diff --git a/flux-operator/index.ts b/flux-operator/index.ts
index c260c9a0..de0c32a6 100644
--- a/flux-operator/index.ts
+++ b/flux-operator/index.ts
@@ -66,74 +66,12 @@ const operatorClusterRoleBinding = new kubernetes.rbac.v1.ClusterRoleBinding(`op
 apiGroup: "rbac.authorization.k8s.io",
 },
 });
-const operatorDeployment = new kubernetes.apps.v1.Deployment(`pulumi-kubernetes-operator-${ns}`, {
- metadata: {
- "namespace": ns,
- },
- spec: {
- replicas: 1,
- selector: {
- matchLabels: {
- name: "pulumi-kubernetes-operator",
- },
- },
- template: {
- metadata: {
- labels: {
- name: "pulumi-kubernetes-operator",
- },
- },
- spec: {
- serviceAccountName: operatorServiceAccount.metadata.name,
- containers: [{
- name: "pulumi-kubernetes-operator",
- image: image,
- args: ["--zap-level=error", "--zap-time-encoding=iso8601"],
- imagePullPolicy: "Always",
- env: [
- {
- name: "WATCH_NAMESPACE",
- valueFrom: {
- fieldRef: {
- fieldPath: "metadata.namespace",
- },
- },
- },
- {
- name: "POD_NAME",
- valueFrom: {
- fieldRef: {
- fieldPath: "metadata.name",
- },
- },
- },
- {
- name: "OPERATOR_NAME",
- value: "pulumi-kubernetes-operator",
- },
- {
- name: "GRACEFUL_SHUTDOWN_TIMEOUT_DURATION",
- value: "5m",
- },
- {
- name: "MAX_CONCURRENT_RECONCILES",
- value: "10",
- },
- ],
- }],
- // Should be same or larger than GRACEFUL_SHUTDOWN_TIMEOUT_DURATION
- terminationGracePeriodSeconds: 300,
- },
- },
- },
-}, deploymentOptions);
-
 // Create the API token as a Kubernetes Secret.
 const accessToken = new Secret("operator-accesstoken", {
 metadata: {
- name: "flux-secret",
+ name: "pulumi-operator-secret",
 namespace: ns
 },
 stringData: {accessToken: pulumiAccessToken},
diff --git a/l0/components/GitlabRunner.ts b/l0/components/GitlabRunner.ts
index 8d8275ce..d8377d4c 100644
--- a/l0/components/GitlabRunner.ts
+++ b/l0/components/GitlabRunner.ts
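Review bot: Removing operatorDeployment leaves operatorServiceAccount and the ClusterRoleBinding that closes at the top of this hunk in place with nothing using them, so a cluster-wide grant now exists for no workload; if the operator is installed from the Helm chart elsewhere in this commit, the hand-rolled ServiceAccount and ClusterRoleBinding should go with the Deployment, or a comment should say why they stay. `image` and `deploymentOptions` appear only on removed lines here and look unused afterwards, though their declarations are outside the hunk. Renaming the Secret from `flux-secret` to `pulumi-operator-secret` replaces the resource, so anything that still references it by name has to change with it.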
@@ -11,10 +11,10 @@ export function createGitlabRunner(namespace: Namespace) {
 const serviceAccount = createServiceAccount(namespace)
 const role = createRole(namespace)
 const roleBinding = createRoleBinding(namespace, role, serviceAccount)
- return new k8s.helm.v3.Chart("gitlab-runner", {
+ return new k8s.helm.v4.Chart("gitlab-runner", {
 chart: "gitlab-runner",
 namespace: namespace.metadata.name,
- fetchOpts: {
+ repositoryOpts: {
 repo: "https://charts.gitlab.io/"
 },
 values: {
diff --git a/l0/components/addons.ts b/l0/components/addons.ts
index 670045c2..98f68c78 100644
--- a/l0/components/addons.ts
+++ b/l0/components/addons.ts
@@ -5,12 +5,12 @@ import {Namespace} from "@pulumi/kubernetes/core/v1";
 import versions from "../versions";
 export function installCilium(opts: CustomResourceOptions) {
- return new helm.v3.Chart("cilium", {
- chart: "cilium",
- version: "1.15.6",
+ return new helm.v4.Chart("cilium", {
+ chart: versions.cilium.depName,
+ version: versions.cilium.version,
 namespace: "kube-system",
- fetchOpts: {
- repo: "https://helm.cilium.io/",
+ repositoryOpts: {
+ repo: versions.cilium.registryUrl,
 },
 }, opts)
 }
@@ -19,10 +19,10 @@ export function installCilium(opts: CustomResourceOptions) {
 export function installCertManager(opts: CustomResourceOptions) {
 //TODO: Switch to Helm Release, to enable Hook Support
- return new helm.v3.Chart("cert-manager", {
+ return new helm.v4.Chart("cert-manager", {
 chart: versions.certManager.depName,
 version: versions.certManager.version,
- fetchOpts: {
+ repositoryOpts: {
 repo: versions.certManager.registryUrl,
 },
 namespace: "kube-system",
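Review bot: installCilium now reads `versions.cilium.depName`, `versions.cilium.version` and `versions.cilium.registryUrl`, but the versions.ts hunk in this commit only adds `pulumiOperator`; if a `cilium` entry does not already exist, the `Record` type on `versions` means these lookups still compile and the Chart receives `undefined` for chart, version and repo at deploy time. Worth confirming the entry is present, or adding it in the same change. The removed "1.15.6" and "https://helm.cilium.io/" are the only record of the previous values, so the new entry should carry them.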
@@ -39,10 +39,10 @@ export function installExternalSecretsOperator(opts: CustomResourceOptions) {
 name: "external-secrets"
 }
 }, opts)
- return new helm.v3.Chart("external-secrets", {
+ return new helm.v4.Chart("external-secrets", {
 chart: versions.externalSecrets.depName ,
 version: versions.externalSecrets.version,
- fetchOpts: {
+ repositoryOpts: {
 repo: versions.externalSecrets.registryUrl,
 },
 namespace: ns.metadata.name,
@@ -59,10 +59,10 @@ export function installIstio(opts: CustomResourceOptions) {
 name: "istio-system"
 }
 }, opts)
- new helm.v3.Chart("istio-base", {
+ new helm.v4.Chart("istio-base", {
 chart: versions.istioBase.depName,
 version: versions.istioBase.version,
- fetchOpts: {
+ repositoryOpts: {
 repo: versions.istioBase.registryUrl,
 },
 namespace: ns.metadata.name,
@@ -71,10 +71,10 @@ export function installIstio(opts: CustomResourceOptions) {
 },
 }, opts);
- return new helm.v3.Chart("istiod", {
+ return new helm.v4.Chart("istiod", {
 chart: versions.istioD.depName,
 version: versions.istioD.version,
- fetchOpts: {
+ repositoryOpts: {
 repo: versions.istioD.registryUrl,
 },
 namespace: ns.metadata.name,
@@ -123,11 +123,11 @@ export function installCSIDriver(token: Input, opts: CustomResourceOptio
 }
 },opts)
- return new helm.v3.Chart("hcloud-csi", {
+ return new helm.v4.Chart("hcloud-csi", {
 chart: versions.hcloudCSI.depName,
 namespace: "kube-system",
 version: versions.hcloudCSI.version,
- fetchOpts: {
+ repositoryOpts: {
 repo: versions.hcloudCSI.registryUrl
 },
 },opts)
diff --git a/l0/components/flux/chart/index.ts b/l0/components/flux/chart/index.ts
deleted file mode 100644
index 9332a4d7..00000000
--- a/l0/components/flux/chart/index.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import {CustomResourceOptions} from "@pulumi/pulumi";
-import {helm} from "@pulumi/kubernetes";
-
- export function installFlux(opts: CustomResourceOptions) {
- //TODO: Switch to Helm Release, to enable Hook Support
- return new helm.v3.Chart("flux-operator", {
- chart: "pulumi-kubernetes-operator",
- version: "v0.5.0",
- fetchOpts: {
- repo: "https://pulumi.github.io/pulumi-kubernetes-operator",
- },
-
- }, opts);
- }
diff --git a/l0/components/juicefs.ts b/l0/components/juicefs.ts
index 8ff423a0..fd8c9849 100644
--- a/l0/components/juicefs.ts
+++ b/l0/components/juicefs.ts
@@ -10,7 +10,7 @@ const ns = new k8s.core.v1.Namespace(ident, {
 metadata: { name: ident },
 })
-const redis = new k8s.helm.v3.Release("redis", {
+const redis = new k8s.helm.v4.Release("redis", {
 namespace: ns.metadata.name,
 name: "redis",
 chart: "redis",
@@ -47,7 +47,7 @@ const minioSecret = {
 }
 const juiceStorageClassName = "juice"
-const juicefs = new k8s.helm.v3.Release("juicefs-driver", {
+const juicefs = new k8s.helm.v4.Release("juicefs-driver", {
 namespace: ns.metadata.name,
 chart: versions.juiceCsiDriver.depName,
 version: versions.juiceCsiDriver.version,
@@ -79,7 +79,7 @@ const storage = k8s.storage.v1.StorageClass.get(
 export const juicefsStorage = storage.metadata.name
-new k8s.helm.v3.Release("juicefs-gateway", {
+new k8s.helm.v4.Release("juicefs-gateway", {
 namespace: ns.metadata.name,
 chart: "juicefs-s3-gateway",
 version: "0.9.0",
@@ -95,7 +95,7 @@ new k8s.helm.v3.Release("juicefs-gateway", {
 },
 })
-new k8s.helm.v3.Release("juicefs-volume-hook", {
+new k8s.helm.v4.Release("juicefs-volume-hook", {
 namespace: ns.metadata.name,
 chart: "juicefs-volume-hook",
 version: "0.2.4",
diff --git a/l0/components/pulumi-operator/chart/index.ts b/l0/components/pulumi-operator/chart/index.ts
new file mode 100644
index 00000000..26cccc8d
--- /dev/null
+++ b/l0/components/pulumi-operator/chart/index.ts
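Review bot: `k8s.helm.v4.Release` on the changed line of the first juicefs.ts hunk does not exist as far as I can tell — the helm.v4 module of @pulumi/kubernetes only provides Chart, and Release still lives under helm.v3 — so this line, the three other Release hunks in juicefs.ts and the velero.ts hunk will fail to compile. The Chart migrations elsewhere in this commit are the right shape; only the Release constructors should stay as they were, e.g. `const redis = new k8s.helm.v3.Release("redis", {`. Worth a build before merge, since the mass rename makes this easy to miss.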
@@ -0,0 +1,18 @@
+import {CustomResourceOptions, Input} from "@pulumi/pulumi";
+import {helm} from "@pulumi/kubernetes";
+import versions from "../../../versions";
+import {Namespace} from "@pulumi/kubernetes/core/v1";
+
+ export function installPulumiOperator(pulumiAccessToken: Input, namespace: Namespace, opts: CustomResourceOptions) {
+ //TODO: Switch to Helm Release, to enable Hook Support
+ return new helm.v4.Chart("pulumi-operator", {
+ chart: versions.pulumiOperator.registryUrl!!,
+ namespace: namespace.metadata.name,
+ version: versions.pulumiOperator.version,
+ values: {
+ image: {
+ tag: "2.0.0-beta.3"
+ }
+ }
+ }, opts);
+ }
diff --git a/l0/components/velero.ts b/l0/components/velero.ts
index a8ba0a10..d26f3c88 100644
--- a/l0/components/velero.ts
+++ b/l0/components/velero.ts
@@ -8,7 +8,7 @@ const ns = new k8s.core.v1.Namespace(ident, {
 metadata: { name: ident },
 })
-new k8s.helm.v3.Release("velero", {
+new k8s.helm.v4.Release("velero", {
 namespace: ns.metadata.name,
 name: "velero",
 chart: "velero",
diff --git a/l0/create/Hetzner.ts b/l0/create/Hetzner.ts
index 3fc00b34..752e8629 100644
--- a/l0/create/Hetzner.ts
+++ b/l0/create/Hetzner.ts
@@ -14,6 +14,7 @@ import {
 import {Namespace} from "@pulumi/kubernetes/core/v1";
 import {Provider} from "@pulumi/kubernetes";
 import {Input} from "@pulumi/pulumi";
+import {installPulumiOperator} from "../components/pulumi-operator/chart";
 export function createHetznerK3S(config: pulumi.Config, clusterName: string, mail: Input) {
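Review bot: `pulumiAccessToken` is a parameter of installPulumiOperator but is never used in the body, so the chart is installed without the token the caller passes in; either feed it into `values` under whatever key the chart expects for the access token, or drop the parameter so the signature does not promise something it ignores. `registryUrl!!` is a doubled non-null assertion where one `!` already suffices, and because the value comes from the versions table, an explicit check that throws a clear error would be safer than silencing the type. The image tag "2.0.0-beta.3" is pinned here while the chart version comes from `versions.pulumiOperator.version`, so if versions.ts is what drives upgrades, the tag will not move with the chart; worth confirming the 0.8.1 chart is meant to run a 2.0.0-beta image at all.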
@@ -46,13 +47,18 @@ export function createHetznerK3S(config: pulumi.Config, clusterName: string, mai
 const certManager = installCertManager({provider:kubernetesProvider})
 installClusterIssuer(mail!!,{provider: kubernetesProvider, dependsOn: [certManager]})
 installIstio({provider: kubernetesProvider})
+ const externalSecrets = installExternalSecretsOperator({provider: kubernetesProvider})
- new Namespace("flux-system", {
+
+ //const pulumiAccessToken = config.getSecret("pulumiAccessToken")
+ const pulumiOperatorNamespace = new Namespace("pulumi-kubernetes-operator", {
 metadata: {
- name: "flux-system"
+ name: "pulumi-kubernetes-operator"
 },
 }, {provider: kubernetesProvider}
 )
+ // const pulumiOperator = installPulumiOperator(pulumiAccessToken!!, pulumiOperatorNamespace, {provider: kubernetesProvider})
+
 return {kubeconfig: kubeconfig, cluster: pulumi.output(cluster)}
 }
\ No newline at end of file
diff --git a/l0/versions.ts b/l0/versions.ts
index d2d6e054..69eb6f58 100644
--- a/l0/versions.ts
+++ b/l0/versions.ts
@@ -58,6 +58,13 @@ export const versions: Record = {
 versioning: "semver-coerced",
 registryUrl: "https://charts.external-secrets.io"
 },
+ pulumiOperator: {
+ version: "0.8.1",
+ depName: "pulumi-kubernetes-operator",
+ datasource: "helm",
+ versioning: "semver-coerced",
+ registryUrl: "oci://ghcr.io/pulumi/helm-charts/pulumi-kubernetes-operator"
+ },
 };
diff --git a/l1/components/etcd/chart/Etcd.ts b/l1/components/etcd/chart/Etcd.ts
index 893e32e0..985906d6 100644
--- a/l1/components/etcd/chart/Etcd.ts
+++ b/l1/components/etcd/chart/Etcd.ts
@@ -3,10 +3,10 @@ import {Namespace, Secret} from "@pulumi/kubernetes/core/v1";
 export function createEtcd(namespace: Namespace, secret: Secret) {
- return new k8s.helm.v3.Chart("etcd", {
+ return new k8s.helm.v4.Chart("etcd", {
 chart: "etcd",
 namespace: namespace.metadata.name,
- fetchOpts: {
+ repositoryOpts: {
 repo: "https://charts.bitnami.com/bitnami"
 },
 values: {
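Review bot: The only call to installPulumiOperator is the commented-out line after the Namespace, so the import added in the previous hunk of this file is dead, `//const pulumiAccessToken = config.getSecret("pulumiAccessToken")` with it, and `externalSecrets` is assigned but never read. Commented-out code in a deploy path tends to rot; either wire the operator up now (its namespace is already created here) or drop the import and these lines and track the intent elsewhere. When it is enabled, `pulumiAccessToken!!` on a `config.getSecret` result passes `undefined` through when the key is missing, whereas `config.requireSecret("pulumiAccessToken")` fails early with a clear message. createHetznerK3S starts before this hunk.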
diff --git a/l1/components/kafka/chart/Kafka.ts b/l1/components/kafka/chart/Kafka.ts
index 7ea76a8f..aead7712 100644
--- a/l1/components/kafka/chart/Kafka.ts
+++ b/l1/components/kafka/chart/Kafka.ts
@@ -3,10 +3,10 @@ import {Namespace, Secret} from "@pulumi/kubernetes/core/v1";
 export function createKafka(namespace: Namespace, secret: Secret) {
- return new k8s.helm.v3.Chart("kafka", {
+ return new k8s.helm.v4.Chart("kafka", {
 chart: "kafka",
 namespace: namespace.metadata.name,
- fetchOpts: {
+ repositoryOpts: {
 repo: "https://charts.bitnami.com/bitnami"
 },
 values: {
diff --git a/l2/Pulumi.hetzner.yaml b/l2/Pulumi.hetzner.yaml
index 37efceaa..57b15e24 100644
--- a/l2/Pulumi.hetzner.yaml
+++ b/l2/Pulumi.hetzner.yaml
@@ -17,3 +17,7 @@ config:
 secure: AAABAD/h/5wcP3a2K4aZY3e8zhvSFxpvP4aYzkV3iPl2UE4qauHXV6fMndab2TzKyjoqWOYUAGJWjwW4xRNK0Q==
 l2:s3-secret:
 secure: AAABAOyJpJFwRpQnQVyFz3S7Pgf41EmOOts3Fzh4QfOMDL+3XY3AHeYjyyIr15NCCTsN879eOJDYgbKl/sWiFg==
+ l2:yubi-client-secret:
+ secure: AAABANxQrX2UjUlkvn7qqFyp5PAg6Lxt1kTtJ0Mh47+cIsUua3yZ/B6LJSHFwN3R82W3yBB4glJcjjKk
+ l2:yubi-client-id:
+ secure: AAABAGQXUV3oPcgNQ71AZNLWw4IazST0atdQeFK+xr1SpDkfMi4=
diff --git a/l2/index.ts b/l2/index.ts
index 084b8f54..e69903e5 100644
--- a/l2/index.ts
+++ b/l2/index.ts
@@ -4,17 +4,15 @@ import * as postgresql from "@pulumi/postgresql";
 import {Provider, Role} from "@pulumi/postgresql";
 import {RandomPassword} from "@pulumi/random";
 import {Config, getStack, interpolate, StackReference} from "@pulumi/pulumi";
-import {createBackupSecret, createSecretWrapper, createUmamiSecret} from "./secrets";
+import {createBackupSecret, createUmamiSecret} from "./secrets";
 import {ConfigMap} from "@pulumi/kubernetes/core/v1";
 import createBackupCronjob from "./CronJob";
 import {createVaultwardenManual} from "./providers/Manual/Vaultwarden";
-import {createPaperless} from "./providers/Manual/paperless/Paperless";
 import {createDirectus} from "./create/directus";
 import * as aws from "@pulumi/aws"
 import {createSecretStore} from "./secretstore";
 import * as k8s from "@pulumi/kubernetes"
 import {createKubevoyage} from "./create/kubevoyage";
-import {createPlane} from "./create/plane";
 const config = new Config();
 const stack = getStack();
@@ -120,10 +118,13 @@ export const umamiSecret = {
 }
 createUmami("manual", namespaceUmami, createUmamiSecret(namespaceUmami, umamiSecret))
-
+const yubiClientSecret = config.getSecret("yubi-client-secret")
+const yubiClientId = config.getSecret("yubi-client-id")
 const vaultwardenCredentials = createDBCredentials("vaultwarden")
 export const vaultwardenSecret = {
- "database-url": interpolate`postgresql://${vaultwardenCredentials.user}:${vaultwardenCredentials.password}@${postgresUrl}:5432/${vaultwardenCredentials.db}`
+ "database-url": interpolate`postgresql://${vaultwardenCredentials.user}:${vaultwardenCredentials.password}@${postgresUrl}:5432/${vaultwardenCredentials.db}`,
+ "yubico-client-secret": interpolate`${yubiClientSecret}`,
+ "yubico-client-id":interpolate`${yubiClientId}`
 }
 const vaultwardenNamespace = createNamespace("vaultwarden")
 const configMap = new ConfigMap("vaultwarden", {
diff --git a/l2/providers/Charts/Directus.ts b/l2/providers/Charts/Directus.ts
index 611d21c7..ef0b063a 100644
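Review bot: In the second hunk, `config.getSecret("yubi-client-secret")` and `config.getSecret("yubi-client-id")` return `undefined` when the key is absent, and wrapping that in `interpolate` most likely writes the literal string "undefined" into the vaultwarden Secret instead of failing; `config.requireSecret(...)` for both makes a missing key abort at preview time. Since `requireSecret` already yields a secret `Output<string>`, the `interpolate` wrapper is unnecessary and the entries can be `"yubico-client-secret": config.requireSecret("yubi-client-secret"),` and `"yubico-client-id": config.requireSecret("yubi-client-id")`. The secret-ness is preserved either way, so the exported `vaultwardenSecret` stays encrypted in state.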
--- a/l2/providers/Charts/Directus.ts
+++ b/l2/providers/Charts/Directus.ts
@@ -8,10 +8,10 @@ import {dbPassword, dbRootPassword} from "../../../util/env";
 export function createDirectusHelmChart(namespace: Namespace, secret: Secret, config: ConfigMap) {
- return new k8s.helm.v3.Chart("directus-release", {
+ return new k8s.helm.v4.Chart("directus-release", {
 chart: "directus",
 namespace: namespace.metadata.name,
- fetchOpts: {
+ repositoryOpts: {
 repo: "https://directus-community.github.io/helm-chart",
 },
 values: {
diff --git a/l2/providers/Charts/Kubevoyage.ts b/l2/providers/Charts/Kubevoyage.ts
index 6d7b67e6..007e28a7 100644
--- a/l2/providers/Charts/Kubevoyage.ts
+++ b/l2/providers/Charts/Kubevoyage.ts
@@ -15,11 +15,11 @@ export type KubevoyageConfig = {
 export function createKubevoyageHelmChart(config: KubevoyageConfig) {
- return new k8s.helm.v3.Chart("kubevoyage", {
+ return new k8s.helm.v4.Chart("kubevoyage", {
 chart: "kubevoyage",
 version: "0.7.0",
 namespace: "default",
- fetchOpts: {
+ repositoryOpts: {
 repo: "https://b-urb.github.io/KubeVoyage/",
 },
 values: {
diff --git a/l2/providers/Charts/Plane.ts b/l2/providers/Charts/Plane.ts
index e35269a0..0ac9bde7 100644
--- a/l2/providers/Charts/Plane.ts
+++ b/l2/providers/Charts/Plane.ts
@@ -15,10 +15,10 @@ export default function createPlaneHelm(namespace: Namespace, config: {
 awsS3Endpoint: Output; url: string }) {
- return new k8s.helm.v3.Chart("plane", {
+ return new k8s.helm.v4.Chart("plane", {
 chart: versions.plane.depName,
 namespace: namespace.metadata.name,
- fetchOpts: {
+ repositoryOpts: {
 repo: versions.plane.registryUrl,
 },
 values: {
diff --git a/l2/providers/Charts/Vaultwarden.ts b/l2/providers/Charts/Vaultwarden.ts
index 65e9be93..a3352624 100644
--- a/l2/providers/Charts/Vaultwarden.ts
+++ b/l2/providers/Charts/Vaultwarden.ts
@@ -10,10 +10,10 @@ export function createVaultwardenHelmchart() {
 }
 })
- return new k8s.helm.v3.Chart("bitwarden-rs", {
+ return new k8s.helm.v4.Chart("bitwarden-rs", {
 chart: "bitwarden-rs",
 namespace: namespace.metadata.name,
- fetchOpts: {
+ repositoryOpts: {
 repo: "https://charts.cronce.io/",
 },
 values: {
diff --git a/l2/providers/Manual/Vaultwarden.ts b/l2/providers/Manual/Vaultwarden.ts
index 44930d10..7c4527a3 100644
--- a/l2/providers/Manual/Vaultwarden.ts
+++ b/l2/providers/Manual/Vaultwarden.ts
@@ -60,6 +60,10 @@ function createVaultwardenDeployments(website: WebService, configMap: ConfigMap,
 "env": [
 {name: "DATABASE_URL",
 valueFrom: {secretKeyRef: { name: secret.metadata.name, key: "database-url" }}},
+ {name: "YUBICO_SECRET_KEY",
+ valueFrom: {secretKeyRef: { name: secret.metadata.name, key: "yubico-client-secret" }}},
+ {name: "YUBICO_CLIENT_ID",
+ valueFrom: {secretKeyRef: { name: secret.metadata.name, key: "yubico-client-id" }}},
 {name: "DOMAIN",
 valueFrom: {configMapKeyRef: { name: configMap.metadata.name, key: "url" }}}
 ],