Installer: introduce namespacePrefix, fix certificates, split matrix installation using pre-install hook
diff --git a/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml b/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml
index b3d1491..88cf405 100644
--- a/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml
+++ b/charts/certificate-issuer/templates/gandi-webhook-secret-reader.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: cert-manager-gandi-webhook-secret-reader
+  name: {{ .Release.Namespace }}-cert-manager-gandi-webhook-secret-reader  # TODO(giolekva): make namespace part configurable
   namespace: {{ .Release.Namespace }}
 rules:
 - apiGroups:
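Review bot: The `namespace:` field on this ClusterRole, and on the ClusterRoleBinding in the next hunk, has no effect because both kinds are cluster-scoped. Prefixing the name therefore gives every release its own cluster-wide grant rather than one confined to `{{ .Release.Namespace }}`. The rules lie outside the hunk, but if the reader only needs the Gandi token Secret in one namespace, a `Role` plus `RoleBinding` there, ideally restricted with `resourceNames`, would be the narrower fit. If cluster scope is really required, drop the misleading `namespace:` lines and say why in a comment above `kind: ClusterRole`.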
@@ -14,12 +14,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cert-manager-gandi-webhook-secret-reader
+  name: {{ .Release.Namespace }}-cert-manager-gandi-webhook-secret-reader
   namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cert-manager-gandi-webhook-secret-reader
+  name: {{ .Release.Namespace }}-cert-manager-gandi-webhook-secret-reader
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.certManager.gandiWebhookSecretReader }}
diff --git a/charts/certificate-issuer/templates/wildcard-certificate-private.yaml b/charts/certificate-issuer/templates/wildcard-certificate-private.yaml
index 408b76c..0300ce8 100644
--- a/charts/certificate-issuer/templates/wildcard-certificate-private.yaml
+++ b/charts/certificate-issuer/templates/wildcard-certificate-private.yaml
@@ -12,4 +12,4 @@
   secretName: cert-wildcard.{{ .Values.private.domain }}
   secretTemplate:
     annotations:
-      kubed.appscode.com/sync: "pcloud-instance-id={{ .Values.pcloudInstanceId }}"
+      kubed.appscode.com/sync: pcloud-instance-id={{ .Values.pcloudInstanceId }}
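Review bot: Dropping the quotes on the sync annotation removes the protection against an instance id that is empty or contains YAML-significant characters. It also makes this file differ from www-certificate-public.yaml, which keeps the quoted form. As kubed uses it, this selector decides which namespaces receive a copy of the wildcard key, so rendering should fail rather than emit `pcloud-instance-id=` with no value. Suggested form: `kubed.appscode.com/sync: "pcloud-instance-id={{ required "pcloudInstanceId is required" .Values.pcloudInstanceId }}"`.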
diff --git a/charts/certificate-issuer/templates/www-certificate-public.yaml b/charts/certificate-issuer/templates/www-certificate-public.yaml
index d6b4dc6..cb0c7ff 100644
--- a/charts/certificate-issuer/templates/www-certificate-public.yaml
+++ b/charts/certificate-issuer/templates/www-certificate-public.yaml
@@ -10,7 +10,7 @@
   issuerRef:
     name: {{ .Values.public.name }}
     kind: ClusterIssuer
-  secretName: cert-www.{{ .Values.private.domain }}
+  secretName: cert-www.{{ .Values.public.domain }}
   secretTemplate:
     annotations:
       kubed.appscode.com/sync: "pcloud-instance-id={{ .Values.pcloudInstanceId }}"
diff --git a/charts/matrix/Chart.yaml b/charts/matrix/Chart.yaml
index 40204e5..51cb744 100644
--- a/charts/matrix/Chart.yaml
+++ b/charts/matrix/Chart.yaml
@@ -1,24 +1,6 @@
 apiVersion: v2
 name: matrix
-description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+description: A Helm chart for Matrix on PCloud
 type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
+version: 0.0.1
+appVersion: "0.0.1"
diff --git a/charts/matrix/templates/config-to-merge.yaml b/charts/matrix/templates/config-to-merge.yaml
index ba18144..f74f0c0 100644
--- a/charts/matrix/templates/config-to-merge.yaml
+++ b/charts/matrix/templates/config-to-merge.yaml
@@ -6,6 +6,9 @@
 metadata:
   name: {{ .Values.oauth2.secretName }}
   namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "-10"
 data:
   client_id: {{ .Values.oauth2.clientId | b64enc  }}
   client_secret: {{ $secret | b64enc }}
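Review bot: Marking this Secret as a `pre-install` hook takes it out of the release's managed resources. Helm runs the hook only on install, so a rotated OAuth2 client secret in values is not applied by `helm upgrade`, and `helm uninstall` leaves the Secret behind in the namespace. The same applies to the ConfigMap in the next hunk and to the Role and RoleBinding hooks in matrix.yaml. If the early ordering is only needed for the generate-config Job, `helm.sh/hook: pre-install,pre-upgrade` would keep these objects current. The leftover objects should also be listed in the uninstall procedure.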
@@ -15,6 +18,9 @@
 metadata:
   name: {{ .Values.configMerge.configName }}
   namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "-10"
 data:
   {{ .Values.configMerge.fileName }}: |
     public_baseurl: https://matrix.{{ .Values.domain }}/
diff --git a/charts/matrix/templates/matrix.yaml b/charts/matrix/templates/matrix.yaml
index d9bd47f..e03223f 100644
--- a/charts/matrix/templates/matrix.yaml
+++ b/charts/matrix/templates/matrix.yaml
@@ -4,6 +4,9 @@
 metadata:
   name: CreateConfigMaps
   namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "-10"
 rules:
 - apiGroups:
   - ""
@@ -18,6 +21,9 @@
 metadata:
   name: default-CreateConfigMaps
   namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "-10"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -42,21 +48,32 @@
     targetPort: http
     protocol: TCP
 ---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: matrix.{{ .Values.domain }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/resource-policy: keep
+spec:
+  dnsNames:
+  - 'matrix.{{ .Values.domain }}'
+  issuerRef:
+    name: {{ .Values.certificateIssuer }}
+    kind: ClusterIssuer
+  secretName: cert-matrix.{{ .Values.domain }}
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: ingress
   namespace: {{ .Release.Namespace }}
-  annotations:
-    cert-manager.io/cluster-issuer: {{ .Values.certificateIssuer }}
-    acme.cert-manager.io/http01-edit-in-place: "true"
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
   tls:
   - hosts:
     - matrix.{{ .Values.domain }}
     secretName: cert-matrix.{{ .Values.domain }}
-    # secretName: cert-wildcard.{{ .Values.domain }}
   rules:
   - host: matrix.{{ .Values.domain }}
     http:
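Review bot: `helm.sh/resource-policy: keep` on the new Certificate has no comment, and its effect outlives the release. After uninstall, cert-manager will presumably keep renewing the `matrix.` host certificate, and the `cert-matrix.*` Secret holding the private key stays in the namespace. If the intent is to avoid re-issuance on reinstall, say so above the annotation, for example `# keep: avoid ACME re-issuance on reinstall; delete the Certificate and its Secret by hand when retiring the instance`. The Ingress body continues outside the hunk.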
@@ -74,6 +91,9 @@
 metadata:
   name: generate-config
   namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "-5"
 spec:
   template:
     metadata:
@@ -179,6 +199,9 @@
 metadata:
   name: data
   namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "-10"
 spec:
   accessModes:
     - ReadWriteOnce
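Review bot: The `data` PersistentVolumeClaim is now a hook with no `helm.sh/hook-delete-policy`, and as far as I can tell Helm's default for hooks is `before-hook-creation`. A later `helm install` of this chart into the same namespace would therefore delete the existing claim before creating the new one, which can discard the homeserver data depending on the storage class reclaim policy. Consider creating the claim outside this release, or keeping it a regular resource annotated `helm.sh/resource-policy: keep`. At minimum, document the reinstall behaviour next to the annotation. The PVC spec continues outside the hunk.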
diff --git a/charts/matrix/templates/well-known.yaml b/charts/matrix/templates/well-known.yaml
index 218e335..cd235cd 100644
--- a/charts/matrix/templates/well-known.yaml
+++ b/charts/matrix/templates/well-known.yaml
@@ -19,9 +19,6 @@
 metadata:
   name: well-known
   namespace: {{ .Release.Namespace }}
-  # annotations:
-  #   cert-manager.io/cluster-issuer: "{{ .Values.certificateIssuer }}"
-  #   acme.cert-manager.io/http01-edit-in-place: "true"
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
   tls:
diff --git a/charts/namespaces/templates/namespace.yaml b/charts/namespaces/templates/namespace.yaml
index 5ce22a0..af19d22 100644
--- a/charts/namespaces/templates/namespace.yaml
+++ b/charts/namespaces/templates/namespace.yaml
@@ -1,9 +1,10 @@
+{{ $prefix := .Values.namespacePrefix }}
 {{ $id := .Values.pcloudInstanceId }}
 {{ range .Values.namespaces }}
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ $id }}-{{ . }}
+  name: {{ $prefix }}{{ . }}
   labels:
     pcloud-instance-id: {{ $id }}
 ---
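Review bot: An unset or empty `namespacePrefix` now renders bare names such as `foo`, so two instances installed that way would share and relabel the same Namespace objects instead of being isolated. The old `{{ $id }}-` form at least kept a separator. Make the value mandatory on the first line: `{{ $prefix := required "namespacePrefix must be set" .Values.namespacePrefix }}`. A short comment in values.yaml noting that the prefix must include its trailing `-` would also help.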
diff --git a/charts/namespaces/values.yaml b/charts/namespaces/values.yaml
index d17d865..9cb3886 100644
--- a/charts/namespaces/values.yaml
+++ b/charts/namespaces/values.yaml
@@ -1,4 +1,5 @@
 pcloudInstanceId: example
+namespacePrefix: example-
 namespaces:
 - foo
 - bar
diff --git a/charts/pihole/templates/oauth2-client.yaml b/charts/pihole/templates/oauth2-client.yaml
index 3ad56b2..a0b1b11 100644
--- a/charts/pihole/templates/oauth2-client.yaml
+++ b/charts/pihole/templates/oauth2-client.yaml
@@ -11,7 +11,7 @@
   scope: "openid email profile"
   secretName: {{ .Values.oauth2.secretName }}
   redirectUris:
-  - https://pihole.p.{{ .Values.domain }}/oauth2/callback
+  - https://{{ .Values.domain }}/oauth2/callback
   hydraAdmin:
     url: {{ .Values.oauth2.hydraAdmin }}
     port: 80
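Review bot: `.Values.domain` now has to be the full pihole hostname, but nothing in the chart says so. A caller that still passes the base domain would register the OAuth2 callback on the apex here, scope the session cookie to the whole domain via `cookie_domains` in oauth2-proxy-config.yaml, and serve the Ingress on the apex in oauth2-proxy.yaml. Renaming the value, for example to `host`, would make the contract explicit. Failing that, add a comment in values.yaml such as `# domain: full hostname of the pihole UI, not the base domain`.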
diff --git a/charts/pihole/templates/oauth2-proxy-config.yaml b/charts/pihole/templates/oauth2-proxy-config.yaml
index 69a6448..04c6400 100644
--- a/charts/pihole/templates/oauth2-proxy-config.yaml
+++ b/charts/pihole/templates/oauth2-proxy-config.yaml
@@ -38,7 +38,7 @@
 
     cookie_name = "_oauth2_proxy_pihole"
     cookie_secret = "{{ .Values.oauth2.cookieSecret }}"
-    cookie_domains = "pihole.p.{{ .Values.domain }}"
+    cookie_domains = "{{ .Values.domain }}"
     cookie_expire = "168h"
     cookie_refresh = "100h"
     cookie_secure = true
diff --git a/charts/pihole/templates/oauth2-proxy.yaml b/charts/pihole/templates/oauth2-proxy.yaml
index b78490d..ddf0e2f 100644
--- a/charts/pihole/templates/oauth2-proxy.yaml
+++ b/charts/pihole/templates/oauth2-proxy.yaml
@@ -19,17 +19,13 @@
 metadata:
   name: ingress
   namespace: {{ .Release.Namespace }}
-  # annotations:
-  #   cert-manager.io/cluster-issuer: "{{ .Values.certificateIssuer }}"
-  #   acme.cert-manager.io/http01-edit-in-place: "true"
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
   tls:
   - hosts:
-    - pihole.p.{{ .Values.domain }}
-    # secretName: cert-pihole.{{ .Values.domain }}
+    - {{ .Values.domain }}
   rules:
-  - host: pihole.p.{{ .Values.domain }}
+  - host: {{ .Values.domain }}
     http:
       paths:
       - path: /
diff --git a/charts/pihole/values.yaml b/charts/pihole/values.yaml
index a7ced0b..65d1de4 100644
--- a/charts/pihole/values.yaml
+++ b/charts/pihole/values.yaml
@@ -5,10 +5,9 @@
   cookieSecret: ""
   secretName: oauth2-secret
   configName: oauth2-proxy
-domain: example.com
+domain: pihole.p.example.com
 hydraPublic: https://hydra.example.com
 profileUrl: https://profile.example.com
-certificateIssuer: public
-ingressClassName: public
+ingressClassName: private
 
 
diff --git a/charts/vaultwarden/templates/install.yaml b/charts/vaultwarden/templates/install.yaml
index 3b250bd..3305d6a 100644
--- a/charts/vaultwarden/templates/install.yaml
+++ b/charts/vaultwarden/templates/install.yaml
@@ -68,15 +68,11 @@
 metadata:
   name: ingress
   namespace: {{ .Release.Namespace }}
-  # annotations:
-  #   cert-manager.io/cluster-issuer: "{{ .Values.certificateIssuer }}"
-  #   acme.cert-manager.io/http01-edit-in-place: "true"
 spec:
   ingressClassName: {{ .Values.ingressClassName }}
   tls:
   - hosts:
     - {{ .Values.domain }}
-    # secretName: cert-{{ .Values.domain }}
   rules:
   - host: {{ .Values.domain }}
     http:
diff --git a/helmfile/users/helmfile.yaml b/helmfile/users/helmfile.yaml
index ae3840c..b2fae82 100644
--- a/helmfile/users/helmfile.yaml
+++ b/helmfile/users/helmfile.yaml
@@ -6,7 +6,7 @@
 
 helmDefaults:
   tillerless: true
-  waitForJobs: false
+  waitForJobs: true
   createNamespace: false
 
 releases:
@@ -16,6 +16,7 @@
   createNamespace: true
   values:
   - pcloudInstanceId: {{ .Values.id }}
+  - namespacePrefix: {{ .Values.namespacePrefix }}
   - namespaces:
       - app-maddy
       - app-matrix
@@ -25,7 +26,7 @@
       - ingress-private
 - name: vpn-mesh-config
   chart: ../../charts/vpn-mesh-config
-  namespace: {{ .Values.id }}-ingress-private
+  namespace: {{ .Values.namespacePrefix }}ingress-private
   values:
   - certificateAuthority:
       name: {{ .Values.id }}
@@ -37,7 +38,7 @@
 - name: ingress-private
   chart: ingress-nginx/ingress-nginx
   version: 4.0.3
-  namespace: {{ .Values.id }}-ingress-private
+  namespace: {{ .Values.namespacePrefix }}ingress-private
   values:
   - fullnameOverride: {{ .Values.id }}-nginx-private
   - controller:
@@ -83,16 +84,16 @@
         bind-address: 111.0.0.1
         proxy-body-size: 0
   - udp:
-      53: "{{ .Values.id }}-app-pihole/pihole-dns-udp:53"
+      53: "{{ .Values.namespacePrefix }}app-pihole/pihole-dns-udp:53"
   - tcp:
-      53: "{{ .Values.id }}-app-pihole/pihole-dns-tcp:53"
-      143: "{{ .Values.id }}-app-maddy/maddy:143"
-      465: "{{ .Values.id }}-app-maddy/maddy:465"
-      587: "{{ .Values.id }}-app-maddy/maddy:587"
-      993: "{{ .Values.id }}-app-maddy/maddy:993"
+      53: "{{ .Values.namespacePrefix }}app-pihole/pihole-dns-tcp:53"
+      143: "{{ .Values.namespacePrefix }}app-maddy/maddy:143"
+      465: "{{ .Values.namespacePrefix }}app-maddy/maddy:465"
+      587: "{{ .Values.namespacePrefix }}app-maddy/maddy:587"
+      993: "{{ .Values.namespacePrefix }}app-maddy/maddy:993"
 - name: certificate-issuer
   chart: ../../charts/certificate-issuer
-  namespace: {{ .Values.id }}-ingress-private
+  namespace: {{ .Values.namespacePrefix }}ingress-private
   values:
   - pcloudInstanceId: {{ .Values.id }}
   - certManager:
@@ -115,7 +116,7 @@
 - name: core-auth-storage  # TODO(giolekva): merge with core-auth
   chart: bitnami/postgresql
   version: 10.13.5
-  namespace: {{ .Values.id }}-core-auth
+  namespace: {{ .Values.namespacePrefix }}core-auth
   values:
   - fullnameOverride: postgres
   - image:
@@ -139,7 +140,7 @@
         runAsUser: 0
 - name: core-auth
   chart: ../../charts/auth
-  namespace: {{ .Values.id }}-core-auth
+  namespace: {{ .Values.namespacePrefix }}core-auth
   values:
   - kratos:
       fullnameOverride: kratos
@@ -348,6 +349,7 @@
         enabled: true
         hydraFullnameOverride: hydra
       hydra-maester:
+        fullnameOverride: {{ .Values.id }}-hydra-maester
         image:
           repository: giolekva/ory-hydra-maester
           tag: latest
@@ -425,10 +427,10 @@
           secretName: node-ui-cert
         certificateAuthority:
           name: {{ .Values.id }}
-          namespace: {{ .Values.id }}-ingress-private
+          namespace: {{ .Values.namespacePrefix }}ingress-private
 - name: vaultwarden
   chart: ../../charts/vaultwarden
-  namespace: {{ .Values.id }}-app-vaultwarden
+  namespace: {{ .Values.namespacePrefix }}app-vaultwarden
   values:
   - image:
       repository: vaultwarden/server
@@ -442,7 +444,7 @@
 - name: matrix-storage  # TODO(giolekva): merge with core-auth
   chart: bitnami/postgresql
   version: 10.13.5
-  namespace: {{ .Values.id }}-app-matrix
+  namespace: {{ .Values.namespacePrefix }}app-matrix
   values:
   - fullnameOverride: postgres
   - image:
@@ -457,7 +459,7 @@
         #!/bin/sh
         createdb -U postgres --encoding=UTF8 --locale=C --template=template0 --owner=postgres matrix
   - persistence:
-      size: 1Gi
+      size: {{ .Values.matrixStorageSize }}
   - securityContext:
       enabled: true
       fsGroup: 0
@@ -469,7 +471,7 @@
         runAsUser: 0
 - name: matrix
   chart: ../../charts/matrix
-  namespace: {{ .Values.id }}-app-matrix
+  namespace: {{ .Values.namespacePrefix }}app-matrix
   values:
   - domain: {{ .Values.domain }}
   - oauth2:
@@ -491,9 +493,9 @@
       fileName: to-merge.yaml
 - name: pihole
   chart: ../../charts/pihole
-  namespace: {{ .Values.id }}-app-pihole
+  namespace: {{ .Values.namespacePrefix }}app-pihole
   values:
-  - domain: {{ .Values.domain }}
+  - domain: pihole.p.{{ .Values.domain }}
   - pihole:
       image:
         repository: "pihole/pihole"
@@ -531,11 +533,10 @@
       hydraAdmin: http://hydra-admin
   - hydraPublic: https://hydra.{{ .Values.domain }}/
   - profileUrl: https://accounts-ui.{{ .Values.domain }}
-  - certificateIssuer: {{ .Values.id }}-private
   - ingressClassName: {{ .Values.id }}-ingress-private
 - name: maddy
   chart: ../../charts/maddy
-  namespace: {{ .Values.id }}-app-maddy
+  namespace: {{ .Values.namespacePrefix }}app-maddy
   values:
   - ingress:
       private:
@@ -558,8 +559,23 @@
     values:
     - pcloudEnvName: pcloud
     - id: shveli
+    - namespacePrefix: shveli-
     - domain: shve.li
     - contactEmail: giolekva@gmail.com
     - certManagerNamespace: cert-manager
-    - mxHostname: mx1.lekva.me
+    - mxHostname: mail.lekva.me
     - mailGatewayAddress: "tcp://maddy.pcloud-mail-gateway.svc.cluster.local:587"
+    - matrixStorageSize: 100Gi
+  lekva:
+    secrets:
+    - secrets.lekva.yaml
+    values:
+    - pcloudEnvName: pcloud
+    - id: lekva
+    - namespacePrefix: lekva-
+    - domain: lekva.me
+    - contactEmail: giolekva@gmail.com
+    - certManagerNamespace: cert-manager
+    - mxHostname: mail.lekva.me
+    - mailGatewayAddress: "tcp://maddy.pcloud-mail-gateway.svc.cluster.local:587"
+    - matrixStorageSize: 100Gi
diff --git a/helmfile/users/secrets.lekva.yaml b/helmfile/users/secrets.lekva.yaml
new file mode 100644
index 0000000..a355a12
--- /dev/null
+++ b/helmfile/users/secrets.lekva.yaml
@@ -0,0 +1,33 @@
+gandiAPIToken: ENC[AES256_GCM,data:GxZUH3fLSbPusqZqViv3cr/tBTmSgruZ,iv:+g6mmJglcieJyN2qwjHx8NkT2i1VK5xZA8uYiAIA23Y=,tag:aDLkDZ4r6ToYYHq54cZedQ==,type:str]
+piholeOAuth2ClientSecret: ENC[AES256_GCM,data:WZ6aWggy,iv:32Dg7r+SL2W35z/kDqkwKNevw+KFWR0VoisLJQ6kpUw=,tag:l/s1pHsK4M9Rh1FitXY4Jw==,type:str]
+piholeOAuth2CookieSecret: ENC[AES256_GCM,data:6ed1Px5QFkq3sc6K7cfPMYPd0KcAhLXIf2qZug5b+lM=,iv:RGn0z4Q2ygwCBF3z/8Y/vvQsSLycihi65LF//L0rbEU=,tag:ULKiC0XK7Uk8Ppv1Qs5tgw==,type:str]
+matrixOAuth2ClientSecret: ENC[AES256_GCM,data:A0cPpQ1Nt0speE36+6fDb9/5g7teW2x5+P/IThnDThA=,iv:REzjYKRJ9Kpa85dnDaeBNLODrAxBWVr7dwlyYO0J9Zw=,tag:P08EiiAO2qtVGmsIVIWt7A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-11-28T18:09:52Z"
+    mac: ENC[AES256_GCM,data:zOoZxh3/tJt70M7GM0mY0EMAPEGOOWm3Lk92hFk50H2XcBAX/mfZJ3jq26aULJDlktJIwxBkjLqXSQEXpJed96Wcr7SfB1u1lrtK5AyD1HrCNwtyBDX9Rbuf6SijKpjGxpXdPaQiGt1HvP9J7lA8BnuAXDBFR9RDOCgJ6T2gdU0=,iv:UIKEr0K/wDFJtOLegePubEb2SitU4w0Qv/rSNOD46X4=,tag:QBn5WAaDq+8+y0U5ucnFrg==,type:str]
+    pgp:
+        - created_at: "2021-11-28T18:09:51Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA8PXnOzdTLRzAQv+LzuGeNoPR+EFLfIbg0Ml05bFu//MT+0+1AEXzEEglyYU
+            /aXEXN1MPGRyy4WPN51bfnvMBD0WTDmFmyTM6R9dIaHdUeh+Cxm6zmn6U7yF/ciw
+            jhO2bCEmbPKCGyVueIPnZwF69CK2pwk7rQW29PTlnnGV4KcfKgHxIZwMufJcE4Le
+            7elr+uhkrmoHp9bYMmzCPPi/ugSlF5+UD+nf5ZcvnqHDpNeOdrhFDCzEkZPleH4i
+            1+HgELkgvLHooRCUVf51SyisDmyZFXFh80LSOZAKOUH3mHau9kSiWdEnfp8Vtx8v
+            2ofUltMYJ6TeVLyeUmmgmdDloSWfQNGu0tg9La/rnxL8vFHVT/wenZQSFRs+mPsA
+            zLwf8qM5ZFrmPtenqtioJX3X2N9KsNVRz6K99Yo5FJiqvAe1mLakDj+xTJRdQ3Kt
+            E9Ozuwoz7Ri/amwmCaEXttFxbONhAmegTdjQyQGP16XmKUNA3pOenQSLeKB5Tw5y
+            4mpCNeZefBqfR0ov9szF0l4BIvCJ+kv3Z7bG7fozyXDNmlJWUIwB5qt0v7ZPyt43
+            jyhMhARgY/ALlEdwvze5XE5hptv6/QyVSbhkbHou3e57kHGPY6BfIhOf8qxhWzuf
+            PUgEIks5sxhRZK/MZ7NY
+            =d6+Q
+            -----END PGP MESSAGE-----
+          fp: 60584680BB48B3CE3FECFFBE7D1302EE361D316A
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1
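Review bot: SOPS encrypts each value with AES-GCM, which preserves plaintext length, and the `piholeOAuth2ClientSecret` entry is visibly much shorter than the other three secrets in this file. A client secret that short offers little resistance to guessing. Generate it the same way as the cookie and matrix secrets, as a long random value, and re-encrypt. The file is also encrypted to a single PGP fingerprint, so losing that key means losing these values; a second recipient is worth adding.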