diff --git a/clusters/titan.lan.huizinga.dev/flux-system/config-map-domain-vars.yaml b/clusters/titan.lan.huizinga.dev/flux-system/config-map-domain-vars.yaml
new file mode 100644
index 0000000..3941578
--- /dev/null
+++ b/clusters/titan.lan.huizinga.dev/flux-system/config-map-domain-vars.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: domain-vars
+ namespace: flux-system
+data:
+ domain: staging.huizinga.dev
+ # Specifically for authelia
+ subdomain: .staging
+ topdomain: huizinga.dev
diff --git a/clusters/titan.lan.huizinga.dev/flux-system/ingress.yaml b/clusters/titan.lan.huizinga.dev/flux-system/ingress.yaml
new file mode 100644
index 0000000..53a186c
--- /dev/null
+++ b/clusters/titan.lan.huizinga.dev/flux-system/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: flux-webhook
+ namespace: flux-system
+ annotations:
+ traefik.ingress.kubernetes.io/router.entryPoints: websecure
+ traefik.ingress.kubernetes.io/router.middlewares: authelia-forwardauth-authelia@kubernetescrd
+ traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+ ingressClassName: traefik
+ rules:
+ - host: flux.${domain}
+ http:
+ paths:
+ - backend:
+ service:
+ name: webhook-receiver
+ port:
+ number: 80
+ path: /
+ pathType: Prefix
+ tls:
+ - secretName: ${domain//./-}-tls
diff --git a/clusters/titan.lan.huizinga.dev/flux-system/kustomization.yaml b/clusters/titan.lan.huizinga.dev/flux-system/kustomization.yaml
index d885c2b..0d703a9 100644
--- a/clusters/titan.lan.huizinga.dev/flux-system/kustomization.yaml
+++ b/clusters/titan.lan.huizinga.dev/flux-system/kustomization.yaml
@@ -1,7 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - gotk-components.yaml
- - gotk-sync.yaml
+ - ./gotk-components.yaml
+ - ./gotk-sync.yaml
+ - ./config-map-domain-vars.yaml
+ # - ./ingress.yaml
+ - ./secret-receiver.yaml
+ - ./receiver.yaml
 patches:
- - path: sops-overlay.yaml
+ - path: patches.yaml
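Review bot: The comment `# Specifically for authelia` sits above `subdomain` only, so a reader cannot tell whether `topdomain` is also Authelia-specific or why `subdomain` carries a leading dot (`.staging`). These values are not read by a container but injected through Flux variable substitution (patches.yaml adds this ConfigMap under `substituteFrom`), so a wrong shape is only noticed when a rendered manifest looks odd. Suggest one comment above both keys, e.g. `# Authelia-specific: subdomain keeps its leading dot on purpose; see topdomain below`, plus a line naming the manifest that references them.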
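Review bot: The `router.middlewares: authelia-forwardauth-authelia@kubernetescrd` annotation places Authelia forward-auth in front of `webhook-receiver`, but the intended client of `flux.${domain}` is a GitHub webhook (receiver.yaml, `type: github`), which cannot complete an interactive login and would be redirected or rejected before reaching the receiver unless Authelia's access-control rules bypass this host. The Receiver already authenticates deliveries with the HMAC token from Secret `receiver`, so the middleware adds no protection on that path and should be dropped or given an explicit bypass. Separately, `path: /` with `pathType: Prefix` publishes the whole webhook-receiver service; Flux serves receivers under `/hook/<digest>`, so `path: /hook/` limits what is reachable from outside. This resource is still disabled in kustomization.yaml (`# - ./ingress.yaml`), so both points only bite once it is enabled.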
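Review bot: `# - ./ingress.yaml` is commented out with no reason, so the next reader cannot tell whether the Ingress is unfinished, deliberately disabled, or forgotten; a trailing note such as `# - ./ingress.yaml  # disabled: <reason placeholder>` keeps that intent with the file. `./secret-receiver.yaml` is a SOPS-encrypted Secret, so this list now depends on the `decryption` block patched in by patches.yaml being applied to the same Kustomization; a one-line comment above that entry saying so would help anyone who later reorders or splits these resources.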
diff --git a/clusters/titan.lan.huizinga.dev/flux-system/sops-overlay.yaml b/clusters/titan.lan.huizinga.dev/flux-system/patches.yaml
similarity index 73%
rename from clusters/titan.lan.huizinga.dev/flux-system/sops-overlay.yaml
rename to clusters/titan.lan.huizinga.dev/flux-system/patches.yaml
index 27c0426..5f7ab94 100644
--- a/clusters/titan.lan.huizinga.dev/flux-system/sops-overlay.yaml
+++ b/clusters/titan.lan.huizinga.dev/flux-system/patches.yaml
@@ -10,3 +10,7 @@ spec:
 provider: sops
 secretRef:
 name: sops-gpg
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: domain-vars
diff --git a/clusters/titan.lan.huizinga.dev/flux-system/receiver.yaml b/clusters/titan.lan.huizinga.dev/flux-system/receiver.yaml
new file mode 100644
index 0000000..02b0969
--- /dev/null
+++ b/clusters/titan.lan.huizinga.dev/flux-system/receiver.yaml
@@ -0,0 +1,16 @@
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: flux-infra-receiver
+ namespace: flux-system
+spec:
+ type: github
+ events:
+ - "ping"
+ - "push"
+ secretRef:
+ name: receiver
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1
+ kind: GitRepository
+ name: flux-system
diff --git a/clusters/titan.lan.huizinga.dev/flux-system/secret-receiver.yaml b/clusters/titan.lan.huizinga.dev/flux-system/secret-receiver.yaml
new file mode 100644
index 0000000..8dba49d
--- /dev/null
+++ b/clusters/titan.lan.huizinga.dev/flux-system/secret-receiver.yaml
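Review bot: `substituteFrom` makes ConfigMap `domain-vars` a hard build-time requirement, yet that ConfigMap is itself one of the resources this same flux-system Kustomization applies (config-map-domain-vars.yaml in kustomization.yaml). On a fresh bootstrap the build fails because the ConfigMap is not found, and a failing Kustomization never creates it, so the dependency is circular unless someone applies the ConfigMap out of band. Since the only `${domain}` consumer, ingress.yaml, is currently disabled, adding `optional: true` under `- kind: ConfigMap` (supported by recent kustomize-controller) breaks the cycle without changing today's output; otherwise document the manual pre-step. The enclosing Kustomization spec begins above this hunk.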
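Review bot: Nothing in this manifest records that the `token` key of Secret `receiver` is the shared HMAC secret GitHub must be configured with, nor that the endpoint to register comes from the Receiver's `.status.webhookPath`, which is what the (currently disabled) ingress.yaml fronts. A comment above `secretRef:` such as `# 'token' in Secret 'receiver' must equal the GitHub webhook secret; deliveries failing the HMAC check are rejected` would spare the next operator a trip to the Flux docs. The `"ping"` event is handy while verifying the hook; a short note saying whether it is meant to stay would make the intent explicit.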
@@ -0,0 +1,54 @@ +apiVersion: v1 +data: + token: ENC[AES256_GCM,data:Nd4t7LkkCe9pd/ilITlwZpmpF+oRmMfIbgbEiAzTK+OWUb4q37bBzGvhc3V70soS7XmpU13lJwo=,iv:qMoW9dsDauSEsw7GjuCSmsCy3k54jt5x/nngSdGiErg=,tag:ZTkP8IGT+DOJLfO+gIX2xg==,type:str] +kind: Secret +metadata: + name: receiver + namespace: flux-system +sops: + lastmodified: "2025-04-23T17:01:23Z" + mac: ENC[AES256_GCM,data:blRYui9FBvet9nuOUEPaMLLzD6CvX7pDZQEtQV5jLfKqLWEBFXUA13zqTrxtH1slGOzif1xshGqjOgsxREvEdb4Y8uSfoWSPuhkPI4WuRESjyYsVHUlP0fOIdE/CNc/xT4wTxxsvZ46ShGCMZ/QN29XsQ04nwHaEsTmYMqtgsBM=,iv:Km0FIruKN+N0Hsat4QaTBCCAHMQz5IiYkTKG2IGILUI=,tag:A1v4kEs46vz2Cm9ZN5Qw1g==,type:str] + pgp: + - created_at: "2025-04-23T17:01:23Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7pKPTYH5bqOARAAwZ69AwI2iTOboLpzZmW41EngGkhPKGghGFssiyfWbXqR + dtNG+wG371TF9nUMoLagJEqTUGRVX8xznG7R68QhVd85C1iswrNJjZ55nnJKf0IN + aRcLp3xsZuWPefOFadaJglRtgLnmCtPNur1TmPXR4V94ycOe1wBTSbvheTs73h6M + LBfRBruv2ttJsrcmI2az57KgOrIQnPu/z/NSEbc2GM3CU7/Z9ChWt+b5WEyv/7Sp + Sp0ohmC9HputBFGueC6Hw08+152C8yn3BpJhMhiWcCEryNiwKawf/n2UFJ8gk86/ + 5CkRX1CWRtz8nRIfmiwU5IBd5aMXhK684/1lTtdshHGEhSbaGA9N6lK70vdrfVl+ + euaQkqyCy2sFkhz0EvcK+PTGxnueQ4UuO01l5yRG/ZUdjzYVh9fpx3RoMnJaBctx + l63LUG+xXSwR0xy4JIkrWyFDwIyGAebxbtQ8QUeLkmMzHyUx8tOL0qfKd8qkEFwg + eJWh0guYllSldgP5h7bJXOTej3ZrP9yC1WY3z2wHu+415/eCpwucFCu/A5QnJXnA + YLTE2CIwdDpj5XjjwQwmTNpBgfQ/csHJua40CURJbsYhk4HfqbHNdjEc5kkem/3L + PrtA/d59iwy3Vjkn1xmrcX+od3qXRFVDwMjaCleAXi3dnsfN619j8PrZh2bkUyHU + aAEJAhD1hSP/yZbfctLVNBCXT3HE8bLlAp82zYsqwx7UJWOhv4saodU1Zm13CWdk + nlbN8v3w5o19Xo85rt4YB091dGliTAAQ2CfvsCLRO4ZjO6N2F4KSCSTO0jLSJkce + hly9/ZsJAtXB + =GCZA + -----END PGP MESSAGE----- + fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E + - created_at: "2025-04-23T17:01:23Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA51kG++kLewoARAA5IO7TXG5xkv+mlSwFBDbldn5jPy9E1+HbZHp+4CmRquI + ONPEeDZgh3n+Fr87OMUKMKfgdEpjdE+l80rCmF7zgaVNqLscRcLJ17k14XfbpsrG + wsp5gsvymGh6sllUopetugvzd6gdxEianuhKU6DYJMM+X/nPTDsa5wHazRzPQxS/ + 
8zp9tlPWt0HkZelBKXmLoYofZBakZOqZstQvhB0SSjC0BVpQN5WIfh1ES6uoBxhY + ddA0R34r1jwXWDE2UqD1Rx12H3TzUxdPGGw5rQKsEZSuEwxfxqjUAsn29ARR88qU + FlvSsy+FW7/6HeTcxwS1IMyZfNwRKQYLkzcwqf+OsrrjqTSBPCt8rcMoDVH3vxdf + wazu/vqoM1mwkUlogEF/M/SITEO9nJzrkAihAr6OJgfTJqi8RJffxoXQ8gAfan2J + wYMkcTxPNnskyZMUr2onotdnqdVSMgR2vwnsvIfSWUSx4eMpK8wO2xQm60hAXNHx + QCVcTz7sMDu6nD3xsvJs5D67YnkrLuqnuNeHQqSsREPv132kKIpEhAZop0MYk8ld + 798jafK8xCzasbIZqDRzSqUUK/Z/J4EN8A4zRY5EtcbXdKHpKkUYuX/Sb7y2FAQR + JMV3uqLxJoz4mqUM0VJBt77Del5YQ5LeqE8aHMBDNtfjAdmK/2xg7BuGuromZYzS + XgFxwGfX791vSkUJ/z+7Nf3QmAKBXOuEYaYJbcZ5pFbKKdcfI8iEfL7utVQ59U2k + 4BLB7aChrp8J795YQna+YgPybK5NR00FX6qLJiZAp56MdcvncJ8s42/epRWRusk= + =8ak0 + -----END PGP MESSAGE----- + fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28 + encrypted_regex: ^(data|stringData)$ + version: 3.10.1