From 06c11576f54507364fe9944ebceaac487e012ca3 Mon Sep 17 00:00:00 2001 From: Nikolai Rodionov Date: Fri, 5 Jul 2024 10:08:35 +0200 Subject: [PATCH] More changes --- badhouseplants/helmfile.yaml | 8 +++---- badhouseplants/values/secrets.authentik.yaml | 24 +++++++++++++++++++ badhouseplants/values/values.authentik.yaml | 10 +++++++- badhouseplants/values/values.namespaces.yaml | 11 +-------- badhouseplants/values/values.roles.yaml | 12 +++++++++- badhouseplants/values/values.traefik.yaml | 3 +++ .../values/values.woodpecker-ci.yaml | 23 ++---------------- etersoft/helmfile.yaml | 6 ++--- releases.yaml | 17 ++++++------- scripts/migrate_postgres.sh | 24 +++++++++---------- 10 files changed, 78 insertions(+), 60 deletions(-) create mode 100644 badhouseplants/values/secrets.authentik.yaml diff --git a/badhouseplants/helmfile.yaml b/badhouseplants/helmfile.yaml index 7fffed1..6402c1e 100644 --- a/badhouseplants/helmfile.yaml +++ b/badhouseplants/helmfile.yaml @@ -3,12 +3,12 @@ releases: - <<: *istio-base - installed: true + installed: false namespace: istio-system createNamespace: false - <<: *istiod - installed: true + installed: false namespace: istio-system createNamespace: false - <<: *namespaces @@ -29,7 +29,7 @@ releases: - <<: *argocd installed: true - namespace: argo-system + namespace: platform createNamespace: false - <<: *nrodionov @@ -82,7 +82,7 @@ releases: - <<: *woodpecker-ci installed: true - namespace: woodpecker-ci + namespace: platform createNamespace: true - <<: *vaultwarden diff --git a/badhouseplants/values/secrets.authentik.yaml b/badhouseplants/values/secrets.authentik.yaml new file mode 100644 index 0000000..3dc49a2 --- /dev/null +++ b/badhouseplants/values/secrets.authentik.yaml 
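Review bot: Setting `istio-base` and `istiod` to `installed: false` makes helmfile uninstall both on the next apply, but nothing in the commit shows what happens to the istio objects that remain: helm uninstall generally leaves the CRDs (and any `Gateway`, `VirtualService` or `PeerAuthentication` built on them) in place, while removing istiod stops the sidecar-injection webhook and policy enforcement, so a namespace still labelled for injection starts new pods without a proxy and any mesh mTLS policy silently stops being enforced. Before applying, confirm no namespace still carries `istio-injection=enabled` and no workload relies on mesh mTLS, and delete the leftover istio custom resources explicitly. The woodpecker istio extension removed in values.woodpecker-ci.yaml in this same commit suggests ingress has moved to traefik, but the istio extensions of the other charts are not visible here.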
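Review bot: The woodpecker-ci release keeps `createNamespace: true` while being moved into `platform`, which this commit also declares in values.namespaces.yaml and which argocd, moved into the same namespace in this file, uses with `createNamespace: false`. If woodpecker-ci applies before the namespaces release, helm creates `platform` bare, without whatever labels the namespaces chart would set (its behaviour is not visible here, but the existing entries in values.namespaces.yaml carry labels), and labels are exactly what pod-security admission keys on. Make the two consistent with `createNamespace: false` for woodpecker-ci so the namespaces release alone owns `platform`. Co-locating the CI server with ArgoCD also means any namespace-scoped RBAC granted to either now covers the other's Secrets; the pipeline backend namespace in values.woodpecker-ci.yaml is where that matters most.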
@@ -0,0 +1,24 @@ +authentik: + email: + password: ENC[AES256_GCM,data:j5JFI7KqO2dOjl0xi4KhvnF04tc=,iv:/YH+XId24X69lRXrp73ZhKGOcuEtXn/ZvqlJwMTgdRk=,tag:YBh/slhCstFpXxE4y05Viw==,type:str] + secret_key: ENC[AES256_GCM,data:zbs2HX75h3rITd/JRPVa60AhrWgDp/syWFttnadRyDJFFM4/6YFOUhJNcGGQis6Tz5Q=,iv:1iYOTqBU3WHNPBa5TpSwi6+h6IT8Joc6Z4c2UKY7xQ8=,tag:DcRfBP69i17zKFobMA3WFQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGK0hPSEY4d3N4QS9aM0h3 + NXRYZ1BMdXozVzdJWmlzWnIySXBwcHVrVUhrClgvRENGTHdJMnVsTjdSN2NseUtT + cjJ0emRObHdXTUhDejhhVEI1U0xvNlkKLS0tIHh2NGhzbGZDMm9ObDVxN1NYYS9u + WlhXbFVQbFZUNFlGWEhoVktxUXRuZUUKJNSS+vhG5McKrxvqCIT9dGivcReZOud7 + HEReDoZcf0+7c4JgnrcT0AvvTR5fHPnfveTkwHym3LHMYbZnIPueig== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-30T18:36:34Z" + mac: ENC[AES256_GCM,data:djXTiatawc1OuJ5VqfbR8wS2xKrvVZigGLyQa7tx6/zbgcP2yLQJvcYeZj6zHhQasFzaiNbD05Qz+9Td0ysxZuAnajQ+CaulnIOhy/FhaiiQFtqFTR7xEsFIiUBxTPEJkhVNlKTxzjJ1AX2dagiov75otC6jbueQqYTXaGGcdko=,iv:oWbWTUqlM1zQ7zfC5FZkNJJ8RxvM9+fvTWobgJCmLQE=,tag:7Jb9XBBq1OI0ghqOqxiJJA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/badhouseplants/values/values.authentik.yaml b/badhouseplants/values/values.authentik.yaml index be006ea..f6ac6bc 100644 --- a/badhouseplants/values/values.authentik.yaml +++ b/badhouseplants/values/values.authentik.yaml 
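Review bot: The file is encrypted to exactly one age recipient (`- recipient: age1vzkv…`) with every other backend empty (`kms: []`, `pgp: []`), so loss of that single private key makes `email.password` and `secret_key` unrecoverable and its holder is a single point of compromise. Add a second recipient, for example an offline break-glass key, through the repository's `.sops.yaml` creation rule and re-run `sops updatekeys` on this file. Also make sure the encrypted `secret_key` here is a freshly generated value and not the one this same commit writes in cleartext into values.authentik.yaml; `lastmodified: "2024-06-30T18:36:34Z"` predates the commit by five days, so it is worth checking which value was encrypted.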
@@ -13,12 +13,20 @@ ext-database: password: "{{ .Password }}" database: "{{ .Database }}" authentik: + email: + host: email.badhouseplants.net + port: 587 + username: bot@badhouseplants.net + use_tls: false + use_ssl: false + timeout: 30 + from: bot@badhouseplants.net postgresql: host: file:///postgres-creds/host user: file:///postgres-creds/username password: file:///postgres-creds/password name: file:///postgres-creds/database - secret_key: "TKSzEEQnu$^GKtHDMSVb!&Z8f5EuwTxC&^EZXeRKXWf%Vk53w5" + secret_key: "2Scv6ivCfV6uGRTx9Kg5CYJ2KjBRHpR8GqSBearnBYvBFZBwR7" # This sends anonymous usage-data, stack traces on errors and # performance data to authentik.error-reporting.a7k.io, and is fully opt-in error_reporting: diff --git a/badhouseplants/values/values.namespaces.yaml b/badhouseplants/values/values.namespaces.yaml index b4ef325..308aa7e 100644 --- a/badhouseplants/values/values.namespaces.yaml +++ b/badhouseplants/values/values.namespaces.yaml @@ -1,19 +1,10 @@ namespaces: - name: longhorn-system - name: minio-service - - name: argo-system - name: nrodionov-application - - name: minecraft-application - annotations: - badohouseplants.net/git-repo: | - https://git.badhouseplants.net/badhouseplants/minecraft-helmfile - badhouseplants.net/ci: | - https://ci.badhouseplants.net/repos/15 - - name: gitea-service - name: funkwhale-application - name: database-service - name: vaultwarden-application - - name: woodpecker-ci - name: openvpn-service - name: badhouseplants-main labels: @@ -23,5 +14,5 @@ namespaces: - name: databases - name: applications - name: development - - name: devops + - name: platform - name: games diff --git a/badhouseplants/values/values.roles.yaml b/badhouseplants/values/values.roles.yaml index 7fcd045..d98ce91 100644 --- a/badhouseplants/values/values.roles.yaml +++ b/badhouseplants/values/values.roles.yaml 
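Review bot: The new `secret_key: "2Scv6iv…"` is a plaintext credential committed to the repository, and the value it replaces stays in git history, so both must be treated as exposed; rotating one committed secret to another committed secret does not close the leak. This commit also adds secrets.authentik.yaml with a SOPS-encrypted `authentik.secret_key`, so delete the plaintext line from this file, generate a fresh key for the encrypted one rather than reusing either value seen here, and rely on the encrypted file alone (which of the two wins while both exist depends on the order helmfile merges the value files, which is not visible in this hunk). The SMTP block sets `port: 587` with `use_tls: false` and `use_ssl: false`, which sends the `bot@badhouseplants.net` password, the very `email.password` the encrypted file protects, and every outgoing mail to `email.badhouseplants.net` in cleartext; 587 is the STARTTLS submission port, so set `use_tls: true` (in authentik's Django-derived settings `use_tls` means STARTTLS and `use_ssl` means implicit TLS, and only one of them should be on).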
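Review bot: Dropping `argo-system`, `minecraft-application` and `woodpecker-ci` from the list is destructive if the namespaces chart deletes namespaces it no longer manages (its behaviour is not visible here): deleting a namespace removes every Secret, PVC and workload in it, so this should land only after the argocd and woodpecker-ci releases have been confirmed running in `platform`. The first role in values.roles.yaml still targets `minecraft-application` after this commit, so either that namespace is meant to survive or the role is now dangling; one of the two should change. A one-line comment above the list stating whether removal from this file deletes the live namespace would spare the next editor the same question.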
@@ -6,4 +6,14 @@ roles: - apiGroups: ["*"] resources: ["*"] verbs: ["*"] - namespace: ["minecraft-application"] + namespace: + - minecraft-application + - name: minecraft-admin + namespace: games + kind: Role + rules: + - apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] + namespace: + - games diff --git a/badhouseplants/values/values.traefik.yaml b/badhouseplants/values/values.traefik.yaml index bff1302..6ed9cbe 100644 --- a/badhouseplants/values/values.traefik.yaml +++ b/badhouseplants/values/values.traefik.yaml @@ -4,6 +4,9 @@ service: spec: externalTrafficPolicy: Local ports: + web: + redirectTo: + port: websecure ssh: port: 22 expose: diff --git a/badhouseplants/values/values.woodpecker-ci.yaml b/badhouseplants/values/values.woodpecker-ci.yaml index b559413..03a27a2 100644 --- a/badhouseplants/values/values.woodpecker-ci.yaml +++ b/badhouseplants/values/values.woodpecker-ci.yaml @@ -2,15 +2,6 @@ # -- Istio extenstion. Just because I'm # -- not using ingress nginx # ------------------------------------------ -istio: - enabled: true - istio: - - name: woodpecker-server-http - gateway: istio-system/badhouseplants-net - kind: http - hostname: ci.badhouseplants.net - service: woodpecker-ci-server - port: 80 ext-database: enabled: true name: woodpecker-postgres16 @@ -35,11 +26,6 @@ server: - secretName: woodpecker-tls-secret hosts: - ci.badhouseplants.net - #image: - # registry: git.badhouseplants.net - # repository: allanger/woodpecker-server - # pullPolicy: Always - # tag: icon enabled: true env: WOODPECKER_GITEA: true 
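Review bot: The new `minecraft-admin` role grants `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]` in `games`, which is total control of the namespace: reading every Secret, `pods/exec` into any pod, creating pods that mount any ServiceAccount there and minting `serviceaccounts/token` for them, and the wildcards extend automatically to any resource type the cluster gains later. Whoever is bound to it (the binding is not in this hunk) effectively holds every credential that ever lands in `games`. Unless the subject genuinely administers the namespace, enumerate what a game-server operator needs, for instance `apiGroups: ["", "apps"]`, `resources: ["pods", "pods/log", "services", "configmaps", "deployments", "statefulsets", "persistentvolumeclaims"]`, `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`; if it really must be admin, binding the built-in `edit` ClusterRole is more auditable than a hand-written wildcard and at least keeps it from granting itself more. The same remark applies to the first role in this file, whose wildcard rules begin before the hunk.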
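Review bot: Redirecting `web` to `websecure` closes the plain-HTTP path for new requests, but a redirect alone still lets the first request, and any cookie a client sends with it, travel in cleartext; pair it with HSTS on the `websecure` entrypoint so returning clients never touch port 80. In the traefik chart that is a headers middleware (`stsSeconds`, `stsIncludeSubdomains`) attached to the routers, and recent chart versions also accept `redirectTo.permanent: true` to issue a 301 instead of a 302; confirm the pinned chart version supports the map form of `redirectTo` used here before depending on either. The `service:` block this lives in starts before the hunk.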
@@ -50,21 +36,16 @@ server: WOODPECKER_ADMIN: "woodpecker,allanger" WOODPECKER_HOST: "https://ci.badhouseplants.net" WOODPECKER_ESCALATE: true - WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-ci + WOODPECKER_BACKEND_K8S_NAMESPACE: platform extraSecretNamesForEnvFrom: - woodpecker-postgres16-creds agent: - #image: - # registry: git.badhouseplants.net - # repository: allanger/woodpecker-agent - # pullPolicy: Always - # tag: dev enabled: true extraSecretNamesForEnvFrom: [] env: WOODPECKER_SERVER: woodpecker-ci-server:9000 WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 3Gi - WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-ci + WOODPECKER_BACKEND_K8S_NAMESPACE: platform WOODPECKER_BACKEND_K8S_STORAGE_CLASS: longhorn serviceAccount: create: true diff --git a/etersoft/helmfile.yaml b/etersoft/helmfile.yaml index 677999c..e496a6a 100644 --- a/etersoft/helmfile.yaml +++ b/etersoft/helmfile.yaml @@ -8,17 +8,17 @@ releases: createNamespace: false - <<: *istio-base - installed: true + installed: false namespace: istio-system createNamespace: false - <<: *istio-gateway - installed: true + installed: false namespace: istio-system createNamespace: false - <<: *istiod - installed: true + installed: false namespace: istio-system createNamespace: false diff --git a/releases.yaml b/releases.yaml index 5ba7a54..602870c 100644 --- a/releases.yaml +++ b/releases.yaml @@ -145,9 +145,9 @@ templates: cert-manager: &cert-manager name: cert-manager chart: jetstack/cert-manager - version: 1.15.0 + version: 1.15.1 set: - - name: installCRDs + - name: crds.enabled value: true longhorn: &longhorn name: longhorn @@ -159,7 +159,7 @@ templates: argocd: &argocd name: argocd chart: argo/argo-cd - version: 7.1.3 + version: 7.3.3 inherit: - template: default-env-values - template: default-env-secrets @@ -199,7 +199,7 @@ templates: istio-common: labels: bundle: istio - version: 1.22.0 + version: 1.22.2 istio-base: &istio-base name: istio-base 
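Review bot: `WOODPECKER_BACKEND_K8S_NAMESPACE: platform`, set on both server and agent, makes every pipeline step run as a pod in `platform`, the namespace this commit also moves ArgoCD into (badhouseplants/helmfile.yaml), while `WOODPECKER_ESCALATE: true` still permits privileged steps. The agent's service account (chart-managed, its RBAC not visible here) needs create/get/delete on pods and PVCs, and usually secrets, in that namespace, so its scope now includes ArgoCD's Secrets and pods, and a pipeline defined in any repository Woodpecker builds (with the Gitea integration, by anyone who can push to one) runs beside the cluster's deployment controller. Give pipelines a namespace of their own, `WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-pipelines` in both `env` blocks with the namespace added to values.namespaces.yaml, and keep `platform` for the server and ArgoCD; that also lets pod-security labels differ between the two. The `server:` block starts before this hunk.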
@@ -265,7 +265,7 @@ templates: nrodionov: &nrodionov name: nrodionov chart: bitnami/wordpress - version: 22.4.10 + version: 22.4.16 inherit: - template: default-env-values - template: default-env-secrets @@ -336,12 +336,12 @@ templates: db-operator: &db-operator name: db-operator chart: db-operator/db-operator - version: 1.25.0 + version: 1.27.1 db-instances: &db-instances name: db-instances chart: db-operator/db-instances - version: 2.3.1 + version: 2.3.4 inherit: - template: default-env-values - template: default-env-secrets @@ -349,7 +349,7 @@ templates: mysql: &mysql name: mysql chart: bitnami/mysql - version: 11.1.2 + version: 11.1.4 inherit: - template: default-env-values - template: default-env-secrets @@ -465,4 +465,5 @@ templates: createNamespace: false inherit: - template: default-env-values + - template: default-env-secrets - template: ext-database diff --git a/scripts/migrate_postgres.sh b/scripts/migrate_postgres.sh index 3c6c971..321f653 100644 --- a/scripts/migrate_postgres.sh +++ b/scripts/migrate_postgres.sh 
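Review bot: Adding `default-env-secrets` after `default-env-values` to this template, whose name begins before the hunk (presumably authentik, since this commit is what adds secrets.authentik.yaml), means that if the templates append to `values:` in inherit order the encrypted file is merged last and its `authentik.secret_key` overrides the plaintext one in values.authentik.yaml. That is the right order, but it also makes the plaintext key dead configuration that is still a second copy of a secret in git; remove it from values.authentik.yaml rather than relying on precedence. A short comment on the template, `# secrets.<name>.yaml is merged after values.<name>.yaml and wins on conflict`, would make that precedence explicit for the other releases that inherit both.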
@@ -5,18 +5,18 @@ export PGDATABASE=$OLD_PGDATABASE export PGPORT=$OLD_PGPORT export PGUSER=$OLD_PGUSER DUMP_FILE=/tmp/$PGDATABASE.dump -pg_dump $PGDATABASE --no-owner --no-privileges -Fc -f $DUMP_FILE -vvv - -export PGHOST=$NEW_PGHOST -export PGPASSWORD=$NEW_PGPASSWORD -export PGDATABASE=$NEW_PGDATABASE -export PGPORT=$NEW_PGPORT -export PGUSER=$NEW_PGUSER -pg_restore --no-owner --no-privileges -d $PGDATABASE -Fc $DUMP_FILE -vvv - -psql -c "GRANT ALL PRIVILEGES ON DATABASE \"${PGDATABASE}\" to \"${PGDATABASE}\"" -psql -c "GRANT ALL ON SCHEMA public to \"${PGDATABASE}\"" -psql -c "GRANT ALL ON ALL TABLES IN SCHEMA public TO \"${PGDATABASE}\"" +#pg_dump $PGDATABASE --no-owner --no-privileges -Fc -f $DUMP_FILE -vvv +# +#export PGHOST=$NEW_PGHOST +#export PGPASSWORD=$NEW_PGPASSWORD +#export PGDATABASE=$NEW_PGDATABASE +#export PGPORT=$NEW_PGPORT +#export PGUSER=$NEW_PGUSER +#pg_restore --no-owner --no-privileges -d $PGDATABASE -Fc $DUMP_FILE -vvv +# +#psql -c "GRANT ALL PRIVILEGES ON DATABASE \"${PGDATABASE}\" to \"${PGDATABASE}\"" +#psql -c "GRANT ALL ON SCHEMA public to \"${PGDATABASE}\"" +#psql -c "GRANT ALL ON ALL TABLES IN SCHEMA public TO \"${PGDATABASE}\"" rm -f /tmp/output
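Review bot: With the dump and restore body commented out, the script now only exports connection variables and runs `rm -f /tmp/output`, a file nothing in this hunk writes, while `DUMP_FILE=/tmp/$PGDATABASE.dump`, the complete database dump in the version that ran, was never removed even before this change, and a predictable name in `/tmp` created under the default umask is readable by every local user. If the body is only parked temporarily, guard it with a variable instead of comments and clean the dump up on exit: `umask 077`, `DUMP_FILE=$(mktemp "/tmp/${PGDATABASE}.dump.XXXXXX")`, `trap 'rm -f "$DUMP_FILE"' EXIT`; quote `$DUMP_FILE` and `$PGDATABASE` in the pg_dump/pg_restore/psql lines when they are restored. The script's first four lines, presumably including the `export PGPASSWORD=$OLD_PGPASSWORD` that the commented `#export PGPASSWORD=$NEW_PGPASSWORD` mirrors, are outside the hunk; note that passwords passed via `PGPASSWORD` are visible in the process environment, and a `~/.pgpass` or `PGPASSFILE` avoids that.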