From 134ce4ae01678ddc7b6c6c4f7f6d06c769472d21 Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Wed, 22 Apr 2026 19:14:38 -0500 Subject: [PATCH] feat: add more --- .../ollama/templates/external-secret.yaml | 18 +-- clusters/cl01tl/helm/ollama/values.yaml | 6 +- .../helm/openbao/templates/namespace.yaml | 4 +- .../outline/templates/external-secret.yaml | 16 +-- clusters/cl01tl/helm/outline/values.yaml | 8 +- .../templates/external-secret.yaml | 41 ++++--- .../cl01tl/helm/paperless-ngx/values.yaml | 8 +- .../cl01tl/helm/plex/templates/_helpers.tpl | 7 ++ .../templates/persistent-volume-claim.yaml | 6 +- .../plex/templates/persistent-volume.yaml | 4 +- clusters/cl01tl/helm/postiz/Chart.yaml | 2 +- .../postiz/templates/external-secret.yaml | 81 +++++-------- clusters/cl01tl/helm/postiz/values.yaml | 6 +- .../prowlarr/templates/external-secret.yaml | 2 +- clusters/cl01tl/helm/qbittorrent/Chart.yaml | 2 +- .../helm/qbittorrent/templates/_helpers.tpl | 7 ++ .../templates/external-secret.yaml | 111 ++++++++++++------ .../helm/qbittorrent/templates/namespace.yaml | 4 +- .../templates/persistent-volume-claim.yaml | 6 +- .../templates/persistent-volume.yaml | 4 +- .../templates/secret-provider-class.yaml | 18 +++ clusters/cl01tl/helm/qbittorrent/values.yaml | 92 ++++++++------- 22 files changed, 252 insertions(+), 201 deletions(-) create mode 100644 clusters/cl01tl/helm/qbittorrent/templates/secret-provider-class.yaml diff --git a/clusters/cl01tl/helm/ollama/templates/external-secret.yaml b/clusters/cl01tl/helm/ollama/templates/external-secret.yaml index be7ebdedf..0eb94a511 100644 --- a/clusters/cl01tl/helm/ollama/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/ollama/templates/external-secret.yaml 
@@ -2,40 +2,40 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: ollama-key-secret + name: open-webui-key namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: ollama-key-secret + app.kubernetes.io/name: open-webui-key {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: key remoteRef: - key: /cl01tl/ollama/key + key: /cl01tl/ollama/open-webui/key property: key --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: ollama-oidc-secret + name: open-webui-oidc-authentik namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: ollama-oidc-secret + app.kubernetes.io/name: open-webui-oidc-authentik {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: client remoteRef: - key: /authentik/oidc/ollama + key: /cl01tl/authentik/oidc/open-webui property: client - secretKey: secret remoteRef: - key: /authentik/oidc/ollama + key: /cl01tl/authentik/oidc/open-webui property: secret diff --git a/clusters/cl01tl/helm/ollama/values.yaml b/clusters/cl01tl/helm/ollama/values.yaml index 3045d7d24..65d1c0c6d 100644 --- a/clusters/cl01tl/helm/ollama/values.yaml +++ b/clusters/cl01tl/helm/ollama/values.yaml @@ -127,7 +127,7 @@ ollama: - name: WEBUI_SECRET_KEY valueFrom: secretKeyRef: - name: ollama-key-secret + name: ollama-key key: key - name: DATABASE_URL valueFrom: @@ -143,12 +143,12 @@ ollama: - name: OAUTH_CLIENT_SECRET valueFrom: secretKeyRef: - name: ollama-oidc-secret + name: open-webui-oidc-authentik key: secret - name: OAUTH_CLIENT_ID valueFrom: secretKeyRef: - name: ollama-oidc-secret + name: open-webui-oidc-authentik key: client - name: OAUTH_PROVIDER_NAME value: Authentik diff --git a/clusters/cl01tl/helm/openbao/templates/namespace.yaml b/clusters/cl01tl/helm/openbao/templates/namespace.yaml index 748ee3072..bbbe36926 100644 
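Review bot: The `WEBUI_SECRET_KEY` reference in the `@@ -127,7 +127,7 @@` hunk of ollama/values.yaml is renamed to `ollama-key`, but the ExternalSecret in ollama/templates/external-secret.yaml is renamed to `open-webui-key` in the same commit, so this `secretKeyRef` points at a Secret nothing produces and the container will be refused at creation (CreateContainerConfigError) unless the ref is marked optional. The two OIDC references in the `@@ -143,12 +143,12 @@` hunk were updated to `open-webui-oidc-authentik` consistently, which suggests this one was simply missed. Change the line to `name: open-webui-key`, or rename the ExternalSecret back to `ollama-key`, but keep the two in step.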
--- a/clusters/cl01tl/helm/openbao/templates/namespace.yaml +++ b/clusters/cl01tl/helm/openbao/templates/namespace.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Namespace metadata: - name: openbao + name: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: openbao + app.kubernetes.io/name: {{ .Release.Namespace }} {{- include "custom.labels" . | nindent 4 }} pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged diff --git a/clusters/cl01tl/helm/outline/templates/external-secret.yaml b/clusters/cl01tl/helm/outline/templates/external-secret.yaml index ea13a006d..95de87fab 100644 --- a/clusters/cl01tl/helm/outline/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/outline/templates/external-secret.yaml @@ -1,15 +1,15 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: outline-key-secret + name: outline-key namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: outline-key-secret + app.kubernetes.io/name: outline-key {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: secret-key remoteRef: @@ -24,21 +24,21 @@ spec: apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: outline-oidc-secret + name: outline-oidc-authentik namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: outline-oidc-secret + app.kubernetes.io/name: outline-oidc-authentik {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: client remoteRef: - key: /authentik/oidc/outline + key: /cl01tl/authentik/oidc/outline property: client - secretKey: secret remoteRef: - key: /authentik/oidc/outline + key: /cl01tl/authentik/oidc/outline property: secret diff --git a/clusters/cl01tl/helm/outline/values.yaml b/clusters/cl01tl/helm/outline/values.yaml index fa38b9e89..7b1b08eb9 100644 
--- a/clusters/cl01tl/helm/outline/values.yaml +++ b/clusters/cl01tl/helm/outline/values.yaml @@ -22,12 +22,12 @@ outline: - name: SECRET_KEY valueFrom: secretKeyRef: - name: outline-key-secret + name: outline-key key: secret-key - name: UTILS_SECRET valueFrom: secretKeyRef: - name: outline-key-secret + name: outline-key key: utils-key - name: POSTGRES_USERNAME valueFrom: @@ -89,12 +89,12 @@ outline: - name: OIDC_CLIENT_ID valueFrom: secretKeyRef: - name: outline-oidc-secret + name: outline-oidc-authentik key: client - name: OIDC_CLIENT_SECRET valueFrom: secretKeyRef: - name: outline-oidc-secret + name: outline-oidc-authentik key: secret - name: OIDC_AUTH_URI value: https://auth.alexlebens.dev/application/o/authorize/ diff --git a/clusters/cl01tl/helm/paperless-ngx/templates/external-secret.yaml b/clusters/cl01tl/helm/paperless-ngx/templates/external-secret.yaml index f7c3b9c20..ce61d84f8 100644 --- a/clusters/cl01tl/helm/paperless-ngx/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/paperless-ngx/templates/external-secret.yaml 
@@ -1,51 +1,58 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: paperless-ngx-secret + name: paperless-ngx-key namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: paperless-ngx-secret + app.kubernetes.io/name: paperless-ngx-key {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: secret-key remoteRef: - key: /cl01tl/paperless-ngx/secret + key: /cl01tl/paperless-ngx/key property: secret-key + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: paperless-ngx-config + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: paperless-ngx-config + {{- include "custom.labels" . | nindent 4 }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: - secretKey: admin-user remoteRef: - key: /cl01tl/paperless-ngx/secret + key: /cl01tl/paperless-ngx/config property: admin-user - secretKey: admin-password remoteRef: - key: /cl01tl/paperless-ngx/secret + key: /cl01tl/paperless-ngx/config property: admin-password --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: paperless-ngx-oidc-secret + name: paperless-ngx-oidc-authentik namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: paperless-ngx-oidc-secret + app.kubernetes.io/name: paperless-ngx-oidc-authentik {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - - secretKey: OIDC_CLIENT_ID - remoteRef: - key: /authentik/oidc/paperless-ngx - property: client - - secretKey: OIDC_CLIENT_SECRET - remoteRef: - key: /authentik/oidc/paperless-ngx - property: secret - secretKey: PAPERLESS_SOCIALACCOUNT_PROVIDERS remoteRef: key: /authentik/oidc/paperless-ngx diff --git a/clusters/cl01tl/helm/paperless-ngx/values.yaml b/clusters/cl01tl/helm/paperless-ngx/values.yaml index e0d11337b..46d90c56d 100644 
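Review bot: The `PAPERLESS_SOCIALACCOUNT_PROVIDERS` entry at the end of the hunk still reads from `/authentik/oidc/paperless-ngx`, although its ExternalSecret now targets the `openbao` store and every other Authentik reference in this commit (ollama, outline, postiz, qui) was moved to `/cl01tl/authentik/oidc/<app>`. If the new store does not also carry the old path, this ExternalSecret will fail to sync and the paperless OIDC provider configuration will silently stop being updated. If the data was migrated with the others, the one-line fix is `key: /cl01tl/authentik/oidc/paperless-ngx`; the entry's `property` line lies past the end of the hunk.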
--- a/clusters/cl01tl/helm/paperless-ngx/values.yaml +++ b/clusters/cl01tl/helm/paperless-ngx/values.yaml @@ -44,7 +44,7 @@ paperless-ngx: - name: PAPERLESS_SECRET_KEY valueFrom: secretKeyRef: - name: paperless-ngx-secret + name: paperless-ngx-key key: secret-key - name: PAPERLESS_URL value: https://paperless-ngx.alexlebens.net @@ -53,12 +53,12 @@ paperless-ngx: - name: PAPERLESS_ADMIN_USER valueFrom: secretKeyRef: - name: paperless-ngx-secret + name: paperless-ngx-config key: admin-user - name: PAPERLESS_ADMIN_PASSWORD valueFrom: secretKeyRef: - name: paperless-ngx-secret + name: paperless-ngx-config key: admin-password - name: PAPERLESS_ACCOUNT_ALLOW_SIGNUPS value: true @@ -73,7 +73,7 @@ paperless-ngx: - name: PAPERLESS_SOCIALACCOUNT_PROVIDERS valueFrom: secretKeyRef: - name: paperless-ngx-oidc-secret + name: paperless-ngx-oidc-authentik key: PAPERLESS_SOCIALACCOUNT_PROVIDERS - name: PAPERLESS_SOCIALACCOUNT_DEFAULT_PERMISSIONS value: '["view_uisettings", "view_savedview", "add_uisettings", "change_uisettings", "delete_uisettings"]' diff --git a/clusters/cl01tl/helm/plex/templates/_helpers.tpl b/clusters/cl01tl/helm/plex/templates/_helpers.tpl index 10688fcef..a9372f5d1 100644 --- a/clusters/cl01tl/helm/plex/templates/_helpers.tpl +++ b/clusters/cl01tl/helm/plex/templates/_helpers.tpl @@ -12,3 +12,10 @@ Selector labels app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} {{- end }} + +{{/* +NFS names +*/}} +{{- define "custom.storageNfsName" -}} +plex-nfs-storage +{{- end -}} diff --git a/clusters/cl01tl/helm/plex/templates/persistent-volume-claim.yaml b/clusters/cl01tl/helm/plex/templates/persistent-volume-claim.yaml index b64bcbe01..7652a28b7 100644 --- a/clusters/cl01tl/helm/plex/templates/persistent-volume-claim.yaml +++ b/clusters/cl01tl/helm/plex/templates/persistent-volume-claim.yaml 
@@ -1,13 +1,13 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: plex-nfs-storage + name: {{ include "custom.storageNfsName" . }} namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: plex-nfs-storage + app.kubernetes.io/name: {{ include "custom.storageNfsName" . }} {{- include "custom.labels" . | nindent 4 }} spec: - volumeName: plex-nfs-storage + volumeName: {{ include "custom.storageNfsName" . }} storageClassName: nfs-client accessModes: - ReadWriteMany diff --git a/clusters/cl01tl/helm/plex/templates/persistent-volume.yaml b/clusters/cl01tl/helm/plex/templates/persistent-volume.yaml index 7597395f6..7ce8d62aa 100644 --- a/clusters/cl01tl/helm/plex/templates/persistent-volume.yaml +++ b/clusters/cl01tl/helm/plex/templates/persistent-volume.yaml @@ -1,10 +1,10 @@ apiVersion: v1 kind: PersistentVolume metadata: - name: plex-nfs-storage + name: {{ include "custom.storageNfsName" . }} namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: plex-nfs-storage + app.kubernetes.io/name: {{ include "custom.storageNfsName" . }} {{- include "custom.labels" . | nindent 4 }} spec: persistentVolumeReclaimPolicy: Retain diff --git a/clusters/cl01tl/helm/postiz/Chart.yaml b/clusters/cl01tl/helm/postiz/Chart.yaml index 32dee7fc0..6deda5c56 100644 --- a/clusters/cl01tl/helm/postiz/Chart.yaml +++ b/clusters/cl01tl/helm/postiz/Chart.yaml @@ -5,7 +5,7 @@ description: Postiz keywords: - postiz - social-media -home: https://docs.alexlebens.dev/applications/plex/ +home: https://docs.alexlebens.dev/applications/postiz/ sources: - https://github.com/gitroomhq/postiz-app - https://github.com/getsentry/spotlight diff --git a/clusters/cl01tl/helm/postiz/templates/external-secret.yaml b/clusters/cl01tl/helm/postiz/templates/external-secret.yaml index 496d45f4c..48ebb134f 100644 --- a/clusters/cl01tl/helm/postiz/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/postiz/templates/external-secret.yaml 
@@ -1,71 +1,21 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: postiz-config-secret + name: postiz-config namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: postiz-config-secret + app.kubernetes.io/name: postiz-config {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: JWT_SECRET remoteRef: key: /cl01tl/postiz/config property: JWT_SECRET ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: postiz-oidc-secret - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: postiz-oidc-secret - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: client - remoteRef: - key: /authentik/oidc/postiz - property: client - - secretKey: secret - remoteRef: - key: /authentik/oidc/postiz - property: secret - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: postiz-elasticsearch-secret - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: postiz-elasticsearch-secret - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: username - remoteRef: - key: /cl01tl/postiz/elasticsearch - property: username - - secretKey: password - remoteRef: - key: /cl01tl/postiz/elasticsearch - property: password - - secretKey: roles - remoteRef: - key: /cl01tl/postiz/elasticsearch - property: roles - --- apiVersion: external-secrets.io/v1 kind: ExternalSecret @@ -78,7 +28,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: REDIS_URL remoteRef: 
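Review bot: The `postiz-elasticsearch-secret` ExternalSecret (username, password, roles) is deleted outright in the first hunk, while the postiz/values.yaml hunks in this commit only rename the config and OIDC references. If any container still carries a `secretKeyRef` to `postiz-elasticsearch-secret`, it now points at a Secret that is no longer synced and, with ESO's default owner creation policy, is garbage-collected together with its ExternalSecret. Confirm that nothing consumes it, or state in the commit message that the Elasticsearch integration was removed; the OIDC document removed here reappears as `postiz-oidc-authentik` in the later hunk, so the elasticsearch one is the only secret actually dropped.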
@@ -96,3 +46,26 @@ spec: remoteRef: key: /cl01tl/postiz/valkey property: password + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: postiz-oidc-authentik + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: postiz-oidc-authentik + {{- include "custom.labels" . | nindent 4 }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: client + remoteRef: + key: /cl01tl/authentik/oidc/postiz + property: client + - secretKey: secret + remoteRef: + key: /cl01tl/authentik/oidc/postiz + property: secret diff --git a/clusters/cl01tl/helm/postiz/values.yaml b/clusters/cl01tl/helm/postiz/values.yaml index 5fd7aa118..056907049 100644 --- a/clusters/cl01tl/helm/postiz/values.yaml +++ b/clusters/cl01tl/helm/postiz/values.yaml @@ -13,7 +13,7 @@ postiz: - name: JWT_SECRET valueFrom: secretKeyRef: - name: postiz-config-secret + name: postiz-config key: JWT_SECRET - name: MAIN_URL value: https://postiz.alexlebens.dev @@ -64,12 +64,12 @@ postiz: - name: POSTIZ_OAUTH_CLIENT_ID valueFrom: secretKeyRef: - name: postiz-oidc-secret + name: postiz-oidc-authentik key: client - name: POSTIZ_OAUTH_CLIENT_SECRET valueFrom: secretKeyRef: - name: postiz-oidc-secret + name: postiz-oidc-authentik key: secret - name: POSTIZ_OAUTH_SCOPE value: openid profile email diff --git a/clusters/cl01tl/helm/prowlarr/templates/external-secret.yaml b/clusters/cl01tl/helm/prowlarr/templates/external-secret.yaml index 58a28bba1..df4bdb367 100644 --- a/clusters/cl01tl/helm/prowlarr/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/prowlarr/templates/external-secret.yaml @@ -9,7 +9,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: key remoteRef: diff --git a/clusters/cl01tl/helm/qbittorrent/Chart.yaml b/clusters/cl01tl/helm/qbittorrent/Chart.yaml index 4268eb938..3b1e89ccc 100644 --- a/clusters/cl01tl/helm/qbittorrent/Chart.yaml 
+++ b/clusters/cl01tl/helm/qbittorrent/Chart.yaml @@ -5,7 +5,7 @@ description: qBittorrent keywords: - qbittorrent - torrent -home: https://docs.alexlebens.dev/applications/prowlarr/ +home: https://docs.alexlebens.dev/applications/qbittorrent/ sources: - https://github.com/qbittorrent/qBittorrent - https://github.com/qdm12/gluetun diff --git a/clusters/cl01tl/helm/qbittorrent/templates/_helpers.tpl b/clusters/cl01tl/helm/qbittorrent/templates/_helpers.tpl index 10688fcef..0a58f9b45 100644 --- a/clusters/cl01tl/helm/qbittorrent/templates/_helpers.tpl +++ b/clusters/cl01tl/helm/qbittorrent/templates/_helpers.tpl @@ -12,3 +12,10 @@ Selector labels app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} {{- end }} + +{{/* +NFS names +*/}} +{{- define "custom.storageNfsName" -}} +qbittorrent-nfs-storage +{{- end -}} diff --git a/clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml b/clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml index b5b3e2bde..e7f624514 100644 --- a/clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml 
@@ -1,75 +1,112 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: qbittorrent-wireguard-conf + name: qbit-manage-config namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: qbittorrent-wireguard-conf + app.kubernetes.io/name: qbit-manage-config {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + ntfy-url: "{{ `{{ .endpoint }}` }}/qbit-manage" data: + - secretKey: endpoint + remoteRef: + key: /cl01tl/ntfy/users/cl01tl + property: internal-endpoint-credential + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: qui-oidc-authentik + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: qui-oidc-authentik + {{- include "custom.labels" . | nindent 4 }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: secret + remoteRef: + key: /cl01tl/authentik/oidc/qui + property: secret + - secretKey: client + remoteRef: + key: /cl01tl/authentik/oidc/qui + property: client + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: airvpn-wireguard-conf + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: airvpn-wireguard-conf + {{- include "custom.labels" . 
| nindent 4 }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: conf + remoteRef: + key: /airvpn/config + property: conf - secretKey: private-key remoteRef: - key: /airvpn/conf/cl01tl + key: /airvpn/config property: private-key - secretKey: preshared-key remoteRef: - key: /airvpn/conf/cl01tl + key: /airvpn/config property: preshared-key - secretKey: addresses remoteRef: - key: /airvpn/conf/cl01tl + key: /airvpn/config property: addresses - secretKey: input-ports remoteRef: - key: /airvpn/conf/cl01tl + key: /airvpn/config property: input-ports --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: qbittorrent-qbit-manage-config + name: protonvpn-wireguard-conf namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: qbittorrent-qbit-manage-config + app.kubernetes.io/name: protonvpn-wireguard-conf {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - - secretKey: ntfy-url + - secretKey: conf remoteRef: - key: /cl01tl/qbittorrent/qbit-manage - property: ntfy-url - - secretKey: config.yml + key: /protonvpn/config + property: conf + - secretKey: email remoteRef: - key: /cl01tl/qbittorrent/qbit-manage - property: config.yml - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: qui-oidc-secret - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: qui-oidc-secret - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: secret + key: /protonvpn/config + property: email + - secretKey: password remoteRef: - key: /authentik/oidc/qui - property: secret - - secretKey: client + key: /protonvpn/config + property: password + - secretKey: private-key remoteRef: - key: /authentik/oidc/qui - property: client + key: /protonvpn/config + property: private-key 
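Review bot: The hunk keeps syncing the full AirVPN key set under `airvpn-wireguard-conf` (conf, private-key, preshared-key, addresses, input-ports) and adds `conf`, `email` and `password` under `protonvpn-wireguard-conf`, yet the qbittorrent/values.yaml hunks in this commit consume only `protonvpn-wireguard-conf`/`private-key` and drop every AirVPN reference. Those extra keys materialise VPN account credentials as Kubernetes Secrets in the namespace that no workload reads, which widens what a compromised pod or an over-broad RBAC grant can exfiltrate. If AirVPN is kept as a fallback, sync only the keys gluetun actually uses; otherwise remove the `airvpn-wireguard-conf` document and trim the ProtonVPN entry to `private-key`. The `ntfy-url` template at the top of the hunk uses `mergePolicy: Merge`, which leaves the raw `endpoint` credential in the same Secret beside `ntfy-url`; if only the URL is needed, `mergePolicy: Replace` keeps the credential out of it.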
diff --git a/clusters/cl01tl/helm/qbittorrent/templates/namespace.yaml b/clusters/cl01tl/helm/qbittorrent/templates/namespace.yaml index 97d505071..bbbe36926 100644 --- a/clusters/cl01tl/helm/qbittorrent/templates/namespace.yaml +++ b/clusters/cl01tl/helm/qbittorrent/templates/namespace.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Namespace metadata: - name: qbittorrent + name: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: qbittorrent + app.kubernetes.io/name: {{ .Release.Namespace }} {{- include "custom.labels" . | nindent 4 }} pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged diff --git a/clusters/cl01tl/helm/qbittorrent/templates/persistent-volume-claim.yaml b/clusters/cl01tl/helm/qbittorrent/templates/persistent-volume-claim.yaml index e300de499..7652a28b7 100644 --- a/clusters/cl01tl/helm/qbittorrent/templates/persistent-volume-claim.yaml +++ b/clusters/cl01tl/helm/qbittorrent/templates/persistent-volume-claim.yaml @@ -1,13 +1,13 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: qbittorrent-nfs-storage + name: {{ include "custom.storageNfsName" . }} namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: qbittorrent-nfs-storage + app.kubernetes.io/name: {{ include "custom.storageNfsName" . }} {{- include "custom.labels" . | nindent 4 }} spec: - volumeName: qbittorrent-nfs-storage + volumeName: {{ include "custom.storageNfsName" . }} storageClassName: nfs-client accessModes: - ReadWriteMany diff --git a/clusters/cl01tl/helm/qbittorrent/templates/persistent-volume.yaml b/clusters/cl01tl/helm/qbittorrent/templates/persistent-volume.yaml index 4354effca..7ce8d62aa 100644 --- a/clusters/cl01tl/helm/qbittorrent/templates/persistent-volume.yaml +++ b/clusters/cl01tl/helm/qbittorrent/templates/persistent-volume.yaml 
@@ -1,10 +1,10 @@ apiVersion: v1 kind: PersistentVolume metadata: - name: qbittorrent-nfs-storage + name: {{ include "custom.storageNfsName" . }} namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: qbittorrent-nfs-storage + app.kubernetes.io/name: {{ include "custom.storageNfsName" . }} {{- include "custom.labels" . | nindent 4 }} spec: persistentVolumeReclaimPolicy: Retain diff --git a/clusters/cl01tl/helm/qbittorrent/templates/secret-provider-class.yaml b/clusters/cl01tl/helm/qbittorrent/templates/secret-provider-class.yaml new file mode 100644 index 000000000..9ec37da5a --- /dev/null +++ b/clusters/cl01tl/helm/qbittorrent/templates/secret-provider-class.yaml @@ -0,0 +1,18 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: qbit-manage-config + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: qbit-manage-config + {{- include "custom.labels" . | nindent 4 }} +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: qbittorrent + objects: | + - objectName: config.yml + fileName: config.yml + secretPath: secret/data/cl01tl/qbittorrent/qbit-manage + secretKey: config.yml diff --git a/clusters/cl01tl/helm/qbittorrent/values.yaml b/clusters/cl01tl/helm/qbittorrent/values.yaml index d7f43e55d..3cf4c8d77 100644 --- a/clusters/cl01tl/helm/qbittorrent/values.yaml +++ b/clusters/cl01tl/helm/qbittorrent/values.yaml 
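Review bot: `baoAddress: "http://openbao-internal.openbao:8200"` in the new SecretProviderClass sends the service-account JWT login and the returned `config.yml` over plaintext HTTP, so the secret is readable by anything able to observe pod-to-pod traffic on that path unless a mesh is encrypting it. If the openbao-internal listener offers TLS, switch to `https://` and set the provider's CA-certificate parameter; if it does not, a comment above `baoAddress` stating that in-cluster traffic is considered trusted would document the accepted risk. `roleName: qbittorrent` also assumes an OpenBao Kubernetes-auth role bound to the `qbittorrent` ServiceAccount and namespace added in values.yaml; that binding is outside this commit and is worth naming in a comment so the dependency is visible.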
@@ -62,33 +62,22 @@ qbittorrent: command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"] env: - name: VPN_SERVICE_PROVIDER - value: airvpn + value: protonvpn - name: VPN_TYPE value: wireguard - name: WIREGUARD_PRIVATE_KEY valueFrom: secretKeyRef: - name: qbittorrent-wireguard-conf + name: protonvpn-wireguard-conf key: private-key - - name: WIREGUARD_PRESHARED_KEY - valueFrom: - secretKeyRef: - name: qbittorrent-wireguard-conf - key: preshared-key - - name: WIREGUARD_ADDRESSES - valueFrom: - secretKeyRef: - name: qbittorrent-wireguard-conf - key: addresses - - name: FIREWALL_VPN_INPUT_PORTS - valueFrom: - secretKeyRef: - name: qbittorrent-wireguard-conf - key: input-ports - name: FIREWALL_OUTBOUND_SUBNETS value: 192.168.1.0/24,10.244.0.0/16 - name: FIREWALL_INPUT_PORTS - value: 8080,9022 + value: 5030,50300 + - name: VPN_PORT_FORWARDING + value: 'on' + - name: VPN_PORT_FORWARDING_UP_COMMAND + value: '/bin/sh -c "/gluetun/update.sh {{ printf "{{PORTS}}" }}"' - name: DNS_UPSTREAM_RESOLVER_TYPE value: dot - name: BLOCK_MALICIOUS @@ -141,6 +130,8 @@ qbittorrent: reloader.stakater.com/auto: "true" replicas: 1 strategy: Recreate + serviceAccount: + name: qbittorrent initContainers: init-copy-config: image: @@ -150,7 +141,7 @@ qbittorrent: - /bin/sh - -ec - | - cp /config/config.yml /app/config/config.yml + cp /tmp/config.yml /app/config/config.yml containers: qbit-manage: image: @@ -194,7 +185,7 @@ qbittorrent: - name: APPRISE_STATELESS_URLS valueFrom: secretKeyRef: - name: qbittorrent-qbit-manage-config + name: qbit-manage-config key: ntfy-url qui: type: deployment @@ -223,12 +214,12 @@ qbittorrent: - name: QUI__OIDC_CLIENT_ID valueFrom: secretKeyRef: - name: qui-oidc-secret + name: qui-oidc-authentik key: client - name: QUI__OIDC_CLIENT_SECRET valueFrom: secretKeyRef: - name: qui-oidc-secret + name: qui-oidc-authentik key: secret - name: QUI__OIDC_REDIRECT_URL value: https://qui.alexlebens.net/api/auth/oidc/callback 
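Review bot: In the `@@ -141,7 +141,7 @@` hunk, `init-copy-config` copies the CSI-mounted `/tmp/config.yml` into `/app/config`, which the later volume hunk shows is the `qbit-manage-config-data` ceph-block PVC mounted read-write, so the secret config outlives the ephemeral secrets-store mount and persists on the PVC across restarts and rotations. If qbit-manage can read its config from a read-only path, pointing it at the CSI mount directly would avoid the persistent copy; otherwise at least tighten the copy, e.g. `cp /tmp/config.yml /app/config/config.yml && chmod 0600 /app/config/config.yml`. The `VPN_PORT_FORWARDING_UP_COMMAND` line in the first hunk emits a literal `{{PORTS}}` through `printf`, which is correct but deserves a one-line comment explaining the double braces to the next reader.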
@@ -238,6 +229,10 @@ qbittorrent: requests: cpu: 10m memory: 70Mi + serviceAccount: + qbittorrent: + enabled: true + staticToken: true service: main: controller: main @@ -347,22 +342,6 @@ qbittorrent: gluetun: - path: /gluetun/update.sh subPath: update.sh - qbit-manage-config: - enabled: true - type: secret - name: qbittorrent-qbit-manage-config - advancedMounts: - qbit-manage: - init-copy-config: - - path: /config/config.yml - readOnly: true - mountPropagation: None - subPath: config.yml - qbit-manage: - - path: /config/config.yml - readOnly: true - mountPropagation: None - subPath: config.yml config-data: forceRename: qbittorrent-config-data storageClass: ceph-filesystem @@ -377,6 +356,27 @@ qbittorrent: qbit-manage: - path: /qbittorrent/qBittorrent readOnly: false + qbit-manage-config: + enabled: true + type: custom + volumeSpec: + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: qbit-manage-config + advancedMounts: + qbit-manage: + init-copy-config: + - path: /tmp/config.yml + readOnly: true + mountPropagation: None + subPath: config.yml + qbit-manage: + - path: /tmp/config.yml + readOnly: true + mountPropagation: None + subPath: config.yml qbit-manage-config-data: forceRename: qbittorrent-qbit-manage-config-data storageClass: ceph-block @@ -390,6 +390,15 @@ qbittorrent: qbit-manage: - path: /app/config readOnly: false + qbit-manage-config-var: + storageClass: ceph-block + accessMode: ReadWriteOnce + size: 500Mi + advancedMounts: + qbit-manage: + qbit-manage: + - path: /app/var + readOnly: false qui-config-data: forceRename: qbittorrent-qui-config-data storageClass: ceph-block @@ -400,13 +409,6 @@ qbittorrent: qui: - path: /config readOnly: false - qbit-manage-config-var: - type: emptyDir - advancedMounts: - qbit-manage: - qbit-manage: - - path: /app/var - readOnly: false storage: type: persistentVolumeClaim existingClaim: qbittorrent-nfs-storage
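Review bot: `staticToken: true` in the `@@ -238,6 +229,10 @@` hunk makes the chart create a long-lived Secret-backed token for the new `qbittorrent` ServiceAccount, while the only visible consumer of that account is the secrets-store CSI `SecretProviderClass` (`roleName: qbittorrent`). The CSI driver normally hands the provider a short-lived projected token it requests per mount when token requests are enabled on the driver, so a non-expiring static token is usually unnecessary and is a standing credential that never rotates. If nothing else needs the static token, drop `staticToken: true`; if it is required, say why in a comment next to it. The `qbit-manage-config-var` move from `emptyDir` to a 500Mi ceph-block PVC in the last two hunks turns `/app/var` from ephemeral into persistent state, which is probably intended but should be mentioned in the commit message.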