diff --git a/Environments.md b/Environments.md new file mode 100644 index 0000000..4fb26bc --- /dev/null +++ b/Environments.md @@ -0,0 +1,101 @@ +# Environments + +## Variables +{WIP} + +## Secret + +{WIP} +### Encryption + +In regard of GitOps there is multiple way to handle encryption of secret that +live within a git repository. We recommending you to use [SOPS](https://getsops.io/) as +you encryption engine. + +We have already Setup a key [Private key](Path_to_sops_private_key) dedicated +to your namespace that will be able to decrypt any secret that you is in your git repository. + + +[`./sops.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/.sops.yaml) is the configuration file that will +handle how you secret will be encrypted while using sops. + +#### Quick Start + +To work with secret you'll need: +* [SOPS stable release](https://github.com/getsops/sops/releases) +* [age](https://age-encryption.org/) + +##### Create your own key + +###### Linux + +```shell +mkdir -p $XDG_CONFIG_HOME/sops/age +age-keygen -o $XDG_CONFIG_HOME/sops/age/keys.txt +``` +###### MacOS + +```shell +mkdir -p "$HOME/Library/Application Support/sops/age" +age-keygen -o "$HOME/Library/Application Support/sops/age/keys.txt" +``` +##### Propagate your Public key + +Edit the [`./sops.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/.sops.yaml) file and add your public key +that you have generated previously. + +Please notice that you can copy this file into any subfolder of your project in case you need to have different keys depending +on your secrets file. This is useful to limit who has access to the production secrets while all developers might have access to +the dev secrets. + + +```shell +$ cat .sops.yaml + --- + + # This example uses YAML anchors which allows reuse of multiple keys + # without having to repeat yourself. + # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml + # for a more complex example. + keys: + age: + - &cluster_age_key age13jnzxrtrghlh8zvc9q3d8yd2a9xdp8jset72l8dwz6pept3j3c0qkmxd47 + - &YOUR_KEY_NAME + creation_rules: + - path_regex: .+secret(\.sops)?\.ya?ml + input_type: yaml + encrypted_regex: ^(data|stringData)$ + key_groups: + - age: &key_groups + - *cluster_age_key + - *YOUR_KEY_NAME + - path_regex: .+secret(\.sops)?\.env + input_type: env + key_groups: + - age: *key_groups + stores: + yaml: + indent: 2 +``` +##### Create your first secret + +``` +$ sops name_of_you_file.secret.sops.yaml + +``` +You can then deploy it the cluster will be able to Decrypt it using it's public +key + +##### Rewrapping secret + +In case add/remove a key secret generated previously will need to be +reencrypted with the appropriate key. We have place a [shell +script](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/scripts/rewrap-secrets.sh) that will do that for you. + +It will reencrypt all the secret that it will find in folder and subfolder +following the .sops.yaml rules files of your directory. + + +| :boom: INFOS | +|:----------------------------| +| You can have as many .sops.yaml file as you want in your repository | diff --git a/Tenant--Wiki.md b/Tenant--Wiki.md index 159eb7a..9c27a3b 100644 --- a/Tenant--Wiki.md +++ b/Tenant--Wiki.md @@ -4,11 +4,13 @@ ## About Git Ops This repository is already fully configured to work in a GitOps Way -(https://www.gitops.tech/#what-is-gitops). We use [`FluxCD`](#Flux-Doc) has our +(https://www.gitops.tech/#what-is-gitops). We use [`FluxCD`](https://fluxcd.io/flux/) has our GitOps Tools. We highly recommand to take advantage of that setup to deploy your application however it's not mandatory and you can use another way to ship them. +All example above is taking tenant-tpl as a our 'Tenant name' + ### Our Flux Setup `Repository Overview` @@ -16,36 +18,122 @@ them. ```shell . ├── echo-server -│   ├── app -│   │   ├── helmrelease.yaml -│   │   └── kustomization.yaml -│   └── ks.yaml +│ ├── app +│ │ └── helmrelease.yaml +│ └── ks.yaml ├── kustomization.yaml ├── README.md -└── repos - ├── helm - │   ├── bjw-s.yaml - │   └── kustomization.yaml - └── kustomization.yaml +├── repos +│ ├── helm +│ │ └── bjw-s.yaml +│ └── ks.yaml +├── scripts +│ └── rewrap-secrets.sh +└── vars + ├── ks.yaml + └── tenant-tpl + ├── cluster-settings.yaml + └── README.md + ``` -We use the [`./kustomization.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/kustomization.yaml) as our -main entrypoint that will include our [flux -kustomization](https://fluxcd.io/flux/components/kustomize/kustomizations/). - -[`./echo-server/ks.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/echo-server/ks.yaml) Is a good example -on how create new flux kustomization definition you could use it as a template -for your next kusto. You'll find inside a breakdown and comments on line that -are mandatory. - -The echo-server [helmrelease](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/echo-server/app/helmrelease.yaml) is -example of a simple application that is accessible at a given URI. It use the -helmchart template [bjw-s.yaml](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/repos/helm/bjw-s.yaml). This chart -should cover pretty much all you need to deploy an app. +`Flux Organisation` -## How To +`$ flux get all -n tenant-tpl` -### SSL and DNS +```mermaid +flowchart TD + A["Git Repository: tenant-repos"]:::gitRepo + + subgraph Kustomization + B["kustomization/tenant-apps"]:::mainEntry + end + + F["helmrepository/bjw-s"]:::helmRepo + G["helmchart/tenant-tpl-echo-server"]:::helmChart + H["helmrelease/echo-server"]:::helmRelease + + I["kustomization/echo-server"]:::echoServer + J["kustomization/repos-sync"]:::reposSync + K["kustomization/vars"]:::vars + + A --> B + B --> C["vars/ks.yaml"] + B --> D["repos/ks.yaml"] + B --> E["echo-server/ks.yaml"] + E --> I + D --> J + C --> K + I --> H + J --> F + K --> G + + classDef gitRepo fill:#d1e7dd,stroke:#0f5132,stroke-width:2px; + classDef mainEntry fill:#fff3cd,stroke:#856404,stroke-width:2px; + classDef helmRepo fill:#d1ecf1,stroke:#0c5460,stroke-width:2px; + classDef helmChart fill:#ede7f6,stroke:#4a148c,stroke-width:2px; + classDef helmRelease fill:#f8d7da,stroke:#721c24,stroke-width:2px; + classDef echoServer fill:#ffe6e6,stroke:#cc0000,stroke-width:2px; + classDef reposSync fill:#d4edda,stroke:#155724,stroke-width:2px; + classDef vars fill:#d1ecf1,stroke:#0c5460,stroke-width:2px; + +``` +tenant-apps Is the main entry point and is not +defined within your git Repository but while we are creating the tenant for +you. + + +kustomization/echo-server +This is example application. While it's just an example it already does quite a +lot such as. +* Deploying an application using the `bjw-s` helm chart. +* Exposing the application to the internet using a SSL certificate. +* Requesting persistent storage + +[`./echo-server/app/helmrelease.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/echo-server/app/helmrelease.yaml) + +**This is a very good example to begin with and we will refer to it very much.** + +kustomization/repos-sync +If you ever need to import a helm repository in your namespace this is the +right place. You'll find an already working example with the `bjw-s` repository +imported. + + +kustomization/vars + +Here we are defining our applications secret or variables. Please refers to [vars](var) + +### Usefull Links + +* [flux kustomization](https://fluxcd.io/flux/components/kustomize/kustomizations/) +* [bjw-s template helmchart](https://bjw-s.github.io/helm-charts/docs/app-template/) + +# How to + + +```toctree + :maxdepth: 2 + :caption: Contents + + Environments + Variables + Secret + Encryption + Storage + Persistent Storage + Object Storage + Database + PostgreSQL + MongoDB + Exposing your application + SSL + Certificate + Domain + + + +# SSL and DNS #### Bring your own certificate and domain @@ -85,96 +173,3 @@ data: accessMode: ReadWriteOnce size: 1Gi ``` -### Secret Encryption - -In regard of GitOps there is multiple way to handle encryption of secret that -live within a git repository. We recommending you to use [SOPS](https://getsops.io/) as -you encryption engine. - -We have already Setup a key [Private key](Path_to_sops_private_key) dedicated -to your namespace that will be able to decrypt any secret that you is in your git repository. - - -[`./sops.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/.sops.yaml) is the configuration file that will -handle how you secret will be encrypted while using sops. - -#### Quick Start - -To work with secret you'll need: -* [SOPS stable release](https://github.com/getsops/sops/releases) -* [age](https://age-encryption.org/) - -##### Create your own key - -###### Linux - -```shell -mkdir -p $XDG_CONFIG_HOME/sops/age -age-keygen -o $XDG_CONFIG_HOME/sops/age/keys.txt -``` -###### MacOS - -```shell -mkdir -p "$HOME/Library/Application Support/sops/age" -age-keygen -o "$HOME/Library/Application Support/sops/age/keys.txt" -``` -##### Propagate your Public key - -Edit the [`./sops.yaml`](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/.sops.yaml) file and add your public key -that you have generated previously. - -Please notice that you can copy this file into any subfolder of your project in case you need to have different keys depending -on your secrets file. This is useful to limit who has access to the production secrets while all developers might have access to -the dev secrets. - - -```shell -$ cat .sops.yaml - --- - - # This example uses YAML anchors which allows reuse of multiple keys - # without having to repeat yourself. - # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml - # for a more complex example. - keys: - age: - - &cluster_age_key age13jnzxrtrghlh8zvc9q3d8yd2a9xdp8jset72l8dwz6pept3j3c0qkmxd47 - - &YOUR_KEY_NAME - creation_rules: - - path_regex: .+secret(\.sops)?\.ya?ml - input_type: yaml - encrypted_regex: ^(data|stringData)$ - key_groups: - - age: &key_groups - - *cluster_age_key - - *YOUR_KEY_NAME - - path_regex: .+secret(\.sops)?\.env - input_type: env - key_groups: - - age: *key_groups - stores: - yaml: - indent: 2 -``` -##### Create your first secret - -``` -$ sops name_of_you_file.secret.sops.yaml - -``` -You can then deploy it the cluster will be able to Decrypt it using it's public -key - -##### Rewrapping secret - -In case add/remove a key secret generated previously will need to be -reencrypted with the appropriate key. We have place a [shell -script](https://git.kvant.cloud/phoenix/tenant-tpl/src/branch/main/scripts/rewrap-secrets.sh) that will do that for you. - -It will reencrypt all the secret that it will find in folder and subfolder -following the .sops.yaml rules files of your directory. - - -| :boom: INFOS | -|:----------------------------| -| You can have as many .sops.yaml file as you want in your repository |