diff --git a/charts/infrastructure/templates/reloader.yaml b/charts/infrastructure/templates/reloader.yaml
new file mode 100644
index 00000000..4787c683
--- /dev/null
+++ b/charts/infrastructure/templates/reloader.yaml
@@ -0,0 +1,85 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ # annotations:
+ # volsync.backube/privileged-movers: "true"
+ labels:
+ kubernetes.io/metadata.name: reloader
+ name: reloader
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: reloader
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ name: ''
+ namespace: reloader
+ server: 'https://kubernetes.default.svc'
+ source:
+ path: charts/reloader
+ repoURL: {{ .Values.global.repo }}
+ targetRevision: {{ .Values.environment.revision }}
+ helm:
+ values: |
+ {{- include "defaultEnvironment" . | indent 8 }}
+ {{- if eq .Values.environment.mode "staging" }}
+ {{- else if eq .Values.environment.mode "production" }}
+ {{- end }}
+ #project: reloader
+ project: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ - RespectIgnoreDifferences=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: reloader
+ namespace: argocd
+ # Finalizer that ensures that project is not deleted until it is not referenced by any application
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ description: Infra-level project to isolate reloader
+ # Allow manifests to deploy from any Git repos
+ sourceRepos:
+ - '*'
+ # Only permit applications to deploy to the guestbook namespace in the same cluster
+ destinations:
+ - namespace: reloader
+ server: https://kubernetes.default.svc
+ # Deny all cluster-scoped resources from being created, except for Namespace
+ clusterResourceWhitelist:
+ - group: ''
+ kind: Namespace
+ # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
+ namespaceResourceBlacklist:
+ - group: ''
+ kind: ResourceQuota
+ - group: ''
+ kind: LimitRange
+ #- group: ''
+ # kind: NetworkPolicy
+ # # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
+ # namespaceResourceWhitelist:
+ # - group: 'apps'
+ # kind: Deployment
+ # - group: 'apps'
+ # kind: StatefulSet
+ roles:
+ # A role which provides read-only access to all applications in the project
+ - name: read-only
+ description: Read-only privileges to reloader
+ policies:
+ - p, proj:my-project:read-only, applications, get, reloader/*, allow
+ groups:
+ - my-oidc-group
diff --git a/charts/reloader/.helmignore b/charts/reloader/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/reloader/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/reloader/Chart.lock b/charts/reloader/Chart.lock
new file mode 100644
index 00000000..23f81227
--- /dev/null
+++ b/charts/reloader/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: reloader
+ repository: https://stakater.github.io/stakater-charts
+ version: 2.1.5
+digest: sha256:849f4c253e3a313f71332bb6aedf45d3dbb0dfcbc093604bacb2fd08a9edc772
+generated: "2025-07-11T20:02:31.367980858+01:00"
diff --git a/charts/reloader/Chart.yaml b/charts/reloader/Chart.yaml
new file mode 100644
index 00000000..a5851eba
--- /dev/null
+++ b/charts/reloader/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: reloader
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: reloader
+ version: 2.1.5
+ repository: "https://stakater.github.io/stakater-charts"
diff --git a/charts/reloader/README.md b/charts/reloader/README.md
new file mode 100644
index 00000000..b682096f
--- /dev/null
+++ b/charts/reloader/README.md
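Review bot: In charts/infrastructure/templates/reloader.yaml the Application is bound to `project: default` while `#project: reloader` is commented out, so none of the limits in the `reloader` AppProject defined in the same file (destinations, `clusterResourceWhitelist`, `namespaceResourceBlacklist`) apply to what this app syncs. If that was done because the upstream chart needs cluster-scoped RBAC that the whitelist would reject (an inference, the subchart is not shown here), extend the whitelist and set `project: reloader` instead of falling back to the default project. Inside the AppProject, `sourceRepos: - '*'` accepts any repository and could be narrowed to `- '{{ .Values.global.repo }}'`, and the role policy names a different project, so it should read `- p, proj:reloader:read-only, applications, get, reloader/*, allow`. `my-oidc-group` and the "guestbook namespace" comment look like leftovers from an example manifest and should be replaced or removed.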
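Review bot: In charts/reloader/Chart.yaml the dependency source (`https://stakater.github.io/stakater-charts`, `version: 2.1.5`, matching Chart.lock) disagrees with the README added in the same commit, which lists `https://charts.bitnami.com/bitnami` at 2.5.15, so anyone auditing where the controller comes from is pointed at the wrong repository. `description: A Helm chart for Kubernetes` and `appVersion: "1.16.0"` look like scaffold defaults rather than facts about this chart. I would set them to real values or add a comment such as `# wraps stakater/reloader; appVersion does not track the upstream image`, and regenerate the README from Chart.yaml.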
@@ -0,0 +1,21 @@
+# reloader
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://charts.bitnami.com/bitnami | reloader | 2.5.15 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| reloader.createController | bool | `true` | |
+| reloader.ingress.enabled | bool | `false` | |
+| reloader.ingress.hostname | string | `"secrets.deepcypher.me"` | |
+| reloader.networkPolicy.enabled | bool | `true` | |
+
diff --git a/charts/reloader/values.yaml b/charts/reloader/values.yaml
new file mode 100644
index 00000000..b948d4e9
--- /dev/null
+++ b/charts/reloader/values.yaml
@@ -0,0 +1,7 @@
+reloader:
+ ingress:
+ enabled: false
+ hostname: secrets.deepcypher.me
+ createController: true
+ networkPolicy:
+ enabled: true
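Review bot: In charts/reloader/values.yaml, `networkPolicy.enabled: true` may not enable anything: the keys under `reloader:` (`ingress.hostname: secrets.deepcypher.me`, `createController`, `networkPolicy`) look carried over from a different wrapper chart, and Helm silently ignores values a subchart does not read unless the chart ships a schema. I cannot tell from the diff which keys the stakater chart at 2.1.5 consumes, so please check them against `helm show values` for the dependency and confirm with `helm template` that a NetworkPolicy is actually rendered. If the controller exposes nothing, drop the ingress block so the file does not suggest a public hostname for it.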