diff --git a/clusters/noble/apps/kustomization.yaml b/clusters/noble/apps/kustomization.yaml
index ab3d642..bacd2dd 100644
--- a/clusters/noble/apps/kustomization.yaml
+++ b/clusters/noble/apps/kustomization.yaml
@@ -1,6 +1,5 @@
-# Single Argo CD **source** (**noble-platform** → **path: clusters/noble/apps**) so the UI shows the
-# full resource tree. Helm charts are inlined via **helmCharts**; requires **argocd-cm**
-# **kustomize.buildOptions: --enable-helm** (see **bootstrap/argocd/values.yaml**).
+# Plain Kustomize only (namespaces + extra YAML). Helm charts are **Application** sources in
+# **bootstrap/argocd/apps/noble-platform.yaml** — avoids **kustomize --enable-helm** on repo-server.
 
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
@@ -16,60 +15,3 @@ resources:
   - grafana-loki-datasource/loki-datasource.yaml
   - vault/unseal-cronjob.yaml
   - vault/cilium-network-policy.yaml
-
-helmCharts:
-  - name: kube-prometheus-stack
-    repo: https://prometheus-community.github.io/helm-charts
-    version: 82.15.1
-    releaseName: kube-prometheus
-    namespace: monitoring
-    valuesFile: kube-prometheus-stack/values.yaml
-    includeCRDs: true
-  - name: loki
-    repo: https://grafana.github.io/helm-charts
-    version: 6.55.0
-    releaseName: loki
-    namespace: loki
-    valuesFile: loki/values.yaml
-  - name: fluent-bit
-    repo: https://fluent.github.io/helm-charts
-    version: 0.56.0
-    releaseName: fluent-bit
-    namespace: logging
-    valuesFile: fluent-bit/values.yaml
-  - name: sealed-secrets
-    repo: https://bitnami-labs.github.io/sealed-secrets
-    version: 2.18.4
-    releaseName: sealed-secrets
-    namespace: sealed-secrets
-    valuesFile: sealed-secrets/values.yaml
-  - name: external-secrets
-    repo: https://charts.external-secrets.io
-    version: 2.2.0
-    releaseName: external-secrets
-    namespace: external-secrets
-    valuesFile: external-secrets/values.yaml
-  - name: vault
-    repo: https://helm.releases.hashicorp.com
-    version: 0.32.0
-    releaseName: vault
-    namespace: vault
-    valuesFile: vault/values.yaml
-  - name: kyverno
-    repo: https://kyverno.github.io/kyverno/
-    version: 3.7.1
-    releaseName: kyverno
-    namespace: kyverno
-    valuesFile: kyverno/values.yaml
-  - name: kyverno-policies
-    repo: https://kyverno.github.io/kyverno/
-    version: 3.7.1
-    releaseName: kyverno-policies
-    namespace: kyverno
-    valuesFile: kyverno/policies-values.yaml
-  - name: headlamp
-    repo: https://kubernetes-sigs.github.io/headlamp/
-    version: 0.40.1
-    releaseName: headlamp
-    namespace: headlamp
-    valuesFile: headlamp/values.yaml
diff --git a/clusters/noble/bootstrap/argocd/README.md b/clusters/noble/bootstrap/argocd/README.md
index 2b3c256..413298f 100644
--- a/clusters/noble/bootstrap/argocd/README.md
+++ b/clusters/noble/bootstrap/argocd/README.md
@@ -49,7 +49,7 @@ Use **Settings → Repositories** in the UI, or `argocd repo add` / a `Secret` o
 kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
 ```
 
-**`apps/noble-platform.yaml`** uses one Git **`path`** (**`clusters/noble/apps`**) so the UI shows the full workload tree; **`kustomization.yaml`** there uses **helmCharts** plus **`values.yaml`** from each app.
+**`apps/noble-platform.yaml`** uses **multiple sources** (Helm repos + Git **`ref`/`path`**); **`clusters/noble/apps/kustomization.yaml`** is plain resources only — chart installs are **Helm** sources, not Kustomize **helmCharts**.
 
 ## Versions
 
diff --git a/clusters/noble/bootstrap/argocd/apps/README.md b/clusters/noble/bootstrap/argocd/apps/README.md
index 6ed1986..10c9d94 100644
--- a/clusters/noble/bootstrap/argocd/apps/README.md
+++ b/clusters/noble/bootstrap/argocd/apps/README.md
@@ -1,5 +1,3 @@
 # Argo CD — app-of-apps children
 
-**`noble-root`** syncs this directory. Keep **one** child Application (**`noble-platform`**) so the UI does not list every Helm release separately.
-
-- **`noble-platform.yaml`** — a **single** **`source`** pointing at **`clusters/noble/apps`** (**`kustomization.yaml`**). Helm charts are **not** separate `sources` entries: multi-source apps are poorly represented in the UI (often only one source’s manifests appear in the tree). **`kustomize.buildOptions: --enable-helm`** is set in **`argocd-cm`** via **`values.yaml`** so Kustomize can expand **helmCharts**.
+**`noble-root`** syncs this directory. **`noble-platform`** is the only child Application: **Helm** chart sources + Git **`ref: values`** for **`$values`** paths + Git **`path`** for plain **Kustomize** under **`clusters/noble/apps`** (no **`helmCharts`** in **`kustomization.yaml`**, so repo-server does **not** need **`kustomize --enable-helm`**).
diff --git a/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml b/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml
index e1fb4e8..58d77fe 100644
--- a/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml
+++ b/clusters/noble/bootstrap/argocd/apps/noble-platform.yaml
@@ -1,9 +1,10 @@
-# Noble cluster workloads — **single** `source` so Argo CD’s resource tree lists all rendered
-# objects (Helm + Kustomize). **spec.sources** (multi-source) is limited in the UI and often
-# shows only one source’s manifests (e.g. plain Kustomize without chart workloads).
+# Multi-source: native Helm (no Kustomize helmCharts → no **--enable-helm**). Git **ref: values**
+# supplies **$values/...** paths; second Git entry runs plain Kustomize over **clusters/noble/apps**.
 #
-# Renders **clusters/noble/apps** via **kustomization.yaml** (helmCharts + resources).
-# Requires **kustomize.buildOptions: --enable-helm** in **argocd-cm** (see **values.yaml**).
+# UI: some Argo CD versions summarize multi-source apps oddly in the graph; the **Resource list**
+# still reflects the merged set. **ServerSideApply** avoids huge CRD client-side apply annotations.
+#
+# https://argo-cd.readthedocs.io/en/stable/user-guide/multiple_sources/
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -13,10 +14,85 @@ metadata:
     - resources-finalizer.argocd.argoproj.io/background
 spec:
   project: default
-  source:
-    repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
-    targetRevision: main
-    path: clusters/noble/apps
+  sources:
+    - repoURL: https://prometheus-community.github.io/helm-charts
+      chart: kube-prometheus-stack
+      targetRevision: "82.15.1"
+      helm:
+        releaseName: kube-prometheus
+        namespace: monitoring
+        valueFiles:
+          - $values/clusters/noble/apps/kube-prometheus-stack/values.yaml
+    - repoURL: https://grafana.github.io/helm-charts
+      chart: loki
+      targetRevision: "6.55.0"
+      helm:
+        releaseName: loki
+        namespace: loki
+        valueFiles:
+          - $values/clusters/noble/apps/loki/values.yaml
+    - repoURL: https://fluent.github.io/helm-charts
+      chart: fluent-bit
+      targetRevision: "0.56.0"
+      helm:
+        releaseName: fluent-bit
+        namespace: logging
+        valueFiles:
+          - $values/clusters/noble/apps/fluent-bit/values.yaml
+    - repoURL: https://bitnami-labs.github.io/sealed-secrets
+      chart: sealed-secrets
+      targetRevision: "2.18.4"
+      helm:
+        releaseName: sealed-secrets
+        namespace: sealed-secrets
+        valueFiles:
+          - $values/clusters/noble/apps/sealed-secrets/values.yaml
+    - repoURL: https://charts.external-secrets.io
+      chart: external-secrets
+      targetRevision: "2.2.0"
+      helm:
+        releaseName: external-secrets
+        namespace: external-secrets
+        valueFiles:
+          - $values/clusters/noble/apps/external-secrets/values.yaml
+    - repoURL: https://helm.releases.hashicorp.com
+      chart: vault
+      targetRevision: "0.32.0"
+      helm:
+        releaseName: vault
+        namespace: vault
+        valueFiles:
+          - $values/clusters/noble/apps/vault/values.yaml
+    - repoURL: https://kyverno.github.io/kyverno/
+      chart: kyverno
+      targetRevision: "3.7.1"
+      helm:
+        releaseName: kyverno
+        namespace: kyverno
+        valueFiles:
+          - $values/clusters/noble/apps/kyverno/values.yaml
+    - repoURL: https://kyverno.github.io/kyverno/
+      chart: kyverno-policies
+      targetRevision: "3.7.1"
+      helm:
+        releaseName: kyverno-policies
+        namespace: kyverno
+        valueFiles:
+          - $values/clusters/noble/apps/kyverno/policies-values.yaml
+    - repoURL: https://kubernetes-sigs.github.io/headlamp/
+      chart: headlamp
+      targetRevision: "0.40.1"
+      helm:
+        releaseName: headlamp
+        namespace: headlamp
+        valueFiles:
+          - $values/clusters/noble/apps/headlamp/values.yaml
+    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+      targetRevision: main
+      ref: values
+    - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
+      targetRevision: main
+      path: clusters/noble/apps
   destination:
     server: https://kubernetes.default.svc
     namespace: default
@@ -26,6 +102,4 @@ spec:
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
-      # Large CRDs (Prometheus Operator, Kyverno, ESO) exceed kubectl’s ~256KiB annotation limit
-      # for last-applied-configuration; server-side apply avoids that.
       - ServerSideApply=true
diff --git a/clusters/noble/bootstrap/argocd/root-application.yaml b/clusters/noble/bootstrap/argocd/root-application.yaml
index 0b4ed25..b5db2d1 100644
--- a/clusters/noble/bootstrap/argocd/root-application.yaml
+++ b/clusters/noble/bootstrap/argocd/root-application.yaml
@@ -4,9 +4,8 @@
 # 2. kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
 #
 # Syncs **Application** YAMLs under **apps/** (today: **noble-platform**). Cluster
-# workloads are defined by **clusters/noble/apps/kustomization.yaml** (Kustomize + **helmCharts**);
-# **apps/noble-platform.yaml** uses a single Git **source** for a full UI resource tree. Per-app **values.yaml**
-# and READMEs stay the source of truth for chart versions.
+# workloads: **apps/noble-platform.yaml** (Helm chart sources + Git/Kustomize); **clusters/noble/apps/**
+# holds **values.yaml** and plain **kustomization.yaml** (resources only). Per-app READMEs stay the source of truth for versions.
 #
 apiVersion: argoproj.io/v1alpha1
 kind: Application
diff --git a/clusters/noble/bootstrap/argocd/values.yaml b/clusters/noble/bootstrap/argocd/values.yaml
index e32499c..b606dab 100644
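Review bot: Each chart entry under `sources:` sets `helm.namespace`, but as far as Argo CD's documented behaviour goes that only fixes `.Release.Namespace` at template time; any rendered object whose chart template omits `metadata.namespace` is assigned `destination.namespace`, which here is `default`, so a controller such as vault or sealed-secrets could land outside its intended namespace and outside the (presumably namespace-scoped) `vault/cilium-network-policy.yaml` that the Kustomize source ships. The old `helmCharts` block had the same exposure, so this is not a regression, but the migration is the moment to check it: render with `argocd app manifests noble-platform` and look for namespaced kinds with no explicit namespace; the `spec:` mapping this sits in continues past the hunk. Suggest recording the expectation in a comment above `sources:`: `# destination.namespace (default) is only a fallback — every chart below must template .Release.Namespace into metadata.namespace`. The old `includeCRDs: true` on kube-prometheus-stack has no counterpart here; Argo CD's Helm source renders chart CRDs unless `helm.skipCrds` is set, so this should be equivalent and deserves one line in the header comment. The two Git entries share repo and revision and could be a single source carrying both `ref: values` and `path` if the deployed Argo CD version supports that combination; otherwise leave them split.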
--- a/clusters/noble/bootstrap/argocd/values.yaml
+++ b/clusters/noble/bootstrap/argocd/values.yaml
@@ -17,10 +17,6 @@ global:
   domain: argo.apps.noble.lab.pcenicni.dev
 
 configs:
-  # Required for **helmCharts** in **clusters/noble/apps/kustomization.yaml** (Kustomize Helm inflation).
-  # After changing this, **helm upgrade** argo-cd; the chart rolls repo-server when **argocd-cm** checksum changes.
-  cm:
-    kustomize.buildOptions: "--enable-helm"
   params:
     # TLS terminates at Traefik / cert-manager; Argo CD serves HTTP behind the Ingress.
     server.insecure: true