From 526f896e24dd2681dc09342e018cef930cc09c6f Mon Sep 17 00:00:00 2001
From: MTRNord
Date: Thu, 16 Mar 2023 23:52:17 +0100
Subject: [PATCH] Add weave and sops

---
 .gitignore | 1 +
 apps/.gitkeep | 0
 .../production/flux-system/gotk-sync.yaml | 4 ++
 clusters/production/infrastructure.yaml | 16 +++++++
 encrypt.sh | 3 ++
 infrastructure/controllers/kustomization.yaml | 5 ++
 infrastructure/controllers/oidc-secret.yaml | 32 +++++++++++++
 infrastructure/controllers/weave-gitops.yaml | 48 +++++++++++++++++++
 8 files changed, 109 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 apps/.gitkeep
 create mode 100644 clusters/production/infrastructure.yaml
 create mode 100755 encrypt.sh
 create mode 100644 infrastructure/controllers/kustomization.yaml
 create mode 100644 infrastructure/controllers/oidc-secret.yaml
 create mode 100644 infrastructure/controllers/weave-gitops.yaml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ed8582a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+age.agekey
\ No newline at end of file
diff --git a/apps/.gitkeep b/apps/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/clusters/production/flux-system/gotk-sync.yaml b/clusters/production/flux-system/gotk-sync.yaml
index 395d079..dc4a1c6 100644
--- a/clusters/production/flux-system/gotk-sync.yaml
+++ b/clusters/production/flux-system/gotk-sync.yaml
@@ -22,6 +22,10 @@ spec:
 interval: 10m0s
 path: ./clusters/production
 prune: true
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
 sourceRef:
 kind: GitRepository
 name: flux-system
diff --git a/clusters/production/infrastructure.yaml b/clusters/production/infrastructure.yaml
new file mode 100644
index 0000000..f521627
--- /dev/null
+++ b/clusters/production/infrastructure.yaml
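Review bot: The new `decryption.secretRef` names a Secret `sops-age` in flux-system that none of the eight files in this commit creates, so the flux-system Kustomization cannot decrypt anything until that Secret is provisioned out of band from the `age.agekey` file that `.gitignore` now excludes. A comment on the new lines recording that contract would save the next operator a failed reconciliation, e.g. `# sops-age holds the age private key; created out of band, never committed (see .gitignore)`. The hunk shows only the `spec` block of the Kustomization; the resource's start is outside it.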
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: infra-controllers
+ namespace: flux-system
+spec:
+ interval: 1h
+ retryInterval: 1m
+ timeout: 5m
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ path: ./infrastructure/controllers
+ prune: true
+ wait: true
diff --git a/encrypt.sh b/encrypt.sh
new file mode 100755
index 0000000..80f821c
--- /dev/null
+++ b/encrypt.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sops --age=age1esjyg2qfy49awv0ptkzvpk425adczjr38m37w2mmcahzc4p8n54sll2nzh --encrypt --encrypted-regex '^(data|stringData)$' --in-place "$1"
\ No newline at end of file
diff --git a/infrastructure/controllers/kustomization.yaml b/infrastructure/controllers/kustomization.yaml
new file mode 100644
index 0000000..6c9ea16
--- /dev/null
+++ b/infrastructure/controllers/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - oidc-secret.yaml
+ - weave-gitops.yaml
diff --git a/infrastructure/controllers/oidc-secret.yaml b/infrastructure/controllers/oidc-secret.yaml
new file mode 100644
index 0000000..a33d8a4
--- /dev/null
+++ b/infrastructure/controllers/oidc-secret.yaml
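Review bot: The `infra-controllers` Kustomization has no `spec.decryption` block, yet the path it reconciles, `./infrastructure/controllers`, contains the SOPS-encrypted `oidc-secret.yaml` added in this same commit; as far as I know Flux does not inherit decryption settings from the parent Kustomization, so this one would apply the `ENC[...]` strings as the literal Secret values, and with `wait: true` the apply itself would still look healthy. The `provider: sops` / `secretRef: sops-age` block the commit adds to gotk-sync.yaml has to be repeated here, since this is the Kustomization that actually renders the Secret.
```yaml
spec:
  # … unchanged: interval, retryInterval, timeout, sourceRef, path, prune, wait …
  decryption:
    provider: sops
    secretRef:
      name: sops-age
```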
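Review bot: `encrypt.sh` hands `"$1"` to `sops --in-place` without checking that an argument was given, so running it bare invokes sops on an empty path, and the script sets no strict mode and lacks a trailing newline. A guard such as `set -euo pipefail` followed by `[ $# -eq 1 ] || { echo "usage: $0 <file>" >&2; exit 1; }` covers both. The age recipient and `--encrypted-regex` on the command line duplicate the values recorded under `sops:` in oidc-secret.yaml; a repository-level `.sops.yaml` creation rule would keep the two from drifting and let the script shrink to `sops --encrypt --in-place "$1"`.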
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: oidc-auth
+ namespace: flux-system
+type: Opaque
+stringData:
+ issuerURL: ENC[AES256_GCM,data:31lcrvswL8AC6Sf/VDGxCe7l7THWSZCdAFnauzmgHdfVhIrBQpg2Os4sOLvIZO+y8Unz4jc=,iv:6ryLcYvXgzmp02cY/mi/OglLKeFUrgiH4Nchfhy4fr0=,tag:iA8pGiPlW5oj8mAIDY4y5w==,type:str]
+ clientID: ENC[AES256_GCM,data:7oBQUR8=,iv:Lin3Cler/1R1HaRmPqr5qwB4ejBR77z7hMWtfcp1hVM=,tag:ftWdHeSPAnZEhgy8Y/mHRg==,type:str]
+ clientSecret: ENC[AES256_GCM,data:u7y/1jz9WSIUANXeL4hV+paPpql3eVZYoF8c5LfuPWY=,iv:VjZlHRnHgyxSWb+XewtrpqNyrYpddWJrDWMeKLSJvzY=,tag:p54D18DlEwR83VhtMZOQ6Q==,type:str]
+ redirectURL: ENC[AES256_GCM,data:SWX72pcOQeHki+7yJ9qaH97J38EtJ7uWt8PD3dXtJEXOc9jYaFBxGbnxuh8TYMTk2hGpOw==,iv:K3xi5hFYghdcyeiheSo0XHerrJEZnPj7eXHzbKGQxrU=,tag:cNnqiQBt7MgaQHxDvon9+A==,type:str]
+ tokenDuration: ENC[AES256_GCM,data:jMTkv29n,iv:tV1QI9Wfh3wJJSPv9otImbWEUQX9YzFvv03tTp7G08A=,tag:EMSR/VvkHhXTin3E28uFeQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1esjyg2qfy49awv0ptkzvpk425adczjr38m37w2mmcahzc4p8n54sll2nzh
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZHFuUmVnemZXYU11azVa
+ ZWNTZUdCVzVhdXNMTjY2dlZTTG9YMEE3VHdJCjBrMDgrUFYweExNb3Y2aUs4QUNa
+ V1hBWU9DMnY1cjY1RVUxcmRHczI5TnMKLS0tIDIyK1V0MExOTlZIMktkYmxMWDgw
+ Y1VSM0NZTFdVMmZYaVlMQXhTdkpDNEkKx4iEuFixUbvJTVAmXS2xDepDqxa8O0wQ
+ uaV/SV3Q9Ub+VK+//FygrkCiUgAs61cr+623p4vEvu4044KNR9OLRw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-03-16T22:45:15Z"
+ mac: ENC[AES256_GCM,data:zHf2SET/iNdqUqianIia2zGIwIM0HoGtWy7jbpWimRjEPB6Ofm740oGQxwovmLuoCcExjZQzU+FA9/9DKAuOtgnWWtGgDuwwHrJQf3GBZtlQg0s8TzYn2wVrEoIfqD6lOi2qscoLsvEikrJXyoQnkXFISBRjNxxfbjRWwmBibBg=,iv:DSYrQRJggoOab3br2JA4NbNy1Z2ew3crFf+jfnoTta4=,tag:oWPcvQO1XQ7ox/fWZF89QQ==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
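Review bot: Nothing in the file says it is SOPS-managed, and because `encrypted_regex: ^(data|stringData)$` leaves everything outside `stringData` in the clear, a reader sees the key names and the `sops` metadata but cannot review the non-secret settings `issuerURL`, `redirectURL` and `tokenDuration`, which are encrypted alongside `clientSecret`. A header comment such as `# SOPS-encrypted with age; edit only via sops (a hand edit invalidates sops.mac)` would make that explicit, and moving the three non-secret values into a comment or a plain ConfigMap would keep them reviewable if the consumer allows it. This file is also the only new YAML in the commit without a leading `---`.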
diff --git a/infrastructure/controllers/weave-gitops.yaml b/infrastructure/controllers/weave-gitops.yaml
new file mode 100644
index 0000000..f735088
--- /dev/null
+++ b/infrastructure/controllers/weave-gitops.yaml
@@ -0,0 +1,48 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: weave-gitops
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 60m0s
+ url: oci://ghcr.io/weaveworks/charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: weave-gitops
+ namespace: flux-system
+spec:
+ interval: 60m
+ chart:
+ spec:
+ chart: weave-gitops
+ version: "4.0.16"
+ sourceRef:
+ kind: HelmRepository
+ name: weave-gitops
+ interval: 12h
+ # https://github.com/weaveworks/weave-gitops/blob/main/charts/gitops-server/values.yaml
+ values:
+ #resources:
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+ # limits:
+ # cpu: 1
+ # memory: 512Mi
+ adminUser:
+ create: false
+ oidcSecret:
+ create: false
+ ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-dns
+ hosts:
+ - host: weave.midnightthoughts.space
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
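Review bot: The `ingress` values carry `cert-manager.io/cluster-issuer: letsencrypt-dns` but no `tls` entry, and cert-manager's ingress-shim only issues a certificate for hosts listed under the Ingress `spec.tls`, so if the chart's ingress template follows the usual Helm shape the dashboard ends up reachable over plain HTTP on `weave.midnightthoughts.space`, with the OIDC redirect and session cookie travelling unencrypted. A `tls` entry for the host is enough for the annotation to take effect. The `adminUser.create: false` / `oidcSecret.create: false` pair also means login depends entirely on the externally supplied `oidc-auth` Secret, which deserves a one-line comment above `oidcSecret`.
```yaml
    ingress:
      enabled: true
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-dns
      # … unchanged: hosts …
      tls:
        - secretName: weave-gitops-tls  # constructed name; any unused Secret name works
          hosts:
            - weave.midnightthoughts.space
```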