
switch from kustomize plugin to external-secret

This commit is contained in:
Massaki Archambault 2023-02-20 09:07:49 -05:00
parent 48f92adc24
commit b8fa2bdf03
21 changed files with 186 additions and 234 deletions

.gitmodules vendored

@ -1,3 +0,0 @@
[submodule "plugins"]
path = plugins
url = https://github.com/badjware/kustomize-plugins


@ -0,0 +1,35 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: drone-secret
spec:
secretStoreRef:
name: aws-parameters-store
kind: ClusterSecretStore
target:
name: drone-secret
data:
- secretKey: rpc_secret
remoteRef:
key: /k3s/prod/drone/gitea/rpc_secret
- secretKey: database_secret
remoteRef:
key: /k3s/prod/drone/gitea/database_secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: drone-gitea-oauth-secret
spec:
secretStoreRef:
name: aws-parameters-store
kind: ClusterSecretStore
target:
name: drone-gitea-oauth-secret
data:
- secretKey: client_id
remoteRef:
key: /k3s/prod/drone/gitea/client_id
- secretKey: client_secret
remoteRef:
key: /k3s/prod/drone/gitea/client_secret
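Review bot: None of the ExternalSecrets added in this commit set `spec.refreshInterval`, so they fall back to the controller default (1h in external-secrets) and a rotated rpc_secret or OAuth client secret can sit stale in the cluster for up to that long; the same applies to grafana-agent-externalsecret.yaml, grafana-externalsecret.yaml, longhorn-externalsecret.yaml, postgres-externalsecret.yaml and redis-externalsecret.yaml. Even once the Secret is refreshed, a Deployment that consumes it through environment variables only sees the new value after a restart, which this commit does not arrange — the Deployments are not visible here, so confirm how they mount the secret. A one-line addition per file makes the trade-off explicit: `  refreshInterval: 1h  # rotation in SSM is picked up within this window; pods still need a restart`.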


@ -1,19 +1,8 @@
resources:
- drone-server-deployment.yaml
- drone-server-ingress.yaml
- drone-server-externalsecret.yaml
commonLabels:
app.kubernetes.io/name: drone
app.kubernetes.io/component: server
secretGenerator:
- name: drone-secret
type: Opaque
literals:
- rpc_secret=changeme
- database_secret=changeme
- name: drone-gitea-oauth-secret
type: Opaque
literals:
- client_id=changeme
- client_secret=changeme


@ -0,0 +1,14 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: grafana-agent
spec:
secretStoreRef:
name: aws-parameters-store
kind: ClusterSecretStore
target:
name: grafana-agent
data:
- secretKey: agent.yaml
remoteRef:
key: /k3s/prod/grafana-agent/config
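Review bot: The whole agent configuration, not just its credentials, now lives in the SSM parameter `/k3s/prod/grafana-agent/config`, so the Grafana Cloud password that the deleted configurations/grafana-agent/agent.yaml referenced through a `${ssm:...}` placeholder must now be embedded verbatim in that parameter, and the config itself drops out of git review and history; grafana-externalsecret.yaml does the same for the Grafana `custom.ini`. If these are stored as standard-tier parameters, the 4 KB value limit is also worth checking against the size of the old file. A comment on the `remoteRef` would tell the next maintainer where to edit: `# full agent.yaml, including the grafana-cloud credentials — edit in SSM, not in git`.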


@ -1,16 +1,11 @@
resources:
- https://raw.githubusercontent.com/grafana/agent/v0.24.2/production/kubernetes/agent-bare.yaml
- grafana-agent-externalsecret.yaml
commonLabels:
app.kubernetes.io/name: grafana-agent
app.kubernetes.io/part-of: monitoring
secretGenerator:
- name: grafana-agent
behavior: create
literals:
- agent.yaml=
patchesJson6902:
- target:
version: v1


@ -0,0 +1,14 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: grafana-config
spec:
secretStoreRef:
name: aws-parameters-store
kind: ClusterSecretStore
target:
name: grafana-config
data:
- secretKey: custom.ini
remoteRef:
key: /k3s/prod/grafana/config


@ -1,6 +1,7 @@
resources:
- grafana-deployment.yaml
- grafana-ingress.yaml
- grafana-externalsecret.yaml
commonLabels:
app.kubernetes.io/name: grafana
@ -11,12 +12,6 @@ configMapGenerator:
files:
- datasources.yaml=provision/datasources.yaml
secretGenerator:
- name: grafana-config
type: Opaque
literals:
- custom.ini=
# secretGenerator:
# - name: postgres-credentials
# type: Opaque


@ -2,17 +2,7 @@ resources:
- longhorn-namespace.yaml
- longhorn-helmchart.yaml
- longhorn-recurringjob.yaml
- longhorn-externalsecret.yaml
commonLabels:
app.kubernetes.io/name: longhorn
secretGenerator:
- name: s3-backupstore-credentials
type: Opaque
namespace: longhorn-system
literals:
- AWS_ACCESS_KEY_ID=changeme
- AWS_SECRET_ACCESS_KEY=changeme
generatorOptions:
disableNameSuffixHash: true


@ -0,0 +1,21 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: s3-backupstore-credentials
namespace: longhorn-system
spec:
secretStoreRef:
name: aws-parameters-store
kind: ClusterSecretStore
target:
name: s3-backupstore-credentials
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
key: /k3s/prod/longhorn/s3_access_key_id
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
key: /k3s/prod/longhorn/s3_secret_access_key
- secretKey: AWS_ENDPOINTS
remoteRef:
key: /k3s/prod/longhorn/s3_endpoint


@ -6,3 +6,31 @@ resources:
commonLabels:
app.kubernetes.io/name: nextcloud
patchesStrategicMerge:
- |-
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: postgres-credentials
spec:
data:
- secretKey: database
remoteRef:
key: /k3s/prod/nextcloud/postgres/database
- secretKey: username
remoteRef:
key: /k3s/prod/nextcloud/postgres/username
- secretKey: password
remoteRef:
key: /k3s/prod/nextcloud/postgres/password
- |-
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: redis-credentials
spec:
data:
- secretKey: password
remoteRef:
key: /k3s/prod/nextcloud/redis/password
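Review bot: These two `patchesStrategicMerge` entries are relied on to replace the entire `spec.data` list of the base postgres-credentials and redis-credentials ExternalSecrets (whose keys are `changeme`), which works only because kustomize falls back to JSON-merge semantics for CRDs it has no schema for; a genuine strategic merge of the list would not behave this way. The intent should be recorded so nobody later turns it into a partial patch, e.g. above the first entry: `# replaces the whole spec.data list of the base ExternalSecret (JSON-merge semantics for CRDs)`. `spec.secretStoreRef` and `spec.target` are inherited from the base, which is fine as long as the base is never applied without one of these overlays.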


@ -1,14 +1,6 @@
resources:
- postgres-statefulset.yaml
- postgres-externalsecret.yaml
commonLabels:
app.kubernetes.io/component: postgres
secretGenerator:
- name: postgres-credentials
type: Opaque
behavior: create
literals:
- database=changeme
- username=changeme
- password=changeme


@ -0,0 +1,20 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: postgres-credentials
spec:
secretStoreRef:
name: aws-parameters-store
kind: ClusterSecretStore
target:
name: postgres-credentials
data:
- secretKey: database
remoteRef:
key: changeme
- secretKey: username
remoteRef:
key: changeme
- secretKey: password
remoteRef:
key: changeme
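Review bot: The three `remoteRef.key: changeme` placeholders (and the one in redis-externalsecret.yaml) ship in the base as syntactically valid keys, so an overlay that forgets to patch them gets an ExternalSecret that fails to sync against SSM at runtime rather than a build-time error, and the dependent pods simply never start. Mark the placeholder as mandatory, `key: changeme  # placeholder — must be overridden by the consuming overlay`, so the failure mode is at least documented. Note also that database and username were plain literals (`nextcloud`) in the root kustomization before this commit and are now expected to exist as SSM parameters.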


@ -1,12 +1,6 @@
resources:
- redis-deployment.yaml
- redis-externalsecret.yaml
commonLabels:
app.kubernetes.io/component: redis
secretGenerator:
- name: redis-credentials
type: Opaque
behavior: create
literals:
- password=changeme


@ -0,0 +1,14 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: redis-credentials
spec:
secretStoreRef:
name: aws-parameters-store
kind: ClusterSecretStore
target:
name: redis-credentials
data:
- secretKey: password
remoteRef:
key: changeme


@ -8,9 +8,6 @@ buildMetadata:
commonLabels:
app.kubernetes.io/managed-by: kustomize-cluster
transformers:
- transformers/ssm-secrets.yaml
configMapGenerator:
- name: cluster-replacements
namespace: default
@ -18,16 +15,6 @@ configMapGenerator:
- TRAEFIK_EXTERNAL_HOST=traefik.badjnet.home
- LONGHORN_EXTERNAL_HOST=longhorn.badjnet.home
secretGenerator:
- name: s3-backupstore-credentials
type: Opaque
namespace: longhorn-system
behavior: replace
literals:
- AWS_ACCESS_KEY_ID=${ssm:/k3s/prod/longhorn/s3_access_key_id}
- AWS_SECRET_ACCESS_KEY=${ssm:/k3s/prod/longhorn/s3_secret_access_key}
- AWS_ENDPOINTS=https://s3.badjware.dev
replacements:
- source:
kind: ConfigMap


@ -1,88 +0,0 @@
metrics:
wal_directory: /var/lib/agent/wal
global:
scrape_interval: 60s
external_labels:
cluster: cloud
# configs:
# - name: integrations
# remote_write:
# - url: https://prometheus-prod-10-prod-us-central-0.grafana.net/api/prom/push
# basic_auth:
# username: 443422
# password: ${ssm:/k3s/prod/monitoring/grafana-cloud/password}
# scrape_configs:
# - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
# job_name: integrations/kubernetes/cadvisor
# kubernetes_sd_configs:
# - role: node
# metric_relabel_configs:
# - source_labels: [__name__]
# regex: namespace_memory:kube_pod_container_resource_requests:sum|kubelet_running_containers|container_cpu_usage_seconds_total|kube_pod_container_info|container_network_receive_packets_dropped_total|kube_pod_status_phase|kubelet_pod_start_duration_seconds_count|kubelet_cgroup_manager_duration_seconds_bucket|kube_horizontalpodautoscaler_status_desired_replicas|cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits|node_namespace_pod_container:container_memory_swap|kube_statefulset_status_replicas_ready|kube_horizontalpodautoscaler_spec_max_replicas|cluster:namespace:pod_memory:active:kube_pod_container_resource_requests|process_cpu_seconds_total|process_resident_memory_bytes|kubelet_server_expiration_renew_errors|kube_daemonset.*|container_fs_reads_total|machine_memory_bytes|kubelet_volume_stats_inodes_used|volume_manager_total_volumes|kube_statefulset_status_replicas|namespace_cpu:kube_pod_container_resource_limits:sum|kube_pod_container_resource_requests|kube_pod_container_resource_limits|kubelet_pod_worker_duration_seconds_count|namespace_workload_pod:kube_pod_owner:relabel|kubelet_cgroup_manager_duration_seconds_count|container_cpu_cfs_throttled_periods_total|kube_node_spec_taint|container_fs_reads_bytes_total|kubelet_certificate_manager_client_ttl_seconds|container_network_receive_bytes_total|kubelet_running_container_count|kube_daemonset_status_number_available|kube_node_status_allocatable|container_fs_writes_total|kube_namespace_status_phase|kubelet_volume_stats_available_bytes|kubelet_pleg_relist_duration_seconds_bucket|kubelet_runtime_operations_errors_total|kube_pod_container_status_waiting_reason|kube_replicaset_owner|kube_resourcequota|kube_pod_info|kubelet_pleg_relist_duration_seconds_count|kube_deployment_status_replicas_available|cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests|kubelet_running_pods|kube_statefulset_status_replicas_updated|kube_deployment_status_replicas_updated|kube_job_spec_completions|kube_daemonset
_status_number_misscheduled|kubelet_certificate_manager_server_ttl_seconds|container_network_transmit_bytes_total|container_memory_cache|kubelet_volume_stats_capacity_bytes|node_namespace_pod_container:container_memory_cache|container_memory_rss|container_memory_swap|storage_operation_duration_seconds_count|kube_replicaset.*|kube_pod_owner|cluster:namespace:pod_memory:active:kube_pod_container_resource_limits|kubelet_volume_stats_inodes|kube_daemonset_status_desired_number_scheduled|kube_daemonset_status_updated_number_scheduled|kube_statefulset.*|kube_node_info|go_goroutines|kubelet_pod_worker_duration_seconds_bucket|kubelet_node_config_error|container_cpu_cfs_periods_total|kubelet_pleg_relist_interval_seconds_bucket|kube_job.*|container_network_receive_packets_total|container_fs_writes_bytes_total|kubelet_running_pod_count|kube_deployment_spec_replicas|up|kube_node_status_capacity|namespace_cpu:kube_pod_container_resource_requests:sum|node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate|container_memory_working_set_bytes|kubelet_node_name|node_namespace_pod_container:container_memory_rss|storage_operation_errors_total|kube_statefulset_metadata_generation|container_network_transmit_packets_total|kubelet_runtime_operations_total|kube_statefulset_status_observed_generation|kube_horizontalpodautoscaler_status_current_replicas|kubernetes_build_info|kubelet_certificate_manager_client_expiration_renew_errors|kube_job_failed|namespace_workload_pod|node_namespace_pod_container:container_memory_working_set_bytes|kube_statefulset_replicas|kube_deployment_status_observed_generation|kube_pod_container_status_restarts_total|kube_daemonset_status_current_number_scheduled|kube_pod_start_time|namespace_memory:kube_pod_container_resource_limits:sum|container_network_transmit_packets_dropped_total|rest_client_requests_total|kube_deployment_metadata_generation|kube_statefulset_status_update_revision|kube_job_status_succeeded|kube_horizontalpodautoscaler_spec_min_r
eplicas|kube_statefulset_status_current_revision|node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile|kube_node_status_condition
# action: keep
# relabel_configs:
# - replacement: kubernetes.default.svc.cluster.local:443
# target_label: __address__
# - regex: (.+)
# replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
# source_labels:
# - __meta_kubernetes_node_name
# target_label: __metrics_path__
# scheme: https
# tls_config:
# ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# insecure_skip_verify: false
# server_name: kubernetes
# - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
# job_name: integrations/kubernetes/kubelet
# kubernetes_sd_configs:
# - role: node
# metric_relabel_configs:
# - source_labels: [__name__]
# regex: namespace_memory:kube_pod_container_resource_requests:sum|kubelet_running_containers|container_cpu_usage_seconds_total|kube_pod_container_info|container_network_receive_packets_dropped_total|kube_pod_status_phase|kubelet_pod_start_duration_seconds_count|kubelet_cgroup_manager_duration_seconds_bucket|kube_horizontalpodautoscaler_status_desired_replicas|cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits|node_namespace_pod_container:container_memory_swap|kube_statefulset_status_replicas_ready|kube_horizontalpodautoscaler_spec_max_replicas|cluster:namespace:pod_memory:active:kube_pod_container_resource_requests|process_cpu_seconds_total|process_resident_memory_bytes|kubelet_server_expiration_renew_errors|kube_daemonset.*|container_fs_reads_total|machine_memory_bytes|kubelet_volume_stats_inodes_used|volume_manager_total_volumes|kube_statefulset_status_replicas|namespace_cpu:kube_pod_container_resource_limits:sum|kube_pod_container_resource_requests|kube_pod_container_resource_limits|kubelet_pod_worker_duration_seconds_count|namespace_workload_pod:kube_pod_owner:relabel|kubelet_cgroup_manager_duration_seconds_count|container_cpu_cfs_throttled_periods_total|kube_node_spec_taint|container_fs_reads_bytes_total|kubelet_certificate_manager_client_ttl_seconds|container_network_receive_bytes_total|kubelet_running_container_count|kube_daemonset_status_number_available|kube_node_status_allocatable|container_fs_writes_total|kube_namespace_status_phase|kubelet_volume_stats_available_bytes|kubelet_pleg_relist_duration_seconds_bucket|kubelet_runtime_operations_errors_total|kube_pod_container_status_waiting_reason|kube_replicaset_owner|kube_resourcequota|kube_pod_info|kubelet_pleg_relist_duration_seconds_count|kube_deployment_status_replicas_available|cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests|kubelet_running_pods|kube_statefulset_status_replicas_updated|kube_deployment_status_replicas_updated|kube_job_spec_completions|kube_daemonset
_status_number_misscheduled|kubelet_certificate_manager_server_ttl_seconds|container_network_transmit_bytes_total|container_memory_cache|kubelet_volume_stats_capacity_bytes|node_namespace_pod_container:container_memory_cache|container_memory_rss|container_memory_swap|storage_operation_duration_seconds_count|kube_replicaset.*|kube_pod_owner|cluster:namespace:pod_memory:active:kube_pod_container_resource_limits|kubelet_volume_stats_inodes|kube_daemonset_status_desired_number_scheduled|kube_daemonset_status_updated_number_scheduled|kube_statefulset.*|kube_node_info|go_goroutines|kubelet_pod_worker_duration_seconds_bucket|kubelet_node_config_error|container_cpu_cfs_periods_total|kubelet_pleg_relist_interval_seconds_bucket|kube_job.*|container_network_receive_packets_total|container_fs_writes_bytes_total|kubelet_running_pod_count|kube_deployment_spec_replicas|up|kube_node_status_capacity|namespace_cpu:kube_pod_container_resource_requests:sum|node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate|container_memory_working_set_bytes|kubelet_node_name|node_namespace_pod_container:container_memory_rss|storage_operation_errors_total|kube_statefulset_metadata_generation|container_network_transmit_packets_total|kubelet_runtime_operations_total|kube_statefulset_status_observed_generation|kube_horizontalpodautoscaler_status_current_replicas|kubernetes_build_info|kubelet_certificate_manager_client_expiration_renew_errors|kube_job_failed|namespace_workload_pod|node_namespace_pod_container:container_memory_working_set_bytes|kube_statefulset_replicas|kube_deployment_status_observed_generation|kube_pod_container_status_restarts_total|kube_daemonset_status_current_number_scheduled|kube_pod_start_time|namespace_memory:kube_pod_container_resource_limits:sum|container_network_transmit_packets_dropped_total|rest_client_requests_total|kube_deployment_metadata_generation|kube_statefulset_status_update_revision|kube_job_status_succeeded|kube_horizontalpodautoscaler_spec_min_r
eplicas|kube_statefulset_status_current_revision|node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile|kube_node_status_condition
# action: keep
# relabel_configs:
# - replacement: kubernetes.default.svc.cluster.local:443
# target_label: __address__
# - regex: (.+)
# replacement: /api/v1/nodes/${1}/proxy/metrics
# source_labels:
# - __meta_kubernetes_node_name
# target_label: __metrics_path__
# scheme: https
# tls_config:
# ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# insecure_skip_verify: false
# server_name: kubernetes
# - job_name: integrations/kubernetes/kube-state-metrics
# kubernetes_sd_configs:
# - role: pod
# metric_relabel_configs:
# - source_labels: [__name__]
# regex: namespace_memory:kube_pod_container_resource_requests:sum|kubelet_running_containers|container_cpu_usage_seconds_total|kube_pod_container_info|container_network_receive_packets_dropped_total|kube_pod_status_phase|kubelet_pod_start_duration_seconds_count|kubelet_cgroup_manager_duration_seconds_bucket|kube_horizontalpodautoscaler_status_desired_replicas|cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits|node_namespace_pod_container:container_memory_swap|kube_statefulset_status_replicas_ready|kube_horizontalpodautoscaler_spec_max_replicas|cluster:namespace:pod_memory:active:kube_pod_container_resource_requests|process_cpu_seconds_total|process_resident_memory_bytes|kubelet_server_expiration_renew_errors|kube_daemonset.*|container_fs_reads_total|machine_memory_bytes|kubelet_volume_stats_inodes_used|volume_manager_total_volumes|kube_statefulset_status_replicas|namespace_cpu:kube_pod_container_resource_limits:sum|kube_pod_container_resource_requests|kube_pod_container_resource_limits|kubelet_pod_worker_duration_seconds_count|namespace_workload_pod:kube_pod_owner:relabel|kubelet_cgroup_manager_duration_seconds_count|container_cpu_cfs_throttled_periods_total|kube_node_spec_taint|container_fs_reads_bytes_total|kubelet_certificate_manager_client_ttl_seconds|container_network_receive_bytes_total|kubelet_running_container_count|kube_daemonset_status_number_available|kube_node_status_allocatable|container_fs_writes_total|kube_namespace_status_phase|kubelet_volume_stats_available_bytes|kubelet_pleg_relist_duration_seconds_bucket|kubelet_runtime_operations_errors_total|kube_pod_container_status_waiting_reason|kube_replicaset_owner|kube_resourcequota|kube_pod_info|kubelet_pleg_relist_duration_seconds_count|kube_deployment_status_replicas_available|cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests|kubelet_running_pods|kube_statefulset_status_replicas_updated|kube_deployment_status_replicas_updated|kube_job_spec_completions|kube_daemonset
_status_number_misscheduled|kubelet_certificate_manager_server_ttl_seconds|container_network_transmit_bytes_total|container_memory_cache|kubelet_volume_stats_capacity_bytes|node_namespace_pod_container:container_memory_cache|container_memory_rss|container_memory_swap|storage_operation_duration_seconds_count|kube_replicaset.*|kube_pod_owner|cluster:namespace:pod_memory:active:kube_pod_container_resource_limits|kubelet_volume_stats_inodes|kube_daemonset_status_desired_number_scheduled|kube_daemonset_status_updated_number_scheduled|kube_statefulset.*|kube_node_info|go_goroutines|kubelet_pod_worker_duration_seconds_bucket|kubelet_node_config_error|container_cpu_cfs_periods_total|kubelet_pleg_relist_interval_seconds_bucket|kube_job.*|container_network_receive_packets_total|container_fs_writes_bytes_total|kubelet_running_pod_count|kube_deployment_spec_replicas|up|kube_node_status_capacity|namespace_cpu:kube_pod_container_resource_requests:sum|node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate|container_memory_working_set_bytes|kubelet_node_name|node_namespace_pod_container:container_memory_rss|storage_operation_errors_total|kube_statefulset_metadata_generation|container_network_transmit_packets_total|kubelet_runtime_operations_total|kube_statefulset_status_observed_generation|kube_horizontalpodautoscaler_status_current_replicas|kubernetes_build_info|kubelet_certificate_manager_client_expiration_renew_errors|kube_job_failed|namespace_workload_pod|node_namespace_pod_container:container_memory_working_set_bytes|kube_statefulset_replicas|kube_deployment_status_observed_generation|kube_pod_container_status_restarts_total|kube_daemonset_status_current_number_scheduled|kube_pod_start_time|namespace_memory:kube_pod_container_resource_limits:sum|container_network_transmit_packets_dropped_total|rest_client_requests_total|kube_deployment_metadata_generation|kube_statefulset_status_update_revision|kube_job_status_succeeded|kube_horizontalpodautoscaler_spec_min_r
eplicas|kube_statefulset_status_current_revision|node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile|kube_node_status_condition
# action: keep
# relabel_configs:
# - action: keep
# regex: kube-state-metrics
# source_labels:
# - __meta_kubernetes_pod_label_app_kubernetes_io_name
integrations:
eventhandler:
cache_path: /var/lib/agent/eventhandler.cache
logs_instance: integrations
logs:
configs:
- name: integrations
clients:
- url: https://logs-prod3.grafana.net/loki/api/v1/push
basic_auth:
username: 220681
password: ${ssm:/k3s/prod/monitoring/grafana-cloud/password}
external_labels:
cluster: cloud
job: integrations/kubernetes/eventhandler
positions:
filename: /tmp/positions.yaml
target_config:
sync_period: 10s


@ -1,9 +0,0 @@
[auth.generic_oauth]
enabled = true
allow_sign_up = false
client_id = 5yCpX9YovdrEuBpy69438S8GzCUJZLxqFl4rOcIpjBHICRpJzjv56VMxslKj7iqm
client_secret = ${ssm:/k3s/prod/nextcloud/oidc/grafana/client_secret}
scopes = openid profile email
auth_url = https://cloud.badjware.dev/apps/oidc/authorize
token_url = https://cloud.badjware.dev/apps/oidc/token
api_url = https://cloud.badjware.dev/apps/oidc/userinfo


@ -39,9 +39,11 @@ configMapGenerator:
- GITEA_EXTERNAL_HOST=code.badjware.dev
- GITEA_EXTERNAL_URL=https://code.badjware.dev
- GRAFANA_EXTERNAL_HOST=grafana.badjware.dev
- GRAFANA_EXTERNAL_URL=https://grafana.badjware.dev
- DRONE_EXTERNAL_HOST=drone.badjware.dev
- NEXTCLOUD_EXTERNAL_HOST=cloud.badjware.dev
- GRAFANA_EXTERNAL_HOST=grafana.badjware.dev
- PROMETHEUS_EXTERNAL_HOST=prometheus.badjnet.home
# - name: ecommerce-exporter-config
# namespace: monitoring
@ -50,53 +52,6 @@ configMapGenerator:
# - ecommerce-exporter.yml=configurations/ecommerce-exporter/ecommerce-exporter.yml
secretGenerator:
- name: drone-secret
type: Opaque
namespace: gitea
behavior: replace
literals:
- rpc_secret=${ssm:/k3s/prod/drone/gitea/rpc_secret}
- database_secret=${ssm:/k3s/prod/drone/gitea/database_secret}
# https://docs.drone.io/server/provider/gitea/
- name: drone-gitea-oauth-secret
type: Opaque
namespace: gitea
behavior: replace
literals:
- client_id=${ssm:/k3s/prod/drone/gitea/client_id}
- client_secret=${ssm:/k3s/prod/drone/gitea/client_secret}
- name: postgres-credentials
type: Opaque
namespace: nextcloud
behavior: replace
literals:
- database=nextcloud
- username=nextcloud
- password=${ssm:/k3s/prod/nextcloud/postgres/password}
- name: redis-credentials
type: Opaque
namespace: nextcloud
behavior: replace
literals:
- password=${ssm:/k3s/prod/nextcloud/redis/password}
- name: grafana-agent
namespace: monitoring
behavior: replace
files:
- agent.yaml=configurations/grafana-agent/agent.yaml
- name: grafana-config
type: Opaque
namespace: monitoring
behavior: replace
files:
- custom.ini=configurations/grafana/custom.ini
# - name: grafana-cloud-credentials
# type: Opaque
# namespace: monitoring
# behavior: replace
# literals:
# - username=${ssm:/k3s/prod/monitoring/grafana-cloud/username}
# - password=${ssm:/k3s/prod/monitoring/grafana-cloud/password}
- name: additional-scrape-configs
type: Opaque
namespace: monitoring
@ -108,9 +63,6 @@ secretGenerator:
commonLabels:
app.kubernetes.io/managed-by: kustomize
transformers:
- transformers/ssm-secrets.yaml
patchesJson6902:
- target:
version: v1
@ -157,6 +109,36 @@ replacements:
namespace: gitea
fieldPaths:
- spec.template.spec.containers.0.env.0.value
- source:
kind: ConfigMap
name: replacements
namespace: default
fieldPath: data.GRAFANA_EXTERNAL_HOST
targets:
- select:
kind: Ingress
name: grafana
namespace: monitoring
fieldPaths:
- spec.rules.0.host
- select:
kind: Deployment
name: grafana
namespace: monitoring
fieldPaths:
- spec.template.spec.containers.0.env.0.value
- source:
kind: ConfigMap
name: replacements
namespace: default
fieldPath: data.GRAFANA_EXTERNAL_URL
targets:
- select:
kind: Deployment
name: grafana
namespace: monitoring
fieldPaths:
- spec.template.spec.containers.0.env.1.value
- source:
kind: ConfigMap
name: replacements
@ -199,18 +181,6 @@ replacements:
namespace: nextcloud
fieldPaths:
- spec.rules.0.host
- source:
kind: ConfigMap
name: replacements
namespace: default
fieldPath: data.GRAFANA_EXTERNAL_HOST
targets:
- select:
kind: Ingress
name: grafana
namespace: monitoring
fieldPaths:
- spec.rules.0.host
- source:
kind: ConfigMap
name: replacements
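Review bot: The new grafana replacements target `spec.template.spec.containers.0.env.0.value` and `env.1.value` by position, so reordering or inserting an environment variable in grafana-deployment.yaml silently rewrites the wrong variable with the external host or URL; the gitea target above already uses the same positional pattern. A comment next to each index naming the variable it is meant to hit keeps the coupling visible, e.g. `- spec.template.spec.containers.0.env.1.value  # <ENV_VAR_NAME> in grafana-deployment.yaml`. The replacements list continues outside this hunk.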


@ -1,6 +0,0 @@
apiVersion: badjware/v1
kind: SSMParameterPlaceholderTransformer
metadata:
name: ssm-parameter
resourceSelectors:
- kind: Secret

@ -1 +0,0 @@
Subproject commit 323a2f9a62df1215b3bb4d60a0ebdd1a0bc15c0f


@ -4,6 +4,7 @@
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameterWithContext",
"ssm:ListTagsForResourceWithContext",
"ssm:DescribeParametersWithContext"
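Review bot: Alongside the added `ssm:GetParameter`, the three existing `*WithContext` entries look like AWS SDK method names rather than IAM actions; as far as I know IAM defines no such actions, so they grant nothing and only obscure what the role can actually do. If that is confirmed, keep `ssm:GetParameter` (the call external-secrets uses to read a single parameter) and drop the others or replace them with the real `ssm:DescribeParameters` / `ssm:ListTagsForResource` only if the provider is found to need them. The policy statement continues outside this hunk.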