diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1d653ca..b905b4a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -9,7 +9,6 @@ repos:
 - id: trailing-whitespace
 args: [--markdown-linebreak-ext=md]
 exclude_types: [sql]
- - id: check-yaml
 - id: check-executables-have-shebangs
 # Cross platform
 - id: check-case-conflict
diff --git a/src/aks-platform/05_argocd.tf b/src/aks-platform/05_argocd.tf
index bd73473..88a3d90 100644
--- a/src/aks-platform/05_argocd.tf
+++ b/src/aks-platform/05_argocd.tf
@@ -18,7 +18,9 @@ resource "helm_release" "argocd" {
 wait = false
 values = [
- file("${path.module}/argocd/argocd_helm_setup_values.yaml")
+ templatefile("${path.module}/argocd/argocd_helm_setup_values.yaml", {
+ argocd_application_namespaces = var.argocd_application_namespaces
+ })
 ]
 depends_on = [
@@ -52,7 +54,7 @@ resource "azurerm_key_vault_secret" "argocd_admin_username" {
 # tools
 #
 module "argocd_workload_identity_init" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init?ref=v8.42.1"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init?ref=v8.77.0"
 workload_identity_name_prefix = "argocd"
 workload_identity_resource_group_name = azurerm_resource_group.rg_aks.name
@@ -60,7 +62,7 @@ module "argocd_workload_identity_init" {
 }
 module "argocd_workload_identity_configuration" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration?ref=v8.42.1"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration?ref=v8.77.0"
 workload_identity_name_prefix = "argocd"
 workload_identity_resource_group_name = azurerm_resource_group.rg_aks.name
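Review bot: Any literal `${` or `%{` written into argocd_helm_setup_values.yaml from now on will abort the Helm release at render time, because the values file is passed through `templatefile()` and such sequences must be escaped as `$${` / `%%{`; a comment above the call, `# rendered with templatefile(): escape a literal ${ as $${ in the values file`, would flag that for the next editor. The same commit removes `check-yaml` from .pre-commit-config.yaml outright, presumably because of this file; if so, keeping the hook and adding `exclude: ^src/aks-platform/argocd/argocd_helm_setup_values\.yaml$` would preserve YAML linting for every other manifest in the repository. The `helm_release` block starts before this hunk.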
@@ -77,7 +79,7 @@ module "argocd_workload_identity_configuration" {
 }
 module "cert_mounter_argocd_internal" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter?ref=v8.42.1"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter?ref=v8.77.0"
 namespace = "argocd"
 certificate_name = replace(local.argocd_internal_url, ".", "-")
 kv_name = data.azurerm_key_vault.kv_core_ita.name
diff --git a/src/aks-platform/99_variables.tf b/src/aks-platform/99_variables.tf
index fdbdc9c..dd3e4be 100644
--- a/src/aks-platform/99_variables.tf
+++ b/src/aks-platform/99_variables.tf
@@ -587,7 +587,15 @@ variable "dns_zone_internal_prefix" {
 description = "The dns subdomain."
 }
+#
+# Argocd
+#
 variable "argocd_helm_release_version" {
 type = string
 description = "ArgoCD helm chart release version"
 }
+
+variable "argocd_application_namespaces" {
+ type = list(string)
+ description = "In which namespaces argocd can create applications"
+}
diff --git a/src/aks-platform/README.md b/src/aks-platform/README.md
index 71701d7..0dcea6f 100644
--- a/src/aks-platform/README.md
+++ b/src/aks-platform/README.md
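Review bot: `argocd_application_namespaces` has no `validation` block, yet it is rendered straight into the Argo CD values through `join(",", …)` in 05_argocd.tf, so an empty list or an entry that is not a valid namespace name (uppercase, a stray space) is only noticed at Helm/Argo CD time, and a comma inside one entry would silently become two namespaces on the controller flag. Failing `terraform plan` instead costs a few lines on the variable; the RFC 1123 label pattern below is what Kubernetes accepts for namespace names.
```hcl
variable "argocd_application_namespaces" {
  # … unchanged: type and description …

  validation {
    condition = length(var.argocd_application_namespaces) > 0 && alltrue([
      for ns in var.argocd_application_namespaces : can(regex("^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$", ns))
    ])
    error_message = "argocd_application_namespaces must be a non-empty list of valid Kubernetes namespace names (RFC 1123 labels)."
  }
}
```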
@@ -43,9 +43,9 @@ Re-enable all the resource, commented before to complete the procedure
 | <a name="module_aks"></a> [aks](#module\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster | v8.42.1 |
 | <a name="module_aks_prometheus_install"></a> [aks\_prometheus\_install](#module\_aks\_prometheus\_install) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_prometheus_install | v8.34.0 |
 | <a name="module_aks_storage_class"></a> [aks\_storage\_class](#module\_aks\_storage\_class) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_storage_class | v8.34.0 |
-| <a name="module_argocd_workload_identity_configuration"></a> [argocd\_workload\_identity\_configuration](#module\_argocd\_workload\_identity\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration | v8.42.1 |
-| <a name="module_argocd_workload_identity_init"></a> [argocd\_workload\_identity\_init](#module\_argocd\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | v8.42.1 |
-| <a name="module_cert_mounter_argocd_internal"></a> [cert\_mounter\_argocd\_internal](#module\_cert\_mounter\_argocd\_internal) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter | v8.42.1 |
+| <a name="module_argocd_workload_identity_configuration"></a> [argocd\_workload\_identity\_configuration](#module\_argocd\_workload\_identity\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration | v8.77.0 |
+| <a name="module_argocd_workload_identity_init"></a> [argocd\_workload\_identity\_init](#module\_argocd\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | v8.77.0 |
+| <a name="module_cert_mounter_argocd_internal"></a> [cert\_mounter\_argocd\_internal](#module\_cert\_mounter\_argocd\_internal) | 
git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter | v8.77.0 |
 | <a name="module_keda_workload_identity_configuration"></a> [keda\_workload\_identity\_configuration](#module\_keda\_workload\_identity\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration | v8.45.0 |
 | <a name="module_keda_workload_identity_init"></a> [keda\_workload\_identity\_init](#module\_keda\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | v8.45.0 |
 | <a name="module_nginx_ingress"></a> [nginx\_ingress](#module\_nginx\_ingress) | terraform-module/release/helm | 2.7.0 |
@@ -134,6 +134,7 @@ Re-enable all the resource, commented before to complete the procedure
 | <a name="input_aks_system_node_pool"></a> [aks\_system\_node\_pool](#input\_aks\_system\_node\_pool) | AKS node pool system configuration | <pre>object({<br/> name = string,<br/> vm_size = string,<br/> os_disk_type = string,<br/> os_disk_size_gb = string,<br/> node_count_min = number,<br/> node_count_max = number,<br/> node_labels = map(any),<br/> node_tags = map(any),<br/> only_critical_addons_enabled = optional(bool, true)<br/> zones = optional(list(any), [1, 2, 3])<br/> })</pre> | n/a | yes |
 | <a name="input_aks_user_node_pool"></a> [aks\_user\_node\_pool](#input\_aks\_user\_node\_pool) | AKS node pool user configuration | <pre>object({<br/> enabled = optional(bool, true),<br/> name = string,<br/> vm_size = string,<br/> os_disk_type = string,<br/> os_disk_size_gb = string,<br/> node_count_min = number,<br/> node_count_max = number,<br/> node_labels = map(any),<br/> node_taints = list(string),<br/> node_tags = map(any),<br/> ultra_ssd_enabled = optional(bool, false),<br/> enable_host_encryption = optional(bool, true),<br/> max_pods = optional(number, 250),<br/> upgrade_settings_max_surge = optional(string, "30%"),<br/> zones = optional(list(any), [1, 2, 3]),<br/> })</pre> | n/a | yes |
 | <a name="input_aks_vm_size"></a> [aks\_vm\_size](#input\_aks\_vm\_size) | The size of the AKS Virtual Machine in the Node Pool. 
| `string` | `"Standard_DS3_v2"` | no |
+| <a name="input_argocd_application_namespaces"></a> [argocd\_application\_namespaces](#input\_argocd\_application\_namespaces) | In which namespaces argocd can create applications | `list(string)` | n/a | yes |
 | <a name="input_argocd_helm_release_version"></a> [argocd\_helm\_release\_version](#input\_argocd\_helm\_release\_version) | ArgoCD helm chart release version | `string` | n/a | yes |
 | <a name="input_cidr_subnet_system_aks"></a> [cidr\_subnet\_system\_aks](#input\_cidr\_subnet\_system\_aks) | Subnet cluster kubernetes. | `list(string)` | n/a | yes |
 | <a name="input_cidr_subnet_user_aks"></a> [cidr\_subnet\_user\_aks](#input\_cidr\_subnet\_user\_aks) | Subnet cluster kubernetes. | `list(string)` | n/a | yes |
diff --git a/src/aks-platform/argocd/argocd_helm_setup_values.yaml b/src/aks-platform/argocd/argocd_helm_setup_values.yaml
index 8c4ff9e..582ca99 100644
--- a/src/aks-platform/argocd/argocd_helm_setup_values.yaml
+++ b/src/aks-platform/argocd/argocd_helm_setup_values.yaml
@@ -1,35 +1,62 @@ dex: enabled: true + server: replicas: 1 extraArgs: - --insecure - config: - repositories: | - - type: helm - name: argo-cd - url: https://argoproj.github.io/argo-helm ingress: enabled: true - labels: {} ingressClassName: "nginx" hostname: argocd.internal.devopslab.pagopa.it - annotations: nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/backend-protocol: "HTTP" + tls: false # Cambiato a false per evitare il TLS host doppio extraTls: - hosts: - - argocd.internal.devopslab.pagopa.it - # Based on the ingress controller used secret might be optional + - argocd.internal.devopslab.pagopa.it secretName: argocd-internal-devopslab-pagopa-it - https: true + redis-ha: enabled: false + repoServer: replicas: 1 + applicationSet: replicas: 1 + configs: + params: + application.namespaces: "${join(",", argocd_application_namespaces)}" + cm: - timeout.reconciliation: 30s + timeout.reconciliation: 31s + application.resourceTrackingMethod: annotation + + rbac: + policy.csv: | + p, role:readonly, applications, get, */*, allow + p, role:readonly, projects, get, *, allow + p, role:admin, applications, create, */*, allow + p, role:admin, applications, update, */*, allow + p, role:admin, applications, delete, */*, allow + p, role:admin, applications, sync, */*, allow + p, role:admin, applications, override, */*, allow + p, role:admin, applications, action/*, */*, allow + p, role:admin, projects, create, *, allow + p, role:admin, projects, update, *, allow + p, role:admin, projects, delete, *, allow + +controller: + args: + - --application-namespaces=${join(",", argocd_application_namespaces)} + + clusterRoleRules: + enabled: true + rules: + - apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] + namespaces: "[${join(", ", argocd_application_namespaces)}]" diff --git a/src/aks-platform/env/itn-dev/terraform.tfvars b/src/aks-platform/env/itn-dev/terraform.tfvars index 1b3f399..f9713de 100644 
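Review bot: The `namespaces:` key under `controller.clusterRoleRules.rules` is not a field of a Kubernetes RBAC `PolicyRule` (which has `apiGroups`, `resources`, `verbs`, `resourceNames`, `nonResourceURLs`), so the API server will either reject the ClusterRole or silently drop the key, and what actually lands is an unscoped `apiGroups: ["*"] / resources: ["*"] / verbs: ["*"]` grant to the application controller — no narrower than the chart default, but now disguised as namespace-bound. A ClusterRole cannot be confined to namespaces; if that confinement is the goal, the chart's namespace-scoped install (no cluster roles, one Role/RoleBinding per managed namespace) is the mechanism, otherwise drop the `clusterRoleRules` block and keep the documented default rather than a copy with a misleading key. `configs.params.application.namespaces` and the explicit `--application-namespaces` controller arg carry the same value twice; in chart 7.x the param is propagated through argocd-cmd-params-cm, so the arg is probably redundant and worth verifying rather than maintaining both. The Italian `# Cambiato a false per evitare il TLS host doppio` should match the English used in the rest of the file, e.g. `# tls: false — TLS is declared once via extraTls to avoid a duplicate host entry`.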
--- a/src/aks-platform/env/itn-dev/terraform.tfvars
+++ b/src/aks-platform/env/itn-dev/terraform.tfvars
@@ -146,5 +146,9 @@ law_prometheus_sku = "PerGB2018"
 law_prometheus_retention_in_days = 30
 law_prometheus_daily_quota_gb = 0.1
-# https://github.com/argoproj/argo-helm/releases/tag/argo-cd-7.7.7
-argocd_helm_release_version = "7.7.7" #2.13.0
+#
+# Argocd
+#
+# https://github.com/argoproj/argo-helm/releases/tag/argo-cd-7.7.16
+argocd_helm_release_version = "7.7.16" #2.13.0+
+argocd_application_namespaces = ["argocd", "testit", "diego", "keda"]
diff --git a/src/domains/diego-app/.terraform.lock.hcl b/src/domains/diego-app/.terraform.lock.hcl
index b471247..9297e91 100644
--- a/src/domains/diego-app/.terraform.lock.hcl
+++ b/src/domains/diego-app/.terraform.lock.hcl
@@ -5,6 +5,7 @@ provider "registry.terraform.io/argoproj-labs/argocd" { version = "7.1.0" constraints = "~> 7.1.0" hashes = [ + "h1:3sVJshsbJa/vj3MtZgLqDI6jy1mqF22auycq6nTpbKY=", "h1:l2eyIy5lh96Z/zhxmS1MspxTOBRWV2Qdy2T9bnYwWNE=", "zh:16a54a33061054769b46f395070815b5c027ca793f8e8af0d0459404ec38018a", "zh:3d1e1fbf877d43a08896ca321e2b5951cd5e0397b95f9d46d45a462987eb1045",
@@ -23,6 +24,7 @@ provider "registry.terraform.io/hashicorp/azuread" { version = "2.47.0" constraints = "<= 2.47.0" hashes = [ + "h1:g8+gBFM4QVOEQFqAEs5pR6iXpbGvgPvcEi1evHwziyw=", "h1:iRwDQBdXBpVBoYwM9au2RG01RQuJSm3TGQ2kioFVAas=", "zh:1372d81eb24ef3b4b00ea350fe87219f22da51691b8e42ce91d662f6c2a8af5e", "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7",
@@ -44,6 +46,7 @@ provider "registry.terraform.io/hashicorp/azurerm" { constraints = "~> 3.30, ~> 3.110" hashes = [ "h1:Ew2CcKxce0b1gv3KpztpPt54dw1y7qEnkda5n0fuoPg=", + "h1:pAXy9cKU+bX1rvWog4YWeLbg7VFHqRTAFKbjayIXK1k=", "zh:2e25f47492366821a786762369f0e0921cc9452d64bfd5075f6fdfcf1a9c6d70", "zh:41eb34f2f7469bf3eb1019dfb0e7fc28256f809824016f4f8b9d691bf473b2ac", "zh:48bb9c87b3d928da1abc1d3db75453c9725de4674c612daf3800160cc7145d30", 
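Review bot: `argocd_application_namespaces` lists `keda`, a platform add-on namespace, alongside the tenant domains: once applications-in-any-namespace is on, any principal able to create `Application` objects in a listed namespace can deploy whatever the matching AppProject permits, so each entry should correspond to an AppProject that deliberately includes it in `sourceNamespaces` (diego-app does so for `var.domain` in this commit), and `keda` should go unless a KEDA-owned Application is actually planned. The trailing `#2.13.0+` is opaque; if it records the Argo CD application version shipped by chart 7.7.16, `# ships Argo CD app version 2.13.x` says so.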
@@ -64,6 +67,7 @@ provider "registry.terraform.io/hashicorp/helm" { constraints = "~> 2.12, <= 2.12.1" hashes = [ "h1:7wfYOAeSEchHB8idNl+2jf+OkFi9zFSOLWkEZFuTCik=", + "h1:aBfcqM4cbywa7TAxfT1YoFS+Cst9waerlm4XErFmJlk=", "zh:1d623fb1662703f2feb7860e3c795d849c77640eecbc5a776784d08807b15004", "zh:253a5bc62ba2c4314875139e3fbd2feaad5ef6b0fb420302a474ab49e8e51a38", "zh:282358f4ad4f20d0ccaab670b8645228bfad1c03ac0d0df5889f0aea8aeac01a",
@@ -83,6 +87,7 @@ provider "registry.terraform.io/hashicorp/kubernetes" { version = "2.30.0" constraints = "~> 2.30.0" hashes = [ + "h1:+Je5UPTWMmO4eG5ep1WfujkXQI9tDk0OsMU4olU76Bg=", "h1:z0Gy1p59XfS9MawIqCck7m2eeEEhAj6D7n8Ngglu8vE=", "zh:06531333a72fe6d2829f37a328e08a3fc4ed66226344a003b62418a834ac6c69", "zh:34480263939ef5007ce65c9f4945df5cab363f91e5260ae552bcd9f2ffeed444",
@@ -102,6 +107,7 @@ provider "registry.terraform.io/hashicorp/kubernetes" { provider "registry.terraform.io/hashicorp/local" { version = "2.5.2" hashes = [ + "h1:IyFbOIO6mhikFNL/2h1iZJ6kyN3U00jgkpCLUCThAfE=", "h1:p99F1AoV9z51aJ4EdItxz/vLwWIyhx/0Iw7L7sWSH1o=", "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511", "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea",
@@ -123,6 +129,7 @@ provider "registry.terraform.io/hashicorp/null" { constraints = "~> 3.2, <= 3.2.1" hashes = [ "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", + "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5",
diff --git a/src/domains/diego-app/05_argocd.tf b/src/domains/diego-app/05_argocd.tf
index 5ebf409..5769a92 100644
--- a/src/domains/diego-app/05_argocd.tf
+++ b/src/domains/diego-app/05_argocd.tf
@@ -13,7 +13,7 @@ resource "argocd_project" "project" {
 spec {
 description = "${var.domain}-project"
- source_namespaces = ["argocd"]
+ source_namespaces = ["argocd", var.domain]
 source_repos = ["*"]
 destination {
@@ -44,13 +44,11 @@ resource "argocd_project" "project" {
 warn = true
 }
- # role {
- # name = "anotherrole"
- # policies = [
- # "p, proj:myproject:testrole, applications, get, myproject/*, allow",
- # "p, proj:myproject:testrole, applications, sync, myproject/*, deny",
- # ]
- # }
+ # role {
+ # name = "project-admin"
+ # policies = [
+ # ]
+ # }
 }
 }
@@ -90,7 +88,7 @@ resource "argocd_application" "diego_applications" {
 metadata {
 name = each.value.name
- namespace = "argocd"
+ namespace = var.domain
 labels = {
 name = each.value.name
 domain = var.domain
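Review bot: `source_namespaces = ["argocd", var.domain]` only takes effect while `var.domain` is also present in the platform root's `argocd_application_namespaces` (itn-dev lists `"diego"` literally in this commit); the two lists live in different Terraform roots with nothing tying them together, so a rename or a missing entry will make the Applications this file now creates in the domain namespace be ignored or rejected by the controller with no plan-time signal. A comment on the line, `# must also appear in aks-platform argocd_application_namespaces (controller --application-namespaces)`, at least documents the coupling; exposing the platform list through remote state and asserting membership would enforce it. The `argocd_project` resource starts before this hunk.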
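Review bot: The replacement `# role { … }` block in the second hunk is commented-out scaffolding with an empty `policies = [ ]`, dead text that a reader has to reason about without learning anything from it; either implement the `project-admin` role with explicit policies or collapse the five lines into a single `# TODO: define project roles (e.g. project-admin) once the policy set is agreed`. The resource's closing braces are in the hunk, but its body starts before it.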