Use variable susbtitution in manifests

2025-12-23 00:54:26 +00:00 · 2024-12-30 15:37:25 +01:00
parent 1eaa3a42e4
commit 9d078e6c9d
10 changed files with 30 additions and 29 deletions
--- a/apps/prod/authelia/forward-auth-middleware.yaml
+++ b/apps/prod/authelia/forward-auth-middleware.yaml
@@ -6,7 +6,7 @@ metadata:
  namespace: auth
 spec:
  forwardAuth:
-    address: 'http://authelia.auth.svc.cluster.local/api/authz/forward-auth?authelia_url=https%3A%2F%2Fauth.example.com'
+    address: 'http://authelia.auth.svc.cluster.local/api/authz/forward-auth?authelia_url=https%3A%2F%2F${AUTHELIA_DOMAIN}'
    trustForwardHeader: true
    authResponseHeaders:
    - "Remote-User"
--- a/apps/prod/authelia/values.yaml
+++ b/apps/prod/authelia/values.yaml
@@ -1,5 +1,5 @@
 # /apps/prod/authelia/values.yaml
-domain: 'example.com'
+domain: '${DOMAIN}'
 configMap:
  authentication_backend:
    file:
@@ -11,7 +11,7 @@ configMap:
      enabled: false
  access_control:
    rules:
-      - domain: '*.example.com'
+      - domain: '*.${DOMAIN}'
        policy: one_factor
  server:
    endpoints:
@@ -22,8 +22,8 @@ configMap:
    redis:
      enabled: false
    cookies:
-      - domain: 'example.com'
+      - domain: '${DOMAIN}'
-        authelia_url: 'https://auth.example.com'
+        authelia_url: 'https://${AUTHELIA_DOMAIN}'
        name: 'authelia_session'
  storage:
    local:
@@ -51,6 +51,6 @@ ingress:
  ingressClassName: "traefik"
  traefikCRD:
    enabled: true
-    matchOverride: Host(`auth.example.com`)
+    matchOverride: Host(`${AUTHELIA_DOMAIN}`)
    entryPoints:
      - "websecure"
--- a/apps/prod/gitea/ingress.yaml
+++ b/apps/prod/gitea/ingress.yaml
@@ -8,7 +8,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-  - match: Host(`git.example.com`)
+  - match: Host(`${GITEA_DOMAIN}`)
    kind: Rule
    services:
    - name: gitea-http
--- a/apps/prod/gitea/values.yaml
+++ b/apps/prod/gitea/values.yaml
@@ -24,7 +24,7 @@ image:
 gitea:
  admin:
    existingSecret: gitea-admin-secret
-    email: "admin@example.com"
+    email: "${GITEA_ADMIN_EMAIL}"
  config:
    actions:
      ENABLED: true
@@ -40,8 +40,8 @@ gitea:
      TYPE: channel
    server:
      BUILTIN_SSH_SERVER_USER: git
-      ROOT_URL: https://git.example.com
+      ROOT_URL: https://${GITEA_DOMAIN}
-      DOMAIN: git.example.com
+      DOMAIN: ${GITEA_DOMAIN}
      SSH_CREATE_AUTHORIZED_KEYS_FILE: false
      LANDING_PAGE: explore
    service:
--- a/apps/prod/k9s-web/ingress.yaml
+++ b/apps/prod/k9s-web/ingress.yaml
@@ -7,7 +7,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-  - match: Host(`k9s.example.com`)
+  - match: Host(`${K9S_DOMAIN}`)
    kind: Rule
    middlewares:
    - name: "auth-authelia@kubernetescrd"
--- a/apps/prod/lemma/ingress.yaml
+++ b/apps/prod/lemma/ingress.yaml
@@ -7,7 +7,7 @@ spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`lemma.example.com`)
+    - match: Host(`${LEMMA_DOMAIN}`)
      kind: Rule
      services:
        - name: lemma-http
--- a/clusters/prod/cluster-vars/secret.enc.yaml
+++ b/clusters/prod/cluster-vars/secret.enc.yaml
@@ -4,12 +4,13 @@ metadata:
    name: cluster-vars-prod
    namespace: flux-system
 stringData:
-    DOMAIN: ENC[AES256_GCM,data:95H2LGPNDZWu,iv:dPZncDMxmt80FgX2Kzc3u4Tw3ZN5XxNm1W9RExxkozw=,tag:OPCTvLJesJ7OzmZ4/c04sQ==,type:str]
+    DOMAIN: ENC[AES256_GCM,data:uvdyDhnU5LDh,iv:n1QC5g/Eh3I5/l2rxg9p32ucW+SK1dbpNQf8ah2b3Gg=,tag:YZ6sDLVfdbBQP0heHcpaYw==,type:str]
-    GITEA_DOMAIN: ENC[AES256_GCM,data:6eDeGcMQp71VTjRUfA==,iv:KtCy5YQeV4tY8xzFuH2y2Yp8QWzK7ZOSuWdKhihklgU=,tag:PkdH/n01nHWCyaAW4QwoPg==,type:str]
+    GITEA_DOMAIN: ENC[AES256_GCM,data:zaHlAuW9mSRby2bDqw==,iv:veC2X0mw3XPNlsqrt6iA5pLBz3GIBahNVBUS+Rf/ATQ=,tag:ZiNe5zRUWC2lgJHzMqyVwQ==,type:str]
-    AUTHELIA_DOMAIN: ENC[AES256_GCM,data:iWiuvZ5U0rCH64IOe3k=,iv:8WaB4ukSauuzmdD+TlKCVlNE2opox+XlVVjr+ER9mH0=,tag:oLWQ4r+LgzRpHTuU2mu+Xw==,type:str]
+    AUTHELIA_DOMAIN: ENC[AES256_GCM,data:b3ZxmxKfDAuL3ZnJHLk=,iv:WuzJjp1804xsgJmyCwm+KCrrZRrfzE55gCjUcwiusJM=,tag:ZFATTKyDyGIsBiLUO6JsFg==,type:str]
-    TRAEFIK_DOMAIN: ENC[AES256_GCM,data:QC1SpkDPrqZm+sc3e1Tv8So=,iv:YQLzZNP4+D7EcCJYYMygsFfHAjNIh12q449ensSmcc8=,tag:l6HnN4GBq9+9TynWzZCTng==,type:str]
+    TRAEFIK_DOMAIN: ENC[AES256_GCM,data:quzmURTYuaLVdH4Wmm7oX4I=,iv:WW1eSlj/UD3Zau75pR6ToqSAW80ebmM+LtCcxnB3P2M=,tag:yOZlmp75IUZhLAEP2rBVSg==,type:str]
-    LEMMA_DOMAIN: ENC[AES256_GCM,data:3+HM+wE0SZeceyAJGx9e,iv:TrOp/Lcf+Ka3RlusoBvmhOVIbRquJ7fHK/ThXSkU4SU=,tag:kGwqvbHQ4jgQ6lbz+9zvKw==,type:str]
+    LEMMA_DOMAIN: ENC[AES256_GCM,data:buFgyV2AQtHxVW7MQ62l,iv:51pv0VWSGO+I7M1VpF/hSMPb/rnDvvg6pDAb+3jW45E=,tag:gi9JfLP7zui9InJSrqQIZw==,type:str]
-    LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:932hjsPXXEzeeMRoCxScU0YsKo0iwDE=,iv:aVnK22akFCamQMWC+pgmhN1Ok8RUwRJ7RCrqryJUiaU=,tag:e7QZYNeR2QRJg94BRRqZSw==,type:str]
+    LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:v+WsLHOEKLAEOvgue3EvfHWPIhC3Jeg=,iv:7HMnV1P/J+EhaaDtm5mnylrdNxChPC8WITSEexsnmpM=,tag:S03Tmjx1o/FP+8x7M/Yhyw==,type:str]
    GITEA_ADMIN_EMAIL: ENC[AES256_GCM,data:pXGtveDs596aRLLkmyS7dIU=,iv:YbRX0/iGCnCfFVmqEgoXF6ue68yRpSKaaQuYhCBebZE=,tag:6tmteEIvUVBlLQUwewrYHQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -19,14 +20,14 @@ sops:
        - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRGZmNGpKVWYva0VJRTdh
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByd1AvVDZ4MXVsSnBmMlNk
-            TGh1eXhHUzM0bm51QTJZOENjbDkrMEdPM3pJCnNwN1pGK3E3VVZVSXpWTVBSemYw
+            QktaOW56MnZTU2hWdUE0c2M0bGdFR3ViTEhRCk96S3pSNG1mOXk3YnpPUnVFNEJp
-            eTVHNjZvZStISTBpeVhoazc3VFMxdVkKLS0tIEErYkFTV1o4RW1tODFWWk9VNkho
+            djFpOUdtWlNWSm42M3l2Vmh6UEYraHcKLS0tIFVTQU01cEl5VnJ2Y011a2tGdnpE
-            dWwrUlpjQ2xZVjNJSG9vN0tidHVvMnMKwNj4Gm3bXY/vbVIq2bH7/8OWBVMiUxuk
+            VktxSU5INzBUNHpodHcxOVRab01xRGcK6YCFV7n25srmqcKwpyLqvwI/2NLIWlmK
-            ttMDYmoTmGAqWwa3uYxpAJiYV6Qni0rGsEop+IKs4DehcmH7UH2XZw==
+            n5wsDxLICDkxrPAe8LZFaNIs7MQ732kVVihSS0AlfvEGohMx5V3l2Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-30T14:20:14Z"
+    lastmodified: "2024-12-30T14:35:24Z"
-    mac: ENC[AES256_GCM,data:X8J6nwxK+ECLilgwpeSDcf8OTBuqZYEXiFe2UhIBfIB/xrdGRSnPrwcMf3drswftdjnHT9biFocyC3/D9Qv/dPF9iC5ft3D38SDvklstLCn97YivdxQZxGcdggp0we14WVGhmjvlLLucLZ9+1KN5tx+P2r8LhjsI+JhwkB13Zbk=,iv:QU28TNdNwzAsjyEA3po75iPZB8nIq7zCrD3y8JDzkr8=,tag:qPRcTlmAjC4BGEmsxctIRg==,type:str]
+    mac: ENC[AES256_GCM,data:VYbExocsn36JFM2MLNlGy3JVBtwDDGf8ChXtqydn3HylBCG/Hhc0rEqpfXcjxFUvvKTFw3+wBWsejm7u7yiVz/qDB82LvMAzEYs5z5/S1T+WWYtdj5FoghhbVd6pup83pVQmMxm6vk/mOjMzkjp8I1smKqAmxMTPToY5qfyLNSo=,iv:vdqnAZCVbBv0A2UFeyL683CCdmyQiRQifEgzMYNSuPQ=,tag:gplLS7z2IqFqBke11NzFXw==,type:str]
    pgp: []
    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
    version: 3.9.0
--- a/infrastructure/configs/cert-manager/certificate.yaml
+++ b/infrastructure/configs/cert-manager/certificate.yaml
@@ -7,8 +7,8 @@ metadata:
 spec:
  secretName: wildcard-nmsny-dev-tls
  dnsNames:
-    - "example.com"
+    - "${DOMAIN}"
-    - "*.example.com"
+    - "*.{DOMAIN}"
  issuerRef:
    name: cloudflare-prod
    kind: ClusterIssuer
--- a/infrastructure/configs/cert-manager/issuer.yaml
+++ b/infrastructure/configs/cert-manager/issuer.yaml
@@ -5,7 +5,7 @@ metadata:
  name: cloudflare-prod
 spec:
  acme:
-    email: admin@example.com
+    email: ${LETSENCRYPT_EMAIL}
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: cloudflare-prod-issuer-account-key 
--- a/infrastructure/controllers/traefik/values.yaml
+++ b/infrastructure/controllers/traefik/values.yaml
@@ -5,7 +5,7 @@ logs:
 ingressRoute:
  dashboard:
    enabled: true
-    matchRule: Host(`traefik.example.com`)
+    matchRule: Host(`${TRAEFIK_DOMAIN}`)
    entryPoints: ["websecure"]
    middlewares:
      - name: "auth-authelia@kubernetescrd"