From bf896db5c60128e6913b31ac402a1cd2ccf7f76f Mon Sep 17 00:00:00 2001
From: nold
Date: Sun, 20 Mar 2022 20:25:13 +0100
Subject: [PATCH] bootstrap-fix
---
 bootstrap/boot.yaml | 12 +++-
 projects/core/project.yml | 55 ++-------------------
 projects/vault/project.yml | 14 ----
 .../vault/values/vault-secrets-operator.yaml | 17 -----
 projects/vault/values/vault.yaml | 70 ------------------------
 resources/manifests/clusterissuer.yaml | 28 --------
 resources/manifests/vault_clusterissuer.yaml | 17 -----
 .../vault_issuer_serviceaccount.yaml | 17 -----
 8 files changed, 16 insertions(+), 214 deletions(-)
 delete mode 100644 projects/vault/project.yml
 delete mode 100644 projects/vault/values/vault-secrets-operator.yaml
 delete mode 100644 projects/vault/values/vault.yaml
 delete mode 100644 resources/manifests/clusterissuer.yaml
 delete mode 100644 resources/manifests/vault_clusterissuer.yaml
 delete mode 100644 resources/manifests/vault_issuer_serviceaccount.yaml
diff --git a/bootstrap/boot.yaml b/bootstrap/boot.yaml
index e9eb0c25..32eb9368 100644
--- a/bootstrap/boot.yaml
+++ b/bootstrap/boot.yaml
@@ -19,6 +19,8 @@ kind: GitRepository
 metadata:
 name: heqet-userdata
 namespace: flux-system
+ finalizers:
+ - finalizers.fluxcd.io
 spec:
 interval: 5m
 # CHANGE ME:
@@ -46,6 +48,8 @@ kind: GitRepository
 metadata:
 name: heqet
 namespace: flux-system
+ finalizers:
+ - finalizers.fluxcd.io
 spec:
 interval: 5m
 url: https://github.com/lib42/heqet
@@ -73,6 +77,10 @@ kind: HelmRelease
 metadata:
 name: apps-of-heqet
 namespace: flux-system
+ labels:
+ app.kubernetes.io/managed-by: helm
+ meta.helm.sh/release-namespace: flux-system
+ meta.helm.sh/release-name: apps-of-heqet
 spec:
 releaseName: apps-of-heqet
 chart:
@@ -88,7 +96,9 @@ spec:
 install:
 crds: CreateReplace
 remediation:
- retries: 3
+ retries: 42
+ # For CRD Installs
+ disableOpenAPIValidation: true
 upgrade:
 crds: CreateReplace
 # We can overwrite some defaults here:
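Review bot: The three labels added to the apps-of-heqet HelmRelease metadata in the third hunk (`@@ -73,6 +77,10 @@`) will not pass Helm's ownership check if the goal is to let the chart adopt this bootstrap-created object: the Helm SDK, which helm-controller uses, requires the label value `Helm` (capitalised) and looks for `meta.helm.sh/release-name` and `meta.helm.sh/release-namespace` as annotations rather than labels, so as written the object is neither adopted nor marked in a way any tool recognises. That adoption is the intent is inferred from the commit title and the matching `releaseName` below; if so, the markers should be split into a label and two annotations as sketched here. In the last hunk, `disableOpenAPIValidation: true` switches off schema validation for every manifest in the release, not only for CRDs as `# For CRD Installs` suggests, and the jump from `retries: 3` to `retries: 42` carries no reason; a comment stating why validation must be off for the whole install, whether `upgrade:` needs the same setting, and what the retry budget is meant to cover would help the next reader.
```yaml
metadata:
  # … unchanged: name, namespace …
  labels:
    app.kubernetes.io/managed-by: Helm
  annotations:
    meta.helm.sh/release-name: apps-of-heqet
    meta.helm.sh/release-namespace: flux-system
```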
diff --git a/projects/core/project.yml b/projects/core/project.yml
index 98ed3a6b..00c7db65 100644
--- a/projects/core/project.yml
+++ b/projects/core/project.yml
@@ -7,56 +7,11 @@ apps:
 repoURL: https://charts.jetstack.io
 chart: cert-manager
 targetRevision: v1.7.1
+ dependsOn: vault
 parameters:
 - name: installCRDs
 value: 'true'
- secrets:
- - name: cert-manager-vault-approle
- keys:
- - secretId
-
-- name: fast-storage
- namespace: fast-storage
- repoURL: https://github.com/rancher/local-path-provisioner
- path: deploy/chart
- syncWave: '0'
- parameters:
- - name: storageClass.name
- value: fast
- - name: nodePathMap[0].node
- value: DEFAULT_PATH_FOR_NON_LISTED_NODES
- - name: nodePathMap[0].paths[0]
- value: /var/lib/rancher/k3s/storage
-
-- name: ssd-storage
- namespace: ssd-storage
- repoURL: https://github.com/rancher/local-path-provisioner
- path: deploy/chart
- syncWave: '0'
- parameters:
- - name: storageClass.name
- value: ssd
- - name: nodePathMap[0].node
- value: DEFAULT_PATH_FOR_NON_LISTED_NODES
- - name: nodePathMap[0].paths[0]
- value: /data/kubernetes/ssd
-
-- name: metallb
- repoURL: https://charts.bitnami.com/bitnami
- chart: metallb
- namespace: metallb
- targetRevision: 2.5.16
- syncWave: '0'
-
-- name: ingress-internal
- namespace: ingress-internal
- repoURL: https://helm.traefik.io/traefik
- chart: traefik
- targetRevision: 10.15.0
- syncWave: '0'
-
-- name: cilium
- existingNamespace: kube-system
- repoURL: https://helm.cilium.io
- chart: cilium
- targetRevision: 1.11.2
+# secrets:
+# - name: cert-manager-vault-approle
+# keys:
+# - secretId
diff --git a/projects/vault/project.yml b/projects/vault/project.yml
deleted file mode 100644
index 84276ac4..00000000
--- a/projects/vault/project.yml
+++ /dev/null
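Review bot: `dependsOn: vault` on the cert-manager entry (its `- name: cert-manager` line sits above the hunk, which starts at `repoURL:` on line 7) now points at an app whose only definition in this repository, `projects/vault/project.yml`, is deleted by the same patch, so unless vault is supplied from elsewhere (the bootstrap also pulls a heqet-userdata repository, which may be the new home) the dependency presumably can never be satisfied. If the move is intentional, a comment next to the key, e.g. `dependsOn: vault  # provided outside this project (see heqet-userdata)`, would save the next reader the search, and should only be written once that is confirmed. The commented-out `secrets:` block at the end of the hunk is dead configuration: either drop it or mark it with a `# TODO:` stating what must exist (the `cert-manager-vault-approle` secret with a `secretId` key) before it can be re-enabled. The removal of fast-storage, ssd-storage, metallb, ingress-internal and cilium from the core project is not explained by the title `bootstrap-fix`; a sentence in the description saying where they went would help.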
@@ -1,14 +0,0 @@
-config:
- description: Vault Secret Managemet
-apps:
-- name: vault
- repoURL: https://helm.releases.hashicorp.com
- chart: vault
- targetRevision: 0.19.0
- syncWave: '-3'
-- name: vault-secrets-operator
- namespace: vault-secrets-operator
- repoURL: https://ricoberger.github.io/helm-charts
- chart: vault-secrets-operator
- targetRevision: 1.16.5
- syncWave: '-2'
diff --git a/projects/vault/values/vault-secrets-operator.yaml b/projects/vault/values/vault-secrets-operator.yaml
deleted file mode 100644
index 6d218bd0..00000000
--- a/projects/vault/values/vault-secrets-operator.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-vault:
- address: "http://vault.vault.svc.cluster.local:8200"
- authMethod: kubernetes
- kubernetesRole: heqet-app
- namespaces: ""
-
-crd:
- create: false
-
-rbac:
- create: true
- createrole: true
- namespaced: false
-
-serviceAccount:
- create: true
- name: vault-secrets-operator
diff --git a/projects/vault/values/vault.yaml b/projects/vault/values/vault.yaml
deleted file mode 100644
index f75bb0dd..00000000
--- a/projects/vault/values/vault.yaml
+++ /dev/null
@@ -1,70 +0,0 @@
-global:
- enabled: true
- tlsDisable: true
- psp:
- enable: true
-
-injector:
- enabled: false
-
-server:
- enabled: true
- image:
- repository: "hashicorp/vault"
- tag: "1.9.4"
- auditStorage:
- accessMode: ReadWriteOnce
- annotations: {}
- enabled: false
- mountPath: /vault/audit
- size: 10Gi
- storageClass: null
- authDelegator:
- enabled: true
- dataStorage:
- accessMode: ReadWriteOnce
- annotations: {}
- enabled: true
- mountPath: /vault/data
- size: 10Gi
- storageClass: local-path
- dev:
- enabled: false
- ha:
- enabled: false
-
- ingress:
- annotations:
- cert-manager.io/cluster-issuer: vault-issuer
- traefik.ingress.kubernetes.io/router.tls: 'true'
- enabled: true
- extraPaths: []
- hosts:
- - host: vault.dc
- paths: []
- labels: {}
- tls:
- - hosts:
- - vault.dc
- secretName: vault-tls
-
- networkPolicy:
- egress: []
- enabled: true
-
- standalone:
- enabled: true
- config: |
- ui = true
-
- listener "tcp" {
- tls_disable = 1
- address = "[::]:8200"
- cluster_address = "[::]:8201"
- }
- storage "file" {
- path = "/vault/data"
- }
-
-ui:
- enabled: true
diff --git a/resources/manifests/clusterissuer.yaml b/resources/manifests/clusterissuer.yaml
deleted file mode 100644
index 303d8942..00000000
--- a/resources/manifests/clusterissuer.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: letsencrypt
- namespace: cert-manager
-spec:
- acme:
- # You must replace this email address with your own.
- # Let's Encrypt will use this to contact you about expiring
- # certificates, and issues related to your account.
- email: nold@gnu.one
- #server: https://acme-staging-v02.api.letsencrypt.org/directory
- server: https://acme-v02.api.letsencrypt.org/directory
- privateKeySecretRef:
- # Secret resource that will be used to store the account's private key.
- name: issuer-account-key
- # Add a single challenge solver, HTTP01 using nginx
- solvers:
- - http01:
- ingress:
- class: ingress-external-traefik
- ingressTemplate:
- metadata:
- labels:
- environment: external
- annotations:
- traefik.ingress.kubernetes.io/frontend-entry-points: "web"
- kubernetes.io/ingress.class: ingress-external
diff --git a/resources/manifests/vault_clusterissuer.yaml b/resources/manifests/vault_clusterissuer.yaml
deleted file mode 100644
index 711f4254..00000000
--- a/resources/manifests/vault_clusterissuer.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: vault-issuer
- namespace: cert-manager
-spec:
- vault:
- path: pki_int/sign/dc
- server: http://vault.vault.svc.cluster.local:8200
- caBundle: 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
- auth:
- kubernetes:
- role: vault-issuer
- mountPath: /v1/auth/kubernetes
- secretRef:
- name: vault-issuer-token
- key: token
diff --git a/resources/manifests/vault_issuer_serviceaccount.yaml b/resources/manifests/vault_issuer_serviceaccount.yaml
deleted file mode 100644
index 42b05829..00000000
--- a/resources/manifests/vault_issuer_serviceaccount.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: vault-issuer
- namespace: cert-manager
-secrets:
-- name: vault-issuer-token
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: vault-issuer-token
- namespace: cert-manager
- annotations:
- kubernetes.io/service-account.name: vault-issuer
-type: kubernetes.io/service-account-token