chore: add cert-manager and external secrets

certificates.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: self-signed
+  namespace: default
+spec:
+  selfSigned: {}

kustomization.yaml

@@ -5,3 +5,7 @@ resources:
 - postgres.yaml
 - rabbitmq.yaml
 - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+- https://github.com/jetstack/cert-manager/releases/download/v1.11.0/cert-manager.yaml
+- certificates.yaml
+- external-secrets.yaml
+- secrets-store.yaml

rabbitmq.yaml

@@ -15,6 +15,13 @@ data:
   memory.conf: |-
     total_memory_available_override_value = 1GB
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: rabbitmq
+stringData:
+  AMQP_URL: "amqp://user:password@rabbitmq:5672/"
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -37,6 +44,10 @@ spec:
       labels:
         app: rabbitmq
     spec:
+      securityContext:
+        fsGroup: 999
+        runAsUser: 999
+        runAsGroup: 999
       containers:
       - env:
         - name: RABBITMQ_DEFAULT_USER

secrets-store.yaml

@@ -0,0 +1,52 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: external-secrets
+spec:
+  provider:
+    fake:
+      data:
+        - key: "applications/shiny/accounting-service"
+          valueMap:
+            SENTRY_DSN: ""
+            SENTRY_DISABLED: "true"
+        - key: "applications/shiny/authz-service"
+          valueMap:
+            SENTRY_DSN: ""
+            SENTRY_DISABLED: "true"
+        - key: "applications/shiny/company-service"
+          valueMap:
+            SENTRY_DSN: ""
+            SENTRY_DISABLED: "true"
+        - key: "applications/shiny/consumer-service"
+          valueMap:
+            SENTRY_DSN: ""
+            SENTRY_DISABLED: "true"
+        - key: "applications/shiny/employee-service"
+          valueMap:
+            SENTRY_DSN: ""
+            SENTRY_DISABLED: "true"
+        - key: "applications/shiny/invoice-service"
+          valueMap:
+            SENTRY_DSN: ""
+            SENTRY_DISABLED: "true"
+        - key: "applications/shiny/notification-service"
+          valueMap:
+            SENTRY_DSN: ""
+            SENTRY_DISABLED: "true"
+        - key: "applications/shiny/salary-service"
+          valueMap:
+            SENTRY_DSN: ""
+            SENTRY_DISABLED: "true"
+        - key: "applications/shiny/time-service"
+          valueMap:
+            SENTRY_DSN: ""
+            SENTRY_DISABLED: "true"
+        - key: "rds/postgres/prod-psql"
+          valueMap:
+            POSTGRES_URL: "postgres://postgres:postgres@postgres:5432/postgres?sslmode=disable"
+            DB_HOST: "postgres"
+            DB_NAME: "postgres"
+            DB_PASSWORD: "postgres"
+            DB_PORT: "5432"
+            DB_USERNAME: "postgres"

setup

@@ -8,10 +8,13 @@ kubectl create secret docker-registry gitlab \
           --docker-server=registry.gitlab.com \
           --docker-username=gitlab \
           --docker-password="${GITLAB_TOKEN}" \
-          --docker-email=gitlab@paidit.se
+          --docker-email=gitlab@unbound.se
 
 kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "gitlab"}]}'
 
+kubectl apply -k . || true
+kubectl wait --for=condition=Ready pods --all -n cert-manager --timeout=5m
+kubectl wait --for=condition=Ready pods --all -n external-secrets --timeout=5m
 kubectl apply -k .
 
 kubectl wait --for=condition=Ready pods --all --timeout=5m