From 38031eae215acea4f949778e21b1426ca8b360b7 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 23 Aug 2021 08:11:03 +0100 Subject: [PATCH 01/52] Bumped chart / binary versions --- .github/workflows/build.yml | 6 +++--- .github/workflows/destroy.yml | 2 +- terraform/variables.tf | 18 +++++++++--------- terraform/versions.tf | 4 ++-- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5602027..158a2ae 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -61,12 +61,12 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.3" + TF_VERSION: "1.0.5" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases - TFLINT_RULESET_AZURERM_VERSION: "v0.11.0" + TFLINT_RULESET_AZURERM_VERSION: "v0.12.0" # https://github.com/terraform-linters/tflint/releases - TFLINT_VERSION: "v0.30.0" + TFLINT_VERSION: "v0.31.0" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 65d4777..a370dc3 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -55,7 +55,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.3" + TF_VERSION: "1.0.5" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: diff --git a/terraform/variables.tf b/terraform/variables.tf index 0c7be55..09e7a56 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -20,30 +20,30 @@ variable "kubernetes_version" { # helm repo update # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "3.34.0" + default = "3.36.0" } # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.4.1" + default = "v1.5.2" } # https://github.com/vmware-tanzu/helm-charts/releases # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.23.5" + default = "2.23.6" } # https://hub.docker.com/r/velero/velero/tags variable "velero_image_tag" { - default = "v1.6.2" + default = "v1.6.3" } # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.32.0" + default = "3.33.1" } # https://github.com/adamrushuk/charts/releases @@ -58,7 +58,7 @@ variable "nexus_chart_version" { # https://github.com/SparebankenVest/public-helm-charts/blob/master/stable/akv2k8s/Chart.yaml#L5 # helm search repo spv-charts/akv2k8s variable "akv2k8s_chart_version" { - default = "2.0.11" + default = "2.1.0" } # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 @@ -71,13 +71,13 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "5.2.2" + default = "5.4.1" } # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.8.0" + default = "2.9.0" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility 
@@ -90,7 +90,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.11.1" + default = "3.12.1" } # https://hub.docker.com/r/argoproj/argocd/tags diff --git a/terraform/versions.tf b/terraform/versions.tf index 3a55fef..4cdc2b1 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.70.0" + version = "~> 2.73.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases @@ -35,7 +35,7 @@ terraform { # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.3.2" + version = "~> 2.4.1" } # https://github.com/hashicorp/terraform-provider-helm/releases From 799b35a71c3a0369dfce0c9afe235e8ce2b77d1f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 29 Aug 2021 07:30:19 +0100 Subject: [PATCH 02/52] Added argocd default helm values --- terraform/helm/argocd_default_values.yaml | 1158 +++++++++++++++++++++ 1 file changed, 1158 insertions(+) create mode 100644 terraform/helm/argocd_default_values.yaml diff --git a/terraform/helm/argocd_default_values.yaml b/terraform/helm/argocd_default_values.yaml new file mode 100644 index 0000000..adb1eb4 --- /dev/null +++ b/terraform/helm/argocd_default_values.yaml 
@@ -0,0 +1,1158 @@ +# https://github.com/argoproj/argo-helm/blob/argo-cd-3.12.1/charts/argo-cd/values.yaml + +## ArgoCD configuration +## Ref: https://github.com/argoproj/argo-cd +## +nameOverride: argocd +fullnameOverride: "" +kubeVersionOverride: "" + +global: + image: + repository: quay.io/argoproj/argocd + tag: v2.0.5 + imagePullPolicy: IfNotPresent + securityContext: {} + # runAsUser: 999 + # runAsGroup: 999 + # fsGroup: 999 + imagePullSecrets: [] + hostAliases: [] + # - ip: 10.20.30.40 + # hostnames: + # - git.myhostname + + networkPolicy: + create: false + defaultDenyIngress: false + +# Override APIVersions +# If you want to template helm charts but cannot access k8s API server +# you can set api versions here +apiVersionOverrides: + certmanager: "" # cert-manager.io/v1 + ingress: "" # networking.k8s.io/v1beta1 + +## Create clusterroles that extend existing clusterroles to interact with argo-cd crds +## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles +createAggregateRoles: false + +## Controller +controller: + name: application-controller + + image: + repository: # defaults to global.image.repository + tag: # defaults to global.image.tag + imagePullPolicy: # IfNotPresent + + # If changing the number of replicas you must pass the number as ARGOCD_CONTROLLER_REPLICAS as an environment variable + replicas: 1 + + # Deploy the application as a StatefulSet instead of a Deployment, this is required for HA capability. 
+ # This is a feature flag that will become the default in chart version 3.x + enableStatefulSet: false + + ## Argo controller commandline flags + args: + statusProcessors: "20" + operationProcessors: "10" + appResyncPeriod: "180" + selfHealTimeout: "5" + + ## Argo controller log format: text|json + logFormat: text + ## Argo controller log level + logLevel: info + + ## Additional command line arguments to pass to argocd-controller + ## + extraArgs: [] + + ## Environment variables to pass to argocd-controller + ## + env: + [] + # - name: "ARGOCD_CONTROLLER_REPLICAS" + # value: "" + + ## envFrom to pass to argocd-controller + ## + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + ## Annotations to be added to controller pods + ## + podAnnotations: {} + + ## Labels to be added to controller pods + ## + podLabels: {} + + ## Labels to set container specific security contexts + containerSecurityContext: + {} + # capabilities: + # drop: + # - all + # readOnlyRootFilesystem: true + + ## Configures the controller port + containerPort: 8082 + + ## Readiness and liveness probes for default backend + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + ## + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + + ## Additional volumeMounts to the controller main container. + volumeMounts: [] + + ## Additional volumes to the controller pod. 
+ volumes: [] + + ## Controller service configuration + service: + annotations: {} + labels: {} + port: 8082 + portName: https-controller + + ## Node selectors and tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + nodeSelector: {} + tolerations: [] + affinity: {} + + priorityClassName: "" + + resources: {} + # limits: + # cpu: 500m + # memory: 512Mi + # requests: + # cpu: 250m + # memory: 256Mi + + serviceAccount: + create: true + name: argocd-application-controller + ## Annotations applied to created service account + annotations: {} + ## Automount API credentials for the Service Account + automountServiceAccountToken: true + + ## Server metrics controller configuration + metrics: + enabled: false + service: + annotations: {} + labels: {} + servicePort: 8082 + serviceMonitor: + enabled: false + interval: 30s + # selector: + # prometheus: kube-prometheus + # namespace: monitoring + # additionalLabels: {} + rules: + enabled: false + spec: [] + # - alert: ArgoAppMissing + # expr: | + # absent(argocd_app_info) + # for: 15m + # labels: + # severity: critical + # annotations: + # summary: "[ArgoCD] No reported applications" + # description: > + # ArgoCD has not reported any applications data for the past 15 minutes which + # means that it must be down or not functioning properly. This needs to be + # resolved for this cloud to continue to maintain state. + # - alert: ArgoAppNotSynced + # expr: | + # argocd_app_info{sync_status!="Synced"} == 1 + # for: 12h + # labels: + # severity: warning + # annotations: + # summary: "[{{`{{$labels.name}}`}}] Application not synchronized" + # description: > + # The application [{{`{{$labels.name}}`}} has not been synchronized for over + # 12 hours which means that the state of this cloud has drifted away from the + # state inside Git. 
+ # selector: + # prometheus: kube-prometheus + # namespace: monitoring + # additionalLabels: {} + + ## Enable Admin ClusterRole resources. + ## Enable if you would like to grant rights to ArgoCD to deploy to the local Kubernetes cluster. + clusterAdminAccess: + enabled: true + ## Enable Custom Rules for the Application Controller's Cluster Role resource + ## Enable this and set the rules: to whatever custom rules you want for the Cluster Role resource. + ## Defaults to off + clusterRoleRules: + enabled: false + rules: [] + + +## Dex +dex: + enabled: true + name: dex-server + + metrics: + enabled: false + service: + annotations: {} + labels: {} + serviceMonitor: + enabled: false + interval: 30s + # selector: + # prometheus: kube-prometheus + # namespace: monitoring + # additionalLabels: {} + + image: + repository: ghcr.io/dexidp/dex + tag: v2.28.1 + imagePullPolicy: IfNotPresent + initImage: + repository: + tag: + imagePullPolicy: + + ## Environment variables to pass to the Dex server + ## + env: [] + + ## envFrom to pass to the Dex server + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + ## Annotations to be added to the Dex server pods + ## + podAnnotations: {} + + ## Labels to be added to the Dex server pods + ## + podLabels: {} + + serviceAccount: + create: true + name: argocd-dex-server + ## Annotations applied to created service account + annotations: {} + ## Automount API credentials for the Service Account + automountServiceAccountToken: true + + ## Additional volumeMounts to the controller main container. + volumeMounts: + - name: static-files + mountPath: /shared + + ## Additional volumes to the controller pod. 
+ volumes: + - name: static-files + emptyDir: {} + + ## Dex deployment container ports + containerPortHttp: 5556 + servicePortHttp: 5556 + containerPortGrpc: 5557 + servicePortGrpc: 5557 + containerPortMetrics: 5558 + servicePortMetrics: 5558 + + ## Node selectors and tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + nodeSelector: {} + tolerations: [] + affinity: {} + + priorityClassName: "" + + ## Labels to set container specific security contexts + containerSecurityContext: + {} + # capabilities: + # drop: + # - all + # readOnlyRootFilesystem: true + + resources: {} + # limits: + # cpu: 50m + # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi + +## Redis +redis: + enabled: true + name: redis + + image: + repository: redis + tag: 6.2.4-alpine + imagePullPolicy: IfNotPresent + + ## Additional command line arguments to pass to redis-server + ## + extraArgs: [] + # - --bind + # - "0.0.0.0" + + containerPort: 6379 + servicePort: 6379 + + ## Environment variables to pass to the Redis server + ## + env: [] + + ## envFrom to pass to the Redis server + ## + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + ## Annotations to be added to the Redis server pods + ## + podAnnotations: {} + + ## Labels to be added to the Redis server pods + ## + podLabels: {} + + ## Node selectors and tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + nodeSelector: {} + tolerations: [] + affinity: {} + + priorityClassName: "" + + ## Labels to set container specific security contexts + containerSecurityContext: + {} + # capabilities: + # drop: + # - all + # readOnlyRootFilesystem: true + + ## Redis Pod specific security context + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + runAsNonRoot: true + + serviceAccount: + create: false + name: 
"" + ## Annotations applied to created service account + annotations: {} + ## Automount API credentials for the Service Account + automountServiceAccountToken: false + + resources: {} + # limits: + # cpu: 200m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 64Mi + + volumeMounts: [] + volumes: [] + +# This key configures Redis-HA subchart and when enabled (redis-ha.enabled=true) +# the custom redis deployment is omitted +redis-ha: + enabled: false + # Check the redis-ha chart for more properties + exporter: + enabled: true + persistentVolume: + enabled: false + redis: + masterGroupName: argocd + config: + save: '""' + haproxy: + enabled: true + metrics: + enabled: true + image: + tag: 6.2.4-alpine + +## Server +server: + name: server + + replicas: 1 + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + + image: + repository: # defaults to global.image.repository + tag: # defaults to global.image.tag + imagePullPolicy: # IfNotPresent + + ## Additional command line arguments to pass to argocd-server + ## + extraArgs: [] + # - --insecure + + # This flag is used to either remove or pass the CLI flag --staticassets /shared/app to the argocd-server app + staticAssets: + enabled: true + + ## Environment variables to pass to argocd-server + ## + env: [] + + ## envFrom to pass to argocd-server + ## + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + ## Specify postStart and preStop lifecycle hooks for your argo-cd-server container + ## + lifecycle: {} + + ## Argo server log format: text|json + logFormat: text + ## Argo server log level + logLevel: info + + ## Annotations to be added to controller pods + ## + podAnnotations: {} + + ## Labels to be added to controller pods + ## + podLabels: {} + + ## Configures the server port + containerPort: 8080 + + ## Readiness and liveness probes for default backend + ## Ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + ## + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + + ## Additional volumeMounts to the server main container. + volumeMounts: [] + + ## Additional volumes to the controller pod. + volumes: [] + + ## Node selectors and tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + nodeSelector: {} + tolerations: [] + affinity: {} + + priorityClassName: "" + + ## Labels to set container specific security contexts + containerSecurityContext: + {} + # capabilities: + # drop: + # - all + # readOnlyRootFilesystem: true + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 50m + # memory: 64Mi + + ## Certificate configuration + certificate: + enabled: false + domain: argocd.example.com + issuer: + kind: # ClusterIssuer + name: # letsencrypt + additionalHosts: [] + secretName: argocd-server-tls + + ## Server service configuration + service: + annotations: {} + labels: {} + type: ClusterIP + ## For node port default ports + nodePortHttp: 30080 + nodePortHttps: 30443 + servicePortHttp: 80 + servicePortHttps: 443 + servicePortHttpName: http + servicePortHttpsName: https + namedTargetPort: true + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalIPs: [] + externalTrafficPolicy: "" + sessionAffinity: "" + + ## Server metrics service configuration + metrics: + enabled: false + service: + annotations: {} + labels: {} + servicePort: 8083 + serviceMonitor: + enabled: false + interval: 30s + # selector: + # prometheus: kube-prometheus + # namespace: monitoring + # additionalLabels: {} + + serviceAccount: + create: true + name: argocd-server + ## Annotations applied to 
created service account + annotations: {} + ## Automount API credentials for the Service Account + automountServiceAccountToken: true + + ingress: + enabled: false + annotations: {} + labels: {} + ingressClassName: "" + + ## Argo Ingress. + ## Hostnames must be provided if Ingress is enabled. + ## Secrets must be manually created in the namespace + ## + hosts: + [] + # - argocd.example.com + paths: + - / + pathType: Prefix + extraPaths: + [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used) + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + tls: + [] + # - secretName: argocd-tls-certificate + # hosts: + # - argocd.example.com + https: false + # dedicated ingress for gRPC as documented at + # https://argoproj.github.io/argo-cd/operator-manual/ingress/ + ingressGrpc: + enabled: false + isAWSALB: false + annotations: {} + labels: {} + ingressClassName: "" + + ## Service Type if isAWSALB is set to true + ## Can be of type NodePort or ClusterIP depending on which mode you are + ## are running. Instance mode needs type NodePort, IP mode needs type + ## ClusterIP + ## Ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/how-it-works/#ingress-traffic + ## + awsALB: + serviceType: NodePort + + ## Argo Ingress. + ## Hostnames must be provided if Ingress is enabled. 
+ ## Secrets must be manually created in the namespace + ## + hosts: + [] + # - argocd.example.com + paths: + - / + pathType: Prefix + extraPaths: + [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used) + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + tls: + [] + # - secretName: argocd-tls-certificate + # hosts: + # - argocd.example.com + https: false + + # Create a OpenShift Route with SSL passthrough for UI and CLI + # Consider setting 'hostname' e.g. https://argocd.apps-crc.testing/ using your Default Ingress Controller Domain + # Find your domain with: kubectl describe --namespace=openshift-ingress-operator ingresscontroller/default | grep Domain: + # If 'hostname' is an empty string "" OpenShift will create a hostname for you. + route: + enabled: false + hostname: "" + + ## ArgoCD config + ## reference https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml + configEnabled: true + config: + # Argo CD's externally facing base URL (optional). 
Required when configuring SSO + url: https://argocd.example.com + # Argo CD instance label key + application.instanceLabelKey: argocd.argoproj.io/instance + # repositories: | + # - url: git@github.com:group/repo.git + # sshPrivateKeySecret: + # name: secret-name + # key: sshPrivateKey + # - type: helm + # url: https://charts.helm.sh/stable + # name: stable + # - type: helm + # url: https://argoproj.github.io/argo-helm + # name: argo + # oidc.config: | + # name: AzureAD + # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0 + # clientID: CLIENT_ID + # clientSecret: $oidc.azuread.clientSecret + # requestedIDTokenClaims: + # groups: + # essential: true + # requestedScopes: + # - openid + # - profile + # - email + + ## Annotations to be added to ArgoCD ConfigMap + configAnnotations: {} + + ## ArgoCD rbac config + ## reference https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md + rbacConfig: + {} + # policy.csv is an file containing user-defined RBAC policies and role definitions (optional). + # Policy rules are in the form: + # p, subject, resource, action, object, effect + # Role definitions and bindings are in the form: + # g, subject, inherited-subject + # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md for additional information. + # policy.csv: | + # # Grant all members of the group 'my-org:team-alpha; the ability to sync apps in 'my-project' + # p, my-org:team-alpha, applications, sync, my-project/*, allow + # # Grant all members of 'my-org:team-beta' admins + # g, my-org:team-beta, role:admin + # policy.default is the name of the default role which Argo CD will falls back to, when + # authorizing API requests (optional). If omitted or empty, users may be still be able to login, + # but will see no apps, projects, etc... + # policy.default: role:readonly + # scopes controls which OIDC scopes to examine during rbac enforcement (in addition to `sub` scope). + # If omitted, defaults to: '[groups]'. 
The scope value can be a string, or a list of strings. + # scopes: '[cognito:groups, email]' + + ## Annotations to be added to ArgoCD rbac ConfigMap + rbacConfigAnnotations: {} + + # Boolean determining whether or not to create the configmap. If false, it is expected the configmap will be created + # by something else. ArgoCD will not work if there is no configMap created with the name above. + rbacConfigCreate: true + + ## Not well tested and not well supported on release v1.0.0. + ## Applications + ## reference: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ + additionalApplications: [] + # - name: guestbook + # namespace: argocd + # additionalLabels: {} + # additionalAnnotations: {} + # project: guestbook + # source: + # repoURL: https://github.com/argoproj/argocd-example-apps.git + # targetRevision: HEAD + # path: guestbook + # directory: + # recurse: true + # destination: + # server: https://kubernetes.default.svc + # namespace: guestbook + # syncPolicy: + # automated: + # prune: false + # selfHeal: false + + ## Projects + ## reference: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ + additionalProjects: [] + # - name: guestbook + # namespace: argocd + # additionalLabels: {} + # additionalAnnotations: {} + # description: Example Project + # sourceRepos: + # - '*' + # destinations: + # - namespace: guestbook + # server: https://kubernetes.default.svc + # clusterResourceWhitelist: [] + # namespaceResourceBlacklist: + # - group: '' + # kind: ResourceQuota + # - group: '' + # kind: LimitRange + # - group: '' + # kind: NetworkPolicy + # orphanedResources: {} + # roles: [] + # namespaceResourceWhitelist: + # - group: 'apps' + # kind: Deployment + # - group: 'apps' + # kind: StatefulSet + # orphanedResources: {} + # roles: [] + # syncWindows: + # - kind: allow + # schedule: '10 1 * * *' + # duration: 1h + # applications: + # - '*-prod' + # manualSync: true + + ## Enable Admin ClusterRole resources. 
+ ## Enable if you would like to grant rights to ArgoCD to deploy to the local Kubernetes cluster. + clusterAdminAccess: + enabled: true + + ## Enable BackendConfig custom resource for Google Kubernetes Engine + GKEbackendConfig: + enabled: false + spec: {} + # spec: + # iap: + # enabled: true + # oauthclientCredentials: + # secretName: argocd-secret + + extraContainers: [] + ## Additional containers to be added to the controller pod. + ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. + # - name: my-sidecar + # image: nginx:latest + # - name: lemonldap-ng-controller + # image: lemonldapng/lemonldap-ng-controller:0.2.0 + # args: + # - /lemonldap-ng-controller + # - --alsologtostderr + # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration + # env: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: POD_NAMESPACE + # valueFrom: + # fieldRef: + # fieldPath: metadata.namespace + # volumeMounts: + # - name: copy-portal-skins + # mountPath: /srv/var/lib/lemonldap-ng/portal/skins + +## Repo Server +repoServer: + name: repo-server + + replicas: 1 + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + + image: + repository: # defaults to global.image.repository + tag: # defaults to global.image.tag + imagePullPolicy: # IfNotPresent + + ## Additional command line arguments to pass to argocd-repo-server + ## + extraArgs: [] + + ## Environment variables to pass to argocd-repo-server + ## + env: [] + + ## envFrom to pass to argocd-repo-server + ## + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + ## Argo repoServer log format: text|json + logFormat: text + ## Argo repoServer log level + logLevel: info + + ## Annotations to be added to repo server pods + ## + podAnnotations: {} + + ## Labels to be added to repo server pods + ## + podLabels: {} + + ## 
Configures the repo server port + containerPort: 8081 + + ## Readiness and liveness probes for default backend + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + ## + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + + ## Additional volumeMounts to the repo server main container. + volumeMounts: [] + + ## Additional volumes to the repo server pod. + volumes: [] + + ## Node selectors and tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + nodeSelector: {} + tolerations: [] + affinity: {} + + priorityClassName: "" + + ## Labels to set container specific security contexts + containerSecurityContext: + {} + # capabilities: + # drop: + # - all + # readOnlyRootFilesystem: true + + resources: {} + # limits: + # cpu: 50m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 64Mi + + ## Repo server service configuration + service: + annotations: {} + labels: {} + port: 8081 + portName: https-repo-server + + ## Repo server metrics service configuration + metrics: + enabled: false + service: + annotations: {} + labels: {} + servicePort: 8084 + serviceMonitor: + enabled: false + interval: 30s + # selector: + # prometheus: kube-prometheus + # namespace: monitoring + # additionalLabels: {} + + ## Repo server service account + ## If create is set to true, make sure to uncomment the name and update the rbac section below + serviceAccount: + create: false + # name: argocd-repo-server + ## Annotations applied to created service account + annotations: {} + ## Automount API credentials for the Service Account + automountServiceAccountToken: true + + ## Repo server rbac rules + # rbac: + # - apiGroups: + # - argoproj.io + # resources: + # - 
applications + # verbs: + # - get + # - list + # - watch + + ## Use init containers to configure custom tooling + ## https://argoproj.github.io/argo-cd/operator-manual/custom_tools/ + ## When using the volumes & volumeMounts section bellow, please comment out those above. + # volumes: + # - name: custom-tools + # emptyDir: {} + # + # initContainers: + # - name: download-tools + # image: alpine:3.8 + # command: [sh, -c] + # args: + # - wget -qO- https://get.helm.sh/helm-v2.16.1-linux-amd64.tar.gz | tar -xvzf - && + # mv linux-amd64/helm /custom-tools/ + # volumeMounts: + # - mountPath: /custom-tools + # name: custom-tools + # volumeMounts: + # - mountPath: /usr/local/bin/helm + # name: custom-tools + # subPath: helm + +## Argo Configs +configs: + ## External Cluster Credentials + ## reference: + ## - https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#clusters + ## - https://argoproj.github.io/argo-cd/operator-manual/security/#external-cluster-credentials + clusterCredentials: [] + # - name: mycluster + # server: https://mycluster.com + # labels: {} + # annotations: {} + # config: + # bearerToken: "" + # tlsClientConfig: + # insecure: false + # caData: "" + # - name: mycluster2 + # server: https://mycluster2.com + # labels: {} + # annotations: {} + # namespaces: namespace1,namespace2 + # config: + # bearerToken: "" + # tlsClientConfig: + # insecure: false + # caData: "" + + gpgKeysAnnotations: {} + gpgKeys: {} + # 4AEE18F83AFDEB23: | + # -----BEGIN PGP PUBLIC KEY BLOCK----- + # + # mQENBFmUaEEBCACzXTDt6ZnyaVtueZASBzgnAmK13q9Urgch+sKYeIhdymjuMQta + # x15OklctmrZtqre5kwPUosG3/B2/ikuPYElcHgGPL4uL5Em6S5C/oozfkYzhwRrT + # SQzvYjsE4I34To4UdE9KA97wrQjGoz2Bx72WDLyWwctD3DKQtYeHXswXXtXwKfjQ + # 7Fy4+Bf5IPh76dA8NJ6UtjjLIDlKqdxLW4atHe6xWFaJ+XdLUtsAroZcXBeWDCPa + # buXCDscJcLJRKZVc62gOZXXtPfoHqvUPp3nuLA4YjH9bphbrMWMf810Wxz9JTd3v + # yWgGqNY0zbBqeZoGv+TuExlRHT8ASGFS9SVDABEBAAG0NUdpdEh1YiAod2ViLWZs + # 
b3cgY29tbWl0IHNpZ25pbmcpIDxub3JlcGx5QGdpdGh1Yi5jb20+iQEiBBMBCAAW + # BQJZlGhBCRBK7hj4Ov3rIwIbAwIZAQAAmQEH/iATWFmi2oxlBh3wAsySNCNV4IPf + # DDMeh6j80WT7cgoX7V7xqJOxrfrqPEthQ3hgHIm7b5MPQlUr2q+UPL22t/I+ESF6 + # 9b0QWLFSMJbMSk+BXkvSjH9q8jAO0986/pShPV5DU2sMxnx4LfLfHNhTzjXKokws + # +8ptJ8uhMNIDXfXuzkZHIxoXk3rNcjDN5c5X+sK8UBRH092BIJWCOfaQt7v7wig5 + # 4Ra28pM9GbHKXVNxmdLpCFyzvyMuCmINYYADsC848QQFFwnd4EQnupo6QvhEVx1O + # j7wDwvuH5dCrLuLwtwXaQh0onG4583p0LGms2Mf5F+Ick6o/4peOlBoZz48= + # =Bvzs + # -----END PGP PUBLIC KEY BLOCK----- + + knownHostsAnnotations: {} + knownHosts: + data: + ssh_known_hosts: | + bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== + github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= + gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf + gitlab.com ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 + ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H + vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H + tlsCertsAnnotations: {} + tlsCerts: + {} + # data: + # argocd.example.com: | + # -----BEGIN CERTIFICATE----- + # MIIF1zCCA7+gAwIBAgIUQdTcSHY2Sxd3Tq/v1eIEZPCNbOowDQYJKoZIhvcNAQEL + # BQAwezELMAkGA1UEBhMCREUxFTATBgNVBAgMDExvd2VyIFNheG9ueTEQMA4GA1UE + # BwwHSGFub3ZlcjEVMBMGA1UECgwMVGVzdGluZyBDb3JwMRIwEAYDVQQLDAlUZXN0 + # c3VpdGUxGDAWBgNVBAMMD2Jhci5leGFtcGxlLmNvbTAeFw0xOTA3MDgxMzU2MTda + # Fw0yMDA3MDcxMzU2MTdaMHsxCzAJBgNVBAYTAkRFMRUwEwYDVQQIDAxMb3dlciBT + # YXhvbnkxEDAOBgNVBAcMB0hhbm92ZXIxFTATBgNVBAoMDFRlc3RpbmcgQ29ycDES + # MBAGA1UECwwJVGVzdHN1aXRlMRgwFgYDVQQDDA9iYXIuZXhhbXBsZS5jb20wggIi + # MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCv4mHMdVUcafmaSHVpUM0zZWp5 + # NFXfboxA4inuOkE8kZlbGSe7wiG9WqLirdr39Ts+WSAFA6oANvbzlu3JrEQ2CHPc + # CNQm6diPREFwcDPFCe/eMawbwkQAPVSHPts0UoRxnpZox5pn69ghncBR+jtvx+/u + # 
P6HdwW0qqTvfJnfAF1hBJ4oIk2AXiip5kkIznsAh9W6WRy6nTVCeetmIepDOGe0G + # ZJIRn/OfSz7NzKylfDCat2z3EAutyeT/5oXZoWOmGg/8T7pn/pR588GoYYKRQnp+ + # YilqCPFX+az09EqqK/iHXnkdZ/Z2fCuU+9M/Zhrnlwlygl3RuVBI6xhm/ZsXtL2E + # Gxa61lNy6pyx5+hSxHEFEJshXLtioRd702VdLKxEOuYSXKeJDs1x9o6cJ75S6hko + # Ml1L4zCU+xEsMcvb1iQ2n7PZdacqhkFRUVVVmJ56th8aYyX7KNX6M9CD+kMpNm6J + # kKC1li/Iy+RI138bAvaFplajMF551kt44dSvIoJIbTr1LigudzWPqk31QaZXV/4u + # kD1n4p/XMc9HYU/was/CmQBFqmIZedTLTtK7clkuFN6wbwzdo1wmUNgnySQuMacO + # gxhHxxzRWxd24uLyk9Px+9U3BfVPaRLiOPaPoC58lyVOykjSgfpgbus7JS69fCq7 + # bEH4Jatp/10zkco+UQIDAQABo1MwUTAdBgNVHQ4EFgQUjXH6PHi92y4C4hQpey86 + # r6+x1ewwHwYDVR0jBBgwFoAUjXH6PHi92y4C4hQpey86r6+x1ewwDwYDVR0TAQH/ + # BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAFE4SdKsX9UsLy+Z0xuHSxhTd0jfn + # Iih5mtzb8CDNO5oTw4z0aMeAvpsUvjJ/XjgxnkiRACXh7K9hsG2r+ageRWGevyvx + # CaRXFbherV1kTnZw4Y9/pgZTYVWs9jlqFOppz5sStkfjsDQ5lmPJGDii/StENAz2 + # XmtiPOgfG9Upb0GAJBCuKnrU9bIcT4L20gd2F4Y14ccyjlf8UiUi192IX6yM9OjT + # +TuXwZgqnTOq6piVgr+FTSa24qSvaXb5z/mJDLlk23npecTouLg83TNSn3R6fYQr + # d/Y9eXuUJ8U7/qTh2Ulz071AO9KzPOmleYPTx4Xty4xAtWi1QE5NHW9/Ajlv5OtO + # OnMNWIs7ssDJBsB7VFC8hcwf79jz7kC0xmQqDfw51Xhhk04kla+v+HZcFW2AO9so + # 6ZdVHHQnIbJa7yQJKZ+hK49IOoBR6JgdB5kymoplLLiuqZSYTcwSBZ72FYTm3iAr + # jzvt1hxpxVDmXvRnkhRrIRhK4QgJL0jRmirBjDY+PYYd7bdRIjN7WNZLFsgplnS8 + # 9w6CwG32pRlm0c8kkiQ7FXA6BYCqOsDI8f1VGQv331OpR2Ck+FTv+L7DAmg6l37W + # +LB9LGh4OAp68ImTjqf6ioGKG0RBSznwME+r4nXtT1S/qLR6ASWUS4ViWRhbRlNK + # XWyb96wrUlv+E8I= + # -----END CERTIFICATE----- + # Creates a secret with optional repository credentials + repositoryCredentials: + {} + # sample-ssh-key: | + # -----BEGIN RSA PRIVATE KEY----- + # MIICXAIBAAKBgQCcmiVJXGUvL8zqWmRRETbCKgFadtjJ9WDQpSwiZzMiktpYBo0N + # z0cThzGQfWqvdiJYEy72MrKCaSYssV3eHP5zTffk4VBDktNfdl1kgkOpqnh7tQO4 + # nBONRLzcK6KEbKUsmiTbW8Jb4UFYDhyyyveby7y3vYePmaRQIrlEenVfKwIDAQAB + # AoGAbbg+WZjnt9jYzHWKhZX29LDzg8ty9oT6URT4yB3gIOAdJMFqQHuyg8cb/e0x + # O0AcrfK623oHwgEj4vpeFwnfaBdtM5GfH9zaj6pnXV7VZc3oBHrBnHUgFT3NEYUe + # 
tt6rtatIguBH61Aj/pyij9sOfF0xDj0s1nwFTbdHtZR/31kCQQDIwcVTqhKkDNW6 + # cvdz+Wt3v9x1wNg+VhZhyA/pKILz3+qtn3GogLrQqhpVi+Y7tdvEv9FvgKaCjUp8 + # 6Lfp6dDFAkEAx7HpQbXFdrtcveOi9kosKRDX1PT4zdhB08jAXGlV8jr0jkrZazVM + # hV5rVCuu35Vh6x1fiyGwwiVsqhgWE+KPLwJAWrDemasM/LsnmjDxhJy6ZcBwsWlK + # xu5Q8h9UwLmiXtVayNBsofh1bGpLtzWZ7oN7ImidDkgJ8JQvgDoJS0xrGQJBALPJ + # FkMFnrjtqGqBVkc8shNqyZY90v6oM2OzupO4dht2PpUZCDPAMZtlTWXjSjabbCPc + # NxexBk1UmkdtFftjHxsCQGjG+nhRYH92MsmrbvZyFzgxg9SIOu6xel7D3Dq9l5Le + # XG+bpHPF4SiCpAxthP5WNa17zuvk+CDsMZgZNuhYNMo= + # -----END RSA PRIVATE KEY----- + secret: + createSecret: true + ## Annotations to be added to argocd-secret + ## + annotations: {} + + # Webhook Configs + githubSecret: "" + gitlabSecret: "" + bitbucketServerSecret: "" + bitbucketUUID: "" + gogsSecret: "" + + # Custom secrets. Useful for injecting SSO secrets into environment variables. + # Ref: https://argoproj.github.io/argo-cd/operator-manual/sso/ + # Note that all values must be non-empty. + extra: + {} + # LDAP_PASSWORD: "mypassword" + + # Argo TLS Data. + argocdServerTlsConfig: + {} + # key: + # crt: | + # -----BEGIN CERTIFICATE----- + # + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # + # -----END CERTIFICATE----- + + # Argo expects the password in the secret to be bcrypt hashed. You can create this hash with + # `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'` + # argocdServerAdminPassword: "" + # Password modification time defaults to current time if not set + # argocdServerAdminPasswordMtime: "2006-01-02T15:04:05Z" + + ## Custom CSS Styles + ## Reference: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/ + # styles: | + # .nav-bar { + # background: linear-gradient(to bottom, #999, #777, #333, #222, #111); + # } + +openshift: + enabled: false From 2fc4588816cc2a292119d1d35c91c5b7f3caca36 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Sun, 29 Aug 2021 07:34:49 +0100 Subject: [PATCH 03/52] Bumped chart / binary versions --- .../helm/aad_pod_identity_default_values.yaml | 41 +++--- terraform/helm/argocd_default_values.yaml | 120 +++++++++++++----- terraform/helm/nginx_values.yaml | 6 +- terraform/helm/velero_default_values.yaml | 8 +- terraform/variables.tf | 8 +- terraform/versions.tf | 2 +- 6 files changed, 126 insertions(+), 59 deletions(-) diff --git a/terraform/helm/aad_pod_identity_default_values.yaml b/terraform/helm/aad_pod_identity_default_values.yaml index 25a11b6..fce412f 100644 --- a/terraform/helm/aad_pod_identity_default_values.yaml +++ b/terraform/helm/aad_pod_identity_default_values.yaml @@ -1,4 +1,4 @@ -# source: https://github.com/Azure/aad-pod-identity/blob/v1.8.0/charts/aad-pod-identity/values.yaml +# source: https://github.com/Azure/aad-pod-identity/blob/v1.8.3/charts/aad-pod-identity/values.yaml # Default values for aad-pod-identity-helm. # This is a YAML-formatted file. @@ -45,7 +45,7 @@ operationMode: "standard" mic: image: mic - tag: v1.8.0 + tag: v1.8.3 # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical priorityClassName: "" 
@@ -77,17 +77,18 @@ mic: # - key: "CriticalAddonsOnly" # operator: "Exists" - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - affinity: {} - # nodeAffinity: - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight 1 - # preference: - # matchExpressions: - # - key: kubernetes.azure.com/mode - # operator: In - # values: - # - system + # Affinity rules to apply to the mic deployment. + # Uses an anti-affinity rule to prefer not to co-locate pods on the same node as default. + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + app.kubernetes.io/component: mic # Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ @@ -158,7 +159,7 @@ mic: nmi: image: nmi - tag: v1.8.0 + tag: v1.8.3 # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical priorityClassName: "" @@ -175,6 +176,11 @@ nmi: cpu: 100m memory: 256Mi + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + podAnnotations: {} podLabels: {} @@ -219,8 +225,8 @@ nmi: findIdentityRetryIntervalInSeconds: "" # Enable scale features - https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#enable-scale-features-flag - # Accepted values are true/false. Default is false. - enableScaleFeatures: "" + # Accepted values are true/false. Default is true for v1.8.1+. + enableScaleFeatures: true # default value is 9090 # prometheus port for metrics 
@@ -242,6 +248,9 @@ nmi: # default is /etc/default/kubelet kubeletConfig: "/etc/default/kubelet" + # Set retry-after header in the NMI responses when the identity is still being assigned. + setRetryAfterHeader: false + rbac: enabled: true # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity. diff --git a/terraform/helm/argocd_default_values.yaml b/terraform/helm/argocd_default_values.yaml index adb1eb4..8e26b6e 100644 --- a/terraform/helm/argocd_default_values.yaml +++ b/terraform/helm/argocd_default_values.yaml @@ -1,4 +1,4 @@ -# https://github.com/argoproj/argo-helm/blob/argo-cd-3.12.1/charts/argo-cd/values.yaml +# https://github.com/argoproj/argo-helm/blob/argo-cd-3.17.5/charts/argo-cd/values.yaml ## ArgoCD configuration ## Ref: https://github.com/argoproj/argo-cd @@ -10,8 +10,12 @@ kubeVersionOverride: "" global: image: repository: quay.io/argoproj/argocd - tag: v2.0.5 + tag: v2.1.1 imagePullPolicy: IfNotPresent + ## Annotations applied to all pods + podAnnotations: {} + ## Labels applied to all pods + podLabels: {} securityContext: {} # runAsUser: 999 # runAsGroup: 999 @@ -59,6 +63,7 @@ controller: operationProcessors: "10" appResyncPeriod: "180" selfHealTimeout: "5" + repoServerTimeoutSeconds: "60" ## Argo controller log format: text|json logFormat: text @@ -99,6 +104,7 @@ controller: # drop: # - all # readOnlyRootFilesystem: true + # runAsNonRoot: true ## Configures the controller port containerPort: 8082 @@ -167,6 +173,8 @@ controller: serviceMonitor: enabled: false interval: 30s + relabelings: [] + metricRelabelings: [] # selector: # prometheus: kube-prometheus # namespace: monitoring @@ -228,6 +236,8 @@ dex: serviceMonitor: enabled: false interval: 30s + relabelings: [] + metricRelabelings: [] # selector: # prometheus: kube-prometheus # namespace: monitoring @@ -235,7 +245,7 @@ dex: image: repository: ghcr.io/dexidp/dex - tag: v2.28.1 + tag: v2.30.0 imagePullPolicy: IfNotPresent initImage: repository: 
@@ -261,6 +271,23 @@ dex: ## podLabels: {} + ## Probes for Dex server + ## Supported from Dex >= 2.28.0 + livenessProbe: + enabled: false + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: false + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + serviceAccount: create: true name: argocd-dex-server @@ -282,8 +309,10 @@ dex: ## Dex deployment container ports containerPortHttp: 5556 servicePortHttp: 5556 + servicePortHttpName: http containerPortGrpc: 5557 servicePortGrpc: 5557 + servicePortGrpcName: grpc containerPortMetrics: 5558 servicePortMetrics: 5558 @@ -370,10 +399,8 @@ redis: ## Redis Pod specific security context securityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 runAsNonRoot: true + runAsUser: 999 serviceAccount: create: false @@ -559,6 +586,8 @@ server: serviceMonitor: enabled: false interval: 30s + relabelings: [] + metricRelabelings: [] # selector: # prometheus: kube-prometheus # namespace: monitoring 
@@ -617,14 +646,15 @@ server: labels: {} ingressClassName: "" - ## Service Type if isAWSALB is set to true - ## Can be of type NodePort or ClusterIP depending on which mode you are - ## are running. Instance mode needs type NodePort, IP mode needs type - ## ClusterIP - ## Ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/how-it-works/#ingress-traffic - ## awsALB: + ## Service Type if isAWSALB is set to true + ## Can be of type NodePort or ClusterIP depending on which mode you are + ## are running. Instance mode needs type NodePort, IP mode needs type + ## ClusterIP + ## Ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/how-it-works/#ingress-traffic serviceType: NodePort + # This tells AWS to send traffic from the ALB using HTTP2. Can use GRPC as well if you want to leverage GRPC specific features + backendProtocolVersion: HTTP2 ## Argo Ingress. ## Hostnames must be provided if Ingress is enabled. @@ -673,6 +703,8 @@ server: url: https://argocd.example.com # Argo CD instance label key application.instanceLabelKey: argocd.argoproj.io/instance + + # DEPRECATED: Please instead use configs.credentialTemplates and configs.repositories # repositories: | # - url: git@github.com:group/repo.git # sshPrivateKeySecret: @@ -684,6 +716,7 @@ server: # - type: helm # url: https://argoproj.github.io/argo-helm # name: argo + # oidc.config: | # name: AzureAD # issuer: https://login.microsoftonline.com/TENANT_ID/v2.0 @@ -944,6 +977,8 @@ repoServer: serviceMonitor: enabled: false interval: 30s + relabelings: [] + metricRelabelings: [] # selector: # prometheus: kube-prometheus # namespace: monitoring 
@@ -1090,25 +1125,48 @@ configs: # +LB9LGh4OAp68ImTjqf6ioGKG0RBSznwME+r4nXtT1S/qLR6ASWUS4ViWRhbRlNK # XWyb96wrUlv+E8I= # -----END CERTIFICATE----- - # Creates a secret with optional repository credentials - repositoryCredentials: - {} - # sample-ssh-key: | - # -----BEGIN RSA PRIVATE KEY----- - # MIICXAIBAAKBgQCcmiVJXGUvL8zqWmRRETbCKgFadtjJ9WDQpSwiZzMiktpYBo0N - # z0cThzGQfWqvdiJYEy72MrKCaSYssV3eHP5zTffk4VBDktNfdl1kgkOpqnh7tQO4 - # nBONRLzcK6KEbKUsmiTbW8Jb4UFYDhyyyveby7y3vYePmaRQIrlEenVfKwIDAQAB - # AoGAbbg+WZjnt9jYzHWKhZX29LDzg8ty9oT6URT4yB3gIOAdJMFqQHuyg8cb/e0x - # O0AcrfK623oHwgEj4vpeFwnfaBdtM5GfH9zaj6pnXV7VZc3oBHrBnHUgFT3NEYUe - # tt6rtatIguBH61Aj/pyij9sOfF0xDj0s1nwFTbdHtZR/31kCQQDIwcVTqhKkDNW6 - # cvdz+Wt3v9x1wNg+VhZhyA/pKILz3+qtn3GogLrQqhpVi+Y7tdvEv9FvgKaCjUp8 - # 6Lfp6dDFAkEAx7HpQbXFdrtcveOi9kosKRDX1PT4zdhB08jAXGlV8jr0jkrZazVM - # hV5rVCuu35Vh6x1fiyGwwiVsqhgWE+KPLwJAWrDemasM/LsnmjDxhJy6ZcBwsWlK - # xu5Q8h9UwLmiXtVayNBsofh1bGpLtzWZ7oN7ImidDkgJ8JQvgDoJS0xrGQJBALPJ - # FkMFnrjtqGqBVkc8shNqyZY90v6oM2OzupO4dht2PpUZCDPAMZtlTWXjSjabbCPc - # NxexBk1UmkdtFftjHxsCQGjG+nhRYH92MsmrbvZyFzgxg9SIOu6xel7D3Dq9l5Le - # XG+bpHPF4SiCpAxthP5WNa17zuvk+CDsMZgZNuhYNMo= - # -----END RSA PRIVATE KEY----- +## # Creates a secret with optional repository credentials +## DEPRECATED: Instead, use configs.credentialTemplates and/or configs.repositories + repositoryCredentials: {} + +## Creates a secret for each key/value specified below to create repository credentials + credentialTemplates: {} + # github-enterprise-creds-1: + # url: https://github.com/argoproj + # githubAppID: 1 + # githubAppInstallationID: 2 + # githubAppEnterpriseBaseUrl: https://ghe.example.com/api/v3 + # githubAppPrivateKey: | + # -----BEGIN OPENSSH PRIVATE KEY----- + # ... 
+ # -----END OPENSSH PRIVATE KEY----- + # https-creds: + # url: https://github.com/argoproj + # password: my-password + # username: my-username + # ssh-creds: + # url: git@github.com:argoproj-labs + # sshPrivateKey: | + # -----BEGIN OPENSSH PRIVATE KEY----- + # ... + # -----END OPENSSH PRIVATE KEY----- + +## Creates a secret for each key/value specified below to create repositories +## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials". + repositories: {} + # istio-helm-repo: + # url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts + # name: istio.io + # type: helm + # private-helm-repo: + # url: https://my-private-chart-repo.internal + # name: private-repo + # type: helm + # password: my-password + # username: my-username + # private-repo: + # url: https://github.com/argoproj/private-repo + secret: createSecret: true ## Annotations to be added to argocd-secret diff --git a/terraform/helm/nginx_values.yaml b/terraform/helm/nginx_values.yaml index 6407621..063160a 100644 --- a/terraform/helm/nginx_values.yaml +++ b/terraform/helm/nginx_values.yaml @@ -1,5 +1,5 @@ ## nginx configuration -## Ref: https://github.com/kubernetes/ingress/blob/master/controllers/nginx/configuration.md +## Ref: https://github.com/kubernetes/ingress/blob/main/controllers/nginx/configuration.md ## controller: 
@@ -19,8 +19,8 @@ controller: ## node or nodes where an ingress controller pod is running. publishService: # ! This is required for external-dns to work properly - # ! https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/azure.md#deploy-externaldns - # ! https://github.com/kubernetes-sigs/external-dns/blob/master/docs/faq.md#why-is-externaldns-only-adding-a-single-ip-address-in-route-53-on-aws-when-using-the-nginx-ingress-controller-how-do-i-get-it-to-use-the-fqdn-of-the-elb-assigned-to-my-nginx-ingress-controller-service-instead + # ! https://github.com/kubernetes-sigs/external-dns/blob/main/docs/tutorials/azure.md#deploy-externaldns + # ! https://github.com/kubernetes-sigs/external-dns/blob/main/docs/faq.md#why-is-externaldns-only-adding-a-single-ip-address-in-route-53-on-aws-when-using-the-nginx-ingress-controller-how-do-i-get-it-to-use-the-fqdn-of-the-elb-assigned-to-my-nginx-ingress-controller-service-instead enabled: true ## Allows overriding of the publish service to bind to ## Must be / diff --git a/terraform/helm/velero_default_values.yaml b/terraform/helm/velero_default_values.yaml index 191ec44..895b4a8 100644 --- a/terraform/helm/velero_default_values.yaml +++ b/terraform/helm/velero_default_values.yaml @@ -1,4 +1,4 @@ -# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.21.0/charts/velero/values.yaml +# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.23.6/charts/velero/values.yaml ## ## Configuration settings that directly affect the Velero deployment YAML. @@ -8,7 +8,7 @@ # enabling restic). Required. image: repository: velero/velero - tag: v1.6.2 + tag: v1.6.3 # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. # If used, it will take precedence over the image.tag. # digest: 
@@ -119,7 +119,7 @@ metrics: kubectl: image: repository: docker.io/bitnami/kubectl - tag: 1.14.3 + tag: 1.16.15 # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. # If used, it will take precedence over the kubectl.image.tag. # digest: @@ -374,7 +374,7 @@ schedules: {} # velero.io/plugin-config: "" # velero.io/restic: RestoreItemAction # data: -# image: velero/velero-restic-restore-helper:v1.6.2 +# image: velero/velero-restic-restore-helper:v1.6.3 configMaps: {} ## diff --git a/terraform/variables.tf b/terraform/variables.tf index 09e7a56..50f0ca6 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -20,13 +20,13 @@ variable "kubernetes_version" { # helm repo update # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "3.36.0" + default = "4.0.1" } # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.5.2" + default = "v1.5.3" } # https://github.com/vmware-tanzu/helm-charts/releases @@ -64,14 +64,14 @@ variable "akv2k8s_chart_version" { # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 # helm search repo aad-pod-identity/aad-pod-identity variable "aad_pod_identity_chart_version" { - default = "4.1.3" + default = "4.1.4" } # https://bitnami.com/stack/external-dns/helm # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "5.4.1" + default = "5.4.4" } # https://github.com/weaveworks/kured/tree/master/charts/kured diff --git a/terraform/versions.tf b/terraform/versions.tf index 4cdc2b1..b0b252f 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf 
@@ -23,7 +23,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.73.0" + version = "~> 2.74.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases From 1f3f21e1d3bda17fe8e841423810653308574395 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 29 Aug 2021 08:12:09 +0100 Subject: [PATCH 04/52] Bumped argocd chart to v3.17.5 and image to v2.1.1 --- terraform/files/argocd-values.yaml | 2 -- terraform/variables.tf | 4 ++-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/terraform/files/argocd-values.yaml b/terraform/files/argocd-values.yaml index 91d952c..605cdcf 100644 --- a/terraform/files/argocd-values.yaml +++ b/terraform/files/argocd-values.yaml @@ -1,5 +1,3 @@ -installCRDs: false - server: # this is required to disable SSL redirection, as ingress handles this extraArgs: diff --git a/terraform/variables.tf b/terraform/variables.tf index 50f0ca6..cd91c76 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -90,13 +90,13 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.12.1" + default = "3.17.5" } # https://hub.docker.com/r/argoproj/argocd/tags # * also update cli version: terraform/files/scripts/argocd_config.sh#L16 variable "argocd_image_tag" { - default = "v2.0.5" + default = "v2.1.1" } #endregion Versions From a8039a59a1e54ba0f91ec1ac0c75ffa772265b53 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 29 Aug 2021 08:28:47 +0100 Subject: [PATCH 05/52] Bumped argocd cli to v2.1.1 --- terraform/files/scripts/argocd_config.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index eced4e9..dc83c24 100644 --- a/terraform/files/scripts/argocd_config.sh 
+++ b/terraform/files/scripts/argocd_config.sh @@ -13,7 +13,7 @@ export ARGOCD_OPTS="--grpc-web" ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install -VERSION="v2.0.5" +VERSION="v2.1.1" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" From 66a477fdfd50071110e0d515dcf3efdf8aa4cf19 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 29 Aug 2021 09:44:18 +0100 Subject: [PATCH 06/52] Moved argocd version check --- terraform/files/scripts/argocd_config.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index dc83c24..d40cfbc 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -6,6 +6,11 @@ set -euo pipefail trap "echo 'error: Script failed: see failed command above'" ERR +# Manual Testing +# ARGOCD_FQDN="argocd.thehypepipe.co.uk" +# ARGOCD_PATH="argocd" +# ARGOCD_ADMIN_PASSWORD="[SEE VAULT]" + # Vars ARGOCD_PATH="./argocd" REPO_SSH_PRIVATE_KEY_PATH="./id_ed25519_argocd" @@ -24,10 +29,6 @@ while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' $ARGOCD_HEALTH_CHECK_URL)" sleep 10 done -# Show version -echo "Showing Argo CD version info for [$ARGOCD_FQDN]..." -"$ARGOCD_PATH" version --server "$ARGOCD_FQDN" - # Get default admin password # Argo CD v1.9 and later: https://argoproj.github.io/argo-cd/getting_started/#4-login-using-the-cli # check secret called "argocd-initial-admin-secret" @@ -46,6 +47,10 @@ else "$ARGOCD_PATH" login "$ARGOCD_FQDN" --username admin --password "$ARGOCD_ADMIN_PASSWORD" fi +# Show version +echo "Showing Argo CD version info for [$ARGOCD_FQDN]..." +"$ARGOCD_PATH" version "$ARGOCD_FQDN" + # Show info echo "Showing Argo CD cluster info..." "$ARGOCD_PATH" account list From 2c1a21aa03b317e0279644fb9cec7a43341eca71 Mon Sep 17 00:00:00 2001 
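Review bot: The commented `# ARGOCD_ADMIN_PASSWORD="[SEE VAULT]"` template in the added "Manual Testing" block (hunk `@@ -6,6 +6,11 @@`) invites pasting a real admin password into the script while debugging, where it can end up committed. The `# ARGOCD_PATH="argocd"` line would also have no effect if uncommented, because `ARGOCD_PATH="./argocd"` is assigned right after it under `# Vars`. I would replace the three assignments with one comment, `# Manual testing: export ARGOCD_FQDN and ARGOCD_ADMIN_PASSWORD in the calling shell; do not set them in this file`.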
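Review bot: The relocated command in hunk `@@ -46,6 +47,10 @@` is not the one that was removed: the old line was `"$ARGOCD_PATH" version --server "$ARGOCD_FQDN"`, while the new one passes the FQDN as a bare argument, `"$ARGOCD_PATH" version "$ARGOCD_FQDN"`. As far as I know `argocd version` takes no positional server argument, so the output would depend on the context saved by the preceding `login` rather than on the host named in the echo line. Either keep `--server "$ARGOCD_FQDN"` or drop the argument and write `"$ARGOCD_PATH" version`. The script continues outside the hunk.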
From: Adam Rush Date: Sun, 29 Aug 2021 09:57:44 +0100 Subject: [PATCH 07/52] Bumped azuread tf provider to v2.0.1 --- terraform/versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index b0b252f..0515fc0 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -29,7 +29,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 1.6.0" + version = "~> 2.0.1" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases From 3ca430b9895775baf0afb68a5db1dfd320324f03 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 29 Aug 2021 10:00:05 +0100 Subject: [PATCH 08/52] Revert azuread tf provider to v1.6.0 --- terraform/versions.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index 0515fc0..8968143 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -29,7 +29,8 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.0.1" + # TODO: update to "2.0.1" + version = "~> 1.6.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases From 76cd9e8aea45532aefd0989428665f29183e5d8b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 07:05:26 +0100 Subject: [PATCH 09/52] Bumped chart / binary versions --- terraform/files/scripts/argocd_config.sh | 2 +- terraform/variables.tf | 10 +++++----- terraform/versions.tf | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index d40cfbc..1960453 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh 
@@ -18,7 +18,7 @@ export ARGOCD_OPTS="--grpc-web" ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install -VERSION="v2.1.1" +VERSION="v2.1.2" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" diff --git a/terraform/variables.tf b/terraform/variables.tf index cd91c76..5459651 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -43,7 +43,7 @@ variable "velero_image_tag" { # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.33.1" + default = "3.34.0" } # https://github.com/adamrushuk/charts/releases @@ -71,7 +71,7 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "5.4.4" + default = "5.4.6" } # https://github.com/weaveworks/kured/tree/master/charts/kured @@ -90,13 +90,13 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.17.5" + default = "3.17.6" } # https://hub.docker.com/r/argoproj/argocd/tags -# * also update cli version: terraform/files/scripts/argocd_config.sh#L16 +# * also update cli version: terraform/files/scripts/argocd_config.sh#L21 variable "argocd_image_tag" { - default = "v2.1.1" + default = "v2.1.2" } #endregion Versions diff --git a/terraform/versions.tf b/terraform/versions.tf index 8968143..2bd4a7b 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf 
@@ -23,13 +23,13 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.74.0" + version = "~> 2.76.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - # TODO: update to "2.0.1" + # TODO: update to "2.1.0" version = "~> 1.6.0" } From 22b9f0f1a2d1347d3bb1c5cfcd802ad0e0c755dd Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 07:44:10 +0100 Subject: [PATCH 10/52] Testing concat env vars --- .github/workflows/test.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c8fbc17..f3fad9d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -28,8 +28,8 @@ on: env: MY_WORKFLOW_VAR: work - # UNSUPPORTED: Cannot concatenante at Workflow level - # MY_WORKFLOW_VAR2: ${{ env.MY_WORKFLOW_VAR }}-workvalue01 + # TODO Currently Unsupported: Cannot concatenante at Workflow level + MY_WORKFLOW_VAR2: ${{ env.MY_WORKFLOW_VAR }}-workvalue01 jobs: build: @@ -41,8 +41,8 @@ jobs: env: MY_JOB_VAR: job - # UNSUPPORTED: Cannot concatenante at Job level - # MY_WORK_JOB_VAR: ${{ env.MY_WORKFLOW_VAR }} + # TODO Currently Unsupported: Cannot concatenante at Job level + MY_WORK_JOB_VAR: ${{ env.MY_WORKFLOW_VAR }} steps: # Checkout From a0b1709cc80b7be576935c8065b424e3c1b492d1 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 07:50:29 +0100 Subject: [PATCH 11/52] test --- .github/workflows/test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f3fad9d..ca8e033 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -1,5 +1,5 @@ # https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions -name: Webhook +name: Test-Workflow # name of GitHub event that triggers workflow # https://help.github.com/en/actions/reference/events-that-trigger-workflows#external-events-repository_dispatch @@ -29,7 +29,7 @@ env: MY_WORKFLOW_VAR: work # TODO Currently Unsupported: Cannot concatenante at Workflow level - MY_WORKFLOW_VAR2: ${{ env.MY_WORKFLOW_VAR }}-workvalue01 + MY_WORKFLOW_VAR2: "${{ env.MY_WORKFLOW_VAR }}-workvalue01" jobs: build: @@ -42,7 +42,7 @@ jobs: MY_JOB_VAR: job # TODO Currently Unsupported: Cannot concatenante at Job level - MY_WORK_JOB_VAR: ${{ env.MY_WORKFLOW_VAR }} + MY_WORK_JOB_VAR: "${{ env.MY_WORKFLOW_VAR }}" steps: # Checkout From a5c0eea1ab4d8bcfd9ea84bbdccfd0a40deb7a8f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 07:52:19 +0100 Subject: [PATCH 12/52] test --- .github/workflows/test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ca8e033..1f18cea 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -29,7 +29,7 @@ env: MY_WORKFLOW_VAR: work # TODO Currently Unsupported: Cannot concatenante at Workflow level - MY_WORKFLOW_VAR2: "${{ env.MY_WORKFLOW_VAR }}-workvalue01" + MY_WORKFLOW_VAR2: "${MY_WORKFLOW_VAR}-workvalue02" jobs: build: @@ -42,7 +42,7 @@ jobs: MY_JOB_VAR: job # TODO Currently Unsupported: Cannot concatenante at Job level - MY_WORK_JOB_VAR: "${{ env.MY_WORKFLOW_VAR }}" + # MY_WORK_JOB_VAR: "${{ env.MY_WORKFLOW_VAR }}-test" steps: # Checkout From 76a3d43e8a1972aa0f8107542f9ae76eb495f77f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 07:55:29 +0100 Subject: [PATCH 13/52] test --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1f18cea..64589ae 100644 --- a/.github/workflows/test.yml 
+++ b/.github/workflows/test.yml @@ -58,7 +58,7 @@ jobs: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 - name: BASH - Concatenate env vars (Workaround) run: | - echo "MY_CONCATENATED_BASH_VAR=${{ env.MY_WORKFLOW_VAR }}-${{ env.MY_JOB_VAR }}-bash-stepvalue01 >> $GITHUB_ENV + echo "MY_CONCATENATED_BASH_VAR=${{ env.MY_WORKFLOW_VAR }}-${{ env.MY_JOB_VAR }}-bash-stepvalue01" >> $GITHUB_ENV - name: PWSH - Concatenate env vars (Workaround) # override the default bash shell, as running on ubuntu From 0452eeaf79164c23bd8c208838b2cc0055109c85 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 07:56:32 +0100 Subject: [PATCH 14/52] test --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 64589ae..3a5bbc4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -66,7 +66,7 @@ jobs: shell: pwsh # pwsh requires double quotes when setting env vars run: | - echo ""MY_CONCATENATED_PWSH_VAR=${{ env.MY_WORKFLOW_VAR }}-${{ env.MY_JOB_VAR }}-pwsh-stepvalue01" >> $GITHUB_ENV + echo "MY_CONCATENATED_PWSH_VAR=${{ env.MY_WORKFLOW_VAR }}-${{ env.MY_JOB_VAR }}-pwsh-stepvalue01" >> $GITHUB_ENV - name: Output event data shell: pwsh From 41d1432c2d4e45c6e00a9eebb21328b3f62a5b66 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 08:02:47 +0100 Subject: [PATCH 15/52] test --- .github/workflows/test.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3a5bbc4..b9540b4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -29,7 +29,7 @@ env: MY_WORKFLOW_VAR: work # TODO Currently Unsupported: Cannot concatenante at Workflow level - MY_WORKFLOW_VAR2: "${MY_WORKFLOW_VAR}-workvalue02" + MY_CONCATENATED_WORKFLOW_VAR: "${MY_WORKFLOW_VAR}-workflowvalue02" jobs: build: 
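Review bot: The corrected `echo` line in hunk `@@ -58,7 +58,7 @@` still builds the shell command from `${{ env.MY_WORKFLOW_VAR }}` and `${{ env.MY_JOB_VAR }}`, which are substituted into the script text before bash runs, and it appends to an unquoted `$GITHUB_ENV`. Both values are constants in this workflow, so this is a matter of habit rather than a live problem, but the same line fed from an event payload would let that value alter the command or the environment file. Both variables are defined under `env:` and are therefore already in the step's environment, so the line can read `echo "MY_CONCATENATED_BASH_VAR=${MY_WORKFLOW_VAR}-${MY_JOB_VAR}-bash-stepvalue01" >> "$GITHUB_ENV"`. The PWSH step changed in patches 14 and 15 uses the same interpolation and could read `$env:MY_WORKFLOW_VAR` and `$env:MY_JOB_VAR` instead.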
@@ -66,7 +66,7 @@ jobs: shell: pwsh # pwsh requires double quotes when setting env vars run: | - echo "MY_CONCATENATED_PWSH_VAR=${{ env.MY_WORKFLOW_VAR }}-${{ env.MY_JOB_VAR }}-pwsh-stepvalue01" >> $GITHUB_ENV + echo "MY_CONCATENATED_PWSH_VAR=${{ env.MY_WORKFLOW_VAR }}-${{ env.MY_JOB_VAR }}-pwsh-stepvalue01" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV" - name: Output event data shell: pwsh @@ -77,6 +77,7 @@ jobs: Write-Output "MY_WORKFLOW_VAR is: [$env:MY_WORKFLOW_VAR]" Write-Output "MY_JOB_VAR is: [$env:MY_JOB_VAR]" Write-Output "MY_STEP_VAR is: [$env:MY_STEP_VAR]" + Write-Output "MY_CONCATENATED_WORKFLOW_VAR is: [$env:MY_CONCATENATED_WORKFLOW_VAR]" Write-Output "MY_CONCATENATED_BASH_VAR is: [$env:MY_CONCATENATED_BASH_VAR]" Write-Output "MY_CONCATENATED_PWSH_VAR is: [$env:MY_CONCATENATED_PWSH_VAR]" Write-Output "SLACK_JSON is: [$env:SLACK_JSON]" From ef9c6be3155d541deb7eac917c686443f18f31d7 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 08:06:45 +0100 Subject: [PATCH 16/52] test --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b9540b4..50fbd01 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -29,7 +29,7 @@ env: MY_WORKFLOW_VAR: work # TODO Currently Unsupported: Cannot concatenante at Workflow level - MY_CONCATENATED_WORKFLOW_VAR: "${MY_WORKFLOW_VAR}-workflowvalue02" + MY_CONCATENATED_WORKFLOW_VAR: "$MY_WORKFLOW_VAR-workflowvalue02" jobs: build: From 8a5eed3a4f3b112eb850973cc6c519ca34dcb47f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 08:07:20 +0100 Subject: [PATCH 17/52] Bumped terraform version --- .github/workflows/build.yml | 6 +++--- .github/workflows/destroy.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 158a2ae..de2a504 100644 --- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml @@ -61,12 +61,12 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.5" + TF_VERSION: "1.0.6" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases - TFLINT_RULESET_AZURERM_VERSION: "v0.12.0" + TFLINT_RULESET_AZURERM_VERSION: "v0.13.0" # https://github.com/terraform-linters/tflint/releases - TFLINT_VERSION: "v0.31.0" + TFLINT_VERSION: "v0.32.0" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index a370dc3..f1e8884 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -55,7 +55,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.5" + TF_VERSION: "1.0.6" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: From ceac035740235047e17a30fc0164b26613c17a4e Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 08:12:11 +0100 Subject: [PATCH 18/52] Bumped azuread to v2.x --- terraform/versions.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index 2bd4a7b..17a5980 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -30,7 +30,8 @@ terraform { azuread = { source = "hashicorp/azuread" # TODO: update to "2.1.0" - version = "~> 1.6.0" + version = "~> 2.2.1" + # version = "~> 1.6.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases From 9ac276617897accf64d85d4d5a4f332ebd3bf9e5 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Sun, 12 Sep 2021 09:13:29 +0100 Subject: [PATCH 19/52] Bumped aks tf module to v0.10.0 --- terraform/aks.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index 1bd4111..e1b012b 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -54,7 +54,7 @@ resource "azurerm_log_analytics_solution" "aks" { # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest module "aks" { source = "adamrushuk/aks/azurerm" - version = "~> 0.9.0" + version = "~> 0.10.0" kubernetes_version = var.kubernetes_version location = azurerm_resource_group.aks.location From ad2a2a2f0d699e78aaae2930d37662e42af38fb8 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 09:13:47 +0100 Subject: [PATCH 20/52] Fixed breaking changes in latest azuread provider version --- terraform/argocd_sso.tf | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 19ab3b5..4974f2b 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -15,7 +15,7 @@ resource "azuread_application" "argocd" { display_name = var.argocd_app_reg_name identifier_uris = ["https://${var.argocd_app_reg_name}"] sign_in_audience = "AzureADMyOrg" - group_membership_claims = "All" + group_membership_claims = ["All"] prevent_duplicate_names = true web { @@ -57,9 +57,12 @@ resource "azuread_application" "argocd" { } } -# TODO: add "SelfServiceAppAccess" tag to enable self-service options in Enterprise App resource "azuread_service_principal" "argocd" { - application_id = azuread_application.argocd.application_id + application_id = azuread_application.argocd.application_id + owners = [data.azuread_client_config.current.object_id] + description = "Argo CD Service Principle" + notes = "Operational notes can go here" + preferred_single_sign_on_mode = "oidc" } # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password 
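Review bot: Two of the new `azuread_service_principal` arguments carry text that will appear on the Enterprise Application exactly as written: `description = "Argo CD Service Principle"` misspells "Principal", and `notes = "Operational notes can go here"` is template filler. Suggested: `description = "Argo CD Service Principal"`, and either a real note (owning team, secret-rotation contact) or no `notes` argument at all. The new `owners` entry makes whichever identity runs Terraform an owner of the service principal; that is presumably the pipeline identity, and it is worth confirming that this is intended.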
@@ -68,8 +71,7 @@ resource "azuread_application_password" "argocd" { display_name = "argocd_secret" value = random_password.argocd.result end_date = "2099-01-01T01:02:03Z" - - depends_on = [azuread_service_principal.argocd] + depends_on = [azuread_service_principal.argocd] } data "azurerm_client_config" "current" {} From 2dd3910f79e88a993f841d257d4fc5a86adbf39b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 09:38:01 +0100 Subject: [PATCH 21/52] Added azuread_client_config data resource --- terraform/argocd_sso.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 4974f2b..7d34b9e 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -57,6 +57,8 @@ resource "azuread_application" "argocd" { } } +data "azuread_client_config" "current" {} + resource "azuread_service_principal" "argocd" { application_id = azuread_application.argocd.application_id owners = [data.azuread_client_config.current.object_id] From ea6a5e9ed031783765373ab002e7f57cdd634a16 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 09:46:51 +0100 Subject: [PATCH 22/52] Removed setting value in azuread_application_password --- terraform/argocd_sso.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 7d34b9e..bb54efc 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -71,7 +71,7 @@ resource "azuread_service_principal" "argocd" { resource "azuread_application_password" "argocd" { application_object_id = azuread_application.argocd.id display_name = "argocd_secret" - value = random_password.argocd.result + # value = random_password.argocd.result end_date = "2099-01-01T01:02:03Z" depends_on = [azuread_service_principal.argocd] } From 118f4f90ebdfa22839866e81295e8db71f6abdee Mon Sep 17 00:00:00 2001 
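Review bot: Once `value` is commented out the client secret is generated for this resource, but the unchanged `end_date = "2099-01-01T01:02:03Z"` in the same block keeps it valid for decades, so a leaked copy of the state file or of the Argo CD secret stays usable until someone rotates it by hand. A bounded lifetime is the safer default, for example `end_date_relative = "4320h"` (sample value) in place of the fixed date, together with a scheduled re-apply that recreates the password before it expires. The commented-out `# value = random_password.argocd.result` line reads as dead code and can be deleted rather than kept.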
From: Adam Rush Date: Sun, 12 Sep 2021 09:50:18 +0100 Subject: [PATCH 23/52] Added azuread_application_password.argocd.result usage --- terraform/argocd_sso.tf | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index bb54efc..e0a8b0c 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -2,13 +2,14 @@ # # https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/#azure-ad-app-registration-auth-using-oidc -resource "random_password" "argocd" { - length = 32 - special = false - keepers = { - service_principal = azuread_application.argocd.id - } -} +# TODO: remove after testing with "azuread_application_password.argocd.result" +# resource "random_password" "argocd" { +# length = 32 +# special = false +# keepers = { +# service_principal = azuread_application.argocd.id +# } +# } # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application resource "azuread_application" "argocd" { @@ -119,7 +120,7 @@ resource "null_resource" "argocd_cm" { resource "null_resource" "argocd_secret" { triggers = { yaml_contents = filemd5(var.argocd_secret_yaml_path) - clientSecret = random_password.argocd.result + clientSecret = azuread_application_password.argocd.result } provisioner "local-exec" { @@ -129,7 +130,7 @@ resource "null_resource" "argocd_secret" { ARGOCD_SECRET_PATCH_YAML = templatefile( var.argocd_secret_yaml_path, { - "clientSecretBase64" = base64encode(random_password.argocd.result) + "clientSecretBase64" = base64encode(azuread_application_password.argocd.result) } ) } From bf32b43d89d10de01252c3f5b23bae9db896fb83 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 10:02:56 +0100 Subject: [PATCH 24/52] Fixed app pw typo --- terraform/argocd_sso.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index e0a8b0c..248439d 100644 
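Review bot: In `null_resource.argocd_secret`, the new `clientSecret = azuread_application_password.argocd.result` trigger copies the client secret itself into the `triggers` map, so it is stored a second time in state under a resource that nobody treats as a credential. The trigger only needs something that changes when the password is recreated, and the credential's identifier should do that without exposing the value: `clientSecretKeyId = azuread_application_password.argocd.key_id`. The same applies to the `.value` form of this line in the next commit. The `templatefile` call still needs the real secret; the `null_resource` block starts and ends outside the hunk.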
--- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -2,7 +2,7 @@ # # https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/#azure-ad-app-registration-auth-using-oidc -# TODO: remove after testing with "azuread_application_password.argocd.result" +# TODO: remove after testing with "azuread_application_password.argocd.value" # resource "random_password" "argocd" { # length = 32 # special = false @@ -120,7 +120,7 @@ resource "null_resource" "argocd_cm" { resource "null_resource" "argocd_secret" { triggers = { yaml_contents = filemd5(var.argocd_secret_yaml_path) - clientSecret = azuread_application_password.argocd.result + clientSecret = azuread_application_password.argocd.value } provisioner "local-exec" { @@ -130,7 +130,7 @@ resource "null_resource" "argocd_secret" { ARGOCD_SECRET_PATCH_YAML = templatefile( var.argocd_secret_yaml_path, { - "clientSecretBase64" = base64encode(azuread_application_password.argocd.result) + "clientSecretBase64" = base64encode(azuread_application_password.argocd.value) } ) } From 735dc4cd199fed2597599851ce327a77d436fbeb Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 10:54:16 +0100 Subject: [PATCH 25/52] Removed old code/comments --- terraform/argocd_sso.tf | 13 +------------ terraform/versions.tf | 2 -- 2 files changed, 1 insertion(+), 14 deletions(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 248439d..5df7de7 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf 
@@ -2,15 +2,6 @@ # # https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/#azure-ad-app-registration-auth-using-oidc -# TODO: remove after testing with "azuread_application_password.argocd.value" -# resource "random_password" "argocd" { -# length = 32 -# special = false -# keepers = { -# service_principal = azuread_application.argocd.id -# } -# } - # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application resource "azuread_application" "argocd" { display_name = var.argocd_app_reg_name @@ -72,14 +63,12 @@ resource "azuread_service_principal" "argocd" { resource "azuread_application_password" "argocd" { application_object_id = azuread_application.argocd.id display_name = "argocd_secret" - # value = random_password.argocd.result end_date = "2099-01-01T01:02:03Z" - depends_on = [azuread_service_principal.argocd] + # depends_on = [azuread_service_principal.argocd] # TODO: is this still required? } data "azurerm_client_config" "current" {} - # argocd-cm patch # https://www.terraform.io/docs/provisioners/local-exec.html resource "null_resource" "argocd_cm" { diff --git a/terraform/versions.tf b/terraform/versions.tf index 17a5980..b4a3b85 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -29,9 +29,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - # TODO: update to "2.1.0" version = "~> 2.2.1" - # version = "~> 1.6.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases From c665b7b04bcaab9bbd08f7ca845072a3026403b0 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 18:01:11 +0100 Subject: [PATCH 26/52] Added SP tags --- terraform/argocd_sso.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 5df7de7..2e82786 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf 
@@ -57,6 +57,7 @@ resource "azuread_service_principal" "argocd" { description = "Argo CD Service Principle" notes = "Operational notes can go here" preferred_single_sign_on_mode = "oidc" + tags = ["notApiConsumer", "webApp"] } # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password From b22ee78d0338a11470e4027f658881de037c2f54 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Sun, 12 Sep 2021 18:09:38 +0100 Subject: [PATCH 27/52] Removed tags --- terraform/argocd_sso.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 2e82786..0e1358c 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -57,7 +57,7 @@ resource "azuread_service_principal" "argocd" { description = "Argo CD Service Principle" notes = "Operational notes can go here" preferred_single_sign_on_mode = "oidc" - tags = ["notApiConsumer", "webApp"] + # tags = ["notApiConsumer", "webApp"] } # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password From 7c36d864c5421d03ce8a91261a3083c6ad2c6fea Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 17 Sep 2021 06:50:13 +0100 Subject: [PATCH 28/52] Bumped binary and provider versions --- terraform/helm/velero_default_values.yaml | 3 ++- terraform/variables.tf | 10 +++++----- terraform/versions.tf | 6 +++--- 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/terraform/helm/velero_default_values.yaml b/terraform/helm/velero_default_values.yaml index 895b4a8..1e5d651 100644 --- a/terraform/helm/velero_default_values.yaml +++ b/terraform/helm/velero_default_values.yaml 
@@ -119,10 +119,11 @@ metrics: kubectl: image: repository: docker.io/bitnami/kubectl - tag: 1.16.15 # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. # If used, it will take precedence over the kubectl.image.tag. # digest: + # kubectl image tag. If used, it will take precedence over the cluster Kubernetes version. + # tag: 1.16.15 # Annotations to set for the upgrade/cleanup job. Optional. annotations: {} # Labels to set for the upgrade/cleanup job. Optional. diff --git a/terraform/variables.tf b/terraform/variables.tf index 5459651..abefbd8 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -33,7 +33,7 @@ variable "cert_manager_chart_version" { # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.23.6" + default = "2.23.8" } # https://hub.docker.com/r/velero/velero/tags @@ -64,20 +64,20 @@ variable "akv2k8s_chart_version" { # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 # helm search repo aad-pod-identity/aad-pod-identity variable "aad_pod_identity_chart_version" { - default = "4.1.4" + default = "4.1.5" } # https://bitnami.com/stack/external-dns/helm # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "5.4.6" + default = "5.4.7" } # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.9.0" + default = "2.9.1" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility @@ -90,7 +90,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.17.6" + default = "3.18.0" } # https://hub.docker.com/r/argoproj/argocd/tags 
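Review bot: With `tag` commented out and `digest` still unset, this file no longer pins the `kubectl` image for the upgrade/cleanup job at all. Going by the new comment, the tag then follows the cluster's Kubernetes version and the pull is by mutable tag from `docker.io/bitnami/kubectl`. If these values are what the release actually uses (the file name suggests it may only be a reference copy of the chart defaults), consider filling in `digest:` with the sha256 of the image that was reviewed, so the job cannot silently run a different build. The `kubectl:` block continues beyond the hunk.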
diff --git a/terraform/versions.tf b/terraform/versions.tf index b4a3b85..4f2e7b5 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,19 +23,19 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.76.0" + version = "~> 2.77.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.2.1" + version = "~> 2.3.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.4.1" + version = "~> 2.5.0" } # https://github.com/hashicorp/terraform-provider-helm/releases From 5803b1a8e0195b603de1e1170d93ce9c0e0811ca Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 17 Sep 2021 07:23:18 +0100 Subject: [PATCH 29/52] Added full curl flags --- terraform/files/scripts/argocd_config.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index 1960453..fc361bf 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -24,7 +24,7 @@ chmod +x "$ARGOCD_PATH" # Wait for URL to be responsive echo "Checking ArgoCD is ready on [$ARGOCD_HEALTH_CHECK_URL]..." -while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' $ARGOCD_HEALTH_CHECK_URL)" != "200" ]]; do +while [[ "$(curl --silent --output /dev/null --write-out ''%{http_code}'' --url "$ARGOCD_HEALTH_CHECK_URL")" != "200" ]]; do echo "Still waiting for ArgoCD to be ready on [$ARGOCD_HEALTH_CHECK_URL]..." sleep 10 done From c6ac7afdb4882d880dfc46e2d67d0d9681312745 Mon Sep 17 00:00:00 2001 
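Review bot: The readiness loop in `argocd_config.sh` still has no upper bound: the rewritten `curl` call sets no per-request timeout and the `while` has no attempt limit, so a wrong or unreachable `$ARGOCD_HEALTH_CHECK_URL` keeps the pipeline job running until the runner kills it. Adding `--max-time 10` to the call and counting attempts, exiting non-zero after a fixed number, would make the failure visible. The `''%{http_code}''` argument is two empty strings around an unquoted format and only works by accident; `'%{http_code}'` is what was meant. Suggested condition: `while [[ "$(curl --silent --max-time 10 --output /dev/null --write-out '%{http_code}' --url "$ARGOCD_HEALTH_CHECK_URL")" != "200" ]]; do`.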
From: Adam Rush Date: Fri, 17 Sep 2021 08:35:54 +0100 Subject: [PATCH 30/52] Added argocd logo image to app reg --- terraform/argocd_sso.tf | 1 + terraform/files/argocd-logo.png | Bin 0 -> 16358 bytes 2 files changed, 1 insertion(+) create mode 100644 terraform/files/argocd-logo.png diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 0e1358c..65c025f 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -9,6 +9,7 @@ resource "azuread_application" "argocd" { sign_in_audience = "AzureADMyOrg" group_membership_claims = ["All"] prevent_duplicate_names = true + logo_image = filebase64("${path.module}/files/argocd-logo.png") web { homepage_url = "https://${var.argocd_fqdn}" 
diff --git a/terraform/files/argocd-logo.png b/terraform/files/argocd-logo.png new file mode 100644 index 0000000000000000000000000000000000000000..1149ee6197caf055001500c9433047078dd939b9 GIT binary patch literal 16358 zcmb7rRa7NC)aAw9-K}wl4|jKWxHvR4esOnb+_kX=8X7L{?(XjHH100LKW{T@&BLTB zl~qY4C)r7M&Z?Y5sw&H%AQB=1000y@SxNP;aOr$<1Zel>h*58UP?L6aaYniV8di0NmIBfD;n{fIkBOz;nuORTKP5fHhN)kpz7H z&-J_GZ}L|RoU5FY6x;y<1}qb_7GFLY03duKCn=`sxq6=Cm2IizcG+c{=Q2dt3O))C z|E`K|ZB6)#q6AqOI}?W*6mg5bHTP}G+Q@eXA4}=KnSQJ9X4%vIk|?OtlyvYB91@&} z6VrEsI!m5IE)U)TXD+tw=5AU#It$PK!ar>;s;7jH&bADFsyZH4(Xsx29H&8IW@WeU z5gZXJfI?VK6B#lBK1%$~QBqY)^^uVBf^)HeE|@$pc2fs~Kd(Kqv!QEXfi;@!S`lOG zSz`QUD4eZRrA4zlA`oA2ini%qFNra30^T)}JzDeJOf#LbmRPq0Y#)e5E{kCbSm=On z!>E%n>1x>VHz7}zPY)*VUj=AMX)V_m=M)-`-@cgFarz-0qSQ2_LWuY_qitDKV*^62 zkq7c2l1DA@D4Yc;%e3w_``a}ug!CnG8CHXA5M?z-O9h!oK18$cnNCwROgZuC~Ei=a@WgJ zboe``x)M3aX9%{AF5V@BH&KF##K<3r)2U86wn zm`P4*9LR6`O2xB_bNoa4my)1FFiS5nis!4sCXF6Rs@y^QXEKWZw>AQE3S^OL?LJbP z?~FPVV-SpqsAMkYzV`GzcXhlMf{0@uI;&29F&411(WTgNBbyR;3HxRbMWRH1p7W26 z1^wAL2`!~g=}ALWu0yCDKYhKG;A&mC;;f{Z^H$XpBPwiSVy$=?w!)}t4@Uyh2o94N zJmncqVq2hN*}~euBdWFP;5TE*F&WVFj}1;g#v|yO=HkFCZe;X}22TZ{Kb$a7MSB>V z1*2JF#%Wgxapgn7?(uf32=W#-{qqq~_ejjx3TYqt37tI&zH(~A(ZfQJ#!`Lv85ULH zmZI>?z>Y@0V#o7x8r&tZ>W>j9>*GT0D@;;u`1DA2N415=;M{C^cta9W!*kMqfA}nd z!C^!-V(1J|EeW|F3HiYT`cY>4%G+c$58CF66#ZuXzZ=JK{<=-vRph3A_3pQ=uCBa% z-^j`fWZf+6sWwe5k%D8d(ojz%0l`)Q-=xUCTij^gpTnY)wNsNjJd`{DW5uV; zA^8L1+@r)Xw3~1@h3~DSb#Z;SBV>o=0j}r`QR#Q^54^O6x8#(H6 zMV&f&$!zLVBIK1dq6Ah3%A0KXfHIpd`dt(oK2gEG1KV8(Gsga1n;@dRe=>-$(2Dui zcKm+ySM<|v=LCJV4tWpdJaY@#*pS#`qn(``udm|bMb?s?f5Cau`vm1Kd`30J=EY_F zwh;ph-*|-iMHw>lfh?G2YeMW~ng@lsGXn~(zPKLGPtw-^{kbU+Af4P^F2i`2plI_R z-A9bVUm+hIf_r(`THkD;i>j&xg1nh(rN62ZOtzVGw7{z3GKA%YEd;qgRk7M+m7Jto z!z(6}ya?XFTlMo8gM+lB%P3*fs;1L6EdQ-FZM~~YaQ%T0jKR}l7yc>46<=pI;C`RN z$A%7hhRYt{0M$vEi_3^*r_;aD-})t_J5~i*jUoJxI;j~S#*U-beJzZAI8HRyAFSg1 z2FNRzv_Iq32Z-1YxXhMF`3yk~DHWJtOa>O3>PTnCpib#-tR5b5$`_w%vpU3A@3Avs zbd!pG$^B@Xz9|Y0Yr*EvHhbR_4G{N 
zZ5)5MO+AE6Xg=BoLu3JAxdH5*18>EA`k*(P6Jhp#!s+cxExH)eSYpuJhF;r*PMl<0 z8o^|V?9Yi))ho(kv9`%Ekfe|C%%k>>PYH)CPp|`?TSXmd7^g7x<`_~S6B&?~6 zhB$Fi8e`1VrL*4Y&8AvEN!UZz=1$|5+6Iiw8l%#OFGi~89PrNzqfm*ja{lR9l%nZ2 z*{pR_i44YCc8hw?D7hEQfK!MUXS*gUp2>ge$@_5<)~(( zaHS3n4GImaZ9qlSXtG&PzF@9cet8g93t(X0PJapS-B*l9eDC+CB}qK8%G9&WwjiM)OTjGI-J^|2yq>3MT3 zTSarVh}G*X>Ada5JC+~jwZ*ArBuhfFKkYK2ENMm!Lm10&hN#LIN zS@$7M3wIF}um_%hC7K34G2z zKPIVMRm)7U)^g|H{*MoU`S_#QR^ccF5iGEw@l;i~voA>(*d0ssf?>ssOX=K!(eYMN zB-bj?UL2;?IQrn*9b~qgR3|<_PMEaPmRT9w_2;(bRqk>lScf<`iW<}ONiFQ;`)_+o z6poTS@?+iM>6yRNJ~xcVA{WS`_J$FSn{NM6*3$~kDj}9*)3IJKB{ABVND6nl%yk5G z+?8;ug_bR`@ItFxURiEN+rIBXEqB-M-YL6_B)*n_{T;3$rv%JEwZ%|`WF@6Xv3qfu>4e7sXW`ws0N!J_cO+tBhf(iLs*pioCs9i(6U3&+s+w~j9sdH zi!C%Ncoo}Bn7IIt^ov$~ieKz8OvJ>8r6;44+;GcqOiS@+;oPfl8c%iIw;r!tI>?Lf z(F^2ZvuwOELQ1GRtT=O61w)lAhgpSi+YiZ_c3WFJ;f=7A<1}a4GMZALgck9=CLcRw zkfaU-K3~$|9uvN^-+JdV=8c*QqV0L%1$B0E+8*0I+J1C4NnN-*xkw4zh$$F~;Yh4a z#uDEacA4$$iAdNThjQr&5=7R3!>?sYmnTN=Kl?E}{IN7fo4%QqjhgJs*-4J#rMW&w zBxvshz?e2urUnunU9T^-<1D?%z{=vypX^Ky5t+49}9 zCi1y}{{%RzQ*zOg$o=SV4SAefr+CAI$kxb?Isy_yaRF0)f4j?oO>*auGOKRFL=iesXu2Ol1%I!Ifsf3GDsMj@v+%Hk=CoNiM=lp6G;*dSZa|FlK_LEAmo3t7 zBd3aOz(lYcVg1aKB66@_NlitPkVk2c15YQi*IOZjTcu-K)Z3w_U-ln>CPqUVw)-^3gjx%M#L{Zd{)hJ$TE{i+X#Tlnc5OrG%FRCp=C0>FsjP- z6~kjPT3vz~|={8Qqmx)FD$T;?xuZ zHCDJ?n%1ePBah^6Fnta*T}MkW=lr!}4y&%Yx0&*`P=}4K>>KvlB|uzVTD>2KILv7l zzQ4^23Cx=yt{AoDq|ay8*s!5S>2r7#O%)2O4(sO#HpVym=l2=QGjGs=ksh@mrNdNz zv7SKF8jcf_@3QyqD&)trS`cw7wkNtDO6%I-^Sd6QorMV|H}j`y`K>ar%E+H$P=Vac z2=yfi#=ap$t1cHgzRz1BE&unkD3B|B5|8wc-)(r!UO6J=^cI@XtIUTnba=SQmXUtu zmD|=|YQ}Fxl+k2Bm4dV@TXZmYy%B&!FFq6v473)klZSTrW##bfMO*1t1R*chqqBp# zMWx2*q9IPsIcjsx8qSP722+({^);PbAetKBp_bc6NPOJ;9xAThq=!-1OSdz%JIw@Z z*K+gs!hRYM`aob4>9WGi%IyW`YUxBK-uC0SJGb21{u&r(1XToh0z!K5K4nu}X5}Op z^n^}?&SPU5U`Nw{3fc<8XI?>#6)N1h-%v-ZZQ<;^Q5)^U-=_Cjs~5=Q)e|rNUJRy0 zGyAcs7R~<-u#2fPqWl)96Bd?ag~jYGX2o|a52TKD&%n}yY6T0KgZWpG6XKA6Y4NJo zR`4a`@N)|V=Uv)Xj&Z$Z!a}s6jQzO34gZpsc(Sq5dXH%T9#fb~7iC7E6apMS3Z&!)J 
zlH1_9qlcsvKKmAjb++x=dDx(cYIswN*uC8v zAT$5;4EN_I&?0-djcSjmP@+i}1hCT3IeR`L$T+B*{f5&RHLn{-gs*HNYjxv(BfH8`}xdJ`E1oP-*9PT z?iBgZ9GrM9sWBlAtubDAcC=;wFGr-iOj7SplG8rB)07L{~nnMCQmIIp(HI$J>yBhX-~c}x2w zuX~4SG`@B~REV?VH&4;B%COba>1Qs;#_7zV|Naq)WYr=GHmDpOGo|J-p^{`9fRtJH z6;in9oN+@CLQ@t*VQIxw)<+^iDp_rX_1?*p**W6ror~v>R*z_PUa9s9N`(#=TpFzi zs|<6RlyZ8IQU?A5`B;ZR++F-M7D4vdK%No`3#Bk5x)>xoGaqyO5Pr6l;i6`1IxSkv zaleWgm$9Ev0WF+7$Dj%$7BXuPnK3I|zVt*?bJ#nLa5-HQQK~KE7a}bh0$2@@n*7N8 zZ-np+bg^|t%I)8xjY+AQv^-aSI8C%|htAm;mmKvKSYAab?9{vLG?I0zI0mkhpHB%* zj*uGM>LTxwGos{`jGk|DS7~THy9dbvkI(5nsg5ur5OmQOZK;h) zD)~woIns|dMo$}MY^(!C8r5($QTgV3u&c(Ny&X=yrB^4mHi))coqp>cTYiE!!&Jzq zsM@Ua_{~plPP@N`%V?EF7vKln$h7i1pep@|n1l*WWGWiktAAj1y&bT6J*-$E^fBPd zL9?{?>WRPvRHsWlZbTszo1iQTYAp%k=v44XuLdcUXs&f;{+3+Y>*~cuN>FSGUzyRm zuWQ=!7jSHT&}Zqok!R_6bKZQ*; z3KI|dd@N!GtsJDg3@qr}u8y(nappZELqS1diDXamkF702z~@XkkT-bv^c~Ql_&{j1 zWW6w%8S($uONf-Cds_-5 zy7j*KsJd-y{ET>huH{^s=gChDLbmg!`Gt&oHKg^2IFcnbypAQN)dlN$Cf>jQ@5k8` zJ~3f0zJ#$cS>Eeu*Y}lLOW$oMvW%y&Jr(C6^T!t3^|$|?afV1!?thrxj`9t>)d6=8 zH5;NBRS7^{KI#HsnSq4Wu4u_mh{s+Kt4mxE!@AF9hv5CG@g6N^L^C~L>hXDi)xW21 zO4#5XngnV4DV^O;e&})6?(UcV(Y?Wa5_kYwtXt`HiIa^j@W|_8Jy#}Qcfa`lbmXY4 zAFG(dflv&(H}LG?=#-xu`osZM7JFTQ%zmjID}9^Por|X}3*F5TA9Tyf^>}o$_A@2g zA-jIJ4HLHE^6$I{8a+BRKkJa;mrk_ZN-vh$pNrU6Iwy#cQ}FpJ<*9Z;D>+eQy&d^6|8qYIh2_2EVq-bS*CK99Do6WWVu#zTL`w!|dB5 z)f&L>d#>_?vA4Hxm?CjA?J#4()VcSW8Fnre=gasxYPK1rumM#yOUH07>cp62tDebZ zTOHJUqM^K_B7BVyr`KT9Y|wZy&iOn~D>70b6>XDVH8D;uRtS^n=yjXrb=kJ1B=d7E zf+cI>CXJ^f^0D)=Ln+Om%U9*kg9Vp%( zfo303WfoHf&NXlPp=9dMzr4-ov}uOM#)mYN93>lg`A>U|bPNI$=jG z`1k*T#vFHxo%jKYB*Hr9Hml?rTr-d1Gl^-@>whcP)RxzRT`gP!c|o2>GBnAi{_cqG z+0$vmZS)}$yxyMIdK>v^a->a5+BHZyD*0a={r*l*8*s^q!4pI!_=p{$YE+$(ufeW1dDPbq(JwFJw&rxOQA>ru_>VPx;xA|UK?o2N)rA5Ud ztR{y+el=WWvR4QfaG{Rj|3QU+43+YMwWJPom7J)zMKC|{MhsCMNynzDh1=htbdH3t z(tgTLzZ!E{cbc#V8G3okV3SmOX_0Czz^Qsed#NVAhdiI`RVHZ#mk3!3N-UPma@D8h zYthcMy#SYYwN=>iM?88r_+{FygJ{9QR3Y5Qj3M{ zbXr87Bqbo*tY z5Tys*zjStS!g-zFmvU@B8p&EKH(=6xPU=i{k|NcxO^*kyRRrNZDt;;vZA|$|>HecB 
zH1u#2c;t;G_2$;>Z>w0;Iwntjm z6vc^wFXivW3d(OU(p87{!Y+%amtPistXRl+Wt+pvKv;Cd2UzQvcP3xm&+f&`Cdw<@ zG5t`{O>s?hkt!1uQ3cnK)dJEkh5`nn$c$CIA90T`uKk)kK?@3oZ>Co1uVVxea*L zx3f(eXGZ!w9=?N*$FlQA=wL(xkMv^#_yzpu5|fX`KYm89v(UGZUREuD;YUiOG!z@% z&V1sllg|8UV|^*$fGT|`i#nBMC^dbaeT#FdE)3orXuDn~$+$5JN95h3m1q4R7~jJ_ zdi{h0Q(Y4wGl@AM`At8O}L4Lfr&~F00;?YE4FzQ_!NGT&XcQZ`&q=Mrg$&ya$?$5Rc*Q2< z&3sT$wLUfkA~G!1m};v=c${R;JJfuVF$nq9=vx0we9LVq2@-)d3M&fwkl;$_(P&Uy z2L60!KTNAf(y%{{jj(QK(!4!UR~9R0jc0N#1Laug*6tzKgO5A4as{V6;X(0y{c1+& zlmwZsO?QhdT_G&i6yJG8E>q&x4vp%tsF}sM3BRG*1mw=x>w!pJhCNxO z&xToS!u2UnrrFA@06Hb*t7>PCtfe^BZJB_ssZkUX`9Hmv$0N~u0dk_pM>wu@X=GS= zz8A4eS^Tu(_Emk=0h(Esz513@y}D6d#qFDS(B;aiF1PUJO6H{b9b*D#-CL8Vm;ujz@wF z3o^0bI!~%s@rk|22P~?znk=mZ;`eGc?hL7SQY@I1YtiYW-oZr-8)2l2J@KKE$fZiwhDR!t^4z7v2dBjLJmhjY>w8&icB`oRi^@@N3gg`Zs$ou5+@Pj6X z;{1b~*y%$bHMP-)mt%W+`c{GJlDR$d-V_XkKxo`mq8J zfxqeb@a=|f663I;S=enx>d)+tU^9Ywf4u!eC@6||3DbKgS~o}{z~2i2zHbU zvn;U}Z9i9M>1_n<3SNX=A?u$>M_|X~<%4S5{wkJ0Q@&|53cZFdB!r5<@S$0;-|7Pa z=dA#0h{02+k5RDQ)`mu9i+YQAFFXlCl?{A?H!1f_>*7aW&v8 zH`eAeijq!5Eu<1~V`kuRvo5YAF#lkb-0>gYRF{Ix4S^Wooo$GDDMxrLvJX>oP>Q*Bq} zp5z3RkKu%ihWox6c8A7gw3Bs%Od{vV>nt{a-pIgWzWn~iX}3}fGuaNkc}>83X>$xb zhW_4H^OL=LSGW1DeEZL*3Aj;klkQz%=c?9 zscMbw?WH>*Ys&k4u^JZUoR$vOV$N{NEeEfyeZnR3vc z^3MxPz*l|4P&_sUy`uHAG8_F7Pie2DtRFjCUG#9o%g)wy%*d_Sr5)53RHBa#pbu^| z*0Oj{-^g*7=!}}Y5x%y2Wzkdq@we_-L9Myu(WTxitUaXQ5_bs7(dZeQbYk!)lS<(J zms-?-j%;b^6P&kkWv?v!D#+q>KcFnjsNy7p&l^n*X=E0&M+p!4ac^8{KJ##NonB$R zNr4$=Lyd(nE0_1Zk)=_4rJ-v)s0ZDAoT{6Q^83$koS`A_oLBRx#=8zXyp_PYxQOX4 zw+J@)E^5kvTt*v*(+kY!BzwB_(RNjiwZ+;a2RWLN+TVF1PscJXx03=xotMv($;Y%q zDF$@dPqSO^BufDY#(ZvS#RmxttU38YIp8eHir|LovcKbeKO(5X>VZD z?2p)q;@kykbD4n_D0r478ViYVG>}8KZ*z|hZmHjsncL(IWtfyznS}t7J#D4PHtoL< zjKBre1@lX73yZ2bP{MvhnOr9+RIwvKS4Y>w%H9qw!rS~i)nRyu>4rVB)AcHY4F z>ID*P#aT40((!xBcFy{n>B)BpgU1v)O^~ZK2Ul%z84fmXv7hiQkxY$)o`6_v>|S|m zz2haHCBdbTSFHm7w_0GKF^IIMqr>uRQ!tUyMo+S{=t>!blqDUOUAoyO?ua-W(G0{j zl4>i^ElMvE;kjuqz0XW}bG|8NuvuRxIVH-L?SKxW^heb($+lIK&kdBuYV1p_L%gO$ 
zxr$ui913O{qj_4^V|&%V1m#={5%oAed)(8U+RY*fv#VKuP=z9{!tS9hze`I{5mLNx^#_K z>lhFORD)QdqBI^j5iuEe59Wyay#vsx6fi4xd@uj9O8WNvJjKJ_Y)!C?zDFQlmXn*v z1HPdMn_KIH(DS$@o9py2-xzP;jO0Qf?b=VaGw|oO>1)SmfjRhGF?)7MzUkA%&>9~y0SaLKeB55-gNWD zx#JOPYj0hLsj4l=Q}MRn1B5u!)J3QWp9W33l-O`dS<2FI=ZP9NERAH-i_1J?8?wnQ zUMcN~k8~5eX7$27N$|zX*!h>f3lX}4E%42RPE}fK?pmOYI#r;KJ-9UnhXN&C$<0(N zDVTu~LpUNy9J*uQW5xq0IM?K&jBZdV_uH`pnHz{~wXtu6Z$wpPa)2EgAjKD7?#8!f zYSFHtBB{>jYS-e%$azvVy1WEV6JZwtqpwx7YaOxe6JH^tciSx6e*!zepoo?=m z9mU95R-s2i_DuDKrvA4}3e(A_K;Slxie5zTab6-odb-D-5S zn5%Q>dQje&qZq%<%_G5FzE~akNkd8ErCsht+I$n_ffVu9m?fmWBF=H#)3$+2RCkbB z7+#2H=G_|IF5Re1?-AqmTQ1t@(Pcld|GNs*g71RxW}qC(F9*!RQ)81gfzZ1BL-B&< zGMB5Fr60-5Mdi2`ifqGYHs*F%XkLRHXmb(r0&por`6$4JQgpj#ws=mEl;%~m8|l6d$Q}*`9oVnA$EZ;tV|LB5H23ULC|L$Dwx%_1vN@C=hI;M)+6RgfRK zdvGaOm)N7Rw8Wb%Cd-zHPlqhmPSUL~izNZ0Cay98u)?h><^P&5;k{+WS<|d9`Eh$u zEc};@k1Qd-q>Wd2N*{hz!tGv{hDXYbfOaC{<5HubKzm8U}$U(DYd^-d` z(auo;sn9P7nZO~sQo?O6#g}v0-*A^)^AW)?_4*-8kkcYPKIG7er@kDyG5#eSjlq=Q z1ty&cj%g>x^b9$yXj^Z33N6BR4rncA9l#xVGDbQwrMkV$ zYkeHm)5==8G*LuRH8X)MQk&zMof)Koxd;~&a$xqNFd!V|7ue^BCaRDU_*C7M% zDOV7A6b|ua5ECV~nY|L(m&GLtOm&I!nRn^K&idgV2_fH7LzZSVYr&nCmyqZ`nW1Qf z=;qSkj2~Y#>q-%L&m_;KV#um$wwqx~S1Vkh$AXuxCi$mn)Ca2 z{WAlWwS)*tuDc&Jjb2&Cok>HcnZp#0o(PcuG883<8Q|*pvbxr#+q2ZMa1>m)?`*+$;BM3fNE8=}MGupo?0EcbZ8mTC> zW53W0^uOa` z({$fsSqK8nfjN--VnXYX`%VOfI+SfrC7agye@O26$^9zJinWLdXG2aT zBH97ogZ;_2|1}ms>+6XeGNq#+K8@spTo$7d#`KW+*pA7J0r`{xZcB<=gM438GelD4 zjll!Y9w3331Na4SVG6B+`keuy1+#A}#GhnYR1Q{jgHi>D%cSfWgU0lFs!tt0G zk3uihTyzT7h5guzZisEwoLo2Ia(Bd^$v!cmAh_oDJ2@5!Nu1TO?(&f8r3UZOz_Qg} z$scg81b_74IP9aejS^ooWwM$s@a@Fv3gHPKv{*xTG;kJK?d61(n=| z#52wnT{RAVze(A5)VR_wy3kfblAfcp4b)JJgS3b9M-jYWijQg3!Ci(D3|xIh*BEre z+Cnd~bZM?xCJpC#A_z;6+5bVyw-G+9tSJ+%fFWLvY_iO=UZx4XLs(uZ^F|W!>`~r9 zmZ(EXJl5aO2fHAt`8XG72~Q+Oy4|u*s+_gYU4NUR3#=%>6{JTW4IzK5`=^t}$r=PC z=oO=b3ygG6j;Xzg3QG89mbP1aZG`kfGr0K)=QP5T&Q@cv9CCuh!ddwMn1U)BT2x>f zL=9>ozz2QOSBdQ#{5I|jf262|GVY4PIhr7zEGBAY>Wy@l{g&TB;_iTVB^aaM*$m~s 
zDLm&9pp6k-W*MH0-1_{-d@3k+(^{bInJ4YG;9G&OeZ84(wX>p6aj%>iWF8j zavG0%o0vz6(m-wF;3Jc%pr=Z#iu9G>zB}+F9fJ?!Zh{UWo2wPxle(A11S?1o<>gz( z-#{gJpXyC?ZE<-Rx_#5%Waw^V-<|S-?93P{Qz{TIKk-CM_xEVy;S8e_HNMJNC=8UM z`_WCtgn>_gFz{%mZk_cTM+T#3MRn#^WCKix#WG$M4)l2xK zzZpo0zzp#93}qHiP37$EXT|dc9NEG1ypJzV5<94yFi|7iMFIFqru7X0mZ0h174+LnJJH3 z(_GN`BEa(gdYp1Poje=Cnbe8q7;NqPUvTvD6ZPmNg`lE-K6>E2q2AYY_`tj)QEN&D zZEd04;2(F8KSHSFpY_sS7DGC5A{rq&vyumVt}AZU^2vOGg%@&ak`w66->C;z4iP8z zj~Gu}7nF2IbtCA6b%la#0FQGM{1&UgcWwrughojw)$|y&~VU=Wb zH>zYV<-XXqX||O!qgHa-pd!o{JtH;E$@QME4READ_6n73^1NU**C@lM6qc(Rs2X)E zT=pHBDv*@}1K%ccs4P8z$RSNZC+NAp(V|`P)rg6EqId;~-3(JYg`Su*qb;}qnS5`6 z;@9d=`K32wy(HdlJPpU(fTQQ9e$k{(^x*gs!F(d#JPXjIeYT|s3jsboS>Jk|se-8X z3MB?p$lm{|!$Gto@8`z1g|YwN?sm!`qyJoe3&EoBbZW10>)*lj_umt{4-7`|^?Ns{ zoe^t!WjO66F-6T>M)sOFKbq~-e1dv##{}_Pof6*_0!JtJLuTC0dp3@|Fkl49`WM0t zvRomYxSg0PF^UUMS$BKWxS`M>JR}2NX+f3Jt^g~@D#*#GlUj5<1^nH`(081xLYh&2 z*k<(Rh#je4^*jB=&DeHuflA$e-BV6u`mn#~+O%+?jv(-4mOQX8;L0)GFeQ&R5bXdC zeHGrDLMU#Le9-j}OWTAtmJ%)BcRNDzaNdj=o-PN!Vw4PAcmD;6 zBkQ+UW(D!|hN4W`wU zlh*w}5o+9J(-8v@L0a)kzE0dmx0cf40U-@*xquTYL?H5&2RgG&cCI-i%dG}yd;C9) zMeCq<$6dwgpEyUm?Pe2#-ISFIx4bNF%in*Ip$S1`&;MrmJLjuY9ca5A5A_IX3~9s< zF8>@DuB45PdslnE=;1@+-YF*d^?V`Gtw0D|dj4+&KdQAE?m2~KSA7Eo z#W~lVMPaVn=}rh>G}bVp316j}A;cSJbzP)$=XigL1S4sM7%xDPldS68JC zUIkx@Nwv9g&!>yymHu(IOEU|kdHo^#=I7tu(Mv+x2fS#y9kr<2geqK>MV)g!kRm-r z!evcqlS7dmMnW&3SU2i>Im!EuIx#Py=I17x_VmOYwlWfkEBkd{Gb-i5_u&ObR%qdM zNj>(tVR1s9U!UFY1w3Pk-5x|K&s;Q7g(SLL+df-=T8#G_nl}_}Qs;i2ax~U1yWu!Y zRvEo__Vkne4r@l(^6q`Xbb$C?R}Ym}*x5~Lb7M51h?TCkrT!K=BJ|tb$vj>Ezya2X z`$FJouUx<4aviad<81K=Yu<4@VDz}&X2M0#K~THwtU@vSv$efP=mWI^p-f!B$uGw_ zx|u#9gJ3s$-k(<>aEmvh)>y@UN*B=XvVQbguWb0R+gtT3A8IMKLTfRnxw&KH1{PRu zTye4dI^_4^crtH^G&!oAmJGU$Xc+B^(-UkF%reYHDj^fP-fGTh9l6oiPUqUZEpUnd z!{t&F-0+0JB3VM9y_-$E0Pkej)By)FY+7t#2|?-r*GJ1USup!YMB`*LsqExxFe?x7 zNq(oU(*r6vk(SyZ?+)TMKJS9lKngjJD&3KY**`Cq3GZr8;?-Y!SS|lx zXagq~j(^m!jOELdiVx9%?blZM@);fY%vvIb{&m5#A=hYpBo z{$*UVKF`~&lvnS6qw!jj!`xUq`(&agdd{-yI-_FG&XQH|!t@iw_pgjo@_b>%aGsQ? 
zQQRuWS-$@JJsRVes0a17F?Vc-**g=ypv0n+pHU=km8Vbit(BZVSYF-$4MdM-gO1%i ze9FZS!6W{tlbrm8<$lTOooKRbnW0N;Pxcj0+7Pdsv6O7l4KMi=Od6C`Ql)i4?(iHijtu(m zLZ{P+cvED06*ywHZTzGC#)E(0Uj2l1f^H|xy&iMUgM|fO`-c+HzB?AB^A^fRr9j7= z`YI1)v^_`fEIg0#js2cXJtA7WE8!)?lWa+;CGjwAUgd8y;G?|fd93;Py{<%ruMyvmx>ItZJ*q1#jY_f4@5RCl&(X=>v<;yJ|077 zhw&ou2*1LzsQ=D{^`z@>K;${J){H-ICMI(1^@1?|Qct=7>6g2xzlo*SbrC?$@{fNZhg<5_ei4-!JT`yy^s13-NY$UshHz_d54@Oq)xbE zUr=zlFs-?p55JhBX!Xe)t-`V}icj)eP&|9bN+fDSb9XG3NKgLjP6;iGQ)We@a-WyS z-t5f8>b-$W4s@mCC*|B0yiD|WlKTNI+ZE}$Z$Y1trxz3T&D~0sJbPYt51yDjTR2Fz zxK7-Y$&15%T9?Ogol@tZL6R8c*7*EJo(tt-2d5AD?4vq0@m%kr+wP^(oVrc|P>@UZ z8|MTc-O0wDqtjJsgE=a@J@3zM4-oy_FQxJpvZm=924MQxgrc1&R5Obr4AdJR7Th^s zHg%4CtCPct!H-VUbdVQxSD@{%m8!sxA9cHsR%)z+@9^i=JEWI!xnl>!FWtuygT8Ei zKeBCKfYQK)Xo3~-l28|lE_lJj5(6zLR`927zsgS9{by3*#f|bO`^ZteX>qqr*yNxHpp>y{24JCa*WO<1FZqWnt*ME*}i@ zl}J`egs)h;o{>RsNx|Z`-sXfsGg01S6V9XN<8Ucf{5?loaolu_zPViO3$c?vHyJed zI$ns6+||8&GW5&;Fgbtz=nF&CvVF@t*lxXz4GtC&n!_W*;>^jGKIa`GY0iE~?&Q{RZOT$ZVt;p0^H){kO=XAlnK4_n=i7zSk$(q~b58%zWC z;nlF|y>|2tD{=%)3C>6kEN2+&i2HmU{wGdUxJ&Dlky(4Syg>uDf6e~?98J$BT&~VQ zYTFS|^y?rzwX2k_tA(knCBM0| Date: Mon, 27 Sep 2021 07:40:12 +0100 Subject: [PATCH 31/52] Bumped binary and provider versions --- terraform/variables.tf | 10 +++++----- terraform/versions.tf | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index abefbd8..3bf4371 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -20,7 +20,7 @@ variable "kubernetes_version" { # helm repo update # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "4.0.1" + default = "4.0.3" } # https://hub.helm.sh/charts/jetstack/cert-manager @@ -33,7 +33,7 @@ variable "cert_manager_chart_version" { # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.23.8" + default = "2.23.9" } # https://hub.docker.com/r/velero/velero/tags 
@@ -43,7 +43,7 @@ variable "velero_image_tag" { # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.34.0" + default = "3.34.1" } # https://github.com/adamrushuk/charts/releases @@ -71,7 +71,7 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "5.4.7" + default = "5.4.8" } # https://github.com/weaveworks/kured/tree/master/charts/kured @@ -90,7 +90,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.18.0" + default = "3.21.0" } # https://hub.docker.com/r/argoproj/argocd/tags diff --git a/terraform/versions.tf b/terraform/versions.tf index 4f2e7b5..3e1d389 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,13 +23,13 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.77.0" + version = "~> 2.78.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.3.0" + version = "~> 2.4.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases From 5e0b972add9a08e9316427de44b91b321f1a865b Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 27 Sep 2021 07:59:11 +0100 Subject: [PATCH 32/52] Changed AKS version to v1.20.9 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 3bf4371..5f2b4b6 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -6,7 +6,7 @@ # https://github.com/Azure/AKS/releases # az aks get-versions --location eastus --output table variable "kubernetes_version" { - default = "1.19.11" + default = "1.20.9" } # Helm charts From 83d2fbd83a4b3e5a1cd39bb4711a051675f3a5b0 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 27 Sep 2021 08:23:43 +0100 Subject: [PATCH 33/52] Bumped terraform and tflint --- .github/workflows/build.yml | 6 +++--- .github/workflows/destroy.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index de2a504..8e0116c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -61,12 +61,12 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.6" + TF_VERSION: "1.0.7" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases - TFLINT_RULESET_AZURERM_VERSION: "v0.13.0" + TFLINT_RULESET_AZURERM_VERSION: "v0.13.1" # https://github.com/terraform-linters/tflint/releases - TFLINT_VERSION: "v0.32.0" + TFLINT_VERSION: "v0.32.1" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index f1e8884..1de3216 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -55,7 +55,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.6" + TF_VERSION: "1.0.7" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: From 580ec4f232d367e7927c66ca53bc20ff4b17f6cd Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Mon, 27 Sep 2021 09:56:29 +0100 Subject: [PATCH 34/52] Changed aks back to v1.19.11, bumped aks module to v0.11.0 --- terraform/aks.tf | 2 +- terraform/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/aks.tf b/terraform/aks.tf index e1b012b..42b9d78 100644 --- a/terraform/aks.tf +++ b/terraform/aks.tf @@ -54,7 +54,7 @@ resource "azurerm_log_analytics_solution" "aks" { # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest module "aks" { source = "adamrushuk/aks/azurerm" - version = "~> 0.10.0" + version = "~> 0.11.0" kubernetes_version = var.kubernetes_version location = azurerm_resource_group.aks.location diff --git a/terraform/variables.tf b/terraform/variables.tf index 5f2b4b6..3bf4371 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -6,7 +6,7 @@ # https://github.com/Azure/AKS/releases # az aks get-versions --location eastus --output table variable "kubernetes_version" { - default = "1.20.9" + default = "1.19.11" } # Helm charts From 20098b8811b228736e9097e11dd10ee5965f5106 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Mon, 27 Sep 2021 10:15:59 +0100 Subject: [PATCH 35/52] Changed AKS version to v1.20.9 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 3bf4371..5f2b4b6 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -6,7 +6,7 @@ # https://github.com/Azure/AKS/releases # az aks get-versions --location eastus --output table variable "kubernetes_version" { - default = "1.19.11" + default = "1.20.9" } # Helm charts From 20f64df3046ce62d4f88abcf07498df4a9001239 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Thu, 30 Sep 2021 08:45:39 +0100 Subject: [PATCH 36/52] Bumped binary versions --- .github/workflows/build.yml | 2 +- .github/workflows/destroy.yml | 2 +- terraform/files/scripts/argocd_config.sh | 3 ++- terraform/variables.tf | 6 +++--- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8e0116c..db3c11c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -61,7 +61,7 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.7" + TF_VERSION: "1.0.8" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases TFLINT_RULESET_AZURERM_VERSION: "v0.13.1" diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 1de3216..4e1f5a3 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -55,7 +55,7 @@ env: TF_LOG_PATH: terraform.log TF_LOG: TRACE # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.7" + TF_VERSION: "1.0.8" TF_WORKING_DIR: terraform # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index fc361bf..bf2c005 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -18,7 +18,8 @@ export ARGOCD_OPTS="--grpc-web" ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install -VERSION="v2.1.2" +# https://github.com/argoproj/argo-cd/releases/ +VERSION="v2.1.3" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" diff --git a/terraform/variables.tf b/terraform/variables.tf index 5f2b4b6..bea4f52 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
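Review bot: The argocd CLI download in the argocd_config.sh hunk has no integrity check: `curl -sSL -o "$ARGOCD_PATH" …` is followed directly by `chmod +x`, so whatever the release URL returns becomes the executable. Adding `-f` (`curl -fsSL -o "$ARGOCD_PATH" …`) stops an HTTP error page from being saved as the binary. A pinned digest check before the `chmod`, such as `echo "<EXPECTED_SHA256>  $ARGOCD_PATH" | sha256sum -c -`, would tie each `VERSION` bump to a reviewed hash. The same download line appears unchanged in the later argocd_config.sh hunks of patches 47 and 50, and the script continues outside the hunk.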
@@ -90,13 +90,13 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.21.0" + default = "3.21.1" } # https://hub.docker.com/r/argoproj/argocd/tags -# * also update cli version: terraform/files/scripts/argocd_config.sh#L21 +# * also update cli version: terraform/files/scripts/argocd_config.sh#L22 variable "argocd_image_tag" { - default = "v2.1.2" + default = "v2.1.3" } #endregion Versions From 7017029580dec477f4ca924d644be5284c637a73 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 30 Sep 2021 08:47:34 +0100 Subject: [PATCH 37/52] Added azuread_application_published_app_ids data resource --- terraform/argocd_sso.tf | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 65c025f..48ede6b 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -2,6 +2,14 @@ # # https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/#azure-ad-app-registration-auth-using-oidc +# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids +data "azuread_application_published_app_ids" "well_known" {} + +resource "azuread_service_principal" "msgraph" { + application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph + use_existing = true +} + # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application resource "azuread_application" "argocd" { display_name = var.argocd_app_reg_name 
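Review bot: `use_existing = true` on `azuread_service_principal.msgraph` in the argocd_sso.tf hunk puts the tenant's existing Microsoft Graph service principal into this configuration's state, and nothing records what happens to it when the repository's destroy workflow runs. As far as I can tell an adopted service principal is treated like any other managed resource on destroy, which would reach beyond this project; please confirm against the provider documentation. If that is the case, consider whether the scope ids can be read from a data source instead of a managed resource. A comment such as `# adopted via use_existing - verify destroy behaviour before running destroy.yml` would at least record the caveat.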
@@ -24,13 +32,26 @@ resource "azuread_application" "argocd" { # reference: https://github.com/mjisaak/azure-active-directory/blob/master/README.md#well-known-appids required_resource_access { # Microsoft Graph - resource_app_id = "00000003-0000-0000-c000-000000000000" + resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph - # User.Read - e1fe6dd8-ba31-4d61-89e7-88639da4683d - Sign in and read user profile + # TODO: cleanup comments + # # User.Read - e1fe6dd8-ba31-4d61-89e7-88639da4683d - Sign in and read user profile + # resource_access { + # id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" + # type = "Scope" + # } + + # Oauth2Permissions are delegated permissions, type=Scope resource_access { - id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" + id = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"] type = "Scope" } + + # # application permissions, type=Role + # resource_access { + # id = azuread_service_principal.msgraph.app_role_ids["User.Read.All"] + # type = "Role" + # } } optional_claims { From e711f53d1d82396135311abe6341842042857779 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 5 Oct 2021 07:34:59 +0100 Subject: [PATCH 38/52] Remove old code --- terraform/argocd_sso.tf | 7 ------- 1 file changed, 7 deletions(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 48ede6b..6476660 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -34,13 +34,6 @@ resource "azuread_application" "argocd" { # Microsoft Graph resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph - # TODO: cleanup comments - # # User.Read - e1fe6dd8-ba31-4d61-89e7-88639da4683d - Sign in and read user profile - # resource_access { - # id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" - # type = "Scope" - # } - # Oauth2Permissions are delegated permissions, type=Scope resource_access { id = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"] 
From 09907670fafa53dbbee6af20db1cf7c7db958451 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 5 Oct 2021 07:35:13 +0100 Subject: [PATCH 39/52] Bumped binary and provider versions --- terraform/helm/velero_default_values.yaml | 6 +++++- terraform/variables.tf | 8 ++++---- terraform/versions.tf | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/terraform/helm/velero_default_values.yaml b/terraform/helm/velero_default_values.yaml index 1e5d651..edc9e94 100644 --- a/terraform/helm/velero_default_values.yaml +++ b/terraform/helm/velero_default_values.yaml @@ -1,4 +1,4 @@ -# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.23.6/charts/velero/values.yaml +# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.23.12/charts/velero/values.yaml ## ## Configuration settings that directly affect the Velero deployment YAML. @@ -124,6 +124,10 @@ kubectl: # digest: # kubectl image tag. If used, it will take precedence over the cluster Kubernetes version. # tag: 1.16.15 + # Resource requests/limits to specify for the upgrade/cleanup job. Optional + resources: {} + # Resource requests/limits to specify for the initContainer in the upgrade/cleanup job. Optional + initResources: {} # Annotations to set for the upgrade/cleanup job. Optional. annotations: {} # Labels to set for the upgrade/cleanup job. Optional. diff --git a/terraform/variables.tf b/terraform/variables.tf index bea4f52..f1c75a1 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -20,7 +20,7 @@ variable "kubernetes_version" { # helm repo update # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "4.0.3" + default = "4.0.5" } # https://hub.helm.sh/charts/jetstack/cert-manager 
@@ -33,12 +33,12 @@ variable "cert_manager_chart_version" { # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.23.9" + default = "2.23.12" } # https://hub.docker.com/r/velero/velero/tags variable "velero_image_tag" { - default = "v1.6.3" + default = "v1.7.0" } # https://hub.docker.com/r/sonatype/nexus3/tags @@ -90,7 +90,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.21.1" + default = "3.23.0" } # https://hub.docker.com/r/argoproj/argocd/tags diff --git a/terraform/versions.tf b/terraform/versions.tf index 3e1d389..3e6d152 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,13 +23,13 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.78.0" + version = "~> 2.79.1" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.4.0" + version = "~> 2.5.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases From b6b71e57669101f8a814861fb8cc2a7dcbcfbbee Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 5 Oct 2021 08:45:10 +0100 Subject: [PATCH 40/52] Revert azuread to v2.4.0 --- terraform/versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index 3e6d152..d9a840b 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -29,7 +29,7 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.5.0" + version = "~> 2.4.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases From f4a89f02f6475a4a37d0d76d1fde56577843d9a5 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Tue, 5 Oct 2021 08:48:07 +0100 Subject: [PATCH 41/52] Added temp fix using manicminer/azuread --- terraform/versions.tf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/terraform/versions.tf b/terraform/versions.tf index d9a840b..f5f127b 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -28,8 +28,10 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { - source = "hashicorp/azuread" - version = "~> 2.4.0" + # source = "hashicorp/azuread" + # version = "~> 2.5.0" + source = "manicminer/azuread" + version = "~> 12.1.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases From 4208a08660704f6eb19b6ecb5b15081a5b24ef72 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 8 Oct 2021 07:16:34 +0100 Subject: [PATCH 42/52] Added azuread fix in v2.6.0 --- terraform/variables.tf | 4 ++-- terraform/versions.tf | 8 +++----- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index f1c75a1..a70c119 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -71,7 +71,7 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "5.4.8" + default = "5.4.10" } # https://github.com/weaveworks/kured/tree/master/charts/kured @@ -90,7 +90,7 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.23.0" + default = "3.24.0" } # https://hub.docker.com/r/argoproj/argocd/tags diff --git a/terraform/versions.tf b/terraform/versions.tf index f5f127b..fa25787 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf 
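Review bot: The azuread provider requirement in the patch 41 versions.tf hunk now resolves to `manicminer/azuread`, a build published under a personal registry namespace, and that plugin runs with the same Azure AD credentials as the official provider. The old source is left as commented-out lines, but nothing records why the swap is needed or when to revert; a comment such as `# TEMP: <ISSUE_URL> - revert to hashicorp/azuread once fixed` would make that reviewable. `~> 12.1.0` still accepts any later 12.1.x release, so an exact `version = "12.1.0"` plus a committed `.terraform.lock.hcl` (if the repository keeps one) would limit what can be pulled while the workaround is in place. The enclosing `terraform` block starts and ends outside the hunk.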
@@ -23,15 +23,13 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.79.1" + version = "~> 2.80.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { - # source = "hashicorp/azuread" - # version = "~> 2.5.0" - source = "manicminer/azuread" - version = "~> 12.1.0" + source = "hashicorp/azuread" + version = "~> 2.6.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases From 0a0f8ad42b30239658deece865d9a7a432b29b5f Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 12 Oct 2021 08:15:11 +0100 Subject: [PATCH 43/52] Bumped binary / provider versions --- terraform/variables.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index a70c119..92e695f 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -26,7 +26,7 @@ variable "nginx_chart_version" { # https://hub.helm.sh/charts/jetstack/cert-manager # helm search repo jetstack/cert-manager variable "cert_manager_chart_version" { - default = "v1.5.3" + default = "v1.5.4" } # https://github.com/vmware-tanzu/helm-charts/releases @@ -64,7 +64,7 @@ variable "akv2k8s_chart_version" { # https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4 # helm search repo aad-pod-identity/aad-pod-identity variable "aad_pod_identity_chart_version" { - default = "4.1.5" + default = "4.1.6" } # https://bitnami.com/stack/external-dns/helm @@ -77,12 +77,12 @@ variable "external_dns_chart_version" { # https://github.com/weaveworks/kured/tree/master/charts/kured # helm search repo kured/kured variable "kured_chart_version" { - default = "2.9.1" + default = "2.10.0" } # https://github.com/weaveworks/kured#kubernetes--os-compatibility variable "kured_image_tag" { - default = "1.7.0" + default = "1.8.0" } 
From 24762b4c401dfa2e3a1721a349b7ded7de7204b1 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 12 Oct 2021 08:38:31 +0100 Subject: [PATCH 44/52] Revert external-dns to v5.4.8 --- terraform/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 92e695f..a38838e 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -71,7 +71,7 @@ variable "aad_pod_identity_chart_version" { # https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21 # helm search repo bitnami/external-dns variable "external_dns_chart_version" { - default = "5.4.10" + default = "5.4.8" } # https://github.com/weaveworks/kured/tree/master/charts/kured From 6cbfe5ad3bfcad88ef7649ae7c56af969aa2fa3d Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Tue, 12 Oct 2021 08:57:57 +0100 Subject: [PATCH 45/52] Reverted velero to v1.6.3 --- terraform/variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index a38838e..53d8292 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -33,12 +33,12 @@ variable "cert_manager_chart_version" { # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.23.12" + default = "2.23.9" } # https://hub.docker.com/r/velero/velero/tags variable "velero_image_tag" { - default = "v1.7.0" + default = "v1.6.3" } # https://hub.docker.com/r/sonatype/nexus3/tags From 4b140f2887585bac2d4beb8bcc34b611658b6769 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 21 Oct 2021 07:59:47 +0100 Subject: [PATCH 46/52] Bumped binary / provider versions --- terraform/variables.tf | 12 ++++++------ terraform/versions.tf | 6 +++--- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/terraform/variables.tf b/terraform/variables.tf index 53d8292..7ede2ab 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -20,7 +20,7 @@ variable "kubernetes_version" { # helm repo update # helm search repo ingress-nginx/ingress-nginx variable "nginx_chart_version" { - default = "4.0.5" + default = "4.0.6" } # https://hub.helm.sh/charts/jetstack/cert-manager @@ -33,17 +33,17 @@ variable "cert_manager_chart_version" { # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.23.9" + default = "2.24.0" } # https://hub.docker.com/r/velero/velero/tags variable "velero_image_tag" { - default = "v1.6.3" + default = "v1.7.0" } # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.34.1" + default = "3.35.0" } # https://github.com/adamrushuk/charts/releases @@ -90,13 +90,13 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.24.0" + default = "3.26.1" } # https://hub.docker.com/r/argoproj/argocd/tags # * also update cli version: terraform/files/scripts/argocd_config.sh#L22 variable "argocd_image_tag" { - default = "v2.1.3" + default = "v2.1.5" } #endregion Versions diff --git a/terraform/versions.tf b/terraform/versions.tf index fa25787..3bf7b6f 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,19 +23,19 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.80.0" + version = "~> 2.81.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.6.0" + version = "~> 2.7.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.5.0" + version = "~> 2.6.0" } # https://github.com/hashicorp/terraform-provider-helm/releases 
From a19bb40d299213f196585c45ea54262ccfb02a00 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 21 Oct 2021 08:00:04 +0100 Subject: [PATCH 47/52] Removed grpc-web default option --- terraform/files/scripts/argocd_config.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index bf2c005..07fca2f 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -14,12 +14,12 @@ trap "echo 'error: Script failed: see failed command above'" ERR # Vars ARGOCD_PATH="./argocd" REPO_SSH_PRIVATE_KEY_PATH="./id_ed25519_argocd" -export ARGOCD_OPTS="--grpc-web" +# export ARGOCD_OPTS="--grpc-web" ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install # https://github.com/argoproj/argo-cd/releases/ -VERSION="v2.1.3" +VERSION="v2.1.5" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" From f29a9bf08b152e0fe6b2217d5bb5d93f63231204 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Thu, 21 Oct 2021 08:17:16 +0100 Subject: [PATCH 48/52] Added grpc-web default option --- terraform/files/scripts/argocd_config.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index 07fca2f..75eb7e0 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -14,7 +14,7 @@ trap "echo 'error: Script failed: see failed command above'" ERR # Vars ARGOCD_PATH="./argocd" REPO_SSH_PRIVATE_KEY_PATH="./id_ed25519_argocd" -# export ARGOCD_OPTS="--grpc-web" +export ARGOCD_OPTS="--grpc-web" ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install From 85129357cf218d6c1c531b041fa6ab37af855de1 Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Thu, 21 Oct 2021 08:43:48 +0100 Subject: [PATCH 49/52] Fixed app reg HostNameNotOnVerifiedDomain error --- terraform/argocd_sso.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 6476660..980ec77 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -13,7 +13,7 @@ resource "azuread_service_principal" "msgraph" { # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application resource "azuread_application" "argocd" { display_name = var.argocd_app_reg_name - identifier_uris = ["https://${var.argocd_app_reg_name}"] + identifier_uris = ["https://${var.argocd_fqdn}"] sign_in_audience = "AzureADMyOrg" group_membership_claims = ["All"] prevent_duplicate_names = true From 1efff524fca56d5bf0a16ee4415bbd4bca4304f8 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 29 Oct 2021 07:13:03 +0100 Subject: [PATCH 50/52] Bumped binary / provider versions --- .github/workflows/build.yml | 6 +++--- terraform/files/scripts/argocd_config.sh | 2 +- terraform/variables.tf | 8 ++++---- terraform/versions.tf | 6 +++--- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index db3c11c..46ea5eb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
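Review bot: `group_membership_claims = ["All"]`, two lines below the changed `identifier_uris` in the argocd_sso.tf hunk, makes Azure AD emit security groups, distribution groups and directory roles in the tokens issued for Argo CD. That is broader than group-to-role mapping usually needs. If only security groups are mapped, `group_membership_claims = ["SecurityGroup"]` narrows what each token discloses; which groups the Argo CD RBAC config references is not visible here, so confirm before changing. The `azuread_application` resource continues outside the hunk.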
@@ -61,12 +61,12 @@ env: TF_INPUT: "false" TF_PLAN: "tfplan" # https://github.com/hashicorp/terraform/releases - TF_VERSION: "1.0.8" + TF_VERSION: "1.0.10" TF_WORKING_DIR: ./terraform # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases - TFLINT_RULESET_AZURERM_VERSION: "v0.13.1" + TFLINT_RULESET_AZURERM_VERSION: "v0.13.2" # https://github.com/terraform-linters/tflint/releases - TFLINT_VERSION: "v0.32.1" + TFLINT_VERSION: "v0.33.0" # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below: # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489 diff --git a/terraform/files/scripts/argocd_config.sh b/terraform/files/scripts/argocd_config.sh index 75eb7e0..fb2d72c 100644 --- a/terraform/files/scripts/argocd_config.sh +++ b/terraform/files/scripts/argocd_config.sh @@ -19,7 +19,7 @@ ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz" # Install # https://github.com/argoproj/argo-cd/releases/ -VERSION="v2.1.5" +VERSION="v2.1.6" curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64" chmod +x "$ARGOCD_PATH" diff --git a/terraform/variables.tf b/terraform/variables.tf index 7ede2ab..3ebd3fa 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -33,7 +33,7 @@ variable "cert_manager_chart_version" { # helm search repo vmware-tanzu/velero # * also update terraform/helm/velero_values.yaml variable "velero_chart_version" { - default = "2.24.0" + default = "2.26.1" } # https://hub.docker.com/r/velero/velero/tags @@ -43,7 +43,7 @@ variable "velero_image_tag" { # https://hub.docker.com/r/sonatype/nexus3/tags variable "nexus_image_tag" { - default = "3.35.0" + default = "3.36.0" } # https://github.com/adamrushuk/charts/releases 
@@ -90,13 +90,13 @@ variable "kured_image_tag" { # https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5 # helm search repo argo/argo-cd variable "argocd_chart_version" { - default = "3.26.1" + default = "3.26.3" } # https://hub.docker.com/r/argoproj/argocd/tags # * also update cli version: terraform/files/scripts/argocd_config.sh#L22 variable "argocd_image_tag" { - default = "v2.1.5" + default = "v2.1.6" } #endregion Versions diff --git a/terraform/versions.tf b/terraform/versions.tf index 3bf7b6f..499e410 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -23,19 +23,19 @@ terraform { # https://github.com/terraform-providers/terraform-provider-azurerm/releases azurerm = { source = "hashicorp/azurerm" - version = "~> 2.81.0" + version = "~> 2.83.0" } # https://github.com/terraform-providers/terraform-provider-azuread/releases azuread = { source = "hashicorp/azuread" - version = "~> 2.7.0" + version = "~> 2.8.0" } # https://github.com/hashicorp/terraform-provider-kubernetes/releases kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.6.0" + version = "~> 2.6.1" } # https://github.com/hashicorp/terraform-provider-helm/releases From ea08d3b726f6bd3049731e2466e10dd928a4f5b7 Mon Sep 17 00:00:00 2001 From: Adam Rush Date: Fri, 29 Oct 2021 07:32:13 +0100 Subject: [PATCH 51/52] Added latest velero default values --- terraform/helm/velero_default_values.yaml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/terraform/helm/velero_default_values.yaml b/terraform/helm/velero_default_values.yaml index edc9e94..8bd33d5 100644 --- a/terraform/helm/velero_default_values.yaml +++ b/terraform/helm/velero_default_values.yaml 
@@ -1,4 +1,4 @@ -# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.23.12/charts/velero/values.yaml +# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.26.1/charts/velero/values.yaml ## ## Configuration settings that directly affect the Velero deployment YAML. @@ -8,7 +8,7 @@ # enabling restic). Required. image: repository: velero/velero - tag: v1.6.3 + tag: v1.7.0 # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. # If used, it will take precedence over the image.tag. # digest: @@ -54,7 +54,7 @@ dnsPolicy: ClusterFirst # Init containers to add to the Velero deployment's pod spec. At least one plugin provider image is required. initContainers: [] # - name: velero-plugin-for-aws - # image: velero/velero-plugin-for-aws:v1.2.0 + # image: velero/velero-plugin-for-aws:v1.3.0 # imagePullPolicy: IfNotPresent # volumeMounts: # - mountPath: /target @@ -126,8 +126,6 @@ kubectl: # tag: 1.16.15 # Resource requests/limits to specify for the upgrade/cleanup job. Optional resources: {} - # Resource requests/limits to specify for the initContainer in the upgrade/cleanup job. Optional - initResources: {} # Annotations to set for the upgrade/cleanup job. Optional. annotations: {} # Labels to set for the upgrade/cleanup job. Optional. @@ -330,6 +328,11 @@ restic: # labels to set for the Restic daemonset. Optional. labels: {} + # will map /scratch to emptyDir. Set to false and specify your own volume + # via extraVolumes and extraVolumeMounts that maps to /scratch + # if you don't want to use emptyDir. + useScratchEmptyDir: true + # Extra volumes for the Restic daemonset. Optional. extraVolumes: [] @@ -379,7 +382,7 @@ schedules: {} # velero.io/plugin-config: "" # velero.io/restic: RestoreItemAction # data: -# image: velero/velero-restic-restore-helper:v1.6.3 +# image: velero/velero-restic-restore-helper:v1.7.0 configMaps: {} ## From c4095118ea4bc470daf0750724a0af8267e5d7bb Mon Sep 17 00:00:00 2001 
From: Adam Rush Date: Fri, 29 Oct 2021 07:47:39 +0100 Subject: [PATCH 52/52] Removed extraneous depends_on --- terraform/argocd_sso.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/argocd_sso.tf b/terraform/argocd_sso.tf index 980ec77..1795316 100644 --- a/terraform/argocd_sso.tf +++ b/terraform/argocd_sso.tf @@ -40,6 +40,7 @@ resource "azuread_application" "argocd" { type = "Scope" } + # ? keeping for future reference # # application permissions, type=Role # resource_access { # id = azuread_service_principal.msgraph.app_role_ids["User.Read.All"] @@ -80,7 +81,6 @@ resource "azuread_application_password" "argocd" { application_object_id = azuread_application.argocd.id display_name = "argocd_secret" end_date = "2099-01-01T01:02:03Z" - # depends_on = [azuread_service_principal.argocd] # TODO: is this still required? } data "azurerm_client_config" "current" {}
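Review bot: `end_date = "2099-01-01T01:02:03Z"` on `azuread_application_password.argocd`, in the second argocd_sso.tf hunk, leaves the client secret effectively non-expiring, so a leaked value stays usable until someone rotates it by hand. A bounded lifetime such as `end_date_relative = "4320h"` (constructed example value) in place of `end_date`, with a scheduled re-apply to renew it, keeps the exposure window short. The secret value also ends up in Terraform state, so access to the state backend should be restricted accordingly.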