diff --git a/cluster/apps/database/kustomization.yaml b/cluster/apps/database/kustomization.yaml
new file mode 100644
index 0000000..9cc2f97
--- /dev/null
+++ b/cluster/apps/database/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./network_policy.yaml
+- ./postgresql
\ No newline at end of file
diff --git a/cluster/apps/database/namespace.yaml b/cluster/apps/database/namespace.yaml
new file mode 100644
index 0000000..c24ff21
--- /dev/null
+++ b/cluster/apps/database/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: database
+ labels:
+ name: database
\ No newline at end of file
diff --git a/cluster/apps/database/network_policy.yaml b/cluster/apps/database/network_policy.yaml
new file mode 100644
index 0000000..229be34
--- /dev/null
+++ b/cluster/apps/database/network_policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-most-allow-some
+ namespace: database
+spec:
+ # Apply to all pods in this namespace
+ podSelector: {}
+ ingress:
+ - from:
+ # Allow all pods in this namespace
+ - namespaceSelector:
+ matchLabels:
+ name: "database"
+
+ # Allow all pods with this label
+ - podSelector:
+ matchLabels:
+ needsDatabase: "yes"
\ No newline at end of file
diff --git a/cluster/apps/database/postgresql/helm-release.yaml b/cluster/apps/database/postgresql/helm-release.yaml
new file mode 100644
index 0000000..98bdf80
--- /dev/null
+++ b/cluster/apps/database/postgresql/helm-release.yaml
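Review bot: `resources:` in cluster/apps/database/kustomization.yaml lists `./postgresql` but not `./redis`, although this same commit adds cluster/apps/database/redis with its own kustomization.yaml, so nothing under redis/ is ever built or applied. Add `- ./redis` after `- ./postgresql`. The file also ends without a trailing newline, which most YAML linters flag.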
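Review bot: The second `from` entry in cluster/apps/database/network_policy.yaml is a bare `podSelector` (`needsDatabase: "yes"`), and a NetworkPolicyPeer with only a podSelector matches pods in the policy's own namespace, so the comment "Allow all pods with this label" is misleading: a labelled pod in any other namespace is still denied, and within the database namespace the first entry already allows everything. If the intent is "any namespace, by pod label", put `namespaceSelector: {}` in the same list element as that `podSelector` (two keys under one `- `), rather than as a separate entry. The first entry keys on the custom `name: database` label set in namespace.yaml; anyone allowed to edit namespace labels can reproduce that label on another namespace and gain ingress, so on clusters that populate the API-server-managed `kubernetes.io/metadata.name` label, matching on that is the harder-to-spoof choice. Note that no `policyTypes` is declared, so only ingress is restricted; egress from the database pods remains open, which may be intended.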
@@ -0,0 +1,23 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: postgresql
+ namespace: database
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: postgresql
+ version: 12.2.x
+ sourceRef:
+ kind: HelmRepository
+ name: bitnami-charts
+ namespace: flux-system
+ values:
+ auth:
+ username: k3spostgresql
+ existingSecret: "pgsql-secrets"
+ secretKeys:
+ adminPasswordKey: "adminPassword"
+ userPasswordKey: "userPassword"
+ replicationPasswordKey: "replicationPassword"
diff --git a/cluster/apps/database/postgresql/kustomization.yaml b/cluster/apps/database/postgresql/kustomization.yaml
new file mode 100644
index 0000000..2895cf4
--- /dev/null
+++ b/cluster/apps/database/postgresql/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./pgsql.sops.yaml
+- ./helm-repository.yaml
+- ./service.yaml
\ No newline at end of file
diff --git a/cluster/apps/database/postgresql/pgsql.sops.yaml b/cluster/apps/database/postgresql/pgsql.sops.yaml
new file mode 100644
index 0000000..e3e4260
--- /dev/null
+++ b/cluster/apps/database/postgresql/pgsql.sops.yaml
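Review bot: cluster/apps/database/postgresql/kustomization.yaml references `./helm-repository.yaml`, which this commit does not add (the HelmRepository it presumably means is created in cluster/core/helm-repositories.yaml), and it omits `./helm-release.yaml`, so unless that file already exists in the directory the kustomize build fails on a missing resource and the HelmRelease defined just above is never applied. Replace `- ./helm-repository.yaml` with `- ./helm-release.yaml`. cluster/apps/database/redis/kustomization.yaml has the same two problems.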
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: pgsql-secrets
+ namespace: database
+stringData:
+ adminPassword: ENC[AES256_GCM,data:gJ7rl2V/VlbIIRvRHcwMaZKN87t5n8bVWZCj/tRv8Uw=,iv:b/5eEnOrHzJrtnO+E2IGwJLHy2AdJQwv9WfUR5fUHY4=,tag:nTtaDNHVfYpChQX9UWwdKA==,type:str]
+ userPassword: ENC[AES256_GCM,data:gR7q508lUaRDRJ/z5lH99JLJSS9zWfg0O+TAm2B9uvo=,iv:9DDQxwd/BGtLQDacAH/crfT+qU4Pn5sGkWuEtmMprUI=,tag:tK3WoUd7729LQDVqU7pckQ==,type:str]
+ replicationPassword: ENC[AES256_GCM,data:BSA5IfYhhvN445yp2i3BI5zlIXgdj+LejCPzvlTMnVo=,iv:Qku2NAQPLxt+NUnk2dSx1+WAoyx3aEuA3+piU2mubYk=,tag:MnI+atK6VLZUc3eGS1OE1w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2023-04-07T01:57:23Z"
+ mac: ENC[AES256_GCM,data:wvjHgGOMyuVpy4klW5/aO434NKABQJc0907BIwLOXMxSOuIsedAeRhCWdi70IJfv5m8gIcRCb/jWVtDgQePd6CALglH72VlA3NiZI5EQrdBLQUmpGSglLNScrLDOjqNrXG/UgmikATskO5R0vl/203jt1S4OupuEHiPqPRHSSdc=,iv:qHHpufOzzjk8NCuldShenJbC1BlzhMpy4Tz2wWBolvw=,tag:HpoB7PM1gZfv6qfun7ucRw==,type:str]
+ pgp:
+ - created_at: "2023-04-07T01:57:22Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzKleRwoSoixAQ/9Hi4VyrUXV7LvbCFiLbyfv314lMGwrAf+2po/4Lr1hANe
+ KiwpfthiNheAjNaGCG6v2C1rx2Wrr5G3+rMik/1TLWbg2u9zZU4mWO8bwJUGXKDo
+ /T1nl47f09UPDtQ6KiG0nPf3M0Ovmk3d63R3zpY4Q7uE4uhLNDr0KD9mp7MmRCbZ
+ PO++tdiZa67z9owNDh/NSnQr9Y6JwjlxlkJl5SJ76vaK/SaOi/j86mOm9CV6SQmk
+ cLOwiO7JxV8I4gD9jlLdYEPS+nqztX5eHLRoaXsAQrX4DdWNnOF0C2sk9nMHwQTb
+ W8/SVmg7TiVVL6qVCXgUCgFRXllrlGlXlfv+W6ruuZIBv2MAA1V+afl5A3/KVvE6
+ FDq9YrJ4XfZPCD2ZByM2386L8MiUwkfF/3uge38MT/WDU2DTT+g7jV3UQs+Awi8f
+ N4YBVBcp5jGTkMD0347GPfPF7kdiN/YFZ/Ws1jf/EsS6vOpKNlPn64fVJfTSfdie
+ rvNxksi8Y4vpwEngy38t7JRfpJniDo9iK9EwhXMChYXnWkiz/B3vMoii496B7TzO
+ 9gKd4v7kFA6iXI+wqbYrZfOGeLZlMI99pwTatNL4fo9ABJ7JScISzTvS7p/xB6Ae
+ JPdlA0Tf8wP4RYz8YYRcNlfEQPZYb4kHj5r9Ei59InHzwKfq9GyKKvluS0/k3NHU
+ aAEJAhCVkPuIHluRLHsjVEbKbFzSJUG8p/hSSmQnfk3CT36/dJhgv3jzoL+1/Sx1
+ o8OwWPmNq8TuX9SaXfhfy/EGMulWgRaztxt9D+0+wgc8IOAPp+0SYUsaOa0T9+Pl
+ pjU1GRaK5AlT
+ =mItp
+ -----END PGP MESSAGE-----
+ fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+ - created_at: "2023-04-07T01:57:22Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4WLYkVpP8xtAQ/9FQGyKS1wEodU9ZVZ8kxijp6aFtMCmL/I5HBEhbSLj0P9
+ TVD0QwnUPZqf7zlWrAh6TspyLQdRMt9JAYZCPyLgu//FdKfBJNYeU3+aWj/lMtJ4
+ Twgs7NPtGbRJcpF+a4NmAOIqzKfJI+h714BLFoWrGtUmTE9/dBHh2yxADSgprY1o
+ /4J8aHQfaqg5JwijP3PhtRMxla4YQfhqf0JRAcmQPKUDuxT2QG/wp59Fq/665aaO
+ JFWiCOPBqTtEhY4ML4EYNUV+Cd7UT7LOXC+Xzuj1eEGMV1Pmqd1u1UyQKvHOOXhT
+ AfGeCub+ZONGfmcDcY5gEMnbSCGcQEvipA3dBIIFklgnxM00jmcJ1Ojo1+MYynpl
+ E1XLOaolRWinlDNXA62k8iWG33hcxHGSzkHrsQjtqrrD2PdHS1RmTJ8Hn+iuRUn6
+ /fGk8ZQJ7oMPsZNyfiM0OdwSXxJ4rQUtGkHHd727S4K6nXC6OLxXCzl7lYG7QKcP
+ RVrbFMNv01aToyNGhLmcSxUYdQ4oc+nv65rNZDsdbi34T+dlULboJDkwV6JrJ5dz
+ hlu3ySgijZuRD5bfpfKB2RScu2ixEijOIyk1oXBB2Dhyh1ezc3qnAw8xkGr9W2SE
+ roBuu95mZsIZEtfMS5hxwGyWzSCENnbkSukQhUoIjRXryly7MQgNZ5FMX+f5n3DU
+ aAEJAhBJcIEidIhFVqDkezzMcofKl3MlXWqkfTUV3vsjz6EpN1FwhpZ3prTexUcM
+ 9XCx9Wq1kMpjkphWETh2lSAafyIz6R/d4zWV5IWIeDh+USYT9z0Rprp4URka4Wjx
+ fux0T5xDbgq5
+ =eiXM
+ -----END PGP MESSAGE-----
+ fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/cluster/apps/database/postgresql/service.yaml b/cluster/apps/database/postgresql/service.yaml
new file mode 100644
index 0000000..aaf5728
--- /dev/null
+++ b/cluster/apps/database/postgresql/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgresql
+ namespace: database
+
+ labels:
+ app: postgresql
+ database: postgresql
+ kubernetes.io/name: "postgresql"
+spec:
+ selector:
+ app: postgresql
+ ports:
+ - name: pgsql
+ port: 5432
+ targetPort: 5432
\ No newline at end of file
diff --git a/cluster/apps/database/redis/helm-release.yaml b/cluster/apps/database/redis/helm-release.yaml
new file mode 100644
index 0000000..038c525
--- /dev/null
+++ b/cluster/apps/database/redis/helm-release.yaml
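Review bot: cluster/apps/database/postgresql/service.yaml hand-creates a Service named `postgresql` in namespace `database` with `selector: app: postgresql`, next to a HelmRelease of the Bitnami postgresql chart that, as far as I recall, creates its own primary Service and labels its pods with `app.kubernetes.io/name` rather than `app`; this object therefore looks likely either to collide with the chart-managed Service of the same name at install time (Helm refuses to adopt resources it does not own) or to select no endpoints at all. If no extra exposure is needed, drop the file; otherwise give it a distinct name and a selector taken from the chart's actual pod labels. The `kubernetes.io/name` label is also non-standard (the recommended key is `app.kubernetes.io/name`) and is not used by anything in this diff.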
@@ -0,0 +1,20 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: redis
+ namespace: database
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: redis
+ version: 17.9.x
+ sourceRef:
+ kind: HelmRepository
+ name: bitnami-charts
+ namespace: flux-system
+ values:
+ auth:
+ username: k3spostgresql
+ existingSecret: "redis-secrets"
+ existingSecretPasswordKey: "password"
diff --git a/cluster/apps/database/redis/kustomization.yaml b/cluster/apps/database/redis/kustomization.yaml
new file mode 100644
index 0000000..38bd9c9
--- /dev/null
+++ b/cluster/apps/database/redis/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./redis.sops.yaml
+- ./helm-repository.yaml
+- ./service.yaml
\ No newline at end of file
diff --git a/cluster/apps/database/redis/redis.sops.yaml b/cluster/apps/database/redis/redis.sops.yaml
new file mode 100644
index 0000000..36ec85d
--- /dev/null
+++ b/cluster/apps/database/redis/redis.sops.yaml
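Review bot: `values.auth.username: k3spostgresql` in cluster/apps/database/redis/helm-release.yaml is carried over from the PostgreSQL release; the Bitnami redis chart's `auth` block has, as far as I know, no `username` value, so the line is silently ignored and only misleads readers into thinking Redis is configured with a named user. Drop it. The remaining wiring (`existingSecret: "redis-secrets"`, `existingSecretPasswordKey: "password"`) does match the `password` key in redis.sops.yaml. Both releases pin floating patch ranges (`17.9.x` here, `12.2.x` for postgresql), which means chart patch upgrades are applied without a commit to review; acceptable if intended, but worth a comment stating so.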
@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: redis-secrets
+ namespace: database
+stringData:
+ password: ENC[AES256_GCM,data:jjXsxyMKvPsAAr3wMhZWV/E/Qmmz/OYQvu6f8pRXasY=,iv:8K9IzAywC9CHiZ+ASoxhSqN14amL6APbzjpBtxPS50s=,tag:GbgcAhhDp+ob83Neyr/Lzw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2023-04-07T02:27:25Z"
+ mac: ENC[AES256_GCM,data:7/C0bTMeOXSWeP2ftsCrWRLk84U0RmmNBQgo8oWKKo82ELZq13UNjGyQovdnkSJQohmrf3NeYAqD1BEdkLnV1i8Fc0+UeVw0RIqApVXT0QuL1N9raw71TCZFpdIlB/QVqpnSByGquHtHeDVCU1XeVucq9SXbRQC+KXHIKKYRRWk=,iv:gG2zWKGmhCbz3iqfYUIpTvgx1Pkr3jnCPsopS1sWLWU=,tag:AAg40kPevQR+TsIpvarKRQ==,type:str]
+ pgp:
+ - created_at: "2023-04-07T01:57:22Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzKleRwoSoixAQ/9Hi4VyrUXV7LvbCFiLbyfv314lMGwrAf+2po/4Lr1hANe
+ KiwpfthiNheAjNaGCG6v2C1rx2Wrr5G3+rMik/1TLWbg2u9zZU4mWO8bwJUGXKDo
+ /T1nl47f09UPDtQ6KiG0nPf3M0Ovmk3d63R3zpY4Q7uE4uhLNDr0KD9mp7MmRCbZ
+ PO++tdiZa67z9owNDh/NSnQr9Y6JwjlxlkJl5SJ76vaK/SaOi/j86mOm9CV6SQmk
+ cLOwiO7JxV8I4gD9jlLdYEPS+nqztX5eHLRoaXsAQrX4DdWNnOF0C2sk9nMHwQTb
+ W8/SVmg7TiVVL6qVCXgUCgFRXllrlGlXlfv+W6ruuZIBv2MAA1V+afl5A3/KVvE6
+ FDq9YrJ4XfZPCD2ZByM2386L8MiUwkfF/3uge38MT/WDU2DTT+g7jV3UQs+Awi8f
+ N4YBVBcp5jGTkMD0347GPfPF7kdiN/YFZ/Ws1jf/EsS6vOpKNlPn64fVJfTSfdie
+ rvNxksi8Y4vpwEngy38t7JRfpJniDo9iK9EwhXMChYXnWkiz/B3vMoii496B7TzO
+ 9gKd4v7kFA6iXI+wqbYrZfOGeLZlMI99pwTatNL4fo9ABJ7JScISzTvS7p/xB6Ae
+ JPdlA0Tf8wP4RYz8YYRcNlfEQPZYb4kHj5r9Ei59InHzwKfq9GyKKvluS0/k3NHU
+ aAEJAhCVkPuIHluRLHsjVEbKbFzSJUG8p/hSSmQnfk3CT36/dJhgv3jzoL+1/Sx1
+ o8OwWPmNq8TuX9SaXfhfy/EGMulWgRaztxt9D+0+wgc8IOAPp+0SYUsaOa0T9+Pl
+ pjU1GRaK5AlT
+ =mItp
+ -----END PGP MESSAGE-----
+ fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+ - created_at: "2023-04-07T01:57:22Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4WLYkVpP8xtAQ/9FQGyKS1wEodU9ZVZ8kxijp6aFtMCmL/I5HBEhbSLj0P9
+ TVD0QwnUPZqf7zlWrAh6TspyLQdRMt9JAYZCPyLgu//FdKfBJNYeU3+aWj/lMtJ4
+ Twgs7NPtGbRJcpF+a4NmAOIqzKfJI+h714BLFoWrGtUmTE9/dBHh2yxADSgprY1o
+ /4J8aHQfaqg5JwijP3PhtRMxla4YQfhqf0JRAcmQPKUDuxT2QG/wp59Fq/665aaO
+ JFWiCOPBqTtEhY4ML4EYNUV+Cd7UT7LOXC+Xzuj1eEGMV1Pmqd1u1UyQKvHOOXhT
+ AfGeCub+ZONGfmcDcY5gEMnbSCGcQEvipA3dBIIFklgnxM00jmcJ1Ojo1+MYynpl
+ E1XLOaolRWinlDNXA62k8iWG33hcxHGSzkHrsQjtqrrD2PdHS1RmTJ8Hn+iuRUn6
+ /fGk8ZQJ7oMPsZNyfiM0OdwSXxJ4rQUtGkHHd727S4K6nXC6OLxXCzl7lYG7QKcP
+ RVrbFMNv01aToyNGhLmcSxUYdQ4oc+nv65rNZDsdbi34T+dlULboJDkwV6JrJ5dz
+ hlu3ySgijZuRD5bfpfKB2RScu2ixEijOIyk1oXBB2Dhyh1ezc3qnAw8xkGr9W2SE
+ roBuu95mZsIZEtfMS5hxwGyWzSCENnbkSukQhUoIjRXryly7MQgNZ5FMX+f5n3DU
+ aAEJAhBJcIEidIhFVqDkezzMcofKl3MlXWqkfTUV3vsjz6EpN1FwhpZ3prTexUcM
+ 9XCx9Wq1kMpjkphWETh2lSAafyIz6R/d4zWV5IWIeDh+USYT9z0Rprp4URka4Wjx
+ fux0T5xDbgq5
+ =eiXM
+ -----END PGP MESSAGE-----
+ fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/cluster/apps/database/redis/service.yaml b/cluster/apps/database/redis/service.yaml
new file mode 100644
index 0000000..aaf5728
--- /dev/null
+++ b/cluster/apps/database/redis/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgresql
+ namespace: database
+
+ labels:
+ app: postgresql
+ database: postgresql
+ kubernetes.io/name: "postgresql"
+spec:
+ selector:
+ app: postgresql
+ ports:
+ - name: pgsql
+ port: 5432
+ targetPort: 5432
\ No newline at end of file
diff --git a/cluster/base/cluster-secrets.sops.yaml b/cluster/base/cluster-secrets.sops.yaml
index 66d8e6c..304ba67 100644
--- a/cluster/base/cluster-secrets.sops.yaml
+++ b/cluster/base/cluster-secrets.sops.yaml
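Review bot: cluster/apps/database/redis/service.yaml is a byte-for-byte copy of the PostgreSQL Service (both files have blob id aaf5728): `name: postgresql`, `selector: app: postgresql`, port `5432` — nothing in it refers to Redis. Once both kustomizations are built it produces two Service objects with the same kind, name and namespace, which kustomize rejects as a duplicate resource id, and even alone it would never route to Redis. Either delete the file or rewrite it as a Redis service (`name: redis`, port `6379`, selector matching the chart's actual pod labels), and note that the Bitnami chart already creates its own Service, so the extra object may be unnecessary.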
@@ -6,14 +6,17 @@ metadata:
 stringData:
 SECRET_MY_EMAIL: ENC[AES256_GCM,data:o1mpa9VUFdZOepjGKkD76/Px,iv:u+2VUsHGP0O0Qw5ojE4zuSd80iGTDxB95rXB6JO2CJs=,tag:5xvoFP96iOoYSjbZ9NVX0A==,type:str]
 SECRET_LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:J3Q3okoZ4APVwMXcl00pCPnO,iv:F0L/cRRy5FWMqCF+lpQbZwytSl2OqVOLmVtS0B4jRvU=,tag:cnxZCYcFLDFjKNlbMz+dsg==,type:str]
+ SECRET_AUTHENTIK_SECRET_KEY: ENC[AES256_GCM,data:VNkSzACyKPK8Ois5RsddusfeopQ0/2dRZ2nTTFePz4Y=,iv:V3X1U37Aj5ja+iGuLL9DvLtW43TZvClBgNMQ419tnP8=,tag:cu4vS6fNh5H79KvjeKEtXA==,type:str]
+ SECRET_DATABASE_PGSQL_USER_PASS: ENC[AES256_GCM,data:6WJahxUSCBVaQXz2x8lpbfGOubNSjsJ4UkT/IfuPUIk=,iv:cg9FbEn5NfSTug/LKLN9mkFOnOjyRhqtENd+NYnm9Sc=,tag:3XH1AAc/tstYKnzInXzvTw==,type:str]
+ SECRET_DATABASE_REDIS_PASS: ENC[AES256_GCM,data:G5HSJB9jXkVBv619HXtgYMQx4qI0ubfnU8vXJ9ZaTzM=,iv:nWv+/KZFboIrQcIootf8l56Z9Jk6z5gYOd5Nj6Fjn38=,tag:0v77fS9jhvcoy3ASjL4ODQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-04-05T02:32:38Z"
- mac: ENC[AES256_GCM,data:2O89WN/cDwxmT0bisGGmIDjtuhFF2m7ZIGH33qUH1PdRjGAKGsPgp4NZtkZ6b5G1uvF2bJzzs8BQZty1VFHGm0fbIeoqXDNN1xhQJOOMu9ZhfsKpLSB06Owh+3QTxxRNF3TAIT7wRHr4SDEVwh5vLZhwUHWbJJPaFPX3w+YRqaE=,iv:Co3oTTwuEPdarOsm/NVjhaQmq6ntqVmjyfKpgemVmI8=,tag:jRcGlvu+1mWziskoxV1Zyg==,type:str]
+ lastmodified: "2023-04-07T02:36:34Z"
+ mac: ENC[AES256_GCM,data:qJLXYJAJNnVw8ajyBMFpBpfkSW3k+l5riCJWN7cNWyVbpQJbR6wl/ck65SDS1dj6aCZKlk0kZpgWUHdyczSwLgUS5dZ+KuTQ+K1NYVz+mgL5Ye/zKlE4EQdIxWuGTXXUlc/CA/jxt6fHhb4YrJTPkdwCMTc8QexMBltx5L4Z90A=,iv:iFbJ/g5L3UAWLNhQ4oJGITyEpA6v9kueUK0RQMRs/tQ=,tag:tmkLE0/W4az+Q4zB2XtNug==,type:str]
 pgp:
 - created_at: "2023-04-05T02:28:36Z"
 enc: |
diff --git a/cluster/core/helm-repositories.yaml b/cluster/core/helm-repositories.yaml
new file mode 100644
index 0000000..2add8d2
--- /dev/null
+++ b/cluster/core/helm-repositories.yaml
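Review bot: `SECRET_DATABASE_PGSQL_USER_PASS` and `SECRET_DATABASE_REDIS_PASS` in cluster/base/cluster-secrets.sops.yaml place the database credentials in a second encrypted file alongside the `pgsql-secrets` and `redis-secrets` Secrets this commit adds; presumably they carry the same values, so every rotation now has to be performed in two sops files and the copies can silently drift until something fails to authenticate. Consider having consumers mount or reference the app Secret directly (or deriving one copy from the other) so each credential has a single source of truth, and if both copies must stay, add a comment above these keys naming the file they mirror. The rest of the Secret's `metadata` lies outside this hunk.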
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: bitnami-charts
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://charts.bitnami.com/bitnami
diff --git a/cluster/core/kustomization.yaml b/cluster/core/kustomization.yaml
index fad965b..12ab434 100644
--- a/cluster/core/kustomization.yaml
+++ b/cluster/core/kustomization.yaml
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- ./helm-repositories.yaml
 - ./cert-manager
 - ./networking
 - ./storage
\ No newline at end of file