export cluster=kyuubee
export vault=(-address https://vault:8200 -ca-cert setup/root.crt)
brew install 1password/tap/1password-cli fluxcd/tap/flux ansible \
helm istioctl kubernetes-cli kustomize vault
make -C vendor
ansible-playbook deploy.yaml
vault operator init $vault
for n in {1..3}; do
vault operator unseal $vault $(op read op://$cluster/vault/unseal${n})
done
vault login $vault $(op read op://$cluster/vault/token)
vault secrets enable $vault -version=2 kv
vault kv put $vault kv/flux-system \
slack-webhook=$(op read op://$cluster/flux/slack-webhook) \
github-token=$(op read op://$cluster/flux/github-token)
vault kv put $vault kv/flux-system/repo \
identity="$(op read 'op://$cluster/ssh/private key')" \
identity.pub="$(op read 'op://$cluster/ssh/public key')" \
known_hosts="$(ssh-keyscan -t ecdsa github.com)"
for n in {1..3}; do
vault operator unseal $vault $(op read op://$cluster/vault/unseal${n})
done
kubectl create ns external-secrets
kubectl -n external-secrets create secret generic vault-token \
--from-literal=token=$(op read op://$cluster/vault/token)
kubectl apply -k flux/infra/external-secrets/crds
kubectl apply -k flux/clusters/$cluster/infra/external-secrets
istioctl install --skip-confirmation --set profile=minimal
kubectl apply -k flux/infra/flux/crds
kubectl apply -k flux/infra/flux/system
kubectl apply -k flux/clusters/$cluster