Refactor noble cluster configurations by removing deprecated Argo CD application management files and transitioning to a streamlined Ansible-driven installation approach. Update kustomization.yaml files to reflect the new structure, ensuring clarity on resource management. Introduce new namespaces and configurations for cert-manager, external-secrets, and logging components, enhancing the overall deployment process. Add detailed README.md documentation for each component to guide users through the setup and management of the noble lab environment.

2026-03-28 17:02:50 -04:00
parent 41841abc84
commit 90fd8fb8a6
59 changed files with 28 additions and 38 deletions
--- a/clusters/noble/bootstrap/sealed-secrets/README.md
+++ b/clusters/noble/bootstrap/sealed-secrets/README.md
@@ -0,0 +1,50 @@
+# Sealed Secrets (noble)
+
+Encrypts `Secret` manifests so they can live in git; the controller decrypts **SealedSecret** resources into **Secret**s in-cluster.
+
+- **Chart:** `sealed-secrets/sealed-secrets` **2.18.4** (app **0.36.1**)
+- **Namespace:** `sealed-secrets`
+
+## Install
+
+```bash
+helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
+helm repo update
+kubectl apply -f clusters/noble/apps/sealed-secrets/namespace.yaml
+helm upgrade --install sealed-secrets sealed-secrets/sealed-secrets -n sealed-secrets \
+  --version 2.18.4 -f clusters/noble/apps/sealed-secrets/values.yaml --wait
+```
+
+## Workstation: `kubeseal`
+
+Install a **kubeseal** build compatible with the controller (match **app** minor, e.g. **0.36.x** for **0.36.1**). Examples:
+
+- **Homebrew:** `brew install kubeseal` (check `kubeseal --version` against the chart’s `image.tag` in `helm show values`).
+- **GitHub releases:** [bitnami-labs/sealed-secrets](https://github.com/bitnami-labs/sealed-secrets/releases)
+
+Fetch the cluster’s public seal cert (once per kube context):
+
+```bash
+kubeseal --fetch-cert > /tmp/noble-sealed-secrets.pem
+```
+
+Create a sealed secret from a normal secret manifest:
+
+```bash
+kubectl create secret generic example --from-literal=foo=bar --dry-run=client -o yaml \
+  | kubeseal --cert /tmp/noble-sealed-secrets.pem -o yaml > example-sealedsecret.yaml
+```
+
+Commit `example-sealedsecret.yaml`; apply it with `kubectl apply -f`. The controller creates the **Secret** in the same namespace as the **SealedSecret**.
+
+**Noble example:** `examples/kubeseal-newt-pangolin-auth.sh` (Newt / Pangolin tunnel credentials).
+
+## Backup the sealing key
+
+If the controller’s private key is lost, existing sealed files cannot be decrypted on a new cluster. Back up the key secret after install:
+
+```bash
+kubectl get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key=active -o yaml > sealed-secrets-key-backup.yaml
+```
+
+Store `sealed-secrets-key-backup.yaml` in a safe offline location (not in public git).
--- a/clusters/noble/bootstrap/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh
+++ b/clusters/noble/bootstrap/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Emit a SealedSecret for newt-pangolin-auth (namespace newt).
+# Prerequisites: sealed-secrets controller running; kubeseal client (same minor as controller).
+# Rotate Pangolin/Newt credentials in the UI first if they were exposed, then set env vars and run:
+#
+#   export PANGOLIN_ENDPOINT='https://pangolin.example.com'
+#   export NEWT_ID='...'
+#   export NEWT_SECRET='...'
+#   ./kubeseal-newt-pangolin-auth.sh > newt-pangolin-auth.sealedsecret.yaml
+#   kubectl apply -f newt-pangolin-auth.sealedsecret.yaml
+#
+set -euo pipefail
+kubectl apply -f "$(dirname "$0")/../../newt/namespace.yaml" >/dev/null 2>&1 || true
+kubectl -n newt create secret generic newt-pangolin-auth \
+  --dry-run=client \
+  --from-literal=PANGOLIN_ENDPOINT="${PANGOLIN_ENDPOINT:?}" \
+  --from-literal=NEWT_ID="${NEWT_ID:?}" \
+  --from-literal=NEWT_SECRET="${NEWT_SECRET:?}" \
+  -o yaml | kubeseal -o yaml
--- a/clusters/noble/bootstrap/sealed-secrets/namespace.yaml
+++ b/clusters/noble/bootstrap/sealed-secrets/namespace.yaml
@@ -0,0 +1,5 @@
+# Sealed Secrets controller — apply before Helm.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sealed-secrets
--- a/clusters/noble/bootstrap/sealed-secrets/values.yaml
+++ b/clusters/noble/bootstrap/sealed-secrets/values.yaml
@@ -0,0 +1,18 @@
+# Sealed Secrets — noble (Git-encrypted Secret workflow)
+#
+# helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
+# helm repo update
+# kubectl apply -f clusters/noble/apps/sealed-secrets/namespace.yaml
+# helm upgrade --install sealed-secrets sealed-secrets/sealed-secrets -n sealed-secrets \
+#   --version 2.18.4 -f clusters/noble/apps/sealed-secrets/values.yaml --wait
+#
+# Client: install kubeseal (same minor as controller — see README).
+# Defaults are sufficient for the lab; override here if you need key renewal, resources, etc.
+#
+# GitOps pattern: create Secrets only via SealedSecret (or External Secrets + Vault).
+# Example (Newt): clusters/noble/apps/sealed-secrets/examples/kubeseal-newt-pangolin-auth.sh
+# Backup the controller's sealing key: kubectl -n sealed-secrets get secret sealed-secrets-key -o yaml
+#
+# Talos cluster secrets (bootstrap token, cluster secret, certs) belong in talhelper talsecret /
+# SOPS — not Sealed Secrets. See talos/README.md.
+commonLabels: {}