From a64549bda76ec40eee72a63169cc47769fb8385d Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sat, 10 May 2025 13:58:07 +0200 Subject: [PATCH 1/9] feat: add cilium to dev Signed-off-by: Nikolai Emil Damm --- k8s/clusters/dev/apps/flux-kustomization.yaml | 12 ++++++++++++ .../dev/infrastructure/flux-kustomization.yaml | 1 - k8s/clusters/dev/kustomization.yaml | 1 + k8s/clusters/local/apps/flux-kustomization.yaml | 12 ++++++++++++ .../local/infrastructure/flux-kustomization.yaml | 1 - k8s/clusters/local/kustomization.yaml | 1 + .../controllers/cilium/kustomization.yaml | 10 ++++++++++ .../cilium/patches/helm-release-patch.yaml | 15 +++++++++++++++ .../infrastructure/controllers/kustomization.yaml | 4 ++-- .../talos/infrastructure/kustomization.yaml | 4 ++-- 10 files changed, 55 insertions(+), 6 deletions(-) create mode 100644 k8s/distributions/talos/infrastructure/controllers/cilium/kustomization.yaml create mode 100644 k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml diff --git a/k8s/clusters/dev/apps/flux-kustomization.yaml b/k8s/clusters/dev/apps/flux-kustomization.yaml index 63304f693..42dfc4d55 100644 --- a/k8s/clusters/dev/apps/flux-kustomization.yaml +++ b/k8s/clusters/dev/apps/flux-kustomization.yaml @@ -11,6 +11,18 @@ spec: sourceRef: kind: OCIRepository name: flux-system + dependsOn: + - name: infrastructure + decryption: + provider: sops + secretRef: + name: sops-age + postBuild: + substituteFrom: + - kind: ConfigMap + name: variables-dev + - kind: Secret + name: variables-dev-sensitive path: clusters/dev/apps/ prune: true wait: true diff --git a/k8s/clusters/dev/infrastructure/flux-kustomization.yaml b/k8s/clusters/dev/infrastructure/flux-kustomization.yaml index 448a45451..014de268b 100644 --- a/k8s/clusters/dev/infrastructure/flux-kustomization.yaml +++ b/k8s/clusters/dev/infrastructure/flux-kustomization.yaml 
@@ -13,7 +13,6 @@ spec: kind: OCIRepository name: flux-system dependsOn: - - name: variables - name: infrastructure-controllers decryption: provider: sops diff --git a/k8s/clusters/dev/kustomization.yaml b/k8s/clusters/dev/kustomization.yaml index b6f6de5e6..76cf36d07 100644 --- a/k8s/clusters/dev/kustomization.yaml +++ b/k8s/clusters/dev/kustomization.yaml @@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - apps/flux-kustomization.yaml - infrastructure/controllers/flux-kustomization.yaml - infrastructure/flux-kustomization.yaml - variables/flux-kustomization.yaml diff --git a/k8s/clusters/local/apps/flux-kustomization.yaml b/k8s/clusters/local/apps/flux-kustomization.yaml index 6ad63f9d4..f60e2878a 100644 --- a/k8s/clusters/local/apps/flux-kustomization.yaml +++ b/k8s/clusters/local/apps/flux-kustomization.yaml @@ -11,6 +11,18 @@ spec: sourceRef: kind: OCIRepository name: flux-system + dependsOn: + - name: infrastructure + decryption: + provider: sops + secretRef: + name: sops-age + postBuild: + substituteFrom: + - kind: ConfigMap + name: variables-local + - kind: Secret + name: variables-local-sensitive path: clusters/local/apps/ prune: true wait: true diff --git a/k8s/clusters/local/infrastructure/flux-kustomization.yaml b/k8s/clusters/local/infrastructure/flux-kustomization.yaml index 11b9aaefc..9c757ea72 100644 --- a/k8s/clusters/local/infrastructure/flux-kustomization.yaml +++ b/k8s/clusters/local/infrastructure/flux-kustomization.yaml @@ -13,7 +13,6 @@ spec: kind: OCIRepository name: flux-system dependsOn: - - name: variables - name: infrastructure-controllers decryption: provider: sops diff --git a/k8s/clusters/local/kustomization.yaml b/k8s/clusters/local/kustomization.yaml index b6f6de5e6..76cf36d07 100644 --- a/k8s/clusters/local/kustomization.yaml +++ b/k8s/clusters/local/kustomization.yaml 
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - apps/flux-kustomization.yaml - infrastructure/controllers/flux-kustomization.yaml - infrastructure/flux-kustomization.yaml - variables/flux-kustomization.yaml diff --git a/k8s/distributions/talos/infrastructure/controllers/cilium/kustomization.yaml b/k8s/distributions/talos/infrastructure/controllers/cilium/kustomization.yaml new file mode 100644 index 000000000..4c763c13a --- /dev/null +++ b/k8s/distributions/talos/infrastructure/controllers/cilium/kustomization.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: [] +patches: + - target: + kind: HelmRelease + name: cilium + namespace: kube-system + path: patches/helm-release-patch.yaml diff --git a/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml b/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml new file mode 100644 index 000000000..0c4ecf158 --- /dev/null +++ b/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cilium + namespace: kube-system +spec: + # https://github.com/cilium/cilium/blob/main/install/kubernetes/cilium/values.yaml + values: + cgroup: + autoMount: + enabled: false + hostRoot: /sys/fs/cgroup + k8sServiceHost: localhost + k8sServicePort: 7445 diff --git a/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml b/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml index 7ca1d5d4e..1a36a40c0 100644 --- a/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml +++ b/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml 
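Review bot: In the new `cilium/patches/helm-release-patch.yaml`, `k8sServiceHost: localhost` with `k8sServicePort: 7445` and the disabled cgroup auto-mount carry no explanation, so nothing tells a later reader that these values only work on a node that provides a local API-server endpoint on that port. This looks like the Talos KubePrism setup; if so, say it above the values: `# Talos: API server is reached through KubePrism on localhost:7445 (must be enabled in the machine config); Talos already mounts cgroup v2 at /sys/fs/cgroup`. The `values.yaml` link in the existing comment points at `main`, which can drift from the chart version actually deployed, so pinning it to the release tag would keep the reference accurate.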
@@ -1,5 +1,5 @@ --- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -resources: [] - #- ../../../../bases/infrastructure/controllers/ +resources: + - ../../../../bases/infrastructure/controllers/ diff --git a/k8s/distributions/talos/infrastructure/kustomization.yaml b/k8s/distributions/talos/infrastructure/kustomization.yaml index e92f6dfba..0211ac6ad 100644 --- a/k8s/distributions/talos/infrastructure/kustomization.yaml +++ b/k8s/distributions/talos/infrastructure/kustomization.yaml @@ -1,5 +1,5 @@ --- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -resources: [] - #- ../../../bases/infrastructure/ +resources: + - ../../../bases/infrastructure/ From e3314277b1d5400e85dfc42685090dbde9e592db Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sat, 10 May 2025 14:10:03 +0200 Subject: [PATCH 2/9] fix: update SOPS configuration for dev and prod clusters Signed-off-by: Nikolai Emil Damm --- .sops.yaml | 12 +++++++++++- k8s/clusters/dev/variables/secret.enc.yaml | 22 +++++++++++----------- 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index c18cc1eab..fdbf60d0f 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -3,7 +3,17 @@ creation_rules: encrypted_regex: ^(data|stringData)$ age: |- age1fqcl89lrl8daucdkn7xstjhv9mcxk39m59a9mhvw0g3j24kjmu6qcaxpp7 + - path_regex: ^k8s\/clusters\/dev\/.+\.enc\.ya?ml$ + encrypted_regex: ^(data|stringData)$ + age: |- + age1q2vtjmghm5yv3sm426325u0tsgvru758lum8kefhp62fhmhf3afqhrnm3x + - path_regex: ^k8s\/clusters\/prod\/.+\.enc\.ya?ml$ + encrypted_regex: ^(data|stringData)$ + age: |- + age18huaqzzrln439z9nj56kmqnkcu5zrj44y57ml8tlauhh5vj3yqgsa0l9dw - path_regex: ^.+\.enc\.ya?ml$ encrypted_regex: ^(data|stringData)$ age: |- - age1fqcl89lrl8daucdkn7xstjhv9mcxk39m59a9mhvw0g3j24kjmu6qcaxpp7 + age1fqcl89lrl8daucdkn7xstjhv9mcxk39m59a9mhvw0g3j24kjmu6qcaxpp7, + age1q2vtjmghm5yv3sm426325u0tsgvru758lum8kefhp62fhmhf3afqhrnm3x, + age18huaqzzrln439z9nj56kmqnkcu5zrj44y57ml8tlauhh5vj3yqgsa0l9dw diff --git a/k8s/clusters/dev/variables/secret.enc.yaml b/k8s/clusters/dev/variables/secret.enc.yaml index 0ca3f9612..f569d71e0 100644 --- a/k8s/clusters/dev/variables/secret.enc.yaml +++ b/k8s/clusters/dev/variables/secret.enc.yaml 
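Review bot: The catch-all rule at the end of `.sops.yaml` now encrypts to all three recipients, so any `*.enc.yaml` that falls outside `k8s/clusters/dev/` and `k8s/clusters/prod/` is decryptable by whoever holds any one of the keys, including the least protected one. SOPS uses the first matching creation rule, so the separation between dev and prod also depends on the two new rules staying above this fallback. If the fallback is meant only for secrets shared by every environment, record that and the ordering constraint next to it, for example `# fallback for shared secrets: readable by every cluster key; per-cluster rules must stay above this one`. The first rule's `path_regex` is above the hunk, so I cannot tell which paths it still claims.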
@@ -4,21 +4,21 @@ metadata: name: variables-dev-sensitive namespace: flux-system stringData: - dex_client_secret: ENC[AES256_GCM,data:+e5Ci4m7nMWUpkDT42brDaehqE0=,iv:vt18z7crgtdhsa2L371GLCv/acPnD3hNS5ZA2ZktAgw=,tag:nPQRcUHivbfwg98P0hP+6Q==,type:str] - github_app_client_secret: ENC[AES256_GCM,data:ElSZ3N+pvXNWarUiBazdBYme7LGCbbSOCGXpgutMJ8Agt+SHBaCaIw==,iv:TQVSBXGdRdyMGUXUP3YMZjpw4GF/jvA+9Bro2al0sNs=,tag:99sUHhgeVxgvmpXIuRfZ/A==,type:str] - github_app_private_key: ENC[AES256_GCM,data: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,iv:/tby64GY0Q5UPkbg0w81YT6aOBiTNyDBKFFgLB0T1WA=,tag:HZ8/bnRqeO0cFfSPffzhaw==,type:str] + dex_client_secret: ENC[AES256_GCM,data:tOdVZhFh2GCtciIQNBOlc6IqXTg=,iv:pPb8Qm4Yxxm7SzdMXN4sIcXWNdSTdY40LAXIgIangYU=,tag:BjKwaaxFqvdTPBOlJnUejg==,type:str] + github_app_client_secret: ENC[AES256_GCM,data:GfDCRM515Z7u/bcSTfEdMTYicv7CcDHNEen4cuu7Qk9gGMDVSzTZiQ==,iv:05NU5gqRQTsI06HDXdeAzKsrlgcG01XL1UD7RwUIqww=,tag:vKOs1MJHbdDxiuPem9pvFA==,type:str] + github_app_private_key: ENC[AES256_GCM,data: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,iv:iaQu/4tWhLkNevePvoNF4KIxqQr/Zx+mqfvGqLlYYjc=,tag:F4w8EKfr+4zrZ1P2fz7PxA==,type:str] sops: age: - - recipient: age1fqcl89lrl8daucdkn7xstjhv9mcxk39m59a9mhvw0g3j24kjmu6qcaxpp7 + - recipient: age1q2vtjmghm5yv3sm426325u0tsgvru758lum8kefhp62fhmhf3afqhrnm3x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5b20wRER4SWdWdVgwTXpF - ZWxqTExtOFpFc2dpQ2l4bkNPRVZ4R3MyUVVnCnhUYkgxL1UxWGV6ZXBDb2xyQjZq - akJyVzdneUlPaXltNjhpYy9QbWtLVVkKLS0tIDFJUW54QUoxbXh5ZUNRcXBWRWI1 - OE1CVEVqRVBjT3Jqckc1L0gwZ1JTdk0KGKF8qlUINhdrzW3JuplBqQ52s4PfbSo9 - 8HBAS+DlVet6PrlaolKlNjI5qL0u4FZfPwub6AXrI0jIq8XwEGzj/g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcGN3MG9COGxGOGhtTmN6 + SFJsWkVxWjhLOEZpT0Y4WmFkOGxIQy80ZmpjCnAvWGVXOE5INUZ3Wkh1OGxJbjdo + UVo3S1o0UU9tUDV6aGJzK2FzeS9kNzQKLS0tIFpoNVpsQ0dKUUpKU1E3SlppbzQ0 + WHEzdjBFQ1dlcURQMEVQL2lxQXFrM2cKeQMGiRZQjdWI0/faqJDsFSN9eggyr73d + 
q8S5XiZDB+wAFTMaMebscfhSWo/3N8G3EpFdh1GMiVNyLMskzkbARw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-09T15:47:43Z" - mac: ENC[AES256_GCM,data:Zw3zc3sQ6jLMAfj3rkMFbXh86F94JeOmP3caFW+cpqaziPyydXahQ+296Q10n3ydivNbEq2EMEkgjut3fArpN6KTxxTQ3vagpeReq3kOlDqOwdKTAwZ+Xd1IkCvljdUigbpsUWn6pPKvzfrxQ5UiOsA3J4re3ngndrKUqypW98s=,iv:qblri7AXEtDDKAIGJCCRZwrFR8b7Syk3uQphPqQNtNA=,tag:OSYICwjt0IC1IChS+shezQ==,type:str] + lastmodified: "2025-05-10T12:05:56Z" + mac: ENC[AES256_GCM,data:HuaKpCFAsbs/EnLsrWt0AMBlYzVNNEIFN/v7YW43D3PgVyq+Rh7rdJbkC3am9qlmXEbSbMGE0muMcudH+ApPYxRsFwmLvOskvAaEsnd41xiBwA+AIHkODcYcL7h18mSJ8JLXxI/I9+WKfYMf/hPIOds+SaAEI7l5t3PXHS8yJF8=,iv:VekpOes4+E6yO7tPfOILk8IV6n6eE+rdz6wqIAwjffo=,tag:7sLeFJgeN6SZ1mNd1oxO+w==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.10.2 From 0c939839bef47155198059a66e0303deff28bc6b Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sat, 10 May 2025 14:14:51 +0200 Subject: [PATCH 3/9] fix: add security context capabilities for Cilium Signed-off-by: Nikolai Emil Damm --- .../cilium/patches/helm-release-patch.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml b/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml index 0c4ecf158..14cb7c5ad 100644 --- a/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml +++ b/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml @@ -13,3 +13,21 @@ spec: hostRoot: /sys/fs/cgroup k8sServiceHost: localhost k8sServicePort: 7445 + securityContext: + capabilities: + ciliumAgent: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + cleanCiliumState: + - NET_ADMIN + - SYS_ADMIN + - SYS_RESOURCE From c3634d93ccc53e17c9854709897da5f38ac31ac6 Mon Sep 17 00:00:00 2001 
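Review bot: Re-encrypting `k8s/clusters/dev/variables/secret.enc.yaml` to the dev-only recipient does not take access away from the previous recipient, because the old ciphertext wrapped for `age1fqcl89…` remains in Git history. The diff cannot show whether `dex_client_secret`, `github_app_client_secret` and `github_app_private_key` were also changed at the source, since a fresh data key changes the ciphertext either way. If the point of this commit is to isolate dev from the other key, rotate the three values at their issuers and re-encrypt, and note the rotation in the commit message so the history is auditable.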
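Review bot: The `securityContext.capabilities` lists added to `helm-release-patch.yaml` replace the chart defaults with an explicit set that includes `SYS_ADMIN`, `NET_ADMIN` and `DAC_OVERRIDE`, and nothing in the file says why these exact sets were chosen. The lists appear to match the set Talos documents for Cilium (the chart default minus `SYS_MODULE`), which would make this a reduction rather than an escalation, but a reviewer cannot see that from the patch. Add a comment above the block such as `# Talos-documented capability set: chart defaults without SYS_MODULE, which Talos does not allow pods to use` and link the source. The same block is commented out and restored in PATCH 5/9 and 7/9, so the comment should travel with it.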
From: Nikolai Emil Damm Date: Sat, 10 May 2025 14:15:16 +0200 Subject: [PATCH 4/9] fix: reorder cgroup and service configuration in HelmRelease patch Signed-off-by: Nikolai Emil Damm --- .../cilium/patches/helm-release-patch.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml b/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml index 14cb7c5ad..df045bac7 100644 --- a/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml +++ b/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml @@ -7,12 +7,6 @@ metadata: spec: # https://github.com/cilium/cilium/blob/main/install/kubernetes/cilium/values.yaml values: - cgroup: - autoMount: - enabled: false - hostRoot: /sys/fs/cgroup - k8sServiceHost: localhost - k8sServicePort: 7445 securityContext: capabilities: ciliumAgent: @@ -31,3 +25,9 @@ spec: - NET_ADMIN - SYS_ADMIN - SYS_RESOURCE + cgroup: + autoMount: + enabled: false + hostRoot: /sys/fs/cgroup + k8sServiceHost: localhost + k8sServicePort: 7445 From 08a6ebc9d009710b643442db63003c59b9415fee Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sat, 10 May 2025 14:20:15 +0200 Subject: [PATCH 5/9] fix: comment out security context capabilities in HelmRelease patch Signed-off-by: Nikolai Emil Damm --- .../cilium/patches/helm-release-patch.yaml | 36 +++++++++---------- .../controllers/kustomization.yaml | 1 + 2 files changed, 19 insertions(+), 18 deletions(-) diff --git a/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml b/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml index df045bac7..be6c770f1 100644 --- a/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml 
+++ b/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml @@ -7,24 +7,24 @@ metadata: spec: # https://github.com/cilium/cilium/blob/main/install/kubernetes/cilium/values.yaml values: - securityContext: - capabilities: - ciliumAgent: - - CHOWN - - KILL - - NET_ADMIN - - NET_RAW - - IPC_LOCK - - SYS_ADMIN - - SYS_RESOURCE - - DAC_OVERRIDE - - FOWNER - - SETGID - - SETUID - cleanCiliumState: - - NET_ADMIN - - SYS_ADMIN - - SYS_RESOURCE + # securityContext: + # capabilities: + # ciliumAgent: + # - CHOWN + # - KILL + # - NET_ADMIN + # - NET_RAW + # - IPC_LOCK + # - SYS_ADMIN + # - SYS_RESOURCE + # - DAC_OVERRIDE + # - FOWNER + # - SETGID + # - SETUID + # cleanCiliumState: + # - NET_ADMIN + # - SYS_ADMIN + # - SYS_RESOURCE cgroup: autoMount: enabled: false diff --git a/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml b/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml index 1a36a40c0..705d9661b 100644 --- a/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml +++ b/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml @@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../../../bases/infrastructure/controllers/ + - cilium/ From 3ad357d5a4e45319bf1a307a347944a1d26b72d3 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sat, 10 May 2025 14:25:32 +0200 Subject: [PATCH 6/9] fix: update kustomization files for cilium and correct resource paths Signed-off-by: Nikolai Emil Damm --- .../dev/infrastructure/controllers/kustomization.yaml | 2 +- .../controllers/cilium/kustomization.yaml | 10 ---------- .../infrastructure/controllers/kustomization.yaml | 7 ++++++- 3 files changed, 7 insertions(+), 12 deletions(-) delete mode 100644 k8s/distributions/talos/infrastructure/controllers/cilium/kustomization.yaml 
diff --git a/k8s/clusters/dev/infrastructure/controllers/kustomization.yaml b/k8s/clusters/dev/infrastructure/controllers/kustomization.yaml index 32019d524..1fa3e0fca 100644 --- a/k8s/clusters/dev/infrastructure/controllers/kustomization.yaml +++ b/k8s/clusters/dev/infrastructure/controllers/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../../../distributions/talos/infrastructure/controllers + - ../../../../distributions/talos/infrastructure/controllers/ diff --git a/k8s/distributions/talos/infrastructure/controllers/cilium/kustomization.yaml b/k8s/distributions/talos/infrastructure/controllers/cilium/kustomization.yaml deleted file mode 100644 index 4c763c13a..000000000 --- a/k8s/distributions/talos/infrastructure/controllers/cilium/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: [] -patches: - - target: - kind: HelmRelease - name: cilium - namespace: kube-system - path: patches/helm-release-patch.yaml diff --git a/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml b/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml index 705d9661b..da81d963f 100644 --- a/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml +++ b/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml @@ -3,4 +3,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../../../bases/infrastructure/controllers/ - - cilium/ +patches: + - target: + kind: HelmRelease + name: cilium + namespace: kube-system + path: cilium/patches/helm-release-patch.yaml From e316c43979c8e1d67f3d02a3669c5649569941d5 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sat, 10 May 2025 14:27:55 +0200 Subject: [PATCH 7/9] fix: restore security context capabilities in HelmRelease patch 
Signed-off-by: Nikolai Emil Damm --- .../cilium/patches/helm-release-patch.yaml | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml b/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml index be6c770f1..df045bac7 100644 --- a/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml +++ b/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml @@ -7,24 +7,24 @@ metadata: spec: # https://github.com/cilium/cilium/blob/main/install/kubernetes/cilium/values.yaml values: - # securityContext: - # capabilities: - # ciliumAgent: - # - CHOWN - # - KILL - # - NET_ADMIN - # - NET_RAW - # - IPC_LOCK - # - SYS_ADMIN - # - SYS_RESOURCE - # - DAC_OVERRIDE - # - FOWNER - # - SETGID - # - SETUID - # cleanCiliumState: - # - NET_ADMIN - # - SYS_ADMIN - # - SYS_RESOURCE + securityContext: + capabilities: + ciliumAgent: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + cleanCiliumState: + - NET_ADMIN + - SYS_ADMIN + - SYS_RESOURCE cgroup: autoMount: enabled: false From c53699c27d1bc99c559b0f472faf7b8e8c3031b1 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sat, 10 May 2025 14:30:39 +0200 Subject: [PATCH 8/9] feat: add kustomization and flux configurations for production environment 
Signed-off-by: Nikolai Emil Damm --- .../prod/apps/flux-kustomization.yaml | 29 +++++++++++++++++++ k8s/clusters/prod/apps/kustomization.yaml | 5 ++++ .../controllers/flux-kustomization.yaml | 29 +++++++++++++++++++ .../controllers/kustomization.yaml | 5 ++++ .../infrastructure/flux-kustomization.yaml | 29 +++++++++++++++++++ .../prod/infrastructure/kustomization.yaml | 5 ++++ k8s/clusters/prod/kustomization.yaml | 6 +++- k8s/clusters/prod/variables/config-map.yaml | 9 ++++++ .../prod/variables/flux-kustomization.yaml | 20 +++++++++++++ .../prod/variables/kustomization.yaml | 7 +++++ k8s/clusters/prod/variables/secret.enc.yaml | 24 +++++++++++++++ 11 files changed, 167 insertions(+), 1 deletion(-) create mode 100644 k8s/clusters/prod/apps/flux-kustomization.yaml create mode 100644 k8s/clusters/prod/apps/kustomization.yaml create mode 100644 k8s/clusters/prod/infrastructure/controllers/flux-kustomization.yaml create mode 100644 k8s/clusters/prod/infrastructure/controllers/kustomization.yaml create mode 100644 k8s/clusters/prod/infrastructure/flux-kustomization.yaml create mode 100644 k8s/clusters/prod/infrastructure/kustomization.yaml create mode 100644 k8s/clusters/prod/variables/config-map.yaml create mode 100644 k8s/clusters/prod/variables/flux-kustomization.yaml create mode 100644 k8s/clusters/prod/variables/kustomization.yaml create mode 100644 k8s/clusters/prod/variables/secret.enc.yaml diff --git a/k8s/clusters/prod/apps/flux-kustomization.yaml b/k8s/clusters/prod/apps/flux-kustomization.yaml new file mode 100644 index 000000000..8472866d1 --- /dev/null +++ b/k8s/clusters/prod/apps/flux-kustomization.yaml 
@@ -0,0 +1,29 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: apps + namespace: flux-system +spec: + interval: 60m + timeout: 3m + retryInterval: 2m + sourceRef: + kind: OCIRepository + name: flux-system + dependsOn: + - name: infrastructure + decryption: + provider: sops + secretRef: + name: sops-age + postBuild: + substituteFrom: + - kind: ConfigMap + name: variables-prod + - kind: Secret + name: variables-prod-sensitive + path: clusters/prod/apps/ + prune: true + wait: true + force: true diff --git a/k8s/clusters/prod/apps/kustomization.yaml b/k8s/clusters/prod/apps/kustomization.yaml new file mode 100644 index 000000000..6fc4f2175 --- /dev/null +++ b/k8s/clusters/prod/apps/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../distributions/talos/infrastructure diff --git a/k8s/clusters/prod/infrastructure/controllers/flux-kustomization.yaml b/k8s/clusters/prod/infrastructure/controllers/flux-kustomization.yaml new file mode 100644 index 000000000..c9bfcdf4d --- /dev/null +++ b/k8s/clusters/prod/infrastructure/controllers/flux-kustomization.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: infrastructure-controllers + namespace: flux-system +spec: + interval: 5m + timeout: 2m + retryInterval: 1m + path: clusters/prod/infrastructure/controllers/ + sourceRef: + kind: OCIRepository + name: flux-system + dependsOn: + - name: variables + decryption: + provider: sops + secretRef: + name: sops-age + postBuild: + substituteFrom: + - kind: ConfigMap + name: variables-prod + - kind: Secret + name: variables-prod-sensitive + wait: true + prune: true + force: true diff --git a/k8s/clusters/prod/infrastructure/controllers/kustomization.yaml b/k8s/clusters/prod/infrastructure/controllers/kustomization.yaml new file mode 100644 index 000000000..1fa3e0fca --- /dev/null 
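Review bot: `force: true` together with `prune: true` in the new `k8s/clusters/prod/apps/flux-kustomization.yaml` lets the controller delete and recreate an object whenever an immutable field changes, which in production means an unreviewed outage or data loss for stateful resources. The same pair is set in the prod `infrastructure/controllers`, `infrastructure` and `variables` Flux Kustomizations added by this commit. Unless prod is meant to behave exactly like a disposable cluster, drop the field or set `force: false` there and force individual objects with the `kustomize.toolkit.fluxcd.io/force: enabled` annotation when a recreate is actually wanted.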
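Review bot: The new `k8s/clusters/prod/apps/kustomization.yaml` lists `../../../distributions/talos/infrastructure` as its only resource, the same path used by `k8s/clusters/prod/infrastructure/kustomization.yaml` later in this commit. That looks like a copy-paste slip: the `apps` and `infrastructure` Flux Kustomizations would then both apply and prune the same objects and contend for ownership of them. If an apps overlay exists for this distribution, the line should presumably read `- ../../../distributions/talos/apps`; I cannot confirm that path from the diff, so check it against the dev cluster's apps overlay.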
+++ b/k8s/clusters/prod/infrastructure/controllers/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../../distributions/talos/infrastructure/controllers/ diff --git a/k8s/clusters/prod/infrastructure/flux-kustomization.yaml b/k8s/clusters/prod/infrastructure/flux-kustomization.yaml new file mode 100644 index 000000000..ea4293c4d --- /dev/null +++ b/k8s/clusters/prod/infrastructure/flux-kustomization.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: infrastructure + namespace: flux-system +spec: + interval: 5m + timeout: 2m + retryInterval: 1m + path: clusters/prod/infrastructure/ + sourceRef: + kind: OCIRepository + name: flux-system + dependsOn: + - name: infrastructure-controllers + decryption: + provider: sops + secretRef: + name: sops-age + postBuild: + substituteFrom: + - kind: ConfigMap + name: variables-prod + - kind: Secret + name: variables-prod-sensitive + wait: true + prune: true + force: true diff --git a/k8s/clusters/prod/infrastructure/kustomization.yaml b/k8s/clusters/prod/infrastructure/kustomization.yaml new file mode 100644 index 000000000..6fc4f2175 --- /dev/null +++ b/k8s/clusters/prod/infrastructure/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../distributions/talos/infrastructure diff --git a/k8s/clusters/prod/kustomization.yaml b/k8s/clusters/prod/kustomization.yaml index fe0f332a9..76cf36d07 100644 --- a/k8s/clusters/prod/kustomization.yaml +++ b/k8s/clusters/prod/kustomization.yaml @@ -1,4 +1,8 @@ --- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -resources: [] +resources: + - apps/flux-kustomization.yaml + - infrastructure/controllers/flux-kustomization.yaml + - infrastructure/flux-kustomization.yaml + - variables/flux-kustomization.yaml 
diff --git a/k8s/clusters/prod/variables/config-map.yaml b/k8s/clusters/prod/variables/config-map.yaml new file mode 100644 index 000000000..08e3b1d47 --- /dev/null +++ b/k8s/clusters/prod/variables/config-map.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: variables-prod + namespace: flux-system +data: + domain: prod.devantler.tech + github_app_client_id: Iv23liZ8GHRgpx32Em2y diff --git a/k8s/clusters/prod/variables/flux-kustomization.yaml b/k8s/clusters/prod/variables/flux-kustomization.yaml new file mode 100644 index 000000000..013239e6c --- /dev/null +++ b/k8s/clusters/prod/variables/flux-kustomization.yaml @@ -0,0 +1,20 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: variables + namespace: flux-system +spec: + interval: 5m + timeout: 2m + retryInterval: 1m + path: clusters/prod/variables/ + sourceRef: + kind: OCIRepository + name: flux-system + decryption: + provider: sops + secretRef: + name: sops-age + wait: true + prune: true + force: true diff --git a/k8s/clusters/prod/variables/kustomization.yaml b/k8s/clusters/prod/variables/kustomization.yaml new file mode 100644 index 000000000..5bda90a1a --- /dev/null +++ b/k8s/clusters/prod/variables/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../../distributions/talos/variables + - config-map.yaml + - secret.enc.yaml diff --git a/k8s/clusters/prod/variables/secret.enc.yaml b/k8s/clusters/prod/variables/secret.enc.yaml new file mode 100644 index 000000000..af5f6563d --- /dev/null +++ b/k8s/clusters/prod/variables/secret.enc.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Secret +metadata: + name: variables-dev-sensitive + namespace: flux-system +stringData: + dex_client_secret: ENC[AES256_GCM,data:N2lx0i3cU5/tvNOD8VGXD0Deui0=,iv:wd7GKLALtuptqKgcTW+PLQGcMJbce02dOd0m+y6ipZM=,tag:YG0w3pS7DkG+DWdg5K+Idg==,type:str] + github_app_client_secret: ENC[AES256_GCM,data:MqpUJOm7rBTBnh/dMjmu8JZGxpuEIwBxclc7+4yuzJsn8Q4P0a6Jhw==,iv:sOBoblUdfzbl+IX2wu5gwGUmr5vOBgTMF1wD1WOxqpQ=,tag:0P62JkP4hk3z/iTpWkoHNw==,type:str] + github_app_private_key: ENC[AES256_GCM,data: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,iv:o4Q7KwCOhekFO44TxRM0V9uDgIMnZVtNyhg8JZOA5Ts=,tag:XINc2NtdirAjEZHTYOq1Sw==,type:str] +sops: + age: + - recipient: age18huaqzzrln439z9nj56kmqnkcu5zrj44y57ml8tlauhh5vj3yqgsa0l9dw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRTRBWmpXMEtIeWVLNWZp + QlpXV0VuRWxoSkZkdmtoZzViUCs4MWJsYlhrCnhHSUZwS0lXb2s5VXlPK0lvVjlF + bTBIY1NQZEoxMWQrdmx5WThvNlNlWlUKLS0tIFl1MituUnp6WThOd29zYkdhSkpt + UU5CNmM0eHVwMURtSWJzRkRCdEk2c3MKKiisA8AGWwUEvDsgJ+oqwSlmscNR2+5z + DCudOY0vl+rqhsHMGdkjRkK29LYuWBI125U2VZqMlPdMlhmRYcQAjA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-05-10T12:30:09Z" + mac: ENC[AES256_GCM,data:VDkP3um1ch27aPpesAtwLZjJcAB7MeRlFu61wG18HD+O9WQbEPc12NGHsX8JLPC51FGAB6N3opZ38paX1JkKpctuYC7gwl87i3yBITAhaOtFcgT8rWzpzCt29YzhJNZ7aflLpb4S7Bsf6X0PE89EJxJqwGnbt/Rgaz/FEXFxJLU=,iv:jTlj7IJsmwaqzy5DFxnZNUQUiEXO56tOp1CzkuqCFhU=,tag:NbrepcnCVp6GrnRbc4d7zQ==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 From b2f0cceb84468f81e4b64df64e3972a01608b4d7 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sat, 10 May 2025 14:40:40 +0200 Subject: [PATCH 9/9] fix: change concurrency cancel-in-progress setting to false in deploy workflow Signed-off-by: Nikolai Emil Damm --- .github/workflows/deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
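Review bot: The new `k8s/clusters/prod/variables/secret.enc.yaml` declares `metadata.name: variables-dev-sensitive`, while every prod Flux Kustomization in this commit reads `substituteFrom` from a Secret named `variables-prod-sensitive`. As written, prod substitution has no Secret to read, and on any cluster that also carries the dev overlay the prod values would overwrite the dev Secret of that name. The line should be `name: variables-prod-sensitive`. Make the change with `sops` rather than by hand, because SOPS by default includes unencrypted values in the file's MAC and a manual edit would leave the `mac` field stale.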
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index b16c830ef..b2b8c5c4f 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -10,7 +10,7 @@ on: concurrency: group: ${{ github.workflow }} - cancel-in-progress: true + cancel-in-progress: false permissions: contents: read
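Review bot: The switch to `cancel-in-progress: false` in `deploy.yaml` has no comment, and the reason matters for anyone who later tunes the workflow: a cancelled deploy can leave a cluster half-reconciled. Since the group is `${{ github.workflow }}`, all refs share one queue, and GitHub keeps only the newest pending run in a group, so intermediate pushes may never be deployed on their own. A short comment above the key would record both facts, for example `# never cancel a deploy mid-run; queued runs wait and only the newest pending run is kept`.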