sync-taskfiles-to-bjw-s

.taskfiles/_scripts/wait-for-k8s-job.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+JOB_NAME=$1
+NAMESPACE="${2:-default}"
+CLUSTER=$3
+
+[[ -z "${JOB_NAME}" ]] && echo "Job name not specified" && exit 1
+
+while true; do
+    STATUS="$(kubectl --context "${CLUSTER}" -n "${NAMESPACE}" get pod -l job-name="${JOB_NAME}" -o jsonpath='{.items[*].status.phase}')"
+    if [[ "${STATUS}" == "Pending" ]]; then
+        break
+    fi
+    sleep 1
+done

.taskfiles/externalsecrets/Taskfile.yaml

@@ -0,0 +1,20 @@
+---
+version: "3"
+
+tasks:
+  sync:
+    desc: Sync ExternalSecret resources
+    summary: |
+      Args:
+        cluster: Cluster to run command against (required)
+        ns: Namespace the PVC is in (default: default)
+        secret: ExternalSecret to sync (required)
+    silent: true
+    vars:
+      secret: "{{ .secret }}"
+      ns: '{{.ns | default "default"}}'
+      cluster: '{{ or .cluster (fail "Argument (cluster) is required") }}'
+    cmd: kubectl --context {{.cluster}} -n {{.ns}} annotate externalsecret.external-secrets.io {{.secret}} force-sync=$(date +%s) --overwrite
+    preconditions:
+      - sh: kubectl --context {{.cluster}} -n {{.ns}} get es {{.secret}}
+        msg: "ExternalSecret not found"

.taskfiles/flux/Taskfile.yaml

@@ -0,0 +1,32 @@
+---
+version: "3"
+
+tasks:
+  apply:
+    desc: Apply a Flux Kustomization resource for a cluster
+    summary: |
+      Args:
+        cluster: Cluster to run command against (required)
+        path: Path to the Flux Kustomization resource (required)
+        ns: Namespace the Flux Kustomization exists in (default: flux-system)
+        new: Whether Flux Kustomization already exists in the cluster (default: false)
+    cmd: |
+      flux --context {{.cluster}} build ks $(basename {{.path}}) \
+        --namespace {{.ns}} \
+        --kustomization-file {{.kustomization_file}} \
+        --path {{.kustomization_path}} \
+        {{- if contains "not found" .kustomization_found }}--dry-run \{{ end }}
+      | \
+      kubectl --context {{.cluster}} apply --server-side \
+        --field-manager=kustomize-controller -f - \
+    vars:
+      kustomization_path: "{{.KUBERNETES_DIR}}/{{.cluster}}/apps/{{.path}}"
+      kustomization_file: "{{.kustomization_path}}/ks.yaml"
+      cluster: '{{ or .cluster (fail "Argument (cluster) is required") }}'
+      path: '{{ or .path (fail "Argument (path) is required") }}'
+      ns: '{{.ns | default "flux-system"}}'
+      kustomization_found:
+        sh: flux --context {{.cluster}} --namespace {{.ns}} get kustomization $(basename {{.path}}) 2>&1
+    preconditions:
+      - sh: "test -f {{.kustomization_file}}"
+        msg: "Kustomization file {{.kustomization_file}} not found"

.taskfiles/k8s/Taskfile.yaml

@@ -0,0 +1,78 @@
+---
+version: "3"
+
+tasks:
+  mount:
+    desc: Mount a PersistentVolumeClaim to a pod temporarily
+    summary: |
+      Args:
+        cluster: Cluster to run command against (required)
+        ns: Namespace the PVC is in (default: default)
+        claim: PVC to mount (required)
+    interactive: true
+    vars:
+      cluster: "{{ .cluster }}"
+      ns: '{{.ns | default "default"}}'
+      claim: "{{ .claim }}"
+    requires:
+      vars:
+        - claim
+        - cluster
+    cmds:
+      - |
+        kubectl --context {{.cluster}} run -n {{.ns}} debug-{{.claim}} -i --tty --rm --image=null --privileged --overrides='
+          {
+            "apiVersion": "v1",
+            "spec": {
+              "containers": [
+                {
+                  "name": "debug",
+                  "image": "ghcr.io/onedr0p/alpine:rolling",
+                  "command": [
+                    "/bin/bash"
+                  ],
+                  "stdin": true,
+                  "stdinOnce": true,
+                  "tty": true,
+                  "volumeMounts": [
+                    {
+                      "name": "claim",
+                      "mountPath": "/mnt/claim"
+                    }
+                  ]
+                }
+              ],
+              "volumes": [
+                {
+                  "name": "claim",
+                  "persistentVolumeClaim": {
+                    "claimName": "{{.claim}}"
+                  }
+                }
+              ],
+              "restartPolicy": "Never"
+            }
+          }'
+    preconditions:
+      - sh: kubectl --context {{.cluster}} -n {{.ns}} get pvc {{.claim}}
+        msg: "PVC not found"
+
+  delete-failed-pods:
+    desc: Deletes pods with Failed phase
+    summary: |
+      Args:
+        cluster: Cluster to run command against (required)
+    vars:
+      cluster: '{{ or .cluster (fail "Argument (cluster) is required") }}'
+    cmds:
+      - kubectl --context {{.cluster}} delete pods --field-selector status.phase=Failed -A --ignore-not-found=true
+
+  delete-succeeded-pods:
+    desc: Deletes pods with Succeeded phase
+    summary: |
+      Args:
+        cluster: Cluster to run command against (required)
+    vars:
+      cluster: '{{ or .cluster (fail "Argument (cluster) is required") }}'
+    cmds:
+      - kubectl --context {{.cluster}} delete pods --field-selector status.phase=Succeeded -A --ignore-not-found=true

.taskfiles/sops/Taskfile.yaml

@@ -0,0 +1,17 @@
+---
+version: "3"
+
+tasks:
+  re-encrypt:
+    desc: Decrypt and re-encrypt all sops secrets
+    silent: true
+    dir: "{{.USER_WORKING_DIR}}"
+    vars:
+      SECRET_FILES:
+        sh: find . -type f -name '*.sops.yaml' ! -name ".sops.yaml"
+    cmds:
+      - for: {var: SECRET_FILES}
+        cmd: |
+          echo "Re-encrypting {{ .ITEM }}"
+          sops --decrypt --in-place "{{ .ITEM }}"
+          sops --encrypt --in-place "{{ .ITEM }}"