From 850ecacdec7106b070fb75ccb62d3fa65fef128b Mon Sep 17 00:00:00 2001 From: Jonathan Bartlett <34320158+Jonnobrow@users.noreply.github.com> Date: Mon, 12 Aug 2024 16:32:15 +0100 Subject: [PATCH] Various fixes and some tidying up (#472) * Fix * Deploy from branch * Add certificate * Tweaks * Stop it from ignoring things * Remove patch * Fix a typo * Try patches again * Cert-manager tweaks --- .taskfiles/flux.yml | 28 ++----------------- ...oudflare-api-token-secret.secret.sops.yaml | 1 - .../apps/cert-manager/app/helmrelease.yaml | 5 +--- .../apps/cert-manager/app/kustomization.yaml | 6 ++-- .../cert-manager/certificates/wildcard.yaml | 15 ++++++++++ .../coffee-shop-2/apps/cert-manager/ks.yaml | 26 +++++++++++++++-- .../apps/cert-manager/kustomization.yaml | 5 ++++ kubernetes/coffee-shop-2/apps/metallb/ks.yaml | 1 + kubernetes/coffee-shop-2/cluster/apps.yaml | 1 + .../coffee-shop-2/cluster/config/cluster.yaml | 2 +- 10 files changed, 54 insertions(+), 36 deletions(-) create mode 100644 kubernetes/coffee-shop-2/apps/cert-manager/certificates/wildcard.yaml create mode 100644 kubernetes/coffee-shop-2/apps/cert-manager/kustomization.yaml diff --git a/.taskfiles/flux.yml b/.taskfiles/flux.yml index 4b4fd243..c2789532 100644 --- a/.taskfiles/flux.yml +++ b/.taskfiles/flux.yml 
@@ -1,34 +1,12 @@ --- version: "3" -env: - GITHUB_USER: jonnobrow - tasks: sync: desc: Sync flux-system with the Git Repository + vars: + cluster: '{{.cluster| default "coffee-shop-2"}}' cmds: - - flux reconcile source git flux-system + - flux reconcile source git -n flux-system {{.cluster}} - flux get kustomizations --watch silent: true - - generatekey: - desc: Generates a git secret for flux - cmds: - - | - flux create secret git coffee-shop-auth \ - --url=ssh://git@github.com/jonnobrow/coffee-shop \ - --ssh-key-algorithm=ecdsa \ - --ssh-ecdsa-curve=p521 - - bootstrap: - desc: Bootstrap cluster with flux - cmds: - - | - flux bootstrap github \ - --owner=$GITHUB_USER \ - --repository=coffee-shop \ - --branch=main \ - --path=./cluster/base \ - --personal - silent: true diff --git a/kubernetes/coffee-shop-2/apps/cert-manager/app/cloudflare-api-token-secret.secret.sops.yaml b/kubernetes/coffee-shop-2/apps/cert-manager/app/cloudflare-api-token-secret.secret.sops.yaml index 8537be5b..49514a02 100644 --- a/kubernetes/coffee-shop-2/apps/cert-manager/app/cloudflare-api-token-secret.secret.sops.yaml +++ b/kubernetes/coffee-shop-2/apps/cert-manager/app/cloudflare-api-token-secret.secret.sops.yaml @@ -6,7 +6,6 @@ kind: Secret metadata: creationTimestamp: null name: cloudflare-api-token-secret - namespace: cert-manager sops: kms: [] gcp_kms: [] diff --git a/kubernetes/coffee-shop-2/apps/cert-manager/app/helmrelease.yaml b/kubernetes/coffee-shop-2/apps/cert-manager/app/helmrelease.yaml index c7e3e998..94f5ac0e 100644 --- a/kubernetes/coffee-shop-2/apps/cert-manager/app/helmrelease.yaml +++ b/kubernetes/coffee-shop-2/apps/cert-manager/app/helmrelease.yaml @@ -23,8 +23,5 @@ spec: values: crds: enabled: true - extraArgs: - - --dns01-recursive-nameservers=1.1.1.1:53 - - --dns01-recursive-nameservers-only dns01RecursiveNameserversOnly: true - dns01RecursiveNameservers: "1.1.1.1,1.0.0.1" + dns01RecursiveNameservers: "https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query" 
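Review bot: The `sync` task expands `{{.cluster}}` unquoted into the shell line `flux reconcile source git -n flux-system {{.cluster}}`; Task renders the template first and then hands the string to its shell, so a value passed on the command line with spaces or shell metacharacters is word-split or interpreted instead of reaching flux as one name. Quote the expansion, `- flux reconcile source git -n flux-system "{{.cluster}}"`, and the same holds for any other task that picks up `vars` from the CLI. The hunk covers the whole taskfile, so there is nothing outside it that constrains the value.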
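Review bot: Deleting `namespace: cert-manager` from the cleartext `metadata` of the SOPS file by hand leaves its MAC stale: sops computes the MAC over every value in the document, encrypted or not, unless the repository's `.sops.yaml` sets `mac_only_encrypted`, and the diffstat records a single deletion for this file, so the `mac` and `lastmodified` fields lower down were not recomputed. kustomize-controller will then fail decryption with a MAC mismatch and the `app` Kustomization that applies this Secret stays not-ready. Make the edit through `sops cloudflare-api-token-secret.secret.sops.yaml` (or re-encrypt with `sops --mac-only-encrypted` if that policy is intended) so the integrity fields follow the change; dropping the namespace itself is fine since the Flux Kustomization sets `targetNamespace: cert-manager`.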
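Review bot: The DoH form `https://1.1.1.1:443/dns-query` for `dns01RecursiveNameservers` is only understood by cert-manager releases that added DNS-over-HTTPS for the DNS-01 self-check (around v1.12, as I recall), and the chart `version:` that decides this sits above the hunk; an older controller rejects the value at start-up rather than falling back to plain DNS, so confirm the pinned chart against the release notes. Removing the duplicate `extraArgs` flags is the right call, as the two settings were specifying the same thing twice with different values. A one-line comment on the new value would save the next reader the lookup, e.g. `# DoH keeps the DNS-01 propagation check from being spoofed on-path; requires cert-manager >= 1.12`.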
diff --git a/kubernetes/coffee-shop-2/apps/cert-manager/app/kustomization.yaml b/kubernetes/coffee-shop-2/apps/cert-manager/app/kustomization.yaml index 38514284..d3f1e6f7 100644 --- a/kubernetes/coffee-shop-2/apps/cert-manager/app/kustomization.yaml +++ b/kubernetes/coffee-shop-2/apps/cert-manager/app/kustomization.yaml @@ -3,6 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./helmrepository.yaml - - ./helmrelease.yaml - - ./cloudflare-api-token-secret.secret.sops.yaml + - helmrepository.yaml + - helmrelease.yaml + - cloudflare-api-token-secret.secret.sops.yaml diff --git a/kubernetes/coffee-shop-2/apps/cert-manager/certificates/wildcard.yaml b/kubernetes/coffee-shop-2/apps/cert-manager/certificates/wildcard.yaml new file mode 100644 index 00000000..51680a47 --- /dev/null +++ b/kubernetes/coffee-shop-2/apps/cert-manager/certificates/wildcard.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: "${SECRET_DOMAIN/./-}" + namespace: cert-manager +spec: + secretName: "${SECRET_DOMAIN/./-}-tls" + issuerRef: + name: letsencrypt-prod + kind: ClusterIssuer + commonName: "${SECRET_DOMAIN}" + dnsNames: + - "${SECRET_DOMAIN}" + - "*.${SECRET_DOMAIN}" diff --git a/kubernetes/coffee-shop-2/apps/cert-manager/ks.yaml b/kubernetes/coffee-shop-2/apps/cert-manager/ks.yaml index 61057e15..8c30a044 100644 --- a/kubernetes/coffee-shop-2/apps/cert-manager/ks.yaml +++ b/kubernetes/coffee-shop-2/apps/cert-manager/ks.yaml @@ -1,8 +1,9 @@ +--- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: app - namespace: cert-manager + namespace: flux-system spec: interval: 1h targetNamespace: cert-manager 
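Review bot: `${SECRET_DOMAIN/./-}` in `metadata.name` and `spec.secretName` replaces only the first dot (Flux's envsubst keeps the bash distinction between `/` and `//`), so a domain with more than one dot yields a name such as `example-co.uk` and a Secret `example-co.uk-tls`; use the global form on both lines, `name: "${SECRET_DOMAIN//./-}"` and `secretName: "${SECRET_DOMAIN//./-}-tls"`. The expansion also relies on a `postBuild.substituteFrom` reaching the `certificates` Kustomization, which neither this file nor the new Kustomization in ks.yaml declares; if it arrives through the cluster-level patch that is fine, otherwise the unexpanded placeholder becomes an object name the API server rejects. Note that the Certificate is declared in `cert-manager`, so the issued Secret lives there too and is not mountable by workloads or ingress controllers in other namespaces without a separate copy mechanism.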
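Review bot: Changing `metadata.namespace` of the `app` Kustomization from `cert-manager` to `flux-system` is a delete-and-recreate for Flux, not a rename: when the parent prunes the old `cert-manager/app` object, its finalizer garbage-collects everything it applied if that object has `prune: true` (the field is outside this hunk), which would uninstall the cert-manager HelmRelease, its issuers and the Cloudflare Secret before the new object reapplies them. On a fresh cluster following the migration branch that is harmless; on a live cluster, annotate the old object with `kustomize.toolkit.fluxcd.io/prune: disabled` or suspend it before this lands. The rest of this object's spec continues in the next hunk.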
@@ -12,12 +13,13 @@ spec: kind: GitRepository namespace: flux-system name: coffee-shop-2 + wait: true --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: issuers - namespace: cert-manager + namespace: flux-system spec: interval: 1h targetNamespace: cert-manager @@ -29,3 +31,23 @@ spec: name: coffee-shop-2 dependsOn: - name: app + wait: true +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: certificates + namespace: flux-system +spec: + interval: 1h + targetNamespace: cert-manager + path: ./kubernetes/coffee-shop-2/apps/cert-manager/certificates + prune: true + sourceRef: + kind: GitRepository + namespace: flux-system + name: coffee-shop-2 + dependsOn: + - name: app + - name: issuers + wait: true diff --git a/kubernetes/coffee-shop-2/apps/cert-manager/kustomization.yaml b/kubernetes/coffee-shop-2/apps/cert-manager/kustomization.yaml new file mode 100644 index 00000000..6081031a --- /dev/null +++ b/kubernetes/coffee-shop-2/apps/cert-manager/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - ks.yaml diff --git a/kubernetes/coffee-shop-2/apps/metallb/ks.yaml b/kubernetes/coffee-shop-2/apps/metallb/ks.yaml index 6cf1ea89..90a16fdf 100644 --- a/kubernetes/coffee-shop-2/apps/metallb/ks.yaml +++ b/kubernetes/coffee-shop-2/apps/metallb/ks.yaml @@ -1,3 +1,4 @@ +--- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/coffee-shop-2/cluster/apps.yaml b/kubernetes/coffee-shop-2/cluster/apps.yaml index 96568a86..39489ed5 100644 --- a/kubernetes/coffee-shop-2/cluster/apps.yaml +++ b/kubernetes/coffee-shop-2/cluster/apps.yaml @@ -28,6 +28,7 @@ spec: kind: Kustomization metadata: name: not-used + namespace: not-used spec: decryption: provider: sops 
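Review bot: `wait: true` is added to `app` (and to `issuers` below) without a `timeout:`, and a Flux Kustomization's health check runs for its `timeout`, which as far as I recall defaults to `interval`, 1h here; a HelmRelease that never becomes Ready therefore holds the `issuers` and `certificates` dependency chain for an hour per attempt. Put an explicit bound next to each `wait: true`, e.g. `timeout: 10m`, so a broken chart surfaces as a failed reconciliation within minutes. The `dependsOn: - name: app` in `issuers` resolves within the same namespace, so moving both objects to `flux-system` together keeps that link intact.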
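Review bot: `prune: true` on the new `certificates` Kustomization removes the Certificate object when it leaves git, but cert-manager by default does not delete the issued `-tls` Secret with it (that needs the controller flag `--enable-certificate-owner-ref`), so pruning here leaves the private key in the cluster; document that so nobody assumes prune cleans up key material, e.g. `# prune removes the Certificate only; the issued Secret and its key stay unless cert-manager runs with --enable-certificate-owner-ref`. `wait: true` on a Certificate is evaluated through its `Ready` condition, so this Kustomization will sit not-ready until the DNS-01 challenge completes and anything that later depends on `certificates` blocks on ACME. Since the implicit timeout is the 1h `interval`, an explicit `timeout:` is worth adding here too.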
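Review bot: The new `cert-manager/kustomization.yaml` omits the `---` document start that this same commit adds to `ks.yaml` and `metallb/ks.yaml`; add `---` as its first line so the directory follows one convention and yamllint's `document-start` rule passes. It lists `namespace.yaml`, which is not part of this diff, so I assume it already exists; worth confirming since a missing resource makes the parent Kustomization fail to build.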
diff --git a/kubernetes/coffee-shop-2/cluster/config/cluster.yaml b/kubernetes/coffee-shop-2/cluster/config/cluster.yaml
index ef867fd6..a636e376 100644
--- a/kubernetes/coffee-shop-2/cluster/config/cluster.yaml
+++ b/kubernetes/coffee-shop-2/cluster/config/cluster.yaml
@@ -9,7 +9,7 @@ spec:
 interval: 30m
 url: ssh://git@github.com/Jonnobrow/coffee-shop.git
 ref:
- branch: coffee-shop-2.0/main
+ branch: coffee-shop-2.0/initial-migration
 secretRef:
 name: github-deploy-key
 ignore: |
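Review bot: Pointing the cluster's GitRepository at `coffee-shop-2.0/initial-migration` widens who can change what the cluster applies: branch protection and review rules usually cover `main`, and with the deploy key in `github-deploy-key` Flux will pull and apply whatever lands on this working branch every 30m without review. If this is a temporary step for the migration, mark it as such so it is not forgotten, e.g. `# TEMP: migration branch, switch back to coffee-shop-2.0/main once merged`, and consider pinning `ref.commit` or enabling `spec.verify` on the GitRepository while the cluster follows an unprotected branch. The `ignore:` block scalar that ends this hunk continues outside it.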