Add redis and postgresql databases

2023-04-06 22:39:06 -04:00 · 2023-04-06 22:39:06 -04:00 · 83549ffa10
parent a90f0fa700
commit 83549ffa10
14 changed files with 256 additions and 2 deletions
--- a/cluster/apps/database/kustomization.yaml
+++ b/cluster/apps/database/kustomization.yaml
@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./network_policy.yaml
+- ./postgresql
--- a/cluster/apps/database/namespace.yaml
+++ b/cluster/apps/database/namespace.yaml
@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: database
+  labels:
+    name: database
--- a/cluster/apps/database/network_policy.yaml
+++ b/cluster/apps/database/network_policy.yaml
@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-most-allow-some
+  namespace: database
+spec:
+  # Apply to all pods in this namespace
+  podSelector: {}
+  ingress:
+  - from:
+    # Allow all pods in this namespace
+    - namespaceSelector:
+        matchLabels:
+          name: "database"
+
+    # Allow all pods with this label
+    - podSelector:
+        matchLabels:
+          needsDatabase: "yes"
--- a/cluster/apps/database/postgresql/helm-release.yaml
+++ b/cluster/apps/database/postgresql/helm-release.yaml
@ -0,0 +1,23 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: postgresql
+  namespace: database
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: postgresql
+      version: 12.2.x
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami-charts
+        namespace: flux-system
+  values:
+    auth:
+      username: k3spostgresql
+      existingSecret: "pgsql-secrets"
+      secretKeys:
+        adminPasswordKey: "adminPassword"
+        userPasswordKey: "userPassword"
+        replicationPasswordKey: "replicationPassword"
--- a/cluster/apps/database/postgresql/kustomization.yaml
+++ b/cluster/apps/database/postgresql/kustomization.yaml
@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./pgsql.sops.yaml
+- ./helm-repository.yaml
+- ./service.yaml
--- a/cluster/apps/database/postgresql/pgsql.sops.yaml
+++ b/cluster/apps/database/postgresql/pgsql.sops.yaml
@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: pgsql-secrets
+    namespace: database
+stringData:
+    adminPassword: ENC[AES256_GCM,data:gJ7rl2V/VlbIIRvRHcwMaZKN87t5n8bVWZCj/tRv8Uw=,iv:b/5eEnOrHzJrtnO+E2IGwJLHy2AdJQwv9WfUR5fUHY4=,tag:nTtaDNHVfYpChQX9UWwdKA==,type:str]
+    userPassword: ENC[AES256_GCM,data:gR7q508lUaRDRJ/z5lH99JLJSS9zWfg0O+TAm2B9uvo=,iv:9DDQxwd/BGtLQDacAH/crfT+qU4Pn5sGkWuEtmMprUI=,tag:tK3WoUd7729LQDVqU7pckQ==,type:str]
+    replicationPassword: ENC[AES256_GCM,data:BSA5IfYhhvN445yp2i3BI5zlIXgdj+LejCPzvlTMnVo=,iv:Qku2NAQPLxt+NUnk2dSx1+WAoyx3aEuA3+piU2mubYk=,tag:MnI+atK6VLZUc3eGS1OE1w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-04-07T01:57:23Z"
+    mac: ENC[AES256_GCM,data:wvjHgGOMyuVpy4klW5/aO434NKABQJc0907BIwLOXMxSOuIsedAeRhCWdi70IJfv5m8gIcRCb/jWVtDgQePd6CALglH72VlA3NiZI5EQrdBLQUmpGSglLNScrLDOjqNrXG/UgmikATskO5R0vl/203jt1S4OupuEHiPqPRHSSdc=,iv:qHHpufOzzjk8NCuldShenJbC1BlzhMpy4Tz2wWBolvw=,tag:HpoB7PM1gZfv6qfun7ucRw==,type:str]
+    pgp:
+        - created_at: "2023-04-07T01:57:22Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzKleRwoSoixAQ/9Hi4VyrUXV7LvbCFiLbyfv314lMGwrAf+2po/4Lr1hANe
+            KiwpfthiNheAjNaGCG6v2C1rx2Wrr5G3+rMik/1TLWbg2u9zZU4mWO8bwJUGXKDo
+            /T1nl47f09UPDtQ6KiG0nPf3M0Ovmk3d63R3zpY4Q7uE4uhLNDr0KD9mp7MmRCbZ
+            PO++tdiZa67z9owNDh/NSnQr9Y6JwjlxlkJl5SJ76vaK/SaOi/j86mOm9CV6SQmk
+            cLOwiO7JxV8I4gD9jlLdYEPS+nqztX5eHLRoaXsAQrX4DdWNnOF0C2sk9nMHwQTb
+            W8/SVmg7TiVVL6qVCXgUCgFRXllrlGlXlfv+W6ruuZIBv2MAA1V+afl5A3/KVvE6
+            FDq9YrJ4XfZPCD2ZByM2386L8MiUwkfF/3uge38MT/WDU2DTT+g7jV3UQs+Awi8f
+            N4YBVBcp5jGTkMD0347GPfPF7kdiN/YFZ/Ws1jf/EsS6vOpKNlPn64fVJfTSfdie
+            rvNxksi8Y4vpwEngy38t7JRfpJniDo9iK9EwhXMChYXnWkiz/B3vMoii496B7TzO
+            9gKd4v7kFA6iXI+wqbYrZfOGeLZlMI99pwTatNL4fo9ABJ7JScISzTvS7p/xB6Ae
+            JPdlA0Tf8wP4RYz8YYRcNlfEQPZYb4kHj5r9Ei59InHzwKfq9GyKKvluS0/k3NHU
+            aAEJAhCVkPuIHluRLHsjVEbKbFzSJUG8p/hSSmQnfk3CT36/dJhgv3jzoL+1/Sx1
+            o8OwWPmNq8TuX9SaXfhfy/EGMulWgRaztxt9D+0+wgc8IOAPp+0SYUsaOa0T9+Pl
+            pjU1GRaK5AlT
+            =mItp
+            -----END PGP MESSAGE-----
+          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+        - created_at: "2023-04-07T01:57:22Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4WLYkVpP8xtAQ/9FQGyKS1wEodU9ZVZ8kxijp6aFtMCmL/I5HBEhbSLj0P9
+            TVD0QwnUPZqf7zlWrAh6TspyLQdRMt9JAYZCPyLgu//FdKfBJNYeU3+aWj/lMtJ4
+            Twgs7NPtGbRJcpF+a4NmAOIqzKfJI+h714BLFoWrGtUmTE9/dBHh2yxADSgprY1o
+            /4J8aHQfaqg5JwijP3PhtRMxla4YQfhqf0JRAcmQPKUDuxT2QG/wp59Fq/665aaO
+            JFWiCOPBqTtEhY4ML4EYNUV+Cd7UT7LOXC+Xzuj1eEGMV1Pmqd1u1UyQKvHOOXhT
+            AfGeCub+ZONGfmcDcY5gEMnbSCGcQEvipA3dBIIFklgnxM00jmcJ1Ojo1+MYynpl
+            E1XLOaolRWinlDNXA62k8iWG33hcxHGSzkHrsQjtqrrD2PdHS1RmTJ8Hn+iuRUn6
+            /fGk8ZQJ7oMPsZNyfiM0OdwSXxJ4rQUtGkHHd727S4K6nXC6OLxXCzl7lYG7QKcP
+            RVrbFMNv01aToyNGhLmcSxUYdQ4oc+nv65rNZDsdbi34T+dlULboJDkwV6JrJ5dz
+            hlu3ySgijZuRD5bfpfKB2RScu2ixEijOIyk1oXBB2Dhyh1ezc3qnAw8xkGr9W2SE
+            roBuu95mZsIZEtfMS5hxwGyWzSCENnbkSukQhUoIjRXryly7MQgNZ5FMX+f5n3DU
+            aAEJAhBJcIEidIhFVqDkezzMcofKl3MlXWqkfTUV3vsjz6EpN1FwhpZ3prTexUcM
+            9XCx9Wq1kMpjkphWETh2lSAafyIz6R/d4zWV5IWIeDh+USYT9z0Rprp4URka4Wjx
+            fux0T5xDbgq5
+            =eiXM
+            -----END PGP MESSAGE-----
+          fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/cluster/apps/database/postgresql/service.yaml
+++ b/cluster/apps/database/postgresql/service.yaml
@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgresql
+  namespace: database
+
+  labels:
+    app: postgresql
+    database: postgresql
+    kubernetes.io/name: "postgresql"
+spec:
+  selector:
+    app: postgresql
+  ports:
+  - name: pgsql
+    port: 5432
+    targetPort: 5432
--- a/cluster/apps/database/redis/helm-release.yaml
+++ b/cluster/apps/database/redis/helm-release.yaml
@ -0,0 +1,20 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: redis
+  namespace: database
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: redis
+      version: 17.9.x
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami-charts
+        namespace: flux-system
+  values:
+    auth:
+      username: k3spostgresql
+      existingSecret: "redis-secrets"
+      existingSecretPasswordKey: "password"
--- a/cluster/apps/database/redis/kustomization.yaml
+++ b/cluster/apps/database/redis/kustomization.yaml
@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./redis.sops.yaml
+- ./helm-repository.yaml
+- ./service.yaml
--- a/cluster/apps/database/redis/redis.sops.yaml
+++ b/cluster/apps/database/redis/redis.sops.yaml
@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: redis-secrets
+    namespace: database
+stringData:
+    password: ENC[AES256_GCM,data:jjXsxyMKvPsAAr3wMhZWV/E/Qmmz/OYQvu6f8pRXasY=,iv:8K9IzAywC9CHiZ+ASoxhSqN14amL6APbzjpBtxPS50s=,tag:GbgcAhhDp+ob83Neyr/Lzw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-04-07T02:27:25Z"
+    mac: ENC[AES256_GCM,data:7/C0bTMeOXSWeP2ftsCrWRLk84U0RmmNBQgo8oWKKo82ELZq13UNjGyQovdnkSJQohmrf3NeYAqD1BEdkLnV1i8Fc0+UeVw0RIqApVXT0QuL1N9raw71TCZFpdIlB/QVqpnSByGquHtHeDVCU1XeVucq9SXbRQC+KXHIKKYRRWk=,iv:gG2zWKGmhCbz3iqfYUIpTvgx1Pkr3jnCPsopS1sWLWU=,tag:AAg40kPevQR+TsIpvarKRQ==,type:str]
+    pgp:
+        - created_at: "2023-04-07T01:57:22Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzKleRwoSoixAQ/9Hi4VyrUXV7LvbCFiLbyfv314lMGwrAf+2po/4Lr1hANe
+            KiwpfthiNheAjNaGCG6v2C1rx2Wrr5G3+rMik/1TLWbg2u9zZU4mWO8bwJUGXKDo
+            /T1nl47f09UPDtQ6KiG0nPf3M0Ovmk3d63R3zpY4Q7uE4uhLNDr0KD9mp7MmRCbZ
+            PO++tdiZa67z9owNDh/NSnQr9Y6JwjlxlkJl5SJ76vaK/SaOi/j86mOm9CV6SQmk
+            cLOwiO7JxV8I4gD9jlLdYEPS+nqztX5eHLRoaXsAQrX4DdWNnOF0C2sk9nMHwQTb
+            W8/SVmg7TiVVL6qVCXgUCgFRXllrlGlXlfv+W6ruuZIBv2MAA1V+afl5A3/KVvE6
+            FDq9YrJ4XfZPCD2ZByM2386L8MiUwkfF/3uge38MT/WDU2DTT+g7jV3UQs+Awi8f
+            N4YBVBcp5jGTkMD0347GPfPF7kdiN/YFZ/Ws1jf/EsS6vOpKNlPn64fVJfTSfdie
+            rvNxksi8Y4vpwEngy38t7JRfpJniDo9iK9EwhXMChYXnWkiz/B3vMoii496B7TzO
+            9gKd4v7kFA6iXI+wqbYrZfOGeLZlMI99pwTatNL4fo9ABJ7JScISzTvS7p/xB6Ae
+            JPdlA0Tf8wP4RYz8YYRcNlfEQPZYb4kHj5r9Ei59InHzwKfq9GyKKvluS0/k3NHU
+            aAEJAhCVkPuIHluRLHsjVEbKbFzSJUG8p/hSSmQnfk3CT36/dJhgv3jzoL+1/Sx1
+            o8OwWPmNq8TuX9SaXfhfy/EGMulWgRaztxt9D+0+wgc8IOAPp+0SYUsaOa0T9+Pl
+            pjU1GRaK5AlT
+            =mItp
+            -----END PGP MESSAGE-----
+          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+        - created_at: "2023-04-07T01:57:22Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4WLYkVpP8xtAQ/9FQGyKS1wEodU9ZVZ8kxijp6aFtMCmL/I5HBEhbSLj0P9
+            TVD0QwnUPZqf7zlWrAh6TspyLQdRMt9JAYZCPyLgu//FdKfBJNYeU3+aWj/lMtJ4
+            Twgs7NPtGbRJcpF+a4NmAOIqzKfJI+h714BLFoWrGtUmTE9/dBHh2yxADSgprY1o
+            /4J8aHQfaqg5JwijP3PhtRMxla4YQfhqf0JRAcmQPKUDuxT2QG/wp59Fq/665aaO
+            JFWiCOPBqTtEhY4ML4EYNUV+Cd7UT7LOXC+Xzuj1eEGMV1Pmqd1u1UyQKvHOOXhT
+            AfGeCub+ZONGfmcDcY5gEMnbSCGcQEvipA3dBIIFklgnxM00jmcJ1Ojo1+MYynpl
+            E1XLOaolRWinlDNXA62k8iWG33hcxHGSzkHrsQjtqrrD2PdHS1RmTJ8Hn+iuRUn6
+            /fGk8ZQJ7oMPsZNyfiM0OdwSXxJ4rQUtGkHHd727S4K6nXC6OLxXCzl7lYG7QKcP
+            RVrbFMNv01aToyNGhLmcSxUYdQ4oc+nv65rNZDsdbi34T+dlULboJDkwV6JrJ5dz
+            hlu3ySgijZuRD5bfpfKB2RScu2ixEijOIyk1oXBB2Dhyh1ezc3qnAw8xkGr9W2SE
+            roBuu95mZsIZEtfMS5hxwGyWzSCENnbkSukQhUoIjRXryly7MQgNZ5FMX+f5n3DU
+            aAEJAhBJcIEidIhFVqDkezzMcofKl3MlXWqkfTUV3vsjz6EpN1FwhpZ3prTexUcM
+            9XCx9Wq1kMpjkphWETh2lSAafyIz6R/d4zWV5IWIeDh+USYT9z0Rprp4URka4Wjx
+            fux0T5xDbgq5
+            =eiXM
+            -----END PGP MESSAGE-----
+          fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/cluster/apps/database/redis/service.yaml
+++ b/cluster/apps/database/redis/service.yaml
@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgresql
+  namespace: database
+
+  labels:
+    app: postgresql
+    database: postgresql
+    kubernetes.io/name: "postgresql"
+spec:
+  selector:
+    app: postgresql
+  ports:
+  - name: pgsql
+    port: 5432
+    targetPort: 5432
--- a/cluster/base/cluster-secrets.sops.yaml
+++ b/cluster/base/cluster-secrets.sops.yaml
@ -6,14 +6,17 @@ metadata:
 stringData:
    SECRET_MY_EMAIL: ENC[AES256_GCM,data:o1mpa9VUFdZOepjGKkD76/Px,iv:u+2VUsHGP0O0Qw5ojE4zuSd80iGTDxB95rXB6JO2CJs=,tag:5xvoFP96iOoYSjbZ9NVX0A==,type:str]
    SECRET_LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:J3Q3okoZ4APVwMXcl00pCPnO,iv:F0L/cRRy5FWMqCF+lpQbZwytSl2OqVOLmVtS0B4jRvU=,tag:cnxZCYcFLDFjKNlbMz+dsg==,type:str]
+    SECRET_AUTHENTIK_SECRET_KEY: ENC[AES256_GCM,data:VNkSzACyKPK8Ois5RsddusfeopQ0/2dRZ2nTTFePz4Y=,iv:V3X1U37Aj5ja+iGuLL9DvLtW43TZvClBgNMQ419tnP8=,tag:cu4vS6fNh5H79KvjeKEtXA==,type:str]
+    SECRET_DATABASE_PGSQL_USER_PASS: ENC[AES256_GCM,data:6WJahxUSCBVaQXz2x8lpbfGOubNSjsJ4UkT/IfuPUIk=,iv:cg9FbEn5NfSTug/LKLN9mkFOnOjyRhqtENd+NYnm9Sc=,tag:3XH1AAc/tstYKnzInXzvTw==,type:str]
+    SECRET_DATABASE_REDIS_PASS: ENC[AES256_GCM,data:G5HSJB9jXkVBv619HXtgYMQx4qI0ubfnU8vXJ9ZaTzM=,iv:nWv+/KZFboIrQcIootf8l56Z9Jk6z5gYOd5Nj6Fjn38=,tag:0v77fS9jhvcoy3ASjL4ODQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2023-04-05T02:32:38Z"
-    mac: ENC[AES256_GCM,data:2O89WN/cDwxmT0bisGGmIDjtuhFF2m7ZIGH33qUH1PdRjGAKGsPgp4NZtkZ6b5G1uvF2bJzzs8BQZty1VFHGm0fbIeoqXDNN1xhQJOOMu9ZhfsKpLSB06Owh+3QTxxRNF3TAIT7wRHr4SDEVwh5vLZhwUHWbJJPaFPX3w+YRqaE=,iv:Co3oTTwuEPdarOsm/NVjhaQmq6ntqVmjyfKpgemVmI8=,tag:jRcGlvu+1mWziskoxV1Zyg==,type:str]
+    lastmodified: "2023-04-07T02:36:34Z"
+    mac: ENC[AES256_GCM,data:qJLXYJAJNnVw8ajyBMFpBpfkSW3k+l5riCJWN7cNWyVbpQJbR6wl/ck65SDS1dj6aCZKlk0kZpgWUHdyczSwLgUS5dZ+KuTQ+K1NYVz+mgL5Ye/zKlE4EQdIxWuGTXXUlc/CA/jxt6fHhb4YrJTPkdwCMTc8QexMBltx5L4Z90A=,iv:iFbJ/g5L3UAWLNhQ4oJGITyEpA6v9kueUK0RQMRs/tQ=,tag:tmkLE0/W4az+Q4zB2XtNug==,type:str]
    pgp:
        - created_at: "2023-04-05T02:28:36Z"
          enc: |
--- a/cluster/core/helm-repositories.yaml
+++ b/cluster/core/helm-repositories.yaml
@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: bitnami-charts
+  namespace: flux-system
+spec:
+  interval: 1m
+  url: https://charts.bitnami.com/bitnami
--- a/cluster/core/kustomization.yaml
+++ b/cluster/core/kustomization.yaml
@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- ./helm-repositories.yaml
 - ./cert-manager
 - ./networking
 - ./storage