+45 -4

platform/staging/dex.yaml

reviewed

··· 11 11 apiVersion: helm.toolkit.fluxcd.io/v2 12 12 kind: HelmRelease 13 13 metadata: 14 14 + name: dex-secrets 15 15 + namespace: flux-system 16 16 + spec: 17 17 + interval: 30m 18 18 + dependsOn: 19 19 + - name: platform-namespaces 20 20 + - name: vault 21 21 + - name: vault-secrets-webhook 22 22 + releaseName: dex-secrets 23 23 + targetNamespace: dex 24 24 + install: 25 25 + createNamespace: true 26 26 + chart: 27 27 + spec: 28 28 + chart: app-template 29 29 + version: 4.6.0 30 30 + sourceRef: 31 31 + kind: HelmRepository 32 32 + name: app-template 33 33 + values: 34 34 + rawResources: 35 35 + dex-secrets: 36 36 + apiVersion: v1 37 37 + kind: Secret 38 38 + forceRename: dex-secrets 39 39 + annotations: 40 40 + vault.security.banzaicloud.io/vault-addr: http://vault.vault.svc.cluster.local:8200 41 41 + vault.security.banzaicloud.io/vault-role: default 42 42 + vault.security.banzaicloud.io/vault-path: kubernetes 43 43 + spec: 44 44 + stringData: 45 45 + # Keep Vault resolution on the Secret object. Inline vault: env values 46 46 + # make Dex depend on pod mutation, and that path breaks here because 47 47 + # the webhook cannot use the K3s image mirror config for registry lookups. 48 48 + ADMIN_PASSWORD_HASH: vault:secret/data/dex/auth#ADMIN_PASSWORD_HASH 49 49 + KHUEDOAN_PASSWORD_HASH: vault:secret/data/dex/auth#KHUEDOAN_PASSWORD_HASH 50 50 + FORGEJO_CLIENT_SECRET: vault:secret/data/forgejo/oauth#secret 51 51 + --- 52 52 + apiVersion: helm.toolkit.fluxcd.io/v2 53 53 + kind: HelmRelease 54 54 + metadata: 14 55 name: dex 15 56 namespace: flux-system 16 57 spec: 17 58 interval: 3m 18 59 dependsOn: 19 60 - name: platform-namespaces 61 61 + - name: dex-secrets 20 62 chart: 21 63 spec: 22 64 chart: dex ··· 32 74 image: 33 75 repository: registry.registry.svc.cluster.local/vendor/images/dexidp/dex 34 76 tag: v2.43.1 35 35 - env: 36 36 - ADMIN_PASSWORD_HASH: vault:secret/data/dex/auth#ADMIN_PASSWORD_HASH 37 37 - KHUEDOAN_PASSWORD_HASH: vault:secret/data/dex/auth#KHUEDOAN_PASSWORD_HASH 38 38 - FORGEJO_CLIENT_SECRET: vault:secret/data/forgejo/oauth#secret 77 77 + envFrom: 78 78 + - secretRef: 79 79 + name: dex-secrets 39 80 config: 40 81 issuer: https://dex.staging.khuedoan.com 41 82 storage:

+55 -13

platform/staging/forgejo.yaml

reviewed

··· 10 10 apiVersion: helm.toolkit.fluxcd.io/v2 11 11 kind: HelmRelease 12 12 metadata: 13 13 + name: forgejo-secrets 14 14 + namespace: flux-system 15 15 + spec: 16 16 + interval: 30m 17 17 + dependsOn: 18 18 + - name: platform-namespaces 19 19 + - name: vault 20 20 + - name: vault-secrets-webhook 21 21 + releaseName: forgejo-secrets 22 22 + targetNamespace: forgejo 23 23 + install: 24 24 + createNamespace: true 25 25 + chart: 26 26 + spec: 27 27 + chart: app-template 28 28 + version: 4.6.0 29 29 + sourceRef: 30 30 + kind: HelmRepository 31 31 + name: app-template 32 32 + values: 33 33 + rawResources: 34 34 + forgejo-admin: 35 35 + apiVersion: v1 36 36 + kind: Secret 37 37 + forceRename: forgejo-admin 38 38 + annotations: 39 39 + vault.security.banzaicloud.io/vault-addr: http://vault.vault.svc.cluster.local:8200 40 40 + vault.security.banzaicloud.io/vault-role: default 41 41 + vault.security.banzaicloud.io/vault-path: kubernetes 42 42 + spec: 43 43 + stringData: 44 44 + username: forgejo_admin 45 45 + password: vault:secret/data/forgejo/admin#password 46 46 + forgejo-oauth: 47 47 + apiVersion: v1 48 48 + kind: Secret 49 49 + forceRename: forgejo-oauth 50 50 + annotations: 51 51 + vault.security.banzaicloud.io/vault-addr: http://vault.vault.svc.cluster.local:8200 52 52 + vault.security.banzaicloud.io/vault-role: default 53 53 + vault.security.banzaicloud.io/vault-path: kubernetes 54 54 + spec: 55 55 + stringData: 56 56 + # Forgejo expects a Kubernetes Secret for OAuth bootstrap. Creating 57 57 + # it explicitly keeps startup independent from pod-time Vault mutation. 58 58 + key: forgejo 59 59 + secret: vault:secret/data/forgejo/oauth#secret 60 60 + --- 61 61 + apiVersion: helm.toolkit.fluxcd.io/v2 62 62 + kind: HelmRelease 63 63 + metadata: 13 64 name: forgejo 14 65 namespace: flux-system 15 66 spec: ··· 18 69 - name: dex 19 70 - name: vault 20 71 - name: vault-secrets-webhook 72 72 + - name: forgejo-secrets 21 73 chart: 22 74 spec: 23 75 chart: forgejo ··· 32 84 values: 33 85 strategy: 34 86 type: Recreate 35 35 - deployment: 36 36 - env: 37 37 - - name: FORGEJO_OAUTH_SECRET 38 38 - value: vault:secret/data/forgejo/oauth#secret 39 87 gitea: 40 88 config: 41 89 database: ··· 74 122 oauth: 75 123 - name: SSO 76 124 provider: "openidConnect" 77 77 - # Use the in-cluster Dex service for bootstrap because the single-node 78 78 - # staging cluster cannot reliably hairpin through the public gateway. 79 79 - autoDiscoverUrl: http://dex.dex.svc.cluster.local:5556/.well-known/openid-configuration 80 80 - key: forgejo 81 81 - # Can't use Vault syntax directly here, because it will be templated 82 82 - # into a secret, so we need to define a separate environment variable 83 83 - secret: ${FORGEJO_OAUTH_SECRET} 125 125 + autoDiscoverUrl: https://dex.staging.khuedoan.com/.well-known/openid-configuration 126 126 + existingSecret: forgejo-oauth 84 127 admin: 85 128 email: admin@cloudlab.khuedoan.com 86 86 - username: forgejo_admin 87 87 - password: vault:secret/data/forgejo/admin#password 129 129 + existingSecret: forgejo-admin 88 130 podAnnotations: 89 131 "istio.io/dataplane-mode": "ambient" 90 132 httpRoute:

+2

platform/staging/vault.yaml

reviewed

··· 47 47 values: 48 48 env: 49 49 VAULT_ADDR: http://vault.vault.svc.cluster.local:8200 50 50 + # TODO fail fast 51 51 + # podsFailurePolicy: Fail 50 52 --- 51 53 apiVersion: helm.toolkit.fluxcd.io/v2 52 54 kind: HelmRelease