Add secrets for archive-box, webhook-bridge, and tekton.

2026-04-28 17:45:02 -04:00
parent 9de8c853e3
commit 70f180f3c8
4 changed files with 98 additions and 16 deletions
--- a/nix/kubernetes/README.org
+++ b/nix/kubernetes/README.org
@@ -11,13 +11,14 @@
  ];
 #+end_src
 * IP Ranges
-|                              | IPv4                        | IPv6                                    |
-|------------------------------+-----------------------------+-----------------------------------------|
-| Pod                          | 10.200.0.0/16               | 2620:11f:7001:7:ffff:eeee::/96          |
-| Service                      | 10.197.0.0/16               | fd00:3e42:e349::/112                    |
-| Node                         | 10.215.1.0/24               | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
-| Load Balancer                | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96          |
-| PowerDNS from inside cluster | 10.215.1.211                |                                         |
+|                                | IPv4                        | IPv6                                    |
+|--------------------------------+-----------------------------+-----------------------------------------|
+| Pod                            | 10.200.0.0/16               | 2620:11f:7001:7:ffff:eeee::/96          |
+| Service                        | 10.197.0.0/16               | fd00:3e42:e349::/112                    |
+| Node                           | 10.215.1.0/24               | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
+| Load Balancer                  | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96          |
+| Load Balancer Private (unused) | 10.198.0.0/16               | fd9c:0bd5:22a4::/112                    |
+| PowerDNS from inside cluster   | 10.215.1.211                |                                         |
 * Healthcheck
 ** Check cilium status
 #+begin_src bash
--- a/nix/kubernetes/keys/package/k8s-secret-generic/package.nix
+++ b/nix/kubernetes/keys/package/k8s-secret-generic/package.nix
@@ -16,19 +16,29 @@
  secret_name,
  secret_namespace,
  secret_values ? { },
+  secret_type ? null,
+  secret_annotations ? null,
  ...
 }:
 let
  toBase64 = (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }).toBase64;
+  metadata = {
+    name = "${secret_name}";
+    namespace = "${secret_namespace}";
+  }
+  // lib.optionalAttrs (secret_annotations != null) {
+    "annotations" = secret_annotations;
+  };
  secret_yaml = {
    apiVersion = "v1";
    kind = "Secret";
-    metadata = {
-      name = "${secret_name}";
-      namespace = "${secret_namespace}";
-    };
+    metadata = metadata;
    data = (builtins.mapAttrs (key: val: (toBase64 val)) secret_values);
+  }
+  // lib.optionalAttrs (secret_type != null) {
+    "type" = secret_type;
  };
+
  settingsFormat = pkgs.formats.yaml { };
  yaml_body = settingsFormat.generate "${secret_name}.yaml" secret_yaml;
  yaml_file = pkgs.writeTextFile {
--- a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
+++ b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
@@ -13,13 +13,33 @@ let
      (
        secret_namespace: secrets:
        (builtins.mapAttrs (
-          secret_name: secret_values:
+          secret_name: original_secret_values:
+          let
+            secret_type = original_secret_values."__type" or null;
+            secret_annotations = original_secret_values."__annotations" or null;
+            secret_values = removeAttrs original_secret_values [
+              "__type"
+              "__annotations"
+            ];
+          in
          (callPackage ../../package/k8s-secret-generic/package.nix {
-            inherit secret_name secret_namespace secret_values;
+            inherit
+              secret_name
+              secret_namespace
+              secret_values
+              secret_type
+              secret_annotations
+              ;
          })
        ) secrets)
      )
      {
+        "archive-box" = {
+          "archive-box-auth" = {
+            "username" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/username}");
+            "password" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/password}");
+          };
+        };
        "cert-manager" = {
          "rfc2136" = {
            "TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
@@ -37,6 +57,11 @@ let
            );
          };
        };
+        "flux-system" = {
+          "webhook-token" = {
+            "token" = generate_key 64 "flux-system.webhook-token.token";
+          };
+        };
        "gitea" = {
          "gitea-env" = {
            "GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
@@ -59,6 +84,29 @@ let
            );
          };
        };
+        "tekton-gateway" = {
+          "oauth2-env" = oauth2_env { dex_id = "tekton"; };
+        };
+        "webhook-bridge" = {
+          "webhook-bridge" = {
+            "HMAC_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/HMAC_TOKEN}");
+            "OAUTH_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/OAUTH_TOKEN}");
+          };
+          "deployer-key" = {
+            "__annotations" = {
+              "tekton.dev/git-0" = "code.fizz.buzz";
+            };
+            "__type" = "kubernetes.io/ssh-auth";
+            "ssh-privatekey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-privatekey}");
+            "ssh-publickey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-publickey}");
+          };
+          "gitea" = {
+            "token" = (builtins.readFile "${./secrets/webhook-bridge/gitea/token}");
+          };
+          "harbor-plain" = {
+            "config.json" = (builtins.readFile "${./secrets/webhook-bridge/harbor-plain/config.json}");
+          };
+        };
      };
  encrypted_secrets = (
    builtins.mapAttrs (
@@ -101,8 +149,31 @@ let
        dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out"
      ''
    );
-  helm_json_escape = json: builtins.toJSON json;
-
+  # helm_json_escape = json: builtins.toJSON json;
+  helm_json_escape =
+    json:
+    builtins.replaceStrings
+      [
+        "="
+        "["
+        "]"
+        ","
+        "."
+        "\""
+        "{"
+        "}"
+      ]
+      [
+        "\\="
+        "\\["
+        "\\]"
+        "\\,"
+        "\\."
+        "\\\""
+        "\\{"
+        "\\}"
+      ]
+      json;
  ## dex
  get_dex_config =
    client_id:
--- a/nix/kubernetes/roles/kubelet/default.nix
+++ b/nix/kubernetes/roles/kubelet/default.nix
@@ -32,7 +32,7 @@ let
    containerRuntimeEndpoint = "unix:///var/run/containerd/containerd.sock";
    enableServer = true;
    failSwapOn = false;
-    maxPods = 16;
+    maxPods = 110;
    memorySwap = {
      swapBehavior = "NoSwap";
    };