✨ new talos cluster

2025-09-17 18:24:14 +02:00 · 2022-11-19 04:47:32 +01:00
parent 42346bd99b
commit 4ac38f95e9
548 changed files with 1642 additions and 2331 deletions
--- a/kubernetes/cluster-0/apps/authentication/glauth/config/groups.sops.toml
+++ b/kubernetes/cluster-0/apps/authentication/glauth/config/groups.sops.toml
@@ -0,0 +1,20 @@
+{
+    "data": "ENC[AES256_GCM,data:s910tBBBfRjMxw3/W+Y8Wpm9ODOtWGb8MLQUgRbLLBIczBnZvuDUE6NrQnJAyK7H8sY0SqF2iYGbCKhbp/kFMe1zkB7Txi0EC81+vNCWMEzsKBWeB5HN7R/4LgwT19Ge0vXWYwfP4++Twiin/C5n8/KiPCqQDvcO92o96c5+zkWmvnayGYovmAuTkguSUDaPNJRffHZob7HOc9T9Tw==,iv:YoK+RSBsONPNzzyC6hJDTboz+MpoSv+nmjuypUyYVhk=,tag:UdUlrEe9yoOnFKBP1eSCXg==,type:str]",
+    "sops": {
+        "kms": null,
+        "gcp_kms": null,
+        "azure_kv": null,
+        "hc_vault": null,
+        "age": [
+            {
+                "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
+                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZFcremxrOFJCbU12ektL\na0kwajkzRDVkQlQ3ODN2R01LNDhONVRMcDFFCnI1Mk1EWGszSm4rU0Nra0J2VUFq\nTVc3UGU1NHpQZCtTdEI5OFpIVnNKRG8KLS0tIFg4WHNUVS9pTXQxb1k3V0xsd0lL\nV09lKy9nTzBBZ3QyRDByOUhYOUd5bUkK4IEvbv8gyFv3v40Iz6Gso7M1rTWBNKBW\nGJM4LaUoAM5gCSSjPeSB1ZLn7j226Qr2M65GxQiA/4xPpBaOgzguow==\n-----END AGE ENCRYPTED FILE-----\n"
+            }
+        ],
+        "lastmodified": "2022-09-18T16:37:58Z",
+        "mac": "ENC[AES256_GCM,data:T0DB0qKA9BLT6pSud+WLeCTaYltvA19Uf2Klm/vsqCOXvtAVJVTWRMvE3OzcwTieJgBn4UOEaoUUEkpOo6T9ZKyqVzJ+Ir+RmYBkZZs08g86wPsUoMzEwmxQwz7rhaR/dqiNiWp7L0wE1ZbBg5gFpSj5WE8Hs0YJI4VZLFwVwfw=,iv:vSE1TboA1VknRr057d7ESWV8SvGGuNTbQnapieZvy7o=,tag:f2DSJqiBsjzBmexNo9U+ZA==,type:str]",
+        "pgp": null,
+        "unencrypted_suffix": "_unencrypted",
+        "version": "3.7.3"
+    }
+}
--- a/kubernetes/cluster-0/apps/authentication/glauth/config/server.sops.toml
+++ b/kubernetes/cluster-0/apps/authentication/glauth/config/server.sops.toml
@@ -0,0 +1,20 @@
+{
+    "data": "ENC[AES256_GCM,data:78oUuR7O9j8wqKKiTrCbg1QNVB2a+i3CWgNDNM38zQNDO/LZ3juQkda5rRZsvvH9ovGwsIVo+nk2omMLY5FUceFxQFssXYH5EGgPOA9cXYtbql8jdbp0Lh/41RAC3+WrEe3Pj/5/Qyl+1rMgQPg2JJf7KudJRt4whA6Lkehd3147Au12fMxTpxZpnSczk1MroZwsE+DdQStkVDdzwMA/QvWhnXCDCMcawFrHxrQvmRGOHAyYGomOrPm8WMKSdBpNDMZQFg1pjORK/QQ3LzeQpnoJ25iu/fA9OfpyYsbhryk2asOCyA==,iv:SZ1DXCoib5E9PurrC622tAcELIxxWGiensfZTVKFzXw=,tag:lDDsTO/Y5mXfEqyAJ0z0jQ==,type:str]",
+    "sops": {
+        "kms": null,
+        "gcp_kms": null,
+        "azure_kv": null,
+        "hc_vault": null,
+        "age": [
+            {
+                "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
+                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Mk9heFBGdDdueGFkT3Va\nS1pyMC8wOGJDSTJ3d3JPSjNnTVkzYVJ0eTJJCjVoUy8wMXdPc3Myc2JaalZ2ZG9Q\nc3J4QldvZlJqMFN4WnhvYnJmZXVuNjAKLS0tIDR5K08rWmJvR1VSSjVHUFdWNjRK\nWHd4Ny9ubjVIZ0V1SXhTMnJFN3hCK00KvH0z/ys31lAX2pYNt2JdWqPSDhp4PKEn\nbQ1Z99aG5DedV/4KqOH3L9bvHl3M5am0MiKW/CngOfN9M49bWwQ6VQ==\n-----END AGE ENCRYPTED FILE-----\n"
+            }
+        ],
+        "lastmodified": "2022-09-13T21:10:04Z",
+        "mac": "ENC[AES256_GCM,data:rKjnXHgG5ws0WdcGmTXpZ7PPGm2UIhVASqQ8K6Vtadws2g4M5OOk2JYI9sKjpnGd/Ht0pssBBpLWbqcwV2M2Ug96tkiDMRHHT7vgw4X5Y9NmnYt+5/An7ynsudraAr9AvjRS7Xux03OIPc7LjzOtCv4BIDyFR7vPj5+7opdedC0=,iv:3VPRTkVPL640URtVG5SxLKXE0/Pe3RORttfmnU0AYY0=,tag:Fcl2j31dKdCUwvfozWpRTw==,type:str]",
+        "pgp": null,
+        "unencrypted_suffix": "_unencrypted",
+        "version": "3.7.3"
+    }
+}
--- a/kubernetes/cluster-0/apps/authentication/glauth/config/users.sops.toml
+++ b/kubernetes/cluster-0/apps/authentication/glauth/config/users.sops.toml
@@ -0,0 +1,20 @@
+{
+    "data": "ENC[AES256_GCM,data:q7pZXn6YGFKwKlEX+Iax8ZWoRkuK3a0HZlbKn/aDHpf9DCOpaJuxXpFL6hlkoKb3eoFBdjLHV2Yh+y6u+v/aPnLA9yaMuhZ9MDC0I6KF+5onRermWvtadiW/pmLLBd9fFBTxvKPni3sgHpZoZ7VZMRe6YZ88StsGJBX/cXjEZkOIO9S3GC28f3iNDKH5HGsYHUWyTn2osmOfrLahG5We3P9GeVTKgbnB6/OWC0lSRR+mmPc0yAjAXklTrGuk4zRV54qDoS8HdCO0FTq3Z83f6Qa3eoFDiOrm8yLCmXRqNGSoHoFrp7dnPzCna2SMAX7RBRCrOBRw+mijaxBrbMSp/2/5MqnJyJDz53ozUZog88Ywu595vfo3lEyJ7Qu/O1DX5aJTXKCPAvOIvAwSSFXfdKGmUAQrQvEP3VgpYnzGbuhnfPTJivXKpgc4vutvOH98itTquOq9KJdCOKcsd8gmBtOpPcMrUwA7jP1TV7eJIKhSN9YFt6jflTtqxfa9a4hB6FKXkXqJOrs9b4sT1iGi1bk9uVBF+3Ccc5X/JNRZ6Q6DSLYE5SkOZGOylsS4cjzjUcFSsnyNSfTwjca8SKLlc8bnPU0qFCOIVARIjKw8vMwedYKk0aiNTEa6vqShsGTUHVV/Lx7KqaVgayX+OjhUTzK4Wtrml2dvfoO4TePRmlg0AyeeqvJiIA+Fq9kaxsDkx63HSeK+0wjFH5HWThElycxVWozN6BAQ6EK4sPqrCdjfOpIAnv2YAazY647N8gcKd/OjvYM9lo0d3X0j/EiiFo3nq7ldggMJJRt9MmXVK3Ep31jjkqaeX9nljvMWsnFWwzXq/itPheEaKT3ch44PLPSFZu8NTMn0Xe4SoDaItbCAlXWjfGaLqBSGhVXCgXlzwx9ks75HntQ1zZMR151lU1RpnrZxB0g96uRAdkNBxYtxGkfqr/L4FjbDZSbLSm6JzV6hFgZZmfK4wsDJVG8dzT5/+1XNDfu9Ih2HCbh+upoNSQVzQhcHgtawpESP1v8OQr+t8KMmtVQGKLkCJAufabTI7Q==,iv:Y5jO9xDZwhvBfMUImMz6d9IksMpPCLKhzzrecbahp2Y=,tag:Bha5EyxQ3a7l+x/i0DsiaQ==,type:str]",
+    "sops": {
+        "kms": null,
+        "gcp_kms": null,
+        "azure_kv": null,
+        "hc_vault": null,
+        "age": [
+            {
+                "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
+                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeDRMTnBlWXhEbXIrR0Fh\naFJXTEdWS0V3TCtmNFN1UFhGSXFLSExwNFRrCngzdVRhTG5LK2FWV2d3WTNvTTY5\nV0JrNWh0bGFaK0wvanZmL2dBSENkQkEKLS0tIHlVY2daMlVwNW8wMDRNNHN1RzdP\nRmsyY2NublJsWTRsRUJqYVlZTlRJS28Ky5QoK04bIpqAiHepeIS0FBVU+Kqn9IvY\nQ3yJxfye9EO1XJ60goxur9yzq3TNyGFykhvqVsizVBVuir1Ow3sLoQ==\n-----END AGE ENCRYPTED FILE-----\n"
+            }
+        ],
+        "lastmodified": "2022-09-18T16:27:14Z",
+        "mac": "ENC[AES256_GCM,data:W77zbh5xtZPJC7nAuJ3LyZUlfQM9cmNJo6rBGnp34vxfA/H7m0OExHTaJkW+o0Zajk/3/zC9jwhmNRJdiQzd/k1M+a3q+DGOU2vt+On7Mo8mDfyuPOA6DvQnXf9ouwBPPkFjtn8t2Hb1cKvCLVdeMqRgz+x3MwJRbB2rB5YEY4o=,iv:+figksDMN3AP5+dD/gn9cE18HlgU8BOHtMtvaDEQUzs=,tag:9eo27jDtrFrqXWef5/T2nQ==,type:str]",
+        "pgp": null,
+        "unencrypted_suffix": "_unencrypted",
+        "version": "3.7.3"
+    }
+}
--- a/kubernetes/cluster-0/apps/authentication/glauth/helm-release.yaml
+++ b/kubernetes/cluster-0/apps/authentication/glauth/helm-release.yaml
@@ -0,0 +1,64 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app glauth
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.0.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  values:
+    controller:
+      replicas: 1
+      strategy: RollingUpdate
+    image:
+      repository: docker.io/glauth/glauth
+      tag: v2.1.0
+    command: ["/app/glauth", "-c", "/config"]
+    service:
+      main:
+        ports:
+          http:
+            port: 5555
+          ldap:
+            enabled: true
+            port: 389
+    podSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+      fsGroupChangePolicy: "OnRootMismatch"
+    persistence:
+      config:
+        enabled: true
+        type: secret
+        name: *app
+        items:
+          - key: server.toml
+            path: server.toml
+          - key: groups.toml
+            path: groups.toml
+          - key: users.toml
+            path: users.toml
+    podAnnotations:
+      secret.reloader.stakater.com/reload: *app
+    resources:
+      requests:
+        cpu: 15m
+        memory: 105Mi
+      limits:
+        memory: 105Mi
--- a/kubernetes/cluster-0/apps/authentication/glauth/kustomization.yaml
+++ b/kubernetes/cluster-0/apps/authentication/glauth/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - helm-release.yaml
+secretGenerator:
+  - name: glauth
+    files:
+      - server.toml=config/server.sops.toml
+      - groups.toml=config/groups.sops.toml
+      - users.toml=config/users.sops.toml
+generatorOptions:
+  disableNameSuffixHash: true