Changes for spi (#128)

* new environment updates

* update production app url

* use spi org repositories

Co-authored-by: Yaser <[email protected]>

Author: Yas11r

applications/development.yaml

@@ -18,7 +18,7 @@ spec:
   project: default
   source:
     path: overlays/development/spi
-    repoURL: git@github.com:solarperformanceinsight/spi-deploy.git
+    repoURL: https://github.com/solarperformanceinsight/spi-deploy
     targetRevision: HEAD
   syncPolicy:
     automated:
@@ -37,7 +37,7 @@ spec:
   project: default
   source:
     path: overlays/development/mysql
-    repoURL: git@github.com:solarperformanceinsight/spi-deploy.git
+    repoURL: https://github.com/solarperformanceinsight/spi-deploy
     targetRevision: HEAD
   syncPolicy:
     automated:
@@ -56,7 +56,7 @@ spec:
   project: default
   source:
     path: overlays/development/redis
-    repoURL: git@github.com:solarperformanceinsight/spi-deploy.git
+    repoURL: https://github.com/solarperformanceinsight/spi-deploy
     targetRevision: HEAD
   syncPolicy:
     automated:

applications/production.yaml

@@ -18,8 +18,8 @@ spec:
   project: default
   source:
     path: overlays/production/spi
-    repoURL: git@github.com:solarperformanceinsight/spi-deploy.git
-    targetRevision: v0
+    repoURL: https://github.com/solarperformanceinsight/spi-deploy
+    targetRevision: v1
   syncPolicy:
     automated:
       prune: true
@@ -37,8 +37,8 @@ spec:
   project: default
   source:
     path: overlays/production/mysql
-    repoURL: git@github.com:solarperformanceinsight/spi-deploy.git
-    targetRevision: v0
+    repoURL: https://github.com/solarperformanceinsight/spi-deploy
+    targetRevision: v1
   syncPolicy:
     automated:
       prune: true
@@ -56,8 +56,8 @@ spec:
   project: default
   source:
     path: overlays/production/redis
-    repoURL: git@github.com:solarperformanceinsight/spi-deploy.git
-    targetRevision: v0
+    repoURL: https://github.com/solarperformanceinsight/spi-deploy
+    targetRevision: v1
   syncPolicy:
     automated:
       prune: true

cluster-setup/ansible/network.yml

@@ -4,7 +4,7 @@
   vars:
     aws_account_id: "{{ lookup('aws_ssm', 'account_id') }}"
     external_secrets:
-      iam_role: "k8s-secrets"
+      iam_role: "SecretAccessRoleSolarApp"
 
   tasks:
     - name: install cert-manager
@@ -50,18 +50,14 @@
             namespace: cert-manager
           spec:
             acme:
-              email: [email protected]
+              email: [email protected]
               server: https://acme-v02.api.letsencrypt.org/directory
               privateKeySecretRef:
                 name: letsencrypt-prod
               solvers:
-                - selector:
-                    dnsZones:
-                      - "solarperformanceinsight.org"
-                      - "*.solarperformanceinsight.org"
-                  dns01:
-                    route53:
-                      region: us-west-2
+                - http01:
+                    ingress:
+                      class: nginx
       tags:
         - networking
         - cert-manager
@@ -84,7 +80,6 @@
               kind: ClusterIssuer
             dnsNames:
               - "solarperformanceinsight.org"
-              - "*.solarperformanceinsight.org"
       tags:
         - networking
         - cert-manager

cluster-setup/ansible/templates/argocd.yml

@@ -2232,15 +2232,15 @@ subjects:
   namespace: argocd
 ---
 ### START USER CONFIG
-apiVersion: v1
-kind: Secret
-metadata:
-  labels:
-    app.kubernetes.io/name: github-credentials
-    app.kubernetes.io.part-of: argocd
-  name: github-credentials
-data:
-  sshPrivateKey: "{{ lookup('aws_ssm', '/argocd/github-ssh-private-key') | b64encode }}"
+##apiVersion: v1
+##kind: Secret
+##metadata:
+##  labels:
+##    app.kubernetes.io/name: github-credentials
+##    app.kubernetes.io.part-of: argocd
+#  name: github-credentials
+#data:
+#  sshPrivateKey: "{{ lookup('aws_ssm', '/argocd/github-ssh-private-key') | b64encode }}"
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -2254,36 +2254,36 @@ data:
   statusbadge.enabled: 'true'
   users.anonymous.enabled: 'false'
   ga.trackingid: ''
-  dex.config: |
-    connectors:
-    - type: github
-      id: github
-      name: GitHub
-      config:
-        clientID: $dex.github.clientId
-        clientSecret: $dex.github.clientSecret
-        teamNameField: slug
-        orgs:
-        - name: SolarPerformanceInsight
-          teams:
-          - deploy
-  repository.credentials: |
-    - url: [email protected]:solarperformanceinsight
-      sshPrivateKeySecret:
-        name: github-credentials
-        key: sshPrivateKey
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app.kubernetes.io/name: argocd-rbac-cm
-    app.kubernetes.io/part-of: argocd
-  name: argocd-rbac-cm
-data:
-  policy.default: role:readonly
-  policy.csv: |
-    g, SolarPerformanceInsight:deploy, role:admin
+#  dex.config: |
+#    connectors:
+#    - type: github
+#      id: github
+#      name: GitHub
+#      config:
+#        clientID: $dex.github.clientId
+#        clientSecret: $dex.github.clientSecret
+#        teamNameField: slug
+#        orgs:
+#        - name: SolarPerformanceInsight
+#          teams:
+#          - deploy
+#  repository.credentials: |
+#    - url: [email protected]:solarperformanceinsight
+#      sshPrivateKeySecret:
+#        name: github-credentials
+#        key: sshPrivateKey
+#---
+#apiVersion: v1
+#kind: ConfigMap
+#metadata:
+#  labels:
+#    app.kubernetes.io/name: argocd-rbac-cm
+#    app.kubernetes.io/part-of: argocd
+#  name: argocd-rbac-cm
+#data:
+#  policy.default: role:readonly
+#  policy.csv: |
+#    g, SolarPerformanceInsight:deploy, role:admin
 ---
 apiVersion: v1
 kind: Secret
@@ -2296,9 +2296,9 @@ type: Opaque
 data:
   admin.password: "{{ lookup('aws_ssm', '/argocd/admin_pw_bcrypt') | b64encode }}"
   admin.passwordMtime: "{{ ansible_date_time.epoch | b64encode }}"
-  webhook.github.secret: "{{ lookup('aws_ssm', '/argocd/github_webhook_secret') | b64encode }}"
-  dex.github.clientId: "{{ lookup('aws_ssm', '/argocd/github_clientid') | b64encode }}"
-  dex.github.clientSecret: "{{ lookup('aws_ssm', '/argocd/github_clientsecret') | b64encode }}"
+#  webhook.github.secret: "{{ lookup('aws_ssm', '/argocd/github_webhook_secret') | b64encode }}"
+#  dex.github.clientId: "{{ lookup('aws_ssm', '/argocd/github_clientid') | b64encode }}"
+#  dex.github.clientSecret: "{{ lookup('aws_ssm', '/argocd/github_clientsecret') | b64encode }}"
 ### END USER CONFIG
 ---
 apiVersion: v1

cluster-setup/ansible/templates/nginx.yml

@@ -40,8 +40,6 @@ data:
   ssl-protocols: "TLSv1.2 TLSv1.3"
   ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
   hsts-preload: "true"
-  use-proxy-protocol: "true"
-  real-ip-header: "proxy_protocol"
   ssl-redirect: "false"
   server-snippet: |
       if ( $proxy_protocol_server_port = 80 ) {

overlays/development/spi/ingress.yaml

@@ -7,6 +7,7 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: nginx
     nginx.ingress.kubernetes.io/proxy-body-size: 50m
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
 spec:
   rules:
   - host: dev.solarperformanceinsight.org

overlays/production/spi/ingress.yaml

@@ -7,6 +7,7 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: nginx
     nginx.ingress.kubernetes.io/proxy-body-size: 50m
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
 spec:
   rules:
   - host: app.solarperformanceinsight.org