add initial argocd apps

.github/workflows/terraform-kubernetes.yaml

@@ -75,6 +75,7 @@ jobs:
         AWS_ACCESS_KEY_ID : ${{ secrets.AWS_ACCESS_KEY_ID }}
         AWS_SECRET_ACCESS_KEY : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         TF_VAR_github_token : ${{ secrets.PAT_TOKEN }}
+        TF_VAR_scw_secret_key: ${{ secrets.SCW_SECRET_KEY }}
 
     - name: Terraform Validate
       id: validate
@@ -93,6 +94,7 @@ jobs:
         AWS_ACCESS_KEY_ID : ${{ secrets.AWS_ACCESS_KEY_ID }}
         AWS_SECRET_ACCESS_KEY : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         TF_VAR_github_token : ${{ secrets.PAT_TOKEN }}
+        TF_VAR_scw_secret_key: ${{ secrets.SCW_SECRET_KEY }}
 
     - name: Terraform Show
       id: show
@@ -106,6 +108,7 @@ jobs:
         AWS_ACCESS_KEY_ID : ${{ secrets.AWS_ACCESS_KEY_ID }}
         AWS_SECRET_ACCESS_KEY : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         TF_VAR_github_token : ${{ secrets.PAT_TOKEN }}
+        TF_VAR_scw_secret_key: ${{ secrets.SCW_SECRET_KEY }}
 
     # - uses: actions/github-script@v6
     #   if: github.event_name == 'pull_request'
@@ -159,4 +162,5 @@ jobs:
         TF_VAR_rancher_secret_key : ${{ secrets.RANCHER_SECRET_KEY }}
         AWS_ACCESS_KEY_ID : ${{ secrets.AWS_ACCESS_KEY_ID }}
         AWS_SECRET_ACCESS_KEY : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        TF_VAR_github_token : ${{ secrets.PAT_TOKEN }}
+        TF_VAR_github_token : ${{ secrets.PAT_TOKEN }}
+        TF_VAR_scw_secret_key: ${{ secrets.SCW_SECRET_KEY }}

kubernetes-terraform/kubernetes.tf

@@ -5,4 +5,20 @@ module "argocd-install" {
   cluster_host           = module.vsphere-k8s-rancher-cilium.cluster-endpoint
   cluster_token          = module.vsphere-k8s-rancher-cilium.kubeconfig-token
   cluster_ca_certificate = module.vsphere-k8s-rancher-cilium.certificate-authority-data
+}
+
+module "argocd-config" {
+  source                 = "./modules/argocd-config"
+  cluster_host           = module.vsphere-k8s-rancher-cilium.cluster-endpoint
+  cluster_token          = module.vsphere-k8s-rancher-cilium.kubeconfig-token
+  cluster_ca_certificate = module.vsphere-k8s-rancher-cilium.certificate-authority-data
+
+}
+
+module "external-secrets" {
+  source              = "./modules/external-secrets-argocd"
+  cluster_host        = module.vsphere-k8s-rancher-cilium.cluster-endpoint
+  cluster_token       = module.vsphere-k8s-rancher-cilium.kubeconfig-token
+  cluster_certificate = module.vsphere-k8s-rancher-cilium.certificate-authority-data
+  scw_secret_key      = var.scw_secret_key
 }

kubernetes-terraform/modules/argocd-config/argocd-app.tf

@@ -0,0 +1,9 @@
+resource "helm_release" "argocd-root-app" {
+  name             = "argocd-root-app"
+  repository       = "https://argoproj.github.io/argo-helm"
+  chart            = "argocd-apps"
+  namespace        = "argocd"
+  create_namespace = true
+  version          = "1.6.2"
+  values           = [file("${path.module}/argocd-root-app.yaml")]
+}

kubernetes-terraform/modules/argocd-config/argocd-root-app.yaml

@@ -0,0 +1,20 @@
+applications:
+  - name: production-argocd-aoa
+    namespace: "argocd"
+    finalizers:
+    - resources-finalizer.argocd.argoproj.io
+    destination:
+      server: https://kubernetes.default.svc
+#      name: in-cluster
+      namespace: argocd
+    project: default
+    source:
+      path: kubernetes/apps/production/argocd
+      repoURL: https://github.com/Haibread/infrastructure.git
+      targetRevision: "HEAD"
+      directory:
+        recurse: true
+    syncPolicy:
+      automated:
+        prune: true
+        selfHeal: true

kubernetes-terraform/modules/argocd-config/providers.tf

@@ -0,0 +1,30 @@
+terraform {
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">=2.23.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "2.11.0"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "2.4.0"
+    }
+  }
+  required_version = ">= 1.0.0"
+}
+
+provider "kubernetes" {
+  host                   = var.cluster_host
+  token                  = var.cluster_token
+  cluster_ca_certificate = base64decode(var.cluster_ca_certificate)
+}
+provider "helm" {
+  kubernetes {
+    host                   = var.cluster_host
+    token                  = var.cluster_token
+    cluster_ca_certificate = base64decode(var.cluster_ca_certificate)
+  }
+}

kubernetes-terraform/modules/argocd-config/variables.tf

@@ -0,0 +1,11 @@
+variable "cluster_host" {
+  type = string
+}
+
+variable "cluster_token" {
+  type = string
+}
+
+variable "cluster_ca_certificate" {
+  type = string
+}

kubernetes-terraform/modules/argocd-install/argocd.tf

@@ -7,7 +7,7 @@ resource "helm_release" "argocd" {
   version          = "6.6.0"
   values           = [file("${path.module}/argocd.yaml")]
 
-  depends_on = [ kubernetes_namespace.argocd ]
+  depends_on = [kubernetes_namespace.argocd]
 }
 
 resource "kubernetes_secret" "github-repo" {

kubernetes-terraform/modules/external-secrets-argocd/external-secrets-app.tf

@@ -0,0 +1,28 @@
+resource "helm_release" "external-secrets" {
+  name             = "external-secrets"
+  repository       = "https://charts.external-secrets.io"
+  chart            = "external-secrets"
+  namespace        = "external-secrets"
+  create_namespace = false
+  version          = "0.9.13"
+  values           = [file("${path.module}/external-secrets-values.yaml")]
+
+  depends_on = [kubernetes_namespace.external-secrets]
+}
+
+resource "kubernetes_secret" "scw-secrets-store-secret-key" {
+  metadata {
+    name      = "scw-secrets-store-secret-key"
+    namespace = "external-secrets"
+  }
+  data = {
+    secretKey = var.scw_secret_key
+  }
+  depends_on = [helm_release.external-secrets]
+}
+
+resource "kubernetes_namespace" "external-secrets" {
+  metadata {
+    name = "external-secrets"
+  }
+}

kubernetes-terraform/modules/external-secrets-argocd/external-secrets-values.yaml

@@ -0,0 +1 @@
+---

kubernetes-terraform/modules/external-secrets-argocd/providers.tf

@@ -0,0 +1,48 @@
+terraform {
+  required_providers {
+    scaleway = {
+      source  = "scaleway/scaleway"
+      version = ">= 2.28.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">=2.23.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "2.11.0"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "2.4.0"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "1.14.0"
+    }
+  }
+  required_version = ">= 1.0.0"
+}
+
+provider "scaleway" {
+  region = "fr-par"
+}
+
+provider "kubernetes" {
+  host                   = var.cluster_host
+  token                  = var.cluster_token
+  cluster_ca_certificate = base64decode(var.cluster_certificate)
+}
+provider "kubectl" {
+  host                   = var.cluster_host
+  token                  = var.cluster_token
+  cluster_ca_certificate = base64decode(var.cluster_certificate)
+  load_config_file       = false
+}
+provider "helm" {
+  kubernetes {
+    host                   = var.cluster_host
+    token                  = var.cluster_token
+    cluster_ca_certificate = base64decode(var.cluster_certificate)
+  }
+}

kubernetes-terraform/modules/external-secrets-argocd/variables.tf

@@ -0,0 +1,15 @@
+variable "cluster_host" {
+  type = string
+}
+
+variable "cluster_token" {
+  type = string
+}
+
+variable "cluster_certificate" {
+  type = string
+}
+
+variable "scw_secret_key" {
+  type = string
+}

kubernetes-terraform/variables.tf

@@ -23,6 +23,11 @@ variable "github_token" {
   type      = string
 }
 
+variable "scw_secret_key" {
+  sensitive = true
+  type      = string
+}
+
 //variable "github_org" {
 //  type = string
 //}

kubernetes/apps/production/argocd/poc-project-observability-argocd-aoa.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: production-argocd-aoa
+  namespace: argocd
+spec:
+  destination:
+    namespace: argocd
+    #name: in-cluster
+  project: default
+  source:
+    repoURL: https://github.com/Haibread/infrastructure.git
+    path: kubernetes/apps/production/
+    targetRevision: "HEAD"
+    directory:
+      recurse: true
+  syncPolicy:
+    automated: {}

kubernetes/apps/production/argocd/poc-project-observability-argocd-app.yaml

@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: production-argocd
+  namespace: argocd
+spec:
+  destination:
+    namespace: argocd
+    name: in-cluster
+  project: default
+  sources:
+    - repoURL: https://argoproj.github.io/argo-helm
+      targetRevision: "6.6.0"
+      chart: argo-cd
+      helm:
+        releaseName: argocd
+        valueFiles:
+          - $values/kubernetes/values/production/argocd/values.yaml
+    - repoURL: https://github.com/Haibread/infrastructure.git
+      targetRevision: "HEAD"
+      ref: values
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+    - ServerSideApply=true #Needed for CRDs

kubernetes/apps/production/argocd/poc-project-observability-argocd-appproject.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: production-argocd
+  namespace: argocd
+spec:
+  description: "Production Cluster"
+  sourceRepos:
+    - "https://github.com/Haibread/infrastructure.git"
+  destinations:
+    - namespace: "argocd"
+      server: https://kubernetes.default.svc
+    - namespace: "monitoring"
+  clusterResourceWhitelist:
+    - kind: "*"
+      group: "*"
+  namespaceResourceWhitelist:
+    - kind: "*"
+      group: "*"

kubernetes/apps/production/argocd/poc-project-observability-argocd-manifests.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: production-argocd-common
+  namespace: argocd
+spec:
+  destination:
+    namespace: argocd
+    name: in-cluster
+  project: production-argocd
+  source:
+    repoURL: https://github.com/Haibread/infrastructure.git
+    path: kubernetes/manifests/production/
+    targetRevision: "HEAD"
+    directory:
+      recurse: true
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+    - ServerSideApply=true #Needed for CRDs

kubernetes/apps/production/monitoring/grafana-loki.yml/grafana-loki.yml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: grafana-loki
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/compare-options: ServerSideDiff=true
+spec:
+  project: default
+  sources:
+  - repoURL: https://grafana.github.io/helm-charts
+    targetRevision: "0.78.4"
+    chart: loki-distributed
+    helm:
+      valueFiles:
+      - $values/kubernetes/values/production/grafana-loki/values.yaml
+  - repoURL: https://github.com/Haibread/infrastructure.git
+    targetRevision: "HEAD"
+    ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: grafana-loki
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+    - ServerSideApply=true #Needed for CRDs

kubernetes/apps/production/monitoring/namespace.yml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"

kubernetes/apps/testing/monitoring/namespace.yml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"