From 8398368ffb11b50c2434c29b9a99a49d5be02c43 Mon Sep 17 00:00:00 2001 From: Jan Schoone <6106846+jschoone@users.noreply.github.com> Date: Fri, 13 Sep 2024 11:36:29 +0200 Subject: [PATCH 01/41] fix(cso): add cert for hook server Signed-off-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> --- .../cso-infrastructure-components.yaml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/cso/installation/cso-infrastructure-components.yaml b/cso/installation/cso-infrastructure-components.yaml index ce70ab3..fae7a0f 100644 --- a/cso/installation/cso-infrastructure-components.yaml +++ b/cso/installation/cso-infrastructure-components.yaml @@ -920,6 +920,10 @@ spec: name: cso-cluster-stack-variables image: ghcr.io/sovereigncloudstack/cso:v0.1.0-alpha.7 imagePullPolicy: Always + volumeMounts: + - mountPath: /tmp/k8s-hook-server/serving-certs + name: hook-server-cert + readOnly: true livenessProbe: failureThreshold: 3 httpGet: @@ -955,6 +959,30 @@ spec: tolerations: - effect: NoSchedule key: node-role.kubernetes.io/control-plane + volumes: + - name: hook-server-cert + secret: + defaultMode: 420 + secretName: cso-hook-server-server-cert +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + cluster.x-k8s.io/provider: cluster-stack-operator + name: cso-hook-server-server-cert + namespace: cso-system +spec: + dnsNames: + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc + - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + issuerRef: + kind: Issuer + name: cso-selfsigned-issuer + secretName: cso-hook-server-server-cert + subject: + organizations: + - k8s-sig-cluster-lifecycle --- apiVersion: cert-manager.io/v1 kind: Certificate From 91d3b26b018617a406edfa68c331ba4823ab1fbf Mon Sep 17 00:00:00 2001 From: Jan Schoone <6106846+jschoone@users.noreply.github.com> Date: Fri, 13 Sep 2024 12:30:53 +0200 Subject: [PATCH 02/41] chore: update cert-manager chore: update capi components chore: update cso 
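Review bot: The `dnsNames` entries of the new `cso-hook-server-server-cert` Certificate are the literal strings `$(SERVICE_NAME).$(SERVICE_NAMESPACE).svc` and `$(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local`, which look like kustomize variable placeholders that were never substituted. Unless a later build step expands them, cert-manager will either reject the request or issue a certificate whose names do not match the hook server's Service, so a client that verifies the server name cannot connect. The names should be written out as `<hook-service-name>.cso-system.svc` and `<hook-service-name>.cso-system.svc.cluster.local`; the Service name itself is not visible in this patch. Separately, `defaultMode: 420` (0644) in the `hook-server-cert` volume leaves the private key readable by every user in the container, so a tighter mode is worth considering where the pod's fsGroup makes that workable.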
Signed-off-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> --- capi/config/cabp.yaml | 2 +- capi/config/cacp.yaml | 2 +- capi/config/cacpp.yaml | 2 +- capi/config/caip.yaml | 2 +- capi/config/kamaji.yaml | 4 +- capi/installation/helmrelease.yaml | 2 +- cert-manager/installation/helmrelease.yaml | 2 +- .../cso-infrastructure-components.yaml | 590 ++++++++++++------ 8 files changed, 396 insertions(+), 210 deletions(-) diff --git a/capi/config/cabp.yaml b/capi/config/cabp.yaml index 2607702..d832847 100644 --- a/capi/config/cabp.yaml +++ b/capi/config/cabp.yaml @@ -10,4 +10,4 @@ metadata: name: kubeadm namespace: capi-kubeadm-bootstrap-system spec: - version: v1.7.2 + version: v1.8.3 diff --git a/capi/config/cacp.yaml b/capi/config/cacp.yaml index 7839044..e071627 100644 --- a/capi/config/cacp.yaml +++ b/capi/config/cacp.yaml @@ -18,4 +18,4 @@ spec: MachineSetPreflightChecks: false RuntimeSDK: false verbosity: 1 - version: v1.7.2 + version: v1.8.3 diff --git a/capi/config/cacpp.yaml b/capi/config/cacpp.yaml index bcd20ab..5a11561 100644 --- a/capi/config/cacpp.yaml +++ b/capi/config/cacpp.yaml @@ -15,4 +15,4 @@ spec: MachinePool: true ClusterTopology: true KubeadmBootstrapFormatIgnition: false - version: v1.7.2 + version: v1.8.3 diff --git a/capi/config/caip.yaml b/capi/config/caip.yaml index f73c834..23d38f5 100644 --- a/capi/config/caip.yaml +++ b/capi/config/caip.yaml @@ -10,4 +10,4 @@ metadata: name: openstack namespace: openstack-infrastructure-system spec: - version: v0.10.2 + version: v0.10.5 diff --git a/capi/config/kamaji.yaml b/capi/config/kamaji.yaml index afb3c6d..f62f6f7 100644 --- a/capi/config/kamaji.yaml +++ b/capi/config/kamaji.yaml @@ -7,7 +7,7 @@ metadata: apiVersion: operator.cluster.x-k8s.io/v1alpha2 kind: ControlPlaneProvider metadata: - name: kamaji + name: kamaji namespace: capi-kamaji-control-plane-system spec: - version: v0.10.0 + version: v0.11.0 
diff --git a/capi/installation/helmrelease.yaml b/capi/installation/helmrelease.yaml index 3fe75d7..e4200d9 100644 --- a/capi/installation/helmrelease.yaml +++ b/capi/installation/helmrelease.yaml @@ -13,7 +13,7 @@ spec: spec: chart: cluster-api-operator reconcileStrategy: ChartVersion - version: 0.10.1 + version: 0.13.0 sourceRef: kind: HelmRepository name: capi diff --git a/cert-manager/installation/helmrelease.yaml b/cert-manager/installation/helmrelease.yaml index d6ec7b6..f2cec9f 100644 --- a/cert-manager/installation/helmrelease.yaml +++ b/cert-manager/installation/helmrelease.yaml @@ -17,7 +17,7 @@ spec: chart: spec: chart: cert-manager - version: "v1.14.5" + version: "v1.15.3" sourceRef: kind: HelmRepository name: jetstack diff --git a/cso/installation/cso-infrastructure-components.yaml b/cso/installation/cso-infrastructure-components.yaml index fae7a0f..6771351 100644 --- a/cso/installation/cso-infrastructure-components.yaml +++ b/cso/installation/cso-infrastructure-components.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Namespace metadata: labels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator control-plane: cso-controller-manager name: cso-system --- @@ -12,7 +12,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.16.2 labels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator cluster.x-k8s.io/v1beta1: v1beta1 name: clusteraddons.clusterstack.x-k8s.io spec: @@ -21,6 +21,8 @@ spec: kind: ClusterAddon listKind: ClusterAddonList plural: clusteraddons + shortNames: + - caddon singular: clusteraddon scope: Namespaced versions: @@ -28,6 +30,10 @@ spec: - jsonPath: .metadata.ownerReferences[?(@.kind=="Cluster")].name name: Cluster type: string + - description: Present running hook + jsonPath: .spec.hook + name: Hook + type: string - jsonPath: .status.ready name: Ready type: boolean 
@@ -47,14 +53,19 @@ spec: description: ClusterAddon is the schema for the clusteraddons API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -63,49 +74,57 @@ spec: object. properties: clusterRef: - description: ClusterRef is the reference to the clusterv1.Cluster - object that corresponds to the workload cluster where this controller - applies the cluster addons. + description: |- + ClusterRef is the reference to the clusterv1.Cluster object that corresponds to the workload cluster where this + controller applies the cluster addons. properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic clusterStack: - description: ClusterStack is the full string --- that will be filled with the cluster stack that - the respective cluster uses currently. It always matches cluster.spec.topology.class - if the work of this controller is done. + description: |- + ClusterStack is the full string --- that will be filled with the cluster stack that + the respective cluster uses currently. It always matches cluster.spec.topology.class if the work of this controller is done. 
+ type: string + hook: + description: Hook specifies the runtime hook for the Cluster event. type: string version: description: Version is the version of the cluster addons that have 
@@ -124,37 +143,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -196,6 +215,25 @@ spec: type: string type: object type: array + stages: + description: Stages shows the state of all stages in the current running + hook. + items: + description: StageStatus represents the helm charts of the hook + and it's phases. + properties: + action: + description: Action is the action of the helm chart. e.g. - + apply and delete. + type: string + name: + description: Name represent name of the helm chart + type: string + phase: + description: Phase is the current phase of the helm chart. + type: string + type: object + type: array type: object type: object served: true @@ -209,7 +247,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.16.2 labels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator cluster.x-k8s.io/v1beta1: v1beta1 name: clusterstackreleases.clusterstack.x-k8s.io spec: @@ -218,6 +256,8 @@ spec: kind: ClusterStackRelease listKind: ClusterStackReleaseList plural: clusterstackreleases + shortNames: + - cskr singular: clusterstackrelease scope: Namespaced versions: 
@@ -245,14 +285,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -260,41 +305,47 @@ spec: description: ClusterStackReleaseSpec defines the desired state of ClusterStackRelease. properties: providerRef: - description: ProviderRef specifies the reference to the ProviderClusterStackRelease - object. It has to be set only if the object exists, i.e. if the - noProvider mode is turned off. + description: |- + ProviderRef specifies the reference to the ProviderClusterStackRelease object. + It has to be set only if the object exists, i.e. if the noProvider mode is turned off. properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. type: string kind: - description: 'Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic 
@@ -309,37 +360,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -348,9 +399,9 @@ spec: type: object type: array kubernetesVersion: - description: KubernetesVersion is the Kubernetes version incl. patch - version, e.g. 1.26.6. The controller fetches the version from the - release assets of the cluster stack. + description: |- + KubernetesVersion is the Kubernetes version incl. patch version, e.g. 1.26.6. + The controller fetches the version from the release assets of the cluster stack. type: string ready: default: false @@ -399,7 +450,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.16.2 labels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator cluster.x-k8s.io/v1beta1: v1beta1 name: clusterstacks.clusterstack.x-k8s.io spec: @@ -408,6 +459,8 @@ spec: kind: ClusterStack listKind: ClusterStackList plural: clusterstacks + shortNames: + - csk singular: clusterstack scope: Namespaced versions: 
@@ -449,14 +502,19 @@ spec: description: ClusterStack is the Schema for the clusterstacks API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -502,42 +560,47 @@ spec: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic versions: - description: Versions is a list of version of the cluster stack that - should be available in the management cluster. A version has to - have the format 'v', e.g. v1 for stable channel or, - v1-alpha.1 for alpha channel. The versions have to correspond to - the channel property. + description: |- + Versions is a list of version of the cluster stack that should be available in the management cluster. + A version has to have the format 'v', e.g. v1 for stable channel or, v1-alpha.1 for alpha channel. + The versions have to correspond to the channel property. items: type: string type: array 
@@ -557,37 +620,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -631,7 +694,7 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator name: cso-controller-manager namespace: cso-system --- @@ -639,7 +702,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator name: cso-leader-election-role namespace: cso-system rules: @@ -679,7 +742,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator name: cso-manager-role rules: - apiGroups: @@ -707,6 +770,7 @@ rules: - cluster.x-k8s.io - controlplane.cluster.x-k8s.io - infrastructure.cluster.x-k8s.io + - infrastructure.clusterstack.x-k8s.io resources: - '*' verbs: @@ -739,12 +803,15 @@ rules: - clusterstack.x-k8s.io resources: - clusteraddons/finalizers + - clusterstackreleases/finalizers verbs: - update - apiGroups: - clusterstack.x-k8s.io resources: - clusteraddons/status + - clusterstackreleases/status + - clusterstacks/status verbs: - get - patch 
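Review bot: In the ClusterRole rules hunk (`@@ -707,6 +770,7 @@`), `infrastructure.clusterstack.x-k8s.io` is added to a rule whose `resources` is `'*'`, so the manager keeps cluster-wide access to every resource in that group, including kinds added later. The verbs of the merged rule lie outside the hunk, so please confirm they are no broader than the create/delete/get/list/patch/update/watch set of the standalone rule that the `@@ -791,32 +844,12 @@` hunk removes. This file appears to be generated, so the lasting fix would be in the operator's RBAC markers: list the provider kinds the controller actually reconciles instead of `*`. If the wildcard is deliberate because provider kinds vary, a comment next to the marker should say so.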
@@ -760,20 +827,6 @@ rules: - list - patch - watch -- apiGroups: - - clusterstack.x-k8s.io - resources: - - clusterstackreleases/finalizers - verbs: - - update -- apiGroups: - - clusterstack.x-k8s.io - resources: - - clusterstackreleases/status - verbs: - - get - - patch - - update - apiGroups: - clusterstack.x-k8s.io resources: @@ -791,32 +844,12 @@ rules: verbs: - delete - update -- apiGroups: - - clusterstack.x-k8s.io - resources: - - clusterstacks/status - verbs: - - get - - patch - - update -- apiGroups: - - infrastructure.clusterstack.x-k8s.io - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator name: cso-leader-election-rolebinding namespace: cso-system roleRef: @@ -832,7 +865,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator name: cso-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -843,11 +876,41 @@ subjects: name: cso-controller-manager namespace: cso-system --- +apiVersion: v1 +kind: Service +metadata: + labels: + cluster.x-k8s.io/provider: cluster-stack-operator + name: cso-hook-server-svc + namespace: cso-system +spec: + ports: + - port: 443 + targetPort: 9442 + selector: + cluster.x-k8s.io/provider: cluster-stack-operator + control-plane: cso-controller-manager +--- +apiVersion: v1 +kind: Service +metadata: + labels: + cluster.x-k8s.io/provider: cluster-stack-operator + name: cso-webhook-service + namespace: cso-system +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + cluster.x-k8s.io/provider: cluster-stack-operator + control-plane: cso-controller-manager +--- apiVersion: apps/v1 kind: Deployment metadata: labels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator control-plane: cso-controller-manager name: cso-controller-manager namespace: cso-system @@ -855,23 +918,22 @@ spec: replicas: 1 selector: matchLabels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator control-plane: cso-controller-manager template: metadata: annotations: kubectl.kubernetes.io/default-container: manager labels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator control-plane: cso-controller-manager spec: containers: - args: - --leader-elect=true + - --log-level=info command: - /manager - - -source - - oci env: - name: GIT_PROVIDER valueFrom: @@ -920,10 +982,6 @@ spec: name: cso-cluster-stack-variables image: ghcr.io/sovereigncloudstack/cso:v0.1.0-alpha.7 imagePullPolicy: Always - volumeMounts: - - mountPath: /tmp/k8s-hook-server/serving-certs - name: hook-server-cert - readOnly: true livenessProbe: failureThreshold: 3 httpGet: 
@@ -935,6 +993,12 @@ spec: timeoutSeconds: 1 name: manager ports: + - containerPort: 9442 + name: hook-server-svc + protocol: TCP + - containerPort: 9443 + name: webhook-server + protocol: TCP - containerPort: 9440 name: healthz protocol: TCP @@ -954,6 +1018,13 @@ spec: requests: cpu: 200m memory: 250Mi + volumeMounts: + - mountPath: /tmp/k8s-hook-server/serving-certs + name: hook-server-cert + readOnly: true + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true serviceAccountName: cso-controller-manager terminationGracePeriodSeconds: 10 tolerations: @@ -964,6 +1035,10 @@ spec: secret: defaultMode: 420 secretName: cso-hook-server-server-cert + - name: cert + secret: + defaultMode: 420 + secretName: cso-webhook-server-cert --- apiVersion: cert-manager.io/v1 kind: Certificate @@ -974,8 +1049,8 @@ metadata: namespace: cso-system spec: dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - cso-hook-server-svc.cso-system.svc + - cso-hook-server-svc.cso-system.svc.cluster.local issuerRef: kind: Issuer name: cso-selfsigned-issuer @@ -988,13 +1063,13 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: labels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator name: cso-serving-cert namespace: cso-system spec: dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local + - cso-webhook-service.cso-system.svc + - cso-webhook-service.cso-system.svc.cluster.local issuerRef: kind: Issuer name: cso-selfsigned-issuer 
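Review bot: The new `cert` volume in the `@@ -964,6 +1035,10 @@` hunk reads Secret `cso-webhook-server-cert`, but the only webhook Certificate visible in this patch is `cso-serving-cert`, and its `secretName` lies outside the hunk. If the two names do not match, the Secret is never created and the manager pod cannot mount `/tmp/k8s-webhook-server/serving-certs`. Please confirm that the Certificate carries `secretName: cso-webhook-server-cert`. The hook-server pair can be checked from the earlier commit, where both sides use `cso-hook-server-server-cert`.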
@@ -1007,8 +1082,119 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: labels: - cluster.x-k8s.io/provider: infrastructure-cluster-stack-operator + cluster.x-k8s.io/provider: cluster-stack-operator name: cso-selfsigned-issuer namespace: cso-system spec: selfSigned: {} +--- +apiVersion: runtime.cluster.x-k8s.io/v1alpha1 +kind: ExtensionConfig +metadata: + annotations: + runtime.cluster.x-k8s.io/inject-ca-from-secret: cso-system/cso-hook-server-server-cert + labels: + cluster.x-k8s.io/provider: cluster-stack-operator + name: cso-hook-server-extensionconfig + namespace: cso-system +spec: + clientConfig: + service: + name: cso-hook-server-svc + namespace: cso-system + port: 443 + namespaceSelector: {} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: cso-system/cso-serving-cert + labels: + cluster.x-k8s.io/provider: cluster-stack-operator + name: cso-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: cso-webhook-service + namespace: cso-system + path: /validate-cluster-x-k8s-io-v1beta1-cluster + failurePolicy: Fail + name: validation.cluster.cluster.x-k8s.io + rules: + - apiGroups: + - cluster.x-k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - clusters + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + service: + name: cso-webhook-service + namespace: cso-system + path: /validate-clusterstack-x-k8s-io-v1alpha1-clusteraddon + failurePolicy: Fail + name: validation.clusteraddon.clusterstack.x-k8s.io + rules: + - apiGroups: + - clusterstack.x-k8s.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - clusteraddons + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + service: + name: cso-webhook-service + namespace: cso-system + path: 
/validate-clusterstack-x-k8s-io-v1alpha1-clusterstack + failurePolicy: Fail + name: validation.clusterstack.clusterstack.x-k8s.io + rules: + - apiGroups: + - clusterstack.x-k8s.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - clusterstacks + sideEffects: None +- admissionReviewVersions: + - v1 + - v1alpha1 + clientConfig: + service: + name: cso-webhook-service + namespace: cso-system + path: /validate-clusterstack-x-k8s-io-v1alpha1-clusterstackrelease + failurePolicy: Fail + name: validation.clusterstackrelease.clusterstack.x-k8s.io + rules: + - apiGroups: + - clusterstack.x-k8s.io + apiVersions: + - v1alpha1 + operations: + - DELETE + resources: + - clusterstackreleases + sideEffects: None From 27b0de0784dc12361dddea100d03fa1610734f81 Mon Sep 17 00:00:00 2001 From: Jan Schoone <6106846+jschoone@users.noreply.github.com> Date: Fri, 13 Sep 2024 12:52:01 +0200 Subject: [PATCH 03/41] feat(capi): enable runtimesdk Signed-off-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> --- capi/config/cacp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/capi/config/cacp.yaml b/capi/config/cacp.yaml index e071627..8bf89bb 100644 --- a/capi/config/cacp.yaml +++ b/capi/config/cacp.yaml @@ -16,6 +16,6 @@ spec: ClusterTopology: true MachinePool: true MachineSetPreflightChecks: false - RuntimeSDK: false + RuntimeSDK: true verbosity: 1 version: v1.8.3 From 0b42ca871f410e82204586131f0dfdfb344c6656 Mon Sep 17 00:00:00 2001 From: Jan Schoone <6106846+jschoone@users.noreply.github.com> Date: Fri, 13 Sep 2024 12:53:51 +0200 Subject: [PATCH 04/41] feat(cso): use oci as source Signed-off-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> --- cso/installation/cso-infrastructure-components.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cso/installation/cso-infrastructure-components.yaml b/cso/installation/cso-infrastructure-components.yaml index 6771351..1b6b6b2 100644 
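Review bot: All four entries of the added ValidatingWebhookConfiguration use `failurePolicy: Fail` with no `namespaceSelector`, `objectSelector` or `timeoutSeconds`, and they are served by the `cso-controller-manager` Deployment, which runs with `replicas: 1`. Failing closed is the right default for validation, but every CREATE/UPDATE of `clusters` in `cluster.x-k8s.io`, in any namespace, is rejected while that single pod is unavailable or its serving certificate has not been issued. The ExtensionConfig is equally broad, since `namespaceSelector: {}` registers the hook server for every namespace. I would record the coupling above `webhooks:`, for example `# fail-closed: Cluster and ClusterStack writes are rejected while cso-controller-manager is unavailable`. If the runtime hooks are only meant for some namespaces, a label-based `namespaceSelector` would narrow them.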
--- a/cso/installation/cso-infrastructure-components.yaml +++ b/cso/installation/cso-infrastructure-components.yaml @@ -934,6 +934,8 @@ spec: - --log-level=info command: - /manager + - -source + - oci env: - name: GIT_PROVIDER valueFrom: From d103629266a3088dd48baff71978f888bd10ffbe Mon Sep 17 00:00:00 2001 From: Jan Schoone <6106846+jschoone@users.noreply.github.com> Date: Fri, 13 Sep 2024 13:02:45 +0200 Subject: [PATCH 05/41] chore: update cspo Signed-off-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> --- .../cspo-infrastructure-components.yaml | 241 ++++++++++-------- prod/cspo/config/secret.yaml | 9 +- 2 files changed, 141 insertions(+), 109 deletions(-) diff --git a/cspo/installation/cspo-infrastructure-components.yaml b/cspo/installation/cspo-infrastructure-components.yaml index 92808ba..e00c3cf 100644 --- a/cspo/installation/cspo-infrastructure-components.yaml +++ b/cspo/installation/cspo-infrastructure-components.yaml @@ -15,7 +15,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.16.2 name: openstackclusterstackreleases.infrastructure.clusterstack.x-k8s.io spec: group: infrastructure.clusterstack.x-k8s.io 
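Review bot: In the `@@ -934,6 +934,8 @@` hunk, `-source` and `oci` are re-added by hand to a manifest that PATCH 02/41 ("chore: update cso") had just replaced, and that replacement is what dropped them. A local edit to `cso-infrastructure-components.yaml` will be lost the same way on the next component update. For a flag that selects where cluster stacks are fetched from, that regression is easy to miss in a 590-line diff. Leaving the upstream file untouched and carrying the two args in an overlay beside it (a kustomize patch, if the repo's tooling allows) would make the deviation explicit and keep it across updates. The container spec continues outside the hunk.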
@@ -49,14 +49,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -72,14 +77,16 @@ spec: reconciling this cluster properties: kind: - description: Kind of the identity. Must be supported by the infrastructure + description: |- + Kind of the identity. Must be supported by the infrastructure provider and may be either cluster or namespace-scoped. minLength: 1 type: string name: - description: Name of the infrastructure identity to be used. Must - be either a cluster-scoped resource, or namespaced-scoped resource - the same namespace as the resource(s) being provisioned. + description: |- + Name of the infrastructure identity to be used. + Must be either a cluster-scoped resource, or namespaced-scoped + resource the same namespace as the resource(s) being provisioned. type: string required: - kind 
@@ -97,37 +104,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -149,7 +156,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.16.2 name: openstackclusterstackreleasetemplates.infrastructure.clusterstack.x-k8s.io spec: group: infrastructure.clusterstack.x-k8s.io 
@@ -169,14 +176,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -201,16 +213,16 @@ spec: used when reconciling this cluster properties: kind: - description: Kind of the identity. Must be supported by - the infrastructure provider and may be either cluster - or namespace-scoped. + description: |- + Kind of the identity. Must be supported by the infrastructure + provider and may be either cluster or namespace-scoped. minLength: 1 type: string name: - description: Name of the infrastructure identity to be - used. Must be either a cluster-scoped resource, or namespaced-scoped - resource the same namespace as the resource(s) being - provisioned. + description: |- + Name of the infrastructure identity to be used. + Must be either a cluster-scoped resource, or namespaced-scoped + resource the same namespace as the resource(s) being provisioned. type: string required: - kind @@ -237,7 +249,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.16.2 name: openstacknodeimagereleases.infrastructure.clusterstack.x-k8s.io spec: group: infrastructure.clusterstack.x-k8s.io 
@@ -271,14 +283,19 @@ spec: API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -291,14 +308,16 @@ spec: reconciling this cluster properties: kind: - description: Kind of the identity. Must be supported by the infrastructure + description: |- + Kind of the identity. Must be supported by the infrastructure provider and may be either cluster or namespace-scoped. minLength: 1 type: string name: - description: Name of the infrastructure identity to be used. Must - be either a cluster-scoped resource, or namespaced-scoped resource - the same namespace as the resource(s) being provisioned. + description: |- + Name of the infrastructure identity to be used. + Must be either a cluster-scoped resource, or namespaced-scoped + resource the same namespace as the resource(s) being provisioned. type: string required: - kind @@ -311,11 +330,13 @@ spec: description: CreateOpts represents options used to create an image. properties: container_format: - description: ContainerFormat is the format of the container. - Valid values are ami, ari, aki, bare, and ovf. + description: |- + ContainerFormat is the format of the + container. Valid values are ami, ari, aki, bare, and ovf. type: string disk_format: - description: DiskFormat is the format of the disk. If set, + description: |- + DiskFormat is the format of the disk. If set, valid values are ami, ari, aki, vhd, vmdk, raw, qcow2, vdi, and iso. type: string @@ -323,12 +344,14 @@ spec: description: Id is the the image ID. type: string min_disk: - description: MinDisk is the amount of disk space in GB that - is required to boot the image. + description: |- + MinDisk is the amount of disk space in + GB that is required to boot the image. type: integer min_ram: - description: MinRAM is the amount of RAM in MB that is required - to boot the image. + description: |- + MinRAM is the amount of RAM in MB that + is required to boot the image. type: integer name: description: Name is the name of the new image. 
@@ -372,37 +395,37 @@ spec: operational state. properties: lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. + description: |- + Last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when + the API field changed is acceptable. format: date-time type: string message: - description: A human readable message indicating details about - the transition. This field may be empty. + description: |- + A human readable message indicating details about the transition. + This field may be empty. type: string reason: - description: The reason for the condition's last transition - in CamelCase. The specific API may choose whether or not this - field is considered a guaranteed API. This field may not be - empty. + description: |- + The reason for the condition's last transition in CamelCase. + The specific API may choose whether or not this field is considered a guaranteed API. + This field may not be empty. type: string severity: - description: Severity provides an explicit classification of - Reason code, so the users or machines can immediately understand - the current situation and act accordingly. The Severity field - MUST be set only when Status=False. + description: |- + Severity provides an explicit classification of Reason code, so the users or machines can immediately + understand the current situation and act accordingly. + The Severity field MUST be set only when Status=False. type: string status: description: Status of the condition, one of True, False, Unknown. type: string type: - description: Type of condition in CamelCase or in foo.example.com/CamelCase. 
- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. + description: |- + Type of condition in CamelCase or in foo.example.com/CamelCase. + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability to deconflict is important. type: string required: - lastTransitionTime @@ -503,31 +526,6 @@ rules: - infrastructure.clusterstack.x-k8s.io resources: - openstackclusterstackreleases - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - infrastructure.clusterstack.x-k8s.io - resources: - - openstackclusterstackreleases/finalizers - verbs: - - update -- apiGroups: - - infrastructure.clusterstack.x-k8s.io - resources: - - openstackclusterstackreleases/status - verbs: - - get - - patch - - update -- apiGroups: - - infrastructure.clusterstack.x-k8s.io - resources: - openstacknodeimagereleases verbs: - create @@ -540,12 +538,14 @@ rules: - apiGroups: - infrastructure.clusterstack.x-k8s.io resources: + - openstackclusterstackreleases/finalizers - openstacknodeimagereleases/finalizers verbs: - update - apiGroups: - infrastructure.clusterstack.x-k8s.io resources: + - openstackclusterstackreleases/status - openstacknodeimagereleases/status verbs: - get @@ -709,6 +709,8 @@ spec: - --leader-elect command: - /manager + - -source + - oci env: - name: GIT_PROVIDER valueFrom: 
@@ -730,7 +732,32 @@ spec: secretKeyRef: key: git-access-token name: cspo-cluster-stack-variables - image: ghcr.io/sovereigncloudstack/cspo:v0.1.0-alpha.3 + - name: OCI_REGISTRY + valueFrom: + secretKeyRef: + key: oci-registry + name: cspo-cluster-stack-variables + - name: OCI_REPOSITORY + valueFrom: + secretKeyRef: + key: oci-repository + name: cspo-cluster-stack-variables + - name: OCI_ACCESS_TOKEN + valueFrom: + secretKeyRef: + key: oci-access-token + name: cspo-cluster-stack-variables + - name: OCI_USERNAME + valueFrom: + secretKeyRef: + key: oci-username + name: cspo-cluster-stack-variables + - name: OCI_PASSWORD + valueFrom: + secretKeyRef: + key: oci-password + name: cspo-cluster-stack-variables + image: ghcr.io/sovereigncloudstack/cspo:v0.1.0-alpha.5 livenessProbe: httpGet: path: /healthz diff --git a/prod/cspo/config/secret.yaml b/prod/cspo/config/secret.yaml index bee767c..172178c 100644 --- a/prod/cspo/config/secret.yaml +++ b/prod/cspo/config/secret.yaml 
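Review bot: The bumped `image: ghcr.io/sovereigncloudstack/cspo:v0.1.0-alpha.5` is referenced by tag only, so what runs depends on whatever the registry serves for that tag at pull time. The same hunk gives this container registry credentials through the five new `OCI_*` variables, which raises the value of pinning the reviewed build: `image: ghcr.io/sovereigncloudstack/cspo:v0.1.0-alpha.5@sha256:<digest-of-reviewed-image>`. The container spec continues outside the hunk.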
@@ -4,6 +4,11 @@ data: git-org-name: ENC[AES256_GCM,data:GxbH/T9e+rQKUjHcHeurDAwshbz7aaFDEN6jEA==,iv:f9TWI5ZkMvY8nnT0yPrChJLUKSIMtlaXiyflPGzYNi8=,tag:3J63PZ48VeKlf/KO2BC1+w==,type:str] git-provider: ENC[AES256_GCM,data:1iTPv8j/KgA=,iv:z3/pVljwlvpm6xjnDon8bcgcA0cwHVMx1xUqfIpUIas=,tag:P4CSCTtt2Y7Jtj639qq/Ew==,type:str] git-repo-name: ENC[AES256_GCM,data:uhNF48toC17uxyHmf/lIDrU7vls=,iv:JVZGlOLhw88EDYLH8cQMAQZ9Cz2OYgVeFqjvThyZLqQ=,tag:tRJo5raDkicpNcnJA2TVng==,type:str] + oci-access-token: "" + oci-password: ENC[AES256_GCM,data:4HiQ7EqzGF4E3wc6HK1yDcXJQ0N+sbW6JwxgDImknqNvqa1Gk1yabNriXTw=,iv:MoyPDmQ35CucALFMQJ2yMszp8/OPeUyi1bdCNM6A3aI=,tag:uYFy3nIlXUrFDjiOtQaJQg==,type:str] + oci-registry: ENC[AES256_GCM,data:K+h/PAgxSA42N5zENmCGtx6Qata6lRowV4Md2rdZhrw=,iv:Xl7somTuVG8YYTP58VRKPdV84lmOe+RQnxF3cpUKcdI=,tag:+AGF3AdY4K7Scoom8kR8JA==,type:str] + oci-repository: ENC[AES256_GCM,data:W2HWO4VfS1jGq2s6OJaWSLq6arhKIZXp7enWb3WhIvUaXBCKZ4TXarV91Gt6zKLqmUiefrHnIrQ=,iv:bo1rdzObQyOMupWQPy84XadE0t4ShzuA2//EaZRks90=,tag:lCP2hoMd7Xkx0CaN2uoW2w==,type:str] + oci-username: ENC[AES256_GCM,data:SSxIYrv2ZHwJYEOfawBGw+CuusVj/KvKTnJCEvSLTLEjk/DYDkTNkhV1isA=,iv:NHT/EIFdC2xFuEtQZSqHO2HXhN5afKkyT8z/K+j2aLw=,tag:kHXQMAeX8cEtqxQWtMsBTw==,type:str] kind: Secret metadata: creationTimestamp: null 
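Review bot: `oci-access-token: ""` is committed empty next to a populated `oci-username`/`oci-password` pair, and the Deployment change in this commit injects all five keys unconditionally. The operator therefore starts with `OCI_ACCESS_TOKEN` set to an empty string as well as basic credentials. Which of the two it prefers is not visible here, so please confirm that an empty token is treated as unset. If the token is not used in this environment, drop the key and mark that env entry `optional: true` on its `secretKeyRef`, so the intended auth method is unambiguous.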
@@ -15,8 +20,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-08-30T12:03:16Z" - mac: ENC[AES256_GCM,data:xMFW0lGtnSH5TtLZCdl3Jn4Qm8ewarSVLnvN0ImTqUEWYCJ0QA/5gf+nAntq81YmEgA7vyj6Bf14EAaHqPz03pXH9EMR02TVeUm4ef7YnMDka0jY9HSyNQ8PvdhXSETNjj1IoykRyL8DXI4D3PRr/x3NQgx+Ly0Z/ccNRi9+ns0=,iv:ZeW/JZAYI1KUgxcDNk7G6w6ah0RQeyOE7GSFy257a0Y=,tag:xcMHcBI4//BgY19JMp0j+A==,type:str] + lastmodified: "2024-09-13T10:59:09Z" + mac: ENC[AES256_GCM,data:bVltoZ8uzgwdaxVbYRyZYwBym6jKhQMU9erZccbNVcj1DtnWCxO5Q9wxCmEW6rjf/orQL99ykrgAQSMZ45jY1o/ahRQ3RuESDMsaqBXh6rdN8N0zbvxGd9feILO4bKlJEIBxOTxnMiZnBEZKcDlo/lU1czI4PdPJYJWc/HUifBU=,iv:lsXjZ3HTWRe9Ecg+SSHz2NI7rhFRMO+7aKZqN8kcMZI=,tag:M8b8rmfwc/llRhsWl5jDWg==,type:str] pgp: - created_at: "2024-07-02T12:31:06Z" enc: |- From 3c1bac238a62b6f5c7d06500a62595253078dd6e Mon Sep 17 00:00:00 2001 From: Jan Schoone <6106846+jschoone@users.noreply.github.com> Date: Fri, 13 Sep 2024 13:12:11 +0200 Subject: [PATCH 06/41] test: clusterstack behavior Signed-off-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> --- kyverno/config/per-playground-resources.yaml | 143 +++++++++++++------ 1 file changed, 100 insertions(+), 43 deletions(-) diff --git a/kyverno/config/per-playground-resources.yaml b/kyverno/config/per-playground-resources.yaml index 4dfb893..1774b28 100644 --- a/kyverno/config/per-playground-resources.yaml +++ b/kyverno/config/per-playground-resources.yaml 
@@ -13,32 +13,89 @@ spec: validationFailureAction: Audit generateExisting: true rules: - - name: generate-clusterstack + - name: generate-cspotemplate match: any: - resources: kinds: - Namespace names: - - '*playground*' + - "*playground*" + generate: + apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 + kind: OpenStackClusterStackReleaseTemplate + name: cspotemplate + namespace: "{{request.object.metadata.name}}" + synchronize: true + data: + metadata: + name: cspotemplate + namespace: "{{request.object.metadata.name}}" + spec: + template: + spec: + identityRef: + kind: Secret + name: openstack + - name: generate-clusterstack-131 + match: + any: + - resources: + kinds: + - Namespace + names: + - "*playground*" generate: apiVersion: clusterstack.x-k8s.io/v1alpha1 + kind: ClusterStack + name: scs-cluster-stack-1-31 + namespace: "{{request.object.metadata.name}}" + synchronize: true data: metadata: - name: scs-cluster-stack - namespace: '{{request.object.metadata.name}}' + name: scs-cluster-stack-1-31 + namespace: "{{request.object.metadata.name}}" spec: autoSubscribe: false channel: stable - kubernetesVersion: '1.27' + kubernetesVersion: "1.31" name: scs - noProvider: true provider: openstack + providerRef: + apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 + kind: OpenStackClusterStackReleaseTemplate + name: cspotemplate versions: - - v4 + - v0-sha.uwjqzaq + - name: generate-clusterstack-130 + match: + any: + - resources: + kinds: + - Namespace + names: + - "*playground*" + generate: + apiVersion: clusterstack.x-k8s.io/v1alpha1 + data: + metadata: + name: scs-cluster-stack-1-30 + namespace: "{{request.object.metadata.name}}" + spec: + autoSubscribe: false + channel: stable + kubernetesVersion: "1.30" + name: scs + providerRef: + apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 + kind: OpenStackClusterStackReleaseTemplate + name: cspotemplate + provider: openstack + versions: + - v0-sha.lkpzztq kind: ClusterStack - name: scs-cluster-stack - 
namespace: '{{request.object.metadata.name}}' + name: scs-cluster-stack-1-30 + namespace: "{{request.object.metadata.name}}" synchronize: true - name: generate-rolebinding match: @@ -47,17 +104,17 @@ spec: kinds: - Namespace names: - - '*playground*' + - "*playground*" generate: synchronize: true apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding name: scs-tenant-rolebinding - namespace: '{{request.object.metadata.name}}' + namespace: "{{request.object.metadata.name}}" data: metadata: name: scs-tenant-rolebinding - namespace: '{{request.object.metadata.name}}' + namespace: "{{request.object.metadata.name}}" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
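Review bot: The three new generate rules in the `@@ -13,32 +13,89 @@` hunk trigger on the namespace name glob `"*playground*"`, so any namespace whose name merely contains that substring gets an OpenStackClusterStackReleaseTemplate bound to the `openstack` Secret plus two ClusterStacks. Who may create namespaces in this cluster is not visible here. If that is not tightly restricted, matching on a label set by the provisioning flow (`selector: {matchLabels: {<label-key>: "<value>"}}`) is a narrower trigger than a name pattern. Also, `identityRef` points at a Secret named `openstack` that no rule in this hunk generates, so please confirm it is created in each playground namespace by some other path. Otherwise the template resolves to nothing.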
@@ -65,34 +122,34 @@ spec: subjects: - apiGroup: rbac.authorization.k8s.io kind: Group - name: 'oidc:SovereignCloudStack:moin-cluster-all-playgrounds' - - name: generate-kamaji-clusterstack - match: - any: - - resources: - kinds: - - Namespace - names: - - '*playground*' - generate: - apiVersion: clusterstack.x-k8s.io/v1alpha1 - data: - metadata: - name: kamaji - namespace: '{{request.object.metadata.name}}' - spec: - provider: openstack - name: kamaji - kubernetesVersion: "1.30" - channel: custom - autoSubscribe: false - providerRef: - apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 - kind: OpenStackClusterStackReleaseTemplate - name: cspotemplate - versions: - - v0-sha.11930ee - kind: ClusterStack - name: kamaji - namespace: '{{request.object.metadata.name}}' - synchronize: true + name: "oidc:SovereignCloudStack:moin-cluster-all-playgrounds" + #- name: generate-kamaji-clusterstack + # match: + # any: + # - resources: + # kinds: + # - Namespace + # names: + # - '*playground*' + # generate: + # apiVersion: clusterstack.x-k8s.io/v1alpha1 + # data: + # metadata: + # name: kamaji + # namespace: '{{request.object.metadata.name}}' + # spec: + # provider: openstack + # name: kamaji + # kubernetesVersion: "1.30" + # channel: custom + # autoSubscribe: false + # providerRef: + # apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 + # kind: OpenStackClusterStackReleaseTemplate + # name: cspotemplate + # versions: + # - v0-sha.11930ee + # kind: ClusterStack + # name: kamaji + # namespace: '{{request.object.metadata.name}}' + # synchronize: true From f4ac19d48852071f1f4e760db97f36af9d5907b4 Mon Sep 17 00:00:00 2001 From: Jan Schoone <6106846+jschoone@users.noreply.github.com> Date: Fri, 13 Sep 2024 21:58:12 +0200 Subject: [PATCH 07/41] feat: enable kamaji cluster stacks 
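Review bot: The `generate-kamaji-clusterstack` rule is disabled by turning the whole block into comments, which leaves dead configuration in the policy and no record of why it is off; deleting the rule and relying on history, or keeping a one-line reason such as `# disabled until <reason>`, would read better. Because the rule had `synchronize: true`, removing it may also make Kyverno delete the `kamaji` ClusterStack objects it generated in existing playground namespaces, depending on the Kyverno version in use, so it is worth checking that nothing still depends on them. The same block is commented out again in the `@@ -123,33 +123,33 @@` hunk of PATCH 10/41. The rolebinding rule above it begins outside this hunk.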
Signed-off-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> --- kyverno/config/per-playground-resources.yaml | 60 ++++++++++---------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/kyverno/config/per-playground-resources.yaml b/kyverno/config/per-playground-resources.yaml index 1774b28..d33773e 100644 --- a/kyverno/config/per-playground-resources.yaml +++ b/kyverno/config/per-playground-resources.yaml @@ -123,33 +123,33 @@ spec: - apiGroup: rbac.authorization.k8s.io kind: Group name: "oidc:SovereignCloudStack:moin-cluster-all-playgrounds" - #- name: generate-kamaji-clusterstack - # match: - # any: - # - resources: - # kinds: - # - Namespace - # names: - # - '*playground*' - # generate: - # apiVersion: clusterstack.x-k8s.io/v1alpha1 - # data: - # metadata: - # name: kamaji - # namespace: '{{request.object.metadata.name}}' - # spec: - # provider: openstack - # name: kamaji - # kubernetesVersion: "1.30" - # channel: custom - # autoSubscribe: false - # providerRef: - # apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 - # kind: OpenStackClusterStackReleaseTemplate - # name: cspotemplate - # versions: - # - v0-sha.11930ee - # kind: ClusterStack - # name: kamaji - # namespace: '{{request.object.metadata.name}}' - # synchronize: true + - name: generate-kamaji-clusterstack + match: + any: + - resources: + kinds: + - Namespace + names: + - '*playground*' + generate: + apiVersion: clusterstack.x-k8s.io/v1alpha1 + data: + metadata: + name: kamaji + namespace: '{{request.object.metadata.name}}' + spec: + provider: openstack + name: kamaji + kubernetesVersion: "1.30" + channel: custom + autoSubscribe: false + providerRef: + apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 + kind: OpenStackClusterStackReleaseTemplate + name: cspotemplate + versions: + - v0-sha-frco630 + kind: ClusterStack + name: kamaji + namespace: '{{request.object.metadata.name}}' + synchronize: true 
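Review bot: The re-enabled rule pins `versions` to `v0-sha-frco630`, with a hyphen after `sha`, while the other pinned builds in this file are written with a dot (for example `v0-sha.uwjqzaq`); unless the release really is named that way the stack will not be found, and the line should read `- v0-sha.frco630`. The `names` and `namespace` values also come back single-quoted although the previous commit moved the file to double quotes. The enclosing policy starts outside the hunk.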
From c059e1c8bbabb995a17fcc68461b20aed12306b0 Mon Sep 17 00:00:00 2001 From: Jan Schoone <6106846+jschoone@users.noreply.github.com> Date: Sat, 14 Sep 2024 15:14:43 +0200 Subject: [PATCH 08/41] fix: add missing rbac Signed-off-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> --- kyverno/installation/helmrelease.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kyverno/installation/helmrelease.yaml b/kyverno/installation/helmrelease.yaml index c930555..2a160f7 100644 --- a/kyverno/installation/helmrelease.yaml +++ b/kyverno/installation/helmrelease.yaml @@ -62,6 +62,7 @@ spec: - patch - apiGroups: - infrastructure.clusterstack.x-k8s.io + - infrastructure.cluster.x-k8s.io resources: - "*" verbs: From 11961f6888545669f046eb1f30340ce4642e9534 Mon Sep 17 00:00:00 2001 From: Jan Schoone <6106846+jschoone@users.noreply.github.com> Date: Sat, 14 Sep 2024 15:21:37 +0200 Subject: [PATCH 09/41] fix: typo Signed-off-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> --- kyverno/config/per-playground-resources.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kyverno/config/per-playground-resources.yaml b/kyverno/config/per-playground-resources.yaml index d33773e..0be7aa0 100644 --- a/kyverno/config/per-playground-resources.yaml +++ b/kyverno/config/per-playground-resources.yaml @@ -130,13 +130,13 @@ spec: kinds: - Namespace names: - - '*playground*' + - "*playground*" generate: apiVersion: clusterstack.x-k8s.io/v1alpha1 data: metadata: name: kamaji - namespace: '{{request.object.metadata.name}}' + namespace: "{{request.object.metadata.name}}" spec: provider: openstack name: kamaji @@ -148,8 +148,8 @@ spec: kind: OpenStackClusterStackReleaseTemplate name: cspotemplate versions: - - v0-sha-frco630 + - v0-sha.frco630 kind: ClusterStack name: kamaji - namespace: '{{request.object.metadata.name}}' + namespace: "{{request.object.metadata.name}}" synchronize: true 
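Review bot: Adding `infrastructure.cluster.x-k8s.io` to this entry gives Kyverno get/create/update/delete/watch/list/patch on every resource in that API group through `resources: "*"`, which is wider than a generate policy normally needs. The policies visible in this series only generate `OpenStackClusterStackReleaseTemplate`, `ClusterStack` and `RoleBinding` objects, so it would be safer to name the resources that actually have to be written, e.g. `resources: ["<resource-plural>"]`, and to give the new group its own entry so the two groups can be scoped separately. PATCH 14/41 extends the same wildcard entry with `addons.cluster.x-k8s.io` and has the same problem. The `extraResources` list and the controller it belongs to start outside the hunk, so which Kyverno service account receives these rights cannot be confirmed from here.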
From 9bbc74c0dba098acb333d00a0c0b5fab61884056 Mon Sep 17 00:00:00 2001 From: Jan Schoone <6106846+jschoone@users.noreply.github.com> Date: Thu, 26 Sep 2024 10:11:57 +0200 Subject: [PATCH 10/41] test: deactivate kamaji cluster stack Signed-off-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> --- kyverno/config/per-playground-resources.yaml | 60 ++++++++++---------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/kyverno/config/per-playground-resources.yaml b/kyverno/config/per-playground-resources.yaml index 0be7aa0..24bd0f0 100644 --- a/kyverno/config/per-playground-resources.yaml +++ b/kyverno/config/per-playground-resources.yaml 
@@ -123,33 +123,33 @@ spec: - apiGroup: rbac.authorization.k8s.io kind: Group name: "oidc:SovereignCloudStack:moin-cluster-all-playgrounds" - - name: generate-kamaji-clusterstack - match: - any: - - resources: - kinds: - - Namespace - names: - - "*playground*" - generate: - apiVersion: clusterstack.x-k8s.io/v1alpha1 - data: - metadata: - name: kamaji - namespace: "{{request.object.metadata.name}}" - spec: - provider: openstack - name: kamaji - kubernetesVersion: "1.30" - channel: custom - autoSubscribe: false - providerRef: - apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 - kind: OpenStackClusterStackReleaseTemplate - name: cspotemplate - versions: - - v0-sha.frco630 - kind: ClusterStack - name: kamaji - namespace: "{{request.object.metadata.name}}" - synchronize: true + #- name: generate-kamaji-clusterstack + # match: + # any: + # - resources: + # kinds: + # - Namespace + # names: + # - "*playground*" + # generate: + # apiVersion: clusterstack.x-k8s.io/v1alpha1 + # data: + # metadata: + # name: kamaji + # namespace: "{{request.object.metadata.name}}" + # spec: + # provider: openstack + # name: kamaji + # kubernetesVersion: "1.30" + # channel: custom + # autoSubscribe: false + # providerRef: + # apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 + # kind: OpenStackClusterStackReleaseTemplate + # name: cspotemplate + # versions: + # - v0-sha.frco630 + # kind: ClusterStack + # name: kamaji + # namespace: "{{request.object.metadata.name}}" + # synchronize: true From 6cfa740907dfccb80a4bf8e352df566bcd03d264 Mon Sep 17 00:00:00 2001 From: Jan Schoone <6106846+jschoone@users.noreply.github.com> Date: Thu, 26 Sep 2024 10:15:35 +0200 Subject: [PATCH 11/41] kyverno/config/per-playground-resources.yaml Signed-off-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> --- kyverno/config/per-playground-resources.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/kyverno/config/per-playground-resources.yaml b/kyverno/config/per-playground-resources.yaml index 24bd0f0..06d3bca 100644 --- a/kyverno/config/per-playground-resources.yaml +++ b/kyverno/config/per-playground-resources.yaml @@ -66,7 +66,7 @@ spec: kind: OpenStackClusterStackReleaseTemplate name: cspotemplate versions: - - v0-sha.uwjqzaq + - v0-sha.ve8qmt7 - name: generate-clusterstack-130 match: any: @@ -92,7 +92,7 @@ spec: name: cspotemplate provider: openstack versions: - - v0-sha.lkpzztq + - v0-sha.onehude kind: ClusterStack name: scs-cluster-stack-1-30 namespace: "{{request.object.metadata.name}}" From 7f6c673e607600918ade51cb7db1131cb162188f Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Sat, 12 Oct 2024 15:15:02 +0200 Subject: [PATCH 12/41] chore(capi): bump versions Signed-off-by: Jan Schoone --- capi/config/cabp.yaml | 2 +- capi/config/cacpp.yaml | 2 +- capi/config/caip.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/capi/config/cabp.yaml b/capi/config/cabp.yaml index d832847..271e746 100644 --- a/capi/config/cabp.yaml +++ b/capi/config/cabp.yaml @@ -10,4 +10,4 @@ metadata: name: kubeadm namespace: capi-kubeadm-bootstrap-system spec: - version: v1.8.3 + version: v1.8.4 diff --git a/capi/config/cacpp.yaml b/capi/config/cacpp.yaml index 5a11561..66565b8 100644 --- a/capi/config/cacpp.yaml +++ b/capi/config/cacpp.yaml @@ -15,4 +15,4 @@ spec: MachinePool: true ClusterTopology: true KubeadmBootstrapFormatIgnition: false - version: v1.8.3 + version: v1.8.4 diff --git a/capi/config/caip.yaml b/capi/config/caip.yaml index 23d38f5..a2c3a74 100644 --- a/capi/config/caip.yaml +++ b/capi/config/caip.yaml @@ -2,12 +2,12 @@ apiVersion: v1 kind: Namespace metadata: - name: openstack-infrastructure-system + name: capo-system --- apiVersion: operator.cluster.x-k8s.io/v1alpha2 kind: InfrastructureProvider metadata: name: openstack - namespace: openstack-infrastructure-system + namespace: capo-system spec: version: v0.10.5 
From 904b322e0bfaf9e4101fbacbf300f8b38c61f6f2 Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Sat, 12 Oct 2024 15:29:52 +0200 Subject: [PATCH 13/41] chore(kyverno): bump versions Signed-off-by: Jan Schoone --- kyverno/installation/helmrelease.yaml | 76 +++++++++++++-------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/kyverno/installation/helmrelease.yaml b/kyverno/installation/helmrelease.yaml index 2a160f7..c9306ff 100644 --- a/kyverno/installation/helmrelease.yaml +++ b/kyverno/installation/helmrelease.yaml @@ -11,7 +11,7 @@ spec: spec: chart: kyverno reconcileStrategy: ChartVersion - version: v3.2.2 + version: v3.2.7 sourceRef: kind: HelmRepository name: kyverno @@ -25,53 +25,53 @@ spec: clusterRole: extraResources: - apiGroups: - - cluster.x-k8s.io + - cluster.x-k8s.io resources: - - "*" + - "*" verbs: - - get - - create - - update - - delete - - watch - - list - - patch + - get + - create + - update + - delete + - watch + - list + - patch - apiGroups: - - "" + - "" resources: - - "secrets" + - "secrets" verbs: - - get - - create - - update - - delete - - watch - - list - - patch + - get + - create + - update + - delete + - watch + - list + - patch - apiGroups: - - clusterstack.x-k8s.io + - clusterstack.x-k8s.io resources: - - "*" + - "*" verbs: - - get - - create - - update - - delete - - watch - - list - - patch + - get + - create + - update + - delete + - watch + - list + - patch - apiGroups: - - infrastructure.clusterstack.x-k8s.io - - infrastructure.cluster.x-k8s.io + - infrastructure.clusterstack.x-k8s.io + - infrastructure.cluster.x-k8s.io resources: - - "*" + - "*" verbs: - - get - - create - - update - - delete - - watch - - list - - patch + - get + - create + - update + - delete + - watch + - list + - patch interval: 10s targetNamespace: kyverno From b79ab712a6490ed51ef37df360f8dba99b858dc9 Mon Sep 17 00:00:00 2001 
From: Jan Schoone Date: Sat, 12 Oct 2024 15:35:55 +0200 Subject: [PATCH 14/41] feat(kyverno): add permissions for clusterresourcesets Signed-off-by: Jan Schoone --- kyverno/installation/helmrelease.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kyverno/installation/helmrelease.yaml b/kyverno/installation/helmrelease.yaml index c9306ff..789c334 100644 --- a/kyverno/installation/helmrelease.yaml +++ b/kyverno/installation/helmrelease.yaml @@ -63,6 +63,7 @@ spec: - apiGroups: - infrastructure.clusterstack.x-k8s.io - infrastructure.cluster.x-k8s.io + - addons.cluster.x-k8s.io resources: - "*" verbs: From 735e0c8b807ae668d14ffc9c91285de5802ca272 Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Tue, 15 Oct 2024 20:49:11 +0200 Subject: [PATCH 15/41] feat(installation): add dex fix(dex): typo fix(dex): typo fix(dex): fix namespace for the secret Signed-off-by: Jan Schoone --- README.md | 1 + prod/dex/installation/helmrelease.yaml | 26 ++++ prod/dex/installation/helmrepo.yaml | 9 ++ prod/dex/installation/kustomization.yaml | 6 + prod/dex/installation/secret-values.yaml | 136 ++++++++++++++++++ prod/flux/config/kustomization.yaml | 1 + .../flux/config/prod-dex-installation-ks.yaml | 17 +++ 7 files changed, 196 insertions(+) create mode 100644 prod/dex/installation/helmrelease.yaml create mode 100644 prod/dex/installation/helmrepo.yaml create mode 100644 prod/dex/installation/kustomization.yaml create mode 100644 prod/dex/installation/secret-values.yaml create mode 100644 prod/flux/config/prod-dex-installation-ks.yaml diff --git a/README.md b/README.md index 4d4f067..33d6b63 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,7 @@ The prod components include all of the above and additionally include: - Kyverno policies - secrets for gx-scs, dns, github - pre-deployed namespaces with secrets +- dex ### Development setup diff --git a/prod/dex/installation/helmrelease.yaml b/prod/dex/installation/helmrelease.yaml new file mode 100644 index 0000000..5027466 --- /dev/null 
+++ b/prod/dex/installation/helmrelease.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta2 +kind: HelmRelease +metadata: + name: dex + namespace: flux-system +spec: + releaseName: dex + persistentClient: false # hopefully this mimics --wait + chart: + spec: + chart: dex + reconcileStrategy: ChartVersion + version: 0.19.1 + sourceRef: + kind: HelmRepository + name: dex + install: + createNamespace: true + remediation: + retries: -1 + valuesFrom: + - kind: Secret + name: dex-secret-values + interval: 3m0s + targetNamespace: dex diff --git a/prod/dex/installation/helmrepo.yaml b/prod/dex/installation/helmrepo.yaml new file mode 100644 index 0000000..bfeec97 --- /dev/null +++ b/prod/dex/installation/helmrepo.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: dex + namespace: flux-system +spec: + interval: 1m0s + url: "https://charts.dexidp.io" diff --git a/prod/dex/installation/kustomization.yaml b/prod/dex/installation/kustomization.yaml new file mode 100644 index 0000000..79e0332 --- /dev/null +++ b/prod/dex/installation/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- helmrelease.yaml +- helmrepo.yaml +- secret-values.yaml diff --git a/prod/dex/installation/secret-values.yaml b/prod/dex/installation/secret-values.yaml new file mode 100644 index 0000000..dfb40d5 --- /dev/null +++ b/prod/dex/installation/secret-values.yaml 
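Review bot: The comment on `persistentClient: false # hopefully this mimics --wait` in the new dex HelmRelease describes behaviour that field does not control: in Flux's HelmRelease API `persistentClient` decides whether the Kubernetes client is reused across the Helm action, while waiting for resources is governed by `disableWait` under `install`/`upgrade` and is on by default. Either drop the field or replace the comment with the real reason, for example `persistentClient: false  # chart creates CRDs outside Helm's CRD handling` if that is the case. Separately, `retries: -1` under `install.remediation` retries a failing install without limit; a small positive count makes a broken release surface as failed instead of looping.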
@@ -0,0 +1,136 @@ +apiVersion: v1 +data: + values.yaml: ENC[AES256_GCM,data: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,iv:mfJuoyb4myNMVLLgd2VePpLUHSrVi67osVwVopmKRm4=,tag:oMRo+BAWwBhq3muPpHkb2A==,type:str] +kind: Secret +metadata: + creationTimestamp: null + name: dex-secret-values + namespace: flux-system +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-10-15T18:55:28Z" + mac: ENC[AES256_GCM,data:JBz6HWQTh8PyDYM2yah3JT6EOTXVaSy/jiSQSqjmbFHUy04NPrW8172GUjjkNV7LyHOKwjq2RItfMIdiZU5m/W7a8HJwe3v93xQ6x7p9Bz/DnYEuLRGHRW/UUPyd1HB9LZvjDh2PUTXkUFJ6Ejbgg1rDO5226EnemSfkWkmFiuk=,iv:HDe4ix8ZApEu/j8hbqvcJf0NKvXpe/4ee8GIa6O0i1I=,tag:S5P3yjFRCry0GLFTZWgsCA==,type:str] + pgp: + - created_at: "2024-10-15T18:44:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAyBxDD99NeTXAQ/+OcjD6xwxOXkW5o2FccP/bO6lEv0ZLbmfzgAAqFkatqIZ + ojIetCv2VUpFGJe5lfgKwWfAgr/NR+sKueOZD0Oxe4XMy5mKUov7mFQ56ceyaKOm + +0oTgtyiGsP9ytRwwPjQoLHZ56FSSMsKtCh22N/ZI0AVd625weZbLM22z78t+qds + HSffsovrw2UlIjZJsy64lvyy1lJdLkUa9ZgkVLfykln7B9erQGsalQXdunxV2bgN + Ue7JMyrtu8mx0agonE2LSQ02Ehh4itOphBlPYuA5gOg8S8KhVbA4SGP/oDTV6bH+ + KK6xBsvCzilP4XDqemJ/Q5cy7zNR9v5Y6VX5oyNABZHejUrNNT/5eaOoXoazJvEE + tnCJuEY8q5zkLI5lLCfCtnoAxMZ8VdHPG51bJvPhlKRq9jlycfMOgumJQvQ2jghI + WCJqalZFxHyWTErN3fI0gaeA3XkQl3cwFBZJpHrm+C4ycPr6BTbzGdPXuMsKNLVh + 7jGlLORgrWWCpVFdYF1N9lwhi5p5x/d8fKvXjtgvCIKZizMGxtPlcruvIfA+fGxi + uYoGGWLjePd7Yhc2R8BxVFdh9n7GOGsy++3m6tDWBakJqbBdbT2spPCbBPX5JDt7 + gnC8sTk1kNO1OGbftCYLaGrTvUsfAmf5kXw78mTcBZ+GtTiM17X5vsRN29bg4SDS + UQFJTJMmpVMCoD5M+v7S7xl9WCd16MKAeMTJztfrAEluIAN25nbAQgJAuHLDl1Xf + L5y0Tfhc1tzZMm8pcjYHL7ka6sq+sVSjLDzNLqd4G84RQw== + =WWVK + -----END PGP MESSAGE----- + fp: CCCA3F0D6E841833AC56DAED48E4E0C7613AAB14 + - created_at: "2024-10-15T18:44:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA6Kr4c7HLrmXARAAtXoGTwXNhlH48SHFZJVry/y495se/b3lzIc3q0hmTBj1 + LlR+uKiSNlsI+qr6tW2FTqxlq0z6saeiNUaip0pDdB+hzxCMktaO/xtbh3PYSYHS + 
UNfJrHMFCdoNJbpFxbJ392gj8aAswC7HVnZsaTwfOZDHlo2bxJNPvjVZAXJyuEr0 + JJaEPzHjuL/QwzHrteH++3qOoV1hBbrJtrQVG5DshaZVNFjshtZPCXux2vrfYNjn + uAnRyLHmPdg++kYqFdtjp6hciIRUIgfT9AvfCQFdzrYZBBJmCVvECZIvn10zsv8e + HMmzhG7QNxCBO54I2f94lMEYlsD3wjmy2s+l9mII8ixW3L1O4D5LXCBRHUHyjghm + mZADdY08EwFBxnlhOUhUKVqH6I4yanzXGEyms86QiO4sMj4taAmqlT8gWg7Fv5Hs + FA72ery40U0dp+I36uxmlGtSJEk5RAmwv9YlNFhkLE3c/96J5cS0tF2AiZ7oGAzy + RDnOMF3gUKDo8K8GhyN1sZeEf1EDdlIUMUBGkSar0h5My8WH1K/rzQaOJ4n1NHB6 + MNzPIMgDS9hZXkTFSza06K9qpH3Ug6Z7k9SBTm3I8y49TbT+yZOkkICkMW/775c6 + SNJQhAaUIqDtHjLEc8IGX9OTltZrvmo96EsqMcbPF5DM3G3GkuHBJbvhLXmaP27S + UQEtCJzljSOdUbKD40yLcWYO1tMKzRZisaKE5VC3Eqof/xOdL8hjEK8GvO+lwXcY + fY1sQNyoL4DsZP6rkRU37gTtq9504k5KyEq81qp2e1xtVw== + =XYdW + -----END PGP MESSAGE----- + fp: DF71497C07110D584ED5D379CB3A922F8FAE3D50 + - created_at: "2024-10-15T18:44:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA/o5Gaf/w6e6AQ//fmwnIzHBenYxtSW4fBOw38r3qICKMYo6EMizvDfL6L84 + Z+8mAlRhFHsDcWSj+ljfKY4csmr0vGiTI2vYJBXlbt3grK2z5ROBp/R87UDlpMOZ + eLyEZzhstDAPYtFX7wz5uu6H7m6OIdkECGqp4/tnjIRfWTX4K8yM1ha2pdw3dYfZ + LBtujJ09+fqAvASkh1AhepYL83YZWOf5iq3UxZDkWt2NL2g4LoHhlgOGZHrBzCrd + MT9Xn50TAJBpaNFmwFFf1NT3c3/pDBhKduJlGVZe7GwJV++LKKHxM+RMN5vnnZ8i + d8WzRC5GXAw/EBcl50xbY7XXwdWYCVJPnw2+sK3g0RCySgs3Wa/V19h71Q3ucvoK + vfWxV81G7FkcAWhmI8kihfwiQ4ZVkYxjnpga86QB8kwX+yFECXr/0quDeU4IPDc6 + Y13X/LT6rXhfc+wbMyalIv/EyShPjINCcEm3zHG08id4Rvu97KVcj4Pl+OjrTkFx + QRWe3soCzMaHlM6CbCz3DS+U0w/AqAB4dit5WvNsDK35F8iYUMnbcBzN53v0oBgq + gHZBEbJBku09m1k9NmO2it2AJg6tBHppxQPknFG4VX3rgLzjPd2RIcbVz5OANYZ/ + fh6Nvlg2s9kgG745wBMA/bQczKPoU5Py6C8SQgLvKohodMrxmtOf/wCPdtPHnQnS + UQFNxkwk8tlSw6OL73R15uRHT4PI6NnE0oKIsyO5o99+ZSG8LC3frCrlMVRVHc1h + 9jFsIL3SHCrt+IKNhUTCtEAyGPHNvzbxbbkLoy/QfOeSEg== + =phnr + -----END PGP MESSAGE----- + fp: 5AAE7807A91FBAA7A5DB246B52A2E96A7268BCCE + - created_at: "2024-10-15T18:44:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wV4Ds9lh1tfJlukSAQdAt0AhswE7hoQffe24kD9PUQQvy2Rv6k08YDcM/LTaYEsw + 
fGkJO6KuCpLAlkbmfEiwbJ9AMr7Ety24M8n8/EIQaopF9x3rlGZr3F3d9BjTK9+Q + 0lEBx4/e/JUXHcXBkIIoMGwgod87PUKu5k1G1pebJYzQfsy8SV31GWIQ1mR0tW8t + 21DWqBUUeCAuOzFhE/ubX+AsUxyifwDBygIbO14m824Qr6Y= + =2U9N + -----END PGP MESSAGE----- + fp: 6A413E28286599A84595529EB2F65CBDF1C65D3A + - created_at: "2024-10-15T18:44:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA2VTGvlVjirjAQ//VErdxDqWQga7Y4WSilVW94mytI/xubThf9bF2hLeH49A + RjWTsQO5UlmUZkhJ1f8OfQHkz4oZ8fUw/S5+3iQ2L8/RZO0BMzV6p8nYdPi88nk8 + XDsCBcWPH5eAqm06eVV4fq27pl2b8iIysAxn7HKwD4aEOyiU/fPQKW45tq3KedIl + QQY+sNdTQTpUCym2KOzqBfDGVesjS8L7mkPuK6UmrQVYD008GtahVIEah7Y/LbWE + vDhBx+bjAu0gA9jwIFEb/xNfSTjwBcTHyN+VbVDW3NOWDPBEn12gOpqHBxsXRYem + KP7rpWoyDJXU/0SV7ls53U4yALaji18ekugxuaj5lkRJjqRw8WW0DMQNefdau9WC + 8j6ThPMaL0d+oDh2wWKVGChAHeD4ElfPJIVKbW6rljcjS3KYxK/B2bgHQAgnMerp + aRTZPoOp4tCwCOnGJFH8mQ5vnqjRPCUM395AsVBZiA6lEdiEbxwqoAeAIs+GrkSn + k7dplXidGhh8JQypcvgxuYdAAGeb5TMdkGFmRVRr9obMH0+Xy6woYVdSd3R1+rLa + cp612sVdUctuZa+JXRGPNXgwb8D350+q2AzE6nmPoIee37fT2MOeGeNuGCnFRIHy + uEU6lVYj5AbzbKTRdU/tGWzCWXKWDHjx7zcvLFjvQjy+TgbMdgvfSfyXlOvsFXHS + UQG2J3caJbwA6D1KMkm8ato2BsofX5e4hJhQOjUfL5cgL8UcGkArygE2GQhO4FDk + XIS3kgDNAZ4vhNk8x3xiEr2HNjNTuqofmCqznEm9h6uPAw== + =cJPb + -----END PGP MESSAGE----- + fp: D48108A56B0EB04A40DEE96775676F49EAFAA9CA + - created_at: "2024-10-15T18:44:24Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA/CESpP6bvPkAQf/Zla3BAvjC9WBaQqccTI2UgTQPZmM8teme+CN1YKGNc/T + x2h+XZcSZeuFj/YZ30CfphT+PvXgTm7XtZ5Vtc1G4QMXOGYuLJVlWfRgKF1J6NmH + wypZFKdsZRZV3M5bM1g0PQyxBCih1hVhw45VR4q36fB4NsPuVHzafBqbxaB4JzYu + OX9uJf0PdcWYPRnOdKIxGhSx2j/wl52ViagJAgtj2iVxn+WBjQVXYepykFkG5c25 + 0i63r1RZOV/8AKu/QP+0jXUpQBsLXZfebL/kU55Y3yisSQLwow1+PlgDSyJGTEq8 + 0kiUAz2hy2DCIRe0eMP++wBeI9BZBkiwJbYjrUgWp9JRARFykKxvYbviP8k5oKqW + GMEyFM1bzghnVPBPgJ+PWiZN5Qn9msJwBjmyyxGNfyhzW3FAWAZa11/f9JwA4PhC + VVwWy1jyXcjlxIkfU7rUo2ES + =av0w + -----END PGP MESSAGE----- + fp: B6829414FCD33331EBD08EC3F70112A73CB97C21 + - created_at: "2024-10-15T18:44:24Z" + enc: |- + 
-----BEGIN PGP MESSAGE----- + + wV4DbYZvvToLQQASAQdAjBzmwjB+B4FWc5AGSs19bsdf7bOGCTpdX/IG4d2+Xx0w + V7asuyE7EIlDiXnOwkRi6+C+XnLBS9HRwvsh+cUbdqgga9l5cLiaTg1IcJLoq4CY + 0lEBQbHqnlIcJINLVatSyisGt6p3MoF+JJ9xMY2EhAgMR7uUv4gMVC0D2ojNUS64 + V3C/TBVb34puSrtoiiNAvSQBavrWNrtITIaGOd9T/e6pvYk= + =K2Xj + -----END PGP MESSAGE----- + fp: 92842ACE52D2B8C77F9A59662AAB6EE5E2C8EE71 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 diff --git a/prod/flux/config/kustomization.yaml b/prod/flux/config/kustomization.yaml index 0dad19b..3eaca3f 100644 --- a/prod/flux/config/kustomization.yaml +++ b/prod/flux/config/kustomization.yaml @@ -5,6 +5,7 @@ resources: - prod-cso-config-ks.yaml - prod-cspo-config-ks.yaml - prod-cert-manager-config-ks.yaml + - prod-dex-installation-ks.yaml - prod-external-dns-installation-ks.yaml - prod-ingress-nginx-config-ks.yaml - prod-ingress-nginx-installation-ks.yaml diff --git a/prod/flux/config/prod-dex-installation-ks.yaml b/prod/flux/config/prod-dex-installation-ks.yaml new file mode 100644 index 0000000..e6b491e --- /dev/null +++ b/prod/flux/config/prod-dex-installation-ks.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: prod-dex-installation-ks + namespace: flux-system +spec: + interval: 10m0s + path: ./prod/dex/installation + prune: true + decryption: + provider: sops + secretRef: + name: sops-gpg + sourceRef: + kind: GitRepository + name: flux-system From 25109c0a6057928666297807193ce18c9938449e Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Tue, 15 Oct 2024 21:07:25 +0200 Subject: [PATCH 16/41] chore(dex): prepare dex for prod installation Signed-off-by: Jan Schoone --- prod/dex/installation/secret-values.yaml | 170 +++++++++++------------ 1 file changed, 85 insertions(+), 85 deletions(-) diff --git a/prod/dex/installation/secret-values.yaml b/prod/dex/installation/secret-values.yaml index dfb40d5..1d12c13 100644 --- a/prod/dex/installation/secret-values.yaml 
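Review bot: The whole Helm `values.yaml` for dex is stored as one SOPS-encrypted blob under `data` in `secret-values.yaml`, so none of its settings can be reviewed in a diff. PATCH 16/41 and 18/41 later in the series change only ciphertext, and their subject lines (the latter mentions redirectURIs) are the only record of what changed. Consider keeping just the credentials in the encrypted Secret and moving the non-secret settings into a plain `values:` block or a ConfigMap listed in the HelmRelease `valuesFrom`, so that changes to security-relevant settings such as redirect URIs are visible to reviewers. `creationTimestamp: null` looks like leftover generator output and can be dropped.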
+++ b/prod/dex/installation/secret-values.yaml @@ -1,6 +1,6 @@ apiVersion: v1 data: - values.yaml: ENC[AES256_GCM,data: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,iv:mfJuoyb4myNMVLLgd2VePpLUHSrVi67osVwVopmKRm4=,tag:oMRo+BAWwBhq3muPpHkb2A==,type:str] + values.yaml: ENC[AES256_GCM,data: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,iv:rr/uuVpCyelZZWNf/5ATnAUSw34noNnpiU4C7p4L/KY=,tag:XFcu0bdc7gxhqVqsdt3SKg==,type:str] kind: Secret metadata: creationTimestamp: null 
@@ -12,124 +12,124 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-10-15T18:55:28Z" - mac: ENC[AES256_GCM,data:JBz6HWQTh8PyDYM2yah3JT6EOTXVaSy/jiSQSqjmbFHUy04NPrW8172GUjjkNV7LyHOKwjq2RItfMIdiZU5m/W7a8HJwe3v93xQ6x7p9Bz/DnYEuLRGHRW/UUPyd1HB9LZvjDh2PUTXkUFJ6Ejbgg1rDO5226EnemSfkWkmFiuk=,iv:HDe4ix8ZApEu/j8hbqvcJf0NKvXpe/4ee8GIa6O0i1I=,tag:S5P3yjFRCry0GLFTZWgsCA==,type:str] + lastmodified: "2024-10-15T19:06:26Z" + mac: ENC[AES256_GCM,data:N3Ofzc0vTmlUDvPw4jkN0jR4rBE9wm8PUma0SkvmSX9+uidgA8l6J4Pbkz4K8P3nIy5PaYF2yolaX79+Z+8IbId/jcAPQ1x4gNtSUcmGGfQsG+c+9Yt7UdEYnzzx9VGSVa6Bydltl3uIxRoOxHp9iL0AgPjfbkrVyY9Afo2d4Hg=,iv:0Rcql9fEr7IeW/pGkgPPUzkE9vc7SfG3UP7kS3y+TiI=,tag:OOr2bEJkpP1rmz27N1/oyA==,type:str] pgp: - - created_at: "2024-10-15T18:44:24Z" + - created_at: "2024-10-15T19:06:26Z" enc: |- -----BEGIN PGP MESSAGE----- - wcFMAyBxDD99NeTXAQ/+OcjD6xwxOXkW5o2FccP/bO6lEv0ZLbmfzgAAqFkatqIZ - ojIetCv2VUpFGJe5lfgKwWfAgr/NR+sKueOZD0Oxe4XMy5mKUov7mFQ56ceyaKOm - +0oTgtyiGsP9ytRwwPjQoLHZ56FSSMsKtCh22N/ZI0AVd625weZbLM22z78t+qds - HSffsovrw2UlIjZJsy64lvyy1lJdLkUa9ZgkVLfykln7B9erQGsalQXdunxV2bgN - Ue7JMyrtu8mx0agonE2LSQ02Ehh4itOphBlPYuA5gOg8S8KhVbA4SGP/oDTV6bH+ - KK6xBsvCzilP4XDqemJ/Q5cy7zNR9v5Y6VX5oyNABZHejUrNNT/5eaOoXoazJvEE - tnCJuEY8q5zkLI5lLCfCtnoAxMZ8VdHPG51bJvPhlKRq9jlycfMOgumJQvQ2jghI - WCJqalZFxHyWTErN3fI0gaeA3XkQl3cwFBZJpHrm+C4ycPr6BTbzGdPXuMsKNLVh - 7jGlLORgrWWCpVFdYF1N9lwhi5p5x/d8fKvXjtgvCIKZizMGxtPlcruvIfA+fGxi - uYoGGWLjePd7Yhc2R8BxVFdh9n7GOGsy++3m6tDWBakJqbBdbT2spPCbBPX5JDt7 - gnC8sTk1kNO1OGbftCYLaGrTvUsfAmf5kXw78mTcBZ+GtTiM17X5vsRN29bg4SDS - UQFJTJMmpVMCoD5M+v7S7xl9WCd16MKAeMTJztfrAEluIAN25nbAQgJAuHLDl1Xf - L5y0Tfhc1tzZMm8pcjYHL7ka6sq+sVSjLDzNLqd4G84RQw== - =WWVK + wcFMAyBxDD99NeTXAQ/9Fgg7VGr4SzUUlzcVmtsNYnjqBN7d7oKi1CwsKFQZtME0 + rydcM8FgGIkCXLZVAVvS9aRJTb5AODDKNzs4NOt2QQKIDXZsqwmU6v2Eja4sk59d + b4jdQEA90LYkm96Nf/TZbtZyHhw4WWfpDBH6P+6aEr9vgD6zsZuBBLoYHZyL/tWZ + j43Xjd+F6+rW2W0pyMpme7nLxsBguB4Gy3uo9YWtQUc5gvnu5ststdd+M1C8RCL1 + 
WJA6ABaJYZC0P7fmTDEtJuXRKQPBOL+6/JvKXArx9+aTjdNmnuYwFPOyWqCdcsjw + U3A8HxFLj6s4xvogN3GfKoTwJV9nW/BXhDPbPYaQnLpBkiJDoGgAKmK4Ixa8Mn2Z + Ph2IMyhpk7i0fU5Qd7yIoQurIp0fzfHXDwMBzI3aCU2vJYHxLb8VeJIyf7209EwH + VN41vlz1JKKjH8ezKqX2mr73GQ5CCcyIRJMAaebcDMCmBjlkuONNMaZIzKIgHehb + Ia9IWmlaJHmHc5WKyh5HE2O3XLFkjZb5uOxgMIolhtx2KKIO/8pcXTzMvwTn3yaR + D9SztXvlmOVlc6+UlJTkDWtWUVluvNrDcBY28mSEIh4V5L9DSBoI0sR6om5CAao6 + fjvaeF/BNwCb2y5yIaFxKsN5JPraNq/USosSJe+GtsTysi1LAm80IM7vlHas1O7S + UQEHVttFJ8GYuvjXDIQrn/XKOW9IkQUVLHqUlodxeqUvAGh6Kfu5/v+5Wm6Z1vGx + w3iCdgujC6KIsU4WICgCosU+Rw5biniblhwHRv+tnlLuKQ== + =+Pfk -----END PGP MESSAGE----- fp: CCCA3F0D6E841833AC56DAED48E4E0C7613AAB14 - - created_at: "2024-10-15T18:44:24Z" + - created_at: "2024-10-15T19:06:26Z" enc: |- -----BEGIN PGP MESSAGE----- - wcFMA6Kr4c7HLrmXARAAtXoGTwXNhlH48SHFZJVry/y495se/b3lzIc3q0hmTBj1 - LlR+uKiSNlsI+qr6tW2FTqxlq0z6saeiNUaip0pDdB+hzxCMktaO/xtbh3PYSYHS - UNfJrHMFCdoNJbpFxbJ392gj8aAswC7HVnZsaTwfOZDHlo2bxJNPvjVZAXJyuEr0 - JJaEPzHjuL/QwzHrteH++3qOoV1hBbrJtrQVG5DshaZVNFjshtZPCXux2vrfYNjn - uAnRyLHmPdg++kYqFdtjp6hciIRUIgfT9AvfCQFdzrYZBBJmCVvECZIvn10zsv8e - HMmzhG7QNxCBO54I2f94lMEYlsD3wjmy2s+l9mII8ixW3L1O4D5LXCBRHUHyjghm - mZADdY08EwFBxnlhOUhUKVqH6I4yanzXGEyms86QiO4sMj4taAmqlT8gWg7Fv5Hs - FA72ery40U0dp+I36uxmlGtSJEk5RAmwv9YlNFhkLE3c/96J5cS0tF2AiZ7oGAzy - RDnOMF3gUKDo8K8GhyN1sZeEf1EDdlIUMUBGkSar0h5My8WH1K/rzQaOJ4n1NHB6 - MNzPIMgDS9hZXkTFSza06K9qpH3Ug6Z7k9SBTm3I8y49TbT+yZOkkICkMW/775c6 - SNJQhAaUIqDtHjLEc8IGX9OTltZrvmo96EsqMcbPF5DM3G3GkuHBJbvhLXmaP27S - UQEtCJzljSOdUbKD40yLcWYO1tMKzRZisaKE5VC3Eqof/xOdL8hjEK8GvO+lwXcY - fY1sQNyoL4DsZP6rkRU37gTtq9504k5KyEq81qp2e1xtVw== - =XYdW + wcFMA6Kr4c7HLrmXARAAjQ4ULfdzXJGfs96LMDstzTf0uYNqP0oWIBCTIrcCD2pX + RTptiAVdbIz42RL/6wZmUG6AVjUuFT2ua/qbTUBXD0nnEpMTQC+HnuVf7D+11Awp + /zssUU+9qtfFbDpTBVy+7zUfXfYfXAzE5dJCaIluoheYS4lyUt4gPvLORcZRa7JW + gRYAXCBSEDzAatROe3eICTCcaFJHMNZw/jZshEtKjrub4ihPZBLyKPQ1PtOy289x + /W+wg1Ol8OaGTUpS+b/5py1xYUdmihOuc+yZExQzIKcGZtnzuxizjMdFgK5g32+C + 
vrg9QRqzXpFXZ2SG5mOWRURrFPk8hhHbRmGw44PLTpI2CDjx45ZgErQY4T+6blR8 + pK3ByMHXPX/qoAf5V1ZYwAVCVP5ZsNxjrSmnryI9AbWIU0H4hidb7UO2JcepzgZG + C8J8vwt9NQcnYYNb/S0uv8RsDMU7Co5no5xZWb6Oj/NUmrV83iwvC5L8ERCThEKp + zi+TCGlwiTrOnkSzIrygMPsfj7no+cG4gFPigirrKXjLD/30e6EoUFL7X5YH2jTS + 1yPztYwonUxzTUozeqgJVDflmSiwK7Y/41+Im487uBpr7Qa33revJza1daP0OzZJ + c1sjT/Nq0qiZa93uNL88BPUVKTYi/WtD6at1EKbqCt7wB7GdpsINbaKz9KW+nynS + UQEpT4ZnE7kmh5Z+4Bdfv9gIOcAdCXWSPRkSiXKONph1GVqvvs5B5CiXZyKWhbHG + TZJiP4s6khwwokEo4v+O5RHk0WA6LTag3TPNcdKECvAC5Q== + =mC5U -----END PGP MESSAGE----- fp: DF71497C07110D584ED5D379CB3A922F8FAE3D50 - - created_at: "2024-10-15T18:44:24Z" + - created_at: "2024-10-15T19:06:26Z" enc: |- -----BEGIN PGP MESSAGE----- - wcFMA/o5Gaf/w6e6AQ//fmwnIzHBenYxtSW4fBOw38r3qICKMYo6EMizvDfL6L84 - Z+8mAlRhFHsDcWSj+ljfKY4csmr0vGiTI2vYJBXlbt3grK2z5ROBp/R87UDlpMOZ - eLyEZzhstDAPYtFX7wz5uu6H7m6OIdkECGqp4/tnjIRfWTX4K8yM1ha2pdw3dYfZ - LBtujJ09+fqAvASkh1AhepYL83YZWOf5iq3UxZDkWt2NL2g4LoHhlgOGZHrBzCrd - MT9Xn50TAJBpaNFmwFFf1NT3c3/pDBhKduJlGVZe7GwJV++LKKHxM+RMN5vnnZ8i - d8WzRC5GXAw/EBcl50xbY7XXwdWYCVJPnw2+sK3g0RCySgs3Wa/V19h71Q3ucvoK - vfWxV81G7FkcAWhmI8kihfwiQ4ZVkYxjnpga86QB8kwX+yFECXr/0quDeU4IPDc6 - Y13X/LT6rXhfc+wbMyalIv/EyShPjINCcEm3zHG08id4Rvu97KVcj4Pl+OjrTkFx - QRWe3soCzMaHlM6CbCz3DS+U0w/AqAB4dit5WvNsDK35F8iYUMnbcBzN53v0oBgq - gHZBEbJBku09m1k9NmO2it2AJg6tBHppxQPknFG4VX3rgLzjPd2RIcbVz5OANYZ/ - fh6Nvlg2s9kgG745wBMA/bQczKPoU5Py6C8SQgLvKohodMrxmtOf/wCPdtPHnQnS - UQFNxkwk8tlSw6OL73R15uRHT4PI6NnE0oKIsyO5o99+ZSG8LC3frCrlMVRVHc1h - 9jFsIL3SHCrt+IKNhUTCtEAyGPHNvzbxbbkLoy/QfOeSEg== - =phnr + wcFMA/o5Gaf/w6e6AQ//aeWGutIpwrglqGGratxgpVKDMj0gcYgI8Dkabm1XxN8x + 4MqseiSpSKkxWcUDcXAhofY8iFCyB6VjPOBXC2/7JtlyAxLmOUmM4ZERZz0Tqm4A + nf9tFSDdK3Az64ceFzYyQlzNoGUfI8sGlgLVo41H3tMKiNHFr497Mo1s7LuQbG41 + QnYSAVGap21McQvve4V4trWl0+l2WwWxeGyHlpsY73fHbfebYXjRxpvdmdDH8Gvr + q5s2VmakVCrw2oRmUMME2KXKuPh5fLD1PyNUJDxZkLXAq0/fkivZcA1KhhELWGU6 + ThuoxVFLVFL8COjoM8sL4KrCjdUhKKx/cW8fI6RFzcXuhzN5lwqKieuPvaypMnZU + 
YNPk5zLY9RwkVStb31zCUaEanZKq9mgzhcEyRLgM2qGvT+EzI0OR1P8ec8x+hAg9 + trEeHSpsRLx56Sv3M5MDbFz5juMUTvRiNoyiK8liswsdKJnb4Jq/UDhDEbK5GWOT + G1T2mRId2UAe0uVMmpeN5tqa1Sd07icw52wsBKFgpGzAJwvLp8E8DvwGPgzbuVA2 + bIol50lPQevCMohg8hb2ED507PheEtrSqhO7N3qtdD87hWY2LQUs8WwFAPX6MfXb + 0BA2KWDbua/5r3X6W0x4yChlHa4T687qPlhLvJJnrr/lqW9lRESUOhTQ2bCxsJTS + UQHSGCvDb6bcIz8mS7Sx7BVZTCndxmKtQ3jNQxSEWK5QhjXVMohR5nytZs+26qQm + +7epGeFoxqtu42wLrP8xfKpmX/K5QLkYWuAoD3O1iJKCcQ== + =+OhU -----END PGP MESSAGE----- fp: 5AAE7807A91FBAA7A5DB246B52A2E96A7268BCCE - - created_at: "2024-10-15T18:44:24Z" + - created_at: "2024-10-15T19:06:26Z" enc: |- -----BEGIN PGP MESSAGE----- - wV4Ds9lh1tfJlukSAQdAt0AhswE7hoQffe24kD9PUQQvy2Rv6k08YDcM/LTaYEsw - fGkJO6KuCpLAlkbmfEiwbJ9AMr7Ety24M8n8/EIQaopF9x3rlGZr3F3d9BjTK9+Q - 0lEBx4/e/JUXHcXBkIIoMGwgod87PUKu5k1G1pebJYzQfsy8SV31GWIQ1mR0tW8t - 21DWqBUUeCAuOzFhE/ubX+AsUxyifwDBygIbO14m824Qr6Y= - =2U9N + wV4Ds9lh1tfJlukSAQdAYVO/2wW9gDCUW9Kz+VxjyTdsBLltP52Mos4JPmc+f1ww + MSD5zK6ZLzIXoHbe0lvVIGGHp+pwJxr31CjWAo4TwltUVdqRf+vWmulZ7sVY+OxX + 0lEBRske7xLQV5eYkIsOBWLmBOG0vGHPHh7GT/uSpukWWLND1TPnOMnRn44xnjCm + tt+VOWJrM+qBSkeRoxZ1su1T9BoKZCh3kIJSZSqFQ2DdZPc= + =RubG -----END PGP MESSAGE----- fp: 6A413E28286599A84595529EB2F65CBDF1C65D3A - - created_at: "2024-10-15T18:44:24Z" + - created_at: "2024-10-15T19:06:26Z" enc: |- -----BEGIN PGP MESSAGE----- - wcFMA2VTGvlVjirjAQ//VErdxDqWQga7Y4WSilVW94mytI/xubThf9bF2hLeH49A - RjWTsQO5UlmUZkhJ1f8OfQHkz4oZ8fUw/S5+3iQ2L8/RZO0BMzV6p8nYdPi88nk8 - XDsCBcWPH5eAqm06eVV4fq27pl2b8iIysAxn7HKwD4aEOyiU/fPQKW45tq3KedIl - QQY+sNdTQTpUCym2KOzqBfDGVesjS8L7mkPuK6UmrQVYD008GtahVIEah7Y/LbWE - vDhBx+bjAu0gA9jwIFEb/xNfSTjwBcTHyN+VbVDW3NOWDPBEn12gOpqHBxsXRYem - KP7rpWoyDJXU/0SV7ls53U4yALaji18ekugxuaj5lkRJjqRw8WW0DMQNefdau9WC - 8j6ThPMaL0d+oDh2wWKVGChAHeD4ElfPJIVKbW6rljcjS3KYxK/B2bgHQAgnMerp - aRTZPoOp4tCwCOnGJFH8mQ5vnqjRPCUM395AsVBZiA6lEdiEbxwqoAeAIs+GrkSn - k7dplXidGhh8JQypcvgxuYdAAGeb5TMdkGFmRVRr9obMH0+Xy6woYVdSd3R1+rLa - 
cp612sVdUctuZa+JXRGPNXgwb8D350+q2AzE6nmPoIee37fT2MOeGeNuGCnFRIHy - uEU6lVYj5AbzbKTRdU/tGWzCWXKWDHjx7zcvLFjvQjy+TgbMdgvfSfyXlOvsFXHS - UQG2J3caJbwA6D1KMkm8ato2BsofX5e4hJhQOjUfL5cgL8UcGkArygE2GQhO4FDk - XIS3kgDNAZ4vhNk8x3xiEr2HNjNTuqofmCqznEm9h6uPAw== - =cJPb + wcFMA2VTGvlVjirjAQ/+Mmepfum0GupaF3u3Ltm+Ae6vYReGRnrkCs551BkVfJ3V + e3T6vb6NAlOhc1XEE7GIIwQ9zPYbOh6zI0smjSd/sis45vnrmrrC/P0lgts1j9w+ + Max2Aibe4TWGE2vsXakWv1k1A2stjjoHtOyrGaNgtpQOGnZHuwEl77GofsKx7KzX + HHAou26S1/16FE5A8K/abxt+kCRmktl3mcM3dO/jj0RFioRosGqL0QPDkTzyh/dk + XJs+otNvZU8gkgnxhEh/HluA+5BX4HNgklF18CDZElpAjEAwDKHG9XuB+fXUCFqW + yqomZGr4vrrQAfnTMfBCYGx+MNjiOpC/3guNiZ1lfdv8HiSfI6aKsFzcSeOKApah + 3aV0OFl+XYP/fJeVA8dRiMukiMR1CShRAnttJjRjNP11e/8kViVDjS9qATpoYlcw + OTKye00fuCug8xfQzJ7lrG9atyrQoCTttUPqF2jHagBO8A5ukKKp5R1BHMaXBzYn + LeEv0y1WiH7GPbX4c0FjU9qVb/UyIBPyZ/dofwAIf343Oue1mtHS/oHNiNs0loCN + bNJ4w4XEtGQPuNSHVVQ/Gi2sNYCBPzYhR2tDeo0OVtstq3U6rLp3uDGndVMNMjUH + 5AnWIFaGNu3Jtx7M5+3XlHiBDWK8lJsQTACTiFWrm3jUO+ID/i0zGyjUWdcztkzS + UQE10BdYlJIPgcSzRL3WrrGZKo3hKNmUZYI9jhI90thDsWf6IwuY3uP9wbjwNKpd + 4CQebYob2a2XG3PGTu/my4mE/ze1WaXzEICsA4k+qIxfuw== + =mLAh -----END PGP MESSAGE----- fp: D48108A56B0EB04A40DEE96775676F49EAFAA9CA - - created_at: "2024-10-15T18:44:24Z" + - created_at: "2024-10-15T19:06:26Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA/CESpP6bvPkAQf/Zla3BAvjC9WBaQqccTI2UgTQPZmM8teme+CN1YKGNc/T - x2h+XZcSZeuFj/YZ30CfphT+PvXgTm7XtZ5Vtc1G4QMXOGYuLJVlWfRgKF1J6NmH - wypZFKdsZRZV3M5bM1g0PQyxBCih1hVhw45VR4q36fB4NsPuVHzafBqbxaB4JzYu - OX9uJf0PdcWYPRnOdKIxGhSx2j/wl52ViagJAgtj2iVxn+WBjQVXYepykFkG5c25 - 0i63r1RZOV/8AKu/QP+0jXUpQBsLXZfebL/kU55Y3yisSQLwow1+PlgDSyJGTEq8 - 0kiUAz2hy2DCIRe0eMP++wBeI9BZBkiwJbYjrUgWp9JRARFykKxvYbviP8k5oKqW - GMEyFM1bzghnVPBPgJ+PWiZN5Qn9msJwBjmyyxGNfyhzW3FAWAZa11/f9JwA4PhC - VVwWy1jyXcjlxIkfU7rUo2ES - =av0w + wcBMA/CESpP6bvPkAQf/YTLwcR7HOPOxkLuNvLD+daBWseFX8Iqa+OoYjgWTONNX + pME27+VklE85+rDyo93btn3x2hsp1cFbaxx+8vkOBCw85IiVnve1kA+E7naXzied + 
Jc+OocMZ+xD7nI0xR2VH91hZtEABBXznuBNRhZ/YnMG4+lBZ3jV/mFTjgFgPUwDH + gKI4khTyOdd8H1KFk7TCRjEA0dKCZWE32qRHE0bI/tTw6ixbLsCHA/ZepT/VvBha + YrF/1kc+bj5FohDOWHZ5zz6/BaKJAvNMmA4b+wugHPiGxP20g82IMPPlA+KcN+kj + VbEiqq+Y9vTcjB4HUWGvtmV/Av/JxUgv2FJI2krmx9JRASjOIwp79F5y76imCOFV + bxhwAPOC0+mfvR1BUqWjPTE4wwL2bozL78xVcTLf9BXTeEiSCvTa/m/6KXcSdREX + 0LBYYrWRlOVdJIyLYbRyToJu + =TUQx -----END PGP MESSAGE----- fp: B6829414FCD33331EBD08EC3F70112A73CB97C21 - - created_at: "2024-10-15T18:44:24Z" + - created_at: "2024-10-15T19:06:26Z" enc: |- -----BEGIN PGP MESSAGE----- - wV4DbYZvvToLQQASAQdAjBzmwjB+B4FWc5AGSs19bsdf7bOGCTpdX/IG4d2+Xx0w - V7asuyE7EIlDiXnOwkRi6+C+XnLBS9HRwvsh+cUbdqgga9l5cLiaTg1IcJLoq4CY - 0lEBQbHqnlIcJINLVatSyisGt6p3MoF+JJ9xMY2EhAgMR7uUv4gMVC0D2ojNUS64 - V3C/TBVb34puSrtoiiNAvSQBavrWNrtITIaGOd9T/e6pvYk= - =K2Xj + wV4DbYZvvToLQQASAQdA8enWQh8DcLLEoKm69TxMM2fefYV8RjagJLY28A7Ia0gw + hM8AkQO2P8nR3XtmvTdKKHcOpU7CF4vWn4YjT7P31m5q1x9umvciGHsZpOU//Ake + 0lEBlzNWVNsBjbTMsg8Wv9KUeoP6c2BAPEZ9cHni07GpOLtS++PCRJZ4Anvcm4ad + UsSyfg8UZiW4Lbqq/9ZTr4JZZtQFjfPhervXMGQjxc/ZocE= + =NryV -----END PGP MESSAGE----- fp: 92842ACE52D2B8C77F9A59662AAB6EE5E2C8EE71 encrypted_regex: ^(data|stringData)$ From b1c073b12ff57a3de8c498915831bd56273af835 Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Tue, 15 Oct 2024 21:41:45 +0200 Subject: [PATCH 17/41] feat(rbac): add opencode group Signed-off-by: Jan Schoone --- kyverno/config/per-playground-resources.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kyverno/config/per-playground-resources.yaml b/kyverno/config/per-playground-resources.yaml index 06d3bca..6d9626d 100644 --- a/kyverno/config/per-playground-resources.yaml +++ b/kyverno/config/per-playground-resources.yaml 
@@ -123,6 +123,9 @@ spec: - apiGroup: rbac.authorization.k8s.io kind: Group name: "oidc:SovereignCloudStack:moin-cluster-all-playgrounds" + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: "oidc:sovereigncloudstack/moin-cluster" #- name: generate-kamaji-clusterstack # match: # any: From 42b3d6f8420c7f2c40d4c40a22b071c21877e456 Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Fri, 18 Oct 2024 16:07:54 +0200 Subject: [PATCH 18/41] feat(dex): add some redirectURIs for cluster-gen Signed-off-by: Jan Schoone --- prod/dex/installation/secret-values.yaml | 170 +++++++++++------------ 1 file changed, 85 insertions(+), 85 deletions(-) diff --git a/prod/dex/installation/secret-values.yaml b/prod/dex/installation/secret-values.yaml index 1d12c13..acdb414 100644 --- a/prod/dex/installation/secret-values.yaml +++ b/prod/dex/installation/secret-values.yaml @@ -1,6 +1,6 @@ apiVersion: v1 data: - values.yaml: ENC[AES256_GCM,data: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,iv:rr/uuVpCyelZZWNf/5ATnAUSw34noNnpiU4C7p4L/KY=,tag:XFcu0bdc7gxhqVqsdt3SKg==,type:str] + values.yaml: ENC[AES256_GCM,data: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,iv:WrWlv5pQ1lUU9fUc2CgINqJ2fovUMVziRxZZ19Q73Ug=,tag:sSv6aDfxydvDiO/cU6YICA==,type:str] kind: Secret metadata: creationTimestamp: null 
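Review bot: The added subject `oidc:sovereigncloudstack/moin-cluster` in kyverno/config/per-playground-resources.yaml is shaped differently from the `oidc:SovereignCloudStack:moin-cluster-all-playgrounds` entry directly above it (lower-case organisation, `/` instead of `:`), and RBAC compares group names as exact, case-sensitive strings. If the string does not equal the API server's group prefix plus the token's groups claim, the binding grants nothing and nothing reports it. If it matches a wider group than intended, those members gain the role in every namespace this rule generates for. I would add a comment on the entry recording which identity-provider connector and team emit this group, e.g. `# groups claim from the <connector> connector, team <team>`. The rule's `match` and `roleRef` lie outside the hunk, so the role being granted cannot be confirmed from here.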
@@ -12,124 +12,124 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-10-15T19:06:26Z" - mac: ENC[AES256_GCM,data:N3Ofzc0vTmlUDvPw4jkN0jR4rBE9wm8PUma0SkvmSX9+uidgA8l6J4Pbkz4K8P3nIy5PaYF2yolaX79+Z+8IbId/jcAPQ1x4gNtSUcmGGfQsG+c+9Yt7UdEYnzzx9VGSVa6Bydltl3uIxRoOxHp9iL0AgPjfbkrVyY9Afo2d4Hg=,iv:0Rcql9fEr7IeW/pGkgPPUzkE9vc7SfG3UP7kS3y+TiI=,tag:OOr2bEJkpP1rmz27N1/oyA==,type:str] + lastmodified: "2024-10-18T14:07:10Z" + mac: ENC[AES256_GCM,data:WWaF/alY41hcrNcitULKYKG11XhSeyffDpgGl9CEINvieI/3Lw8nD0F0xsI6GeGbG+wdzSmnFdkIFczzsbGck9YIlh9o4QwGDoceeFJE65GDlUcq0OeZa14jQPWhtGNJwZmHNqyDmufas+pAHqoXDSgHxGCficL2DpeJm560/n4=,iv:se9Xo01GTao5Q6Scc/HgpASSUfUNl+Pm0MVVKKkYX0E=,tag:SYqu0DraJrRaSL99h8CW7Q==,type:str] pgp: - - created_at: "2024-10-15T19:06:26Z" + - created_at: "2024-10-18T14:07:10Z" enc: |- -----BEGIN PGP MESSAGE----- - wcFMAyBxDD99NeTXAQ/9Fgg7VGr4SzUUlzcVmtsNYnjqBN7d7oKi1CwsKFQZtME0 - rydcM8FgGIkCXLZVAVvS9aRJTb5AODDKNzs4NOt2QQKIDXZsqwmU6v2Eja4sk59d - b4jdQEA90LYkm96Nf/TZbtZyHhw4WWfpDBH6P+6aEr9vgD6zsZuBBLoYHZyL/tWZ - j43Xjd+F6+rW2W0pyMpme7nLxsBguB4Gy3uo9YWtQUc5gvnu5ststdd+M1C8RCL1 - WJA6ABaJYZC0P7fmTDEtJuXRKQPBOL+6/JvKXArx9+aTjdNmnuYwFPOyWqCdcsjw - U3A8HxFLj6s4xvogN3GfKoTwJV9nW/BXhDPbPYaQnLpBkiJDoGgAKmK4Ixa8Mn2Z - Ph2IMyhpk7i0fU5Qd7yIoQurIp0fzfHXDwMBzI3aCU2vJYHxLb8VeJIyf7209EwH - VN41vlz1JKKjH8ezKqX2mr73GQ5CCcyIRJMAaebcDMCmBjlkuONNMaZIzKIgHehb - Ia9IWmlaJHmHc5WKyh5HE2O3XLFkjZb5uOxgMIolhtx2KKIO/8pcXTzMvwTn3yaR - D9SztXvlmOVlc6+UlJTkDWtWUVluvNrDcBY28mSEIh4V5L9DSBoI0sR6om5CAao6 - fjvaeF/BNwCb2y5yIaFxKsN5JPraNq/USosSJe+GtsTysi1LAm80IM7vlHas1O7S - UQEHVttFJ8GYuvjXDIQrn/XKOW9IkQUVLHqUlodxeqUvAGh6Kfu5/v+5Wm6Z1vGx - w3iCdgujC6KIsU4WICgCosU+Rw5biniblhwHRv+tnlLuKQ== - =+Pfk + wcFMAyBxDD99NeTXAQ//Yge7OCX1RpS65Cm8HKofxmAGQqU9plLTRnxvZHg1dmMZ + HNpZGQMLBJqR6zSZQQenzSj542k0FJBoZFggbqXmATQUpD7Mw73IaADlvOhUbB1x + qsO1UD/uukOHIxbbBkq6+d/OtN5+u+gSMs/3jEF8Hn5G+UWacm6F9lxWabKus6U/ + 7eOI/yIzQa1KNz+wIRKzaMe0Fn9COt94C1HJuBfyVFI6hzU49lhxs1crM293n3iN + 
DwZuouB5Xabt3o9diWDlL3SRG1IqL6nHkLFR5X5ax7HHic22Q7f5nxYw8Fa6LJM3 + vn/xNe2Be4N5RjnZWWcCu1VmU6J18/MLHAFaEohkFVdmHa855w+ACDfIU7W9TugA + BYbiZ42dUFwwjddWsDS6ckOwesrYswloBkyXQ/Mnx0I5PqsTo2G5tl4I2vgtJqXW + zha8QEt+9Hoxl9w1HP1HUAz3j+4kru2NzOXQT9G/ncGjdOUbJ0rsh3OWbF4h4VTP + SOrD19TXn8dkM5lVNL6Hl6LDj748eB2lLojPqDC9E2I+Bd5ShYduTwNQNsPoqq3T + egn/LgWmXju5j8FE9FTw5sV0jLkFGRnhPwAY/QgKNqc+C+hfJkm0ctrsUA7U8wfa + IuXUpNCvJZPsB0qcBQj9C+qz/Q8zmtAbkCArqxjRwK4P1Ph+849KxdGZwpIwsmLS + UQEM4QbknTmaS9+ELMnzbQbxKx6C6XJM55XxD8I53QG07VG/oLTQ43bC8SRhvUb5 + fWJ6q+TfXD7lk11IKAXnaR6SU/G1fmfljyGCtOs2oWDqgQ== + =q3q0 -----END PGP MESSAGE----- fp: CCCA3F0D6E841833AC56DAED48E4E0C7613AAB14 - - created_at: "2024-10-15T19:06:26Z" + - created_at: "2024-10-18T14:07:10Z" enc: |- -----BEGIN PGP MESSAGE----- - wcFMA6Kr4c7HLrmXARAAjQ4ULfdzXJGfs96LMDstzTf0uYNqP0oWIBCTIrcCD2pX - RTptiAVdbIz42RL/6wZmUG6AVjUuFT2ua/qbTUBXD0nnEpMTQC+HnuVf7D+11Awp - /zssUU+9qtfFbDpTBVy+7zUfXfYfXAzE5dJCaIluoheYS4lyUt4gPvLORcZRa7JW - gRYAXCBSEDzAatROe3eICTCcaFJHMNZw/jZshEtKjrub4ihPZBLyKPQ1PtOy289x - /W+wg1Ol8OaGTUpS+b/5py1xYUdmihOuc+yZExQzIKcGZtnzuxizjMdFgK5g32+C - vrg9QRqzXpFXZ2SG5mOWRURrFPk8hhHbRmGw44PLTpI2CDjx45ZgErQY4T+6blR8 - pK3ByMHXPX/qoAf5V1ZYwAVCVP5ZsNxjrSmnryI9AbWIU0H4hidb7UO2JcepzgZG - C8J8vwt9NQcnYYNb/S0uv8RsDMU7Co5no5xZWb6Oj/NUmrV83iwvC5L8ERCThEKp - zi+TCGlwiTrOnkSzIrygMPsfj7no+cG4gFPigirrKXjLD/30e6EoUFL7X5YH2jTS - 1yPztYwonUxzTUozeqgJVDflmSiwK7Y/41+Im487uBpr7Qa33revJza1daP0OzZJ - c1sjT/Nq0qiZa93uNL88BPUVKTYi/WtD6at1EKbqCt7wB7GdpsINbaKz9KW+nynS - UQEpT4ZnE7kmh5Z+4Bdfv9gIOcAdCXWSPRkSiXKONph1GVqvvs5B5CiXZyKWhbHG - TZJiP4s6khwwokEo4v+O5RHk0WA6LTag3TPNcdKECvAC5Q== - =mC5U + wcFMA6Kr4c7HLrmXAQ//Wd4Jz7ovcKGddrvnvCj+feAuvf7rP69aXzT0cQFcWv5b + SWIxPCGzjYz6idkJov0gWDe3RjRRqB70a48dQrRbOl0XxoZ2rW5WF3kNnAacuskn + AM8lrZME0mjDvZUFOdjcYtDl2fexHqBR4Gmd2zsDSUn5yjbzOFT7oXOfdk0hSbU2 + qO8+L3aDUkzHw7r5/Aizl3tC0Sj1nM4Il2QLr9mYVYhDCz4XMa9Ks6dQZ7BAcKON + 31BriHjErZgPLhaacKkQQifw3i7366N693WbbbC+r3ZKUqAYTjn/sWofRsM98oUW + 
8pV16wAHIJEyjnZ6O9JeLkBc/nJ1s/l2uzl8NHyhkkKMjlDVF+T6mWe+AZda6Ry9 + ZOpUBO6Sw5AaokwMkZQtLg5fJJ87cO6/RoxK33Xinaz1wS99gOs1yaFkKVttACNW + 7uMPSLmaGIqQu9LJS7UD98jodWqzdTf9g+Z7MEnAUYIsbBDYy4xL5By9dy/tGw1Q + WudrXj5HVmTHkUUS4zTbvnbAP1Tgd6iPQAYIUxqW28HCbsP3d4X+CPXKfJmDHX/y + ItyKgKk3sx/JMp5Jp1FbUlhOqID0yXLAZLvH64cDYB5buO1TRJ/F180R3cwjsjan + G97NA3zvBJl8snUUU4Ym3g1vafU//q7Wh2U4yu/LOSLyk9jxdWJs/9tNT24HJWzS + UQGGQLmct1BTuekCcrBnEabGRkx7qf36CaM6dYjO/3/jhlQy0xiwHBIrv4u/FsHu + L4eMQaxksmj/puHjb6X5RH5CrGJ8FtdQnIuKk3mmrsUuhg== + =nQR5 -----END PGP MESSAGE----- fp: DF71497C07110D584ED5D379CB3A922F8FAE3D50 - - created_at: "2024-10-15T19:06:26Z" + - created_at: "2024-10-18T14:07:10Z" enc: |- -----BEGIN PGP MESSAGE----- - wcFMA/o5Gaf/w6e6AQ//aeWGutIpwrglqGGratxgpVKDMj0gcYgI8Dkabm1XxN8x - 4MqseiSpSKkxWcUDcXAhofY8iFCyB6VjPOBXC2/7JtlyAxLmOUmM4ZERZz0Tqm4A - nf9tFSDdK3Az64ceFzYyQlzNoGUfI8sGlgLVo41H3tMKiNHFr497Mo1s7LuQbG41 - QnYSAVGap21McQvve4V4trWl0+l2WwWxeGyHlpsY73fHbfebYXjRxpvdmdDH8Gvr - q5s2VmakVCrw2oRmUMME2KXKuPh5fLD1PyNUJDxZkLXAq0/fkivZcA1KhhELWGU6 - ThuoxVFLVFL8COjoM8sL4KrCjdUhKKx/cW8fI6RFzcXuhzN5lwqKieuPvaypMnZU - YNPk5zLY9RwkVStb31zCUaEanZKq9mgzhcEyRLgM2qGvT+EzI0OR1P8ec8x+hAg9 - trEeHSpsRLx56Sv3M5MDbFz5juMUTvRiNoyiK8liswsdKJnb4Jq/UDhDEbK5GWOT - G1T2mRId2UAe0uVMmpeN5tqa1Sd07icw52wsBKFgpGzAJwvLp8E8DvwGPgzbuVA2 - bIol50lPQevCMohg8hb2ED507PheEtrSqhO7N3qtdD87hWY2LQUs8WwFAPX6MfXb - 0BA2KWDbua/5r3X6W0x4yChlHa4T687qPlhLvJJnrr/lqW9lRESUOhTQ2bCxsJTS - UQHSGCvDb6bcIz8mS7Sx7BVZTCndxmKtQ3jNQxSEWK5QhjXVMohR5nytZs+26qQm - +7epGeFoxqtu42wLrP8xfKpmX/K5QLkYWuAoD3O1iJKCcQ== - =+OhU + wcFMA/o5Gaf/w6e6AQ//d+lU/7DXzyMV55wiryTyZsJE9F9hsxdGaSiyeBBiSpdr + JjJb+a6sMSGhtv5YWhh1D1xXfyLJwJaEdFVeFp2KBNHT3RQQF4onzPEIJt9wfnI4 + mzsiAx7PBZaL0wvMA38hDTa8PlNp0e9o+0o3FdW2fXSe0hXjoD/TUFEFhr4UDIWr + dG6cwB35AIJhmhvQ7kpBSNksFkmGdxrcH2oqWqJfXDVnhQLV9g1jYFdd4DybynXn + e2P4I82B2iuK1YZhieaNXWnNJjcVp+qi9LAblyWwQ8Wv9x46Apl5tcXjhkITAHug + 5dqp4u8JrZr8KvecpjlJWHkwqQvKfIRcvXi27oYfkomUu3Xnvi2iLBJ0BZt+kOmP + 
VL5RL1LvUTas4p0Kd+vjclrsaHO0E0cYX3Mh7A9nRx6Qeq2N5HhdctfWpvhBAqXK + zQW9EOhQy6U8hSNbeLA1gsddfgd8T9Seaq1uCU2l+LrMhmj5m2zLVrP+xvKghPC2 + hYZN7ol7j2+u+phHpAKT6oeB36EuiG7o/lhfQfXoHYHjmOx4SgCcCCP5JMtIZUYI + G8PkSCMRkcWI47PbzdMSD4Je7T4FOKV8mLGnUQGfzxOIqsyN9va3/Ru/mUbyW0+7 + crZWDnqv4E894dMZAHE2BLXaj9hOAo6Ha9JJkuNIFk+T7oBzQ/UD/2COO9vASobS + UQF275juqlq1QKO35u0x4oWeIWHZZREBI0q4Lhyn0/5MEmf8UdiK4gxHa3YVNm2n + 3iQo5dzg0S2lSwKjKwr5+3CNpwgK/Qmirnp5usqNQTRpdg== + =57Jg -----END PGP MESSAGE----- fp: 5AAE7807A91FBAA7A5DB246B52A2E96A7268BCCE - - created_at: "2024-10-15T19:06:26Z" + - created_at: "2024-10-18T14:07:10Z" enc: |- -----BEGIN PGP MESSAGE----- - wV4Ds9lh1tfJlukSAQdAYVO/2wW9gDCUW9Kz+VxjyTdsBLltP52Mos4JPmc+f1ww - MSD5zK6ZLzIXoHbe0lvVIGGHp+pwJxr31CjWAo4TwltUVdqRf+vWmulZ7sVY+OxX - 0lEBRske7xLQV5eYkIsOBWLmBOG0vGHPHh7GT/uSpukWWLND1TPnOMnRn44xnjCm - tt+VOWJrM+qBSkeRoxZ1su1T9BoKZCh3kIJSZSqFQ2DdZPc= - =RubG + wV4Ds9lh1tfJlukSAQdA5N+OT46r3WXl1+SgPtsBczmpZh30HUgs5HFhOd1DplMw + je3IDclFJMQBHXjiI+WeixW6vXjmFqAYx64Dyh5UqG3rsF+NdsTPErGWBtxR3KjO + 0lEBZ8/pvFkQeMfcQ2d8TLClsQ7tgm/iCnnc98cWmIn7I6PIXtEmIRNCiRBt2d9l + JhrdBNvLQ5y7oNhMLSd3DrYxcuH2LRiUoyayLiy+thsR0z8= + =H9hd -----END PGP MESSAGE----- fp: 6A413E28286599A84595529EB2F65CBDF1C65D3A - - created_at: "2024-10-15T19:06:26Z" + - created_at: "2024-10-18T14:07:10Z" enc: |- -----BEGIN PGP MESSAGE----- - wcFMA2VTGvlVjirjAQ/+Mmepfum0GupaF3u3Ltm+Ae6vYReGRnrkCs551BkVfJ3V - e3T6vb6NAlOhc1XEE7GIIwQ9zPYbOh6zI0smjSd/sis45vnrmrrC/P0lgts1j9w+ - Max2Aibe4TWGE2vsXakWv1k1A2stjjoHtOyrGaNgtpQOGnZHuwEl77GofsKx7KzX - HHAou26S1/16FE5A8K/abxt+kCRmktl3mcM3dO/jj0RFioRosGqL0QPDkTzyh/dk - XJs+otNvZU8gkgnxhEh/HluA+5BX4HNgklF18CDZElpAjEAwDKHG9XuB+fXUCFqW - yqomZGr4vrrQAfnTMfBCYGx+MNjiOpC/3guNiZ1lfdv8HiSfI6aKsFzcSeOKApah - 3aV0OFl+XYP/fJeVA8dRiMukiMR1CShRAnttJjRjNP11e/8kViVDjS9qATpoYlcw - OTKye00fuCug8xfQzJ7lrG9atyrQoCTttUPqF2jHagBO8A5ukKKp5R1BHMaXBzYn - LeEv0y1WiH7GPbX4c0FjU9qVb/UyIBPyZ/dofwAIf343Oue1mtHS/oHNiNs0loCN - 
bNJ4w4XEtGQPuNSHVVQ/Gi2sNYCBPzYhR2tDeo0OVtstq3U6rLp3uDGndVMNMjUH - 5AnWIFaGNu3Jtx7M5+3XlHiBDWK8lJsQTACTiFWrm3jUO+ID/i0zGyjUWdcztkzS - UQE10BdYlJIPgcSzRL3WrrGZKo3hKNmUZYI9jhI90thDsWf6IwuY3uP9wbjwNKpd - 4CQebYob2a2XG3PGTu/my4mE/ze1WaXzEICsA4k+qIxfuw== - =mLAh + wcFMA2VTGvlVjirjAQ//YiR/sq+oqLJtJ4mvEw1S5idPNJJwh2WG1FbT1NQHrA9/ + qAJpU5bbGmh9vnXGGSzMX4hjfZxR0pG6s7nPkywTkQO4yJuu6cKXL1R6hBk3Y9BO + agNIOYYidy9Fp1+2bYtnE4pdXNECBjNX6IuCSOMyOddHju4sMHbKubusstYGB7YQ + ws0opjsWS8OWDXM0/4HkVvh77hKHEBP54Bd+wgq5BtK/FcZN//m6LiZCpyGOyJ7v + 1RNGKWvxGN4OdcuZtWZHK+wSfQ7eDNVSSm173CarVMU4+1nXsRKxHp5mYQJcjr0+ + Tclkr2Iequ9sUYAtmMvPCqClk9XOSBjXdlunjEW6waQjgXYB778AIqeWYRW7r5wr + 9lF4ddSfg/1a2FfQm2WkQ3MgGfIpMMm1JlhFSJ2O02Vg86OjMYUajvjeBYTyLr/L + bTqHycgXK3kP0qtckS2z3oMsIIe/XQsktT1NInUQ2EtGVOw8MsdK8TL/PgPGhS2f + nX25MJUB/iD70wZl+qpMXnC8pPqHkh0FwIxvnLOOBZml1Wq+HSBFINl7ShZGuDOw + xOI+oheixontxpc2WQ8YoqJD4jWVgPhIqxSVhnXgO1QldENSueCbvDOvJP330jPz + PqhCaDtRDvtsPIgyUYGoPSSjJagaqck+P74gXjtqirnBicj/TRiO9bV3BRaR9i/S + UQHeGXUpIfBF+EmS4XxevCEBTZwVnrwXSXl1esphRNZh6eTKWDiff2IcbgibE/vr + fcWIkdPaRM/6U2TAfm/nFRYy0mNic3uIL7JqdHAu7eU/yw== + =PhkS -----END PGP MESSAGE----- fp: D48108A56B0EB04A40DEE96775676F49EAFAA9CA - - created_at: "2024-10-15T19:06:26Z" + - created_at: "2024-10-18T14:07:10Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA/CESpP6bvPkAQf/YTLwcR7HOPOxkLuNvLD+daBWseFX8Iqa+OoYjgWTONNX - pME27+VklE85+rDyo93btn3x2hsp1cFbaxx+8vkOBCw85IiVnve1kA+E7naXzied - Jc+OocMZ+xD7nI0xR2VH91hZtEABBXznuBNRhZ/YnMG4+lBZ3jV/mFTjgFgPUwDH - gKI4khTyOdd8H1KFk7TCRjEA0dKCZWE32qRHE0bI/tTw6ixbLsCHA/ZepT/VvBha - YrF/1kc+bj5FohDOWHZ5zz6/BaKJAvNMmA4b+wugHPiGxP20g82IMPPlA+KcN+kj - VbEiqq+Y9vTcjB4HUWGvtmV/Av/JxUgv2FJI2krmx9JRASjOIwp79F5y76imCOFV - bxhwAPOC0+mfvR1BUqWjPTE4wwL2bozL78xVcTLf9BXTeEiSCvTa/m/6KXcSdREX - 0LBYYrWRlOVdJIyLYbRyToJu - =TUQx + wcBMA/CESpP6bvPkAQf+JhQqPXBjmhiDumytjjqyw6Dfwbynqd4fS5WxPCthhvs8 + dMCV/QgyeNx1Ysxvul5ZRnLuJtb/rFbJJOp4OVFqMo37mV9oBR+yTSsE5Rn34uUb + 
RZracZOR3TuD9WWPX+P6RWxHS/FiW9z8GFEZeizhxPMEIDhid6nicUy4VkGB0BZY + 4cxX6UtbTFJErzIkRtdRrPzb0ogCe64BxaapwOP5BJpjBLN4SXT3SkAdBScYfoez + rdsHLlaNIitQqYOK9Z5aop2wHibZwkaNS6xmu0FTHxp2D+p0gWeHc+57xGuOwsds + f2GWzjZl3XKl5xu9PRg1dQW8bn6XcxyzHfH9mpGA/NJRAYcO1DKlqvBzKUEv6T/U + fW1bYKs40C/1n9gkiZJZROwUX99zgXacqkqVUXf+3DmgaUiOFhtx7+T3aBtSUfKb + Ti+H6Z6tjVGOBco0BF/IOYGq + =AmGg -----END PGP MESSAGE----- fp: B6829414FCD33331EBD08EC3F70112A73CB97C21 - - created_at: "2024-10-15T19:06:26Z" + - created_at: "2024-10-18T14:07:10Z" enc: |- -----BEGIN PGP MESSAGE----- - wV4DbYZvvToLQQASAQdA8enWQh8DcLLEoKm69TxMM2fefYV8RjagJLY28A7Ia0gw - hM8AkQO2P8nR3XtmvTdKKHcOpU7CF4vWn4YjT7P31m5q1x9umvciGHsZpOU//Ake - 0lEBlzNWVNsBjbTMsg8Wv9KUeoP6c2BAPEZ9cHni07GpOLtS++PCRJZ4Anvcm4ad - UsSyfg8UZiW4Lbqq/9ZTr4JZZtQFjfPhervXMGQjxc/ZocE= - =NryV + wV4DbYZvvToLQQASAQdAHxylgCv1qMYDCASdjbEkI8f9UsmwziBWviTUnc0qdy8w + QevW4NGKGL9lS82vc6HZK9xUZ98b9PPzbTAMUKFBk44QoH7kvCg0fNJsyXpqc6Ls + 0lEBH89t8LmtLwC6LM0Fk0uBq2QxYg4ReoeBJaSZgNSrh6JDDGQcL+AcKxN180Oy + bIHqs4XCBnHgRpMg6FxVJ+O/wm8pWOsnPn86lNkmi9q4+NY= + =t6eV -----END PGP MESSAGE----- fp: 92842ACE52D2B8C77F9A59662AAB6EE5E2C8EE71 encrypted_regex: ^(data|stringData)$ From c9f4c9fd5c1d2b4621266ceabb98ef5da765e8ad Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Sun, 20 Oct 2024 11:20:03 +0200 Subject: [PATCH 19/41] test: disable cluster stack distribution Signed-off-by: Jan Schoone --- kyverno/config/per-playground-resources.yaml | 120 +++++++++---------- 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/kyverno/config/per-playground-resources.yaml b/kyverno/config/per-playground-resources.yaml index 6d9626d..6ccbe28 100644 --- a/kyverno/config/per-playground-resources.yaml +++ b/kyverno/config/per-playground-resources.yaml 
@@ -37,66 +37,66 @@ spec: identityRef: kind: Secret name: openstack - - name: generate-clusterstack-131 - match: - any: - - resources: - kinds: - - Namespace - names: - - "*playground*" - generate: - apiVersion: clusterstack.x-k8s.io/v1alpha1 - kind: ClusterStack - name: scs-cluster-stack-1-31 - namespace: "{{request.object.metadata.name}}" - synchronize: true - data: - metadata: - name: scs-cluster-stack-1-31 - namespace: "{{request.object.metadata.name}}" - spec: - autoSubscribe: false - channel: stable - kubernetesVersion: "1.31" - name: scs - provider: openstack - providerRef: - apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 - kind: OpenStackClusterStackReleaseTemplate - name: cspotemplate - versions: - - v0-sha.ve8qmt7 - - name: generate-clusterstack-130 - match: - any: - - resources: - kinds: - - Namespace - names: - - "*playground*" - generate: - apiVersion: clusterstack.x-k8s.io/v1alpha1 - data: - metadata: - name: scs-cluster-stack-1-30 - namespace: "{{request.object.metadata.name}}" - spec: - autoSubscribe: false - channel: stable - kubernetesVersion: "1.30" - name: scs - providerRef: - apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 - kind: OpenStackClusterStackReleaseTemplate - name: cspotemplate - provider: openstack - versions: - - v0-sha.onehude - kind: ClusterStack - name: scs-cluster-stack-1-30 - namespace: "{{request.object.metadata.name}}" - synchronize: true + #- name: generate-clusterstack-131 + # match: + # any: + # - resources: + # kinds: + # - Namespace + # names: + # - "*playground*" + # generate: + # apiVersion: clusterstack.x-k8s.io/v1alpha1 + # kind: ClusterStack + # name: scs-cluster-stack-1-31 + # namespace: "{{request.object.metadata.name}}" + # synchronize: true + # data: + # metadata: + # name: scs-cluster-stack-1-31 + # namespace: "{{request.object.metadata.name}}" + # spec: + # autoSubscribe: false + # channel: stable + # kubernetesVersion: "1.31" + # name: scs + # provider: openstack + # providerRef: + # 
apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 + # kind: OpenStackClusterStackReleaseTemplate + # name: cspotemplate + # versions: + # - v0-sha.ve8qmt7 + #- name: generate-clusterstack-130 + # match: + # any: + # - resources: + # kinds: + # - Namespace + # names: + # - "*playground*" + # generate: + # apiVersion: clusterstack.x-k8s.io/v1alpha1 + # data: + # metadata: + # name: scs-cluster-stack-1-30 + # namespace: "{{request.object.metadata.name}}" + # spec: + # autoSubscribe: false + # channel: stable + # kubernetesVersion: "1.30" + # name: scs + # providerRef: + # apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 + # kind: OpenStackClusterStackReleaseTemplate + # name: cspotemplate + # provider: openstack + # versions: + # - v0-sha.onehude + # kind: ClusterStack + # name: scs-cluster-stack-1-30 + # namespace: "{{request.object.metadata.name}}" + # synchronize: true - name: generate-rolebinding match: any: From 575fa89a9c574bd12a8a59c35118d0679cd4a477 Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Sun, 20 Oct 2024 11:35:43 +0200 Subject: [PATCH 20/41] test(kyverno): enable cluster stack rollout Signed-off-by: Jan Schoone --- kyverno/config/per-playground-resources.yaml | 60 ++++++++++---------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/kyverno/config/per-playground-resources.yaml b/kyverno/config/per-playground-resources.yaml index 6ccbe28..fd15351 100644 --- a/kyverno/config/per-playground-resources.yaml +++ b/kyverno/config/per-playground-resources.yaml 
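Review bot: Both `generate-clusterstack-*` rules are switched off by commenting them out although they carried `synchronize: true`; depending on the Kyverno version, removing a synchronized generate rule also deletes the ClusterStack objects it created in existing playground namespaces, so it is worth confirming that this is the intended meaning of "disable". As a matter of style, about sixty commented lines are hard to keep in step with the live rules; I would delete them and leave one line such as `# clusterstack generate rules removed for testing, restore from git history`. The same pattern returns in the PATCH 25/41 hunk for `generate-clusterstack-130`.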
@@ -67,36 +67,36 @@ spec: # name: cspotemplate # versions: # - v0-sha.ve8qmt7 - #- name: generate-clusterstack-130 - # match: - # any: - # - resources: - # kinds: - # - Namespace - # names: - # - "*playground*" - # generate: - # apiVersion: clusterstack.x-k8s.io/v1alpha1 - # data: - # metadata: - # name: scs-cluster-stack-1-30 - # namespace: "{{request.object.metadata.name}}" - # spec: - # autoSubscribe: false - # channel: stable - # kubernetesVersion: "1.30" - # name: scs - # providerRef: - # apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 - # kind: OpenStackClusterStackReleaseTemplate - # name: cspotemplate - # provider: openstack - # versions: - # - v0-sha.onehude - # kind: ClusterStack - # name: scs-cluster-stack-1-30 - # namespace: "{{request.object.metadata.name}}" - # synchronize: true + - name: generate-clusterstack-130 + match: + any: + - resources: + kinds: + - Namespace + names: + - "*playground*" + generate: + apiVersion: clusterstack.x-k8s.io/v1alpha1 + data: + metadata: + name: openstack-scs-130 + namespace: "{{request.object.metadata.name}}" + spec: + autoSubscribe: false + channel: custom + kubernetesVersion: "1.30" + name: scs + providerRef: + apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 + kind: OpenStackClusterStackReleaseTemplate + name: cspotemplate + provider: openstack + versions: + - v0-sha.pxfmezw + kind: ClusterStack + name: scs-cluster-stack-1-30 + namespace: "{{request.object.metadata.name}}" + synchronize: true - name: generate-rolebinding match: any: From 38deda53a3e7aefb9dbac6ba213990efb04d267e Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Sun, 20 Oct 2024 11:37:31 +0200 Subject: [PATCH 21/41] fix(kyverno): rename csk Signed-off-by: Jan Schoone --- kyverno/config/per-playground-resources.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kyverno/config/per-playground-resources.yaml b/kyverno/config/per-playground-resources.yaml index fd15351..22e24da 100644 
--- a/kyverno/config/per-playground-resources.yaml +++ b/kyverno/config/per-playground-resources.yaml @@ -94,7 +94,7 @@ spec: versions: - v0-sha.pxfmezw kind: ClusterStack - name: scs-cluster-stack-1-30 + name: openstack-scs-130 namespace: "{{request.object.metadata.name}}" synchronize: true - name: generate-rolebinding From 521c95f65b0cbb4ec777dc5fa58a7da0f26b59ed Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Mon, 21 Oct 2024 14:36:56 +0200 Subject: [PATCH 22/41] chore(ing): deny access to capi viz debug page Signed-off-by: Jan Schoone --- .../config/capi-visualizer-ingress.yaml | 29 +++++++++++-------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/prod/ingress-nginx/config/capi-visualizer-ingress.yaml b/prod/ingress-nginx/config/capi-visualizer-ingress.yaml index 8c5a85f..a4e67b6 100644 --- a/prod/ingress-nginx/config/capi-visualizer-ingress.yaml +++ b/prod/ingress-nginx/config/capi-visualizer-ingress.yaml @@ -4,21 +4,26 @@ metadata: annotations: cert-manager.io/cluster-issuer: letsencrypt external-dns.alpha.kubernetes.io/hostname: viz.moin.k8s.scs.community + nginx.ingress.kubernetes.io/configuration-snippet: | + location /debug { + deny all; + return 403; + } name: capi-visualizer namespace: capi-visualizer spec: ingressClassName: nginx rules: - - host: viz.moin.k8s.scs.community - http: - paths: - - backend: - service: - name: capi-visualizer - port: - number: 8081 - pathType: ImplementationSpecific + - host: viz.moin.k8s.scs.community + http: + paths: + - backend: + service: + name: capi-visualizer + port: + number: 8081 + pathType: ImplementationSpecific tls: - - hosts: - - viz.moin.k8s.scs.community - secretName: moin-api + - hosts: + - viz.moin.k8s.scs.community + secretName: moin-api From a3c1dc046a80d2ec5c048a966051b8cb5ff575fa Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Mon, 21 Oct 2024 14:37:47 +0200 Subject: [PATCH 23/41] chore(capi-viz): bump version 
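Review bot: In prod/ingress-nginx/config/capi-visualizer-ingress.yaml the `/debug` block only takes effect if the ingress-nginx controller allows snippet annotations (`allow-snippet-annotations`), which recent releases disable by default; if the controller ignores or rejects the annotation, the debug page stays reachable and nothing in this manifest shows it. Allowing snippets controller-wide also lets anyone who may create Ingress objects inject nginx configuration, which matters in a cluster that hands out playground namespaces. Inside the block, `return 403;` runs in the rewrite phase before `deny all;` is evaluated, so one of the two is enough, and the prefix match also covers paths such as `/debugger`. I would prefer turning the debug endpoint off in the visualizer itself if the chart offers that, and add a post-rollout check that a request to `/debug` on viz.moin.k8s.scs.community returns 403.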
Signed-off-by: Jan Schoone --- capi-visualizer/installation/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/capi-visualizer/installation/helmrelease.yaml b/capi-visualizer/installation/helmrelease.yaml index ce0eb6a..038c583 100644 --- a/capi-visualizer/installation/helmrelease.yaml +++ b/capi-visualizer/installation/helmrelease.yaml @@ -10,7 +10,7 @@ spec: spec: chart: cluster-api-visualizer reconcileStrategy: ChartVersion - version: 1.3.0 + version: 1.3.1 sourceRef: kind: HelmRepository name: capi-visualizer From dd46e6d56c3638a970688053adea1d8d09a23dee Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Mon, 21 Oct 2024 15:31:34 +0200 Subject: [PATCH 24/41] test(kyverno): change to stable channel Signed-off-by: Jan Schoone --- kyverno/config/per-playground-resources.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kyverno/config/per-playground-resources.yaml b/kyverno/config/per-playground-resources.yaml index 22e24da..ebd3ee1 100644 --- a/kyverno/config/per-playground-resources.yaml +++ b/kyverno/config/per-playground-resources.yaml @@ -83,7 +83,7 @@ spec: namespace: "{{request.object.metadata.name}}" spec: autoSubscribe: false - channel: custom + channel: stable kubernetesVersion: "1.30" name: scs providerRef: @@ -144,7 +144,7 @@ spec: # provider: openstack # name: kamaji # kubernetesVersion: "1.30" - # channel: custom + # channel: stable # autoSubscribe: false # providerRef: # apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 From 2ecdf792d3ebf78b046f5d45a044d2981acd0056 Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Mon, 21 Oct 2024 15:43:03 +0200 Subject: [PATCH 25/41] test(kyverno): deactivate csk again Signed-off-by: Jan Schoone --- kyverno/config/per-playground-resources.yaml | 60 ++++++++++---------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/kyverno/config/per-playground-resources.yaml b/kyverno/config/per-playground-resources.yaml index ebd3ee1..2aa57c6 100644 
--- a/kyverno/config/per-playground-resources.yaml +++ b/kyverno/config/per-playground-resources.yaml @@ -67,36 +67,36 @@ spec: # name: cspotemplate # versions: # - v0-sha.ve8qmt7 - - name: generate-clusterstack-130 - match: - any: - - resources: - kinds: - - Namespace - names: - - "*playground*" - generate: - apiVersion: clusterstack.x-k8s.io/v1alpha1 - data: - metadata: - name: openstack-scs-130 - namespace: "{{request.object.metadata.name}}" - spec: - autoSubscribe: false - channel: stable - kubernetesVersion: "1.30" - name: scs - providerRef: - apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 - kind: OpenStackClusterStackReleaseTemplate - name: cspotemplate - provider: openstack - versions: - - v0-sha.pxfmezw - kind: ClusterStack - name: openstack-scs-130 - namespace: "{{request.object.metadata.name}}" - synchronize: true + #- name: generate-clusterstack-130 + # match: + # any: + # - resources: + # kinds: + # - Namespace + # names: + # - "*playground*" + # generate: + # apiVersion: clusterstack.x-k8s.io/v1alpha1 + # data: + # metadata: + # name: openstack-scs-130 + # namespace: "{{request.object.metadata.name}}" + # spec: + # autoSubscribe: false + # channel: stable + # kubernetesVersion: "1.30" + # name: scs + # providerRef: + # apiVersion: infrastructure.clusterstack.x-k8s.io/v1alpha1 + # kind: OpenStackClusterStackReleaseTemplate + # name: cspotemplate + # provider: openstack + # versions: + # - v0-sha.pxfmezw + # kind: ClusterStack + # name: openstack-scs-130 + # namespace: "{{request.object.metadata.name}}" + # synchronize: true - name: generate-rolebinding match: any: From 0a0dc410b4821f91a03dc2b949f7b34d3f604173 Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Mon, 21 Oct 2024 17:06:13 +0200 Subject: [PATCH 26/41] text(cso): change to staging image because of https://github.com/SovereignCloudStack/cluster-stack-operator/pull/240 
Signed-off-by: Jan Schoone --- cso/installation/cso-infrastructure-components.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cso/installation/cso-infrastructure-components.yaml b/cso/installation/cso-infrastructure-components.yaml index 1b6b6b2..62796cc 100644 --- a/cso/installation/cso-infrastructure-components.yaml +++ b/cso/installation/cso-infrastructure-components.yaml @@ -982,7 +982,7 @@ spec: secretKeyRef: key: oci-password name: cso-cluster-stack-variables - image: ghcr.io/sovereigncloudstack/cso:v0.1.0-alpha.7 + image: ghcr.io/sovereigncloudstack/cso-staging:sha-c797c2e imagePullPolicy: Always livenessProbe: failureThreshold: 3 From 92cda3c731d429b4eb3470eadf8baaa06d05b37a Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Tue, 22 Oct 2024 15:47:38 +0200 Subject: [PATCH 27/41] chore(external-dns): secrets aren't secrets Signed-off-by: Jan Schoone --- .../installation/kustomization.yaml | 6 ++-- prod/external-dns/installation/values.yaml | 30 +++++++++++++++++++ 2 files changed, 33 insertions(+), 3 deletions(-) create mode 100644 prod/external-dns/installation/values.yaml diff --git a/prod/external-dns/installation/kustomization.yaml b/prod/external-dns/installation/kustomization.yaml index 79e0332..f923ad8 100644 --- a/prod/external-dns/installation/kustomization.yaml +++ b/prod/external-dns/installation/kustomization.yaml @@ -1,6 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- helmrelease.yaml -- helmrepo.yaml -- secret-values.yaml + - helmrelease.yaml + - helmrepo.yaml + - values.yaml diff --git a/prod/external-dns/installation/values.yaml b/prod/external-dns/installation/values.yaml new file mode 100644 index 0000000..e80cfbc --- /dev/null +++ b/prod/external-dns/installation/values.yaml 
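Review bot: The new `image: ghcr.io/sovereigncloudstack/cso-staging:sha-c797c2e` in cso/installation/cso-infrastructure-components.yaml takes a staging build by tag, and with `imagePullPolicy: Always` the pod runs whatever that tag points to at each restart. The same container is handed the `oci-password` from `cso-cluster-stack-variables` (visible just above the changed line), so I would pin the digest, `image: ghcr.io/sovereigncloudstack/cso-staging:sha-c797c2e@sha256:<digest>`, and add a comment naming the upstream pull request from the commit subject so the return to a released image is not forgotten. The container spec continues outside the hunk.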
@@ -0,0 +1,30 @@ +env: + - name: OS_AUTH_URL + valueFrom: + secretKeyRef: + key: OS_AUTH_URL + name: external-dns + - name: OS_REGION_NAME + valueFrom: + secretKeyRef: + key: OS_REGION_NAME + name: external-dns + - name: OS_APPLICATION_CREDENTIAL_ID + valueFrom: + secretKeyRef: + key: OS_APPLICATION_CREDENTIAL_ID + name: external-dns + - name: OS_APPLICATION_CREDENTIAL_SECRET + valueFrom: + secretKeyRef: + key: OS_APPLICATION_CREDENTIAL_SECRET + name: external-dns +policy: sync +provider: + name: designate +sources: + - service + - ingress +txtOwnerId: moin-cluster +txtPrefix: moin +txtSuffix: null From b81192117b73fd033e607f6ea9aa89670a8f8673 Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Tue, 22 Oct 2024 15:48:08 +0200 Subject: [PATCH 28/41] chore(ingress): secrets aren't secrets Signed-off-by: Jan Schoone --- .../installation/secret-values.yaml | 127 ------------------ 1 file changed, 127 deletions(-) delete mode 100644 prod/ingress-nginx/installation/secret-values.yaml diff --git a/prod/ingress-nginx/installation/secret-values.yaml b/prod/ingress-nginx/installation/secret-values.yaml deleted file mode 100644 index 750ab56..0000000 --- a/prod/ingress-nginx/installation/secret-values.yaml +++ /dev/null 
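Review bot: The new prod/external-dns/installation/values.yaml sets `policy: sync` with `sources` of `service` and `ingress` and no `domainFilters`, so as far as these values show, external-dns will create and delete records for any hostname that a Service or Ingress in the cluster requests. In a cluster that gives playground namespaces to OIDC groups, a tenant Ingress could then claim a name in the managed zone unless the zone list or the watched namespaces are restricted. I would add `domainFilters:` listing the zone(s) this instance owns and a comment on why `sync` is needed rather than `upsert-only`. The earlier values were encrypted, so whether a filter existed before cannot be told from the page; the same block is inlined into helmrelease.yaml by PATCH 29/41, where the point applies unchanged.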
@@ -1,127 +0,0 @@ -apiVersion: v1 -data: - values.yaml: ENC[AES256_GCM,data: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,iv:p3R2PZczMqycsoz6WbaaWKC382ZUTsY73D02A+tuP1w=,tag:n9h0ftztMq8MCvccOoEXZg==,type:str] -kind: Secret -metadata: - creationTimestamp: null - name: external-dns-secret-values - namespace: flux-system -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2024-05-23T13:27:48Z" - mac: ENC[AES256_GCM,data:jL3mG8W2tsaFy0LYoMcc9t2EPzthippO8zUeVMe4A5B/Dv76y5q7oP+yPpxKnMKH8oHQjmQtvCWv07ktoBZJ+0MMnQWOvKzPthlymFJyxrMxPoEhVi02t0s6+rZVzHSg4lBJ4oliMHb00kKN0iEYgjrxdt9CO9wyIflY//FlFnM=,iv:VobWatz1AAxbMPCocvgpN6C/StXq0HtX8vrAJvuRuek=,tag:l9+65aEvz9xX84zV7GUekA==,type:str] - pgp: - - created_at: "2024-07-02T12:31:04Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAyBxDD99NeTXAQ//SZ+sYvB8dLG40/fFwro+xjeME8lhYV2GMzPMT8xyGtwy - 8VlimLyiDn2y4oEmppoWOe/DXBwvsmqPwn7YEsGwQ5APsflqFHyeDQPYDSF0qU1Z - 6IK82c4b6qAZoWP159YOUSYQ4mCXNVs0mkueFI82fpTjGpNLPa7X1nmDYTw6Gxmn - 3qyzOPU0dLqZm9RmQAKCPc/ptQ/koOKRBziYgFuDtitVfJ1hZ91d8eshuVshaZk6 - NeDe3n7tW1In/obGx8if+QDtfGKO8wqcBK9j32pEEg4NDO9KJt+Anty15o30dH3t - YiiHQujFncO5ShKbKXV/y8rIVul5zuGuMMO+ILqfTVn6mMWIdGOmri8ApaHtCie4 - 4ommtRMuxUsCzb6zSrq2VPDeRB2HWyzD2mNfqfbJVYRCpe8lz9HSv8xL/l7ynBGQ - Z9ykuPLNRPcpHedrDhvbnKuJwwAdFiky5f2g+TbShNCK8KC6owZMOCAZQCwFEWJE - xXznpbmsb2pXYTIAazQFnXCwoMnVyDPbMK18DWOYfEU+xmezusgDmRmNa0iax5Yu - doc7BklVQMYY1VOwq3vgM3G1YiemUVBkFbtQURlcLeQR/dCudxqG0IfPwReShQPH - WcWjKzqQ9qZ+39ZC+oct7NIbeKlw2p68+eDSwcTDfh0VcoZlupxfbMW8wI2k/DjU - ZgEHAhDN45V0/uNY3duFd2Vyzpg8JaHe7xeXyGgQ70YUm3TICZ6zUKqH88/UTaCe - zoeIa2zwCE5LV9rkh9ciZWxpDHq0jl9zI8MI2U5nkHpvNOvY2W4BCgM9HV7ADBZx - sSC8aINsdg== - =7nmm - -----END PGP MESSAGE----- - fp: CCCA3F0D6E841833AC56DAED48E4E0C7613AAB14 - - created_at: "2024-07-02T12:31:04Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6Kr4c7HLrmXARAAvkUZgS25CIAC6g6s9OTI6yPfz3KnUFFzAlBY1rnaY5nx - gaDl1RpmVuwCx7Ok8F7dNL1O6OQsXYwXJqElIYblq43Y2MsdPPq6hoUcgYFEVBv3 - 
uX9GIZ1+prsCXtYqL1OcBfxnJzdTJ5qD6ggnjP4hZ6l820T92Pm21s+eJ+lm8QuG - bdJdcsYPlt12K2ph313269A1JTvYsZh5diyTlZguKxiEhvLWhWk5Kr5YC0qMiK51 - bmCx4jjrhiHM7TLTOC05AjncWsFxYlGl2ZsL42HOlXronjoNJkeXz71hYIEtO18H - ejIsjb78LfvYLBFes5SY4hvenLL5QTyE6/vuBH8f5IV6XJ+RkMMZdruMzPwLbGYo - d1fx7AkFQFbMnoFkfKYeH0A4UNv/UjsNlE2X6TdyKV1S+pz4snzP0YtBokNrbIaR - mKjGfSxlOiBSnuYVpy7C1BjLBrnk0Ki0jFiD8T6+ojUfvFvQOhrcy9skO8xnsnSA - 4H+uuIPpaSBRXwGDa1kSeyIx/vpiy8oNeBM/6UiENHuXjhKKfmdWpPt9v4QivKu+ - Bz66w7HxE5sX8CoX6sNSMlePb18ZNHk6+FAbRZe9jCK5WmnhlFvHATL3/1XeqWRy - 7n09ZAEqfqqNda9AfRaD7SyePm4QJHMYJjyJqfmZM9zCSIbZcuvGR8W4ffhMfFbU - ZgEHAhCi46Le9iNZkHygfWdLDMQF7LkMRIRRgBVC68vw5Lkr37PfqeWUXsM2irsk - DroxBtJimQ704o/U6RUqWb9x3QPcPqeKpCcGl894sWPWDhX5dG3c18/WKeNGPGUZ - Ei6GfxiAPQ== - =9GIn - -----END PGP MESSAGE----- - fp: DF71497C07110D584ED5D379CB3A922F8FAE3D50 - - created_at: "2024-07-02T12:31:04Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA/o5Gaf/w6e6ARAAjQuj7C5Zd31dvxo1sA/sJDKGZg7uHri3FMRttbj+iPRv - kXlXB7GHxyYHSPxhgrRYilqgd6l60x9s+fsRJj9HLvYP6KTGoGQ9MwuW0lv291uj - 4YGkf6veFIuv/YM8HGKtVVlTI0NpBfwwiiWPQHxnS5nSQnDt/In5/yui2nfj8ejf - Z8WS/8ZZS/DHYOSYEdSLlN2JItTUHXkrYdEAS5g6x099axL6ivI7wPrqtBvOJOdr - Djv/wVFYuB262/sJxdejN/plQBWBtJ1s5A0fqkI5elRmPFIlV5xNUTNPKBQKe8JJ - 9ii/bUBrt6fJvJtT/268zzk6mTJj076cklXbTql31LP2ECBAbqWMLDiop+ggILaF - l2eG8Yw5hiugR4uFGKAOqXGOKjimIcKYxxgqn3/bMiTaIXErULWCRwTaY9H8YqBo - GLoVkoxn4qIt8J2AER2ZVs7+Hyy5y9zXCEUKVE18H96/n55AJxeX1mfgKrjCGMSk - bQevea33OrWkt45it89FwumGd6DjQWrXpWrTJnrmqaVyLmn+4R6XBcIpXpKUHH15 - IQownvXAWw3GaGgcFVra3a2Pl9mEgmfKyKgQFCUbPro0k2JBrFcx3wY7IkWo9zCz - wgqTpAJ3l5YWXq68YrmBqu3luZk9IXxqWYGONXqFALd2j5XwtyDF6bNm9XjePwDS - XAGygsGq1m3NsSPOLlULWPMxlBaMjaRWMA0pGbZG/tWyM6xIV1asqeGw5WazAdKQ - i341Gs1oUlgKk+zMMH0EBv4IkLdHXihGI/Nto51wBqZnzrQKyZtr3T3FyD6M - =v8eL - -----END PGP MESSAGE----- - fp: 5AAE7807A91FBAA7A5DB246B52A2E96A7268BCCE - - created_at: "2024-07-02T12:31:04Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - 
hE4Ds9lh1tfJlukSAQdAXBul/01kdJcvObeUhMp/9s2wGijh2Pb8G/dXAJdZ5REg - 4bMjx30k2ScUdWPx92xZh3W5yLu5/I8a31wsV4rTdW3UZgEHAhCe3O2uyYbKSYgP - UX02+swWh8FFXzooMqtZBZfDZH7NaSAXP7UiAbQxC6ll9pQ6A6SF/sFcHlgIdy1X - 8uheP2S0oLKxecWMpBUrrgTy5ZvxehzKtO5+M53SkgRtl5BZ5fh8xg== - =/NGn - -----END PGP MESSAGE----- - fp: 6A413E28286599A84595529EB2F65CBDF1C65D3A - - created_at: "2024-07-02T12:31:04Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA2VTGvlVjirjAQ//ZzPjTRv8LXDfiIlu9sl902ZehlFMsNX9aljb6AIFpZjd - eNiUO0a7xK6R5Lp0yMCVknBhtDthND/2d16w/uL8MQZ9CexpcEVeDo9xCCxakIt/ - 1vIh0W2wjkS/sSQUDyTY/bu8D3tiBTWqc4ZUo5DF+toRcmNBmKeA8IT9ZkTFwHhC - guLj4XfDGd3Ko5Wv2Jupw6HoFDPDJxBdEBByTRAzvG/mBQm0Gpx+gZC6J78uMV8m - fx6QSkzAIkP9zc7IrSZjE6GyyA/tf2FL8LippwtQdYJ+Rfnpr+acAYQ7bSpS5Y5c - JB9NHhD+KEXWqxCTom9WDqsjFfj9c6a/Q4PtV3Lyq8Kc6kii2m7wxd6Z0yOEMYkI - /xwbDdFlG+YFoxbiWd/k11x3Z1XKTvMmlyJAFtiMynbd9u99U+E1Ul59614QkoRV - S/7SowsRZ6qJoyRtcF2y2cie732m04gbp43GnerzytEoPIL4kW3Fr7lsoT0vkaCl - UhhyTWQdIjBaBezmzRY7spBSy6RZfXoEJNJK3CO4AQKcjpjNm3detQF0Uhu327uC - EV7hfp0WsIgayRon3/LxIYYaXFeEAhtYK7I4DinUxZpCo/WXcNC+dlcz7f/kmYe2 - PEBptDqJWWNn44sF7BoQ15UHXISoJcLcrgaDjnAp0+dpPAD5flgaa5T3nyVE7y3S - XAFTS7Gc9w3lPIL5w+30bFURmIL2HL7YxtUyA9GNwOyzHmaoEIqP8oOhdGyRSsdD - 2tYFMNf35iU/SoQdvQ8mwxDMKinlhDSS7f3Da1zCqR15Cuw6cQZeHom4hm9n - =LjZV - -----END PGP MESSAGE----- - fp: D48108A56B0EB04A40DEE96775676F49EAFAA9CA - - created_at: "2024-07-02T12:31:04Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMA/CESpP6bvPkAQf/QwGTxVEmOHyRx5Qq5/o8JkBvFwuoXlS+YHOtS2k97oGW - bE5ExP763X4w9X52i/3EYaZKOftN7HQu8T7Tzh9IN32riU8fS97Cp8353DIE8Q2B - fb/YGR8SVEgdnAvCr7ZWOALBnlPKSkI/vEpGvLo4+1ATuOUtIB/kpR/F9xM4lEMT - EDBveiAvjkVoq0qRk+1rffvZhuhhwbSrsResSqBJJ9CAUIekzk269W+waYrUPESd - l4ILiB87OX7pBFco0VlOn1uirhatbggsKRhxpkwiJWyV2KMg4LOxvYHiNZVjhO2P - CVzFkzO2slMex6Yad8BJDSh/hlfQnFABrvFY3RciCNJcAbmAgxeQjxCsgEDI/JzB - 7qIi+FDQuoURkpoSxtpzf7HQ1SyldMenecuZQL/zFTJ+zBbn01PP3clodyPlLTuu - TSbjmN/u25BU6LLFE0sguaMJTOUxUkzgWLHfybA= - =nbsV - -----END PGP 
MESSAGE----- - fp: B6829414FCD33331EBD08EC3F70112A73CB97C21 - encrypted_regex: ^(data|stringData)$ - version: 3.8.1 From d60b14b3ee8094a061997fe29ac730b11e3373c9 Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Tue, 22 Oct 2024 15:53:49 +0200 Subject: [PATCH 29/41] chore(external-dns): move values to helmrelease resource Signed-off-by: Jan Schoone --- .../installation/helmrelease.yaml | 34 ++++- .../installation/kustomization.yaml | 1 - .../installation/secret-values.yaml | 127 ------------------ prod/external-dns/installation/values.yaml | 30 ----- 4 files changed, 31 insertions(+), 161 deletions(-) delete mode 100644 prod/external-dns/installation/secret-values.yaml delete mode 100644 prod/external-dns/installation/values.yaml diff --git a/prod/external-dns/installation/helmrelease.yaml b/prod/external-dns/installation/helmrelease.yaml index 024f69b..ec53685 100644 --- a/prod/external-dns/installation/helmrelease.yaml +++ b/prod/external-dns/installation/helmrelease.yaml @@ -19,8 +19,36 @@ spec: createNamespace: true remediation: retries: -1 - valuesFrom: - - kind: Secret - name: external-dns-secret-values + values: + env: + - name: OS_AUTH_URL + valueFrom: + secretKeyRef: + key: OS_AUTH_URL + name: external-dns + - name: OS_REGION_NAME + valueFrom: + secretKeyRef: + key: OS_REGION_NAME + name: external-dns + - name: OS_APPLICATION_CREDENTIAL_ID + valueFrom: + secretKeyRef: + key: OS_APPLICATION_CREDENTIAL_ID + name: external-dns + - name: OS_APPLICATION_CREDENTIAL_SECRET + valueFrom: + secretKeyRef: + key: OS_APPLICATION_CREDENTIAL_SECRET + name: external-dns + policy: sync + provider: + name: designate + sources: + - service + - ingress + txtOwnerId: moin-cluster + txtPrefix: moin + txtSuffix: null interval: 3m0s targetNamespace: external-dns diff --git a/prod/external-dns/installation/kustomization.yaml b/prod/external-dns/installation/kustomization.yaml index f923ad8..ebdbd2e 100644 --- a/prod/external-dns/installation/kustomization.yaml 
+++ b/prod/external-dns/installation/kustomization.yaml @@ -3,4 +3,3 @@ kind: Kustomization resources: - helmrelease.yaml - helmrepo.yaml - - values.yaml diff --git a/prod/external-dns/installation/secret-values.yaml b/prod/external-dns/installation/secret-values.yaml deleted file mode 100644 index 04022c5..0000000 --- a/prod/external-dns/installation/secret-values.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ -apiVersion: v1 -data: - values.yaml: ENC[AES256_GCM,data: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,iv:p3R2PZczMqycsoz6WbaaWKC382ZUTsY73D02A+tuP1w=,tag:n9h0ftztMq8MCvccOoEXZg==,type:str] -kind: Secret -metadata: - creationTimestamp: null - name: external-dns-secret-values - namespace: flux-system -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2024-05-23T13:27:48Z" - mac: ENC[AES256_GCM,data:jL3mG8W2tsaFy0LYoMcc9t2EPzthippO8zUeVMe4A5B/Dv76y5q7oP+yPpxKnMKH8oHQjmQtvCWv07ktoBZJ+0MMnQWOvKzPthlymFJyxrMxPoEhVi02t0s6+rZVzHSg4lBJ4oliMHb00kKN0iEYgjrxdt9CO9wyIflY//FlFnM=,iv:VobWatz1AAxbMPCocvgpN6C/StXq0HtX8vrAJvuRuek=,tag:l9+65aEvz9xX84zV7GUekA==,type:str] - pgp: - - created_at: "2024-07-02T12:30:51Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAyBxDD99NeTXAQ/+Pqn2kiwhrfWNJeH5Ly85mJpLl36QQvi5sRZovpZqVK7g - nUY8+LRRLv6RVBtaxstiKqKQnyqOjWS++U3Va1bud2hmRm5Yj8sd9tyciPFSIyzK - 5V8HCTafGk849esvQhf/1evip/GRQkDMGhV5JH2eFES1JUNguoT/KiD2FO7Rd+L4 - qgHYtTCGpUZJOwGbJtLFe6slpyDYAlSXp7RcTJ5o1NYC2hc6qBMTMTy20YvJKwXN - qbeSxFfqbdxRLiuD3wSgtDhv0t3aruCub45eHShXErXnkPWfaRXwly+AVQrSc8AP - Yv+E1+1bas4IKTVuXNW74sBY9+zMIR0fLsQbsttfVFe/P3V/pXjy89B+l9xN39Xj - XpLxlSpgctbhkP4o5r3vNprE2wurjOtsrDaXqulNNtXC8ft3ObXURzdVbWziN/9u - M5X6xP65s+cjObLdhgyegwvVOZ+AjsM1bRKOavFcVyFnqKPTbnEDiT2jRkqn7XR4 - 1eoPuZ/mXoh21LFkMmb815O6xXMwlckSvaFid3Ph9regQRsadpNnTdXQDVGiLe6M - fA/4V9sbb+21XWKGJ6V51J4UxEzNEo0x9Supt3izQCIpvVeUWkiKqOXtJ+SFk5kO - xwQjKxifuhSb8L8cLhXmILiMTy1OlXwWwlYOy0VDRyB3BQzRuGub9n8W7ImNpB/U - ZgEHAhAzLamBrK/b2+LGqlf+7cvvDdQY18fjXw4DJ+B+rxOSEELrDVUZy8A4U2pX - htmYZHtx3DKQq9wrnswl6VoAAytrI9dMyRRKi3Q0TukCUZtqVFB8EwHa67V+Hedv - ojz1jZHRTg== - =DWpq - -----END PGP MESSAGE----- - fp: CCCA3F0D6E841833AC56DAED48E4E0C7613AAB14 - - created_at: "2024-07-02T12:30:51Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6Kr4c7HLrmXAQ/+Ji7jlQgeQSsbewK2oX+o/HxsMyfjAe59OfAXfRCGxeGh - ORQBVpULor5JzhJhcxJsQmOu4qNDDpDVVU4CmDULCHqPE0Xo/99u58cxqtoN8yg9 - 
TNYyVjXlsu02Z37Nhzifz3+UxKIHV9Q4Uwl2EpAE1yuYvfXUP2OHcizK9PwkFePB - V9BQ5vcEgPJaa4dr0c8NbTXFsu62MJxTI9OQaF/XgvaiSRWtdTOr20CkJ3hvCk+s - CKLgJ0rGSDKeFVd1fl1KA/ixH4dxKzMKLl0efhthC9YOLSdm18qwQAp+ZN74rUuj - MPYlanBW3paYhGfcUcosi+dR4lbq05E/R8s4tYa9hHAzo2UTTuJGd4Di1imxihUM - vek9UF770wqxHm65NPH8pDTzEdDgZ448vjWXlzyfPTjUcfB8EcvWugGHpc/d7cdE - JnBbhKUndontK2Iv3X1mXlIe6CuwsaHmG/i1yYgrnXda3H0YAFbEcjeOcwTaMiYQ - aUtYHdsi93di1U8jsbuXeUi0DbujXqFeWRYiuUalYLQ0homHkhyWdT1gxfZvWmBt - QhfUoiYpspecv1sl01HvQExLzQw4QKiY/eGSil5kaN49M3j8xIGCHxR5sauHaodE - YR1rmY/lj0Fs5H8Xi/exIYds3MrbNEi5KyB2/FnyDOK91kE5s7D/LO8tN1pUe0LU - ZgEHAhCs7/MRz6RFRG8/UI6wIjwcZnoSoq+sQQRHjb/VCc76bYl+3Lk9iN97A10E - wQxbXKDZh2na9xJm1Qv3slRSJEBL33uXGyO5id+bPG+99ifWh9ly/n+9Vogs1nxu - C3rFoa4jow== - =5EHs - -----END PGP MESSAGE----- - fp: DF71497C07110D584ED5D379CB3A922F8FAE3D50 - - created_at: "2024-07-02T12:30:51Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA/o5Gaf/w6e6AQ/+Kgz8j+bwmjYm/ydM+CDOqyBsaODpXhBhf5GfPhAt0a9H - mKGUoAQvN0f4oshBWbrkttrnQD1HEqeWaPrkZArPdXN1JokWKYjrtIrYScGtta5R - zrpAqObnvswIE095SYXLcl+DvbXp3eXKLVD4QCbKd/0omAcAMryiwc+rg2JopP3Y - 2GC5M0YFpuYI/nC0o3BJ+fRGB6ltCgCkqzABKsfe7cpXbVLs/nRftg0/dLek0mVh - ycRUA+cs1LEnZ+grYp0tlbKVhafXPc8+zmgEdOktRtr3dXs9szmjs9LKxV/CEXCS - HynjHKa0mQ4qqOO2usJqcyvSyjZ2PvtJtbVd0sU842yU/OcJaoS5XlsD4zPAwViy - rGYADpBXoSnabLCDLCjFk9IxIDTLsJHJ2nbqmvizrM6N1FBLM/bWDnyiEASoHMJI - LOsPHH18AM/gxl6lJZlxKDMYKCxXTmNsuF/Tz9zuZPH5Xmo82Mis42A0x+tDCCuR - P/jgf6tIFjWbwBtMSuqSTxaJF8mRCOUOSAIeUmVLLDHzv0eHhGpLBj4zXUUaxg6g - 3uhcuadxwUMByvMrg9M8FaYN0P5Ivd6ZLMl4beBwDq9SM5Zmy6yID6NJetDMzyes - 4QuewqJnuwFv6CVSOTVvE8NjVsx1pt4An12X21jnpSFxhwUp/07fnKBfobYo7uXS - XAESXbohdf2Zl7Z11R7RrlReUjUJ4CSoCjIfsENUtmI0NSWbYqkTRcVusXUrAgvf - L/rlysLtI3dijE/eWi4STQGR33bkIgAs3LtVWyh7iIZETndQuqeKNDr1K6Q/ - =FWXO - -----END PGP MESSAGE----- - fp: 5AAE7807A91FBAA7A5DB246B52A2E96A7268BCCE - - created_at: "2024-07-02T12:30:51Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - 
hE4Ds9lh1tfJlukSAQdAhSd0sZ8owl4I50ZtREMFA1jQpLM322iwk/C8J5IWHgIg - TjQbC9gzadEbInDzqwSSAg+FDW+kH8ReZw37j9Kof0PUZgEHAhDVolN7Y8Ssxi8q - pZ1xpOmc8tDWTn6JorwFJoNRVri8nv4MHdytxzzLY+Y5/7Rwo8HlNrW/wQs9oGdQ - s/ZsiTCSXn9C5u8EO1yvQWWmuiKho1uLSJSxBPXAM4wEgFepW7dYLw== - =Q4uz - -----END PGP MESSAGE----- - fp: 6A413E28286599A84595529EB2F65CBDF1C65D3A - - created_at: "2024-07-02T12:30:51Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA2VTGvlVjirjAQ/+OqhtmaahvfwH4HedeiLXjlCynkT/S9xiI9QzXmU6WuMr - mNlKxPFnrBtFmQ6738dAUG5mhkYxLMq113WU1dDD2F2jAEzJm+UshAA4XgGt0FC+ - QbODSDS/HvZxn9+tFFPcI7qkbrLHNvFHb1S9aqUS05fl0+eGZ5tvViHk921Zf+tY - LlDrbKXi7pi0yAevuOMTI1TEBC2bL1WKJhIqfp7WfZZtQ+LnvXXC580Q1h84ss5F - hxRfmfefnfWiQwsdB9GYh2maSd0qV0OYqIag4x0bOcpM9amPaSN6WVJbQKVFkuTo - xZi3JHbd5xB578kMUcYO/ExzlRQzmZEVq6RzL7DlhlNdpx2K7qBoHzhLSZRtscHH - TH8Nvbj5mp1CA8LabMpT4Zy/nnjsGaUWVgqKeYuVbp4+euRgLbSLpThAzbbD4iqf - BRG+scZE43uDZds+PijdJIjmDxr/R4FOGpK/hZjorehvnJmyyQ26eQRK4Vzgg72p - oUAWzUWU7VlHFJKR00HABlCBYnXxIQTH8F+sB549mdCEKbQKxFy2qC8PfMePwH7r - wlB3LwkT0HEvdLrBWM/ktF/VYLaeojrWFBRhlFfEixjE6IfIqDj3q0W2AeH28uvL - R6zoBvSCPRoB9yodmMdmc/vs0m3BW0vglm7eOb72GYAB2upP0PbkI1vDllp/d7TS - XAGlk4bkZe+zirbfeO/v8+Pb7ko8VbmWSQRp8t6W5rOe9RlgkgpEfXfdT+gwUxkx - b5q/rShwIMpWJddnyWYRxu6+0wIr1jfeV11LjHHsX862FXrnAbRx2I4YnDzQ - =JAlB - -----END PGP MESSAGE----- - fp: D48108A56B0EB04A40DEE96775676F49EAFAA9CA - - created_at: "2024-07-02T12:30:51Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQEMA/CESpP6bvPkAQgAoNqYz7b1rM13ElxTdfCbyfbW6GgsIqJeec1TdRgTXoQ+ - 5A3RA2PxNTgE+Au2lSTs9S4oK8Zr+JYM6HhJ2q8muCdp19m5SBJrSHEViISApnrt - QlvIlX8dfbiymtPTwb3nkUX0GNPadCZyfPYRkokP2p+n08QJGgNxWxXG+1NwYXH6 - /a4Nv5rxWYObONtQPqj2MEABF9yAtk3ToHEREWff4L7KCCJRlRQ1iQ2Yd36fpVkm - Af8dgEkvUrhOxA/rZTunTAaeoiRoQyw1I9icagVa9NYf11IiGLBVlVNaFkNJ/+ZJ - W+eTF7+4Q19JUSZL46FEadIER7Sz3zh+zecX9g+NitJcAToDwgTSHTD+pwSNqWUR - t9sh5FgqxKA7wj3Ocs1Tmf81HuWbXe046nxgQfbk9EWa7CeRxbcf5Pq/VZEln9/2 - rzQjcJq5x1iguQyv4mtD9RWsrvVsYemm+aB0+1w= - =0sMM - -----END PGP 
MESSAGE----- - fp: B6829414FCD33331EBD08EC3F70112A73CB97C21 - encrypted_regex: ^(data|stringData)$ - version: 3.8.1 diff --git a/prod/external-dns/installation/values.yaml b/prod/external-dns/installation/values.yaml deleted file mode 100644 index e80cfbc..0000000 --- a/prod/external-dns/installation/values.yaml +++ /dev/null @@ -1,30 +0,0 @@ -env: - - name: OS_AUTH_URL - valueFrom: - secretKeyRef: - key: OS_AUTH_URL - name: external-dns - - name: OS_REGION_NAME - valueFrom: - secretKeyRef: - key: OS_REGION_NAME - name: external-dns - - name: OS_APPLICATION_CREDENTIAL_ID - valueFrom: - secretKeyRef: - key: OS_APPLICATION_CREDENTIAL_ID - name: external-dns - - name: OS_APPLICATION_CREDENTIAL_SECRET - valueFrom: - secretKeyRef: - key: OS_APPLICATION_CREDENTIAL_SECRET - name: external-dns -policy: sync -provider: - name: designate -sources: - - service - - ingress -txtOwnerId: moin-cluster -txtPrefix: moin -txtSuffix: null From 7968d004235b4d94586f0f63b4c441be919ceed7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Malte=20M=C3=BCnch?= Date: Thu, 4 Jul 2024 15:31:12 +0200 Subject: [PATCH 30/41] Installation resources for crossplane MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Malte Münch --- prod/crossplane/installation/helmrelease.yaml | 19 +++++++++++++++++++ prod/crossplane/installation/helmrepo.yaml | 9 +++++++++ .../installation/kustomization.yaml | 5 +++++ prod/flux/config/kustomization.yaml | 1 + .../prod-crossplane-installation-ks.yaml | 17 +++++++++++++++++ 5 files changed, 51 insertions(+) create mode 100644 prod/crossplane/installation/helmrelease.yaml create mode 100644 prod/crossplane/installation/helmrepo.yaml create mode 100644 prod/crossplane/installation/kustomization.yaml create mode 100644 prod/flux/config/prod-crossplane-installation-ks.yaml diff --git a/prod/crossplane/installation/helmrelease.yaml b/prod/crossplane/installation/helmrelease.yaml new file mode 100644 index 0000000..25c870a 
--- /dev/null +++ b/prod/crossplane/installation/helmrelease.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta2 +kind: HelmRelease +metadata: + name: crossplane + namespace: flux-system +spec: + chart: + spec: + chart: crossplane + reconcileStrategy: ChartVersion + sourceRef: + kind: HelmRepository + name: crossplane-stable + version: 1.16.0 + install: + createNamespace: true + interval: 1m0s + targetNamespace: crossplane-system diff --git a/prod/crossplane/installation/helmrepo.yaml b/prod/crossplane/installation/helmrepo.yaml new file mode 100644 index 0000000..42c20d5 --- /dev/null +++ b/prod/crossplane/installation/helmrepo.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: crossplane-stable + namespace: flux-system +spec: + interval: 1m0s + url: https://charts.crossplane.io/stable diff --git a/prod/crossplane/installation/kustomization.yaml b/prod/crossplane/installation/kustomization.yaml new file mode 100644 index 0000000..ebdbd2e --- /dev/null +++ b/prod/crossplane/installation/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - helmrelease.yaml + - helmrepo.yaml diff --git a/prod/flux/config/kustomization.yaml b/prod/flux/config/kustomization.yaml index 3eaca3f..37a7932 100644 --- a/prod/flux/config/kustomization.yaml +++ b/prod/flux/config/kustomization.yaml @@ -14,3 +14,4 @@ resources: - prod-velero-installation-ks.yaml - prod-cluster-gen-installation-ks.yaml - prod-monitoring-installation-ks.yaml + - prod-crossplane-installation-ks.yaml diff --git a/prod/flux/config/prod-crossplane-installation-ks.yaml b/prod/flux/config/prod-crossplane-installation-ks.yaml new file mode 100644 index 0000000..656d134 --- /dev/null +++ b/prod/flux/config/prod-crossplane-installation-ks.yaml 
@@ -0,0 +1,17 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: prod-crossplane-installation-ks + namespace: flux-system +spec: + interval: 10m0s + path: ./prod/crossplane/installation + prune: true + decryption: + provider: sops + secretRef: + name: sops-gpg + sourceRef: + kind: GitRepository + name: flux-system From e1ac7d73e8a7e932a248f50d10b9721121e13c6e Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Thu, 24 Oct 2024 15:06:48 +0200 Subject: [PATCH 31/41] chore(crossplane): bump version Signed-off-by: Jan Schoone --- prod/crossplane/installation/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/prod/crossplane/installation/helmrelease.yaml b/prod/crossplane/installation/helmrelease.yaml index 25c870a..501ffbf 100644 --- a/prod/crossplane/installation/helmrelease.yaml +++ b/prod/crossplane/installation/helmrelease.yaml @@ -12,7 +12,7 @@ spec: sourceRef: kind: HelmRepository name: crossplane-stable - version: 1.16.0 + version: 1.17.1 install: createNamespace: true interval: 1m0s From 5cc48d6ddddd11697b9d2964591b79f20ac55ddf Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Wed, 30 Oct 2024 12:26:57 +0100 Subject: [PATCH 32/41] fix(dex): use correct secret Signed-off-by: Jan Schoone --- prod/dex/installation/secret-values.yaml | 248 +++++++++++------------ 1 file changed, 124 insertions(+), 124 deletions(-) diff --git a/prod/dex/installation/secret-values.yaml b/prod/dex/installation/secret-values.yaml index acdb414..bf01e1c 100644 --- a/prod/dex/installation/secret-values.yaml +++ b/prod/dex/installation/secret-values.yaml 
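Review bot: The `decryption` block (`provider: sops`, `secretRef.name: sops-gpg`) in `prod-crossplane-installation-ks.yaml` is not needed by anything this patch adds under `./prod/crossplane/installation`. The three files added there (`helmrelease.yaml`, `helmrepo.yaml`, `kustomization.yaml`) are plaintext. If the block was carried over from another Kustomization, I would drop it until an encrypted file actually lands in that path, so that only the Kustomizations that need the GPG key are configured to use it. If it is kept on purpose, a comment such as `# no SOPS-encrypted files in this path yet; kept for future provider credentials` would make the intent clear.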
@@ -1,136 +1,136 @@ apiVersion: v1 data: - values.yaml: ENC[AES256_GCM,data:hkq1sA5mf1CL8nY7nnUMXsHrp4S5JS/vLfavE7CvtMFawDHfwtS0/q6jQ4Auoy1Zs0KGvi8xDSMYVPWNBDTqcU8PmGyhX0Z0NDjtLDbQbOT1yn+RldljKgVpvLPfylSdVwAw/OkFswQqel9UZqqy43iPfx0JNpJHtSHaA7pdG1yQuMtjRQdTh3K6xLsRfzeENQuFq96QTEqi74SCvL3rhdR8gs3gBMUqO+PdYW7wuAGFmpyAVMNq5l6Oti+OUIHiEOvyajm52IGKjIeeXscc/LVimYztVJpuO522cs2dkxnsdVNFdgrihj3HKig2A9scZvHpiJBawBPLLyWHG8M3Wh41Y/9ZWZlqSCFmNplcX7Wtg9Lon27AUhvSRTs7zLpO637ou6OBvvjo2YQATWxKLFbuKFOKYGuceS9p+9FVvWHHpw0FBpC9RHLYhOPu8ZReugQ91iTpsfokKvM/Cuqqe0C5MzFvvgQlXp2neQ+yyzR/V12fJA1HYby8CnTgrSCaZc3Mh4zl0gV1ZOljn5y82wG5AUPRBNDRTwKxQQOxjfgf6/1RhkVj9BjSGeIsASuM7a7E6NBbmbOSUCJs01PH0iAUkfinsFA0moT9wOTZUuS9CBgESaVxIeVWn3QVkHLS2h2nWF184R8YmrC8/sWZs0Q5S6ZIIzHZwEWwsEUdWwf6JSwJ7msfJ3Nu8zPvCWYgvYSrmmf2ldS+beS69yLXP9SZ87pXBk8BFp/nkyf5kf3ZrLd917AY/HhKPR9ib2Kb4lVihAFbmU9sCYqGnh3b6ydg2/i95q89i3MtolXZpC6dGQKD8Vlyqq95a7mG/5p2YLeqpLaRGSQXeojOHVQYuKp8vt4eT1Xr1Dsd3EQeiwm0ez1mRMFJ4CccGDY/1SCoOMbqTtEDwvPvwvhSfDOmUoNnHPuXGEZaVVSkQox/4Pl8Yz97IXWcMq0EhjPpFtUCqjc6eY2gmTIeeyMbwR3FlzOH8f+lTkpSiMSV74Qwd9Y90gHjwRuoO+cR7ndkmxSV65LD8ZvuY9DgwwpgByjaboXrUplVZLQokPVKoEu3vLcz0YvsdwRl85DK/RbLtEUNqUNZl3XSGur8adOfPc/LAM/MoG+66AJVbLH3hipnucsMDsH9pDmWqxMA3yeGfmZjATWDelsZnXIDISB3+n3RCNUCO0jl8pewHIRvn1u9jcUh7LLN/xxaGlDuIbZNdYs1ZiPzSXhAFrAukEC3Y3Ew5Y7mdW4jjh0ceJc6YrNxqnDoilx308hMbbPMisIe44E8rILXAMLweVHd5iTUwcoHeXW5tpyiHAabKZbnReqpisMv8Ec8OxDHsgQmm7P54FquEq29eCjwtSccvzEphmW9E299OVB0fMqsFHN09JFJo1YVcll0A3yRSjtm0V8fT/a58Ukf9rNl8Ll0iMKk9FF9cJGmq5RIhxou/ifmhWz3qCrftYPd85GhD//AVJdrxWaqba99eKTOOLQwQyksPWKRto8hXt1JW0X8wuxTE2N8kT7COTCLlvy2kfNO5EDeIR5v3LCbryBNtS/U7DZ7g+m5tyaH+9xTZWsbF3E7kJVvtNraPxFD21G9leZKCrv39yixvQe9JZgc4lug26SoHT5jmEerTAAEm28hM/QWKdE8GRb3iBpe54weC+2/8LZQaLCo7Jka++iPtiuiNSGFd+rIY63C6xn3Ne5WF1iEx4MZ63r0aAs6tU1b78YQZqS4my17eDd9h6eJNc52U2X0Y4HYJ1L2imPi4o5ZbqG80w0k1ha/5mGdSF7Fz/f39GJOgGYYsBcNoiZ4vEBQd52PzBLSQXXe/HUPSTILHDJTKNoSLRFsaE2QiZ+GkNyW2C4q4HIsxUjsn+6Sl/N3lIKG/5Ha/0nEt9jSRutWwUETv9I+qRXA/B55v1rXllLrs+RoOss1wdYd
4ZqhJi/d7mfSSYHCcML1k5rIyZWxtkU87SbLdlaQjEFvNxfvwjRJdks+8uAdJVCULK7HbGDefY4QynUYeZeK04l7VKEOFnj9BOqq6guJR4GXllnIXkHQPo5xetgAG8rVdx7bP5S3xMzNyBfQzWg8RrLspTgYw6l2MC2zoFL7BmGIGnRsn1lADTB2tESN9a8mCcmy6lDIyMQMDhRtEPNBzBrpnDHbSYMoCG6CmeqmL/1aqI6oE0aqEM+F54+My0WbFUIEXNuRgkKi/YMxRdA8csgUu2CNvtpTUG6PAqCM+xghUMJKN1MCxZjl6BxhUFLFxvWA1Umj0jvO4omnjW+njANp/jYFyq6Uv9FExPrwoymOd8b0HmW+awlDl8SR0lGlxH9IcuZo1SQuSsPWGInOUn7Hr+i8WiIj1WhR5Rp8qcxTmmiPnkkfvTf9CxlDHZM55I1qLWzkHIGteJ86qNwSFxzsmcWhpxSKCOwL7pVCMYCE0P1lyoF0jifFdYELOGJzXRVyTVZvc14wkP6H4HlHS9wxx062z8/guUvUppWHjNFAQOFewrN5F5fFWn1P2m8gZXPrnlZIy+I+ZbtyKv47dNcnXwKNpulkaOX4Eux0LY9/bLattdprWogvqLgu3nDSch3MttX0c+Y9TfXUORvaqIwh6nyr0fdGP9a2MN9BkEJbOv9lApwWgirFBzpOFGuZMRm1OLOO0KTi4iaapZgZGd4X7NcKMeS83UZaD6lH2/Lncv4gydhgv/I3yDwdt47WfcRwuoyPuQqlLAaMuoEdTP6ZTIDJx1HcXIStbhIlHfDcjVMiGEmxhflNdxFdNua1JpwMFUE24SearkjPlHD5Eqdu+MwO1c+LWUmPgIKT+D/7CH5ywuUNDzkv6vQmeTu8imLDHJAkZ0ef/NsZG8kO3yhE3t07ix1EAnm8UH8/CxYWUPclFu+faQ6bq0q6X53IAa9DC8AmlkMAjCA1WJnYLFNeb5ivKJ1MQg==,iv:WrWlv5pQ1lUU9fUc2CgINqJ2fovUMVziRxZZ19Q73Ug=,tag:sSv6aDfxydvDiO/cU6YICA==,type:str] + values.yaml: ENC[AES256_GCM,data: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,iv:WrWlv5pQ1lUU9fUc2CgINqJ2fovUMVziRxZZ19Q73Ug=,tag:sSv6aDfxydvDiO/cU6YICA==,type:str] kind: Secret metadata: - creationTimestamp: null - name: dex-secret-values - namespace: flux-system + creationTimestamp: null + name: dex-secret-values + namespace: flux-system sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2024-10-18T14:07:10Z" - mac: ENC[AES256_GCM,data:WWaF/alY41hcrNcitULKYKG11XhSeyffDpgGl9CEINvieI/3Lw8nD0F0xsI6GeGbG+wdzSmnFdkIFczzsbGck9YIlh9o4QwGDoceeFJE65GDlUcq0OeZa14jQPWhtGNJwZmHNqyDmufas+pAHqoXDSgHxGCficL2DpeJm560/n4=,iv:se9Xo01GTao5Q6Scc/HgpASSUfUNl+Pm0MVVKKkYX0E=,tag:SYqu0DraJrRaSL99h8CW7Q==,type:str] - pgp: - - created_at: "2024-10-18T14:07:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: 
"2024-10-18T14:07:10Z" + mac: ENC[AES256_GCM,data:WWaF/alY41hcrNcitULKYKG11XhSeyffDpgGl9CEINvieI/3Lw8nD0F0xsI6GeGbG+wdzSmnFdkIFczzsbGck9YIlh9o4QwGDoceeFJE65GDlUcq0OeZa14jQPWhtGNJwZmHNqyDmufas+pAHqoXDSgHxGCficL2DpeJm560/n4=,iv:se9Xo01GTao5Q6Scc/HgpASSUfUNl+Pm0MVVKKkYX0E=,tag:SYqu0DraJrRaSL99h8CW7Q==,type:str] + pgp: + - created_at: "2024-10-18T14:07:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcFMAyBxDD99NeTXAQ//Yge7OCX1RpS65Cm8HKofxmAGQqU9plLTRnxvZHg1dmMZ - HNpZGQMLBJqR6zSZQQenzSj542k0FJBoZFggbqXmATQUpD7Mw73IaADlvOhUbB1x - qsO1UD/uukOHIxbbBkq6+d/OtN5+u+gSMs/3jEF8Hn5G+UWacm6F9lxWabKus6U/ - 7eOI/yIzQa1KNz+wIRKzaMe0Fn9COt94C1HJuBfyVFI6hzU49lhxs1crM293n3iN - DwZuouB5Xabt3o9diWDlL3SRG1IqL6nHkLFR5X5ax7HHic22Q7f5nxYw8Fa6LJM3 - vn/xNe2Be4N5RjnZWWcCu1VmU6J18/MLHAFaEohkFVdmHa855w+ACDfIU7W9TugA - BYbiZ42dUFwwjddWsDS6ckOwesrYswloBkyXQ/Mnx0I5PqsTo2G5tl4I2vgtJqXW - zha8QEt+9Hoxl9w1HP1HUAz3j+4kru2NzOXQT9G/ncGjdOUbJ0rsh3OWbF4h4VTP - SOrD19TXn8dkM5lVNL6Hl6LDj748eB2lLojPqDC9E2I+Bd5ShYduTwNQNsPoqq3T - egn/LgWmXju5j8FE9FTw5sV0jLkFGRnhPwAY/QgKNqc+C+hfJkm0ctrsUA7U8wfa - IuXUpNCvJZPsB0qcBQj9C+qz/Q8zmtAbkCArqxjRwK4P1Ph+849KxdGZwpIwsmLS - UQEM4QbknTmaS9+ELMnzbQbxKx6C6XJM55XxD8I53QG07VG/oLTQ43bC8SRhvUb5 - fWJ6q+TfXD7lk11IKAXnaR6SU/G1fmfljyGCtOs2oWDqgQ== - =q3q0 - -----END PGP MESSAGE----- - fp: CCCA3F0D6E841833AC56DAED48E4E0C7613AAB14 - - created_at: "2024-10-18T14:07:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- + wcFMAyBxDD99NeTXAQ//Yge7OCX1RpS65Cm8HKofxmAGQqU9plLTRnxvZHg1dmMZ + HNpZGQMLBJqR6zSZQQenzSj542k0FJBoZFggbqXmATQUpD7Mw73IaADlvOhUbB1x + qsO1UD/uukOHIxbbBkq6+d/OtN5+u+gSMs/3jEF8Hn5G+UWacm6F9lxWabKus6U/ + 7eOI/yIzQa1KNz+wIRKzaMe0Fn9COt94C1HJuBfyVFI6hzU49lhxs1crM293n3iN + DwZuouB5Xabt3o9diWDlL3SRG1IqL6nHkLFR5X5ax7HHic22Q7f5nxYw8Fa6LJM3 + vn/xNe2Be4N5RjnZWWcCu1VmU6J18/MLHAFaEohkFVdmHa855w+ACDfIU7W9TugA + BYbiZ42dUFwwjddWsDS6ckOwesrYswloBkyXQ/Mnx0I5PqsTo2G5tl4I2vgtJqXW + zha8QEt+9Hoxl9w1HP1HUAz3j+4kru2NzOXQT9G/ncGjdOUbJ0rsh3OWbF4h4VTP + 
SOrD19TXn8dkM5lVNL6Hl6LDj748eB2lLojPqDC9E2I+Bd5ShYduTwNQNsPoqq3T + egn/LgWmXju5j8FE9FTw5sV0jLkFGRnhPwAY/QgKNqc+C+hfJkm0ctrsUA7U8wfa + IuXUpNCvJZPsB0qcBQj9C+qz/Q8zmtAbkCArqxjRwK4P1Ph+849KxdGZwpIwsmLS + UQEM4QbknTmaS9+ELMnzbQbxKx6C6XJM55XxD8I53QG07VG/oLTQ43bC8SRhvUb5 + fWJ6q+TfXD7lk11IKAXnaR6SU/G1fmfljyGCtOs2oWDqgQ== + =q3q0 + -----END PGP MESSAGE----- + fp: CCCA3F0D6E841833AC56DAED48E4E0C7613AAB14 + - created_at: "2024-10-18T14:07:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcFMA6Kr4c7HLrmXAQ//Wd4Jz7ovcKGddrvnvCj+feAuvf7rP69aXzT0cQFcWv5b - SWIxPCGzjYz6idkJov0gWDe3RjRRqB70a48dQrRbOl0XxoZ2rW5WF3kNnAacuskn - AM8lrZME0mjDvZUFOdjcYtDl2fexHqBR4Gmd2zsDSUn5yjbzOFT7oXOfdk0hSbU2 - qO8+L3aDUkzHw7r5/Aizl3tC0Sj1nM4Il2QLr9mYVYhDCz4XMa9Ks6dQZ7BAcKON - 31BriHjErZgPLhaacKkQQifw3i7366N693WbbbC+r3ZKUqAYTjn/sWofRsM98oUW - 8pV16wAHIJEyjnZ6O9JeLkBc/nJ1s/l2uzl8NHyhkkKMjlDVF+T6mWe+AZda6Ry9 - ZOpUBO6Sw5AaokwMkZQtLg5fJJ87cO6/RoxK33Xinaz1wS99gOs1yaFkKVttACNW - 7uMPSLmaGIqQu9LJS7UD98jodWqzdTf9g+Z7MEnAUYIsbBDYy4xL5By9dy/tGw1Q - WudrXj5HVmTHkUUS4zTbvnbAP1Tgd6iPQAYIUxqW28HCbsP3d4X+CPXKfJmDHX/y - ItyKgKk3sx/JMp5Jp1FbUlhOqID0yXLAZLvH64cDYB5buO1TRJ/F180R3cwjsjan - G97NA3zvBJl8snUUU4Ym3g1vafU//q7Wh2U4yu/LOSLyk9jxdWJs/9tNT24HJWzS - UQGGQLmct1BTuekCcrBnEabGRkx7qf36CaM6dYjO/3/jhlQy0xiwHBIrv4u/FsHu - L4eMQaxksmj/puHjb6X5RH5CrGJ8FtdQnIuKk3mmrsUuhg== - =nQR5 - -----END PGP MESSAGE----- - fp: DF71497C07110D584ED5D379CB3A922F8FAE3D50 - - created_at: "2024-10-18T14:07:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- + wcFMA6Kr4c7HLrmXAQ//Wd4Jz7ovcKGddrvnvCj+feAuvf7rP69aXzT0cQFcWv5b + SWIxPCGzjYz6idkJov0gWDe3RjRRqB70a48dQrRbOl0XxoZ2rW5WF3kNnAacuskn + AM8lrZME0mjDvZUFOdjcYtDl2fexHqBR4Gmd2zsDSUn5yjbzOFT7oXOfdk0hSbU2 + qO8+L3aDUkzHw7r5/Aizl3tC0Sj1nM4Il2QLr9mYVYhDCz4XMa9Ks6dQZ7BAcKON + 31BriHjErZgPLhaacKkQQifw3i7366N693WbbbC+r3ZKUqAYTjn/sWofRsM98oUW + 8pV16wAHIJEyjnZ6O9JeLkBc/nJ1s/l2uzl8NHyhkkKMjlDVF+T6mWe+AZda6Ry9 + ZOpUBO6Sw5AaokwMkZQtLg5fJJ87cO6/RoxK33Xinaz1wS99gOs1yaFkKVttACNW + 
7uMPSLmaGIqQu9LJS7UD98jodWqzdTf9g+Z7MEnAUYIsbBDYy4xL5By9dy/tGw1Q + WudrXj5HVmTHkUUS4zTbvnbAP1Tgd6iPQAYIUxqW28HCbsP3d4X+CPXKfJmDHX/y + ItyKgKk3sx/JMp5Jp1FbUlhOqID0yXLAZLvH64cDYB5buO1TRJ/F180R3cwjsjan + G97NA3zvBJl8snUUU4Ym3g1vafU//q7Wh2U4yu/LOSLyk9jxdWJs/9tNT24HJWzS + UQGGQLmct1BTuekCcrBnEabGRkx7qf36CaM6dYjO/3/jhlQy0xiwHBIrv4u/FsHu + L4eMQaxksmj/puHjb6X5RH5CrGJ8FtdQnIuKk3mmrsUuhg== + =nQR5 + -----END PGP MESSAGE----- + fp: DF71497C07110D584ED5D379CB3A922F8FAE3D50 + - created_at: "2024-10-18T14:07:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcFMA/o5Gaf/w6e6AQ//d+lU/7DXzyMV55wiryTyZsJE9F9hsxdGaSiyeBBiSpdr - JjJb+a6sMSGhtv5YWhh1D1xXfyLJwJaEdFVeFp2KBNHT3RQQF4onzPEIJt9wfnI4 - mzsiAx7PBZaL0wvMA38hDTa8PlNp0e9o+0o3FdW2fXSe0hXjoD/TUFEFhr4UDIWr - dG6cwB35AIJhmhvQ7kpBSNksFkmGdxrcH2oqWqJfXDVnhQLV9g1jYFdd4DybynXn - e2P4I82B2iuK1YZhieaNXWnNJjcVp+qi9LAblyWwQ8Wv9x46Apl5tcXjhkITAHug - 5dqp4u8JrZr8KvecpjlJWHkwqQvKfIRcvXi27oYfkomUu3Xnvi2iLBJ0BZt+kOmP - VL5RL1LvUTas4p0Kd+vjclrsaHO0E0cYX3Mh7A9nRx6Qeq2N5HhdctfWpvhBAqXK - zQW9EOhQy6U8hSNbeLA1gsddfgd8T9Seaq1uCU2l+LrMhmj5m2zLVrP+xvKghPC2 - hYZN7ol7j2+u+phHpAKT6oeB36EuiG7o/lhfQfXoHYHjmOx4SgCcCCP5JMtIZUYI - G8PkSCMRkcWI47PbzdMSD4Je7T4FOKV8mLGnUQGfzxOIqsyN9va3/Ru/mUbyW0+7 - crZWDnqv4E894dMZAHE2BLXaj9hOAo6Ha9JJkuNIFk+T7oBzQ/UD/2COO9vASobS - UQF275juqlq1QKO35u0x4oWeIWHZZREBI0q4Lhyn0/5MEmf8UdiK4gxHa3YVNm2n - 3iQo5dzg0S2lSwKjKwr5+3CNpwgK/Qmirnp5usqNQTRpdg== - =57Jg - -----END PGP MESSAGE----- - fp: 5AAE7807A91FBAA7A5DB246B52A2E96A7268BCCE - - created_at: "2024-10-18T14:07:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- + wcFMA/o5Gaf/w6e6AQ//d+lU/7DXzyMV55wiryTyZsJE9F9hsxdGaSiyeBBiSpdr + JjJb+a6sMSGhtv5YWhh1D1xXfyLJwJaEdFVeFp2KBNHT3RQQF4onzPEIJt9wfnI4 + mzsiAx7PBZaL0wvMA38hDTa8PlNp0e9o+0o3FdW2fXSe0hXjoD/TUFEFhr4UDIWr + dG6cwB35AIJhmhvQ7kpBSNksFkmGdxrcH2oqWqJfXDVnhQLV9g1jYFdd4DybynXn + e2P4I82B2iuK1YZhieaNXWnNJjcVp+qi9LAblyWwQ8Wv9x46Apl5tcXjhkITAHug + 5dqp4u8JrZr8KvecpjlJWHkwqQvKfIRcvXi27oYfkomUu3Xnvi2iLBJ0BZt+kOmP + 
VL5RL1LvUTas4p0Kd+vjclrsaHO0E0cYX3Mh7A9nRx6Qeq2N5HhdctfWpvhBAqXK + zQW9EOhQy6U8hSNbeLA1gsddfgd8T9Seaq1uCU2l+LrMhmj5m2zLVrP+xvKghPC2 + hYZN7ol7j2+u+phHpAKT6oeB36EuiG7o/lhfQfXoHYHjmOx4SgCcCCP5JMtIZUYI + G8PkSCMRkcWI47PbzdMSD4Je7T4FOKV8mLGnUQGfzxOIqsyN9va3/Ru/mUbyW0+7 + crZWDnqv4E894dMZAHE2BLXaj9hOAo6Ha9JJkuNIFk+T7oBzQ/UD/2COO9vASobS + UQF275juqlq1QKO35u0x4oWeIWHZZREBI0q4Lhyn0/5MEmf8UdiK4gxHa3YVNm2n + 3iQo5dzg0S2lSwKjKwr5+3CNpwgK/Qmirnp5usqNQTRpdg== + =57Jg + -----END PGP MESSAGE----- + fp: 5AAE7807A91FBAA7A5DB246B52A2E96A7268BCCE + - created_at: "2024-10-18T14:07:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wV4Ds9lh1tfJlukSAQdA5N+OT46r3WXl1+SgPtsBczmpZh30HUgs5HFhOd1DplMw - je3IDclFJMQBHXjiI+WeixW6vXjmFqAYx64Dyh5UqG3rsF+NdsTPErGWBtxR3KjO - 0lEBZ8/pvFkQeMfcQ2d8TLClsQ7tgm/iCnnc98cWmIn7I6PIXtEmIRNCiRBt2d9l - JhrdBNvLQ5y7oNhMLSd3DrYxcuH2LRiUoyayLiy+thsR0z8= - =H9hd - -----END PGP MESSAGE----- - fp: 6A413E28286599A84595529EB2F65CBDF1C65D3A - - created_at: "2024-10-18T14:07:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- + wV4Ds9lh1tfJlukSAQdA5N+OT46r3WXl1+SgPtsBczmpZh30HUgs5HFhOd1DplMw + je3IDclFJMQBHXjiI+WeixW6vXjmFqAYx64Dyh5UqG3rsF+NdsTPErGWBtxR3KjO + 0lEBZ8/pvFkQeMfcQ2d8TLClsQ7tgm/iCnnc98cWmIn7I6PIXtEmIRNCiRBt2d9l + JhrdBNvLQ5y7oNhMLSd3DrYxcuH2LRiUoyayLiy+thsR0z8= + =H9hd + -----END PGP MESSAGE----- + fp: 6A413E28286599A84595529EB2F65CBDF1C65D3A + - created_at: "2024-10-18T14:07:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcFMA2VTGvlVjirjAQ//YiR/sq+oqLJtJ4mvEw1S5idPNJJwh2WG1FbT1NQHrA9/ - qAJpU5bbGmh9vnXGGSzMX4hjfZxR0pG6s7nPkywTkQO4yJuu6cKXL1R6hBk3Y9BO - agNIOYYidy9Fp1+2bYtnE4pdXNECBjNX6IuCSOMyOddHju4sMHbKubusstYGB7YQ - ws0opjsWS8OWDXM0/4HkVvh77hKHEBP54Bd+wgq5BtK/FcZN//m6LiZCpyGOyJ7v - 1RNGKWvxGN4OdcuZtWZHK+wSfQ7eDNVSSm173CarVMU4+1nXsRKxHp5mYQJcjr0+ - Tclkr2Iequ9sUYAtmMvPCqClk9XOSBjXdlunjEW6waQjgXYB778AIqeWYRW7r5wr - 9lF4ddSfg/1a2FfQm2WkQ3MgGfIpMMm1JlhFSJ2O02Vg86OjMYUajvjeBYTyLr/L - bTqHycgXK3kP0qtckS2z3oMsIIe/XQsktT1NInUQ2EtGVOw8MsdK8TL/PgPGhS2f - 
nX25MJUB/iD70wZl+qpMXnC8pPqHkh0FwIxvnLOOBZml1Wq+HSBFINl7ShZGuDOw - xOI+oheixontxpc2WQ8YoqJD4jWVgPhIqxSVhnXgO1QldENSueCbvDOvJP330jPz - PqhCaDtRDvtsPIgyUYGoPSSjJagaqck+P74gXjtqirnBicj/TRiO9bV3BRaR9i/S - UQHeGXUpIfBF+EmS4XxevCEBTZwVnrwXSXl1esphRNZh6eTKWDiff2IcbgibE/vr - fcWIkdPaRM/6U2TAfm/nFRYy0mNic3uIL7JqdHAu7eU/yw== - =PhkS - -----END PGP MESSAGE----- - fp: D48108A56B0EB04A40DEE96775676F49EAFAA9CA - - created_at: "2024-10-18T14:07:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- + wcFMA2VTGvlVjirjAQ//YiR/sq+oqLJtJ4mvEw1S5idPNJJwh2WG1FbT1NQHrA9/ + qAJpU5bbGmh9vnXGGSzMX4hjfZxR0pG6s7nPkywTkQO4yJuu6cKXL1R6hBk3Y9BO + agNIOYYidy9Fp1+2bYtnE4pdXNECBjNX6IuCSOMyOddHju4sMHbKubusstYGB7YQ + ws0opjsWS8OWDXM0/4HkVvh77hKHEBP54Bd+wgq5BtK/FcZN//m6LiZCpyGOyJ7v + 1RNGKWvxGN4OdcuZtWZHK+wSfQ7eDNVSSm173CarVMU4+1nXsRKxHp5mYQJcjr0+ + Tclkr2Iequ9sUYAtmMvPCqClk9XOSBjXdlunjEW6waQjgXYB778AIqeWYRW7r5wr + 9lF4ddSfg/1a2FfQm2WkQ3MgGfIpMMm1JlhFSJ2O02Vg86OjMYUajvjeBYTyLr/L + bTqHycgXK3kP0qtckS2z3oMsIIe/XQsktT1NInUQ2EtGVOw8MsdK8TL/PgPGhS2f + nX25MJUB/iD70wZl+qpMXnC8pPqHkh0FwIxvnLOOBZml1Wq+HSBFINl7ShZGuDOw + xOI+oheixontxpc2WQ8YoqJD4jWVgPhIqxSVhnXgO1QldENSueCbvDOvJP330jPz + PqhCaDtRDvtsPIgyUYGoPSSjJagaqck+P74gXjtqirnBicj/TRiO9bV3BRaR9i/S + UQHeGXUpIfBF+EmS4XxevCEBTZwVnrwXSXl1esphRNZh6eTKWDiff2IcbgibE/vr + fcWIkdPaRM/6U2TAfm/nFRYy0mNic3uIL7JqdHAu7eU/yw== + =PhkS + -----END PGP MESSAGE----- + fp: D48108A56B0EB04A40DEE96775676F49EAFAA9CA + - created_at: "2024-10-18T14:07:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA/CESpP6bvPkAQf+JhQqPXBjmhiDumytjjqyw6Dfwbynqd4fS5WxPCthhvs8 - dMCV/QgyeNx1Ysxvul5ZRnLuJtb/rFbJJOp4OVFqMo37mV9oBR+yTSsE5Rn34uUb - RZracZOR3TuD9WWPX+P6RWxHS/FiW9z8GFEZeizhxPMEIDhid6nicUy4VkGB0BZY - 4cxX6UtbTFJErzIkRtdRrPzb0ogCe64BxaapwOP5BJpjBLN4SXT3SkAdBScYfoez - rdsHLlaNIitQqYOK9Z5aop2wHibZwkaNS6xmu0FTHxp2D+p0gWeHc+57xGuOwsds - f2GWzjZl3XKl5xu9PRg1dQW8bn6XcxyzHfH9mpGA/NJRAYcO1DKlqvBzKUEv6T/U - fW1bYKs40C/1n9gkiZJZROwUX99zgXacqkqVUXf+3DmgaUiOFhtx7+T3aBtSUfKb - Ti+H6Z6tjVGOBco0BF/IOYGq - =AmGg 
- -----END PGP MESSAGE----- - fp: B6829414FCD33331EBD08EC3F70112A73CB97C21 - - created_at: "2024-10-18T14:07:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- + wcBMA/CESpP6bvPkAQf+JhQqPXBjmhiDumytjjqyw6Dfwbynqd4fS5WxPCthhvs8 + dMCV/QgyeNx1Ysxvul5ZRnLuJtb/rFbJJOp4OVFqMo37mV9oBR+yTSsE5Rn34uUb + RZracZOR3TuD9WWPX+P6RWxHS/FiW9z8GFEZeizhxPMEIDhid6nicUy4VkGB0BZY + 4cxX6UtbTFJErzIkRtdRrPzb0ogCe64BxaapwOP5BJpjBLN4SXT3SkAdBScYfoez + rdsHLlaNIitQqYOK9Z5aop2wHibZwkaNS6xmu0FTHxp2D+p0gWeHc+57xGuOwsds + f2GWzjZl3XKl5xu9PRg1dQW8bn6XcxyzHfH9mpGA/NJRAYcO1DKlqvBzKUEv6T/U + fW1bYKs40C/1n9gkiZJZROwUX99zgXacqkqVUXf+3DmgaUiOFhtx7+T3aBtSUfKb + Ti+H6Z6tjVGOBco0BF/IOYGq + =AmGg + -----END PGP MESSAGE----- + fp: B6829414FCD33331EBD08EC3F70112A73CB97C21 + - created_at: "2024-10-18T14:07:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wV4DbYZvvToLQQASAQdAHxylgCv1qMYDCASdjbEkI8f9UsmwziBWviTUnc0qdy8w - QevW4NGKGL9lS82vc6HZK9xUZ98b9PPzbTAMUKFBk44QoH7kvCg0fNJsyXpqc6Ls - 0lEBH89t8LmtLwC6LM0Fk0uBq2QxYg4ReoeBJaSZgNSrh6JDDGQcL+AcKxN180Oy - bIHqs4XCBnHgRpMg6FxVJ+O/wm8pWOsnPn86lNkmi9q4+NY= - =t6eV - -----END PGP MESSAGE----- - fp: 92842ACE52D2B8C77F9A59662AAB6EE5E2C8EE71 - encrypted_regex: ^(data|stringData)$ - version: 3.8.1 + wV4DbYZvvToLQQASAQdAHxylgCv1qMYDCASdjbEkI8f9UsmwziBWviTUnc0qdy8w + QevW4NGKGL9lS82vc6HZK9xUZ98b9PPzbTAMUKFBk44QoH7kvCg0fNJsyXpqc6Ls + 0lEBH89t8LmtLwC6LM0Fk0uBq2QxYg4ReoeBJaSZgNSrh6JDDGQcL+AcKxN180Oy + bIHqs4XCBnHgRpMg6FxVJ+O/wm8pWOsnPn86lNkmi9q4+NY= + =t6eV + -----END PGP MESSAGE----- + fp: 92842ACE52D2B8C77F9A59662AAB6EE5E2C8EE71 + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 From 96ec45b8319718d777d449e0e4633d42d226364e Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Wed, 30 Oct 2024 15:34:09 +0100 Subject: [PATCH 33/41] feat(promtail): limit log scraping to some namespaces Signed-off-by: Jan Schoone --- prod/monitoring/installation/values-workload.yaml | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/prod/monitoring/installation/values-workload.yaml b/prod/monitoring/installation/values-workload.yaml index d81a797..5401c79 100644 --- a/prod/monitoring/installation/values-workload.yaml +++ b/prod/monitoring/installation/values-workload.yaml @@ -45,6 +45,13 @@ data: promtail: extraArgs: - -client.external-labels=cluster=moin-cluster + config: + snippets: + extraScrapeConfigs: | + - action: keep + source_labels: + - __meta_kubernetes_namespace + regex: capo-system|capi-system|capi-kamaji-control-plane-system|cso-system|cspo-system kube-prometheus-stack: prometheus: From 2b9483f71cee95bb156f4d8019aa0396246cc49f Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Wed, 30 Oct 2024 15:54:05 +0100 Subject: [PATCH 34/41] feat(promtail): limit log scraping to some namespaces Signed-off-by: Jan Schoone --- .../installation/values-workload.yaml | 81 +++++++++++++++++-- 1 file changed, 76 insertions(+), 5 deletions(-) diff --git a/prod/monitoring/installation/values-workload.yaml b/prod/monitoring/installation/values-workload.yaml index 5401c79..d2bacaf 100644 --- a/prod/monitoring/installation/values-workload.yaml +++ b/prod/monitoring/installation/values-workload.yaml 
@@ -47,11 +47,82 @@ data: - -client.external-labels=cluster=moin-cluster config: snippets: - extraScrapeConfigs: | - - action: keep - source_labels: - - __meta_kubernetes_namespace - regex: capo-system|capi-system|capi-kamaji-control-plane-system|cso-system|cspo-system + scrapeConfig: | + # See also https://github.com/grafana/loki/blob/master/production/ksonnet/promtail/scrape_config.libsonnet for reference + - job_name: kubernetes-pods + pipeline_stages: + - cri: {} + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_controller_name + regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})? + action: replace + target_label: __tmp_controller_name + - source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_name + - __meta_kubernetes_pod_label_app + - __tmp_controller_name + - __meta_kubernetes_pod_name + regex: ^;*([^;]+)(;.*)?$ + action: replace + target_label: app + - source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_instance + - __meta_kubernetes_pod_label_instance + regex: ^;*([^;]+)(;.*)?$ + action: replace + target_label: instance + - source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_component + - __meta_kubernetes_pod_label_component + regex: ^;*([^;]+)(;.*)?$ + action: replace + target_label: component + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: node_name + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + replacement: $1 + separator: / + source_labels: + - namespace + - app + target_label: job + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: pod + - action: replace + source_labels: + - __meta_kubernetes_pod_container_name + target_label: container + - action: replace + replacement: /var/log/pods/*$1/*.log + separator: / + source_labels: + - __meta_kubernetes_pod_uid + - __meta_kubernetes_pod_container_name + target_label: __path__ + - action: 
replace + regex: true/(.*) + replacement: /var/log/pods/*$1/*.log + separator: / + source_labels: + - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash + - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash + - __meta_kubernetes_pod_container_name + target_label: __path__ + - action: keep + source_labels: + - __meta_kubernetes_namespace + regex: capo-system|capi-system|capi-kamaji-control-plane-system|cso-system|cspo-system kube-prometheus-stack: prometheus: From ad0325f76eff6cf2fde146bebc00eb7ed485264d Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Wed, 30 Oct 2024 16:30:36 +0100 Subject: [PATCH 35/41] chore(monitoring): bump version Signed-off-by: Jan Schoone --- prod/monitoring/installation/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/prod/monitoring/installation/helmrelease.yaml b/prod/monitoring/installation/helmrelease.yaml index 6644464..968dd6c 100644 --- a/prod/monitoring/installation/helmrelease.yaml +++ b/prod/monitoring/installation/helmrelease.yaml @@ -10,7 +10,7 @@ spec: spec: chart: dnation-kubernetes-monitoring-stack reconcileStrategy: ChartVersion - version: 3.6.1 + version: 3.6.2 sourceRef: kind: HelmRepository name: dnation-cloud From 362b3d813eba15fc7f2ad2fda38294f75ebfddd1 Mon Sep 17 00:00:00 2001 From: Jan Schoone Date: Fri, 1 Nov 2024 06:19:33 +0100 Subject: [PATCH 36/41] fix(monitoring): typo Signed-off-by: Jan Schoone --- prod/monitoring/installation/values-workload.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/prod/monitoring/installation/values-workload.yaml b/prod/monitoring/installation/values-workload.yaml index d2bacaf..dceb35d 100644 --- a/prod/monitoring/installation/values-workload.yaml +++ b/prod/monitoring/installation/values-workload.yaml 
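Review bot: The `keep` item at the end of the new `scrapeConfig` matches `__meta_kubernetes_namespace` against `capo-system|capi-system|capi-kamaji-control-plane-system|cso-system|cspo-system`, and relabel regexes are fully anchored. A pod is therefore scraped only when its namespace equals one of those five names exactly, and a provider running under any other namespace name is dropped without an error, so the list should be checked against the namespaces actually deployed. It also stops logs from namespaces such as `flux-system` reaching Loki, which removes them from later investigation of reconciliation or decryption failures. If that is intended, say so in a comment above the rule; otherwise extend it, e.g. `regex: capo-system|capi-system|capi-kamaji-control-plane-system|cso-system|cspo-system|flux-system`. The rest of the job looks like a copy of the upstream default referenced in the comment, so it will need re-syncing on chart upgrades.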
@@ -119,11 +119,10 @@ data:
 - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash
 - __meta_kubernetes_pod_container_name
 target_label: __path__
- - action: keep
- source_labels:
- - __meta_kubernetes_namespace
- regex: capo-system|capi-system|capi-kamaji-control-plane-system|cso-system|cspo-system
-
+ - action: keep
+ source_labels:
+ - __meta_kubernetes_namespace
+ regex: capo-system|capi-system|capi-kamaji-control-plane-system|cso-system|cspo-system
 kube-prometheus-stack:
 prometheus:
 prometheusSpec:
From cad14f997d08956a3622d842f4fec187aa090e8f Mon Sep 17 00:00:00 2001
From: Jan Schoone
Date: Thu, 7 Nov 2024 10:28:48 +0100
Subject: [PATCH 37/41] chore(kyverno): remove kubernetes 1.28 for allowed workload cluster versions
Signed-off-by: Jan Schoone
---
 kyverno/config/k8s-version.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kyverno/config/k8s-version.yaml b/kyverno/config/k8s-version.yaml
index a301302..dda1f37 100644
--- a/kyverno/config/k8s-version.yaml
+++ b/kyverno/config/k8s-version.yaml
@@ -15,6 +15,6 @@ spec:
 deny:
 conditions:
 all:
- - key: "{{ semver_compare( trim_prefix('{{ request.object.spec.topology.version }}', 'v'),'1.28.6 || 1.28.7 || 1.28.8 || 1.28.9 || 1.28.10 || 1.28.11 || 1.28.12 || 1.28.13 || 1.29.3 || 1.29.4 || 1.29.5 || 1.29.6 || 1.29.7 || 1.29.8 || 1.30.1 || 1.30.2 || 1.30.3 || 1.30.4 || 1.31.0') }}"
+ - key: "{{ semver_compare( trim_prefix('{{ request.object.spec.topology.version }}', 'v'),'1.29.3 || 1.29.4 || 1.29.5 || 1.29.6 || 1.29.7 || 1.29.8 || 1.29.9 || 1.30.1 || 1.30.2 || 1.30.3 || 1.30.4 || 1.31.0') }}"
 operator: Equals
 value: false
From c8241d89910768c3c01da01b7250a2cf8a7c9568 Mon Sep 17 00:00:00 2001
From: Paul Hildebrandt
Date: Thu, 7 Nov 2024 19:38:14 +0100
Subject: [PATCH 38/41] bump cluster-gen version
Signed-off-by: Paul Hildebrandt
---
 prod/cluster-gen/installation/helmrelease.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
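Review bot: The allow-list inside the `semver_compare` key enumerates individual patch releases, so every new Kubernetes patch needs its own commit (patches 39/41 and 40/41 edit this same line) and a gap is easy to miss: after this change the list jumps from 1.30.4 to 1.31.0, and 1.29.9 is added although the subject only mentions removing 1.28. If the intent is "any supported patch of 1.29 to 1.31", ranges would be less error-prone, for example `'>=1.29.3 <1.30.0 || >=1.30.1 <1.31.0 || 1.31.0'`; if the list has to mirror the published cluster stacks, a comment above the condition saying so would help. The rule's match block and failure action lie outside the hunk, so it is not visible here how a Cluster with no `spec.topology.version`, or with a value that is not valid semver, is handled; that case should end in a deny rather than an evaluation error.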
diff --git a/prod/cluster-gen/installation/helmrelease.yaml b/prod/cluster-gen/installation/helmrelease.yaml
index 03eaa4b..3d049c9 100644
--- a/prod/cluster-gen/installation/helmrelease.yaml
+++ b/prod/cluster-gen/installation/helmrelease.yaml
@@ -30,4 +30,4 @@ spec:
 retries: -1
 targetNamespace: cluster-gen
 values:
- image: registry.scs.community/cluster-gen/cluster-gen:v0.0.2
+ image: registry.scs.community/cluster-gen/cluster-gen:v0.0.8
From fc38a5b8d745099be214c016e294972f46f3d5bf Mon Sep 17 00:00:00 2001
From: Jan Schoone
Date: Fri, 8 Nov 2024 11:55:30 +0100
Subject: [PATCH 39/41] chore(kyverno): allow to deploy clusters on 1.29.10
Signed-off-by: Jan Schoone
---
 kyverno/config/k8s-version.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kyverno/config/k8s-version.yaml b/kyverno/config/k8s-version.yaml
index dda1f37..62e3264 100644
--- a/kyverno/config/k8s-version.yaml
+++ b/kyverno/config/k8s-version.yaml
@@ -15,6 +15,6 @@ spec:
 deny:
 conditions:
 all:
- - key: "{{ semver_compare( trim_prefix('{{ request.object.spec.topology.version }}', 'v'),'1.29.3 || 1.29.4 || 1.29.5 || 1.29.6 || 1.29.7 || 1.29.8 || 1.29.9 || 1.30.1 || 1.30.2 || 1.30.3 || 1.30.4 || 1.31.0') }}"
+ - key: "{{ semver_compare( trim_prefix('{{ request.object.spec.topology.version }}', 'v'),'1.29.3 || 1.29.4 || 1.29.5 || 1.29.6 || 1.29.7 || 1.29.8 || 1.29.9 || 1.29.10 || 1.30.1 || 1.30.2 || 1.30.3 || 1.30.4 || 1.31.0') }}"
 operator: Equals
 value: false
From 4f168f5be176c1bf8cfe27493db64a8379e802e6 Mon Sep 17 00:00:00 2001
From: Jan Schoone
Date: Wed, 13 Nov 2024 22:36:56 +0100
Subject: [PATCH 40/41] chore(kyverno): allow to deploy clusters on 1.30.6
Signed-off-by: Jan Schoone
---
 kyverno/config/k8s-version.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kyverno/config/k8s-version.yaml b/kyverno/config/k8s-version.yaml
index 62e3264..2cf5718 100644
--- a/kyverno/config/k8s-version.yaml
+++ b/kyverno/config/k8s-version.yaml
@@ -15,6 +15,6 @@ spec:
 deny:
 conditions:
 all:
- - key: "{{ semver_compare( trim_prefix('{{ request.object.spec.topology.version }}', 'v'),'1.29.3 || 1.29.4 || 1.29.5 || 1.29.6 || 1.29.7 || 1.29.8 || 1.29.9 || 1.29.10 || 1.30.1 || 1.30.2 || 1.30.3 || 1.30.4 || 1.31.0') }}"
+ - key: "{{ semver_compare( trim_prefix('{{ request.object.spec.topology.version }}', 'v'),'1.29.3 || 1.29.4 || 1.29.5 || 1.29.6 || 1.29.7 || 1.29.8 || 1.29.9 || 1.29.10 || 1.30.1 || 1.30.2 || 1.30.3 || 1.30.4 || 1.30.5 || 1.30.6 || 1.31.0') }}"
 operator: Equals
 value: false
From 91a4a0562e684d3d44518e9b2d6a148ce0746280 Mon Sep 17 00:00:00 2001
From: Jan Schoone
Date: Wed, 20 Nov 2024 08:23:51 +0100
Subject: [PATCH 41/41] chore(rbac): cleanup cluster admins
Signed-off-by: Jan Schoone
---
 .../config/cluster-admins-clusterrolebinding.yaml | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/prod/k8s/config/cluster-admins-clusterrolebinding.yaml b/prod/k8s/config/cluster-admins-clusterrolebinding.yaml
index 15ca559..cd8c437 100644
--- a/prod/k8s/config/cluster-admins-clusterrolebinding.yaml
+++ b/prod/k8s/config/cluster-admins-clusterrolebinding.yaml
@@ -7,12 +7,6 @@ roleRef:
 kind: ClusterRole
 name: cluster-admin
 subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: "oidc:SovereignCloudStack:cluster-admins"
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: "oidc:SovereignCloudStack:vp06a"
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: "oidc:SovereignCloudStack:vp06c"
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: "oidc:SovereignCloudStack:cluster-admins"
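Review bot: The one remaining subject still grants `cluster-admin` to every member of the OIDC group `oidc:SovereignCloudStack:cluster-admins`, and nothing in the file records where that membership is managed or who reviews it. A comment above `subjects:` such as `# Membership is managed in the OIDC provider; every member gets cluster-admin.` would make the scope of the grant explicit. Dropping `vp06a` and `vp06c` only takes effect once this binding is reconciled on the cluster, so confirm the change has been applied and that neither group holds `cluster-admin` through another binding; bindings outside this file are not visible in the hunk.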