feat: 🚀 add a chart dedicated to argocd managed zone

Author: mathieulaude

charts/dso-argocd-zone/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v2
+name: dso-argocd-zone
+description: Creates an ApplicationSet that will scan and deploy all Console-managed applications for its zone (multiple clusters).
+type: application
+version: 1.0.0
+appVersion: 1.0.0
+maintainers:
+  - name: cloud-pi-native
+    email: cloudpinative-relations@interieur.gouv.fr
+    url: https://cloud-pi-native.fr

charts/dso-argocd-zone/README.md

@@ -0,0 +1,26 @@
+# dso-argocd-zone
+
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+
+Creates an ApplicationSet that will scan and deploy all Console-managed applications for its zone (multiple clusters).
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| cloud-pi-native | <cloudpinative-relations@interieur.gouv.fr> | <https://cloud-pi-native.fr> |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| clusters | list | `[]` | List of managed cluster names for the entire zone |
+| dsoZoneRepo | string | `"https://gitlab.com/infra/zone.git"` | Repository URL where DSO Cosnole stores application specifications that must be applied by ArgoCD in current zone |
+| openshift.enabled | bool | `false` | Indicates if OpenShift specificities are needed |
+| vault.kvName | string | `"zone-kv"` | Name of the key-value store to use for retreiving zone secrets |
+| vault.roleId | string | `"app-role"` | AppRole to use when connecting to Vault |
+| vault.secretId | string | `"secret"` | AppRole associated secret to autorize Vault connection |
+| vault.url | string | `"test.com"` | URL of the Vualt instance storing zone secrets (like kubeconfigs) |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/dso-argocd-zone/templates/cluster-secrets.yaml

@@ -0,0 +1,18 @@
+{{- range  $cluster := .Values.clusters }}
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: {{ $cluster }}-cluster-secret
+  namespace: argo-cpin
+spec:
+  vaultAuthRef: vault-auth
+  type: kv-v2
+  mount: {{ $.Values.vault.kvName }}
+  path: clusters/cluster-{{ $cluster }}/argocd-cluster-secret
+  destination:
+    create: true
+    name: {{ $cluster }}-cluster-secret
+    labels:
+      'argocd.argoproj.io/secret-type': 'cluster'
+{{- end }}

charts/dso-argocd-zone/templates/dso-appset.yaml

@@ -0,0 +1,67 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: dso-project # Pour les Applications déployées par la Console DSO
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "1" # Evite la suppression avant les Applications
+spec:
+  description: Project to deploy DSO Applications
+  destinations:
+    - name: "*"
+      namespace: "*"
+      server: "*"
+  sourceRepos:
+    - "https://github.com/cloud-pi-native/helm-charts.git"
+    - "{{ .Values.dsoZoneRepo }}"
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: dso-appset
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "2" # Evite la suppression avant l'instance ArgoCD
+spec:
+  goTemplate: true
+  generators:
+    - git:
+        repoURL: {{ .Values.dsoZoneRepo }}
+        revision: HEAD
+        files:
+          - path: "**/values.yaml" # project/cluster/environment/values.yaml
+  ignoreApplicationDifferences:
+    - jsonPointers:
+        - /spec/syncPolicy
+        - /spec/sources/0/targetRevision
+  template:
+    metadata:
+      name: {{"\"{{ index .path.segments 0 }}-{{ index .path.segments 1 }}-{{ index .path.segments 2 }}-root\"" }}
+      namespace: {{ .Release.Namespace }}
+      labels:
+        app.kubernetes.io/managed-by: dso-console
+        dso/projet: {{"\"{{ index .path.segments 0 }}\""}}
+        dso/environment: {{"\"{{ index .path.segments 2 }}\""}}
+    spec:
+      project: dso-project
+      sources:
+        - repoURL: https://github.com/cloud-pi-native/helm-charts.git
+          targetRevision: {{"\"{{ .argocd.envChartVersion }}\""}}
+          path: charts/dso-env
+          helm:
+            valueFiles:
+              - {{"\"$values/{{ .path.path }}/{{ .path.filename }}\""}}
+            values: |
+              argocd:
+                namespace: {{ .Release.Namespace }}
+        - repoURL: "{{ .Values.dsoZoneRepo }}"
+          targetRevision: HEAD
+          ref: values
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: {{ .Release.Namespace }}
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true

charts/dso-argocd-zone/templates/vso-auth.yaml

@@ -0,0 +1,31 @@
+{{ if not .Values.openshift.enabled -}}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+  name: default
+  namespace: {{ .Release.Namespace }}
+spec:
+  address: {{ .Values.vault.url }}
+{{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vso-approle
+  namespace: {{ .Release.Namespace }}
+stringData:
+  id: {{ .Values.vault.secretId }}
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vault-auth
+  namespace: {{ .Release.Namespace }}
+spec:
+  method: appRole
+  mount: approle
+  appRole:
+    roleId: {{ .Values.vault.roleId }}
+    secretRef: vso-approle
+  allowedNamespaces: 
+    - {{ .Release.Namespace }}

charts/dso-argocd-zone/values.yaml

@@ -0,0 +1,19 @@
+# -- Repository URL where DSO Cosnole stores application specifications that must be applied by ArgoCD in current zone
+dsoZoneRepo: https://gitlab.com/infra/zone.git
+
+openshift:
+  # -- Indicates if OpenShift specificities are needed
+  enabled: false
+
+vault:
+  # -- URL of the Vualt instance storing zone secrets (like kubeconfigs)
+  url: test.com
+  # -- Name of the key-value store to use for retreiving zone secrets
+  kvName: zone-kv
+  # -- AppRole to use when connecting to Vault
+  roleId: app-role
+  # -- AppRole associated secret to autorize Vault connection
+  secretId: secret
+
+# -- List of managed cluster names for the entire zone
+clusters: []