diff --git a/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml b/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
index 9ecb730d3..a6ac7e692 100644
--- a/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
@@ -15,9 +15,13 @@ spec:
 mergePolicy: Merge
 engineVersion: v2
 data:
- ntfy-url: "{{ `{{ .endpoint }}` }}/audiobookshelf"
+ ntfy-url: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}"
 data:
 - secretKey: endpoint
 remoteRef:
 key: /cl01tl/ntfy/users/cl01tl
 property: internal-endpoint-credential
+ - secretKey: topic
+ remoteRef:
+ key: /cl01tl/ntfy/topics
+ property: audiobookshelf
diff --git a/clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml b/clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml
index e7f624514..6ce5e9896 100644
--- a/clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/qbittorrent/templates/external-secret.yaml
@@ -15,12 +15,16 @@ spec:
 mergePolicy: Merge
 engineVersion: v2
 data:
- ntfy-url: "{{ `{{ .endpoint }}` }}/qbit-manage"
+ ntfy-url: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}"
 data:
 - secretKey: endpoint
 remoteRef:
 key: /cl01tl/ntfy/users/cl01tl
 property: internal-endpoint-credential
+ - secretKey: topic
+ remoteRef:
+ key: /cl01tl/ntfy/topics
+ property: qbit-manage

 ---
 apiVersion: external-secrets.io/v1
diff --git a/clusters/cl01tl/helm/talos/templates/external-secret.yaml b/clusters/cl01tl/helm/talos/templates/external-secret.yaml
index 77d47b660..f319406c2 100644
--- a/clusters/cl01tl/helm/talos/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/talos/templates/external-secret.yaml
@@ -114,5 +114,5 @@ spec:
 property: internal-endpoint
 - secretKey: NTFY_TOPIC
 remoteRef:
- key: /cl01tl/talos/ntfy
- property: topic
+ key: /cl01tl/ntfy/topics
+ property: talos
diff --git a/clusters/cl01tl/helm/talos/values.yaml b/clusters/cl01tl/helm/talos/values.yaml
index a704768bc..925e9ce20 100644
--- a/clusters/cl01tl/helm/talos/values.yaml
+++ b/clusters/cl01tl/helm/talos/values.yaml
@@ -279,7 +279,7 @@ etcd-backup:
 s3-prune:
 - path: /scripts/prune.sh
 subPath: prune.sh
- s3cmd-config-local:
+ etcd-backup-local-config:
 type: custom
 volumeSpec:
 csi:
@@ -294,7 +294,7 @@ etcd-backup:
 readOnly: true
 mountPropagation: None
 subPath: .s3cfg
- s3cmd-config-remote:
+ etcd-backup-remote-config:
 type: custom
 volumeSpec:
 csi:
@@ -309,7 +309,7 @@ etcd-backup:
 readOnly: true
 mountPropagation: None
 subPath: .s3cfg
- s3cmd-config-external:
+ etcd-backup-external-config:
 type: custom
 volumeSpec:
 csi:
diff --git a/clusters/cl01tl/helm/tdarr/templates/_helpers.tpl b/clusters/cl01tl/helm/tdarr/templates/_helpers.tpl
index 10688fcef..dc9e48d49 100644
--- a/clusters/cl01tl/helm/tdarr/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/tdarr/templates/_helpers.tpl
@@ -12,3 +12,10 @@ Selector labels
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.storageNfsName" -}}
+tdarr-nfs-storage
+{{- end -}}
diff --git a/clusters/cl01tl/helm/tdarr/templates/persistent-volume-claim.yaml b/clusters/cl01tl/helm/tdarr/templates/persistent-volume-claim.yaml
index 4b76fae0b..7652a28b7 100644
--- a/clusters/cl01tl/helm/tdarr/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/tdarr/templates/persistent-volume-claim.yaml
@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
- name: tdarr-nfs-storage
+ name: {{ include "custom.storageNfsName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: tdarr-nfs-storage
+ app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
 {{- include "custom.labels" . | nindent 4 }}
 spec:
- volumeName: tdarr-nfs-storage
+ volumeName: {{ include "custom.storageNfsName" . }}
 storageClassName: nfs-client
 accessModes:
 - ReadWriteMany
diff --git a/clusters/cl01tl/helm/tdarr/templates/persistent-volume.yaml b/clusters/cl01tl/helm/tdarr/templates/persistent-volume.yaml
index 7417aefd8..7ce8d62aa 100644
--- a/clusters/cl01tl/helm/tdarr/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/tdarr/templates/persistent-volume.yaml
@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
- name: tdarr-nfs-storage
+ name: {{ include "custom.storageNfsName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: tdarr-nfs-storage
+ app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 persistentVolumeReclaimPolicy: Retain
diff --git a/clusters/cl01tl/helm/traefik/templates/namespace.yaml b/clusters/cl01tl/helm/traefik/templates/namespace.yaml
index a053774e0..bbbe36926 100644
--- a/clusters/cl01tl/helm/traefik/templates/namespace.yaml
+++ b/clusters/cl01tl/helm/traefik/templates/namespace.yaml
@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: traefik
+ name: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: traefik
+ app.kubernetes.io/name: {{ .Release.Namespace }}
 {{- include "custom.labels" . | nindent 4 }}
 pod-security.kubernetes.io/audit: privileged
 pod-security.kubernetes.io/enforce: privileged
diff --git a/clusters/cl01tl/helm/tubearchivist/templates/_helpers.tpl b/clusters/cl01tl/helm/tubearchivist/templates/_helpers.tpl
index 10688fcef..7e116efdd 100644
--- a/clusters/cl01tl/helm/tubearchivist/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/tubearchivist/templates/_helpers.tpl
@@ -12,3 +12,13 @@ Selector labels
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.storageNfsName" -}}
+tubearchivist-nfs-storage
+{{- end -}}
+{{- define "custom.storageSnapshotNfsName" -}}
+tubearchivist-snapshot-nfs-storage
+{{- end -}}
diff --git a/clusters/cl01tl/helm/tubearchivist/templates/elasticsearch.yaml b/clusters/cl01tl/helm/tubearchivist/templates/elasticsearch.yaml
index 1836d11ba..4087eb4d0 100644
--- a/clusters/cl01tl/helm/tubearchivist/templates/elasticsearch.yaml
+++ b/clusters/cl01tl/helm/tubearchivist/templates/elasticsearch.yaml
@@ -11,7 +11,7 @@ spec:
 version: 9.3.3
 auth:
 fileRealm:
- - secretName: tubearchivist-elasticsearch-secret
+ - secretName: tubearchivist-elasticsearch-config
 nodeSets:
 - name: default
 count: 2
@@ -21,14 +21,14 @@ spec:
 podTemplate:
 spec:
 volumes:
- - name: tubearchivist-snapshot-nfs-storage
+ - name: {{ include "custom.storageSnapshotNfsName" . }}
 nfs:
 path: /volume2/Storage/TubeArchivist
 server: synologybond.alexlebens.net
 containers:
 - name: elasticsearch
 volumeMounts:
- - name: tubearchivist-snapshot-nfs-storage
+ - name: {{ include "custom.storageSnapshotNfsName" . }}
 mountPath: /usr/share/elasticsearch/data/snapshot
 volumeClaimTemplates:
 - metadata:
diff --git a/clusters/cl01tl/helm/tubearchivist/templates/external-secret.yaml b/clusters/cl01tl/helm/tubearchivist/templates/external-secret.yaml
index a1ff4fb23..913a05819 100644
--- a/clusters/cl01tl/helm/tubearchivist/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/tubearchivist/templates/external-secret.yaml
@@ -1,38 +1,38 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: tubearchivist-config-secret
+ name: tubearchivist-config
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: tubearchivist-config-secret
+ app.kubernetes.io/name: tubearchivist-config
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
 - secretKey: ELASTIC_PASSWORD
 remoteRef:
- key: /cl01tl/tubearchivist/env
- property: ELASTIC_PASSWORD
+ key: /cl01tl/tubearchivist/elasticsearch
+ property: password
 - secretKey: TA_PASSWORD
 remoteRef:
- key: /cl01tl/tubearchivist/env
- property: TA_PASSWORD
+ key: /cl01tl/tubearchivist/config
+ property: password

 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: tubearchivist-elasticsearch-secret
+ name: tubearchivist-elasticsearch-config
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: tubearchivist-elasticsearch-secret
+ app.kubernetes.io/name: tubearchivist-elasticsearch-config
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
 - secretKey: username
 remoteRef:
@@ -51,29 +51,29 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: tubearchivist-wireguard-conf
+ name: protonvpn-wireguard-conf
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: tubearchivist-wireguard-conf
+ app.kubernetes.io/name: protonvpn-wireguard-conf
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
+ - secretKey: conf
+ remoteRef:
+ key: /protonvpn/config
+ property: conf
+ - secretKey: email
+ remoteRef:
+ key: /protonvpn/config
+ property: email
+ - secretKey: password
+ remoteRef:
+ key: /protonvpn/config
+ property: password
 - secretKey: private-key
 remoteRef:
- key: /airvpn/conf/cl01tl
+ key: /protonvpn/config
 property: private-key
- - secretKey: preshared-key
- remoteRef:
- key: /airvpn/conf/cl01tl
- property: preshared-key
- - secretKey: addresses
- remoteRef:
- key: /airvpn/conf/cl01tl
- property: addresses
- - secretKey: input-ports
- remoteRef:
- key: /airvpn/conf/cl01tl
- property: input-ports
diff --git a/clusters/cl01tl/helm/tubearchivist/templates/namespace.yaml b/clusters/cl01tl/helm/tubearchivist/templates/namespace.yaml
index d5f39b622..bbbe36926 100644
--- a/clusters/cl01tl/helm/tubearchivist/templates/namespace.yaml
+++ b/clusters/cl01tl/helm/tubearchivist/templates/namespace.yaml
@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: tubearchivist
+ name: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: tubearchivist
+ app.kubernetes.io/name: {{ .Release.Namespace }}
 {{- include "custom.labels" . | nindent 4 }}
 pod-security.kubernetes.io/audit: privileged
 pod-security.kubernetes.io/enforce: privileged
diff --git a/clusters/cl01tl/helm/tubearchivist/templates/persistent-volume-claim.yaml b/clusters/cl01tl/helm/tubearchivist/templates/persistent-volume-claim.yaml
index 831e2ac58..7652a28b7 100644
--- a/clusters/cl01tl/helm/tubearchivist/templates/persistent-volume-claim.yaml
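Review bot: The protonvpn-wireguard-conf ExternalSecret now syncs `conf`, `email` and `password` from `/protonvpn/config` into the namespace, but the only consumer visible in this commit — the gluetun env block in values.yaml (hunk `@@ -53,26 +53,16 @@`) — reads just `private-key`. Account credentials that no workload mounts are pure exposure: anyone who can read Secrets in the tubearchivist namespace gets the VPN account login, and the cluster gains nothing from it. Unless another template outside this diff consumes them, reduce the data list to `- secretKey: private-key` alone, or add a comment above the extra entries naming the consumer; `conf` deserves the same question, since it presumably holds the full WireGuard configuration including the key.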
+++ b/clusters/cl01tl/helm/tubearchivist/templates/persistent-volume-claim.yaml
@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
- name: tubearchivist-nfs-storage
+ name: {{ include "custom.storageNfsName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: tubearchivist-nfs-storage
+ app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
 {{- include "custom.labels" . | nindent 4 }}
 spec:
- volumeName: tubearchivist-nfs-storage
+ volumeName: {{ include "custom.storageNfsName" . }}
 storageClassName: nfs-client
 accessModes:
 - ReadWriteMany
diff --git a/clusters/cl01tl/helm/tubearchivist/templates/persistent-volume.yaml b/clusters/cl01tl/helm/tubearchivist/templates/persistent-volume.yaml
index c0946d4ed..f537e7401 100644
--- a/clusters/cl01tl/helm/tubearchivist/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/tubearchivist/templates/persistent-volume.yaml
@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
- name: tubearchivist-nfs-storage
+ name: {{ include "custom.storageNfsName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: tubearchivist-nfs-storage
+ app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 persistentVolumeReclaimPolicy: Retain
diff --git a/clusters/cl01tl/helm/tubearchivist/values.yaml b/clusters/cl01tl/helm/tubearchivist/values.yaml
index f71d06a66..109096d2f 100644
--- a/clusters/cl01tl/helm/tubearchivist/values.yaml
+++ b/clusters/cl01tl/helm/tubearchivist/values.yaml
@@ -34,7 +34,7 @@ tubearchivist:
 value: admin
 envFrom:
 - secretRef:
- name: tubearchivist-config-secret
+ name: tubearchivist-config
 resources:
 requests:
 cpu: 10m
@@ -53,26 +53,16 @@ tubearchivist:
 command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
 env:
 - name: VPN_SERVICE_PROVIDER
- value: airvpn
+ value: protonvpn
 - name: VPN_TYPE
 value: wireguard
 - name: WIREGUARD_PRIVATE_KEY
 valueFrom:
 secretKeyRef:
- name: tubearchivist-wireguard-conf
+ name: protonvpn-wireguard-conf
 key: private-key
- - name: WIREGUARD_PRESHARED_KEY
- valueFrom:
- secretKeyRef:
- name: tubearchivist-wireguard-conf
- key: preshared-key
- - name: WIREGUARD_ADDRESSES
- valueFrom:
- secretKeyRef:
- name: tubearchivist-wireguard-conf
- key: addresses
 - name: FIREWALL_OUTBOUND_SUBNETS
- value: 10.0.0.0/8
+ value: 192.168.1.0/24,10.244.0.0/16
 - name: FIREWALL_INPUT_PORTS
 value: 80,8000,24000
 - name: DNS_UPSTREAM_RESOLVER_TYPE
diff --git a/clusters/cl01tl/helm/unpackerr/templates/_helpers.tpl b/clusters/cl01tl/helm/unpackerr/templates/_helpers.tpl
index 10688fcef..7764bbd80 100644
--- a/clusters/cl01tl/helm/unpackerr/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/unpackerr/templates/_helpers.tpl
@@ -12,3 +12,10 @@ Selector labels
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.storageNfsName" -}}
+unpackerr-nfs-storage
+{{- end -}}
diff --git a/clusters/cl01tl/helm/unpackerr/templates/external-secret.yaml b/clusters/cl01tl/helm/unpackerr/templates/external-secret.yaml
index 16d085afd..21bf6b1ca 100644
--- a/clusters/cl01tl/helm/unpackerr/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/unpackerr/templates/external-secret.yaml
@@ -1,45 +1,45 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: unpackerr-key-secret
+ name: unpackerr-key-config
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: unpackerr-key-secret
+ app.kubernetes.io/name: unpackerr-key-config
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
 - secretKey: UN_SONARR_0_API_KEY
 remoteRef:
- key: /cl01tl/sonarr4/key
+ key: /cl01tl/sonarr/key
 property: key
 - secretKey: UN_SONARR_1_API_KEY
 remoteRef:
- key: /cl01tl/sonarr4-4k/key
+ key: /cl01tl/sonarr-4k/key
 property: key
 - secretKey: UN_SONARR_2_API_KEY
 remoteRef:
- key: /cl01tl/sonarr4-anime/key
+ key: /cl01tl/sonarr-anime/key
 property: key
 - secretKey: UN_RADARR_0_API_KEY
 remoteRef:
- key: /cl01tl/radarr5/key
+ key: /cl01tl/radarr/key
 property: key
 - secretKey: UN_RADARR_1_API_KEY
 remoteRef:
- key: /cl01tl/radarr5-4k/key
+ key: /cl01tl/radarr-4k/key
 property: key
 - secretKey: UN_RADARR_2_API_KEY
 remoteRef:
- key: /cl01tl/radarr5-anime/key
+ key: /cl01tl/radarr-anime/key
 property: key
 - secretKey: UN_RADARR_3_API_KEY
 remoteRef:
- key: /cl01tl/radarr5-standup/key
+ key: /cl01tl/radarr-standup/key
 property: key
 - secretKey: UN_LIDARR_0_API_KEY
 remoteRef:
- key: /cl01tl/lidarr2/key
+ key: /cl01tl/lidarr/key
 property: key
diff --git a/clusters/cl01tl/helm/unpackerr/templates/persistent-volume-claim.yaml b/clusters/cl01tl/helm/unpackerr/templates/persistent-volume-claim.yaml
index 5fb701984..7652a28b7 100644
--- a/clusters/cl01tl/helm/unpackerr/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/unpackerr/templates/persistent-volume-claim.yaml
@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
- name: unpackerr-nfs-storage
+ name: {{ include "custom.storageNfsName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: unpackerr-nfs-storage
+ app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
 {{- include "custom.labels" . | nindent 4 }}
 spec:
- volumeName: unpackerr-nfs-storage
+ volumeName: {{ include "custom.storageNfsName" . }}
 storageClassName: nfs-client
 accessModes:
 - ReadWriteMany
diff --git a/clusters/cl01tl/helm/unpackerr/templates/persistent-volume.yaml b/clusters/cl01tl/helm/unpackerr/templates/persistent-volume.yaml
index d633dedd7..7ce8d62aa 100644
--- a/clusters/cl01tl/helm/unpackerr/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/unpackerr/templates/persistent-volume.yaml
@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
- name: unpackerr-nfs-storage
+ name: {{ include "custom.storageNfsName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: unpackerr-nfs-storage
+ app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 persistentVolumeReclaimPolicy: Retain
diff --git a/clusters/cl01tl/helm/unpackerr/values.yaml b/clusters/cl01tl/helm/unpackerr/values.yaml
index 89eed5252..aa89d2c83 100644
--- a/clusters/cl01tl/helm/unpackerr/values.yaml
+++ b/clusters/cl01tl/helm/unpackerr/values.yaml
@@ -52,7 +52,7 @@ unpackerr:
 value: /mnt/store/Torrent/FINISHED/COMPLETED
 envFrom:
 - secretRef:
- name: unpackerr-key-secret
+ name: unpackerr-key-config
 resources:
 requests:
 cpu: 10m
diff --git a/clusters/cl01tl/helm/unpoller/templates/external-secret.yaml b/clusters/cl01tl/helm/unpoller/templates/external-secret.yaml
index 5eb1bb4b2..78b6aa20d 100644
--- a/clusters/cl01tl/helm/unpoller/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/unpoller/templates/external-secret.yaml
@@ -1,21 +1,21 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: unpoller-unifi-secret
+ name: unpoller-unifi-credentials
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: unpoller-unifi-secret
+ app.kubernetes.io/name: unpoller-unifi-credentials
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
 - secretKey: UP_UNIFI_CONTROLLER_0_USER
 remoteRef:
- key: /unifi/auth/cl01tl
+ key: /unifi/users/cl01tl
 property: user
 - secretKey: UP_UNIFI_CONTROLLER_0_PASS
 remoteRef:
- key: /unifi/auth/cl01tl
+ key: /unifi/users/cl01tl
 property: password
diff --git a/clusters/cl01tl/helm/vault/templates/external-secret.yaml b/clusters/cl01tl/helm/vault/templates/external-secret.yaml
index 1f6df90eb..7f133691e 100644
--- a/clusters/cl01tl/helm/vault/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/vault/templates/external-secret.yaml
@@ -1,120 +1,81 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: vault-snapshot-agent-token
+ name: vault-snapshot-agent-role
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: vault-snapshot-agent-token
+ app.kubernetes.io/name: vault-snapshot-agent-role
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
 - secretKey: VAULT_APPROLE_ROLE_ID
 remoteRef:
- key: /cl01tl/vault/snapshot
- property: VAULT_APPROLE_ROLE_ID
+ key: /cl01tl/vault/role/snapshot
+ property: role-id
 - secretKey: VAULT_APPROLE_SECRET_ID
 remoteRef:
- key: /cl01tl/vault/snapshot
- property: VAULT_APPROLE_SECRET_ID
+ key: /cl01tl/vault/role/snapshot
+ property: secret-id

 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: vault-s3cmd-local-config
+ name: vault-backup-local-config
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: vault-s3cmd-local-config
+ app.kubernetes.io/name: vault-backup-local-config
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
- - secretKey: .s3cfg
- remoteRef:
- key: /garage/home-infra/vault-backups
- property: s3cfg-local
 - secretKey: BUCKET
 remoteRef:
 key: /garage/home-infra/vault-backups
- property: BUCKET
+ property: BUCKET_PATH

 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: vault-s3cmd-remote-config
+ name: vault-backup-remote-config
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: vault-s3cmd-remote-config
+ app.kubernetes.io/name: vault-backup-remote-config
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
- - secretKey: .s3cfg
- remoteRef:
- key: /garage/home-infra/vault-backups
- property: s3cfg-remote
 - secretKey: BUCKET
 remoteRef:
 key: /garage/home-infra/vault-backups
- property: BUCKET
+ property: BUCKET_PATH

 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: vault-s3cmd-external-config
+ name: vault-backup-external-config
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: vault-s3cmd-external-config
+ app.kubernetes.io/name: vault-backup-external-config
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
- - secretKey: .s3cfg
- remoteRef:
- key: /digital-ocean/home-infra/vault-backup
- property: s3cfg
 - secretKey: BUCKET
 remoteRef:
 key: /digital-ocean/home-infra/vault-backup
- property: BUCKET
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: vault-backup-ntfy-secret
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: vault-backup-ntfy-secret
- {{- include "custom.labels" . | nindent 4 }}
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: NTFY_TOKEN
- remoteRef:
- key: /ntfy/user/cl01tl
- property: token
- - secretKey: NTFY_ENDPOINT
- remoteRef:
- key: /ntfy/user/cl01tl
- property: endpoint
- - secretKey: NTFY_TOPIC
- remoteRef:
- key: /cl01tl/vault/snapshot
- property: NTFY_TOPIC
+ property: BUCKET_PATH

 ---
 apiVersion: external-secrets.io/v1
@@ -128,24 +89,20 @@ metadata:
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
 - secretKey: ENVIRONMENT
 remoteRef:
 key: /cl01tl/vault/unseal
- property: ENVIRONMENT
+ property: environment
 - secretKey: NODES
 remoteRef:
 key: /cl01tl/vault/unseal
- property: NODES
+ property: nodes
 - secretKey: TOKENS
 remoteRef:
 key: /cl01tl/vault/unseal
- property: TOKENS_1
- - secretKey: NOTIFY_QUEUE_URLS
- remoteRef:
- key: /cl01tl/vault/unseal
- property: NOTIFY_QUEUE_URLS
+ property: tokens-1

 ---
 apiVersion: external-secrets.io/v1
@@ -159,24 +116,20 @@ metadata:
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
 - secretKey: ENVIRONMENT
 remoteRef:
 key: /cl01tl/vault/unseal
- property: ENVIRONMENT
+ property: environment
 - secretKey: NODES
 remoteRef:
 key: /cl01tl/vault/unseal
- property: NODES
+ property: nodes
 - secretKey: TOKENS
 remoteRef:
 key: /cl01tl/vault/unseal
- property: TOKENS_2
- - secretKey: NOTIFY_QUEUE_URLS
- remoteRef:
- key: /cl01tl/vault/unseal
- property: NOTIFY_QUEUE_URLS
+ property: tokens-2

 ---
 apiVersion: external-secrets.io/v1
@@ -190,60 +143,73 @@ metadata:
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
 - secretKey: ENVIRONMENT
 remoteRef:
 key: /cl01tl/vault/unseal
- property: ENVIRONMENT
+ property: environment
 - secretKey: NODES
 remoteRef:
 key: /cl01tl/vault/unseal
- property: NODES
+ property: nodes
 - secretKey: TOKENS
 remoteRef:
 key: /cl01tl/vault/unseal
- property: TOKENS_3
- - secretKey: NOTIFY_QUEUE_URLS
- remoteRef:
- key: /cl01tl/vault/unseal
- property: NOTIFY_QUEUE_URLS
+ property: tokens-3

 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: vault-token
+ name: vault-ntfy-config
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: vault-token
+ app.kubernetes.io/name: vault-ntfy-config
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
- - secretKey: token
+ - secretKey: NTFY_TOKEN
 remoteRef:
- key: /cl01tl/vault/token
+ key: /ntfy/user/cl01tl
 property: token
- - secretKey: unseal_key_1
+ - secretKey: NTFY_ENDPOINT
 remoteRef:
- key: /cl01tl/vault/token
- property: unseal_key_1
- - secretKey: unseal_key_2
+ key: /ntfy/user/cl01tl
+ property: endpoint
+ - secretKey: NTFY_TOPIC
 remoteRef:
- key: /cl01tl/vault/token
- property: unseal_key_2
- - secretKey: unseal_key_3
+ key: /cl01tl/ntfy/topics
+ property: vault
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: vault-ntfy-unseal-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: vault-ntfy-unseal-config
+ {{- include "custom.labels" . | nindent 4 }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: openbao
+ target:
+ template:
+ mergePolicy: Merge
+ engineVersion: v2
+ data:
+ NOTIFY_QUEUE_URLS: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}/?priority=4&tags=vault,unseal&title=Vault+Unsealed"
+ data:
+ - secretKey: endpoint
 remoteRef:
- key: /cl01tl/vault/token
- property: unseal_key_3
- - secretKey: unseal_key_4
+ key: /cl01tl/ntfy/users/cl01tl
+ property: internal-endpoint-credential
+ - secretKey: topic
 remoteRef:
- key: /cl01tl/vault/token
- property: unseal_key_4
- - secretKey: unseal_key_5
- remoteRef:
- key: /cl01tl/vault/token
- property: unseal_key_5
+ key: /cl01tl/ntfy/topics
+ property: vault
diff --git a/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml b/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml
new file mode 100644
index 000000000..97627ac01
--- /dev/null
+++ b/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml
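Review bot: The templated `NOTIFY_QUEUE_URLS` in the new vault-ntfy-unseal-config document renders as `<endpoint>/<topic>/?priority=4&...`, with a slash between the topic and the query string, whereas every other ntfy URL built in this commit is `<endpoint>/<topic>` with nothing after the topic; verify the ntfy server accepts the trailing slash or drop the `/` before `?priority=4`. Separately, `mergePolicy: Merge` makes the resulting Secret carry `endpoint` and `topic` next to `NOTIFY_QUEUE_URLS`, and values.yaml injects this Secret with `envFrom`, so the three unseal pods also receive the credential-bearing endpoint (its property is `internal-endpoint-credential`) as a bare `endpoint` environment variable. If only the composed URL is needed, `mergePolicy: Replace` keeps the raw keys out of the pod environment while the template can still read `.endpoint` and `.topic`.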
@@ -0,0 +1,58 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: vault-backup-local-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: vault-backup-local-config
+ {{- include "custom.labels" . | nindent 4 }}
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: slskd
+ objects: |
+ - objectName: .s3cfg
+ fileName: .s3cfg
+ secretPath: secret/data/garage/home-infra/vault-backups
+ secretKey: s3cfg-local
+
+---
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: vault-backup-remote-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: vault-backup-remote-config
+ {{- include "custom.labels" . | nindent 4 }}
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: slskd
+ objects: |
+ - objectName: .s3cfg
+ fileName: .s3cfg
+ secretPath: secret/data/garage/home-infra/vault-backups
+ secretKey: s3cfg-remote
+
+---
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: vault-backup-external-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: vault-backup-external-config
+ {{- include "custom.labels" . | nindent 4 }}
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: slskd
+ objects: |
+ - objectName: .s3cfg
+ fileName: .s3cfg
+ secretPath: secret/data/digital-ocean/home-infra/vault-backups
+ secretKey: s3cfg
diff --git a/clusters/cl01tl/helm/vault/values.yaml b/clusters/cl01tl/helm/vault/values.yaml
index ef58a705b..41cbb085d 100644
--- a/clusters/cl01tl/helm/vault/values.yaml
+++ b/clusters/cl01tl/helm/vault/values.yaml
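Review bot: All three SecretProviderClasses in this new file authenticate to OpenBao with `roleName: slskd`, which by its name is another application's role; the vault snapshot pods should bind a role whose policy covers only the two backup paths read here (something like `roleName: vault-backup`, whatever the OpenBao side defines), otherwise this pod identity inherits everything slskd's policy grants and a compromise of either workload reaches the other's secrets. The external class also reads `secretPath: secret/data/digital-ocean/home-infra/vault-backups`, while the matching ExternalSecret kept earlier in this commit and the `.s3cfg` entry it removes both use the singular `/digital-ocean/home-infra/vault-backup`; unless the backend really has both paths this looks like a typo that will fail the CSI mount of the external backup job. `baoAddress` is plain `http://`, so the provider's auth exchange and the fetched `.s3cfg` (which presumably holds the S3 access keys) cross that hop unencrypted; if OpenBao exposes a TLS listener, point the classes at it.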
@@ -119,7 +119,7 @@ snapshot:
 - /scripts/snapshot.sh
 envFrom:
 - secretRef:
- name: vault-snapshot-agent-token
+ name: vault-snapshot-agent-role
 env:
 - name: VAULT_ADDR
 value: http://vault-active.vault.svc.cluster.local:8200
@@ -135,12 +135,12 @@ snapshot:
 - /scripts/backup.sh
 envFrom:
 - secretRef:
- name: vault-backup-ntfy-secret
+ name: vault-ntfy-config
 env:
 - name: BUCKET
 valueFrom:
 secretKeyRef:
- name: vault-s3cmd-local-config
+ name: vault-backup-local-config
 key: BUCKET
 - name: TARGET
 value: Local
@@ -155,12 +155,12 @@ snapshot:
 - /scripts/backup.sh
 envFrom:
 - secretRef:
- name: vault-backup-ntfy-secret
+ name: vault-ntfy-config
 env:
 - name: BUCKET
 valueFrom:
 secretKeyRef:
- name: vault-s3cmd-remote-config
+ name: vault-backup-remote-config
 key: BUCKET
 - name: TARGET
 value: Remote
@@ -175,12 +175,12 @@ snapshot:
 - /scripts/backup.sh
 envFrom:
 - secretRef:
- name: vault-backup-ntfy-secret
+ name: vault-ntfy-config
 env:
 - name: BUCKET
 valueFrom:
 secretKeyRef:
- name: vault-s3cmd-external-config
+ name: vault-backup-external-config
 key: BUCKET
 - name: TARGET
 value: External
@@ -211,10 +211,14 @@ snapshot:
 s3-backup-external:
 - path: /scripts/backup.sh
 subPath: backup.sh
- s3cmd-local-config:
- enabled: true
- type: secret
- name: vault-s3cmd-local-config
+ backup-local-config:
+ type: custom
+ volumeSpec:
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: vault-backup-local-config
 advancedMounts:
 snapshot:
 s3-backup-local:
@@ -222,10 +226,14 @@ snapshot:
 readOnly: true
 mountPropagation: None
 subPath: .s3cfg
- s3cmd-remote-config:
- enabled: true
- type: secret
- name: vault-s3cmd-remote-config
+ backup-remote-config:
+ type: custom
+ volumeSpec:
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: vault-backup-remote-config
 advancedMounts:
 snapshot:
 s3-backup-remote:
@@ -233,10 +241,14 @@ snapshot:
 readOnly: true
 mountPropagation: None
 subPath: .s3cfg
- s3cmd-external-config:
- enabled: true
- type: secret
- name: vault-s3cmd-external-config
+ backup-external-config:
+ type: custom
+ volumeSpec:
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: vault-backup-external-config
 advancedMounts:
 snapshot:
 s3-backup-external:
@@ -276,6 +288,8 @@ unseal:
 envFrom:
 - secretRef:
 name: vault-unseal-config-1
+ - secretRef:
+ name: vault-ntfy-unseal-config
 resources:
 requests:
 cpu: 1m
@@ -292,6 +306,8 @@ unseal:
 envFrom:
 - secretRef:
 name: vault-unseal-config-2
+ - secretRef:
+ name: vault-ntfy-unseal-config
 resources:
 requests:
 cpu: 1m
@@ -308,6 +324,8 @@ unseal:
 envFrom:
 - secretRef:
 name: vault-unseal-config-3
+ - secretRef:
+ name: vault-ntfy-unseal-config
 resources:
 requests:
 cpu: 1m
diff --git a/clusters/cl01tl/helm/vaultwarden/Chart.yaml b/clusters/cl01tl/helm/vaultwarden/Chart.yaml
index 60e0bada4..7d7aedcf9 100644
--- a/clusters/cl01tl/helm/vaultwarden/Chart.yaml
+++ b/clusters/cl01tl/helm/vaultwarden/Chart.yaml
@@ -5,7 +5,7 @@ description: Vaultwarden
 keywords:
 - vaultwarden
 - password-manager
-home: https://docs.alexlebens.dev/applications/vault/
+home: https://docs.alexlebens.dev/applications/vaultwarden/
 sources:
 - https://github.com/dani-garcia/vaultwarden
 - https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden
diff --git a/clusters/cl01tl/helm/vaultwarden/templates/external-secret.yaml b/clusters/cl01tl/helm/vaultwarden/templates/external-secret.yaml
index 669c08ca3..b38ee3023 100644
--- a/clusters/cl01tl/helm/vaultwarden/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/vaultwarden/templates/external-secret.yaml
@@ -1,21 +1,21 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: vaultwarden-oidc-secret
+ name: vaultwarden-oidc-authentik
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: vaultwarden-oidc-secret
+ app.kubernetes.io/name: vaultwarden-oidc-authentik
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
- - secretKey: client
+ - secretKey: SSO_CLIENT_ID
 remoteRef:
- key: /authentik/oidc/vaultwarden
+ key: /cl01tl/authentik/oidc/vaultwarden
 property: client
- - secretKey: secret
+ - secretKey: SSO_CLIENT_SECRET
 remoteRef:
- key: /authentik/oidc/vaultwarden
+ key: /cl01tl/authentik/oidc/vaultwarden
 property: secret
diff --git a/clusters/cl01tl/helm/vaultwarden/values.yaml b/clusters/cl01tl/helm/vaultwarden/values.yaml
index 860af6b09..24998f46e 100644
--- a/clusters/cl01tl/helm/vaultwarden/values.yaml
+++ b/clusters/cl01tl/helm/vaultwarden/values.yaml
@@ -32,13 +32,13 @@ vaultwarden:
 - name: SSO_CLIENT_ID
 valueFrom:
 secretKeyRef:
- name: vaultwarden-oidc-secret
- key: client
+ name: vaultwarden-oidc-authentik
+ key: SSO_CLIENT_ID
 - name: SSO_CLIENT_SECRET
 valueFrom:
 secretKeyRef:
- name: vaultwarden-oidc-secret
- key: secret
+ name: vaultwarden-oidc-authentik
+ key: SSO_CLIENT_SECRET
 resources:
 requests:
 cpu: 10m
diff --git a/clusters/cl01tl/helm/yamtrack/templates/external-secret.yaml b/clusters/cl01tl/helm/yamtrack/templates/external-secret.yaml
index 8df459d64..6dff59587 100644
--- a/clusters/cl01tl/helm/yamtrack/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/yamtrack/templates/external-secret.yaml
@@ -1,15 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: yamtrack-config-secret
+ name: yamtrack-config
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: yamtrack-config-secret
+ app.kubernetes.io/name: yamtrack-config
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
 - secretKey: SECRET
 remoteRef:
@@ -20,17 +20,17 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
- name: yamtrack-oidc-secret
+ name: yamtrack-oidc-authentik
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: yamtrack-oidc-secret
+ app.kubernetes.io/name: yamtrack-oidc-authentik
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
- name: vault
+ name: openbao
 data:
 - secretKey: SOCIALACCOUNT_PROVIDERS
 remoteRef:
- key: /authentik/oidc/yamtrack
+ key: /cl01tl/authentik/oidc/yamtrack
 property: SOCIALACCOUNT_PROVIDERS
diff --git a/clusters/cl01tl/helm/yamtrack/values.yaml b/clusters/cl01tl/helm/yamtrack/values.yaml
index 07516c736..a9066e63b 100644
--- a/clusters/cl01tl/helm/yamtrack/values.yaml
+++ b/clusters/cl01tl/helm/yamtrack/values.yaml
@@ -21,12 +21,12 @@ yamtrack:
 - name: SOCIALACCOUNT_PROVIDERS
 valueFrom:
 secretKeyRef:
- name: yamtrack-oidc-secret
+ name: yamtrack-oidc-authentik
 key: SOCIALACCOUNT_PROVIDERS
 - name: SECRET
 valueFrom:
 secretKeyRef:
- name: yamtrack-config-secret
+ name: yamtrack-config
 key: SECRET
 - name: REDIS_URL
 value: redis://yamtrack-valkey.yamtrack:6379