feat: add fortigate-dhcp-dns-sync

kube/clusters/biohazard/flux/kustomization.yaml

@@ -146,6 +146,7 @@ resources:
   - ../../../deploy/apps/librespeed/
   - ../../../deploy/apps/flatnotes/
   - ../../../deploy/apps/stirling-pdf/
+  - ../../../deploy/apps/fortigate-dhcp-dns-sync/
   - ../../../deploy/vm/_kubevirt/
   #- ../../../deploy/vm/_base/
   - ../../../deploy/vm/ad/

kube/deploy/apps/fortigate-dhcp-dns-sync/app/es.yaml

@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name fortigate-dhcp-dns-sync-secrets
+  namespace: fortigate-dhcp-dns-sync
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: 1p
+  dataFrom:
+    - extract:
+        key: "FortiGate DHCP DNS Sync - ${CLUSTER_NAME}"
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: *name
+    # template:
+    #   type: Opaque
+    #   data:
+    #     age.agekey: '{{ .agekey }}'

kube/deploy/apps/fortigate-dhcp-dns-sync/app/hr.yaml

@@ -0,0 +1,78 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.6.1/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app fortigate-dhcp-dns-sync
+  namespace: *app
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.6.1
+      sourceRef:
+        name: bjw-s
+        kind: HelmRepository
+        namespace: flux-system
+  values:
+    controllers:
+      fortigate-dhcp-dns-sync:
+        type: cronjob
+        cronjob:
+          schedule: "@hourly"
+        pod:
+          labels:
+            egress.home.arpa/router: "allow"
+        containers:
+          main:
+            image: &img
+              repository: gcr.io/distroless/python3-debian12
+              tag: nonroot@sha256:66f3e24fd4906156a7360d2861731d31d3457a02f34fd3c4491f0b710a259988
+            args:
+              - &script /app/fortigate-dhcp-dns-sync.py
+            env: &env
+              TZ: "${CONFIG_TZ}"
+            envFrom: &envFrom
+              - secretRef:
+                  name: fortigate-dhcp-dns-sync-secrets
+            securityContext: &sc
+              readOnlyRootFilesystem: true
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+            resources:
+              requests:
+                cpu: "10m"
+              limits:
+                cpu: "1"
+                memory: "128Mi"
+    persistence:
+      script:
+        type: configMap
+        name: fortigate-dhcp-dns-sync-script
+        globalMounts:
+          - subPath: fortigate-dhcp-dns-sync.py
+            path: *script
+    defaultPodOptions:
+      automountServiceAccountToken: false
+      enableServiceLinks: false
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "1"
+      hostUsers: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: &uid 1000
+        runAsGroup: *uid
+        fsGroup: *uid
+        fsGroupChangePolicy: Always
+        seccompProfile: { type: "RuntimeDefault" }
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: fuckoff.home.arpa/fortigate-dhcp-dns-sync
+                    operator: DoesNotExist

kube/deploy/apps/fortigate-dhcp-dns-sync/app/script/curl.sh

@@ -0,0 +1,2 @@
+curl -vk -H "Authorization: Bearer $FGT_API_KEY" 'https://$FGT_HOST/api/v2/monitor/system/dhcp?ipv6=true&vdom=root'
+curl -vk -H "Authorization: Bearer $FGT_API_KEY" 'https://$FGT_HOST/api/v2/cmdb/system/dns-database/test.internal' -X PUT --json '{"dns-entry":[{"id":1,"status":"enable","ttl":0,"preference":10,"hostname":"edns","ip":"10.2.3.4","type":"A"}]}'