diff --git a/.sops.yaml b/.sops.yaml index ad0b75f..2fd620c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,13 +1,11 @@ --- keys: - - &argo-aaron age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt + - &argo age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt - &aaron age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2 - - &argo age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz creation_rules: - path_regex: .* encrypted_regex: ^(data|stringData)$ key_groups: - age: - - *argo-aaron - - *aaron - *argo + - *aaron diff --git a/app-files/apps.yaml b/app-files/apps.yaml index 722a8aa..117703c 100644 --- a/app-files/apps.yaml +++ b/app-files/apps.yaml @@ -2,7 +2,7 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: aaron-k8s-deployments-self + name: k8s-deployments-self namespace: argocd spec: project: default 
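Review bot: Dropping the `age1mraede…` recipient from `keys` does not take away that key's access to anything already committed, because every earlier revision of the encrypted files in git history stays decryptable with it. The re-encrypted files later in this diff (argocd/secret.yaml, argocd/sops-secret.yaml, surveybot/secret.yaml) carry `lastmodified` values from 2024-11-04, earlier than the 2025-02-13 values they replace, so it looks as if the underlying values were not rotated. If that key is no longer trusted, the secrets themselves need new values. The alias `&argo` also now names a different public key than before (`age14ux…`, formerly `&argo-aaron`), which is easy to misread in later reviews. A comment above `keys:` such as `# argo = <holder of this key>, aaron = <holder of this key>; rotate secrets when removing a recipient` would record the intent.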
@@ -16,43 +16,77 @@ spec: syncPolicy: automated: prune: false - selfHeal: true ---- -#apiVersion: argoproj.io/v1alpha1 -#kind: Application -#metadata: -# name: argocd -# namespace: argocd -#spec: -# project: default -# sources: -# - repoURL: https://argoproj.github.io/argo-helm -# chart: argo-cd -# targetRevision: 7.8.2 -# helm: -# releaseName: argo -# valueFiles: -# - $values/argocd/values.yaml -# - repoURL: https://git.ar21.de/aaron/k8s-deployments.git -# targetRevision: HEAD -# ref: values -# - repoURL: https://git.ar21.de/aaron/k8s-deployments.git -# targetRevision: HEAD -# path: argocd -# destination: -# server: https://kubernetes.default.svc -# namespace: argocd -# syncPolicy: -# syncOptions: -# - CreateNamespace=true -# automated: -# selfHeal: true -# prune: false --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: aaron-hoylogo + name: argocd + namespace: argocd +spec: + project: default + sources: + - repoURL: https://argoproj.github.io/argo-helm + chart: argo-cd + targetRevision: 7.6.8 + helm: + releaseName: argo + valueFiles: + - $values/argocd/values.yaml + - repoURL: https://git.ar21.de/aaron/k8s-deployments.git + targetRevision: HEAD + ref: values + - repoURL: https://git.ar21.de/aaron/k8s-deployments.git + targetRevision: HEAD + path: argocd + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + selfHeal: true + prune: false +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: drone-runner + namespace: argocd +spec: + project: default + sources: + - chart: drone-runner-kube + repoURL: https://charts.drone.io + targetRevision: 0.1.10 + helm: + releaseName: drone-runner + values: | + extraSecretNamesForEnvFrom: + - drone-secrets + rbac: + buildNamespaces: + - drone + env: + DRONE_RPC_HOST: drone.ar21.de + DRONE_RPC_PROTO: https + DRONE_NAMESPACE_DEFAULT: drone + - repoURL: https://git.ar21.de/aaron/k8s-deployments.git + 
targetRevision: HEAD + path: drone + destination: + server: https://kubernetes.default.svc + namespace: drone + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: false +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: hoylogo namespace: argocd spec: project: default @@ -62,18 +96,17 @@ spec: path: hoylogo/overlays/prod destination: server: https://kubernetes.default.svc - namespace: aaron-hoylogo + namespace: hoylogo syncPolicy: syncOptions: - CreateNamespace=true automated: prune: true - selfHeal: true --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: aaron-hoylogo-staging + name: hoylogo-staging namespace: argocd spec: project: default @@ -83,18 +116,17 @@ spec: path: hoylogo/overlays/staging destination: server: https://kubernetes.default.svc - namespace: aaron-hoylogo-staging + namespace: hoylogo-staging syncPolicy: syncOptions: - CreateNamespace=true automated: prune: true - selfHeal: true --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: aaron-surveybot + name: surveybot namespace: argocd spec: project: default 
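Review bot: The added `argocd` Application lets Argo CD reconfigure itself from `targetRevision: HEAD` of the k8s-deployments repository with `automated` sync and `selfHeal: true`, so any commit that reaches the default branch is applied to the `argocd` namespace without a further gate. It also sits in `project: default`, which unless restricted elsewhere permits any source repository and destination. Pinning the two git sources to a tag or commit, and moving the application into a dedicated AppProject that lists only the needed `sourceRepos` and `destinations`, would narrow this; the chart source is already pinned to `7.6.8`. The same `project: default` plus `HEAD` combination is used by the added `drone-runner` application in this hunk and by `openproject` in the `@@ -104,34 +136,62 @@` hunk. If tracking `HEAD` is intended, branch protection is the control that matters and deserves a comment here, e.g. `# tracks HEAD: default branch must be protected`.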
@@ -104,34 +136,62 @@ spec: path: surveybot destination: server: https://kubernetes.default.svc - namespace: aaron-surveybot + namespace: surveybot syncPolicy: syncOptions: - CreateNamespace=true automated: prune: true - selfHeal: true --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: aaron-cloudnative-pg + name: cloudnative-pg namespace: argocd spec: project: default sources: - chart: cloudnative-pg repoURL: https://cloudnative-pg.io/charts - targetRevision: 0.24.0 + targetRevision: 0.22.1 helm: releaseName: cloudnative-pg destination: server: https://kubernetes.default.svc - namespace: aaron-cnpg + namespace: cnpg syncPolicy: syncOptions: - CreateNamespace=true - - ServerSideApply=true automated: - prune: true + prune: false +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: openproject + namespace: argocd +spec: + project: default + sources: + - repoURL: https://charts.openproject.org + chart: openproject + targetRevision: 8.3.2 + helm: + releaseName: openproject + valueFiles: + - $values/openproject/values.yaml + - repoURL: https://git.ar21.de/aaron/k8s-deployments.git + targetRevision: HEAD + ref: values + - repoURL: https://git.ar21.de/aaron/k8s-deployments.git + targetRevision: HEAD + path: openproject + destination: + server: https://kubernetes.default.svc + namespace: openproject + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: selfHeal: true + prune: false diff --git a/argocd/secret.yaml b/argocd/secret.yaml index d2fb7c6..d552f0b 100644 --- a/argocd/secret.yaml +++ b/argocd/secret.yaml 
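Review bot: `targetRevision` for the cloudnative-pg chart moves backward from `0.24.0` to `0.22.1` in the same hunk that drops `ServerSideApply=true`, and neither change is explained. Downgrading an operator gives up whatever fixes shipped in between, so it should be confirmed as intentional and noted in a comment next to the version. Large operator CRDs are a common reason for setting `ServerSideApply=true`, since client-side apply stores the whole object in a size-limited annotation, so removing it may make the sync fail. Unless that was tested against this chart version, keep `- ServerSideApply=true` under `syncOptions`.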
@@ -7,7 +7,7 @@ metadata: app.kubernetes.io/name: argocd-secret app.kubernetes.io/part-of: argocd stringData: - oidc.aaronid.clientSecret: ENC[AES256_GCM,data:3Gy2J1vkqD4gpuEx9LmFDf95OnC7X3g4zYKEvKUL9JaNiK6uJapDX6a37nv3ORnnqhCgcrEdEhybNgJcNgK8vNO033QO92KbIF4rYCkxyulyGHcv4h43qvnDgoR+ac8Wr7fPlUUhltLMXnIXU3XJN8mMNlaNeuMSHgj0wCrAxnc=,iv:gWIkcidScnnQHIK2uWgj8oqexj/VV32/Frki3M+mzok=,tag:fAIgWIt3WQKAOsavEkwDGw==,type:str] + oidc.aaronid.clientSecret: ENC[AES256_GCM,data:ZrhSXPm+p9iD5tvJA3hyqiGw2czrO3YLbWPe7WvQf2Rok28f3V0a2DkFR336+5x4YTF6Khw1qYtQH6Kgc1HS7RbY7RDpynAwO2JHrxApfUir31UZ2oNsbTqv7nyNSrMFR4vgLEx9WSTaM66c43sgevdaCodDbzfiSe+Zjwrdcfw=,iv:Bzf8U16ZlkflMFM6BlfBbiJfaM6YzxkUXPTXnfjbApU=,tag:7T5e75XFm//aoTLTtQR3mA==,type:str] type: Opaque sops: kms: [] 
@@ -18,32 +18,23 @@ sops: - recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudHU0M0lkWkhtK3VoMW11 - MElWeGNQbHV4VkZJdjVtZjVES0habHNSNlNnCk9CenFSczRzNnh3VE1sY0RORWlK - cDVhNlpCVmRqd1A3SFFRak5rZ1diQ1UKLS0tIEpJTUI3aHdCa1c1TEs4VHAwNk5s - ZjJ3SWhLOEFiTFBLUzJ5dnlIWDJockEKyDE0oWagwADB5HpdiafTu+BD10SbIacv - PchR/y5EOfFShzQ+7AEal2c78ztJO4D2Hd900RIpkoMkmHOyzq2bAA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlaUIvZmc3cFcxSExFcjhC + cXVNaU5TdVpGR09jTkIzWHNrTHhkSWV6ZXlvClArWGFwNlhtbzJVWUNIQXlCNlEr + aWtqMHdyNHJNTjM5dFQxN1J0QWtHTW8KLS0tIFBnWmI2NFhERWRISmVuVjhTK1E0 + TmpCTWY5T1QxWnFlZG1TRUNuN1RTNmMKpadrE3scJFXK7qc5WADHtAJ4LCSvzsd9 + j3Ew0vCLEVTjxON6rBD6k3KqZdIzQEJnDNJWUiPUaoPP+1FIl2cxvg== -----END AGE ENCRYPTED FILE----- - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUngvcHBmekpsSGxac2d4 - NmtPZ1p1aldacXVoZGFQNUZJZTZsL1NEVkNZCkRyMmtxelcrQ3FTRGk5OWltQWxp - VndydWNXWTc0d3c5MlVDeEIyUVRLUm8KLS0tIDZFcSs2MVJHQ1NmWXp2L2hkRTFE - RFdxZlBNekpkY1paeEVnTjk2SVk3S2sK+gftlDHXbLhHfDt+TiNlcz8xTgkhpiuX - 8FPvMfpK0/JPjnNG2ueofYhLmiPW/2h8GAMa3yjc/mdp+jnXkHuRdQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVnBnRlZlanI5MGFvQlpO + TEdldzQ1RkV3N3VwcUo1WXNBaGlSRFVqS1Y0CkU3RzUzSzBtU0dkZ1M5YXN6eXpL + OE5sTmc2Q2I2VnBna1lHYjQ3ak4zZ2sKLS0tIHVvelVTU29GWkVNeFdOLzJMdEY5 + UDFQL2pGNTRlcURqcFZkTG12YjRmQUkKDe7jb3TtIJXIQfDs+VuIHFZjtnKfC6Sc + caPhCC6KBejq5hyJXSOHXh6n+xYshNkzEkHp90gLY41XFiAPHU6Sfg== -----END AGE ENCRYPTED FILE----- - - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHMGZPQVBrV3ZWWm9oME11 - NFgvTkh2REpBNldFamJCVWF4UW9qcEtMeUJVCm1mUGJKdXAxRlZPd0YzL1hvQVVK - SVBDcU5mS1VGZmxhTlJPM0xra2l6NXMKLS0tIE5KLzlXREF1Z3crekdNeTZJWWEv - 
L1dPa3VILytUa2xuVnVKdldoMllxRGsKi1QnyfIeFMxaFYf12akgUi73NyLxME7S - 7u5ORruhUILOZTvpX7tzwdn5aUajtxeBsaPdlJdzY4mRsa1NMIOx5g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-13T20:19:15Z" - mac: ENC[AES256_GCM,data:S34dLDOUeKFdUX08bpZ8kfrR8AmUpJPElBuQz7Mo8OmYZAWJkMJa+7Wi2v8rY3iEl5Y0n2hWpuvUVFfuBlYQeiLzsaPpJ4WTZkMXctohs+QPronFCeDbNUwdRG82gPvsSxoybVlVzF3N43Aov7Wr7Eff897o/5Blky5eLmGb2bA=,iv:d8YQN11RaSrDvLD08Bw2130HaDxrpA+wIOu03x+MRqA=,tag:tY+9MSeNI/JfGOB6oHxTaQ==,type:str] + lastmodified: "2024-11-04T19:32:15Z" + mac: ENC[AES256_GCM,data:pzukaPYOzoo3vsXpwMiIpXCuOGy2MlWAsAuPvjsDimKb5kvYeZiVKhiT2BID6TtEcGL0FpX6pyrwl6c+lwK+5fcsKRGWPLowZ47RAQxnctieRH+QneMTnmIHI6Ex0PmDPasnG1EMoXyitGDNO7ouEk1ie0AK9z9+xVeyXCtUCRg=,iv:CzUiJmvUBjpwVmf0QW1X7b1CsQlSMX2fwnBHoqlRbo0=,tag:5yxJZOzuQ720YEQAbaHY8A==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ - version: 3.9.1 + version: 3.9.0 diff --git a/argocd/sops-secret.yaml b/argocd/sops-secret.yaml index 9c71a0d..8832f72 100644 --- a/argocd/sops-secret.yaml +++ b/argocd/sops-secret.yaml 
@@ -5,7 +5,7 @@ metadata: namespace: argocd type: Opaque data: - keys.txt: ENC[AES256_GCM,data:wYdwuaySM50djWshzIpbD/6GaNtQTJsqyB2naldo63EzHAUknZrQ/TpuUD8uXQWsxoaeAmEE76moj8lVEZ4tn2CuYreKYQOKWGWrMvggfx9hzeVz+vkUpZsStiFwQN5hvwNsHKcokY4Tlt6/F9+J3wDzTA8qtFgbmntf1T0NJE7MrcCm8ayzC0UHrZQTsSPa5x4NP0N+hHxSdizgA0arSRid50GFgj7aEeUNHPwMMayt1rd0rDGj8wrAEMn8/q0EJyjTK2MltSWjGJb8qyZ99kzG1k/44FwuP7MUB67n+J0cLoVreO4I7aJmQb1E+3bHxUSG7B5PRUIUwAlE,iv:io8SCnrwfzmQGrjD+oH1ZrI809bEgPlhOwBEzF4V7jI=,tag:pXCWvlszalTwDL9oKxOBcg==,type:str] + keys.txt: ENC[AES256_GCM,data:ywffPwk3i+622egcKEB3QmBdnRmcaYhtaF3niX9YzOAutQUuCAaKMjEZWbl5+S9/CVfUg+iVaBoUCSUsjzaFrf22upS45ayMnzS8F9JzvAz8L2IEecEhwDvbUtsupbpciOGYZlA+XPdRb6ab+VEnuTnrv7hIA0agdRdje/qlRZwJ8Vsfozq1xuvPFWKdtORcB6mA3pZaTMheOqEwPbosT+WD7Hn1m8rK1DG+pDQsRHb8TwBXK+YfyWnvScRa04jcvhPg8nyg3lZS6PjRLGKXZ5g0MytVDXJWzrGOfU3cUmt3XUM46Vl1t8gF/Y1P+jvFeNjK8tRdze1nUpee,iv:jUOFyM/KB4b3h9UZAyM64c6IDyL+Vw9kA6qDRRD7/uw=,tag:FF3F8R4cf/59ncGy4sbkHA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -15,32 +15,23 @@ sops: - recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZXFwN015MnVIUXNncHo0 - cUNRYUxacHpQZXR6MlhyRTBIMmxLZzRiTlhrClUyeHgwbVR3TDVTTkxFMkNiZjFV - RlpqZVQwTTI2NXZ0V2Z3Wm8reXVxNjAKLS0tIGRtSndTK0NMZkNFUzZiM3BpQkFh - NmlOMEFaN1N6RzA2YmQ5dW1vc0pkaDAKNHam03rJ6NeWRVyesa0NB4NmCi8uKTvd - wamq0vOCtgsUEo/MnHwe2yTtdnEB8OdoHs6SjPErhpUAQQfbXZ+llw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkenl5TnBHSWtXTU51TnZa + Z1pReHZlV0pPRzRsQ0RxUmsvWVI1b2RMeGljCmdSWDllRnBMSnlVSksycDI3cVVZ + TmExeEtuWStYSi9Ub0VCZS90MzZFZjgKLS0tIHEvSm5vTVVWdkRyOWNuRlhINzZY + RnRLR1grWm02UVE3TFhid3p3RHVSNlEK1fzRPAgFJmV3zEgX5FNNdV1zfd/Tv1q3 + g8HEyBgyfBAm6SXIB4Z3uTGJh9rJ9mPuTecFkiThn6WtSJJHRgQ7lQ== -----END AGE ENCRYPTED FILE----- - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3OGc4ZG92eHZ5N1B5UUlV - aExPak4xT1dvTGlFd1NoM3gycDNGeEhONEhJCnVpek0vZTRXaWc3Q3ViV2pPb2tF - VFUweDNsUmxGK01BQlBlTlJwdStGaEUKLS0tIHc3cjFNb1Z5cGpFUHR0MXloT21V - ZDJnQVNwYnYzR3lmdm8zTnJuaWlmek0KG1FMz2q6WWW5ZYzS0U0Uj5KPnXfJZH7n - 8DeQ0+mCFX8fYQXKFL0u/NsnPVAlEb96nAsg90K7h0cXMmk7rMNLJg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwSDV6VU92dXM5QTNSdmps + S3JCL2xZVERBOTZHZmlwVFptczZWMmpkZlIwCkp1TW42NWJveHdZOHp4cXY3eEpM + UkIzUWloNDJLQXRWM0g0ZzhHTmVyczQKLS0tIEE0d082L3g5MENlOTZFYkNtOGFB + NnRtdyttNjNWaGlOd09SdGhXZnZ2VE0K3bKDIJO2RQPY+1/p7nlwzZraPVnW+8L+ + wY1MoIdwygMcH5tmo0Jy3sLWMupUHQXQM9CX933wTATRPJtojLS4HA== -----END AGE ENCRYPTED FILE----- - - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEVWs0TnlOR280U2V0WnZY - QXBLbTZtZU5aOXFNK2VUT0dnOExHYit3bUhrCnJKQm9LSzJsTk9SMGNML0xVOUQr - d2RSQmtHYnpxcXg4UFVtY3krRXIzYTAKLS0tIHJVMkNpd3BEOW9GY0NpYnc4Q3RM - 
WDdJZk9BaFVLR0Vxb0d3RmZFUFBvZVkKfPZ2KcflJ2Dz+HrSCpzQ77lkN0WbavAC - vP0mNZpg95Vpeg17oSHwl6KysYf8c+iPOHPVzNFLT5/mFyDB4DfStA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-13T20:19:15Z" - mac: ENC[AES256_GCM,data:PVQpcs86R6/AAkiEio0bbN0OSPS6Tmj8s0S7McjJ/KSGPnFxnA5WxDXlu2AdK/5Dqp1Q5QGn+sHjNMeW9/GnxGEkUdhI+am15IV3pUU+IK41QgTEh7FTmBMJaSgdZWeNFSJEQuTUC2jKORl+jeFssCjoT3h1b7u/oQMvTOidCjo=,iv:RgPjRpRFrBssoSts14Yrnf+kuyuVUhg+JNrLSsgRmpg=,tag:0EyIz8OJw86ELFYO6zB3lw==,type:str] + lastmodified: "2024-11-04T19:39:31Z" + mac: ENC[AES256_GCM,data:OEeKuRW4Wvkqd/aafrvhNQxCQmuose5b/PfzxGh5a0+cN5ORib819ksjpLu78AL2rOhc0qRff8hi8TgWpoyBP7BiihpmCxZGFabITTAbH8x0Nacn3fef30K4Yw8AB7gLXrN1fwA9PLxfFoqmzsPnMh7xpEKMEKq1T0/ijqvmGJM=,iv:BM5gC/Vi4COBSFC/BHxV+bv8WXDwF+6eEx64ROIqpd4=,tag:WxwbtnYxa2okLdWUxWI7Yw==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ - version: 3.9.1 + version: 3.9.0 diff --git a/drone/kustomization.yaml b/drone/kustomization.yaml new file mode 100644 index 0000000..d840c3c --- /dev/null +++ b/drone/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +generators: + - ./secret-generator.yaml diff --git a/drone/secret-generator.yaml b/drone/secret-generator.yaml new file mode 100644 index 0000000..7f9b73e --- /dev/null +++ b/drone/secret-generator.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: viaduct.ai/v1 +kind: ksops +metadata: + name: secret-generator + annotations: + config.kubernetes.io/function: | + exec: + path: ksops +files: + - ./secret.yaml diff --git a/drone/secret.yaml b/drone/secret.yaml new file mode 100644 index 0000000..26fc6c3 --- /dev/null +++ b/drone/secret.yaml 
@@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Secret +metadata: + name: drone-secrets + namespace: drone +type: Opaque +data: + DRONE_RPC_SECRET: ENC[AES256_GCM,data:9wEps0DmvV8Qqx2dARB6M1stwAdf547n5rbVBEiaa4lL5GPAbHMgOI7bYIo=,iv:3SAA0PNJT1ajUx1SJWNpX2AiJnmcFf8tJCrvOW3fJqk=,tag:Z3yuE/jfyAldVjrdIcPlFg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycHkzcHNDOVdBYjJLRGpz + MkZ5T1UwOEEwTG44aGVuWk5zcnV2NlFPK0NRCkh0VVIzOVh2dWlaWG1hVmJQRE1p + VmhrNERFMHBpS2RTM3EySXdTSExmY3cKLS0tIFpWK3hMUG1TS0dTcTU2VUlkemNt + WlNZY0JmbVFWaVgxaUFlUU55THlRb0UK+P9mB8LDRFlnvYn0CXxzLSa8rB+ms2WF + INPTca+SW4sC37wc3zoIrdzrGuNai6FZbKRwrUtt40eDwgU2n/TANA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3YmJiQ2RvQ2pKN0xQbHdQ + bDM3SWFPM0pUQXB4eW1tbEJEbWdSWjVTeXg0CjE3cVNEM2Y1UHBLbStrRnpsQUM4 + cUh6aWROY0wzYnljdTJRZUtKODVBU2MKLS0tIGFybkhLUFF2ajdiZlQySENRc1lu + OXlPbmxsbDJQSlloSmtQb2ZQMDduUEUKnwnwWe3/oovkPlyZtUpoJVWAiW0rPFl+ + PHbo0vrkCkvkKjtXSBP9RPE0sgdPHaYDez9Ea7Q3qdKyYsCKTebapg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-04T20:00:35Z" + mac: ENC[AES256_GCM,data:8gPH1/iWNTkUcCcW5A/+QBSHIOphnCFz7PDc7muwOfgdS7CRfpUrMbsT7smZzsC5TXuy6n/tzYajNqOkuJNzAXeHTAulD5wD/HqwLrFjhO+2zo4m35l8eN9q+AYjTvMXCvK3Yo929gAJa65PXnMmx1kjjSC061KjPrF/Ka0o87w=,iv:Mtn8rx6Lwm9nXh+9km4JyWUr6xFkr+wk2w04QTLdLac=,tag:fL1mFqS9d/HOvZZfPP625A==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/hoylogo/overlays/prod/kustomization.yaml b/hoylogo/overlays/prod/kustomization.yaml index dc2e319..0ae2645 100644 --- a/hoylogo/overlays/prod/kustomization.yaml +++ b/hoylogo/overlays/prod/kustomization.yaml 
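Review bot: The `drone-secrets` Secret holding `DRONE_RPC_SECRET` is created in namespace `drone`, which app-files/apps.yaml also configures as the namespace pipelines run in (`rbac.buildNamespaces: - drone`, `DRONE_NAMESPACE_DEFAULT: drone`). Build pods execute repository-controlled steps, and RBAC, NetworkPolicy and service-account scoping all work per namespace, so sharing one namespace leaves no boundary between build workloads and the runner's credential. Consider keeping the runner and this Secret in `drone` and pointing builds at a separate namespace, for example `buildNamespaces: - drone-builds` with `DRONE_NAMESPACE_DEFAULT: drone-builds` (namespace name constructed for illustration).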
@@ -5,8 +5,8 @@ resources: images: - name: git.ar21.de/aaron/hoylogo newName: git.ar21.de/aaron/hoylogo - newTag: "4" -namespace: aaron-hoylogo + newTag: "27" +namespace: hoylogo patches: - patch: |- - op: replace diff --git a/hoylogo/overlays/staging/kustomization.yaml b/hoylogo/overlays/staging/kustomization.yaml index 272b235..6934a6d 100644 --- a/hoylogo/overlays/staging/kustomization.yaml +++ b/hoylogo/overlays/staging/kustomization.yaml @@ -6,7 +6,7 @@ images: - name: git.ar21.de/aaron/hoylogo newName: git.ar21.de/aaron/hoylogo newTag: staging-1 -namespace: aaron-hoylogo-staging +namespace: hoylogo-staging patches: - patch: |- - op: replace diff --git a/openproject/db.yaml b/openproject/db.yaml new file mode 100644 index 0000000..661b3c1 --- /dev/null +++ b/openproject/db.yaml @@ -0,0 +1,9 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: openproject + namespace: openproject +spec: + instances: 3 + storage: + size: 1Gi diff --git a/openproject/kustomization.yaml b/openproject/kustomization.yaml new file mode 100644 index 0000000..d507cbe --- /dev/null +++ b/openproject/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +generators: + - ./secret-generator.yaml +resources: + - ./db.yaml diff --git a/openproject/secret-generator.yaml b/openproject/secret-generator.yaml new file mode 100644 index 0000000..7f9b73e --- /dev/null +++ b/openproject/secret-generator.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: viaduct.ai/v1 +kind: ksops +metadata: + name: secret-generator + annotations: + config.kubernetes.io/function: | + exec: + path: ksops +files: + - ./secret.yaml diff --git a/openproject/secret.yaml b/openproject/secret.yaml new file mode 100644 index 0000000..ccab261 --- /dev/null +++ b/openproject/secret.yaml 
@@ -0,0 +1,83 @@ +apiVersion: v1 +kind: Secret +metadata: + name: openproject-secret + namespace: openproject + labels: + app.kubernetes.io/name: openproject-secret + app.kubernetes.io/part-of: openproject +stringData: + clientId: ENC[AES256_GCM,data:pNsfXlI13/jOdNXbtzTrk0oYB2viicauXdzVtjljC8pd9qFXCQrnrA==,iv:x6HGIX29SedgGJiRCHwIFAXbA9ucnpO+QS1Xlgsbdks=,tag:3A53qjsmJJin2+9AA/MAuQ==,type:str] + clientSecret: ENC[AES256_GCM,data:dlBFp8ImgzMIpymOesrCgNBnSHkVHH/PZwMTJ2tXVjpHXnif7AAx5VMbsvk6dpDxRQPX8RTBzTVqhJbHv87Bqso3vwu7K/tjstf+iBIpTHfz6O0u5Qc6f1/ZJorb1mMk0nB3+MOZuOnVv/LkkDv7LCa6R2HSkzALZMvmLIhMuiI=,iv:NpkQxa0DhvJOCF831KeEq35wxqQ6v6/TJpM87Gnpzbc=,tag:2JcM1oAmY3HqWNVl2AAnyA==,type:str] +type: Opaque +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByT0xDY1ZMNUtydlZqNyt4 + RGZhYTJCaTdoaUNDcUU3c2djUFFrb1NPWmdBClM4ZXZ6aUU0WU1NdmFLYWlHUVBy + VlU0VlZnRnQwenJPdGRSTFBac1ZlSTgKLS0tIGowNGZBZjgyMGxJbTZvOWRLS2Jr + ZTczeDVvYytjK0dzUDY0QXdaUlVyN3cKM+tC9agxFrnjpfPXoNXxCinTNXJ2gHyO + xmkLs958EAJZ8LuFfne01Sak/7ojRny+PzKb9TudIggCUoxAW8S0+w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU2dyTnc3eCtSNFVBeFQ3 + bTFndGdUYXVTdnpnRTJVQjI3Z0RRZ0FkQzJ3CjZ6ZHBpU2w1MDRFUzJQL1FKS1Ex + N011MUcyY0hlV0lYREo3Tmhhc1NXZG8KLS0tIGZpa3IyU244OXRGZ1hQdVlJbzZr + cEk2ZEp3UzArK1NEL0E2Zkwzd1dnMW8KWWQ861ukoDUh7l1iFBnnrsInQWfeYgD9 + d1y8yHr1kLZX66xg9erbaQbA+xtRRD+5sctypxJWPNkDO+rW+pfrAQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-04T21:12:27Z" + mac: 
ENC[AES256_GCM,data:wI/Z9/ilDAoIeYmRDwqa6cm7vnOyCKLPV3rxinVO8hhP3aVQisIJlKZH5iSZTAqE+bF0451Sqj8Ei00CiH/OXl8z7s92HeE2z2paHO51SutcLUM1RttKBcWsmdGnSvpqatlED9gziAeT487V3yECts+BS2zHppTtf+DRhjYVrd0=,iv:Pt4Jq1LFAJZo9oQmcv3PTDHmRb2HWI+gGUH/gzIuQ5s=,tag:PIcgRGoIm1tmaR6kRRIb0A==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 +--- +apiVersion: v1 +kind: Secret +metadata: + name: openproject-s3 + namespace: openproject + labels: + app.kubernetes.io/name: openproject-s3 + app.kubernetes.io/part-of: openproject +stringData: + accessKeyId: ENC[AES256_GCM,data:vp+0gIUcQ1zFZZ+FzMsjrIEnLJQ=,iv:1vO4ZESGnGHpf/Jy3mQdrRwv7DgRv2bJNppKQ+Qpi6A=,tag:1DHkZJ9bpc9P4nd2O/3nkg==,type:str] + secretAccessKey: ENC[AES256_GCM,data:ppZZ3LRQKOKeBzj4OUuiQLFDxKA1MQm8HhhdoLdpOaTDHVmxlCgRDw==,iv:oZPdTGkNPdjU4rqO6IjZcrI9t0yhlkIqHFKUTBOBr0M=,tag:M5LK3hdw8hCJ7i/tQsmj4A==,type:str] +type: Opaque +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByT0xDY1ZMNUtydlZqNyt4 + RGZhYTJCaTdoaUNDcUU3c2djUFFrb1NPWmdBClM4ZXZ6aUU0WU1NdmFLYWlHUVBy + VlU0VlZnRnQwenJPdGRSTFBac1ZlSTgKLS0tIGowNGZBZjgyMGxJbTZvOWRLS2Jr + ZTczeDVvYytjK0dzUDY0QXdaUlVyN3cKM+tC9agxFrnjpfPXoNXxCinTNXJ2gHyO + xmkLs958EAJZ8LuFfne01Sak/7ojRny+PzKb9TudIggCUoxAW8S0+w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU2dyTnc3eCtSNFVBeFQ3 + bTFndGdUYXVTdnpnRTJVQjI3Z0RRZ0FkQzJ3CjZ6ZHBpU2w1MDRFUzJQL1FKS1Ex + N011MUcyY0hlV0lYREo3Tmhhc1NXZG8KLS0tIGZpa3IyU244OXRGZ1hQdVlJbzZr + cEk2ZEp3UzArK1NEL0E2Zkwzd1dnMW8KWWQ861ukoDUh7l1iFBnnrsInQWfeYgD9 + d1y8yHr1kLZX66xg9erbaQbA+xtRRD+5sctypxJWPNkDO+rW+pfrAQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-04T21:12:27Z" + mac: 
ENC[AES256_GCM,data:wI/Z9/ilDAoIeYmRDwqa6cm7vnOyCKLPV3rxinVO8hhP3aVQisIJlKZH5iSZTAqE+bF0451Sqj8Ei00CiH/OXl8z7s92HeE2z2paHO51SutcLUM1RttKBcWsmdGnSvpqatlED9gziAeT487V3yECts+BS2zHppTtf+DRhjYVrd0=,iv:Pt4Jq1LFAJZo9oQmcv3PTDHmRb2HWI+gGUH/gzIuQ5s=,tag:PIcgRGoIm1tmaR6kRRIb0A==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/openproject/values.yaml b/openproject/values.yaml new file mode 100644 index 0000000..ac4684a --- /dev/null +++ b/openproject/values.yaml @@ -0,0 +1,55 @@ +image: + registry: git.ar21.de + repository: aaron/openproject + tag: '3' +appInit: + resources: + limits: + memory: 4Gi + requests: + memory: 4Gi +clusterDomain: project.aaronriedel.de +ingress: + annotations: + kubernetes.io/tls-acme: 'true' + host: project.aaronriedel.de + tls: + secretName: openproject-tls +workers: + default: + replicas: 2 +openproject: + oidc: + enabled: true + provider: Keycloak + displayName: aaronID + host: auth.ar21.de + existingSecret: openproject-secret + userinfoEndpoint: https://auth.ar21.de/application/o/userinfo/ + tokenEndpoint: https://auth.ar21.de/application/o/token/ + authorizationEndpoint: https://auth.ar21.de/application/o/authorize/ + endSessionEndpoint: https://auth.ar21.de/application/o/openproject/end-session/ +persistence: + enabled: false +s3: + enabled: true + auth: + existingSecret: openproject-s3 + region: fsn1 + bucketName: openproject + endpoint: https://fsn1.your-objectstorage.com + pathStyle: true + enableSignatureV4Streaming: false + directUploads: false +postgresql: + bundled: false + connection: + host: openproject-rw.openproject.svc.cluster.local + port: 5432 + auth: + existingSecret: openproject-app + secretKeys: + adminPasswordKey: password + userPasswordKey: password + username: app + database: app diff --git a/renovate.json b/renovate.json index b09d564..6eb5df5 100644 --- a/renovate.json +++ b/renovate.json 
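Review bot: In openproject/values.yaml, `clusterDomain: project.aaronriedel.de` looks like the public hostname was put where the Kubernetes cluster DNS domain is expected. The `postgresql.connection.host` value further down (`openproject-rw.openproject.svc.cluster.local`) indicates this cluster uses `cluster.local`. If the chart builds in-cluster service names from this key, as its name suggests, lookups for internal services would be made under a public domain instead of staying inside the cluster. Unless that is intended, use `clusterDomain: cluster.local`. Separately, `tag: '3'` on the custom image is a mutable reference; an immutable tag or a digest, if the chart supports one, would make the deployed artifact verifiable.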
@@ -1,13 +1,10 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "dependencyDashboard": true, - "enabledManagers": [ - "argocd" - ], + "enabledManagers": ["argocd"], "argocd": { - "managerFilePatterns": [ - "/^app-files/apps\\.yaml$/" - ] + "fileMatch": ["^app-files/apps\\.yaml$"] }, - "packageRules": [] + "packageRules": [ + ] } diff --git a/surveybot/secret.yaml b/surveybot/secret.yaml index a45cc22..092d9f5 100644 --- a/surveybot/secret.yaml +++ b/surveybot/secret.yaml @@ -2,9 +2,10 @@ apiVersion: v1 kind: Secret metadata: name: surveybot-token + namespace: surveybot type: Opaque data: - TOKEN: ENC[AES256_GCM,data:WZam3tkyfl+fkpCqegB2kiBmuOMeEP73vnb0o7AlJi9iv7Y2zGvvIQ/oJfB0kCw7w7s+8mVMGG+iTyDVZeQdjPv1j4FRPd7GMMSo4qWVBSs=,iv:4CFd+2gvroLuG0IqzNWVR7s3XVlbvrXg3no5TBZmFVM=,tag:0zCH6nRw9Vt7YJ0jnDFx2A==,type:str] + TOKEN: ENC[AES256_GCM,data:HZpvxzlqgtHIXstqo+wH5h1SVfBBS7aV7fPEIGO3gq0Hu8wbqMDq8nzBnGHQik+5jR0AoYQvRKLqD+VyIPgHQX8Nc/15er+pyCxa2kLXXPg=,iv:3dcWIVEU7HzkBCA8IT6lHPzsywmW3nCM0HK3Wr8r5eA=,tag:QplCTrlD08dpZvZjBdvlbQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -14,32 +15,23 @@ sops: - recipient: age14uxgmvw26e7f82gkvxl0zwnfc5l75rdn5sms4zj0xrtrnlgn4qlsqh3kkt enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTnJ3RDVMa2tGOE5TU09E - dkI0czh1TUNiQWlYUHE1bmVYSlIyVDE4b0F3CjR4ZFRYSDZqL2ptVHZwaDBvMDcr - cjBaai95MjJRLy9iSVBQdEFTdWxObFkKLS0tIDhCMnRzNHNYWnBRZTNFUUZMTU9C - YXlPeWVSS0pvTExiZ3lHM200VDk3dDAKOgPg5+uUivaV4sYLjdZ8QGAEGWs4VNC7 - DK1SqXemv6Kod8Jcn2Q/5Bs8SrN4mZyI4rmZ16c5iTjmHjmNBq5A6w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrd1ZReHRHazZzN1VKZVFK + eXo1OVhhL1hjeW5WMG5GNzUyWmFMUXFoa0dvCnhvaDNSNFRnMUJVMkxGRlVtRTR4 + WERLanJPbEs0ZTlGSEhudTQ0ckFDbG8KLS0tIDlQTDc2NGxDelMvZXk4WHJ2cTZS + dzkycGRVTW1FRDAwYk5OSFhoSkVPVG8Kvuhx+kEUCLwVlTxVWq2HXzszM4nJE09r + 4nOrW4ytSsC6BM4DR1WR/hbqY+cz/xaHEbCfQBaH4NYQUuaONLICxg== -----END AGE ENCRYPTED FILE----- - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ODVuZi9lN1d6SW9rRWlT - OUlmWEtlR3orMzVhNWd6TlN6bVR5dGFpbkJ3ClFuVnFYSTJhVE5zVlgyR2d6SU4x - OXNWMzJvUkNiUXpnWUpZTFI1dFE4UGcKLS0tIHVWbk9wUnNQT1ZsNm54Yzh6bGxK - MktuVHlwcjRrdHVLZ1ZucmNORnZ0a2sKFKIJKNf0n7FBeVNevO34/F4hPc/jxve6 - 4zvgzzz8m1cug6NSWYuek+/4tf5SxKeEufWqxkFXPrE5c0LJD4Nt4A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCN3pEOFZCSm90eDFBOEhS + T3RSVWh1ZVI1WS9pZTRkbnJMR0E0S04wdUhVCitFdk5hWjhWNGNqenp3c0dCZGNk + S2NrSk1Ocmx5WDkzeFRFMk5id3VheGMKLS0tIDU3a2Rvb2VKUHEwWVJFY2k4UHNl + dGdSTmkrRmVNWlovVC9JbTRROFgvbUEKEDg6EIYvD2xbVwMxWirkDA9lLOPt64zb + dhgGwbvL8ijAKVPKXLJ73IOWrwk5dCLv7oe8RDhkNDtuSus9HOqD9Q== -----END AGE ENCRYPTED FILE----- - - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZGJ0TW5QbkNqbmY2ckdX - dUwyT3A5RnBSNzJKVDcrb1RPZ2hPVjhNU0ZnCk9aWE5EcFErL1ZkajZXc2JqdGRD - TTJ2b3ZYVThoOUVGY3RqSE5FZjZJQjQKLS0tIHNSVTg3eXVIa25oOHRCcUhKNnkz - 
cUlpdC8vaVFoS09mU09tbzZWMU9HVEEKdum87k1RQN8uA6i32hYbFxfkqKYks4Ne - R+6wY+uzTvskB8nNcUNgUPFgXbm2wq1uJykO+D++LB9apMmV62JtCQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-13T20:19:15Z" - mac: ENC[AES256_GCM,data:of9bxJ+sXhv1wzlES7otXjV12Qst9HdGt0CqYy7FjLNbFwUBJ88bS3zZzigB9rzuppN4TMSTG+xiQhD7G6W/yU0TIF5FDiVoXiJndt9IccaDLREizmasfeL/0pjNNPTgNU8b2fxXX3k/yhhhR4ZyZYOiEAlTpa9NzVAkUuO2jMI=,iv:BXLPw6EGCr7X9nIK63w8UrnAg6h67HPK8Lr6aZz8/WE=,tag:/qYwcx8uJtz/iwqoRMnblQ==,type:str] + lastmodified: "2024-11-04T20:00:41Z" + mac: ENC[AES256_GCM,data:dIghUTmsUH2deQGDv9Jykicf+kV4A2XYHqxOHq0TcR7G5V329U25tm4ID07kQKmJjSgPwTx/6Vadxu/Bo3ADrvMj5+bOCUENP5FcJEp8htkJHNlzn1syQ9VXu+Vbka0e0PpPJ4AlxM3toPdmRX4k7tP5FzVlMkxSwAjMsVivHYo=,iv:1094lyciqTvwdmJjCI761sRi42AXxyiFyPw2CSUqfA4=,tag:0LlLhMOn7l4NrFzmbcfPcQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ - version: 3.9.1 + version: 3.9.0 diff --git a/surveybot/surveybot.yaml b/surveybot/surveybot.yaml index 9378868..1fcfa9d 100644 --- a/surveybot/surveybot.yaml +++ b/surveybot/surveybot.yaml @@ -7,6 +7,7 @@ apiVersion: batch/v1 kind: CronJob metadata: name: surveybot + namespace: surveybot spec: schedule: "00 16 * * 5" successfulJobsHistoryLimit: 1