chore: Update manifests after change

2026-04-16 01:01:11 +00:00
parent 8ae5854379
commit 52d7dfcc53
58 changed files with 1939 additions and 3 deletions


@@ -130,6 +130,7 @@ data:
objects IN CNAME traefik-cl01tl objects IN CNAME traefik-cl01tl
ollama IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl
omni-tools IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl
openbao IN CNAME traefik-cl01tl
paperless-ngx IN CNAME traefik-cl01tl paperless-ngx IN CNAME traefik-cl01tl
plex IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl
postiz-spotlight IN CNAME traefik-cl01tl postiz-spotlight IN CNAME traefik-cl01tl


@@ -22,7 +22,7 @@ spec:
template: template:
metadata: metadata:
annotations: annotations:
checksum/configMaps: f8de88b5a9037f61f1dd5bd0dae68035d99dc8758c173b69f06a55a2b1d93304 checksum/configMaps: c09d68cf84d75e9c363e3663d97d8cccc831b88e7dd6e6cd79b2ac6c85369339
labels: labels:
app.kubernetes.io/controller: main app.kubernetes.io/controller: main
app.kubernetes.io/instance: blocky app.kubernetes.io/instance: blocky


@@ -483,6 +483,15 @@ data:
interval: 30s interval: 30s
name: vault name: vault
url: https://vault.alexlebens.net url: https://vault.alexlebens.net
- alerts:
- type: ntfy
conditions:
- '[STATUS] == 200'
- '[CERTIFICATE_EXPIRATION] > 240h'
group: core
interval: 30s
name: openbao
url: https://openbao.alexlebens.net
- alerts: - alerts:
- type: ntfy - type: ntfy
conditions: conditions:


@@ -26,7 +26,7 @@ spec:
app.kubernetes.io/name: gatus app.kubernetes.io/name: gatus
app.kubernetes.io/instance: gatus app.kubernetes.io/instance: gatus
annotations: annotations:
checksum/config: fa939ee3306d395924758008b12352f8785d18da1ed5c5728b9a62facdfed267 checksum/config: 2e9a8befb2caa928dbe6f8c2ea3f9a85f1d98354adeb28580e90fc18413fb127
spec: spec:
serviceAccountName: default serviceAccountName: default
automountServiceAccountToken: false automountServiceAccountToken: false


@@ -0,0 +1,17 @@
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard
metadata:
name: grafana-dashboard-openbao
namespace: grafana-operator
labels:
app.kubernetes.io/name: grafana-dashboard-openbao
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/part-of: grafana-operator
spec:
instanceSelector:
matchLabels:
app: grafana-main
contentCacheDuration: 6h
folderUID: grafana-folder-platform
resyncPeriod: 6h
url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/openbao.json


@@ -567,6 +567,18 @@ data:
app.kubernetes.io/instance in ( app.kubernetes.io/instance in (
vault vault
) )
- Secrets:
icon: sh-openbao.webp
description: OpenBao
href: https://openbao.alexlebens.net
siteMonitor: http://openbao.openbao:8200
statusStyle: dot
namespace: openbao
app: openbao
podSelector: >-
app.kubernetes.io/instance in (
openbao
)
- Backups: - Backups:
icon: sh-backrest-light.webp icon: sh-backrest-light.webp
description: Backrest description: Backrest


@@ -24,7 +24,7 @@ spec:
template: template:
metadata: metadata:
annotations: annotations:
checksum/configMaps: 1191af1b56a3c06d7cc4f5ddf91144a1c682e9c3ca13a4d0eea26e148e2c6d50 checksum/configMaps: 23a5c8ee073c4b2443acd207d4b960c17b431a3ff0bdea1a44a8a179ff788c89
checksum/secrets: d3ba83f111cd32f92c909268c55ad8bbd4f9e299b74b35b33c1a011180d8b378 checksum/secrets: d3ba83f111cd32f92c909268c55ad8bbd4f9e299b74b35b33c1a011180d8b378
labels: labels:
app.kubernetes.io/controller: main app.kubernetes.io/controller: main


@@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: openbao-csi-provider-clusterrole
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
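Review bot: The `create` verb on `serviceaccounts/token` is granted cluster-wide (a ClusterRole with no `resourceNames`), so the ServiceAccount bound to it in the next section can mint a token for any ServiceAccount in any namespace. This is how the upstream provider authenticates workloads when the CSI driver does not hand it a token itself; if the `secrets-store.csi.k8s.io` CSIDriver were configured with `tokenRequests`, the driver would supply the pod's own token and this grant could probably be narrowed or dropped — worth confirming against the provider documentation. Whatever is decided, record the reason above the rule, e.g. `# cluster-wide TokenRequest: the provider mints pod SA tokens to log in to OpenBao; CSIDriver tokenRequests is the narrower alternative`. Because this grant is equivalent to impersonating any SA, the provider pod that holds it should be hardened accordingly (see the DaemonSet section).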


@@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: openbao-csi-provider-clusterrolebinding
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: openbao-csi-provider-clusterrole
subjects:
- kind: ServiceAccount
name: openbao-csi-provider
namespace: openbao


@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: openbao-server-binding
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: openbao
namespace: openbao


@@ -0,0 +1,43 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: openbao-config
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
data:
extraconfig-from-values.hcl: |2-
ui = true
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
cluster_address = "[::]:8201"
telemetry {
unauthenticated_metrics_access = "true"
}
}
storage "raft" {
path = "/openbao/data"
retry_join {
leader_api_addr = "http://openbao-0.openbao-internal:8201"
}
retry_join {
leader_api_addr = "http://openbao-1.openbao-internal:8201"
}
retry_join {
leader_api_addr = "http://openbao-2.openbao-internal:8201"
}
}
service_registration "kubernetes" {}
telemetry {
prometheus_retention_time = "30s"
disable_hostname = true
}
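Review bot: The three `retry_join` stanzas point `leader_api_addr` at port 8201, which is the `cluster_address` declared in the listener above; `leader_api_addr` is the peer's API address, so unless this deliberately departs from the upstream examples these should read `leader_api_addr = "http://openbao-0.openbao-internal:8200"` (and likewise for `-1` and `-2`), otherwise automatic raft joins are likely to fail and nodes will need to be joined by hand. Separately, `unauthenticated_metrics_access = "true"` on a listener with `tls_disable = 1` makes `/v1/sys/metrics` readable by anyone who can reach 8200, and this commit also publishes 8200 through a TLSRoute and a Tailscale Ingress; if the in-cluster ServiceMonitor is the only intended consumer, block that path at the gateway and say so in the config: `# metrics endpoint is unauthenticated; must not be reachable outside the cluster network`.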


@@ -0,0 +1,22 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: openbao-csi-provider-agent-config
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
data:
config.hcl: |
vault {
"address" = "http://openbao.openbao.svc:8200"
}
cache {}
listener "unix" {
address = "/var/run/vault/agent.sock"
tls_disable = true
}


@@ -0,0 +1,19 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: openbao-snapshot
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
data:
S3_HOST: garage-main.garage:3900
S3_BUCKET: openbao-backups
S3CMD_EXTRA_FLAG: -v
S3_URI: s3://openbao-backups
S3_EXPIRE_DAYS: "30"
BAO_AUTH_PATH: kubernetes
BAO_ROLE: bao-snapshot
BAO_ADDR: http://openbao-active.openbao.svc:8200


@@ -0,0 +1,63 @@
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
name: openbao-snapshot
namespace: openbao
spec:
schedule: "0 4 * * *"
jobTemplate:
metadata:
labels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: snapshot-agent
spec:
template:
metadata:
labels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: snapshot-agent
spec:
restartPolicy: OnFailure
serviceAccountName: openbao-snapshot
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 100
fsGroup: 1000
containers:
- name: bao-snapshot
envFrom:
- configMapRef:
name: openbao-snapshot
env:
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: AWS_SECRET_ACCESS_KEY
name: openbao-snapshot-secret
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
key: AWS_ACCESS_KEY_ID
name: openbao-snapshot-secret
image: ghcr.io/openbao/openbao-snapshot-agent:0.3.0@sha256:d7a8ca9d26b12cf226ce093b9051f243c53aefbb8a419b3dc0b554e7575c931c
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumeMounts:
- name: snapshot-dir
mountPath: /bao-snapshots
imagePullPolicy: IfNotPresent
volumes:
- name: snapshot-dir
emptyDir: {}
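Review bot: The CronJob sets no `concurrencyPolicy`, so with the default `Allow` a slow run overlaps the next day's job and two snapshot processes write the same bucket at once; add `concurrencyPolicy: Forbid` under `spec:`. The `snapshot-dir` volume is `emptyDir: {}` without a `sizeLimit`, so a raft snapshot can fill the node disk — a bound such as `sizeLimit: 2Gi` (constructed example; size it from the actual snapshot) is cheap insurance. The container also lacks `readOnlyRootFilesystem: true`, which the agent sidecar in the DaemonSet does set; since the snapshot is written to the mounted volume this should be safe to enable, but verify the agent writes nothing else.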


@@ -0,0 +1,105 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: openbao-csi-provider
namespace: openbao
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
spec:
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
template:
metadata:
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
spec:
serviceAccountName: openbao-csi-provider
containers:
- name: openbao-csi-provider
resources:
requests:
cpu: 50m
memory: 100Mi
image: "quay.io/openbao/openbao-csi-provider:2.0.1@sha256:a3bd5e8183da778b5dc79ee1a3d7313ac77dc599b623b4106a91b19362674f27"
imagePullPolicy: IfNotPresent
args:
- --endpoint=/provider/openbao.sock
- --debug=false
- --hmac-secret-name=openbao-csi-provider-hmac-key
env:
- name: VAULT_ADDR
value: "unix:///var/run/vault/agent.sock"
volumeMounts:
- name: providervol
mountPath: "/provider"
- name: agent-unix-socket
mountPath: /var/run/vault
livenessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
readinessProbe:
httpGet:
path: /health/ready
port: 8080
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
- name: openbao-agent
image: "quay.io/openbao/openbao:2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878"
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 10m
memory: 100Mi
command:
- bao
args:
- agent
- -config=/etc/vault/config.hcl
ports:
- containerPort: 8200
env:
- name: BAO_LOG_LEVEL
value: "info"
- name: BAO_LOG_FORMAT
value: "standard"
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 100
runAsGroup: 1000
volumeMounts:
- name: agent-config
mountPath: /etc/vault/config.hcl
subPath: config.hcl
readOnly: true
- name: agent-unix-socket
mountPath: /var/run/vault
volumes:
- name: providervol
hostPath:
path: /etc/kubernetes/secrets-store-csi-providers
- name: agent-config
configMap:
name: openbao-csi-provider-agent-config
- name: agent-unix-socket
emptyDir:
medium: Memory
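Review bot: The `openbao-csi-provider` container has no `securityContext` at all, while its `openbao-agent` sibling runs non-root with a read-only root filesystem and no privilege escalation; the provider is the container that holds the cluster-wide `serviceaccounts/token` grant and the `/etc/kubernetes/secrets-store-csi-providers` hostPath, so it is the one most worth restricting. Mirror the sibling's context as below; `readOnlyRootFilesystem` should be fine because the provider only writes its socket into the hostPath mount, and `runAsNonRoot` depends on the image declaring a non-root user — both need a quick check against the image. The rest of the container spec is unchanged.
```yaml
      - name: openbao-csi-provider
        # … unchanged: resources, image, args, env, volumeMounts, probes …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
```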


@@ -0,0 +1,45 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: openbao-unseal-unseal-1
labels:
app.kubernetes.io/controller: unseal-1
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: unseal-4.6.2
namespace: openbao
spec:
revisionHistoryLimit: 3
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/controller: unseal-1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
template:
metadata:
labels:
app.kubernetes.io/controller: unseal-1
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- envFrom:
- secretRef:
name: openbao-unseal-config-1
image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef
name: main
resources:
requests:
cpu: 1m
memory: 10Mi
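Review bot: `automountServiceAccountToken: true` with `serviceAccountName: default` hands the unseal container an API token it has no visible use for — its only inputs are the `openbao-unseal-config-1` secret and the OpenBao endpoints in it — and the pod defines no `securityContext` even though it holds an unseal key share in its environment. Set `automountServiceAccountToken: false` and add the same restricted context the server StatefulSet uses (runAsNonRoot, allowPrivilegeEscalation false, capabilities drop ALL, seccomp RuntimeDefault), checking that the image runs as a non-root user. The same applies to the `openbao-unseal-unseal-2` and `openbao-unseal-unseal-3` Deployments in the next two sections, which are identical apart from the secret name.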


@@ -0,0 +1,45 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: openbao-unseal-unseal-2
labels:
app.kubernetes.io/controller: unseal-2
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: unseal-4.6.2
namespace: openbao
spec:
revisionHistoryLimit: 3
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/controller: unseal-2
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
template:
metadata:
labels:
app.kubernetes.io/controller: unseal-2
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- envFrom:
- secretRef:
name: openbao-unseal-config-2
image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef
name: main
resources:
requests:
cpu: 1m
memory: 10Mi


@@ -0,0 +1,45 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: openbao-unseal-unseal-3
labels:
app.kubernetes.io/controller: unseal-3
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao
helm.sh/chart: unseal-4.6.2
namespace: openbao
spec:
revisionHistoryLimit: 3
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/controller: unseal-3
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
template:
metadata:
labels:
app.kubernetes.io/controller: unseal-3
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
hostIPC: false
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
- envFrom:
- secretRef:
name: openbao-unseal-config-3
image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef
name: main
resources:
requests:
cpu: 1m
memory: 10Mi


@@ -0,0 +1,30 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: openbao-snapshot-secret
namespace: openbao
labels:
app.kubernetes.io/name: openbao-snapshot-secret
app.kubernetes.io/instance: openbao
app.kubernetes.io/part-of: openbao
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/openbao-backups
property: ACCESS_KEY_ID
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/openbao-backups
property: ACCESS_REGION
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
key: /garage/home-infra/openbao-backups
property: ACCESS_SECRET_KEY
- secretKey: BUCKET
remoteRef:
key: /garage/home-infra/openbao-backups
property: BUCKET


@@ -0,0 +1,30 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: openbao-unseal-config-1
namespace: openbao
labels:
app.kubernetes.io/name: openbao-unseal-config-1
app.kubernetes.io/instance: openbao
app.kubernetes.io/part-of: openbao
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
key: /cl01tl/openbao/unseal
property: ENVIRONMENT
- secretKey: NODES
remoteRef:
key: /cl01tl/openbao/unseal
property: NODES
- secretKey: TOKENS
remoteRef:
key: /cl01tl/openbao/unseal
property: TOKENS_1
- secretKey: NOTIFY_QUEUE_URLS
remoteRef:
key: /cl01tl/openbao/unseal
property: NOTIFY_QUEUE_URLS


@@ -0,0 +1,30 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: openbao-unseal-config-2
namespace: openbao
labels:
app.kubernetes.io/name: openbao-unseal-config-2
app.kubernetes.io/instance: openbao
app.kubernetes.io/part-of: openbao
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
key: /cl01tl/openbao/unseal
property: ENVIRONMENT
- secretKey: NODES
remoteRef:
key: /cl01tl/openbao/unseal
property: NODES
- secretKey: TOKENS
remoteRef:
key: /cl01tl/openbao/unseal
property: TOKENS_2
- secretKey: NOTIFY_QUEUE_URLS
remoteRef:
key: /cl01tl/openbao/unseal
property: NOTIFY_QUEUE_URLS


@@ -0,0 +1,30 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: openbao-unseal-config-3
namespace: openbao
labels:
app.kubernetes.io/name: openbao-unseal-config-3
app.kubernetes.io/instance: openbao
app.kubernetes.io/part-of: openbao
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
key: /cl01tl/openbao/unseal
property: ENVIRONMENT
- secretKey: NODES
remoteRef:
key: /cl01tl/openbao/unseal
property: NODES
- secretKey: TOKENS
remoteRef:
key: /cl01tl/openbao/unseal
property: TOKENS_3
- secretKey: NOTIFY_QUEUE_URLS
remoteRef:
key: /cl01tl/openbao/unseal
property: NOTIFY_QUEUE_URLS


@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: openbao-tailscale
namespace: openbao
labels:
app.kubernetes.io/name: openbao-tailscale
app.kubernetes.io/instance: openbao
app.kubernetes.io/part-of: openbao
tailscale.com/proxy-class: no-metrics
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
spec:
ingressClassName: tailscale
tls:
- hosts:
- openbao-cl01tl
secretName: openbao-cl01tl
rules:
- host: openbao-cl01tl
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: openbao-active
port:
number: 8200


@@ -0,0 +1,38 @@
apiVersion: v1
kind: Pod
metadata:
name: openbao-server-test
namespace: openbao
annotations:
"helm.sh/hook": test
spec:
containers:
- name: openbao-server-test
image: quay.io/openbao/openbao:2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878
imagePullPolicy: IfNotPresent
env:
- name: VAULT_ADDR
value: http://openbao.openbao.svc:8200
command:
- /bin/sh
- -c
- |
echo "Checking for sealed info in 'bao status' output"
ATTEMPTS=10
n=0
until [ "$n" -ge $ATTEMPTS ]
do
echo "Attempt" $n...
bao status -format yaml | grep -E '^sealed: (true|false)' && break
n=$((n+1))
sleep 5
done
if [ $n -ge $ATTEMPTS ]; then
echo "timed out looking for sealed info in 'bao status' output"
exit 1
fi
exit 0
volumeMounts:
volumes:
restartPolicy: Never


@@ -0,0 +1,17 @@
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: openbao
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
spec:
maxUnavailable: 1
selector:
matchLabels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server


@@ -0,0 +1,29 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: openbao
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
release: prometheus
spec:
groups:
- name: openbao
rules:
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 500ms on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
for: 5m
labels:
severity: warning
- alert: vault-HighResponseTime
annotations:
message: The response time of Vault is over 1s on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
for: 5m
labels:
severity: critical
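Review bot: Both alert expressions select `namespace="mynamespace"`, a placeholder that nothing in this commit carries (the workload is in `openbao`), so neither rule can ever fire; and both are named `vault-HighResponseTime`, so even once fixed the warning and critical alerts are indistinguishable by name. Change both `expr` lines to `vault_core_handle_request{quantile="0.5", namespace="openbao"} > …` and give the second rule a distinct name such as `alert: vault-VeryHighResponseTime`. It is also worth confirming that the metric the ServiceMonitor scrapes from `/v1/sys/metrics` is still exported under the `vault_` prefix by this OpenBao version, since a silently non-matching metric name has the same effect as the placeholder label.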


@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: openbao-csi-provider-role
namespace: openbao
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames:
- openbao-csi-provider-hmac-key
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]


@@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: openbao
name: openbao-discovery-role
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list", "update", "patch"]


@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: openbao-csi-provider-rolebinding
namespace: openbao
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: openbao-csi-provider-role
subjects:
- kind: ServiceAccount
name: openbao-csi-provider
namespace: openbao


@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: openbao-discovery-rolebinding
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: openbao-discovery-role
subjects:
- kind: ServiceAccount
name: openbao
namespace: openbao


@@ -0,0 +1,26 @@
apiVersion: v1
kind: Service
metadata:
name: openbao-active
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
openbao-active: "true"
spec:
publishNotReadyAddresses: true
ports:
- name: http
port: 8200
targetPort: 8200
appProtocol: HTTP
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server
openbao-active: "true"


@@ -0,0 +1,26 @@
apiVersion: v1
kind: Service
metadata:
name: openbao-internal
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
openbao-internal: "true"
spec:
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: "http"
port: 8200
targetPort: 8200
appProtocol: HTTP
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server


@@ -0,0 +1,25 @@
apiVersion: v1
kind: Service
metadata:
name: openbao-standby
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
spec:
publishNotReadyAddresses: true
ports:
- name: http
port: 8200
targetPort: 8200
appProtocol: HTTP
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server
openbao-active: "false"


@@ -0,0 +1,24 @@
apiVersion: v1
kind: Service
metadata:
name: openbao
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
spec:
publishNotReadyAddresses: true
ports:
- name: http
port: 8200
targetPort: 8200
appProtocol: HTTP
- name: https-internal
port: 8201
targetPort: 8201
selector:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server


@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: openbao-csi-provider
namespace: openbao
labels:
app.kubernetes.io/name: openbao-csi-provider
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm


@@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: openbao-snapshot
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm


@@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: openbao
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm


@@ -0,0 +1,31 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: openbao
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
release: prometheus
spec:
selector:
matchLabels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
openbao-active: "true"
endpoints:
- port: http
interval: 30s
scrapeTimeout: 10s
scheme: http
path: /v1/sys/metrics
params:
format:
- prometheus
tlsConfig:
insecureSkipVerify: true
namespaceSelector:
matchNames:
- openbao


@@ -0,0 +1,162 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: openbao
namespace: openbao
labels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
spec:
serviceName: openbao-internal
podManagementPolicy: OrderedReady
replicas: 3
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server
template:
metadata:
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
component: server
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: "openbao"
component: server
topologyKey: kubernetes.io/hostname
terminationGracePeriodSeconds: 10
serviceAccountName: openbao
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 100
fsGroup: 1000
hostNetwork: false
volumes:
- name: config
configMap:
name: openbao-config
- name: home
emptyDir: {}
containers:
- name: openbao
resources:
requests:
cpu: 50m
memory: 500Mi
image: "quay.io/openbao/openbao:2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878"
imagePullPolicy: IfNotPresent
command:
- "/bin/sh"
- "-ec"
args:
- "cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;\n[ -n \"${HOST_IP}\" ] && sed -Ei \"s|HOST_IP|${HOST_IP?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${POD_IP}\" ] && sed -Ei \"s|POD_IP|${POD_IP?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${HOSTNAME}\" ] && sed -Ei \"s|HOSTNAME|${HOSTNAME?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${API_ADDR}\" ] && sed -Ei \"s|API_ADDR|${API_ADDR?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${TRANSIT_ADDR}\" ] && sed -Ei \"s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${RAFT_ADDR}\" ] && sed -Ei \"s|RAFT_ADDR|${RAFT_ADDR?}|g\" /tmp/storageconfig.hcl;\n/usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl \n"
securityContext:
allowPrivilegeEscalation: false
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: BAO_K8S_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: BAO_K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: BAO_ADDR
value: "http://127.0.0.1:8200"
- name: BAO_API_ADDR
value: "http://$(POD_IP):8200"
- name: SKIP_CHOWN
value: "true"
- name: SKIP_SETCAP
value: "true"
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: BAO_CLUSTER_ADDR
value: "https://$(HOSTNAME).openbao-internal:8201"
- name: HOME
value: "/home/openbao"
volumeMounts:
- name: audit
mountPath: /openbao/audit
- name: data
mountPath: /openbao/data
- name: config
mountPath: /openbao/config
- name: home
mountPath: /home/openbao
ports:
- containerPort: 8200
name: http
- containerPort: 8201
name: https-internal
- containerPort: 8202
name: http-rep
readinessProbe:
exec:
command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"]
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
livenessProbe:
httpGet:
path: "/v1/sys/health?standbyok=true"
port: 8200
scheme: HTTP
failureThreshold: 2
initialDelaySeconds: 60
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
lifecycle:
preStop:
exec:
command: ["/bin/sh", "-c", "sleep 5 && kill -SIGTERM $(pidof bao)"]
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: ceph-block
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audit
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: ceph-block
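Review bot: The server container's `securityContext` sets only `allowPrivilegeEscalation: false`; `capabilities: {drop: [ALL]}` and `readOnlyRootFilesystem: true` are missing, although nothing here needs a capability — the pod already runs as UID 100 and `SKIP_SETCAP`/`SKIP_CHOWN` are `"true"`. The startup command writes only `/tmp/storageconfig.hcl`, so a read-only root filesystem should work once `/tmp` is backed by a small `emptyDir`, but verify against the image entrypoint before enabling it. As a point of style, the `args` entry is a single `\n`-escaped string that is hard to review; since this is chart output, the readable fix is in the chart values rather than here.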


@@ -0,0 +1,22 @@
apiVersion: gateway.networking.k8s.io/v1
kind: TLSRoute
metadata:
name: openbao
namespace: openbao
labels:
helm.sh/chart: openbao-0.27.1
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
spec:
hostnames:
- "vault.alexlebens.net"
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
rules:
- backendRefs:
- name: openbao-active
port: 8200
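Review bot: This route serves `vault.alexlebens.net`, while every other place this commit names the external endpoint — the `openbao` CNAME in the zone, the Gatus check and the homepage entry — uses `openbao.alexlebens.net`, and Gatus already monitors `https://vault.alexlebens.net` as the existing `vault` service. Unless the old Vault route is retired in a change not shown here, this hostname either collides with it or leaves `openbao.alexlebens.net` unrouted so the new check and link fail; the consistent choice is `- "openbao.alexlebens.net"`. Note also that the backend `openbao-active:8200` is a plaintext listener (`tls_disable = 1` in `openbao-config`), so this TLSRoute only works if the `traefik-gateway` listener terminates TLS rather than passing it through — worth confirming.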


@@ -0,0 +1,16 @@
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: secrets-store.csi.k8s.io
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
spec:
podInfoOnMount: true
attachRequired: false
volumeLifecycleModes:
- Ephemeral


@@ -0,0 +1,27 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: secretproviderclasses-admin-role
rules:
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasses
verbs:
- get
- list
- watch
- create
- update
- patch
- delete


@@ -0,0 +1,65 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secretproviderclasses-role
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasses
verbs:
- get
- list
- watch
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasspodstatuses
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasspodstatuses/status
verbs:
- get
- patch
- update
- apiGroups:
- storage.k8s.io
resourceNames:
- secrets-store.csi.k8s.io
resources:
- csidrivers
verbs:
- get
- list
- watch


@@ -0,0 +1,22 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: secretproviderclasses-viewer-role
rules:
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasses
verbs:
- get
- list
- watch


@@ -0,0 +1,22 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: secretproviderclasspodstatuses-viewer-role
rules:
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasspodstatuses
verbs:
- get
- list
- watch


@@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secrets-store-csi-driver-keep-crds
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
annotations:
helm.sh/hook: pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "2"
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "patch"]


@@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secrets-store-csi-driver-upgrade-crds
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "1"
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "create", "update", "patch"]

@@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: secretproviderclasses-rolebinding
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: secretproviderclasses-role
subjects:
- kind: ServiceAccount
name: secrets-store-csi-driver
namespace: secrets-store-csi-driver

@@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: secrets-store-csi-driver-keep-crds
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
annotations:
helm.sh/hook: pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "2"
subjects:
- kind: ServiceAccount
name: secrets-store-csi-driver-keep-crds
namespace: secrets-store-csi-driver
roleRef:
kind: ClusterRole
name: secrets-store-csi-driver-keep-crds
apiGroup: rbac.authorization.k8s.io

@@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: secrets-store-csi-driver-upgrade-crds
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "1"
subjects:
- kind: ServiceAccount
name: secrets-store-csi-driver-upgrade-crds
namespace: secrets-store-csi-driver
roleRef:
kind: ClusterRole
name: secrets-store-csi-driver-upgrade-crds
apiGroup: rbac.authorization.k8s.io

@@ -0,0 +1,180 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.3
name: secretproviderclasses.secrets-store.csi.x-k8s.io
spec:
group: secrets-store.csi.x-k8s.io
names:
kind: SecretProviderClass
listKind: SecretProviderClassList
plural: secretproviderclasses
singular: secretproviderclass
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: SecretProviderClass is the Schema for the secretproviderclasses API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: SecretProviderClassSpec defines the desired state of SecretProviderClass
properties:
parameters:
additionalProperties:
type: string
description: Configuration for specific provider
type: object
provider:
description: Configuration for provider name
type: string
secretObjects:
items:
description: SecretObject defines the desired state of synced K8s secret objects
properties:
annotations:
additionalProperties:
type: string
description: annotations of k8s secret object
type: object
data:
items:
description: SecretObjectData defines the desired state of synced K8s secret object data
properties:
key:
description: data field to populate
type: string
objectName:
description: name of the object to sync
type: string
type: object
type: array
labels:
additionalProperties:
type: string
description: labels of K8s secret object
type: object
secretName:
description: name of the K8s secret object
type: string
type:
description: type of K8s secret object
type: string
type: object
type: array
type: object
status:
description: SecretProviderClassStatus defines the observed state of SecretProviderClass
type: object
type: object
served: true
storage: true
- deprecated: true
deprecationWarning: secrets-store.csi.x-k8s.io/v1alpha1 is deprecated. Use secrets-store.csi.x-k8s.io/v1 instead.
name: v1alpha1
schema:
openAPIV3Schema:
description: SecretProviderClass is the Schema for the secretproviderclasses API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: SecretProviderClassSpec defines the desired state of SecretProviderClass
properties:
parameters:
additionalProperties:
type: string
description: Configuration for specific provider
type: object
provider:
description: Configuration for provider name
type: string
secretObjects:
items:
description: SecretObject defines the desired state of synced K8s secret objects
properties:
annotations:
additionalProperties:
type: string
description: annotations of k8s secret object
type: object
data:
items:
description: SecretObjectData defines the desired state of synced K8s secret object data
properties:
key:
description: data field to populate
type: string
objectName:
description: name of the object to sync
type: string
type: object
type: array
labels:
additionalProperties:
type: string
description: labels of K8s secret object
type: object
secretName:
description: name of the K8s secret object
type: string
type:
description: type of K8s secret object
type: string
type: object
type: array
type: object
status:
description: SecretProviderClassStatus defines the observed state of SecretProviderClass
properties:
byPod:
items:
description: |-
ByPodStatus defines the state of SecretProviderClass as seen by
an individual controller
properties:
id:
description: id of the pod that wrote the status
type: string
namespace:
description: namespace of the pod that wrote the status
type: string
type: object
type: array
type: object
type: object
served: true
storage: false

@@ -0,0 +1,110 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.16.3
name: secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io
spec:
group: secrets-store.csi.x-k8s.io
names:
kind: SecretProviderClassPodStatus
listKind: SecretProviderClassPodStatusList
plural: secretproviderclasspodstatuses
singular: secretproviderclasspodstatus
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: SecretProviderClassPodStatus is the Schema for the secretproviderclassespodstatus API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
status:
description: SecretProviderClassPodStatusStatus defines the observed state of SecretProviderClassPodStatus
properties:
mounted:
type: boolean
objects:
items:
description: SecretProviderClassObject defines the object fetched from external secrets store
properties:
id:
type: string
version:
type: string
type: object
type: array
podName:
type: string
secretProviderClassName:
type: string
targetPath:
type: string
type: object
type: object
served: true
storage: true
- deprecated: true
name: v1alpha1
schema:
openAPIV3Schema:
description: SecretProviderClassPodStatus is the Schema for the secretproviderclassespodstatus API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
status:
description: SecretProviderClassPodStatusStatus defines the observed state of SecretProviderClassPodStatus
properties:
mounted:
type: boolean
objects:
items:
description: SecretProviderClassObject defines the object fetched from external secrets store
properties:
id:
type: string
version:
type: string
type: object
type: array
podName:
type: string
secretProviderClassName:
type: string
targetPath:
type: string
type: object
type: object
served: true
storage: false

@@ -0,0 +1,153 @@
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: secrets-store-csi-driver
namespace: secrets-store-csi-driver
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
spec:
selector:
matchLabels:
app: secrets-store-csi-driver
updateStrategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
annotations:
kubectl.kubernetes.io/default-container: secrets-store
spec:
automountServiceAccountToken: true
serviceAccountName: secrets-store-csi-driver
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: type
operator: NotIn
values:
- virtual-kubelet
containers:
- name: node-driver-registrar
image: "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.16.0@sha256:ab482308a4921e28a6df09a16ab99a457e9af9641ff44fb1be1a690d07ce8b70"
args:
- --v=5
- --csi-address=/csi/csi.sock
- --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock
imagePullPolicy: IfNotPresent
volumeMounts:
- name: plugin-dir
mountPath: /csi
- name: registration-dir
mountPath: /registration
resources:
limits: {}
requests:
cpu: 10m
memory: 20Mi
- name: secrets-store
image: "registry.k8s.io/csi-secrets-store/driver:v1.5.6@sha256:6df2b3b3817136d2ade3d53306dbbd98385c1c01e8b3c373192c0e5b8d183f7b"
args:
- "--endpoint=$(CSI_ENDPOINT)"
- "--nodeid=$(KUBE_NODE_NAME)"
- "--provider-volume=/var/run/secrets-store-csi-providers"
- "--additional-provider-volume-paths=/etc/kubernetes/secrets-store-csi-providers"
- "--metrics-addr=:8095"
- "--provider-health-check-interval=2m"
- "--max-call-recv-msg-size=4194304"
env:
- name: CSI_ENDPOINT
value: unix:///csi/csi.sock
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
ports:
- containerPort: 9808
name: healthz
protocol: TCP
- containerPort: 8095
name: metrics
protocol: TCP
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 30
timeoutSeconds: 10
periodSeconds: 15
volumeMounts:
- name: plugin-dir
mountPath: /csi
- name: mountpoint-dir
mountPath: /var/lib/kubelet/pods
mountPropagation: Bidirectional
- name: providers-dir
mountPath: /var/run/secrets-store-csi-providers
- name: providers-dir-0
mountPath: "/etc/kubernetes/secrets-store-csi-providers"
resources:
limits: {}
requests:
cpu: 10m
memory: 100Mi
- name: liveness-probe
image: "registry.k8s.io/sig-storage/livenessprobe:v2.18.0@sha256:c4cc074199c045dd73ab85f28897e2a32f4d6f38ffdba4f3b13b8007ccbd3570"
imagePullPolicy: IfNotPresent
args:
- --csi-address=/csi/csi.sock
- --probe-timeout=3s
- --http-endpoint=0.0.0.0:9808
- -v=2
volumeMounts:
- name: plugin-dir
mountPath: /csi
resources:
limits: {}
requests:
cpu: 10m
memory: 20Mi
volumes:
- name: mountpoint-dir
hostPath:
path: /var/lib/kubelet/pods
type: DirectoryOrCreate
- name: registration-dir
hostPath:
path: /var/lib/kubelet/plugins_registry/
type: Directory
- name: plugin-dir
hostPath:
path: /var/lib/kubelet/plugins/csi-secrets-store/
type: DirectoryOrCreate
- name: providers-dir
hostPath:
path: /var/run/secrets-store-csi-providers
type: DirectoryOrCreate
- name: providers-dir-0
hostPath:
path: "/etc/kubernetes/secrets-store-csi-providers"
type: DirectoryOrCreate
nodeSelector:
kubernetes.io/os: linux
tolerations:
- operator: Exists
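Review bot: All three containers set `limits: {}`, so the `secrets-store` container, which runs `privileged: true` and mounts `/var/lib/kubelet/pods` with `mountPropagation: Bidirectional`, has no CPU or memory ceiling on any node, and with `tolerations: - operator: Exists` that includes control-plane and otherwise tainted nodes. The privileged context and bidirectional propagation look inherent to a CSI node plugin, but the missing limits are not; set them through the chart's resources values, e.g. `limits: {cpu: 200m, memory: 200Mi}` for `secrets-store`, sized against the metrics exposed on port 8095. The `node-driver-registrar` also runs at `--v=5`, a high verbosity for a long-lived node agent; once registration is known to work, `--v=2` (the level the `liveness-probe` container already uses) is presumably sufficient — confirm nothing downstream scrapes those log lines.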

@@ -0,0 +1,39 @@
apiVersion: batch/v1
kind: Job
metadata:
name: secrets-store-csi-driver-keep-crds
namespace: secrets-store-csi-driver
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
annotations:
helm.sh/hook: pre-upgrade
helm.sh/hook-weight: "20"
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
spec:
backoffLimit: 3
template:
metadata:
name: secrets-store-csi-driver-keep-crds
spec:
serviceAccountName: secrets-store-csi-driver-keep-crds
restartPolicy: Never
containers:
- name: crds-keep
image: "registry.k8s.io/csi-secrets-store/driver-crds:v1.5.6@sha256:d40d9212beb62ee0f9f09b75d024ed807816879f38e75eca309497c3df89568c"
args:
- patch
- crd
- secretproviderclasses.secrets-store.csi.x-k8s.io
- secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io
- -p
- '{"metadata":{"annotations": {"helm.sh/resource-policy": "keep"}}}'
imagePullPolicy: IfNotPresent
nodeSelector:
kubernetes.io/os: linux
tolerations:
- operator: Exists

@@ -0,0 +1,36 @@
apiVersion: batch/v1
kind: Job
metadata:
name: secrets-store-csi-driver-upgrade-crds
namespace: secrets-store-csi-driver
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-weight: "10"
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
spec:
backoffLimit: 3
template:
metadata:
name: secrets-store-csi-driver-upgrade-crds
spec:
serviceAccountName: secrets-store-csi-driver-upgrade-crds
restartPolicy: Never
containers:
- name: crds-upgrade
image: "registry.k8s.io/csi-secrets-store/driver-crds:v1.5.6@sha256:d40d9212beb62ee0f9f09b75d024ed807816879f38e75eca309497c3df89568c"
args:
- apply
- -f
- crds/
imagePullPolicy: IfNotPresent
nodeSelector:
kubernetes.io/os: linux
tolerations:
- operator: Exists
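Review bot: `backoffLimit: 3` retries a failed apply, but nothing bounds a pod that hangs against the API server, so a stuck pre-install/pre-upgrade hook blocks the Helm release indefinitely; add `activeDeadlineSeconds: 300` next to `backoffLimit` so the hook fails instead. The pod template also has no `securityContext`; whether the `driver-crds` image runs as non-root is not visible here, but a `kubectl`-only job has no reason to need root, so `runAsNonRoot: true` at pod level is worth trying. Both settings would go through the chart values if exposed there, since this file is rendered output.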

@@ -0,0 +1,16 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: secrets-store-csi-driver-keep-crds
namespace: secrets-store-csi-driver
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
annotations:
helm.sh/hook: pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "2"

@@ -0,0 +1,16 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: secrets-store-csi-driver-upgrade-crds
namespace: secrets-store-csi-driver
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "1"

@@ -0,0 +1,12 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: secrets-store-csi-driver
namespace: secrets-store-csi-driver
labels:
app.kubernetes.io/instance: "secrets-store-csi-driver"
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/name: "secrets-store-csi-driver"
app.kubernetes.io/version: "1.5.6"
app: secrets-store-csi-driver
helm.sh/chart: "secrets-store-csi-driver-1.5.6"