From 0263bb4c22c4d806e162e2d10b631e7f93454372 Mon Sep 17 00:00:00 2001
From: auricom
Date: Wed, 19 May 2021 09:35:16 +0200
Subject: [PATCH] feat: migrate secrets to kubernetes-reflector
---
 cluster/apps/networking/kustomization.yaml | 1 -
 .../networking/secret-reflector/cronjob.yaml | 48 -------------------
 .../secret-reflector/kustomization.yaml | 5 --
 .../networking/secret-reflector/rbac.yaml | 40 ----------------
 cluster/base-custom/secrets/ingress-tls.yaml | 10 ++++
 .../base-custom/secrets/kustomization.yaml | 1 +
 cluster/base-custom/secrets/regcred.yaml | 47 +++--------------
 cluster/base-custom/secrets/replicated.yaml | 28 ++++++++++-
 8 files changed, 43 insertions(+), 137 deletions(-)
 delete mode 100644 cluster/apps/networking/secret-reflector/cronjob.yaml
 delete mode 100644 cluster/apps/networking/secret-reflector/kustomization.yaml
 delete mode 100644 cluster/apps/networking/secret-reflector/rbac.yaml
 create mode 100644 cluster/base-custom/secrets/ingress-tls.yaml
diff --git a/cluster/apps/networking/kustomization.yaml b/cluster/apps/networking/kustomization.yaml
index ce8a63eeb..39024ea04 100644
--- a/cluster/apps/networking/kustomization.yaml
+++ b/cluster/apps/networking/kustomization.yaml
@@ -5,5 +5,4 @@ resources:
 - certificate
 - ingress-nginx
 - k8s-gateway
- - secret-reflector
 - unifi
diff --git a/cluster/apps/networking/secret-reflector/cronjob.yaml b/cluster/apps/networking/secret-reflector/cronjob.yaml
deleted file mode 100644
index 224772a75..000000000
--- a/cluster/apps/networking/secret-reflector/cronjob.yaml
+++ /dev/null
@@ -1,48 +0,0 @@ ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: secret-reflector - namespace: networking -spec: - schedule: "0 0 */2 * *" - jobTemplate: - spec: - template: - spec: - serviceAccountName: sa-secret-reflector - containers: - - name: secret-reflector - image: bitnami/kubectl:1.21.1 - command: - - "/bin/sh" - - "-ec" - - | - set -o nounset - set -o errexit - # space delimited secrets to copy - SECRETS=$(kubectl get secrets -n networking | grep -i tls | awk '{print $1}') - # source namespace to reflect secret from - NAMESPACE_SOURCE="networking" - # space delimited namespace where to reflect the secrets to - NAMESPACE_DEST="kasten-io" - for secret in ${SECRETS}; do - secret_source_content="$(kubectl get secret "${secret}" -n "${NAMESPACE_SOURCE}" -o json | jq 'del(.metadata.managedFields, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid)')" - secret_source_checksum="$(echo "${secret_source_content}" | jq 'del(.metadata.namespace)' | md5sum | awk '{ print $1 }')" - for namespace in ${NAMESPACE_DEST}; do - if kubectl get secret "${secret}" -n "${namespace}" >/dev/null 2>&1; then - secret_dest_content="$(kubectl get secret "${secret}" -n "${namespace}" -o json | jq 'del(.metadata.managedFields, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid)')" - secret_dest_checksum="$(echo "${secret_dest_content}" | jq 'del(.metadata.namespace)' | md5sum | awk '{ print $1 }')" - if [ "${secret_source_checksum}" != "${secret_dest_checksum}" ]; then - echo "${secret_source_content}" | \ - jq -r --arg namespace "$namespace" '.metadata.namespace = $namespace' | \ - kubectl replace -n "${namespace}" -f - - fi - else - echo "${secret_source_content}" | \ - jq -r --arg namespace "$namespace" '.metadata.namespace = $namespace' | \ - kubectl apply -n "${namespace}" -f - - fi - done - done - restartPolicy: OnFailure 
diff --git a/cluster/apps/networking/secret-reflector/kustomization.yaml b/cluster/apps/networking/secret-reflector/kustomization.yaml
deleted file mode 100644
index 0d36f3cdb..000000000
--- a/cluster/apps/networking/secret-reflector/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - cronjob.yaml
- - rbac.yaml
diff --git a/cluster/apps/networking/secret-reflector/rbac.yaml b/cluster/apps/networking/secret-reflector/rbac.yaml
deleted file mode 100644
index a29ff6bbb..000000000
--- a/cluster/apps/networking/secret-reflector/rbac.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: sa-secret-reflector
- namespace: networking
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: secret-reflector
-rules:
- - apiGroups: [""]
- resources: ["configmaps", "secrets"]
- verbs: ["*"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["watch", "list"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["watch", "list"]
- - apiGroups: ["certmanager.k8s.io"]
- resources: ["certificates", "certificates/finalizers"]
- verbs: ["watch", "list"]
- - apiGroups: ["cert-manager.io"]
- resources: ["certificates", "certificates/finalizers"]
- verbs: ["watch", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: secret-reflector
-roleRef:
- kind: ClusterRole
- name: secret-reflector
- apiGroup: rbac.authorization.k8s.io
-subjects:
- - kind: ServiceAccount
- name: sa-secret-reflector
- namespace: networking
diff --git a/cluster/base-custom/secrets/ingress-tls.yaml b/cluster/base-custom/secrets/ingress-tls.yaml
new file mode 100644
index 000000000..e5199709a
--- /dev/null
+++ b/cluster/base-custom/secrets/ingress-tls.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ replicator.v1.mittwald.de/replication-allowed: "true"
+ replicator.v1.mittwald.de/replication-allowed-namespaces: networking
+ name: k3s-xpander-ovh-tls
+ namespace: networking
+data: {}
diff --git a/cluster/base-custom/secrets/kustomization.yaml b/cluster/base-custom/secrets/kustomization.yaml
index 2eb87b985..97b23a0ab 100644
--- a/cluster/base-custom/secrets/kustomization.yaml
+++ b/cluster/base-custom/secrets/kustomization.yaml
@@ -3,5 +3,6 @@ kind: Kustomization
 resources:
 - cluster-secrets.yaml
 - drone-pipelines.yaml
+ - ingress-tls.yaml
 - regcred.yaml
 - replicated.yaml
diff --git a/cluster/base-custom/secrets/regcred.yaml b/cluster/base-custom/secrets/regcred.yaml
index 928617aad..415a08779 100644
--- a/cluster/base-custom/secrets/regcred.yaml
+++ b/cluster/base-custom/secrets/regcred.yaml
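Review bot: The allow-list on the new source Secret names `networking`, its own namespace, while the only consumer visible in this patch is the `k3s-xpander-ovh-tls` stub in `kasten-io` (replicated.yaml, `replicate-from: networking/k3s-xpander-ovh-tls`); the mittwald replicator reads `replication-allowed-namespaces` as the set of namespaces permitted to pull from this Secret, so as written the pull into kasten-io would be refused. It should read `replicator.v1.mittwald.de/replication-allowed-namespaces: kasten-io`, kept to that single namespace rather than a wildcard so the certificate's private key is copied no further than the one consumer that needs it. Separately, this stub carries `data: {}` and no `type`, whereas the kasten-io copy declares `type: kubernetes.io/tls`; a Secret's type is immutable, so if the live networking/k3s-xpander-ovh-tls is the cert-manager-issued object (inferred from the `certificate` entry in networking's kustomization, not shown here), applying an Opaque stub over it would be rejected or would leave two reconcilers contending for one object. Adding `type: kubernetes.io/tls` removes the type mismatch; if the deployed cert-manager supports `secretTemplate` on the Certificate, carrying the two annotations there would avoid the second owner altogether.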
@@ -1,57 +1,22 @@ kind: Secret apiVersion: v1 -metadata: - name: regcred - namespace: media -data: - .dockerconfigjson: ENC[AES256_GCM,data:Ea4JKvWLypyXjRkT1Fro7OM6WVdmfZ7J9Iy7Rrh4nJ63H49rAkeyaPoxSPJ1XlO//PJ7daOeYC1QqAmfqDW58VmYgWjaEaz6NNfXNNNuI+ibE4Z+5a7GdzOpXuAj66cHJ5w7GzOO05iH0QEZ4DuKDEyhO5OxtkdNYtE35QMT5NtrXVTqDSdHYEO9YRGhZH3jScSfIz7u+c68Ns0Z5vTP4QQbF2JvqOoC5wSG6VHEs5g5vzYdY4LdBNeDOQXzPStMtEu7QraCfAQcBvoxgtvugM2CWv/XfdSb0kylQwvvRAw=,iv:Tu+8/76zYmaR6ItGwHjR3CjSCbrHnS9RYp2XbenXJng=,tag:QxTnuEGejoP6jqmbhS5uoA==,type:str] -type: kubernetes.io/dockerconfigjson -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-05-01T21:34:06Z" - mac: ENC[AES256_GCM,data:Igh15GsGGSvBc4AkErY0210N2yWS8CiMLad4Q9dkt+qxNIksDxpNBhBIq59fNsqh3qrXMkeOC3xORVTVB7/7yhIHjMHtsFu8d7mdMIcT948EtloH0uivo/6jThs32BE1J6WS5ifBfIh8UCTaCPZr1zCnweOzut+xfDNlDjMW5ZQ=,iv:Q/cCruxcO2d6/RILvlNCgyy7YlbKz2wfKKOqwDucRow=,tag:xoL7ztc3bQv0kxDl38fz3g==,type:str] - pgp: - - created_at: "2021-04-15T00:19:38Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQGMA/JorPHm1g9XAQv/YR1Bb5mYrJy9ZiyBJvWtQuGIWv0bB5DqhawfDwLKnbMa - vk3G7FNzjePv9r2iiuQVmFFgk/afmegUou/ah4HbrjaMGEYSyuA5FbsfIZsyWIOG - Ho1QcrwT39vWleiP5rTowmseoyAlf97GZQHeElWTIg9l00iHxr8Gi/hwdwFws1xq - EkC1sYhxg5DZFERmWHSwfdHjGOPtSfgR9rp/Zhm3lp7h2G7ShGAj4uJHdT+gzScL - 5dpHPccKptgno5b83bIj+thUlVOw6LmJYe/HnxP6lB3il2SWNDQQlYHYm+E7WNCI - Ubn8aTAvbIV5UZSsBGPAzLJp2Z66BSCNuLg3INt4HWeN6Eqnkzfm1XG5nuyTl6uT - gzbiDjTlHjqOGBoP41+1D53BkDUg7KA2woqGPhxFtSFvWLHS2640GiaGN49UAs7X - XaJjlR4HRR+LVUPfkxUJ1v+JnxbbUyA+3LI6x6RHsJHc+mI7lPlj+NmommAHH95K - qzuThqdj7WNKszPreVRT0lwBVroqOIGHbaj+o9lbR0hZm+pcFWU5CcHVAULRFiIV - Che9Dz2rCoOhQGd368/QtXzefPdbhDp1NK0yzunTAFlQZZkCVf0NFeoiR0YVBQMU - Q3qaTGYnh8Udp7OoOw== - =T0LX - -----END PGP MESSAGE----- - fp: C8F8A49D04A1AB639F8EA21CDBA4B1DCB1FA5BDD - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 ---- -kind: Secret -apiVersion: v1 metadata: name: regcred namespace: data + annotations: + 
replicator.v1.mittwald.de/replication-allowed: "true" + replicator.v1.mittwald.de/replication-allowed-namespaces: media +type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: ENC[AES256_GCM,data:Ea4JKvWLypyXjRkT1Fro7OM6WVdmfZ7J9Iy7Rrh4nJ63H49rAkeyaPoxSPJ1XlO//PJ7daOeYC1QqAmfqDW58VmYgWjaEaz6NNfXNNNuI+ibE4Z+5a7GdzOpXuAj66cHJ5w7GzOO05iH0QEZ4DuKDEyhO5OxtkdNYtE35QMT5NtrXVTqDSdHYEO9YRGhZH3jScSfIz7u+c68Ns0Z5vTP4QQbF2JvqOoC5wSG6VHEs5g5vzYdY4LdBNeDOQXzPStMtEu7QraCfAQcBvoxgtvugM2CWv/XfdSb0kylQwvvRAw=,iv:Tu+8/76zYmaR6ItGwHjR3CjSCbrHnS9RYp2XbenXJng=,tag:QxTnuEGejoP6jqmbhS5uoA==,type:str] -type: kubernetes.io/dockerconfigjson sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2021-05-01T21:34:06Z" - mac: ENC[AES256_GCM,data:Igh15GsGGSvBc4AkErY0210N2yWS8CiMLad4Q9dkt+qxNIksDxpNBhBIq59fNsqh3qrXMkeOC3xORVTVB7/7yhIHjMHtsFu8d7mdMIcT948EtloH0uivo/6jThs32BE1J6WS5ifBfIh8UCTaCPZr1zCnweOzut+xfDNlDjMW5ZQ=,iv:Q/cCruxcO2d6/RILvlNCgyy7YlbKz2wfKKOqwDucRow=,tag:xoL7ztc3bQv0kxDl38fz3g==,type:str] + lastmodified: "2021-05-19T08:57:10Z" + mac: ENC[AES256_GCM,data:8ln8kqt2n5OgsyUJmNh3zFZ7oWay2MjvKueETMLiVeVLfin6tKiAGRtbpy1rahXlmB/FXiUKO5+KBIqqdlo1a7nBWzNqqfHE5edUItba0tk2CP9m/rxyANEU0xB44TaLSct5suP1EgXE9emnasH1A83B9jfpiM7QdUUVPJBCADI=,iv:sDLAJISkscISAO7973BCK+po5DjXekDO9hH0f7CHraU=,tag:bw+1ASqFIY7/8M32qMj3Eg==,type:str] pgp: - created_at: "2021-04-15T00:19:38Z" enc: | diff --git a/cluster/base-custom/secrets/replicated.yaml b/cluster/base-custom/secrets/replicated.yaml index 1d879d92a..1d4b93c14 100644 --- a/cluster/base-custom/secrets/replicated.yaml +++ b/cluster/base-custom/secrets/replicated.yaml 
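Review bot: The `annotations` block added under `metadata` is now the access-control boundary for this registry credential and deserves a comment, since `encrypted_regex: ^(data|stringData)$` (visible in the removed lines) leaves it plaintext and editable without re-running SOPS; suggest, directly above `annotations:`, `# replication source for media/regcred: only the namespaces listed below may pull this credential`. Before this patch media/regcred was a SOPS-encrypted object applied directly (the removed first document); afterwards it exists only while the replicator controller is running, and nothing on this page installs that controller, so confirm it is deployed before merging or image pulls in `media` will fail once the previously applied Secret is pruned. The SOPS `mac` and `lastmodified` were regenerated with the edit, which is consistent, and the `.dockerconfigjson` ciphertext is unchanged, so this is a relocation of the existing credential rather than a rotation.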
@@ -2,8 +2,32 @@ apiVersion: v1
 kind: Secret
 metadata:
- annotations:
- replicator.v1.mittwald.de/replicate-from: flux-system/cluster-secrets
 name: cluster-secrets
 namespace: development
+ annotations:
+ replicator.v1.mittwald.de/replicate-from: flux-system/cluster-secrets
 data: {}
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: k3s-xpander-ovh-tls
+ namespace: kasten-io
+ annotations:
+ replicator.v1.mittwald.de/replicate-from: networking/k3s-xpander-ovh-tls
+data:
+ tls.crt: ""
+ tls.key: ""
+type: kubernetes.io/tls
+---
+kind: Secret
+apiVersion: v1
+metadata:
+ name: regcred
+ namespace: media
+ annotations:
+ replicator.v1.mittwald.de/replicate-from: data/regcred
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: e30K