onedr0p · onedr0p · Jan 30, 2024 · Jan 30, 2024
diff --git a/.github/tests/config-k0s.yaml b/.github/tests/config-k0s.yaml
@@ -32,6 +32,8 @@ flux:
     webhook:
       enabled: true
       token: fake
+    private:
+      enabled: false
   sops_age_public_key: $BOOTSTRAP_AGE_PUBLIC_KEY
 
 cloudflare:

diff --git a/.github/tests/config-k3s-ipv4.yaml b/.github/tests/config-k3s-ipv4.yaml
@@ -32,6 +32,8 @@ flux:
     webhook:
       enabled: true
       token: fake
+    private:
+      enabled: false
   sops_age_public_key: $BOOTSTRAP_AGE_PUBLIC_KEY
 
 cloudflare:

diff --git a/.github/tests/config-k3s-ipv6.yaml b/.github/tests/config-k3s-ipv6.yaml
@@ -32,6 +32,8 @@ flux:
     webhook:
       enabled: true
       token: fake
+    private:
+      enabled: false
   sops_age_public_key: $BOOTSTRAP_AGE_PUBLIC_KEY
 
 cloudflare:

diff --git a/.github/tests/config-talos.yaml b/.github/tests/config-talos.yaml
@@ -32,6 +32,8 @@ flux:
     webhook:
       enabled: true
       token: fake
+    private:
+      enabled: false
   sops_age_public_key: $BOOTSTRAP_AGE_PUBLIC_KEY
 
 cloudflare:

diff --git a/.taskfiles/Flux/Taskfile.yaml b/.taskfiles/Flux/Taskfile.yaml
@@ -7,6 +7,7 @@ vars:
   PROMETHEUS_OPERATOR_VERSION: v0.71.2
   CLUSTER_SECRET_SOPS_FILE: "{{.KUBERNETES_DIR}}/flux/vars/cluster-secrets.sops.yaml"
   CLUSTER_SETTINGS_FILE: "{{.KUBERNETES_DIR}}/flux/vars/cluster-settings.yaml"
+  GITHUB_DEPLOY_KEY_FILE: "{{.KUBERNETES_DIR}}/bootstrap/github-deploy-key.sops.yaml"
 
 tasks:
 
@@ -63,7 +64,8 @@ tasks:
       - { msg: "Flux not installed", sh: "kubectl get namespace flux-system --kubeconfig {{.KUBECONFIG_FILE}} &>/dev/null && exit 0 || exit 1" }
 
   github-deploy-key:
-    cmd: sops --decrypt {{.KUBERNETES_DIR}}/bootstrap/github-deploy-key.sops.yaml | kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename -
+    cmd: sops --decrypt {{.GITHUB_DEPLOY_KEY_FILE}} | kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename -
     preconditions:
       - { msg: "Missing kubeconfig", sh: "test -f {{.KUBECONFIG_FILE}}" }
-      - { msg: "Flux not installed", sh: "kubectl get namespace flux-system --kubeconfig {{.KUBECONFIG_FILE}} &>/dev/null && exit 0 || exit 1" }
+      - { msg: "Missing Sops Age key file", sh: "test -f {{.AGE_FILE}}" }
+      - { msg: "Missing Github deploy key file", sh: "test -f {{.GITHUB_DEPLOY_KEY_FILE}}" }
diff --git a/README.md b/README.md
@@ -392,7 +392,7 @@ You have two different options for setting up your local workstation.
 
 ### 🔹 Stage 6: Install Flux in your cluster
 
-> [!IMPORTANT]
+> [!NOTE]
 > Skip this stage if you have **disabled** Flux in the `config.yaml`
 
 1. Verify Flux can be installed
@@ -407,6 +407,9 @@ You have two different options for setting up your local workstation.
 
 2. Install Flux and sync the cluster to the Git repository
 
+> [!IMPORTANT]
+> Run `task flux:github-deploy-key` first if using a private repository.
+
     ```sh
     task flux:bootstrap
     # namespace/flux-system configured
@@ -579,95 +582,6 @@ To browse or get ideas on applications people are running, community member [@wh
 The included CSI (openebs in local-hostpath mode) is a great start for storage but soon you might find you need more features like replicated block storage, or to connect to a NFS/SMB/iSCSI server. If you need any of those features be sure to check out the projects like [rook-ceph](https://github.com/rook/rook), [longhorn](https://github.com/longhorn/longhorn), [openebs](https://github.com/openebs/openebs), [democratic-csi](https://github.com/democratic-csi/democratic-csi), [csi-driver-nfs](https://github.com/kubernetes-csi/csi-driver-nfs),
 and [synology-csi](https://github.com/SynologyOpenSource/synology-csi).
 
-#### Authenticate Flux over SSH
-
-<details>
-<summary><i>Click <b>here</b> to read guide on adding Flux SSH authentication</i></summary>
-
-Authenticating Flux to your git repository has a couple benefits like using a private git repository and/or using the Flux [Image Automation Controllers](https://fluxcd.io/docs/components/image/).
-
-By default this template only works on a public Github repository, it is advised to keep your repository public.
-
-The benefits of a public repository include:
-
-- Debugging or asking for help, you can provide a link to a resource you are having issues with.
-- Adding a topic to your repository of `kubesearch` to be included in the [Kubesearch](https://kubesearch.dev) results. This search helps people discover different configurations of Helm charts across others Flux based repositories.
-
-1. Generate new SSH key:
-
-    ```sh
-    ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f ./kubernetes/bootstrap/github-deploy.key -q -P ""
-    ```
-
-2. Paste public key in the deploy keys section of your repository settings
-3. Create sops secret in `./kubernetes/bootstrap/github-deploy-key.sops.yaml` with the contents of:
-
-   ```yaml
-   apiVersion: v1
-   kind: Secret
-   metadata:
-     name: github-deploy-key
-     namespace: flux-system
-   stringData:
-     # 3a. Contents of github-deploy-key
-     identity: |
-       -----BEGIN OPENSSH PRIVATE KEY-----
-           ...
-       -----END OPENSSH PRIVATE KEY-----
-     # 3b. Output of curl --silent https://api.github.com/meta | jq --raw-output '"github.com "+.ssh_keys[]'
-     known_hosts: |
-       github.com ssh-ed25519 ...
-       github.com ecdsa-sha2-nistp256 ...
-       github.com ssh-rsa ...
-   ```
-
-4. Encrypt secret:
-
-    ```sh
-    sops --encrypt --in-place ./kubernetes/bootstrap/github-deploy-key.sops.yaml
-    ```
-
-5. Apply secret to cluster:
-
-    ```sh
-    sops --decrypt ./kubernetes/bootstrap/github-deploy-key.sops.yaml | kubectl apply -f -
-    ```
-
-6. Update `./kubernetes/flux/config/cluster.yaml`:
-
-    ```yaml
-    apiVersion: source.toolkit.fluxcd.io/v1beta2
-    kind: GitRepository
-    metadata:
-      name: home-kubernetes
-      namespace: flux-system
-    spec:
-      interval: 10m
-      # 6a: Change this to your user and repo names
-      url: ssh://git@github.com/$user/$repo
-      ref:
-        branch: main
-      secretRef:
-        name: github-deploy-key
-    ```
-
-7. Commit and push changes
-8. Force flux to reconcile your changes
-
-    ```sh
-    flux reconcile -n flux-system kustomization cluster --with-source
-    ```
-
-9. Verify git repository is now using SSH:
-
-    ```sh
-    flux get sources git -A
-    ```
-
-10. Optionally set your repository to Private in your repository settings.
-
-</details>
-
 ## 🙌 Related Projects
 
 If this repo is too hot to handle or too cold to hold check out these following projects.

diff --git a/bootstrap/templates/kubernetes/bootstrap/github-deploy-key.sops.yaml.j2 b/bootstrap/templates/kubernetes/bootstrap/github-deploy-key.sops.yaml.j2
@@ -0,0 +1,17 @@
+{% if flux.github.private.enabled %}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: github-deploy-key
+  namespace: flux-system
+stringData:
+  identity: |
+    {% filter indent(width=4, first=False) %}
+    {{ flux.github.private.key }}
+    {%- endfilter %}
+  known_hosts: |
+    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+    github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+    github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
+{% endif %}
diff --git a/bootstrap/templates/kubernetes/flux/config/cluster.yaml.j2 b/bootstrap/templates/kubernetes/flux/config/cluster.yaml.j2
@@ -7,7 +7,7 @@ metadata:
 spec:
   interval: 30m
   url: "{{ flux.github.address }}"
-  {% if flux.github.address.startswith('ssh://') %}
+  {% if flux.github.private.enabled %}
   secretRef:
     name: github-deploy-key
   {% endif %}

diff --git a/config.sample.yaml b/config.sample.yaml
@@ -66,6 +66,21 @@ flux:
       enabled: true
       # Token for Github push-based sync (openssl rand -hex 16)
       token: ""
+    # (Required) Private key for Flux to access the Github repository
+    private:
+      # (Required) Enable to use a private Github repository
+      enabled: false
+      # Private key for Flux to access the Github repository
+      #   1. Generate a new key with the following command:
+      #     ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f github-deploy.key -q -P ""
+      #   2. Make sure to paste public key from "github-deploy.key.pub"
+      #     into the deploy keys section of your repository settings
+      #   3. Uncomment and paste the private key below
+      # key: |
+      #   -----BEGIN OPENSSH PRIVATE KEY-----
+      #   ...
+      #   -----END OPENSSH PRIVATE KEY-----
+
   # (Required) Age Public Key (e.g. age15uzrw396e67z9wdzsxzdk7ka0g2gr3l460e0slaea563zll3hdfqwqxdta)
   sops_age_public_key: ""