From 9c210bdd05dd57af77d306495c247e73d0c54f75 Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Sun, 19 Apr 2026 15:32:32 -0500 Subject: [PATCH 1/2] feat: use csi secret --- .../helm/slskd/templates/external-secret.yaml | 21 ------------------- .../templates/secret-provider-class.yaml | 18 ++++++++++++++++ clusters/cl01tl/helm/slskd/values.yaml | 10 ++++++--- 3 files changed, 25 insertions(+), 24 deletions(-) create mode 100644 clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml diff --git a/clusters/cl01tl/helm/slskd/templates/external-secret.yaml b/clusters/cl01tl/helm/slskd/templates/external-secret.yaml index 57e717133..337663687 100644 --- a/clusters/cl01tl/helm/slskd/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/slskd/templates/external-secret.yaml @@ -1,26 +1,5 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret -metadata: - name: slskd-config-secret - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: slskd-config-secret - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: slskd.yml - remoteRef: - key: /cl01tl/slskd/config - - property: slskd.yml - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret metadata: name: slskd-wireguard-conf namespace: {{ .Release.Namespace }} diff --git a/clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml b/clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml new file mode 100644 index 000000000..ad87f8ccb --- /dev/null +++ b/clusters/cl01tl/helm/slskd/templates/secret-provider-class.yaml 
@@ -0,0 +1,18 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1alpha1 +kind: SecretProviderClass +metadata: + name: slskd-config-secret + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: slskd-config-secret + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + provider: openbao + parameters: + roleName: reader + objects: | + - objectName: slskd-config-secret + fileName: slskd.yml + secretPath: cl01tl/slskd/config + secretKey: slskd.yml diff --git a/clusters/cl01tl/helm/slskd/values.yaml b/clusters/cl01tl/helm/slskd/values.yaml index 985a62cd5..9b846e42a 100644 --- a/clusters/cl01tl/helm/slskd/values.yaml +++ b/clusters/cl01tl/helm/slskd/values.yaml @@ -159,9 +159,13 @@ slskd: value: / persistence: slskd-config: - enabled: true - type: secret - name: slskd-config-secret + type: custom + volumeSpec: + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: slskd-config-secret advancedMounts: main: main: From f587bd1e8840b4fbc935de21803fb8e3e998b911 Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Sun, 19 Apr 2026 15:42:44 -0500 Subject: [PATCH 2/2] feat: use protonvpn --- .../helm/slskd/templates/external-secret.yaml | 50 ++++++++++++++++--- clusters/cl01tl/helm/slskd/values.yaml | 19 +------ 2 files changed, 45 insertions(+), 24 deletions(-) diff --git a/clusters/cl01tl/helm/slskd/templates/external-secret.yaml b/clusters/cl01tl/helm/slskd/templates/external-secret.yaml index 337663687..51a984b5b 100644 --- a/clusters/cl01tl/helm/slskd/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/slskd/templates/external-secret.yaml 
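Review bot: The new SecretProviderClass uses `apiVersion: secrets-store.csi.x-k8s.io/v1alpha1`, which the Secrets Store CSI driver has deprecated in favour of `v1`. I would declare `apiVersion: secrets-store.csi.x-k8s.io/v1` so the template does not stop applying on a driver upgrade. Separately, `roleName: reader` is a generic name and the diff does not show what that role may read. A comment above it such as `# OpenBao role; its policy should grant read on cl01tl/slskd/config and nothing else` would record the intended scope for the next reviewer.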
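Review bot: With the `csi` volume under `slskd-config`, the pod's own service account identity is what authenticates to OpenBao, and nothing in this hunk pins which account that is. The role named in the SecretProviderClass should be bound to this release's service account and namespace only, otherwise any workload that can reference the class name could mount the same file (this depends on the OpenBao role definition, which is not on the page). I would also add a comment above `type: custom`, for example `# mounted by the secrets-store CSI driver; the pod stays in ContainerCreating if OpenBao denies the read`, since the failure mode differs from the Secret-backed volume it replaces. The `persistence` block continues outside the hunk.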
@@ -1,30 +1,66 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: slskd-wireguard-conf + name: airvpn-wireguard-conf namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: slskd-wireguard-conf + app.kubernetes.io/name: airvpn-wireguard-conf app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: + - secretKey: conf + remoteRef: + key: /airvpn/config + property: conf - secretKey: private-key remoteRef: - key: /airvpn/conf/cl01tl + key: /airvpn/config property: private-key - secretKey: preshared-key remoteRef: - key: /airvpn/conf/cl01tl + key: /airvpn/config property: preshared-key - secretKey: addresses remoteRef: - key: /airvpn/conf/cl01tl + key: /airvpn/config property: addresses - secretKey: input-ports remoteRef: - key: /airvpn/conf/cl01tl + key: /airvpn/config property: input-ports + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: protonvpn-wireguard-conf + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: protonvpn-wireguard-conf + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: conf + remoteRef: + key: /protonvpn/config + property: conf + - secretKey: email + remoteRef: + key: /protonvpn/config + property: email + - secretKey: password + remoteRef: + key: /protonvpn/config + property: password + - secretKey: private-key + remoteRef: + key: /protonvpn/config + property: private-key diff --git a/clusters/cl01tl/helm/slskd/values.yaml b/clusters/cl01tl/helm/slskd/values.yaml index 9b846e42a..164b34124 100644 --- a/clusters/cl01tl/helm/slskd/values.yaml +++ b/clusters/cl01tl/helm/slskd/values.yaml 
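Review bot: The added `protonvpn-wireguard-conf` ExternalSecret copies the account `email` and `password` into a Kubernetes Secret, yet the values.yaml hunk in this same patch reads only `private-key` from it. Unless another consumer exists outside the diff, drop the `- secretKey: email` and `- secretKey: password` entries (and `conf` if it is also unused), so account credentials are not materialised in the namespace for no reader. The renamed `airvpn-wireguard-conf` has the same problem: after this patch no visible line references it, but it still syncs a private key and a preshared key. Its path also moves from the per-cluster `/airvpn/conf/cl01tl` to `/airvpn/config`, which appears to share one key set across clusters and is worth confirming as intended.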
@@ -60,29 +60,14 @@ slskd: command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"] env: - name: VPN_SERVICE_PROVIDER - value: airvpn + value: protonvpn - name: VPN_TYPE value: wireguard - name: WIREGUARD_PRIVATE_KEY valueFrom: secretKeyRef: - name: slskd-wireguard-conf + name: protonvpn-wireguard-conf key: private-key - - name: WIREGUARD_PRESHARED_KEY - valueFrom: - secretKeyRef: - name: slskd-wireguard-conf - key: preshared-key - - name: WIREGUARD_ADDRESSES - valueFrom: - secretKeyRef: - name: slskd-wireguard-conf - key: addresses - - name: FIREWALL_VPN_INPUT_PORTS - valueFrom: - secretKeyRef: - name: slskd-wireguard-conf - key: input-ports - name: FIREWALL_OUTBOUND_SUBNETS value: 192.168.1.0/24,10.244.0.0/16 - name: FIREWALL_INPUT_PORTS
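Review bot: `WIREGUARD_PRIVATE_KEY` is still injected as an environment variable from `protonvpn-wireguard-conf`, while patch 1/2 of this series moved the slskd config to a CSI-mounted file. An environment variable is readable by every process in the container and tends to surface in crash dumps and debug output. If this container is gluetun, as the variable names suggest, it documents a file-based alternative (`WIREGUARD_PRIVATE_KEY_SECRETFILE`) that could point at a mounted secret instead. At minimum, a comment above the entry such as `# private key only; addresses and preshared key are not needed for protonvpn` would explain why the other three variables were removed. The `env` list begins and ends outside this hunk.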