alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 12 Actions Activity

Merge pull request 'feat: subpath mount' (#6170) from tmp/secrets-10 into main
Some checks failed
lint-test-helm / lint-helm (push) Successful in 4m0s
Details
lint-test-helm / validate-kubeconform (push) Has been skipped
Details
renovate / renovate (push) Has been cancelled
Details

Browse Source 
Reviewed-on: #6170
This commit was merged in pull request #6170.
This commit is contained in:
Alex Lebens
2026-04-24 02:11:43 +00:00
parent 2a6062a62f 2eee76307a
commit bf24f60161
2 changed files with 137 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
clusters/cl01tl/helm/matrix-synapse/templates/secret-provider-class.yaml
View File

@@ -16,22 +16,102 @@ spec:
fileName: config.yaml
secretPath: secret/data/cl01tl/matrix-synapse/config
secretKey: config.yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: matrix-synapse-oidc-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: matrix-synapse-oidc-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: matrix-synapse
objects: |
- objectName: oidc.yaml
fileName: oidc.yaml
secretPath: secret/data/cl01tl/matrix-synapse/config
secretKey: oidc.yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: matrix-synapse-hookshot-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: matrix-synapse-hookshot-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: matrix-synapse
objects: |
- objectName: hookshot-registration.yaml
fileName: hookshot-registration.yaml
secretPath: secret/data/cl01tl/matrix-synapse/hookshot
secretKey: hookshot-registration.yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: matrix-synapse-mautrix-discord-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: matrix-synapse-mautrix-discord-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: matrix-synapse
objects: |
- objectName: mautrix-discord-registration.yaml
fileName: mautrix-discord-registration.yaml
secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord
secretKey: mautrix-discord-registration.yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: matrix-synapse-mautrix-whatsapp-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: matrix-synapse-mautrix-whatsapp-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: matrix-synapse
objects: |
- objectName: mautrix-whatsapp-registration.yaml
fileName: mautrix-whatsapp-registration.yaml
secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp
secretKey: mautrix-whatsapp-registration.yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: matrix-synapse-double-puppet-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: matrix-synapse-double-puppet-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: matrix-synapse
objects: |
- objectName: double-puppet-registration.yaml
fileName: double-puppet-registration.yaml
secretPath: secret/data/cl01tl/matrix-synapse/double-puppet

58
clusters/cl01tl/helm/matrix-synapse/values.yaml
View File

@@ -43,11 +43,67 @@ matrix-synapse:
readOnly: true
volumeAttributes:
secretProviderClass: matrix-synapse-config
- name: oidc-config
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: matrix-synapse-oidc-config
- name: hookshot-config
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: matrix-synapse-hookshot-config
- name: mautrix-discord-config
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: matrix-synapse-mautrix-discord-config
- name: mautrix-whatsapp-config
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: matrix-synapse-mautrix-whatsapp-config
- name: double-puppet-config
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: matrix-synapse-double-puppet-config
extraVolumeMounts:
- name: config
mountPath: /synapse/config/conf.d
mountPath: /synapse/config/conf.d/config.yaml
mountPropagation: None
readOnly: true
subPath: config.yaml
- name: oidc-config
mountPath: /synapse/config/conf.d/
mountPropagation: None
readOnly: true
subPath: oidc.yaml
- name: hookshot-config
mountPath: /synapse/config/conf.d/
mountPropagation: None
readOnly: true
subPath: hookshot-registration.yaml
- name: mautrix-discord-config
mountPath: /synapse/config/conf.d/
mountPropagation: None
readOnly: true
subPath: mautrix-discord-registration.yaml
- name: mautrix-whatsapp-config
mountPath: /synapse/config/conf.d/
mountPropagation: None
readOnly: true
subPath: mautrix-whatsapp-registration.yaml
- name: double-puppet-config
mountPath: /synapse/config/conf.d/
mountPropagation: None
readOnly: true
subPath: double-puppet-registration.yaml
resources:
requests:
cpu: 10m