feat: external-dns & cert-manager

2024-02-14 21:45:58 +01:00 · 2024-02-14 21:45:58 +01:00 · 21258a04b2
commit 21258a04b2
parent b21eeffd70
31 changed files with 5068 additions and 14 deletions
--- a/cert-manager/.gitignore
+++ b/cert-manager/.gitignore
@ -0,0 +1 @@
+charts/
--- a/cert-manager/config/acme-cloudflare-dns.yaml
+++ b/cert-manager/config/acme-cloudflare-dns.yaml
@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: acme-dns-cloudflare
+type: Opaque
+stringData:
+    api-token: ENC[AES256_GCM,data:9PerD+nitxWGlaVCrvwrzSq4n6OXOWdoxwuvmgNCo5dwKby5MmWzgA==,iv:+IKQIFlB0wmfAXAeqVS21zXTdQgQW1382UdsV//QNc0=,tag:ET99pjX/39bZhmHRCnAzFw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByK25WeGYzZVdFOUluczNa
+            YXdnZklod2RxZUo5UkJvcUJNVWIvQ0pSbUhZCnpJQVF0MEUwWG51RHUvOVFFMkg3
+            QmI3T2VDQ0k5L1p6dSt4b1dlczA1TmsKLS0tIC9OMlIyQjNHQU90TjdlSm9CWkIv
+            ODQ3b05TMENqZnU1NC8xUkx2YU5vRjAKAaRgVOWFkA8qmTPAwb5zsQqpZce+QOan
+            RaJAf/52GB83bk8iajcJMjpPsQLNc8Bc1BUeXZeJ8Q1eDpj/Ez4pLg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbjNobXZVOEM0b09CQ1p5
+            c2RpUDNWTTVIVXh0aVRBTzNyOUxuVUNwUFVFCjQ0K0pvdlhlWTNqV2Vxa0Jjclc2
+            cDI3Z3JlV3hxaXptYlZrN1RROHBwM2cKLS0tIEJCZjRuSjVMcTlIUmhiSWk5NmRz
+            LzVyWGZ0em5RKytCWndjbjh6eWhNc1kK+2g/VLNIs2B62l5kZmkj561Fq0hpnvf0
+            L5p+Dyxlh8VjFVKXct6PzJ2Bg+mx+/MDFSZ2PXw9QUI+eNdznCutZg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-13T20:21:29Z"
+    mac: ENC[AES256_GCM,data:phMqQQ+gs0q2AZrnwzM7qybxcdaErWk5Q3bjXE1chekJQ5IsHoaDj7orzG0CAb1GD+Qa+/3QV9n2ggsT9w3zZGSjiMTttes3L3CVfJjOXC6WpzjxHnIM7xFA2uZsziIOXbU6nqZ8OtFfFfjbio8lt0OZj7W6HIdAnom6zIwUAbI=,iv:ueToOo0V+IBScXDTJnHPVKvx9O3/NHeTBDs344FseQ0=,tag:JNc9tr1LZx6LRRpcqNwJOA==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1
--- a/cert-manager/config/values.cert-manager.yaml
+++ b/cert-manager/config/values.cert-manager.yaml
--- a/cert-manager/crds/cert-manager.crds.yaml
+++ b/cert-manager/crds/cert-manager.crds.yaml
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kube-system
+
+resources:
+  - crds/cert-manager.crds.yaml
+  - resources/letsencrypt-staging.yaml
+  - resources/letsencrypt-production.yaml
+
+helmCharts:
+  - name: cert-manager
+    repo: https://charts.jetstack.io
+    version: "1.14.2"
+    releaseName: cert-manager
+    namespace: kube-system
+    valuesFile: config/values.cert-manager.yaml
+    apiVersions:
+      - "cert-manager.io/v1"
+
+generators:
+  - ./secret-generator.yaml
--- a/cert-manager/resources/letsencrypt-production.yaml
+++ b/cert-manager/resources/letsencrypt-production.yaml
@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    email: peter.kurfer@gmail.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-production
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: traefik
--- a/cert-manager/resources/letsencrypt-staging.yaml
+++ b/cert-manager/resources/letsencrypt-staging.yaml
@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    email: peter.kurfer@gmail.com
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: traefik
--- a/cert-manager/secret-generator.yaml
+++ b/cert-manager/secret-generator.yaml
@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: cert-manager-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          path: ksops
+files:
+  - ./config/acme-cloudflare-dns.yaml
--- a/coder/config/values.coder.yml
+++ b/coder/config/values.coder.yml
@ -10,6 +10,11 @@ coder:
      gethomepage.dev/group: Apps
      gethomepage.dev/icon: coder.png
      gethomepage.dev/name: Coder
+      cert-manager.io/cluster-issuer: letsencrypt-production
+    tls:
+      enable: true
+      secretName: coder-ingress-tls
+      wildcardSecretName: coder-wildcard-ingress-tls
  env:
    - name: CODER_WILDCARD_ACCESS_URL
      value: '*.ide.icb4dc0.de'
--- a/coder/kustomization.yaml
+++ b/coder/kustomization.yaml
@ -11,7 +11,7 @@ helmCharts:
    repo: https://helm.coder.com/v2
    releaseName: coder
    namespace: coder
-    version: "2.7.1"
+    version: "2.8.2"
    valuesFile: config/values.coder.yml
    skipTests: true

--- a/external-dns/config/external-dns-secrets.enc.yaml
+++ b/external-dns/config/external-dns-secrets.enc.yaml
@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: external-dns-secrets
+type: Opaque
+stringData:
+    CF_API_TOKEN: ENC[AES256_GCM,data:zN3eidkDiRiSRx5neWjBh6H//IcDEi00Up3kKpghzUHAHHin+np3cQ==,iv:yWWzvUJyi6Go3lhtPzvlvzFJKQ9+DU4BbjxO2R43It0=,tag:hXS+HtGKmPFsGsqgQg444w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQYjg0Rnd1L0tXeThlZVNu
+            OE1qY0VWVXE2R1VzUnU5UGhFR1hpZEdaTEVNCkN5TEtBQkMrcnJINUcwcC9ZbmpQ
+            ZXVCSVUxNzdyN0lSZlI2QVpzUXUzbFkKLS0tIGVja1kxWGpnS2NuTnhobmMwazBl
+            d1V2K3NTMkVNSjlORkdqWnlucDVpcEEKpWV8NyV+CCuzNpEO+68fPQN7y6udc7VS
+            qw59UYYFlZSo6tV9U3okupDFoNQibMKYqo67yNOuhQNot/ka72PAjw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtL2tKRXdzZ3ExdFRSdDJi
+            TUMvOVNORzdkVkk5TW9ISkpkZy9nbC84M1VRCkJyMzV1bzBCbnBoT2dLQzJXcGJS
+            cVdHaElpd3A3ZnBNRDYrS1JKK3ZaaGcKLS0tIG9nWXRpTjNLc3hIYWovSHNDWGFX
+            K1pycWpFQ0t1ZDlJQnh1YVJ5WFVRNDgKy8P9W8EBGrsd36lcMpaAsAAp93RLnOHQ
+            BroVhhdcfxhS/9H9crSZAw6nSROLjySvgJc46jj255FwE2j0biLQCw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-13T18:56:54Z"
+    mac: ENC[AES256_GCM,data:feslQ6tRE3ngW9WBsdQGtVCBKw7TCPdrsfbjEkRCoEybgs6eyVh6c9tjq1JmocKQ7a5KHzIvr9dM2x4Kia/6hpocaztWVP3RO+Rw5CWqOmsl6WyWjzFFuktKU8vEqwOLIvgs4v6V+4fnhBUEHtLsSxbCCG9hbsibYguWiPnnFaE=,iv:JOvnroj06nBENOwhqdnF0AQ8qP4lxdhnx+QGg1Q0qNY=,tag:Pmj7zfwHUoOf9MUYp8RPyw==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1
--- a/external-dns/kustomization.yaml
+++ b/external-dns/kustomization.yaml
@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kube-system
+
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/part-of: external-dns
+
+images:
+  - name: external-dns
+    newName: registry.k8s.io/external-dns/external-dns
+    newTag: v0.14.0
+
+resources:
+  - resources/rbac/service_account.yaml
+  - resources/rbac/cluster_role.yaml
+  - resources/rbac/cluster_role_binding.yaml
+  - resources/deployment.yaml
+
+generators:
+  - ./secret-generator.yaml
--- a/external-dns/resources/deployment.yaml
+++ b/external-dns/resources/deployment.yaml
@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: external-dns
+  template:
+    metadata:
+      labels:
+        app: external-dns
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: external-dns
+          args:
+            - --source=ingress
+            - --domain-filter=icb4dc0.de
+            - --zone-id-filter=ee5cd581559fcf20384856ed5b1b2f0b
+            - --provider=cloudflare
+            - --cloudflare-dns-records-per-page=5000
+            - --exclude-target-net=172.23.2.0/24
+          env:
+            - name: CF_API_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: external-dns-secrets
+                  key: CF_API_TOKEN
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+            limits:
+              cpu: 100m
+              memory: 128Mi
--- a/external-dns/resources/rbac/cluster_role.yaml
+++ b/external-dns/resources/rbac/cluster_role.yaml
@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-dns
+rules:
+- apiGroups: [""]
+  resources: ["services","endpoints","pods"]
+  verbs: ["get","watch","list"]
+- apiGroups: ["extensions","networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["get","watch","list"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["list", "watch"]
--- a/external-dns/resources/rbac/cluster_role_binding.yaml
+++ b/external-dns/resources/rbac/cluster_role_binding.yaml
@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-dns-viewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-dns
+subjects:
+- kind: ServiceAccount
+  name: external-dns
+  namespace: default
--- a/external-dns/resources/rbac/service_account.yaml
+++ b/external-dns/resources/rbac/service_account.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-dns
--- a/external-dns/secret-generator.yaml
+++ b/external-dns/secret-generator.yaml
@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: external-dns-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          path: ksops
+files:
+  - ./config/external-dns-secrets.enc.yaml
--- a/forgejo/config/values.forgejo.yaml
+++ b/forgejo/config/values.forgejo.yaml
@ -6,6 +6,9 @@ service:
    type: NodePort
    nodePort: 32022

+strategy:
+  type: Recreate
+
 ingress:
  enabled: true
  annotations:
@ -14,11 +17,16 @@ ingress:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: forgejo.png
    gethomepage.dev/name: Forgejo
+    cert-manager.io/cluster-issuer: letsencrypt-production
  hosts:
    - host: code.icb4dc0.de
      paths:
        - path: /
          pathType: Prefix
+  tls:
+    - hosts:
+        - code.icb4dc0.de
+      secretName: forgejo-ingress-tls

 resources:
  limits:
--- a/forgejo/kustomization.yaml
+++ b/forgejo/kustomization.yaml
@ -35,7 +35,7 @@ helmCharts:
    repo: oci://codeberg.org/forgejo-contrib
    releaseName: forgejo
    namespace: forgejo
-    version: "1.1.1"
+    version: "3.0.1"
    valuesFile: config/values.forgejo.yaml
    skipTests: true
    apiVersions:
--- a/hedgedoc/resources/ingress.yaml
+++ b/hedgedoc/resources/ingress.yaml
@ -9,6 +9,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: https://md.icb4dc0.de/icons/android-chrome-192x192.png
    gethomepage.dev/name: HedgeDoc
+    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
    - host: md.icb4dc0.de
@ -21,3 +22,7 @@ spec:
                name: hedgedoc
                port:
                  number: 3000
+  tls:
+    - hosts:
+        - md.icb4dc0.de
+      secretName: hedgedoc-ingress-tls
--- a/homepage/kustomization.yaml
+++ b/homepage/kustomization.yaml
@ -6,10 +6,10 @@ namespace: homepage
 images:
 - name: homepage
  newName: ghcr.io/gethomepage/homepage
-  newTag: "v0.8.6"
+  newTag: "v0.8.8"
 - name: oauth2-proxy
  newName: quay.io/oauth2-proxy/oauth2-proxy
-  newTag: v7.5.1
+  newTag: v7.6.0

 labels:
 - includeSelectors: true
--- a/homepage/resources/ingress.yaml
+++ b/homepage/resources/ingress.yaml
@ -11,6 +11,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: homepage.png
    gethomepage.dev/name: Homepage
+    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
    - host: "home.icb4dc0.de"
@ -23,3 +24,7 @@ spec:
                name: homepage
                port:
                  number: 3000
+  tls:
+    - hosts:
+        - "home.icb4dc0.de"
+      secretName: homepage-ingress-tls  
--- a/linkwarden/resources/ingress.yaml
+++ b/linkwarden/resources/ingress.yaml
@ -9,6 +9,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: linkwarden.png
    gethomepage.dev/name: Linkwarden
+    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
    - host: links.icb4dc0.de
@ -21,3 +22,7 @@ spec:
                name: linkwarden
                port:
                  number: 3000
+  tls:
+    - hosts:
+        - links.icb4dc0.de
+      secretName: linkwarden-ingress-tls
--- a/nocodb/resources/ingress.yaml
+++ b/nocodb/resources/ingress.yaml
@ -9,6 +9,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: nocodb.png
    gethomepage.dev/name: NocoDB
+    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
    - host: noco.icb4dc0.de
@ -21,3 +22,7 @@ spec:
                name: nocodb
                port:
                  number: 8080
+  tls:
+    - hosts:
+        - noco.icb4dc0.de
+      secretName: nocodb-ingress-tls
--- a/postgres-operator/resources/db/default-cluster.yaml
+++ b/postgres-operator/resources/db/default-cluster.yaml
@ -5,7 +5,6 @@ metadata:
  name: default-cluster
  namespace: postgres
 spec:
-  image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.5-0
  postgresVersion: 15
  users:
    - name: postgres
@ -68,15 +67,24 @@ spec:

  backups:
    pgbackrest:
-      image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.47-2
+      manual:
+        repoName: repo1
+        options:
+          - --type=full
      configuration:
      - secret:
          name: pgo-s3-creds
      global:
+        repo1-retention-full: "14"
+        repo1-retention-full-type: time
+        repo1-retention-diff: "6"
        repo1-path: /pgbackrest/default-cluster/repo1
        repo1-s3-uri-style: path
      repos:
      - name: repo1
+        schedules:
+          full: "0 1 * * 0"
+          differential: "0 1 * * 1-6"
        s3:
          bucket: backup
          endpoint: 2df513adaee2eeae12106af900bed297.r2.cloudflarestorage.com
--- a/postgres-operator/resources/rbac/role_binding.yaml
+++ b/postgres-operator/resources/rbac/role_binding.yaml
@ -12,3 +12,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: pgo
+  namespace: postgres-system
--- a/traefik/values.yaml
+++ b/traefik/values.yaml
@ -0,0 +1,51 @@
+experimental:
+  kubernetesGateway:
+    enabled: true
+global:
+  systemDefaultRegistry: ""
+image:
+  repository: rancher/mirrored-library-traefik
+  tag: 2.10.5
+metrics:
+  prometheus:
+    service:
+      enabled: true
+    serviceMonitor:
+      additionalLabels:
+        prometheus: default
+      interval: 30s
+      scrapeTimeout: 5s
+podAnnotations:
+  prometheus.io/port: "8082"
+  prometheus.io/scrape: "true"
+ports:
+  traefik:
+    expose: false
+    port: 9000
+  web:
+    forwardedHeaders:
+      insecure: true
+  websecure:
+    expose: true
+priorityClassName: system-cluster-critical
+providers:
+  kubernetesIngress:
+    publishedService:
+      enabled: true
+    allowExternalNameServices: true
+  kubernetesCRD:
+    enabled: true
+    allowExternalNameServices: true
+service:
+  type: LoadBalancer
+  annotations:
+    load-balancer.hetzner.cloud/location: "hel1"
+tolerations:
+- key: CriticalAddonsOnly
+  operator: Exists
+- effect: NoSchedule
+  key: node-role.kubernetes.io/control-plane
+  operator: Exists
+- effect: NoSchedule
+  key: node-role.kubernetes.io/master
+  operator: Exists
--- a/vaultwarden/kustomization.yaml
+++ b/vaultwarden/kustomization.yaml
@ -12,7 +12,7 @@ labels:
 images:
  - name: vaultwarden
    newName: ghcr.io/dani-garcia/vaultwarden
-    newTag: "1.30.1-alpine"
+    newTag: "1.30.3-alpine"

 resources:
  - "resources/namespace.yaml"
--- a/vaultwarden/resources/ingress.yaml
+++ b/vaultwarden/resources/ingress.yaml
@ -9,6 +9,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: vaultwarden.png
    gethomepage.dev/name: Vaultwarden
+    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
  - host: pw.icb4dc0.de
@ -21,3 +22,7 @@ spec:
            name: vaultwarden
            port: 
              number: 8080
+  tls:
+    - hosts:
+        - pw.icb4dc0.de
+      secretName: vaultwarden-ingress-tls
--- a/vikunja/resources/ingress.yaml
+++ b/vikunja/resources/ingress.yaml
@ -9,6 +9,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: vikunja.png
    gethomepage.dev/name: Vikunja
+    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
    - host: todo.icb4dc0.de
@ -28,3 +29,7 @@ spec:
                name: vikunja-api
                port:
                  number: 3456
+  tls:
+    - hosts:
+        - todo.icb4dc0.de
+      secretName: vikunja-ingress-tls
--- a/zipline/resources/ingress.yaml
+++ b/zipline/resources/ingress.yaml
@ -9,6 +9,7 @@ metadata:
    gethomepage.dev/group: Apps
    gethomepage.dev/icon: zipline.png
    gethomepage.dev/name: Zipline
+    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  rules:
    - host: share.icb4dc0.de
@ -21,3 +22,7 @@ spec:
                name: zipline
                port:
                  number: 3000
+  tls:
+    - hosts:
+        - share.icb4dc0.de
+      secretName: zipline-ingress-tls