Initial commit

README.md

@@ -0,0 +1,23 @@
+# Welcome to your tenant-demo tenant
+
+## Usefull links
+
+* [Get me to my Namespace](https://console-openshift-console.apps.production.kvant.cloud/k8s/cluster/projects/tenant-tpl)
+* [WIKI](https://git.kvant.cloud/phoenix/tenant-tpl/wiki/Tenant--Wiki)
+
+## Command cheatsheet
+
+* Get all your tenant ressources from flux
+
+```shell
+
+  $ flux get all -n tenant-tpl
+
+```
+* Get all your tenant ressources from openshift
+
+```shell
+
+  $ oc get all -n tenant-tpl
+
+```

echo-server/app/helmrelease.yaml

@@ -0,0 +1,103 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app echo-server
+spec:
+  serviceAccountName: ${TECHNICAL_ACCOUNT}
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.2.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: ${TENANT_NAMESPACE}
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    controllers:
+      echo-server:
+        replicas: 2
+        strategy: RollingUpdate
+        containers:
+          app:
+            image:
+              repository: ghcr.io/mendhak/http-https-echo
+              tag: 33
+            env:
+              HTTP_PORT: &port 8080
+              LOG_WITHOUT_NEWLINE: true
+              LOG_IGNORE_PATH: /healthz
+              PROMETHEUS_ENABLED: true
+            probes:
+              liveness: &probes
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /healthz
+                    port: *port
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+              readiness: *probes
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+              seccompProfile:
+                type: RuntimeDefault
+            resources:
+              requests:
+                cpu: 10m
+                memory: 64Mi
+              limits:
+                memory: 64Mi
+                cpu: 100m
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile: { type: RuntimeDefault }
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: *app
+    service:
+      app:
+        controller: echo-server
+        ports:
+          http:
+            port: *port
+    serviceMonitor:
+      app:
+        serviceName: echo-server
+        endpoints:
+          - port: http
+            scheme: http
+            path: /metrics
+            interval: 1m
+            scrapeTimeout: 10s
+    ingress:
+      app:
+        className: external
+        hosts:
+          - host: "{{ .Release.Name }}-${TENANT_DOMAIN}"
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http
+

echo-server/ks.yaml

@@ -0,0 +1,20 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app echo-server
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./echo-server/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - vars/ks.yaml
+  - repos/ks.yaml
+  - echo-server/ks.yaml

renovate.json5

@@ -0,0 +1,16 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "local>phoenix/renovate-config",
+    "local>phoenix/renovate-config:tenant-deps"
+  ],
+  "flux": {
+    "fileMatch": [".+\\.ya?ml$"]
+  },
+  "helm-values": {
+    "fileMatch": [".+\\.ya?ml$"]
+  },
+  "kubernetes": {
+    "fileMatch": [".+\\.ya?ml$"]
+  }
+}

repos/helm/bjw-s.yaml

@@ -0,0 +1,12 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: bjw-s
+  namespace: ${TENANT_NAMESPACE}-ns
+spec:
+  type: oci
+  interval: 5m
+  url: oci://ghcr.io/bjw-s/helm
+

repos/ks.yaml

@@ -0,0 +1,20 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app repos-sync
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./repos/helm
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

scripts/rewrap-secrets.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+FOLDER="$(dirname "$(dirname "$(readlink -f "$0")")")"
+#find $FOLDER -type f -name ".+\.secret(\.sops)?\.ya?ml"
+for f in $(find $FOLDER -type f -name "*secret.sops.yaml"); do
+  cd $(dirname $f)
+  sops updatekeys --yes $f
+done

vars/ks.yaml

@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app vars
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  targetNamespace: ${TENANT_NAMESPACE}
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./vars/${TENANT_NAMESPACE}
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: tenant-repos
+  wait: false
+  interval: 10m
+  retryInterval: 1m
+  timeout: 5m

vars/tenant-tpl/.sops.yaml

@@ -0,0 +1,24 @@
+---
+
+# This example uses YAML anchors which allows reuse of multiple keys 
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+  age:
+  - &tenant_age_key "@{AGE-PUBLIC-KEY}"
+creation_rules:
+  - path_regex: .+secret(\.sops)?\.ya?ml
+    input_type: yaml
+    encrypted_regex: ^(data|stringData)$
+    key_groups:
+      - age: &key_groups
+          - *tenant_age_key
+  - path_regex: .+secret(\.sops)?\.env
+    input_type: env
+    key_groups:
+      - age: *key_groups
+stores:
+  yaml:
+    indent: 2
+

vars/tenant-tpl/README.md

@@ -0,0 +1,11 @@
+# Settings and Secrets
+
+Add here settings that depend on the tenant name. This is needed when you
+include this git ${REPO_NAME} into multiple tenants. You need to ensure this
+folder is called the same way as the kvant tenant you got.
+
+You can add Config Maps and secrets to this folder. The secrets should be
+encripted using SOPS (see
+[WIKI](https://git.kvant.cloud/phoenix/tenant-tpl/wiki/Tenant--Wiki)). Please
+do not forget adding your own key to the [.sops.yaml](.sops.yaml) before
+encrypting your secrets if you want to be able to edit them afterwards.

vars/tenant-tpl/example.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: example-vars
+data:
+  EXAMPLE: foo