From 1bbb031551606128a19e550edb7d0531977a3b3d Mon Sep 17 00:00:00 2001
From: Aaron Riedel
Date: Fri, 4 Oct 2024 19:04:36 +0200
Subject: [PATCH 1/2] add woodpecker-deployment
---
 app-files/apps.yaml | 30 ++++++++
 woodpecker/secrets/kustomization.yaml | 4 +
 woodpecker/secrets/secret-generator.yaml | 10 +++
 woodpecker/secrets/secrets.enc.yaml | 94 ++++++++++++++++++++++++
 woodpecker/values/values.yaml | 35 +++++++++
 5 files changed, 173 insertions(+)
 create mode 100644 app-files/apps.yaml
 create mode 100644 woodpecker/secrets/kustomization.yaml
 create mode 100644 woodpecker/secrets/secret-generator.yaml
 create mode 100644 woodpecker/secrets/secrets.enc.yaml
 create mode 100644 woodpecker/values/values.yaml
diff --git a/app-files/apps.yaml b/app-files/apps.yaml
new file mode 100644
index 0000000..06c875e
--- /dev/null
+++ b/app-files/apps.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: woodpecker
+ namespace: argocd
+spec:
+ project: default
+ sources:
+ - chart: woodpecker
+ repoURL: https://woodpecker-ci.org/
+ targetRevision: 1.6.0
+ helm:
+ releaseName: woodpecker
+ valueFiles:
+ - $values/woodpecker/values.yaml
+ - repoURL: https://git.ar21.de/yolokube/core-deployments.git
+ targetRevision: HEAD
+ ref: values
+ - repoURL: https://git.ar21.de/yolokube/core-deployments.git
+ targetRevision: HEAD
+ path: secrets
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: woodpecker
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ prune: false
diff --git a/woodpecker/secrets/kustomization.yaml b/woodpecker/secrets/kustomization.yaml
new file mode 100644
index 0000000..073e908
--- /dev/null
+++ b/woodpecker/secrets/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+ - ./secret-generator.yaml
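Review bot: The `valueFiles` entry `$values/woodpecker/values.yaml` does not match the file this patch creates at `woodpecker/values/values.yaml`, and the third source's `path: secrets` does not match `woodpecker/secrets/` where the kustomization is added, so the Application will fail to render unless the repository already contains those paths. The two lines should read `- $values/woodpecker/values/values.yaml` and `path: woodpecker/secrets`. Both repository sources also track `targetRevision: HEAD`, so any push to the default branch immediately changes the rendered values and the decrypted secrets; if that is intended, a short comment next to `ref: values` saying so would make the choice explicit.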
diff --git a/woodpecker/secrets/secret-generator.yaml b/woodpecker/secrets/secret-generator.yaml
new file mode 100644
index 0000000..b0e550d
--- /dev/null
+++ b/woodpecker/secrets/secret-generator.yaml
@@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: secret-generator
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+files:
+ - ./secrets.enc.yaml
diff --git a/woodpecker/secrets/secrets.enc.yaml b/woodpecker/secrets/secrets.enc.yaml
new file mode 100644
index 0000000..f990d36
--- /dev/null
+++ b/woodpecker/secrets/secrets.enc.yaml
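Review bot: The generator declared here is an exec KRM function (`exec: path: ksops`), and nothing in the patch records what the Argo CD repo-server must provide for it: the ksops binary on its PATH, the age private key matching one of the recipients listed in secrets.enc.yaml, and kustomize build options `--enable-alpha-plugins --enable-exec`. Without those the `secrets` source in app-files/apps.yaml fails to render. A comment above `files:` such as `# exec generator: repo-server needs ksops, an age key for a listed recipient, and kustomize --enable-alpha-plugins --enable-exec` would save the next operator a debugging round. These requirements are inferred from how ksops is normally wired into Argo CD, not from anything visible in this patch.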
@@ -0,0 +1,94 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: woodpecker
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzakpwaHhhclQ5MU5BOVpO
+ eHY0WGF6bHlyaStxNW5WVGZIQzZnRVR3SVFrCjdrRjIzRjFheHZqdWpmYlFpODVo
+ RzBsd1llNk5JZEtFbCtuN3Nrd2lTejAKLS0tIEFxOU00aGVlM1U3S0tYdFJ5NnVH
+ U0h3czZCUUk5NDdlL1o1THJGSXdqMUUKA4bMrmS1o1yB+aGdUgUzWMGjfYaQ55UW
+ Em+FXnis5k+3eY18YplZs3rBRiiuSHjt4WOnrwOymn3TvGixS1nA2A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1s9nvc4rxj3kaj4apmzzn8fmjrudrvdhgu70rg04we9hyse5aadsq7kmckn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WGlRZzJ4emVKazRtbGxk
+ SUs3R3J4aGpZV2EvVTllb2h4Tlh6NDd2QndBCnlxdUQ1L3BReHV3eTQ2OEh1bjNM
+ b3UzdjR5YlBqakN1aU9CanZrM0RqajQKLS0tIGFhVGVXSmRXbmhJVE1aOW0xYzV2
+ ZStBaHZxRDhzWTVnSHFBK3J4R3R5Z2cKg/yRNnsxy0Zrwi/dcNHTzjSHcQ9ZbipN
+ N1JKH1WCGdmZku3m/G0DSRdxP7yNs3rJBoOg63h632bWHKHj/pElsQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVkdsM01hVzhpaUVCYTk5
+ SXZTemJudWl6YlNnTnJiN1dIQkdlbnBZZ2o0CkFvNndWbXBNcUNkSkVmeGx2aVBJ
+ WkYxbHV0czBydWZpWnN6NFkwdm5aZVUKLS0tIEhNK0FLakVZMXNKRGdpYXd2WmQz
+ dGZrWWhwemxSdzdjNmF2UmdVWklJeEkKmLPdUb3KcgA61fMhhiaQxwcDx0kEdh0t
+ gMyW7MGzyCxkUjGxb/amuPJkq0/7MujpfHK8q0AgUztmqa6Tk02P9Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-04T16:57:58Z"
+ mac: ENC[AES256_GCM,data:YIke3ycXwzygpKuCoodWcR7VQw8qMABML2c5R8LZi4A9JcAK+3MNF8T1EEhPtqgzSDlNjrBr3MAJc01bONidsoDq7YRR97ZBQq57J7JoUcuysh2z2sV80PzsZsmI/FIygGz8MFEBrp3E6yc14tIKgnbleFn4gO9QBn1ocY9r+aM=,iv:NGu0zMt/b9esI57ApKrmkKiFQEOlKp6d6KEqMt3SzAM=,tag:Rm4ZetiphajoyZzi6uqE9w==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.0
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: woodpecker-forgejo
+ namespace: woodpecker
+ labels:
+ app.kubernetes.io/instance: woodpecker
+type: Opaque
+data:
+ WOODPECKER_FORGEJO_CLIENT: ENC[AES256_GCM,data:zTcJ9+s6Oykd2ptkaM4/FTcIriF0BarmswUyDzvLIyeBQl7mvTktPKJaeK/RudFVzdgEJA==,iv:im64HVYag5cWwo3+wINzoHMbfaiAYu67GeNexm6ffsA=,tag:a1a6eUmjyRPOzX4r8m9iuQ==,type:str]
+ WOODPECKER_FORGEJO_SECRET: ENC[AES256_GCM,data:gYiC+ZYXeMGPgWnvaHHEs8pNq1UP3kFthryX346TNnM7+oJVKQjz+ufLlsKmradtH6W4ulHzmSBHByT2VHHH8uHItA+Qbs55twRL0w==,iv:4VaEMHf7K+2lEYZAMCTo+Ot018SNIzCNJs27RovaN+I=,tag:qMkWRopd4/4xGBFZk7PW/Q==,type:str]
+ WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:DokhZ7SJGOeHnTVmnwJgmXJngaoSBZjdCAQUE76bf/tyQJoBA8Sh4vGy3VgVORY3MQIF33glxm+VNvqFWxV6LYbOvfGlJgZ5R8435NBPXfZnG/+PEungX9vQpcDvIf8ffcgGpC/Z/f3QBRAV,iv:DyuzOYf/bvUUm8NT4+8dk2hEgyqeVxOJqmt0mKCw2SQ=,tag:pvKr0hZzM4cXMErTYRr2jg==,type:str]
+ WOODPECKER_PROMETHEUS_AUTH_TOKEN: ENC[AES256_GCM,data:yzYzatAWs3BO8C4rsq3KpTYrHagA0eUkSD6aOlSU8u0mfJeoVq1vTzR3lLo=,iv:bhaaf9CCSHLkhYgdsTvNlZD/FFQCL6FanhIgsaXLfOA=,tag:W+MXx47fRElZaTmsAoMvPw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzakpwaHhhclQ5MU5BOVpO
+ eHY0WGF6bHlyaStxNW5WVGZIQzZnRVR3SVFrCjdrRjIzRjFheHZqdWpmYlFpODVo
+ RzBsd1llNk5JZEtFbCtuN3Nrd2lTejAKLS0tIEFxOU00aGVlM1U3S0tYdFJ5NnVH
+ U0h3czZCUUk5NDdlL1o1THJGSXdqMUUKA4bMrmS1o1yB+aGdUgUzWMGjfYaQ55UW
+ Em+FXnis5k+3eY18YplZs3rBRiiuSHjt4WOnrwOymn3TvGixS1nA2A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1s9nvc4rxj3kaj4apmzzn8fmjrudrvdhgu70rg04we9hyse5aadsq7kmckn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WGlRZzJ4emVKazRtbGxk
+ SUs3R3J4aGpZV2EvVTllb2h4Tlh6NDd2QndBCnlxdUQ1L3BReHV3eTQ2OEh1bjNM
+ b3UzdjR5YlBqakN1aU9CanZrM0RqajQKLS0tIGFhVGVXSmRXbmhJVE1aOW0xYzV2
+ ZStBaHZxRDhzWTVnSHFBK3J4R3R5Z2cKg/yRNnsxy0Zrwi/dcNHTzjSHcQ9ZbipN
+ N1JKH1WCGdmZku3m/G0DSRdxP7yNs3rJBoOg63h632bWHKHj/pElsQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVkdsM01hVzhpaUVCYTk5
+ SXZTemJudWl6YlNnTnJiN1dIQkdlbnBZZ2o0CkFvNndWbXBNcUNkSkVmeGx2aVBJ
+ WkYxbHV0czBydWZpWnN6NFkwdm5aZVUKLS0tIEhNK0FLakVZMXNKRGdpYXd2WmQz
+ dGZrWWhwemxSdzdjNmF2UmdVWklJeEkKmLPdUb3KcgA61fMhhiaQxwcDx0kEdh0t
+ gMyW7MGzyCxkUjGxb/amuPJkq0/7MujpfHK8q0AgUztmqa6Tk02P9Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-04T16:57:58Z"
+ mac: ENC[AES256_GCM,data:YIke3ycXwzygpKuCoodWcR7VQw8qMABML2c5R8LZi4A9JcAK+3MNF8T1EEhPtqgzSDlNjrBr3MAJc01bONidsoDq7YRR97ZBQq57J7JoUcuysh2z2sV80PzsZsmI/FIygGz8MFEBrp3E6yc14tIKgnbleFn4gO9QBn1ocY9r+aM=,iv:NGu0zMt/b9esI57ApKrmkKiFQEOlKp6d6KEqMt3SzAM=,tag:Rm4ZetiphajoyZzi6uqE9w==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.0
diff --git a/woodpecker/values/values.yaml b/woodpecker/values/values.yaml
new file mode 100644
index 0000000..822f9d3
--- /dev/null
+++ b/woodpecker/values/values.yaml
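Review bot: The single Secret `woodpecker-forgejo` bundles credentials with different audiences — the Forgejo OAuth client id/secret and the Prometheus auth token are only consumed by the server, while only `WOODPECKER_AGENT_SECRET` has to be shared with agents — yet woodpecker/values/values.yaml in this patch injects the whole Secret into both `server` and `agent` through `extraSecretNamesForEnvFrom`, so all three agent replicas receive the OAuth secret and the Prometheus token they have no use for. Splitting it into a server Secret and an agent Secret that holds only `WOODPECKER_AGENT_SECRET` (and pointing `agent.extraSecretNamesForEnvFrom` at that one) limits what a compromised agent pod can read to the agent credential. Separately, these keys sit under `data:` rather than `stringData:`, so the decrypted plaintexts must already be base64-encoded for the Secret to be valid; worth confirming, since `encrypted_regex` already covers `stringData` and that form avoids the question.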
@@ -0,0 +1,35 @@
+server:
+ ingress:
+ # -- Enable the ingress for the server component
+ enabled: true
+ # -- Add annotations to the ingress
+ annotations:
+ # kubernetes.io/ingress.class: nginx
+ kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: woodpecker.ar21.de
+ paths:
+ - path: /
+ backend:
+ serviceName: woodpecker-svc
+ servicePort: 80
+ tls:
+ - hosts:
+ - woodpecker.ar21.de
+ secretName: woodpecker-tls-key
+ statefulSet:
+ replicaCount: 1
+ env:
+ WOODPECKER_ADMIN: 'aaron'
+ WOODPECKER_HOST: 'https://woodpecker.ar21.de'
+ WOODPECKER_OPEN: true
+ WOODPECKER_FORGEJO: true
+ WOODPECKER_FORGEJO_URL: 'https://git.ar21.de'
+ extraSecretNamesForEnvFrom:
+ - woodpecker-forgejo
+agent:
+ extraSecretNamesForEnvFrom:
+ - woodpecker-forgejo
+ replicaCount: 3
+ env:
+ WOODPECKER_MAX_WORKFLOWS: 2
-- 
2.45.2

From 6f34793ba241412dfc6af5312eb3ab9e7c606af9 Mon Sep 17 00:00:00 2001
From: Aaron Riedel
Date: Fri, 4 Oct 2024 19:20:00 +0200
Subject: [PATCH 2/2] remove namespace from secret
---
 woodpecker/secrets/secrets.enc.yaml | 47 ++---------------------------
 1 file changed, 2 insertions(+), 45 deletions(-)
diff --git a/woodpecker/secrets/secrets.enc.yaml b/woodpecker/secrets/secrets.enc.yaml
index f990d36..86ab261 100644
--- a/woodpecker/secrets/secrets.enc.yaml
+++ b/woodpecker/secrets/secrets.enc.yaml
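Review bot: `WOODPECKER_OPEN: true` enables open registration, so every account on the Forgejo instance at `WOODPECKER_FORGEJO_URL` can log in and schedule workflows on the three agents; if `git.ar21.de` permits self-registration, that is effectively anonymous CI compute behind a public ingress. Unless open access is intended, set `WOODPECKER_OPEN: false` (the account named in `WOODPECKER_ADMIN` is, as far as I recall, still admitted) or restrict who may log in with the server's `WOODPECKER_ORGS` allow-list, and leave a comment recording the decision. Also, `WOODPECKER_OPEN: true`, `WOODPECKER_FORGEJO: true` and `WOODPECKER_MAX_WORKFLOWS: 2` are unquoted YAML booleans/ints under `env:` while the neighbouring values are quoted strings; whether that renders to a valid string-valued container env depends on how the chart templates `env`, so quoting them as `'true'` and `'2'` matches the siblings and removes that dependency.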
@@ -1,47 +1,4 @@
 apiVersion: v1
-kind: Namespace
-metadata:
- name: woodpecker
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzakpwaHhhclQ5MU5BOVpO
- eHY0WGF6bHlyaStxNW5WVGZIQzZnRVR3SVFrCjdrRjIzRjFheHZqdWpmYlFpODVo
- RzBsd1llNk5JZEtFbCtuN3Nrd2lTejAKLS0tIEFxOU00aGVlM1U3S0tYdFJ5NnVH
- U0h3czZCUUk5NDdlL1o1THJGSXdqMUUKA4bMrmS1o1yB+aGdUgUzWMGjfYaQ55UW
- Em+FXnis5k+3eY18YplZs3rBRiiuSHjt4WOnrwOymn3TvGixS1nA2A==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1s9nvc4rxj3kaj4apmzzn8fmjrudrvdhgu70rg04we9hyse5aadsq7kmckn
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WGlRZzJ4emVKazRtbGxk
- SUs3R3J4aGpZV2EvVTllb2h4Tlh6NDd2QndBCnlxdUQ1L3BReHV3eTQ2OEh1bjNM
- b3UzdjR5YlBqakN1aU9CanZrM0RqajQKLS0tIGFhVGVXSmRXbmhJVE1aOW0xYzV2
- ZStBaHZxRDhzWTVnSHFBK3J4R3R5Z2cKg/yRNnsxy0Zrwi/dcNHTzjSHcQ9ZbipN
- N1JKH1WCGdmZku3m/G0DSRdxP7yNs3rJBoOg63h632bWHKHj/pElsQ==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVkdsM01hVzhpaUVCYTk5
- SXZTemJudWl6YlNnTnJiN1dIQkdlbnBZZ2o0CkFvNndWbXBNcUNkSkVmeGx2aVBJ
- WkYxbHV0czBydWZpWnN6NFkwdm5aZVUKLS0tIEhNK0FLakVZMXNKRGdpYXd2WmQz
- dGZrWWhwemxSdzdjNmF2UmdVWklJeEkKmLPdUb3KcgA61fMhhiaQxwcDx0kEdh0t
- gMyW7MGzyCxkUjGxb/amuPJkq0/7MujpfHK8q0AgUztmqa6Tk02P9Q==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-04T16:57:58Z"
- mac: ENC[AES256_GCM,data:YIke3ycXwzygpKuCoodWcR7VQw8qMABML2c5R8LZi4A9JcAK+3MNF8T1EEhPtqgzSDlNjrBr3MAJc01bONidsoDq7YRR97ZBQq57J7JoUcuysh2z2sV80PzsZsmI/FIygGz8MFEBrp3E6yc14tIKgnbleFn4gO9QBn1ocY9r+aM=,iv:NGu0zMt/b9esI57ApKrmkKiFQEOlKp6d6KEqMt3SzAM=,tag:Rm4ZetiphajoyZzi6uqE9w==,type:str]
- pgp: []
- encrypted_regex: ^(data|stringData)$
- version: 3.9.0
----
-apiVersion: v1
 kind: Secret
 metadata:
 name: woodpecker-forgejo
@@ -87,8 +44,8 @@ sops:
 dGZrWWhwemxSdzdjNmF2UmdVWklJeEkKmLPdUb3KcgA61fMhhiaQxwcDx0kEdh0t
 gMyW7MGzyCxkUjGxb/amuPJkq0/7MujpfHK8q0AgUztmqa6Tk02P9Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-04T16:57:58Z"
- mac: ENC[AES256_GCM,data:YIke3ycXwzygpKuCoodWcR7VQw8qMABML2c5R8LZi4A9JcAK+3MNF8T1EEhPtqgzSDlNjrBr3MAJc01bONidsoDq7YRR97ZBQq57J7JoUcuysh2z2sV80PzsZsmI/FIygGz8MFEBrp3E6yc14tIKgnbleFn4gO9QBn1ocY9r+aM=,iv:NGu0zMt/b9esI57ApKrmkKiFQEOlKp6d6KEqMt3SzAM=,tag:Rm4ZetiphajoyZzi6uqE9w==,type:str]
+ lastmodified: "2024-10-04T17:19:41Z"
+ mac: ENC[AES256_GCM,data:oW62pLYPe4greXFb5rbyLhr29FltC1tcVsbwJd6x9HZ5Iz3JiLkHU49R4fObMBBt7gE/Dv+d+U5Ov/ucq3ulzvQdLffkzhIBilfHMCTksd8Dj41Q+I6mcedRnnFbPhyI2bVTivftotsbtPldYIl8PaWcmCRohM9Mjzf/TbWWrag=,iv:ZlmpKUWt0T06RaJdRJqqjeQaBoCgMhnpLcnydcgMCLI=,tag:Vgw7xuWVp/gnLNOD096z+w==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.9.0
-- 
2.45.2