Try adding gluetun and sops

This commit is contained in:
2024-09-13 20:12:32 +01:00
parent a37e8ecb36
commit ad30994088
9 changed files with 111 additions and 4 deletions

8
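--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,8 @@
+creation_rules:
+- path_regex: secret.yaml$
+encrypted_regex: ^(data|stringData)$
+# tower
+# k8s
+age: >-
+age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv,
+age1gnxrrychharz0cyapjhu3nnzzzhc38slwfpq5h5rsq7pphuk4q6shhx3ll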
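Review bot: The `# tower` and `# k8s` comments above the `age:` key do not say which of the two recipients is the workstation key and which is the cluster key, and they cannot be moved next to the keys because inside the `>-` folded scalar a `#` is literal text that would become part of the recipient list. Naming each public key with a YAML anchor in a top-level `keys:` list and referencing the anchors from `key_groups` (the pattern the sops README uses) keeps the owner of each key explicit and turns a rotation into a one-line change. If files named `secrets.yaml`/`*.yml` are ever expected, `path_regex: secret.yaml$` will not match them and `sops encrypt` will refuse with "no matching creation rules" — widen the regex then, and escape the dot either way (`secret\.yaml$`).
```yaml
keys:
  - &tower age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv
  - &k8s age1gnxrrychharz0cyapjhu3nnzzzhc38slwfpq5h5rsq7pphuk4q6shhx3ll
creation_rules:
  - path_regex: secret\.yaml$
    encrypted_regex: ^(data|stringData)$
    key_groups:
      - age:
          - *tower
          - *k8s
```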


@@ -1,5 +1,8 @@
{
"yaml.schemas": {
"https://json.schemastore.org/kustomization.json": "file:///workspace/gitops/infra/traefik.yaml"
},
"sops": {
"creationEnabled": true
}
}


@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.yaml
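Review bot: Neither this kustomization nor the `gluetun-env` Secret it lists sets a `namespace:`, so the Secret is created wherever the Flux Kustomization's `targetNamespace` (or the cluster default) places it, while the sonarr pod's `envFrom` can only resolve `gluetun-env` in the pod's own namespace. If the sonarr Deployment is reconciled by a different Flux Kustomization or carries its own namespace, the pod will fail to start with a missing-secret error; an explicit `namespace:` on this kustomization (matching the sonarr Deployment's) makes the pairing visible in review.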

41
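--- a/apps/gluetun/secret.yaml
+++ b/apps/gluetun/secret.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: gluetun-env
+stringData:
+TZ: ENC[AES256_GCM,data:LJEpoJ4aVy5Qf8w7zg==,iv:IOxz/scZUCqEhasCje3X64MCddTzrtcnOp/6wg0SHEU=,tag:PTfTjdbClLj6fnXWJFedDw==,type:str]
+VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:ttMPiwizhg==,iv:TmptqgLRaugwq3NiGxOvM9NdnkflNLQsYoRp8fIXq0c=,tag:fXeinqe8eUn/a+MNbiKrzw==,type:str]
+VPN_TYPE: ENC[AES256_GCM,data:1GAuiUTCew==,iv:yZFHMMXt4Z4PR5tUJ0e7k8bJbjTFPY46X2AW6LB68xE=,tag:gtveZD34ZzXXHSekDPi93Q==,type:str]
+SERVER_COUNTRIES: ENC[AES256_GCM,data:D6O0wIPGYMBzL28=,iv:p4RoFg0iSGrLRzkw5cbOj9F0Ty+soASiwgDbwHsn2rU=,tag:PeMGdEoYSJjKv5jkiaQn3w==,type:str]
+FIREWALL_INPUT_PORTS: ENC[AES256_GCM,data:IDFDixwvkY4YG1A=,iv:FyDaKtjza6zC1g5soqhvi5MmjGV5Ap3tFBht3zx6emM=,tag:HyNwf1wRhBoRq1CaRAtH+Q==,type:str]
+OPENVPN_CIPHERS: ENC[AES256_GCM,data:V/VGTVVTlCsz1dg=,iv:eK6noWENyRrR5lUd8XwuAOgKz3MX1kqY3VKwvBQy0h4=,tag:JOH3Eym5k6DiBoUgpvePoA==,type:str]
+OPENVPN_USER: ENC[AES256_GCM,data:RnZRnVakr1tPraU7PF3J1Q==,iv:1cXVtF4VfYq8Y41HVndFraxoZtwM/r4EHsowfRucBko=,tag:UgkcS89V7QKOF7ZS5Qqi+g==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpc3pXZzMraGJONnVHRGta
+Y0J6aDB0R0NMWmpMSFcyTTk5bkJaU3NPUldJCjgydmdOZGdoaUVCb2F2amVndnFZ
+VUgxeW1IRlRUdWRydkg4TzdSTkY5b2sKLS0tIEdCcGFBMkJ2MldMMUlsaUpoeEhF
+RUhxNlF4NTRROXVMWExuNi9hRmJBMWcKkSzzsaY7I46F15Y11c+9J4EcoT7lqG83
+dSdTUHsbvNBsYYGYFUkHpRr7XEgnWWecV3lpzoVYLnmvJXCwFCK8Ug==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1gnxrrychharz0cyapjhu3nnzzzhc38slwfpq5h5rsq7pphuk4q6shhx3ll
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVEtQbTF1eVhmM0xsd2tU
+b1R5ME1PRVkrbCtTRHdFM1BWSEcrMEhEUTE4Ck5aWkQvZThOMVJpN2x2Z053WTcz
+bDVnQTFhYjV0QWZJbC9KaG9IVlY0T1UKLS0tIDkxaXJVWlQrK2VqODBHY3RDTzBR
+QUFpRStodHhkTmxjNEpXQ2UxSjArN0EKnzsoVUTuiJIzTlhKNCSZpPHiRRs+KSAF
+cyZPHvxn+xebB0jkMF6awXhruPdKHwNeijGKTzVm2RtKgjX+2YMaUg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-09-13T19:04:15Z"
+mac: ENC[AES256_GCM,data:gXXZVu6iVZ6wqlKe4WDpQABHoxirZ1suZnaiQ+ru4sOPEQSGr2k6qyTA4uXcxSbtiw9g3JX9N34ZB2I3jNPbS+I2sfOvEr1VWe639k9OUDcWNOMEWNjK+PIiF9x81SJab9og4Z/2mdFuRXDAG9CHX6Q/sLEbsP3vpZgXeL7Xs38=,iv:yJeJPq2InZN+ewWd4yvSPTjNNo9MSgzbbxBUHL2ZCjs=,tag:2qCHVAvsucnr8yA0dkMXkA==,type:str]
+pgp: []
+encrypted_regex: ^(data|stringData)$
+version: 3.9.0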
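Review bot: Of the seven `stringData` keys only `OPENVPN_USER` is a credential; `TZ`, `VPN_SERVICE_PROVIDER`, `VPN_TYPE`, `SERVER_COUNTRIES`, `FIREWALL_INPUT_PORTS` and `OPENVPN_CIPHERS` are configuration, and encrypting them means the firewall allow-list and cipher choice that protect the sonarr sidecar can no longer be checked in a diff or a PR. Move those six into a ConfigMap wired through a second `envFrom:` / `configMapRef:` on the gluetun container and keep only the credential(s) under `stringData` here. I also do not see an `OPENVPN_PASSWORD` entry; if gluetun is meant to take the password from this Secret rather than from somewhere not in this commit, it is missing. The encryption itself looks right: `metadata` stays plaintext per `encrypted_regex`, each value is wrapped for both age recipients, and a `mac` is present.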


@@ -20,12 +20,27 @@ spec:
app: sonarr
spec:
containers:
- image: ghcr.io/qdm12/gluetun:latest
name: gluetun
imagePullPolicy: Always
securityContext:
capabilities:
add: ["NET_ADMIN"]
ports:
- containerPort: 8989
envFrom:
- secretRef:
name: gluetun-env
resources:
limits:
cpu: 250m
memory: 500Mi
requests:
cpu: 10m
memory: 64Mi
- name: sonarr
image: lscr.io/linuxserver/sonarr:4.0.8
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 8989
livenessProbe:
httpGet:
path: /ping
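Review bot: The gluetun sidecar's `image:` line pulls `ghcr.io/qdm12/gluetun:latest` with `imagePullPolicy: Always`, while the same container holds `NET_ADMIN` and the VPN credentials from `gluetun-env`, so every pod restart runs whatever that mutable tag points at that day and an upstream regression or tag hijack inherits both the capability and the secret. Pin it the way sonarr is pinned a few lines down — `image: ghcr.io/qdm12/gluetun:<release tag>@sha256:<digest>` with `imagePullPolicy: IfNotPresent`. Since NET_ADMIN is the only capability gluetun needs, add `drop: ["ALL"]` next to the `add:` list so the container does not keep the runtime's default set on top of it. The `containerPort: 8989` on gluetun duplicates sonarr's `http` port; both containers share the pod network namespace, so it adds nothing here and looks carried over from a docker-compose `network_mode: service:gluetun` layout — gluetun also usually needs `/dev/net/tun`, which nothing in this hunk provides, so check the pod spec above. The Deployment's `spec` begins before this hunk.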


@@ -11,3 +11,7 @@ spec:
kind: GitRepository
name: flux-system
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
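Review bot: `secretRef: name: sops-age` is looked up in this Kustomization's own namespace, and kustomize-controller loads age identities only from Secret entries whose key name ends in `.agekey` (`.asc` for PGP); the README in this commit creates the Secret with `--from-file=keys.txt=/dev/stdin`, which gives Flux a Secret with no usable identity and every sops-encrypted Secret in the tree fails to decrypt. Create it as `--from-file=age.agekey=/dev/stdin` in the namespace this Kustomization lives in (the README uses `flux-system`), and verify the key-name convention against the Flux version deployed. The Kustomization's `spec` starts outside the hunk.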


@@ -25,3 +25,7 @@ spec:
sourceRef:
kind: GitRepository
name: flux-system
decryption:
provider: sops
secretRef:
name: sops-age


@@ -7,7 +7,7 @@ spec:
interval: 15m
url: https://github.com/rancher/local-path-provisioner.git
ref:
tag: v0.0.28
tag: v0.0.29
ignore: |-
# exclude all
/*


@@ -28,6 +28,34 @@ Host 192.168.1.101
SSH into the server, and grab the kubeconfig with `sudo cat /etc/rancher/k3s/k3s.yaml`.
Drop the user and cluster into your config and create a context to have that user and cluster
## age & sops
I use sops with age to encrypt keys etc in git.
Before pushing encrypted keys up, we'll need to re-encrypt them with a new key.
From a shell with sops and age installed, and an already known key under `$HOME/.config/sops/age/keys.txt` (or `%AppData%\sops\age\keys.txt`), create a new key in this repo `age-keygen -o keys.txt`.
Add that new public key to the `.sops.yaml`, and push the secret key to the cluster with:
```sh
cat keys.txt |
kubectl create secret generic sops-age \
--namespace=flux-system \
--from-file=keys.txt=/dev/stdin
```
Update the encryption with `sops updatekeys`, then delete keys.txt.
### Using sops
#### Encrypting
After creating a new secret, run `sops encrypt --in-place ./path/to/secret.yaml`.
#### Editing
You can install the `@signageos/vscode-sops` extension in vscode to automatically decrypt, edit and re-encrypt a secret.
Or use `sops edit file.yaml`
## Flux CD
Install flux and everything in this repo with the following: