Merge pull request #124 from pluralsh/marcin/prod-4388-refactor-plural-up-to-no-longer-use-git-crypt

michaeljguarino · web-flow · commit 577c9184cf57 · 2026-02-17T12:30:58.000-05:00
feat: Refactor plural up to no longer use git crypt
diff --git a/.gitignore b/.gitignore
@@ -33,9 +33,10 @@ override.tf.json
 .terraformrc
 terraform.rc
 
-test/helm-values
-
 # IDE
 .idea/
 
-**/values.secret.yaml
+**/values.secret.yaml
+
+# Temporary files used during bootstrap
+temp/
diff --git a/README.md b/README.md
@@ -22,11 +22,9 @@ Our defaults are meant to be tweaked, feel free to reference the documentation o
 A plural installation repo will have a folder structure like this:
 
 ```
-helm-values/ # git-crypted helm values to be used to bootstrap your setup.  Avoid editing unless necessary
+helm/ # helm values files
 - ${app}.yaml # value overrides
 - ${app}-defaults.yaml # default values we generate on install
-
-helm/ # helm values files that are meant to be user-editable, used for setup of many common components
 - *.yaml{.liquid} # `.liquid` extension signifies the helm values file can be templated
 
 bootstrap/ # setup for apps within your cluster fleet, this is the root service-of-services that bootstraps everything recursively
@@ -40,6 +38,8 @@ terraform/
   - - clusters
   - - - {cloud} # we've crafted some reusable modules for setting up clusters on most major clouds, feel free to use these in stacks or wherever
   - ${app}/ - submodule for individual app's terraform
+
+temp/ # a temp folder used during bootstrap that is gitignored
 ```
 
 You're free to extend this as you'd like, although if you use the plural marketplace that structure will be expected.  You can also deploy services w/ manifests in other repos, this is meant to serve as a base to define the core infrastructure and get you started in a sane way.
@@ -113,7 +113,7 @@ spec:
       namespace: infra
     git:
       ref: main
-      folder: helm-values # or wherever else you want to store the helm values
+      folder: helm # or wherever else you want to store the helm values
     helm:
       version: 6.31.4
       chart: externaldns
diff --git a/charts/runtime/values.yaml.liquid.tpl b/charts/runtime/values.yaml.liquid.tpl
@@ -0,0 +1,78 @@
+ownerEmail: {{ "{{ configuration.ownerEmail }}" }}
+
+{{ if not .Cloud }}
+external-dns:
+  extraArgs:
+    plural-cluster: {{ .Cluster }}
+    plural-provider: {{ .Provider }}
+  domainFilters:
+  - {{ .Subdomain }}
+
+dnsSolver: 
+  webhook:
+    groupName: acme.plural.sh
+    solverName: plural-solver
+    config:
+      cluster: {{ .Cluster }}
+      provider: {{ .Provider }}
+
+pluralToken: {{ "{{ configuration.pluralToken }}" }}
+
+acmeEAB:
+  kid: {{ "{{ configuration.acmeEABKid }}" }}
+  secret: {{ "{{ configuration.acmeEABSecret }}" }}
+{{ end }}
+
+{{ if .Cloud }}
+external-dns:
+  enabled: false
+
+plural-certmanager-webhook:
+  enabled: false
+
+operator:
+  enabled: false
+
+application:
+  enabled: false
+
+plural:
+  enabled: false
+
+ingress-nginx:
+  enabled: false
+ingress-nginx-private:
+  enabled: false
+{{ end }}
+
+{{ if and (eq .Provider "aws") (not .Cloud) }}
+ingress-nginx:
+  controller:
+    service:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+        service.beta.kubernetes.io/aws-load-balancer-type: external
+        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+    config:
+      compute-full-forwarded-for: 'true'
+      use-forwarded-headers: 'true'
+      use-proxy-protocol: 'true'
+ingress-nginx-private:
+  controller:
+    service:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+        service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+        service.beta.kubernetes.io/aws-load-balancer-type: external
+        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
+    config:
+      compute-full-forwarded-for: 'true'
+      use-forwarded-headers: 'true'
+      use-proxy-protocol: 'true'
+{{ end }}
diff --git a/charts/runtime/values.yaml.tpl b/charts/runtime/values.yaml.tpl
@@ -1,3 +1,5 @@
+ownerEmail: {{ .Config.Email }}
+
 {{ if not .Cloud }}
 external-dns:
   extraArgs:
@@ -14,7 +16,6 @@ dnsSolver:
       cluster: {{ .Cluster }}
       provider: {{ .Provider }}
 
-ownerEmail: {{ .Config.Email }}
 pluralToken: {{ .Config.Token }}
 
 acmeEAB:
@@ -23,10 +24,6 @@ acmeEAB:
 {{ end }}
 
 {{ if .Cloud }}
-
-ownerEmail: {{ .Config.Email }}
-
-
 external-dns:
   enabled: false
 
diff --git a/helm/runtime.yaml b/helm/runtime.yaml
diff --git a/setup/cert-manager.yaml b/setup/cert-manager.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   namespace: cert-manager
   git:
-    folder: helm-values
+    folder: helm
     ref: [[ or .Context.Branch "main" ]]
   repositoryRef:
     kind: GitRepository
diff --git a/setup/console.yaml b/setup/console.yaml
@@ -6,18 +6,21 @@ metadata:
 spec:
   namespace: plrl-console
   git:
-    folder: helm-values
+    folder: helm
     ref: [[ or .Context.Branch "main" ]]
   repositoryRef:
     kind: GitRepository
     name: infra
     namespace: infra
+  configurationRef:
+    name: console-config
+    namespace: infra
   helm:
     version: "0.x.x"
     chart: console
     url: https://pluralsh.github.io/console
     valuesFiles:
-    - console.yaml
+    - console.yaml.liquid
   clusterRef:
     kind: Cluster
     name: mgmt
diff --git a/setup/runtime.yaml b/setup/runtime.yaml
@@ -6,18 +6,21 @@ metadata:
 spec:
   namespace: plural-runtime
   git:
-    folder: helm-values
+    folder: helm
     ref: [[ or .Context.Branch "main" ]]
   repositoryRef:
     kind: GitRepository
     name: infra
     namespace: infra
+  configurationRef:
+    name: runtime-config
+    namespace: infra
   helm:
     version: "0.x.x"
     chart: runtime
     url: https://pluralsh.github.io/bootstrap
     valuesFiles:
-    - runtime.yaml
+    - runtime.yaml.liquid
   clusterRef:
     kind: Cluster
     name: mgmt
diff --git a/templates/providers/bootstrap/gcp.tf b/templates/providers/bootstrap/gcp.tf
@@ -35,6 +35,13 @@ terraform {
 
 data "google_client_config" "default" {}
 
+provider "kubernetes" {
+  alias                  = "bootstrap"
+  host                   = module.mgmt.cluster.endpoint
+  cluster_ca_certificate = base64decode(module.mgmt.cluster.ca_certificate)
+  token                  = data.google_client_config.default.access_token
+}
+
 provider "helm" {
   kubernetes {
     host                   = module.mgmt.cluster.endpoint
diff --git a/templates/setup/config-secrets.tf b/templates/setup/config-secrets.tf
diff --git a/templates/setup/console.tf b/templates/setup/console.tf
