feat(secrets): add sealed-secrets management and Grafana monitoring installation
This commit is contained in:
@@ -1,7 +1,8 @@
|
|||||||
{
|
{
|
||||||
"permissions": {
|
"permissions": {
|
||||||
"allow": [
|
"allow": [
|
||||||
"Bash(helm show *)"
|
"Bash(helm show *)",
|
||||||
|
"WebFetch(domain:raw.githubusercontent.com)"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,27 @@
|
|||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: Application
|
||||||
|
metadata:
|
||||||
|
name: ingress-nginx
|
||||||
|
namespace: argocd
|
||||||
|
spec:
|
||||||
|
project: default
|
||||||
|
destination:
|
||||||
|
namespace: ingress-nginx
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
sources:
|
||||||
|
- repoURL: https://kubernetes.github.io/ingress-nginx
|
||||||
|
chart: ingress-nginx
|
||||||
|
targetRevision: 4.15.1
|
||||||
|
helm:
|
||||||
|
valueFiles:
|
||||||
|
- $values/ingress-nginx/eu-central-1/values.yaml
|
||||||
|
- repoURL: git@git.janis-eccarius.de:NowChess/GitOps.git
|
||||||
|
path: ./ingress-nginx/eu-central-1
|
||||||
|
ref: values
|
||||||
|
targetRevision: main
|
||||||
|
syncPolicy:
|
||||||
|
automated:
|
||||||
|
prune: true
|
||||||
|
selfHeal: true
|
||||||
|
syncOptions:
|
||||||
|
- CreateNamespace=true
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
controller:
|
||||||
|
service:
|
||||||
|
type: LoadBalancer
|
||||||
|
externalTrafficPolicy: Cluster
|
||||||
@@ -40,12 +40,25 @@ install_argocd() {
|
|||||||
install_cert_manager
|
install_cert_manager
|
||||||
install_argocd
|
install_argocd
|
||||||
|
|
||||||
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/baremetal/deploy.yaml
|
# Restore sealed-secrets key before ArgoCD syncs so existing SealedSecrets decrypt correctly.
|
||||||
|
# Export from old cluster first: ./sealed-secrets-key.sh export sealed-secrets-key-backup.yaml
|
||||||
|
echo "🔑 Restoring sealed-secrets key..."
|
||||||
|
read -rp "Path to sealed-secrets key backup (leave blank to skip): " KEY_FILE
|
||||||
|
if [[ -n "$KEY_FILE" ]]; then
|
||||||
|
./sealed-secrets-key.sh import "$KEY_FILE"
|
||||||
|
else
|
||||||
|
echo "⚠️ Skipped. SealedSecrets will fail to decrypt until key is imported."
|
||||||
|
fi
|
||||||
|
|
||||||
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
|
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
|
||||||
sleep 5s
|
sleep 5s
|
||||||
|
|
||||||
kubectl apply -f ../eu-central-1/root-apps-app.yaml
|
kubectl apply -f ../eu-central-1/root-apps-app.yaml
|
||||||
|
|
||||||
|
echo "📊 Installing Grafana monitoring..."
|
||||||
|
./metrics-deployment-values.sh
|
||||||
|
echo "✅ Grafana monitoring installed!"
|
||||||
|
|
||||||
clear
|
clear
|
||||||
|
|
||||||
ARGO_PW=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 --decode)
|
ARGO_PW=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 --decode)
|
||||||
|
|||||||
Regular → Executable
Executable
+85
@@ -0,0 +1,85 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
NAMESPACE="kube-system"
|
||||||
|
|
||||||
|
usage() {
|
||||||
|
echo "Manage sealed-secrets controller keys for cluster migration."
|
||||||
|
echo ""
|
||||||
|
echo "Usage:"
|
||||||
|
echo " $0 export [output-file] Export active key(s) to YAML (default: sealed-secrets-key-backup.yaml)"
|
||||||
|
echo " $0 import <input-file> Import key(s) to new cluster before first ArgoCD sync"
|
||||||
|
echo ""
|
||||||
|
echo "IMPORTANT: Never commit the backup file to Git. Store in Passwords.kdbx."
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
export_key() {
|
||||||
|
local out="${1:-sealed-secrets-key-backup.yaml}"
|
||||||
|
|
||||||
|
local keys
|
||||||
|
keys=$(kubectl -n "$NAMESPACE" get secret \
|
||||||
|
-l sealedsecrets.bitnami.com/sealed-secrets-key \
|
||||||
|
-o name 2>/dev/null)
|
||||||
|
|
||||||
|
if [[ -z "$keys" ]]; then
|
||||||
|
echo "Error: no sealed-secrets keys found in namespace $NAMESPACE" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Strip runtime-only fields so the manifest is re-applicable
|
||||||
|
kubectl -n "$NAMESPACE" get secret \
|
||||||
|
-l sealedsecrets.bitnami.com/sealed-secrets-key \
|
||||||
|
-o yaml \
|
||||||
|
| kubectl neat \
|
||||||
|
> "$out" 2>/dev/null \
|
||||||
|
|| kubectl -n "$NAMESPACE" get secret \
|
||||||
|
-l sealedsecrets.bitnami.com/sealed-secrets-key \
|
||||||
|
-o yaml \
|
||||||
|
| grep -v $'^\t' \
|
||||||
|
| python3 -c "
|
||||||
|
import sys, yaml
|
||||||
|
docs = list(yaml.safe_load_all(sys.stdin))
|
||||||
|
# Remove a List wrapper if present, emit individual documents
|
||||||
|
if len(docs) == 1 and docs[0].get('kind') == 'List':
|
||||||
|
docs = docs[0]['items']
|
||||||
|
strip = {'resourceVersion', 'uid', 'selfLink', 'creationTimestamp',
|
||||||
|
'generation', 'managedFields'}
|
||||||
|
for d in docs:
|
||||||
|
meta = d.get('metadata', {})
|
||||||
|
for f in strip:
|
||||||
|
meta.pop(f, None)
|
||||||
|
d['metadata'] = meta
|
||||||
|
print(yaml.dump_all(docs, default_flow_style=False))
|
||||||
|
" > "$out"
|
||||||
|
|
||||||
|
local count
|
||||||
|
count=$(echo "$keys" | wc -l | tr -d ' ')
|
||||||
|
echo "Exported $count key(s) to: $out"
|
||||||
|
echo ""
|
||||||
|
echo "WARNING: Store this file securely (e.g. Passwords.kdbx). Never commit to Git."
|
||||||
|
}
|
||||||
|
|
||||||
|
import_key() {
|
||||||
|
local in="${1:?'import requires a file argument — run: $0 import <file>'}"
|
||||||
|
|
||||||
|
if [[ ! -f "$in" ]]; then
|
||||||
|
echo "Error: file not found: $in" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Importing sealed-secrets key(s) from: $in"
|
||||||
|
kubectl apply -f "$in"
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "Key imported. If the sealed-secrets controller is already running, restart it:"
|
||||||
|
echo " kubectl -n kube-system rollout restart deployment/sealed-secrets"
|
||||||
|
echo ""
|
||||||
|
echo "Apply this BEFORE ArgoCD syncs the secrets application."
|
||||||
|
}
|
||||||
|
|
||||||
|
case "${1:-}" in
|
||||||
|
export) export_key "${2:-}" ;;
|
||||||
|
import) import_key "${2:-}" ;;
|
||||||
|
*) usage ;;
|
||||||
|
esac
|
||||||
Reference in New Issue
Block a user