diff --git a/clusters/cl01tl/manifests/audiobookshelf/ExternalSecret-audiobookshelf-config-apprise.yaml b/clusters/cl01tl/manifests/audiobookshelf/ExternalSecret-audiobookshelf-config-apprise.yaml index 5bbb5c8e1..869df7e31 100644 --- a/clusters/cl01tl/manifests/audiobookshelf/ExternalSecret-audiobookshelf-config-apprise.yaml +++ b/clusters/cl01tl/manifests/audiobookshelf/ExternalSecret-audiobookshelf-config-apprise.yaml @@ -16,9 +16,13 @@ spec: mergePolicy: Merge engineVersion: v2 data: - ntfy-url: "{{ .endpoint }}/audiobookshelf" + ntfy-url: "{{ .endpoint }}/{{ .topic }}" data: - secretKey: endpoint remoteRef: key: /cl01tl/ntfy/users/cl01tl property: internal-endpoint-credential + - secretKey: topic + remoteRef: + key: /cl01tl/ntfy/topics + property: audiobookshelf diff --git a/clusters/cl01tl/manifests/authentik/Ingress-authentik-tailscale.yaml b/clusters/cl01tl/manifests/authentik/Ingress-authentik-tailscale.yaml index 0c7dfaf94..d659e0a3b 100644 --- a/clusters/cl01tl/manifests/authentik/Ingress-authentik-tailscale.yaml +++ b/clusters/cl01tl/manifests/authentik/Ingress-authentik-tailscale.yaml @@ -5,9 +5,9 @@ metadata: namespace: authentik labels: app.kubernetes.io/name: authentik-tailscale - tailscale.com/proxy-class: no-metrics app.kubernetes.io/instance: authentik app.kubernetes.io/part-of: authentik + tailscale.com/proxy-class: no-metrics annotations: tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true" spec: @@ -26,4 +26,4 @@ spec: service: name: authentik-server port: - number: 80 + name: http diff --git a/clusters/cl01tl/manifests/cilium/HTTPRoute-hubble.yaml b/clusters/cl01tl/manifests/cilium/HTTPRoute-hubble.yaml index b1f64e09b..2ff42825a 100644 --- a/clusters/cl01tl/manifests/cilium/HTTPRoute-hubble.yaml +++ b/clusters/cl01tl/manifests/cilium/HTTPRoute-hubble.yaml @@ -21,8 +21,6 @@ spec: type: PathPrefix value: / backendRefs: - - group: '' - kind: Service + - kind: Service name: hubble-ui port: 80 - weight: 100 
diff --git a/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/DaemonSet-democratic-csi-synology-iscsi-node.yaml b/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/DaemonSet-democratic-csi-synology-iscsi-node.yaml index c521070e9..61336c8e9 100644 --- a/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/DaemonSet-democratic-csi-synology-iscsi-node.yaml +++ b/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/DaemonSet-democratic-csi-synology-iscsi-node.yaml @@ -205,7 +205,7 @@ spec: type: Directory - name: config secret: - secretName: synology-iscsi-config-secret + secretName: synology-iscsi-config - name: extra-ca-certs configMap: name: democratic-csi-synology-iscsi diff --git a/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/Deployment-democratic-csi-synology-iscsi-controller.yaml b/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/Deployment-democratic-csi-synology-iscsi-controller.yaml index bfe330ec3..831a0c1e9 100644 --- a/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/Deployment-democratic-csi-synology-iscsi-controller.yaml +++ b/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/Deployment-democratic-csi-synology-iscsi-controller.yaml @@ -178,7 +178,7 @@ spec: emptyDir: {} - name: config secret: - secretName: synology-iscsi-config-secret + secretName: synology-iscsi-config - name: extra-ca-certs configMap: name: democratic-csi-synology-iscsi diff --git a/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/ExternalSecret-synology-iscsi-config-secret.yaml b/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/ExternalSecret-synology-iscsi-config.yaml similarity index 80% rename from clusters/cl01tl/manifests/democratic-csi-synology-iscsi/ExternalSecret-synology-iscsi-config-secret.yaml rename to clusters/cl01tl/manifests/democratic-csi-synology-iscsi/ExternalSecret-synology-iscsi-config.yaml index 308f062de..2871f2dab 100644 
--- a/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/ExternalSecret-synology-iscsi-config-secret.yaml +++ b/clusters/cl01tl/manifests/democratic-csi-synology-iscsi/ExternalSecret-synology-iscsi-config.yaml @@ -1,16 +1,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: synology-iscsi-config-secret + name: synology-iscsi-config namespace: democratic-csi-synology-iscsi labels: - app.kubernetes.io/name: synology-iscsi-config-secret + app.kubernetes.io/name: synology-iscsi-config app.kubernetes.io/instance: democratic-csi-synology-iscsi app.kubernetes.io/part-of: democratic-csi-synology-iscsi spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: driver-config-file.yaml remoteRef: diff --git a/clusters/cl01tl/manifests/directus/Deployment-directus.yaml b/clusters/cl01tl/manifests/directus/Deployment-directus.yaml index f72d9cc96..1861c0b75 100644 --- a/clusters/cl01tl/manifests/directus/Deployment-directus.yaml +++ b/clusters/cl01tl/manifests/directus/Deployment-directus.yaml @@ -139,12 +139,12 @@ spec: valueFrom: secretKeyRef: key: OIDC_CLIENT_ID - name: directus-oidc-secret + name: directus-oidc-authentik - name: AUTH_AUTHENTIK_CLIENT_SECRET valueFrom: secretKeyRef: key: OIDC_CLIENT_SECRET - name: directus-oidc-secret + name: directus-oidc-authentik - name: AUTH_AUTHENTIK_SCOPE value: openid profile email - name: AUTH_AUTHENTIK_ISSUER_URL diff --git a/clusters/cl01tl/manifests/directus/ExternalSecret-directus-bucket-garage.yaml b/clusters/cl01tl/manifests/directus/ExternalSecret-directus-bucket-garage.yaml index 5b0c4692e..96a1f87a4 100644 --- a/clusters/cl01tl/manifests/directus/ExternalSecret-directus-bucket-garage.yaml +++ b/clusters/cl01tl/manifests/directus/ExternalSecret-directus-bucket-garage.yaml @@ -10,7 +10,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: ACCESS_KEY_ID remoteRef: 
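Review bot: The synology-iscsi-config hunk changes both the Secret's name and its backing store (`name: openbao`) in one step, which for a storage driver is a fail-hard combination: the Secret owned by the old `synology-iscsi-config-secret` ExternalSecret is garbage-collected with it (assuming ESO's default owner creationPolicy, which these manifests don't override), while the new `synology-iscsi-config` Secret only appears once the `openbao` ClusterSecretStore can read the `/cl01tl/...` path. If that store isn't ready or its policy doesn't grant the path, the democratic-csi node DaemonSet and controller Deployment that now mount `synology-iscsi-config` will fail to start with a missing-Secret volume error. Consider landing the store switch separately from the rename, or confirming the ExternalSecret reports SecretSynced before the volume references flip. The `driver-config-file.yaml` remoteRef continues past this hunk.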
diff --git a/clusters/cl01tl/manifests/directus/ExternalSecret-directus-config.yaml b/clusters/cl01tl/manifests/directus/ExternalSecret-directus-config.yaml index 7d4882764..a0ac6b02a 100644 --- a/clusters/cl01tl/manifests/directus/ExternalSecret-directus-config.yaml +++ b/clusters/cl01tl/manifests/directus/ExternalSecret-directus-config.yaml @@ -10,8 +10,16 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: + - secretKey: key + remoteRef: + key: /cl01tl/directus/key + property: key + - secretKey: secret + remoteRef: + key: /cl01tl/directus/key + property: secret - secretKey: admin-email remoteRef: key: /cl01tl/directus/config @@ -20,11 +28,3 @@ spec: remoteRef: key: /cl01tl/directus/config property: admin-password - - secretKey: secret - remoteRef: - key: /cl01tl/directus/config - property: secret - - secretKey: key - remoteRef: - key: /cl01tl/directus/config - property: key diff --git a/clusters/cl01tl/manifests/directus/ExternalSecret-directus-metric-token.yaml b/clusters/cl01tl/manifests/directus/ExternalSecret-directus-metric-token.yaml index 44d7264a8..0c43ea32d 100644 --- a/clusters/cl01tl/manifests/directus/ExternalSecret-directus-metric-token.yaml +++ b/clusters/cl01tl/manifests/directus/ExternalSecret-directus-metric-token.yaml @@ -10,7 +10,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: metric-token remoteRef: diff --git a/clusters/cl01tl/manifests/directus/ExternalSecret-directus-oidc-secret.yaml b/clusters/cl01tl/manifests/directus/ExternalSecret-directus-oidc-authentik.yaml similarity index 67% rename from clusters/cl01tl/manifests/directus/ExternalSecret-directus-oidc-secret.yaml rename to clusters/cl01tl/manifests/directus/ExternalSecret-directus-oidc-authentik.yaml index 107c1171c..831c3558f 100644 --- a/clusters/cl01tl/manifests/directus/ExternalSecret-directus-oidc-secret.yaml 
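Review bot: The `key` and `secret` entries in directus-config now read from `/cl01tl/directus/key` instead of `/cl01tl/directus/config`, and nothing here guarantees the values at the new path are the same. If they differ, this is a silent rotation of Directus's `SECRET`, which (if it is used as the token-signing secret, as Directus does by default) invalidates every session and static token, and of `KEY`, which changes the instance identity; that isn't undone by rolling the manifest back. Document the intent above the `key` entry, e.g. `# key/secret relocated to /cl01tl/directus/key; changing either invalidates all issued tokens`. Also confirm the openbao entry carries both `key` and `secret` properties, because one missing property fails the whole ExternalSecret sync and the Deployment's secretKeyRefs would then point at a Secret that is never created.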
+++ b/clusters/cl01tl/manifests/directus/ExternalSecret-directus-oidc-authentik.yaml @@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: directus-oidc-secret + name: directus-oidc-authentik namespace: directus labels: - app.kubernetes.io/name: directus-oidc-secret + app.kubernetes.io/name: directus-oidc-authentik app.kubernetes.io/instance: directus app.kubernetes.io/part-of: directus spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: OIDC_CLIENT_ID remoteRef: - key: /authentik/oidc/directus + key: /cl01tl/authentik/oidc/directus property: client - secretKey: OIDC_CLIENT_SECRET remoteRef: - key: /authentik/oidc/directus + key: /cl01tl/authentik/oidc/directus property: secret diff --git a/clusters/cl01tl/manifests/directus/ExternalSecret-directus-valkey-config.yaml b/clusters/cl01tl/manifests/directus/ExternalSecret-directus-valkey-config.yaml index 5d7f2f03a..b23661dd4 100644 --- a/clusters/cl01tl/manifests/directus/ExternalSecret-directus-valkey-config.yaml +++ b/clusters/cl01tl/manifests/directus/ExternalSecret-directus-valkey-config.yaml @@ -10,12 +10,8 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - - secretKey: default - remoteRef: - key: /cl01tl/directus/valkey - property: password - secretKey: user remoteRef: key: /cl01tl/directus/valkey @@ -24,3 +20,7 @@ spec: remoteRef: key: /cl01tl/directus/valkey property: password + - secretKey: default + remoteRef: + key: /cl01tl/directus/valkey + property: password diff --git a/clusters/cl01tl/manifests/external-dns/DNSEndpoint-iot-device-names.yaml b/clusters/cl01tl/manifests/external-dns/DNSEndpoint-iot-device-names.yaml index 3b1849850..824c222a0 100644 --- a/clusters/cl01tl/manifests/external-dns/DNSEndpoint-iot-device-names.yaml +++ b/clusters/cl01tl/manifests/external-dns/DNSEndpoint-iot-device-names.yaml 
@@ -34,3 +34,13 @@ spec: recordType: A targets: - 10.230.0.100 + - dnsName: dv01hr.alexlebens.net + recordTTL: 180 + recordType: A + targets: + - 10.232.1.72 + - dnsName: dv02kv.alexlebens.net + recordTTL: 180 + recordType: A + targets: + - 10.232.1.71 diff --git a/clusters/cl01tl/manifests/external-dns/DNSEndpoint-server-host-names.yaml b/clusters/cl01tl/manifests/external-dns/DNSEndpoint-server-host-names.yaml index 091872efc..a31551c2b 100644 --- a/clusters/cl01tl/manifests/external-dns/DNSEndpoint-server-host-names.yaml +++ b/clusters/cl01tl/manifests/external-dns/DNSEndpoint-server-host-names.yaml @@ -34,3 +34,13 @@ spec: recordType: A targets: - 10.232.1.52 + - dnsName: pd05wd.alexlebens.net + recordTTL: 180 + recordType: A + targets: + - 10.230.0.115 + - dnsName: pl02mc.alexlebens.net + recordTTL: 180 + recordType: A + targets: + - 10.230.0.105 diff --git a/clusters/cl01tl/manifests/external-dns/ExternalSecret-external-dns-unifi-secret.yaml b/clusters/cl01tl/manifests/external-dns/ExternalSecret-external-dns-unifi-secret.yaml index 2cdc54984..c2b60a65a 100644 --- a/clusters/cl01tl/manifests/external-dns/ExternalSecret-external-dns-unifi-secret.yaml +++ b/clusters/cl01tl/manifests/external-dns/ExternalSecret-external-dns-unifi-secret.yaml @@ -10,7 +10,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: api-key remoteRef: diff --git a/clusters/cl01tl/manifests/freshrss/Deployment-freshrss.yaml b/clusters/cl01tl/manifests/freshrss/Deployment-freshrss.yaml index 957879378..ddda1b40a 100644 --- a/clusters/cl01tl/manifests/freshrss/Deployment-freshrss.yaml +++ b/clusters/cl01tl/manifests/freshrss/Deployment-freshrss.yaml 
@@ -98,9 +98,9 @@ spec: value: preferred_username envFrom: - secretRef: - name: freshrss-oidc-secret + name: freshrss-oidc-authentik - secretRef: - name: freshrss-install-secret + name: freshrss-install-config image: freshrss/freshrss:1.28.1@sha256:9100f649f5c946f589f54cdb9be7a65996528f48f691ef90eb262a0e06e5a522 name: main resources: diff --git a/clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-install-secret.yaml b/clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-install-config.yaml similarity index 71% rename from clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-install-secret.yaml rename to clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-install-config.yaml index 8ee4be52e..c96228b65 100644 --- a/clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-install-secret.yaml +++ b/clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-install-config.yaml @@ -1,26 +1,26 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: freshrss-install-secret + name: freshrss-install-config namespace: freshrss labels: - app.kubernetes.io/name: freshrss-install-secret + app.kubernetes.io/name: freshrss-install-config app.kubernetes.io/instance: freshrss app.kubernetes.io/part-of: freshrss spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: ADMIN_EMAIL remoteRef: key: /cl01tl/freshrss/config - property: ADMIN_EMAIL + property: admin-email - secretKey: ADMIN_PASSWORD remoteRef: key: /cl01tl/freshrss/config - property: ADMIN_PASSWORD + property: admin-password - secretKey: ADMIN_API_PASSWORD remoteRef: key: /cl01tl/freshrss/config - property: ADMIN_API_PASSWORD + property: admin-api-password 
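Review bot: In the freshrss-install-config hunk the three remoteRef properties are renamed (`ADMIN_EMAIL` → `admin-email`, `ADMIN_PASSWORD` → `admin-password`, `ADMIN_API_PASSWORD` → `admin-api-password`) while the Kubernetes secretKeys keep their upper-case names, so nothing in the repo enforces that the openbao entry at `/cl01tl/freshrss/config` was actually re-keyed. If any property is absent, ESO fails the entire sync, the `freshrss-install-config` Secret is never created, and the Deployment hunk above, whose `envFrom` now references that name, leaves the pod in CreateContainerConfigError with the old `freshrss-install-secret` already gone. Check the ExternalSecret's SecretSynced condition right after merge, and consider a comment above `data:` such as `# store-side properties are lower-kebab-case; secretKeys keep the env-var names FreshRSS expects` so the asymmetry is deliberate rather than a typo to the next editor.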
diff --git a/clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-oidc-secret.yaml b/clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-oidc-authentik.yaml similarity index 62% rename from clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-oidc-secret.yaml rename to clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-oidc-authentik.yaml index 3dd8974a8..d3e6d9e81 100644 --- a/clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-oidc-authentik.yaml @@ -1,26 +1,26 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: freshrss-oidc-secret + name: freshrss-oidc-authentik namespace: freshrss labels: - app.kubernetes.io/name: freshrss-oidc-secret + app.kubernetes.io/name: freshrss-oidc-authentik app.kubernetes.io/instance: freshrss app.kubernetes.io/part-of: freshrss spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: OIDC_CLIENT_ID remoteRef: - key: /authentik/oidc/freshrss + key: /cl01tl/authentik/oidc/freshrss property: client - secretKey: OIDC_CLIENT_SECRET remoteRef: - key: /authentik/oidc/freshrss + key: /cl01tl/authentik/oidc/freshrss property: secret - secretKey: OIDC_CLIENT_CRYPTO_KEY remoteRef: - key: /authentik/oidc/freshrss - property: crypto-key + key: /cl01tl/freshrss/key + property: oidc-client-crypto-key diff --git a/clusters/cl01tl/manifests/garage/Deployment-garage-server-1.yaml b/clusters/cl01tl/manifests/garage/Deployment-garage-server-1.yaml index 7d2492fab..293b867e3 100644 --- a/clusters/cl01tl/manifests/garage/Deployment-garage-server-1.yaml +++ b/clusters/cl01tl/manifests/garage/Deployment-garage-server-1.yaml @@ -49,7 +49,7 @@ spec: containers: - envFrom: - secretRef: - name: garage-token-secret + name: garage-token image: dxflrs/garage:v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690 name: main resources: 
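Review bot: `OIDC_CLIENT_CRYPTO_KEY` moves from `/authentik/oidc/freshrss` property `crypto-key` to `/cl01tl/freshrss/key` property `oidc-client-crypto-key`; unless the value was copied exactly, this is an unannounced rotation of the key FreshRSS uses to protect its OIDC session state, so active SSO sessions are invalidated on the next rollout. That is fine for a rotation but surprising for a refactor, and the hunk doesn't say which it is. A one-line comment above that entry, `# app-local crypto key, moved from the authentik provider path; rotating it logs every OIDC user out`, records the intent. Separating this app-owned key from the shared Authentik provider path (which now only needs `client` and `secret`) is a sensible narrowing of what the Authentik-side path exposes.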
diff --git a/clusters/cl01tl/manifests/garage/Deployment-garage-server-2.yaml b/clusters/cl01tl/manifests/garage/Deployment-garage-server-2.yaml index 4bc82b4ca..a5f95a9d7 100644 --- a/clusters/cl01tl/manifests/garage/Deployment-garage-server-2.yaml +++ b/clusters/cl01tl/manifests/garage/Deployment-garage-server-2.yaml @@ -49,7 +49,7 @@ spec: containers: - envFrom: - secretRef: - name: garage-token-secret + name: garage-token image: dxflrs/garage:v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690 name: main resources: diff --git a/clusters/cl01tl/manifests/garage/Deployment-garage-server-3.yaml b/clusters/cl01tl/manifests/garage/Deployment-garage-server-3.yaml index b0f6827fd..2fc9ce092 100644 --- a/clusters/cl01tl/manifests/garage/Deployment-garage-server-3.yaml +++ b/clusters/cl01tl/manifests/garage/Deployment-garage-server-3.yaml @@ -49,7 +49,7 @@ spec: containers: - envFrom: - secretRef: - name: garage-token-secret + name: garage-token image: dxflrs/garage:v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690 name: main resources: diff --git a/clusters/cl01tl/manifests/garage/Deployment-garage-webui.yaml b/clusters/cl01tl/manifests/garage/Deployment-garage-webui.yaml index 3d7c0e355..1143bc6c6 100644 --- a/clusters/cl01tl/manifests/garage/Deployment-garage-webui.yaml +++ b/clusters/cl01tl/manifests/garage/Deployment-garage-webui.yaml @@ -45,7 +45,7 @@ spec: valueFrom: secretKeyRef: key: GARAGE_ADMIN_TOKEN - name: garage-token-secret + name: garage-token image: khairul169/garage-webui:1.1.0@sha256:17c793551873155065bf9a022dabcde874de808a1f26e648d4b82e168806439c name: main resources: 
diff --git a/clusters/cl01tl/manifests/garage/ExternalSecret-garage-token-secret.yaml b/clusters/cl01tl/manifests/garage/ExternalSecret-garage-token.yaml similarity index 58% rename from clusters/cl01tl/manifests/garage/ExternalSecret-garage-token-secret.yaml rename to clusters/cl01tl/manifests/garage/ExternalSecret-garage-token.yaml index e77744970..64894a80a 100644 --- a/clusters/cl01tl/manifests/garage/ExternalSecret-garage-token-secret.yaml +++ b/clusters/cl01tl/manifests/garage/ExternalSecret-garage-token.yaml @@ -1,26 +1,26 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: garage-token-secret + name: garage-token namespace: garage labels: - app.kubernetes.io/name: garage-token-secret + app.kubernetes.io/name: garage-token app.kubernetes.io/instance: garage app.kubernetes.io/part-of: garage spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: GARAGE_RPC_SECRET remoteRef: - key: /cl01tl/garage/token - property: rpc + key: /cl01tl/garage/config + property: rpc-secret - secretKey: GARAGE_ADMIN_TOKEN remoteRef: - key: /cl01tl/garage/token - property: admin + key: /cl01tl/garage/config + property: admin-token - secretKey: GARAGE_METRICS_TOKEN remoteRef: - key: /cl01tl/garage/token - property: metric + key: /cl01tl/garage/config + property: metrics-token diff --git a/clusters/cl01tl/manifests/garage/Service-garage-main.yaml b/clusters/cl01tl/manifests/garage/Service-garage-main.yaml index 22f3d63c9..89c413e18 100644 --- a/clusters/cl01tl/manifests/garage/Service-garage-main.yaml +++ b/clusters/cl01tl/manifests/garage/Service-garage-main.yaml @@ -27,6 +27,6 @@ spec: protocol: TCP targetPort: 3902 selector: - app.kubernetes.io/instance: garage app.kubernetes.io/name: garage + app.kubernetes.io/instance: garage garage-type: server diff --git a/clusters/cl01tl/manifests/garage/ServiceMonitor-garage.yaml b/clusters/cl01tl/manifests/garage/ServiceMonitor-garage.yaml index 119273fec..4e22c8450 100644 
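Review bot: All three garage server Deployments and the webui consume this one Secret via `envFrom`/`secretKeyRef`, and its values now come from `/cl01tl/garage/config` under renamed properties (`rpc-secret`, `admin-token`, `metrics-token`). If the relocated `rpc-secret` differs from the old `rpc` value, ESO updates the Secret but running pods keep their old environment until restarted, so a rolling restart of server-1/2/3 would temporarily split the cluster into nodes that can't authenticate each other's RPC. Confirm the values are identical, or restart all three servers together once the ExternalSecret reports synced. A comment above the `GARAGE_RPC_SECRET` entry, `# must be identical on every garage node; rotate only with a coordinated restart of all servers`, makes that constraint visible to whoever next touches the path.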
--- a/clusters/cl01tl/manifests/garage/ServiceMonitor-garage.yaml +++ b/clusters/cl01tl/manifests/garage/ServiceMonitor-garage.yaml @@ -21,7 +21,7 @@ spec: endpoints: - bearerTokenSecret: key: GARAGE_METRICS_TOKEN - name: garage-token-secret + name: garage-token interval: 5m path: /metrics port: admin diff --git a/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml b/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml index 290ae5782..16a0f97ea 100644 --- a/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml +++ b/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml @@ -50,17 +50,17 @@ spec: valueFrom: secretKeyRef: key: NTFY_TOKEN - name: gatus-config-secret + name: gatus-config - name: "OIDC_CLIENT_ID" valueFrom: secretKeyRef: key: OIDC_CLIENT_ID - name: gatus-oidc-secret + name: gatus-oidc-authentik - name: "OIDC_CLIENT_SECRET" valueFrom: secretKeyRef: key: OIDC_CLIENT_SECRET - name: gatus-oidc-secret + name: gatus-oidc-authentik - name: "POSTGRES_DB" valueFrom: secretKeyRef: diff --git a/clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-config-secret.yaml b/clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-config.yaml similarity index 81% rename from clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-config-secret.yaml rename to clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-config.yaml index 1fb159e10..bccd77b00 100644 --- a/clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-config-secret.yaml +++ b/clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-config.yaml @@ -1,7 +1,7 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: gatus-config-secret + name: gatus-config namespace: gatus labels: app.kubernetes.io/name: gatus-config-secret @@ -10,9 +10,9 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: NTFY_TOKEN remoteRef: - key: /ntfy/user/cl01tl + key: /cl01tl/ntfy/users/cl01tl property: token 
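Review bot: In the gatus-config hunk `metadata.name` is renamed to `gatus-config` but the context line `app.kubernetes.io/name: gatus-config-secret` is left unchanged, unlike every other rename in this change, which updates the label to match; change it to `app.kubernetes.io/name: gatus-config`. Nothing visible selects on that label, so this is consistency rather than breakage, but a stale name label is exactly what someone grepping for the old Secret will find first. The new remoteRef `/cl01tl/ntfy/users/cl01tl` matches the path the audiobookshelf ExternalSecret already uses, which is the right direction.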
diff --git a/clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-oidc-secret.yaml b/clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-oidc-authentik.yaml similarity index 68% rename from clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-oidc-secret.yaml rename to clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-oidc-authentik.yaml index 0290ee2f2..06ce6a8a5 100644 --- a/clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-oidc-authentik.yaml @@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: gatus-oidc-secret + name: gatus-oidc-authentik namespace: gatus labels: - app.kubernetes.io/name: gatus-oidc-secret + app.kubernetes.io/name: gatus-oidc-authentik app.kubernetes.io/instance: gatus app.kubernetes.io/part-of: gatus spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: OIDC_CLIENT_ID remoteRef: - key: /authentik/oidc/gatus + key: /cl01tl/authentik/oidc/gatus property: client - secretKey: OIDC_CLIENT_SECRET remoteRef: - key: /authentik/oidc/gatus + key: /cl01tl/authentik/oidc/gatus property: secret diff --git a/clusters/cl01tl/manifests/gitea/Deployment-gitea.yaml b/clusters/cl01tl/manifests/gitea/Deployment-gitea.yaml index 86c2cd054..d747fa766 100644 --- a/clusters/cl01tl/manifests/gitea/Deployment-gitea.yaml +++ b/clusters/cl01tl/manifests/gitea/Deployment-gitea.yaml @@ -111,7 +111,7 @@ spec: valueFrom: secretKeyRef: key: ISSUE_INDEXER_CONN_STR - name: gitea-meilisearch-master-key-secret + name: gitea-meilisearch-key volumeMounts: - name: config mountPath: /usr/sbinx @@ -151,12 +151,12 @@ spec: valueFrom: secretKeyRef: key: key - name: gitea-oidc-secret + name: gitea-oidc-authentik - name: GITEA_OAUTH_SECRET_0 valueFrom: secretKeyRef: key: secret - name: gitea-oidc-secret + name: gitea-oidc-authentik - name: GITEA_ADMIN_USERNAME value: "gitea_admin" - name: GITEA_ADMIN_PASSWORD 
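Review bot: The gitea Deployment hunk ends at `- name: GITEA_ADMIN_PASSWORD` with its `valueFrom` outside the hunk, while this same diff deletes the `gitea-admin-secret` ExternalSecret (and, presumably, the Secret it owned). If `GITEA_ADMIN_PASSWORD` still references `gitea-admin-secret`, the pod fails to start after this merges; if it has been repointed, that change isn't in view. Worth confirming, and ideally widening the hunk so the replacement source for the admin password is visible alongside the other secret renames. `GITEA_ADMIN_USERNAME` as a plain `gitea_admin` value is fine; it is only the password source that matters here.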
diff --git a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-admin-secret.yaml b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-admin-secret.yaml deleted file mode 100644 index e1d96f9f0..000000000 --- a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-admin-secret.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitea-admin-secret - namespace: gitea - labels: - app.kubernetes.io/name: gitea-admin-secret - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: username - remoteRef: - key: /cl01tl/gitea/auth/admin - property: username - - secretKey: password - remoteRef: - key: /cl01tl/gitea/auth/admin - property: password diff --git a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-meilisearch-master-key-secret.yaml b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-meilisearch-key.yaml similarity index 75% rename from clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-meilisearch-master-key-secret.yaml rename to clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-meilisearch-key.yaml index d38d7f759..db81c34c7 100644 --- a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-meilisearch-master-key-secret.yaml +++ b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-meilisearch-key.yaml @@ -1,16 +1,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: gitea-meilisearch-master-key-secret + name: gitea-meilisearch-key namespace: gitea labels: - app.kubernetes.io/name: gitea-meilisearch-master-key-secret + app.kubernetes.io/name: gitea-meilisearch-key app.kubernetes.io/instance: gitea app.kubernetes.io/part-of: gitea spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao target: template: mergePolicy: Merge 
@@ -21,4 +21,4 @@ spec: - secretKey: MEILI_MASTER_KEY remoteRef: key: /cl01tl/gitea/meilisearch - property: MEILI_MASTER_KEY + property: master-key diff --git a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-oidc-secret.yaml b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-oidc-authentik.yaml similarity index 66% rename from clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-oidc-secret.yaml rename to clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-oidc-authentik.yaml index 45953e765..69f2454c5 100644 --- a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-oidc-authentik.yaml @@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: gitea-oidc-secret + name: gitea-oidc-authentik namespace: gitea labels: - app.kubernetes.io/name: gitea-oidc-secret + app.kubernetes.io/name: gitea-oidc-authentik app.kubernetes.io/instance: gitea app.kubernetes.io/part-of: gitea spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: secret remoteRef: - key: /authentik/oidc/gitea + key: /cl01tl/authentik/oidc/gitea property: secret - secretKey: key remoteRef: - key: /authentik/oidc/gitea + key: /cl01tl/authentik/oidc/gitea property: client diff --git a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-renovate-secret.yaml b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-renovate-secret.yaml deleted file mode 100644 index bb55e2be8..000000000 --- a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-renovate-secret.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitea-renovate-secret - namespace: gitea - labels: - app.kubernetes.io/name: gitea-renovate-secret - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: RENOVATE_ENDPOINT - remoteRef: - key: /cl01tl/gitea/renovate - property: RENOVATE_ENDPOINT - - secretKey: RENOVATE_GIT_AUTHOR - remoteRef: - key: /cl01tl/gitea/renovate - property: RENOVATE_GIT_AUTHOR - - secretKey: RENOVATE_TOKEN - remoteRef: - key: /cl01tl/gitea/renovate - property: RENOVATE_TOKEN - - secretKey: RENOVATE_GIT_PRIVATE_KEY - remoteRef: - key: /cl01tl/gitea/renovate - property: id_rsa - - secretKey: RENOVATE_GITHUB_COM_TOKEN - remoteRef: - key: /github/gitea-cl01tl - property: token diff --git a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-renovate-ssh-secret.yaml b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-renovate-ssh-secret.yaml deleted file mode 100644 index 9f2709d4b..000000000 --- a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-renovate-ssh-secret.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gitea-renovate-ssh-secret - namespace: gitea - labels: - app.kubernetes.io/name: gitea-renovate-ssh-secret - app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: gitea -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: config - remoteRef: - key: /cl01tl/gitea/renovate - property: ssh_config - - secretKey: id_rsa - remoteRef: - key: /cl01tl/gitea/renovate - property: id_rsa - - secretKey: id_rsa.pub - remoteRef: - key: /cl01tl/gitea/renovate - property: id_rsa.pub diff --git a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-runner-secret.yaml b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-runner-secret.yaml index 263ea3d72..bc71e8d92 100644 
--- a/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-runner-secret.yaml +++ b/clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-runner-secret.yaml @@ -10,7 +10,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: token remoteRef: diff --git a/clusters/cl01tl/manifests/gitea/HTTPRoute-gitea.yaml b/clusters/cl01tl/manifests/gitea/HTTPRoute-gitea.yaml index b60277480..f1e5178ef 100644 --- a/clusters/cl01tl/manifests/gitea/HTTPRoute-gitea.yaml +++ b/clusters/cl01tl/manifests/gitea/HTTPRoute-gitea.yaml @@ -21,8 +21,6 @@ spec: type: PathPrefix value: / backendRefs: - - group: '' - kind: Service + - kind: Service name: gitea-http port: 3000 - weight: 100 diff --git a/clusters/cl01tl/manifests/gitea/Ingress-gitea-tailscale.yaml b/clusters/cl01tl/manifests/gitea/Ingress-gitea-tailscale.yaml index abf6cce42..2f7521ab4 100644 --- a/clusters/cl01tl/manifests/gitea/Ingress-gitea-tailscale.yaml +++ b/clusters/cl01tl/manifests/gitea/Ingress-gitea-tailscale.yaml @@ -21,7 +21,7 @@ spec: http: paths: - path: / - pathType: ImplementationSpecific + pathType: Prefix backend: service: name: gitea-http diff --git a/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-meilisearch.yaml b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-meilisearch.yaml index c802eae8f..9e220a45e 100644 --- a/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-meilisearch.yaml +++ b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-meilisearch.yaml @@ -26,5 +26,5 @@ spec: interval: 1m scrapeTimeout: 10s bearerTokenSecret: - name: gitea-meilisearch-master-key-secret + name: gitea-meilisearch-key key: MEILI_MASTER_KEY diff --git a/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-meilisearch.yaml b/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-meilisearch.yaml index 8c49dd77c..2be9d3cfc 100644 --- a/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-meilisearch.yaml 
+++ b/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-meilisearch.yaml @@ -62,7 +62,7 @@ spec: - configMapRef: name: gitea-meilisearch-environment - secretRef: - name: gitea-meilisearch-master-key-secret + name: gitea-meilisearch-key ports: - name: http containerPort: 7700 diff --git a/clusters/cl01tl/manifests/gitea/TCPRoute-gitea-ssh.yaml b/clusters/cl01tl/manifests/gitea/TCPRoute-gitea-ssh.yaml index af6241167..375447900 100644 --- a/clusters/cl01tl/manifests/gitea/TCPRoute-gitea-ssh.yaml +++ b/clusters/cl01tl/manifests/gitea/TCPRoute-gitea-ssh.yaml @@ -16,8 +16,6 @@ spec: sectionName: ssh rules: - backendRefs: - - group: '' - kind: Service + - kind: Service name: gitea-ssh port: 22 - weight: 100 diff --git a/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-auth-secret.yaml b/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-config.yaml similarity index 72% rename from clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-auth-secret.yaml rename to clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-config.yaml index b5568b88d..94f9de28f 100644 --- a/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-auth-secret.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-config.yaml @@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: grafana-auth-secret + name: grafana-config namespace: grafana-operator labels: - app.kubernetes.io/name: grafana-auth-secret + app.kubernetes.io/name: grafana-config app.kubernetes.io/instance: grafana-operator app.kubernetes.io/part-of: grafana-operator spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: admin-user remoteRef: - key: /cl01tl/grafana/auth + key: /cl01tl/grafana/config property: admin-user - secretKey: admin-password remoteRef: - key: /cl01tl/grafana/auth + key: /cl01tl/grafana/config property: admin-password 
diff --git a/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-oauth-secret.yaml b/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-oidc-authentik.yaml similarity index 68% rename from clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-oauth-secret.yaml rename to clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-oidc-authentik.yaml index 91d6f5fc6..13cc87f43 100644 --- a/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-oauth-secret.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-oidc-authentik.yaml @@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: grafana-oauth-secret + name: grafana-oidc-authentik namespace: grafana-operator labels: - app.kubernetes.io/name: grafana-oauth-secret + app.kubernetes.io/name: grafana-oidc-authentik app.kubernetes.io/instance: grafana-operator app.kubernetes.io/part-of: grafana-operator spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: AUTH_CLIENT_ID remoteRef: - key: /authentik/oidc/grafana + key: /cl01tl/authentik/oidc/grafana property: client - secretKey: AUTH_CLIENT_SECRET remoteRef: - key: /authentik/oidc/grafana + key: /cl01tl/authentik/oidc/grafana property: secret diff --git a/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-operator-postgresql-18-cluster-backup-secret-garage.yaml b/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-operator-postgresql-18-cluster-backup-secret-garage.yaml deleted file mode 100644 index d61fcd698..000000000 --- a/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-operator-postgresql-18-cluster-backup-secret-garage.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: grafana-operator-postgresql-18-cluster-backup-secret-garage - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-operator-postgresql-18-cluster-backup-secret-garage - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - key: /garage/home-infra/postgres-backups - property: ACCESS_KEY_ID - - secretKey: ACCESS_SECRET_KEY - remoteRef: - key: /garage/home-infra/postgres-backups - property: ACCESS_SECRET_KEY - - secretKey: ACCESS_REGION - remoteRef: - key: /garage/home-infra/postgres-backups - property: ACCESS_REGION diff --git a/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-operator-postgresql-18-cluster-backup-secret.yaml b/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-operator-postgresql-18-cluster-backup-secret.yaml deleted file mode 100644 index 3b1896c26..000000000 --- a/clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-operator-postgresql-18-cluster-backup-secret.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: grafana-operator-postgresql-18-cluster-backup-secret - namespace: grafana-operator - labels: - app.kubernetes.io/name: grafana-operator-postgresql-18-cluster-backup-secret - app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/part-of: grafana-operator -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ACCESS_KEY_ID - remoteRef: - key: /digital-ocean/home-infra/postgres-backups - property: access - - secretKey: ACCESS_SECRET_KEY - remoteRef: - key: /digital-ocean/home-infra/postgres-backups - property: secret 
diff --git a/clusters/cl01tl/manifests/grafana-operator/Grafana-grafana-main.yaml b/clusters/cl01tl/manifests/grafana-operator/Grafana-grafana-main.yaml index 3bb70ed8a..7843f0d9d 100644 --- a/clusters/cl01tl/manifests/grafana-operator/Grafana-grafana-main.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/Grafana-grafana-main.yaml @@ -65,22 +65,22 @@ spec: - name: AUTH_CLIENT_ID valueFrom: secretKeyRef: - name: grafana-oauth-secret + name: grafana-oidc-authentik key: AUTH_CLIENT_ID - name: AUTH_CLIENT_SECRET valueFrom: secretKeyRef: - name: grafana-oauth-secret + name: grafana-oidc-authentik key: AUTH_CLIENT_SECRET - name: ADMIN_USER valueFrom: secretKeyRef: - name: grafana-auth-secret + name: grafana-config key: admin-user - name: ADMIN_PASSWORD valueFrom: secretKeyRef: - name: grafana-auth-secret + name: grafana-config key: admin-password - name: DB_HOST valueFrom: diff --git a/clusters/cl01tl/manifests/grimmory/Deployment-grimmory.yaml b/clusters/cl01tl/manifests/grimmory/Deployment-grimmory.yaml index b08024bdf..6e9d74ccd 100644 --- a/clusters/cl01tl/manifests/grimmory/Deployment-grimmory.yaml +++ b/clusters/cl01tl/manifests/grimmory/Deployment-grimmory.yaml @@ -52,7 +52,7 @@ spec: valueFrom: secretKeyRef: key: password - name: grimmory-database-secret + name: grimmory-database-config - name: GRIMMORY_PORT value: "6060" - name: SWAGGER_ENABLED diff --git a/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-data-replication-secret.yaml b/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-data-replication-secret.yaml deleted file mode 100644 index 68d332cce..000000000 --- a/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-data-replication-secret.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: grimmory-data-replication-secret - namespace: grimmory - labels: - app.kubernetes.io/name: grimmory-data-replication-secret - app.kubernetes.io/instance: grimmory - app.kubernetes.io/part-of: grimmory -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: psk.txt - remoteRef: - key: /cl01tl/grimmory/replication - property: psk.txt diff --git a/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-database-secret.yaml b/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-database-config.yaml similarity index 77% rename from clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-database-secret.yaml rename to clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-database-config.yaml index bca49dfc2..77a14617f 100644 --- a/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-database-secret.yaml +++ b/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-database-config.yaml @@ -1,16 +1,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: grimmory-database-secret + name: grimmory-database-config namespace: grimmory labels: - app.kubernetes.io/name: grimmory-database-secret + app.kubernetes.io/name: grimmory-database-config app.kubernetes.io/instance: grimmory app.kubernetes.io/part-of: grimmory spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: password remoteRef: diff --git a/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-mariadb-cluster-backup-secret-external.yaml b/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-mariadb-cluster-backup-secret-external.yaml index 8cfb3102c..4c7bfece0 100644 --- a/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-mariadb-cluster-backup-secret-external.yaml +++ b/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-mariadb-cluster-backup-secret-external.yaml 
@@ -10,7 +10,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: access remoteRef: diff --git a/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-mariadb-cluster-backup-secret-garage.yaml b/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-mariadb-cluster-backup-secret-garage.yaml index 7c3124f76..410300581 100644 --- a/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-mariadb-cluster-backup-secret-garage.yaml +++ b/clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-mariadb-cluster-backup-secret-garage.yaml @@ -10,13 +10,13 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: access remoteRef: key: /garage/home-infra/mariadb-backups - property: access + property: ACCESS_KEY_ID - secretKey: secret remoteRef: key: /garage/home-infra/mariadb-backups - property: secret + property: ACCESS_SECRET_KEY diff --git a/clusters/cl01tl/manifests/grimmory/MariaDB-grimmory-mariadb-cluster.yaml b/clusters/cl01tl/manifests/grimmory/MariaDB-grimmory-mariadb-cluster.yaml index f58e70f12..8bd8d7c64 100644 --- a/clusters/cl01tl/manifests/grimmory/MariaDB-grimmory-mariadb-cluster.yaml +++ b/clusters/cl01tl/manifests/grimmory/MariaDB-grimmory-mariadb-cluster.yaml @@ -31,6 +31,6 @@ spec: rootPasswordSecretKeyRef: generate: false key: password - name: grimmory-database-secret + name: grimmory-database-config storage: size: 5Gi diff --git a/clusters/cl01tl/manifests/grimmory/Namespace-grimmory.yaml b/clusters/cl01tl/manifests/grimmory/Namespace-grimmory.yaml index 9abba2a21..9f43cc8a8 100644 --- a/clusters/cl01tl/manifests/grimmory/Namespace-grimmory.yaml +++ b/clusters/cl01tl/manifests/grimmory/Namespace-grimmory.yaml 
@@ -2,12 +2,7 @@ apiVersion: v1 kind: Namespace metadata: name: grimmory - annotations: - volsync.backube/privileged-movers: "true" labels: app.kubernetes.io/name: grimmory app.kubernetes.io/instance: grimmory app.kubernetes.io/part-of: grimmory - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged diff --git a/clusters/cl01tl/manifests/grimmory/PersistentVolume-grimmory-books-import-nfs-storage.yaml b/clusters/cl01tl/manifests/grimmory/PersistentVolume-grimmory-books-import-nfs-storage.yaml index 258896ee1..c5d99082f 100644 --- a/clusters/cl01tl/manifests/grimmory/PersistentVolume-grimmory-books-import-nfs-storage.yaml +++ b/clusters/cl01tl/manifests/grimmory/PersistentVolume-grimmory-books-import-nfs-storage.yaml @@ -15,7 +15,7 @@ spec: accessModes: - ReadWriteMany nfs: - path: /volume2/Storage/Books Import + path: '/volume2/Storage/Books Import' server: synologybond.alexlebens.net mountOptions: - vers=4 diff --git a/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-secret.yaml b/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-secret.yaml index 703db1b17..06d516626 100644 --- a/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-secret.yaml +++ b/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-secret.yaml @@ -10,7 +10,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: HARBOR_ADMIN_PASSWORD remoteRef: @@ -18,12 +18,12 @@ spec: property: admin-password - secretKey: secretKey remoteRef: - key: /cl01tl/harbor/config - property: secretKey + key: /cl01tl/harbor/key + property: secret-key - secretKey: CSRF_KEY remoteRef: - key: /cl01tl/harbor/core - property: CSRF_KEY + key: /cl01tl/harbor/key + property: csrf-key - secretKey: secret remoteRef: key: /cl01tl/harbor/core 
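Review bot: Dropping the three `pod-security.kubernetes.io/*: privileged` labels from `Namespace-grimmory.yaml` leaves the namespace with no explicit PodSecurity level, so what is enforced now depends entirely on the cluster-wide PodSecurity admission defaults, and if none are configured nothing is enforced here. The same hunk removes the `volsync.backube/privileged-movers` annotation, and the replication ExternalSecret is deleted earlier in this commit, so the workloads presumably no longer need `privileged`; that makes this the right moment to pin the level explicitly rather than inherit it, e.g. `pod-security.kubernetes.io/enforce: baseline` with `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted`. Stating the level in the manifest also makes the tightening visible in review and in drift detection instead of being implied by an absence.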
@@ -39,24 +39,20 @@ spec: - secretKey: JOBSERVICE_SECRET remoteRef: key: /cl01tl/harbor/jobservice - property: JOBSERVICE_SECRET + property: secret - secretKey: REGISTRY_HTTP_SECRET remoteRef: key: /cl01tl/harbor/registry - property: REGISTRY_HTTP_SECRET - - secretKey: REGISTRY_REDIS_PASSWORD - remoteRef: - key: /cl01tl/harbor/registry - property: REGISTRY_REDIS_PASSWORD + property: http-secret - secretKey: REGISTRY_HTPASSWD remoteRef: key: /cl01tl/harbor/registry - property: REGISTRY_HTPASSWD + property: ht-passwd - secretKey: REGISTRY_CREDENTIAL_PASSWORD remoteRef: key: /cl01tl/harbor/registry - property: REGISTRY_CREDENTIAL_PASSWORD + property: credential-password - secretKey: REGISTRY_PASSWD remoteRef: key: /cl01tl/harbor/registry - property: REGISTRY_CREDENTIAL_PASSWORD + property: credential-password diff --git a/clusters/cl01tl/manifests/headlamp/ClusterRoleBinding-cluster-admin-oidc.yaml b/clusters/cl01tl/manifests/headlamp/ClusterRoleBinding-cluster-admin-oidc.yaml index 93933e052..31ace65a0 100644 --- a/clusters/cl01tl/manifests/headlamp/ClusterRoleBinding-cluster-admin-oidc.yaml +++ b/clusters/cl01tl/manifests/headlamp/ClusterRoleBinding-cluster-admin-oidc.yaml @@ -8,13 +8,13 @@ metadata: app.kubernetes.io/instance: headlamp app.kubernetes.io/part-of: headlamp roleRef: + apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin - apiGroup: rbac.authorization.k8s.io subjects: - - kind: User + - apiGroup: rbac.authorization.k8s.io + kind: User name: https://authentik.alexlebens.net/application/o/headlamp/#alexanderlebens@gmail.com - apiGroup: rbac.authorization.k8s.io - kind: ServiceAccount name: headlamp-admin namespace: headlamp diff --git a/clusters/cl01tl/manifests/headlamp/Deployment-headlamp.yaml b/clusters/cl01tl/manifests/headlamp/Deployment-headlamp.yaml index 852e4f57c..c2df6e2f7 100644 --- a/clusters/cl01tl/manifests/headlamp/Deployment-headlamp.yaml +++ b/clusters/cl01tl/manifests/headlamp/Deployment-headlamp.yaml 
@@ -36,7 +36,7 @@ spec: imagePullPolicy: IfNotPresent envFrom: - secretRef: - name: headlamp-oidc-secret + name: headlamp-oidc-authentik args: - "-in-cluster" - "-in-cluster-context-name=main" diff --git a/clusters/cl01tl/manifests/headlamp/ExternalSecret-headlamp-oidc-secret.yaml b/clusters/cl01tl/manifests/headlamp/ExternalSecret-headlamp-oidc-authentik.yaml similarity index 62% rename from clusters/cl01tl/manifests/headlamp/ExternalSecret-headlamp-oidc-secret.yaml rename to clusters/cl01tl/manifests/headlamp/ExternalSecret-headlamp-oidc-authentik.yaml index 1a1c1ad77..478f73ce4 100644 --- a/clusters/cl01tl/manifests/headlamp/ExternalSecret-headlamp-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/headlamp/ExternalSecret-headlamp-oidc-authentik.yaml 
@@ -1,38 +1,38 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: headlamp-oidc-secret + name: headlamp-oidc-authentik namespace: headlamp labels: - app.kubernetes.io/name: headlamp-oidc-secret + app.kubernetes.io/name: headlamp-oidc-authentik app.kubernetes.io/instance: headlamp app.kubernetes.io/part-of: headlamp spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: OIDC_CLIENT_ID remoteRef: - key: /authentik/oidc/headlamp + key: /cl01tl/authentik/oidc/headlamp property: client - secretKey: OIDC_CLIENT_SECRET remoteRef: - key: /authentik/oidc/headlamp + key: /cl01tl/authentik/oidc/headlamp property: secret - secretKey: OIDC_ISSUER_URL remoteRef: - key: /authentik/oidc/headlamp + key: /cl01tl/authentik/oidc/headlamp property: issuer - secretKey: OIDC_SCOPES remoteRef: - key: /authentik/oidc/headlamp + key: /cl01tl/authentik/oidc/headlamp property: scopes - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_IDP_ISSUER_URL remoteRef: - key: /authentik/oidc/headlamp - property: validator-issuer-url + key: /cl01tl/authentik/oidc/headlamp + property: issuer - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_CLIENT_ID remoteRef: - key: /authentik/oidc/headlamp - property: validator-client-id + key: /cl01tl/authentik/oidc/headlamp + property: client diff --git a/clusters/cl01tl/manifests/headlamp/HTTPRoute-headlamp.yaml b/clusters/cl01tl/manifests/headlamp/HTTPRoute-headlamp.yaml index 50c9d6e02..ee71f1124 100644 --- a/clusters/cl01tl/manifests/headlamp/HTTPRoute-headlamp.yaml +++ b/clusters/cl01tl/manifests/headlamp/HTTPRoute-headlamp.yaml @@ -19,11 +19,9 @@ spec: - headlamp.alexlebens.net rules: - backendRefs: - - group: "" - kind: Service + - kind: Service name: headlamp port: 80 - weight: 100 matches: - path: type: PathPrefix diff --git a/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml b/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml index 4720d12df..cac602fb4 100644 
--- a/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml +++ b/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml @@ -48,7 +48,7 @@ spec: value: /config envFrom: - secretRef: - name: home-assistant-code-server-password-secret + name: home-assistant-code-server-password image: ghcr.io/linuxserver/code-server:4.116.0-ls333@sha256:4620adace18935dd6ca79d77e3bc1c379e21875392192f970cf5d6b0fb4aefcd name: code-server volumeMounts: diff --git a/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-code-server-password-secret.yaml b/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-code-server-password.yaml similarity index 53% rename from clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-code-server-password-secret.yaml rename to clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-code-server-password.yaml index 3743e9254..31211e5c8 100644 --- a/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-code-server-password-secret.yaml +++ b/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-code-server-password.yaml 
@@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: home-assistant-code-server-password-secret + name: home-assistant-code-server-password namespace: home-assistant labels: - app.kubernetes.io/name: home-assistant-code-server-password-secret + app.kubernetes.io/name: home-assistant-code-server-password app.kubernetes.io/instance: home-assistant app.kubernetes.io/part-of: home-assistant spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: PASSWORD remoteRef: - key: /cl01tl/home-assistant/code-server/auth - property: PASSWORD + key: /cl01tl/home-assistant/code-server + property: password - secretKey: SUDO_PASSWORD remoteRef: - key: /cl01tl/home-assistant/code-server/auth - property: SUDO_PASSWORD + key: /cl01tl/home-assistant/code-server + property: sudo-password diff --git a/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-token-secret.yaml b/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-metric-token.yaml similarity index 68% rename from clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-token-secret.yaml rename to clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-metric-token.yaml index 36f920d97..e828ea550 100644 --- a/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-token-secret.yaml +++ b/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-metric-token.yaml 
@@ -1,18 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: home-assistant-token-secret + name: home-assistant-metric-token namespace: home-assistant labels: - app.kubernetes.io/name: home-assistant-token-secret + app.kubernetes.io/name: home-assistant-metric-token app.kubernetes.io/instance: home-assistant app.kubernetes.io/part-of: home-assistant spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: bearer-token remoteRef: - key: /cl01tl/home-assistant/auth + key: /cl01tl/home-assistant/config property: bearer-token diff --git a/clusters/cl01tl/manifests/home-assistant/ServiceMonitor-home-assistant.yaml b/clusters/cl01tl/manifests/home-assistant/ServiceMonitor-home-assistant.yaml index 8316cf40b..c0eb962de 100644 --- a/clusters/cl01tl/manifests/home-assistant/ServiceMonitor-home-assistant.yaml +++ b/clusters/cl01tl/manifests/home-assistant/ServiceMonitor-home-assistant.yaml @@ -21,7 +21,7 @@ spec: endpoints: - bearerTokenSecret: key: bearer-token - name: home-assistant-token-secret + name: home-assistant-metric-token interval: 3m path: /api/prometheus port: http diff --git a/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml b/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml index 4065a69cb..54783e175 100644 --- a/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml +++ b/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml @@ -44,7 +44,7 @@ spec: value: home.alexlebens.net envFrom: - secretRef: - name: homepage-keys-secret + name: homepage-secrets image: ghcr.io/gethomepage/homepage:v1.12.3@sha256:cc84f2f5eb3c7734353701ccbaa24ed02dacb0d119114e50e4251e2005f3990a name: main resources: 
diff --git a/clusters/cl01tl/manifests/homepage/ExternalSecret-homepage-keys-secret.yaml b/clusters/cl01tl/manifests/homepage/ExternalSecret-homepage-secrets.yaml similarity index 78% rename from clusters/cl01tl/manifests/homepage/ExternalSecret-homepage-keys-secret.yaml rename to clusters/cl01tl/manifests/homepage/ExternalSecret-homepage-secrets.yaml index 2dae4dc73..127cd58e8 100644 --- a/clusters/cl01tl/manifests/homepage/ExternalSecret-homepage-keys-secret.yaml +++ b/clusters/cl01tl/manifests/homepage/ExternalSecret-homepage-secrets.yaml @@ -1,20 +1,20 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: homepage-keys-secret + name: homepage-secrets namespace: homepage labels: - app.kubernetes.io/name: homepage-keys-secret + app.kubernetes.io/name: homepage-secrets app.kubernetes.io/instance: homepage app.kubernetes.io/part-of: homepage spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: HOMEPAGE_VAR_GITEA_API_TOKEN remoteRef: - key: /cl01tl/gitea/auth/homepage + key: /cl01tl/gitea/users/bot property: token - secretKey: HOMEPAGE_VAR_ARGOCD_API_TOKEN remoteRef: 
@@ -34,47 +34,47 @@ spec: property: key - secretKey: HOMEPAGE_VAR_SYNOLOGY_USER remoteRef: - key: /synology/auth/cl01tl + key: /synology/users/remote_stats property: user - secretKey: HOMEPAGE_VAR_SYNOLOGY_PASSWORD remoteRef: - key: /synology/auth/cl01tl + key: /synology/users/remote_stats property: password - secretKey: HOMEPAGE_VAR_UNIFI_API_KEY remoteRef: - key: /unifi/auth/cl01tl + key: /unifi/users/cl01tl property: api-key - secretKey: HOMEPAGE_VAR_SONARR_KEY remoteRef: - key: /cl01tl/sonarr4/key + key: /cl01tl/sonarr/key property: key - secretKey: HOMEPAGE_VAR_SONARR4K_KEY remoteRef: - key: /cl01tl/sonarr4-4k/key + key: /cl01tl/sonarr-4k/key property: key - secretKey: HOMEPAGE_VAR_SONARRANIME_KEY remoteRef: - key: /cl01tl/sonarr4-anime/key + key: /cl01tl/sonarr-anime/key property: key - secretKey: HOMEPAGE_VAR_RADARR_KEY remoteRef: - key: /cl01tl/radarr5/key + key: /cl01tl/radarr/key property: key - secretKey: HOMEPAGE_VAR_RADARR4K_KEY remoteRef: - key: /cl01tl/radarr5-4k/key + key: /cl01tl/radarr-4k/key property: key - secretKey: HOMEPAGE_VAR_RADARRANIME_KEY remoteRef: - key: /cl01tl/radarr5-anime/key + key: /cl01tl/radarr-anime/key property: key - secretKey: HOMEPAGE_VAR_RADARRSTANDUP_KEY remoteRef: - key: /cl01tl/radarr5-standup/key + key: /cl01tl/radarr-standup/key property: key - secretKey: HOMEPAGE_VAR_LIDARR_KEY remoteRef: - key: /cl01tl/lidarr2/key + key: /cl01tl/lidarr/key property: key - secretKey: HOMEPAGE_VAR_PROWLARR_KEY remoteRef: diff --git a/clusters/cl01tl/manifests/immich/Deployment-immich.yaml b/clusters/cl01tl/manifests/immich/Deployment-immich.yaml index 692fa9e56..545ba0eea 100644 --- a/clusters/cl01tl/manifests/immich/Deployment-immich.yaml +++ b/clusters/cl01tl/manifests/immich/Deployment-immich.yaml 
@@ -21,13 +21,15 @@ spec: app.kubernetes.io/instance: immich template: metadata: + annotations: + checksum/secrets: 46a3f57ca394cccffc419e0c17f5d5f366374b0651c02c507636c53c0b5f33e6 labels: app.kubernetes.io/controller: main app.kubernetes.io/instance: immich app.kubernetes.io/name: immich spec: enableServiceLinks: false - serviceAccountName: default + serviceAccountName: immich automountServiceAccountToken: true hostIPC: false hostNetwork: false @@ -112,9 +114,12 @@ spec: - mountPath: /usr/src/app/upload name: data volumes: - - name: config - secret: - secretName: immich-config-secret + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: immich-config + name: config - name: data persistentVolumeClaim: claimName: immich diff --git a/clusters/cl01tl/manifests/immich/ExternalSecret-immich-config-secret.yaml b/clusters/cl01tl/manifests/immich/ExternalSecret-immich-config-secret.yaml deleted file mode 100644 index c2aa80b10..000000000 --- a/clusters/cl01tl/manifests/immich/ExternalSecret-immich-config-secret.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: immich-config-secret - namespace: immich - labels: - app.kubernetes.io/name: immich-config-secret - app.kubernetes.io/instance: immich - app.kubernetes.io/part-of: immich -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: immich.json - remoteRef: - key: /cl01tl/immich/config - property: immich.json diff --git a/clusters/cl01tl/manifests/immich/Secret-immich-immich-sa-token.yaml b/clusters/cl01tl/manifests/immich/Secret-immich-immich-sa-token.yaml new file mode 100644 index 000000000..2628b39fd --- /dev/null +++ b/clusters/cl01tl/manifests/immich/Secret-immich-immich-sa-token.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +type: kubernetes.io/service-account-token +metadata: + name: immich-immich-sa-token + labels: + app.kubernetes.io/instance: immich + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: immich + helm.sh/chart: immich-4.6.2 + annotations: + kubernetes.io/service-account.name: immich + namespace: immich diff --git a/clusters/cl01tl/manifests/immich/SecretProviderClass-immich-config.yaml b/clusters/cl01tl/manifests/immich/SecretProviderClass-immich-config.yaml new file mode 100644 index 000000000..d1c78ea57 --- /dev/null +++ b/clusters/cl01tl/manifests/immich/SecretProviderClass-immich-config.yaml @@ -0,0 +1,19 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: immich-config + namespace: immich + labels: + app.kubernetes.io/name: immich-config + app.kubernetes.io/instance: immich + app.kubernetes.io/part-of: immich +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: immich + objects: | + - objectName: immich.json + fileName: immich.json + secretPath: secret/data/cl01tl/immich/config + secretKey: immich.json diff --git a/clusters/cl01tl/manifests/immich/ServiceAccount-immich.yaml b/clusters/cl01tl/manifests/immich/ServiceAccount-immich.yaml new file mode 100644 index 000000000..4c94fbe57 --- /dev/null +++ b/clusters/cl01tl/manifests/immich/ServiceAccount-immich.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: immich + labels: + app.kubernetes.io/instance: immich + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: immich + helm.sh/chart: immich-4.6.2 + namespace: immich +secrets: + - name: immich-immich-sa-token diff --git a/clusters/cl01tl/manifests/jellyfin/Deployment-jellyfin.yaml b/clusters/cl01tl/manifests/jellyfin/Deployment-jellyfin.yaml index bb918d49f..1a2e26a7d 100644 --- a/clusters/cl01tl/manifests/jellyfin/Deployment-jellyfin.yaml 
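Review bot: `Secret-immich-immich-sa-token.yaml` creates a `kubernetes.io/service-account-token` Secret for service account `immich`, which is a non-expiring, non-audience-bound token stored at rest in etcd, and `ServiceAccount-immich.yaml` lists it under `secrets:`. The new `immich-config` CSI mount in `Deployment-immich.yaml` does not appear to need it: the secrets-store CSI driver normally hands the provider a short-lived bound token obtained via TokenRequest, and the Deployment already has `automountServiceAccountToken: true` for the projected token. If the Helm chart (`helm.sh/chart: immich-4.6.2`) emitted this Secret only for legacy compatibility, consider dropping both the Secret and the `secrets:` entry, or add a comment naming the consumer that actually reads the long-lived token, e.g. `# long-lived SA token required by <consumer> — remove once TokenRequest is used`.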
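Review bot: `SecretProviderClass-immich-config.yaml` points the provider at `baoAddress: "http://openbao-internal.openbao:8200"`, so the service-account JWT presented for role `immich` and the returned `immich.json` payload cross the cluster network in clear text unless something outside this manifest (a mesh, or TLS terminated on the openbao-internal Service) encrypts pod-to-pod traffic. If that is the case a one-line comment above `baoAddress` saying so would stop the next reader from re-raising it; otherwise switch to an `https://` address and pin the issuer CA through the provider's CA-certificate parameter rather than skipping verification. It is also worth confirming that role `immich` in openbao is scoped to `secret/data/cl01tl/immich/config` only, since the `objects` list is the client-side view and does not constrain what the role can read.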
+++ b/clusters/cl01tl/manifests/jellyfin/Deployment-jellyfin.yaml @@ -55,7 +55,7 @@ spec: valueFrom: secretKeyRef: key: token - name: jellyfin-exporter-secret + name: jellyfin-metric-token image: rebelcore/jellyfin-exporter:v1.5.0@sha256:37e6d389654180ad9e1661210a48fee71a6dc355a160670235a00329da0dbf80 name: exporter - env: diff --git a/clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-meilisearch-master-key-secret.yaml b/clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-meilisearch-key.yaml similarity index 66% rename from clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-meilisearch-master-key-secret.yaml rename to clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-meilisearch-key.yaml index b353af943..e6d2491a1 100644 --- a/clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-meilisearch-master-key-secret.yaml +++ b/clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-meilisearch-key.yaml @@ -1,18 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: jellyfin-meilisearch-master-key-secret + name: jellyfin-meilisearch-key namespace: jellyfin labels: - app.kubernetes.io/name: jellyfin-meilisearch-master-key-secret + app.kubernetes.io/name: jellyfin-meilisearch-key app.kubernetes.io/instance: jellyfin app.kubernetes.io/part-of: jellyfin spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: MEILI_MASTER_KEY remoteRef: key: /cl01tl/jellyfin/meilisearch - property: MEILI_MASTER_KEY + property: master-key diff --git a/clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-exporter-secret.yaml b/clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-metric-token.yaml similarity index 68% rename from clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-exporter-secret.yaml rename to clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-metric-token.yaml index 30d0d989e..bd369e9d9 100644 
--- a/clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-exporter-secret.yaml +++ b/clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-metric-token.yaml @@ -1,18 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: jellyfin-exporter-secret + name: jellyfin-metric-token namespace: jellyfin labels: - app.kubernetes.io/name: jellyfin-exporter-secret + app.kubernetes.io/name: jellyfin-metric-token app.kubernetes.io/instance: jellyfin app.kubernetes.io/part-of: jellyfin spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: token remoteRef: - key: /cl01tl/jellyfin/exporter + key: /cl01tl/jellyfin/metrics property: token diff --git a/clusters/cl01tl/manifests/jellyfin/ServiceMonitor-jellyfin-meilisearch.yaml b/clusters/cl01tl/manifests/jellyfin/ServiceMonitor-jellyfin-meilisearch.yaml index e3af687eb..35ec2bfb5 100644 --- a/clusters/cl01tl/manifests/jellyfin/ServiceMonitor-jellyfin-meilisearch.yaml +++ b/clusters/cl01tl/manifests/jellyfin/ServiceMonitor-jellyfin-meilisearch.yaml @@ -26,5 +26,5 @@ spec: interval: 1m scrapeTimeout: 10s bearerTokenSecret: - name: jellyfin-meilisearch-master-key-secret + name: jellyfin-meilisearch-key key: MEILI_MASTER_KEY diff --git a/clusters/cl01tl/manifests/jellyfin/StatefulSet-jellyfin-meilisearch.yaml b/clusters/cl01tl/manifests/jellyfin/StatefulSet-jellyfin-meilisearch.yaml index a3b5c6492..40f8ec29c 100644 --- a/clusters/cl01tl/manifests/jellyfin/StatefulSet-jellyfin-meilisearch.yaml +++ b/clusters/cl01tl/manifests/jellyfin/StatefulSet-jellyfin-meilisearch.yaml @@ -62,7 +62,7 @@ spec: - configMapRef: name: jellyfin-meilisearch-environment - secretRef: - name: jellyfin-meilisearch-master-key-secret + name: jellyfin-meilisearch-key ports: - name: http containerPort: 7700 diff --git a/clusters/cl01tl/manifests/jellystat/Deployment-jellystat.yaml b/clusters/cl01tl/manifests/jellystat/Deployment-jellystat.yaml index 0ad161ab1..e6f6569e7 100644 
--- a/clusters/cl01tl/manifests/jellystat/Deployment-jellystat.yaml +++ b/clusters/cl01tl/manifests/jellystat/Deployment-jellystat.yaml @@ -41,17 +41,17 @@ spec: valueFrom: secretKeyRef: key: secret-key - name: jellystat-secret + name: jellystat-config - name: JS_USER valueFrom: secretKeyRef: key: user - name: jellystat-secret + name: jellystat-config - name: JS_PASSWORD valueFrom: secretKeyRef: key: password - name: jellystat-secret + name: jellystat-config - name: POSTGRES_USER valueFrom: secretKeyRef: diff --git a/clusters/cl01tl/manifests/jellystat/ExternalSecret-jellystat-secret.yaml b/clusters/cl01tl/manifests/jellystat/ExternalSecret-jellystat-config.yaml similarity index 69% rename from clusters/cl01tl/manifests/jellystat/ExternalSecret-jellystat-secret.yaml rename to clusters/cl01tl/manifests/jellystat/ExternalSecret-jellystat-config.yaml index 572a849d9..1def4cbf6 100644 --- a/clusters/cl01tl/manifests/jellystat/ExternalSecret-jellystat-secret.yaml +++ b/clusters/cl01tl/manifests/jellystat/ExternalSecret-jellystat-config.yaml @@ -1,26 +1,26 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: jellystat-secret + name: jellystat-config namespace: jellystat labels: - app.kubernetes.io/name: jellystat-secret + app.kubernetes.io/name: jellystat-config app.kubernetes.io/instance: jellystat app.kubernetes.io/part-of: jellystat spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: secret-key remoteRef: - key: /cl01tl/jellystat/auth + key: /cl01tl/jellystat/key property: secret-key - secretKey: user remoteRef: - key: /cl01tl/jellystat/auth + key: /cl01tl/jellystat/config property: user - secretKey: password remoteRef: - key: /cl01tl/jellystat/auth + key: /cl01tl/jellystat/cconfig property: password diff --git a/clusters/cl01tl/manifests/karakeep/Deployment-karakeep.yaml b/clusters/cl01tl/manifests/karakeep/Deployment-karakeep.yaml index 6c5a05d80..0f772696a 100644 
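Review bot: In `ExternalSecret-jellystat-config.yaml` the `password` entry is changed to `key: /cl01tl/jellystat/cconfig`, while the sibling `user` entry in the same hunk uses `/cl01tl/jellystat/config`; the doubled `c` looks like a typo. With an unresolvable remoteRef external-secrets will fail the whole ExternalSecret, so the `jellystat-config` Secret would not get its `password` key and the `JS_PASSWORD` `secretKeyRef` in `Deployment-jellystat.yaml` (earlier in this commit) would keep the pod from starting. The fix is the one line `key: /cl01tl/jellystat/config`.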
--- a/clusters/cl01tl/manifests/karakeep/Deployment-karakeep.yaml +++ b/clusters/cl01tl/manifests/karakeep/Deployment-karakeep.yaml @@ -54,21 +54,27 @@ spec: valueFrom: secretKeyRef: key: key - name: karakeep-key-secret + name: karakeep-key - name: PROMETHEUS_AUTH_TOKEN valueFrom: secretKeyRef: key: prometheus-token - name: karakeep-key-secret + name: karakeep-metric-token - name: ASSET_STORE_S3_ENDPOINT - value: http://garage-main.garage:3900 + valueFrom: + secretKeyRef: + key: ENDPOINT + name: karakeep-bucket-garage - name: ASSET_STORE_S3_REGION valueFrom: secretKeyRef: key: ACCESS_REGION name: karakeep-bucket-garage - name: ASSET_STORE_S3_BUCKET - value: karakeep-assets + valueFrom: + secretKeyRef: + key: BUCKET + name: karakeep-bucket-garage - name: ASSET_STORE_S3_ACCESS_KEY_ID valueFrom: secretKeyRef: @@ -87,7 +93,7 @@ spec: valueFrom: secretKeyRef: key: MEILI_MASTER_KEY - name: karakeep-meilisearch-master-key-secret + name: karakeep-meilisearch-key - name: BROWSER_WEB_URL value: http://karakeep.karakeep:9222 - name: DISABLE_SIGNUPS @@ -102,12 +108,12 @@ spec: valueFrom: secretKeyRef: key: AUTHENTIK_CLIENT_ID - name: karakeep-oidc-secret + name: karakeep-oidc-authentik - name: OAUTH_CLIENT_SECRET valueFrom: secretKeyRef: key: AUTHENTIK_CLIENT_SECRET - name: karakeep-oidc-secret + name: karakeep-oidc-authentik - name: OLLAMA_BASE_URL value: http://ollama-server-3.ollama:11434 - name: OLLAMA_KEEP_ALIVE diff --git a/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-bucket-garage.yaml b/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-bucket-garage.yaml index 797032b89..bef43bbe2 100644 --- a/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-bucket-garage.yaml +++ b/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-bucket-garage.yaml @@ -10,7 +10,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: ACCESS_KEY_ID remoteRef: 
@@ -24,3 +24,11 @@ spec: remoteRef: key: /garage/home-infra/karakeep-assets property: ACCESS_REGION + - secretKey: BUCKET + remoteRef: + key: /garage/home-infra/karakeep-assets + property: BUCKET + - secretKey: ENDPOINT + remoteRef: + key: /garage/config + property: ENDPOINT_LOCAL diff --git a/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-key.yaml b/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-key.yaml new file mode 100644 index 000000000..03adb101a --- /dev/null +++ b/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-key.yaml @@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: karakeep-key + namespace: karakeep + labels: + app.kubernetes.io/name: karakeep-key + app.kubernetes.io/instance: karakeep + app.kubernetes.io/part-of: karakeep +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: key + remoteRef: + key: /cl01tl/karakeep/key + property: key diff --git a/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-meilisearch-master-key-secret.yaml b/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-meilisearch-key.yaml similarity index 66% rename from clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-meilisearch-master-key-secret.yaml rename to clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-meilisearch-key.yaml index a7c052ec6..aa22d71c2 100644 --- a/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-meilisearch-master-key-secret.yaml +++ b/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-meilisearch-key.yaml 
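Review bot: The two entries appended to `karakeep-bucket-garage` (`BUCKET` from `/garage/home-infra/karakeep-assets` and `ENDPOINT` from `/garage/config`, property `ENDPOINT_LOCAL`) carry configuration rather than credentials, and the Deployment hunk on the previous line now reads the endpoint and bucket name through `secretKeyRef` instead of the plain `value:` it had before. That hides non-sensitive settings from the manifest diff and from anyone who can read the Deployment but not the Secret, so drift is harder to spot in review. If the intent is a single source of truth in OpenBao, a short comment on the `ENDPOINT` entry saying so would help; otherwise a ConfigMap would keep those two values reviewable.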
@@ -1,18 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: karakeep-meilisearch-master-key-secret + name: karakeep-meilisearch-key namespace: karakeep labels: - app.kubernetes.io/name: karakeep-meilisearch-master-key-secret + app.kubernetes.io/name: karakeep-meilisearch-key app.kubernetes.io/instance: karakeep app.kubernetes.io/part-of: karakeep spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: MEILI_MASTER_KEY remoteRef: key: /cl01tl/karakeep/meilisearch - property: MEILI_MASTER_KEY + property: master-key diff --git a/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-key-secret.yaml b/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-metric-token.yaml similarity index 62% rename from clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-key-secret.yaml rename to clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-metric-token.yaml index f76ede6e2..d3d79b97a 100644 --- a/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-key-secret.yaml +++ b/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-metric-token.yaml @@ -1,7 +1,7 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: karakeep-key-secret + name: karakeep-metric-token namespace: karakeep labels: app.kubernetes.io/name: karakeep-key-secret @@ -10,13 +10,9 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - - secretKey: key - remoteRef: - key: /cl01tl/karakeep/key - property: key - secretKey: prometheus-token remoteRef: - key: /cl01tl/karakeep/key - property: prometheus-token + key: /cl01tl/karakeep/metrics + property: token 
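Review bot: The ExternalSecret renamed to `karakeep-metric-token` keeps the context line `app.kubernetes.io/name: karakeep-key-secret` in its labels, so the label no longer matches the resource name, while the other renames in this commit (jellystat-config, karakeep-meilisearch-key, karakeep-oidc-authentik, alertmanager-ntfy-config) update it. Suggested: `app.kubernetes.io/name: karakeep-metric-token`. The label sits between the two hunks of that file, so the fix is just outside the changed lines.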
diff --git a/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-oidc-secret.yaml b/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-oidc-authentik.yaml similarity index 67% rename from clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-oidc-secret.yaml rename to clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-oidc-authentik.yaml index 8cb846f8d..232a47104 100644 --- a/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-oidc-authentik.yaml @@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: karakeep-oidc-secret + name: karakeep-oidc-authentik namespace: karakeep labels: - app.kubernetes.io/name: karakeep-oidc-secret + app.kubernetes.io/name: karakeep-oidc-authentik app.kubernetes.io/instance: karakeep app.kubernetes.io/part-of: karakeep spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: AUTHENTIK_CLIENT_ID remoteRef: - key: /authentik/oidc/karakeep + key: /cl01tl/authentik/oidc/karakeep property: client - secretKey: AUTHENTIK_CLIENT_SECRET remoteRef: - key: /authentik/oidc/karakeep + key: /cl01tl/authentik/oidc/karakeep property: secret diff --git a/clusters/cl01tl/manifests/karakeep/ServiceMonitor-karakeep-meilisearch.yaml b/clusters/cl01tl/manifests/karakeep/ServiceMonitor-karakeep-meilisearch.yaml index cfa04f86d..96c70c4a3 100644 --- a/clusters/cl01tl/manifests/karakeep/ServiceMonitor-karakeep-meilisearch.yaml +++ b/clusters/cl01tl/manifests/karakeep/ServiceMonitor-karakeep-meilisearch.yaml @@ -26,5 +26,5 @@ spec: interval: 1m scrapeTimeout: 10s bearerTokenSecret: - name: karakeep-meilisearch-master-key-secret + name: karakeep-meilisearch-key key: MEILI_MASTER_KEY diff --git a/clusters/cl01tl/manifests/karakeep/ServiceMonitor-karakeep.yaml b/clusters/cl01tl/manifests/karakeep/ServiceMonitor-karakeep.yaml index 7183979e4..1b6db31a0 100644 
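Review bot: The ServiceMonitor-karakeep-meilisearch hunk still hands Prometheus the Meilisearch master key (`key: MEILI_MASTER_KEY` from the renamed `karakeep-meilisearch-key`), so the scrape credential has full administrative rights over the search instance; the rename was a natural point to scope it. Meilisearch can issue API keys restricted to specific actions, so a separate key limited to reading metrics, stored as its own entry in the ExternalSecret, would keep the master key out of the monitoring namespace. This is pre-existing behaviour rather than something the hunk introduces.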
--- a/clusters/cl01tl/manifests/karakeep/ServiceMonitor-karakeep.yaml +++ b/clusters/cl01tl/manifests/karakeep/ServiceMonitor-karakeep.yaml @@ -21,7 +21,7 @@ spec: - authorization: credentials: key: prometheus-token - name: karakeep-key-secret + name: karakeep-metric-token interval: 30s path: /api/metrics port: http diff --git a/clusters/cl01tl/manifests/karakeep/StatefulSet-karakeep-meilisearch.yaml b/clusters/cl01tl/manifests/karakeep/StatefulSet-karakeep-meilisearch.yaml index cf8a8733b..84397ba7c 100644 --- a/clusters/cl01tl/manifests/karakeep/StatefulSet-karakeep-meilisearch.yaml +++ b/clusters/cl01tl/manifests/karakeep/StatefulSet-karakeep-meilisearch.yaml @@ -62,7 +62,7 @@ spec: - configMapRef: name: karakeep-meilisearch-environment - secretRef: - name: karakeep-meilisearch-master-key-secret + name: karakeep-meilisearch-key ports: - name: http containerPort: 7700 diff --git a/clusters/cl01tl/manifests/komodo/Deployment-komodo-main.yaml b/clusters/cl01tl/manifests/komodo/Deployment-komodo-main.yaml index e81daf09f..29614b79f 100644 --- a/clusters/cl01tl/manifests/komodo/Deployment-komodo-main.yaml +++ b/clusters/cl01tl/manifests/komodo/Deployment-komodo-main.yaml @@ -93,13 +93,13 @@ spec: - name: KOMODO_OIDC_CLIENT_ID valueFrom: secretKeyRef: - key: oidc-client-id - name: komodo-secret + key: client + name: komodo-oidc-authentik - name: KOMODO_OIDC_CLIENT_SECRET valueFrom: secretKeyRef: - key: oidc-client-secret - name: komodo-secret + key: secret + name: komodo-oidc-authentik - name: KOMODO_OIDC_USE_FULL_EMAIL value: "true" image: ghcr.io/moghtech/komodo-core:2.1.2@sha256:8a7dbba232e4e49797bb412be5f78207c89fcf22cc2727b38631ae30f7518a4c diff --git a/clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-oidc-authentik.yaml b/clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-oidc-authentik.yaml new file mode 100644 index 000000000..32e50d9c8 --- /dev/null +++ b/clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-oidc-authentik.yaml 
@@ -0,0 +1,22 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: komodo-oidc-authentik + namespace: komodo + labels: + app.kubernetes.io/name: komodo-oidc-authentik + app.kubernetes.io/instance: komodo + app.kubernetes.io/part-of: komodo +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: client + remoteRef: + key: /cl01tl/authentik/oidc/komodo + property: client + - secretKey: secret + remoteRef: + key: /cl01tl/authentik/oidc/komodo + property: secret diff --git a/clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-postgresql-17-fdb-cluster-ferret.yaml b/clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-postgresql-17-fdb-cluster-ferret.yaml index b63c265cf..57aacaece 100644 --- a/clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-postgresql-17-fdb-cluster-ferret.yaml +++ b/clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-postgresql-17-fdb-cluster-ferret.yaml @@ -10,7 +10,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: uri remoteRef: diff --git a/clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-secret.yaml b/clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-secret.yaml index 96f6793b7..c586665c1 100644 --- a/clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-secret.yaml +++ b/clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-secret.yaml 
@@ -10,25 +10,17 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: passkey remoteRef: - key: /cl01tl/komodo/config + key: /cl01tl/komodo/key property: passkey - secretKey: jwt remoteRef: - key: /cl01tl/komodo/config + key: /cl01tl/komodo/key property: jwt - secretKey: webhook remoteRef: - key: /cl01tl/komodo/config + key: /cl01tl/komodo/key property: webhook - - secretKey: oidc-client-id - remoteRef: - key: /authentik/oidc/komodo - property: client - - secretKey: oidc-client-secret - remoteRef: - key: /authentik/oidc/komodo - property: secret diff --git a/clusters/cl01tl/manifests/kube-prometheus-stack/Alertmanager-kube-prometheus-stack-alertmanager.yaml b/clusters/cl01tl/manifests/kube-prometheus-stack/Alertmanager-kube-prometheus-stack-alertmanager.yaml index 46a30c34b..d16b61c8a 100644 --- a/clusters/cl01tl/manifests/kube-prometheus-stack/Alertmanager-kube-prometheus-stack-alertmanager.yaml +++ b/clusters/cl01tl/manifests/kube-prometheus-stack/Alertmanager-kube-prometheus-stack-alertmanager.yaml @@ -26,7 +26,7 @@ spec: logLevel: "info" retention: "120h" secrets: - - alertmanager-config-secret + - alertmanager-ntfy-config alertmanagerConfigSelector: {} alertmanagerConfigNamespaceSelector: {} routePrefix: "/" diff --git a/clusters/cl01tl/manifests/kube-prometheus-stack/Deployment-ntfy-alertmanager.yaml b/clusters/cl01tl/manifests/kube-prometheus-stack/Deployment-ntfy-alertmanager.yaml index 307c2de51..b7700fea7 100644 --- a/clusters/cl01tl/manifests/kube-prometheus-stack/Deployment-ntfy-alertmanager.yaml +++ b/clusters/cl01tl/manifests/kube-prometheus-stack/Deployment-ntfy-alertmanager.yaml 
@@ -21,13 +21,15 @@ spec: app.kubernetes.io/instance: kube-prometheus-stack template: metadata: + annotations: + checksum/secrets: 3c0d4bd47e7d4f71ba55611ddc7b74c5f3ec1cedcc474b15ac0a00daab9b791a labels: app.kubernetes.io/controller: main app.kubernetes.io/instance: kube-prometheus-stack app.kubernetes.io/name: kube-prometheus-stack spec: enableServiceLinks: false - serviceAccountName: default + serviceAccountName: ntfy-alertmanager automountServiceAccountToken: true hostIPC: false hostNetwork: false @@ -43,6 +45,9 @@ spec: readOnly: true subPath: config volumes: - - name: config - secret: - secretName: ntfy-alertmanager-config-secret + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: ntfy-alertmanager-config + name: config diff --git a/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-alertmanager-config-secret.yaml b/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-alertmanager-ntfy-config.yaml similarity index 62% rename from clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-alertmanager-config-secret.yaml rename to clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-alertmanager-ntfy-config.yaml index 0bb5dc5b3..99c8388aa 100644 --- a/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-alertmanager-config-secret.yaml +++ b/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-alertmanager-ntfy-config.yaml 
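Review bot: The new `checksum/secrets: 3c0d4bd4…` annotation on the pod template is a literal value, and with the config now mounted through `secrets-store.csi.k8s.io` rather than a Kubernetes Secret nothing in the repo regenerates it, so a changed ntfy-alertmanager config in OpenBao will not roll the pods unless the annotation is edited by hand. Either drop the annotation or document next to it how it is bumped, e.g. `# bump manually after changing secret/data/cl01tl/kube-prometheus-stack/ntfy-alertmanager`. `automountServiceAccountToken: true` becomes meaningful now that the pod runs as the dedicated `ntfy-alertmanager` account; presumably the CSI provider's Kubernetes auth needs it — confirm, since otherwise it should be false.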
@@ -1,18 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: alertmanager-config-secret + name: alertmanager-ntfy-config namespace: kube-prometheus-stack labels: - app.kubernetes.io/name: alertmanager-config-secret + app.kubernetes.io/name: alertmanager-ntfy-config app.kubernetes.io/instance: kube-prometheus-stack app.kubernetes.io/part-of: kube-prometheus-stack spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: ntfy_password remoteRef: - key: /cl01tl/kube-prometheus-stack/ntfy-alertmanager - property: ntfy_password + key: / cl01tl/ntfy/users/cl01tl + property: password diff --git a/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-garage-metric-secret.yaml b/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-garage-metric-token.yaml similarity index 66% rename from clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-garage-metric-secret.yaml rename to clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-garage-metric-token.yaml index aa7230fb6..0ab7767b8 100644 --- a/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-garage-metric-secret.yaml +++ b/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-garage-metric-token.yaml @@ -1,18 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: garage-metric-secret + name: garage-metric-token namespace: kube-prometheus-stack labels: - app.kubernetes.io/name: garage-metric-secret + app.kubernetes.io/name: garage-metric-token app.kubernetes.io/instance: kube-prometheus-stack app.kubernetes.io/part-of: kube-prometheus-stack spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: token remoteRef: - key: /garage/token - property: metric + key: /ps10rp/garage/config + property: metrics-token 
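Review bot: The remoteRef of `alertmanager-ntfy-config` reads `key: / cl01tl/ntfy/users/cl01tl` with a space after the leading slash, whereas every other path in this commit, including the audiobookshelf hunk's `/cl01tl/ntfy/users/cl01tl`, has none; unless the space is a rendering artifact the lookup fails and the Secret listed under Alertmanager's `secrets:` is never created. Suggested: `key: /cl01tl/ntfy/users/cl01tl`. The garage-metric-token hunk on the same line switches to `/ps10rp/garage/config`, a different prefix from the `/cl01tl/` used everywhere else; worth confirming that is intentional rather than a copy from another cluster.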
diff --git a/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-ntfy-alertmanager-config-secret.yaml b/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-ntfy-alertmanager-config-secret.yaml deleted file mode 100644 index 80bd4aac2..000000000 --- a/clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-ntfy-alertmanager-config-secret.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: ntfy-alertmanager-config-secret - namespace: kube-prometheus-stack - labels: - app.kubernetes.io/name: ntfy-alertmanager-config-secret - app.kubernetes.io/instance: kube-prometheus-stack - app.kubernetes.io/part-of: kube-prometheus-stack -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: ntfy_password - remoteRef: - key: /cl01tl/kube-prometheus-stack/ntfy-alertmanager - property: ntfy_password - - secretKey: config - remoteRef: - key: /cl01tl/kube-prometheus-stack/ntfy-alertmanager - property: config diff --git a/clusters/cl01tl/manifests/kube-prometheus-stack/ScrapeConfig-garage-https.yaml b/clusters/cl01tl/manifests/kube-prometheus-stack/ScrapeConfig-garage-https.yaml index 9479d9110..44eda08ec 100644 --- a/clusters/cl01tl/manifests/kube-prometheus-stack/ScrapeConfig-garage-https.yaml +++ b/clusters/cl01tl/manifests/kube-prometheus-stack/ScrapeConfig-garage-https.yaml @@ -20,4 +20,4 @@ spec: type: Bearer credentials: key: token - name: garage-metric-secret + name: garage-metric-token diff --git a/clusters/cl01tl/manifests/kube-prometheus-stack/Secret-ntfy-alertmanager-ntfy-alertmanager-sa-token.yaml b/clusters/cl01tl/manifests/kube-prometheus-stack/Secret-ntfy-alertmanager-ntfy-alertmanager-sa-token.yaml new file mode 100644 index 000000000..c5282c7de --- /dev/null +++ b/clusters/cl01tl/manifests/kube-prometheus-stack/Secret-ntfy-alertmanager-ntfy-alertmanager-sa-token.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +type: kubernetes.io/service-account-token +metadata: + name: ntfy-alertmanager-ntfy-alertmanager-sa-token + labels: + app.kubernetes.io/instance: kube-prometheus-stack + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kube-prometheus-stack + helm.sh/chart: ntfy-alertmanager-4.6.2 + annotations: + kubernetes.io/service-account.name: ntfy-alertmanager + namespace: kube-prometheus-stack diff --git a/clusters/cl01tl/manifests/kube-prometheus-stack/SecretProviderClass-ntfy-alertmanager-config.yaml b/clusters/cl01tl/manifests/kube-prometheus-stack/SecretProviderClass-ntfy-alertmanager-config.yaml new file mode 100644 index 000000000..c41b38e0c --- /dev/null +++ b/clusters/cl01tl/manifests/kube-prometheus-stack/SecretProviderClass-ntfy-alertmanager-config.yaml @@ -0,0 +1,19 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: ntfy-alertmanager-config + namespace: kube-prometheus-stack + labels: + app.kubernetes.io/name: ntfy-alertmanager-config + app.kubernetes.io/instance: kube-prometheus-stack + app.kubernetes.io/part-of: kube-prometheus-stack +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: ntfy-alertmanager + objects: | + - objectName: config + fileName: config + secretPath: secret/data/cl01tl/kube-prometheus-stack/ntfy-alertmanager + secretKey: config diff --git a/clusters/cl01tl/manifests/kube-prometheus-stack/ServiceAccount-ntfy-alertmanager.yaml b/clusters/cl01tl/manifests/kube-prometheus-stack/ServiceAccount-ntfy-alertmanager.yaml new file mode 100644 index 000000000..b398eb5f6 --- /dev/null +++ b/clusters/cl01tl/manifests/kube-prometheus-stack/ServiceAccount-ntfy-alertmanager.yaml 
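Review bot: `Secret-ntfy-alertmanager-ntfy-alertmanager-sa-token` creates a long-lived `kubernetes.io/service-account-token` for the new `ntfy-alertmanager` account, a static credential that never expires and is readable by anyone with Secret read access in `kube-prometheus-stack`. The SecretProviderClass on this line authenticates via `roleName: ntfy-alertmanager`, and the Secrets Store CSI driver normally obtains a short-lived projected token for that, so the static token is likely unused. If it is only emitted by the chart (`helm.sh/chart: ntfy-alertmanager-4.6.2`), consider disabling it, or add a comment on the Secret stating what consumes it.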
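Review bot: `baoAddress: "http://openbao-internal.openbao:8200"` in SecretProviderClass-ntfy-alertmanager-config sends the Kubernetes auth login and the fetched config over plaintext HTTP inside the cluster; the same value appears in the matrix-synapse classes matrix-hookshot-config, matrix-synapse-config, mautrix-discord-config and mautrix-whatsapp-config. Whether that is acceptable depends on something not in this diff, namely whether pod-to-pod traffic is encrypted by the CNI (Cilium is deployed in this repo, but its encryption setting is not visible); if it is not, an HTTPS listener with the CA handed to the provider is the expected setup. A comment on the line recording that decision, e.g. `# plaintext acceptable: in-cluster traffic is encrypted by … — confirm`, would save the next reviewer the question.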
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ntfy-alertmanager + labels: + app.kubernetes.io/instance: kube-prometheus-stack + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kube-prometheus-stack + helm.sh/chart: ntfy-alertmanager-4.6.2 + namespace: kube-prometheus-stack +secrets: + - name: ntfy-alertmanager-ntfy-alertmanager-sa-token diff --git a/clusters/cl01tl/manifests/kubelet-serving-cert-approver/Namespace-kubelet-serving-cert-approver.yaml b/clusters/cl01tl/manifests/kubelet-serving-cert-approver/Namespace-kubelet-serving-cert-approver.yaml index 2f6bcf3bc..f1004671a 100644 --- a/clusters/cl01tl/manifests/kubelet-serving-cert-approver/Namespace-kubelet-serving-cert-approver.yaml +++ b/clusters/cl01tl/manifests/kubelet-serving-cert-approver/Namespace-kubelet-serving-cert-approver.yaml @@ -6,6 +6,6 @@ metadata: app.kubernetes.io/name: kubelet-serving-cert-approver app.kubernetes.io/instance: kubelet-serving-cert-approver app.kubernetes.io/part-of: kubelet-serving-cert-approver - pod-security.kubernetes.io/audit: restricted - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged diff --git a/clusters/cl01tl/manifests/kubernetes-cloudflare-ddns/ExternalSecret-kubernetes-cloudflare-ddns-secret.yaml b/clusters/cl01tl/manifests/kubernetes-cloudflare-ddns/ExternalSecret-kubernetes-cloudflare-ddns-secret.yaml index 4173640fa..03cdd651c 100644 --- a/clusters/cl01tl/manifests/kubernetes-cloudflare-ddns/ExternalSecret-kubernetes-cloudflare-ddns-secret.yaml +++ b/clusters/cl01tl/manifests/kubernetes-cloudflare-ddns/ExternalSecret-kubernetes-cloudflare-ddns-secret.yaml @@ -10,7 +10,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: AUTH_KEY remoteRef: 
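Review bot: The Namespace hunk lowers all three Pod Security labels of `kubelet-serving-cert-approver` from `restricted` to `privileged` with no accompanying workload change in this commit, so the namespace loses enforcement and visibility at the same time. If a specific pod needs `privileged` enforcement, keep `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` (or `baseline`) so violations are still logged, and add a comment naming the workload and the capability that forced the change. Nothing in the diff shows what in the approver requires privileged access, so the justification cannot be checked from here.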
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-hookshot.yaml index 3d808478b..35bf8ee9a 100644 --- a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-hookshot.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-hookshot.yaml @@ -59,15 +59,24 @@ spec: readOnly: true subPath: registration.yml volumes: - - name: config - secret: - secretName: matrix-hookshot-config-secret + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: matrix-hookshot-config + name: config - name: data persistentVolumeClaim: claimName: matrix-hookshot - - name: passkey - secret: - secretName: matrix-hookshot-config-secret - - name: registration - secret: - secretName: matrix-hookshot-config-secret + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: matrix-hookshot-config + name: passkey + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: matrix-hookshot-config + name: registration diff --git a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml index 870d57941..200d2a191 100644 --- a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml @@ -71,7 +71,7 @@ spec: - name: REDIS_PASSWORD valueFrom: secretKeyRef: - name: matrix-synapse-valkey-secret + name: matrix-synapse-valkey-config key: password image: "ghcr.io/element-hq/synapse:v1.151.0@sha256:184dc8757daef019b511e7f96fc6e5edfb880fd074d8cf702c7e3aa899d188c8" imagePullPolicy: IfNotPresent 
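Review bot: The three CSI volumes `config`, `passkey` and `registration` in Deployment-matrix-hookshot all reference the same `secretProviderClass: matrix-hookshot-config`, so the provider fetches and writes the full set of three files three times and each mount then selects a single file by subPath (visible above the hunk for `registration.yml`). One volume mounted three times with different `subPath` values is equivalent and avoids the duplicate secret fetches: drop the `passkey` and `registration` volumes and repoint their volumeMounts, which lie outside the hunk, at `config`.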
@@ -112,30 +112,10 @@ spec: mountPath: /synapse/data - name: tmpdir mountPath: /tmp - - mountPath: /synapse/config/conf.d/oidc.yaml - name: matrix-synapse-config-secret + - mountPath: /synapse/config/conf.d + mountPropagation: None + name: config readOnly: true - subPath: oidc.yaml - - mountPath: /synapse/config/conf.d/config.yaml - name: matrix-synapse-config-secret - readOnly: true - subPath: config.yaml - - mountPath: /synapse/config/conf.d/hookshot-registration.yaml - name: matrix-hookshot-config-secret - readOnly: true - subPath: hookshot-registration.yaml - - mountPath: /synapse/config/conf.d/mautrix-discord-registration.yaml - name: mautrix-discord-config-secret - readOnly: true - subPath: mautrix-discord-registration.yaml - - mountPath: /synapse/config/conf.d/mautrix-whatsapp-registration.yaml - name: mautrix-whatsapp-config-secret - readOnly: true - subPath: mautrix-whatsapp-registration.yaml - - mountPath: /synapse/config/conf.d/double-puppet-registration.yaml - name: double-puppet-registration-secret - readOnly: true - subPath: double-puppet-registration.yaml resources: requests: cpu: 10m @@ -149,7 +129,7 @@ spec: secretName: matrix-synapse - name: signingkey secret: - secretName: "matrix-synapse-signingkey" + secretName: "matrix-synapse-signing-key" items: - key: "signing.key" path: signing.key 
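Review bot: The new mount replaces the per-file subPath mounts with the whole `/synapse/config/conf.d` directory served by the `config` CSI volume, so any file the image or an init step placed in conf.d is now hidden behind the volume; presumably nothing else lives there, but the diff cannot show that. Unlike subPath mounts, a directory mount also exposes every object the SecretProviderClass emits, so adding an object to `matrix-synapse-config` changes what Synapse loads without touching this Deployment — a comment on the mount such as `# conf.d is fully owned by the matrix-synapse-config SecretProviderClass` would make that explicit. `mountPropagation: None` is the default and can be dropped.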
@@ -160,18 +140,9 @@ spec: - name: media persistentVolumeClaim: claimName: matrix-synapse - - name: matrix-synapse-config-secret - secret: - secretName: matrix-synapse-config-secret - - name: matrix-hookshot-config-secret - secret: - secretName: matrix-hookshot-config-secret - - name: mautrix-discord-config-secret - secret: - secretName: mautrix-discord-config-secret - - name: mautrix-whatsapp-config-secret - secret: - secretName: mautrix-whatsapp-config-secret - - name: double-puppet-registration-secret - secret: - secretName: double-puppet-registration-secret + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: matrix-synapse-config + name: config diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-double-puppet-registration-secret.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-double-puppet-registration-secret.yaml deleted file mode 100644 index 10c743973..000000000 --- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-double-puppet-registration-secret.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: double-puppet-registration-secret - namespace: matrix-synapse - labels: - app.kubernetes.io/name: double-puppet-registration-secret - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: double-puppet-registration.yaml - remoteRef: - key: /cl01tl/matrix-synapse/double-puppet - property: registration diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-config-secret.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-config-secret.yaml deleted file mode 100644 index 2114f7325..000000000 --- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-config-secret.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: matrix-hookshot-config-secret - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-hookshot-config-secret - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: config.yml - remoteRef: - key: /cl01tl/matrix-synapse/hookshot - property: config - - secretKey: registration.yml - remoteRef: - key: /cl01tl/matrix-synapse/hookshot - property: registration - - secretKey: hookshot-registration.yaml - remoteRef: - key: /cl01tl/matrix-synapse/hookshot - property: registration - - secretKey: passkey.pem - remoteRef: - key: /cl01tl/matrix-synapse/hookshot - property: passkey diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-config-secret.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-config-secret.yaml deleted file mode 100644 index 5b4465d12..000000000 --- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-config-secret.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: matrix-synapse-config-secret - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-synapse-config-secret - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: oidc.yaml - remoteRef: - key: /cl01tl/matrix-synapse/config - property: oidc.yaml - - secretKey: config.yaml - remoteRef: - key: /cl01tl/matrix-synapse/config - property: config.yaml 
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-signingkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-signing-key.yaml similarity index 69% rename from clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-signingkey.yaml rename to clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-signing-key.yaml index 67d0f7d00..020e567c9 100644 --- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-signingkey.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-signing-key.yaml @@ -1,18 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: matrix-synapse-signingkey + name: matrix-synapse-signing-key namespace: matrix-synapse labels: - app.kubernetes.io/name: matrix-synapse-signingkey + app.kubernetes.io/name: matrix-synapse-signing-key app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/part-of: matrix-synapse spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: signing.key remoteRef: - key: /cl01tl/matrix-synapse/config + key: /cl01tl/matrix-synapse/key property: signing-key diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-secret.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-config.yaml similarity index 66% rename from clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-secret.yaml rename to clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-config.yaml index 319093632..84c1e9db6 100644 --- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-secret.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-config.yaml 
@@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: matrix-synapse-valkey-secret + name: matrix-synapse-valkey-config namespace: matrix-synapse labels: - app.kubernetes.io/name: matrix-synapse-valkey-secret + app.kubernetes.io/name: matrix-synapse-valkey-config app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/part-of: matrix-synapse spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: default remoteRef: - key: /cl01tl/matrix-synapse/redis + key: /cl01tl/matrix-synapse/valkey property: password - secretKey: password remoteRef: - key: /cl01tl/matrix-synapse/redis + key: /cl01tl/matrix-synapse/valkey property: password diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-config-secret.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-config-secret.yaml deleted file mode 100644 index 5c603846e..000000000 --- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-config-secret.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: mautrix-discord-config-secret - namespace: matrix-synapse - labels: - app.kubernetes.io/name: matrix-synapse - app.kubernetes.io/instance: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: config.yaml - remoteRef: - key: /cl01tl/matrix-synapse/mautrix-discord - property: config - - secretKey: mautrix-discord-registration.yaml - remoteRef: - key: /cl01tl/matrix-synapse/mautrix-discord - property: registration diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-config-secret.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-config-secret.yaml deleted file mode 100644 index 978619d3f..000000000 
--- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-config-secret.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: mautrix-whatsapp-config-secret - namespace: matrix-synapse - labels: - app.kubernetes.io/name: mautrix-whatsapp-config-secret - app.kubernetes.io/instance: matrix-synapse - app.kubernetes.io/part-of: matrix-synapse -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: config.yaml - remoteRef: - key: /cl01tl/matrix-synapse/mautrix-whatsapp - property: config - - secretKey: mautrix-whatsapp-registration.yaml - remoteRef: - key: /cl01tl/matrix-synapse/mautrix-whatsapp - property: registration diff --git a/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml b/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml index aabae496c..2631a3fbf 100644 --- a/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml @@ -42,4 +42,4 @@ spec: volumes: - name: valkey-users-secret secret: - secretName: matrix-synapse-valkey-secret + secretName: matrix-synapse-valkey-config diff --git a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-hookshot-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-hookshot-config.yaml new file mode 100644 index 000000000..1514bf1f6 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-hookshot-config.yaml 
@@ -0,0 +1,27 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: matrix-hookshot-config + namespace: matrix-synapse + labels: + app.kubernetes.io/name: matrix-hookshot-config + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: matrix-synapse + objects: | + - objectName: config.yml + fileName: config.yml + secretPath: secret/data/cl01tl/matrix-synapse/hookshot + secretKey: config.yml + - objectName: registration.yml + fileName: registration.yml + secretPath: secret/data/cl01tl/matrix-synapse/hookshot + secretKey: hookshot-registration.yaml + - objectName: passkey.pem + fileName: passkey.pem + secretPath: secret/data/cl01tl/matrix-synapse/hookshot + secretKey: passkey.pem diff --git a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-config.yaml new file mode 100644 index 000000000..a97084f68 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-config.yaml 
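Review bot: The `secretKey` values in `matrix-hookshot-config` (`config.yml`, `hookshot-registration.yaml`, `passkey.pem`) differ from the properties the deleted ExternalSecret-matrix-hookshot-config-secret read at the same OpenBao path (`config`, `registration`, `passkey`), and the mautrix-discord and mautrix-whatsapp classes show the same shift (`config` → `config.yaml`, `registration` → `mautrix-*-registration.yaml`), as does `double-puppet-registration.yaml` in matrix-synapse-config. If the fields in OpenBao were not renamed alongside this commit, the CSI provider fails the mount and the hookshot, synapse and bridge pods stay in ContainerCreating. Worth confirming the re-keying happened, and a one-line comment above `objects:` stating that `secretKey` must equal the KV field name would stop the next rename from silently breaking it.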
@@ -0,0 +1,39 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: matrix-synapse-config
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: matrix-synapse-config
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: matrix-synapse
+ objects: |
+ - objectName: config.yaml
+ fileName: config.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/config
+ secretKey: config.yaml
+ - objectName: oidc.yaml
+ fileName: oidc.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/config
+ secretKey: oidc.yaml
+ - objectName: hookshot-registration.yaml
+ fileName: hookshot-registration.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/hookshot
+ secretKey: hookshot-registration.yaml
+ - objectName: mautrix-discord-registration.yaml
+ fileName: mautrix-discord-registration.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord
+ secretKey: mautrix-discord-registration.yaml
+ - objectName: mautrix-whatsapp-registration.yaml
+ fileName: mautrix-whatsapp-registration.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp
+ secretKey: mautrix-whatsapp-registration.yaml
+ - objectName: double-puppet-registration.yaml
+ fileName: double-puppet-registration.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/double-puppet
+ secretKey: double-puppet-registration.yaml
diff --git a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-discord-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-discord-config.yaml
new file mode 100644
index 000000000..00260abdc
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-discord-config.yaml
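Review bot: Nothing in this class records that the `matrix-synapse` OpenBao role must be allowed to read five separate KV paths (`config`, `hookshot`, `mautrix-discord`, `mautrix-whatsapp`, `double-puppet`) for the mount to succeed; a policy that misses one fails the whole volume and surfaces only as a pod stuck in ContainerCreating. I'd add above `objects:` a comment such as `# NOTE: the matrix-synapse OpenBao role must grant read on every secretPath below; one denied path fails the entire mount.` The pod that mounts this class also has to run as the new `matrix-synapse` ServiceAccount with token automount on, which is not visible in this chunk.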
@@ -0,0 +1,23 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: mautrix-discord-config
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: mautrix-discord-config
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: matrix-synapse
+ objects: |
+ - objectName: config.yaml
+ fileName: config.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord
+ secretKey: config.yaml
+ - objectName: mautrix-discord-registration.yaml
+ fileName: mautrix-discord-registration.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord
+ secretKey: mautrix-discord-registration.yaml
diff --git a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-whatsapp-config.yaml b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-whatsapp-config.yaml
new file mode 100644
index 000000000..749160c55
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-whatsapp-config.yaml
@@ -0,0 +1,23 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: mautrix-whatsapp-config
+ namespace: matrix-synapse
+ labels:
+ app.kubernetes.io/name: mautrix-whatsapp-config
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/part-of: matrix-synapse
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: matrix-synapse
+ objects: |
+ - objectName: config.yaml
+ fileName: config.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp
+ secretKey: config.yaml
+ - objectName: mautrix-whatsapp-registration.yaml
+ fileName: mautrix-whatsapp-registration.yaml
+ secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp
+ secretKey: mautrix-whatsapp-registration.yaml
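Review bot: `roleName: matrix-synapse` is reused here, in the whatsapp class below and in the hookshot class, so one OpenBao role has to be readable on every bridge's full `config.yaml` path plus the hookshot path that holds `passkey.pem`, and a token from any bridge pod can fetch all of them (KV policies are per path, not per key). Each bridge needs only its own two objects; give it its own role bound to its own ServiceAccount, e.g. `roleName: mautrix-discord`, with a policy limited to `secret/data/cl01tl/matrix-synapse/mautrix-discord`. That keeps a compromised Discord bridge from reading the WhatsApp session config or hookshot's signing key.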
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse.yaml new file mode 100644 index 000000000..1bec77b93 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: matrix-synapse + namespace: matrix-synapse + labels: + app.kubernetes.io/name: matrix-synapse + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/part-of: matrix-synapse diff --git a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml index b1857e4c3..4256bcf13 100644 --- a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml @@ -120,5 +120,5 @@ spec: medium: Memory - name: valkey-users-secret secret: - secretName: matrix-synapse-valkey-secret + secretName: matrix-synapse-valkey-config defaultMode: 0400 diff --git a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-discord.yaml b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-discord.yaml index 8bef3d94c..3a8e9b6e5 100644 --- a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-discord.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-discord.yaml @@ -46,12 +46,12 @@ spec: - mountPath: /data name: data volumes: - - name: config - secret: - secretName: mautrix-discord-config-secret + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: mautrix-discord-config + name: config - name: data persistentVolumeClaim: claimName: mautrix-discord - - name: registration - secret: - secretName: mautrix-discord-config-secret 
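Review bot: The new `csi` volume is authenticated with the pod's projected service-account token against the `mautrix-discord-config` class, and the `registration` volume it replaces is gone, but neither `serviceAccountName` nor the container `volumeMounts` are in this hunk (the pod spec starts above it). If the StatefulSet still runs as `default`, or a `volumeMounts` entry still names `registration`, the pod will be rejected or sit in ContainerCreating; confirm `serviceAccountName: matrix-synapse` is set alongside this change. Note also that a `csi` volume has no `defaultMode`, so the file permissions on the mounted config are now whatever the secrets-store driver and provider apply rather than what the old Secret volume gave.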
diff --git a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-whatsapp.yaml b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-whatsapp.yaml index 519720891..d64ac6562 100644 --- a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-whatsapp.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-whatsapp.yaml @@ -46,12 +46,12 @@ spec: - mountPath: /data name: data volumes: - - name: config - secret: - secretName: mautrix-whatsapp-config-secret + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: mautrix-whatsapp-config + name: config - name: data persistentVolumeClaim: claimName: mautrix-whatsapp - - name: registration - secret: - secretName: mautrix-whatsapp-config-secret diff --git a/clusters/cl01tl/manifests/music-grabber/ExternalSecret-music-grabber-config-secret.yaml b/clusters/cl01tl/manifests/music-grabber/ExternalSecret-music-grabber-config.yaml similarity index 67% rename from clusters/cl01tl/manifests/music-grabber/ExternalSecret-music-grabber-config-secret.yaml rename to clusters/cl01tl/manifests/music-grabber/ExternalSecret-music-grabber-config.yaml index 170a8178c..135ab862a 100644 --- a/clusters/cl01tl/manifests/music-grabber/ExternalSecret-music-grabber-config-secret.yaml +++ b/clusters/cl01tl/manifests/music-grabber/ExternalSecret-music-grabber-config.yaml 
@@ -1,30 +1,30 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: music-grabber-config-secret + name: music-grabber-config namespace: music-grabber labels: - app.kubernetes.io/name: music-grabber-config-secret + app.kubernetes.io/name: music-grabber-config app.kubernetes.io/instance: music-grabber app.kubernetes.io/part-of: music-grabber spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: navidrome-user remoteRef: - key: /cl01tl/navidrome/admin + key: /cl01tl/navidrome/users/admin property: user - secretKey: navidrome-password remoteRef: - key: /cl01tl/navidrome/admin + key: /cl01tl/navidrome/users/admin property: password - secretKey: slskd-user remoteRef: - key: /cl01tl/slskd/auth + key: /cl01tl/slskd/users/slskd property: user - secretKey: slskd-password remoteRef: - key: /cl01tl/slskd/auth + key: /cl01tl/slskd/users/slskd property: password diff --git a/clusters/cl01tl/manifests/music-grabber/ExternalSecret-music-grabber-wireguard-conf.yaml b/clusters/cl01tl/manifests/music-grabber/ExternalSecret-music-grabber-wireguard-conf.yaml deleted file mode 100644 index 35de4f14d..000000000 --- a/clusters/cl01tl/manifests/music-grabber/ExternalSecret-music-grabber-wireguard-conf.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: music-grabber-wireguard-conf - namespace: music-grabber - labels: - app.kubernetes.io/name: music-grabber-wireguard-conf - app.kubernetes.io/instance: music-grabber - app.kubernetes.io/part-of: music-grabber -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: private-key - remoteRef: - key: /airvpn/conf/cl01tl - property: private-key - - secretKey: preshared-key - remoteRef: - key: /airvpn/conf/cl01tl - property: preshared-key - - secretKey: addresses - remoteRef: - key: /airvpn/conf/cl01tl - property: addresses - - secretKey: input-ports - remoteRef: - key: /airvpn/conf/cl01tl - property: input-ports diff --git a/clusters/cl01tl/manifests/ntfy/Deployment-ntfy.yaml b/clusters/cl01tl/manifests/ntfy/Deployment-ntfy.yaml index 29ed37e7f..aa077ae1f 100644 --- a/clusters/cl01tl/manifests/ntfy/Deployment-ntfy.yaml +++ b/clusters/cl01tl/manifests/ntfy/Deployment-ntfy.yaml @@ -56,7 +56,7 @@ spec: valueFrom: secretKeyRef: key: attachment-cache-dir - name: ntfy-config-secret + name: ntfy-config - name: NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT value: 10G - name: NTFY_ATTACHMENT_FILE_SIZE_LIMIT diff --git a/clusters/cl01tl/manifests/ntfy/ExternalSecret-ntfy-config-secret.yaml b/clusters/cl01tl/manifests/ntfy/ExternalSecret-ntfy-config.yaml similarity index 72% rename from clusters/cl01tl/manifests/ntfy/ExternalSecret-ntfy-config-secret.yaml rename to clusters/cl01tl/manifests/ntfy/ExternalSecret-ntfy-config.yaml index 712a3c54f..3fbb6671b 100644 --- a/clusters/cl01tl/manifests/ntfy/ExternalSecret-ntfy-config-secret.yaml +++ b/clusters/cl01tl/manifests/ntfy/ExternalSecret-ntfy-config.yaml 
@@ -1,18 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: ntfy-config-secret + name: ntfy-config namespace: ntfy labels: - app.kubernetes.io/name: ntfy-config-secret + app.kubernetes.io/name: ntfy-config app.kubernetes.io/instance: ntfy app.kubernetes.io/part-of: ntfy spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: attachment-cache-dir remoteRef: key: /garage/home-infra/ntfy-attachments - property: attachment-cache-dir + property: S3_URI diff --git a/clusters/cl01tl/manifests/ollama/Deployment-ollama-web.yaml b/clusters/cl01tl/manifests/ollama/Deployment-ollama-web.yaml index d9854b0b9..a3823e12a 100644 --- a/clusters/cl01tl/manifests/ollama/Deployment-ollama-web.yaml +++ b/clusters/cl01tl/manifests/ollama/Deployment-ollama-web.yaml @@ -51,7 +51,7 @@ spec: valueFrom: secretKeyRef: key: key - name: ollama-key-secret + name: ollama-key - name: DATABASE_URL valueFrom: secretKeyRef: @@ -67,12 +67,12 @@ spec: valueFrom: secretKeyRef: key: secret - name: ollama-oidc-secret + name: open-webui-oidc-authentik - name: OAUTH_CLIENT_ID valueFrom: secretKeyRef: key: client - name: ollama-oidc-secret + name: open-webui-oidc-authentik - name: OAUTH_PROVIDER_NAME value: Authentik - name: OPENID_PROVIDER_URL diff --git a/clusters/cl01tl/manifests/ollama/ExternalSecret-ollama-key-secret.yaml b/clusters/cl01tl/manifests/ollama/ExternalSecret-open-webui-key.yaml similarity index 69% rename from clusters/cl01tl/manifests/ollama/ExternalSecret-ollama-key-secret.yaml rename to clusters/cl01tl/manifests/ollama/ExternalSecret-open-webui-key.yaml index 6efb3eae1..2ce99f63a 100644 --- a/clusters/cl01tl/manifests/ollama/ExternalSecret-ollama-key-secret.yaml +++ b/clusters/cl01tl/manifests/ollama/ExternalSecret-open-webui-key.yaml 
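Review bot: The Secret key is still `attachment-cache-dir` but its value now comes from a property named `S3_URI`, and that key feeds `NTFY_ATTACHMENT_CACHE_DIR` in the Deployment hunk just above. ntfy treats that setting as a local filesystem directory, so unless the bucket is mounted into the container and the property actually holds the mount path, attachments will fail; and if the URI embeds access keys they now sit in an environment variable nobody expects to carry credentials. Make the name and the value agree, e.g. keep `property: attachment-cache-dir` for a path, or rename the key to reflect what is stored.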
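Review bot: `name: ollama-key` points at a Secret that nothing in this commit produces: the ExternalSecret that used to make `ollama-key-secret` is renamed to `open-webui-key` with no `target.name`, so the synced Secret will be called `open-webui-key` and the web container will fail with CreateContainerConfigError. The OIDC reference in the next hunk was updated to the new ExternalSecret name; do the same here with `name: open-webui-key`, unless something outside this diff creates `ollama-key`.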
@@ -1,18 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: ollama-key-secret + name: open-webui-key namespace: ollama labels: - app.kubernetes.io/name: ollama-key-secret + app.kubernetes.io/name: open-webui-key app.kubernetes.io/instance: ollama app.kubernetes.io/part-of: ollama spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: key remoteRef: - key: /cl01tl/ollama/key + key: /cl01tl/ollama/open-webui/key property: key diff --git a/clusters/cl01tl/manifests/ollama/ExternalSecret-ollama-oidc-secret.yaml b/clusters/cl01tl/manifests/ollama/ExternalSecret-open-webui-oidc-authentik.yaml similarity index 64% rename from clusters/cl01tl/manifests/ollama/ExternalSecret-ollama-oidc-secret.yaml rename to clusters/cl01tl/manifests/ollama/ExternalSecret-open-webui-oidc-authentik.yaml index 0260846d4..542a69d53 100644 --- a/clusters/cl01tl/manifests/ollama/ExternalSecret-ollama-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/ollama/ExternalSecret-open-webui-oidc-authentik.yaml @@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: ollama-oidc-secret + name: open-webui-oidc-authentik namespace: ollama labels: - app.kubernetes.io/name: ollama-oidc-secret + app.kubernetes.io/name: open-webui-oidc-authentik app.kubernetes.io/instance: ollama app.kubernetes.io/part-of: ollama spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: client remoteRef: - key: /authentik/oidc/ollama + key: /cl01tl/authentik/oidc/open-webui property: client - secretKey: secret remoteRef: - key: /authentik/oidc/ollama + key: /cl01tl/authentik/oidc/open-webui property: secret diff --git a/clusters/cl01tl/manifests/outline/Deployment-outline.yaml b/clusters/cl01tl/manifests/outline/Deployment-outline.yaml index c0a3fb2de..31a4c3c4b 100644 --- a/clusters/cl01tl/manifests/outline/Deployment-outline.yaml 
+++ b/clusters/cl01tl/manifests/outline/Deployment-outline.yaml @@ -47,12 +47,12 @@ spec: valueFrom: secretKeyRef: key: secret-key - name: outline-key-secret + name: outline-key - name: UTILS_SECRET valueFrom: secretKeyRef: key: utils-key - name: outline-key-secret + name: outline-key - name: POSTGRES_USERNAME valueFrom: secretKeyRef: @@ -114,12 +114,12 @@ spec: valueFrom: secretKeyRef: key: client - name: outline-oidc-secret + name: outline-oidc-authentik - name: OIDC_CLIENT_SECRET valueFrom: secretKeyRef: key: secret - name: outline-oidc-secret + name: outline-oidc-authentik - name: OIDC_AUTH_URI value: https://auth.alexlebens.dev/application/o/authorize/ - name: OIDC_TOKEN_URI diff --git a/clusters/cl01tl/manifests/outline/ExternalSecret-outline-key-secret.yaml b/clusters/cl01tl/manifests/outline/ExternalSecret-outline-key.yaml similarity index 83% rename from clusters/cl01tl/manifests/outline/ExternalSecret-outline-key-secret.yaml rename to clusters/cl01tl/manifests/outline/ExternalSecret-outline-key.yaml index 42375e759..5c96aefd7 100644 --- a/clusters/cl01tl/manifests/outline/ExternalSecret-outline-key-secret.yaml +++ b/clusters/cl01tl/manifests/outline/ExternalSecret-outline-key.yaml @@ -1,16 +1,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: outline-key-secret + name: outline-key namespace: outline labels: - app.kubernetes.io/name: outline-key-secret + app.kubernetes.io/name: outline-key app.kubernetes.io/instance: outline app.kubernetes.io/part-of: outline spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: secret-key remoteRef: 
diff --git a/clusters/cl01tl/manifests/outline/ExternalSecret-outline-oidc-secret.yaml b/clusters/cl01tl/manifests/outline/ExternalSecret-outline-oidc-authentik.yaml similarity index 66% rename from clusters/cl01tl/manifests/outline/ExternalSecret-outline-oidc-secret.yaml rename to clusters/cl01tl/manifests/outline/ExternalSecret-outline-oidc-authentik.yaml index e3fc91558..b6b15d740 100644 --- a/clusters/cl01tl/manifests/outline/ExternalSecret-outline-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/outline/ExternalSecret-outline-oidc-authentik.yaml @@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: outline-oidc-secret + name: outline-oidc-authentik namespace: outline labels: - app.kubernetes.io/name: outline-oidc-secret + app.kubernetes.io/name: outline-oidc-authentik app.kubernetes.io/instance: outline app.kubernetes.io/part-of: outline spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: client remoteRef: - key: /authentik/oidc/outline + key: /cl01tl/authentik/oidc/outline property: client - secretKey: secret remoteRef: - key: /authentik/oidc/outline + key: /cl01tl/authentik/oidc/outline property: secret diff --git a/clusters/cl01tl/manifests/paperless-ngx/Deployment-paperless-ngx.yaml b/clusters/cl01tl/manifests/paperless-ngx/Deployment-paperless-ngx.yaml index eafdb6517..2ea85af7d 100644 --- a/clusters/cl01tl/manifests/paperless-ngx/Deployment-paperless-ngx.yaml +++ b/clusters/cl01tl/manifests/paperless-ngx/Deployment-paperless-ngx.yaml @@ -72,7 +72,7 @@ spec: valueFrom: secretKeyRef: key: secret-key - name: paperless-ngx-secret + name: paperless-ngx-key - name: PAPERLESS_URL value: https://paperless-ngx.alexlebens.net - name: PAPERLESS_ALLOWED_HOSTS 
@@ -81,12 +81,12 @@ spec: valueFrom: secretKeyRef: key: admin-user - name: paperless-ngx-secret + name: paperless-ngx-config - name: PAPERLESS_ADMIN_PASSWORD valueFrom: secretKeyRef: key: admin-password - name: paperless-ngx-secret + name: paperless-ngx-config - name: PAPERLESS_ACCOUNT_ALLOW_SIGNUPS value: "true" - name: PAPERLESS_SOCIAL_AUTO_SIGNUP @@ -101,7 +101,7 @@ spec: valueFrom: secretKeyRef: key: PAPERLESS_SOCIALACCOUNT_PROVIDERS - name: paperless-ngx-oidc-secret + name: paperless-ngx-oidc-authentik - name: PAPERLESS_SOCIALACCOUNT_DEFAULT_PERMISSIONS value: '["view_uisettings", "view_savedview", "add_uisettings", "change_uisettings", "delete_uisettings"]' - name: PAPERLESS_TIME_ZONE diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-secret.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-config.yaml similarity index 58% rename from clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-secret.yaml rename to clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-config.yaml index a336bda51..3c8eb85d1 100644 --- a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-secret.yaml +++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-config.yaml 
@@ -1,26 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: paperless-ngx-secret + name: paperless-ngx-config namespace: paperless-ngx labels: - app.kubernetes.io/name: paperless-ngx-secret + app.kubernetes.io/name: paperless-ngx-config app.kubernetes.io/instance: paperless-ngx app.kubernetes.io/part-of: paperless-ngx spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - - secretKey: secret-key - remoteRef: - key: /cl01tl/paperless-ngx/secret - property: secret-key - secretKey: admin-user remoteRef: - key: /cl01tl/paperless-ngx/secret + key: /cl01tl/paperless-ngx/config property: admin-user - secretKey: admin-password remoteRef: - key: /cl01tl/paperless-ngx/secret + key: /cl01tl/paperless-ngx/config property: admin-password diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-key.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-key.yaml new file mode 100644 index 000000000..a06a7d5c3 --- /dev/null +++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-key.yaml @@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: paperless-ngx-key + namespace: paperless-ngx + labels: + app.kubernetes.io/name: paperless-ngx-key + app.kubernetes.io/instance: paperless-ngx + app.kubernetes.io/part-of: paperless-ngx +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: secret-key + remoteRef: + key: /cl01tl/paperless-ngx/key + property: secret-key 
diff --git a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-oidc-secret.yaml b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-oidc-authentik.yaml similarity index 55% rename from clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-oidc-secret.yaml rename to clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-oidc-authentik.yaml index 4d8e10598..da10c8289 100644 --- a/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/paperless-ngx/ExternalSecret-paperless-ngx-oidc-authentik.yaml @@ -1,25 +1,17 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: paperless-ngx-oidc-secret + name: paperless-ngx-oidc-authentik namespace: paperless-ngx labels: - app.kubernetes.io/name: paperless-ngx-oidc-secret + app.kubernetes.io/name: paperless-ngx-oidc-authentik app.kubernetes.io/instance: paperless-ngx app.kubernetes.io/part-of: paperless-ngx spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - - secretKey: OIDC_CLIENT_ID - remoteRef: - key: /authentik/oidc/paperless-ngx - property: client - - secretKey: OIDC_CLIENT_SECRET - remoteRef: - key: /authentik/oidc/paperless-ngx - property: secret - secretKey: PAPERLESS_SOCIALACCOUNT_PROVIDERS remoteRef: key: /authentik/oidc/paperless-ngx diff --git a/clusters/cl01tl/manifests/postiz/Deployment-postiz-main.yaml b/clusters/cl01tl/manifests/postiz/Deployment-postiz-main.yaml index 62cb5a3f8..b8c5446cf 100644 --- a/clusters/cl01tl/manifests/postiz/Deployment-postiz-main.yaml +++ b/clusters/cl01tl/manifests/postiz/Deployment-postiz-main.yaml @@ -39,7 +39,7 @@ spec: valueFrom: secretKeyRef: key: JWT_SECRET - name: postiz-config-secret + name: postiz-config - name: MAIN_URL value: https://postiz.alexlebens.dev - name: FRONTEND_URL 
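Review bot: `key: /authentik/oidc/paperless-ngx` is the only OIDC remoteRef in this commit left at the old top-level path while its store moves from `vault` to `openbao`; the ollama, outline and postiz equivalents were all moved to `/cl01tl/authentik/oidc/<app>`. If the OpenBao layout follows the new convention this ExternalSecret will never sync, the `paperless-ngx-oidc-authentik` Secret will not exist, and the Deployment's `PAPERLESS_SOCIALACCOUNT_PROVIDERS` reference fails at pod start. Either change it to `key: /cl01tl/authentik/oidc/paperless-ngx` or add a comment stating why this one intentionally stays where it is.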
@@ -90,12 +90,12 @@ spec: valueFrom: secretKeyRef: key: client - name: postiz-oidc-secret + name: postiz-oidc-authentik - name: POSTIZ_OAUTH_CLIENT_SECRET valueFrom: secretKeyRef: key: secret - name: postiz-oidc-secret + name: postiz-oidc-authentik - name: POSTIZ_OAUTH_SCOPE value: openid profile email - name: NEXT_PUBLIC_SENTRY_DSN diff --git a/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-config-secret.yaml b/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-config.yaml similarity index 78% rename from clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-config-secret.yaml rename to clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-config.yaml index d4c9701f1..2a036c02c 100644 --- a/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-config-secret.yaml +++ b/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-config.yaml @@ -1,16 +1,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: postiz-config-secret + name: postiz-config namespace: postiz labels: - app.kubernetes.io/name: postiz-config-secret + app.kubernetes.io/name: postiz-config app.kubernetes.io/instance: postiz app.kubernetes.io/part-of: postiz spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: JWT_SECRET remoteRef: diff --git a/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-elasticsearch-secret.yaml b/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-elasticsearch-secret.yaml deleted file mode 100644 index 2ac043e05..000000000 --- a/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-elasticsearch-secret.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: postiz-elasticsearch-secret - namespace: postiz - labels: - app.kubernetes.io/name: postiz-elasticsearch-secret - app.kubernetes.io/instance: postiz - app.kubernetes.io/part-of: postiz -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: username - remoteRef: - key: /cl01tl/postiz/elasticsearch - property: username - - secretKey: password - remoteRef: - key: /cl01tl/postiz/elasticsearch - property: password - - secretKey: roles - remoteRef: - key: /cl01tl/postiz/elasticsearch - property: roles diff --git a/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-oidc-secret.yaml b/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-oidc-authentik.yaml similarity index 66% rename from clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-oidc-secret.yaml rename to clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-oidc-authentik.yaml index 160c17c56..86f9c4e90 100644 --- a/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-oidc-authentik.yaml @@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: postiz-oidc-secret + name: postiz-oidc-authentik namespace: postiz labels: - app.kubernetes.io/name: postiz-oidc-secret + app.kubernetes.io/name: postiz-oidc-authentik app.kubernetes.io/instance: postiz app.kubernetes.io/part-of: postiz spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: client remoteRef: - key: /authentik/oidc/postiz + key: /cl01tl/authentik/oidc/postiz property: client - secretKey: secret remoteRef: - key: /authentik/oidc/postiz + key: /cl01tl/authentik/oidc/postiz property: secret 
diff --git a/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-valkey-config.yaml b/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-valkey-config.yaml index 2715a4c0c..5b745ea17 100644 --- a/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-valkey-config.yaml +++ b/clusters/cl01tl/manifests/postiz/ExternalSecret-postiz-valkey-config.yaml @@ -10,7 +10,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: REDIS_URL remoteRef: diff --git a/clusters/cl01tl/manifests/prowlarr/ExternalSecret-prowlarr-key-secret.yaml b/clusters/cl01tl/manifests/prowlarr/ExternalSecret-prowlarr-key-secret.yaml index a5e45c159..90baf086e 100644 --- a/clusters/cl01tl/manifests/prowlarr/ExternalSecret-prowlarr-key-secret.yaml +++ b/clusters/cl01tl/manifests/prowlarr/ExternalSecret-prowlarr-key-secret.yaml @@ -10,7 +10,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: key remoteRef: diff --git a/clusters/cl01tl/manifests/qbittorrent/Deployment-qbittorrent-main.yaml b/clusters/cl01tl/manifests/qbittorrent/Deployment-qbittorrent-main.yaml index bb9a6ed47..1d58a7f39 100644 --- a/clusters/cl01tl/manifests/qbittorrent/Deployment-qbittorrent-main.yaml +++ b/clusters/cl01tl/manifests/qbittorrent/Deployment-qbittorrent-main.yaml @@ -21,13 +21,15 @@ spec: app.kubernetes.io/instance: qbittorrent template: metadata: + annotations: + checksum/secrets: 545cc0ac43a8c257917ff35f6fed45976eaefcbaed5d63bbd60d3b932dc71794 labels: app.kubernetes.io/controller: main app.kubernetes.io/instance: qbittorrent app.kubernetes.io/name: qbittorrent spec: enableServiceLinks: false - serviceAccountName: default + serviceAccountName: qbittorrent automountServiceAccountToken: true securityContext: fsGroup: 1000 
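Review bot: `serviceAccountName: qbittorrent` together with the existing `automountServiceAccountToken: true` hands the gluetun/qBittorrent pod a service-account JWT it has no visible use for: the VPN material in the next hunk is consumed as env from an ExternalSecret-synced Secret, not a CSI mount. If the `qbittorrent` SA is what the secrets-store role for `qbit-manage-config` is bound to, an RCE in the internet-facing torrent client becomes a direct OpenBao read for that role; set `automountServiceAccountToken: false` on this Deployment and keep the token only where a CSI volume needs it. Separately, the `checksum/secrets` value here is byte-identical on the qbit-manage and qui Deployments, which suggests it hashes a template rather than these pods' secret data and will not roll them when values change.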
@@ -72,33 +74,22 @@ spec: name: exporter - env: - name: VPN_SERVICE_PROVIDER - value: airvpn + value: protonvpn - name: VPN_TYPE value: wireguard - name: WIREGUARD_PRIVATE_KEY valueFrom: secretKeyRef: key: private-key - name: qbittorrent-wireguard-conf - - name: WIREGUARD_PRESHARED_KEY - valueFrom: - secretKeyRef: - key: preshared-key - name: qbittorrent-wireguard-conf - - name: WIREGUARD_ADDRESSES - valueFrom: - secretKeyRef: - key: addresses - name: qbittorrent-wireguard-conf - - name: FIREWALL_VPN_INPUT_PORTS - valueFrom: - secretKeyRef: - key: input-ports - name: qbittorrent-wireguard-conf + name: protonvpn-wireguard-conf - name: FIREWALL_OUTBOUND_SUBNETS value: 192.168.1.0/24,10.244.0.0/16 - name: FIREWALL_INPUT_PORTS - value: 8080,9022 + value: 5030,50300 + - name: VPN_PORT_FORWARDING + value: "on" + - name: VPN_PORT_FORWARDING_UP_COMMAND + value: /bin/sh -c "/gluetun/update.sh {{PORTS}}" - name: DNS_UPSTREAM_RESOLVER_TYPE value: dot - name: BLOCK_MALICIOUS diff --git a/clusters/cl01tl/manifests/qbittorrent/Deployment-qbittorrent-qbit-manage.yaml b/clusters/cl01tl/manifests/qbittorrent/Deployment-qbittorrent-qbit-manage.yaml index 3bdfe6392..6f1aff73c 100644 --- a/clusters/cl01tl/manifests/qbittorrent/Deployment-qbittorrent-qbit-manage.yaml +++ b/clusters/cl01tl/manifests/qbittorrent/Deployment-qbittorrent-qbit-manage.yaml @@ -23,13 +23,15 @@ spec: app.kubernetes.io/instance: qbittorrent template: metadata: + annotations: + checksum/secrets: 545cc0ac43a8c257917ff35f6fed45976eaefcbaed5d63bbd60d3b932dc71794 labels: app.kubernetes.io/controller: qbit-manage app.kubernetes.io/instance: qbittorrent app.kubernetes.io/name: qbittorrent spec: enableServiceLinks: false - serviceAccountName: default + serviceAccountName: qbittorrent automountServiceAccountToken: true hostIPC: false hostNetwork: false 
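Review bot: `FIREWALL_INPUT_PORTS` drops 8080 in favour of `5030,50300`; gluetun only accepts inbound connections on non-VPN interfaces for ports listed here, so if qBittorrent's WebUI still listens on 8080 the qui and qbit-manage Deployments in this namespace will be firewalled off from it. Confirm the WebUI port really moved, or keep 8080 in the list. `VPN_PORT_FORWARDING_UP_COMMAND` also runs `/gluetun/update.sh` with a provider-supplied `{{PORTS}}` value interpolated into a shell string; the script is not in this chunk, so check that it carries no embedded qBittorrent credentials and that its source (presumably a ConfigMap) is mounted read-only.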
@@ -40,11 +42,11 @@ spec: - /bin/sh - -ec - | - cp /config/config.yml /app/config/config.yml + cp /tmp/config.yml /app/config/config.yml image: busybox:1.37.0@sha256:1487d0af5f52b4ba31c7e465126ee2123fe3f2305d638e7827681e7cf6c83d5e name: init-copy-config volumeMounts: - - mountPath: /config/config.yml + - mountPath: /tmp/config.yml mountPropagation: None name: qbit-manage-config readOnly: true @@ -69,7 +71,7 @@ spec: valueFrom: secretKeyRef: key: ntfy-url - name: qbittorrent-qbit-manage-config + name: qbit-manage-config image: ghcr.io/caronc/apprise:v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977 name: apprise-api - env: @@ -95,7 +97,7 @@ spec: volumeMounts: - mountPath: /qbittorrent/qBittorrent name: config-data - - mountPath: /config/config.yml + - mountPath: /tmp/config.yml mountPropagation: None name: qbit-manage-config readOnly: true @@ -110,14 +112,18 @@ spec: - name: config-data persistentVolumeClaim: claimName: qbittorrent-config-data - - name: qbit-manage-config - secret: - secretName: qbittorrent-qbit-manage-config + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: qbit-manage-config + name: qbit-manage-config - name: qbit-manage-config-data persistentVolumeClaim: claimName: qbittorrent-qbit-manage-config-data - - emptyDir: {} - name: qbit-manage-config-var + - name: qbit-manage-config-var + persistentVolumeClaim: + claimName: qbittorrent-qbit-manage-config-var - name: storage persistentVolumeClaim: claimName: qbittorrent-nfs-storage diff --git a/clusters/cl01tl/manifests/qbittorrent/Deployment-qbittorrent-qui.yaml b/clusters/cl01tl/manifests/qbittorrent/Deployment-qbittorrent-qui.yaml index e8763b1ed..ff6e527b1 100644 --- a/clusters/cl01tl/manifests/qbittorrent/Deployment-qbittorrent-qui.yaml +++ b/clusters/cl01tl/manifests/qbittorrent/Deployment-qbittorrent-qui.yaml 
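Review bot: The init container copies the CSI-mounted `/tmp/config.yml` into `/app/config/config.yml`, so the credential-bearing qbit-manage config is duplicated onto whatever volume backs `/app/config`; if that is the `qbit-manage-config-data` PersistentVolumeClaim the secret now also lives at rest on the storage backend, outside the secrets-store mount and any rotation. Consider having qbit-manage read the CSI path directly, or copy into an `emptyDir` with `medium: Memory` instead. The `qbit-manage-config` SecretProviderClass this volume references is not in this chunk, and the deleted ExternalSecret of the same name was the only source of `config.yml` seen here, so make sure the class actually serves that object.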
@@ -21,13 +21,15 @@ spec: app.kubernetes.io/instance: qbittorrent template: metadata: + annotations: + checksum/secrets: 545cc0ac43a8c257917ff35f6fed45976eaefcbaed5d63bbd60d3b932dc71794 labels: app.kubernetes.io/controller: qui app.kubernetes.io/instance: qbittorrent app.kubernetes.io/name: qbittorrent spec: enableServiceLinks: false - serviceAccountName: default + serviceAccountName: qbittorrent automountServiceAccountToken: true securityContext: fsGroup: 1000 @@ -52,12 +54,12 @@ spec: valueFrom: secretKeyRef: key: client - name: qui-oidc-secret + name: qui-oidc-authentik - name: QUI__OIDC_CLIENT_SECRET valueFrom: secretKeyRef: key: secret - name: qui-oidc-secret + name: qui-oidc-authentik - name: QUI__OIDC_REDIRECT_URL value: https://qui.alexlebens.net/api/auth/oidc/callback - name: QUI__OIDC_DISABLE_BUILT_IN_LOGIN diff --git a/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qbittorrent-wireguard-conf.yaml b/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-airvpn-wireguard-conf.yaml similarity index 64% rename from clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qbittorrent-wireguard-conf.yaml rename to clusters/cl01tl/manifests/qbittorrent/ExternalSecret-airvpn-wireguard-conf.yaml index 409d35ce3..f4b98e7f4 100644 --- a/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qbittorrent-wireguard-conf.yaml +++ b/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-airvpn-wireguard-conf.yaml 
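Review bot: This makes qui the third Deployment running as the shared `qbittorrent` ServiceAccount with token automount, so one OpenBao role now spans an OIDC-fronted web UI reachable at `qui.alexlebens.net`, the torrent client, and qbit-manage. qui consumes its OIDC client secret as env from a synced Secret, not through a CSI volume, so it does not need the token at all; either give each workload its own ServiceAccount and role, or set `automountServiceAccountToken: false` here and leave the shared identity to the one pod that mounts a SecretProviderClass.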
@@ -1,30 +1,34 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: qbittorrent-wireguard-conf + name: airvpn-wireguard-conf namespace: qbittorrent labels: - app.kubernetes.io/name: qbittorrent-wireguard-conf + app.kubernetes.io/name: airvpn-wireguard-conf app.kubernetes.io/instance: qbittorrent app.kubernetes.io/part-of: qbittorrent spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: + - secretKey: conf + remoteRef: + key: /airvpn/config + property: conf - secretKey: private-key remoteRef: - key: /airvpn/conf/cl01tl + key: /airvpn/config property: private-key - secretKey: preshared-key remoteRef: - key: /airvpn/conf/cl01tl + key: /airvpn/config property: preshared-key - secretKey: addresses remoteRef: - key: /airvpn/conf/cl01tl + key: /airvpn/config property: addresses - secretKey: input-ports remoteRef: - key: /airvpn/conf/cl01tl + key: /airvpn/config property: input-ports diff --git a/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-protonvpn-wireguard-conf.yaml b/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-protonvpn-wireguard-conf.yaml new file mode 100644 index 000000000..61e60dcea --- /dev/null +++ b/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-protonvpn-wireguard-conf.yaml @@ -0,0 +1,30 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: protonvpn-wireguard-conf + namespace: qbittorrent + labels: + app.kubernetes.io/name: protonvpn-wireguard-conf + app.kubernetes.io/instance: qbittorrent + app.kubernetes.io/part-of: qbittorrent +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: conf + remoteRef: + key: /protonvpn/config + property: conf + - secretKey: email + remoteRef: + key: /protonvpn/config + property: email + - secretKey: password + remoteRef: + key: /protonvpn/config + property: password + - secretKey: private-key + remoteRef: + key: /protonvpn/config + property: private-key 
diff --git a/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qbit-manage-config.yaml b/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qbit-manage-config.yaml
new file mode 100644
index 000000000..ef681f55e
--- /dev/null
+++ b/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qbit-manage-config.yaml
@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: qbit-manage-config
+ namespace: qbittorrent
+ labels:
+ app.kubernetes.io/name: qbit-manage-config
+ app.kubernetes.io/instance: qbittorrent
+ app.kubernetes.io/part-of: qbittorrent
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: openbao
+ target:
+ template:
+ mergePolicy: Merge
+ engineVersion: v2
+ data:
+ ntfy-url: "{{ .endpoint }}/{{ .topic }}"
+ data:
+ - secretKey: endpoint
+ remoteRef:
+ key: /cl01tl/ntfy/users/cl01tl
+ property: internal-endpoint-credential
+ - secretKey: topic
+ remoteRef:
+ key: /cl01tl/ntfy/topics
+ property: qbit-manage
diff --git a/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qbittorrent-qbit-manage-config.yaml b/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qbittorrent-qbit-manage-config.yaml
deleted file mode 100644
index 39ae17f1f..000000000
--- a/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qbittorrent-qbit-manage-config.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: qbittorrent-qbit-manage-config
- namespace: qbittorrent
- labels:
- app.kubernetes.io/name: qbittorrent-qbit-manage-config
- app.kubernetes.io/instance: qbittorrent
- app.kubernetes.io/part-of: qbittorrent
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: ntfy-url
- remoteRef:
- key: /cl01tl/qbittorrent/qbit-manage
- property: ntfy-url
- - secretKey: config.yml
- remoteRef:
- key: /cl01tl/qbittorrent/qbit-manage
- property: config.yml
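Review bot: With `mergePolicy: Merge` the generated Secret keeps the raw `endpoint` and `topic` keys next to the templated `ntfy-url`, and `endpoint` is sourced from `internal-endpoint-credential`, so the credential-bearing URL is stored twice while the qbit-manage deployment earlier in this diff reads only `ntfy-url`. If no other consumer needs the intermediate keys, the default policy (drop the `mergePolicy: Merge` line, or write `mergePolicy: Replace`) emits only the templated key and keeps the Secret to what is actually used. The deleted file that follows is a pure removal and needs no review.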
diff --git a/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qui-oidc-secret.yaml b/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qui-oidc-authentik.yaml similarity index 68% rename from clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qui-oidc-secret.yaml rename to clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qui-oidc-authentik.yaml index 0e25b1b0d..f0d4e7736 100644 --- a/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qui-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/qbittorrent/ExternalSecret-qui-oidc-authentik.yaml @@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: qui-oidc-secret + name: qui-oidc-authentik namespace: qbittorrent labels: - app.kubernetes.io/name: qui-oidc-secret + app.kubernetes.io/name: qui-oidc-authentik app.kubernetes.io/instance: qbittorrent app.kubernetes.io/part-of: qbittorrent spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: secret remoteRef: - key: /authentik/oidc/qui + key: /cl01tl/authentik/oidc/qui property: secret - secretKey: client remoteRef: - key: /authentik/oidc/qui + key: /cl01tl/authentik/oidc/qui property: client diff --git a/clusters/cl01tl/manifests/qbittorrent/PersistentVolumeClaim-qbittorrent-qbit-manage-config-var.yaml b/clusters/cl01tl/manifests/qbittorrent/PersistentVolumeClaim-qbittorrent-qbit-manage-config-var.yaml new file mode 100644 index 000000000..ec2d5a07f --- /dev/null +++ b/clusters/cl01tl/manifests/qbittorrent/PersistentVolumeClaim-qbittorrent-qbit-manage-config-var.yaml @@ -0,0 +1,17 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: qbittorrent-qbit-manage-config-var + labels: + app.kubernetes.io/instance: qbittorrent + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: qbittorrent + helm.sh/chart: qbittorrent-4.6.2 + namespace: qbittorrent +spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "500Mi" + storageClassName: "ceph-block" 
diff --git a/clusters/cl01tl/manifests/qbittorrent/Secret-qbittorrent-qbittorrent-sa-token.yaml b/clusters/cl01tl/manifests/qbittorrent/Secret-qbittorrent-qbittorrent-sa-token.yaml
new file mode 100644
index 000000000..d4e40951c
--- /dev/null
+++ b/clusters/cl01tl/manifests/qbittorrent/Secret-qbittorrent-qbittorrent-sa-token.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+ name: qbittorrent-qbittorrent-sa-token
+ labels:
+ app.kubernetes.io/instance: qbittorrent
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: qbittorrent
+ helm.sh/chart: qbittorrent-4.6.2
+ annotations:
+ kubernetes.io/service-account.name: qbittorrent
+ namespace: qbittorrent
diff --git a/clusters/cl01tl/manifests/qbittorrent/SecretProviderClass-qbit-manage-config.yaml b/clusters/cl01tl/manifests/qbittorrent/SecretProviderClass-qbit-manage-config.yaml
new file mode 100644
index 000000000..1655ee256
--- /dev/null
+++ b/clusters/cl01tl/manifests/qbittorrent/SecretProviderClass-qbit-manage-config.yaml
@@ -0,0 +1,19 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: qbit-manage-config
+ namespace: qbittorrent
+ labels:
+ app.kubernetes.io/name: qbit-manage-config
+ app.kubernetes.io/instance: qbittorrent
+ app.kubernetes.io/part-of: qbittorrent
+spec:
+ provider: openbao
+ parameters:
+ baoAddress: "http://openbao-internal.openbao:8200"
+ roleName: qbittorrent
+ objects: |
+ - objectName: config.yml
+ fileName: config.yml
+ secretPath: secret/data/cl01tl/qbittorrent/qbit-manage
+ secretKey: config.yml
diff --git a/clusters/cl01tl/manifests/qbittorrent/ServiceAccount-qbittorrent.yaml b/clusters/cl01tl/manifests/qbittorrent/ServiceAccount-qbittorrent.yaml
new file mode 100644
index 000000000..45fcaa483
--- /dev/null
+++ b/clusters/cl01tl/manifests/qbittorrent/ServiceAccount-qbittorrent.yaml
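Review bot: `type: kubernetes.io/service-account-token` makes the control plane mint a non-expiring legacy token for the `qbittorrent` service account and keep it in this Secret, yet the only reference to it anywhere in this diff is the `secrets:` entry on the ServiceAccount, and the `searxng` service account added for the same secrets-store setup carries no such Secret. Secrets-store providers for Vault-style backends authenticate with a short-lived token issued for the pod's service account rather than a static token Secret (confirm for the OpenBao provider in use), so this is most likely a standing credential that the OpenBao role `qbittorrent` would also accept. Unless a consumer outside this diff needs it, drop this file and the `- name: qbittorrent-qbittorrent-sa-token` entry on the ServiceAccount.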
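Review bot: `baoAddress: "http://openbao-internal.openbao:8200"` means the pod's service-account JWT goes out and `config.yml` comes back in cleartext on pod-to-pod traffic, and the searxng SecretProviderClass later in this diff uses the same address. Unless the cluster transparently encrypts pod traffic, pointing `baoAddress` at an https listener and supplying the CA through the provider's TLS parameter keeps both the credential and the payload off the wire; no CA or TLS parameter appears in this manifest, so it would need adding alongside the address change.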
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: qbittorrent + labels: + app.kubernetes.io/instance: qbittorrent + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: qbittorrent + helm.sh/chart: qbittorrent-4.6.2 + namespace: qbittorrent +secrets: + - name: qbittorrent-qbittorrent-sa-token diff --git a/clusters/cl01tl/manifests/rclone/CronJob-rclone-openbao-backups-external.yaml b/clusters/cl01tl/manifests/rclone/CronJob-rclone-openbao-backups-external.yaml index 0e0177338..5f458a9a6 100644 --- a/clusters/cl01tl/manifests/rclone/CronJob-rclone-openbao-backups-external.yaml +++ b/clusters/cl01tl/manifests/rclone/CronJob-rclone-openbao-backups-external.yaml @@ -66,10 +66,7 @@ spec: key: ACCESS_REGION name: external-openbao-backups-secret - name: RCLONE_CONFIG_DEST_ENDPOINT - valueFrom: - secretKeyRef: - key: ENDPOINT - name: external-openbao-backups-secret + value: https://nyc3.digitaloceanspaces.com - name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE value: "true" image: rclone/rclone:1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96 @@ -135,10 +132,7 @@ spec: key: ACCESS_REGION name: external-openbao-backups-secret - name: RCLONE_CONFIG_DEST_ENDPOINT - valueFrom: - secretKeyRef: - key: ENDPOINT - name: external-openbao-backups-secret + value: https://nyc3.digitaloceanspaces.com - name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE value: "true" image: rclone/rclone:1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96 diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-external-openbao-backups-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-external-openbao-backups-secret.yaml index 3f7dd073e..8ceac11c8 100644 --- a/clusters/cl01tl/manifests/rclone/ExternalSecret-external-openbao-backups-secret.yaml +++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-external-openbao-backups-secret.yaml 
@@ -24,7 +24,3 @@ spec: remoteRef: key: /digital-ocean/home-infra/openbao-backups property: ACCESS_SECRET_KEY - - secretKey: ENDPOINT - remoteRef: - key: /digital-ocean/home-infra/openbao-backups - property: ENDPOINT diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-directus-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-directus-secret.yaml index 973e80d6a..215552565 100644 --- a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-directus-secret.yaml +++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-directus-secret.yaml @@ -10,7 +10,7 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: ACCESS_KEY_ID remoteRef: @@ -26,9 +26,9 @@ spec: property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - key: /garage/config/local - property: ENDPOINT + key: /garage/config + property: ENDPOINT_LOCAL - secretKey: DEST_ENDPOINT remoteRef: - key: /garage/config/remote - property: ENDPOINT + key: /garage/config + property: ENDPOINT_REMOTE diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-karakeep-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-karakeep-secret.yaml index bd83a8583..115f1f317 100644 --- a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-karakeep-secret.yaml +++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-karakeep-secret.yaml @@ -26,9 +26,9 @@ spec: property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - key: /garage/config/local - property: ENDPOINT + key: /garage/config + property: ENDPOINT_LOCAL - secretKey: DEST_ENDPOINT remoteRef: - key: /garage/config/remote - property: ENDPOINT + key: /garage/config + property: ENDPOINT_REMOTE diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-ntfy-attachments-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-ntfy-attachments-secret.yaml index f37ce9217..236498800 100644 
--- a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-ntfy-attachments-secret.yaml +++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-ntfy-attachments-secret.yaml @@ -26,9 +26,9 @@ spec: property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - key: /garage/config/local - property: ENDPOINT + key: /garage/config + property: ENDPOINT_LOCAL - secretKey: DEST_ENDPOINT remoteRef: - key: /garage/config/remote - property: ENDPOINT + key: /garage/config + property: ENDPOINT_REMOTE diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-openbao-backups-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-openbao-backups-secret.yaml index abf63a4c5..811d49369 100644 --- a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-openbao-backups-secret.yaml +++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-openbao-backups-secret.yaml @@ -26,9 +26,9 @@ spec: property: ACCESS_SECRET_KEY - secretKey: ENDPOINT_LOCAL remoteRef: - key: /garage/home-infra/openbao-backups + key: /garage/config property: ENDPOINT_LOCAL - secretKey: ENDPOINT_REMOTE remoteRef: - key: /garage/home-infra/openbao-backups + key: /garage/config property: ENDPOINT_REMOTE diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-postgres-backups-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-postgres-backups-secret.yaml index 6a102cab9..07b4b2b5d 100644 --- a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-postgres-backups-secret.yaml +++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-postgres-backups-secret.yaml @@ -26,9 +26,9 @@ spec: property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - key: /garage/config/local - property: ENDPOINT + key: /garage/config + property: ENDPOINT_LOCAL - secretKey: DEST_ENDPOINT remoteRef: - key: /garage/config/remote - property: ENDPOINT + key: /garage/config + property: ENDPOINT_REMOTE 
diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-talos-backups-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-talos-backups-secret.yaml index 3988592c2..5f461950e 100644 --- a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-talos-backups-secret.yaml +++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-talos-backups-secret.yaml @@ -26,9 +26,9 @@ spec: property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - key: /garage/config/local - property: ENDPOINT + key: /garage/config + property: ENDPOINT_LOCAL - secretKey: DEST_ENDPOINT remoteRef: - key: /garage/config/remote - property: ENDPOINT + key: /garage/config + property: ENDPOINT_REMOTE diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-web-assets-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-web-assets-secret.yaml index c9064e65a..67df80716 100644 --- a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-web-assets-secret.yaml +++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-web-assets-secret.yaml @@ -26,9 +26,9 @@ spec: property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - key: /garage/config/local - property: ENDPOINT + key: /garage/config + property: ENDPOINT_LOCAL - secretKey: DEST_ENDPOINT remoteRef: - key: /garage/config/remote - property: ENDPOINT + key: /garage/config + property: ENDPOINT_REMOTE diff --git a/clusters/cl01tl/manifests/roundcube/Deployment-roundcube-main.yaml b/clusters/cl01tl/manifests/roundcube/Deployment-roundcube-main.yaml index a88bde8c8..7a58bd314 100644 --- a/clusters/cl01tl/manifests/roundcube/Deployment-roundcube-main.yaml +++ b/clusters/cl01tl/manifests/roundcube/Deployment-roundcube-main.yaml @@ -63,7 +63,7 @@ spec: valueFrom: secretKeyRef: key: DES_KEY - name: roundcube-key-secret + name: roundcube-key - name: ROUNDCUBEMAIL_DEFAULT_HOST value: stalwart.stalwart - name: ROUNDCUBEMAIL_DEFAULT_PORT 
diff --git a/clusters/cl01tl/manifests/roundcube/ExternalSecret-roundcube-key-secret.yaml b/clusters/cl01tl/manifests/roundcube/ExternalSecret-roundcube-key.yaml similarity index 72% rename from clusters/cl01tl/manifests/roundcube/ExternalSecret-roundcube-key-secret.yaml rename to clusters/cl01tl/manifests/roundcube/ExternalSecret-roundcube-key.yaml index 446675fa8..f395539e8 100644 --- a/clusters/cl01tl/manifests/roundcube/ExternalSecret-roundcube-key-secret.yaml +++ b/clusters/cl01tl/manifests/roundcube/ExternalSecret-roundcube-key.yaml @@ -1,18 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: roundcube-key-secret + name: roundcube-key namespace: roundcube labels: - app.kubernetes.io/name: roundcube-key-secret + app.kubernetes.io/name: roundcube-key app.kubernetes.io/instance: roundcube app.kubernetes.io/part-of: roundcube spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: DES_KEY remoteRef: key: /cl01tl/roundcube/key - property: DES_KEY + property: des-key diff --git a/clusters/cl01tl/manifests/rybbit/Deployment-rybbit-backend.yaml b/clusters/cl01tl/manifests/rybbit/Deployment-rybbit-backend.yaml index 2c4ca172d..1c85140a4 100644 --- a/clusters/cl01tl/manifests/rybbit/Deployment-rybbit-backend.yaml +++ b/clusters/cl01tl/manifests/rybbit/Deployment-rybbit-backend.yaml @@ -47,12 +47,12 @@ spec: valueFrom: secretKeyRef: key: clickhouse-user - name: rybbit-config-secret + name: rybbit-clickhouse-config - name: CLICKHOUSE_PASSWORD valueFrom: secretKeyRef: key: clickhouse-password - name: rybbit-config-secret + name: rybbit-clickhouse-config - name: POSTGRES_HOST valueFrom: secretKeyRef: @@ -82,7 +82,7 @@ spec: valueFrom: secretKeyRef: key: better-auth-secret - name: rybbit-config-secret + name: rybbit-config - name: BASE_URL value: https://rybbit.alexlebens.dev - name: DISABLE_SIGNUP 
@@ -93,7 +93,7 @@ spec: valueFrom: secretKeyRef: key: mapbox-token - name: rybbit-config-secret + name: rybbit-config image: ghcr.io/rybbit-io/rybbit-backend:v2.5.0@sha256:fd00f61abe592f872a0e4ac13f8c7b190ab2810e72f898faea4809d7ced46eef livenessProbe: failureThreshold: 5 diff --git a/clusters/cl01tl/manifests/rybbit/Deployment-rybbit-clickhouse.yaml b/clusters/cl01tl/manifests/rybbit/Deployment-rybbit-clickhouse.yaml index 6d8e9126d..66d21599c 100644 --- a/clusters/cl01tl/manifests/rybbit/Deployment-rybbit-clickhouse.yaml +++ b/clusters/cl01tl/manifests/rybbit/Deployment-rybbit-clickhouse.yaml @@ -43,12 +43,12 @@ spec: valueFrom: secretKeyRef: key: clickhouse-user - name: rybbit-config-secret + name: rybbit-clickhouse-config - name: CLICKHOUSE_PASSWORD valueFrom: secretKeyRef: key: clickhouse-password - name: rybbit-config-secret + name: rybbit-clickhouse-config image: clickhouse/clickhouse-server:26.3.9@sha256:537014a67ce8bf1f5c79c2e2b26fb30b8285a86ffff03875bb14ed17ea35db62 livenessProbe: failureThreshold: 5 diff --git a/clusters/cl01tl/manifests/rybbit/ExternalSecret-rybbit-config-secret.yaml b/clusters/cl01tl/manifests/rybbit/ExternalSecret-rybbit-clickhouse-config.yaml similarity index 58% rename from clusters/cl01tl/manifests/rybbit/ExternalSecret-rybbit-config-secret.yaml rename to clusters/cl01tl/manifests/rybbit/ExternalSecret-rybbit-clickhouse-config.yaml index b54930056..1f939a569 100644 --- a/clusters/cl01tl/manifests/rybbit/ExternalSecret-rybbit-config-secret.yaml +++ b/clusters/cl01tl/manifests/rybbit/ExternalSecret-rybbit-clickhouse-config.yaml 
@@ -1,16 +1,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: rybbit-config-secret + name: rybbit-clickhouse-config namespace: rybbit labels: - app.kubernetes.io/name: rybbit-config-secret + app.kubernetes.io/name: rybbit-clickhouse-config app.kubernetes.io/instance: rybbit app.kubernetes.io/part-of: rybbit spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: clickhouse-user remoteRef: @@ -20,11 +20,3 @@ spec: remoteRef: key: /cl01tl/rybbit/clickhouse property: password - - secretKey: better-auth-secret - remoteRef: - key: /cl01tl/rybbit/auth - property: better-auth-secret - - secretKey: mapbox-token - remoteRef: - key: /cl01tl/rybbit/auth - property: mapbox-token diff --git a/clusters/cl01tl/manifests/rybbit/ExternalSecret-rybbit-config.yaml b/clusters/cl01tl/manifests/rybbit/ExternalSecret-rybbit-config.yaml new file mode 100644 index 000000000..53da09234 --- /dev/null +++ b/clusters/cl01tl/manifests/rybbit/ExternalSecret-rybbit-config.yaml @@ -0,0 +1,22 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: rybbit-config + namespace: rybbit + labels: + app.kubernetes.io/name: rybbit-config + app.kubernetes.io/instance: rybbit + app.kubernetes.io/part-of: rybbit +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: better-auth-secret + remoteRef: + key: /cl01tl/rybbit/config + property: better-auth-secret + - secretKey: mapbox-token + remoteRef: + key: /cl01tl/rybbit/config + property: mapbox-token diff --git a/clusters/cl01tl/manifests/s3-exporter/Deployment-s3-exporter-digital-ocean.yaml b/clusters/cl01tl/manifests/s3-exporter/Deployment-s3-exporter-digital-ocean.yaml index 9380b0e75..9254a0440 100644 --- a/clusters/cl01tl/manifests/s3-exporter/Deployment-s3-exporter-digital-ocean.yaml +++ b/clusters/cl01tl/manifests/s3-exporter/Deployment-s3-exporter-digital-ocean.yaml 
@@ -43,17 +43,17 @@ spec: valueFrom: secretKeyRef: key: AWS_ACCESS_KEY_ID - name: s3-do-home-infra-secret + name: digital-ocean-s3-exporter-credentials - name: S3_SECRET_KEY valueFrom: secretKeyRef: key: AWS_SECRET_ACCESS_KEY - name: s3-do-home-infra-secret + name: digital-ocean-s3-exporter-credentials - name: S3_REGION valueFrom: secretKeyRef: key: AWS_REGION - name: s3-do-home-infra-secret + name: digital-ocean-s3-exporter-credentials - name: LOG_LEVEL value: info - name: S3_FORCE_PATH_STYLE diff --git a/clusters/cl01tl/manifests/s3-exporter/Deployment-s3-exporter-garage-local.yaml b/clusters/cl01tl/manifests/s3-exporter/Deployment-s3-exporter-garage-local.yaml index 5a87c8463..1a4aef1b7 100644 --- a/clusters/cl01tl/manifests/s3-exporter/Deployment-s3-exporter-garage-local.yaml +++ b/clusters/cl01tl/manifests/s3-exporter/Deployment-s3-exporter-garage-local.yaml @@ -43,14 +43,17 @@ spec: valueFrom: secretKeyRef: key: AWS_ACCESS_KEY_ID - name: s3-garage-secret + name: garage-s3-exporter-credentials - name: S3_SECRET_KEY valueFrom: secretKeyRef: key: AWS_SECRET_ACCESS_KEY - name: s3-garage-secret + name: garage-s3-exporter-credentials - name: S3_REGION - value: us-east-1 + valueFrom: + secretKeyRef: + key: ACCESS_REGION + name: garage-s3-exporter-credentials - name: LOG_LEVEL value: debug - name: S3_FORCE_PATH_STYLE diff --git a/clusters/cl01tl/manifests/s3-exporter/ExternalSecret-s3-do-home-infra-secret.yaml b/clusters/cl01tl/manifests/s3-exporter/ExternalSecret-digital-ocean-s3-exporter-credentials.yaml similarity index 64% rename from clusters/cl01tl/manifests/s3-exporter/ExternalSecret-s3-do-home-infra-secret.yaml rename to clusters/cl01tl/manifests/s3-exporter/ExternalSecret-digital-ocean-s3-exporter-credentials.yaml index ddd1618a2..d108b7417 100644 --- a/clusters/cl01tl/manifests/s3-exporter/ExternalSecret-s3-do-home-infra-secret.yaml +++ b/clusters/cl01tl/manifests/s3-exporter/ExternalSecret-digital-ocean-s3-exporter-credentials.yaml 
@@ -1,26 +1,26 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: s3-do-home-infra-secret + name: digital-ocean-s3-exporter-credentials namespace: s3-exporter labels: - app.kubernetes.io/name: s3-do-home-infra-secret + app.kubernetes.io/name: digital-ocean-s3-exporter-credentials app.kubernetes.io/instance: s3-exporter app.kubernetes.io/part-of: s3-exporter spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: - key: /digital-ocean/home-infra/all-access + key: /digital-ocean/home-infra/s3-exporter property: AWS_ACCESS_KEY_ID - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: - key: /digital-ocean/home-infra/all-access + key: /digital-ocean/home-infra/s3-exporter property: AWS_SECRET_ACCESS_KEY - secretKey: AWS_REGION remoteRef: - key: /digital-ocean/home-infra/prometheus-exporter + key: /digital-ocean/home-infra/s3-exporter property: AWS_REGION diff --git a/clusters/cl01tl/manifests/s3-exporter/ExternalSecret-s3-garage-secret.yaml b/clusters/cl01tl/manifests/s3-exporter/ExternalSecret-garage-s3-exporter-credentials.yaml similarity index 68% rename from clusters/cl01tl/manifests/s3-exporter/ExternalSecret-s3-garage-secret.yaml rename to clusters/cl01tl/manifests/s3-exporter/ExternalSecret-garage-s3-exporter-credentials.yaml index 3bf313f72..b6f7a79a8 100644 --- a/clusters/cl01tl/manifests/s3-exporter/ExternalSecret-s3-garage-secret.yaml +++ b/clusters/cl01tl/manifests/s3-exporter/ExternalSecret-garage-s3-exporter-credentials.yaml 
@@ -1,16 +1,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: s3-garage-secret + name: garage-s3-exporter-credentials namespace: s3-exporter labels: - app.kubernetes.io/name: s3-garage-secret + app.kubernetes.io/name: garage-s3-exporter-credentials app.kubernetes.io/instance: s3-exporter app.kubernetes.io/part-of: s3-exporter spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: @@ -20,3 +20,7 @@ spec: remoteRef: key: /garage/home-infra/s3-exporter property: ACCESS_SECRET_KEY + - secretKey: ACCESS_REGION + remoteRef: + key: /garage/home-infra/s3-exporter + property: ACCESS_REGION diff --git a/clusters/cl01tl/manifests/searxng/Deployment-searxng-api.yaml b/clusters/cl01tl/manifests/searxng/Deployment-searxng-api.yaml index 1e65cecf9..ec68edc8f 100644 --- a/clusters/cl01tl/manifests/searxng/Deployment-searxng-api.yaml +++ b/clusters/cl01tl/manifests/searxng/Deployment-searxng-api.yaml @@ -27,7 +27,7 @@ spec: app.kubernetes.io/name: searxng spec: enableServiceLinks: false - serviceAccountName: default + serviceAccountName: searxng automountServiceAccountToken: true hostIPC: false hostNetwork: false @@ -58,20 +58,17 @@ spec: volumeMounts: - mountPath: /etc/searxng name: api-data - - mountPath: /etc/searxng/settings.yml + - mountPath: /etc/searxng/ mountPropagation: None name: config readOnly: true - subPath: settings.yml - - mountPath: /etc/searxng/limiter.toml - mountPropagation: None - name: config - readOnly: true - subPath: limiter.toml volumes: - name: api-data persistentVolumeClaim: claimName: searxng-api-data - - name: config - secret: - secretName: searxng-api-config-secret + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: searxng-api-config + name: config 
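Review bot: In the second hunk the secrets-store volume `config` is mounted at `/etc/searxng/` while the `api-data` PVC stays mounted at `/etc/searxng`; the API server's duplicate-mountPath check compares the strings literally, so the trailing slash most likely passes validation, but at runtime one mount shadows the other and the container sees either only the two provider files or only the PVC contents depending on mount order. Either mount the provider directory beside the data, e.g. `mountPath: /etc/searxng/config`, and point searxng at it (`SEARXNG_SETTINGS_PATH` for the settings file), or restore the per-file mounts with `subPath: settings.yml` and `subPath: limiter.toml` as the removed lines did, accepting that subPath mounts do not pick up rotated content. The first hunk moves this pod onto the shared `searxng` service account; the note on the qui deployment earlier in this diff applies here too.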
diff --git a/clusters/cl01tl/manifests/searxng/Deployment-searxng-browser.yaml b/clusters/cl01tl/manifests/searxng/Deployment-searxng-browser.yaml index 9cd24eef2..56753f1b4 100644 --- a/clusters/cl01tl/manifests/searxng/Deployment-searxng-browser.yaml +++ b/clusters/cl01tl/manifests/searxng/Deployment-searxng-browser.yaml @@ -27,7 +27,7 @@ spec: app.kubernetes.io/name: searxng spec: enableServiceLinks: false - serviceAccountName: default + serviceAccountName: searxng automountServiceAccountToken: true hostIPC: false hostNetwork: false diff --git a/clusters/cl01tl/manifests/searxng/ExternalSecret-searxng-api-config-secret.yaml b/clusters/cl01tl/manifests/searxng/ExternalSecret-searxng-api-config-secret.yaml deleted file mode 100644 index d794d3303..000000000 --- a/clusters/cl01tl/manifests/searxng/ExternalSecret-searxng-api-config-secret.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: searxng-api-config-secret - namespace: searxng - labels: - app.kubernetes.io/name: searxng-api-config-secret - app.kubernetes.io/instance: searxng - app.kubernetes.io/part-of: searxng -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: settings.yml - remoteRef: - key: /cl01tl/searxng/api/config - property: settings.yml - - secretKey: limiter.toml - remoteRef: - key: /cl01tl/searxng/api/config - property: limiter.toml diff --git a/clusters/cl01tl/manifests/searxng/ExternalSecret-searxng-browser-metrics-auth.yaml b/clusters/cl01tl/manifests/searxng/ExternalSecret-searxng-browser-metrics-credentials.yaml similarity index 60% rename from clusters/cl01tl/manifests/searxng/ExternalSecret-searxng-browser-metrics-auth.yaml rename to clusters/cl01tl/manifests/searxng/ExternalSecret-searxng-browser-metrics-credentials.yaml index b02426e53..38ab8cddd 100644 --- a/clusters/cl01tl/manifests/searxng/ExternalSecret-searxng-browser-metrics-auth.yaml 
+++ b/clusters/cl01tl/manifests/searxng/ExternalSecret-searxng-browser-metrics-credentials.yaml @@ -1,10 +1,10 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: searxng-browser-metrics-auth + name: searxng-browser-metrics-credentials namespace: searxng labels: - app.kubernetes.io/name: searxng-browser-metrics-auth + app.kubernetes.io/name: searxng-browser-metrics-credentials app.kubernetes.io/instance: searxng app.kubernetes.io/part-of: searxng spec: @@ -14,9 +14,9 @@ spec: data: - secretKey: metrics-password remoteRef: - key: cl01tl/searxng/browser - property: metrics-password + key: /cl01tl/searxng/metrics + property: password - secretKey: metrics-username remoteRef: - key: cl01tl/searxng/browser - property: metrics-username + key: /cl01tl/searxng/metrics + property: username diff --git a/clusters/cl01tl/manifests/searxng/SecretProviderClass-searxng-api-config.yaml b/clusters/cl01tl/manifests/searxng/SecretProviderClass-searxng-api-config.yaml new file mode 100644 index 000000000..3521f542b --- /dev/null +++ b/clusters/cl01tl/manifests/searxng/SecretProviderClass-searxng-api-config.yaml @@ -0,0 +1,23 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: searxng-api-config + namespace: searxng + labels: + app.kubernetes.io/name: searxng-api-config + app.kubernetes.io/instance: searxng + app.kubernetes.io/part-of: searxng +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: searxng + objects: | + - objectName: limiter.toml + fileName: limiter.toml + secretPath: secret/data/cl01tl/searxng/api + secretKey: limiter.toml + - objectName: settings.yml + fileName: settings.yml + secretPath: secret/data/cl01tl/searxng/api + secretKey: settings.yml diff --git a/clusters/cl01tl/manifests/searxng/ServiceAccount-searxng.yaml b/clusters/cl01tl/manifests/searxng/ServiceAccount-searxng.yaml new file mode 100644 index 000000000..151109a17 --- /dev/null 
+++ b/clusters/cl01tl/manifests/searxng/ServiceAccount-searxng.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: searxng + labels: + app.kubernetes.io/instance: searxng + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: searxng + helm.sh/chart: searxng-4.6.2 + namespace: searxng diff --git a/clusters/cl01tl/manifests/searxng/ServiceMonitor-searxng.yaml b/clusters/cl01tl/manifests/searxng/ServiceMonitor-searxng.yaml index f9aab1d64..71698019b 100644 --- a/clusters/cl01tl/manifests/searxng/ServiceMonitor-searxng.yaml +++ b/clusters/cl01tl/manifests/searxng/ServiceMonitor-searxng.yaml @@ -21,10 +21,10 @@ spec: - basicAuth: password: key: metrics-password - name: searxng-browser-metrics-auth + name: searxng-browser-metrics-credentials username: key: metrics-username - name: searxng-browser-metrics-auth + name: searxng-browser-metrics-credentials interval: 30s path: /metrics port: mail diff --git a/clusters/cl01tl/manifests/shelfmark/Deployment-shelfmark.yaml b/clusters/cl01tl/manifests/shelfmark/Deployment-shelfmark.yaml index b6c7650f2..94ef0df66 100644 --- a/clusters/cl01tl/manifests/shelfmark/Deployment-shelfmark.yaml +++ b/clusters/cl01tl/manifests/shelfmark/Deployment-shelfmark.yaml @@ -60,12 +60,12 @@ spec: valueFrom: secretKeyRef: key: grimmory-user - name: shelfmark-config-secret + name: shelfmark-grimmory-config - name: BOOKLORE_PASSWORD valueFrom: secretKeyRef: key: grimmory-password - name: shelfmark-config-secret + name: shelfmark-grimmory-config - name: BOOKLORE_DESTINATION value: library - name: BOOKLORE_LIBRARY_ID @@ -92,7 +92,7 @@ spec: valueFrom: secretKeyRef: key: prowlarr-key - name: shelfmark-config-secret + name: shelfmark-prowlarr-config - name: ABB_ENABLED value: "true" - name: ABB_HOSTNAME 
diff --git a/clusters/cl01tl/manifests/shelfmark/ExternalSecret-shelfmark-config-secret.yaml b/clusters/cl01tl/manifests/shelfmark/ExternalSecret-shelfmark-grimmory-config.yaml similarity index 58% rename from clusters/cl01tl/manifests/shelfmark/ExternalSecret-shelfmark-config-secret.yaml rename to clusters/cl01tl/manifests/shelfmark/ExternalSecret-shelfmark-grimmory-config.yaml index feb6847d1..792b16adb 100644 --- a/clusters/cl01tl/manifests/shelfmark/ExternalSecret-shelfmark-config-secret.yaml +++ b/clusters/cl01tl/manifests/shelfmark/ExternalSecret-shelfmark-grimmory-config.yaml @@ -1,26 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: shelfmark-config-secret + name: shelfmark-grimmory-config namespace: shelfmark labels: - app.kubernetes.io/name: shelfmark-config-secret + app.kubernetes.io/name: shelfmark-grimmory-config app.kubernetes.io/instance: shelfmark app.kubernetes.io/part-of: shelfmark spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: grimmory-user remoteRef: - key: /cl01tl/shelfmark/booklore + key: /cl01tl/grimmory/users/shelfmark property: user - secretKey: grimmory-password remoteRef: - key: /cl01tl/shelfmark/booklore + key: /cl01tl/grimmory/users/shelfmark property: password - - secretKey: prowlarr-key - remoteRef: - key: /cl01tl/prowlarr/key - property: key diff --git a/clusters/cl01tl/manifests/shelfmark/ExternalSecret-shelfmark-prowlarr-config.yaml b/clusters/cl01tl/manifests/shelfmark/ExternalSecret-shelfmark-prowlarr-config.yaml new file mode 100644 index 000000000..def6dab9d --- /dev/null +++ b/clusters/cl01tl/manifests/shelfmark/ExternalSecret-shelfmark-prowlarr-config.yaml 
@@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: shelfmark-prowlarr-config + namespace: shelfmark + labels: + app.kubernetes.io/name: shelfmark-prowlarr-config + app.kubernetes.io/instance: shelfmark + app.kubernetes.io/part-of: shelfmark +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: prowlarr-key + remoteRef: + key: /cl01tl/prowlarr/key + property: key diff --git a/clusters/cl01tl/manifests/shelly-plug/ExternalSecret-shelly-plug-config-secret.yaml b/clusters/cl01tl/manifests/shelly-plug/ExternalSecret-shelly-plug-config-secret.yaml index 6bdac2da2..daf650cbd 100644 --- a/clusters/cl01tl/manifests/shelly-plug/ExternalSecret-shelly-plug-config-secret.yaml +++ b/clusters/cl01tl/manifests/shelly-plug/ExternalSecret-shelly-plug-config-secret.yaml @@ -10,13 +10,13 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: SHELLY_HTTP_USERNAME remoteRef: - key: /shelly-plug/auth/it05sp - property: SHELLY_HTTP_USERNAME + key: /it05sp/auth + property: username - secretKey: SHELLY_HTTP_PASSWORD remoteRef: - key: /shelly-plug/auth/it05sp - property: SHELLY_HTTP_PASSWORD + key: /it05sp/auth + property: password diff --git a/clusters/cl01tl/manifests/slskd/ServiceAccount-slskd.yaml b/clusters/cl01tl/manifests/slskd/ServiceAccount-slskd.yaml new file mode 100644 index 000000000..39fbdcaf5 --- /dev/null +++ b/clusters/cl01tl/manifests/slskd/ServiceAccount-slskd.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: slskd + labels: + app.kubernetes.io/instance: slskd + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: slskd + helm.sh/chart: slskd-4.6.2 + namespace: slskd diff --git a/clusters/cl01tl/manifests/sparkyfitness/Deployment-sparkyfitness-server.yaml b/clusters/cl01tl/manifests/sparkyfitness/Deployment-sparkyfitness-server.yaml index 3d4a9067e..06565338d 100644 
--- a/clusters/cl01tl/manifests/sparkyfitness/Deployment-sparkyfitness-server.yaml +++ b/clusters/cl01tl/manifests/sparkyfitness/Deployment-sparkyfitness-server.yaml @@ -93,12 +93,12 @@ spec: - name: SPARKY_FITNESS_OIDC_CLIENT_ID valueFrom: secretKeyRef: - name: sparkyfitness-oidc-secret + name: sparkyfitness-oidc-authentik key: client_id - name: SPARKY_FITNESS_OIDC_CLIENT_SECRET valueFrom: secretKeyRef: - name: sparkyfitness-oidc-secret + name: sparkyfitness-oidc-authentik key: client_secret securityContext: allowPrivilegeEscalation: false diff --git a/clusters/cl01tl/manifests/sparkyfitness/ExternalSecret-sparkyfitness-key-secret.yaml b/clusters/cl01tl/manifests/sparkyfitness/ExternalSecret-sparkyfitness-key-secret.yaml index c0ccad8b2..3e49b1668 100644 --- a/clusters/cl01tl/manifests/sparkyfitness/ExternalSecret-sparkyfitness-key-secret.yaml +++ b/clusters/cl01tl/manifests/sparkyfitness/ExternalSecret-sparkyfitness-key-secret.yaml @@ -10,13 +10,13 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: api_encryption_key remoteRef: key: /cl01tl/sparkyfitness/key - property: api_encryption_key + property: api-encryption-key - secretKey: better_auth_secret remoteRef: key: /cl01tl/sparkyfitness/key - property: better_auth_secret + property: better-auth-secret diff --git a/clusters/cl01tl/manifests/sparkyfitness/ExternalSecret-sparkyfitness-oidc-secret.yaml b/clusters/cl01tl/manifests/sparkyfitness/ExternalSecret-sparkyfitness-oidc-authentik.yaml similarity index 65% rename from clusters/cl01tl/manifests/sparkyfitness/ExternalSecret-sparkyfitness-oidc-secret.yaml rename to clusters/cl01tl/manifests/sparkyfitness/ExternalSecret-sparkyfitness-oidc-authentik.yaml index 5040a7436..0088acd6b 100644 --- a/clusters/cl01tl/manifests/sparkyfitness/ExternalSecret-sparkyfitness-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/sparkyfitness/ExternalSecret-sparkyfitness-oidc-authentik.yaml 
@@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: sparkyfitness-oidc-secret + name: sparkyfitness-oidc-authentik namespace: sparkyfitness labels: - app.kubernetes.io/name: sparkyfitness-oidc-secret + app.kubernetes.io/name: sparkyfitness-oidc-authentik app.kubernetes.io/instance: sparkyfitness app.kubernetes.io/part-of: sparkyfitness spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: client_id remoteRef: - key: /authentik/oidc/sparkyfitness + key: /cl01tl/authentik/oidc/sparkyfitness property: client - secretKey: client_secret remoteRef: - key: /authentik/oidc/sparkyfitness + key: /cl01tl/authentik/oidc/sparkyfitness property: secret diff --git a/clusters/cl01tl/manifests/stalwart/Elasticsearch-elasticsearch-stalwart.yaml b/clusters/cl01tl/manifests/stalwart/Elasticsearch-elasticsearch-stalwart.yaml index 3b1cb7a70..dbed0cd11 100644 --- a/clusters/cl01tl/manifests/stalwart/Elasticsearch-elasticsearch-stalwart.yaml +++ b/clusters/cl01tl/manifests/stalwart/Elasticsearch-elasticsearch-stalwart.yaml @@ -11,7 +11,7 @@ spec: version: 9.3.3 auth: fileRealm: - - secretName: stalwart-elasticsearch-secret + - secretName: stalwart-elasticsearch-config nodeSets: - name: default count: 2 diff --git a/clusters/cl01tl/manifests/stalwart/ExternalSecret-stalwart-elasticsearch-secret.yaml b/clusters/cl01tl/manifests/stalwart/ExternalSecret-stalwart-elasticsearch-config.yaml similarity index 83% rename from clusters/cl01tl/manifests/stalwart/ExternalSecret-stalwart-elasticsearch-secret.yaml rename to clusters/cl01tl/manifests/stalwart/ExternalSecret-stalwart-elasticsearch-config.yaml index 6c920c013..0240dee30 100644 --- a/clusters/cl01tl/manifests/stalwart/ExternalSecret-stalwart-elasticsearch-secret.yaml +++ b/clusters/cl01tl/manifests/stalwart/ExternalSecret-stalwart-elasticsearch-config.yaml 
@@ -1,16 +1,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: stalwart-elasticsearch-secret + name: stalwart-elasticsearch-config namespace: stalwart labels: - app.kubernetes.io/name: stalwart-elasticsearch-secret + app.kubernetes.io/name: stalwart-elasticsearch-config app.kubernetes.io/instance: stalwart app.kubernetes.io/part-of: stalwart spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: username remoteRef: diff --git a/clusters/cl01tl/manifests/tailscale-operator/ExternalSecret-operator-oauth.yaml b/clusters/cl01tl/manifests/tailscale-operator/ExternalSecret-operator-oauth.yaml index 8744b4f9c..5b3be98de 100644 --- a/clusters/cl01tl/manifests/tailscale-operator/ExternalSecret-operator-oauth.yaml +++ b/clusters/cl01tl/manifests/tailscale-operator/ExternalSecret-operator-oauth.yaml @@ -10,13 +10,13 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: client_id remoteRef: - key: /tailscale/k8s-operator - property: clientId + key: /tailscale/credentials/k8s-operator + property: client-id - secretKey: client_secret remoteRef: - key: /tailscale/k8s-operator - property: clientSecret + key: /tailscale/credentials/k8s-operator + property: client-secret diff --git a/clusters/cl01tl/manifests/talos/CronJob-etcd-defrag-defrag-1.yaml b/clusters/cl01tl/manifests/talos/CronJob-etcd-defrag-defrag-1.yaml index 674da173f..87337b759 100644 --- a/clusters/cl01tl/manifests/talos/CronJob-etcd-defrag-defrag-1.yaml +++ b/clusters/cl01tl/manifests/talos/CronJob-etcd-defrag-defrag-1.yaml 
@@ -54,12 +54,13 @@ spec: image: ghcr.io/siderolabs/talosctl:v1.12.6@sha256:a027cf02cf74a75eee83ccffa201f3a9455d77e795d092b87cae5e637f143e54 name: main volumeMounts: - - mountPath: /tmp/.talos/config - mountPropagation: None - name: talos-config-1 + - mountPath: /tmp/.talos/ + name: config readOnly: true - subPath: config volumes: - - name: talos-config-1 - secret: - secretName: talos-etcd-defrag-secret + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: talos-etcd-defrag-config + name: config diff --git a/clusters/cl01tl/manifests/talos/CronJob-etcd-defrag-defrag-2.yaml b/clusters/cl01tl/manifests/talos/CronJob-etcd-defrag-defrag-2.yaml index b16df8f4b..f3d23b8a2 100644 --- a/clusters/cl01tl/manifests/talos/CronJob-etcd-defrag-defrag-2.yaml +++ b/clusters/cl01tl/manifests/talos/CronJob-etcd-defrag-defrag-2.yaml @@ -54,12 +54,13 @@ spec: image: ghcr.io/siderolabs/talosctl:v1.12.6@sha256:a027cf02cf74a75eee83ccffa201f3a9455d77e795d092b87cae5e637f143e54 name: main volumeMounts: - - mountPath: /tmp/.talos/config - mountPropagation: None - name: talos-config-2 + - mountPath: /tmp/.talos/ + name: config readOnly: true - subPath: config volumes: - - name: talos-config-2 - secret: - secretName: talos-etcd-defrag-secret + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: talos-etcd-defrag-config + name: config diff --git a/clusters/cl01tl/manifests/talos/CronJob-etcd-defrag-defrag-3.yaml b/clusters/cl01tl/manifests/talos/CronJob-etcd-defrag-defrag-3.yaml index 16b594950..9e4e3c6b2 100644 --- a/clusters/cl01tl/manifests/talos/CronJob-etcd-defrag-defrag-3.yaml +++ b/clusters/cl01tl/manifests/talos/CronJob-etcd-defrag-defrag-3.yaml 
@@ -54,12 +54,13 @@ spec: image: ghcr.io/siderolabs/talosctl:v1.12.6@sha256:a027cf02cf74a75eee83ccffa201f3a9455d77e795d092b87cae5e637f143e54 name: main volumeMounts: - - mountPath: /tmp/.talos/config - mountPropagation: None - name: talos-config-3 + - mountPath: /tmp/.talos/ + name: config readOnly: true - subPath: config volumes: - - name: talos-config-3 - secret: - secretName: talos-etcd-defrag-secret + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: talos-etcd-defrag-config + name: config diff --git a/clusters/cl01tl/manifests/talos/CronJob-talos-external.yaml b/clusters/cl01tl/manifests/talos/CronJob-talos-external.yaml index 97163f2e9..fac57957e 100644 --- a/clusters/cl01tl/manifests/talos/CronJob-talos-external.yaml +++ b/clusters/cl01tl/manifests/talos/CronJob-talos-external.yaml @@ -50,12 +50,12 @@ spec: valueFrom: secretKeyRef: key: AWS_ACCESS_KEY_ID - name: talos-etcd-backup-external-secret + name: talos-etcd-backup-external-config - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: key: AWS_SECRET_ACCESS_KEY - name: talos-etcd-backup-external-secret + name: talos-etcd-backup-external-config - name: AWS_REGION value: nyc3 - name: CUSTOM_S3_ENDPOINT @@ -70,7 +70,7 @@ spec: valueFrom: secretKeyRef: key: AGE_X25519_PUBLIC_KEY - name: talos-etcd-backup-external-secret + name: talos-etcd-backup-external-config - name: USE_PATH_STYLE value: "false" image: ghcr.io/siderolabs/talos-backup:v0.1.0-beta.3-7-ge8e193c@sha256:d6f98bf2817bb0bd46be49e41251e24d713945a6af6e893529cc17d524187953 @@ -91,9 +91,9 @@ spec: name: secret readOnly: true - mountPath: /.talos - name: talos-external + name: talos - mountPath: /tmp - name: tmp-external + name: tmp workingDir: /tmp - args: - -ec 
@@ -107,34 +107,37 @@ spec: value: "1209600" envFrom: - secretRef: - name: talos-etcd-backup-external-secret + name: talos-etcd-backup-external-config - secretRef: - name: talos-backup-ntfy-secret + name: talos-ntfy-config image: d3fk/s3cmd:latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2 name: s3-prune volumeMounts: + - mountPath: /root/.s3cfg + mountPropagation: None + name: etcd-backup-external-config + readOnly: true + subPath: .s3cfg - mountPath: /scripts/prune.sh name: prune-script subPath: prune.sh - - mountPath: /root/.s3cfg - mountPropagation: None - name: s3cmd-config-external - readOnly: true - subPath: .s3cfg volumes: + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: talos-etcd-backup-external-config + name: etcd-backup-external-config - configMap: defaultMode: 493 name: talos-prune-script name: prune-script - - name: s3cmd-config-external - secret: - secretName: talos-etcd-backup-external-secret - name: secret secret: secretName: talos-backup-secrets - emptyDir: medium: Memory - name: talos-external + name: talos - emptyDir: medium: Memory - name: tmp-external + name: tmp diff --git a/clusters/cl01tl/manifests/talos/CronJob-talos-local.yaml b/clusters/cl01tl/manifests/talos/CronJob-talos-local.yaml index 52f66bbaa..6a481f16c 100644 --- a/clusters/cl01tl/manifests/talos/CronJob-talos-local.yaml +++ b/clusters/cl01tl/manifests/talos/CronJob-talos-local.yaml @@ -50,12 +50,12 @@ spec: valueFrom: secretKeyRef: key: AWS_ACCESS_KEY_ID - name: talos-etcd-backup-local-secret + name: talos-etcd-backup-local-config - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: key: AWS_SECRET_ACCESS_KEY - name: talos-etcd-backup-local-secret + name: talos-etcd-backup-local-config - name: AWS_REGION value: us-east-1 - name: CUSTOM_S3_ENDPOINT 
@@ -70,7 +70,7 @@ spec: valueFrom: secretKeyRef: key: AGE_X25519_PUBLIC_KEY - name: talos-etcd-backup-local-secret + name: talos-etcd-backup-local-config - name: USE_PATH_STYLE value: "false" image: ghcr.io/siderolabs/talos-backup:v0.1.0-beta.3-7-ge8e193c@sha256:d6f98bf2817bb0bd46be49e41251e24d713945a6af6e893529cc17d524187953 @@ -91,9 +91,9 @@ spec: name: secret readOnly: true - mountPath: /.talos - name: talos-local + name: talos - mountPath: /tmp - name: tmp-local + name: tmp workingDir: /tmp - args: - -ec @@ -107,34 +107,37 @@ spec: value: "2419200" envFrom: - secretRef: - name: talos-etcd-backup-local-secret + name: talos-etcd-backup-local-config - secretRef: - name: talos-backup-ntfy-secret + name: talos-ntfy-config image: d3fk/s3cmd:latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2 name: s3-prune volumeMounts: + - mountPath: /root/.s3cfg + mountPropagation: None + name: etcd-backup-local-config + readOnly: true + subPath: .s3cfg - mountPath: /scripts/prune.sh name: prune-script subPath: prune.sh - - mountPath: /root/.s3cfg - mountPropagation: None - name: s3cmd-config-local - readOnly: true - subPath: .s3cfg volumes: + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: talos-etcd-backup-local-config + name: etcd-backup-local-config - configMap: defaultMode: 493 name: talos-prune-script name: prune-script - - name: s3cmd-config-local - secret: - secretName: talos-etcd-backup-local-secret - name: secret secret: secretName: talos-backup-secrets - emptyDir: medium: Memory - name: talos-local + name: talos - emptyDir: medium: Memory - name: tmp-local + name: tmp diff --git a/clusters/cl01tl/manifests/talos/CronJob-talos-remote.yaml b/clusters/cl01tl/manifests/talos/CronJob-talos-remote.yaml index 13e7f12e2..d48c6084a 100644 --- a/clusters/cl01tl/manifests/talos/CronJob-talos-remote.yaml +++ b/clusters/cl01tl/manifests/talos/CronJob-talos-remote.yaml 
@@ -50,12 +50,12 @@ spec: valueFrom: secretKeyRef: key: AWS_ACCESS_KEY_ID - name: talos-etcd-backup-remote-secret + name: talos-etcd-backup-remote-config - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: key: AWS_SECRET_ACCESS_KEY - name: talos-etcd-backup-remote-secret + name: talos-etcd-backup-remote-config - name: AWS_REGION value: us-east-1 - name: CUSTOM_S3_ENDPOINT @@ -70,7 +70,7 @@ spec: valueFrom: secretKeyRef: key: AGE_X25519_PUBLIC_KEY - name: talos-etcd-backup-remote-secret + name: talos-etcd-backup-remote-config - name: USE_PATH_STYLE value: "false" image: ghcr.io/siderolabs/talos-backup:v0.1.0-beta.3-7-ge8e193c@sha256:d6f98bf2817bb0bd46be49e41251e24d713945a6af6e893529cc17d524187953 @@ -91,9 +91,9 @@ spec: name: secret readOnly: true - mountPath: /.talos - name: talos-remote + name: talos - mountPath: /tmp - name: tmp-remote + name: tmp workingDir: /tmp - args: - -ec 
@@ -107,34 +107,37 @@ spec: value: "2419200" envFrom: - secretRef: - name: talos-etcd-backup-remote-secret + name: talos-etcd-backup-remote-config - secretRef: - name: talos-backup-ntfy-secret + name: talos-ntfy-config image: d3fk/s3cmd:latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2 name: s3-prune volumeMounts: + - mountPath: /root/.s3cfg + mountPropagation: None + name: etcd-backup-remote-config + readOnly: true + subPath: .s3cfg - mountPath: /scripts/prune.sh name: prune-script subPath: prune.sh - - mountPath: /root/.s3cfg - mountPropagation: None - name: s3cmd-config-remote - readOnly: true - subPath: .s3cfg volumes: + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: talos-etcd-backup-remote-config + name: etcd-backup-remote-config - configMap: defaultMode: 493 name: talos-prune-script name: prune-script - - name: s3cmd-config-remote - secret: - secretName: talos-etcd-backup-remote-secret - name: secret secret: secretName: talos-backup-secrets - emptyDir: medium: Memory - name: talos-remote + name: talos - emptyDir: medium: Memory - name: tmp-remote + name: tmp diff --git a/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-external-secret.yaml b/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-external-config.yaml similarity index 58% rename from clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-external-secret.yaml rename to clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-external-config.yaml index 0c81d8549..a2dd66018 100644 --- a/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-external-secret.yaml +++ b/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-external-config.yaml 
@@ -1,33 +1,29 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: talos-etcd-backup-external-secret + name: talos-etcd-backup-external-config namespace: talos labels: - app.kubernetes.io/name: talos-etcd-backup-external-secret + app.kubernetes.io/name: talos-etcd-backup-external-config app.kubernetes.io/instance: talos app.kubernetes.io/part-of: talos spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: - key: /digital-ocean/home-infra/etcd-backup + key: /digital-ocean/home-infra/talos-backups property: AWS_ACCESS_KEY_ID - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: - key: /digital-ocean/home-infra/etcd-backup + key: /digital-ocean/home-infra/talos-backups property: AWS_SECRET_ACCESS_KEY - - secretKey: .s3cfg - remoteRef: - key: /digital-ocean/home-infra/etcd-backup - property: s3cfg - secretKey: BUCKET remoteRef: - key: /digital-ocean/home-infra/etcd-backup - property: BUCKET + key: /digital-ocean/home-infra/talos-backups + property: BUCKET_PATH - secretKey: AGE_X25519_PUBLIC_KEY remoteRef: key: /cl01tl/talos/etcd-backup diff --git a/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-local-secret.yaml b/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-local-config.yaml similarity index 73% rename from clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-local-secret.yaml rename to clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-local-config.yaml index 6ae33cb10..1dce794d2 100644 --- a/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-local-secret.yaml +++ b/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-local-config.yaml 
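Review bot: The `BUCKET` entry now reads property `BUCKET_PATH` while the secret key the jobs consume stays `BUCKET`, which suggests the stored value changed from a bare bucket name to a `bucket/prefix` form; nothing in the commit shows that talos-backup (reading `BUCKET` via `envFrom`) and the s3cmd prune script accept a path there, so confirm against both consumers before the next scheduled run. The same key/property mismatch is repeated in the local and remote ExternalSecrets (`talos-etcd-backup-local-config`, `talos-etcd-backup-remote-config`). A one-line comment above the entry would spare the next reader the question, e.g. `# BUCKET_PATH holds bucket[/prefix]; the job sees it as BUCKET`. Dropping `.s3cfg` from this ExternalSecret is welcome, since the whole file with its credentials was previously synced into the same Secret the container injects wholesale with `envFrom`.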
@@ -1,16 +1,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: talos-etcd-backup-local-secret + name: talos-etcd-backup-local-config namespace: talos labels: - app.kubernetes.io/name: talos-etcd-backup-local-secret + app.kubernetes.io/name: talos-etcd-backup-local-config app.kubernetes.io/instance: talos app.kubernetes.io/part-of: talos spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: @@ -20,14 +20,10 @@ spec: remoteRef: key: /garage/home-infra/talos-backups property: ACCESS_SECRET_KEY - - secretKey: .s3cfg - remoteRef: - key: /garage/home-infra/talos-backups - property: s3cfg-local - secretKey: BUCKET remoteRef: key: /garage/home-infra/talos-backups - property: BUCKET + property: BUCKET_PATH - secretKey: AGE_X25519_PUBLIC_KEY remoteRef: key: /cl01tl/talos/etcd-backup diff --git a/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-remote-secret.yaml b/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-remote-config.yaml similarity index 73% rename from clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-remote-secret.yaml rename to clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-remote-config.yaml index 52819ba43..ec3150b20 100644 --- a/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-remote-secret.yaml +++ b/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-backup-remote-config.yaml @@ -1,16 +1,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: talos-etcd-backup-remote-secret + name: talos-etcd-backup-remote-config namespace: talos labels: - app.kubernetes.io/name: talos-etcd-backup-remote-secret + app.kubernetes.io/name: talos-etcd-backup-remote-config app.kubernetes.io/instance: talos app.kubernetes.io/part-of: talos spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: AWS_ACCESS_KEY_ID remoteRef: 
@@ -20,14 +20,10 @@ spec: remoteRef: key: /garage/home-infra/talos-backups property: ACCESS_SECRET_KEY - - secretKey: .s3cfg - remoteRef: - key: /garage/home-infra/talos-backups - property: s3cfg-remote - secretKey: BUCKET remoteRef: key: /garage/home-infra/talos-backups - property: BUCKET + property: BUCKET_PATH - secretKey: AGE_X25519_PUBLIC_KEY remoteRef: key: /cl01tl/talos/etcd-backup diff --git a/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-defrag-secret.yaml b/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-defrag-secret.yaml deleted file mode 100644 index 57cf62745..000000000 --- a/clusters/cl01tl/manifests/talos/ExternalSecret-talos-etcd-defrag-secret.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: talos-etcd-defrag-secret - namespace: talos - labels: - app.kubernetes.io/name: talos-etcd-defrag-secret - app.kubernetes.io/instance: talos - app.kubernetes.io/part-of: talos -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: config - remoteRef: - key: /cl01tl/talos/etcd-defrag - property: config diff --git a/clusters/cl01tl/manifests/talos/ExternalSecret-talos-backup-ntfy-secret.yaml b/clusters/cl01tl/manifests/talos/ExternalSecret-talos-ntfy-config.yaml similarity index 60% rename from clusters/cl01tl/manifests/talos/ExternalSecret-talos-backup-ntfy-secret.yaml rename to clusters/cl01tl/manifests/talos/ExternalSecret-talos-ntfy-config.yaml index 396e672aa..9a691bd92 100644 --- a/clusters/cl01tl/manifests/talos/ExternalSecret-talos-backup-ntfy-secret.yaml +++ b/clusters/cl01tl/manifests/talos/ExternalSecret-talos-ntfy-config.yaml 
@@ -1,26 +1,26 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: talos-backup-ntfy-secret + name: talos-ntfy-config namespace: talos labels: - app.kubernetes.io/name: talos-backup-ntfy-secret + app.kubernetes.io/name: talos-ntfy-config app.kubernetes.io/instance: talos app.kubernetes.io/part-of: talos spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: NTFY_TOKEN remoteRef: - key: /ntfy/user/cl01tl + key: /cl01tl/ntfy/users/cl01tl property: token - secretKey: NTFY_ENDPOINT remoteRef: - key: /ntfy/user/cl01tl - property: endpoint + key: /cl01tl/ntfy/config + property: internal-endpoint - secretKey: NTFY_TOPIC remoteRef: - key: /cl01tl/talos/etcd-backup - property: NTFY_TOPIC + key: /cl01tl/ntfy/topics + property: talos diff --git a/clusters/cl01tl/manifests/talos/SecretProviderClass-talos-etcd-backup-external-config.yaml b/clusters/cl01tl/manifests/talos/SecretProviderClass-talos-etcd-backup-external-config.yaml new file mode 100644 index 000000000..a2d2ec155 --- /dev/null +++ b/clusters/cl01tl/manifests/talos/SecretProviderClass-talos-etcd-backup-external-config.yaml @@ -0,0 +1,19 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: talos-etcd-backup-external-config + namespace: talos + labels: + app.kubernetes.io/name: talos-etcd-backup-external-config + app.kubernetes.io/instance: talos + app.kubernetes.io/part-of: talos +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: slskd + objects: | + - objectName: .s3cfg + fileName: .s3cfg + secretPath: secret/data/digital-ocean/home-infra/talos-backups + secretKey: s3cfg diff --git a/clusters/cl01tl/manifests/talos/SecretProviderClass-talos-etcd-backup-local-config.yaml b/clusters/cl01tl/manifests/talos/SecretProviderClass-talos-etcd-backup-local-config.yaml new file mode 100644 index 000000000..bec42fa39 --- /dev/null 
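Review bot: `roleName: slskd` in the new `talos-etcd-backup-external-config` SecretProviderClass points a talos-namespace workload at an OpenBao role named after a different application, and the same value is repeated in the `talos-etcd-backup-local-config`, `talos-etcd-backup-remote-config` and `talos-etcd-defrag-config` SecretProviderClasses. Either the `slskd` role is bound loosely enough that the talos CronJob service account is accepted, in which case one role now lets several namespaces read each other's secret paths, or the CSI mount fails at pod start with an auth error; a dedicated role (e.g. `roleName: talos-etcd-backup`, constructed) bound to the talos service account with a policy limited to the `talos-backups` and `talosconfig` paths listed in `objects` is what least privilege calls for. `baoAddress` is plain `http://` inside the cluster, so the service-account token sent for login and the returned secret travel unencrypted unless the CNI encrypts pod traffic; either move to TLS or note next to `baoAddress` where transport encryption is provided. The CronJob specs that set `serviceAccountName` are outside these hunks, so the role binding cannot be checked here.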
+++ b/clusters/cl01tl/manifests/talos/SecretProviderClass-talos-etcd-backup-local-config.yaml @@ -0,0 +1,19 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: talos-etcd-backup-local-config + namespace: talos + labels: + app.kubernetes.io/name: talos-etcd-backup-local-config + app.kubernetes.io/instance: talos + app.kubernetes.io/part-of: talos +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: slskd + objects: | + - objectName: .s3cfg + fileName: .s3cfg + secretPath: secret/data/garage/home-infra/talos-backups + secretKey: s3cfg-local diff --git a/clusters/cl01tl/manifests/talos/SecretProviderClass-talos-etcd-backup-remote-config.yaml b/clusters/cl01tl/manifests/talos/SecretProviderClass-talos-etcd-backup-remote-config.yaml new file mode 100644 index 000000000..168a36255 --- /dev/null +++ b/clusters/cl01tl/manifests/talos/SecretProviderClass-talos-etcd-backup-remote-config.yaml @@ -0,0 +1,19 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: talos-etcd-backup-remote-config + namespace: talos + labels: + app.kubernetes.io/name: talos-etcd-backup-remote-config + app.kubernetes.io/instance: talos + app.kubernetes.io/part-of: talos +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: slskd + objects: | + - objectName: .s3cfg + fileName: .s3cfg + secretPath: secret/data/garage/home-infra/talos-backups + secretKey: s3cfg-remote diff --git a/clusters/cl01tl/manifests/talos/SecretProviderClass-talos-etcd-defrag-config.yaml b/clusters/cl01tl/manifests/talos/SecretProviderClass-talos-etcd-defrag-config.yaml new file mode 100644 index 000000000..ac13a695b --- /dev/null +++ b/clusters/cl01tl/manifests/talos/SecretProviderClass-talos-etcd-defrag-config.yaml 
@@ -0,0 +1,19 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: talos-etcd-defrag-config + namespace: talos + labels: + app.kubernetes.io/name: talos-etcd-defrag-config + app.kubernetes.io/instance: talos + app.kubernetes.io/part-of: talos +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: slskd + objects: | + - objectName: config + fileName: config + secretPath: secret/data/cl01tl/talos/talosconfig + secretKey: config diff --git a/clusters/cl01tl/manifests/tubearchivist/Deployment-tubearchivist.yaml b/clusters/cl01tl/manifests/tubearchivist/Deployment-tubearchivist.yaml index 977b22823..a8969f413 100644 --- a/clusters/cl01tl/manifests/tubearchivist/Deployment-tubearchivist.yaml +++ b/clusters/cl01tl/manifests/tubearchivist/Deployment-tubearchivist.yaml @@ -41,26 +41,16 @@ spec: name: bgutil - env: - name: VPN_SERVICE_PROVIDER - value: airvpn + value: protonvpn - name: VPN_TYPE value: wireguard - name: WIREGUARD_PRIVATE_KEY valueFrom: secretKeyRef: key: private-key - name: tubearchivist-wireguard-conf - - name: WIREGUARD_PRESHARED_KEY - valueFrom: - secretKeyRef: - key: preshared-key - name: tubearchivist-wireguard-conf - - name: WIREGUARD_ADDRESSES - valueFrom: - secretKeyRef: - key: addresses - name: tubearchivist-wireguard-conf + name: protonvpn-wireguard-conf - name: FIREWALL_OUTBOUND_SUBNETS - value: 10.0.0.0/8 + value: 192.168.1.0/24,10.244.0.0/16 - name: FIREWALL_INPUT_PORTS value: 80,8000,24000 - name: DNS_UPSTREAM_RESOLVER_TYPE @@ -120,7 +110,7 @@ spec: value: admin envFrom: - secretRef: - name: tubearchivist-config-secret + name: tubearchivist-config image: bbilly1/tubearchivist:v0.5.10@sha256:dfe723cf008520e1758ecc3e59e6ea8761dd10d5bb099cd87289e80f5bd66567 name: main resources: 
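Review bot: The etcd-defrag SecretProviderClass mounts `secret/data/cl01tl/talos/talosconfig` key `config`, where the deleted `talos-etcd-defrag-secret` ExternalSecret read a job-specific `/cl01tl/talos/etcd-defrag` entry; if `talosconfig` is the cluster-wide admin client config, the three defrag CronJobs now carry far more authority than a defrag needs. Talos supports issuing client configs with reduced roles, so a config minted for this job with the narrowest role that can run the defrag, stored under its own path, keeps the blast radius of a compromised job pod small. If the new path already holds such a scoped config, a comment above `objects:` saying so (e.g. `# role-scoped talosconfig for etcd defrag only`) would save the next reviewer the question.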
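Review bot: `FIREWALL_OUTBOUND_SUBNETS` now exempts the entire `192.168.1.0/24` LAN from the VPN tunnel, where the previous `10.0.0.0/8` only covered the private 10/8 range used in-cluster; every host on the home network becomes reachable from the VPN-isolated tubearchivist pod outside the tunnel. If only one LAN destination needs the bypass, list it as a `/32` and keep the rest behind the tunnel. Check the in-cluster side too: `10.244.0.0/16` is presumably the pod CIDR, and if the service CIDR lies outside it, ClusterIP calls that `10.0.0.0/8` used to exempt (e.g. the Elasticsearch service renamed in this commit) will now be routed through the tunnel, so confirm against the cluster's service range. The rest of the VPN container's env and the pod's `serviceAccountName` are outside the hunk.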
diff --git a/clusters/cl01tl/manifests/tubearchivist/Elasticsearch-elasticsearch-tubearchivist.yaml b/clusters/cl01tl/manifests/tubearchivist/Elasticsearch-elasticsearch-tubearchivist.yaml index 39078fa0a..160e974b4 100644 --- a/clusters/cl01tl/manifests/tubearchivist/Elasticsearch-elasticsearch-tubearchivist.yaml +++ b/clusters/cl01tl/manifests/tubearchivist/Elasticsearch-elasticsearch-tubearchivist.yaml @@ -11,7 +11,7 @@ spec: version: 9.3.3 auth: fileRealm: - - secretName: tubearchivist-elasticsearch-secret + - secretName: tubearchivist-elasticsearch-config nodeSets: - name: default count: 2 diff --git a/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-protonvpn-wireguard-conf.yaml b/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-protonvpn-wireguard-conf.yaml new file mode 100644 index 000000000..64ec4d6a5 --- /dev/null +++ b/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-protonvpn-wireguard-conf.yaml @@ -0,0 +1,30 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: protonvpn-wireguard-conf + namespace: tubearchivist + labels: + app.kubernetes.io/name: protonvpn-wireguard-conf + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/part-of: tubearchivist +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: conf + remoteRef: + key: /protonvpn/config + property: conf + - secretKey: email + remoteRef: + key: /protonvpn/config + property: email + - secretKey: password + remoteRef: + key: /protonvpn/config + property: password + - secretKey: private-key + remoteRef: + key: /protonvpn/config + property: private-key 
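Review bot: The new `protonvpn-wireguard-conf` ExternalSecret syncs `conf`, `email` and `password` into the tubearchivist namespace, but the Deployment in this commit only consumes `private-key`; the ProtonVPN account password and the full WireGuard config are materialised in a Kubernetes Secret that nothing reads. Any principal with `get secrets` in that namespace then holds the account credentials for free, so drop the three unused entries and keep only `- secretKey: private-key`, or put the account credentials in a separate ExternalSecret in whichever namespace actually needs them. If `conf` is kept because a later change will mount it, a comment above the entry stating the intended consumer would justify the extra exposure.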
diff --git a/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-config-secret.yaml b/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-config.yaml similarity index 58% rename from clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-config-secret.yaml rename to clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-config.yaml index 071cdf40b..ab138d21a 100644 --- a/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-config-secret.yaml +++ b/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-config.yaml @@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: tubearchivist-config-secret + name: tubearchivist-config namespace: tubearchivist labels: - app.kubernetes.io/name: tubearchivist-config-secret + app.kubernetes.io/name: tubearchivist-config app.kubernetes.io/instance: tubearchivist app.kubernetes.io/part-of: tubearchivist spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: ELASTIC_PASSWORD remoteRef: - key: /cl01tl/tubearchivist/env - property: ELASTIC_PASSWORD + key: /cl01tl/tubearchivist/elasticsearch + property: password - secretKey: TA_PASSWORD remoteRef: - key: /cl01tl/tubearchivist/env - property: TA_PASSWORD + key: /cl01tl/tubearchivist/config + property: password diff --git a/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-elasticsearch-secret.yaml b/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-elasticsearch-config.yaml similarity index 83% rename from clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-elasticsearch-secret.yaml rename to clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-elasticsearch-config.yaml index 36c820917..7e4832945 100644 --- a/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-elasticsearch-secret.yaml 
+++ b/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-elasticsearch-config.yaml @@ -1,16 +1,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: tubearchivist-elasticsearch-secret + name: tubearchivist-elasticsearch-config namespace: tubearchivist labels: - app.kubernetes.io/name: tubearchivist-elasticsearch-secret + app.kubernetes.io/name: tubearchivist-elasticsearch-config app.kubernetes.io/instance: tubearchivist app.kubernetes.io/part-of: tubearchivist spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: username remoteRef: diff --git a/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-wireguard-conf.yaml b/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-wireguard-conf.yaml deleted file mode 100644 index 466aacf25..000000000 --- a/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-wireguard-conf.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: tubearchivist-wireguard-conf - namespace: tubearchivist - labels: - app.kubernetes.io/name: tubearchivist-wireguard-conf - app.kubernetes.io/instance: tubearchivist - app.kubernetes.io/part-of: tubearchivist -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: private-key - remoteRef: - key: /airvpn/conf/cl01tl - property: private-key - - secretKey: preshared-key - remoteRef: - key: /airvpn/conf/cl01tl - property: preshared-key - - secretKey: addresses - remoteRef: - key: /airvpn/conf/cl01tl - property: addresses - - secretKey: input-ports - remoteRef: - key: /airvpn/conf/cl01tl - property: input-ports diff --git a/clusters/cl01tl/manifests/unpackerr/Deployment-unpackerr.yaml b/clusters/cl01tl/manifests/unpackerr/Deployment-unpackerr.yaml index f98f461d5..5fe17d1c1 100644 --- a/clusters/cl01tl/manifests/unpackerr/Deployment-unpackerr.yaml 
+++ b/clusters/cl01tl/manifests/unpackerr/Deployment-unpackerr.yaml @@ -76,7 +76,7 @@ spec: value: /mnt/store/Torrent/FINISHED/COMPLETED envFrom: - secretRef: - name: unpackerr-key-secret + name: unpackerr-key-config image: golift/unpackerr:0.15.2@sha256:057e34740d26c34d81ec8e2faf8ec11f8dbfc77489b7a42826f52b37e5ee1b6c name: main resources: diff --git a/clusters/cl01tl/manifests/unpackerr/ExternalSecret-unpackerr-key-secret.yaml b/clusters/cl01tl/manifests/unpackerr/ExternalSecret-unpackerr-key-config.yaml similarity index 68% rename from clusters/cl01tl/manifests/unpackerr/ExternalSecret-unpackerr-key-secret.yaml rename to clusters/cl01tl/manifests/unpackerr/ExternalSecret-unpackerr-key-config.yaml index b3a2136fb..d7246e4c2 100644 --- a/clusters/cl01tl/manifests/unpackerr/ExternalSecret-unpackerr-key-secret.yaml +++ b/clusters/cl01tl/manifests/unpackerr/ExternalSecret-unpackerr-key-config.yaml 
@@ -1,46 +1,46 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: unpackerr-key-secret + name: unpackerr-key-config namespace: unpackerr labels: - app.kubernetes.io/name: unpackerr-key-secret + app.kubernetes.io/name: unpackerr-key-config app.kubernetes.io/instance: unpackerr app.kubernetes.io/part-of: unpackerr spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: UN_SONARR_0_API_KEY remoteRef: - key: /cl01tl/sonarr4/key + key: /cl01tl/sonarr/key property: key - secretKey: UN_SONARR_1_API_KEY remoteRef: - key: /cl01tl/sonarr4-4k/key + key: /cl01tl/sonarr-4k/key property: key - secretKey: UN_SONARR_2_API_KEY remoteRef: - key: /cl01tl/sonarr4-anime/key + key: /cl01tl/sonarr-anime/key property: key - secretKey: UN_RADARR_0_API_KEY remoteRef: - key: /cl01tl/radarr5/key + key: /cl01tl/radarr/key property: key - secretKey: UN_RADARR_1_API_KEY remoteRef: - key: /cl01tl/radarr5-4k/key + key: /cl01tl/radarr-4k/key property: key - secretKey: UN_RADARR_2_API_KEY remoteRef: - key: /cl01tl/radarr5-anime/key + key: /cl01tl/radarr-anime/key property: key - secretKey: UN_RADARR_3_API_KEY remoteRef: - key: /cl01tl/radarr5-standup/key + key: /cl01tl/radarr-standup/key property: key - secretKey: UN_LIDARR_0_API_KEY remoteRef: - key: /cl01tl/lidarr2/key + key: /cl01tl/lidarr/key property: key diff --git a/clusters/cl01tl/manifests/unpoller/ExternalSecret-unpoller-unifi-secret.yaml b/clusters/cl01tl/manifests/unpoller/ExternalSecret-unpoller-unifi-credentials.yaml similarity index 70% rename from clusters/cl01tl/manifests/unpoller/ExternalSecret-unpoller-unifi-secret.yaml rename to clusters/cl01tl/manifests/unpoller/ExternalSecret-unpoller-unifi-credentials.yaml index 953434ec2..54d7ddd1a 100644 --- a/clusters/cl01tl/manifests/unpoller/ExternalSecret-unpoller-unifi-secret.yaml +++ b/clusters/cl01tl/manifests/unpoller/ExternalSecret-unpoller-unifi-credentials.yaml 
@@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: unpoller-unifi-secret + name: unpoller-unifi-credentials namespace: unpoller labels: - app.kubernetes.io/name: unpoller-unifi-secret + app.kubernetes.io/name: unpoller-unifi-credentials app.kubernetes.io/instance: unpoller app.kubernetes.io/part-of: unpoller spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: UP_UNIFI_CONTROLLER_0_USER remoteRef: - key: /unifi/auth/cl01tl + key: /unifi/users/cl01tl property: user - secretKey: UP_UNIFI_CONTROLLER_0_PASS remoteRef: - key: /unifi/auth/cl01tl + key: /unifi/users/cl01tl property: password diff --git a/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml b/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml index fffb35733..a39474740 100644 --- a/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml +++ b/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml @@ -47,7 +47,7 @@ spec: value: http://vault-active.vault.svc.cluster.local:8200 envFrom: - secretRef: - name: vault-snapshot-agent-token + name: vault-snapshot-agent-role image: hashicorp/vault:1.21.4@sha256:4e33b126a59c0c333b76fb4e894722462659a6bec7c48c9ee8cea56fccfd2569 name: snapshot volumeMounts: 
@@ -67,25 +67,25 @@ spec: valueFrom: secretKeyRef: key: BUCKET - name: vault-s3cmd-external-config + name: vault-backup-external-config - name: TARGET value: External envFrom: - secretRef: - name: vault-backup-ntfy-secret + name: vault-ntfy-config image: d3fk/s3cmd:latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2 name: s3-backup-external volumeMounts: - mountPath: /opt/backup name: backup + - mountPath: /root/.s3cfg + mountPropagation: None + name: backup-external-config + readOnly: true + subPath: .s3cfg - mountPath: /scripts/backup.sh name: backup-script subPath: backup.sh - - mountPath: /root/.s3cfg - mountPropagation: None - name: s3cmd-external-config - readOnly: true - subPath: .s3cfg - args: - -ec - /scripts/backup.sh @@ -96,25 +96,25 @@ spec: valueFrom: secretKeyRef: key: BUCKET - name: vault-s3cmd-local-config + name: vault-backup-local-config - name: TARGET value: Local envFrom: - secretRef: - name: vault-backup-ntfy-secret + name: vault-ntfy-config image: d3fk/s3cmd:latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2 name: s3-backup-local volumeMounts: - mountPath: /opt/backup name: backup + - mountPath: /root/.s3cfg + mountPropagation: None + name: backup-local-config + readOnly: true + subPath: .s3cfg - mountPath: /scripts/backup.sh name: backup-script subPath: backup.sh - - mountPath: /root/.s3cfg - mountPropagation: None - name: s3cmd-local-config - readOnly: true - subPath: .s3cfg - args: - -ec - /scripts/backup.sh 
@@ -125,42 +125,51 @@ spec: valueFrom: secretKeyRef: key: BUCKET - name: vault-s3cmd-remote-config + name: vault-backup-remote-config - name: TARGET value: Remote envFrom: - secretRef: - name: vault-backup-ntfy-secret + name: vault-ntfy-config image: d3fk/s3cmd:latest@sha256:d66cc5677b30b31a7981f9fde0af064a9072e8b8a57d5e9b4cc02f44f02acbf2 name: s3-backup-remote volumeMounts: - mountPath: /opt/backup name: backup + - mountPath: /root/.s3cfg + mountPropagation: None + name: backup-remote-config + readOnly: true + subPath: .s3cfg - mountPath: /scripts/backup.sh name: backup-script subPath: backup.sh - - mountPath: /root/.s3cfg - mountPropagation: None - name: s3cmd-remote-config - readOnly: true - subPath: .s3cfg volumes: - name: backup persistentVolumeClaim: claimName: vault-storage-backup + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: vault-backup-external-config + name: backup-external-config + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: vault-backup-local-config + name: backup-local-config + - csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: vault-backup-remote-config + name: backup-remote-config - configMap: defaultMode: 493 name: vault-backup-script name: backup-script - - name: s3cmd-external-config - secret: - secretName: vault-s3cmd-external-config - - name: s3cmd-local-config - secret: - secretName: vault-s3cmd-local-config - - name: s3cmd-remote-config - secret: - secretName: vault-s3cmd-remote-config - configMap: defaultMode: 493 name: vault-snapshot-script diff --git a/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-1.yaml b/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-1.yaml index 0b039e773..bc096bb53 100644 --- a/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-1.yaml +++ b/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-1.yaml 
@@ -37,6 +37,8 @@ spec: - envFrom: - secretRef: name: vault-unseal-config-1 + - secretRef: + name: vault-ntfy-unseal-config image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef name: main resources: diff --git a/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-2.yaml b/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-2.yaml index 8c53608d1..c4a1c6a58 100644 --- a/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-2.yaml +++ b/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-2.yaml @@ -37,6 +37,8 @@ spec: - envFrom: - secretRef: name: vault-unseal-config-2 + - secretRef: + name: vault-ntfy-unseal-config image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef name: main resources: diff --git a/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-3.yaml b/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-3.yaml index c7fe5b563..4675bc176 100644 --- a/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-3.yaml +++ b/clusters/cl01tl/manifests/vault/Deployment-vault-unseal-unseal-3.yaml @@ -37,6 +37,8 @@ spec: - envFrom: - secretRef: name: vault-unseal-config-3 + - secretRef: + name: vault-ntfy-unseal-config image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef name: main resources: diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-external-config.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-external-config.yaml similarity index 56% rename from clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-external-config.yaml rename to clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-external-config.yaml index 1005b7a14..5e729f9a4 100644 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-external-config.yaml 
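Review bot: The added `secretRef` for `vault-ntfy-unseal-config` is a required reference, so if that ExternalSecret ever fails to sync the unsealer pod sits in CreateContainerConfigError and cannot unseal Vault after a restart, all for the sake of a notification-only secret. Make it non-blocking: `- secretRef:` / `name: vault-ntfy-unseal-config` / `optional: true`; the identical hunks for unseal-2 and unseal-3 on this line should get the same. Note also that `envFrom` places the whole `NOTIFY_QUEUE_URLS` value, which elsewhere in this commit is built from the ntfy `internal-endpoint-credential`, into the process environment, visible to anyone who can exec into the pod or read its `/proc` environ; acceptable if understood, but it is a credential. The container spec continues outside the hunk.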
+++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-external-config.yaml @@ -1,22 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: vault-s3cmd-external-config + name: vault-backup-external-config namespace: vault labels: - app.kubernetes.io/name: vault-s3cmd-external-config + app.kubernetes.io/name: vault-backup-external-config app.kubernetes.io/instance: vault app.kubernetes.io/part-of: vault spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - - secretKey: .s3cfg - remoteRef: - key: /digital-ocean/home-infra/vault-backup - property: s3cfg - secretKey: BUCKET remoteRef: key: /digital-ocean/home-infra/vault-backup - property: BUCKET + property: BUCKET_PATH diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-local-config.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-local-config.yaml similarity index 56% rename from clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-local-config.yaml rename to clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-local-config.yaml index 84c49f70e..89161e130 100644 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-local-config.yaml +++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-local-config.yaml @@ -1,22 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: vault-s3cmd-local-config + name: vault-backup-local-config namespace: vault labels: - app.kubernetes.io/name: vault-s3cmd-local-config + app.kubernetes.io/name: vault-backup-local-config app.kubernetes.io/instance: vault app.kubernetes.io/part-of: vault spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - - secretKey: .s3cfg - remoteRef: - key: /garage/home-infra/vault-backups - property: s3cfg-local - secretKey: BUCKET remoteRef: key: /garage/home-infra/vault-backups - property: BUCKET + property: BUCKET_PATH 
diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-remote-config.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-remote-config.yaml similarity index 56% rename from clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-remote-config.yaml rename to clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-remote-config.yaml index 57bab6033..e18f8b5c6 100644 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-remote-config.yaml +++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-remote-config.yaml @@ -1,22 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: vault-s3cmd-remote-config + name: vault-backup-remote-config namespace: vault labels: - app.kubernetes.io/name: vault-s3cmd-remote-config + app.kubernetes.io/name: vault-backup-remote-config app.kubernetes.io/instance: vault app.kubernetes.io/part-of: vault spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - - secretKey: .s3cfg - remoteRef: - key: /garage/home-infra/vault-backups - property: s3cfg-remote - secretKey: BUCKET remoteRef: key: /garage/home-infra/vault-backups - property: BUCKET + property: BUCKET_PATH diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-ntfy-secret.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-config.yaml similarity index 74% rename from clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-ntfy-secret.yaml rename to clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-config.yaml index b04f59d87..53439fa12 100644 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-ntfy-secret.yaml +++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-config.yaml 
@@ -1,16 +1,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: vault-backup-ntfy-secret + name: vault-ntfy-config namespace: vault labels: - app.kubernetes.io/name: vault-backup-ntfy-secret + app.kubernetes.io/name: vault-ntfy-config app.kubernetes.io/instance: vault app.kubernetes.io/part-of: vault spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: NTFY_TOKEN remoteRef: @@ -22,5 +22,5 @@ spec: property: endpoint - secretKey: NTFY_TOPIC remoteRef: - key: /cl01tl/vault/snapshot - property: NTFY_TOPIC + key: /cl01tl/ntfy/topics + property: vault diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-unseal-config.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-unseal-config.yaml new file mode 100644 index 000000000..fa33f1b62 --- /dev/null +++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-ntfy-unseal-config.yaml @@ -0,0 +1,28 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: vault-ntfy-unseal-config + namespace: vault + labels: + app.kubernetes.io/name: vault-ntfy-unseal-config + app.kubernetes.io/instance: vault + app.kubernetes.io/part-of: vault +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + NOTIFY_QUEUE_URLS: "{{ .endpoint }}/{{ .topic }}/?priority=4&tags=vault,unseal&title=Vault+Unsealed" + data: + - secretKey: endpoint + remoteRef: + key: /cl01tl/ntfy/users/cl01tl + property: internal-endpoint-credential + - secretKey: topic + remoteRef: + key: /cl01tl/ntfy/topics + property: vault 
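Review bot: In the new `vault-ntfy-unseal-config` file, `mergePolicy: Merge` makes the rendered Secret carry the raw `endpoint` and `topic` keys next to the templated `NOTIFY_QUEUE_URLS` (as I read ESO's mergePolicy, Merge keeps the fetched `data` keys, whereas the default Replace emits only the template output). Because the unseal Deployments consume this Secret via `envFrom`, the `internal-endpoint-credential` value, by its name a URL with an embedded ntfy credential, would also land in the pod environment as a bare `endpoint` variable. Unless something reads those keys, remove the `mergePolicy: Merge` line so only `NOTIFY_QUEUE_URLS` is produced; `.endpoint` and `.topic` stay available to the template either way. Neither value is URL-escaped in the template, so a topic containing `/`, `?` or `&` would alter the request; fine for plain topic names, otherwise Go's `urlquery` is worth applying if the v2 engine exposes it.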
diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-snapshot-agent-token.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-snapshot-agent-role.yaml similarity index 57% rename from clusters/cl01tl/manifests/vault/ExternalSecret-vault-snapshot-agent-token.yaml rename to clusters/cl01tl/manifests/vault/ExternalSecret-vault-snapshot-agent-role.yaml index 74c70efae..73a81d8d4 100644 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-snapshot-agent-token.yaml +++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-snapshot-agent-role.yaml @@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: vault-snapshot-agent-token + name: vault-snapshot-agent-role namespace: vault labels: - app.kubernetes.io/name: vault-snapshot-agent-token + app.kubernetes.io/name: vault-snapshot-agent-role app.kubernetes.io/instance: vault app.kubernetes.io/part-of: vault spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: VAULT_APPROLE_ROLE_ID remoteRef: - key: /cl01tl/vault/snapshot - property: VAULT_APPROLE_ROLE_ID + key: /cl01tl/vault/role/snapshot + property: role-id - secretKey: VAULT_APPROLE_SECRET_ID remoteRef: - key: /cl01tl/vault/snapshot - property: VAULT_APPROLE_SECRET_ID + key: /cl01tl/vault/role/snapshot + property: secret-id diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-token.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-token.yaml deleted file mode 100644 index 526c2adc7..000000000 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-token.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-token - namespace: vault - labels: - app.kubernetes.io/name: vault-token - app.kubernetes.io/instance: vault - app.kubernetes.io/part-of: vault -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: token - remoteRef: - key: /cl01tl/vault/token - property: token - - secretKey: unseal_key_1 - remoteRef: - key: /cl01tl/vault/token - property: unseal_key_1 - - secretKey: unseal_key_2 - remoteRef: - key: /cl01tl/vault/token - property: unseal_key_2 - - secretKey: unseal_key_3 - remoteRef: - key: /cl01tl/vault/token - property: unseal_key_3 - - secretKey: unseal_key_4 - remoteRef: - key: /cl01tl/vault/token - property: unseal_key_4 - - secretKey: unseal_key_5 - remoteRef: - key: /cl01tl/vault/token - property: unseal_key_5 diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-1.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-1.yaml index 045ea5782..2cc9bbcd2 100644 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-1.yaml +++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-1.yaml @@ -10,21 +10,17 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: ENVIRONMENT remoteRef: key: /cl01tl/vault/unseal - property: ENVIRONMENT + property: environment - secretKey: NODES remoteRef: key: /cl01tl/vault/unseal - property: NODES + property: nodes - secretKey: TOKENS remoteRef: key: /cl01tl/vault/unseal - property: TOKENS_1 - - secretKey: NOTIFY_QUEUE_URLS - remoteRef: - key: /cl01tl/vault/unseal - property: NOTIFY_QUEUE_URLS + property: tokens-1 diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-2.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-2.yaml index 5a583b925..173425663 100644 
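Review bot: The `TOKENS` share for unsealer 1 is still read from `/cl01tl/vault/unseal` while this same commit deletes the `vault-token` ExternalSecret that had synced the root `token` and `unseal_key_1..5` into a single Kubernetes Secret; removing the manifest does not invalidate shares that were already materialised in the cluster. If those five keys and the `tokens-N` shares are the same key set (likely, though not visible here), the safe follow-up is a Vault rekey plus revocation of that root token, and a check that the `vault-token` Secret object was actually garbage-collected rather than left behind (ESO removes it only under the default `creationPolicy: Owner`). The hunk itself only lowercases the property names and moves the notify URL out, which is fine.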
--- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-2.yaml +++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-2.yaml @@ -10,21 +10,17 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: ENVIRONMENT remoteRef: key: /cl01tl/vault/unseal - property: ENVIRONMENT + property: environment - secretKey: NODES remoteRef: key: /cl01tl/vault/unseal - property: NODES + property: nodes - secretKey: TOKENS remoteRef: key: /cl01tl/vault/unseal - property: TOKENS_2 - - secretKey: NOTIFY_QUEUE_URLS - remoteRef: - key: /cl01tl/vault/unseal - property: NOTIFY_QUEUE_URLS + property: tokens-2 diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-3.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-3.yaml index 517f7498c..b5f29558b 100644 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-3.yaml +++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-unseal-config-3.yaml @@ -10,21 +10,17 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: ENVIRONMENT remoteRef: key: /cl01tl/vault/unseal - property: ENVIRONMENT + property: environment - secretKey: NODES remoteRef: key: /cl01tl/vault/unseal - property: NODES + property: nodes - secretKey: TOKENS remoteRef: key: /cl01tl/vault/unseal - property: TOKENS_3 - - secretKey: NOTIFY_QUEUE_URLS - remoteRef: - key: /cl01tl/vault/unseal - property: NOTIFY_QUEUE_URLS + property: tokens-3 diff --git a/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-external-config.yaml b/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-external-config.yaml new file mode 100644 index 000000000..0bff1d25c --- /dev/null +++ b/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-external-config.yaml 
@@ -0,0 +1,19 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: vault-backup-external-config + namespace: vault + labels: + app.kubernetes.io/name: vault-backup-external-config + app.kubernetes.io/instance: vault + app.kubernetes.io/part-of: vault +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: slskd + objects: | + - objectName: .s3cfg + fileName: .s3cfg + secretPath: secret/data/digital-ocean/home-infra/vault-backups + secretKey: s3cfg diff --git a/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-local-config.yaml b/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-local-config.yaml new file mode 100644 index 000000000..d6919e012 --- /dev/null +++ b/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-local-config.yaml @@ -0,0 +1,19 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: vault-backup-local-config + namespace: vault + labels: + app.kubernetes.io/name: vault-backup-local-config + app.kubernetes.io/instance: vault + app.kubernetes.io/part-of: vault +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: slskd + objects: | + - objectName: .s3cfg + fileName: .s3cfg + secretPath: secret/data/garage/home-infra/vault-backups + secretKey: s3cfg-local diff --git a/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-remote-config.yaml b/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-remote-config.yaml new file mode 100644 index 000000000..a3f2d7a2c --- /dev/null +++ b/clusters/cl01tl/manifests/vault/SecretProviderClass-vault-backup-remote-config.yaml 
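Review bot: Both new SecretProviderClasses authenticate to OpenBao as `roleName: slskd`, which looks like a copy-paste from the slskd app: the Vault backup CronJob would read its S3 credentials through a Soulseek client's auth role, so either that role gets policy on `secret/data/.../vault-backups` (over-privileging slskd) or the CSI mount fails. Give the backup its own role, e.g. `roleName: vault-backup`, bound to the CronJob's service account in namespace `vault` with read-only policy on exactly these two paths. Separately, the external class reads `secret/data/digital-ocean/home-infra/vault-backups` while the `vault-backup-external-config` ExternalSecret in this commit reads `/digital-ocean/home-infra/vault-backup` (singular) for `BUCKET`; one of the two is wrong and either the `.s3cfg` mount or the bucket lookup will fail on the next run. `baoAddress` is plain `http://`; that may be accepted in-cluster, but the S3 keys then travel unencrypted from OpenBao to the node.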
@@ -0,0 +1,19 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: vault-backup-remote-config + namespace: vault + labels: + app.kubernetes.io/name: vault-backup-remote-config + app.kubernetes.io/instance: vault + app.kubernetes.io/part-of: vault +spec: + provider: openbao + parameters: + baoAddress: "http://openbao-internal.openbao:8200" + roleName: slskd + objects: | + - objectName: .s3cfg + fileName: .s3cfg + secretPath: secret/data/garage/home-infra/vault-backups + secretKey: s3cfg-remote diff --git a/clusters/cl01tl/manifests/vaultwarden/Deployment-vaultwarden.yaml b/clusters/cl01tl/manifests/vaultwarden/Deployment-vaultwarden.yaml index fb7afc704..5226fec3c 100644 --- a/clusters/cl01tl/manifests/vaultwarden/Deployment-vaultwarden.yaml +++ b/clusters/cl01tl/manifests/vaultwarden/Deployment-vaultwarden.yaml @@ -57,13 +57,13 @@ spec: - name: SSO_CLIENT_ID valueFrom: secretKeyRef: - key: client - name: vaultwarden-oidc-secret + key: SSO_CLIENT_ID + name: vaultwarden-oidc-authentik - name: SSO_CLIENT_SECRET valueFrom: secretKeyRef: - key: secret - name: vaultwarden-oidc-secret + key: SSO_CLIENT_SECRET + name: vaultwarden-oidc-authentik image: ghcr.io/dani-garcia/vaultwarden:1.35.7@sha256:9a8eec71f4a52411cc43edc7a50f33e9b6f62b5baca0dd95f0c6e7fd60f1a341 name: main resources: diff --git a/clusters/cl01tl/manifests/vaultwarden/ExternalSecret-vaultwarden-oidc-secret.yaml b/clusters/cl01tl/manifests/vaultwarden/ExternalSecret-vaultwarden-oidc-authentik.yaml similarity index 55% rename from clusters/cl01tl/manifests/vaultwarden/ExternalSecret-vaultwarden-oidc-secret.yaml rename to clusters/cl01tl/manifests/vaultwarden/ExternalSecret-vaultwarden-oidc-authentik.yaml index c8f939be0..1b93ee756 100644 --- a/clusters/cl01tl/manifests/vaultwarden/ExternalSecret-vaultwarden-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/vaultwarden/ExternalSecret-vaultwarden-oidc-authentik.yaml 
@@ -1,22 +1,22 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: vaultwarden-oidc-secret + name: vaultwarden-oidc-authentik namespace: vaultwarden labels: - app.kubernetes.io/name: vaultwarden-oidc-secret + app.kubernetes.io/name: vaultwarden-oidc-authentik app.kubernetes.io/instance: vaultwarden app.kubernetes.io/part-of: vaultwarden spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - - secretKey: client + - secretKey: SSO_CLIENT_ID remoteRef: - key: /authentik/oidc/vaultwarden + key: /cl01tl/authentik/oidc/vaultwarden property: client - - secretKey: secret + - secretKey: SSO_CLIENT_SECRET remoteRef: - key: /authentik/oidc/vaultwarden + key: /cl01tl/authentik/oidc/vaultwarden property: secret diff --git a/clusters/cl01tl/manifests/yamtrack/Deployment-yamtrack.yaml b/clusters/cl01tl/manifests/yamtrack/Deployment-yamtrack.yaml index 7a4783bba..782d27526 100644 --- a/clusters/cl01tl/manifests/yamtrack/Deployment-yamtrack.yaml +++ b/clusters/cl01tl/manifests/yamtrack/Deployment-yamtrack.yaml @@ -47,12 +47,12 @@ spec: valueFrom: secretKeyRef: key: SOCIALACCOUNT_PROVIDERS - name: yamtrack-oidc-secret + name: yamtrack-oidc-authentik - name: SECRET valueFrom: secretKeyRef: key: SECRET - name: yamtrack-config-secret + name: yamtrack-config - name: REDIS_URL value: redis://yamtrack-valkey.yamtrack:6379 - name: DB_USER diff --git a/clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-config-secret.yaml b/clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-config.yaml similarity index 77% rename from clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-config-secret.yaml rename to clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-config.yaml index 3985041e7..eaffaddd8 100644 --- a/clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-config-secret.yaml +++ b/clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-config.yaml 
@@ -1,16 +1,16 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: yamtrack-config-secret + name: yamtrack-config namespace: yamtrack labels: - app.kubernetes.io/name: yamtrack-config-secret + app.kubernetes.io/name: yamtrack-config app.kubernetes.io/instance: yamtrack app.kubernetes.io/part-of: yamtrack spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: SECRET remoteRef: diff --git a/clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-oidc-secret.yaml b/clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-oidc-authentik.yaml similarity index 69% rename from clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-oidc-secret.yaml rename to clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-oidc-authentik.yaml index a2082c639..f4f652235 100644 --- a/clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/yamtrack/ExternalSecret-yamtrack-oidc-authentik.yaml @@ -1,18 +1,18 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: yamtrack-oidc-secret + name: yamtrack-oidc-authentik namespace: yamtrack labels: - app.kubernetes.io/name: yamtrack-oidc-secret + app.kubernetes.io/name: yamtrack-oidc-authentik app.kubernetes.io/instance: yamtrack app.kubernetes.io/part-of: yamtrack spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: SOCIALACCOUNT_PROVIDERS remoteRef: - key: /authentik/oidc/yamtrack + key: /cl01tl/authentik/oidc/yamtrack property: SOCIALACCOUNT_PROVIDERS