commit 968716ec7686149bc96f58d789d6e442d84575b9
Author: Laurent Drogou <laurent.drogou@rca.fr>
Date:   Wed Apr 6 15:33:57 2022 +0200

    :tada: initial commit

diff --git a/add-all-service-helm.sh b/add-all-service-helm.sh
new file mode 100755
index 0000000..07ab46a
--- /dev/null
+++ b/add-all-service-helm.sh
@@ -0,0 +1,9 @@
+kubectl apply -f namespaces-create.yaml
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.0/cert-manager.yaml
+kubectl apply -f service-postgres.yaml
+kubectl apply -f service-mongodb.yaml
+kubectl apply -f service-sourcegraph.yaml
+kubectl apply -f ingress-sourcegraph.yaml
+kubectl apply -f helm-vault-server.yaml
+kubectl apply -f ingress-vault.yaml
+kubectl apply -f helm-graviteeio-server.yaml
diff --git a/add-all-service.sh b/add-all-service.sh
new file mode 100755
index 0000000..8166011
--- /dev/null
+++ b/add-all-service.sh
@@ -0,0 +1,10 @@
+kubectl apply -f namespaces-create.yaml
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.0/cert-manager.yaml
+kubectl apply -f ./bdd/service-postgres.yaml
+kubectl apply -f ./bdd/service-mongodb.yaml
+kubectl apply -f ./rabbitmq/service-rabbitmq.yaml
+#kubectl apply -f ./sourcegrpah/service-sourcegraph.yaml
+#kubectl apply -f ./sourcegraph/ingress-sourcegraph.yaml
+kubectl apply -f ./vault/helm-vault-server.yaml
+kubectl apply -f ./vault/ingress-vault.yaml
+
diff --git a/bdd/service-mongodb.yaml b/bdd/service-mongodb.yaml
new file mode 100644
index 0000000..35cd8e5
--- /dev/null
+++ b/bdd/service-mongodb.yaml
@@ -0,0 +1,92 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: mongo
+provisioner: rancher.io/local-path
+volumeBindingMode: WaitForFirstConsumer
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: mongo-pv-volume
+  namespace: database
+  labels:
+    type: local
+spec:
+  storageClassName: mongo
+  capacity:
+    storage: 50Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/rca/mongodb/data"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    deploy: mongo
+    app.kubernetes.io/component: mongodb
+  name: mongo
+  namespace: database
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 50Gi
+  storageClassName: mongo
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: mongo-statefulset
+  namespace: database
+  labels:
+    app: mongo
+spec:
+  serviceName: "mongo"
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mongo
+  template:
+    metadata:
+      labels:
+        app: mongo
+    spec:
+      containers:
+      - name: mongodb
+        image: mongo:3.4 
+        #env:
+        #  - name: MONGO_INITDB_ROOT_USERNAME
+        #    value: admin
+        #  - name: MONGO_INITDB_ROOT_PASSWORD
+        #    value: password
+        ports:
+        - containerPort: 27017
+          name: mongodb
+        volumeMounts:
+        - mountPath: /data/db
+          name: mongo-pv-data
+      volumes:
+      - name: mongo-pv-data
+        persistentVolumeClaim:
+          claimName: mongo
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mongo-service
+  namespace: database
+  labels:
+    app: mongo
+spec:
+  ports:
+  - port: 27017
+    nodePort: 30010
+    name: mongo
+  type: NodePort
+  selector:
+    app: mongo
+
diff --git a/bdd/service-postgres.yaml b/bdd/service-postgres.yaml
new file mode 100644
index 0000000..2150d02
--- /dev/null
+++ b/bdd/service-postgres.yaml
@@ -0,0 +1,102 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: postgres
+provisioner: rancher.io/local-path
+volumeBindingMode: WaitForFirstConsumer
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: task-pv-volume
+  namespace: database
+  labels:
+    type: local
+spec:
+  storageClassName: postgres
+  capacity:
+    storage: 50Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/rca/postgres/data"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    deploy: postgres
+    app.kubernetes.io/component: postgres
+  name: postgres
+  namespace: database
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 50Gi
+  storageClassName: postgres
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-configuration
+  namespace: database
+  labels:
+    app: postgres
+data:
+  POSTGRES_DB: postgres
+  POSTGRES_USER: rootrca
+  POSTGRES_PASSWORD: rca12345
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres-statefulset
+  namespace: database
+  labels:
+    app: postgres
+spec:
+  serviceName: "postgres"
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      containers:
+      - name: postgres
+        image: postgres:12
+        envFrom:
+        - configMapRef:
+            name: postgres-configuration
+        ports:
+        - containerPort: 5432
+          name: postgresdb
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          name: pv-data
+      volumes:
+      - name: pv-data
+        persistentVolumeClaim:
+          claimName: postgres
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres-service
+  namespace: database
+  labels:
+    app: postgres
+spec:
+  ports:
+  - port: 5432
+    nodePort: 30080
+    name: postgres
+  type: NodePort
+  selector:
+    app: postgres
+
diff --git a/create-k3d-outils.sh b/create-k3d-outils.sh
new file mode 100755
index 0000000..3b1aae3
--- /dev/null
+++ b/create-k3d-outils.sh
@@ -0,0 +1 @@
+k3d cluster create outils --config outils-config-v3.yaml
diff --git a/dev-localhost-cert.yaml b/dev-localhost-cert.yaml
new file mode 100644
index 0000000..e414941
--- /dev/null
+++ b/dev-localhost-cert.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dev-localhost
+  namespace: default
+spec:
+  secretName: dev-localhost-tls
+  issuerRef:
+    name: vault-issuer
+  commonName: dev.localhost
+  dnsNames:
+  - dev.localhost
diff --git a/enabled-kube-authent.sh b/enabled-kube-authent.sh
new file mode 100644
index 0000000..e513f93
--- /dev/null
+++ b/enabled-kube-authent.sh
@@ -0,0 +1,15 @@
+#kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh
+vault auth enable kubernetes
+
+vault write auth/kubernetes/config \
+    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
+    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+    issuer="https://kubernetes.default.svc.cluster.local"
+
+vault write auth/kubernetes/role/issuer \
+    bound_service_account_names=issuer \
+    bound_service_account_namespaces=default \
+    policies=pki \
+    ttl=20m
+
diff --git a/enabled-pki.sh b/enabled-pki.sh
new file mode 100644
index 0000000..dd3d78c
--- /dev/null
+++ b/enabled-pki.sh
@@ -0,0 +1,18 @@
+#kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh
+vault secrets enable pki 
+
+vault secrets tune -max-lease-ttl=8760h pki
+
+vault write pki/root/generate/internal common_name=dev.localhost ttl=8760h
+
+vault write pki/config/urls issuing_certificates="http://vault.default:8200/v1/pki/ca"  crl_distribution_points="http://vault.default:8200/v1/pki/crl"
+
+vault write pki/roles/dev-dot-localhost  allowed_domains=dev.localhost  allow_subdomains=true  max_ttl=72h
+
+vault policy write pki - <<EOF
+path "pki*"                        { capabilities = ["read", "list"] }
+path "pki/roles/dev-dot-localhost"   { capabilities = ["create", "update"] }
+path "pki/sign/dev-dot-localhost"    { capabilities = ["create", "update"] }
+path "pki/issue/dev-dot-localhost"   { capabilities = ["create"] }
+EOF
+
diff --git a/graviteeio/helm-graviteeio-server.yaml b/graviteeio/helm-graviteeio-server.yaml
new file mode 100644
index 0000000..111d033
--- /dev/null
+++ b/graviteeio/helm-graviteeio-server.yaml
@@ -0,0 +1,15 @@
+# see https://rancher.com/docs/k3s/latest/en/helm/
+# see https://github.com/hashicorp/vault-helm
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: graviteeio
+  namespace: graviteeio
+spec:
+  repo: https://helm.gravitee.io
+  chart: am
+  version: 1.0.33
+  targetNamespace: graviteeio
+  valuesContent: |-
+    mongo:
+      uri: mongodb://192.168.50.239:27017/graviteeam?serverSelectionTimeoutMS=5000&connectTimeoutMS=5000&socketTimeoutMS=5000
diff --git a/graviteeio/ingress-graviteeio-gateway.yaml b/graviteeio/ingress-graviteeio-gateway.yaml
new file mode 100644
index 0000000..79f2cf3
--- /dev/null
+++ b/graviteeio/ingress-graviteeio-gateway.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gatewayam
+  namespace: graviteeio
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`dev.graviteeio.am`) && PathPrefix(`/am`)
+      kind: Rule
+      services:
+        - name: gatewayam
+          port: 8092
diff --git a/graviteeio/ingress-graviteeio-management.yaml b/graviteeio/ingress-graviteeio-management.yaml
new file mode 100644
index 0000000..4cebf4e
--- /dev/null
+++ b/graviteeio/ingress-graviteeio-management.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: managementam
+  namespace: graviteeio
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`dev.graviteeio.am`) && PathPrefix(`/am/management`)
+      kind: Rule
+      services:
+        - name: managementam
+          port: 8093
diff --git a/graviteeio/ingress-graviteeio-webui.yaml b/graviteeio/ingress-graviteeio-webui.yaml
new file mode 100644
index 0000000..f2432e7
--- /dev/null
+++ b/graviteeio/ingress-graviteeio-webui.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: webuiam
+  namespace: graviteeio
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`dev.graviteeio.am`) && PathPrefix(`/am/ui`)
+      kind: Rule
+      services:
+        - name: webuiam
+          port: 80
diff --git a/graviteeio/service-gravitee-gateway.yaml b/graviteeio/service-gravitee-gateway.yaml
new file mode 100644
index 0000000..f1cc42f
--- /dev/null
+++ b/graviteeio/service-gravitee-gateway.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gatewayam
+  namespace: graviteeio
+  labels:
+    app: gatewayam
+spec:
+  ports:
+  - name: http
+    port: 8092
+    targetPort: 8092
+  selector:
+    app: gatewayam
+  type: LoadBalancer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gatewayam
+  namespace: graviteeio
+  labels:
+    app: gatewayam
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gatewayam
+  template:
+    metadata:
+      labels:
+        app: gatewayam
+    spec:
+      containers:
+      - name: gatewayam
+        image: graviteeio/am-gateway:2 
+        env:
+          - name: gravitee_management_mongodb_uri
+            value: mongodb://192.168.50.206:27017/graviteeam?serverSelectionTimeoutMS=5000&connectTimeoutMS=5000&socketTimeoutMS=5000
+          - name: gravitee_oauth2_mongodb_uri
+            value: mongodb://192.168.50.206:27017/graviteeam?serverSelectionTimeoutMS=5000&connectTimeoutMS=5000&socketTimeoutMS=5000
+        ports:
+        - name: http
+          containerPort: 8092
diff --git a/graviteeio/service-gravitee-management.yaml b/graviteeio/service-gravitee-management.yaml
new file mode 100644
index 0000000..fe004fd
--- /dev/null
+++ b/graviteeio/service-gravitee-management.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: managementam
+  namespace: graviteeio
+  labels:
+    app: managementam
+spec:
+  ports:
+  - name: http
+    port: 8093
+    targetPort: 8093
+  selector:
+    app: managementam
+  type: LoadBalancer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: managementam
+  namespace: graviteeio
+  labels:
+    app: managementam
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: managementam
+  template:
+    metadata:
+      labels:
+        app: managementam
+    spec:
+      containers:
+      - name: managementam
+        image: graviteeio/am-management-api:2 
+        env:
+          - name: gravitee_management_mongodb_uri
+            value: mongodb://192.168.50.206:27017/graviteeam?serverSelectionTimeoutMS=5000&connectTimeoutMS=5000&socketTimeoutMS=5000
+          - name: gravitee_oauth2_mongodb_uri
+            value: mongodb://192.168.50.206:27017/graviteeam?serverSelectionTimeoutMS=5000&connectTimeoutMS=5000&socketTimeoutMS=5000
+        ports:
+        - name: http
+          containerPort: 8093
diff --git a/graviteeio/service-gravitee-webui.yaml b/graviteeio/service-gravitee-webui.yaml
new file mode 100644
index 0000000..d5d71ea
--- /dev/null
+++ b/graviteeio/service-gravitee-webui.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: webuiam
+  namespace: graviteeio
+  labels:
+    app: webuiam
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: 80
+  selector:
+    app: webuiam
+  type: LoadBalancer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: webuiam
+  namespace: graviteeio
+  labels:
+    app: webuiam
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: webuiam
+  template:
+    metadata:
+      labels:
+        app: webuiam
+    spec:
+      containers:
+      - name: webuiam
+        image: graviteeio/am-management-ui:2 
+        env:
+          - name: MGMT_API_URL 
+            value: http://dev.graviteeio.am/am
+          - name: MGMT_UI_URL
+            value: http://dev.graviteeio.am/am/ui
+        ports:
+        - name: http
+          containerPort: 80
diff --git a/init-issuer.sh b/init-issuer.sh
new file mode 100644
index 0000000..acf82db
--- /dev/null
+++ b/init-issuer.sh
@@ -0,0 +1,26 @@
+kubectl create serviceaccount issuer
+
+kubectl get secrets
+
+ISSUER_SECRET_REF=$(kubectl get serviceaccount issuer -o json | jq -r ".secrets[].name")
+
+cat > vault-issuer.yaml <<EOF
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: vault-issuer
+  namespace: default
+spec:
+  vault:
+    server: http://vault.default
+    path: pki/sign/dev-dot-localhost
+    auth:
+      kubernetes:
+        mountPath: /v1/auth/kubernetes
+        role: issuer
+        secretRef:
+          name: $ISSUER_SECRET_REF
+          key: token
+EOF
+
+kubectl apply --filename vault-issuer.yaml
diff --git a/init-keys.json b/init-keys.json
new file mode 100644
index 0000000..e69de29
diff --git a/k3d-default.yaml b/k3d-default.yaml
new file mode 100644
index 0000000..15de4f7
--- /dev/null
+++ b/k3d-default.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: k3d.io/v1alpha3
+kind: Simple
+name: k3s-default
+servers: 1
+agents: 0
+image: docker.io/rancher/k3s:v1.21.5-k3s2
diff --git a/namespaces-create.yaml b/namespaces-create.yaml
new file mode 100644
index 0000000..7b494b1
--- /dev/null
+++ b/namespaces-create.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: outils
+  labels:
+    name: outils
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: database
+  labels:
+    name: database
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik
+  labels:
+    name: traefik
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault
+  labels:
+    name: vault
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: graviteeio
+  labels:
+    name: graviteeio
diff --git a/outils-config-v3.yaml b/outils-config-v3.yaml
new file mode 100644
index 0000000..94f211d
--- /dev/null
+++ b/outils-config-v3.yaml
@@ -0,0 +1,60 @@
+kind: Simple
+apiVersion: k3d.io/v1alpha3
+name: outils
+servers: 1
+agents: 2
+kubeAPI:
+  host: kubernetes.api.server
+  hostIP: 127.0.0.1
+  hostPort: "6443"
+volumes:
+        #- volume: /home/ladro/ldrogou/projets/cluster/outils/helm-vault-server.yaml:/var/lib/rancher/k3s/server/manifests/helm-vault-server.yaml
+        #  nodeFilters:
+        #  - server:0
+- volume: /rca/mongodb/data:/rca/mongodb/data
+  nodeFilters:
+  - server:0
+  - agent:*
+- volume: /rca/postgres/data:/rca/postgres/data
+  nodeFilters:
+  - server:0
+  - agent:*
+- volume: /rca/sourcegraph/config:/rca/sourcegraph/config
+  nodeFilters:
+  - server:0
+  - agent:*
+- volume: /rca/sourcegraph/data:/rca/sourcegraph/data
+  nodeFilters:
+  - server:0
+  - agent:*
+ports:
+- port: 81:80
+  nodeFilters:
+  - loadbalancer
+- port: 444:443
+  nodeFilters:
+  - loadbalancer
+- port: 5433:30080
+  nodeFilters:
+  - server:0
+- port: 27017:30010
+  nodeFilters:
+  - server:0
+- port: 5672:30082
+  nodeFilters:
+  - server:0
+- port: 15672:30083
+  nodeFilters:
+  - server:0
+options:
+  k3d:
+    wait: true
+    timeout: 1m0s
+    disableLoadbalancer: false
+    disableImageVolume: false
+    disableRollback: false
+  k3s: {}
+  kubeconfig:
+    updateDefaultKubeconfig: true
+    switchCurrentContext: true
+  runtime: {}
diff --git a/rabbitmq/service-rabbitmq.yaml b/rabbitmq/service-rabbitmq.yaml
new file mode 100644
index 0000000..cfe4e07
--- /dev/null
+++ b/rabbitmq/service-rabbitmq.yaml
@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: rabbitmq-statefulset
+  namespace: database
+  labels:
+    app: rabbitmq
+spec:
+  serviceName: "rabbitmq"
+  replicas: 1
+  selector:
+    matchLabels:
+      app: rabbitmq
+  template:
+    metadata:
+      labels:
+        app: rabbitmq
+    spec:
+      containers:
+      - name: rabbitmq
+        image: rabbitmq:3-management-alpine
+        envFrom:
+        - configMapRef:
+            name: rabbitmq-configuration
+        ports:
+        - containerPort: 5672
+          name: rabbitmqdb
+        - containerPort: 15672
+          name: rabbitmqman
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rabbitmq-service
+  namespace: database
+  labels:
+    app: rabbitmq
+spec:
+  ports:
+  - port: 5432
+    nodePort: 30082
+    name: rabbitmq
+  - port: 15672  
+    nodePort: 30083
+    name: rabbitmqman
+  type: NodePort
+  selector:
+    app: rabbitmq
+
diff --git a/sourcegraph/ingress-sourcegraph.yaml b/sourcegraph/ingress-sourcegraph.yaml
new file mode 100644
index 0000000..c0a5455
--- /dev/null
+++ b/sourcegraph/ingress-sourcegraph.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: sourcegraph
+  namespace: outils
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`sourcegraph.dev.localhost`)
+      kind: Rule
+      services:
+        - name: sourcegraph
+          port: 7080
diff --git a/sourcegraph/service-sourcegraph.yaml b/sourcegraph/service-sourcegraph.yaml
new file mode 100644
index 0000000..2d51e91
--- /dev/null
+++ b/sourcegraph/service-sourcegraph.yaml
@@ -0,0 +1,137 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: k3d-sourcegraph-data
+provisioner: rancher.io/local-path
+volumeBindingMode: WaitForFirstConsumer
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: sourcegraph-pv-data
+  namespace: outils
+  labels:
+    type: local
+spec:
+  storageClassName: k3d-sourcegraph-data
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/rca/sourcegraph/data"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    deploy: sourcegraph-pvc-data
+    sourcegraph-resource-requires: no-cluster-admin
+    app.kubernetes.io/component: sourcegraph
+  name: sourcegraph-data
+  namespace: outils
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: k3d-sourcegraph-data
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: k3d-sourcegraph-config
+provisioner: rancher.io/local-path
+volumeBindingMode: WaitForFirstConsumer
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: sourcegraph-pv-config
+  namespace: outils
+  labels:
+    type: local
+spec:
+  storageClassName: k3d-sourcegraph-config
+  capacity:
+    storage: 2Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/rca/sourcegraph/config"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    deploy: sourcegraph-pvc-config
+    sourcegraph-resource-requires: no-cluster-admin
+    app.kubernetes.io/component: sourcegraph
+  name: sourcegraph-config
+  namespace: outils
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: k3d-sourcegraph-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sourcegraph
+  namespace: outils
+  labels:
+    app: sourcegraph
+spec:
+  ports:
+  - name: http
+    port: 7080
+    targetPort: 7080
+  selector:
+    app: sourcegraph
+  type: LoadBalancer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sourcegraph
+  namespace: outils
+  labels:
+    app: sourcegraph
+spec:
+  replicas: 0
+  selector:
+    matchLabels:
+      app: sourcegraph
+  template:
+    metadata:
+      labels:
+        app: sourcegraph
+    spec:
+      containers:
+      - name: sourcegraph
+        image: sourcegraph/server:3.36.1
+        ports:
+        - name: http
+          containerPort: 7080
+        - name: https
+          containerPort: 7443
+        volumeMounts:
+          - mountPath: "/var/opt/sourcegraph"
+            name: sourcegraph-data
+          - mountPath: "/etc/sourcegraph"
+            name: sourcegraph-config
+      hostAliases:
+       - ip: 10.0.10.180
+         hostnames:
+         - git.int.rcacloud.it
+      volumes:
+      - name: sourcegraph-data
+        persistentVolumeClaim:
+          claimName: sourcegraph-data
+      - name: sourcegraph-config
+        persistentVolumeClaim:
+          claimName: sourcegraph-config
diff --git a/vault/helm-vault-server.yaml b/vault/helm-vault-server.yaml
new file mode 100644
index 0000000..db0d75e
--- /dev/null
+++ b/vault/helm-vault-server.yaml
@@ -0,0 +1,15 @@
+# see https://rancher.com/docs/k3s/latest/en/helm/
+# see https://github.com/hashicorp/vault-helm
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: vault
+  namespace: default
+spec:
+  repo: https://helm.releases.hashicorp.com
+  chart: vault
+  version: 0.17.1
+  targetNamespace: default
+  valuesContent: |-
+    injector:
+      enabled: false
diff --git a/vault/ingress-vault.yaml b/vault/ingress-vault.yaml
new file mode 100644
index 0000000..ad5c4db
--- /dev/null
+++ b/vault/ingress-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: vault-internal
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`vault.dev.localhost`)
+      kind: Rule
+      services:
+        - name: vault-internal
+          port: 8200
diff --git a/vault/init-vault.sh b/vault/init-vault.sh
new file mode 100755
index 0000000..993a3f0
--- /dev/null
+++ b/vault/init-vault.sh
@@ -0,0 +1,2 @@
+kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > init-keys.json
+./unseal-vault.sh
diff --git a/vault/issuer-vault.yaml b/vault/issuer-vault.yaml
new file mode 100644
index 0000000..3e6bdf0
--- /dev/null
+++ b/vault/issuer-vault.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: vault-issuer
+  namespace: default
+spec:
+  vault:
+    server: http://vault.default:8200
+    path: pki/sign/dev-dot-localhost
+    auth:
+      kubernetes:
+        mountPath: /v1/auth/kubernetes
+        role: issuer
+        secretRef:
+          name: issuer-token-sh68l
+          key: token
diff --git a/vault/unseal-vault.sh b/vault/unseal-vault.sh
new file mode 100755
index 0000000..17b0959
--- /dev/null
+++ b/vault/unseal-vault.sh
@@ -0,0 +1,8 @@
+cat init-keys.json | jq -r ".unseal_keys_b64[]"
+VAULT_UNSEAL_KEY=$(cat init-keys.json | jq -r ".unseal_keys_b64[]")
+kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
+kubectl get pods
+cat init-keys.json | jq -r ".root_token"
+VAULT_ROOT_TOKEN=$(cat init-keys.json | jq -r ".root_token")
+kubectl exec vault-0 -- vault login $VAULT_ROOT_TOKEN
+
diff --git a/vault/vault-issuer.yaml b/vault/vault-issuer.yaml
new file mode 100644
index 0000000..00e095e
--- /dev/null
+++ b/vault/vault-issuer.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1 
+kind: Issuer
+metadata:
+  name: vault-issuer
+  namespace: default
+spec:
+  vault:
+    server: http://vault.default:8200
+    path: pki/role/dev-dot-localhost
+    auth:
+      kubernetes:
+        mountPath: /v1/auth/kubernetes
+        role: issuer
+        secretRef:
+          name: issuer-token-xhgk8
+          key: token