k3s-configs/README.md

# K3s Configs

Helm configs and Kubernetes manifests for my dev cluster managed by Kustomize.

## Structure

- infra
    - [storage](https://github.com/rancher/local-path-provisioner): Local path provisioner configuration
    - [traefik](https://doc.traefik.io/traefik/): Reverse proxy with wildcart SSL certificates
    - [authelia](https://www.authelia.com/): SSO and basic auth provider

- apps
    - [gitea](https://docs.gitea.com/): Git server with [Actions](https://docs.gitea.com/usage/actions/overview) and [renovate-bot](https://docs.renovatebot.com/)
    - [mlflow](https://mlflow.org/): Machine learning model tracking and store
    - [namesny-com](https://namesny.com/): Personal website and blog


## Requirements

- [age](https://github.com/FiloSottile/age)
- [helm](https://helm.sh/)
- [kustomize](https://kustomize.io/)
- [sops](https://github.com/getsops/sops)
- [ksops](https://github.com/viaduct-ai/kustomize-sops)

## Usage

Generate age key

```bash
mkdir -p $HOME/.config/sops/age
age-keygen -o $HOME/.config/sops/age/keys.txt
```

Create `.sops.yaml` file in the repo root and copy the age public key

`.sops.yaml`
```yaml
creation_rules:
  - unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
    age: "<age public key>"
```

Create `secret.yaml`

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
```

Encrypt the secret using sops

```bash
sops -e secret.yaml > secret.enc.yaml
```

Create `secret-generator.yaml`

```yaml
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: gitea-secret-generator
  annotations:
    config.kubernetes.io/function: |
        exec:
          path: ksops
files:
- ./secret.enc.yaml
```

Use secret generator in `kustomization.yaml`

```yaml
generators:
  - ./secret-generator.yaml
```

Deploy application

```sh
kustomize build --enable-helm --enable-alpha-plugins --enable-exec . | k apply -f -
```