re-ecnrypt all secrets, update some values

2026-02-04 04:59:54 +00:00 · 2025-12-13 11:33:20 -05:00
parent f12e27c5c6
commit 6e63085fb3
22 changed files with 111 additions and 176 deletions
--- a/infrastructure/configs/cert-manager/cluster-issuer-letsencrypt-prod.yaml
+++ b/infrastructure/configs/cert-manager/cluster-issuer-letsencrypt-prod.yaml
@@ -16,5 +16,5 @@ spec:
        cloudflare:
          email: michael@michaelthomson.dev
          apiKeySecretRef:
-            name: cloudflare-api-key
+            name: secret
            key: cloudflare_api_key
--- a/infrastructure/configs/cert-manager/secret.yaml
+++ b/infrastructure/configs/cert-manager/secret.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: secret
+  namespace: cert-manager
+spec:
+  encryptedData:
+    cloudflare_api_key: AgCnbPF8qdEJkV70GZtytvOmQUHEF3KiN1UtxJGbmWopRc/OB3414xEXRfVmRJ5UJ64tb1IvokmWOwfXbd+RkiYuDJEv8TNHv4uzpmnOLghbbeUFSf10vp8jhiNGzKyRZGwfaPYU+x8Nje5t26CJgSS4DzhujtvBOczr+0GPV48Sj7kG7MVLk+Y5Khnq/4BiCBB71dsEJfvHBb3bjEe7LqCBMHUwtAZjunFd9YIg+Wd/ZiDj6rPZxhwyAchOoUUuPNumwsP2IYz8/IuneGCQMoW+pgN4GgJtk1IrQ5fn9p/IctFgY8QK06LPgXSlUj2/QLvvyXd4Ce/F1KNE5REhKVbywF60KdgtdgFnrfz7YN88vXcxDU33ikXdwF6Sk6TN0Of241Wb96H58U6l1lMqxaityl1Q6GYodsiB7j7b3eDEZBpHCFiQYZxdGfUKe2cC1fdO5EKGeRaN9pJnTtcNj5M7orqe4dinrLZZvJrhnjapxJk3opffJKerrOIDaYHoBIdGySfiirt0mZeYRTaiO2nECKRc6ohYBodlJD5ncYZxdgm5d4JzhDoaaen2jR2aAUrFNjWo5zDVLejiciP+vQ/Ed3M0RE+kxn5Ek17OjuMmdpNoOru5kydtCXE4uIouM9+qbDjCNebMbHCZMEjfT+Ulhr8pP6k3BCr0EgAIzFDVOBSVKUVowcuUhlEQrR2HWROANKSW/ltn6lc15vGcJ2dx19yV4g5BnMMalioVckpwfkcQLRL4
+  template:
+    metadata:
+      name: secret
+      namespace: cert-manager
--- a/infrastructure/controllers/cert-manager/release.yaml
+++ b/infrastructure/controllers/cert-manager/release.yaml
@@ -7,11 +7,12 @@ spec:
  chart:
    spec:
      chart: cert-manager
-      version: v1.17.x
+      version: v1.19.x
      sourceRef:
        kind: HelmRepository
        name: cert-manager
  interval: 15m
  releaseName: cert-manager
  values:
-    installCRDs: true
+    crds:
+      enabled: true
--- a/infrastructure/controllers/cert-manager/secret-cloudflare-api-key.yaml
+++ b/infrastructure/controllers/cert-manager/secret-cloudflare-api-key.yaml
@@ -1,21 +0,0 @@
-{
-  "kind": "SealedSecret",
-  "apiVersion": "bitnami.com/v1alpha1",
-  "metadata": {
-    "name": "cloudflare-api-key",
-    "namespace": "cert-manager",
-    "creationTimestamp": null
-  },
-  "spec": {
-    "template": {
-      "metadata": {
-        "name": "cloudflare-api-key",
-        "namespace": "cert-manager",
-        "creationTimestamp": null
-      }
-    },
-    "encryptedData": {
-      "cloudflare_api_key": "AgChqWD0JHDwnlg+U+O3Yl0acYIeDnekCj1gRu1kQVFIIukO0rZxxgwDBwB1FAnK7+H/tZsoQCLg+YRmmzqXW7fcxsvad7Ba35JFZnXXc4heCji1FeTZm9M8lLKPXsr/jSV2d2md4BFXxeHBwQtq6Km5OsPkeGiUGVo09w7q0dBhp7wcJ6Dgu3m2c2x8hQKVz0zR4AreMBRwmCw7x/dXPmoCuz/dRQzbQGZ57Z0nZ/4OWF/YBv8NYzjK7//R9QKMGXJJ28NcrXv06v/0CNtVoADbue/kD4d1a9MTBojkHSNvd8CIsIFSnBDPYP4ApnmGBiirfnVJ//AE7iVSCtl96SR9pwqFnE2xCXaAGBlWLVebCGx45W0q3qbC6isZbQLjdekQNu4LDjMs5QQVUM7/+6SusxKJrFbNEyKpWjV6IDQBaZTMkO3gTAq3ZRXGoiLy/FZZihudGa8bym7GJGkl0ZVb8hpkUBiNp3cHQFizdCMVF/3ebjmn0Mf250Kg0J6iymECZ2IdHsjjmRYyJv3Mi7wWdiCG8nOhUwwi1/379rjkbPSZadng/MmgDc8p1IhIFiaLaXTHwr3ZYtQOXpdzAQGJXtIYX4ZO5CFwoCf3UDneCjEntJwi9htaH+KtZFx2Um4LTChsTKEk4D4f64vj7a5k7neSwgpZYZg7DncAubbqKY5vgGuZlT2KMkJPs45LNO713Rf48pom/ZAxWJz6b52r+T0UYhZeF/Ffb1Kw1jrJzENu8ONj"
-    }
-  }
-}
--- a/infrastructure/controllers/external-dns/release.yaml
+++ b/infrastructure/controllers/external-dns/release.yaml
@@ -4,36 +4,25 @@ metadata:
  name: external-dns
  namespace: external-dns
 spec:
-  chartRef:
-    kind: OCIRepository
-    name: external-dns
+  chart:
+    spec:
+      chart: external-dns
+      version: v1.19.x
+      sourceRef:
+        kind: HelmRepository
+        name: external-dns
  interval: 15m
  releaseName: external-dns
  values:
    sources:
      - crd
-      # - service
-      # - ingress
-      # - contour-httpproxy
-    provider: cloudflare
-    cloudflare:
-      ## @param cloudflare.apiToken When using the Cloudflare provider, `CF_API_TOKEN` to set (optional)
-      ##
-      apiToken: ""
-      ## @param cloudflare.apiKey When using the Cloudflare provider, `CF_API_KEY` to set (optional)
-      ##
-      apiKey: ""
-      ## @param cloudflare.secretName When using the Cloudflare provider, it's the name of the secret containing cloudflare_api_token or cloudflare_api_key.
-      ## This ignores cloudflare.apiToken, and cloudflare.apiKey
-      ##
-      secretName: "cloudflare-api-key"
-      ## @param cloudflare.email When using the Cloudflare provider, `CF_API_EMAIL` to set (optional). Needed when using CF_API_KEY
-      ##
-      email: "michael@michaelthomson.dev"
-      ## @param cloudflare.proxied When using the Cloudflare provider, enable the proxy feature (DDOS protection, CDN...) (optional)
-      ##
-      proxied: false
-    crd:
-      ## @param crd.create Install and use the integrated DNSEndpoint CRD
-      ##
-      create: true
+    provider:
+      name: cloudflare
+    env:
+      - name: CF_API_KEY
+        valueFrom:
+          secretKeyRef:
+            name: secret
+            key: cloudflare_api_key
+      - name: CF_API_EMAIL
+        value: michael@michaelthomson.dev
--- a/infrastructure/controllers/external-dns/repository.yaml
+++ b/infrastructure/controllers/external-dns/repository.yaml
@@ -1,10 +1,8 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: OCIRepository
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
 metadata:
  name: external-dns
  namespace: external-dns
 spec:
  interval: 15m
-  url: oci://registry-1.docker.io/bitnamicharts/external-dns
-  ref:
-    semver: ">=8.0.0"
+  url: https://kubernetes-sigs.github.io/external-dns/
--- a/infrastructure/controllers/external-dns/sealedsecret-cloudflare-api-key.yaml
+++ b/infrastructure/controllers/external-dns/sealedsecret-cloudflare-api-key.yaml
@@ -1,21 +0,0 @@
-{
-  "kind": "SealedSecret",
-  "apiVersion": "bitnami.com/v1alpha1",
-  "metadata": {
-    "name": "cloudflare-api-key",
-    "namespace": "external-dns",
-    "creationTimestamp": null
-  },
-  "spec": {
-    "template": {
-      "metadata": {
-        "name": "cloudflare-api-key",
-        "namespace": "external-dns",
-        "creationTimestamp": null
-      }
-    },
-    "encryptedData": {
-      "cloudflare_api_key": "AgDbQ3Suck0P6dSEtuB8cfk4P47jVuieaekex+miPlhrB3I7n/YLPK3lEdoYAt49NrciMlq877iniuYylwnh8HOSevvZ47H86KthofJY3iu8anTTS5q4dkxonnqHuBPH0LTg+uvdkChxe7kuozePB0XJjQV4qdejEDTh6Q7es5dzIW9kdxHGlDRyIsgeI+YpZCZOApzU+bR+ARt39AWWpyRkn140CSAFjsF6XRJ+Enwsn9nbfZfb71s3J8hy/3BCY8fCPuqAXWoQY9pr4BwYo6TjFthlesMYZ3rsAPuBelwEO9OeWySKfVOZx3ZbTdG0aObYhr1KOMs1wTSbu0Y9Ob59WZRT78eXD3B9Un2Bm5GhQLZaw0KAwzg1uLZ2LGcOcV3Dzd5XXLa8/pajrlF/iJQkMYZlaLVfgakhi5TpM4QCTHD4Wj95ZzO16VqJ8ak4qU+l3eJ/GuO+cnMtvAF/VjEiGj9PF9fZRkcPl7HoDTOGeXgbvVcWsSyktZe9BeAkHmB326bK8gnvs6MwJZC/SFR187ngBkSDOQ89LNx1pNnu4SNYu6EHvtaNI62+a6AsNsdrku3fTW0bdNI7rPwZvmL257mnnF7ih4BZvRDxBWudAcQyw+YZdlQC5NRpFr7e0ZgFP1CvDjvNtBBaZsHELKJyFCy7vhhiOrrHpYGZfvTFgGd2/ny2n92HyhJtvpMSJNfaqjAOVu7Kp5bFa99GSSP1CZXjxHxCEzVblZdyOGW63iMwgNp7"
-    }
-  }
-}
--- a/infrastructure/controllers/external-dns/secret.yaml
+++ b/infrastructure/controllers/external-dns/secret.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: secret
+  namespace: external-dns
+spec:
+  encryptedData:
+    cloudflare_api_key: AgDB/8qYE4xI1LOJyJ73afBphwIazvJFS6JPWzC+4R7D/J83Rc14udHVf1bLr8bbkGfXBs9FOis6kVu480JFoNnsXZLdTxViwj573l9GgfOQugCFqn+R8tqpgyzhqpMCYrxJHifn1VZw7a95XJ494tYA7tAO+45SBBXjCVrXO/ZF4gpQpk0yyW6tnV/2cna678dG9ZoL+W7zVlYZ72RrZoGyHTjEUnadmCCR0cPJA0Pd7zho3QLczrnGe2WFRK5TbxaVerr9yPQjx18H2J489UePd0C2OeDkMorev8OxxdA+Wvq8AVpokMoOGgQ+qJ9eDdNDrJjJKi2Vs/FsT3q5B5iwuGwGSITtz3kk/POnnfU+IzzGEYUns5rgC1TrcO49Xk6W7d7ft5HUi0wdWLaeveox/jkIcM15QvXJQuf4RfphNoeQ1gp59ngRh2Oij2vlU/HZ+2eSHU4zMxC+LY9/JIXBytrPOfjvNehLQigeZQ4VQCcnzqqUEi1t8ptwqeFwhG+rWCJlNK5HZoS7p5gw5O+t55IL5bStaP/9teoMoOwyRgsBKz6Jclg0h1dF+UxEf3xsFxV/I4dEvFkz6e2jXtD823/uVG6p06LN2YsdK+2c1dey9JeYfHltha8p7+JWVaKMYjncWLwpIrNpjB+xljUCtzY7S7AKxp4IvGaeVDq1tKa/zqK9/c37/Fxi5bMgTcynX/xxU2bRuDLvHFA52yCwBKLHgE3TPJAS5/M9J4/iTplmLFl6
+  template:
+    metadata:
+      name: secret
+      namespace: external-dns
--- a/infrastructure/controllers/longhorn/wasabi-secret.yaml
+++ b/infrastructure/controllers/longhorn/wasabi-secret.yaml
@@ -2,16 +2,14 @@
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
-  creationTimestamp: null
  name: wasabi-secret
  namespace: longhorn-system
 spec:
  encryptedData:
-    AWS_ACCESS_KEY_ID: AgBPEaezFcnWS/vymVzH9kokhKlq2+yYUP1I40kVGLKxlovzU/kkPWfo1eYVo1kJtEKa1GNA8hlMxlz3mpSnlRc/SdqoPAXPSVjynPRiLa2SPBGtdXJjw/8BSd9dTaGJNpZj+aZ5HrbB5Ko3anAOrstQjymLgrbyNIFP5NUY8auLbnJaZ3O8W4Zo7mgDrCwDIyze0eqY4YIf96Q5ZLDiYAWuJJ29MAOFLROrAHv1/FmwUErLJX3lbJm7+PiIP0kvI2xKlcvU9/RRq5u/EEVP+9hP8wp2l7TQp3K0EJyIer9wFcq+kqCTfUCJoo2cJW69ooaobcHgT8ijsrVX0n5CxkXDrITKG5GpSRhqadCDyOgbBneC5UrvEiY5S0GWUiBWFgUCQcIPi2fYbwayqDoLWEcYTrDZ7wTE4y+PddUm4Z5BhCVM64TYsaycA9uNhcoZDCWLVUiBRnbfCP6ZfEn55TBSOHIAsWrUO8DAGgpnqjr5ud934h/fFLTnTlmhjOuiMX0LIlNZoDNLoomeG1d9L7j37IppbvBSNUfG4OHaAZMju8tmMz6T9/Z7R43J+LofgZiqa7dAl5vd6Fp8pS3f2ar11+FEXgixrlbdhv2AkhCMO0XzndBCF+8akn6FLjkarF7nXGPdEcctZHsBUWIo/nxbFz2Wd47Bs31nMi+39k34EbmWOitjOTFyM1p5O+GrVnFHDo/DJSqlRjbaLflmWkqMoLMzIg==
-    AWS_ENDPOINTS: AgBFWzMZjQqkcNzvWqFGsCNiFYnXu9XbayvcEdROPS5ZZkublXdo1PkoQ00hTcpRg3WtsMCj55u71P70MdGjaFJ2IDKOoEkTO8umADv/4stiT3166re/SZp6DGLalKc32V643J08zpujzZTFDiKwHi47PbN49WGgCtU+ltk9a/5V4M6//e2wQVUcI4e22gzhkBC/H4VxAsg+ke5KvUfJiPHvqVZjo/l5A1hyYTxIIKgkUhUMLqAs4ztpW6ApoJoK8brfs67PeOoIKiBFTXKG1K5LymNFag+BDVJOuuLOZ8ZPY52OI9YSohg835lB8hw95wfRiFCzU0XFM6V6pS9lGZ+SkTH8S2tKjYOjyOjmOZ6cZSVjIWiqPcyEHRbzV8LjVaJ7GvvKoyp2ZeZepZr3IeFZR4N19yHydztYvTrLlx8fajVH7mIxZN3sgYdH5yGjHjte/1SW8pAmIpVOtCAtSuacjHj0vmKT4LPLZCE18ayAOVQEo8rQo0S24EKhkbPomZVTXpFjOajZxRi/JczuXgLtRtvyvPLqMWiK3TSn+UQT+wyMFOVbaKf3EZKeSSSVOVN66hgR4na4j8tWIxZeKhJfeCXqnaz1iGXuK4/rW2494i5ncrmKU91Dkr1+rZ2/5PSJvzTmctl1azIG984iwEsxxLgwluPaj+E1heym+tuJRR3Dl7G/8vfv5DhtATuuHJTB6vfEvgCtWSwmaFX6jEX0i7+pm7fm7yJQXmrrSQ==
-    AWS_SECRET_ACCESS_KEY: AgBi14gLjB0om+2XmcsovTNoykudr4160/mlQZlaJKQkJVuAyXeXyX1WkCvqhhOGbY76pBYxhvzfo9ngvH1BVBom8MOahzkDSIl6GhzqiPF5L3eDH5HOBXYZiYfZZxl1QOKXFEITirCScCywovLxFJsVXjNTcLz7FGeBH+LNL4b58FLNRC/IGQgagY0iYOjg5kr2fKSula9y9yweL0xuxG+gUtDOgEQBhkZ6ncSLYlgMCIVBWAJbApEE1QGSlaG7zAbdNa0yn201XcVhHs3JlQvC5VZArLfUozFTExn1/4/3PVJ3yR80JYshplGx6NxrwkB2cQOjstr5vQzA+c6t22Mo3aeXpnLD3P2tZEXzh+z3iAjCsE+MAttLzhNC//vgScH8imYRLjFJAGifGmvBkqXYo4pQkPF9FFbaXU44ktWT5tCBcCcoylhQjAKYvuaoMqxcdJNtpGopSIgI4T08AeaQHx9jN2fY40WGZjN9Mhj0c/HJnlLEddFEHHg7A1jmsdy+UmncO9w0pin2eQ8TOOSuplARJvKZQpLiRQZHkn/09l1xZlNuVF4vUoI8yPiQgKOLIIaZezvxN6i/DPosoXBZ637dJMi/JsDG2AoaOn4P/oGDTf73Ph1fYfxOJeNaCK+rlOVkQ/h1vQyFCAUxN7cBVa59C7FO9pfrMaVFb+A15SJmmd2km6MsduTNZbB2BGR79lwL2TijFNO40kBewnqTS8GFy9u3pzGMEXymZ23q8qrCmBR20aBQ
+    AWS_ACCESS_KEY_ID: AgCmY3YSc7AqYKVNDJnmi1B8Fv6cjaMAHW9XbQFUuEokSjkUXnXd5j/k9XUn+SyhDoNA2aqmvtrAF/5aKGSkwua1QNI/W3kw+knawNfbNV2J54ZWnv8urkCIKQ9Eo90fs6PrilCnEsymqoFQPmgo650wkBFVnjMIRsu+MXB6hjso4NMRm5zgQMPg1vg/D3a8bfVD4uNitB36lrl0vwdGYw8Pl2baMgnLIHHe2iw9Z5/LIPsmVoTjk3d+Jub28nqeW+pW6iXFd0H5WJw/N2JQkwzs5xvK0049I2eHmPVrReaFdEKRvrOX1THgEZTvML+evv96Z3WaphVlIQzHjFxOiQVCa11adc1MqoaqfZeVEdWslYF3Hg+oQg98Q+VqLWdFg1PJoJBGBdNxJFnTCS5xDStbkvt8y2aWUWh0UWBL/smOpq0TWLBfzVW9wowkHB/9Pwl2tVbOzTcXWS4u/rk2lr8fre9efhjBoCDuStHXwxhlmjidhHPBo4eIpoiBIY2UYfEt6HQkB3HHXsvnqZiIbWHXa52gXHh2sHmWa41xOGorFLPU6JrAQb37ciBY71zBlvoj+UEXKsiEvcblMSff3G8Vy96nX+y8F0YUKg5JdPmSw4Dndwi0Mpv19IXytExZDNWvhksCumWI2/Nt42/7PjhNec50CEOwt2WENbF9Xsh+chhJT8l24o+3TE11qOldY3WxnP7NLAVO1XTDK+tvl0yhF3Yckg==
+    AWS_ENDPOINTS: AgCTsfnjLwLiH9MQV5cIHoRyz5WF2YG4/vFoiZrmybcax7JaAmWpkb0vfa4eWM3nNgrPN7qlCBXjIRJ2r5UPIOoHmEr5Tln2Xv+cGrie8xmRCoAkFs7lESZmQNbOa1nZLgFlG7cb8OlU1QtjyijQ3oAt1PcAuDsN4kdfWDYTlcHHDPzFzdvDu8XFwYMncnoh54r7B38gZ6fgPhbxU2PRREuVQANZAG5vWX5dQB0R7ffzjBYNZz9YgQE7oh/3/Z4ahI3z1HDBrYddulYc7w3/nsddPo6rNkvGoObdp0Qv7U4Z6RPjTCzpRQOGoLP+YqktwNCZi4IqrdxhBGppt3e+e+5lR0jCwbIJjSMUs9Izlc5umIbRdG+Dt3Wpr8MD3+M8Rq/Ii+XkPUzWrSEYVUONolBLRPcV2qycshHgKPD76Tkdgrs9x/ITDArjx9/qSMANatbRrCmpSlcqKboUJnzFQ5+7R1D+3vnTePu+XiuTrIay06ISaFi1ChhzMPtRpgjyFdW/pXsv3AEaap+iziQFYfFs6ZvOAV06SFYJtmUZm5WIteip1iBT1RGs5AlqIDK5M1YWRD2h2yNJ/1LR/11qILMIj/NnXLPDQTPmgI0UBK9Cvol5iaEScP6lUsORbbsoE6Iv4TUWANDqaQFsrUpLaK9w2pZzknftSD+QNiBoiiyrc9MaOaaIQNqtdnQLxAmynZUXvrcxmpWo6jwEFkEz2E0+VnSCKlBgHao6YyMQkQ==
+    AWS_SECRET_ACCESS_KEY: AgADI4iiUPISIHKr5anxMRJ82h8qa8qcj/rkrhrPu/QOjCgrXH3uXyQxII/siu7GTNtaKBK83VoeGkrBR0DYJ3utY63HnvMydahfZjAChTwtjdBVQ5JGQpS85foZPsUU/35H4vTx1f7s9kLomNeOz55NfeBecnkK5eKPt3a6PqjFkYkFyzSemuuVvVC5oiorhoK9ALmwqwYIT2gC+87F3uqplik7v1P1wwIHn2dm4/e6xIryFuIxgAKOm/lZk5cA3pPQGI4Rskq9Qr9sHYLylWU5VKdtLZMOp8nhYyxAeBeiEKKzkWTwQzSd39K95yRJxOnJMYqKU4DCoE/cpblHG6SleMd1vW3kvOq/HtxduL3StoLxVwL/Qq8vlpWGcEUsQDp79r2y3aBxKquYhlgEEq1f8LgTND+bPVl8ijeSoCgYntzqk/Bq0e+eulcuhiGbCSwiFwqoULeeQd/h0kTet7Qfxo58/3PNcTFB1rwWPcLJR9ezmBJGMUDTj6cXEWCuoHqmVgqS56q53vcQv7ByghTL/fcZqUnkKOX8t4JezMzhP1OkoPoVx8GZeynFMZZfJbzdJ2vfW4XwycIlkeG7tVJWH1cbODqK3NQtv351uBIEadQ0k9MjTxcjkH0OMqzyvueHmUUuJ6bwDLsox0e+/mhn+PhLMBfXMSt5nacbtf9TaP+M1R3GfU0N0qSR202jSDKZ7zAnz/UMogtlXj+o+GI+XFOq5cKi2a9fwG1tWkbsNMh7hFlmi5KO
  template:
    metadata:
-      creationTimestamp: null
      name: wasabi-secret
      namespace: longhorn-system