chore: Update manifests after change

2026-04-24 00:11:38 +00:00
parent cfe38d32cf
commit ba20a96b0f
233 changed files with 1471 additions and 1345 deletions
--- a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-hookshot.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-hookshot.yaml
@@ -59,15 +59,24 @@ spec:
              readOnly: true
              subPath: registration.yml
      volumes:
-        - name: config
-          secret:
-            secretName: matrix-hookshot-config-secret
+        - csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: matrix-hookshot-config
+          name: config
        - name: data
          persistentVolumeClaim:
            claimName: matrix-hookshot
-        - name: passkey
-          secret:
-            secretName: matrix-hookshot-config-secret
-        - name: registration
-          secret:
-            secretName: matrix-hookshot-config-secret
+        - csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: matrix-hookshot-config
+          name: passkey
+        - csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: matrix-hookshot-config
+          name: registration
--- a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml
@@ -71,7 +71,7 @@ spec:
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: matrix-synapse-valkey-secret
+                  name: matrix-synapse-valkey-config
                  key: password
          image: "ghcr.io/element-hq/synapse:v1.151.0@sha256:184dc8757daef019b511e7f96fc6e5edfb880fd074d8cf702c7e3aa899d188c8"
          imagePullPolicy: IfNotPresent
@@ -112,30 +112,10 @@ spec:
              mountPath: /synapse/data
            - name: tmpdir
              mountPath: /tmp
-            - mountPath: /synapse/config/conf.d/oidc.yaml
-              name: matrix-synapse-config-secret
+            - mountPath: /synapse/config/conf.d
+              mountPropagation: None
+              name: config
              readOnly: true
-              subPath: oidc.yaml
-            - mountPath: /synapse/config/conf.d/config.yaml
-              name: matrix-synapse-config-secret
-              readOnly: true
-              subPath: config.yaml
-            - mountPath: /synapse/config/conf.d/hookshot-registration.yaml
-              name: matrix-hookshot-config-secret
-              readOnly: true
-              subPath: hookshot-registration.yaml
-            - mountPath: /synapse/config/conf.d/mautrix-discord-registration.yaml
-              name: mautrix-discord-config-secret
-              readOnly: true
-              subPath: mautrix-discord-registration.yaml
-            - mountPath: /synapse/config/conf.d/mautrix-whatsapp-registration.yaml
-              name: mautrix-whatsapp-config-secret
-              readOnly: true
-              subPath: mautrix-whatsapp-registration.yaml
-            - mountPath: /synapse/config/conf.d/double-puppet-registration.yaml
-              name: double-puppet-registration-secret
-              readOnly: true
-              subPath: double-puppet-registration.yaml
          resources:
            requests:
              cpu: 10m
@@ -149,7 +129,7 @@ spec:
            secretName: matrix-synapse
        - name: signingkey
          secret:
-            secretName: "matrix-synapse-signingkey"
+            secretName: "matrix-synapse-signing-key"
            items:
              - key: "signing.key"
                path: signing.key
@@ -160,18 +140,9 @@ spec:
        - name: media
          persistentVolumeClaim:
            claimName: matrix-synapse
-        - name: matrix-synapse-config-secret
-          secret:
-            secretName: matrix-synapse-config-secret
-        - name: matrix-hookshot-config-secret
-          secret:
-            secretName: matrix-hookshot-config-secret
-        - name: mautrix-discord-config-secret
-          secret:
-            secretName: mautrix-discord-config-secret
-        - name: mautrix-whatsapp-config-secret
-          secret:
-            secretName: mautrix-whatsapp-config-secret
-        - name: double-puppet-registration-secret
-          secret:
-            secretName: double-puppet-registration-secret
+        - csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: matrix-synapse-config
+          name: config
--- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-double-puppet-registration-secret.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-double-puppet-registration-secret.yaml
@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: double-puppet-registration-secret
-  namespace: matrix-synapse
-  labels:
-    app.kubernetes.io/name: double-puppet-registration-secret
-    app.kubernetes.io/instance: matrix-synapse
-    app.kubernetes.io/part-of: matrix-synapse
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: double-puppet-registration.yaml
-      remoteRef:
-        key: /cl01tl/matrix-synapse/double-puppet
-        property: registration
--- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-config-secret.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-hookshot-config-secret.yaml
@@ -1,30 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: matrix-hookshot-config-secret
-  namespace: matrix-synapse
-  labels:
-    app.kubernetes.io/name: matrix-hookshot-config-secret
-    app.kubernetes.io/instance: matrix-synapse
-    app.kubernetes.io/part-of: matrix-synapse
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: config.yml
-      remoteRef:
-        key: /cl01tl/matrix-synapse/hookshot
-        property: config
-    - secretKey: registration.yml
-      remoteRef:
-        key: /cl01tl/matrix-synapse/hookshot
-        property: registration
-    - secretKey: hookshot-registration.yaml
-      remoteRef:
-        key: /cl01tl/matrix-synapse/hookshot
-        property: registration
-    - secretKey: passkey.pem
-      remoteRef:
-        key: /cl01tl/matrix-synapse/hookshot
-        property: passkey
--- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-config-secret.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-config-secret.yaml
@@ -1,22 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: matrix-synapse-config-secret
-  namespace: matrix-synapse
-  labels:
-    app.kubernetes.io/name: matrix-synapse-config-secret
-    app.kubernetes.io/instance: matrix-synapse
-    app.kubernetes.io/part-of: matrix-synapse
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: oidc.yaml
-      remoteRef:
-        key: /cl01tl/matrix-synapse/config
-        property: oidc.yaml
-    - secretKey: config.yaml
-      remoteRef:
-        key: /cl01tl/matrix-synapse/config
-        property: config.yaml
--- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-signing-key.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-signing-key.yaml
@@ -1,18 +1,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: matrix-synapse-signingkey
+  name: matrix-synapse-signing-key
  namespace: matrix-synapse
  labels:
-    app.kubernetes.io/name: matrix-synapse-signingkey
+    app.kubernetes.io/name: matrix-synapse-signing-key
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: signing.key
      remoteRef:
-        key: /cl01tl/matrix-synapse/config
+        key: /cl01tl/matrix-synapse/key
        property: signing-key
--- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-config.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-config.yaml
@@ -1,22 +1,22 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: matrix-synapse-valkey-secret
+  name: matrix-synapse-valkey-config
  namespace: matrix-synapse
  labels:
-    app.kubernetes.io/name: matrix-synapse-valkey-secret
+    app.kubernetes.io/name: matrix-synapse-valkey-config
    app.kubernetes.io/instance: matrix-synapse
    app.kubernetes.io/part-of: matrix-synapse
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: default
      remoteRef:
-        key: /cl01tl/matrix-synapse/redis
+        key: /cl01tl/matrix-synapse/valkey
        property: password
    - secretKey: password
      remoteRef:
-        key: /cl01tl/matrix-synapse/redis
+        key: /cl01tl/matrix-synapse/valkey
        property: password
--- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-config-secret.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-discord-config-secret.yaml
@@ -1,21 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: mautrix-discord-config-secret
-  namespace: matrix-synapse
-  labels:
-    app.kubernetes.io/name: matrix-synapse
-    app.kubernetes.io/instance: matrix-synapse
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: config.yaml
-      remoteRef:
-        key: /cl01tl/matrix-synapse/mautrix-discord
-        property: config
-    - secretKey: mautrix-discord-registration.yaml
-      remoteRef:
-        key: /cl01tl/matrix-synapse/mautrix-discord
-        property: registration
--- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-config-secret.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-mautrix-whatsapp-config-secret.yaml
@@ -1,22 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: mautrix-whatsapp-config-secret
-  namespace: matrix-synapse
-  labels:
-    app.kubernetes.io/name: mautrix-whatsapp-config-secret
-    app.kubernetes.io/instance: matrix-synapse
-    app.kubernetes.io/part-of: matrix-synapse
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: config.yaml
-      remoteRef:
-        key: /cl01tl/matrix-synapse/mautrix-whatsapp
-        property: config
-    - secretKey: mautrix-whatsapp-registration.yaml
-      remoteRef:
-        key: /cl01tl/matrix-synapse/mautrix-whatsapp
-        property: registration
--- a/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml
@@ -42,4 +42,4 @@ spec:
  volumes:
    - name: valkey-users-secret
      secret:
-        secretName: matrix-synapse-valkey-secret
+        secretName: matrix-synapse-valkey-config
--- a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-hookshot-config.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-hookshot-config.yaml
@@ -0,0 +1,27 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: matrix-hookshot-config
+  namespace: matrix-synapse
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-config
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/part-of: matrix-synapse
+spec:
+  provider: openbao
+  parameters:
+    baoAddress: "http://openbao-internal.openbao:8200"
+    roleName: matrix-synapse
+    objects: |
+      - objectName: config.yml
+        fileName: config.yml
+        secretPath: secret/data/cl01tl/matrix-synapse/hookshot
+        secretKey: config.yml
+      - objectName: registration.yml
+        fileName: registration.yml
+        secretPath: secret/data/cl01tl/matrix-synapse/hookshot
+        secretKey: hookshot-registration.yaml
+      - objectName: passkey.pem
+        fileName: passkey.pem
+        secretPath: secret/data/cl01tl/matrix-synapse/hookshot
+        secretKey: passkey.pem
--- a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-config.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-matrix-synapse-config.yaml
@@ -0,0 +1,39 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: matrix-synapse-config
+  namespace: matrix-synapse
+  labels:
+    app.kubernetes.io/name: matrix-synapse-config
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/part-of: matrix-synapse
+spec:
+  provider: openbao
+  parameters:
+    baoAddress: "http://openbao-internal.openbao:8200"
+    roleName: matrix-synapse
+    objects: |
+      - objectName: config.yaml
+        fileName: config.yaml
+        secretPath: secret/data/cl01tl/matrix-synapse/config
+        secretKey: config.yaml
+      - objectName: oidc.yaml
+        fileName: oidc.yaml
+        secretPath: secret/data/cl01tl/matrix-synapse/config
+        secretKey: oidc.yaml
+      - objectName: hookshot-registration.yaml
+        fileName: hookshot-registration.yaml
+        secretPath: secret/data/cl01tl/matrix-synapse/hookshot
+        secretKey: hookshot-registration.yaml
+      - objectName: mautrix-discord-registration.yaml
+        fileName: mautrix-discord-registration.yaml
+        secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord
+        secretKey: mautrix-discord-registration.yaml
+      - objectName: mautrix-whatsapp-registration.yaml
+        fileName: mautrix-whatsapp-registration.yaml
+        secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp
+        secretKey: mautrix-whatsapp-registration.yaml
+      - objectName: double-puppet-registration.yaml
+        fileName: double-puppet-registration.yaml
+        secretPath: secret/data/cl01tl/matrix-synapse/double-puppet
+        secretKey: double-puppet-registration.yaml
--- a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-discord-config.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-discord-config.yaml
@@ -0,0 +1,23 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: mautrix-discord-config
+  namespace: matrix-synapse
+  labels:
+    app.kubernetes.io/name: mautrix-discord-config
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/part-of: matrix-synapse
+spec:
+  provider: openbao
+  parameters:
+    baoAddress: "http://openbao-internal.openbao:8200"
+    roleName: matrix-synapse
+    objects: |
+      - objectName: config.yaml
+        fileName: config.yaml
+        secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord
+        secretKey: config.yaml
+      - objectName: mautrix-discord-registration.yaml
+        fileName: mautrix-discord-registration.yaml
+        secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord
+        secretKey: mautrix-discord-registration.yaml
--- a/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-whatsapp-config.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/SecretProviderClass-mautrix-whatsapp-config.yaml
@@ -0,0 +1,23 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: mautrix-whatsapp-config
+  namespace: matrix-synapse
+  labels:
+    app.kubernetes.io/name: mautrix-whatsapp-config
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/part-of: matrix-synapse
+spec:
+  provider: openbao
+  parameters:
+    baoAddress: "http://openbao-internal.openbao:8200"
+    roleName: matrix-synapse
+    objects: |
+      - objectName: config.yaml
+        fileName: config.yaml
+        secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp
+        secretKey: config.yaml
+      - objectName: mautrix-whatsapp-registration.yaml
+        fileName: mautrix-whatsapp-registration.yaml
+        secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp
+        secretKey: mautrix-whatsapp-registration.yaml
--- a/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: matrix-synapse
+  namespace: matrix-synapse
+  labels:
+    app.kubernetes.io/name: matrix-synapse
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/part-of: matrix-synapse
--- a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml
@@ -120,5 +120,5 @@ spec:
            medium: Memory
        - name: valkey-users-secret
          secret:
-            secretName: matrix-synapse-valkey-secret
+            secretName: matrix-synapse-valkey-config
            defaultMode: 0400
--- a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-discord.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-discord.yaml
@@ -46,12 +46,12 @@ spec:
            - mountPath: /data
              name: data
      volumes:
-        - name: config
-          secret:
-            secretName: mautrix-discord-config-secret
+        - csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: mautrix-discord-config
+          name: config
        - name: data
          persistentVolumeClaim:
            claimName: mautrix-discord
-        - name: registration
-          secret:
-            secretName: mautrix-discord-config-secret
--- a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-whatsapp.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-mautrix-whatsapp.yaml
@@ -46,12 +46,12 @@ spec:
            - mountPath: /data
              name: data
      volumes:
-        - name: config
-          secret:
-            secretName: mautrix-whatsapp-config-secret
+        - csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: mautrix-whatsapp-config
+          name: config
        - name: data
          persistentVolumeClaim:
            claimName: mautrix-whatsapp
-        - name: registration
-          secret:
-            secretName: mautrix-whatsapp-config-secret