diff --git a/bin/flux b/bin/flux
new file mode 100755
index 0000000..1984bc1
Binary files /dev/null and b/bin/flux differ
diff --git a/cert-manager/gandi-credentials-secret.yaml b/cert-manager/gandi-credentials-secret.yaml
index fb40656..4954850 100644
--- a/cert-manager/gandi-credentials-secret.yaml
+++ b/cert-manager/gandi-credentials-secret.yaml
@@ -15,4 +15,4 @@ spec:
 namespace: cert-manager
 type: Opaque
 stringData:
- api-token: "28aedbb9b4c8d634558af5d9284a794a3a423abb"
\ No newline at end of file
+ api-token: "5ea1e058de81926ad37af59374756eb69f7e24af"
\ No newline at end of file
diff --git a/external-dns.yaml b/external-dns.yaml
index 9186349..6604fee 100644
--- a/external-dns.yaml
+++ b/external-dns.yaml
@@ -1,19 +1,3 @@
-# External DNS namespace
-apiVersion: kubernetes.crossplane.io/v1alpha2
-kind: Object
-metadata:
- name: external-dns-namespace
- namespace: crossplane-system
-spec:
- providerConfigRef:
- name: kubernetes-provider
- forProvider:
- manifest:
- apiVersion: v1
- kind: Namespace
- metadata:
- name: external-dns
---
 # External DNS service account
 apiVersion: kubernetes.crossplane.io/v1alpha2
 kind: Object
diff --git a/flux/forgejo-git-secret.yaml b/flux/forgejo-git-secret.yaml
new file mode 100644
index 0000000..3eb30b0
--- /dev/null
+++ b/flux/forgejo-git-secret.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: forgejo-auth
+ namespace: flux-system
+stringData:
+ password: dd42e9f5f74e9ce5d46bb0d20503062824472706
+ username: flux-service
+
diff --git a/forgejo-k8s.yaml b/forgejo-k8s.yaml
index 5ee7155..6c7cc70 100644
--- a/forgejo-k8s.yaml
+++ b/forgejo-k8s.yaml
@@ -260,7 +260,7 @@ spec:
 spec:
 secretName: forgejo-tls
 issuerRef:
- name: letsencrypt-prod
+ name: letsencrypt-dns
 kind: ClusterIssuer
 dnsNames:
 - git.nge6.com
diff --git a/kustomization.yaml b/kustomization.yaml
index 26613ff..00375fb 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
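Review bot: The replacement `api-token` on the `+` line of the gandi-credentials-secret hunk is still a plaintext DNS-provider credential committed to the repository, and the value it replaces (`28aedbb9…`) remains recoverable from git history, so rotating it in place only helps if the old token is also revoked at Gandi. Since this same commit wires `sealed-secrets.yaml` into `kustomization.yaml`, the new token belongs in a `SealedSecret` (`encryptedData:` produced by `kubeseal`) or another external secret source, not in `stringData:`; the plaintext file should be removed and the fresh token issued only after that is in place. A Gandi token that can create DNS records for the zone is also sufficient to pass any DNS-01 challenge for it, so treat the leaked value as a full domain-takeover credential when scoping the revocation. The enclosing `spec:` of this Object starts before the hunk.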
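Review bot: The new `flux/forgejo-git-secret.yaml` commits a Flux git credential in plaintext (`password: dd42e9f5…` for user `flux-service`), which is the same pattern this commit is apparently trying to move away from by adding `sealed-secrets.yaml`; once pushed, that token should be considered exposed and regenerated, and the file replaced by a `SealedSecret` (e.g. `flux create secret git forgejo-auth … --export | kubeseal`) or left out of the repo entirely. The value should also be quoted — `password: "dd42e9f5f74e9ce5d46bb0d20503062824472706"` — because a future all-digit or `0e…`-style token would be retyped by the YAML parser and silently break authentication. Presumably the token is a Forgejo access token; if so it should be scoped to read-only on the repositories Flux reconciles rather than the account's full permissions — verify in Forgejo. Note that `flux/` is not listed under `resources:` in the visible `kustomization.yaml` hunk, so how this file reaches the cluster is not shown here.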
@@ -5,11 +5,19 @@ resources:
 # Core infrastructure
 - providers.yaml
 - provider-configs.yaml
+- namespaces.yaml
 - external-dns.yaml
 # Certificate management
 - cert-manager/
+# Authentication system
+- auth/
+- keycloak-config.yaml
+
+# Secret management
+- sealed-secrets.yaml
+
 # Applications
 - forgejo-k8s.yaml
 - pomerium.yaml
diff --git a/pomerium.yaml b/pomerium.yaml
index c86f4ec..b1d5943 100644
--- a/pomerium.yaml
+++ b/pomerium.yaml
@@ -1,19 +1,3 @@
-# Pomerium namespace
-apiVersion: kubernetes.crossplane.io/v1alpha2
-kind: Object
-metadata:
- name: pomerium-namespace
- namespace: crossplane-system
-spec:
- providerConfigRef:
- name: kubernetes-provider
- forProvider:
- manifest:
- apiVersion: v1
- kind: Namespace
- metadata:
- name: pomerium
---
 # Pomerium Helm release
 apiVersion: helm.crossplane.io/v1beta1
 kind: Release
@@ -47,16 +31,16 @@ spec:
 to: http://keycloak-http.auth-system.svc.cluster.local
 preserve_host_header: true
 allow_public_unauthenticated_access: true
- # Forgejo Git service - temporarily allow unauthenticated for setup
+ # Forgejo Git service - require authentication
 - from: https://git.nge6.com
 to: http://forgejo-http.forgejo.svc.cluster.local:3000
 preserve_host_header: true
- allow_public_unauthenticated_access: true
- # Forgejo Git service - temporarily allow unauthenticated for setup (HTTP)
+ allow_any_authenticated_user: true
+ # Forgejo Git service - require authentication (HTTP)
 - from: http://git.nge6.com
 to: http://forgejo-http.forgejo.svc.cluster.local:3000
 preserve_host_header: true
- allow_public_unauthenticated_access: true
+ allow_any_authenticated_user: true
 # Authentication service configuration
 authenticate:
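Review bot: `sealed-secrets.yaml` is added under a new "Secret management" heading in `kustomization.yaml`, yet the Secrets touched by this same commit (`cert-manager/gandi-credentials-secret.yaml`, `flux/forgejo-git-secret.yaml`) are still plain `stringData:` — the controller is wired in but nothing in the tree uses it yet. A comment above the entry stating the intent would help the next maintainer, e.g. `# Secret management — all credentials in this tree must be SealedSecrets; never commit plain Secret/stringData`. If any manifest under `auth/` or `keycloak-config.yaml` already contains a `SealedSecret`, note that those entries precede `sealed-secrets.yaml` in `resources:`, so the CRD may not exist on a first apply — I cannot see those files, so verify the ordering.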
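Review bot: The `http://git.nge6.com` route in the second pomerium hunk now requires an authenticated user but still proxies the request over plaintext, so the Pomerium session cookie (and any git basic-auth header a client sends) would cross the network unencrypted; that route should be dropped in favour of an HTTP→HTTPS redirect rather than kept as an authenticated cleartext path. `allow_any_authenticated_user: true` on both routes also grants every Keycloak account access to Forgejo; if that is not intended, restrict the policy with `allowed_groups:` or `allowed_users:` under the same route. Presumably Flux's `GitRepository` points at the in-cluster service rather than `https://git.nge6.com`; if it uses the public URL, the `forgejo-auth` basic-auth credentials will hit Pomerium's login redirect instead of Forgejo — confirm which URL Flux is configured with. The route list and the `authenticate:` block continue outside the hunk.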