From bd507cc869a0e5a420f31965766910efe992613e Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Thu, 22 May 2025 19:58:59 +0200
Subject: [PATCH 01/12] feat(traefik): add Traefik configuration files and resources
Signed-off-by: Nikolai Emil Damm
---
 .../controllers/kustomization.yaml | 1 +
 .../{ => controllers}/traefik/README.md | 0
 .../controllers/traefik/helm-release.yaml | 45 +++++++++++++++++++
 .../traefik/helm-repository.yaml | 0
 .../traefik/kustomization.yaml | 0
 .../controllers/traefik/namespace.yaml | 8 ++++
 .../infrastructure/traefik/namespace.yaml | 8 ----
 7 files changed, 54 insertions(+), 8 deletions(-)
 rename k8s/bases/infrastructure/{ => controllers}/traefik/README.md (100%)
 create mode 100644 k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
 rename k8s/bases/infrastructure/{ => controllers}/traefik/helm-repository.yaml (100%)
 rename k8s/bases/infrastructure/{ => controllers}/traefik/kustomization.yaml (100%)
 create mode 100644 k8s/bases/infrastructure/controllers/traefik/namespace.yaml
 delete mode 100644 k8s/bases/infrastructure/traefik/namespace.yaml
diff --git a/k8s/bases/infrastructure/controllers/kustomization.yaml b/k8s/bases/infrastructure/controllers/kustomization.yaml
index 1166be111..fa0ef4402 100644
--- a/k8s/bases/infrastructure/controllers/kustomization.yaml
+++ b/k8s/bases/infrastructure/controllers/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
 - cert-manager/
 - cilium/
 - reloader/
+ - traefik/
diff --git a/k8s/bases/infrastructure/traefik/README.md b/k8s/bases/infrastructure/controllers/traefik/README.md
similarity index 100%
rename from k8s/bases/infrastructure/traefik/README.md
rename to k8s/bases/infrastructure/controllers/traefik/README.md
diff --git a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
new file mode 100644
index 000000000..02e0e0c02
--- /dev/null
+++ b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
@@ -0,0 +1,45 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: traefik
+ namespace: traefik
+spec:
+ interval: 10m
+ chart:
+ spec:
+ chart: traefik
+ version: 35.2.0
+ sourceRef:
+ kind: HelmRepository
+ name: traefik
+ # https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml
+ values:
+ ports:
+ web:
+ redirectTo:
+ port: websecure
+ # websecure:
+ # middlewares:
+ # - traefik-auth-headers@kubernetescrd
+ # tlsStore:
+ # default:
+ # defaultCertificate:
+ # secretName: cluster-issuer-certificate-tls
+ # service:
+ # type: ${traefik_service_type:=ClusterIP}
+ # spec:
+ # loadBalancerIP: ${traefik_ingress_load_balancer_ip}
+ ingressRoute:
+ dashboard:
+ enabled: true
+ matchRule: Host(`traefik.${domain}`)
+ entryPoints:
+ - websecure
+ # middlewares:
+ # - name: traefik-forward-auth
+ # annotations:
+ # gethomepage.dev/enabled: "true"
+ # gethomepage.dev/name: Traefik
+ # gethomepage.dev/description: Dashboard for monitoring the traefik reverse proxy.
+ # gethomepage.dev/group: Monitoring
+ # gethomepage.dev/icon: traefik
diff --git a/k8s/bases/infrastructure/traefik/helm-repository.yaml b/k8s/bases/infrastructure/controllers/traefik/helm-repository.yaml
similarity index 100%
rename from k8s/bases/infrastructure/traefik/helm-repository.yaml
rename to k8s/bases/infrastructure/controllers/traefik/helm-repository.yaml
diff --git a/k8s/bases/infrastructure/traefik/kustomization.yaml b/k8s/bases/infrastructure/controllers/traefik/kustomization.yaml
similarity index 100%
rename from k8s/bases/infrastructure/traefik/kustomization.yaml
rename to k8s/bases/infrastructure/controllers/traefik/kustomization.yaml
diff --git a/k8s/bases/infrastructure/controllers/traefik/namespace.yaml b/k8s/bases/infrastructure/controllers/traefik/namespace.yaml
new file mode 100644
index 000000000..b9947468c
--- /dev/null
+++ b/k8s/bases/infrastructure/controllers/traefik/namespace.yaml
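Review bot: `ingressRoute.dashboard.enabled: true` publishes the dashboard route on `websecure` for `Host(`traefik.${domain}`)` while the `# middlewares:` / `# - name: traefik-forward-auth` entry directly below it stays commented out, so nothing in this file authenticates requests to that host; in the Traefik chart this route presumably fronts the `api@internal` router, i.e. the dashboard and the read-only configuration API. On any cluster that ends up with a LoadBalancer Service (PATCH 09 makes that the fallback) this is an unauthenticated listing of router, service and middleware names for whoever can reach the hostname. Either uncomment the middleware block, or keep `enabled: false` until the forward-auth middleware exists in the cluster, and record the decision in a comment such as `# dashboard must stay behind traefik-forward-auth; do not enable without it`.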
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: traefik
+ # labels:
+ # goldilocks.fairwinds.com/enabled: "true"
+ # goldilocks.fairwinds.com/vpa-update-mode: "auto"
+ # goldilocks.fairwinds.com/vpa-min-replicas: "1"
diff --git a/k8s/bases/infrastructure/traefik/namespace.yaml b/k8s/bases/infrastructure/traefik/namespace.yaml
deleted file mode 100644
index 99521c5eb..000000000
--- a/k8s/bases/infrastructure/traefik/namespace.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: traefik
- labels:
- goldilocks.fairwinds.com/enabled: "true"
- goldilocks.fairwinds.com/vpa-update-mode: "auto"
- goldilocks.fairwinds.com/vpa-min-replicas: "1"
From 9a6d38ccd806a7f17a47eac508b6c430ac47ae4c Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Thu, 22 May 2025 20:10:46 +0200
Subject: [PATCH 02/12] fix(traefik): correct web port redirection configuration
Signed-off-by: Nikolai Emil Damm
---
 .../infrastructure/controllers/traefik/helm-release.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
index 02e0e0c02..7c2754580 100644
--- a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
+++ b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
@@ -16,8 +16,11 @@ spec:
 values:
 ports:
 web:
- redirectTo:
- port: websecure
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ permanent: true
 # websecure:
 # middlewares:
 # - traefik-auth-headers@kubernetescrd
From b016b72ba82e3a07c6406706ca99f624acaf670a Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Thu, 22 May 2025 20:11:33 +0200
Subject: [PATCH 03/12] fix(traefik): remove unnecessary redirection scheme and permanence settings
Signed-off-by: Nikolai Emil Damm
---
 k8s/bases/infrastructure/controllers/traefik/helm-release.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
index 7c2754580..20be134e4 100644
--- a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
+++ b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
@@ -19,8 +19,6 @@ spec:
 redirections:
 entryPoint:
 to: websecure
- scheme: https
- permanent: true
 # websecure:
 # middlewares:
 # - traefik-auth-headers@kubernetescrd
From b3b7c4dceae40e5a6b425abdd7b9b99483ae0b1d Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Thu, 22 May 2025 20:14:40 +0200
Subject: [PATCH 04/12] fix(policyignore): expand ignored patterns for various resources
Signed-off-by: Nikolai Emil Damm
---
 .policyignore | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/.policyignore b/.policyignore
index ad49bbb94..4662a3f44 100644
--- a/.policyignore
+++ b/.policyignore
@@ -6,13 +6,34 @@
 *README.md
 argo*
 aws*
+best-practices-cel*
+best-practices*
 castai*
+cert-manager*
+cleanup*
 consul*
+external-secret-operator*
+flux-cel*
+flux*
 istio*
+karpenter*
 kasten*
+kubecost-cel*
+kubecost*
+kubevirt*
 linkerd*
 nginx*
 openshift*
+other-cel*
+other*
+pod-security-cel*
+pod-security*
+psa-cel*
+psa*
+psp-migration-cel*
+psp-migration*
 tekton*
+traefik-cel*
+traefik*
 velero*
 windows-security*
From 8c7713f540b8bf270440106628359139d5328556 Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Thu, 22 May 2025 20:18:07 +0200
Subject: [PATCH 05/12] fix(traefik): update redirection configuration to use HTTPS scheme and remove deprecated HelmRelease
Signed-off-by: Nikolai Emil Damm
---
 .../controllers/traefik/helm-release.yaml | 1 +
 .../infrastructure/traefik/helm-release.yaml | 52 ------------------
 2 files changed, 1 insertion(+), 52 deletions(-)
 delete mode 100644 k8s/bases/infrastructure/traefik/helm-release.yaml
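Review bot: The added `pod-security*`, `psa*`, `psp-migration*` and `best-practices*` patterns (with their `-cel*` twins) switch off entire policy families rather than the individual rules that were presumably failing, and the commit message gives no reason for any of the 21 new entries. The consumer of `.policyignore` is not visible here, but the names line up with the category directories of the Kyverno policy library, in which case this drops the pod-security baseline checks for every manifest in the repository at once; that deserves a per-pattern justification (inline if the format allows comments, otherwise in the commit message). Consider ignoring only the concrete rule names that fire and keeping the `pod-security*` / `psa*` families active. The first five lines of the file are outside the hunk.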
diff --git a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
index 20be134e4..3786864ed 100644
--- a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
+++ b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
@@ -19,6 +19,7 @@ spec:
 redirections:
 entryPoint:
 to: websecure
+ scheme: https
 # websecure:
 # middlewares:
 # - traefik-auth-headers@kubernetescrd
diff --git a/k8s/bases/infrastructure/traefik/helm-release.yaml b/k8s/bases/infrastructure/traefik/helm-release.yaml
deleted file mode 100644
index e917a32fd..000000000
--- a/k8s/bases/infrastructure/traefik/helm-release.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: traefik
- namespace: traefik
- labels:
- helm.toolkit.fluxcd.io/crds: enabled
- helm.toolkit.fluxcd.io/helm-test: enabled
- helm.toolkit.fluxcd.io/remediation: enabled
-spec:
- interval: 10m
- dependsOn:
- - name: cert-manager
- namespace: cert-manager
- chart:
- spec:
- chart: traefik
- version: 35.3.0
- sourceRef:
- kind: HelmRepository
- name: traefik
- # https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml
- values:
- ports:
- web:
- redirectTo:
- port: websecure
- websecure:
- middlewares:
- - traefik-auth-headers@kubernetescrd
- tlsStore:
- default:
- defaultCertificate:
- secretName: cluster-issuer-certificate-tls
- service:
- type: ${traefik_service_type:=ClusterIP}
- spec:
- loadBalancerIP: ${traefik_ingress_load_balancer_ip}
- ingressRoute:
- dashboard:
- enabled: true
- matchRule: Host(`traefik.${cluster_domain}`)
- entryPoints:
- - websecure
- middlewares:
- - name: traefik-forward-auth
- annotations:
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Traefik
- gethomepage.dev/description: Dashboard for monitoring the traefik reverse proxy.
- gethomepage.dev/group: Monitoring
- gethomepage.dev/icon: traefik
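Review bot: The added `scheme: https` now sends every HTTP request to `websecure`, but the HelmRelease deleted in the second hunk shows what that entry point used to carry and what the new file still keeps commented out: `dependsOn: - name: cert-manager`, the `tlsStore.default.defaultCertificate.secretName: cluster-issuer-certificate-tls` default certificate, and the `traefik-auth-headers@kubernetescrd` middleware (the `# websecure:` / `# middlewares:` context directly under the added line). Until those come back, `websecure` presumably terminates TLS with Traefik's built-in default certificate and without the header middleware, so the redirect upgrades the scheme but not the protection behind it; a comment stating whether that is temporary, e.g. `# TODO: restore tlsStore and auth-headers middleware before relying on websecure`, would make the intent clear. The chart pin also moves from `35.3.0` in the deleted file to `35.2.0` in the new one, which reads like an unintended downgrade. The enclosing `ports:` block starts before the hunk.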
From eb716bb1568e5f3b076ee0942c4a7a3ae5befbac Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Thu, 22 May 2025 20:24:53 +0200
Subject: [PATCH 06/12] fix(traefik): update dashboard ingress route match rule to include API path prefix
Signed-off-by: Nikolai Emil Damm
---
 k8s/bases/infrastructure/controllers/traefik/helm-release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
index 3786864ed..711e37b7d 100644
--- a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
+++ b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
@@ -34,7 +34,7 @@ spec:
 ingressRoute:
 dashboard:
 enabled: true
- matchRule: Host(`traefik.${domain}`)
+ matchRule: Host(`traefik.${domain}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
 entryPoints:
 - websecure
 # middlewares:
From 6406c25dd19a7f08b6a798d7faab382c28b04117 Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Thu, 22 May 2025 20:29:18 +0200
Subject: [PATCH 07/12] fix(traefik): simplify dashboard ingress route match rule by removing API path prefix
Signed-off-by: Nikolai Emil Damm
---
 k8s/bases/infrastructure/controllers/traefik/helm-release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
index 711e37b7d..3786864ed 100644
--- a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
+++ b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
@@ -34,7 +34,7 @@ spec:
 ingressRoute:
 dashboard:
 enabled: true
- matchRule: Host(`traefik.${domain}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+ matchRule: Host(`traefik.${domain}`)
 entryPoints:
 - websecure
 # middlewares:
From 0c09f58593d31e4b3fd00bd11f34e2922524c138 Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Fri, 23 May 2025 16:31:55 +0200
Subject: [PATCH 08/12] chore(cloudflared): remove obsolete HelmRelease, HelmRepository, and related configurations
Signed-off-by: Nikolai Emil Damm
---
 .../infrastructure/cloudflared/README.md | 6 -----
 .../cloudflared/helm-release.yaml | 22 -------------------
 .../cloudflared/helm-repository.yaml | 7 ------
 .../cloudflared/kustomization.yaml | 6 -----
 .../infrastructure/cloudflared/namespace.yaml | 8 -------
 5 files changed, 49 deletions(-)
 delete mode 100644 k8s/bases/infrastructure/cloudflared/README.md
 delete mode 100644 k8s/bases/infrastructure/cloudflared/helm-release.yaml
 delete mode 100644 k8s/bases/infrastructure/cloudflared/helm-repository.yaml
 delete mode 100644 k8s/bases/infrastructure/cloudflared/kustomization.yaml
 delete mode 100644 k8s/bases/infrastructure/cloudflared/namespace.yaml
diff --git a/k8s/bases/infrastructure/cloudflared/README.md b/k8s/bases/infrastructure/cloudflared/README.md
deleted file mode 100644
index d0d5b06de..000000000
--- a/k8s/bases/infrastructure/cloudflared/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# Cloudflared
-
-Cloudflared is a tunneling daemon based on Wireguard that can proxy a local webserver through the Cloudflare network. It is used to make the local Kubernetes cluster available on the internet.
-
-- [Documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/)
-- [Helm Chart](https://github.com/cloudflare/helm-charts)
diff --git a/k8s/bases/infrastructure/cloudflared/helm-release.yaml b/k8s/bases/infrastructure/cloudflared/helm-release.yaml
deleted file mode 100644
index f49371ce9..000000000
--- a/k8s/bases/infrastructure/cloudflared/helm-release.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: cloudflared
- namespace: cloudflared
- labels:
- helm.toolkit.fluxcd.io/crds: enabled
- helm.toolkit.fluxcd.io/helm-test: enabled
- helm.toolkit.fluxcd.io/remediation: enabled
-spec:
- interval: 10m
- chart:
- spec:
- chart: cloudflare-tunnel-remote
- version: 0.1.2
- sourceRef:
- kind: HelmRepository
- name: cloudflared
- # https://github.com/cloudflare/helm-charts/blob/main/charts/cloudflare-tunnel-remote/values.yaml
- values:
- cloudflare:
- tunnel_token: ${cloudflared_tunnel_token}
diff --git a/k8s/bases/infrastructure/cloudflared/helm-repository.yaml b/k8s/bases/infrastructure/cloudflared/helm-repository.yaml
deleted file mode 100644
index dc2ce6acf..000000000
--- a/k8s/bases/infrastructure/cloudflared/helm-repository.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: cloudflared
- namespace: cloudflared
-spec:
- url: https://cloudflare.github.io/helm-charts
diff --git a/k8s/bases/infrastructure/cloudflared/kustomization.yaml b/k8s/bases/infrastructure/cloudflared/kustomization.yaml
deleted file mode 100644
index 7edec9cc4..000000000
--- a/k8s/bases/infrastructure/cloudflared/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - namespace.yaml
- - helm-release.yaml
- - helm-repository.yaml
diff --git a/k8s/bases/infrastructure/cloudflared/namespace.yaml b/k8s/bases/infrastructure/cloudflared/namespace.yaml
deleted file mode 100644
index f6cd68241..000000000
--- a/k8s/bases/infrastructure/cloudflared/namespace.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: cloudflared
- labels:
- goldilocks.fairwinds.com/enabled: "true"
- goldilocks.fairwinds.com/vpa-update-mode: "auto"
- goldilocks.fairwinds.com/vpa-min-replicas: "1"
From 0cfbfd97597597cb43a185ef5693344bf9400f68 Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Fri, 23 May 2025 16:32:13 +0200
Subject: [PATCH 09/12] fix(traefik): update service type to LoadBalancer in helm-release configuration
Signed-off-by: Nikolai Emil Damm
---
 .../infrastructure/controllers/traefik/helm-release.yaml | 6 ++----
 .../dev/variables/variables-cluster-config-map.yaml | 1 +
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
index 3786864ed..7a90ee3bb 100644
--- a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
+++ b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
@@ -27,10 +27,8 @@ spec:
 # default:
 # defaultCertificate:
 # secretName: cluster-issuer-certificate-tls
- # service:
- # type: ${traefik_service_type:=ClusterIP}
- # spec:
- # loadBalancerIP: ${traefik_ingress_load_balancer_ip}
+ service:
+ type: ${traefik_service_type:=LoadBalancer}
 ingressRoute:
 dashboard:
 enabled: true
diff --git a/k8s/clusters/dev/variables/variables-cluster-config-map.yaml b/k8s/clusters/dev/variables/variables-cluster-config-map.yaml
index 761db3b33..5767fc983 100644
--- a/k8s/clusters/dev/variables/variables-cluster-config-map.yaml
+++ b/k8s/clusters/dev/variables/variables-cluster-config-map.yaml
@@ -7,3 +7,4 @@ metadata:
 data:
 domain: dev.devantler.tech
 github_app_client_id: Iv23liZ8GHRgpx32Em2y
+ traefik_service_type: ClusterIP
From e8c18c206885d3f94788b91bc1f14ba8ce56bbcd Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Fri, 23 May 2025 16:32:51 +0200
Subject: [PATCH 10/12] feat(cloudflared): add HelmRelease, HelmRepository, and related configurations for Cloudflared
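Review bot: The fallback in `type: ${traefik_service_type:=LoadBalancer}` turns the base into an externally reachable Service for every cluster that does not set the variable, which is a default-open change; both cluster ConfigMaps in this series (dev in this patch, prod in PATCH 11) set `traefik_service_type: ClusterIP`, so the new default only ever takes effect when a cluster forgets to set it. Keeping `type: ${traefik_service_type:=ClusterIP}` and opting into LoadBalancer per cluster is the safer shape, particularly while the dashboard IngressRoute in the same file is enabled without an auth middleware. Dropping the `spec.loadBalancerIP` lines is fine as long as no overlay still sets `traefik_ingress_load_balancer_ip` expecting it to apply; worth a quick grep before merging.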
Signed-off-by: Nikolai Emil Damm
---
 .../variables-cluster-secret.enc.yaml | 21 +++++++++---------
 .../infrastructure/cloudflared/README.md | 6 +++++
 .../cloudflared/helm-release.yaml | 22 +++++++++++++++++++
 .../cloudflared/helm-repository.yaml | 7 ++++++
 .../cloudflared/kustomization.yaml | 6 +++++
 .../infrastructure/cloudflared/namespace.yaml | 8 +++++++
 .../talos/infrastructure/kustomization.yaml | 1 +
 7 files changed, 61 insertions(+), 10 deletions(-)
 create mode 100644 k8s/distributions/talos/infrastructure/cloudflared/README.md
 create mode 100644 k8s/distributions/talos/infrastructure/cloudflared/helm-release.yaml
 create mode 100644 k8s/distributions/talos/infrastructure/cloudflared/helm-repository.yaml
 create mode 100644 k8s/distributions/talos/infrastructure/cloudflared/kustomization.yaml
 create mode 100644 k8s/distributions/talos/infrastructure/cloudflared/namespace.yaml
diff --git a/k8s/clusters/dev/variables/variables-cluster-secret.enc.yaml b/k8s/clusters/dev/variables/variables-cluster-secret.enc.yaml
index 249a68a00..fe4025394 100644
--- a/k8s/clusters/dev/variables/variables-cluster-secret.enc.yaml
+++ b/k8s/clusters/dev/variables/variables-cluster-secret.enc.yaml
@@ -4,21 +4,22 @@ metadata: name: variables-cluster namespace: flux-system stringData: - dex_client_secret: ENC[AES256_GCM,data:tOdVZhFh2GCtciIQNBOlc6IqXTg=,iv:pPb8Qm4Yxxm7SzdMXN4sIcXWNdSTdY40LAXIgIangYU=,tag:BjKwaaxFqvdTPBOlJnUejg==,type:str] - github_app_client_secret: ENC[AES256_GCM,data:GfDCRM515Z7u/bcSTfEdMTYicv7CcDHNEen4cuu7Qk9gGMDVSzTZiQ==,iv:05NU5gqRQTsI06HDXdeAzKsrlgcG01XL1UD7RwUIqww=,tag:vKOs1MJHbdDxiuPem9pvFA==,type:str] - github_app_private_key: ENC[AES256_GCM,data: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,iv:iaQu/4tWhLkNevePvoNF4KIxqQr/Zx+mqfvGqLlYYjc=,tag:F4w8EKfr+4zrZ1P2fz7PxA==,type:str] + cloudflared_tunnel_token: ENC[AES256_GCM,data:uTQEeJ45EG5TyUu9I5WSUZVqPHkR3XLZrssdCYm5skgVqXqCIcAirILlYyXWDCCSywxwDcPEnSlnj3Bk4ctvXdSskS9eptNv3VsO4KgYJW5Kwv8RCksgR8h3NmRSXSuMfNS5IOdmVGCp+8IjXD30+bFn98TsByPDX4sUanxQpwV1LJCoduZIckv5cGD1Hvj3T4LSqEv0Trk0KG6yYPlsG1KN8tNsDYwCF8D+Qwy7AAbeBzGT/2hGcQ==,iv:/JW5ftilZFMayltE2RkP1mvYd58mhBNz1lgRi8jM5zQ=,tag:s/IKkb1EH4wnK9SiHO8smA==,type:str] + dex_client_secret: ENC[AES256_GCM,data:wDXfLk083EYkp3NgngWmclcOegU=,iv:0/JKWrVKcdOya6AyNWXfNh/WF7lFX12eqZMHJb7NXHc=,tag:zoLVCeBafJHRtnP2EHWLoQ==,type:str] + github_app_client_secret: ENC[AES256_GCM,data:vvY+8+BujzBjj3UE82TOWS6ZKWRoN5a6rTHlE44MIzERqHPtcAJryA==,iv:YkPH3EOX2bSez5rJ5MieuPltRSNMKoXhWXzqClyOjQY=,tag:UNBKTekSzznLsfQmvlH7zQ==,type:str] + github_app_private_key: ENC[AES256_GCM,data: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,iv:p+dGenoMUDiKm8qs8EOSgMtbjObTpgnPAdcPoXdP4Fs=,tag:fqqtXZ6eT+ArlThXD0LySA==,type:str] sops: age: - recipient: age1q2vtjmghm5yv3sm426325u0tsgvru758lum8kefhp62fhmhf3afqhrnm3x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcGN3MG9COGxGOGhtTmN6 - SFJsWkVxWjhLOEZpT0Y4WmFkOGxIQy80ZmpjCnAvWGVXOE5INUZ3Wkh1OGxJbjdo - UVo3S1o0UU9tUDV6aGJzK2FzeS9kNzQKLS0tIFpoNVpsQ0dKUUpKU1E3SlppbzQ0 - WHEzdjBFQ1dlcURQMEVQL2lxQXFrM2cKeQMGiRZQjdWI0/faqJDsFSN9eggyr73d - q8S5XiZDB+wAFTMaMebscfhSWo/3N8G3EpFdh1GMiVNyLMskzkbARw== 
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZbGhTREpyL1ZreXBBR2d2 + VU55Z0luU3pIZkJIZ1krVWRmK3psN3dZMzI4CnptbUdCZlh1QnlrSDFzUm02d1I0 + d0JtSFpkSzNiS0lwYi9ZNUFyMDJMMTAKLS0tIGUzNWxWQU5LWWdwbTJVZ29xNUFK + eStldU55TjcwdGE4SjF0N3Q4TG9TRGcK1OworkGus/sekn6++t+YQP3QagKuAjeo + AHzPZPAh7pZNFJ9cnvPwpUx6tlgRVpDUDhTZuNikFVYtCWw/PqRObw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-11T14:04:39Z" - mac: ENC[AES256_GCM,data:UjRJbo20SVwYVa7Z+7jr7N2P0P4ro59YEjbEQeh4wcxgpU2+lH8RiHSKKi1/mI72wtg7fXaWDcw0KLkMTfDgtzK6HZJxUVTJJofFqnG7oMTGryMZthZosi9l7oL0B/2gNgRmxWaL+AbYXxpbY09JYhT3fbblm+orWlJw18zbItw=,iv:u2Av5vFEKaTpcwZFDFnnKIQVczUBUKj604BI3Ruu+Cs=,tag:JUcJxzUi9GmqVVmeMaQojg==,type:str] + lastmodified: "2025-05-23T14:28:47Z" + mac: ENC[AES256_GCM,data:+O9zBD+jiI41hZA6y558r2wof6wPgRNq/IO5f6sBeayqBqn4VgQ5GYYrA9JADL3jQhM16zQsmLKzaHkMSyCZ7fQ/UayLoVBVZ7X8sjuVvMAH0j7CZy3xpAYh1viFvgx4dR9NpVAttkRadzv40QTLcUiFEZMrEW5QK3UQFB4ox1c=,iv:aZbp7yEeBYDz28Vkr09+SYOUDm2wQeHf6LCY+AQF2Yk=,tag:AMsJfUF2HbSe7dV7H7a+Vw==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.10.2 diff --git a/k8s/distributions/talos/infrastructure/cloudflared/README.md b/k8s/distributions/talos/infrastructure/cloudflared/README.md new file mode 100644 index 000000000..d0d5b06de --- /dev/null +++ b/k8s/distributions/talos/infrastructure/cloudflared/README.md @@ -0,0 +1,6 @@ +# Cloudflared + +Cloudflared is a tunneling daemon based on Wireguard that can proxy a local webserver through the Cloudflare network. It is used to make the local Kubernetes cluster available on the internet. + +- [Documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/) +- [Helm Chart](https://github.com/cloudflare/helm-charts) diff --git a/k8s/distributions/talos/infrastructure/cloudflared/helm-release.yaml b/k8s/distributions/talos/infrastructure/cloudflared/helm-release.yaml new file mode 100644 index 000000000..03ec948c2 --- /dev/null 
+++ b/k8s/distributions/talos/infrastructure/cloudflared/helm-release.yaml
@@ -0,0 +1,22 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cloudflared
+ namespace: cloudflared
+ # labels:
+ # helm.toolkit.fluxcd.io/crds: enabled
+ # helm.toolkit.fluxcd.io/helm-test: enabled
+ # helm.toolkit.fluxcd.io/remediation: enabled
+spec:
+ interval: 10m
+ chart:
+ spec:
+ chart: cloudflare-tunnel-remote
+ version: 0.1.2
+ sourceRef:
+ kind: HelmRepository
+ name: cloudflared
+ # https://github.com/cloudflare/helm-charts/blob/main/charts/cloudflare-tunnel-remote/values.yaml
+ values:
+ cloudflare:
+ tunnel_token: ${cloudflared_tunnel_token}
diff --git a/k8s/distributions/talos/infrastructure/cloudflared/helm-repository.yaml b/k8s/distributions/talos/infrastructure/cloudflared/helm-repository.yaml
new file mode 100644
index 000000000..dc2ce6acf
--- /dev/null
+++ b/k8s/distributions/talos/infrastructure/cloudflared/helm-repository.yaml
@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: cloudflared
+ namespace: cloudflared
+spec:
+ url: https://cloudflare.github.io/helm-charts
diff --git a/k8s/distributions/talos/infrastructure/cloudflared/kustomization.yaml b/k8s/distributions/talos/infrastructure/cloudflared/kustomization.yaml
new file mode 100644
index 000000000..7edec9cc4
--- /dev/null
+++ b/k8s/distributions/talos/infrastructure/cloudflared/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - helm-release.yaml
+ - helm-repository.yaml
diff --git a/k8s/distributions/talos/infrastructure/cloudflared/namespace.yaml b/k8s/distributions/talos/infrastructure/cloudflared/namespace.yaml
new file mode 100644
index 000000000..371847932
--- /dev/null
+++ b/k8s/distributions/talos/infrastructure/cloudflared/namespace.yaml
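Review bot: `tunnel_token: ${cloudflared_tunnel_token}` substitutes the token into `spec.values`, so after Flux's post-build substitution the plaintext token is stored in the HelmRelease object itself and is readable by anyone with `get` on helmreleases in the `cloudflared` namespace, not only by principals allowed to read Secrets. Flux's `spec.valuesFrom` can inject it from a Secret in the release's namespace instead — a `kind: Secret` entry with `valuesKey: cloudflared_tunnel_token` and `targetPath: cloudflare.tunnel_token` — leaving the HelmRelease free of the value; the variables Secret in this series lives in `flux-system`, so that means a dedicated Secret in `cloudflared`. The same applies to `secret: ${dex_client_secret}` and `clientSecret: ${github_app_client_secret}` in the dex HelmRelease hunk of PATCH 12.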
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cloudflared
+ # labels:
+ # goldilocks.fairwinds.com/enabled: "true"
+ # goldilocks.fairwinds.com/vpa-update-mode: "auto"
+ # goldilocks.fairwinds.com/vpa-min-replicas: "1"
diff --git a/k8s/distributions/talos/infrastructure/kustomization.yaml b/k8s/distributions/talos/infrastructure/kustomization.yaml
index 0bd531bf1..c699cf46e 100644
--- a/k8s/distributions/talos/infrastructure/kustomization.yaml
+++ b/k8s/distributions/talos/infrastructure/kustomization.yaml
@@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../../bases/infrastructure/
+ - cloudflared/
 - kubelet-serving-cert-approver/
From e8f3909eae39af6bab58d1ef676ab2d8e6ae29db Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Fri, 23 May 2025 16:35:14 +0200
Subject: [PATCH 11/12] feat(variables): add traefik_service_type to ConfigMap and cloudflared_tunnel_token to Secret
Signed-off-by: Nikolai Emil Damm
---
 .../prod/variables/variables-cluster-config-map.yaml | 1 +
 .../prod/variables/variables-cluster-secret.enc.yaml | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/k8s/clusters/prod/variables/variables-cluster-config-map.yaml b/k8s/clusters/prod/variables/variables-cluster-config-map.yaml
index eafe4baa2..d04a32f72 100644
--- a/k8s/clusters/prod/variables/variables-cluster-config-map.yaml
+++ b/k8s/clusters/prod/variables/variables-cluster-config-map.yaml
@@ -7,3 +7,4 @@ metadata:
 data:
 domain: devantler.tech
 github_app_client_id: Iv23liZ8GHRgpx32Em2y
+ traefik_service_type: ClusterIP
diff --git a/k8s/clusters/prod/variables/variables-cluster-secret.enc.yaml b/k8s/clusters/prod/variables/variables-cluster-secret.enc.yaml
index b4af479d6..23e8975f9 100644
--- a/k8s/clusters/prod/variables/variables-cluster-secret.enc.yaml
+++ b/k8s/clusters/prod/variables/variables-cluster-secret.enc.yaml
@@ -4,6 +4,7 @@ metadata: name: variables-cluster namespace: flux-system stringData: + cloudflared_tunnel_token: ENC[AES256_GCM,data:h+uCmkRbHa2tcA7oxK4r1fpzBdL0G7vX9Ijz+02RxkKpZ+n+sJ8Wr8AARjJ4hyV01SlwY0xrTSB/qgFYUcM00KpEDpirDQF9mV/5BQq9ZqRlnN0EKf70aurvg0BNPitan253X8X1IfqE9GOkiYOWovSk7vFTeTo/MXVrC6xokloxOpGk3XvdsaeL2x16PzvpPvopAh9jS/h2EMD4mMSjoVUTke4hXnvBBAQRN5dZR/3TOPEUIk0JBQ==,iv:uCovFD0ZKeBXR3u63hd+hcgekmt1zqulD8No1w33Hf0=,tag:tAYHBtgxJRONiJKtQnVohA==,type:str] dex_client_secret: ENC[AES256_GCM,data:N2lx0i3cU5/tvNOD8VGXD0Deui0=,iv:wd7GKLALtuptqKgcTW+PLQGcMJbce02dOd0m+y6ipZM=,tag:YG0w3pS7DkG+DWdg5K+Idg==,type:str] github_app_client_secret: ENC[AES256_GCM,data:MqpUJOm7rBTBnh/dMjmu8JZGxpuEIwBxclc7+4yuzJsn8Q4P0a6Jhw==,iv:sOBoblUdfzbl+IX2wu5gwGUmr5vOBgTMF1wD1WOxqpQ=,tag:0P62JkP4hk3z/iTpWkoHNw==,type:str] github_app_private_key: ENC[AES256_GCM,data:cSeSQfnoqNnmU9D6lqUpIZb75v1b/C4xvGHkI3XrTo0IoJoehqWIBt+CJnhm//lzClrFOBPoYUJGmZoAC56bdPwlOQ8owYhLiEdnZ1MQvwWsq1l/dVNCt6kZzzCCX5YsonT3UbHJ64XMHE5c7VJGhKpm3avU9RtbGy6wDoVyIkRG0XIqxcVS+549QFVvfEDBgObt38+ranVKJG+zqlQ4slc+ZxcV171oTDxTbdMNu8Jh8/JZqzmEwa5DO5hS3rPPR7JqOdSkvXnHbaGLuofxwFogSgyKIMSbNGTQBM7s8E4mQnW9+jaxJeOgXwVzf3VZfDeWoCPddzmgHVCLr4bvx0e1iwin0FigAbhJji0CJ/OfS9cptRusNYzlcEBrwcpteoZCAa/ni245m1J8WyL8hm5imfsTUhwD6uZIEgMvqAfWi7FwpQkP5Y1LOQdqMQ0yqNIbYim94PaMh2v/AC3cYitfpp12yJD6xKyY+R29WzJ2TCjaMOQKgbmncAMRuTWNC3Qyvd5Xt90KY/Di1xFNQ1AnbAk8IzYrTanHcJ8w1lA0OTxnRJZx4d19aE06H622cl/W6y0dJJaCuKwL0RJzklJOU0ZitQq5ZnWdHUvSx1IZbkHBdvCuOO71LGMSRn78+AGii8O417mFGxDASuMdEfMdNmMeX92LwLxuNBaYjncK+hMaTBr856Asct9mT+f/RzVVyHbti0yj5QBObKxifs17DUB5YwmeybF7O9mWmcuVayIEdJL9r/m6K5Tcu8GtcqunJ2cAXA65DcEni2iHB9bKu8r7raL+T0A38W4LvpDiecua6eVmFJTU8E5fxrf19mDTYsdGULq/BgkcWWRfziG/cDo5y2LMA7Idb9ddT90d4dvBNd5B7okUVOeXFOi/bO2C9/VhB/V6i4R8pBqYSw9lH9HDaX9/CNgCCYylS5fS0giGmjRXMdHUMjvJaSu7MChZcF7RZs260zY99gV+DI7UhG0BR2UXDHHpmfYZvqYas05UkLpLTvbTkHyj1AoCTZmnG8cn6uF11wjQJPEINakSC7vL6zZQzgGO6jTLAb4oqiZXvt1EIX0u1J/Mm/FfPo5yrP1VelmlUw2rwZ8jQWFJRhaBoGiu5ZT0wu0FLBs9iFEytbn4VN
9d3KEAPgAD3wjb3Cys1YyNnfzfnDgFgseWkOAPZdPDSGhWeHnzbkVHsdhVRIQqpDcRJSxWT4v2sHeFH2xuLBYs/RezYUp+hisVBKUsfyj7yNJPnm88U2oVsTX0WiNczeXnJW+tjkK7H1uwk7n6uOfipqjLnfwvexTdfCmLr7aIYlw4CA56nD1rD6cwlw7tCd19he17Z92myKaI9XuxoO5aFGScT367GosriyYMon9Q7uqFU6hi5nQ9dnObpfCb9Omyv+9zWfcEBCFXptQ8NTFqGN4UImoswaRf4d15i6ltD9YtXqscnJ/VEBCnyOZYx/fi4LlfhLttnKjzX4fIykVc79p9gzdci2OJFEG57+zv9S/GSiCkYVS5euG8kjY6xaGV22wD5+Xaz+XHQFm4wJ/ogR5j4YQ3S3C7TKj56U2wo5sgIx7nEkqfqTwvUQK1ndyQwG4AOaHZAtcA/sGZiF/iIOmrGTx6eU9jb7KKy066cD8RpIK9hRTBF6hfYhSfrwRwIz6c0Xea3HkD+3Xu1ULCA330nFvbL0bYb5cEVG3Lr0qE7rCU34Y39sqqgQSyGr883qgW75ZnRpwZER34Cgtl9Fp04tYd3d0PU62G99/tL3V0U74durnfjCLP0VTppJg+MqRh6VQVizZwvJwUUXfqLCjEQ5EJUF/7yjr4XXmdGz7yv/qQETWX+aKtrFpH0AmPkfgiCbJGz+I6VrfNt8Nz+jB9beI2Ubqd7lmHTIv++OoM1KzhbsLSo8KCmJTjEvzXd5cZkdhYzSNp2qM3dWJ+IHxfzgBiLJzDCTOOTX2lWo+ltHa1BdR9QnY/r7J0JvUdWXQyPFwWMQh9qOf2r07PKjFwE6QKm+YnYnIV4ERukMFeESmuqbPqGHz6OkYG/AFhz/94tvqa/VZYFkQPVUIZz4XbsIE8cDDENFWbxrAnTmzHZxbf617UiiDrEmgeOuni7lJnnu4DfPzyAFQHlUaCoxyT/5Y/i0+h+XYmkHFqxA6I3WM4AOaDSNzhK4TTW3ssRTK13GQ+ixwyD/s7sr/aPriKea6Otf4HooFc9wCjBHinGmRl6zLlvtmrhZ3drJv0LA==,iv:o4Q7KwCOhekFO44TxRM0V9uDgIMnZVtNyhg8JZOA5Ts=,tag:XINc2NtdirAjEZHTYOq1Sw==,type:str] 
@@ -18,7 +19,7 @@ sops: UU5CNmM0eHVwMURtSWJzRkRCdEk2c3MKKiisA8AGWwUEvDsgJ+oqwSlmscNR2+5z DCudOY0vl+rqhsHMGdkjRkK29LYuWBI125U2VZqMlPdMlhmRYcQAjA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-11T14:01:38Z" - mac: ENC[AES256_GCM,data:3LPYC+W7NiFTZH3XkgjjES60mfmHQywbNYvkvDrEwanYCLVJ3L76Riyao6X2JxHuID8NzLcC8pFqMqL7EK8QCH0BMdUS/nrRWUGNnE2vqb1qHVmwIR5rqtKDy1zxKZh5ntUdr7mEONPJWgUubCHXxz+DUPwJlK9hb0o8bOAM4iw=,iv:TezpZVVx9mmmCJlE2Uev81SS9WL7gljwIyuh1SZDGLo=,tag:hYLxCv2DcSsgaEClYgbPSg==,type:str] + lastmodified: "2025-05-23T14:34:51Z" + mac: ENC[AES256_GCM,data:un2AB2Ve0AcHZY9FNQ/pI+Xrcpp4ge8/8XppZBSd8tYdMHbBUoTRTbgzZwfbQdauvqml56GgptTW76rt7aT54vm/GntFtyDcCj54hj/1s1ASiDVn9hhjAV/rnoVz5CF5Q6n7MthB1UUDlVO+R5Ja7jhCfa0LbZxKeRL54h9VZro=,iv:c+7ftyAcZcrt/+P+wvRg9kbnmAhas6LSkSczMqNJ6SE=,tag:qyYcWFLmmB8LDaNXAg1jyQ==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.10.2 From 445d3b382c07c14d3b3019d55759ba1ecfa98fac Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Fri, 23 May 2025 16:53:56 +0200 Subject: [PATCH 12/12] refactor(dex): remove deprecated HelmRelease and related resources; update namespace labels Signed-off-by: Nikolai Emil Damm --- .../controllers/dex/helm-release.yaml | 20 +++----- .../controllers/dex/namespace.yaml | 2 +- .../controllers/kustomization.yaml | 1 + k8s/bases/infrastructure/dex/README.md | 6 --- .../infrastructure/dex/helm-release.yaml | 48 ------------------- .../infrastructure/dex/helm-repository.yaml | 7 --- .../infrastructure/dex/kustomization.yaml | 6 --- k8s/bases/infrastructure/dex/namespace.yaml | 8 ---- k8s/bases/infrastructure/kustomization.yaml | 1 - 9 files changed, 9 insertions(+), 90 deletions(-) delete mode 100644 k8s/bases/infrastructure/dex/README.md delete mode 100644 k8s/bases/infrastructure/dex/helm-release.yaml delete mode 100644 k8s/bases/infrastructure/dex/helm-repository.yaml delete mode 100644 k8s/bases/infrastructure/dex/kustomization.yaml delete mode 100644 k8s/bases/infrastructure/dex/namespace.yaml 
diff --git a/k8s/bases/infrastructure/controllers/dex/helm-release.yaml b/k8s/bases/infrastructure/controllers/dex/helm-release.yaml
index 3102cf771..9eb6dfcc9 100644
--- a/k8s/bases/infrastructure/controllers/dex/helm-release.yaml
+++ b/k8s/bases/infrastructure/controllers/dex/helm-release.yaml
@@ -3,10 +3,6 @@ kind: HelmRelease metadata: name: dex namespace: dex - labels: - helm.toolkit.fluxcd.io/crds: enabled - helm.toolkit.fluxcd.io/helm-test: enabled - helm.toolkit.fluxcd.io/remediation: enabled spec: interval: 10m chart:
@@ -22,12 +18,12 @@ spec: enabled: true className: ${ingress_class_name:=} hosts: - - host: dex.${cluster_domain} + - host: dex.${domain} paths: - path: / pathType: ImplementationSpecific config: - issuer: https://dex.${cluster_domain} + issuer: https://dex.${domain} storage: type: kubernetes config:
@@ -38,17 +34,15 @@ spec: - name: GitHub id: github secret: ${dex_client_secret} - redirectURIs: - - https://headlamp.${cluster_domain}/oidc-callback - - https://grafana.${cluster_domain}/login/generic_oauth + redirectURIs: [] connectors: - name: GitHub type: github id: github config: - clientID: ${github_client_id} - clientSecret: ${github_client_secret} + clientID: ${github_app_client_id} + clientSecret: ${github_app_client_secret} teamNameField: slug - redirectURI: https://dex.${cluster_domain}/callback + redirectURI: https://dex.${domain}/callback orgs: - - name: devantlerware + - name: devantler-tech
diff --git a/k8s/bases/infrastructure/controllers/dex/namespace.yaml b/k8s/bases/infrastructure/controllers/dex/namespace.yaml
index 7b33c864c..2e418bf10 100644
--- a/k8s/bases/infrastructure/controllers/dex/namespace.yaml
+++ b/k8s/bases/infrastructure/controllers/dex/namespace.yaml
@@ -5,4 +5,4 @@ metadata: labels: goldilocks.fairwinds.com/enabled: "true" goldilocks.fairwinds.com/vpa-update-mode: "auto" - goldilocks.fairwinds.com/vpa-min-replicas: "1" + goldilocks.fairwinds.com/vpa-min-replicas: "2"
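Review bot: In the third hunk of controllers/dex/helm-release.yaml (`@@ -38,17 +34,15 @@`), `redirectURIs: []` leaves the `github` static client with no registered redirect URI while it is not marked `public`, and as far as Dex's client validation goes a confidential client may only redirect to a URI in that list, so every authorization request for this client will be refused until one is added. If the Headlamp and Grafana callbacks that were removed are still meant to log in through Dex, they need to come back under the new variable, e.g. `redirectURIs:` / `- https://headlamp.${domain}/oidc-callback` / `- https://grafana.${domain}/login/generic_oauth`; if the client is intentionally parked, a comment above the line such as `# no consumers registered yet; Dex refuses auth requests for this client until a redirect URI is listed` would spare the next reader a debugging session. Keeping the list empty rather than wildcarded is the right default from a security standpoint, so the only question is intent. Note also that `${github_app_client_secret}` is substituted into `spec.values` of the applied HelmRelease object, so read access to HelmRelease resources in the `dex` namespace is effectively read access to that secret; this predates the commit, but the variable rename is a natural moment to consider Flux `valuesFrom` with a Secret instead. This hunk ends at the end of the file.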
diff --git a/k8s/bases/infrastructure/controllers/kustomization.yaml b/k8s/bases/infrastructure/controllers/kustomization.yaml
index fa0ef4402..10b70dc49 100644
--- a/k8s/bases/infrastructure/controllers/kustomization.yaml
+++ b/k8s/bases/infrastructure/controllers/kustomization.yaml
@@ -4,5 +4,6 @@ kind: Kustomization resources: - cert-manager/ - cilium/ + - dex/ - reloader/ - traefik/
diff --git a/k8s/bases/infrastructure/dex/README.md b/k8s/bases/infrastructure/dex/README.md
deleted file mode 100644
index f783c6a1d..000000000
--- a/k8s/bases/infrastructure/dex/README.md
+++ /dev/null
@@ -1,6 +0,0 @@ -# Dex - -A federated OpenID Connect provider for Kubernetes. - -- [Documentation](https://dexidp.io/docs/) -- [Helm Chart](https://github.com/dexidp/helm-charts/tree/master/charts/dex)
diff --git a/k8s/bases/infrastructure/dex/helm-release.yaml b/k8s/bases/infrastructure/dex/helm-release.yaml
deleted file mode 100644
index 9eb6dfcc9..000000000
--- a/k8s/bases/infrastructure/dex/helm-release.yaml
+++ /dev/null
@@ -1,48 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: dex - namespace: dex -spec: - interval: 10m - chart: - spec: - chart: dex - version: 0.23.0 - sourceRef: - kind: HelmRepository - name: dex - # https://github.com/dexidp/helm-charts/blob/master/charts/dex/values.yaml - values: - ingress: - enabled: true - className: ${ingress_class_name:=} - hosts: - - host: dex.${domain} - paths: - - path: / - pathType: ImplementationSpecific - config: - issuer: https://dex.${domain} - storage: - type: kubernetes - config: - inCluster: true - oauth2: - skipApprovalScreen: true - staticClients: - - name: GitHub - id: github - secret: ${dex_client_secret} - redirectURIs: [] - connectors: - - name: GitHub - type: github - id: github - config: - clientID: ${github_app_client_id} - clientSecret: ${github_app_client_secret} - teamNameField: slug - redirectURI: https://dex.${domain}/callback - orgs: - - name: devantler-tech
diff --git a/k8s/bases/infrastructure/dex/helm-repository.yaml b/k8s/bases/infrastructure/dex/helm-repository.yaml
deleted file mode 100644
index 78b96a6cb..000000000
--- a/k8s/bases/infrastructure/dex/helm-repository.yaml
+++ /dev/null
@@ -1,7 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: dex - namespace: dex -spec: - url: https://charts.dexidp.io
diff --git a/k8s/bases/infrastructure/dex/kustomization.yaml b/k8s/bases/infrastructure/dex/kustomization.yaml
deleted file mode 100644
index 7edec9cc4..000000000
--- a/k8s/bases/infrastructure/dex/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - namespace.yaml - - helm-release.yaml - - helm-repository.yaml
diff --git a/k8s/bases/infrastructure/dex/namespace.yaml b/k8s/bases/infrastructure/dex/namespace.yaml
deleted file mode 100644
index 2e418bf10..000000000
--- a/k8s/bases/infrastructure/dex/namespace.yaml
+++ /dev/null
@@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: dex - labels: - goldilocks.fairwinds.com/enabled: "true" - goldilocks.fairwinds.com/vpa-update-mode: "auto" - goldilocks.fairwinds.com/vpa-min-replicas: "2"
diff --git a/k8s/bases/infrastructure/kustomization.yaml b/k8s/bases/infrastructure/kustomization.yaml
index 899bbafa6..58d62993e 100644
--- a/k8s/bases/infrastructure/kustomization.yaml
+++ b/k8s/bases/infrastructure/kustomization.yaml
@@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - dex/ - metrics-server/