diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..7f4fa1f
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,15 @@
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.6.0 # Use the ref you want to point at
+ hooks:
+ - id: trailing-whitespace
+ - repo: https://github.com/google/yamlfmt
+ rev: v0.13.0
+ hooks:
+ - id: yamlfmt
+ - repo: local
+ hooks:
+ - id: check-sops-secrets
+ name: check-sops-secrets
+ entry: ./scripts/sops_check.sh
+ language: script
diff --git a/common/templates.yaml b/common/templates.yaml
index bbe1ade..539c90a 100644
--- a/common/templates.yaml
+++ b/common/templates.yaml
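Review bot: The local `check-sops-secrets` hook scans the whole tree from `./scripts/sops_check.sh`, but as declared it still receives the staged filenames as arguments and is skipped when that set is empty, so the hook's scope and its trigger do not match; add `pass_filenames: false` and `always_run: true` under the `check-sops-secrets` entry. The two remote repos are pinned by mutable tags (`rev: v4.6.0`, `rev: v0.13.0`); pinning `rev` to the commit SHA behind each tag makes the hook code that runs on every commit immutable. The `# Use the ref you want to point at` comment is the placeholder from the pre-commit documentation and can be dropped.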
@@ -10,33 +10,33 @@ templates: args: - -c - | - helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl replace -f - \ - || helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl create -f - \ + helm show crds {{ `{{ .Release.Chart }}` }} --version {{ `{{ .Release.Version }}` }} | kubectl replace -f - \ + || helm show crds {{ `{{ .Release.Chart }}` }} --version {{ `{{ .Release.Version }}` }} | kubectl create -f - \ || true - events: ["prepare"] showlogs: true command: "sh" args: - -c - - "helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl diff -f - || true" + - "helm show crds {{ `{{ .Release.Chart }}` }} --version {{ `{{ .Release.Version }}` }} | kubectl diff -f - || true" - events: ["postuninstall"] showlogs: true command: "sh" args: - -c - - "helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl delete -f - || true" + - "helm show crds {{ `{{ .Release.Chart }}` }} --version {{ `{{ .Release.Version }}` }} | kubectl delete -f - || true" # ---------------------------- # -- Configs # ---------------------------- default-common-values: values: - - '{{ requiredEnv "PWD" }}/values/common/values.{{ .Release.Name }}.yaml' + - '{{ requiredEnv "PWD" }}/values/common/values.{{ `{{ .Release.Name }}` }}.yaml' default-env-values: values: - - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/values.{{ .Release.Name }}.yaml' + - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/values.{{ `{{ .Release.Name }}` }}.yaml' default-env-secrets: secrets: - - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ .Release.Name }}.yaml' + - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ `{{ .Release.Name }}` }}.yaml' # ---------------------------- # -- Extensions # ---------------------------- 
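Review bot: The new `{{ `{{ .Release.Chart }}` }}`, `{{ `{{ .Release.Version }}` }}` and `{{ `{{ .Release.Name }}` }}` forms in the hook args and values paths carry no comment explaining the double wrapping, while `{{ .Environment.Name }}` and `requiredEnv "PWD"` on the same lines stay single-wrapped, so the next reader is likely to "simplify" one or the other. Presumably the file is now rendered once when loaded through `bases:` (before any release exists) and again per release, so only release-scoped fields must survive the first pass — confirm that and record it in a comment above the first hook, e.g. `# This file is loaded via bases: and templated before releases exist; .Release.* fields are backtick-escaped so they reach the per-release pass intact.`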
@@ -47,7 +47,6 @@ templates: alias: istio-gateway values: - '{{ requiredEnv "PWD" }}/values/common/values.istio-gateway.yaml' - ext-tcp-routes: dependencies: - chart: bedag/raw @@ -55,7 +54,6 @@ templates: alias: traefik values: - '{{ requiredEnv "PWD" }}/values/common/values.tcp-route.yaml' - ext-istio-resource: dependencies: - chart: bedag/raw @@ -63,7 +61,6 @@ templates: alias: istio values: - '{{ requiredEnv "PWD" }}/values/common/values.istio.yaml' - ext-certificate: dependencies: - chart: bedag/raw @@ -93,7 +90,6 @@ templates: inherit: - template: default-values/common-values - template: default-env-values - ext-database: dependencies: - chart: bedag/raw @@ -101,7 +97,6 @@ templates: alias: ext-database values: - '{{ requiredEnv "PWD" }}/values/common/values.database.yaml' - ext-secret: dependencies: - chart: bedag/raw diff --git a/helmfile.yaml b/helmfile.yaml index 8bf8d62..8213fb8 100644 --- a/helmfile.yaml +++ b/helmfile.yaml @@ -1,6 +1,6 @@ bases: - ./common/environments.yaml - + - ./common/templates.yaml helmfiles: - ./installations/system/ - ./installations/storage/ @@ -10,4 +10,3 @@ helmfiles: - ./installations/monitoring/ - ./installations/applications/ - ./installations/games/ - - ./installations/development/ diff --git a/installations/applications/helmfile.yaml b/installations/applications/helmfile.yaml index 34d221d..6d89bb0 100644 --- a/installations/applications/helmfile.yaml +++ b/installations/applications/helmfile.yaml @@ -1,8 +1,6 @@ -{{ readFile "../../common/templates.yaml" }} - bases: - ../../common/environments.yaml - + - ../../common/templates.yaml repositories: - name: softplayer-oci url: zot.badhouseplants.net/softplayer/helm 
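Review bot: The `@@ -10,4 +10,3 @@` hunk of `helmfile.yaml` drops `./installations/development/` from `helmfiles:`, yet `installations/development/helmfile.yaml` is still migrated to `bases:` later in this same diff, so its releases are no longer applied from the root helmfile while the file keeps being maintained. If disabling that stack is intended, a comment at the removed position such as `# installations/development is deliberately not applied from the root helmfile` would record it; otherwise the entry should stay.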
@@ -22,18 +20,16 @@ repositories: url: https://charts.min.io/ - name: bedag url: https://bedag.github.io/helm-charts/ - - name: grafana + - name: grafana url: https://grafana.github.io/helm-charts - name: bitnami url: https://charts.bitnami.com/bitnami - name: allangers-charts url: ghcr.io/allanger/allangers-charts oci: true - - name: robjuz + - name: robjuz url: https://robjuz.github.io/helm-charts/ - releases: - - name: funkwhale chart: ananace-charts/funkwhale namespace: applications @@ -42,7 +38,6 @@ releases: - template: default-env-values - template: default-env-secrets - template: ext-database - - name: gitea chart: gitea/gitea version: 10.4.0 @@ -52,7 +47,6 @@ releases: - template: default-env-secrets - template: ext-database - template: ext-tcp-routes - - name: minio chart: minio-standalone/minio version: 5.2.0 @@ -60,7 +54,6 @@ releases: inherit: - template: default-env-values - template: default-env-secrets - - name: nrodionov chart: bitnami/wordpress version: 23.1.7 @@ -70,7 +63,6 @@ releases: - template: default-env-values - template: default-env-secrets - template: ext-database - - name: openvpn chart: allangers-charts/openvpn version: 0.0.1 @@ -78,7 +70,6 @@ releases: inherit: - template: default-env-values - template: ext-tcp-routes - - name: vaultwarden chart: allangers-charts/vaultwarden version: 2.2.0 @@ -87,7 +78,6 @@ releases: - template: default-env-values - template: default-env-secrets - template: ext-database - - name: stalwart chart: allangers-charts/stalwart version: 0.2.0 @@ -95,7 +85,6 @@ releases: inherit: - template: default-env-values - template: ext-tcp-routes - #- name: vaultwardentest # chart: allangers-charts/vaultwarden # version: 2.1.0 @@ -103,7 +92,6 @@ releases: # inherit: # - template: default-env-values # - template: default-env-secrets - - name: shadowsocks-libev chart: allangers-charts/shadowsocks-libev namespace: applications 
@@ -112,14 +100,12 @@ releases: - template: default-env-secrets - template: default-env-values - template: ext-tcp-routes - - name: navidrome chart: allangers-charts/navidrome namespace: applications version: 0.1.0 inherit: - template: default-env-values - - name: grafana chart: grafana/grafana namespace: applications @@ -128,4 +114,3 @@ releases: inherit: - template: default-env-values - template: default-env-secrets - diff --git a/installations/databases/helmfile.yaml b/installations/databases/helmfile.yaml index 67b7086..5a984dd 100644 --- a/installations/databases/helmfile.yaml +++ b/installations/databases/helmfile.yaml @@ -1,14 +1,11 @@ -{{ readFile "../../common/templates.yaml" }} - bases: - ../../common/environments.yaml - + - ../../common/templates.yaml repositories: - name: bitnami url: https://charts.bitnami.com/bitnami - name: bedag url: https://bedag.github.io/helm-charts/ - releases: - name: mariadb chart: bitnami/mariadb @@ -18,7 +15,6 @@ releases: inherit: - template: default-env-values - template: default-env-secrets - - name: redis chart: bitnami/redis namespace: databases @@ -26,7 +22,6 @@ releases: inherit: - template: default-env-values - template: default-env-secrets - - name: postgres16 labels: bundle: postgres @@ -36,7 +31,6 @@ releases: inherit: - template: default-env-values - template: default-env-secrets - - name: postgres16-gitea labels: bundle: postgres diff --git a/installations/development/helmfile.yaml b/installations/development/helmfile.yaml index 05596e8..b0abfa3 100644 --- a/installations/development/helmfile.yaml +++ b/installations/development/helmfile.yaml @@ -1,12 +1,9 @@ -{{ readFile "../../common/templates.yaml" }} - bases: - ../../common/environments.yaml - + - ../../common/templates.yaml repositories: - name: argo url: https://argoproj.github.io/argo-helm - releases: - name: badhouseplants namespace: platform diff --git a/installations/games/helmfile.yaml b/installations/games/helmfile.yaml index 4d515a8..d96c72f 100644 
--- a/installations/games/helmfile.yaml +++ b/installations/games/helmfile.yaml @@ -1,15 +1,11 @@ ---- -{{ readFile "../../common/templates.yaml" }} - bases: - ../../common/environments.yaml - + - ../../common/templates.yaml repositories: - name: bedag url: https://bedag.github.io/helm-charts/ - name: minecraft url: https://itzg.github.io/minecraft-server-charts/ - releases: - name: minecraft chart: minecraft/minecraft diff --git a/installations/monitoring/helmfile.yaml b/installations/monitoring/helmfile.yaml index 39b1e26..fc3dab0 100644 --- a/installations/monitoring/helmfile.yaml +++ b/installations/monitoring/helmfile.yaml @@ -1,15 +1,11 @@ -{{ readFile "../../common/templates.yaml" }} - bases: - ../../common/environments.yaml - + - ../../common/templates.yaml repositories: - name: bedag url: https://bedag.github.io/helm-charts/ - name: prometheus-community url: https://prometheus-community.github.io/helm-charts - - releases: - name: prometheus chart: prometheus-community/kube-prometheus-stack diff --git a/installations/pipelines/helmfile.yaml b/installations/pipelines/helmfile.yaml index e9892b7..ef08250 100644 --- a/installations/pipelines/helmfile.yaml +++ b/installations/pipelines/helmfile.yaml @@ -1,16 +1,13 @@ -{{ readFile "../../common/templates.yaml" }} - bases: - ../../common/environments.yaml - + - ../../common/templates.yaml repositories: - name: woodpecker url: https://woodpecker-ci.org - - name: renovate + - name: renovate url: https://docs.renovatebot.com/helm-charts - name: bedag url: https://bedag.github.io/helm-charts/ - releases: - name: woodpecker-ci chart: woodpecker/woodpecker @@ -20,7 +17,6 @@ releases: - template: ext-database - template: default-env-values - template: default-env-secrets - - name: renovate chart: renovate/renovate namespace: pipelines @@ -28,4 +24,3 @@ releases: inherit: - template: default-env-values - template: default-env-secrets - 
diff --git a/installations/platform/helmfile.yaml b/installations/platform/helmfile.yaml index 36b7f32..59463e9 100644 --- a/installations/platform/helmfile.yaml +++ b/installations/platform/helmfile.yaml @@ -1,8 +1,6 @@ -{{ readFile "../../common/templates.yaml" }} - bases: - ../../common/environments.yaml - + - ../../common/templates.yaml repositories: - name: argo url: https://argoproj.github.io/argo-helm @@ -14,15 +12,14 @@ repositories: url: https://bedag.github.io/helm-charts/ - name: minio-standalone url: https://charts.min.io/ - - name: minio + - name: minio url: https://operator.min.io/ - - name: fluxcd-community + - name: fluxcd-community url: https://fluxcd-community.github.io/helm-charts - - name: crossplane-stable + - name: crossplane-stable url: https://charts.crossplane.io/stable - name: goauthentik url: https://charts.goauthentik.io/ - releases: - name: argocd chart: argo/argo-cd @@ -33,20 +30,17 @@ releases: inherit: - template: default-env-values - template: default-env-secrets - - name: flux chart: fluxcd-community/flux2 namespace: platform condition: workload.enabled version: 2.13.0 installed: false - - name: db-operator namespace: platform chart: db-operator/db-operator condition: workload.enabled version: 1.29.0 - - name: db-instances chart: db-operator/db-instances namespace: platform @@ -57,7 +51,6 @@ releases: inherit: - template: default-env-values - template: default-env-secrets - - name: zot chart: zot/zot version: 0.1.60 @@ -68,7 +61,6 @@ releases: inherit: - template: default-env-values - template: default-env-secrets - - name: minio chart: minio-standalone/minio version: 5.2.0 @@ -77,7 +69,6 @@ releases: inherit: - template: default-env-values - template: default-env-secrets - - name: minio-operator chart: minio/operator version: 6.0.3 @@ -86,7 +77,6 @@ releases: condition: workload.enabled inherit: - template: default-env-values - - name: minio-tenant chart: minio/tenant version: 6.0.3 
@@ -97,17 +87,16 @@ releases: - platform/minio-operator inherit: - template: default-env-values - # - template: default-env-secrets - - name: crossplane + # - template: default-env-secrets + chart: crossplane-stable/crossplane version: 1.17.0 namespace: platform condition: workload.enabled - installed: false + installed: true inherit: - template: default-env-values - - name: authentik chart: goauthentik/authentik version: 2024.8.1 diff --git a/installations/storage/helmfile.yaml b/installations/storage/helmfile.yaml index 5716b98..35d1bba 100644 --- a/installations/storage/helmfile.yaml +++ b/installations/storage/helmfile.yaml @@ -1,14 +1,11 @@ -{{ readFile "../../common/templates.yaml" }} - bases: - ../../common/environments.yaml - + - ../../common/templates.yaml repositories: - name: longhorn url: https://charts.longhorn.io - - name: rook-release + - name: rook-release url: https://charts.rook.io/release - releases: - name: rook-ceph chart: rook-release/rook-ceph @@ -17,7 +14,6 @@ releases: version: v1.14.6 inherit: - template: default-env-values - - name: rook-ceph-cluster chart: rook-release/rook-ceph-cluster installed: true @@ -27,7 +23,6 @@ releases: - rook-ceph/rook-ceph inherit: - template: default-env-values - - name: longhorn chart: longhorn/longhorn namespace: longhorn-system @@ -37,4 +32,3 @@ releases: - template: default-env-values - template: default-env-secrets - template: ext-secret - diff --git a/installations/system/helmfile.yaml b/installations/system/helmfile.yaml index 413ea81..f69b107 100644 --- a/installations/system/helmfile.yaml +++ b/installations/system/helmfile.yaml @@ -1,8 +1,6 @@ -{{ readFile "../../common/templates.yaml" }} - bases: - ../../common/environments.yaml - + - ../../common/templates.yaml repositories: - name: metrics-server url: https://kubernetes-sigs.github.io/metrics-server/ 
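Review bot: In the `@@ -97,17 +87,16 @@` hunk the comment `# - template: default-env-secrets`, which in the old file sat under minio-tenant's `inherit:` list, appears to be re-added after `- name: crossplane` together with a blank line inside that mapping, so it now reads as a commented-out entry of the crossplane release rather than of minio-tenant; this looks like the formatter re-attaching the comment, not an intended move. Either delete the stale comment or keep it in place as `- template: default-env-values` followed by `# - template: default-env-secrets` under minio-tenant's `inherit:`. The `installed: false` → `installed: true` flip for crossplane is the only functional change in this file and is easy to miss among the whitespace hunks, so it is worth calling out explicitly.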
@@ -20,11 +18,10 @@ repositories: url: https://helm.cilium.io/ - name: bedag url: https://bedag.github.io/helm-charts/ - - name: piraeus-charts + - name: piraeus-charts url: https://piraeus.io/helm-charts/ - - name: vmware-tanzu + - name: vmware-tanzu url: https://vmware-tanzu.github.io/helm-charts/ - releases: - name: namespaces chart: '{{ requiredEnv "PWD" }}/charts/namespaces/chart' @@ -32,7 +29,6 @@ releases: createNamespace: false inherit: - template: default-env-values - - name: roles chart: '{{ requiredEnv "PWD" }}/charts/roles' namespace: kube-public @@ -41,14 +37,12 @@ releases: - kube-public/namespaces inherit: - template: default-env-values - - name: coredns chart: coredns/coredns version: 1.32.0 namespace: kube-system inherit: - template: default-env-values - - name: snapshot-controller chart: piraeus-charts/snapshot-controller installed: true @@ -59,7 +53,6 @@ releases: - kube-system/cilium inherit: - template: crd-management-hook - - name: cilium chart: cilium/cilium version: 1.16.1 @@ -68,7 +61,6 @@ releases: - kube-system/coredns inherit: - template: default-env-values - - name: cert-manager chart: jetstack/cert-manager version: 1.15.3 @@ -77,15 +69,13 @@ releases: - kube-system/cilium inherit: - template: default-env-values - - name: issuer chart: '{{ requiredEnv "PWD" }}/charts/issuer' namespace: kube-public - needs: + needs: - kube-system/cert-manager inherit: - template: default-env-values - - name: metrics-server chart: metrics-server/metrics-server version: 3.12.1 @@ -94,7 +84,6 @@ releases: - kube-system/cilium inherit: - template: default-common-values - - name: metallb chart: metallb/metallb namespace: kube-system @@ -103,7 +92,6 @@ releases: - kube-system/cilium inherit: - template: default-env-values - - name: metallb-resources chart: bedag/raw version: 2.0.0 @@ -113,7 +101,6 @@ releases: inherit: - template: ext-metallb - template: default-env-values - - name: traefik chart: traefik/traefik version: 31.0.0 
@@ -122,7 +109,6 @@ releases:
 - kube-system/cilium
 inherit:
 - template: default-env-values
-
 - name: velero
 chart: vmware-tanzu/velero
 namespace: kube-system
diff --git a/scripts/sops_check.sh b/scripts/sops_check.sh
new file mode 100755
index 0000000..2991770
--- /dev/null
+++ b/scripts/sops_check.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -e
+
+for secrets in $(find . -type 'f' -name 'secrets.*');
+ do sops filestatus $secrets;
+done | grep false && \
+echo "There are unencrypted secrets in the repo" && exit 1 || \
+exit 0
diff --git a/values/badhouseplants/values.crossplane.yaml b/values/badhouseplants/values.crossplane.yaml
index b61e90f..1c19d22 100644
--- a/values/badhouseplants/values.crossplane.yaml
+++ b/values/badhouseplants/values.crossplane.yaml
@@ -1,3 +1,3 @@
 provider:
- packages: []
- #- xpkg.upbound.io/upbound/provider-terraform:v0.17.0
+ packages:
+ - xpkg.upbound.io/crossplane-contrib/provider-kubernetes:v0.13.0
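Review bot: The check in `scripts/sops_check.sh` fails open: `done | grep false && ... exit 1 || exit 0` exits 0 whenever grep sees no `false`, which is also what happens when `sops` is not installed, when `sops filestatus` errors on a file, or when the loop aborts under `set -e`, so a broken tool is reported as "all secrets encrypted". `for secrets in $(find ...)` additionally word-splits paths and the unquoted `$secrets` re-splits them, and `set -e` without `pipefail` does not propagate failures from the left side of the pipeline. Rewrite it to read paths NUL-delimited, count a sops failure or a `false` status per file, and exit non-zero for either:
```shell
#!/usr/bin/env bash
set -euo pipefail

status=0
while IFS= read -r -d '' secrets; do
  if ! out=$(sops filestatus "$secrets"); then
    echo "sops filestatus failed for $secrets" >&2
    status=1
  elif grep -q false <<<"$out"; then
    echo "Unencrypted secrets file: $secrets" >&2
    status=1
  fi
done < <(find . -type f -name 'secrets.*' -print0)

if [ "$status" -ne 0 ]; then
  echo "There are unencrypted secrets in the repo" >&2
fi
exit "$status"
```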
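Review bot: The new `packages:` entry in `values/badhouseplants/values.crossplane.yaml` pins provider-kubernetes by tag only (`v0.13.0`); Crossplane package references are OCI image references and can also carry a digest (`xpkg.upbound.io/crossplane-contrib/provider-kubernetes:v0.13.0@sha256:<digest>`, digest to be filled in), which makes the provider that is installed into the cluster immutable rather than dependent on a re-pushable tag. This entry only takes effect because `installed: true` is flipped for the crossplane release in `installations/platform/helmfile.yaml` in the same diff, so the two changes should be reviewed and described together.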