From 2d1f33e96cea9f33f4c97fef2f59bdd590c0c92e Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Fri, 24 Apr 2026 10:58:57 -0500
Subject: [PATCH 1/3] feat: add service account

---
 .../cl01tl/helm/matrix-synapse/templates/_helpers.tpl | 2 +-
 clusters/cl01tl/helm/talos/templates/_helpers.tpl | 7 +++++++
 .../helm/talos/templates/secret-provider-class.yaml | 8 ++++----
 clusters/cl01tl/helm/talos/templates/service-account.yaml | 4 ++--
 clusters/cl01tl/helm/vault/templates/_helpers.tpl | 7 +++++++
 .../helm/vault/templates/secret-provider-class.yaml | 6 +++---
 clusters/cl01tl/helm/vault/templates/service-account.yaml | 8 ++++++++
 clusters/cl01tl/helm/vault/values.yaml | 2 ++
 8 files changed, 34 insertions(+), 10 deletions(-)
 create mode 100644 clusters/cl01tl/helm/vault/templates/service-account.yaml

diff --git a/clusters/cl01tl/helm/matrix-synapse/templates/_helpers.tpl b/clusters/cl01tl/helm/matrix-synapse/templates/_helpers.tpl
index 838a01f34..3f3fc2a08 100644
--- a/clusters/cl01tl/helm/matrix-synapse/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/matrix-synapse/templates/_helpers.tpl
@@ -14,7 +14,7 @@ app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
 
 {{/*
-NFS names
+ServiceAccount names
 */}}
 {{- define "custom.serviceAccountName" -}}
 matrix-synapse
diff --git a/clusters/cl01tl/helm/talos/templates/_helpers.tpl b/clusters/cl01tl/helm/talos/templates/_helpers.tpl
index 10688fcef..fd712bb52 100644
--- a/clusters/cl01tl/helm/talos/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/talos/templates/_helpers.tpl
@@ -12,3 +12,10 @@ Selector labels
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+ServiceAccount names
+*/}}
+{{- define "custom.serviceAccountName" -}}
+talos-backup-secrets
+{{- end -}}
diff --git a/clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml b/clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml
index f3d7c0ca0..2f839bc05 100644
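Review bot: The new `custom.serviceAccountName` define in talos/templates/_helpers.tpl is documented only as `ServiceAccount names`, but the object it names in this chart is `apiVersion: talos.dev/v1alpha1, kind: ServiceAccount` (a Talos API resource, per the service-account.yaml hunk in this patch), and the same value is reused as the OpenBao `roleName` in talos/templates/secret-provider-class.yaml. A reader who takes the comment at face value may assume it names the pod's Kubernetes `v1` ServiceAccount, which nothing in this patch shows for the talos chart. I would expand the template comment to `{{/* Name of the talos.dev/v1alpha1 ServiceAccount; also used as the OpenBao kubernetes-auth roleName in secret-provider-class.yaml */}}` so the two couplings are explicit.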
--- a/clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml
+++ b/clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml
@@ -10,7 +10,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: {{ include "custom.serviceAccountName" . }}
 objects: |
 - objectName: .s3cfg
 fileName: .s3cfg
@@ -30,7 +30,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: {{ include "custom.serviceAccountName" . }}
 objects: |
 - objectName: .s3cfg
 fileName: .s3cfg
@@ -50,7 +50,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: {{ include "custom.serviceAccountName" . }}
 objects: |
 - objectName: .s3cfg
 fileName: .s3cfg
@@ -70,7 +70,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: {{ include "custom.serviceAccountName" . }}
 objects: |
 - objectName: config
 fileName: config
diff --git a/clusters/cl01tl/helm/talos/templates/service-account.yaml b/clusters/cl01tl/helm/talos/templates/service-account.yaml
index 605a45acd..1096b3700 100644
--- a/clusters/cl01tl/helm/talos/templates/service-account.yaml
+++ b/clusters/cl01tl/helm/talos/templates/service-account.yaml
@@ -1,10 +1,10 @@
 apiVersion: talos.dev/v1alpha1
 kind: ServiceAccount
 metadata:
- name: talos-backup-secrets
+ name: {{ include "custom.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 labels:
- app.kubernetes.io/name: talos-backup-secrets
+ app.kubernetes.io/name: {{ include "custom.serviceAccountName" . }}
 {{- include "custom.labels" . | nindent 4 }}
 spec:
 roles:
diff --git a/clusters/cl01tl/helm/vault/templates/_helpers.tpl b/clusters/cl01tl/helm/vault/templates/_helpers.tpl
index 10688fcef..9505d8172 100644
--- a/clusters/cl01tl/helm/vault/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/vault/templates/_helpers.tpl
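Review bot: `roleName: {{ include "custom.serviceAccountName" . }}` (all four hunks of talos/templates/secret-provider-class.yaml) now selects the OpenBao kubernetes-auth role `talos-backup-secrets`, but nothing in this chart creates that role or binds it to the Kubernetes ServiceAccount and namespace the consuming pod actually runs as, and the `roleName: slskd` it replaces suggests these SecretProviderClasses were until now authenticating under another workload's role; each SecretProviderClass object begins above its hunk. The role, its bound service account and its policy live in OpenBao outside this repo, so the rendered name should be checked against that configuration before merge — a role bound more broadly than this workload's own service account would grant these pods more than they need. The templated scalar is also left unquoted; `roleName: {{ include "custom.serviceAccountName" . | quote }}` keeps the value a string whatever the helper is later changed to, and the same applies to `name:` and `app.kubernetes.io/name:` in talos/templates/service-account.yaml.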
@@ -12,3 +12,10 @@ Selector labels
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+ServiceAccount names
+*/}}
+{{- define "custom.serviceAccountName" -}}
+vault
+{{- end -}}
diff --git a/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml b/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml
index 97627ac01..c6dd28bd9 100644
--- a/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml
+++ b/clusters/cl01tl/helm/vault/templates/secret-provider-class.yaml
@@ -10,7 +10,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: vault
 objects: |
 - objectName: .s3cfg
 fileName: .s3cfg
@@ -30,7 +30,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: vault
 objects: |
 - objectName: .s3cfg
 fileName: .s3cfg
@@ -50,7 +50,7 @@ spec:
 provider: openbao
 parameters:
 baoAddress: "http://openbao-internal.openbao:8200"
- roleName: slskd
+ roleName: vault
 objects: |
 - objectName: .s3cfg
 fileName: .s3cfg
diff --git a/clusters/cl01tl/helm/vault/templates/service-account.yaml b/clusters/cl01tl/helm/vault/templates/service-account.yaml
new file mode 100644
index 000000000..5db759b3e
--- /dev/null
+++ b/clusters/cl01tl/helm/vault/templates/service-account.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "custom.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "custom.serviceAccountName" . }}
+ {{- include "custom.labels" . | nindent 4 }}
diff --git a/clusters/cl01tl/helm/vault/values.yaml b/clusters/cl01tl/helm/vault/values.yaml
index 41cbb085d..d3957852a 100644
--- a/clusters/cl01tl/helm/vault/values.yaml
+++ b/clusters/cl01tl/helm/vault/values.yaml
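Review bot: `roleName: vault` is hard-coded in the three hunks of vault/templates/secret-provider-class.yaml even though this same commit adds a `custom.serviceAccountName` helper returning `vault` to vault/templates/_helpers.tpl and uses it in the new vault/templates/service-account.yaml, and the talos chart in this patch does render roleName from its helper; each SecretProviderClass object begins above its hunk. The name is now defined in three independent places — the helper, these three roleName lines, and `serviceAccount.name: vault` added under `snapshot:` in vault/values.yaml — so a later rename of the service account leaves the OpenBao role name behind and the SecretProviderClasses silently stop authenticating. I would render it from the helper in all three hunks: `roleName: {{ include "custom.serviceAccountName" . | quote }}`. Whether the `snapshot.serviceAccount.name` value is consumed by a template in this chart or by a dependency is not visible here, so that one may have to stay a literal, in which case a comment next to it naming the helper it must match would at least record the coupling.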
@@ -107,6 +107,8 @@ snapshot:
 schedule: 0 4 * * *
 backoffLimit: 3
 parallelism: 1
+ serviceAccount:
+ name: vault
 initContainers:
 snapshot:
 image:
-- 
2.49.1

From d4ab84ed8dc0f4ed528f84f0bb55cef0b6c8a548 Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Fri, 24 Apr 2026 11:00:21 -0500
Subject: [PATCH 2/3] fix: wrong name

---
 clusters/cl01tl/helm/roundcube/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/cl01tl/helm/roundcube/values.yaml b/clusters/cl01tl/helm/roundcube/values.yaml
index 88b25cd51..283d611a0 100644
--- a/clusters/cl01tl/helm/roundcube/values.yaml
+++ b/clusters/cl01tl/helm/roundcube/values.yaml
@@ -103,7 +103,7 @@ roundcube:
 - name: ROUNDCUBEMAIL_DES_KEY
 valueFrom:
 secretKeyRef:
- name: roundcube-key-secret
+ name: roundcube-key
 key: DES_KEY
 - name: ROUNDCUBEMAIL_DEFAULT_HOST
 value: tls://stalwart.stalwart
-- 
2.49.1

From 92a5ff487d398e5809643da05d539ad0d07c9c46 Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Fri, 24 Apr 2026 11:03:57 -0500
Subject: [PATCH 3/3] fix: wrong name

---
 clusters/cl01tl/helm/kube-prometheus-stack/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml b/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml
index f34a9f287..d7c6de96c 100644
--- a/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/values.yaml
@@ -30,7 +30,7 @@ kube-prometheus-stack:
 http_config:
 basic_auth:
 username: ntfy-alertmanager
- password_file: /etc/alertmanager/secrets/alertmanager-config-secret/ntfy_password
+ password_file: /etc/alertmanager/secrets/alertmanager-config-config/ntfy_password
 route:
 main:
 enabled: true
-- 
2.49.1
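Review bot: `name: roundcube-key` under `secretKeyRef` for `ROUNDCUBEMAIL_DES_KEY` points the container at a different Secret than the `roundcube-key-secret` it replaces, but this patch does not show where either Secret is created, so it should be confirmed that `roundcube-key` exists in the release namespace and carries a `DES_KEY` key — otherwise the pod sits in CreateContainerConfigError rather than failing loudly at render time. If the two Secrets do not hold the same value this is also an effective change of Roundcube's DES key, and data encrypted under the old value would presumably no longer decrypt; that consequence is worth stating in the commit description, which currently only says `fix: wrong name`. The surrounding env list continues outside the hunk.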
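Review bot: `password_file: /etc/alertmanager/secrets/alertmanager-config-config/ntfy_password` introduces a doubled `config-config` path segment that reads like a typo; if it is intended, the segment has to equal the name of a Secret the Alertmanager CR mounts under `/etc/alertmanager/secrets/` (in kube-prometheus-stack that list is normally `alertmanager.alertmanagerSpec.secrets`), which is outside this hunk, and Alertmanager will fail to load the ntfy receiver's `basic_auth` if the file is absent. The rendered config should be checked for the file actually existing at that path before merge. A comment next to the line would pin the coupling for the next reader: `# <name> must be listed in alertmanager.alertmanagerSpec.secrets (mounted at /etc/alertmanager/secrets/<name>)`. The receiver definition continues outside the hunk.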