Installer: migrate internal services to *.p.{domain}
diff --git a/helmfile/users/helmfile.yaml b/helmfile/users/helmfile.yaml
index 75d62ee..0ab0ed4 100644
--- a/helmfile/users/helmfile.yaml
+++ b/helmfile/users/helmfile.yaml
@@ -76,19 +76,26 @@
- 53: {{ .Values.id }}-app-pihole/pihole-dns-tcp:53
- name: certificate-issuer
chart: ../../charts/certificate-issuer
- namespace: {{ .Values.certManagerNamespace }} # {{ .Values.id }}-ingress-private
+ namespace: {{ .Values.id }}-ingress-private
createNamespace: true
values:
+ - certManager:
+ namespace: cert-manager
+ gandiWebhookSecretReader: cert-manager-webhook-gandi
- public:
name: {{ .Values.id }}-public
server: https://acme-v02.api.letsencrypt.org/directory
+ domain: {{ .Values.domain }}
stagingServer: https://acme-staging-v02.api.letsencrypt.org/directory
contactEmail: {{ .Values.contactEmail }}
ingressClass: nginx
- private:
name: {{ .Values.id }}-private
- domain: {{ .Values.id }}
+ server: https://acme-v02.api.letsencrypt.org/directory
+ domain: p.{{ .Values.domain }}
+ contactEmail: {{ .Values.contactEmail }}
ingressClassName: {{ .Values.id }}-ingress-private
+ gandiAPIToken: {{ .Values.gandiAPIToken }}
- name: core-auth-storage # TODO(giolekva): merge with core-auth
chart: bitnami/postgresql
version: 10.13.5
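Review bot: The templated scalars added to the private issuer values, in particular `gandiAPIToken: {{ .Values.gandiAPIToken }}`, are unquoted; helmfile renders the Go template to text before the YAML parse, so an empty expansion yields `null` and a boolean- or number-looking token is retyped. Quoting them, `gandiAPIToken: "{{ .Values.gandiAPIToken }}"` and `domain: "p.{{ .Values.domain }}"`, keeps them strings regardless of content. The new `certManager.namespace: cert-manager` is hard-coded while the line this hunk removes read the namespace from `{{ .Values.certManagerNamespace }}`; if that value is still defined elsewhere the two can drift, so `namespace: {{ .Values.certManagerNamespace }}` would be consistent. Passing the Gandi token as a plain release value also means it lands in the Helm release secret (visible via `helm get values`), which is worth a one-line comment next to the key so the scope of that credential is explicit.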
@@ -142,17 +149,13 @@
enabled: true
className: {{ .Values.id }}-ingress-private
hosts:
- - host: kratos.{{ .Values.id }}
+ - host: kratos.p.{{ .Values.domain }}
paths:
- path: /
pathType: Prefix
- annotations:
- cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
- acme.cert-manager.io/http01-edit-in-place: "true"
tls:
- hosts:
- - kratos.{{ .Values.id }}
- secretName: cert-kratos.{{ .Values.id }}
+ - kratos.p.{{ .Values.domain }}
public:
enabled: true
className: nginx
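Review bot: The private `tls` entry for `kratos.p.{{ .Values.domain }}` no longer has a `secretName`, and the `cert-manager.io/cluster-issuer` annotation is removed, so the `{{ .Values.id }}-ingress-private` controller will serve its default certificate for this host. That only yields a valid chain if the controller's default certificate is set to the one the certificate-issuer release now requests for `p.{{ .Values.domain }}`; otherwise clients get the controller's fallback self-signed certificate and nothing in this hunk makes that dependency visible. A comment on the `tls:` block, `# no secretName: relies on the private ingress controller's default certificate for p.{{ .Values.domain }}`, would record the assumption. The same applies to the hydra private ingress hunk ending at the `hydra.p.{{ .Values.domain }}` tls host.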
@@ -161,9 +164,9 @@
paths:
- path: /
pathType: Prefix
- annotations:
- cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
- acme.cert-manager.io/http01-edit-in-place: "true"
+ # annotations:
+ # cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
+ # acme.cert-manager.io/http01-edit-in-place: "true"
tls:
- hosts:
- accounts.{{ .Values.domain }}
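Review bot: The cluster-issuer and http01-edit-in-place annotations are commented out rather than deleted, which leaves dead configuration in the values block; the removed lines are preserved in git history, so deleting them reads cleaner. If the intent is to keep them as a quick toggle for per-ingress certificates on the public side, a one-line comment above them saying so, e.g. `# kept for per-host ACME issuance; certificates now come from the certificate-issuer release`, would explain why they remain. The same commented-out block appears in the hydra public ingress hunk that ends at `hydra.{{ .Values.domain }}`.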
@@ -188,7 +191,7 @@
- https://{{ .Values.domain }}
- https://*.{{ .Values.domain }}
admin:
- base_url: https://kratos.{{ .Values.id }}/
+ base_url: https://kratos.p.{{ .Values.domain }}/
selfservice:
default_browser_return_url: https://accounts-ui.{{ .Values.domain }}
whitelisted_return_urls:
@@ -302,17 +305,13 @@
enabled: true
className: {{ .Values.id }}-ingress-private
hosts:
- - host: hydra.{{ .Values.id }}
+ - host: hydra.p.{{ .Values.domain }}
paths:
- path: /
pathType: Prefix
- annotations:
- cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
- acme.cert-manager.io/http01-edit-in-place: "true"
tls:
- hosts:
- - hydra.{{ .Values.id }}
- secretName: cert-hydra.{{ .Values.id }}
+ - hydra.p.{{ .Values.domain }}
public:
enabled: true
className: nginx
@@ -321,9 +320,9 @@
paths:
- path: /
pathType: Prefix
- annotations:
- cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
- acme.cert-manager.io/http01-edit-in-place: "true"
+ # annotations:
+ # cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
+ # acme.cert-manager.io/http01-edit-in-place: "true"
tls:
- hosts:
- hydra.{{ .Values.domain }}
@@ -362,7 +361,7 @@
# host: localhost
cors:
allowed_origins:
- - https://hydra.{{ .Values.id }}
+ - https://hydra.p.{{ .Values.domain }}
tls:
allow_termination_from:
- 0.0.0.0/0
@@ -399,7 +398,7 @@
certificateIssuer: {{ .Values.id }}-public
ingressClassName: nginx
domain: {{ .Values.domain }}
- internalDomain: {{ .Values.id }}
+ internalDomain: p.{{ .Values.domain }}
nebula:
lighthouse:
name: ui-lighthouse
@@ -466,7 +465,7 @@
hydraAdmin: http://hydra-admin
hydraPublic: https://hydra.{{ .Values.domain }}
clientId: matrix
- clientSecret: ""
+ clientSecret: {{ .Values.matrixOAuth2ClientSecret }}
secretName: oauth2-client
- postgresql:
host: postgres
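Review bot: `clientSecret: {{ .Values.matrixOAuth2ClientSecret }}` is unquoted, so a user secrets file that lacks this key renders `clientSecret:` which parses as `null`, a different type from the `""` this line replaces; a secret that happens to look numeric would likewise be retyped. Quoting the expansion, `clientSecret: "{{ .Values.matrixOAuth2ClientSecret }}"`, keeps it a string in both cases. The surrounding release values start before this hunk.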
diff --git a/helmfile/users/secrets.shveli.yaml b/helmfile/users/secrets.shveli.yaml
index b611f29..77740f8 100644
--- a/helmfile/users/secrets.shveli.yaml
+++ b/helmfile/users/secrets.shveli.yaml
@@ -1,30 +1,32 @@
-piholeOAuth2ClientSecret: ENC[AES256_GCM,data:UIfnS8t5,iv:aB6RI+rmst/nQsMpPlJ6IchMinPjpTmHbsP9kRY/HeI=,tag:DNphtOeNz8hAzuDrkWOLvg==,type:str]
-piholeOAuth2CookieSecret: ENC[AES256_GCM,data:g2SWinNvxlkggX1SdV8CMHfZp6xz+46s+YLoH84rveU=,iv:wgW1rUtgJAw9XrshXeBCbwFAsGMwK8sctJ+t5xk8B4Q=,tag:zdulkLmSQ73U3aavZo2YHQ==,type:str]
+gandiAPIToken: ENC[AES256_GCM,data:H0ty9QYwOd/hLaTCb7gsAwJoPrzOr8tZ,iv:Q0SgKzxb27FnqSUj9xFkm3if2QuTcf8TTFuOqek0BKw=,tag:sIzh6EyU0S8YzdiXZRsOIw==,type:str]
+piholeOAuth2ClientSecret: ENC[AES256_GCM,data:B+Hf5nMk,iv:CFh7h7pvJle7cDt+kqg6T7K4rvjvZ1J7hob10gw1ZSo=,tag:1UR6WtAJ84GA371ScJ927Q==,type:str]
+piholeOAuth2CookieSecret: ENC[AES256_GCM,data:lIk/S8koxT7P7EMiWMjGYu7HdGxM21Ew/prbCRkWiJ4=,iv:rWzXCDKHnIAv05iz2YpkJBlP4RpJuCXxEWD+fU1g8d8=,tag:IFxnFw06Leh4UsvI2IvB4w==,type:str]
+matrixOAuth2ClientSecret: ENC[AES256_GCM,data:aMOeYkt5/RoQ9H+l0TiizMoDK0YJEVTEXU8ymcVwbeU=,iv:zA1vETe7Q5L9BxiXIcV/rsomMFcgtBWS+0Vr4UOehzY=,tag:AcEiY1O6LLVgocqwFUZIEg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
- lastmodified: "2021-11-10T10:26:30Z"
- mac: ENC[AES256_GCM,data:J4rVsVghKtOpFNI1H00f+60Q4iA8R9T1gcojyrbqpeVvFC69Vw1inzcICImCu5MqH8G6MmQ70ySQw3HP5lP0eRKwivyB2IXqaDznUsHfk36+vUXFoeY0NhR2kfpgEy91ccqvEfF0iKdzYlo/MOnngEsoHoJsyIqYIsKRB0ktN4A=,iv:B8JZtwYfpgCLDTCp1R6WPJUt8JGgoBXDOGuRLUm/3eE=,tag:lNPMfcdxW4jYxqDf4xMTJw==,type:str]
+ lastmodified: "2021-11-10T17:12:41Z"
+ mac: ENC[AES256_GCM,data:WglXHJLxcHMaNxCZhrgIqyX3J81M+bQbUNr7k44gYZ0zPIGnE9CntG+2Ua6QppncrHNjLuxLmdyGnNCQRdEZEH2vpLO6+vtL2uPV42K1OHs1xdtTeAcsoxyw+CJUe209C2XhWhCyPNxXqCPckB11M1z2V925VyutxuRj1qV/cyg=,iv:BeSFTZDrQvhE3wvMBPD9UEzo7KGUxrdflO2bKfyIqCg=,tag:AEOYZYeemflwSbqIhtKCmQ==,type:str]
pgp:
- - created_at: "2021-11-10T10:26:29Z"
+ - created_at: "2021-11-10T17:12:40Z"
enc: |
-----BEGIN PGP MESSAGE-----
- hQGMA8PXnOzdTLRzAQv6Akac2MgQCDyMyiEdUMN7tBWcHEacw5WOCbJgGvgkwbm9
- P0qRQp6zoxDE5wmeaSTz3VDk1vWRRl30t+QBUoqGk3KdSdG5E+2um4CBDmE2F6QL
- A5zDrfVdP9LKrfI5W42jt+yTiCdOOP56SSav/I7xqALmyToLE1Owfi71o1a1ZjZf
- j3Wh0YLlsrFc5ikadGTDxvqAYN5YxHiAA9C2c2giTCIkvE0ZyNfL3V58tjlcAc3e
- ZKTr3kygpiux/Pq8VjbAlWk8e+VQ1bC/x9hvqyegxH4pRE62OtDmUk7UEwLu1tbf
- KZZnxcM1FOoEDaBJNC5iplIV/2+jd9jSalzBhxQpnEOK9eYPlYosA8lVYQs5mhPe
- 5v1Nlt1RFFJb44JLknmFjrRMrVceFJ3t4/SGnSYT93zwlcXWNqFeuMSP9muSc+TU
- OmSx21AZuUj6MmCR26/mWLqg6KOIhz4Ze2/jS3jx/IX1LZY2N+59gZwAquiX/PSo
- 4nFBqmXnRfHL/EqULTLm0lwB//ofG/AahOECrATLIx4ywSgEbZJm4dggHSeay5G5
- QKNVqmFkmeGLQCzYJNxv+wjJmPOhLydQ09Tv/2AnfPSaw4IatX0aZbncOFPs/7jm
- dy5N2SJh7wGbkgs4XQ==
- =BaXl
+ hQGMA8PXnOzdTLRzAQv/V9Yx09TNDRNZhn44ov1pU1sx+z2zW7ESP1MD9flqkIJ2
+ +9LsjRAAaLayDRjdw42mSBK+IsnnMMkORe+/xGbsRoeBDSZu6Xk9neMUrpvn45uB
+ ICJ2/ejpPq4hew2O8cssZKHByerNAcWCNXULWDB9CigJm5s6Ohq9hY9RhFBIxzjK
+ wJ6MflskGseTmGoXjJ7tQmO78xQDWW+gAN5BhqvtA8JKDcBGjD+Gj2znxGICO/3v
+ 7NFZ//z05LU2zaLDQ0c+SI4JJMuumV2Vuhxl8jXSAdFyya1JBiyUef8E81c5oO3M
+ ybJLjKv8hGkytfb4mB7XEomTwLWWPdpg8YZbVAB7AFfKeaWraj3j7ScsijEdmg1C
+ LESbr9mDC1HvFMtwJ3TClv77lEE1iwcqY8w/YQHxhwePLapR8gzJF73ZPxPf8UxW
+ dEHHtN55cTTw48itQSY5agbGz6qYPM01ListEZ8m3QMEBHDI56iZVfJizHZ9B1TE
+ wH/iEQaR/4GsNRXsw3Ka0l4B1+FAVRuyZMUk0V53ctCB/6T40STXzHrYExPn8OH9
+ XGhQ8t++9iMu5ZSfFSBOqXt8pAIsVmdnNjOQBz67ffPmVVn8yC4RZJrLCjITED+G
+ RvBcMyZf5NxSlnp9Z5US
+ =K51p
-----END PGP MESSAGE-----
fp: 60584680BB48B3CE3FECFFBE7D1302EE361D316A
unencrypted_suffix: _unencrypted