diff --git a/README.md b/README.md
index 7f3f0c9..6a694b2 100644
--- a/README.md
+++ b/README.md
@@ -21,4 +21,6 @@ target cluster and the deployment is defined externally. You can configure the r
 give a first impression how kluctl and Helm work together.
 4. [microservices-demo](microservices-demo): This example is a more complex one and contains the files for the [microservices tutorial](https://kluctl.io/docs/guides/tutorials/microservices-demo/) inspired by the
-[Google Online Boutique Demo](https://github.com/GoogleCloudPlatform/microservices-demo).
\ No newline at end of file
+[Google Online Boutique Demo](https://github.com/GoogleCloudPlatform/microservices-demo).
+5. [namespace-separation-with-file-secrets](namespace-separation-with-file-secrets): This example shows a separation
+to different dynamic namespaces and variables loaded for the corresponding environment.
diff --git a/namespace-separation-with-file-secrets/.kluctl.yml b/namespace-separation-with-file-secrets/.kluctl.yml
new file mode 100644
index 0000000..b2fe93e
--- /dev/null
+++ b/namespace-separation-with-file-secrets/.kluctl.yml
@@ -0,0 +1,26 @@
+targets:
+ - name: dev
+ context: kind-kind
+ args:
+ environment: dev
+ sealingConfig:
+ secretSets:
+ - dev
+ - name: test
+ context: kind-kind
+ args:
+ environment: test
+ sealingConfig:
+ secretSets:
+ - test
+
+secretsConfig:
+ sealedSecrets:
+ namespace: kube-system
+ secretSets:
+ - name: dev
+ vars:
+ - file: .secrets-dev.yaml
+ - name: test
+ vars:
+ - file: .secrets-test.yaml
diff --git a/namespace-separation-with-file-secrets/.secrets-dev.yaml b/namespace-separation-with-file-secrets/.secrets-dev.yaml
new file mode 100644
index 0000000..1cc7f75
--- /dev/null
+++ b/namespace-separation-with-file-secrets/.secrets-dev.yaml
@@ -0,0 +1,4 @@
+secrets:
+ mongo:
+ username: admin
+ password: password
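Review bot: `.secrets-dev.yaml` and `.secrets-test.yaml`, referenced here under `secretsConfig.secretSets`, are committed in this same commit with literal credentials (`admin`/`password` in the `.secrets-dev.yaml` hunk, `mongo`/`mongo` in the `.secrets-test.yaml` hunk on the next line), even though the `.secrets-template.yaml` with `NOT-SET` placeholders suggests the per-environment files are meant to stay out of version control. If these values are deliberately dummies for the example, say so where they are wired in, e.g. `- file: .secrets-dev.yaml  # example-only values; keep real per-env files untracked`, and add a `.gitignore` rule for the non-template `.secrets-*.yaml` files so the example does not demonstrate the opposite of its own pattern. Whatever is chosen, a reader copying this layout currently ends up with plaintext database credentials in git history.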
diff --git a/namespace-separation-with-file-secrets/.secrets-template.yaml b/namespace-separation-with-file-secrets/.secrets-template.yaml
new file mode 100644
index 0000000..4e2127e
--- /dev/null
+++ b/namespace-separation-with-file-secrets/.secrets-template.yaml
@@ -0,0 +1,4 @@
+secrets:
+ mongo:
+ username: NOT-SET
+ password: NOT-SET
diff --git a/namespace-separation-with-file-secrets/.secrets-test.yaml b/namespace-separation-with-file-secrets/.secrets-test.yaml
new file mode 100644
index 0000000..6f5d975
--- /dev/null
+++ b/namespace-separation-with-file-secrets/.secrets-test.yaml
@@ -0,0 +1,4 @@
+secrets:
+ mongo:
+ username: mongo
+ password: mongo
diff --git a/namespace-separation-with-file-secrets/deployment.yml b/namespace-separation-with-file-secrets/deployment.yml
new file mode 100644
index 0000000..6376ad5
--- /dev/null
+++ b/namespace-separation-with-file-secrets/deployment.yml
@@ -0,0 +1,18 @@
+deployments:
+ - path: namespaces
+ - barrier: true
+ - include: misc
+ - barrier: true
+ - include: persistency
+ - include: services
+
+commonLabels:
+ examples.kluctl.io/environment: "{{ args.environment }}"
+ examples.kluctl.io/deployment-project: namespace-separation-with-file-secrets
+
+vars:
+ - file: environments/common.yml
+ - file: environments/{{ args.environment }}.yml
+
+args:
+ - name: environment
diff --git a/namespace-separation-with-file-secrets/environments/common.yml b/namespace-separation-with-file-secrets/environments/common.yml
new file mode 100644
index 0000000..3cad4f0
--- /dev/null
+++ b/namespace-separation-with-file-secrets/environments/common.yml
@@ -0,0 +1,4 @@
+namespaces:
+ persistency: kluctl-examples-{{ args.environment }}-persistency
+ services: kluctl-examples-{{ args.environment }}-services
+ misc: kluctl-examples-{{ args.environment }}-misc
diff --git a/namespace-separation-with-file-secrets/environments/dev.yml b/namespace-separation-with-file-secrets/environments/dev.yml
new file mode 100644
index 0000000..c330a1e
--- /dev/null
+++ b/namespace-separation-with-file-secrets/environments/dev.yml
@@ -0,0 +1,2 @@
+scale:
+ nginx: 1
diff --git a/namespace-separation-with-file-secrets/environments/test.yml b/namespace-separation-with-file-secrets/environments/test.yml
new file mode 100644
index 0000000..46f55d1
--- /dev/null
+++ b/namespace-separation-with-file-secrets/environments/test.yml
@@ -0,0 +1,2 @@
+scale:
+ nginx: 2
diff --git a/namespace-separation-with-file-secrets/misc/deployment.yml b/namespace-separation-with-file-secrets/misc/deployment.yml
new file mode 100644
index 0000000..2ed7934
--- /dev/null
+++ b/namespace-separation-with-file-secrets/misc/deployment.yml
@@ -0,0 +1,4 @@
+deployments:
+ - path: sealed-secrets-operator
+
+overrideNamespace: kube-system
diff --git a/namespace-separation-with-file-secrets/misc/sealed-secrets-operator/helm-chart.yml b/namespace-separation-with-file-secrets/misc/sealed-secrets-operator/helm-chart.yml
new file mode 100644
index 0000000..9b92aed
--- /dev/null
+++ b/namespace-separation-with-file-secrets/misc/sealed-secrets-operator/helm-chart.yml
@@ -0,0 +1,6 @@
+helmChart:
+ repo: https://bitnami-labs.github.io/sealed-secrets
+ chartName: sealed-secrets
+ chartVersion: 2.1.6
+ releaseName: sealed-secrets-controller
+ output: deploy.yml
diff --git a/namespace-separation-with-file-secrets/misc/sealed-secrets-operator/helm-values.yml b/namespace-separation-with-file-secrets/misc/sealed-secrets-operator/helm-values.yml
new file mode 100644
index 0000000..8dfeb32
--- /dev/null
+++ b/namespace-separation-with-file-secrets/misc/sealed-secrets-operator/helm-values.yml
@@ -0,0 +1,22 @@
+podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ fsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
+
+containerSecurityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+
+resources:
+ limits:
+ cpu: 1
+ memory: 256Mi
+ requests:
+ cpu: 1
+ memory: 256Mi
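Review bot: `drop: - all` under `containerSecurityContext.capabilities` in `helm-values.yml` uses lowercase `all`; the Kubernetes documentation and the Pod Security `restricted` profile look for the literal `ALL`, and I would expect a lowercase value to be passed through as-is rather than recognised as the drop-everything wildcard, so the hardening may be silently weaker than it reads. Writing `- ALL` costs nothing and removes the doubt. The rest of the block (`runAsNonRoot`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false`, `RuntimeDefault` seccomp) matches what the restricted profile asks for.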
diff --git a/namespace-separation-with-file-secrets/misc/sealed-secrets-operator/kustomization.yml b/namespace-separation-with-file-secrets/misc/sealed-secrets-operator/kustomization.yml
new file mode 100644
index 0000000..b24bc32
--- /dev/null
+++ b/namespace-separation-with-file-secrets/misc/sealed-secrets-operator/kustomization.yml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - deploy.yml
diff --git a/namespace-separation-with-file-secrets/namespaces/kustomization.yml b/namespace-separation-with-file-secrets/namespaces/kustomization.yml
new file mode 100644
index 0000000..e1eb92f
--- /dev/null
+++ b/namespace-separation-with-file-secrets/namespaces/kustomization.yml
@@ -0,0 +1,2 @@
+resources:
+ - namespace.yml
diff --git a/namespace-separation-with-file-secrets/namespaces/namespace.yml b/namespace-separation-with-file-secrets/namespaces/namespace.yml
new file mode 100644
index 0000000..ea8b489
--- /dev/null
+++ b/namespace-separation-with-file-secrets/namespaces/namespace.yml
@@ -0,0 +1,7 @@
+{% for ns in namespaces.values() %}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ ns }}
+---
+{% endfor %}
diff --git a/namespace-separation-with-file-secrets/persistency/deployment.yml b/namespace-separation-with-file-secrets/persistency/deployment.yml
new file mode 100644
index 0000000..8ab57e2
--- /dev/null
+++ b/namespace-separation-with-file-secrets/persistency/deployment.yml
@@ -0,0 +1,7 @@
+deployments:
+ - path: mongodb
+
+commonLabels:
+ kluctl-example/environment: "{{ args.environment }}"
+
+overrideNamespace: {{ namespaces.persistency }}
diff --git a/namespace-separation-with-file-secrets/persistency/mongodb/db-secrets.yml.sealme b/namespace-separation-with-file-secrets/persistency/mongodb/db-secrets.yml.sealme
new file mode 100644
index 0000000..c59f628
--- /dev/null
+++ b/namespace-separation-with-file-secrets/persistency/mongodb/db-secrets.yml.sealme
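Review bot: `namespaces/kustomization.yml` omits the `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization` header that every other kustomization in this commit carries (the `misc/sealed-secrets-operator/kustomization.yml` hunk just above it is the model). Kustomize accepts the bare form, but next to its siblings the file reads as an oversight rather than a choice. Adding the two header lines keeps the example uniform.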
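Review bot: The `commonLabels` key in `persistency/deployment.yml` is `kluctl-example/environment`, while the top-level `deployment.yml` (previous line) labels the same value as `examples.kluctl.io/environment`, so objects end up carrying two differently-named labels for one fact and selecting by environment becomes awkward. The `services/deployment.yml` hunk two lines down repeats the `kluctl-example/environment` form. If the top-level `commonLabels` already propagates to included projects, as appears to be the intent here, the sub-project label can simply be dropped; otherwise align the key: `examples.kluctl.io/environment: "{{ args.environment }}"`.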
@@ -0,0 +1,8 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: db-secrets
+ namespace: {{ namespaces.persistency }}
+stringData:
+ DB_USERNAME: {{ secrets.mongo.username }}
+ DB_PASSWORD: {{ secrets.mongo.password }}
diff --git a/namespace-separation-with-file-secrets/persistency/mongodb/deploy.yml b/namespace-separation-with-file-secrets/persistency/mongodb/deploy.yml
new file mode 100644
index 0000000..f388626
--- /dev/null
+++ b/namespace-separation-with-file-secrets/persistency/mongodb/deploy.yml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mongodb-deployment
+ labels:
+ app: mongodb
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mongodb
+ template:
+ metadata:
+ labels:
+ app: mongodb
+ spec:
+ containers:
+ - name: mongodb
+ image: mongo:5
+ ports:
+ - containerPort: 27017
+ env:
+ - name: MONGO_INITDB_ROOT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: db-secrets
+ key: DB_USERNAME
+ optional: false
+ - name: MONGO_INITDB_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: db-secrets
+ key: DB_PASSWORD
+ optional: false
+
diff --git a/namespace-separation-with-file-secrets/persistency/mongodb/kustomization.yml b/namespace-separation-with-file-secrets/persistency/mongodb/kustomization.yml
new file mode 100644
index 0000000..7834ae2
--- /dev/null
+++ b/namespace-separation-with-file-secrets/persistency/mongodb/kustomization.yml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - db-secrets.yml
+ - deploy.yml
diff --git a/namespace-separation-with-file-secrets/services/deployment.yml b/namespace-separation-with-file-secrets/services/deployment.yml
new file mode 100644
index 0000000..a963d60
--- /dev/null
+++ b/namespace-separation-with-file-secrets/services/deployment.yml
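Review bot: `DB_USERNAME: {{ secrets.mongo.username }}` and `DB_PASSWORD: {{ secrets.mongo.password }}` in `db-secrets.yml.sealme` are rendered as unquoted plain scalars, so a credential that looks like a number or boolean is retyped by the YAML parser and one containing `: ` or ` #` breaks the document before sealing; since `stringData` only accepts strings, an all-digit password would fail validation outright. The values in `.secrets-dev.yaml` and `.secrets-test.yaml` happen to be plain words, but this template is what users copy with real secrets. Quote both, `DB_USERNAME: "{{ secrets.mongo.username }}"` and `DB_PASSWORD: "{{ secrets.mongo.password }}"`; a value containing `"` would still need escaping, so a JSON-encoding template filter, if kluctl's templating offers one, is the more robust form.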
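Review bot: `image: mongo:5` in `persistency/mongodb/deploy.yml` is a floating major tag written inline, whereas the other deployments in this commit (`echo-headers`, `ui`) resolve their image through `images.get_image(...)`; this pod will pull whatever `mongo:5` points to at the time, which loses the reproducibility the other two get and makes the example inconsistent. The container also has no `resources` and no `securityContext`, in contrast to the hardened values given to the sealed-secrets controller in `helm-values.yml`; for a database bootstrapped with root credentials from `db-secrets`, showing at least `allowPrivilegeEscalation: false` and a memory limit would be in keeping with the rest of the example. Using the same `images.get_image(...)` mechanism here, or at least a digest-pinned reference, would make the three deployments uniform.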
@@ -0,0 +1,11 @@
+deployments:
+ {% if args.environment == 'dev' %}
+ - path: ui
+ {% endif %}
+ - path: echo-headers
+ - path: nginx-helm
+
+commonLabels:
+ kluctl-example/environment: "{{ args.environment }}"
+
+overrideNamespace: {{ namespaces.services }}
diff --git a/namespace-separation-with-file-secrets/services/echo-headers/deploy.yml b/namespace-separation-with-file-secrets/services/echo-headers/deploy.yml
new file mode 100644
index 0000000..7bd7cf3
--- /dev/null
+++ b/namespace-separation-with-file-secrets/services/echo-headers/deploy.yml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: echo-headers-deployment
+ labels:
+ app: echo-headers
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: echo-headers
+ template:
+ metadata:
+ labels:
+ app: echo-headers
+ spec:
+ containers:
+ - name: echo-headers
+ image: "{{ images.get_image('mendhak/http-https-echo') }}"
+ ports:
+ - containerPort: 80
diff --git a/namespace-separation-with-file-secrets/services/echo-headers/kustomization.yml b/namespace-separation-with-file-secrets/services/echo-headers/kustomization.yml
new file mode 100644
index 0000000..b24bc32
--- /dev/null
+++ b/namespace-separation-with-file-secrets/services/echo-headers/kustomization.yml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - deploy.yml
diff --git a/namespace-separation-with-file-secrets/services/nginx-helm/helm-chart.yml b/namespace-separation-with-file-secrets/services/nginx-helm/helm-chart.yml
new file mode 100644
index 0000000..6f81903
--- /dev/null
+++ b/namespace-separation-with-file-secrets/services/nginx-helm/helm-chart.yml
@@ -0,0 +1,6 @@
+helmChart:
+ repo: https://charts.bitnami.com/bitnami
+ chartName: nginx
+ chartVersion: 11.1.5 #12.0.0
+ releaseName: nginx
+ output: deploy.yml
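Review bot: `chartVersion: 11.1.5 #12.0.0` in `services/nginx-helm/helm-chart.yml` carries a commented-out version with no explanation, so the next reader cannot tell whether 12.0.0 was tried and failed, is pending, or is simply stale; the comment also needs two spaces before `#` to satisfy yamllint. Either delete the trailer or state what it records, e.g. `chartVersion: 11.1.5  # TODO: bump to 12.0.0 (<reason>)`.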
diff --git a/namespace-separation-with-file-secrets/services/nginx-helm/helm-values.yml b/namespace-separation-with-file-secrets/services/nginx-helm/helm-values.yml
new file mode 100644
index 0000000..cfc1344
--- /dev/null
+++ b/namespace-separation-with-file-secrets/services/nginx-helm/helm-values.yml
@@ -0,0 +1,9 @@
+resources:
+limits:
+ cpu: 100m
+ memory: 128Mi
+requests:
+ cpu: 100m
+ memory: 128Mi
+
+replicaCount: {{ scale.nginx }}
diff --git a/namespace-separation-with-file-secrets/services/nginx-helm/kustomization.yml b/namespace-separation-with-file-secrets/services/nginx-helm/kustomization.yml
new file mode 100644
index 0000000..b24bc32
--- /dev/null
+++ b/namespace-separation-with-file-secrets/services/nginx-helm/kustomization.yml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - deploy.yml
diff --git a/namespace-separation-with-file-secrets/services/ui/deploy.yml b/namespace-separation-with-file-secrets/services/ui/deploy.yml
new file mode 100644
index 0000000..7f78a64
--- /dev/null
+++ b/namespace-separation-with-file-secrets/services/ui/deploy.yml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ui
+ labels:
+ app: ui
+spec:
+ replicas: {{ scale.nginx }}
+ selector:
+ matchLabels:
+ app: ui
+ template:
+ metadata:
+ labels:
+ app: ui
+ spec:
+ containers:
+ - name: nginx
+ image: "{{ images.get_image('nginx') }}"
+ ports:
+ - containerPort: 80
diff --git a/namespace-separation-with-file-secrets/services/ui/kustomization.yml b/namespace-separation-with-file-secrets/services/ui/kustomization.yml
new file mode 100644
index 0000000..4c846b2
--- /dev/null
+++ b/namespace-separation-with-file-secrets/services/ui/kustomization.yml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yml
+ - deploy.yml
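Review bot: In `services/nginx-helm/helm-values.yml`, `limits:` and `requests:` sit at column 0 instead of under `resources:` (as the hunk reads, unlike every other nested key in the commit), so `resources` renders as null and the two blocks become unknown top-level values that the bitnami nginx chart ignores; the pods run with no requests or limits even though the file appears to set them. The correctly nested block in `misc/sealed-secrets-operator/helm-values.yml` shows the intended shape. Indent both blocks under `resources`; `replicaCount` is unaffected.
```yaml
resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi
# … unchanged: replicaCount …
```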
diff --git a/namespace-separation-with-file-secrets/services/ui/namespace.yml b/namespace-separation-with-file-secrets/services/ui/namespace.yml
new file mode 100644
index 0000000..1b561a9
--- /dev/null
+++ b/namespace-separation-with-file-secrets/services/ui/namespace.yml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: "{{ args.environment }}"
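Review bot: This creates a `Namespace` named just `"{{ args.environment }}"` (in practice `dev`, since `services/deployment.yml` only includes `ui` for that environment), which matches none of the `kluctl-examples-<env>-*` names defined in `environments/common.yml` and is not where the `ui` deployment lands, as `services/deployment.yml` sets `overrideNamespace: {{ namespaces.services }}`. As far as the hunks show, the namespace is created and then never used, and it is a second namespace-creation path beside `namespaces/namespace.yml`, which is what the README entry describes. If it is not intentional, drop `namespace.yml` and its entry in `services/ui/kustomization.yml`; if it is, a comment explaining why `ui` needs a namespace of its own would save the next reader the same question.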