new gitops template

2025-09-17 18:24:14 +02:00 · 2021-04-13 10:34:08 +02:00
parent 67c4d6a855
commit a95f32b44d
335 changed files with 3131 additions and 3650 deletions
--- a/cluster/core/infrastructure/cert-manager/cert-manager-webhook-ovh.yaml
+++ b/cluster/core/infrastructure/cert-manager/cert-manager-webhook-ovh.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: cert-manager-webhook-ovh
+  namespace: flux-system
+spec:
+  interval: 1440m
+  url: https://github.com/baarde/cert-manager-webhook-ovh
+  ref:
+    branch: master
+  ignore: |
+    # exclude all
+    /*
+    # include charts directory
+    !/deploy/
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-webhook-ovh:secret-reader
+  namespace: cert-manager
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["ovh-credentials"]
+    verbs: ["get", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: cert-manager-webhook-ovh:secret-reader
+  namespace: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-manager-webhook-ovh:secret-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: cert-manager-webhook-ovh
--- a/cluster/core/infrastructure/cert-manager/kustomization.yaml
+++ b/cluster/core/infrastructure/cert-manager/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cert-manager-webhook-ovh.yaml
+  - letsencrypt-production.yaml
+  - letsencrypt-staging.yaml
+  - secret.enc.yaml
--- a/cluster/core/infrastructure/cert-manager/letsencrypt-production.yaml
+++ b/cluster/core/infrastructure/cert-manager/letsencrypt-production.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+      - dns01:
+          webhook:
+            groupName: "${SECRET_CLUSTER_DOMAIN_ROOT}"
+            solverName: ovh
+            config:
+              endpoint: ovh-eu
+              applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
+              applicationSecretRef:
+                key: applicationSecret
+                name: ovh-credentials
+              consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"
--- a/cluster/core/infrastructure/cert-manager/letsencrypt-staging.yaml
+++ b/cluster/core/infrastructure/cert-manager/letsencrypt-staging.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
+    privateKeySecretRef:
+      name: letsencrypt-production
+    solvers:
+      - dns01:
+          webhook:
+            groupName: "${SECRET_CLUSTER_DOMAIN_ROOT}"
+            solverName: ovh
+            config:
+              endpoint: ovh-eu
+              applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
+              applicationSecretRef:
+                key: applicationSecret
+                name: ovh-credentials
+              consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"
--- a/cluster/core/infrastructure/cert-manager/secret.enc.yaml
+++ b/cluster/core/infrastructure/cert-manager/secret.enc.yaml
@@ -0,0 +1,36 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: ovh-credentials
+  namespace: cert-manager
+data:
+  applicationSecret: ENC[AES256_GCM,data:DSYSki4dpDJn2E1lRyRo1G6/atfacDPn6LyfM4hKQhKau/jDIjztarH280o=,iv:la3Vt+2U5gO3DqXb/NsVzDOsgckNw9SCTsv/jGtOZ4w=,tag:qjk4qYl/eqhbBd+ayxRKZw==,type:str]
+type: Opaque
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  lastmodified: "2021-04-14T13:49:54Z"
+  mac: ENC[AES256_GCM,data:v5c+yR/9uKX9ncNZNS92mVTYmKnusJdZ2O8osR5RjiHPx3GKeDsIkd5/gPxsFD3BWS2LDyVKBVPBxGMkCiIawDrUgmUjVDYuyXIDbn+ui9lfCEYwCCjxz5KkOotkPij6nXRQ9t0UsBmf/RhG1TN7rKVPwBEwt00kZYDh8BEMbZI=,iv:ZH3iFdaW0Q1f5qwkVZjTxI5xdX2aIjO9Dx6NdNxzlww=,tag:10W+kZE/ZAR4bqebPs6Gfg==,type:str]
+  pgp:
+    - created_at: "2021-04-14T13:49:54Z"
+      enc: |
+        -----BEGIN PGP MESSAGE-----
+
+        hQGMA/JorPHm1g9XAQv+OfbvF0TxlCEbp7Kb45tSpIt0UzX/ae9KBGPCKAxgXAjd
+        czsjIX0NH1n4YINNKuHIunm18FoAJUOtRyWWaJDwW8R0z/O24yq/E7bfXn4RNVsE
+        lFwRKtF3zPtQNFTLITPqzmINEeZsFobcV2l+gfXW6lieHWo937YYSxNYLyWrso1t
+        snNyjdAKWlckv9xr7ZLK8UftQrdwa7D1Ig+W/6xxor5z6IiaJUPeHGDuTJ7nSsWz
+        3LaqeGeW6a5zgL8JzMzhd9xHSGqaS2vGEGeNyMIFf466qUspQDLSXq8/a0YYFWb/
+        CsmySgm3RqYu6o+WvLEAnsIKKRISHsCUMnArshmCpnvJ6q1hIPxyJg/dX4hzBFau
+        MS2Ma3WD3WD2edS3uSVApJ9RDc2lLJDXQ4qEDgOeok1StOE4ANfTyP1QYS4yYHue
+        VZVZyCvsrsxbC2GQWQK0RRki/WY2p+V7lCa/ropDa6WcHCq2agfbQ769J3erMYii
+        b1efKs2vpf0HLrnnK+IF0lwBSCjz9ffqGq7+OP5Aj6uXV+E6R4kUzgn2KvIiLrot
+        U87wpXcyYL9J5hyzVWKS0S//kKbCqapPFia9vuxPMh4GgF+i1xshCTqqHzJfKzK4
+        G/YLCKCae2PnX/rkRA==
+        =Sv3h
+        -----END PGP MESSAGE-----
+      fp: C8F8A49D04A1AB639F8EA21CDBA4B1DCB1FA5BDD
+  encrypted_regex: ^(data|stringData)$
+  version: 3.6.1