k8s-and-chill

gitea_admin/k8s-and-chill

Fork 0

Commit graph

Author	SHA1	Message	Date
Felix Wolf	fe51c8c1bc	feat(minikube): add minikube environment with garage S3 backend Adds a self-contained minikube environment for local development and testing alongside the existing production env. env: minikube - cluster.domain: minikube (browser DNS routes *.minikube → minikube ip) - tls issuer: mkcert (CA-signed via cert-manager mkcert ClusterIssuer) - storageClass: standard (minikube hostpath provisioner) - backups disabled; storagebox disabled - excludes argocd, forgejo, hcloud-csi (manual kubectl apply for testing) prototypes/garage: - hand-rolled S3-compatible object store (single Deployment + PVC) - mittwald-generated rpc_secret + admin_token (hex) - PostSync init Job: assigns cluster layout, ensures bucket and access key, writes ocis-s3-credentials cross-namespace into ocis ns - idempotent: skips if k8s secret already populated; otherwise rotates the garage key (admin API only returns secretAccessKey on create) - cross-ns RBAC re-pinned via zz-cross-ns-rbac-fix overlay (ns.ytt.yaml clobbers explicit namespace fields) ocis: - new admin-user-id init Job ensures secret.user-id is a valid UUID v4 (mittwald can't generate UUIDs; ocis-settings rejects non-UUID ids) - mittwald no longer manages user-id; existing prod UUIDs preserved - insecure flag (oidcIdpInsecure / ocisHttpApiInsecure / ocmInsecure) parameterized; defaults to false; minikube sets true for self-signed OIDC issuer URL trust other prototypes: - victoria-metrics-single helm values ytt-ified (storageClassName) - grafana admin secret now generated by mittwald (was hand-created in prod; manifest is no-op there since mittwald only fills empty fields) flake.nix: minikube + docker + postgresql added to dev shell.	2026-05-03 17:23:57 +02:00
Felix Wolf	85b8fec6b3	feat: replace secret-init Jobs with mittwald operator + cert-manager Migrate ~180 LOC of openssl/kubectl init Jobs to declarative Secret manifests reconciled by mittwald/kubernetes-secret-generator (random strings, SSH keypair) and cert-manager Certificates (RSA private key + self-signed CA chain). mittwald only fills empty fields, so existing populated Secrets keep their current values across the migration. Changes: - New prototype kubernetes-secret-generator (chart 3.4.1, mittwald helm repo). Cluster-wide informer reconciler, no webhook -> cold-bootstrap safe via ArgoCD retries. - New cert-manager selfsigned ClusterIssuer (in-cluster trust root). letsencrypt remains for public-DNS endpoints. - forgejo: admin-secret Job replaced with a mittwald-annotated Secret (hex-encoded 24-char password). Deploy-key Job split: mittwald ssh-keypair Secret + slim Job that uploads pubkey to Forgejo and copies privkey into the argocd repo Secret. - ocis: 13 Secrets / 16 random fields now mittwald-managed (UUIDs replaced with opaque random hex; ocis treats user-id as opaque). IDP RSA signing key, LDAP self-signed CA, and LDAP server cert produced by cert-manager. Per-Deployment ytt overlay remaps volume key paths (tls.crt -> ldap-ca.crt, tls.key -> private-key.pem, etc.) since the ocis chart mounts Secrets raw without items support. Old multi-secret s3-secret-job replaced with a slim external-secret precheck Job that only validates pre-created Hetzner S3/Storage Box credentials. - Application sync-wave -10 on cert-manager and kubernetes-secret- generator so they install before consumers. ArgoCD selfHeal handles any residual races. CLAUDE.md: remove the "all namespaces use privileged PodSecurity" convention. Existing namespaces still carry the label and will be audited separately. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 00:00:07 +02:00

Author

SHA1

Message

Date

Felix Wolf

fe51c8c1bc

feat(minikube): add minikube environment with garage S3 backend

Adds a self-contained minikube environment for local development and
testing alongside the existing production env.

env: minikube
  - cluster.domain: minikube (browser DNS routes *.minikube → minikube ip)
  - tls issuer: mkcert (CA-signed via cert-manager mkcert ClusterIssuer)
  - storageClass: standard (minikube hostpath provisioner)
  - backups disabled; storagebox disabled
  - excludes argocd, forgejo, hcloud-csi (manual kubectl apply for testing)

prototypes/garage:
  - hand-rolled S3-compatible object store (single Deployment + PVC)
  - mittwald-generated rpc_secret + admin_token (hex)
  - PostSync init Job: assigns cluster layout, ensures bucket and access
    key, writes ocis-s3-credentials cross-namespace into ocis ns
  - idempotent: skips if k8s secret already populated; otherwise rotates
    the garage key (admin API only returns secretAccessKey on create)
  - cross-ns RBAC re-pinned via zz-cross-ns-rbac-fix overlay (ns.ytt.yaml
    clobbers explicit namespace fields)

ocis:
  - new admin-user-id init Job ensures secret.user-id is a valid UUID v4
    (mittwald can't generate UUIDs; ocis-settings rejects non-UUID ids)
  - mittwald no longer manages user-id; existing prod UUIDs preserved
  - insecure flag (oidcIdpInsecure / ocisHttpApiInsecure / ocmInsecure)
    parameterized; defaults to false; minikube sets true for self-signed
    OIDC issuer URL trust

other prototypes:
  - victoria-metrics-single helm values ytt-ified (storageClassName)
  - grafana admin secret now generated by mittwald (was hand-created in
    prod; manifest is no-op there since mittwald only fills empty fields)

flake.nix: minikube + docker + postgresql added to dev shell.

2026-05-03 17:23:57 +02:00

Felix Wolf

85b8fec6b3

feat: replace secret-init Jobs with mittwald operator + cert-manager

Migrate ~180 LOC of openssl/kubectl init Jobs to declarative Secret
manifests reconciled by mittwald/kubernetes-secret-generator (random
strings, SSH keypair) and cert-manager Certificates (RSA private key +
self-signed CA chain). mittwald only fills empty fields, so existing
populated Secrets keep their current values across the migration.

Changes:

- New prototype kubernetes-secret-generator (chart 3.4.1, mittwald helm
  repo). Cluster-wide informer reconciler, no webhook -> cold-bootstrap
  safe via ArgoCD retries.
- New cert-manager selfsigned ClusterIssuer (in-cluster trust root).
  letsencrypt remains for public-DNS endpoints.
- forgejo: admin-secret Job replaced with a mittwald-annotated Secret
  (hex-encoded 24-char password). Deploy-key Job split: mittwald
  ssh-keypair Secret + slim Job that uploads pubkey to Forgejo and
  copies privkey into the argocd repo Secret.
- ocis: 13 Secrets / 16 random fields now mittwald-managed (UUIDs
  replaced with opaque random hex; ocis treats user-id as opaque). IDP
  RSA signing key, LDAP self-signed CA, and LDAP server cert produced
  by cert-manager. Per-Deployment ytt overlay remaps volume key paths
  (tls.crt -> ldap-ca.crt, tls.key -> private-key.pem, etc.) since the
  ocis chart mounts Secrets raw without items support. Old multi-secret
  s3-secret-job replaced with a slim external-secret precheck Job that
  only validates pre-created Hetzner S3/Storage Box credentials.
- Application sync-wave -10 on cert-manager and kubernetes-secret-
  generator so they install before consumers. ArgoCD selfHeal handles
  any residual races.

CLAUDE.md: remove the "all namespaces use privileged PodSecurity"
convention. Existing namespaces still carry the label and will be
audited separately.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-03 00:00:07 +02:00

2 commits