From 88fb42bc56b3f1b5fd8f3428ecd95486ebd4e4cc Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 12:04:15 +0100 Subject: [PATCH 01/36] remove deprecated runtime values --- helm/runtime.yaml | 74 ----------------------------------------------- 1 file changed, 74 deletions(-) delete mode 100644 helm/runtime.yaml diff --git a/helm/runtime.yaml b/helm/runtime.yaml deleted file mode 100644 index 2c48e706..00000000 --- a/helm/runtime.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -cert-manager: - enabled: false - -ownerEmail: notifications@plural.sh # change this to whatever email you want to receive cert notifs - -plural: - enabled: false - -operator: - enabled: false - -flux2: - enabled: false - -flux: - enabled: false - -external-dns: - enabled: true - serviceAccount: - name: externaldns - annotations: - plural.sh/dummy: ignore - # eks.amazonaws.com/role-arn: "arn:aws:iam::ACCOUNT-ID:role/plrl-console-eks-certmanager-extdns" # uncomment and update for aws - # azure.workload.identity/client-id: XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX # uncomment and update for azure - - podLabels: - azure.workload.identity/use: "true" - - txtOwnerId: plrl - - provider: azure # <- change to the provider you actually wish to use - - domainFilters: - - az.plural.sh # <- you need to change this - -# For azure -# azure: -# useWorkloadIdentityExtension: true -# resourceGroup: -# tenantId: -# subscriptionId: - -# For aws -# ingress-nginx: -# controller: -# service: -# annotations: -# service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing -# service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp -# service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' -# service.beta.kubernetes.io/aws-load-balancer-type: external -# service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip -# service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" -# service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' -# config: -# compute-full-forwarded-for: 'true' -# use-forwarded-headers: 'true' -# use-proxy-protocol: 'true' - -# ingress-nginx-private: -# controller: -# service: -# annotations: -# service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp -# service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' -# service.beta.kubernetes.io/aws-load-balancer-type: external -# service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip -# 
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" -# service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' -# config: -# compute-full-forwarded-for: 'true' -# use-forwarded-headers: 'true' -# use-proxy-protocol: 'true' \ No newline at end of file From f367001b6b15ae73e083acf4fe2d4cf194f89761 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 12:16:37 +0100 Subject: [PATCH 02/36] update console, cert manager and runtime values folders --- setup/cert-manager.yaml | 2 +- setup/console.yaml | 2 +- setup/runtime.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/cert-manager.yaml b/setup/cert-manager.yaml index 4eef912f..15543311 100644 --- a/setup/cert-manager.yaml +++ b/setup/cert-manager.yaml @@ -6,7 +6,7 @@ metadata: spec: namespace: cert-manager git: - folder: helm-values + folder: helm ref: [[ or .Context.Branch "main" ]] repositoryRef: kind: GitRepository diff --git a/setup/console.yaml b/setup/console.yaml index 8ef0ce14..eaf1484e 100644 --- a/setup/console.yaml +++ b/setup/console.yaml @@ -6,7 +6,7 @@ metadata: spec: namespace: plrl-console git: - folder: helm-values + folder: helm ref: [[ or .Context.Branch "main" ]] repositoryRef: kind: GitRepository diff --git a/setup/runtime.yaml b/setup/runtime.yaml index 2cadac6f..daf47124 100644 --- a/setup/runtime.yaml +++ b/setup/runtime.yaml @@ -6,7 +6,7 @@ metadata: spec: namespace: plural-runtime git: - folder: helm-values + folder: helm ref: [[ or .Context.Branch "main" ]] repositoryRef: kind: GitRepository From 95b8e307fb1c9a11cc6f574d54e783d682e12f61 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 12:20:07 +0100 Subject: [PATCH 03/36] update README to clarify helm values folder structure --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 951cece2..b09c97e1 100644 --- a/README.md +++ b/README.md 
@@ -22,11 +22,9 @@ Our defaults are meant to be tweaked, feel free to reference the documentation o A plural installation repo will have a folder structure like this: ``` -helm-values/ # git-crypted helm values to be used to bootstrap your setup. Avoid editing unless necessary +helm/ # helm values files - ${app}.yaml # value overrides - ${app}-defaults.yaml # default values we generate on install - -helm/ # helm values files that are meant to be user-editable, used for setup of many common components - *.yaml{.liquid} # `.liquid` extension signifies the helm values file can be templated bootstrap/ # setup for apps within your cluster fleet, this is the root service-of-services that bootstraps everything recursively @@ -113,7 +111,7 @@ spec: namespace: infra git: ref: main - folder: helm-values # or wherever else you want to store the helm values + folder: helm # or wherever else you want to store the helm values helm: version: 6.31.4 chart: externaldns From 94e9b5862733e3208e40fbacee223777eb49632f Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 13:26:15 +0100 Subject: [PATCH 04/36] ignore temporary bootstrap files --- .gitignore | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 92e9b68e..cffa3f24 100644 --- a/.gitignore +++ b/.gitignore @@ -38,4 +38,7 @@ test/helm-values # IDE .idea/ -**/values.secret.yaml \ No newline at end of file +**/values.secret.yaml + +# Temporary Helm files used during bootstrap +helm-temp From 34a4f95c59e5f24ce8c7e72c539197f201ffd589 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 13:37:39 +0100 Subject: [PATCH 05/36] format template --- charts/runtime/values.yaml.tpl | 2 -- 1 file changed, 2 deletions(-) diff --git a/charts/runtime/values.yaml.tpl b/charts/runtime/values.yaml.tpl index 0c9c9927..45ac0b2f 100644 --- a/charts/runtime/values.yaml.tpl +++ b/charts/runtime/values.yaml.tpl 
@@ -23,10 +23,8 @@ acmeEAB: {{ end }} {{ if .Cloud }} - ownerEmail: {{ .Config.Email }} - external-dns: enabled: false From 23cf530866ea54bc4dc49359a8d5095dd5efb88b Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 13:39:14 +0100 Subject: [PATCH 06/36] centralize owner email declaration in runtime values template --- charts/runtime/values.yaml.tpl | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/charts/runtime/values.yaml.tpl b/charts/runtime/values.yaml.tpl index 45ac0b2f..bca045b7 100644 --- a/charts/runtime/values.yaml.tpl +++ b/charts/runtime/values.yaml.tpl @@ -1,3 +1,5 @@ +ownerEmail: {{ .Config.Email }} + {{ if not .Cloud }} external-dns: extraArgs: @@ -14,7 +16,6 @@ dnsSolver: cluster: {{ .Cluster }} provider: {{ .Provider }} -ownerEmail: {{ .Config.Email }} pluralToken: {{ .Config.Token }} acmeEAB: @@ -23,8 +24,6 @@ acmeEAB: {{ end }} {{ if .Cloud }} -ownerEmail: {{ .Config.Email }} - external-dns: enabled: false From 91fd8bc16d6d8d72b130b2021b88f5ab1a0e4084 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 13:43:54 +0100 Subject: [PATCH 07/36] add .gitkeep to maintain directory structure --- temp/helm/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 temp/helm/.gitkeep diff --git a/temp/helm/.gitkeep b/temp/helm/.gitkeep new file mode 100644 index 00000000..e69de29b From 3beea4f40c9f7df23d18e14f94bc95d1a5e0c4a0 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 13:44:18 +0100 Subject: [PATCH 08/36] update .gitignore to generalize temporary file exclusion during bootstrap --- .gitignore | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index cffa3f24..e4b7cc18 100644 --- a/.gitignore +++ b/.gitignore @@ -40,5 +40,5 @@ test/helm-values **/values.secret.yaml -# Temporary Helm files used during bootstrap -helm-temp +# Temporary files used during bootstrap +temp 
From b3ab1b2dd3e3254d81a5a88b7639d8adfc8fb4d9 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 14:06:37 +0100 Subject: [PATCH 09/36] add runtime.yaml.tpl for secret management --- .gitignore | 3 ++- temp/templates/runtime.yaml.tpl | 9 +++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 temp/templates/runtime.yaml.tpl diff --git a/.gitignore b/.gitignore index e4b7cc18..e7a926f2 100644 --- a/.gitignore +++ b/.gitignore @@ -41,4 +41,5 @@ test/helm-values **/values.secret.yaml # Temporary files used during bootstrap -temp +temp/* +!temp/templates/ \ No newline at end of file diff --git a/temp/templates/runtime.yaml.tpl b/temp/templates/runtime.yaml.tpl new file mode 100644 index 00000000..113f9e47 --- /dev/null +++ b/temp/templates/runtime.yaml.tpl @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: runtime-secret +type: Opaque +stringData: + pluralToken: {{ .Values.pluralToken | quote }} + acmeEABKid: {{ .Values.acmeEAB.kid | quote }} + acmeEABSecret: {{ .Values.acmeEAB.secret | quote }} From e4b4fc66aaf82805d5cd0a9aceda8d611d434c04 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 14:21:47 +0100 Subject: [PATCH 10/36] update values templates for improved configuration management --- charts/runtime/values.bootstrap.yaml.tpl | 78 ++++++++++++++++++++++++ charts/runtime/values.yaml.tpl | 6 +- 2 files changed, 81 insertions(+), 3 deletions(-) create mode 100644 charts/runtime/values.bootstrap.yaml.tpl diff --git a/charts/runtime/values.bootstrap.yaml.tpl b/charts/runtime/values.bootstrap.yaml.tpl new file mode 100644 index 00000000..bca045b7 --- /dev/null +++ b/charts/runtime/values.bootstrap.yaml.tpl 
@@ -0,0 +1,78 @@ +ownerEmail: {{ .Config.Email }} + +{{ if not .Cloud }} +external-dns: + extraArgs: + plural-cluster: {{ .Cluster }} + plural-provider: {{ .Provider }} + domainFilters: + - {{ .Subdomain }} + +dnsSolver: + webhook: + groupName: acme.plural.sh + solverName: plural-solver + config: + cluster: {{ .Cluster }} + provider: {{ .Provider }} + +pluralToken: {{ .Config.Token }} + +acmeEAB: + kid: {{ .Acme.KeyId }} + secret: {{ .Acme.HmacKey }} +{{ end }} + +{{ if .Cloud }} +external-dns: + enabled: false + +plural-certmanager-webhook: + enabled: false + +operator: + enabled: false + +application: + enabled: false + +plural: + enabled: false + +ingress-nginx: + enabled: false +ingress-nginx-private: + enabled: false +{{ end }} + +{{ if and (eq .Provider "aws") (not .Cloud) }} +ingress-nginx: + controller: + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' + service.beta.kubernetes.io/aws-load-balancer-type: external + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip + service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' + config: + compute-full-forwarded-for: 'true' + use-forwarded-headers: 'true' + use-proxy-protocol: 'true' +ingress-nginx-private: + controller: + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' + service.beta.kubernetes.io/aws-load-balancer-type: external + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip + service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' + config: + compute-full-forwarded-for: 
'true' + use-forwarded-headers: 'true' + use-proxy-protocol: 'true' +{{ end }} \ No newline at end of file diff --git a/charts/runtime/values.yaml.tpl b/charts/runtime/values.yaml.tpl index bca045b7..27fad567 100644 --- a/charts/runtime/values.yaml.tpl +++ b/charts/runtime/values.yaml.tpl @@ -16,11 +16,11 @@ dnsSolver: cluster: {{ .Cluster }} provider: {{ .Provider }} -pluralToken: {{ .Config.Token }} +pluralToken: {{ "{{ configuration.pluralToken }}" }} acmeEAB: - kid: {{ .Acme.KeyId }} - secret: {{ .Acme.HmacKey }} + kid: {{ "{{ configuration.acmeEABKid }}" }} + secret: {{ "{{ configuration.acmeEABSecret }}" }} {{ end }} {{ if .Cloud }} From 0121098f9992c2abf5fa59aa585e7a8a7de10240 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 14:26:38 +0100 Subject: [PATCH 11/36] remove .gitkeep from helm directory --- temp/helm/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 temp/helm/.gitkeep diff --git a/temp/helm/.gitkeep b/temp/helm/.gitkeep deleted file mode 100644 index e69de29b..00000000 From 0201095ef75dadf2213eb765f6265e9359ef5966 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 14:41:01 +0100 Subject: [PATCH 12/36] refactor values templates to standardize configuration and secret handling --- .../{values.bootstrap.yaml.tpl => values.liquid.tpl} | 8 ++++---- charts/runtime/values.yaml.tpl | 6 +++--- temp/templates/runtime.yaml.tpl | 7 ++++--- 3 files changed, 11 insertions(+), 10 deletions(-) rename charts/runtime/{values.bootstrap.yaml.tpl => values.liquid.tpl} (90%) diff --git a/charts/runtime/values.bootstrap.yaml.tpl b/charts/runtime/values.liquid.tpl similarity index 90% rename from charts/runtime/values.bootstrap.yaml.tpl rename to charts/runtime/values.liquid.tpl index bca045b7..3878f4b2 100644 --- a/charts/runtime/values.bootstrap.yaml.tpl +++ b/charts/runtime/values.liquid.tpl 
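Review bot: The liquid placeholders substituted into `pluralToken`, `acmeEAB.kid` and `acmeEAB.secret` are emitted as plain scalars, so the rendered values file is only valid YAML when the secret happens to contain no `: `, ` #` or leading indicator character, and an all-digit or `1e5`-shaped value would be retyped instead of kept as a string. Quoting the placeholder, e.g. `pluralToken: '{{ "{{ configuration.pluralToken }}" }}'`, keeps the rendered value a string; a value containing `'` would still need escaping, so check what the liquid renderer offers for that. The same three lines are carried into `values.liquid.tpl` by PATCH 12. The `{{ if not .Cloud }}` block these lines sit in opens before the hunk.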
@@ -1,4 +1,4 @@ -ownerEmail: {{ .Config.Email }} +ownerEmail: {{ "{{ configuration.ownerEmail }}" }}} {{ if not .Cloud }} external-dns: @@ -16,11 +16,11 @@ dnsSolver: cluster: {{ .Cluster }} provider: {{ .Provider }} -pluralToken: {{ .Config.Token }} +pluralToken: {{ "{{ configuration.pluralToken }}" }} acmeEAB: - kid: {{ .Acme.KeyId }} - secret: {{ .Acme.HmacKey }} + kid: {{ "{{ configuration.acmeEABKid }}" }} + secret: {{ "{{ configuration.acmeEABSecret }}" }} {{ end }} {{ if .Cloud }} diff --git a/charts/runtime/values.yaml.tpl b/charts/runtime/values.yaml.tpl index 27fad567..bca045b7 100644 --- a/charts/runtime/values.yaml.tpl +++ b/charts/runtime/values.yaml.tpl @@ -16,11 +16,11 @@ dnsSolver: cluster: {{ .Cluster }} provider: {{ .Provider }} -pluralToken: {{ "{{ configuration.pluralToken }}" }} +pluralToken: {{ .Config.Token }} acmeEAB: - kid: {{ "{{ configuration.acmeEABKid }}" }} - secret: {{ "{{ configuration.acmeEABSecret }}" }} + kid: {{ .Acme.KeyId }} + secret: {{ .Acme.HmacKey }} {{ end }} {{ if .Cloud }} diff --git a/temp/templates/runtime.yaml.tpl b/temp/templates/runtime.yaml.tpl index 113f9e47..ba7f4a75 100644 --- a/temp/templates/runtime.yaml.tpl +++ b/temp/templates/runtime.yaml.tpl @@ -4,6 +4,7 @@ metadata: name: runtime-secret type: Opaque stringData: - pluralToken: {{ .Values.pluralToken | quote }} - acmeEABKid: {{ .Values.acmeEAB.kid | quote }} - acmeEABSecret: {{ .Values.acmeEAB.secret | quote }} + ownerEmail: {{ .Config.Email | quote }} + pluralToken: {{ .Config.Token | quote }} + acmeEABKid: {{ .Acme.KeyId | quote }} + acmeEABSecret: {{ .Acme.HmacKey | quote }} From a34fef658b237446bb263791cb0f0472ff7e5d0f Mon Sep 17 00:00:00 2001 
From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 14:42:59 +0100 Subject: [PATCH 13/36] refactor values templates to standardize configuration and secret handling --- charts/runtime/{values.liquid.tpl => values.yaml.liquid.tpl} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename charts/runtime/{values.liquid.tpl => values.yaml.liquid.tpl} (100%) diff --git a/charts/runtime/values.liquid.tpl b/charts/runtime/values.yaml.liquid.tpl similarity index 100% rename from charts/runtime/values.liquid.tpl rename to charts/runtime/values.yaml.liquid.tpl From c3aba4240b5b3282f038b8068526897324506987 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 14:47:47 +0100 Subject: [PATCH 14/36] fix values template syntax for owner email configuration --- charts/runtime/values.yaml.liquid.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/runtime/values.yaml.liquid.tpl b/charts/runtime/values.yaml.liquid.tpl index 3878f4b2..eda1b7ca 100644 --- a/charts/runtime/values.yaml.liquid.tpl +++ b/charts/runtime/values.yaml.liquid.tpl @@ -1,4 +1,4 @@ -ownerEmail: {{ "{{ configuration.ownerEmail }}" }}} +ownerEmail: {{ "{{ configuration.ownerEmail }}" }} {{ if not .Cloud }} external-dns: From 8d6c9cf70520ee078a1d9d79d8514cd5dad7d080 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 14:52:57 +0100 Subject: [PATCH 15/36] connect runtime service with its configuration --- setup/runtime.yaml | 5 ++++- temp/templates/runtime.yaml.tpl | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/setup/runtime.yaml b/setup/runtime.yaml index daf47124..f2faaff1 100644 --- a/setup/runtime.yaml +++ b/setup/runtime.yaml @@ -12,12 +12,15 @@ spec: kind: GitRepository name: infra namespace: infra + configurationRef: + name: runtime-config + namespace: infra helm: version: "0.x.x" chart: runtime url: https://pluralsh.github.io/bootstrap valuesFiles: - - runtime.yaml + - runtime.yaml.liquid clusterRef: kind: Cluster name: mgmt 
diff --git a/temp/templates/runtime.yaml.tpl b/temp/templates/runtime.yaml.tpl index ba7f4a75..a28854b0 100644 --- a/temp/templates/runtime.yaml.tpl +++ b/temp/templates/runtime.yaml.tpl @@ -1,7 +1,8 @@ apiVersion: v1 kind: Secret metadata: - name: runtime-secret + name: runtime-config + namespace: infra type: Opaque stringData: ownerEmail: {{ .Config.Email | quote }} From 062f2dd43c13fd4f91f53f4595d39ceaf1ee0d2b Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 14:55:56 +0100 Subject: [PATCH 16/36] update file paths for certmanager and flux configurations --- templates/setup/console.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/setup/console.tf b/templates/setup/console.tf index 5d7094dc..49690218 100644 --- a/templates/setup/console.tf +++ b/templates/setup/console.tf @@ -7,11 +7,11 @@ resource "null_resource" "console" { } data "local_sensitive_file" "certmanager" { - filename = "${path.module}/../../helm-values/certmanager.yaml" + filename = "${path.module}/../../helm/certmanager.yaml" } data "local_sensitive_file" "flux" { - filename = "${path.module}/../../helm-values/flux.yaml" + filename = "${path.module}/../../helm/flux.yaml" } data "local_sensitive_file" "runtime" { From d1c9d30c6b0d2086ca4dcb1b74246fd13f842f6b Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 14:57:20 +0100 Subject: [PATCH 17/36] use temp helm values during runtime install --- templates/setup/console.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/setup/console.tf b/templates/setup/console.tf index 49690218..7670b569 100644 --- a/templates/setup/console.tf +++ b/templates/setup/console.tf @@ -15,7 +15,7 @@ data "local_sensitive_file" "flux" { } data "local_sensitive_file" "runtime" { - filename = "${path.module}/../../helm-values/runtime.yaml" + filename = "${path.module}/../../temp/helm/runtime.yaml" } data "local_sensitive_file" "console" { 
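Review bot: `temp/helm/runtime.yaml` is a scratch path that presumably holds the bootstrap values rendered from `charts/runtime/values.yaml.tpl`, which carries `pluralToken` and the `acmeEAB` keys as literals, so this data source reads real secrets from disk; `local_sensitive_file` keeps them out of plan output but the content is still stored in state, and nothing in this series removes the file once bootstrap is done. A comment making that lifecycle explicit, e.g. `# rendered during bootstrap; contains pluralToken/acmeEAB literals — remove after apply`, would help the next operator. `temp/` is gitignored as of PATCH 8, which covers the commit risk but not the on-disk copy.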
From 0c65d394449f8978ecc6080f289c28d59c3328bb Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 15:25:28 +0100 Subject: [PATCH 18/36] use single values for runtime --- charts/runtime/values.yaml.liquid.tpl | 2 +- charts/runtime/values.yaml.tpl | 78 --------------------------- 2 files changed, 1 insertion(+), 79 deletions(-) delete mode 100644 charts/runtime/values.yaml.tpl diff --git a/charts/runtime/values.yaml.liquid.tpl b/charts/runtime/values.yaml.liquid.tpl index eda1b7ca..4a180731 100644 --- a/charts/runtime/values.yaml.liquid.tpl +++ b/charts/runtime/values.yaml.liquid.tpl @@ -8,7 +8,7 @@ external-dns: domainFilters: - {{ .Subdomain }} -dnsSolver: +dnsSolver: webhook: groupName: acme.plural.sh solverName: plural-solver diff --git a/charts/runtime/values.yaml.tpl b/charts/runtime/values.yaml.tpl deleted file mode 100644 index bca045b7..00000000 --- a/charts/runtime/values.yaml.tpl +++ /dev/null 
@@ -1,78 +0,0 @@ -ownerEmail: {{ .Config.Email }} - -{{ if not .Cloud }} -external-dns: - extraArgs: - plural-cluster: {{ .Cluster }} - plural-provider: {{ .Provider }} - domainFilters: - - {{ .Subdomain }} - -dnsSolver: - webhook: - groupName: acme.plural.sh - solverName: plural-solver - config: - cluster: {{ .Cluster }} - provider: {{ .Provider }} - -pluralToken: {{ .Config.Token }} - -acmeEAB: - kid: {{ .Acme.KeyId }} - secret: {{ .Acme.HmacKey }} -{{ end }} - -{{ if .Cloud }} -external-dns: - enabled: false - -plural-certmanager-webhook: - enabled: false - -operator: - enabled: false - -application: - enabled: false - -plural: - enabled: false - -ingress-nginx: - enabled: false -ingress-nginx-private: - enabled: false -{{ end }} - -{{ if and (eq .Provider "aws") (not .Cloud) }} -ingress-nginx: - controller: - service: - annotations: - service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp - service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' - service.beta.kubernetes.io/aws-load-balancer-type: external - service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip - service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' - config: - compute-full-forwarded-for: 'true' - use-forwarded-headers: 'true' - use-proxy-protocol: 'true' -ingress-nginx-private: - controller: - service: - annotations: - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp - service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' - service.beta.kubernetes.io/aws-load-balancer-type: external - service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip - service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' - config: - compute-full-forwarded-for: 
'true' - use-forwarded-headers: 'true' - use-proxy-protocol: 'true' -{{ end }} \ No newline at end of file From a0cd1d026b6be1d8443c05165e3118be0b312829 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 16:03:08 +0100 Subject: [PATCH 19/36] use terraform to create secrets --- .gitignore | 3 +-- temp/templates/runtime.yaml.tpl | 11 ----------- templates/setup/config-secrets.tf | 19 +++++++++++++++++++ 3 files changed, 20 insertions(+), 13 deletions(-) delete mode 100644 temp/templates/runtime.yaml.tpl create mode 100644 templates/setup/config-secrets.tf diff --git a/.gitignore b/.gitignore index e7a926f2..0788cd36 100644 --- a/.gitignore +++ b/.gitignore @@ -41,5 +41,4 @@ test/helm-values **/values.secret.yaml # Temporary files used during bootstrap -temp/* -!temp/templates/ \ No newline at end of file +temp/ diff --git a/temp/templates/runtime.yaml.tpl b/temp/templates/runtime.yaml.tpl deleted file mode 100644 index a28854b0..00000000 --- a/temp/templates/runtime.yaml.tpl +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: runtime-config - namespace: infra -type: Opaque -stringData: - ownerEmail: {{ .Config.Email | quote }} - pluralToken: {{ .Config.Token | quote }} - acmeEABKid: {{ .Acme.KeyId | quote }} - acmeEABSecret: {{ .Acme.HmacKey | quote }} diff --git a/templates/setup/config-secrets.tf b/templates/setup/config-secrets.tf new file mode 100644 index 00000000..b7a5f122 --- /dev/null +++ b/templates/setup/config-secrets.tf @@ -0,0 +1,19 @@ +# This file should not be commited to repository. + +resource "kubernetes_secret" "runtime_config" { + metadata { + name = "runtime-config" + namespace = "infra" + } + + type = "Opaque" + + data = { + ownerEmail = base64encode("{{ .Config.Email }}") + pluralToken = base64encode("{{ .Config.Token }}") + acmeEABKid = base64encode("{{ .Acme.KeyId }}") + acmeEABSecret = base64encode("{{ .Acme.HmacKey }}") + } + + depends_on = [module.mgmt.cluster, module.mgmt.ready] +} 
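Review bot: `base64encode(...)` inside `data` of `kubernetes_secret.runtime_config` double-encodes every value, because the kubernetes provider base64-encodes `data` itself (`binary_data` is the argument that takes already-encoded input); drop the wrapper, e.g. `pluralToken = "{{ .Config.Token }}"`, or move the map under `binary_data`. The same wrapper is used in every `console_config` entry added in PATCH 24–28, including `postgresUrl`. Separately, once rendered this file holds the Plural token and ACME HMAC key as plaintext literals, and they land in Terraform state either way; reading them via `local_sensitive_file` as console.tf already does for the values files, or a `sensitive = true` variable, would at least keep the rendered `.tf` free of secrets (the header comment also misspells "committed"). `module.mgmt.cluster` and `module.mgmt.ready` are defined outside this hunk.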
From 721a721c5fb74ff97fe0d44584c28982b6f30869 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 16:05:35 +0100 Subject: [PATCH 20/36] Revert "use single values for runtime" This reverts commit 0c65d394449f8978ecc6080f289c28d59c3328bb. --- charts/runtime/values.yaml.liquid.tpl | 2 +- charts/runtime/values.yaml.tpl | 78 +++++++++++++++++++++++++++ 2 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 charts/runtime/values.yaml.tpl diff --git a/charts/runtime/values.yaml.liquid.tpl b/charts/runtime/values.yaml.liquid.tpl index 4a180731..eda1b7ca 100644 --- a/charts/runtime/values.yaml.liquid.tpl +++ b/charts/runtime/values.yaml.liquid.tpl @@ -8,7 +8,7 @@ external-dns: domainFilters: - {{ .Subdomain }} -dnsSolver: +dnsSolver: webhook: groupName: acme.plural.sh solverName: plural-solver diff --git a/charts/runtime/values.yaml.tpl b/charts/runtime/values.yaml.tpl new file mode 100644 index 00000000..bca045b7 --- /dev/null +++ b/charts/runtime/values.yaml.tpl 
@@ -0,0 +1,78 @@ +ownerEmail: {{ .Config.Email }} + +{{ if not .Cloud }} +external-dns: + extraArgs: + plural-cluster: {{ .Cluster }} + plural-provider: {{ .Provider }} + domainFilters: + - {{ .Subdomain }} + +dnsSolver: + webhook: + groupName: acme.plural.sh + solverName: plural-solver + config: + cluster: {{ .Cluster }} + provider: {{ .Provider }} + +pluralToken: {{ .Config.Token }} + +acmeEAB: + kid: {{ .Acme.KeyId }} + secret: {{ .Acme.HmacKey }} +{{ end }} + +{{ if .Cloud }} +external-dns: + enabled: false + +plural-certmanager-webhook: + enabled: false + +operator: + enabled: false + +application: + enabled: false + +plural: + enabled: false + +ingress-nginx: + enabled: false +ingress-nginx-private: + enabled: false +{{ end }} + +{{ if and (eq .Provider "aws") (not .Cloud) }} +ingress-nginx: + controller: + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' + service.beta.kubernetes.io/aws-load-balancer-type: external + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip + service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' + config: + compute-full-forwarded-for: 'true' + use-forwarded-headers: 'true' + use-proxy-protocol: 'true' +ingress-nginx-private: + controller: + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' + service.beta.kubernetes.io/aws-load-balancer-type: external + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip + service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' + config: + compute-full-forwarded-for: 
'true' + use-forwarded-headers: 'true' + use-proxy-protocol: 'true' +{{ end }} \ No newline at end of file From fbc117b91566ad9d2be11181c079a67fe09f4de9 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 16:13:59 +0100 Subject: [PATCH 21/36] add .gitkeep to temp directory in .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 0788cd36..8affe3e9 100644 --- a/.gitignore +++ b/.gitignore @@ -42,3 +42,4 @@ test/helm-values # Temporary files used during bootstrap temp/ +!temp/.gitkeep \ No newline at end of file From 278717e4548dd1796596eec50ef1d6f427fd1d3a Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 16:14:43 +0100 Subject: [PATCH 22/36] remove .gitkeep exception for temp directory in .gitignore --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index 8affe3e9..0788cd36 100644 --- a/.gitignore +++ b/.gitignore @@ -42,4 +42,3 @@ test/helm-values # Temporary files used during bootstrap temp/ -!temp/.gitkeep \ No newline at end of file From e2157ffdfb3fd901d2284490007347c97947a27a Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 16:16:06 +0100 Subject: [PATCH 23/36] update README to clarify purpose of temp directory in gitignore --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index b09c97e1..33fb0712 100644 --- a/README.md +++ b/README.md 
@@ -38,6 +38,8 @@ terraform/ - - clusters - - - {cloud} # we've crafted some reusable modules for setting up clusters on most major clouds, feel free to use these in stacks or wherever - ${app}/ - submodule for individual app's terraform + +temp/ # a temp folder used during bootstrap that is gitignored ``` You're free to extend this as you'd like, although if you use the plural marketplace that structure will be expected. You can also deploy services w/ manifests in other repos, this is meant to serve as a base to define the core infrastructure and get you started in a sane way. From fef19b773ae32497331c0da7b8d634e295892c8a Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Mon, 9 Feb 2026 16:58:58 +0100 Subject: [PATCH 24/36] add kubernetes secret resource for console configuration --- templates/setup/config-secrets.tf | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/templates/setup/config-secrets.tf b/templates/setup/config-secrets.tf index b7a5f122..0e1adbf7 100644 --- a/templates/setup/config-secrets.tf +++ b/templates/setup/config-secrets.tf @@ -17,3 +17,19 @@ resource "kubernetes_secret" "runtime_config" { depends_on = [module.mgmt.cluster, module.mgmt.ready] } + +resource "kubernetes_secret" "console_config" { + metadata { + name = "console-config" + namespace = "infra" + } + + type = "Opaque" + + data = { + clusterName = base64encode("{{ .Config.ClusterName }}") + provider = base64encode("{{ .Config.Provider }}") + } + + depends_on = [module.mgmt.cluster, module.mgmt.ready] +} From 76b21e9e0e4739227385e5767df481b01509c549 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Tue, 10 Feb 2026 10:38:09 +0100 Subject: [PATCH 25/36] add console and kas DNS entries to config secrets --- templates/setup/config-secrets.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/setup/config-secrets.tf b/templates/setup/config-secrets.tf index 0e1adbf7..f7dd4713 100644 --- a/templates/setup/config-secrets.tf 
+++ b/templates/setup/config-secrets.tf @@ -29,7 +29,10 @@ resource "kubernetes_secret" "console_config" { data = { clusterName = base64encode("{{ .Config.ClusterName }}") provider = base64encode("{{ .Config.Provider }}") + consoleDns = base64encode("console.{{ .Subdomain }}") + kasDns = base64encode("kas.{{ .Subdomain }}") } depends_on = [module.mgmt.cluster, module.mgmt.ready] } + From 1e4f81c179bb5d9906bb1516a9c794c8734fd3b0 Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Tue, 10 Feb 2026 10:41:03 +0100 Subject: [PATCH 26/36] add postgres URL to config secrets --- templates/setup/config-secrets.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/setup/config-secrets.tf b/templates/setup/config-secrets.tf index f7dd4713..dc16db1f 100644 --- a/templates/setup/config-secrets.tf +++ b/templates/setup/config-secrets.tf @@ -31,6 +31,7 @@ resource "kubernetes_secret" "console_config" { provider = base64encode("{{ .Config.Provider }}") consoleDns = base64encode("console.{{ .Subdomain }}") kasDns = base64encode("kas.{{ .Subdomain }}") + postgresUrl = base64encode(module.mgmt.db_url) } depends_on = [module.mgmt.cluster, module.mgmt.ready] From ce6fcab201b8027b8bc16763437c83edcd56c0fb Mon Sep 17 00:00:00 2001 From: Marcin Maciaszczyk Date: Tue, 10 Feb 2026 11:11:00 +0100 Subject: [PATCH 27/36] add cluster issuer to console configuration secret --- templates/setup/config-secrets.tf | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/templates/setup/config-secrets.tf b/templates/setup/config-secrets.tf index dc16db1f..511ae4f9 100644 --- a/templates/setup/config-secrets.tf +++ b/templates/setup/config-secrets.tf @@ -18,6 +18,7 @@ resource "kubernetes_secret" "runtime_config" { depends_on = [module.mgmt.cluster, module.mgmt.ready] } +# This secret should stay in sync with the values generated by `plural cd control-plane-values` command. resource "kubernetes_secret" "console_config" { metadata { name = "console-config" 
@@ -27,11 +28,12 @@ resource "kubernetes_secret" "console_config" {
 type = "Opaque"
 data = {
- clusterName = base64encode("{{ .Config.ClusterName }}")
- provider = base64encode("{{ .Config.Provider }}")
- consoleDns = base64encode("console.{{ .Subdomain }}")
- kasDns = base64encode("kas.{{ .Subdomain }}")
- postgresUrl = base64encode(module.mgmt.db_url)
+ clusterName = base64encode("{{ .Config.ClusterName }}")
+ provider = base64encode("{{ .Config.Provider }}")
+ consoleDns = base64encode("console.{{ .Subdomain }}")
+ kasDns = base64encode("kas.{{ .Subdomain }}")
+ postgresUrl = base64encode(module.mgmt.db_url)
+ clusterIssuer = base64encode("plural")
 }
 depends_on = [module.mgmt.cluster, module.mgmt.ready]
From bfcf29512525a2117004c666dca7b56a4b5b922c Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Tue, 10 Feb 2026 11:18:47 +0100
Subject: [PATCH 28/36] add admin credentials to config secrets
---
 templates/setup/config-secrets.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/templates/setup/config-secrets.tf b/templates/setup/config-secrets.tf
index 511ae4f9..476e32af 100644
--- a/templates/setup/config-secrets.tf
+++ b/templates/setup/config-secrets.tf
@@ -28,6 +28,8 @@ resource "kubernetes_secret" "console_config" {
 type = "Opaque"
 data = {
+ adminName = base64encode("{{ .Config.UserEmail }}")
+ adminEmail = base64encode("{{ .Config.UserEmail }}")
 clusterName = base64encode("{{ .Config.ClusterName }}")
 provider = base64encode("{{ .Config.Provider }}")
 consoleDns = base64encode("console.{{ .Subdomain }}")
From d110612193bcb4ea69915a49febe35af985c4a44 Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Tue, 10 Feb 2026 12:26:46 +0100
Subject: [PATCH 29/36] refactor console configuration secrets to use local values and update file paths
---
 templates/setup/config-secrets.tf | 54 ++++++++++++++++++++-----------
 templates/setup/console.tf | 4 +--
 2 files changed, 38 insertions(+), 20 deletions(-)
diff --git a/templates/setup/config-secrets.tf b/templates/setup/config-secrets.tf
index 476e32af..67665c0e 100644
--- a/templates/setup/config-secrets.tf
+++ b/templates/setup/config-secrets.tf
@@ -1,43 +1,61 @@
 # This file should not be commited to repository.
-resource "kubernetes_secret" "runtime_config" {
+locals {
+ console_values = yamldecode(data.local_sensitive_file.console.content)
+}
+
+resource "kubernetes_secret" "console_config" {
 metadata {
- name = "runtime-config"
+ name = "console-config"
 namespace = "infra"
 }
 type = "Opaque"
 data = {
- ownerEmail = base64encode("{{ .Config.Email }}")
- pluralToken = base64encode("{{ .Config.Token }}")
- acmeEABKid = base64encode("{{ .Acme.KeyId }}")
- acmeEABSecret = base64encode("{{ .Acme.HmacKey }}")
+ consoleDns = base64encode(tostring(try(local.console_values.ingress.consoleDns, "")))
+ kasDns = base64encode(tostring(try(local.console_values.ingress.kasDns, "")))
+
+ clusterIssuer = base64encode("plural")
+
+ provider = base64encode(tostring(try(local.console_values.provider, "")))
+
+ jwt = base64encode(tostring(try(local.console_values.secrets.jwt, "")))
+ erlang = base64encode(tostring(try(local.console_values.secrets.erlang, "")))
+ aesKey = base64encode(tostring(try(local.console_values.secrets.aesKey, "")))
+ key = base64encode(tostring(try(local.console_values.secrets.key, "")))
+ identity = base64encode(tostring(try(local.console_values.secrets.identity, "")))
+ pluralClientId = base64encode(tostring(try(local.console_values.secrets.pluralClientId, "")))
+ pluralClientSecret = base64encode(tostring(try(local.console_values.secrets.pluralClientSecret, "")))
+ adminName = base64encode(tostring(try(local.console_values.secrets.adminName, "")))
+ adminEmail = base64encode(tostring(try(local.console_values.secrets.adminEmail, "")))
+ adminPassword = base64encode(tostring(try(local.console_values.secrets.adminPassword, "")))
+ clusterName = base64encode(tostring(try(local.console_values.secrets.clusterName, "")))
+
+ pluralToken = base64encode(tostring(try(local.console_values.extraSecretEnv.PLURAL_TOKEN, "")))
+ kasApi = base64encode(tostring(try(local.console_values.extraSecretEnv.KAS_API_SECRET, "")))
+ kasPrivateApi = base64encode(tostring(try(local.console_values.extraSecretEnv.KAS_PRIVATE_API_SECRET, "")))
+ kasRedis = base64encode(tostring(try(local.console_values.extraSecretEnv.KAS_REDIS_SECRET, "")))
+ postgresUrl = base64encode(tostring(try(local.console_values.extraSecretEnv.POSTGRES_URL, "")))
 }
 depends_on = [module.mgmt.cluster, module.mgmt.ready]
 }
-# This secret should stay in sync with the values generated by `plural cd control-plane-values` command.
-resource "kubernetes_secret" "console_config" {
+resource "kubernetes_secret" "runtime_config" {
 metadata {
- name = "console-config"
+ name = "runtime-config"
 namespace = "infra"
 }
 type = "Opaque"
 data = {
- adminName = base64encode("{{ .Config.UserEmail }}")
- adminEmail = base64encode("{{ .Config.UserEmail }}")
- clusterName = base64encode("{{ .Config.ClusterName }}")
- provider = base64encode("{{ .Config.Provider }}")
- consoleDns = base64encode("console.{{ .Subdomain }}")
- kasDns = base64encode("kas.{{ .Subdomain }}")
- postgresUrl = base64encode(module.mgmt.db_url)
- clusterIssuer = base64encode("plural")
+ ownerEmail = base64encode("{{ .Config.Email }}")
+ pluralToken = base64encode("{{ .Config.Token }}")
+ acmeEABKid = base64encode("{{ .Acme.KeyId }}")
+ acmeEABSecret = base64encode("{{ .Acme.HmacKey }}")
 }
 depends_on = [module.mgmt.cluster, module.mgmt.ready]
 }
-
diff --git a/templates/setup/console.tf b/templates/setup/console.tf
index 7670b569..1c504d7e 100644
--- a/templates/setup/console.tf
+++ b/templates/setup/console.tf
@@ -2,7 +2,7 @@ resource "null_resource" "console" {
 provisioner "local-exec" {
 command = "plural cd control-plane-values --name {{ .Cluster }} --dsn \"${module.mgmt.db_url}\" --domain {{ .Subdomain }} --file console.yaml"
- working_dir = "${path.module}/../../helm-values"
+ working_dir = "${path.module}/../../temp/helm"
 }
 }
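Review bot: Every lookup in the new `console_config` `data` map falls back to `""` through `try(..., "")`, so a missing or misspelled key in the decoded console.yaml (say `secrets.jwt` or `secrets.adminPassword`) yields a Secret with empty values and no plan error, and the console would presumably start with empty signing and encryption material rather than fail. For the keys the console cannot run without, index `local.console_values` directly so a missing value fails the plan, e.g. `jwt = base64encode(local.console_values.secrets.jwt)`, and keep the fallback only for genuinely optional entries such as the DNS names. The key rename in patch 34 is exactly the kind of mismatch this default would have masked.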
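Review bot: `command` embeds `module.mgmt.db_url` in the shell string; unless that module output is declared `sensitive = true`, Terraform echoes the full local-exec command line into the apply output, so if the DSN carries database credentials (the `--dsn` flag suggests it does) they end up in CI logs, and the `working_dir` change does not affect this. Marking the output sensitive makes Terraform suppress the echo; passing the DSN through the provisioner's `environment` argument instead of the argument list, if the CLI can read it that way, additionally keeps it out of the process list. The enclosing `null_resource` block starts before this hunk.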
@@ -19,7 +19,7 @@ data "local_sensitive_file" "runtime" {
 }
 data "local_sensitive_file" "console" {
- filename = "${path.module}/../../helm-values/console.yaml"
+ filename = "${path.module}/../../temp/helm/console.yaml"
 depends_on = [null_resource.console]
 }
From 49fd6f190278bff307faa8b78a08e3ab018bd2ce Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Tue, 10 Feb 2026 13:17:52 +0100
Subject: [PATCH 30/36] update console Helm configuration to reference runtime-config and adjust values file path
---
 setup/console.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/setup/console.yaml b/setup/console.yaml
index eaf1484e..af83bc67 100644
--- a/setup/console.yaml
+++ b/setup/console.yaml
@@ -12,12 +12,15 @@ spec:
 kind: GitRepository
 name: infra
 namespace: infra
+ configurationRef:
+ name: runtime-config
+ namespace: infra
 helm:
 version: "0.x.x"
 chart: console
 url: https://pluralsh.github.io/console
 valuesFiles:
- - console.yaml
+ - console.yaml.liquid
 clusterRef:
 kind: Cluster
 name: mgmt
From 1380712dca3774d3ff08c0a85dbac782babcc199 Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Tue, 10 Feb 2026 13:27:05 +0100
Subject: [PATCH 31/36] add kubernetes namespace resource for infra and update secret namespaces
---
 templates/setup/config-secrets.tf | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/templates/setup/config-secrets.tf b/templates/setup/config-secrets.tf
index 67665c0e..e83a2eac 100644
--- a/templates/setup/config-secrets.tf
+++ b/templates/setup/config-secrets.tf
@@ -4,10 +4,18 @@ locals {
 console_values = yamldecode(data.local_sensitive_file.console.content)
 }
+resource "kubernetes_namespace" "infra" {
+ metadata {
+ name = "infra"
+ }
+
+ depends_on = [module.mgmt.cluster, module.mgmt.ready]
+}
+
 resource "kubernetes_secret" "console_config" {
 metadata {
 name = "console-config"
- namespace = "infra"
+ namespace = kubernetes_namespace.infra.metadata[0].name
 }
 type = "Opaque"
@@ -39,13 +47,13 @@ resource "kubernetes_secret" "console_config" {
 postgresUrl = base64encode(tostring(try(local.console_values.extraSecretEnv.POSTGRES_URL, "")))
 }
- depends_on = [module.mgmt.cluster, module.mgmt.ready]
+ depends_on = [kubernetes_namespace.infra, module.mgmt.cluster, module.mgmt.ready]
 }
 resource "kubernetes_secret" "runtime_config" {
 metadata {
 name = "runtime-config"
- namespace = "infra"
+ namespace = kubernetes_namespace.infra.metadata[0].name
 }
 type = "Opaque"
@@ -57,5 +65,5 @@ resource "kubernetes_secret" "runtime_config" {
 acmeEABSecret = base64encode("{{ .Acme.HmacKey }}")
 }
- depends_on = [module.mgmt.cluster, module.mgmt.ready]
+ depends_on = [kubernetes_namespace.infra, module.mgmt.cluster, module.mgmt.ready]
 }
From 93c8eb9265ff1baa610e089b405980f40cbb3693 Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Tue, 10 Feb 2026 16:00:36 +0100
Subject: [PATCH 32/36] remove outdated test/helm-values entry from .gitignore
---
 .gitignore | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 0788cd36..9e7b4cef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,8 +33,6 @@ override.tf.json
 .terraformrc
 terraform.rc
-test/helm-values
-
 # IDE
 .idea/
From fe1905ecd1bd30f70f94a9ed37a44231c5a0fd40 Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Tue, 10 Feb 2026 16:35:18 +0100
Subject: [PATCH 33/36] refactor config secrets to remove base64 encoding for string values
---
 templates/setup/config-secrets.tf | 48 +++++++++++++++----------------
 1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/templates/setup/config-secrets.tf b/templates/setup/config-secrets.tf
index e83a2eac..c01a76bb 100644
--- a/templates/setup/config-secrets.tf
+++ b/templates/setup/config-secrets.tf
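Review bot: The `kubernetes_namespace.infra` entry added to `depends_on` is redundant with the `namespace = kubernetes_namespace.infra.metadata[0].name` reference introduced in the same commit, which already orders each Secret after the namespace; the same holds for the `runtime_config` hunk just below. Keeping the list at `depends_on = [module.mgmt.cluster, module.mgmt.ready]` lets the attribute reference carry the dependency and avoids the extra deferred planning that explicit `depends_on` entries tend to cause.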
@@ -21,30 +21,30 @@ resource "kubernetes_secret" "console_config" {
 type = "Opaque"
 data = {
- consoleDns = base64encode(tostring(try(local.console_values.ingress.consoleDns, "")))
- kasDns = base64encode(tostring(try(local.console_values.ingress.kasDns, "")))
+ consoleDns = tostring(try(local.console_values.ingress.consoleDns, ""))
+ kasDns = tostring(try(local.console_values.ingress.kasDns, ""))
- clusterIssuer = base64encode("plural")
+ clusterIssuer = "plural"
- provider = base64encode(tostring(try(local.console_values.provider, "")))
+ provider = tostring(try(local.console_values.provider, ""))
- jwt = base64encode(tostring(try(local.console_values.secrets.jwt, "")))
- erlang = base64encode(tostring(try(local.console_values.secrets.erlang, "")))
- aesKey = base64encode(tostring(try(local.console_values.secrets.aesKey, "")))
- key = base64encode(tostring(try(local.console_values.secrets.key, "")))
- identity = base64encode(tostring(try(local.console_values.secrets.identity, "")))
- pluralClientId = base64encode(tostring(try(local.console_values.secrets.pluralClientId, "")))
- pluralClientSecret = base64encode(tostring(try(local.console_values.secrets.pluralClientSecret, "")))
- adminName = base64encode(tostring(try(local.console_values.secrets.adminName, "")))
- adminEmail = base64encode(tostring(try(local.console_values.secrets.adminEmail, "")))
- adminPassword = base64encode(tostring(try(local.console_values.secrets.adminPassword, "")))
- clusterName = base64encode(tostring(try(local.console_values.secrets.clusterName, "")))
+ jwt = tostring(try(local.console_values.secrets.jwt, ""))
+ erlang = tostring(try(local.console_values.secrets.erlang, ""))
+ aesKey = tostring(try(local.console_values.secrets.aesKey, ""))
+ key = tostring(try(local.console_values.secrets.key, ""))
+ identity = tostring(try(local.console_values.secrets.identity, ""))
+ pluralClientId = tostring(try(local.console_values.secrets.pluralClientId, ""))
+ pluralClientSecret = tostring(try(local.console_values.secrets.pluralClientSecret, ""))
+ adminName = tostring(try(local.console_values.secrets.adminName, ""))
+ adminEmail = tostring(try(local.console_values.secrets.adminEmail, ""))
+ adminPassword = tostring(try(local.console_values.secrets.adminPassword, ""))
+ clusterName = tostring(try(local.console_values.secrets.clusterName, ""))
- pluralToken = base64encode(tostring(try(local.console_values.extraSecretEnv.PLURAL_TOKEN, "")))
- kasApi = base64encode(tostring(try(local.console_values.extraSecretEnv.KAS_API_SECRET, "")))
- kasPrivateApi = base64encode(tostring(try(local.console_values.extraSecretEnv.KAS_PRIVATE_API_SECRET, "")))
- kasRedis = base64encode(tostring(try(local.console_values.extraSecretEnv.KAS_REDIS_SECRET, "")))
- postgresUrl = base64encode(tostring(try(local.console_values.extraSecretEnv.POSTGRES_URL, "")))
+ pluralToken = tostring(try(local.console_values.extraSecretEnv.PLURAL_TOKEN, ""))
+ kasApi = tostring(try(local.console_values.extraSecretEnv.KAS_API_SECRET, ""))
+ kasPrivateApi = tostring(try(local.console_values.extraSecretEnv.KAS_PRIVATE_API_SECRET, ""))
+ kasRedis = tostring(try(local.console_values.extraSecretEnv.KAS_REDIS_SECRET, ""))
+ postgresUrl = tostring(try(local.console_values.extraSecretEnv.POSTGRES_URL, ""))
 }
 depends_on = [kubernetes_namespace.infra, module.mgmt.cluster, module.mgmt.ready]
@@ -59,10 +59,10 @@ resource "kubernetes_secret" "runtime_config" {
 type = "Opaque"
 data = {
- ownerEmail = base64encode("{{ .Config.Email }}")
- pluralToken = base64encode("{{ .Config.Token }}")
- acmeEABKid = base64encode("{{ .Acme.KeyId }}")
- acmeEABSecret = base64encode("{{ .Acme.HmacKey }}")
+ ownerEmail = "{{ .Config.Email }}"
+ pluralToken = "{{ .Config.Token }}"
+ acmeEABKid = "{{ .Acme.KeyId }}"
+ acmeEABSecret = "{{ .Acme.HmacKey }}"
 }
 depends_on = [kubernetes_namespace.infra, module.mgmt.cluster, module.mgmt.ready]
From 9b90bda7544be55617a3e1e2a49fba483ed9454c Mon Sep 17 00:00:00 2001
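Review bot: In the `runtime_config` hunk the four values are now bare HCL string literals filled in by the template, `"{{ .Config.Token }}"`, `"{{ .Acme.HmacKey }}"` and the two others, so a rendered value containing `"`, `\` or `${` would break the file or be interpolated at plan time; the previous `base64encode` wrapper did not guard against that either, but this is the moment the literals become the Secret contents verbatim. If the template engine offers an escaping filter suitable for HCL strings, applying it on these four lines is the cheap guard; otherwise the file header comment should state that the templated values must not contain HCL string specials.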
From: Marcin Maciaszczyk
Date: Tue, 10 Feb 2026 17:03:30 +0100
Subject: [PATCH 34/36] refactor config secrets to use snake_case for local variable keys
---
 templates/setup/config-secrets.tf | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/templates/setup/config-secrets.tf b/templates/setup/config-secrets.tf
index c01a76bb..2b7407ae 100644
--- a/templates/setup/config-secrets.tf
+++ b/templates/setup/config-secrets.tf
@@ -21,8 +21,8 @@ resource "kubernetes_secret" "console_config" {
 type = "Opaque"
 data = {
- consoleDns = tostring(try(local.console_values.ingress.consoleDns, ""))
- kasDns = tostring(try(local.console_values.ingress.kasDns, ""))
+ consoleDns = tostring(try(local.console_values.ingress.console_dns, ""))
+ kasDns = tostring(try(local.console_values.ingress.kas_dns, ""))
 clusterIssuer = "plural"
@@ -30,15 +30,15 @@ resource "kubernetes_secret" "console_config" {
 jwt = tostring(try(local.console_values.secrets.jwt, ""))
 erlang = tostring(try(local.console_values.secrets.erlang, ""))
- aesKey = tostring(try(local.console_values.secrets.aesKey, ""))
+ aesKey = tostring(try(local.console_values.secrets.aes_key, ""))
 key = tostring(try(local.console_values.secrets.key, ""))
 identity = tostring(try(local.console_values.secrets.identity, ""))
- pluralClientId = tostring(try(local.console_values.secrets.pluralClientId, ""))
- pluralClientSecret = tostring(try(local.console_values.secrets.pluralClientSecret, ""))
- adminName = tostring(try(local.console_values.secrets.adminName, ""))
- adminEmail = tostring(try(local.console_values.secrets.adminEmail, ""))
- adminPassword = tostring(try(local.console_values.secrets.adminPassword, ""))
- clusterName = tostring(try(local.console_values.secrets.clusterName, ""))
+ pluralClientId = tostring(try(local.console_values.secrets.plural_client_id, ""))
+ pluralClientSecret = tostring(try(local.console_values.secrets.plural_client_secret, ""))
+ adminName = tostring(try(local.console_values.secrets.admin_name, ""))
+ adminEmail = tostring(try(local.console_values.secrets.admin_email, ""))
+ adminPassword = tostring(try(local.console_values.secrets.admin_password, ""))
+ clusterName = tostring(try(local.console_values.secrets.cluster_name, ""))
 pluralToken = tostring(try(local.console_values.extraSecretEnv.PLURAL_TOKEN, ""))
 kasApi = tostring(try(local.console_values.extraSecretEnv.KAS_API_SECRET, ""))
From 581caceaa10d6c82325ee17c23656ef0126ab9d3 Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Wed, 11 Feb 2026 14:03:16 +0100
Subject: [PATCH 35/36] update console Helm chart version to 0.3.139
---
 templates/setup/console.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/setup/console.tf b/templates/setup/console.tf
index 1c504d7e..49a1a0d1 100644
--- a/templates/setup/console.tf
+++ b/templates/setup/console.tf
@@ -76,7 +76,7 @@ resource "helm_release" "console" {
 namespace = "plrl-console"
 chart = "console"
 repository = "https://pluralsh.github.io/console"
- version = "0.3.125"
+ version = "0.3.139"
 create_namespace = true
 timeout = 600
 wait = true
From 85bd184d1c048e66ef57527113e291154dad77c3 Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Wed, 11 Feb 2026 15:05:19 +0100
Subject: [PATCH 36/36] fix configuration ref
---
 setup/console.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/console.yaml b/setup/console.yaml
index af83bc67..073ed074 100644
--- a/setup/console.yaml
+++ b/setup/console.yaml
@@ -13,7 +13,7 @@ spec:
 name: infra
 namespace: infra
 configurationRef:
- name: runtime-config
+ name: console-config
 namespace: infra
 helm:
 version: "0.x.x"