🤖 ci(vault): declare dance-lessons-coach JWT role + ops policy (#1)

Co-authored-by: Gabriel Radureau <arcodange@gmail.com>
Co-committed-by: Gabriel Radureau <arcodange@gmail.com>

.gitea/workflows/crowdsec.yaml

@@ -16,10 +16,11 @@ concurrency:
 
 .vault_step: &vault_step
   name: read vault secret
-  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
+  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
   id: vault-secrets
   with:
-    url: https://vault.arcodange.duckdns.org
+    url: https://vault.arcodange.lab
+    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
     jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
     role: gitea_cicd_crowdsec
     method: jwt
@@ -49,12 +50,12 @@ jobs:
     env:
       OPENTOFU_VERSION: 1.8.2
       TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
     steps:
       - *vault_step
       - uses: actions/checkout@v4
-      # - uses: dflook/terraform-plan@v1
+      - name: prepare vault self signed cert
-      #   with:
+        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
-      #     path: hashicorp-vault/iac
       - name: terraform apply
         uses: dflook/terraform-apply@v1
         with:

.gitea/workflows/helmcharts.yaml

@@ -165,7 +165,7 @@ jobs:
           chart_package=${chart}-${chart_version}.tgz
           # helm package ${chart}
           tar -X ${chart}/.helmignore -czf ${chart_package} ${chart}
-          curl --user ${{ github.actor }}:${{ secrets.PACKAGES_TOKEN }} -X POST --upload-file ./${chart_package} https://gitea.arcodange.duckdns.org/api/packages/${{ github.repository_owner }}/helm/api/charts
+          curl --user ${{ github.actor }}:${{ secrets.PACKAGES_TOKEN }} -X POST --upload-file ./${chart_package} https://gitea.arcodange.lab/api/packages/${{ github.repository_owner }}/helm/api/charts
 
   application-charts:
     <<: *charts-matrix-job

.gitea/workflows/plausible.yaml

@@ -16,10 +16,11 @@ concurrency:
 
 .vault_step: &vault_step
   name: read vault secret
-  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
+  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
   id: vault-secrets
   with:
-    url: https://vault.arcodange.duckdns.org
+    url: https://vault.arcodange.lab
+    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
     jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
     role: gitea_cicd_plausible
     method: jwt
@@ -49,12 +50,12 @@ jobs:
     env:
       OPENTOFU_VERSION: 1.8.2
       TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
     steps:
       - *vault_step
       - uses: actions/checkout@v4
-      # - uses: dflook/terraform-plan@v1
+      - name: prepare vault self signed cert
-      #   with:
+        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
-      #     path: hashicorp-vault/iac
       - name: terraform apply
         uses: dflook/terraform-apply@v1
         with:

.gitea/workflows/vault.yaml

@@ -16,10 +16,11 @@ concurrency:
 
 .vault_step: &vault_step
   name: read vault secret
-  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
+  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
   id: vault-secrets
   with:
-    url: https://vault.arcodange.duckdns.org
+    url: https://vault.arcodange.lab
+    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
     jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
     role: gitea_cicd
     method: jwt
@@ -50,12 +51,12 @@ jobs:
     env:
       OPENTOFU_VERSION: 1.8.2
       TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
     steps:
       - *vault_step
       - uses: actions/checkout@v4
-      # - uses: dflook/terraform-plan@v1
+      - name: prepare vault self signed cert
-      #   with:
+        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
-      #     path: hashicorp-vault/iac
       - name: terraform apply
         uses: dflook/terraform-apply@v1
         with:

chart/templates/apps.yaml

@@ -10,7 +10,7 @@ metadata:
 spec:
   project: tools
   source:
-    repoURL: https://gitea.arcodange.duckdns.org/arcodange-org/tools
+    repoURL: https://gitea.arcodange.lab/arcodange-org/tools
     targetRevision: HEAD
     path: {{ $app_name }}
   destination:

chart/templates/project.yaml

@@ -10,7 +10,7 @@ metadata:
 spec:
   description: Arcodange tools (monitoring, cache, connection pool, secret management...)
   sourceRepos:
-  - 'https://gitea.arcodange.duckdns.org/arcodange-org/tools'
+  - 'https://gitea.arcodange.lab/arcodange-org/tools'
   # Only permit applications to deploy to the tools namespace in the same cluster
   destinations:
   - namespace: tools

chart/values.yaml

@@ -7,4 +7,5 @@ tools:
   redis: {}
   clickhouse: {}
   grafana: {}
-  plausible: {}
+  plausible: {}
+  prometheus: {}

clickhouse/charts/databases/templates/init-databases-job.yaml

@@ -5,6 +5,8 @@ metadata:
   labels:
     app.kubernetes.io/name: clickhouse-db-init
     app.kubernetes.io/instance: {{ .Release.Name }}
+  annotations:
+    checksum/config: {{ include (print $.Template.BasePath "/init-sql-configmap.yaml") . | sha256sum }}
 spec:
   template:
     spec:

clickhouse/charts/databases/templates/init-sql-configmap.yaml

@@ -20,5 +20,7 @@ data:
     GRANT CREATE, SELECT, INSERT, ALTER, DROP
       ON {{ $db }}.*
       TO {{ $db }};
+    
+    GRANT SELECT ON system.* TO {{ $db }};
 
     {{- end }}

clickhouse/clickhouseValues.yaml

@@ -158,15 +158,15 @@ resources: {}
   #   memory: 128Mi
 
 # -- Pod-level affinity. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
-affinity: {}
+affinity:
-  # nodeAffinity:
+  nodeAffinity:
-  #   requiredDuringSchedulingIgnoredDuringExecution:
+    requiredDuringSchedulingIgnoredDuringExecution:
-  #     nodeSelectorTerms:
+      nodeSelectorTerms:
-  #       - matchExpressions:
+      - matchExpressions:
-  #           - key: kubernetes.io/hostname
+        - key: kubernetes.io/hostname
-  #             operator: In
+          operator: NotIn
-  #             values:
+          values:
-  #               - my-node-xyz
+          - pi2
 
 # -- Pod-level tolerations. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
 tolerations: []

clickhouse/kustomization.yaml

@@ -1,5 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: tools
 
 helmGlobals:
  chartHome: charts

crowdsec/Chart.yaml

@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
   version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: crowdsec
   version: 0.20.1
   repository: https://crowdsecurity.github.io/helm-charts

crowdsec/iac/providers.tf

@@ -8,7 +8,7 @@ terraform {
 }
 
 provider "vault" {
-  address = "https://vault.arcodange.duckdns.org"
+  address = "https://vault.arcodange.lab"
   auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
     mount = "gitea_jwt"
     role  = "gitea_cicd_crowdsec"

crowdsec/values.yaml

@@ -24,10 +24,7 @@ crowdsec: &crowdsec_config
         value: Europe/Paris
   lapi:
     strategy:
-      type: RollingUpdate
+      type: Recreate
-      rollingUpdate:
-        maxUnavailable: 0
-        maxSurge: 1
     env:
       - name: TZ
         value: Europe/Paris
@@ -95,4 +92,4 @@ tool:
   repo: https://crowdsecurity.github.io/helm-charts
   chart: crowdsec
   version: 0.20.1
-  values: *crowdsec_config
+  values: *crowdsec_config

grafana/Chart.yaml

@@ -16,7 +16,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
   version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: grafana
   version: 10.3.0
   repository: https://grafana.github.io/helm-charts

grafana/values.yaml

@@ -270,11 +270,11 @@ grafana: &grafana_config
       traefik.ingress.kubernetes.io/router.entrypoints: websecure
       traefik.ingress.kubernetes.io/router.tls: "true"
       traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
-      traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
+      traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
-      traefik.ingress.kubernetes.io/router.tls.domains.0.sans: grafana.arcodange.duckdns.org
+      traefik.ingress.kubernetes.io/router.tls.domains.0.sans: grafana.arcodange.lab
       traefik.ingress.kubernetes.io/router.middlewares: localIp@file
     hosts:
-      - grafana.arcodange.duckdns.org
+      - grafana.arcodange.lab
 
   resources:
    limits:
@@ -553,11 +553,11 @@ grafana: &grafana_config
             username: arcodange
           secureJsonData:
             password: clickhousearcodange
-  #    - name: Prometheus
+        - name: Prometheus
-  #      type: prometheus
+          type: prometheus
-  #      url: http://prometheus-prometheus-server
+          url: http://prometheus-server.tools.svc.cluster.local
-  #      access: proxy
+          access: proxy
-  #      isDefault: true
+          isDefault: true
   #    - name: CloudWatch
   #      type: cloudwatch
   #      access: proxy
@@ -695,6 +695,15 @@ grafana: &grafana_config
           disableDeletion: false
           options:
             path: /var/lib/grafana/dashboards/clickhouse
+        - name: 'grafana-dashboards-kubernetes'
+          orgId: 1
+          folder: 'Kubernetes'
+          type: file
+          disableDeletion: true
+          editable: true
+          options:
+            path: /var/lib/grafana/dashboards/grafana-dashboards-kubernetes
+
         # - name: 'default'
         #   orgId: 1
         #   folder: ''
@@ -728,6 +737,26 @@ grafana: &grafana_config
         url: "https://grafana.com/api/dashboards/23589/revisions/1/download"
         curlOptions: "-sLf"
         datasource: clickhouse
+    
+    grafana-dashboards-kubernetes:
+      k8s-system-api-server:
+        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-api-server.json
+        token: ''
+      k8s-system-coredns:
+        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-coredns.json
+        token: ''
+      k8s-views-global:
+        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-global.json
+        token: ''
+      k8s-views-namespaces:
+        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-namespaces.json
+        token: ''
+      k8s-views-nodes:
+        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-nodes.json
+        token: ''
+      k8s-views-pods:
+        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-pods.json
+        token: ''
 
     # default:
     #   some-dashboard:

hashicorp-vault/Chart.yaml

@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
   version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: vault
   version: 0.28.1
   repository: https://helm.releases.hashicorp.com

hashicorp-vault/README.md

@@ -1,8 +1,8 @@
 # Vault
 
-1. Les [playbooks ansible](https://gitea.arcodange.duckdns.org/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action [une configuration vault via tofu](./iac/).
+1. Les [playbooks ansible](https://gitea.arcodange.lab/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action [une configuration vault via tofu](./iac/).
 2. Configuration des backend d'authentification et des roles pour postgres et kubernetes. Définition de rôles "${app}-ops" pour permettre au dépot d'une application de définir ses propres dépendances dans vault. Rotation de credentials postgres pour les applications.
-3. [Le dépot de l'application webapp](https://gitea.arcodange.duckdns.org/arcodange-org/webapp) gère l'obtention de ses crédentials pour postgres.
+3. [Le dépot de l'application webapp](https://gitea.arcodange.lab/arcodange-org/webapp) gère l'obtention de ses crédentials pour postgres.
 
 ```mermaid
 flowchart LR

hashicorp-vault/iac/providers.tf

@@ -8,7 +8,7 @@ terraform {
 }
 
 provider "vault" {
-  address = "https://vault.arcodange.duckdns.org"
+  address = "https://vault.arcodange.lab"
   auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
     mount = "gitea_jwt"
     role  = "gitea_cicd"

hashicorp-vault/iac/terraform.tfvars

@@ -1,6 +1,7 @@
 applications = [
   { name = "webapp" },
   { name = "erp" },
+  { name = "dance-lessons-coach" },
   {
     name                   = "cms"
     ops_policies               = ["factory__cf_r2_arcodange_tf"]

hashicorp-vault/values.yaml

@@ -15,11 +15,11 @@ vault: &vault_config
         traefik.ingress.kubernetes.io/router.entrypoints: websecure
         traefik.ingress.kubernetes.io/router.tls: "true"
         traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
-        traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
+        traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
-        traefik.ingress.kubernetes.io/router.tls.domains.0.sans: vault.arcodange.duckdns.org
+        traefik.ingress.kubernetes.io/router.tls.domains.0.sans: vault.arcodange.lab
         traefik.ingress.kubernetes.io/router.middlewares: localIp@file
       hosts:
-        - host: vault.arcodange.duckdns.org
+        - host: vault.arcodange.lab
           paths: []
 
   postStart: [] # https://github.com/hashicorp/vault-helm/blob/main/values.yaml

pgbouncer/Chart.yaml

@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
   version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: pgbouncer
   version: 2.3.1
   repository: https://icoretech.github.io/helm

pgbouncer/values.yaml

@@ -15,6 +15,7 @@ pgbouncer: &pgbouncer_config
       auth_query: SELECT uname, phash FROM user_lookup($1)
       ignore_startup_parameters: extra_float_digits # unsupported jdbc extra_float_digits=2 argument
       server_reset_query: DEALLOCATE ALL # fix prepared statement already exist (crowdsec)
+      server_idle_timeout: 7200
   pgbouncerExporter:
     enabled: false
 

pgcat/Chart.yaml

@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
   version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: pgcat
   version: 0.1.0
   repository: https://improwised.github.io/charts/

plausible/iac/providers.tf

@@ -8,7 +8,7 @@ terraform {
 }
 
 provider "vault" {
-  address = "https://vault.arcodange.duckdns.org"
+  address = "https://vault.arcodange.lab"
   auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
     mount = "gitea_jwt"
     role  = "gitea_cicd_plausible"

plausible/kustomization.yaml

@@ -1,12 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: tools
 
+# https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
 helmCharts:
 - name: plausible
   repo: https://charts.pascaliske.dev
   version: 2.0.0
   releaseName: plausible
   valuesFile: plausibleValues.yaml
+  namespace: tools
 
 patches:
   - target:
@@ -18,9 +21,9 @@ patches:
         value:
           certResolver: letsencrypt
           domains:
-          - main: arcodange.duckdns.org
+          - main: arcodange.lab
             sans:
-            - analytics.arcodange.duckdns.org
+            - analytics.arcodange.lab
 
 resources:
   - resources/vaultauth.yaml
@@ -28,6 +31,7 @@ resources:
   - resources/vaultsecret.yaml
   - resources/configmap.yaml
   - resources/geoipsecret.yaml
+  - resources/ingressroute.yaml
 
 patchesJson6902:
   - target:
@@ -43,6 +47,16 @@ patchesJson6902:
             secretKeyRef:
               name: plausible-geoip
               key: LICENSE_KEY
+      - op: replace
+        path: /spec/template/spec/containers/1/env/4
+        value:
+          name: GEOIPUPDATE_EDITION_IDS
+          value: "GeoLite2-Country GeoLite2-City"
+      - op: add
+        path: /spec/template/spec/containers/0/env/2
+        value:
+          name: IP_GEOLOCATION_DB
+          value: /geoip/GeoLite2-City.mmdb
       - op: add
         path: /spec/template/spec/volumes/-
         value:
@@ -59,6 +73,11 @@ patchesJson6902:
         value:
           - configMapRef:
               name: plausible-config
+      - op: replace
+        path: /spec/template/spec/initContainers/0/args
+        value:
+          - >-
+            sleep 10 && /entrypoint.sh db migrate
   - target:
       version: v1
       kind: Deployment

plausible/plausibleValues.yaml

@@ -58,7 +58,7 @@ ingressRoute:
   # -- List of [entry points](https://doc.traefik.io/traefik/routing/routers/#entrypoints) on which the ingress route will be available.
   entryPoints: [websecure]
   # -- [Matching rule](https://doc.traefik.io/traefik/routing/routers/#rule) for the underlying router.
-  rule: 'Host(analytics.arcodange.duckdns.org)'
+  rule: Host(`analytics.arcodange.lab`)
   # -- List of [middleware objects](https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/#kind-middleware) for the ingress route.
   middlewares:
     - name: localIp@file

plausible/resources/configmap.yaml

@@ -9,6 +9,13 @@ data:
   DB_PORT: !!str 5432
   DB_NAME: plausible
 
-  BASE_URL: https://analytics.arcodange.duckdns.org
+  BASE_URL: https://analytics.arcodange.lab
 
-  CLICKHOUSE_DATABASE_URL: http://plausible:plausiblearcodange@plausible.tools:8123/plausible
+  CLICKHOUSE_DATABASE_URL: http://plausible:plausiblearcodange@clickhouse.tools:8123/plausible
+
+
+  DB_POOL_SIZE: "30"
+  DB_QUEUE_TARGET: "10000"  # 10 secondes
+  DB_CONNECT_TIMEOUT: "30000"  # 30 secondes
+  DB_RECONNECT_ATTEMPTS: "5"
+  DB_RECONNECT_DELAY: "5000"

plausible/resources/ingressroute.yaml

@@ -0,0 +1,20 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: plausible-external
+  labels:
+    app.kubernetes.io/instance: plausible
+    app.kubernetes.io/name: plausible
+spec:
+  entryPoints:
+    - web
+  routes:
+    - kind: Rule
+      match: Host(`analytics.arcodange.fr`) && (PathPrefix(`/api/event`) || PathPrefix(`/js/`))
+      middlewares:
+        - name: kube-system-crowdsec@kubernetescrd
+      services:
+        - kind: Service
+          name: plausible-web
+          namespace: tools
+          port: 8000

prometheus/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: prometheus
+description: A Helm chart for Kubernetes
+
+dependencies:
+- name: tool
+  version: 0.1.0
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+- name: prometheus
+  version: 28.13.0
+  repository: https://prometheus-community.github.io/helm-charts
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+version: 0.1.0
+appVersion: "v3.10.0"

prometheus/templates/helm-chart-config.yaml

@@ -0,0 +1,3 @@
+{{- if eq .Values.tool.kind "HelmChart" -}}
+{{- include "tool.helm-chart-config.tpl" . -}}
+{{- end -}}

prometheus/templates/helm-chart.yaml

@@ -0,0 +1,3 @@
+{{- if eq .Values.tool.kind "HelmChart" -}}
+{{- include "tool.helm-chart.tpl" . -}}
+{{- end -}}

redis/Chart.yaml

@@ -16,7 +16,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
   version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: redis
   version: 2.1.0
   repository: https://charts.pascaliske.dev