add external-dns support (#95)

* add external-dns

Signed-off-by: Michael Fornaro <[email protected]>

* [Auto Generation] Adding hydrated manifests

Signed-off-by: Michael Fornaro <[email protected]>

* fix namespace scope

Signed-off-by: Michael Fornaro <[email protected]>

* verbose debugging

Signed-off-by: Michael Fornaro <[email protected]>

* updating virtual services

Signed-off-by: Michael Fornaro <[email protected]>

* add external-dns secret

Signed-off-by: Michael Fornaro <[email protected]>

config/flux/values.yaml

@@ -18,11 +18,12 @@ git:
 registry:
   disableScanning: true
 
+# Disabled due to circular dependency with prometheus-operator being deployed via Flux
 prometheus:
-  enabled: true
+  enabled: false
   serviceMonitor:
     # Enables ServiceMonitor creation for the Prometheus Operator
-    create: true
+    create: false
     interval: 30s
     scrapeTimeout: 10s
     namespace: flux

config/helm-operator/values.yaml

@@ -26,11 +26,12 @@ resources:
     cpu: 50m
     memory: 64Mi
 
+# Disabled due to circular dependency with prometheus-operator being deployed via Flux
 prometheus:
-  enabled: true
+  enabled: false
   serviceMonitor:
     # Enables ServiceMonitor creation for the Prometheus Operator
-    create: true
+    create: false
     interval:
     scrapeTimeout:
     namespace:

namespaces/flux/helm-operator/helm-operator.yaml

@@ -727,7 +727,6 @@ spec:
     metadata:
       annotations:
         checksum/repositories: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-        prometheus.io/scrape: "true"
       labels:
         app: helm-operator
         release: default
@@ -793,25 +792,3 @@ spec:
         secret:
           defaultMode: 256
           secretName: flux-git-ssh-private-key
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  labels:
-    app: helm-operator
-    chart: helm-operator-1.2.0
-    heritage: Helm
-    release: default
-  name: default-helm-operator
-  namespace: flux
-spec:
-  endpoints:
-  - honorLabels: true
-    port: http
-  namespaceSelector:
-    matchNames:
-    - flux
-  selector:
-    matchLabels:
-      app: helm-operator
-      release: default

namespaces/istio-system/vs-jaeger.yaml

@@ -4,6 +4,8 @@ kind: VirtualService
 metadata:
   name: jaeger
   namespace: istio-system
+  annotations:
+    external-dns.alpha.kubernetes.io/target: raspbernetes.com
 spec:
   hosts:
     - 'jaeger.raspbernetes.com'

namespaces/kube-system/sealed-secrets/vs-sealed-secrets.yaml

@@ -4,6 +4,8 @@ kind: VirtualService
 metadata:
   name: sealed-secrets
   namespace: kube-system
+  annotations:
+    external-dns.alpha.kubernetes.io/target: raspbernetes.com
 spec:
   hosts:
     - 'sealed-secrets.raspbernetes.com'

namespaces/network/dex/README.md

@@ -3,5 +3,5 @@
 Enter valid secrets into the values.yaml and use the following command to generate the secret, then use sealed secrets to encrypt these values to be used within the helm release resource.
 
 ```bash
-kubectl -n network create secret generic dex-values --from-file=values.yaml=config/dex/values.yaml --dry-run=true -o yaml > secret.yaml
+kubectl -n network create secret generic dex-helm-values --from-file=values.yaml=config/dex/values.yaml --dry-run=true -o yaml > secret.yaml
 ```

namespaces/network/dex/vs-dex.yaml → namespaces/network/dex/virtualservice.yaml

@@ -4,6 +4,8 @@ kind: VirtualService
 metadata:
   name: dex
   namespace: network
+  annotations:
+    external-dns.alpha.kubernetes.io/target: raspbernetes.com
 spec:
   hosts:
     - 'dex.raspbernetes.com'

namespaces/network/external-dns/external-dns.yaml

@@ -0,0 +1,47 @@
+---
+apiVersion: helm.fluxcd.io/v1
+kind: HelmRelease
+metadata:
+  name: external-dns
+  namespace: network
+  annotations:
+    fluxcd.io/ignore: 'false'
+    fluxcd.io/automated: 'false'
+spec:
+  releaseName: external-dns
+  chart:
+    repository: https://charts.bitnami.com/bitnami
+    name: external-dns
+    version: 3.3.0
+  values:
+    image:
+      registry: docker.io
+      repository: raspbernetes/external-dns
+      tag: v0.7.3
+      pullPolicy: IfNotPresent
+    provider: cloudflare
+    policy: upsert-only
+    registry: 'txt'
+    replicas: 1
+    logLevel: debug
+    rbac:
+      create: true
+      pspEnabled: true
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+        namespace: observability
+    crd:
+      create: true
+    sources:
+      - service
+      - ingress
+      - istio-gateway
+      - istio-virtualservice
+    domainFilters:
+      - raspbernetes.com
+    cloudflare:
+      secretName: 'cloudflare-external-dns'
+      email: '[email protected]'
+      proxied: true

namespaces/network/external-dns/secret.encrypted.yaml

@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: cloudflare-external-dns
+  namespace: network
+spec:
+  encryptedData:
+    cloudflare_api_token: AgCAGo8+uhIFpkMVasAWDRC3Vnr98ZH/JWsSQhY9pwYyEd01Wd3LQlZOiRToajW2ZWEMfzzDSR2j5cJbqfHV9U6xeY3NB3tooQX5fOxhAQ0Q5EVWGXLSczBuEID4+y7SH16SnZhNDbwmRzUf1Iqn5AfQ/Ybma52zTsYG+WLT6lfrcDTl0odsTa5+6nl+ti2AekEdNiu1WSr7qVHZBUV+q9pfUoal/gRHsFWcdZ5XFhsse0bbZ9mvWHLgCOrBQNb4Cy8Nyv7ImaUQM1tnKN67rASx0OAHiZNu8En36dRryYO1G0VxQ+WbMFOTZqLv8qr0Vrs7TPYQRRxYLW0s9cQrLw1uRf2xeRfyXwcUYMSMuDxfxkdYeBzB6ZAOjXzaT3dlNp1LMQCwdTNPUOZ5fG4rDIefdQ7wVTjcv+6UMNAur/MKRLLPdsV//UFHGhRRgdxErfWdcuvhtK8n4bOJcEUYzMSgoMVH6kcbkul5TZLFErnaXEe8+KpOaQpPIwXuzs/VCQWFYKWy95EXJLZTAuiz5s3KKVDCRWbv4gBqnj9HwxLsdLZW4/oX2upsTc2SbBaO9IFN5/AI0HmJS0ABEJMCJ9ppvBdOIyLVuSHT3HgNf3V/esEVWtbAmVvjsWS3fKZ7OySIKenUoSN8VBOiNrr8xS3SivrQVqkkmSDp4jNyz5Sdpn3ZOfZBrdRa6eFnk45fOdHuERtiBR8hrTo8QQ3WHHZ5SbvG/m7TBFg/lu03yZsAZVzll32UWbuq
+  template:
+    metadata:
+      creationTimestamp: null
+      name: cloudflare-external-dns
+      namespace: network
+

namespaces/network/oauth2-proxy/vs-oauth2-proxy.yaml → namespaces/network/oauth2-proxy/virtualservice.yaml

@@ -4,6 +4,8 @@ kind: VirtualService
 metadata:
   name: auth
   namespace: network
+  annotations:
+    external-dns.alpha.kubernetes.io/target: raspbernetes.com
 spec:
   hosts:
     - 'auth.raspbernetes.com'

namespaces/istio-system/vs-kiali.yaml → namespaces/observability/kiali/vs-kiali.yaml

@@ -3,17 +3,18 @@ apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
   name: kiali
-  namespace: istio-system
+  namespace: observability
+  annotations:
+    external-dns.alpha.kubernetes.io/target: raspbernetes.com
 spec:
   hosts:
     - 'kiali.raspbernetes.com'
   gateways:
     - istio-system/istio-system-ingress-gateway
   http:
-    - match:
-        - port: 443
-      route:
+    - route:
         - destination:
             port:
               number: 20001
             host: kiali.observability.svc.cluster.local
+          weight: 100

namespaces/observability/prometheus-operator/vs-alert-manager.yaml

@@ -4,6 +4,8 @@ kind: VirtualService
 metadata:
   name: alert-manager
   namespace: observability
+  annotations:
+    external-dns.alpha.kubernetes.io/target: raspbernetes.com
 spec:
   hosts:
     - 'alert-manager.raspbernetes.com'

namespaces/observability/prometheus-operator/vs-grafana.yaml

@@ -4,6 +4,8 @@ kind: VirtualService
 metadata:
   name: grafana
   namespace: observability
+  annotations:
+    external-dns.alpha.kubernetes.io/target: raspbernetes.com
 spec:
   hosts:
     - 'grafana.raspbernetes.com'

namespaces/observability/prometheus-operator/vs-prometheus.yaml

@@ -4,6 +4,8 @@ kind: VirtualService
 metadata:
   name: prometheus
   namespace: observability
+  annotations:
+    external-dns.alpha.kubernetes.io/target: raspbernetes.com
 spec:
   hosts:
     - 'prometheus.raspbernetes.com'