From 9d078e6c9de50f85f22db558ff6e93fc1073389c Mon Sep 17 00:00:00 2001
From: LordMathis
Date: Mon, 30 Dec 2024 15:37:25 +0100
Subject: [PATCH] Use variable susbtitution in manifests

---
 .../authelia/forward-auth-middleware.yaml | 2 +-
 apps/prod/authelia/values.yaml | 10 +++----
 apps/prod/gitea/ingress.yaml | 2 +-
 apps/prod/gitea/values.yaml | 6 ++---
 apps/prod/k9s-web/ingress.yaml | 2 +-
 apps/prod/lemma/ingress.yaml | 2 +-
 clusters/prod/cluster-vars/secret.enc.yaml | 27 ++++++++++---------
 .../configs/cert-manager/certificate.yaml | 4 +--
 .../configs/cert-manager/issuer.yaml | 2 +-
 .../controllers/traefik/values.yaml | 2 +-
 10 files changed, 30 insertions(+), 29 deletions(-)

diff --git a/apps/prod/authelia/forward-auth-middleware.yaml b/apps/prod/authelia/forward-auth-middleware.yaml
index b1e704f..1e2b549 100644
--- a/apps/prod/authelia/forward-auth-middleware.yaml
+++ b/apps/prod/authelia/forward-auth-middleware.yaml
@@ -6,7 +6,7 @@ metadata:
 namespace: auth
 spec:
 forwardAuth:
- address: 'http://authelia.auth.svc.cluster.local/api/authz/forward-auth?authelia_url=https%3A%2F%2Fauth.example.com'
+ address: 'http://authelia.auth.svc.cluster.local/api/authz/forward-auth?authelia_url=https%3A%2F%2F${AUTHELIA_DOMAIN}'
 trustForwardHeader: true
 authResponseHeaders:
 - "Remote-User"
diff --git a/apps/prod/authelia/values.yaml b/apps/prod/authelia/values.yaml
index ce5f59d..a51460f 100644
--- a/apps/prod/authelia/values.yaml
+++ b/apps/prod/authelia/values.yaml
@@ -1,5 +1,5 @@
 # /apps/prod/authelia/values.yaml
-domain: 'example.com'
+domain: '${DOMAIN}'
 configMap:
 authentication_backend:
 file:
@@ -11,7 +11,7 @@ configMap:
 enabled: false
 access_control:
 rules:
- - domain: '*.example.com'
+ - domain: '*.${DOMAIN}'
 policy: one_factor
 server:
 endpoints:
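Review bot: The new `address` line splices `${AUTHELIA_DOMAIN}` into an already percent-encoded `authelia_url` query value, so the substituted value has to be a bare host name: the `https://` prefix is encoded as `https%3A%2F%2F` in front of it, and a value carrying a scheme, port or path would land in the query string unencoded. Nothing in the manifest records that contract, even though the same variable is also used as a plain host in `matchOverride` and `authelia_url` in `apps/prod/authelia/values.yaml`. A comment above the line, `# AUTHELIA_DOMAIN must be a bare host name; the https:// prefix is already percent-encoded in the query string`, would make the constraint visible to whoever next edits the cluster-vars Secret.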
@@ -22,8 +22,8 @@ configMap:
 redis:
 enabled: false
 cookies:
- - domain: 'example.com'
- authelia_url: 'https://auth.example.com'
+ - domain: '${DOMAIN}'
+ authelia_url: 'https://${AUTHELIA_DOMAIN}'
 name: 'authelia_session'
 storage:
 local:
@@ -51,6 +51,6 @@ ingress:
 ingressClassName: "traefik"
 traefikCRD:
 enabled: true
- matchOverride: Host(`auth.example.com`)
+ matchOverride: Host(`${AUTHELIA_DOMAIN}`)
 entryPoints:
 - "websecure"
\ No newline at end of file
diff --git a/apps/prod/gitea/ingress.yaml b/apps/prod/gitea/ingress.yaml
index 4edd952..a0ec9cf 100644
--- a/apps/prod/gitea/ingress.yaml
+++ b/apps/prod/gitea/ingress.yaml
@@ -8,7 +8,7 @@ spec:
 entryPoints:
 - websecure
 routes:
- - match: Host(`git.example.com`)
+ - match: Host(`${GITEA_DOMAIN}`)
 kind: Rule
 services:
 - name: gitea-http
diff --git a/apps/prod/gitea/values.yaml b/apps/prod/gitea/values.yaml
index c892299..98fe8e0 100644
--- a/apps/prod/gitea/values.yaml
+++ b/apps/prod/gitea/values.yaml
@@ -24,7 +24,7 @@ image:
 gitea:
 admin:
 existingSecret: gitea-admin-secret
- email: "admin@example.com"
+ email: "${GITEA_ADMIN_EMAIL}"
 config:
 actions:
 ENABLED: true
@@ -40,8 +40,8 @@ gitea:
 TYPE: channel
 server:
 BUILTIN_SSH_SERVER_USER: git
- ROOT_URL: https://git.example.com
- DOMAIN: git.example.com
+ ROOT_URL: https://${GITEA_DOMAIN}
+ DOMAIN: ${GITEA_DOMAIN}
 SSH_CREATE_AUTHORIZED_KEYS_FILE: false
 LANDING_PAGE: explore
 service:
diff --git a/apps/prod/k9s-web/ingress.yaml b/apps/prod/k9s-web/ingress.yaml
index b51c2c9..0b993f9 100644
--- a/apps/prod/k9s-web/ingress.yaml
+++ b/apps/prod/k9s-web/ingress.yaml
@@ -7,7 +7,7 @@ spec:
 entryPoints:
 - websecure
 routes:
- - match: Host(`k9s.example.com`)
+ - match: Host(`${K9S_DOMAIN}`)
 kind: Rule
 middlewares:
 - name: "auth-authelia@kubernetescrd"
diff --git a/apps/prod/lemma/ingress.yaml b/apps/prod/lemma/ingress.yaml
index 5e8c2e5..9b803d3 100644
--- a/apps/prod/lemma/ingress.yaml
+++ b/apps/prod/lemma/ingress.yaml
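Review bot: In the `@@ -40,8 +40,8 @@` hunk of `apps/prod/gitea/values.yaml`, `ROOT_URL: https://${GITEA_DOMAIN}` and `DOMAIN: ${GITEA_DOMAIN}` are plain scalars while `email: "${GITEA_ADMIN_EMAIL}"` in the hunk just above is quoted, and `email: ${LETSENCRYPT_EMAIL}` in `infrastructure/configs/cert-manager/issuer.yaml` is plain as well. If the substitution step ever expands a variable to nothing, an unquoted `${...}` leaves a bare `key:` that parses as YAML null, whereas the quoted form stays an empty string, and the consumer may treat those two cases differently; quoting every substituted value the same way removes that ambiguity and makes the intent uniform across the patch. Suggested: `ROOT_URL: "https://${GITEA_DOMAIN}"` and `DOMAIN: "${GITEA_DOMAIN}"`, with the issuer line becoming `email: "${LETSENCRYPT_EMAIL}"`.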
@@ -7,7 +7,7 @@ spec:
 entryPoints:
 - websecure
 routes:
- - match: Host(`lemma.example.com`)
+ - match: Host(`${LEMMA_DOMAIN}`)
 kind: Rule
 services:
 - name: lemma-http
diff --git a/clusters/prod/cluster-vars/secret.enc.yaml b/clusters/prod/cluster-vars/secret.enc.yaml
index 4ea4b84..68d4c99 100644
--- a/clusters/prod/cluster-vars/secret.enc.yaml
+++ b/clusters/prod/cluster-vars/secret.enc.yaml
@@ -4,12 +4,13 @@ metadata:
 name: cluster-vars-prod
 namespace: flux-system
 stringData:
- DOMAIN: ENC[AES256_GCM,data:95H2LGPNDZWu,iv:dPZncDMxmt80FgX2Kzc3u4Tw3ZN5XxNm1W9RExxkozw=,tag:OPCTvLJesJ7OzmZ4/c04sQ==,type:str]
- GITEA_DOMAIN: ENC[AES256_GCM,data:6eDeGcMQp71VTjRUfA==,iv:KtCy5YQeV4tY8xzFuH2y2Yp8QWzK7ZOSuWdKhihklgU=,tag:PkdH/n01nHWCyaAW4QwoPg==,type:str]
- AUTHELIA_DOMAIN: ENC[AES256_GCM,data:iWiuvZ5U0rCH64IOe3k=,iv:8WaB4ukSauuzmdD+TlKCVlNE2opox+XlVVjr+ER9mH0=,tag:oLWQ4r+LgzRpHTuU2mu+Xw==,type:str]
- TRAEFIK_DOMAIN: ENC[AES256_GCM,data:QC1SpkDPrqZm+sc3e1Tv8So=,iv:YQLzZNP4+D7EcCJYYMygsFfHAjNIh12q449ensSmcc8=,tag:l6HnN4GBq9+9TynWzZCTng==,type:str]
- LEMMA_DOMAIN: ENC[AES256_GCM,data:3+HM+wE0SZeceyAJGx9e,iv:TrOp/Lcf+Ka3RlusoBvmhOVIbRquJ7fHK/ThXSkU4SU=,tag:kGwqvbHQ4jgQ6lbz+9zvKw==,type:str]
- LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:932hjsPXXEzeeMRoCxScU0YsKo0iwDE=,iv:aVnK22akFCamQMWC+pgmhN1Ok8RUwRJ7RCrqryJUiaU=,tag:e7QZYNeR2QRJg94BRRqZSw==,type:str]
+ DOMAIN: ENC[AES256_GCM,data:uvdyDhnU5LDh,iv:n1QC5g/Eh3I5/l2rxg9p32ucW+SK1dbpNQf8ah2b3Gg=,tag:YZ6sDLVfdbBQP0heHcpaYw==,type:str]
+ GITEA_DOMAIN: ENC[AES256_GCM,data:zaHlAuW9mSRby2bDqw==,iv:veC2X0mw3XPNlsqrt6iA5pLBz3GIBahNVBUS+Rf/ATQ=,tag:ZiNe5zRUWC2lgJHzMqyVwQ==,type:str]
+ AUTHELIA_DOMAIN: ENC[AES256_GCM,data:b3ZxmxKfDAuL3ZnJHLk=,iv:WuzJjp1804xsgJmyCwm+KCrrZRrfzE55gCjUcwiusJM=,tag:ZFATTKyDyGIsBiLUO6JsFg==,type:str]
+ TRAEFIK_DOMAIN: ENC[AES256_GCM,data:quzmURTYuaLVdH4Wmm7oX4I=,iv:WW1eSlj/UD3Zau75pR6ToqSAW80ebmM+LtCcxnB3P2M=,tag:yOZlmp75IUZhLAEP2rBVSg==,type:str]
+ LEMMA_DOMAIN: ENC[AES256_GCM,data:buFgyV2AQtHxVW7MQ62l,iv:51pv0VWSGO+I7M1VpF/hSMPb/rnDvvg6pDAb+3jW45E=,tag:gi9JfLP7zui9InJSrqQIZw==,type:str]
+ LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:v+WsLHOEKLAEOvgue3EvfHWPIhC3Jeg=,iv:7HMnV1P/J+EhaaDtm5mnylrdNxChPC8WITSEexsnmpM=,tag:S03Tmjx1o/FP+8x7M/Yhyw==,type:str]
+ GITEA_ADMIN_EMAIL: ENC[AES256_GCM,data:pXGtveDs596aRLLkmyS7dIU=,iv:YbRX0/iGCnCfFVmqEgoXF6ue68yRpSKaaQuYhCBebZE=,tag:6tmteEIvUVBlLQUwewrYHQ==,type:str]
 sops: 
kms: []
 gcp_kms: []
@@ -19,14 +20,14 @@ sops:
 - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRGZmNGpKVWYva0VJRTdh
- TGh1eXhHUzM0bm51QTJZOENjbDkrMEdPM3pJCnNwN1pGK3E3VVZVSXpWTVBSemYw
- eTVHNjZvZStISTBpeVhoazc3VFMxdVkKLS0tIEErYkFTV1o4RW1tODFWWk9VNkho
- dWwrUlpjQ2xZVjNJSG9vN0tidHVvMnMKwNj4Gm3bXY/vbVIq2bH7/8OWBVMiUxuk
- ttMDYmoTmGAqWwa3uYxpAJiYV6Qni0rGsEop+IKs4DehcmH7UH2XZw==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByd1AvVDZ4MXVsSnBmMlNk
+ QktaOW56MnZTU2hWdUE0c2M0bGdFR3ViTEhRCk96S3pSNG1mOXk3YnpPUnVFNEJp
+ djFpOUdtWlNWSm42M3l2Vmh6UEYraHcKLS0tIFVTQU01cEl5VnJ2Y011a2tGdnpE
+ VktxSU5INzBUNHpodHcxOVRab01xRGcK6YCFV7n25srmqcKwpyLqvwI/2NLIWlmK
+ n5wsDxLICDkxrPAe8LZFaNIs7MQ732kVVihSS0AlfvEGohMx5V3l2Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-12-30T14:20:14Z"
- mac: ENC[AES256_GCM,data:X8J6nwxK+ECLilgwpeSDcf8OTBuqZYEXiFe2UhIBfIB/xrdGRSnPrwcMf3drswftdjnHT9biFocyC3/D9Qv/dPF9iC5ft3D38SDvklstLCn97YivdxQZxGcdggp0we14WVGhmjvlLLucLZ9+1KN5tx+P2r8LhjsI+JhwkB13Zbk=,iv:QU28TNdNwzAsjyEA3po75iPZB8nIq7zCrD3y8JDzkr8=,tag:qPRcTlmAjC4BGEmsxctIRg==,type:str]
+ lastmodified: "2024-12-30T14:35:24Z"
+ mac: ENC[AES256_GCM,data:VYbExocsn36JFM2MLNlGy3JVBtwDDGf8ChXtqydn3HylBCG/Hhc0rEqpfXcjxFUvvKTFw3+wBWsejm7u7yiVz/qDB82LvMAzEYs5z5/S1T+WWYtdj5FoghhbVd6pup83pVQmMxm6vk/mOjMzkjp8I1smKqAmxMTPToY5qfyLNSo=,iv:vdqnAZCVbBv0A2UFeyL683CCdmyQiRQifEgzMYNSuPQ=,tag:gplLS7z2IqFqBke11NzFXw==,type:str]
 pgp: []
 unencrypted_regex: ^(apiVersion|metadata|kind|type)$
 version: 3.9.0
diff --git a/infrastructure/configs/cert-manager/certificate.yaml b/infrastructure/configs/cert-manager/certificate.yaml
index 1689d73..49e1e94 100644
--- a/infrastructure/configs/cert-manager/certificate.yaml
+++ b/infrastructure/configs/cert-manager/certificate.yaml
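Review bot: The new `GITEA_ADMIN_EMAIL` entry joins the domain values in the SOPS-encrypted `cluster-vars-prod` Secret, yet every value in this `stringData` block is substituted into non-secret objects elsewhere in the patch (Helm values, IngressRoute `Host()` matchers, the Certificate `dnsNames`), so after reconciliation they are readable in plaintext from those resources and from the Helm release history. That is reasonable if the encryption is only meant to keep the names out of the repository, but it should be stated so that nobody later adds a genuinely sensitive value here expecting it to stay confidential. A comment in the Kustomization that references this Secret, along the lines of `# cluster-vars holds non-secret per-cluster values; they are substituted into public manifests`, would record that. The substitution wiring itself (presumably a post-build block) is outside this patch, so this is inferred from the variable names used in the other hunks.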
@@ -7,8 +7,8 @@ metadata:
 spec:
 secretName: wildcard-nmsny-dev-tls
 dnsNames:
- - "example.com"
- - "*.example.com"
+ - "${DOMAIN}"
+ - "*.{DOMAIN}"
 issuerRef:
 name: cloudflare-prod
 kind: ClusterIssuer
\ No newline at end of file
diff --git a/infrastructure/configs/cert-manager/issuer.yaml b/infrastructure/configs/cert-manager/issuer.yaml
index 88b7b1b..4e08df4 100644
--- a/infrastructure/configs/cert-manager/issuer.yaml
+++ b/infrastructure/configs/cert-manager/issuer.yaml
@@ -5,7 +5,7 @@ metadata:
 name: cloudflare-prod
 spec:
 acme:
- email: admin@example.com
+ email: ${LETSENCRYPT_EMAIL}
 server: https://acme-v02.api.letsencrypt.org/directory
 privateKeySecretRef:
 name: cloudflare-prod-issuer-account-key
diff --git a/infrastructure/controllers/traefik/values.yaml b/infrastructure/controllers/traefik/values.yaml
index 56ae138..8ff9148 100644
--- a/infrastructure/controllers/traefik/values.yaml
+++ b/infrastructure/controllers/traefik/values.yaml
@@ -5,7 +5,7 @@ logs:
 ingressRoute:
 dashboard:
 enabled: true
- matchRule: Host(`traefik.example.com`)
+ matchRule: Host(`${TRAEFIK_DOMAIN}`)
 entryPoints: ["websecure"]
 middlewares:
 - name: "auth-authelia@kubernetescrd"
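Review bot: The second `dnsNames` entry in `infrastructure/configs/cert-manager/certificate.yaml` is `"*.{DOMAIN}"`, missing the `$`, so no substitution takes place and cert-manager is asked for the literal name `*.{DOMAIN}`; the wildcard that the per-service `Host()` matchers in this patch depend on would not be issued, and the order will most likely be rejected as an invalid DNS name. It should read `- "*.${DOMAIN}"`, matching the `'*.${DOMAIN}'` rule in `apps/prod/authelia/values.yaml`. The `secretName: wildcard-nmsny-dev-tls` context line above still carries a hard-coded name while the domains became variables; that may be intentional, but it is worth a look in the same pass.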