Added to kustomization.yaml: - namespaces.yaml: Centralized namespace management - auth/: Keycloak authentication system - keycloak-config.yaml: Identity provider configuration - sealed-secrets.yaml: Secret encryption system Fixed namespace conflicts: - Removed duplicate pomerium-namespace from pomerium.yaml - Removed duplicate external-dns-namespace from external-dns.yaml - All namespaces now managed centrally via namespaces.yaml Now managing 72 Kubernetes resources via GitOps: ✅ Infrastructure: Crossplane providers, external-dns ✅ Certificates: cert-manager, Let's Encrypt, Gandi webhook ✅ Authentication: Keycloak, RBAC configs ✅ Applications: Forgejo, Pomerium, Vaultwarden ✅ Security: Sealed secrets, proper RBAC 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
# External DNS service account
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: external-dns-sa
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: external-dns
|
|
namespace: external-dns
|
|
---
|
|
# External DNS cluster role
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: external-dns-clusterrole
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: external-dns
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["services", "endpoints", "pods"]
|
|
verbs: ["get", "watch", "list"]
|
|
- apiGroups: ["extensions", "networking.k8s.io"]
|
|
resources: ["ingresses"]
|
|
verbs: ["get", "watch", "list"]
|
|
- apiGroups: ["getambassador.io"]
|
|
resources: ["hosts", "mappings"]
|
|
verbs: ["get", "watch", "list"]
|
|
- apiGroups: [""]
|
|
resources: ["nodes"]
|
|
verbs: ["list", "watch"]
|
|
---
|
|
# External DNS cluster role binding
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: external-dns-clusterrolebinding
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: external-dns
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: external-dns
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: external-dns
|
|
namespace: external-dns
|
|
---
|
|
# External DNS Gandi API key secret
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: external-dns-gandi-secret
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: gandi-api-key
|
|
namespace: external-dns
|
|
type: Opaque
|
|
stringData:
|
|
api-key: "5ea1e058de81926ad37af59374756eb69f7e24af"
|
|
---
|
|
# External DNS deployment
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: external-dns-deployment
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: external-dns
|
|
namespace: external-dns
|
|
spec:
|
|
strategy:
|
|
type: Recreate
|
|
selector:
|
|
matchLabels:
|
|
app: external-dns
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: external-dns
|
|
spec:
|
|
serviceAccountName: external-dns
|
|
containers:
|
|
- name: external-dns
|
|
image: registry.k8s.io/external-dns/external-dns:v0.15.0
|
|
args:
|
|
- --source=service
|
|
- --source=ingress
|
|
- --source=ambassador-host
|
|
- --domain-filter=nge6.com
|
|
- --provider=gandi
|
|
- --registry=txt
|
|
- --txt-owner-id=external-dns
|
|
- --txt-prefix=external-dns-
|
|
- --log-level=debug
|
|
- --log-format=text
|
|
env:
|
|
- name: GANDI_PAT
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: gandi-api-key
|
|
key: api-key
|
|
resources:
|
|
limits:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
requests:
|
|
cpu: 50m
|
|
memory: 64Mi
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 65534
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop: ["ALL"] |
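Review bot: The Gandi API token is committed in plaintext in the `gandi-api-key` Secret (the `stringData` / `api-key:` line of the fourth document), even though this commit adds sealed-secrets to the kustomization; a plain `kind: Secret` with a literal `stringData` value in a GitOps repository is readable by anyone with repository access and stays in history after removal. Since the value is now in git history, it should be treated as exposed and rotated at the provider, and the manifest replaced by a SealedSecret (encrypting the `api-key` entry with kubeseal) that the Deployment's existing `secretKeyRef` to `gandi-api-key` can keep pointing at. The same applies to any other provider credential this change introduces, such as the referenced `keycloak-config.yaml`, which is outside this section. Separately, the container runs with `--log-level=debug`, which is noisier than warranted for a long-running production controller; `--log-level=info` is the safer default once the deployment is stable.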