From 3140f7d67d46266bf8807a129e016c4e4cc17acd Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Wed, 1 Mar 2023 23:58:28 +0800 Subject: [PATCH] fix(zerotier): change to envsubst Signed-off-by: JJGadgets --- .../Biohazard/2-config/3-secrets.yaml | 14 +- .../1-clusters/Biohazard/2-config/4-vars.yaml | 8 +- kube/3-deploy/2-apps/zerotier/.sops.yaml | 2 +- kube/3-deploy/2-apps/zerotier/2-certs.yaml | 38 ++-- .../2-apps/zerotier/4-controller.yaml | 213 +++++++----------- kube/3-deploy/2-apps/zerotier/5-ui.yaml | 165 +++++--------- 6 files changed, 173 insertions(+), 267 deletions(-) diff --git a/kube/1-clusters/Biohazard/2-config/3-secrets.yaml b/kube/1-clusters/Biohazard/2-config/3-secrets.yaml index 8d0ecea3..c46af2f6 100644 --- a/kube/1-clusters/Biohazard/2-config/3-secrets.yaml +++ b/kube/1-clusters/Biohazard/2-config/3-secrets.yaml @@ -22,8 +22,8 @@ sops: UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-03-01T03:29:52Z" - mac: ENC[AES256_GCM,data:rZhGcMDGdcKm0XOQnVXLW7wOYH4mVAMn7l7mOpF3rCP0iSLfPD4Gy2PsC3GeaUyo3DAj40xUWgRuPpnyQzk1Ow9rp7zl+mzTMeFt6nfhYBUcHD5qYcpbrXIKFYksgL5I48SXcf/1KLmU2uTgGWPa8Sb5t+aqUcCUBJBH0UMDXZo=,iv:Pm2ULbnInwptIbDZGda121vrp7QqDVAdSszwW5nvM/4=,tag:N/CNkC7VPxkjTGMF+ERkww==,type:str] + lastmodified: "2023-03-01T15:50:39Z" + mac: ENC[AES256_GCM,data:zKALrWw0gp8MCMck3kAe0Bbk3aqG6cpn6fOwwPqmdEiYiv5jgnqo/k9Z3K1D4U5e9dFj0Lo9tdKeZJuS6c+asA4Ya7prjTbmTCXhfd9hOQZpehB9v4BZAOfymRBmBRS0WkNdLDoO4C7ePC6nLAi7rP0Xzo9TSuf76z2S3el+uDs=,iv:SfATUbdferXkBAPka6b29u5nk2M/j8E4rVx5WsdLxrM=,tag:FAuJs0EHFnh7Ftz3up7joQ==,type:str] pgp: - created_at: "2023-02-26T18:12:43Z" enc: | 
@@ -61,8 +61,8 @@ sops: UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-03-01T03:29:52Z" - mac: ENC[AES256_GCM,data:rZhGcMDGdcKm0XOQnVXLW7wOYH4mVAMn7l7mOpF3rCP0iSLfPD4Gy2PsC3GeaUyo3DAj40xUWgRuPpnyQzk1Ow9rp7zl+mzTMeFt6nfhYBUcHD5qYcpbrXIKFYksgL5I48SXcf/1KLmU2uTgGWPa8Sb5t+aqUcCUBJBH0UMDXZo=,iv:Pm2ULbnInwptIbDZGda121vrp7QqDVAdSszwW5nvM/4=,tag:N/CNkC7VPxkjTGMF+ERkww==,type:str] + lastmodified: "2023-03-01T15:50:39Z" + mac: ENC[AES256_GCM,data:zKALrWw0gp8MCMck3kAe0Bbk3aqG6cpn6fOwwPqmdEiYiv5jgnqo/k9Z3K1D4U5e9dFj0Lo9tdKeZJuS6c+asA4Ya7prjTbmTCXhfd9hOQZpehB9v4BZAOfymRBmBRS0WkNdLDoO4C7ePC6nLAi7rP0Xzo9TSuf76z2S3el+uDs=,iv:SfATUbdferXkBAPka6b29u5nk2M/j8E4rVx5WsdLxrM=,tag:FAuJs0EHFnh7Ftz3up7joQ==,type:str] pgp: - created_at: "2023-02-26T18:12:43Z" enc: | @@ -87,6 +87,8 @@ stringData: TEST: ENC[AES256_GCM,data:Hg7qUIV8/LcdFZT2,iv:jgNFUecJhj9EgkFCexym843VQUJQJVHW2Ne4H59BUa4=,tag:G/D7ZjLSkNQAJN4TOMSaaw==,type:str] SECRET_SANDSTORM_ADMIN_PASSWORD: ENC[AES256_GCM,data:iYMzuIT3l8Na9R+ivzw/,iv:aSz/PDfnf5NjprFP0F/8MSCHbSNvW1jPKGO3OXM63wE=,tag:TXpMceEeEQMDpSpSwkihTA==,type:str] CLOUDFLARE_API_KEY: ENC[AES256_GCM,data:IjhX7PRvlOrAZHhld4eUTnk0U6e+26ddBvDAzskqal68OKDhnYNGcQ==,iv:Jh+AZONqsY3nlpdG+mgwQNkHFTB38DOPCUhMZVHNIqI=,tag:PWRooXwDuDWZ8/oRfxKslA==,type:str] + SECRET_ZEROTIER_UI_USERNAME: ENC[AES256_GCM,data:n3lq4WdMRg==,iv:5jq1lh6am9O8L472YLhef4BRvokIYqmpNY4MTnkADIs=,tag:+rmMEwzNWfQLEsnoms1Erw==,type:str] + SECRET_ZEROTIER_UI_PASSWORD: ENC[AES256_GCM,data:e1bY9uZlLmKVKatA6SRcd0iO/78OnQbM,iv:tR01q+o6YMgLdEavGaZY+IHR1SF/6lo48zcebgr9SRE=,tag:kf6Qcd/VuYTePyBp5rPW8A==,type:str] sops: kms: [] gcp_kms: [] 
@@ -102,8 +104,8 @@ sops: UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-03-01T03:29:52Z" - mac: ENC[AES256_GCM,data:rZhGcMDGdcKm0XOQnVXLW7wOYH4mVAMn7l7mOpF3rCP0iSLfPD4Gy2PsC3GeaUyo3DAj40xUWgRuPpnyQzk1Ow9rp7zl+mzTMeFt6nfhYBUcHD5qYcpbrXIKFYksgL5I48SXcf/1KLmU2uTgGWPa8Sb5t+aqUcCUBJBH0UMDXZo=,iv:Pm2ULbnInwptIbDZGda121vrp7QqDVAdSszwW5nvM/4=,tag:N/CNkC7VPxkjTGMF+ERkww==,type:str] + lastmodified: "2023-03-01T15:50:39Z" + mac: ENC[AES256_GCM,data:zKALrWw0gp8MCMck3kAe0Bbk3aqG6cpn6fOwwPqmdEiYiv5jgnqo/k9Z3K1D4U5e9dFj0Lo9tdKeZJuS6c+asA4Ya7prjTbmTCXhfd9hOQZpehB9v4BZAOfymRBmBRS0WkNdLDoO4C7ePC6nLAi7rP0Xzo9TSuf76z2S3el+uDs=,iv:SfATUbdferXkBAPka6b29u5nk2M/j8E4rVx5WsdLxrM=,tag:FAuJs0EHFnh7Ftz3up7joQ==,type:str] pgp: - created_at: "2023-02-26T18:12:43Z" enc: | diff --git a/kube/1-clusters/Biohazard/2-config/4-vars.yaml b/kube/1-clusters/Biohazard/2-config/4-vars.yaml index 661c6738..f6bf3d01 100644 --- a/kube/1-clusters/Biohazard/2-config/4-vars.yaml +++ b/kube/1-clusters/Biohazard/2-config/4-vars.yaml 
@@ -22,6 +22,8 @@ data: APP_DNS_INGRESS_WILDCARD: ENC[AES256_GCM,data:7OG0ww6rUzU=,iv:5ig0dQIfSVxbQS7nuqQygRcBKk8UmBFxX0unVT9bdzE=,tag:mCOMUNFEZs5IFvVrRNpFiQ==,type:str] APP_IP_NGINX: ENC[AES256_GCM,data:9Kg5zjk+1XfUHg==,iv:dbO0hMMho8J3t0mz6Eb5uMDB3QUCjG5pXPdeuQUFbNE=,tag:ICGE5EVo27W0rUB+Jekf2Q==,type:str] APP_IP_K8S_GATEWAY: ENC[AES256_GCM,data:oakciyUzwLlGJsc=,iv:leuHfW59gWSDaEpaOEMGbSpGFtbzAnoRp4spLxlTEq0=,tag:vltbWvNKa4QvEgXXo58d/A==,type:str] + APP_IP_ZEROTIER: ENC[AES256_GCM,data:GjIY+6p4+6milRg=,iv:agX8rov+AtECRVeOu3wmoQRVWMNutOc3a69fzWY6eoA=,tag:NS0yiFfBTWt7/P9an/3OQw==,type:str] + APP_DNS_ZEROTIER: ENC[AES256_GCM,data:On0V31SI96BRUOjQ,iv:H50ISSmHflDqOqURbwBrcWRkvOQGlVI3mnSXfY8pZ28=,tag:/VlnnoGna2H3L0LGMWF0dw==,type:str] APP_UID_MINECRAFT: ENC[AES256_GCM,data:ArIA644=,iv:Q3SqB3O2nrPrOUcwhhbdXiegsty/TlHIllH/wRicYo8=,tag:yTGH0JEXPOCfqB5iU1azCA==,type:str] APP_DNS_MINECRAFT: ENC[AES256_GCM,data:XYM4FJAjpDBg,iv:bmnvwvaKOKfY2+S7O0PyV8JOtOH9m94eUIQa2M97RfY=,tag:tvIllwZ72w4GbEqZJjZX7A==,type:str] APP_IP_MINECRAFT: ENC[AES256_GCM,data:tU18Ee5Vi98mNRw=,iv:MSNHyroetvWu1wPdPE2+JtxDegZZj25QfcQVq8hcywE=,tag:wxhrsqA5lCPlRwjFgrtPHg==,type:str] 
@@ -40,6 +42,8 @@ data: CONFIG_SANDSTORM_MUTATORS: ENC[AES256_GCM,data:HumP4HOeZ06JaFBHCl9PHza5orjTVWfmLBq3kSdW+ygD+Avf6dDM+BVm7GkoqRIPtWEJMyMcOOUyF1bzbzrNca/PkMsNsP6/YspRd+QsH+w6JxsGSMqxEpKzN4wbBuIRH7PYbp7PncBOmoOMAOaYW3BEnsdBcV4II7V0+sAKPNQ4zsi0y6LmLaCFtjAOQhi6MMSPfcl9JTD6UoLizD8=,iv:BwbTdDXi6nVqtF7TrSoDLxJKz3Xv6gKZFiU2D2bRgkY=,tag:atIZxrt/BJdijPf2fMDEvw==,type:str] CONFIG_SANDSTORM_INIT_MAP: ENC[AES256_GCM,data:uaM2kX5hlN2BoQ==,iv:U2jmxP35cy/eWT1JTdfr6Z3b4NAzIHG55Kb4emoAin0=,tag:rNCaa5zwKHesrto092oUcg==,type:str] CONFIG_SANDSTORM_INIT_SCENARIO: ENC[AES256_GCM,data:OJVCFbvqWXuYUPvdCiwRngUzfw==,iv:1NkA4VaF/xUdudDD2W5dHEDw55dkzwo2sof5krinJz0=,tag:rmD5eZpnHpOcSJXel3AQbg==,type:str] + CONFIG_ZEROTIER_ENDPOINT: ENC[AES256_GCM,data:We/k3H6tvdmYoZ+i27Lll3bLRhXquz3fvztDI9T4tPjRc4uhG6fkpoa04hEAJffZc7yWNFUzUycPAp0=,iv:B6QCm/4bR68QEudl5o9kwJ6OtQvn1RrWeS6/W+Iaf/Q=,tag:S5xCE5e97gsBId7tpQA/mQ==,type:str] + CLUSTER_NAME: ENC[AES256_GCM,data:UTNoF7TkZ/Le,iv:mkA1AMzFXq0XEbprrqFCVWEyU37m/2y0P2SDzjDyTmw=,tag:bmh3LiqDrLEYuCzH1TnJzw==,type:str] sops: kms: [] gcp_kms: [] @@ -55,8 +59,8 @@ sops: SnpvS3RUUlFMM1dUNGZQNkVqQ2VqNDAKywch6CgtS1AFLYxfML5dB7/5V6qZ0ob1 63vBpqjOza3EqvfNKo+UMtK/fRK0Q5jlpuI+0/z9VrxzKEWsgUCBVQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-02-27T19:05:44Z" - mac: ENC[AES256_GCM,data:EjwdMQr5oeoQl159Djtc896Mywd0CJ8m2xL/IrZAtRJtlBHeYJG+/7Iolo12vav079loAXWf0s0HOOcjjkB1VARgbPq8qjA8fokEPNyUHBNI5QU2CTV8t07yYWIXe2C8y117vTUDRj2LRsH4ACS88MerFaTEJQOxD0jHQQclIHc=,iv:gDBWUs84iNNP/aTW1U7bcHu1sNUm+78Eliis/xN/Czo=,tag:IzPdGWKUwo5izx1p1LPYlw==,type:str] + lastmodified: "2023-03-01T15:51:06Z" + mac: ENC[AES256_GCM,data:3FTlFbBF/lUxKYqd4jepWC3elJfvKoLkmcXPAa+Myym+IYJ1v0GD32ysAS/t4J2x+Dk7MKgn1JL2nFq3qbVl4Vgg1qpfudw8GGASvEKFotdBtKG1JEsfsE2ihPqAXlyfEvSuQDEFrc99vGnWOvW2Yr6t+2/BMYIwYCTFEGGXKa4=,iv:ZUEf3VnlEB8VWggBjfci2tjU3rDDApwLv9HxWI5WkHA=,tag:L97F+DujKhxAcb9Mofn6Zg==,type:str] pgp: - created_at: "2023-02-22T08:12:31Z" enc: | 
diff --git a/kube/3-deploy/2-apps/zerotier/.sops.yaml b/kube/3-deploy/2-apps/zerotier/.sops.yaml index 0597f0af..e5de3de3 100644 --- a/kube/3-deploy/2-apps/zerotier/.sops.yaml +++ b/kube/3-deploy/2-apps/zerotier/.sops.yaml @@ -2,6 +2,6 @@ creation_rules: - path_regex: .*.yaml encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$ age: >- - age1xl3fcwdw56k73lraxsjhde4ygwn7jw0js5l5qw7vsp54vc5czuwstcejxu + age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj pgp: >- 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/3-deploy/2-apps/zerotier/2-certs.yaml b/kube/3-deploy/2-apps/zerotier/2-certs.yaml index 9cb2e895..46a0b0a3 100644 --- a/kube/3-deploy/2-apps/zerotier/2-certs.yaml +++ b/kube/3-deploy/2-apps/zerotier/2-certs.yaml 
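Review bot: The age recipient is swapped (age1xl3… → age1u57…) with no statement of why, and every value that was encrypted to the old key stays in git history as ciphertext the old key can still open — ZU_DEFAULT_PASSWORD and the ingress host in 5-ui.yaml, ZT_ALLOW_MANAGEMENT_FROM and loadBalancerIP in 4-controller.yaml, the cert names in 2-certs.yaml. Re-encrypting or moving those values to envsubst does not help if the old key itself may have been exposed; in that case the UI password should be rotated as well, not just re-wrapped. I can't tell from the diff which case applies, so a one-line comment next to the recipient would save the next reader the question, e.g. `# age recipient rotated 2023-03-01 (routine rotation; old recipient age1xl3… retired)`.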
@@ -4,42 +4,42 @@ metadata: name: vpncert namespace: zerotier spec: - secretName: vpn + secretName: ENC[AES256_GCM,data:0hrZ,iv:xxUvw0q2Mu4DKn1+p6Y+mL68Y8D9o4zB/si7jeIYNO8=,tag:nKO3FoGWMOOSni+Dhn92tA==,type:str] issuerRef: name: letsencrypt-production kind: ClusterIssuer - commonName: ENC[AES256_GCM,data:F33BisRxtWnR,iv:QF/RZ60g3x7TLx1DWRol7oI5xMGgoqxcfMVq97tcIZs=,tag:Uv9joDxvT3GNKvO4pGDxFw==,type:str] + commonName: ENC[AES256_GCM,data:ID/wwJqSxffe,iv:9AMufuWk//7wI794F5G62Vv0IlvxDJPjAJh/z3epPVo=,tag:Lsrnu2vP6GpR91fRlkNvLA==,type:str] dnsNames: - - ENC[AES256_GCM,data:PkL7qPL20fen,iv:TjKzrublOKuIjFb+o8A7m4QYKmmpEJwOfzCR+Gh+/1w=,tag:17Gx2VaK3vseajY6RLOHAA==,type:str] - - ENC[AES256_GCM,data:1ukzW7igCwNVIOc=,iv:tSTBly5j9v5LDU7+bPJkHPolH6nCU6tx6BFQNPSPWQk=,tag:AOo2zH0stZGwlnvwQLwN5A==,type:str] + - ENC[AES256_GCM,data:K4uAzmvDrUU9,iv:iQe4azjqY7IoeXven6UnK/gPuVroibkio/Vph+QgBOI=,tag:c2W7rZSkwv3IwMsGLD9SgQ==,type:str] + - ENC[AES256_GCM,data:mJWJHXlj7pZ56xA=,iv:MsxCanR2cQNJmnWApwqxAmn45zQIxlROAVi0wqMhNc4=,tag:7psuoMpPu3kX1w6p3tiz2g==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1xl3fcwdw56k73lraxsjhde4ygwn7jw0js5l5qw7vsp54vc5czuwstcejxu + - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSaW51TS93b0JoaDhYSDJN - Ym9FL0lxZnZJNHJBcENDNDhwWlA3RGY5SzNVCmkyOXBFME9leEx2RVlaWTJDMXM3 - TVJqb0F3QlpnZmVTMnV2R243LzBjbTQKLS0tIEgzY1F5TTQzSCtZUG1ralJRdXBF - RWlFUkJWQmJ4REQ0dEJ1encydFlGamsKSi0qRECk9btBSszv3fVW6/vXhbmq3sqR - chGfT4Ot5JnRWarC9EfeXWStc6zTfGd2hXksTltJS4IADLlUrkpmMA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNlhwWDgzSW1VSTIraGpQ + dGxpU3BjNy9qN3YzYVdKS1g4OEZCSzl1QnprCnErbDcyTmQ5ZTB2czNsbGFWbGcz + UlVlZC8yMzMxZ2ZpLzgvWEJsalowZ0EKLS0tIFJDbDg4SlFqZVRObHJTVFVMMjN1 + WWZzN0VORmh0SlNXWHZRdkNQTjFqOU0KWMCPoge9kKQdNCN3WeAx1QHhit0oEHFT + ZCudRntexd0Nrby2OC0KcXOXCH1fTJEQdPD29EjlXTig86QRp/aP7Q== -----END AGE ENCRYPTED FILE----- - 
lastmodified: "2023-02-09T02:46:50Z" - mac: ENC[AES256_GCM,data:FWwBePlkgSsqkRnG/z9pFN0fA0zXPZyORPXGcVsN4J3FgqyIiGHmVxXo+dkbPGlTg6W8PA3q816BqKVU3DRKnql9K4XYVaMJaonmkPYrumzVeYOn7Kp0ButPogTQ6oRnogtBHxPZIDHf0AjXlu2GeoJF+OiFkSy4sXEJnbB/1ok=,iv:rzy1fl8X1u+Fr1j+M1B3qEyvcgHZn7/ajbZW5oRlxi8=,tag:u8QT77mGcp2FqRRCuW96IQ==,type:str] + lastmodified: "2023-03-01T15:32:38Z" + mac: ENC[AES256_GCM,data:h7eRRJEnFOLtxwPDO5isAeB8YlAnNuAr03KqkV0syH44Z+C4sXuCdx0LzxI97qLPrifvTFabCbx1gbfKXj0iWbarzaUKGjKVncvDOdqDicntz5XRLtxxr2/JRTiqQTshgGNoAN5gzpAD6yRmxjlGoZ76R87aed47mdchrzA3Jq0=,iv:Y+53dKQjK5JRfIkq4gsepHAx5oBHjVikGBcNY9Qk2nM=,tag:+iSBsZMzQaNZpUccRA4WCw==,type:str] pgp: - - created_at: "2023-01-29T08:02:26Z" + - created_at: "2023-03-01T15:32:37Z" enc: | -----BEGIN PGP MESSAGE----- - hF4DAAAAAAAAAAASAQdA81QJphfeu8v+QdqR2+TGj/+lGg5zDEGyiBx79dHJQHkw - FxBYeRRjCyEFGAFtmhOw5ZEOWaDaS3TofQfBhXBevO8xouEQqW5F8YcKCBLrH6tl - 0lwBIGHtZjpAklRejcj/QzuVt9clWIKcl1cy92P/AzsNNQ0mb4h6MoO+83lIEI57 - /7vP0M3zPef7huZHV+Kfb7C4MMo+LNl59EwvhrTB+0BmHA9ZexffMuvE8VnfGA== - =m/wv + hF4DAAAAAAAAAAASAQdAhQox1ebxBCSRViomIaf2wSxH/2BtXiAk0wQBOnvwTHEw + Ji3mOrg7G4dPzVsiBTNRvhlB848J0+5dV9B2p85BLgyEKljYheG6L78BQp7QILEa + 0l4Bn9Ev6JtqZuj+9EyXAJJ9RUX9MBdftNOLu399qd4HxdAg4tV+l34SF0C8x/TG + ZOKtQYenHEQHygoXuPrip9bnYGruc0d4jNv96S0zeanQx/N/X7vSPAIjTjR9qMBg + =7MhE -----END PGP MESSAGE----- fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - encrypted_regex: ^(data|stringData|commonName|dnsNames|externalIPs)$ + encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$ version: 3.7.3 diff --git a/kube/3-deploy/2-apps/zerotier/4-controller.yaml b/kube/3-deploy/2-apps/zerotier/4-controller.yaml index f632bfc6..d75f1819 100644 --- a/kube/3-deploy/2-apps/zerotier/4-controller.yaml +++ b/kube/3-deploy/2-apps/zerotier/4-controller.yaml 
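Review bot: Encrypting `secretName` here does not hide it: the same Secret is referenced in plaintext as `secretName: vpn` in the 5-ui.yaml ingress TLS block of this very commit, so the value is readable two files over and the certificate file carries encryption overhead for nothing. Either drop `secretName` from `encrypted_regex` (it is a Kubernetes object name, not a secret) or substitute it in the ingress too; I'd suggest the former. Separately, `commonName`/`dnsNames` are sent to the `letsencrypt-production` issuer and will appear in public Certificate Transparency logs, so encrypting them in git hides the hostname from repository readers only — worth a comment so nobody relies on it as secrecy, e.g. `# dnsNames are encrypted to keep the hostname out of the public repo; the issued cert is still visible in CT logs`.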
@@ -1,136 +1,85 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: zerotier-controller - namespace: zerotier + name: zerotier-controller + namespace: zerotier + labels: + helm.flux.home.arpa/app-template: "true" spec: - interval: 15m - chart: - spec: - chart: app-template - version: 1.2.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - maxHistory: 3 - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - controller: - type: statefulset - strategy: RollingUpdate - fullNameOverride: zerotier-controller - image: - repository: docker.io/zyclonite/zerotier - tag: 1.10.2 - env: - ZT_OVERRIDE_LOCAL_CONF: "true" - ZT_ALLOW_MANAGEMENT_FROM: ENC[AES256_GCM,data:VH9ehVW2Gsx0,iv:cGaRGaaiCfiu1eab2nOZlTF+nMrzDZfmDQlKaQpr40Q=,tag:M9bdtwAXDmq2X04q9lH5Uw==,type:str] - dnsPolicy: ClusterFirstWithHostNet - dnsConfig: - options: - - name: ndots - value: "1" - # nameservers: - # - fake.ip - securityContext: - capabilities: - add: - - NET_ADMIN - - NET_RAW - - SYS_ADMIN - nodeSelector: - node-restriction.kubernetes.io/nodeType: awsIngress - service: - main: - enabled: true - primary: true - type: LoadBalancer - externalTrafficPolicy: Local - loadBalancerIP: ENC[AES256_GCM,data:jCBcilAyQp6zh0w=,iv:TEcZcmRUjmceJWnK6trGPobjzJX2b10JQs66LzcEqo4=,tag:J+vHaQz+c8zsB+AG6MAMDA==,type:str] - externalIPs: - - ENC[AES256_GCM,data:IljGes300xWBgCU=,iv:gmrYURklq16DO3RIUZWiPdYs5iBU0znUhbj+CvwO4WA=,tag:OshcQs1DnlGVtyVNPZLJMA==,type:str] - ports: - http: - enabled: false - zerotier-udp: - enabled: true - protocol: UDP - port: 9993 - targetPort: 9993 - zerotier-tcp: - enabled: true - protocol: TCP - port: 9993 - targetPort: 9993 - peers: - enabled: true - type: NodePort - externalTrafficPolicy: Local - ports: - http: - enabled: false - peers-udp: - enabled: true - protocol: UDP - port: 9993 - targetPort: 9993 - nodePort: 9993 - 
peers-tcp: - enabled: true - protocol: TCP - port: 9993 - targetPort: 9993 - nodePort: 9993 - persistence: - zerotier-one: - enabled: true - type: pvc - mountPath: /var/lib/zerotier-one - retain: true - existingClaim: zerotier-one - tun: - enabled: true - type: hostPath - hostPath: /dev/net/tun - readOnly: true -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1xl3fcwdw56k73lraxsjhde4ygwn7jw0js5l5qw7vsp54vc5czuwstcejxu - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WnhlQXBxdnFDeTdBTytu - cy9PemM4Q3R4R1Z0NkZGa1l6RFNpdG84dkVNCktocVMrcEtkRUtteHlRbmFYcDhE - d29KMklMQmRXN05NWVZvQ3MzcUtQd28KLS0tIDd2NWNPay9OdUY2M3crQjR0L0dj - UkM0WGxFNVlsQ2J6ZEkwaE0zK3FybTQKgfMnTou0TApYFiECmXVg7PVOQst2m6B1 - 4tvRYJL7lOztp+Cs4hWqMxrBnWtYTxRkuiGTAW5MK3Zmu4I2A2wDmQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-03-01T03:11:52Z" - mac: ENC[AES256_GCM,data:Y4oqNB7jL/5LiOVzFhdjCBIg5srvxaC432c7aOovxOM2+aDGQfkfcnEli4Lrvzsxabbu99hwb3q83YNHLzzEubuoAra+PxfnNT9Uzvg7mmlxcIr7d1kV6ue7KvIoXNdnoNtyhQND41SbvYzmVt8Dd1hHOOVAVvMg2QVdIHf77Po=,iv:2TPYuipTlloNAlBz3CJ6GGYb9IVLGXKr6WBcDmXJnIE=,tag:0IO3YPwwTlbd8Bz27upXsQ==,type:str] - pgp: - - created_at: "2023-02-09T03:25:06Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DAAAAAAAAAAASAQdAHyfug5pftJG3pIFJjTtawQpD3r9oszgqgQj+nlMlr0Yw - bch6ktVJjrJ0w9or7wwgz0ssPYXy076/HF9C2qu3LAyoVBLSAF3QscZXvgFG8pua - 0l4B7kXiw8Mnf6KdtjRaEJ9bbJA3dXxwpdlRA0Mi+9EpOfidsrjRvfsdzNmAV4lq - OvRpr+6Q/KV0fOrhT+snxymFaoOtaclq1ZZLpEGCaH+b5R+oeJ2SiqOB437k+zLE - =5/3C - -----END PGP MESSAGE----- - fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$ - version: 3.7.3 + values: + controller: + type: statefulset + strategy: RollingUpdate + fullNameOverride: zerotier-controller + image: + repository: 
docker.io/zyclonite/zerotier + tag: 1.10.2 + env: + ZT_OVERRIDE_LOCAL_CONF: "true" + ZT_ALLOW_MANAGEMENT_FROM: 0.0.0.0/0 + dnsPolicy: ClusterFirstWithHostNet + dnsConfig: + options: + - name: ndots + value: "1" + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + nodeSelector: + node-restriction.kubernetes.io/nodeType: main + service: + main: + enabled: true + primary: true + # type: LoadBalancer + # externalTrafficPolicy: Local + # loadBalancerIP: "${APP_IP_ZEROTIER}" + # externalIPs: + # - "${APP_IP_ZEROTIER}" + # ports: + # http: + # enabled: false + # zerotier-udp: + # enabled: true + # protocol: UDP + # port: 9993 + # targetPort: 9993 + # zerotier-tcp: + # enabled: true + # protocol: TCP + # port: 9993 + # targetPort: 9993 + # peers: + # enabled: true + type: NodePort + externalTrafficPolicy: Local + ports: + http: + enabled: false + peers-udp: + enabled: true + protocol: UDP + port: 9993 + targetPort: 9993 + nodePort: 9993 + peers-tcp: + enabled: true + protocol: TCP + port: 9993 + targetPort: 9993 + nodePort: 9993 + persistence: + zerotier-one: + enabled: true + type: pvc + mountPath: /var/lib/zerotier-one + retain: true + existingClaim: zerotier-one + tun: + enabled: true + type: hostPath + hostPath: /dev/net/tun + readOnly: true diff --git a/kube/3-deploy/2-apps/zerotier/5-ui.yaml b/kube/3-deploy/2-apps/zerotier/5-ui.yaml index 7ff8f875..32038ec6 100644 --- a/kube/3-deploy/2-apps/zerotier/5-ui.yaml +++ b/kube/3-deploy/2-apps/zerotier/5-ui.yaml 
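Review bot: `ZT_ALLOW_MANAGEMENT_FROM: 0.0.0.0/0` replaces a previously SOPS-encrypted CIDR and removes the source restriction on the controller's management API altogether, while the same hunk keeps TCP/9993 reachable from outside the cluster through the `peers` NodePort with `externalTrafficPolicy: Local`; from what is visible here the only remaining gate on that API is the authtoken on the shared `zerotier-one` PVC. I can't see what the old CIDR was, but the variable is still listed in .sops.yaml's `encrypted_regex`, so the intent seems to be to keep it private — a substitution variable like the others would do that without widening access, e.g. `ZT_ALLOW_MANAGEMENT_FROM: "${CONFIG_ZEROTIER_ALLOW_MANAGEMENT_FROM}"` with the pod/cluster CIDR the UI pod connects from stored in 4-vars.yaml. If 0.0.0.0/0 is deliberate (e.g. the UI pod's source address is not stable), say so in a comment beside it. `APP_IP_ZEROTIER` is now only referenced in the commented-out LoadBalancer block, so it can be dropped from 4-vars.yaml or the comment should say it is kept for a later switch back.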
@@ -1,111 +1,62 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: zerotier-ui - namespace: zerotier + name: zerotier-ui + namespace: zerotier + labels: + helm.flux.home.arpa/app-template: "true" spec: - interval: 15m - chart: - spec: - chart: app-template - version: 1.2.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - maxHistory: 3 - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - controller: - type: statefulset - strategy: RollingUpdate - fullNameOverride: zerotier-ui - image: - repository: docker.io/dec0dos/zero-ui - tag: 1.5.1 - env: - ZU_CONTROLLER_ENDPOINT: ENC[AES256_GCM,data:zAhu03Pf5dtJVcOovxDULhRQg3IrsoGD5ggbA+1f9M98UkTGWiVY2CjZVaPg9FXjjJQLW+wH7eNGH6Q=,iv:XRfEtIvdoGYbOR2iR+Y+LsxdSyWP7m0Lb5xKGus5SxQ=,tag:VyQ9jP+K1hTYu3uuoTLYcA==,type:str] - ZU_SECURE_HEADERS: "true" - ZU_DEFAULT_USERNAME: ENC[AES256_GCM,data:9bSzd2KLzw==,iv:e47uZg9rCjkgs4216ZMN0+TuDjeDOo0/B7Sw19cIdt4=,tag:2foh8j4h5y7mRJ9N0UY9ZA==,type:str] - ZU_DEFAULT_PASSWORD: ENC[AES256_GCM,data:u9qF0eVeyqM0muEEcsH2tiULAOmBLI8H,iv:KkrS2Vj95a+s0gW8qSVztlyEy03FmztgOJNL+lMA/lk=,tag:XKH3h6To2y/XtAYymwDxDg==,type:str] - # dnsPolicy: None - dnsConfig: - options: - - name: ndots - value: "1" - # nameservers: - # - fake.ip - service: - main: - ports: - http: - port: 4000 - ingress: - main: - enabled: true - ingressClassName: nginx - hosts: - - host: ENC[AES256_GCM,data:T1zkZ4qRSQCqeFfR,iv:9qE3EspO4omI9sWuX1u2J5O9GuOtQaVLfBAf/jeT2u0=,tag:YqUvoT5dwx63UM/htbrRJw==,type:str] - paths: - - path: ENC[AES256_GCM,data:ag==,iv:sWpz7xwLy7njFZXW4rVFgHp0QesZ8XcEGxm7UW5vccs=,tag:970D7QvBxzQ67aboS3N1Qg==,type:str] - pathType: ENC[AES256_GCM,data:XbEbgilh,iv:WNXxaiA5P2/uHOsFviGZT/raLO+hc5NbIpCT+YA5n/c=,tag:P0q3wauFUKXUPQFgmPbn/Q==,type:str] - tls: - - hosts: - - 
ENC[AES256_GCM,data:eUL5pUezplowjyci,iv:eVvP9njgYh2uVnrSiQ9xtFJQ2XkPRlyiwuhO2K+0Fw0=,tag:XtxJAUsmmIsDvPy+8W/j7w==,type:str] - secretName: ENC[AES256_GCM,data:i8GW,iv:B+b4MPSwGBZRAsABbly1t8XgL0AVRuDbi8cfw1OjX1M=,tag:vA0m8jFfQux4MKcJ12TIiw==,type:str] - persistence: - zerotier-one: - enabled: true - type: pvc - mountPath: /var/lib/zerotier-one - retain: true - existingClaim: zerotier-one - zerotier-ui-data: - enabled: true - type: pvc - mountPath: /app/backend/data - readOnly: false - accessMode: ReadWriteOnce - storageClass: block - size: 1Gi - retain: true -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1xl3fcwdw56k73lraxsjhde4ygwn7jw0js5l5qw7vsp54vc5czuwstcejxu - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdTJzZjRZSExQWm5rSGxQ - YS9IYk1zMEFmUGtzckN2N0t5SnE5a1hSOG1FCnNPUkgyVlNXdlZBQlNqVkF3Qm56 - L0xoSVVtUjdpenp4RlF5ZERpWkRybzQKLS0tIDRQU2Q3SUQwTXltMTNTTDFPVGdX - eWRxUUpKdGJybHVnZG1TamtlWUtLZE0K0YlJVZbj/18ARi5+KsoEZZV4TiWlOGRh - uCwFK2znj1m8Q9ErCFSXLc1MVtVfhcXx8JgNZhtoz7V9l8p9dyKPhg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-02-10T16:02:23Z" - mac: ENC[AES256_GCM,data:D1E7pktkIqCvTyY4uIEvI/W+TUMGeKKOAhXDkXoBUBCIorWsOl05l4iZE03bUBL+YERwD2KwOgP3gEdC4lDrXqD6uF22u4DvywXlkPiMoIMWFq6UN6M4XNqUKKTq+JlojTdwItZC4O+lIBEbz5iteoj3IN+qsLbVen0qCy3vWXE=,iv:cbAZQufjBsn7LIrMjHSMDfdwB2UXG5lzx9ZmnncRb1o=,tag:zRcKKv2lLfcPxia+Nfr3FA==,type:str] - pgp: - - created_at: "2023-02-08T19:24:20Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DAAAAAAAAAAASAQdACIaRZaDeWUhEc3JZV3/IDGRn8EVhCdZwZdQnONhmUzAw - glSkslUmetrcdwAbucn5s+SXC2PBt3gIz7OV7EahbBPNf56NBi5b0O+HCKNc8LRj - 0l4B75cK4zS8g82hx7gazdnG33S7L1d4m7G7FE5MOZ+UhOeeM2CF7prmXNUQ87iL - 0CWCTpOlu1bLU8EktGQh1hfoIzTxnIJHcC4JZM8EfMH5b1dJDSC3HGbo2Qw9p6R8 - =2zwW - -----END PGP MESSAGE----- - fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - encrypted_regex: 
^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$ - version: 3.7.3 + values: + controller: + type: statefulset + strategy: RollingUpdate + fullNameOverride: zerotier-ui + image: + repository: docker.io/dec0dos/zero-ui + tag: 1.5.1 + env: + ZU_CONTROLLER_ENDPOINT: "${CONFIG_ZEROTIER_ENDPOINT}" + ZU_SECURE_HEADERS: "true" + ZU_DEFAULT_USERNAME: "${SECRET_ZEROTIER_UI_USERNAME}" + ZU_DEFAULT_PASSWORD: "${SECRET_ZEROTIER_UI_PASSWORD}" + nodeSelector: + node-restriction.kubernetes.io/nodeType: main + # dnsPolicy: None + dnsConfig: + options: + - name: ndots + value: "1" + service: + main: + ports: + http: + port: 4000 + ingress: + main: + enabled: true + ingressClassName: nginx + hosts: + - host: "${APP_DNS_ZEROTIER}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "${APP_DNS_ZEROTIER}" + secretName: vpn + persistence: + zerotier-one: + enabled: true + type: pvc + mountPath: /var/lib/zerotier-one + retain: true + existingClaim: zerotier-one + zerotier-ui-data: + enabled: true + type: pvc + mountPath: /app/backend/data + readOnly: false + accessMode: ReadWriteOnce + storageClass: block + size: 1Gi + retain: true
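Review bot: `${SECRET_ZEROTIER_UI_USERNAME}` and `${SECRET_ZEROTIER_UI_PASSWORD}` are substituted by Flux into the HelmRelease `values`, so the credentials end up in plaintext in the HelmRelease object and in Helm's release storage, readable by anyone who can get HelmReleases or the release Secrets in the `zerotier` namespace — the SOPS encryption in 3-secrets.yaml only protects them in git. Pointing the container at a Secret instead (the chart's `envFrom` / `valueFrom.secretKeyRef` env forms, if 1.2.1 supports them) would keep the values out of the release object. The old encrypted-in-values form had the same exposure, so this is not a regression, but the trade-off should be visible at the `env:` block, e.g. `# credentials are rendered into HelmRelease values by Flux substitution and are readable by anyone with get on HelmReleases / Helm release secrets in this namespace`. Note also that `ZU_DEFAULT_*` presumably only seeds the initial admin account on first start — confirm against zero-ui before relying on a secret rotation here to change the live password.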