development

flux-operator/index.ts

@@ -66,74 +66,12 @@ const operatorClusterRoleBinding = new kubernetes.rbac.v1.ClusterRoleBinding(`op
     apiGroup: "rbac.authorization.k8s.io",
   },
 });
-const operatorDeployment = new kubernetes.apps.v1.Deployment(`pulumi-kubernetes-operator-${ns}`, {
-  metadata: {
-    "namespace": ns,
-  },
-  spec: {
-    replicas: 1,
-    selector: {
-      matchLabels: {
-        name: "pulumi-kubernetes-operator",
-      },
-    },
-    template: {
-      metadata: {
-        labels: {
-          name: "pulumi-kubernetes-operator",
-        },
-      },
-      spec: {
-        serviceAccountName: operatorServiceAccount.metadata.name,
-        containers: [{
-          name: "pulumi-kubernetes-operator",
-          image: image,
-          args: ["--zap-level=error", "--zap-time-encoding=iso8601"],
-          imagePullPolicy: "Always",
-          env: [
-            {
-              name: "WATCH_NAMESPACE",
-              valueFrom: {
-                fieldRef: {
-                  fieldPath: "metadata.namespace",
-                },
-              },
-            },
-            {
-              name: "POD_NAME",
-              valueFrom: {
-                fieldRef: {
-                  fieldPath: "metadata.name",
-                },
-              },
-            },
-            {
-              name: "OPERATOR_NAME",
-              value: "pulumi-kubernetes-operator",
-            },
-            {
-              name: "GRACEFUL_SHUTDOWN_TIMEOUT_DURATION",
-              value: "5m",
-            },
-            {
-              name: "MAX_CONCURRENT_RECONCILES",
-              value: "10",
-            },
 
 
-          ],
-        }],
-        // Should be same or larger than GRACEFUL_SHUTDOWN_TIMEOUT_DURATION
-        terminationGracePeriodSeconds: 300,
-      },
-    },
-  },
-}, deploymentOptions);
-
 // Create the API token as a Kubernetes Secret.
 const accessToken = new Secret("operator-accesstoken", {
   metadata: {
-    name: "flux-secret",
+    name: "pulumi-operator-secret",
     namespace: ns
   },
   stringData: {accessToken: pulumiAccessToken},

l0/components/GitlabRunner.ts

@@ -11,10 +11,10 @@ export function createGitlabRunner(namespace: Namespace) {
   const serviceAccount = createServiceAccount(namespace)
   const role = createRole(namespace)
   const roleBinding = createRoleBinding(namespace, role, serviceAccount)
-  return new k8s.helm.v3.Chart("gitlab-runner", {
+  return new k8s.helm.v4.Chart("gitlab-runner", {
     chart: "gitlab-runner",
     namespace: namespace.metadata.name,
-    fetchOpts: {
+    repositoryOpts: {
       repo: "https://charts.gitlab.io/"
     },
     values: {

l0/components/addons.ts

@@ -5,12 +5,12 @@ import {Namespace} from "@pulumi/kubernetes/core/v1";
 import versions from "../versions";
 
 export function installCilium(opts: CustomResourceOptions) {
-  return new helm.v3.Chart("cilium", {
-    chart: "cilium",
-    version: "1.15.6",
+  return new helm.v4.Chart("cilium", {
+    chart: versions.cilium.depName,
+    version: versions.cilium.version,
     namespace: "kube-system",
-    fetchOpts: {
-      repo: "https://helm.cilium.io/",
+    repositoryOpts: {
+      repo: versions.cilium.registryUrl,
     },
   }, opts)
 }
@@ -19,10 +19,10 @@ export function installCilium(opts: CustomResourceOptions) {
 
 export function installCertManager(opts: CustomResourceOptions) {
   //TODO: Switch to Helm Release, to enable Hook Support
-  return new helm.v3.Chart("cert-manager", {
+  return new helm.v4.Chart("cert-manager", {
     chart: versions.certManager.depName,
     version: versions.certManager.version,
-    fetchOpts: {
+    repositoryOpts: {
       repo: versions.certManager.registryUrl,
     },
     namespace: "kube-system",
@@ -39,10 +39,10 @@ export function installExternalSecretsOperator(opts: CustomResourceOptions) {
       name: "external-secrets"
     }
   }, opts)
-  return new helm.v3.Chart("external-secrets", {
+  return new helm.v4.Chart("external-secrets", {
     chart: versions.externalSecrets.depName ,
     version: versions.externalSecrets.version,
-    fetchOpts: {
+    repositoryOpts: {
       repo: versions.externalSecrets.registryUrl,
     },
     namespace: ns.metadata.name,
@@ -59,10 +59,10 @@ export function installIstio(opts: CustomResourceOptions) {
       name: "istio-system"
     }
   }, opts)
-  new helm.v3.Chart("istio-base", {
+  new helm.v4.Chart("istio-base", {
     chart: versions.istioBase.depName,
     version: versions.istioBase.version,
-    fetchOpts: {
+    repositoryOpts: {
       repo: versions.istioBase.registryUrl,
     },
     namespace: ns.metadata.name,
@@ -71,10 +71,10 @@ export function installIstio(opts: CustomResourceOptions) {
     },
   }, opts);
 
-  return new helm.v3.Chart("istiod", {
+  return new helm.v4.Chart("istiod", {
     chart: versions.istioD.depName,
     version: versions.istioD.version,
-    fetchOpts: {
+    repositoryOpts: {
       repo: versions.istioD.registryUrl,
     },
     namespace: ns.metadata.name,
@@ -123,11 +123,11 @@ export function installCSIDriver(token: Input<string>, opts: CustomResourceOptio
     }
   },opts)
 
-  return new helm.v3.Chart("hcloud-csi", {
+  return new helm.v4.Chart("hcloud-csi", {
     chart: versions.hcloudCSI.depName,
     namespace: "kube-system",
     version: versions.hcloudCSI.version,
-    fetchOpts: {
+    repositoryOpts: {
       repo: versions.hcloudCSI.registryUrl
     },
   },opts)

l0/components/juicefs.ts

@@ -10,7 +10,7 @@ const ns = new k8s.core.v1.Namespace(ident, {
   metadata: { name: ident },
 })
 
-const redis = new k8s.helm.v3.Release("redis", {
+const redis = new k8s.helm.v4.Release("redis", {
   namespace: ns.metadata.name,
   name: "redis",
   chart: "redis",
@@ -47,7 +47,7 @@ const minioSecret = {
 }
 
 const juiceStorageClassName = "juice"
-const juicefs = new k8s.helm.v3.Release("juicefs-driver", {
+const juicefs = new k8s.helm.v4.Release("juicefs-driver", {
   namespace: ns.metadata.name,
   chart: versions.juiceCsiDriver.depName,
   version: versions.juiceCsiDriver.version,
@@ -79,7 +79,7 @@ const storage = k8s.storage.v1.StorageClass.get(
 
 export const juicefsStorage = storage.metadata.name
 
-new k8s.helm.v3.Release("juicefs-gateway", {
+new k8s.helm.v4.Release("juicefs-gateway", {
   namespace: ns.metadata.name,
   chart: "juicefs-s3-gateway",
   version: "0.9.0",
@@ -95,7 +95,7 @@ new k8s.helm.v3.Release("juicefs-gateway", {
   },
 })
 
-new k8s.helm.v3.Release("juicefs-volume-hook", {
+new k8s.helm.v4.Release("juicefs-volume-hook", {
   namespace: ns.metadata.name,
   chart: "juicefs-volume-hook",
   version: "0.2.4",

l0/components/pulumi-operator/chart/index.ts

@@ -0,0 +1,18 @@
+import {CustomResourceOptions, Input} from "@pulumi/pulumi";
+import {helm} from "@pulumi/kubernetes";
+import versions from "../../../versions";
+import {Namespace} from "@pulumi/kubernetes/core/v1";
+
+ export function installPulumiOperator(pulumiAccessToken: Input<string>, namespace: Namespace, opts: CustomResourceOptions) {
+      //TODO: Switch to Helm Release, to enable Hook Support
+      return new helm.v4.Chart("pulumi-operator", {
+        chart: versions.pulumiOperator.registryUrl!!,
+        namespace: namespace.metadata.name,
+        version: versions.pulumiOperator.version,
+        values: {
+          image: {
+            tag: "2.0.0-beta.3"
+          }
+        }
+      }, opts);
+    }

l0/components/velero.ts

@@ -8,7 +8,7 @@ const ns = new k8s.core.v1.Namespace(ident, {
   metadata: { name: ident },
 })
 
-new k8s.helm.v3.Release("velero", {
+new k8s.helm.v4.Release("velero", {
   namespace: ns.metadata.name,
   name: "velero",
   chart: "velero",

l0/create/Hetzner.ts

@@ -14,6 +14,7 @@ import {
 import {Namespace} from "@pulumi/kubernetes/core/v1";
 import {Provider} from "@pulumi/kubernetes";
 import {Input} from "@pulumi/pulumi";
+import {installPulumiOperator} from "../components/pulumi-operator/chart";
 
 
 export function createHetznerK3S(config: pulumi.Config, clusterName: string, mail: Input<string>) {
@@ -46,13 +47,18 @@ export function createHetznerK3S(config: pulumi.Config, clusterName: string, mai
   const certManager = installCertManager({provider:kubernetesProvider})
   installClusterIssuer(mail!!,{provider: kubernetesProvider, dependsOn: [certManager]})
   installIstio({provider: kubernetesProvider})
+
   const externalSecrets = installExternalSecretsOperator({provider: kubernetesProvider})
-  new Namespace("flux-system", {
+
+  //const pulumiAccessToken = config.getSecret("pulumiAccessToken")
+  const pulumiOperatorNamespace = new Namespace("pulumi-kubernetes-operator", {
         metadata: {
-          name: "flux-system"
+          name: "pulumi-kubernetes-operator"
         },
       },
       {provider: kubernetesProvider}
   )
+ // const pulumiOperator = installPulumiOperator(pulumiAccessToken!!, pulumiOperatorNamespace, {provider: kubernetesProvider})
+
   return {kubeconfig: kubeconfig, cluster: pulumi.output(cluster)}
 }

l0/versions.ts

@@ -58,6 +58,13 @@ export const versions: Record<string, VersionEntry> = {
     versioning: "semver-coerced",
     registryUrl: "https://charts.external-secrets.io"
   },
+  pulumiOperator: {
+    version: "0.8.1",
+    depName: "pulumi-kubernetes-operator",
+    datasource: "helm",
+    versioning: "semver-coerced",
+    registryUrl: "oci://ghcr.io/pulumi/helm-charts/pulumi-kubernetes-operator"
+  },
 
 };
 

l1/components/etcd/chart/Etcd.ts

@@ -3,10 +3,10 @@ import {Namespace, Secret} from "@pulumi/kubernetes/core/v1";
 
 
 export function createEtcd(namespace: Namespace, secret: Secret) {
-  return new k8s.helm.v3.Chart("etcd", {
+  return new k8s.helm.v4.Chart("etcd", {
     chart: "etcd",
     namespace: namespace.metadata.name,
-    fetchOpts: {
+    repositoryOpts: {
       repo: "https://charts.bitnami.com/bitnami"
     },
     values: {

l1/components/kafka/chart/Kafka.ts

@@ -3,10 +3,10 @@ import {Namespace, Secret} from "@pulumi/kubernetes/core/v1";
 
 
 export function createKafka(namespace: Namespace, secret: Secret) {
-  return new k8s.helm.v3.Chart("kafka", {
+  return new k8s.helm.v4.Chart("kafka", {
     chart: "kafka",
     namespace: namespace.metadata.name,
-    fetchOpts: {
+    repositoryOpts: {
       repo: "https://charts.bitnami.com/bitnami"
     },
     values: {

l2/Pulumi.hetzner.yaml

@@ -17,3 +17,7 @@ config:
     secure: AAABAD/h/5wcP3a2K4aZY3e8zhvSFxpvP4aYzkV3iPl2UE4qauHXV6fMndab2TzKyjoqWOYUAGJWjwW4xRNK0Q==
   l2:s3-secret:
     secure: AAABAOyJpJFwRpQnQVyFz3S7Pgf41EmOOts3Fzh4QfOMDL+3XY3AHeYjyyIr15NCCTsN879eOJDYgbKl/sWiFg==
+  l2:yubi-client-secret:
+    secure: AAABANxQrX2UjUlkvn7qqFyp5PAg6Lxt1kTtJ0Mh47+cIsUua3yZ/B6LJSHFwN3R82W3yBB4glJcjjKk
+  l2:yubi-client-id:
+    secure: AAABAGQXUV3oPcgNQ71AZNLWw4IazST0atdQeFK+xr1SpDkfMi4=

l2/index.ts

@@ -4,17 +4,15 @@ import * as postgresql from "@pulumi/postgresql";
 import {Provider, Role} from "@pulumi/postgresql";
 import {RandomPassword} from "@pulumi/random";
 import {Config, getStack, interpolate, StackReference} from "@pulumi/pulumi";
-import {createBackupSecret, createSecretWrapper, createUmamiSecret} from "./secrets";
+import {createBackupSecret, createUmamiSecret} from "./secrets";
 import {ConfigMap} from "@pulumi/kubernetes/core/v1";
 import createBackupCronjob from "./CronJob";
 import {createVaultwardenManual} from "./providers/Manual/Vaultwarden";
-import {createPaperless} from "./providers/Manual/paperless/Paperless";
 import {createDirectus} from "./create/directus";
 import * as aws from "@pulumi/aws"
 import {createSecretStore} from "./secretstore";
 import * as k8s from "@pulumi/kubernetes"
 import {createKubevoyage} from "./create/kubevoyage";
-import {createPlane} from "./create/plane";
 
 const config = new Config();
 const stack = getStack();
@@ -120,10 +118,13 @@ export const umamiSecret = {
 }
 createUmami("manual", namespaceUmami, createUmamiSecret(namespaceUmami, umamiSecret))
 
-
+const yubiClientSecret = config.getSecret("yubi-client-secret")
+const yubiClientId = config.getSecret("yubi-client-id")
 const vaultwardenCredentials = createDBCredentials("vaultwarden")
 export const vaultwardenSecret = {
-  "database-url": interpolate`postgresql://${vaultwardenCredentials.user}:${vaultwardenCredentials.password}@${postgresUrl}:5432/${vaultwardenCredentials.db}`
+  "database-url": interpolate`postgresql://${vaultwardenCredentials.user}:${vaultwardenCredentials.password}@${postgresUrl}:5432/${vaultwardenCredentials.db}`,
+  "yubico-client-secret": interpolate`${yubiClientSecret}`,
+  "yubico-client-id":interpolate`${yubiClientId}`
 }
 const vaultwardenNamespace = createNamespace("vaultwarden")
 const configMap = new ConfigMap("vaultwarden", {

l2/providers/Charts/Directus.ts

@@ -8,10 +8,10 @@ import {dbPassword, dbRootPassword} from "../../../util/env";
 
 export function createDirectusHelmChart(namespace: Namespace, secret: Secret, config: ConfigMap) {
 
-  return new k8s.helm.v3.Chart("directus-release", {
+  return new k8s.helm.v4.Chart("directus-release", {
         chart: "directus",
         namespace: namespace.metadata.name,
-        fetchOpts: {
+        repositoryOpts: {
           repo: "https://directus-community.github.io/helm-chart",
         },
         values: {

l2/providers/Charts/Kubevoyage.ts

@@ -15,11 +15,11 @@ export type KubevoyageConfig = {
 
 export function createKubevoyageHelmChart(config: KubevoyageConfig) {
 
-  return new k8s.helm.v3.Chart("kubevoyage", {
+  return new k8s.helm.v4.Chart("kubevoyage", {
         chart: "kubevoyage",
         version: "0.7.0",
         namespace: "default",
-        fetchOpts: {
+        repositoryOpts: {
           repo: "https://b-urb.github.io/KubeVoyage/",
         },
         values: {