From 5a20255f995969e570ca2b4d970cbde15f58a742 Mon Sep 17 00:00:00 2001 From: Michael Stengel Date: Wed, 13 Dec 2023 09:22:41 -0600 Subject: [PATCH] Prod certs --- .../inventory/host_vars/k3s-new-01.sops.yaml | 16 +- .../inventory/host_vars/k3s-new-02.sops.yaml | 16 +- .../cert-manager/issuers/secret.sops.yaml | 16 +- .../app/secret.sops.yaml | 16 +- .../addons/webhooks/github/secret.sops.yaml | 16 +- .../monitoring/grafana/app/helmrelease.yaml | 173 ++++++++++++++++++ .../monitoring/grafana/app/kustomization.yaml | 6 + .../monitoring/grafana/app/secret.sops.yaml | 27 +++ kubernetes/apps/monitoring/grafana/ks.yaml | 20 ++ .../app/helmrelease.yaml | 35 ++++ .../kube-prometheus-stack/app/helmvalues.yaml | 123 +++++++++++++ .../app/kustomization.yaml | 6 + .../monitoring/kube-prometheus-stack/ks.yaml | 20 ++ kubernetes/apps/monitoring/kustomization.yaml | 2 + .../cloudflared/app/secret.sops.yaml | 18 +- .../external-dns/app/secret.sops.yaml | 16 +- .../nginx/certificates/kustomization.yaml | 1 + .../nginx/external/helmrelease.yaml | 2 +- .../nginx/internal/helmrelease.yaml | 2 +- .../flux/vars/cluster-secrets-user.sops.yaml | 16 +- .../flux/vars/cluster-secrets.sops.yaml | 20 +- 21 files changed, 490 insertions(+), 77 deletions(-) create mode 100644 kubernetes/apps/monitoring/grafana/app/helmrelease.yaml create mode 100644 kubernetes/apps/monitoring/grafana/app/kustomization.yaml create mode 100644 kubernetes/apps/monitoring/grafana/app/secret.sops.yaml create mode 100644 kubernetes/apps/monitoring/grafana/ks.yaml create mode 100644 kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml create mode 100644 kubernetes/apps/monitoring/kube-prometheus-stack/app/helmvalues.yaml create mode 100644 kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml create mode 100644 kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml 
diff --git a/ansible/inventory/host_vars/k3s-new-01.sops.yaml b/ansible/inventory/host_vars/k3s-new-01.sops.yaml index dc9a7f5d..301c210c 100644 --- a/ansible/inventory/host_vars/k3s-new-01.sops.yaml +++ b/ansible/inventory/host_vars/k3s-new-01.sops.yaml @@ -1,4 +1,4 @@ -ansible_become_pass: ENC[AES256_GCM,data:Oclc85l9rKkbu3y06kI=,iv:289D9q1jDtnRctO8gwQ8VAHRMjdtpoR+MoyJbVkLf78=,tag:UvHcBnxuGyKkCWaZzx9G2g==,type:str] +ansible_become_pass: ENC[AES256_GCM,data:bDfijHxoPuqDfevSKic=,iv:5W2wn5AhdJf3rl2BZkWAQUznWY0Omr3UrEif7hCTldU=,tag:9r4bUTPSe/bV/NK4sx0z6w==,type:str] sops: kms: [] gcp_kms: [] 
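Review bot: Every sops-managed value in this commit gets a fresh ciphertext while the age recipient `age1xet7mguda7d2gt4f6re7nsv4cdr7tmqeh4lvfyhxeg66sjtghv2q9xd44n` stays the same — here `ansible_become_pass`, and likewise in the k3s-new-02, cert-manager `api-token`, discord-template-notifier `config.toml`, github webhook `token`, cloudflared `TUNNEL_ID`/`credentials.json` and external-dns `api-token` hunks — so the files were either re-encrypted in place or the underlying credentials were rotated, and the subject "Prod certs" does not say which. If they were rotated, the superseded Cloudflare tokens, GitHub webhook token and tunnel credentials still need to be revoked at their issuers; the old ciphertexts remain in git history and are only as protected as the age key. A commit-body sentence naming which credentials were rotated (or stating that this is a pure re-encryption) would let a later reader tell the two cases apart.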
@@ -8,14 +8,14 @@ sops: - recipient: age1xet7mguda7d2gt4f6re7nsv4cdr7tmqeh4lvfyhxeg66sjtghv2q9xd44n enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDSGl6aUF6VVE2UnJjNHBS - YVdMWStWcGl0czc3N0loR0tVdWhiMmNzMEhJCmhoaGcxYWZkOThKTkM2TndoUGlY - eHZUSDR1MmlvZ1FTTjZqTmRId0plWTAKLS0tIDB5U2NnTmdLekJYT0kzTFphWHV2 - SWd0NisrbWhxc1VNOTNjWXo5WTkxczQK3eX3ap5GL4ZD/+k7beSemRuqR+Bdtfjc - OeFjQ1gWTrECRhZmT84OtXlAJ14I45rW0TP5hiZxct7hKCWU7DE4Vw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzaTkzWHozWnFlYjRTNjVB + L1Y1MjZtbTliMUhIQjdFR2JxdmFjR1FTUHpJClUyQ01xcEFpUldGc0N0N1BNamht + YmVZNmhqb1FETjFKWU9Vd3BaV2NoL1kKLS0tIERncDBoVFpJcVFLK0lGMXFyRWRJ + Y3NaQWlOSk9mRVBrTkFqa2ttM2k2Qm8KlayoZ1XZHaiqgvHDU9yCzM9h7snQ5dMh + PNCGXOB/uV7rLtkHIU6w74L5DcrBYzMDLhOGBVi8kMTyEsjliATc6Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-13T14:41:10Z" - mac: ENC[AES256_GCM,data:SBmXenTFBYq6uz0fnHW/uaB7PDdr/zktu184sK9eTkRKQjsI8hH5G0a6gDA8y/3mNbT8MsoSOoj/aEeZhphRCxhrev7TtgufIZyx9QuOteog5DWYsTi+8cDWHpXKKplOhrlglXtb51+x3c5XZ5jOPlVXPdFo1GQwREqvtYScx/s=,iv:CZ0E7EiR3I7RAQbB+VJuAsnEvpPYfBWON4nc+396AOg=,tag:T7Ix4iLqxNEzXNd2HDdSWw==,type:str] + lastmodified: "2023-12-13T15:21:41Z" + mac: ENC[AES256_GCM,data:qhV+IQ7FV7+qkozTYqR2g/mkpG4Yg1NYtwnFuJ6CnRx8ThkAhZRcliM9K66ZqRjrttXmb1EIt4cObouAOLlFprZsdbTEDhxZsLN4tC63hrOHH/Y/mYLGnz8XEQNc6mbFGdoxo6SeUJnVLWOr3iszlxOkQtqpTMFhuxOVuwOeH1o=,iv:EmV3TYkqtR4drvxGvLw0kHdxRGGnIoTt/wDD+n+rVtM=,tag:T7lCL/YrEwVwSwtDAeeEPw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/ansible/inventory/host_vars/k3s-new-02.sops.yaml b/ansible/inventory/host_vars/k3s-new-02.sops.yaml index 6973b1a1..80166d9b 100644 --- a/ansible/inventory/host_vars/k3s-new-02.sops.yaml +++ b/ansible/inventory/host_vars/k3s-new-02.sops.yaml 
@@ -1,4 +1,4 @@ -ansible_become_pass: ENC[AES256_GCM,data:bAN8kwOH9nwNPjlMB/I=,iv:y7JVMtCl7NZI04QBDLgAaTPHxmYhQym/LHmg4CsDypQ=,tag:i63Yq0E0oo0Lr6FGFEBgvg==,type:str] +ansible_become_pass: ENC[AES256_GCM,data:rmg0WScw5HpN8l9sxwI=,iv:rOgArITdwrnQklBpE+m/yWVp7hINQzAZ3K8UsZTeDsM=,tag:iNXVtcLxRCwDq+yNkIUJTA==,type:str] sops: kms: [] gcp_kms: [] @@ -8,14 +8,14 @@ sops: - recipient: age1xet7mguda7d2gt4f6re7nsv4cdr7tmqeh4lvfyhxeg66sjtghv2q9xd44n enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYncvNmR3ZndKU2pKWm5p - SE9WUkdtMUhlVGdxUEhTVkZRbTkvOHE3czBjCnZITVRyU284bzJydWlnbCtyMGRZ - aGRYTU53eWFRT1JqeTUwWS9HQUNKN1kKLS0tIGpHWUdrb0FvUk0rb2ZNMFFwUTlr - L3ZacnBxSTNuQjlvTmhOTFd0RGJZNjQKCldQVQoP534L+ugkt9NWE1Qm8jjKFz+4 - xyWZRr74n1Gi6GK8LNG2mF7r8/EUTricVJANqR6xcDAmpUOZWqwAeg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZzcrcW9qekExWUlmQVoz + SDVXUHlySnFaVnozMGx1MDdTejVOM0JWOWo0CnhQUTdmd2FYb21uUTkxd01RZW1o + a1dSYWxWdW95RjIxbDVTTFU2R1I0UG8KLS0tIEdkT09nS2JHdlZocTQwZkdrMy9n + WnpaVlJqbElIRUFWYUowMVBBRHBubTgKXo4vyRcfWk7ABsWRAwPwRE5DlF8JBTnM + RC35/cr0T6kewr8ASkhcq2BIhLC6XSRiykWGh5PoatCChKhgTiyndw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-13T14:41:10Z" - mac: ENC[AES256_GCM,data:s6bFJrE2eCzICmg0ZW2TjhcJ6obdYK0Fne5yOhJP+DoPPw5EcxBDB+yrVTGFIYdTsIKHCz/W8Ggy3o21wYGwciPCIT75rPnKNduVBA8OuvXzwrrw+k/AQSX9cWXi7b+89bB4FAFNqNor/9TQazh30Y6ElQFswDurmgMWTpLiu9E=,iv:tPrAXJ2zeKsUUpvkjU8kZ8bs4lJZkS4LWSysi+rnkqw=,tag:kqUhwHquTuL0GHabmXeJ1g==,type:str] + lastmodified: "2023-12-13T15:21:41Z" + mac: ENC[AES256_GCM,data:3k2LYVS9yajd03Z0qIxvtQR+I0qN3nzTJ3X4QsXG6I8cmGh18e4vs8HuyqvNadt5EMv/oxArrxFfkLjF7Q7PnDSg5SEismTC4dj4iNSXPLN0zhGe0bk38glU49FiiH98XqO0Xpl72PkWKlyiiFkErVM2QUC+h4J11hdOWfnNo+I=,iv:LFO4b1yjRqCh1xVHR0rNilOYELoEPAURkqwHOCm/3eU=,tag:l9Lyp5knTCmW6o1/BbB1/g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 
diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml index b3fecb2c..8683e2f5 100644 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml @@ -3,7 +3,7 @@ kind: Secret metadata: name: cert-manager-secret stringData: - api-token: ENC[AES256_GCM,data:ilQj4JcZuEaVjXK52quZ0Js2K/mDmeR/DYGNxHJJvzRXXK/XM+CszQ==,iv:t5B3kltnjxJWTKYWwlmZ5jLJAiwf84lJOBBd3Yph2lg=,tag:LpMksSWo7KUCZqiFHjDnFg==,type:str] + api-token: ENC[AES256_GCM,data:vdww5GO1zDKlcID95Sxv3jzdPpFgiIqE9FFvhlT076a8ZZR706/ypg==,iv:IU7DOUxmv1HLk6l3uMRhNFIQFROX0Dyfiqx9lv97OCg=,tag:8s74q4aOlXdMqPuaJ6TD1g==,type:str] sops: kms: [] gcp_kms: [] 
@@ -13,14 +13,14 @@ sops: - recipient: age1xet7mguda7d2gt4f6re7nsv4cdr7tmqeh4lvfyhxeg66sjtghv2q9xd44n enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlWlNhaVZuWGZmcVpFU1Vh - VXpDZzRiYXZXUmlWT3cwOFJaWmJYT1BLVzFJCkR1ZnpkTGlLWVE4cWlhVDQ1WTQx - Z040TVIrQTk4Rk9zcDkxcWRIR3NMTjAKLS0tIDg0WHZyM0NpNzZLRTAyTkhWK2Rh - UDZZK3hvMWlXMWx6aW41NVAxbkdKYXcKODZ+81G3dF60ZV/+RY07HcuuogtG+5qV - jqrJCYpOC/6DJD4VUW3xANxngrzOLvDonZQpV/pSmKwgNswv8DtQXQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBueEZYMUZBOE9qdVdHc2R2 + aWNMMDI1L0NOQ1JHREZXQjJVb2t2VTR0RUFNCjgzaG9zOW91WWtQRkQ5WFVxWTVP + MzZuQXF6cnJGbWlvekpRbFhzakM4bU0KLS0tIGRUbVdsNXY2T2NROGI5bFhueksz + U1VjN2FCWURvelhRQ0ZINHB1bFIySEEKdv+TDZIrPpIEcJDT9GlW3rmLU25HaYY6 + 9dZDc3BfaSICEV0raMLTVNILIPkQK/CWcFufcdfgfpODHYDrCKFznw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-13T14:41:49Z" - mac: ENC[AES256_GCM,data:dG1DeU/v3lUyW1izqpZOPsOQTGMWZ7I3ESg4El4w/iE2tOU4fPbbuPYBpU4LTwKPpQViGNQYxiGfWG2UzU1Jeq10Kz4IlWhdkjTdcITx+Pr5Lc2bRGa4Y4YM8I58qpecoEzSW8yG8PFebhcPycgIEDkIzVrMcN9/dlMgQlkvM28=,iv:rY8qd1JDvYbc1j5Ld/+/szAzGOMpqFU1RbVg2JbCtHY=,tag:WQ8WKXc9VnCVpmAC2y66sQ==,type:str] + lastmodified: "2023-12-13T15:22:19Z" + mac: ENC[AES256_GCM,data:fsclpYEXf1sWmmtedDl05na4C+1jB+/AzrFWak9wQcYeLZF7zZvtqseVfzPHJ3Ol0DD6uFbyBkgRd3ACue1xZHp3qeSwnuuoGWm5pEW0kePMrpbO9WGTbeBQttA18tZD+KGWv3mu4fMUfzhFOSUhLB5LLnmxKkwwBu/IpW2N5wY=,iv:yDjMa0l+MFEuz8MYhEWGvohKotwjoly2fBNq9yYjo9E=,tag:5L+AOs/MoaUX/ysJQbB7eg==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.8.1 diff --git a/kubernetes/apps/default/discord-template-notifier/app/secret.sops.yaml b/kubernetes/apps/default/discord-template-notifier/app/secret.sops.yaml index 572cddea..cd128f33 100644 --- a/kubernetes/apps/default/discord-template-notifier/app/secret.sops.yaml +++ b/kubernetes/apps/default/discord-template-notifier/app/secret.sops.yaml 
@@ -3,7 +3,7 @@ kind: Secret metadata: name: discord-template-notifier-secret stringData: - config.toml: ENC[AES256_GCM,data:4FGSWxFMf8Aucnt7GpX3YO0KbDo7zwO2BZFOqWWN/Y5teYUx+H3UfWHBhJ/GgBMsgABqZufkirmeMdExstj0dxJoheLnP5xabMDEoThs6/rD+SfCN04D+N7CQOeNXZKOfak6aOE7pJLnipxLZshVogMptChQxk/9K/Js4PDa7DIRDQBpVGmba3RPLsPghHtxX/AqOt06EdeqYQYWGgCaxZPED0tR9RNQD5vpMTwZQzj3G9tRxfX4YwQDewwb3Gy+OG5Ggb8GVbQ2VRE4V3i+2sZmWH906oGQTmhjmkjbx7qiCEmnwExgppPpkxnC1y66i8GKv9IxUkYCT0BnAJQp/3XySES7nN3ULRVRb7wgxdjhA4gOx/0hUGHkGGVCZhrupA==,iv:I6pxoZzMrZZmK4nTxUs1q7JWBrhuIuQzrfbaozp94hM=,tag:0ONoNhJMP65y/bYVOgEIjw==,type:str] + config.toml: ENC[AES256_GCM,data:8wFD4D5olewTGMl8s/r/XfZD7/6etsyyNxe89c7OdPt3RIspt3aFG33L1LtClBGRDykSfO2kdEeDO4QQFmYcmAKsd90Z9s8HpiH7c4PDCMFuphJyQNLFe+vYmiqlEGL6tbwwustfx9Eo2cwAlBaVnr5ZrBcJJkWLdgUwFxaZEASnBS4ocCzmpdsh8KOQOBB0MKWQ2TNU95rQvwid+w0HL54BKynfK8KPQoR9yFOhVEK63z1bPU9ADtUXisiyqYppm5T9b+ko33z/xvWWgWrBZoc66gTe38AyFO2LmZoxBZR6p20bz7NMKqbrCgzMK7KlLrfYmLduqjeNY+Spz3MjD7kBbI1iGvLp+RLPnzumsdg0K0B+kjDGyPpw5JLBmI9thg==,iv:s+YRr02bQWZSXyEmQeRtJG1EzbI/VhQ4NEkPnr4ELiI=,tag:lGwttsu0B2w6WTUBtwfr0A==,type:str] type: Opaque sops: kms: [] 
@@ -14,14 +14,14 @@ sops: - recipient: age1xet7mguda7d2gt4f6re7nsv4cdr7tmqeh4lvfyhxeg66sjtghv2q9xd44n enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYaVBVV0FiYmpGSUMzMWNF - RjVaRzRpb3h4RDNnamtaeFlYZWJqdjlIaVRJCjNQa1h0NisvZHoyMDFTd3RCaU4y - b0hCT2VwTExXNS8veVJ1cXdIb2lya1kKLS0tIDV1a2FudHh6Y1l2UkhLL1JBSVJx - YlRiY0xGSTA1M3dRYk1seHVJdS9JOE0KuLlvNKTEOc298eFQPdxRnTkPAevLso5u - Htp2hfakFQz+b+JZh9vmjZoJsf8R7pR+t9FTaOPK/Bs7ttkTgRG4NA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UWF3THRrTzV6NUdDZFMz + T1J6U1RSTFRVSVo5UHQ4MjNkVkVLZzI3UVVjCkFzV2x5NmlCOHdvRjVXdXJGdmdr + UHg4TXJLM29OUm1lajBYZWtpR05tNTgKLS0tIHlVMVpZZVVLblJqYTdEbno4aUR2 + by9BWnJiVkZ3NFpDMEtBRGpDUXB6UlEKhR4NQ+mRC7XdkLmi/XLTX9g/scjjcUiX + Ya9027mJEJhhZE6plbEaF/49TmxNLacmWd6i6qxd75ekagWUswiHhg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-13T14:41:53Z" - mac: ENC[AES256_GCM,data:snkeWkpD7Tek/vN0Z9BILOgAkLXWOy/aHUNzOtxGFo8AvbhIjYKCDUZOHTZ6qf46TLwI+82rxorlRq8JlEkrNsBkh2/JCqbBTB6oM6aPYpv3mJOUttiPguvA2mTaSX6IqDYocc018qqB8CEa42OAM74qWbPSB84prm/XIsiTZSg=,iv:YRe04SLXHhemxt+YJunUDZw84tES9fJCw+eoeBlBiLs=,tag:qdZ/nCQtbEbPMfgaiqAQEQ==,type:str] + lastmodified: "2023-12-13T15:22:25Z" + mac: ENC[AES256_GCM,data:ig4HIY0gXgN+xwV18qRgS4PlzIFH8UmpC34U91OwjRI7ZVTfWVnl/wM0KdyZDQsbmaaAzaUp54IAAEm5Fcg2/1ZHmhP+Jmjl/6LXpT4KmHXiEuG2rUlVq0XF8H9PJwiJqtGlclDMuT5DqCn6pedp3Wi7DvdgLgKNbl+FDgh3aTU=,iv:vlR1gzpFspITmu7MN27or3kj8tshDAciZp6LzwkZB+4=,tag:2ju5TWvVMUgHwI8ZJGnKJA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.8.1 diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml index 417ee00c..764fd16e 100644 --- a/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml +++ b/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml 
@@ -3,7 +3,7 @@ kind: Secret metadata: name: github-webhook-token-secret stringData: - token: ENC[AES256_GCM,data:TXqWB16iEL+CGG72A6HYygy0dnotchW0,iv:sEaxbOGMcxUJURm68ujd+gXES+q3YwcBMcyRuWTFhjU=,tag:hXzWxkXkX0kxaNixZf6cSA==,type:str] + token: ENC[AES256_GCM,data:+algh3L/T4nT7p07znWLF+dRv4iBj5cE,iv:KL9rJU5iwqm220imcuZi+3b9QMeA4y7nnOCN9VrsGhs=,tag:2HEDCL8kTmVM20FJskWVZQ==,type:str] sops: kms: [] gcp_kms: [] @@ -13,14 +13,14 @@ sops: - recipient: age1xet7mguda7d2gt4f6re7nsv4cdr7tmqeh4lvfyhxeg66sjtghv2q9xd44n enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUEI1MlREWS9LZXBTbktj - eFA3Z3JOS2xBaSs1T3IzQ3RtcnZwRDRESXlNCllrVXNoR2h1c1RwUFVJNjdiMXYx - MUJob2hQeVNJZ29LcHUrSDN6N25uS3MKLS0tIFEzbDMvSTg0b1hybEJsUlFZT1BW - akRtcFphRG94VlVJTGpqNEoxQzdFQ28KpfAr4X3AkX877Z0nhNSCPwZo7T8XReO7 - t/DPddk706flgC8Pr48syi40pPAVzCakjxzLt7aesUwVxQs2Xx2lDw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbkMreEhDYnRlMkMvT1Zm + TDRUQWdzOWVSODVwZEcwRUlpa2NrMW5kZVQ4CmJJbDZZN0tzV2JqRTI1dno4bUhW + SDU4aXlZOG56V0p1UnJweVUrbGdiYTQKLS0tIFpRVmlCeHhiWW56cjc2amZJZ3ZQ + V1hYa0FzbllKdTU3NU1oT2Y1ZkZjTVkKsuTkTYHzA6agrv0zmCz7iafA9nyzEhRL + Bhk80tkAw3K9hx5u8lux+zh23dtaxNDc9BZWuD9HCtjm7nESxFHp9w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-13T14:41:48Z" - mac: ENC[AES256_GCM,data:Cf/lYT+mmOo0PbEJkb9ED8708L4I1XB5/e+QUWgTycL6Goh6PVQ7jLpLuAxVBC3cxVnqb4NKLv0tqmNy6gs1scvs7E5VCKj+iczpFOZYrzHoYRrCxfEoJwPQzVbyACvQo4DFf29F9p9MRRdd1PbIA2HYCMz15sjDSFzVFWt4bbg=,iv:1eK0Y3PUnJp168p9yv052Wv1vSg3zK89NSArrBfKqhc=,tag:Z0fMe08f9fY2e8T4tjpQ/A==,type:str] + lastmodified: "2023-12-13T15:22:18Z" + mac: ENC[AES256_GCM,data:EqwGpeSrJNH53eLF9LcyPRcchj7rFDAhpvDZWyOYCH/q4Lt+kc6Bomjd5X1ngtUDbkcR3KXn9204yt0xzohJe3dGqNIrvykGB3TQ95Y5jyiQ0alD3Zs0Upy+0TTa3YJH2I2EvtddoelgtVw0UPfYzfDo10RJqssaAdW6HzCtZkQ=,iv:8YcS8xxxu4VBAY2oRV+XnZcxmnU5YubSQB3ESTe9gwo=,tag:c25GuoZsCi8lXCEbK2fmNg==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.8.1 
diff --git a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml new file mode 100644 index 00000000..2def2f44 --- /dev/null +++ b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml 
@@ -0,0 +1,173 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta2 +kind: HelmRelease +metadata: + name: grafana +spec: + interval: 30m + chart: + spec: + chart: grafana + version: 7.0.17 + sourceRef: + kind: HelmRepository + name: grafana + namespace: flux-system + maxHistory: 2 + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + dependsOn: + - name: local-path-provisioner + namespace: kube-system + values: + deploymentStrategy: + type: Recreate + admin: + existingSecret: grafana-admin-secret + env: + GF_EXPLORE_ENABLED: true + GF_SERVER_ROOT_URL: "https://grafana.${SECRET_DOMAIN}" + grafana.ini: + analytics: + check_for_updates: false + check_for_plugin_updates: false + reporting_enabled: false + dashboardProviders: + dashboardproviders.yaml: + apiVersion: 1 + providers: + - name: default + orgId: 1 + folder: "" + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/default + - name: flux + orgId: 1 + folder: Flux + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/flux + - name: kubernetes + orgId: 1 + folder: Kubernetes + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/kubernetes + - name: nginx + orgId: 1 + folder: Nginx + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/nginx + datasources: + datasources.yaml: + apiVersion: 1 + deleteDatasources: + - { name: Prometheus, orgId: 1 } + datasources: + - name: Prometheus + type: prometheus + uid: prometheus + access: proxy + url: http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090 + jsonData: + prometheusType: Prometheus + isDefault: true + dashboards: + default: + cloudflared: + gnetId: 17457 # https://grafana.com/grafana/dashboards/17457?tab=revisions + revision: 6 + datasource: + - { name: DS_PROMETHEUS, value: 
Prometheus } + external-dns: + gnetId: 15038 # https://grafana.com/grafana/dashboards/15038?tab=revisions + revision: 1 + datasource: Prometheus + cert-manager: + url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json + datasource: Prometheus + node-exporter-full: + gnetId: 1860 # https://grafana.com/grafana/dashboards/1860?tab=revisions + revision: 31 + datasource: Prometheus + flux: + flux-cluster: + url: https://raw.githubusercontent.com/fluxcd/flux2/main/manifests/monitoring/monitoring-config/dashboards/cluster.json + datasource: Prometheus + flux-control-plane: + url: https://raw.githubusercontent.com/fluxcd/flux2/main/manifests/monitoring/monitoring-config/dashboards/control-plane.json + datasource: Prometheus + kubernetes: + kubernetes-api-server: + url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-api-server.json + datasource: Prometheus + kubernetes-coredns: + url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-coredns.json + datasource: Prometheus + kubernetes-global: + url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-global.json + datasource: Prometheus + kubernetes-namespaces: + url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-namespaces.json + datasource: Prometheus + kubernetes-nodes: + url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-nodes.json + datasource: Prometheus + kubernetes-pods: + url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-pods.json + datasource: Prometheus + nginx: + nginx: + url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json + datasource: Prometheus + nginx-request-handling-performance: + url: 
https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json + datasource: Prometheus + sidecar: + dashboards: + enabled: true + searchNamespace: ALL + labelValue: "" + label: grafana_dashboard + folderAnnotation: grafana_folder + provider: + disableDelete: true + foldersFromFilesStructure: true + datasources: + enabled: true + searchNamespace: ALL + labelValue: "" + serviceMonitor: + enabled: true + ingress: + enabled: true + ingressClassName: internal + annotations: + hajimari.io/icon: simple-icons:grafana + hosts: + - &host "grafana.${SECRET_DOMAIN}" + tls: + - hosts: + - *host + persistence: + enabled: true + storageClassName: local-path + testFramework: + enabled: false diff --git a/kubernetes/apps/monitoring/grafana/app/kustomization.yaml b/kubernetes/apps/monitoring/grafana/app/kustomization.yaml new file mode 100644 index 00000000..95bf4747 --- /dev/null +++ b/kubernetes/apps/monitoring/grafana/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/monitoring/grafana/app/secret.sops.yaml b/kubernetes/apps/monitoring/grafana/app/secret.sops.yaml new file mode 100644 index 00000000..53e674de --- /dev/null +++ b/kubernetes/apps/monitoring/grafana/app/secret.sops.yaml 
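Review bot: `sidecar.datasources.searchNamespace: ALL` (and the same under `sidecar.dashboards`) makes the sidecar watch every namespace, which with the grafana chart's sidecar ClusterRole amounts to cluster-wide list/watch on ConfigMaps and, for the datasources sidecar, Secrets — verify against the rendered RBAC, but that is a broad read grant for a component whose only visible producer is kube-prometheus-stack deploying dashboards into `monitoring`. Consider `searchNamespace: monitoring` (or a comma-separated list of the namespaces that actually publish `grafana_dashboard` objects) unless dashboards are meant to come from anywhere. Separately, every `url:` under `dashboards` points at the `master`/`main` branch of a third-party GitHub repo, so the dashboard JSON fetched at pod start is whatever those branches hold that day; pinning each URL to a commit SHA makes the rendered dashboards reproducible and reviewable. `GF_EXPLORE_ENABLED: true` is a YAML boolean where an env value is a string — write `GF_EXPLORE_ENABLED: "true"` unless the chart is known to quote it.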
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Secret +metadata: + name: grafana-admin-secret +stringData: + admin-password: ENC[AES256_GCM,data:SVapmts=,iv:l6Rio4fOA2HZC4UF8+wxLyfSChB6KKlY+VRPQhjKZ5s=,tag:M5Q/fIXm13NFvRQHr+6g1w==,type:str] + admin-user: ENC[AES256_GCM,data:WWrVLc8=,iv:Vm2ppcijILsuuKjipo92+DNSWJ/xgKKFIwItBDR8Qt4=,tag:GdE/710hkW6X18RLwGSkCg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1xet7mguda7d2gt4f6re7nsv4cdr7tmqeh4lvfyhxeg66sjtghv2q9xd44n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGcFQ3QUh3NkxZc2F4c3Ux + Q1BKMEZ3ciszMC9XUVhPN1EyOS9EbVYybVZRClQ0MjB0YkRPeDZYaFUxVy80QjlP + MFJ0aWtKNFhPQk4vZlhXTFlXSWtLczAKLS0tIG54VERZRmtnMndPdmgvTGdzeEpP + NzFQcXhVdkhSVUFDRmhvLzJLNHl6SFUKfGsLLkCIhRISK4Ox5WzK8T5bddDvdG1c + s6uiooBHY1FTvAzMhqQqfy0pSqIezgr4lw7Ineb3BKd2f5gr7VCnfw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-13T15:22:22Z" + mac: ENC[AES256_GCM,data:BafTgc0dAc/qCcLJZlY2L8qC348mGmW+7FjtPxLvRbO9YQvHvRZMD+PXJ/cmnuRFLl+/TsJb7oGNowKKTRe7Vp6Kt0pbkeH3J5KvYYw3NPnElFG3d6BhiXpa+bpiO1P3TSJ8Sa6jpc4bnR9E7nQbqH5DfFUA4eZL5HYs02hA/Bc=,iv:wHdQ3U4Nm1pWTY3ZsnEpg32STuiX/gQ6DW9G92bHrQc=,tag:uuLhsbNEIVAN/ok7mXEmdw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/kubernetes/apps/monitoring/grafana/ks.yaml b/kubernetes/apps/monitoring/grafana/ks.yaml new file mode 100644 index 00000000..21e71d4a --- /dev/null +++ b/kubernetes/apps/monitoring/grafana/ks.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app grafana + namespace: flux-system +spec: + targetNamespace: monitoring + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/monitoring/grafana/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m 
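Review bot: The `admin-password` ciphertext `data:SVapmts=` base64-decodes to 5 bytes, and because sops stores the AES-GCM ciphertext separately from its `tag:`, the ciphertext length equals the plaintext length — so this Grafana admin password is 5 bytes long (5 characters in a single-byte encoding), on an account reachable through the `grafana.${SECRET_DOMAIN}` ingress declared in the sibling HelmRelease. Replace it with a long generated value before this is relied on in production; sops protects the value at rest but not its length. The file also omits `type: Opaque` and the leading `---` that the discord-template-notifier secret in this same diff carries, which is harmless but worth aligning.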
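Review bot: Neither this Kustomization nor the kube-prometheus-stack one declares `postBuild.substituteFrom`, yet the HelmRelease and ConfigMap they reconcile use `${SECRET_DOMAIN}` in ingress hosts and in `GF_SERVER_ROOT_URL`. If the cluster-level Flux Kustomization patches that stanza into every child (the usual pattern for this layout, and presumably what the existing cloudflared/external-dns apps rely on), this is fine; if it does not, the literal text `${SECRET_DOMAIN}` would be rendered into the Ingress hosts. That parent Kustomization is outside this diff, so confirm it; adding a `postBuild.substituteFrom` entry here referencing the cluster-secrets Secret would make the dependency explicit either way.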
diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml new file mode 100644 index 00000000..b63014c2 --- /dev/null +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml @@ -0,0 +1,35 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta2 +kind: HelmRelease +metadata: + name: kube-prometheus-stack +spec: + interval: 30m + timeout: 15m + chart: + spec: + chart: kube-prometheus-stack + version: 55.3.1 + sourceRef: + kind: HelmRepository + name: prometheus-community + namespace: flux-system + maxHistory: 2 + install: + crds: CreateReplace + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + crds: CreateReplace + remediation: + retries: 3 + uninstall: + keepHistory: false + dependsOn: + - name: local-path-provisioner + namespace: kube-system + valuesFrom: + - name: kube-prometheus-stack-values + kind: ConfigMap + valuesKey: values.yaml diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmvalues.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmvalues.yaml new file mode 100644 index 00000000..597f205f --- /dev/null +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmvalues.yaml 
@@ -0,0 +1,123 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: kube-prometheus-stack-values +data: + values.yaml: | + crds: + enabled: true + cleanPrometheusOperatorObjectNames: true + alertmanager: + enabled: false + kube-state-metrics: + metricLabelsAllowlist: + - "deployments=[*]" + - "persistentvolumeclaims=[*]" + - "pods=[*]" + prometheus: + monitor: + enabled: true + relabelings: + - action: replace + sourceLabels: ["__meta_kubernetes_pod_node_name"] + regex: ^(.*)$ + replacement: $1 + targetLabel: kubernetes_node + kubelet: + enabled: true + serviceMonitor: + metricRelabelings: + # Remove duplicate labels provided by k3s + - action: keep + sourceLabels: ["__name__"] + regex: (apiserver_audit|apiserver_client|apiserver_delegated|apiserver_envelope|apiserver_storage|apiserver_webhooks|authentication_token|cadvisor_version|container_blkio|container_cpu|container_fs|container_last|container_memory|container_network|container_oom|container_processes|container|csi_operations|disabled_metric|get_token|go|hidden_metric|kubelet_certificate|kubelet_cgroup|kubelet_container|kubelet_containers|kubelet_cpu|kubelet_device|kubelet_graceful|kubelet_http|kubelet_lifecycle|kubelet_managed|kubelet_node|kubelet_pleg|kubelet_pod|kubelet_run|kubelet_running|kubelet_runtime|kubelet_server|kubelet_started|kubelet_volume|kubernetes_build|kubernetes_feature|machine_cpu|machine_memory|machine_nvm|machine_scrape|node_namespace|plugin_manager|prober_probe|process_cpu|process_max|process_open|process_resident|process_start|process_virtual|registered_metric|rest_client|scrape_duration|scrape_samples|scrape_series|storage_operation|volume_manager|volume_operation|workqueue)_(.+) + - action: replace + sourceLabels: ["node"] + targetLabel: instance + # Drop high cardinality labels + - action: labeldrop + regex: (uid) + - action: labeldrop + regex: (id|name) + - action: drop + sourceLabels: ["__name__"] + regex: 
(rest_client_request_duration_seconds_bucket|rest_client_request_duration_seconds_sum|rest_client_request_duration_seconds_count) + kubeApiServer: + enabled: true + serviceMonitor: + metricRelabelings: + # Remove duplicate labels provided by k3s + - action: keep + sourceLabels: ["__name__"] + regex: (aggregator_openapi|aggregator_unavailable|apiextensions_openapi|apiserver_admission|apiserver_audit|apiserver_cache|apiserver_cel|apiserver_client|apiserver_crd|apiserver_current|apiserver_envelope|apiserver_flowcontrol|apiserver_init|apiserver_kube|apiserver_longrunning|apiserver_request|apiserver_requested|apiserver_response|apiserver_selfrequest|apiserver_storage|apiserver_terminated|apiserver_tls|apiserver_watch|apiserver_webhooks|authenticated_user|authentication|disabled_metric|etcd_bookmark|etcd_lease|etcd_request|field_validation|get_token|go|grpc_client|hidden_metric|kube_apiserver|kubernetes_build|kubernetes_feature|node_authorizer|pod_security|process_cpu|process_max|process_open|process_resident|process_start|process_virtual|registered_metric|rest_client|scrape_duration|scrape_samples|scrape_series|serviceaccount_legacy|serviceaccount_stale|serviceaccount_valid|watch_cache|workqueue)_(.+) + # Drop high cardinality labels + - action: drop + sourceLabels: ["__name__"] + regex: (apiserver|etcd|rest_client)_request(|_sli|_slo)_duration_seconds_bucket + - action: drop + sourceLabels: ["__name__"] + regex: (apiserver_response_sizes_bucket|apiserver_watch_events_sizes_bucket) + kubeControllerManager: + enabled: true + endpoints: + - 192.168.3.10 + serviceMonitor: + metricRelabelings: + # Remove duplicate labels provided by k3s + - action: keep + sourceLabels: ["__name__"] + regex: 
"(apiserver_audit|apiserver_client|apiserver_delegated|apiserver_envelope|apiserver_storage|apiserver_webhooks|attachdetach_controller|authenticated_user|authentication|cronjob_controller|disabled_metric|endpoint_slice|ephemeral_volume|garbagecollector_controller|get_token|go|hidden_metric|job_controller|kubernetes_build|kubernetes_feature|leader_election|node_collector|node_ipam|process_cpu|process_max|process_open|process_resident|process_start|process_virtual|pv_collector|registered_metric|replicaset_controller|rest_client|retroactive_storageclass|root_ca|running_managed|scrape_duration|scrape_samples|scrape_series|service_controller|storage_count|storage_operation|ttl_after|volume_operation|workqueue)_(.+)" + kubeEtcd: + enabled: true + endpoints: + - 192.168.3.10 + kubeScheduler: + enabled: true + endpoints: + - 192.168.3.10 + serviceMonitor: + metricRelabelings: + # Remove duplicate labels provided by k3s + - action: keep + sourceLabels: ["__name__"] + regex: "(apiserver_audit|apiserver_client|apiserver_delegated|apiserver_envelope|apiserver_storage|apiserver_webhooks|authenticated_user|authentication|disabled_metric|go|hidden_metric|kubernetes_build|kubernetes_feature|leader_election|process_cpu|process_max|process_open|process_resident|process_start|process_virtual|registered_metric|rest_client|scheduler|scrape_duration|scrape_samples|scrape_series|workqueue)_(.+)" + kubeProxy: + enabled: false # Disabled due to eBPF + prometheus: + ingress: + enabled: true + ingressClassName: internal + annotations: + hajimari.io/appName: Prometheus + hajimari.io/icon: simple-icons:prometheus + pathType: Prefix + hosts: + - "prometheus.${SECRET_DOMAIN}" + tls: + - hosts: + - "prometheus.${SECRET_DOMAIN}" + prometheusSpec: + ruleSelectorNilUsesHelmValues: false + serviceMonitorSelectorNilUsesHelmValues: false + podMonitorSelectorNilUsesHelmValues: false + probeSelectorNilUsesHelmValues: false + scrapeConfigSelectorNilUsesHelmValues: false + enableAdminAPI: true + 
walCompression: true + retentionSize: 8GB + storageSpec: + volumeClaimTemplate: + spec: + storageClassName: local-path + resources: + requests: + storage: 10Gi + grafana: + enabled: false + forceDeployDashboards: true + sidecar: + dashboards: + multicluster: + etcd: + enabled: true diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml new file mode 100644 index 00000000..dc39651b --- /dev/null +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmvalues.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml new file mode 100644 index 00000000..0d66c3fc --- /dev/null +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app kube-prometheus-stack + namespace: flux-system +spec: + targetNamespace: monitoring + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/monitoring/kube-prometheus-stack/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m diff --git a/kubernetes/apps/monitoring/kustomization.yaml b/kubernetes/apps/monitoring/kustomization.yaml index 5413fe6a..01f63a0b 100644 --- a/kubernetes/apps/monitoring/kustomization.yaml +++ b/kubernetes/apps/monitoring/kustomization.yaml @@ -3,3 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./namespace.yaml + - ./grafana/ks.yaml + - ./kube-prometheus-stack/ks.yaml 
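Review bot: `enableAdminAPI: true` under `prometheusSpec` switches on Prometheus' TSDB admin endpoints (series deletion, snapshots, tombstone cleanup), and the same values publish Prometheus through an Ingress on `prometheus.${SECRET_DOMAIN}` with no authentication annotations; Prometheus has no authentication of its own, so anyone who can reach the `internal` ingress class can delete or snapshot metrics. Unless something in the cluster actually calls the admin API, drop the line (the chart default is `false`), or place an authenticating layer in front of that ingress if it must stay. The `endpoints: - 192.168.3.10` entries for kubeControllerManager, kubeEtcd and kubeScheduler hard-code a single control-plane address; a comment naming the host it belongs to (for example `# <control-plane node>: single endpoint, update on re-IP`) would help when it changes, in the same spirit as the existing `enabled: false # Disabled due to eBPF`.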
diff --git a/kubernetes/apps/networking/cloudflared/app/secret.sops.yaml b/kubernetes/apps/networking/cloudflared/app/secret.sops.yaml index 14d4875c..7f123ae1 100644 --- a/kubernetes/apps/networking/cloudflared/app/secret.sops.yaml +++ b/kubernetes/apps/networking/cloudflared/app/secret.sops.yaml @@ -3,8 +3,8 @@ kind: Secret metadata: name: cloudflared-secret stringData: - TUNNEL_ID: ENC[AES256_GCM,data:luiqMjpQ84+CT6HYDrtr6Y6CJXy5LDWj4XV2f9idb/zRAcUc,iv:5ldrpt5gqHJyAkcJSZe4EtSFbX383Bjsx1Lo1mSnRZc=,tag:2B3RTX3P/CbiWJtDkW67/A==,type:str] - credentials.json: ENC[AES256_GCM,data:fMZ2Em429rrTtVAWBUo/Dc3RI6bsFeCZtCDGP9CDimpuaYPa2R1VHjLmegV+kHPc7wO3tfgmC4Ei/0OCOe8ino6Hi6zl/7v8Ute/ooN+NJSOopns4R52i3lWjPPVDLE5bOz6q8VK5RrXnOCH4qe97LVosZuoUHIMzhFP9KzsrXIv0+797UvFWbDrNXd8DVRdu2l5bPrs3i5qY8Ny+sow4k7foSdMZwhHPuVv2Vl2VQ==,iv:QT2hsRvW17RfjDB3X4SPlpMScYD8+YaDHOPbxa9ckkE=,tag:w8obTM0Zzs4NN6iEymY7nA==,type:str] + TUNNEL_ID: ENC[AES256_GCM,data:XShd6PmRCxJoS6bvzEobcv47rxqqux+GonLL56CoiTfCA6cQ,iv:sq8eoNw8Z26MBee3I5Wf7tktQx2L99uANpWx1SWDcIA=,tag:0NvH9zqPh3bH2KVYS95NAA==,type:str] + credentials.json: ENC[AES256_GCM,data:kUyj0w6TwdwQEWzIuP7O2J9g/VpfCfCSfhSMmCb4uIMoEhiyXYVqKGMlkMnrJMTGoUFnImpPtL2kxyLEAGxQS1joxbYWcwNalongKrz21dzdILc6JBFcXmAhZFyOexB2kMb+j8s3UAVk/N3HbrSFsAadL0Q2rIpztcOOF5tL+HCzOGo2m4xKQ3d9DeMQ7E0EDpARRtMZbFhYV9LIpM5Da7+pOa1LTIUdDEtTjD0fhA==,iv:oMjjMlOh9sPpSPf42Pp8sd69xmFmXmXVOD8zTwcR3K4=,tag:SeuFgwpBHui06+BQM74haQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -14,14 +14,14 @@ sops: - recipient: age1xet7mguda7d2gt4f6re7nsv4cdr7tmqeh4lvfyhxeg66sjtghv2q9xd44n enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUb0s1aS9NdzV0YUprMlRx - NkMyNk1FK1BFakRiNndoclo0SUhqNTlXa0NJCkZiMkFXbjE2TzlYd01wdTdDdmpo - K1hpWHJhK3RsaSsyN0RCQi8zK2FqSU0KLS0tIGlsVEE3VE5rMUtPKzRKZm5JV01u - OVlwaFlEWm5pdUVxNEFuZWs3TmJhUzAKKacNHo9rzr7R4YB5JGBSh3J1PbKNyiNL - bsclRqvXEWO0vITGMeqYp9jO98WnlXGc+KM7tj5/ZPZIbJxptcNWmw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPcnEvSmVtQlRPMXZJTDR5 + Q2xReUkwL1YyOHlRbjl5VzJmVGtvSnJtTm5JCmNpc2JNeGFwUHErSmo1My9hMkZs + ZzhDZFBqT2hrWDBMMUFXL3pZRHNGYlEKLS0tIFU1L0x2dHBYQmJ3OHJ5TDdHdGVC + VmVYeTJvMlBMZTM1ZjBQaXI4Q2dZQWcK/OxMz/5S+sRpuEY0FrWPVx2/GPbB7gQT + MRGH4t7D7TLN9r5dBYKNAwZslXHqw+yBz2AuTUBMaz0YE2KKqbUm2A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-13T14:41:49Z" - mac: ENC[AES256_GCM,data:B78q8bhdPMwRqApHU5rTW7FKJldPU6CEeE9M6pvUOaE1rpkJNCEEK+jJ2Mfse+uV/wzW/3FYuj016Nq418dylhqDck/+QIxkMtf43dSAZrDGZVmzfG7jTuGfS75mlltji8gam1F1LfZ6697pVQ7IXT9rmn83Jz9CMDxEMk7VJ78=,iv:lVoVMXDYa0QFyU8CZY1wLQ30k1/b9Qa4Nor1YGhD3gY=,tag:13F7JV/PsY3HEU9Y777jSg==,type:str] + lastmodified: "2023-12-13T15:22:18Z" + mac: ENC[AES256_GCM,data:l2xCKNY6IzHJ7iGMpDAxcfUvR0slptewt7/RtDGBfuqSAfyA0v5WDUAQrzKhFmRd6Kuh5R9yqWGdV/odsp+lAM8imPOs8M/6SmT3w1wYKJTvU+eIeMCtGSQA33h9RkvvhNKKi6BAeRb4uePE/g+Kzxz/QKEch8lGSvJsvTS+CeA=,iv:/ftcZe4KkkpGaEXLmcByVam2tOG6BkWh7UKPjco/zG0=,tag:x8XyGnoG1KDj5SVzNUtNcQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.8.1 diff --git a/kubernetes/apps/networking/external-dns/app/secret.sops.yaml b/kubernetes/apps/networking/external-dns/app/secret.sops.yaml index ee5bea48..fc661e3f 100644 --- a/kubernetes/apps/networking/external-dns/app/secret.sops.yaml +++ b/kubernetes/apps/networking/external-dns/app/secret.sops.yaml 
@@ -3,7 +3,7 @@ kind: Secret
 metadata:
 name: external-dns-secret
 stringData:
- api-token: ENC[AES256_GCM,data:vEh5FN0vTuHrwUQQuKBNacF0Sv5kE8cM6saAIrRWSAelFj11Fep7vQ==,iv:sd2qZ8sgx+9Bq4knRmbiu3ZhjfowAKnKAnHsMbfG218=,tag:0aB9cUKB5k6wa84y1OEQGg==,type:str]
+ api-token: ENC[AES256_GCM,data:J0aX9eMO8FS7JklggjlAH3PECj7lw7gXRUrQYCPOTl/ss8fVn8cUbg==,iv:rtg+jZWEOK/nUN99faMEzRzXfKz+5/Vo/XqXYaKOigQ=,tag:YUHWWeIGdCI+2hZU+5aKWg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -13,14 +13,14 @@ sops:
 - recipient: age1xet7mguda7d2gt4f6re7nsv4cdr7tmqeh4lvfyhxeg66sjtghv2q9xd44n
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3K09PNURVSjVScXlGQ1Vr
- MkkwWW9URUhQL1gxcXptTmthVW1OZVorWm5JCkc4T050OG9DOGR4VFZUVzlmNTEx
- ZERrNHZkQWttS1phTWlzc1A3V2orSTgKLS0tIEFBV2kwTDl1MHhyRlNPNFVnR3dP
- VVhpOUxteHlBUnVKQWp1RGt2cGJQdlkKiCB3A9J3wYoKLsmtFm+7a6AvBnO6EqmE
- EdVGLer5wSb1ryfPteRzN9z22wtVICY0KAo3vd66Ynfmo+mlaUD3IA==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZdXpDTXFBRk1tRlE2N0gz
+ S08yWnA2NDR4MTVVbm1Bc2ZJeTFKaUtUdEFjCkZRdU93M0Z3aU1MeTlHM2R2KzJt
+ MjlVeVVhYUN3a041VUFqa0JsUnZ5TncKLS0tICs5R3VPTlVHZHYyY3FzWTVkQUph
+ cjAzRHdTOXZvYTBhQmhzQldWWWpmb1EK+iM1XuywJGaK2gczAAI/by9mXEVBH54r
+ d095Apt0dT4sd3GoSTceMEakAWTLCEKO0+SxcCucrer0LAQFaCSsJQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-12-13T14:41:49Z"
- mac: ENC[AES256_GCM,data:LS+DbeMDT8xQlTaI7QotbK6rB8z8fMJYJpmqU49aBCaD7Z9oxQCCs7YSxuvAE9TUOwSnPJrF1Xi7rv0YIUP7hX6UeYrEKGi44pFQuXMeoaBZKpBlAT5I/Z5pIf1yHlfL4+a4oM2Y5WsnlKWKWzxB5Pt+I71XEFMvwwG2J+Uj+/g=,iv:l1jKMJJNBHqJ0tq8riUZYES/+SEW/Ck1GCqPiFpO/As=,tag:S1basmAaiopCMhUmtMTpCw==,type:str]
+ lastmodified: "2023-12-13T15:22:18Z"
+ mac: ENC[AES256_GCM,data:7+71N9vHPGaq6xnnSNg1/F+mJXAFu0/93NNkiHq3M1cp1d7qnIWxT0tVgaMPSOX4SGV0XhiGMMPA9kN11ZrLMVi8XkimQXJO7ugMPTvtqWMTzGBnS9CFqeiL5xO4/In/qRNv9br3QUZsaaYNWjf1QrWW6kbBckSSr3WTEBGrwvU=,iv:r7QTqinSApVjdcrXwr0h85g7Kr4vKO1fEYSNH6SkQ9o=,tag:qs7fXFrnKruFrZHa9tNDKg==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.8.1
diff --git a/kubernetes/apps/networking/nginx/certificates/kustomization.yaml b/kubernetes/apps/networking/nginx/certificates/kustomization.yaml
index e7892580..f58e4a76 100644
--- a/kubernetes/apps/networking/nginx/certificates/kustomization.yaml
+++ b/kubernetes/apps/networking/nginx/certificates/kustomization.yaml
@@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./staging.yaml
+ - ./production.yaml
diff --git a/kubernetes/apps/networking/nginx/external/helmrelease.yaml b/kubernetes/apps/networking/nginx/external/helmrelease.yaml
index c877b202..9efe0c55 100644
--- a/kubernetes/apps/networking/nginx/external/helmrelease.yaml
+++ b/kubernetes/apps/networking/nginx/external/helmrelease.yaml
@@ -73,7 +73,7 @@ spec:
 namespaceSelector:
 any: true
 extraArgs:
- default-ssl-certificate: "networking/${SECRET_DOMAIN/./-}-staging-tls"
+ default-ssl-certificate: "networking/${SECRET_DOMAIN/./-}-production-tls"
 topologySpreadConstraints:
 - maxSkew: 1
 topologyKey: kubernetes.io/hostname
diff --git a/kubernetes/apps/networking/nginx/internal/helmrelease.yaml b/kubernetes/apps/networking/nginx/internal/helmrelease.yaml
index 79bede81..a26a0eea 100644
--- a/kubernetes/apps/networking/nginx/internal/helmrelease.yaml
+++ b/kubernetes/apps/networking/nginx/internal/helmrelease.yaml
@@ -70,7 +70,7 @@ spec:
 namespaceSelector:
 any: true
 extraArgs:
- default-ssl-certificate: "networking/${SECRET_DOMAIN/./-}-staging-tls"
+ default-ssl-certificate: "networking/${SECRET_DOMAIN/./-}-production-tls"
 topologySpreadConstraints:
 - maxSkew: 1
 topologyKey: kubernetes.io/hostname
diff --git a/kubernetes/flux/vars/cluster-secrets-user.sops.yaml b/kubernetes/flux/vars/cluster-secrets-user.sops.yaml
index 626f1b65..2b78a7b3 100644
--- a/kubernetes/flux/vars/cluster-secrets-user.sops.yaml
+++ b/kubernetes/flux/vars/cluster-secrets-user.sops.yaml
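Review bot: `./production.yaml` is added to the certificates resource list, but no file by that name appears in this commit's diffstat as created or modified, so it must already exist on the branch for this Kustomization to build. Worth confirming before this lands: a missing resource fails the kustomize build, which presumably blocks the reconcile of whatever Flux Kustomization includes this directory rather than just this one certificate. That the new resource is the Certificate behind `${SECRET_DOMAIN/./-}-production-tls` is inferred from the helmrelease hunks below, not visible here.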
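Review bot: The `default-ssl-certificate` is switched to `networking/${SECRET_DOMAIN/./-}-production-tls` on the internal controller in the same commit as the external one, with nothing gating the switch on the production Certificate actually being Ready. ingress-nginx tolerates a missing default-certificate Secret by serving its self-signed fake certificate instead of failing, so if production issuance has not completed (or the ACME production issuer starts rate-limiting retries), every host without its own TLS secret quietly falls back to that fake cert and the failed issuance is easy to miss. Staging the cutover — confirm `kubectl -n networking get certificate` shows the production one Ready, switch the external controller first, keep `./staging.yaml` in the resource list so a rollback is a one-line revert — would make this safer. The enclosing `values` block runs past both edges of the hunk.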
@@ -4,7 +4,7 @@ metadata:
 name: cluster-secrets-user
 namespace: flux-system
 stringData:
- SECRET_PLACEHOLDER: ENC[AES256_GCM,data:04DBIiHofCO4cWZN,iv:FgxgxXCzyEAUlyQfHjSZC8UNXqBNTYDYTBWOGQdygDY=,tag:CYNlgREhhpclan0MUtqC1w==,type:str]
+ SECRET_PLACEHOLDER: ENC[AES256_GCM,data:nqA90+3G7viY91rQ,iv:zuTaO0ofJf+N4rcEonfwx9ref3gvUVW3Al9PaP1RApA=,tag:lIihpAYw68M/Tybmr6dCAA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -14,14 +14,14 @@ sops:
 - recipient: age1xet7mguda7d2gt4f6re7nsv4cdr7tmqeh4lvfyhxeg66sjtghv2q9xd44n
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQThHaG04aDl5aE9lK2dT
- TSt4dDYrSEZMYlZuOHBlYUFSSzIxaFlna20wClFnbTBkQ21zYlltelFtOXlBeWNP
- VEVIZ2xZN2ZqekpiUHA3K2dyVzg2YzAKLS0tIDlLUTFFeWxHOUpFcFI4U0drbkNi
- dWxCZDhhWlBBOVhiUmQ3d2Q3NUNUL0EKKBhvsRqCV/aYoqBizUWo1rY5Jrwhnggt
- NoK2JYzBHN9ey90sKqQriDX7VeTARJGNgkcwZNz119PINol6zIdLcA==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5YU5jN09sdmh2WldQSzlC
+ L1MzcitVelMyWXRyZ1dPTjVPcUtJWTFmRUZRCkNJUDk3L1Q5WGJNdkhVbUtXMVNP
+ K1RrdHZRZjljdEhCV2FtYVRTQWFxejQKLS0tIERNTzVFRzhOQXFKY3BuVEhnVm5L
+ WEFMS0VRdnF3QnVJd3RJRFYwUERiR1kKVUlMppHyUfee4myWRpN0RgtWEtPzI+8w
+ 0CcH46NrPEY1R97LvCMKW2jKs2Q5YFcdanL0ES5nbRVY59GVMdkuHQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-12-13T14:41:49Z"
- mac: ENC[AES256_GCM,data:DhtiaIgp1MlaKx+fxExZWx6Trv2y1fsOcAIpG0X2vCiaWgXazlwZlOTPcPviFD0EU5Mv0z19jN3XoUN0n5kvT0DemNW5tyM/aIgIpwRg9JX+dIQZtYg/MAHxZleCmyW7x42kBwiWs23nAYgD2bodeflb30IJ77rK5ULfOX5okyk=,iv:SJKMZGRKLqTlvPAGx6S8eKnn0He3ljrzZF0ic8rOPik=,tag:4c6P4lyxzUjUUJYQVRMI9A==,type:str]
+ lastmodified: "2023-12-13T15:22:19Z"
+ mac: ENC[AES256_GCM,data:AiryNQ6ZoAMusnFatL1RPZMxsU/Kq/j9JmT1dYEfmUxFZl5ZDVv+Y0XWLU/e98qOjbtSsBjKaJ49XYiECSPaJBOBy5cu1a94OM7x2xGbFIqFp6XDAWvQTU/vQPZVrlIDqr1fukfUsVHZkugikgz1Gb7VXMDQBni4RMZPJ+Qrfnc=,iv:iFXFfVz1ERo2OVEmePoHiICXx0QCmb6nYSlsHzlzO3E=,tag:jdCCOlIIe3g+cieq8qr+bQ==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.8.1
diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml
index 67ec3345..7cb30296 100644
--- a/kubernetes/flux/vars/cluster-secrets.sops.yaml
+++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml
@@ -4,9 +4,9 @@ metadata:
 name: cluster-secrets
 namespace: flux-system
 stringData:
- SECRET_ACME_EMAIL: ENC[AES256_GCM,data:Zg6rzUH7xzIU9dd+NkU+tWraCTDPlA==,iv:42u683vLeqgsY3Clj9/TDMHTnXMaTDVvyGJF5h4ih+U=,tag:grVrKr1xF6GcUCoA05vTdQ==,type:str]
- SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:Nwjora2jy3CT1exwT2bFdoHkqoAnfI8m9aruOx5oFMYfbXQt,iv:VfzFzHgzqpL62pTVQhlFDgDQ2+MyEQ1aSouD3AmXo8E=,tag:BKGZerOAodv+b7erSsCOoQ==,type:str]
- SECRET_DOMAIN: ENC[AES256_GCM,data:WEfdZYiegKcPyPk4D0lPlkVX,iv:ZuI/hEPiTpYMbI7/ZsZwBIMrUIYVCDOBx9Y7AhFUBZc=,tag:9igak49rvDGDLeUmdrpPCg==,type:str]
+ SECRET_ACME_EMAIL: ENC[AES256_GCM,data:Rs9Pbb8iy72ohxSREeDoTZ5/Zv++Rg==,iv:H4G4tx3CTCP2UGq7BQp5Hse+jVTCUhCYY5V6nZ/FfMU=,tag:Z/z0cDuk8+AsUbdPDHvN7A==,type:str]
+ SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:37BYmeQlzR1u61yoOxRNOBr0EUXu2Quv5DqC5aKi/uckOXHS,iv:UyRyqRBcY+60f0PmirNC+OUBBdXm79eMsr4eNJKityY=,tag:FzOM/Z49Sqhjk0iLciT1wg==,type:str]
+ SECRET_DOMAIN: ENC[AES256_GCM,data:MLXyTHOMS63qMMfCb408XpJy,iv:fvdgOvteOBBcd5KGBflbMXQ/cY+vXBVG+1CSKCTt0KY=,tag:9HP/EABV8Yd0ieJs7zxkxw==,type:str]
 sops:
 kms: []
 gcp_kms: []
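Review bot: `SECRET_CLOUDFLARE_TUNNEL_ID` here and `TUNNEL_ID` in `cloudflared-secret` earlier in this diff look like the same value kept in two sops files — both `data:` fields are 48 base64 characters, i.e. 36 bytes, the length of a UUID (inferred from length and key names, not from plaintext) — so a future tunnel change has to be made in both places or the cloudflared deployment and whatever consumes the Flux variable drift apart. Consider keeping a single source, e.g. dropping the copy in `cloudflared-secret` and letting its consumer take the id through Flux `postBuild` substitution of `${SECRET_CLOUDFLARE_TUNNEL_ID}`, so there is one value to rotate. Separately, as in every other `.sops.yaml` in this commit, only the ciphertexts and `lastmodified` move while the age recipient is unchanged, which is consistent with a data-key rotation rather than new plaintext; a sentence in the commit message saying which it is would help anyone auditing what actually changed.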
@@ -16,14 +16,14 @@ sops:
 - recipient: age1xet7mguda7d2gt4f6re7nsv4cdr7tmqeh4lvfyhxeg66sjtghv2q9xd44n
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwSGJkSGZUUUp4VUhEZHFa
- K3g0cmk1VVNxcHNzbjByejhTekFDOVc1K2tJCm9zaENQSXFVWjZuQ0RBbmN3MWZR
- cFVoYVl3elpIaEx3K2RtN1I0ZHkzN3MKLS0tIHc3NUFEWU4zV1J0ZlpGVXhxamJZ
- WGlyUVIxNncwZGxLclppT2pQaHJLM0kKIuh0XbHQmZc4acJtYuuLdZ4wPXBddRqN
- IaBYSGPNPZXHlDbYdZwM69i7e8XJKOHFG590YT11al7pT+UChNzjcw==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWSjQxbHlxMytTUmc3R3F3
+ MVdhV1dvYzJpN3pTcklKRWxIQUNIckdTcW5FCnY0UStvdjBEellHc3JGU0VicFY5
+ Y2RrQkptQkJxVTJKMldCeWVYRUduVmMKLS0tIGNNSlFGWVRUcGh0djZEaDJZeHJ6
+ WWlwQS9QcXoyV2diU0Y1d3RGU2JQSmcKEonYozksgs0M0SrJz8b2Mv4PFsdCWe/W
+ yJ+aybqlzedfo4cSJAJ7E7w5vQS0f4aYIB5cpgOFliPvWcFXgd5SRg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-12-13T14:41:50Z"
- mac: ENC[AES256_GCM,data:4P5kWVRW88mWBsrbx9GpDNMnNwSVE+4gADvONP+XgKA3Gv1YHqnnHsmY+S4NiESUdMaX3zqW4vtAtDDwEoXDKrK4xoxhY5bATebxOkqeDJLQCwwmG3lO5Q9Wggj039eqltZW3Gcfj5hb2RMxkSOhEFLu2DVLMr/3SMnHvRDSLbM=,iv:d13hDXhKc45DeAoNPqI2F/ksoAfug/o642N4l49SFrQ=,tag:qNwjmPJQNvjEDq3AhS38Ig==,type:str]
+ lastmodified: "2023-12-13T15:22:19Z"
+ mac: ENC[AES256_GCM,data:A3qvBRrWFcoDXk+QZBLvVH01mIakdj1N/xL4aex2cJipXtyaaeTNTovsB7WNmpAzJrBgWJnY1yEtlOs8fj+w7jAosrBuSM6Qb4SCGdSn7h99aOMxtYWqHjFZyMQ+75mJHiNB3lzKbnIlk1TaBWCBNYNwfU/7Tp/ndk36a8fJ2rY=,iv:tLztXMygisy/wEbAZKIWjoakAj+BsufCXLnSzt9mtgw=,tag:jost4p80tgpnsxptcQL21g==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.8.1