feat: install external-dns

kubernetes/main/apps/network/external-dns/app/secret.sops.yaml

@@ -4,6 +4,7 @@ metadata:
     name: external-dns-secret
 stringData:
     api-token: ENC[AES256_GCM,data:FYb0yfgumZa5z1xPI290u7eB8FqoRfg43TTVGP8HN5ncoaSLtDEEsg==,iv:/IdbbvzLZ2rR5xdBqNfYV5ysmBlZYexN0BhYeY7yuXM=,tag:dSLaxby5xaYkFX4u/6vBrA==,type:str]
+    pihole: ENC[AES256_GCM,data:zD244xAMwm2dfSwUN52Kjg==,iv:OTMkg2QGhZLPmCKYVOANzZka2FrrFj8zaoHp62n396o=,tag:ek+B3ammueU3tnpqA5kMQg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -19,8 +20,8 @@ sops:
             eE85OENEUHliZ0hDL3JuV0JhS1VEb1UKGPa6W0/pUc/BrQIuWRWIvtWuBH6zIL20
             uP6ZwABdx8Lcr929zOXZixLPSikL694hNulcjZfA9ttzPPB3j2vkUg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-05T13:28:30Z"
-    mac: ENC[AES256_GCM,data:1W4mefNiB6JWZuUElyI/DBEymdzZoYo/sFM11ojD3zlkGjohaqdJcAbORLtwTTKwxZCUDz5xFqCuWhY0kPJ17jm8Wkr+IE6h/p4KBwhN7C+wBI6EMh5sZVB3px6gBeq9TXnsQXD9bS1VfBaLFRGXSZYVuvZM2f3opcM3mPKHHN0=,iv:WtC2Hq2CoNtKzIQz1+VaHRwsJkjzwOvVdZHUs6zhuh4=,tag:o6P0SGXCM2FzEGmT2ziuWQ==,type:str]
+    lastmodified: "2024-07-23T14:42:05Z"
+    mac: ENC[AES256_GCM,data:FPMMWuNnBO5lYX82B7jNAKxRejO71NJxOUYzUzH3N6L4wkJfaPoBhv3U9VL4MoZ/Hd3xRLtZYjCFVtyHRYmkcheI+nNgrY+PaVE/7b4cyz+xn9kEf3H2tfRC58iLbECzYwgddsSG42lqST2uQlyyH/0gjSmOBQ0C/IobUk9pXv0=,iv:Oyp2v0jn+7YWEgfwcbrG9wVkh+cITLO5HQojSlsKcmA=,tag:ZEXz1gsuZG8x3vsG6GPfkw==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
-    version: 3.7.3
+    version: 3.8.1

kubernetes/main/apps/network/external-dns/internal/helmrelease.yaml

@@ -0,0 +1,43 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app external-dns
+spec:
+  interval: 1h
+  chart:
+    spec:
+      chart: external-dns
+      version: 1.14.5
+      sourceRef:
+        kind: HelmRepository
+        name: external-dns
+        namespace: flux-system
+  install:
+    crds: CreateReplace
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    crds: CreateReplace
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    provider: pihole
+    extraArgs:
+      - --pihole-server=http://192.168.0.8
+      - --ingress-class=internal
+    policy: upsert-only
+    sources: ["ingress", "service"]
+    registry: noop
+    domainFilters: ["web3.wiki.br"]
+    env:
+      - name: &name EXTERNAL_DNS_PIHOLE_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: &secret external-dns-secret
+            key: pihole
+    serviceMonitor:
+      enabled: true

kubernetes/main/apps/network/external-dns/internal/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml

kubernetes/main/apps/network/external-dns/ks.yaml

@@ -19,3 +19,24 @@ spec:
   interval: 30m
   retryInterval: 1m
   timeout: 5m
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app external-dns-pihole
+  namespace: flux-system
+spec:
+  targetNamespace: network
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/main/apps/network/external-dns/internal
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/turing/flux/repositories/helm/external-dns.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: external-dns
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://kubernetes-sigs.github.io/external-dns

kubernetes/turing/flux/repositories/helm/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 resources:
   - ./bjw-s.yaml
   - ./cilium.yaml
+  - ./external-dns.yaml
   - ./ingress-nginx.yaml
   - ./jetstack.yaml
   - ./k8s-gateway.yaml

kubernetes/turing/kube-system/cilium/app/helmrelease.yaml

@@ -52,13 +52,13 @@ spec:
           enabled: true
           className: internal
           hosts:
-            - "hubble2.web3.wiki.br"
+            - "hubble.turing.web3.wiki.br"
           tls:
             - hosts:
-                - "hubble2.web3.wiki.br"
+                - "hubble.turing.web3.wiki.br"
     ipam:
       mode: kubernetes
-    ipv4NativeRoutingCIDR: "192.168.0.0/24"
+    ipv4NativeRoutingCIDR: "10.68.0.0/16"
     k8sServiceHost: 127.0.0.1
     k8sServicePort: 6444
     kubeProxyReplacement: true
@@ -72,4 +72,23 @@ spec:
     operator:
       replicas: 1
       rollOutPods: true
+    rollOutCiliumPods: true
     routingMode: native
+    securityContext:
+      capabilities:
+        ciliumAgent:
+          - CHOWN
+          - KILL
+          - NET_ADMIN
+          - NET_RAW
+          - IPC_LOCK
+          - SYS_ADMIN
+          - SYS_RESOURCE
+          - DAC_OVERRIDE
+          - FOWNER
+          - SETGID
+          - SETUID
+        cleanCiliumState:
+          - NET_ADMIN
+          - SYS_ADMIN
+          - SYS_RESOURCE

kubernetes/turing/media/jellyfin/app/helmrelease.yaml

@@ -89,7 +89,7 @@ spec:
           gethomepage.dev/icon: jellyfin.png
           gethomepage.dev/name: Jellyfin
         hosts:
-          - host: &host jellyfin.${SECRET_DOMAIN}
+          - host: &host jellyfin.turing.${SECRET_DOMAIN}
             paths:
               - path: /
                 pathType: Prefix

kubernetes/turing/network/external-dns/app/helmrelease.yaml

@@ -0,0 +1,43 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app external-dns
+spec:
+  interval: 1h
+  chart:
+    spec:
+      chart: external-dns
+      version: 1.14.5
+      sourceRef:
+        kind: HelmRepository
+        name: external-dns
+        namespace: flux-system
+  install:
+    crds: CreateReplace
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    crds: CreateReplace
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    provider: pihole
+    extraArgs:
+      - --pihole-server=http://192.168.0.8
+      - --ingress-class=internal
+    policy: upsert-only
+    sources: ["ingress", "service"]
+    registry: noop
+    domainFilters: ["web3.wiki.br"]
+    env:
+      - name: &name EXTERNAL_DNS_PIHOLE_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: &secret pihole-password
+            key: *name
+    serviceMonitor:
+      enabled: true

kubernetes/turing/network/external-dns/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml

kubernetes/turing/network/external-dns/app/secret.sops.yaml

@@ -0,0 +1,37 @@
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+    name: pihole-password
+    namespace: network
+data:
+    EXTERNAL_DNS_PIHOLE_PASSWORD: ENC[AES256_GCM,data:y2TMM2D4KBj1RH7IliJNA2Ppbth7TUv4,iv:MuHhnyBmzXXoXo0yarhsc/IBQX87VE867fim9m9MMk4=,tag:N1RjjmbVqAPJChbLsU4bcw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1nkvss2a8xvmjauvr5mxzm233hyh2mk2fg4s6pt0t0kcn03dv34wqtgymg8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQTIxTERiRUVJbFFrMlBx
+            czBVbFl5NC9tcFZaNzB3RjBlK2xtZXB1NkVNCm9xY0cwV3JjcHdNaEpRZ1RWRk5u
+            dXZZZE1CSmsveXFCRTF1LytHRTIwNzgKLS0tIERGa2FKVHVqTUNhckZOSFQ5aFZx
+            OFpRSGJ4VVJiS0VENVlsZXRyd3haem8KVIO8yuq8Qr/S3rK4oMFhXAIvoI8Pw+E3
+            kO8LqkJVtG+iqFuVF9gi6wJn432kT/DHzHm22dp6R8+EcZ4E0zmC/g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wxwqdrmkwkzsxajp58g0cgeextgf4wq287fv82pptv9yghkfgcqql66zhj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bDVKQUdNYmE5byswaGts
+            d3ZodllTMkN0WCtQa1VRamU1Yk9ORnRmWFg0CjdpYlRQd3RkNzdpaUhaYURaYlQ5
+            MC8rdngyMmFza0JFYjFhUXdqMnRQWWsKLS0tIFNraHd4YW1BK3dQMlU0ZldlZkRM
+            U2dHQTNCYmRRMncvKzFxZWRkMG9CMDgKxhpMKdLPUiCVAEAc5O26bISuopUBiLHF
+            rldQq17sMi7ymIE5BrLtwXpLpIKUl/szwwI1QXbbD2tXV0ZUdaqVNg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-07-23T19:43:06Z"
+    mac: ENC[AES256_GCM,data:idtkUwkKUeKhvHhuWqoZMPloCOajDzHazafwBp8fDY1HS+Qx0fArw8z76VFql3YdPg6bX0/nb0pzLC3ceUyW8zBV+XQ56BfdN2LHJ6C1QeQDD365RUs6HwVN7ja4FGc69NF+oe4b0M/uTycpdZ4+Rb46HtxNOhrMsD1PHK5E0ws=,iv:Jik+F/tVjKiiNHAqn+rX+It7TnNzO1Pn1wICmzHQAuo=,tag:tSX4MAK/vzW5gezYkfnpng==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

kubernetes/turing/network/external-dns/ks.yaml

@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app external-dns
+  namespace: flux-system
+spec:
+  targetNamespace: network
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/turing/network/external-dns/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/turing/network/kustomization.yaml

@@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./cert-manager/ks.yaml
+  - ./external-dns/ks.yaml
   - ./ingress-nginx/ks.yaml
-  - ./namespace.yaml
   - ./k8s-gateway/ks.yaml
+  - ./namespace.yaml