fix(kubernetes): bootstrapping fix and some cleanup (#3364)

buroa · Jan 27, 2025 · 8ac7daa · 8ac7daa
1 parent 56c2d92
commit 8ac7daa
Show file tree

Hide file tree

Showing 72 changed files with 212 additions and 156 deletions.
diff --git a/kubernetes/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml b/kubernetes/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: onepassword-connect
+    name: onepassword
   target:
     name: actions-runner-controller-secret
     creationPolicy: Owner

diff --git a/kubernetes/apps/actions-runner-system/actions-runner-controller/ks.yaml b/kubernetes/apps/actions-runner-system/actions-runner-controller/ks.yaml
@@ -9,7 +9,7 @@ spec:
     labels:
       app.kubernetes.io/name: *app
   dependsOn:
-    - name: external-secrets-stores
+    - name: onepassword-store
       namespace: external-secrets
   interval: 30m
   path: ./kubernetes/apps/actions-runner-system/actions-runner-controller/app

diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
@@ -21,13 +21,6 @@ spec:
     remediation:
       strategy: rollback
       retries: 3
-  values:
-    crds:
-      enabled: true
-    replicaCount: 2
-    dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
-    dns01RecursiveNameserversOnly: true
-    prometheus:
-      enabled: true
-      servicemonitor:
-        enabled: true
+  valuesFrom:
+    - kind: ConfigMap
+      name: cert-manager-helm-values
diff --git a/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml
@@ -4,3 +4,9 @@ kind: Kustomization
 resources:
   - ./helmrelease.yaml
   - ./prometheusrule.yaml
+configMapGenerator:
+  - name: cert-manager-helm-values
+    files:
+      - ./resources/values.yaml
+configurations:
+  - ./kustomizeconfig.yaml
diff --git a/kubernetes/apps/cert-manager/cert-manager/app/kustomizeconfig.yaml b/kubernetes/apps/cert-manager/cert-manager/app/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/kubernetes/apps/cert-manager/cert-manager/app/resources/values.yaml b/kubernetes/apps/cert-manager/cert-manager/app/resources/values.yaml
@@ -0,0 +1,10 @@
+---
+crds:
+  enabled: true
+replicaCount: 1
+dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
+dns01RecursiveNameserversOnly: true
+prometheus:
+  enabled: true
+  servicemonitor:
+    enabled: true
diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/externalsecret.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/externalsecret.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: onepassword-connect
+    name: onepassword
   target:
     name: cloudflare-issuer-secret
     creationPolicy: Owner

diff --git a/kubernetes/apps/cert-manager/cert-manager/ks.yaml b/kubernetes/apps/cert-manager/cert-manager/ks.yaml
@@ -31,7 +31,7 @@ spec:
   dependsOn:
     - name: cert-manager
       namespace: *namespace
-    - name: external-secrets-stores
+    - name: onepassword-store
       namespace: external-secrets
   interval: 30m
   path: ./kubernetes/apps/cert-manager/cert-manager/issuers

diff --git a/kubernetes/apps/databases/cloudnative-pg/app/externalsecret.yaml b/kubernetes/apps/databases/cloudnative-pg/app/externalsecret.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: onepassword-connect
+    name: onepassword
   target:
     name: cloudnative-pg-secret
     creationPolicy: Owner

diff --git a/kubernetes/apps/databases/cloudnative-pg/ks.yaml b/kubernetes/apps/databases/cloudnative-pg/ks.yaml
@@ -9,7 +9,7 @@ spec:
     labels:
       app.kubernetes.io/name: *app
   dependsOn:
-    - name: external-secrets-stores
+    - name: onepassword-store
       namespace: external-secrets
   interval: 30m
   path: ./kubernetes/apps/databases/cloudnative-pg/app

diff --git a/kubernetes/apps/databases/emqx/app/externalsecret.yaml b/kubernetes/apps/databases/emqx/app/externalsecret.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: onepassword-connect
+    name: onepassword
   target:
     name: emqx-secret
     template:
@@ -25,7 +25,7 @@ spec:
   refreshInterval: 5m
   secretStoreRef:
     kind: ClusterSecretStore
-    name: onepassword-connect
+    name: onepassword
   target:
     name: emqx-init-user-secret
     template:

diff --git a/kubernetes/apps/databases/emqx/ks.yaml b/kubernetes/apps/databases/emqx/ks.yaml
@@ -11,7 +11,7 @@ spec:
   dependsOn:
     - name: cert-manager
       namespace: cert-manager
-    - name: external-secrets-stores
+    - name: onepassword-store
       namespace: external-secrets
   interval: 30m
   path: ./kubernetes/apps/databases/emqx/app

diff --git a/kubernetes/apps/external-secrets/external-secrets/app/helmrelease.yaml b/kubernetes/apps/external-secrets/external-secrets/app/helmrelease.yaml
@@ -21,20 +21,6 @@ spec:
     remediation:
       strategy: rollback
       retries: 3
-  values:
-    installCRDs: true
-    image: &image
-      repository: ghcr.io/external-secrets/external-secrets
-    certController:
-      image: *image
-      serviceMonitor:
-        enabled: true
-        interval: 1m
-    webhook:
-      image: *image
-      serviceMonitor:
-        enabled: true
-        interval: 1m
-    serviceMonitor:
-      enabled: true
-      interval: 1m
+  valuesFrom:
+    - kind: ConfigMap
+      name: external-secrets-helm-values
diff --git a/kubernetes/apps/external-secrets/external-secrets/app/kustomization.yaml b/kubernetes/apps/external-secrets/external-secrets/app/kustomization.yaml
@@ -3,3 +3,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./helmrelease.yaml
+configMapGenerator:
+  - name: external-secrets-helm-values
+    files:
+      - ./resources/values.yaml
+configurations:
+  - ./kustomizeconfig.yaml
diff --git a/kubernetes/apps/external-secrets/external-secrets/app/kustomizeconfig.yaml b/kubernetes/apps/external-secrets/external-secrets/app/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease
diff --git a/kubernetes/apps/external-secrets/external-secrets/app/resources/values.yaml b/kubernetes/apps/external-secrets/external-secrets/app/resources/values.yaml
@@ -0,0 +1,21 @@
+---
+installCRDs: true
+replicaCount: 1
+leaderElect: true
+image:
+  repository: ghcr.io/external-secrets/external-secrets
+webhook:
+  image:
+    repository: ghcr.io/external-secrets/external-secrets
+  serviceMonitor:
+    enabled: true
+    interval: 1m
+certController:
+  image:
+    repository: ghcr.io/external-secrets/external-secrets
+  serviceMonitor:
+    enabled: true
+    interval: 1m
+serviceMonitor:
+  enabled: true
+  interval: 1m
diff --git a/kubernetes/apps/external-secrets/external-secrets/ks.yaml b/kubernetes/apps/external-secrets/external-secrets/ks.yaml
@@ -18,26 +18,3 @@ spec:
   targetNamespace: *namespace
   timeout: 5m
   wait: true
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app external-secrets-stores
-  namespace: &namespace external-secrets
-spec:
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  dependsOn:
-    - name: external-secrets
-      namespace: *namespace
-  interval: 30m
-  path: ./kubernetes/apps/external-secrets/external-secrets/stores
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-    namespace: flux-system
-  targetNamespace: *namespace
-  timeout: 5m
-  wait: true
diff --git a/kubernetes/apps/external-secrets/kustomization.yaml b/kubernetes/apps/external-secrets/kustomization.yaml
@@ -4,7 +4,7 @@ kind: Kustomization
 namespace: external-secrets
 resources:
   - ./external-secrets/ks.yaml
-  - ./onepassword-connect/ks.yaml
+  - ./onepassword/ks.yaml
 components:
   - ../../flux/components/alerts
   - ../../flux/components/namespace
diff --git a/kubernetes/apps/external-secrets/onepassword-connect/ks.yaml b/kubernetes/apps/external-secrets/onepassword-connect/ks.yaml
diff --git a/.../onepassword-connect/app/helmrelease.yaml → ...-secrets/onepassword/app/helmrelease.yaml b/.../onepassword-connect/app/helmrelease.yaml → ...-secrets/onepassword/app/helmrelease.yaml
@@ -2,7 +2,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: &app onepassword-connect
+  name: &app onepassword
 spec:
   interval: 30m
   chart:
@@ -23,7 +23,7 @@ spec:
       retries: 3
   values:
     controllers:
-      onepassword-connect:
+      onepassword:
         strategy: RollingUpdate
         annotations:
           reloader.stakater.com/auto: "true"
@@ -40,7 +40,7 @@ spec:
               OP_SESSION:
                 valueFrom:
                   secretKeyRef:
-                    name: onepassword-connect-secret
+                    name: onepassword-secret
                     key: 1password-credentials.json
             probes:
               liveness:
@@ -82,7 +82,7 @@ spec:
               OP_SESSION:
                 valueFrom:
                   secretKeyRef:
-                    name: onepassword-connect-secret
+                    name: onepassword-secret
                     key: 1password-credentials.json
             probes:
               liveness:

diff --git a/...nepassword-connect/app/kustomization.yaml → ...ecrets/onepassword/app/kustomization.yaml b/...nepassword-connect/app/kustomization.yaml → ...ecrets/onepassword/app/kustomization.yaml
diff --git a/kubernetes/apps/external-secrets/onepassword/ks.yaml b/kubernetes/apps/external-secrets/onepassword/ks.yaml
@@ -0,0 +1,46 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app onepassword
+  namespace: &namespace external-secrets
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: external-secrets
+      namespace: *namespace
+  interval: 30m
+  path: ./kubernetes/apps/external-secrets/onepassword/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: *namespace
+  timeout: 5m
+  wait: true
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app onepassword-store
+  namespace: &namespace external-secrets
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: onepassword
+      namespace: *namespace
+  interval: 30m
+  path: ./kubernetes/apps/external-secrets/onepassword/store
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: *namespace
+  timeout: 5m
+  wait: true
diff --git a/...xternal-secrets/stores/kustomization.yaml → ...rets/onepassword/store/kustomization.yaml b/...xternal-secrets/stores/kustomization.yaml → ...rets/onepassword/store/kustomization.yaml
@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./onepassword-connect.yaml
+  - ./onepassword.yaml
diff --git a/...l-secrets/stores/onepassword-connect.yaml → ...ecrets/onepassword/store/onepassword.yaml b/...l-secrets/stores/onepassword-connect.yaml → ...ecrets/onepassword/store/onepassword.yaml
@@ -2,16 +2,16 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
-  name: onepassword-connect
+  name: onepassword
 spec:
   provider:
     onepassword:
-      connectHost: http://onepassword-connect.external-secrets.svc.cluster.local
+      connectHost: http://onepassword.external-secrets.svc.cluster.local
       vaults:
         K8s: 1
       auth:
         secretRef:
           connectTokenSecretRef:
-            name: onepassword-connect-secret
+            name: onepassword-secret
             key: token
             namespace: external-secrets
diff --git a/kubernetes/apps/flux-system/flux-operator/instance/webhook/externalsecret.yaml b/kubernetes/apps/flux-system/flux-operator/instance/webhook/externalsecret.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: onepassword-connect
+    name: onepassword
   target:
     name: github-webhook-token-secret
     creationPolicy: Owner

diff --git a/kubernetes/apps/home/atuin/app/externalsecret.yaml b/kubernetes/apps/home/atuin/app/externalsecret.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: onepassword-connect
+    name: onepassword
   target:
     name: atuin-secret
     creationPolicy: Owner

diff --git a/kubernetes/apps/home/atuin/ks.yaml b/kubernetes/apps/home/atuin/ks.yaml
@@ -11,7 +11,7 @@ spec:
   dependsOn:
     - name: cloudnative-pg-cluster
       namespace: databases
-    - name: external-secrets-stores
+    - name: onepassword-store
       namespace: external-secrets
   interval: 30m
   path: ./kubernetes/apps/home/atuin/app

diff --git a/kubernetes/apps/home/go2rtc/app/externalsecret.yaml b/kubernetes/apps/home/go2rtc/app/externalsecret.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: onepassword-connect
+    name: onepassword
   target:
     name: go2rtc-secret
     creationPolicy: Owner