diff --git a/gitops/applications/base/kyverno/image-rewrite-policy.yaml b/gitops/applications/base/kyverno/image-rewrite-policy.yaml
new file mode 100644
index 000000000..df77cff55
--- /dev/null
+++ b/gitops/applications/base/kyverno/image-rewrite-policy.yaml
@@ -0,0 +1,86 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: redirect-dockerio-to-mirrorgcrio
+spec:
+ rules:
+ - name: redirect-dockerio-to-mirrorgcrio
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ operations:
+ - CREATE
+ - UPDATE
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - istio-ingress-ext
+ - istio-ingress-int
+ mutate:
+ foreach:
+ - list: request.object.spec.containers[]
+ preconditions:
+ all:
+ - key: "{{ image_normalize(element.image) }}"
+ operator: AnyIn
+ value:
+ - docker.io/*
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ kyverno/redirect-dockerio-to-mirrorgcrio: applied
+ spec:
+ containers:
+ - name: "{{ element.name }}"
+ env:
+ - name: ORIGINAL_IMAGE
+ value: "{{ element.image }}"
+ image: 'mirror.gcr.io/{{ images.containers."{{element.name}}".path}}:{{images.containers."{{element.name}}".tag}}'
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: redirect-xpkgupboundio-to-ghcr
+spec:
+ rules:
+ - name: redirect-xpkgupboundio-to-ghcr
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ operations:
+ - CREATE
+ - UPDATE
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - istio-ingress-ext
+ - istio-ingress-int
+ mutate:
+ foreach:
+ - list: request.object.spec.containers[]
+ preconditions:
+ all:
+ - key: "{{ image_normalize(element.image) }}"
+ operator: AnyIn
+ value:
+ - xpkg.upbound.io/*
+ - key: "{{ element.image }}"
+ operator: NotEquals
+ value: "auto:latest"
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ kyverno/redirect-xpkgupboundio-to-ghcr: applied
+ spec:
+ containers:
+ - name: "{{ element.name }}"
+ env:
+ - name: ORIGINAL_IMAGE
+ value: "{{ element.image }}"
+ image: 'ghcr.io/mojaloop/infra/{{ images.containers."{{element.name}}".path}}:{{images.containers."{{element.name}}".tag}}'
diff --git a/gitops/applications/base/kyverno/kustomization.yaml b/gitops/applications/base/kyverno/kustomization.yaml
new file mode 100644
index 000000000..f1ae28c0a
--- /dev/null
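Review bot: Both rules iterate only `request.object.spec.containers[]`, so docker.io and xpkg.upbound.io images in `initContainers` and `ephemeralContainers` of the same Pod are left untouched and still pull from the original registry, which defeats the point of forcing pulls through a controlled mirror; a second `foreach` entry with `list: request.object.spec.initContainers[]`, the same preconditions and a patch under `spec.initContainers` closes that gap. The rewritten reference is composed from `.path` and `.tag` only, so an image pinned by digest (`name@sha256:…`) loses its digest and, if `tag` resolves empty, ends in a bare `:`; either compose `images.containers."{{element.name}}".digest` when it is set or add a precondition that skips digest references, and confirm how `image_normalize` and the `images` variable treat digest-only references on the Kyverno version deployed here. A one-line comment above each rule stating the intended scope, e.g. `# Rewrites docker.io images in spec.containers only; initContainers are not covered`, would make the gap visible until it is closed.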
+++ b/gitops/applications/base/kyverno/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespaces.yaml
+ - image-rewrite-policy.yaml
+
+helmCharts:
+ - name: kyverno
+ releaseName: kyverno
+ version: ${ARGOCD_ENV_kyverno_helm_version}
+ repo: https://kyverno.github.io/kyverno/
+ valuesFile: kyverno-values.yaml
+ namespace: ${ARGOCD_ENV_kyverno_namespace}
diff --git a/gitops/applications/base/kyverno/kyverno-values.yaml b/gitops/applications/base/kyverno/kyverno-values.yaml
new file mode 100644
index 000000000..2108531cc
--- /dev/null
+++ b/gitops/applications/base/kyverno/kyverno-values.yaml
@@ -0,0 +1,26 @@
+config:
+
+ # TODO
+ # If possible we should not watch and mutate kube-system but image rewrite likely needs it
+
+ # Enable Kyverno to touch resources in kube-system namespace
+ resourceFiltersExcludeNamespaces:
+ - kube-system
+
+ # Enable Kyverno to watch resources in kube-system namespace
+ webhooks:
+ namespaceSelector:
+ matchExpressions: {}
+
+reportsController:
+ rbac:
+ coreClusterRole:
+ extraResources:
+ - apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/gitops/applications/base/kyverno/namespaces.yaml b/gitops/applications/base/kyverno/namespaces.yaml
new file mode 100644
index 000000000..06c6658f2
--- /dev/null
+++ b/gitops/applications/base/kyverno/namespaces.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ${ARGOCD_ENV_kyverno_namespace}
diff --git a/gitops/applications/base/vault/vault-init-crs.yaml b/gitops/applications/base/vault/vault-init-crs.yaml
index 0c96cac2f..af335236b 100644
--- a/gitops/applications/base/vault/vault-init-crs.yaml
+++ b/gitops/applications/base/vault/vault-init-crs.yaml
@@ -81,7 +81,8 @@ spec: restartPolicy: OnFailure containers: - name: vault-client - image: hashicorp/vault + #TODO: this version tag needs another solution + image: hashicorp/vault:1.17.2 command: - /bin/sh - "-c"
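Review bot: `reportsController.rbac.coreClusterRole.extraResources` grants `get`/`list`/`watch` on `'*'` resources in `'*'` apiGroups, which is cluster-wide read access to every object including Secrets, while the only policies added in this commit match Pods; scoping the grant to the kinds the policies actually report on (e.g. `resources: [pods]` in the core group) keeps the reports controller at least privilege and should be revisited whenever a policy targets a new kind. `webhooks.namespaceSelector.matchExpressions: {}` assigns an empty mapping to a field that is a list in a LabelSelector, so `[]` is the correct empty value — confirm in the rendered `kyverno` ConfigMap that `{}` is neither rejected nor silently ignored, since the latter would leave the chart's default kube-system exclusion in place. Pulling kube-system into both the resource filters and the webhook scope means a Kyverno outage can block kube-system Pod admission if the policy webhooks run with a `Fail` failure policy; the existing TODO should state that trade-off, e.g. `# NOTE: with kube-system in scope, the webhook failurePolicy decides whether a Kyverno outage blocks control-plane pods`.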
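Review bot: `image: hashicorp/vault:1.17.2` pins a mutable tag, so the content behind it can still change underneath the Job; pinning by digest (`hashicorp/vault:1.17.2@sha256:<digest>`, placeholder) or templating the tag the way the other manifests do (`hashicorp/vault:${ARGOCD_ENV_<vault_version_var>}`, placeholder name) would resolve the `#TODO` instead of deferring it. This is a docker.io reference, so the new `redirect-dockerio-to-mirrorgcrio` ClusterPolicy will rewrite it to `mirror.gcr.io/hashicorp/vault:1.17.2` at admission unless the Job's namespace is excluded; a comment saying so would keep the pull-through behaviour from surprising the next reader. The Job spec this container belongs to starts and ends outside the hunk.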
@@ -102,4 +103,3 @@ spec: name: ${ARGOCD_ENV_tf_post_config_output_secret} key: kv_path --- -
diff --git a/gitops/applications/overlays/cloud_provider/aws/rook-ceph-cluster/pvc/ceph-cluster-crs.yaml b/gitops/applications/overlays/cloud_provider/aws/rook-ceph-cluster/pvc/ceph-cluster-crs.yaml
index 81656039a..a2d253585 100644
--- a/gitops/applications/overlays/cloud_provider/aws/rook-ceph-cluster/pvc/ceph-cluster-crs.yaml
+++ b/gitops/applications/overlays/cloud_provider/aws/rook-ceph-cluster/pvc/ceph-cluster-crs.yaml
@@ -73,7 +73,7 @@ spec: operator: In values: - rook-ceph-osd-prepare - resources: + #resources: # These are the OSD daemon limits. For OSD prepare limits, see the separate section below for "prepareosd" resources # limits: # memory: "4Gi"
@@ -92,7 +92,7 @@ spec: accessModes: - ReadWriteOnce onlyApplyOSDPlacement: false - resources: + #resources: # prepareosd: # requests: # cpu: "200m"
@@ -106,4 +106,4 @@ spec: disruptionManagement: managePodBudgets: true osdMaintenanceTimeout: 30 - pgHealthCheckTimeout: 0 \ No newline at end of file + pgHealthCheckTimeout: 0
diff --git a/gitops/argo-apps/base/argocd-helm.yaml b/gitops/argo-apps/base/argocd-helm.yaml
index 1fb0152e7..f8e37010e 100644
--- a/gitops/argo-apps/base/argocd-helm.yaml
+++ b/gitops/argo-apps/base/argocd-helm.yaml
@@ -35,7 +35,7 @@ spec: destination: server: "https://kubernetes.default.svc" - namespace: ${ARGOCD_ENV_utils_argocd_namespace} + namespace: ${ARGOCD_ENV_utils_argocd_helm_namespace} sources: - chart: argo-cd
@@ -428,6 +428,11 @@ spec: server.enable.proxy.extension: "true" reposerver.enable.git.submodule: "false" applicationsetcontroller.enable.git.submodule: "false" + + #Enable Server-Side Diff so argocd play nicely with Kyverno mutating webhooks: + #https://argo-cd.readthedocs.io/en/stable/user-guide/diff-strategies/#mutation-webhooks + controller.diff.server.side: "true" + cmp: create: true plugins:
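Review bot: `controller.diff.server.side: "true"` switches every Application to server-side diff, but the diff-strategies page the comment links says, as far as I recall, that mutation webhook results are only folded into the diff for Applications annotated `argocd.argoproj.io/compare-options: IncludeMutationWebhook=true`; without that on the Applications whose Pods Kyverno rewrites, the image mutation may still surface as drift and trigger self-heal loops — confirm against that page for the Argo CD version in use. The two new comment lines start with `#Enable` and `#https://`, unlike the `# ` spacing used elsewhere in the file; `# Enable server-side diff so Argo CD plays nicely with Kyverno mutating webhooks:` would match. The first hunk renames the destination variable to `${ARGOCD_ENV_utils_argocd_helm_namespace}`, and the plugin env block that has to define it is outside this diff, so verify it is set or the namespace renders empty.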
diff --git a/gitops/argo-apps/base/kyverno.yaml b/gitops/argo-apps/base/kyverno.yaml
new file mode 100644
index 000000000..ca0113569
--- /dev/null
+++ b/gitops/argo-apps/base/kyverno.yaml
@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: ${ARGOCD_ENV_utils_kyverno_app_name}
+ namespace: ${ARGOCD_ENV_argocd_app_namespace}
+ annotations:
+ argocd.argoproj.io/sync-wave: ${ARGOCD_ENV_utils_sync_wave}
+
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+
+spec:
+ project: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ retry:
+ limit: 20
+ backoff:
+ duration: 10s
+ maxDuration: 3m0s
+ factor: 2
+ syncOptions:
+ - CreateNamespace=true
+ - PrunePropagationPolicy=foreground
+ - PruneLast=true
+ - ServerSideApply=true
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: ${ARGOCD_ENV_utils_kyverno_namespace}
+ source:
+ repoURL: ${ARGOCD_ENV_argocd_repo_url}
+ targetRevision: ${ARGOCD_ENV_utils_application_gitrepo_tag}
+ path: gitops/applications/base/kyverno
+ plugin:
+ name: envsubst
+ env:
+ - name: "kyverno_namespace"
+ value: "${ARGOCD_ENV_utils_kyverno_namespace}"
+
+ - name: "kyverno_helm_version"
+ value: "${ARGOCD_ENV_utils_kyverno_helm_version}"
\ No newline at end of file
diff --git a/gitops/argo-apps/base/netbird.yaml b/gitops/argo-apps/base/netbird.yaml
index 42e93a323..adc4e5cf5 100644
--- a/gitops/argo-apps/base/netbird.yaml
+++ b/gitops/argo-apps/base/netbird.yaml
@@ -27,7 +27,7 @@ spec: - PruneLast=true destination: server: "https://kubernetes.default.svc" - namespace: ${ARGOCD_ENV_security_namespace} + namespace: ${ARGOCD_ENV_security_netbird_namespace} source: repoURL: ${ARGOCD_ENV_argocd_repo_url}
diff --git a/gitops/argo-apps/overlays/local/root/kustomization.yaml b/gitops/argo-apps/overlays/local/root/kustomization.yaml
index 9db65fa41..8f1994349 100644
--- a/gitops/argo-apps/overlays/local/root/kustomization.yaml
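Review bot: `argocd.argoproj.io/sync-wave: ${ARGOCD_ENV_utils_sync_wave}` is unquoted, so once envsubst substitutes a bare numeric wave such as `-1` the YAML parser yields an integer and the API server rejects the non-string annotation value; `argocd.argoproj.io/sync-wave: "${ARGOCD_ENV_utils_sync_wave}"` matches how the templated strings under `plugin.env` in this same file are quoted. Whatever wave is used, it needs to sort before the Applications whose Pods the new ClusterPolicies rewrite, otherwise their first sync is admitted before the mutating webhook exists and the images are pulled unrewritten — the wave values are not visible from here, so this is worth checking in the defaults. The file also ends without a trailing newline (`\ No newline at end of file`), the same defect the `local/root/kustomization.yaml` hunk fixes for its own file.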
+++ b/gitops/argo-apps/overlays/local/root/kustomization.yaml
@@ -51,4 +51,6 @@ resources: - ../../../base/monitoring.yaml - ../../../base/monitoring-post-config.yaml # k8s - - ../../../base/k8s-post-config.yaml \ No newline at end of file + - ../../../base/k8s-post-config.yaml + # kyverno + - ../../../base/kyverno.yaml
diff --git a/terraform/ccnew/ansible-k8s-deploy/templates/argoapps.yaml.tpl b/terraform/ccnew/ansible-k8s-deploy/templates/argoapps.yaml.tpl
index f0d0c75fd..82b3dd59c 100644
--- a/terraform/ccnew/ansible-k8s-deploy/templates/argoapps.yaml.tpl
+++ b/terraform/ccnew/ansible-k8s-deploy/templates/argoapps.yaml.tpl
@@ -1,6 +1,6 @@ argocd_override: initial_application_gitrepo_tag: "${iac_terraform_modules_tag}" - apps: + apps: utils: application_gitrepo_tag: "${iac_terraform_modules_tag}" sub_apps:
@@ -56,10 +56,12 @@ argocd_override: vault_crossplane_modules_version: "${vault_crossplane_modules_version}" terraform_crossplane_modules_version: "${terraform_crossplane_modules_version}" ansible_crossplane_modules_version: "${ansible_crossplane_modules_version}" - aws_crossplane_module_version: "${aws_crossplane_module_version}" + aws_crossplane_module_version: "${aws_crossplane_module_version}" crossplane_func_pat_version: "${crossplane_func_pat_version}" k8s_crossplane_module_version: "${k8s_crossplane_module_version}" crossplane_func_go_templating_version: "${crossplane_func_go_templating_version}" + kyverno: + helm_version: "${kyverno_helm_version}" maintenance: application_gitrepo_tag: "${iac_terraform_modules_tag}" sub_apps:
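Review bot: The new `kyverno: helm_version: "${kyverno_helm_version}"` entry is the only Kyverno value this template feeds into `utils.sub_apps`, yet `gitops/argo-apps/base/kyverno.yaml` also expands `${ARGOCD_ENV_utils_kyverno_app_name}` and `${ARGOCD_ENV_utils_kyverno_namespace}`; if those are not defaulted elsewhere in the override chain, envsubst leaves them empty and the Application is created with an empty name and destination namespace. Adding the two sibling keys here (e.g. `namespace: "${kyverno_namespace}"`, placeholder variable name, alongside `helm_version`) or a comment naming where they are defaulted would make the sub_app self-describing. The rest of this hunk and the `-1,6 +1,6` hunk above are trailing-whitespace cleanup only.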
@@ -126,7 +128,7 @@ argocd_override: postgres_replicas: "${zitadel_perc_postgres_replicas}" postgres_proxy_replicas: "${zitadel_perc_postgres_proxy_replicas}" postgres_storage_size: "${zitadel_perc_postgres_storage_size}" - pgdb_helm_version: "${zitadel_perc_pgdb_helm_version}" + pgdb_helm_version: "${zitadel_perc_pgdb_helm_version}" zitadel_rds_provider: engine: "${zitadel_rds_engine}" engine_version: "${zitadel_rds_engine_version}" @@ -142,8 +144,8 @@ argocd_override: backup_retention_period: "${zitadel_db_backup_retention_period}" preferred_backup_window: "${zitadel_db_preferred_backup_window}" storage_type: "${zitadel_rds_storage_type}" - storage_iops: "${zitadel_rds_storage_iops}" - zitadel_cockroachdb_provider: + storage_iops: "${zitadel_rds_storage_iops}" + zitadel_cockroachdb_provider: helm_version: "${cockroachdb_helm_version}" pvc_size: "${zitadel_db_storage_size}" netbird: 
@@ -162,21 +164,21 @@ argocd_override: rdbms_provider: "${netbird_rdbms_provider}" netbird_percona_provider: postgres_replicas: "${netbird_perc_postgres_replicas}" - postgres_proxy_replicas: "${netbird_perc_postgres_proxy_replicas}" + postgres_proxy_replicas: "${netbird_perc_postgres_proxy_replicas}" postgres_storage_size: "${netbird_perc_postgres_storage_size}" pgdb_helm_version: "${netbird_perc_pgdb_helm_version}" netbird_rds_provider: engine: "${netbird_rds_engine}" engine_version: "${netbird_rds_engine_version}" - replica_count: "${netbird_rds_replica_count}" + replica_count: "${netbird_rds_replica_count}" postgres_instance_class: "${netbird_rds_instance_class}" storage_encrypted: "${netbird_rds_storage_encrypted}" - skip_final_snapshot: "${netbird_rds_skip_final_snapshot}" + skip_final_snapshot: "${netbird_rds_skip_final_snapshot}" rdbms_subnet_list: "${join(",", rdbms_subnet_list)}" db_provider_cloud_region: "${cloud_region}" rdbms_vpc_id: "${rdbms_vpc_id}" vpc_cidr: "${vpc_cidr}" - postgres_storage_size: "${netbird_rds_postgres_storage_size}" + postgres_storage_size: "${netbird_rds_postgres_storage_size}" backup_retention_period: "${netbird_db_backup_retention_period}" preferred_backup_window: "${netbird_db_preferred_backup_window}" storage_type: "${netbird_rds_storage_type}" @@ -192,7 +194,7 @@ argocd_override: cpu_limit: "${nexus_cpu_limit}" memory_limit: "${nexus_memory_limit}" cpu_request: "${nexus_cpu_request}" - memory_request: "${nexus_memory_request}" + memory_request: "${nexus_memory_request}" post_config: ansible_collection_tag: "${nexus_ansible_collection_tag}" 
@@ -232,23 +234,23 @@ argocd_override: redis_cluster_size: "${gitlab_redis_cluster_size}" redis_storage_size: "${gitlab_redis_storage_size}" rdbms_provider: "${gitlab_postgres_rdbms_provider}" - webdb_percona_provider: + webdb_percona_provider: postgres_replicas: "${gitlab_perc_postgres_replicas}" postgres_proxy_replicas: "${gitlab_perc_postgres_proxy_replicas}" postgres_storage_size: "${gitlab_perc_postgres_storage_size}" pgdb_helm_version: "${gitlab_perc_pgdb_helm_version}" praefectdb_percona_provider: postgres_replicas: "${praefect_perc_postgres_replicas}" - postgres_proxy_replicas: "${praefect_perc_postgres_proxy_replicas}" + postgres_proxy_replicas: "${praefect_perc_postgres_proxy_replicas}" postgres_storage_size: "${praefect_perc_postgres_storage_size}" pgdb_helm_version: "${praefect_perc_pgdb_helm_version}" webdb_rds_provider: engine: "${gitlab_rds_engine}" engine_version: "${gitlab_rds_engine_version}" - replica_count: "${gitlab_rds_replica_count}" + replica_count: "${gitlab_rds_replica_count}" postgres_instance_class: "${gitlab_rds_instance_class}" storage_encrypted: "${gitlab_rds_storage_encrypted}" - skip_final_snapshot: "${gitlab_rds_skip_final_snapshot}" + skip_final_snapshot: "${gitlab_rds_skip_final_snapshot}" rdbms_subnet_list: "${join(",", rdbms_subnet_list)}" db_provider_cloud_region: "${cloud_region}" rdbms_vpc_id: "${rdbms_vpc_id}" 
@@ -261,21 +263,21 @@ argocd_override: praefectdb_rds_provider: engine: "${praefect_rds_engine}" engine_version: "${praefect_rds_engine_version}" - replica_count: "${praefect_rds_replica_count}" + replica_count: "${praefect_rds_replica_count}" postgres_instance_class: "${praefect_rds_instance_class}" storage_encrypted: "${praefect_rds_storage_encrypted}" - skip_final_snapshot: "${praefect_rds_skip_final_snapshot}" + skip_final_snapshot: "${praefect_rds_skip_final_snapshot}" rdbms_subnet_list: "${join(",", rdbms_subnet_list)}" db_provider_cloud_region: "${cloud_region}" rdbms_vpc_id: "${rdbms_vpc_id}" vpc_cidr: "${vpc_cidr}" - postgres_storage_size: "${praefect_rds_postgres_storage_size}" + postgres_storage_size: "${praefect_rds_postgres_storage_size}" backup_retention_period: "${praefect_db_backup_retention_period}" preferred_backup_window: "${praefect_db_preferred_backup_window}" storage_type: "${praefect_rds_storage_type}" storage_iops: "${praefect_rds_storage_iops}" - + deploy_env: application_gitrepo_tag: "${iac_terraform_modules_tag}" sub_apps:
@@ -286,7 +288,7 @@ argocd_override: ceph_bucket_max_size: "${ceph_bucket_max_size}" env_token_ttl: "${env_token_ttl}" onboard: - terraform_modules_tag: "${iac_terraform_modules_tag}" + terraform_modules_tag: "${iac_terraform_modules_tag}" monitoring:
diff --git a/terraform/ccnew/default-config/common-vars.yaml b/terraform/ccnew/default-config/common-vars.yaml
index 47f0c035d..164e677d9 100644
--- a/terraform/ccnew/default-config/common-vars.yaml
+++ b/terraform/ccnew/default-config/common-vars.yaml
@@ -56,6 +56,7 @@ crossplane_func_go_templating_version: "0.8.0" velero_helm_version: "8.3.0" velero_plugin_version: "v1.11.1" coredns_localcache_version: "1.11.3" +kyverno_helm_version: "3.3.4" istio_egress_gateway_max_replicas: 5 istio_proxy_log_level: warn
diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml
index 98bb886b5..ab4d09a8c 100644
--- a/terraform/k8s/default-config/common-vars.yaml
+++ b/terraform/k8s/default-config/common-vars.yaml
@@ -51,4 +51,4 @@ istio_proxy_log_level: warn longhorn_backup_job_enabled: false enable_central_observability_write: false enable_central_observability_read: false -coredns_localcache_version: "1.11.3" \ No newline at end of file +coredns_localcache_version: "1.11.3"