rosdump to kustomize

rosdump/.gitignore

@@ -1,3 +1,3 @@
 rosdump
 rosdump.pub
-ssh_known_hosts
+known_hosts

rosdump/README.md

@@ -14,55 +14,32 @@ We also considered [ytti/oxidized](https://github.com/ytti/oxidized),
 but it does not export Prometheus metrics either.
 
 
-# Deployment
-
-To apply changes run in this directory:
-
-```
-kubectl apply -n rosdump -f application.yml
-```
-
-To trigger cronjob:
-
-```
+## Manually trigger cronjob
+```sh
 kubectl create job -n rosdump --from=cronjob/rosdump-cronjob rosdump-job-oneshot
 ```
 
-For alerting:
-
-```
-absent(kube_cronjob_status_last_successful_time{cronjob="rosdump-cronjob"})
-```
-
-# Updating SSH public keys
-
-Whenever Mikrotik targets are added/removed or if their SSH keys change,
-use following to apply changes:
-
-```
-(for j in $(kubectl get cm -n rosdump rosdump-config -o json | jq -r '.data.targets');  do ssh-keyscan -t rsa $j; done) > ssh_known_hosts
-kubectl delete -n rosdump configmap rosdump-known-hosts
-kubectl create -n rosdump configmap rosdump-known-hosts --from-file=ssh_known_hosts
-```
+## Updating SSH secrets
+Secrets live and should be applied through secretspace.
 
+### known_hosts
 Make sure strong crypto is enabled on Mikrotik side:
-
 ```
 /ip ssh set strong-crypto=yes allow-none-crypto=no
 ```
 
+For when Mikrotik targets are added/removed and their SSH keys change.
+```
+(for j in $(kubectl get cm -n rosdump rosdump-config -o json | jq -r '.data.targets');  do ssh-keyscan -t rsa $j; done) > known_hosts
+```
 
 # Replacing SSH private key
+The private key is used for both Gitea and Mikrotik targets.
 
-This affects access to both Gitea and Mikrotik targets.
-
-Generate new key and inject it to Kubernetes cluster:
-
+Generate new key:
 ```
-rm -fv rosdump
+rm -fv rosdump rosdump.pub
 ssh-keygen -P '' -b 2048 -m PEM -t rsa -f rosdump -C rosdump
-kubectl delete -n rosdump secret rosdump-secrets
-kubectl create -n rosdump secret generic rosdump-secrets --from-file=ssh_identity=rosdump
 ```
 
-Proceed to replace the public key in Gitea with one from `rosdump.pub`
+Proceed to replace the public key in Gitea with `rosdump.pub`.

rosdump/application.yaml

@@ -86,8 +86,8 @@ spec:
                   - configMap:
                       name: rosdump-known-hosts
                       items:
-                        - key: ssh_known_hosts
-                          path: ssh_known_hosts
+                        - key: known_hosts
+                          path: known_hosts
                   - configMap:
                       name: rosdump-config
 ---

rosdump/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: rosdump
+
+resources:
+- ./application.yaml
+- ./networkpolicy-base.yaml
+- ssh://git@git.k-space.ee/secretspace/kube/rosdump