feat: deploy vaultwarden and s3-csi

2023-11-21 22:32:09 +01:00 · 2023-11-21 22:32:09 +01:00 · 30974b2f38
commit 30974b2f38
parent 108eaa3026
15 changed files with 253 additions and 3 deletions
--- a/postgres-operator/resources/db/default-cluster.yaml
+++ b/postgres-operator/resources/db/default-cluster.yaml
@ -33,6 +33,9 @@ spec:
    - name: noco
      databases:
        - noco
+    - name: vaultwarden
+      databases:
+        - vaultwarden
    - name: vikunja
      databases:
        - vikunja
--- a/s3-csi/.gitignore
+++ b/s3-csi/.gitignore
@ -0,0 +1 @@
+charts/
--- a/s3-csi/config/s3-csi-config.enc.yaml
+++ b/s3-csi/config/s3-csi-config.enc.yaml
@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: csi-s3-secret
+type: Opaque
+stringData:
+    accessKeyID: ENC[AES256_GCM,data:xXtMVs8lcYBuaii8oYdVt91NzkwOkWavznEEZF8l07c=,iv:s8CWIw0Oz5yoF/SycISaoypeD9j+IWn67KK49unUjSo=,tag:7z/2XEtcoMEU+aBR8c0nDA==,type:str]
+    secretAccessKey: ENC[AES256_GCM,data:NeruTGq0aF5gsKas2ORCHB9R4ierD+f+8ccfmLzotL01Hpu8vWBtJF3uZoIPshPbbNOxYqGcEvr3EGj3f8+3Pg==,iv:Ml0i1Ocp2QOjhjw5/hfv4NMzulYXBZHv8KDdvEH22X4=,tag:yEdx4u4ErGIafG6JVOAADQ==,type:str]
+    endpoint: ENC[AES256_GCM,data:H8qcNELbxrl1y7jTDUusGxhHnXbanExwNEwT16XUB/BnCb3upAjzAhXmxcrVKUVk5IfsAlCmX+I/Tg+mOFAgUcg=,iv:AafzfoVDdtuw2iIMl5/obp0QWIoFN6Kmk5D1X/20Sig=,tag:NtX31/hzS/+ACTsNbC8rIg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEK0dvNXlwVElnekNuK2VV
+            R2U3cDRUQWVudmNQT1BqbGpTNysrR3RtVWg4CnljSldwM1o4OGJGQ2JiVUJEN0Jv
+            K3NJVHU3c2NCbEordkdVeG13NDQ2MGMKLS0tIEVPQXhOUUttZVZka3FFOUoxM05n
+            ODdkb2ErNFlsWXliZVZSYlZldmtUTzQKJLVrS1v4EhnoObtEpezdAz7Osm65ej1D
+            ygohQ1nMl5gQJsHpC7jTQUgAD6VHFter1PDCInL6TBK/ZIu9SQZYWw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMVDFndXN5cnRHZ1NQY09k
+            UnkyK2hMbjZ5amtMSjVNOTJWYmgvWmJKUGhBCjZhbElNRVFFdWl6SlcyNnk3TDU0
+            ZURHZ1hQcGlvZjFCalJaNmRLaWV3RDgKLS0tIGFpUTB6RHdCdnlVOVRPdEh1bzRk
+            N1BoeU5MY1hFMy9VVkhEeUFrK3JVOUUKunVPI8E7F8BOoaPd4LidbITubBsbPzn5
+            L3vShqSiwVJW7Nq8i4k0MA3geCHTk0zEj+Tj8Ncbkj37UjAhdawi4A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-19T13:40:05Z"
+    mac: ENC[AES256_GCM,data:JZa+bnqgii3JxeiImFyZhojQqpPOb3R6dzcc+XaNMA1tEa5E5Q8apqFpipUbfWYNawKw/iR8a4GvsfriLnIXLcTaKmz8FrdoXeLUZyzWWVjHFApWqKndmB63bp3mNupwsfauhNjvNOMVEAXGMQ8iCMIhdYx43PTnktSRkDPmKd4=,iv:NZxfwRwzy7S9vkc6rfZVTBzy8YAgyCUzMzmRP2B5xSk=,tag:Yg1rteLHY735pnPxPSpe6g==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1
--- a/s3-csi/config/values.csi-s3.yaml
+++ b/s3-csi/config/values.csi-s3.yaml
@ -0,0 +1,13 @@
+images:
+    registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1
+    provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2
+    csi: code.icb4dc0.de/infrastructure/csi-s3:0.38.3
+
+storageClass:
+    create: true
+    name: r2
+    singleBucket: csi
+    mountOptions: "--memory-limit 1000 --dir-mode 0777 --file-mode 0666"
+secret:
+    create: false
+    name: csi-s3-secret
--- a/s3-csi/kustomization.yaml
+++ b/s3-csi/kustomization.yaml
@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kube-system
+
+helmCharts:
+  - name: csi-s3
+    repo: https://yandex-cloud.github.io/k8s-csi-s3/charts/
+    releaseName: csi-s3
+    namespace: kube-system
+    version: "0.38.3"
+    valuesFile: config/values.csi-s3.yaml
+
+generators:
+  - ./secret-generator.yaml
--- a/s3-csi/secret-generator.yaml
+++ b/s3-csi/secret-generator.yaml
@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: s3-csi-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          path: ksops
+files:
+  - ./config/s3-csi-config.enc.yaml
--- a/vaultwarden/config/api-env.enc.yaml
+++ b/vaultwarden/config/api-env.enc.yaml
@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: vaultwarden-api-config
+type: Opaque
+stringData:
+    DOMAIN: ENC[AES256_GCM,data:FNfA7lakNlpg1URgLofv+k4TItLu,iv:8Ulj/WqUGLrCGE6m553NPtgdFsfaGE37Pla06ziPwns=,tag:6YThAqZ0xb9dvmHmrLKHqg==,type:str]
+    #ENC[AES256_GCM,data:JOoWSgo0vKQy7Wod6Z+3OrCLfnxtAvJzwrtwZz7rNOqtFopfd2vGvMqDjpz5n4+sinZpoxVq8e4kJz5jgMXSxkrj5FuHWNv4nY1v/eM=,iv:VKp+jCV/CcS+lcRXTGGlhwVgSXiH5316RANZSHbrtJo=,tag:KTJ2CF7j+SVkSVDrg3orKg==,type:comment]
+    PUSH_ENABLED: ENC[AES256_GCM,data:U6uztw==,iv:BZF8Helqt6jkeoxqNn72DG6BTGDZoN+0yeouHBAOy5k=,tag:V+hWdhf7+0tSu3p3Bk19gg==,type:str]
+    PUSH_INSTALLATION_ID: ENC[AES256_GCM,data:5EqZWWv6q7Kzeqmm1ujEkOAVEfybl2FkHJ1uyBTIJ/3ONi0s,iv:benEN9qkAhob2Nx58fralAXPt0ZOb7Iir/w44NWDC7E=,tag:CQrihd0cO0fvAZV3yBuBxQ==,type:str]
+    PUSH_INSTALLATION_KEY: ENC[AES256_GCM,data:8vsxMGX9lenepxu/DgnXJGbEXPQ=,iv:btBOZ9fyKkmEoiD9lFQO6kWgftGvjIqTaVaKC0XeRvU=,tag:wnO37fjx6HHP6S0mtEKDeQ==,type:str]
+    #ENC[AES256_GCM,data:9AIq3r4rJttpyUlriHXOKEuML2uiE+SwgWsfPnV7DYbiP/l2,iv:ailvo4Lj8MpH6mlNsTdLI3iKqUpiZyBE1YyLO2UkOQk=,tag:9YmUcHqdsMRCl/vzNUILUA==,type:comment]
+    SIGNUPS_ALLOWED: ENC[AES256_GCM,data:yyzz624=,iv:V4E2bbHA0LnO0gocQnwuOP8QYUBCVpdObxbiI6PA9Bg=,tag:s2Quq64QTPZpUUT6AM/T8A==,type:str]
+    ADMIN_TOKEN: ENC[AES256_GCM,data:McoZbrCruksHQ5N0ZNXTT8QQNt7lsjMZMTDdSk2Pw1qWmnlxvZWcHwIAMbpr+1/EHyMSf54Q4bSPRaMLtDNPREVqSEgCnI5pF4tg/BQWbtsJvH5rGqvZkpj09K0/LnvZDrvLZpYU9jBUBkKSWizjpWLfg6Xopg==,iv:smhUVbqnODyws8ndci5p05quJ/X6/mZOTQYld+aibOE=,tag:pn7tNT+3pGPmvvPFD/a1RA==,type:str]
+    #ENC[AES256_GCM,data:QlmRWc2mcIcGDeJE3dw1txwmiI6cFfD06ALgdDD1qcNG+c/JhgPO2lGQjTXoctNsTuv2pwPgtTFUKrY1cxjt4GtwuQ==,iv:MeYwD/IONmuUhvNIoBWPyuWUhGCBascIITC4nVbpkyY=,tag:DLL5SgPOyrYeHUnqz9SvEw==,type:comment]
+    ROCKET_ADDRESS: ENC[AES256_GCM,data:47ty+hqPew==,iv:13zgUCu73oNu3Vv2MGPVfT0szJkJ/8jQdU0lwqOnGEE=,tag:cZO7grm7BVm35PVTpR3yzA==,type:str]
+    ROCKET_PORT: ENC[AES256_GCM,data:ZrfepA==,iv:fMwLrMvwp61ujQsg4owMCKaH8sxJEod85+RJchh6vLc=,tag:DbmR5uueyzGP4UVeEhWFVg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwd1AyWHA1SEpRbGhmaFY3
+            QlJCYzNUVEVaR3BudDNMT3YxZTRjUXdWelZRCmY0UWFpMEhRcFgwSVM1UmlHN1k1
+            cEkzaTBvMzR4V0pZQmVQU1RpTG9vUFEKLS0tIDlLcFN1VytENHZ4ako3cXd6M2R3
+            UHNDRDBiYUpiR0dHbmdHdmRhcTZPd0UKJgrAhYaH/rcAIhgjVivrcf0HjPtEIS97
+            z5HpimsDOZ4gntVEAdRShPtH5PrO7NFiPa3IUdex/ivYTIr4zAQSiw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVN3M5R2JwenRxR2xEWWNJ
+            WUZiTlRwaWpUaEJ0TndET0lDamJENmE2elFVCnlMWlFSZXBDOGpJSURLYlJqNzJv
+            RXljK3dSUzdEaDBUSVUyTzFpeHVvL0kKLS0tIFRHT2lJWWZ3d0RyOE1ONFNha3Bm
+            U3U0YTU2QldWbzByVmY5WlZmRW04WUUK133O8rZOp3NT5feI8HEhYR5MYMRR/Mda
+            OIEPr8qHL/DKcuVY1RNfMieGZM1Vlk+KzKSVJFq9s5DprDn3gbdE1w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-21T21:13:40Z"
+    mac: ENC[AES256_GCM,data:MkefajFpbFq1FWYScRrabX3eBq10qdcFEWw07cGbPUC8ztOaEYYAfTllHz3Olfl1tFsLJ8sOqSbPgUHWdvEjhuJQcK3zHrjTC2n3JSaXNLaIVaSa4V4qcYInsaDZ7c6P7vFCEZUtcdDJHIyjQH4RVIewm0XXQDkcaHIzczLqle0=,iv:9f7g/PwP1tpo1Z/kmgEowfzxHdHbNagVL3ESYXkcbgc=,tag:M5SswGg0h5qBPvuVaDXz2w==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1
--- a/vaultwarden/kustomization.yaml
+++ b/vaultwarden/kustomization.yaml
@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: vaultwarden
+
+commonLabels:
+  app.kubernetes.io/instance: icb4dc0de
+  app.kubernetes.io/managed-by: kustomize
+
+images:
+  - name: vaultwarden
+    newName: ghcr.io/dani-garcia/vaultwarden
+    newTag: "1.30.0"
+
+resources:
+  - "resources/namespace.yaml"
+  - "resources/pvc.yaml"
+  - "resources/deployment.yaml"
+  - "resources/service.yaml"
+  - "resources/ingress.yaml"
+
+
+generators:
+  - ./secret-generator.yaml
--- a/vaultwarden/resources/deployment.yaml
+++ b/vaultwarden/resources/deployment.yaml
@ -0,0 +1,41 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vaultwarden
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vaultwarden
+      app.kubernetes.io/part-of: vaultwarden
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: vaultwarden
+        app.kubernetes.io/part-of: vaultwarden
+    spec:
+      containers:
+      - name: vaultwarden
+        image: vaultwarden
+        envFrom:
+          - secretRef:
+              name: vaultwarden-api-config
+        env:
+          - name: DATABASE_URL
+            valueFrom:
+              secretKeyRef:
+                name: default-cluster-pguser-vaultwarden
+                key: uri
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        ports:
+        - containerPort: 8080
+        volumeMounts:
+          - name: data
+            mountPath: /data
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: vaultwarden-data
--- a/vaultwarden/resources/ingress.yaml
+++ b/vaultwarden/resources/ingress.yaml
@ -0,0 +1,17 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: vaultwarden
+spec:
+  rules:
+  - host: pw.icb4dc0.de
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: vaultwarden
+            port: 
+              number: 8080
--- a/vaultwarden/resources/namespace.yaml
+++ b/vaultwarden/resources/namespace.yaml
@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vaultwarden
+  labels:
+    prometheus: default
--- a/vaultwarden/resources/pvc.yaml
+++ b/vaultwarden/resources/pvc.yaml
@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vaultwarden-data
+spec:
+  storageClassName: r2
+  resources:
+    requests:
+      storage: 5Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteMany
--- a/vaultwarden/resources/service.yaml
+++ b/vaultwarden/resources/service.yaml
@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vaultwarden
+spec:
+  selector:
+    app.kubernetes.io/name: vaultwarden
+    app.kubernetes.io/part-of: vaultwarden
+  ports:
+  - port: 8080
+    targetPort: 8080
--- a/vaultwarden/secret-generator.yaml
+++ b/vaultwarden/secret-generator.yaml
@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: vaultwarden-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          path: ksops
+files:
+  - ./config/api-env.enc.yaml
--- a/vikunja/resources/api/config.enc.yaml
+++ b/vikunja/resources/api/config.enc.yaml
@ -4,7 +4,7 @@ metadata:
    name: vikunja-config
 type: Opaque
 stringData:
-    config.yml: ENC[AES256_GCM,data:tmSeQoniqMDqsVqhpBvEZaSgQtXXwJFShVtwaUW/z43tsOybO38w1NkkyjPnOxVLb0SWkznSG5bDdvDPEXgk7EXBA2N29+hnDpp6kxE2MPQbIzLlNgZrfLC6tjEZtezOmXrZE6Xb5kleljuHFN+ph9WGes2m/ha7++fVKf/GD48MytqmC7SPBAJpitROXfx8NkqI2fhJIHkBhRsfTVy4Ur69dTryFt7xGLsC1ckxOWZebf7TYj10bpVPLAtxyLN7Os+l4Hl9GGbfjWMQ9lkSzIat3l4BNnkIWoZ2CoRqla2z/POn1crMJm7xeMkx1f6yB45NQM9r+/9HSbk3LDNGw5rgqrwkShj+/aXk2ePzGJK5O6zUSUidZpPpTLmxPNSaCu7QVmz6XR9zfzoXa4Ppdee4vbnqTa6FxUeM/oGcFI68X8kqRR+UImbjTrFKzFOPRw3hU7zHVwg2Wzh/k/4R+GNpLTLU+RlrT3dw9IvRFIERb15XTJzfId5+nWIxoMaH6tjaib84HVe1wtaRahYZNoYi7WZ748fiSx1b+AWRnxhCfK2EsQjul5Zdh2SSkYZysHi9Bmog,iv:K41jhC1s98trTYvcceAQOxx+ckAHrx22HLa5U6CYxWk=,tag:r7m/tjgYfaW3Wpfl8cJKTA==,type:str]
+    config.yml: ENC[AES256_GCM,data:P7sj7n7HRrPbEPkiGdxU4AJa8eR65AJYgEuJCeEsbsVwFtJ6epf4vm1bbpJ625P9ZzgllqunJvaiGGYCcmkHfUro77eIHdUOc5uvgaIp+Cb+Cv9+RuWm76lJeh1JpteeQ6zXX/OjeuL9TOEY89fynsuV7OQv/LxzPayPJedcAMiNsUtCzfB+qV84AlcRzNlx6HtsG0q2Aj75lBn0SvAZF0YRXX+vnJW/85y6tHu1x3kbxW0GtFHo0XMETKugbV7dEM6UUCUhRab7Za4JwjNJMvgMb2u2MU3BvQHG/3maKtqKnOQfAS1Cnbaq1W4b0FDUBRbMPKyOXHrMMXfLXPKVC7ozYqYh65eQIylBHCPP2wm9zZZeSG7QJoAN3GIj0fJIKM7tnGuppJEM3ZNwx80DWjgnVBa+AuaZ07xShMdcFsZuGbqjYKp+4OHCp2OhbgpfiM8D2Kr/6efdkC8pWu3/3e2SskX4KC6aIoWnndmW4QUY6buewjYgGvqa7HQ9vOgG/z1dOKT1/Lxh/kAje8A2E6UbA1m92LgUjowcZae6cBRWaczMdrY2LOQ7DOV+WAPyBfhQzIE=,iv:4AU8HUgOW+KBNYZEPr6LnTbIF2J2CEei3hlfa8JRQv8=,tag:9uDCrBLp4Tv770VTjlZw2g==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -29,8 +29,8 @@ sops:
            UnE2NTVSSUp1OEVFVDd5bHJYOEZpaVkKqmw9GLZavqaPQOJjGhLqXo4ggfmFDgXz
            C9HNxeDVr2kY452gleVS/YFTPWo0QPevl0SjpZg2gvnz28qLDSNXYQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-03T13:04:43Z"
-    mac: ENC[AES256_GCM,data:V29XEZk91KgM0cgTFO6qtwWcY73o+mSFTEVw5MN/NJoEPEHtzcnGXVcHePSvtVEWdWajOX8mz51WM/5sV/B3+Iah3tHNXXzlyCte/kBBa+8NTWvWXSrVUAY0b+W7kRAaAHtXIwYrHwMGkyN+lvNRTAXEcs21OSmM7n375nDsmlY=,iv:wTEKdY34e6B1lxM9qiOGcm5MWIa7RP5wYewwafz+X7A=,tag:XoGiBJwplBWyhVcqaJhkng==,type:str]
+    lastmodified: "2023-11-21T19:37:33Z"
+    mac: ENC[AES256_GCM,data:2ObbulomnNRBy2/OjuYJhXge1SQJt7abb7PG1On8y5Tdgu+UR6oHK5Sdthr338+ZEkta2qjH58CCOh/wGFrHiihJNIbpFUMY9+yKWZ/1GJpt3MZ5U1PU1PYZjy+6RDTo4NYKqbhZvdGVh/KNGSGuCvALff/ZHXy3GhuZC6pFeF4=,iv:Pz9lTnU9zoocTFU2GVrMaJF+ANTUcJ5IYGt8ACUHLBw=,tag:KgB4fEzxrB3g62N4fAwCXA==,type:str]
    pgp: []
    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
    version: 3.8.1