From 3d58df753b2524799eba34d9d50f91f022cf747e Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Thu, 23 Apr 2026 16:40:37 -0500
Subject: [PATCH] feat: add more
---
 .../templates/external-secret.yaml | 16 +--
 .../cl01tl/helm/sparkyfitness/values.yaml | 2 +-
 .../stalwart/templates/elasticsearch.yaml | 2 +-
 .../stalwart/templates/external-secret.yaml | 6 +-
 .../helm/stalwart/templates/namespace.yaml | 4 +-
 .../templates/external-secrets.yaml | 10 +-
 .../templates/namespace.yaml | 4 +-
 .../helm/talos/templates/external-secret.yaml | 77 ++++--------
 .../templates/secret-provider-class.yaml | 78 ++++++++++++
 clusters/cl01tl/helm/talos/values.yaml | 114 ++++++++----------
 10 files changed, 172 insertions(+), 141 deletions(-)
 create mode 100644 clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml
diff --git a/clusters/cl01tl/helm/sparkyfitness/templates/external-secret.yaml b/clusters/cl01tl/helm/sparkyfitness/templates/external-secret.yaml
index 2bb5cdc61..2e6c8aa22 100644
--- a/clusters/cl01tl/helm/sparkyfitness/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/sparkyfitness/templates/external-secret.yaml
@@ -9,36 +9,36 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: api_encryption_key remoteRef: key: /cl01tl/sparkyfitness/key - property: api_encryption_key + property: api-encryption-key - secretKey: better_auth_secret remoteRef: key: /cl01tl/sparkyfitness/key - property: better_auth_secret + property: better-auth-secret --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: sparkyfitness-oidc-secret + name: sparkyfitness-oidc-authentik namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: sparkyfitness-oidc-secret + app.kubernetes.io/name: sparkyfitness-oidc-authentik {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: client_id remoteRef: - key: /authentik/oidc/sparkyfitness + key: /cl01tl/authentik/oidc/sparkyfitness property: client - secretKey: client_secret remoteRef: - key: /authentik/oidc/sparkyfitness + key: /cl01tl/authentik/oidc/sparkyfitness property: secret diff --git a/clusters/cl01tl/helm/sparkyfitness/values.yaml b/clusters/cl01tl/helm/sparkyfitness/values.yaml index 13b71c175..31c1f724c 100644 --- a/clusters/cl01tl/helm/sparkyfitness/values.yaml +++ b/clusters/cl01tl/helm/sparkyfitness/values.yaml @@ -10,7 +10,7 @@ sparkyfitness: issuerUrl: https://authentik.alexlebens.net/application/o/sparky-fitness logoUrl: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/authentik.webp secrets: - existingSecret: sparkyfitness-oidc-secret + existingSecret: sparkyfitness-oidc-authentik httpRoute: enabled: true hostname: sparkyfitness.alexlebens.net diff --git a/clusters/cl01tl/helm/stalwart/templates/elasticsearch.yaml b/clusters/cl01tl/helm/stalwart/templates/elasticsearch.yaml index 672c3369a..e8816b691 100644 --- a/clusters/cl01tl/helm/stalwart/templates/elasticsearch.yaml +++ b/clusters/cl01tl/helm/stalwart/templates/elasticsearch.yaml 
@@ -11,7 +11,7 @@ spec: version: 9.3.3 auth: fileRealm: - - secretName: stalwart-elasticsearch-secret + - secretName: stalwart-elasticsearch-config nodeSets: - name: default count: 2 diff --git a/clusters/cl01tl/helm/stalwart/templates/external-secret.yaml b/clusters/cl01tl/helm/stalwart/templates/external-secret.yaml index 31cfd9583..b344d835e 100644 --- a/clusters/cl01tl/helm/stalwart/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/stalwart/templates/external-secret.yaml @@ -1,15 +1,15 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: stalwart-elasticsearch-secret + name: stalwart-elasticsearch-config namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: stalwart-elasticsearch-secret + app.kubernetes.io/name: stalwart-elasticsearch-config {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: username remoteRef: diff --git a/clusters/cl01tl/helm/stalwart/templates/namespace.yaml b/clusters/cl01tl/helm/stalwart/templates/namespace.yaml index c573f079f..bbbe36926 100644 --- a/clusters/cl01tl/helm/stalwart/templates/namespace.yaml +++ b/clusters/cl01tl/helm/stalwart/templates/namespace.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Namespace metadata: - name: stalwart + name: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: stalwart + app.kubernetes.io/name: {{ .Release.Namespace }} {{- include "custom.labels" . | nindent 4 }} pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged diff --git a/clusters/cl01tl/helm/tailscale-operator/templates/external-secrets.yaml b/clusters/cl01tl/helm/tailscale-operator/templates/external-secrets.yaml index 18539044b..0c7f3393c 100644 --- a/clusters/cl01tl/helm/tailscale-operator/templates/external-secrets.yaml +++ b/clusters/cl01tl/helm/tailscale-operator/templates/external-secrets.yaml 
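Review bot: Rendering the Namespace name from `{{ .Release.Namespace }}` (in this namespace.yaml hunk and the identical tailscale-operator one that follows) makes the chart own the namespace it is installed into, which presumably collides when the installer already creates that namespace — Helm refuses to adopt a pre-existing Namespace it does not own, while Argo CD's CreateNamespace option behaves differently — so this is worth confirming against how the cl01tl releases are applied. The pod-security labels are unchanged context, so the namespace keeps enforcing `privileged`; a comment above `metadata:` such as `# Namespace is owned by this release; PSS level privileged is required by the workload` would record both decisions for the next reader.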
@@ -9,13 +9,13 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: client_id remoteRef: - key: /tailscale/k8s-operator - property: clientId + key: /tailscale/credentials/k8s-operator + property: client-id - secretKey: client_secret remoteRef: - key: /tailscale/k8s-operator - property: clientSecret + key: /tailscale/credentials/k8s-operator + property: client-secret diff --git a/clusters/cl01tl/helm/tailscale-operator/templates/namespace.yaml b/clusters/cl01tl/helm/tailscale-operator/templates/namespace.yaml index 166afd7cc..bbbe36926 100644 --- a/clusters/cl01tl/helm/tailscale-operator/templates/namespace.yaml +++ b/clusters/cl01tl/helm/tailscale-operator/templates/namespace.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Namespace metadata: - name: tailscale-operator + name: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: tailscale-operator + app.kubernetes.io/name: {{ .Release.Namespace }} {{- include "custom.labels" . | nindent 4 }} pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged diff --git a/clusters/cl01tl/helm/talos/templates/external-secret.yaml b/clusters/cl01tl/helm/talos/templates/external-secret.yaml index aff367831..77d47b660 100644 --- a/clusters/cl01tl/helm/talos/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/talos/templates/external-secret.yaml @@ -1,15 +1,15 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: talos-etcd-backup-local-secret + name: talos-etcd-backup-local-config namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: talos-etcd-backup-local-secret + app.kubernetes.io/name: talos-etcd-backup-local-config {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: 
@@ -19,14 +19,10 @@ spec: remoteRef: key: /garage/home-infra/talos-backups property: ACCESS_SECRET_KEY - - secretKey: .s3cfg - remoteRef: - key: /garage/home-infra/talos-backups - property: s3cfg-local - secretKey: BUCKET remoteRef: key: /garage/home-infra/talos-backups - property: BUCKET + property: BUCKET_PATH - secretKey: AGE_X25519_PUBLIC_KEY remoteRef: key: /cl01tl/talos/etcd-backup @@ -36,15 +32,15 @@ spec: apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: talos-etcd-backup-remote-secret + name: talos-etcd-backup-remote-config namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: talos-etcd-backup-remote-secret + app.kubernetes.io/name: talos-etcd-backup-remote-config {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: @@ -54,14 +50,10 @@ spec: remoteRef: key: /garage/home-infra/talos-backups property: ACCESS_SECRET_KEY - - secretKey: .s3cfg - remoteRef: - key: /garage/home-infra/talos-backups - property: s3cfg-remote - secretKey: BUCKET remoteRef: key: /garage/home-infra/talos-backups - property: BUCKET + property: BUCKET_PATH - secretKey: AGE_X25519_PUBLIC_KEY remoteRef: key: /cl01tl/talos/etcd-backup 
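Review bot: `secretKey: BUCKET` now reads the remote property `BUCKET_PATH` in the local ExternalSecret (first hunk here), the remote one (second hunk) and the external one in the next hunk, so the Secret key and the `BUCKET` environment variable loaded from it via `envFrom` no longer match the name of the value they carry. If the OpenBao property now holds a bucket plus key prefix, renaming the Secret key to match (and the consuming script variable, which is outside this patch) would remove the mismatch; if it is still only the bucket name, the property rename is the misleading half. Either way a comment on the entry, `# BUCKET env var is sourced from the BUCKET_PATH property`, records the indirection.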
@@ -71,32 +63,28 @@ spec: apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: talos-etcd-backup-external-secret + name: talos-etcd-backup-external-config namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: talos-etcd-backup-external-secret + app.kubernetes.io/name: talos-etcd-backup-external-config {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: - key: /digital-ocean/home-infra/etcd-backup + key: /digital-ocean/home-infra/talos-backups property: AWS_ACCESS_KEY_ID - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: - key: /digital-ocean/home-infra/etcd-backup + key: /digital-ocean/home-infra/talos-backups property: AWS_SECRET_ACCESS_KEY - - secretKey: .s3cfg - remoteRef: - key: /digital-ocean/home-infra/etcd-backup - property: s3cfg - secretKey: BUCKET remoteRef: - key: /digital-ocean/home-infra/etcd-backup - property: BUCKET + key: /digital-ocean/home-infra/talos-backups + property: BUCKET_PATH - secretKey: AGE_X25519_PUBLIC_KEY remoteRef: key: /cl01tl/talos/etcd-backup 
@@ -106,44 +94,25 @@ spec: apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: talos-backup-ntfy-secret + name: talos-ntfy-config namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: talos-backup-ntfy-secret + app.kubernetes.io/name: talos-ntfy-config {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: NTFY_TOKEN remoteRef: - key: /ntfy/user/cl01tl + key: /cl01tl/ntfy/users/cl01tl property: token - secretKey: NTFY_ENDPOINT remoteRef: - key: /ntfy/user/cl01tl - property: endpoint + key: /cl01tl/ntfy/config + property: internal-endpoint - secretKey: NTFY_TOPIC remoteRef: - key: /cl01tl/talos/etcd-backup - property: NTFY_TOPIC - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: talos-etcd-defrag-secret - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: talos-etcd-defrag-secret - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: config - remoteRef: - key: /cl01tl/talos/etcd-defrag - property: config + key: /cl01tl/talos/ntfy + property: topic diff --git a/clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml b/clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml new file mode 100644 index 000000000..f3d7c0ca0 --- /dev/null +++ b/clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml 
@@ -0,0 +1,78 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: talos-etcd-backup-local-config + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: talos-etcd-backup-local-config + {{- include "custom.labels" . | nindent 4 }} +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: slskd + objects: | + - objectName: .s3cfg + fileName: .s3cfg + secretPath: secret/data/garage/home-infra/talos-backups + secretKey: s3cfg-local + +--- +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: talos-etcd-backup-remote-config + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: talos-etcd-backup-remote-config + {{- include "custom.labels" . | nindent 4 }} +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: slskd + objects: | + - objectName: .s3cfg + fileName: .s3cfg + secretPath: secret/data/garage/home-infra/talos-backups + secretKey: s3cfg-remote + +--- +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: talos-etcd-backup-external-config + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: talos-etcd-backup-external-config + {{- include "custom.labels" . | nindent 4 }} +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: slskd + objects: | + - objectName: .s3cfg + fileName: .s3cfg + secretPath: secret/data/digital-ocean/home-infra/talos-backups + secretKey: s3cfg + +--- +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: talos-etcd-defrag-config + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: talos-etcd-defrag-config + {{- include "custom.labels" . 
| nindent 4 }} +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: slskd + objects: | + - objectName: config + fileName: config + secretPath: secret/data/cl01tl/talos/talosconfig + secretKey: config diff --git a/clusters/cl01tl/helm/talos/values.yaml b/clusters/cl01tl/helm/talos/values.yaml index ee9f3b707..a704768bc 100644 --- a/clusters/cl01tl/helm/talos/values.yaml +++ b/clusters/cl01tl/helm/talos/values.yaml @@ -37,12 +37,12 @@ etcd-backup: - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: - name: talos-etcd-backup-local-secret + name: talos-etcd-backup-local-config key: AWS_ACCESS_KEY_ID - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: - name: talos-etcd-backup-local-secret + name: talos-etcd-backup-local-config key: AWS_SECRET_ACCESS_KEY - name: AWS_REGION value: us-east-1 @@ -57,7 +57,7 @@ etcd-backup: - name: AGE_X25519_PUBLIC_KEY valueFrom: secretKeyRef: - name: talos-etcd-backup-local-secret + name: talos-etcd-backup-local-config key: AGE_X25519_PUBLIC_KEY - name: USE_PATH_STYLE value: "false" @@ -72,9 +72,9 @@ etcd-backup: - /scripts/prune.sh envFrom: - secretRef: - name: talos-etcd-backup-local-secret + name: talos-etcd-backup-local-config - secretRef: - name: talos-backup-ntfy-secret + name: talos-ntfy-config env: - name: TARGET value: Local @@ -117,12 +117,12 @@ etcd-backup: - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: - name: talos-etcd-backup-remote-secret + name: talos-etcd-backup-remote-config key: AWS_ACCESS_KEY_ID - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: - name: talos-etcd-backup-remote-secret + name: talos-etcd-backup-remote-config key: AWS_SECRET_ACCESS_KEY - name: AWS_REGION value: us-east-1 @@ -137,7 +137,7 @@ etcd-backup: - name: AGE_X25519_PUBLIC_KEY valueFrom: secretKeyRef: - name: talos-etcd-backup-remote-secret + name: talos-etcd-backup-remote-config key: AGE_X25519_PUBLIC_KEY - name: USE_PATH_STYLE value: "false" 
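Review bot: All four SecretProviderClass objects authenticate with `roleName: slskd`, which reads like a role copied from another workload; the OpenBao Kubernetes-auth role decides which service accounts may read these paths, so either the talos pods' service account is not bound to it and the CSI mount fails at pod start, or the slskd policy is broad enough to cover `secret/data/cl01tl/talos/talosconfig`, in which case the Talos admin credential is readable by whatever else uses that role. A role created for this chart, e.g. `roleName: <talos-role-name>` (placeholder), bound only to the etcd-backup and etcd-defrag service accounts with a policy limited to the two `secretPath` prefixes used here, keeps this least-privilege. `baoAddress` also uses plain `http://`, so the s3cfg contents (S3 keys) and the talosconfig transit the cluster network unencrypted unless a mesh covers that hop; the provider's TLS settings are worth enabling. The `provider`/`baoAddress`/`roleName` triple is repeated verbatim four times and could be sourced from a single values key.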
@@ -152,9 +152,9 @@ etcd-backup: - /scripts/prune.sh envFrom: - secretRef: - name: talos-etcd-backup-remote-secret + name: talos-etcd-backup-remote-config - secretRef: - name: talos-backup-ntfy-secret + name: talos-ntfy-config env: - name: TARGET value: Remote @@ -197,12 +197,12 @@ etcd-backup: - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: - name: talos-etcd-backup-external-secret + name: talos-etcd-backup-external-config key: AWS_ACCESS_KEY_ID - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: - name: talos-etcd-backup-external-secret + name: talos-etcd-backup-external-config key: AWS_SECRET_ACCESS_KEY - name: AWS_REGION value: nyc3 @@ -217,7 +217,7 @@ etcd-backup: - name: AGE_X25519_PUBLIC_KEY valueFrom: secretKeyRef: - name: talos-etcd-backup-external-secret + name: talos-etcd-backup-external-config key: AGE_X25519_PUBLIC_KEY - name: USE_PATH_STYLE value: "false" @@ -232,9 +232,9 @@ etcd-backup: - /scripts/prune.sh envFrom: - secretRef: - name: talos-etcd-backup-external-secret + name: talos-etcd-backup-external-config - secretRef: - name: talos-backup-ntfy-secret + name: talos-ntfy-config env: - name: TARGET value: External @@ -280,9 +280,13 @@ etcd-backup: - path: /scripts/prune.sh subPath: prune.sh s3cmd-config-local: - enabled: true - type: secret - name: talos-etcd-backup-local-secret + type: custom + volumeSpec: + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: talos-etcd-backup-local-config advancedMounts: local: s3-prune: @@ -291,9 +295,13 @@ etcd-backup: mountPropagation: None subPath: .s3cfg s3cmd-config-remote: - enabled: true - type: secret - name: talos-etcd-backup-remote-secret + type: custom + volumeSpec: + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: talos-etcd-backup-remote-config advancedMounts: remote: s3-prune: 
@@ -302,9 +310,13 @@ etcd-backup: mountPropagation: None subPath: .s3cfg s3cmd-config-external: - enabled: true - type: secret - name: talos-etcd-backup-external-secret + type: custom + volumeSpec: + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: talos-etcd-backup-external-config advancedMounts: external: s3-prune: @@ -312,7 +324,7 @@ etcd-backup: readOnly: true mountPropagation: None subPath: .s3cfg - tmp-local: + tmp: type: emptyDir medium: Memory advancedMounts: @@ -320,23 +332,15 @@ etcd-backup: backup: - path: /tmp readOnly: false - tmp-remote: - type: emptyDir - medium: Memory - advancedMounts: remote: backup: - path: /tmp readOnly: false - tmp-external: - type: emptyDir - medium: Memory - advancedMounts: external: backup: - path: /tmp readOnly: false - talos-local: + talos: type: emptyDir medium: Memory advancedMounts: @@ -344,18 +348,10 @@ etcd-backup: backup: - path: /.talos readOnly: false - talos-remote: - type: emptyDir - medium: Memory - advancedMounts: remote: backup: - path: /.talos readOnly: false - talos-external: - type: emptyDir - medium: Memory - advancedMounts: external: backup: - path: /.talos 
@@ -449,36 +445,24 @@ etcd-defrag: - name: TALOSCONFIG value: /tmp/.talos/config persistence: - talos-config-1: - enabled: true - type: secret - name: talos-etcd-defrag-secret + config: + type: custom + volumeSpec: + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: talos-etcd-defrag-config advancedMounts: defrag-1: main: - - path: /tmp/.talos/config + - path: /tmp/.talos/ readOnly: true - mountPropagation: None - subPath: config - talos-config-2: - enabled: true - type: secret - name: talos-etcd-defrag-secret - advancedMounts: defrag-2: main: - - path: /tmp/.talos/config + - path: /tmp/.talos/ readOnly: true - mountPropagation: None - subPath: config - talos-config-3: - enabled: true - type: secret - name: talos-etcd-defrag-secret - advancedMounts: defrag-3: main: - - path: /tmp/.talos/config + - path: /tmp/.talos/ readOnly: true - mountPropagation: None - subPath: config