platform:

  k3s:
    # version: v1.25.4+k3s1
    # max supported version by Longhorn is <v1.25.0
    version: v1.24.8+k3s1

  gitops:
    repository:
      uri: https://code.spamasaurus.com/djpbessems/GitOps.MetaCluster.git
      # revision: v0.1.0
      revision: HEAD

  packaged_components:
    - name: traefik
      namespace: kube-system
      config: |2
            additionalArguments:
              - "--certificatesResolvers.stepca.acme.caserver=https://step-certificates.step-ca.svc.cluster.local/acme/acme/directory"
              - "--certificatesResolvers.stepca.acme.email=admin"
              - "--certificatesResolvers.stepca.acme.storage=/data/acme.json"
              - "--certificatesResolvers.stepca.acme.tlsChallenge=true"
              - "--certificatesresolvers.stepca.acme.certificatesduration=24"
            globalArguments: []
            ingressRoute:
              dashboard:
                enabled: false
            ports:
              ssh:
                port: 8022
                protocol: TCP
              web:
                redirectTo: websecure
              websecure:
                tls:
                  certResolver: stepca

  helm_repositories:
    - name: argo
      url: https://argoproj.github.io/argo-helm
    - name: gitea-charts
      url: https://dl.gitea.io/charts/
    - name: harbor
      url: https://helm.goharbor.io
    - name: jetstack
      url: https://charts.jetstack.io
    - name: longhorn
      url: https://charts.longhorn.io
    - name: sealed-secrets
      url: https://bitnami-labs.github.io/sealed-secrets
    - name: smallstep
      url: https://smallstep.github.io/helm-charts/

components:

  argo-cd:
    helm:
      # version: 4.9.7  # (= ArgoCD v2.4.2)
      version: 5.14.1  # (= ArgoCD v2.5.2)
      chart: argo/argo-cd
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
      chart_values: !unsafe |
        configs:
          secret:
            argocdServerAdminPassword: "{{ vapp['guestinfo.rootpw'] | password_hash('bcrypt') }}"
        server:
          extraArgs:
            - --insecure
          ingress:
            enabled: true
            hosts:
              - gitops.{{ vapp['metacluster.fqdn'] }}

  cert-manager:
    helm:
      version: 1.10.1
      chart: jetstack/cert-manager
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
      # chart_values: !unsafe |
      #   installCRDs: true

  clusterapi:
    management:
      version:
        # Must match the version referenced at `dependencies.static_binaries[.filename==clusterctl].url`
        base: v1.3.0
        # Must match the version referenced at `components.cert-manager.helm.version`
        cert_manager: v1.10.1
        infrastructure_vsphere: v1.5.0
        ipam_incluster: v0.1.0-alpha.1
    workload:
      version:
        calico: v3.24.5
        k8s: v1.23.5
      node_template:
        # Refer to `https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/blob/v1.3.5/README.md#kubernetes-versions-with-published-ovas` for a list of supported node templates
        url: https://storage.googleapis.com/capv-images/release/v1.23.5/ubuntu-2004-kube-v1.23.5.ova
        name: ubuntu-2004-kube-v1.23.5.ova

  gitea:
    helm:
      version: v6.0.3 # (= Gitea v1.17.3)
      chart: gitea-charts/gitea
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | sed '/:/!s/$/:latest/'
      chart_values: !unsafe |
        gitea:
          admin:
            username: administrator
            password: "{{ vapp['guestinfo.rootpw'] }}"
            email: admin@{{ vapp['metacluster.fqdn'] }}
          config:
            server:
              OFFLINE_MODE: true
              PROTOCOL: http
              ROOT_URL: https://git.{{ vapp['metacluster.fqdn'] }}/
        image:
          pullPolicy: IfNotPresent
        ingress:
          enabled: true
          hosts:
            - host: git.{{ vapp['metacluster.fqdn'] }}
              paths:
                - path: /
                  pathType: Prefix
        service:
          ssh:
            type: ClusterIP
            port: 22
            clusterIP:

  harbor:
    helm:
      version: 1.10.2  # (= Harbor v2.6.2)
      chart: harbor/harbor
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
      chart_values: !unsafe |
        expose:
          ingress:
            annotations: {}
            hosts:
              core: registry.{{ vapp['metacluster.fqdn'] }}
          tls:
            certSource: none
            enabled: false
        externalURL: https://registry.{{ vapp['metacluster.fqdn'] }}
        harborAdminPassword: "{{ vapp['guestinfo.rootpw'] }}"
        notary:
          enabled: false
        persistence:
          persistentVolumeClaim:
            registry:
              size: 25Gi

  longhorn:
    helm:
      version: 1.3.2
      chart: longhorn/longhorn
      parse_logic: cat values.yaml | yq eval '.. | select(has("repository")) | .repository + ":" + .tag'
      chart_values: !unsafe |
        defaultSettings:
          defaultDataPath: /mnt/blockstorage
          defaultReplicaCount: 1
        ingress:
          enabled: true
          host: storage.{{ vapp['metacluster.fqdn'] }}
        persistence:
          defaultClassReplicaCount: 1

  sealed-secrets:
    helm:
      # Must match the version referenced within `https://code.spamasaurus.com/djpbessems/GitOps.MetaCluster.git`
      version: 2.7.1  # (= SealedSecrets v0.19.2)
      chart: sealed-secrets/sealed-secrets
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'

  step-certificates:
    helm:
      version: 1.18.2+20220324
      chart: smallstep/step-certificates
      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u
      chart_values: !unsafe |
        ca:
          bootstrap:
            postInitHook: |
              echo '{{ vapp["guestinfo.rootpw"] }}' > ~/pwfile
              step ca provisioner add acme \
                --type ACME \
                --password-file=~/pwfile \
                --force-cn
              rm ~/pwfile
          dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1
          password: "{{ vapp['guestinfo.rootpw'] }}"
          provisioner:
            name: admin
            password: "{{ vapp['guestinfo.rootpw'] }}"
        inject:
          secrets:
            ca_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
            provisioner_password: "{{ vapp['guestinfo.rootpw'] | b64encode }}"
        service:
          targetPort: 9000

dependencies:

  ansible_galaxy_collections:
    - ansible.posix
    - ansible.utils
    - community.crypto
    - community.general
    - community.vmware
    - kubernetes.core

  container_images:
    - vmware/powerclicore:12.7
    # The following list is generated by running the following commands:
    #   $ clusterctl init -i vsphere:<version> [...]
    #   $ clusterctl generate cluster <name> [...] | yq eval '.data.data' | yq --no-doc eval '.. | .image? | select(.)' | sort -u
    - gcr.io/cloud-provider-vsphere/cpi/release/manager:v1.18.1
    - gcr.io/cloud-provider-vsphere/csi/release/driver:v2.1.0
    - gcr.io/cloud-provider-vsphere/csi/release/syncer:v2.1.0
    - quay.io/k8scsi/csi-attacher:v3.0.0
    - quay.io/k8scsi/csi-node-driver-registrar:v2.0.1
    - quay.io/k8scsi/csi-provisioner:v2.0.0
    - quay.io/k8scsi/livenessprobe:v2.1.0

  static_binaries:
    - filename: clusterctl
      url: https://github.com/kubernetes-sigs/cluster-api/releases/download/v1.3.0/clusterctl-linux-amd64
    - filename: govc
      url: https://github.com/vmware/govmomi/releases/download/v0.29.0/govc_Linux_x86_64.tar.gz
      archive: compressed
    - filename: helm
      url: https://get.helm.sh/helm-v3.10.2-linux-amd64.tar.gz
      archive: compressed
      extra_opts: --strip-components=1
    - filename: kubeseal
      url: https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.2/kubeseal-0.19.2-linux-amd64.tar.gz
      archive: compressed
    - filename: skopeo
      url: https://code.spamasaurus.com/api/packages/djpbessems/generic/skopeo/v1.11.0-dev/skopeo
    - filename: step
      url: https://dl.step.sm/gh-release/cli/gh-release-header/v0.23.0/step_linux_0.23.0_amd64.tar.gz
      archive: compressed
      extra_opts: --strip-components=2
    - filename: yq
      url: http://github.com/mikefarah/yq/releases/download/v4.30.5/yq_linux_amd64
    - filename: vappprop-manager
      url: https://code.spamasaurus.com/api/packages/djpbessems/generic/vappprop-manager/v0.2.0/vappprop-manager

  packages:
    apt:
      - lvm2
    pip:
      - jmespath
      - kubernetes
      - netaddr
      - passlib
      - pyvmomi