alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 6 Actions Activity

migration to next

Browse Source
This commit is contained in:
Alex Lebens
2025-03-02 16:56:16 -06:00
parent 1693ecd0ae
commit 9fe661cf24
342 changed files with 166 additions and 159 deletions
Download Patch File Download Diff File Expand all files Collapse all files

390
clusters/cl01tl/platform/vault/templates/external-secret.yaml
View File

@@ -1,390 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-snapshot-agent-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-snapshot-agent-token
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: snapshot
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: VAULT_APPROLE_ROLE_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot
metadataPolicy: None
property: VAULT_APPROLE_ROLE_ID
- secretKey: VAULT_APPROLE_SECRET_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot
metadataPolicy: None
property: VAULT_APPROLE_SECRET_ID
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-snapshot-s3
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-snapshot-s3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: snapshot
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/vault-backup
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/vault-backup
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-s3cmd-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-snapshot-s3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: snapshot
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: .s3cfg
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot
metadataPolicy: None
property: s3cfg
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-unseal-config-1
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-unseal-key-1
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: unseal
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: ENVIRONMENT
- secretKey: CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: CHECK_INTERVAL
- secretKey: MAX_CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: MAX_CHECK_INTERVAL
- secretKey: NODES
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: NODES
- secretKey: TLS_SKIP_VERIFY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: TLS_SKIP_VERIFY
- secretKey: TOKENS
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: TOKENS
- secretKey: EMAIL_ENABLED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: EMAIL_ENABLED
- secretKey: NOTIFY_MAX_ELAPSED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: NOTIFY_MAX_ELAPSED
- secretKey: NOTIFY_QUEUE_DELAY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: NOTIFY_QUEUE_DELAY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-unseal-config-2
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-unseal-key-2
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: unseal
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: ENVIRONMENT
- secretKey: CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: CHECK_INTERVAL
- secretKey: MAX_CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: MAX_CHECK_INTERVAL
- secretKey: NODES
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: NODES
- secretKey: TLS_SKIP_VERIFY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: TLS_SKIP_VERIFY
- secretKey: TOKENS
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: TOKENS
- secretKey: EMAIL_ENABLED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: EMAIL_ENABLED
- secretKey: NOTIFY_MAX_ELAPSED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: NOTIFY_MAX_ELAPSED
- secretKey: NOTIFY_QUEUE_DELAY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: NOTIFY_QUEUE_DELAY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-unseal-config-3
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-unseal-config-3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: unseal
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: ENVIRONMENT
- secretKey: CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: CHECK_INTERVAL
- secretKey: MAX_CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: MAX_CHECK_INTERVAL
- secretKey: NODES
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: NODES
- secretKey: TLS_SKIP_VERIFY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: TLS_SKIP_VERIFY
- secretKey: TOKENS
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: TOKENS
- secretKey: EMAIL_ENABLED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: EMAIL_ENABLED
- secretKey: NOTIFY_MAX_ELAPSED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: NOTIFY_MAX_ELAPSED
- secretKey: NOTIFY_QUEUE_DELAY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: NOTIFY_QUEUE_DELAY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-token
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: token
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: token
- secretKey: unseal_key_1
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_1
- secretKey: unseal_key_2
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_2
- secretKey: unseal_key_3
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_3
- secretKey: unseal_key_4
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_4
- secretKey: unseal_key_5
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_5

32
clusters/cl01tl/platform/vault/templates/ingress.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vault-tailscale
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-tailscale
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
labels:
tailscale.com/proxy-class: no-metrics
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
spec:
ingressClassName: tailscale
tls:
- hosts:
- vault-cl01tl
secretName: vault-cl01tl
rules:
- host: vault-cl01tl
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vault-active
port:
number: 8200

19
clusters/cl01tl/platform/vault/templates/persistent-volume-claim.yaml
View File

@@ -1,19 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vault-nfs-storage-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-nfs-storage-backup
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi