From 7ac99af974d3327e2235177b2be9e65a7d99b7ba Mon Sep 17 00:00:00 2001 
From: Gabriel Simmer Date: Sat, 6 Jul 2024 00:48:36 +0100 Subject: [PATCH] Transition to Vault --- kubernetes/atuin/VaultAuth.yaml | 11 ++++ .../VaultStaticSecret-postgres-atuin.yaml | 14 +++++ .../atuin.yaml => atuin/deployment.yaml} | 0 kubernetes/atuin/kustomization.yaml | 6 ++ kubernetes/authentik/VaultAuth.yaml | 11 ++++ .../VaultStaticSecret-authentik-secrets.yaml | 14 +++++ .../VaultStaticSecret-postgres-authentik.yaml | 14 +++++ kubernetes/authentik/kustomization.yaml | 21 ++++--- kubernetes/cert-manager/VaultAuth.yaml | 11 ++++ ...VaultStaticSecret-cloudflare-cert-api.yaml | 14 +++++ kubernetes/cert-manager/kustomization.yaml | 6 ++ kubernetes/cloudflare/VaultAuth.yaml | 11 ++++ ...VaultStaticSecret-cloudflare-exporter.yaml | 14 +++++ .../VaultStaticSecret-tunnel-credentials.yaml | 14 +++++ kubernetes/cloudflare/kustomization.yaml | 32 +++++----- kubernetes/duplikate/VaultAuth.yaml | 11 ++++ .../VaultStaticSecret-duplikate.yaml | 14 +++++ kubernetes/duplikate/kustomization.yaml | 16 ++--- kubernetes/e6-gallery/VaultAuth.yaml | 11 ++++ .../e6-gallery/VaultStaticSecret-regcred.yaml | 14 +++++ .../{misc => e6-gallery}/e6-gallery.yaml | 0 kubernetes/e6-gallery/kustomization.yaml | 9 +++ kubernetes/endpoints/Endpoints-secrets.yaml | 12 ++++ kubernetes/endpoints/Ingress-secrets.yaml | 22 +++++++ kubernetes/endpoints/Service-secrets.yaml | 10 +++ kubernetes/endpoints/kustomization.yaml | 3 + kubernetes/homepage/VaultAuth.yaml | 11 ++++ .../VaultStaticSecret-homepage-config.yaml | 14 +++++ kubernetes/homepage/kustomization.yaml | 22 +++---- kubernetes/infisical/infvalues.yml | 12 ---- kubernetes/infisical/kustomization.yaml | 19 ------ kubernetes/ingress-nginx/kustomization.yaml | 16 ++--- kubernetes/irc/ConfigMap-soju-4a44ac46db.yaml | 30 --------- kubernetes/irc/Deployment-soju.yaml | 4 +- kubernetes/irc/VaultAuth.yaml | 11 ++++ .../irc/VaultStaticSecret-postgres-soju.yaml | 14 +++++ kubernetes/irc/VaultStaticSecret-soju.yaml | 14 +++++ kubernetes/irc/config.in 
| 9 +++ kubernetes/irc/kustomization.yaml | 13 +++- kubernetes/jellyseerr/VaultAuth.yaml | 11 ++++ .../VaultStaticSecret-jellyseerr.yaml | 14 +++++ kubernetes/jellyseerr/kustomization.yaml | 2 + kubernetes/kustomization.yaml | 7 ++- kubernetes/minecraft-invites/VaultAuth.yaml | 11 ++++ .../VaultStaticSecret-whitelistmanager.yaml | 14 +++++ .../minecraft-invites/kustomization.yaml | 2 + .../ConfigMap-miniflux-a4c33abb52.yaml | 22 ------- kubernetes/miniflux/Deployment-miniflux.yaml | 2 +- .../miniflux/InfisicalSecret-miniflux.yaml | 27 -------- kubernetes/miniflux/VaultAuth.yaml | 11 ++++ .../miniflux/VaultStaticSecret-miniflux.yaml | 14 +++++ kubernetes/miniflux/kustomization.yaml | 9 ++- kubernetes/miniflux/miniflux.env | 11 ++++ kubernetes/misc/kustomization.yaml | 5 -- .../kustomization.yaml | 17 +++-- .../ConfigMap-nitter-bot-5d9aefaae4.yaml | 13 ---- ...nitter-redis-configuration-4712c8e029.yaml | 45 ------------- ...figMap-nitter-redis-health-05691b979f.yaml | 63 ------------------- ...igMap-nitter-redis-scripts-a4596108c1.yaml | 24 ------- kubernetes/nitter/VaultAuth.yaml | 11 ++++ .../nitter/VaultStaticSecret-nitter-bot.yaml | 14 +++++ .../nitter/VaultStaticSecret-nitter.yaml | 14 +++++ kubernetes/nitter/kustomization.yaml | 28 ++++++--- kubernetes/piped/VaultAuth.yaml | 11 ++++ .../VaultStaticSecret-postgres-piped.yaml | 14 +++++ kubernetes/piped/kustomization.yaml | 11 +--- kubernetes/prometheus/VaultAuth.yaml | 11 ++++ .../VaultStaticSecret-nextdns-exporter.yaml | 14 +++++ ...VaultStaticSecret-nextdns-ts-exporter.yaml | 14 +++++ ...icSecret-prometheus-remote-basic-auth.yaml | 14 +++++ kubernetes/prometheus/kustomization.yaml | 16 ++--- kubernetes/redlib/kustomization.yaml | 1 + kubernetes/searxng/VaultAuth.yaml | 11 ++++ .../searxng/VaultStaticSecret-searxng.yaml | 14 +++++ kubernetes/searxng/kustomization.yaml | 29 ++++----- kubernetes/smarthome/VaultAuth.yaml | 11 ++++ .../smarthome/VaultStaticSecret-hue.yaml | 14 +++++ .../{misc => 
smarthome}/homebridge.yaml | 0 .../{misc/hue.yml => smarthome/hue.yaml} | 0 kubernetes/smarthome/kustomization.yaml | 10 +++ kubernetes/tclip/VaultAuth.yaml | 11 ++++ kubernetes/tclip/VaultStaticSecret-tclip.yaml | 14 +++++ kubernetes/tclip/kustomization.yaml | 2 + kubernetes/vault-secrets-operator/crb.yaml | 26 ++++++++ .../vault-secrets-operator/kustomization.yaml | 21 +++++++ kubernetes/vaultwarden/VaultAuth.yaml | 11 ++++ .../VaultStaticSecret-vaultwarden.yaml | 14 +++++ .../deployment.yaml} | 0 kubernetes/vaultwarden/kustomization.yaml | 6 ++ kubernetes/vrchat/VaultAuth.yaml | 11 ++++ ...taticSecret-vrchat-prometheus-adapter.yaml | 14 +++++ kubernetes/vrchat/kustomization.yaml | 1 + 92 files changed, 850 insertions(+), 371 deletions(-) create mode 100644 kubernetes/atuin/VaultAuth.yaml create mode 100644 kubernetes/atuin/VaultStaticSecret-postgres-atuin.yaml rename kubernetes/{misc/atuin.yaml => atuin/deployment.yaml} (100%) create mode 100644 kubernetes/atuin/kustomization.yaml create mode 100644 kubernetes/authentik/VaultAuth.yaml create mode 100644 kubernetes/authentik/VaultStaticSecret-authentik-secrets.yaml create mode 100644 kubernetes/authentik/VaultStaticSecret-postgres-authentik.yaml create mode 100644 kubernetes/cert-manager/VaultAuth.yaml create mode 100644 kubernetes/cert-manager/VaultStaticSecret-cloudflare-cert-api.yaml create mode 100644 kubernetes/cert-manager/kustomization.yaml create mode 100644 kubernetes/cloudflare/VaultAuth.yaml create mode 100644 kubernetes/cloudflare/VaultStaticSecret-cloudflare-exporter.yaml create mode 100644 kubernetes/cloudflare/VaultStaticSecret-tunnel-credentials.yaml create mode 100644 kubernetes/duplikate/VaultAuth.yaml create mode 100644 kubernetes/duplikate/VaultStaticSecret-duplikate.yaml create mode 100644 kubernetes/e6-gallery/VaultAuth.yaml create mode 100644 kubernetes/e6-gallery/VaultStaticSecret-regcred.yaml rename kubernetes/{misc => e6-gallery}/e6-gallery.yaml (100%) create mode 100644 
kubernetes/e6-gallery/kustomization.yaml create mode 100644 kubernetes/endpoints/Endpoints-secrets.yaml create mode 100644 kubernetes/endpoints/Ingress-secrets.yaml create mode 100644 kubernetes/endpoints/Service-secrets.yaml create mode 100644 kubernetes/homepage/VaultAuth.yaml create mode 100644 kubernetes/homepage/VaultStaticSecret-homepage-config.yaml delete mode 100644 kubernetes/infisical/infvalues.yml delete mode 100644 kubernetes/infisical/kustomization.yaml delete mode 100644 kubernetes/irc/ConfigMap-soju-4a44ac46db.yaml create mode 100644 kubernetes/irc/VaultAuth.yaml create mode 100644 kubernetes/irc/VaultStaticSecret-postgres-soju.yaml create mode 100644 kubernetes/irc/VaultStaticSecret-soju.yaml create mode 100644 kubernetes/irc/config.in create mode 100644 kubernetes/jellyseerr/VaultAuth.yaml create mode 100644 kubernetes/jellyseerr/VaultStaticSecret-jellyseerr.yaml create mode 100644 kubernetes/minecraft-invites/VaultAuth.yaml create mode 100644 kubernetes/minecraft-invites/VaultStaticSecret-whitelistmanager.yaml delete mode 100644 kubernetes/miniflux/ConfigMap-miniflux-a4c33abb52.yaml delete mode 100644 kubernetes/miniflux/InfisicalSecret-miniflux.yaml create mode 100644 kubernetes/miniflux/VaultAuth.yaml create mode 100644 kubernetes/miniflux/VaultStaticSecret-miniflux.yaml create mode 100644 kubernetes/miniflux/miniflux.env delete mode 100644 kubernetes/nitter/ConfigMap-nitter-bot-5d9aefaae4.yaml delete mode 100644 kubernetes/nitter/ConfigMap-nitter-redis-configuration-4712c8e029.yaml delete mode 100644 kubernetes/nitter/ConfigMap-nitter-redis-health-05691b979f.yaml delete mode 100644 kubernetes/nitter/ConfigMap-nitter-redis-scripts-a4596108c1.yaml create mode 100644 kubernetes/nitter/VaultAuth.yaml create mode 100644 kubernetes/nitter/VaultStaticSecret-nitter-bot.yaml create mode 100644 kubernetes/nitter/VaultStaticSecret-nitter.yaml create mode 100644 kubernetes/piped/VaultAuth.yaml create mode 100644 
kubernetes/piped/VaultStaticSecret-postgres-piped.yaml create mode 100644 kubernetes/prometheus/VaultAuth.yaml create mode 100644 kubernetes/prometheus/VaultStaticSecret-nextdns-exporter.yaml create mode 100644 kubernetes/prometheus/VaultStaticSecret-nextdns-ts-exporter.yaml create mode 100644 kubernetes/prometheus/VaultStaticSecret-prometheus-remote-basic-auth.yaml create mode 100644 kubernetes/searxng/VaultAuth.yaml create mode 100644 kubernetes/searxng/VaultStaticSecret-searxng.yaml create mode 100644 kubernetes/smarthome/VaultAuth.yaml create mode 100644 kubernetes/smarthome/VaultStaticSecret-hue.yaml rename kubernetes/{misc => smarthome}/homebridge.yaml (100%) rename kubernetes/{misc/hue.yml => smarthome/hue.yaml} (100%) create mode 100644 kubernetes/smarthome/kustomization.yaml create mode 100644 kubernetes/tclip/VaultAuth.yaml create mode 100644 kubernetes/tclip/VaultStaticSecret-tclip.yaml create mode 100644 kubernetes/vault-secrets-operator/crb.yaml create mode 100644 kubernetes/vault-secrets-operator/kustomization.yaml create mode 100644 kubernetes/vaultwarden/VaultAuth.yaml create mode 100644 kubernetes/vaultwarden/VaultStaticSecret-vaultwarden.yaml rename kubernetes/{misc/vaultwarden.yml => vaultwarden/deployment.yaml} (100%) create mode 100644 kubernetes/vaultwarden/kustomization.yaml create mode 100644 kubernetes/vrchat/VaultAuth.yaml create mode 100644 kubernetes/vrchat/VaultStaticSecret-vrchat-prometheus-adapter.yaml diff --git a/kubernetes/atuin/VaultAuth.yaml b/kubernetes/atuin/VaultAuth.yaml new file mode 100644 index 0000000..c327c02 --- /dev/null +++ b/kubernetes/atuin/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: atuin +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes 
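Review bot: `serviceAccount: default` in this VaultAuth (and in every other VaultAuth in the patch) means any pod in the namespace that auto-mounts its token — which is all of them unless `automountServiceAccountToken: false` is set — holds a credential that logs in to Vault as the shared `reader` role, not just the operator. A dedicated account per namespace, e.g. `serviceAccount: vault-auth` with a matching ServiceAccount manifest in this kustomization, keeps the Vault-capable identity off unrelated workloads. Because the same `role: reader` is used from ~20 namespaces, the Vault-side policy presumably allows reading `kv/*`; if so, atuin's default account can read authentik's or cloudflare's entries, and the policy should be templated on the caller's namespace (`kv/data/{{identity.entity.aliases.<accessor>.metadata.service_account_namespace}}/*`). The Vault role and policy are outside this repo, so this cannot be confirmed from the manifests alone.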
diff --git a/kubernetes/atuin/VaultStaticSecret-postgres-atuin.yaml b/kubernetes/atuin/VaultStaticSecret-postgres-atuin.yaml new file mode 100644 index 0000000..f0651c9 --- /dev/null +++ b/kubernetes/atuin/VaultStaticSecret-postgres-atuin.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgres-atuin + namespace: atuin +spec: + destination: + create: true + name: postgres-atuin + mount: kv + path: atuin/postgres-atuin + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/misc/atuin.yaml b/kubernetes/atuin/deployment.yaml similarity index 100% rename from kubernetes/misc/atuin.yaml rename to kubernetes/atuin/deployment.yaml diff --git a/kubernetes/atuin/kustomization.yaml b/kubernetes/atuin/kustomization.yaml new file mode 100644 index 0000000..ba68706 --- /dev/null +++ b/kubernetes/atuin/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- VaultAuth.yaml +- VaultStaticSecret-postgres-atuin.yaml +- deployment.yaml diff --git a/kubernetes/authentik/VaultAuth.yaml b/kubernetes/authentik/VaultAuth.yaml new file mode 100644 index 0000000..63c2742 --- /dev/null +++ b/kubernetes/authentik/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: authentik +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/authentik/VaultStaticSecret-authentik-secrets.yaml b/kubernetes/authentik/VaultStaticSecret-authentik-secrets.yaml new file mode 100644 index 0000000..7b081b1 --- /dev/null +++ b/kubernetes/authentik/VaultStaticSecret-authentik-secrets.yaml 
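Review bot: `refreshAfter: 30s` keeps the Kubernetes Secret in sync with Vault, but nothing here restarts the consumer when the value changes, so a rotated Postgres password lands in the Secret while the running atuin pod keeps the old `envFrom`/mounted value until it is redeployed; the same applies to every VaultStaticSecret in this patch. VSO supports this directly: add `rolloutRestartTargets: [{kind: Deployment, name: atuin}]` under `spec` (using whatever the workload in `deployment.yaml` is actually named). If rotation is never intended for these static KV entries, a 30s poll across ~25 secrets is also more load on Vault than needed and a longer interval would do.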
@@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: authentik-secrets + namespace: authentik +spec: + destination: + create: true + name: authentik-secrets + mount: kv + path: authentik/authentik-secrets + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/authentik/VaultStaticSecret-postgres-authentik.yaml b/kubernetes/authentik/VaultStaticSecret-postgres-authentik.yaml new file mode 100644 index 0000000..26cf454 --- /dev/null +++ b/kubernetes/authentik/VaultStaticSecret-postgres-authentik.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgres-authentik + namespace: authentik +spec: + destination: + create: true + name: postgres-authentik + mount: kv + path: authentik/postgres-authentik + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/authentik/kustomization.yaml b/kubernetes/authentik/kustomization.yaml index d250ee3..5524721 100644 --- a/kubernetes/authentik/kustomization.yaml +++ b/kubernetes/authentik/kustomization.yaml @@ -1,12 +1,15 @@ apiVersion: kustomize.config.k8s.io/v1beta1 +helmCharts: +- kubeVersion: '1.30' + name: authentik + namespace: authentik + releaseName: authentik + repo: https://charts.goauthentik.io + valuesFile: ./authentik.yml + version: 2024.6.0 kind: Kustomization namespace: authentik - -helmCharts: -- name: authentik - repo: https://charts.goauthentik.io - releaseName: authentik - namespace: authentik - version: 2024.6.0 - valuesFile: ./authentik.yml - kubeVersion: "1.30" +resources: +- VaultAuth.yaml +- VaultStaticSecret-postgres-authentik.yaml +- VaultStaticSecret-authentik-secrets.yaml diff --git a/kubernetes/cert-manager/VaultAuth.yaml b/kubernetes/cert-manager/VaultAuth.yaml new file mode 100644 index 0000000..5a16b75 --- /dev/null +++ b/kubernetes/cert-manager/VaultAuth.yaml 
@@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: cert-manager +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/cert-manager/VaultStaticSecret-cloudflare-cert-api.yaml b/kubernetes/cert-manager/VaultStaticSecret-cloudflare-cert-api.yaml new file mode 100644 index 0000000..adf9578 --- /dev/null +++ b/kubernetes/cert-manager/VaultStaticSecret-cloudflare-cert-api.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: cloudflare-cert-api + namespace: cert-manager +spec: + destination: + create: true + name: cloudflare-cert-api + mount: kv + path: cert-manager/cloudflare-cert-api + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/cert-manager/kustomization.yaml b/kubernetes/cert-manager/kustomization.yaml new file mode 100644 index 0000000..bbd2ea8 --- /dev/null +++ b/kubernetes/cert-manager/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: cert-manager +resources: +- VaultAuth.yaml +- VaultStaticSecret-cloudflare-cert-api.yaml diff --git a/kubernetes/cloudflare/VaultAuth.yaml b/kubernetes/cloudflare/VaultAuth.yaml new file mode 100644 index 0000000..77acc9c --- /dev/null +++ b/kubernetes/cloudflare/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: cloudflare +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/cloudflare/VaultStaticSecret-cloudflare-exporter.yaml b/kubernetes/cloudflare/VaultStaticSecret-cloudflare-exporter.yaml new file mode 100644 index 0000000..f0859bc --- /dev/null +++ b/kubernetes/cloudflare/VaultStaticSecret-cloudflare-exporter.yaml 
@@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: cloudflare-exporter + namespace: cloudflare +spec: + destination: + create: true + name: cloudflare-exporter + mount: kv + path: cloudflare/cloudflare-exporter + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/cloudflare/VaultStaticSecret-tunnel-credentials.yaml b/kubernetes/cloudflare/VaultStaticSecret-tunnel-credentials.yaml new file mode 100644 index 0000000..824e20b --- /dev/null +++ b/kubernetes/cloudflare/VaultStaticSecret-tunnel-credentials.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: tunnel-credentials + namespace: cloudflare +spec: + destination: + create: true + name: tunnel-credentials + mount: kv + path: cloudflare/tunnel-credentials + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/cloudflare/kustomization.yaml b/kubernetes/cloudflare/kustomization.yaml index d043e40..160ea4e 100644 --- a/kubernetes/cloudflare/kustomization.yaml +++ b/kubernetes/cloudflare/kustomization.yaml @@ -1,20 +1,22 @@ apiVersion: kustomize.config.k8s.io/v1beta1 +helmCharts: +- kubeVersion: '1.30' + name: cloudflare-exporter + releaseName: cloudflare-exporter + repo: https://lablabs.github.io/cloudflare-exporter + valuesInline: + image: + tag: 0.0.16 + secretRef: cloudflare-exporter + serviceMonitor: + enabled: true + labels: + release: prometheus + version: 0.2.1 kind: Kustomization namespace: cloudflare resources: - cloudflared.yml - -helmCharts: -- name: cloudflare-exporter - releaseName: cloudflare-exporter - version: 0.2.1 - repo: https://lablabs.github.io/cloudflare-exporter - valuesInline: - image: - tag: "0.0.16" - secretRef: "cloudflare-exporter" - serviceMonitor: - enabled: true - labels: - release: "prometheus" - kubeVersion: "1.30" +- VaultAuth.yaml +- VaultStaticSecret-tunnel-credentials.yaml +- VaultStaticSecret-cloudflare-exporter.yaml 
diff --git a/kubernetes/duplikate/VaultAuth.yaml b/kubernetes/duplikate/VaultAuth.yaml new file mode 100644 index 0000000..4ffd1e3 --- /dev/null +++ b/kubernetes/duplikate/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: duplikate +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/duplikate/VaultStaticSecret-duplikate.yaml b/kubernetes/duplikate/VaultStaticSecret-duplikate.yaml new file mode 100644 index 0000000..8310b41 --- /dev/null +++ b/kubernetes/duplikate/VaultStaticSecret-duplikate.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: duplikate + namespace: duplikate +spec: + destination: + create: true + name: duplikate + mount: kv + path: duplikate/duplikate + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/duplikate/kustomization.yaml b/kubernetes/duplikate/kustomization.yaml index 489ee24..9624822 100644 --- a/kubernetes/duplikate/kustomization.yaml +++ b/kubernetes/duplikate/kustomization.yaml @@ -1,20 +1,20 @@ apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: duplikate -resources: -- Deployment-duplikate.yaml -- InfisicalSecret-duplikate.yaml - helmCharts: - name: redis releaseName: duplikate-redis - version: 18.6.1 repo: https://charts.bitnami.com/bitnami valuesInline: + architecture: standalone auth: enabled: false - architecture: standalone image: registry: registry.redict.io repository: redict tag: 7.3-compat + version: 18.6.1 +kind: Kustomization +namespace: duplikate +resources: +- Deployment-duplikate.yaml +- VaultAuth.yaml +- VaultStaticSecret-duplikate.yaml diff --git a/kubernetes/e6-gallery/VaultAuth.yaml b/kubernetes/e6-gallery/VaultAuth.yaml new file mode 100644 index 0000000..c45b902 --- /dev/null +++ b/kubernetes/e6-gallery/VaultAuth.yaml 
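Review bot: The re-emitted redis values keep `auth: enabled: false`, so the `duplikate-redis` service is reachable without a password by any pod that can resolve it in the cluster; this predates the patch, but since Vault is now available the password could be a `VaultStaticSecret` and `auth.existingSecret` pointed at it. If unauthenticated Redis is a deliberate choice, a NetworkPolicy limiting ingress to the duplikate Deployment is the minimum compensating control, and a one-line comment above `auth:` saying so would stop the next reviewer from raising it again.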
@@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: e6-gallery +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/e6-gallery/VaultStaticSecret-regcred.yaml b/kubernetes/e6-gallery/VaultStaticSecret-regcred.yaml new file mode 100644 index 0000000..daa8c34 --- /dev/null +++ b/kubernetes/e6-gallery/VaultStaticSecret-regcred.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: regcred + namespace: e6-gallery +spec: + destination: + create: true + name: regcred + mount: kv + path: e6-gallery/regcred + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/misc/e6-gallery.yaml b/kubernetes/e6-gallery/e6-gallery.yaml similarity index 100% rename from kubernetes/misc/e6-gallery.yaml rename to kubernetes/e6-gallery/e6-gallery.yaml diff --git a/kubernetes/e6-gallery/kustomization.yaml b/kubernetes/e6-gallery/kustomization.yaml new file mode 100644 index 0000000..d1956fa --- /dev/null +++ b/kubernetes/e6-gallery/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: e6-gallery + +resources: +- VaultAuth.yaml +- VaultStaticSecret-regcred.yaml +- e6-gallery.yaml diff --git a/kubernetes/endpoints/Endpoints-secrets.yaml b/kubernetes/endpoints/Endpoints-secrets.yaml new file mode 100644 index 0000000..04107ad --- /dev/null +++ b/kubernetes/endpoints/Endpoints-secrets.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Endpoints +metadata: + name: secrets + namespace: endpoints +subsets: +- addresses: + - ip: 192.168.50.147 + ports: + - name: vault + port: 8200 + protocol: TCP diff --git a/kubernetes/endpoints/Ingress-secrets.yaml b/kubernetes/endpoints/Ingress-secrets.yaml new file mode 100644 index 0000000..b906db3 --- /dev/null +++ b/kubernetes/endpoints/Ingress-secrets.yaml 
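Review bot: `regcred` is the conventional name for an image pull secret, but this VaultStaticSecret will create an `Opaque` Secret, which the kubelet does not accept in `imagePullSecrets` (it requires `kubernetes.io/dockerconfigjson` or `kubernetes.io/dockercfg`). If `e6-gallery.yaml` references it that way, set `destination.type: kubernetes.io/dockerconfigjson` and make sure the KV entry at `e6-gallery/regcred` carries a `.dockerconfigjson` key (or use `transformation` to build one). Whether the Deployment uses it as a pull secret cannot be seen here since `e6-gallery.yaml` is a pure rename.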
@@ -0,0 +1,22 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/backend-protocol: HTTP + name: secrets + namespace: endpoints +spec: + rules: + - host: secrets.gmem.ca + http: + paths: + - backend: + service: + name: secrets + port: + number: 8200 + path: / + pathType: Prefix + tls: + - hosts: + - secrets.gmem.ca diff --git a/kubernetes/endpoints/Service-secrets.yaml b/kubernetes/endpoints/Service-secrets.yaml new file mode 100644 index 0000000..0175dff --- /dev/null +++ b/kubernetes/endpoints/Service-secrets.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Service +metadata: + name: secrets + namespace: endpoints +spec: + ports: + - name: secrets + port: 8200 + targetPort: 8200 diff --git a/kubernetes/endpoints/kustomization.yaml b/kubernetes/endpoints/kustomization.yaml index 3d133c6..5a69570 100644 --- a/kubernetes/endpoints/kustomization.yaml +++ b/kubernetes/endpoints/kustomization.yaml @@ -16,3 +16,6 @@ resources: - Ingress-ibiza.yaml - Ingress-proxmox.yaml - Ingress-tokyo.yaml +- Endpoints-secrets.yaml +- Ingress-secrets.yaml +- Service-secrets.yaml diff --git a/kubernetes/homepage/VaultAuth.yaml b/kubernetes/homepage/VaultAuth.yaml new file mode 100644 index 0000000..0074dee --- /dev/null +++ b/kubernetes/homepage/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: homepage +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/homepage/VaultStaticSecret-homepage-config.yaml b/kubernetes/homepage/VaultStaticSecret-homepage-config.yaml new file mode 100644 index 0000000..a3bf8f3 --- /dev/null +++ b/kubernetes/homepage/VaultStaticSecret-homepage-config.yaml 
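Review bot: `nginx.ingress.kubernetes.io/backend-protocol: HTTP` means the hop from the ingress controller to the Vault listener at 192.168.50.147:8200 (the Endpoints object in this patch) is plaintext, so every Vault token and every secret the operator reads crosses the LAN unencrypted; Vault's listener should have TLS enabled and the annotation switched to `backend-protocol: HTTPS`, ideally with `proxy-ssl-verify` against the internal CA. The `tls` block lists `secrets.gmem.ca` but no `secretName`, so unless a default certificate or an ingress-wide cert-manager annotation is configured elsewhere, nginx will serve its fake self-signed certificate for this host. It is also worth asking whether the Vault API needs to be on the public ingress at all — the operator could use an in-cluster `VaultConnection` address — and if it must, restricting it with `nginx.ingress.kubernetes.io/whitelist-source-range` limits who can brute-force the login endpoints.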
@@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: homepage-config + namespace: homepage +spec: + destination: + create: true + name: homepage-config + mount: kv + path: homepage/homepage-config + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/homepage/kustomization.yaml b/kubernetes/homepage/kustomization.yaml index 43eb6e6..df1a817 100644 --- a/kubernetes/homepage/kustomization.yaml +++ b/kubernetes/homepage/kustomization.yaml @@ -1,16 +1,16 @@ apiVersion: kustomize.config.k8s.io/v1beta1 +helmCharts: +- kubeVersion: '1.30' + name: homepage + namespace: homepage + releaseName: homepage + repo: https://jameswynn.github.io/helm-charts + valuesFile: ./homepage.yaml + version: 1.2.3 kind: Kustomization - namespace: homepage - patches: - path: ./deployment.yaml - -helmCharts: -- name: homepage - repo: https://jameswynn.github.io/helm-charts - releaseName: homepage - namespace: homepage - version: 1.2.3 - kubeVersion: "1.30" - valuesFile: ./homepage.yaml +resources: +- ./VaultStaticSecret-homepage-config.yaml +- ./VaultAuth.yaml diff --git a/kubernetes/infisical/infvalues.yml b/kubernetes/infisical/infvalues.yml deleted file mode 100644 index 83516ee..0000000 --- a/kubernetes/infisical/infvalues.yml +++ /dev/null @@ -1,12 +0,0 @@ -infisical: - fullnameOverride: infisical - image: - tag: v0.70.1-postgres -ingress: - enabled: true - hostName: secrets.gmem.ca - tls: - - hosts: - - secrets.gmem.ca -postgresql: - enabled: false diff --git a/kubernetes/infisical/kustomization.yaml b/kubernetes/infisical/kustomization.yaml deleted file mode 100644 index 3aaebc8..0000000 --- a/kubernetes/infisical/kustomization.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namespace: infisical - -helmCharts: -- name: infisical-standalone - repo: https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts - releaseName: infisical - namespace: infisical - version: 1.0.8 - valuesFile: ./infvalues.yml - kubeVersion: "1.30" -- name: secrets-operator - repo: https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts - releaseName: secrets-operator-1718466666 - namespace: infisical - version: 0.6.2 - kubeVersion: "1.30" diff --git a/kubernetes/ingress-nginx/kustomization.yaml b/kubernetes/ingress-nginx/kustomization.yaml index 1c83b5f..6f9b638 100644 --- a/kubernetes/ingress-nginx/kustomization.yaml +++ b/kubernetes/ingress-nginx/kustomization.yaml @@ -1,12 +1,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1 +helmCharts: +- kubeVersion: '1.30' + name: ingress-nginx + namespace: ingress-nginx + releaseName: ingress-nginx + repo: https://kubernetes.github.io/ingress-nginx + valuesFile: ./nginx.yaml + version: 4.10.1 kind: Kustomization namespace: ingress-nginx -helmCharts: -- name: ingress-nginx - repo: https://kubernetes.github.io/ingress-nginx - releaseName: ingress-nginx - namespace: ingress-nginx - version: 4.10.1 - valuesFile: ./nginx.yaml - kubeVersion: "1.30" diff --git a/kubernetes/irc/ConfigMap-soju-4a44ac46db.yaml b/kubernetes/irc/ConfigMap-soju-4a44ac46db.yaml deleted file mode 100644 index c46968e..0000000 --- a/kubernetes/irc/ConfigMap-soju-4a44ac46db.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: v1 -data: - config: 'listen ircs:// - - listen unix+admin:///app/admin - - listen ws+insecure:// - - listen http+prometheus://localhost:9090 - - hostname irc.gmem.ca - - title irc.gmem.ca - - db postgres "dbname=soju" - - message-store db - - tls /ssl/tls.crt /ssl/tls.key - - ' -kind: ConfigMap -metadata: - annotations: - kubenix/k8s-version: '1.30' - kubenix/project-name: kubenix - labels: - kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f - name: soju-4a44ac46db - namespace: irc diff --git a/kubernetes/irc/Deployment-soju.yaml b/kubernetes/irc/Deployment-soju.yaml index b96eeca..1d7b701 100644 --- a/kubernetes/irc/Deployment-soju.yaml +++ b/kubernetes/irc/Deployment-soju.yaml @@ -47,12 +47,12 @@ spec: volumeMounts: - mountPath: /etc/soju/config name: config - subPath: config + subPath: config.in - mountPath: /ssl name: ssl volumes: - configMap: - name: soju-4a44ac46db + name: soju name: config - name: ssl secret: diff --git a/kubernetes/irc/VaultAuth.yaml b/kubernetes/irc/VaultAuth.yaml new file mode 100644 index 0000000..01e35f4 --- /dev/null +++ b/kubernetes/irc/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: irc +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/irc/VaultStaticSecret-postgres-soju.yaml b/kubernetes/irc/VaultStaticSecret-postgres-soju.yaml new file mode 100644 index 0000000..31f15b7 --- /dev/null +++ b/kubernetes/irc/VaultStaticSecret-postgres-soju.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgres-soju + namespace: irc +spec: + destination: + create: true + name: postgres-soju + mount: kv + path: irc/postgres-soju + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault 
diff --git a/kubernetes/irc/VaultStaticSecret-soju.yaml b/kubernetes/irc/VaultStaticSecret-soju.yaml new file mode 100644 index 0000000..2d764f5 --- /dev/null +++ b/kubernetes/irc/VaultStaticSecret-soju.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: soju + namespace: irc +spec: + destination: + create: true + name: soju + mount: kv + path: irc/soju + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/irc/config.in b/kubernetes/irc/config.in new file mode 100644 index 0000000..0bbfbd3 --- /dev/null +++ b/kubernetes/irc/config.in @@ -0,0 +1,9 @@ +listen ircs:// +listen unix+admin:///app/admin +listen ws+insecure:// +listen http+prometheus://localhost:9090 +hostname irc.gmem.ca +title irc.gmem.ca +db postgres "dbname=soju" +message-store db +tls /ssl/tls.crt /ssl/tls.key \ No newline at end of file diff --git a/kubernetes/irc/kustomization.yaml b/kubernetes/irc/kustomization.yaml index 589c66f..249ecca 100644 --- a/kubernetes/irc/kustomization.yaml +++ b/kubernetes/irc/kustomization.yaml @@ -1,10 +1,21 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization + +namespace: irc + resources: -- ConfigMap-soju-4a44ac46db.yaml - Deployment-gamja.yaml - Deployment-soju.yaml - Service-gamja.yaml - Service-soju.yaml - Service-soju-ws.yaml - Ingress-irc.yaml +- irc-cert.yml +- VaultAuth.yaml +- VaultStaticSecret-postgres-soju.yaml +- VaultStaticSecret-soju.yaml + +configMapGenerator: + - name: soju + files: + - config.in diff --git a/kubernetes/jellyseerr/VaultAuth.yaml b/kubernetes/jellyseerr/VaultAuth.yaml new file mode 100644 index 0000000..c48ae48 --- /dev/null +++ b/kubernetes/jellyseerr/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: jellyseerr +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes 
diff --git a/kubernetes/jellyseerr/VaultStaticSecret-jellyseerr.yaml b/kubernetes/jellyseerr/VaultStaticSecret-jellyseerr.yaml new file mode 100644 index 0000000..465397a --- /dev/null +++ b/kubernetes/jellyseerr/VaultStaticSecret-jellyseerr.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: jellyseerr + namespace: jellyseerr +spec: + destination: + create: true + name: jellyseerr + mount: kv + path: jellyseerr/jellyseerr + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/jellyseerr/kustomization.yaml b/kubernetes/jellyseerr/kustomization.yaml index 1a00ea5..17c4030 100644 --- a/kubernetes/jellyseerr/kustomization.yaml +++ b/kubernetes/jellyseerr/kustomization.yaml @@ -4,3 +4,5 @@ resources: - Deployment-jellyseerr.yaml - Service-jellyseerr.yaml - Ingress-jellyseerr.yaml +- VaultAuth.yaml +- VaultStaticSecret-jellyseerr.yaml diff --git a/kubernetes/kustomization.yaml b/kubernetes/kustomization.yaml index be34c0f..49d1016 100644 --- a/kubernetes/kustomization.yaml +++ b/kubernetes/kustomization.yaml @@ -1,7 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization - resources: +- atuin +- authentik - duplikate - miniflux - nitter @@ -20,6 +21,8 @@ resources: - endpoints - ingress-nginx - homepage -- infisical - nfs-subdir-external-provisioner - misc +- vault-secrets-operator +- vaultwarden +- smarthome diff --git a/kubernetes/minecraft-invites/VaultAuth.yaml b/kubernetes/minecraft-invites/VaultAuth.yaml new file mode 100644 index 0000000..09fdf62 --- /dev/null +++ b/kubernetes/minecraft-invites/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: minecraft-invites +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes 
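Review bot: Removing `- infisical` from the root kustomization does not remove the deployed Infisical server, secrets-operator, or its CRDs — `kubectl apply -k` without `--prune` leaves them running with the identity they already hold, so the old secret store stays live alongside Vault until deleted by hand; a note in the commit message or an explicit cleanup step would make the cutover auditable. Separately, `- vault-secrets-operator` is appended after the application directories that now carry VaultAuth/VaultStaticSecret objects; kustomize orders CustomResourceDefinitions ahead of custom resources, but on a fresh cluster the first apply can still fail with `no matches for kind "VaultAuth"` while the API server is still registering the CRD, so applying `vault-secrets-operator` as a separate first step (or documenting the expected retry) avoids a confusing bootstrap failure.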
diff --git a/kubernetes/minecraft-invites/VaultStaticSecret-whitelistmanager.yaml b/kubernetes/minecraft-invites/VaultStaticSecret-whitelistmanager.yaml new file mode 100644 index 0000000..0545df1 --- /dev/null +++ b/kubernetes/minecraft-invites/VaultStaticSecret-whitelistmanager.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: whitelistmanager + namespace: minecraft-invites +spec: + destination: + create: true + name: whitelistmanager + mount: kv + path: whitelistmanager/whitelistmanager + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/minecraft-invites/kustomization.yaml b/kubernetes/minecraft-invites/kustomization.yaml index 32d4b59..7b293a3 100644 --- a/kubernetes/minecraft-invites/kustomization.yaml +++ b/kubernetes/minecraft-invites/kustomization.yaml @@ -6,3 +6,5 @@ resources: - Service-whitelistmanager.yaml - Service-whitelistmanager-frontend.yaml - Ingress-whitelistmanager.yaml +- VaultAuth.yaml +- VaultStaticSecret-whitelistmanager.yaml diff --git a/kubernetes/miniflux/ConfigMap-miniflux-a4c33abb52.yaml b/kubernetes/miniflux/ConfigMap-miniflux-a4c33abb52.yaml deleted file mode 100644 index bed32ff..0000000 --- a/kubernetes/miniflux/ConfigMap-miniflux-a4c33abb52.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v1 -data: - BASE_URL: https://rss.gmem.ca/ - CLEANUP_ARCHIVE_UNREAD_DAYS: '60' - CREATE_ADMIN: '1' - METRICS_ALLOWED_NETWORKS: 0.0.0.0/0 - METRICS_COLLECTOR: '1' - OAUTH2_OIDC_DISCOVERY_ENDPOINT: https://authentik.gmem.ca/application/o/miniflux/ - OAUTH2_PROVIDER: oidc - OAUTH2_REDIRECT_URL: https://rss.gmem.ca/oauth2/oidc/callback - OAUTH2_USER_CREATION: '1' - RUN_MIGRATIONS: '1' - YOUTUBE_EMBED_URL_OVERRIDE: https://piped.gmem.ca/embed/ -kind: ConfigMap -metadata: - annotations: - kubenix/k8s-version: '1.30' - kubenix/project-name: kubenix - labels: - kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f - name: miniflux-a4c33abb52 - namespace: miniflux 
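Review bot: `path: whitelistmanager/whitelistmanager` departs from the `<namespace>/<name>` layout every other VaultStaticSecret in this commit follows (`irc/soju`, `jellyseerr/jellyseerr`, `nitter/nitter-bot`, `piped/postgres-piped`); for this namespace that would be `path: minecraft-invites/whitelistmanager`. If Vault policies are ever scoped by namespace prefix this entry would fall outside the minecraft-invites policy, and as written a reader has to know about the exception. If the KV location is deliberately different, a comment above `path:` saying so would stop the next person from "fixing" it.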
diff --git a/kubernetes/miniflux/Deployment-miniflux.yaml b/kubernetes/miniflux/Deployment-miniflux.yaml index 137d194..f661fa6 100644 --- a/kubernetes/miniflux/Deployment-miniflux.yaml +++ b/kubernetes/miniflux/Deployment-miniflux.yaml @@ -22,7 +22,7 @@ spec: - secretRef: name: miniflux - configMapRef: - name: miniflux-a4c33abb52 + name: miniflux image: docker.io/miniflux/miniflux name: miniflux ports: diff --git a/kubernetes/miniflux/InfisicalSecret-miniflux.yaml b/kubernetes/miniflux/InfisicalSecret-miniflux.yaml deleted file mode 100644 index 7a1f0f0..0000000 --- a/kubernetes/miniflux/InfisicalSecret-miniflux.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: secrets.infisical.com/v1alpha1 -kind: InfisicalSecret -metadata: - annotations: - kubenix/k8s-version: '1.30' - kubenix/project-name: kubenix - labels: - kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f - name: miniflux - namespace: miniflux -spec: - authentication: - kubernetesAuth: - identityId: 68d1f432-7b0a-4e4a-b439-acbbbc160f1e - secretsScope: - envSlug: prod - projectSlug: kubernetes-homelab-dp67 - secretsPath: /miniflux - serviceAccountRef: - name: infisical-auth - namespace: infisical - hostAPI: http://infisical:8080 - managedSecretReference: - creationPolicy: Owner - secretName: miniflux - secretNamespace: miniflux - resyncInterval: 10 diff --git a/kubernetes/miniflux/VaultAuth.yaml b/kubernetes/miniflux/VaultAuth.yaml new file mode 100644 index 0000000..cd29a80 --- /dev/null +++ b/kubernetes/miniflux/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: miniflux +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/miniflux/VaultStaticSecret-miniflux.yaml b/kubernetes/miniflux/VaultStaticSecret-miniflux.yaml new file mode 100644 index 0000000..ee42f48 --- /dev/null +++ b/kubernetes/miniflux/VaultStaticSecret-miniflux.yaml 
@@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: miniflux + namespace: miniflux +spec: + destination: + create: true + name: miniflux + mount: kv + path: miniflux/miniflux + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/miniflux/kustomization.yaml b/kubernetes/miniflux/kustomization.yaml index 5926fe9..948baae 100644 --- a/kubernetes/miniflux/kustomization.yaml +++ b/kubernetes/miniflux/kustomization.yaml @@ -1,9 +1,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ConfigMap-miniflux-a4c33abb52.yaml - Deployment-miniflux.yaml - Service-miniflux.yaml - ServiceMonitor-miniflux.yaml - Ingress-miniflux.yaml -- InfisicalSecret-miniflux.yaml +- VaultAuth.yaml +- VaultStaticSecret-miniflux.yaml + +configMapGenerator: +- name: miniflux + envs: + - miniflux.env diff --git a/kubernetes/miniflux/miniflux.env b/kubernetes/miniflux/miniflux.env new file mode 100644 index 0000000..9bafbb5 --- /dev/null +++ b/kubernetes/miniflux/miniflux.env @@ -0,0 +1,11 @@ +BASE_URL=https://rss.gmem.ca/ +CLEANUP_ARCHIVE_UNREAD_DAYS=60 +CREATE_ADMIN=1 +METRICS_ALLOWED_NETWORKS=0.0.0.0/0 +METRICS_COLLECTOR=1 +OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.gmem.ca/application/o/miniflux/ +OAUTH2_PROVIDER=oidc +OAUTH2_REDIRECT_URL=https://rss.gmem.ca/oauth2/oidc/callback +OAUTH2_USER_CREATION=1 +RUN_MIGRATIONS=1 +YOUTUBE_EMBED_URL_OVERRIDE=https://piped.gmem.ca/embed/ diff --git a/kubernetes/misc/kustomization.yaml b/kubernetes/misc/kustomization.yaml index 02934c1..baf5e98 100644 --- a/kubernetes/misc/kustomization.yaml +++ b/kubernetes/misc/kustomization.yaml @@ -1,12 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization - resources: -- atuin.yaml -- e6-gallery.yaml -- hue.yml - issuer.yml - nginx-podmonitor.yml - ntfy.yaml - tools.yml -- vaultwarden.yml 
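Review bot: `METRICS_ALLOWED_NETWORKS=0.0.0.0/0` in miniflux.env, combined with the Ingress for rss.gmem.ca that this kustomization still ships (presumably public, given `BASE_URL`), lets any client fetch `/metrics` unauthenticated; the value is carried over from the deleted ConfigMap rather than introduced here, but moving it into a plain env file is a good moment to tighten it. Restrict it to the scraper's range — the cluster pod CIDR or the prometheus namespace's addresses, e.g. `METRICS_ALLOWED_NETWORKS=10.0.0.0/8` with the real CIDR substituted — or, if this miniflux version supports them, protect the endpoint with `METRICS_USERNAME`/`METRICS_PASSWORD`. `CREATE_ADMIN=1` and `OAUTH2_USER_CREATION=1` also deserve a comment noting that admin credentials are expected from the `miniflux` Secret and that any identity authentik issues for the miniflux application gets a local account.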
diff --git a/kubernetes/nfs-subdir-external-provisioner/kustomization.yaml b/kubernetes/nfs-subdir-external-provisioner/kustomization.yaml index b28fc25..60b90fd 100644 --- a/kubernetes/nfs-subdir-external-provisioner/kustomization.yaml +++ b/kubernetes/nfs-subdir-external-provisioner/kustomization.yaml @@ -1,12 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 +helmCharts: +- kubeVersion: '1.30' + name: nfs-subdir-external-provisioner + namespace: nfs-subdir-external-provisioner + releaseName: nfs-subdir-external-provisioner + repo: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/ + valuesFile: ./nfs-provisioner-values.yml + version: 4.0.18 kind: Kustomization namespace: nfs-subdir-external-provisioner - -helmCharts: -- name: nfs-subdir-external-provisioner - repo: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/ - releaseName: nfs-subdir-external-provisioner - namespace: nfs-subdir-external-provisioner - version: 4.0.18 - valuesFile: ./nfs-provisioner-values.yml - kubeVersion: "1.30" diff --git a/kubernetes/nitter/ConfigMap-nitter-bot-5d9aefaae4.yaml b/kubernetes/nitter/ConfigMap-nitter-bot-5d9aefaae4.yaml deleted file mode 100644 index 66ba5ef..0000000 --- a/kubernetes/nitter/ConfigMap-nitter-bot-5d9aefaae4.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -data: - NITTER_EXTERNAL_URL: https://nitter.gmem.ca - NITTER_URL: http://nitter:8080 -kind: ConfigMap -metadata: - annotations: - kubenix/k8s-version: '1.30' - kubenix/project-name: kubenix - labels: - kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f - name: nitter-bot-5d9aefaae4 - namespace: nitter diff --git a/kubernetes/nitter/ConfigMap-nitter-redis-configuration-4712c8e029.yaml b/kubernetes/nitter/ConfigMap-nitter-redis-configuration-4712c8e029.yaml deleted file mode 100644 index 5126256..0000000 --- a/kubernetes/nitter/ConfigMap-nitter-redis-configuration-4712c8e029.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -apiVersion: v1 -data: - master.conf: 'dir /data - - # User-supplied master configuration: - - rename-command FLUSHDB "" - - rename-command FLUSHALL "" - - # End of master configuration' - redis.conf: '# User-supplied common configuration: - - # Enable AOF https://redis.io/topics/persistence#append-only-file - - appendonly yes - - # Disable RDB persistence, AOF persistence already enabled. - - save "" - - # End of common configuration' - replica.conf: 'dir /data - - # User-supplied replica configuration: - - rename-command FLUSHDB "" - - rename-command FLUSHALL "" - - # End of replica configuration' -kind: ConfigMap -metadata: - annotations: - kubenix/k8s-version: '1.30' - kubenix/project-name: kubenix - labels: - app.kubernetes.io/instance: nitter-redis - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.3 - helm.sh/chart: redis-18.6.1 - kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f - name: nitter-redis-configuration-4712c8e029 - namespace: nitter diff --git a/kubernetes/nitter/ConfigMap-nitter-redis-health-05691b979f.yaml b/kubernetes/nitter/ConfigMap-nitter-redis-health-05691b979f.yaml deleted file mode 100644 index 00e102f..0000000 --- a/kubernetes/nitter/ConfigMap-nitter-redis-health-05691b979f.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -apiVersion: v1 -data: - ping_liveness_local.sh: "#!/bin/bash\n\n[[ -f $REDIS_PASSWORD_FILE ]] && export\ - \ REDIS_PASSWORD=\"$(< \"${REDIS_PASSWORD_FILE}\")\"\n[[ -n \"$REDIS_PASSWORD\"\ - \ ]] && export REDISCLI_AUTH=\"$REDIS_PASSWORD\"\nresponse=$(\n timeout -s 15\ - \ $1 \\\n redis-cli \\\n -h localhost \\\n -p $REDIS_PORT \\\n ping\n\ - )\nif [ \"$?\" -eq \"124\" ]; then\n echo \"Timed out\"\n exit 1\nfi\nresponseFirstWord=$(echo\ - \ $response | head -n1 | awk '{print $1;}')\nif [ \"$response\" != \"PONG\" ]\ - \ && [ \"$responseFirstWord\" != \"LOADING\" ] && [ \"$responseFirstWord\" !=\ - \ \"MASTERDOWN\" ]; then\n echo \"$response\"\n exit 1\nfi" - ping_liveness_local_and_master.sh: 'script_dir="$(dirname "$0")" - - exit_status=0 - - "$script_dir/ping_liveness_local.sh" $1 || exit_status=$? - - "$script_dir/ping_liveness_master.sh" $1 || exit_status=$? - - exit $exit_status' - ping_liveness_master.sh: "#!/bin/bash\n\n[[ -f $REDIS_MASTER_PASSWORD_FILE ]] &&\ - \ export REDIS_MASTER_PASSWORD=\"$(< \"${REDIS_MASTER_PASSWORD_FILE}\")\"\n[[\ - \ -n \"$REDIS_MASTER_PASSWORD\" ]] && export REDISCLI_AUTH=\"$REDIS_MASTER_PASSWORD\"\ - \nresponse=$(\n timeout -s 15 $1 \\\n redis-cli \\\n -h $REDIS_MASTER_HOST\ - \ \\\n -p $REDIS_MASTER_PORT_NUMBER \\\n ping\n)\nif [ \"$?\" -eq \"124\"\ - \ ]; then\n echo \"Timed out\"\n exit 1\nfi\nresponseFirstWord=$(echo $response\ - \ | head -n1 | awk '{print $1;}')\nif [ \"$response\" != \"PONG\" ] && [ \"$responseFirstWord\"\ - \ != \"LOADING\" ]; then\n echo \"$response\"\n exit 1\nfi" - ping_readiness_local.sh: "#!/bin/bash\n\n[[ -f $REDIS_PASSWORD_FILE ]] && export\ - \ REDIS_PASSWORD=\"$(< \"${REDIS_PASSWORD_FILE}\")\"\n[[ -n \"$REDIS_PASSWORD\"\ - \ ]] && export REDISCLI_AUTH=\"$REDIS_PASSWORD\"\nresponse=$(\n timeout -s 15\ - \ $1 \\\n redis-cli \\\n -h localhost \\\n -p $REDIS_PORT \\\n ping\n\ - )\nif [ \"$?\" -eq \"124\" ]; then\n echo \"Timed out\"\n exit 1\nfi\nif [ \"\ - $response\" != \"PONG\" ]; 
then\n echo \"$response\"\n exit 1\nfi" - ping_readiness_local_and_master.sh: 'script_dir="$(dirname "$0")" - - exit_status=0 - - "$script_dir/ping_readiness_local.sh" $1 || exit_status=$? - - "$script_dir/ping_readiness_master.sh" $1 || exit_status=$? - - exit $exit_status' - ping_readiness_master.sh: "#!/bin/bash\n\n[[ -f $REDIS_MASTER_PASSWORD_FILE ]] &&\ - \ export REDIS_MASTER_PASSWORD=\"$(< \"${REDIS_MASTER_PASSWORD_FILE}\")\"\n[[\ - \ -n \"$REDIS_MASTER_PASSWORD\" ]] && export REDISCLI_AUTH=\"$REDIS_MASTER_PASSWORD\"\ - \nresponse=$(\n timeout -s 15 $1 \\\n redis-cli \\\n -h $REDIS_MASTER_HOST\ - \ \\\n -p $REDIS_MASTER_PORT_NUMBER \\\n ping\n)\nif [ \"$?\" -eq \"124\"\ - \ ]; then\n echo \"Timed out\"\n exit 1\nfi\nif [ \"$response\" != \"PONG\"\ - \ ]; then\n echo \"$response\"\n exit 1\nfi" -kind: ConfigMap -metadata: - annotations: - kubenix/k8s-version: '1.30' - kubenix/project-name: kubenix - labels: - app.kubernetes.io/instance: nitter-redis - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.3 - helm.sh/chart: redis-18.6.1 - kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f - name: nitter-redis-health-05691b979f - namespace: nitter diff --git a/kubernetes/nitter/ConfigMap-nitter-redis-scripts-a4596108c1.yaml b/kubernetes/nitter/ConfigMap-nitter-redis-scripts-a4596108c1.yaml deleted file mode 100644 index 66aedae..0000000 --- a/kubernetes/nitter/ConfigMap-nitter-redis-scripts-a4596108c1.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: v1 -data: - start-master.sh: "#!/bin/bash\n\n[[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD=\"\ - $(< \"${REDIS_PASSWORD_FILE}\")\"\nif [[ -f /opt/bitnami/redis/mounted-etc/master.conf\ - \ ]];then\n cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf\n\ - fi\nif [[ -f /opt/bitnami/redis/mounted-etc/redis.conf ]];then\n cp /opt/bitnami/redis/mounted-etc/redis.conf\ - \ /opt/bitnami/redis/etc/redis.conf\nfi\nARGS=(\"--port\" \"${REDIS_PORT}\")\n\ - ARGS+=(\"--protected-mode\" \"no\")\nARGS+=(\"--include\" \"/opt/bitnami/redis/etc/redis.conf\"\ - )\nARGS+=(\"--include\" \"/opt/bitnami/redis/etc/master.conf\")\nexec redis-server\ - \ \"${ARGS[@]}\"\n" -kind: ConfigMap -metadata: - annotations: - kubenix/k8s-version: '1.30' - kubenix/project-name: kubenix - labels: - app.kubernetes.io/instance: nitter-redis - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.3 - helm.sh/chart: redis-18.6.1 - kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f - name: nitter-redis-scripts-a4596108c1 - namespace: nitter diff --git a/kubernetes/nitter/VaultAuth.yaml b/kubernetes/nitter/VaultAuth.yaml new file mode 100644 index 0000000..9b7df79 --- /dev/null +++ b/kubernetes/nitter/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: nitter +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/nitter/VaultStaticSecret-nitter-bot.yaml b/kubernetes/nitter/VaultStaticSecret-nitter-bot.yaml new file mode 100644 index 0000000..9fbae3c --- /dev/null +++ b/kubernetes/nitter/VaultStaticSecret-nitter-bot.yaml 
@@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: nitter-bot + namespace: nitter +spec: + destination: + create: true + name: nitter-bot + mount: kv + path: nitter/nitter-bot + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/nitter/VaultStaticSecret-nitter.yaml b/kubernetes/nitter/VaultStaticSecret-nitter.yaml new file mode 100644 index 0000000..ad11837 --- /dev/null +++ b/kubernetes/nitter/VaultStaticSecret-nitter.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: nitter + namespace: nitter +spec: + destination: + create: true + name: nitter + mount: kv + path: nitter/nitter + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/nitter/kustomization.yaml b/kubernetes/nitter/kustomization.yaml index f603864..71eb848 100644 --- a/kubernetes/nitter/kustomization.yaml +++ b/kubernetes/nitter/kustomization.yaml @@ -1,15 +1,27 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization + +namespace: nitter + resources: -- ConfigMap-nitter-bot-5d9aefaae4.yaml -- ConfigMap-nitter-redis-configuration-4712c8e029.yaml -- ConfigMap-nitter-redis-health-05691b979f.yaml -- ConfigMap-nitter-redis-scripts-a4596108c1.yaml - Deployment-nitter.yaml - StatefulSet-nitter-bot.yaml -- StatefulSet-nitter-redis-master.yaml - Service-nitter.yaml -- Service-nitter-redis-headless.yaml -- Service-nitter-redis-master.yaml -- ServiceAccount-nitter-redis.yaml - Ingress-nitter.yaml +- VaultAuth.yaml +- VaultStaticSecret-nitter-bot.yaml +- VaultStaticSecret-nitter.yaml + +helmCharts: +- name: redis + releaseName: nitter-redis + repo: https://charts.bitnami.com/bitnami + valuesInline: + architecture: standalone + auth: + enabled: false + image: + registry: registry.redict.io + repository: redict + tag: 7.3-compat + version: 18.6.1 
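Review bot: The bitnami redis chart is rendered with `auth.enabled: false`, so `nitter-redis` accepts unauthenticated commands from any pod that can reach its Service, and the chart's start script runs redis with protected mode off (the deleted start-master.sh shows `--protected-mode no`), so nothing on the Redis side limits who connects. Unless a NetworkPolicy restricting ingress to the nitter pods exists outside this diff, enable auth with a password delivered by another VaultStaticSecret (`auth: {enabled: true, existingSecret: nitter-redis, existingSecretPasswordKey: password}`) or add that policy. `tag: 7.3-compat` on `registry.redict.io` is a floating tag, so the image can change underneath the pinned chart version; pinning by digest would make this deployment reproducible.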
diff --git a/kubernetes/piped/VaultAuth.yaml b/kubernetes/piped/VaultAuth.yaml new file mode 100644 index 0000000..65d1302 --- /dev/null +++ b/kubernetes/piped/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: piped +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/piped/VaultStaticSecret-postgres-piped.yaml b/kubernetes/piped/VaultStaticSecret-postgres-piped.yaml new file mode 100644 index 0000000..5a7f90d --- /dev/null +++ b/kubernetes/piped/VaultStaticSecret-postgres-piped.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgres-piped + namespace: piped +spec: + destination: + create: true + name: postgres-piped + mount: kv + path: piped/postgres-piped + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/piped/kustomization.yaml b/kubernetes/piped/kustomization.yaml index f689ea7..b3bb781 100644 --- a/kubernetes/piped/kustomization.yaml +++ b/kubernetes/piped/kustomization.yaml @@ -3,12 +3,5 @@ kind: Kustomization namespace: piped resources: - CronJob-piped-refresh.yaml - -# Requires a server-side Helm render and apply. -# helmCharts: -# - name: piped -# releaseName: piped -# version: 5.2.0 -# repo: https://helm.piped.video -# valuesFile: ./helm.yaml -# kubeVersion: "1.30" +- VaultAuth.yaml +- VaultStaticSecret-postgres-piped.yaml diff --git a/kubernetes/prometheus/VaultAuth.yaml b/kubernetes/prometheus/VaultAuth.yaml new file mode 100644 index 0000000..1fd137b --- /dev/null +++ b/kubernetes/prometheus/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: prometheus +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes 
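Review bot: Deleting the commented `helmCharts` block removes the only record in this directory that piped itself comes from a server-side render of the 5.2.0 chart at https://helm.piped.video and is not produced by this kustomization; someone running `kustomize build` here now gets a CronJob plus Vault objects with no hint where the application lives. Keep a one-line comment in its place: `# piped (chart piped 5.2.0, https://helm.piped.video, values in helm.yaml) is rendered and applied server-side; only the refresh CronJob and Vault wiring live here.` The equivalent note for kube-prometheus-stack is dropped from the prometheus kustomization in this commit as well and would benefit from the same treatment.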
diff --git a/kubernetes/prometheus/VaultStaticSecret-nextdns-exporter.yaml b/kubernetes/prometheus/VaultStaticSecret-nextdns-exporter.yaml new file mode 100644 index 0000000..67afd55 --- /dev/null +++ b/kubernetes/prometheus/VaultStaticSecret-nextdns-exporter.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: nextdns-exporter + namespace: prometheus +spec: + destination: + create: true + name: nextdns-exporter + mount: kv + path: prometheus/nextdns-exporter + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/prometheus/VaultStaticSecret-nextdns-ts-exporter.yaml b/kubernetes/prometheus/VaultStaticSecret-nextdns-ts-exporter.yaml new file mode 100644 index 0000000..bc50b6a --- /dev/null +++ b/kubernetes/prometheus/VaultStaticSecret-nextdns-ts-exporter.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: nextdns-ts-exporter + namespace: prometheus +spec: + destination: + create: true + name: nextdns-ts-exporter + mount: kv + path: prometheus/nextdns-ts-exporter + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/prometheus/VaultStaticSecret-prometheus-remote-basic-auth.yaml b/kubernetes/prometheus/VaultStaticSecret-prometheus-remote-basic-auth.yaml new file mode 100644 index 0000000..f782040 --- /dev/null +++ b/kubernetes/prometheus/VaultStaticSecret-prometheus-remote-basic-auth.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: prometheus-remote-basic-auth + namespace: prometheus +spec: + destination: + create: true + name: prometheus-remote-basic-auth + mount: kv + path: prometheus/prometheus-remote-basic-auth + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/prometheus/kustomization.yaml b/kubernetes/prometheus/kustomization.yaml index 93d48b1..5627d2e 100644 --- a/kubernetes/prometheus/kustomization.yaml 
+++ b/kubernetes/prometheus/kustomization.yaml @@ -1,19 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization - namespace: prometheus - resources: - Deployment-nextdns-exporter.yaml - Service-nextdns-exporter-metrics.yaml - ServiceMonitor-nextdns-exporter.yaml - -# Simply doesn't work for some reason :( -# helmCharts: -# - name: kube-prometheus-stack -# repo: https://prometheus-community.github.io/helm-charts -# releaseName: prometheus -# namespace: prometheus -# version: 61.1.0 -# valuesFile: ./prometheus-agent.yml -# kubeVersion: "1.30" +- VaultAuth.yaml +- VaultStaticSecret-nextdns-exporter.yaml +- VaultStaticSecret-nextdns-ts-exporter.yaml +- VaultStaticSecret-prometheus-remote-basic-auth.yaml diff --git a/kubernetes/redlib/kustomization.yaml b/kubernetes/redlib/kustomization.yaml index 3c3d0c3..bd64ff1 100644 --- a/kubernetes/redlib/kustomization.yaml +++ b/kubernetes/redlib/kustomization.yaml @@ -4,3 +4,4 @@ resources: - Deployment-redlib.yaml - Service-redlib.yaml - Ingress-redlib.yaml + diff --git a/kubernetes/searxng/VaultAuth.yaml b/kubernetes/searxng/VaultAuth.yaml new file mode 100644 index 0000000..a8b81c4 --- /dev/null +++ b/kubernetes/searxng/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: searxng +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/searxng/VaultStaticSecret-searxng.yaml b/kubernetes/searxng/VaultStaticSecret-searxng.yaml new file mode 100644 index 0000000..19e43a4 --- /dev/null +++ b/kubernetes/searxng/VaultStaticSecret-searxng.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: searxng + namespace: searxng +spec: + destination: + create: true + name: searxng + mount: kv + path: searxng/searxng + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault 
diff --git a/kubernetes/searxng/kustomization.yaml b/kubernetes/searxng/kustomization.yaml index 2a117c4..d9067cf 100644 --- a/kubernetes/searxng/kustomization.yaml +++ b/kubernetes/searxng/kustomization.yaml @@ -1,4 +1,17 @@ apiVersion: kustomize.config.k8s.io/v1beta1 +helmCharts: +- name: redis + releaseName: searxng-redis + repo: https://charts.bitnami.com/bitnami + valuesInline: + architecture: standalone + auth: + enabled: false + image: + registry: registry.redict.io + repository: redict + tag: 7.3-compat + version: 18.6.1 kind: Kustomization namespace: searxng resources: @@ -6,17 +19,5 @@ resources: - Deployment-searxng.yaml - Service-searxng.yaml - Ingress-searxng.yaml - -helmCharts: -- name: redis - releaseName: searxng-redis - version: 18.6.1 - repo: https://charts.bitnami.com/bitnami - valuesInline: - auth: - enabled: false - architecture: standalone - image: - registry: registry.redict.io - repository: redict - tag: 7.3-compat +- VaultAuth.yaml +- VaultStaticSecret-searxng.yaml diff --git a/kubernetes/smarthome/VaultAuth.yaml b/kubernetes/smarthome/VaultAuth.yaml new file mode 100644 index 0000000..1991a79 --- /dev/null +++ b/kubernetes/smarthome/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: smarthome +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/smarthome/VaultStaticSecret-hue.yaml b/kubernetes/smarthome/VaultStaticSecret-hue.yaml new file mode 100644 index 0000000..c8d6185 --- /dev/null +++ b/kubernetes/smarthome/VaultStaticSecret-hue.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: hue + namespace: smarthome +spec: + destination: + create: true + name: hue + mount: kv + path: smarthome/hue + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault 
diff --git a/kubernetes/misc/homebridge.yaml b/kubernetes/smarthome/homebridge.yaml similarity index 100% rename from kubernetes/misc/homebridge.yaml rename to kubernetes/smarthome/homebridge.yaml diff --git a/kubernetes/misc/hue.yml b/kubernetes/smarthome/hue.yaml similarity index 100% rename from kubernetes/misc/hue.yml rename to kubernetes/smarthome/hue.yaml diff --git a/kubernetes/smarthome/kustomization.yaml b/kubernetes/smarthome/kustomization.yaml new file mode 100644 index 0000000..3755c41 --- /dev/null +++ b/kubernetes/smarthome/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: smarthome + +resources: +- homebridge.yaml +- hue.yaml +- VaultAuth.yaml +- VaultStaticSecret-hue.yaml diff --git a/kubernetes/tclip/VaultAuth.yaml b/kubernetes/tclip/VaultAuth.yaml new file mode 100644 index 0000000..bd7a924 --- /dev/null +++ b/kubernetes/tclip/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: tclip +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/tclip/VaultStaticSecret-tclip.yaml b/kubernetes/tclip/VaultStaticSecret-tclip.yaml new file mode 100644 index 0000000..f7d1eef --- /dev/null +++ b/kubernetes/tclip/VaultStaticSecret-tclip.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: tclip + namespace: tclip +spec: + destination: + create: true + name: tclip + mount: kv + path: tclip/tclip + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/tclip/kustomization.yaml b/kubernetes/tclip/kustomization.yaml index 4c3ac68..cfd5563 100644 --- a/kubernetes/tclip/kustomization.yaml +++ b/kubernetes/tclip/kustomization.yaml @@ -4,3 +4,5 @@ resources: - StatefulSet-tclip.yaml - Service-tclip.yaml - Ingress-tclip.yaml +- VaultAuth.yaml +- VaultStaticSecret-tclip.yaml 
diff --git a/kubernetes/vault-secrets-operator/crb.yaml b/kubernetes/vault-secrets-operator/crb.yaml new file mode 100644 index 0000000..08537a4 --- /dev/null +++ b/kubernetes/vault-secrets-operator/crb.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vault-auth +--- +apiVersion: v1 +kind: Secret +metadata: + name: vault-auth + annotations: + kubernetes.io/service-account.name: vault-auth +type: kubernetes.io/service-account-token +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: role-tokenreview-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: vault-auth + namespace: default diff --git a/kubernetes/vault-secrets-operator/kustomization.yaml b/kubernetes/vault-secrets-operator/kustomization.yaml new file mode 100644 index 0000000..cbc190e --- /dev/null +++ b/kubernetes/vault-secrets-operator/kustomization.yaml @@ -0,0 +1,21 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +helmCharts: +- includeCrds: true + kubeVersion: '1.30' + name: vault-secrets-operator + namespace: vault-secrets-operator + releaseName: vault-secrets-operator + repo: https://helm.releases.hashicorp.com + valuesInline: + defaultVaultConnection: + address: https://secrets.gmem.ca + enabled: true + skipTLSVerify: false + tests: + enabled: false + version: 0.7.1 +kind: Kustomization +namespace: vault-secrets-operator +resources: +- ./crb.yaml + diff --git a/kubernetes/vaultwarden/VaultAuth.yaml b/kubernetes/vaultwarden/VaultAuth.yaml new file mode 100644 index 0000000..57df4a9 --- /dev/null +++ b/kubernetes/vaultwarden/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: vaultwarden +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes 
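Review bot: The ClusterRoleBinding in crb.yaml names its subject as `namespace: default` while the kustomization applies everything into `vault-secrets-operator`; this binds the intended account only if kustomize's namespace transformer rewrites the subject for a ServiceAccount defined in the same kustomization, which it generally does, but writing `namespace: vault-secrets-operator` explicitly removes the dependence on that behaviour and makes the manifest correct on its own. The `kubernetes.io/service-account-token` Secret is a non-expiring bearer token that `system:auth-delegator` lets perform TokenReview/SubjectAccessReview cluster-wide — what an out-of-cluster Vault at secrets.gmem.ca needs as its `token_reviewer_jwt`, but a standing credential whose read access in this namespace should be tightly restricted and which should be rotated. A header comment stating that purpose would help: `# Long-lived token used as token_reviewer_jwt by Vault's kubernetes auth method; Vault runs outside the cluster and cannot use its own SA token.`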
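Review bot: For vaultwarden, whose KV entry presumably holds the password manager's admin token and database credentials, binding Vault auth to `serviceAccount: default` means every container in the namespace (and, if `reader` is one shared role, any other namespace's default account) can fetch that entry straight from Vault rather than only through the Kubernetes Secret VSO writes. Give this namespace its own ServiceAccount and Vault role, e.g. `serviceAccount: vault-secrets` and `role: vaultwarden`, with the policy limited to `kv/data/vaultwarden/*`. The Vault role definition is not visible in this diff, so the shared-role concern is inferred from the identical `role: reader` used across namespaces.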
diff --git a/kubernetes/vaultwarden/VaultStaticSecret-vaultwarden.yaml b/kubernetes/vaultwarden/VaultStaticSecret-vaultwarden.yaml new file mode 100644 index 0000000..bf168f0 --- /dev/null +++ b/kubernetes/vaultwarden/VaultStaticSecret-vaultwarden.yaml @@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: vaultwarden + namespace: vaultwarden +spec: + destination: + create: true + name: vaultwarden + mount: kv + path: vaultwarden/vaultwarden + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/misc/vaultwarden.yml b/kubernetes/vaultwarden/deployment.yaml similarity index 100% rename from kubernetes/misc/vaultwarden.yml rename to kubernetes/vaultwarden/deployment.yaml diff --git a/kubernetes/vaultwarden/kustomization.yaml b/kubernetes/vaultwarden/kustomization.yaml new file mode 100644 index 0000000..f81d698 --- /dev/null +++ b/kubernetes/vaultwarden/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- VaultAuth.yaml +- VaultStaticSecret-vaultwarden.yaml +- deployment.yaml diff --git a/kubernetes/vrchat/VaultAuth.yaml b/kubernetes/vrchat/VaultAuth.yaml new file mode 100644 index 0000000..7691031 --- /dev/null +++ b/kubernetes/vrchat/VaultAuth.yaml @@ -0,0 +1,11 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vault + namespace: vrchat +spec: + kubernetes: + role: reader + serviceAccount: default + method: kubernetes + mount: kubernetes diff --git a/kubernetes/vrchat/VaultStaticSecret-vrchat-prometheus-adapter.yaml b/kubernetes/vrchat/VaultStaticSecret-vrchat-prometheus-adapter.yaml new file mode 100644 index 0000000..5a795e0 --- /dev/null +++ b/kubernetes/vrchat/VaultStaticSecret-vrchat-prometheus-adapter.yaml 
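Review bot: The vaultwarden kustomization sets no `namespace:`, unlike the other directories added in this commit, while its VaultAuth and VaultStaticSecret hard-code `namespace: vaultwarden`; the renamed deployment.yaml (unchanged from misc/vaultwarden.yml and not shown here) will land wherever its own metadata says, and if that is not `vaultwarden` the Secret VSO creates will not be visible to the Deployment. Add `namespace: vaultwarden` to this kustomization so all three resources are forced into the same namespace regardless of what the moved manifest declares.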
@@ -0,0 +1,14 @@ +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: vrchat-prometheus-adapter + namespace: vrchat +spec: + destination: + create: true + name: vrchat-prometheus-adapter + mount: kv + path: vrchat-prometheus-adapter + refreshAfter: 30s + type: kv-v2 + vaultAuthRef: vault diff --git a/kubernetes/vrchat/kustomization.yaml b/kubernetes/vrchat/kustomization.yaml index 44fdd68..932cc80 100644 --- a/kubernetes/vrchat/kustomization.yaml +++ b/kubernetes/vrchat/kustomization.yaml @@ -4,3 +4,4 @@ resources: - Deployment-vrchat-prometheus-adapter.yaml - Service-vrchat-prometheus-adapter.yaml - ServiceMonitor-vrchat-prometheus-adapter.yaml +- VaultAuth.yaml
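Review bot: `path: vrchat-prometheus-adapter` carries no namespace prefix, unlike every other VaultStaticSecret in this commit (`prometheus/nextdns-exporter`, `tclip/tclip`); under the convention used elsewhere it would be `path: vrchat/vrchat-prometheus-adapter`. If the KV entry really lives at the mount root, a comment saying so would prevent a later consistency fix from breaking the adapter; if it does not, VSO will fail to sync and the adapter's credentials will never appear.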
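Review bot: The vrchat kustomization adds `VaultAuth.yaml` but not the new `VaultStaticSecret-vrchat-prometheus-adapter.yaml`, so the Secret the Deployment presumably consumes is never created by VSO and the VaultAuth object is inert on its own. Add `- VaultStaticSecret-vrchat-prometheus-adapter.yaml` under `resources:`, as every other directory in this commit does for its VaultStaticSecret files.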