platform: add cert-manager and align postgres vault path

clusters/atlas/flux-system/platform/cert-manager-cleanup/kustomization.yaml

@@ -0,0 +1,17 @@
+# clusters/atlas/flux-system/platform/cert-manager-cleanup/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager-cleanup
+  namespace: flux-system
+spec:
+  interval: 30m
+  path: ./infrastructure/cert-manager/cleanup
+  prune: true
+  force: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: cert-manager
+  wait: true

clusters/atlas/flux-system/platform/cert-manager/kustomization.yaml

@@ -0,0 +1,20 @@
+# clusters/atlas/flux-system/platform/cert-manager/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager
+  namespace: flux-system
+spec:
+  interval: 30m
+  path: ./infrastructure/cert-manager
+  prune: true
+  force: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: cert-manager
+  dependsOn:
+    - name: cert-manager-cleanup
+    - name: helm
+  wait: true

clusters/atlas/flux-system/platform/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 resources:
   - core/kustomization.yaml
   - helm/kustomization.yaml
+  - cert-manager-cleanup/kustomization.yaml
+  - cert-manager/kustomization.yaml
   - metallb/kustomization.yaml
   - traefik/kustomization.yaml
   - gitops-ui/kustomization.yaml

infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml

@@ -0,0 +1,26 @@
+# infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cert-manager-cleanup
+  namespace: cert-manager
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      serviceAccountName: cert-manager-cleanup
+      restartPolicy: Never
+      containers:
+        - name: cleanup
+          image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
+          command: ["/usr/bin/env", "bash"]
+          args: ["/scripts/cert_manager_cleanup.sh"]
+          volumeMounts:
+            - name: script
+              mountPath: /scripts
+              readOnly: true
+      volumes:
+        - name: script
+          configMap:
+            name: cert-manager-cleanup-script
+            defaultMode: 0555

infrastructure/cert-manager/cleanup/cert-manager-cleanup-rbac.yaml

@@ -0,0 +1,58 @@
+# infrastructure/cert-manager/cleanup/cert-manager-cleanup-rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-cleanup
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-cleanup
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+      - services
+      - endpoints
+      - configmaps
+      - secrets
+      - serviceaccounts
+    verbs: ["get", "list", "watch", "delete"]
+  - apiGroups: ["apps"]
+    resources:
+      - deployments
+      - daemonsets
+      - statefulsets
+      - replicasets
+    verbs: ["get", "list", "watch", "delete"]
+  - apiGroups: ["batch"]
+    resources:
+      - jobs
+      - cronjobs
+    verbs: ["get", "list", "watch", "delete"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources:
+      - roles
+      - rolebindings
+      - clusterroles
+      - clusterrolebindings
+    verbs: ["get", "list", "watch", "delete"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources:
+      - validatingwebhookconfigurations
+      - mutatingwebhookconfigurations
+    verbs: ["get", "list", "watch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-cleanup
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-cleanup
+subjects:
+  - kind: ServiceAccount
+    name: cert-manager-cleanup
+    namespace: cert-manager

infrastructure/cert-manager/cleanup/kustomization.yaml

@@ -0,0 +1,15 @@
+# infrastructure/cert-manager/cleanup/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - cert-manager-cleanup-rbac.yaml
+  - cert-manager-cleanup-job.yaml
+
+configMapGenerator:
+  - name: cert-manager-cleanup-script
+    namespace: cert-manager
+    files:
+      - cert_manager_cleanup.sh=scripts/cert_manager_cleanup.sh
+    options:
+      disableNameSuffixHash: true

infrastructure/cert-manager/cleanup/namespace.yaml

@@ -0,0 +1,5 @@
+# infrastructure/cert-manager/cleanup/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager

infrastructure/cert-manager/cleanup/scripts/cert_manager_cleanup.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+namespace="cert-manager"
+selectors=(
+  "app.kubernetes.io/name=cert-manager"
+  "app.kubernetes.io/instance=cert-manager"
+  "app.kubernetes.io/instance=certmanager-prod"
+)
+
+delete_namespaced() {
+  local selector="$1"
+  kubectl -n "${namespace}" delete deployment,daemonset,statefulset,replicaset \
+    --selector "${selector}" --ignore-not-found --wait=false
+  kubectl -n "${namespace}" delete pod,service,endpoints,serviceaccount,configmap,secret \
+    --selector "${selector}" --ignore-not-found --wait=false
+  kubectl -n "${namespace}" delete role,rolebinding \
+    --selector "${selector}" --ignore-not-found --wait=false
+  kubectl -n "${namespace}" delete job,cronjob \
+    --selector "${selector}" --ignore-not-found --wait=false
+}
+
+delete_cluster_scoped() {
+  local selector="$1"
+  kubectl delete clusterrole,clusterrolebinding \
+    --selector "${selector}" --ignore-not-found --wait=false
+  kubectl delete mutatingwebhookconfiguration,validatingwebhookconfiguration \
+    --selector "${selector}" --ignore-not-found --wait=false
+}
+
+for selector in "${selectors[@]}"; do
+  delete_namespaced "${selector}"
+  delete_cluster_scoped "${selector}"
+done
+
+kubectl delete mutatingwebhookconfiguration cert-manager-webhook --ignore-not-found --wait=false
+kubectl delete validatingwebhookconfiguration cert-manager-webhook --ignore-not-found --wait=false

infrastructure/cert-manager/helmrelease.yaml

@@ -0,0 +1,41 @@
+# infrastructure/cert-manager/helmrelease.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: cert-manager
+      version: v1.17.0
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack
+        namespace: flux-system
+  install:
+    crds: CreateReplace
+    remediation: { retries: 3 }
+    timeout: 10m
+  upgrade:
+    crds: CreateReplace
+    remediation:
+      retries: 3
+      remediateLastFailure: true
+    cleanupOnFail: true
+    timeout: 10m
+  values:
+    installCRDs: true
+    nodeSelector:
+      node-role.kubernetes.io/worker: "true"
+    affinity:
+      nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+            - matchExpressions:
+                - key: hardware
+                  operator: In
+                  values:
+                    - rpi5
+                    - rpi4

infrastructure/cert-manager/kustomization.yaml

@@ -0,0 +1,6 @@
+# infrastructure/cert-manager/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - helmrelease.yaml

infrastructure/cert-manager/namespace.yaml

@@ -0,0 +1,5 @@
+# infrastructure/cert-manager/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager

infrastructure/postgres/secretproviderclass.yaml

@@ -11,5 +11,5 @@ spec:
     roleName: "postgres"
     objects: |
       - objectName: "postgres_password"
-        secretPath: "kv/data/postgres"
+        secretPath: "kv/data/atlas/postgres/postgres-db"
         secretKey: "POSTGRES_PASSWORD"

services/vault/scripts/vault_k8s_auth_configure.sh

@@ -216,6 +216,8 @@ write_policy_and_role "health" "health" "health-vault-sync" \
   "health/*" ""
 write_policy_and_role "longhorn" "longhorn-system" "longhorn-vault" \
   "longhorn/*" ""
+write_policy_and_role "postgres" "postgres" "postgres-vault" \
+  "postgres/postgres-db" ""
 write_policy_and_role "vault" "vault" "vault" \
   "vault/*" ""