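---
# Taskfile (https://taskfile.dev) for a local/dev Kubernetes bootstrap:
# minikube with Cilium, Traefik, Argo CD, the sealed-secrets controller and
# helpers that (un)seal the secrets kept under ./charts.
#
# Operational / security notes:
#   - KUBESEAL_PRIVATE_KEY is the sealed-secrets controller's decryption key;
#     whoever holds it can decrypt every *.sealed.yaml in this repo. Keep it
#     out of version control, together with the plaintext *.unsealed.yaml
#     files that `task unseal` writes (add both to .gitignore).
#   - The install tasks run `helm repo update` / `helm dependency update`, so
#     the chart versions that get deployed are whatever Chart.yaml's version
#     constraints allow at run time. Pin versions in Chart.yaml and commit
#     Chart.lock (consumed by `helm dependency build`) for reproducible,
#     reviewable upgrades.
#   - Task `vars` are Go-template values ({{ .NAME }}); only `env` entries are
#     visible to the shell as ${NAME}. Mixing the two yields empty strings, so
#     task vars are referenced with template syntax throughout.
version: '3'

env:
  # Quoted so a YAML parser never reinterprets the version as a number.
  MINIKUBE_KUBE_VERSION: "1.31.0"
  ARGO_CHART_RELEASE_NAME: argo-cd
  ARGO_NAMESPACE: "argocd"
  CHART_DIR_PATH_INIT: "charts/init"
  CHART_DIR_PATH_ARGOCD: "charts/argocd"
  CHART_DIR_PATH_CNI: "charts/cilium"
  # Sealed-secrets controller private key, used only by `unseal`. SENSITIVE:
  # never commit it; fetch it from the cluster only when a recovery is needed.
  KUBESEAL_PRIVATE_KEY: "./private.key"
  # Controller public certificate used by the seal tasks. Safe to commit, but
  # it must be the cert of the controller running in the target cluster or the
  # sealed secrets will not decrypt there.
  KUBESEAL_PUBLIC_CERT: "./public.cert"
  CHARTS_DIR: "./charts"

tasks:
  minikube:
    desc: "(Re-)Create minikube instance."
    cmds:
      # Destructive: throws away the existing cluster and everything in it.
      - minikube delete
      - minikube start --cni cilium --kubernetes-version=${MINIKUBE_KUBE_VERSION}
      # Assumes the `traefik` helm repo is already added locally; unlike the
      # argocd/sealed-secrets tasks no `helm repo add` is done here.
      # 192.168.49.2 is presumably the minikube node IP (docker driver default)
      # - adjust if `minikube ip` reports something else.
      - helm upgrade --install --create-namespace --namespace traefik traefik traefik/traefik --set service.externalIPs={192.168.49.2}

  argocd:
    desc: "(Re-)Install ArgoCD."
    cmds:
      - helm repo add argocd https://argoproj.github.io/argo-helm/
      - helm repo update argocd
      # `dependency update` rewrites Chart.lock to the newest versions allowed
      # by Chart.yaml; `dependency build` then just materialises that lock.
      # Drop the `update` step if installs must stay pinned to the committed lock.
      - helm dependency update ${CHART_DIR_PATH_ARGOCD}
      - helm dependency build ${CHART_DIR_PATH_ARGOCD}
      - helm upgrade --install --create-namespace --namespace ${ARGO_NAMESPACE} ${ARGO_CHART_RELEASE_NAME} ${CHART_DIR_PATH_ARGOCD}

  argocd-late:
    desc: "(Re-)Install late stage ArgoCD resources like encrypted secrets from local chart."
    cmds:
      - helm upgrade --install --namespace ${ARGO_NAMESPACE} argocd-late charts/argocd-late

  argocd-forward:
    desc: "Kubectl port forward ArgoCD"
    # Silent so Task does not echo the rendered `echo Credentials ...` command
    # line (which contains the password) in addition to its output.
    silent: true
    cmds:
      - kubectl wait --timeout=600s --for=condition=Available=True -n ${ARGO_NAMESPACE} deployment ${ARGO_CHART_RELEASE_NAME}-argocd-server
      # Prints the initial admin password to the terminal. Do not run this in
      # CI or any session whose output is logged/recorded. The initial admin
      # secret is a bootstrap credential - change the password (and, per the
      # Argo CD docs, delete argocd-initial-admin-secret) after first login.
      # ARGO_USER / ARGO_PASSWORD are task vars, hence template syntax here;
      # as ${...} shell expansions they would have been empty.
      - echo "Credentials user={{ .ARGO_USER }} password={{ .ARGO_PASSWORD }}"
      # FORWARD_PORT is not defined in this file; when unset the local side is
      # empty (":443") and kubectl picks a free local port. Pass it explicitly
      # (e.g. `FORWARD_PORT=8443 task argocd-forward`) for a stable port.
      - kubectl port-forward svc/${ARGO_CHART_RELEASE_NAME}-argocd-server -n ${ARGO_NAMESPACE} ${FORWARD_PORT}:443
    vars:
      ARGO_USER: admin
      # Read straight from the cluster at task start; never persisted.
      ARGO_PASSWORD:
        sh: kubectl get -n ${ARGO_NAMESPACE} secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

  cni:
    desc: "(Re-)Install CNI helm chart to cluster"
    # Neither variable is defined in this file; fail fast with a clear message
    # instead of running helm with an empty namespace / release name.
    # Usage: `task cni CNI_NAMESPACE=<ns> CNI_NAME=<release>` (or export them).
    requires:
      vars:
        - CNI_NAMESPACE
        - CNI_NAME
    cmds:
      - helm dependency build ${CHART_DIR_PATH_CNI}
      - helm upgrade --install --create-namespace --namespace {{ .CNI_NAMESPACE }} {{ .CNI_NAME }} ${CHART_DIR_PATH_CNI}

  get-gpu-nodes:
    desc: "List GPU enabled nodes"
    cmds:
      # Matches on the NFD extended-resources annotation, not on allocatable
      # resources, so nodes without NFD labelling are not listed.
      - kubectl get nodes -o jsonpath='{.items[?(@.metadata.annotations.nfd\.node\.kubernetes\.io/extended-resources=="nvidia.com/gpu")].metadata.name}'

  rook-tools:
    desc: "Exec rook-tools container"
    cmds:
      - kubectl -n rook-ceph exec -it {{ .POD }} -- ceph status
      - kubectl -n rook-ceph exec -it {{ .POD }} -- bash
    vars:
      # First matching pod only: `kubectl exec` takes exactly one pod name, and
      # the former `items[*]` selector produced a space separated list (and a
      # broken command line) whenever more than one tools pod was running.
      POD:
        sh: kubectl -n rook-ceph get pod -l "app=rook-ceph-tools" -o jsonpath='{.items[0].metadata.name}'

  sealed-secrets:
    desc: "(Re-)Install sealed-secrets controller."
    cmds:
      - helm repo add bitnami https://charts.bitnami.com/bitnami
      - helm repo update bitnami
      # See the note on `dependency update` vs `build` in the argocd task.
      - helm dependency update charts/sealed-secrets
      - helm dependency build charts/sealed-secrets
      - helm upgrade --install --create-namespace --namespace sealed-secrets sealed-secrets charts/sealed-secrets

  init:
    desc: "(Re-)Install GitOps initialisation chart to make ArgoCD watch infrastructure."
    cmds:
      # REVISION is a task var (not env), so it is referenced as a template;
      # a ${REVISION} shell expansion would have passed an empty revision.
      - helm upgrade --install --create-namespace --namespace ${ARGO_NAMESPACE} --set="environment.revision={{ .REVISION }}" init ${CHART_DIR_PATH_INIT}
    vars:
      # Current branch name, presumably the git revision the init chart points
      # Argo CD at - confirm against charts/init.
      REVISION:
        sh: git rev-parse --abbrev-ref HEAD

  seal:
    desc: "Kubeseal all *.unsealed.yaml secrets into and over adjacent *.sealed.yaml files."
    cmds:
      - task: generic-seal
      # The environment list here must match the skip list in generic-seal.
      - task: env-specific-seal
        vars:
          ENV: "dev"
      - task: env-specific-seal
        vars:
          ENV: "stg"
      - task: env-specific-seal
        vars:
          ENV: "prd"

  env-specific-seal:
    desc: "Kubeseal environment specific secrets into and over adjacent *.sealed.yaml files."
    silent: true
    requires:
      vars:
        - ENV
    sources:
      - "{{ .CHARTS_DIR }}/**/*.{{ .ENV }}.unsealed.yaml"
    generates:
      - "{{ .CHARTS_DIR }}/**/*.{{ .ENV }}.sealed.yaml"
    cmds:
      - for: sources
        cmd: |
          infile="{{ .ITEM }}"
          echo "Sealing - $infile with {{ .KUBESEAL_PUBLIC_CERT }}"
          # Braces are backslash-escaped so Task's Go templating leaves them
          # alone; the sed calls at the end restore plain double braces so the
          # sealed file becomes a Helm conditional on .Values.environment.mode.
          condition='\{\{- if eq .Values.environment.mode "{{ .ENV }}" \}\}'
          outfile="${infile%.unsealed.yaml}.sealed.yaml"
          if [ -s "$infile" ]; then
            echo "$condition" > "$outfile"
            kubeseal --cert {{ .KUBESEAL_PUBLIC_CERT }} -o yaml < "$infile" >> "$outfile"
            echo "\{\{- end \}\}" >> "$outfile"
            sed -i 's/\\{/{/g' "$outfile"
            sed -i 's/\\}/}/g' "$outfile"
            echo "Sealed - $outfile"
          else
            echo "WARNING: no content in $infile. Skipping."
          fi
    method: none

  generic-seal:
    desc: "Kubeseal all *.unsealed.yaml secrets into and over adjacent *.sealed.yaml files."
    silent: true
    sources:
      - "{{ .CHARTS_DIR }}/**/*.unsealed.yaml"
    generates:
      - "{{ .CHARTS_DIR }}/**/*.sealed.yaml"
    cmds:
      - for: sources
        cmd: |
          infile="{{ .ITEM }}"
          outfile="${infile%.unsealed.yaml}.sealed.yaml"
          case "$infile" in
            # The **/*.unsealed.yaml glob also matches the environment specific
            # files. Sealing them here would overwrite *.sealed.yaml without the
            # mode condition wrapper, so leave them to env-specific-seal.
            *.dev.unsealed.yaml|*.stg.unsealed.yaml|*.prd.unsealed.yaml)
              echo "Skipping - $infile is environment specific (sealed by env-specific-seal)"
              ;;
            *)
              echo "Sealing - $infile with {{ .KUBESEAL_PUBLIC_CERT }}"
              if [ -s "$infile" ]; then
                kubeseal --cert {{ .KUBESEAL_PUBLIC_CERT }} -o yaml < "$infile" > "$outfile"
                echo "Sealed - $outfile"
              else
                echo "WARNING: no content in $infile. Skipping."
              fi
              ;;
          esac
    method: none

  unseal:
    desc: "Un-Kubeseal all *.sealed.yaml secrets into and over adjacent *.unsealed.yaml files."
    silent: true
    sources:
      - "{{ .CHARTS_DIR }}/**/*.sealed.yaml"
    generates:
      - "{{ .CHARTS_DIR }}/**/*.unsealed.yaml"
    cmds:
      - for: sources
        cmd: |
          # Writes PLAINTEXT secrets next to the sealed files and needs the
          # controller private key. Make sure *.unsealed.yaml and the key are
          # git-ignored before running this.
          infile="{{ .ITEM }}"
          echo "Unsealing - $infile with {{ .KUBESEAL_PRIVATE_KEY }}"
          outfile="${infile%.sealed.yaml}.unsealed.yaml"
          if [[ ! $(cat "$infile" | yq ' .spec.template.metadata.labels."cromwell-tools.co.uk/binarysecret"') = 'true' ]]; then
            # Strip the Helm condition wrapper lines first (kubeseal needs a
            # plain YAML document), decode data -> stringData so the file is
            # human readable, and remove ownerReferences so it is a standalone
            # Secret manifest.
            cat "$infile" | sed 's/.*{-.*//' | kubeseal --recovery-unseal --recovery-private-key {{ .KUBESEAL_PRIVATE_KEY }} -o yaml | yq '.data |= map_values(@base64d) | .stringData = .data | del(.data) | del(.metadata.ownerReferences)' > "$outfile"
          else
            # Binary payloads are left base64 encoded in .data.
            cat "$infile" | kubeseal --recovery-unseal --recovery-private-key {{ .KUBESEAL_PRIVATE_KEY }} -o yaml > "$outfile"
            echo "WARNING: secret is binary. Skipping base64 decode."
          fi
          echo "Unsealed - $outfile"
    method: none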