Move stuff around, update for teapot

This commit is contained in:
Amarpreet Minhas 2022-12-28 23:06:22 +00:00
parent 10864be5a2
commit d2662ea421
39 changed files with 556 additions and 247 deletions


@ -1,6 +0,0 @@
configInline:
address-pools:
- name: default
protocol: layer2
addresses:
- 192.168.0.200-192.168.0.210


@ -1,6 +0,0 @@
#!/bin/bash
NAMESPACE=vault
helm -n ${NAMESPACE} delete vault
kubectl delete ns ${NAMESPACE}


@ -1,55 +0,0 @@
#!/bin/bash
CHART_VERSION=1.9.1
NAMESPACE=cert-manager
EMAIL=amarpreet@minhas.io
kubectl create ns ${NAMESPACE}
#kubectl create serviceaccount -n ${NAMESPACE} cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl apply -n ${NAMESPACE} -f external-secrets.yaml
helm upgrade --install \
cert-manager \
jetstack/cert-manager \
-f values.yaml \
-n ${NAMESPACE} \
--version ${CHART_VERSION} \
--set installCRDs=true \
--cleanup-on-fail
kubectl apply -n ${NAMESPACE} -f serviceaccounttoken.yaml
./vault-role.sh
helm upgrade -install \
cert-manager-csi-driver \
jetstack/cert-manager-csi-driver \
-n ${NAMESPACE} \
--wait \
--cleanup-on-fail
git clone https://github.com/kelvie/cert-manager-webhook-namecheap
pushd cert-manager-webhook-namecheap
helm upgrade --install \
-n ${NAMESPACE} \
namecheap-webhook \
deploy/cert-manager-webhook-namecheap/ \
--wait \
--cleanup-on-fail
helm upgrade --install \
-n ${NAMESPACE} \
--set email=${EMAIL} \
letsencrypt-namecheap-issuer \
deploy/letsencrypt-namecheap-issuer/ \
--wait \
--cleanup-on-fail
popd
rm -rf cert-manager-webhook-namecheap
kubectl apply -f issuers.yaml


@ -1,10 +0,0 @@
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: serviceaccounttoken
namespace: cert-manager
annotations:
kubernetes.io/service-account.name: "cert-manager"
...


@ -1,22 +0,0 @@
#!/bin/bash
CHART_VERSION=1.9.1
kubectl delete -f issuers.yaml
for i in $(kubectl get Issuers -n cert-manager | grep -v NAME | cut -d' ' -f1); do
kubectl delete Issuers -n cert-manager $i
done
for i in $(kubectl get ClusterIssuers | grep -v NAME | cut -d' ' -f1); do
kubectl delete ClusterIssuers $i
done
for i in $(kubectl get Certificates -n cert-manager | grep -v NAME | cut -d' ' -f1); do
kubectl delete Certificates -n cert-manager $i
done
helm -n cert-manager delete namecheap-webhook
helm -n cert-manager delete letsencrypt-namecheap-issuer
helm -n cert-manager delete cert-manager
kubectl delete -n ${NAMESPACE} -f external-secrets.yaml
kubectl delete -n ${NAMESPACE} -f serviceaccounttoken.yaml
kubectl delete ns cert-manager


@ -1,2 +0,0 @@
installCRDs: true


@ -1,12 +0,0 @@
#!/bin/bash
HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
TOKEN="$(kubectl get secret serviceaccounttoken -n cert-manager -o go-template='{{ .data.token }}' | base64 -d)"
vault write auth/kubernetes/role/cert-manager \
bound_service_account_names=cert-manager \
bound_service_account_namespaces=cert-manager \
policies=cert-manager \
ttl=24h
vault write auth/kubernetes/login role=cert-manager jwt=${TOKEN} iss=https://${HOST_IP}:6443


@ -1,34 +0,0 @@
---
# cert
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: traefik.k8s.masked.name
namespace: traefik
spec:
dnsNames:
- traefik.k8s.masked.name
secretName: traefik.k8s.masked.name
issuerRef:
name: vault-issuer
kind: ClusterIssuer
...
---
# dashboard.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-accessible-dashboard
namespace: traefik
spec:
entryPoints:
- websecure
routes:
- match: Host(`traefik.k8s.masked.name`)
kind: Rule
services:
- name: api@internal
kind: TraefikService
tls:
secretName: traefik.k8s.masked.name
...


@ -1,14 +0,0 @@
#!/bin/bash
CHART_VERSION=10.24.0
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
helm upgrade --install \
traefik \
traefik/traefik \
-f values.yaml \
-n traefik \
--version ${CHART_VERSION} \
--create-namespace \
--cleanup-on-fail
kubectl apply -f dashboard.yaml -n traefik


@ -1,5 +0,0 @@
#!/bin/bash
kubectl delete -f dashboard.yaml -n traefik
helm uninstall traefik -n traefik
kubectl delete ns traefik


@ -1,7 +0,0 @@
ingressClass:
enabled: true
isDefaultClass: true
ports:
web:
redirectTo: websecure


@ -1,21 +0,0 @@
#!/bin/bash
CHART_VERSION=6.2.2
NAMESPACE=wallabag
helm repo add k8s-at-home https://k8s-at-home.com/charts/
helm repo update
kubectl create ns wallabag
kubectl create serviceaccount -n ${NAMESPACE} wallabag
kubectl apply -n ${NAMESPACE} -f external-secrets.yaml
helm upgrade --install \
wallabag \
k8s-at-home/wallabag \
-f values.yaml \
-n ${NAMESPACE} \
--version ${CHART_VERSION} \
--cleanup-on-fail
kubectl apply -n ${NAMESPACE} -f traefik.yaml


@ -1,35 +0,0 @@
---
# cert
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wallabag.minhas.io
namespace: wallabag
spec:
dnsNames:
- wallabag.minhas.io
secretName: wallabag.minhas.io
issuerRef:
kind: ClusterIssuer
name: letsencrypt-prod
...
---
# dashboard.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: wallabag
namespace: wallabag
spec:
entryPoints:
- websecure
routes:
- match: Host(`wallabag.minhas.io`)
kind: Rule
services:
- name: wallabag
kind: Service
port: 80
tls:
secretName: wallabag.minhas.io
...


@ -1,3 +1,4 @@
# k8s
k8s scripts/helm scripts to get my services up and running
k8s scripts/helm scripts to get my services up and running
helm charts are split into two directories, the general tools used to set up the cluster and the apps deployed to the cluster

13
helm/apps/goldpinger/install.sh Executable file

@ -0,0 +1,13 @@
#!/bin/bash
CHART_VERSION=5.5.0
helm repo add okgolove https://okgolove.github.io/helm-charts
helm repo update
helm upgrade --install \
goldpinger \
okgolove/goldpinger \
-n goldpinger \
--version ${CHART_VERSION} \
--create-namespace \
--values values.yaml \
--cleanup-on-fail
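Review bot: None of the new install scripts enables strict mode, so a failed `helm repo add` or `helm repo update` on the third and fourth lines is ignored and the script goes on to `helm upgrade` against a missing or stale repo index; add `set -euo pipefail` directly after the shebang here and in the new longhorn, wallabag, cert-manager, pihole, external-dns and prometheus scripts. Where a script also runs `kubectl create ns`, strict mode would abort a re-run on the already-exists error, so those scripts should rely on `--create-namespace` as this one does, or make the namespace step idempotent. Quoting the expansion, `--version "${CHART_VERSION}"`, is harmless here and keeps ShellCheck quiet.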


@ -0,0 +1,57 @@
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: goldpinger-cert
namespace: istio-system
spec:
secretName: goldpinger-cert
commonName: goldpinger.teapot.masked.name
dnsNames:
- goldpinger.teapot.masked.name
issuerRef:
name: vault-issuer
kind: ClusterIssuer
group: cert-manager.io
...
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: goldpinger-gateway
namespace: goldpinger
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: goldpinger-cert
hosts:
- goldpinger.teapot.masked.name
...
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: goldpinger-gateway
namespace: goldpinger
spec:
hosts:
- goldpinger.teapot.masked.name
gateways:
- goldpinger-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
port:
number: 80
host: goldpinger
...


@ -0,0 +1,3 @@
---
service:
type: ClusterIP

12
helm/apps/longhorn/install.sh Executable file

@ -0,0 +1,12 @@
#!/bin/bash
CHART_VERSION=1.3.2
helm repo add longhorn https://charts.longhorn.io
helm repo update
helm upgrade --install \
longhorn \
longhorn/longhorn \
-n longhorn-system \
--version ${CHART_VERSION} \
--create-namespace \
--cleanup-on-fail


@ -0,0 +1,67 @@
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: longhorn-cert
namespace: istio-system
spec:
secretName: longhorn-cert
commonName: longhorn.teapot.masked.name
dnsNames:
- longhorn.teapot.masked.name
issuerRef:
name: vault-issuer
kind: ClusterIssuer
group: cert-manager.io
...
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: longhorn-gateway
namespace: longhorn-system
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: longhorn-cert
hosts:
- longhorn.teapot.masked.name
...
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: longhorn-gateway
namespace: longhorn-system
spec:
hosts:
- longhorn.teapot.masked.name
gateways:
- longhorn-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
port:
number: 80
host: longhorn-frontend
# tls:
# - match:
# - port: 443
# sniHosts:
# - longhorn.teapot.masked.name
# route:
# - destination:
# host: longhorn-frontend
# port:
# number: 80
...
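Review bot: The VirtualService at the end of this file routes every path on longhorn.teapot.masked.name straight to `longhorn-frontend`, and neither the Gateway nor the VirtualService adds any authentication; the Longhorn UI ships without its own login, so whoever can reach the ingress gateway gets full storage administration. Consider attaching an Istio `AuthorizationPolicy` (and `RequestAuthentication` if an identity provider is available) to the ingress gateway workload for this host, or at minimum a comment on the Gateway recording that reachability is meant to be limited at the network level. The commented-out `tls:` passthrough block should either be deleted or carry a one-line comment saying why it is kept, e.g. `# alternative: TLS passthrough to the frontend, unused while cert-manager terminates at the gateway`.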


@ -0,0 +1,36 @@
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
name: longhorn-gateway
namespace: longhorn-system
spec:
gatewayClassName: istio
listeners:
- name: http
hostname: "longhorn.teapot.masked.name"
port: 80
protocol: HTTP
allowedRoutes:
namespaces:
from: Same
...
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
name: longhorn-frontend
namespace: longhorn-system
spec:
parentRefs:
- name: longhorn-gateway
hostnames: ["longhorn.teapot.masked.name"]
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: longhorn-frontend
port: 80
...
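Review bot: The only listener on this Gateway is cleartext HTTP on port 80 (`protocol: HTTP`), while the Istio Gateway for the same host in the sibling longhorn manifest terminates HTTPS with `longhorn-cert`; if this Gateway API manifest is meant to replace the Istio one, the storage UI and any session data would travel unencrypted. Add an HTTPS listener that references the cert-manager secret (it lives in istio-system, so a `ReferenceGrant` in that namespace is needed for the cross-namespace `certificateRefs`), and consider dropping the HTTP listener or keeping it only for a redirect. A comment at the top naming which of the two manifests is currently applied would also help, since both define a `longhorn-gateway` in longhorn-system.

```yaml
  listeners:
  - name: https
    hostname: "longhorn.teapot.masked.name"
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: longhorn-cert
        namespace: istio-system   # requires a ReferenceGrant in istio-system
    allowedRoutes:
      namespaces:
        from: Same
  # … unchanged: HTTPRoute longhorn-frontend …
```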


@ -37,7 +37,7 @@ spec:
caBundle: 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
auth:
kubernetes:
mountPath: "kubernetes"
mountPath: "k8s-teapot"
role: "wallabag"
secretRef:
name: "serviceaccounttoken"

32
helm/apps/wallabag/install.sh Executable file

@ -0,0 +1,32 @@
#!/bin/bash
CHART_VERSION=7.1.2
NAMESPACE=wallabag
VAULT_AUTH_NAMESPACE="k8s-teapot"
helm repo add k8s-at-home https://k8s-at-home.com/charts/
helm repo update
kubectl create ns wallabag
kubectl create serviceaccount -n ${NAMESPACE} wallabag
kubectl apply -n ${NAMESPACE} -f external-secrets.yaml
helm upgrade --install \
wallabag \
k8s-at-home/wallabag \
-f values.yaml \
-n ${NAMESPACE} \
--version ${CHART_VERSION} \
--cleanup-on-fail
#kubectl apply -n ${NAMESPACE} -f traefik.yaml
HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
TOKEN="$(kubectl get secret serviceaccounttoken -n wallabag -o go-template='{{ .data.token }}' | base64 -d)"
vault write auth/${VAULT_AUTH_NAMESPACE}/role/wallabag \
bound_service_account_names=wallabag \
bound_service_account_namespaces=wallabag \
policies=wallabag \
ttl=24h
vault write auth/${VAULT_AUTH_NAMESPACE}/login role=wallabag jwt=${TOKEN} iss=https://${HOST_IP}:6443
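Review bot: The final `vault write auth/${VAULT_AUTH_NAMESPACE}/login ...` performs a real login and prints the resulting Vault client token, accessor and policies to stdout, so the token ends up in terminal scrollback and in any CI log; if the line is only a check that the role works, limit the output with `vault write -field=policies auth/${VAULT_AUTH_NAMESPACE}/login role=wallabag jwt="${TOKEN}"` or remove it once the role is verified. The new cert-manager install script ends with the same login call. `jwt=${TOKEN}` should be quoted in both. This script reads the `serviceaccounttoken` secret but does not create it (the cert-manager and pihole scripts create theirs inline via heredoc); presumably external-secrets.yaml does, which is worth confirming before the helm step depends on it.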


@ -0,0 +1,57 @@
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wallabag-cert
namespace: istio-system
spec:
secretName: wallabag-cert
commonName: wallabag.minhas.io
dnsNames:
- wallabag.minhas.io
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
group: cert-manager.io
...
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: wallabag-gateway
namespace: wallabag
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: wallabag-cert
hosts:
- wallabag.minhas.io
...
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: wallabag-gateway
namespace: wallabag
spec:
hosts:
- wallabag.minhas.io
gateways:
- wallabag-gateway
http:
- match:
- uri:
prefix: /
route:
- destination:
port:
number: 80
host: wallabag
...


@ -2,7 +2,7 @@
NAMESPACE=wallabag
kubectl delete -n ${NAMESPACE} -f traefik.yaml
#kubectl delete -n ${NAMESPACE} -f traefik.yaml
helm -n ${NAMESPACE} delete wallabag
kubectl delete -n ${NAMESPACE} -f external-secrets.yaml
kubectl delete sa wallabag -n ${NAMESPACE}


@ -9,7 +9,7 @@ env:
- name: SYMFONY__ENV__DATABASE_DRIVER
value: pdo_pgsql
- name: SYMFONY__ENV__DATABASE_HOST
value: ivyking.node.masked.name
value: sedan.node.masked.name
- name: SYMFONY__ENV__DATABASE_PORT
value: 5432
- name: SYMFONY__ENV__DATABASE_NAME
@ -30,9 +30,17 @@ env:
key: db_pw
spec:
serviceAccountName: wallabag
service:
main:
ports:
http:
port: 80
probes:
startup:
spec:
initialDelaySeconds: 60
timeoutSeconds: 1
## This means it has a maximum of 5*30=150 seconds to start up before it fails
periodSeconds: 30
failureThreshold: 30
...
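Review bot: The comment above `periodSeconds: 30` says the startup probe allows `5*30=150` seconds, but with `failureThreshold: 30` and `periodSeconds: 30` the probe tolerates 30 consecutive failures thirty seconds apart, i.e. up to 900 seconds after the 60-second initial delay before the container is restarted. Either change the comment to `## 30 failures x 30s = up to 900s (after a 60s initial delay) before the container is restarted` or lower `failureThreshold` to match the 150-second intent. The enclosing `spec:` block starts before this hunk.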


@ -1,12 +1,11 @@
#!/bin/bash
CHART_VERSION=0.11.0
CHART_VERSION=0.13.7
helm repo add metallb https://metallb.github.io/metallb
helm repo update
helm upgrade --install \
metallb \
metallb/metallb \
-f values.yaml \
-n metallb-system \
--version ${CHART_VERSION} \
--create-namespace \


@ -0,0 +1,17 @@
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: base-pool
namespace: metallb-system
spec:
addresses:
- 192.168.0.220-192.168.0.245
...
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: l2advertisement
namespace: metallb-system
...


@ -1,17 +1,12 @@
#!/bin/bash
CHART_VERSION=0.5.7
NAMESPACE=external-secrets
CHART_VERSION="v0.6.1"
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
kubectl create ns ${NAMESPACE}
helm upgrade --install \
external-secrets \
external-secrets/external-secrets \
-n ${NAMESPACE} \
-n external-secrets \
--version ${CHART_VERSION} \
--set "installCRDs=true" \
--create-namespace \
--cleanup-on-fail


@ -27,7 +27,7 @@ spec:
caBundle: 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
auth:
kubernetes:
mountPath: "kubernetes"
mountPath: "k8s-teapot"
role: "cert-manager"
secretRef:
name: "serviceaccounttoken"


@ -0,0 +1,73 @@
#!/bin/bash -x
CHART_VERSION="v1.10.1"
NAMESPACE="cert-manager"
EMAIL="amarpreet@minhas.io"
VAULT_AUTH_NAMESPACE="k8s-teapot"
kubectl create ns ${NAMESPACE}
kubectl apply -n ${NAMESPACE} -f external-secrets.yaml
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm upgrade --install \
cert-manager \
jetstack/cert-manager \
-n cert-manager \
--version ${CHART_VERSION} \
--set installCRDs=true \
--create-namespace \
--cleanup-on-fail
cat <<EOH | kubectl apply -f -
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: serviceaccounttoken
namespace: cert-manager
annotations:
kubernetes.io/service-account.name: "cert-manager"
...
EOH
HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
TOKEN="$(kubectl get secret serviceaccounttoken -n cert-manager -o go-template='{{ .data.token }}' | base64 -d)"
vault write auth/${VAULT_AUTH_NAMESPACE}/role/cert-manager \
bound_service_account_names=cert-manager \
bound_service_account_namespaces=cert-manager \
policies=cert-manager \
ttl=24h
vault write auth/${VAULT_AUTH_NAMESPACE}/login role=cert-manager jwt=${TOKEN} iss=https://${HOST_IP}:6443
helm upgrade -install \
cert-manager-csi-driver \
jetstack/cert-manager-csi-driver \
-n ${NAMESPACE} \
--wait \
--cleanup-on-fail
git clone https://github.com/kelvie/cert-manager-webhook-namecheap
pushd cert-manager-webhook-namecheap
helm upgrade --install \
-n ${NAMESPACE} \
namecheap-webhook \
deploy/cert-manager-webhook-namecheap/ \
--wait \
--cleanup-on-fail
helm upgrade --install \
-n ${NAMESPACE} \
--set email=${EMAIL} \
letsencrypt-namecheap-issuer \
deploy/letsencrypt-namecheap-issuer/ \
--wait \
--cleanup-on-fail
popd
rm -rf cert-manager-webhook-namecheap
kubectl apply -f issuers.yaml
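Review bot: With `#!/bin/bash -x`, the `TOKEN="$(kubectl get secret ...)"` assignment and the `jwt=${TOKEN}` login line are traced to stderr with the service-account JWT fully expanded, on top of the Vault client token the login prints to stdout; wrap that stretch in `set +x` / `set -x`, or drop `-x` from the shebang (shebang options are lost anyway when the script is run as `bash install.sh`). The pihole install script has the same `-x` shebang and the same traced `TOKEN=` assignment. Separately, `helm upgrade -install` for cert-manager-csi-driver has a single dash, which helm's flag parser appears to read as a bundle of short flags rather than `--install`, so the line only works because the later `-n ${NAMESPACE}` wins; it should be `helm upgrade --install \`. `kubectl create ns ${NAMESPACE}` and `--create-namespace` both appear, so the explicit `create ns`, which fails on a re-run, can go.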


@ -37,7 +37,7 @@ spec:
auth:
kubernetes:
role: cert-manager
mountPath: /v1/auth/kubernetes
mountPath: /v1/auth/k8s-teapot
secretRef:
name: serviceaccounttoken
key: token


@ -0,0 +1,52 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: external-dns-k8s-tokenreview-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: default
namespace: external-dns
- kind: ServiceAccount
name: external-dns
namespace: external-dns
...
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: default
namespace: external-dns
spec:
provider:
vault:
server: "https://vault.service.masked.name:8200"
path: "kv"
version: "v2"
caBundle: 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
auth:
kubernetes:
mountPath: "k8s-teapot"
role: "external-dns"
secretRef:
name: "serviceaccounttoken"
...
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: pihole
namespace: external-dns
spec:
secretStoreRef:
name: default
kind: SecretStore
data:
- secretKey: pihole-password
remoteRef:
key: external-dns
property: pihole-password
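Review bot: The ClusterRoleBinding grants `system:auth-delegator` to the `default` service account of the external-dns namespace, and the pihole install script binds the Vault role to that same account (`bound_service_account_names=default,external-dns`) and annotates the `serviceaccounttoken` secret with `kubernetes.io/service-account.name: "default"`; every pod in the namespace that does not set `serviceAccountName` then inherits both the TokenReview right and the Vault identity. Drop the `default` subject (the three lines `- kind: ServiceAccount` / `name: default` / `namespace: external-dns`) and bind only the dedicated `external-dns` account, using it for the token secret and the Vault role as well. If the secret-store lookup is the only consumer, `auth.kubernetes.serviceAccountRef` on the SecretStore would avoid the long-lived token secret altogether.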


@ -0,0 +1,40 @@
#!/bin/bash -x
CHART_VERSION="2.11.0"
NAMESPACE="external-dns"
VAULT_AUTH_NAMESPACE="k8s-teapot"
kubectl create ns ${NAMESPACE}
cat <<EOH | kubectl apply -f -
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: serviceaccounttoken
namespace: external-dns
annotations:
kubernetes.io/service-account.name: "default"
...
EOH
HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
TOKEN="$(kubectl get secret serviceaccounttoken -n external-dns -o go-template='{{ .data.token }}' | base64 -d)"
vault write auth/${VAULT_AUTH_NAMESPACE}/role/external-dns \
bound_service_account_names=default,external-dns \
bound_service_account_namespaces=external-dns \
policies=external-dns \
ttl=24h
kubectl apply -f external-secrets.yaml
helm repo add mojo2600 https://mojo2600.github.io/pihole-kubernetes/
helm repo update
helm upgrade --install \
pihole \
mojo2600/pihole \
-n ${NAMESPACE} \
--version ${CHART_VERSION} \
--values values.yaml \
--cleanup-on-fail
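Review bot: `HOST_IP` and `TOKEN` (the `ip addr show eth0` and `kubectl get secret serviceaccounttoken` lines) are assigned but never used in this script — unlike the cert-manager script there is no `login` call — so both lines can be removed, which also stops the `-x` trace from echoing the service-account JWT. If the token lookup is meant as a check that the secret exists before the role is written, replace it with `kubectl -n "${NAMESPACE}" get secret serviceaccounttoken >/dev/null`. `jwt`-free as it is, the `vault write .../role/external-dns` call is the only line that actually needs to run after the heredoc.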


@ -0,0 +1,26 @@
---
serviceDns:
mixedService: true
type: LoadBalancer
loadBalancerIP: 192.168.0.220
annotations:
metallb.universe.tf/allow-shared-ip: pihole
serviceWeb:
loadBalancerIP: 192.168.0.220
annotations:
metallb.universe.tf/allow-shared-ip: pihole
type: LoadBalancer
serviceDhcp:
enabled: false
DNS1: "192.168.0.1"
DNS2: "192.168.0.1"
podDnsConfig:
enabled: false
admin:
existingSecret: pihole
passwordKey: pihole-password


@ -0,0 +1,16 @@
#!/bin/bash -x
CHART_VERSION="1.12.0"
NAMESPACE="external-dns"
kubectl create ns ${NAMESPACE}
helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
helm repo update
helm upgrade --install \
external-dns \
external-dns/external-dns \
-n ${NAMESPACE} \
--version ${CHART_VERSION} \
--values values.yaml \
--cleanup-on-fail


@ -0,0 +1,19 @@
---
image:
#repository: registry.k8s.io/k8s-staging-external-dns/external-dns
repository: gcr.io/k8s-staging-external-dns/external-dns
tag: "v20221224-external-dns-helm-chart-1.12.0-18-ga68da282"
pullPolicy: IfNotPresent
provider: pihole
extraArgs:
- --pihole-server=http://pihole-web.external-dns.svc.cluster.local
env:
- name: "EXTERNAL_DNS_PIHOLE_PASSWORD"
valueFrom:
secretKeyRef:
key: pihole-password
name: pihole
sources:
- istio-gateway
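Review bot: The image comes from the `gcr.io/k8s-staging-external-dns` staging registry with a date-stamped tag and the released `registry.k8s.io` repository commented out; staging builds are not retained or promoted like releases and a mutable tag gives no integrity guarantee, so the deployment may silently change or stop pulling. Record why the staging build is needed and when to revert, e.g. `# staging build until a release includes the pihole change — TODO(review): pin by digest and switch back to registry.k8s.io`, and pin by digest where the chart's image template allows it. The `--pihole-server` URL is plain http inside the cluster, which is acceptable only while both services stay in the same mesh-controlled namespace; a comment stating that assumption would help.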


@ -0,0 +1,12 @@
#!/bin/bash
CHART_VERSION=18.0.0
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm upgrade --install \
prometheus \
prometheus-community/prometheus \
-n prometheus \
--version ${CHART_VERSION} \
--create-namespace \
--cleanup-on-fail


@ -1,10 +1,13 @@
#!/bin/bash
# vault login path
VAULT_LOGIN_NS=k8s-teapot
# local ip
HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode > ca.crt
vault write auth/kubernetes/config \
vault write auth/${VAULT_LOGIN_NS}/config \
kubernetes_host=https://${HOST_IP}:6443 \
kubernetes_ca_cert=@ca.crt