From 0e3d3fcf5da70fd1af94d1d51504ed332f3a5ef2 Mon Sep 17 00:00:00 2001 From: Rob Kaufman Date: Mon, 21 Feb 2022 12:54:02 -0800 Subject: [PATCH] new deployment structure --- .gitignore | 1 + .gitlab-ci.yml | 22 ++ .sops.yaml | 3 + bin/decrypt-secrets | 20 ++ bin/encrypt-secrets | 19 ++ ops/production-deploy.tmpl.yaml | 203 +++++++++++++++++ ops/provision/.backend.enc | 21 ++ ops/provision/.gitignore | 4 + ops/provision/efs_name | 1 + ops/provision/k8s/fcrepo-values.yaml.enc | 58 +++++ .../k8s/gitlab-secret-values.yaml.enc | 79 +++++++ ops/provision/k8s/postgresql-values.yaml.enc | 50 +++++ .../k8s/prod-issuer-dns-values.yaml.enc | 88 ++++++++ ops/provision/k8s/prod_issuer.yaml | 19 ++ ops/provision/k8s/solr-values.yaml.enc | 57 +++++ ops/provision/k8s/staging_issuer.yaml | 19 ++ ops/provision/kube_config.yml.enc | 47 ++++ ops/provision/main.tf | 212 ++++++++++++++++++ 18 files changed, 923 insertions(+) create mode 100644 .sops.yaml create mode 100755 bin/decrypt-secrets create mode 100755 bin/encrypt-secrets create mode 100644 ops/production-deploy.tmpl.yaml create mode 100644 ops/provision/.backend.enc create mode 100644 ops/provision/.gitignore create mode 100644 ops/provision/efs_name create mode 100644 ops/provision/k8s/fcrepo-values.yaml.enc create mode 100644 ops/provision/k8s/gitlab-secret-values.yaml.enc create mode 100644 ops/provision/k8s/postgresql-values.yaml.enc create mode 100644 ops/provision/k8s/prod-issuer-dns-values.yaml.enc create mode 100644 ops/provision/k8s/prod_issuer.yaml create mode 100644 ops/provision/k8s/solr-values.yaml.enc create mode 100644 ops/provision/k8s/staging_issuer.yaml create mode 100644 ops/provision/kube_config.yml.enc create mode 100644 ops/provision/main.tf diff --git a/.gitignore b/.gitignore index e7f7227d..4df40b45 100644 --- a/.gitignore +++ b/.gitignore @@ -73,3 +73,4 @@ docker/local-docker-compose-2.yml data/** fcrepo-import-export-* solr_db_initialized +ops/*-deploy.yaml 
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b5785571..8051dd93 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -160,6 +160,28 @@ hyku.staging:
 tags:
 - kubernetes
+hyku.production:
+ stage: go
+ only:
+ refs:
+ - main
+ when: manual
+ variables:
+ DEPLOY_IMAGE: $CI_REGISTRY_IMAGE
+ DEPLOY_TAG: $CI_COMMIT_SHORT_SHA
+ WORKER_IMAGE: $CI_REGISTRY_IMAGE/worker
+ HELM_EXPERIMENTAL_OCI: 1
+ HELM_RELEASE_NAME: hyku-production
+ KUBE_NAMESPACE: hyku-production
+ HELM_EXTRA_ARGS: >
+ --values ops/production-deploy.yaml
+ script:
+ - export KUBECONFIG=$KUBECONFIG_BL
+ - envsubst < ops/production-deploy.tmpl.yaml > ops/production-deploy.yaml
+ - ./bin/helm_deploy hyku-production hyku-production
+ tags:
+ - kubernetes
+
 
 hyku.staging.stop:
 stage: go
 extends:
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 00000000..eac0cc62
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,3 @@
+---
+creation_rules:
+ - pgp: "40B3DE7A02CAC8D1DE76223483DA3B754DD29AF9"
diff --git a/bin/decrypt-secrets b/bin/decrypt-secrets
new file mode 100755
index 00000000..ddee1880
--- /dev/null
+++ b/bin/decrypt-secrets
@@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+
+# require 'byebug'
+
+parent_dir = File.dirname(__dir__)
+Dir.chdir(File.join(parent_dir, 'ops', 'provision'))
+[
+ ".env.*",
+ "kube_config.yml",
+ ".backend",
+ "k8s/*-values.yaml"
+].each do |files|
+ Dir.glob(files).each do |file|
+ next if file.match(/enc/)
+ next if !File.exists?("#{file}.enc")
+ cmd = "sops --decrypt #{file}.enc > #{file}"
+ puts cmd
+ %x{#{cmd}}
+ end
+end
diff --git a/bin/encrypt-secrets b/bin/encrypt-secrets
new file mode 100755
index 00000000..285779ee
--- /dev/null
+++ b/bin/encrypt-secrets
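Review bot: The `- envsubst < ops/production-deploy.tmpl.yaml > ops/production-deploy.yaml` step substitutes every `$NAME` it finds in the template rather than only the two it is meant to fill, and the rendered file holding the real database and Solr passwords is left in the runner's checkout once `helm_deploy` returns. Restricting substitution to the intended variables and deleting the rendered file afterwards keeps both contained: `- envsubst '$PROD_DATABASE_PASSWORD $PROD_SOLR_PASSWORD' < ops/production-deploy.tmpl.yaml > ops/production-deploy.yaml` in `script:` plus an `after_script:` with `- rm -f ops/production-deploy.yaml`. `export KUBECONFIG=$KUBECONFIG_BL` would most likely let helm fall back to the runner's default kubeconfig when `KUBECONFIG_BL` is not defined for this job; a preceding `- test -n "$KUBECONFIG_BL"` fails the job instead of deploying to the wrong cluster. `DEPLOY_IMAGE`, `DEPLOY_TAG` and `WORKER_IMAGE` are not referenced by the template, so presumably `bin/helm_deploy` consumes them; that script is not part of this patch.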
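Review bot: `creation_rules` lists a single PGP fingerprint, so every `.enc` file added in this patch is recoverable only with that one private key, and losing it makes the kubeconfig, backend and chart values unrecoverable from the repository. Adding at least one more recipient and re-running `sops updatekeys` on the encrypted files removes the single point of failure, e.g. `- pgp: "40B3DE7A02CAC8D1DE76223483DA3B754DD29AF9,<BACKUP-KEY-FINGERPRINT>"` with the placeholder replaced by a team-held key. A `path_regex` on the rule would also stop the same rule from silently applying to unrelated files, though nothing on this page shows that happening yet.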
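Review bot: `%x{#{cmd}}` throws away sops's exit status, and because the shell opens `> #{file}` before sops runs, a failed decrypt (missing private key, MAC mismatch) leaves an empty or truncated `kube_config.yml` / `.backend` behind with no error, which `bin/encrypt-secrets` — which does not inspect the plaintext either — could then encrypt over the good `.enc`. Replacing the last two lines of the inner block with `system(cmd) or abort("sops --decrypt failed for #{file}.enc")` makes the failure fatal and visible; the same `%x{#{cmd}}` pattern in `bin/encrypt-secrets` needs the same treatment. `File.exists?` is deprecated and removed in Ruby 3.2, so `next unless File.exist?("#{file}.enc")` is the forward-compatible spelling. `next if file.match(/enc/)` also skips any plaintext whose name merely contains `enc`; `next if file.end_with?('.enc')` says what is meant.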
@@ -0,0 +1,19 @@
+#!/usr/bin/env ruby
+
+# require 'byebug'
+
+parent_dir = File.dirname(__dir__)
+Dir.chdir(File.join(parent_dir, 'ops', 'provision'))
+[
+ ".env.*",
+ "kube_config.yml",
+ ".backend",
+ "k8s/*-values.yaml"
+].each do |files|
+ Dir.glob(files).each do |file|
+ next if file.match(/enc/)
+ cmd = "sops --encrypt #{file} > #{file}.enc"
+ puts cmd
+ %x{#{cmd}}
+ end
+end
diff --git a/ops/production-deploy.tmpl.yaml b/ops/production-deploy.tmpl.yaml
new file mode 100644
index 00000000..d7e572a3
--- /dev/null
+++ b/ops/production-deploy.tmpl.yaml
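Review bot: `sops --encrypt #{file} > #{file}.enc` rewrites every `.enc` on every run, and sops draws a fresh data key and IVs each time, so unchanged plaintext still produces a full-file diff in git and hides which secret actually changed. Guarding with `next unless File.size?(file)` skips files whose plaintext is missing or empty, which also stops an empty leftover from a failed decrypt from replacing a good `.enc` (the ignored exit status of `%x{...}` is covered in the `bin/decrypt-secrets` note). For a value change on an existing file, sops's in-place editing (`sops k8s/solr-values.yaml.enc`) should keep the diff to the values that changed, which is worth mentioning in a comment at the top of this script.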
@@ -0,0 +1,203 @@ +replicaCount: 2 + +livenessProbe: + enabled: false +readinessProbe: + enabled: false + +brandingVolume: + storageClass: efs-sc +derivativesVolume: + storageClass: efs-sc +uploadsVolume: + storageClass: efs-sc + size: 200Gi + +extraVolumeMounts: &volMounts + - name: uploads + mountPath: /app/samvera/hyrax-webapp/tmp/imports + subPath: imports + - name: uploads + mountPath: /app/samvera/hyrax-webapp/tmp/exports + subPath: exports + - name: uploads + mountPath: /app/samvera/hyrax-webapp/public/system + subPath: public-system + - name: uploads + mountPath: /app/samvera/hyrax-webapp/public/uploads + subPath: public-uploads + - name: uploads + mountPath: /app/samvera/hyrax-webapp/tmp/network_files + subPath: network-files + +ingress: + enabled: true + hosts: + - host: oar.notch8.cloud + paths: + - path: / + - host: "*.oar.notch8.cloud" + paths: + - path: / + annotations: { + kubernetes.io/ingress.class: "nginx", + nginx.ingress.kubernetes.io/proxy-body-size: "0", + cert-manager.io/cluster-issuer: letsencrypt-production-dns + } + tls: + - hosts: + - oar.notch8.cloud + - "*.oar.notch8.cloud" + secretName: notch8cloud + +extraEnvVars: &envVars + - name: CONFDIR + value: "/app/samvera/hyrax-webapp/solr/config" + - name: DATABASE_ADAPTER + value: postgresql + - name: DATABASE_HOST + value: postgresql.default.svc.cluster.local + - name: DATABASE_NAME + value: hyku + - name: DATABASE_PASSWORD + value: $PROD_DATABASE_PASSWORD + - name: DATABASE_USER + value: postgres + - name: FCREPO_BASE_PATH + value: /bl + - name: FCREPO_HOST + value: fcrepo.default.svc.cluster.local:8080 + - name: FCREPO_PATH + value: /rest + - name: FEDORA_URL + value: http://fcrepo.default.svc.cluster.local:8080/rest + - name: INITIAL_ADMIN_EMAIL + value: support@notch8.com + - name: INITIAL_ADMIN_PASSWORD + value: testing123 + - name: IN_DOCKER + value: "true" + - name: LD_LIBRARY_PATH + value: /app/fits/tools/mediainfo/linux + - name: PASSENGER_APP_ENV + value: production + - name: 
RAILS_CACHE_STORE_URL + value: redis://:production@hyku-production-redis-master:6379/bl + - name: RAILS_ENV + value: production + - name: RAILS_LOG_TO_STDOUT + value: "true" + - name: RAILS_MAX_THREADS + value: "5" + - name: RAILS_SERVE_STATIC_FILES + value: "true" + - name: REDIS_HOST + value: hyku-production-redis-master + - name: REDIS_URL + value: redis://:production@hyku-production-redis-master:6379/bl + - name: HYRAX_ACTIVE_JOB_QUEUE + value: sidekiq + - name: HYKU_BULKRAX_ENABLED + value: "true" + - name: HYKU_CONTACT_EMAIL + value: support@notch8.com + - name: HYKU_FILE_ACL + value: "false" + - name: HYRAX_FITS_PATH + value: /app/fits/fits.sh + - name: HYKU_ADMIN_HOST + value: iro.bl.uk + - name: HYKU_ADMIN_ONLY_TENANT_CREATION + value: "true" + - name: HYKU_ALLOW_SIGNUP + value: "false" + - name: HYKU_DEFAULT_HOST + value: "%{tenant}.iro.bl.uk" + - name: HYKU_MULTITENANT + value: "true" + - name: HYKU_ROOT_HOST + value: iro.bl.uk + - name: HYKU_SMTP_SETTINGS + value: '{"from":"openaccess@bl.uk","user_name":"apikey","password":"***REMOVED***","address":"smtp.sendgrid.net","domain":"bl.uk","port":"587","authentication":"plain","enable_starttls_auto":true}' + - name: SMTP_ADDRESS + value: smtp.sendgrid.net + - name: SMTP_DOMAIN + value: "bl.uk" + - name: SMTP_ENABLED + value: "true" + - name: SMTP_PASSWORD + value: "***REMOVED***" + - name: SMTP_PORT + value: "587" + - name: SMTP_USER_NAME + value: apikey + - name: SMTP_TYPE + value: plain + - name: SOLR_ADMIN_USER + value: admin + - name: SOLR_COLLECTION_NAME + value: hyku + - name: SOLR_CONFIGSET_NAME + value: hyku + - name: SOLR_HOST + value: solr.default.svc.cluster.local + - name: SOLR_PORT + value: "8983" + - name: SOLR_URL + value: http://admin:$PROD_SOLR_PASSWORD@solr.default.svc.cluster.local:8983/solr/ + - name: SECRET_KEY_BASE + value: 2b989efef38672467771269e8e430afebf55faf20da72e302e1893a3a5de22d9967b30b18d4ef369c9d34a6ca7315f99cb13fb98825aea4ee347a21be70f917e + +worker: + replicaCount: 1 + 
extraVolumeMounts: *volMounts + extraEnvVars: *envVars + podSecurityContext: + runAsUser: 1001 + runAsGroup: 101 + fsGroup: 101 + fsGroupChangePolicy: "OnRootMismatch" +podSecurityContext: + runAsUser: 1001 + runAsGroup: 101 + fsGroup: 101 + fsGroupChangePolicy: "OnRootMismatch" + +embargoRelease: + enabled: false +leaseRelease: + enabled: false + +redis: + cluster: + enabled: true + password: production + +imagePullSecrets: + - name: gitlab-registry + +solr: + enabled: false + replicaCount: 2 + collectionReplicas: 1 + zookeeper: + replicaCount: 1 + +fcrepo: + enabled: false + storage: + size: 105Gi + +postgresql: + enabled: false + +externalSolrHost: solr.default.svc.cluster.local +externalSolrUser: admin +externalSolrPassword: $PROD_SOLR_PASSWORD +externalSolrCollection: "hyku" +externalFcrepoHost: fcrepo.default.svc.cluster.local +externalPostgresql: + username: postgres + password: $PROD_DATABASE_PASSWORD + database: hyku + host: postgresql.default.svc.cluster.local diff --git a/ops/provision/.backend.enc b/ops/provision/.backend.enc new file mode 100644 index 00000000..78a6e729 --- /dev/null +++ b/ops/provision/.backend.enc 
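Review bot: `SECRET_KEY_BASE`, `INITIAL_ADMIN_PASSWORD: testing123` and the redis password `production` (in `redis.password`, `REDIS_URL` and `RAILS_CACHE_STORE_URL`) are committed in plaintext in this template, whereas the database and Solr passwords are injected through `$PROD_DATABASE_PASSWORD` / `$PROD_SOLR_PASSWORD`. A Rails `SECRET_KEY_BASE` that has been in git history should be treated as disclosed: move these to CI variables following the existing convention (constructed names: `value: $PROD_SECRET_KEY_BASE`, `value: $PROD_INITIAL_ADMIN_PASSWORD`, `password: $PROD_REDIS_PASSWORD`) and rotate the key, accepting that existing sessions are invalidated. Separately, the ingress accepts `oar.notch8.cloud` / `*.oar.notch8.cloud` while `HYKU_ADMIN_HOST`, `HYKU_ROOT_HOST` and `HYKU_DEFAULT_HOST` point at `iro.bl.uk`, so unless those names are fronted by another route the tenant URLs the app generates will not match what the ingress serves — worth confirming. `livenessProbe` and `readinessProbe` are both disabled for a two-replica production release, which means a rollout will route traffic to a new pod before it is actually serving.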
@@ -0,0 +1,21 @@ +{ + "data": "ENC[AES256_GCM,data:+FavHueQv9mq/CCZKOZu1O9hAJsr490MndPAIj0dapUUJj9US4wuT9j9zy1uZgV7YxdAw6HluwBfGZSRps9VYP+9EVxFX0N98Ghykpe9MWZG/8aiHtu7wIMPyGTUUnAN/WLdNrumxBr77KL67II2J4n85cXd,iv:r3wOvzDRDWrDt6P3HkIIJHB4r9ns0gDTM/XxOUPAIPo=,tag:vjBcaHDZF4HjBKfLUCLrow==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-02-21T20:48:08Z", + "mac": "ENC[AES256_GCM,data:48+JeAKvcvFqErSruhWSJcRZaLLQ29u7NyLez/SyAd4ohvJaK7aJfN1jbOBEu6Q2pskbB+f5zC26zcgHgvqziQDPUz45ITib+wvLYTB470XpKMmMFL6ciC3j1kyRrYMTcGyqz2MbpWaUsS2eYootnnEzobnMrJEatjvMlxjf9rY=,iv:pYXhib6tsGjtmxXyCzvL/dhIn90ZluorA3Hp6iumYCs=,tag:2/Gjjrn/hW6QmCS/D2rEYA==,type:str]", + "pgp": [ + { + "created_at": "2022-02-21T20:48:07Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nwcFMA7doaBdjNJH+ARAAeaeLJEYR27okMjBTqQCi2/8MQlP6YEaetjCsGvLD4L2e\nCL5mnqTBBJw2NgP7THKqHhc+1Om92FQ0yzsQgvJ4fxIhs2lICICcaXEn8Taoeq5e\nPPKukSmdJrI+HwwtYL4kva4Qkxf72d62LIaHWd9Ul0lpawqdVoroUrfwhtGfG1iD\nb05a4jffwRColozopU80oXk/qSy9P9CLkhGNbKHNZVJg/8zc1WPS6z3wOYZas+bt\nr1HT35Bgb82Bpke/2d+7RIJE12l9doio2jnHYr2DolGopwbcIZZZLap4/yOK1qie\n3MpSbQ3Q9xOQfCNqRkRDFnHqoaa4kGB34mEYjopwKyd5cmMa4JYLkd+0T+bp+iJo\n0i0/YS1w0LwrahYRBGh08Nmofwgw5Ys9mWQFR5qIs5S199Yg7kR5f0VfGlBpx3tO\niQGvk6yIDmIQsZiQXCJAgTuKw7TVQYuZcUuBNoqffT3dKEdB0cJpLhGINWF4NCmy\nkYWXrPIjNBmnO6wLWlFc0azwvDhEfP4wnmvjBxAVD/lE9Pp0Dq2IRXZL/ZZXqOp2\nvzS4t/Z/kVWNNDVpZfBgqcVU/OshBpKqQpn6kLV3EYV4KDSMaQOBnB9yTmtkcs/H\nfgAVaXZ8hTYzAr5gHkDX5CytAp9wOOde9SWuuXx/00JkWDK7vk9iGGSXGrPED7DS\n5gGrdqbT+uzx4yYxwB59vEdnSyw+IBNKYHyC+ouQyxBpZOR9Y4wXtEaxHUgj0Zs5\nNgcYv0nXw5YSw5dNkX0gpxDkgguKg7wD2jN2R/W4pEZN0+J3JOVKAA==\n=8Flw\n-----END PGP MESSAGE-----", + "fp": "40B3DE7A02CAC8D1DE76223483DA3B754DD29AF9" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file diff --git a/ops/provision/.gitignore b/ops/provision/.gitignore new file mode 100644 index 00000000..aace88e3 --- /dev/null 
+++ b/ops/provision/.gitignore @@ -0,0 +1,4 @@ +kube_config.yml +k8s/*-values.yaml +.backend +.terraform* diff --git a/ops/provision/efs_name b/ops/provision/efs_name new file mode 100644 index 00000000..08c1f1c2 --- /dev/null +++ b/ops/provision/efs_name @@ -0,0 +1 @@ +fs-0f75c2b025a620200 diff --git a/ops/provision/k8s/fcrepo-values.yaml.enc b/ops/provision/k8s/fcrepo-values.yaml.enc new file mode 100644 index 00000000..ee98e6f0 --- /dev/null +++ b/ops/provision/k8s/fcrepo-values.yaml.enc 
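Review bot: The ignore list covers `kube_config.yml`, `k8s/*-values.yaml`, `.backend` and `.terraform*`, but `bin/decrypt-secrets` also writes plaintext `.env.*` files into this same directory and nothing here excludes them. Unless the top-level `.gitignore` already matches `.env.*` (only its tail is visible on this page), adding `.env.*` to this file keeps a decrypted environment file from being committed by a stray `git add .`.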
@@ -0,0 +1,58 @@ +replicaCount: ENC[AES256_GCM,data:iA==,iv:veTqWCc7z0UCRzdYoT7AAghEs6t/H9h8mucZuybWdYw=,tag:opJPFPSUdT39SQKcsuQ+Zw==,type:int] +storage: + enabled: ENC[AES256_GCM,data:wtCyeQ==,iv:co3c4yz4U15JLWXkMP34E4ABSLV4RUVquyC3gDPPNHE=,tag:tiIoQm7NQAd78ejAqiUAEg==,type:bool] + size: ENC[AES256_GCM,data:SsFvlw==,iv:a06VOxc+kkROY6vIZcE5Im/84X1WMZJRz5Nn7iafY18=,tag:2b2pzeV242qSATTcLP3a+g==,type:str] + className: ENC[AES256_GCM,data:+BjW,iv:dDrlmvZrmyoqhe4JWlDuVGiTpbSm6FdAA+LSsDYouUE=,tag:OAPRB53/3hneBwg/fjD+PQ==,type:str] +image: + repository: ENC[AES256_GCM,data:0ajssKMOOlaTcILEuDbO,iv:eZz5FEoEn2VzFRiNLPki2J+QfdwqmMxbhHFD5DnmioE=,tag:xlTskKO7EUagzNt4ZBMzLg==,type:str] + pullPolicy: ENC[AES256_GCM,data:rMNzR9nChM/HwQQ2,iv:uhnJAvJuQD6jSdXCT5eVnQHNY9ZxKETq0uOF6TfPkCg=,tag:59i4BD0EyibED3UgrAbx6w==,type:str] + tag: ENC[AES256_GCM,data:gX+72og=,iv:GuFaddMuV+3qSgis1Y88WecMl7DEtERVw4m3dtxcpQo=,tag:AVEZnZX/nxtzIH3fe/4S5g==,type:str] +postgresql: + enabled: ENC[AES256_GCM,data:a0lmXX8=,iv:qF8VWOTRmRvEkRz0Rk87mBCmwauhUjIknSqCKK1czRg=,tag:4v6prqCEcXvfbBxmMJioJQ==,type:bool] +externalPostgresql: + host: ENC[AES256_GCM,data:DP+T/iDGQm/4COOkIRW0byee,iv:sqLCmzg5iaGdh/Vr6JjOadtOyStgeN370vGnP1XMXew=,tag:cPx6mCnucLW+fop2m76pWQ==,type:str] + #ENC[AES256_GCM,data:qfwMWU3U+5zr5A8Tte+7dxaNijtW8JQAr34brmK/iHFOqA==,iv:lcH+r4HE5mQsv2iFGZi6B7BoqUr3Y4W8B1j2MvCtdIg=,tag:Pj3a0IrhFgtPI2VphVZGFA==,type:comment] + username: ENC[AES256_GCM,data:xz1M5w1H,iv:MRMo7/arY7A7LLi+946/RRK2r4tzOjK7eMVftDx+djY=,tag:jFZIle/K+JZEf4G9khlSfg==,type:str] + password: ENC[AES256_GCM,data:1DpDz87UZ7vtwg/6YOobSD4C,iv:pw3GKeQrq+8qczGOKMxvJkWuqFvbkKvH/0bj6qkexCM=,tag:SPCKacvEKJKAPgZ4uoiAqw==,type:str] +s3: + enabled: ENC[AES256_GCM,data:kQfOvgM=,iv:ID9fz46mlh8UAksT/hBjN3Udl3nJfm3dhYlokoqJD48=,tag:+PYwx/80yAiO3o+Y+WCbyA==,type:bool] + bucket: ENC[AES256_GCM,data:dR7RbW01dopBKBys0ct9eIM=,iv:T8Zd7yXemLlgugqt9KRjlByTkYCzZeffh9Ip8XlpFaM=,tag:Lq2sMiCD7zizlY2UERvVMQ==,type:str] + access_key: 
ENC[AES256_GCM,data:fUDfLB4f3ZNBnB0NAHYMhARBD20=,iv:lqwIgND47P8ZLaH82VP//08fYjAi8p2UUqiVQZGWKJE=,tag:8LPiiwhSOmMzx+0z9QCkbg==,type:str] + secret_key: ENC[AES256_GCM,data:ugLr/k4RWXmpd5GEaYFEMgugkhDvIH/ft9wbcaDDiqfQjM/kY4L09Q==,iv:ydVu2D88zf5hY08pFrzkcdVb8UP7iyCFzBUhzTnwZq4=,tag:FMeQ2bLaDzEqvOPIKzdzxA==,type:str] +resources: + limits: + memory: ENC[AES256_GCM,data:KI2N,iv:vsifSno0RviAGhGfk4afncmmn9/O9XV2xM4qq9+6m5k=,tag:d+EWYTp9eMhHDoahPNcR9Q==,type:str] + requests: + memory: ENC[AES256_GCM,data:i296,iv:jAu/Yc1WphLsj7c85Zibw0HRb3QLsfHIDeoFtopDYdI=,tag:SJXuhBLEfHF/VIBKoNqPCQ==,type:str] +additional_java_options: ENC[AES256_GCM,data:bGWhqGkXGXVuIKBOqNpBr+rAoa/WiPdYIBws3nCm4kB3uHUyGEl1F69xWmjkR302vSonF0dDyooVpIgok7Dw2TU3DaRZuRsG5ao+jvgz2Fnhe0K34qLpeMzVySSl2y3G9+I4eRy+DY7CFhrwlErvCDe9HMgNSwoZ9C+nWro3FZMy1DDKX/nxMhBgR84769U1eNQMDwDBehVq/ZUhXymR6sczmw6x+CN5m7oz2pBSjlnY03A=,iv:ra/GqZMDtA0hK4wVuIB5REOyC4f7u/OcZubh3qtlHwY=,tag:NJS2k9L+zMcqRLfTyMjetg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-02-21T20:48:12Z" + mac: ENC[AES256_GCM,data:Td1C3qH/5mM7wqRJ2SJg8b77lNR3pro2M+m7YORjo8nn7FaYEVsjWhASGrRvLzLCm+M+VXxUV4rCj/H9OymqCuoc/6i11i6x07JFyQCgx3IdRgcsbvTCY8Q42LJ1l+nc+immZ0UWBN8Nux/gByRf48rV/+DRtJaZktXIcB71gSQ=,iv:0woVclaYa2F3It9ZnCg5mO8gYBKeKWWl2Xo0C13p9jo=,tag:Hs46y+MBM+OpZ0Rpsmg1Ew==,type:str] + pgp: + - created_at: "2022-02-21T20:48:11Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7doaBdjNJH+ARAAeDYsetszKHoCO7zkA/heD9cSqDCyaKqe/HtpHVRWc2wm + OtFV8/eacPBiyubvrsbwmC5dsPl+8S9PTvPDUbXNtuMUeEZglUEE7KkMkgXlgxpE + AvUBGqQz2aOR9psK3Cn5tpD/5vXGt+/oUFaIvOs4zVazZENV01pZdl/SSMc2PHeu + d/wfVSvCbyOsX3tIhOqYrDLRu1q+KqG7Hw0JEpsrZuuvRPZ/36H/h3+sVUDxIlmC + NvKhryQDSKRSx2BKcG8cCoSFuXJwB+x+aanxATzzCUuXVaXPwwJQlZX3PRX2OrXj + szC0PvotZEjTnWJQMIXvt39E0dHZyT3+FIGdAUuDnRMNRR/ntWFFYHXEjyzCHz39 + 6BbUuN1c7SbBSECLwuiaCXeeQA3cxFu2sO4fbeE249OKYiYKskAQX1e6ucC7SNEl + ha0/YDPW4DGmW9i7rk0OoN2y5XjSSHONa2sffjjXVXxLo8wyCQ/heheKuVwYILBu + 
uKSTgFrDap2HkhyrnYyrL4eMV3OEpFRoOxnlfqaaGfqAMt+4dAYpD+6HtaHXMvtv + lkppBqzIiZ5w6zy0cJGPQaj2BSMCNM4nWSsQ/wF2ZNnswlvYBXU75dowPZCo/lTu + tjSfdH+Q72CHUe0fS08Hiam6Btz0Km1kfvUgFX6MFUU9BWzPsFX/XYutAvFGRvnS + 5gGQCxNPpGj0kxxIr0oPvLeKuluj4KIlKPjMOEwZZl4LXWoGVXHGcE6R4ctHHqSV + ak5rWbt5tzB11EAEk82axSHki/3oo2jBg8c3uI6GfgPL9OJ/qr0YAA== + =WNIJ + -----END PGP MESSAGE----- + fp: 40B3DE7A02CAC8D1DE76223483DA3B754DD29AF9 + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/ops/provision/k8s/gitlab-secret-values.yaml.enc b/ops/provision/k8s/gitlab-secret-values.yaml.enc new file mode 100644 index 00000000..d76ef1b6 --- /dev/null +++ b/ops/provision/k8s/gitlab-secret-values.yaml.enc 
@@ -0,0 +1,79 @@ +apiVersion: ENC[AES256_GCM,data:UTE=,iv:cfNh4iGSlCs4s4laOM5aW8LBLH9FYRQmotM8CyI6IYo=,tag:P5Qa6dWThf+j8JenHfGaig==,type:str] +data: + .dockerconfigjson: ENC[AES256_GCM,data:Mpc4SKRacHS2k/sSzyy84WB3BjouVh7c3UJWhlptubYWaNXreUSdquuVj99e3Lrdk8RNdMHGpEEixcAE0vUmW6uPUvjXxujyDDxAvQWILSwdWnL27SxrmfAsghm4JW02L5odpmb1Pm8vAh06J9xhog6+PIT8nLv5wNYejQ==,iv:jvx5T1rr1/NIQ2knNwW85a5CaFame9tWV/Zuxmqqnr8=,tag:QAHpt9cFR2KfmbH3B82rSw==,type:str] +kind: ENC[AES256_GCM,data:zwShlv9m,iv:AOA21RWi0hWceq2rV/cpEjDyRwxz4skWVgnuao9QTHw=,tag:UQH0FBDDMqLbUm963QnFhA==,type:str] +metadata: + name: ENC[AES256_GCM,data:3nUiBu1r,iv:/HvEl3FOn8c2VnWJLJOiCxQSmMJ+seRWj50iSjyX7kY=,tag:sPZXGmelbf0VsXjdeYZJbA==,type:str] + namespace: ENC[AES256_GCM,data:ShbJ,iv:Ot61+cTOFWCc+1tg50+War+MqkYQotpVO3g4BroGg6E=,tag:B8S4M06ME0jSJreSzIm9gA==,type:str] +type: ENC[AES256_GCM,data:XP6jt3BOA/jnNrbFJVlyC4UOD59OoRaqfqGaxnr/,iv:j3xfWpDL1UypMiEA8YSnsh0qEMFzCFSGBh+dn3IEmwk=,tag:kWXWEIJA9sHnOZMBWyPtHg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-02-21T20:48:13Z" + mac: ENC[AES256_GCM,data:yVoJYNHZQRQ6XIVjgWDVvPX36kfAZzVfbIBhA4eri7uDsei/B4HcRzH2mdELOLJdlD3V9CP0ep/+O4HOBWYpEdmIICdkalPqCfNUW4UVkFGCvuCX4kqYwNjYha0ycqpy19nUFBnysmAW59Ar32U7SOkIsxT17i5ifLVGNt/YqkU=,iv:5Eaq4hKDc1rUOGoOiA7Aa9pxWi5xX0OTGN7RIwCmFXw=,tag:3vBJi3myTQniXuo++r6qWA==,type:str] + pgp: + - created_at: "2022-02-21T20:48:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7doaBdjNJH+ARAAmYIY7Sy1aNslHhvYj+KXnYVu5jQ0kmJBS8tCqZACFXo/ + 8Hnlqsmy0hLBO0Fg8A9IvCMwKDWMxUwBDvJz+YfnT/S2WQdwc5x0W5vPH3wH7qPI + v6IKIb1d7tYV2xudMtA7TzDcn99XfD7DI3x/luReiDJTWN6DGjeN8LQlxyxkYwQp + TI3ucJ3TIs+SAgu/rADTXeJ9ksAjR7IbbzeYCtAi0j1zJ0vnaTJUziZVI4HaV7E4 + s25BZuTmcAjeo39o2fNr9WCeLn/qPiihn6aPaZnM55ilhm24zvcgDF8WdVW9mpSD + Dv8Vf+v1Xzk853OOomszGsmv60TBZ0XF77fRJmsYZgPnCKne7WTM+E+ROPjfFmcq + xiBCAJThFv2tQr+dRvQeAaRsIuojFDDRckzS88FPn7XpgB/zyKccCvu0pCVjQko5 + 
SAbIJ/a0xyq6uTiFUmZcpRYhJguga1wFqgAg04bSP/Grx8qUKnm9G7pinoGJ/4bc + waewcYDHfu/d4HSV2MvJqJAD2v0FtchONI8bXTnil1MOuVH8jJeZvF0X+5PTCSXA + zakbP4pbz/OTQQvoG73kObKVYQHcsOppBWIrruK4WaNxWuxNFZIRR5e/kIYuCbZ3 + KhJEs1wwcpJT+BbK+7irscgtUE7SgQ+MWS16m+eQJgHHzN9uBkgkAVC4U6W3UbrS + 5gHU14fMjBgK+DGKzwYAHTp71rl+JKmhSr/V7z1t334BRwRvafarz/SNr29BLeid + fvJX76l0oTt/76RdQFq++JLk0Fwuz4Z6ilx9PooAQY2pGOL3Z78+AA== + =iXAv + -----END PGP MESSAGE----- + fp: 40B3DE7A02CAC8D1DE76223483DA3B754DD29AF9 + unencrypted_suffix: _unencrypted + version: 3.7.1 +--- +apiVersion: ENC[AES256_GCM,data:3xE=,iv:3/ylx6YOR4oenj7Nh8giHcFG6LLVqMPgj6o0tDeC2rg=,tag:vidJ4NpjKU6HHuBtI7azKw==,type:str] +data: + .dockerconfigjson: ENC[AES256_GCM,data:j5H4K9tmtH5rMCfoYJQ9ZBrwxwKiIwBh2SXO8vhSzAS6OnPZJarYnJmNZ4SflIXG0S2S1HMDG1BylbpUfcM3HXNAQA//iJkucV1Rv4afYuXdr581kKEgcOTeIG584ItCDAq4IcMrrmpCgGBwPHvA8wgbitZqgAHsDs+IIQ==,iv:w+0lWSBks7eX8WyAoIN7ISA2XRtbsXj7QDjj8KK7DY8=,tag:a5M9lHzPA3fNrctpomcyVg==,type:str] +kind: ENC[AES256_GCM,data:XF2AgkoG,iv:Vagj7myErdORr9EEHIE6oKflAaDDpV1eKUbVYbLpHNs=,tag:hKzsRrnQ2mo/gb9mmPKTqA==,type:str] +metadata: + name: ENC[AES256_GCM,data:EEw0nsUd,iv:BjkeDfyFUBtNcT94ObrTGmbpG1L9UmDUK85TlBCiI5I=,tag:xS/qbGg5h3rdmOUZf4/3NA==,type:str] + namespace: ENC[AES256_GCM,data:C1x2fph5Lj/QPw==,iv:xeDrEBtfvK2viKoz+mcTSaL4Fqy2I3mTC8EepGdSsP4=,tag:wiprgA0pEnfSWsCDy4t6Nw==,type:str] +type: ENC[AES256_GCM,data:uEOWF4Eajmt9OB+BjwIzyqzI30mGqM2oTW//xlPs,iv:sqCeUYemOPpSQMboyXQVMTa9LaFQb1eqldROLFBqWEA=,tag:WFqZG2SnsfsaB7O2O/P3/A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-02-21T20:48:13Z" + mac: ENC[AES256_GCM,data:yVoJYNHZQRQ6XIVjgWDVvPX36kfAZzVfbIBhA4eri7uDsei/B4HcRzH2mdELOLJdlD3V9CP0ep/+O4HOBWYpEdmIICdkalPqCfNUW4UVkFGCvuCX4kqYwNjYha0ycqpy19nUFBnysmAW59Ar32U7SOkIsxT17i5ifLVGNt/YqkU=,iv:5Eaq4hKDc1rUOGoOiA7Aa9pxWi5xX0OTGN7RIwCmFXw=,tag:3vBJi3myTQniXuo++r6qWA==,type:str] + pgp: + - created_at: "2022-02-21T20:48:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
wcFMA7doaBdjNJH+ARAAmYIY7Sy1aNslHhvYj+KXnYVu5jQ0kmJBS8tCqZACFXo/ + 8Hnlqsmy0hLBO0Fg8A9IvCMwKDWMxUwBDvJz+YfnT/S2WQdwc5x0W5vPH3wH7qPI + v6IKIb1d7tYV2xudMtA7TzDcn99XfD7DI3x/luReiDJTWN6DGjeN8LQlxyxkYwQp + TI3ucJ3TIs+SAgu/rADTXeJ9ksAjR7IbbzeYCtAi0j1zJ0vnaTJUziZVI4HaV7E4 + s25BZuTmcAjeo39o2fNr9WCeLn/qPiihn6aPaZnM55ilhm24zvcgDF8WdVW9mpSD + Dv8Vf+v1Xzk853OOomszGsmv60TBZ0XF77fRJmsYZgPnCKne7WTM+E+ROPjfFmcq + xiBCAJThFv2tQr+dRvQeAaRsIuojFDDRckzS88FPn7XpgB/zyKccCvu0pCVjQko5 + SAbIJ/a0xyq6uTiFUmZcpRYhJguga1wFqgAg04bSP/Grx8qUKnm9G7pinoGJ/4bc + waewcYDHfu/d4HSV2MvJqJAD2v0FtchONI8bXTnil1MOuVH8jJeZvF0X+5PTCSXA + zakbP4pbz/OTQQvoG73kObKVYQHcsOppBWIrruK4WaNxWuxNFZIRR5e/kIYuCbZ3 + KhJEs1wwcpJT+BbK+7irscgtUE7SgQ+MWS16m+eQJgHHzN9uBkgkAVC4U6W3UbrS + 5gHU14fMjBgK+DGKzwYAHTp71rl+JKmhSr/V7z1t334BRwRvafarz/SNr29BLeid + fvJX76l0oTt/76RdQFq++JLk0Fwuz4Z6ilx9PooAQY2pGOL3Z78+AA== + =iXAv + -----END PGP MESSAGE----- + fp: 40B3DE7A02CAC8D1DE76223483DA3B754DD29AF9 + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/ops/provision/k8s/postgresql-values.yaml.enc b/ops/provision/k8s/postgresql-values.yaml.enc new file mode 100644 index 00000000..99148303 --- /dev/null +++ b/ops/provision/k8s/postgresql-values.yaml.enc 
@@ -0,0 +1,50 @@ +image: + tag: ENC[AES256_GCM,data:Hb7/9bF+r5Qoy6+FVY7KCK9OdcY=,iv:Mui3G+qsSijj5PjfREqYFwYJFun5EiVUcyAj4VuG2ec=,tag:smOjAxoAVj779aAhhjYGMg==,type:str] +primary: + persistence: + enabled: ENC[AES256_GCM,data:bIIZiA==,iv:Lk0HyoTyHpq5d4DA2R1IA3kbrBfaF2+uAfKqr8WyI9E=,tag:d1ovt3UMHIKmkueMp0PPQg==,type:bool] + size: ENC[AES256_GCM,data:62u86Q==,iv:dI7D2r/ZKOzk1WYeaO9maomomS/SyDvKZcWyAYa+3f0=,tag:lkGf1OQaWtPRsGWkCG8RBw==,type:str] + storageClass: ENC[AES256_GCM,data:wIqX,iv:3itwIWMrbfX5p3hJgTaNwy5ipEhBvnYCijlYeR072EM=,tag:Ba0yx5klmdZBRpY3CpErZg==,type:str] +readReplicas: + persistence: + enabled: ENC[AES256_GCM,data:e9T+1g==,iv:ReTcoWpgknP0Kz0FjpEKzFpz5eDlZSmIaKEvBC6pcq8=,tag:nOcgQPFQYpppupbPLeCi2Q==,type:bool] + size: ENC[AES256_GCM,data:BOGTBw==,iv:bjs8OoK52ucSS2LzTeTSwjrRr256dFZ4BUPh0cclLOg=,tag:Wxj615ONUtUNmIsoEbpK8Q==,type:str] + storageClass: ENC[AES256_GCM,data:0VLF,iv:6xyk/R0WLCiAPb845d+61NTby4nKU75tJbF6XQMZq3k=,tag:Ubqaw241oljGq8MvgL+QZA==,type:str] +auth: + username: ENC[AES256_GCM,data:xR34Q43j,iv:ekdcFNbxT9t5XcfVzj6AZRs/PIFyNdW/sMk8n5ATmEo=,tag:uhUXtMxSWJmAl+aYEyzwsA==,type:str] + password: ENC[AES256_GCM,data:+xbutn2zuYfag8nWmu7JugO2,iv:pDJ9qSb3MftMGHu9hNVfONtVHq2KqyKnoW5NdbWSYls=,tag:Wtoj5IkZSX10wFFQyYlaEg==,type:str] + database: ENC[AES256_GCM,data:amvot38a,iv:F1HuXGQs+mnhmJESWYLqzNpH9JR2HOPBW1ty4znTvuo=,tag:YVQsmugq98HJinFyBfQ62g==,type:str] + replicationPassword: ENC[AES256_GCM,data:vrawysvDea8rr5LJE1vl5s+cZJo=,iv:4Q10TlFH9mqEAlhilgaE7dvjDHmzcbbi+Oe/rJrbkIk=,tag:ppXHDkj1iDRysj9Rp55RMw==,type:str] +metrics: + enabled: ENC[AES256_GCM,data:DefjAQ==,iv:wV6e8gFHM1hMG3QHi3Qz4vGBECsJtyiZ21ZgKwVVx0A=,tag:nXI65IWQEBr8Axv8lriKgQ==,type:bool] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-02-21T20:48:11Z" + mac: 
ENC[AES256_GCM,data:v2E2RYirVv/o9PcVmeNdA3u8gsxhzWrWoxeUdXyUK1+E+lmNeVXEPptKIWgZz4RAPuJRkKVRudgcDtZacm7dljHF5QT4Q81JQ97l9GLe6xIVZ1KUp1ocztxn6KuH+dssJZMceQkJAWq2NyNo598UhGP2gSk4HlEry1h8dMHHtGU=,iv:+wJSE2yuvcRuyBCezbQ2HApbz16dakOs88llFxS13XI=,tag:26VUjT3KiEZ1pZ5l9XeyXQ==,type:str] + pgp: + - created_at: "2022-02-21T20:48:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7doaBdjNJH+ARAAjjrRSrtPvMhWeW7ISFAK3gmlml0dsHId7aLejOmU3tEK + 7fZ0fKI+3xRWdtWKXrw0Nk5DwkbG2ps+9FNiC/1fQGpkq6Pj/2Ps9HGjinwdzKRu + NcnO2kUSsjJ0yP/oIZrfYWa72D7gmQaLMx6KQl05ibjnrJ0Z5KNV/Mu/lgZVAKCM + CtlKjoLgdETWRO+YWGswhaaN8MSjp2pm+2Ca/nwpaRD2+BpgvL4pY/23/njb1PN2 + QE3kP3Ppk0i99SU5wgWrpiPIpwrDKp5mO/RwuxRkWJ4Q4IAGLW8FUOQhvVsNlEGG + fPU2VBj9QPgxHb5n/y939V08/k3Qa27XlFxYtSVqLOtmMd1vol+jDHOeBEHs3XF1 + 3t7BtVahuAVtaT2iv+OwyZKuvn1bISUYZqYCTRovyJDMApAsQGWFOfTry8kqWfzd + hEEa6E4rUrv3MaB0/Pi7DIFW2W+1jHZUkMyoj5ESzLIUBRiT6+16OKRf8FxtTDx1 + To7vay6Izstq6/AKg080LQ2JZQT1moX6d5pba+MRtvc9xmjpwpQ9gtR1NeCJqa7b + lEZfeMQvw89k/hqBRpGSYnrKREZjGwv/0Zi0/35LfRbcd8prUiJiKkj25gOpGDO4 + 8s9a0yG70lH4hZB9XfUXGQN0q7VTzJSjdU53o0AcviaIoz0vyZaCUYTX2R0rrf/S + 5gEaVIngNR7lvQmAaPmRZCagv/GVjBxfytuoF4jWK326Sc0AQzo5Dc6Q2eIJfnPa + XNcjq8GviZMmfvso6jJwudDkk9+HgOFdgEQ71MxG7+YND+L5YTQwAA== + =5DRL + -----END PGP MESSAGE----- + fp: 40B3DE7A02CAC8D1DE76223483DA3B754DD29AF9 + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/ops/provision/k8s/prod-issuer-dns-values.yaml.enc b/ops/provision/k8s/prod-issuer-dns-values.yaml.enc new file mode 100644 index 00000000..14744974 --- /dev/null +++ b/ops/provision/k8s/prod-issuer-dns-values.yaml.enc 
@@ -0,0 +1,88 @@ +apiVersion: ENC[AES256_GCM,data:PTI=,iv:SC+rI4SEm84xi6f9KJp1GDSxDkcLbjMstokSUQCTVAc=,tag:hq5or2ButxZi/XCM3ibRIA==,type:str] +kind: ENC[AES256_GCM,data:2fVj5xsn,iv:HOLq4+p5QkBzHPve0Qmdqc/8dEC/Hx8OnWzVKyf22nA=,tag:+KR0qd5TBWOxVt/4Zs0HVA==,type:str] +metadata: + name: ENC[AES256_GCM,data:yj6Xv7EIw/W6zsBVTqWzulSaz3UidTBMtVMt,iv:+F+2Bsw6ebyvVe0I1fkn+pfRHIlGvrZfgDeQJ2l2YY4=,tag:+3mHPqILS5bEq/p6zaIffw==,type:str] + namespace: ENC[AES256_GCM,data:u80hapF7JaLmD8Ac,iv:K2axwqDxZOpeFFb/khHj9iYci8NvX4TQPlRKmmkdmlg=,tag:Ak5U+FPzQjrGB3IYWzqJKw==,type:str] +type: ENC[AES256_GCM,data:fqMAkmi6,iv:x/AwWoYwTxD13Z2suQdTClTkUwdkOkqxwuLSlZOmH2I=,tag:nTf3g0oM1nMnA9fPf+1Deg==,type:str] +stringData: + api-token: ENC[AES256_GCM,data:JjWUrpJbBkYmkV0BZjxUXEupa+ds2UCFlw4bDc9cZjOE3l2nXzFu1g==,iv:8rbHyxFnbjKhEAUAuNmEfZ2U4kUfV7soDuKUI1L4A3Q=,tag:b7ZGg+K/B44WLcKuV17EOg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-02-21T20:48:09Z" + mac: ENC[AES256_GCM,data:PGWTnNgWHl83dkeQnB3I8I+YkTLvwjPq156aWGmwtPbbznnvgcIZn85JWTggLjYckOGQy8LD4en5bC8UBnVSpo8ULLNSLoEIGkTZvpFfnrG+B7CQDhVKihFoIWkRy0y9IyxyrSP50E9CU2aZL9WnEcrjvOi+lh3ZHUsdrCRu+Pw=,iv:u4TKaXh7IhHjiplxeBf8Ir4cc0Aa1xRtW1ewx+7aeYQ=,tag:mNZjlREd4soEcEYEjefXPg==,type:str] + pgp: + - created_at: "2022-02-21T20:48:08Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7doaBdjNJH+ARAAlRW6jsuzWDrUFXkAdypcch9CukWYkQ0POWntZxtT9QqC + 6fdddm+OMK1PwRPo3OCIhHnTn6YLAqrr6NxZBPw/q6gwZMZpNIhUirpqbwqUJFSF + ZKPyylK6F8E3qZNglmyv8A2bqdsXtRD44nvflBtotfco4k8eFaus6puEA3KLT0yN + +Son02c8VfUVYdb3dIlUHp93r5gNCqV10tvU7ntkJxpytRIxcrkR74SJtC4p7iAI + wwUl85DmXoV/WZ/WgRtL1AtUuu6I5lL1/ESmOtvaot1sTXwO4dqtiD9tXEgwu/w4 + mTS3V5CXjYMaOfZbmBeKbJdqQbvJENi+bbf7o523SgWPZNikAp6NtY0DwNsTX9Lp + TxCKPIYfZLr5IGks2AbwSLE3KcOtj+GuRMzRP7Bgbrw+D7IaEVpUo8+OPPIuxVOo + kwM5tzhWTy8A9kvXni8Ca/mgk2Cgz8h9RvV8+ujwNucxd62b4KXK+lyL+2En2yeZ + 3Lqmhv/olVj51yLheuWTZgJsBRfolUvhyR8pnkwuC+nZrqja6RbKXCGjsbI/HDJm + 
EQJceo8smBmx5ewTjdgfOR/iUpWtMgBL9I30aVpmx/IQtFeXiU3Lb6PFv2aiYdc8 + J8lrmkEmYKg/poAE2bEQe+OwoV3LJ71SCfMZtAl0/Z5H0eRgqRShV1A+VyjUG2nS + 5gGBFeRQ6pnOZNm1aNRQePDWZ8e0AVCC0kigIyBdn+zEdw8gBqCnnikroprmFhV4 + EHinBluJJryMWxeTWV2JMu/kaTqjHAcue5pjd+ewtAAuYuL+KNIuAA== + =lRCT + -----END PGP MESSAGE----- + fp: 40B3DE7A02CAC8D1DE76223483DA3B754DD29AF9 + unencrypted_suffix: _unencrypted + version: 3.7.1 +--- +apiVersion: ENC[AES256_GCM,data:BLq5UdlDmxFcrM+XGS4zHcGw,iv:Uui1i4Opofv6ZL2aCVDHrlrInUvgMnQt+bWh8MuUJOU=,tag:YMI3IvI+tbUACyIxMts9jQ==,type:str] +kind: ENC[AES256_GCM,data:wE5tB594mx70Kd0P9w==,iv:5Yfj4w8qilmfhoe4EaYmqBb9oztdWzGnthtBPfdNLok=,tag:Y1OukMiz9vwfroie6CHnHA==,type:str] +metadata: + name: ENC[AES256_GCM,data:IKtNyQ2JLEdHXhJWwWWtXbLpeqvf76ATmp0=,iv:jSv6sZNF551RZQIAxILTvG2XNDD4nkd9VchZ5gNwmTM=,tag:h2pfTd/msPWSN7AP2mPBvA==,type:str] +spec: + acme: + server: ENC[AES256_GCM,data:Owf1qMMTJoE6tRk/rjJxUenr6Q6yZy4Vbo6XWpuYwPpBjzuFZm0Ygb7RmjShWg==,iv:FHPNT8a731AVRe8Belby3Gj3+Q1X8zmtYMgBPwypp+A=,tag:G6XbLt5qutaYmovL0L/bew==,type:str] + email: ENC[AES256_GCM,data:kbhPbRSLOr2+JpjxJd48E83o,iv:Gr/Jy77LzEg3I6Y+cO6M7uehLIw7Gh8t9BJmUfCBgkA=,tag:PakTTb99Rs47P+tKO/ICxw==,type:str] + privateKeySecretRef: + name: ENC[AES256_GCM,data:NXoKWwUXbKKrHlT8h9XOdsp1qEVZjyAQfrZ1xigH,iv:dNeXZFqMZqygDHeCbeZZ2UNrZIRJSvqZHKFe3p1W+xM=,tag:VpKERmkkl7Sksn9eTwWdyA==,type:str] + solvers: + - dns01: + cloudflare: + email: ENC[AES256_GCM,data:9nkldFSs9U7tMTdqgp613nNZ,iv:FfcaM2z6TksywCZspJVbuHEKFNE2E1bE0Ad8cAl37p0=,tag:60xHbs4iR7+VuU2oo9Vqng==,type:str] + apiTokenSecretRef: + name: ENC[AES256_GCM,data:txjD6aAaEe5y+QiBb2Az1S1N6SKluB1jUoOF,iv:Agyf2ln0ukPtVHHGs+5VeA7XviJNy7/maEN7N4Y/6YI=,tag:9Ek+qi2cqyy2hT3KngO+Lw==,type:str] + key: ENC[AES256_GCM,data:ejPpcI8wmJ9B,iv:52jRLs0A9PawrVdMqucRi0S6LR5DUYOw/CwkFlqNfxQ=,tag:PaTkuM4nGXFM2z3WypVQfw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-02-21T20:48:09Z" + mac: 
ENC[AES256_GCM,data:PGWTnNgWHl83dkeQnB3I8I+YkTLvwjPq156aWGmwtPbbznnvgcIZn85JWTggLjYckOGQy8LD4en5bC8UBnVSpo8ULLNSLoEIGkTZvpFfnrG+B7CQDhVKihFoIWkRy0y9IyxyrSP50E9CU2aZL9WnEcrjvOi+lh3ZHUsdrCRu+Pw=,iv:u4TKaXh7IhHjiplxeBf8Ir4cc0Aa1xRtW1ewx+7aeYQ=,tag:mNZjlREd4soEcEYEjefXPg==,type:str] + pgp: + - created_at: "2022-02-21T20:48:08Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7doaBdjNJH+ARAAlRW6jsuzWDrUFXkAdypcch9CukWYkQ0POWntZxtT9QqC + 6fdddm+OMK1PwRPo3OCIhHnTn6YLAqrr6NxZBPw/q6gwZMZpNIhUirpqbwqUJFSF + ZKPyylK6F8E3qZNglmyv8A2bqdsXtRD44nvflBtotfco4k8eFaus6puEA3KLT0yN + +Son02c8VfUVYdb3dIlUHp93r5gNCqV10tvU7ntkJxpytRIxcrkR74SJtC4p7iAI + wwUl85DmXoV/WZ/WgRtL1AtUuu6I5lL1/ESmOtvaot1sTXwO4dqtiD9tXEgwu/w4 + mTS3V5CXjYMaOfZbmBeKbJdqQbvJENi+bbf7o523SgWPZNikAp6NtY0DwNsTX9Lp + TxCKPIYfZLr5IGks2AbwSLE3KcOtj+GuRMzRP7Bgbrw+D7IaEVpUo8+OPPIuxVOo + kwM5tzhWTy8A9kvXni8Ca/mgk2Cgz8h9RvV8+ujwNucxd62b4KXK+lyL+2En2yeZ + 3Lqmhv/olVj51yLheuWTZgJsBRfolUvhyR8pnkwuC+nZrqja6RbKXCGjsbI/HDJm + EQJceo8smBmx5ewTjdgfOR/iUpWtMgBL9I30aVpmx/IQtFeXiU3Lb6PFv2aiYdc8 + J8lrmkEmYKg/poAE2bEQe+OwoV3LJ71SCfMZtAl0/Z5H0eRgqRShV1A+VyjUG2nS + 5gGBFeRQ6pnOZNm1aNRQePDWZ8e0AVCC0kigIyBdn+zEdw8gBqCnnikroprmFhV4 + EHinBluJJryMWxeTWV2JMu/kaTqjHAcue5pjd+ewtAAuYuL+KNIuAA== + =lRCT + -----END PGP MESSAGE----- + fp: 40B3DE7A02CAC8D1DE76223483DA3B754DD29AF9 + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/ops/provision/k8s/prod_issuer.yaml b/ops/provision/k8s/prod_issuer.yaml new file mode 100644 index 00000000..f47db26a --- /dev/null +++ b/ops/provision/k8s/prod_issuer.yaml 
@@ -0,0 +1,19 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod + namespace: cert-manager +spec: + acme: + # The ACME server URL + server: https://acme-v02.api.letsencrypt.org/directory + # Email address used for ACME registration + email: support@notch8.com + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-prod + # Enable the HTTP-01 challenge provider + solvers: + - http01: + ingress: + class: nginx diff --git a/ops/provision/k8s/solr-values.yaml.enc b/ops/provision/k8s/solr-values.yaml.enc new file mode 100644 index 00000000..52d297d2 --- /dev/null +++ b/ops/provision/k8s/solr-values.yaml.enc 
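Review bot: `ClusterIssuer` is a cluster-scoped resource, so `namespace: cert-manager` under `metadata` has no effect and should be dropped to avoid a misleading manifest; cert-manager resolves `privateKeySecretRef` for a ClusterIssuer in its cluster-resource namespace (by default `cert-manager`) regardless. This issuer is `letsencrypt-prod` with an HTTP-01 solver, while the deployment template annotates the ingress with `cert-manager.io/cluster-issuer: letsencrypt-production-dns` and requests a certificate for `*.oar.notch8.cloud`, which HTTP-01 cannot validate; presumably the DNS-01 issuer in the encrypted `prod-issuer-dns-values.yaml.enc` is the one in use and this file is a fallback for non-wildcard hosts. A comment stating that, e.g. `# HTTP-01 issuer for non-wildcard hosts; the production ingress uses letsencrypt-production-dns`, would save the next reader the hunt. `staging_issuer.yaml` begins on this page but is cut off, so I have not compared it.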
@@ -0,0 +1,57 @@ +#ENC[AES256_GCM,data:xmCc/eDLGjS/XpQv,iv:SZ8wZX1E6uOwZaPVDKKJxCTMZzkzwJ68VRG9WmAOSqc=,tag:6COytPbSV0w5ZK3bnyMQzw==,type:comment] +replicaCount: ENC[AES256_GCM,data:TA==,iv:XJeuKkJPnCGAIlXvYf53PPM2YXLwzT+TOmrifKmwQAk=,tag:ho3u92ElylqI2XdiQcU9Og==,type:int] +collectionReplicas: ENC[AES256_GCM,data:JQ==,iv:knNjcsSD+qbw5q8jlnpk31hDepjxehd5ai/sQeK0TYc=,tag:GhAc0saxKoMmc76hy83vUQ==,type:int] +authentication: + enabled: ENC[AES256_GCM,data:05JSWA==,iv:t05U952Im2QPh/3SkT7v7ZKCD4sUs5Fg1FK1NtXi1WU=,tag:9qnntJJqETnZm+ct+XPU+Q==,type:bool] + adminUsername: ENC[AES256_GCM,data:SCcpJe4=,iv:0P5esBVqKlJSyRCzWcqLply227dVKcpG6c7TlF9NRRA=,tag:oW5yt6YZ+QqPMxTHaFvHLA==,type:str] + adminPassword: ENC[AES256_GCM,data:LlUmqNY=,iv:2UcS14lvGGpV3BAcUMnWhhf3XncPtM4tcKa/SqI5g8o=,tag:jWAi4DmMAxjaePM+/Mu/pQ==,type:str] +javaMem: ENC[AES256_GCM,data:nILYyvgSl5Nn2pJQiA==,iv:rUNvVuoav6zLrLgdSRaBdM4nzttygQOod0nH+urP5+U=,tag:iU+8UfjF1a/shlEDzYlA0A==,type:str] +resources: + limits: + memory: ENC[AES256_GCM,data:r+R0,iv:if/ek/lkBWIF0qzXM29cSus6kkMvFLgEvtKgHoatHDY=,tag:VIPDzsxH6c6V42l0NUD0mg==,type:str] + requests: + memory: ENC[AES256_GCM,data:FgEG,iv:A/jQN6OMj6teAM7pJ4yzX3rLk4ZY6VpIY26LrStb+pc=,tag:I7RnXruL2YXK0kajFbE/9w==,type:str] +zookeeper: + replicaCount: ENC[AES256_GCM,data:5A==,iv:+SDf/l9PeiYF82+sCUhURpPRFkhpRmT5AE21omT6pyU=,tag:fCNev/ssM1wYavcw2m2Rcw==,type:int] + env: + JVMFLAGS: ENC[AES256_GCM,data:vkWdgBxR91uwDlX5JGS/,iv:c/wOHB9th527z6KlcXJEqHSXXZoD1KJHKIhoJzJjo9Q=,tag:X2Xag5OfOEiZkApR0gulPg==,type:str] + resources: + limits: + memory: ENC[AES256_GCM,data:nJpK,iv:bxm1pc8lz185azC6WcKlaW56YlOAwv/PP9A/isDJ73E=,tag:KVX7QJzgvZHRTPZjlgEVXg==,type:str] + requests: + memory: ENC[AES256_GCM,data:aiX43bs=,iv:6Pgl9amt1W3WWXPcYtA9Cx7GoWx+aEAB9qVd2pFJVpw=,tag:cF4kYMitA92hBH1bArjHvw==,type:str] +persistence: + enabled: ENC[AES256_GCM,data:LFQWhA==,iv:XALqc8D2HRvjltnrSaeIo8s9uLWvVpOwA0Hon9Xc4ow=,tag:aywePBgxIWQKK+EntgUOBw==,type:bool] + storageClass: 
ENC[AES256_GCM,data:117R,iv:YLKQA+QcviMpAMZK7yyQuO4rT7va+ueQir+Z64tPmnE=,tag:E28fhSnzDVRnMwcWameiIQ==,type:str] + size: ENC[AES256_GCM,data:Rb545No=,iv:r3WBSJ3rBGvEbPSMjIjoZLK+zbUTGyQWSbtZ8zt3DNw=,tag:YzMV7XDWYaPBk0gINbQBiQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-02-21T20:48:10Z" + mac: ENC[AES256_GCM,data:nqTPbrz2f6er35ImbgLM8vXg2bMJxmVtUpcsu/serGJJpi3+ZZ9QRHc+bH4MDOeHXm2qWg4Gw56NoNLPUVlFdb7+p+/JEfzCjrtJq2sx8Pdq1g5YQImntkqMojsHekVCvwbUSSJCL9MoiSlP0YYzl5R9NiZwZsNrTSXyKMeMQ5A=,iv:3kfANLuCS3aoQ3NDeIL0fNN/oDJ1RnIk0YZtqwtKwiw=,tag:Z/U4QBPalUsV/zhjHiJX/w==,type:str] + pgp: + - created_at: "2022-02-21T20:48:09Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7doaBdjNJH+ARAAD684gDO2EVVBZPk7hFHgcDNK9jLVFlJGunK8XRrpEoDl + BMzOU2GmlscQ1YdbVFsQPDf1hSrscZXYGODd9qZYvN8JlUO4R4fKRzFMk6Cz/m9W + sOYL0jDu/DfBUQjcoXfZfaW0w1DJiqkFHK/dZqz4SiyZJPiPMQxX1TqBFLQjtXhi + cgzGhFUDTNJJTIFVRGpo18xZj4GRZdPd2DlFqHUzWcXzUh8002nwuDICriThUzyG + uLsIv3znxLIimMglP6bdunsRTmehZz4+B/3+6qVRomMP7s1MTFjKuDHRZZKrNCR1 + mNoRN0qIO3P9kBRCbywawdkdta3e4t29vgcHAosf2o5hP5FyAfeBHaBfLPF3IpM0 + w3RjcTs9+gSxcQsf75buJ1asbDCU1XyGaR1n/c0D82VALgEIEBR3d5h7DeHQDl8Y + IsC7zjqzwvhtGTbrRHNDtmOchr9lw+wDevWyd5RwuuPZ5fXXWwiQZV5sk9J8RjqJ + HRVYQf/dtBXUV3j1qbv0vEd6oxhXpCm8yQfxqxWryfLRFMEyohZ9dLU047l4BZjA + H60Do441nOS4N7KAYgNwEDt3XsIg2PWiQjJTwb67EYp2G4iBIEWbRhu+79I0XVDI + 1wgHg1cUM0iPEFGr1nJIkVE/EFs08ZmYDSn4mLJUxTLMyb5I8/h+X96MjIDYivrS + 5gFGeaFPMcOxpGGPl7N91o77HTmJeMCDM7QaDBBqRS1ogCH2oAJ1s4FqpIa3V+2y + LxQbHljtB/FDTcxKpMVr2KbkcMLuSR+WMJcF+PQ1f/deJ+JpNkz5AA== + =w1Rs + -----END PGP MESSAGE----- + fp: 40B3DE7A02CAC8D1DE76223483DA3B754DD29AF9 + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/ops/provision/k8s/staging_issuer.yaml b/ops/provision/k8s/staging_issuer.yaml new file mode 100644 index 00000000..e14d64e0 --- /dev/null +++ b/ops/provision/k8s/staging_issuer.yaml 
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+ namespace: cert-manager
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: support@notch8.com
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ # Enable the HTTP-01 challenge provider
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
diff --git a/ops/provision/kube_config.yml.enc b/ops/provision/kube_config.yml.enc
new file mode 100644
index 00000000..0c25832c
--- /dev/null
+++ b/ops/provision/kube_config.yml.enc
@@ -0,0 +1,47 @@ +apiVersion: ENC[AES256_GCM,data:7tI=,iv:czzo3Quf21n84bP0UA4A2egqJcCy7SXDH6Clu19kf+A=,tag:YwF4vQpZ7jKZgBD1kqmd0w==,type:str] +kind: ENC[AES256_GCM,data:hnulX0w8,iv:El2fGIVns1AXlPrHSoz25YspUSIlT5tuv7gSzH0BHKI=,tag:RZz9pibZdnr9tFFZJwef2g==,type:str] +clusters: + - name: ENC[AES256_GCM,data:GjwErgI=,iv:3HYNEwkX9ormYokhCpSaxkskrTS/yztiWihb3SijUMU=,tag:/f+5VBIEvxRvQSmsnOJW8A==,type:str] + cluster: + server: ENC[AES256_GCM,data:rqLQ0pxx6M6zbSE3lVmD9ITr7YYr+CWjAjTEQZJmuRym2oIyk3MRwwQQVw==,iv:6bQ2Jic14S4V8YD6umOl4Z+c8fj/HI06MIN4X3y8lD8=,tag:nOAh/Ewm69z78JrPwsHI8A==,type:str] +users: + - name: ENC[AES256_GCM,data:WwjL/Hc=,iv:6AZNDSrqgJmlMTCqb7Kp+gEQI1QrKVt/+Kn/kFIASzE=,tag:WVQyF42hC00j/B3KsFbfQg==,type:str] + user: + token: ENC[AES256_GCM,data:Fjrc1JniPZ1EUwbGTUyw+kRcx1DT8VyxTMNVeZlZ9JgOU39DZdqMPaPyP5j2tIhuQlHLdgu7X8xkF1um9gkK++A1Lr3UiS1akTIA5g==,iv:56sANwqRb/pc9Jtos586h9Yl0wupkyqdOBFUQR3dbpg=,tag:UVtPYWA0FLOYQ0qjMvWaUA==,type:str] +contexts: + - name: ENC[AES256_GCM,data:bB/XGT0=,iv:S9GTgh94WgqjugMZ16nriAKY2Pg7LsruzWmPylg6ASA=,tag:XSKXfqVHwXkXqqgX2si2wg==,type:str] + context: + user: ENC[AES256_GCM,data:sT+7EC0=,iv:0ASf4Oh1m2anKzFsGPlNWlvy+Cr+sc9P71v88lmFFj8=,tag:NZUdlPHLnyTpRI+Mu3gkCQ==,type:str] + cluster: ENC[AES256_GCM,data:V2v3v24=,iv:IzHeRuy4a+HDoPK52rgyklYikLz8WWfHUvoTWK2Tw3A=,tag:tvUDvoynY+LlAFd0syAamg==,type:str] +current-context: ENC[AES256_GCM,data:xZVyboc=,iv:DWQqkCCIOn9ikq9mViJWUDAMseHWAhLZ+v3JctTtXjw=,tag:HvThPMYLJ4CXfwdnrdHqyQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-02-21T20:48:07Z" + mac: ENC[AES256_GCM,data:VRdO1jvCfXMNyt4Ys1bR9DdkxJpKkCpRLLhCfiDYFSzJHpVx4I4lK+CtRsI3ZifYXtDI1BjRmkLdknNPnbySkrN60UYz1SALOE8glGn1s24AXQFAbREI/6YVCIeop0hCw2ZB4dHHVry+v/UvVfY6bceoi7mtJsAJP6uCWnyl6J4=,iv:laG3zL6Mibt+CIluwP/2NoVu4u4WGvOKGSXeJQnINtA=,tag:SwaiwJaJUWaYgOXX/uaPEQ==,type:str] + pgp: + - created_at: "2022-02-21T20:48:06Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
wcFMA7doaBdjNJH+ARAACVEDLdIYIFY2HxNWOrJpVZj17fCE7x1f3LRXeHEhKPck + YXvVTzU4e6yZDinIwcLU7yN9Pn1gjXiV5PnzcJNIVZC6MIL5Uyge9rtSOovBuS/o + d105x4OOigCuFvSaUikumCEIMIHX4PnLZhO8lb3smRiQxu9UBTq1PgZbAZWIs3Vn + s6ZRkog7CXEs2zCFHsMqvD0ITVNL/TpvpFlEtIWsp8Jkz8GXCfUjoZkCMPcnO04f + RefLGY8JATvxwCuBo2zVyWb0UJKzfuWJEeDeGORsGCVGH/RycoWsAixAhiJWOenx + mhUCmpG9TSFxuBX+0CGjNC1yH+xI5JNFIAhys1rKO2ZpUoFBSuoEO67gxIUH82Vg + 1TtRccILDt6URXoLovRa1Hc+nb/IT5xyGuk9npsL/6MLb6qyajhoNHWBK7XHcnPw + DziJ6G2AzrWa18t86ut39jAVVqyLT52NudeQ/OPtAsrzgnl8Vw7Xo/9o9EWmEV8E + zhCgPia2+T/+Kw25e11oo1VI63OWooETjQ5iKy3PrTRn+ta6KTw1zpXbk/FZfAKn + O5BYPY3bpOJJTx/bAQUTXOGbytRLWJdHxN47SaqAMxDj3vNgN9QlPHi0SVoWbgS+ + 6ap4vjIFOhig6yhABW1xQEBpDdeelOywLdksLH+6xK9Ik/H+Kkrz5wLpqPJ0XbXS + 5gGbTqmdOS7JbM7JZoNCaDAYgiD2vkXkiWwXxcS46a7XZX57sJvrn+fwDzfELw88 + 9KBfaC/oE2r+af2HeWHB8+zkNGSfBV8CLt5Myubo5OW1IeJe5tO5AA== + =apLn + -----END PGP MESSAGE----- + fp: 40B3DE7A02CAC8D1DE76223483DA3B754DD29AF9 + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/ops/provision/main.tf b/ops/provision/main.tf new file mode 100644 index 00000000..df4b9979 --- /dev/null +++ b/ops/provision/main.tf 
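Review bot: The kubeconfig committed here carries a static bearer `token:` under `users`, so anyone who can decrypt the file holds standing cluster access for as long as that token is valid; it should be tracked as a credential with a rotation owner rather than as configuration, and a short-lived or least-privileged service-account token is preferable for the CI path if the cluster supports one. The `pgp:` block lists a single recipient `fp:` (the same fingerprint appears on the other `.enc` files in this commit) while `age:` and the KMS lists are `[]`, which makes that one key both the sole decryption path and a single point of loss — adding a second recipient before more material is encrypted avoids an unrecoverable state. The plaintext `kube_config.yml` that `main.tf` reads via `config_path` must never be committed; confirm it is git-ignored, since that ignore rule is not visible in this chunk.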
@@ -0,0 +1,212 @@
+terraform {
+ backend "pg" {}
+ required_version = ">= 0.13"
+
+ required_providers {
+ rancher2 = {
+ source = "rancher/rancher2"
+ version = "1.11.0"
+ }
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = ">= 1.7.0"
+ }
+ }
+}
+
+variable "region" {
+ default = "eu-west-1"
+ description = "AWS region"
+}
+
+
+provider "helm" {
+ kubernetes {
+ config_path = "kube_config.yml"
+ }
+}
+
+provider "kubectl" {
+ config_path = "kube_config.yml"
+}
+
+provider "kubernetes" {
+ config_path = "kube_config.yml"
+}
+
+data "local_file" "efs_name" {
+ filename = "efs_name"
+}
+
+resource "helm_release" "ingress-nginx" {
+ name = "ingress-nginx"
+ namespace = "ingress-nginx"
+ create_namespace = true
+ version = "3.12.0"
+ repository = "https://kubernetes.github.io/ingress-nginx"
+ chart = "ingress-nginx"
+
+ set {
+ name = "controller.service.type"
+ value = "LoadBalancer"
+ }
+}
+
+resource "helm_release" "eks_efs_csi_driver" {
+ chart = "aws-efs-csi-driver"
+ name = "efs"
+ namespace = "storage"
+ create_namespace = true
+ repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
+
+ set {
+ name = "image.repository"
+ value = "602401143452.dkr.ecr.${var.region}.amazonaws.com/eks/aws-efs-csi-driver"
+ }
+}
+
+resource "kubernetes_storage_class" "storage_class" {
+ storage_provisioner = "efs.csi.aws.com"
+
+ parameters = {
+ directoryPerms = "700"
+ fileSystemId = trimspace(data.local_file.efs_name.content)
+ provisioningMode = "efs-ap"
+ }
+
+ metadata {
+ name = "efs-sc"
+ }
+}
+
+resource "helm_release" "cert_manager" {
+ name = "cert-manager"
+ namespace = "cert-manager"
+ create_namespace = true
+ version = "1.1.0"
+ repository = "https://charts.jetstack.io"
+ chart = "cert-manager"
+
+ set {
+ name = "installCRDs"
+ value = "true"
+ }
+}
+
+resource "kubectl_manifest" "prod_issuer" {
+ depends_on = [helm_release.cert_manager]
+ yaml_body = file("./k8s/prod_issuer.yaml")
+}
+
+resource "kubectl_manifest" "prod_issuer_dns" {
+ depends_on = [helm_release.cert_manager]
+ yaml_body = file("./k8s/prod-issuer-dns-values.yaml")
+}
+
+resource "kubectl_manifest" "staging_issuer" {
+ depends_on = [helm_release.cert_manager]
+ yaml_body = file("./k8s/staging_issuer.yaml")
+}
+
+resource "helm_release" "postgresql" {
+ name = "postgresql"
+ namespace = "default"
+ create_namespace = true
+ repository = "https://charts.bitnami.com/bitnami"
+ chart = "postgresql"
+ values = [
+ file("k8s/postgresql-values.yaml")
+ ]
+}
+
+resource "helm_release" "fcrepo" {
+ depends_on = [helm_release.postgresql]
+
+ name = "fcrepo"
+ namespace = "default"
+ create_namespace = true
+ repository = "https://samvera-labs.github.io/fcrepo-charts"
+ chart = "fcrepo"
+ values = [
+ file("k8s/fcrepo-values.yaml")
+ ]
+
+}
+
+resource "helm_release" "solr" {
+ name = "solr"
+ namespace = "default"
+ create_namespace = true
+ repository = "https://charts.bitnami.com/bitnami"
+ chart = "solr"
+ values = [
+ file("k8s/solr-values.yaml")
+ ]
+}
+
+resource "kubernetes_namespace" "dev" {
+ metadata {
+ name = "dev"
+ annotations = {
+ "cattle.io/status" = jsonencode(
+ {
+ Conditions = [
+ {
+ LastUpdateTime = "2022-02-10T05:23:42Z"
+ Message = ""
+ Status = "True"
+ Type = "ResourceQuotaInit"
+ },
+ {
+ LastUpdateTime = "2022-02-10T05:23:43Z"
+ Message = ""
+ Status = "True"
+ Type = "InitialRolesPopulated"
+ }
+ ]
+ }
+ )
+ "lifecycle.cattle.io/create.namespace-auth" = "true"
+ "field.cattle.io/projectId" = "c-6p4jv:p-98kns"
+ }
+ labels = {
+ "field.cattle.io/projectId" = "p-98kns"
+ }
+ }
+}
+
+resource "kubernetes_namespace" "productionn" {
+ metadata {
+ name = "production"
+ annotations = {
+ "cattle.io/status" = jsonencode(
+ {
+ Conditions = [
+ {
+ LastUpdateTime = "2022-02-10T05:23:42Z"
+ Message = ""
+ Status = "True"
+ Type = "ResourceQuotaInit"
+ },
+ {
+ LastUpdateTime = "2022-02-10T05:23:43Z"
+ Message = ""
+ Status = "True"
+ Type = "InitialRolesPopulated"
+ }
+ ]
+ }
+ )
+ "lifecycle.cattle.io/create.namespace-auth" = "true"
+ "field.cattle.io/projectId" = "c-6p4jv:p-98kns"
+ }
+ labels = {
+ "field.cattle.io/projectId" = "p-98kns"
+ }
+ }
+}
+
+resource "kubectl_manifest" "gitlab-secrets" {
+ depends_on = [helm_release.cert_manager]
+ yaml_body = file("k8s/gitlab-secret-values.yaml")
+}
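Review bot: The secret material loaded through `values = [file(...)]` in `helm_release.postgresql`, `helm_release.fcrepo` and `helm_release.solr`, and passed as `yaml_body` in `kubectl_manifest.gitlab-secrets` and `kubectl_manifest.prod_issuer_dns`, ends up in clear in the Terraform state that `backend "pg" {}` keeps in Postgres; the sops encryption only protects the files at rest in git, so that database needs the same access control as the secrets themselves and this is worth a comment on the backend block, e.g. `# state holds decrypted helm values and manifests: restrict access to this database`. For the `kubectl_manifest` resources the provider's `sensitive_fields` argument keeps those values out of plan output, provided the version resolved under the `>= 1.7.0` constraint supports it. Separately, the resource label `kubernetes_namespace.productionn` is misspelt; renaming it after the first apply destroys and recreates the namespace unless the state address is moved first, so fix it now with `resource "kubernetes_namespace" "production" {`. The hard-coded `cattle.io/status` annotation with fixed `LastUpdateTime` values in both namespace resources looks like a copy of Rancher-managed live state and will presumably produce a perpetual diff once Rancher rewrites it; an `ignore_changes` on that annotation or dropping it is likely the cleaner choice.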