fluxcd: node red

2026-06-06 03:09:49 +00:00
parent 244ff73e6e
commit 950b462651
20 changed files with 158 additions and 58 deletions
@@ -0,0 +1 @@
+**.dec.**
@@ -0,0 +1,11 @@
+creation_rules:
+  # encrypt all values from file
+  - path_regex: \.private\.dec\.yaml$
+    encrypted_regex: '^(.*)$'
+    age:
+      - age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
+  # encrypt secrets files
+  - path_regex: .*.yaml
+    encrypted_regex: ^(data|stringData)$
+    age: 
+      - age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
@@ -1,20 +1,22 @@
 # node-red

-**Deploy app:**
-
-```bash {cwd=../../}
-./services/node-red/ops-scripts/apply-app.sh
-```
-
-**Deploy Infra:**
-
-```bash {cwd=../../}
-./services/node-red/ops-scripts/apply-infra.sh
-```
-
-Create password to add to node-red settings file.

 ``` bash
 #npm install bcryptjs
 node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" YOUR-PASSWORD
 ```
+
+## Setup
+
+Using flux for reconciliation.
+
+``` bash
+./ops-scripts/apply-flux.sh
+```
+
+**Encrypt secrets:**
+
+``` bash
+sops -e deploy/app/limbomox-ssh-secret.dec.yaml > deploy/app/limbomox-ssh-secret.yaml
+sops -e deploy/app/node-red-settings-secret.dec.yaml > deploy/app/node-red-settings-secret.yaml
+```
@@ -1,10 +0,0 @@
-module.exports = {
-    adminAuth: {
-        type: "credentials",
-        users: [{
-            username: "?????",
-            password: "??????",
-            permissions: "*"
-        }]
-    }
-}
@@ -15,7 +15,9 @@ spec:
    spec:
      containers:
      - name: node-red
-        image: nodered/node-red:latest
+        ### Maintained by flux - Image Update Automation
+        image: nodered/node-red:latest # {"$imagepolicy": "node-red:node-red"}
+        ###
        imagePullPolicy: Always
        ports:
        - containerPort: 1880
@@ -0,0 +1,13 @@
+apiVersion: image.toolkit.fluxcd.io/v1
+kind: ImagePolicy
+metadata:
+  name: node-red
+spec:
+  imageRepositoryRef:
+    name: node-red
+  filterTags:
+    pattern: '^latest$'
+  policy:
+    alphabetical: {}
+  digestReflectionPolicy: Always
+  interval: 24h
@@ -0,0 +1,7 @@
+apiVersion: image.toolkit.fluxcd.io/v1
+kind: ImageRepository
+metadata:
+  name: node-red
+spec:
+  image: nodered/node-red
+  interval: 72h
@@ -0,0 +1,25 @@
+apiVersion: image.toolkit.fluxcd.io/v1
+kind: ImageUpdateAutomation
+metadata:
+  name: node-red
+spec:
+  interval: 72h
+  sourceRef:
+    kind: GitRepository
+    name: casa
+    namespace: casa-limbosolutions-com
+  git:
+    checkout:
+      ref:
+        branch: main
+    commit:
+      author:
+        name: FluxCD
+        email: flux@local
+      messageTemplate: |
+        Update node-red image.
+    push:
+      branch: main
+  update:
+    path: ./services/node-red/deploy/app/deployment.yaml
+    strategy: Setters
@@ -1,17 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: node-red
 resources:
  - pvc.yaml
  - deployment.yaml
  - service.yaml
-generatorOptions:
-  disableNameSuffixHash: true
-secretGenerator:
-
- name: limbomox-ssh
-  files: 
-    - id-ed25519=./.env.d/limbomox.node-red.id_ed25519
+  - ingress.yaml
+  - node-red-settings-secret.yaml
+  - limbomox-ssh-secret.yaml
+  - image-policy.yaml
+  - image-repo.yaml
+  - image-update-automation.yaml
    
- name: node-red-settings 
-  files: 
-    - settings.js=./.env.d/node-red-settings.js
+
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: limbomox-ssh
+    namespace: default
+type: Opaque
+stringData:
+    id-ed25519: ENC[AES256_GCM,data:dODSqS2icQsYT09YMhdkeYHbbzC0DoiMg3S5GMhnkecP9UNzWHaVYjtHd24jUjn3nrMFG6DdeTTLqKwhIeOiMbELwFjj9P6BEhVW0tVXEhSv3XkLvF8AIV3wkql2BaiLrK/YBPMYn5tcWTARL8mWWp5YuCqoAAJp4gCUmlmvlch1FvS8I3RYazua2WSsARA0F21es6MJHccicv8kLEBuwWTFwaIkZDKlHMP8A3NYMV8Cwya35bu9CuZKfFc5MwziyIFXSreQ4Ft1YcDLG3ZrFx/nOnEZzstEFFmMtNwgCIwidJIeUm0r5f9zV0wbJ0u0FHxFFopKg78H+DLA28BC7NUIWmZtYR4qxvfS+yGKKPs7GtEnomRxrva4kfEc1Wfwy5x0LLfjiRTx0onfV3OFrdT9ZvZ6nqSLBTWpXk8bjx3tj5GeSCLAjgE7NLzhhQCInZYxtE9eShlI+fDIU2rkQH6kS86UhMbp5jd3Y7vWbSySfEhSziJmvuNZZsFNcI49zkc15VKD6qhhJ1x51+pg1cClEYkIRE3PCdEe,iv:rSpfatskq/mCxAjZ9m5AukO9B0z8MG8jBeU2xL+7j4k=,tag:pqVzcQ2bd738/UEyoX8BOg==,type:str]
+sops:
+    age:
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRCs4Um1OM0FWMDE4S2E5
+            cE1PRWJIRTMwOFNIRElWOXNSMmkzczFVTDNvCjdoNUFEdVUyYlUzbmJLOTNBLzNl
+            SmdraWl4MXBSM2NncUpXejVKaUZYcWMKLS0tIGVFak9Nb0R3VllSYjlseUJNOGFX
+            T0FTeTlMWGp3Rm5ZMUtxZ3ZCM3ZIeXcKSAvHgabvJANtEOWSQvmoD6kMsWOOAG1G
+            /r2rNvr7WyQky4W1goEE9GfTkNhO7BtjY/bzp20HwnTzEYWI5r37Mg==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
+    encrypted_regex: ^(data|stringData)$
+    lastmodified: "2026-06-06T02:59:51Z"
+    mac: ENC[AES256_GCM,data:/YIiA+rdhhsOzQrMQ4Ia9UYPobG8xXhMMTIRtgug2kIjj2e5UAcbqXTonp7bgnYLnC/PAcd4IDXbrZBnUZ9iiuEz102jM/CmJYWlSG4QyTNeveHVbQun4CdHqCkFytvZfN/hm12CfEg5rGiHxjS5rUCjnu0H21+d55U+K6xvm44=,iv:go44tFr9Mup3wptU1qKa5Ch8ayHQTXx+3N1kCg1Q+SA=,tag:z3q69W8UhqqHMV+6jl7fbg==,type:str]
+    version: 3.13.1
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: node-red-settings
+    namespace: default
+type: Opaque
+stringData:
+    settings.js: ENC[AES256_GCM,data:2cVFfU49mELFThxCGvOmvPh8shAdSkkLFsg2/35Y6iH3EPQXdU5mhNVRwRMApC8gLkjVqA+7+OnDeYHoYAAB7U2IAES0+lc4Z4vrNPBv4U45nZXet+JJAQHjVoYlbN60HLci9wFfGFtFNCVc4Wo1Q+xitW0nqAeDCiwnUBDWt9uu1+a/zNh9/j2hITmiOj+YKf1J83v5m9ERxywCJEPtiuiUBPbDs6Xml4bEkwchA1/fYxj9ufjuHaO6a/QHwimelEd6mlln19NJ7vKTpAVgSF3Yxf7kIT7B2MCVGJAy9GaBGDg7xVi8sJHF6GRS8YBbQ/uIXgE=,iv:ydewkmW9VbHrkBtQBo+4Hpq07+7ZuNbbNcvKPyeCjb8=,tag:s0xCytVnz5Qc5AoFY2z9lw==,type:str]
+sops:
+    age:
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVzlQNVJvYlNIRVNZOWpI
+            Y3RCbytmUVRjcDFoZ0JaeXBqNE9QOWxpcTJvCk5EdEJXVlZsYkFBRVJYb0pTOTl1
+            TVhkM294S3dudGtraHlqLzB2K0k0bmcKLS0tIE13NktDRzlIbnFxaitWYSs2VTl5
+            RGlLalBJbEMyVnBMNjRGWkdpNCtFVDgK+K3kn+8sT8/Ev2vz8bP2UhkjoUJyYpWH
+            taGn2TowwQaRRNGx31Ndj3P2xiZpg5SfjUeFUfXYrVrCAdR58JAfHA==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1gk946fp37xtm3fv500407zdd5h89a5lvxysrufhau3f73xcq8ewqcu8l5g
+    encrypted_regex: ^(data|stringData)$
+    lastmodified: "2026-06-06T02:59:51Z"
+    mac: ENC[AES256_GCM,data:Mzh5/I5tdem1kO8P/hZkXPruadAQ/ZlN/AgxT2zTZwuC0cdH6ufGPGGOsTMglh6RXXO4s4IShoKg8KbUECWIDeaUTj45ss7CqHj5wOUI3yMvM2GPW11yOsDCnw9nHaGnmTLoMkSKkijkB+szvfNt7lWMDIS2ON4DCywXvWIYsLc=,iv:pR74z80NAZ+R8NpxXK7OVIq2XVyTOXs91PMuM0UeGXc=,tag:sbtkRMwtzjStsqSM8Ofs1Q==,type:str]
+    version: 3.13.1
@@ -0,0 +1,2 @@
+**
+!.gitignore
@@ -0,0 +1,13 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: node-red
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: casa
+    namespace: casa-limbosolutions-com
+  path: services/node-red/deploy/app
+  prune: true
+  
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: node-red
+resources:
+ - app-sync.yaml
+secretGenerator:
+  - name: flux-sops-age
+    files:
+      - "age.agekey=./.env.d/age.agekey"
+generatorOptions:
+  disableNameSuffixHash: true
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - ingress.yaml
-generatorOptions:
-  disableNameSuffixHash: true
@@ -1,7 +0,0 @@
-
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: node-red
-  labels:
-    name: node-red
@@ -1,5 +0,0 @@
-#!/bin/bash
-set -e
-echo "Executing app deploy."
-
-kubectl kustomize ./services/node-red/deploy/app | kubectl apply -f -
@@ -0,0 +1,3 @@
+#!/bin/bash
+set -e
+kubectl kustomize ./services/node-red/deploy/flux | kubectl apply -f -
@@ -1,5 +0,0 @@
-#!/bin/bash
-set -e
-echo "Executing infra deploy."
-
-kubectl kustomize ./services/node-red/deploy/infra | kubectl apply -f -