alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 12 Actions Activity

Merge pull request 'Automated Manifest Update' (#6156) from auto/update-manifests into manifests

Browse Source 
Reviewed-on: #6156
This commit was merged in pull request #6156.
This commit is contained in:
Alex Lebens
2026-04-24 00:19:40 +00:00
parent cfe38d32cf ba20a96b0f
commit fb30160603
233 changed files with 1471 additions and 1345 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
clusters/cl01tl/manifests/audiobookshelf/ExternalSecret-audiobookshelf-config-apprise.yaml
View File

@@ -16,9 +16,13 @@ spec:
mergePolicy: Merge mergePolicy: Merge
engineVersion: v2 engineVersion: v2
data: data:
ntfy-url: "{{ .endpoint }}/audiobookshelf" ntfy-url: "{{ .endpoint }}/{{ .topic }}"
data: data:
- secretKey: endpoint - secretKey: endpoint
remoteRef: remoteRef:
key: /cl01tl/ntfy/users/cl01tl key: /cl01tl/ntfy/users/cl01tl
property: internal-endpoint-credential property: internal-endpoint-credential
- secretKey: topic
remoteRef:
key: /cl01tl/ntfy/topics
property: audiobookshelf

4
clusters/cl01tl/manifests/authentik/Ingress-authentik-tailscale.yaml
View File

@@ -5,9 +5,9 @@ metadata:
namespace: authentik namespace: authentik
labels: labels:
app.kubernetes.io/name: authentik-tailscale app.kubernetes.io/name: authentik-tailscale
tailscale.com/proxy-class: no-metrics
app.kubernetes.io/instance: authentik app.kubernetes.io/instance: authentik
app.kubernetes.io/part-of: authentik app.kubernetes.io/part-of: authentik
tailscale.com/proxy-class: no-metrics
annotations: annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true" tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
spec: spec:
@@ -26,4 +26,4 @@ spec:
service: service:
name: authentik-server name: authentik-server
port: port:
number: 80 name: http

4
clusters/cl01tl/manifests/cilium/HTTPRoute-hubble.yaml
View File

@@ -21,8 +21,6 @@ spec:
type: PathPrefix type: PathPrefix
value: / value: /
backendRefs: backendRefs:
- group: '' - kind: Service
kind: Service
name: hubble-ui name: hubble-ui
port: 80 port: 80
weight: 100

2
clusters/cl01tl/manifests/democratic-csi-synology-iscsi/DaemonSet-democratic-csi-synology-iscsi-node.yaml
View File

@@ -205,7 +205,7 @@ spec:
type: Directory type: Directory
- name: config - name: config
secret: secret:
secretName: synology-iscsi-config-secret secretName: synology-iscsi-config
- name: extra-ca-certs - name: extra-ca-certs
configMap: configMap:
name: democratic-csi-synology-iscsi name: democratic-csi-synology-iscsi

2
clusters/cl01tl/manifests/democratic-csi-synology-iscsi/Deployment-democratic-csi-synology-iscsi-controller.yaml
View File

@@ -178,7 +178,7 @@ spec:
emptyDir: {} emptyDir: {}
- name: config - name: config
secret: secret:
secretName: synology-iscsi-config-secret secretName: synology-iscsi-config
- name: extra-ca-certs - name: extra-ca-certs
configMap: configMap:
name: democratic-csi-synology-iscsi name: democratic-csi-synology-iscsi

6
clusters/cl01tl/manifests/democratic-csi-synology-iscsi/ExternalSecret-synology-iscsi-config-secret.yaml → clusters/cl01tl/manifests/democratic-csi-synology-iscsi/ExternalSecret-synology-iscsi-config.yaml
View File

@@ -1,16 +1,16 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: synology-iscsi-config-secret name: synology-iscsi-config
namespace: democratic-csi-synology-iscsi namespace: democratic-csi-synology-iscsi
labels: labels:
app.kubernetes.io/name: synology-iscsi-config-secret app.kubernetes.io/name: synology-iscsi-config
app.kubernetes.io/instance: democratic-csi-synology-iscsi app.kubernetes.io/instance: democratic-csi-synology-iscsi
app.kubernetes.io/part-of: democratic-csi-synology-iscsi app.kubernetes.io/part-of: democratic-csi-synology-iscsi
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: driver-config-file.yaml - secretKey: driver-config-file.yaml
remoteRef: remoteRef:

4
clusters/cl01tl/manifests/directus/Deployment-directus.yaml
View File

@@ -139,12 +139,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: OIDC_CLIENT_ID key: OIDC_CLIENT_ID
name: directus-oidc-secret name: directus-oidc-authentik
- name: AUTH_AUTHENTIK_CLIENT_SECRET - name: AUTH_AUTHENTIK_CLIENT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: OIDC_CLIENT_SECRET key: OIDC_CLIENT_SECRET
name: directus-oidc-secret name: directus-oidc-authentik
- name: AUTH_AUTHENTIK_SCOPE - name: AUTH_AUTHENTIK_SCOPE
value: openid profile email value: openid profile email
- name: AUTH_AUTHENTIK_ISSUER_URL - name: AUTH_AUTHENTIK_ISSUER_URL

2
clusters/cl01tl/manifests/directus/ExternalSecret-directus-bucket-garage.yaml
View File

@@ -10,7 +10,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: ACCESS_KEY_ID - secretKey: ACCESS_KEY_ID
remoteRef: remoteRef:

18
clusters/cl01tl/manifests/directus/ExternalSecret-directus-config.yaml
View File

@@ -10,8 +10,16 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: key
remoteRef:
key: /cl01tl/directus/key
property: key
- secretKey: secret
remoteRef:
key: /cl01tl/directus/key
property: secret
- secretKey: admin-email - secretKey: admin-email
remoteRef: remoteRef:
key: /cl01tl/directus/config key: /cl01tl/directus/config
@@ -20,11 +28,3 @@ spec:
remoteRef: remoteRef:
key: /cl01tl/directus/config key: /cl01tl/directus/config
property: admin-password property: admin-password
- secretKey: secret
remoteRef:
key: /cl01tl/directus/config
property: secret
- secretKey: key
remoteRef:
key: /cl01tl/directus/config
property: key

2
clusters/cl01tl/manifests/directus/ExternalSecret-directus-metric-token.yaml
View File

@@ -10,7 +10,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: metric-token - secretKey: metric-token
remoteRef: remoteRef:

10
clusters/cl01tl/manifests/directus/ExternalSecret-directus-oidc-secret.yaml → clusters/cl01tl/manifests/directus/ExternalSecret-directus-oidc-authentik.yaml
View File

@@ -1,22 +1,22 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: directus-oidc-secret name: directus-oidc-authentik
namespace: directus namespace: directus
labels: labels:
app.kubernetes.io/name: directus-oidc-secret app.kubernetes.io/name: directus-oidc-authentik
app.kubernetes.io/instance: directus app.kubernetes.io/instance: directus
app.kubernetes.io/part-of: directus app.kubernetes.io/part-of: directus
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: OIDC_CLIENT_ID - secretKey: OIDC_CLIENT_ID
remoteRef: remoteRef:
key: /authentik/oidc/directus key: /cl01tl/authentik/oidc/directus
property: client property: client
- secretKey: OIDC_CLIENT_SECRET - secretKey: OIDC_CLIENT_SECRET
remoteRef: remoteRef:
key: /authentik/oidc/directus key: /cl01tl/authentik/oidc/directus
property: secret property: secret

10
clusters/cl01tl/manifests/directus/ExternalSecret-directus-valkey-config.yaml
View File

@@ -10,12 +10,8 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: default
remoteRef:
key: /cl01tl/directus/valkey
property: password
- secretKey: user - secretKey: user
remoteRef: remoteRef:
key: /cl01tl/directus/valkey key: /cl01tl/directus/valkey
@@ -24,3 +20,7 @@ spec:
remoteRef: remoteRef:
key: /cl01tl/directus/valkey key: /cl01tl/directus/valkey
property: password property: password
- secretKey: default
remoteRef:
key: /cl01tl/directus/valkey
property: password

10
clusters/cl01tl/manifests/external-dns/DNSEndpoint-iot-device-names.yaml
View File

@@ -34,3 +34,13 @@ spec:
recordType: A recordType: A
targets: targets:
- 10.230.0.100 - 10.230.0.100
- dnsName: dv01hr.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 10.232.1.72
- dnsName: dv02kv.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 10.232.1.71

10
clusters/cl01tl/manifests/external-dns/DNSEndpoint-server-host-names.yaml
View File

@@ -34,3 +34,13 @@ spec:
recordType: A recordType: A
targets: targets:
- 10.232.1.52 - 10.232.1.52
- dnsName: pd05wd.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 10.230.0.115
- dnsName: pl02mc.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 10.230.0.105

2
clusters/cl01tl/manifests/external-dns/ExternalSecret-external-dns-unifi-secret.yaml
View File

@@ -10,7 +10,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: api-key - secretKey: api-key
remoteRef: remoteRef:

4
clusters/cl01tl/manifests/freshrss/Deployment-freshrss.yaml
View File

@@ -98,9 +98,9 @@ spec:
value: preferred_username value: preferred_username
envFrom: envFrom:
- secretRef: - secretRef:
name: freshrss-oidc-secret name: freshrss-oidc-authentik
- secretRef: - secretRef:
name: freshrss-install-secret name: freshrss-install-config
image: freshrss/freshrss:1.28.1@sha256:9100f649f5c946f589f54cdb9be7a65996528f48f691ef90eb262a0e06e5a522 image: freshrss/freshrss:1.28.1@sha256:9100f649f5c946f589f54cdb9be7a65996528f48f691ef90eb262a0e06e5a522
name: main name: main
resources: resources:

12
clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-install-secret.yaml → clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-install-config.yaml
View File

@@ -1,26 +1,26 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: freshrss-install-secret name: freshrss-install-config
namespace: freshrss namespace: freshrss
labels: labels:
app.kubernetes.io/name: freshrss-install-secret app.kubernetes.io/name: freshrss-install-config
app.kubernetes.io/instance: freshrss app.kubernetes.io/instance: freshrss
app.kubernetes.io/part-of: freshrss app.kubernetes.io/part-of: freshrss
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: ADMIN_EMAIL - secretKey: ADMIN_EMAIL
remoteRef: remoteRef:
key: /cl01tl/freshrss/config key: /cl01tl/freshrss/config
property: ADMIN_EMAIL property: admin-email
- secretKey: ADMIN_PASSWORD - secretKey: ADMIN_PASSWORD
remoteRef: remoteRef:
key: /cl01tl/freshrss/config key: /cl01tl/freshrss/config
property: ADMIN_PASSWORD property: admin-password
- secretKey: ADMIN_API_PASSWORD - secretKey: ADMIN_API_PASSWORD
remoteRef: remoteRef:
key: /cl01tl/freshrss/config key: /cl01tl/freshrss/config
property: ADMIN_API_PASSWORD property: admin-api-password

14
clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-oidc-secret.yaml → clusters/cl01tl/manifests/freshrss/ExternalSecret-freshrss-oidc-authentik.yaml
View File

@@ -1,26 +1,26 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: freshrss-oidc-secret name: freshrss-oidc-authentik
namespace: freshrss namespace: freshrss
labels: labels:
app.kubernetes.io/name: freshrss-oidc-secret app.kubernetes.io/name: freshrss-oidc-authentik
app.kubernetes.io/instance: freshrss app.kubernetes.io/instance: freshrss
app.kubernetes.io/part-of: freshrss app.kubernetes.io/part-of: freshrss
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: OIDC_CLIENT_ID - secretKey: OIDC_CLIENT_ID
remoteRef: remoteRef:
key: /authentik/oidc/freshrss key: /cl01tl/authentik/oidc/freshrss
property: client property: client
- secretKey: OIDC_CLIENT_SECRET - secretKey: OIDC_CLIENT_SECRET
remoteRef: remoteRef:
key: /authentik/oidc/freshrss key: /cl01tl/authentik/oidc/freshrss
property: secret property: secret
- secretKey: OIDC_CLIENT_CRYPTO_KEY - secretKey: OIDC_CLIENT_CRYPTO_KEY
remoteRef: remoteRef:
key: /authentik/oidc/freshrss key: /cl01tl/freshrss/key
property: crypto-key property: oidc-client-crypto-key

2
clusters/cl01tl/manifests/garage/Deployment-garage-server-1.yaml
View File

@@ -49,7 +49,7 @@ spec:
containers: containers:
- envFrom: - envFrom:
- secretRef: - secretRef:
name: garage-token-secret name: garage-token
image: dxflrs/garage:v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690 image: dxflrs/garage:v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
name: main name: main
resources: resources:

2
clusters/cl01tl/manifests/garage/Deployment-garage-server-2.yaml
View File

@@ -49,7 +49,7 @@ spec:
containers: containers:
- envFrom: - envFrom:
- secretRef: - secretRef:
name: garage-token-secret name: garage-token
image: dxflrs/garage:v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690 image: dxflrs/garage:v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
name: main name: main
resources: resources:

2
clusters/cl01tl/manifests/garage/Deployment-garage-server-3.yaml
View File

@@ -49,7 +49,7 @@ spec:
containers: containers:
- envFrom: - envFrom:
- secretRef: - secretRef:
name: garage-token-secret name: garage-token
image: dxflrs/garage:v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690 image: dxflrs/garage:v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
name: main name: main
resources: resources:

2
clusters/cl01tl/manifests/garage/Deployment-garage-webui.yaml
View File

@@ -45,7 +45,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: GARAGE_ADMIN_TOKEN key: GARAGE_ADMIN_TOKEN
name: garage-token-secret name: garage-token
image: khairul169/garage-webui:1.1.0@sha256:17c793551873155065bf9a022dabcde874de808a1f26e648d4b82e168806439c image: khairul169/garage-webui:1.1.0@sha256:17c793551873155065bf9a022dabcde874de808a1f26e648d4b82e168806439c
name: main name: main
resources: resources:

18
clusters/cl01tl/manifests/garage/ExternalSecret-garage-token-secret.yaml → clusters/cl01tl/manifests/garage/ExternalSecret-garage-token.yaml
View File

@@ -1,26 +1,26 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: garage-token-secret name: garage-token
namespace: garage namespace: garage
labels: labels:
app.kubernetes.io/name: garage-token-secret app.kubernetes.io/name: garage-token
app.kubernetes.io/instance: garage app.kubernetes.io/instance: garage
app.kubernetes.io/part-of: garage app.kubernetes.io/part-of: garage
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: GARAGE_RPC_SECRET - secretKey: GARAGE_RPC_SECRET
remoteRef: remoteRef:
key: /cl01tl/garage/token key: /cl01tl/garage/config
property: rpc property: rpc-secret
- secretKey: GARAGE_ADMIN_TOKEN - secretKey: GARAGE_ADMIN_TOKEN
remoteRef: remoteRef:
key: /cl01tl/garage/token key: /cl01tl/garage/config
property: admin property: admin-token
- secretKey: GARAGE_METRICS_TOKEN - secretKey: GARAGE_METRICS_TOKEN
remoteRef: remoteRef:
key: /cl01tl/garage/token key: /cl01tl/garage/config
property: metric property: metrics-token

2
clusters/cl01tl/manifests/garage/Service-garage-main.yaml
View File

@@ -27,6 +27,6 @@ spec:
protocol: TCP protocol: TCP
targetPort: 3902 targetPort: 3902
selector: selector:
app.kubernetes.io/instance: garage
app.kubernetes.io/name: garage app.kubernetes.io/name: garage
app.kubernetes.io/instance: garage
garage-type: server garage-type: server

2
clusters/cl01tl/manifests/garage/ServiceMonitor-garage.yaml
View File

@@ -21,7 +21,7 @@ spec:
endpoints: endpoints:
- bearerTokenSecret: - bearerTokenSecret:
key: GARAGE_METRICS_TOKEN key: GARAGE_METRICS_TOKEN
name: garage-token-secret name: garage-token
interval: 5m interval: 5m
path: /metrics path: /metrics
port: admin port: admin

6
clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml
View File

@@ -50,17 +50,17 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: NTFY_TOKEN key: NTFY_TOKEN
name: gatus-config-secret name: gatus-config
- name: "OIDC_CLIENT_ID" - name: "OIDC_CLIENT_ID"
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: OIDC_CLIENT_ID key: OIDC_CLIENT_ID
name: gatus-oidc-secret name: gatus-oidc-authentik
- name: "OIDC_CLIENT_SECRET" - name: "OIDC_CLIENT_SECRET"
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: OIDC_CLIENT_SECRET key: OIDC_CLIENT_SECRET
name: gatus-oidc-secret name: gatus-oidc-authentik
- name: "POSTGRES_DB" - name: "POSTGRES_DB"
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:

6
clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-config-secret.yaml → clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-config.yaml
View File

@@ -1,7 +1,7 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: gatus-config-secret name: gatus-config
namespace: gatus namespace: gatus
labels: labels:
app.kubernetes.io/name: gatus-config-secret app.kubernetes.io/name: gatus-config-secret
@@ -10,9 +10,9 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: NTFY_TOKEN - secretKey: NTFY_TOKEN
remoteRef: remoteRef:
key: /ntfy/user/cl01tl key: /cl01tl/ntfy/users/cl01tl
property: token property: token

10
clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-oidc-secret.yaml → clusters/cl01tl/manifests/gatus/ExternalSecret-gatus-oidc-authentik.yaml
View File

@@ -1,22 +1,22 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: gatus-oidc-secret name: gatus-oidc-authentik
namespace: gatus namespace: gatus
labels: labels:
app.kubernetes.io/name: gatus-oidc-secret app.kubernetes.io/name: gatus-oidc-authentik
app.kubernetes.io/instance: gatus app.kubernetes.io/instance: gatus
app.kubernetes.io/part-of: gatus app.kubernetes.io/part-of: gatus
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: OIDC_CLIENT_ID - secretKey: OIDC_CLIENT_ID
remoteRef: remoteRef:
key: /authentik/oidc/gatus key: /cl01tl/authentik/oidc/gatus
property: client property: client
- secretKey: OIDC_CLIENT_SECRET - secretKey: OIDC_CLIENT_SECRET
remoteRef: remoteRef:
key: /authentik/oidc/gatus key: /cl01tl/authentik/oidc/gatus
property: secret property: secret

6
clusters/cl01tl/manifests/gitea/Deployment-gitea.yaml
View File

@@ -111,7 +111,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: ISSUE_INDEXER_CONN_STR key: ISSUE_INDEXER_CONN_STR
name: gitea-meilisearch-master-key-secret name: gitea-meilisearch-key
volumeMounts: volumeMounts:
- name: config - name: config
mountPath: /usr/sbinx mountPath: /usr/sbinx
@@ -151,12 +151,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: key key: key
name: gitea-oidc-secret name: gitea-oidc-authentik
- name: GITEA_OAUTH_SECRET_0 - name: GITEA_OAUTH_SECRET_0
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: secret key: secret
name: gitea-oidc-secret name: gitea-oidc-authentik
- name: GITEA_ADMIN_USERNAME - name: GITEA_ADMIN_USERNAME
value: "gitea_admin" value: "gitea_admin"
- name: GITEA_ADMIN_PASSWORD - name: GITEA_ADMIN_PASSWORD

22
clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-admin-secret.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitea-admin-secret
namespace: gitea
labels:
app.kubernetes.io/name: gitea-admin-secret
app.kubernetes.io/instance: gitea
app.kubernetes.io/part-of: gitea
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: username
remoteRef:
key: /cl01tl/gitea/auth/admin
property: username
- secretKey: password
remoteRef:
key: /cl01tl/gitea/auth/admin
property: password

8
clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-meilisearch-master-key-secret.yaml → clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-meilisearch-key.yaml
View File

@@ -1,16 +1,16 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: gitea-meilisearch-master-key-secret name: gitea-meilisearch-key
namespace: gitea namespace: gitea
labels: labels:
app.kubernetes.io/name: gitea-meilisearch-master-key-secret app.kubernetes.io/name: gitea-meilisearch-key
app.kubernetes.io/instance: gitea app.kubernetes.io/instance: gitea
app.kubernetes.io/part-of: gitea app.kubernetes.io/part-of: gitea
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
target: target:
template: template:
mergePolicy: Merge mergePolicy: Merge
@@ -21,4 +21,4 @@ spec:
- secretKey: MEILI_MASTER_KEY - secretKey: MEILI_MASTER_KEY
remoteRef: remoteRef:
key: /cl01tl/gitea/meilisearch key: /cl01tl/gitea/meilisearch
property: MEILI_MASTER_KEY property: master-key

10
clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-oidc-secret.yaml → clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-oidc-authentik.yaml
View File

@@ -1,22 +1,22 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: gitea-oidc-secret name: gitea-oidc-authentik
namespace: gitea namespace: gitea
labels: labels:
app.kubernetes.io/name: gitea-oidc-secret app.kubernetes.io/name: gitea-oidc-authentik
app.kubernetes.io/instance: gitea app.kubernetes.io/instance: gitea
app.kubernetes.io/part-of: gitea app.kubernetes.io/part-of: gitea
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: secret - secretKey: secret
remoteRef: remoteRef:
key: /authentik/oidc/gitea key: /cl01tl/authentik/oidc/gitea
property: secret property: secret
- secretKey: key - secretKey: key
remoteRef: remoteRef:
key: /authentik/oidc/gitea key: /cl01tl/authentik/oidc/gitea
property: client property: client

34
clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-renovate-secret.yaml
View File

@@ -1,34 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitea-renovate-secret
namespace: gitea
labels:
app.kubernetes.io/name: gitea-renovate-secret
app.kubernetes.io/instance: gitea
app.kubernetes.io/part-of: gitea
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: RENOVATE_ENDPOINT
remoteRef:
key: /cl01tl/gitea/renovate
property: RENOVATE_ENDPOINT
- secretKey: RENOVATE_GIT_AUTHOR
remoteRef:
key: /cl01tl/gitea/renovate
property: RENOVATE_GIT_AUTHOR
- secretKey: RENOVATE_TOKEN
remoteRef:
key: /cl01tl/gitea/renovate
property: RENOVATE_TOKEN
- secretKey: RENOVATE_GIT_PRIVATE_KEY
remoteRef:
key: /cl01tl/gitea/renovate
property: id_rsa
- secretKey: RENOVATE_GITHUB_COM_TOKEN
remoteRef:
key: /github/gitea-cl01tl
property: token

26
clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-renovate-ssh-secret.yaml
View File

@@ -1,26 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitea-renovate-ssh-secret
namespace: gitea
labels:
app.kubernetes.io/name: gitea-renovate-ssh-secret
app.kubernetes.io/instance: gitea
app.kubernetes.io/part-of: gitea
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config
remoteRef:
key: /cl01tl/gitea/renovate
property: ssh_config
- secretKey: id_rsa
remoteRef:
key: /cl01tl/gitea/renovate
property: id_rsa
- secretKey: id_rsa.pub
remoteRef:
key: /cl01tl/gitea/renovate
property: id_rsa.pub

2
clusters/cl01tl/manifests/gitea/ExternalSecret-gitea-runner-secret.yaml
View File

@@ -10,7 +10,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: token - secretKey: token
remoteRef: remoteRef:

4
clusters/cl01tl/manifests/gitea/HTTPRoute-gitea.yaml
View File

@@ -21,8 +21,6 @@ spec:
type: PathPrefix type: PathPrefix
value: / value: /
backendRefs: backendRefs:
- group: '' - kind: Service
kind: Service
name: gitea-http name: gitea-http
port: 3000 port: 3000
weight: 100

2
clusters/cl01tl/manifests/gitea/Ingress-gitea-tailscale.yaml
View File

@@ -21,7 +21,7 @@ spec:
http: http:
paths: paths:
- path: / - path: /
pathType: ImplementationSpecific pathType: Prefix
backend: backend:
service: service:
name: gitea-http name: gitea-http

2
clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-meilisearch.yaml
View File

@@ -26,5 +26,5 @@ spec:
interval: 1m interval: 1m
scrapeTimeout: 10s scrapeTimeout: 10s
bearerTokenSecret: bearerTokenSecret:
name: gitea-meilisearch-master-key-secret name: gitea-meilisearch-key
key: MEILI_MASTER_KEY key: MEILI_MASTER_KEY

2
clusters/cl01tl/manifests/gitea/StatefulSet-gitea-meilisearch.yaml
View File

@@ -62,7 +62,7 @@ spec:
- configMapRef: - configMapRef:
name: gitea-meilisearch-environment name: gitea-meilisearch-environment
- secretRef: - secretRef:
name: gitea-meilisearch-master-key-secret name: gitea-meilisearch-key
ports: ports:
- name: http - name: http
containerPort: 7700 containerPort: 7700

4
clusters/cl01tl/manifests/gitea/TCPRoute-gitea-ssh.yaml
View File

@@ -16,8 +16,6 @@ spec:
sectionName: ssh sectionName: ssh
rules: rules:
- backendRefs: - backendRefs:
- group: '' - kind: Service
kind: Service
name: gitea-ssh name: gitea-ssh
port: 22 port: 22
weight: 100

10
clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-auth-secret.yaml → clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-config.yaml
View File

@@ -1,22 +1,22 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: grafana-auth-secret name: grafana-config
namespace: grafana-operator namespace: grafana-operator
labels: labels:
app.kubernetes.io/name: grafana-auth-secret app.kubernetes.io/name: grafana-config
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/part-of: grafana-operator app.kubernetes.io/part-of: grafana-operator
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: admin-user - secretKey: admin-user
remoteRef: remoteRef:
key: /cl01tl/grafana/auth key: /cl01tl/grafana/config
property: admin-user property: admin-user
- secretKey: admin-password - secretKey: admin-password
remoteRef: remoteRef:
key: /cl01tl/grafana/auth key: /cl01tl/grafana/config
property: admin-password property: admin-password

10
clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-oauth-secret.yaml → clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-oidc-authentik.yaml
View File

@@ -1,22 +1,22 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: grafana-oauth-secret name: grafana-oidc-authentik
namespace: grafana-operator namespace: grafana-operator
labels: labels:
app.kubernetes.io/name: grafana-oauth-secret app.kubernetes.io/name: grafana-oidc-authentik
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/part-of: grafana-operator app.kubernetes.io/part-of: grafana-operator
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: AUTH_CLIENT_ID - secretKey: AUTH_CLIENT_ID
remoteRef: remoteRef:
key: /authentik/oidc/grafana key: /cl01tl/authentik/oidc/grafana
property: client property: client
- secretKey: AUTH_CLIENT_SECRET - secretKey: AUTH_CLIENT_SECRET
remoteRef: remoteRef:
key: /authentik/oidc/grafana key: /cl01tl/authentik/oidc/grafana
property: secret property: secret

26
clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-operator-postgresql-18-cluster-backup-secret-garage.yaml
View File

@@ -1,26 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: grafana-operator-postgresql-18-cluster-backup-secret-garage
namespace: grafana-operator
labels:
app.kubernetes.io/name: grafana-operator-postgresql-18-cluster-backup-secret-garage
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/part-of: grafana-operator
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/postgres-backups
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /garage/home-infra/postgres-backups
property: ACCESS_SECRET_KEY
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/postgres-backups
property: ACCESS_REGION

22
clusters/cl01tl/manifests/grafana-operator/ExternalSecret-grafana-operator-postgresql-18-cluster-backup-secret.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: grafana-operator-postgresql-18-cluster-backup-secret
namespace: grafana-operator
labels:
app.kubernetes.io/name: grafana-operator-postgresql-18-cluster-backup-secret
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/part-of: grafana-operator
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /digital-ocean/home-infra/postgres-backups
property: access
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /digital-ocean/home-infra/postgres-backups
property: secret

8
clusters/cl01tl/manifests/grafana-operator/Grafana-grafana-main.yaml
View File

@@ -65,22 +65,22 @@ spec:
- name: AUTH_CLIENT_ID - name: AUTH_CLIENT_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: grafana-oauth-secret name: grafana-oidc-authentik
key: AUTH_CLIENT_ID key: AUTH_CLIENT_ID
- name: AUTH_CLIENT_SECRET - name: AUTH_CLIENT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: grafana-oauth-secret name: grafana-oidc-authentik
key: AUTH_CLIENT_SECRET key: AUTH_CLIENT_SECRET
- name: ADMIN_USER - name: ADMIN_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: grafana-auth-secret name: grafana-config
key: admin-user key: admin-user
- name: ADMIN_PASSWORD - name: ADMIN_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: grafana-auth-secret name: grafana-config
key: admin-password key: admin-password
- name: DB_HOST - name: DB_HOST
valueFrom: valueFrom:

2
clusters/cl01tl/manifests/grimmory/Deployment-grimmory.yaml
View File

@@ -52,7 +52,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: password key: password
name: grimmory-database-secret name: grimmory-database-config
- name: GRIMMORY_PORT - name: GRIMMORY_PORT
value: "6060" value: "6060"
- name: SWAGGER_ENABLED - name: SWAGGER_ENABLED

18
clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-data-replication-secret.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: grimmory-data-replication-secret
namespace: grimmory
labels:
app.kubernetes.io/name: grimmory-data-replication-secret
app.kubernetes.io/instance: grimmory
app.kubernetes.io/part-of: grimmory
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: psk.txt
remoteRef:
key: /cl01tl/grimmory/replication
property: psk.txt

6
clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-database-secret.yaml → clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-database-config.yaml
View File

@@ -1,16 +1,16 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: grimmory-database-secret name: grimmory-database-config
namespace: grimmory namespace: grimmory
labels: labels:
app.kubernetes.io/name: grimmory-database-secret app.kubernetes.io/name: grimmory-database-config
app.kubernetes.io/instance: grimmory app.kubernetes.io/instance: grimmory
app.kubernetes.io/part-of: grimmory app.kubernetes.io/part-of: grimmory
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: password - secretKey: password
remoteRef: remoteRef:

2
clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-mariadb-cluster-backup-secret-external.yaml
View File

@@ -10,7 +10,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: access - secretKey: access
remoteRef: remoteRef:

6
clusters/cl01tl/manifests/grimmory/ExternalSecret-grimmory-mariadb-cluster-backup-secret-garage.yaml
View File

@@ -10,13 +10,13 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: access - secretKey: access
remoteRef: remoteRef:
key: /garage/home-infra/mariadb-backups key: /garage/home-infra/mariadb-backups
property: access property: ACCESS_KEY_ID
- secretKey: secret - secretKey: secret
remoteRef: remoteRef:
key: /garage/home-infra/mariadb-backups key: /garage/home-infra/mariadb-backups
property: secret property: ACCESS_SECRET_KEY

2
clusters/cl01tl/manifests/grimmory/MariaDB-grimmory-mariadb-cluster.yaml
View File

@@ -31,6 +31,6 @@ spec:
rootPasswordSecretKeyRef: rootPasswordSecretKeyRef:
generate: false generate: false
key: password key: password
name: grimmory-database-secret name: grimmory-database-config
storage: storage:
size: 5Gi size: 5Gi

5
clusters/cl01tl/manifests/grimmory/Namespace-grimmory.yaml
View File

@@ -2,12 +2,7 @@ apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: grimmory name: grimmory
annotations:
volsync.backube/privileged-movers: "true"
labels: labels:
app.kubernetes.io/name: grimmory app.kubernetes.io/name: grimmory
app.kubernetes.io/instance: grimmory app.kubernetes.io/instance: grimmory
app.kubernetes.io/part-of: grimmory app.kubernetes.io/part-of: grimmory
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged

2
clusters/cl01tl/manifests/grimmory/PersistentVolume-grimmory-books-import-nfs-storage.yaml
View File

@@ -15,7 +15,7 @@ spec:
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
nfs: nfs:
path: /volume2/Storage/Books Import path: '/volume2/Storage/Books Import'
server: synologybond.alexlebens.net server: synologybond.alexlebens.net
mountOptions: mountOptions:
- vers=4 - vers=4

24
clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-secret.yaml
View File

@@ -10,7 +10,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: HARBOR_ADMIN_PASSWORD - secretKey: HARBOR_ADMIN_PASSWORD
remoteRef: remoteRef:
@@ -18,12 +18,12 @@ spec:
property: admin-password property: admin-password
- secretKey: secretKey - secretKey: secretKey
remoteRef: remoteRef:
key: /cl01tl/harbor/config key: /cl01tl/harbor/key
property: secretKey property: secret-key
- secretKey: CSRF_KEY - secretKey: CSRF_KEY
remoteRef: remoteRef:
key: /cl01tl/harbor/core key: /cl01tl/harbor/key
property: CSRF_KEY property: csrf-key
- secretKey: secret - secretKey: secret
remoteRef: remoteRef:
key: /cl01tl/harbor/core key: /cl01tl/harbor/core
@@ -39,24 +39,20 @@ spec:
- secretKey: JOBSERVICE_SECRET - secretKey: JOBSERVICE_SECRET
remoteRef: remoteRef:
key: /cl01tl/harbor/jobservice key: /cl01tl/harbor/jobservice
property: JOBSERVICE_SECRET property: secret
- secretKey: REGISTRY_HTTP_SECRET - secretKey: REGISTRY_HTTP_SECRET
remoteRef: remoteRef:
key: /cl01tl/harbor/registry key: /cl01tl/harbor/registry
property: REGISTRY_HTTP_SECRET property: http-secret
- secretKey: REGISTRY_REDIS_PASSWORD
remoteRef:
key: /cl01tl/harbor/registry
property: REGISTRY_REDIS_PASSWORD
- secretKey: REGISTRY_HTPASSWD - secretKey: REGISTRY_HTPASSWD
remoteRef: remoteRef:
key: /cl01tl/harbor/registry key: /cl01tl/harbor/registry
property: REGISTRY_HTPASSWD property: ht-passwd
- secretKey: REGISTRY_CREDENTIAL_PASSWORD - secretKey: REGISTRY_CREDENTIAL_PASSWORD
remoteRef: remoteRef:
key: /cl01tl/harbor/registry key: /cl01tl/harbor/registry
property: REGISTRY_CREDENTIAL_PASSWORD property: credential-password
- secretKey: REGISTRY_PASSWD - secretKey: REGISTRY_PASSWD
remoteRef: remoteRef:
key: /cl01tl/harbor/registry key: /cl01tl/harbor/registry
property: REGISTRY_CREDENTIAL_PASSWORD property: credential-password

6
clusters/cl01tl/manifests/headlamp/ClusterRoleBinding-cluster-admin-oidc.yaml
View File

@@ -8,13 +8,13 @@ metadata:
app.kubernetes.io/instance: headlamp app.kubernetes.io/instance: headlamp
app.kubernetes.io/part-of: headlamp app.kubernetes.io/part-of: headlamp
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cluster-admin name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects: subjects:
- kind: User - apiGroup: rbac.authorization.k8s.io
kind: User
name: https://authentik.alexlebens.net/application/o/headlamp/#alexanderlebens@gmail.com name: https://authentik.alexlebens.net/application/o/headlamp/#alexanderlebens@gmail.com
apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount - kind: ServiceAccount
name: headlamp-admin name: headlamp-admin
namespace: headlamp namespace: headlamp

2
clusters/cl01tl/manifests/headlamp/Deployment-headlamp.yaml
View File

@@ -36,7 +36,7 @@ spec:
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
envFrom: envFrom:
- secretRef: - secretRef:
name: headlamp-oidc-secret name: headlamp-oidc-authentik
args: args:
- "-in-cluster" - "-in-cluster"
- "-in-cluster-context-name=main" - "-in-cluster-context-name=main"

22
clusters/cl01tl/manifests/headlamp/ExternalSecret-headlamp-oidc-secret.yaml → clusters/cl01tl/manifests/headlamp/ExternalSecret-headlamp-oidc-authentik.yaml
View File

@@ -1,38 +1,38 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: headlamp-oidc-secret name: headlamp-oidc-authentik
namespace: headlamp namespace: headlamp
labels: labels:
app.kubernetes.io/name: headlamp-oidc-secret app.kubernetes.io/name: headlamp-oidc-authentik
app.kubernetes.io/instance: headlamp app.kubernetes.io/instance: headlamp
app.kubernetes.io/part-of: headlamp app.kubernetes.io/part-of: headlamp
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: OIDC_CLIENT_ID - secretKey: OIDC_CLIENT_ID
remoteRef: remoteRef:
key: /authentik/oidc/headlamp key: /cl01tl/authentik/oidc/headlamp
property: client property: client
- secretKey: OIDC_CLIENT_SECRET - secretKey: OIDC_CLIENT_SECRET
remoteRef: remoteRef:
key: /authentik/oidc/headlamp key: /cl01tl/authentik/oidc/headlamp
property: secret property: secret
- secretKey: OIDC_ISSUER_URL - secretKey: OIDC_ISSUER_URL
remoteRef: remoteRef:
key: /authentik/oidc/headlamp key: /cl01tl/authentik/oidc/headlamp
property: issuer property: issuer
- secretKey: OIDC_SCOPES - secretKey: OIDC_SCOPES
remoteRef: remoteRef:
key: /authentik/oidc/headlamp key: /cl01tl/authentik/oidc/headlamp
property: scopes property: scopes
- secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_IDP_ISSUER_URL - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_IDP_ISSUER_URL
remoteRef: remoteRef:
key: /authentik/oidc/headlamp key: /cl01tl/authentik/oidc/headlamp
property: validator-issuer-url property: issuer
- secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_CLIENT_ID - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_CLIENT_ID
remoteRef: remoteRef:
key: /authentik/oidc/headlamp key: /cl01tl/authentik/oidc/headlamp
property: validator-client-id property: client

4
clusters/cl01tl/manifests/headlamp/HTTPRoute-headlamp.yaml
View File

@@ -19,11 +19,9 @@ spec:
- headlamp.alexlebens.net - headlamp.alexlebens.net
rules: rules:
- backendRefs: - backendRefs:
- group: "" - kind: Service
kind: Service
name: headlamp name: headlamp
port: 80 port: 80
weight: 100
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix

2
clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml
View File

@@ -48,7 +48,7 @@ spec:
value: /config value: /config
envFrom: envFrom:
- secretRef: - secretRef:
name: home-assistant-code-server-password-secret name: home-assistant-code-server-password
image: ghcr.io/linuxserver/code-server:4.116.0-ls333@sha256:4620adace18935dd6ca79d77e3bc1c379e21875392192f970cf5d6b0fb4aefcd image: ghcr.io/linuxserver/code-server:4.116.0-ls333@sha256:4620adace18935dd6ca79d77e3bc1c379e21875392192f970cf5d6b0fb4aefcd
name: code-server name: code-server
volumeMounts: volumeMounts:

14
clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-code-server-password-secret.yaml → clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-code-server-password.yaml
View File

@@ -1,22 +1,22 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: home-assistant-code-server-password-secret name: home-assistant-code-server-password
namespace: home-assistant namespace: home-assistant
labels: labels:
app.kubernetes.io/name: home-assistant-code-server-password-secret app.kubernetes.io/name: home-assistant-code-server-password
app.kubernetes.io/instance: home-assistant app.kubernetes.io/instance: home-assistant
app.kubernetes.io/part-of: home-assistant app.kubernetes.io/part-of: home-assistant
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: PASSWORD - secretKey: PASSWORD
remoteRef: remoteRef:
key: /cl01tl/home-assistant/code-server/auth key: /cl01tl/home-assistant/code-server
property: PASSWORD property: password
- secretKey: SUDO_PASSWORD - secretKey: SUDO_PASSWORD
remoteRef: remoteRef:
key: /cl01tl/home-assistant/code-server/auth key: /cl01tl/home-assistant/code-server
property: SUDO_PASSWORD property: sudo-password

8
clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-token-secret.yaml → clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-metric-token.yaml
View File

@@ -1,18 +1,18 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: home-assistant-token-secret name: home-assistant-metric-token
namespace: home-assistant namespace: home-assistant
labels: labels:
app.kubernetes.io/name: home-assistant-token-secret app.kubernetes.io/name: home-assistant-metric-token
app.kubernetes.io/instance: home-assistant app.kubernetes.io/instance: home-assistant
app.kubernetes.io/part-of: home-assistant app.kubernetes.io/part-of: home-assistant
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: bearer-token - secretKey: bearer-token
remoteRef: remoteRef:
key: /cl01tl/home-assistant/auth key: /cl01tl/home-assistant/config
property: bearer-token property: bearer-token

2
clusters/cl01tl/manifests/home-assistant/ServiceMonitor-home-assistant.yaml
View File

@@ -21,7 +21,7 @@ spec:
endpoints: endpoints:
- bearerTokenSecret: - bearerTokenSecret:
key: bearer-token key: bearer-token
name: home-assistant-token-secret name: home-assistant-metric-token
interval: 3m interval: 3m
path: /api/prometheus path: /api/prometheus
port: http port: http

2
clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml
View File

@@ -44,7 +44,7 @@ spec:
value: home.alexlebens.net value: home.alexlebens.net
envFrom: envFrom:
- secretRef: - secretRef:
name: homepage-keys-secret name: homepage-secrets
image: ghcr.io/gethomepage/homepage:v1.12.3@sha256:cc84f2f5eb3c7734353701ccbaa24ed02dacb0d119114e50e4251e2005f3990a image: ghcr.io/gethomepage/homepage:v1.12.3@sha256:cc84f2f5eb3c7734353701ccbaa24ed02dacb0d119114e50e4251e2005f3990a
name: main name: main
resources: resources:

30
clusters/cl01tl/manifests/homepage/ExternalSecret-homepage-keys-secret.yaml → clusters/cl01tl/manifests/homepage/ExternalSecret-homepage-secrets.yaml
View File

@@ -1,20 +1,20 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: homepage-keys-secret name: homepage-secrets
namespace: homepage namespace: homepage
labels: labels:
app.kubernetes.io/name: homepage-keys-secret app.kubernetes.io/name: homepage-secrets
app.kubernetes.io/instance: homepage app.kubernetes.io/instance: homepage
app.kubernetes.io/part-of: homepage app.kubernetes.io/part-of: homepage
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: HOMEPAGE_VAR_GITEA_API_TOKEN - secretKey: HOMEPAGE_VAR_GITEA_API_TOKEN
remoteRef: remoteRef:
key: /cl01tl/gitea/auth/homepage key: /cl01tl/gitea/users/bot
property: token property: token
- secretKey: HOMEPAGE_VAR_ARGOCD_API_TOKEN - secretKey: HOMEPAGE_VAR_ARGOCD_API_TOKEN
remoteRef: remoteRef:
@@ -34,47 +34,47 @@ spec:
property: key property: key
- secretKey: HOMEPAGE_VAR_SYNOLOGY_USER - secretKey: HOMEPAGE_VAR_SYNOLOGY_USER
remoteRef: remoteRef:
key: /synology/auth/cl01tl key: /synology/users/remote_stats
property: user property: user
- secretKey: HOMEPAGE_VAR_SYNOLOGY_PASSWORD - secretKey: HOMEPAGE_VAR_SYNOLOGY_PASSWORD
remoteRef: remoteRef:
key: /synology/auth/cl01tl key: /synology/users/remote_stats
property: password property: password
- secretKey: HOMEPAGE_VAR_UNIFI_API_KEY - secretKey: HOMEPAGE_VAR_UNIFI_API_KEY
remoteRef: remoteRef:
key: /unifi/auth/cl01tl key: /unifi/users/cl01tl
property: api-key property: api-key
- secretKey: HOMEPAGE_VAR_SONARR_KEY - secretKey: HOMEPAGE_VAR_SONARR_KEY
remoteRef: remoteRef:
key: /cl01tl/sonarr4/key key: /cl01tl/sonarr/key
property: key property: key
- secretKey: HOMEPAGE_VAR_SONARR4K_KEY - secretKey: HOMEPAGE_VAR_SONARR4K_KEY
remoteRef: remoteRef:
key: /cl01tl/sonarr4-4k/key key: /cl01tl/sonarr-4k/key
property: key property: key
- secretKey: HOMEPAGE_VAR_SONARRANIME_KEY - secretKey: HOMEPAGE_VAR_SONARRANIME_KEY
remoteRef: remoteRef:
key: /cl01tl/sonarr4-anime/key key: /cl01tl/sonarr-anime/key
property: key property: key
- secretKey: HOMEPAGE_VAR_RADARR_KEY - secretKey: HOMEPAGE_VAR_RADARR_KEY
remoteRef: remoteRef:
key: /cl01tl/radarr5/key key: /cl01tl/radarr/key
property: key property: key
- secretKey: HOMEPAGE_VAR_RADARR4K_KEY - secretKey: HOMEPAGE_VAR_RADARR4K_KEY
remoteRef: remoteRef:
key: /cl01tl/radarr5-4k/key key: /cl01tl/radarr-4k/key
property: key property: key
- secretKey: HOMEPAGE_VAR_RADARRANIME_KEY - secretKey: HOMEPAGE_VAR_RADARRANIME_KEY
remoteRef: remoteRef:
key: /cl01tl/radarr5-anime/key key: /cl01tl/radarr-anime/key
property: key property: key
- secretKey: HOMEPAGE_VAR_RADARRSTANDUP_KEY - secretKey: HOMEPAGE_VAR_RADARRSTANDUP_KEY
remoteRef: remoteRef:
key: /cl01tl/radarr5-standup/key key: /cl01tl/radarr-standup/key
property: key property: key
- secretKey: HOMEPAGE_VAR_LIDARR_KEY - secretKey: HOMEPAGE_VAR_LIDARR_KEY
remoteRef: remoteRef:
key: /cl01tl/lidarr2/key key: /cl01tl/lidarr/key
property: key property: key
- secretKey: HOMEPAGE_VAR_PROWLARR_KEY - secretKey: HOMEPAGE_VAR_PROWLARR_KEY
remoteRef: remoteRef:

13
clusters/cl01tl/manifests/immich/Deployment-immich.yaml
View File

@@ -21,13 +21,15 @@ spec:
app.kubernetes.io/instance: immich app.kubernetes.io/instance: immich
template: template:
metadata: metadata:
annotations:
checksum/secrets: 46a3f57ca394cccffc419e0c17f5d5f366374b0651c02c507636c53c0b5f33e6
labels: labels:
app.kubernetes.io/controller: main app.kubernetes.io/controller: main
app.kubernetes.io/instance: immich app.kubernetes.io/instance: immich
app.kubernetes.io/name: immich app.kubernetes.io/name: immich
spec: spec:
enableServiceLinks: false enableServiceLinks: false
serviceAccountName: default serviceAccountName: immich
automountServiceAccountToken: true automountServiceAccountToken: true
hostIPC: false hostIPC: false
hostNetwork: false hostNetwork: false
@@ -112,9 +114,12 @@ spec:
- mountPath: /usr/src/app/upload - mountPath: /usr/src/app/upload
name: data name: data
volumes: volumes:
- name: config - csi:
secret: driver: secrets-store.csi.k8s.io
secretName: immich-config-secret readOnly: true
volumeAttributes:
secretProviderClass: immich-config
name: config
- name: data - name: data
persistentVolumeClaim: persistentVolumeClaim:
claimName: immich claimName: immich

18
clusters/cl01tl/manifests/immich/ExternalSecret-immich-config-secret.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: immich-config-secret
namespace: immich
labels:
app.kubernetes.io/name: immich-config-secret
app.kubernetes.io/instance: immich
app.kubernetes.io/part-of: immich
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: immich.json
remoteRef:
key: /cl01tl/immich/config
property: immich.json

13
clusters/cl01tl/manifests/immich/Secret-immich-immich-sa-token.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: immich-immich-sa-token
labels:
app.kubernetes.io/instance: immich
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: immich
helm.sh/chart: immich-4.6.2
annotations:
kubernetes.io/service-account.name: immich
namespace: immich

19
clusters/cl01tl/manifests/immich/SecretProviderClass-immich-config.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: immich-config
namespace: immich
labels:
app.kubernetes.io/name: immich-config
app.kubernetes.io/instance: immich
app.kubernetes.io/part-of: immich
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: immich
objects: |
- objectName: immich.json
fileName: immich.json
secretPath: secret/data/cl01tl/immich/config
secretKey: immich.json

12
clusters/cl01tl/manifests/immich/ServiceAccount-immich.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: immich
labels:
app.kubernetes.io/instance: immich
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: immich
helm.sh/chart: immich-4.6.2
namespace: immich
secrets:
- name: immich-immich-sa-token

2
clusters/cl01tl/manifests/jellyfin/Deployment-jellyfin.yaml
View File

@@ -55,7 +55,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: token key: token
name: jellyfin-exporter-secret name: jellyfin-metric-token
image: rebelcore/jellyfin-exporter:v1.5.0@sha256:37e6d389654180ad9e1661210a48fee71a6dc355a160670235a00329da0dbf80 image: rebelcore/jellyfin-exporter:v1.5.0@sha256:37e6d389654180ad9e1661210a48fee71a6dc355a160670235a00329da0dbf80
name: exporter name: exporter
- env: - env:

8
clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-meilisearch-master-key-secret.yaml → clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-meilisearch-key.yaml
View File

@@ -1,18 +1,18 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: jellyfin-meilisearch-master-key-secret name: jellyfin-meilisearch-key
namespace: jellyfin namespace: jellyfin
labels: labels:
app.kubernetes.io/name: jellyfin-meilisearch-master-key-secret app.kubernetes.io/name: jellyfin-meilisearch-key
app.kubernetes.io/instance: jellyfin app.kubernetes.io/instance: jellyfin
app.kubernetes.io/part-of: jellyfin app.kubernetes.io/part-of: jellyfin
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: MEILI_MASTER_KEY - secretKey: MEILI_MASTER_KEY
remoteRef: remoteRef:
key: /cl01tl/jellyfin/meilisearch key: /cl01tl/jellyfin/meilisearch
property: MEILI_MASTER_KEY property: master-key

8
clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-exporter-secret.yaml → clusters/cl01tl/manifests/jellyfin/ExternalSecret-jellyfin-metric-token.yaml
View File

@@ -1,18 +1,18 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: jellyfin-exporter-secret name: jellyfin-metric-token
namespace: jellyfin namespace: jellyfin
labels: labels:
app.kubernetes.io/name: jellyfin-exporter-secret app.kubernetes.io/name: jellyfin-metric-token
app.kubernetes.io/instance: jellyfin app.kubernetes.io/instance: jellyfin
app.kubernetes.io/part-of: jellyfin app.kubernetes.io/part-of: jellyfin
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: token - secretKey: token
remoteRef: remoteRef:
key: /cl01tl/jellyfin/exporter key: /cl01tl/jellyfin/metrics
property: token property: token

2
clusters/cl01tl/manifests/jellyfin/ServiceMonitor-jellyfin-meilisearch.yaml
View File

@@ -26,5 +26,5 @@ spec:
interval: 1m interval: 1m
scrapeTimeout: 10s scrapeTimeout: 10s
bearerTokenSecret: bearerTokenSecret:
name: jellyfin-meilisearch-master-key-secret name: jellyfin-meilisearch-key
key: MEILI_MASTER_KEY key: MEILI_MASTER_KEY

2
clusters/cl01tl/manifests/jellyfin/StatefulSet-jellyfin-meilisearch.yaml
View File

@@ -62,7 +62,7 @@ spec:
- configMapRef: - configMapRef:
name: jellyfin-meilisearch-environment name: jellyfin-meilisearch-environment
- secretRef: - secretRef:
name: jellyfin-meilisearch-master-key-secret name: jellyfin-meilisearch-key
ports: ports:
- name: http - name: http
containerPort: 7700 containerPort: 7700

6
clusters/cl01tl/manifests/jellystat/Deployment-jellystat.yaml
View File

@@ -41,17 +41,17 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: secret-key key: secret-key
name: jellystat-secret name: jellystat-config
- name: JS_USER - name: JS_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: user key: user
name: jellystat-secret name: jellystat-config
- name: JS_PASSWORD - name: JS_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: password key: password
name: jellystat-secret name: jellystat-config
- name: POSTGRES_USER - name: POSTGRES_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:

12
clusters/cl01tl/manifests/jellystat/ExternalSecret-jellystat-secret.yaml → clusters/cl01tl/manifests/jellystat/ExternalSecret-jellystat-config.yaml
View File

@@ -1,26 +1,26 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: jellystat-secret name: jellystat-config
namespace: jellystat namespace: jellystat
labels: labels:
app.kubernetes.io/name: jellystat-secret app.kubernetes.io/name: jellystat-config
app.kubernetes.io/instance: jellystat app.kubernetes.io/instance: jellystat
app.kubernetes.io/part-of: jellystat app.kubernetes.io/part-of: jellystat
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: secret-key - secretKey: secret-key
remoteRef: remoteRef:
key: /cl01tl/jellystat/auth key: /cl01tl/jellystat/key
property: secret-key property: secret-key
- secretKey: user - secretKey: user
remoteRef: remoteRef:
key: /cl01tl/jellystat/auth key: /cl01tl/jellystat/config
property: user property: user
- secretKey: password - secretKey: password
remoteRef: remoteRef:
key: /cl01tl/jellystat/auth key: /cl01tl/jellystat/cconfig
property: password property: password

20
clusters/cl01tl/manifests/karakeep/Deployment-karakeep.yaml
View File

@@ -54,21 +54,27 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: key key: key
name: karakeep-key-secret name: karakeep-key
- name: PROMETHEUS_AUTH_TOKEN - name: PROMETHEUS_AUTH_TOKEN
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: prometheus-token key: prometheus-token
name: karakeep-key-secret name: karakeep-metric-token
- name: ASSET_STORE_S3_ENDPOINT - name: ASSET_STORE_S3_ENDPOINT
value: http://garage-main.garage:3900 valueFrom:
secretKeyRef:
key: ENDPOINT
name: karakeep-bucket-garage
- name: ASSET_STORE_S3_REGION - name: ASSET_STORE_S3_REGION
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: ACCESS_REGION key: ACCESS_REGION
name: karakeep-bucket-garage name: karakeep-bucket-garage
- name: ASSET_STORE_S3_BUCKET - name: ASSET_STORE_S3_BUCKET
value: karakeep-assets valueFrom:
secretKeyRef:
key: BUCKET
name: karakeep-bucket-garage
- name: ASSET_STORE_S3_ACCESS_KEY_ID - name: ASSET_STORE_S3_ACCESS_KEY_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
@@ -87,7 +93,7 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: MEILI_MASTER_KEY key: MEILI_MASTER_KEY
name: karakeep-meilisearch-master-key-secret name: karakeep-meilisearch-key
- name: BROWSER_WEB_URL - name: BROWSER_WEB_URL
value: http://karakeep.karakeep:9222 value: http://karakeep.karakeep:9222
- name: DISABLE_SIGNUPS - name: DISABLE_SIGNUPS
@@ -102,12 +108,12 @@ spec:
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: AUTHENTIK_CLIENT_ID key: AUTHENTIK_CLIENT_ID
name: karakeep-oidc-secret name: karakeep-oidc-authentik
- name: OAUTH_CLIENT_SECRET - name: OAUTH_CLIENT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: AUTHENTIK_CLIENT_SECRET key: AUTHENTIK_CLIENT_SECRET
name: karakeep-oidc-secret name: karakeep-oidc-authentik
- name: OLLAMA_BASE_URL - name: OLLAMA_BASE_URL
value: http://ollama-server-3.ollama:11434 value: http://ollama-server-3.ollama:11434
- name: OLLAMA_KEEP_ALIVE - name: OLLAMA_KEEP_ALIVE

10
clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-bucket-garage.yaml
View File

@@ -10,7 +10,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: ACCESS_KEY_ID - secretKey: ACCESS_KEY_ID
remoteRef: remoteRef:
@@ -24,3 +24,11 @@ spec:
remoteRef: remoteRef:
key: /garage/home-infra/karakeep-assets key: /garage/home-infra/karakeep-assets
property: ACCESS_REGION property: ACCESS_REGION
- secretKey: BUCKET
remoteRef:
key: /garage/home-infra/karakeep-assets
property: BUCKET
- secretKey: ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_LOCAL

18
clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-key.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: karakeep-key
namespace: karakeep
labels:
app.kubernetes.io/name: karakeep-key
app.kubernetes.io/instance: karakeep
app.kubernetes.io/part-of: karakeep
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: key
remoteRef:
key: /cl01tl/karakeep/key
property: key

8
clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-meilisearch-master-key-secret.yaml → clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-meilisearch-key.yaml
View File

@@ -1,18 +1,18 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: karakeep-meilisearch-master-key-secret name: karakeep-meilisearch-key
namespace: karakeep namespace: karakeep
labels: labels:
app.kubernetes.io/name: karakeep-meilisearch-master-key-secret app.kubernetes.io/name: karakeep-meilisearch-key
app.kubernetes.io/instance: karakeep app.kubernetes.io/instance: karakeep
app.kubernetes.io/part-of: karakeep app.kubernetes.io/part-of: karakeep
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: MEILI_MASTER_KEY - secretKey: MEILI_MASTER_KEY
remoteRef: remoteRef:
key: /cl01tl/karakeep/meilisearch key: /cl01tl/karakeep/meilisearch
property: MEILI_MASTER_KEY property: master-key

12
clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-key-secret.yaml → clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-metric-token.yaml
View File

@@ -1,7 +1,7 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: karakeep-key-secret name: karakeep-metric-token
namespace: karakeep namespace: karakeep
labels: labels:
app.kubernetes.io/name: karakeep-key-secret app.kubernetes.io/name: karakeep-key-secret
@@ -10,13 +10,9 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: key
remoteRef:
key: /cl01tl/karakeep/key
property: key
- secretKey: prometheus-token - secretKey: prometheus-token
remoteRef: remoteRef:
key: /cl01tl/karakeep/key key: /cl01tl/karakeep/metrics
property: prometheus-token property: token

10
clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-oidc-secret.yaml → clusters/cl01tl/manifests/karakeep/ExternalSecret-karakeep-oidc-authentik.yaml
View File

@@ -1,22 +1,22 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: karakeep-oidc-secret name: karakeep-oidc-authentik
namespace: karakeep namespace: karakeep
labels: labels:
app.kubernetes.io/name: karakeep-oidc-secret app.kubernetes.io/name: karakeep-oidc-authentik
app.kubernetes.io/instance: karakeep app.kubernetes.io/instance: karakeep
app.kubernetes.io/part-of: karakeep app.kubernetes.io/part-of: karakeep
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: AUTHENTIK_CLIENT_ID - secretKey: AUTHENTIK_CLIENT_ID
remoteRef: remoteRef:
key: /authentik/oidc/karakeep key: /cl01tl/authentik/oidc/karakeep
property: client property: client
- secretKey: AUTHENTIK_CLIENT_SECRET - secretKey: AUTHENTIK_CLIENT_SECRET
remoteRef: remoteRef:
key: /authentik/oidc/karakeep key: /cl01tl/authentik/oidc/karakeep
property: secret property: secret

2
clusters/cl01tl/manifests/karakeep/ServiceMonitor-karakeep-meilisearch.yaml
View File

@@ -26,5 +26,5 @@ spec:
interval: 1m interval: 1m
scrapeTimeout: 10s scrapeTimeout: 10s
bearerTokenSecret: bearerTokenSecret:
name: karakeep-meilisearch-master-key-secret name: karakeep-meilisearch-key
key: MEILI_MASTER_KEY key: MEILI_MASTER_KEY

2
clusters/cl01tl/manifests/karakeep/ServiceMonitor-karakeep.yaml
View File

@@ -21,7 +21,7 @@ spec:
- authorization: - authorization:
credentials: credentials:
key: prometheus-token key: prometheus-token
name: karakeep-key-secret name: karakeep-metric-token
interval: 30s interval: 30s
path: /api/metrics path: /api/metrics
port: http port: http

2
clusters/cl01tl/manifests/karakeep/StatefulSet-karakeep-meilisearch.yaml
View File

@@ -62,7 +62,7 @@ spec:
- configMapRef: - configMapRef:
name: karakeep-meilisearch-environment name: karakeep-meilisearch-environment
- secretRef: - secretRef:
name: karakeep-meilisearch-master-key-secret name: karakeep-meilisearch-key
ports: ports:
- name: http - name: http
containerPort: 7700 containerPort: 7700

8
clusters/cl01tl/manifests/komodo/Deployment-komodo-main.yaml
View File

@@ -93,13 +93,13 @@ spec:
- name: KOMODO_OIDC_CLIENT_ID - name: KOMODO_OIDC_CLIENT_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: oidc-client-id key: client
name: komodo-secret name: komodo-oidc-authentik
- name: KOMODO_OIDC_CLIENT_SECRET - name: KOMODO_OIDC_CLIENT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: oidc-client-secret key: secret
name: komodo-secret name: komodo-oidc-authentik
- name: KOMODO_OIDC_USE_FULL_EMAIL - name: KOMODO_OIDC_USE_FULL_EMAIL
value: "true" value: "true"
image: ghcr.io/moghtech/komodo-core:2.1.2@sha256:8a7dbba232e4e49797bb412be5f78207c89fcf22cc2727b38631ae30f7518a4c image: ghcr.io/moghtech/komodo-core:2.1.2@sha256:8a7dbba232e4e49797bb412be5f78207c89fcf22cc2727b38631ae30f7518a4c

22
clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-oidc-authentik.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: komodo-oidc-authentik
namespace: komodo
labels:
app.kubernetes.io/name: komodo-oidc-authentik
app.kubernetes.io/instance: komodo
app.kubernetes.io/part-of: komodo
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: client
remoteRef:
key: /cl01tl/authentik/oidc/komodo
property: client
- secretKey: secret
remoteRef:
key: /cl01tl/authentik/oidc/komodo
property: secret

2
clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-postgresql-17-fdb-cluster-ferret.yaml
View File

@@ -10,7 +10,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: uri - secretKey: uri
remoteRef: remoteRef:

16
clusters/cl01tl/manifests/komodo/ExternalSecret-komodo-secret.yaml
View File

@@ -10,25 +10,17 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: passkey - secretKey: passkey
remoteRef: remoteRef:
key: /cl01tl/komodo/config key: /cl01tl/komodo/key
property: passkey property: passkey
- secretKey: jwt - secretKey: jwt
remoteRef: remoteRef:
key: /cl01tl/komodo/config key: /cl01tl/komodo/key
property: jwt property: jwt
- secretKey: webhook - secretKey: webhook
remoteRef: remoteRef:
key: /cl01tl/komodo/config key: /cl01tl/komodo/key
property: webhook property: webhook
- secretKey: oidc-client-id
remoteRef:
key: /authentik/oidc/komodo
property: client
- secretKey: oidc-client-secret
remoteRef:
key: /authentik/oidc/komodo
property: secret

2
clusters/cl01tl/manifests/kube-prometheus-stack/Alertmanager-kube-prometheus-stack-alertmanager.yaml
View File

@@ -26,7 +26,7 @@ spec:
logLevel: "info" logLevel: "info"
retention: "120h" retention: "120h"
secrets: secrets:
- alertmanager-config-secret - alertmanager-ntfy-config
alertmanagerConfigSelector: {} alertmanagerConfigSelector: {}
alertmanagerConfigNamespaceSelector: {} alertmanagerConfigNamespaceSelector: {}
routePrefix: "/" routePrefix: "/"

13
clusters/cl01tl/manifests/kube-prometheus-stack/Deployment-ntfy-alertmanager.yaml
View File

@@ -21,13 +21,15 @@ spec:
app.kubernetes.io/instance: kube-prometheus-stack app.kubernetes.io/instance: kube-prometheus-stack
template: template:
metadata: metadata:
annotations:
checksum/secrets: 3c0d4bd47e7d4f71ba55611ddc7b74c5f3ec1cedcc474b15ac0a00daab9b791a
labels: labels:
app.kubernetes.io/controller: main app.kubernetes.io/controller: main
app.kubernetes.io/instance: kube-prometheus-stack app.kubernetes.io/instance: kube-prometheus-stack
app.kubernetes.io/name: kube-prometheus-stack app.kubernetes.io/name: kube-prometheus-stack
spec: spec:
enableServiceLinks: false enableServiceLinks: false
serviceAccountName: default serviceAccountName: ntfy-alertmanager
automountServiceAccountToken: true automountServiceAccountToken: true
hostIPC: false hostIPC: false
hostNetwork: false hostNetwork: false
@@ -43,6 +45,9 @@ spec:
readOnly: true readOnly: true
subPath: config subPath: config
volumes: volumes:
- name: config - csi:
secret: driver: secrets-store.csi.k8s.io
secretName: ntfy-alertmanager-config-secret readOnly: true
volumeAttributes:
secretProviderClass: ntfy-alertmanager-config
name: config

10
clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-alertmanager-config-secret.yaml → clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-alertmanager-ntfy-config.yaml
View File

@@ -1,18 +1,18 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: alertmanager-config-secret name: alertmanager-ntfy-config
namespace: kube-prometheus-stack namespace: kube-prometheus-stack
labels: labels:
app.kubernetes.io/name: alertmanager-config-secret app.kubernetes.io/name: alertmanager-ntfy-config
app.kubernetes.io/instance: kube-prometheus-stack app.kubernetes.io/instance: kube-prometheus-stack
app.kubernetes.io/part-of: kube-prometheus-stack app.kubernetes.io/part-of: kube-prometheus-stack
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: ntfy_password - secretKey: ntfy_password
remoteRef: remoteRef:
key: /cl01tl/kube-prometheus-stack/ntfy-alertmanager key: / cl01tl/ntfy/users/cl01tl
property: ntfy_password property: password

10
clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-garage-metric-secret.yaml → clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-garage-metric-token.yaml
View File

@@ -1,18 +1,18 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: garage-metric-secret name: garage-metric-token
namespace: kube-prometheus-stack namespace: kube-prometheus-stack
labels: labels:
app.kubernetes.io/name: garage-metric-secret app.kubernetes.io/name: garage-metric-token
app.kubernetes.io/instance: kube-prometheus-stack app.kubernetes.io/instance: kube-prometheus-stack
app.kubernetes.io/part-of: kube-prometheus-stack app.kubernetes.io/part-of: kube-prometheus-stack
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: token - secretKey: token
remoteRef: remoteRef:
key: /garage/token key: /ps10rp/garage/config
property: metric property: metrics-token

22
clusters/cl01tl/manifests/kube-prometheus-stack/ExternalSecret-ntfy-alertmanager-config-secret.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: ntfy-alertmanager-config-secret
namespace: kube-prometheus-stack
labels:
app.kubernetes.io/name: ntfy-alertmanager-config-secret
app.kubernetes.io/instance: kube-prometheus-stack
app.kubernetes.io/part-of: kube-prometheus-stack
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ntfy_password
remoteRef:
key: /cl01tl/kube-prometheus-stack/ntfy-alertmanager
property: ntfy_password
- secretKey: config
remoteRef:
key: /cl01tl/kube-prometheus-stack/ntfy-alertmanager
property: config

2
clusters/cl01tl/manifests/kube-prometheus-stack/ScrapeConfig-garage-https.yaml
View File

@@ -20,4 +20,4 @@ spec:
type: Bearer type: Bearer
credentials: credentials:
key: token key: token
name: garage-metric-secret name: garage-metric-token

13
clusters/cl01tl/manifests/kube-prometheus-stack/Secret-ntfy-alertmanager-ntfy-alertmanager-sa-token.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: ntfy-alertmanager-ntfy-alertmanager-sa-token
labels:
app.kubernetes.io/instance: kube-prometheus-stack
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kube-prometheus-stack
helm.sh/chart: ntfy-alertmanager-4.6.2
annotations:
kubernetes.io/service-account.name: ntfy-alertmanager
namespace: kube-prometheus-stack

19
clusters/cl01tl/manifests/kube-prometheus-stack/SecretProviderClass-ntfy-alertmanager-config.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: ntfy-alertmanager-config
namespace: kube-prometheus-stack
labels:
app.kubernetes.io/name: ntfy-alertmanager-config
app.kubernetes.io/instance: kube-prometheus-stack
app.kubernetes.io/part-of: kube-prometheus-stack
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: ntfy-alertmanager
objects: |
- objectName: config
fileName: config
secretPath: secret/data/cl01tl/kube-prometheus-stack/ntfy-alertmanager
secretKey: config

12
clusters/cl01tl/manifests/kube-prometheus-stack/ServiceAccount-ntfy-alertmanager.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: ntfy-alertmanager
labels:
app.kubernetes.io/instance: kube-prometheus-stack
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kube-prometheus-stack
helm.sh/chart: ntfy-alertmanager-4.6.2
namespace: kube-prometheus-stack
secrets:
- name: ntfy-alertmanager-ntfy-alertmanager-sa-token

6
clusters/cl01tl/manifests/kubelet-serving-cert-approver/Namespace-kubelet-serving-cert-approver.yaml
View File

@@ -6,6 +6,6 @@ metadata:
app.kubernetes.io/name: kubelet-serving-cert-approver app.kubernetes.io/name: kubelet-serving-cert-approver
app.kubernetes.io/instance: kubelet-serving-cert-approver app.kubernetes.io/instance: kubelet-serving-cert-approver
app.kubernetes.io/part-of: kubelet-serving-cert-approver app.kubernetes.io/part-of: kubelet-serving-cert-approver
pod-security.kubernetes.io/audit: restricted pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: restricted pod-security.kubernetes.io/warn: privileged

2
clusters/cl01tl/manifests/kubernetes-cloudflare-ddns/ExternalSecret-kubernetes-cloudflare-ddns-secret.yaml
View File

@@ -10,7 +10,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: openbao
data: data:
- secretKey: AUTH_KEY - secretKey: AUTH_KEY
remoteRef: remoteRef:

Some files were not shown because too many files have changed in this diff Show More