From 854c3a2577a53c4bb921f499255ece7dd41d6277 Mon Sep 17 00:00:00 2001
From: WrenIX
Date: Fri, 24 Nov 2023 19:18:29 +0100
Subject: [PATCH] chore: init with docs (bootstrap)

---
 docs/antora.yml | 6 ++++
 docs/modules/ROOT/pages/index.adoc | 57 ++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 docs/antora.yml
 create mode 100644 docs/modules/ROOT/pages/index.adoc

diff --git a/docs/antora.yml b/docs/antora.yml
new file mode 100644
index 0000000..6172895
--- /dev/null
+++ b/docs/antora.yml
@@ -0,0 +1,6 @@
+name: wrenix-flux
+title: "WrenIX's FluxCD (charts)"
+version:
+ v(?+({0..9}).+({0..9}).+({0..9})).*: $
+ main: latest
+
diff --git a/docs/modules/ROOT/pages/index.adoc b/docs/modules/ROOT/pages/index.adoc
new file mode 100644
index 0000000..bbfb2ef
--- /dev/null
+++ b/docs/modules/ROOT/pages/index.adoc
@@ -0,0 +1,57 @@
+= WrenIX's FluxCD-Repository
+
+== Install FluxCD into a cluster
+
+Here i install it with connection to codeberg:
+ - the path is just for the cluster
+ - the url a repo where fluxcd (in given path) install itself and monitor
+ - i just install my needed components (i skip notification-controller, i prefer prometheus and alerting)
+
+[source,bash]
+----
+flux bootstrap git --components source-controller,kustomize-controller,helm-controller --path= --url ssh://git@codeberg.org/wrenix/.git
+----
+
+=== Secure with verify
+
+Afterwards we need to setup a verification with GPG, so that nobody else could commit any workload in your cluster.
+That is because i select an public git hosting (here codeberg), i trust them but maybe it get compromised one time.
+
+in your repository the flux cli has created an `/flux-system/kustomization.yaml`, we will edit them.
+
+[source,patch]
+----
+ apiVersion: kustomize.config.k8s.io/v1beta1
+ kind: Kustomization
+ resources:
+ - gotk-components.yaml
+ - gotk-sync.yaml
+
++patches:
++ - target:
++ kind: GitRepository
++ name: flux-system
++ patch: |-
++ apiVersion: source.toolkit.fluxcd.io/v1
++ kind: GitRepository
++ metadata:
++ name: flux-system
++ spec:
++ verify: <1>
++ mode: HEAD
++ secretRef:
++ name: gpg-publickey
++
++generatorOptions:
++ disableNameSuffixHash: true <2>
++
++secretGenerator:
++ - name: gpg-publickey <3>
++ namespace: flux-system
++ files:
++ - gpg-publickey/wrenix.gpg <4>
+----
+<1> add verify, that only HEAD git commit with valide gpg signature is used
+<2> on the next generate, do not add hash
+<3> generate kubernetes Secret with the name `gpg-publickey` which is used in the patched GitRepository, see <1>
+<4> Add list of valide gpg key files