From dadb8074539df32ddfcd54fd8d4ee9b6c6f04d11 Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Thu, 8 Feb 2024 20:53:17 +0800 Subject: [PATCH] chore: cert-manager TLS, cleanup --- .rtx.toml | 2 +- .../kube/deploy/apps/livestream/deps/tls.yaml | 1 + kube/deploy/apps/authentik/app/tls.yaml | 5 +-- kube/deploy/apps/default/deps/tls.yaml | 5 +-- kube/deploy/apps/gotosocial/app/tls.yaml | 1 + kube/deploy/apps/headscale/app/tls.yaml | 1 + kube/deploy/apps/kah/deps/tls.yaml | 3 +- kube/deploy/apps/kanidm/deps/tls.yaml | 5 +-- kube/deploy/core/ingress/_deps/certs.yaml | 32 ++++++++++++++++++- .../secrets/onepassword-connect/app/tls.yaml | 1 + .../helmrepo.yaml => bjw-s.yaml} | 0 kube/repos/flux/helm/emberstack.yaml | 10 ++++++ .../{stakater/helmrepo.yaml => stakater.yaml} | 0 kube/templates/test/app/es.yaml | 18 +++++++++++ kube/templates/test/app/secrets.yaml | 9 ------ 15 files changed, 75 insertions(+), 18 deletions(-) rename kube/repos/flux/helm/{app-template/helmrepo.yaml => bjw-s.yaml} (100%) create mode 100644 kube/repos/flux/helm/emberstack.yaml rename kube/repos/flux/helm/{stakater/helmrepo.yaml => stakater.yaml} (100%) create mode 100644 kube/templates/test/app/es.yaml delete mode 100644 kube/templates/test/app/secrets.yaml diff --git a/.rtx.toml b/.rtx.toml index 91da7261..861fa162 100644 --- a/.rtx.toml +++ b/.rtx.toml @@ -9,7 +9,7 @@ KUBECTL_COMMAND_HEADERS = "true" # kubectx = [""] # kustomize = [""] # kubecolor = [""] -flux2 = ["2.1.2"] +flux2 = ["2.2.3"] talosctl = ["1.5.4", "1.3.6"] talhelper = ["1.16.2"] cilium-cli= ["0.15.14"] diff --git a/archive/kube/deploy/apps/livestream/deps/tls.yaml b/archive/kube/deploy/apps/livestream/deps/tls.yaml index bc918827..ca3690b1 100644 --- a/archive/kube/deploy/apps/livestream/deps/tls.yaml +++ b/archive/kube/deploy/apps/livestream/deps/tls.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: 
diff --git a/kube/deploy/apps/authentik/app/tls.yaml b/kube/deploy/apps/authentik/app/tls.yaml index 76b3a34f..89791a17 100644 --- a/kube/deploy/apps/authentik/app/tls.yaml +++ b/kube/deploy/apps/authentik/app/tls.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -15,5 +16,5 @@ spec: commonName: ${DNS_MAIN} dnsNames: - ${DNS_MAIN} - - '*.${DNS_MAIN}' - - '*.tinfoil.${DNS_MAIN}' + - "*.${DNS_MAIN}" + - "*.tinfoil.${DNS_MAIN}" diff --git a/kube/deploy/apps/default/deps/tls.yaml b/kube/deploy/apps/default/deps/tls.yaml index 13e1e5b1..044fcd76 100644 --- a/kube/deploy/apps/default/deps/tls.yaml +++ b/kube/deploy/apps/default/deps/tls.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -15,5 +16,5 @@ spec: commonName: ${DNS_MAIN} dnsNames: - ${DNS_MAIN} - - '*.${DNS_MAIN}' - - '*.default.${DNS_MAIN}' + - "*.${DNS_MAIN}" + - "*.default.${DNS_MAIN}" diff --git a/kube/deploy/apps/gotosocial/app/tls.yaml b/kube/deploy/apps/gotosocial/app/tls.yaml index 837c3850..aa4429e4 100644 --- a/kube/deploy/apps/gotosocial/app/tls.yaml +++ b/kube/deploy/apps/gotosocial/app/tls.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: diff --git a/kube/deploy/apps/headscale/app/tls.yaml b/kube/deploy/apps/headscale/app/tls.yaml index d0ce087e..ce669d54 100644 --- a/kube/deploy/apps/headscale/app/tls.yaml +++ b/kube/deploy/apps/headscale/app/tls.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: 
diff --git a/kube/deploy/apps/kah/deps/tls.yaml b/kube/deploy/apps/kah/deps/tls.yaml index 72426b45..d6731e83 100644 --- a/kube/deploy/apps/kah/deps/tls.yaml +++ b/kube/deploy/apps/kah/deps/tls.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -14,4 +15,4 @@ spec: name: letsencrypt-production kind: ClusterIssuer dnsNames: - - '*.${DNS_KAH}' \ No newline at end of file + - "*.${DNS_KAH}" diff --git a/kube/deploy/apps/kanidm/deps/tls.yaml b/kube/deploy/apps/kanidm/deps/tls.yaml index bb880cd9..19662b68 100644 --- a/kube/deploy/apps/kanidm/deps/tls.yaml +++ b/kube/deploy/apps/kanidm/deps/tls.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -15,5 +16,5 @@ spec: commonName: ${DNS_SHORT} dnsNames: - ${DNS_SHORT} - - '*.${DNS_SHORT}' - - '*.damn.${DNS_SHORT}' + - "*.${DNS_SHORT}" + - "*.damn.${DNS_SHORT}" diff --git a/kube/deploy/core/ingress/_deps/certs.yaml b/kube/deploy/core/ingress/_deps/certs.yaml index 2136db14..27cbb5e9 100644 --- a/kube/deploy/core/ingress/_deps/certs.yaml +++ b/kube/deploy/core/ingress/_deps/certs.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -6,6 +7,10 @@ metadata: namespace: ingress spec: secretName: "short-domain-tls" + secretTemplate: + annotations: + reflector.v1.k8s.emberstack.com/reflection-allowed: "true" + reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" additionalOutputFormats: - type: CombinedPEM - type: DER @@ -21,6 +26,7 @@ spec: - "${DNS_SHORT}" - "*.${DNS_SHORT}" --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: 
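Review bot: The `secretTemplate` annotations added in the `@@ -6,6 +7,10 @@` hunk of `certs.yaml` turn on reflection of `short-domain-tls` with no namespace scope: `reflection-allowed: "true"` without `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces` lets any namespace mirror the Secret (the reflector treats a missing allow-list as "all namespaces"), and `reflection-auto-enabled: "true"` without `reflector.v1.k8s.emberstack.com/reflection-auto-namespaces` makes it copy the Secret into every namespace automatically. These Secrets hold the private key of a wildcard certificate (`*.${DNS_SHORT}` in the context lines), so the key for the whole domain ends up readable in namespaces that never terminate TLS, and any workload with Secret read access anywhere in the cluster becomes a path to it. Restrict both annotations to the namespaces that actually serve these hostnames, e.g. `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "ingress,<consumer namespace>"` and the same value for `reflection-auto-namespaces`; if blanket reflection is deliberate, a comment on `secretTemplate` saying so would stop the next reader from "fixing" it. The identical unscoped annotation set is repeated for `long-domain-tls`, `vpn-tls`, `stream-tls`, `me-tls` and `home-tls` in the later hunks of this file and should be scoped the same way.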
@@ -28,6 +34,10 @@ metadata: namespace: ingress spec: secretName: "long-domain-tls" + secretTemplate: + annotations: + reflector.v1.k8s.emberstack.com/reflection-allowed: "true" + reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" additionalOutputFormats: - type: CombinedPEM - type: DER @@ -43,6 +53,7 @@ spec: - "${DNS_MAIN}" - "*.${DNS_MAIN}" --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -50,6 +61,10 @@ metadata: namespace: ingress spec: secretName: "vpn-tls" + secretTemplate: + annotations: + reflector.v1.k8s.emberstack.com/reflection-allowed: "true" + reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" additionalOutputFormats: - type: CombinedPEM - type: DER @@ -64,6 +79,7 @@ spec: - "${DNS_VPN}" - "*.${DNS_VPN}" --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -71,6 +87,10 @@ metadata: namespace: ingress spec: secretName: "stream-tls" + secretTemplate: + annotations: + reflector.v1.k8s.emberstack.com/reflection-allowed: "true" + reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" additionalOutputFormats: - type: CombinedPEM - type: DER @@ -85,6 +105,7 @@ spec: - "${DNS_STREAM}" - "*.${DNS_STREAM}" --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -92,6 +113,10 @@ metadata: namespace: ingress spec: secretName: "me-tls" + secretTemplate: + annotations: + reflector.v1.k8s.emberstack.com/reflection-allowed: "true" + reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" additionalOutputFormats: - type: CombinedPEM - type: DER 
@@ -106,6 +131,7 @@ spec: - "${DNS_ME}" - "*.${DNS_ME}" --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -113,6 +139,10 @@ metadata: namespace: ingress spec: secretName: "home-tls" + secretTemplate: + annotations: + reflector.v1.k8s.emberstack.com/reflection-allowed: "true" + reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" additionalOutputFormats: - type: CombinedPEM - type: DER @@ -125,4 +155,4 @@ spec: rotationPolicy: Always dnsNames: - "${DNS_HOME}" - - "*.${DNS_HOME}" \ No newline at end of file + - "*.${DNS_HOME}" diff --git a/kube/deploy/core/secrets/onepassword-connect/app/tls.yaml b/kube/deploy/core/secrets/onepassword-connect/app/tls.yaml index f46dbf2f..68e39b83 100644 --- a/kube/deploy/core/secrets/onepassword-connect/app/tls.yaml +++ b/kube/deploy/core/secrets/onepassword-connect/app/tls.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: diff --git a/kube/repos/flux/helm/app-template/helmrepo.yaml b/kube/repos/flux/helm/bjw-s.yaml similarity index 100% rename from kube/repos/flux/helm/app-template/helmrepo.yaml rename to kube/repos/flux/helm/bjw-s.yaml diff --git a/kube/repos/flux/helm/emberstack.yaml b/kube/repos/flux/helm/emberstack.yaml new file mode 100644 index 00000000..947e24ad --- /dev/null +++ b/kube/repos/flux/helm/emberstack.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: emberstack-charts + namespace: flux-system +spec: + interval: 1h + timeout: 3m0s + url: https://emberstack.github.io/helm-charts/ \ No newline at end of file 
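Review bot: The new `kube/repos/flux/helm/emberstack.yaml` ends without a trailing newline (`\ No newline at end of file` after the `url:` line), which is the same defect this commit fixes in `kube/deploy/apps/kah/deps/tls.yaml` and `certs.yaml`; add the final newline. The file also lacks the `# yaml-language-server: $schema=` header that every other manifest touched here receives, so a `# yaml-language-server: $schema=<schema URL for HelmRepository v1beta2>` line after `---` would keep it consistent with the rest of the repo. Since this repository is the source of the reflector chart that will be handed the TLS private keys, the consuming HelmRelease (not in this commit) should pin the chart version rather than rely on the 1h `interval` to pull whatever is newest; presumably it does, but it is worth checking.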
diff --git a/kube/repos/flux/helm/stakater/helmrepo.yaml b/kube/repos/flux/helm/stakater.yaml similarity index 100% rename from kube/repos/flux/helm/stakater/helmrepo.yaml rename to kube/repos/flux/helm/stakater.yaml diff --git a/kube/templates/test/app/es.yaml b/kube/templates/test/app/es.yaml new file mode 100644 index 00000000..c3ca3c77 --- /dev/null +++ b/kube/templates/test/app/es.yaml @@ -0,0 +1,18 @@ +--- +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name ${APPNAME}-secrets + namespace: ${APPNAME} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: 1p + dataFrom: + - extract: + key: "${APPNAME} (${CLUSTER_NAME})" + target: + creationPolicy: Owner + deletionPolicy: Retain + name: *name diff --git a/kube/templates/test/app/secrets.yaml b/kube/templates/test/app/secrets.yaml deleted file mode 100644 index 4865c1b3..00000000 --- a/kube/templates/test/app/secrets.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: "${APPNAME}-secrets" - namespace: "${APPNAME}" -type: Opaque -stringData: -
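Review bot: The `deletionPolicy: Retain` / `creationPolicy: Owner` pairing in the new `target:` block of `kube/templates/test/app/es.yaml` reads as if the Secret is meant to survive deletion, but `deletionPolicy` governs what ESO does when the referenced 1Password item disappears from the store (`Retain` keeps the last synced data in the cluster), while `creationPolicy: Owner` sets an ownerReference so the Secret is garbage-collected together with the ExternalSecret; confirm against the ESO `v1beta1` docs and record the intent with a comment on `target:` such as `# Retain: keep last-known data if the 1Password item is removed; Owner: Secret is GC'd with this ExternalSecret`. Keeping credentials in the cluster after the provider entry was deliberately removed is a revocation gap, so `deletionPolicy: Delete` may be the safer default for a template that is copied into every app. No `refreshInterval` is set, so the ESO default applies; stating it explicitly (e.g. `refreshInterval: 1h`) documents how quickly a rotated item reaches the cluster.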