diff --git a/.gitmodules b/.gitmodules deleted file mode 100644 index 7bbe694..0000000 --- a/.gitmodules +++ /dev/null @@ -1,3 +0,0 @@ -[submodule "plugins"] - path = plugins - url = https://github.com/badjware/kustomize-plugins diff --git a/kustomize/bases/drone-server/drone-server-externalsecret.yaml b/kustomize/bases/drone-server/drone-server-externalsecret.yaml new file mode 100644 index 0000000..5815c5b --- /dev/null +++ b/kustomize/bases/drone-server/drone-server-externalsecret.yaml @@ -0,0 +1,35 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: drone-secret +spec: + secretStoreRef: + name: aws-parameters-store + kind: ClusterSecretStore + target: + name: drone-secret + data: + - secretKey: rpc_secret + remoteRef: + key: /k3s/prod/drone/gitea/rpc_secret + - secretKey: database_secret + remoteRef: + key: /k3s/prod/drone/gitea/database_secret +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: drone-gitea-oauth-secret +spec: + secretStoreRef: + name: aws-parameters-store + kind: ClusterSecretStore + target: + name: drone-gitea-oauth-secret + data: + - secretKey: client_id + remoteRef: + key: /k3s/prod/drone/gitea/client_id + - secretKey: client_secret + remoteRef: + key: /k3s/prod/drone/gitea/client_secret diff --git a/kustomize/bases/drone-server/kustomization.yaml b/kustomize/bases/drone-server/kustomization.yaml index a8666f8..3b21500 100644 --- a/kustomize/bases/drone-server/kustomization.yaml +++ b/kustomize/bases/drone-server/kustomization.yaml 
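Review bot: Neither ExternalSecret in `drone-server-externalsecret.yaml` sets `spec.refreshInterval`, so the sync cadence is whatever the controller default is, and because `target.name` is fixed — unlike the hash-suffixed Secrets the removed `secretGenerator` produced — a value rotated in Parameter Store is written into `drone-secret`/`drone-gitea-oauth-secret` in place without rolling the Deployments that consume them, which keep the old credential until restarted. Making the interval explicit (`refreshInterval: 1h`) and noting in a comment that rotation needs a rollout (or a reloader annotation on the consumer) would document that. The same holds for the grafana-agent, grafana, longhorn, postgres and redis ExternalSecrets added in this commit.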
@@ -1,19 +1,8 @@ resources: - drone-server-deployment.yaml - drone-server-ingress.yaml + - drone-server-externalsecret.yaml commonLabels: app.kubernetes.io/name: drone app.kubernetes.io/component: server - -secretGenerator: - - name: drone-secret - type: Opaque - literals: - - rpc_secret=changeme - - database_secret=changeme - - name: drone-gitea-oauth-secret - type: Opaque - literals: - - client_id=changeme - - client_secret=changeme \ No newline at end of file diff --git a/kustomize/bases/grafana-agent/grafana-agent-externalsecret.yaml b/kustomize/bases/grafana-agent/grafana-agent-externalsecret.yaml new file mode 100644 index 0000000..3792882 --- /dev/null +++ b/kustomize/bases/grafana-agent/grafana-agent-externalsecret.yaml @@ -0,0 +1,14 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: grafana-agent +spec: + secretStoreRef: + name: aws-parameters-store + kind: ClusterSecretStore + target: + name: grafana-agent + data: + - secretKey: agent.yaml + remoteRef: + key: /k3s/prod/grafana-agent/config diff --git a/kustomize/bases/grafana-agent/kustomization.yaml b/kustomize/bases/grafana-agent/kustomization.yaml index e0f9889..635d2a6 100644 --- a/kustomize/bases/grafana-agent/kustomization.yaml +++ b/kustomize/bases/grafana-agent/kustomization.yaml @@ -1,16 +1,11 @@ resources: - https://raw.githubusercontent.com/grafana/agent/v0.24.2/production/kubernetes/agent-bare.yaml + - grafana-agent-externalsecret.yaml commonLabels: app.kubernetes.io/name: grafana-agent app.kubernetes.io/part-of: monitoring -secretGenerator: - - name: grafana-agent - behavior: create - literals: - - agent.yaml= - patchesJson6902: - target: version: v1 diff --git a/kustomize/bases/grafana/grafana-externalsecret.yaml b/kustomize/bases/grafana/grafana-externalsecret.yaml new file mode 100644 index 0000000..a633433 --- /dev/null +++ b/kustomize/bases/grafana/grafana-externalsecret.yaml 
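Review bot: The value fetched from `/k3s/prod/grafana-agent/config` is copied into the `agent.yaml` key verbatim; the overlay file it replaces (deleted further down) carried `${ssm:/k3s/prod/monitoring/grafana-cloud/password}` under `logs.configs[].clients[].basic_auth`, and the SSMParameterPlaceholderTransformer that expanded it is removed in this commit, so the stored parameter must already contain the real password and should be a SecureString. The same applies to `/k3s/prod/grafana/config`, which takes over custom.ini with its `client_secret` line. The deleted agent.yaml was ~88 lines with multi-kilobyte regexes; if the stored parameter keeps that content, check it fits the SSM parameter size limit (4 KB standard, 8 KB advanced tier). A comment above `remoteRef` such as `# whole agent.yaml, stored as a SecureString; no ${ssm:} placeholder expansion happens here` would save the next reader the search.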
@@ -0,0 +1,14 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: grafana-config +spec: + secretStoreRef: + name: aws-parameters-store + kind: ClusterSecretStore + target: + name: grafana-config + data: + - secretKey: custom.ini + remoteRef: + key: /k3s/prod/grafana/config diff --git a/kustomize/bases/grafana/kustomization.yaml b/kustomize/bases/grafana/kustomization.yaml index bb3eeaf..6259aac 100644 --- a/kustomize/bases/grafana/kustomization.yaml +++ b/kustomize/bases/grafana/kustomization.yaml @@ -1,6 +1,7 @@ resources: - grafana-deployment.yaml - grafana-ingress.yaml + - grafana-externalsecret.yaml commonLabels: app.kubernetes.io/name: grafana @@ -11,12 +12,6 @@ configMapGenerator: files: - datasources.yaml=provision/datasources.yaml -secretGenerator: - - name: grafana-config - type: Opaque - literals: - - custom.ini= - # secretGenerator: # - name: postgres-credentials # type: Opaque diff --git a/kustomize/bases/longhorn/kustomization.yaml b/kustomize/bases/longhorn/kustomization.yaml index aae3789..2d0405e 100644 --- a/kustomize/bases/longhorn/kustomization.yaml +++ b/kustomize/bases/longhorn/kustomization.yaml @@ -2,17 +2,7 @@ resources: - longhorn-namespace.yaml - longhorn-helmchart.yaml - longhorn-recurringjob.yaml + - longhorn-externalsecret.yaml commonLabels: app.kubernetes.io/name: longhorn - -secretGenerator: - - name: s3-backupstore-credentials - type: Opaque - namespace: longhorn-system - literals: - - AWS_ACCESS_KEY_ID=changeme - - AWS_SECRET_ACCESS_KEY=changeme - -generatorOptions: - disableNameSuffixHash: true \ No newline at end of file diff --git a/kustomize/bases/longhorn/longhorn-externalsecret.yaml b/kustomize/bases/longhorn/longhorn-externalsecret.yaml new file mode 100644 index 0000000..d522880 --- /dev/null +++ b/kustomize/bases/longhorn/longhorn-externalsecret.yaml 
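Review bot: `grafana-externalsecret.yaml` hard-codes the environment-specific path `/k3s/prod/grafana/config` into a base, as do the drone-server, grafana-agent and longhorn bases, whereas the postgres and redis bases keep `key: changeme` placeholders that the consumer patches; the bases are now inconsistent, and the four carrying `/k3s/prod/` paths cannot be reused by another overlay without a patch. Either convention works, but it should be chosen once and stated in each base, e.g. `# remoteRef keys are prod-specific; override from the overlay when reusing this base`.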
@@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: s3-backupstore-credentials + namespace: longhorn-system +spec: + secretStoreRef: + name: aws-parameters-store + kind: ClusterSecretStore + target: + name: s3-backupstore-credentials + data: + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /k3s/prod/longhorn/s3_access_key_id + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /k3s/prod/longhorn/s3_secret_access_key + - secretKey: AWS_ENDPOINTS + remoteRef: + key: /k3s/prod/longhorn/s3_endpoint diff --git a/kustomize/bases/nextcloud/kustomization.yaml b/kustomize/bases/nextcloud/kustomization.yaml index f4ce48d..67636f8 100644 --- a/kustomize/bases/nextcloud/kustomization.yaml +++ b/kustomize/bases/nextcloud/kustomization.yaml @@ -6,3 +6,31 @@ resources: commonLabels: app.kubernetes.io/name: nextcloud + +patchesStrategicMerge: + - |- + apiVersion: external-secrets.io/v1beta1 + kind: ExternalSecret + metadata: + name: postgres-credentials + spec: + data: + - secretKey: database + remoteRef: + key: /k3s/prod/nextcloud/postgres/database + - secretKey: username + remoteRef: + key: /k3s/prod/nextcloud/postgres/username + - secretKey: password + remoteRef: + key: /k3s/prod/nextcloud/postgres/password + - |- + apiVersion: external-secrets.io/v1beta1 + kind: ExternalSecret + metadata: + name: redis-credentials + spec: + data: + - secretKey: password + remoteRef: + key: /k3s/prod/nextcloud/redis/password diff --git a/kustomize/bases/postgres/kustomization.yaml b/kustomize/bases/postgres/kustomization.yaml index a53d021..91ae9eb 100644 --- a/kustomize/bases/postgres/kustomization.yaml +++ b/kustomize/bases/postgres/kustomization.yaml 
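Review bot: The `patchesStrategicMerge` entries in the nextcloud kustomization rely on kustomize merging `spec.data` on a CRD it has no OpenAPI schema for; as far as I know lists on unschemaed types are replaced wholesale rather than merged by `secretKey`, which works today only because each patch restates every entry, and a `secretKey` later added to the postgres or redis base would be silently dropped. Also, `database` and `username` were plain literals (`nextcloud`) in the removed overlay generator and are now read from `/k3s/prod/nextcloud/postgres/database` and `.../username`; nothing in this commit creates those parameters, and I believe a missing one fails the whole ExternalSecret, so no `postgres-credentials` Secret is produced at all. A comment above the first patch — `# full spec.data is restated here: kustomize replaces, not merges, this list on an unschemaed CRD` — would keep the next edit safe.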
@@ -1,14 +1,6 @@ resources: - postgres-statefulset.yaml + - postgres-externalsecret.yaml commonLabels: app.kubernetes.io/component: postgres - -secretGenerator: - - name: postgres-credentials - type: Opaque - behavior: create - literals: - - database=changeme - - username=changeme - - password=changeme diff --git a/kustomize/bases/postgres/postgres-externalsecret.yaml b/kustomize/bases/postgres/postgres-externalsecret.yaml new file mode 100644 index 0000000..7c0a760 --- /dev/null +++ b/kustomize/bases/postgres/postgres-externalsecret.yaml @@ -0,0 +1,20 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: postgres-credentials +spec: + secretStoreRef: + name: aws-parameters-store + kind: ClusterSecretStore + target: + name: postgres-credentials + data: + - secretKey: database + remoteRef: + key: changeme + - secretKey: username + remoteRef: + key: changeme + - secretKey: password + remoteRef: + key: changeme diff --git a/kustomize/bases/redis/kustomization.yaml b/kustomize/bases/redis/kustomization.yaml index 1e43551..f6c1224 100644 --- a/kustomize/bases/redis/kustomization.yaml +++ b/kustomize/bases/redis/kustomization.yaml @@ -1,12 +1,6 @@ resources: - redis-deployment.yaml + - redis-externalsecret.yaml commonLabels: app.kubernetes.io/component: redis - -secretGenerator: - - name: redis-credentials - type: Opaque - behavior: create - literals: - - password=changeme diff --git a/kustomize/bases/redis/redis-externalsecret.yaml b/kustomize/bases/redis/redis-externalsecret.yaml new file mode 100644 index 0000000..0a96f4e --- /dev/null +++ b/kustomize/bases/redis/redis-externalsecret.yaml @@ -0,0 +1,14 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: redis-credentials +spec: + secretStoreRef: + name: aws-parameters-store + kind: ClusterSecretStore + target: + name: redis-credentials + data: + - secretKey: password + remoteRef: + key: changeme 
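Review bot: The three `key: changeme` remoteRefs in `postgres-externalsecret.yaml` (and the one in `redis-externalsecret.yaml`) are not equivalent to the `changeme` literals they replace: the old generator still produced a Secret with dummy values, whereas a nonexistent parameter puts the ExternalSecret into a sync error and no Secret appears, so the base is unusable until patched. That fail-closed behaviour is the better outcome, but it should be stated in the file, e.g. `# placeholder; the consuming kustomization must patch remoteRef.key (see bases/nextcloud/kustomization.yaml)` above `data:`.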
diff --git a/kustomize/overlays/prod-cluster/kustomization.yaml b/kustomize/overlays/prod-cluster/kustomization.yaml index 623f903..5eff825 100644 --- a/kustomize/overlays/prod-cluster/kustomization.yaml +++ b/kustomize/overlays/prod-cluster/kustomization.yaml @@ -8,9 +8,6 @@ buildMetadata: commonLabels: app.kubernetes.io/managed-by: kustomize-cluster -transformers: - - transformers/ssm-secrets.yaml - configMapGenerator: - name: cluster-replacements namespace: default @@ -18,16 +15,6 @@ configMapGenerator: - TRAEFIK_EXTERNAL_HOST=traefik.badjnet.home - LONGHORN_EXTERNAL_HOST=longhorn.badjnet.home -secretGenerator: - - name: s3-backupstore-credentials - type: Opaque - namespace: longhorn-system - behavior: replace - literals: - - AWS_ACCESS_KEY_ID=${ssm:/k3s/prod/longhorn/s3_access_key_id} - - AWS_SECRET_ACCESS_KEY=${ssm:/k3s/prod/longhorn/s3_secret_access_key} - - AWS_ENDPOINTS=https://s3.badjware.dev - replacements: - source: kind: ConfigMap diff --git a/kustomize/overlays/prod/configurations/grafana-agent/agent.yaml b/kustomize/overlays/prod/configurations/grafana-agent/agent.yaml deleted file mode 100644 index 1557f90..0000000 --- a/kustomize/overlays/prod/configurations/grafana-agent/agent.yaml +++ /dev/null 
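Review bot: Removing the `behavior: replace` generator drops the literal `AWS_ENDPOINTS=https://s3.badjware.dev`, and the new longhorn ExternalSecret instead reads it from `/k3s/prod/longhorn/s3_endpoint`, a parameter this commit does not create anywhere visible; if it is absent I believe the whole `s3-backupstore-credentials` sync fails, so Longhorn loses the access key pair as well as the endpoint. Worth confirming all three `/k3s/prod/longhorn/*` parameters exist before this lands, and whether the `cluster-replacements` ConfigMap that stays in this file was the intended home for a non-secret endpoint rather than Parameter Store.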
@@ -1,88 +0,0 @@ -metrics: - wal_directory: /var/lib/agent/wal - global: - scrape_interval: 60s - external_labels: - cluster: cloud - # configs: - # - name: integrations - # remote_write: - # - url: https://prometheus-prod-10-prod-us-central-0.grafana.net/api/prom/push - # basic_auth: - # username: 443422 - # password: ${ssm:/k3s/prod/monitoring/grafana-cloud/password} - # scrape_configs: - # - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - # job_name: integrations/kubernetes/cadvisor - # kubernetes_sd_configs: - # - role: node - # metric_relabel_configs: - # - source_labels: [__name__] - # regex: namespace_memory:kube_pod_container_resource_requests:sum|kubelet_running_containers|container_cpu_usage_seconds_total|kube_pod_container_info|container_network_receive_packets_dropped_total|kube_pod_status_phase|kubelet_pod_start_duration_seconds_count|kubelet_cgroup_manager_duration_seconds_bucket|kube_horizontalpodautoscaler_status_desired_replicas|cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits|node_namespace_pod_container:container_memory_swap|kube_statefulset_status_replicas_ready|kube_horizontalpodautoscaler_spec_max_replicas|cluster:namespace:pod_memory:active:kube_pod_container_resource_requests|process_cpu_seconds_total|process_resident_memory_bytes|kubelet_server_expiration_renew_errors|kube_daemonset.*|container_fs_reads_total|machine_memory_bytes|kubelet_volume_stats_inodes_used|volume_manager_total_volumes|kube_statefulset_status_replicas|namespace_cpu:kube_pod_container_resource_limits:sum|kube_pod_container_resource_requests|kube_pod_container_resource_limits|kubelet_pod_worker_duration_seconds_count|namespace_workload_pod:kube_pod_owner:relabel|kubelet_cgroup_manager_duration_seconds_count|container_cpu_cfs_throttled_periods_total|kube_node_spec_taint|container_fs_reads_bytes_total|kubelet_certificate_manager_client_ttl_seconds|container_network_receive_bytes_total|kubelet_running_container_count|kube_daemonset
_status_number_available|kube_node_status_allocatable|container_fs_writes_total|kube_namespace_status_phase|kubelet_volume_stats_available_bytes|kubelet_pleg_relist_duration_seconds_bucket|kubelet_runtime_operations_errors_total|kube_pod_container_status_waiting_reason|kube_replicaset_owner|kube_resourcequota|kube_pod_info|kubelet_pleg_relist_duration_seconds_count|kube_deployment_status_replicas_available|cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests|kubelet_running_pods|kube_statefulset_status_replicas_updated|kube_deployment_status_replicas_updated|kube_job_spec_completions|kube_daemonset_status_number_misscheduled|kubelet_certificate_manager_server_ttl_seconds|container_network_transmit_bytes_total|container_memory_cache|kubelet_volume_stats_capacity_bytes|node_namespace_pod_container:container_memory_cache|container_memory_rss|container_memory_swap|storage_operation_duration_seconds_count|kube_replicaset.*|kube_pod_owner|cluster:namespace:pod_memory:active:kube_pod_container_resource_limits|kubelet_volume_stats_inodes|kube_daemonset_status_desired_number_scheduled|kube_daemonset_status_updated_number_scheduled|kube_statefulset.*|kube_node_info|go_goroutines|kubelet_pod_worker_duration_seconds_bucket|kubelet_node_config_error|container_cpu_cfs_periods_total|kubelet_pleg_relist_interval_seconds_bucket|kube_job.*|container_network_receive_packets_total|container_fs_writes_bytes_total|kubelet_running_pod_count|kube_deployment_spec_replicas|up|kube_node_status_capacity|namespace_cpu:kube_pod_container_resource_requests:sum|node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate|container_memory_working_set_bytes|kubelet_node_name|node_namespace_pod_container:container_memory_rss|storage_operation_errors_total|kube_statefulset_metadata_generation|container_network_transmit_packets_total|kubelet_runtime_operations_total|kube_statefulset_status_observed_generation|kube_horizontalpodautoscaler_status_current_replicas|kubernetes_b
uild_info|kubelet_certificate_manager_client_expiration_renew_errors|kube_job_failed|namespace_workload_pod|node_namespace_pod_container:container_memory_working_set_bytes|kube_statefulset_replicas|kube_deployment_status_observed_generation|kube_pod_container_status_restarts_total|kube_daemonset_status_current_number_scheduled|kube_pod_start_time|namespace_memory:kube_pod_container_resource_limits:sum|container_network_transmit_packets_dropped_total|rest_client_requests_total|kube_deployment_metadata_generation|kube_statefulset_status_update_revision|kube_job_status_succeeded|kube_horizontalpodautoscaler_spec_min_replicas|kube_statefulset_status_current_revision|node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile|kube_node_status_condition - # action: keep - # relabel_configs: - # - replacement: kubernetes.default.svc.cluster.local:443 - # target_label: __address__ - # - regex: (.+) - # replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor - # source_labels: - # - __meta_kubernetes_node_name - # target_label: __metrics_path__ - # scheme: https - # tls_config: - # ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - # insecure_skip_verify: false - # server_name: kubernetes - # - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - # job_name: integrations/kubernetes/kubelet - # kubernetes_sd_configs: - # - role: node - # metric_relabel_configs: - # - source_labels: [__name__] - # regex: 
namespace_memory:kube_pod_container_resource_requests:sum|kubelet_running_containers|container_cpu_usage_seconds_total|kube_pod_container_info|container_network_receive_packets_dropped_total|kube_pod_status_phase|kubelet_pod_start_duration_seconds_count|kubelet_cgroup_manager_duration_seconds_bucket|kube_horizontalpodautoscaler_status_desired_replicas|cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits|node_namespace_pod_container:container_memory_swap|kube_statefulset_status_replicas_ready|kube_horizontalpodautoscaler_spec_max_replicas|cluster:namespace:pod_memory:active:kube_pod_container_resource_requests|process_cpu_seconds_total|process_resident_memory_bytes|kubelet_server_expiration_renew_errors|kube_daemonset.*|container_fs_reads_total|machine_memory_bytes|kubelet_volume_stats_inodes_used|volume_manager_total_volumes|kube_statefulset_status_replicas|namespace_cpu:kube_pod_container_resource_limits:sum|kube_pod_container_resource_requests|kube_pod_container_resource_limits|kubelet_pod_worker_duration_seconds_count|namespace_workload_pod:kube_pod_owner:relabel|kubelet_cgroup_manager_duration_seconds_count|container_cpu_cfs_throttled_periods_total|kube_node_spec_taint|container_fs_reads_bytes_total|kubelet_certificate_manager_client_ttl_seconds|container_network_receive_bytes_total|kubelet_running_container_count|kube_daemonset_status_number_available|kube_node_status_allocatable|container_fs_writes_total|kube_namespace_status_phase|kubelet_volume_stats_available_bytes|kubelet_pleg_relist_duration_seconds_bucket|kubelet_runtime_operations_errors_total|kube_pod_container_status_waiting_reason|kube_replicaset_owner|kube_resourcequota|kube_pod_info|kubelet_pleg_relist_duration_seconds_count|kube_deployment_status_replicas_available|cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests|kubelet_running_pods|kube_statefulset_status_replicas_updated|kube_deployment_status_replicas_updated|kube_job_spec_completions|kube_daemonset_status_n
umber_misscheduled|kubelet_certificate_manager_server_ttl_seconds|container_network_transmit_bytes_total|container_memory_cache|kubelet_volume_stats_capacity_bytes|node_namespace_pod_container:container_memory_cache|container_memory_rss|container_memory_swap|storage_operation_duration_seconds_count|kube_replicaset.*|kube_pod_owner|cluster:namespace:pod_memory:active:kube_pod_container_resource_limits|kubelet_volume_stats_inodes|kube_daemonset_status_desired_number_scheduled|kube_daemonset_status_updated_number_scheduled|kube_statefulset.*|kube_node_info|go_goroutines|kubelet_pod_worker_duration_seconds_bucket|kubelet_node_config_error|container_cpu_cfs_periods_total|kubelet_pleg_relist_interval_seconds_bucket|kube_job.*|container_network_receive_packets_total|container_fs_writes_bytes_total|kubelet_running_pod_count|kube_deployment_spec_replicas|up|kube_node_status_capacity|namespace_cpu:kube_pod_container_resource_requests:sum|node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate|container_memory_working_set_bytes|kubelet_node_name|node_namespace_pod_container:container_memory_rss|storage_operation_errors_total|kube_statefulset_metadata_generation|container_network_transmit_packets_total|kubelet_runtime_operations_total|kube_statefulset_status_observed_generation|kube_horizontalpodautoscaler_status_current_replicas|kubernetes_build_info|kubelet_certificate_manager_client_expiration_renew_errors|kube_job_failed|namespace_workload_pod|node_namespace_pod_container:container_memory_working_set_bytes|kube_statefulset_replicas|kube_deployment_status_observed_generation|kube_pod_container_status_restarts_total|kube_daemonset_status_current_number_scheduled|kube_pod_start_time|namespace_memory:kube_pod_container_resource_limits:sum|container_network_transmit_packets_dropped_total|rest_client_requests_total|kube_deployment_metadata_generation|kube_statefulset_status_update_revision|kube_job_status_succeeded|kube_horizontalpodautoscaler_spec_min_replicas|k
ube_statefulset_status_current_revision|node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile|kube_node_status_condition - # action: keep - # relabel_configs: - # - replacement: kubernetes.default.svc.cluster.local:443 - # target_label: __address__ - # - regex: (.+) - # replacement: /api/v1/nodes/${1}/proxy/metrics - # source_labels: - # - __meta_kubernetes_node_name - # target_label: __metrics_path__ - # scheme: https - # tls_config: - # ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - # insecure_skip_verify: false - # server_name: kubernetes - # - job_name: integrations/kubernetes/kube-state-metrics - # kubernetes_sd_configs: - # - role: pod - # metric_relabel_configs: - # - source_labels: [__name__] - # regex: namespace_memory:kube_pod_container_resource_requests:sum|kubelet_running_containers|container_cpu_usage_seconds_total|kube_pod_container_info|container_network_receive_packets_dropped_total|kube_pod_status_phase|kubelet_pod_start_duration_seconds_count|kubelet_cgroup_manager_duration_seconds_bucket|kube_horizontalpodautoscaler_status_desired_replicas|cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits|node_namespace_pod_container:container_memory_swap|kube_statefulset_status_replicas_ready|kube_horizontalpodautoscaler_spec_max_replicas|cluster:namespace:pod_memory:active:kube_pod_container_resource_requests|process_cpu_seconds_total|process_resident_memory_bytes|kubelet_server_expiration_renew_errors|kube_daemonset.*|container_fs_reads_total|machine_memory_bytes|kubelet_volume_stats_inodes_used|volume_manager_total_volumes|kube_statefulset_status_replicas|namespace_cpu:kube_pod_container_resource_limits:sum|kube_pod_container_resource_requests|kube_pod_container_resource_limits|kubelet_pod_worker_duration_seconds_count|namespace_workload_pod:kube_pod_owner:relabel|kubelet_cgroup_manager_duration_seconds_count|container_cpu_cfs_throttled_periods_total|kube_node_spec_taint|container_fs_reads_bytes_total|kubelet_
certificate_manager_client_ttl_seconds|container_network_receive_bytes_total|kubelet_running_container_count|kube_daemonset_status_number_available|kube_node_status_allocatable|container_fs_writes_total|kube_namespace_status_phase|kubelet_volume_stats_available_bytes|kubelet_pleg_relist_duration_seconds_bucket|kubelet_runtime_operations_errors_total|kube_pod_container_status_waiting_reason|kube_replicaset_owner|kube_resourcequota|kube_pod_info|kubelet_pleg_relist_duration_seconds_count|kube_deployment_status_replicas_available|cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests|kubelet_running_pods|kube_statefulset_status_replicas_updated|kube_deployment_status_replicas_updated|kube_job_spec_completions|kube_daemonset_status_number_misscheduled|kubelet_certificate_manager_server_ttl_seconds|container_network_transmit_bytes_total|container_memory_cache|kubelet_volume_stats_capacity_bytes|node_namespace_pod_container:container_memory_cache|container_memory_rss|container_memory_swap|storage_operation_duration_seconds_count|kube_replicaset.*|kube_pod_owner|cluster:namespace:pod_memory:active:kube_pod_container_resource_limits|kubelet_volume_stats_inodes|kube_daemonset_status_desired_number_scheduled|kube_daemonset_status_updated_number_scheduled|kube_statefulset.*|kube_node_info|go_goroutines|kubelet_pod_worker_duration_seconds_bucket|kubelet_node_config_error|container_cpu_cfs_periods_total|kubelet_pleg_relist_interval_seconds_bucket|kube_job.*|container_network_receive_packets_total|container_fs_writes_bytes_total|kubelet_running_pod_count|kube_deployment_spec_replicas|up|kube_node_status_capacity|namespace_cpu:kube_pod_container_resource_requests:sum|node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate|container_memory_working_set_bytes|kubelet_node_name|node_namespace_pod_container:container_memory_rss|storage_operation_errors_total|kube_statefulset_metadata_generation|container_network_transmit_packets_total|kubelet_runtime_ope
rations_total|kube_statefulset_status_observed_generation|kube_horizontalpodautoscaler_status_current_replicas|kubernetes_build_info|kubelet_certificate_manager_client_expiration_renew_errors|kube_job_failed|namespace_workload_pod|node_namespace_pod_container:container_memory_working_set_bytes|kube_statefulset_replicas|kube_deployment_status_observed_generation|kube_pod_container_status_restarts_total|kube_daemonset_status_current_number_scheduled|kube_pod_start_time|namespace_memory:kube_pod_container_resource_limits:sum|container_network_transmit_packets_dropped_total|rest_client_requests_total|kube_deployment_metadata_generation|kube_statefulset_status_update_revision|kube_job_status_succeeded|kube_horizontalpodautoscaler_spec_min_replicas|kube_statefulset_status_current_revision|node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile|kube_node_status_condition - # action: keep - # relabel_configs: - # - action: keep - # regex: kube-state-metrics - # source_labels: - # - __meta_kubernetes_pod_label_app_kubernetes_io_name - -integrations: - eventhandler: - cache_path: /var/lib/agent/eventhandler.cache - logs_instance: integrations -logs: - configs: - - name: integrations - clients: - - url: https://logs-prod3.grafana.net/loki/api/v1/push - basic_auth: - username: 220681 - password: ${ssm:/k3s/prod/monitoring/grafana-cloud/password} - external_labels: - cluster: cloud - job: integrations/kubernetes/eventhandler - positions: - filename: /tmp/positions.yaml - target_config: - sync_period: 10s diff --git a/kustomize/overlays/prod/configurations/grafana/custom.ini b/kustomize/overlays/prod/configurations/grafana/custom.ini deleted file mode 100644 index 2585160..0000000 --- a/kustomize/overlays/prod/configurations/grafana/custom.ini +++ /dev/null 
@@ -1,9 +0,0 @@ -[auth.generic_oauth] -enabled = true -allow_sign_up = false -client_id = 5yCpX9YovdrEuBpy69438S8GzCUJZLxqFl4rOcIpjBHICRpJzjv56VMxslKj7iqm -client_secret = ${ssm:/k3s/prod/nextcloud/oidc/grafana/client_secret} -scopes = openid profile email -auth_url = https://cloud.badjware.dev/apps/oidc/authorize -token_url = https://cloud.badjware.dev/apps/oidc/token -api_url = https://cloud.badjware.dev/apps/oidc/userinfo \ No newline at end of file diff --git a/kustomize/overlays/prod/kustomization.yaml b/kustomize/overlays/prod/kustomization.yaml index 8729114..f856eaa 100644 --- a/kustomize/overlays/prod/kustomization.yaml +++ b/kustomize/overlays/prod/kustomization.yaml @@ -39,9 +39,11 @@ configMapGenerator: - GITEA_EXTERNAL_HOST=code.badjware.dev - GITEA_EXTERNAL_URL=https://code.badjware.dev + - GRAFANA_EXTERNAL_HOST=grafana.badjware.dev + - GRAFANA_EXTERNAL_URL=https://grafana.badjware.dev + - DRONE_EXTERNAL_HOST=drone.badjware.dev - NEXTCLOUD_EXTERNAL_HOST=cloud.badjware.dev - - GRAFANA_EXTERNAL_HOST=grafana.badjware.dev - PROMETHEUS_EXTERNAL_HOST=prometheus.badjnet.home # - name: ecommerce-exporter-config # namespace: monitoring 
@@ -50,53 +52,6 @@ configMapGenerator: # - ecommerce-exporter.yml=configurations/ecommerce-exporter/ecommerce-exporter.yml secretGenerator: - - name: drone-secret - type: Opaque - namespace: gitea - behavior: replace - literals: - - rpc_secret=${ssm:/k3s/prod/drone/gitea/rpc_secret} - - database_secret=${ssm:/k3s/prod/drone/gitea/database_secret} - # https://docs.drone.io/server/provider/gitea/ - - name: drone-gitea-oauth-secret - type: Opaque - namespace: gitea - behavior: replace - literals: - - client_id=${ssm:/k3s/prod/drone/gitea/client_id} - - client_secret=${ssm:/k3s/prod/drone/gitea/client_secret} - - name: postgres-credentials - type: Opaque - namespace: nextcloud - behavior: replace - literals: - - database=nextcloud - - username=nextcloud - - password=${ssm:/k3s/prod/nextcloud/postgres/password} - - name: redis-credentials - type: Opaque - namespace: nextcloud - behavior: replace - literals: - - password=${ssm:/k3s/prod/nextcloud/redis/password} - - name: grafana-agent - namespace: monitoring - behavior: replace - files: - - agent.yaml=configurations/grafana-agent/agent.yaml - - name: grafana-config - type: Opaque - namespace: monitoring - behavior: replace - files: - - custom.ini=configurations/grafana/custom.ini - # - name: grafana-cloud-credentials - # type: Opaque - # namespace: monitoring - # behavior: replace - # literals: - # - username=${ssm:/k3s/prod/monitoring/grafana-cloud/username} - # - password=${ssm:/k3s/prod/monitoring/grafana-cloud/password} - name: additional-scrape-configs type: Opaque namespace: monitoring @@ -108,9 +63,6 @@ secretGenerator: commonLabels: app.kubernetes.io/managed-by: kustomize -transformers: - - transformers/ssm-secrets.yaml - patchesJson6902: - target: version: v1 
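Review bot: The removed generator entries pinned each Secret to a namespace (`gitea`, `nextcloud`, `monitoring`) with `behavior: replace`, while the ExternalSecrets that replace them carry no `metadata.namespace`; whether they land in the same namespaces now depends on overlay namespace handling outside this hunk, and the `aws-parameters-store` ClusterSecretStore must admit those namespaces (its `spec.conditions`, if any, are not in this diff). The `# https://docs.drone.io/server/provider/gitea/` pointer is also lost with the deletion; it is worth carrying over as a comment above the `drone-gitea-oauth-secret` entry in `drone-server-externalsecret.yaml`.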
@@ -157,6 +109,36 @@ replacements: namespace: gitea fieldPaths: - spec.template.spec.containers.0.env.0.value + - source: + kind: ConfigMap + name: replacements + namespace: default + fieldPath: data.GRAFANA_EXTERNAL_HOST + targets: + - select: + kind: Ingress + name: grafana + namespace: monitoring + fieldPaths: + - spec.rules.0.host + - select: + kind: Deployment + name: grafana + namespace: monitoring + fieldPaths: + - spec.template.spec.containers.0.env.0.value + - source: + kind: ConfigMap + name: replacements + namespace: default + fieldPath: data.GRAFANA_EXTERNAL_URL + targets: + - select: + kind: Deployment + name: grafana + namespace: monitoring + fieldPaths: + - spec.template.spec.containers.0.env.1.value - source: kind: ConfigMap name: replacements @@ -199,18 +181,6 @@ replacements: namespace: nextcloud fieldPaths: - spec.rules.0.host - - source: - kind: ConfigMap - name: replacements - namespace: default - fieldPath: data.GRAFANA_EXTERNAL_HOST - targets: - - select: - kind: Ingress - name: grafana - namespace: monitoring - fieldPaths: - - spec.rules.0.host - source: kind: ConfigMap name: replacements diff --git a/kustomize/overlays/prod/transformers/ssm-secrets.yaml b/kustomize/overlays/prod/transformers/ssm-secrets.yaml deleted file mode 100644 index cc35d89..0000000 --- a/kustomize/overlays/prod/transformers/ssm-secrets.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: badjware/v1 -kind: SSMParameterPlaceholderTransformer -metadata: - name: ssm-parameter -resourceSelectors: - - kind: Secret \ No newline at end of file diff --git a/plugins b/plugins deleted file mode 160000 index 323a2f9..0000000 --- a/plugins +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 323a2f9a62df1215b3bb4d60a0ebdd1a0bc15c0f diff --git a/terraform/modules/aws-parameters-external-secrets/iam-policies/parameters-external-secrets-policy.json b/terraform/modules/aws-parameters-external-secrets/iam-policies/parameters-external-secrets-policy.json index 62bbe30..85a6572 100644 
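Review bot: The new grafana replacement targets address env entries positionally (`spec.template.spec.containers.0.env.0.value`, `...env.1.value`), so reordering the env list in `grafana-deployment.yaml` silently writes the host or URL into the wrong variable with no build error. Kustomize replacements accept key selectors in `fieldPaths`, e.g. `spec.template.spec.containers.[name=grafana].env.[name=<ENV_VAR_NAME>].value` (substitute the container and variable names from the Deployment); the existing gitea entry uses the positional form too, so this would be a deliberate divergence worth a comment. The enclosing `replacements:` list continues outside the hunk.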
--- a/terraform/modules/aws-parameters-external-secrets/iam-policies/parameters-external-secrets-policy.json +++ b/terraform/modules/aws-parameters-external-secrets/iam-policies/parameters-external-secrets-policy.json @@ -4,6 +4,7 @@ { "Effect": "Allow", "Action": [ + "ssm:GetParameter", "ssm:GetParameterWithContext", "ssm:ListTagsForResourceWithContext", "ssm:DescribeParametersWithContext"
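Review bot: `ssm:GetParameter` is added but the statement's `Resource` is outside the hunk; it should be scoped to the parameter path the ExternalSecrets use (e.g. `arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/k3s/prod/*`) rather than `*`, since this credential now reads whole config files including passwords. If those parameters are SecureString under a customer-managed KMS key, the role also needs `kms:Decrypt` on that key; with the AWS-managed `aws/ssm` key no extra statement is needed.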