Compare commits


5 Commits

Author SHA1 Message Date
unkinben 9d4739505d feat(artifactapi): mount terraform registry signing key
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
Wires the GPG signing key the terraform provider registry needs into the api
deployment. The secret is mounted optional so the pod runs before it exists;
artifactapi leaves the registry disabled until a readable key is present.

- mount secret artifactapi-tf-signing at /etc/artifactapi/tf-signing (optional)
- set TF_SIGNING_KEY_PATH, and TF_SIGNING_KEY_PASSPHRASE from the secret's
  optional passphrase key

Create the secret out of band with an armored private key:
  kubectl -n artifactapi create secret generic artifactapi-tf-signing \
    --from-file=private-key.asc=./private-key.asc
2026-07-03 18:40:08 +10:00
unkinben 15225433e9 chore(artifactapi): deploy v3.7.3 (#215)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
## Why

artifactapi images `v3.7.3` are built and pushed to the registry, but au-syd1 is still running `v3.6.5`. This rolls the deployment forward to pick up the recent fixes.

## Changes

- `api-deployment`: `artifactapi` `v3.6.5` → `v3.7.3`
- `ui-deployment`: `artifactapi-ui` `v3.6.5` → `v3.7.3`

Included in v3.7.x since v3.6.5:
- Local-repo files now appear in the cached-objects UI (#99).
- Evicting a local RPM prunes its repodata metadata (#100).
- The bare domain redirects to the web UI at /ui (#101).

Reviewed-on: #215
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-03 15:14:28 +10:00
unkinben bbb9acba36 feat: add woodpecker service accounts for media terraform repos (#214)
Add Kubernetes ServiceAccounts in the woodpecker namespace for terraform-sonarr, terraform-radarr, and terraform-prowlarr CI pipelines.

Reviewed-on: #214
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 22:04:33 +10:00
benvin 48f32a044d fix: update TLSRoute to v1 (#213)
TLSRoutes are now in standard, no longer experimental

---------

Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #213
2026-06-28 17:50:27 +10:00
unkinben 7f1444fb38 Add Authentik identity provider deployment (#211)
## Summary
- Deploy Authentik (identity.unkin.net) via Helm chart 2026.5.3
- CNPG PostgreSQL cluster (3 instances) with separate rw/ro poolers (2 instances each)
- Redis with 5Gi persistent storage
- Gateway API for HTTPS (identity.unkin.net) and LDAPS (ldap.k8s.syd1.au.unkin.net, ldap.main.unkin.net)
- TLSRoute for LDAPS passthrough, HTTPRoute for external-dns record creation
- Vault secrets for postgres credentials, authentik secret key, and S3 storage credentials
- S3 storage via RadosGW (bucket: authentik)
- 3 server replicas, 2 worker replicas
- Woodpecker ServiceAccount for terraform-authentik CI
- Platform applicationset and project updated

## Dependencies
- terraform-git #15 (merged) — repo definition
- terraform-vault #78 (merged) — auth roles and Consul ACL

## Vault secrets needed before deploy
Write to `kv/kubernetes/namespace/authentik/default/`:
- `postgres-credentials`: username + password
- `authentik-credentials`: AUTHENTIK_SECRET_KEY
- `s3-credentials`: S3 access key + secret key

Reviewed-on: #211
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 17:42:49 +10:00
7 changed files with 43 additions and 3 deletions
+20 -1
@@ -35,7 +35,7 @@ spec:
mountPath: /combined-certs
containers:
- name: api
image: git.unkin.net/unkin/artifactapi:v3.6.5
image: git.unkin.net/unkin/artifactapi:v3.7.3
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8000
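Review bot: the new image reference `image: git.unkin.net/unkin/artifactapi:v3.7.3` is pinned by tag only, and with `imagePullPolicy: IfNotPresent` a node that already holds a layer cached under that tag will keep using it even if the tag is later re-pushed. Consider pinning the rollout by digest (`git.unkin.net/unkin/artifactapi:v3.7.3@sha256:<digest-from-registry>`) so that what was tested is exactly what runs.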
@@ -48,10 +48,25 @@ spec:
- secretRef:
name: environment
optional: false
env:
# Terraform provider registry signing. The secret is mounted
# optional, so the pod runs before it exists; artifactapi keeps the
# registry disabled until a readable key is present.
- name: TF_SIGNING_KEY_PATH
value: /etc/artifactapi/tf-signing/private-key.asc
- name: TF_SIGNING_KEY_PASSPHRASE
valueFrom:
secretKeyRef:
name: artifactapi-tf-signing
key: passphrase
optional: true
volumeMounts:
- name: combined-certs
mountPath: /etc/ssl/combined
readOnly: true
- name: tf-signing-key
mountPath: /etc/artifactapi/tf-signing
readOnly: true
livenessProbe:
failureThreshold: 3
httpGet:
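Review bot: `TF_SIGNING_KEY_PASSPHRASE` is injected as an environment variable, so it is readable by every process in the container (and ends up in `/proc/<pid>/environ` and crash dumps), which is a weaker place for a private-key passphrase than the key file itself. Since the same secret is already mounted at `/etc/artifactapi/tf-signing` via the `tf-signing-key` volume, reading the passphrase from a file in that mount would keep it off the environment, if artifactapi can consume it that way. The `optional: true` on the `secretKeyRef` is consistent with the volume being optional, so the pod will still start while the secret is absent.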
@@ -88,4 +103,8 @@ spec:
path: ca.crt
- name: combined-certs
emptyDir: {}
- name: tf-signing-key
secret:
secretName: artifactapi-tf-signing
optional: true
restartPolicy: Always
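Review bot: the `tf-signing-key` secret volume sets `optional: true` but no `defaultMode`, so `private-key.asc` is projected with the default file mode, which is world-readable inside the container. Add `defaultMode: 0400` (or `0440` with a matching `fsGroup`) under the `secret:` block so only the api process user can read the private key; the mount is already `readOnly: true`, so this only tightens read access.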
+1 -1
@@ -22,7 +22,7 @@ spec:
automountServiceAccountToken: true
containers:
- name: ui
image: git.unkin.net/unkin/artifactapi-ui:v3.6.5
image: git.unkin.net/unkin/artifactapi-ui:v3.7.3
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
+1 -1
@@ -1,5 +1,5 @@
---
apiVersion: gateway.networking.k8s.io/v1alpha2
apiVersion: gateway.networking.k8s.io/v1
kind: TLSRoute
metadata:
name: authentik-ldaps
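Review bot: the bump from `gateway.networking.k8s.io/v1alpha2` to `gateway.networking.k8s.io/v1` for `TLSRoute` only applies cleanly if the Gateway API CRD bundle installed in the cluster serves `tlsroutes` at `v1`; otherwise the apply fails and the existing `v1alpha2` object stays in place. Worth confirming the installed CRD version and that the kubeconform schema set used by the `ci/woodpecker/pr/kubeconform` pipeline covers `TLSRoute/v1`, so a passing pipeline actually reflects the cluster.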
+3
@@ -9,6 +9,9 @@ resources:
- serviceaccount_terraform_artifactapi.yaml
- serviceaccount_terraform_authentik.yaml
- serviceaccount_terraform_git.yaml
- serviceaccount_terraform_prowlarr.yaml
- serviceaccount_terraform_radarr.yaml
- serviceaccount_terraform_sonarr.yaml
- serviceaccount_terraform_vault.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
@@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-prowlarr
namespace: woodpecker
@@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-radarr
namespace: woodpecker
@@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-sonarr
namespace: woodpecker
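Review bot: none of the three new ServiceAccount manifests (`terraform-prowlarr`, `terraform-radarr`, `terraform-sonarr`) sets `automountServiceAccountToken: false`, so any pod that runs under them gets a projected API token mounted whether or not the pipeline uses the Kubernetes API. If these accounts exist only as identities for the Vault auth roles referenced in `vaultauth.yaml`, set `automountServiceAccountToken: false` on each and let the pipeline request a token explicitly; either way, a short comment in the manifest stating what the account is for would help the next reviewer, since no RoleBinding accompanies them here.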