feat: migrate to openbao

2026-04-19 20:02:09 -05:00
parent 10917de337
commit d40151ca3e
27 changed files with 78 additions and 100 deletions


@@ -1,6 +1,6 @@
dependencies:
- name: argo-cd
repository: https://argoproj.github.io/argo-helm
version: 9.5.1
digest: sha256:52a9bcfdc287dac30b8833cd34654b7e62c864aa3d23bda7644a8acf5f75eb78
generated: "2026-04-16T15:57:15.168206017Z"
version: 9.5.2
digest: sha256:5d9e6405ee944bf94df6af247164ebb9b8899144853b9a7eafabe8606affe84e
generated: "2026-04-19T19:53:40.43789-05:00"


@@ -1,70 +1,42 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argocd-oidc-secret
name: argocd-oidc-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argocd-oidc-secret
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: secret
remoteRef:
key: /authentik/oidc/argocd
key: /cl01tl/authentik/oidc/argocd
property: secret
- secretKey: client
remoteRef:
key: /authentik/oidc/argocd
key: /cl01tk/authentik/oidc/argocd
property: client
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argocd-notifications-secret
name: argocd-notifications-ntfy
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argocd-notifications-secret
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: ntfy-token
remoteRef:
key: /ntfy/user/cl01tl
key: /cl01tl/ntfy/users/cl01tl
property: token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argocd-gitea-repo-infrastructure-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: type
remoteRef:
key: /cl01tl/argocd/credentials/repo/infrastructure
property: type
- secretKey: url
remoteRef:
key: /cl01tl/argocd/credentials/repo/infrastructure
property: url
- secretKey: sshPrivateKey
remoteRef:
key: /cl01tl/argocd/credentials/repo/infrastructure
property: sshPrivateKey
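Review bot: The `client` entry's `key: /cl01tk/authentik/oidc/argocd` has a typo (`cl01tk` where the `secret` entry two lines above and every other path in this commit uses `cl01tl`), so that lookup will not resolve in OpenBao, the `argocd-oidc-authentik` ExternalSecret will fail to sync and Dex's `$argocd-oidc-authentik:client` reference in values.yaml has nothing to read; it should be `key: /cl01tl/authentik/oidc/argocd`. This section also deletes `argocd-gitea-repo-infrastructure-secret` (the repo `sshPrivateKey`) while nothing in the diff recreates it — if that credential now lives elsewhere this is fine, otherwise Argo CD loses access to the infrastructure repo. Finally, `app.kubernetes.io/name: {{ .Template.Name }}` renders Helm's namespaced template file path (roughly `argocd/templates/external-secret.yaml`), which contains `/` and is not a valid label value; keep a literal name or derive one from `.Release.Name`.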


@@ -13,8 +13,8 @@ argo-cd:
connectors:
- config:
issuer: https://authentik.alexlebens.net/application/o/argocd/
clientID: $argocd-oidc-secret:client
clientSecret: $argocd-oidc-secret:secret
clientID: $argocd-oidc-authentik:client
clientSecret: $argocd-oidc-authentik:secret
insecureEnableGroups: true
scopes:
- openid
@@ -205,7 +205,7 @@ argo-cd:
argocdUrl: https://argocd.alexlebens.net
secret:
create: false
name: argocd-notifications-secret
name: argocd-notifications-ntfy
metrics:
enabled: true
serviceMonitor:


@@ -1,18 +1,24 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: audiobookshelf-apprise-config
name: audiobookshelf-config-apprise
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-apprise-config
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
ntfy-url: "{{ `{{ .internal-endpoint-credential }}` }}/audiobookshelf"
data:
- secretKey: ntfy-url
- secretKey: internal-endpoint-credential
remoteRef:
key: /cl01tl/audiobookshelf/apprise
property: ntfy-url
key: /cl01tl/ntfy/users/cl01tl
property: internal-endpoint-credential
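Review bot: The new target template `{{ .internal-endpoint-credential }}` will not parse: ESO renders it with Go text/template, where `-` is not allowed in a field name (the engine reports `bad character U+002D '-'`), so the ExternalSecret fails to sync and `ntfy-url` — the only key audiobookshelf reads via `APPRISE_STATELESS_URLS` — is never produced. Hyphenated keys must be looked up with `index`, e.g. `ntfy-url: '{{ `{{ index . "internal-endpoint-credential" }}` }}/audiobookshelf'` (outer YAML quotes switched to single so the inner double quotes survive Helm rendering), or rename the secretKey to something like `ntfyEndpoint` and reference `.ntfyEndpoint`. With `mergePolicy: Merge` the raw `internal-endpoint-credential` value is also written into the Secret next to `ntfy-url`; since the workload does not need it, `mergePolicy: Replace` (the default, if I recall correctly) would keep only the composed URL.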


@@ -4,11 +4,11 @@ metadata:
name: audiobookshelf-books-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-books-nfs-storage
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: audiobookshelf-books-nfs-storage
volumeName: {{ .Template.Name }}
storageClassName: nfs-client
accessModes:
- ReadWriteMany
@@ -23,11 +23,11 @@ metadata:
name: audiobookshelf-audiobooks-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: audiobookshelf-audiobooks-nfs-storage
volumeName: {{ .Template.Name }}
storageClassName: nfs-client
accessModes:
- ReadWriteMany
@@ -42,11 +42,11 @@ metadata:
name: audiobookshelf-podcasts-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: audiobookshelf-podcasts-nfs-storage
volumeName: {{ .Template.Name }}
storageClassName: nfs-client
accessModes:
- ReadWriteMany
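Review bot: `volumeName: {{ .Template.Name }}` on all three claims is wrong: in Helm `.Template.Name` is the namespaced path of the template file (roughly `audiobookshelf/templates/persistentvolumeclaim.yaml`), so the books, audiobooks and podcasts PVCs now all request the same non-existent PV instead of `audiobookshelf-books-nfs-storage`, `audiobookshelf-audiobooks-nfs-storage` and `audiobookshelf-podcasts-nfs-storage`, and none will bind. The same expression in `app.kubernetes.io/name` yields a value containing `/`, which is not a valid label value and is rejected by the API server — this applies to every `{{ .Template.Name }}` label introduced in this commit, including the matching PV file. Restore the literal values, which still match `metadata.name` a few lines above each claim, e.g. `volumeName: audiobookshelf-books-nfs-storage`, or derive them from `.Release.Name`.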


@@ -4,7 +4,7 @@ metadata:
name: audiobookshelf-books-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-books-nfs-storage
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
@@ -29,7 +29,7 @@ metadata:
name: audiobookshelf-audiobooks-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
@@ -54,7 +54,7 @@ metadata:
name: audiobookshelf-podcasts-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:


@@ -40,7 +40,7 @@ audiobookshelf:
- name: APPRISE_STATELESS_URLS
valueFrom:
secretKeyRef:
name: audiobookshelf-apprise-config
name: audiobookshelf-config-apprise
key: ntfy-url
service:
main:


@@ -1,16 +1,16 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-key-secret
name: authentik-key
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-key-secret
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: key
remoteRef:


@@ -4,7 +4,7 @@ metadata:
name: authentik-tailscale
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-tailscale
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
tailscale.com/proxy-class: no-metrics


@@ -4,7 +4,7 @@ metadata:
name: allow-outpost-cross-namespace-access
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: allow-outpost-cross-namespace-access
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:


@@ -4,7 +4,7 @@ authentik:
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-key-secret
name: authentik-key
key: key
- name: AUTHENTIK_POSTGRESQL__HOST
valueFrom:


@@ -4,11 +4,11 @@ metadata:
name: backrest-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: backrest-nfs-storage
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: backrest-nfs-storage
volumeName: {{ .Template.Name }}
storageClassName: nfs-client
accessModes:
- ReadWriteMany
@@ -23,11 +23,11 @@ metadata:
name: backrest-nfs-share
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: backrest-nfs-share
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: backrest-nfs-share
volumeName: {{ .Template.Name }}
storageClassName: nfs-client
accessModes:
- ReadWriteMany
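Review bot: Both claims now set `volumeName: {{ .Template.Name }}`, which in Helm expands to the template's file path rather than a PV name, so `backrest-nfs-storage` and `backrest-nfs-share` request the same non-existent volume and neither binds; restore `volumeName: backrest-nfs-storage` and `volumeName: backrest-nfs-share` (they still match each claim's `metadata.name`). The `app.kubernetes.io/name` label built from the same expression contains `/` and is not a valid label value, so the objects will be rejected before binding is even attempted.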


@@ -4,7 +4,7 @@ metadata:
name: backrest-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: backrest-nfs-storage
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
@@ -29,7 +29,7 @@ metadata:
name: backrest-nfs-share
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: backrest-nfs-share
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:


@@ -1,16 +1,16 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: bazarr-key-secret
name: bazarr-key
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bazarr-key-secret
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: key
remoteRef:


@@ -4,11 +4,11 @@ metadata:
name: bazarr-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bazarr-nfs-storage
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: bazarr-nfs-storage
volumeName: {{ .Template.Name }}
storageClassName: nfs-client
accessModes:
- ReadWriteMany
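Review bot: `volumeName: {{ .Template.Name }}` renders Helm's template file path, not `bazarr-nfs-storage`, so this claim no longer names the PV defined in the sibling file and will stay Pending; it should read `volumeName: bazarr-nfs-storage`, matching `metadata.name` above. The `app.kubernetes.io/name: {{ .Template.Name }}` label has the same problem and produces a value containing `/`, which is not a valid label value.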


@@ -4,7 +4,7 @@ metadata:
name: bazarr-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bazarr-nfs-storage
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:


@@ -39,7 +39,7 @@ bazarr:
- name: APIKEY
valueFrom:
secretKeyRef:
name: bazarr-key-secret
name: bazarr-key
key: key
- name: ENABLE_ADDITIONAL_METRICS
value: false


@@ -4,7 +4,7 @@ metadata:
name: letsencrypt-issuer
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: letsencrypt-issuer
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:


@@ -4,15 +4,15 @@ metadata:
name: cloudflare-api-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: cloudflare-api-token
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: api-token
remoteRef:
key: /cloudflare/alexlebens.net/clusterissuer
key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate
property: token
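Review bot: The token is now read from `/cloudflare/alexlebens.net/cl01tl-issuer-certificate`, the one remoteRef in this commit that is not moved under the `/cl01tl/` prefix the other ExternalSecrets adopt (`/cl01tl/authentik/...`, `/cl01tl/ntfy/...`); if this path is deliberately shared across clusters, a comment above `remoteRef` such as `# shared Cloudflare path, intentionally not under /cl01tl/` would stop the next migration from "fixing" it. Note also that the `openbao` ClusterSecretStore every ExternalSecret now points at is not part of this diff, so the cutover presumably relies on it already existing with access to these paths. The `app.kubernetes.io/name: {{ .Template.Name }}` label renders a file path containing `/`, which is not a valid label value.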


@@ -4,7 +4,7 @@
# name: cilium-bgp-advertisements
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: cilium-bgp-advertisements
# app.kubernetes.io/name: {{ .Template.Name }}
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:


@@ -4,7 +4,7 @@
# name: cilium-bgp
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: cilium-bgp
# app.kubernetes.io/name: {{ .Template.Name }}
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:


@@ -4,7 +4,7 @@
# name: cilium-peer
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: cilium-peer
# app.kubernetes.io/name: {{ .Template.Name }}
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:


@@ -4,7 +4,7 @@ metadata:
name: default-ip-pool
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: default-ip-pool
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
@@ -19,7 +19,7 @@ metadata:
name: bgp-ip-pool
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bgp-ip-pool
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:


@@ -4,7 +4,7 @@
# name: cilium-tls-gateway
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: cilium-tls-gateway
# app.kubernetes.io/name: {{ .Template.Name }}
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# annotations:


@@ -4,7 +4,7 @@ metadata:
name: hubble
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: hubble
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:


@@ -1,16 +1,16 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: dawarich-key-secret
name: dawarich-key
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: dawarich-key-secret
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: key
remoteRef:
@@ -21,22 +21,22 @@ spec:
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: dawarich-oidc-secret
name: dawarich-oidc-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: dawarich-oidc-secret
app.kubernetes.io/name: {{ .Template.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: client
remoteRef:
key: /authentik/oidc/dawarich
key: /cl01tl/authentik/oidc/dawarich
property: client
- secretKey: secret
remoteRef:
key: /authentik/oidc/dawarich
key: /cl01tl/authentik/oidc/dawarich
property: secret


@@ -61,12 +61,12 @@ dawarich:
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: dawarich-oidc-secret
name: dawarich-oidc-authentik
key: client
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: dawarich-oidc-secret
name: dawarich-oidc-authentik
key: secret
- name: OIDC_PROVIDER_NAME
value: Authentik
@@ -81,7 +81,7 @@ dawarich:
- name: SECRET_KEY_BASE
valueFrom:
secretKeyRef:
name: dawarich-key-secret
name: dawarich-key
key: key
- name: RAILS_LOG_TO_STDOUT
value: true