diff --git a/kube/clusters/biohazard/flux/flux-repo.yaml b/kube/clusters/biohazard/flux/flux-repo.yaml
index 2c66b3b9..3db5e83e 100644
--- a/kube/clusters/biohazard/flux/flux-repo.yaml
+++ b/kube/clusters/biohazard/flux/flux-repo.yaml
@@ -364,6 +364,79 @@ spec:
 version: v2beta2
 kind: HelmRelease
 labelSelector: nginx.ingress.home.arpa/type in (auth-external-only)
+ - patch: |-
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: not-used
+ spec:
+ interval: 5m
+ timeout: 15m
+ maxHistory: 10
+ install:
+ crds: CreateReplace
+ createNamespace: true
+ remediation:
+ retries: 5
+ upgrade:
+ crds: CreateReplace
+ cleanupOnFail: true
+ remediation:
+ retries: 5
+ strategy: uninstall
+ rollback:
+ recreate: true
+ cleanupOnFail: true
+ uninstall:
+ keepHistory: false
+ driftDetection:
+ mode: warn # TODO: verify all running apps don't have drift, and enable
+ ignore:
+ - paths: ["/spec/replicas"] # helpful for scaling things down during debugging/troubleshooting without Helm interfering
+ target:
+ group: helm.toolkit.fluxcd.io
+ version: v2
+ kind: HelmRelease
+ labelSelector: helm.flux.home.arpa/default notin (false)
+ - patch: |-
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: not-used
+ spec:
+ values:
+ ingress:
+ main:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-url: |-
+ http://authentik.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
+ nginx.ingress.kubernetes.io/auth-response-headers: |-
+ Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
+ nginx.ingress.kubernetes.io/auth-snippet: |
+ proxy_set_header X-Forwarded-Host $http_host;
+ target:
+ group: helm.toolkit.fluxcd.io
+ version: v2
+ kind: HelmRelease
+ labelSelector: nginx.ingress.home.arpa/type in (auth, auth-external, auth-external-only)
+ - patch: |-
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: not-used
+ spec:
+ values:
+ ingress:
+ main:
+ annotations:
+ nginx.ingress.kubernetes.io/satisfy: "any"
+ nginx.ingress.kubernetes.io/whitelist-source-range: |
+ 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10
+ target:
+ group: helm.toolkit.fluxcd.io
+ version: v2
+ kind: HelmRelease
+ labelSelector: nginx.ingress.home.arpa/type in (auth-external-only)
 target:
 group: kustomize.toolkit.fluxcd.io
 version: v1
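Review bot: The `whitelist-source-range` value in the third added patch (target `auth-external-only`) is a `|` block scalar, so the annotation carries a trailing newline after `100.64.0.0/10`, unlike the neighbouring `auth-url`/`auth-response-headers` values which use `|-`; writing `nginx.ingress.kubernetes.io/whitelist-source-range: |-` keeps the CIDR list clean regardless of how strictly the controller trims it. Because the same patch sets `satisfy: "any"`, a request whose source address falls inside those ranges skips the Authentik `auth-url` check entirely, so the control is only as strong as the client IP the ingress controller actually sees: behind a load balancer or proxy that does not forward the real client address, every request can appear to come from an internal range. That deserves a comment next to it, e.g. `# "any": requests from the whitelist below bypass the auth-url check — relies on the controller seeing real client IPs`. The `auth-snippet` in the second patch is presumably only accepted when the ingress-nginx controller has snippet annotations enabled (the default has been off since 1.9) — verify that setting on the controller, or the admission webhook will reject these HelmReleases. The same three patches are added again in the second hunk (`@@ -729,6 +802,79 @@`), where all of the above applies too.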
@@ -729,6 +802,79 @@ spec:
 version: v2beta2
 kind: HelmRelease
 labelSelector: nginx.ingress.home.arpa/type in (auth-external-only)
+ - patch: |-
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: not-used
+ spec:
+ interval: 5m
+ timeout: 15m
+ maxHistory: 10
+ install:
+ crds: CreateReplace
+ createNamespace: true
+ remediation:
+ retries: 5
+ upgrade:
+ crds: CreateReplace
+ cleanupOnFail: true
+ remediation:
+ retries: 5
+ strategy: uninstall
+ rollback:
+ recreate: true
+ cleanupOnFail: true
+ uninstall:
+ keepHistory: false
+ driftDetection:
+ mode: warn # TODO: verify all running apps don't have drift, and enable
+ ignore:
+ - paths: ["/spec/replicas"] # helpful for scaling things down during debugging/troubleshooting without Helm interfering
+ target:
+ group: helm.toolkit.fluxcd.io
+ version: v2
+ kind: HelmRelease
+ labelSelector: helm.flux.home.arpa/default notin (false)
+ - patch: |-
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: not-used
+ spec:
+ values:
+ ingress:
+ main:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-url: |-
+ http://authentik.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
+ nginx.ingress.kubernetes.io/auth-response-headers: |-
+ Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
+ nginx.ingress.kubernetes.io/auth-snippet: |
+ proxy_set_header X-Forwarded-Host $http_host;
+ target:
+ group: helm.toolkit.fluxcd.io
+ version: v2
+ kind: HelmRelease
+ labelSelector: nginx.ingress.home.arpa/type in (auth, auth-external, auth-external-only)
+ - patch: |-
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: not-used
+ spec:
+ values:
+ ingress:
+ main:
+ annotations:
+ nginx.ingress.kubernetes.io/satisfy: "any"
+ nginx.ingress.kubernetes.io/whitelist-source-range: |
+ 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10
+ target:
+ group: helm.toolkit.fluxcd.io
+ version: v2
+ kind: HelmRelease
+ labelSelector: nginx.ingress.home.arpa/type in (auth-external-only)
 target:
 group: kustomize.toolkit.fluxcd.io
 version: v1
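Review bot: This hunk repeats the three HelmRelease patches from the first hunk (`@@ -364,6 +364,79 @@`) verbatim, down to the `# TODO` on `driftDetection.mode`, so the two copies will silently drift the next time one Kustomization's defaults or auth annotations are tuned. If both Kustomization specs sit in the same YAML document, an anchor on the first patch list (`&default_helmrelease_patches`) aliased here would give a single source of truth; if they are separate `---` documents, the list needs to be factored into a shared definition instead — which case applies is not visible from the hunk. At minimum, a comment on this hunk's first `- patch: |-` line such as `# keep in sync with the identical patch list on the <FIRST-KUSTOMIZATION-NAME> Kustomization above` tells the next editor to change both.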