Compare commits
66 Commits
6cd65eef9c
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| de229e6473 | |||
| 29caf72a1b | |||
| 730269f97a | |||
| ab8865c6a8 | |||
| a85f805a4d | |||
| bc80546f04 | |||
| e48d4c740d | |||
| 5e610148e1 | |||
| 44ec664257 | |||
| 40065f9066 | |||
| 52109204e1 | |||
| 858cb421ca | |||
| 0f76adc9d1 | |||
| 70c47fcd51 | |||
| 40dd60fcab | |||
| 7608d03c2a | |||
1fae8a6704
|
|||
|
66579bbe93
|
|||
| 967476d960 | |||
| d3052ce240 | |||
|
268b4693cf
|
|||
|
887424946f
|
|||
|
fee24bc228
|
|||
|
cd5113b661
|
|||
|
c2c4d249e9
|
|||
|
c585e7497d
|
|||
|
1c141714a3
|
|||
|
35e4ed430e
|
|||
|
a5940a3bb6
|
|||
|
58b285eb6f
|
|||
|
0ae9832801
|
|||
|
cf650782be
|
|||
|
634389d6f7
|
|||
|
743dc036a7
|
|||
|
39e8770a4f
|
|||
|
9065daf3de
|
|||
|
2dfe1af11e
|
|||
|
db3a41fcc1 | ||
|
|
a5de857abc | ||
|
ec3de3bcf2
|
|||
|
87a9790081
|
|||
|
32ca369e16
|
|||
|
799059ad75
|
|||
|
b35900ee4a
|
|||
|
9d937c164a
|
|||
|
d1bd8dfca9
|
|||
|
f86082455e
|
|||
|
693ecf9d12
|
|||
|
228812130d
|
|||
|
9b2f642a13
|
|||
|
5cc42cfbef
|
|||
|
0300f62dec
|
|||
|
9325619310
|
|||
|
a304d25730
|
|||
|
7485edc45e
|
|||
|
d2de4f9c83
|
|||
|
669ff1ad29
|
|||
|
b9adb461e2
|
|||
|
90e8f64a18
|
|||
|
8c04aac4ad
|
|||
|
dfd2fee3ac
|
|||
|
f64566981a
|
|||
|
8022b1c619
|
|||
|
d5a44fbf63
|
|||
|
43dfb611d4
|
|||
|
82eb04b89c
|
9
.drone.yml
Executable file
9
.drone.yml
Executable file
@@ -0,0 +1,9 @@
|
||||
|
||||
kind: pipeline
|
||||
type: docker
|
||||
name: "test"
|
||||
steps:
|
||||
- name: test
|
||||
image: harbor.front.kjuulh.io/docker-proxy/library/bash:latest
|
||||
commands:
|
||||
- echo 'Run tests'
|
||||
6
apps/base/nginx/kustomization.yaml
Normal file
6
apps/base/nginx/kustomization.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namespace: nginx
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- release.yaml
|
||||
4
apps/base/nginx/namespace.yaml
Normal file
4
apps/base/nginx/namespace.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: nginx
|
||||
21
apps/base/nginx/release.yaml
Normal file
21
apps/base/nginx/release.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: nginx
|
||||
namespace: nginx
|
||||
spec:
|
||||
releaseName: nginx
|
||||
chart:
|
||||
spec:
|
||||
chart: nginx
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bitnami
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
values:
|
||||
service:
|
||||
type: ClusterIP
|
||||
@@ -1,5 +1,4 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- controller.yaml
|
||||
|
||||
- ../base/nginx
|
||||
@@ -1,53 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: wishlist
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: wishlist-deployment
|
||||
namespace: wishlist
|
||||
labels:
|
||||
app: wishlist
|
||||
spec:
|
||||
replicas: 3
|
||||
selector:
|
||||
matchLabels:
|
||||
app: wishlist
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: wishlist
|
||||
spec:
|
||||
containers:
|
||||
- name: wishlist
|
||||
image: kasperhermansen/wishlist-2022
|
||||
ports:
|
||||
- containerPort: 80
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: 80
|
||||
initialDelaySeconds: 5
|
||||
timeoutSeconds: 5
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: 80
|
||||
initialDelaySeconds: 5
|
||||
timeoutSeconds: 5
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: wishlist
|
||||
namespace: wishlist
|
||||
spec:
|
||||
ports:
|
||||
- port: 80
|
||||
name: http
|
||||
protocol: TCP
|
||||
targetPort: 80
|
||||
selector:
|
||||
run: wishlist
|
||||
@@ -1,12 +0,0 @@
|
||||
---
|
||||
apiVersion: source.toolkit.fluxcd.io/v1beta2
|
||||
kind: GitRepository
|
||||
metadata:
|
||||
name: podinfo
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 30s
|
||||
ref:
|
||||
branch: master
|
||||
url: https://github.com/stefanprodan/podinfo
|
||||
|
||||
@@ -1,16 +0,0 @@
|
||||
---
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: wishlist
|
||||
namespace: prod
|
||||
spec:
|
||||
interval: 10m0s
|
||||
retryInterval: 30s
|
||||
path: ./clank/apps/prod/wishlist
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: flux-system
|
||||
namespace: flux-system
|
||||
targetNamespace: wishlist
|
||||
File diff suppressed because it is too large
Load Diff
@@ -1,16 +0,0 @@
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cloudflare-api-token-secret
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
encryptedData:
|
||||
api-token: AgB8kf7TaAZpwTCn4aYNY5+aCpFyTPwVGLhQL8S6Muoss8/jz+9RIH7WPIxeyTlfjtTw8dzjro3SYfkZ9FHNiL8AS3/YDU9ZHoD1JTrlLB8j6lvPvuMbc0iXimNDWtU5KCwGwjC6gw6TNhnAns1EwMsCH93W2e9XUOYHz4NLxcaue284p0t9JgmtXLi220WCqoG7fs2hQo9dhYitcpmjnOEQRBA75t8paxc3jSA3BqKKeTm0KtYSgOENtahs/u3GQRmLu3y7L9epAyJOUCw1q23jgGZugAmDXY7b2gPXxAF0LMLrjI9l3UAl6FT0fUTrhQZxNZfurIFfV+yVFAkO2nGDlFWkN9xlxV8QzGPeTZEISI3/3aV5+MbJKV2bamOckh2q5Tj5xVAHB5pBc0CJzLpy8okmLnheNZXFRp/jlbH+D9p/sZErFt7TmvZfJS/GYCF/PRjzNwZlFWgiQ3ITTbGcEymXvfRS2NntsU1RCohUw4byAzYw/pxdGx7GA+irFTJyVQ2KwYdkR/P69PotHD0LGyHNWuLcrC1/kbq0lQtSvKHKUNbQM4jSVUweLgSYHlyxKft5F42eunR8BOG1EmUpdR2Y7U86HylwR5CxMJcpkO7a9EfoHDwMMegt1cgbPr37uXN+BKZ3uNUJ9AorZbvnrmFn7gAju+b3URTvaOldlCEaBA0fA8zfbF9lMFz1Lv6zzqOCGhXbOz/1wDUbGKjd2dS0pqIMmp7HOVEyP7TeW2LPJFdkj1F4
|
||||
template:
|
||||
data: null
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cloudflare-api-token-secret
|
||||
namespace: cert-manager
|
||||
|
||||
@@ -1,252 +0,0 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations: {}
|
||||
labels:
|
||||
name: sealed-secrets-service-proxier
|
||||
name: sealed-secrets-service-proxier
|
||||
namespace: kube-system
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resourceNames:
|
||||
- sealed-secrets-controller
|
||||
resources:
|
||||
- services
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resourceNames:
|
||||
- 'http:sealed-secrets-controller:'
|
||||
- sealed-secrets-controller
|
||||
resources:
|
||||
- services/proxy
|
||||
verbs:
|
||||
- create
|
||||
- get
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations: {}
|
||||
labels:
|
||||
name: sealed-secrets-key-admin
|
||||
name: sealed-secrets-key-admin
|
||||
namespace: kube-system
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- create
|
||||
- list
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
annotations: {}
|
||||
labels:
|
||||
name: sealed-secrets-controller
|
||||
name: sealed-secrets-controller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: secrets-unsealer
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: sealed-secrets-controller
|
||||
namespace: kube-system
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
annotations: {}
|
||||
labels:
|
||||
name: secrets-unsealer
|
||||
name: secrets-unsealer
|
||||
rules:
|
||||
- apiGroups:
|
||||
- bitnami.com
|
||||
resources:
|
||||
- sealedsecrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- bitnami.com
|
||||
resources:
|
||||
- sealedsecrets/status
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- patch
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
annotations: {}
|
||||
labels:
|
||||
name: sealed-secrets-controller
|
||||
name: sealed-secrets-controller
|
||||
namespace: kube-system
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
annotations: {}
|
||||
labels:
|
||||
name: sealed-secrets-controller
|
||||
name: sealed-secrets-controller
|
||||
namespace: kube-system
|
||||
spec:
|
||||
minReadySeconds: 30
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 10
|
||||
selector:
|
||||
matchLabels:
|
||||
name: sealed-secrets-controller
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: 25%
|
||||
maxUnavailable: 25%
|
||||
type: RollingUpdate
|
||||
template:
|
||||
metadata:
|
||||
annotations: {}
|
||||
labels:
|
||||
name: sealed-secrets-controller
|
||||
spec:
|
||||
containers:
|
||||
- args: []
|
||||
command:
|
||||
- controller
|
||||
env: []
|
||||
image: docker.io/bitnami/sealed-secrets-controller:v0.17.5
|
||||
imagePullPolicy: Always
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: http
|
||||
name: sealed-secrets-controller
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
name: http
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: http
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1001
|
||||
stdin: false
|
||||
tty: false
|
||||
volumeMounts:
|
||||
- mountPath: /tmp
|
||||
name: tmp
|
||||
imagePullSecrets: []
|
||||
initContainers: []
|
||||
securityContext:
|
||||
fsGroup: 65534
|
||||
serviceAccountName: sealed-secrets-controller
|
||||
terminationGracePeriodSeconds: 30
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: tmp
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: sealedsecrets.bitnami.com
|
||||
spec:
|
||||
group: bitnami.com
|
||||
names:
|
||||
kind: SealedSecret
|
||||
listKind: SealedSecretList
|
||||
plural: sealedsecrets
|
||||
singular: sealedsecret
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
spec:
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
status:
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
annotations: {}
|
||||
labels:
|
||||
name: sealed-secrets-controller
|
||||
name: sealed-secrets-controller
|
||||
namespace: kube-system
|
||||
spec:
|
||||
ports:
|
||||
- port: 8080
|
||||
targetPort: 8080
|
||||
selector:
|
||||
name: sealed-secrets-controller
|
||||
type: ClusterIP
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
annotations: {}
|
||||
labels:
|
||||
name: sealed-secrets-service-proxier
|
||||
name: sealed-secrets-service-proxier
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: sealed-secrets-service-proxier
|
||||
subjects:
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: Group
|
||||
name: system:authenticated
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
annotations: {}
|
||||
labels:
|
||||
name: sealed-secrets-controller
|
||||
name: sealed-secrets-controller
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: sealed-secrets-key-admin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: sealed-secrets-controller
|
||||
namespace: kube-system
|
||||
@@ -1,15 +1,16 @@
|
||||
---
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: podinfo
|
||||
name: apps
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 10m0s
|
||||
retryInterval: 30s
|
||||
path: ./kustomize
|
||||
prune: true
|
||||
dependsOn:
|
||||
- name: infrastructure
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: podinfo
|
||||
targetNamespace: default
|
||||
name: flux-system
|
||||
path: ./apps/production
|
||||
prune: true
|
||||
wait: true
|
||||
timeout: 5m0s
|
||||
12584
clusters/production/flux-system/gotk-components.yaml
Normal file
12584
clusters/production/flux-system/gotk-components.yaml
Normal file
File diff suppressed because it is too large
Load Diff
27
clusters/production/flux-system/gotk-sync.yaml
Normal file
27
clusters/production/flux-system/gotk-sync.yaml
Normal file
@@ -0,0 +1,27 @@
|
||||
# This manifest was generated by flux. DO NOT EDIT.
|
||||
---
|
||||
apiVersion: source.toolkit.fluxcd.io/v1beta2
|
||||
kind: GitRepository
|
||||
metadata:
|
||||
name: flux-system
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 1m0s
|
||||
ref:
|
||||
branch: main
|
||||
secretRef:
|
||||
name: flux-system
|
||||
url: ssh://git@git.front.kjuulh.io/clank/kubernetes-state.git
|
||||
---
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: flux-system
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 10m0s
|
||||
path: ./clusters/production
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: flux-system
|
||||
5
clusters/production/flux-system/kustomization.yaml
Normal file
5
clusters/production/flux-system/kustomization.yaml
Normal file
@@ -0,0 +1,5 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- gotk-components.yaml
|
||||
- gotk-sync.yaml
|
||||
@@ -1,13 +1,12 @@
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: platform
|
||||
name: infrastructure
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 10m0s
|
||||
path: ./clank/platform
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: flux-system
|
||||
namespace: flux-system
|
||||
path: ./infrastructure
|
||||
prune: true
|
||||
@@ -1,4 +1,3 @@
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
@@ -16,6 +15,6 @@ spec:
|
||||
secretTemplate:
|
||||
annotations:
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "platform,kube-system,wishlist" # Control destination namespaces
|
||||
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kube-system" # Control destination namespaces
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "platform,wishlist" # Control auto-reflection namespaces
|
||||
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kube-system" #
|
||||
16
infrastructure/cert-manager/cloudflare-secret.sealed.yaml
Normal file
16
infrastructure/cert-manager/cloudflare-secret.sealed.yaml
Normal file
@@ -0,0 +1,16 @@
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cloudflare-api-token-secret
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
encryptedData:
|
||||
api-token: AgBfxV2k7bG5Zf9KIvaSGwgisxhpi6Wxg6TlgIqdJmARkWezhnM7kc41oU2FxK2rOroYF4ailxBJVbCyeCSPoaPu7sn9Fc7+EgGvlb1DOHKvLVLXoAdu3b1opta6gYi05Uzc8anU9uAsMoEJFcn71RTzFIGNMVKVs2VovtajtRf6UW61kNaC54wmMPuhEYsYKYs75sCc/CgmhMD7P8bx6/b6f7QnsksP07mR5GXS1Q8DePu4dHGx9FhMNXVu+lajyd6wW2eLk0EqzNsZ1cSoK3gZrbpKtHGOkuO6TIoBPAgtgqN8wQzurFkeHowTuEU7GMas0FJtP5b/uH0GwKzYeKvqLvX2LLybwiD/idb/fGSZiPIdk5g3ENSOa8bUiVB78mVGXfSWmVcJCAmKY5uB7vRxq44jZI6eTvalrZoAFKF0zzHi1PBTOimgiDUWJXNd6gVORcqqvsbuAOYi/8KzBSXd+qR+EGbAfYgC/0UAhQPr2uuH0MP1x2gnOLtulxU5oRMvtSzMVZrv85qGrkp1KOtK5oQoDT6kgNZKJ6FBV8JsKhISPUGdM0xsgH+cXyqVZ73UlyohaiPYVHpvoRtcMMw0zQM/tQnhMdstEKQgsSGuzg8g7cOgv2aiYFL1sfm08XEofCBeBXrTNodxAa77I4KnNeB1tbR/WXdX/kzLxb0aGheCxsv8nDU3KJyrvAbRj9wVL3hnBnIc6p/bg8KPLrJkp2Qe+3ree/7Wma0+qhlswdvjLn4dGeb9
|
||||
template:
|
||||
data: null
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cloudflare-api-token-secret
|
||||
namespace: cert-manager
|
||||
|
||||
@@ -7,7 +7,7 @@ spec:
|
||||
# You must replace this email address with your own.
|
||||
# Let's Encrypt will use this to contact you about expiring
|
||||
# certificates, and issues related to your account.
|
||||
email: contact@kjuulh.io
|
||||
email: contact@kasperhermansen.com
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
privateKeySecretRef:
|
||||
# Secret resource that will be used to store the account's private key.
|
||||
@@ -1,19 +1,15 @@
|
||||
#!/bin/bash
|
||||
|
||||
echo "Encrypt secret with 'sealed-secrets'"
|
||||
|
||||
kubectl -n default create secret generic cloudflare-api-token-secret \
|
||||
--from-literal=api-token="$1" \
|
||||
--namespace="cert-manager" \
|
||||
--dry-run=client \
|
||||
-o yaml > cloudflare-secret.yaml
|
||||
|
||||
echo "secret: $1"
|
||||
|
||||
kubeseal --format=yaml \
|
||||
kubeseal \
|
||||
--format=yaml \
|
||||
--controller-name=sealed-secrets \
|
||||
--controller-namespace=kube-system \
|
||||
< cloudflare-secret.yaml > cloudflare-secret.sealed.yaml
|
||||
|
||||
echo "Updated/created secret"
|
||||
|
||||
rm cloudflare-secret.yaml
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namespace: cert-manager
|
||||
resources:
|
||||
- cert-manager.yaml
|
||||
- certificate.yaml
|
||||
- namespace.yaml
|
||||
- release.yaml
|
||||
- cloudflare-secret.sealed.yaml
|
||||
- cluster-issuer.yaml
|
||||
|
||||
- certificate.yaml
|
||||
4
infrastructure/cert-manager/namespace.yaml
Normal file
4
infrastructure/cert-manager/namespace.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cert-manager
|
||||
22
infrastructure/cert-manager/release.yaml
Normal file
22
infrastructure/cert-manager/release.yaml
Normal file
@@ -0,0 +1,22 @@
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
releaseName: cert-manager
|
||||
chart:
|
||||
spec:
|
||||
chart: cert-manager
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: jetstack
|
||||
namespace: flux-system
|
||||
interval: 30m
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
values:
|
||||
installCRDs: true
|
||||
service:
|
||||
type: ClusterIP
|
||||
@@ -2,7 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- sources
|
||||
- reflector
|
||||
- traefik
|
||||
- cert-manager
|
||||
- sealed-secrets
|
||||
- reflector
|
||||
- postgres
|
||||
17
infrastructure/postgres/create-db.sh
Executable file
17
infrastructure/postgres/create-db.sh
Executable file
@@ -0,0 +1,17 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
SUBJECT=$1
|
||||
PGPASSWORD=$2
|
||||
|
||||
PASSWORD=$(openssl rand -hex 20)
|
||||
ID=$(openssl rand -hex 5)
|
||||
|
||||
kubectl run "postgres-client-$ID" --rm -i --image "bitnami/postgresql" -n postgres --env="PGPASSWORD=$PGPASSWORD" --command -- psql --host postgres-postgresql -U postgres <<SQL
|
||||
CREATE DATABASE $SUBJECT;
|
||||
CREATE USER $SUBJECT with encrypted password '$PASSWORD';
|
||||
grant all privileges on database $SUBJECT to $SUBJECT;
|
||||
SQL
|
||||
|
||||
echo "$PASSWORD"
|
||||
6
infrastructure/postgres/kustomization.yaml
Normal file
6
infrastructure/postgres/kustomization.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namespace: postgres
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- release.yaml
|
||||
4
infrastructure/postgres/namespace.yaml
Normal file
4
infrastructure/postgres/namespace.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: postgres
|
||||
7
infrastructure/postgres/port-forward-db.sh
Executable file
7
infrastructure/postgres/port-forward-db.sh
Executable file
@@ -0,0 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
PGPASSWORD=$1
|
||||
|
||||
kubectl run postgres-client --rm --tty -i --image "bitnami/postgresql" -n postgres --env="PGPASSWORD=$PGPASSWORD" --command -- psql --host postgres-postgresql -U postgres
|
||||
21
infrastructure/postgres/release.yaml
Normal file
21
infrastructure/postgres/release.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: postgres
|
||||
spec:
|
||||
releaseName: postgres
|
||||
chart:
|
||||
spec:
|
||||
chart: postgresql
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bitnami
|
||||
namespace: flux-system
|
||||
version: "11.6.3"
|
||||
interval: 1h0m0s
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
values:
|
||||
global:
|
||||
storageClass: hcloud-volumes
|
||||
@@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- release.yaml
|
||||
- ingress.yaml
|
||||
@@ -1,19 +1,18 @@
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: traefik
|
||||
name: sealed-secrets
|
||||
namespace: kube-system
|
||||
spec:
|
||||
releaseName: traefik
|
||||
releaseName: sealed-secrets
|
||||
chart:
|
||||
spec:
|
||||
chart: traefik
|
||||
chart: sealed-secrets
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: traefik
|
||||
name: bitnami
|
||||
namespace: flux-system
|
||||
version: "10.19.5"
|
||||
interval: 1h0m0s
|
||||
interval: 30m
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
7
infrastructure/sources/bitnami.yaml
Normal file
7
infrastructure/sources/bitnami.yaml
Normal file
@@ -0,0 +1,7 @@
|
||||
apiVersion: source.toolkit.fluxcd.io/v1beta2
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: bitnami
|
||||
spec:
|
||||
interval: 30m
|
||||
url: https://charts.bitnami.com/bitnami
|
||||
@@ -1,7 +1,7 @@
|
||||
apiVersion: source.toolkit.fluxcd.io/v1beta2
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: traefik
|
||||
name: jetstack
|
||||
spec:
|
||||
interval: 30m
|
||||
url: https://helm.traefik.io/traefik
|
||||
url: https://charts.jetstack.io
|
||||
@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namespace: flux-system
|
||||
resources:
|
||||
- bitnami.yaml
|
||||
- jetstack.yaml
|
||||
- emberstack.yaml
|
||||
- traefik.yaml
|
||||
57
infrastructure/traefik/helmconfig.yaml
Normal file
57
infrastructure/traefik/helmconfig.yaml
Normal file
@@ -0,0 +1,57 @@
|
||||
apiVersion: helm.cattle.io/v1
|
||||
kind: HelmChartConfig
|
||||
metadata:
|
||||
name: traefik
|
||||
namespace: kube-system
|
||||
spec:
|
||||
failurePolicy: abort
|
||||
valuesContent: |
|
||||
logs:
|
||||
general:
|
||||
level: INFO
|
||||
providers:
|
||||
kubernetesCRD:
|
||||
enabled: true
|
||||
allowCrossNamespace: true
|
||||
allowExternalNameServices: true
|
||||
# ingressClass: traefik-internal
|
||||
# labelSelector: environment=production,method=traefik
|
||||
namespaces:
|
||||
- "default"
|
||||
- "kube-system"
|
||||
kubernetesIngress:
|
||||
enabled: true
|
||||
allowExternalNameServices: true
|
||||
allowEmptyServices: true
|
||||
# ingressClass: traefik-internal
|
||||
# labelSelector: environment=production,method=traefik
|
||||
namespaces:
|
||||
- "default"
|
||||
- "kube-system"
|
||||
# IP used for Kubernetes Ingress endpoints
|
||||
publishedService:
|
||||
enabled: true
|
||||
# Published Kubernetes Service to copy status from. Format: namespace/servicename
|
||||
# By default this Traefik service
|
||||
# pathOverride: ""
|
||||
service:
|
||||
enabled: true
|
||||
type: LoadBalancer
|
||||
annotations:
|
||||
"load-balancer.hetzner.cloud/name": "clank"
|
||||
# make hetzners load-balancer connect to our nodes via our private k3s
|
||||
"load-balancer.hetzner.cloud/use-private-ip": "true"
|
||||
# keep hetzner-ccm from exposing our private ingress ip, which in general isn't routeable from the public internet
|
||||
"load-balancer.hetzner.cloud/disable-private-ingress": "true"
|
||||
# disable ipv6 by default, because external-dns doesn't support AAAA for hcloud yet https://github.com/kubernetes-sigs/external-dns/issues/2044
|
||||
"load-balancer.hetzner.cloud/ipv6-disabled": "true"
|
||||
"load-balancer.hetzner.cloud/location": "fsn1"
|
||||
"load-balancer.hetzner.cloud/type": "lb11"
|
||||
"load-balancer.hetzner.cloud/uses-proxyprotocol": "true"
|
||||
additionalArguments:
|
||||
- "--entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
|
||||
- "--entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
|
||||
- "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
|
||||
- "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
|
||||
- "--providers.kubernetescrd.allowCrossNamespace=true"
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
@@ -16,23 +15,3 @@ spec:
|
||||
kind: TraefikService
|
||||
tls:
|
||||
secretName: clank-cert
|
||||
#---
|
||||
#apiVersion: traefik.containo.us/v1alpha1
|
||||
#kind: IngressRoute
|
||||
#metadata:
|
||||
# name: wishlist
|
||||
# namespace: kube-system
|
||||
#spec:
|
||||
# entryPoints:
|
||||
# - web
|
||||
# - websecure
|
||||
# routes:
|
||||
# - match: Host(`wishlist.kjuulh.app`)
|
||||
# kind: Rule
|
||||
# services:
|
||||
# - name: wishlist
|
||||
# kind: Service
|
||||
# namespace: wishlist
|
||||
# port: 80
|
||||
# tls:
|
||||
# secretName: clank-cert
|
||||
5
infrastructure/traefik/kustomization.yaml
Normal file
5
infrastructure/traefik/kustomization.yaml
Normal file
@@ -0,0 +1,5 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helmconfig.yaml
|
||||
- ingress.yaml
|
||||
3
renovate.json
Normal file
3
renovate.json
Normal file
@@ -0,0 +1,3 @@
|
||||
{
|
||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json"
|
||||
}
|
||||
Reference in New Issue
Block a user