feat(certs): deploy pushsecret to/from 1password #1303

Merged
merged 2 commits into from
Apr 7, 2024

@rodent1 rodent1 commented Apr 7, 2024

No description provided.

@ro-bott ro-bott bot added area/kubernetes Changes made in the kubernetes directory cluster/main labels Apr 7, 2024
ro-bott bot commented Apr 7, 2024

--- HelmRelease: networking/nginx-external Service: networking/nginx-external-controller

+++ HelmRelease: networking/nginx-external Service: networking/nginx-external-controller

@@ -1,12 +1,12 @@

 ---
 apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: external.${SECRET_DOMAIN}
+    external-dns.alpha.kubernetes.io/hostname: external.rodent.cc
     io.cilium/lb-ipam-ips: 10.1.1.151
   labels:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: nginx-external
     app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/managed-by: Helm
--- HelmRelease: networking/nginx-external Deployment: networking/nginx-external-controller

+++ HelmRelease: networking/nginx-external Deployment: networking/nginx-external-controller

@@ -46,13 +46,13 @@

         - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/nginx-external-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
         - --validating-webhook-key=/usr/local/certificates/key
         - --maxmind-license-key=**PLACEHOLDER**
-        - --default-ssl-certificate=networking/${SECRET_DOMAIN/./-}-tls
+        - --default-ssl-certificate=networking/rodent-cc-tls
         securityContext:
           runAsNonRoot: true
           runAsUser: 101
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault
@@ -112,25 +112,25 @@

           readOnly: true
         resources:
           limits:
             memory: 500Mi
           requests:
             cpu: 100m
-            memory: 250Mi
+            memory: 90Mi
       nodeSelector:
         kubernetes.io/os: linux
       topologySpreadConstraints:
       - labelSelector:
           matchLabels:
             app.kubernetes.io/component: controller
             app.kubernetes.io/instance: nginx-external
             app.kubernetes.io/name: ingress-nginx
         maxSkew: 1
         topologyKey: kubernetes.io/hostname
         whenUnsatisfiable: DoNotSchedule
       serviceAccountName: nginx-external
-      terminationGracePeriodSeconds: 300
+      terminationGracePeriodSeconds: 120
       volumes:
       - name: webhook-cert
         secret:
           secretName: nginx-external-admission
 
--- HelmRelease: networking/nginx-internal Service: networking/nginx-internal-controller

+++ HelmRelease: networking/nginx-internal Service: networking/nginx-internal-controller

@@ -1,24 +1,23 @@

 ---
 apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    external-dns.alpha.kubernetes.io/hostname: internal.${SECRET_DOMAIN}
+    external-dns.alpha.kubernetes.io/hostname: internal.rodent.cc
     io.cilium/lb-ipam-ips: 10.1.1.152
   labels:
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/instance: nginx-internal
     app.kubernetes.io/part-of: ingress-nginx
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: controller
   name: nginx-internal-controller
   namespace: networking
 spec:
   type: LoadBalancer
-  externalTrafficPolicy: Cluster
   ipFamilyPolicy: SingleStack
   ipFamilies:
   - IPv4
   ports:
   - name: http
     port: 80
--- HelmRelease: networking/nginx-internal Deployment: networking/nginx-internal-controller

+++ HelmRelease: networking/nginx-internal Deployment: networking/nginx-internal-controller

@@ -45,13 +45,13 @@

         - --controller-class=k8s.io/internal
         - --ingress-class=nginx
         - --configmap=$(POD_NAMESPACE)/nginx-internal-controller
         - --validating-webhook=:8443
         - --validating-webhook-certificate=/usr/local/certificates/cert
         - --validating-webhook-key=/usr/local/certificates/key
-        - --default-ssl-certificate=networking/${SECRET_DOMAIN/./-}-tls
+        - --default-ssl-certificate=networking/rodent-cc-tls
         securityContext:
           runAsNonRoot: true
           runAsUser: 101
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault
@@ -111,25 +111,25 @@

           readOnly: true
         resources:
           limits:
             memory: 500Mi
           requests:
             cpu: 100m
-            memory: 250Mi
+            memory: 90Mi
       nodeSelector:
         kubernetes.io/os: linux
       topologySpreadConstraints:
       - labelSelector:
           matchLabels:
             app.kubernetes.io/component: controller
             app.kubernetes.io/instance: nginx-internal
             app.kubernetes.io/name: ingress-nginx
         maxSkew: 1
         topologyKey: kubernetes.io/hostname
         whenUnsatisfiable: DoNotSchedule
       serviceAccountName: nginx-internal
-      terminationGracePeriodSeconds: 300
+      terminationGracePeriodSeconds: 120
       volumes:
       - name: webhook-cert
         secret:
           secretName: nginx-internal-admission
 
--- HelmRelease: security/onepassword-connect Ingress: security/onepassword-connect

+++ HelmRelease: security/onepassword-connect Ingress: security/onepassword-connect

@@ -8,15 +8,15 @@

     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: onepassword-connect
 spec:
   ingressClassName: internal
   tls:
   - hosts:
-    - onepassword-connect.${SECRET_DOMAIN}
+    - onepassword-connect.rodent.cc
   rules:
-  - host: onepassword-connect.${SECRET_DOMAIN}
+  - host: onepassword-connect.rodent.cc
     http:
       paths:
       - path: /
         pathType: Prefix
         backend:
           service:
--- HelmRelease: security/external-secrets Deployment: security/external-secrets

+++ HelmRelease: security/external-secrets Deployment: security/external-secrets

@@ -6,13 +6,13 @@

   namespace: security
   labels:
     app.kubernetes.io/name: external-secrets
     app.kubernetes.io/instance: external-secrets
     app.kubernetes.io/managed-by: Helm
 spec:
-  replicas: 2
+  replicas: 1
   revisionHistoryLimit: 10
   selector:
     matchLabels:
       app.kubernetes.io/name: external-secrets
       app.kubernetes.io/instance: external-secrets
   template:

ro-bott bot commented Apr 7, 2024

--- kubernetes/main/apps/cert-manager/cert-manager/app Kustomization: flux-system/cert-manager HelmRelease: cert-manager/cert-manager

+++ kubernetes/main/apps/cert-manager/cert-manager/app Kustomization: flux-system/cert-manager HelmRelease: cert-manager/cert-manager

@@ -18,18 +18,17 @@

         namespace: flux-system
       version: v1.14.4
   install:
     remediation:
       retries: 3
   interval: 30m
-  uninstall:
-    keepHistory: false
   upgrade:
     cleanupOnFail: true
     remediation:
       retries: 3
+      strategy: rollback
   values:
     dns01RecursiveNameservers: 1.1.1.1:53,9.9.9.9:53
     dns01RecursiveNameserversOnly: true
     installCRDs: true
     podDnsConfig:
       nameservers:
--- kubernetes/main/apps/cert-manager/cert-manager/app Kustomization: flux-system/cert-manager PrometheusRule: cert-manager/cert-manager-rules

+++ kubernetes/main/apps/cert-manager/cert-manager/app Kustomization: flux-system/cert-manager PrometheusRule: cert-manager/cert-manager-rules

@@ -40,13 +40,13 @@

       for: 15m
       labels:
         severity: warning
     - alert: CertManagerCertNotReady
       annotations:
         description: This certificate has not been ready to serve traffic for at least
-          10m. If the cert is being renewed or there is another valid cert, the ingress
+          15m. If the cert is being renewed or there is another valid cert, the ingress
           controller _may_ be able to serve that instead.
         runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
         summary: The cert {{ $labels.name }} is not ready to serve traffic.
       expr: |
         max by (name, exported_namespace, namespace, condition) (
         certmanager_certificate_ready_status{condition!="True"} == 1)
--- kubernetes/main/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ExternalSecret: cert-manager/cloudflare

+++ kubernetes/main/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ExternalSecret: cert-manager/cloudflare

@@ -9,13 +9,16 @@

   name: cloudflare
   namespace: cert-manager
 spec:
   dataFrom:
   - extract:
       key: cloudflare
-      property: CLOUDFLARE_API_KEY
   secretStoreRef:
     kind: ClusterSecretStore
     name: onepassword-connect
   target:
     name: cloudflare-secret
+    template:
+      data:
+        CLOUDFLARE_API_KEY: '{{ .CLOUDFLARE_API_KEY }}'
+      engineVersion: v2
 
--- kubernetes/main/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-production

+++ kubernetes/main/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-production

@@ -7,22 +7,21 @@

     kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
     kustomize.toolkit.fluxcd.io/namespace: flux-system
   name: letsencrypt-production
   namespace: cert-manager
 spec:
   acme:
-    email: ${SECRET_ACME_EMAIL}
+    email: [email protected]
     privateKeySecretRef:
       name: letsencrypt-production
     server: https://acme-v02.api.letsencrypt.org/directory
     solvers:
     - dns01:
         cloudflare:
           apiKeySecretRef:
             key: CLOUDFLARE_API_KEY
             name: cloudflare-secret
-          email: ${SECRET_CLOUDFLARE_EMAIL}
+          email: [email protected]
       selector:
         dnsZones:
         - rodent.cc
-        - rodent.casa
 
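Review bot: The two `email:` lines under `acme:` and under the `cloudflare:` solver move from the SOPS-substituted `${SECRET_ACME_EMAIL}` / `${SECRET_CLOUDFLARE_EMAIL}` to plaintext literals committed in git (the rendered page obscures the literal, but the diff shows a concrete address replacing the placeholder); the letsencrypt-staging hunk below makes the same change. If the address was put in cluster-secrets on purpose, keep the substitution and fix its source instead; if it is considered public, record that with a comment such as `# contact address intentionally kept in plaintext; it is visible on the ACME account anyway`. Separately, `apiKeySecretRef` plus `email` is the Cloudflare Global API Key form; cert-manager also accepts `apiTokenSecretRef` with a zone-scoped API token, which limits what a leaked `cloudflare-secret` can do and drops the need for the email line entirely.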
--- kubernetes/main/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-staging

+++ kubernetes/main/apps/cert-manager/cert-manager/issuers Kustomization: flux-system/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-staging

@@ -7,22 +7,21 @@

     kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
     kustomize.toolkit.fluxcd.io/namespace: flux-system
   name: letsencrypt-staging
   namespace: cert-manager
 spec:
   acme:
-    email: ${SECRET_ACME_EMAIL}
+    email: [email protected]
     privateKeySecretRef:
       name: letsencrypt-staging
     server: https://acme-staging-v02.api.letsencrypt.org/directory
     solvers:
     - dns01:
         cloudflare:
           apiKeySecretRef:
             key: CLOUDFLARE_API_KEY
             name: cloudflare-secret
-          email: ${SECRET_CLOUDFLARE_EMAIL}
+          email: [email protected]
       selector:
         dnsZones:
         - rodent.cc
-        - rodent.casa
 
--- kubernetes/main/apps/networking/cloudflared/app Kustomization: flux-system/cloudflared ExternalSecret: networking/cloudflared-tunnel

+++ kubernetes/main/apps/networking/cloudflared/app Kustomization: flux-system/cloudflared ExternalSecret: networking/cloudflared-tunnel

@@ -20,10 +20,10 @@

     template:
       data:
         credentials.json: |
           {
             "AccountTag": "{{ .CLOUDFLARE_ACCOUNT_TAG }}",
             "TunnelSecret": "{{ .CLOUDFLARE_TUNNEL_SECRET }}",
-            "TunnelID": "{{ .CLOUDFLARE_TUNNEL_ID }}"
+            "TunnelID": "${CLUSTER_CLOUDFLARE_TUNNEL_ID}"
           }
       engineVersion: v2
 
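Review bot: The `"TunnelID"` line now mixes two template layers in one block: Flux resolves `${CLUSTER_CLOUDFLARE_TUNNEL_ID}` from the Kustomization's substituteFrom sources at apply time, while ESO resolves the `{{ .CLOUDFLARE_* }}` fields from the 1Password item at sync time. If the variable is missing from cluster-settings/cluster-secrets, the rendered credentials.json carries whatever Flux leaves in its place rather than a tunnel ID, and the failure only surfaces when cloudflared tries to connect. A comment above `template:`, e.g. `# ${CLUSTER_CLOUDFLARE_TUNNEL_ID} is substituted by Flux postBuild; the {{ }} fields come from the 1Password item`, would make the split explicit; the enclosing ExternalSecret starts outside this hunk.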
--- kubernetes/main/apps/networking/cloudflared/app Kustomization: flux-system/cloudflared DNSEndpoint: networking/cloudflared

+++ kubernetes/main/apps/networking/cloudflared/app Kustomization: flux-system/cloudflared DNSEndpoint: networking/cloudflared

@@ -7,11 +7,11 @@

     kustomize.toolkit.fluxcd.io/name: cloudflared
     kustomize.toolkit.fluxcd.io/namespace: flux-system
   name: cloudflared
   namespace: networking
 spec:
   endpoints:
-  - dnsName: external.devbu.io
+  - dnsName: external.rodent.cc
     recordType: CNAME
     targets:
     - ${CLUSTER_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com
 
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/cloudflared

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/cloudflared

@@ -14,12 +14,13 @@

       app.kubernetes.io/name: cloudflared
   decryption:
     provider: sops
     secretRef:
       name: sops-age
   dependsOn:
+  - name: external-dns-cloudflare
   - name: external-secrets-stores
   interval: 30m
   path: ./kubernetes/main/apps/networking/cloudflared/app
   postBuild:
     substituteFrom:
     - kind: ConfigMap
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-certificates

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-certificates

@@ -1,36 +0,0 @@

----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  labels:
-    kustomize.toolkit.fluxcd.io/name: cluster-apps
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: nginx-certificates
-  namespace: flux-system
-spec:
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: nginx-certificates
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-  - name: cert-manager-issuers
-  interval: 30m
-  path: ./kubernetes/main/apps/networking/nginx/certificates
-  postBuild:
-    substituteFrom:
-    - kind: ConfigMap
-      name: cluster-settings
-    - kind: Secret
-      name: cluster-secrets
-  prune: false
-  retryInterval: 1m
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  targetNamespace: networking
-  timeout: 5m
-  wait: true
-
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-external

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-external

@@ -13,14 +13,14 @@

       app.kubernetes.io/name: nginx-external
   decryption:
     provider: sops
     secretRef:
       name: sops-age
   dependsOn:
+  - name: certificates
   - name: external-secrets-stores
-  - name: nginx-certificates
   interval: 30m
   path: ./kubernetes/main/apps/networking/nginx/external
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
@@ -30,8 +30,8 @@

   retryInterval: 1m
   sourceRef:
     kind: GitRepository
     name: home-kubernetes
   targetNamespace: networking
   timeout: 5m
-  wait: true
+  wait: false
 
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-internal

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-internal

@@ -13,13 +13,14 @@

       app.kubernetes.io/name: nginx-internal
   decryption:
     provider: sops
     secretRef:
       name: sops-age
   dependsOn:
-  - name: nginx-certificates
+  - name: certificates
+  - name: external-secrets-stores
   interval: 30m
   path: ./kubernetes/main/apps/networking/nginx/internal
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
@@ -29,8 +30,8 @@

   retryInterval: 1m
   sourceRef:
     kind: GitRepository
     name: home-kubernetes
   targetNamespace: networking
   timeout: 5m
-  wait: true
+  wait: false
 
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/certificates-import

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/certificates-import

@@ -0,0 +1,36 @@

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: cluster-apps
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: certificates-import
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: certificates-import
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  dependsOn:
+  - name: external-secrets-stores
+  interval: 30m
+  path: ./kubernetes/main/apps/cert-manager/certificates/import
+  postBuild:
+    substituteFrom:
+    - kind: ConfigMap
+      name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets
+  prune: false
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  targetNamespace: cert-manager
+  timeout: 5m
+  wait: true
+
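Review bot: `wait: true` with `timeout: 5m` on this Kustomization, combined with the `certificates` Kustomization in the next hunk listing `certificates-import` in its `dependsOn`, looks like a bootstrap-ordering hazard: on a fresh cluster the imported ClusterExternalSecret cannot become Ready until a `rodent-cc-tls` item exists in 1Password, but that item is only produced by the PushSecret delivered through `certificates`, which waits on this one. Unless the item is seeded by hand, the chain may never converge. Consider `wait: false` here, or dropping the `certificates-import` entry from the `certificates` dependsOn list, and stating the intended order in a comment such as `# import first so an existing cert is reused instead of re-issued; on a brand-new cluster the 1Password item must be seeded manually`.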
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/certificates

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/certificates

@@ -0,0 +1,38 @@

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: cluster-apps
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: certificates
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: certificates
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  dependsOn:
+  - name: certificates-import
+  - name: cert-manager-issuers
+  - name: external-secrets-stores
+  interval: 30m
+  path: ./kubernetes/main/apps/cert-manager/certificates/app
+  postBuild:
+    substituteFrom:
+    - kind: ConfigMap
+      name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets
+  prune: false
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  targetNamespace: cert-manager
+  timeout: 5m
+  wait: true
+
--- kubernetes/main/apps/security/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: security/external-secrets

+++ kubernetes/main/apps/security/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: security/external-secrets

@@ -18,26 +18,23 @@

         namespace: flux-system
       version: 0.9.14
   install:
     remediation:
       retries: 3
   interval: 30m
-  maxHistory: 2
-  uninstall:
-    keepHistory: false
   upgrade:
     cleanupOnFail: true
     remediation:
       retries: 3
+      strategy: rollback
   values:
     certController:
       serviceMonitor:
         enabled: true
         interval: 1m
     installCRDs: true
-    replicaCount: 2
     serviceMonitor:
       enabled: true
       interval: 1m
     webhook:
       serviceMonitor:
         enabled: true
--- kubernetes/main/apps/security/external-secrets/stores Kustomization: flux-system/external-secrets-stores HelmRelease: security/onepassword-connect

+++ kubernetes/main/apps/security/external-secrets/stores Kustomization: flux-system/external-secrets-stores HelmRelease: security/onepassword-connect

@@ -129,21 +129,21 @@

             runAsUser: 999
         strategy: RollingUpdate
     ingress:
       app:
         className: internal
         hosts:
-        - host: '{{ .Release.Name }}.${SECRET_DOMAIN}'
+        - host: '{{ .Release.Name }}.rodent.cc'
           paths:
           - path: /
             service:
               identifier: app
               port: http
         tls:
         - hosts:
-          - '{{ .Release.Name }}.${SECRET_DOMAIN}'
+          - '{{ .Release.Name }}.rodent.cc'
     persistence:
       config:
         globalMounts:
         - path: /config
         type: emptyDir
     service:
--- kubernetes/main/apps/networking/nginx/external Kustomization: flux-system/nginx-external ExternalSecret: networking/nginx-external

+++ kubernetes/main/apps/networking/nginx/external Kustomization: flux-system/nginx-external ExternalSecret: networking/nginx-external

@@ -16,9 +16,9 @@

     kind: ClusterSecretStore
     name: onepassword-connect
   target:
     name: nginx-external-maxmind-secret
     template:
       data:
-        MAXMIND_LICENSE_KEY: '{{ .LICENSE_KEY }}'
+        MAXMIND_LICENSE_KEY: '{{ .MAXMIND_LICENSE_KEY }}'
       engineVersion: v2
 
--- kubernetes/main/apps/networking/nginx/external Kustomization: flux-system/nginx-external HelmRelease: networking/nginx-external

+++ kubernetes/main/apps/networking/nginx/external Kustomization: flux-system/nginx-external HelmRelease: networking/nginx-external

@@ -18,18 +18,17 @@

         namespace: flux-system
       version: 4.10.0
   install:
     remediation:
       retries: 3
   interval: 30m
-  uninstall:
-    keepHistory: false
   upgrade:
     cleanupOnFail: true
     remediation:
       retries: 3
+      strategy: rollback
   values:
     controller:
       admissionWebhooks:
         objectSelector:
           matchExpressions:
           - key: ingress-class
@@ -55,13 +54,13 @@

         proxy-body-size: 0
         proxy-buffer-size: 16k
         ssl-protocols: TLSv1.3 TLSv1.2
         use-forwarded-headers: 'true'
         use-geoip2: true
       extraArgs:
-        default-ssl-certificate: networking/${SECRET_DOMAIN/./-}-tls
+        default-ssl-certificate: networking/rodent-cc-tls
       ingressClassResource:
         controllerValue: k8s.io/external
         default: false
         name: external
       metrics:
         enabled: true
@@ -72,17 +71,17 @@

       replicaCount: 2
       resources:
         limits:
           memory: 500Mi
         requests:
           cpu: 100m
-          memory: 250Mi
       service:
         annotations:
-          external-dns.alpha.kubernetes.io/hostname: external.${SECRET_DOMAIN}
+          external-dns.alpha.kubernetes.io/hostname: external.rodent.cc
           io.cilium/lb-ipam-ips: 10.1.1.151
+      terminationGracePeriodSeconds: 120
       topologySpreadConstraints:
       - labelSelector:
           matchLabels:
             app.kubernetes.io/component: controller
             app.kubernetes.io/instance: nginx-external
             app.kubernetes.io/name: ingress-nginx
--- kubernetes/main/apps/networking/nginx/certificates Kustomization: flux-system/nginx-certificates Certificate: networking/rodent-cc

+++ kubernetes/main/apps/networking/nginx/certificates Kustomization: flux-system/nginx-certificates Certificate: networking/rodent-cc

@@ -1,20 +0,0 @@

----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  labels:
-    app.kubernetes.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: rodent-cc
-  namespace: networking
-spec:
-  commonName: rodent.cc
-  dnsNames:
-  - rodent.cc
-  - '*.rodent.cc'
-  issuerRef:
-    kind: ClusterIssuer
-    name: letsencrypt-production
-  secretName: rodent-cc-tls
-
--- kubernetes/main/apps/networking/nginx/certificates Kustomization: flux-system/nginx-certificates Certificate: networking/rodent-casa

+++ kubernetes/main/apps/networking/nginx/certificates Kustomization: flux-system/nginx-certificates Certificate: networking/rodent-casa

@@ -1,20 +0,0 @@

----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  labels:
-    app.kubernetes.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: rodent-casa
-  namespace: networking
-spec:
-  commonName: rodent.casa
-  dnsNames:
-  - rodent.casa
-  - '*.rodent.casa'
-  issuerRef:
-    kind: ClusterIssuer
-    name: letsencrypt-production
-  secretName: rodent-casa-tls
-
--- kubernetes/main/apps/networking/nginx/internal Kustomization: flux-system/nginx-internal HelmRelease: networking/nginx-internal

+++ kubernetes/main/apps/networking/nginx/internal Kustomization: flux-system/nginx-internal HelmRelease: networking/nginx-internal

@@ -18,18 +18,17 @@

         namespace: flux-system
       version: 4.10.0
   install:
     remediation:
       retries: 3
   interval: 30m
-  uninstall:
-    keepHistory: false
   upgrade:
     cleanupOnFail: true
     remediation:
       retries: 3
+      strategy: rollback
   values:
     controller:
       admissionWebhooks:
         objectSelector:
           matchExpressions:
           - key: ingress-class
@@ -54,13 +53,13 @@

           {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
         proxy-body-size: 0
         proxy-buffer-size: 16k
         ssl-protocols: TLSv1.3 TLSv1.2
         use-forwarded-headers: 'true'
       extraArgs:
-        default-ssl-certificate: networking/${SECRET_DOMAIN/./-}-tls
+        default-ssl-certificate: networking/rodent-cc-tls
       ingressClassResource:
         controllerValue: k8s.io/internal
         default: true
         name: internal
       metrics:
         enabled: true
@@ -71,18 +70,17 @@

       replicaCount: 2
       resources:
         limits:
           memory: 500Mi
         requests:
           cpu: 100m
-          memory: 250Mi
       service:
         annotations:
-          external-dns.alpha.kubernetes.io/hostname: internal.${SECRET_DOMAIN}
+          external-dns.alpha.kubernetes.io/hostname: internal.rodent.cc
           io.cilium/lb-ipam-ips: 10.1.1.152
-        externalTrafficPolicy: Cluster
+      terminationGracePeriodSeconds: 120
       topologySpreadConstraints:
       - labelSelector:
           matchLabels:
             app.kubernetes.io/component: controller
             app.kubernetes.io/instance: nginx-internal
             app.kubernetes.io/name: ingress-nginx
--- kubernetes/main/apps/observability/vector/app Kustomization: flux-system/vector ExternalSecret: observability/vector-aggregator

+++ kubernetes/main/apps/observability/vector/app Kustomization: flux-system/vector ExternalSecret: observability/vector-aggregator

@@ -16,10 +16,10 @@

     kind: ClusterSecretStore
     name: onepassword-connect
   target:
     name: vector-aggregator-secret
     template:
       data:
-        GEOIPUPDATE_ACCOUNT_ID: '{{ .ACCOUNT_ID }}'
-        GEOIPUPDATE_LICENSE_KEY: '{{ .LICENSE_KEY }}'
+        GEOIPUPDATE_ACCOUNT_ID: '{{ .MAXMIND_ACCOUNT_ID }}'
+        GEOIPUPDATE_LICENSE_KEY: '{{ .MAXMIND_LICENSE_KEY }}'
       engineVersion: v2
 
--- kubernetes/main/apps/cert-manager/certificates/app Kustomization: flux-system/certificates Certificate: cert-manager/rodent-cc

+++ kubernetes/main/apps/cert-manager/certificates/app Kustomization: flux-system/certificates Certificate: cert-manager/rodent-cc

@@ -0,0 +1,20 @@

+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/name: certificates
+    kustomize.toolkit.fluxcd.io/name: certificates
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: rodent-cc
+  namespace: cert-manager
+spec:
+  commonName: rodent.cc
+  dnsNames:
+  - rodent.cc
+  - '*.rodent.cc'
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt-production
+  secretName: rodent-cc-tls
+
--- kubernetes/main/apps/cert-manager/certificates/app Kustomization: flux-system/certificates PushSecret: cert-manager/rodent-cc-tls

+++ kubernetes/main/apps/cert-manager/certificates/app Kustomization: flux-system/certificates PushSecret: cert-manager/rodent-cc-tls

@@ -0,0 +1,35 @@

+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: certificates
+    kustomize.toolkit.fluxcd.io/name: certificates
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: rodent-cc-tls
+  namespace: cert-manager
+spec:
+  data:
+  - match:
+      remoteRef:
+        property: tls.crt
+        remoteKey: rodent-cc-tls
+      secretKey: tls.crt
+  - match:
+      remoteRef:
+        property: tls.key
+        remoteKey: rodent-cc-tls
+      secretKey: tls.key
+  refreshInterval: 1h
+  secretStoreRefs:
+  - kind: ClusterSecretStore
+    name: onepassword-connect
+  selector:
+    secret:
+      name: rodent-cc-tls
+  template:
+    data:
+      tls.crt: '{{ index . "tls.crt" | b64enc }}'
+      tls.key: '{{ index . "tls.key" | b64enc }}'
+    engineVersion: v2
+
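Review bot: This PushSecret exports the private key (`secretKey: tls.key`) out of the cluster into the 1Password vault reachable through the `onepassword-connect` ClusterSecretStore, so the Connect token — and any ExternalSecret in the cluster that uses the same store — now guards the wildcard key for `*.rodent.cc`. That is evidently the design (re-import via the ClusterExternalSecret in the certificates/import hunk), but the widened trust boundary is not documented in the resource. A header comment would help: `# Pushes the issued cert and its private key to 1Password so a rebuilt cluster can reuse them; the Connect token therefore protects this private key`. The `b64enc` in `template.data` is what the importer's `decodingStrategy: Auto` undoes, which is also worth one line of comment so nobody removes one side without the other.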
--- kubernetes/main/apps/cert-manager/certificates/import Kustomization: flux-system/certificates-import ClusterExternalSecret: cert-manager/rodent-cc-tls

+++ kubernetes/main/apps/cert-manager/certificates/import Kustomization: flux-system/certificates-import ClusterExternalSecret: cert-manager/rodent-cc-tls

@@ -0,0 +1,47 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: certificates-import
+    kustomize.toolkit.fluxcd.io/name: certificates-import
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: rodent-cc-tls
+  namespace: cert-manager
+spec:
+  externalSecretName: rodent-cc-tls
+  externalSecretSpec:
+    dataFrom:
+    - extract:
+        decodingStrategy: Auto
+        key: rodent-cc-tls
+    secretStoreRef:
+      kind: ClusterSecretStore
+      name: onepassword-connect
+    target:
+      creationPolicy: Orphan
+      name: rodent-cc-tls
+      template:
+        engineVersion: v2
+        metadata:
+          annotations:
+            cert-manager.io/alt-names: '*.rodent.cc,rodent.cc'
+            cert-manager.io/certificate-name: rodent-cc
+            cert-manager.io/common-name: rodent.cc
+            cert-manager.io/ip-sans: ''
+            cert-manager.io/issuer-group: ''
+            cert-manager.io/issuer-kind: ClusterIssuer
+            cert-manager.io/issuer-name: letsencrypt-production
+            cert-manager.io/uri-sans: ''
+          labels:
+            controller.cert-manager.io/fao: 'true'
+        type: kubernetes.io/tls
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: In
+      values:
+      - cert-manager
+      - networking
+  refreshTime: 1m
+
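Review bot: The `namespaceSelector` includes `cert-manager`, where the Certificate in the certificates/app hunk also writes a Secret named `rodent-cc-tls`, so two controllers manage the same object: cert-manager writes a renewed key pair, while this ClusterExternalSecret (`refreshTime: 1m`) reconciles the Secret back to the vault copy, which the PushSecret only refreshes hourly. During that window a renewal may be overwritten with the expiring certificate and cert-manager may issue again, which counts against Let's Encrypt rate limits; the `cert-manager.io/*` annotations and the `controller.cert-manager.io/fao` label make cert-manager accept the imported Secret as its own, which is presumably the intent, but none of this interaction is stated. Consider limiting the selector to `networking`, or confirming how ESO behaves when the target already differs from the store, and adding a comment such as `# mirrors the cert-manager annotations so the imported Secret is accepted as the Certificate's own and not re-issued`. `creationPolicy: Orphan` also means the Secret outlives this object, which is reasonable for a TLS secret but belongs in the same comment.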

@rodent1 rodent1 merged commit 6567718 into main Apr 7, 2024
@rodent1 rodent1 deleted the pushsecret branch April 7, 2024 07:15