133 changes: 133 additions & 0 deletions clusters/staging/davidepa/apps.yaml
@@ -0,0 +1,133 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cloud-deployed-apps
namespace: argocd
spec:
destination:
namespace: argocd
server: https://kubernetes.default.svc
project: default
source:
repoURL: https://github.com/stfc/cloud-deployed-apps.git
targetRevision: david-epa-branch
path: clusters/staging/davidepa
syncPolicy:
automated:
prune: false
selfHeal: true
allowEmpty: true
syncOptions:
- CreateNamespace=true

---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: staging-david-epa-apps
namespace: argocd
spec:
goTemplate: true
goTemplateOptions: ["missingkey=invalid"]
generators:
- list:
elements:
- name: argocd
chartName: argocd

# NOTE: each chart needs a valuesFile for this to work
# so create one for each chart - even if its empty

# argocd and all dependencies use the same file "argocd-setup-values.yaml"
namespace: argocd
valuesFile: ../../../clusters/staging/davidepa/argocd-setup-values.yaml
secretsFile: ../../../clusters/staging/davidepa/secrets/apps/argocd.yaml

- name: logging
chartName: logging
namespace: logging-system
valuesFile: ../../../clusters/staging/davidepa/logging.yaml
secretsFile: ../../../clusters/staging/davidepa/secrets/apps/logging.yaml

- name: cert-manager
chartName: cert-manager
namespace: cert-manager
valuesFile: ../../../clusters/staging/davidepa/argocd-setup-values.yaml

- name: cluster-api-addon-provider
chartName: cluster-api-addon-provider
namespace: clusters
valuesFile: ../../../clusters/staging/davidepa/argocd-setup-values.yaml

- name: ingress-nginx-external
chartName: ingress-nginx-external
namespace: ingress-nginx-external
valuesFile: ../../../clusters/staging/davidepa/ingress-nginx-external-values.yaml

- name: manila-csi
chartName: manila-csi
namespace: manila-csi
valuesFile: ../../../clusters/staging/davidepa/argocd-setup-values.yaml
secretsFile: ../../../clusters/staging/davidepa/secrets/apps/manila-csi.yaml

- name: longhorn
chartName: longhorn
namespace: longhorn-system
valuesFile: ../../../clusters/staging/davidepa/argocd-setup-values.yaml


syncPolicy:
# Don't remove everything if we remove the appset
preserveResourcesOnDeletion: true

template:
metadata:
name: "{{.name}}"
namespace: argocd
spec:
project: default
source:
repoURL: "https://github.com/stfc/cloud-deployed-apps.git"
targetRevision: david-epa-branch
path: "charts/staging/{{.chartName}}"
helm:
valueFiles:
- '{{.valuesFile | default "../../../clusters/_shared/dummy.yaml"}}'
- secrets://{{ .secretsFile | default "../../../clusters/_shared/dummy.yaml"}}

destination:
server: https://kubernetes.default.svc
namespace: "{{.namespace}}"

syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true

# ignore outofsync issues with longhorn CRDs with "preserveUnknownField"
# https://github.com/argoproj/argo-cd/issues/6401#issuecomment-854995249
ignoreDifferences:
- group: apiextensions.k8s.io
kind: CustomResourceDefinition
jsonPointers:
- /spec/preserveUnknownFields

templatePatch: |
{{- if eq .name "manila-csi" }}
spec:
ignoreDifferences:
- group: rbac.authorization.k8s.io
kind: ClusterRole
name: manila-csi-openstack-manila-csi-controllerplugin
jsonPointers:
- /rules
- group: rbac.authorization.k8s.io
kind: ClusterRole
name: manila-csi-openstack-manila-csi-nodeplugin
jsonPointers:
- /rules
{{- end }}
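Review bot: Both the parent Application (`project: default`) and the generated child Applications (`project: default` in the template) are placed in Argo CD's built-in `default` AppProject, which allows any source repository, any destination namespace and any cluster-scoped resource kind; a dedicated AppProject whose `sourceRepos` lists only `https://github.com/stfc/cloud-deployed-apps.git` and whose `destinations` and `clusterResourceWhitelist` cover only what these charts need would bound what a bad commit on the tracked branch can do. That matters more here because `targetRevision: david-epa-branch` tracks a personal branch with `selfHeal: true` and `prune: true` on the children, so anything pushed to that branch is applied to the cluster without a merge gate. The `templatePatch` for manila-csi also adds `ignoreDifferences` on `/rules` of two ClusterRoles, so drift in those RBAC rules will neither show as OutOfSync nor be reverted by selfHeal; if the chart mutates them at runtime (presumably the reason), a one-line comment saying so would stop a later reader from widening the ignore. Minor style: the two `valueFiles` entries are quoted differently (`'{{...}}'` vs an unquoted `secrets://{{ ... }}`); quoting both the same way avoids a reader wondering whether the difference is deliberate.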
27 changes: 27 additions & 0 deletions clusters/staging/davidepa/argocd-setup-values.yaml
@@ -0,0 +1,27 @@
argo-cd:
global:
domain: "argocd.david-epa.nubes.stfc.ac.uk"

server:
ingress:
ingressClassName: internal-nginx

stfc-cloud-longhorn:
longhorn:
ingress:
ingressClassName: internal-nginx
host: "longhorn.david-epa.nubes.stfc.ac.uk"
persistence:
# can't be set for RWX
migratable: false

stfc-cloud-cert-manager:
le-staging:
enabled: true
ingressClassName: ingress-nginx-external

le-prod:
email: cloud-support@stfc.ac.uk
enabled: true
ingressClassName: ingress-nginx-external

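Review bot: The Longhorn ingress under `stfc-cloud-longhorn.longhorn.ingress` exposes the Longhorn UI with no authentication annotations, whereas the Prometheus and Alertmanager ingresses in infra-values.yaml in this same PR carry `nginx.ingress.kubernetes.io/auth-type: basic`. The Longhorn UI has no built-in authentication and its docs recommend basic auth on the ingress, so unless the stfc-cloud-longhorn chart adds its own auth (not visible here) anyone who can reach the `internal-nginx` class can manage volumes and snapshots. If the chart passes ingress annotations through, adding `annotations:` with `nginx.ingress.kubernetes.io/auth-type: basic` and `nginx.ingress.kubernetes.io/auth-secret: basic-auth` next to `host:` would bring it in line with the monitoring ingresses; otherwise a comment recording how the UI is protected would help the next reader.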
94 changes: 94 additions & 0 deletions clusters/staging/davidepa/infra-values.yaml
@@ -0,0 +1,94 @@
stfc-cloud-openstack-cluster:
openstack-cluster:
machineSSHKeyName: k8s-david-epa
cloudCredentialsSecretName: david-epa-cluster-cloud-credentials

controlPlane:
machineFlavor: dep-l2.tiny

nodeGroups:
- name: default-md-0
machineCount: 2
machineFlavor: l3.nano

nodeGroupDefaults:
machineFlavor: dep-l2.xsmall
nodeLabels:
# we're running longhorn on this cluster
# set label so worker nodes can host longhorn volumes
longhorn.store.nodeselect/longhorn-storage-node: true

addons:
ingress:
enabled: true
nginx:
release:
values:
controller:
electionID: ingress-controller-leader
ingressClass: internal-nginx
ingressClassResource:
name: internal-nginx
enabled: true
default: true
controllerValue: "k8s.io/ingress-internal-nginx"
service:
annotations:
# Don't delete the floating ip when deleting loadbalancers
# prevents errors when deleting clusters, leave as true
loadbalancer.openstack.org/keep-floatingip: true
# *.david-epa.nubes.stfc.ac.uk
loadBalancerIP: "130.246.83.76"

monitoring:
enabled: true
kubePrometheusStack:
release:
values:
prometheus:
prometheusSpec:
externalLabels:
cluster: david-epa-cluster
env: staging
ingress:
ingressClassName: internal-nginx
annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - David EPA Cluster"
hosts:
- prometheus.david-epa.nubes.stfc.ac.uk
tls:
- hosts:
- prometheus.david-epa.nubes.stfc.ac.uk
secretName: tls-keypair
grafana:
grafana.ini:
server:
root_url: https://grafana.david-epa.nubes.stfc.ac.uk
ingress:
ingressClassName: internal-nginx
hosts:
- grafana.david-epa.nubes.stfc.ac.uk
tls:
- hosts:
- grafana.david-epa.nubes.stfc.ac.uk
secretName: tls-keypair
alertmanager:
enabled: true
ingress:
ingressClassName: internal-nginx
annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - David EPA Cluster"
hosts:
- alertmanager.david-epa.nubes.stfc.ac.uk
tls:
- hosts:
- alertmanager.david-epa.nubes.stfc.ac.uk
secretName: tls-keypair
etcdDefrag:
release:
values:
schedule: 1 12 * * * # smearing the time for defrag job 1:12pm daily
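Review bot: `longhorn.store.nodeselect/longhorn-storage-node: true` under `nodeLabels` and `loadbalancer.openstack.org/keep-floatingip: true` under `service.annotations` are parsed as YAML booleans, but Kubernetes label and annotation values are strings; depending on how the chart renders these maps the API server can reject a bare `true`, so write them as `"true"`. The same unquoted `keep-floatingip: true` appears in ingress-nginx-external-values.yaml in this PR. Separately, the inline comment on the etcd defrag `schedule: 1 12 * * *` says "1:12pm daily", but that cron expression fires at 12:01 (in the CronJob's timezone, typically UTC); either fix the comment to `# smearing the time for defrag job: 12:01 daily` or change the schedule to `12 13 * * *` if 1:12pm was intended.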
20 changes: 20 additions & 0 deletions clusters/staging/davidepa/ingress-nginx-external-values.yaml
@@ -0,0 +1,20 @@
ingress-nginx-external:
controller:
metrics:
enabled: true
serviceMonitor:
enabled: true
electionID: external-ingress-controller-leader
ingressClass: ingress-nginx-external
ingressClassResource:
name: ingress-nginx-external
enabled: true
default: false
controllerValue: "k8s.io/ingress-nginx-external"
service:
annotations:
# Don't delete the floating ip when deleting loadbalancers
# prevents errors when deleting clusters, leave as true
loadbalancer.openstack.org/keep-floatingip: true
loadBalancerIP: "130.246.83.62"
allowSnippetAnnotations: true
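Review bot: `allowSnippetAnnotations: true` re-enables the nginx snippet annotations that upstream ingress-nginx disables by default, because any principal able to create Ingress objects in any namespace served by this controller can then inject arbitrary nginx configuration into the shared, externally reachable controller. Nothing in this PR shows which workload needs snippets, so at minimum a comment above the key should record the consumer and why the built-in annotations are insufficient, e.g. `# needed by <workload>: <reason>; review before adding namespaces to this class`. If it must stay on, consider setting the controller's `annotation-value-word-blocklist` config to reject the most dangerous directives and restricting Ingress create/update RBAC on namespaces that use this class.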
18 changes: 18 additions & 0 deletions clusters/staging/davidepa/logging.yaml
@@ -0,0 +1,18 @@
stfc-cloud-logging:
includePrometheusRules: true
opensearchCredentials:
username: writer-staging
fluent-operator:
operator:
disableComponentControllers: fluentd
fluentd:
crdsEnable: false
fluentbit:
output:
loki:
enable: false
opensearch:
logstashPrefix: kube_logs_staging_david-epa
# staging worker opensearch for now, with plans to move it to prod/olaf
host: opensearch.staging.nubes.stfc.ac.uk
port: 443
10 changes: 10 additions & 0 deletions clusters/staging/davidepa/secrets/apps/.sops.yaml
@@ -0,0 +1,10 @@
creation_rules:
- unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
key_groups:
- age:
# Temporary key for ArgoCD
- age1pwxlgd3pzdkwudzjrx6fun8ddhgdl3m25jr24rd9wc9qh2wpkfaszccvv6

# Access Keys
# Staging Access Key
- age1vhunptck6gfu8u2uwrymx6ud0jgwxxjmn0rqh4hftfma6wxjrf6sgdg7dz
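Review bot: The `# Temporary key for ArgoCD` comment records neither who holds the matching private key nor when it is meant to be retired, and once it is removed from `creation_rules` the files already encrypted in this directory keep it as a recipient until `sops updatekeys` is run on each of them. A comment such as `# Temporary key for ArgoCD — owner: <team/person>; remove by <date> and run 'sops updatekeys' on this dir` makes the rotation actionable. The same comment appears in secrets/infra/.sops.yaml in this PR, which lists a different pair of age recipients; if apps and infra are deliberately decrypted by different identities, a one-line note saying so would prevent someone "fixing" the mismatch later.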
32 changes: 32 additions & 0 deletions clusters/staging/davidepa/secrets/apps/argocd.yaml
@@ -0,0 +1,32 @@
argo-cd:
configs:
secret:
extra:
oidc.irisiam.clientID: ENC[AES256_GCM,data:5FQOmlOi9VcDhKURGh4UDRbr6jVlDMnVTKSGN3QYYSmN9D9O,iv:pcgc5WsUBPEceLnH/zye4XNUdF9xgjPC/JxWOM3W5ow=,tag:k4xyVO4pq+qXjW9fonkBMw==,type:str]
oidc.irisiam.clientSecret: ENC[AES256_GCM,data:x6ycGmAQg0HNEk+He+f8pT4HNkbqSNXdkytmHkkhSgTrascA3jJVlmR34+Ev1C3kSFHKZCm3C/q7xH3cKSGNsZbbMvXJF/MYjCX4+/6PW9TXWM99FV8=,iv:1JP77XJRA6/kRxlEWQ7Nt473ZLnA5JResPgN4YGvXRU=,tag:iu/se72hP1zXQEDxALx16w==,type:str]
#ENC[AES256_GCM,data:CDF4eNTciDrJReEUW1/QUOHPXGj5rqGSs3RJ92sYBwu4lAg=,iv:pZDknmYYLV74RD6bcSScmO8I0ZG5ZWookWhr732DRT4=,tag:2j1Ml6hIbgdqYaOXVR09bA==,type:comment]
argocdServerAdminPassword: ENC[AES256_GCM,data:tTCM3nhOt9Ztwr076FySqqGo/5x2pa/zDCTcNrPBJCuoKSh+wg5FBHQ57VBhxhpzwFCAMWYIOk6uy4FP,iv:h6mNwz3Vrl7W6vEA7qfzZnS9xl7nN7mP0XPDV2t9cTQ=,tag:S1wul+kGBs7KEPKC6nWRJQ==,type:str]
sops:
age:
- recipient: age1pwxlgd3pzdkwudzjrx6fun8ddhgdl3m25jr24rd9wc9qh2wpkfaszccvv6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVi8wQUtqVjRYSWVqeXhS
ejhmajZ5V2I2VHpRQ3lnZWlLOEhlU0RsL25zClZJczhwUGRYRm52QkJJYlpJaUFG
eElZNzJ2bk9zZmR6OHZZS1B6RXdtTnMKLS0tIGpkZy9JZHhjU011Tzc3SVhUSmhB
ZUJPbUwxbXdXb1B2dWc4TFpId2pNNW8KjiK8DA4UZdAjbz0Q46cpoM5c2rvJAN+i
CcFQXJ8dp3SgYCfKcz+usYE1XAscMVEI/0q6XTflHXNupyr7nCIPSA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vhunptck6gfu8u2uwrymx6ud0jgwxxjmn0rqh4hftfma6wxjrf6sgdg7dz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYai9WV1RvR0p2aVorYU8z
ZGNMTmlEZG1vUnE0OU52TmJUMW1WeVkwbjN3CnhOUzZydzRtakhhM2tqNlJOMjIr
QStUZUtFd0c5NUhFMWl2QzVmTGlqRVEKLS0tIFB5MHNqNnIxMXRLbGVlZ21kUVNP
RXB6VHpxdWRMdDJvYnRia0hEcG41WHcKaa0+3cJsUkptBzBmDJVEK7LmObr37loc
6PsM+q++S/8Oy73Bo88wS5oN10DnNt92ljNk6sEQNE6Kb17C2rf/eQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-30T12:58:58Z"
mac: ENC[AES256_GCM,data:sb51nM9XR6vYY7ykdwwU/F3SStUD/AvnI2AclhucBxPAFFQRdNrHXbfhD889dF4mnpBA3iuNegP3uERwr0ceQLDVmXnaVEFUY8HlVg30IHikCrxZYlbzSTxNXr54BsHbGaCXzVTHiOFxdmXnuxp973kRC31d9ONNzQQuoXAE8Xg=,iv:XLym1ymS0I9kUobOGyQ8N1HRx2GwSt+nr6MDSBC973I=,tag:e6dxkY4fTTdcfWcEK3DoJA==,type:str]
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.11.0
27 changes: 27 additions & 0 deletions clusters/staging/davidepa/secrets/apps/logging.yaml
@@ -0,0 +1,27 @@
stfc-cloud-logging:
opensearchCredentials:
password: ENC[AES256_GCM,data:NzFWxPbmcNyD5tPsxWFAJO3spes=,iv:wyMIRNr8ED/9dFrhfe1XlnyYg7s9s+iBhCWaovnUnOI=,tag:m+VkErCPqqSADE1ff+uKJA==,type:str]
sops:
age:
- recipient: age1pwxlgd3pzdkwudzjrx6fun8ddhgdl3m25jr24rd9wc9qh2wpkfaszccvv6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqQWNpbEhsZisvenJvTUhI
L3RZUTRVNTZxdmFndWpDUThOekpjb2pLNlJRCkg5ekFpblhkbjd0TXpma0ExL3B2
NkIrYjdvNHN5ZEJ2VStrZzNsUWNIancKLS0tIE44MzZsdThkVHZHTE9BSVVjY25S
dUw3LzFsbm00Mk9XMjFEYmh2RWNHRTQKoCADHiBSlL38+KXCa/11Qb1YBpGO7eQe
D7ArshFbwxxEWEe3848L0nMIx6nlty8qfxW/I6l7geyLC4cpI83eOQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vhunptck6gfu8u2uwrymx6ud0jgwxxjmn0rqh4hftfma6wxjrf6sgdg7dz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSR3BtcWtLaEw2UVdSTk9R
ZnN1eXJIbWNRNk5nS09LWjdER2xZdXhRN1JRCnpwS1ZvT25lU1hzaTFscWg2ckI0
Y1hsSHRycUpQUHROVHo5UGFScCtzd2cKLS0tIHNRczNFMnlIVVg3WDZKeUtidXd4
bVFzQTI5TkJtYkQ2a29qRkNGQ3FGWTQKu+Y2qvtFmXUtQsw7+UqkE+2z2HLwnn5h
+ukkBCn0aWtsSuKiwBa0v+HS07+vJicCpgFKPTs3eBkfS68LOZEQ1g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-30T12:55:54Z"
mac: ENC[AES256_GCM,data:pj39lfvFgZrdJ+tXfsYebFszSsQCXMyV0Hx6Yz6z7vDmsf85UapgNxD7zUgGS+bLWUbzosL+FyaPM9zEgWa0PAy07AeppRQkNFSJkOQR5+J1jvb9pATdARAuRL3e/tuA2K+yy2TKZ9lr30cxvbJZ3+Px1Q2t/G8U5vMxHIiZCI4=,iv:dx1oNAD1J4OMb4FyrMAHu7e/2dZc8FnpvMUHxOnAWPw=,tag:Y2HiJLL6kxHYJD0pJnfaaA==,type:str]
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.11.0
10 changes: 10 additions & 0 deletions clusters/staging/davidepa/secrets/infra/.sops.yaml
@@ -0,0 +1,10 @@
creation_rules:
- unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
key_groups:
- age:
# Temporary key for ArgoCD
- age1tgfg98jddwc2crr869aa9phe9ufflnyya4t3mcltqsmcvca0k46q2m04se

# Access Keys
# Staging Access Key
- age1hsll27prywydttq7dtnqtdnu2jpr8zhaulx00l7n4pqmxkhr55vspqmj6l