feat: migrate to openbao

2026-04-19 20:02:09 -05:00
parent 775f408383
commit 8f3e489e94
27 changed files with 78 additions and 100 deletions
--- a/clusters/cl01tl/helm/argocd/Chart.lock
+++ b/clusters/cl01tl/helm/argocd/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
  repository: https://argoproj.github.io/argo-helm
-  version: 9.5.1
-digest: sha256:52a9bcfdc287dac30b8833cd34654b7e62c864aa3d23bda7644a8acf5f75eb78
-generated: "2026-04-16T15:57:15.168206017Z"
+  version: 9.5.2
+digest: sha256:5d9e6405ee944bf94df6af247164ebb9b8899144853b9a7eafabe8606affe84e
+generated: "2026-04-19T19:53:40.43789-05:00"
--- a/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/argocd/templates/external-secret.yaml
@@ -1,70 +1,42 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-oidc-secret
+  name: argocd-oidc-authentik
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: argocd-oidc-secret
+    app.kubernetes.io/name: {{ .Template.Name }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: secret
      remoteRef:
-        key: /authentik/oidc/argocd
+        key: /cl01tl/authentik/oidc/argocd
        property: secret
    - secretKey: client
      remoteRef:
-        key: /authentik/oidc/argocd
+        key: /cl01tk/authentik/oidc/argocd
        property: client

 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-notifications-secret
+  name: argocd-notifications-ntfy
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: argocd-notifications-secret
+    app.kubernetes.io/name: {{ .Template.Name }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: ntfy-token
      remoteRef:
-        key: /ntfy/user/cl01tl
+        key: /cl01tl/ntfy/users/cl01tl
        property: token
-
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: argocd-gitea-repo-infrastructure-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: type
-      remoteRef:
-        key: /cl01tl/argocd/credentials/repo/infrastructure
-        property: type
-    - secretKey: url
-      remoteRef:
-        key: /cl01tl/argocd/credentials/repo/infrastructure
-        property: url
-    - secretKey: sshPrivateKey
-      remoteRef:
-        key: /cl01tl/argocd/credentials/repo/infrastructure
-        property: sshPrivateKey
--- a/clusters/cl01tl/helm/argocd/values.yaml
+++ b/clusters/cl01tl/helm/argocd/values.yaml
@@ -13,8 +13,8 @@ argo-cd:
        connectors:
        - config:
            issuer: https://authentik.alexlebens.net/application/o/argocd/
-            clientID: $argocd-oidc-secret:client
-            clientSecret: $argocd-oidc-secret:secret
+            clientID: $argocd-oidc-authentik:client
+            clientSecret: $argocd-oidc-authentik:secret
            insecureEnableGroups: true
            scopes:
              - openid
@@ -205,7 +205,7 @@ argo-cd:
    argocdUrl: https://argocd.alexlebens.net
    secret:
      create: false
-      name: argocd-notifications-secret
+      name: argocd-notifications-ntfy
    metrics:
      enabled: true
      serviceMonitor: