diff --git a/charts/all-in-one/templates/gp2-extensible.yaml b/charts/all-in-one/templates/gp2-extensible.yaml index 30226c1ee..fde9432c4 100644 --- a/charts/all-in-one/templates/gp2-extensible.yaml +++ b/charts/all-in-one/templates/gp2-extensible.yaml @@ -1,3 +1,4 @@ +{{- if eq $.Values.provider "AWS" }} apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: @@ -10,3 +11,4 @@ parameters: provisioner: kubernetes.io/aws-ebs reclaimPolicy: {{ .Values.volumeReclaimPolicy }} allowVolumeExpansion: true +{{- end }} diff --git a/charts/all-in-one/templates/gp3-extensible.yaml b/charts/all-in-one/templates/gp3-extensible.yaml index 2ec2ff589..fc88d66e6 100644 --- a/charts/all-in-one/templates/gp3-extensible.yaml +++ b/charts/all-in-one/templates/gp3-extensible.yaml @@ -1,3 +1,4 @@ +{{- if eq $.Values.provider "AWS" }} apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: @@ -10,3 +11,4 @@ parameters: provisioner: ebs.csi.aws.com reclaimPolicy: {{ .Values.volumeReclaimPolicy }} allowVolumeExpansion: true +{{- end }} diff --git a/charts/all-in-one/templates/secret-store.yaml b/charts/all-in-one/templates/secret-store.yaml index 873041302..c404d0b8c 100644 --- a/charts/all-in-one/templates/secret-store.yaml +++ b/charts/all-in-one/templates/secret-store.yaml @@ -1,4 +1,4 @@ -{{ if .Values.externalSecret.enabled }} +{{- if .Values.externalSecret.enabled }} apiVersion: "external-secrets.io/v1beta1" kind: SecretStore metadata: @@ -6,7 +6,12 @@ metadata: namespace: {{ $.Release.Name }} spec: provider: + {{- if eq $.Values.provider "AWS" }} aws: service: SecretsManager region: us-east-2 -{{ end }} + {{- else if eq $.Values.provider "GCP" }} + gcpsm: + projectID: {{ $.Values.GCP.projectID }} + {{- end }} +{{- end }} diff --git a/charts/all-in-one/values.yaml b/charts/all-in-one/values.yaml index 2a5f91617..5aced13e5 100644 --- a/charts/all-in-one/values.yaml +++ b/charts/all-in-one/values.yaml 
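Review bot: The `provider:` switch in secret-store.yaml has no fallthrough branch, so any `provider` value other than exactly `AWS` or `GCP` (a typo such as `aws`, or a cluster that never sets it) renders `spec.provider:` with a null value and the SecretStore is rejected only at apply time; add `{{- else }}{{ fail (printf "unsupported provider %q" $.Values.provider) }}` before the inner `{{- end }}` so the chart fails at render instead. The AWS branch also keeps `region: us-east-2` hard-coded while the bootstrap-v2 SecretStore in this same commit reads `.Values.AWS.region`; `region: {{ $.Values.AWS.region }}` would keep the two consistent. The `gcpsm` block carries no `auth:` section, so each per-network SecretStore presumably authenticates as the external-secrets controller's own identity — verify that the GSA bound to it is scoped to only the secrets these namespaces need, since every namespace with this template effectively inherits the controller's full read scope.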
@@ -4,6 +4,7 @@ clusterName: "9c-sample" logLevel: "debug" +provider: "AWS" global: image: diff --git a/charts/multiplanetary/templates/network.yaml b/charts/multiplanetary/templates/network.yaml index 872a3907a..48b22c1af 100644 --- a/charts/multiplanetary/templates/network.yaml +++ b/charts/multiplanetary/templates/network.yaml @@ -1,4 +1,4 @@ -{{ range $.Values.network }} +{{- range $.Values.network }} apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -7,16 +7,15 @@ metadata: spec: project: default source: - repoURL: https://github.com/planetarium/9c-infra.git - targetRevision: main + repoURL: {{ $.Values.repoURL | default "https://github.com/planetarium/9c-infra.git" }} + targetRevision: {{ $.Values.targetRevision | default "main" }} path: charts/all-in-one helm: valueFiles: - - "../../{{ $.Values.path }}/network/general.yaml" - - "../../{{ $.Values.path }}/network/{{ . }}.yaml" - + - /{{ $.Values.path }}/network/general.yaml + - /{{ $.Values.path }}/network/{{ . }}.yaml destination: server: https://kubernetes.default.svc namespace: {{ . }} --- -{{ end }} +{{- end }} diff --git a/common/bootstrap-v2/Chart.yaml b/common/bootstrap-v2/Chart.yaml new file mode 100644 index 000000000..983b564c2 --- /dev/null +++ b/common/bootstrap-v2/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +type: application +name: bootstrap-v2 +description: A Helm chart bootstrapping the cluster +version: 0.2.0 +appVersion: 1.0.0 diff --git a/common/bootstrap-v2/kustomization/amazon-eks-pod-identity-webhook/kustomization.yaml b/common/bootstrap-v2/kustomization/amazon-eks-pod-identity-webhook/kustomization.yaml new file mode 100644 index 000000000..e95a54335 --- /dev/null +++ b/common/bootstrap-v2/kustomization/amazon-eks-pod-identity-webhook/kustomization.yaml 
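Review bot: `provider: "AWS"` is added as the default, but the `GCP` branch of secret-store.yaml dereferences `$.Values.GCP.projectID` and no `GCP:` map exists in values.yaml, so selecting `provider: GCP` without also supplying a `GCP` block fails rendering with a nil-pointer error rather than a message naming the missing key. Add the stub next to the new key, `GCP:` / `  projectID: ""`, and guard the use with `{{ required "GCP.projectID is required when provider=GCP" $.Values.GCP.projectID }}`. A comment on the new key listing the accepted values, `# one of: AWS, GCP — gates the gp2/gp3 StorageClasses and the SecretStore provider`, would document what this switch now controls.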
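Review bot: The new `repoURL:` and `targetRevision:` lines emit the templated value unquoted, so a tag such as `1.10` or `2024-06-17` would be retyped by YAML to a float or a date before Argo CD sees it; render them as `repoURL: {{ $.Values.repoURL | default "https://github.com/planetarium/9c-infra.git" | quote }}` and `targetRevision: {{ $.Values.targetRevision | default "main" | quote }}`. Both defaults are mutable branches, and the bootstrap in this commit passes `targetRevision: gke`, so the generated Applications — whose sync policy is not visible in this hunk, but which are presumably auto-synced like the rest of the commit — will follow whatever lands on that branch; pinning to a tag or commit is the safer default for anything deployed under the wildcard `infra` project. The leading `/` in the `valueFiles` entries relies on Argo CD's repo-root-relative resolution; a one-line comment, `# leading slash = relative to repo root, not the chart path`, would save the next reader from misreading it as a filesystem path.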
@@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +metadata: + name: amazon-eks-pod-identity-webhook +resources: + - https://raw.githubusercontent.com/aws/amazon-eks-pod-identity-webhook/refs/tags/v0.6.2/deploy/auth.yaml + - https://raw.githubusercontent.com/aws/amazon-eks-pod-identity-webhook/refs/tags/v0.6.2/deploy/deployment-base.yaml + - https://raw.githubusercontent.com/aws/amazon-eks-pod-identity-webhook/refs/tags/v0.6.2/deploy/mutatingwebhook.yaml + - https://raw.githubusercontent.com/aws/amazon-eks-pod-identity-webhook/refs/tags/v0.6.2/deploy/service.yaml +patches: + - target: + kind: Deployment + name: pod-identity-webhook + patch: |- + - op: replace + path: /spec/template/spec/containers/0/image + value: amazon/amazon-eks-pod-identity-webhook:latest diff --git a/common/bootstrap-v2/templates/amazon-eks-pod-identity-webhook.yaml b/common/bootstrap-v2/templates/amazon-eks-pod-identity-webhook.yaml new file mode 100644 index 000000000..6ccf6b0aa --- /dev/null +++ b/common/bootstrap-v2/templates/amazon-eks-pod-identity-webhook.yaml @@ -0,0 +1,18 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: amazon-eks-pod-identity-webhook + namespace: argocd +spec: + project: infra + syncPolicy: + automated: + prune: true + selfHeal: true + destination: + server: https://kubernetes.default.svc + namespace: default + source: + repoURL: https://github.com/planetarium/9c-infra.git + path: common/bootstrap-v2/kustomization/amazon-eks-pod-identity-webhook + targetRevision: gke diff --git a/common/bootstrap-v2/templates/argocd-appproject-infra.yaml b/common/bootstrap-v2/templates/argocd-appproject-infra.yaml new file mode 100644 index 000000000..650ee9ebb --- /dev/null +++ b/common/bootstrap-v2/templates/argocd-appproject-infra.yaml 
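Review bot: The JSON patch in kustomization.yaml forces the webhook image to `amazon/amazon-eks-pod-identity-webhook:latest`, a floating tag, while the manifests it patches are pinned to `v0.6.2`; for a mutating admission webhook that injects AWS credential configuration into pods this means the running code can change with no change in this repo, and a rollback cannot reproduce what was deployed. Pin the image to the release the manifests came from, or better to a digest, e.g. `value: amazon/amazon-eks-pod-identity-webhook:v0.6.2` — confirm that tag exists in the registry first, since only the manifest tag is visible here. The remote `resources:` are fetched from raw.githubusercontent.com at every sync with no checksum, so consider vendoring the four files into the repo so that what is applied is what was reviewed.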
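Review bot: The `amazon-eks-pod-identity-webhook` Application deploys the webhook into `namespace: default`, unlike every other Application in this commit, which gets its own namespace via `CreateNamespace=true`; running an admission webhook that hands out IAM role bindings next to arbitrary workloads in `default` widens who can read its TLS Secret and ServiceAccount tokens. Give it a dedicated namespace, `namespace: pod-identity-webhook`, with `syncOptions: [CreateNamespace=true]` — check that the upstream `auth.yaml`/`mutatingwebhook.yaml` do not hard-code the namespace themselves. The Application also pins `targetRevision: gke`, a branch, so with `selfHeal: true` and `prune: true` any push there is applied cluster-wide without review; a tag or commit SHA would be safer for this component in particular.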
@@ -0,0 +1,17 @@ +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: infra +spec: + description: In-cluster applications managed by DevOps team + destinations: + - namespace: '*' + server: https://kubernetes.default.svc + sourceRepos: + - '*' + clusterResourceWhitelist: + - group: '*' + kind: '*' + namespaceResourceWhitelist: + - group: '*' + kind: '*' diff --git a/common/bootstrap-v2/templates/argocd-secret-github-ssh-client.yaml b/common/bootstrap-v2/templates/argocd-secret-github-ssh-client.yaml new file mode 100644 index 000000000..02d269435 --- /dev/null +++ b/common/bootstrap-v2/templates/argocd-secret-github-ssh-client.yaml @@ -0,0 +1,20 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: argocd-secret-github-ssh-client + namespace: argocd +spec: + refreshInterval: 1m + secretStoreRef: + kind: SecretStore + name: argocd-secretstore + target: + name: github-ssh-client + template: + metadata: + labels: + app.kubernetes.io/instance: argocd + app.kubernetes.io/part-of: argocd + dataFrom: + - extract: + key: {{ .Values.clusterName }}-argocd-github-ssh-client diff --git a/common/bootstrap-v2/templates/argocd-secretstore.yaml b/common/bootstrap-v2/templates/argocd-secretstore.yaml new file mode 100644 index 000000000..0468a007d --- /dev/null +++ b/common/bootstrap-v2/templates/argocd-secretstore.yaml @@ -0,0 +1,20 @@ +apiVersion: external-secrets.io/v1beta1 +kind: SecretStore +metadata: + name: argocd-secretstore + namespace: argocd +spec: + provider: + {{- if eq .Values.provider "AWS" }} + aws: + service: SecretsManager + region: {{ .Values.AWS.region }} + {{- else if eq .Values.provider "GCP" }} + gcpsm: + projectID: {{ .Values.GCP.projectID }} + {{- else }} + fake: + data: + - key: {{ .Values.clusterName }}-argocd-github-ssh-client + value: '{"dex.github.clientId":"DUMMY","dex.github.clientSecret":""}' + {{- end }} 
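Review bot: The `infra` AppProject is fully open — `sourceRepos: '*'`, destination `namespace: '*'`, and both resource whitelists `group: '*' kind: '*'` — so any principal allowed to create Applications in this project (every `planetarium:DevOps` member under the admin policy in this commit) can deploy any cluster-scoped resource, ClusterRoleBindings and webhooks included, from any Git or Helm repository. Restrict `sourceRepos` to the repositories this commit actually references and list the cluster-scoped kinds the bootstrap needs instead of the wildcard; the namespaced whitelist can stay broad. The kinds below are my reading of what the commit deploys (cert-manager CRDs and ClusterIssuer, the webhook's MutatingWebhookConfiguration, chart RBAC, the gp2/gp3 StorageClasses) — adjust against a dry-run sync. If the wildcard is deliberate for the bootstrap phase, record that in `description` so it is not mistaken for a finished policy.
```yaml
  sourceRepos:
    - https://github.com/planetarium/9c-infra
    - https://github.com/planetarium/9c-infra.git
    - https://argoproj.github.io/argo-helm
    - https://charts.jetstack.io
    - https://kubernetes-sigs.github.io/external-dns/
    - https://charts.external-secrets.io
    - https://traefik.github.io/charts
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace
    - group: apiextensions.k8s.io
      kind: CustomResourceDefinition
    - group: rbac.authorization.k8s.io
      kind: ClusterRole
    - group: rbac.authorization.k8s.io
      kind: ClusterRoleBinding
    - group: admissionregistration.k8s.io
      kind: MutatingWebhookConfiguration
    - group: cert-manager.io
      kind: ClusterIssuer
    - group: storage.k8s.io
      kind: StorageClass
  # … unchanged: namespaceResourceWhitelist …
```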
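Review bot: The ExternalSecret materialises what the fake-store fallback in this commit shows to be a Dex GitHub OAuth client id and secret (`dex.github.clientId` / `dex.github.clientSecret`) into a Secret named `github-ssh-client`, and the Secrets Manager key carries the same name; the name reads as an SSH deploy key and will mislead whoever audits what the `argocd` namespace holds. Rename the target and the backing key to something like `github-oauth-client` (the `$github-ssh-client:…` references in argocd.yaml must move with it), or at minimum add `# GitHub OAuth app credentials for Dex SSO — not an SSH key` above `target:`. `refreshInterval: 1m` polls the backing store every minute for a credential that rotates rarely; `refreshInterval: 1h` would do unless rotation is automated, which I cannot tell from here.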
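Review bot: The trailing `{{- else }}` branch of argocd-secretstore.yaml silently installs a `fake` SecretStore with `DUMMY`/empty Dex credentials whenever `provider` is anything other than exactly `AWS` or `GCP`, so a typo in values (`aws`, `gcp`) or the null default in bootstrap-v2/values.yaml yields an Argo CD whose GitHub SSO is configured with bogus credentials instead of a render error. Make the fake store an explicit opt-in, `{{- else if eq .Values.provider "fake" }}`, and close with `{{- else }}{{ fail (printf "unsupported provider %q" .Values.provider) }}{{- end }}`. As with the all-in-one SecretStore, the `gcpsm` branch has no `auth:` block and so presumably relies on the Workload Identity annotation this commit puts on the external-secrets ServiceAccount; a one-line comment recording that dependency would help.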
diff --git a/common/bootstrap-v2/templates/argocd.yaml b/common/bootstrap-v2/templates/argocd.yaml new file mode 100644 index 000000000..5b5af31c0 --- /dev/null +++ b/common/bootstrap-v2/templates/argocd.yaml @@ -0,0 +1,58 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argocd + namespace: argocd +spec: + project: infra + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true + destination: + server: https://kubernetes.default.svc + namespace: argocd + source: + repoURL: https://argoproj.github.io/argo-helm + chart: argo-cd + targetRevision: 7.7.16 + helm: + values: |- + global: + domain: {{ .Values.argocd.domain }} + controller: + replicas: 1 + redis-ha: + enabled: true + repoServer: + autoscaling: + enabled: true + server: + autoscaling: + enabled: true + ingress: + enabled: true + ingressClassName: traefik + configs: + params: + server.insecure: true + rbac: + scopes: "[email, groups]" + policy.default: role:readonly + policy.csv: | + g, planetarium:DevOps, role:admin + cm: + admin.enabled: true + statusbadge.enabled: true + dex.config: |- + connectors: + - type: github + id: github + name: GitHub + config: + orgs: + - name: planetarium + clientID: "$github-ssh-client:dex.github.clientId" + clientSecret: "$github-ssh-client:dex.github.clientSecret" diff --git a/common/bootstrap-v2/templates/cert-manager-certificate.yaml b/common/bootstrap-v2/templates/cert-manager-certificate.yaml new file mode 100644 index 000000000..3ff8fe303 --- /dev/null +++ b/common/bootstrap-v2/templates/cert-manager-certificate.yaml @@ -0,0 +1,14 @@ +{{- with .Values.certManager.dnsNames }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: certificate + namespace: traefik +spec: + secretName: certificate-secret + dnsNames: + {{- toYaml . | nindent 4 }} + issuerRef: + name: cert-manager-letsencrypt-issuer + kind: ClusterIssuer +{{- end }} 
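Review bot: `admin.enabled: true` keeps the built-in local `admin` account active alongside GitHub SSO, leaving the initial admin password as a second, non-federated way into an instance whose `infra` project can deploy any cluster resource; once the Dex login is verified, set `admin.enabled: false`. `server.insecure: true` makes argocd-server speak plain HTTP and delegate TLS entirely to Traefik, yet the `ingress:` block declares no `tls` or entrypoint restriction and the Traefik values in this commit show no HTTP→HTTPS redirect, so session cookies can travel in clear text; add `ingress.annotations: {traefik.ingress.kubernetes.io/router.entrypoints: websecure}` here or enable the redirect on the Traefik side. `policy.default: role:readonly` grants read access to every member of the `planetarium` GitHub org — if that is intended, a comment above `policy.default` saying so would help; otherwise use `policy.default: ''` and explicit grants.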
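Review bot: The Certificate has no `privateKey:` stanza, so with cert-manager v1.16.3 pinned in this commit it keeps the default `rotationPolicy: Never` and reuses the same private key at every renewal; for a wildcard certificate that the Traefik TLS store serves as its default for every hostname, a key that is never rotated is a long-lived target. Add under `spec:` the lines `privateKey:` / `  rotationPolicy: Always`. `{{- with .Values.certManager.dnsNames }}` correctly drops the whole resource when no names are configured, but traefik.yaml still references `certificate-secret` unconditionally, so a cluster without `dnsNames` gets a default TLS store pointing at a missing Secret — a comment here naming that coupling, or a matching guard in traefik.yaml, would prevent a confusing failure.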
diff --git a/common/bootstrap-v2/templates/cert-manager-letsencrypt-issuer.yaml b/common/bootstrap-v2/templates/cert-manager-letsencrypt-issuer.yaml new file mode 100644 index 000000000..669f8cff1 --- /dev/null +++ b/common/bootstrap-v2/templates/cert-manager-letsencrypt-issuer.yaml @@ -0,0 +1,14 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: cert-manager-letsencrypt-issuer +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: "{{ .Values.certManager.issuer.email }}" + privateKeySecretRef: + name: cert-manager-letsencrypt-issuer-secret + solvers: + - dns01: + route53: + region: us-east-2 diff --git a/common/bootstrap-v2/templates/cert-manager.yaml b/common/bootstrap-v2/templates/cert-manager.yaml new file mode 100644 index 000000000..34f620f18 --- /dev/null +++ b/common/bootstrap-v2/templates/cert-manager.yaml @@ -0,0 +1,29 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-manager + namespace: argocd +spec: + project: infra + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true + destination: + server: https://kubernetes.default.svc + namespace: cert-manager + source: + repoURL: https://charts.jetstack.io + chart: cert-manager + targetRevision: v1.16.3 + helm: + values: |- + crds: + enabled: true + serviceAccount: + annotations: + {{- with .Values.certManager.serviceAccount.annotations }} + {{- toYaml . | nindent 12 }} + {{- end }} diff --git a/common/bootstrap-v2/templates/external-dns.yaml b/common/bootstrap-v2/templates/external-dns.yaml new file mode 100644 index 000000000..3d5320851 --- /dev/null +++ b/common/bootstrap-v2/templates/external-dns.yaml 
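Review bot: The `route53` dns01 solver carries no `hostedZoneID`, `role` or credential reference, so it runs with whatever ambient AWS identity cert-manager's pod has — and the values file in this commit annotates that ServiceAccount with the same IAM role as external-dns (`role/gke-external-dns`); as a ClusterIssuer it is reachable from every namespace, so any tenant that can create a Certificate can drive DNS writes with that role. Give cert-manager its own role limited to `route53:ChangeResourceRecordSets` and `route53:GetChange` on the specific zones, and pin each solver with `hostedZoneID:` plus a `selector.dnsZones` entry per domain. `region: us-east-2` is hard-coded here although the rest of bootstrap-v2 reads `.Values.AWS.region`; `region: {{ .Values.AWS.region }}` keeps it in one place, or a comment should say why this literal is intentional.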
@@ -0,0 +1,40 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-dns + namespace: argocd +spec: + project: infra + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true + destination: + server: https://kubernetes.default.svc + namespace: external-dns + source: + repoURL: https://kubernetes-sigs.github.io/external-dns/ + chart: external-dns + targetRevision: 1.15.0 + helm: + values: |- + policy: sync + txtOwnerId: "{{ .Values.clusterName }}" + sources: + - service + - ingress + - gateway-httproute + - gateway-grpcroute + - crd + managedRecordTypes: + - A + - AAAA + - CNAME + - TXT + serviceAccount: + annotations: + {{- with .Values.externalDns.serviceAccount.annotations }} + {{- toYaml . | nindent 12 }} + {{- end }} diff --git a/common/bootstrap-v2/templates/external-secrets.yaml b/common/bootstrap-v2/templates/external-secrets.yaml new file mode 100644 index 000000000..bee7c66b1 --- /dev/null +++ b/common/bootstrap-v2/templates/external-secrets.yaml @@ -0,0 +1,31 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-secrets + namespace: argocd +spec: + project: infra + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true + destination: + server: https://kubernetes.default.svc + namespace: external-secrets + source: + repoURL: https://charts.external-secrets.io + chart: external-secrets + targetRevision: 0.12.1 + helm: + values: |- + certController: + create: false + webhook: + create: false + serviceAccount: + annotations: + {{- with .Values.externalSecrets.serviceAccount.annotations }} + {{- toYaml . | nindent 12 }} + {{- end }} diff --git a/common/bootstrap-v2/templates/traefik.yaml b/common/bootstrap-v2/templates/traefik.yaml new file mode 100644 index 000000000..ecfab53d9 --- /dev/null +++ b/common/bootstrap-v2/templates/traefik.yaml 
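Review bot: The external-dns values set `policy: sync` with no `domainFilters`, so the controller will create, update and delete records in every hosted zone its IAM role can reach for any hostname that appears on a Service, Ingress, HTTPRoute, GRPCRoute or DNSEndpoint in the cluster; `txtOwnerId` stops it deleting records it did not create, but not creating arbitrary names in arbitrary zones. Add `domainFilters:` / `  - nine-chronicles.com` / `  - planetarium.network` (the two zones the Certificate in this commit covers) so a mis-annotated Ingress cannot hijack names elsewhere, and consider `policy: upsert-only` for a test cluster. If leaving the filter open is intentional, a comment above `policy:` should say which zones the role is expected to be limited to.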
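Review bot: `webhook.create: false` disables the external-secrets validating/conversion webhook, so malformed SecretStore and ExternalSecret objects — such as the null `provider:` the all-in-one SecretStore can render — are accepted by the API server and only surface as reconcile errors in the controller log. If this was done to avoid the ordering dependency on cert-manager, record the trade-off above `certController:` with `# webhook/certController disabled: CR validation happens only at reconcile time`. Confirm that chart 0.12.1 does not need the conversion webhook for the `v1beta1` API used by the SecretStores in this commit — I cannot verify that from here.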
@@ -0,0 +1,31 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: traefik + namespace: argocd +spec: + project: infra + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true + destination: + server: https://kubernetes.default.svc + namespace: traefik + source: + repoURL: https://traefik.github.io/charts + chart: traefik + targetRevision: 34.1.0 + helm: + values: |- + service: + annotations: + {{- with .Values.global.service.annotations }} + {{- toYaml . | nindent 12 }} + {{- end }} + tlsStore: + default: + defaultCertificate: + secretName: certificate-secret diff --git a/common/bootstrap-v2/values.yaml b/common/bootstrap-v2/values.yaml new file mode 100644 index 000000000..184732218 --- /dev/null +++ b/common/bootstrap-v2/values.yaml @@ -0,0 +1,24 @@ +clusterName: +provider: + +global: + service: + annotations: + +argocd: + domain: + +externalSecrets: + serviceAccount: + annotations: + +externalDns: + serviceAccount: + annotations: + +certManager: + serviceAccount: + annotations: + dnsNames: + issuer: + email: diff --git a/gke-ninechronicles-internal/bootstrap.yaml b/gke-ninechronicles-internal/bootstrap.yaml new file mode 100644 index 000000000..274380b86 --- /dev/null +++ b/gke-ninechronicles-internal/bootstrap.yaml @@ -0,0 +1,27 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: bootstrap + namespace: argocd +spec: + project: infra + destination: + server: https://kubernetes.default.svc + namespace: argocd + sources: + - repoURL: https://github.com/planetarium/9c-infra + path: common/bootstrap-v2 + targetRevision: gke + helm: + valueFiles: + - /gke-ninechronicles-internal/values.yaml + - repoURL: https://github.com/planetarium/9c-infra.git + path: charts/multiplanetary + targetRevision: gke + helm: + values: |- + clusterName: ninechronicles-internal-test-1 + targetRevision: gke + path: gke-ninechronicles-internal + network: + - odin 
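Review bot: The Traefik values configure only the service annotations and a default TLS store; there is no `ports.web.redirectTo`, so the `web` (HTTP) entrypoint keeps serving every routed host in plain text, including the Argo CD ingress this commit deploys with `server.insecure: true`. Force HTTPS at the edge with the redirect shown below (chart 34.x syntax — confirm against the chart's values schema). `defaultCertificate.secretName: certificate-secret` is only created by cert-manager-certificate.yaml when `certManager.dnsNames` is set, so a cluster without names silently falls back to Traefik's self-signed default; a comment noting that coupling would help the next reader.
```yaml
      values: |-
        # … unchanged: service.annotations …
        ports:
          web:
            redirectTo:
              port: websecure
        # … unchanged: tlsStore …
```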
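Review bot: The defaults file leaves every key as a bare null (`clusterName:`, `provider:`, each `annotations:`) and omits the `AWS:` map entirely, yet argocd-secretstore.yaml in this commit reads `.Values.AWS.region` when `provider` is `AWS` — so an AWS cluster that sets `provider` but forgets the `AWS` block fails to render with a nil-pointer error rather than a message naming the missing key. Add `AWS:` / `  region: ""` and `GCP:` / `  projectID: ""` here, and document the switch: `# provider: AWS | GCP (any other value selects the fake SecretStore)`. The empty maps would be clearer as `annotations: {}` than as null — the `with` guards behave the same either way, but `{}` states the intent.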
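Review bot: The bootstrap Application lives in project `infra` and pulls both sources at `targetRevision: gke`, a branch, so the AppProject wildcards, Argo CD RBAC and Dex config it installs track whatever is pushed there; this root Application has no automated sync, which is good, but the child Applications it generates all point at `gke` with `automated`/`selfHeal`, so a branch push still propagates cluster-wide with no manual step. Consider pinning `targetRevision` to a tag or commit for the root and noting the intended promotion flow in a comment above `sources:`. The two sources spell the repository as `…/9c-infra` and `…/9c-infra.git`; Argo CD normally normalises these, but one form avoids a second repo-credential entry if normalisation ever differs — I cannot verify the Argo CD version's behaviour from here.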
diff --git a/gke-ninechronicles-internal/network/general.yaml b/gke-ninechronicles-internal/network/general.yaml new file mode 100644 index 000000000..3b6be2b59 --- /dev/null +++ b/gke-ninechronicles-internal/network/general.yaml @@ -0,0 +1,18 @@ +clusterName: ninechronicles-internal-test-1 +provider: GCP +GCP: + projectID: devops-test-445104 + +global: + image: + repository: planetariumhq/ninechronicles-headless + tag: "git-5681ee3a468d8c550d70e0ebed6eb530a5caf82a" + + service: + annotations: + +seed: + image: + repository: planetariumhq/libplanet-seed + pullPolicy: Always + tag: "git-67d0ef91c52a71a9772cd7fdb241c9fc37b165b8" diff --git a/gke-ninechronicles-internal/network/odin.yaml b/gke-ninechronicles-internal/network/odin.yaml new file mode 100644 index 000000000..89a36eba4 --- /dev/null +++ b/gke-ninechronicles-internal/network/odin.yaml 
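Review bot: The image tags `git-5681ee3a…` and `git-67d0ef91…` are correctly quoted, but they remain mutable tags on Docker Hub pulled with `pullPolicy: Always`, so a re-push of the same tag changes what every node runs without any change in this repo; if the chart's `image` values accept it (not visible here), reference the images by digest, or at least record the expected digest in a comment beside each `tag:`. `service.annotations:` is a bare null — `annotations: {}` states the intent. The `clusterName`/`provider`/`GCP.projectID` trio is duplicated between this file and gke-ninechronicles-internal/values.yaml; a comment pointing at which one is authoritative would avoid drift.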
@@ -0,0 +1,97 @@ +logLevel: "debug" + +global: + validatorPath: "validator-5.9c-network.svc.cluster.local" + genesisBlockPath: "https://release.nine-chronicles.com/genesis-block-9c-main" + trustedAppProtocolVersionSigner: "02529a61b9002ba8f21c858224234af971e962cac9bd7e6b365e71e125c6463478" + headlessAppsettingsPath: "https://9c-cluster-config.s3.us-east-2.amazonaws.com/9c-internal/odin/appsettings.json" + + appProtocolVersion: "200190/54684Ac4ee5B933e72144C4968BEa26056880d71/MEUCIQCNQmMSk4nnbOXSpe9yk0Q2ecyoQYrnZpQxmMeVz+Ve0wIgb9v1jf4R6DL8iikurLgzH9gYQJ+zvEBsEqQqmS55nPc=/ZHU5OnRpbWVzdGFtcHUxMDoyMDI0LTA2LTE3ZQ==" + + peerStrings: + - "033369e95dbfd970dd9a7b4df31dcf5004d7cfd63289d26cc42bbdd01e25675b6f,tcp-seed-1.9c-network.svc.cluster.local,31234" + + iceServers: + - "turn://0ed3e48007413e7c2e638f13ddd75ad272c6c507e081bd76a75e4b7adc86c9af:0apejou+ycZFfwtREeXFKdfLj2gCclKzz5ZJ49Cmy6I=@turn-us.planetarium.dev:3478" + + networkType: Internal + planet: OdinInternal + consensusType: pbft + + resetSnapshot: true + rollbackSnapshot: false + +externalSecret: + enabled: true + +ingress: + enabled: false + +gateway: + enabled: true + services: + - name: remote-headless + hostnames: + - odin-internal-gke-rpc.nine-chronicles.com + backendRefs: + - name: remote-headless-1 + protocols: + - web + - grpc + +snapshot: + downloadSnapshot: true + slackChannel: "9c-internal" + image: "planetariumhq/ninechronicles-snapshot:git-45205b5ed6d978bb0dda6ad0b84fb0a393015711" + partition: + enabled: false + suspend: true + path: internal + nodeSelector: + +# if you want to delete PVC with the volume provisioned together, set this value "Delete" +volumeReclaimPolicy: "Retain" + +seed: + count: 1 + useTurnServer: false + image: + repository: planetariumhq/libplanet-seed + pullPolicy: Always # Overrides the image tag whose default is the chart appVersion. 
+ + hosts: + - "odin-internal-gke-tcp-seed-1.nine-chronicles.com" + + nodeSelector: + +remoteHeadless: + image: + repository: planetariumhq/ninechronicles-headless + pullPolicy: Always + + hosts: + - "odin-internal-gke-rpc-1.nine-chronicles.com" + + ports: + headless: 31234 + graphql: 80 + rpc: 31238 + + storage: + data: 500Gi + + resources: + requests: + cpu: 1 + memory: 12Gi + + nodeSelector: + + loggingEnabled: true + + extraArgs: + - --tx-quota-per-signer=1 + - --remote-key-value-service + +validator: + count: 0 diff --git a/gke-ninechronicles-internal/values.yaml b/gke-ninechronicles-internal/values.yaml new file mode 100644 index 000000000..16a7bb0fb --- /dev/null +++ b/gke-ninechronicles-internal/values.yaml @@ -0,0 +1,27 @@ +clusterName: ninechronicles-internal-test-1 +provider: GCP +GCP: + projectID: devops-test-445104 +global: + service: + annotations: + cloud.google.com/network-tier: Standard +argocd: + domain: argocd-internal-gke.planetarium.network +externalSecrets: + serviceAccount: + annotations: + iam.gke.io/gcp-service-account: external-secrets@devops-test-445104.iam.gserviceaccount.com +externalDns: + serviceAccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::319679068466:role/gke-external-dns +certManager: + serviceAccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::319679068466:role/gke-external-dns + dnsNames: + - "*.nine-chronicles.com" + - "*.planetarium.network" + issuer: + email: devops@planetariumhq.com
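Review bot: `iceServers` commits a TURN credential in clear text (`turn://<user>:<secret>@turn-us.planetarium.dev:3478`) to a values file in this repository, so anyone with read access to the repo — or to its history after a later cleanup — can relay traffic through the Planetarium TURN server; this is the one hard-coded secret in the commit and should move to the secret path the chart already provides (`externalSecret.enabled: true` is set right below) and be rotated, since it is now in Git history. The rest of the `global:` block (genesis URL, `appProtocolVersion`, `trustedAppProtocolVersionSigner`) is public chain metadata and is fine in the clear. `resetSnapshot: true` on an internal network deserves a one-line comment saying when it is meant to be flipped back, and the three bare `nodeSelector:` keys read more clearly as `nodeSelector: {}`.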
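Review bot: `certManager.serviceAccount.annotations` and `externalDns.serviceAccount.annotations` both bind `eks.amazonaws.com/role-arn: arn:aws:iam::…:role/gke-external-dns`, so cert-manager runs with external-dns's role — whichever of the two needs fewer Route 53 permissions inherits the other's, and a compromise of either pod yields the same AWS identity. Create a separate `gke-cert-manager` role limited to the zones and actions DNS-01 needs and reference it here. The wildcard `dnsNames` (`*.nine-chronicles.com`, `*.planetarium.network`) issue a production-apex wildcard key into a test cluster's `traefik` namespace; for `ninechronicles-internal-test-1`, listing only the hostnames it serves (the `odin-internal-gke-*` names in odin.yaml) bounds what a stolen key is good for. The `eks.amazonaws.com/role-arn` annotations on a GKE cluster presumably take effect only through the pod-identity webhook this commit installs — worth a comment next to them so the dependency is explicit.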