diff --git a/k8s/apps/external/proxmox/tls-route.yaml b/k8s/apps/external/proxmox/tls-route.yaml
index a617f9a..0594463 100644
--- a/k8s/apps/external/proxmox/tls-route.yaml
+++ b/k8s/apps/external/proxmox/tls-route.yaml
@@ -1,15 +1,11 @@
 apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: TLSRoute
 metadata:
- name: proxmox-tls
+ name: proxmox
 namespace: proxmox
 spec:
 parentRefs:
- - name: tls-passthrough
- namespace: gateway
- hostnames:
- - "proxmox.stonegarden.dev"
+ - { name: internal, namespace: gateway }
+ hostnames: [ proxmox.stonegarden.dev ]
 rules:
- - backendRefs:
- - name: proxmox
- port: 443
+ - backendRefs: [ { name: proxmox, port: 443 } ]
diff --git a/k8s/apps/external/truenas/tls-route.yaml b/k8s/apps/external/truenas/tls-route.yaml
index 580dfbf..d0af955 100644
--- a/k8s/apps/external/truenas/tls-route.yaml
+++ b/k8s/apps/external/truenas/tls-route.yaml
@@ -5,11 +5,7 @@ metadata:
 namespace: truenas
 spec:
 parentRefs:
- - name: tls-passthrough
- namespace: gateway
- hostnames:
- - "truenas.stonegarden.dev"
+ - { name: internal, namespace: gateway }
+ hostnames: [ truenas.stonegarden.dev ]
 rules:
- - backendRefs:
- - name: truenas
- port: 443
+ - backendRefs: [ { name: truenas, port: 443 } ]
diff --git a/k8s/infra/controllers/argocd/http-route.yaml b/k8s/infra/controllers/argocd/http-route.yaml
deleted file mode 100644
index 3a00cef..0000000
--- a/k8s/infra/controllers/argocd/http-route.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: argocd
- namespace: argocd
-spec:
- parentRefs:
- - name: internal
- namespace: gateway
- hostnames:
- - "argocd.stonegarden.dev"
- rules:
- - matches:
- - path:
- type: PathPrefix
- value: /
- backendRefs:
- - name: argocd-server
- port: 80
-# - matches:
-# - headers:
-# - name: Content-Type
-# value: application/grpc
-# backendRefs:
-# - name: argocd-server
-# port: 80
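Review bot: The new parentRefs on this hunk and on the truenas hunk move both TLSRoutes to the `internal` Gateway, while the only Gateway in this diff that carried `protocol: TLS` listeners with `tls.mode: Passthrough` for these hostnames (`gw-tls-passthrough.yaml`) is deleted and `gw-internal.yaml` is not touched here. Unless `internal` already has a TLS listener on 443 with `mode: Passthrough`, a matching `hostname`, and `allowedRoutes.namespaces` admitting the `proxmox` and `truenas` namespaces, these routes will not be accepted by any listener and Proxmox and TrueNAS stop being reachable through the gateway; worth confirming against the internal Gateway's listeners, or adding them in this change, before merging. The old Gateway also bound each hostname to its own listener, so after this move the `internal` listener's `allowedRoutes` alone decides which namespaces may claim TLS passthrough on that port. Separately, `- { name: internal, namespace: gateway }` and `backendRefs: [ { name: proxmox, port: 443 } ]` (likewise on the truenas and argocd hunks) nest mappings inside flow collections; block style for these structured entries diffs and reads better.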
diff --git a/k8s/infra/controllers/argocd/tls-route.yaml b/k8s/infra/controllers/argocd/tls-route.yaml
index 08a8ac0..c533d7e 100644
--- a/k8s/infra/controllers/argocd/tls-route.yaml
+++ b/k8s/infra/controllers/argocd/tls-route.yaml
@@ -5,11 +5,7 @@ metadata:
 namespace: argocd
 spec:
 parentRefs:
- - name: internal
- namespace: gateway
- hostnames:
- - "argocd.stonegarden.dev"
+ - { name: internal, namespace: gateway }
+ hostnames: [ argocd.stonegarden.dev ]
 rules:
- - backendRefs:
- - name: argocd-server
- port: 443
+ - backendRefs: [ { name: argocd-server, port: 443 } ]
diff --git a/k8s/infra/network/gateway/gw-tls-passthrough.yaml b/k8s/infra/network/gateway/gw-tls-passthrough.yaml
deleted file mode 100644
index 5be73be..0000000
--- a/k8s/infra/network/gateway/gw-tls-passthrough.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
- name: tls-passthrough
- namespace: gateway
-spec:
- gatewayClassName: cilium
- infrastructure:
- annotations:
- io.cilium/lb-ipam-ips: 192.168.1.221
- listeners:
- - protocol: TLS
- port: 443
- name: proxmox
- hostname: "proxmox.stonegarden.dev"
- tls:
- mode: Passthrough
- allowedRoutes:
- namespaces:
- from: All
- - protocol: TLS
- port: 443
- name: truenas
- hostname: "truenas.stonegarden.dev"
- tls:
- mode: Passthrough
- allowedRoutes:
- namespaces:
- from: All
diff --git a/k8s/infra/network/gateway/kustomization.yaml b/k8s/infra/network/gateway/kustomization.yaml
index 7a6a0a4..1db18c8 100644
--- a/k8s/infra/network/gateway/kustomization.yaml
+++ b/k8s/infra/network/gateway/kustomization.yaml
@@ -7,4 +7,3 @@ resources:
 - ns.yaml
 - gw-external.yaml
 - gw-internal.yaml
- - gw-tls-passthrough.yaml
diff --git a/tofu/kubernetes/REMOTE_BACKEND.md b/tofu/kubernetes/REMOTE_BACKEND.md
deleted file mode 100644
index 9dd5697..0000000
--- a/tofu/kubernetes/REMOTE_BACKEND.md
+++ /dev/null
@@ -1,42 +0,0 @@
-## GCS Remote
-
-1. Create a [Service Account](https://cloud.google.com/iam/docs/service-accounts-create) named tofu (after enabling the
- IAM API if needed). Leave the permissions blank.
-2. Create and download the [service account key](https://cloud.google.com/iam/docs/keys-create-delete#creating).
-3. Create a GCS bucket for tofu state with public access prevention and versioning as necessary.
-4. In the permissions tab of the bucket, give **Storage Object Admin** access to the service account.
-5. Copy backend.tf.sample to backend.tf and make necessary changes.
-
-```shell
-cp remote_backend.tf.sample remote_backend.tf
-```
-
-### Encryption key
-
-Generate the encryption key
-
-```shell
-python3 -c 'import os;import base64;print(base64.b64encode(os.urandom(32)).decode("utf-8"))'
-```
-
-`Without the encryption key, your state would not be recoverable. Store in a password manager, if not using any kms like bws.`
-
-### Environment variables
-
-```shell
-export GOOGLE_APPLICATION_CREDENTIALS=""
-export GOOGLE_ENCRYPTION_KEY=""
-```
-
-Run tofu init / plan / apply as usual.
-
-### Bitwarden Secrets Manager
-
-Store the downloaded key contents and generated encryption key into GOOGLE_CREDENTIALS and GOOGLE_ENCRYPTION_KEY
-respectively in bws.
-
-Run bws run -- tofu init / plan / apply as usual.
-
-### Beta Notice
-
-`Please treat this as beta and only use for air-gapped installations as of now. Will remove the beta tag after testing it in due course.`
diff --git a/tofu/kubernetes/remote_backend.tf.sample b/tofu/kubernetes/remote_backend.tf.sample
deleted file mode 100644
index 6404b0b..0000000
--- a/tofu/kubernetes/remote_backend.tf.sample
+++ /dev/null
@@ -1,6 +0,0 @@
-terraform {
- backend "gcs" {
- bucket = ""
- prefix = "prod/kubernetes"
- }
-}