Compare commits
5 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 4163bf80b3 | |||
| 1f4c0e11bb | |||
| 1f22ec2aa7 | |||
| 69788a967c | |||
| 5e7dc580b7 |
@@ -6,4 +6,5 @@ resources:
|
|||||||
- cluster.yaml
|
- cluster.yaml
|
||||||
- tsigkey.yaml
|
- tsigkey.yaml
|
||||||
- zones.yaml
|
- zones.yaml
|
||||||
|
- records.yaml
|
||||||
- acls.yaml
|
- acls.yaml
|
||||||
|
|||||||
@@ -0,0 +1,21 @@
|
|||||||
|
# Individually-managed authoritative records for the unkin.net zone.
|
||||||
|
# DNSRecords must live in the same namespace as their BindZone (the operator
|
||||||
|
# resolves zoneRef/clusterRef/updateKeyRef within the record's namespace), so
|
||||||
|
# these sit alongside the zone in bind-internal, not in the app namespace.
|
||||||
|
---
|
||||||
|
apiVersion: bind.unkin.net/v1alpha1
|
||||||
|
kind: DNSRecord
|
||||||
|
metadata:
|
||||||
|
# "internal" in the name distinguishes this from the external DNS that
|
||||||
|
# Authentik will manage its own records from later.
|
||||||
|
name: identity-dns-internal
|
||||||
|
namespace: bind-internal
|
||||||
|
spec:
|
||||||
|
zoneRef: unkin-net
|
||||||
|
name: identity
|
||||||
|
type: A
|
||||||
|
ttl: 600
|
||||||
|
values:
|
||||||
|
# traefik-internal gateway VIP; the authentik Gateway serves the
|
||||||
|
# identity.unkin.net hostname there.
|
||||||
|
- 198.18.200.4
|
||||||
@@ -21,6 +21,15 @@ spec:
|
|||||||
forwarders:
|
forwarders:
|
||||||
- 8.8.8.8
|
- 8.8.8.8
|
||||||
- 1.1.1.1
|
- 1.1.1.1
|
||||||
|
# The internal split-horizon zones are served UNSIGNED by the in-cluster
|
||||||
|
# authoritative, but their public parents publish DS records (e.g. unkin.net
|
||||||
|
# is DNSSEC-signed on the Internet). With dnssec-validation on, the validator
|
||||||
|
# sees "parent indicates secure" but gets an insecure answer and returns
|
||||||
|
# SERVFAIL (broken trust chain). Treat the forwarded internal domains as
|
||||||
|
# insecure so they are not validated. unkin.net covers all *.unkin.net
|
||||||
|
# (incl. k8s.syd1.au.unkin.net); 18.198.in-addr.arpa covers every reverse zone.
|
||||||
|
extraOptions:
|
||||||
|
- "validate-except { unkin.net; 18.198.in-addr.arpa; consul; }"
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
cpu: 20m
|
cpu: 20m
|
||||||
|
|||||||
@@ -13,7 +13,7 @@ metadata:
|
|||||||
name: bind-tsig-api
|
name: bind-tsig-api
|
||||||
namespace: bind-internal
|
namespace: bind-internal
|
||||||
spec:
|
spec:
|
||||||
image: git.unkin.net/unkin/bind-tsig-api:v0.2.1
|
image: git.unkin.net/unkin/bind-tsig-api:v0.2.2
|
||||||
replicas: 1
|
replicas: 1
|
||||||
port: 8443
|
port: 8443
|
||||||
# targetNamespace defaults to this resource's namespace (bind-internal), where
|
# targetNamespace defaults to this resource's namespace (bind-internal), where
|
||||||
|
|||||||
@@ -21,7 +21,7 @@ spec:
|
|||||||
runAsNonRoot: true
|
runAsNonRoot: true
|
||||||
containers:
|
containers:
|
||||||
- name: operator
|
- name: operator
|
||||||
image: git.unkin.net/unkin/bind-operator:v0.2.1
|
image: git.unkin.net/unkin/bind-operator:v0.2.2
|
||||||
args:
|
args:
|
||||||
- --metrics-bind-address=:8080
|
- --metrics-bind-address=:8080
|
||||||
- --health-probe-bind-address=:8081
|
- --health-probe-bind-address=:8081
|
||||||
|
|||||||
@@ -6,6 +6,6 @@ resources:
|
|||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
# CRDs are pulled from the bind-operator repo at the matching tag rather than
|
# CRDs are pulled from the bind-operator repo at the matching tag rather than
|
||||||
# vendored here, so they never drift from the operator.
|
# vendored here, so they never drift from the operator.
|
||||||
- https://git.unkin.net/unkin/bind-operator/raw/tag/v0.2.1/config/crd/install.yaml
|
- https://git.unkin.net/unkin/bind-operator/raw/tag/v0.2.2/config/crd/install.yaml
|
||||||
- rbac.yaml
|
- rbac.yaml
|
||||||
- deployment.yaml
|
- deployment.yaml
|
||||||
|
|||||||
@@ -6,3 +6,20 @@ metadata:
|
|||||||
namespace: argocd
|
namespace: argocd
|
||||||
data:
|
data:
|
||||||
kustomize.buildOptions: "--enable-helm"
|
kustomize.buildOptions: "--enable-helm"
|
||||||
|
# External URL ArgoCD serves on (TLS terminated at the traefik-internal gateway).
|
||||||
|
url: https://argocd.k8s.syd1.au.unkin.net
|
||||||
|
# OIDC login via Authentik. The client secret is seeded in Vault out of band
|
||||||
|
# and surfaced as the `argocd-oidc` Secret (labelled part-of=argocd) by VSO;
|
||||||
|
# `$argocd-oidc:client_secret` resolves the key from that Secret.
|
||||||
|
oidc.config: |
|
||||||
|
name: Authentik
|
||||||
|
issuer: https://identity.unkin.net/application/o/argocd/
|
||||||
|
clientID: argocd
|
||||||
|
clientSecret: $argocd-oidc:client_secret
|
||||||
|
requestedScopes:
|
||||||
|
- openid
|
||||||
|
- profile
|
||||||
|
- email
|
||||||
|
requestedIDTokenClaims:
|
||||||
|
groups:
|
||||||
|
essential: true
|
||||||
|
|||||||
@@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: argocd-cmd-params-cm
|
||||||
|
namespace: argocd
|
||||||
|
data:
|
||||||
|
# argocd-server serves plain HTTP; TLS is terminated at the traefik-internal
|
||||||
|
# gateway in front of it. Required so the gateway can route to port 80.
|
||||||
|
server.insecure: "true"
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: default
|
||||||
|
namespace: argocd
|
||||||
|
spec:
|
||||||
|
method: kubernetes
|
||||||
|
mount: k8s/au/syd1
|
||||||
|
vaultConnectionRef: vso-system/default
|
||||||
|
allowedNamespaces:
|
||||||
|
- argocd
|
||||||
|
kubernetes:
|
||||||
|
role: default
|
||||||
|
serviceAccount: default
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
tokenExpirationSeconds: 600
|
||||||
@@ -0,0 +1,23 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: argocd-oidc
|
||||||
|
namespace: argocd
|
||||||
|
spec:
|
||||||
|
vaultAuthRef: default
|
||||||
|
mount: kv
|
||||||
|
type: kv-v2
|
||||||
|
# Seeded out of band; same secret is read by terraform-authentik to configure
|
||||||
|
# the provider's client_secret. Key: client_secret.
|
||||||
|
path: kubernetes/namespace/argocd/default/oauth-credentials
|
||||||
|
refreshAfter: 5m
|
||||||
|
hmacSecretData: true
|
||||||
|
destination:
|
||||||
|
name: argocd-oidc
|
||||||
|
create: true
|
||||||
|
overwrite: true
|
||||||
|
# ArgoCD only resolves `$secret:key` references against Secrets carrying
|
||||||
|
# this label.
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/part-of: argocd
|
||||||
@@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: argocd-rbac-cm
|
||||||
|
namespace: argocd
|
||||||
|
data:
|
||||||
|
# Match RBAC subjects against the `groups` claim from Authentik.
|
||||||
|
scopes: "[groups]"
|
||||||
|
# Authenticated users with no matching group get read-only access.
|
||||||
|
policy.default: role:readonly
|
||||||
|
# Authentik group -> ArgoCD role.
|
||||||
|
policy.csv: |
|
||||||
|
g, argocd-admins, role:admin
|
||||||
@@ -0,0 +1,39 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: Gateway
|
||||||
|
metadata:
|
||||||
|
name: argocd-server
|
||||||
|
namespace: argocd
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: argocd-server
|
||||||
|
app.kubernetes.io/instance: argocd
|
||||||
|
traefik.io/instance: internal
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: vault-issuer
|
||||||
|
cert-manager.io/common-name: argocd.k8s.syd1.au.unkin.net
|
||||||
|
cert-manager.io/private-key-size: "4096"
|
||||||
|
external-dns.alpha.kubernetes.io/hostname: argocd.k8s.syd1.au.unkin.net
|
||||||
|
external-dns.alpha.kubernetes.io/target: 198.18.200.4
|
||||||
|
spec:
|
||||||
|
gatewayClassName: traefik-internal
|
||||||
|
listeners:
|
||||||
|
- name: http
|
||||||
|
port: 80
|
||||||
|
protocol: HTTP
|
||||||
|
hostname: argocd.k8s.syd1.au.unkin.net
|
||||||
|
allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
- name: https
|
||||||
|
port: 443
|
||||||
|
protocol: HTTPS
|
||||||
|
hostname: argocd.k8s.syd1.au.unkin.net
|
||||||
|
allowedRoutes:
|
||||||
|
namespaces:
|
||||||
|
from: Same
|
||||||
|
tls:
|
||||||
|
mode: Terminate
|
||||||
|
certificateRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Secret
|
||||||
|
name: argocd-server-tls
|
||||||
@@ -0,0 +1,55 @@
|
|||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: argocd-server-http-redirect
|
||||||
|
namespace: argocd
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: argocd-server
|
||||||
|
app.kubernetes.io/instance: argocd
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- argocd.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: argocd-server
|
||||||
|
sectionName: http
|
||||||
|
rules:
|
||||||
|
- filters:
|
||||||
|
- type: RequestRedirect
|
||||||
|
requestRedirect:
|
||||||
|
scheme: https
|
||||||
|
statusCode: 301
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
|
---
|
||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: argocd-server
|
||||||
|
namespace: argocd
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: argocd-server
|
||||||
|
app.kubernetes.io/instance: argocd
|
||||||
|
spec:
|
||||||
|
hostnames:
|
||||||
|
- argocd.k8s.syd1.au.unkin.net
|
||||||
|
parentRefs:
|
||||||
|
- group: gateway.networking.k8s.io
|
||||||
|
kind: Gateway
|
||||||
|
name: argocd-server
|
||||||
|
sectionName: https
|
||||||
|
rules:
|
||||||
|
- backendRefs:
|
||||||
|
- group: ""
|
||||||
|
kind: Service
|
||||||
|
name: argocd-server
|
||||||
|
port: 80
|
||||||
|
weight: 1
|
||||||
|
matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
@@ -7,12 +7,25 @@ resources:
|
|||||||
- https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
|
- https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
|
||||||
- au-syd1-apps.yaml
|
- au-syd1-apps.yaml
|
||||||
- argocd-self-app.yaml
|
- argocd-self-app.yaml
|
||||||
|
# Authentik OIDC: expose argocd-server and wire the client secret from Vault.
|
||||||
|
- argocd-server-gateway.yaml
|
||||||
|
- argocd-server-httproute.yaml
|
||||||
|
- argocd-oidc-vaultauth.yaml
|
||||||
|
- argocd-oidc-vaultstaticsecret.yaml
|
||||||
|
|
||||||
patches:
|
patches:
|
||||||
- path: argocd-cm-patch.yaml
|
- path: argocd-cm-patch.yaml
|
||||||
target:
|
target:
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
name: argocd-cm
|
name: argocd-cm
|
||||||
|
- path: argocd-rbac-cm-patch.yaml
|
||||||
|
target:
|
||||||
|
kind: ConfigMap
|
||||||
|
name: argocd-rbac-cm
|
||||||
|
- path: argocd-cmd-params-cm-patch.yaml
|
||||||
|
target:
|
||||||
|
kind: ConfigMap
|
||||||
|
name: argocd-cmd-params-cm
|
||||||
- path: argocd-tls-certs-patch.yaml
|
- path: argocd-tls-certs-patch.yaml
|
||||||
target:
|
target:
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
|
|||||||
Reference in New Issue
Block a user