diff --git a/kubernetes/apps/stealth-gateway/kustomization.yaml b/kubernetes/apps/stealth-gateway/kustomization.yaml deleted file mode 100644 index 8089c0281..000000000 --- a/kubernetes/apps/stealth-gateway/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./stealth-gateway/ks.yaml diff --git a/kubernetes/apps/stealth-gateway/namespace.yaml b/kubernetes/apps/stealth-gateway/namespace.yaml deleted file mode 100644 index 9f760af3c..000000000 --- a/kubernetes/apps/stealth-gateway/namespace.yaml +++ /dev/null @@ -1,39 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: stealth-gateway - annotations: - kustomize.toolkit.fluxcd.io/prune: disabled - labels: - pod-security.kubernetes.io/enforce: privileged ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json -apiVersion: notification.toolkit.fluxcd.io/v1beta3 -kind: Provider -metadata: - name: alert-manager - namespace: stealth-gateway -spec: - type: alertmanager - address: http://alertmanager-operated.observability.svc.cluster.local:9093/api/v2/alerts/ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json -apiVersion: notification.toolkit.fluxcd.io/v1beta3 -kind: Alert -metadata: - name: alert-manager - namespace: stealth-gateway -spec: - providerRef: - name: alert-manager - eventSeverity: error - eventSources: - - kind: HelmRelease - name: "*" - exclusionList: - - "error.*lookup github\\.com" - - "error.*lookup raw\\.githubusercontent\\.com" - - "dial.*tcp.*timeout" - - "waiting.*socket" - suspend: false diff --git a/kubernetes/apps/stealth-gateway/stealth-gateway/app/certificate.yaml b/kubernetes/apps/stealth-gateway/stealth-gateway/app/certificate.yaml deleted file mode 100644 index 77dad8e83..000000000 --- a/kubernetes/apps/stealth-gateway/stealth-gateway/app/certificate.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: stealth-gateway-pod-gateway-webhook-tls -spec: - secretName: stealth-gateway-pod-gateway-webhook-tls - duration: 2160h # 90d - issuerRef: - name: cluster-ca - kind: ClusterIssuer - group: cert-manager.io - dnsNames: - - stealth-gateway-pod-gateway-webhook - - stealth-gateway-pod-gateway-webhook.stealth-gateway - - stealth-gateway-pod-gateway-webhook.stealth-gateway.svc diff --git a/kubernetes/apps/stealth-gateway/stealth-gateway/app/helmrelease.yaml b/kubernetes/apps/stealth-gateway/stealth-gateway/app/helmrelease.yaml deleted file mode 100644 index 10733a715..000000000 --- a/kubernetes/apps/stealth-gateway/stealth-gateway/app/helmrelease.yaml +++ /dev/null @@ -1,185 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app stealth-gateway -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.3.2 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - driftDetection: - mode: enabled - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - pod-gateway: - annotations: - reloader.stakater.com/auto: "true" - initContainers: - routes: - image: - repository: ghcr.io/jfroy/pod-gateway - tag: v1.11.1@sha256:b90b6db742a8e9b2c42a1766d3e22a07d82dd385758ef8c7414b97bc51892262 - command: - - /bin/gateway_init.sh - securityContext: - capabilities: - add: - - NET_ADMIN - containers: - pod-gateway: - image: - repository: ghcr.io/jfroy/pod-gateway - tag: v1.11.1@sha256:b90b6db742a8e9b2c42a1766d3e22a07d82dd385758ef8c7414b97bc51892262 - command: - - /bin/gateway_sidecar.sh - securityContext: - capabilities: - add: - - NET_ADMIN - ports: - - name: vxlan - containerPort: 4789 - protocol: UDP - netshoot: - image: - repository: ghcr.io/nicolaka/netshoot - tag: v0.13@sha256:a20c2531bf35436ed3766cd6cfe89d352b050ccc4d7005ce6400adf97503da1b - command: - - /bin/sh - - -c - - sleep infinity - securityContext: - capabilities: - add: - - NET_ADMIN - gluetun: - image: - repository: ghcr.io/qdm12/gluetun - tag: v3.39.0@sha256:2f011a9aca767af62008d879eefcbc80a8645bd4fd4466ab312cc941cb658ad1 - env: - DOT: "off" - FIREWALL: "off" - HEALTH_VPN_DURATION_INITIAL: 30s - TZ: America/Los_Angeles - envFrom: - - secretRef: - name: stealth-gateway-gluetun-secret - resources: - requests: - cpu: 15m - memory: 64Mi - limits: - memory: 128Mi - securityContext: - capabilities: - add: - - NET_ADMIN - pod-gateway-webhook: - annotations: - reloader.stakater.com/auto: "true" - containers: - webhook: - image: - repository: ghcr.io/jfroy/gateway-admision-controller - tag: v3.11.1@sha256:9c8153eb36165624505773661d2212b4540bec3ab2f8e48d5056b46647a954a4 - args: - - --webhook-listen-address=:8080 - - --gateway=stealth-gateway-pod-gateway.stealth-gateway.svc.cluster.local - - --DNS=172.16.0.1 - - --secretName=stealth-gateway-secret - - --setGatewayLabel=stealth-gateway - - --setGatewayAnnotation=stealth-gateway - # Static - - --tls-cert-file-path=/tls/tls.crt - - --tls-key-file-path=/tls/tls.key - - --DNSPolicy=None - # renovate: datasource=docker depName=ghcr.io/jfroy/pod-gateway - - --initImage=ghcr.io/jfroy/pod-gateway:v1.11.1@sha256:b90b6db742a8e9b2c42a1766d3e22a07d82dd385758ef8c7414b97bc51892262 - - --initImagePullPol=IfNotPresent - - --initCmd=/bin/client_init.sh - - --initMountPoint=/config - # renovate: datasource=docker depName=ghcr.io/jfroy/pod-gateway - - --sidecarImage=ghcr.io/jfroy/pod-gateway:v1.11.1@sha256:b90b6db742a8e9b2c42a1766d3e22a07d82dd385758ef8c7414b97bc51892262 - - --sidecarImagePullPol=IfNotPresent - - --sidecarCmd=/bin/client_sidecar.sh - - --sidecarMountPoint=/config - ports: - - name: http - containerPort: 8080 - protocol: TCP - probes: - readiness: &probe - enabled: true - custom: true - spec: - httpGet: - path: /wh/health - port: 8080 - scheme: HTTPS - initialDelaySeconds: 1 - timeoutSeconds: 10 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 5 - liveness: *probe - startup: - enabled: true - custom: true - spec: - httpGet: - path: /wh/health - port: 8080 - scheme: HTTPS - timeoutSeconds: 1 - periodSeconds: 1 - successThreshold: 1 - failureThreshold: 30 - service: - pod-gateway: - controller: pod-gateway - type: ClusterIP - clusterIP: None - ports: - vxlan: - protocol: UDP - port: 4789 - targetPort: vxlan - pod-gateway-webhook: - controller: pod-gateway-webhook - ports: - http: - protocol: TCP - port: 8080 - targetPort: http - persistence: - config: - type: secret - name: stealth-gateway-secret - advancedMounts: - pod-gateway: - routes: - - path: /config - pod-gateway: - - path: /config - certificates: - type: secret - name: stealth-gateway-pod-gateway-webhook-tls - advancedMounts: - pod-gateway-webhook: - webhook: - - path: /tls diff --git a/kubernetes/apps/stealth-gateway/stealth-gateway/app/kustomization.yaml b/kubernetes/apps/stealth-gateway/stealth-gateway/app/kustomization.yaml deleted file mode 100644 index e409f78f0..000000000 --- a/kubernetes/apps/stealth-gateway/stealth-gateway/app/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./certificate.yaml - - ./helmrelease.yaml - - ./secret.sops.yaml - - ./webhook.yaml diff --git a/kubernetes/apps/stealth-gateway/stealth-gateway/app/secret.sops.yaml b/kubernetes/apps/stealth-gateway/stealth-gateway/app/secret.sops.yaml deleted file mode 100644 index 31a34e8c4..000000000 --- a/kubernetes/apps/stealth-gateway/stealth-gateway/app/secret.sops.yaml +++ /dev/null @@ -1,72 +0,0 @@ -# Source: pod-gateway/templates/configmap.yaml -apiVersion: v1 -kind: Secret -metadata: - name: stealth-gateway-secret - annotations: - reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: default - reflector.v1.k8s.emberstack.com/reflection-allowed: "true" - reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" -type: Opaque -stringData: - settings.sh: ENC[AES256_GCM,data:L3jnLIPTLaqdHwAS7XMVq8ZC+aeRGCbWp+TFHrSPp7TDn4u3+ScwqaNuaB6rDD6NywbAoko587E2ks+9BW14lHWPMR3MzUX/QixXgv2NDdkSmnodvphclvGiHTWZG3MsXrLtz1/b1kcuPlrvEJ5qOriADyr24yRuooS7mAtkAvsMcphv/3sci6UWd2mW2u8GwFea//JurMI5laOyshKwmDaT0gVIPbBnnFyJC55Lpa1vGUy/UvrE+J81CrS/UodXF3vdM7xLDjEzwN1Fwg9nnmgzNkFSBE4gCnS/t2EAFfwhgJYc4gB6muhsruBMAnVc1uBzOEmhn2wTj7cf7c0ynsmHB1G8zZ6/iLa/jxACJWglOKVmqJz8jQW1YY7J/u8=,iv:r+BIFwHWPP6Ycv3nFflzUtf0ORyHprPgYCsjhuIbb5U=,tag:bbz7YTMaEfN2O1EWLgVq1w==,type:str] - nat.conf: ENC[AES256_GCM,data:JLCyEVq/l8UiVs5EGm9lX5UaGvUbgL2GZMRyhW0waodJdWA=,iv:SJnBzByvHWe4MqZ2sTTGJoR+jw/F/dpaHOFudojLHag=,tag:1SnZtTks+z0155L/TYmbDw==,type:str] - nat6.conf: "" -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbHdvdHJPSS9nMWxHSElv - T0FtQVU3M0VrWE5WTGUzTkU4TGhPTk8vUGdRCmJPTUJZZk1ZL0tGRXpLT2h2enhI - MFlBdFhCMHB6M1pYSEllTTlhekF5akEKLS0tIDQxb1ZmQ3BoVE5iTHRmOTc1a1lB - R0o2M0w2SGxPUzU0UTkyV0Nad01LNjAKdFDcSK8ZncOoJhL+mxn3EBL/VpdP3hn0 - 7jYQuTh2lB0/tgz5zPiaNlaPpPYAXx2zmxtv41AJem3YRgpTa63vNg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-30T04:35:37Z" - mac: ENC[AES256_GCM,data:DkFR0BQ7lQW79gcFCFh2FpLVMibLCbX6nTpF4BtO1emGaXB3R9CGjeeSH/Rvo3XarG61IycVVg7F+PAV+RbZxuOHIIMRz3cpI82HmK7WMNRmYpjtauKktYoLReB60Jjqdkg/DnkSEJEURQP1mqs0A5KNeMVFo/xgO/NunCGCzcs=,iv:Yu1YDwWAI6aYw+l7Zhkg2FV7llk4Q1Qp9mqY8HZEGks=,tag:Z4TsVq3mbpIf29nC0Lw60g==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData|password)$ - version: 3.8.1 ---- -apiVersion: v1 -kind: Secret -metadata: - name: stealth-gateway-gluetun-secret -type: Opaque -stringData: - FIREWALL_VPN_INPUT_PORTS: ENC[AES256_GCM,data:nuSCqh/pTiJt8w==,iv:L79mv9xxx0d/cvOWrOrXnF2XxD21+s++WHnj7X4/wPE=,tag:qwP16DSnJVY8AyXKzsq6bw==,type:str] - SERVER_COUNTRIES: ENC[AES256_GCM,data:rAdbclbYQJcX0g636Q==,iv:RZ77dBy2KBCYO7Oz6fAG4oDyeinuonSVmxTE/HN6QHs=,tag:O9JkXdgKMyOk7wJXoQTMpQ==,type:str] - VPN_INTERFACE: ENC[AES256_GCM,data:uyyN,iv:7GpPfYbL0DsB3aM0oGH7UBFoa2OCuCbvGrWcqqkqYzQ=,tag:wpq+zz3KEWr4bMiP3YYYHQ==,type:str] - VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:lfFUYGEp,iv:AfslS1/suJsL68y0S403x1VOuwx2C4yNzowEKIbPUsw=,tag:zSXAnYqdj2AhSm945tIbig==,type:str] - VPN_TYPE: ENC[AES256_GCM,data:/A/8NdTrGxCx,iv:hG5VbTSr/Ln1jOcYXfOajHe55rmL5UQnrxfRaNvuMNw=,tag:mVpJaIPi8hiKHFD+Tuv6WA==,type:str] - WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:kYcrIKrcrj0WQ5cnTjlCfg==,iv:KB1C97Wx1segZEeIWmnIuvUg/tz8dS8V/NyRBXA6nJ4=,tag:XeglVneDMpFE5Kd9zZt2TA==,type:str] - WIREGUARD_DNS: ENC[AES256_GCM,data:E2hWmsTK6npgoQ==,iv:aWEzwKNCBXNVRlB+cEssW/C5Pv0KuqDYrzO6Xh/T0Bc=,tag:V61/LGb+voISrHYRNmoR8A==,type:str] - WIREGUARD_MTU: ENC[AES256_GCM,data:mQF7HQ==,iv:LR7iqJkq+Q5ObstxSZ3x113zlZL3sAXXRj/VVHQYWiI=,tag:q1t1XrhagY5CiRCPpmyOIw==,type:str] - WIREGUARD_PRESHARED_KEY: ENC[AES256_GCM,data:VpoB/F08Zn+IcRR6c6r2LnERHk8x0ROYIuaiHwAkIdF2WiLEtH1bWlx4iK4=,iv:qWjWIO+AtLOa98mK1DGc28OKilKKH0FHF+ji44IZgOU=,tag:N1xj96d2A4Bxkv4vzvmnYw==,type:str] - WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:Bm8zIrzyCHhHsqvvaUrNJAFhSS5HPhZRFvjU/qkSk6kW4hItei8iaUOBGEQ=,iv:VroXHon6BwilYtgft5FOJoFwQ73JkSEsOs6/AaqI1f0=,tag:CbsG8Dxr3jBKP2KHJ0jE2w==,type:str] - WIREGUARD_PUBLIC_KEY: ENC[AES256_GCM,data:gtdmwCabrmWmzLu3Da7K8FX3ePjpyksIGNb7Ls00dAqtosl3WOEtH+LcXX4=,iv:vOGeMwinpf2fpEb9ZfqD9eJ+kl7qo17HAecnWTWq4i0=,tag:IdepDk/MxQIRRwimPdHJ4Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbHdvdHJPSS9nMWxHSElv - T0FtQVU3M0VrWE5WTGUzTkU4TGhPTk8vUGdRCmJPTUJZZk1ZL0tGRXpLT2h2enhI - MFlBdFhCMHB6M1pYSEllTTlhekF5akEKLS0tIDQxb1ZmQ3BoVE5iTHRmOTc1a1lB - R0o2M0w2SGxPUzU0UTkyV0Nad01LNjAKdFDcSK8ZncOoJhL+mxn3EBL/VpdP3hn0 - 7jYQuTh2lB0/tgz5zPiaNlaPpPYAXx2zmxtv41AJem3YRgpTa63vNg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-30T04:35:37Z" - mac: ENC[AES256_GCM,data:DkFR0BQ7lQW79gcFCFh2FpLVMibLCbX6nTpF4BtO1emGaXB3R9CGjeeSH/Rvo3XarG61IycVVg7F+PAV+RbZxuOHIIMRz3cpI82HmK7WMNRmYpjtauKktYoLReB60Jjqdkg/DnkSEJEURQP1mqs0A5KNeMVFo/xgO/NunCGCzcs=,iv:Yu1YDwWAI6aYw+l7Zhkg2FV7llk4Q1Qp9mqY8HZEGks=,tag:Z4TsVq3mbpIf29nC0Lw60g==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData|password)$ - version: 3.8.1 diff --git a/kubernetes/apps/stealth-gateway/stealth-gateway/app/webhook.yaml b/kubernetes/apps/stealth-gateway/stealth-gateway/app/webhook.yaml deleted file mode 100644 index 093402af0..000000000 --- a/kubernetes/apps/stealth-gateway/stealth-gateway/app/webhook.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: stealth-gateway-pod-gateway - annotations: - cert-manager.io/inject-ca-from: stealth-gateway/stealth-gateway-pod-gateway-webhook-tls -webhooks: - - name: stealth-gateway-pod-gateway.svc.cluster.local - namespaceSelector: - matchLabels: - stealth-gateway: "true" - rules: - - apiGroups: [""] - apiVersions: ["v1"] - operations: ["CREATE","UPDATE"] - resources: ["pods"] - scope: Namespaced - clientConfig: - service: - namespace: stealth-gateway - name: stealth-gateway-pod-gateway-webhook - path: /wh/mutating/setgateway - port: 8080 - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 10 diff --git a/kubernetes/apps/stealth-gateway/stealth-gateway/ks.yaml b/kubernetes/apps/stealth-gateway/stealth-gateway/ks.yaml deleted file mode 100644 index e15a36a3a..000000000 --- a/kubernetes/apps/stealth-gateway/stealth-gateway/ks.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app stealth-gateway - namespace: flux-system -spec: - targetNamespace: stealth-gateway - commonMetadata: - labels: - app.kubernetes.io/name: pod-gateway - app.kubernetes.io/instance: *app - dependsOn: - - name: cert-manager-issuers - path: ./kubernetes/apps/stealth-gateway/stealth-gateway/app - prune: true - sourceRef: - kind: GitRepository - name: home-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m