From b413d381cc3c56069c320d4af5e1d36bc16e893b Mon Sep 17 00:00:00 2001 From: Nikolai Rodionov Date: Mon, 3 Mar 2025 09:58:44 +0100 Subject: [PATCH] Fox some things --- common/environments.yaml | 46 ------- .../applications/helmfile-badhouseplants.yaml | 4 +- .../applications/helmfile-etersoft.yaml | 1 - .../kyverno/etersoft/pvc-patch.yaml | 4 +- .../app-vaultwarden/secrets.yaml | 26 ++-- values/badhouseplants/values.traefik.yaml | 12 +- values/etersoft/secrets.vaultwardentest.yaml | 34 +++-- values/etersoft/values.external-dns.yaml | 8 +- values/etersoft/values.vaultwardentest.yaml | 117 +++++------------- 9 files changed, 78 insertions(+), 174 deletions(-) diff --git a/common/environments.yaml b/common/environments.yaml index db23ea9..7841f50 100644 --- a/common/environments.yaml +++ b/common/environments.yaml @@ -41,52 +41,6 @@ environments: enabled: false - redis: enabled: false - - postgres16: - enabled: true - - istio: - enabled: false - xray-1: - kubeContext: xray-1 - values: - - base: - enabled: false - - velero: - enabled: false - - workload: - enabled: false - - backups: - enabled: false - - openebs: - enabled: false - - localpath: - enabled: false - - postgres17: - enabled: false - - redis: - enabled: false - - postgres16: - enabled: false - - istio: - enabled: false - xray-2: - kubeContext: xray-2 - values: - - base: - enabled: false - - velero: - enabled: false - - workload: - enabled: false - - backups: - enabled: false - - openebs: - enabled: false - - localpath: - enabled: false - - postgres17: - enabled: false - - redis: - enabled: false - postgres16: enabled: false - istio: diff --git a/installations/applications/helmfile-badhouseplants.yaml b/installations/applications/helmfile-badhouseplants.yaml index 01c8d31..7883c48 100644 --- a/installations/applications/helmfile-badhouseplants.yaml +++ b/installations/applications/helmfile-badhouseplants.yaml 
@@ -54,7 +54,7 @@ releases:
 - name: navidrome
 chart: allangers-charts/navidrome
 namespace: applications
- version: 0.3.0
+ version: 0.4.0
 inherit:
 - template: default-env-values
 - template: ext-traefik-middleware
@@ -62,7 +62,7 @@ releases:
 - name: navidrome-private
 chart: allangers-charts/navidrome
 namespace: applications
- version: 0.3.0
+ version: 0.4.0
 inherit:
 - template: default-env-values
 - template: default-env-secrets
diff --git a/installations/applications/helmfile-etersoft.yaml b/installations/applications/helmfile-etersoft.yaml
index 7e0331c..0c7fdca 100644
--- a/installations/applications/helmfile-etersoft.yaml
+++ b/installations/applications/helmfile-etersoft.yaml
@@ -26,7 +26,6 @@ releases: inherit: - template: default-env-values - template: default-env-secrets - - template: ext-database - name: external-service-xray chart: ../../kustomizations/external-service-xray
diff --git a/kustomizations/kyverno/etersoft/pvc-patch.yaml b/kustomizations/kyverno/etersoft/pvc-patch.yaml
index 78d4338..fa9f33e 100644
--- a/kustomizations/kyverno/etersoft/pvc-patch.yaml
+++ b/kustomizations/kyverno/etersoft/pvc-patch.yaml
@@ -1,7 +1,7 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: replace-storage-class-by-openebs
+ name: append-node-name-to-pvc
 spec:
 rules:
 - name: replace-storage-class
@@ -11,7 +11,7 @@ spec:
 kinds:
 - PersistentVolumeClaim
 namespaces:
- - application
+ - applications
 - platform
 mutate:
 patchStrategicMerge:
diff --git a/values/badhouseplants/org-badhouseplants/app-vaultwarden/secrets.yaml b/values/badhouseplants/org-badhouseplants/app-vaultwarden/secrets.yaml
index d4424ae..e186fc4 100644
--- a/values/badhouseplants/org-badhouseplants/app-vaultwarden/secrets.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-vaultwarden/secrets.yaml
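Review bot: The ClusterPolicy is renamed to `append-node-name-to-pvc` while its only visible rule keeps the name `replace-storage-class`, so the object now describes itself two different ways; rename the rule to match (`- name: append-node-name`) or keep the old policy name. Changing `metadata.name` also creates a new ClusterPolicy instead of updating the existing one, so unless this kustomization is applied with pruning, `replace-storage-class-by-openebs` stays in the cluster and both mutations run on every PVC admitted in `applications` and `platform`; delete the old object explicitly as part of this change. The `patchStrategicMerge` body that the rule applies is outside the hunk.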
@@ -1,14 +1,14 @@ config: env: secrets: - enabled: ENC[AES256_GCM,data:3uyfgg==,iv:h0lDQcBUq7dGkoEUrbpYUIH3WMjLCTfeuyWN3dor4Fc=,tag:haDg+tn+P4byTBu9Ubo7lg==,type:bool] - sensitive: ENC[AES256_GCM,data:++ogyA==,iv:pGxb1rjvB6/P2xb0UiP8EkfRlaGWRjkIkcquhSBoGK0=,tag:6MKBUdow2ncGBTIKqipSQA==,type:bool] + enabled: ENC[AES256_GCM,data:C4TSoQ==,iv:kG2QtaNWHSc2sdhzo8HnMnPE0Mixqs1dvFsAcke/Gw4=,tag:HhbVmIw5RQ9hipQqZ5J2pw==,type:bool] + sensitive: ENC[AES256_GCM,data:0wVOUg==,iv:FGxAd9h2e0LeWukZR/THhCscF3FWoK4dnkrX1mqSC+A=,tag:0rpeedT6x2V79WB5xRNbuA==,type:bool] data: - SMTP_USERNAME: ENC[AES256_GCM,data:N+Br,iv:PCsBwchLQ1cHaLXTM3xoMyrZYMHC/u0jky6LE8SEhh4=,tag:RmgPoHblCVy2SxG0SxK3Hw==,type:str] - ADMIN_PASSWORD: ENC[AES256_GCM,data:BKHlDha9Ce+tZxHrfDgTxExSkAHlrjQxIw==,iv:kNqYZP1EItbzvBJK4eaDrdm2FMTrv8K/AjMLuH2oABY=,tag:en3UXFjjzQFpty5UNhsYwg==,type:str] - ADMIN_TOKEN: ENC[AES256_GCM,data:Hl3d5pEWQaiR8b3u/ue1yvDInneH4VY10XgBb+D7M6lxPGDkFgJHoocsw+ZB3N+nK+JSvdeblA65z4H3fVxpMS8Bs8dtAXHjW6k=,iv:D/04/1IiW3Bs/IpOlbhP+mSOyon5TtPatNmS5437lBo=,tag:AO7f1NGMDRVsg/e6iLUxBg==,type:str] + SMTP_USERNAME: ENC[AES256_GCM,data:82zb,iv:Z89+Wt6jGMQTZ73ghk1Ey504WYt2Li9XQ2gaH0SB8tI=,tag:RmqHxghik75E9LAABzyVxA==,type:str] + ADMIN_PASSWORD: ENC[AES256_GCM,data:ELi8dtNa/OhQKgrXbrgwHK95ntZjyzRSvQ==,iv:IVZbXZlFyCRMc3bW81Ak9UdjeGke0px9mGqrmaW7EHk=,tag:9xli08c0pqnxu2ktTbCMcg==,type:str] + ADMIN_TOKEN: ENC[AES256_GCM,data:CAAalqRcu9vsM1bjC76enJCSX/tc7yOd48mxGV0d5rTFxQz08b4JVhKyMzl7BRog7+PMtJkkTnRIXZHgj31FqhRylmHyuAn3iPc=,iv:PpZvZMhOEt6ecdkBcvAOSz+eZktPAzaAlYNjBSgiN/w=,tag:apHKw66HG7TYnpBNVyM7xA==,type:str] DATABASE_URL: null - SMTP_PASSWORD: ENC[AES256_GCM,data:WFsNwHisslATr9wgiDJrwRycr9xFckGGJA==,iv:tz7kOZuwwJOBpToJMtEIqKH6CS+8lNgHKzp8wdyRHq0=,tag:0dQ/qB9AAhxT4Bw2W4uQ+Q==,type:str] + SMTP_PASSWORD: ENC[AES256_GCM,data:g212PzN9/4hxBKMAWFNiR0qAnPPK/tkffg==,iv:1l6dikIQGSjznW9MsaCTdz0wLJmAhiL0ZOdN2J4Q0yA=,tag:tNbPdORUa6IBWgh0HHaNjA==,type:str] sops: kms: [] gcp_kms: [] 
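Review bot: Every value in this hunk changed at once, and the age stanza in the next hunk shows the file's data key was regenerated, so the diff cannot tell a reviewer whether `ADMIN_TOKEN`, `ADMIN_PASSWORD` and `SMTP_PASSWORD` were actually rotated or merely re-encrypted; the commit message ("Fox some things") should say which, and comparing `sops -d` output of both revisions is the only way to check. `ADMIN_PASSWORD` is not a setting Vaultwarden reads (it reads `ADMIN_TOKEN`), so unless the chart consumes that key it is an extra secret injected into the container environment for nothing, and if it is the plaintext the token was derived from it should not live next to it. AES-GCM ciphertext has the same length as its plaintext, and the `ADMIN_TOKEN` value here decodes to about 74 bytes, shorter than the argon2 PHC string that `vaultwarden hash` produces, which suggests a raw token; if so, replace it with the hashed form so reading the Secret does not directly yield admin-panel access.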
@@ -18,14 +18,14 @@ sops: - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQkRvRGRNWWcrbXk4SG1B - bCt0TFg4cUhjbTU3RzNSbTVKbVFhWkVGRlFvCndUbW5jWWhKZ256RWZkN3RQZnhJ - ZEc0NkNTRk5rYjhpVjhWZXdGZmdrc0UKLS0tIGpncTNyaXZGMTVubmZIS0pmWWRa - cG5FRVRpSEo4ektGclJyc1BjVVZGL2cKk6T/GQ6yuH/fejE4/RIaPhqnDFQSdvOl - 5Vts8+3J+x23HxXSzSuscz4JTuFiaLHWRi1I40yV9qpwSoy5D76sqw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoLys3dkJDK2lrQ0d4ZlJi + eFRTSmx1RUtZRnpxdkNvVFFCeXl6dDcvWXdvCitoNkcwVFFxRVJ6dkNUbGVPb1pU + b3E4ZjZibFF6QytNdUhXNDFLZXRpSEUKLS0tIHpZTmFXNnptVzJmZFhIU2haRWhR + UjNEN1BlREFVak1xdmQzaFY1dHVyM3cKuvMIrQUL1cuw3Odz/Cv+kZV9ZZzBozSW + XimhDSkxNrH5OsGC1Jxz/8JOv8abBs4NROzffVdyqtZZzXOLzw3mJQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-20T13:25:53Z" - mac: ENC[AES256_GCM,data:uS8xrENKnhTCPgSHYSqwssYaWNsvPgwG1zabR/GIrVnMxUQlOUnUP6G1cC8ELQ9Zx79sEUW/X+nZOOeSiggHWBgh3XQNJRIXO8OUz4El+9yoXaTr0mfU72e3KtpWZ2xxOQoVBD3mRVACSuNbfwL/qQEx8L8bYfEghZ35dMld8f0=,iv:MEJ5MNb3og993Z3JoL7gidcX8YdW288PbYaBl3g+Aqo=,tag:JuCvgkrdziwOeVsAxfKcPw==,type:str] + lastmodified: "2025-03-02T08:58:16Z" + mac: ENC[AES256_GCM,data:px+D6tlAZU6GzlE8/jLc0BaPyRwsfE1jRROy2mX7bhFTIW3lZqt/zangO46fFH5hXZjY5wLNIktCDbawIbUFwAp0vrmXxctZoAftl9hpdtW6ann3yfyv3pdcs7/BKu3s5QUswx6D13iLU0dvzyG4vGcQNmKpxuPQYLuDp2o74hM=,iv:2Y+wsS7QcgQ/8umZ+a21QjU25Yq24Y7UWjXVy9Gmvoo=,tag:APVtby5NCOQxrPAjIbMJ+w==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 diff --git a/values/badhouseplants/values.traefik.yaml b/values/badhouseplants/values.traefik.yaml index 614c670..41b4a21 100644 --- a/values/badhouseplants/values.traefik.yaml +++ b/values/badhouseplants/values.traefik.yaml 
@@ -10,12 +10,12 @@ ports:
 readTimeout: 0
 idleTimeout: 0
 writeTimeout: 0
- forwardedHeaders:
- trustedIPs:
- - "192.168.0.0/16"
- proxyProtocol:
- trustedIPs:
- - "192.168.0.0/16"
+ forwardedHeaders:
+ trustedIPs:
+ - "192.168.0.0/16"
+ proxyProtocol:
+ trustedIPs:
+ - "192.168.0.0/16"
 ssh:
 port: 22
 expose:
diff --git a/values/etersoft/secrets.vaultwardentest.yaml b/values/etersoft/secrets.vaultwardentest.yaml
index 9a4b11f..361c37c 100644
--- a/values/etersoft/secrets.vaultwardentest.yaml
+++ b/values/etersoft/secrets.vaultwardentest.yaml
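Review bot: The only change in this hunk is indentation, and in YAML that decides which key `forwardedHeaders` and `proxyProtocol` attach to (the chart only renders `--entryPoints.web.forwardedHeaders.trustedIPs` from `ports.web.forwardedHeaders.trustedIPs`); the collapsed diff does not show the new nesting, so confirm with `helm template` that those flags now appear, because a misplaced block is silently ignored and Traefik then falls back to its default of trusting no forwarded headers and rejecting the PROXY protocol. Trusting all of `192.168.0.0/16` for both X-Forwarded-For and PROXY protocol lets any host in that range spoof the client address seen by IP allow-list middlewares, rate limits and access logs; narrow `trustedIPs` to the load balancer addresses that actually front this entrypoint. If external traffic terminates on `websecure`, that entrypoint needs the same block; nothing in the hunk shows it.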
@@ -1,13 +1,11 @@ -env: - secrets: - enabled: ENC[AES256_GCM,data:zzAqZw==,iv:eNmoXsT7ME8Ayq1+6SKVMAmNfMXbaCHhbpoIVSCMmEs=,tag:rXlJGUtPQm0ulut18xuEpQ==,type:bool] - sensitive: ENC[AES256_GCM,data:p+tT+Q==,iv:0W4zA1+9Q6eDx6OMAscdDc0GveZgo/zW6in/PdfZo5E=,tag:SBplDU0DWQHzS0zQbhlOmA==,type:bool] - data: - #ENC[AES256_GCM,data:lUhrHf0qCaIFA/03PexzwaG8BZPx4jJ1E7+D8RSusZsegYVEAcP13XkQ,iv:/aKm2fUtjUWb7zGipYLjFSoPv6JEhrt0lneEHcLY2vk=,tag:0TrN03ApXMyDLbghPU3lEw==,type:comment] - ADMIN_PASSWORD: ENC[AES256_GCM,data:NkRDv5wL9+q30cydrbxaG5kSkEjSVk1kj4H1OipjaWkSKR1gUyVfFcmd1NCWldDNAK8=,iv:i26l6IFjyHqHXVadTGBl3wKDtRyykTca20mNaItl6kM=,tag:iYDdkUBE0GorA+zhu1ogfg==,type:str] - ADMIN_TOKEN: ENC[AES256_GCM,data:3LzUfxviYj5PSsm9bUn7pkLdVR7ggFHToXKvKIEw61d1MY6Ph3qVMr32KKJlbwh25by/hUQgSa1/WxxJDbBWsMzP9PikTov6lwFzMMOS/DDBM9ctxw==,iv:9zDoNV+Gbij9N95tKLd7Aa5c63UswSIG0nauGLS39Jg=,tag:wZE8U1t6GEqt7Obj4mqWcA==,type:str] - DATABASE_URL: null - #ENC[AES256_GCM,data:/5YuWuePwRN26Y2mCmGqI2FeDzZnsEyucbj1TR8j2LoCmhE=,iv:GMB4Y6LMAodfF6ItU5cRffMSPZh/85VHuLWOSo5YXdc=,tag:/h4vqzl5ZBy4msVe96l4Uw==,type:comment] +config: + env: + secrets: + enabled: ENC[AES256_GCM,data:nQ+V6A==,iv:V3S80SWwPd4CmIpcE7h8JlzqlMhJPwRa3QjQ0Ezl9po=,tag:J1bNAB6vQzuZLK+QPGl/Mw==,type:bool] + sensitive: ENC[AES256_GCM,data:O1M/Pw==,iv:FcXRYnWleruNLWWB5SvXKKh2VDrpq1NmFgZ0qXtwz8A=,tag:MPaozYmtMvIp2ik2NMv50A==,type:bool] + data: + ADMIN_PASSWORD: ENC[AES256_GCM,data:YDMg09xZG26MR+d4wcEtqGDnID8piLNX4uFFa1rnrde3qek2ZYzm5RDGhRjUbABgj3g=,iv:Q0wi8tDfkzDDfBHFNEm9EItmIEwhX/13LiZ9cvb9QBo=,tag:zugAhXY26VPRsS1Sz+KCkg==,type:str] + ADMIN_TOKEN: ENC[AES256_GCM,data:FZtTW2AVZsSlsF0kaZOkpaOvpYmjaVTJ3joSXU+6ylS16iItp4ggqfZe/EMjKDImqB42XrOt+c90hWu21a/RlGe7iGt+av9mkG3/932STxgUaPHB8A==,iv:GOb9mOurT3qeXcO4GmX38kQNFQx4ylAQ7Z/n5GCaVao=,tag:raZZSHBg9mPKnwaYB4yoaA==,type:str] sops: kms: [] gcp_kms: [] 
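Review bot: `ADMIN_PASSWORD` is carried into the new `config.env.secrets.data` block even though Vaultwarden has no such setting; it only reads `ADMIN_TOKEN`, so unless the chart consumes this key it is an extra secret exposed in the container environment, and if it is the plaintext the token was derived from it should not be stored beside it. Both ciphertexts changed together with the age stanza in the next hunk (a new data key), so whether the admin token was actually rotated is not visible from the diff; state it in the commit message or verify with `sops -d`. The `ADMIN_TOKEN` ciphertext implies a plaintext of about 85 bytes, shorter than an argon2 PHC string, which suggests a raw token; if so, use the output of `vaultwarden hash` so the Secret does not directly grant admin-panel access.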
@@ -17,14 +15,14 @@ sops: - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQRHYvUG9ybVdOUk56alc1 - VFUrS1lxT0srSG1uRldVUkZxY0NDaDZFUFJRCklsejBiNm9pelZYRTdlTGcvMSta - TS9lMElyMGJCa1pPN0J0amxDOFlQbGsKLS0tIE1mYlpwZEhES2Zrdk84UExjeXlz - akQ2M3NTc2hDRCt0OFJMMmVKZzg5UXMKqFkcNzqp9uhVu67/APA5XbqMVzv4RegS - at9pmPCxTlWQoPjzGtuF+l7J5lkS2KrU0wROC62AggnmEY1dMOSzqw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUGtWT09WOVlGRnc3aVVp + VWdMbHFPMTAwSGFOd3dBSDUrbFB2R3VOaVVRCkptckpBR1JHcW12bEVIQ3pBOHJN + emQ0VmorbjhSeUNhTGJMMWFKMWZrelEKLS0tIFRDMkRiV0owWnNLWFFKSVAzZ1Bi + eWt3a0J4b1F3ejFwZlRlblcyWGYrY00KvZ737upypCW8nDPa01uHVTtHgGcKhEFv + MSa0WYeEa3ArffR6gPtH4uAErL0B7+slSvTFVt6HJ5z1VdgIWlMBZg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-06T09:06:31Z" - mac: ENC[AES256_GCM,data:uDSzjE3cnkzY2ADj/v6PkaB4XVla9+N5J7H/+b7Erc9cSdbV7utvBjhxDeMpnrurO10mNDtvgPEJ00e/bDz4Ru3tl6OXSeY9lvvKZTHi69i5e8naX6t6M2xv7rKyLe8gw5GzwSGfKGpsJeTKsUuKN2tAcoy23THC1Mauulj6G2A=,iv:85JA9+1rps4OUzFrXsy0e/NS0SZPfYpPHP0hjy/uCRQ=,tag:K/Oj9TyQIJXvuo6gwPzzRw==,type:str] + lastmodified: "2025-03-02T08:58:13Z" + mac: ENC[AES256_GCM,data:hYtrnn0dXtv/9vZ82hu6wsFVXvP56QNKrz1vb6o8+BVOc9cWheDAyPwhv3SHibkSSXb7Bw0qCXN0w43+zxT03HTxHAWb/zk/YD39Vv8iWvGc5Wuyduh/pPZn52MrQr4Gyqf/QQQMwvDkWwXQ0t6Y8XU+HF+XDz2NKE2NyZzOOa8=,iv:Rg7AUYEhqWHJqvZi32F7b9Ux4fv1o0Gmavw6SQe+hao=,tag:5clTc1DJrfFzMiTEPtj7Fw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.4 diff --git a/values/etersoft/values.external-dns.yaml b/values/etersoft/values.external-dns.yaml index e9cbf9a..e20711b 100644 --- a/values/etersoft/values.external-dns.yaml +++ b/values/etersoft/values.external-dns.yaml 
@@ -1,7 +1,13 @@
 provider:
 name: cloudflare
+domainFilters:
+ - badhouseplants.net
 policy: sync
 txtOwnerId: eter
-txtPrefix: eter-ext-dns
+txtPrefix: eter-ext-dns-
 logFormat: json
 logLevel: info
+sources:
+ - service
+ - ingress
+ - crd
diff --git a/values/etersoft/values.vaultwardentest.yaml b/values/etersoft/values.vaultwardentest.yaml
index 59de1b6..c0bb042 100644
--- a/values/etersoft/values.vaultwardentest.yaml
+++ b/values/etersoft/values.vaultwardentest.yaml
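Review bot: Changing `txtPrefix` from `eter-ext-dns` to `eter-ext-dns-` changes the names of the TXT registry records external-dns looks for, so records created under the old prefix are no longer recognised as owned by `eter`; with `policy: sync` the controller will neither update nor delete them and will try to create new ones beside them, so rename or remove the old TXT records in Cloudflare as part of this change. Adding `crd` to `sources` means anything that can create `DNSEndpoint` objects in the cluster can publish arbitrary names under `badhouseplants.net` (`domainFilters` bounds the zone, not the subdomain), so the RBAC on `externaldns.k8s.io/dnsendpoints` should be as tight as access to the Cloudflare token itself.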
@@ -1,91 +1,38 @@ shortcuts: hostname: vaulttest.ru.badhouseplants.net -ext-database: - enabled: true - name: vaultwardentest-postgres16 - instance: postgres16 - credentials: - DATABASE_URL: "{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}" -workload: - kind: Deployment - strategy: - type: RollingUpdate - containers: - vaultwarden: - mounts: - storage: - data: - path: /app/data/ - extraVolumes: - logs: - path: /app/logs - envFrom: - - environment - - secrets - - secretRef: - name: vaultwardentest-postgres16-creds + ingress: main: class: traefik - annotations: - kubernetes.io/ingress.class: traefik - traefik.ingress.kubernetes.io/router.entrypoints: web,websecure - kubernetes.io/tls-acme: "true" - kubernetes.io/ingress.allow-http: "false" - kubernetes.io/ingress.global-static-ip-name: "" - cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 - rules: - - host: vaulttest.ru.badhouseplants.net - http: - paths: - - backend: - service: - name: '{{ include "chart.fullname" $ }}-main' - port: - number: 8080 - path: / - pathType: Prefix - tls: - - hosts: - - vaulttest.ru.badhouseplants.net - secretName: vaulttest.ru.badhouseplants.net -extraVolumes: - logs: - emptyDir: {} + metadata: + annotations: + kubernetes.io/ingress.class: traefik + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 -storage: - data: - annotations: - volume.kubernetes.io/selected-node: yekaterinburg - accessModes: - - ReadWriteOnce -env: - environment: - enabled: true - sensitive: false - data: - DOMAIN: https://vaulttest.ru.badhouseplants.net - #SMTP_HOST: mail.badhouseplants.net - #SMTP_SECURITY: "starttls" - #SMTP_PORT: 587 - #SMTP_FROM: vaulttest@badhouseplants.net - #SMTP_FROM_NAME: Vault Warden - #SMTP_AUTH_MECHANISM: "Plain" - 
#SMTP_ACCEPT_INVALID_HOSTNAMES: "false" - #SMTP_ACCEPT_INVALID_CERTS: "false" - #SMTP_DEBUG: false - DATA_FOLDER: /app/data/ - ROCKET_PORT: 8080 - SHOW_PASSWORD_HINT: true - SIGNUPS_ALLOWED: true - INVITATIONS_ALLOWED: true - SIGNUPS_DOMAINS_WHITELIST: "test.com" - SIGNUPS_VERIFY: false - WEB_VAULT_ENABLED: true - LOG_FILE: /app/logs/log.txt - LOG_LEVEL: debug - DB_CONNECTION_RETRIES: 10 - DATABASE_MAX_CONNS: 10 - ORG_GROUPS_ENABLED: true - ORG_EVENTS_ENABLED: true - ORG_CREATION_USERS: "" +config: + env: + main: + enabled: true + sensitive: false + data: + DOMAIN: https://vaulttest.ru.badhouseplants.net + DATA_FOLDER: /app/data/ + ROCKET_PORT: 8080 + SHOW_PASSWORD_HINT: true + SIGNUPS_ALLOWED: true + INVITATIONS_ALLOWED: true + SIGNUPS_DOMAINS_WHITELIST: "test.com" + SIGNUPS_VERIFY: false + WEB_VAULT_ENABLED: true + LOG_FILE: /app/logs/log.txt + LOG_LEVEL: debug + DB_CONNECTION_RETRIES: 10 + DATABASE_MAX_CONNS: 10 + ORG_GROUPS_ENABLED: true + ORG_EVENTS_ENABLED: true + ORG_CREATION_USERS: "" + SMTP_SECURITY: 'off'
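Review bot: `SHOW_PASSWORD_HINT: true` together with `SIGNUPS_ALLOWED: true` and `SIGNUPS_VERIFY: false` is kept in the new `config.env.main.data` block for a host that is publicly reachable (`DOMAIN: https://vaulttest.ru.badhouseplants.net` with an ACME-issued certificate); the hint setting returns a user's password hint to anyone who types their email on the login page, and `SIGNUPS_DOMAINS_WHITELIST: "test.com"` only restricts unverified self-registration to addresses at a third-party domain nobody here controls. Set `SHOW_PASSWORD_HINT: false` and either `SIGNUPS_ALLOWED: false` (use invitations) or a whitelist domain you actually own. Dropping the `ext-database` block and the `storage.data` PVC together with the `ext-database` template in helmfile-etersoft.yaml means Vaultwarden now falls back to SQLite under `DATA_FOLDER: /app/data/`; unless the new chart persists that path by default, the vault database lives in an ephemeral volume. The removed `rules`/`tls` ingress sections are presumably generated from `shortcuts.hostname` now, while `kubernetes.io/tls-acme: "true"` is kept; the hunk does not show that a `tls` block with a `secretName` is still rendered, so check the template output.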