feat: add physical gitlab support in gcp and vultr (#861)

Author: jokestax

google-gitlab/templates/workload-cluster/0-providerconfig.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: <WORKLOAD_CLUSTER_NAME>-provider-config
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/sync-wave: '0'
+spec:
+  project: default
+  source:
+    repoURL: <GITOPS_REPO_URL>
+    path: registry/clusters/<WORKLOAD_CLUSTER_NAME>/provider-config
+    targetRevision: HEAD
+  destination:
+    name: in-cluster
+    namespace: crossplane-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

google-gitlab/templates/workload-cluster/10-infrastructure.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: <WORKLOAD_CLUSTER_NAME>-infrastructure
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/sync-wave: '10'
+spec:
+  project: default
+  source:
+    repoURL: <GITOPS_REPO_URL>
+    path: registry/clusters/<WORKLOAD_CLUSTER_NAME>/infrastructure
+    targetRevision: HEAD
+  destination:
+    name: in-cluster
+    namespace: <WORKLOAD_CLUSTER_NAME>
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

google-gitlab/templates/workload-cluster/20-argocd-connection.yaml

@@ -0,0 +1,55 @@
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata:
+  name: <WORKLOAD_CLUSTER_NAME>
+  annotations:
+    argocd.argoproj.io/sync-wave: '20'
+  labels:
+    app.kubernetes.io/part-of: argocd
+spec:
+  target:
+    name: <WORKLOAD_CLUSTER_NAME>
+    template:
+      metadata:
+        labels:
+          argocd.argoproj.io/secret-type: cluster
+      engineVersion: v2
+      data:
+        name: "{{ .cluster_name }}"
+        server: "{{ .host }}"
+        clusterResources: "true"
+        config: |
+          {
+            "execProviderConfig": {
+                "command": "argocd-k8s-auth",
+                "args": ["gcp"],
+                "apiVersion": "client.authentication.k8s.io/v1beta1"
+            },
+            "bearerToken": "{{ .argocd_manager_sa_token }}",
+            "tlsClientConfig": {
+                "caData": "{{ .cluster_ca_certificate | b64enc }}",
+                "insecure": false
+            }
+          }
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-kv-secret
+  refreshInterval: 10s
+  data:
+    - remoteRef:
+        key: clusters/<WORKLOAD_CLUSTER_NAME>
+        property: argocd_manager_sa_token
+      secretKey: argocd_manager_sa_token
+    - remoteRef:
+        key: clusters/<WORKLOAD_CLUSTER_NAME>
+        property: host
+      secretKey: host
+    - remoteRef:
+        key: clusters/<WORKLOAD_CLUSTER_NAME>
+        property: cluster_name
+      secretKey: cluster_name
+    - remoteRef:
+        key: clusters/<WORKLOAD_CLUSTER_NAME>
+        property: cluster_ca_certificate
+        conversionStrategy: Default
+      secretKey: cluster_ca_certificate

google-gitlab/templates/workload-cluster/30-cert-manager.yaml

@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: <WORKLOAD_CLUSTER_NAME>-cert-manager
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/sync-wave: '30'
+spec:
+  project: <WORKLOAD_CLUSTER_NAME>
+  source:
+    repoURL: https://charts.jetstack.io
+    targetRevision: v1.14.4
+    helm:
+      values: |-
+        serviceAccount:
+          create: true
+          name: cert-manager
+        installCRDs: true
+    chart: cert-manager
+  destination:
+    name: <WORKLOAD_CLUSTER_NAME>
+    namespace: cert-manager
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

google-gitlab/templates/workload-cluster/30-external-dns.yaml

@@ -0,0 +1,46 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: <WORKLOAD_CLUSTER_NAME>-external-dns
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: '30'
+spec:
+  project: <WORKLOAD_CLUSTER_NAME>
+  source:
+    repoURL: https://kubernetes-sigs.github.io/external-dns
+    targetRevision: 1.14.4
+    helm:
+      releaseName: external-dns
+      values: |
+        image:
+          repository: registry.k8s.io/external-dns/external-dns
+          tag: "v0.13.2"
+        serviceAccount:
+          create: true
+          name: external-dns
+        provider: google
+        sources:
+        - ingress
+        env:
+        - name: GOOGLE_APPLICATION_CREDENTIALS
+          value: "/tmp/credentials.json"
+        domainFilters:
+        - <WORKLOAD_EXTERNAL_DNS_DOMAIN_NAME>
+        extraVolumes:
+        - name: secrets
+          secret:
+            secretName: external-dns
+        extraVolumeMounts:
+        - name: secrets
+          mountPath: /tmp
+    chart: external-dns
+  destination:
+    name: <WORKLOAD_CLUSTER_NAME>
+    namespace: external-dns
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

google-gitlab/templates/workload-cluster/30-external-secrets-operator.yaml

@@ -0,0 +1,71 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: <WORKLOAD_CLUSTER_NAME>-external-secrets-operator
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/sync-wave: '30'
+spec:
+  project: <WORKLOAD_CLUSTER_NAME>
+  source:
+    repoURL: https://charts.external-secrets.io
+    targetRevision: 0.8.1
+    helm:
+      values: |-
+        serviceAccount:
+          create: false
+          name: external-secrets
+    chart: external-secrets
+  destination:
+    name: <WORKLOAD_CLUSTER_NAME>
+    namespace: external-secrets-operator
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - RespectIgnoreDifferences=true
+  ignoreDifferences:
+    - group: apiextensions.k8s.io
+      kind: CustomResourceDefinition
+      jqPathExpressions:
+        - .spec.conversion.webhook.clientConfig.caBundle
+        - .spec.conversion.webhook.clientConfig.service.name
+        - .spec.conversion.webhook.clientConfig.service.namespace
+    - group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+      jqPathExpressions:
+        - .webhooks[]?.clientConfig.caBundle
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: <WORKLOAD_CLUSTER_NAME>-eso-kubernetes-external-secrets-auth
+  annotations:
+    argocd.argoproj.io/sync-wave: '40'
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: 'system:auth-delegator'
+subjects:
+  - kind: ServiceAccount
+    name: external-secrets
+    namespace: external-secrets-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: <WORKLOAD_CLUSTER_NAME>-eso-kubernetes-external-secrets-auth2
+  annotations:
+    argocd.argoproj.io/sync-wave: '40'
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: 'cluster-admin'
+subjects:
+  - kind: ServiceAccount
+    name: external-secrets
+    namespace: external-secrets-operator

google-gitlab/templates/workload-cluster/30-ingress-nginx.yaml

@@ -0,0 +1,38 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: <WORKLOAD_CLUSTER_NAME>-ingress-nginx
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/sync-wave: '30'
+spec:
+  project: <WORKLOAD_CLUSTER_NAME>
+  source:
+    repoURL: https://kubernetes.github.io/ingress-nginx
+    targetRevision: 4.10.0
+    helm:
+      values: |-
+        controller:
+          podAnnotations:
+            linkerd.io/inject: enabled
+          ingressClass: nginx
+          publishService:
+            enabled: true
+          service:
+            annotations:
+              service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+              service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+          extraArgs:
+            enable-ssl-passthrough: true
+    chart: ingress-nginx
+  destination:
+    name: <WORKLOAD_CLUSTER_NAME>
+    namespace: ingress-nginx
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

google-gitlab/templates/workload-cluster/30-reloader.yaml

@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: <WORKLOAD_CLUSTER_NAME>-reloader
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: '30'
+spec:
+  project: <WORKLOAD_CLUSTER_NAME>
+  source:
+    repoURL: 'https://stakater.github.io/stakater-charts'
+    targetRevision: v1.0.10
+    chart: reloader
+    helm:
+      values: |-
+        ignoreSecrets: false
+  destination:
+    name: <WORKLOAD_CLUSTER_NAME>
+    namespace: reloader
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        maxDuration: 5m0s
+        factor: 2

google-gitlab/templates/workload-cluster/40-clusterissuers.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: <WORKLOAD_CLUSTER_NAME>-cert-issuers
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/sync-wave: '40'
+spec:
+  project: <WORKLOAD_CLUSTER_NAME>
+  source:
+    repoURL: <GITOPS_REPO_URL>
+    path: registry/clusters/<WORKLOAD_CLUSTER_NAME>/cert-issuers
+    targetRevision: HEAD
+  destination:
+    name: <WORKLOAD_CLUSTER_NAME>
+    namespace: cert-manager
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

google-gitlab/templates/workload-cluster/40-clustersecretstore.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: <WORKLOAD_CLUSTER_NAME>-cluster-secret-store
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/sync-wave: '40'
+spec:
+  project: <WORKLOAD_CLUSTER_NAME>
+  source:
+    repoURL: <GITOPS_REPO_URL>
+    path: registry/clusters/<WORKLOAD_CLUSTER_NAME>/cluster-secret-store
+    targetRevision: HEAD
+  destination:
+    name: <WORKLOAD_CLUSTER_NAME>
+    namespace: external-secrets-operator
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true