feat: external-dns & cert-manager

2024-02-14 21:45:58 +01:00 · 2024-02-14 21:45:58 +01:00 · 21258a04b2
commit 21258a04b2
parent b21eeffd70
31 changed files with 5068 additions and 14 deletions
--- a/cert-manager/.gitignore
+++ b/cert-manager/.gitignore
@ -0,0 +1 @@
 charts/
--- a/cert-manager/config/acme-cloudflare-dns.yaml
+++ b/cert-manager/config/acme-cloudflare-dns.yaml
@ -0,0 +1,36 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: acme-dns-cloudflare
 type: Opaque
 stringData:
    api-token: ENC[AES256_GCM,data:9PerD+nitxWGlaVCrvwrzSq4n6OXOWdoxwuvmgNCo5dwKby5MmWzgA==,iv:+IKQIFlB0wmfAXAeqVS21zXTdQgQW1382UdsV//QNc0=,tag:ET99pjX/39bZhmHRCnAzFw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByK25WeGYzZVdFOUluczNa
            YXdnZklod2RxZUo5UkJvcUJNVWIvQ0pSbUhZCnpJQVF0MEUwWG51RHUvOVFFMkg3
            QmI3T2VDQ0k5L1p6dSt4b1dlczA1TmsKLS0tIC9OMlIyQjNHQU90TjdlSm9CWkIv
            ODQ3b05TMENqZnU1NC8xUkx2YU5vRjAKAaRgVOWFkA8qmTPAwb5zsQqpZce+QOan
            RaJAf/52GB83bk8iajcJMjpPsQLNc8Bc1BUeXZeJ8Q1eDpj/Ez4pLg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbjNobXZVOEM0b09CQ1p5
            c2RpUDNWTTVIVXh0aVRBTzNyOUxuVUNwUFVFCjQ0K0pvdlhlWTNqV2Vxa0Jjclc2
            cDI3Z3JlV3hxaXptYlZrN1RROHBwM2cKLS0tIEJCZjRuSjVMcTlIUmhiSWk5NmRz
            LzVyWGZ0em5RKytCWndjbjh6eWhNc1kK+2g/VLNIs2B62l5kZmkj561Fq0hpnvf0
            L5p+Dyxlh8VjFVKXct6PzJ2Bg+mx+/MDFSZ2PXw9QUI+eNdznCutZg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-02-13T20:21:29Z"
    mac: ENC[AES256_GCM,data:phMqQQ+gs0q2AZrnwzM7qybxcdaErWk5Q3bjXE1chekJQ5IsHoaDj7orzG0CAb1GD+Qa+/3QV9n2ggsT9w3zZGSjiMTttes3L3CVfJjOXC6WpzjxHnIM7xFA2uZsziIOXbU6nqZ8OtFfFfjbio8lt0OZj7W6HIdAnom6zIwUAbI=,iv:ueToOo0V+IBScXDTJnHPVKvx9O3/NHeTBDs344FseQ0=,tag:JNc9tr1LZx6LRRpcqNwJOA==,type:str]
    pgp: []
    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
    version: 3.8.1
--- a/cert-manager/config/values.cert-manager.yaml
+++ b/cert-manager/config/values.cert-manager.yaml
--- a/cert-manager/crds/cert-manager.crds.yaml
+++ b/cert-manager/crds/cert-manager.crds.yaml
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@ -0,0 +1,22 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kube-system
 resources:
  - crds/cert-manager.crds.yaml
  - resources/letsencrypt-staging.yaml
  - resources/letsencrypt-production.yaml
 helmCharts:
  - name: cert-manager
    repo: https://charts.jetstack.io
    version: "1.14.2"
    releaseName: cert-manager
    namespace: kube-system
    valuesFile: config/values.cert-manager.yaml
    apiVersions:
      - "cert-manager.io/v1"
 generators:
  - ./secret-generator.yaml
--- a/cert-manager/resources/letsencrypt-production.yaml
+++ b/cert-manager/resources/letsencrypt-production.yaml
@ -0,0 +1,14 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-production
 spec:
  acme:
    email: peter.kurfer@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik
--- a/cert-manager/resources/letsencrypt-staging.yaml
+++ b/cert-manager/resources/letsencrypt-staging.yaml
@ -0,0 +1,14 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-staging
 spec:
  acme:
    email: peter.kurfer@gmail.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik
--- a/cert-manager/secret-generator.yaml
+++ b/cert-manager/secret-generator.yaml
@ -0,0 +1,10 @@
 apiVersion: viaduct.ai/v1
 kind: ksops
 metadata:
  name: cert-manager-secret-generator
  annotations:
    config.kubernetes.io/function: |
        exec:
          path: ksops
 files:
  - ./config/acme-cloudflare-dns.yaml
--- a/coder/config/values.coder.yml
+++ b/coder/config/values.coder.yml
@ -10,6 +10,11 @@ coder:
      gethomepage.dev/group: Apps
      gethomepage.dev/icon: coder.png
      gethomepage.dev/name: Coder
      cert-manager.io/cluster-issuer: letsencrypt-production
    tls:
      enable: true
      secretName: coder-ingress-tls
      wildcardSecretName: coder-wildcard-ingress-tls
  env:
    - name: CODER_WILDCARD_ACCESS_URL
      value: '*.ide.icb4dc0.de'
--- a/coder/kustomization.yaml
+++ b/coder/kustomization.yaml
@ -11,7 +11,7 @@ helmCharts:
    repo: https://helm.coder.com/v2
    releaseName: coder
    namespace: coder
-    version: "2.7.1"
+    version: "2.8.2"
    valuesFile: config/values.coder.yml
    skipTests: true
--- a/external-dns/config/external-dns-secrets.enc.yaml
+++ b/external-dns/config/external-dns-secrets.enc.yaml
@ -0,0 +1,36 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: external-dns-secrets
 type: Opaque
 stringData:
    CF_API_TOKEN: ENC[AES256_GCM,data:zN3eidkDiRiSRx5neWjBh6H//IcDEi00Up3kKpghzUHAHHin+np3cQ==,iv:yWWzvUJyi6Go3lhtPzvlvzFJKQ9+DU4BbjxO2R43It0=,tag:hXS+HtGKmPFsGsqgQg444w==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQYjg0Rnd1L0tXeThlZVNu
            OE1qY0VWVXE2R1VzUnU5UGhFR1hpZEdaTEVNCkN5TEtBQkMrcnJINUcwcC9ZbmpQ
            ZXVCSVUxNzdyN0lSZlI2QVpzUXUzbFkKLS0tIGVja1kxWGpnS2NuTnhobmMwazBl
            d1V2K3NTMkVNSjlORkdqWnlucDVpcEEKpWV8NyV+CCuzNpEO+68fPQN7y6udc7VS
            qw59UYYFlZSo6tV9U3okupDFoNQibMKYqo67yNOuhQNot/ka72PAjw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtL2tKRXdzZ3ExdFRSdDJi
            TUMvOVNORzdkVkk5TW9ISkpkZy9nbC84M1VRCkJyMzV1bzBCbnBoT2dLQzJXcGJS
            cVdHaElpd3A3ZnBNRDYrS1JKK3ZaaGcKLS0tIG9nWXRpTjNLc3hIYWovSHNDWGFX
            K1pycWpFQ0t1ZDlJQnh1YVJ5WFVRNDgKy8P9W8EBGrsd36lcMpaAsAAp93RLnOHQ
            BroVhhdcfxhS/9H9crSZAw6nSROLjySvgJc46jj255FwE2j0biLQCw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-02-13T18:56:54Z"
    mac: ENC[AES256_GCM,data:feslQ6tRE3ngW9WBsdQGtVCBKw7TCPdrsfbjEkRCoEybgs6eyVh6c9tjq1JmocKQ7a5KHzIvr9dM2x4Kia/6hpocaztWVP3RO+Rw5CWqOmsl6WyWjzFFuktKU8vEqwOLIvgs4v6V+4fnhBUEHtLsSxbCCG9hbsibYguWiPnnFaE=,iv:JOvnroj06nBENOwhqdnF0AQ8qP4lxdhnx+QGg1Q0qNY=,tag:Pmj7zfwHUoOf9MUYp8RPyw==,type:str]
    pgp: []
    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
    version: 3.8.1
--- a/external-dns/kustomization.yaml
+++ b/external-dns/kustomization.yaml
@ -0,0 +1,24 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kube-system
 labels:
 - includeSelectors: true
  pairs:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/part-of: external-dns
 images:
  - name: external-dns
    newName: registry.k8s.io/external-dns/external-dns
    newTag: v0.14.0
 resources:
  - resources/rbac/service_account.yaml
  - resources/rbac/cluster_role.yaml
  - resources/rbac/cluster_role_binding.yaml
  - resources/deployment.yaml
 generators:
  - ./secret-generator.yaml
--- a/external-dns/resources/deployment.yaml
+++ b/external-dns/resources/deployment.yaml
@ -0,0 +1,39 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: external-dns
 spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
        - name: external-dns
          image: external-dns
          args:
            - --source=ingress
            - --domain-filter=icb4dc0.de
            - --zone-id-filter=ee5cd581559fcf20384856ed5b1b2f0b
            - --provider=cloudflare
            - --cloudflare-dns-records-per-page=5000
            - --exclude-target-net=172.23.2.0/24
          env:
            - name: CF_API_TOKEN
              valueFrom:
                secretKeyRef:
                  name: external-dns-secrets
                  key: CF_API_TOKEN
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 100m
              memory: 128Mi
--- a/external-dns/resources/rbac/cluster_role.yaml
+++ b/external-dns/resources/rbac/cluster_role.yaml
@ -0,0 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: external-dns
 rules:
 - apiGroups: [""]
  resources: ["services","endpoints","pods"]
  verbs: ["get","watch","list"]
 - apiGroups: ["extensions","networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get","watch","list"]
 - apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list", "watch"]
--- a/external-dns/resources/rbac/cluster_role_binding.yaml
+++ b/external-dns/resources/rbac/cluster_role_binding.yaml
@ -0,0 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: external-dns-viewer
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
 subjects:
 - kind: ServiceAccount
  name: external-dns
  namespace: default
--- a/external-dns/resources/rbac/service_account.yaml
+++ b/external-dns/resources/rbac/service_account.yaml
@ -0,0 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: external-dns
--- a/external-dns/secret-generator.yaml
+++ b/external-dns/secret-generator.yaml
@ -0,0 +1,10 @@
 apiVersion: viaduct.ai/v1
 kind: ksops
 metadata:
  name: external-dns-secret-generator
  annotations:
    config.kubernetes.io/function: |
        exec:
          path: ksops
 files:
  - ./config/external-dns-secrets.enc.yaml
--- a/forgejo/config/values.forgejo.yaml
+++ b/forgejo/config/values.forgejo.yaml
@ -6,6 +6,9 @@ service:
    type: NodePort
    nodePort: 32022
 strategy:
  type: Recreate
 ingress:
  enabled: true
  annotations:
@ -14,11 +17,16 @@ ingress:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: forgejo.png
    gethomepage.dev/name: Forgejo
    cert-manager.io/cluster-issuer: letsencrypt-production
  hosts:
    - host: code.icb4dc0.de
      paths:
        - path: /
          pathType: Prefix
  tls:
    - hosts:
        - code.icb4dc0.de
      secretName: forgejo-ingress-tls
 resources:
  limits:
--- a/forgejo/kustomization.yaml
+++ b/forgejo/kustomization.yaml
@ -35,7 +35,7 @@ helmCharts:
    repo: oci://codeberg.org/forgejo-contrib
    releaseName: forgejo
    namespace: forgejo
-    version: "1.1.1"
+    version: "3.0.1"
    valuesFile: config/values.forgejo.yaml
    skipTests: true
    apiVersions:
--- a/hedgedoc/resources/ingress.yaml
+++ b/hedgedoc/resources/ingress.yaml
@ -9,6 +9,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: https://md.icb4dc0.de/icons/android-chrome-192x192.png
    gethomepage.dev/name: HedgeDoc
    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
    - host: md.icb4dc0.de
@ -20,4 +21,8 @@ spec:
              service:
                name: hedgedoc
                port:
-                  number: 3000
+                  number: 3000
  tls:
    - hosts:
        - md.icb4dc0.de
      secretName: hedgedoc-ingress-tls
--- a/homepage/kustomization.yaml
+++ b/homepage/kustomization.yaml
@ -6,10 +6,10 @@ namespace: homepage
 images:
 - name: homepage
  newName: ghcr.io/gethomepage/homepage
-  newTag: "v0.8.6"
+  newTag: "v0.8.8"
 - name: oauth2-proxy
  newName: quay.io/oauth2-proxy/oauth2-proxy
-  newTag: v7.5.1
+  newTag: v7.6.0
 labels:
 - includeSelectors: true
--- a/homepage/resources/ingress.yaml
+++ b/homepage/resources/ingress.yaml
@ -11,6 +11,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: homepage.png
    gethomepage.dev/name: Homepage
    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
    - host: "home.icb4dc0.de"
@ -22,4 +23,8 @@ spec:
              service:
                name: homepage
                port:
-                  number: 3000
+                  number: 3000
  tls:
    - hosts:
        - "home.icb4dc0.de"
      secretName: homepage-ingress-tls  
--- a/linkwarden/resources/ingress.yaml
+++ b/linkwarden/resources/ingress.yaml
@ -9,6 +9,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: linkwarden.png
    gethomepage.dev/name: Linkwarden
    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
    - host: links.icb4dc0.de
@ -20,4 +21,8 @@ spec:
              service:
                name: linkwarden
                port:
-                  number: 3000
+                  number: 3000
  tls:
    - hosts:
        - links.icb4dc0.de
      secretName: linkwarden-ingress-tls
--- a/nocodb/resources/ingress.yaml
+++ b/nocodb/resources/ingress.yaml
@ -9,6 +9,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: nocodb.png
    gethomepage.dev/name: NocoDB
    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
    - host: noco.icb4dc0.de
@ -20,4 +21,8 @@ spec:
              service:
                name: nocodb
                port:
-                  number: 8080
+                  number: 8080
  tls:
    - hosts:
        - noco.icb4dc0.de
      secretName: nocodb-ingress-tls
--- a/postgres-operator/resources/db/default-cluster.yaml
+++ b/postgres-operator/resources/db/default-cluster.yaml
@ -5,7 +5,6 @@ metadata:
  name: default-cluster
  namespace: postgres
 spec:
  image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.5-0
  postgresVersion: 15
  users:
    - name: postgres
@ -68,15 +67,24 @@ spec:
  backups:
    pgbackrest:
-      image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.47-2
+      manual:
        repoName: repo1
        options:
          - --type=full
      configuration:
      - secret:
          name: pgo-s3-creds
      global:
        repo1-retention-full: "14"
        repo1-retention-full-type: time
        repo1-retention-diff: "6"
        repo1-path: /pgbackrest/default-cluster/repo1
        repo1-s3-uri-style: path
      repos:
      - name: repo1
        schedules:
          full: "0 1 * * 0"
          differential: "0 1 * * 1-6"
        s3:
          bucket: backup
          endpoint: 2df513adaee2eeae12106af900bed297.r2.cloudflarestorage.com
--- a/postgres-operator/resources/rbac/role_binding.yaml
+++ b/postgres-operator/resources/rbac/role_binding.yaml
@ -11,4 +11,5 @@ roleRef:
  name: postgres-operator
 subjects:
 - kind: ServiceAccount
-  name: pgo
+  name: pgo
  namespace: postgres-system
--- a/traefik/values.yaml
+++ b/traefik/values.yaml
@ -0,0 +1,51 @@
 experimental:
  kubernetesGateway:
    enabled: true
 global:
  systemDefaultRegistry: ""
 image:
  repository: rancher/mirrored-library-traefik
  tag: 2.10.5
 metrics:
  prometheus:
    service:
      enabled: true
    serviceMonitor:
      additionalLabels:
        prometheus: default
      interval: 30s
      scrapeTimeout: 5s
 podAnnotations:
  prometheus.io/port: "8082"
  prometheus.io/scrape: "true"
 ports:
  traefik:
    expose: false
    port: 9000
  web:
    forwardedHeaders:
      insecure: true
  websecure:
    expose: true
 priorityClassName: system-cluster-critical
 providers:
  kubernetesIngress:
    publishedService:
      enabled: true
    allowExternalNameServices: true
  kubernetesCRD:
    enabled: true
    allowExternalNameServices: true
 service:
  type: LoadBalancer
  annotations:
    load-balancer.hetzner.cloud/location: "hel1"
 tolerations:
 - key: CriticalAddonsOnly
  operator: Exists
 - effect: NoSchedule
  key: node-role.kubernetes.io/control-plane
  operator: Exists
 - effect: NoSchedule
  key: node-role.kubernetes.io/master
  operator: Exists
--- a/vaultwarden/kustomization.yaml
+++ b/vaultwarden/kustomization.yaml
@ -12,7 +12,7 @@ labels:
 images:
  - name: vaultwarden
    newName: ghcr.io/dani-garcia/vaultwarden
-    newTag: "1.30.1-alpine"
+    newTag: "1.30.3-alpine"
 resources:
  - "resources/namespace.yaml"
--- a/vaultwarden/resources/ingress.yaml
+++ b/vaultwarden/resources/ingress.yaml
@ -9,6 +9,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: vaultwarden.png
    gethomepage.dev/name: Vaultwarden
    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
  - host: pw.icb4dc0.de
@ -21,3 +22,7 @@ spec:
            name: vaultwarden
            port: 
              number: 8080
  tls:
    - hosts:
        - pw.icb4dc0.de
      secretName: vaultwarden-ingress-tls
--- a/vikunja/resources/ingress.yaml
+++ b/vikunja/resources/ingress.yaml
@ -9,6 +9,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: vikunja.png
    gethomepage.dev/name: Vikunja
    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
    - host: todo.icb4dc0.de
@ -27,4 +28,8 @@ spec:
              service:
                name: vikunja-api
                port:
-                  number: 3456
+                  number: 3456
  tls:
    - hosts:
        - todo.icb4dc0.de
      secretName: vikunja-ingress-tls
--- a/zipline/resources/ingress.yaml
+++ b/zipline/resources/ingress.yaml
@ -9,6 +9,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: zipline.png
    gethomepage.dev/name: Zipline
    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
    - host: share.icb4dc0.de
@ -20,4 +21,8 @@ spec:
              service:
                name: zipline
                port:
-                  number: 3000
+                  number: 3000
  tls:
    - hosts:
        - share.icb4dc0.de
      secretName: zipline-ingress-tls