From e458a770c65f4c38622de578fe79dff9a83c2bc6 Mon Sep 17 00:00:00 2001
From: Toboshii Nakama <63410334+toboshii@users.noreply.github.com>
Date: Mon, 18 Jul 2022 10:29:41 -0500
Subject: [PATCH] feat: use cnpg

---
 cluster/apps/media/szurubooru/database.yaml | 4 +-
 cluster/apps/security/authentik/database.yaml | 19 ++++++
 .../apps/security/authentik/helm-release.yaml | 40 ++++++++---
 .../security/authentik/kustomization.yaml | 1 +
 .../apps/security/vaultwarden/config-pvc.yaml | 17 +++++
 .../apps/security/vaultwarden/database.yaml | 19 ++++++
 .../security/vaultwarden/helm-release.yaml | 66 +++++++++++--------
 .../security/vaultwarden/kustomization.yaml | 4 +-
 talos/talconfig.yaml | 1 +
 9 files changed, 133 insertions(+), 38 deletions(-)
 create mode 100644 cluster/apps/security/authentik/database.yaml
 create mode 100644 cluster/apps/security/vaultwarden/config-pvc.yaml
 create mode 100644 cluster/apps/security/vaultwarden/database.yaml

diff --git a/cluster/apps/media/szurubooru/database.yaml b/cluster/apps/media/szurubooru/database.yaml
index bb7e3a0b..26ed33aa 100644
--- a/cluster/apps/media/szurubooru/database.yaml
+++ b/cluster/apps/media/szurubooru/database.yaml
@@ -3,7 +3,7 @@ apiVersion: db.movetokube.com/v1alpha1
 kind: Postgres
 metadata:
 name: szurubooru-db
- namespace: selfhosted
+ namespace: media
 spec:
 database: szurubooru
 ---
@@ -11,7 +11,7 @@ apiVersion: db.movetokube.com/v1alpha1
 kind: PostgresUser
 metadata:
 name: szurubooru-user
- namespace: selfhosted
+ namespace: media
 spec:
 role: szurubooru
 database: szurubooru-db
diff --git a/cluster/apps/security/authentik/database.yaml b/cluster/apps/security/authentik/database.yaml
new file mode 100644
index 00000000..99cbb090
--- /dev/null
+++ b/cluster/apps/security/authentik/database.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+ name: authentik-db
+ namespace: security
+spec:
+ database: authentik
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+ name: authentik-user
+ namespace: security
+spec:
+ role: authentik
+ database: authentik-db
+ secretName: database
+ privileges: OWNER
diff --git a/cluster/apps/security/authentik/helm-release.yaml b/cluster/apps/security/authentik/helm-release.yaml
index 325e7f45..e45c4529 100644
--- a/cluster/apps/security/authentik/helm-release.yaml
+++ b/cluster/apps/security/authentik/helm-release.yaml
@@ -21,15 +21,42 @@ spec:
 image:
 repository: ghcr.io/goauthentik/server
 tag: 2022.6.3
+ initContainers:
+ wait-for-db:
+ image: ghcr.io/patrickdappollonio/wait-for:v1.0.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: POSTGRES_HOST
+ valueFrom:
+ secretKeyRef:
+ name: database-authentik-user
+ key: HOST
+ command:
+ - /wait-for
+ args:
+ - --host="$(POSTGRES_HOST):5432"
+ - --verbose
+ envValueFrom:
+ AUTHENTIK_POSTGRESQL__HOST:
+ secretKeyRef:
+ name: database-authentik-user
+ key: HOST
+ AUTHENTIK_POSTGRESQL__NAME:
+ secretKeyRef:
+ name: database-authentik-user
+ key: DATABASE_NAME
+ AUTHENTIK_POSTGRESQL__USER:
+ secretKeyRef:
+ name: database-authentik-user
+ key: LOGIN
+ AUTHENTIK_POSTGRESQL__PASSWORD:
+ secretKeyRef:
+ name: database-authentik-user
+ key: PASSWORD
 authentik:
 outposts:
 docker_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
 secret_key: "${SECRET_AUTHENTIK_SECRET_KEY}"
- postgresql:
- host: "authentik-postgresql"
- name: "authentik"
- user: "authentik"
- password: "${SECRET_AUTHENTIK_POSTGRES_PASSWORD}"
 redis:
 host: "authentik-redis-master"
 email:
@@ -53,9 +80,6 @@ spec:
 tls:
 - hosts:
 - "id.${SECRET_DOMAIN}"
- postgresql:
- enabled: true
- postgresqlPassword: "${SECRET_AUTHENTIK_POSTGRES_PASSWORD}"
 redis:
 enabled: true
 prometheus:
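Review bot: The resources added here, and the matching pair in cluster/apps/security/vaultwarden/database.yaml, are `db.movetokube.com/v1alpha1` Postgres/PostgresUser objects, which is the ext-postgres-operator API, while the subject line reads "feat: use cnpg"; if CloudNativePG is not what is being adopted, the title is misleading and should name the operator actually in use. The HelmReleases in this commit consume the generated `database-authentik-user` / `database-vaultwarden-user` secrets (`secretName: database` plus the PostgresUser name), so the choice of operator is part of the contract and deserves a one-line comment at the top of each file, e.g. `# ext-postgres-operator: provisions the database and a role secret named database-<user>`.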
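Review bot: The `--host="$(POSTGRES_HOST):5432"` argument keeps its double quotes, because container args are not passed through a shell: kubelet expands `$(POSTGRES_HOST)` but the `"` characters reach /wait-for literally, so unless the tool strips them it waits on a host string that contains quotes and the pod never leaves Init (the same line appears in cluster/apps/security/vaultwarden/helm-release.yaml). Write it as `- --host=$(POSTGRES_HOST):5432`. Separately, `ghcr.io/patrickdappollonio/wait-for:v1.0.0` is pinned by a mutable tag while the vaultwarden image in this same commit is pinned by digest; an init container that runs first and receives the database host deserves the same `v1.0.0@sha256:<digest>` form (placeholder, look up the real digest). The values block continues outside the hunk.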
diff --git a/cluster/apps/security/authentik/kustomization.yaml b/cluster/apps/security/authentik/kustomization.yaml
index 2fa2de20..5da76aef 100644
--- a/cluster/apps/security/authentik/kustomization.yaml
+++ b/cluster/apps/security/authentik/kustomization.yaml
@@ -2,4 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - database.yaml
 - helm-release.yaml
diff --git a/cluster/apps/security/vaultwarden/config-pvc.yaml b/cluster/apps/security/vaultwarden/config-pvc.yaml
new file mode 100644
index 00000000..12201684
--- /dev/null
+++ b/cluster/apps/security/vaultwarden/config-pvc.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: vaultwarden-config-v1
+ namespace: security
+ labels:
+ app.kubernetes.io/name: &name vaultwarden
+ app.kubernetes.io/instance: *name
+ pmb.home.arpa/backup: "true"
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+ storageClassName: ceph-block
diff --git a/cluster/apps/security/vaultwarden/database.yaml b/cluster/apps/security/vaultwarden/database.yaml
new file mode 100644
index 00000000..4fbfa646
--- /dev/null
+++ b/cluster/apps/security/vaultwarden/database.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+ name: vaultwarden-db
+ namespace: security
+spec:
+ database: vaultwarden
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+ name: vaultwarden-user
+ namespace: security
+spec:
+ role: vaultwarden
+ database: vaultwarden-db
+ secretName: database
+ privileges: OWNER
diff --git a/cluster/apps/security/vaultwarden/helm-release.yaml b/cluster/apps/security/vaultwarden/helm-release.yaml
index 505afd53..837d8eba 100644
--- a/cluster/apps/security/vaultwarden/helm-release.yaml
+++ b/cluster/apps/security/vaultwarden/helm-release.yaml
@@ -6,23 +6,47 @@ metadata:
 namespace: security
 spec:
 releaseName: vaultwarden
- interval: 5m
+ interval: 15m
 chart:
 spec:
- # renovate: registryUrl=https://k8s-at-home.com/charts/
- chart: vaultwarden
- version: 3.3.1
+ chart: kah-common-chart
+ version: 1.1.2
 sourceRef:
 kind: HelmRepository
 name: k8s-at-home-charts
 namespace: flux-system
- interval: 5m
+ interval: 15m
+ install:
+ createNamespace: true
+ remediation:
+ retries: 5
+ upgrade:
+ remediation:
+ retries: 5
 values:
- nameOverride: vaultwarden
- fullnameOverride: vaultwarden
+ global:
+ nameOverride: *app
+ controller:
+ labels:
+ pmb.home.arpa/backup-claim: &claimName "vaultwarden-config-v1"
 image:
- repository: vaultwarden/server
- tag: 1.23.0-alpine
+ repository: ghcr.io/k8s-at-home/vaultwarden
+ tag: 1.25.1@sha256:ea7901a9629897801b38b6afbce1869d357ebb9e080ec6ffff5839d85d8a79e4
+ initContainers:
+ wait-for-db:
+ image: ghcr.io/patrickdappollonio/wait-for:v1.0.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: POSTGRES_HOST
+ valueFrom:
+ secretKeyRef:
+ name: database-vaultwarden-user
+ key: HOST
+ command:
+ - /wait-for
+ args:
+ - --host="$(POSTGRES_HOST):5432"
+ - --verbose
 env:
 DATA_FOLDER: "config"
 SIGNUPS_ALLOWED: false
@@ -38,12 +62,17 @@ spec:
 SMTP_PORT: 587
 SMTP_USERNAME: "apikey"
 SMTP_PASSWORD: "${SECRET_SENDGRID_API_KEY}"
- DATABASE_URL: "postgresql://vaultwarden:${SECRET_VAULTWARDEN_DB_PASSWORD}@vaultwarden-postgresql/vaultwarden"
+ DATABASE_URL:
+ valueFrom:
+ secretKeyRef:
+ name: database-vaultwarden-user
+ key: POSTGRES_URL
 ingress:
 main:
 enabled: true
 ingressClassName: "nginx"
 annotations:
+ hajimari.io/icon: "form-textbox-password"
 external-dns/is-public: "true"
 external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}"
 hosts:
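Review bot: Nothing in the new values consumes `&claimName "vaultwarden-config-v1"`: the anchor is set on a controller label but no `*claimName` alias follows, and the third hunk of this file deletes the whole `persistence.config` block, so unless an unchanged part of the file still mounts that PVC, `DATA_FOLDER: "config"` now resolves to the container's writable layer and the vault store (users, ciphers, attachments) is discarded whenever the pod is rescheduled. The PVC created in config-pvc.yaml should be wired in through the common chart's `persistence.<name>.existingClaim`, so the backup label and the mount name the same claim. The spec keys above `namespace: security` are outside the hunk.
```yaml
    values:
      # … unchanged: global, controller, image, initContainers, env, ingress …
      persistence:
        config:
          enabled: true
          existingClaim: *claimName
```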
@@ -59,20 +88,3 @@ spec:
 tls:
 - hosts:
 - "warden.${SECRET_DOMAIN}"
- persistence:
- config:
- enabled: true
- storageClass: ceph-block
- accessMode: ReadWriteOnce
- size: 10Gi
- postgresql:
- enabled: true
- postgresqlUsername: "vaultwarden"
- postgresqlPassword: "${SECRET_VAULTWARDEN_DB_PASSWORD}"
- postgresqlDatabase: "vaultwarden"
- persistence:
- enabled: true
- storageClass: ceph-block
- accessModes:
- - ReadWriteOnce
- size: 10Gi
diff --git a/cluster/apps/security/vaultwarden/kustomization.yaml b/cluster/apps/security/vaultwarden/kustomization.yaml
index 2fa2de20..25b03dd5 100644
--- a/cluster/apps/security/vaultwarden/kustomization.yaml
+++ b/cluster/apps/security/vaultwarden/kustomization.yaml
@@ -2,4 +2,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - helm-release.yaml
+ - config-pvc.yaml
+ - database.yaml
+ # - helm-release.yaml
diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml
index 4eb7fd16..5dfc2d7c 100644
--- a/talos/talconfig.yaml
+++ b/talos/talconfig.yaml
@@ -68,6 +68,7 @@ controlPlane:
 crt: ${k8sAggregatorCert}
 key: ${k8sAggregatorCertKey}
 apiServer:
+ admissionControl: []
 certSANs:
 - ${clusterEndpointIP}
 - cluster01.${domainName}
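Review bot: Commenting out `- helm-release.yaml` removes the vaultwarden HelmRelease from this Kustomization; if the parent Flux Kustomization prunes (not visible here), Flux uninstalls the release, and a Helm uninstall deletes the chart-managed `config` PVC that the old `persistence` block declared unless the old chart marked it keep, while nothing in the commit copies that data into `vaultwarden-config-v1` or the new database. If this is a deliberate pause while the vault data is migrated, the reason and the re-enable condition belong on the line, e.g. `# - helm-release.yaml  # disabled until vault data is restored to vaultwarden-config-v1`; otherwise the entry should stay active and the migration should land with it.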
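Review bot: `admissionControl: []` replaces the API server's admission configuration rather than extending it; Talos of this era ships a default PodSecurity admission config (enforce baseline, warn and audit restricted, kube-system exempt), so an empty list switches that off and any namespace can then run privileged or host-network pods without a warning, a cluster-wide loosening that the commit message does not mention. If one workload needs to sit below baseline, keep the default entry and add that namespace to its `exemptions.namespaces`, or set the `pod-security.kubernetes.io/enforce` label on that namespace instead; if dropping it is intended, a comment stating why and what replaces it belongs above the line, e.g. `# Pod Security admission disabled: <reason>; enforced by <replacement>`.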