25 Commits

Author SHA1 Message Date
unkinben f03eb6f651 feat: deploy argocd-image-updater via Helm
Deploys ArgoCD Image Updater into the argocd-image-updater namespace.
Vault-managed secrets provide registry credentials for git.unkin.net
and an ArgoCD API token.

Prerequisites before syncing:
- Create Vault role argocd-image-updater in k8s/au/syd1
- Populate kv/service/argocd-image-updater/registry-creds (key: creds, value: <user>:<token>)
- Create ArgoCD local user image-updater and store token at kv/service/argocd-image-updater/argocd-token
2026-05-10 22:53:06 +10:00
unkinben 296c569cc8 feat: move artifactapi to image-updater ApplicationSet with annotations
Moves artifactapi out of platform-apps ApplicationSet and into a dedicated
image-updater-apps ApplicationSet so image updater annotations are scoped
only to artifactapi. Reserves apps/overlays/*/argocd-image-updater in
platform-apps for the image updater deployment (followup).
2026-05-10 22:51:25 +10:00
unkinben c1d831176d feat(artifactapi): add argo-helm as a remote and virtual helm member
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
2026-05-10 22:50:14 +10:00
unkinben 1cefd3b78e feat: change argocd crds source to artifactapi (#118)
- migrate argocd crds to come from the artifactapi service

Reviewed-on: #118
2026-05-10 21:12:44 +10:00
unkinben 842d774fc3 feat: deploy gatewayapi crds (#117)
- enable gateway api crds

Reviewed-on: #117
2026-05-10 21:05:56 +10:00
unkinben 4c8827ce35 feat: add traefik/gatewayapi (#116)
enable access to charts/containers/api-specs so that we can migrate from
nginx-ingress to gateway api and traefik

Reviewed-on: #116
2026-05-10 17:07:33 +10:00
unkinben 5e03215f4d chore: migrate reloader/reflector to virtual/helm (#115)
Reviewed-on: #115
2026-05-05 21:42:23 +10:00
unkinben 02ee82da1e feat: update vso to 1.3.0 (#114)
- updates the vso helm chart from 1.2.0 to 1.3.0

Reviewed-on: #114
2026-05-05 00:01:58 +10:00
unkinben 18c519f979 chore: remove hashicorp helm repo (#113)
- no longer required, this is in virtual/helm repo in artifactapi

Reviewed-on: #113
2026-05-03 23:51:44 +10:00
unkinben dd0e297c14 chore: mount vault CA for helm TLS trust and add ArgoCD self-management (#112)
- Patch argocd-repo-server to mount vault-ca-cert and set SSL_CERT_DIR
  so helm subprocesses trust the internal CA when pulling charts
- Add argocd Application pointing at clusters/au-syd1/bootstrap so
  ArgoCD manages its own install going forward

Reviewed-on: #112
2026-05-03 22:47:53 +10:00
unkinben 6fb98d66b0 chore: add vault CA cert to argocd-tls-certs-cm for helm TLS trust (#111)
Patches argocd-tls-certs-cm with the Vault CA chain so ArgoCD can
verify TLS when pulling Helm charts from artifactapi.k8s.syd1.au.unkin.net.

Reviewed-on: #111
2026-05-03 17:13:25 +10:00
unkinben bcea7df925 chore: swap vso to virtual helm repo (#109)
- testing if there will be any changes after merging, before merging all of them

Reviewed-on: #109
2026-05-03 16:49:53 +10:00
unkinben f45194282b chore: add resource requests/limits to workflows (#110)
have seen some contention on woodpecker jobs, because they are not being
scheduled correctly. we need to set correct limits/requests so that they
can be accurately scheduled.

- set limits/requests for all workflows

Reviewed-on: #110
2026-05-03 16:49:46 +10:00
unkinben 260b2d4364 chore: mount vault CA cert for Node.js TLS trust in paperclip (#108)
Mount the vault-ca-cert secret and set NODE_EXTRA_CA_CERTS so Node.js
trusts the internal CA chain when making outbound TLS connections.

Reviewed-on: #108
2026-05-03 00:10:08 +10:00
unkinben 156b545249 fix: set Host header on paperclip health probes to bypass hostname guard (#107)
The privateHostnameGuard middleware blocks requests where the Host header
is not in the allowlist. Kubelet httpGet probes use the pod IP as the
Host header, which is never in the allowlist. Setting Host: localhost
ensures probes are always permitted.

Reviewed-on: #107
2026-05-02 23:01:59 +10:00
unkinben 0883f327e9 chore: update trusted hostnames (#106)
- remove scheme from paperclip.k8s..
- add localhost (what probe is hitting)

Reviewed-on: #106
2026-05-02 22:40:21 +10:00
unkinben 04b7c04366 chore: fix livenessProbe for paperclip (#105)
Reviewed-on: #105
2026-05-02 22:28:52 +10:00
unkinben 9914186fd5 chore: additional paperclip environment variables (#104)
https://github.com/paperclipai/paperclip/issues/3121
Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/104
2026-05-02 22:11:38 +10:00
unkinben f55b7065f1 fix: rename pgpooler to include rw (#103)
- undo previous change (target pgcluster name)
- actually rename the pgpooler

Reviewed-on: #103
2026-05-02 21:39:51 +10:00
unkinben 87a5a271c3 fix: set pgpooler name to include -rw (#102)
- this matches the credentials set for paperclip

Reviewed-on: #102
2026-05-02 21:35:23 +10:00
unkinben 8e7bc289f6 chore: enable access to paperclip namespace (#101)
Reviewed-on: #101
2026-05-02 21:30:59 +10:00
unkinben e156cd10bd feat: deploy paperclip to au-syd1 via ArgoCD (aitooling project) (#100)
Adds base manifests and au-syd1 overlay for Paperclip (AI agent
orchestration platform), following the litellm deployment pattern.
Updates aitooling ApplicationSet to include the paperclip path.

Closes #99

Reviewed-on: #100
2026-05-02 21:27:51 +10:00
unkinben fe714694bf chore: bump artifactapi to 2.7.2 (#98)
Reviewed-on: #98
2026-05-02 17:19:56 +10:00
unkinben 6138afb98b feat: add litellm-env configmap with STORE_MODEL_IN_DB=True (#97)
Reviewed-on: #97
2026-05-01 22:17:53 +10:00
unkinben 949ddb76e4 chore: litellm ooming (#95)
- update memory and cpu resources

Reviewed-on: #95
2026-05-01 21:54:00 +10:00
45 changed files with 692 additions and 28 deletions
+10
@@ -6,3 +6,13 @@ steps:
image: git.unkin.net/unkin/almalinux9-kubetest:20260319
commands:
- make kubeconform
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
+10
@@ -6,3 +6,13 @@ steps:
image: git.unkin.net/unkin/almalinux9-base:20260308
commands:
- uvx pre-commit run --all-files
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 256Mi
cpu: 250m
limits:
memory: 1Gi
cpu: 1
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: argocd-image-updater
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: argocd-image-updater
spec:
allowedNamespaces:
- argocd-image-updater
kubernetes:
audiences:
- vault
role: argocd-image-updater
serviceAccount: argocd-image-updater
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
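Review bot: the pairing `role: argocd-image-updater` / `serviceAccount: argocd-image-updater` only works if the Vault Kubernetes auth role is bound to exactly that service account in the `argocd-image-updater` namespace with audience `vault`; the commit message lists "Create Vault role argocd-image-updater in k8s/au/syd1" as a prerequisite but not the bound service account, namespace or audience. Suggest recording those three values in the prerequisite (or a README beside this manifest) so the binding is not widened to `*` when the role is recreated.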
@@ -0,0 +1,40 @@
---
# Credentials for polling the git.unkin.net container registry.
# Vault KV path: kv/service/argocd-image-updater/registry-creds
# Required key: creds — value format: "<username>:<token>"
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: registry-creds
namespace: argocd-image-updater
spec:
destination:
create: true
name: registry-creds
overwrite: true
hmacSecretData: true
mount: kv
path: service/argocd-image-updater/registry-creds
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
# ArgoCD API token for image updater to discover and update Applications.
# Vault KV path: kv/service/argocd-image-updater/argocd-token
# Required key: token — generate via: argocd account generate-token --account image-updater
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: argocd-token
namespace: argocd-image-updater
spec:
destination:
create: true
name: argocd-token
overwrite: true
hmacSecretData: true
mount: kv
path: service/argocd-image-updater/argocd-token
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
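Review bot: the hint `argocd account generate-token --account image-updater` on the second document produces a token with no expiry unless `--expires-in` is passed, and that token is mounted straight into the updater pod through the `argocd-token` secret. Suggest the comment also state an expiry and the rotation step (regenerate, write the new value to `kv/service/argocd-image-updater/argocd-token`; `refreshAfter: 5m` picks it up), and that the `image-updater` local user be limited to the `applications` get/update permissions the updater needs rather than an admin role.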
@@ -19,7 +19,7 @@ spec:
automountServiceAccountToken: true
containers:
- name: artifactapi
image: git.unkin.net/unkin/artifactapi:v2.7.1
image: git.unkin.net/unkin/artifactapi:v2.7.2
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8000
@@ -30,6 +30,7 @@ remotes:
- "^hashicorp/vault-secrets-operator"
- "^jfrog/"
- "^rancher/"
- "^traefik/"
- "^ubi9/ubi-minimal"
- "^victoriametrics/"
- "^woodpeckerci/"
@@ -26,6 +26,7 @@ remotes:
- "helmfile/helmfile/.*/helmfile_.*_linux_amd64.tar.gz$"
- "helmfile/vals/.*/vals_.*_linux_amd64.tar.gz$"
- "jesseduffield/lazydocker/.*/lazydocker_.*_Linux_x86_64.tar.gz$"
- "kubernetes-sigs/gateway-api/.*/standard-install.yaml$"
- "lxc/incus/.*.tar.gz$"
- "mikefarah/yq/.*/yq_linux_amd64$"
- "neovim/neovim-releases/.*/nvim-linux-x86_64.tar.gz$"
@@ -109,6 +109,17 @@ remotes:
immutable_ttl: 0
mutable_ttl: 3600
traefik:
base_url: "https://traefik.github.io/charts"
package: "helm"
description: "Traefik Helm charts"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
victoriametrics:
base_url: "https://victoriametrics.github.io/helm-charts/"
package: "helm"
@@ -119,3 +130,14 @@ remotes:
cache:
immutable_ttl: 0
mutable_ttl: 3600
argo-helm:
base_url: "https://argoproj.github.io/argo-helm"
package: "helm"
description: "Argo Project Helm charts (ArgoCD, Image Updater, Rollouts, etc.)"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
@@ -13,4 +13,6 @@ virtuals:
- purelb
- rancher-stable
- stakater
- traefik
- victoriametrics
- argo-helm
@@ -7,12 +7,12 @@ resources:
helmCharts:
- name: intel-device-plugins-operator
repo: https://intel.github.io/helm-charts/
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.35.0"
releaseName: intel-device-plugins-operator
namespace: inteldeviceplugins-system
- name: intel-device-plugins-gpu
repo: https://intel.github.io/helm-charts/
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.34.1"
releaseName: intel-gpu-plugin
namespace: inteldeviceplugins-system
+7 -3
@@ -10,6 +10,8 @@ spec:
app: litellm
template:
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app: litellm
spec:
@@ -31,6 +33,8 @@ spec:
envFrom:
- secretRef:
name: litellm-credentials
- configMapRef:
name: litellm-env
livenessProbe:
httpGet:
path: /health/liveliness
@@ -51,11 +55,11 @@ spec:
timeoutSeconds: 5
resources:
limits:
cpu: "1"
memory: 2Gi
cpu: "2"
memory: 6Gi
requests:
cpu: 250m
memory: 512Mi
memory: 2Gi
volumeMounts:
- mountPath: /app/config.yaml
name: config
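Review bot: the new limits (`cpu: "2"`, `memory: 6Gi`) against requests (`cpu: 250m`, `memory: 2Gi`) leave the pod Burstable with a 4Gi gap, so under node memory pressure it is an early eviction candidate even though an OOM was the reason for the change. If the observed steady state of litellm is well above 2Gi, move the request nearer to it; if 6Gi is a ceiling rather than an expectation, add a one-line comment with the observed peak so the next reader can tell which.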
+5
@@ -21,3 +21,8 @@ configMapGenerator:
- config.yaml=resources/config.yaml
options:
disableNameSuffixHash: true
- name: litellm-env
literals:
- STORE_MODEL_IN_DB=True
options:
disableNameSuffixHash: true
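Review bot: `disableNameSuffixHash: true` on `litellm-env` means a change to `STORE_MODEL_IN_DB` (or any literal added later) keeps the ConfigMap name and will not roll the Deployment by itself; this relies entirely on the `reloader.stakater.com/auto: "true"` annotation added to the litellm Deployment in this change. Worth a comment here naming that dependency so the annotation is not removed independently.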
+91
@@ -0,0 +1,91 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: paperclip-postgres
namespace: paperclip
spec:
affinity:
podAntiAffinityType: preferred
bootstrap:
initdb:
database: paperclip
encoding: UTF8
localeCType: C
localeCollate: C
owner: paperclip
secret:
name: postgres-credentials
enablePDB: true
enableSuperuserAccess: false
failoverDelay: 0
imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie
instances: 3
logLevel: info
maxSyncReplicas: 0
minSyncReplicas: 0
monitoring:
customQueriesConfigMap:
- key: queries
name: cnpg-default-monitoring
disableDefaultQueries: false
enablePodMonitor: false
postgresql:
parameters:
archive_mode: "on"
archive_timeout: 5min
dynamic_shared_memory_type: posix
effective_cache_size: 256MB
full_page_writes: "on"
log_destination: csvlog
log_directory: /controller/log
log_filename: postgres
log_rotation_age: "0"
log_rotation_size: "0"
log_truncate_on_rotation: "false"
logging_collector: "on"
max_connections: "200"
max_parallel_workers: "16"
max_replication_slots: "16"
max_worker_processes: "16"
shared_buffers: 128MB
shared_memory_type: mmap
ssl_max_protocol_version: TLSv1.3
ssl_min_protocol_version: TLSv1.3
wal_keep_size: 256MB
wal_level: logical
wal_log_hints: "on"
wal_receiver_timeout: 5s
wal_sender_timeout: 5s
syncReplicaElectionConstraint:
enabled: false
primaryUpdateMethod: restart
primaryUpdateStrategy: unsupervised
probes:
liveness:
isolationCheck:
connectionTimeout: 1000
enabled: true
requestTimeout: 1000
replicationSlots:
highAvailability:
enabled: true
slotPrefix: _cnpg_
synchronizeReplicas:
enabled: true
updateInterval: 30
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
smartShutdownTimeout: 180
startDelay: 3600
stopDelay: 1800
storage:
resizeInUseVolumes: true
size: 10Gi
storageClass: cephrbd-fast-delete
switchoverDelay: 3600
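Review bot: `imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie` is a floating tag, so a pod recreation on one instance can pull a different minor release than the other two in this 3-instance cluster; pin a full version tag or a digest and let bumps be reviewed commits. `enableSuperuserAccess: false` and the TLSv1.3-only `ssl_min_protocol_version`/`ssl_max_protocol_version` are good; `wal_level: logical` is only needed if logical replication or CDC is planned, otherwise `replica` produces less WAL.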
+33
@@ -0,0 +1,33 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: paperclip-pooler-rw
namespace: paperclip
spec:
cluster:
name: paperclip-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: pooler
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pooler
topologyKey: kubernetes.io/hostname
containers: []
type: rw
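Review bot: `instances: 2` with `default_pool_size: "100"` allows up to 200 server-side connections from the pooler alone, which equals the Cluster's `max_connections: "200"` in the hunk above and leaves nothing for the CNPG operator, monitoring queries or an operator connecting directly; lower `default_pool_size` (or raise `max_connections` on the Cluster) so the pooler cannot starve the instance. With `poolMode: session` each client holds a server connection for its whole session, so `max_client_conn: "400"` cannot be served concurrently beyond the pool size and excess clients will queue.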
+108
@@ -0,0 +1,108 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: paperclip
namespace: paperclip
spec:
selector:
matchLabels:
app: paperclip
template:
metadata:
labels:
app: paperclip
spec:
containers:
- name: paperclip
image: ghcr.io/paperclipai/paperclip:latest
imagePullPolicy: Always
ports:
- containerPort: 3100
name: http
protocol: TCP
env:
- name: PORT
value: "3100"
- name: PAPERCLIP_BIND
value: custom
- name: PAPERCLIP_BIND_HOST
value: 0.0.0.0
- name: PAPERCLIP_API_URL
value: https://paperclip.k8s.syd1.au.unkin.net
- name: BETTER_AUTH_BASE_URL
value: https://paperclip.k8s.syd1.au.unkin.net
- name: PAPERCLIP_ALLOWED_HOSTNAMES
value: paperclip.k8s.syd1.au.unkin.net,localhost
- name: PAPERCLIP_HOME
value: /paperclip
- name: PAPERCLIP_INSTANCE_ID
value: default
- name: PAPERCLIP_DEPLOYMENT_MODE
value: authenticated
- name: PAPERCLIP_DEPLOYMENT_EXPOSURE
value: private
- name: SERVE_UI
value: "true"
- name: HEARTBEAT_SCHEDULER_ENABLED
value: "true"
- name: PAPERCLIP_MIGRATION_AUTO_APPLY
value: "true"
- name: PAPERCLIP_STORAGE_PROVIDER
value: s3
- name: PAPERCLIP_STORAGE_S3_BUCKET
value: paperclip
- name: PAPERCLIP_STORAGE_S3_REGION
value: us-east-1
- name: PAPERCLIP_STORAGE_S3_ENDPOINT
value: https://radosgw.service.consul
- name: PAPERCLIP_STORAGE_S3_FORCE_PATH_STYLE
value: "true"
- name: NODE_EXTRA_CA_CERTS
value: /etc/ssl/paperclip/ca.crt
envFrom:
- secretRef:
name: paperclip-credentials
volumeMounts:
- name: vault-ca-cert
mountPath: /etc/ssl/paperclip
readOnly: true
livenessProbe:
httpGet:
path: /api/health
port: 3100
httpHeaders:
- name: Host
value: localhost
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /api/health
port: 3100
httpHeaders:
- name: Host
value: localhost
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: "1"
memory: 2Gi
requests:
cpu: 250m
memory: 512Mi
volumes:
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
items:
- key: ca.crt
path: ca.crt
restartPolicy: Always
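Review bot: `image: ghcr.io/paperclipai/paperclip:latest` with `imagePullPolicy: Always` means every pod restart may run a different, unreviewed build, and this history gives no way to tell which version was live when; pin a version tag (preferably a digest) and make a bump a reviewed commit. The container also carries no `securityContext` (no `runAsNonRoot`, `allowPrivilegeEscalation: false` or capability drop), and the pod mounts the namespace's `default` service account token, which the VaultAuth in this namespace binds to a Vault role; nothing in the `env` list needs the Kubernetes API, so set `automountServiceAccountToken: false` on the pod.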
+29
@@ -0,0 +1,29 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
external-dns.alpha.kubernetes.io/hostname: paperclip.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: paperclip.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
name: paperclip
namespace: paperclip
spec:
rules:
- host: paperclip.k8s.syd1.au.unkin.net
http:
paths:
- backend:
service:
name: paperclip
port:
number: 3100
path: /
pathType: Prefix
tls:
- hosts:
- paperclip.k8s.syd1.au.unkin.net
secretName: paperclip-tls
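Review bot: `kubernetes.io/ingress.class: nginx` is the deprecated annotation form; `spec.ingressClassName: nginx` is the supported field and will matter during the Gateway API/traefik migration mentioned in #116. The rest (cert-manager issuer, `paperclip-tls` secret, 4096-bit key) is consistent with the host in `rules`.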
+13
@@ -0,0 +1,13 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- deployment.yaml
- ingress.yaml
- namespace.yaml
- services.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
+5
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: paperclip
+17
@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: Service
metadata:
name: paperclip
namespace: paperclip
spec:
internalTrafficPolicy: Cluster
ports:
- name: http
port: 3100
protocol: TCP
targetPort: http
selector:
app: paperclip
sessionAffinity: None
type: ClusterIP
+18
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: paperclip
spec:
allowedNamespaces:
- paperclip
kubernetes:
audiences:
- vault
role: default
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
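Review bot: `role: default` / `serviceAccount: default` makes the namespace's default service account the Vault identity for this namespace, and the paperclip Deployment in this same change mounts that account by default, so the application pod itself can authenticate to Vault and read `postgres-credentials` and `paperclip-credentials` at the source rather than only receiving the synced Secrets. Use a dedicated service account for VSO (as the argocd-image-updater VaultAuth above does with `serviceAccount: argocd-image-updater`) or disable token automount on the paperclip pod.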
@@ -0,0 +1,34 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-credentials
namespace: paperclip
spec:
destination:
create: true
name: postgres-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/paperclip/default/postgres-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: paperclip-credentials
namespace: paperclip
spec:
destination:
create: true
name: paperclip-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/paperclip/default/paperclip-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
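Review bot: `postgres-credentials` is consumed by the CNPG Cluster's `bootstrap.initdb.secret`, which CloudNativePG documents as a `kubernetes.io/basic-auth` secret with `username` and `password` keys, whereas a VaultStaticSecret creates an Opaque secret unless `destination.type` is set. Confirm the KV entry at `kubernetes/namespace/paperclip/default/postgres-credentials` carries exactly those two keys, and add `type: kubernetes.io/basic-auth` under `destination` if CNPG rejects the Opaque secret. Both entries share the `default` VaultAuth, so the least-privilege remark on that resource applies here as well.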
@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/argocd-image-updater
helmCharts:
- name: argocd-image-updater
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.10.3"
releaseName: argocd-image-updater
namespace: argocd-image-updater
valuesFile: values.yaml
@@ -0,0 +1,33 @@
config:
argocd:
grpcWeb: false
serverAddress: argocd-server.argocd
insecure: true
plaintext: false
registries:
- name: git.unkin.net
api_url: https://git.unkin.net
prefix: git.unkin.net
credentials: secret:argocd-image-updater/registry-creds#creds
insecure: false
authScripts:
enabled: false
extraEnv:
- name: ARGOCD_TOKEN
valueFrom:
secretKeyRef:
name: argocd-token
key: token
gitCommitUser: "ArgoCD Image Updater"
gitCommitEmail: "argocd-image-updater@unkin.net"
rbac:
enabled: true
serviceAccount:
create: true
name: argocd-image-updater
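Review bot: `insecure: true` under `config.argocd` disables certificate verification for the connection to `argocd-server.argocd` while `plaintext: false` keeps it on TLS, so the updater's `ARGOCD_TOKEN` is sent over a connection it does not authenticate. This repo already distributes the Vault CA to the repo-server and `argocd-tls-certs-cm`; if argocd-server is served with a certificate from that issuer, set `insecure: false` instead. The registry block is sound (`insecure: false`, credentials read from `secret:argocd-image-updater/registry-creds#creds`, matching the VaultStaticSecret name and key).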
@@ -7,7 +7,7 @@ resources:
helmCharts:
- name: rancher
repo: https://releases.rancher.com/server-charts/stable
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "2.13.1"
releaseName: rancher
namespace: cattle-system
@@ -7,7 +7,7 @@ resources:
helmCharts:
- name: cert-manager
repo: https://charts.jetstack.io
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "v1.19.2"
releaseName: cert-manager
namespace: cert-manager
@@ -7,7 +7,7 @@ resources:
helmCharts:
- name: cloudnative-pg
repo: https://cloudnative-pg.github.io/charts
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.27.0"
releaseName: cloudnative-pg-operator
namespace: cnpg-system
@@ -9,7 +9,7 @@ resources:
helmCharts:
- name: eck-operator
repo: https://helm.elastic.co
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "3.2.0"
releaseName: elastic-operator
namespace: elastic-system
@@ -7,7 +7,7 @@ resources:
helmCharts:
- name: external-dns
repo: https://kubernetes-sigs.github.io/external-dns/
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "1.19.0"
releaseName: externaldns
namespace: externaldns
@@ -9,13 +9,13 @@ resources:
helmCharts:
- name: victoria-metrics-cluster
repo: https://victoriametrics.github.io/helm-charts/
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.33.0"
releaseName: victoria-metrics-cluster
namespace: observability
valuesFile: values-vmcluster.yaml
- name: victoria-metrics-agent
repo: https://victoriametrics.github.io/helm-charts/
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "0.30.0"
releaseName: victoria-metrics-agent
namespace: observability
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/paperclip
@@ -7,7 +7,7 @@ resources:
helmCharts:
- name: reloader
repo: https://stakater.github.io/stakater-charts
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "2.2.8"
releaseName: reloader
namespace: reloader-system
@@ -9,8 +9,8 @@ resources:
helmCharts:
- name: vault-secrets-operator
repo: https://helm.releases.hashicorp.com
version: "1.2.0"
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "1.3.0"
releaseName: vault-secrets-operator
namespace: vso-system
valuesFile: values.yaml
+1
@@ -11,6 +11,7 @@ spec:
revision: HEAD
directories:
- path: apps/overlays/*/litellm
- path: apps/overlays/*/paperclip
template:
metadata:
name: 'aitooling-{{path[3]}}'
+36
@@ -0,0 +1,36 @@
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: image-updater-apps
namespace: argocd
spec:
generators:
- git:
repoURL: https://git.unkin.net/unkin/argocd-apps
revision: HEAD
directories:
- path: apps/overlays/*/artifactapi
template:
metadata:
name: 'platform-{{path[3]}}'
annotations:
argocd-image-updater.argoproj.io/image-list: "artifactapi=git.unkin.net/unkin/artifactapi"
argocd-image-updater.argoproj.io/artifactapi.update-strategy: semver
argocd-image-updater.argoproj.io/write-back-method: git
argocd-image-updater.argoproj.io/git-branch: main
spec:
project: platform
source:
repoURL: https://git.unkin.net/unkin/argocd-apps
targetRevision: HEAD
path: '{{path}}'
destination:
server: https://kubernetes.default.svc
namespace: '{{path[3]}}'
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- ServerSideApply=true
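Review bot: `write-back-method: git` with `git-branch: main` lets the updater push image bumps straight to `main`, bypassing the Reviewed-on PR flow every other commit in this history went through, and it requires the Argo CD repository credential for `https://git.unkin.net/unkin/argocd-apps` to have push rights, which widens what a compromised repo-server or updater pod can do. Prefer writing to a separate branch that is merged through review, using a write-only credential scoped to that branch. Separately, the template name `'platform-{{path[3]}}'` reuses the platform-apps naming, so the artifactapi Application changes owner between two ApplicationSets during this move; apply this set before the path is dropped from platform-apps, otherwise the old owner can delete the Application (and, with `prune: true`, its resources) before the new owner recreates it.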
@@ -4,6 +4,7 @@ kind: Kustomization
resources:
- aitooling.yaml
- imageupdater.yaml
- observability.yaml
- platform.yaml
- storage.yaml
+1 -1
@@ -10,7 +10,7 @@ spec:
repoURL: https://git.unkin.net/unkin/argocd-apps
revision: HEAD
directories:
- path: apps/overlays/*/artifactapi
- path: apps/overlays/*/argocd-image-updater
- path: apps/overlays/*/cattle-system
- path: apps/overlays/*/cert-manager
- path: apps/overlays/*/certificates
+2
@@ -11,6 +11,8 @@ spec:
destinations:
- namespace: 'litellm'
server: https://kubernetes.default.svc
- namespace: 'paperclip'
server: https://kubernetes.default.svc
clusterResourceWhitelist:
- group: ''
kind: Namespace
-1
@@ -8,7 +8,6 @@ spec:
description: Observability stack (metrics, monitoring)
sourceRepos:
- https://git.unkin.net/unkin/argocd-apps
- https://victoriametrics.github.io/helm-charts/
destinations:
- namespace: 'observability'
server: https://kubernetes.default.svc
+1 -9
@@ -8,17 +8,9 @@ spec:
description: Platform infrastructure and core services
sourceRepos:
- https://git.unkin.net/unkin/argocd-apps
- https://charts.jetstack.io
- https://cloudnative-pg.github.io/charts
- https://helm.elastic.co
- https://helm.releases.hashicorp.com
- https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
- https://purelb.github.io/purelb/charts
- https://intel.github.io/helm-charts/
- https://kubernetes-sigs.github.io/external-dns/
- https://releases.rancher.com/server-charts/stable
- https://victoriametrics.github.io/helm-charts/
- oci://gcr.io/k8s-staging-nfd/charts
- oci://ghcr.io/emberstack/helm-charts
- oci://ghcr.io/woodpecker-ci/helm/woodpecker
destinations:
- namespace: '*-system'
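Review bot: after this hunk the platform project's `sourceRepos` permits only the artifactapi virtual Helm endpoint and the three OCI repos, so any platform overlay still pointing at `charts.jetstack.io`, `helm.releases.hashicorp.com`, `intel.github.io` and the other removed entries will fail sync with a project violation; the overlay hunks above switch cert-manager, cloudnative-pg, eck-operator, external-dns, intel, rancher, reloader and vso, which matches. This also makes artifactapi the single trust point for every chart in the project; the `argocd-tls-certs-cm` CA pin is what authenticates it, so keep that ConfigMap in step with CA rotation.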
@@ -0,0 +1,25 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-repo-server
namespace: argocd
spec:
template:
spec:
volumes:
- name: vault-ca-cert
secret:
secretName: vault-ca-cert
items:
- key: ca.crt
path: ca.crt
containers:
- name: argocd-repo-server
env:
- name: SSL_CERT_DIR
value: /etc/ssl/certs:/custom-certs
volumeMounts:
- name: vault-ca-cert
mountPath: /custom-certs
readOnly: true
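Review bot: `SSL_CERT_DIR: /etc/ssl/certs:/custom-certs` works for the helm and kustomize subprocesses because Go loads every file in each listed directory, but OpenSSL-based tools in the same container look up certificates by subject-hash filename and would ignore `ca.crt` in `/custom-certs`; if anything other than Go binaries is expected to trust the CA this way, use a hashed filename or append to a bundle instead. The patch also assumes a `vault-ca-cert` secret already exists in the `argocd` namespace; it is not created in this change, so the bootstrap should either include it or document it as a prerequisite.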
@@ -0,0 +1,21 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: argocd
namespace: argocd
spec:
project: default
source:
repoURL: https://git.unkin.net/unkin/argocd-apps
targetRevision: HEAD
path: clusters/au-syd1/bootstrap
destination:
server: https://kubernetes.default.svc
namespace: argocd
syncPolicy:
automated:
prune: false
selfHeal: true
syncOptions:
- ServerSideApply=true
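Review bot: `project: default` gives the self-managing Application the unrestricted default project while it applies AppProjects, ApplicationSets and the repo-server patch from `clusters/au-syd1/bootstrap`; `prune: false` is the right guard, but `selfHeal: true` means a broken repo-server patch (the Deployment patch above) is re-applied on every drift, and a repo-server that cannot render leaves ArgoCD unable to heal itself. Document the out-of-band `kubectl apply -k clusters/au-syd1/bootstrap` recovery path beside this manifest.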
@@ -0,0 +1,50 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-tls-certs-cm
namespace: argocd
data:
artifactapi.k8s.syd1.au.unkin.net: |
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgIULZAR/QcvAnxdi04S6bXhNeazozYwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDQyNzExMzcyMloXDTI5MDQy
NjExMzc1MlowKzEpMCcGA1UEAxMgdW5raW4ubmV0IEludGVybWVkaWF0ZSBBdXRo
b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDq0ZU2DnuYW5s
E3lPjVe2Ns6cPu64yx1GLVqB5VbOUs71ThRjPjvEwE98YtGMza8ok0CQSqS2qX8z
vnMbnVCaWKjCnem/dtQtB+8WCu5uQuNHhwqxgw1tD/klAkVLWGgTPDEgasvjDMkc
sW8in/BhtrV9YA/lQGpge+j9/MFXhlnvaLCPybFifPRX9Yc5CcnhSzLSzFPO4PJx
VH4Qu9eByyKHMTvgcCy6p9qjjzz+8dtAlxeIsgfTEdvtfCPowsF+v2XooutTsJt0
xUDvUDu4xV6tVCEOYRA2cZHkLRBhV289M0hocHrsGqMmA1+j0skwwt/6UkVHqlCT
mitItX+RAgMBAAGjgewwgekwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
Af8wHQYDVR0OBBYEFEp/+grAdVqRSeb9xJjSeZYNW32MMB8GA1UdIwQYMBaAFBqc
v6Y+hfHt4EjgKa/uoQGEHTknMEcGCCsGAQUFBwEBBDswOTA3BggrBgEFBQcwAoYr
aHR0cHM6Ly92YXVsdC5zZXJ2aWNlLmNvbnN1bC92MS9wa2lfcm9vdC9jYTA9BgNV
HR8ENjA0MDKgMKAuhixodHRwczovL3ZhdWx0LnNlcnZpY2UuY29uc3VsL3YxL3Br
aV9yb290L2NybDANBgkqhkiG9w0BAQsFAAOCAQEAM0FS8tscZe7yly/gM7jO6lx5
muMFusifjUIrcQGnZBkoECeuUVPNTs3e/Th+XaxjCnmSpqSNT3z9Irr6Hhxf7n03
4+hpF3G0bf1yh4DRex/0ua3szvgo91RwyKVQM1BHIA1PwdF8csO+LT4FTMILzo4U
DdSVvDEIaxYYQCDNfAD81n+8lmFbabupfsKbkSTR+sNTS+TMnLpN8YwSXdB0e+RU
eEZRNVu0jKmbE8U/66Sc33YLe6cxbCclHA+G4giGwEP+lYZk+rFjmr6ci9bj5yyN
Sznr7xdW0ofOdACAQFFy5KTZqCDjIrvk12vUn4bSsXmWVIQEd+jPx6wuxD/rSw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDLzCCAhegAwIBAgIUIDADwsHIrQ8dfncpechBdIUCQdIwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDQyNzExMjcwMloXDTM0MDQy
NTExMjczMlowFDESMBAGA1UEAxMJdW5raW4ubmV0MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA3ENPv7R7gCUJAg8Q4hB2LEZSdvbK155YbcrguLDDnu6m
2fkJn8jYMMW3Z6/+Y04ouGwi6sKup8ggTb217sY+dC4IUZjotDPAhruxfXVQAh0v
Yr3RYoxVDrm4nRSFLo1RA4Qt+1KK299mHGQf9iAiwbsFp5mDrJT9uz15FE2uWmbK
8/onMyJC4fnkMihVN6NIgTtjpHYNm5aAJwxoWldTopgF0ucb7X3XVPNbKAmd3Avd
lsOo6m751zSZ0HvJOxgRSy7lvPzMuUfCQsOcmI4O4+Z2FL4Y7p+T9DvWkciC7L3i
tBiK30fPfGKNpWaof1ONCcPQNjMwWcEFXqSiWUOXkwIDAQABo3kwdzAOBgNVHQ8B
Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUGpy/pj6F8e3gSOAp
r+6hAYQdOScwHwYDVR0jBBgwFoAUGpy/pj6F8e3gSOApr+6hAYQdOScwFAYDVR0R
BA0wC4IJdW5raW4ubmV0MA0GCSqGSIb3DQEBCwUAA4IBAQA5xocILzuvD+R2Iub1
UnTdcVpgNcxJmESz0eX4UrkcBmddtuFINXvDTv5//XTFs78LsVVSf00xZ+2C62Xe
xRdCdluHN8VDCAKulP4XJY1BiZ7im0v+iMgPDKhq4OXb86WFYI/8J6uRm7oIAwj1
zhhKxMimkzli+yHB8ipL15W7l68CMUgmOjFA+EG6sbfadFpQTX/h6TVj3FQPkU/p
UJEm2XjlGNAKGJrNRU47PM4vRDv5Joyowp9zv/pHFXvUJladaJupMKRJQVWQz1US
EXE67rawG79s3vm8dDolnbli/IhPHtjDRIprxAwrMs5tt9cY0xsRkFBZVcAOjrpb
4gqd
-----END CERTIFICATE-----
+11 -1
@@ -3,11 +3,21 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://raw.githubusercontent.com/argoproj/argo-cd/refs/tags/v3.3.2/manifests/ha/install.yaml
- https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github_user/argoproj/argo-cd/refs/tags/v3.3.2/manifests/ha/install.yaml
- https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
- au-syd1-apps.yaml
- argocd-self-app.yaml
patches:
- path: argocd-cm-patch.yaml
target:
kind: ConfigMap
name: argocd-cm
- path: argocd-tls-certs-patch.yaml
target:
kind: ConfigMap
name: argocd-tls-certs-cm
- path: argocd-repo-server-vault-ca-patch.yaml
target:
kind: Deployment
name: argocd-repo-server
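Review bot: with `install.yaml` and the Gateway API CRDs now fetched through `artifactapi.k8s.syd1.au.unkin.net`, the ArgoCD bootstrap depends on artifactapi, which is itself deployed by ArgoCD (the `apps/overlays/*/artifactapi` ApplicationSet above); on a fresh cluster or during an artifactapi outage this kustomization cannot be rendered. Keep the upstream `raw.githubusercontent.com` URL documented as a cold-start fallback, and note that anyone rendering this outside the repo-server (kustomize on a workstation) needs the Vault CA trusted locally, which the repo-server patch only provides in-cluster.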