diff --git a/clusters/atlas/flux-system/platform/cert-manager-cleanup/kustomization.yaml b/clusters/atlas/flux-system/platform/cert-manager-cleanup/kustomization.yaml new file mode 100644 index 0000000..230e22a --- /dev/null +++ b/clusters/atlas/flux-system/platform/cert-manager-cleanup/kustomization.yaml @@ -0,0 +1,17 @@ +# clusters/atlas/flux-system/platform/cert-manager-cleanup/kustomization.yaml +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cert-manager-cleanup + namespace: flux-system +spec: + interval: 30m + path: ./infrastructure/cert-manager/cleanup + prune: true + force: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: cert-manager + wait: true diff --git a/clusters/atlas/flux-system/platform/cert-manager/kustomization.yaml b/clusters/atlas/flux-system/platform/cert-manager/kustomization.yaml new file mode 100644 index 0000000..21a9dc9 --- /dev/null +++ b/clusters/atlas/flux-system/platform/cert-manager/kustomization.yaml @@ -0,0 +1,20 @@ +# clusters/atlas/flux-system/platform/cert-manager/kustomization.yaml +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cert-manager + namespace: flux-system +spec: + interval: 30m + path: ./infrastructure/cert-manager + prune: true + force: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: cert-manager + dependsOn: + - name: cert-manager-cleanup + - name: helm + wait: true diff --git a/clusters/atlas/flux-system/platform/kustomization.yaml b/clusters/atlas/flux-system/platform/kustomization.yaml index 83ca71e..03d9d43 100644 --- a/clusters/atlas/flux-system/platform/kustomization.yaml +++ b/clusters/atlas/flux-system/platform/kustomization.yaml 
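Review bot: `prune: true` on the `cert-manager-cleanup` Flux Kustomization is dangerous because its inventory includes the `cert-manager` Namespace (from `infrastructure/cert-manager/cleanup/namespace.yaml`): the day this one-off cleanup Kustomization is removed from Git, Flux's prune finalizer garbage-collects everything in its inventory, and deleting the Namespace cascades to the live cert-manager installation and every issued TLS Secret in it. The same Namespace is also declared by the `cert-manager` Kustomization with `prune: true`, so two Kustomizations contend for ownership of one object. `force: true` adds a second hazard: any edit to the Job spec makes Flux delete and recreate the Job, re-running a destructive cleanup against a running install. I would set `prune: false` here (orphaned cleanup Job/RBAC objects are benign) or move the Namespace out of the cleanup tree, and document the intent, e.g. `# prune: false — this Kustomization must never own the cert-manager Namespace's lifecycle`.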
@@ -4,6 +4,8 @@ kind: Kustomization resources: - core/kustomization.yaml - helm/kustomization.yaml + - cert-manager-cleanup/kustomization.yaml + - cert-manager/kustomization.yaml - metallb/kustomization.yaml - traefik/kustomization.yaml - gitops-ui/kustomization.yaml diff --git a/infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml b/infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml new file mode 100644 index 0000000..93cf53a --- /dev/null +++ b/infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml @@ -0,0 +1,26 @@ +# infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: cert-manager-cleanup + namespace: cert-manager +spec: + backoffLimit: 1 + template: + spec: + serviceAccountName: cert-manager-cleanup + restartPolicy: Never + containers: + - name: cleanup + image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131 + command: ["/usr/bin/env", "bash"] + args: ["/scripts/cert_manager_cleanup.sh"] + volumeMounts: + - name: script + mountPath: /scripts + readOnly: true + volumes: + - name: script + configMap: + name: cert-manager-cleanup-script + defaultMode: 0555 diff --git a/infrastructure/cert-manager/cleanup/cert-manager-cleanup-rbac.yaml b/infrastructure/cert-manager/cleanup/cert-manager-cleanup-rbac.yaml new file mode 100644 index 0000000..ee275c5 --- /dev/null +++ b/infrastructure/cert-manager/cleanup/cert-manager-cleanup-rbac.yaml 
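Review bot: The cleanup Job's pod runs `kubectl` with a cluster-wide delete ClusterRole but declares no `securityContext` at pod or container level, so nothing pins it to non-root, blocks privilege escalation, or drops capabilities; the bitnami image defaults to an unprivileged user as far as I know, but that should be enforced in the manifest rather than inherited from the image. Pinning the image by digest is good. I would also consider `ttlSecondsAfterFinished` so the completed pod (and its service-account token mount) does not linger indefinitely.

```yaml
    spec:
      serviceAccountName: cert-manager-cleanup
      restartPolicy: Never
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: cleanup
          # … unchanged: image, command, args, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
```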
@@ -0,0 +1,58 @@ +# infrastructure/cert-manager/cleanup/cert-manager-cleanup-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-manager-cleanup + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-cleanup +rules: + - apiGroups: [""] + resources: + - pods + - services + - endpoints + - configmaps + - secrets + - serviceaccounts + verbs: ["get", "list", "watch", "delete"] + - apiGroups: ["apps"] + resources: + - deployments + - daemonsets + - statefulsets + - replicasets + verbs: ["get", "list", "watch", "delete"] + - apiGroups: ["batch"] + resources: + - jobs + - cronjobs + verbs: ["get", "list", "watch", "delete"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: + - roles + - rolebindings + - clusterroles + - clusterrolebindings + verbs: ["get", "list", "watch", "delete"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: ["get", "list", "watch", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-cleanup +subjects: + - kind: ServiceAccount + name: cert-manager-cleanup + namespace: cert-manager diff --git a/infrastructure/cert-manager/cleanup/kustomization.yaml b/infrastructure/cert-manager/cleanup/kustomization.yaml new file mode 100644 index 0000000..8aee369 --- /dev/null +++ b/infrastructure/cert-manager/cleanup/kustomization.yaml 
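Review bot: The ClusterRole/ClusterRoleBinding grants the cleanup ServiceAccount `delete` on Secrets, ServiceAccounts, workloads, Roles and RoleBindings in every namespace, yet the script only ever deletes those kinds inside `cert-manager` (`kubectl -n "${namespace}"`); only the ClusterRole, ClusterRoleBinding and webhook-configuration deletes are genuinely cluster-scoped. Because the script is fed from a ConfigMap, anyone who can write ConfigMaps in `cert-manager` can run arbitrary `kubectl` with this token, so over-scoping it turns a namespace-level foothold into cluster-wide deletion of Secrets and RBAC. Move the namespaced rules into a Role bound in `cert-manager` and keep the ClusterRole to the cluster-scoped kinds (`watch` is only needed if the deletes wait).

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-cleanup
  namespace: cert-manager
rules:
  - apiGroups: [""]
    resources: [pods, services, endpoints, configmaps, secrets, serviceaccounts]
    verbs: ["get", "list", "watch", "delete"]
  - apiGroups: ["apps"]
    resources: [deployments, daemonsets, statefulsets, replicasets]
    verbs: ["get", "list", "watch", "delete"]
  - apiGroups: ["batch"]
    resources: [jobs, cronjobs]
    verbs: ["get", "list", "watch", "delete"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: [roles, rolebindings]
    verbs: ["get", "list", "watch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-cleanup
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-cleanup
subjects:
  - kind: ServiceAccount
    name: cert-manager-cleanup
    namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-cleanup
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: [clusterroles, clusterrolebindings]
    verbs: ["get", "list", "watch", "delete"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
    verbs: ["get", "list", "watch", "delete"]
# … unchanged: ServiceAccount and ClusterRoleBinding …
```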
@@ -0,0 +1,15 @@ +# infrastructure/cert-manager/cleanup/kustomization.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - cert-manager-cleanup-rbac.yaml + - cert-manager-cleanup-job.yaml + +configMapGenerator: + - name: cert-manager-cleanup-script + namespace: cert-manager + files: + - cert_manager_cleanup.sh=scripts/cert_manager_cleanup.sh + options: + disableNameSuffixHash: true diff --git a/infrastructure/cert-manager/cleanup/namespace.yaml b/infrastructure/cert-manager/cleanup/namespace.yaml new file mode 100644 index 0000000..762cc25 --- /dev/null +++ b/infrastructure/cert-manager/cleanup/namespace.yaml @@ -0,0 +1,5 @@ +# infrastructure/cert-manager/cleanup/namespace.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager diff --git a/infrastructure/cert-manager/cleanup/scripts/cert_manager_cleanup.sh b/infrastructure/cert-manager/cleanup/scripts/cert_manager_cleanup.sh new file mode 100644 index 0000000..9bdfc33 --- /dev/null +++ b/infrastructure/cert-manager/cleanup/scripts/cert_manager_cleanup.sh 
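Review bot: `disableNameSuffixHash: true` on the script ConfigMap decides whether this cleanup is one-shot, and that decision is not recorded anywhere: with the stable name a script edit does not change the Job spec, so Flux leaves the completed Job alone and the new script never runs; with the hash suffix every edit would change the Job spec and, given `force: true` on the Flux Kustomization, recreate the Job and re-run a destructive cleanup against a live cert-manager. Whichever is intended, say so next to the option, e.g. `# stable name on purpose: a script edit must not change the Job spec, or Flux would recreate the Job and re-run the cleanup against a running install`. Separately, `namespace.yaml` here duplicates `infrastructure/cert-manager/namespace.yaml`, so two pruning Kustomizations own the same Namespace; I would keep it in one place.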
@@ -0,0 +1,37 @@ +#!/usr/bin/env bash +set -euo pipefail + +namespace="cert-manager" +selectors=( + "app.kubernetes.io/name=cert-manager" + "app.kubernetes.io/instance=cert-manager" + "app.kubernetes.io/instance=certmanager-prod" +) + +delete_namespaced() { + local selector="$1" + kubectl -n "${namespace}" delete deployment,daemonset,statefulset,replicaset \ + --selector "${selector}" --ignore-not-found --wait=false + kubectl -n "${namespace}" delete pod,service,endpoints,serviceaccount,configmap,secret \ + --selector "${selector}" --ignore-not-found --wait=false + kubectl -n "${namespace}" delete role,rolebinding \ + --selector "${selector}" --ignore-not-found --wait=false + kubectl -n "${namespace}" delete job,cronjob \ + --selector "${selector}" --ignore-not-found --wait=false +} + +delete_cluster_scoped() { + local selector="$1" + kubectl delete clusterrole,clusterrolebinding \ + --selector "${selector}" --ignore-not-found --wait=false + kubectl delete mutatingwebhookconfiguration,validatingwebhookconfiguration \ + --selector "${selector}" --ignore-not-found --wait=false +} + +for selector in "${selectors[@]}"; do + delete_namespaced "${selector}" + delete_cluster_scoped "${selector}" +done + +kubectl delete mutatingwebhookconfiguration cert-manager-webhook --ignore-not-found --wait=false +kubectl delete validatingwebhookconfiguration cert-manager-webhook --ignore-not-found --wait=false diff --git a/infrastructure/cert-manager/helmrelease.yaml b/infrastructure/cert-manager/helmrelease.yaml new file mode 100644 index 0000000..7fdf277 --- /dev/null +++ b/infrastructure/cert-manager/helmrelease.yaml 
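Review bot: Every delete passes `--wait=false`, so the script exits while Deployments, webhook configurations and Secrets are still terminating; the Flux `wait: true` only waits for the Job to complete, which means the dependent `cert-manager` HelmRelease can start installing while the old objects still exist and fail on conflicts or hit a webhook that is half gone. Drop `--wait=false` on at least the workload and webhook deletes, or finish with an explicit wait such as `kubectl -n "${namespace}" wait --for=delete deployment --selector "${selector}" --timeout=120s` per selector. Note also that the cluster-scoped deletes match any ClusterRole, ClusterRoleBinding or webhook configuration carrying `app.kubernetes.io/instance=cert-manager`, regardless of which chart created it; I would add a comment stating that assumption, e.g. `# assumes no other release uses instance=cert-manager for cluster-scoped objects`.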
@@ -0,0 +1,41 @@ +# infrastructure/cert-manager/helmrelease.yaml +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cert-manager + namespace: cert-manager +spec: + interval: 30m + chart: + spec: + chart: cert-manager + version: v1.17.0 + sourceRef: + kind: HelmRepository + name: jetstack + namespace: flux-system + install: + crds: CreateReplace + remediation: { retries: 3 } + timeout: 10m + upgrade: + crds: CreateReplace + remediation: + retries: 3 + remediateLastFailure: true + cleanupOnFail: true + timeout: 10m + values: + installCRDs: true + nodeSelector: + node-role.kubernetes.io/worker: "true" + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: hardware + operator: In + values: + - rpi5 + - rpi4 diff --git a/infrastructure/cert-manager/kustomization.yaml b/infrastructure/cert-manager/kustomization.yaml new file mode 100644 index 0000000..dc9d06d --- /dev/null +++ b/infrastructure/cert-manager/kustomization.yaml @@ -0,0 +1,6 @@ +# infrastructure/cert-manager/kustomization.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - helmrelease.yaml diff --git a/infrastructure/cert-manager/namespace.yaml b/infrastructure/cert-manager/namespace.yaml new file mode 100644 index 0000000..8a43590 --- /dev/null +++ b/infrastructure/cert-manager/namespace.yaml @@ -0,0 +1,5 @@ +# infrastructure/cert-manager/namespace.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager diff --git a/infrastructure/postgres/secretproviderclass.yaml b/infrastructure/postgres/secretproviderclass.yaml index b9317a1..3a65075 100644 --- a/infrastructure/postgres/secretproviderclass.yaml +++ b/infrastructure/postgres/secretproviderclass.yaml 
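Review bot: CRDs are managed twice here: Flux's `install.crds: CreateReplace` / `upgrade.crds: CreateReplace` already applies the chart's CRDs, and `values.installCRDs: true` makes Helm manage them as release resources too, which is the configuration that can drop the CRDs (and every Certificate/Issuer with them) on an uninstall or failed-upgrade rollback with `cleanupOnFail: true`. In cert-manager charts from v1.15 on `installCRDs` is also deprecated in favour of the `crds` block, as far as I recall; I would replace it with `crds:` / `  enabled: true` / `  keep: true` so CRDs are never deleted by Helm. Separately, the top-level `nodeSelector` and `affinity` values apply to the controller only, I believe; the webhook and cainjector have their own `webhook.*` and `cainjector.*` keys, so on a mixed arm64 cluster those two may still land on non-rpi nodes — worth confirming against the chart.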
@@ -11,5 +11,5 @@ spec: roleName: "postgres" objects: | - objectName: "postgres_password" - secretPath: "kv/data/postgres" + secretPath: "kv/data/atlas/postgres/postgres-db" secretKey: "POSTGRES_PASSWORD" diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh index 325185d..0b2dca6 100644 --- a/services/vault/scripts/vault_k8s_auth_configure.sh +++ b/services/vault/scripts/vault_k8s_auth_configure.sh @@ -216,6 +216,8 @@ write_policy_and_role "health" "health" "health-vault-sync" \ "health/*" "" write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault" \ "longhorn/*" "" +write_policy_and_role "postgres" "postgres" "postgres-vault" \ + "postgres/postgres-db" "" write_policy_and_role "vault" "vault" "vault" \ "vault/*" ""
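Review bot: The policy path `postgres/postgres-db` written here must line up with the path the SecretProviderClass now reads, `kv/data/atlas/postgres/postgres-db`; whether `write_policy_and_role` prepends `kv/data/atlas/` is not visible in this hunk (the helper is defined outside it), and the sibling entries use `health/*`, `longhorn/*` and `vault/*`, so the `atlas/` segment must be supplied by the helper or the CSI mount will be denied. Please confirm the rendered policy, and add a comment pinning the contract, e.g. `# path is relative to kv/data/atlas/; must match infrastructure/postgres/secretproviderclass.yaml`. Granting the exact key instead of a wildcard is the right least-privilege choice; the bound ServiceAccount `postgres-vault` in namespace `postgres` should match the workload that mounts the SPC with `roleName: "postgres"`.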