Install new vaultwarden and enabled istio

2024-12-27 12:49:25 +01:00 · 2024-12-27 12:49:25 +01:00 · df5dbf104d
commit df5dbf104d
parent a79d85bc2a
7 changed files with 102 additions and 1 deletions
--- a/common/environments.yaml
+++ b/common/environments.yaml
@ -21,7 +21,7 @@ environments:
      - redis:
          enabled: true
      - istio:
-          enabled: false
+          enabled: true
  etersoft:
    kubeContext: etersoft
    values:
--- a/installations/applications/helmfile-badhouseplants.yaml
+++ b/installations/applications/helmfile-badhouseplants.yaml
@ -41,6 +41,15 @@ releases:
      - template: default-env-secrets
      - template: ext-database

+  - name: vaultwarden-new
+    chart: allangers-charts/vaultwarden
+    version: 3.0.0
+    namespace: applications
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+      - template: ext-database
+
  - name: vaultwarden
    chart: allangers-charts/vaultwarden
    version: 2.3.0
--- a/installations/system/helmfile.yaml
+++ b/installations/system/helmfile.yaml
@ -166,6 +166,7 @@ releases:
  - name: istio-ingressgateway
    chart: istio/gateway
    condition: istio.enabled
+    installed: false
    namespace: istio-system
    needs:
      - istio-system/istio-base
--- a/manifests/peerauth.yaml
+++ b/manifests/peerauth.yaml
@ -0,0 +1,8 @@
+apiVersion: security.istio.io/v1
+kind: PeerAuthentication
+metadata:
+  name: default
+  namespace: public-xray
+spec:
+  mtls:
+    mode: STRICT
--- a/values/badhouseplants/secrets.vaultwarden-new.yaml
+++ b/values/badhouseplants/secrets.vaultwarden-new.yaml
@ -0,0 +1,31 @@
+config:
+    env:
+        secrets:
+            enabled: ENC[AES256_GCM,data:Ofk6VQ==,iv:c/dJkneJnB05RNPk70Kv1xGArs5xiK0173YMvqeLj/I=,tag:k3Jtib8Xe2YGUMsK0sD2lA==,type:bool]
+            sensitive: ENC[AES256_GCM,data:6cpHdg==,iv:XpEdNwvGZp6KW7dhxo0DW2cXG+q7wPFItmw/UpFMFs8=,tag:1Xojcj9bbX4jIlFOeBlXhg==,type:bool]
+            data:
+                SMTP_USERNAME: ENC[AES256_GCM,data:oVGo,iv:JSViXnLQ4JKIDk+QzLKL/9SSIgvzpjaM9RY+HODpwHs=,tag:0PEL2F6epbPX//ThkyGW5w==,type:str]
+                ADMIN_PASSWORD: ENC[AES256_GCM,data:SW0FabxOiwPO4A8GWzu1rZVhLhHktBEA1A==,iv:HrlgVfrsWQzWqjLrb/3qjGv7LAhsbdbT7XM6NZLqHJQ=,tag:2upDJLYSK2LCMlTqmkmBYQ==,type:str]
+                ADMIN_TOKEN: ENC[AES256_GCM,data:KkIC89EZFyMICPcScNQMh7lBa2+nhop9tCRqkEsHFOvcw4x+Wv+PGphqYOEPn0TpdlxoHU/7uVJkJPgHlnFl8NyGS+4LAwCwe1E=,iv:dI744XgwewVE+0SbZ8H/6ty45INJPcRF3c5FJ6V49xg=,tag:6HtBaW398c9bmb1eahiS/g==,type:str]
+                DATABASE_URL: null
+                SMTP_PASSWORD: ENC[AES256_GCM,data:ucLA0UtLRwCe+r9auLx+k1eOmkiOyyEnog==,iv:Is4eJGns3VZTiRWUw5WtYm81U0zmCs4xRazzASRGixo=,tag:hyFy0sIBHOduB83hCAPKcQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWZFB0cjVSd09WQ2JoMlBi
+            MkFjN1FtbG0vTlBMVmRRejI5Uk1ORzFweHhRCnVKbmlmd25aTXl3ZFMycnFNMlJa
+            WUJ4UWxZbFl6Rm10SWo3M1NidUx0ak0KLS0tIE1IdWllU3FPU2xUaVVGNHJ4R1Y0
+            M1lINzdmc1dNWEgxeU9BcVR3R2JJRXMKWkDwyC2Vacmcf6p2AO6lD6OcGlGq9iBu
+            yOmoxsP3tH7pFyB/M5JNCvambcvOAgGOvUmaKs9hqDGQOJcII6C6mg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-25T19:15:48Z"
+    mac: ENC[AES256_GCM,data:6SkwIknanAQyjPgaBc5kklKULplQpBSJ1d9g94TvJvc0kI6fFEkBE9DBAwyMpcRIrvtLEKz56qFiH7ZY+Eej5O9TKk4mZ4oKTc9Y8NphMDblBPvHXKwS+bviTbAfQtMLQ7S1hwoRX/l9ld0j3n8ZFrsmmwXnlbiZzHLrTKD8GAw=,iv:Vl9YDHjIBgpYvkH41hH7jvlVD/lI7lq1PFZGJyQRHpU=,tag:Knk0rZVEidhoRoWFVazp7A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2
--- a/values/badhouseplants/values.namespaces.yaml
+++ b/values/badhouseplants/values.namespaces.yaml
@ -5,8 +5,12 @@ namespaces:
  - name: databases
  - name: istio-system
  - name: applications
+    labels:
+      istio-injection: disabled
  - name: platform
  - name: games
  - name: team-fortress-2
  - name: pipelines
  - name: public-xray
+    labels:
+      istio-injection: enabled
--- a/values/badhouseplants/values.vaultwarden-new.yaml
+++ b/values/badhouseplants/values.vaultwarden-new.yaml
@ -0,0 +1,48 @@
+shortcuts:
+  hostname: vaultwarden.badhouseplants.net
+ext-database:
+  enabled: true
+  name: vaultwarden-postgres17
+  instance: postgres17
+  credentials:
+    DATABASE_URL: "{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}"
+base:
+  workload:
+    kind: Deployment
+    strategy:
+      type: RollingUpdate
+    containers:
+      vaultwarden:
+        envFrom:
+          raw:
+            - secretRef:
+                name: vaultwarden-postgres17-creds
+ingress:
+  main:
+    class: traefik
+    metadata:
+      annotations:
+        kubernetes.io/ingress.class: traefik
+        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+        kubernetes.io/tls-acme: "true"
+        kubernetes.io/ingress.allow-http: "false"
+        kubernetes.io/ingress.global-static-ip-name: ""
+        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+
+config:
+  env:
+    main:
+      enabled: true
+      sensitive: false
+      data:
+        SMTP_HOST: stalwart.badhouseplants.net
+        SMTP_SECURITY: "starttls"
+        SMTP_PORT: 587
+        SMTP_FROM: vault@badhouseplants.net
+        SMTP_FROM_NAME: Vault Warden
+        SMTP_AUTH_MECHANISM: "Plain"
+        SMTP_ACCEPT_INVALID_HOSTNAMES: "false"
+        SMTP_ACCEPT_INVALID_CERTS: "false"
+        SMTP_DEBUG: false
+        DOMAIN: "https://{{ .Values.shortcuts.hostname }}"
+        LOG_FILE: /app/logs/log.txt