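---
# Metacluster build configuration consumed by the Ansible playbooks:
#   platform      - k3s release plus the packaged components/Helm repositories it ships with
#   components    - Helm charts (pinned versions, an image-extraction one-liner, and chart values)
#   dependencies  - collections, container images, static binaries and packages to pre-fetch
#
# `chart_values` blocks are tagged `!unsafe` so Ansible does not template the embedded
# `{{ ... }}` expressions when the vars file is loaded; they are rendered later by the
# consuming tasks (hedged: exact render point is outside this file).

platform:

  k3s:
    version: v1.26.3+k3s1

  packaged_components:
    - name: traefik
      namespace: kube-system
      # HelmChartConfig valuesContent for the bundled Traefik chart.
      # The ACME resolver points at the in-cluster step-ca ACME endpoint.
      config: |2
        additionalArguments:
          - "--certificatesResolvers.stepca.acme.caserver=https://step-certificates.step-ca.svc.cluster.local/acme/acme/directory"
          - "--certificatesResolvers.stepca.acme.email=admin"
          - "--certificatesResolvers.stepca.acme.storage=/data/acme.json"
          - "--certificatesResolvers.stepca.acme.tlsChallenge=true"
          - "--certificatesresolvers.stepca.acme.certificatesduration=24"
        globalArguments: []
        ingressRoute:
          dashboard:
            enabled: false
        ports:
          ssh:
            port: 8022
            protocol: TCP
          web:
            redirectTo: websecure
          websecure:
            tls:
              certResolver: stepca
        updateStrategy:
          type: Recreate
          rollingUpdate: null

  helm_repositories:
    - name: argo
      url: https://argoproj.github.io/argo-helm
    - name: authentik
      url: https://charts.goauthentik.io
    # - name: codecentric
    #   url: https://codecentric.github.io/helm-charts
    # - name: dex
    #   url: https://charts.dexidp.io
    - name: gitea-charts
      url: https://dl.gitea.io/charts/
    - name: harbor
      url: https://helm.goharbor.io
    - name: jetstack
      url: https://charts.jetstack.io
    - name: longhorn
      url: https://charts.longhorn.io
    - name: prometheus-community
      url: https://prometheus-community.github.io/helm-charts
    - name: smallstep
      url: https://smallstep.github.io/helm-charts/

components:

  argo-cd:
    helm:
      version: 5.27.4  # (= ArgoCD v2.6.7)
      chart: argo/argo-cd
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
      # `password_hash('bcrypt')` needs passlib on the controller; it is listed under
      # `dependencies.packages.pip` below.
      chart_values: !unsafe |
        configs:
          secret:
            argocdServerAdminPassword: "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}"
        server:
          extraArgs:
            - --insecure
          ingress:
            enabled: true
            hosts:
              - gitops.{{ vapp['metacluster.fqdn'] }}

  authentik:
    helm:
      version: 2023.3.1
      chart: authentik/authentik
      parse_logic: helm template . --set postgresql.enabled=true,redis.enabled=true | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
      # NOTE(review): secret_key and both PostgreSQL passwords come from
      # ansible.builtin.password seeded with the guest hostname, so the lookup is
      # deterministic and the values are reproducible from a non-secret input.
      # Fine for a reproducible lab build; confirm before reusing this pattern.
      chart_values: !unsafe |
        authentik:
          avatars: none
          secret_key: "{{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
          postgresql:
            password: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
        env:
          AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ vapp['metacluster.password'] }}"
        ingress:
          enabled: true
          hosts:
            - host: auth.{{ vapp['metacluster.fqdn'] }}
              paths:
                - path: "/"
                  pathType: Prefix
        postgresql:
          enabled: true
          postgresqlPassword: "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}"
        redis:
          enabled: true

  cert-manager:
    helm:
      version: 1.11.0
      chart: jetstack/cert-manager
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
      # chart_values: !unsafe |
      #   installCRDs: true

  clusterapi:
    management:
      version:
        # Must match the version referenced at `dependencies.static_binaries[.filename==clusterctl].url`
        base: v1.4.0
        # Must match the version referenced at `components.cert-manager.helm.version`
        cert_manager: v1.11.0
        infrastructure_vsphere: v1.6.0
        ipam_incluster: v0.1.0-alpha.2
        # Refer to `https://console.cloud.google.com/gcr/images/cloud-provider-vsphere/GLOBAL/cpi/release/manager` for available tags
        cpi_vsphere: v1.26.0
    workload:
      version:
        calico: v3.25.0
        k8s: v1.26.3
      node_template:
        # NOTE(review): repository credentials are embedded in this URL; tasks that
        # consume it should run with `no_log: true` so the rendered value does not
        # end up in playbook output.
        url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2004-kube-v1.26.3.ova

  # dex:
  #   helm:
  #     version: 0.13.0  # (= Dex 2.35.3)
  #     chart: dex/dex
  #     parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
  #     chart_values: !unsafe |
  #       config:
  #         connectors:
  #           - type: ldap
  #             id: ldap
  #             name: "LDAP"
  #             config:
  #               host: "{{ vapp['ldap.fqdn'] }}:636"
  #               insecureNoSSL: false
  #               insecureSkipVerify: true
  #               bindDN: "{{ vapp['ldap.dn'] }}"
  #               bindPW: "{{ vapp['ldap.password'] }}"
  #               usernamePrompt: "Username"
  #               userSearch:
  #                 baseDN: OU=Administrators,OU=Useraccounts,DC=bessems,DC=eu
  #                 filter: "(objectClass=person)"
  #                 username: userPrincipalName
  #                 idAttr: DN
  #                 emailAttr: userPrincipalName
  #                 nameAttr: cn
  #               groupSearch:
  #                 baseDN: OU=Roles,OU=Groups,DC=bessems,DC=eu
  #                 filter: "(objectClass=group)"
  #                 userMatchers:
  #                   - userAttr: DN
  #                     groupAttr: member
  #                 nameAttr: cn
  #         enablePasswordDB: true
  #         issuer: https://oidc.{{ vapp['metacluster.fqdn'] }}
  #         storage:
  #           type: kubernetes
  #           config:
  #             inCluster: true
  #       ingress:
  #         enabled: true
  #         hosts:
  #           - host: oidc.{{ vapp['metacluster.fqdn'] }}
  #             paths:
  #               - path: /
  #                 pathType: Prefix

  gitea:
    helm:
      version: v7.0.2  # (= Gitea v1.18.3)
      chart: gitea-charts/gitea
      # Images without an explicit tag get `:latest` appended so the list is pullable as-is.
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | sed '/:/!s/$/:latest/'
      chart_values: !unsafe |
        gitea:
          admin:
            username: administrator
            password: "{{ vapp['metacluster.password'] }}"
            email: admin@{{ vapp['metacluster.fqdn'] }}
          config:
            server:
              OFFLINE_MODE: true
              PROTOCOL: http
              ROOT_URL: https://git.{{ vapp['metacluster.fqdn'] }}/
        image:
          pullPolicy: IfNotPresent
        ingress:
          enabled: true
          hosts:
            - host: git.{{ vapp['metacluster.fqdn'] }}
              paths:
                - path: /
                  pathType: Prefix
        service:
          ssh:
            type: ClusterIP
            port: 22
            clusterIP:

  harbor:
    helm:
      version: 1.11.0  # (= Harbor v2.7.0)
      chart: harbor/harbor
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
      # TLS is disabled on the Harbor ingress itself; termination happens at Traefik
      # (see `platform.packaged_components[.name==traefik].config`), hence the https externalURL.
      chart_values: !unsafe |
        expose:
          ingress:
            annotations: {}
            hosts:
              core: registry.{{ vapp['metacluster.fqdn'] }}
          tls:
            certSource: none
            enabled: false
        externalURL: https://registry.{{ vapp['metacluster.fqdn'] }}
        harborAdminPassword: "{{ vapp['metacluster.password'] }}"
        notary:
          enabled: false
        persistence:
          persistentVolumeClaim:
            registry:
              size: 25Gi

  # keycloakx:
  #   helm:
  #     version: 2.1.1  # (= Keycloak 20.0.3)
  #     chart: codecentric/keycloakx
  #     parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
  #     chart_values: !unsafe |
  #       command:
  #         - "/opt/keycloak/bin/kc.sh"
  #         - "start"
  #         - "--http-enabled=true"
  #         - "--http-port=8080"
  #         - "--hostname-strict=false"
  #         - "--hostname-strict-https=false"
  #       extraEnv: |
  #         - name: KEYCLOAK_ADMIN
  #           value: admin
  #         - name: KEYCLOAK_ADMIN_PASSWORD
  #           value: {{ vapp['metacluster.password'] }}
  #         - name: KC_PROXY
  #           value: "passthrough"
  #         - name: JAVA_OPTS_APPEND
  #           value: >-
  #             -Djgroups.dns.query={% raw %}{{ include "keycloak.fullname" . }}{% endraw %}-headless
  #       ingress:
  #         enabled: true
  #         rules:
  #           - host: keycloak.{{ vapp['metacluster.fqdn'] }}
  #             paths:
  #               - path: /
  #                 pathType: Prefix
  #         tls: []

  kube-prometheus-stack:
    helm:
      version: 45.2.0
      chart: prometheus-community/kube-prometheus-stack
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
      chart_values: !unsafe |
        alertmanager:
          enabled: false
        global:
          imageRegistry: registry.{{ vapp['metacluster.fqdn'] }}

  kubevip:
    # Must match the version referenced at `dependencies.container_images`
    version: v0.5.8

  longhorn:
    helm:
      version: 1.4.1
      chart: longhorn/longhorn
      # Longhorn lists its images in values.yaml rather than in rendered templates.
      parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag'
      chart_values: !unsafe |
        defaultSettings:
          allowNodeDrainWithLastHealthyReplica: true
          defaultDataPath: /mnt/blockstorage
          defaultReplicaCount: 1
        ingress:
          enabled: true
          host: storage.{{ vapp['metacluster.fqdn'] }}
        persistence:
          defaultClassReplicaCount: 1

  step-certificates:
    helm:
      version: 1.23.0
      chart: smallstep/step-certificates
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u
      # The `dns` SANs must include the in-cluster service name used by the Traefik
      # ACME caserver argument above.
      chart_values: !unsafe |
        ca:
          dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1
          password: "{{ vapp['metacluster.password'] }}"
          provisioner:
            name: admin
            password: "{{ vapp['metacluster.password'] }}"
        inject:
          secrets:
            ca_password: "{{ vapp['metacluster.password'] | b64encode }}"
            provisioner_password: "{{ vapp['metacluster.password'] | b64encode }}"
        service:
          targetPort: 9000

dependencies:

  ansible_galaxy_collections:
    - ansible.posix
    - ansible.utils
    - community.crypto
    - community.general
    - community.vmware
    - kubernetes.core

  container_images:
    # This should match the image tag referenced at `platform.packaged_components[.name==traefik].config`
    - busybox:1
    - ghcr.io/kube-vip/kube-vip:v0.5.8
    # The following list is generated by running the following commands:
    # $ clusterctl init -i vsphere: [...]
    # $ clusterctl generate cluster [...] | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)' | sort -u
    - gcr.io/cloud-provider-vsphere/cpi/release/manager:v1.18.1
    - gcr.io/cloud-provider-vsphere/csi/release/driver:v2.1.0
    - gcr.io/cloud-provider-vsphere/csi/release/syncer:v2.1.0
    - quay.io/k8scsi/csi-attacher:v3.0.0
    - quay.io/k8scsi/csi-node-driver-registrar:v2.0.1
    - quay.io/k8scsi/csi-provisioner:v2.0.0
    - quay.io/k8scsi/livenessprobe:v2.1.0

  # NOTE(review): none of these downloads carries a checksum in this file. If the
  # consuming task is get_url, its `checksum` parameter can pin each artifact;
  # otherwise verify the release signature/digest in the task that fetches them.
  static_binaries:
    - filename: clusterctl
      url: https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.4.0/clusterctl-linux-amd64
    - filename: govc
      url: https://github.com/vmware/govmomi/releases/download/v0.29.0/govc_Linux_x86_64.tar.gz
      archive: compressed
    - filename: helm
      url: https://get.helm.sh/helm-v3.10.2-linux-amd64.tar.gz
      archive: compressed
      extra_opts: --strip-components=1
    - filename: kubectl-slice
      url: https://github.com/patrickdappollonio/kubectl-slice/releases/download/v1.2.5/kubectl-slice_linux_x86_64.tar.gz
      archive: compressed
    - filename: skopeo
      url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.12.0/skopeo_linux_amd64
    - filename: step
      url: https://dl.step.sm/gh-release/cli/gh-release-header/v0.23.0/step_linux_0.23.0_amd64.tar.gz
      archive: compressed
      extra_opts: --strip-components=2
    - filename: yq
      # Fetched over https like the other binaries; the previous plain-http URL relied on
      # an unauthenticated redirect for the first hop.
      url: https://github.com/mikefarah/yq/releases/download/v4.30.5/yq_linux_amd64

  packages:
    apt:
      - lvm2
    pip:
      - jmespath
      - kubernetes
      - netaddr
      - passlib
      - pyvmomi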