From b3933ccf6306dfed6ec50fbfcfa556dd045715c4 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 4 Apr 2021 10:12:19 +0100 Subject: [PATCH 01/70] Added dependency on azuread_service_principal for azuread_application_password --- terraform/argocd_sso.tf | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 25ce7ea..16e17d0 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -52,17 +52,19 @@ resource "azuread_application" "argocd" { } } +# TODO: add "SelfServiceAppAccess" tag to enable self-service options in Enterprise App +resource "azuread_service_principal" "argocd" { + application_id = azuread_application.argocd.application_id +} + # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password resource "azuread_application_password" "argocd" { application_object_id = azuread_application.argocd.id description = "argocd_secret" value = random_password.argocd.result end_date = "2099-01-01T01:02:03Z" -} -# TODO: add "SelfServiceAppAccess" tag to enable self-service options in Enterprise App -resource "azuread_service_principal" "argocd" { - application_id = azuread_application.argocd.application_id + depends_on = [azuread_service_principal.argocd] } data "azurerm_client_config" "current" { From 0d8852262e8e5fddf4a08433de746e50b2fe9bd9 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 4 Apr 2021 11:10:32 +0100 Subject: [PATCH 02/70] Added templatefile function test --- terraform/argocd_sso.tf | 24 +++++++++++++++-------- terraform/files/argocd-cm-patch.tmpl.yaml | 1 + 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 16e17d0..90948b2 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf 
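Review bot: The new `depends_on = [azuread_service_principal.argocd]` line carries no explanation of why the password must wait for the service principal, and since `azuread_application_password` already references `azuread_application.argocd.id` the ordering is not self-evident from the graph; a one-line comment above it recording the reason from the commit, e.g. `# service principal must exist before the application password is created (b3933cc)`, would keep a later cleanup from removing it. Separately, the context line `end_date = "2099-01-01T01:02:03Z"` gives the client secret a lifetime of nearly eight decades with no rotation; consider a much shorter `end_date` (or `end_date_relative`) together with a `keepers` entry on `random_password.argocd` so the secret is renewed on a schedule rather than living for the life of the deployment.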
@@ -73,13 +73,15 @@ data "azurerm_client_config" "current" { # argocd-cm patch # https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file -data "template_file" "argocd_cm" { - template = file(var.argocd_cm_yaml_path) - vars = { - tenantId = data.azurerm_client_config.current.tenant_id - appClientId = azuread_service_principal.argocd.application_id - } -} +# data "template_file" "argocd_cm" { +# template = file(var.argocd_cm_yaml_path) +# vars = { +# tenantId = data.azurerm_client_config.current.tenant_id +# appClientId = azuread_service_principal.argocd.application_id +# } +# } + +# TODO: use templatefile # https://www.terraform.io/docs/provisioners/local-exec.html resource "null_resource" "argocd_cm" { @@ -94,7 +96,13 @@ resource "null_resource" "argocd_cm" { KUBECONFIG = var.aks_config_path } command = < Date: Sun, 4 Apr 2021 11:23:47 +0100 Subject: [PATCH 03/70] Removed template_file data resource --- terraform/argocd_sso.tf | 14 +------------- terraform/files/argocd-cm-patch.tmpl.yaml | 1 - 2 files changed, 1 insertion(+), 14 deletions(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 90948b2..19f5f87 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -70,19 +70,6 @@ resource "azuread_application_password" "argocd" { data "azurerm_client_config" "current" { } - -# argocd-cm patch -# https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file -# data "template_file" "argocd_cm" { -# template = file(var.argocd_cm_yaml_path) -# vars = { -# tenantId = data.azurerm_client_config.current.tenant_id -# appClientId = azuread_service_principal.argocd.application_id -# } -# } - -# TODO: use templatefile - # https://www.terraform.io/docs/provisioners/local-exec.html resource "null_resource" "argocd_cm" { triggers = { 
@@ -95,6 +82,7 @@ resource "null_resource" "argocd_cm" { environment = { KUBECONFIG = var.aks_config_path } + # https://www.terraform.io/docs/language/functions/templatefile.html command = < Date: Sun, 4 Apr 2021 11:28:04 +0100 Subject: [PATCH 04/70] Added templatefile to local-exec env var --- terraform/argocd_sso.tf | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 19f5f87..bcbe22d 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -81,16 +81,15 @@ resource "null_resource" "argocd_cm" { interpreter = ["/bin/bash", "-c"] environment = { KUBECONFIG = var.aks_config_path - } - # https://www.terraform.io/docs/language/functions/templatefile.html - command = < Date: Sun, 4 Apr 2021 11:30:50 +0100 Subject: [PATCH 05/70] Changed bash var syntax --- terraform/argocd_sso.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index bcbe22d..43e4be9 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -89,7 +89,7 @@ resource "null_resource" "argocd_cm" { } # https://www.terraform.io/docs/language/functions/templatefile.html command = < Date: Sun, 4 Apr 2021 12:13:57 +0100 Subject: [PATCH 06/70] Changed template_file usage to templatefile() function --- terraform/argocd_sso.tf | 40 ++++++++++++++++++++-------------------- terraform/dns.tf | 18 ++++++++---------- 2 files changed, 28 insertions(+), 30 deletions(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 43e4be9..4468186 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -70,6 +70,8 @@ resource "azuread_application_password" "argocd" { data "azurerm_client_config" "current" { } + +# argocd-cm patch # https://www.terraform.io/docs/provisioners/local-exec.html resource "null_resource" "argocd_cm" { triggers = { 
@@ -81,11 +83,13 @@ resource "null_resource" "argocd_cm" { interpreter = ["/bin/bash", "-c"] environment = { KUBECONFIG = var.aks_config_path - ARGOCD_CM_PATCH_YAML = templatefile(var.argocd_cm_yaml_path, + ARGOCD_CM_PATCH_YAML = templatefile( + var.argocd_cm_yaml_path, { "tenantId" = data.azurerm_client_config.current.tenant_id "appClientId" = azuread_service_principal.argocd.application_id - }) + } + ) } # https://www.terraform.io/docs/language/functions/templatefile.html command = < Date: Tue, 6 Apr 2021 08:31:09 +0100 Subject: [PATCH 07/70] Fixed dns yaml kubectl cmd --- terraform/dns.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/dns.tf b/terraform/dns.tf index 51d5305..8397895 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -62,7 +62,7 @@ resource "null_resource" "azureIdentity_external_dns" { ) } command = < Date: Tue, 6 Apr 2021 08:41:31 +0100 Subject: [PATCH 08/70] Bumped argocd cli versions to 1.8.7 --- terraform/files/scripts/argocd_config.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index aa79fb2..61bf45e 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -13,7 +13,7 @@ export ARGOCD_OPTS="--grpc-web" ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install -VERSION="v1.8.2" +VERSION="v1.8.7" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" From 7f8e1e8c129b5f9b13623c952e2f87aa9d205b32 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 7 Apr 2021 07:32:01 +0100 Subject: [PATCH 09/70] Bumped AKS to v1.19.7, plus bumped nginx, velero, and kured --- terraform/variables.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 2e89be3..cec05f8 100644 --- a/terraform/variables.tf 
+++ b/terraform/variables.tf @@ -6,7 +6,7 @@ # https://github.com/Azure/AKS/releases # az aks get-versions --location uksouth --output table variable "kubernetes_version" { - default = "1.18.14" + default = "1.19.7" } # Helm charts @@ -21,7 +21,7 @@ variable "kubernetes_version" { # helm search repo ingress-nginx/ingress-nginx # * also update terraform/helm/nginx_values.yaml variable "nginx_chart_version" { - default = "3.26.0" + default = "3.27.0" } # https://hub.helm.sh/charts/jetstack/cert-manager @@ -34,7 +34,7 @@ variable "cert_manager_chart_version" { # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.15.0" + default = "2.16.0" } # https://hub.docker.com/r/velero/velero/tags @@ -78,7 +78,7 @@ variable "external_dns_chart_version" { # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.4.1" + default = "2.4.2" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility From 96ade596809de4eaa8dc59f62c7896d98ca15bab Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 7 Apr 2021 08:18:22 +0100 Subject: [PATCH 10/70] Removed escape char in cm patch template --- terraform/files/argocd-cm-patch.tmpl.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/files/argocd-cm-patch.tmpl.yaml b/terraform/files/argocd-cm-patch.tmpl.yaml index 3473549..208dcfa 100644 --- a/terraform/files/argocd-cm-patch.tmpl.yaml +++ b/terraform/files/argocd-cm-patch.tmpl.yaml @@ -3,7 +3,7 @@ data: name: Azure issuer: https://login.microsoftonline.com/${tenantId}/v2.0 clientID: ${appClientId} - clientSecret: \$oidc.azure.clientSecret + clientSecret: $oidc.azure.clientSecret requestedIDTokenClaims: groups: essential: true From 291040671a6a6ed80aefba0b917abb2e10529215 Mon Sep 17 00:00:00 2001 
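Review bot: The new line `clientSecret: $oidc.azure.clientSecret` now reads like an unrendered variable, and nothing in the template says why it stays bare while `${tenantId}` and `${appClientId}` are interpolated. With `templatefile()` a `$` that is not followed by `{` passes through literally, so the value survives rendering, but a comment such as `# $oidc.azure.clientSecret is an Argo CD reference to a key in the argocd-secret Secret, resolved by Argo CD at runtime, not a Terraform interpolation` would stop someone from re-escaping it or, worse, inlining the real secret value into this ConfigMap patch. The removed `\$` escape was presumably only needed while the file was piped through the shell heredoc, which is worth stating in the same comment.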
From: Adam Rush Date: Thu, 8 Apr 2021 07:22:45 +0100 Subject: [PATCH 11/70] Added pessimistic constraint operator to aks module version --- terraform/aks.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index 9ec36cc..d3b03fc 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -54,7 +54,7 @@ resource "azurerm_log_analytics_solution" "aks" { # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest module "aks" { source = "adamrushuk/aks/azurerm" - version = "0.8.0" + version = "~> 0.7" kubernetes_version = var.kubernetes_version location = azurerm_resource_group.aks.location From db37563f8d78b75e050ea15b4cfa862c4f749f0e Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 8 Apr 2021 07:44:56 +0100 Subject: [PATCH 12/70] Removed StatusCodeVariable to fix PowerShell 6 usage --- function_app/profile.ps1 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/function_app/profile.ps1 b/function_app/profile.ps1 index 0be2628..4ff91fd 100644 --- a/function_app/profile.ps1 +++ b/function_app/profile.ps1 @@ -56,9 +56,10 @@ function Send-IftttAppNotification { value3 = $Value3 } - Invoke-RestMethod -Method Get -Uri $webhookUrl -Body $body -ResponseHeadersVariable responseHeaders -StatusCodeVariable statusCode + # TEMP removal of "StatusCodeVariable" until PowerShell 7 function app issues are resolved + Invoke-RestMethod -Method Get -Uri $webhookUrl -Body $body -ResponseHeadersVariable responseHeaders #-StatusCodeVariable statusCode - Write-Host "Status Code: [$statusCode]" + # Write-Host "Status Code: [$statusCode]" Write-Host "Response Headers:`n" $responseHeaders | Out-String } From b685b6a2d28efced4ea41fe6560d8caf2691b6ce Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 8 Apr 2021 07:45:13 +0100 Subject: [PATCH 13/70] Bumped argocd to v2.0.0 --- terraform/files/scripts/argocd_config.sh | 2 +- terraform/variables.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
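Review bot: With `-StatusCodeVariable` dropped, `Send-IftttAppNotification` no longer records or reports the HTTP status at all, and the `Write-Host "Status Code: ..."` line is left as commented-out dead code rather than being replaced by any failure signal. Since `Invoke-RestMethod` raises an error for non-success responses by default, the cheapest equivalent is to make that error fatal for the caller, `Invoke-RestMethod -Method Get -Uri $webhookUrl -Body $body -ResponseHeadersVariable responseHeaders -ErrorAction Stop`, so a failed notification is not silently ignored. The `# TEMP removal` comment should also become a TODO that names the PowerShell 7 function-app issue it is waiting on, otherwise there is no trigger to restore the status check. The function's signature and `$body` construction start before this hunk.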
diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index 61bf45e..3f17a73 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -13,7 +13,7 @@ export ARGOCD_OPTS="--grpc-web" ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install -VERSION="v1.8.7" +VERSION="v2.0.0" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" diff --git a/terraform/variables.tf b/terraform/variables.tf index cec05f8..1751354 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -91,12 +91,12 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "2.17.5" + default = "3.0.0" } # https://hub.docker.com/r/argoproj/argocd/tags variable "argocd_image_tag" { - default = "v1.8.7" + default = "v2.0.0" } #endregion Versions From 7afc640fb23e0dea6af38082105579396294344b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 8 Apr 2021 08:29:34 +0100 Subject: [PATCH 14/70] Changed argo cd default password check --- terraform/files/scripts/argocd_config.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index 3f17a73..a22a17f 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh 
@@ -29,9 +29,10 @@ echo "Showing Argo CD version info for [$ARGOCD_FQDN]..." "$ARGOCD_PATH" version --server "$ARGOCD_FQDN" # Get default admin password -# default password is server pod name, eg: "argocd-server-89c6cd7d4-xxxxx" +# Argo CD v1.9 and later: https://argoproj.github.io/argo-cd/getting_started/#4-login-using-the-cli +# check secret called "argocd-initial-admin-secret" echo "Getting default admin password..." -DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2) +DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d) # Login echo "Logging in to Argo CD with default password..." From 30c7a0d6efdc60246de4a58a9c6be58187c16120 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 8 Apr 2021 08:37:37 +0100 Subject: [PATCH 15/70] Changed aks module version --- terraform/aks.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index d3b03fc..fd42e39 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -54,7 +54,7 @@ resource "azurerm_log_analytics_solution" "aks" { # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest module "aks" { source = "adamrushuk/aks/azurerm" - version = "~> 0.7" + version = "~> 0.8.0" kubernetes_version = var.kubernetes_version location = azurerm_resource_group.aks.location From 3ed094310e4c1f5949e7539f37a75867afeac25e Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 9 Apr 2021 06:26:51 +0100 Subject: [PATCH 16/70] Changed debug config --- .vscode/launch.json | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/.vscode/launch.json b/.vscode/launch.json index 4027c7e..7c74a02 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json 
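Review bot: The new `DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl ... | base64 -d)` line silently yields an empty string when `argocd-initial-admin-secret` is missing or when `kubectl` fails, because the assignment's exit status comes from `base64 -d`, which succeeds on empty input (unless `set -o pipefail` is in effect, which is not visible in this hunk). The getting-started page linked in the comment above it tells operators to delete that secret once the admin password has been changed, so the missing-secret case is expected on re-runs, and the following login would then be attempted with an empty password. Guard the value before it is used: `[ -n "$DEFAULT_ARGO_ADMIN_PASSWORD" ] || { echo "argocd-initial-admin-secret not found or empty" >&2; exit 1; }`. If the script later changes the admin password (outside this hunk), deleting the initial secret afterwards would be consistent with that guide.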
@@ -1,13 +1,11 @@ { - "version": "0.2.0", "configurations": [ - { - "name": "Attach to PowerShell Functions", - "type": "PowerShell", - "request": "attach", - "customPipeName": "AzureFunctionsPSWorker", - "runspaceId": 1, - "preLaunchTask": "func: host start" - } + { + "name": "PowerShell Launch Current File", + "type": "PowerShell", + "request": "launch", + "script": "${file}", + "cwd": "${file}" + } ] } From 730145122f9221bcab217f7953a4d28a4de7d5bf Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 9 Apr 2021 06:27:19 +0100 Subject: [PATCH 17/70] Changed terraform to v0.14.10 --- .devcontainer/Dockerfile | 2 +- .devcontainer/devcontainer.json | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index f48e60d..9b54dcd 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -45,7 +45,7 @@ RUN if [ "${INSTALL_AZURE_CLI}" = "true" ]; then bash /tmp/library-scripts/azcli # Install Terraform, tflint, Go, PowerShell, and other useful tools # TODO: move this into main "RUN" layer above -ARG TERRAFORM_VERSION=0.14.9 +ARG TERRAFORM_VERSION=0.14.10 ARG TFLINT_VERSION=0.18.0 RUN bash /tmp/library-scripts/terraform-debian.sh "${TERRAFORM_VERSION}" "${TFLINT_VERSION}" \ && bash /tmp/library-scripts/powershell-debian.sh \ diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 670c689..942a705 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "build": { "dockerfile": "Dockerfile", "args": { - "TERRAFORM_VERSION": "0.14.9", + "TERRAFORM_VERSION": "0.14.10", "TFLINT_VERSION": "0.22.0", "INSTALL_AZURE_CLI": "true", "INSTALL_DOCKER": "true", diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a8d9a51..d77efdf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
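Review bot: The new configuration sets `"cwd": "${file}"`, which resolves to the full path of the current file rather than its directory; the directory variable is `${fileDirname}`, so this should read `"cwd": "${fileDirname}"` if the intent is to run the script from its own folder. Dropping `"version": "0.2.0"` also removes the schema version that VS Code's launch.json documentation includes; it is likely harmless, but keeping it costs nothing. The removed attach configuration was the only entry wired to the Functions host (`"preLaunchTask": "func: host start"`), so local debugging of the function app now has no launch entry, which is worth stating in the commit message if intended.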
@@ -58,7 +58,7 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "0.14.9" + TF_VERSION: "0.14.10" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases TFLINT_RULESET_AZURERM_VERSION: "v0.9.0" diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index cac5aee..9a4a410 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -52,7 +52,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "0.14.9" + TF_VERSION: "0.14.10" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: From c6cab15b39c5a818460bf11a821e30e8ff7be1a5 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 9 Apr 2021 07:45:47 +0100 Subject: [PATCH 18/70] Bumped nginx and cert-manager charts --- terraform/variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 1751354..463cc02 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -21,13 +21,13 @@ variable "kubernetes_version" { # helm search repo ingress-nginx/ingress-nginx # * also update terraform/helm/nginx_values.yaml variable "nginx_chart_version" { - default = "3.27.0" + default = "3.29.0" } # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.2.0" + default = "v1.3.0" } # https://github.com/vmware-tanzu/helm-charts/releases From 37f4e394d26ccb366d0aa8cd35bdf25dee2f4b3f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 9 Apr 2021 07:46:06 +0100 Subject: [PATCH 19/70] Bumped azurerm to v2.55.0 --- terraform/versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index 37fc53c..f15f211 100644 
--- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.54.0" + version = "~> 2.55.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases From 6c10e36ad4242d197a7872164cccade06d769ef5 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 14 Apr 2021 08:04:48 +0100 Subject: [PATCH 20/70] Changed velero to v1.6.0 --- terraform/helm/velero_values.yaml | 7 ++++--- terraform/variables.tf | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/terraform/helm/velero_values.yaml b/terraform/helm/velero_values.yaml index a806585..22f4fa7 100644 --- a/terraform/helm/velero_values.yaml +++ b/terraform/helm/velero_values.yaml @@ -1,4 +1,4 @@ -# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.15.0/charts/velero/values.yaml +# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.17.0/charts/velero/values.yaml ## ## Configuration settings that directly affect the Velero deployment YAML. @@ -9,7 +9,7 @@ image: # https://hub.docker.com/r/velero/velero/tags repository: velero/velero - tag: v1.5.3 + tag: v1.6.0 # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. If used, it will # take precedence over the image.tag. # digest: @@ -50,7 +50,7 @@ dnsPolicy: ClusterFirst initContainers: - name: velero-plugin-for-microsoft-azure # https://hub.docker.com/r/velero/velero-plugin-for-microsoft-azure/tags - image: velero/velero-plugin-for-microsoft-azure:v1.1.2 + image: velero/velero-plugin-for-microsoft-azure:v1.2.0 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target @@ -221,6 +221,7 @@ serviceAccount: create: true name: annotations: + labels: # Info about the secret to be used by the Velero deployment, which # should contain credentials for the cloud provider IAM account you've 
diff --git a/terraform/variables.tf b/terraform/variables.tf index 463cc02..0aa7c71 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -34,7 +34,7 @@ variable "cert_manager_chart_version" { # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.16.0" + default = "2.17.0" } # https://hub.docker.com/r/velero/velero/tags From 0fa9ac7540e7a0a1c851c891b29f4000afff88f5 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 14 Apr 2021 08:14:57 +0100 Subject: [PATCH 21/70] Changed velero image tag to v1.6.0 --- terraform/variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 0aa7c71..f78586b 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -39,7 +39,7 @@ variable "velero_chart_version" { # https://hub.docker.com/r/velero/velero/tags variable "velero_image_tag" { - default = "v1.5.4" + default = "v1.6.0" } # https://hub.docker.com/r/sonatype/nexus3/tags @@ -72,7 +72,7 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "4.9.4" + default = "4.10.0" } # https://github.com/weaveworks/kured/tree/master/charts/kured From c8a17738abcf946226009f3b0c7c3d0ce558d7cb Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 14 Apr 2021 08:20:33 +0100 Subject: [PATCH 22/70] Changed argocd chart to v3.1.0 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index f78586b..5bb35a1 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -91,7 +91,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.0.0" + default = "3.1.0" } # https://hub.docker.com/r/argoproj/argocd/tags From 146d98d3d446340126adf42163eee476a1b3176f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 16 Apr 2021 07:46:32 +0100 Subject: [PATCH 23/70] Added only velero overrides to helm values --- terraform/helm/velero_default_values.yaml | 329 ++++++++++++++++++++++ terraform/helm/velero_values.yaml | 309 +------------------- 2 files changed, 332 insertions(+), 306 deletions(-) create mode 100644 terraform/helm/velero_default_values.yaml diff --git a/terraform/helm/velero_default_values.yaml b/terraform/helm/velero_default_values.yaml new file mode 100644 index 0000000..f74499a --- /dev/null +++ b/terraform/helm/velero_default_values.yaml 
@@ -0,0 +1,329 @@ +# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.17.2/charts/velero/values.yaml + +## +## Configuration settings that directly affect the Velero deployment YAML. +## + +# Details of the container image to use in the Velero deployment & daemonset (if +# enabling restic). Required. +image: + repository: velero/velero + tag: v1.6.0 + # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. If used, it will + # take precedence over the image.tag. + # digest: + pullPolicy: IfNotPresent + # One or more secrets to be used when pulling images + imagePullSecrets: [] + # - registrySecretName + +# Annotations to add to the Velero deployment's. Optional. +# +# If you are using reloader use the following annotation with your VELERO_SECRET_NAME +annotations: {} +# secret.reloader.stakater.com/reload: "" + +# Labels to add to the Velero deployment's. Optional. +labels: {} + +# Annotations to add to the Velero deployment's pod template. Optional. +# +# If using kube2iam or kiam, use the following annotation with your AWS_ACCOUNT_ID +# and VELERO_ROLE_NAME filled in: +podAnnotations: {} + # iam.amazonaws.com/role: "arn:aws:iam:::role/" + +# Additional pod labels for Velero deployment's template. Optional +# ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +podLabels: {} + +# Resource requests/limits to specify for the Velero deployment. Optional. +resources: {} + +# Configure the dnsPolicy of the Velero deployment +# See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: ClusterFirst + +# Init containers to add to the Velero deployment's pod spec. At least one plugin provider image is required. 
+initContainers: [] + # - name: velero-plugin-for-aws + # image: velero/velero-plugin-for-aws:v1.2.0 + # imagePullPolicy: IfNotPresent + # volumeMounts: + # - mountPath: /target + # name: plugins + +# SecurityContext to use for the Velero deployment. Optional. +# Set fsGroup for `AWS IAM Roles for Service Accounts` +# see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html +securityContext: {} + # fsGroup: 1337 + +# Pod priority class name to use for the Velero deployment. Optional. +priorityClassName: "" + +# Tolerations to use for the Velero deployment. Optional. +tolerations: [] + +# Affinity to use for the Velero deployment. Optional. +affinity: {} + +# Node selector to use for the Velero deployment. Optional. +nodeSelector: {} + +# Extra volumes for the Velero deployment. Optional. +extraVolumes: [] + +# Extra volumeMounts for the Velero deployment. Optional. +extraVolumeMounts: [] + +# Settings for Velero's prometheus metrics. Enabled by default. +metrics: + enabled: true + scrapeInterval: 30s + scrapeTimeout: 10s + + # service metdata if metrics are enabled + service: + annotations: {} + labels: {} + + # Pod annotations for Prometheus + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8085" + prometheus.io/path: "/metrics" + + serviceMonitor: + enabled: false + additionalLabels: {} + # ServiceMonitor namespace. Default to Velero namespace. + # namespace: + +## +## End of deployment-related settings. +## + + +## +## Parameters for the `default` BackupStorageLocation and VolumeSnapshotLocation, +## and additional server settings. +## +configuration: + # Cloud provider being used (e.g. aws, azure, gcp). + provider: + + # Parameters for the `default` BackupStorageLocation. See + # https://velero.io/docs/v1.5/api-types/backupstoragelocation/ + backupStorageLocation: + # name is the name of the backup storage location where backups should be stored. 
If a name is not provided, + # a backup storage location will be created with the name "default". Optional. + name: + # provider is the name for the backup storage location provider. If omitted + # `configuration.provider` will be used instead. + provider: + # bucket is the name of the bucket to store backups in. Required. + bucket: + # caCert defines a base64 encoded CA bundle to use when verifying TLS connections to the provider. + caCert: + # prefix is the directory under which all Velero data should be stored within the bucket. Optional. + prefix: + # Additional provider-specific configuration. See link above + # for details of required/optional fields for your provider. + config: {} + # region: + # s3ForcePathStyle: + # s3Url: + # kmsKeyId: + # resourceGroup: + # The ID of the subscription containing the storage account, if different from the cluster’s subscription. (Azure only) + # subscriptionId: + # storageAccount: + # publicUrl: + # Name of the GCP service account to use for this backup storage location. Specify the + # service account here if you want to use workload identity instead of providing the key file.(GCP only) + # serviceAccount: + + # Parameters for the `default` VolumeSnapshotLocation. See + # https://velero.io/docs/v1.5/api-types/volumesnapshotlocation/ + volumeSnapshotLocation: + # name is the name of the volume snapshot location where snapshots are being taken. Required. + name: + # provider is the name for the volume snapshot provider. If omitted + # `configuration.provider` will be used instead. + provider: + # Additional provider-specific configuration. See link above + # for details of required/optional fields for your provider. + config: {} + # region: + # apitimeout: + # resourceGroup: + # The ID of the subscription where volume snapshots should be stored, if different from the cluster’s subscription. If specified, also requires `configuration.volumeSnapshotLocation.config.resourceGroup`to be set. 
(Azure only) + # subscriptionId: + # snapshotLocation: + # project: + + # These are server-level settings passed as CLI flags to the `velero server` command. Velero + # uses default values if they're not passed in, so they only need to be explicitly specified + # here if using a non-default value. The `velero server` default values are shown in the + # comments below. + # -------------------- + # `velero server` default: 1m + backupSyncPeriod: + # `velero server` default: 1h + resticTimeout: + # `velero server` default: namespaces,persistentvolumes,persistentvolumeclaims,secrets,configmaps,serviceaccounts,limitranges,pods + restoreResourcePriorities: + # `velero server` default: false + restoreOnlyMode: + # `velero server` default: 20.0 + clientQPS: + # `velero server` default: 30 + clientBurst: + # `velero server` default: empty + disableControllers: + # + + # additional key/value pairs to be used as environment variables such as "AWS_CLUSTER_NAME: 'yourcluster.domain.tld'" + extraEnvVars: {} + + # Comma separated list of velero feature flags. default: empty + features: + + # Set log-level for Velero pod. Default: info. Other options: debug, warning, error, fatal, panic. + logLevel: + + # Set log-format for Velero pod. Default: text. Other option: json. + logFormat: + + # Set true for backup all pod volumes without having to apply annotation on the pod when used restic Default: false. Other option: false. + defaultVolumesToRestic: + +## +## End of backup/snapshot location settings. +## + + +## +## Settings for additional Velero resources. +## + +rbac: + # Whether to create the Velero role and role binding to give all permissions to the namespace to Velero. + create: true + # Whether to create the cluster role binding to give administrator permissions to Velero + clusterAdministrator: true + +# Information about the Kubernetes service account Velero uses. 
+serviceAccount: + server: + create: true + name: + annotations: + labels: + +# Info about the secret to be used by the Velero deployment, which +# should contain credentials for the cloud provider IAM account you've +# set up for Velero. +credentials: + # Whether a secret should be used as the source of IAM account + # credentials. Set to false if, for example, using kube2iam or + # kiam to provide IAM credentials for the Velero pod. + useSecret: true + # Name of the secret to create if `useSecret` is true and `existingSecret` is empty + name: + # Name of a pre-existing secret (if any) in the Velero namespace + # that should be used to get IAM account credentials. Optional. + existingSecret: + # Data to be stored in the Velero secret, if `useSecret` is true and `existingSecret` is empty. + # As of the current Velero release, Velero only uses one secret key/value at a time. + # The key must be named `cloud`, and the value corresponds to the entire content of your IAM credentials file. + # Note that the format will be different for different providers, please check their documentation. + # Here is a list of documentation for plugins maintained by the Velero team: + # [AWS] https://github.com/vmware-tanzu/velero-plugin-for-aws/blob/main/README.md + # [GCP] https://github.com/vmware-tanzu/velero-plugin-for-gcp/blob/main/README.md + # [Azure] https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/blob/main/README.md + secretContents: {} + # cloud: | + # [default] + # aws_access_key_id= + # aws_secret_access_key= + # additional key/value pairs to be used as environment variables such as "DIGITALOCEAN_TOKEN: ". Values will be stored in the secret. + extraEnvVars: {} + # Name of a pre-existing secret (if any) in the Velero namespace + # that will be used to load environment variables into velero and restic. 
+ # Secret should be in format - https://kubernetes.io/docs/concepts/configuration/secret/#use-case-as-container-environment-variables + extraSecretRef: "" + +# Whether to create backupstoragelocation crd, if false => do not create a default backup location +backupsEnabled: true +# Whether to create volumesnapshotlocation crd, if false => disable snapshot feature +snapshotsEnabled: true + +# Whether to deploy the restic daemonset. +deployRestic: false + +restic: + podVolumePath: /var/lib/kubelet/pods + privileged: false + # Pod priority class name to use for the Restic daemonset. Optional. + priorityClassName: "" + # Resource requests/limits to specify for the Restic daemonset deployment. Optional. + resources: {} + # Tolerations to use for the Restic daemonset. Optional. + tolerations: [] + + # Annotations to set for the Restic daemonset. Optional. + annotations: {} + + # labels to set for the Restic daemonset. Optional. + labels: {} + + # Extra volumes for the Restic daemonset. Optional. + extraVolumes: [] + + # Extra volumeMounts for the Restic daemonset. Optional. + extraVolumeMounts: [] + + # Configure the dnsPolicy of the Restic daemonset + # See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + # SecurityContext to use for the Velero deployment. Optional. + # Set fsGroup for `AWS IAM Roles for Service Accounts` + # see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + securityContext: {} + # fsGroup: 1337 + + # Node selector to use for the Restic daemonset. Optional. + nodeSelector: {} + +# Backup schedules to create. +# Eg: +# schedules: +# mybackup: +# labels: +# myenv: foo +# annotations: +# myenv: foo +# schedule: "0 0 * * *" +# template: +# ttl: "240h" +# includedNamespaces: +# - foo +schedules: {} + +# Velero ConfigMaps. 
+# Eg: +# configMaps: +# restic-restore-action-config: +# labels: +# velero.io/plugin-config: "" +# velero.io/restic: RestoreItemAction +# data: +# image: velero/velero-restic-restore-helper:v1.3.1 +configMaps: {} + +## +## End of additional Velero resource settings. +## diff --git a/terraform/helm/velero_values.yaml b/terraform/helm/velero_values.yaml index 22f4fa7..0018069 100644 --- a/terraform/helm/velero_values.yaml +++ b/terraform/helm/velero_values.yaml 
@@ -1,51 +1,6 @@ -# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.17.0/charts/velero/values.yaml +# velero helm values +# source (with full comments): https://github.com/vmware-tanzu/helm-charts/blob/velero-2.17.0/charts/velero/values.yaml -## -## Configuration settings that directly affect the Velero deployment YAML. -## - -# Details of the container image to use in the Velero deployment & daemonset (if -# enabling restic). Required. -image: - # https://hub.docker.com/r/velero/velero/tags - repository: velero/velero - tag: v1.6.0 - # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. If used, it will - # take precedence over the image.tag. - # digest: - pullPolicy: IfNotPresent - # One or more secrets to be used when pulling images - imagePullSecrets: [] - # - registrySecretName - -# Annotations to add to the Velero deployment's. Optional. -# -# If you are using reloader use the following annotation with your VELERO_SECRET_NAME -annotations: {} -# secret.reloader.stakater.com/reload: "" - -# Labels to add to the Velero deployment's. Optional. -labels: {} - -# Annotations to add to the Velero deployment's pod template. Optional. -# -# If using kube2iam or kiam, use the following annotation with your AWS_ACCOUNT_ID -# and VELERO_ROLE_NAME filled in: -podAnnotations: {} - # iam.amazonaws.com/role: "arn:aws:iam:::role/" - -# Additional pod labels for Velero deployment's template. Optional -# ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -podLabels: {} - -# Resource requests/limits to specify for the Velero deployment. Optional. -resources: {} - -# Configure the dnsPolicy of the Velero deployment -# See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy -dnsPolicy: ClusterFirst - -# Init containers to add to the Velero deployment's pod spec. At least one plugin provider image is required. 
# https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/releases initContainers: - name: velero-plugin-for-microsoft-azure 
@@ -56,275 +11,17 @@ initContainers: - mountPath: /target name: plugins -# SecurityContext to use for the Velero deployment. Optional. -# Set fsGroup for `AWS IAM Roles for Service Accounts` -# see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html -securityContext: {} - # fsGroup: 1337 - -# Pod priority class name to use for the Velero deployment. Optional. -priorityClassName: "" - -# Tolerations to use for the Velero deployment. Optional. -tolerations: [] - -# Affinity to use for the Velero deployment. Optional. -affinity: {} - -# Node selector to use for the Velero deployment. Optional. -nodeSelector: {} -# Extra volumes for the Velero deployment. Optional. -extraVolumes: [] - -# Extra volumeMounts for the Velero deployment. Optional. -extraVolumeMounts: [] - -# Settings for Velero's prometheus metrics. Enabled by default. -metrics: - enabled: true - scrapeInterval: 30s - scrapeTimeout: 10s - - # service metdata if metrics are enabled - service: - annotations: {} - labels: {} - - # Pod annotations for Prometheus - podAnnotations: - prometheus.io/scrape: "true" - prometheus.io/port: "8085" - prometheus.io/path: "/metrics" - - serviceMonitor: - enabled: false - additionalLabels: {} - # ServiceMonitor namespace. Default to Velero namespace. - # namespace: - -## -## End of deployment-related settings. -## - - -## -## Parameters for the `default` BackupStorageLocation and VolumeSnapshotLocation, -## and additional server settings. -## +# BackupStorageLocation and VolumeSnapshotLocation configuration: - # Cloud provider being used (e.g. aws, azure, gcp). provider: azure - - # Parameters for the `default` BackupStorageLocation. See - # https://velero.io/docs/v1.5/api-types/backupstoragelocation/ backupStorageLocation: - # name is the name of the backup storage location where backups should be stored. If a name is not provided, - # a backup storage location will be created with the name "default". Optional. 
name: default - # provider is the name for the backup storage location provider. If omitted - # `configuration.provider` will be used instead. provider: - # bucket is the name of the bucket to store backups in. Required. bucket: velero - # caCert defines a base64 encoded CA bundle to use when verifying TLS connections to the provider. - caCert: - # prefix is the directory under which all Velero data should be stored within the bucket. Optional. - prefix: - # Additional provider-specific configuration. See link above - # for details of required/optional fields for your provider. - config: {} - # region: - # s3ForcePathStyle: - # s3Url: - # kmsKeyId: - # resourceGroup: - # The ID of the subscription containing the storage account, if different from the cluster’s subscription. (Azure only) - # subscriptionId: - # storageAccount: - # publicUrl: - # Name of the GCP service account to use for this backup storage location. Specify the - # service account here if you want to use workload identity instead of providing the key file.(GCP only) - # serviceAccount: - - # Parameters for the `default` VolumeSnapshotLocation. See - # https://velero.io/docs/v1.5/api-types/volumesnapshotlocation/ volumeSnapshotLocation: - # name is the name of the volume snapshot location where snapshots are being taken. Required. name: default - # provider is the name for the volume snapshot provider. If omitted - # `configuration.provider` will be used instead. - provider: - # Additional provider-specific configuration. See link above - # for details of required/optional fields for your provider. - config: {} - # region: - # apitimeout: - # resourceGroup: - # The ID of the subscription where volume snapshots should be stored, if different from the cluster’s subscription. If specified, also requires `configuration.volumeSnapshotLocation.config.resourceGroup`to be set. 
(Azure only) - # subscriptionId: - # snapshotLocation: - # project: - - # These are server-level settings passed as CLI flags to the `velero server` command. Velero - # uses default values if they're not passed in, so they only need to be explicitly specified - # here if using a non-default value. The `velero server` default values are shown in the - # comments below. - # -------------------- - # `velero server` default: 1m - backupSyncPeriod: - # `velero server` default: 1h - resticTimeout: - # `velero server` default: namespaces,persistentvolumes,persistentvolumeclaims,secrets,configmaps,serviceaccounts,limitranges,pods - restoreResourcePriorities: - # `velero server` default: false - restoreOnlyMode: - # `velero server` default: 20.0 - clientQPS: - # `velero server` default: 30 - clientBurst: - # - # additional key/value pairs to be used as environment variables such as "AWS_CLUSTER_NAME: 'yourcluster.domain.tld'" - extraEnvVars: {} - - # Comma separated list of velero feature flags. default: empty - features: - - # Set log-level for Velero pod. Default: info. Other options: debug, warning, error, fatal, panic. - logLevel: - - # Set log-format for Velero pod. Default: text. Other option: json. - logFormat: - - # Set true for backup all pod volumes without having to apply annotation on the pod when used restic Default: false. Other option: false. - defaultVolumesToRestic: - -## -## End of backup/snapshot location settings. -## - - -## -## Settings for additional Velero resources. -## - -rbac: - # Whether to create the Velero role and role binding to give all permissions to the namespace to Velero. - create: true - # Whether to create the cluster role binding to give administrator permissions to Velero - clusterAdministrator: true - -# Information about the Kubernetes service account Velero uses. 
-serviceAccount: - server: - create: true - name: - annotations: - labels: - -# Info about the secret to be used by the Velero deployment, which -# should contain credentials for the cloud provider IAM account you've -# set up for Velero. credentials: - # Whether a secret should be used as the source of IAM account - # credentials. Set to false if, for example, using kube2iam or - # kiam to provide IAM credentials for the Velero pod. useSecret: true - # Name of the secret to create if `useSecret` is true and `existingSecret` is empty - name: - # Name of a pre-existing secret (if any) in the Velero namespace - # that should be used to get IAM account credentials. Optional. existingSecret: velero-credentials - # Data to be stored in the Velero secret, if `useSecret` is true and `existingSecret` is empty. - # As of the current Velero release, Velero only uses one secret key/value at a time. - # The key must be named `cloud`, and the value corresponds to the entire content of your IAM credentials file. - # Note that the format will be different for different providers, please check their documentation. - # Here is a list of documentation for plugins maintained by the Velero team: - # [AWS] https://github.com/vmware-tanzu/velero-plugin-for-aws/blob/main/README.md - # [GCP] https://github.com/vmware-tanzu/velero-plugin-for-gcp/blob/main/README.md - # [Azure] https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/blob/main/README.md - secretContents: {} - # cloud: | - # [default] - # aws_access_key_id= - # aws_secret_access_key= - # additional key/value pairs to be used as environment variables such as "DIGITALOCEAN_TOKEN: ". Values will be stored in the secret. - extraEnvVars: {} - # Name of a pre-existing secret (if any) in the Velero namespace - # that will be used to load environment variables into velero and restic. 
- # Secret should be in format - https://kubernetes.io/docs/concepts/configuration/secret/#use-case-as-container-environment-variables - extraSecretRef: "" - -# Whether to create backupstoragelocation crd, if false => do not create a default backup location -backupsEnabled: true -# Whether to create volumesnapshotlocation crd, if false => disable snapshot feature -snapshotsEnabled: true - -# Whether to deploy the restic daemonset. -deployRestic: false - -restic: - podVolumePath: /var/lib/kubelet/pods - privileged: false - # Pod priority class name to use for the Restic daemonset. Optional. - priorityClassName: "" - # Resource requests/limits to specify for the Restic daemonset deployment. Optional. - resources: {} - # Tolerations to use for the Restic daemonset. Optional. - tolerations: [] - - # Annotations to set for the Restic daemonset. Optional. - annotations: {} - - # labels to set for the Restic daemonset. Optional. - labels: {} - - # Extra volumes for the Restic daemonset. Optional. - extraVolumes: [] - - # Extra volumeMounts for the Restic daemonset. Optional. - extraVolumeMounts: [] - - # Configure the dnsPolicy of the Restic daemonset - # See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy - dnsPolicy: ClusterFirst - - # SecurityContext to use for the Velero deployment. Optional. - # Set fsGroup for `AWS IAM Roles for Service Accounts` - # see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html - securityContext: {} - # fsGroup: 1337 - - # Node selector to use for the Restic daemonset. Optional. - nodeSelector: {} - -# Backup schedules to create. -# Eg: -# schedules: -# mybackup: -# labels: -# myenv: foo -# annotations: -# myenv: foo -# schedule: "0 0 * * *" -# template: -# ttl: "240h" -# includedNamespaces: -# - foo -schedules: {} - -# Velero ConfigMaps. 
-# Eg: -# configMaps: -# restic-restore-action-config: -# labels: -# velero.io/plugin-config: "" -# velero.io/restic: RestoreItemAction -# data: -# image: velero/velero-restic-restore-helper:v1.3.1 -configMaps: {} - -## -## End of additional Velero resource settings. -## From 19d3c3efa522545bb2f5b8edc1d0f66afa6020c7 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 16 Apr 2021 07:47:01 +0100 Subject: [PATCH 24/70] Changed azurerm and k8s tf provider versions --- terraform/versions.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index f15f211..13139e5 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.55.0" + version = "~> 2.56.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases @@ -35,7 +35,7 @@ terraform { # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.0.3" + version = "~> 2.1.0" } # https://github.com/hashicorp/terraform-provider-helm/releases From fcb2ffc3f4269e081e861d86b7d90bc596c8149b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 16 Apr 2021 07:47:19 +0100 Subject: [PATCH 25/70] Changed tool versions --- terraform/variables.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 5bb35a1..4969255 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -6,7 +6,7 @@ # https://github.com/Azure/AKS/releases # az aks get-versions --location uksouth --output table variable "kubernetes_version" { - default = "1.19.7" + default = "1.19.9" } # Helm charts 
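Review bot: The trimmed override now inherits `rbac.clusterAdministrator: true` silently; the removed lines in this hunk document that this default creates a cluster role binding giving Velero administrator permissions, and nothing on the new side records that the grant is deliberate. I would keep the stanza explicit with a why-comment, `rbac:` / `  create: true` / `  clusterAdministrator: true # cluster-wide backup/restore needs it; revisit if scope can be narrowed`, so reviewers of this file see the privilege level without opening the vendored defaults file. The Azure `backupStorageLocation.config` keys (`resourceGroup`, `storageAccount`, `subscriptionId`) also disappear here and are presumably supplied from the Terraform `helm_release`; a one-line comment saying so would stop someone re-adding them, or a storage account key, in plain text in this file. The same explicit-and-commented treatment is worth giving `deployRestic: false` and `restic.privileged: false`, since enabling restic later is a privilege change that should be visible in the override, not only in the chart default.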
@@ -27,14 +27,14 @@ variable "nginx_chart_version" { # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.3.0" + default = "v1.3.1" } # https://github.com/vmware-tanzu/helm-charts/releases # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.17.0" + default = "2.17.2" } # https://hub.docker.com/r/velero/velero/tags @@ -91,12 +91,12 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.1.0" + default = "3.1.1" } # https://hub.docker.com/r/argoproj/argocd/tags variable "argocd_image_tag" { - default = "v2.0.0" + default = "v2.0.1" } #endregion Versions From 097baa4d3b89e11530dce41d982a5619a9fd00c9 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 16 Apr 2021 07:54:04 +0100 Subject: [PATCH 26/70] Change aks version to v1.19.7 --- terraform/variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 4969255..e2f81fd 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -4,9 +4,9 @@ #region Versions # version used for both main AKS API service, and default node pool # https://github.com/Azure/AKS/releases -# az aks get-versions --location uksouth --output table +# az aks get-versions --location eastus --output table variable "kubernetes_version" { - default = "1.19.9" + default = "1.19.7" } # Helm charts From 9fab8a10733cd12734c8423b04b9bf7392531075 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 21 Apr 2021 08:49:00 +0100 Subject: [PATCH 27/70] Bumped versions --- terraform/variables.tf | 8 ++++---- terraform/versions.tf | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/terraform/variables.tf b/terraform/variables.tf
index e2f81fd..c730537 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -6,7 +6,7 @@
 # https://github.com/Azure/AKS/releases
 # az aks get-versions --location eastus --output table
 variable "kubernetes_version" {
- default = "1.19.7"
+ default = "1.19.9"
 }
 
 # Helm charts
@@ -34,7 +34,7 @@ variable "cert_manager_chart_version" {
 # helm search repo vmware-tanzu/velero
 # * also update terraform/helm/velero_values.yaml
 variable "velero_chart_version" {
- default = "2.17.2"
+ default = "2.18.2"
 }
 
 # https://hub.docker.com/r/velero/velero/tags
@@ -72,13 +72,13 @@ variable "aad_pod_identity_chart_version" {
 # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21
 # helm search repo bitnami/external-dns
 variable "external_dns_chart_version" {
- default = "4.10.0"
+ default = "4.11.0"
 }
 
 # https://github.com/weaveworks/kured/tree/master/charts/kured
 # helm search repo kured/kured
 variable "kured_chart_version" {
- default = "2.4.2"
+ default = "2.4.3"
 }
 
 # https://github.com/weaveworks/kured#kubernetes--os-compatibility
diff --git a/terraform/versions.tf b/terraform/versions.tf
index 13139e5..40daa79 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -41,7 +41,7 @@ terraform {
 # https://github.com/hashicorp/terraform-provider-helm/releases
 helm = {
 source = "hashicorp/helm"
- version = "~> 2.1.0"
+ version = "~> 2.1.1"
 }
 
 random = {
From c6e49a77fabb1b2788ca8840cabcedd99063e7c3 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Thu, 22 Apr 2021 07:51:22 +0100
Subject: [PATCH 28/70] Changed velero chart to v2.19.0

---
 terraform/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/variables.tf b/terraform/variables.tf
index c730537..e62c5df 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -34,7 +34,7 @@ variable "cert_manager_chart_version" {
 # helm search repo vmware-tanzu/velero
 # * also update terraform/helm/velero_values.yaml
 variable "velero_chart_version" {
- default = "2.18.2"
+ default = "2.19.0"
 }
 
 # https://hub.docker.com/r/velero/velero/tags
From fe035d630add0407e19c0de1dd9c64861045dbc7 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Wed, 5 May 2021 07:45:48 +0100
Subject: [PATCH 29/70] Bumped charts and tf providers

---
 terraform/variables.tf | 13 ++++++-------
 terraform/versions.tf | 4 ++--
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/terraform/variables.tf b/terraform/variables.tf
index e62c5df..147bb42 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -19,9 +19,8 @@ variable "kubernetes_version" {
 #
 # helm repo update
 # helm search repo ingress-nginx/ingress-nginx
-# * also update terraform/helm/nginx_values.yaml
 variable "nginx_chart_version" {
- default = "3.29.0"
+ default = "3.30.0"
 }
 
 # https://hub.helm.sh/charts/jetstack/cert-manager
@@ -34,7 +33,7 @@ variable "cert_manager_chart_version" {
 # helm search repo vmware-tanzu/velero
 # * also update terraform/helm/velero_values.yaml
 variable "velero_chart_version" {
- default = "2.19.0"
+ default = "2.19.3"
 }
 
 # https://hub.docker.com/r/velero/velero/tags
@@ -44,7 +43,7 @@ variable "velero_image_tag" {
 
 # https://hub.docker.com/r/sonatype/nexus3/tags
 variable "nexus_image_tag" {
- default = "3.30.0"
+ default = "3.30.1"
 }
 
 # https://github.com/adamrushuk/charts/releases
@@ -59,7 +58,7 @@ variable "nexus_chart_version" {
 # https://github.com/SparebankenVest/public-helm-charts/blob/master/stable/akv2k8s/Chart.yaml#L5
 # helm search repo spv-charts/akv2k8s
 variable "akv2k8s_chart_version" {
- default = "2.0.10"
+ default = "2.0.11"
 }
 
 # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4
@@ -72,7 +71,7 @@ variable "aad_pod_identity_chart_version" {
 # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21
 # helm search repo bitnami/external-dns
 variable "external_dns_chart_version" {
- default = "4.11.0"
+ default = "4.12.3"
 }
 
 # https://github.com/weaveworks/kured/tree/master/charts/kured
@@ -91,7 +90,7 @@ variable "kured_image_tag" {
 # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5
 # helm search repo argo/argo-cd
 variable "argocd_chart_version" {
- default = "3.1.1"
+ default = "3.2.2"
 }
 
 # https://hub.docker.com/r/argoproj/argocd/tags
diff --git a/terraform/versions.tf b/terraform/versions.tf
index 40daa79..8acf5ca 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -23,7 +23,7 @@ terraform {
 # https://github.com/terraform-providers/terraform-provider-azurerm/releases
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.56.0"
+ version = "~> 2.57.0"
 }
 
 # https://github.com/terraform-providers/terraform-provider-azuread/releases
@@ -41,7 +41,7 @@ terraform {
 # https://github.com/hashicorp/terraform-provider-helm/releases
 helm = {
 source = "hashicorp/helm"
- version = "~> 2.1.1"
+ version = "~> 2.1.2"
 }
 
 random = {
From 8af643ee010a2abaca1b2bf128191d2b75d38a84 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Thu, 13 May 2021 07:44:27 +0100
Subject: [PATCH 30/70] Bumped charts and tf providers

---
 terraform/helm/velero_default_values.yaml | 59 ++++++++++++++++++-----
 terraform/variables.tf | 8 +--
 terraform/versions.tf | 4 +-
 3 files changed, 54 insertions(+), 17 deletions(-)

diff --git a/terraform/helm/velero_default_values.yaml b/terraform/helm/velero_default_values.yaml
index f74499a..5bdaa59 100644
--- a/terraform/helm/velero_default_values.yaml
+++ b/terraform/helm/velero_default_values.yaml
@@ -1,4 +1,4 @@ -# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.17.2/charts/velero/values.yaml +# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.21.0/charts/velero/values.yaml ## ## Configuration settings that directly affect the Velero deployment YAML. @@ -9,8 +9,8 @@ image: repository: velero/velero tag: v1.6.0 - # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. If used, it will - # take precedence over the image.tag. + # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. + # If used, it will take precedence over the image.tag. # digest: pullPolicy: IfNotPresent # One or more secrets to be used when pulling images @@ -37,8 +37,15 @@ podAnnotations: {} # ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ podLabels: {} -# Resource requests/limits to specify for the Velero deployment. Optional. -resources: {} +# Resource requests/limits to specify for the Velero deployment. +# https://velero.io/docs/v1.6/customize-installation/#customize-resource-requests-and-limits +resources: + requests: + cpu: 500m + memory: 128Mi + limits: + cpu: 1000m + memory: 512Mi # Configure the dnsPolicy of the Velero deployment # See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy 
@@ -100,6 +107,25 @@ metrics: # ServiceMonitor namespace. Default to Velero namespace. # namespace: +kubectl: + image: + repository: docker.io/bitnami/kubectl + tag: 1.14.3 + # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. + # If used, it will take precedence over the kubectl.image.tag. + # digest: + # Annotations to set for the upgrade/cleanup job. Optional. + annotations: {} + # Labels to set for the upgrade/cleanup job. Optional. + labels: {} + +# This job upgrades the CRDs. +upgradeCRDs: true + +# This job is meant primarily for cleaning up CRDs on CI systems. +# Using this on production systems, especially those that have multiple releases of Velero, will be destructive. +cleanUpCRDs: false + ## ## End of deployment-related settings. ## @@ -114,7 +140,7 @@ configuration: provider: # Parameters for the `default` BackupStorageLocation. See - # https://velero.io/docs/v1.5/api-types/backupstoragelocation/ + # https://velero.io/docs/v1.6/api-types/backupstoragelocation/ backupStorageLocation: # name is the name of the backup storage location where backups should be stored. If a name is not provided, # a backup storage location will be created with the name "default". Optional. @@ -124,10 +150,12 @@ configuration: provider: # bucket is the name of the bucket to store backups in. Required. bucket: - # caCert defines a base64 encoded CA bundle to use when verifying TLS connections to the provider. + # caCert defines a base64 encoded CA bundle to use when verifying TLS connections to the provider. Optional. caCert: # prefix is the directory under which all Velero data should be stored within the bucket. Optional. prefix: + # default indicates this location is the default backup storage location. Optional. + default: # Additional provider-specific configuration. See link above # for details of required/optional fields for your provider. config: {} 
@@ -145,7 +173,7 @@ configuration: # serviceAccount: # Parameters for the `default` VolumeSnapshotLocation. See - # https://velero.io/docs/v1.5/api-types/volumesnapshotlocation/ + # https://velero.io/docs/v1.6/api-types/volumesnapshotlocation/ volumeSnapshotLocation: # name is the name of the volume snapshot location where snapshots are being taken. Required. name: @@ -156,10 +184,11 @@ configuration: # for details of required/optional fields for your provider. config: {} # region: - # apitimeout: + # apiTimeout: # resourceGroup: # The ID of the subscription where volume snapshots should be stored, if different from the cluster’s subscription. If specified, also requires `configuration.volumeSnapshotLocation.config.resourceGroup`to be set. (Azure only) # subscriptionId: + # incremental: # snapshotLocation: # project: @@ -269,7 +298,15 @@ restic: # Pod priority class name to use for the Restic daemonset. Optional. priorityClassName: "" # Resource requests/limits to specify for the Restic daemonset deployment. Optional. - resources: {} + # https://velero.io/docs/v1.6/customize-installation/#customize-resource-requests-and-limits + resources: + requests: + cpu: 500m + memory: 512Mi + limits: + cpu: 1000m + memory: 1024Mi + # Tolerations to use for the Restic daemonset. Optional. tolerations: [] @@ -321,7 +358,7 @@ schedules: {} # velero.io/plugin-config: "" # velero.io/restic: RestoreItemAction # data: -# image: velero/velero-restic-restore-helper:v1.3.1 +# image: velero/velero-restic-restore-helper:v1.6.0 configMaps: {} ## diff --git a/terraform/variables.tf b/terraform/variables.tf index 147bb42..c3a463b 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -33,7 +33,7 @@ variable "cert_manager_chart_version" { # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.19.3" + default = "2.21.0" } # https://hub.docker.com/r/velero/velero/tags 
@@ -64,14 +64,14 @@ variable "akv2k8s_chart_version" {
 # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4
 # helm search repo aad-pod-identity/aad-pod-identity
 variable "aad_pod_identity_chart_version" {
- default = "4.0.0"
+ default = "4.1.0"
 }
 
 # https://bitnami.com/stack/external-dns/helm
 # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21
 # helm search repo bitnami/external-dns
 variable "external_dns_chart_version" {
- default = "4.12.3"
+ default = "5.0.0"
 }
 
 # https://github.com/weaveworks/kured/tree/master/charts/kured
@@ -90,7 +90,7 @@ variable "kured_image_tag" {
 # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5
 # helm search repo argo/argo-cd
 variable "argocd_chart_version" {
- default = "3.2.2"
+ default = "3.2.4"
 }
 
 # https://hub.docker.com/r/argoproj/argocd/tags
diff --git a/terraform/versions.tf b/terraform/versions.tf
index 8acf5ca..501e09f 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -23,7 +23,7 @@ terraform {
 # https://github.com/terraform-providers/terraform-provider-azurerm/releases
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.57.0"
+ version = "~> 2.58.0"
 }
 
 # https://github.com/terraform-providers/terraform-provider-azuread/releases
@@ -35,7 +35,7 @@ terraform {
 # https://github.com/hashicorp/terraform-provider-kubernetes/releases
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.1.0"
+ version = "~> 2.2.0"
 }
 
 # https://github.com/hashicorp/terraform-provider-helm/releases
From e0ab5f7ef934ff337a6fcd5b3e3856fede2c73b0 Mon Sep 17 00:00:00 2001
From: Adam Rush Date: Thu, 13 May 2021 08:18:46 +0100 Subject: [PATCH 31/70] Added latest aad-pod-binding values --- terraform/aad_pod_identity_helm.tf | 1 + .../helm/aad_pod_identity_default_values.yaml | 285 ++++++++++++++++++ terraform/helm/aad_pod_identity_values.yaml | 278 +---------------- 3 files changed, 289 insertions(+), 275 deletions(-) create mode 100644 terraform/helm/aad_pod_identity_default_values.yaml diff --git a/terraform/aad_pod_identity_helm.tf b/terraform/aad_pod_identity_helm.tf index 8451639..fd84211 100644 --- a/terraform/aad_pod_identity_helm.tf +++ b/terraform/aad_pod_identity_helm.tf @@ -47,6 +47,7 @@ resource "helm_release" "aad_pod_identity" { atomic = true values = [ + # see default values: /helm/aad_pod_identity_default_values.yaml file("helm/aad_pod_identity_values.yaml"), data.template_file.azureIdentities.rendered ] diff --git a/terraform/helm/aad_pod_identity_default_values.yaml b/terraform/helm/aad_pod_identity_default_values.yaml new file mode 100644 index 0000000..25a11b6 --- /dev/null +++ b/terraform/helm/aad_pod_identity_default_values.yaml 
@@ -0,0 +1,285 @@ +# source: https://github.com/Azure/aad-pod-identity/blob/v1.8.0/charts/aad-pod-identity/values.yaml + +# Default values for aad-pod-identity-helm. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +nameOverride: "" +fullnameOverride: "" + +image: + repository: mcr.microsoft.com/oss/azure/aad-pod-identity + imagePullPolicy: IfNotPresent + +# One or more secrets to be used when pulling images +# imagePullSecrets: +# - name: myRegistryKeySecretName + +# https://github.com/Azure/aad-pod-identity#4-optional-match-pods-in-the-namespace +# By default, AAD Pod Identity matches pods to identities across namespaces. +# To match only pods in the namespace containing AzureIdentity set this to true. +forceNamespaced: "false" + +# When NMI runs on a node where MIC is running, then MIC token request call is also +# intercepted by NMI. MIC can't get a valid token as to initialize and then +# assign the identity. Installing an exception for MIC would ensure all token requests +# for MIC pods directly go to IMDS and not go through the pod-identity validation +# https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.app-exception.md +installMICException: "true" + +## If using a separate service principal for aad-pod-identity instead of cluster service principal specify the following +## (The chart will perform the base64 encoding for you for values that are stored in secrets.) +adminsecret: {} +# cloud: +# subscriptionID: +# resourceGroup: +# vmType: <`standard` for normal virtual machine nodes, and `vmss` for cluster deployed with a virtual machine scale set> +# tenantID: +# clientID: +# clientSecret: +# useMSI: +# userAssignedMSIClientID: +# Operation mode for pod-identity. 
Default is standard mode that has MIC doing identity assignment +# Allowed values: "standard", "managed" +operationMode: "standard" + +mic: + image: mic + tag: v1.8.0 + + # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical + priorityClassName: "" + + # log level. Uses V logs (klog) + logVerbosity: 0 + loggingFormat: "" + + replicas: 2 + + resources: + limits: + cpu: 200m + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + + podAnnotations: {} + + podLabels: {} + + ## Node labels for pod assignment + ## aad-pod-identity is currently only supported on linux + nodeSelector: + kubernetes.io/os: linux + + tolerations: [] + # - key: "CriticalAddonsOnly" + # operator: "Exists" + + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + affinity: {} + # nodeAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight 1 + # preference: + # matchExpressions: + # - key: kubernetes.azure.com/mode + # operator: In + # values: + # - system + + # Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/component: mic + + # Limit the number of concurrent disruptions that your application experiences, + # allowing for higher availability while permitting the cluster administrator to manage the clusters nodes. 
+ # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: {} + # minAvailable: 1 + + leaderElection: + # Override leader election instance name (default is 'hostname') + instance: "" + # Override the namespace to create leader election objects (default is default namespace) + namespace: "" + # Override leader election name (default is aad-pod-identity-mic) + name: "" + # Override leader election duration (default is 15s) + duration: "" + + # Override http liveliness probe port (default is 8080) + probePort: "" + + # Override interval in seconds at which sync loop should periodically check for errors and reconcile (default is 3600s) + syncRetryDuration: "" + + # Override the defult value of immutable identities. + immutableUserMSIs: [] + # Example of MSIs (should be replaced with the real client ids) + #- "00000000-0000-0000-0000-000000000000" + #- "11111111-1111-1111-1111-111111111111" + + # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#batch-create-delete-flag + # default value is 20 + createDeleteBatch: "" + + # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#client-qps-flag + # default value is 5 + clientQps: "" + + # default value is 8888 + # prometheus port for metrics + prometheusPort: "" + + # cloud configuration used to authenticate with Azure + cloudConfig: "/etc/kubernetes/azure.json" + + # The maximum retry of UpdateUserMSI call. MIC updates all the identities in a batch. If a single identity contains an error + # or is invalid, then the entire operation fails. Configuring this flag will make MIC retry by removing the erroneous identities + # returned in the error + # Default value is 2. 
+ updateUserMSIMaxRetry: "" + + # The duration to wait before retrying UpdateUserMSI (batch assigning/un-assigning identity from VM/VMSS) in case of errors + # Default value is 1s + updateUserMSIRetryInterval: "" + + # The interval between reconciling identity assignment on Azure based on an existing list of AzureAssignedIdentities + # Default value is 3m + identityAssignmentReconcileInterval: "" + +nmi: + image: nmi + tag: v1.8.0 + + # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical + priorityClassName: "" + + # log level. Uses V logs (klog) + logVerbosity: 0 + loggingFormat: "" + + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + + podAnnotations: {} + + podLabels: {} + + ## Node labels for pod assignment + ## aad-pod-identity is currently only supported on linux + nodeSelector: + kubernetes.io/os: linux + + tolerations: [] + # - key: "CriticalAddonsOnly" + # operator: "Exists" + + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + affinity: {} + # nodeAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight 1 + # preference: + # matchExpressions: + # - key: kubernetes.azure.com/mode + # operator: In + # values: + # - system + + # Override iptables update interval in seconds (default is 60) + ipTableUpdateTimeIntervalInSeconds: "" + + # Override mic namespace to short circuit MIC token requests (default is default namespace) + micNamespace: "" + + # Override http liveliness probe port (default is 8080) + probePort: "8085" + + # Override number of retries in NMI to find assigned identity in CREATED state (default is 16) + retryAttemptsForCreated: "" + + # Override number of retries in NMI to find assigned identity in ASSIGNED state (default is 4) + retryAttemptsForAssigned: "" + + # Override retry interval to find assigned identities in seconds (default is 5) + 
findIdentityRetryIntervalInSeconds: "" + + # Enable scale features - https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#enable-scale-features-flag + # Accepted values are true/false. Default is false. + enableScaleFeatures: "" + + # default value is 9090 + # prometheus port for metrics + prometheusPort: "" + + # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#block-instance-metadata-flag + # default is false + blockInstanceMetadata: "" + + # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#metadata-header-required-flag + # default is false + metadataHeaderRequired: "" + + # enable running aad-pod-identity on clusters with kubenet + # default is false + allowNetworkPluginKubenet: false + + # Path to kubelet default config. + # default is /etc/default/kubelet + kubeletConfig: "/etc/default/kubelet" + +rbac: + enabled: true + # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity. + # If using only MSI (type: 0) in AzureIdentity, secret get permission can be disabled by setting this to false. + allowAccessToSecrets: true + pspEnabled: false + # If set to true, then view and edit cluster roles will be created with annotations + # that agrigate to the admin, edit and view built-in cluster roles. These roles will + # be able to create the necessary resources to allow pod identity binding on pods. 
+ createUserFacingClusterRoles: false + +# Create azure identities and bindings +# This is a map with the AzureIdentityName being the key and the rest of the blob as value in accordance +# to helm best practices: https://helm.sh/docs/chart_best_practices/values/#consider-how-users-will-use-your-values +azureIdentities: + # "azure-identity": + # # if not defined, then the azure identity will be deployed in the same namespace as the chart + # namespace: "" + # # if not defined, then the name of azure identity will be the same as the key + # name: "" + # # type 0: User-assigned identity, type 1: Service Principal, type 2: Service principal with certificate + # type: 0 + # # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name + # # Required for type 0 + # resourceID: "" + # # Required for type 0, 1 and 2 + # clientID: "" + # # Required for type 1 and 2 + # tenantID: "" + # # Required for type 1 and 2 + # clientPassword: "{\"name\":\"\",\"namespace\":\"\"}" + # # Optional for type 1 and 2 (multi-tenant) + # auxiliaryTenantIDs: [] + # binding: + # name: "azure-identity-binding" + # # The selector will also need to be included in labels for app deployment + # selector: "demo" + +# If provided, the userAgent string will be appended to the pod identity user agents for all +# ADAL, ARM and Kube API server requests. +customUserAgent: "" diff --git a/terraform/helm/aad_pod_identity_values.yaml b/terraform/helm/aad_pod_identity_values.yaml index 153206f..7593e87 100644 --- a/terraform/helm/aad_pod_identity_values.yaml +++ b/terraform/helm/aad_pod_identity_values.yaml 
@@ -1,277 +1,5 @@ -# source: https://github.com/Azure/aad-pod-identity/blob/v1.7.5/charts/aad-pod-identity/values.yaml - -# Default values for aad-pod-identity-helm. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -nameOverride: "" -fullnameOverride: "" - -image: - repository: mcr.microsoft.com/oss/azure/aad-pod-identity - imagePullPolicy: Always - -# One or more secrets to be used when pulling images -# imagePullSecrets: -# - name: myRegistryKeySecretName - -# https://github.com/Azure/aad-pod-identity#4-optional-match-pods-in-the-namespace -# By default, AAD Pod Identity matches pods to identities across namespaces. -# To match only pods in the namespace containing AzureIdentity set this to true. -forceNamespaced: "false" - -# When NMI runs on a node where MIC is running, then MIC token request call is also -# intercepted by NMI. MIC can't get a valid token as to initialize and then -# assign the identity. Installing an exception for MIC would ensure all token requests -# for MIC pods directly go to IMDS and not go through the pod-identity validation -# https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.app-exception.md -installMICException: "true" - -## If using a separate service principal for aad-pod-identity instead of cluster service principal specify the following -## (The chart will perform the base64 encoding for you for values that are stored in secrets.) -adminsecret: {} -# cloud: -# subscriptionID: -# resourceGroup: -# vmType: <`standard` for normal virtual machine nodes, and `vmss` for cluster deployed with a virtual machine scale set> -# tenantID: -# clientID: -# clientSecret: -# useMSI: -# userAssignedMSIClientID: -# Operation mode for pod-identity. 
Default is standard mode that has MIC doing identity assignment -# Allowed values: "standard", "managed" -operationMode: "standard" +# source: https://github.com/Azure/aad-pod-identity/blob/v1.8.0/charts/aad-pod-identity/values.yaml +# only use 1 replica during testing mic: - image: mic - tag: v1.7.5 - - # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical - priorityClassName: "" - - # log level. Uses V logs (klog) - logVerbosity: 0 - loggingFormat: "" - - resources: - limits: - cpu: 200m - memory: 1024Mi - requests: - cpu: 100m - memory: 256Mi - - podAnnotations: {} - - podLabels: {} - - ## Node labels for pod assignment - ## aad-pod-identity is currently only supported on linux - nodeSelector: - kubernetes.io/os: linux - - tolerations: [] - # - key: "CriticalAddonsOnly" - # operator: "Exists" - - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - affinity: {} - # nodeAffinity: - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight 1 - # preference: - # matchExpressions: - # - key: kubernetes.azure.com/mode - # operator: In - # values: - # - system - - # Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. - # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: failure-domain.beta.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - # labelSelector: - # matchLabels: - # app.kubernetes.io/component: mic - - # Limit the number of concurrent disruptions that your application experiences, - # allowing for higher availability while permitting the cluster administrator to manage the clusters nodes. 
- # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - podDisruptionBudget: {} - # minAvailable: 1 - - leaderElection: - # Override leader election instance name (default is 'hostname') - instance: "" - # Override the namespace to create leader election objects (default is default namespace) - namespace: "" - # Override leader election name (default is aad-pod-identity-mic) - name: "" - # Override leader election duration (default is 15s) - duration: "" - - # Override http liveliness probe port (default is 8080) - probePort: "" - - # Override interval in seconds at which sync loop should periodically check for errors and reconcile (default is 3600s) - syncRetryDuration: "" - - # Override the defult value of immutable identities. - immutableUserMSIs: [] - # Example of MSIs (should be replaced with the real client ids) - #- "00000000-0000-0000-0000-000000000000" - #- "11111111-1111-1111-1111-111111111111" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#batch-create-delete-flag - # default value is 20 - createDeleteBatch: "" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#client-qps-flag - # default value is 5 - clientQps: "" - - # default value is 8888 - # prometheus port for metrics - prometheusPort: "" - - # cloud configuration used to authenticate with Azure - cloudConfig: "/etc/kubernetes/azure.json" - - # The maximum retry of UpdateUserMSI call. MIC updates all the identities in a batch. If a single identity contains an error - # or is invalid, then the entire operation fails. Configuring this flag will make MIC retry by removing the erroneous identities - # returned in the error - # Default value is 2. 
- updateUserMSIMaxRetry: "" - - # The duration to wait before retrying UpdateUserMSI (batch assigning/un-assigning identity from VM/VMSS) in case of errors - # Default value is 1s - updateUserMSIRetryInterval: "" - - # The interval between reconciling identity assignment on Azure based on an existing list of AzureAssignedIdentities - # Default value is 3m - identityAssignmentReconcileInterval: "" - -nmi: - image: nmi - tag: v1.7.5 - - # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical - priorityClassName: "" - - # log level. Uses V logs (klog) - logVerbosity: 0 - loggingFormat: "" - - resources: - limits: - cpu: 200m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - - podAnnotations: {} - - podLabels: {} - - ## Node labels for pod assignment - ## aad-pod-identity is currently only supported on linux - nodeSelector: - kubernetes.io/os: linux - - tolerations: [] - # - key: "CriticalAddonsOnly" - # operator: "Exists" - - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - affinity: {} - # nodeAffinity: - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight 1 - # preference: - # matchExpressions: - # - key: kubernetes.azure.com/mode - # operator: In - # values: - # - system - - # Override iptables update interval in seconds (default is 60) - ipTableUpdateTimeIntervalInSeconds: "" - - # Override mic namespace to short circuit MIC token requests (default is default namespace) - micNamespace: "" - - # Override http liveliness probe port (default is 8080) - probePort: "8085" - - # Override number of retries in NMI to find assigned identity in CREATED state (default is 16) - retryAttemptsForCreated: "" - - # Override number of retries in NMI to find assigned identity in ASSIGNED state (default is 4) - retryAttemptsForAssigned: "" - - # Override retry interval to find assigned identities in seconds (default is 5) - 
findIdentityRetryIntervalInSeconds: "" - - # Enable scale features - https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#enable-scale-features-flag - # Accepted values are true/false. Default is false. - enableScaleFeatures: "" - - # default value is 9090 - # prometheus port for metrics - prometheusPort: "" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#block-instance-metadata-flag - # default is false - blockInstanceMetadata: "" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#metadata-header-required-flag - # default is false - metadataHeaderRequired: "" - - # enable running aad-pod-identity on clusters with kubenet - # default is false - allowNetworkPluginKubenet: false - - # Path to kubelet default config. - # default is /etc/default/kubelet - kubeletConfig: "/etc/default/kubelet" - -rbac: - enabled: true - # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity. - # If using only MSI (type: 0) in AzureIdentity, secret get permission can be disabled by setting this to false. 
- allowAccessToSecrets: true - pspEnabled: false - -# Create azure identities and bindings -# This is a map with the AzureIdentityName being the key and the rest of the blob as value in accordance -# to helm best practices: https://helm.sh/docs/chart_best_practices/values/#consider-how-users-will-use-your-values -azureIdentities: - # "azure-identity": - # # if not defined, then the azure identity will be deployed in the same namespace as the chart - # namespace: "" - # # type 0: User-assigned identity, type 1: Service Principal, type 2: Service principal with certificate - # type: 0 - # # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name - # # Required for type 0 - # resourceID: "" - # # Required for type 0, 1 and 2 - # clientID: "" - # # Required for type 1 and 2 - # tenantID: "" - # # Required for type 1 and 2 - # clientPassword: "{\"name\":\"\",\"namespace\":\"\"}" - # # Optional for type 1 and 2 (multi-tenant) - # auxiliaryTenantIDs: [] - # binding: - # name: "azure-identity-binding" - # # The selector will also need to be included in labels for app deployment - # selector: "demo" - -# If provided, the userAgent string will be appended to the pod identity user agents for all -# ADAL, ARM and Kube API server requests. -customUserAgent: "" + replicas: 1 From 8ca911198d0dfb27b0f24ec933effe8f6cb66c49 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 13 May 2021 08:29:51 +0100 Subject: [PATCH 32/70] Added spec urls --- terraform/files/azureIdentity-external-dns.yaml.tpl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/files/azureIdentity-external-dns.yaml.tpl b/terraform/files/azureIdentity-external-dns.yaml.tpl index f699e04..556e137 100644 --- a/terraform/files/azureIdentity-external-dns.yaml.tpl +++ b/terraform/files/azureIdentity-external-dns.yaml.tpl 
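Review bot: Trimming the values file to `mic.replicas` means the NMI hardening flags now come from chart defaults, and the new default-values copy shows both `blockInstanceMetadata` and `metadataHeaderRequired` defaulting to false, so pods can still reach the IMDS instance endpoint through NMI and token requests are not required to carry the `Metadata: true` header. The identities defined in this repo appear to be type 0 (the velero template sets `type: 0`, and the external-dns template only supplies `resourceID`/`clientID`), so `rbac.allowAccessToSecrets` could also be set to false rather than inheriting the default `true`, which the chart comment says is only needed for service-principal identities. Pinning these explicitly keeps the hardening visible in the repo instead of depending on upstream defaults; `metadataHeaderRequired` is worth checking against the workloads' SDKs first. The `replicas: 1` override is described as test-only, so a marker such as `# TODO: restore chart default (2) before production use` would help it not leak into a real deployment.
```yaml
mic:
  replicas: 1

nmi:
  # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#block-instance-metadata-flag
  blockInstanceMetadata: "true"
  # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#metadata-header-required-flag
  metadataHeaderRequired: "true"

rbac:
  # only type 0 (managed identity) AzureIdentities are bound in this repo
  allowAccessToSecrets: false
```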
@@ -1,4 +1,5 @@ # https://github.com/Azure/aad-pod-identity +# https://azure.github.io/aad-pod-identity/docs/concepts/azureidentity/ apiVersion: "aadpodidentity.k8s.io/v1" kind: AzureIdentity metadata: @@ -9,6 +10,7 @@ spec: resourceID: ${managedIdentityResourceID} clientID: ${managedIdentityClientID} --- +# https://azure.github.io/aad-pod-identity/docs/concepts/azureidentitybinding/ apiVersion: "aadpodidentity.k8s.io/v1" kind: AzureIdentityBinding metadata: From d610ff015d354b0ef1143b153dabe58403bac942 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 13 May 2021 08:30:05 +0100 Subject: [PATCH 33/70] Added name field --- terraform/files/azureIdentities.yaml.tpl | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/files/azureIdentities.yaml.tpl b/terraform/files/azureIdentities.yaml.tpl index 345dfa9..db2a039 100644 --- a/terraform/files/azureIdentities.yaml.tpl +++ b/terraform/files/azureIdentities.yaml.tpl @@ -2,6 +2,7 @@ azureIdentities: "velero": # if not defined, then the azure identity will be deployed in the same namespace as the chart namespace: "" + name: "velero" # type 0: MSI, type 1: Service Principal type: 0 # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name From c5f72327de7bda15313b5c9cabbfb9e3a1bc1ca3 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 14 May 2021 08:15:06 +0100 Subject: [PATCH 34/70] Added identity comment --- terraform/files/azureIdentities.yaml.tpl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/files/azureIdentities.yaml.tpl b/terraform/files/azureIdentities.yaml.tpl index db2a039..59a06cb 100644 --- a/terraform/files/azureIdentities.yaml.tpl +++ b/terraform/files/azureIdentities.yaml.tpl 
@@ -1,8 +1,9 @@ azureIdentities: "velero": + # if not defined, then the name of azure identity will be the same as the key + name: "velero" # if not defined, then the azure identity will be deployed in the same namespace as the chart namespace: "" - name: "velero" # type 0: MSI, type 1: Service Principal type: 0 # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name From 33552649fdb8c4950e9faa188be268a45ed0a791 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 14 May 2021 08:15:18 +0100 Subject: [PATCH 35/70] Changed azurerm to 2.59.0 --- terraform/versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index 501e09f..c8a8e29 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.58.0" + version = "~> 2.59.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases From 289d0c1a698fc27b1283c3717fa068e7458134ee Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 18 May 2021 07:52:46 +0100 Subject: [PATCH 36/70] Changed argocd chart to v3.3.3 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index c3a463b..afdd7c0 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -90,7 +90,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.2.4" + default = "3.3.3" } # https://hub.docker.com/r/argoproj/argocd/tags From b2dbc9f2704016ddcf508210aea325cb2fe92559 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Tue, 18 May 2021 07:54:23 +0100 Subject: [PATCH 37/70] Changed terraform to v0.14.11 --- .devcontainer/Dockerfile | 2 +- .devcontainer/devcontainer.json | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 9b54dcd..0bba63b 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -45,7 +45,7 @@ RUN if [ "${INSTALL_AZURE_CLI}" = "true" ]; then bash /tmp/library-scripts/azcli # Install Terraform, tflint, Go, PowerShell, and other useful tools # TODO: move this into main "RUN" layer above -ARG TERRAFORM_VERSION=0.14.10 +ARG TERRAFORM_VERSION=0.14.11 ARG TFLINT_VERSION=0.18.0 RUN bash /tmp/library-scripts/terraform-debian.sh "${TERRAFORM_VERSION}" "${TFLINT_VERSION}" \ && bash /tmp/library-scripts/powershell-debian.sh \ diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 942a705..d9f52dd 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "build": { "dockerfile": "Dockerfile", "args": { - "TERRAFORM_VERSION": "0.14.10", + "TERRAFORM_VERSION": "0.14.11", "TFLINT_VERSION": "0.22.0", "INSTALL_AZURE_CLI": "true", "INSTALL_DOCKER": "true", diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d77efdf..9cf3e8e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -58,7 +58,7 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "0.14.10" + TF_VERSION: "0.14.11" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases TFLINT_RULESET_AZURERM_VERSION: "v0.9.0" diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 9a4a410..b3fd0fd 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml 
@@ -52,7 +52,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "0.14.10" + TF_VERSION: "0.14.11" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: From 67415b70c80c04adc8753db0477dc40d1b0c6323 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 20 May 2021 13:25:26 +0100 Subject: [PATCH 38/70] Changed terraform to v0.15.4 --- .devcontainer/Dockerfile | 2 +- .devcontainer/devcontainer.json | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 0bba63b..62206b1 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -45,7 +45,7 @@ RUN if [ "${INSTALL_AZURE_CLI}" = "true" ]; then bash /tmp/library-scripts/azcli # Install Terraform, tflint, Go, PowerShell, and other useful tools # TODO: move this into main "RUN" layer above -ARG TERRAFORM_VERSION=0.14.11 +ARG TERRAFORM_VERSION=0.15.4 ARG TFLINT_VERSION=0.18.0 RUN bash /tmp/library-scripts/terraform-debian.sh "${TERRAFORM_VERSION}" "${TFLINT_VERSION}" \ && bash /tmp/library-scripts/powershell-debian.sh \ diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index d9f52dd..e51054d 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "build": { "dockerfile": "Dockerfile", "args": { - "TERRAFORM_VERSION": "0.14.11", + "TERRAFORM_VERSION": "0.15.4", "TFLINT_VERSION": "0.22.0", "INSTALL_AZURE_CLI": "true", "INSTALL_DOCKER": "true", diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9cf3e8e..18c52c5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -58,7 +58,7 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "0.14.11" + TF_VERSION: "0.15.4" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases TFLINT_RULESET_AZURERM_VERSION: "v0.9.0" diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index b3fd0fd..39e943c 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -52,7 +52,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "0.14.11" + TF_VERSION: "0.15.4" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: From aba3923080eee9b80a5d05b9ff3832e2b94ef83d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 21 May 2021 07:14:50 +0100 Subject: [PATCH 39/70] Changed argocd chart to v2.0.2 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index afdd7c0..257e977 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -95,7 +95,7 @@ variable "argocd_chart_version" { # https://hub.docker.com/r/argoproj/argocd/tags variable "argocd_image_tag" { - default = "v2.0.1" + default = "v2.0.2" } #endregion Versions From 3e3ee65855bbcbc892752e12966f6c19e6a9b2de Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 21 May 2021 07:15:20 +0100 Subject: [PATCH 40/70] Changed azurerm to 2.60.0, and azuread to v1.5.0 --- terraform/versions.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index c8a8e29..0f1f62e 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf 
@@ -23,13 +23,13 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.59.0" + version = "~> 2.60.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 1.4.0" + version = "~> 1.5.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases From 818e4692b96ece17428d312ea67e9b8f6954ee10 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 21 May 2021 08:02:24 +0100 Subject: [PATCH 41/70] Changed azurerm back to v2.59.0 --- terraform/versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index 0f1f62e..ea81cc7 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.60.0" + version = "~> 2.59.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases From af93fa38497f9808e22cc32d2597128d49295133 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 28 May 2021 07:48:31 +0100 Subject: [PATCH 42/70] Added Fix-FunctionApp.ps1 script --- .github/workflows/build.yml | 10 ++++++++-- scripts/Fix-FunctionApp.ps1 | 16 ++++++++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) create mode 100644 scripts/Fix-FunctionApp.ps1 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 18c52c5..4db50b3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -190,9 +190,15 @@ jobs: run: ./scripts/push_docker_images.sh # TODO: Remove once issue has been fixed + - name: Fix Function App version + run: pwsh -command "./scripts/Fix-FunctionApp.ps1" + env: + FUNCTION_APP_NAME: "${{ env.PREFIX }}-funcapp" + FUNCTION_APP_RG: "${{ env.PREFIX }}-rg-function-app" + # https://github.com/terraform-providers/terraform-provider-azurerm/issues/8546 - - name: Restart Function App - run: az functionapp restart --name "${{ env.PREFIX }}-funcapp" --resource-group "${{ env.PREFIX }}-rg-function-app" + # - name: Restart Function App + # run: az functionapp restart --name "${{ env.PREFIX }}-funcapp" --resource-group "${{ env.PREFIX }}-rg-function-app" # Pester tests - name: 🧪 Run Pester tests diff --git a/scripts/Fix-FunctionApp.ps1 b/scripts/Fix-FunctionApp.ps1 new file mode 100644 index 0000000..e49e3cb --- /dev/null +++ b/scripts/Fix-FunctionApp.ps1 @@ -0,0 +1,16 @@ +# source: https://github.com/terraform-providers/terraform-provider-azurerm/issues/8867#issuecomment-849842849 + +# Fixes PowerShell function app stack version to 7 + +# Change function app to PS 7 +Write-Host 'Change function app to PS 7' +$function = az functionapp show --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG | ConvertFrom-Json + +if ($function.siteConfig.powerShellVersion -ne "~7") { + Write-Host "Updating powershell version to ~7..." + az functionapp update --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG --set "siteConfig.powerShellVersion=~7" +} else { + Write-Host "Powershell version already set to to ~7" +} + +Write-Host '' From 799efefd6039dbfdeb138026189faf097682bff1 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 2 Jun 2021 07:30:03 +0100 Subject: [PATCH 43/70] Moved function app restart into script --- .github/workflows/build.yml | 4 ---- scripts/Fix-FunctionApp.ps1 | 3 +++ 2 files changed, 3 insertions(+), 4 deletions(-) 
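Review bot: The `if ($function.siteConfig.powerShellVersion -ne "~7")` check in the new Fix-FunctionApp.ps1 cannot tell a real version mismatch from a failed `az functionapp show`: if the CLI exits non-zero (wrong app name, resource group, or an expired login), `$function` is `$null`, `$null -ne "~7"` is true, and the script goes on to run `az functionapp update` against an app it could not even read. Native command failures are not terminating errors in PowerShell by default, so the workflow step would also report success in that case. I would set `$ErrorActionPreference = 'Stop'` at the top and guard the lookup with `if ($LASTEXITCODE -ne 0 -or -not $function) { throw "az functionapp show failed for $env:FUNCTION_APP_NAME" }`, and apply the same `$LASTEXITCODE` check after the update call. The script header comment could also state that it is a workaround that may be removed once the linked azurerm issue is fixed, matching the TODO in build.yml.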
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4db50b3..f8e8d0b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -196,10 +196,6 @@ jobs: FUNCTION_APP_NAME: "${{ env.PREFIX }}-funcapp" FUNCTION_APP_RG: "${{ env.PREFIX }}-rg-function-app" - # https://github.com/terraform-providers/terraform-provider-azurerm/issues/8546 - # - name: Restart Function App - # run: az functionapp restart --name "${{ env.PREFIX }}-funcapp" --resource-group "${{ env.PREFIX }}-rg-function-app" - # Pester tests - name: 🧪 Run Pester tests continue-on-error: true diff --git a/scripts/Fix-FunctionApp.ps1 b/scripts/Fix-FunctionApp.ps1 index e49e3cb..2ce126f 100644 --- a/scripts/Fix-FunctionApp.ps1 +++ b/scripts/Fix-FunctionApp.ps1 @@ -9,6 +9,9 @@ $function = az functionapp show --name $env:FUNCTION_APP_NAME --resource-group $ if ($function.siteConfig.powerShellVersion -ne "~7") { Write-Host "Updating powershell version to ~7..." az functionapp update --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG --set "siteConfig.powerShellVersion=~7" + + # Restart Function App + # az functionapp restart --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG } else { Write-Host "Powershell version already set to to ~7" } From 34fc81a73e0808b581a5f9827b8725242bf6f012 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 2 Jun 2021 10:54:22 +0100 Subject: [PATCH 44/70] Changed aad pod identity chart to v4.1.1 to fix binding issue --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 257e977..9cc1449 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
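Review bot: The restart that the commit title says was moved into the script is added commented out (`# az functionapp restart --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG`), so after `az functionapp update` changes `siteConfig.powerShellVersion` nothing restarts the app, while the workflow step that previously did so is deleted in the same commit. If leaving the restart disabled is intentional, a comment saying why (and keeping the link to the azurerm issue that the removed build.yml lines referenced) would stop the next reader from assuming it runs; otherwise it should be uncommented. If it is re-enabled, its exit code should be checked like the update, e.g. `if ($LASTEXITCODE -ne 0) { throw "az functionapp restart failed for $env:FUNCTION_APP_NAME" }`.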
@@ -64,7 +64,7 @@ variable "akv2k8s_chart_version" { # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 # helm search repo aad-pod-identity/aad-pod-identity variable "aad_pod_identity_chart_version" { - default = "4.1.0" + default = "4.1.1" } # https://bitnami.com/stack/external-dns/helm From af2907f983ac9a64f858c8330cc89e912c674621 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 3 Jun 2021 07:40:17 +0100 Subject: [PATCH 45/70] Changed chart / binary versions --- .devcontainer/Dockerfile | 2 +- .devcontainer/devcontainer.json | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- terraform/variables.tf | 16 ++++++++-------- terraform/versions.tf | 4 ++-- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 62206b1..e70b49b 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -45,7 +45,7 @@ RUN if [ "${INSTALL_AZURE_CLI}" = "true" ]; then bash /tmp/library-scripts/azcli # Install Terraform, tflint, Go, PowerShell, and other useful tools # TODO: move this into main "RUN" layer above -ARG TERRAFORM_VERSION=0.15.4 +ARG TERRAFORM_VERSION=0.15.5 ARG TFLINT_VERSION=0.18.0 RUN bash /tmp/library-scripts/terraform-debian.sh "${TERRAFORM_VERSION}" "${TFLINT_VERSION}" \ && bash /tmp/library-scripts/powershell-debian.sh \ diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index e51054d..81752ad 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "build": { "dockerfile": "Dockerfile", "args": { - "TERRAFORM_VERSION": "0.15.4", + "TERRAFORM_VERSION": "0.15.5", "TFLINT_VERSION": "0.22.0", "INSTALL_AZURE_CLI": "true", "INSTALL_DOCKER": "true", diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f8e8d0b..5ed2d38 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -58,7 +58,7 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "0.15.4" + TF_VERSION: "0.15.5" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases TFLINT_RULESET_AZURERM_VERSION: "v0.9.0" diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 39e943c..e054682 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -52,7 +52,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "0.15.4" + TF_VERSION: "0.15.5" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: diff --git a/terraform/variables.tf b/terraform/variables.tf index 9cc1449..2b047dc 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -6,7 +6,7 @@ # https://github.com/Azure/AKS/releases # az aks get-versions --location eastus --output table variable "kubernetes_version" { - default = "1.19.9" + default = "1.19.11" } # Helm charts @@ -20,7 +20,7 @@ variable "kubernetes_version" { # helm repo update # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "3.30.0" + default = "3.32.0" } # https://hub.helm.sh/charts/jetstack/cert-manager @@ -33,7 +33,7 @@ variable "cert_manager_chart_version" { # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.21.0" + default = "2.21.1" } # https://hub.docker.com/r/velero/velero/tags 
@@ -71,18 +71,18 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "5.0.0" + default = "5.0.2" } # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.4.3" + default = "2.6.0" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility variable "kured_image_tag" { - default = "1.6.1" + default = "1.7.0" } @@ -90,12 +90,12 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.3.3" + default = "3.6.6" } # https://hub.docker.com/r/argoproj/argocd/tags variable "argocd_image_tag" { - default = "v2.0.2" + default = "v2.0.3" } #endregion Versions diff --git a/terraform/versions.tf b/terraform/versions.tf index ea81cc7..81e6d4c 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.59.0" + version = "~> 2.61.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases @@ -35,7 +35,7 @@ terraform { # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.2.0" + version = "~> 2.3.0" } # https://github.com/hashicorp/terraform-provider-helm/releases From 695f7e7ce356ef9c7c334ea7cea1f1e37b229995 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 3 Jun 2021 07:41:57 +0100 Subject: [PATCH 46/70] Changed tflint versions --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5ed2d38..88241b4 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -61,9 +61,9 @@ env: TF_VERSION: "0.15.5" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases - TFLINT_RULESET_AZURERM_VERSION: "v0.9.0" + TFLINT_RULESET_AZURERM_VERSION: "v0.9.1" # https://github.com/terraform-linters/tflint/releases - TFLINT_VERSION: "v0.25.0" + TFLINT_VERSION: "v0.28.1" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 From a1ebe88e23f69bc2680416609369a32d41cf460c Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 10 Jun 2021 07:42:51 +0100 Subject: [PATCH 47/70] Changed chart / binary versions --- .devcontainer/Dockerfile | 4 ++-- .devcontainer/devcontainer.json | 4 ++-- .github/workflows/build.yml | 6 +++--- .github/workflows/destroy.yml | 2 +- terraform/variables.tf | 8 ++++---- terraform/versions.tf | 4 ++-- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index e70b49b..ab3a04f 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -45,8 +45,8 @@ RUN if [ "${INSTALL_AZURE_CLI}" = "true" ]; then bash /tmp/library-scripts/azcli # Install Terraform, tflint, Go, PowerShell, and other useful tools # TODO: move this into main "RUN" layer above -ARG TERRAFORM_VERSION=0.15.5 -ARG TFLINT_VERSION=0.18.0 +ARG TERRAFORM_VERSION=1.0.0 +ARG TFLINT_VERSION=0.29.0 RUN bash /tmp/library-scripts/terraform-debian.sh "${TERRAFORM_VERSION}" "${TFLINT_VERSION}" \ && bash /tmp/library-scripts/powershell-debian.sh \ && bash /tmp/library-scripts/kubectl-helm-debian.sh \ diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 81752ad..a781456 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json 
@@ -5,8 +5,8 @@ "build": { "dockerfile": "Dockerfile", "args": { - "TERRAFORM_VERSION": "0.15.5", - "TFLINT_VERSION": "0.22.0", + "TERRAFORM_VERSION": "1.0.0", + "TFLINT_VERSION": "0.29.0", "INSTALL_AZURE_CLI": "true", "INSTALL_DOCKER": "true", "INSTALL_NODE": "true" diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 88241b4..f6be0ee 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -58,12 +58,12 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "0.15.5" + TF_VERSION: "1.0.0" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases - TFLINT_RULESET_AZURERM_VERSION: "v0.9.1" + TFLINT_RULESET_AZURERM_VERSION: "v0.10.0" # https://github.com/terraform-linters/tflint/releases - TFLINT_VERSION: "v0.28.1" + TFLINT_VERSION: "v0.29.0" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index e054682..40991b6 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -52,7 +52,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "0.15.5" + TF_VERSION: "1.0.0" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: diff --git a/terraform/variables.tf b/terraform/variables.tf index 2b047dc..2b02356 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -20,7 +20,7 @@ variable "kubernetes_version" { # helm repo update # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "3.32.0" + default = "3.33.0" } # https://hub.helm.sh/charts/jetstack/cert-manager 
@@ -33,7 +33,7 @@ variable "cert_manager_chart_version" { # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.21.1" + default = "2.22.0" } # https://hub.docker.com/r/velero/velero/tags @@ -71,7 +71,7 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "5.0.2" + default = "5.0.3" } # https://github.com/weaveworks/kured/tree/master/charts/kured @@ -90,7 +90,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.6.6" + default = "3.6.8" } # https://hub.docker.com/r/argoproj/argocd/tags diff --git a/terraform/versions.tf b/terraform/versions.tf index 81e6d4c..0973fbf 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.61.0" + version = "~> 2.62.1" } # https://github.com/terraform-providers/terraform-provider-azuread/releases @@ -35,7 +35,7 @@ terraform { # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.3.0" + version = "~> 2.3.1" } # https://github.com/hashicorp/terraform-provider-helm/releases From 5158118587aa2cbbaf2673d39673f701d187b8ff Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 11 Jun 2021 08:55:40 +0100 Subject: [PATCH 48/70] Changed terraform provider versions --- terraform/versions.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index 0973fbf..e703429 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf 
@@ -23,25 +23,25 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.62.1" + version = "~> 2.63.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 1.5.0" + version = "~> 1.5.1" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.3.1" + version = "~> 2.3.2" } # https://github.com/hashicorp/terraform-provider-helm/releases helm = { source = "hashicorp/helm" - version = "~> 2.1.2" + version = "~> 2.2.0" } random = { From c63c1165ed6899e8a3a16f01b7f25af68b7adb8c Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 13 Jun 2021 09:25:23 +0100 Subject: [PATCH 49/70] Added splunk build config --- splunk/README.md | 109 +++++++++++++++++++++++++++++++++++++++++++++++ splunk/main.tf | 92 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 201 insertions(+) create mode 100644 splunk/README.md create mode 100644 splunk/main.tf diff --git a/splunk/README.md b/splunk/README.md new file mode 100644 index 0000000..fd695d1 --- /dev/null +++ b/splunk/README.md 
@@ -0,0 +1,109 @@ +# Splunk + +Used for Splunk related testing. + +## Install + +### Terraform + +```bash +# Init +cd ./splunk +terraform init #-upgrade + +# Apply +terraform apply + +# Outputs +terraform output + +--- + +# Delete +terraform destroy +``` + +### Splunk Operator + +There is a current issue with [Admin Installation for All Namespaces](https://github.com/splunk/splunk-operator/issues/206), +so use the [non-admin user method](https://github.com/splunk/splunk-operator/blob/develop/docs/Install.md#installation-using-a-non-admin-user). + +```bash +# install +kubectl create namespace splunk-operator +kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.0/splunk-operator-install.yaml --namespace splunk-operator + + +# install custom resource definitions +kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.1/splunk-operator-crds.yaml +kubectl apply -f wget -O splunk-operator.yaml https://github.com/splunk/splunk-operator/releases/download/1.0.1/splunk-operator-install.yaml +kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.1/splunk-operator-cluster.yaml + + + +# install splunk operator into namespace +kubectl create namespace splunk-operator +kubectl config set-context --current --namespace= +kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.1/splunk-operator-noadmin.yaml +``` + +### Splunk Deployments + +After deploying one of the methods below, [get the password](https://github.com/splunk/splunk-operator/blob/develop/docs/Examples.md#reading-global-kubernetes-secret-object) +by running the following code: + +```bash +# kubectl get secret splunk--secret -o go-template=' {{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}' +kubectl get secret --namespace splunk-operator splunk-splunk-operator-secret -o go-template=' {{range $k,$v := .data}}{{printf "%s: " $k}}{{if not 
$v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}' +``` + +You can then port-forward to the pod and view the web interface: + +```bash +kubectl port-forward splunk-s1-standalone-0 8000 +kubectl port-forward --namespace splunk-operator splunk-single-standalone-0 8000 +``` + +#### Standalone + +https://github.com/splunk/splunk-operator/blob/develop/docs/Examples.md#creating-a-clustered-deployment + +```bash +cat < Date: Sun, 13 Jun 2021 11:01:17 +0100 Subject: [PATCH 50/70] Changed aks version --- splunk/main.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/splunk/main.tf b/splunk/main.tf index ce49853..6162b96 100644 --- a/splunk/main.tf +++ b/splunk/main.tf @@ -42,9 +42,10 @@ locals { # version used for both main AKS API service, and default node pool # https://github.com/Azure/AKS/releases # az aks get-versions --location uksouth --output table - kubernetes_version = "1.20.7" + kubernetes_version = "1.18.19" location = "uksouth" - prefix = "ar${random_string.aks.result}" # aks dns_prefix must start with a letter + # prefix = "ar${random_string.aks.result}" # aks dns_prefix must start with a letter + prefix = "arsplunk" # aks dns_prefix must start with a letter resource_group_name = "${local.prefix}-rg-azurerm-kubernetes-cluster" name = "${local.prefix}-aks-cluster" From 16c15df7877a7142bbb934ea6fe79231788c1e1c Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 13 Jun 2021 11:01:50 +0100 Subject: [PATCH 51/70] Changed installation steps --- splunk/README.md | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/splunk/README.md b/splunk/README.md index fd695d1..83f27c2 100644 --- a/splunk/README.md +++ b/splunk/README.md @@ -2,10 +2,12 @@ Used for Splunk related testing. -## Install +## Installation ### Terraform +Build an AKS cluster: + ```bash # Init cd ./splunk 
@@ -28,23 +30,25 @@ terraform destroy There is a current issue with [Admin Installation for All Namespaces](https://github.com/splunk/splunk-operator/issues/206), so use the [non-admin user method](https://github.com/splunk/splunk-operator/blob/develop/docs/Install.md#installation-using-a-non-admin-user). +#### Install + +Install the Splunk Operator as a non-admin user. + ```bash -# install +# create namespace kubectl create namespace splunk-operator -kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.0/splunk-operator-install.yaml --namespace splunk-operator - -# install custom resource definitions +# an admin needs to install the CRDs kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.1/splunk-operator-crds.yaml -kubectl apply -f wget -O splunk-operator.yaml https://github.com/splunk/splunk-operator/releases/download/1.0.1/splunk-operator-install.yaml -kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.1/splunk-operator-cluster.yaml +# install splunk operator into namespace +# v1.0.1 doesnt currently work - I've raised this issue: https://github.com/splunk/splunk-operator/issues/373 +kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.1/splunk-operator-noadmin.yaml --namespace splunk-operator -# install splunk operator into namespace -kubectl create namespace splunk-operator -kubectl config set-context --current --namespace= -kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.1/splunk-operator-noadmin.yaml +# 1.0.0 works +kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.0/splunk-operator-crds.yaml +kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.0/splunk-operator-noadmin.yaml --namespace splunk-operator ``` ### Splunk Deployments From 573a5dae9eb9b74779e4b6f446c325644423fbfa Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Sun, 13 Jun 2021 12:16:47 +0100 Subject: [PATCH 52/70] Added tf lock file --- splunk/.terraform.lock.hcl | 116 +++++++++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 splunk/.terraform.lock.hcl diff --git a/splunk/.terraform.lock.hcl b/splunk/.terraform.lock.hcl new file mode 100644 index 0000000..3d92178 --- /dev/null +++ b/splunk/.terraform.lock.hcl 
@@ -0,0 +1,116 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azuread" { + version = "1.5.1" + constraints = "~> 1.0, ~> 1.5.1" + hashes = [ + "h1:y98vgkLxJsyhyb5oZU1lM/EIQDixKcKAxgFYpQIH+kY=", + "zh:1a7a6313731ad4a1fbe9d52ae030a13b9b9ab9b155890872304dcb9daed402f5", + "zh:34cf80bc53f263ed79695a485331787cb7fb42c8617371599805e827079fe225", + "zh:3a9c68db7cd8c40472ac02ef3b42e81b6a8195c047e7d3dfa93c0458217efb89", + "zh:518a2139c0f0126e7bd43e1f92ad959164a065397de4b85e5650ab11221695e1", + "zh:743b4133d2ec47ec9d3706f5ae9848db4d27d09edacebcd18f878aaf79411cce", + "zh:8c2dfeee0cdfb873a0e8cf72e77ae4b747981d2efb6466a04abc0101ae27f5bc", + "zh:9a129fa81dcf8d49b8b66b11d4b207d173166b68e7a8322314ec81692478ef32", + "zh:c6d533931f79507cb4e497e9aec38d4ff2f2ba1102b9cdd7ed258ea70c7fe330", + "zh:d5c85d9e2b08aa445f07237e82644583261d9311efc749621af96b83879c0601", + "zh:f244da502572a9a2c657015af24239cdd798db8ceaa332b52d8e7c8bb770bc24", + "zh:f368f8dde9986196cf2fbd1dd53c6398c6ba243ce1d1709e7c8fa82b7775c5dc", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "2.63.0" + constraints = "~> 2.0, ~> 2.63.0" + hashes = [ + "h1:X/+2FPiqmwu/sZDl5FhY071o9uWHrZIlb4hr24GlN2E=", + "zh:050254861e4481c905945dc1ba0aa222373ae92d549a0168b7a271260497ca5b", + "zh:053f7de4ff0c6f3878e70c31258b5e23fc63905ef9f31d49440746b4a43a1971", + "zh:1afe053ff2807e5c78e8c95d79a9a1fda809836ec85c68533b109ce49eeb55ae", + "zh:2cad35e7bbbd02a4aefa369235ef4a5a563ff3dee05b6bf78b40aece205a8902", + "zh:3749ab4bad6108b6b0718c3cab05ff72b61e3eebaf37b5b4017ae938499f2b45", + "zh:4b6370d88fff833a33104b1c70df1992f7fdf2cdb21ae0719dbd9d0a3388ee55", + "zh:9e0f1f0432b61fa89d8358f869b405b539ffe63951b384b5d36456213a881e98", + "zh:b1de4dc52af843a265a7f7f5190a529bc70e77a684b10c855b9cf39b2c1bdcf2", + "zh:d9b6ac7b6a27c367a12bf86ce09bc4d1661de796f371c2da2c31e20ac0dce4a9", + 
"zh:f95256d93f41d1e6252bc090b2a2ababcb9ea7be9fe45706bccb21b859c3c04f", + "zh:fae8bb6f824f38088ce06f64dd0bbf506f70cc8ffdffd6b8a6ba6a678efcc596", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.2.0" + constraints = "~> 2.2.0" + hashes = [ + "h1:rxDS2QQuG/M9aRSKlvW2oHsp5eGAoB1J9KZthCOVbeQ=", + "zh:01341dd1e9cc7e7f6999e11e7473bcdca2dd72dd27f91beed1f4fb599a15dfba", + "zh:20e86c9eccd3a81ef5ac243af31b61fc4d2d679437384bd0870e92fa1b3ed6c9", + "zh:22a71127c5dbea4f62edb5bcf00b5c163de04aa19d45a7a1f621f973ffd09d20", + "zh:28ab7c84a5f8ed82fc520668db93d650571ddf59d98845cb18a1fa1a7888efc0", + "zh:3985a30929ad8fdc6b94f0e1cbd62a63db75ee961b8ba7db1cf4bfd29e8009ff", + "zh:477d92e26ba0c906087a5dd827ac3917dad7d5af770ee0ab4b08d0f273150586", + "zh:750928ec5ef54b2090bd6a6d8a19630a8712bbbccc0429251e88ccd361c1d3c0", + "zh:a615841fd90094bddc1269127e501fa60453c441b9548ff73752fe14efc38ed0", + "zh:e762aca7883374fa255efba50f5bdf791fece7d61e3920e593fb1a2cbb598981", + "zh:f76f372ead52948ca53610b371cb80c80ebcf058ef0a5c0ce9f0ce38dcc9a8eb", + "zh:fa36fe93ed977f4478cc6547ec3c45c28e56f10632e85446b0c3d71449f8c4bb", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.3.2" + constraints = "~> 2.3.2" + hashes = [ + "h1:X+wKrZNYF+qtoBNcMD3cL0+bXSWUDZ7RpHm+2vAwvhE=", + "zh:10f71c170be13538374a4b9553fcb3d98a6036bcd1ca5901877773116c3f828e", + "zh:11d2230e531b7480317e988207a73cb67b332f225b0892304983b19b6014ebe0", + "zh:3317387a9a6cc27fd7536b8f3cad4b8a9285e9461f125c5a15d192cef3281856", + "zh:458a9858362900fbe97e00432ae8a5bef212a4dacf97a57ede7534c164730da4", + "zh:50ea297007d9fe53e5411577f87a4b13f3877ce732089b42f938430e6aadff0d", + "zh:56705c959e4cbea3b115782d04c62c68ac75128c5c44ee7aa4043df253ffbfe3", + "zh:7eb3722f7f036e224824470c3e0d941f1f268fcd5fa2f8203e0eee425d0e1484", + "zh:9f408a6df4d74089e6ce18f9206b06b8107ddb57e2bc9b958a6b7dc352c62980", + "zh:aadd25ccc3021040808feb2645779962f638766eb583f586806e59f24dde81bb", + 
"zh:b101c3456e4309b09aab129b0118561178c92cb4be5d96dec553189c3084dca1", + "zh:ec08478573b4953764099fbfd670fae81dc24b60e467fb3b023e6fab50b70a9e", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "2.3.1" + constraints = "~> 2.0" + hashes = [ + "h1:bPBDLMpQzOjKhDlP9uH2UPIz9tSjcbCtLdiJ5ASmCx4=", + "zh:322ec2b56765162c193d0ff0f7634351bf4ca09d719558df82b92d31059995a1", + "zh:34c500857d14148bc6f7f21f9fc0d832ba31d00e1b911b0437d99dda29aeb108", + "zh:a3372514add474fcb07d2026a49b0c0d8a699e365f540e43e5f590eb924b95f7", + "zh:a54acd50f13f38a86454acad16b3487701608188fd2cc454fd48beee00127ae5", + "zh:b1285c47ab01fc11b6086f080da7d17b9155b3fac6a4175948a2abb5d52c60af", + "zh:c7e7bd46218cf504ca31d8a1e4eab5cad625c9951fb89d4f56861d5bddec9afb", + "zh:d9f95764480d7b884db7247a5ee9d1c72aaf1c1cde3d7b5e34bc33c4ef5ccf48", + "zh:ddf11fb807d61ff93c08206733129bf9668fc0c4adedf8a6ac38a7c382a24b35", + "zh:f631a0c1ffa94991d87cd5fe4e08c0dd6d36c780585f35a582c05ee2affb7e86", + "zh:fb5f5fb19e8a9ff73dbdee85a97f548099e480497a7a1f4ca4725c83db300b8d", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "2.2.0" + constraints = "~> 2.0" + hashes = [ + "h1:BRvNNW/32RAFXRcEAovtJWVbFt8zesIKkQm2N0GBCn8=", + "zh:0e99d1b3710f30df818cd662e2ea7b2005cec2a0c64cedd31c459b214f45e9b5", + "zh:43a97fd341c66113aeecfa2f976eb8f5e0b83a6a8824828fac2afef2682d9957", + "zh:501aa0ed294c7befb8bf6e00fd9d8cf4055e1135cb8872f83488ebcde9a89985", + "zh:51862aeed0f28092c877a5f64ddac55b8f6c05cf5278fb51afab5d20b3819934", + "zh:52c22bf8621a120080c7c8c11bfab51678ab9dc3e5c88dc89df8b2c0434a8c89", + "zh:658cce07951f8ba8f170b71198c198e526a82ba56cb74d27b24adf2574eb07b2", + "zh:80a7db37b00c5d9054f68dc62283ce11dcc83b714d550fc56e6b8544bc01d1a8", + "zh:935dd4f4995286c871162bb96ebb49c2d80ef09f2225be62a4ef06c0fcbd72d4", + "zh:af89f57dc41c4d09fd9b7d1277e5ad1d4989cd672f3e58e1891d59020015d21a", + "zh:d45870cf06ed9910d5956175c996cc7bb677f3a8edd94c66a48a3fb93c8d2a84", + 
"zh:de96c5fadb346adb5e39ea8901c93335b0f3408dd8d477a996b4eb845a8d2343", + "zh:e0f3c179975b7fa5898ebe9cc70621f9da301a14e5262399b074ccb675308bd3", + ] +} From ba48cf470ec027ec1ef84ad010b7f43ee4bdcc45 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 18 Jun 2021 06:51:10 +0100 Subject: [PATCH 53/70] Changed chart / binary versions. Bumped AKS to v1.20 --- .github/workflows/build.yml | 4 ++-- scripts/tflint.sh | 4 ++-- terraform/variables.tf | 10 +++++----- terraform/versions.tf | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f6be0ee..e7540c5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -61,9 +61,9 @@ env: TF_VERSION: "1.0.0" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases - TFLINT_RULESET_AZURERM_VERSION: "v0.10.0" + TFLINT_RULESET_AZURERM_VERSION: "v0.10.1" # https://github.com/terraform-linters/tflint/releases - TFLINT_VERSION: "v0.29.0" + TFLINT_VERSION: "v0.29.1" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 diff --git a/scripts/tflint.sh b/scripts/tflint.sh index 57482d9..e6ad448 100644 --- a/scripts/tflint.sh +++ b/scripts/tflint.sh @@ -9,8 +9,8 @@ trap "echo 'error: Script failed: see failed command above'" ERR # vars # Set local vars from env var, with default fallbacks -TFLINT_VERSION="${TFLINT_VERSION:-v0.23.1}" -TFLINT_RULESET_AZURERM_VERSION="${TFLINT_RULESET_AZURERM_VERSION:-v0.7.0}" +TFLINT_VERSION="${TFLINT_VERSION:-v0.29.1}" +TFLINT_RULESET_AZURERM_VERSION="${TFLINT_RULESET_AZURERM_VERSION:-v0.10.1}" TF_FLAGS=("$TF_WORKING_DIR") export TFLINT_LOG=debug # use empty array to skip adding disabled rules, eg: "DISABLED_RULES=()" diff --git a/terraform/variables.tf b/terraform/variables.tf index 2b02356..e5448fd 100644 
--- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -6,7 +6,7 @@ # https://github.com/Azure/AKS/releases # az aks get-versions --location eastus --output table variable "kubernetes_version" { - default = "1.19.11" + default = "1.20.7" } # Helm charts @@ -26,7 +26,7 @@ variable "nginx_chart_version" { # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.3.1" + default = "v1.4.0" } # https://github.com/vmware-tanzu/helm-charts/releases @@ -43,7 +43,7 @@ variable "velero_image_tag" { # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.30.1" + default = "3.31.0" } # https://github.com/adamrushuk/charts/releases @@ -71,13 +71,13 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "5.0.3" + default = "5.1.1" } # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.6.0" + default = "2.7.0" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility diff --git a/terraform/versions.tf b/terraform/versions.tf index e703429..19ca5d1 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.63.0" + version = "~> 2.64.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases From 04e188abbdbd4081a826568b433fceece55ea0fe Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Wed, 23 Jun 2021 08:21:56 +0100 Subject: [PATCH 54/70] Changed chart versions --- terraform/variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/terraform/variables.tf b/terraform/variables.tf
index e5448fd..8cb2509 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -20,7 +20,7 @@ variable "kubernetes_version" {
 # helm repo update
 # helm search repo ingress-nginx/ingress-nginx
 variable "nginx_chart_version" {
- default = "3.33.0"
+ default = "3.34.0"
 }
 
 # https://hub.helm.sh/charts/jetstack/cert-manager
@@ -95,7 +95,7 @@ variable "argocd_chart_version" {
 
 # https://hub.docker.com/r/argoproj/argocd/tags
 variable "argocd_image_tag" {
- default = "v2.0.3"
+ default = "v2.0.4"
 }
 
 #endregion Versions

From 57bd9e90b7a712de4c2aaa514cc2dc877c810d55 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Wed, 23 Jun 2021 08:22:59 +0100
Subject: [PATCH 55/70] Changed aks and azurerm versions for splunk

---
 splunk/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/splunk/main.tf b/splunk/main.tf
index 6162b96..38681e2 100644
--- a/splunk/main.tf
+++ b/splunk/main.tf
@@ -5,7 +5,7 @@ terraform {
 # https://github.com/terraform-providers/terraform-provider-azurerm/releases
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.63.0"
+ version = "~> 2.64.0"
 }
 
 # https://github.com/terraform-providers/terraform-provider-azuread/releases
@@ -42,7 +42,7 @@ locals {
 # version used for both main AKS API service, and default node pool
 # https://github.com/Azure/AKS/releases
 # az aks get-versions --location uksouth --output table
- kubernetes_version = "1.18.19"
+ kubernetes_version = "1.20.7"
 location = "uksouth"
 # prefix = "ar${random_string.aks.result}" # aks dns_prefix must start with a letter
 prefix = "arsplunk" # aks dns_prefix must start with a letter

From 720bfc0746d7b0728aad8f843604a5292715c3ca Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 26 Jun 2021 08:01:18 +0100
Subject: [PATCH 56/70] Added inline yaml schema association

---
 .github/workflows/build.yml | 3 +++
 .github/workflows/destroy.yml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e7540c5..5172832 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,3 +1,6 @@
+# build - github workflow
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
 # https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions
 
 name: build
diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml
index 40991b6..8739683 100644
--- a/.github/workflows/destroy.yml
+++ b/.github/workflows/destroy.yml
@@ -1,3 +1,6 @@
+# destroy - github workflow
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
 # https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions
 
 name: destroy

From 1dc8f7c938064ac8f859b4bf211d6fc1ab2f01d1 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 26 Jun 2021 08:01:37 +0100
Subject: [PATCH 57/70] Changed chart / binary versions

---
 terraform/variables.tf | 4 ++--
 terraform/versions.tf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/terraform/variables.tf b/terraform/variables.tf
index 8cb2509..ffab8f5 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -38,12 +38,12 @@ variable "velero_chart_version" {
 
 # https://hub.docker.com/r/velero/velero/tags
 variable "velero_image_tag" {
- default = "v1.6.0"
+ default = "v1.6.1"
 }
 
 # https://hub.docker.com/r/sonatype/nexus3/tags
 variable "nexus_image_tag" {
- default = "3.31.0"
+ default = "3.31.1"
 }
 
 # https://github.com/adamrushuk/charts/releases
diff --git a/terraform/versions.tf b/terraform/versions.tf
index 19ca5d1..bea475a 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -23,13 +23,13 @@ terraform {
 # https://github.com/terraform-providers/terraform-provider-azurerm/releases
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.64.0"
+ version = "~> 2.65.0"
 }
 
 # https://github.com/terraform-providers/terraform-provider-azuread/releases
 azuread = {
 source = "hashicorp/azuread"
- version = "~> 1.5.1"
+ version = "~> 1.6.0"
 }
 
 # https://github.com/hashicorp/terraform-provider-kubernetes/releases

From 7a17ac4fb88eaae9f80f2dadec4feb42b3696769 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 3 Jul 2021 08:14:57 +0100
Subject: [PATCH 58/70] Changed chart / binary versions

---
 terraform/variables.tf | 6 +++---
 terraform/versions.tf | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/terraform/variables.tf b/terraform/variables.tf
index ffab8f5..b581e07 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -33,7 +33,7 @@ variable "cert_manager_chart_version" {
 # helm search repo vmware-tanzu/velero
 # * also update terraform/helm/velero_values.yaml
 variable "velero_chart_version" {
- default = "2.22.0"
+ default = "2.23.1"
 }
 
 # https://hub.docker.com/r/velero/velero/tags
@@ -71,7 +71,7 @@ variable "aad_pod_identity_chart_version" {
 # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21
 # helm search repo bitnami/external-dns
 variable "external_dns_chart_version" {
- default = "5.1.1"
+ default = "5.1.3"
 }
 
 # https://github.com/weaveworks/kured/tree/master/charts/kured
@@ -90,7 +90,7 @@ variable "kured_image_tag" {
 # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5
 # helm search repo argo/argo-cd
 variable "argocd_chart_version" {
- default = "3.6.8"
+ default = "3.6.11"
 }
 
 # https://hub.docker.com/r/argoproj/argocd/tags
diff --git a/terraform/versions.tf b/terraform/versions.tf
index bea475a..0ae3149 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -23,7 +23,7 @@ terraform {
 # https://github.com/terraform-providers/terraform-provider-azurerm/releases
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.65.0"
+ version = "~> 2.66.0"
 }
 
 # https://github.com/terraform-providers/terraform-provider-azuread/releases

From fe1d74f3d1b5d01a6dcdf8507821c7421ac62883 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Thu, 15 Jul 2021 08:29:54 +0100
Subject: [PATCH 59/70] Changed chart / binary versions

---
 terraform/variables.tf | 10 +++++-----
 terraform/versions.tf | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/terraform/variables.tf b/terraform/variables.tf
index b581e07..c6ff937 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -33,7 +33,7 @@ variable "cert_manager_chart_version" {
 # helm search repo vmware-tanzu/velero
 # * also update terraform/helm/velero_values.yaml
 variable "velero_chart_version" {
- default = "2.23.1"
+ default = "2.23.3"
 }
 
 # https://hub.docker.com/r/velero/velero/tags
@@ -43,7 +43,7 @@ variable "velero_image_tag" {
 
 # https://hub.docker.com/r/sonatype/nexus3/tags
 variable "nexus_image_tag" {
- default = "3.31.1"
+ default = "3.32.0"
 }
 
 # https://github.com/adamrushuk/charts/releases
@@ -64,14 +64,14 @@ variable "akv2k8s_chart_version" {
 # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4
 # helm search repo aad-pod-identity/aad-pod-identity
 variable "aad_pod_identity_chart_version" {
- default = "4.1.1"
+ default = "4.1.2"
 }
 
 # https://bitnami.com/stack/external-dns/helm
 # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21
 # helm search repo bitnami/external-dns
 variable "external_dns_chart_version" {
- default = "5.1.3"
+ default = "5.1.4"
 }
 
 # https://github.com/weaveworks/kured/tree/master/charts/kured
@@ -90,7 +90,7 @@ variable "kured_image_tag" {
 # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5
 # helm search repo argo/argo-cd
 variable "argocd_chart_version" {
- default = "3.6.11"
+ default = "3.9.0"
 }
 
 # https://hub.docker.com/r/argoproj/argocd/tags
diff --git a/terraform/versions.tf b/terraform/versions.tf
index 0ae3149..8912015 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -23,7 +23,7 @@ terraform {
 # https://github.com/terraform-providers/terraform-provider-azurerm/releases
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.66.0"
+ version = "~> 2.67.0"
 }
 
 # https://github.com/terraform-providers/terraform-provider-azuread/releases

From c1e332929d2a814c3012cb8f40abe6f709f4d40e Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 31 Jul 2021 08:28:55 +0100
Subject: [PATCH 60/70] Bumped chart / binary versions

---
 .github/workflows/build.yml | 6 +++---
 .github/workflows/destroy.yml | 2 +-
 terraform/helm/velero_default_values.yaml | 24 +++++++++++++++++++----
 terraform/helm/velero_values.yaml | 2 +-
 terraform/variables.tf | 18 ++++++++---------
 terraform/versions.tf | 12 ++++++------
 6 files changed, 40 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5172832..5602027 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -61,12 +61,12 @@ env:
 TF_INPUT: "false"
 TF_PLAN: "tfplan"
 # https://github.com/hashicorp/terraform/releases
- TF_VERSION: "1.0.0"
+ TF_VERSION: "1.0.3"
 TF_WORKING_DIR: ./terraform
 # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases
- TFLINT_RULESET_AZURERM_VERSION: "v0.10.1"
+ TFLINT_RULESET_AZURERM_VERSION: "v0.11.0"
 # https://github.com/terraform-linters/tflint/releases
- TFLINT_VERSION: "v0.29.1"
+ TFLINT_VERSION: "v0.30.0"
 
 # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:
 # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489
diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml
index 8739683..65d4777 100644
--- a/.github/workflows/destroy.yml
+++ b/.github/workflows/destroy.yml
@@ -55,7 +55,7 @@ env:
 TF_LOG_PATH: terraform.log
 TF_LOG: TRACE
 # https://github.com/hashicorp/terraform/releases
- TF_VERSION: "1.0.0"
+ TF_VER​SION: "1.0.3"
 TF_WORKING_DIR: terraform
 
 # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:
diff --git a/terraform/helm/velero_default_values.yaml b/terraform/helm/velero_default_values.yaml
index 5bdaa59..191ec44 100644
--- a/terraform/helm/velero_default_values.yaml
+++ b/terraform/helm/velero_default_values.yaml
@@ -8,7 +8,7 @@
 # enabling restic). Required.
 image:
 repository: velero/velero
- tag: v1.6.0
+ tag: v1.6.2
 # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38.
 # If used, it will take precedence over the image.tag.
 # digest:
@@ -63,9 +63,18 @@ initContainers: []
 # SecurityContext to use for the Velero deployment. Optional.
 # Set fsGroup for `AWS IAM Roles for Service Accounts`
 # see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
-securityContext: {}
+podSecurityContext: {}
 # fsGroup: 1337
 
+# Container Level Security Context for the 'velero' container of the Velero deployment. Optional.
+# See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+containerSecurityContext: {}
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop: ["ALL"]
+ # add: []
+ # readOnlyRootFilesystem: true
+
 # Pod priority class name to use for the Velero deployment. Optional.
 priorityClassName: ""
 
@@ -329,9 +338,14 @@ restic:
 # SecurityContext to use for the Velero deployment. Optional.
 # Set fsGroup for `AWS IAM Roles for Service Accounts`
 # see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
- securityContext: {}
+ podSecurityContext:
+ runAsUser: 0
 # fsGroup: 1337
 
+ # Container Level Security Context for the 'restic' container of the restic DaemonSet. Optional.
+ # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ containerSecurityContext: {}
+
 # Node selector to use for the Restic daemonset. Optional.
 nodeSelector: {}
 
@@ -339,11 +353,13 @@ restic:
 # Eg:
 # schedules:
 # mybackup:
+# disabled: false
 # labels:
 # myenv: foo
 # annotations:
 # myenv: foo
 # schedule: "0 0 * * *"
+# useOwnerReferencesInBackup: true
 # template:
 # ttl: "240h"
 # includedNamespaces:
@@ -358,7 +374,7 @@ schedules: {}
 # velero.io/plugin-config: ""
 # velero.io/restic: RestoreItemAction
 # data:
-# image: velero/velero-restic-restore-helper:v1.6.0
+# image: velero/velero-restic-restore-helper:v1.6.2
 configMaps: {}
 
 ##
diff --git a/terraform/helm/velero_values.yaml b/terraform/helm/velero_values.yaml
index 0018069..6c59cc2 100644
--- a/terraform/helm/velero_values.yaml
+++ b/terraform/helm/velero_values.yaml
@@ -5,7 +5,7 @@ initContainers:
 
 - name: velero-plugin-for-microsoft-azure
 # https://hub.docker.com/r/velero/velero-plugin-for-microsoft-azure/tags
- image: velero/velero-plugin-for-microsoft-azure:v1.2.0
+ image: velero/velero-plugin-for-microsoft-azure:v1.2.1
 imagePullPolicy: IfNotPresent
 volumeMounts:
 - mountPath: /target
diff --git a/terraform/variables.tf b/terraform/variables.tf
index c6ff937..b1164de 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -6,7 +6,7 @@
 # https://github.com/Azure/AKS/releases
 # az aks get-versions --location eastus --output table
 variable "kubernetes_version" {
- default = "1.20.7"
+ default = "1.19.11"
 }
 
 # Helm charts
@@ -26,19 +26,19 @@ variable "nginx_chart_version" {
 # https://hub.helm.sh/charts/jetstack/cert-manager
 # helm search repo jetstack/cert-manager
 variable "cert_manager_chart_version" {
- default = "v1.4.0"
+ default = "v1.4.1"
 }
 
 # https://github.com/vmware-tanzu/helm-charts/releases
 # helm search repo vmware-tanzu/velero
 # * also update terraform/helm/velero_values.yaml
 variable "velero_chart_version" {
- default = "2.23.3"
+ default = "2.23.5"
 }
 
 # https://hub.docker.com/r/velero/velero/tags
 variable "velero_image_tag" {
- default = "v1.6.1"
+ default = "v1.6.2"
 }
 
 # https://hub.docker.com/r/sonatype/nexus3/tags
@@ -64,20 +64,20 @@ variable "akv2k8s_chart_version" {
 # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4
 # helm search repo aad-pod-identity/aad-pod-identity
 variable "aad_pod_identity_chart_version" {
- default = "4.1.2"
+ default = "4.1.3"
 }
 
 # https://bitnami.com/stack/external-dns/helm
 # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21
 # helm search repo bitnami/external-dns
 variable "external_dns_chart_version" {
- default = "5.1.4"
+ default = "5.2.2"
 }
 
 # https://github.com/weaveworks/kured/tree/master/charts/kured
 # helm search repo kured/kured
 variable "kured_chart_version" {
- default = "2.7.0"
+ default = "2.8.0"
 }
 
 # https://github.com/weaveworks/kured#kubernetes--os-compatibility
@@ -90,12 +90,12 @@ variable "kured_image_tag" {
 # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5
 # helm search repo argo/argo-cd
 variable "argocd_chart_version" {
- default = "3.9.0"
+ default = "3.11.1"
 }
 
 # https://hub.docker.com/r/argoproj/argocd/tags
 variable "argocd_image_tag" {
- default = "v2.0.4"
+ default = "v2.0.5"
 }
 
 #endregion Versions
diff --git a/terraform/versions.tf b/terraform/versions.tf
index 8912015..3a55fef 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -23,7 +23,7 @@ terraform {
 # https://github.com/terraform-providers/terraform-provider-azurerm/releases
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.67.0"
+ version = "~> 2.70.0"
 }
 
 # https://github.com/terraform-providers/terraform-provider-azuread/releases
@@ -46,27 +46,27 @@ terraform {
 
 random = {
 source = "hashicorp/random"
- version = "~> 2.2"
+ version = "~> 3.1"
 }
 
 tls = {
 source = "hashicorp/tls"
- version = "~> 2.1"
+ version = "~> 3.1"
 }
 
 local = {
 source = "hashicorp/local"
- version = "~> 2.0"
+ version = "~> 2.1"
 }
 
 null = {
 source = "hashicorp/null"
- version = "~> 3.0"
+ version = "~> 3.1"
 }
 
 template = {
 source = "hashicorp/template"
- version = "~> 2.0"
+ version = "~> 2.2"
 }
 }
 }

From 5924b2eda568220d28ab928d98ace0b2dd2c2b23 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 31 Jul 2021 09:11:00 +0100
Subject: [PATCH 61/70] Changed aks module versions to v0.9.0

---
 terraform/aks.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/aks.tf b/terraform/aks.tf
index fd42e39..1bd4111 100644
--- a/terraform/aks.tf
+++ b/terraform/aks.tf
@@ -54,7 +54,7 @@ resource "azurerm_log_analytics_solution" "aks" {
 # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest
 module "aks" {
 source = "adamrushuk/aks/azurerm"
- version = "~> 0.8.0"
+ version = "~> 0.9.0"
 
 kubernetes_version = var.kubernetes_version
 location = azurerm_resource_group.aks.location

From 99bebc6b1d9c093b882e6c775f1a84885aebe53e Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 31 Jul 2021 09:45:13 +0100
Subject: [PATCH 62/70] Fixed azuread_application deprecated warnings

---
 terraform/argocd_sso.tf | 24 ++++++++++++++---------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf
index 4468186..fbb446f 100644
--- a/terraform/argocd_sso.tf
+++ b/terraform/argocd_sso.tf
@@ -12,15 +12,20 @@ resource "random_password" "argocd" {
 
 # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application
 resource "azuread_application" "argocd" {
- display_name = var.argocd_app_reg_name
- prevent_duplicate_names = true
- homepage = "https://${var.argocd_fqdn}"
- identifier_uris = ["https://${var.argocd_app_reg_name}"]
- reply_urls = ["https://${var.argocd_fqdn}/auth/callback"]
- available_to_other_tenants = false
- oauth2_allow_implicit_flow = false
- # owners = []
+ display_name = var.argocd_app_reg_name
+ identifier_uris = ["https://${var.argocd_app_reg_name}"]
+ sign_in_audience = "AzureADMyOrg"
 group_membership_claims = "All"
+ prevent_duplicate_names = true
+
+ web {
+ homepage_url = "https://${var.argocd_fqdn}"
+ redirect_uris = ["https://${var.argocd_fqdn}/auth/callback"]
+
+ implicit_grant {
+ access_token_issuance_enabled = false
+ }
+ }
 
 # you can check manually created app reg info in the app reg manifest tab
 # reference: https://github.com/mjisaak/azure-active-directory/blob/master/README.md#well-known-appids
@@ -67,8 +72,7 @@ resource "azuread_application_password" "argocd" {
 depends_on = [azuread_service_principal.argocd]
 }
 
-data "azurerm_client_config" "current" {
-}
+data "azurerm_client_config" "current" {}
 
 # argocd-cm patch
 

From 94e49bafc99c770375919ed995df451c31e6022c Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 31 Jul 2021 12:03:27 +0100
Subject: [PATCH 63/70] Changed argo chart and image to older versions

---
 terraform/variables.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/terraform/variables.tf b/terraform/variables.tf
index b1164de..009a75c 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
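Review bot: `group_membership_claims = "All"` in the rewritten `azuread_application.argocd` block asks Azure AD to put every security group, distribution group and directory role into the token; once a user belongs to more groups than the per-token limit (200 for JWTs) Azure AD omits the claim and emits an overage marker instead, and group-based RBAC in Argo CD then silently stops matching that user. If Argo CD's policy only maps security groups, narrowing this to `group_membership_claims = "SecurityGroup"` (or assigning the relevant groups to the app and using `"ApplicationGroup"`) keeps the claim small and the failure mode visible. The rest of the change — `sign_in_audience = "AzureADMyOrg"` and `access_token_issuance_enabled = false` under `implicit_grant` — tightens the registration sensibly. The resource's remaining arguments are outside the hunk.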
@@ -90,12 +90,12 @@ variable "kured_image_tag" {
 # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5
 # helm search repo argo/argo-cd
 variable "argocd_chart_version" {
- default = "3.11.1"
+ default = "2.17.2"
 }
 
 # https://hub.docker.com/r/argoproj/argocd/tags
 variable "argocd_image_tag" {
- default = "v2.0.5"
+ default = "v1.8.7"
 }
 
 #endregion Versions

From 39d57d05e6beda71f94a3d005c90879a0d1aa7ea Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 31 Jul 2021 12:36:53 +0100
Subject: [PATCH 64/70] Changed argocd cli to v1.8.7

---
 terraform/files/scripts/argocd_config.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh
index a22a17f..7ca25e4 100644
--- a/terraform/files/scripts/argocd_config.sh
+++ b/terraform/files/scripts/argocd_config.sh
@@ -13,7 +13,7 @@ export ARGOCD_OPTS="--grpc-web"
 ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz"
 
 # Install
-VERSION="v2.0.0"
+VERSION="v1.8.7"
 curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64"
 chmod +x "$ARGOCD_PATH"
 

From fb3ec43ecf67363d6c2176656b685afa3d95473c Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 31 Jul 2021 12:37:03 +0100
Subject: [PATCH 65/70] Changed group_membership_claims to a list

---
 terraform/argocd_sso.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf
index fbb446f..47e8ce1 100644
--- a/terraform/argocd_sso.tf
+++ b/terraform/argocd_sso.tf
@@ -15,7 +15,7 @@ resource "azuread_application" "argocd" {
 display_name = var.argocd_app_reg_name
 identifier_uris = ["https://${var.argocd_app_reg_name}"]
 sign_in_audience = "AzureADMyOrg"
- group_membership_claims = "All"
+ group_membership_claims = ["All"]
 prevent_duplicate_names = true
 
 web {
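Review bot: The `curl -sSL -o "$ARGOCD_PATH" …` line directly under the changed `VERSION=` in argocd_config.sh fetches the CLI binary and marks it executable with no integrity check, so a tampered or truncated release asset would run with the cluster credentials this script holds; the same hunk is touched again in PATCH 68/70. Pinning the expected digest next to the version and checking it before `chmod +x` makes the download reproducible and any drift detectable, e.g. `echo "<EXPECTED_SHA256>  $ARGOCD_PATH" | sha256sum -c -` (placeholder to be filled from the checksum published with the release). The version bump itself is fine; the remainder of the script is outside the hunk.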
@@ -65,7 +65,7 @@ resource "azuread_service_principal" "argocd" {
 # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password
 resource "azuread_application_password" "argocd" {
 application_object_id = azuread_application.argocd.id
- description = "argocd_secret"
+ display_name = "argocd_secret"
 value = random_password.argocd.result
 end_date = "2099-01-01T01:02:03Z"
 

From 6539a92f141fa07d03d42084c3214b40a64db61f Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 31 Jul 2021 12:42:44 +0100
Subject: [PATCH 66/70] Changed group_membership_claims back to string

---
 terraform/argocd_sso.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf
index 47e8ce1..19ab3b5 100644
--- a/terraform/argocd_sso.tf
+++ b/terraform/argocd_sso.tf
@@ -15,7 +15,7 @@ resource "azuread_application" "argocd" {
 display_name = var.argocd_app_reg_name
 identifier_uris = ["https://${var.argocd_app_reg_name}"]
 sign_in_audience = "AzureADMyOrg"
- group_membership_claims = ["All"]
+ group_membership_claims = "All"
 prevent_duplicate_names = true
 
 web {

From 166a5c7b83cd0da442c10fdb0f6bee081a59d5d5 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 31 Jul 2021 12:47:41 +0100
Subject: [PATCH 67/70] Revert argocd cli password logic

---
 terraform/files/scripts/argocd_config.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh
index 7ca25e4..61bf45e 100644
--- a/terraform/files/scripts/argocd_config.sh
+++ b/terraform/files/scripts/argocd_config.sh
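Review bot: The rename to `display_name` is the right fix for the newer azuread provider, but the credential this resource creates still carries `end_date = "2099-01-01T01:02:03Z"` — effectively a client secret that never expires — and its `value` is a `random_password` result, which Terraform keeps in plaintext in state. A bounded lifetime such as `end_date_relative = "8760h"` with a planned rotation, plus a state backend whose access is restricted accordingly, limits how long a leaked state file or secret stays usable. The resource's `depends_on` and closing brace are outside the hunk.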
@@ -29,10 +29,9 @@ echo "Showing Argo CD version info for [$ARGOCD_FQDN]..."
 "$ARGOCD_PATH" version --server "$ARGOCD_FQDN"
 
 # Get default admin password
-# Argo CD v1.9 and later: https://argoproj.github.io/argo-cd/getting_started/#4-login-using-the-cli
-# check secret called "argocd-initial-admin-secret"
+# default password is server pod name, eg: "argocd-server-89c6cd7d4-xxxxx"
 echo "Getting default admin password..."
-DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d)
+DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2)
 
 # Login
 echo "Logging in to Argo CD with default password..."

From e4d0cb51c208655e6c02a7a2e217cacdbde6485b Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 31 Jul 2021 13:08:36 +0100
Subject: [PATCH 68/70] Revert argocd cli script

---
 terraform/files/scripts/argocd_config.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh
index 61bf45e..eced4e9 100644
--- a/terraform/files/scripts/argocd_config.sh
+++ b/terraform/files/scripts/argocd_config.sh
@@ -13,7 +13,7 @@ export ARGOCD_OPTS="--grpc-web"
 ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz"
 
 # Install
-VERSION="v1.8.7"
+VERSION="v2.0.5"
 curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64"
 chmod +x "$ARGOCD_PATH"
 
@@ -29,9 +29,10 @@ echo "Showing Argo CD version info for [$ARGOCD_FQDN]..."
 "$ARGOCD_PATH" version --server "$ARGOCD_FQDN"
 
 # Get default admin password
-# default password is server pod name, eg: "argocd-server-89c6cd7d4-xxxxx"
+# Argo CD v1.9 and later: https://argoproj.github.io/argo-cd/getting_started/#4-login-using-the-cli
+# check secret called "argocd-initial-admin-secret"
 echo "Getting default admin password..."
-DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2)
+DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d)
 
 # Login
 echo "Logging in to Argo CD with default password..."

From 6ba3bea33271c83c1315b8539bda06bab95587b7 Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 31 Jul 2021 13:09:05 +0100
Subject: [PATCH 69/70] Bumped argocd chart and image tag

---
 terraform/variables.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/terraform/variables.tf b/terraform/variables.tf
index 009a75c..b1164de 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -90,12 +90,12 @@ variable "kured_image_tag" {
 # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5
 # helm search repo argo/argo-cd
 variable "argocd_chart_version" {
- default = "2.17.2"
+ default = "3.11.1"
 }
 
 # https://hub.docker.com/r/argoproj/argocd/tags
 variable "argocd_image_tag" {
- default = "v1.8.7"
+ default = "v2.0.5"
 }
 
 #endregion Versions

From 32672d5a9d585a0b9c37a15021e7b55bf45bd59f Mon Sep 17 00:00:00 2001
From: Adam Rush
Date: Sat, 31 Jul 2021 13:27:08 +0100
Subject: [PATCH 70/70] Added cli version comment

---
 terraform/variables.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/terraform/variables.tf b/terraform/variables.tf
index b1164de..0c7be55 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
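Review bot: After the restored `DEFAULT_ARGO_ADMIN_PASSWORD=$(kubectl -n argocd get secret argocd-initial-admin-secret …)` line is used to log in, nothing in this hunk removes that Secret, and the Argo CD getting-started guide the new comment links to recommends deleting it once the admin password has been changed, because otherwise the bootstrap credential stays readable to anyone who can read Secrets in the `argocd` namespace. If the later part of the script (outside the hunk) does not already do this, `kubectl -n argocd delete secret argocd-initial-admin-secret` after the password change closes that window. Holding the decoded value in a shell variable is acceptable provided the script is not run with `set -x`, which I cannot confirm from this hunk.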
@@ -94,6 +94,7 @@ variable "argocd_chart_version" {
 }
 
 # https://hub.docker.com/r/argoproj/argocd/tags
+# * also update cli version: terraform/files/scripts/argocd_config.sh#L16
 variable "argocd_image_tag" {
 default = "v2.0.5"
 }