV3Schema: 1785 | description: 'AppProject provides a logical grouping of applications, providing controls for: * where the apps may deploy to (cluster whitelist) * what may be deployed (repository whitelist, resource whitelist/blacklist) * who can access these applications (roles, OIDC group claims bindings) * and what they can do (RBAC policies) * automation access to these roles (JWT tokens)' 1786 | properties: 1787 | apiVersion: 1788 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1789 | type: string 1790 | kind: 1791 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1792 | type: string 1793 | metadata: 1794 | type: object 1795 | spec: 1796 | description: AppProjectSpec is the specification of an AppProject 1797 | properties: 1798 | clusterResourceBlacklist: 1799 | description: ClusterResourceBlacklist contains list of blacklisted cluster level resources 1800 | items: 1801 | description: GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying concepts during lookup stages without having partially valid types 1802 | properties: 1803 | group: 1804 | type: string 1805 | kind: 1806 | type: string 1807 | required: 1808 | - group 1809 | - kind 1810 | type: object 1811 | type: array 1812 | clusterResourceWhitelist: 1813 | description: ClusterResourceWhitelist contains list of whitelisted cluster level resources 1814 | items: 1815 | description: GroupKind specifies a Group and a Kind, but does not force a version. 
This is useful for identifying concepts during lookup stages without having partially valid types 1816 | properties: 1817 | group: 1818 | type: string 1819 | kind: 1820 | type: string 1821 | required: 1822 | - group 1823 | - kind 1824 | type: object 1825 | type: array 1826 | description: 1827 | description: Description contains optional project description 1828 | type: string 1829 | destinations: 1830 | description: Destinations contains list of destinations available for deployment 1831 | items: 1832 | description: ApplicationDestination holds information about the application's destination 1833 | properties: 1834 | name: 1835 | description: Name is an alternate way of specifying the target cluster by its symbolic name 1836 | type: string 1837 | namespace: 1838 | description: Namespace specifies the target namespace for the application's resources. The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace 1839 | type: string 1840 | server: 1841 | description: Server specifies the URL of the target cluster and must be set to the Kubernetes control plane API 1842 | type: string 1843 | type: object 1844 | type: array 1845 | namespaceResourceBlacklist: 1846 | description: NamespaceResourceBlacklist contains list of blacklisted namespace level resources 1847 | items: 1848 | description: GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying concepts during lookup stages without having partially valid types 1849 | properties: 1850 | group: 1851 | type: string 1852 | kind: 1853 | type: string 1854 | required: 1855 | - group 1856 | - kind 1857 | type: object 1858 | type: array 1859 | namespaceResourceWhitelist: 1860 | description: NamespaceResourceWhitelist contains list of whitelisted namespace level resources 1861 | items: 1862 | description: GroupKind specifies a Group and a Kind, but does not force a version. 
This is useful for identifying concepts during lookup stages without having partially valid types 1863 | properties: 1864 | group: 1865 | type: string 1866 | kind: 1867 | type: string 1868 | required: 1869 | - group 1870 | - kind 1871 | type: object 1872 | type: array 1873 | orphanedResources: 1874 | description: OrphanedResources specifies if controller should monitor orphaned resources of apps in this project 1875 | properties: 1876 | ignore: 1877 | description: Ignore contains a list of resources that are to be excluded from orphaned resources monitoring 1878 | items: 1879 | description: OrphanedResourceKey is a reference to a resource to be ignored from 1880 | properties: 1881 | group: 1882 | type: string 1883 | kind: 1884 | type: string 1885 | name: 1886 | type: string 1887 | type: object 1888 | type: array 1889 | warn: 1890 | description: Warn indicates if warning condition should be created for apps which have orphaned resources 1891 | type: boolean 1892 | type: object 1893 | roles: 1894 | description: Roles are user defined RBAC roles associated with this project 1895 | items: 1896 | description: ProjectRole represents a role that has access to a project 1897 | properties: 1898 | description: 1899 | description: Description is a description of the role 1900 | type: string 1901 | groups: 1902 | description: Groups are a list of OIDC group claims bound to this role 1903 | items: 1904 | type: string 1905 | type: array 1906 | jwtTokens: 1907 | description: JWTTokens are a list of generated JWT tokens bound to this role 1908 | items: 1909 | description: JWTToken holds the issuedAt and expiresAt values of a token 1910 | properties: 1911 | exp: 1912 | format: int64 1913 | type: integer 1914 | iat: 1915 | format: int64 1916 | type: integer 1917 | id: 1918 | type: string 1919 | required: 1920 | - iat 1921 | type: object 1922 | type: array 1923 | name: 1924 | description: Name is a name for this role 1925 | type: string 1926 | policies: 1927 | description: Policies 
Stores a list of casbin formatted strings that define access policies for the role in the project 1928 | items: 1929 | type: string 1930 | type: array 1931 | required: 1932 | - name 1933 | type: object 1934 | type: array 1935 | signatureKeys: 1936 | description: SignatureKeys contains a list of PGP key IDs that commits in Git must be signed with in order to be allowed for sync 1937 | items: 1938 | description: SignatureKey is the specification of a key required to verify commit signatures with 1939 | properties: 1940 | keyID: 1941 | description: The ID of the key in hexadecimal notation 1942 | type: string 1943 | required: 1944 | - keyID 1945 | type: object 1946 | type: array 1947 | sourceRepos: 1948 | description: SourceRepos contains list of repository URLs which can be used for deployment 1949 | items: 1950 | type: string 1951 | type: array 1952 | syncWindows: 1953 | description: SyncWindows controls when syncs can be run for apps in this project 1954 | items: 1955 | description: SyncWindow contains the kind, time, duration and attributes that are used to assign the syncWindows to apps 1956 | properties: 1957 | applications: 1958 | description: Applications contains a list of applications that the window will apply to 1959 | items: 1960 | type: string 1961 | type: array 1962 | clusters: 1963 | description: Clusters contains a list of clusters that the window will apply to 1964 | items: 1965 | type: string 1966 | type: array 1967 | duration: 1968 | description: Duration is the amount of time the sync window will be open 1969 | type: string 1970 | kind: 1971 | description: Kind defines if the window allows or blocks syncs 1972 | type: string 1973 | manualSync: 1974 | description: ManualSync enables manual syncs when they would otherwise be blocked 1975 | type: boolean 1976 | namespaces: 1977 | description: Namespaces contains a list of namespaces that the window will apply to 1978 | items: 1979 | type: string 1980 | type: array 1981 | schedule: 1982 | description: 
Schedule is the time the window will begin, specified in cron format 1983 | type: string 1984 | type: object 1985 | type: array 1986 | type: object 1987 | status: 1988 | description: AppProjectStatus contains status information for AppProject CRs 1989 | properties: 1990 | jwtTokensByRole: 1991 | additionalProperties: 1992 | description: JWTTokens represents a list of JWT tokens 1993 | properties: 1994 | items: 1995 | items: 1996 | description: JWTToken holds the issuedAt and expiresAt values of a token 1997 | properties: 1998 | exp: 1999 | format: int64 2000 | type: integer 2001 | iat: 2002 | format: int64 2003 | type: integer 2004 | id: 2005 | type: string 2006 | required: 2007 | - iat 2008 | type: object 2009 | type: array 2010 | type: object 2011 | description: JWTTokensByRole contains a list of JWT tokens issued for a given role 2012 | type: object 2013 | type: object 2014 | required: 2015 | - metadata 2016 | - spec 2017 | type: object 2018 | served: true 2019 | storage: true 2020 | --- 2021 | apiVersion: v1 2022 | kind: ServiceAccount 2023 | metadata: 2024 | labels: 2025 | app.kubernetes.io/component: application-controller 2026 | app.kubernetes.io/name: argocd-application-controller 2027 | app.kubernetes.io/part-of: argocd 2028 | name: argocd-application-controller 2029 | --- 2030 | apiVersion: v1 2031 | kind: ServiceAccount 2032 | metadata: 2033 | labels: 2034 | app.kubernetes.io/component: dex-server 2035 | app.kubernetes.io/name: argocd-dex-server 2036 | app.kubernetes.io/part-of: argocd 2037 | name: argocd-dex-server 2038 | --- 2039 | apiVersion: v1 2040 | kind: ServiceAccount 2041 | metadata: 2042 | labels: 2043 | app.kubernetes.io/component: redis 2044 | app.kubernetes.io/name: argocd-redis 2045 | app.kubernetes.io/part-of: argocd 2046 | name: argocd-redis 2047 | --- 2048 | apiVersion: v1 2049 | kind: ServiceAccount 2050 | metadata: 2051 | labels: 2052 | app.kubernetes.io/component: server 2053 | app.kubernetes.io/name: argocd-server 2054 | 
app.kubernetes.io/part-of: argocd   # last label of the argocd-server ServiceAccount; its header is on the preceding line (nesting lost in this listing)
name: argocd-server
---
# Namespace-scoped permissions for the application controller. Read access to
# Secrets/ConfigMaps covers the argocd-* objects declared later in this file;
# full CRUD on applications/appprojects lets the controller write status back.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - argoproj.io
  resources:
  - applications
  - appprojects
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - list
---
# Dex only needs to read its own configuration; note this still includes every
# Secret in the namespace, which is why the namespace should hold nothing but
# Argo CD.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - get
  - list
  - watch
---
# Only meaningful on OpenShift (use of the "nonroot" SecurityContextConstraint);
# on other distributions the API group does not exist and the rule is inert.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis
    app.kubernetes.io/part-of: argocd
  name: argocd-redis
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - nonroot
  resources:
  - securitycontextconstraints
  verbs:
  - use
---
# The API server may create/update/delete Secrets and ConfigMaps in this
# namespace (presumably for repository and cluster credentials it manages --
# confirm against the running version) and has full CRUD on Applications and
# AppProjects. Who may reach these verbs through the UI/API is decided by
# argocd-rbac-cm, declared later in this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - configmaps
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - argoproj.io
  resources:
  - applications
  - appprojects
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - delete
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - list
---
# Unrestricted cluster-wide grant: every verb on every resource in every API
# group, plus every non-resource URL. This is equivalent to cluster-admin and is
# what lets the controller apply arbitrary manifests to this cluster. The
# practical consequence is that anyone who can create or edit Applications /
# AppProjects (the argocd-server Role above grants that to the API server, and
# argocd-rbac-cm decides which users reach it) can act with this level of
# privilege, as can anyone who compromises the controller pod. Constrain what
# applications may do through AppProject destinations and the cluster/namespace
# resource whitelists and blacklists defined in the AppProject schema above, and
# consider a namespace-scoped deployment if applications only ever target a
# known set of namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
---
# The API server gets get/patch/delete on every resource cluster-wide ("get"
# includes Secrets in all namespaces) plus pod logs. Argo CD's own RBAC
# (argocd-rbac-cm) is the only boundary between a logged-in user and these
# verbs, so that ConfigMap must be populated deliberately rather than left at
# defaults.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - delete
  - get
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
---
# RoleBinding for the controller; roleRef/subjects continue on the next line.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
roleRef:  # completes the argocd-application-controller RoleBinding begun on the preceding line
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-application-controller
subjects:
- kind: ServiceAccount
  name: argocd-application-controller
---
# Namespace-scoped bindings below carry no subject namespace, so they bind the
# ServiceAccount of whatever namespace the manifest is applied to.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-dex-server
subjects:
- kind: ServiceAccount
  name: argocd-dex-server
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis
    app.kubernetes.io/part-of: argocd
  name: argocd-redis
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-redis
subjects:
- kind: ServiceAccount
  name: argocd-redis
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-server
subjects:
- kind: ServiceAccount
  name: argocd-server
---
# Cluster-scoped bindings. Unlike the RoleBindings above, the subject namespace
# is hard-coded to "argocd": applying this file into any other namespace leaves
# both bindings pointing at ServiceAccounts that do not exist there, so the
# controller and API server would run without the cluster-wide permissions they
# expect (and, conversely, an unrelated "argocd" namespace would receive them).
# Keep this value in step with the install namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: application-controller
    app.kubernetes.io/name: argocd-application-controller
    app.kubernetes.io/part-of: argocd
  name: argocd-application-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argocd-application-controller
subjects:
- kind: ServiceAccount
  name: argocd-application-controller
  namespace: argocd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argocd-server
subjects:
- kind: ServiceAccount
  name: argocd-server
  namespace: argocd
---
# Main Argo CD settings.
#   * `url` and the OIDC `issuer` carry DOMAIN_PLACEHOLDER; both must be the
#     externally reachable hostnames, and the issuer must match what Dex
#     advertises or ID-token validation fails.
#   * `clientSecret` is a credential stored in a ConfigMap. A ConfigMap is not a
#     secret-bearing object: it is readable by any identity granted get on
#     configmaps in this namespace and it is committed to git with this file.
#     Argo CD can resolve a `$`-prefixed value from argocd-secret instead
#     (e.g. `clientSecret: $oidc.dex.clientSecret`, with that key held in the
#     Secret declared below); prefer that and keep the substituted value out
#     of the repository.
#   * `clientID: kubelogin` suggests this Dex client is shared with kubectl
#     login; a leaked or rotated secret then affects both. A dedicated Dex
#     client for Argo CD keeps the blast radius and rotation independent.
#   * The "groups" scope and essential claim are requested, but group
#     membership only confers access once argocd-rbac-cm (below) maps groups
#     to roles; that ConfigMap is empty in this file.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
data:
  url: https://argo.DOMAIN_PLACEHOLDER
  oidc.config: |
    name: Dex
    issuer: https://dex.DOMAIN_PLACEHOLDER
    clientID: kubelogin
    clientSecret: OIDC_CLIENT_SECRET_PLACEHOLDER
    requestedScopes: ["openid", "email", "groups"]
    requestedIDTokenClaims: {"groups": {"essential": true}}
---
# Empty: AppProject.spec.signatureKeys (see the CRD schema above) names PGP key
# IDs that commits must be signed with, and the public keys are presumably
# loaded from this ConfigMap -- confirm against the running version. Until it is
# populated, signature enforcement has nothing to verify against.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-gpg-keys-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-gpg-keys-cm
---
# Empty, so only Argo CD's built-in defaults apply. Populate `policy.csv` (and
# `policy.default` if a fallback role is wanted) to map the OIDC groups claim
# requested in argocd-cm to roles; without it group membership grants nothing,
# and with an over-broad default every authenticated user inherits the
# cluster-wide verbs held by the argocd-server ClusterRole.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
---
# Pinned SSH host keys for git+ssh repository access; the pin is what stops a
# man-in-the-middle from impersonating the provider. These entries are a
# snapshot and providers rotate keys (github.com replaced its RSA host key in
# March 2023, bitbucket.org in June 2023), so a stale pin makes clones fail
# closed. Refresh entries from each provider's published fingerprints, verified
# out-of-band, rather than relaxing host-key checking. Everything inside the
# block scalar below is data, so no comments can be placed there.
apiVersion: v1
data:
  ssh_known_hosts: |
    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
    github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
    gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
    gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
    gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
    ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
    vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-ssh-known-hosts-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-ssh-known-hosts-cm
---
# No custom TLS CA certificates for HTTPS repositories; `data: null` leaves the
# ConfigMap empty rather than absent.
apiVersion: v1
data: null
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-tls-certs-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-tls-certs-cm
---
# Declared empty on purpose. NOTE(review): Argo CD is expected to populate this
# Secret at first start (initial admin password, server session signing key) --
# confirm against the running version. It is also the right home for any
# `$`-referenced values consumed by argocd-cm, such as the OIDC client secret.
# Never commit a populated copy of this Secret to the repository.
apiVersion: v1
kind: Secret
metadata:
  labels:
    app.kubernetes.io/name: argocd-secret
    app.kubernetes.io/part-of: argocd
  name: argocd-secret
type: Opaque
---
# No `type` is set, so this is a ClusterIP Service and is not reachable from
# outside the cluster; the port names suggest 5556/5557 are Dex's HTTP and gRPC
# endpoints consumed by argocd-server and 5558 is a metrics endpoint.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: dex-server
    app.kubernetes.io/name: argocd-dex-server
    app.kubernetes.io/part-of: argocd
  name: argocd-dex-server
spec:
  ports:
  - name: http
    port: 5556
    protocol: TCP
    targetPort: 5556
  - name: grpc
    port: 5557
    protocol: TCP
    targetPort: 5557
  - name: metrics
    port: 5558
    protocol: TCP
    targetPort: 5558
  selector:
    app.kubernetes.io/name: argocd-dex-server
---
# Metrics Service (ClusterIP, port 8082); its selector continues on the next line.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: metrics
    app.kubernetes.io/name: argocd-metrics
    app.kubernetes.io/part-of: argocd
  name: argocd-metrics
spec:
  ports:
  - name: metrics
    port: 8082
    protocol: TCP
    targetPort: 8082
  selector:
app.kubernetes.io/name: argocd-application-controller 2434 | --- 2435 | apiVersion: v1 2436 | kind: Service 2437 | metadata: 2438 | labels: 2439 | app.kubernetes.io/component: redis 2440 | app.kubernetes.io/name: argocd-redis 2441 | app.kubernetes.io/part-of: argocd 2442 | name: argocd-redis 2443 | spec: 2444 | ports: 2445 | - name: tcp-redis 2446 | port: 6379 2447 | targetPort: 6379 2448 | selector: 2449 | app.kubernetes.io/name: argocd-redis 2450 | --- 2451 | apiVersion: v1 2452 | kind: Service 2453 | metadata: 2454 | labels: 2455 | app.kubernetes.io/component: repo-server 2456 | app.kubernetes.io/name: argocd-repo-server 2457 | app.kubernetes.io/part-of: argocd 2458 | name: argocd-repo-server 2459 | spec: 2460 | ports: 2461 | - name: server 2462 | port: 8081 2463 | protocol: TCP 2464 | targetPort: 8081 2465 | - name: metrics 2466 | port: 8084 2467 | protocol: TCP 2468 | targetPort: 8084 2469 | selector: 2470 | app.kubernetes.io/name: argocd-repo-server 2471 | --- 2472 | apiVersion: v1 2473 | kind: Service 2474 | metadata: 2475 | labels: 2476 | app.kubernetes.io/component: server 2477 | app.kubernetes.io/name: argocd-server 2478 | app.kubernetes.io/part-of: argocd 2479 | name: argocd-server 2480 | spec: 2481 | ports: 2482 | - name: http 2483 | port: 80 2484 | protocol: TCP 2485 | targetPort: 8080 2486 | - name: https 2487 | port: 443 2488 | protocol: TCP 2489 | targetPort: 8080 2490 | selector: 2491 | app.kubernetes.io/name: argocd-server 2492 | --- 2493 | apiVersion: v1 2494 | kind: Service 2495 | metadata: 2496 | labels: 2497 | app.kubernetes.io/component: server 2498 | app.kubernetes.io/name: argocd-server-metrics 2499 | app.kubernetes.io/part-of: argocd 2500 | name: argocd-server-metrics 2501 | spec: 2502 | ports: 2503 | - name: metrics 2504 | port: 8083 2505 | protocol: TCP 2506 | targetPort: 8083 2507 | selector: 2508 | app.kubernetes.io/name: argocd-server 2509 | --- 2510 | apiVersion: apps/v1 2511 | kind: Deployment 2512 | metadata: 2513 | labels: 2514 | 
app.kubernetes.io/component: dex-server 2515 | app.kubernetes.io/name: argocd-dex-server 2516 | app.kubernetes.io/part-of: argocd 2517 | name: argocd-dex-server 2518 | spec: 2519 | selector: 2520 | matchLabels: 2521 | app.kubernetes.io/name: argocd-dex-server 2522 | template: 2523 | metadata: 2524 | labels: 2525 | app.kubernetes.io/name: argocd-dex-server 2526 | spec: 2527 | affinity: 2528 | podAntiAffinity: 2529 | preferredDuringSchedulingIgnoredDuringExecution: 2530 | - podAffinityTerm: 2531 | labelSelector: 2532 | matchLabels: 2533 | app.kubernetes.io/part-of: argocd 2534 | topologyKey: kubernetes.io/hostname 2535 | weight: 5 2536 | containers: 2537 | - command: 2538 | - /shared/argocd-dex 2539 | - rundex 2540 | image: ghcr.io/dexidp/dex:v2.27.0 2541 | imagePullPolicy: Always 2542 | name: dex 2543 | ports: 2544 | - containerPort: 5556 2545 | - containerPort: 5557 2546 | - containerPort: 5558 2547 | volumeMounts: 2548 | - mountPath: /shared 2549 | name: static-files 2550 | initContainers: 2551 | - command: 2552 | - cp 2553 | - -n 2554 | - /usr/local/bin/argocd 2555 | - /shared/argocd-dex 2556 | image: quay.io/argoproj/argocd:v2.0.0 2557 | imagePullPolicy: Always 2558 | name: copyutil 2559 | volumeMounts: 2560 | - mountPath: /shared 2561 | name: static-files 2562 | serviceAccountName: argocd-dex-server 2563 | volumes: 2564 | - emptyDir: {} 2565 | name: static-files 2566 | --- 2567 | apiVersion: apps/v1 2568 | kind: Deployment 2569 | metadata: 2570 | labels: 2571 | app.kubernetes.io/component: redis 2572 | app.kubernetes.io/name: argocd-redis 2573 | app.kubernetes.io/part-of: argocd 2574 | name: argocd-redis 2575 | spec: 2576 | selector: 2577 | matchLabels: 2578 | app.kubernetes.io/name: argocd-redis 2579 | template: 2580 | metadata: 2581 | labels: 2582 | app.kubernetes.io/name: argocd-redis 2583 | spec: 2584 | affinity: 2585 | podAntiAffinity: 2586 | preferredDuringSchedulingIgnoredDuringExecution: 2587 | - podAffinityTerm: 2588 | labelSelector: 2589 | 
matchLabels: 2590 | app.kubernetes.io/name: argocd-redis 2591 | topologyKey: kubernetes.io/hostname 2592 | weight: 100 2593 | - podAffinityTerm: 2594 | labelSelector: 2595 | matchLabels: 2596 | app.kubernetes.io/part-of: argocd 2597 | topologyKey: kubernetes.io/hostname 2598 | weight: 5 2599 | containers: 2600 | - args: 2601 | - --save 2602 | - "" 2603 | - --appendonly 2604 | - "no" 2605 | image: redis:6.2.1-alpine 2606 | imagePullPolicy: Always 2607 | name: redis 2608 | ports: 2609 | - containerPort: 6379 2610 | securityContext: 2611 | fsGroup: 1000 2612 | runAsGroup: 1000 2613 | runAsNonRoot: true 2614 | runAsUser: 1000 2615 | serviceAccountName: argocd-redis 2616 | --- 2617 | apiVersion: apps/v1 2618 | kind: Deployment 2619 | metadata: 2620 | labels: 2621 | app.kubernetes.io/component: repo-server 2622 | app.kubernetes.io/name: argocd-repo-server 2623 | app.kubernetes.io/part-of: argocd 2624 | name: argocd-repo-server 2625 | spec: 2626 | selector: 2627 | matchLabels: 2628 | app.kubernetes.io/name: argocd-repo-server 2629 | template: 2630 | metadata: 2631 | labels: 2632 | app.kubernetes.io/name: argocd-repo-server 2633 | spec: 2634 | affinity: 2635 | podAntiAffinity: 2636 | preferredDuringSchedulingIgnoredDuringExecution: 2637 | - podAffinityTerm: 2638 | labelSelector: 2639 | matchLabels: 2640 | app.kubernetes.io/name: argocd-repo-server 2641 | topologyKey: kubernetes.io/hostname 2642 | weight: 100 2643 | - podAffinityTerm: 2644 | labelSelector: 2645 | matchLabels: 2646 | app.kubernetes.io/part-of: argocd 2647 | topologyKey: kubernetes.io/hostname 2648 | weight: 5 2649 | automountServiceAccountToken: false 2650 | containers: 2651 | - command: 2652 | - uid_entrypoint.sh 2653 | - argocd-repo-server 2654 | - --redis 2655 | - argocd-redis:6379 2656 | image: quay.io/argoproj/argocd:v2.0.0 2657 | imagePullPolicy: Always 2658 | livenessProbe: 2659 | failureThreshold: 3 2660 | httpGet: 2661 | path: /healthz?full=true 2662 | port: 8084 2663 | initialDelaySeconds: 30 2664 
| periodSeconds: 5 2665 | name: argocd-repo-server 2666 | ports: 2667 | - containerPort: 8081 2668 | - containerPort: 8084 2669 | readinessProbe: 2670 | httpGet: 2671 | path: /healthz 2672 | port: 8084 2673 | initialDelaySeconds: 5 2674 | periodSeconds: 10 2675 | securityContext: 2676 | allowPrivilegeEscalation: false 2677 | capabilities: 2678 | drop: 2679 | - all 2680 | volumeMounts: 2681 | - mountPath: /app/config/ssh 2682 | name: ssh-known-hosts 2683 | - mountPath: /app/config/tls 2684 | name: tls-certs 2685 | - mountPath: /app/config/gpg/source 2686 | name: gpg-keys 2687 | - mountPath: /app/config/gpg/keys 2688 | name: gpg-keyring 2689 | - mountPath: /app/config/reposerver/tls 2690 | name: argocd-repo-server-tls 2691 | volumes: 2692 | - configMap: 2693 | name: argocd-ssh-known-hosts-cm 2694 | name: ssh-known-hosts 2695 | - configMap: 2696 | name: argocd-tls-certs-cm 2697 | name: tls-certs 2698 | - configMap: 2699 | name: argocd-gpg-keys-cm 2700 | name: gpg-keys 2701 | - emptyDir: {} 2702 | name: gpg-keyring 2703 | - name: argocd-repo-server-tls 2704 | secret: 2705 | items: 2706 | - key: tls.crt 2707 | path: tls.crt 2708 | - key: tls.key 2709 | path: tls.key 2710 | - key: ca.crt 2711 | path: ca.crt 2712 | optional: true 2713 | secretName: argocd-repo-server-tls 2714 | --- 2715 | apiVersion: apps/v1 2716 | kind: Deployment 2717 | metadata: 2718 | labels: 2719 | app.kubernetes.io/component: server 2720 | app.kubernetes.io/name: argocd-server 2721 | app.kubernetes.io/part-of: argocd 2722 | name: argocd-server 2723 | spec: 2724 | selector: 2725 | matchLabels: 2726 | app.kubernetes.io/name: argocd-server 2727 | template: 2728 | metadata: 2729 | labels: 2730 | app.kubernetes.io/name: argocd-server 2731 | spec: 2732 | affinity: 2733 | podAntiAffinity: 2734 | preferredDuringSchedulingIgnoredDuringExecution: 2735 | - podAffinityTerm: 2736 | labelSelector: 2737 | matchLabels: 2738 | app.kubernetes.io/name: argocd-server 2739 | topologyKey: kubernetes.io/hostname 2740 | 
weight: 100 2741 | - podAffinityTerm: 2742 | labelSelector: 2743 | matchLabels: 2744 | app.kubernetes.io/part-of: argocd 2745 | topologyKey: kubernetes.io/hostname 2746 | weight: 5 2747 | containers: 2748 | - command: 2749 | - argocd-server 2750 | - --staticassets 2751 | - /shared/app 2752 | image: quay.io/argoproj/argocd:v2.0.0 2753 | imagePullPolicy: Always 2754 | livenessProbe: 2755 | httpGet: 2756 | path: /healthz?full=true 2757 | port: 8080 2758 | initialDelaySeconds: 3 2759 | periodSeconds: 30 2760 | name: argocd-server 2761 | ports: 2762 | - containerPort: 8080 2763 | - containerPort: 8083 2764 | readinessProbe: 2765 | httpGet: 2766 | path: /healthz 2767 | port: 8080 2768 | initialDelaySeconds: 3 2769 | periodSeconds: 30 2770 | securityContext: 2771 | allowPrivilegeEscalation: false 2772 | capabilities: 2773 | drop: 2774 | - all 2775 | volumeMounts: 2776 | - mountPath: /app/config/ssh 2777 | name: ssh-known-hosts 2778 | - mountPath: /app/config/tls 2779 | name: tls-certs 2780 | - mountPath: /app/config/server/tls 2781 | name: argocd-repo-server-tls 2782 | serviceAccountName: argocd-server 2783 | volumes: 2784 | - emptyDir: {} 2785 | name: static-files 2786 | - configMap: 2787 | name: argocd-ssh-known-hosts-cm 2788 | name: ssh-known-hosts 2789 | - configMap: 2790 | name: argocd-tls-certs-cm 2791 | name: tls-certs 2792 | - name: argocd-repo-server-tls 2793 | secret: 2794 | items: 2795 | - key: tls.crt 2796 | path: tls.crt 2797 | - key: tls.key 2798 | path: tls.key 2799 | - key: ca.crt 2800 | path: ca.crt 2801 | optional: true 2802 | secretName: argocd-repo-server-tls 2803 | --- 2804 | apiVersion: apps/v1 2805 | kind: StatefulSet 2806 | metadata: 2807 | labels: 2808 | app.kubernetes.io/component: application-controller 2809 | app.kubernetes.io/name: argocd-application-controller 2810 | app.kubernetes.io/part-of: argocd 2811 | name: argocd-application-controller 2812 | spec: 2813 | replicas: 1 2814 | selector: 2815 | matchLabels: 2816 | app.kubernetes.io/name: 
argocd-application-controller 2817 | serviceName: argocd-application-controller 2818 | template: 2819 | metadata: 2820 | labels: 2821 | app.kubernetes.io/name: argocd-application-controller 2822 | spec: 2823 | affinity: 2824 | podAntiAffinity: 2825 | preferredDuringSchedulingIgnoredDuringExecution: 2826 | - podAffinityTerm: 2827 | labelSelector: 2828 | matchLabels: 2829 | app.kubernetes.io/name: argocd-application-controller 2830 | topologyKey: kubernetes.io/hostname 2831 | weight: 100 2832 | - podAffinityTerm: 2833 | labelSelector: 2834 | matchLabels: 2835 | app.kubernetes.io/part-of: argocd 2836 | topologyKey: kubernetes.io/hostname 2837 | weight: 5 2838 | containers: 2839 | - command: 2840 | - argocd-application-controller 2841 | - --status-processors 2842 | - "20" 2843 | - --operation-processors 2844 | - "10" 2845 | image: quay.io/argoproj/argocd:v2.0.0 2846 | imagePullPolicy: Always 2847 | livenessProbe: 2848 | httpGet: 2849 | path: /healthz 2850 | port: 8082 2851 | initialDelaySeconds: 5 2852 | periodSeconds: 10 2853 | name: argocd-application-controller 2854 | ports: 2855 | - containerPort: 8082 2856 | readinessProbe: 2857 | httpGet: 2858 | path: /healthz 2859 | port: 8082 2860 | initialDelaySeconds: 5 2861 | periodSeconds: 10 2862 | securityContext: 2863 | allowPrivilegeEscalation: false 2864 | capabilities: 2865 | drop: 2866 | - all 2867 | volumeMounts: 2868 | - mountPath: /app/config/controller/tls 2869 | name: argocd-repo-server-tls 2870 | serviceAccountName: argocd-application-controller 2871 | volumes: 2872 | - name: argocd-repo-server-tls 2873 | secret: 2874 | items: 2875 | - key: tls.crt 2876 | path: tls.crt 2877 | - key: tls.key 2878 | path: tls.key 2879 | - key: ca.crt 2880 | path: ca.crt 2881 | optional: true 2882 | secretName: argocd-repo-server-tls 2883 | -------------------------------------------------------------------------------- /continuous-delivery/install_argocd.sh: 
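--------------------------------------------------------------------------------
#!/bin/bash
#
# Render the Argo CD manifests for this cluster and apply them to the
# "argocd" namespace.
#
# Environment:
#   CLUSTER             cluster name; defaults to "<user>-demo-cluster"
#   TOP_LEVEL_DOMAIN    DNS suffix; the UI is argo.<CLUSTER>.<TOP_LEVEL_DOMAIN>
#                       and the OIDC issuer dex.<CLUSTER>.<TOP_LEVEL_DOMAIN>
#   OIDC_CLIENT_SECRET  OIDC client secret substituted into argocd.yaml
#
# Output: rendered-argocd.yaml and rendered-argocd-ingress.yaml next to this
# script (rendered-argocd.yaml contains the client secret in clear text).

set -euo pipefail

CLUSTER=${CLUSTER:-$(whoami)-demo-cluster}

# Fail before anything is rendered or applied when a required variable is
# missing; relying on `set -u` inside the sed expression would only fail
# part-way through.
: "${TOP_LEVEL_DOMAIN:?TOP_LEVEL_DOMAIN must be set}"
: "${OIDC_CLIENT_SECRET:?OIDC_CLIENT_SECRET must be set}"
DOMAIN="${CLUSTER}.${TOP_LEVEL_DOMAIN}"

# Escape the characters sed treats specially in a replacement ('/', '&', '\')
# so a secret containing them is substituted verbatim instead of breaking the
# expression or being silently corrupted.
escape_sed() {
  printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}

# The rendered manifest carries the OIDC client secret: recreate it
# owner-readable only (umask applies to newly created files, hence the rm).
umask 077
rm -f rendered-argocd.yaml rendered-argocd-ingress.yaml

# NOTE(review): argocd.yaml places OIDC_CLIENT_SECRET in the argocd-cm
# ConfigMap (oidc.config.clientSecret). Argo CD's oidc.config can instead
# reference a key of the argocd-secret Secret with a "$<key>" value; confirm
# against the Argo CD version in use before changing the manifest.
sed -e "s/DOMAIN_PLACEHOLDER/$(escape_sed "${DOMAIN}")/g" \
    -e "s/OIDC_CLIENT_SECRET_PLACEHOLDER/$(escape_sed "${OIDC_CLIENT_SECRET}")/g" \
    argocd.yaml > rendered-argocd.yaml

sed -e "s/DOMAIN_PLACEHOLDER/$(escape_sed "${DOMAIN}")/g" \
    argocd-ingress.yaml > rendered-argocd-ingress.yaml

# Namespace creation is the one non-idempotent step; skip it when it exists.
if ! kubectl get namespace argocd >/dev/null 2>&1; then
  kubectl create namespace argocd
fi
kubectl apply --namespace argocd -f rendered-argocd.yaml
kubectl apply --namespace argocd -f rendered-argocd-ingress.yaml
--------------------------------------------------------------------------------
/database/install_postgres.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Install the Zalando postgres-operator from the git submodule checked out at
# ./postgres-operator (see .gitmodules), using the chart's CRD-based values.

set -euo pipefail

pushd postgres-operator

# `upgrade --install` keeps the script re-runnable, consistent with the other
# install scripts in this repository; plain `helm install` fails once the
# release exists.
helm upgrade --install postgres-operator ./charts/postgres-operator -f ./charts/postgres-operator/values-crd.yaml --wait

kubectl get pod -l app.kubernetes.io/name=postgres-operator
--------------------------------------------------------------------------------
/logging/elasticsearch.yml:
--------------------------------------------------------------------------------
# Single-node Elasticsearch and Kibana managed by the ECK operator
# (applied by install_elasticsearch.sh). Sized for a demo, not for production.
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 7.12.1
  nodeSets:
  - name: default
    count: 1
    config:
      # Disables mmap-based storage so the node does not require
      # vm.max_map_count to be raised on the host.
      node.store.allow_mmap: false
---
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 7.12.1
  count: 1
  elasticsearchRef:
    name: quickstart
--------------------------------------------------------------------------------
/logging/filebeat.yml: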
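--------------------------------------------------------------------------------
# Filebeat DaemonSet managed by the ECK operator, shipping container logs
# to the "quickstart" Elasticsearch/Kibana defined in elasticsearch.yml.
apiVersion: beat.k8s.elastic.co/v1beta1
kind: Beat
metadata:
  name: quickstart
spec:
  type: filebeat
  version: 7.12.1
  elasticsearchRef:
    name: quickstart
  kibanaRef:
    name: quickstart
  config:
    filebeat.inputs:
    - type: container
      paths:
      - /var/log/containers/*.log
  daemonSet:
    podTemplate:
      spec:
        dnsPolicy: ClusterFirstWithHostNet
        # Runs as root on the host network with hostPath mounts of the node's
        # log directories: treat this DaemonSet as a node-privileged workload
        # when writing admission policy for the logging namespace.
        hostNetwork: true
        securityContext:
          runAsUser: 0
        containers:
        - name: filebeat
          # Filebeat only reads these directories, so they are mounted
          # read-only; a compromised collector then cannot alter node logs.
          volumeMounts:
          - name: varlogcontainers
            mountPath: /var/log/containers
            readOnly: true
          - name: varlogpods
            mountPath: /var/log/pods
            readOnly: true
          - name: varlibdockercontainers
            mountPath: /var/lib/docker/containers
            readOnly: true
        volumes:
        - name: varlogcontainers
          hostPath:
            path: /var/log/containers
        - name: varlogpods
          hostPath:
            path: /var/log/pods
        - name: varlibdockercontainers
          hostPath:
            path: /var/lib/docker/containers
--------------------------------------------------------------------------------
/logging/install_elasticsearch.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Install the ECK operator (pinned to 1.5.0) and the "quickstart"
# Elasticsearch/Kibana from elasticsearch.yml.
#
# The operator manifest is fetched from download.elastic.co at run time; pin
# stays at 1.5.0 so a re-run applies the same manifest.

set -euo pipefail

kubectl apply -f https://download.elastic.co/downloads/eck/1.5.0/all-in-one.yaml

# Wait for the operator to be up rather than sleeping a fixed 30 seconds:
# applying the Elasticsearch resource before its webhook is serving fails.
kubectl -n elastic-system rollout status statefulset/elastic-operator --timeout=300s

kubectl apply -f elasticsearch.yml

# The operator creates the elastic user's credentials once the cluster
# bootstraps; poll for the Secret (bounded) instead of a fixed sleep.
for _ in $(seq 1 60); do
  if kubectl get secret quickstart-es-elastic-user >/dev/null 2>&1; then
    break
  fi
  sleep 5
done

# Do not print the password itself: it would land in terminal scrollback and
# CI logs. Print the command that retrieves it instead.
echo "Kibana lets you log in using the 'elastic' user. Retrieve its password with:"
echo "  kubectl get secret quickstart-es-elastic-user -o=jsonpath='{.data.elastic}' | base64 --decode; echo"
echo "To log in to Kibana, run the following: kubectl port-forward service/quickstart-kb-http 5601"
--------------------------------------------------------------------------------
/logging/install_filebeat.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Deploy the Filebeat DaemonSet from filebeat.yml. Expects the ECK operator and
# the "quickstart" Elasticsearch/Kibana from install_elasticsearch.sh to exist.

set -euo pipefail

kubectl apply -f filebeat.yml
--------------------------------------------------------------------------------
/monitoring/.gitignore:
--------------------------------------------------------------------------------
rendered-*
--------------------------------------------------------------------------------
/monitoring/install_monitoring.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Render values.yaml for this cluster and install kube-prometheus-stack into
# the "monitoring" namespace.
#
# Environment:
#   CLUSTER             cluster name; defaults to "<user>-demo-cluster"
#   TOP_LEVEL_DOMAIN    DNS suffix; Grafana is grafana.<CLUSTER>.<TOP_LEVEL_DOMAIN>
#   OIDC_CLIENT_SECRET  OIDC client secret substituted into values.yaml
#
# Output: rendered-values.yaml (git-ignored; contains the client secret).

set -euo pipefail

CLUSTER=${CLUSTER:-$(whoami)-demo-cluster}

# Fail before touching the cluster when a required variable is missing.
: "${TOP_LEVEL_DOMAIN:?TOP_LEVEL_DOMAIN must be set}"
: "${OIDC_CLIENT_SECRET:?OIDC_CLIENT_SECRET must be set}"
DOMAIN="${CLUSTER}.${TOP_LEVEL_DOMAIN}"

# Escape sed replacement metacharacters ('/', '&', '\') so a secret containing
# them is substituted verbatim.
escape_sed() {
  printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update

# rendered-values.yaml carries the OIDC client secret: recreate it
# owner-readable only.
umask 077
rm -f rendered-values.yaml
sed -e "s/DOMAIN_PLACEHOLDER/$(escape_sed "${DOMAIN}")/g" \
    -e "s/OIDC_CLIENT_SECRET_PLACEHOLDER/$(escape_sed "${OIDC_CLIENT_SECRET}")/g" \
    values.yaml > rendered-values.yaml

# NOTE(review): unlike the cert-manager and rook installs, the chart version is
# not pinned here, so each run may pull a newer chart; add `--version` once a
# known-good version is chosen.
helm upgrade --install --namespace=monitoring monitoring prometheus-community/kube-prometheus-stack --values=rendered-values.yaml --create-namespace
--------------------------------------------------------------------------------
/monitoring/values.yaml:
--------------------------------------------------------------------------------
# kube-prometheus-stack values; placeholders are substituted by
# install_monitoring.sh.
grafana:
  ingress:
    enabled: true
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
    - "grafana.DOMAIN_PLACEHOLDER"
    tls:
    - secretName: grafana-tls
      hosts:
      - "grafana.DOMAIN_PLACEHOLDER"

  grafana.ini:
    server:
      root_url: https://grafana.DOMAIN_PLACEHOLDER/
    auth.generic_oauth:
      name: Dex
      enabled: true
      client_id: kubelogin
      # NOTE(review): the secret is rendered into this values file and into the
      # Grafana configuration the chart generates. Grafana's config providers
      # ($__env{VAR} / $__file{path}) can keep it out of the values file;
      # confirm for the chart version in use.
      client_secret: OIDC_CLIENT_SECRET_PLACEHOLDER
      scopes: openid email groups
      api_url: https://dex.DOMAIN_PLACEHOLDER/userinfo
      auth_url: https://dex.DOMAIN_PLACEHOLDER/auth
      token_url: https://dex.DOMAIN_PLACEHOLDER/token
      email_attribute_path: email
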
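--------------------------------------------------------------------------------
/network-security/.gitignore:
--------------------------------------------------------------------------------
rendered-issuer.yml
--------------------------------------------------------------------------------
/network-security/install_cert-manager.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Install cert-manager (pinned to v1.3.1, CRDs included) and the production
# Let's Encrypt ClusterIssuer from prod-issuer.yml.
#
# Environment:
#   EMAIL  ACME account contact address substituted into prod-issuer.yml
#
# staging-issuer.yml is not applied by this script.

set -euo pipefail

# Check the required variable before the helm install so a missing EMAIL does
# not leave cert-manager installed but the issuer unrendered.
: "${EMAIL:?EMAIL must be set}"

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm upgrade cert-manager jetstack/cert-manager --namespace cert-manager --install --create-namespace --version v1.3.1 --set installCRDs=true --wait

sed -e "s/EMAIL_PLACEHOLDER/${EMAIL}/g" prod-issuer.yml > rendered-issuer.yml
kubectl apply -f rendered-issuer.yml
--------------------------------------------------------------------------------
/network-security/prod-issuer.yml:
--------------------------------------------------------------------------------
# Production Let's Encrypt ClusterIssuer; EMAIL_PLACEHOLDER is substituted by
# install_cert-manager.sh. Referenced by ingress annotations
# (cert-manager.io/cluster-issuer: letsencrypt-prod).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  # A ClusterIssuer is cluster-scoped, so this namespace field carries no
  # meaning for it; kept as-is.
  namespace: default
spec:
  acme:
    email: EMAIL_PLACEHOLDER
    # ACME account private key; for a ClusterIssuer cert-manager stores this
    # Secret in its own namespace, not in the namespace above.
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    # An empty selector will 'match' all Certificate resources that
    # reference this Issuer.
    - selector: {}
      http01:
        ingress:
          class: nginx
--------------------------------------------------------------------------------
/network-security/staging-issuer.yml:
--------------------------------------------------------------------------------
# Staging Let's Encrypt issuer for testing without hitting production rate
# limits. This is a namespaced Issuer, usable only by Certificates in
# "default", and install_cert-manager.sh does not render or apply it.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    email: EMAIL_PLACEHOLDER
    privateKeySecretRef:
      name: letsencrypt-staging
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    # An empty selector will 'match' all Certificate resources that
    # reference this Issuer.
    - selector: {}
      http01:
        ingress:
          class: nginx
--------------------------------------------------------------------------------
/persistent-storage/cluster-test.yaml:
--------------------------------------------------------------------------------
#################################################################################################################
# Define the settings for the rook-ceph cluster with common settings for a small test cluster.
# All nodes with available raw devices will be used for the Ceph cluster. One node is sufficient
# in this example.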
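
# For example, to create the cluster:
#   kubectl create -f crds.yaml -f common.yaml -f operator.yaml
#   kubectl create -f cluster-test.yaml
#################################################################################################################
kind: ConfigMap
apiVersion: v1
metadata:
  name: rook-config-override
  namespace: rook-ceph # namespace:cluster
data:
  # Test-only Ceph settings: a single data copy and no warning about it.
  # There is no redundancy; device loss means data loss.
  config: |
    [global]
    osd_pool_default_size = 1
    mon_warn_on_pool_no_redundancy = false
---
apiVersion: ceph.rook.io/v1
kind: CephCluster
metadata:
  name: my-cluster
  namespace: rook-ceph # namespace:cluster
spec:
  dataDirHostPath: /var/lib/rook
  cephVersion:
    image: ceph/ceph:v15.2.7
    allowUnsupported: true
  mon:
    count: 1
    allowMultiplePerNode: true
  dashboard:
    enabled: true
  crashCollector:
    disable: true
  storage:
    # Every node and every unused raw device is claimed by Ceph; restrict with
    # deviceFilter before running this against anything but a throwaway cluster.
    useAllNodes: true
    useAllDevices: true
    #deviceFilter:
  healthCheck:
    daemonHealth:
      mon:
        interval: 45s
        timeout: 600s
--------------------------------------------------------------------------------
/persistent-storage/install_rook_ceph.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Install the Rook operator (pinned to v1.5.3) and create the test Ceph cluster,
# block pool and default StorageClass from cluster-test.yaml and
# storageclass-test.yaml. The final `--watch` keeps the script attached to the
# CephCluster status until interrupted.

set -euo pipefail

# Same namespace check as install_argocd.sh (quiet `get` instead of `describe`).
if ! kubectl get namespace rook-ceph >/dev/null 2>&1; then
  kubectl create namespace rook-ceph
fi

helm repo add rook-release https://charts.rook.io/release
# Refresh the index after adding, as the other install scripts do, so the pinned
# version is found even when the repo was added earlier with a stale index.
helm repo update
helm upgrade rook-ceph rook-release/rook-ceph --install --namespace rook-ceph --version v1.5.3 --wait

# Need to use ceph v15.2.7 to be able to use partitions
# See https://github.com/rook/rook/issues/6849
kubectl apply --namespace rook-ceph -f cluster-test.yaml
kubectl apply --namespace rook-ceph -f storageclass-test.yaml

kubectl --namespace rook-ceph get cephclusters.ceph.rook.io --watch
--------------------------------------------------------------------------------
/persistent-storage/storageclass-test.yaml:
--------------------------------------------------------------------------------
# Test block pool (single replica) and the cluster's default StorageClass.
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
  name: replicapool
  namespace: rook-ceph # namespace:cluster
spec:
  failureDomain: host
  replicated:
    size: 1
    # Disallow setting pool with replica 1, this could lead to data loss without recovery.
    # Make sure you're *ABSOLUTELY CERTAIN* that is what you want
    requireSafeReplicaSize: false
    # gives a hint (%) to Ceph in terms of expected consumption of the total cluster capacity of a given pool
    # for more info: https://docs.ceph.com/docs/master/rados/operations/placement-groups/#specifying-expected-pool-size
    #targetSizeRatio: .5
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rook-ceph-block
  annotations:
    # Becomes the cluster default: PVCs without a storageClassName land on
    # this single-replica pool.
    storageclass.kubernetes.io/is-default-class: "true"
# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
provisioner: rook-ceph.rbd.csi.ceph.com # driver:namespace:operator
parameters:
  # clusterID is the namespace where the rook cluster is running
  # If you change this namespace, also change the namespace below where the secret namespaces are defined
  clusterID: rook-ceph # namespace:cluster

  # If you want to use erasure coded pool with RBD, you need to create
  # two pools. one erasure coded and one replicated.
  # You need to specify the replicated pool here in the `pool` parameter, it is
  # used for the metadata of the images.
  # The erasure coded pool must be set as the `dataPool` parameter below.
  #dataPool: ec-data-pool
  pool: replicapool

  # RBD image format. Defaults to "2".
  imageFormat: "2"

  # RBD image features. Available for imageFormat: "2". CSI RBD currently supports only `layering` feature.
  imageFeatures: layering

  # The secrets contain Ceph admin credentials. These are generated automatically by the operator
  # in the same namespace as the cluster.
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph # namespace:cluster
  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph # namespace:cluster
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
  csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph # namespace:cluster
  # Specify the filesystem type of the volume. If not specified, csi-provisioner
  # will set default as `ext4`.
  csi.storage.k8s.io/fstype: ext4
# uncomment the following to use rbd-nbd as mounter on supported nodes
#mounter: rbd-nbd
allowVolumeExpansion: true
reclaimPolicy: Delete
--------------------------------------------------------------------------------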