From 46e2d7b8bd667e1a7a71e70682419d4d0d7ff92a Mon Sep 17 00:00:00 2001 
From: FSemti Dev Date: Mon, 11 Nov 2024 19:48:17 +0000 Subject: [PATCH 01/22] Initial commit :rocket: --- .sops.yaml | 12 ++ .../cert-manager/app/helmrelease.yaml | 31 ++++ .../cert-manager/app/kustomization.yaml | 5 + .../cert-manager/issuers/issuers.yaml | 39 +++++ .../cert-manager/issuers/kustomization.yaml | 6 + .../cert-manager/issuers/secret.sops.yaml | 26 ++++ .../apps/cert-manager/cert-manager/ks.yaml | 40 +++++ .../apps/cert-manager/kustomization.yaml | 6 + kubernetes/apps/cert-manager/namespace.yaml | 7 + .../apps/flux-system/kustomization.yaml | 6 + kubernetes/apps/flux-system/namespace.yaml | 7 + .../webhooks/app/github/ingress.yaml | 20 +++ .../webhooks/app/github/kustomization.yaml | 7 + .../webhooks/app/github/receiver.yaml | 25 +++ .../webhooks/app/github/secret.sops.yaml | 26 ++++ .../webhooks/app/kustomization.yaml | 5 + kubernetes/apps/flux-system/webhooks/ks.yaml | 19 +++ .../kube-system/cilium/app/helm-values.yaml | 57 +++++++ .../kube-system/cilium/app/helmrelease.yaml | 74 +++++++++ .../kube-system/cilium/app/kustomization.yaml | 11 ++ .../cilium/app/kustomizeconfig.yaml | 7 + .../kube-system/cilium/config/cilium-l2.yaml | 24 +++ .../cilium/config/kustomization.yaml | 5 + kubernetes/apps/kube-system/cilium/ks.yaml | 40 +++++ .../kube-system/coredns/app/helm-values.yaml | 50 ++++++ .../kube-system/coredns/app/helmrelease.yaml | 26 ++++ .../coredns/app/kustomization.yaml | 11 ++ .../coredns/app/kustomizeconfig.yaml | 7 + kubernetes/apps/kube-system/coredns/ks.yaml | 19 +++ .../kubelet-csr-approver/app/helm-values.yaml | 3 + .../kubelet-csr-approver/app/helmrelease.yaml | 30 ++++ .../app/kustomization.yaml | 11 ++ .../app/kustomizeconfig.yaml | 7 + .../kube-system/kubelet-csr-approver/ks.yaml | 19 +++ .../apps/kube-system/kustomization.yaml | 11 ++ .../metrics-server/app/helmrelease.yaml | 31 ++++ .../metrics-server/app/kustomization.yaml | 5 + .../apps/kube-system/metrics-server/ks.yaml | 19 +++ kubernetes/apps/kube-system/namespace.yaml | 7 + 
.../kube-system/reloader/app/helmrelease.yaml | 29 ++++ .../reloader/app/kustomization.yaml | 5 + kubernetes/apps/kube-system/reloader/ks.yaml | 19 +++ .../kube-system/spegel/app/helm-values.yaml | 7 + .../kube-system/spegel/app/helmrelease.yaml | 30 ++++ .../kube-system/spegel/app/kustomization.yaml | 11 ++ .../spegel/app/kustomizeconfig.yaml | 7 + kubernetes/apps/kube-system/spegel/ks.yaml | 19 +++ .../cloudflared/app/configs/config.yaml | 10 ++ .../network/cloudflared/app/dnsendpoint.yaml | 10 ++ .../network/cloudflared/app/helmrelease.yaml | 109 ++++++++++++++ .../cloudflared/app/kustomization.yaml | 13 ++ .../network/cloudflared/app/secret.sops.yaml | 27 ++++ kubernetes/apps/network/cloudflared/ks.yaml | 21 +++ .../network/echo-server/app/helmrelease.yaml | 91 +++++++++++ .../echo-server/app/kustomization.yaml | 5 + kubernetes/apps/network/echo-server/ks.yaml | 19 +++ .../network/external-dns/app/helmrelease.yaml | 48 ++++++ .../external-dns/app/kustomization.yaml | 6 + .../network/external-dns/app/secret.sops.yaml | 26 ++++ kubernetes/apps/network/external-dns/ks.yaml | 19 +++ .../certificates/kustomization.yaml | 5 + .../certificates/production.yaml | 14 ++ .../ingress-nginx/certificates/staging.yaml | 14 ++ .../ingress-nginx/external/helmrelease.yaml | 75 +++++++++ .../ingress-nginx/external/kustomization.yaml | 5 + .../ingress-nginx/internal/helmrelease.yaml | 72 +++++++++ .../ingress-nginx/internal/kustomization.yaml | 5 + kubernetes/apps/network/ingress-nginx/ks.yaml | 63 ++++++++ .../network/k8s-gateway/app/helmrelease.yaml | 33 ++++ .../k8s-gateway/app/kustomization.yaml | 5 + kubernetes/apps/network/k8s-gateway/ks.yaml | 19 +++ kubernetes/apps/network/kustomization.yaml | 10 ++ kubernetes/apps/network/namespace.yaml | 7 + .../apps/observability/kustomization.yaml | 6 + kubernetes/apps/observability/namespace.yaml | 7 + .../app/helmrelease.yaml | 22 +++ .../app/kustomization.yaml | 5 + .../prometheus-operator-crds/ks.yaml | 19 +++ 
.../apps/openebs-system/kustomization.yaml | 6 + kubernetes/apps/openebs-system/namespace.yaml | 7 + .../openebs/app/helmrelease.yaml | 48 ++++++ .../openebs/app/kustomization.yaml | 5 + .../apps/openebs-system/openebs/ks.yaml | 19 +++ kubernetes/bootstrap/flux/kustomization.yaml | 61 ++++++++ kubernetes/bootstrap/helmfile.yaml | 59 ++++++++ kubernetes/bootstrap/talos/patches/README.md | 15 ++ .../talos/patches/controller/api-access.yaml | 8 + .../talos/patches/controller/cluster.yaml | 25 +++ .../disable-admission-controller.yaml | 2 + .../talos/patches/controller/etcd.yaml | 6 + .../patches/global/cluster-discovery.yaml | 7 + .../talos/patches/global/containerd.yaml | 12 ++ .../patches/global/disable-search-domain.yaml | 3 + .../bootstrap/talos/patches/global/dns.yaml | 6 + .../talos/patches/global/hostdns.yaml | 6 + .../talos/patches/global/kubelet.yaml | 7 + .../bootstrap/talos/patches/global/ntp.yaml | 6 + .../talos/patches/global/openebs-local.yaml | 10 ++ .../talos/patches/global/sysctl.yaml | 7 + kubernetes/bootstrap/talos/talconfig.yaml | 142 ++++++++++++++++++ kubernetes/flux/apps.yaml | 56 +++++++ kubernetes/flux/config/cluster.yaml | 40 +++++ kubernetes/flux/config/flux.yaml | 86 +++++++++++ kubernetes/flux/config/kustomization.yaml | 6 + .../flux/repositories/git/kustomization.yaml | 4 + kubernetes/flux/repositories/helm/bjw-s.yaml | 10 ++ kubernetes/flux/repositories/helm/cilium.yaml | 9 ++ .../flux/repositories/helm/coredns.yaml | 9 ++ .../flux/repositories/helm/external-dns.yaml | 9 ++ .../flux/repositories/helm/ingress-nginx.yaml | 9 ++ .../flux/repositories/helm/jetstack.yaml | 9 ++ .../flux/repositories/helm/k8s-gateway.yaml | 9 ++ .../flux/repositories/helm/kustomization.yaml | 17 +++ .../repositories/helm/metrics-server.yaml | 9 ++ .../flux/repositories/helm/openebs.yaml | 9 ++ .../flux/repositories/helm/postfinance.yaml | 9 ++ .../helm/prometheus-community.yaml | 10 ++ kubernetes/flux/repositories/helm/spegel.yaml | 10 ++ 
.../flux/repositories/helm/stakater.yaml | 10 ++ .../flux/repositories/kustomization.yaml | 7 + .../flux/repositories/oci/kustomization.yaml | 4 + .../flux/vars/cluster-secrets.sops.yaml | 29 ++++ kubernetes/flux/vars/cluster-settings.yaml | 8 + kubernetes/flux/vars/kustomization.yaml | 5 + 124 files changed, 2528 insertions(+) create mode 100644 .sops.yaml create mode 100644 kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml create mode 100644 kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml create mode 100644 kubernetes/apps/cert-manager/cert-manager/issuers/issuers.yaml create mode 100644 kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml create mode 100644 kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml create mode 100644 kubernetes/apps/cert-manager/cert-manager/ks.yaml create mode 100644 kubernetes/apps/cert-manager/kustomization.yaml create mode 100644 kubernetes/apps/cert-manager/namespace.yaml create mode 100644 kubernetes/apps/flux-system/kustomization.yaml create mode 100644 kubernetes/apps/flux-system/namespace.yaml create mode 100644 kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml create mode 100644 kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml create mode 100644 kubernetes/apps/flux-system/webhooks/app/github/receiver.yaml create mode 100644 kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml create mode 100644 kubernetes/apps/flux-system/webhooks/app/kustomization.yaml create mode 100644 kubernetes/apps/flux-system/webhooks/ks.yaml create mode 100644 kubernetes/apps/kube-system/cilium/app/helm-values.yaml create mode 100644 kubernetes/apps/kube-system/cilium/app/helmrelease.yaml create mode 100644 kubernetes/apps/kube-system/cilium/app/kustomization.yaml create mode 100644 kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml create mode 100644 kubernetes/apps/kube-system/cilium/config/cilium-l2.yaml create mode 100644 
kubernetes/apps/kube-system/cilium/config/kustomization.yaml create mode 100644 kubernetes/apps/kube-system/cilium/ks.yaml create mode 100644 kubernetes/apps/kube-system/coredns/app/helm-values.yaml create mode 100644 kubernetes/apps/kube-system/coredns/app/helmrelease.yaml create mode 100644 kubernetes/apps/kube-system/coredns/app/kustomization.yaml create mode 100644 kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml create mode 100644 kubernetes/apps/kube-system/coredns/ks.yaml create mode 100644 kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml create mode 100644 kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml create mode 100644 kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml create mode 100644 kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml create mode 100644 kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml create mode 100644 kubernetes/apps/kube-system/kustomization.yaml create mode 100644 kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml create mode 100644 kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml create mode 100644 kubernetes/apps/kube-system/metrics-server/ks.yaml create mode 100644 kubernetes/apps/kube-system/namespace.yaml create mode 100644 kubernetes/apps/kube-system/reloader/app/helmrelease.yaml create mode 100644 kubernetes/apps/kube-system/reloader/app/kustomization.yaml create mode 100644 kubernetes/apps/kube-system/reloader/ks.yaml create mode 100644 kubernetes/apps/kube-system/spegel/app/helm-values.yaml create mode 100644 kubernetes/apps/kube-system/spegel/app/helmrelease.yaml create mode 100644 kubernetes/apps/kube-system/spegel/app/kustomization.yaml create mode 100644 kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml create mode 100644 kubernetes/apps/kube-system/spegel/ks.yaml create mode 100644 kubernetes/apps/network/cloudflared/app/configs/config.yaml create mode 100644 
kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml create mode 100644 kubernetes/apps/network/cloudflared/app/helmrelease.yaml create mode 100644 kubernetes/apps/network/cloudflared/app/kustomization.yaml create mode 100644 kubernetes/apps/network/cloudflared/app/secret.sops.yaml create mode 100644 kubernetes/apps/network/cloudflared/ks.yaml create mode 100644 kubernetes/apps/network/echo-server/app/helmrelease.yaml create mode 100644 kubernetes/apps/network/echo-server/app/kustomization.yaml create mode 100644 kubernetes/apps/network/echo-server/ks.yaml create mode 100644 kubernetes/apps/network/external-dns/app/helmrelease.yaml create mode 100644 kubernetes/apps/network/external-dns/app/kustomization.yaml create mode 100644 kubernetes/apps/network/external-dns/app/secret.sops.yaml create mode 100644 kubernetes/apps/network/external-dns/ks.yaml create mode 100644 kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml create mode 100644 kubernetes/apps/network/ingress-nginx/certificates/production.yaml create mode 100644 kubernetes/apps/network/ingress-nginx/certificates/staging.yaml create mode 100644 kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml create mode 100644 kubernetes/apps/network/ingress-nginx/external/kustomization.yaml create mode 100644 kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml create mode 100644 kubernetes/apps/network/ingress-nginx/internal/kustomization.yaml create mode 100644 kubernetes/apps/network/ingress-nginx/ks.yaml create mode 100644 kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml create mode 100644 kubernetes/apps/network/k8s-gateway/app/kustomization.yaml create mode 100644 kubernetes/apps/network/k8s-gateway/ks.yaml create mode 100644 kubernetes/apps/network/kustomization.yaml create mode 100644 kubernetes/apps/network/namespace.yaml create mode 100644 kubernetes/apps/observability/kustomization.yaml create mode 100644 kubernetes/apps/observability/namespace.yaml create 
mode 100644 kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml create mode 100644 kubernetes/apps/observability/prometheus-operator-crds/app/kustomization.yaml create mode 100644 kubernetes/apps/observability/prometheus-operator-crds/ks.yaml create mode 100644 kubernetes/apps/openebs-system/kustomization.yaml create mode 100644 kubernetes/apps/openebs-system/namespace.yaml create mode 100644 kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml create mode 100644 kubernetes/apps/openebs-system/openebs/app/kustomization.yaml create mode 100644 kubernetes/apps/openebs-system/openebs/ks.yaml create mode 100644 kubernetes/bootstrap/flux/kustomization.yaml create mode 100644 kubernetes/bootstrap/helmfile.yaml create mode 100644 kubernetes/bootstrap/talos/patches/README.md create mode 100644 kubernetes/bootstrap/talos/patches/controller/api-access.yaml create mode 100644 kubernetes/bootstrap/talos/patches/controller/cluster.yaml create mode 100644 kubernetes/bootstrap/talos/patches/controller/disable-admission-controller.yaml create mode 100644 kubernetes/bootstrap/talos/patches/controller/etcd.yaml create mode 100644 kubernetes/bootstrap/talos/patches/global/cluster-discovery.yaml create mode 100644 kubernetes/bootstrap/talos/patches/global/containerd.yaml create mode 100644 kubernetes/bootstrap/talos/patches/global/disable-search-domain.yaml create mode 100644 kubernetes/bootstrap/talos/patches/global/dns.yaml create mode 100644 kubernetes/bootstrap/talos/patches/global/hostdns.yaml create mode 100644 kubernetes/bootstrap/talos/patches/global/kubelet.yaml create mode 100644 kubernetes/bootstrap/talos/patches/global/ntp.yaml create mode 100644 kubernetes/bootstrap/talos/patches/global/openebs-local.yaml create mode 100644 kubernetes/bootstrap/talos/patches/global/sysctl.yaml create mode 100644 kubernetes/bootstrap/talos/talconfig.yaml create mode 100644 kubernetes/flux/apps.yaml create mode 100644 kubernetes/flux/config/cluster.yaml create 
mode 100644 kubernetes/flux/config/flux.yaml create mode 100644 kubernetes/flux/config/kustomization.yaml create mode 100644 kubernetes/flux/repositories/git/kustomization.yaml create mode 100644 kubernetes/flux/repositories/helm/bjw-s.yaml create mode 100644 kubernetes/flux/repositories/helm/cilium.yaml create mode 100644 kubernetes/flux/repositories/helm/coredns.yaml create mode 100644 kubernetes/flux/repositories/helm/external-dns.yaml create mode 100644 kubernetes/flux/repositories/helm/ingress-nginx.yaml create mode 100644 kubernetes/flux/repositories/helm/jetstack.yaml create mode 100644 kubernetes/flux/repositories/helm/k8s-gateway.yaml create mode 100644 kubernetes/flux/repositories/helm/kustomization.yaml create mode 100644 kubernetes/flux/repositories/helm/metrics-server.yaml create mode 100644 kubernetes/flux/repositories/helm/openebs.yaml create mode 100644 kubernetes/flux/repositories/helm/postfinance.yaml create mode 100644 kubernetes/flux/repositories/helm/prometheus-community.yaml create mode 100644 kubernetes/flux/repositories/helm/spegel.yaml create mode 100644 kubernetes/flux/repositories/helm/stakater.yaml create mode 100644 kubernetes/flux/repositories/kustomization.yaml create mode 100644 kubernetes/flux/repositories/oci/kustomization.yaml create mode 100644 kubernetes/flux/vars/cluster-secrets.sops.yaml create mode 100644 kubernetes/flux/vars/cluster-settings.yaml create mode 100644 kubernetes/flux/vars/kustomization.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 00000000000..c95bd8689bc
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,12 @@
+---
+creation_rules:
+ - # IMPORTANT: This rule MUST be above the others
+ path_regex: talos/.*\.sops\.ya?ml
+ key_groups:
+ - age:
+ - "age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7"
+ - path_regex: kubernetes/.*\.sops\.ya?ml
+ encrypted_regex: "^(data|stringData)$"
+ key_groups:
+ - age:
+ - "age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7"
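Review bot: Both `creation_rules` list the same single age recipient, so one private key is the only way to decrypt the Talos machine secrets and every Kubernetes Secret in this repo; losing it is unrecoverable, and rotating it means re-encrypting every `*.sops.yaml` with `sops updatekeys`. Consider adding a second recipient (an offline backup key) under each `age:` list, and a comment above `creation_rules:` stating where the private key is kept (presumably a `sops-age` Secret in `flux-system` plus a local copy) so nobody is tempted to commit it. It is also worth a one-line comment on the `talos/` rule that omitting `encrypted_regex` deliberately encrypts the whole file, in contrast to the `kubernetes/` rule below it which leaves `metadata` in cleartext.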
diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
new file mode 100644
index 00000000000..9d479bdfd06
--- /dev/null
+++ b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cert-manager
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: cert-manager
+ version: v1.16.1
+ sourceRef:
+ kind: HelmRepository
+ name: jetstack
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values:
+ crds:
+ enabled: true
+ dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
+ dns01RecursiveNameserversOnly: true
+ prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: true
diff --git a/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml
new file mode 100644
index 00000000000..5dd7baca73d
--- /dev/null
+++ b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/issuers.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/issuers.yaml
new file mode 100644
index 00000000000..1cf7148ac54
--- /dev/null
+++ b/kubernetes/apps/cert-manager/cert-manager/issuers/issuers.yaml
@@ -0,0 +1,39 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-production
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: "${SECRET_ACME_EMAIL}"
+ privateKeySecretRef:
+ name: letsencrypt-production
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ name: cert-manager-secret
+ key: api-token
+ selector:
+ dnsZones:
+ - "${SECRET_DOMAIN}"
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email: "${SECRET_ACME_EMAIL}"
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ name: cert-manager-secret
+ key: api-token
+ selector:
+ dnsZones:
+ - "${SECRET_DOMAIN}"
diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml
new file mode 100644
index 00000000000..17754be63fa
--- /dev/null
+++ b/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./secret.sops.yaml
+ - ./issuers.yaml
diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml
new file mode 100644
index 00000000000..a337bf80dcc
--- /dev/null
+++ b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml
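Review bot: Both ClusterIssuers share `cert-manager-secret`/`api-token`, and because they are cluster-scoped any namespace can request a certificate for any name under `${SECRET_DOMAIN}` using that one Cloudflare token, so the token's own permissions are the only real blast-radius limit here. The manifest cannot enforce that, so record it: above the first `apiTokenSecretRef:` add `# Cloudflare token must be scoped to Zone:DNS:Edit + Zone:Zone:Read for this zone only; cert-manager cannot narrow it further` so the next rotation keeps it minimal. The first document is also missing the leading `---` that every other file in this commit starts with; add it for consistency.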
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cert-manager-secret
+stringData:
+ api-token: ENC[AES256_GCM,data:OflLbnwyjIGe7enhl67EQfjbCSyxV5dhbLkYXnQg17um/PsGt00JTg==,iv:4LAMgUjpyydf0fl1/lAIGhlXsZjSWrMXbHQixyvFCf0=,tag:eO/KchLD7x4GWIs21Fl6+A==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzM3h6eGZxNmVVOVZnR1NG
+ clFvMjJqd2FvRXNZenR6c3RWamlmanJOVlIwCjZncUprQkJzYlRFQ2Q0QnBSeDJC
+ T0Fsb1RYUUFwSWlsSUFCdEpPbGxVVDAKLS0tIGxhdkNtcy9BMGwwdVMwZmZyekRH
+ TElBb0xtRFpoeWhPN2FCVVdDQm9TUmMKHFGpNu5swg2yZ+laHXp897PW6T3UMLUU
+ 1LTyK3Yjv8zRxE1rbGYf98BV5q/UQ2e8wKuC8qMXSsWBN2IhIzZawQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-11T19:48:00Z"
+ mac: ENC[AES256_GCM,data:EV1GHNs0Yp/lwTlhdRxKr/SuvSBnVis2j0t0XNygGqzBTD47jklMjudWm40aaET1CqatQPSolwMDTjDZDN7SQq/+YSUMkcDowd/Qet75sKjTVj7Pv3Jd/ATKJ9RPvRfbdfSTiLz5B6Jh7QHE27HU301SO4nAd2IS0c8IpZ89vf0=,iv:sqcOFZx4zOPMaZAbPJMP/TtzRegTo4dptExPJS9s0mk=,tag:/wmV/kmF6VLX784Iz2+WAA==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.1
diff --git a/kubernetes/apps/cert-manager/cert-manager/ks.yaml b/kubernetes/apps/cert-manager/cert-manager/ks.yaml
new file mode 100644
index 00000000000..31ef863501c
--- /dev/null
+++ b/kubernetes/apps/cert-manager/cert-manager/ks.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cert-manager
+ namespace: flux-system
+spec:
+ targetNamespace: cert-manager
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/cert-manager/cert-manager/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ timeout: 5m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cert-manager-issuers
+ namespace: flux-system
+spec:
+ targetNamespace: cert-manager
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: cert-manager
+ path: ./kubernetes/apps/cert-manager/cert-manager/issuers
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ timeout: 5m
diff --git a/kubernetes/apps/cert-manager/kustomization.yaml b/kubernetes/apps/cert-manager/kustomization.yaml
new file mode 100644
index 00000000000..a0a3e5edf1b
--- /dev/null
+++ b/kubernetes/apps/cert-manager/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./cert-manager/ks.yaml
diff --git a/kubernetes/apps/cert-manager/namespace.yaml b/kubernetes/apps/cert-manager/namespace.yaml
new file mode 100644
index 00000000000..ed788350f1a
--- /dev/null
+++ b/kubernetes/apps/cert-manager/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/flux-system/kustomization.yaml b/kubernetes/apps/flux-system/kustomization.yaml
new file mode 100644
index 00000000000..10587f8c9fe
--- /dev/null
+++ b/kubernetes/apps/flux-system/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./webhooks/ks.yaml
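Review bot: `prune: true` on the `cert-manager` Kustomization means that if this object is removed or its `path` changes, Flux garbage-collects the HelmRelease and Helm uninstalls the chart; since `crds.enabled: true` in the sibling helmrelease has the chart own the CRDs, that could take every Certificate, Issuer and ClusterIssuer in the cluster with it unless the chart's CRD keep policy intervenes, which I cannot verify from here. The `cilium` Kustomization in this same commit guards against exactly this with `prune: false # never should be deleted`; cert-manager deserves the same treatment: `prune: false # owns CRDs; pruning would remove all Certificates`. The `cert-manager-issuers` Kustomization below it can safely keep `prune: true`.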
diff --git a/kubernetes/apps/flux-system/namespace.yaml b/kubernetes/apps/flux-system/namespace.yaml
new file mode 100644
index 00000000000..b48db4521b3
--- /dev/null
+++ b/kubernetes/apps/flux-system/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: flux-system
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml b/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml
new file mode 100644
index 00000000000..e20604f0468
--- /dev/null
+++ b/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: flux-webhook
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}"
+spec:
+ ingressClassName: external
+ rules:
+ - host: "flux-webhook.${SECRET_DOMAIN}"
+ http:
+ paths:
+ - path: /hook/
+ pathType: Prefix
+ backend:
+ service:
+ name: webhook-receiver
+ port:
+ number: 80
diff --git a/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml b/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml
new file mode 100644
index 00000000000..786e654a564
--- /dev/null
+++ b/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./secret.sops.yaml
+ - ./ingress.yaml
+ - ./receiver.yaml
diff --git a/kubernetes/apps/flux-system/webhooks/app/github/receiver.yaml b/kubernetes/apps/flux-system/webhooks/app/github/receiver.yaml
new file mode 100644
index 00000000000..cca5931bd55
--- /dev/null
+++ b/kubernetes/apps/flux-system/webhooks/app/github/receiver.yaml
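Review bot: The Ingress publishes Flux's webhook receiver under `ingressClassName: external` with an external-dns target, i.e. reachable from the internet, yet it carries no `spec.tls` block, so TLS on this hostname is whatever the external path supplies (presumably the cloudflared tunnel in this commit terminates it upstream and forwards plain HTTP to ingress-nginx, which is worth confirming and documenting). The receiver does verify GitHub's HMAC signature against `github-webhook-token-secret`, so this is not an open trigger, but the `/hook/` Prefix is still a public probe surface for the notification-controller. Either add a `spec.tls` entry using the certificate that `ingress-nginx/certificates/production.yaml` in this commit appears to define, or add a comment above `ingressClassName:` such as `# TLS terminated by cloudflared; path is protected only by the GitHub webhook HMAC` so the trust boundary is explicit.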
@@ -0,0 +1,25 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: github-receiver
+spec:
+ type: github
+ events:
+ - ping
+ - push
+ secretRef:
+ name: github-webhook-token-secret
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1
+ kind: GitRepository
+ name: home-kubernetes
+ namespace: flux-system
+ - apiVersion: kustomize.toolkit.fluxcd.io/v1
+ kind: Kustomization
+ name: cluster
+ namespace: flux-system
+ - apiVersion: kustomize.toolkit.fluxcd.io/v1
+ kind: Kustomization
+ name: cluster-apps
+ namespace: flux-system
diff --git a/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml b/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml
new file mode 100644
index 00000000000..17ff9c38bdc
--- /dev/null
+++ b/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: github-webhook-token-secret
+stringData:
+ token: ENC[AES256_GCM,data:zzy9BWKjrsSZbyXjn/x6m8lKmJuXXUojVkOVu7kfXWQ=,iv:hrDOUis1aLY2tK/aNv+H7piqophtZHjkQmahmYaDloU=,tag:VhhcDzrd+V8p1qR4FdKVYA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByaXlUTGdDK0p3RE1EL2Ft
+ K0FqVEZkQ01aYnFFN3JuVGVEbmtmSDRCSWhFCkNQSWxUWVdGbHIwNk96bnpTUExG
+ bkVXZzlLcm5NMVVFK0FoZ2ZqYVY2VnMKLS0tIGdlTWYxcGMyRExUVkg3S1JnQlRQ
+ WWI4R3NiTzdndE42Q2pTcjc4NURmL2MKyuCYpEq5js2Y+XqyKBE/rG/p6x8MVz95
+ AqYkIF/uVnML9tGqpE1nGeu/FEWDDQS+LZ2k/stR6xUd8k0fu1rDww==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-11T19:48:00Z"
+ mac: ENC[AES256_GCM,data:tMvgI0+z2KJplpsRCT+xbe+sNOEccNda7wyhtUiGwwvzbi0EaNR85ufEW0JpyW8AuKsgSwN9Y66vGf52SB6BTzRNCFwSPSNmA0j0Uz80A5jg9Nl16ykSaysGiV4uTp4LTQ2rCweZ1GQmPV5IlZ83NXpJKAwvGeyLSbI7R+fYKzY=,iv:xKCgr7GvxOaE1ySHcADYhDEQ81KK72PE/a1Aud/C4lc=,tag:FQkv+bqUNCWDjAhyr0U1Zg==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.1
diff --git a/kubernetes/apps/flux-system/webhooks/app/kustomization.yaml b/kubernetes/apps/flux-system/webhooks/app/kustomization.yaml
new file mode 100644
index 00000000000..ccd8b3eb8d0
--- /dev/null
+++ b/kubernetes/apps/flux-system/webhooks/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./github
diff --git a/kubernetes/apps/flux-system/webhooks/ks.yaml b/kubernetes/apps/flux-system/webhooks/ks.yaml
new file mode 100644
index 00000000000..25e4b9d5f7b
--- /dev/null
+++ b/kubernetes/apps/flux-system/webhooks/ks.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app flux-webhooks
+ namespace: flux-system
+spec:
+ targetNamespace: flux-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/flux-system/webhooks/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ timeout: 5m
diff --git a/kubernetes/apps/kube-system/cilium/app/helm-values.yaml b/kubernetes/apps/kube-system/cilium/app/helm-values.yaml
new file mode 100644
index 00000000000..bc66a62e786
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/app/helm-values.yaml
@@ -0,0 +1,57 @@
+---
+autoDirectNodeRoutes: true
+bpf:
+ masquerade: false # Required for Talos `.machine.features.hostDNS.forwardKubeDNSToHost`
+cgroup:
+ automount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
+cluster:
+ id: 1
+ name: "home-kubernetes"
+cni:
+ exclusive: false
+# NOTE: devices might need to be set if you have more than one active NIC on your hosts
+# devices: eno+ eth+
+endpointRoutes:
+ enabled: true
+envoy:
+ enabled: false
+hubble:
+ enabled: false
+ipam:
+ mode: kubernetes
+ipv4NativeRoutingCIDR: "10.69.0.0/16"
+k8sServiceHost: 127.0.0.1
+k8sServicePort: 7445
+kubeProxyReplacement: true
+kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
+l2announcements:
+ enabled: true
+loadBalancer:
+ algorithm: maglev
+ mode: "dsr"
+localRedirectPolicy: true
+operator:
+ replicas: 1
+ rollOutPods: true
+rollOutCiliumPods: true
+routingMode: native
+securityContext:
+ capabilities:
+ ciliumAgent:
+ - CHOWN
+ - KILL
+ - NET_ADMIN
+ - NET_RAW
+ - IPC_LOCK
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ cleanCiliumState:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE
diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
new file mode 100644
index 00000000000..8e38862cf78
--- /dev/null
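Review bot: `hubble.enabled: false` in this file is overridden by `hubble.enabled: true` in the `helmrelease.yaml` added in this same commit, because Flux merges a HelmRelease's `.spec.values` over its `.spec.valuesFrom`; this file is therefore authoritative only for whatever consumes it directly (presumably the bootstrap helmfile listed in the diffstat), and a reader here will wrongly conclude Hubble is off. Add a comment above `hubble:` such as `# Bootstrap-time value only; the Flux HelmRelease re-enables Hubble (relay + UI) once the cluster is up`. Separately, `kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256` listens on every node interface; if the nodes have a NIC outside the cluster network, bind it to the node address instead or note that this unauthenticated healthz endpoint is intentionally reachable from there.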
+++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
@@ -0,0 +1,74 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cilium
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: cilium
+ version: 1.16.3
+ sourceRef:
+ kind: HelmRepository
+ name: cilium
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ valuesFrom:
+ - kind: ConfigMap
+ name: cilium-helm-values
+ values:
+ hubble:
+ enabled: true
+ metrics:
+ enabled:
+ - dns:query
+ - drop
+ - tcp
+ - flow
+ - port-distribution
+ - icmp
+ - http
+ serviceMonitor:
+ enabled: true
+ dashboards:
+ enabled: true
+ annotations:
+ grafana_folder: Cilium
+ relay:
+ enabled: true
+ rollOutPods: true
+ prometheus:
+ serviceMonitor:
+ enabled: true
+ ui:
+ enabled: true
+ rollOutPods: true
+ ingress:
+ enabled: true
+ className: internal
+ hosts: ["hubble.${SECRET_DOMAIN}"]
+ operator:
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ dashboards:
+ enabled: true
+ annotations:
+ grafana_folder: Cilium
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ trustCRDsExist: true
+ dashboards:
+ enabled: true
+ annotations:
+ grafana_folder: Cilium
diff --git a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml
new file mode 100644
index 00000000000..b4f3860b0e2
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
+configMapGenerator:
+ - name: cilium-helm-values
+ files:
+ - values.yaml=./helm-values.yaml
+configurations:
+ - kustomizeconfig.yaml
diff --git a/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml
new file mode 100644
index 00000000000..58f92ba1530
--- /dev/null
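Review bot: `hubble.ui.ingress` publishes the Hubble UI at `hubble.${SECRET_DOMAIN}` with no authentication of any kind — Hubble UI has no built-in login, and via relay it shows every flow in the cluster, including the DNS queries and HTTP metadata that the `metrics.enabled` list above (`dns:query`, `http`) switches on. `className: internal` narrows reach to whoever can route to the internal ingress, which may be acceptable on a home LAN, but it should be a recorded decision rather than a default. Either put the UI behind an ingress-nginx auth annotation under `ingress:` (e.g. `nginx.ingress.kubernetes.io/auth-url` pointing at a forward-auth provider) or add a comment above `ingress:` such as `# Unauthenticated; relies on the internal ingress class being LAN-only`.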
+++ b/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+ - kind: ConfigMap
+ version: v1
+ fieldSpecs:
+ - path: spec/valuesFrom/name
+ kind: HelmRelease
diff --git a/kubernetes/apps/kube-system/cilium/config/cilium-l2.yaml b/kubernetes/apps/kube-system/cilium/config/cilium-l2.yaml
new file mode 100644
index 00000000000..219372597c4
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/config/cilium-l2.yaml
@@ -0,0 +1,24 @@
+---
+# https://docs.cilium.io/en/latest/network/l2-announcements
+apiVersion: cilium.io/v2alpha1
+kind: CiliumL2AnnouncementPolicy
+metadata:
+ name: l2-policy
+spec:
+ loadBalancerIPs: true
+ # NOTE: interfaces might need to be set if you have more than one active NIC on your hosts
+ # interfaces:
+ # - ^eno[0-9]+
+ # - ^eth[0-9]+
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/os: linux
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumLoadBalancerIPPool
+metadata:
+ name: l2-pool
+spec:
+ allowFirstLastIPs: "Yes"
+ blocks:
+ - cidr: "10.0.40.0/24"
diff --git a/kubernetes/apps/kube-system/cilium/config/kustomization.yaml b/kubernetes/apps/kube-system/cilium/config/kustomization.yaml
new file mode 100644
index 00000000000..f6899653835
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/config/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./cilium-l2.yaml
diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml
new file mode 100644
index 00000000000..2b0c235c496
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/ks.yaml
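Review bot: `allowFirstLastIPs: "Yes"` lets the pool assign `10.0.40.0` and `10.0.40.255`; if `10.0.40.0/24` is a real routed subnet on the LAN rather than a purely logical block, those are its network and broadcast addresses and many hosts, switches and routers will not deliver traffic to them, so a LoadBalancer Service can silently land on an unreachable IP. Unless the block is known not to be a real subnet, set `allowFirstLastIPs: "No"` or choose a narrower range. The `CiliumL2AnnouncementPolicy` also carries no `serviceSelector`, so every LoadBalancer Service in the cluster is ARP-announced on the node LAN and directly reachable by any LAN host; if that is intended, a comment above `loadBalancerIPs: true` saying so would save the next reader a trip to the docs.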
@@ -0,0 +1,40 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app cilium + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/kube-system/cilium/app + prune: false # never should be deleted + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: true + interval: 30m + timeout: 5m +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app cilium-config + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: cilium + path: ./kubernetes/apps/kube-system/cilium/config + prune: false # never should be deleted + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/apps/kube-system/coredns/app/helm-values.yaml b/kubernetes/apps/kube-system/coredns/app/helm-values.yaml new file mode 100644 index 00000000000..22da0298699 --- /dev/null +++ b/kubernetes/apps/kube-system/coredns/app/helm-values.yaml 
@@ -0,0 +1,50 @@ +--- +fullnameOverride: coredns +k8sAppLabelOverride: kube-dns +serviceAccount: + create: true +service: + name: kube-dns + clusterIP: "10.96.0.10" +servers: + - zones: + - zone: . + scheme: dns:// + use_tcp: true + port: 53 + plugins: + - name: errors + - name: health + configBlock: |- + lameduck 5s + - name: ready + - name: log + configBlock: |- + class error + - name: prometheus + parameters: 0.0.0.0:9153 + - name: kubernetes + parameters: cluster.local in-addr.arpa ip6.arpa + configBlock: |- + pods insecure + fallthrough in-addr.arpa ip6.arpa + - name: forward + parameters: . /etc/resolv.conf + - name: cache + parameters: 30 + - name: loop + - name: reload + - name: loadbalance +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists +tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule diff --git a/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml b/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml new file mode 100644 index 00000000000..72c947c2602 --- /dev/null +++ b/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: coredns +spec: + interval: 30m + chart: + spec: + chart: coredns + version: 1.36.1 + sourceRef: + kind: HelmRepository + name: coredns + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + valuesFrom: + - kind: ConfigMap + name: coredns-helm-values diff --git a/kubernetes/apps/kube-system/coredns/app/kustomization.yaml b/kubernetes/apps/kube-system/coredns/app/kustomization.yaml new file mode 100644 index 00000000000..691355b567d --- /dev/null 
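Review bot: The `kubernetes` plugin block in the CoreDNS values uses `pods insecure`, which answers `<a-b-c-d>.<namespace>.pod.cluster.local` for any IP-shaped name without checking that such a pod exists in that namespace; it exists only for kube-dns compatibility and lets a client forge pod DNS names that pass naive forward/reverse checks. Unless something in this cluster still depends on it (nothing visible here does), change the line to `pods verified` — or remove it, since `disabled` is the default — and add `# pods verified: only answer pod A records for pods that actually exist` above it so the insecure form is not copied back from a template. Note also that `forward . /etc/resolv.conf` sends every non-cluster query to whatever resolver the control-plane node's resolv.conf names, which is worth a one-line comment since CoreDNS is pinned to those nodes by the affinity below.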
+++ b/kubernetes/apps/kube-system/coredns/app/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml +configMapGenerator: + - name: coredns-helm-values + files: + - values.yaml=./helm-values.yaml +configurations: + - kustomizeconfig.yaml diff --git a/kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml new file mode 100644 index 00000000000..58f92ba1530 --- /dev/null +++ b/kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease diff --git a/kubernetes/apps/kube-system/coredns/ks.yaml b/kubernetes/apps/kube-system/coredns/ks.yaml new file mode 100644 index 00000000000..afa7ae2f151 --- /dev/null +++ b/kubernetes/apps/kube-system/coredns/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app coredns + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/kube-system/coredns/app + prune: false # never should be deleted + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml new file mode 100644 index 00000000000..122a9817f5b --- /dev/null +++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml @@ -0,0 +1,3 @@ +--- +providerRegex: ^(k8s-m0|k8s-w0|k8s-m1|k8s-w1|k8s-m2|k8s-w2)$ +bypassDnsResolution: true diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml new file mode 100644 index 00000000000..f3e6a7d10a5 
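Review bot: In kubelet-csr-approver's helm-values, `bypassDnsResolution: true` with no `providerIpPrefixes` skips the only check that ties the IP SANs of a kubelet serving CSR to the node, so any principal that can submit a CSR as `system:node:<name>` for a name matching `providerRegex` gets a serving certificate for arbitrary IP addresses auto-approved. Bypassing DNS is reasonable when node names do not resolve, but then bound the SANs explicitly: `providerIpPrefixes: ["<node-subnet>/24"]` (the node CIDR is not visible in this commit). A comment such as `# bypassDnsResolution: node names are not resolvable; IP SANs are bounded by providerIpPrefixes instead` keeps the trade-off from being lost next to the fixed six-name regex.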
--- /dev/null +++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: kubelet-csr-approver +spec: + interval: 30m + chart: + spec: + chart: kubelet-csr-approver + version: 1.2.3 + sourceRef: + kind: HelmRepository + name: postfinance + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + valuesFrom: + - kind: ConfigMap + name: kubelet-csr-approver-helm-values + values: + metrics: + enable: true + serviceMonitor: + enabled: true diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml new file mode 100644 index 00000000000..30dddafcbad --- /dev/null +++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml +configMapGenerator: + - name: kubelet-csr-approver-helm-values + files: + - values.yaml=./helm-values.yaml +configurations: + - kustomizeconfig.yaml diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml new file mode 100644 index 00000000000..58f92ba1530 --- /dev/null +++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml new file mode 100644 index 00000000000..8fc9282f8a0 --- /dev/null +++ b/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml 
@@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app kubelet-csr-approver + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/kube-system/kubelet-csr-approver/app + prune: false # never should be deleted + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml new file mode 100644 index 00000000000..7a71f70fdfc --- /dev/null +++ b/kubernetes/apps/kube-system/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./cilium/ks.yaml + - ./coredns/ks.yaml + - ./metrics-server/ks.yaml + - ./reloader/ks.yaml + - ./kubelet-csr-approver/ks.yaml + - ./spegel/ks.yaml diff --git a/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml new file mode 100644 index 00000000000..9c0b22b5254 --- /dev/null +++ b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: metrics-server +spec: + interval: 30m + chart: + spec: + chart: metrics-server + version: 3.12.2 + sourceRef: + kind: HelmRepository + name: metrics-server + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + args: + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --kubelet-use-node-status-port + - --metric-resolution=15s + metrics: + enabled: true + serviceMonitor: + enabled: true 
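Review bot: The metrics-server `args` list correctly omits `--kubelet-insecure-tls`, so metrics-server verifies each kubelet's serving certificate against the cluster CA — which in this cluster works only because kubelet-csr-approver (added in the same commit) approves the kubelet serving CSRs. That dependency is invisible here, and the usual reflex when scrapes start failing with x509 errors is to add the insecure flag; a comment above `args:` such as `# kubelet serving certs are signed via kubelet-csr-approver; do NOT add --kubelet-insecure-tls` would steer the fix toward the approver instead. A `dependsOn` on `kubelet-csr-approver` in the accompanying ks.yaml would also make the ordering explicit on a fresh bootstrap.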
diff --git a/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml b/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml new file mode 100644 index 00000000000..5dd7baca73d --- /dev/null +++ b/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/kube-system/metrics-server/ks.yaml b/kubernetes/apps/kube-system/metrics-server/ks.yaml new file mode 100644 index 00000000000..10828aaae2c --- /dev/null +++ b/kubernetes/apps/kube-system/metrics-server/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app metrics-server + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/kube-system/metrics-server/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/apps/kube-system/namespace.yaml b/kubernetes/apps/kube-system/namespace.yaml new file mode 100644 index 00000000000..5eeb2c9183c --- /dev/null +++ b/kubernetes/apps/kube-system/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: kube-system + labels: + kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml b/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml new file mode 100644 index 00000000000..64dc3493ee9 --- /dev/null +++ b/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml 
@@ -0,0 +1,29 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: reloader +spec: + interval: 30m + chart: + spec: + chart: reloader + version: 1.1.0 + sourceRef: + kind: HelmRepository + name: stakater + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + fullnameOverride: reloader + reloader: + readOnlyRootFileSystem: true + podMonitor: + enabled: true + namespace: "{{ .Release.Namespace }}" diff --git a/kubernetes/apps/kube-system/reloader/app/kustomization.yaml b/kubernetes/apps/kube-system/reloader/app/kustomization.yaml new file mode 100644 index 00000000000..5dd7baca73d --- /dev/null +++ b/kubernetes/apps/kube-system/reloader/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/kube-system/reloader/ks.yaml b/kubernetes/apps/kube-system/reloader/ks.yaml new file mode 100644 index 00000000000..c0e669e2cae --- /dev/null +++ b/kubernetes/apps/kube-system/reloader/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app reloader + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/kube-system/reloader/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/apps/kube-system/spegel/app/helm-values.yaml b/kubernetes/apps/kube-system/spegel/app/helm-values.yaml new file mode 100644 index 00000000000..a4185ae3689 --- /dev/null +++ b/kubernetes/apps/kube-system/spegel/app/helm-values.yaml @@ -0,0 +1,7 @@ +--- +spegel: + containerdSock: /run/containerd/containerd.sock + containerdRegistryConfigPath: /etc/cri/conf.d/hosts +service: + registry: + hostPort: 29999 
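Review bot: In spegel's helm-values, `service.registry.hostPort: 29999` publishes the Spegel registry on every node's host interfaces, and Spegel serves whatever is in containerd's content store without authentication, so any host that can reach a node on TCP/29999 can pull every image cached on the cluster — including images that were originally pulled from private registries with credentials. If the node network is not fully trusted, restrict that port at the host firewall or with a Cilium host policy to the node subnet (the subnet is not visible here), and record the exposure next to the value: `# hostPort is unauthenticated; it exposes the local image cache to anything reachable on the node network`. The `containerdSock` mount is inherent to Spegel's design but is node-root-equivalent; keep that in mind when reviewing PodSecurity settings for kube-system.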
diff --git a/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml b/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml new file mode 100644 index 00000000000..ea255fc4b11 --- /dev/null +++ b/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: spegel +spec: + interval: 30m + chart: + spec: + chart: spegel + version: v0.0.27 + sourceRef: + kind: HelmRepository + name: spegel + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + valuesFrom: + - kind: ConfigMap + name: spegel-helm-values + values: + grafanaDashboard: + enabled: true + serviceMonitor: + enabled: true diff --git a/kubernetes/apps/kube-system/spegel/app/kustomization.yaml b/kubernetes/apps/kube-system/spegel/app/kustomization.yaml new file mode 100644 index 00000000000..1e1aa1d17cf --- /dev/null +++ b/kubernetes/apps/kube-system/spegel/app/kustomization.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml +configMapGenerator: + - name: spegel-helm-values + files: + - values.yaml=./helm-values.yaml +configurations: + - kustomizeconfig.yaml diff --git a/kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml new file mode 100644 index 00000000000..58f92ba1530 --- /dev/null +++ b/kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease diff --git a/kubernetes/apps/kube-system/spegel/ks.yaml b/kubernetes/apps/kube-system/spegel/ks.yaml new file mode 100644 index 00000000000..866bb6b966e --- /dev/null +++ b/kubernetes/apps/kube-system/spegel/ks.yaml 
@@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app spegel + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/kube-system/spegel/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/apps/network/cloudflared/app/configs/config.yaml b/kubernetes/apps/network/cloudflared/app/configs/config.yaml new file mode 100644 index 00000000000..05bcef5cff0 --- /dev/null +++ b/kubernetes/apps/network/cloudflared/app/configs/config.yaml @@ -0,0 +1,10 @@ +--- +originRequest: + originServerName: "external.${SECRET_DOMAIN}" + +ingress: + - hostname: "${SECRET_DOMAIN}" + service: https://ingress-nginx-external-controller.network.svc.cluster.local:443 + - hostname: "*.${SECRET_DOMAIN}" + service: https://ingress-nginx-external-controller.network.svc.cluster.local:443 + - service: http_status:404 diff --git a/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml b/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml new file mode 100644 index 00000000000..43d7d7b2955 --- /dev/null +++ b/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: externaldns.k8s.io/v1alpha1 +kind: DNSEndpoint +metadata: + name: cloudflared +spec: + endpoints: + - dnsName: "external.${SECRET_DOMAIN}" + recordType: CNAME + targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"] diff --git a/kubernetes/apps/network/cloudflared/app/helmrelease.yaml b/kubernetes/apps/network/cloudflared/app/helmrelease.yaml new file mode 100644 index 00000000000..7e482f7d0b3 --- /dev/null +++ b/kubernetes/apps/network/cloudflared/app/helmrelease.yaml 
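Review bot: In cloudflared's config.yaml, `originServerName: external.${SECRET_DOMAIN}` keeps origin TLS verification on (no `noTLSVerify`), which is the right posture, but the external ingress-nginx controller in this commit serves the Let's Encrypt staging certificate (`default-ssl-certificate: ...-staging-tls`), whose chain is not publicly trusted, so cloudflared should reject the origin until the production certificate is switched in. The tempting fix when that 502 appears is `originRequest.noTLSVerify: true`; a comment above `originRequest:` such as `# origin TLS is verified on purpose — switch the ingress default cert to production instead of setting noTLSVerify` would steer the next person to the correct change. The trailing `http_status:404` catch-all is good; keep it last.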
@@ -0,0 +1,109 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cloudflared +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 3.5.1 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + controllers: + cloudflared: + strategy: RollingUpdate + annotations: + reloader.stakater.com/auto: "true" + containers: + app: + image: + repository: docker.io/cloudflare/cloudflared + tag: 2024.11.0 + env: + NO_AUTOUPDATE: true + TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json + TUNNEL_METRICS: 0.0.0.0:8080 + TUNNEL_ORIGIN_ENABLE_HTTP2: true + TUNNEL_TRANSPORT_PROTOCOL: quic + TUNNEL_POST_QUANTUM: true + TUNNEL_ID: + valueFrom: + secretKeyRef: + name: cloudflared-secret + key: TUNNEL_ID + args: + - tunnel + - --config + - /etc/cloudflared/config/config.yaml + - run + - "$(TUNNEL_ID)" + probes: + liveness: &probes + enabled: true + custom: true + spec: + httpGet: + path: /ready + port: &port 8080 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + readiness: *probes + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: ["ALL"] } + resources: + requests: + cpu: 10m + limits: + memory: 256Mi + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + seccompProfile: { type: RuntimeDefault } + service: + app: + controller: cloudflared + ports: + http: + port: *port + serviceMonitor: + app: + serviceName: cloudflared + endpoints: + - port: http + scheme: http + path: /metrics + interval: 1m + scrapeTimeout: 10s + persistence: + config: + type: configMap + name: cloudflared-configmap + globalMounts: + - path: /etc/cloudflared/config/config.yaml + subPath: config.yaml + readOnly: true + creds: + type: secret + name: cloudflared-secret + globalMounts: + - path: 
/etc/cloudflared/creds/credentials.json + subPath: credentials.json + readOnly: true diff --git a/kubernetes/apps/network/cloudflared/app/kustomization.yaml b/kubernetes/apps/network/cloudflared/app/kustomization.yaml new file mode 100644 index 00000000000..891a864adf7 --- /dev/null +++ b/kubernetes/apps/network/cloudflared/app/kustomization.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./dnsendpoint.yaml + - ./secret.sops.yaml + - ./helmrelease.yaml +configMapGenerator: + - name: cloudflared-configmap + files: + - ./configs/config.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/kubernetes/apps/network/cloudflared/app/secret.sops.yaml b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml new file mode 100644 index 00000000000..470cadebbcf --- /dev/null +++ b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cloudflared-secret +stringData: + TUNNEL_ID: ENC[AES256_GCM,data:ByABpr4qDysmja6xLt2+Bvlk3nHAyUQI9hLeEzVlkAWRTb9w,iv:3ukmLwuXz49D4aR+ClXyzTWXFTOIlG+YBQA4kakoMoo=,tag:dSXNf3OYtUDSMcYq/WOypw==,type:str] + credentials.json: ENC[AES256_GCM,data:tvxIgB1FH+MBiQhDjDPdF8+tp10f/92jvaVJ0DV4dvGHaXxl8rQETHAUGuaF67UYRfOPT1VZertDSf0pCvzDWlEhKkGgFKIiOKTEzFh96qS8p0qMCMjk+RyZdY6kl71oLZUKilo6Lj8LEjyIbQOpe385/elFbIFogpbAKJZxVCzbawbRPK28s58MGMo2vailuNBzGSoS34fXqx5vibSmfqIBiHYmAelHIGbg5QhxUQ==,iv:8SLyg8CAWzHJmvZVgkruC0sEpZvkTYiY4DtjnY/6a5M=,tag:ICGEALhmbKjiAQE7iuR8DQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbGlLT05nZmYzQzFVekxY + R2g1OGVEQzMxQzNuZTFWWXR3aDJqL3BTOEhnCk9SRG9KRzI4V3d6Slk5dWpaUHI1 + bWVGUUt2b0RHV2JWMCtFR1dnMmtub0kKLS0tIFozeXpndGlPUklTeU45K2xQUWZp + UlJEVnl1QktQL0ZKTHlDMHJxUXRpemcKnZ1Mb+SSXu4h1phNfqBqdofnPveANMHQ + f11nxAyNxp5VFtbkQvDsHd2XzFPvV0CSaZ5i7f2kb+RNBxT1jV0gLQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-11T19:48:00Z" + mac: ENC[AES256_GCM,data:PBc1/JvQEawSIx5SPCgMwiCXHohXKGTE5Kha+9Xkzc+kIMy1sV9aINu8V4T2kgqIoheH5jj1TV+ArT7FmYI2TaUJzgCQa5Kjuog8wSmOj90Qlki4GBFXY3flfqs8y/AWLlBGSC8afM1lpD5zwNL4a9Cw5OiVoHTB0L4k1UG4UnU=,iv:BDquUmR1ZmFnYpfa2aMGlhOT9EDKs9Lctd9IpeBKcCk=,tag:ZYavA0zSaDJmheL5SyxQpg==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/kubernetes/apps/network/cloudflared/ks.yaml b/kubernetes/apps/network/cloudflared/ks.yaml new file mode 100644 index 00000000000..01eb3909bc6 --- /dev/null +++ b/kubernetes/apps/network/cloudflared/ks.yaml 
@@ -0,0 +1,21 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app cloudflared + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: external-dns + path: ./kubernetes/apps/network/cloudflared/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/apps/network/echo-server/app/helmrelease.yaml b/kubernetes/apps/network/echo-server/app/helmrelease.yaml new file mode 100644 index 00000000000..26c17a567ef --- /dev/null +++ b/kubernetes/apps/network/echo-server/app/helmrelease.yaml 
@@ -0,0 +1,91 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: echo-server +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 3.5.1 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + controllers: + echo-server: + strategy: RollingUpdate + containers: + app: + image: + repository: ghcr.io/mendhak/http-https-echo + tag: 35 + env: + HTTP_PORT: &port 8080 + LOG_WITHOUT_NEWLINE: true + LOG_IGNORE_PATH: /healthz + PROMETHEUS_ENABLED: true + probes: + liveness: &probes + enabled: true + custom: true + spec: + httpGet: + path: /healthz + port: *port + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + readiness: *probes + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: ["ALL"] } + resources: + requests: + cpu: 10m + limits: + memory: 64Mi + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + seccompProfile: { type: RuntimeDefault } + service: + app: + controller: echo-server + ports: + http: + port: *port + serviceMonitor: + app: + serviceName: echo-server + endpoints: + - port: http + scheme: http + path: /metrics + interval: 1m + scrapeTimeout: 10s + ingress: + app: + className: external + annotations: + external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}" + hosts: + - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + paths: + - path: / + service: + identifier: app + port: http diff --git a/kubernetes/apps/network/echo-server/app/kustomization.yaml b/kubernetes/apps/network/echo-server/app/kustomization.yaml new file mode 100644 index 00000000000..5dd7baca73d --- /dev/null +++ b/kubernetes/apps/network/echo-server/app/kustomization.yaml 
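Review bot: The `ingress.app` block publishes echo-server on the `external` class with an external-dns target, i.e. on the public Internet, and `ghcr.io/mendhak/http-https-echo` reflects every request header and body back to the caller — which hands the `X-Forwarded-For`/`X-Real-IP` chain, the internal `Host`, and whatever Cloudflare and ingress-nginx add to anyone who finds `echo-server.${SECRET_DOMAIN}`. As a connectivity canary that is acceptable short-term; if it is meant to stay, move it to `className: internal` or put it behind auth, and record the intent with `# public by design: end-to-end canary for Cloudflare -> cloudflared -> ingress-nginx-external; remove or lock down once verified` above `ingress:`. The pod security context (non-root, read-only root FS, all capabilities dropped, RuntimeDefault seccomp) is well set.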
@@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/network/echo-server/ks.yaml b/kubernetes/apps/network/echo-server/ks.yaml new file mode 100644 index 00000000000..6440fc8a556 --- /dev/null +++ b/kubernetes/apps/network/echo-server/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app echo-server + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/network/echo-server/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/apps/network/external-dns/app/helmrelease.yaml b/kubernetes/apps/network/external-dns/app/helmrelease.yaml new file mode 100644 index 00000000000..5ce6867e7ae --- /dev/null +++ b/kubernetes/apps/network/external-dns/app/helmrelease.yaml 
@@ -0,0 +1,48 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app external-dns +spec: + interval: 30m + chart: + spec: + chart: external-dns + version: 1.15.0 + sourceRef: + kind: HelmRepository + name: external-dns + namespace: flux-system + install: + crds: CreateReplace + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + crds: CreateReplace + remediation: + strategy: rollback + retries: 3 + values: + fullnameOverride: *app + provider: cloudflare + env: + - name: CF_API_TOKEN + valueFrom: + secretKeyRef: + name: external-dns-secret + key: api-token + extraArgs: + - --ingress-class=external + - --cloudflare-proxied + - --crd-source-apiversion=externaldns.k8s.io/v1alpha1 + - --crd-source-kind=DNSEndpoint + policy: sync + sources: ["crd", "ingress"] + txtPrefix: k8s. + txtOwnerId: default + domainFilters: ["${SECRET_DOMAIN}"] + serviceMonitor: + enabled: true + podAnnotations: + secret.reloader.stakater.com/reload: external-dns-secret diff --git a/kubernetes/apps/network/external-dns/app/kustomization.yaml b/kubernetes/apps/network/external-dns/app/kustomization.yaml new file mode 100644 index 00000000000..95bf4747fd1 --- /dev/null +++ b/kubernetes/apps/network/external-dns/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/network/external-dns/app/secret.sops.yaml b/kubernetes/apps/network/external-dns/app/secret.sops.yaml new file mode 100644 index 00000000000..92bc7d99298 --- /dev/null +++ b/kubernetes/apps/network/external-dns/app/secret.sops.yaml 
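Review bot: `txtOwnerId: default` combined with `policy: sync` means external-dns will create, update and delete any record in `${SECRET_DOMAIN}` whose registry TXT carries the owner id `default` — and `default` is exactly what a second external-dns instance (a rebuilt cluster, a test cluster, another controller) will also use unless told otherwise, so two deployments pointed at the same zone will silently overwrite and delete each other's records. Give this instance a unique id, e.g. `txtOwnerId: home-kubernetes`, and note in a comment that changing it later orphans existing records, which must then be re-adopted or removed by hand. The `domainFilters` and `--ingress-class=external` scoping are otherwise sensible; separately confirm the token in `external-dns-secret` is limited to DNS:Edit on that one zone, since that cannot be seen here.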
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Secret +metadata: + name: external-dns-secret +stringData: + api-token: ENC[AES256_GCM,data:FwyOsmvElO+GoMg8HhRyYPLzQBsn61Bzjf6tHWC8ubje7G8XUcXJKA==,iv:5UZ1ZC+aecU4g1a2VFuOnxTqGQq/I2no5RTtbsRnLxM=,tag:lg+5DVUz0Sri5vdDzkKL7w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1a0xqeUZraklKd1l1Tks4 + SVFIa3RpYkJvbWxDYWp4TlREeXB3M3RvaVZnCklaS1dtdERMeUwwRGVtZW50bms0 + RnFZYlo3dnFzNktmWlNIcHNJZElJZDQKLS0tIGt6bW1HMFlJZFpSa1dsMTM3enEw + M3pUMWJkTjU0N2x2STgvK29hTlNKbFkKUjrdABxcEMud068SrR/faLNtc1TbQFwP + HJzTM2SVpMzH4XR7h0Jv3jezEQuRB21Wvn7potNHCuKkRlX/uT8hgg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-11T19:48:00Z" + mac: ENC[AES256_GCM,data:QLhJdVvWZxptWbI58aFJD4SIQrmAKpSMre3dasX1V9kRqqT/yFuQh6qEBEN5afsT9kmp99kUO3WoGzIaVbDlC5Co0f4XJYnUKoP6Ajbze5AhUV2xcx39AR3NdhhLeJbQmh6vwG4d8awf1UrcrIqPen9e1ddyUhVU4PLw3GXmegk=,iv:Z8bVc+9PrqoJdvntYOwxZyh5O4RgWE5ZbLPHglUXpRM=,tag:gcOyxHTd7RsOZnj1fyEmNA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/kubernetes/apps/network/external-dns/ks.yaml b/kubernetes/apps/network/external-dns/ks.yaml new file mode 100644 index 00000000000..ca5826cc93e --- /dev/null +++ b/kubernetes/apps/network/external-dns/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app external-dns + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/network/external-dns/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: true + interval: 30m + timeout: 5m 
diff --git a/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml b/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml new file mode 100644 index 00000000000..e7892580d76 --- /dev/null +++ b/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./staging.yaml diff --git a/kubernetes/apps/network/ingress-nginx/certificates/production.yaml b/kubernetes/apps/network/ingress-nginx/certificates/production.yaml new file mode 100644 index 00000000000..b5afdf41986 --- /dev/null +++ b/kubernetes/apps/network/ingress-nginx/certificates/production.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: "${SECRET_DOMAIN/./-}-production" +spec: + secretName: "${SECRET_DOMAIN/./-}-production-tls" + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "${SECRET_DOMAIN}" + dnsNames: + - "${SECRET_DOMAIN}" + - "*.${SECRET_DOMAIN}" diff --git a/kubernetes/apps/network/ingress-nginx/certificates/staging.yaml b/kubernetes/apps/network/ingress-nginx/certificates/staging.yaml new file mode 100644 index 00000000000..9c869425177 --- /dev/null +++ b/kubernetes/apps/network/ingress-nginx/certificates/staging.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: "${SECRET_DOMAIN/./-}-staging" +spec: + secretName: "${SECRET_DOMAIN/./-}-staging-tls" + issuerRef: + name: letsencrypt-staging + kind: ClusterIssuer + commonName: "${SECRET_DOMAIN}" + dnsNames: + - "${SECRET_DOMAIN}" + - "*.${SECRET_DOMAIN}" diff --git a/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml new file mode 100644 index 00000000000..f2742314c19 --- /dev/null +++ b/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml 
@@ -0,0 +1,75 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: ingress-nginx-external +spec: + interval: 30m + chart: + spec: + chart: ingress-nginx + version: 4.11.2 + sourceRef: + kind: HelmRepository + name: ingress-nginx + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + dependsOn: + - name: cloudflared + namespace: network + values: + fullnameOverride: ingress-nginx-external + controller: + service: + annotations: + external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_DOMAIN}" + lbipam.cilium.io/ips: "10.0.40.233" + externalTrafficPolicy: Cluster + ingressClassResource: + name: external + default: false + controllerValue: k8s.io/external + admissionWebhooks: + objectSelector: + matchExpressions: + - key: ingress-class + operator: In + values: ["external"] + config: + client-body-buffer-size: 100M + client-body-timeout: 120 + client-header-timeout: 120 + enable-brotli: "true" + enable-real-ip: "true" + hsts-max-age: 31449600 + keep-alive-requests: 10000 + keep-alive: 120 + log-format-escape-json: "true" + log-format-upstream: > + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", + "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", + "http_user_agent": "$http_user_agent"} + proxy-body-size: 0 + proxy-buffer-size: 16k + ssl-protocols: TLSv1.3 TLSv1.2 + metrics: + enabled: true + serviceMonitor: + enabled: true + namespaceSelector: + any: true + extraArgs: + default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls" + resources: + requests: + cpu: 100m + limits: + memory: 
500Mi diff --git a/kubernetes/apps/network/ingress-nginx/external/kustomization.yaml b/kubernetes/apps/network/ingress-nginx/external/kustomization.yaml new file mode 100644 index 00000000000..5dd7baca73d --- /dev/null +++ b/kubernetes/apps/network/ingress-nginx/external/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml new file mode 100644 index 00000000000..2f46f54b4fa --- /dev/null +++ b/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml 
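Review bot: `enable-real-ip: "true"` in the external controller's `config` enables the realip module with ingress-nginx's default `proxy-real-ip-cidr` of `0.0.0.0/0`, so the client address is taken from an `X-Forwarded-For` header supplied by anyone — and since this controller is also L2-announced on the LAN at `10.0.40.233`, a LAN client can reach it without going through cloudflared and spoof its source address in the access log and in any source-range or rate-limit annotation. Behind Cloudflare the trustworthy client address is `CF-Connecting-IP`; trust it only from the cloudflared pods with `forwarded-for-header: CF-Connecting-IP` and `proxy-real-ip-cidr: <pod CIDR>` (the pod CIDR is not visible here). Separately, `log-format-upstream` records `$proxy_protocol_addr` as `remote_addr`, but `use-proxy-protocol` is not enabled, so that field will always be empty; use `$remote_addr` there.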
@@ -0,0 +1,72 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: ingress-nginx-internal + namespace: network +spec: + interval: 30m + chart: + spec: + chart: ingress-nginx + version: 4.11.2 + sourceRef: + kind: HelmRepository + name: ingress-nginx + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + fullnameOverride: ingress-nginx-internal + controller: + service: + annotations: + lbipam.cilium.io/ips: "10.0.40.231" + externalTrafficPolicy: Cluster + ingressClassResource: + name: internal + default: true + controllerValue: k8s.io/internal + admissionWebhooks: + objectSelector: + matchExpressions: + - key: ingress-class + operator: In + values: ["internal"] + config: + client-body-buffer-size: 100M + client-body-timeout: 120 + client-header-timeout: 120 + enable-brotli: "true" + enable-real-ip: "true" + hsts-max-age: 31449600 + keep-alive-requests: 10000 + keep-alive: 120 + log-format-escape-json: "true" + log-format-upstream: > + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", + "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", + "http_user_agent": "$http_user_agent"} + proxy-body-size: 0 + proxy-buffer-size: 16k + ssl-protocols: TLSv1.3 TLSv1.2 + metrics: + enabled: true + serviceMonitor: + enabled: true + namespaceSelector: + any: true + extraArgs: + default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls" + resources: + requests: + cpu: 100m + limits: + memory: 500Mi 
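Review bot: `default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls"` makes what its name suggests is a staging-issuer certificate the fallback for every host the internal controller serves, and nothing marks it as temporary; if it is a bootstrap placeholder, flag it with `# TODO(review): switch to the production certificate once the issuer is validated` so it does not outlive the bootstrap. The same `enable-real-ip: "true"` without `proxy-real-ip-cidr` appears here, and since this is the `default: true` class exposed on 10.0.40.231, any host on the LAN can set `X-Forwarded-For` and have it accepted as the client address; either scope the CIDR to the Cilium LB/node range or drop `enable-real-ip` on the internal class. Note also that `admissionWebhooks.objectSelector` only validates Ingress objects carrying the `ingress-class: internal` label, so an Ingress that sets `ingressClassName: internal` without that label appears to be picked up unvalidated; that is presumably deliberate to keep the two webhooks apart, but a comment saying so would stop someone "fixing" it.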
diff --git a/kubernetes/apps/network/ingress-nginx/internal/kustomization.yaml b/kubernetes/apps/network/ingress-nginx/internal/kustomization.yaml new file mode 100644 index 00000000000..5dd7baca73d --- /dev/null +++ b/kubernetes/apps/network/ingress-nginx/internal/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/network/ingress-nginx/ks.yaml b/kubernetes/apps/network/ingress-nginx/ks.yaml new file mode 100644 index 00000000000..f7547d35156 --- /dev/null +++ b/kubernetes/apps/network/ingress-nginx/ks.yaml 
@@ -0,0 +1,63 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app ingress-nginx-certificates + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: cert-manager-issuers + path: ./kubernetes/apps/network/ingress-nginx/certificates + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: true + interval: 30m + timeout: 5m +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app ingress-nginx-internal + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: ingress-nginx-certificates + path: ./kubernetes/apps/network/ingress-nginx/internal + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app ingress-nginx-external + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: ingress-nginx-certificates + path: ./kubernetes/apps/network/ingress-nginx/external + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml b/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml new file mode 100644 index 00000000000..5b33b17cac3 --- /dev/null +++ b/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml 
@@ -0,0 +1,33 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: k8s-gateway +spec: + interval: 30m + chart: + spec: + chart: k8s-gateway + version: 2.4.0 + sourceRef: + kind: HelmRepository + name: k8s-gateway + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + fullnameOverride: k8s-gateway + domain: "${SECRET_DOMAIN}" + ttl: 1 + service: + type: LoadBalancer + port: 53 + annotations: + lbipam.cilium.io/ips: "10.0.40.232" + externalTrafficPolicy: Cluster + watchedResources: ["Ingress", "Service"] diff --git a/kubernetes/apps/network/k8s-gateway/app/kustomization.yaml b/kubernetes/apps/network/k8s-gateway/app/kustomization.yaml new file mode 100644 index 00000000000..5dd7baca73d --- /dev/null +++ b/kubernetes/apps/network/k8s-gateway/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/network/k8s-gateway/ks.yaml b/kubernetes/apps/network/k8s-gateway/ks.yaml new file mode 100644 index 00000000000..c5fcad8aadb --- /dev/null +++ b/kubernetes/apps/network/k8s-gateway/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app k8s-gateway + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/network/k8s-gateway/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/apps/network/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml new file mode 100644 index 00000000000..e6f8ddc1b83 --- /dev/null +++ b/kubernetes/apps/network/kustomization.yaml 
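Review bot: `watchedResources: ["Ingress", "Service"]` on a `LoadBalancer` service listening on port 53 publishes the name and address of every Ingress and every exposed Service under `${SECRET_DOMAIN}` to anyone who can reach 10.0.40.232, with no access control in this hunk; if only the ingress hostnames are meant to be resolvable on the LAN, trimming this to `["Ingress"]` narrows what the DNS view reveals. `externalTrafficPolicy: Cluster` typically SNATs queries to the node address, so k8s_gateway's logs will not show which LAN host asked for what, which matters when tracing a suspicious resolver; `Local` preserves the source address at the cost of pinning traffic to nodes running the pod. `ttl: 1` is unusual enough to warrant a short comment explaining the intent.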
@@ -0,0 +1,10 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./cloudflared/ks.yaml + - ./echo-server/ks.yaml + - ./external-dns/ks.yaml + - ./ingress-nginx/ks.yaml + - ./k8s-gateway/ks.yaml diff --git a/kubernetes/apps/network/namespace.yaml b/kubernetes/apps/network/namespace.yaml new file mode 100644 index 00000000000..4d78d7b11b1 --- /dev/null +++ b/kubernetes/apps/network/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: network + labels: + kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/kubernetes/apps/observability/kustomization.yaml b/kubernetes/apps/observability/kustomization.yaml new file mode 100644 index 00000000000..b213c83e27f --- /dev/null +++ b/kubernetes/apps/observability/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./prometheus-operator-crds/ks.yaml diff --git a/kubernetes/apps/observability/namespace.yaml b/kubernetes/apps/observability/namespace.yaml new file mode 100644 index 00000000000..ce3a5bd22a0 --- /dev/null +++ b/kubernetes/apps/observability/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: observability + labels: + kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml b/kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml new file mode 100644 index 00000000000..28766e082db --- /dev/null +++ b/kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml 
@@ -0,0 +1,22 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: prometheus-operator-crds +spec: + interval: 30m + chart: + spec: + chart: prometheus-operator-crds + version: 16.0.0 + sourceRef: + kind: HelmRepository + name: prometheus-community + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 diff --git a/kubernetes/apps/observability/prometheus-operator-crds/app/kustomization.yaml b/kubernetes/apps/observability/prometheus-operator-crds/app/kustomization.yaml new file mode 100644 index 00000000000..5dd7baca73d --- /dev/null +++ b/kubernetes/apps/observability/prometheus-operator-crds/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/observability/prometheus-operator-crds/ks.yaml b/kubernetes/apps/observability/prometheus-operator-crds/ks.yaml new file mode 100644 index 00000000000..8f532a12498 --- /dev/null +++ b/kubernetes/apps/observability/prometheus-operator-crds/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app prometheus-operator-crds + namespace: flux-system +spec: + targetNamespace: observability + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/observability/prometheus-operator-crds/app + prune: false # never should be deleted + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/apps/openebs-system/kustomization.yaml b/kubernetes/apps/openebs-system/kustomization.yaml new file mode 100644 index 00000000000..9cd8d4e4f2f --- /dev/null +++ b/kubernetes/apps/openebs-system/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./openebs/ks.yaml 
diff --git a/kubernetes/apps/openebs-system/namespace.yaml b/kubernetes/apps/openebs-system/namespace.yaml new file mode 100644 index 00000000000..f173c6c9cd8 --- /dev/null +++ b/kubernetes/apps/openebs-system/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: openebs-system + labels: + kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml b/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml new file mode 100644 index 00000000000..8cb7c52ef86 --- /dev/null +++ b/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml @@ -0,0 +1,48 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: openebs +spec: + interval: 30m + chart: + spec: + chart: openebs + version: 4.1.1 + sourceRef: + kind: HelmRepository + name: openebs + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + engines: + local: + lvm: + enabled: false + zfs: + enabled: false + replicated: + mayastor: + enabled: false + openebs-crds: + csi: + volumeSnapshots: + enabled: false + localpv-provisioner: + localpv: + image: + registry: quay.io/ + helperPod: + image: + registry: quay.io/ + hostpathClass: + enabled: true + name: openebs-hostpath + isDefaultClass: false + basePath: /var/openebs/local diff --git a/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml b/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml new file mode 100644 index 00000000000..5dd7baca73d --- /dev/null +++ b/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/openebs-system/openebs/ks.yaml b/kubernetes/apps/openebs-system/openebs/ks.yaml new file mode 100644 index 00000000000..0a650df365c --- /dev/null 
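Review bot: `hostpathClass.basePath: /var/openebs/local` backs every `openebs-hostpath` volume with a plain directory on the node's root filesystem, and nothing in this hunk bounds it; as far as I know the hostpath provisioner does not enforce the requested PVC capacity, so a single misbehaving workload can fill the node disk and take etcd or the kubelet down with it. If that is an accepted risk for a home cluster, say so with a comment above `basePath` (e.g. `# NOTE: hostpath PVs are not capacity-enforced; one PVC can fill the node disk`); otherwise a dedicated partition or mount for that path would contain the blast radius. The `quay.io/` registry override is fine, but pinning the image digests would make the helper pod reproducible.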
+++ b/kubernetes/apps/openebs-system/openebs/ks.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app openebs + namespace: flux-system +spec: + targetNamespace: openebs-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/openebs-system/openebs/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + timeout: 5m diff --git a/kubernetes/bootstrap/flux/kustomization.yaml b/kubernetes/bootstrap/flux/kustomization.yaml new file mode 100644 index 00000000000..30f33642170 --- /dev/null +++ b/kubernetes/bootstrap/flux/kustomization.yaml 
@@ -0,0 +1,61 @@ +# IMPORTANT: This file is not tracked by flux and should never be. Its +# purpose is to only install the Flux components and CRDs into your cluster. +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - github.com/fluxcd/flux2/manifests/install?ref=v2.4.0 +patches: + # Remove the default network policies + - patch: |- + $patch: delete + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: not-used + target: + group: networking.k8s.io + kind: NetworkPolicy + # Resources renamed to match those installed by oci://ghcr.io/fluxcd/flux-manifests + - target: + kind: ResourceQuota + name: critical-pods + patch: | + - op: replace + path: /metadata/name + value: critical-pods-flux-system + - target: + kind: ClusterRoleBinding + name: cluster-reconciler + patch: | + - op: replace + path: /metadata/name + value: cluster-reconciler-flux-system + - target: + kind: ClusterRoleBinding + name: crd-controller + patch: | + - op: replace + path: /metadata/name + value: crd-controller-flux-system + - target: + kind: ClusterRole + name: crd-controller + patch: | + - op: replace + path: /metadata/name + value: crd-controller-flux-system + - target: + kind: ClusterRole + name: flux-edit + patch: | + - op: replace + path: /metadata/name + value: flux-edit-flux-system + - target: + kind: ClusterRole + name: flux-view + patch: | + - op: replace + path: /metadata/name + value: flux-view-flux-system diff --git a/kubernetes/bootstrap/helmfile.yaml b/kubernetes/bootstrap/helmfile.yaml new file mode 100644 index 00000000000..b4da58a97f0 --- /dev/null +++ b/kubernetes/bootstrap/helmfile.yaml 
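Review bot: the first patch deletes every `NetworkPolicy` shipped with the Flux install manifests, and nothing in this commit replaces them, so the flux-system controllers — which Flux's manifests bind to cluster-admin via the `cluster-reconciler` binding renamed further down — become reachable from any pod in the cluster, including the notification-controller receiver and the source-controller artifact server. If the intent is to manage this with Cilium instead, add an equivalent `CiliumNetworkPolicy` alongside and name it in the comment; at minimum `# Remove the default network policies` should state why and what replaces them. The same deletion is repeated in `kubernetes/flux/config/flux.yaml`, so whatever you decide, keep the two files in step.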
@@ -0,0 +1,59 @@ +--- +helmDefaults: + wait: true + waitForJobs: true + timeout: 600 + recreatePods: true + force: true + +repositories: + - name: cilium + url: https://helm.cilium.io + - name: coredns + url: https://coredns.github.io/helm + - name: postfinance + url: https://postfinance.github.io/kubelet-csr-approver + +releases: + - name: prometheus-operator-crds + namespace: observability + chart: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds + version: 16.0.0 + - name: cilium + namespace: kube-system + chart: cilium/cilium + version: 1.16.3 + values: + - ../apps/kube-system/cilium/app/helm-values.yaml + needs: + - observability/prometheus-operator-crds + - name: coredns + namespace: kube-system + chart: coredns/coredns + version: 1.36.1 + values: + - ../apps/kube-system/coredns/app/helm-values.yaml + needs: + - observability/prometheus-operator-crds + - kube-system/cilium + - name: kubelet-csr-approver + namespace: kube-system + chart: postfinance/kubelet-csr-approver + version: 1.2.3 + values: + - ../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml + needs: + - observability/prometheus-operator-crds + - kube-system/cilium + - kube-system/coredns + - name: spegel + namespace: kube-system + chart: oci://ghcr.io/spegel-org/helm-charts/spegel + version: v0.0.27 + values: + - ../apps/kube-system/spegel/app/helm-values.yaml + needs: + - observability/prometheus-operator-crds + - kube-system/cilium + - kube-system/coredns + - kube-system/kubelet-csr-approver diff --git a/kubernetes/bootstrap/talos/patches/README.md b/kubernetes/bootstrap/talos/patches/README.md new file mode 100644 index 00000000000..b9681888752 --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/README.md 
@@ -0,0 +1,15 @@ +# Talos Patching + +This directory contains Kustomization patches that are added to the talhelper configuration file. + + + +## Patch Directories + +Under this `patches` directory, there are several sub-directories that can contain patches that are added to the talhelper configuration file. +Each directory is optional and therefore might not created by default. + +- `global/`: patches that are applied to both the controller and worker configurations +- `controller/`: patches that are applied to the controller configurations +- `worker/`: patches that are applied to the worker configurations +- `${node-hostname}/`: patches that are applied to the node with the specified name diff --git a/kubernetes/bootstrap/talos/patches/controller/api-access.yaml b/kubernetes/bootstrap/talos/patches/controller/api-access.yaml new file mode 100644 index 00000000000..77232844278 --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/controller/api-access.yaml @@ -0,0 +1,8 @@ +machine: + features: + kubernetesTalosAPIAccess: + enabled: true + allowedRoles: + - os:admin + allowedKubernetesNamespaces: + - system-upgrade diff --git a/kubernetes/bootstrap/talos/patches/controller/cluster.yaml b/kubernetes/bootstrap/talos/patches/controller/cluster.yaml new file mode 100644 index 00000000000..b4a9685b9a1 --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/controller/cluster.yaml @@ -0,0 +1,25 @@ +cluster: + allowSchedulingOnControlPlanes: true + controllerManager: + extraArgs: + bind-address: 0.0.0.0 + coreDNS: + disabled: true + proxy: + disabled: true + scheduler: + extraArgs: + bind-address: 0.0.0.0 + config: + apiVersion: kubescheduler.config.k8s.io/v1 + kind: KubeSchedulerConfiguration + profiles: + - schedulerName: default-scheduler + pluginConfig: + - name: PodTopologySpread + args: + defaultingType: List + defaultConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway 
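Review bot: `kubernetesTalosAPIAccess` with `allowedRoles: [os:admin]` grants any pod scheduled into the `system-upgrade` namespace full Talos node control (machine-config rewrite, upgrade, reset, etcd access), which makes that namespace at least as sensitive as `kube-system`. Nothing visible in this commit creates or restricts a `system-upgrade` namespace, so add a comment naming the consumer and the expectation, e.g. `# os:admin for the system-upgrade-controller's Talos upgrade plans; nothing else may create pods in this namespace`, and make sure RBAC on it reflects that. If the consuming controller can work with a narrower role than `os:admin`, prefer it.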
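Review bot: `bind-address: 0.0.0.0` for both the controller-manager and the scheduler moves their secure ports from loopback to every node interface on 10.0.40.0/24; the endpoints still require API-server-issued credentials, but the change is presumably for metrics scraping and should say so, e.g. `# expose secure ports on the node IP so Prometheus can scrape controller-manager/scheduler`. `allowSchedulingOnControlPlanes: true` places ordinary workloads on the nodes that also run etcd and the API server, so together with the sibling `disable-admission-controller.yaml` patch a container escape lands directly on a control-plane host; keep that in mind for anything privileged and consider taints or node selectors for sensitive workloads. The scheduler config is fine, but a comment explaining the `PodTopologySpread` default would help the next reader.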
diff --git a/kubernetes/bootstrap/talos/patches/controller/disable-admission-controller.yaml b/kubernetes/bootstrap/talos/patches/controller/disable-admission-controller.yaml new file mode 100644 index 00000000000..e311789f4ca --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/controller/disable-admission-controller.yaml @@ -0,0 +1,2 @@ +- op: remove + path: /cluster/apiServer/admissionControl diff --git a/kubernetes/bootstrap/talos/patches/controller/etcd.yaml b/kubernetes/bootstrap/talos/patches/controller/etcd.yaml new file mode 100644 index 00000000000..e2b501b59ab --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/controller/etcd.yaml @@ -0,0 +1,6 @@ +cluster: + etcd: + extraArgs: + listen-metrics-urls: http://0.0.0.0:2381 + advertisedSubnets: + - 10.0.40.0/24 diff --git a/kubernetes/bootstrap/talos/patches/global/cluster-discovery.yaml b/kubernetes/bootstrap/talos/patches/global/cluster-discovery.yaml new file mode 100644 index 00000000000..ecafec6ef11 --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/global/cluster-discovery.yaml @@ -0,0 +1,7 @@ +cluster: + discovery: + registries: + kubernetes: + disabled: false + service: + disabled: true diff --git a/kubernetes/bootstrap/talos/patches/global/containerd.yaml b/kubernetes/bootstrap/talos/patches/global/containerd.yaml new file mode 100644 index 00000000000..2952d6b41fa --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/global/containerd.yaml @@ -0,0 +1,12 @@ +machine: + files: + - op: create + path: /etc/cri/conf.d/20-customization.part + content: |- + [plugins."io.containerd.grpc.v1.cri"] + enable_unprivileged_ports = true + enable_unprivileged_icmp = true + [plugins."io.containerd.grpc.v1.cri".containerd] + discard_unpacked_layers = false + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + discard_unpacked_layers = false 
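Review bot: `- op: remove` on `/cluster/apiServer/admissionControl` strips the `admissionControl` block Talos generates, which by default is the PodSecurity configuration enforcing the `baseline` profile cluster-wide with `kube-system` exempt; after this patch there is no Pod Security Admission at all, so any namespace can run privileged, host-network or host-path pods. If the goal is to let specific workloads run privileged, keep the block and exempt those namespaces or label them with `pod-security.kubernetes.io/enforce: privileged`; otherwise record the trade-off in the file, e.g. `# WARNING: removes the default PodSecurity (baseline) admission config; no PSA enforcement after this`.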
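Review bot: `listen-metrics-urls: http://0.0.0.0:2381` in `etcd.yaml` exposes etcd's unauthenticated `/metrics` and `/health` endpoints on every node interface rather than loopback, and metrics leak cluster-shape information (key counts, member names, request rates) to anyone on 10.0.40.0/24. Binding to the node IP only, e.g. `listen-metrics-urls: http://10.0.40.200:2381` per node or a Talos-substituted address, plus a Cilium policy limiting source to the Prometheus pods would keep the scrape working with a smaller surface. `advertisedSubnets` is correct and worth a comment so it is updated if the node subnet ever changes.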
diff --git a/kubernetes/bootstrap/talos/patches/global/disable-search-domain.yaml b/kubernetes/bootstrap/talos/patches/global/disable-search-domain.yaml new file mode 100644 index 00000000000..8ba647c499e --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/global/disable-search-domain.yaml @@ -0,0 +1,3 @@ +machine: + network: + disableSearchDomain: true diff --git a/kubernetes/bootstrap/talos/patches/global/dns.yaml b/kubernetes/bootstrap/talos/patches/global/dns.yaml new file mode 100644 index 00000000000..d38c4e6ccd1 --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/global/dns.yaml @@ -0,0 +1,6 @@ +machine: + network: + nameservers: + - 10.0.40.1 + - 1.1.1.1 + - 8.8.8.8 diff --git a/kubernetes/bootstrap/talos/patches/global/hostdns.yaml b/kubernetes/bootstrap/talos/patches/global/hostdns.yaml new file mode 100644 index 00000000000..6033ccd272d --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/global/hostdns.yaml @@ -0,0 +1,6 @@ +machine: + features: + hostDNS: + enabled: true + resolveMemberNames: true + forwardKubeDNSToHost: true # Requires Cilium `bpf.masquerade: false` diff --git a/kubernetes/bootstrap/talos/patches/global/kubelet.yaml b/kubernetes/bootstrap/talos/patches/global/kubelet.yaml new file mode 100644 index 00000000000..a6aeafb60d4 --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/global/kubelet.yaml @@ -0,0 +1,7 @@ +machine: + kubelet: + extraArgs: + rotate-server-certificates: true + nodeIP: + validSubnets: + - 10.0.40.0/24 diff --git a/kubernetes/bootstrap/talos/patches/global/ntp.yaml b/kubernetes/bootstrap/talos/patches/global/ntp.yaml new file mode 100644 index 00000000000..b7d65948ac0 --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/global/ntp.yaml @@ -0,0 +1,6 @@ +machine: + time: + disabled: false + servers: + - 162.159.200.1 + - 162.159.200.123 
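Review bot: `nameservers` in `dns.yaml` lists `1.1.1.1` and `8.8.8.8` after the local gateway, and with `forwardKubeDNSToHost: true` in `hostdns.yaml` cluster DNS is forwarded to host DNS, so if 10.0.40.1 is slow or down, workload lookups silently fall through to public resolvers over plaintext UDP/53, bypassing whatever filtering or logging the local resolver provides. If that fallback is intended, say so with `# public resolvers are a fallback only; queries leave the LAN unencrypted when 10.0.40.1 fails`; if not, drop them and rely on the gateway. `rotate-server-certificates: true` in `kubelet.yaml` pairs correctly with the kubelet-csr-approver release, which is worth a cross-reference comment.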
diff --git a/kubernetes/bootstrap/talos/patches/global/openebs-local.yaml b/kubernetes/bootstrap/talos/patches/global/openebs-local.yaml new file mode 100644 index 00000000000..e4095d171cb --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/global/openebs-local.yaml @@ -0,0 +1,10 @@ +machine: + kubelet: + extraMounts: + - destination: /var/openebs/local + type: bind + source: /var/openebs/local + options: + - bind + - rshared + - rw diff --git a/kubernetes/bootstrap/talos/patches/global/sysctl.yaml b/kubernetes/bootstrap/talos/patches/global/sysctl.yaml new file mode 100644 index 00000000000..a7012f3a557 --- /dev/null +++ b/kubernetes/bootstrap/talos/patches/global/sysctl.yaml @@ -0,0 +1,7 @@ +machine: + sysctls: + fs.inotify.max_user_watches: "1048576" + fs.inotify.max_user_instances: "8192" + net.core.rmem_max: "7500000" + net.core.wmem_max: "7500000" + vm.nr_hugepages: "1024" diff --git a/kubernetes/bootstrap/talos/talconfig.yaml b/kubernetes/bootstrap/talos/talconfig.yaml new file mode 100644 index 00000000000..027d443df4b --- /dev/null +++ b/kubernetes/bootstrap/talos/talconfig.yaml 
@@ -0,0 +1,142 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/budimanjojo/talhelper/master/pkg/config/schemas/talconfig.json +--- +# renovate: datasource=docker depName=ghcr.io/siderolabs/installer +talosVersion: v1.8.2 +# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet +kubernetesVersion: v1.31.2 + +clusterName: "home-kubernetes" +endpoint: https://10.0.40.230:6443 + +clusterPodNets: + - "10.69.0.0/16" +clusterSvcNets: + - "10.96.0.0/16" + +additionalApiServerCertSans: &sans + - "10.0.40.230" + - "127.0.0.1" +additionalMachineCertSans: *sans + +# Disable built-in Flannel to use Cilium +cniConfig: + name: none + +nodes: + - hostname: "k8s-m0" + ipAddress: "10.0.40.200" + installDisk: "/dev/sda" + talosImageURL: factory.talos.dev/installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + controlPlane: true + networkInterfaces: + - deviceSelector: + hardwareAddr: "bc:24:11:a1:16:2d" + dhcp: false + addresses: + - "10.0.40.200/24" + routes: + - network: 0.0.0.0/0 + gateway: "10.0.40.1" + mtu: 1500 + vip: + ip: "10.0.40.230" + - hostname: "k8s-w0" + ipAddress: "10.0.40.210" + installDisk: "/dev/sda" + talosImageURL: factory.talos.dev/installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + controlPlane: false + networkInterfaces: + - deviceSelector: + hardwareAddr: "bc:24:11:19:98:44" + dhcp: false + addresses: + - "10.0.40.210/24" + routes: + - network: 0.0.0.0/0 + gateway: "10.0.40.1" + mtu: 1500 + - hostname: "k8s-m1" + ipAddress: "10.0.40.201" + installDisk: "/dev/sda" + talosImageURL: factory.talos.dev/installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + controlPlane: true + networkInterfaces: + - deviceSelector: + hardwareAddr: "bc:24:11:3b:df:65" + dhcp: false + addresses: + - "10.0.40.201/24" + routes: + - network: 0.0.0.0/0 + gateway: "10.0.40.1" + mtu: 1500 + vip: + ip: "10.0.40.230" + - hostname: "k8s-w1" + ipAddress: "10.0.40.211" + installDisk: "/dev/sda" + 
talosImageURL: factory.talos.dev/installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + controlPlane: false + networkInterfaces: + - deviceSelector: + hardwareAddr: "bc:24:11:03:8f:4c" + dhcp: false + addresses: + - "10.0.40.211/24" + routes: + - network: 0.0.0.0/0 + gateway: "10.0.40.1" + mtu: 1500 + - hostname: "k8s-m2" + ipAddress: "10.0.40.202" + installDisk: "/dev/sda" + talosImageURL: factory.talos.dev/installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + controlPlane: true + networkInterfaces: + - deviceSelector: + hardwareAddr: "bc:24:11:a6:56:ea" + dhcp: false + addresses: + - "10.0.40.202/24" + routes: + - network: 0.0.0.0/0 + gateway: "10.0.40.1" + mtu: 1500 + vip: + ip: "10.0.40.230" + - hostname: "k8s-w2" + ipAddress: "10.0.40.212" + installDisk: "/dev/sda" + talosImageURL: factory.talos.dev/installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + controlPlane: false + networkInterfaces: + - deviceSelector: + hardwareAddr: "bc:24:11:4d:49:bf" + dhcp: false + addresses: + - "10.0.40.212/24" + routes: + - network: 0.0.0.0/0 + gateway: "10.0.40.1" + mtu: 1500 + +# Global patches +patches: + - "@./patches/global/cluster-discovery.yaml" + - "@./patches/global/containerd.yaml" + - "@./patches/global/disable-search-domain.yaml" + - "@./patches/global/dns.yaml" + - "@./patches/global/hostdns.yaml" + - "@./patches/global/kubelet.yaml" + - "@./patches/global/ntp.yaml" + - "@./patches/global/openebs-local.yaml" + - "@./patches/global/sysctl.yaml" + +# Controller patches +controlPlane: + patches: + - "@./patches/controller/api-access.yaml" + - "@./patches/controller/cluster.yaml" + - "@./patches/controller/disable-admission-controller.yaml" + - "@./patches/controller/etcd.yaml" + diff --git a/kubernetes/flux/apps.yaml b/kubernetes/flux/apps.yaml new file mode 100644 index 00000000000..c4ebba99933 --- /dev/null +++ b/kubernetes/flux/apps.yaml 
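Review bot: talconfig.yaml configures no `machine.systemDiskEncryption`, so on all six nodes the STATE partition (machine config including the cluster PKI and, on the three control planes, the etcd CA and keys) and EPHEMERAL (etcd data, image layers, the OpenEBS hostpath directory) sit in plaintext on `/dev/sda`; on what look like VMs (the `bc:24:11` MAC prefix) whose disk images can be copied, that is the simplest route to cluster-admin. Talos supports encrypting both with `nodeID`- or TPM-bound keys, which could be added as a global patch without changing anything else here; if you decide against it, leave a comment near `installDisk` recording that decision. The MAC addresses and version strings are all quoted, which correctly sidesteps the YAML 1.1 sexagesimal and float traps.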
@@ -0,0 +1,56 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster-apps + namespace: flux-system +spec: + interval: 30m + path: ./kubernetes/apps + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + decryption: + provider: sops + secretRef: + name: sops-age + postBuild: + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets + - kind: ConfigMap + name: cluster-user-settings + optional: true + - kind: Secret + name: cluster-user-secrets + optional: true + patches: + - patch: |- + apiVersion: kustomize.toolkit.fluxcd.io/v1 + kind: Kustomization + metadata: + name: not-used + spec: + decryption: + provider: sops + secretRef: + name: sops-age + postBuild: + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets + - kind: ConfigMap + name: cluster-user-settings + optional: true + - kind: Secret + name: cluster-user-secrets + optional: true + target: + group: kustomize.toolkit.fluxcd.io + kind: Kustomization + labelSelector: substitution.flux.home.arpa/disabled notin (true) diff --git a/kubernetes/flux/config/cluster.yaml b/kubernetes/flux/config/cluster.yaml new file mode 100644 index 00000000000..2aa239febc9 --- /dev/null +++ b/kubernetes/flux/config/cluster.yaml 
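Review bot: `postBuild.substituteFrom` injects the `cluster-secrets` Secret into every Kustomization under `./kubernetes/apps` (the `patches` entry re-applies it to each child unless labelled `substitution.flux.home.arpa/disabled`), so substituted values such as `${SECRET_DOMAIN}` end up in plaintext inside HelmRelease specs, Service annotations and Ingress hosts — readable by anyone with `get` on those resources and persisted in etcd and Helm release history. That is the usual pattern and acceptable for a domain name, but a comment above `substituteFrom` should state that only low-sensitivity values belong in `cluster-secrets` and that credentials go through SOPS-encrypted Secret manifests handled by the `sops-age` decryption provider configured in the same spec. The `optional: true` user-settings entries are a nice touch; note them as user overrides so they are not confused with the required pair.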
@@ -0,0 +1,40 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: GitRepository +metadata: + name: home-kubernetes + namespace: flux-system +spec: + interval: 30m + url: "https://github.com/fabricesemti80/home-cluster-2024" + ref: + branch: "main" + ignore: | + # exclude all + /* + # include kubernetes directory + !/kubernetes +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster + namespace: flux-system +spec: + interval: 30m + path: ./kubernetes/flux + prune: true + wait: false + sourceRef: + kind: GitRepository + name: home-kubernetes + decryption: + provider: sops + secretRef: + name: sops-age + postBuild: + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets diff --git a/kubernetes/flux/config/flux.yaml b/kubernetes/flux/config/flux.yaml new file mode 100644 index 00000000000..973cbfe5042 --- /dev/null +++ b/kubernetes/flux/config/flux.yaml 
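Review bot: the `home-kubernetes` GitRepository tracks `branch: main` with no `spec.verify`, and the `cluster` Kustomization that reconciles it runs with the kustomize-controller's service account, which Flux binds to cluster-admin by default — so anyone who can push or force-push to `main` on that GitHub repository effectively holds cluster-admin, and a moving branch leaves no explicit record of which revision is deployed. Add commit-signature verification, `verify: {mode: HEAD, secretRef: {name: flux-gpg-keys}}` with the public keys of the people allowed to commit, and protect `main` on the forge side. Pinning to a tag or a `ref.semver` range instead of the branch would additionally make rollbacks and audits straightforward.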
@@ -0,0 +1,86 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: OCIRepository +metadata: + name: flux-manifests + namespace: flux-system +spec: + interval: 10m + url: oci://ghcr.io/fluxcd/flux-manifests + ref: + tag: v2.4.0 +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: flux + namespace: flux-system +spec: + interval: 10m + path: ./ + prune: true + wait: true + sourceRef: + kind: OCIRepository + name: flux-manifests + patches: + # Remove the network policies + - patch: | + $patch: delete + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: not-used + target: + group: networking.k8s.io + kind: NetworkPolicy + # Increase the number of reconciliations that can be performed in parallel and bump the resources limits + # https://fluxcd.io/flux/cheatsheets/bootstrap/#increase-the-number-of-workers + - patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --concurrent=8 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --kube-api-qps=500 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --kube-api-burst=1000 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --requeue-dependency=5s + target: + kind: Deployment + name: (kustomize-controller|helm-controller|source-controller) + - patch: | + apiVersion: apps/v1 + kind: Deployment + metadata: + name: not-used + spec: + template: + spec: + containers: + - name: manager + resources: + limits: + cpu: 2000m + memory: 2Gi + target: + kind: Deployment + name: (kustomize-controller|helm-controller|source-controller) + # Enable Helm near OOM detection + # https://fluxcd.io/flux/cheatsheets/bootstrap/#enable-helm-near-oom-detection + - patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --feature-gates=OOMWatch=true + - op: add + path: /spec/template/spec/containers/0/args/- + value: --oom-watch-memory-threshold=95 + - op: add + path: 
/spec/template/spec/containers/0/args/- + value: --oom-watch-interval=500ms + target: + kind: Deployment + name: helm-controller diff --git a/kubernetes/flux/config/kustomization.yaml b/kubernetes/flux/config/kustomization.yaml new file mode 100644 index 00000000000..ef231746a31 --- /dev/null +++ b/kubernetes/flux/config/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./flux.yaml + - ./cluster.yaml diff --git a/kubernetes/flux/repositories/git/kustomization.yaml b/kubernetes/flux/repositories/git/kustomization.yaml new file mode 100644 index 00000000000..fe0f332a96c --- /dev/null +++ b/kubernetes/flux/repositories/git/kustomization.yaml @@ -0,0 +1,4 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: [] diff --git a/kubernetes/flux/repositories/helm/bjw-s.yaml b/kubernetes/flux/repositories/helm/bjw-s.yaml new file mode 100644 index 00000000000..a40b5d77897 --- /dev/null +++ b/kubernetes/flux/repositories/helm/bjw-s.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: bjw-s + namespace: flux-system +spec: + type: oci + interval: 5m + url: oci://ghcr.io/bjw-s/helm diff --git a/kubernetes/flux/repositories/helm/cilium.yaml b/kubernetes/flux/repositories/helm/cilium.yaml new file mode 100644 index 00000000000..3aee367887e --- /dev/null +++ b/kubernetes/flux/repositories/helm/cilium.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: cilium + namespace: flux-system +spec: + interval: 1h + url: https://helm.cilium.io diff --git a/kubernetes/flux/repositories/helm/coredns.yaml b/kubernetes/flux/repositories/helm/coredns.yaml new file mode 100644 index 00000000000..3bdbbafbebf --- /dev/null +++ b/kubernetes/flux/repositories/helm/coredns.yaml 
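Review bot: the `flux-manifests` OCIRepository pulls `oci://ghcr.io/fluxcd/flux-manifests` at `tag: v2.4.0` with no `spec.verify`, yet the `flux` Kustomization applies it with `prune: true`, so the GitOps control plane itself is fetched from a registry without signature checking. Flux publishes these manifests with Cosign signatures and the OCIRepository API supports `verify: {provider: cosign}` (keyless, or with a `secretRef` for a pinned key); adding it gives the bootstrap a real trust anchor. The `$patch: delete` of every `NetworkPolicy` mirrors the bootstrap kustomization and leaves the controllers, including the notification-controller receiver used by the GitHub webhook, reachable from any pod; the comment `# Remove the network policies` should say what replaces them. The concurrency and OOM-watch patches are fine and already carry the upstream links, which is the right way to document them.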
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: coredns
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://coredns.github.io/helm
diff --git a/kubernetes/flux/repositories/helm/external-dns.yaml b/kubernetes/flux/repositories/helm/external-dns.yaml new file mode 100644
index 00000000000..a4451266751
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/external-dns.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: external-dns
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://kubernetes-sigs.github.io/external-dns
diff --git a/kubernetes/flux/repositories/helm/ingress-nginx.yaml b/kubernetes/flux/repositories/helm/ingress-nginx.yaml new file mode 100644
index 00000000000..82a0d0fff38
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/ingress-nginx.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: ingress-nginx
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://kubernetes.github.io/ingress-nginx
diff --git a/kubernetes/flux/repositories/helm/jetstack.yaml b/kubernetes/flux/repositories/helm/jetstack.yaml new file mode 100644
index 00000000000..737e06af097
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/jetstack.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: jetstack
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://charts.jetstack.io
diff --git a/kubernetes/flux/repositories/helm/k8s-gateway.yaml b/kubernetes/flux/repositories/helm/k8s-gateway.yaml new file mode 100644
index 00000000000..63a90615e60
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/k8s-gateway.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: k8s-gateway
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://ori-edge.github.io/k8s_gateway
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml new file mode 100644
index 00000000000..004f10decdc
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./bjw-s.yaml
+ - ./cilium.yaml
+ - ./coredns.yaml
+ - ./jetstack.yaml
+ - ./metrics-server.yaml
+ - ./openebs.yaml
+ - ./postfinance.yaml
+ - ./prometheus-community.yaml
+ - ./spegel.yaml
+ - ./stakater.yaml
+ - ./external-dns.yaml
+ - ./ingress-nginx.yaml
+ - ./k8s-gateway.yaml
diff --git a/kubernetes/flux/repositories/helm/metrics-server.yaml b/kubernetes/flux/repositories/helm/metrics-server.yaml new file mode 100644
index 00000000000..27a44828a5c
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/metrics-server.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: metrics-server
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://kubernetes-sigs.github.io/metrics-server
diff --git a/kubernetes/flux/repositories/helm/openebs.yaml b/kubernetes/flux/repositories/helm/openebs.yaml new file mode 100644
index 00000000000..4f48013ee7d
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/openebs.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: openebs
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://openebs.github.io/openebs
diff --git a/kubernetes/flux/repositories/helm/postfinance.yaml b/kubernetes/flux/repositories/helm/postfinance.yaml new file mode 100644
index 00000000000..b14a64d8e73
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/postfinance.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: postfinance
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://postfinance.github.io/kubelet-csr-approver
diff --git a/kubernetes/flux/repositories/helm/prometheus-community.yaml b/kubernetes/flux/repositories/helm/prometheus-community.yaml new file mode 100644
index 00000000000..318a1a51403
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/prometheus-community.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: prometheus-community
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 5m
+ url: oci://ghcr.io/prometheus-community/charts
diff --git a/kubernetes/flux/repositories/helm/spegel.yaml b/kubernetes/flux/repositories/helm/spegel.yaml new file mode 100644
index 00000000000..d9a8b2cd300
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/spegel.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: spegel
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 5m
+ url: oci://ghcr.io/spegel-org/helm-charts
diff --git a/kubernetes/flux/repositories/helm/stakater.yaml b/kubernetes/flux/repositories/helm/stakater.yaml new file mode 100644
index 00000000000..c727f37f129
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/stakater.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: stakater
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 5m
+ url: oci://ghcr.io/stakater/charts
diff --git a/kubernetes/flux/repositories/kustomization.yaml b/kubernetes/flux/repositories/kustomization.yaml new file mode 100644
index 00000000000..d158d426ee8
--- /dev/null
+++ b/kubernetes/flux/repositories/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./git
+ - ./helm
+ - ./oci
diff --git a/kubernetes/flux/repositories/oci/kustomization.yaml b/kubernetes/flux/repositories/oci/kustomization.yaml new file mode 100644
index 00000000000..fe0f332a96c
--- /dev/null
+++ b/kubernetes/flux/repositories/oci/kustomization.yaml
@@ -0,0 +1,4 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []
diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml new file mode 100644
index 00000000000..db8b1f0b9e8
--- /dev/null
+++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cluster-secrets
+ namespace: flux-system
+stringData:
+ SECRET_DOMAIN: ENC[AES256_GCM,data:p0P2PSp4B+F5ghmsja2msA==,iv:HkPJ+abDzMwg7cihFAePehUkqAQqFoGOaJlDMN183+Y=,tag:Eh1JM7TDEO2GcRI7Pp/yTA==,type:str]
+ SECRET_ACME_EMAIL: ENC[AES256_GCM,data:fSSF71yR5M4WiYKljeSwpxbMeIU6,iv:7+q4V0awJBZl1Y+A5yAzNyaa1+a4fF1ClKj9J0arMII=,tag:OwqGxIrRCEOGM1Yz05eSPA==,type:str]
+ SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:6zQzxKO/flyoj4jbjI6amWan/UQOrHh/deDFIHyRNDfWmLHJ,iv:5MsLr2cQLmA6Y007zGj04VyEa1cZ591+X9eOsSjOZds=,tag:XDCqtcx50w1IpGnsQm52hQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5eHBTSkJBWFYxYnozdVFQ
+ YmZTSjIrb2h5d0dmZVB4WkptS0cwOThWdGtnCjgrRzE1L2Fob21XeEhzRThGVDdt
+ eU5QZUNNMFJRZy9xOU1QUVp3MFg1c1kKLS0tIG1TV2lFazV5eS9HZnN1UU5PZFdW
+ bHk0VU9paUxkRUx5NThsd04xaHNKVEEKgoLibejabFKmMGY6RUa59TDGzlpwhISd
+ JgC3TZ6Q3C6rDRJxyDrU5FhDJeHZUJyRbRa42BDYzSyUs8Y6Iw7Mpg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-11T19:48:00Z"
+ mac: ENC[AES256_GCM,data:EQaEK3DMaeMh6b0xu+da7TU/NE/ku1xZdQUsbPMi+zt8oJb+qwqXBDfWDixZNAQRnzA70OFQr3HRbw4/YVN3S5TUfrcaf+mE9O7f3Tttju8cKucBipAyOxhUjRnJpwXJRTlHsbRGMXvkvdO7J2QVtWu6YQM8u4k9qDbtXggNzz4=,iv:jM1tYQZKHyHd9EPxjQYse44KD4MSBT/yqhb/pfQ9CWg=,tag:tzb/bRNFeT1MhTIgax2NxQ==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.1
diff --git a/kubernetes/flux/vars/cluster-settings.yaml b/kubernetes/flux/vars/cluster-settings.yaml new file mode 100644 index 00000000000..b64f194e152 --- /dev/null +++ b/kubernetes/flux/vars/cluster-settings.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cluster-settings + namespace: flux-system +data: + SETTING_EXAMPLE: Global settings for your cluster go in this file, this file is NOT encrypted diff --git a/kubernetes/flux/vars/kustomization.yaml b/kubernetes/flux/vars/kustomization.yaml new file mode 100644 index 00000000000..8db2fe91197 --- /dev/null +++ b/kubernetes/flux/vars/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./cluster-settings.yaml + - ./cluster-secrets.sops.yaml From c975f3bc6e7782c048e7dc20405588ae448c870c Mon Sep 17 00:00:00 2001 From: FSemti Dev Date: Mon, 11 Nov 2024 20:01:40 +0000 Subject: [PATCH 02/22] feat(bootstrap): :rocket: make things production --- .../cert-manager/issuers/secret.sops.yaml | 16 +++---- .../webhooks/app/github/secret.sops.yaml | 16 +++---- .../network/cloudflared/app/secret.sops.yaml | 18 ++++---- .../network/external-dns/app/secret.sops.yaml | 16 +++---- .../certificates/kustomization.yaml | 1 + .../ingress-nginx/external/helmrelease.yaml | 2 +- .../ingress-nginx/internal/helmrelease.yaml | 2 +- .../bootstrap/talos/clusterconfig/.gitignore | 7 +++ .../bootstrap/talos/talsecret.sops.yaml | 43 +++++++++++++++++++ .../flux/vars/cluster-secrets.sops.yaml | 20 ++++----- 10 files changed, 96 insertions(+), 45 deletions(-) create mode 100644 kubernetes/bootstrap/talos/clusterconfig/.gitignore create mode 100644 kubernetes/bootstrap/talos/talsecret.sops.yaml diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml index a337bf80dcc..58cc3c919ef 100644 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml 
+++ b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml @@ -3,7 +3,7 @@ kind: Secret metadata: name: cert-manager-secret stringData: - api-token: ENC[AES256_GCM,data:OflLbnwyjIGe7enhl67EQfjbCSyxV5dhbLkYXnQg17um/PsGt00JTg==,iv:4LAMgUjpyydf0fl1/lAIGhlXsZjSWrMXbHQixyvFCf0=,tag:eO/KchLD7x4GWIs21Fl6+A==,type:str] + api-token: ENC[AES256_GCM,data:kmirQ+ux7iHfQv8YzPMQsu2MnQ3uIBqgzx/mGb3Tlamsq4lLT0gAtQ==,iv:6FDB5zOwTZ5mr4ny7fFnjfZVVsZGs9JSnmOE+kDQLZk=,tag:nmZusvxoHDC74o5gX2zaAQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -13,14 +13,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzM3h6eGZxNmVVOVZnR1NG - clFvMjJqd2FvRXNZenR6c3RWamlmanJOVlIwCjZncUprQkJzYlRFQ2Q0QnBSeDJC - T0Fsb1RYUUFwSWlsSUFCdEpPbGxVVDAKLS0tIGxhdkNtcy9BMGwwdVMwZmZyekRH - TElBb0xtRFpoeWhPN2FCVVdDQm9TUmMKHFGpNu5swg2yZ+laHXp897PW6T3UMLUU - 1LTyK3Yjv8zRxE1rbGYf98BV5q/UQ2e8wKuC8qMXSsWBN2IhIzZawQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZXlabUoxZUU5TTdTZ3pY + RkpIVlIwdGN6ckphQ2Z6clZXZzdtMHJoTGlnCkE3Y2JJSU54NFl2bUo3ak5ULzk2 + Ulc3akR5NHlTcWtMcFNVOW5BWG5OZDAKLS0tIG00eTRhMUdRNEJ4YTUxSmFlc3U0 + elhXYkt6eW9vblVpajVMQUdRSlgvcnMKnNSqGfusmjQVDcdXl4+Xppwz9qmzxOM5 + h2KKA2QMqb7qCv7jUuf04ZX9Icpmona2eDTfxyfJE1yTMwJhlBn12A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T19:48:00Z" - mac: ENC[AES256_GCM,data:EV1GHNs0Yp/lwTlhdRxKr/SuvSBnVis2j0t0XNygGqzBTD47jklMjudWm40aaET1CqatQPSolwMDTjDZDN7SQq/+YSUMkcDowd/Qet75sKjTVj7Pv3Jd/ATKJ9RPvRfbdfSTiLz5B6Jh7QHE27HU301SO4nAd2IS0c8IpZ89vf0=,iv:sqcOFZx4zOPMaZAbPJMP/TtzRegTo4dptExPJS9s0mk=,tag:/wmV/kmF6VLX784Iz2+WAA==,type:str] + lastmodified: "2024-11-11T20:00:46Z" + mac: ENC[AES256_GCM,data:bq0VptCPEkkHIotl4b9kB9cxC6eUZkQO31ODqYuc+22J/NLiNQalmG+Aa/Zk2LGhu+8Wbv/WPnYrwof4ZUHNsspBefyJJE26u0belLIPRu9JezXDwID/VC967vzfAfxb3eBTG9PBljMd6ZHh8/+3N2gW1Gg5o5SMtA9uW5ztNVg=,iv:2czT0FESh72uvHN896hhyhbF8jAKNUW797QnYjv0oT8=,tag:KA1HtLpLWAlXZz+BbZvloA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml b/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml index 17ff9c38bdc..c0d5244c8cb 100644 --- a/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml +++ b/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml 
@@ -3,7 +3,7 @@ kind: Secret metadata: name: github-webhook-token-secret stringData: - token: ENC[AES256_GCM,data:zzy9BWKjrsSZbyXjn/x6m8lKmJuXXUojVkOVu7kfXWQ=,iv:hrDOUis1aLY2tK/aNv+H7piqophtZHjkQmahmYaDloU=,tag:VhhcDzrd+V8p1qR4FdKVYA==,type:str] + token: ENC[AES256_GCM,data:geZAlDHL7TBgJY4ITpa93/hP+dxRPlIJzQa4JlI8bAU=,iv:i/0QyKnUBGvL0BZrbSG4KhrfBOJkkFaGH7GlkV1f8+c=,tag:fXSeBYjNTwwjH7alNV1KMA==,type:str] sops: kms: [] gcp_kms: [] @@ -13,14 +13,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByaXlUTGdDK0p3RE1EL2Ft - K0FqVEZkQ01aYnFFN3JuVGVEbmtmSDRCSWhFCkNQSWxUWVdGbHIwNk96bnpTUExG - bkVXZzlLcm5NMVVFK0FoZ2ZqYVY2VnMKLS0tIGdlTWYxcGMyRExUVkg3S1JnQlRQ - WWI4R3NiTzdndE42Q2pTcjc4NURmL2MKyuCYpEq5js2Y+XqyKBE/rG/p6x8MVz95 - AqYkIF/uVnML9tGqpE1nGeu/FEWDDQS+LZ2k/stR6xUd8k0fu1rDww== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0WDNiWk5wYTZ0bGdMNVB4 + S3AwL0hKOEszajN6bFlkRXYxWmk1ZWtleWdBClZuUjZWa2VYVHdkK25vSXU5NFpR + UnMwdFZBKzYvRkxObFRxdmthM1MrQlkKLS0tIDZ2bGRTenV2RFRiQzQ3YkNGb3Fl + WktaNkMvbUdTMFpqazJwTzhPZGZPRGsKVQa6rErvIt+aM44xgj3fYJYu2Ia/RaOY + UzqQhBiMn7SfTMRCLTA+CnmhB5+ERqZD8A5bnT6V/uSZhkQkgkWI8A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T19:48:00Z" - mac: ENC[AES256_GCM,data:tMvgI0+z2KJplpsRCT+xbe+sNOEccNda7wyhtUiGwwvzbi0EaNR85ufEW0JpyW8AuKsgSwN9Y66vGf52SB6BTzRNCFwSPSNmA0j0Uz80A5jg9Nl16ykSaysGiV4uTp4LTQ2rCweZ1GQmPV5IlZ83NXpJKAwvGeyLSbI7R+fYKzY=,iv:xKCgr7GvxOaE1ySHcADYhDEQ81KK72PE/a1Aud/C4lc=,tag:FQkv+bqUNCWDjAhyr0U1Zg==,type:str] + lastmodified: "2024-11-11T20:00:46Z" + mac: ENC[AES256_GCM,data:D3enBMQMehdaCRAQGxpTW5n7kz/5KNt4f+pw/7axXbxh6l23dXe/Ko9oGb/+wzTE8Bt9cy30pgYwqX5TGDHzL7d1rcfweF6IWzAr8otJZX7a48it1s4ZxhzELFEBtsQyx/afro8/3dIN42kztOD2CnJkrX2MlMNJr7PI+ndksEk=,iv:826i0pRc5TcGooDjBN3RsVvcNGgbj3rsbT7yLCM6Q8A=,tag:PIHt0wyCG/MWOXYTP+XnWg==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 
diff --git a/kubernetes/apps/network/cloudflared/app/secret.sops.yaml b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml index 470cadebbcf..edc4cc60375 100644 --- a/kubernetes/apps/network/cloudflared/app/secret.sops.yaml +++ b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml @@ -3,8 +3,8 @@ kind: Secret metadata: name: cloudflared-secret stringData: - TUNNEL_ID: ENC[AES256_GCM,data:ByABpr4qDysmja6xLt2+Bvlk3nHAyUQI9hLeEzVlkAWRTb9w,iv:3ukmLwuXz49D4aR+ClXyzTWXFTOIlG+YBQA4kakoMoo=,tag:dSXNf3OYtUDSMcYq/WOypw==,type:str] - credentials.json: ENC[AES256_GCM,data:tvxIgB1FH+MBiQhDjDPdF8+tp10f/92jvaVJ0DV4dvGHaXxl8rQETHAUGuaF67UYRfOPT1VZertDSf0pCvzDWlEhKkGgFKIiOKTEzFh96qS8p0qMCMjk+RyZdY6kl71oLZUKilo6Lj8LEjyIbQOpe385/elFbIFogpbAKJZxVCzbawbRPK28s58MGMo2vailuNBzGSoS34fXqx5vibSmfqIBiHYmAelHIGbg5QhxUQ==,iv:8SLyg8CAWzHJmvZVgkruC0sEpZvkTYiY4DtjnY/6a5M=,tag:ICGEALhmbKjiAQE7iuR8DQ==,type:str] + TUNNEL_ID: ENC[AES256_GCM,data:ZAwY2QH2TzVz/Ka5WgaPkmKSjNUq04avVBD/6LxOo6LPOFH4,iv:u3r/+HfkXl+ocEophzSMb5ik0pFvxGO4gUuZeMcCKTM=,tag:Bon857v2YhEwDp1YTOV4iQ==,type:str] + credentials.json: ENC[AES256_GCM,data:Z5IeALIDcixLmUwtXkA7hEkaO8nU8MhCkSdckjCYAIcDN7iXV+l2x5QDVWhkoM2EDQKDnXt4myTKirlfpRi409DcKud5HMfxJ1vIv1/92hHeXXdn4/VONxRXSRdgwjNIwGaWVghm9XJD6EnLdZIuwkGer9mL3xla/MLuu/0TnL06KkYRT+Reo6vqMBkjKCcDsb+H1EcPXvnAstX9a/gsUPdtXRn2aoh9md+wJZOaaA==,iv:YqPnM4qcKlG0o/51ACO/4sqvUyEu3sGmR39o+csWwYs=,tag:mJyofWTU0Ne9IpfRrFZhAQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -14,14 +14,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbGlLT05nZmYzQzFVekxY - R2g1OGVEQzMxQzNuZTFWWXR3aDJqL3BTOEhnCk9SRG9KRzI4V3d6Slk5dWpaUHI1 - bWVGUUt2b0RHV2JWMCtFR1dnMmtub0kKLS0tIFozeXpndGlPUklTeU45K2xQUWZp - UlJEVnl1QktQL0ZKTHlDMHJxUXRpemcKnZ1Mb+SSXu4h1phNfqBqdofnPveANMHQ - f11nxAyNxp5VFtbkQvDsHd2XzFPvV0CSaZ5i7f2kb+RNBxT1jV0gLQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBeFJ2ODB0WS9TRklVY25h + Qm1ZZU9lKzVqUE5HTWRFQVFQMXYzQWJNV1NFCmU2bVZ5QzdMZnBvWTRWY011cThQ + NitDWWQ5emg3WUdUQWtEd212RjR6VlEKLS0tIEFnVmswSHlRNUo3dXd5Mzh4NGpX + TE9GVmxtdFZyYzhRYkVuT3JoSFhPOE0Kq1fEpJDtvPV7BWjWr8evAhPARZ0A3Yql + qaSLPimGXqV+ySzvl9eP793/azNIgg3wwfKaoSgSVE/g+KGYrVVP7A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T19:48:00Z" - mac: ENC[AES256_GCM,data:PBc1/JvQEawSIx5SPCgMwiCXHohXKGTE5Kha+9Xkzc+kIMy1sV9aINu8V4T2kgqIoheH5jj1TV+ArT7FmYI2TaUJzgCQa5Kjuog8wSmOj90Qlki4GBFXY3flfqs8y/AWLlBGSC8afM1lpD5zwNL4a9Cw5OiVoHTB0L4k1UG4UnU=,iv:BDquUmR1ZmFnYpfa2aMGlhOT9EDKs9Lctd9IpeBKcCk=,tag:ZYavA0zSaDJmheL5SyxQpg==,type:str] + lastmodified: "2024-11-11T20:00:46Z" + mac: ENC[AES256_GCM,data:ElDfp1si0EZrAPDKDFkLYL9KPvJmClz3uXwHcYXhNmbrsKXFULO52dXXcXV1oovKWCb+fNAGmXTQJ2zk5tLi7eVzhferikOlDNxAwiSt3LTz3v9ehx/mV5Pchlxl7+yTX6msSks9V1ffvc9drnZrb4cZrADljBupmzqbS3dwX6o=,iv:Cr2NUO2fVY8wvursNqSnZxeIs5zv1Ei9kMqEOw8POr8=,tag:IGpKIA9V25XjBErBDqYSOw==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/apps/network/external-dns/app/secret.sops.yaml b/kubernetes/apps/network/external-dns/app/secret.sops.yaml index 92bc7d99298..9c15a179418 100644 --- a/kubernetes/apps/network/external-dns/app/secret.sops.yaml +++ b/kubernetes/apps/network/external-dns/app/secret.sops.yaml 
@@ -3,7 +3,7 @@ kind: Secret metadata: name: external-dns-secret stringData: - api-token: ENC[AES256_GCM,data:FwyOsmvElO+GoMg8HhRyYPLzQBsn61Bzjf6tHWC8ubje7G8XUcXJKA==,iv:5UZ1ZC+aecU4g1a2VFuOnxTqGQq/I2no5RTtbsRnLxM=,tag:lg+5DVUz0Sri5vdDzkKL7w==,type:str] + api-token: ENC[AES256_GCM,data:4l/ZMNmfe+14fofTx/LKDR5oMsnIZiDTp+z0hpKyyxPf+qj6lQd3VQ==,iv:Z7AcGfxAMTInlx8zDOyGM6lOOdc83Lt9Ga6eRdQu6gY=,tag:VPkDKfKc6q6mT+roYZDh+Q==,type:str] sops: kms: [] gcp_kms: [] @@ -13,14 +13,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1a0xqeUZraklKd1l1Tks4 - SVFIa3RpYkJvbWxDYWp4TlREeXB3M3RvaVZnCklaS1dtdERMeUwwRGVtZW50bms0 - RnFZYlo3dnFzNktmWlNIcHNJZElJZDQKLS0tIGt6bW1HMFlJZFpSa1dsMTM3enEw - M3pUMWJkTjU0N2x2STgvK29hTlNKbFkKUjrdABxcEMud068SrR/faLNtc1TbQFwP - HJzTM2SVpMzH4XR7h0Jv3jezEQuRB21Wvn7potNHCuKkRlX/uT8hgg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTUxFR1FaR2dxOENqWmZv + UXErL2ZERVhSTjQycXNnMXczbTBHbUpRTUVjCi9maWVJbDVWODV5NGpZRkFmd2JU + aFNwM3RydE9hZWJuM2lkbFJ2RGF1TkkKLS0tIEJHQVdxZ0Z5WFlrZVpUdkZRVVM3 + bklEU3plNU9EaTI5U0pUbUJzajUzM28KfFe6/GspS8H3EywmyKdK5KO9skoPC1U4 + u7N0sgJc2t5GDrXoNBSRgjKhn5QGDmKP2WKOg1xID9ddqxaJSj+cYQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T19:48:00Z" - mac: ENC[AES256_GCM,data:QLhJdVvWZxptWbI58aFJD4SIQrmAKpSMre3dasX1V9kRqqT/yFuQh6qEBEN5afsT9kmp99kUO3WoGzIaVbDlC5Co0f4XJYnUKoP6Ajbze5AhUV2xcx39AR3NdhhLeJbQmh6vwG4d8awf1UrcrIqPen9e1ddyUhVU4PLw3GXmegk=,iv:Z8bVc+9PrqoJdvntYOwxZyh5O4RgWE5ZbLPHglUXpRM=,tag:gcOyxHTd7RsOZnj1fyEmNA==,type:str] + lastmodified: "2024-11-11T20:00:46Z" + mac: ENC[AES256_GCM,data:gAQRegK/lMxUjzgQXdEGCwfBgswdgkGl6sMHq9fNNKbCs/RRm7PjECvOw5yjHYIGFEQIc858Yszb8E3W7/giE946aZXftXrxT7vfC+20dfcuwlgc9X4zUsuxe+igoW/UjRAJKpZNmdHla+NistbCfALsGiRHRJToIM6q42376rw=,iv:Xhgbg8TCH491FZnOGQ8rJYH0taL2x2zQp8j0XZl8Buc=,tag:W4FUJt17FCh9WKy5JkwLBw==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 
diff --git a/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml b/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml index e7892580d76..f58e4a76ffe 100644 --- a/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml +++ b/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml @@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./staging.yaml + - ./production.yaml diff --git a/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml index f2742314c19..24f68ab153b 100644 --- a/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml +++ b/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml @@ -67,7 +67,7 @@ spec: namespaceSelector: any: true extraArgs: - default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls" + default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls" resources: requests: cpu: 100m diff --git a/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml index 2f46f54b4fa..b736d1eea69 100644 --- a/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml +++ b/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml @@ -64,7 +64,7 @@ spec: namespaceSelector: any: true extraArgs: - default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls" + default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls" resources: requests: cpu: 100m diff --git a/kubernetes/bootstrap/talos/clusterconfig/.gitignore b/kubernetes/bootstrap/talos/clusterconfig/.gitignore new file mode 100644 index 00000000000..6d3da8a6803 --- /dev/null +++ b/kubernetes/bootstrap/talos/clusterconfig/.gitignore 
@@ -0,0 +1,7 @@
+home-kubernetes-k8s-m0.yaml
+home-kubernetes-k8s-w0.yaml
+home-kubernetes-k8s-m1.yaml
+home-kubernetes-k8s-w1.yaml
+home-kubernetes-k8s-m2.yaml
+home-kubernetes-k8s-w2.yaml
+talosconfig
diff --git a/kubernetes/bootstrap/talos/talsecret.sops.yaml b/kubernetes/bootstrap/talos/talsecret.sops.yaml new file mode 100644
index 00000000000..ad19842ac76
--- /dev/null
+++ b/kubernetes/bootstrap/talos/talsecret.sops.yaml
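Review bot: The ignore list names exactly six node files, so a machine config generated for any node outside that set (a seventh node, or one renamed) is not ignored and would be committed in cleartext; Talos machine configs normally embed the cluster CA keys and join tokens that the adjacent talsecret.sops.yaml goes to the trouble of encrypting, so a single typo here turns into a leaked cluster root. Prefer a pattern that follows the generator rather than the node list, e.g. `home-kubernetes-*.yaml` (or simply `*.yaml`) together with `talosconfig`, and consider a pre-commit hook that refuses any unencrypted file under `clusterconfig/`.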
@@ -0,0 +1,43 @@ +cluster: + id: ENC[AES256_GCM,data:R1QeWjWbm0zI4esvuD37Ff05TqvBjk4iCQ1mXEJh+Zy89DnO69TvJ6KW0IY=,iv:Ym3DHo08UrZ8INPChxoAR/LqczlIn1LRLUN1KWbmeY8=,tag:QramI8zAnlDEvBEkjiTCPw==,type:str] + secret: ENC[AES256_GCM,data:dZHmwEK6feJ86nY23Lx7RF5bwIE8RQpXzvPAjEo3GAFSZdQEwvBnITRxcN0=,iv:Uzr5IpCouzSuxcY1zY4Woxp77Umemf75XuVmlBu0iz8=,tag:V87I8crKm+TJeWRiuZhNRQ==,type:str] +secrets: + bootstraptoken: ENC[AES256_GCM,data:6598yKoRr5UkTIaIJH7hEFn/1jjoIGc=,iv:5Y5rbj3l8CcThSpSENhR4T8ivDjaeiVakmVz0sj2cAI=,tag:ANeQDgb3Q8lVauOSmYOrSg==,type:str] + secretboxencryptionsecret: ENC[AES256_GCM,data:nEr63VkvCk5aP5craWRYHNOcUAMCv14Ex+1+iKR8dgIhSbT9EXlmQFcf9A4=,iv:NF0LjXZ6Hgk9IwWUcjqF7oXsIj0PPdujU0L5c46ed7w=,tag:vxSuG4d5AgdNKeHM8uxaRQ==,type:str] +trustdinfo: + token: ENC[AES256_GCM,data:PWzl8sMR6/eorTbU/WhTvEuafjIRLfg=,iv:UfzxTdl4ToS1mdGFybfAz+R4K0RPq0mpdsW+kP+0SIM=,tag:UcvxGrJivvh4wXv8yTZdNA==,type:str] +certs: + etcd: + crt: ENC[AES256_GCM,data:lAY3gwmm6fSwvcYVpXG3uN06ZDkXF1tNaJeLawGHlP2zoVJN/fYOQXA5knI1lxeEYwgTUuY2uDjPaOhYvLf7UVOQ/wPq9or9sLonhBzYAZD6Lil1xX6FyvxIz2dWXx+/9KR70/PWTCH//TLm0lltQ8TRKq3Qal1UXCtFGZR2ZCgEA2MhjSuYX+lNUktVJKwLyksKddzQpWvyuwBgP+SjV5VhXr1kTdv8AsZA7/m+XdgVPTxSdmcZWH9FjJEaxS+JB8pqbOH+VaVr63OEQIx+Hqf3X2maJLI20Ym7Op7QciGjJgiOAPfl8FIzh0uIl8YQ6joze+rgUrW3R/yqqT3G0Od/gur+SZTRdfdGn7Kt/ZLvcY3yPZXTGCma0dBWnTbUPlTOFArREd4zOFY5sYrC5tj23jeL3VdA99Gwiu7e08MheRT/8zunOLS3Iix7dB9tCtHOW7lMauN490q5cccFxaGO5+cTxPKEDye4ZM2GVZS1X8bBQA7M8njCX1HegWokeBKGfGz2h1MBhIhN/FQqnWjPkf3VMPWkgmjMWg/FbA6EFka/6mTISYMNa/3jy3el1TuQpEaRGALZs2fkLvwna+3GgUxtI2kHPUqKK1Ob/dBAnKu2bMLyR4u5Yygi4S6UznOWS3nGvYuBH7FnvKDJPywWpTQfUYtO+2cih+1Q0Ch6apy+Y/vgAytMLRTLRqLgfHv7okyZnQieWeNaTRNIGnSJuZD9MI8FAIYw68WVliUEM2qeciezB68k7zL3XwkYAIEfqOXG7IIrB88AYWgNXNnI4ZV1kj+o/1t5+4tJ+Iq6GiyhxYe0vA8aawvPwZx+/G68psGUjEkT5h3OfpZjolubgBceZw1hlx0HrCJnzxAraKjj618/79PksB0k28tJuIhSCg3OMoqTc0wmLUee49xLaLaxmR5yE0loOskLdN0dvz8L5uqczfsC1nwK4nKmyAvXj5kcKGsq51QJldgfBRENhEJcWI+zIBytrsDXpnLhHVVO1Jh/ykI3caqatS9VDXqbKQ==,iv:Pz2YVGXiBfLNvFr
DnTAI1g9Co7fy3ruXEFlFN1IuaDE=,tag:ytGayjTE7GTQN/xhXMic3g==,type:str] + key: ENC[AES256_GCM,data:V91lZA6g1vBbq+p8Bjj2GIR8BQhZqxKW7cMHbdKD6XGczDZhMZQA0H1vL2bZtCV21lHw67sQjOCoPWzS7FkkeXL3y38m45AjfwpnhP6ixYjSzl8O+p+2VkjvZa8mD0VORiwloyts+r7jNNWzWSOADu5+7EqWTZBz8q2k4AHI3ZFohWF2K2KJY2zBvZJIDR0xl1V1d8ro/2LP7fJlf/ttA4SN/5AEumU4zRq7NLKXaf9DCDqcGA4ARI2uaDgoH607CQ5E95xzV0KIMM4tethuP0lOlRF8kp5WqCFP7BdQC0zcN4tZ9ghG+LbKe0QMJWiunu2BSsxm4U6PW8m6KvVsEX4NGM++iLgEFgms1lZd+Qg2oEhCh9PbfYzYFa4z4CJfW9ZaPK/HWgvjCi86BsZ5aw==,iv:efspTQh/ZdLXVDBy9nE2xxe748gtZTUaWoD/NrZUQxI=,tag:Sq9U+gSi4NhCtCXL9g/QAg==,type:str] + k8s: + crt: ENC[AES256_GCM,data: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,iv:BF6I3UEC/qo+h7t6bU6Oy7itOwyL7VFhsCntrAzwojw=,tag:TDeZlIMO80wNYU3mOmrdpA==,type:str] + key: ENC[AES256_GCM,data:DynwvV5d2joKfOlDlMykhLCxlCVwRH8R//kVeh06EZyZPMiH/GiPGv0KvCPzvlVv8hzMMwKMNbBAd9uVEFWQneaUJP8OI2klnrKfhWnXG2Yc33BBSk6toB8j87sh/ZkpeRBif74YriFyuCZfyKAOP/bTjjbvRITfrhuJrqSul6z7gLza0HmUUbLT1PPuan+Y3C9BwJGDOn4jg1kRdraZ8kLBGFvDbg3T6n0DGgPu1q0yJ7WMjF/D9EyJMf6mUpT/KNczlkDmWp7KTMfBKpkFRks3fjQUtlAosPmS2JnarLAZsaNGf3mLF5Monr5fg74kk1aVPcdXDWJvsr0EvA9/QfsOKLh/FLxkPfCM6Nxglm1tNEsyCJzzJik2sogmA0HiZGU4Q4UBEc6IPWLfMfkpdw==,iv:+Srz/9KEacojrH6Rl65B59Rjstt1Rzxgqdugk7ylmeE=,tag:fHtiTM2OT8jeyY/wE/lCIw==,type:str] + k8saggregator: + crt: ENC[AES256_GCM,data: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,iv:pM5ty5FwJRAI9JpxQifq3CGmm4bV0mDjC/HEWvzeAPg=,tag:azCg8AdPlnQ0GwNVIlTccw==,type:str] + key: ENC[AES256_GCM,data:ljjvc1v9K7afsmTIvKHMNYG62t5CqRegZ0K9rc/ujdensGCvxsd9FZfMkrBb2WHO13PoKjtYzoi0sAICAvX5ySuIBKEFFiKgWzRNfFSUFOStYoUUAQNRvevM9m6olQ4YX2ZONw0QVLsOWLFcQ5bd3R9IrW7Ye1eChW8NwCt8x8DhBXOKZdreh6zY8DwFe9TB3P7tZLB5E4On1k0AnNYWZdfMH/3d6Emd7wSQeERs43MCRuyOWo59Mw9n+XpP6e09U2GEOVa9x7aYsJFxjkBsdmA/JazSTWjFbUDa41kL8B2LP3ljVqAWqwR4voF9bqqbGEWyKZiQLus6DIlp6nzQUuGfAQFm+47AvTpqzme0XnMKp0fyt1EiYvPSRBv466SXRfYNKJddeu2IbiZAQoFtdQ==,iv:TksRGK0E5G4W3fClWo5VU4tQ0M3oM5ldXgUeBHQNhIw=,tag:IAtCA4uz+v7xiHq8mdzKnw==,type:str] + 
k8sserviceaccount: + key: ENC[AES256_GCM,data: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,iv:kElEJYOSRE1WnPAxkVp9vCqXzrk0IGI51KIzWezfPkY=,tag:nXPtQyUAIV5o6GqXGLlTiA==,type:str] + os: + crt: ENC[AES256_GCM,data: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,iv:zN2GfebCB1BhqqSdZRXTx2Xj7JhyPUeuXJQsao6sHH0=,tag:9GCH3cRU4e/A20MS82I2oQ==,type:str] + key: ENC[AES256_GCM,data:DVdLNpMRX+D/vkMXnv355TGNt8Sthufe7HLWo/+GMPlIS/YzwRg8DpgOTFbLtU3MISJRJ+lkAtM3xyJXBb64NGDYDmSey1JwoRHJ8FYDOuzv3ID1TbX0Xx0VDpzJSi4oflhYgcku6ztEgVf5wpHP+ZdBQVh+8f0f49BQBPbZ/Kp4yRtV93CVmPci8x4NKI+1xAIh6m65n1l2PpKPzEjEqx78nEOsUE8kUe1PgqdMCokKsivI,iv:WNEnq7NV+tA+yEqaclpwFbN3xRVQK1YIz5yWZVCK4iI=,tag:EZ2zY5jNTkX9Ruvlk6rV8Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrM050T0xHaC93S3ZxMXNu + Njd5eE0yd2NneG9pcCs5N1hPZUJuY3Vnem5jCnpkeUdJOU1MVDB0QkdVaGVRbWhM + L2s3aFFHMW0rS2VkdUE5N0FJYjdscHcKLS0tIFowOCtFN1NMMkprS1FpNSt2YjlZ + eVZqN2tzSjdFdW1qcEZTOCtTajNLSUkKNuqGC6J9U+kbx6uiAANzBy1QnNs3I8Qc + 7HqNFpaRMawOk//dBia6WkZhqshXeQNlI/HDk8c+fu2kK8+vlPZ5vQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-11T19:48:27Z" + mac: ENC[AES256_GCM,data:Tqc3F2doR6qd0XattJVsCqTCnDiRhDG2ABKB06pQlxCSdJq03RaXDxEj7s2yjLEqwINsV1K1wQ9vjyzbuIUnb/IC72N8IYh6LT0jl/HXOkz2eDuC9sXWYY7Je37Vb6SjytTVA3rhVE9AEIj2HBKv3fUGsmEejlfr5OH+cYygWRM=,iv:vngwN4WxQgcM0Bf8OMyFc15WCe+b2qbAVTMyalegHdM=,tag:GS70q/sbNtQuHKWh4KnOZA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml index db8b1f0b9e8..f3b7770f591 100644 --- a/kubernetes/flux/vars/cluster-secrets.sops.yaml +++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml 
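Review bot: The cluster's CA private keys (`certs.etcd.key`, `certs.k8s.key`, `certs.k8saggregator.key`, `certs.os.key`, `certs.k8sserviceaccount.key`) and the bootstrap and trustd tokens are encrypted to the same single age recipient `age17d79…qtm7` that every application secret in this series uses, so whoever can decrypt a Cloudflare API token can equally mint cluster-admin and kubelet client certificates, sign service-account tokens and talk to etcd directly; the blast radius of that one key is the whole cluster, not one app. Consider encrypting this file to a separate, offline-held recipient (or a KMS/Vault key with audit logging) distinct from the day-to-day app-secret key, with a matching creation rule in `.sops.yaml`. A short header comment stating that these values are presumably consumed only at config-generation/bootstrap time and must never be mounted into the cluster would also help the next maintainer, since the file carries no such note.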
@@ -4,9 +4,9 @@ metadata: name: cluster-secrets namespace: flux-system stringData: - SECRET_DOMAIN: ENC[AES256_GCM,data:p0P2PSp4B+F5ghmsja2msA==,iv:HkPJ+abDzMwg7cihFAePehUkqAQqFoGOaJlDMN183+Y=,tag:Eh1JM7TDEO2GcRI7Pp/yTA==,type:str] - SECRET_ACME_EMAIL: ENC[AES256_GCM,data:fSSF71yR5M4WiYKljeSwpxbMeIU6,iv:7+q4V0awJBZl1Y+A5yAzNyaa1+a4fF1ClKj9J0arMII=,tag:OwqGxIrRCEOGM1Yz05eSPA==,type:str] - SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:6zQzxKO/flyoj4jbjI6amWan/UQOrHh/deDFIHyRNDfWmLHJ,iv:5MsLr2cQLmA6Y007zGj04VyEa1cZ591+X9eOsSjOZds=,tag:XDCqtcx50w1IpGnsQm52hQ==,type:str] + SECRET_DOMAIN: ENC[AES256_GCM,data:4fgslBqHadSWoDexGWmmsw==,iv:NfIQr0ogfbCC6lsHS13fAPEFlMR8CQ+UqwtbjGMMC5c=,tag:q1WKHcaXoQHetFIN6UxIdQ==,type:str] + SECRET_ACME_EMAIL: ENC[AES256_GCM,data:BdSHzbhrhxqUTF9Zaue7dZeTD1kq,iv:3/p5lsbyX1p7OFeQ5G5BnM4wR0zq4kgMgg0zDu/I1OI=,tag:AXPMzmg6p/8UQ1W9E3Ky4g==,type:str] + SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:Mo0K3OFf7/cZrqM0XelOP5vLFizXKI4ziaISCzpvJDWgsG/r,iv:1EvPy44TfTin0tVU2Bl2q9jS97lCZYdSMSsEaYMbX4U=,tag:E1MSkEVWqSbfq7FvhLrSqA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -16,14 +16,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5eHBTSkJBWFYxYnozdVFQ - YmZTSjIrb2h5d0dmZVB4WkptS0cwOThWdGtnCjgrRzE1L2Fob21XeEhzRThGVDdt - eU5QZUNNMFJRZy9xOU1QUVp3MFg1c1kKLS0tIG1TV2lFazV5eS9HZnN1UU5PZFdW - bHk0VU9paUxkRUx5NThsd04xaHNKVEEKgoLibejabFKmMGY6RUa59TDGzlpwhISd - JgC3TZ6Q3C6rDRJxyDrU5FhDJeHZUJyRbRa42BDYzSyUs8Y6Iw7Mpg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cnJ3ZVdqdnhUTTlBUUhB + WGpjaEtjVCtUMlp4MU1MenM2cys2MXhKOFE0CkdVUW1Qd3lGTEhXZkpBWVBkL3RS + V2hRcGtVUVNPdDB5RjlsbThheldxRXMKLS0tIEE2UmR2REg0MS9rbTMvcmdhVGQ3 + eFozSzU1dlpYUXd3Z05GMG5ldTBXY3MK/0YvToOl3qYemTRDlJQ8tMeXgFl6dcnk + /DKr9jtNc9F2gFXhERspgGAfunmMYAKcZ+VUjkJvpN99gvOXR1r5gg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T19:48:00Z" - mac: ENC[AES256_GCM,data:EQaEK3DMaeMh6b0xu+da7TU/NE/ku1xZdQUsbPMi+zt8oJb+qwqXBDfWDixZNAQRnzA70OFQr3HRbw4/YVN3S5TUfrcaf+mE9O7f3Tttju8cKucBipAyOxhUjRnJpwXJRTlHsbRGMXvkvdO7J2QVtWu6YQM8u4k9qDbtXggNzz4=,iv:jM1tYQZKHyHd9EPxjQYse44KD4MSBT/yqhb/pfQ9CWg=,tag:tzb/bRNFeT1MhTIgax2NxQ==,type:str] + lastmodified: "2024-11-11T20:00:46Z" + mac: ENC[AES256_GCM,data:G1W9wfv3v6trKw0cj7txPE2ZukwdfsgjwyIHqtkB6AYGVTB4JanJOEYhMRGyOzzDCdmGFyQ9SF2c1EIypjM2Ac586Y/U9ZzsSGtCG1WfaeuUyGRX04w1xGTOiSAMFmMbeQdehqZd3xcHEflvyPoGBoj+MsRnBL21/ZuYzXAJqOg=,iv:tVb3ulzKZjENg1iU4uUWSr6iwOoeLYgYFODyFa4Afx0=,tag:AHteX3VuQUTTs576CKno9Q==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 From ecb66dea3733ecee05a1ef3921f9e5baac4a4035 Mon Sep 17 00:00:00 2001 
From: FSemti Dev Date: Mon, 11 Nov 2024 20:43:52 +0000 Subject: [PATCH 03/22] feat(bootstrap): :fire: reconfigure certs --- .../cert-manager/issuers/secret.sops.yaml | 16 +++++++-------- .../webhooks/app/github/secret.sops.yaml | 16 +++++++-------- .../network/cloudflared/app/secret.sops.yaml | 18 ++++++++--------- .../network/external-dns/app/secret.sops.yaml | 16 +++++++-------- .../flux/vars/cluster-secrets.sops.yaml | 20 +++++++++---------- 5 files changed, 43 insertions(+), 43 deletions(-) diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml index 58cc3c919ef..606f164ca14 100644 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml @@ -3,7 +3,7 @@ kind: Secret metadata: name: cert-manager-secret stringData: - api-token: ENC[AES256_GCM,data:kmirQ+ux7iHfQv8YzPMQsu2MnQ3uIBqgzx/mGb3Tlamsq4lLT0gAtQ==,iv:6FDB5zOwTZ5mr4ny7fFnjfZVVsZGs9JSnmOE+kDQLZk=,tag:nmZusvxoHDC74o5gX2zaAQ==,type:str] + api-token: ENC[AES256_GCM,data:pzC+fRqadMMs06RQHgx3TzeBCPZXyqERaN59VppzJILCqp7meiAZUw==,iv:NkhwG5qxuHcskekHZ7QLJCb1kYmVDE0GRtw6QFQYBmw=,tag:lbKfVVCiDupC/OB/8vyG6g==,type:str] sops: kms: [] gcp_kms: [] 
@@ -13,14 +13,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZXlabUoxZUU5TTdTZ3pY - RkpIVlIwdGN6ckphQ2Z6clZXZzdtMHJoTGlnCkE3Y2JJSU54NFl2bUo3ak5ULzk2 - Ulc3akR5NHlTcWtMcFNVOW5BWG5OZDAKLS0tIG00eTRhMUdRNEJ4YTUxSmFlc3U0 - elhXYkt6eW9vblVpajVMQUdRSlgvcnMKnNSqGfusmjQVDcdXl4+Xppwz9qmzxOM5 - h2KKA2QMqb7qCv7jUuf04ZX9Icpmona2eDTfxyfJE1yTMwJhlBn12A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bWRJdUowaWs4Y2xTWnRL + WW1JNEE0c0tkTGRicDZzenRIRXRHOWpFOUJJCkdvRmxZTFlPejVwdWFiVHU4YS92 + Vjg2OGZUd2VqbUFVdHJZUHZoanBJbkUKLS0tIFBvK0ZkQk9UeGRLd0x4UnNvV1V3 + ZnJEcmFSd053UE9wbTgxWkY5N3d2R1UKigj3LYjAFvAkNVTka58oQ2H9E6e3Lpmq + UJARQFx9peccH+i9EcF0CyMr9gI+fOgFK5mLiRVBMGHr56rSQTc9wQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T20:00:46Z" - mac: ENC[AES256_GCM,data:bq0VptCPEkkHIotl4b9kB9cxC6eUZkQO31ODqYuc+22J/NLiNQalmG+Aa/Zk2LGhu+8Wbv/WPnYrwof4ZUHNsspBefyJJE26u0belLIPRu9JezXDwID/VC967vzfAfxb3eBTG9PBljMd6ZHh8/+3N2gW1Gg5o5SMtA9uW5ztNVg=,iv:2czT0FESh72uvHN896hhyhbF8jAKNUW797QnYjv0oT8=,tag:KA1HtLpLWAlXZz+BbZvloA==,type:str] + lastmodified: "2024-11-11T20:42:13Z" + mac: ENC[AES256_GCM,data:aLOR2YijCEMZ9gCPRCm4ojbuIEylR6VoRpsLil5u53bW8+I6fyjqHCQyKPcninC54XqJn7Vn71PLns8QGqBu4jdRhWe+aVIuCdjQ5b0dIZxiI3+CXyc8PsaXwguXs8uBkEiEtdRq/IwkX3wb/xvtJaOmV1TJFmltPTOMi/cuy/s=,iv:f3+JK/qGH/zdsMadnS8yqBXRWw3NveydANRzosZHz7g=,tag:PDNOM4TAyCWJRRSjzI+Tkg==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml b/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml index c0d5244c8cb..c37c8d90ad3 100644 --- a/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml +++ b/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml 
@@ -3,7 +3,7 @@ kind: Secret metadata: name: github-webhook-token-secret stringData: - token: ENC[AES256_GCM,data:geZAlDHL7TBgJY4ITpa93/hP+dxRPlIJzQa4JlI8bAU=,iv:i/0QyKnUBGvL0BZrbSG4KhrfBOJkkFaGH7GlkV1f8+c=,tag:fXSeBYjNTwwjH7alNV1KMA==,type:str] + token: ENC[AES256_GCM,data:/KvBKwNuDSX+TczIbWDdiFgQs1hZDR23kQuqJz4+VHk=,iv:JICqnr/LZ7+UHddOKntT9BPeaCWIsfSf2xMfF0U/WIQ=,tag:CipuYSpQv8tVlC2DUG4OPg==,type:str] sops: kms: [] gcp_kms: [] @@ -13,14 +13,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0WDNiWk5wYTZ0bGdMNVB4 - S3AwL0hKOEszajN6bFlkRXYxWmk1ZWtleWdBClZuUjZWa2VYVHdkK25vSXU5NFpR - UnMwdFZBKzYvRkxObFRxdmthM1MrQlkKLS0tIDZ2bGRTenV2RFRiQzQ3YkNGb3Fl - WktaNkMvbUdTMFpqazJwTzhPZGZPRGsKVQa6rErvIt+aM44xgj3fYJYu2Ia/RaOY - UzqQhBiMn7SfTMRCLTA+CnmhB5+ERqZD8A5bnT6V/uSZhkQkgkWI8A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQ1RVN1Q0YUYwLy83Nkt2 + ZDlEKzBQZVI5c2xiR1NLdW9OMHNUNngzd0RFCmxBb0JxQzZHZDgzNE5kbC9LQS95 + L2ViTzNDTGtKVkVCaGQraGJKUWhMLzQKLS0tIEpNNlU1cXdIUkM5dis3aUo0SVBT + VEtTNGRBL2JGWjh2ZVFMdVBoVjFrZUUK07ssuFb3R/wOiV3T7j2e7oTT3xok3nQ6 + DZ6yWEQ/ugyUpBOpCWIttVwpgXMJiqOeuyn1NvEgxKNGb13TCLpIKQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T20:00:46Z" - mac: ENC[AES256_GCM,data:D3enBMQMehdaCRAQGxpTW5n7kz/5KNt4f+pw/7axXbxh6l23dXe/Ko9oGb/+wzTE8Bt9cy30pgYwqX5TGDHzL7d1rcfweF6IWzAr8otJZX7a48it1s4ZxhzELFEBtsQyx/afro8/3dIN42kztOD2CnJkrX2MlMNJr7PI+ndksEk=,iv:826i0pRc5TcGooDjBN3RsVvcNGgbj3rsbT7yLCM6Q8A=,tag:PIHt0wyCG/MWOXYTP+XnWg==,type:str] + lastmodified: "2024-11-11T20:42:13Z" + mac: ENC[AES256_GCM,data:kwFILWso4JbF5b0UrJ3dNAFFDHGpv5YpNeX9ZmDTHAgdlN0+icUL/IOWA+fyP68QmR1mc0kVeUmLHfwX+pARW468TacS0GrHBQFidRM+JJAwXNCLjduMGzcX30d4aGEtv+/Vl/HWGjMCq3LoGiyhKk1lbYvHzvIljcn/IlyKY94=,iv:VtS1qpUytiL6LnjRTT27Jk3v2ekxXVTmdFBg6rDbMJ4=,tag:lQyfNpKlIibR3m9sq4TbHw==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 
diff --git a/kubernetes/apps/network/cloudflared/app/secret.sops.yaml b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml index edc4cc60375..214ada73084 100644 --- a/kubernetes/apps/network/cloudflared/app/secret.sops.yaml +++ b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml @@ -3,8 +3,8 @@ kind: Secret metadata: name: cloudflared-secret stringData: - TUNNEL_ID: ENC[AES256_GCM,data:ZAwY2QH2TzVz/Ka5WgaPkmKSjNUq04avVBD/6LxOo6LPOFH4,iv:u3r/+HfkXl+ocEophzSMb5ik0pFvxGO4gUuZeMcCKTM=,tag:Bon857v2YhEwDp1YTOV4iQ==,type:str] - credentials.json: ENC[AES256_GCM,data:Z5IeALIDcixLmUwtXkA7hEkaO8nU8MhCkSdckjCYAIcDN7iXV+l2x5QDVWhkoM2EDQKDnXt4myTKirlfpRi409DcKud5HMfxJ1vIv1/92hHeXXdn4/VONxRXSRdgwjNIwGaWVghm9XJD6EnLdZIuwkGer9mL3xla/MLuu/0TnL06KkYRT+Reo6vqMBkjKCcDsb+H1EcPXvnAstX9a/gsUPdtXRn2aoh9md+wJZOaaA==,iv:YqPnM4qcKlG0o/51ACO/4sqvUyEu3sGmR39o+csWwYs=,tag:mJyofWTU0Ne9IpfRrFZhAQ==,type:str] + TUNNEL_ID: ENC[AES256_GCM,data:hnnyYveD4HaJI5923RMkR9QY1SufmIZ8HPXOzOeHVsgosoWy,iv:I63jenosi2S5gfqqcv3qa50iNnYwu2K5wKzanorq07s=,tag:YF89NqqlpN2rg1dghug8Dg==,type:str] + credentials.json: ENC[AES256_GCM,data:n5AkvwoC8D6KnablcFPaVlW7NN+ztBYI3Ng6xMLEHzjHaXZHeI4mO9gnQ8UrOLgAhGnAOzvFAATnTQuisXzvc+mh6wvZUqbmvgfQCGNvngx3vvAnCA7zEbx/u1hYGrUvH0uSAVjvuPLpLwNEk8Ugl991qSa3EnFZXsQ/LEqAY1Qh1Bjc5qdUz3rjIZ42nXxAhvUFoWa5Z/Ni+dWiDTC1AHwRIg9l4UNaJs/eJcDoeg==,iv:ZU9viShstmXcvz3FHk+A9txzQ6I1hQUhq/vvwc453Zw=,tag:IPlXE1b72Zi4p7Fp5mkeyg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -14,14 +14,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBeFJ2ODB0WS9TRklVY25h - Qm1ZZU9lKzVqUE5HTWRFQVFQMXYzQWJNV1NFCmU2bVZ5QzdMZnBvWTRWY011cThQ - NitDWWQ5emg3WUdUQWtEd212RjR6VlEKLS0tIEFnVmswSHlRNUo3dXd5Mzh4NGpX - TE9GVmxtdFZyYzhRYkVuT3JoSFhPOE0Kq1fEpJDtvPV7BWjWr8evAhPARZ0A3Yql - qaSLPimGXqV+ySzvl9eP793/azNIgg3wwfKaoSgSVE/g+KGYrVVP7A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4N1ZJUmJ4Z1pROHlSQUZK + cWNDRVFKM1E0eVNuZEFxd1plUGtZMitreEVrCnQ1UXovc1FpajdPYkkvSHIrMlV6 + TWhUV01TaCtZUGtmcU5QL2RpSHoyeGMKLS0tIE9oVWZPeE1jRTlNY05takJNZEh2 + azNlM2s2QzZ6Vi9oaFlJdU14cmhZdEkKSm5osgKQ7V4R5UbabOBmG9ZySwj6BRxr + IHKywUUb1Pyf2jU45QjbZcPVyoVD3uJwpMDMJsvgnKHiE+aErOFnRw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T20:00:46Z" - mac: ENC[AES256_GCM,data:ElDfp1si0EZrAPDKDFkLYL9KPvJmClz3uXwHcYXhNmbrsKXFULO52dXXcXV1oovKWCb+fNAGmXTQJ2zk5tLi7eVzhferikOlDNxAwiSt3LTz3v9ehx/mV5Pchlxl7+yTX6msSks9V1ffvc9drnZrb4cZrADljBupmzqbS3dwX6o=,iv:Cr2NUO2fVY8wvursNqSnZxeIs5zv1Ei9kMqEOw8POr8=,tag:IGpKIA9V25XjBErBDqYSOw==,type:str] + lastmodified: "2024-11-11T20:42:13Z" + mac: ENC[AES256_GCM,data:B9lpTJH/2/4EX0GKMX4hl5djwYgqgNlLeNWsvnfQaW6GpSZmabDnVqnNYKqASqI5X3nNMedRn+pBjFgOojMi7ihV4paDemuwq/gbgp9iT/jkVpODwd7nlo9HBVUzLJDdR4GHFuQEItq3inUtWCbmdMSL62sYVHugup8nhS9VjPQ=,iv:Rj5zzhHTeWWWzOKB4AFXSHbMv9hiaj4KMYD2g5/rIGY=,tag:RGpMeJml+lksI8eoCSMXSQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/apps/network/external-dns/app/secret.sops.yaml b/kubernetes/apps/network/external-dns/app/secret.sops.yaml index 9c15a179418..2ca153cf63e 100644 --- a/kubernetes/apps/network/external-dns/app/secret.sops.yaml +++ b/kubernetes/apps/network/external-dns/app/secret.sops.yaml 
@@ -3,7 +3,7 @@ kind: Secret metadata: name: external-dns-secret stringData: - api-token: ENC[AES256_GCM,data:4l/ZMNmfe+14fofTx/LKDR5oMsnIZiDTp+z0hpKyyxPf+qj6lQd3VQ==,iv:Z7AcGfxAMTInlx8zDOyGM6lOOdc83Lt9Ga6eRdQu6gY=,tag:VPkDKfKc6q6mT+roYZDh+Q==,type:str] + api-token: ENC[AES256_GCM,data:UqYwkZBOc3fN+V3gTe4x86yITReI+0XJZgaoFOmz1z6NmZZuhfdrKw==,iv:B8z/TzIvKS/VnXz8+czfGbZnEXG4VrQNZfRRIgL0ekQ=,tag:OI0q9dFzRH7S/hwhhmPCPg==,type:str] sops: kms: [] gcp_kms: [] @@ -13,14 +13,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTUxFR1FaR2dxOENqWmZv - UXErL2ZERVhSTjQycXNnMXczbTBHbUpRTUVjCi9maWVJbDVWODV5NGpZRkFmd2JU - aFNwM3RydE9hZWJuM2lkbFJ2RGF1TkkKLS0tIEJHQVdxZ0Z5WFlrZVpUdkZRVVM3 - bklEU3plNU9EaTI5U0pUbUJzajUzM28KfFe6/GspS8H3EywmyKdK5KO9skoPC1U4 - u7N0sgJc2t5GDrXoNBSRgjKhn5QGDmKP2WKOg1xID9ddqxaJSj+cYQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMzkzdzdkNm1GczI2WFN3 + eG1CZ3VTZWxBdmFib2tPWkxta3lnR0tPMVFFCkF0TnF0YVJOczlyNEg5VXFZdlBY + eUowMzRTSXlEd25pblpLMDFyNWI0M2cKLS0tIHFCVVJqM0FGQjA0YWZ5V2drVTdC + YjVsVjdObDN1eDVXZnlmZW5OallDNVEKz86Cc/8jIatz2Umw/PnK2X/JuISbaaef + 3FkZvtUT7BkbsQDKXZWA8rYVZnZiVSNjSHdOL9DNN2rxYcH1NIsZ2w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T20:00:46Z" - mac: ENC[AES256_GCM,data:gAQRegK/lMxUjzgQXdEGCwfBgswdgkGl6sMHq9fNNKbCs/RRm7PjECvOw5yjHYIGFEQIc858Yszb8E3W7/giE946aZXftXrxT7vfC+20dfcuwlgc9X4zUsuxe+igoW/UjRAJKpZNmdHla+NistbCfALsGiRHRJToIM6q42376rw=,iv:Xhgbg8TCH491FZnOGQ8rJYH0taL2x2zQp8j0XZl8Buc=,tag:W4FUJt17FCh9WKy5JkwLBw==,type:str] + lastmodified: "2024-11-11T20:42:13Z" + mac: ENC[AES256_GCM,data:nd6/A0LLKwJWER/wwJ9hVnv1JmNmx5MccnG8SUuPnXU8rKc0Hu/heq1MwNEPxBHXpwHmwAUNaR+W7/JmZQ/5yZuUdtXnFatikwA4w8c+2BMvIQ1ztIYYPTuL6e/WZc1DVJZechI8PdzNmPZNceyUKYNtGfq06jVQLM2OYgLyF98=,iv:mKfLmBubcf3+cInBERSnVkRKvkGh0QV0AX3uS7j5qnk=,tag:IblDbAIDDjDlD4fyvrzqXA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 
diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml index f3b7770f591..0b37ea27170 100644 --- a/kubernetes/flux/vars/cluster-secrets.sops.yaml +++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml @@ -4,9 +4,9 @@ metadata: name: cluster-secrets namespace: flux-system stringData: - SECRET_DOMAIN: ENC[AES256_GCM,data:4fgslBqHadSWoDexGWmmsw==,iv:NfIQr0ogfbCC6lsHS13fAPEFlMR8CQ+UqwtbjGMMC5c=,tag:q1WKHcaXoQHetFIN6UxIdQ==,type:str] - SECRET_ACME_EMAIL: ENC[AES256_GCM,data:BdSHzbhrhxqUTF9Zaue7dZeTD1kq,iv:3/p5lsbyX1p7OFeQ5G5BnM4wR0zq4kgMgg0zDu/I1OI=,tag:AXPMzmg6p/8UQ1W9E3Ky4g==,type:str] - SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:Mo0K3OFf7/cZrqM0XelOP5vLFizXKI4ziaISCzpvJDWgsG/r,iv:1EvPy44TfTin0tVU2Bl2q9jS97lCZYdSMSsEaYMbX4U=,tag:E1MSkEVWqSbfq7FvhLrSqA==,type:str] + SECRET_DOMAIN: ENC[AES256_GCM,data:oTTMLBH/ADmFKFLlvkwt9g==,iv:GbezTyN5za8jGou9Gx8sv39P9wixPpen5AyGse8HbR8=,tag:6SgaHC8EqJA9DUm04hcv3w==,type:str] + SECRET_ACME_EMAIL: ENC[AES256_GCM,data:ovXTfdHa4c0PkRZbCZ/dfI+GamdG,iv:z07D5ao2sNr1MIZ3kipIXNdImriV4LtXGq4mVfOHuKE=,tag:Pwt9ofeZKEqBVqlQZR9OIg==,type:str] + SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:7mEKcRJwTh5b3rDSxtNGmwv2lzUM1KH8q4iFMkOAgAF6jIrI,iv:H0DYJVc/X5SyjLrrmi4PVbwqJftoZwJFzaJ+4rgosKc=,tag:5Pp+cWzkjQOVE5EvvaQQfw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -16,14 +16,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cnJ3ZVdqdnhUTTlBUUhB - WGpjaEtjVCtUMlp4MU1MenM2cys2MXhKOFE0CkdVUW1Qd3lGTEhXZkpBWVBkL3RS - V2hRcGtVUVNPdDB5RjlsbThheldxRXMKLS0tIEE2UmR2REg0MS9rbTMvcmdhVGQ3 - eFozSzU1dlpYUXd3Z05GMG5ldTBXY3MK/0YvToOl3qYemTRDlJQ8tMeXgFl6dcnk - /DKr9jtNc9F2gFXhERspgGAfunmMYAKcZ+VUjkJvpN99gvOXR1r5gg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxRkdJSy9NSXRlNG9BcWFU + Z2FsVXVmR3JXYUU4MU1ieFBzSWlQd0JaWmhVCldTTjNabjRWMHo5M0FjTVUzMk5J + UUplRHh3NjlueE01SmxMQ3FpYWZXbHcKLS0tIE1lQVo3MEROcldvVDFWd0w0VGJ5 + SHJWclpiSG40VnRrcVdDVG5OOEo5WkEKHaSeDnZS/PdYfv3Rnu/6uoirINM3ooDL + 48wm3l2MeML9u1NpbaBN2NQbCsm0H4tk5ZfhZwKNmBtmW1/VHfij9A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T20:00:46Z" - mac: ENC[AES256_GCM,data:G1W9wfv3v6trKw0cj7txPE2ZukwdfsgjwyIHqtkB6AYGVTB4JanJOEYhMRGyOzzDCdmGFyQ9SF2c1EIypjM2Ac586Y/U9ZzsSGtCG1WfaeuUyGRX04w1xGTOiSAMFmMbeQdehqZd3xcHEflvyPoGBoj+MsRnBL21/ZuYzXAJqOg=,iv:tVb3ulzKZjENg1iU4uUWSr6iwOoeLYgYFODyFa4Afx0=,tag:AHteX3VuQUTTs576CKno9Q==,type:str] + lastmodified: "2024-11-11T20:42:13Z" + mac: ENC[AES256_GCM,data:KbbRy00uhtsk048O1E/1fQ19cklqOVH3pBj19+rVBkGHASBDk3nTLV+kukk0tpNu2NETdBuXuTGfwca7ET7hFANDiRMmoJd9DLWCGOmfIsMYdZJzUbM/wFFk43o6law6YO4kdZ6rb6r4/vZX7y+u6CnyYarCaSwpU6pq94FPKlA=,iv:0n8+ucyN0OPGH/ZkprCRh45TDQu94bVc0pXckj5vcFE=,tag:SvKQO7CFNaqcRSOANKtJug==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 From 6b041bbc35877ae8b9b8d3b21db9d526e2e6f955 Mon Sep 17 00:00:00 2001 
From: FSemti Dev Date: Mon, 11 Nov 2024 20:47:19 +0000 Subject: [PATCH 04/22] fix(bootstrap): :fire: reconfigure secrets --- .../cert-manager/issuers/secret.sops.yaml | 16 +++++++-------- .../webhooks/app/github/secret.sops.yaml | 16 +++++++-------- .../network/cloudflared/app/secret.sops.yaml | 18 ++++++++--------- .../network/external-dns/app/secret.sops.yaml | 16 +++++++-------- .../flux/vars/cluster-secrets.sops.yaml | 20 +++++++++---------- 5 files changed, 43 insertions(+), 43 deletions(-) diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml index 606f164ca14..6fbc4f3c81f 100644 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml @@ -3,7 +3,7 @@ kind: Secret metadata: name: cert-manager-secret stringData: - api-token: ENC[AES256_GCM,data:pzC+fRqadMMs06RQHgx3TzeBCPZXyqERaN59VppzJILCqp7meiAZUw==,iv:NkhwG5qxuHcskekHZ7QLJCb1kYmVDE0GRtw6QFQYBmw=,tag:lbKfVVCiDupC/OB/8vyG6g==,type:str] + api-token: ENC[AES256_GCM,data:oHUeqLlKYNPKBAJRdPfOHls0qFpsJfJcKJEV5MpL/kCocWKP9UdlCA==,iv:W4O9DX9YToi+vbjLbyM0cMQz0cmmQ/DJNaYca4lCT5Q=,tag:swEymk8UHhXNiMm3sK7GKQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -13,14 +13,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bWRJdUowaWs4Y2xTWnRL - WW1JNEE0c0tkTGRicDZzenRIRXRHOWpFOUJJCkdvRmxZTFlPejVwdWFiVHU4YS92 - Vjg2OGZUd2VqbUFVdHJZUHZoanBJbkUKLS0tIFBvK0ZkQk9UeGRLd0x4UnNvV1V3 - ZnJEcmFSd053UE9wbTgxWkY5N3d2R1UKigj3LYjAFvAkNVTka58oQ2H9E6e3Lpmq - UJARQFx9peccH+i9EcF0CyMr9gI+fOgFK5mLiRVBMGHr56rSQTc9wQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOd0duQVR6Z1UvUFo5VWN1 + QUwwSEsvTCtQeFFVRUlFZGlKRzhmSWloQ1JFCk04R2FoNUN4Q1FjNi9pN0psTmh3 + UlEyN3V1Vlc0bVlqVnhESklsY2FCSzQKLS0tIDlxaXBoeGRMTEtYMitxOUkrdTZH + eTIrSE9nb2hBK1p6MkZEaWU3UDUzaGsKoajdXevlahqNUzHTOZ0897uI++dj88UR + M3s5+Rg9GEPtEcEjPFu4Ly6CCC/uIDTzxS57DKlRlDMt/AqMHSaC8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T20:42:13Z" - mac: ENC[AES256_GCM,data:aLOR2YijCEMZ9gCPRCm4ojbuIEylR6VoRpsLil5u53bW8+I6fyjqHCQyKPcninC54XqJn7Vn71PLns8QGqBu4jdRhWe+aVIuCdjQ5b0dIZxiI3+CXyc8PsaXwguXs8uBkEiEtdRq/IwkX3wb/xvtJaOmV1TJFmltPTOMi/cuy/s=,iv:f3+JK/qGH/zdsMadnS8yqBXRWw3NveydANRzosZHz7g=,tag:PDNOM4TAyCWJRRSjzI+Tkg==,type:str] + lastmodified: "2024-11-11T20:46:35Z" + mac: ENC[AES256_GCM,data:NNzdW+E2FMVrLRE7iXqzEgnfe6xCWoQSjl6cDfDpi1zA9ERPgb5zN2D6VhPwNC0R5SkZw6qCkddgzpyDVo5JL2y7l8VAtQ8s/6jULAy5Pr8YXDk2IJG7eJXoXNfCAgx4yVCZs6qQr2msfrvOaSkNW77HTi9GeP3qrWOrKjmixTo=,iv:WD2E46Wi3jd/FsUtQW7HMY4ewsgNQLMHJPBrVH6WZYU=,tag:PA7rsmpWiAXrWlfT5/IUCA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml b/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml index c37c8d90ad3..752024a1dd5 100644 --- a/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml +++ b/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml 
@@ -3,7 +3,7 @@ kind: Secret metadata: name: github-webhook-token-secret stringData: - token: ENC[AES256_GCM,data:/KvBKwNuDSX+TczIbWDdiFgQs1hZDR23kQuqJz4+VHk=,iv:JICqnr/LZ7+UHddOKntT9BPeaCWIsfSf2xMfF0U/WIQ=,tag:CipuYSpQv8tVlC2DUG4OPg==,type:str] + token: ENC[AES256_GCM,data:c43NrMekbe8/hjtTbfC9XdW7BO+dciMiIwA8211On3k=,iv:YV3gVocbDIXQsGgJT5l7xIFfrxuITSuyYM9PQocDRgs=,tag:qmcutAhcZb1vmT60rSCIFw==,type:str] sops: kms: [] gcp_kms: [] @@ -13,14 +13,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQ1RVN1Q0YUYwLy83Nkt2 - ZDlEKzBQZVI5c2xiR1NLdW9OMHNUNngzd0RFCmxBb0JxQzZHZDgzNE5kbC9LQS95 - L2ViTzNDTGtKVkVCaGQraGJKUWhMLzQKLS0tIEpNNlU1cXdIUkM5dis3aUo0SVBT - VEtTNGRBL2JGWjh2ZVFMdVBoVjFrZUUK07ssuFb3R/wOiV3T7j2e7oTT3xok3nQ6 - DZ6yWEQ/ugyUpBOpCWIttVwpgXMJiqOeuyn1NvEgxKNGb13TCLpIKQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUkY3NmZQaVVhR0cwSTVq + QlFTVDh1MnVJOE1uSEQ5WUZ3VHY1VkVQT0RjCksrcDFFZWhuY0ZOYThEWkNJUVZo + eXM3bk5VZGtXZS9YeDZOZGYrZGtoRkUKLS0tIFRDb2M4UGhOR1JCMFpyL1NQUWl4 + VmFvbGE0emR0R2NGMkE1MmxEeXladEUKoKjYAMMLy7SQY1/HoIFQgGa8Sw6QAn9P + vE2/TOTgVOJEJ5kMcMT+FIW1Ep5fJLeUjHjipdZ/LRDJnsQh7Orf1g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T20:42:13Z" - mac: ENC[AES256_GCM,data:kwFILWso4JbF5b0UrJ3dNAFFDHGpv5YpNeX9ZmDTHAgdlN0+icUL/IOWA+fyP68QmR1mc0kVeUmLHfwX+pARW468TacS0GrHBQFidRM+JJAwXNCLjduMGzcX30d4aGEtv+/Vl/HWGjMCq3LoGiyhKk1lbYvHzvIljcn/IlyKY94=,iv:VtS1qpUytiL6LnjRTT27Jk3v2ekxXVTmdFBg6rDbMJ4=,tag:lQyfNpKlIibR3m9sq4TbHw==,type:str] + lastmodified: "2024-11-11T20:46:35Z" + mac: ENC[AES256_GCM,data:22a1jDYw+3aEzDJYyMljhD4oTyiHe/y5NAHKj5fa5LaBQWWfy1OhqCyeLJJMgsdbkOOaFzGqurEDGbcC86Ljq1Jv+xN4+cA5CWn/8vg4Ysh+cHe7jX+UInXTrnB1LXN1zbeGc4s7cgU+nSsp8Qc0uCBmrz0CE6uGKsnlqVa8fvk=,iv:Ri9DdCYdj8Zv45dl+wbBelSFI8WfwJeN46l2LkgP4Ts=,tag:1yQEBp1WlPpFVfpM4/OI8w==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 
diff --git a/kubernetes/apps/network/cloudflared/app/secret.sops.yaml b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml index 214ada73084..dd0b0447ea7 100644 --- a/kubernetes/apps/network/cloudflared/app/secret.sops.yaml +++ b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml @@ -3,8 +3,8 @@ kind: Secret metadata: name: cloudflared-secret stringData: - TUNNEL_ID: ENC[AES256_GCM,data:hnnyYveD4HaJI5923RMkR9QY1SufmIZ8HPXOzOeHVsgosoWy,iv:I63jenosi2S5gfqqcv3qa50iNnYwu2K5wKzanorq07s=,tag:YF89NqqlpN2rg1dghug8Dg==,type:str] - credentials.json: ENC[AES256_GCM,data:n5AkvwoC8D6KnablcFPaVlW7NN+ztBYI3Ng6xMLEHzjHaXZHeI4mO9gnQ8UrOLgAhGnAOzvFAATnTQuisXzvc+mh6wvZUqbmvgfQCGNvngx3vvAnCA7zEbx/u1hYGrUvH0uSAVjvuPLpLwNEk8Ugl991qSa3EnFZXsQ/LEqAY1Qh1Bjc5qdUz3rjIZ42nXxAhvUFoWa5Z/Ni+dWiDTC1AHwRIg9l4UNaJs/eJcDoeg==,iv:ZU9viShstmXcvz3FHk+A9txzQ6I1hQUhq/vvwc453Zw=,tag:IPlXE1b72Zi4p7Fp5mkeyg==,type:str] + TUNNEL_ID: ENC[AES256_GCM,data:vvOrQO2zkuaW5U7u73uHLyHvWbFku55YTO/a9FN1X2Oor+3Y,iv:al3zftWGC204tPP4iJQ5YCdLU67gHHvvcaZgWpfVaEs=,tag:TR64egXEUzjVFsxKR/DxaA==,type:str] + credentials.json: ENC[AES256_GCM,data:19NqI8P/282x7Dm9CilwxY5R/nXzFQJWyLSOzmlrCrxAWexpaPIjvXXdi1tH6ambmXsGksgZ6i64XmlaiAKY3yVtb/dpe8x/8uLX7gI4ea9T70Y4XHgYqMusp2zATjrFQ9/ykOmtYvmXf9USBfXGR76mHVggT9dngn2mJO+EGoW8vrvneq0Pocc+IMZq7RWzPrsb4ODgfU+m/MhM0+OSSwLIrFkm2s+5k27uSDgPnw==,iv:FGS2HIzQ2nR5E7rf1h9fVgED0lSmXOGWawJxVQiipJg=,tag:OpR+r6zN1tn5hVOLcHCTyQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -14,14 +14,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4N1ZJUmJ4Z1pROHlSQUZK - cWNDRVFKM1E0eVNuZEFxd1plUGtZMitreEVrCnQ1UXovc1FpajdPYkkvSHIrMlV6 - TWhUV01TaCtZUGtmcU5QL2RpSHoyeGMKLS0tIE9oVWZPeE1jRTlNY05takJNZEh2 - azNlM2s2QzZ6Vi9oaFlJdU14cmhZdEkKSm5osgKQ7V4R5UbabOBmG9ZySwj6BRxr - IHKywUUb1Pyf2jU45QjbZcPVyoVD3uJwpMDMJsvgnKHiE+aErOFnRw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5QXcxR3RmY2tSdS9CZnVM + WVhLbUc2c1hzNWxrUnliQUdMOFhidXRWK2hRCkFDNmNXOVozRkhYcDc2UzFtRzVh + QUswVHJpN3hXeCs5N1RxbExyUUJvQzQKLS0tIE9wN1k3VmFrWTlmbHhOVFhvUXBY + WGNsckY3MkxzQVFyemQyZWtpdWdickEKxYWftcOcFoQx8tUiT7v2uVWMXAgsZ6GP + 0ZtfhAg0ASGCW7q//5aWId6eXmUVTnVgITBOScuhydQpxlyyZJZm4g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T20:42:13Z" - mac: ENC[AES256_GCM,data:B9lpTJH/2/4EX0GKMX4hl5djwYgqgNlLeNWsvnfQaW6GpSZmabDnVqnNYKqASqI5X3nNMedRn+pBjFgOojMi7ihV4paDemuwq/gbgp9iT/jkVpODwd7nlo9HBVUzLJDdR4GHFuQEItq3inUtWCbmdMSL62sYVHugup8nhS9VjPQ=,iv:Rj5zzhHTeWWWzOKB4AFXSHbMv9hiaj4KMYD2g5/rIGY=,tag:RGpMeJml+lksI8eoCSMXSQ==,type:str] + lastmodified: "2024-11-11T20:46:35Z" + mac: ENC[AES256_GCM,data:T6vm4Lfcrqoo+6Y+xMrZfemKMElCnsdMzpBEdkop8o24E2C3Ek1OJohhPgIBR06vmev0Bw3MV96pygiYulTFRt35kaC6Pfq+r7BMCCP5U480FmhFFQLBHBq6b0SMnyCGDv0RIBZ9535ZmRv9m0YsbFzNeXoacYtLIDGt3WFeotY=,iv:e67wlXj2SjOPcZao1WSKL8OaGozpGWN574BAuWvbQlM=,tag:A3bXVz4TyeCAQ3CGm0wh6A==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/apps/network/external-dns/app/secret.sops.yaml b/kubernetes/apps/network/external-dns/app/secret.sops.yaml index 2ca153cf63e..0c850a6af63 100644 --- a/kubernetes/apps/network/external-dns/app/secret.sops.yaml +++ b/kubernetes/apps/network/external-dns/app/secret.sops.yaml 
@@ -3,7 +3,7 @@ kind: Secret metadata: name: external-dns-secret stringData: - api-token: ENC[AES256_GCM,data:UqYwkZBOc3fN+V3gTe4x86yITReI+0XJZgaoFOmz1z6NmZZuhfdrKw==,iv:B8z/TzIvKS/VnXz8+czfGbZnEXG4VrQNZfRRIgL0ekQ=,tag:OI0q9dFzRH7S/hwhhmPCPg==,type:str] + api-token: ENC[AES256_GCM,data:KMMPMFrgAYmBqpwD6PuEFSfiaoTP4OcRhp/99H9szYgAXOKFAbXBCg==,iv:JjhtaC0BvO0zqnMWHNSzI0KTTf3QWzxrw5T/KjkVJXo=,tag:wIHi4qyCK5VDfJDrdsETSg==,type:str] sops: kms: [] gcp_kms: [] @@ -13,14 +13,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMzkzdzdkNm1GczI2WFN3 - eG1CZ3VTZWxBdmFib2tPWkxta3lnR0tPMVFFCkF0TnF0YVJOczlyNEg5VXFZdlBY - eUowMzRTSXlEd25pblpLMDFyNWI0M2cKLS0tIHFCVVJqM0FGQjA0YWZ5V2drVTdC - YjVsVjdObDN1eDVXZnlmZW5OallDNVEKz86Cc/8jIatz2Umw/PnK2X/JuISbaaef - 3FkZvtUT7BkbsQDKXZWA8rYVZnZiVSNjSHdOL9DNN2rxYcH1NIsZ2w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByNEZ5RmFkTlV4enVTQlgw + MVlxbVZ0VDUrVDRYcWg4RUxXZFFoMkxJK0dNCkZqeFRObzlZRXJ1ckxFOVd5Rndu + aHNUVXNESE9sVDRTb0l5eHdGNUcreEUKLS0tIGx0TGhBczg2SEdOVENTWkZaV1JP + MW1yWDhsb29PTXMyYWVzODJkeUFjMkUKfvjXz4sBFd5nUzvZABgcmuDzFpORtLSK + FCnaX3+zS4EgWqN9I/XK0AQ17tJz80l0/a4ozNnm8ly5+yiX/bUcPA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T20:42:13Z" - mac: ENC[AES256_GCM,data:nd6/A0LLKwJWER/wwJ9hVnv1JmNmx5MccnG8SUuPnXU8rKc0Hu/heq1MwNEPxBHXpwHmwAUNaR+W7/JmZQ/5yZuUdtXnFatikwA4w8c+2BMvIQ1ztIYYPTuL6e/WZc1DVJZechI8PdzNmPZNceyUKYNtGfq06jVQLM2OYgLyF98=,iv:mKfLmBubcf3+cInBERSnVkRKvkGh0QV0AX3uS7j5qnk=,tag:IblDbAIDDjDlD4fyvrzqXA==,type:str] + lastmodified: "2024-11-11T20:46:35Z" + mac: ENC[AES256_GCM,data:kd5s3J4TreCC3YpHJzExC5MZa85JROPTYUMIhnfU+nbj5uWvQylugoEQaZcZeegi9nUR4H05NIxHNRFwpjVqK8ZLDZ1cE7I24T2MJ7zsThmEiiQErP4XTxaU8EldL+r7G4tbNbNXux26MRJ1eB9Ytn1xDmEpsJio3clvA5jnnI0=,iv:NR+yATa6/HDDtIL24MOanNeBw3VPF5F1UOGOEOW8KLU=,tag:dkxoLTCI1FqnP8bWp4iNjA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 
diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml index 0b37ea27170..91d7789c76d 100644 --- a/kubernetes/flux/vars/cluster-secrets.sops.yaml +++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml @@ -4,9 +4,9 @@ metadata: name: cluster-secrets namespace: flux-system stringData: - SECRET_DOMAIN: ENC[AES256_GCM,data:oTTMLBH/ADmFKFLlvkwt9g==,iv:GbezTyN5za8jGou9Gx8sv39P9wixPpen5AyGse8HbR8=,tag:6SgaHC8EqJA9DUm04hcv3w==,type:str] - SECRET_ACME_EMAIL: ENC[AES256_GCM,data:ovXTfdHa4c0PkRZbCZ/dfI+GamdG,iv:z07D5ao2sNr1MIZ3kipIXNdImriV4LtXGq4mVfOHuKE=,tag:Pwt9ofeZKEqBVqlQZR9OIg==,type:str] - SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:7mEKcRJwTh5b3rDSxtNGmwv2lzUM1KH8q4iFMkOAgAF6jIrI,iv:H0DYJVc/X5SyjLrrmi4PVbwqJftoZwJFzaJ+4rgosKc=,tag:5Pp+cWzkjQOVE5EvvaQQfw==,type:str] + SECRET_DOMAIN: ENC[AES256_GCM,data:BlwfPkOavFueElLikL6/+g==,iv:mgGkDLv7Qt/SMS8AhH2Nh2lkDMUqUdFRsUCR/WRiyL0=,tag:oGuDRWzvV6VfcitEellqVg==,type:str] + SECRET_ACME_EMAIL: ENC[AES256_GCM,data:2GUP+ciovGY05aaP2f2SdYJM+r+U,iv:lslkdrOThQgjjG2Pns+AkF1hEO5BuXAHZ/85yrioHB8=,tag:Gv6PDCZl89duzaQiMXEBJg==,type:str] + SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:1FMJHOY4BNCyK6YmrTgvgE/LGVb9x1HV8mwiERFJ71O/gz9z,iv:K5cqg/pIt3+c5eN2OsMd9UGmb9bHYW7/JAMrFR99Pbc=,tag:fFN+Dy1KW5FpbLeRP1OOXg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -16,14 +16,14 @@ sops: - recipient: age17d79xwwv043mkvf45yfr372hc520nd468jxtm0a7wap4an3nxscsn8qtm7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxRkdJSy9NSXRlNG9BcWFU - Z2FsVXVmR3JXYUU4MU1ieFBzSWlQd0JaWmhVCldTTjNabjRWMHo5M0FjTVUzMk5J - UUplRHh3NjlueE01SmxMQ3FpYWZXbHcKLS0tIE1lQVo3MEROcldvVDFWd0w0VGJ5 - SHJWclpiSG40VnRrcVdDVG5OOEo5WkEKHaSeDnZS/PdYfv3Rnu/6uoirINM3ooDL - 48wm3l2MeML9u1NpbaBN2NQbCsm0H4tk5ZfhZwKNmBtmW1/VHfij9A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoVmV4cTIxVngvME9ySXk1 + VnVyV0swemRxYjQ2Z0Fnejl4M2xkZzNvbUNzCjIvTm8xVjFBY3NZa1JXMTZjN3Zw + VDJUVHpVa2RlVkN4azBQZE9FTGVacUkKLS0tIGFnRDZMcDJZeVYwa2FYejNibjFM + S21nNE8wcFJtNG9QWUtoYm82NERRb2cKhborrlU2XccYc2ul00mAjdwwM3jP10d9 + dvClK0QFY6+tYMjH5qTpTMel0Bo57wr4H5Ns/xnxA+JvIyKp3kAyXA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T20:42:13Z" - mac: ENC[AES256_GCM,data:KbbRy00uhtsk048O1E/1fQ19cklqOVH3pBj19+rVBkGHASBDk3nTLV+kukk0tpNu2NETdBuXuTGfwca7ET7hFANDiRMmoJd9DLWCGOmfIsMYdZJzUbM/wFFk43o6law6YO4kdZ6rb6r4/vZX7y+u6CnyYarCaSwpU6pq94FPKlA=,iv:0n8+ucyN0OPGH/ZkprCRh45TDQu94bVc0pXckj5vcFE=,tag:SvKQO7CFNaqcRSOANKtJug==,type:str] + lastmodified: "2024-11-11T20:46:35Z" + mac: ENC[AES256_GCM,data:tknZlL4nC+9bsO/5TYQfAQ7e+CcBpQoCglwsZK8YrWFhF6jO+MKGb7WtEtcgTfraGfMDeoIfVTyX6MSsGsW25nBEqxgKMmV2nJiWYK3KdDDQyoXc1AalijsKdR/DUsogFELxPbgSI5IRGeZu+Uotew6/KB6hNomFXWnNBq2M6Vs=,iv:S7cHsgJfFQVz0zy2/svK7POr1UwxxHapPvxLnHRswkQ=,tag:BizcOas2H4vbpKCtcnhRzA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 From 80fd2b6474e690e616b9ce14256b419e64755511 Mon Sep 17 00:00:00 2001 From: FSemti Dev Date: Sat, 16 Nov 2024 21:56:58 +0000 Subject: [PATCH 05/22] build(storage): :art: update TaskFiles --- .taskfiles/secrets/Taskfile.yaml | 35 ++++++++++++++++++++++++++++++++ Taskfile.yaml | 1 + 2 files changed, 36 insertions(+) create mode 100644 .taskfiles/secrets/Taskfile.yaml 
diff --git a/.taskfiles/secrets/Taskfile.yaml b/.taskfiles/secrets/Taskfile.yaml
new file mode 100644
index 00000000000..deccef20568
--- /dev/null
+++ b/.taskfiles/secrets/Taskfile.yaml
@@ -0,0 +1,35 @@
+version: '3'
+
+env:
+ EDITOR: nvim
+
+tasks:
+ edit-sops-k8s:
+ desc: Edit cluster secrets using SOPS with Neovim
+ cmds:
+ - EDITOR=nvim sops {{.KUBERNETES_DIR}}/flux/vars/cluster-secrets.sops.yaml
+
+ view-sops-k8s:
+ desc: View decrypted cluster secrets file
+ cmds:
+ - sops -d {{.KUBERNETES_DIR}}/flux/vars/cluster-secrets.sops.yaml
+
+ edit-sops-cf:
+ desc: Edit Cloudflare using SOPS with Neovim
+ cmds:
+ - EDITOR=nvim sops {{.KUBERNETES_DIR}}/apps/network/cloudflared/app/secret.sops.yaml
+
+ view-sops-cf:
+ desc: View decrypted Cloudflare secrets file
+ cmds:
+ - sops -d {{.KUBERNETES_DIR}}/apps/network/cloudflared/app/secret.sops.yaml
+
+ view-k8s:
+ desc: View current cluster secrets in Kubernetes
+ cmds:
+ - kubectl get secret cluster-secrets -n flux-system -o yaml
+
+ view-k8s-decoded:
+ desc: View decoded cluster secrets in Kubernetes
+ cmds:
+ - kubectl get secret cluster-secrets -n flux-system -o yaml | yq '.data | map_values(@base64d)'
diff --git a/Taskfile.yaml b/Taskfile.yaml
index 184bc37d27c..e4b3ed90e90 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -23,6 +23,7 @@ includes:
 bootstrap: .taskfiles/bootstrap
 kubernetes: .taskfiles/kubernetes
 talos: .taskfiles/talos
+ secrets: .taskfiles/secrets
 workstation: .taskfiles/workstation
 user:
 taskfile: .taskfiles/User
From 7e52dd863b116688be4e0ad2756ce6c140f189fe Mon Sep 17 00:00:00 2001
From: FSemti Dev Date: Sat, 16 Nov 2024 21:58:25 +0000 Subject: [PATCH 06/22] build(storage): :zap: `add csi-driver-nfs` repo --- kubernetes/flux/repositories/helm/csi-driver-nfs.yaml | 9 +++++++++ kubernetes/flux/repositories/helm/kustomization.yaml | 1 + 2 files changed, 10 insertions(+) create mode 100644 kubernetes/flux/repositories/helm/csi-driver-nfs.yaml
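Review bot: The file-level `env: EDITOR: nvim` already applies to every task, so the `EDITOR=nvim` prefix on the `edit-sops-k8s` and `edit-sops-cf` commands is redundant; keep one mechanism, e.g. `- sops {{.KUBERNETES_DIR}}/flux/vars/cluster-secrets.sops.yaml`. `{{.KUBERNETES_DIR}}` is not declared in this Taskfile and presumably comes from the root Taskfile's include; declaring `requires: vars: [KUBERNETES_DIR]` on these tasks (supported by recent Task releases) makes a missing variable fail with a clear message instead of sops reporting a missing `/flux/vars/...` file. The four `view-*` tasks intentionally print decrypted or decoded secret values to stdout; a one-line comment stating that, such as `# prints plaintext secrets to the terminal`, makes it obvious before someone runs them in a recorded or shared session.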
diff --git a/kubernetes/flux/repositories/helm/csi-driver-nfs.yaml b/kubernetes/flux/repositories/helm/csi-driver-nfs.yaml
new file mode 100644
index 00000000000..2eb2fccc535
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/csi-driver-nfs.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: csi-driver-nfs
+ namespace: flux-system
+spec:
+ interval: 30m
+ url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml
index 004f10decdc..2c783599d3b 100644
--- a/kubernetes/flux/repositories/helm/kustomization.yaml
+++ b/kubernetes/flux/repositories/helm/kustomization.yaml
@@ -15,3 +15,4 @@ resources:
 - ./external-dns.yaml
 - ./ingress-nginx.yaml
 - ./k8s-gateway.yaml
+ - ./csi-driver-nfs.yaml
From e281349064e92acded3c9bd527fe350ae77d8d9b Mon Sep 17 00:00:00 2001
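Review bot: `apiVersion: source.toolkit.fluxcd.io/v1beta2` is the deprecated HelmRepository API; Flux 2.3 and later serve it as `source.toolkit.fluxcd.io/v1`, and the `helm.toolkit.fluxcd.io/v2beta1` HelmRelease in the next patch's csi-driver-nfs/app/helmrelease.yaml has the same issue (the GA version is `helm.toolkit.fluxcd.io/v2`). If the cluster runs a current Flux, use the GA versions now rather than migrating later. The chart index is pulled from the upstream repo's `master` branch via raw.githubusercontent.com, so the index content is not pinned; the `version: v4.4.0` in the HelmRelease is what keeps the installed chart stable, and a short comment above `url:` noting this would help the next reader. In kustomization.yaml the new `- ./csi-driver-nfs.yaml` is appended after `./k8s-gateway.yaml`, breaking the list's alphabetical order; insert it in sorted position instead.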
From: FSemti Dev Date: Sat, 16 Nov 2024 22:26:11 +0000 Subject: [PATCH 07/22] feat(storage): :zap: build nfs storage classes --- .../csi-driver-nfs/app/helmrelease.yaml | 19 +++++++++++++++++++ .../csi-driver-nfs/app/kustomization.yaml | 8 ++++++++ .../csi-driver-nfs/app/sc-config-nfs.yaml | 18 ++++++++++++++++++ .../csi-driver-nfs/app/sc-data-nfs.yaml | 18 ++++++++++++++++++ .../apps/storage/csi-driver-nfs/ks.yaml | 16 ++++++++++++++++ kubernetes/apps/storage/kustomization.yaml | 6 ++++++ kubernetes/apps/storage/namespace.yaml | 7 +++++++ kubernetes/flux/vars/cluster-settings.yaml | 3 +++ 8 files changed, 95 insertions(+) create mode 100644 kubernetes/apps/storage/csi-driver-nfs/app/helmrelease.yaml create mode 100644 kubernetes/apps/storage/csi-driver-nfs/app/kustomization.yaml create mode 100644 kubernetes/apps/storage/csi-driver-nfs/app/sc-config-nfs.yaml create mode 100644 kubernetes/apps/storage/csi-driver-nfs/app/sc-data-nfs.yaml create mode 100644 kubernetes/apps/storage/csi-driver-nfs/ks.yaml create mode 100644 kubernetes/apps/storage/kustomization.yaml create mode 100644 kubernetes/apps/storage/namespace.yaml
diff --git a/kubernetes/apps/storage/csi-driver-nfs/app/helmrelease.yaml b/kubernetes/apps/storage/csi-driver-nfs/app/helmrelease.yaml
new file mode 100644
index 00000000000..c13e9dfe8dd
--- /dev/null
+++ b/kubernetes/apps/storage/csi-driver-nfs/app/helmrelease.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: csi-driver-nfs
+ namespace: storage
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: csi-driver-nfs
+ version: v4.4.0
+ sourceRef:
+ kind: HelmRepository
+ name: csi-driver-nfs
+ namespace: flux-system
+ values:
+ controller:
+ replicas: 1
diff --git a/kubernetes/apps/storage/csi-driver-nfs/app/kustomization.yaml b/kubernetes/apps/storage/csi-driver-nfs/app/kustomization.yaml
new file mode 100644
index 00000000000..6b18aad2930
--- /dev/null
+++ b/kubernetes/apps/storage/csi-driver-nfs/app/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: storage
+resources:
+ - ./helmrelease.yaml
+ - ./sc-config-nfs.yaml
+ - ./sc-data-nfs.yaml
diff --git a/kubernetes/apps/storage/csi-driver-nfs/app/sc-config-nfs.yaml b/kubernetes/apps/storage/csi-driver-nfs/app/sc-config-nfs.yaml
new file mode 100644
index 00000000000..ae0aa02c2dc
--- /dev/null
+++ b/kubernetes/apps/storage/csi-driver-nfs/app/sc-config-nfs.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: config-nfs
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+provisioner: nfs.csi.k8s.io
+parameters:
+ server: ${SETTINGS_NAS_IP}
+ share: ${SETTINGS_NAS_CONFIG_PATH}
+mountOptions:
+ - nfsvers=3
+ - hard
+ - noatime
+ - nolock
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
diff --git a/kubernetes/apps/storage/csi-driver-nfs/app/sc-data-nfs.yaml b/kubernetes/apps/storage/csi-driver-nfs/app/sc-data-nfs.yaml
new file mode 100644
index 00000000000..724a5337568
--- /dev/null
+++ b/kubernetes/apps/storage/csi-driver-nfs/app/sc-data-nfs.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: data-nfs
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+provisioner: nfs.csi.k8s.io
+parameters:
+ server: ${SETTINGS_NAS_IP}
+ share: ${SETTINGS_NAS_DATA_PATH}
+mountOptions:
+ - nfsvers=3
+ - hard
+ - noatime
+ - nolock
+reclaimPolicy: Retain
+volumeBindingMode: Immediate
diff --git a/kubernetes/apps/storage/csi-driver-nfs/ks.yaml b/kubernetes/apps/storage/csi-driver-nfs/ks.yaml
new file mode 100644
index 00000000000..9114a283ce5
--- /dev/null
+++ b/kubernetes/apps/storage/csi-driver-nfs/ks.yaml
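Review bot: Both `sc-config-nfs.yaml` and `sc-data-nfs.yaml` set `storageclass.kubernetes.io/is-default-class: "true"`, so the cluster gets two default StorageClasses; a PVC with no `storageClassName` is then either rejected by admission or bound to whichever default was created last, depending on the Kubernetes version. Only one class should carry the annotation — drop it from the other (or set it to `"false"`) so the default is an explicit choice. Since the two classes differ in `reclaimPolicy` (`Delete` vs `Retain`), the one chosen as default decides whether an unannotated PVC's data survives PVC deletion, which deserves a comment next to the annotation, e.g. `# default class: unannotated PVCs land here; check reclaimPolicy before relying on it`.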
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cluster-apps-csi-driver-nfs
+ namespace: flux-system
+spec:
+ path: ./kubernetes/apps/storage/csi-driver-nfs/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/storage/kustomization.yaml b/kubernetes/apps/storage/kustomization.yaml
new file mode 100644
index 00000000000..aa0cf9543c5
--- /dev/null
+++ b/kubernetes/apps/storage/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./csi-driver-nfs/ks.yaml
diff --git a/kubernetes/apps/storage/namespace.yaml b/kubernetes/apps/storage/namespace.yaml
new file mode 100644
index 00000000000..a8966521efe
--- /dev/null
+++ b/kubernetes/apps/storage/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: storage
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/flux/vars/cluster-settings.yaml b/kubernetes/flux/vars/cluster-settings.yaml
index b64f194e152..dc656061e69 100644
--- a/kubernetes/flux/vars/cluster-settings.yaml
+++ b/kubernetes/flux/vars/cluster-settings.yaml
@@ -6,3 +6,6 @@ metadata:
 namespace: flux-system
 data:
 SETTING_EXAMPLE: Global settings for your cluster go in this file, this file is NOT encrypted
+ SETTINGS_NAS_IP: 10.0.40.250
+ SETTINGS_NAS_CONFIG_PATH: /k8s-config
+ SETTINGS_NAS_DATA_PATH: /k8s-data
From 3c757b20937f671e56ccc2d1d69006ce58a77991 Mon Sep 17 00:00:00 2001
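Review bot: The `cluster-apps-csi-driver-nfs` Kustomization spec has no `postBuild.substituteFrom`, yet the StorageClasses it applies contain `${SETTINGS_NAS_IP}`, `${SETTINGS_NAS_CONFIG_PATH}` and `${SETTINGS_NAS_DATA_PATH}`, which are only replaced when the ConfigMap from kubernetes/flux/vars/cluster-settings.yaml (extended in the last hunk of this commit) is referenced. Unless the parent Kustomization patches that reference into every child (not visible here), the placeholders stay literal and the NFS provisioner is handed `${SETTINGS_NAS_IP}` as the server address. Add a `postBuild.substituteFrom` entry of kind `ConfigMap` naming that ConfigMap, or document the parent-side patch with a comment such as `# ${SETTINGS_*} are substituted via postBuild.substituteFrom patched in by the parent Kustomization`. The hajimari and homepage `ks.yaml` files later in this series have the same gap.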
From: FSemti Dev Date: Sat, 16 Nov 2024 22:34:18 +0000 Subject: [PATCH 08/22] build(hajimari): :rocket: build hajimari application --- .../default/hajimari/app/helmrelease.yaml | 102 ++++++++++++++++++ .../default/hajimari/app/kustomization.yaml | 9 ++ kubernetes/apps/default/hajimari/app/pvc.yaml | 16 +++ kubernetes/apps/default/hajimari/ks.yaml | 18 ++++ kubernetes/apps/default/kustomization.yaml | 7 ++ kubernetes/apps/default/namespace.yaml | 7 ++ 6 files changed, 159 insertions(+) create mode 100644 kubernetes/apps/default/hajimari/app/helmrelease.yaml create mode 100644 kubernetes/apps/default/hajimari/app/kustomization.yaml create mode 100644 kubernetes/apps/default/hajimari/app/pvc.yaml create mode 100644 kubernetes/apps/default/hajimari/ks.yaml create mode 100644 kubernetes/apps/default/kustomization.yaml create mode 100644 kubernetes/apps/default/namespace.yaml diff --git a/kubernetes/apps/default/hajimari/app/helmrelease.yaml b/kubernetes/apps/default/hajimari/app/helmrelease.yaml new file mode 100644 index 00000000000..e36531568d9 --- /dev/null +++ b/kubernetes/apps/default/hajimari/app/helmrelease.yaml 
@@ -0,0 +1,102 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: hajimari
+ namespace: default
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: hajimari
+ version: 2.0.2
+ sourceRef:
+ kind: HelmRepository
+ name: hajimari
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values:
+ controller:
+ strategy: RollingUpdate
+
+ env:
+ - name: HAJIMARI_DEFAULT_GROUP
+ value: "default"
+
+ persistence:
+ config:
+ enabled: true
+ storageClass: configs-nfs
+ accessMode: ReadWriteOnce
+ size: 1Gi
+ volumeAttributes:
+ server: ${NAS_IP}
+ share: ${SETTINGS_NAS_APPDATA_PATH}
+
+ hajimari:
+ defaultEnable: true
+ namespaceSelector:
+ matchNames:
+ - default
+ - networking
+ name: "Fabrice"
+ customApps:
+ - name: Some App
+ url: http://some-app.default.svc.cluster.local
+ icon: test-tube
+ groups:
+ - name: Kubernetes
+ links:
+ - name: Rancher
+ url: "https://rancher.example.com"
+ - name: Grafana
+ url: "https://grafana.example.com"
+
+ ingress:
+ main:
+ enabled: true
+ ingressClassName: external
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}"
+ hosts:
+ - host: &host "hajimari.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ memory: 256Mi
+
+ serviceMonitor:
+ main:
+ enabled: true
+ endpoints:
+ - port: http
+ scheme: http
+ path: /metrics
+ interval: 1m
+ scrapeTimeout: 10s
+
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
+
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ fsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/kubernetes/apps/default/hajimari/app/kustomization.yaml b/kubernetes/apps/default/hajimari/app/kustomization.yaml
new file mode 100644
index 00000000000..d7364cb624a
--- /dev/null
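Review bot: The ingress block defines the `&host` anchor on the `- host:` line but nothing references it and there is no `tls:` section, so `hajimari.${SECRET_DOMAIN}` is served over plain HTTP on the `external` ingress class with an external-dns target, and a dashboard that, per `defaultEnable: true` and the namespace selector, is configured to list ingresses in the `default` and `networking` namespaces becomes readable by anyone who resolves the name. Add `tls:` with `- hosts: [*host]` and `secretName: hajimari-tls` as the homepage release in this series does, and either move the release to an internal ingress class or front it with whatever authentication annotation the ingress controller in use supports. The `customApps` and `groups` entries (`some-app.default.svc.cluster.local`, `rancher.example.com`, `grafana.example.com`) are template placeholders that will render as dead links and should be replaced or removed before the release is exposed.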
+++ b/kubernetes/apps/default/hajimari/app/kustomization.yaml @@ -0,0 +1,9 @@ +# /kubernetes/apps/default/hajimari/app/kustomization.yaml +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: default +resources: + - ./helmrelease.yaml + - ./pvc.yaml +--- diff --git a/kubernetes/apps/default/hajimari/app/pvc.yaml b/kubernetes/apps/default/hajimari/app/pvc.yaml new file mode 100644 index 00000000000..cd146e4e636 --- /dev/null +++ b/kubernetes/apps/default/hajimari/app/pvc.yaml @@ -0,0 +1,16 @@ +# /kubernetes/apps/default/hajimari/app/pvc.yaml +--- +aapiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: hajimari-config + namespace: default +spec: + accessModes: + - ReadWriteOnce + storageClassName: config-nfs + resources: + requests: + storage: 1Gi + volumeAttributes: + subPath: hajimari-config diff --git a/kubernetes/apps/default/hajimari/ks.yaml b/kubernetes/apps/default/hajimari/ks.yaml new file mode 100644 index 00000000000..cc7f47b74a0 --- /dev/null +++ b/kubernetes/apps/default/hajimari/ks.yaml @@ -0,0 +1,18 @@ +# /kubernetes/apps/default/hajimari/ks.yaml +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster-apps-hajimari + namespace: flux-system +spec: + path: ./kubernetes/apps/default/hajimari/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: true + interval: 30m + retryInterval: 1m + timeout: 5m +--- \ No newline at end of file diff --git a/kubernetes/apps/default/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml new file mode 100644 index 00000000000..5ecb205db2b --- /dev/null +++ b/kubernetes/apps/default/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./hajimari/ks.yaml + diff --git a/kubernetes/apps/default/namespace.yaml b/kubernetes/apps/default/namespace.yaml new file mode 100644 index 00000000000..f659b055df0 --- /dev/null 
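Review bot: The trailing `---` on the last line of the hajimari kustomization.yaml starts a second, empty YAML document; kustomize reads only the first document of a kustomization file, so it is harmless today, but strict single-document parsers reject the file — including the `check-yaml` hook that a later commit in this series enables, which fails on multi-document files unless it is given `--allow-multiple-documents`. Drop the trailing `---` here, in the hajimari `ks.yaml` of this same commit (which also ends with `\ No newline at end of file`), and in the homepage `ks.yaml` and kustomization.yaml added later.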
+++ b/kubernetes/apps/default/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: default + labels: + kustomize.toolkit.fluxcd.io/prune: disabled From 3847d822fa9e2b30e9092655e102f298e83c94b0 Mon Sep 17 00:00:00 2001 From: FSemti Dev Date: Sat, 16 Nov 2024 22:36:13 +0000 Subject: [PATCH 09/22] build(hajimari): :ambulance: add repository --- kubernetes/flux/repositories/helm/hajimari.yaml | 10 ++++++++++ kubernetes/flux/repositories/helm/kustomization.yaml | 1 + 2 files changed, 11 insertions(+) create mode 100644 kubernetes/flux/repositories/helm/hajimari.yaml diff --git a/kubernetes/flux/repositories/helm/hajimari.yaml b/kubernetes/flux/repositories/helm/hajimari.yaml new file mode 100644 index 00000000000..5ab22fc624b --- /dev/null +++ b/kubernetes/flux/repositories/helm/hajimari.yaml @@ -0,0 +1,10 @@ +# /kubernetes/flux/repositories/helm/hajimari.yaml +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: hajimari + namespace: flux-system +spec: + interval: 1h + url: https://hajimari.io diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml index 2c783599d3b..5cd244adb63 100644 --- a/kubernetes/flux/repositories/helm/kustomization.yaml +++ b/kubernetes/flux/repositories/helm/kustomization.yaml @@ -16,3 +16,4 @@ resources: - ./ingress-nginx.yaml - ./k8s-gateway.yaml - ./csi-driver-nfs.yaml + - ./hajimari.yaml From 74586085a599d91a5138ef2d485445227a742cfc Mon Sep 17 00:00:00 2001 From: FSemti Dev Date: Sat, 16 Nov 2024 22:41:10 +0000 Subject: [PATCH 10/22] fix(hajimari): :ambulance: adjust persistence --- .../default/hajimari/app/helmrelease.yaml | 23 +++++++++++-------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/kubernetes/apps/default/hajimari/app/helmrelease.yaml b/kubernetes/apps/default/hajimari/app/helmrelease.yaml index e36531568d9..2bc1408ce97 100644 
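Review bot: The `default` Namespace manifest carries only the Flux prune label and no Pod Security Admission labels, so nothing at the namespace level backs the non-root, no-privilege-escalation posture that the hajimari HelmRelease in this series sets in its own `securityContext`. Adding `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` next to the prune label surfaces any workload in this namespace that drops below that baseline without blocking it; `enforce` can follow once the homepage release, which sets no security context at all, is brought in line. The `storage` namespace earlier in this series hosts the CSI driver and likely needs privileged node pods, so this suggestion is specific to `default`.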
--- a/kubernetes/apps/default/hajimari/app/helmrelease.yaml +++ b/kubernetes/apps/default/hajimari/app/helmrelease.yaml @@ -29,15 +29,20 @@ spec: - name: HAJIMARI_DEFAULT_GROUP value: "default" - persistence: - config: - enabled: true - storageClass: configs-nfs - accessMode: ReadWriteOnce - size: 1Gi - volumeAttributes: - server: ${NAS_IP} - share: ${SETTINGS_NAS_APPDATA_PATH} +persistence: + config: + enabled: true + existingClaim: hajimari-config # Reference your existing PVC + + # persistence: + # config: + # enabled: true + # storageClass: configs-nfs + # accessMode: ReadWriteOnce + # size: 1Gi + # volumeAttributes: + # server: ${NAS_IP} + # share: ${SETTINGS_NAS_APPDATA_PATH} hajimari: defaultEnable: true From 03640c790fabacd4fac6293f8bed6ee33c68828e Mon Sep 17 00:00:00 2001 From: FSemti Dev Date: Sat, 16 Nov 2024 22:49:01 +0000 Subject: [PATCH 11/22] fix(hajimari): :bug: fix kubevalidations --- kubernetes/apps/default/hajimari/app/pvc.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/kubernetes/apps/default/hajimari/app/pvc.yaml b/kubernetes/apps/default/hajimari/app/pvc.yaml index cd146e4e636..39c15df210a 100644 --- a/kubernetes/apps/default/hajimari/app/pvc.yaml +++ b/kubernetes/apps/default/hajimari/app/pvc.yaml @@ -1,6 +1,6 @@ # /kubernetes/apps/default/hajimari/app/pvc.yaml --- -aapiVersion: v1 +apiVersion: v1 kind: PersistentVolumeClaim metadata: name: hajimari-config @@ -12,5 +12,4 @@ spec: resources: requests: storage: 1Gi - volumeAttributes: - subPath: hajimari-config + From d4713d6f0a39ffa69bdfb2afe7ca817979daf1cd Mon Sep 17 00:00:00 2001 From: FSemti Dev Date: Sat, 16 Nov 2024 22:52:44 +0000 Subject: [PATCH 12/22] fix(hajimari): :ambulance: missed indentation --- kubernetes/apps/default/hajimari/app/helmrelease.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
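Review bot: The nine commented-out `# persistence:` lines added below the new `existingClaim` block preserve configuration that git history already keeps, and they still carry `${NAS_IP}` and `${SETTINGS_NAS_APPDATA_PATH}`, names that cluster-settings.yaml does not define (it defines `SETTINGS_NAS_IP`, `SETTINGS_NAS_CONFIG_PATH` and `SETTINGS_NAS_DATA_PATH`), so the block would not work if someone uncommented it. Remove the commented block rather than leaving a misleading template in a live values file; the homepage widget change later in this series repeats the same pattern. The enclosing `values:` mapping starts and ends outside this hunk.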
diff --git a/kubernetes/apps/default/hajimari/app/helmrelease.yaml b/kubernetes/apps/default/hajimari/app/helmrelease.yaml index 2bc1408ce97..4d8d7d0ed19 100644 --- a/kubernetes/apps/default/hajimari/app/helmrelease.yaml +++ b/kubernetes/apps/default/hajimari/app/helmrelease.yaml @@ -29,10 +29,10 @@ spec: - name: HAJIMARI_DEFAULT_GROUP value: "default" -persistence: - config: - enabled: true - existingClaim: hajimari-config # Reference your existing PVC + persistence: + config: + enabled: true + existingClaim: hajimari-config # Reference your existing PVC # persistence: # config: From 6a07f38d32898148a0bc1a05516fed0db976239e Mon Sep 17 00:00:00 2001 From: FSemti Dev Date: Sat, 16 Nov 2024 23:05:26 +0000 Subject: [PATCH 13/22] build(homepage): :zap: add homepage repository --- .../flux/repositories/helm/homepage-jameswynn.yaml | 9 +++++++++ kubernetes/flux/repositories/helm/kustomization.yaml | 1 + 2 files changed, 10 insertions(+) create mode 100644 kubernetes/flux/repositories/helm/homepage-jameswynn.yaml diff --git a/kubernetes/flux/repositories/helm/homepage-jameswynn.yaml b/kubernetes/flux/repositories/helm/homepage-jameswynn.yaml new file mode 100644 index 00000000000..4e9bed763b0 --- /dev/null +++ b/kubernetes/flux/repositories/helm/homepage-jameswynn.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: jameswynn + namespace: flux-system +spec: + interval: 1h + url: https://jameswynn.github.io/helm-charts diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml index 5cd244adb63..c5bb12222fd 100644 --- a/kubernetes/flux/repositories/helm/kustomization.yaml +++ b/kubernetes/flux/repositories/helm/kustomization.yaml @@ -17,3 +17,4 @@ resources: - ./k8s-gateway.yaml - ./csi-driver-nfs.yaml - ./hajimari.yaml + - ./homepage-jameswynn.yaml From 3ce7d9311f14a65248a249ac80f99af072496290 Mon Sep 17 00:00:00 2001 
From: FSemti Dev Date: Sat, 16 Nov 2024 23:17:19 +0000 Subject: [PATCH 14/22] build(homepage): :rocket: try deploy this app --- .../default/homepage/app/helmrelease.yaml | 92 +++++++++++++++++++ kubernetes/apps/default/homepage/app/pvc.yaml | 14 +++ kubernetes/apps/default/homepage/ks.yaml | 17 ++++ .../flux/repositories/helm/kustomization.yaml | 2 +- kubernetes/flux/vars/cluster-settings.yaml | 1 + 5 files changed, 125 insertions(+), 1 deletion(-) create mode 100644 kubernetes/apps/default/homepage/app/helmrelease.yaml create mode 100644 kubernetes/apps/default/homepage/app/pvc.yaml create mode 100644 kubernetes/apps/default/homepage/ks.yaml diff --git a/kubernetes/apps/default/homepage/app/helmrelease.yaml b/kubernetes/apps/default/homepage/app/helmrelease.yaml new file mode 100644 index 00000000000..1c9c6037974 --- /dev/null +++ b/kubernetes/apps/default/homepage/app/helmrelease.yaml 
@@ -0,0 +1,92 @@ +--- +#? https://github.com/gethomepage/homepage/blob/dev/kubernetes.md + +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: homepage + namespace: default +spec: + interval: 30m + chart: + spec: + chart: homepage + version: 0.9.12 + sourceRef: + kind: HelmRepository + name: jameswynn + namespace: flux-system + values: + image: + repository: ghcr.io/gethomepage/homepage + pullPolicy: IfNotPresent + + enableRbac: true + serviceAccount: + create: true + name: homepage-sa + + ingress: + main: + enabled: true + ingressClassName: external + annotations: + external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}" + hajimari.io/enable: "true" + hosts: + - host: &host "homepage.${SECRET_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - *host + secretName: homepage-tls + + persistence: + config: + enabled: true + existingClaim: homepage-config + logs: + enabled: true + type: emptyDir + mountPath: /app/config/logs + + config: + kubernetes: + mode: cluster + widgets: + - resources: + backend: kubernetes + expanded: true + cpu: true + memory: true + - kubernetes: + cluster: + show: true + cpu: true + memory: true + showLabel: true + - search: + provider: duckduckgo + target: _blank + services: + - Infrastructure: + - Kubernetes Dashboard: + href: https://kubernetes.${SECRET_DOMAIN} + description: Kubernetes Dashboard + - Flux: + href: https://flux.${SECRET_DOMAIN} + description: GitOps Operator + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + memory: 256Mi + + env: + - name: TZ + value: "${TIMEZONE}" diff --git a/kubernetes/apps/default/homepage/app/pvc.yaml b/kubernetes/apps/default/homepage/app/pvc.yaml new file mode 100644 index 00000000000..ed73b778138 --- /dev/null +++ b/kubernetes/apps/default/homepage/app/pvc.yaml 
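Review bot: `enableRbac: true` with the dedicated `homepage-sa` service account is what the chart uses to grant the pod cluster read access for the `kubernetes` widget (the exact ClusterRole is chart-defined and not visible here), and the same release is published on `ingressClassName: external` with an external-dns target and no authentication, so cluster inventory — node CPU/memory, the `services` entries and whatever the widget discovers — is viewable by anyone who can reach `homepage.${SECRET_DOMAIN}`. Either serve it from an internal ingress class or add an authentication layer at the ingress before exposing it, and record the decision with a comment on the `ingress:` block. The `tls` entry names `secretName: homepage-tls`, but there is no cert-manager issuer annotation on the ingress, so unless a default issuer is configured elsewhere (not visible here) no certificate will be issued for that secret. The `image:` block sets `repository` and `pullPolicy` but no `tag`, so the deployed version is whatever the chart's default happens to be; pin it or document that choice.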
@@ -0,0 +1,14 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: homepage-config + namespace: default +spec: + accessModes: + - ReadWriteOnce + storageClassName: config-nfs + resources: + requests: + storage: 1Gi + diff --git a/kubernetes/apps/default/homepage/ks.yaml b/kubernetes/apps/default/homepage/ks.yaml new file mode 100644 index 00000000000..53d3ca80ec8 --- /dev/null +++ b/kubernetes/apps/default/homepage/ks.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster-apps-homepage + namespace: flux-system +spec: + path: ./kubernetes/apps/default/homepage/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: true + interval: 30m + retryInterval: 1m + timeout: 5m +--- diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml index c5bb12222fd..01c9573149e 100644 --- a/kubernetes/flux/repositories/helm/kustomization.yaml +++ b/kubernetes/flux/repositories/helm/kustomization.yaml @@ -17,4 +17,4 @@ resources: - ./k8s-gateway.yaml - ./csi-driver-nfs.yaml - ./hajimari.yaml - - ./homepage-jameswynn.yaml + - ./homepage-jameswynn.yaml\ diff --git a/kubernetes/flux/vars/cluster-settings.yaml b/kubernetes/flux/vars/cluster-settings.yaml index dc656061e69..2028b3c1beb 100644 --- a/kubernetes/flux/vars/cluster-settings.yaml +++ b/kubernetes/flux/vars/cluster-settings.yaml @@ -9,3 +9,4 @@ data: SETTINGS_NAS_IP: 10.0.40.250 SETTINGS_NAS_CONFIG_PATH: /k8s-config SETTINGS_NAS_DATA_PATH: /k8s-data + TIMEZONE: Europe/London From cb059e39cc2670455cff21418fdb6e41eda20dcc Mon Sep 17 00:00:00 2001 
From: FSemti Dev Date: Sat, 16 Nov 2024 23:20:49 +0000 Subject: [PATCH 15/22] fix(homepage): :ambulance: kustomization mistakes --- kubernetes/apps/default/homepage/app/kustomization.yaml | 9 +++++++++ kubernetes/flux/repositories/helm/kustomization.yaml | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 kubernetes/apps/default/homepage/app/kustomization.yaml diff --git a/kubernetes/apps/default/homepage/app/kustomization.yaml b/kubernetes/apps/default/homepage/app/kustomization.yaml new file mode 100644 index 00000000000..d7364cb624a --- /dev/null +++ b/kubernetes/apps/default/homepage/app/kustomization.yaml @@ -0,0 +1,9 @@ +# /kubernetes/apps/default/hajimari/app/kustomization.yaml +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: default +resources: + - ./helmrelease.yaml + - ./pvc.yaml +--- diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml index 01c9573149e..c5bb12222fd 100644 --- a/kubernetes/flux/repositories/helm/kustomization.yaml +++ b/kubernetes/flux/repositories/helm/kustomization.yaml @@ -17,4 +17,4 @@ resources: - ./k8s-gateway.yaml - ./csi-driver-nfs.yaml - ./hajimari.yaml - - ./homepage-jameswynn.yaml\ + - ./homepage-jameswynn.yaml From 77e64e4dd7d700aa437a216ff2fc236409aa2a99 Mon Sep 17 00:00:00 2001 From: FSemti Dev Date: Sat, 16 Nov 2024 23:25:29 +0000 Subject: [PATCH 16/22] fix(homepage): :ambulance: activate kustomization --- kubernetes/apps/default/kustomization.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kubernetes/apps/default/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml index 5ecb205db2b..0467f133af5 100644 --- a/kubernetes/apps/default/kustomization.yaml +++ b/kubernetes/apps/default/kustomization.yaml @@ -4,4 +4,5 @@ kind: Kustomization resources: - ./namespace.yaml - ./hajimari/ks.yaml + - ./homepage/ks.yaml From 4cfd71c2d7a7dd07d9eff62e6d861862f965a5ab Mon Sep 17 00:00:00 2001 
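Review bot: The header comment on the first added line, `# /kubernetes/apps/default/hajimari/app/kustomization.yaml`, names the hajimari file although this kustomization lives under `homepage/app`; the blob id `d7364cb624a` in the index line matches the hajimari kustomization.yaml byte for byte, so this is a straight copy. Change the comment to `# /kubernetes/apps/default/homepage/app/kustomization.yaml`, or drop these path comments altogether since they drift on every copy. The trailing `---` on the last added line starts an empty second document and can go as well.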
From: FSemti Dev Date: Sat, 16 Nov 2024 23:28:39 +0000 Subject: [PATCH 17/22] fix version --- kubernetes/apps/default/homepage/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/default/homepage/app/helmrelease.yaml b/kubernetes/apps/default/homepage/app/helmrelease.yaml index 1c9c6037974..5224bc41b31 100644 --- a/kubernetes/apps/default/homepage/app/helmrelease.yaml +++ b/kubernetes/apps/default/homepage/app/helmrelease.yaml @@ -12,7 +12,7 @@ spec: chart: spec: chart: homepage - version: 0.9.12 + version: 2.0.1 sourceRef: kind: HelmRepository name: jameswynn From 7149a3584d74b50c5187d1fb1bc98b4ee3999f4a Mon Sep 17 00:00:00 2001 From: FSemti Dev Date: Sat, 16 Nov 2024 23:35:21 +0000 Subject: [PATCH 18/22] update kubernetes widget --- .../default/homepage/app/helmrelease.yaml | 53 +++++++++++++------ 1 file changed, 37 insertions(+), 16 deletions(-) diff --git a/kubernetes/apps/default/homepage/app/helmrelease.yaml b/kubernetes/apps/default/homepage/app/helmrelease.yaml index 5224bc41b31..85a1e4be9ae 100644 --- a/kubernetes/apps/default/homepage/app/helmrelease.yaml +++ b/kubernetes/apps/default/homepage/app/helmrelease.yaml 
@@ -57,28 +57,49 @@ spec: kubernetes: mode: cluster widgets: - - resources: - backend: kubernetes - expanded: true - cpu: true - memory: true - kubernetes: cluster: + # Shows the cluster node show: true + # Shows the aggregate CPU stats cpu: true + # Shows the aggregate memory stats memory: true + # Shows a custom label showLabel: true - - search: - provider: duckduckgo - target: _blank - services: - - Infrastructure: - - Kubernetes Dashboard: - href: https://kubernetes.${SECRET_DOMAIN} - description: Kubernetes Dashboard - - Flux: - href: https://flux.${SECRET_DOMAIN} - description: GitOps Operator + label: "cluster" + nodes: + # Shows the clusters + show: true + # Shows the CPU for each node + cpu: true + # Shows the memory for each node + memory: true + # Shows the label, which is always the node name + showLabel: true + + # - resources: + # backend: kubernetes + # expanded: true + # cpu: true + # memory: true + # - kubernetes: + # cluster: + # show: true + # cpu: true + # memory: true + # showLabel: true + # - search: + # provider: duckduckgo + # target: _blank + # services: + # - Infrastructure: + # - Kubernetes Dashboard: + # href: https://kubernetes.${SECRET_DOMAIN} + # description: Kubernetes Dashboard + # - Flux: + # href: https://flux.${SECRET_DOMAIN} + # description: GitOps Operator resources: requests: From bee0278411cd8b9d106b0c1be84a72820b29cc96 Mon Sep 17 00:00:00 2001 From: FSemti Dev Date: Sun, 17 Nov 2024 16:31:14 +0000 Subject: [PATCH 19/22] initialize pre-commit --- .pre-commit-config.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000000..5926fdd1b25 --- /dev/null +++ b/.pre-commit-config.yaml 
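Review bot: The new `cluster`/`nodes` widget block is followed by roughly twenty commented-out lines reproducing the `resources`, `search` and `services` entries that this same hunk deletes; they render to nothing in the chart values and only duplicate what git history keeps, so drop them. If a worked example is wanted nearby, a one-line comment pointing at the upstream documentation URL already at the top of this file is enough. `nodes.show: true` with `showLabel: true` publishes node names on a page that this release's ingress currently exposes externally; a comment such as `# exposes node names — keep behind an authenticated or internal ingress` next to it records that dependency.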
@@ -0,0 +1,25 @@ +--- +repos: + - repo: local + hooks: + - id: kubeconform + name: Validate Kubernetes manifests + entry: task kubernetes:kubeconform + language: system + pass_filenames: false + types: [yaml] + files: ^kubernetes/.*\.(yaml|yml)$ + + # - repo: https://github.com/pre-commit/pre-commit-hooks + # rev: v4.5.0 + # hooks: + # - id: trailing-whitespace + # - id: end-of-file-fixer + # - id: check-yaml + # - id: check-added-large-files + + # - repo: https://github.com/Lucas-C/pre-commit-hooks + # rev: v1.5.4 + # hooks: + # - id: remove-crlf + # stages: [commit] From b11e2e3ca13acbb312bb8f7c7f4ec7682fe40816 Mon Sep 17 00:00:00 2001 From: FSemti Dev Date: Sun, 17 Nov 2024 16:31:54 +0000 Subject: [PATCH 20/22] initialize pre-commit --- .pre-commit-config.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5926fdd1b25..2f98d1df9e1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -10,13 +10,13 @@ repos: types: [yaml] files: ^kubernetes/.*\.(yaml|yml)$ - # - repo: https://github.com/pre-commit/pre-commit-hooks - # rev: v4.5.0 - # hooks: - # - id: trailing-whitespace - # - id: end-of-file-fixer - # - id: check-yaml - # - id: check-added-large-files + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.5.0 + hooks: + - id: trailing-whitespace + - id: end-of-file-fixer + - id: check-yaml + - id: check-added-large-files # - repo: https://github.com/Lucas-C/pre-commit-hooks # rev: v1.5.4 From 3c6a21c0fca70de71f68a304acf288895cf74eea Mon Sep 17 00:00:00 2001 From: FSemti Dev Date: Sun, 17 Nov 2024 16:33:04 +0000 Subject: [PATCH 21/22] initialize pre-commit --- .pre-commit-config.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2f98d1df9e1..1a8ccb815b1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
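Review bot: The `kubeconform` hook uses `language: system` with `entry: task kubernetes:kubeconform`, so it silently depends on `task` and kubeconform being installed on every contributor's machine and on a `kubernetes:kubeconform` task existing in the Taskfile (not visible here); a missing tool fails every commit with a generic error. Add a comment above the hook such as `# requires go-task (task) and kubeconform on PATH; see Taskfile task kubernetes:kubeconform`, and note that `pass_filenames: false` means the task validates the whole tree regardless of which files changed, so `files:` and `types:` only decide whether the hook runs at all.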
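Review bot: `- id: check-yaml` as enabled here rejects any YAML file containing more than one document, and this repository has several — the hajimari and homepage `ks.yaml` and `kustomization.yaml` files end with a trailing `---`, and the homepage HelmRelease at this point in the series starts with two `---` markers — so the hook will fail on the next commit that touches them. Either pass `args: [--allow-multiple-documents]` on the `check-yaml` entry or remove the stray `---` markers. The `rev: v4.5.0` tag is mutable; pre-commit accepts a full commit SHA in `rev` (`pre-commit autoupdate --freeze` writes one), which pins the hook source against a moved tag.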
@@ -17,9 +17,3 @@ repos: - id: end-of-file-fixer - id: check-yaml - id: check-added-large-files - - # - repo: https://github.com/Lucas-C/pre-commit-hooks - # rev: v1.5.4 - # hooks: - # - id: remove-crlf - # stages: [commit] From ee3d8e0fbcb74791f93a71313d1aba8f51ff508e Mon Sep 17 00:00:00 2001 From: FSemti Dev Date: Sun, 17 Nov 2024 17:37:10 +0000 Subject: [PATCH 22/22] =?UTF-8?q?=1B[t(homepage):=20:sparkles:=20add=20boo?= =?UTF-8?q?kmarks=20and=20servicesces?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../default/hajimari/app/helmrelease.yaml | 8 +++++ .../default/homepage/app/helmrelease.yaml | 34 ++++++++++++++++++- 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/kubernetes/apps/default/hajimari/app/helmrelease.yaml b/kubernetes/apps/default/hajimari/app/helmrelease.yaml index 4d8d7d0ed19..f7a6b5078de 100644 --- a/kubernetes/apps/default/hajimari/app/helmrelease.yaml +++ b/kubernetes/apps/default/hajimari/app/helmrelease.yaml @@ -68,7 +68,15 @@ spec: enabled: true ingressClassName: external annotations: + external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}" + + gethomepage.dev/enabled: "true" + gethomepage.dev/description: Alternative to Homepage + gethomepage.dev/group: Operations + gethomepage.dev/icon: hajimari.png + gethomepage.dev/name: Toboshii + hosts: - host: &host "hajimari.${SECRET_DOMAIN}" paths: diff --git a/kubernetes/apps/default/homepage/app/helmrelease.yaml b/kubernetes/apps/default/homepage/app/helmrelease.yaml index 85a1e4be9ae..7b37da1ba4f 100644 --- a/kubernetes/apps/default/homepage/app/helmrelease.yaml +++ b/kubernetes/apps/default/homepage/app/helmrelease.yaml @@ -1,7 +1,7 @@ --- #? https://github.com/gethomepage/homepage/blob/dev/kubernetes.md +#? https://github.com/jameswynn/helm-charts/blob/main/charts/homepage/values.yaml ---- apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: 
@@ -54,8 +54,40 @@ spec: mountPath: /app/config/logs config: + + # To use an existing ConfigMap uncomment this line and specify the name + # useExistingConfigMap: existing-homepage-configmap + bookmarks: + - Developer: + - Github: + - abbr: GH + href: https://github.com/ + - KubeSearch: + - abbr: KS + href: https://kubesearch.dev/ + - OnedropClusterTemplate: + - abbr: OT + href: https://github.com/onedr0p/cluster-template + + services: + - My First Group: + - My First Service: + href: http://localhost/ + description: Homepage is awesome + + - My Second Group: + - My Second Service: + href: http://localhost/ + description: Homepage is the best + + - My Third Group: + - My Third Service: + href: http://localhost/ + description: Homepage is 😎 + kubernetes: mode: cluster + widgets: - kubernetes: cluster:
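Review bot: The `services:` block added under `config:` is the upstream sample verbatim — three `My … Group` entries whose `href` is `http://localhost/` — and ships as live dashboard content; for any viewer those links point at their own machine, not at a cluster service, so they are dead. Replace them with real services or delete the block; the `gethomepage.dev/*` annotations added to the hajimari ingress in the first hunk of this commit presumably let homepage discover services without static entries, in which case the block is redundant. The hunk's last context line, `cluster:`, is the final line in view, so the rest of the `widgets` block is outside it.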