From 28f05a73a6c16a53f5a6ce7561349117c3c9ce60 Mon Sep 17 00:00:00 2001
From: Dan Manners
Date: Sat, 2 Dec 2023 15:46:14 -0500
Subject: [PATCH] Additional fixes
---
 iac/cloud/pulumi/modules/bastion.ts | 29 +++++++++-----
 iac/cloud/talos/talconfig.yaml | 2 +
 iac/cloud/talos_bootstrapping/Dockerfile | 4 +-
 .../talos_bootstrapping/bootstrapping.sh | 38 ++++++++++---------
 4 files changed, 44 insertions(+), 29 deletions(-)
diff --git a/iac/cloud/pulumi/modules/bastion.ts b/iac/cloud/pulumi/modules/bastion.ts
index ddd1068e..5ab7d7a8 100644
--- a/iac/cloud/pulumi/modules/bastion.ts
+++ b/iac/cloud/pulumi/modules/bastion.ts
@@ -80,26 +80,35 @@ export function createBastion(
 {
 Sid: "VisualEditor0",
 Effect: "Allow",
+ Action: "ecr:GetAuthorizationToken",
+ Resource: "*",
+ },
+ {
+ Sid: "VisualEditor1",
+ Effect: "Allow",
 Action: [
- "kms:Encrypt",
- "kms:Decrypt",
- "kms:ReEncrypt*",
- "kms:GenerateDataKey*",
- "kms:DescribeKey",
 "ecr:ListImages",
 "ecr:BatchGetImage",
 "ecr:GetDownloadUrlForLayer",
 ],
 Resource: [
- "arn:aws:kms:us-east-1:977656673179:key/7e829b85-6fed-4598-b675-8ebeea105c4c",
 "arn:aws:ecr:us-east-1:977656673179:repository/homelab-provisioning",
 ],
 },
 {
- Sid: "VisualEditor1",
+ Sid: "VisualEditor2",
 Effect: "Allow",
- Action: "ecr:GetAuthorizationToken",
- Resource: "*",
+ Action: [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:DescribeKey",
+ ],
+ Resource: [
+ "arn:aws:kms:us-east-1:977656673179:key/7e829b85-6fed-4598-b675-8ebeea105c4c",
+ ],
 },
 ],
 }),
@@ -166,7 +175,7 @@ export function createBastion( // Instance Metadata metadataOptions: { httpPutResponseHopLimit: 4, - httpEndpoint: "enabled", + httpEndpoint: "enabled", }, // Tags
diff --git a/iac/cloud/talos/talconfig.yaml b/iac/cloud/talos/talconfig.yaml
index 5f721553..e0ffcb9d 100644
--- a/iac/cloud/talos/talconfig.yaml
+++ b/iac/cloud/talos/talconfig.yaml
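Review bot: The KMS statement (now `VisualEditor2`) still grants the bastion role `kms:Encrypt`, `kms:ReEncrypt*`, `kms:GenerateDataKey` and `kms:GenerateDataKeyWithoutPlaintext`, while the only consumer this patch shows, `sops -d` in bootstrapping.sh, needs `kms:Decrypt` (and at most `kms:DescribeKey`); unless the bastion also re-encrypts the sops files, the Action list can shrink to those two, which is the least-privilege shape for a host whose job is to read secrets and also removes the remaining `*` wildcard from the key statement. Moving `ecr:GetAuthorizationToken` into its own `Resource: "*"` statement is correct, since that action has no resource-level scope. The `Sid`s are console leftovers (`VisualEditor0/1/2`); names such as `EcrAuthToken`, `EcrPullProvisioning` and `SopsKmsDecrypt` would make the policy readable in CloudTrail and in the console. The account id and key id are literals in the ARNs — fine for a single-account homelab, but a short comment saying they are intentionally pinned (or deriving the account via `aws.getCallerIdentity()`) would stop a later reader from treating this module as reusable. `createBastion` starts before and ends after the hunk.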
@@ -66,6 +66,7 @@ nodes: gateway: 10.4.0.1 controlPlane: + schematic: {} patches: - |- cluster: @@ -109,6 +110,7 @@ controlPlane: - 169.254.169.123 worker: + schematic: {} patches: - |- cluster: diff --git a/iac/cloud/talos_bootstrapping/Dockerfile b/iac/cloud/talos_bootstrapping/Dockerfile index a3332ccf..1bb00170 100644 --- a/iac/cloud/talos_bootstrapping/Dockerfile +++ b/iac/cloud/talos_bootstrapping/Dockerfile @@ -3,7 +3,7 @@ # Set Args ARG ALPINE_VERSION=3.18 ARG TALOS_VERSION=v1.5.5 -ARG TALHELPER_VERSION=v1.15.0 +ARG TALHELPER_VERSION=v1.16.1 ARG SOPS_VERSION=v3.8.1 ARG KUBECTL_VERSION=v1.28.4 ARG KUSTOMIZE_VERSION=v5.2.1 @@ -28,7 +28,7 @@ RUN apk add --no-cache wget tar upx && \ wget -qO /opt/init/talosctl https://github.com/siderolabs/talos/releases/download/${TALOS_VERSION}/talosctl-linux-${ARCH} && \ chmod +x /opt/init/talosctl && \ # Download the talhelper binary and make it executable - echo "Installing talhelper version ${TALOS_VERSION}" && \ + echo "Installing talhelper version ${TALHELPER_VERSION}" && \ wget -qO- https://github.com/budimanjojo/talhelper/releases/download/${TALHELPER_VERSION}/talhelper_linux_${ARCH}.tar.gz | \ tar -xz -C /opt/init talhelper && \ # Download the sops binary and make it executable diff --git a/iac/cloud/talos_bootstrapping/bootstrapping.sh b/iac/cloud/talos_bootstrapping/bootstrapping.sh index b8d3fb36..939dbb45 100755 --- a/iac/cloud/talos_bootstrapping/bootstrapping.sh +++ b/iac/cloud/talos_bootstrapping/bootstrapping.sh 
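Review bot: `schematic: {}` is added to both the controlPlane and worker groups without a word on what an empty schematic is meant to produce, so a reader cannot tell a deliberate "stock installer, no system extensions" choice from a placeholder left for later. A comment on each, such as `# empty schematic: stock Image Factory installer, no system extensions — add them here when needed`, would settle it, with the caveat that this is what I understand talhelper to do with an empty schematic and it should be checked against the talhelper release the Dockerfile now pins. Both hunks are cut mid-document, so I cannot see whether individual `nodes:` entries carry their own schematic that would override these.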
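Review bot: The bumped `TALHELPER_VERSION` is still installed by `wget -qO- … | tar -xz` straight from the GitHub release with no integrity check (the `talosctl` download two lines up is the same), so whatever the asset serves at build time ends up in the image. Pinning a digest alongside the version, e.g. `ARG TALHELPER_SHA256=<expected-sha256-placeholder>`, saving the tarball and running `echo "${TALHELPER_SHA256}  talhelper.tar.gz" | sha256sum -c -` before extracting, makes the build reproducible and turns a replaced or tampered asset into a build failure. The `echo` correction is right — the old line reported `TALOS_VERSION`. The `RUN` chain starts before the hunk and continues after it, so the remaining downloads should get the same treatment.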
@@ -1,30 +1,34 @@ -# Fetch the AWS Credentials Token -export TOKEN=$(curl -XPUT \ - "http://169.254.169.254/latest/api/token" \ - -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") +# # Set the URL we'll hit twice +# export url="http://169.254.169.254/latest/meta-data/iam/security-credentials" -# Use the token to fetch the AWS Credentials -curl -vH "X-aws-ec2-metadata-token: $TOKEN" \ - http://169.254.169.254/latest/meta-data/iam/security-credentials/sops-decrypt >/tmp/creds.json +# # Generate the Token +# export TOKEN=$(curl -sXPUT \ +# "http://169.254.169.254/latest/api/token" \ +# -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") -# Configure our AWS Credentials -mkdir -p ~/.aws/ -cat <~/.aws/config -[default] -aws_access_key_id=$(cat /tmp/creds.json | jq -r '.AccessKeyId') -aws_secret_access_key=$(cat /tmp/creds.json | jq -r '.SecretAccessKey') -region=us-east-1 -EOF +# # Generate our AWS Credentials +# curl -sH "X-aws-ec2-metadata-token: $TOKEN" ${url}/$(curl -s ${url}) >/tmp/creds.json + +# # Configure our AWS Credentials +# mkdir -p ~/.aws/ +# cat <~/.aws/credentials +# [default] +# aws_access_key_id=$(cat /tmp/creds.json | jq -r '.AccessKeyId') +# aws_secret_access_key=$(cat /tmp/creds.json | jq -r '.SecretAccessKey') +# region=us-east-1 +# EOF # Clone the homelab repo git clone \ --depth 1 \ + --branch feature/restructure \ https://github.com/danmanners/homelab-kube-cluster.git \ /tmp/homelab-kube-cluster # Change to the repo directory and Build the Talos Configs -cd /tmp/homelab-kube-cluster/cloud/talos && - talhelper genconfig +cd /tmp/homelab-kube-cluster/iac/cloud/talos +sops -d -i talsecret.sops.yaml +talhelper genconfig # Check if the cluster has already been deployed if $(talosctl --talosconfig clusterconfig/talosconfig kubeconfig /tmp/kubeconfig); then
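Review bot: The new top of the script still has neither a shebang nor `set -e`, so a failed `git clone`, `cd` or the added `sops -d -i talsecret.sops.yaml` does not stop it — `talhelper genconfig` and the `talosctl` check run against a missing or half-cloned tree (the file is mode 100755 but begins with a comment). The in-place decrypt also leaves the plaintext talsecret on disk inside the clone for the rest of the container's life; a `trap` that removes `/tmp/homelab-kube-cluster` on exit bounds that, provided nothing outside this script reads the clone afterwards (the script continues past the hunk, so check the rest tolerates `set -e` too). The IMDS credential block that was moved into comments is now dead code and should be deleted rather than kept — history has it — and if dropping it means sops now obtains credentials from the instance profile itself, a one-line comment saying so would save the next reader the guess. The unchanged `if $(talosctl … kubeconfig /tmp/kubeconfig); then` works only as long as talosctl prints nothing to stdout, since anything it did print would be executed as a command; the conventional `if talosctl --talosconfig clusterconfig/talosconfig kubeconfig /tmp/kubeconfig; then` tests the exit status directly. Pinning `--branch feature/restructure` ties the bootstrap to a moving feature branch — presumably temporary, but worth a TODO next to it.
```shell
#!/bin/sh
set -e
# Remove the clone (it now holds the in-place decrypted talsecret) however the script exits
trap 'rm -rf /tmp/homelab-kube-cluster' EXIT

# … unchanged: git clone … (the commented-out IMDS credential block above it is deleted)

# Change to the repo directory and Build the Talos Configs
cd /tmp/homelab-kube-cluster/iac/cloud/talos
sops -d -i talsecret.sops.yaml
talhelper genconfig

# Check if the cluster has already been deployed
if talosctl --talosconfig clusterconfig/talosconfig kubeconfig /tmp/kubeconfig; then
```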