fix(k8s/infra): split infrastructure into controllers and configs stages
ClusterIssuer dry-run fails because cert-manager CRDs are not yet installed when the single infrastructure Kustomization is applied. Split into infrastructure-controllers (Helm charts that install CRDs) and infrastructure-configs (CRD-dependent resources like ClusterIssuer) with a dependency between them.
@@ -0,0 +1,5 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: authelia
|
||||
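--- a/kubernetes/infrastructure/controllers/authelia/pvc.yaml
+++ b/kubernetes/infrastructure/controllers/authelia/pvc.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: authelia-data
+  namespace: authelia
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: nfs-synology-ssd
+  resources:
+    requests:
+      storage: 1Gi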
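--- a/kubernetes/infrastructure/controllers/authelia/release.yaml
+++ b/kubernetes/infrastructure/controllers/authelia/release.yaml
@@ -0,0 +1,74 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authelia
+  namespace: flux-system
+spec:
+  chart:
+    spec:
+      chart: authelia
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: authelia
+        namespace: flux-system
+      version: 0.10.49
+  interval: 1m0s
+  targetNamespace: authelia
+  values:
+    pod:
+      kind: Deployment
+      extraVolumes:
+        - name: authelia-config
+          configMap:
+            name: authelia-config
+        - name: authelia-data
+          persistentVolumeClaim:
+            claimName: authelia-data
+        - name: authelia-custom-secrets
+          secret:
+            secretName: authelia-secrets
+            items:
+              - key: OIDC_ISSUER_PRIVATE_KEY
+                path: OIDC_ISSUER_PRIVATE_KEY
+              - key: SMTP_PASSWORD
+                path: SMTP_PASSWORD
+      extraVolumeMounts:
+        - name: authelia-config
+          mountPath: /configuration.yaml
+          subPath: configuration.yml
+        - name: authelia-config
+          mountPath: /users_database.yml
+          subPath: users_database.yml
+        - name: authelia-data
+          mountPath: /data
+        - name: authelia-custom-secrets
+          mountPath: /secrets
+          readOnly: true
+    ingress:
+      enabled: true
+      certManager: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+      tls:
+        enabled: true
+        secret: authelia-tls
+      traefikCRD:
+        enabled: true
+        disableIngressRoute: true
+        middlewares:
+          auth:
+            authResponseHeaders:
+              - Remote-User
+              - Remote-Groups
+              - Remote-Email
+              - Remote-Name
+    configMap:
+      disabled: true
+      session:
+        cookies:
+          - subdomain: auth
+            domain: ${AUTHELIA_DOMAIN}
+    secret:
+      existingSecret: authelia-secrets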
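Review bot: The two `authelia-config` mounts under `extraVolumeMounts` use `subPath`, and Kubernetes does not refresh subPath-mounted ConfigMap files when the ConfigMap changes, so edits to `configuration.yml` or `users_database.yml` will not reach the running pod until it is restarted. If that is acceptable, say so with a comment above `extraVolumeMounts`, e.g. `# subPath mounts are not live-updated; roll the Deployment after changing authelia-config`; otherwise mount the ConfigMap as a directory and point Authelia at it. Separately, this HelmRelease lives in `flux-system` with `targetNamespace: authelia`, while the cert-manager and traefik releases in this commit are created in their own namespaces — pick one convention for the controllers stage. The ingress annotation `cert-manager.io/cluster-issuer: letsencrypt` points at the ClusterIssuer the description moves to the configs stage, so the authelia certificate will sit pending until that stage reconciles; harmless, but worth a one-line comment next to the annotation.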
@@ -0,0 +1,9 @@
|
||||
---
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: authelia
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 1m0s
|
||||
url: https://charts.authelia.com/
|
||||
@@ -0,0 +1,27 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: authelia-secrets
|
||||
namespace: authelia
|
||||
stringData:
|
||||
OIDC_ISSUER_PRIVATE_KEY: ENC[AES256_GCM,data:PDGGuupGLm3L44/aIuaWSK9122fqKWbXEMyDu8Q0H+kRrJYZMyWHW348Gt7423MS0gfEt0EcCmi78me9UGZgI1Xv3EmYvLQwetaOQ5/IKvD6AjbxK1V4+v+vsE/Se8jur2GrKzQBHQ+NSXrAQ/txpXD1ptczKPX5HTiZPsYjm/AFCtV+NKLIAHeHsl8vMjib56S9USXwVkra09GhrGJ74JWB46zFQC9ClJQgM2jpGMgZpa9LVwVIBrp2njrcWGxyJsZ75F3uKFIikXuRRQatezT4tXkdom4TLwI7V8E4mcTjelIRpMVmIDcLtuDRmi/6sv7Tq2I8uzRB2KugS5bvB1t3t0VPczCgoGol3Dm/NYYqCRkhyYyqWjNLIMzrhWQhLOu3wmjyShU6KDecLW7pwtdw0esgRT3ed2F0fvhe5YWRL7kB035RA/rCsi2qjEgU/a4nYtuV6LDTZBvsqZe0tca62GawexqwVyeGdebW6w4CMgYD3ZaUNV9CpVTidnKweID9nYSoHUEKsEAIVI6SuCiYYhm0CXl9rHdRGA9YmDXcJLjgvbMjkcBqOVzWzZW6Q70KwLdlpA1rtrM30tNW4Sw4NMqHM+g1xpXTJf3gTroBTukWnSlpef43n16Lq07j59Z3A8O0omYacFKm7smMBpppQ6zaSi1813EMcvo98qqGvZQtuSt76ZsiZRlddmcrEx5j0JijQ8xIAwf1+en7f6Tqaf72wDypIzOrFGPfJo+aYk8sGF716fbOrl6ERpMTVjqxCf2gW9SgFT276I5V6J7zLAggltmCiykt88Wfzwrhav18NOw1FPzumI4qg+0wFfpg/4BmCo3fUY0LRyA+zuZB3r3MYvlYolGhunZiSiESXoz9wEJM+l3VE+Mdha3ONaUrF/iEm2LnFgb0nEzM/pk8SuzXofBrE44CvxW46jy5fG6+6koFTBaifLmZGWiFSLUeQ5XMpYtqICAUTSWigz9RhKBeFNVIj091Knqkznpa9f1N6INODz4hduoJH7jViERdYIz1IfE8XWLJ1RXMHm1zE/cqX7CAIuj9GBSzP23XjpZDzpQ93Au+RkLBcamDRwCHKc0nGk0Rru6Jea48PYKF3DUq62SAcc46suKHA4+zho0EWEqI96CUhK4ll6jsfOUUQxjrt/h2ic80Eqic+R655dS2rOs5OsKXRILmGkPEFvKWrXmfT0o9TgKLNANBjCZxo+3zZ4Jjr7n7t0+zgKxgpq5wDj+fEANmU7jJ1VUNqvJfRdVmuj/brjhp86DgNJKq0IonImN9PKbY7KblhEyhRAjdA1jM+mqSaezSLiZ8ombDvd1XUYVs6aZD5VIiu4Q+f+SW/f170jdoz2icG/FPZz08pAYTEAuXM43/cVbiD1bW1qqgMCPvreUJPsag5j7+/RvO0Mey3QL3xc1XbnxE7SaOwCKl0ejyh6anzOYd/Ohk+/YHVybSDpG0NUghoj13poShvNwk3UtAeDLp+2qn2spA6jJlsx3XrRj7+/HUM+3bsWB7F87mySgcVEUZ+SIBscf/ZJ4GaMZg5sswLcu49hCzIUTfZzXWEFcLNAYs8VMFoWwlwh584AkMnXe8mfGL0GqYtyuWLlAkLk5VDqAJ6gaNQgBR7+K34o5oQ35/1wR0FHlv0nJ1w0kyhGNbVX6ANZzxQCgU+lXzUmlrGmAuQRwoffLAfW+wr6vXlve6XqdOj0ch/8QKxggngK9Acc79rBulcwbm85b4rkDLUqs3gcMNOjsDgXSPtchQ3F7+UBBu30jgv1D+1hAhc+xaGiRYhmtgWi3Nl6mpk1Q2sJvDCpEjKEac8mSS6vOAe2n4fgwICaOxfIuZbWL6OxBnKm+q65DIBM7mLoFMnrs58cBHxFwB2wlLtQvomqeZeNduwWtqW50TnDp7jxX+HE6PnX23F3ZfhNQYYKSpetbxoZBUIgxbJSvIj1n
HNGEakJOkSelmPoQ8yZepU8tejs8iZ1SxyvOeATbAslJ7a5lpMO7riAN+X6xnp3JcgqRd9aMVvfTTh8XwzBmf9SFuV68ZOvD3hmCPoBvroExkYoKOoaiEBoLiA706bdH22bEC4UPaqmlnHPWTi7yiRAi3794jCDb+Nh3Ebd+XbXqMvACacdMQW7FTK/ytn14ypFWFwjX4WiJRsrpEgMdMTrsfYmcg2BwaJnWlaZsYMknwOJlE0bg5GU7ASL5g7+Ma+dknmN0nKKW8mK0c2CiI/AAhjK40EeJA5J8hqZaSZHay1gZYxT+TRb0vMvsu,iv:U1smwRB2mQSJHPeGSD8HFaon6ugk0JFPWtz41QdoGTs=,tag:TvetAkJqhGMIxm6+NcHCzg==,type:str]
|
||||
SMTP_PASSWORD: ENC[AES256_GCM,data:zcQbkOhsrrsof84ZvRXHVS4=,iv:cchXKmCPH8wBi9kDHY0Dr47QfOohQa7rPbjMsnYLNdI=,tag:O+gDLjkGe5V8St+kYGc6pQ==,type:str]
|
||||
identity_validation.reset_password.jwt.hmac.key: ENC[AES256_GCM,data:+eLVPSg8VIclVrT1trWdmHj1llhQVKHBYmQbrY3TnH8JAsssINoBPXoFOoT3m/YAktmvIFotrpi8k+cu0gkt9v1xf9FT3ppSPAspCujjvH5GNWWD+aVGxp0xHSwkQ3GDwG80ERezEYFcD/0FdhxPmeD52sh3heJnYdFluOAu95bD,iv:kIXe80T+Uh+NiqqH0n35XHZtoJ7lU3ifST/t34D6iKM=,tag:Bzs50EU0dUBieBOxtyvQ1Q==,type:str]
|
||||
session.encryption.key: ENC[AES256_GCM,data:4M0piJnmrpWnzqFEzCWEIWZ3E88l78HZriEBJDvRr1JwNXz2evbHlg1kBf0dw7M9u/c0z68C91BMf3i+Ym5PNJezCv6otcUqFOvdn43uWOh7qvEBnxyyblDobxSMWkfei9V9z3qsCq46t7LDrrpSjD/ugATzaBrnG5b4YFyCFPI2,iv:S0sUiqeAipJstGmsUZNy4HW+v/Voy9atAAmaevvLHoo=,tag:BbuPrFN7ElV5qxWa5wmEfQ==,type:str]
|
||||
storage.encryption.key: ENC[AES256_GCM,data:vUvA3FAT//CSu1fO0GSxYY8lDwbNQDB5RaSuLXboujUIN9wWKAJt+WH0pQ5fU4K3i2cZjJT/LouP6uDhdEPs7NFDRYHUs59CimB2tqBGzOLHbUMVNgUZRM61l+O8eSurx4TkiC4q5JSmQUrlg4+/58dLNNWBte6Niz8nfDaeDnUY,iv:xBUvaXHBC5ipIxP8XBshzHc8mCrWnqjPlPinN5E/Eh8=,tag:6I4+lqUD2HwYY8NsqfBMFQ==,type:str]
|
||||
identity_providers.oidc.hmac.key: ENC[AES256_GCM,data:W4yp/fk6F/p90YuPH3GaQ5fBq19nDvdEbv6lUQcBbTajAnxMBqSph5JufGKG6gW1XU9ZpUAUiKr1r8nLPN5wvpM1Gu9VUG4ciLkcwmLpgl6lsnLPDHxxQ5xpdQ4YoZqFnffga14NxnVv4ALAOvUDbZFAB8kSbKGKfez2m+W7uQLC,iv:TBiQJhd9hgqVvQyO/gaZH4Vzg0+bKd6jc10dgHKwobY=,tag:2wZhbZo0/st2NBEbrN8zUg==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMDVSbERpdkRLSy9TcnVG
|
||||
VWdVRitPTGRhUzM3QXp2WTl2STVYU2lRa1I4CjVRcitJbzQxTFJ5c0pmcEJScDVo
|
||||
Vk9FQ0Q5a20xT1RjcWM4T1A3enVpckEKLS0tIFkzbTMzOTFVaVR3T1daNTNLdzVk
|
||||
ZzFsaDBkN1RKdG4yTlVUendQWFY1OFEKZZWj+gvQZ+578nqrYmpFivZeqPGV6Fu0
|
||||
QnAHACCjYI/3D0sLWqM54XMYe98DfX0dFnqZTNZ85hohLNCnq1w5Uw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2026-02-18T20:09:04Z"
|
||||
mac: ENC[AES256_GCM,data:NCIM5lGLDmIbl+R+rC0wA6Lp/irgWnhSqBhwnHtp1T8NUSK5GSJ162Cc8W3TOLMsVbKPzLfCOPi3ZNT9YKrutUj4h7VCLOlPIhXev81qx9J8iJImJyOM1Xry8gvRQ+XyZfi/ZbYxyR1X1fr8H8xQ+Rfc47bmgnIjhNR7F3vKRTY=,iv:OpmsIZb6gcOc5iJ6Q34RspBKE337cArfqeo48AfNTfY=,tag:3bDIp6rrIfXdTm87RcCekA==,type:str]
|
||||
encrypted_regex: ^(data|stringData|email)$
|
||||
version: 3.11.0
|
||||
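Review bot: This Secret (and the `cloudflare-api-token` Secret later in the commit) omits the leading `---` document marker that every other manifest here starts with; add `---` as the first line of both for consistency. After the split, these SOPS-encrypted Secrets are applied by whichever stage Kustomization owns their path, so that Kustomization needs `spec.decryption` (`provider: sops` plus the `secretRef` holding the age key) or the `ENC[...]` blobs will be applied verbatim — the Kustomization files are suppressed in this diff, so please confirm both stages carry it. Also `encrypted_regex: ^(data|stringData|email)$` here differs from `^(data|stringData)$` on the cloudflare secret; harmless, but align the `.sops.yaml` creation rules if one value was unintended.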
@@ -0,0 +1,5 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cert-manager
|
||||
@@ -0,0 +1,20 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
chart:
|
||||
spec:
|
||||
chart: cert-manager
|
||||
version: v1.19.3
|
||||
reconcileStrategy: ChartVersion
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: jetstack
|
||||
namespace: flux-system
|
||||
interval: 1m0s
|
||||
values:
|
||||
crds:
|
||||
enabled: true
|
||||
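Review bot: Installing the CRDs here only fixes the ClusterIssuer dry-run if the controllers Kustomization turns Ready after this HelmRelease is actually installed: Flux `dependsOn` waits for the dependency Kustomization to be Ready, and without `wait: true` (or a `healthChecks` entry for this HelmRelease) on the controllers Kustomization, Ready can be reported as soon as the manifests are applied, before the chart has created the CRDs. The Kustomization files are not visible in this diff, so please confirm the controllers stage sets `wait: true` or lists this HelmRelease under `healthChecks`. `crds.enabled: true` makes Helm own the CRDs; I believe the chart defaults `crds.keep` to true, which is what you want here — consider stating it explicitly with `keep: true` under `crds:` so an uninstall cannot remove the CRDs and every Certificate with them.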
@@ -0,0 +1,9 @@
|
||||
---
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: jetstack
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 1m0s
|
||||
url: https://charts.jetstack.io
|
||||
@@ -0,0 +1,24 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: nfs-subdir-external-provisioner
|
||||
namespace: flux-system
|
||||
spec:
|
||||
chart:
|
||||
spec:
|
||||
chart: nfs-subdir-external-provisioner
|
||||
version: 4.0.18
|
||||
reconcileStrategy: ChartVersion
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: nfs-subdir-external-provisioner
|
||||
namespace: flux-system
|
||||
interval: 1m0s
|
||||
values:
|
||||
nfs:
|
||||
server: synology.lviv
|
||||
path: /volume3/k8s-dev
|
||||
storageClass:
|
||||
name: nfs-synology-ssd
|
||||
defaultClass: false
|
||||
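Review bot: The class name `nfs-synology-ssd` is referenced by the authelia PVC earlier in this commit, so the two must stay in sync; a comment next to `name: nfs-synology-ssd` such as `# referenced by authelia/pvc.yaml` would make the coupling visible. The values set only `nfs.server`, `nfs.path` and the class name, so reclaim policy and archive-on-delete behaviour come from chart defaults; if retention of Authelia's `/data` volume matters, set `storageClass.reclaimPolicy` and `storageClass.archiveOnDelete` explicitly rather than relying on whatever 4.0.18 defaults to. `server: synology.lviv` and `path: /volume3/k8s-dev` embed a site-specific host and a dev export in the shared infrastructure layer; if these are environment-specific, a Flux substitution variable like the `${AUTHELIA_DOMAIN}` used in the authelia release would keep them out of the manifests.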
@@ -0,0 +1,9 @@
|
||||
---
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: nfs-subdir-external-provisioner
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 1m0s
|
||||
url: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
|
||||
@@ -0,0 +1,22 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: cloudflare-api-token
|
||||
namespace: cert-manager
|
||||
stringData:
|
||||
api-token: ENC[AES256_GCM,data:q7pulR1T7uF0iZn9kSu7PMon3Nj5wsLDDrL+FLChuo65oiTkp3nOAQ==,iv:WncCihEL6jsuU6Yo6SUO0yxsudUw4NUk24SlUctVnZw=,tag:b7hh9nfVxt4pQ4Z0h8KT5A==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNm5BVXpUeXBsN2VLWDVk
|
||||
em9ET3VVMUJaQVY2RzlZMEpaUFJBaGs4YWdzCjFrYm5DQ2VGeGJ0WHdnODk5VWJF
|
||||
RnNleGhPT245c2dhckVnbTVwWFBjNWcKLS0tIEh5cnZiSTF5aWpham14MmliSXEy
|
||||
VEo5L25DNDF0c0hjYUxTek43ckxVRkEKmo/PLZTn8YtcWjFzDlwpUn7Y+Jyde0Cl
|
||||
z/mzEJDhjX2ozdLTQdZog8d0PVnzQ8DY47NumyIItYWyiDHDBfEm5g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2026-02-10T11:32:15Z"
|
||||
mac: ENC[AES256_GCM,data:lgpjt+lAkz61ZubY4Gno//ZZmeigVCyMC8yt8+EdQHCCJhGjSnaWKpHuj6sa0df14nw2koTC8sPXP8Y2G+5ikJNBLGcJhl9ZR7cEG5tKjMUy367xamPKzRwDpv1U/OCEdpT4G6uDPWx5J3I8EfyYwC+NQpTgluJNjjnfX/ocGX0=,iv:bV0rECMs8wG10eCKxVU9WGVUDKc/XxS00YWvm4XTraw=,tag:uv1LpRXLJw882VfTBJ/a1Q==,type:str]
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.11.0
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: traefik
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
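Review bot: `pod-security.kubernetes.io/enforce: privileged` is set without the matching `audit` and `warn` labels, and it applies to every pod in the `traefik` namespace, not only the ingress controller. The label is presumably there because the traefik release later in this commit binds `hostPort: 80`/`443`, which the baseline profile rejects; say so with a comment above `labels:`, e.g. `# privileged: traefik binds hostPort 80/443, which the baseline PSA profile rejects`, and add `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline` so anything else landing in this namespace is at least flagged.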
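--- a/kubernetes/infrastructure/controllers/traefik/release.yaml
+++ b/kubernetes/infrastructure/controllers/traefik/release.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  chart:
+    spec:
+      chart: traefik
+      version: 39.0.0
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: traefik
+        namespace: flux-system
+  interval: 1m0s
+  values:
+    service:
+      type: ClusterIP
+    ports:
+      web:
+        hostPort: 80
+      websecure:
+        hostPort: 443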
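Review bot: `service.type: ClusterIP` combined with `ports.web.hostPort: 80` and `ports.websecure.hostPort: 443` means external traffic reaches Traefik only via the node IP of whichever node the pod lands on, and a second replica cannot schedule on the same node because the ports are already bound. That is a workable single-node pattern but it is not obvious from the file; document it above `values:`, e.g. `# No LoadBalancer: traefik is exposed via hostPort 80/443 on the node (one replica per node; needs the privileged PSA label on the namespace)`. Replica count and scheduling are not visible in this hunk, so I cannot tell whether a DaemonSet-style rollout was intended; if it was, say so in the same comment.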
@@ -0,0 +1,9 @@
|
||||
---
|
||||
apiVersion: source.toolkit.fluxcd.io/v1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: traefik
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 1m0s
|
||||
url: https://traefik.github.io/charts
|
||||