feat(kustomization): Add base-configs and step-certificates resources with HelmRelease for step-ca

Author: TheMeinerLP

clusters/feather-core/base-configs.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: base-configs
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: base-controllers
+  interval: 1m
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./infrastructure/clusters/feather-core/base-configs
+  prune: true
+  wait: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg

clusters/feather-core/sources.yaml clusters/feather-core/base-sources.yamlclusters/feather-core/sources.yaml renamed to clusters/feather-core/base-sources.yaml

@@ -0,0 +1,5 @@
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../infrastructure/base/configs/cert-manager

infrastructure/clusters/feather-core/base-configs/kustomization.yaml

@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - cert-manager
+  - cert-manager
+  - step-certificates

infrastructure/clusters/feather-core/base-controllers/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../base/controllers/step-certificates
+patches:
+  - path: release.yaml

infrastructure/clusters/feather-core/base-controllers/step-certificates/kustomization.yaml

@@ -0,0 +1,147 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+    name: step-ca
+    namespace: step-ca
+spec:
+    chart:
+        spec:
+            version: '>=1.28.2'
+    values:
+        autocert:
+            enabled: true
+        inject:
+            certificates:
+                intermediate_ca: |
+                    -----BEGIN CERTIFICATE-----
+                    MIIB7TCCAZOgAwIBAgIRALh56v+dmGiC4JuVSuoMnykwCgYIKoZIzj0EAwIwQDEa
+                    MBgGA1UEChMRT25lTGl0ZUZlYXRoZXIgQ0ExIjAgBgNVBAMTGU9uZUxpdGVGZWF0
+                    aGVyIENBIFJvb3QgQ0EwHhcNMjUwMzE1MjAyMjE3WhcNMzUwMzEzMjAyMjE3WjBI
+                    MRowGAYDVQQKExFPbmVMaXRlRmVhdGhlciBDQTEqMCgGA1UEAxMhT25lTGl0ZUZl
+                    YXRoZXIgQ0EgSW50ZXJtZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
+                    QgAEEk/dvCXaMdLicArKIE0vk8nW7eW5hW/HhAoM13K/vG5vVqylKc8L+jE1bRxK
+                    y76LGEuEzt9G++/ZW9KfQNffhKNmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB
+                    /wQIMAYBAf8CAQAwHQYDVR0OBBYEFEdca3s2HmZUPzk2A/bgnnACPUw6MB8GA1Ud
+                    IwQYMBaAFGg5g8JjAFjpHcNDV4EXvCf1j/+tMAoGCCqGSM49BAMCA0gAMEUCIQDs
+                    jCehbP1Q9mzF6aSikUUJmpvrZeWbuUyHO0kUGEsEQAIgOZgCbif7WLyl66fPaly7
+                    v7s0wKAgsQSbTYZnxhTrAVg=
+                    -----END CERTIFICATE-----
+                root_ca: |
+                    -----BEGIN CERTIFICATE-----
+                    MIIBwjCCAWmgAwIBAgIQYxIjeKsPaPwVGMfUH++FlDAKBggqhkjOPQQDAjBAMRow
+                    GAYDVQQKExFPbmVMaXRlRmVhdGhlciBDQTEiMCAGA1UEAxMZT25lTGl0ZUZlYXRo
+                    ZXIgQ0EgUm9vdCBDQTAeFw0yNTAzMTUyMDIyMTZaFw0zNTAzMTMyMDIyMTZaMEAx
+                    GjAYBgNVBAoTEU9uZUxpdGVGZWF0aGVyIENBMSIwIAYDVQQDExlPbmVMaXRlRmVh
+                    dGhlciBDQSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmouTyyOr
+                    kBGqscprzWxpCNlijTqN9q4asUPLBJsueFv8mNjOUrZ1+gMbM869MCxKzvhFWzQh
+                    wDS+7wqUtocFDqNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
+                    AQEwHQYDVR0OBBYEFGg5g8JjAFjpHcNDV4EXvCf1j/+tMAoGCCqGSM49BAMCA0cA
+                    MEQCICmm1OatTX5epT3+pkNt/GLMt0sAwTTIdIVE2agDnor4AiAVMzFjncqWF2lD
+                    2hj8FAI7W1X78F14OCgFirKd/Gg8Nw==
+                    -----END CERTIFICATE-----
+            config:
+                files:
+                    ca.json:
+                        address: :9000
+                        authority:
+                            claims:
+                                defaultHostSSHCertDuration: 720h
+                                defaultTLSCertDuration: 17520h
+                                defaultUserSSHCertDuration: 24h
+                                disableRenewal: false
+                                enableAdmin: false
+                                maxHostSSHCertDuration: 1680h
+                                maxTLSCertDuration: 131400h
+                                maxUserSSHCertDuration: 24h
+                                minHostSSHCertDuration: 5m
+                                minTLSCertDuration: 5m
+                                minUserSSHCertDuration: 5m
+                            provisioners:
+                                - encryptedKey: eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiNW9paDNrUTBLWU1zMFVIN1FfNUpwQSJ9.7MdlmojjtqgTYiDo1_7nxlkkMXsBRsiAyJPYbGeNKZ4kYw3iuVZjTA.zmxMBglHQqcJ9j0v.u8hF1_zCme3dqW_W9A8VY1n5Zp-cpkGilnAsN-9lVAqrEqtw1L1zXvihLXj81bptyuaZXuYWOANboK7HyXP8KR1XVTbsPjlxZa-tbyogVncOBvHLkjU-LQipemr4z7TTd2pa4JMpwtl8ackT8P2hmHRxhybH4QYKlEZxQO7AXulqopJvO5vZi-jUiJ51O2vLh33neWYdcMIN-qPy-wogc4PQj8KCKtTOivPTxUIlhZ8C41ZU1KYlyVr818NLZLG-X2XKs_1tqokhp51O_Of7vNVaDQThMWFR9vkS8AoNSp3ss8HB6oXE2JGUIpCHpeihF_95HosicAyqwMysVIs.Qdbv7zVc8t2DNzlG37nvHg
+                                  key:
+                                    alg: ES256
+                                    crv: P-256
+                                    kid: OiMo753Qm59HojYUS-ba3w7OdmYnsDsfClv7PR3dh_A
+                                    kty: EC
+                                    use: sig
+                                    x: QeFA1tBy7Jjw04gy0fLlukrePbhXYjhG01D44wJU5Z8
+                                    "y": 5jsme3MU8W82RIh816nYFq1B0_YzTiHRVw1XVTt1DNg
+                                  name: admin@onelitefeather.net
+                                  options:
+                                    ssh: {}
+                                    x509: {}
+                                  type: JWK
+                                - claims: {}
+                                  forceCN: true
+                                  name: acme
+                                  type: ACME
+                        crt: /home/step/certs/intermediate_ca.crt
+                        db:
+                            dataSource: /home/step/db
+                            type: badgerv2
+                        dnsNames:
+                            - ca.onelite.feather
+                            - step-ca-step-certificates.step-ca.svc.cluster.local
+                        federateRoots: []
+                        key: /home/step/secrets/intermediate_ca_key
+                        logger:
+                            format: json
+                        root: /home/step/certs/root_ca.crt
+                        tls:
+                            cipherSuites:
+                                - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+                                - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+                            maxVersion: 1.3
+                            minVersion: 1.2
+                            renegotiation: false
+                    defaults.json:
+                        ca-config: /home/step/config/ca.json
+                        ca-url: https://ca.apps.onelite.feather
+                        fingerprint: 8ed13e459b5fb22df3caa5f99f4c19d9b40a4685436236e8a5609e61ed1a190e
+                        root: /home/step/certs/root_ca.crt
+            enabled: true
+            secrets:
+                ca_password: ENC[AES256_GCM,data:2SsVwnPY6s7q+Z5ItW1/JvVH1H2zoj4eROSy2AH+4aVOTiZifwd6xvgF4Qw=,iv:5LXn1G3pVhUDfvfiNJpVYBCQ0pt911I7E+TrdyGAG/0=,tag:OvA3SkykbN8ZWDUkroGe3A==,type:str]
+                provisioner_password: ENC[AES256_GCM,data:xlNc5xNV4OR9asN49cBTGm/PK5dFa0xpdEH1mE5ixJuTpGUqN9ixLuyIBH4=,iv:Ty66Bj6JMH1SJVuBLN2ln86bfnR8aYnTQkDzFjKCdSg=,tag:MH+bAi+Ac6JinyVUDTsKtg==,type:str]
+                x509:
+                    intermediate_ca_key: ENC[AES256_GCM,data:ovlAn1r3suU3H1ZTgYkz2A6pkd/xvfUxi3+fz2QJwTP7WDaB5YNcGxCo626KdttMCAC1M8HPZ5KKpbxfaPOwpKMygaTN6CIY733L/P6evj54YBPJ/QsM/zWpcWad+hzHKjLuMZFikrhu6z/UDBPjx2sGkgKjjAHCfWHalGQqZIQSBgu9LwqgmlP0ZVKFTHfu0Z5RdaBd04erTEDIt8PIXIAz7zdYm+owEOAx7UWb9nJxmo49MiRMmmQHd9TI81Xls3czXEfU2iZzwbK8ZhnKpLbqW1HlSvfZzdgLJL6kHkSk4CpsY3YZ/HH8c3WFOKbz0mOW2TXGl5QeIfpxdCmf+Xs0LwgAgR0sCdzuPswlGJ/dcIld7f28GK115wRQft+bY8d6LKt09tyfseMjNT2uIlYIkhkRtQVfGsU=,iv:/HaFn38ED5f3Q0Wny/fNVh0Wd07KV6MxWb4/1nb0m/w=,tag:0ZViRmLBAeLmL7cHUP+DFg==,type:str]
+                    root_ca_key: ENC[AES256_GCM,data:+qq1JiQnXFNG9y0BWCrL3H665WmXi1fkMcyulrGFYwlIS7m3Lj1AX9LLD2dITLH8tBDoxfNGN4H1MHjP+b2MHdgFcWipABKi6+IiIaxI2bIq+Wlh6zKc3WLb0Wfcx7jNb2dFew0HMuzn9XkRljRb5ncDQVECDS7pSiNOEqIgZ7EBU/nxKPj2VOGhhNP1UCJ0D7siVqgSWysT4yRuBsUvDbAA6n2N2Ij6UsUHQ4AsgQq73e2vCi30y3t7aDf+G6Rrb3EztJtMrzmYF6SPcAmQuSxnHAKQx/XOFR5BdwwxhOBWephahnGC09D4eQiAzNfar/kuxj5ueUpN5C4Nt3ZEodb3hVt1EMdlgTfKRlfEjDkxNKIJ0Nje47GlJlIbZZGyzh1LD1pEf0WF/Qjiz/BS+gtbLVXZ/eQ03U0=,iv:UzdgsMeWYl/emnbXskeI/7quWSgmMFT8eXKbX5qDUtA=,tag:Y5TNB/xXXKsJWnPz67FaMw==,type:str]
+        resources:
+            limits:
+                cpu: 100m
+                memory: 128Mi
+            requests:
+                cpu: 100m
+                memory: 128Mi
+        service:
+            annotations:
+                io.cilium/lb-ipam-ips: 10.200.32.2
+            externalTrafficPolicy: Local
+            targetPort: 9000
+            type: LoadBalancer
+sops:
+    lastmodified: "2025-08-17T16:19:57Z"
+    mac: ENC[AES256_GCM,data:ATRMfDKgzVyIvl33eRPU0JY6el5ONmX55f6k4AsGD2p6w1qWdVnvBZoIim1ZAEgYLfWhP6AWdjvgqWfbBqUbzaobN1HnsRhle1T1I1rRrRt2TAoDrbsqYfCRbqeK3Qu+zGBrX+30XyQijgVxJcnFhcPSAH0b51rtKZQxtpcEXwM=,iv:JH1yek+5rEgeTbw/yAo1UrKb6jGG8PgO4x40wODMTlI=,tag:4bF4ybr3minMIxxWdOXuFQ==,type:str]
+    pgp:
+        - created_at: "2025-08-17T16:19:57Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwWbRp0WX+I4AQ/+Jt9FZS5S89ZU3dr/W83XBe5aWZjGZD/iiaoAznyo9Y4k
+            dI41Bgna0Yznz2rtvSm5qzgwdWyAsPZzPoFbXq5smGuUcjtYieibYRTF1LbvMIeX
+            bB6yqiqTQ6RXc4hqu/4drfyzPETfcZjqqEIgV0tiQ2HzchZlWT5Qk0PuknZA/1x2
+            2p4iG0y0w+gDfc6huCbhSjcQqCOMl7aXtH5gDaKV3xvRcW6+CvwOvuXtBYrnTZuZ
+            xzzb/xhWfazXDAwnuDn+L3eEUSn+WOMWoI3mGNiWN6U2Rr3nM6qqkpvf0hwPXe1J
+            LrBdmXEmKNxZPDN4pZ5ssRoPKnR1IrQ+uk0qWjIJEHpH/8b36qyKN1theyTeFzXv
+            f14yR0N3Ehu+ojfwG4MnMA7tcY40dfJhAOKZugGQ2MfuGWgcxPSKbZSNocHCXvYy
+            0oxJTNRZ++PlIr4uTKXmbdjkppyDtXETrhLmRtu1FF1PJX3l+Fjx2cPe1+NBCkJv
+            yq1ozAj9rSvnw8bVLJtUZXc9LZqaJGH5m8harf5Q/rm/Lg4POhnsoYk7BQjNQJ/F
+            6J0IpGG7s7HwNrAKFuISGQYi56kxMgR2+zhM1IfKHyQgb+bBnjsFz9YBH0LKBiGF
+            az87fKUZTCNvSmW389xrqjH+g3SYzbDlxUwTAyn1NijsUOpPIlRQzk5ywwRZxc3S
+            XgHU0TIzFIVBzj0pvOKYubhb/1yrJKm3C/Cg3bPXnKn0RfgC1pVqbPHY9KmOrtNx
+            e5+6n4GxMRnlYuAAD6iaVmDFCceyYrtbg3gWsL6WqLIKKp48Set9Q4MH2Orqjco=
+            =6iSH
+            -----END PGP MESSAGE-----
+          fp: 0231831CB40B8E587B7353CBA3AF727721205A62
+    encrypted_regex: ^(ca_password|provisioner_password|intermediate_ca_key|root_ca_key|\.dockerconfigjson|sql\.php)$
+    version: 3.10.2