Start refactoring

2023-10-23 22:16:51 +02:00
parent e54ea10a13
commit 8953975205
69 changed files with 3028 additions and 0 deletions
--- a/helmfile/etersoft/helmfile.yaml
+++ b/helmfile/etersoft/helmfile.yaml
@@ -0,0 +1,5 @@
+---
+
+bases:
+  - ../environments.yaml
+  - ../repositories.yaml
--- a/helmfile/etersoft/values/secrets.minio.yaml
+++ b/helmfile/etersoft/values/secrets.minio.yaml
@@ -0,0 +1,38 @@
+rootPassword: ENC[AES256_GCM,data:s38LHPKR4UsJE2MvlvIuKllZsYGZxcwssbqMWoPqo11j,iv:iredmR6yFSMxmS7NFwz5kLUxPWdSIImYRLRkICr7sJQ=,tag:Gb+rMEBrVX4dDS+N/quHyA==,type:str]
+users:
+    - accessKey: ENC[AES256_GCM,data:J3pNKKmaius=,iv:Mjbx//mHSfVM4NEsOCdPMw7nZ5N2J1rg/IE8JZxzZ30=,tag:sX3OuZ3RodAn8znacBTu4A==,type:str]
+      secretKey: ENC[AES256_GCM,data:f4PO+T8IRvw5yhFz9Twf3h6vxw==,iv:13ekjlbaTZYDyhMQeM0oJ7/U53ZfhVX/AP20FUnVQ/A=,tag:ZR1YkIl9/6iyWm6leLvQcA==,type:str]
+      policy: ENC[AES256_GCM,data:mjGhLyvFBU5n6ePk,iv:v/ECOoGcnHGjuLgqMZ8yVTLPqdvn1HBVVAaUiD5fBT0=,tag:3tS26PT1Gg8kHUTfSSUH+g==,type:str]
+    - accessKey: ENC[AES256_GCM,data:mavKbC9T,iv:gfiilFHH9P3/UUTfjo/kl4r/tcMFN3/J1KyMF+3gY24=,tag:JEhrPdUjeBasQyrsduif9w==,type:str]
+      secretKey: ENC[AES256_GCM,data:kUs0AzmT/DCLqQEuF9Y=,iv:HoilTHkjITFUREb74y4JAl4YDWHz64XxTvVvKCGE6AE=,tag:bzw9XRz6C4BgB/4mYAf5jg==,type:str]
+      policy: ENC[AES256_GCM,data:DbIQFNub,iv:NB+PF0acEGFls9BNeQFm+00V1kX+5N7UGJFnhb8DUAU=,tag:tQSO5L0G5Vy51nVD/EKHmw==,type:str]
+oidc:
+    enabled: ENC[AES256_GCM,data:AJwlxQ==,iv:e8Y4xI9VW7R64o5y2TYrMRnL92+RCzFaoF9v4wHDTlc=,tag:T0iZj9cCBxaF444+xuvKuA==,type:bool]
+    configUrl: ENC[AES256_GCM,data:UHLEsZwSGwNEV9r6wpiw4lLsMOLxJ6QfHKrrP2oduJE+YG7hImEljrO+/kPSUOgWMGgtXIjT/VLYw7xhW+TL,iv:v6bXPeKMho108y+kErL71RvqlfL0YEUtAaexITN6arY=,tag:r/oglMJVU2J2s3mEgjP+dA==,type:str]
+    clientId: ENC[AES256_GCM,data:39mFCS47/yw1lGxvDs7nLkk941qPaHUMgGBgtcqmJukGMfJK,iv:rfE/1ukQAO8geJVIJQOQaXmn37DfhDMR/t7Ghwd093A=,tag:SDz4TVKiMY+bXAtfrm17/Q==,type:str]
+    clientSecret: ENC[AES256_GCM,data:KcamhnHBTErbSS6dR7W+suwV5q13yXqZAUBYhKJ5Kj3t14dp6VDHoYc1Dwyt+hebFz0BYYbRA9g=,iv:hOhGu/lRjsEsEz4f6Wnkds6HNq3DnvM+GsJOAz1fOds=,tag:aQ4+xPDgg/2op+NQl7jhSg==,type:str]
+    claimName: ENC[AES256_GCM,data:UUrHhIFP,iv:dKg4zBykxhEKeG40a1eSWRYTyzpb5kBmzhEaULFgSII=,tag:3vfbgsoKkNF2Tmwx3Wi56w==,type:str]
+    redirectUri: ENC[AES256_GCM,data:evZK5yq5syKOsTqeqICTWLTq96AXTKftwDdbPYP9Na67N7I12P+jK8k1zKswHQY=,iv:L5AmYGkO2lyU4ytjyMOmuWDg4GtbeoTzcEdZF7WP+es=,tag:BF8AZUJ39+xICfrdNsY9iQ==,type:str]
+    comment: ENC[AES256_GCM,data:4h455QlIXewffU2bSKihkg==,iv:p5WRTZfAUgqbF/XpIlaLuUIhQhMWxgs0MW6cqNOiOtg=,tag:yk6CHXx7E8XBY3dath9ezQ==,type:str]
+    claimPrefix: ""
+    scopes: ENC[AES256_GCM,data:6DDclrvw1aAnE7KqMYcevELx/VUrQxUq/+my,iv:BUT/J2uFueDxUCdlylJgJ6cBn52fVAV6r+dGYUg+gx8=,tag:sAXpt6zqNi4kwdfYm5J75A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaeWFCZlp0VTdkNjV5VDkz
+            QVErMnVJM1hHbXZERnM5b1hvQWdRQ1N3SmpRCmpCaUkyc3pzRm0yTGZtQ3I5b21I
+            R3g5T2hKZzNxZmVKVHNoZU1RaTZlamMKLS0tIDlIUVBLSFVZOElZaktjK0xRYjJa
+            UmdLL0NqWVpuNXBYRENEeTltdFVLREUKrwPN2daokcqABFVXjYCbNyCA0zdMCYh6
+            vzTTtNV718OAPQKgl3Ho2c5nhhQcWy5YlWPfGMUklZhocXsAvMXS/g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-03-26T11:56:18Z"
+    mac: ENC[AES256_GCM,data:oiaqwWDTTSvdGZxcLqAJrLkF+jNL2PfOOrTFtO2Arry1LehiGeXqNiqlHTd5IvnB/LrU9vGv5SjDrq+FRycfceai8O5hW8aGBXqCSZANIx7cpCJqtm1ErNAm8yw+K5rq/WeRKEySszNx7QtSZiM9ufo/GIAZMZgcd/bqFdm6oXE=,iv:s+uHg40NPT3kjwHnRIu3udkbm3gE36JMzPFhM6NdT/4=,tag:Q97lA8fRcPr5kGZEUbmhxQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/helmfile/etersoft/values/values.istio-ingressgateway.yaml
+++ b/helmfile/etersoft/values/values.istio-ingressgateway.yaml
@@ -0,0 +1,21 @@
+---
+service:
+  type: LoadBalancer
+  ports:
+  - name: status-port
+    port: 15021
+    protocol: TCP
+    targetPort: 15021
+  - name: http2
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: 443
+  - name: openvpn
+    port: 1194
+    protocol: TCP
+    targetPort: 1194
+
--- a/helmfile/etersoft/values/values.istiod.yaml
+++ b/helmfile/etersoft/values/values.istiod.yaml
@@ -0,0 +1,7 @@
+---
+pilot:
+  resources:
+    requests:
+      cpu: 50m
+      memory: 256Mi
+
--- a/helmfile/etersoft/values/values.minio.yaml
+++ b/helmfile/etersoft/values/values.minio.yaml
@@ -0,0 +1,94 @@
+---
+# ------------------------------------------
+# -- Istio extenstion. Just because I'm
+# --  not using ingress nginx
+# ------------------------------------------
+istio:
+  enabled: true
+  istio:
+    - name: minio-http
+      gateway: badhouseplants-net
+      kind: http
+      hostname: min.e.badhouseplants.net
+      service: minio-console
+      port: 9001
+    - name: s3-http
+      gateway: badhouseplants-net
+      kind: http
+      hostname: s3.e.badhouseplants.net
+      service: minio
+      port: 9000
+rootUser: 'overlord'
+replicas: 1
+mode: standalone
+environment:
+  MINIO_SERVER_URL: "https://s3.e.badhouseplants.net:443"
+tls:
+  enabled: false
+  certSecret: ''
+  publicCrt: public.crt
+  privateKey: private.key
+persistence:
+  enabled: true
+  accessMode: ReadWriteOnce
+  size: 30Gi
+service:
+  type: ClusterIP
+  clusterIP: ~
+  port: '9000'
+consoleService:
+  type: ClusterIP
+  clusterIP: ~
+  port: '9001'
+resources:
+  requests:
+    memory: 0.7Gi
+policies:
+  - name: badhouseplants:owners
+    statements:
+      - resources:
+          - 'arn:aws:s3:::*'
+        actions:
+          - "s3:*"
+      - resources: []
+        actions:
+          - "admin:*"
+      - resources: []
+        actions:
+          - "kms:*"
+  - name: badhouseplants
+    statements:
+      - resources:
+          - 'arn:aws:s3:::badhouseplants-net'
+        actions:
+          - "s3:*"
+      - resources:
+          - 'arn:aws:s3:::badhouseplants-net/*'
+        actions:
+          - "s3:*"
+  - name: backup
+    statements:
+    - resources:
+        - 'arn:aws:s3:::longhorn/*'
+        - 'arn:aws:s3:::longhorn'
+        - 'arn:aws:s3:::restic/*'
+        - 'arn:aws:s3:::restic'
+      actions:
+        - "s3:DeleteObject"
+        - "s3:GetObject"
+        - "s3:ListBucket"
+        - "s3:PutObject"
+buckets:
+  - name: longhorn
+    policy: none
+    purge: false
+    versioning: false
+  - name: restic
+    policy: none
+    purge: false
+    versioning: false
+metrics:
+  serviceMonitor:
+    enabled: false
+    public: true
+    additionalLabels: {}
--- a/helmfile/etersoft/values/values.openvpn.yaml
+++ b/helmfile/etersoft/values/values.openvpn.yaml
@@ -0,0 +1,43 @@
+---
+# ------------------------------------------
+# -- Istio extenstion. Just because I'm
+# --  not using ingress nginx
+# ------------------------------------------
+istio:
+  enabled: true
+  istio:
+    - name: openvpn-tcp
+      gateway: etersoft-vpn
+      kind: tcp
+      port_match: 1194
+      hostname: "*"
+      service: openvpn
+      port: 1194
+
+storage:
+  class: microk8s-hostpath
+  size: 5Gi
+openvpn:
+  server: "tcp://91.232.225.63:1194"
+service:
+  type: ClusterIP
+  port: 1194
+  targetPort: 1194
+  protocol: TCP
+istio-resources:
+  enabled: true
+  gateways:
+    - metadata:
+        name: etersoft-vpn
+        namespace: istio-system
+      spec:
+        selector: 
+          istio: ingressgateway
+        servers: 
+          - hosts:
+              - '*'
+            port:
+              name: openvpn
+              number: 1194
+              protocol: TCP
+