From f2280ff40a3e5f75c1b189d7490e7faf4c7af399 Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Tue, 21 Apr 2026 21:13:37 -0500
Subject: [PATCH] feat: add more

---
clusters/cl01tl/helm/harbor/values.yaml | 8 +-
.../karakeep/templates/external-secret.yaml | 87 ++++++++++++-------
clusters/cl01tl/helm/karakeep/values.yaml | 24 +++--
.../cl01tl/helm/kiwix/templates/_helpers.tpl | 7 ++
.../templates/persistent-volume-claim.yaml | 6 +-
.../kiwix/templates/persistent-volume.yaml | 4 +-
.../komodo/templates/external-secret.yaml | 33 +++++--
clusters/cl01tl/helm/komodo/values.yaml | 8 +-
8 files changed, 114 insertions(+), 63 deletions(-)

diff --git a/clusters/cl01tl/helm/harbor/values.yaml b/clusters/cl01tl/helm/harbor/values.yaml
index 3179f922a..210985f6d 100644
--- a/clusters/cl01tl/helm/harbor/values.yaml
+++ b/clusters/cl01tl/helm/harbor/values.yaml
@@ -5,10 +5,10 @@ harbor:
enabled: false route: parentRefs: - group: gateway.networking.k8s.io - kind: Gateway - name: traefik-gateway - namespace: traefik + - group: gateway.networking.k8s.io + kind: Gateway + name: traefik-gateway + namespace: traefik hosts: - harbor.alexlebens.net externalURL: https://harbor.alexlebens.net
diff --git a/clusters/cl01tl/helm/karakeep/templates/external-secret.yaml b/clusters/cl01tl/helm/karakeep/templates/external-secret.yaml
index a809456c8..5c3a49b0a 100644
--- a/clusters/cl01tl/helm/karakeep/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/karakeep/templates/external-secret.yaml
@@ -1,7 +1,26 @@
apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: karakeep-key-secret + name: karakeep-key + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: karakeep-key + {{- include "custom.labels" . | nindent 4 }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: key + remoteRef: + key: /cl01tl/karakeep/key + property: key + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: karakeep-metric-token namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: karakeep-key-secret
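Review bot: The second document's label still reads `app.kubernetes.io/name: karakeep-key-secret` on the unchanged context line directly after the new `name: karakeep-metric-token`, so the rename was not carried through to that label; it should become `app.kubernetes.io/name: karakeep-metric-token` so the label matches the resource it sits on, as the first document in this hunk already does. Every other ExternalSecret in this file pairs the label with its metadata name, so this is the only mismatch left. The enclosing document continues past the end of the hunk.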
@@ -9,38 +28,53 @@ metadata:
spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - - secretKey: key - remoteRef: - key: /cl01tl/karakeep/key - property: key - secretKey: prometheus-token remoteRef: - key: /cl01tl/karakeep/key - property: prometheus-token + key: /cl01tl/karakeep/metrics + property: token --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: karakeep-oidc-secret + name: karakeep-meilisearch-key namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: karakeep-oidc-secret + app.kubernetes.io/name: karakeep-meilisearch-key {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao + data: + - secretKey: MEILI_MASTER_KEY + remoteRef: + key: /cl01tl/karakeep/meilisearch + property: master-key + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: karakeep-oidc-authentik + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: karakeep-oidc-authentik + {{- include "custom.labels" . | nindent 4 }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao data: - secretKey: AUTHENTIK_CLIENT_ID remoteRef: - key: /authentik/oidc/karakeep + key: /cl01tl/authentik/oidc/karakeep property: client - secretKey: AUTHENTIK_CLIENT_SECRET remoteRef: - key: /authentik/oidc/karakeep + key: /cl01tl/authentik/oidc/karakeep property: secret ---
@@ -55,7 +89,7 @@ metadata:
spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: ACCESS_KEY_ID remoteRef:
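Review bot: Every `secretStoreRef` in this hunk and in the `@@ -55,7 +89,7 @@` hunk moves from `vault` to `openbao`, and at the same time the remoteRef paths change for the OIDC client (`/cl01tl/authentik/oidc/karakeep`), the metrics token (`/cl01tl/karakeep/metrics`, property `token`) and the Meilisearch key (property `master-key` instead of `MEILI_MASTER_KEY`). If any of those entries is not yet populated in the `openbao` ClusterSecretStore, the ExternalSecret will not sync, the target Secret is never created, and the karakeep pods that read it through `secretKeyRef` cannot start; there is no fallback to the old path. Worth confirming the entries exist before this rolls out, and the commit message ("feat: add more") does not say that this is a secret-store migration rather than a rename.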
@@ -69,22 +103,11 @@ spec:
remoteRef: key: /garage/home-infra/karakeep-assets property: ACCESS_REGION - ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: karakeep-meilisearch-master-key-secret - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: karakeep-meilisearch-master-key-secret - {{- include "custom.labels" . | nindent 4 }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: MEILI_MASTER_KEY + - secretKey: BUCKET remoteRef: - key: /cl01tl/karakeep/meilisearch - property: MEILI_MASTER_KEY + key: /garage/home-infra/karakeep-assets + property: BUCKET + - secretKey: ENDPOINT + remoteRef: + key: /garage/config + property: ENDPOINT_LOCAL
diff --git a/clusters/cl01tl/helm/karakeep/values.yaml b/clusters/cl01tl/helm/karakeep/values.yaml
index 12d3e2461..c8469b515 100644
--- a/clusters/cl01tl/helm/karakeep/values.yaml
+++ b/clusters/cl01tl/helm/karakeep/values.yaml
@@ -19,22 +19,28 @@ karakeep:
- name: NEXTAUTH_SECRET valueFrom: secretKeyRef: - name: karakeep-key-secret + name: karakeep-key key: key - name: PROMETHEUS_AUTH_TOKEN valueFrom: secretKeyRef: - name: karakeep-key-secret + name: karakeep-metric-token key: prometheus-token - name: ASSET_STORE_S3_ENDPOINT - value: http://garage-main.garage:3900 + valueFrom: + secretKeyRef: + name: karakeep-bucket-garage + key: ENDPOINT - name: ASSET_STORE_S3_REGION valueFrom: secretKeyRef: name: karakeep-bucket-garage key: ACCESS_REGION - name: ASSET_STORE_S3_BUCKET - value: karakeep-assets + valueFrom: + secretKeyRef: + name: karakeep-bucket-garage + key: BUCKET - name: ASSET_STORE_S3_ACCESS_KEY_ID valueFrom: secretKeyRef:
@@ -52,7 +58,7 @@ karakeep:
- name: MEILI_MASTER_KEY valueFrom: secretKeyRef: - name: karakeep-meilisearch-master-key-secret + name: karakeep-meilisearch-key key: MEILI_MASTER_KEY - name: BROWSER_WEB_URL value: http://karakeep.karakeep:9222
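Review bot: In the `@@ -19,22 +19,28 @@` hunk of values.yaml, `ASSET_STORE_S3_ENDPOINT` and `ASSET_STORE_S3_BUCKET` switch from literal values (`http://garage-main.garage:3900`, `karakeep-assets`) to `secretKeyRef` lookups, so the effective endpoint and bucket are no longer reviewable in the repo and a wrong store value only shows up at runtime. The ExternalSecret hunk above sources `ENDPOINT` from `/garage/config` property `ENDPOINT_LOCAL`, so it is worth confirming that entry resolves to the in-cluster address that was hard-coded before; an external address there would route asset traffic out of the cluster without any change visible in git. A comment next to the env entry, e.g. `# endpoint/bucket come from the karakeep-bucket-garage ExternalSecret (/garage/config ENDPOINT_LOCAL, /garage/home-infra/karakeep-assets BUCKET)`, would keep the dependency discoverable.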
@@ -67,12 +73,12 @@ karakeep:
- name: OAUTH_CLIENT_ID valueFrom: secretKeyRef: - name: karakeep-oidc-secret + name: karakeep-oidc-authentik key: AUTHENTIK_CLIENT_ID - name: OAUTH_CLIENT_SECRET valueFrom: secretKeyRef: - name: karakeep-oidc-secret + name: karakeep-oidc-authentik key: AUTHENTIK_CLIENT_SECRET - name: OLLAMA_BASE_URL value: http://ollama-server-3.ollama:11434
@@ -126,7 +132,7 @@ karakeep:
authorization: credentials: key: prometheus-token - name: karakeep-key-secret + name: karakeep-metric-token persistence: data: forceRename: karakeep
@@ -144,7 +150,7 @@ meilisearch:
MEILI_ENV: production MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: true auth: - existingMasterKeySecret: karakeep-meilisearch-master-key-secret + existingMasterKeySecret: karakeep-meilisearch-key persistence: enabled: true storageClass: ceph-block
diff --git a/clusters/cl01tl/helm/kiwix/templates/_helpers.tpl b/clusters/cl01tl/helm/kiwix/templates/_helpers.tpl
index 10688fcef..a2ec9030d 100644
--- a/clusters/cl01tl/helm/kiwix/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/kiwix/templates/_helpers.tpl
@@ -12,3 +12,10 @@ Selector labels
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }} {{- end }} + +{{/* +NFS names +*/}} +{{- define "custom.storageNfsName" -}} +kiwix-nfs-storage +{{- end -}}
diff --git a/clusters/cl01tl/helm/kiwix/templates/persistent-volume-claim.yaml b/clusters/cl01tl/helm/kiwix/templates/persistent-volume-claim.yaml
index 9345de883..7652a28b7 100644
--- a/clusters/cl01tl/helm/kiwix/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/kiwix/templates/persistent-volume-claim.yaml
@@ -1,13 +1,13 @@
apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: kiwix-nfs-storage + name: {{ include "custom.storageNfsName" . }} namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: kiwix-nfs-storage + app.kubernetes.io/name: {{ include "custom.storageNfsName" . }} {{- include "custom.labels" . | nindent 4 }} spec: - volumeName: kiwix-nfs-storage + volumeName: {{ include "custom.storageNfsName" . }} storageClassName: nfs-client accessModes: - ReadWriteMany
diff --git a/clusters/cl01tl/helm/kiwix/templates/persistent-volume.yaml b/clusters/cl01tl/helm/kiwix/templates/persistent-volume.yaml
index 9e50301a4..787527cad 100644
--- a/clusters/cl01tl/helm/kiwix/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/kiwix/templates/persistent-volume.yaml
@@ -1,10 +1,10 @@
apiVersion: v1 kind: PersistentVolume metadata: - name: kiwix-nfs-storage + name: {{ include "custom.storageNfsName" . }} namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: kiwix-nfs-storage + app.kubernetes.io/name: {{ include "custom.storageNfsName" . }} {{- include "custom.labels" . | nindent 4 }} spec: persistentVolumeReclaimPolicy: Retain
diff --git a/clusters/cl01tl/helm/komodo/templates/external-secret.yaml b/clusters/cl01tl/helm/komodo/templates/external-secret.yaml
index 32572bab6..741cbbb2d 100644
--- a/clusters/cl01tl/helm/komodo/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/komodo/templates/external-secret.yaml
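Review bot: In the persistent-volume.yaml hunk, PersistentVolume is a cluster-scoped kind, so the name now produced by `custom.storageNfsName` (a fixed `kiwix-nfs-storage` with no release prefix) must be unique across the whole cluster, and the unchanged `namespace: {{ .Release.Namespace }}` line on the PV metadata has no effect on that resource. A second install of this chart, or any other chart emitting the same name, would collide on the PV while the PVC in the preceding hunk would merely be namespaced. If a second install is ever expected the helper could incorporate `.Release.Name`; otherwise a comment in `_helpers.tpl` such as `{{/* NFS names — shared by the PV and PVC; the PV is cluster-scoped, so this value must be unique cluster-wide */}}` records the constraint where the name is defined.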
@@ -9,27 +9,42 @@ metadata:
spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: passkey remoteRef: - key: /cl01tl/komodo/config + key: /cl01tl/komodo/key property: passkey - secretKey: jwt remoteRef: - key: /cl01tl/komodo/config + key: /cl01tl/komodo/key property: jwt - secretKey: webhook remoteRef: - key: /cl01tl/komodo/config + key: /cl01tl/komodo/key property: webhook - - secretKey: oidc-client-id + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: komodo-oidc-authentik + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: komodo-oidc-authentik + {{- include "custom.labels" . | nindent 4 }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: client remoteRef: - key: /authentik/oidc/komodo + key: /cl01tl/authentik/oidc/komodo property: client - - secretKey: oidc-client-secret + - secretKey: secret remoteRef: - key: /authentik/oidc/komodo + key: /cl01tl/authentik/oidc/komodo property: secret ---
@@ -44,7 +59,7 @@ metadata:
spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao data: - secretKey: uri remoteRef:
diff --git a/clusters/cl01tl/helm/komodo/values.yaml b/clusters/cl01tl/helm/komodo/values.yaml
index 43ed6f992..a7f39e843 100644
--- a/clusters/cl01tl/helm/komodo/values.yaml
+++ b/clusters/cl01tl/helm/komodo/values.yaml
@@ -68,13 +68,13 @@ komodo:
- name: KOMODO_OIDC_CLIENT_ID valueFrom: secretKeyRef: - name: komodo-secret - key: oidc-client-id + name: komodo-oidc-authentik + key: client - name: KOMODO_OIDC_CLIENT_SECRET valueFrom: secretKeyRef: - name: komodo-secret - key: oidc-client-secret + name: komodo-oidc-authentik + key: secret - name: KOMODO_OIDC_USE_FULL_EMAIL value: true resources:
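Review bot: The new `komodo-oidc-authentik` ExternalSecret names its keys `client` and `secret`, while the karakeep OIDC ExternalSecret added in this same commit uses `AUTHENTIK_CLIENT_ID` and `AUTHENTIK_CLIENT_SECRET` for the same two properties under the same `/cl01tl/authentik/oidc/<app>` layout; settling on one convention for the OIDC secrets would make the `secretKeyRef` entries in values.yaml easier to cross-check between charts. The `@@ -44,7 +59,7 @@` hunk makes the same `vault`→`openbao` store switch as the karakeep file, and the `/cl01tl/komodo/config`→`/cl01tl/komodo/key` path change here has the same failure mode: an unpopulated path leaves the Secret unsynced and the pod unable to start. The first document's metadata begins before this hunk, so its name is not visible here.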