From d0bb9edbb08d2627433851b60e34a9a3012c1fa6 Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Thu, 23 Apr 2026 20:28:52 -0500 Subject: [PATCH 1/6] feat: separate secrets --- .../openbao/templates/external-secret.yaml | 97 +++++++------------ clusters/cl01tl/helm/openbao/values.yaml | 6 ++ 2 files changed, 43 insertions(+), 60 deletions(-) diff --git a/clusters/cl01tl/helm/openbao/templates/external-secret.yaml b/clusters/cl01tl/helm/openbao/templates/external-secret.yaml index 0b0734b93..76704e164 100644 --- a/clusters/cl01tl/helm/openbao/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/openbao/templates/external-secret.yaml @@ -45,19 +45,15 @@ spec: - secretKey: ENVIRONMENT remoteRef: key: /cl01tl/openbao/unseal - property: ENVIRONMENT + property: environment - secretKey: NODES remoteRef: key: /cl01tl/openbao/unseal - property: NODES + property: nodes - secretKey: TOKENS remoteRef: key: /cl01tl/openbao/unseal - property: TOKENS_1 - - secretKey: NOTIFY_QUEUE_URLS - remoteRef: - key: /cl01tl/openbao/unseal - property: NOTIFY_QUEUE_URLS + property: tokens-1 --- apiVersion: external-secrets.io/v1 @@ -76,19 +72,15 @@ spec: - secretKey: ENVIRONMENT remoteRef: key: /cl01tl/openbao/unseal - property: ENVIRONMENT + property: environment - secretKey: NODES remoteRef: key: /cl01tl/openbao/unseal - property: NODES + property: nodes - secretKey: TOKENS remoteRef: key: /cl01tl/openbao/unseal - property: TOKENS_2 - - secretKey: NOTIFY_QUEUE_URLS - remoteRef: - key: /cl01tl/openbao/unseal - property: NOTIFY_QUEUE_URLS + property: tokens-2 --- apiVersion: external-secrets.io/v1 
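Review bot: The per-node unseal secrets (`tokens-1` in this hunk, `tokens-2` and `tokens-3` in the following ones) all read from the single remote key `/cl01tl/openbao/unseal`, so splitting them into separate Kubernetes Secrets limits what each unseal pod can see but does not change that one remote entry holds every share — read access to that path is very likely a quorum. If the backing store allows it, keeping each share under its own path (e.g. `/cl01tl/openbao/unseal/1`) would make the per-secret split meaningful end to end; otherwise a comment above the first ExternalSecret such as `# Each pod gets one share; the remote entry still holds all of them` would stop the next reader from assuming stronger isolation. The ExternalSecret's metadata and `secretStoreRef` sit above the hunk.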
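Review bot: This ExternalSecret appears to source from the ClusterSecretStore named `openbao` (the store is only visible in the new block added later in this file, so this is inferred); if that store is served by the same OpenBao these tokens unseal, a cold start after a full seal cannot refresh the Secret and the unsealer is relying on the last synced Kubernetes Secret staying in place. ESO keeps the target Secret by default (`deletionPolicy: Retain`), but that is a silent dependency worth pinning explicitly with `deletionPolicy: Retain` under `target:` plus a one-line comment, e.g. `# Synced from OpenBao itself; after a full seal the pod runs on the last synced Secret`. If the store is a different backend, the comment should say that instead. The ExternalSecret's `target` and `secretStoreRef` are above the hunk.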
@@ -107,56 +99,41 @@ spec: - secretKey: ENVIRONMENT remoteRef: key: /cl01tl/openbao/unseal - property: ENVIRONMENT + property: environment - secretKey: NODES remoteRef: key: /cl01tl/openbao/unseal - property: NODES + property: nodes - secretKey: TOKENS remoteRef: key: /cl01tl/openbao/unseal - property: TOKENS_3 - - secretKey: NOTIFY_QUEUE_URLS - remoteRef: - key: /cl01tl/openbao/unseal - property: NOTIFY_QUEUE_URLS + property: tokens-3 -# --- -# apiVersion: external-secrets.io/v1 -# kind: ExternalSecret -# metadata: -# name: openbao-token -# namespace: {{ .Release.Namespace }} -# labels: -# app.kubernetes.io/name: openbao-token -# app.kubernetes.io/instance: {{ .Release.Name }} -# app.kubernetes.io/part-of: {{ .Release.Name }} -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: openbao -# data: -# - secretKey: token -# remoteRef: -# key: /cl01tl/openbao/token -# property: token -# - secretKey: unseal_key_1 -# remoteRef: -# key: /cl01tl/openbao/token -# property: unseal_key_1 -# - secretKey: unseal_key_2 -# remoteRef: -# key: /cl01tl/openbao/token -# property: unseal_key_2 -# - secretKey: unseal_key_3 -# remoteRef: -# key: /cl01tl/openbao/token -# property: unseal_key_3 -# - secretKey: unseal_key_4 -# remoteRef: -# key: /cl01tl/openbao/token -# property: unseal_key_4 -# - secretKey: unseal_key_5 -# remoteRef: -# key: /cl01tl/openbao/token -# property: unseal_key_5 +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: openbao-ntfy-unseal-config + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: openbao-ntfy-unseal-config + {{- include "custom.labels" . 
| nindent 4 }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + target: + template: + mergePolicy: Merge + engineVersion: v2 + data: + NOTIFY_QUEUE_URLS: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}/?priority=4&tags=vault,unseal&title=Vault+Unsealed" + data: + - secretKey: endpoint + remoteRef: + key: /cl01tl/ntfy/users/cl01tl + property: internal-endpoint-credential + - secretKey: topic + remoteRef: + key: /cl01tl/ntfy/topics + property: openbao diff --git a/clusters/cl01tl/helm/openbao/values.yaml b/clusters/cl01tl/helm/openbao/values.yaml index 73e7f51ee..e224f1a49 100644 --- a/clusters/cl01tl/helm/openbao/values.yaml +++ b/clusters/cl01tl/helm/openbao/values.yaml @@ -160,6 +160,8 @@ unseal: envFrom: - secretRef: name: openbao-unseal-config-1 + - secretRef: + name: openbao-ntfy-unseal-config resources: requests: cpu: 1m @@ -176,6 +178,8 @@ unseal: envFrom: - secretRef: name: openbao-unseal-config-2 + - secretRef: + name: openbao-ntfy-unseal-config resources: requests: cpu: 1m @@ -192,6 +196,8 @@ unseal: envFrom: - secretRef: name: openbao-unseal-config-3 + - secretRef: + name: openbao-ntfy-unseal-config resources: requests: cpu: 1m -- 2.49.1 From c6948462cb9890e78b8ea45e9f4c5284e75fb90a Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Thu, 23 Apr 2026 20:30:20 -0500 Subject: [PATCH 2/6] fix: wrong path --- clusters/cl01tl/helm/vault/templates/external-secret.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/cl01tl/helm/vault/templates/external-secret.yaml b/clusters/cl01tl/helm/vault/templates/external-secret.yaml index 091e0dca4..7b4f2e9ef 100644 --- a/clusters/cl01tl/helm/vault/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/vault/templates/external-secret.yaml 
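Review bot: `mergePolicy: Merge` in the new `openbao-ntfy-unseal-config` keeps the raw `endpoint` and `topic` keys in the generated Secret next to the templated `NOTIFY_QUEUE_URLS`, and because values.yaml loads this Secret with `envFrom`, every unseal pod also receives `endpoint` and `topic` as environment variables — and `endpoint` is read from `internal-endpoint-credential`, which by its name carries the ntfy credential. Removing `mergePolicy: Merge` (ESO's default `Replace` emits only the template's keys) limits the Secret to `NOTIFY_QUEUE_URLS`; if the raw keys are wanted for debugging, say so in a comment. A further caveat: the credential now travels inside a URL in the pod environment, readable by anyone with exec on the pod or from any config dump, so it is worth checking whether the unseal tool can take the token separately from the URL, as the vault chart's ExternalSecret appears to do with its separate `token` property.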
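Review bot: The added `secretRef: openbao-ntfy-unseal-config` is not marked optional, so if that ExternalSecret fails to sync (missing ntfy property, store unreachable) the unseal pod will not start, which ties OpenBao's unseal availability to a notification credential. Since the ntfy URL only drives a post-unseal notification, `- secretRef: {name: openbao-ntfy-unseal-config, optional: true}` (leaving `openbao-unseal-config-1` required) keeps a notification outage from becoming a seal outage; the same applies to the `-2` and `-3` containers in the next two hunks. Whether the unseal tool tolerates an unset `NOTIFY_QUEUE_URLS` is not visible here and should be confirmed before relying on this. The container definition this `envFrom` belongs to starts above the hunk.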
@@ -197,8 +197,8 @@ spec: property: token - secretKey: NTFY_ENDPOINT remoteRef: - key: /cl01tl/ntfy/users/cl01tl - property: endpoint + key: /cl01tl/ntfy/config + property: internal-endpoint - secretKey: NTFY_TOPIC remoteRef: key: /cl01tl/ntfy/topics -- 2.49.1 From c67ee7c8e6631a10b2e17d8d016e36664b98e059 Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Thu, 23 Apr 2026 20:31:21 -0500 Subject: [PATCH 3/6] fix: wrong path --- clusters/cl01tl/helm/vault/templates/external-secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/cl01tl/helm/vault/templates/external-secret.yaml b/clusters/cl01tl/helm/vault/templates/external-secret.yaml index 7b4f2e9ef..27e9bd300 100644 --- a/clusters/cl01tl/helm/vault/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/vault/templates/external-secret.yaml @@ -93,7 +93,7 @@ spec: data: - secretKey: BUCKET remoteRef: - key: /digital-ocean/home-infra/vault-backup + key: /digital-ocean/home-infra/vault-backups property: BUCKET_PATH --- -- 2.49.1 From 5878d1eb45479ec51d9add623599d4b0f46dca5f Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Thu, 23 Apr 2026 20:35:08 -0500 Subject: [PATCH 4/6] fix: wrong path --- clusters/cl01tl/helm/grimmory/templates/external-secret.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/cl01tl/helm/grimmory/templates/external-secret.yaml b/clusters/cl01tl/helm/grimmory/templates/external-secret.yaml index 85ab951c9..94b827e30 100644 --- a/clusters/cl01tl/helm/grimmory/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/grimmory/templates/external-secret.yaml @@ -33,11 +33,11 @@ spec: - secretKey: access remoteRef: key: /digital-ocean/home-infra/mariadb-backups - property: access + property: AWS_ACCESS_KEY_ID - secretKey: secret remoteRef: key: /digital-ocean/home-infra/mariadb-backups - property: secret + property: AWS_SECRET_ACCESS_KEY --- apiVersion: external-secrets.io/v1 -- 2.49.1 
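Review bot: After this fix vault reads the ntfy endpoint as `internal-endpoint` under `/cl01tl/ntfy/config` and passes the token separately (the `property: token` context line above), while the openbao chart in the first patch of this series reads `internal-endpoint-credential` under `/cl01tl/ntfy/users/cl01tl` with the credential embedded in the URL; two layouts for the same ntfy target is exactly how the "wrong path" this commit fixes comes about. Settling on the credential-free endpoint plus a separate token key for both charts, and recording the chosen layout in a comment next to the `NTFY_ENDPOINT` entry, e.g. `# endpoint is credential-free; auth comes from the token key above`, would keep the next chart from guessing. The enclosing ExternalSecret starts above the hunk.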
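Review bot: The `access`/`secret` keys now read `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from `/digital-ocean/home-infra/mariadb-backups`, a path named by purpose rather than by application, so every chart whose MariaDB backups use it presumably shares one key pair and grimmory's backup job can read any backup written with it. If the DigitalOcean side (Spaces, inferred from the AWS-style key names) supports per-app keys or prefix-scoped policies, a per-app entry such as `/digital-ocean/home-infra/mariadb-backups/grimmory` would limit the blast radius; otherwise a comment like `# shared key for all mariadb backups — scope per app if policies allow` makes the trade-off visible. The ExternalSecret's metadata starts above the hunk.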
From df27228e1127a7482a896b390154c6cda06a1f2c Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Thu, 23 Apr 2026 20:37:05 -0500 Subject: [PATCH 5/6] feat: revert name --- clusters/cl01tl/helm/grimmory/templates/external-secret.yaml | 4 ++-- clusters/cl01tl/helm/grimmory/values.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/clusters/cl01tl/helm/grimmory/templates/external-secret.yaml b/clusters/cl01tl/helm/grimmory/templates/external-secret.yaml index 94b827e30..eb53422f4 100644 --- a/clusters/cl01tl/helm/grimmory/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/grimmory/templates/external-secret.yaml @@ -1,10 +1,10 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: grimmory-database-config + name: grimmory-database-secret namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: grimmory-database-config + app.kubernetes.io/name: grimmory-database-secret {{- include "custom.labels" . | nindent 4 }} spec: secretStoreRef: diff --git a/clusters/cl01tl/helm/grimmory/values.yaml b/clusters/cl01tl/helm/grimmory/values.yaml index 8d09eb481..d0ba29d65 100644 --- a/clusters/cl01tl/helm/grimmory/values.yaml +++ b/clusters/cl01tl/helm/grimmory/values.yaml @@ -27,7 +27,7 @@ grimmory: - name: DATABASE_PASSWORD valueFrom: secretKeyRef: - name: grimmory-database-config + name: grimmory-database-secret key: password - name: GRIMMORY_PORT value: 6060 @@ -98,7 +98,7 @@ mariadb-cluster: mariadb: rootPasswordSecretKeyRef: generate: false - name: grimmory-database-config + name: grimmory-database-secret key: password storage: size: 5Gi -- 2.49.1 From 0cd6ca5ea0f4925f93a89b0cbd4eeb4609472e71 Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Thu, 23 Apr 2026 20:39:01 -0500 Subject: [PATCH 6/6] feat: set seviceaccount --- clusters/cl01tl/helm/matrix-synapse/values.yaml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/clusters/cl01tl/helm/matrix-synapse/values.yaml b/clusters/cl01tl/helm/matrix-synapse/values.yaml index c91ffc81a..3e7f46fbc 100644 --- a/clusters/cl01tl/helm/matrix-synapse/values.yaml +++ b/clusters/cl01tl/helm/matrix-synapse/values.yaml @@ -118,6 +118,8 @@ matrix-hookshot: type: deployment replicas: 1 strategy: Recreate + serviceAccount: + name: matrix-synapse containers: main: image: -- 2.49.1
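Review bot: Pointing matrix-hookshot at `serviceAccount.name: matrix-synapse` makes hookshot run with whatever Kubernetes token and RBAC that ServiceAccount carries, so any binding granted for synapse is now also available to the bridge process. Whether `matrix-synapse` has any bindings is not visible here; if hookshot only needs the SA for pod identity (image pulls, admission labels) a dedicated SA, or `automountServiceAccountToken: false` on the hookshot pod, keeps the two workloads' API access separate. A comment stating why the SA is shared, e.g. `# shares synapse's SA for <reason>; hookshot needs no API access`, would document the choice for the next reviewer.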