platform: k3s: version: v1.30.0+k3s1 # version: v1.27.1+k3s1 packaged_components: - name: traefik namespace: kube-system config: |2 additionalArguments: - "--certificatesResolvers.stepca.acme.caserver=https://step-certificates.step-ca.svc.cluster.local/acme/acme/directory" - "--certificatesResolvers.stepca.acme.email=admin" - "--certificatesResolvers.stepca.acme.storage=/data/acme.json" - "--certificatesResolvers.stepca.acme.tlsChallenge=true" - "--certificatesresolvers.stepca.acme.certificatesduration=24" globalArguments: [] ingressRoute: dashboard: enabled: false ports: ssh: port: 8022 protocol: TCP web: redirectTo: port: websecure websecure: tls: certResolver: stepca updateStrategy: type: Recreate rollingUpdate: null helm_repositories: - name: argo url: https://argoproj.github.io/argo-helm - name: bitnami url: https://charts.bitnami.com/bitnami - name: dexidp url: https://charts.dexidp.io - name: gitea-charts url: https://dl.gitea.io/charts/ - name: harbor url: https://helm.goharbor.io - name: jetstack url: https://charts.jetstack.io - name: longhorn url: https://charts.longhorn.io - name: prometheus-community url: https://prometheus-community.github.io/helm-charts - name: smallstep url: https://smallstep.github.io/helm-charts/ - name: spamasaurus url: https://code.spamasaurus.com/api/packages/djpbessems/helm components: argo-cd: helm: version: 6.7.7 # (=ArgoCD v.2.10.5) chart: argo/argo-cd parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' chart_values: !unsafe | configs: cm: resource.compareoptions: | ignoreAggregatedRoles: true resource.customizations.ignoreDifferences.all: | jsonPointers: - /spec/conversion/webhook/clientConfig/caBundle params: server.insecure: true secret: argocdServerAdminPassword: "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}" global: domain: gitops.{{ vapp['metacluster.fqdn'] | lower }} server: ingress: enabled: true cert-manager: helm: version: 1.14.4 chart: jetstack/cert-manager parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' chart_values: !unsafe | installCRDs: true clusterapi: management: version: # Must match the version referenced at `dependencies.static_binaries[.filename==clusterctl].url` base: v1.6.3 # Must match the version referenced at `components.cert-manager.helm.version` cert_manager: v1.14.4 infrastructure_vsphere: v1.9.2 ipam_incluster: v0.1.0 # Refer to `https://console.cloud.google.com/gcr/images/cloud-provider-vsphere/GLOBAL/cpi/release/manager` for available tags cpi_vsphere: v1.30.1 workload: version: calico: v3.27.3 k8s: v1.30.1 node_template: # url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2204-kube-v1.27.1.ova url: https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/releases/download/templates%2Fv1.30.0/ubuntu-2204-kube-v1.30.0.ova dex: helm: version: 0.15.3 # (= Dex 2.37.0) chart: dexidp/dex parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' chart_values: !unsafe | config: issuer: https://idps.{{ vapp['metacluster.fqdn'] }} storage: type: kubernetes config: inCluster: true staticClients: - id: pinniped-supervisor secret: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) }}" name: Pinniped Supervisor client redirectURIs: - https://auth.{{ vapp['metacluster.fqdn'] }}/sso/callback enablePasswordDB: true staticPasswords: - email: user@{{ vapp['metacluster.fqdn'] }} hash: "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}" username: user userID: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['metacluster.fqdn']) | to_uuid }}" ingress: enabled: true hosts: - host: idps.{{ vapp['metacluster.fqdn'] }} paths: - path: / pathType: Prefix gitea: helm: version: v10.1.3 # (= Gitea v1.21.7) chart: gitea-charts/gitea parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | sed '/:/!s/$/:latest/' chart_values: !unsafe | extraVolumes: - secret: defaultMode: 420 secretName: step-certificates-certs name: step-certificates-certs extraVolumeMounts: - mountPath: /etc/ssl/certs/ca-chain.crt name: step-certificates-certs readOnly: true subPath: ca_chain.crt gitea: admin: username: administrator password: "{{ vapp['metacluster.password'] }}" email: administrator@{{ vapp['metacluster.fqdn'] | lower }} config: cache: ADAPTER: memory server: OFFLINE_MODE: true PROTOCOL: http ROOT_URL: https://git.{{ vapp['metacluster.fqdn'] | lower }}/ session: PROVIDER: db image: pullPolicy: IfNotPresent ingress: enabled: true hosts: - host: git.{{ vapp['metacluster.fqdn'] | lower }} paths: - path: / pathType: Prefix postgresql: enabled: true image: tag: 16.1.0-debian-11-r25 postgresql-ha: enabled: false redis-cluster: enabled: false service: ssh: type: ClusterIP port: 22 clusterIP: harbor: helm: version: 1.14.1 # (= Harbor v2.10.1) chart: harbor/harbor parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' chart_values: !unsafe | expose: ingress: annotations: {} hosts: core: registry.{{ vapp['metacluster.fqdn'] | lower }} tls: certSource: none enabled: false externalURL: https://registry.{{ vapp['metacluster.fqdn'] | lower }} harborAdminPassword: "{{ vapp['metacluster.password'] }}" notary: enabled: false persistence: persistentVolumeClaim: registry: size: 25Gi json-server: helm: version: v0.8.4 chart: spamasaurus/json-server parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' chart_values: !unsafe | ingress: enabled: true hosts: - host: version.{{ vapp['metacluster.fqdn'] }} paths: - path: / pathType: Prefix jsonServer: image: repository: code.spamasaurus.com/djpbessems/json-server seedData: configInline: {} sidecar: targetUrl: version.{{ vapp['metacluster.fqdn'] }} image: repository: code.spamasaurus.com/djpbessems/json-server kube-prometheus-stack: helm: version: 45.2.0 chart: prometheus-community/kube-prometheus-stack parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' chart_values: !unsafe | alertmanager: enabled: false global: imageRegistry: registry.{{ vapp['metacluster.fqdn'] }} kubevip: # Must match the version referenced at `dependencies.container_images` version: v0.6.3 longhorn: helm: version: 1.5.4 chart: longhorn/longhorn parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag' chart_values: !unsafe | defaultSettings: concurrentReplicaRebuildPerNodeLimit: 10 defaultDataPath: /mnt/blockstorage logLevel: Info nodeDrainPolicy: block-for-eviction-if-contains-last-replica replicaSoftAntiAffinity: true priorityClass: system-node-critical storageOverProvisioningPercentage: 200 storageReservedPercentageForDefaultDisk: 0 ingress: enabled: true host: storage.{{ vapp['metacluster.fqdn'] | lower }} longhornManager: priorityClass: system-node-critical longhornDriver: priorityClass: system-node-critical pinniped: helm: version: 1.3.10 # (= Pinniped v0.27.0) chart: bitnami/pinniped parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /' chart_values: !unsafe | concierge: enabled: false supervisor: service: public: type: ClusterIP local-user-authenticator: # Must match the appVersion (!=chart version) referenced at `components.pinniped.helm.version` version: v0.27.0 users: - username: metauser password: !unsafe "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}" - username: metaguest password: !unsafe "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}" step-certificates: helm: version: 1.25.2 # (= step-ca v0.25.2) chart: smallstep/step-certificates parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u chart_values: !unsafe | inject: secrets: ca_password: "{{ vapp['metacluster.password'] | b64encode }}" provisioner_password: "{{ vapp['metacluster.password'] | b64encode }}" dependencies: ansible_galaxy_collections: - ansible.posix - ansible.utils - community.crypto - community.general - community.vmware - kubernetes.core - lvrfrc87.git_acp container_images: # This should match the image tag referenced at `platform.packaged_components[.name==traefik].config` - busybox:1 - ghcr.io/kube-vip/kube-vip:v0.6.3 # The following list is generated by running the following commands: # $ clusterctl init -i vsphere: [...] # $ clusterctl generate cluster [...] | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)' | sort -u - gcr.io/cloud-provider-vsphere/cpi/release/manager:v1.27.0 - gcr.io/cloud-provider-vsphere/csi/release/driver:v3.1.0 - gcr.io/cloud-provider-vsphere/csi/release/syncer:v3.1.0 - registry.k8s.io/sig-storage/csi-attacher:v4.3.0 - registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0 - registry.k8s.io/sig-storage/csi-provisioner:v3.5.0 - registry.k8s.io/sig-storage/csi-resizer:v1.8.0 - registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2 - registry.k8s.io/sig-storage/livenessprobe:v2.10.0 static_binaries: - filename: clusterctl url: https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.6.3/clusterctl-linux-amd64 - filename: govc url: https://github.com/vmware/govmomi/releases/download/v0.36.3/govc_Linux_x86_64.tar.gz archive: compressed - filename: helm url: https://get.helm.sh/helm-v3.14.3-linux-amd64.tar.gz archive: compressed extra_opts: --strip-components=1 - filename: kubectl-slice url: https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.9/kubectl-slice_linux_x86_64.tar.gz archive: compressed - filename: pinniped url: https://github.com/vmware-tanzu/pinniped/releases/download/v0.25.0/pinniped-cli-linux-amd64 - filename: skopeo url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.12.0/skopeo_linux_amd64 - filename: step url: https://dl.step.sm/gh-release/cli/gh-release-header/v0.25.2/step_linux_0.25.2_amd64.tar.gz archive: compressed extra_opts: --strip-components=2 - filename: yq url: https://github.com/mikefarah/yq/releases/download/v4.43.1/yq_linux_amd64 packages: apt: - lvm2 pip: - jmespath - kubernetes - netaddr - passlib - pyvmomi