Add weave and sops

2023-03-16 23:52:17 +01:00 · 2023-03-16 23:52:17 +01:00 · 526f896e24
parent 6367ea742b
commit 526f896e24
8 changed files with 109 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+age.agekey
--- a/apps/.gitkeep
+++ b/apps/.gitkeep
--- a/clusters/production/flux-system/gotk-sync.yaml
+++ b/clusters/production/flux-system/gotk-sync.yaml
@ -22,6 +22,10 @@ spec:
  interval: 10m0s
  path: ./clusters/production
  prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
  sourceRef:
    kind: GitRepository
    name: flux-system
--- a/clusters/production/infrastructure.yaml
+++ b/clusters/production/infrastructure.yaml
@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: infra-controllers
+  namespace: flux-system
+spec:
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./infrastructure/controllers
+  prune: true
+  wait: true
--- a/encrypt.sh
+++ b/encrypt.sh
@ -0,0 +1,3 @@
+#!/bin/bash
+
+sops --age=age1esjyg2qfy49awv0ptkzvpk425adczjr38m37w2mmcahzc4p8n54sll2nzh --encrypt --encrypted-regex '^(data|stringData)$' --in-place "$1"
--- a/infrastructure/controllers/kustomization.yaml
+++ b/infrastructure/controllers/kustomization.yaml
@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - oidc-secret.yaml
+  - weave-gitops.yaml
--- a/infrastructure/controllers/oidc-secret.yaml
+++ b/infrastructure/controllers/oidc-secret.yaml
@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: oidc-auth
+    namespace: flux-system
+type: Opaque
+stringData:
+    issuerURL: ENC[AES256_GCM,data:31lcrvswL8AC6Sf/VDGxCe7l7THWSZCdAFnauzmgHdfVhIrBQpg2Os4sOLvIZO+y8Unz4jc=,iv:6ryLcYvXgzmp02cY/mi/OglLKeFUrgiH4Nchfhy4fr0=,tag:iA8pGiPlW5oj8mAIDY4y5w==,type:str]
+    clientID: ENC[AES256_GCM,data:7oBQUR8=,iv:Lin3Cler/1R1HaRmPqr5qwB4ejBR77z7hMWtfcp1hVM=,tag:ftWdHeSPAnZEhgy8Y/mHRg==,type:str]
+    clientSecret: ENC[AES256_GCM,data:u7y/1jz9WSIUANXeL4hV+paPpql3eVZYoF8c5LfuPWY=,iv:VjZlHRnHgyxSWb+XewtrpqNyrYpddWJrDWMeKLSJvzY=,tag:p54D18DlEwR83VhtMZOQ6Q==,type:str]
+    redirectURL: ENC[AES256_GCM,data:SWX72pcOQeHki+7yJ9qaH97J38EtJ7uWt8PD3dXtJEXOc9jYaFBxGbnxuh8TYMTk2hGpOw==,iv:K3xi5hFYghdcyeiheSo0XHerrJEZnPj7eXHzbKGQxrU=,tag:cNnqiQBt7MgaQHxDvon9+A==,type:str]
+    tokenDuration: ENC[AES256_GCM,data:jMTkv29n,iv:tV1QI9Wfh3wJJSPv9otImbWEUQX9YzFvv03tTp7G08A=,tag:EMSR/VvkHhXTin3E28uFeQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1esjyg2qfy49awv0ptkzvpk425adczjr38m37w2mmcahzc4p8n54sll2nzh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZHFuUmVnemZXYU11azVa
+            ZWNTZUdCVzVhdXNMTjY2dlZTTG9YMEE3VHdJCjBrMDgrUFYweExNb3Y2aUs4QUNa
+            V1hBWU9DMnY1cjY1RVUxcmRHczI5TnMKLS0tIDIyK1V0MExOTlZIMktkYmxMWDgw
+            Y1VSM0NZTFdVMmZYaVlMQXhTdkpDNEkKx4iEuFixUbvJTVAmXS2xDepDqxa8O0wQ
+            uaV/SV3Q9Ub+VK+//FygrkCiUgAs61cr+623p4vEvu4044KNR9OLRw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-03-16T22:45:15Z"
+    mac: ENC[AES256_GCM,data:zHf2SET/iNdqUqianIia2zGIwIM0HoGtWy7jbpWimRjEPB6Ofm740oGQxwovmLuoCcExjZQzU+FA9/9DKAuOtgnWWtGgDuwwHrJQf3GBZtlQg0s8TzYn2wVrEoIfqD6lOi2qscoLsvEikrJXyoQnkXFISBRjNxxfbjRWwmBibBg=,iv:DSYrQRJggoOab3br2JA4NbNy1Z2ew3crFf+jfnoTta4=,tag:oWPcvQO1XQ7ox/fWZF89QQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/infrastructure/controllers/weave-gitops.yaml
+++ b/infrastructure/controllers/weave-gitops.yaml
@ -0,0 +1,48 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: weave-gitops
+  namespace: flux-system
+spec:
+  type: oci
+  interval: 60m0s
+  url: oci://ghcr.io/weaveworks/charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: weave-gitops
+  namespace: flux-system
+spec:
+  interval: 60m
+  chart:
+    spec:
+      chart: weave-gitops
+      version: "4.0.16"
+      sourceRef:
+        kind: HelmRepository
+        name: weave-gitops
+      interval: 12h
+  # https://github.com/weaveworks/weave-gitops/blob/main/charts/gitops-server/values.yaml
+  values:
+    #resources:
+    #  requests:
+    #    cpu: 100m
+    #    memory: 64Mi
+    #  limits:
+    #    cpu: 1
+    #    memory: 512Mi
+    adminUser:
+      create: false
+    oidcSecret:
+      create: false
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-dns
+      hosts:
+        - host: weave.midnightthoughts.space
+          paths:
+            - path: /
+              pathType: ImplementationSpecific