From 3fd2586c4dde212422ff8b238fa3595545ac0c7c Mon Sep 17 00:00:00 2001
From: MTRNord
Date: Sun, 19 Mar 2023 16:41:28 +0100
Subject: [PATCH] Fix cosign and add woodpecker
---
.pre-commit-config.yaml | 5 ++
apps/base/cosign/release.yaml | 15 ++--
apps/base/woodpecker/kustomization.yaml | 7 ++
apps/base/woodpecker/namespace.yaml | 4 ++
apps/base/woodpecker/release.yaml | 72 +++++++++++++++++++
apps/base/woodpecker/repository.yaml | 8 +++
apps/production/cosign-values.yaml | 9 +++
apps/production/kustomization.yaml | 3 +
apps/production/secrets/kustomization.yaml | 1 +
.../production/secrets/woodpecker-secret.yaml | 28 ++++++++
apps/production/woodpecker-values.yaml | 9 +++
11 files changed, 153 insertions(+), 8 deletions(-)
create mode 100644 .pre-commit-config.yaml
create mode 100644 apps/base/woodpecker/kustomization.yaml
create mode 100644 apps/base/woodpecker/namespace.yaml
create mode 100644 apps/base/woodpecker/release.yaml
create mode 100644 apps/base/woodpecker/repository.yaml
create mode 100644 apps/production/cosign-values.yaml
create mode 100644 apps/production/secrets/woodpecker-secret.yaml
create mode 100644 apps/production/woodpecker-values.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..4d0d6f7
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+repos:
+ - repo: https://github.com/zricethezav/gitleaks
+ rev: v8.16.1
+ hooks:
+ - id: gitleaks
diff --git a/apps/base/cosign/release.yaml b/apps/base/cosign/release.yaml
index bea7575..07b6cea 100644
--- a/apps/base/cosign/release.yaml
+++ b/apps/base/cosign/release.yaml
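Review bot: `rev: v8.16.1` on the gitleaks hook is a mutable tag, and pre-commit clones and executes that repository on every contributor's machine, so a moved or re-pushed tag silently changes what runs; pin `rev` to the full commit SHA the tag currently resolves to and keep the tag as a trailing comment, e.g. `rev: <full-commit-sha>  # v8.16.1`. A client-side hook only protects contributors who actually ran `pre-commit install`; if the goal is to keep secrets out of this repository, the same scan should also run in CI on push so an uninstalled hook cannot be bypassed. Since this repo commits SOPS-encrypted secrets, the `ENC[...]` and `sops:` blocks may trip gitleaks' entropy rules and need an allowlist — worth confirming on the first run rather than disabling the hook when it fires.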
@@ -18,14 +18,13 @@ spec:
# Default values
# https://github.com/stefanprodan/podinfo/blob/master/charts/podinfo/values.yaml
values:
- policy-controller:
- cosign:
- secretKeyRef:
- name: cosign-secret
- serviceMonitor:
- enabled: true
- imagePullSecrets:
- - name: docker
+ cosign:
+ secretKeyRef:
+ name: cosign-secret
+ serviceMonitor:
+ enabled: true
+ imagePullSecrets:
+ - name: docker
---
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
diff --git a/apps/base/woodpecker/kustomization.yaml b/apps/base/woodpecker/kustomization.yaml
new file mode 100644
index 0000000..82342ca
--- /dev/null
+++ b/apps/base/woodpecker/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: woodpecker
+resources:
+ - namespace.yaml
+ - repository.yaml
+ - release.yaml
diff --git a/apps/base/woodpecker/namespace.yaml b/apps/base/woodpecker/namespace.yaml
new file mode 100644
index 0000000..9e90725
--- /dev/null
+++ b/apps/base/woodpecker/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: woodpecker
diff --git a/apps/base/woodpecker/release.yaml b/apps/base/woodpecker/release.yaml
new file mode 100644
index 0000000..8803765
--- /dev/null
+++ b/apps/base/woodpecker/release.yaml
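Review bot: The `# Default values` comment kept above the flattened `values:` still links to podinfo's values.yaml, which documents an unrelated chart; replace it with the values file of the chart this release actually installs, e.g. `# Default values: charts/policy-controller/values.yaml in https://github.com/sigstore/helm-charts`, so the next reader knows which chart `cosign.secretKeyRef`, `serviceMonitor` and `imagePullSecrets` belong to. The `chart:` spec of this HelmRelease lies outside the hunk, so whether dropping the `policy-controller:` nesting matches the chart now referenced cannot be confirmed from here — the un-nesting is only correct if the release installs the `policy-controller` chart directly rather than an umbrella chart that scopes sub-chart values under that key, which is worth a Flux dry-run before merging.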
@@ -0,0 +1,72 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: woodpecker
+ namespace: woodpecker
+spec:
+ releaseName: woodpecker
+ chart:
+ spec:
+ chart: woodpecker-server
+ sourceRef:
+ kind: HelmRepository
+ name: woodpecker
+ interval: 50m
+ install:
+ remediation:
+ retries: 3
+ # Default values
+ # https://github.com/stefanprodan/podinfo/blob/master/charts/podinfo/values.yaml
+ values:
+ replicaCount: 1
+
+ image:
+ repository: woodpeckerci/woodpecker-agent
+ pullPolicy: Always
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: "next"
+
+ env:
+ WOODPECKER_SERVER: "woodpecker-woodpecker-server.woodpecker.svc.cluster.local:9000"
+ WOODPECKER_BACKEND: kubernetes
+ WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker
+ WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "nfs-client"
+ WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 10G
+ WOODPECKER_BACKEND_K8S_STORAGE_RWX: true
+ WOODPECKER_MAX_PROCS: "8"
+ WOODPECKER_DEBUG_PRETTY: "true"
+ WOODPECKER_LOG_LEVEL: debug
+
+ # Docker-in-Docker is normally not needed as Woodpecker natively supports Kubernetes
+ dind:
+ enabled: false
+ image: "docker:20.10.12-dind"
+ env:
+ DOCKER_DRIVER: "overlay2"
+ resources: {}
+
+ extraSecretNamesForEnvFrom:
+ - woodpecker-secret
+
+ serviceAccount:
+ # Specifies whether a service account should be created (also see RBAC subsection)
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+ rbac:
+ # If your cluster has RBAC enabled and you're using the Kubernetes agent-
+ # backend you'll need this. (this is true for almost all production clusters)
+ # only change this if you have a non CNCF compliant cluster, missing the RBAC endpoints
+ # the Role and RoleBinding are only created if serviceAccount.create is also true
+ create: true
+ # additional annotations and labels in role and roleBinding are only needed, if you
+ # are using additional tooling to manage / verify roles or roleBindings (OPA, etc.)
+ role:
+ annotations: {}
+ labels: {}
+ roleBinding:
+ annotations: {}
+ labels: {}
diff --git a/apps/base/woodpecker/repository.yaml b/apps/base/woodpecker/repository.yaml
new file mode 100644
index 0000000..e48e5b5
--- /dev/null
+++ b/apps/base/woodpecker/repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: woodpecker
+ namespace: woodpecker
+spec:
+ interval: 5m
+ url: https://sigstore.github.io/helm-charts
diff --git a/apps/production/cosign-values.yaml b/apps/production/cosign-values.yaml
new file mode 100644
index 0000000..f48c5ad
--- /dev/null
+++ b/apps/production/cosign-values.yaml
@@ -0,0 +1,9 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: cosign
+ namespace: cosign-system
+spec:
+ chart:
+ spec:
+ version: "0.5.x"
diff --git a/apps/production/kustomization.yaml b/apps/production/kustomization.yaml
index 0f93596..90a98ab 100644
--- a/apps/production/kustomization.yaml
+++ b/apps/production/kustomization.yaml
@@ -3,5 +3,8 @@ kind: Kustomization
resources:
- ../base/vaultwarden
- ../base/cosign
+ - ../base/woodpecker
patchesStrategicMerge:
+ - cosign-values.yaml
- vaultwarden-values.yaml
+ - woodpecker-values.yaml
diff --git a/apps/production/secrets/kustomization.yaml b/apps/production/secrets/kustomization.yaml
index 60f75cb..1226925 100644
--- a/apps/production/secrets/kustomization.yaml
+++ b/apps/production/secrets/kustomization.yaml
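Review bot: The block under `values:` is agent configuration (`image.repository: woodpeckerci/woodpecker-agent`, `WOODPECKER_SERVER`, `WOODPECKER_BACKEND: kubernetes`, the `rbac:` block) but `chart: woodpecker-server` is what this HelmRelease installs, so as far as I can tell this either swaps the server Deployment's image for the agent image or leaves all the agent settings ignored with no agent deployed at all; either set `chart: woodpecker-agent` here and add a separate server release, or rewrite the values for the server chart. Independently, `tag: "next"` with `pullPolicy: Always` runs a rolling pre-release image for the component that executes CI workloads and holds `WOODPECKER_AGENT_SECRET` — pin a released tag, ideally by digest, so the `ClusterImagePolicy` this repo already carries has something stable to verify — and `WOODPECKER_LOG_LEVEL: debug` should not be the base setting that production inherits. `WOODPECKER_BACKEND_K8S_STORAGE_RWX: true` is the only unquoted boolean in `env:`; quote it like its neighbours (`WOODPECKER_BACKEND_K8S_STORAGE_RWX: "true"`) so it cannot reach the container env as a non-string value. `WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker` runs pipeline pods in the same namespace as the server and the `woodpecker-secret` Secret; a dedicated pipelines namespace keeps untrusted CI steps away from the control plane's secrets and RBAC. The podinfo link in the `# Default values` comment is a leftover from another release and should point at the woodpecker chart's values file.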
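Review bot: `url: https://sigstore.github.io/helm-charts` is the sigstore chart index, which looks copied from the cosign setup, and as far as I know no `woodpecker-server` or `woodpecker-agent` chart is published there, so the HelmRelease in release.yaml will fail to resolve its chart from this HelmRepository. At the time of this commit Woodpecker served its charts from `https://woodpecker-ci.org/`, so the fix is `url: https://woodpecker-ci.org/` — confirm against the current docs, since later releases may be distributed as OCI charts instead. Whichever index is used, `interval: 5m` combined with the `0.15.x` range in the production overlay means a third-party index is polled every five minutes and any new patch release rolls out on its own; pinning an exact chart version in the production overlay keeps that rollout a reviewed change.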
@@ -3,3 +3,4 @@ kind: Kustomization
resources:
- vaultwarden-secret.yaml
- cosign-secret.yaml
+ - woodpecker-secret.yaml
diff --git a/apps/production/secrets/woodpecker-secret.yaml b/apps/production/secrets/woodpecker-secret.yaml
new file mode 100644
index 0000000..82a21e3
--- /dev/null
+++ b/apps/production/secrets/woodpecker-secret.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: woodpecker-secret
+ namespace: woodpecker
+type: Opaque
+stringData:
+ WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:PYGnRusedHrMrCoeiKlF2K9X0JlwRuoCBSDNVKhgAGfWwxwh+zOtJhzYclx/lHV4DDITBYz1S887b0lhMr5WkQ==,iv:hKXb/owRCbOe02DWz2O71C60pr1gPrQEF4n9wstThxk=,tag:5gF2h+yQwHDafPolP/50Ew==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1esjyg2qfy49awv0ptkzvpk425adczjr38m37w2mmcahzc4p8n54sll2nzh
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlY1d6WC9hYkFTTlFTQ0ox
+ SFZjakR5U0lhdnk5MThRUk1xRlhVNXQrOFJNCmw3V2lhSmNZMjZwYzc4a3NLVTNk
+ MjZ4akR6WHdoNnBJaHNRa29yTEhQSEUKLS0tIEpLcURBOEJaZzZnVkJLdjNqTFRt
+ eHVkZ3BQcThKY3A1bUlMT3BTbThvSm8Kduehba/sI+dEynppChQKxLOEphYHtPax
+ 04xWJaVp66+qbNpvuOHZiwIfX4k8awVOifYndA91iC3AGIM+NhJDTw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-03-19T15:41:09Z"
+ mac: ENC[AES256_GCM,data:8L7GJJ4q8FZgmRUGhbXE2fs8+y3gjy/IPul5h4ciRpRtOsFib9OwQJwv1uh0hGeR51ZFpmWGpbrj4SMD336ZeUwPHTmv8RuCn0P2DUxhpadb4mB7hE/aT+wJ4WWsfVCRRvcUT50/2WoMykNx5wNJAEbf2PXc5cuvYdnqe0HFwuo=,iv:j2yOpGLqcAM+ho7hp7kGuiaqaU4jhWCZQj3FF5NJ6ig=,tag:yKz7IEdC39RPDuvVxE11Mg==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/apps/production/woodpecker-values.yaml b/apps/production/woodpecker-values.yaml
new file mode 100644
index 0000000..08782a7
--- /dev/null
+++ b/apps/production/woodpecker-values.yaml
@@ -0,0 +1,9 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: woodpecker
+ namespace: woodpecker
+spec:
+ chart:
+ spec:
+ version: "0.15.x"