diff --git a/001-metallb/values.yaml b/001-metallb/values.yaml deleted file mode 100644 index b308799..0000000 --- a/001-metallb/values.yaml +++ /dev/null @@ -1,6 +0,0 @@ -configInline: - address-pools: - - name: default - protocol: layer2 - addresses: - - 192.168.0.200-192.168.0.210 diff --git a/002-external-secrets/uninstall.sh b/002-external-secrets/uninstall.sh deleted file mode 100755 index 8ad902b..0000000 --- a/002-external-secrets/uninstall.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash - -NAMESPACE=vault - -helm -n ${NAMESPACE} delete vault -kubectl delete ns ${NAMESPACE} diff --git a/003-cert-manager/install.sh b/003-cert-manager/install.sh deleted file mode 100755 index 54e7f20..0000000 --- a/003-cert-manager/install.sh +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/bin/bash - -CHART_VERSION=1.9.1 -NAMESPACE=cert-manager -EMAIL=amarpreet@minhas.io - -kubectl create ns ${NAMESPACE} -#kubectl create serviceaccount -n ${NAMESPACE} cert-manager - -helm repo add jetstack https://charts.jetstack.io -helm repo update - -kubectl apply -n ${NAMESPACE} -f external-secrets.yaml - -helm upgrade --install \ - cert-manager \ - jetstack/cert-manager \ - -f values.yaml \ - -n ${NAMESPACE} \ - --version ${CHART_VERSION} \ - --set installCRDs=true \ - --cleanup-on-fail - -kubectl apply -n ${NAMESPACE} -f serviceaccounttoken.yaml -./vault-role.sh - -helm upgrade -install \ - cert-manager-csi-driver \ - jetstack/cert-manager-csi-driver \ - -n ${NAMESPACE} \ - --wait \ - --cleanup-on-fail - -git clone https://github.com/kelvie/cert-manager-webhook-namecheap - -pushd cert-manager-webhook-namecheap -helm upgrade --install \ - -n ${NAMESPACE} \ - namecheap-webhook \ - deploy/cert-manager-webhook-namecheap/ \ - --wait \ - --cleanup-on-fail - -helm upgrade --install \ - -n ${NAMESPACE} \ - --set email=${EMAIL} \ - letsencrypt-namecheap-issuer \ - deploy/letsencrypt-namecheap-issuer/ \ - --wait \ - --cleanup-on-fail -popd - -rm -rf cert-manager-webhook-namecheap - -kubectl apply -f issuers.yaml diff --git a/003-cert-manager/serviceaccounttoken.yaml b/003-cert-manager/serviceaccounttoken.yaml deleted file mode 100644 index 5bf0229..0000000 --- a/003-cert-manager/serviceaccounttoken.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -type: kubernetes.io/service-account-token -metadata: - name: serviceaccounttoken - namespace: cert-manager - annotations: - kubernetes.io/service-account.name: "cert-manager" -... diff --git a/003-cert-manager/uninstall.sh b/003-cert-manager/uninstall.sh deleted file mode 100755 index d2fd0e8..0000000 --- a/003-cert-manager/uninstall.sh +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/bash - -CHART_VERSION=1.9.1 - -kubectl delete -f issuers.yaml -for i in $(kubectl get Issuers -n cert-manager | grep -v NAME | cut -d' ' -f1); do - kubectl delete Issuers -n cert-manager $i -done -for i in $(kubectl get ClusterIssuers | grep -v NAME | cut -d' ' -f1); do - kubectl delete ClusterIssuers $i -done -for i in $(kubectl get Certificates -n cert-manager | grep -v NAME | cut -d' ' -f1); do - kubectl delete Certificates -n cert-manager $i -done - -helm -n cert-manager delete namecheap-webhook -helm -n cert-manager delete letsencrypt-namecheap-issuer -helm -n cert-manager delete cert-manager - -kubectl delete -n ${NAMESPACE} -f external-secrets.yaml -kubectl delete -n ${NAMESPACE} -f serviceaccounttoken.yaml -kubectl delete ns cert-manager diff --git a/003-cert-manager/values.yaml b/003-cert-manager/values.yaml deleted file mode 100644 index 055ba58..0000000 --- a/003-cert-manager/values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -installCRDs: true - diff --git a/003-cert-manager/vault-role.sh b/003-cert-manager/vault-role.sh deleted file mode 100755 index 45bb83e..0000000 --- a/003-cert-manager/vault-role.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+') -TOKEN="$(kubectl get secret serviceaccounttoken -n cert-manager -o go-template='{{ .data.token }}' | base64 -d)" - -vault write auth/kubernetes/role/cert-manager \ - bound_service_account_names=cert-manager \ - bound_service_account_namespaces=cert-manager \ - policies=cert-manager \ - ttl=24h - -vault write auth/kubernetes/login role=cert-manager jwt=${TOKEN} iss=https://${HOST_IP}:6443 diff --git a/004-traefik/dashboard.yaml b/004-traefik/dashboard.yaml deleted file mode 100644 index 078470c..0000000 --- a/004-traefik/dashboard.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -# cert -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: traefik.k8s.masked.name - namespace: traefik -spec: - dnsNames: - - traefik.k8s.masked.name - secretName: traefik.k8s.masked.name - issuerRef: - name: vault-issuer - kind: ClusterIssuer -... ---- -# dashboard.yaml -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: traefik-accessible-dashboard - namespace: traefik -spec: - entryPoints: - - websecure - routes: - - match: Host(`traefik.k8s.masked.name`) - kind: Rule - services: - - name: api@internal - kind: TraefikService - tls: - secretName: traefik.k8s.masked.name -... diff --git a/004-traefik/install.sh b/004-traefik/install.sh deleted file mode 100755 index 587108f..0000000 --- a/004-traefik/install.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash -CHART_VERSION=10.24.0 - -helm repo add traefik https://helm.traefik.io/traefik -helm repo update -helm upgrade --install \ - traefik \ - traefik/traefik \ - -f values.yaml \ - -n traefik \ - --version ${CHART_VERSION} \ - --create-namespace \ - --cleanup-on-fail -kubectl apply -f dashboard.yaml -n traefik diff --git a/004-traefik/uninstall.sh b/004-traefik/uninstall.sh deleted file mode 100755 index fbdbbcb..0000000 --- a/004-traefik/uninstall.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -kubectl delete -f dashboard.yaml -n traefik -helm uninstall traefik -n traefik -kubectl delete ns traefik diff --git a/004-traefik/values.yaml b/004-traefik/values.yaml deleted file mode 100644 index ba1ebc1..0000000 --- a/004-traefik/values.yaml +++ /dev/null @@ -1,7 +0,0 @@ -ingressClass: - enabled: true - isDefaultClass: true - -ports: - web: - redirectTo: websecure diff --git a/101-wallabag/install.sh b/101-wallabag/install.sh deleted file mode 100755 index 0562f34..0000000 --- a/101-wallabag/install.sh +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/bash - -CHART_VERSION=6.2.2 -NAMESPACE=wallabag - -helm repo add k8s-at-home https://k8s-at-home.com/charts/ -helm repo update - -kubectl create ns wallabag -kubectl create serviceaccount -n ${NAMESPACE} wallabag -kubectl apply -n ${NAMESPACE} -f external-secrets.yaml - -helm upgrade --install \ - wallabag \ - k8s-at-home/wallabag \ - -f values.yaml \ - -n ${NAMESPACE} \ - --version ${CHART_VERSION} \ - --cleanup-on-fail - -kubectl apply -n ${NAMESPACE} -f traefik.yaml diff --git a/101-wallabag/traefik.yaml b/101-wallabag/traefik.yaml deleted file mode 100644 index 7b77c2a..0000000 --- a/101-wallabag/traefik.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- -# cert -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: wallabag.minhas.io - namespace: wallabag -spec: - dnsNames: - - wallabag.minhas.io - secretName: wallabag.minhas.io - issuerRef: - kind: ClusterIssuer - name: letsencrypt-prod -... ---- -# dashboard.yaml -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: wallabag - namespace: wallabag -spec: - entryPoints: - - websecure - routes: - - match: Host(`wallabag.minhas.io`) - kind: Rule - services: - - name: wallabag - kind: Service - port: 80 - tls: - secretName: wallabag.minhas.io -... diff --git a/README.md b/README.md index 0100e3f..c6b648a 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ # k8s -k8s scripts/helm scripts to get my services up and running \ No newline at end of file +k8s scripts/helm scripts to get my services up and running +helm charts are split into two directories, the general tools used to set up the cluster and the apps deployed to the cluster diff --git a/helm/apps/goldpinger/install.sh b/helm/apps/goldpinger/install.sh new file mode 100755 index 0000000..d9c60af --- /dev/null +++ b/helm/apps/goldpinger/install.sh 
@@ -0,0 +1,13 @@
+#!/bin/bash
+CHART_VERSION=5.5.0
+
+helm repo add okgolove https://okgolove.github.io/helm-charts
+helm repo update
+helm upgrade --install \
+ goldpinger \
+ okgolove/goldpinger \
+ -n goldpinger \
+ --version ${CHART_VERSION} \
+ --create-namespace \
+ --values values.yaml \
+ --cleanup-on-fail
diff --git a/helm/apps/goldpinger/istio-ingress.yaml b/helm/apps/goldpinger/istio-ingress.yaml
new file mode 100644
index 0000000..593bf2f
--- /dev/null
+++ b/helm/apps/goldpinger/istio-ingress.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: goldpinger-cert
+ namespace: istio-system
+spec:
+ secretName: goldpinger-cert
+ commonName: goldpinger.teapot.masked.name
+ dnsNames:
+ - goldpinger.teapot.masked.name
+ issuerRef:
+ name: vault-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
+...
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: goldpinger-gateway
+ namespace: goldpinger
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: goldpinger-cert
+ hosts:
+ - goldpinger.teapot.masked.name
+...
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: goldpinger-gateway
+ namespace: goldpinger
+spec:
+ hosts:
+ - goldpinger.teapot.masked.name
+ gateways:
+ - goldpinger-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ port:
+ number: 80
+ host: goldpinger
+...
diff --git a/helm/apps/goldpinger/values.yaml b/helm/apps/goldpinger/values.yaml
new file mode 100644
index 0000000..36a66d3
--- /dev/null
+++ b/helm/apps/goldpinger/values.yaml
@@ -0,0 +1,3 @@
+---
+service:
+ type: ClusterIP
diff --git a/helm/apps/longhorn/install.sh b/helm/apps/longhorn/install.sh
new file mode 100755
index 0000000..d47f122
--- /dev/null
+++ b/helm/apps/longhorn/install.sh
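Review bot: The script runs without strict mode, so a failed `helm repo add` or `helm repo update` at the top of this hunk is ignored and `helm upgrade --install` proceeds against a missing or stale index; helm/apps/longhorn/install.sh, helm/apps/wallabag/install.sh, helm/setup/002-external-secrets/install.sh and helm/setup/003-cert-manager/install.sh in this commit have the same gap. Adding `set -euo pipefail` on the line after the shebang, and quoting `--version "${CHART_VERSION}"`, makes the first failing step stop the script. Nothing in this hunk applies the istio-ingress.yaml added next to it, and the longhorn install.sh does not apply its ingress files either, so as far as the diff shows the Gateway and VirtualService are created by hand; if that is not intended, `kubectl apply -f istio-ingress.yaml` after the helm step (without `-n`, since the Certificate and the Gateway live in different namespaces) would wire it in.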
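Review bot: The VirtualService in the istio-ingress.yaml hunk routes every path of goldpinger.teapot.masked.name to the goldpinger service, and nothing in the file limits who may reach it once TLS is terminated at the gateway; as far as I recall goldpinger's UI reports pod addresses and node-to-node connectivity for the whole cluster, which is internal information worth keeping off an open hostname. An Istio AuthorizationPolicy in the goldpinger namespace scoped to the sources you expect, or authentication at the gateway, would close that. If the endpoint is deliberately open, a one-line comment above the VirtualService such as `# intentionally unauthenticated: LAN-only debug endpoint` would at least make the decision explicit.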
@@ -0,0 +1,12 @@
+#!/bin/bash
+CHART_VERSION=1.3.2
+
+helm repo add longhorn https://charts.longhorn.io
+helm repo update
+helm upgrade --install \
+ longhorn \
+ longhorn/longhorn \
+ -n longhorn-system \
+ --version ${CHART_VERSION} \
+ --create-namespace \
+ --cleanup-on-fail
diff --git a/helm/apps/longhorn/istio-ingress.yaml b/helm/apps/longhorn/istio-ingress.yaml
new file mode 100644
index 0000000..8efb058
--- /dev/null
+++ b/helm/apps/longhorn/istio-ingress.yaml
@@ -0,0 +1,67 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: longhorn-cert
+ namespace: istio-system
+spec:
+ secretName: longhorn-cert
+ commonName: longhorn.teapot.masked.name
+ dnsNames:
+ - longhorn.teapot.masked.name
+ issuerRef:
+ name: vault-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
+...
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: longhorn-gateway
+ namespace: longhorn-system
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: longhorn-cert
+ hosts:
+ - longhorn.teapot.masked.name
+...
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: longhorn-gateway
+ namespace: longhorn-system
+spec:
+ hosts:
+ - longhorn.teapot.masked.name
+ gateways:
+ - longhorn-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ port:
+ number: 80
+ host: longhorn-frontend
+ # tls:
+ # - match:
+ # - port: 443
+ # sniHosts:
+ # - longhorn.teapot.masked.name
+ # route:
+ # - destination:
+ # host: longhorn-frontend
+ # port:
+ # number: 80
+...
diff --git a/helm/apps/longhorn/k8s-ingress.yaml b/helm/apps/longhorn/k8s-ingress.yaml
new file mode 100644
index 0000000..f0774a5
--- /dev/null
+++ b/helm/apps/longhorn/k8s-ingress.yaml
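Review bot: The istio-ingress.yaml hunk publishes `longhorn-frontend` on longhorn.teapot.masked.name with nothing in front of it but TLS; the Longhorn UI has no authentication of its own (its documentation expects auth to be added at the ingress), so anyone who can reach the hostname gets control over volumes, backups and node scheduling. An Istio AuthorizationPolicy in longhorn-system restricting the source, or RequestAuthentication/basic auth at the gateway, should land with or before this file. The commented-out `tls:` passthrough block at the end of the VirtualService is dead configuration; either drop it or add a line such as `# kept for reference: SNI passthrough alternative, not used` so the next reader knows it is intentional.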
@@ -0,0 +1,36 @@ +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: longhorn-gateway + namespace: longhorn-system +spec: + gatewayClassName: istio + listeners: + - name: http + hostname: "longhorn.teapot.masked.name" + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: Same +... +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: longhorn-frontend + namespace: longhorn-system +spec: + parentRefs: + - name: longhorn-gateway + hostnames: ["longhorn.teapot.masked.name"] + rules: + - matches: + - path: + type: PathPrefix + value: / + backendRefs: + - name: longhorn-frontend + port: 80 +... diff --git a/101-wallabag/external-secrets.yaml b/helm/apps/wallabag/external-secrets.yaml similarity index 99% rename from 101-wallabag/external-secrets.yaml rename to helm/apps/wallabag/external-secrets.yaml index 2a5c088..6de48d3 100644 --- a/101-wallabag/external-secrets.yaml +++ b/helm/apps/wallabag/external-secrets.yaml @@ -37,7 +37,7 @@ spec: caBundle: 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 auth: kubernetes: - mountPath: "kubernetes" + mountPath: "k8s-teapot" role: "wallabag" secretRef: name: "serviceaccounttoken" diff --git a/helm/apps/wallabag/install.sh b/helm/apps/wallabag/install.sh new file mode 100755 index 0000000..2e5d6e7 --- /dev/null +++ b/helm/apps/wallabag/install.sh 
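Review bot: The Gateway listener in this hunk serves longhorn.teapot.masked.name over plain HTTP on port 80, while helm/apps/longhorn/istio-ingress.yaml serves the same hostname with TLS on 443, so if both files are applied the unauthenticated Longhorn UI is reachable in cleartext as well as over HTTPS. If this Gateway API variant is meant to replace the Istio one, a header comment saying so would help; otherwise an HTTPS listener (`protocol: HTTPS` with `tls.mode: Terminate` and a `certificateRefs` entry, which needs the certificate secret in longhorn-system or a ReferenceGrant) keeps it on par with the Istio version. Both files also name their gateway `longhorn-gateway` in longhorn-system; the API groups differ so they do not collide, but it is easy to misread which one a route is bound to.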
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+CHART_VERSION=7.1.2
+NAMESPACE=wallabag
+VAULT_AUTH_NAMESPACE="k8s-teapot"
+
+helm repo add k8s-at-home https://k8s-at-home.com/charts/
+helm repo update
+
+kubectl create ns wallabag
+kubectl create serviceaccount -n ${NAMESPACE} wallabag
+kubectl apply -n ${NAMESPACE} -f external-secrets.yaml
+
+helm upgrade --install \
+ wallabag \
+ k8s-at-home/wallabag \
+ -f values.yaml \
+ -n ${NAMESPACE} \
+ --version ${CHART_VERSION} \
+ --cleanup-on-fail
+
+#kubectl apply -n ${NAMESPACE} -f traefik.yaml
+HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
+TOKEN="$(kubectl get secret serviceaccounttoken -n wallabag -o go-template='{{ .data.token }}' | base64 -d)"
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/role/wallabag \
+ bound_service_account_names=wallabag \
+ bound_service_account_namespaces=wallabag \
+ policies=wallabag \
+ ttl=24h
+
+vault write auth/${VAULT_AUTH_NAMESPACE}/login role=wallabag jwt=${TOKEN} iss=https://${HOST_IP}:6443
diff --git a/helm/apps/wallabag/istio-ingress.yaml b/helm/apps/wallabag/istio-ingress.yaml
new file mode 100644
index 0000000..fdaa870
--- /dev/null
+++ b/helm/apps/wallabag/istio-ingress.yaml
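Review bot: The last line of this hunk passes the service-account JWT on the command line as `jwt=${TOKEN}` (unquoted, so it also word-splits), which exposes it to process listings and shell history, and the login response — including a Vault client token — is printed to stdout. Reading the secret from stdin avoids both: `printf '%s' "${TOKEN}" | vault write auth/"${VAULT_AUTH_NAMESPACE}"/login role=wallabag jwt=-`, and if the login is only a smoke test its output should be discarded rather than left in the terminal log. `iss=` does not look like a parameter of the kubernetes login endpoint (the issuer belongs to the auth method's config), so it is presumably ignored — worth confirming or removing. Separately, `kubectl create ns wallabag` hard-codes the name while `${NAMESPACE}` is used everywhere else, and with `#kubectl apply -n ${NAMESPACE} -f traefik.yaml` commented out nothing in the script applies the new istio-ingress.yaml.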
@@ -0,0 +1,57 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wallabag-cert + namespace: istio-system +spec: + secretName: wallabag-cert + commonName: wallabag.minhas.io + dnsNames: + - wallabag.minhas.io + issuerRef: + name: letsencrypt-prod + kind: ClusterIssuer + group: cert-manager.io +... +--- +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + name: wallabag-gateway + namespace: wallabag +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 443 + name: https + protocol: HTTPS + tls: + mode: SIMPLE + credentialName: wallabag-cert + hosts: + - wallabag.minhas.io +... +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: wallabag-gateway + namespace: wallabag +spec: + hosts: + - wallabag.minhas.io + gateways: + - wallabag-gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + port: + number: 80 + host: wallabag +... diff --git a/101-wallabag/uninstall.sh b/helm/apps/wallabag/uninstall.sh similarity index 80% rename from 101-wallabag/uninstall.sh rename to helm/apps/wallabag/uninstall.sh index 4492398..1108997 100755 --- a/101-wallabag/uninstall.sh +++ b/helm/apps/wallabag/uninstall.sh @@ -2,7 +2,7 @@ NAMESPACE=wallabag -kubectl delete -n ${NAMESPACE} -f traefik.yaml +#kubectl delete -n ${NAMESPACE} -f traefik.yaml helm -n ${NAMESPACE} delete wallabag kubectl delete -n ${NAMESPACE} -f external-secrets.yaml kubectl delete sa wallabag -n ${NAMESPACE} diff --git a/101-wallabag/values.yaml b/helm/apps/wallabag/values.yaml similarity index 75% rename from 101-wallabag/values.yaml rename to helm/apps/wallabag/values.yaml index 1d0b581..3e2e348 100644 --- a/101-wallabag/values.yaml +++ b/helm/apps/wallabag/values.yaml 
@@ -9,7 +9,7 @@ env: - name: SYMFONY__ENV__DATABASE_DRIVER value: pdo_pgsql - name: SYMFONY__ENV__DATABASE_HOST - value: ivyking.node.masked.name + value: sedan.node.masked.name - name: SYMFONY__ENV__DATABASE_PORT value: 5432 - name: SYMFONY__ENV__DATABASE_NAME @@ -30,9 +30,17 @@ env: key: db_pw spec: serviceAccountName: wallabag - service: main: ports: http: port: 80 +probes: + startup: + spec: + initialDelaySeconds: 60 + timeoutSeconds: 1 + ## This means it has a maximum of 5*30=150 seconds to start up before it fails + periodSeconds: 30 + failureThreshold: 30 +... diff --git a/001-metallb/install.sh b/helm/setup/001-metallb/install.sh similarity index 85% rename from 001-metallb/install.sh rename to helm/setup/001-metallb/install.sh index a6f3bb2..cfabc2c 100755 --- a/001-metallb/install.sh +++ b/helm/setup/001-metallb/install.sh @@ -1,12 +1,11 @@ #!/bin/bash -CHART_VERSION=0.11.0 +CHART_VERSION=0.13.7 helm repo add metallb https://metallb.github.io/metallb helm repo update helm upgrade --install \ metallb \ metallb/metallb \ - -f values.yaml \ -n metallb-system \ --version ${CHART_VERSION} \ --create-namespace \ diff --git a/helm/setup/001-metallb/teapot-metallb-base-pool.yaml b/helm/setup/001-metallb/teapot-metallb-base-pool.yaml new file mode 100644 index 0000000..94a6bfd --- /dev/null +++ b/helm/setup/001-metallb/teapot-metallb-base-pool.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: base-pool + namespace: metallb-system +spec: + addresses: + - 192.168.0.220-192.168.0.245 +... +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: l2advertisement + namespace: metallb-system +... diff --git a/001-metallb/uninstall.sh b/helm/setup/001-metallb/uninstall.sh similarity index 100% rename from 001-metallb/uninstall.sh rename to helm/setup/001-metallb/uninstall.sh 
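Review bot: The comment added with the startup probe, `## This means it has a maximum of 5*30=150 seconds to start up before it fails`, does not match the values beneath it: `periodSeconds: 30` with `failureThreshold: 30` allows 30 probes, i.e. 900 s after the 60 s `initialDelaySeconds`, before the container is restarted. Either the threshold should be 5 or the comment should read `## 30 probes * 30s = 900s (after a 60s initial delay) before the startup probe fails`. Please check which budget is intended, since 900 s is how long a wedged wallabag pod will sit before anything reacts.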
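Review bot: The metallb install.sh hunk drops `-f values.yaml` (the deleted `configInline` pool) and this commit adds teapot-metallb-base-pool.yaml with the IPAddressPool and L2Advertisement, but the visible part of install.sh does not apply that file; the rest of the script lies outside the hunk, so if it does not either, the cluster has no address pool after install and LoadBalancer services stay pending. A `kubectl apply -f teapot-metallb-base-pool.yaml` after the helm step, with `--wait` on the upgrade so the CRDs exist first, would cover it. A one-line comment in the pool file noting that an L2Advertisement with no `ipAddressPools` selector advertises every pool (as I understand MetalLB's behaviour) would also save the next reader a lookup.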
diff --git a/002-external-secrets/install.sh b/helm/setup/002-external-secrets/install.sh similarity index 63% rename from 002-external-secrets/install.sh rename to helm/setup/002-external-secrets/install.sh index f4100be..72679f6 100755 --- a/002-external-secrets/install.sh +++ b/helm/setup/002-external-secrets/install.sh @@ -1,17 +1,12 @@ #!/bin/bash - -CHART_VERSION=0.5.7 -NAMESPACE=external-secrets +CHART_VERSION="v0.6.1" helm repo add external-secrets https://charts.external-secrets.io helm repo update - -kubectl create ns ${NAMESPACE} - helm upgrade --install \ external-secrets \ external-secrets/external-secrets \ - -n ${NAMESPACE} \ + -n external-secrets \ --version ${CHART_VERSION} \ - --set "installCRDs=true" \ + --create-namespace \ --cleanup-on-fail diff --git a/003-cert-manager/external-secrets.yaml b/helm/setup/003-cert-manager/external-secrets.yaml similarity index 99% rename from 003-cert-manager/external-secrets.yaml rename to helm/setup/003-cert-manager/external-secrets.yaml index 403062b..fb1dad0 100644 --- a/003-cert-manager/external-secrets.yaml +++ b/helm/setup/003-cert-manager/external-secrets.yaml @@ -27,7 +27,7 @@ spec: caBundle: 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 auth: kubernetes: - mountPath: "kubernetes" + mountPath: "k8s-teapot" role: "cert-manager" secretRef: name: "serviceaccounttoken" diff --git a/helm/setup/003-cert-manager/install.sh b/helm/setup/003-cert-manager/install.sh new file mode 100755 index 0000000..4e2f686 --- /dev/null +++ b/helm/setup/003-cert-manager/install.sh 
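Review bot: `CHART_VERSION="v0.6.1"` on the second line of the external-secrets install.sh hunk carries a `v` prefix that none of the other install scripts in this commit use (`5.5.0`, `1.3.2`, `7.1.2`); Helm's semver handling tolerates the prefix as far as I know, but dropping it keeps the scripts uniform and avoids depending on that tolerance. The hunk also removes `--set "installCRDs=true"` without a replacement, so CRD installation now rests on whatever the chart defaults to; if that default is what you rely on, a comment such as `# CRDs come from the chart default (installCRDs) — pin explicitly if that changes` would record the decision.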
@@ -0,0 +1,73 @@ +#!/bin/bash -x +CHART_VERSION="v1.10.1" +NAMESPACE="cert-manager" +EMAIL="amarpreet@minhas.io" +VAULT_AUTH_NAMESPACE="k8s-teapot" + +kubectl create ns ${NAMESPACE} +kubectl apply -n ${NAMESPACE} -f external-secrets.yaml + +helm repo add jetstack https://charts.jetstack.io +helm repo update +helm upgrade --install \ + cert-manager \ + jetstack/cert-manager \ + -n cert-manager \ + --version ${CHART_VERSION} \ + --set installCRDs=true \ + --create-namespace \ + --cleanup-on-fail + +cat < ca.crt -vault write auth/kubernetes/config \ +vault write auth/${VAULT_LOGIN_NS}/config \ kubernetes_host=https://${HOST_IP}:6443 \ kubernetes_ca_cert=@ca.crt