diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..31a12a0
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,8 @@
+creation_rules:
+ - path_regex: .*.yaml
+ encrypted_regex: ^(data|stringData)$
+ pgp: >-
+ 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E!
+ age: >-
+ age1860txadrlqrjwnqh0g466re2nt8jk7xhj640pq9gpsddpg23uynqsp2hul,
+ age1hktythzvsnth6u5en2lvag0tftnj9r03w7rpnzfgzgf5w95qxycq2azufj
diff --git a/clusters/testing/kustomization.yaml b/clusters/testing/kustomization.yaml
index 8727f7a..2ee120c 100644
--- a/clusters/testing/kustomization.yaml
+++ b/clusters/testing/kustomization.yaml
@@ -4,3 +4,5 @@ resources:
 - flux-system/
 - ../../controllers/artifacts.yaml
 - ../../controllers/cert-manager/cert-manager.yaml
+ - ../../configs/artifacts.yaml
+ - ../../configs/letsencrypt/letsencrypt.yaml
diff --git a/configs/artifacts.yaml b/configs/artifacts.yaml
new file mode 100644
index 0000000..0cde715
--- /dev/null
+++ b/configs/artifacts.yaml
@@ -0,0 +1,16 @@
+apiVersion: source.extensions.fluxcd.io/v1beta1
+kind: ArtifactGenerator
+metadata:
+ name: configs
+ namespace: flux-system
+spec:
+ sources:
+ - alias: foundation
+ kind: GitRepository
+ name: flux-system
+ artifacts:
+ - name: letsencrypt
+ originRevision: "@foundation"
+ copy:
+ - from: "@foundation/configs/letsencrypt/**"
+ to: "@artifact/"
diff --git a/configs/letsencrypt/cluster-issuer.yaml b/configs/letsencrypt/cluster-issuer.yaml
new file mode 100644
index 0000000..078ae52
--- /dev/null
+++ b/configs/letsencrypt/cluster-issuer.yaml
@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: tim.huizinga@gmail.com
+ privateKeySecretRef:
+ name: letsencrypt
+ solvers:
+ - dns01:
+ cloudflare:
+ email: tim.huizinga@gmail.com
+ apiTokenSecretRef:
+ name: cloudflare-token
+ key: token
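Review bot: `path_regex: .*.yaml` in the new creation rule is unanchored with an unescaped dot, so it matches any path containing `yaml` (every plain manifest in this tree included) rather than only the file sops is meant to encrypt; since the one encrypted file follows the `.enc.yaml` naming, `path_regex: \.enc\.yaml$` pins the rule to that convention and makes an accidentally committed plaintext secret stand out. Backslashes are literal in a YAML plain scalar so the pattern needs no quoting, but writing it as `'\.enc\.yaml$'` keeps it safe if a `:` or `#` is ever added. The `!` suffix on the PGP fingerprint is GnuPG's exact-key selector; a comment such as `# trailing ! forces this exact (sub)key instead of letting gpg choose one` would save the next reader a lookup.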
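Review bot: The `email` under `dns01.cloudflare` is documented by cert-manager as needed only with the legacy `apiKeySecretRef` (global API key); next to `apiTokenSecretRef` it appears to be ignored, so dropping it avoids implying the global key is in use. For a ClusterIssuer the Secret named by `apiTokenSecretRef` is resolved in cert-manager's cluster-resource namespace (`cert-manager` by default), which is the namespace the encrypted Secret in this commit sets, but nothing here records that coupling; a comment above `apiTokenSecretRef` such as `# ClusterIssuer: secret must live in cert-manager's cluster-resource namespace` would. Pointing straight at the production ACME directory means any solver misconfiguration counts against Let's Encrypt's rate limits, so a sibling `letsencrypt-staging` issuer on the staging directory is the usual safeguard before switching workloads over.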
diff --git a/configs/letsencrypt/kustomization.yaml b/configs/letsencrypt/kustomization.yaml
new file mode 100644
index 0000000..bd1263d
--- /dev/null
+++ b/configs/letsencrypt/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - secret-cloudflare-token.enc.yaml
+ - cluster-issuer.yaml
diff --git a/configs/letsencrypt/letsencrypt.yaml b/configs/letsencrypt/letsencrypt.yaml
new file mode 100644
index 0000000..f53081b
--- /dev/null
+++ b/configs/letsencrypt/letsencrypt.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: letsencrypt
+ namespace: flux-system
+spec:
+ interval: 1h
+ retryInterval: 2m
+ timeout: 5m
+ dependsOn:
+ - name: cert-manager
+ sourceRef:
+ kind: ExternalArtifact
+ name: letsencrypt
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ path: ./
+ prune: true
+ wait: true
diff --git a/configs/letsencrypt/secret-cloudflare-token.enc.yaml b/configs/letsencrypt/secret-cloudflare-token.enc.yaml
new file mode 100644
index 0000000..1f131fc
--- /dev/null
+++ b/configs/letsencrypt/secret-cloudflare-token.enc.yaml
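Review bot: `decryption.secretRef.name: sops-gpg` binds reconciliation to a single in-cluster key, while the committed secret file is encrypted to three recipients (one PGP, two age) and nothing records which of them the cluster holds, so a future `sops updatekeys` that drops that recipient would only surface as a decrypt failure at reconcile time. If, as the name suggests, the Secret carries the PGP private key, a comment above `secretRef` such as `# private key for the PGP fingerprint in .sops.yaml; keep that recipient when rotating keys` documents the dependency. The `ExternalArtifact` named in `sourceRef` is produced by the `configs` ArtifactGenerator added in this same commit, so a one-line comment on `sourceRef` naming that producer would also help readers trace where the artifact comes from.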
@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cloudflare-token
+ namespace: cert-manager
+type: Opaque
+stringData:
+ token: ENC[AES256_GCM,data:uwFPBz9+EMnpXUgvkJ0u9/iEFbpJ2Rz+oX2pqwcJrH04r8E91weFOA==,iv:m9yka2XMfbuu0d/12RvG7UPWvxJEZ0UeDG+OMqxTpkg=,tag:F7EDh3PCHk2yE0MDIjmo2g==,type:str]
+sops:
+ age:
+ - recipient: age1860txadrlqrjwnqh0g466re2nt8jk7xhj640pq9gpsddpg23uynqsp2hul
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuZGVBS1dpRlVQemlRR2gv
+ WFQraFRxV1hGTVZ1UlNPeXV5Z1VTQ0o2QVFjCjZmYzh0dmhDczllU1pUdGs3Ti82
+ blBOZTAwSUVMTVlJcHNRNVA1NytTMk0KLS0tIGtwR0dYOUxOaUVWb041SXQ5cktU
+ b0QwUVJNVDBTUkcwcWxmV3R4Rm4wNjQKC/hMgUvkTlROHPiBZcJ1ALu2zqknkFhw
+ qDBjJmwpCApaLKrFMxgMEMySNbN2l04fnCQQtZ97ZH87C1lj5WFT8A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1hktythzvsnth6u5en2lvag0tftnj9r03w7rpnzfgzgf5w95qxycq2azufj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSDA1NkJGdUsyR3hUeG85
+ TUpldmk1V054SDNyNHdlVEhtM3NSMlBjc3hJCk9yQXd5ajl5VnFsZytMWHA5dlNN
+ Q2pxNHVMd01mMEwwT0pKVnBBYjByWXMKLS0tIE9uQ3pzMW90MEhZUGtxVUkrZFJH
+ VXJSejR2bzRLamdoemhSRkwwRGxnVDAKOVvuGT6ZO+JB33RrCF0oqyA0GXAznGOE
+ gT/7i9aMKuJfJr5RhfK1GY6JJf18mHt+jwM2epjtcFYzZpMjh2zjcg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-01T01:33:08Z"
+ mac: ENC[AES256_GCM,data:9pXCN0JoIFc7OXJvJFBtd/BGP9aByPFq+8KKUqv0MKXVWJWXxzTzN8yoinxsPrw0KSLOJ98ieDIHj2ukVMpuOILOzDELArDsiP0/TAq387V9S7vx+Z2OnCSVuHoW97fvvqSxqhyAuZ8a4alNQ83TtOdZ2gK6VMxWMKizZWdpGeI=,iv:KaEJ6avIlBSTBSIdi/xDF249WEbzubLviBTaDHSwp5A=,tag:TbwJvDuYJY8EdL6yxekWzQ==,type:str]
+ pgp:
+ - created_at: "2025-12-01T01:33:08Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA7pKPTYH5bqOAQ//XvRMEPLhIX1a7oAq5bBY/rl8o5NiBl2z78Bi2ddZ5Fnt
+ J1f9syNMfYCrtkrZ5dgGcbELYcdP0QFajyDYWDViz4elmdqsvdzIPY7DAdzj7NQU
+ gZhoJyBSK5EP4x/89fFdd9zR54nVH8K9036bp4KEGzu611YxdwHT9EtheTSM12S/
+ ZVvVrN0wq6ld9NH0PxEimGL1GhGn+dpVczN1CL1Qh81dz1FpvADd7AJQ7JprkbN8
+ SBSG+omRBhuZaoXTurihgL702q/zzX0/ZyQ24ONsaQGWXJmdXx+lRBgfmWPL9w8b
+ 6tcAwfCyOw6QTaTPipOvtHG3M6rhl3AxPWFm2eIv1oXtFGMAbmxOCDfGzy+Tkuva
+ JdlObrgU1v9CAxeKSeqetEZWHY/kPiUSlRUD+C4sHxJBO0MEzxQzNBlh7NgGBOPh
+ Ldum/jZbcCJCOyPXS1Q4bW89gwaTVTeOVpadSwwsJap8+13E2sar3BES2tIGiGTZ
+ e44S5pS/ycSMLQHxmPgyVnMTtMcRU5qtmEo6hjhrB05bppGQFAiCDilM6PHFJ+oN
+ 1IDOXCoqiDwS2Yxm7IQrw/7WvHqngTwwJyxjy6q4bgocgrnSqKzqoE0pBZvX1oGN
+ 1Num+9u+XwWAb2m9QUJAiWy9R16AgDD9Gp3ekArwztlMSWrXnIGz/zUL+ehh3avS
+ XgH1P2d8+QPjhrXq9Hyu9wANeL1Z1qQFKTTe9ReqRUc+B4Ts8ACf26FYSneksgJd
+ 2lyesmgmrGlFzGCVdPCBOuCPCicP/w28WzYUI7amzraPa5kHEhl3wzkQiTE710c=
+ =XaqU
+ -----END PGP MESSAGE-----
+ fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E!
+ encrypted_regex: ^(data|stringData)$
+ version: 3.11.0