parent
79f73d2dd2
commit
7ac99af974
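--- a/kubernetes/atuin/VaultAuth.yaml
+++ b/kubernetes/atuin/VaultAuth.yaml
@@ -0,0 +1,11 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+name: vault
+namespace: atuin
+spec:
+kubernetes:
+role: reader
+serviceAccount: default
+method: kubernetes
+mount: kubernetes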
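Review bot: `serviceAccount: default` with `role: reader` makes the operator log in to Vault as the namespace's default service account, which is also the identity of every pod that does not name its own service account. The same pair is repeated in the VaultAuth files for authentik, cert-manager, cloudflare, duplikate, e6-gallery, homepage, irc, jellyseerr, minecraft-invites, miniflux and nitter, so a single Vault role appears to serve all of them; if its policy covers the whole `kv` mount (not visible here), any namespace can read every other namespace's secrets. I would give each namespace a dedicated service account, e.g. `serviceAccount: vault-auth` (constructed name), and bind it to a per-namespace Vault role whose policy is limited to that namespace's prefix, such as `kv/data/atuin/*`.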
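--- a/kubernetes/atuin/VaultStaticSecret-postgres-atuin.yaml
+++ b/kubernetes/atuin/VaultStaticSecret-postgres-atuin.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+name: postgres-atuin
+namespace: atuin
+spec:
+destination:
+create: true
+name: postgres-atuin
+mount: kv
+path: atuin/postgres-atuin
+refreshAfter: 30s
+type: kv-v2
+vaultAuthRef: vault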
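--- a/kubernetes/atuin/kustomization.yaml
+++ b/kubernetes/atuin/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- VaultAuth.yaml
+- VaultStaticSecret-postgres-atuin.yaml
+- deployment.yaml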
11
kubernetes/authentik/VaultAuth.yaml
Normal file
11
kubernetes/authentik/VaultAuth.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: authentik
|
||||
spec:
|
||||
kubernetes:
|
||||
role: reader
|
||||
serviceAccount: default
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: authentik-secrets
|
||||
namespace: authentik
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: authentik-secrets
|
||||
mount: kv
|
||||
path: authentik/authentik-secrets
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: postgres-authentik
|
||||
namespace: authentik
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: postgres-authentik
|
||||
mount: kv
|
||||
path: authentik/postgres-authentik
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
|
@ -1,12 +1,15 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
helmCharts:
|
||||
- kubeVersion: '1.30'
|
||||
name: authentik
|
||||
namespace: authentik
|
||||
releaseName: authentik
|
||||
repo: https://charts.goauthentik.io
|
||||
valuesFile: ./authentik.yml
|
||||
version: 2024.6.0
|
||||
kind: Kustomization
|
||||
namespace: authentik
|
||||
|
||||
helmCharts:
|
||||
- name: authentik
|
||||
repo: https://charts.goauthentik.io
|
||||
releaseName: authentik
|
||||
namespace: authentik
|
||||
version: 2024.6.0
|
||||
valuesFile: ./authentik.yml
|
||||
kubeVersion: "1.30"
|
||||
resources:
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-postgres-authentik.yaml
|
||||
- VaultStaticSecret-authentik-secrets.yaml
|
||||
|
|
11
kubernetes/cert-manager/VaultAuth.yaml
Normal file
11
kubernetes/cert-manager/VaultAuth.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
kubernetes:
|
||||
role: reader
|
||||
serviceAccount: default
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: cloudflare-cert-api
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: cloudflare-cert-api
|
||||
mount: kv
|
||||
path: cert-manager/cloudflare-cert-api
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
6
kubernetes/cert-manager/kustomization.yaml
Normal file
6
kubernetes/cert-manager/kustomization.yaml
Normal file
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namespace: cert-manager
|
||||
resources:
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-cloudflare-cert-api.yaml
|
11
kubernetes/cloudflare/VaultAuth.yaml
Normal file
11
kubernetes/cloudflare/VaultAuth.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: cloudflare
|
||||
spec:
|
||||
kubernetes:
|
||||
role: reader
|
||||
serviceAccount: default
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: cloudflare-exporter
|
||||
namespace: cloudflare
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: cloudflare-exporter
|
||||
mount: kv
|
||||
path: cloudflare/cloudflare-exporter
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: tunnel-credentials
|
||||
namespace: cloudflare
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: tunnel-credentials
|
||||
mount: kv
|
||||
path: cloudflare/tunnel-credentials
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
|
@ -1,20 +1,22 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
helmCharts:
|
||||
- kubeVersion: '1.30'
|
||||
name: cloudflare-exporter
|
||||
releaseName: cloudflare-exporter
|
||||
repo: https://lablabs.github.io/cloudflare-exporter
|
||||
valuesInline:
|
||||
image:
|
||||
tag: 0.0.16
|
||||
secretRef: cloudflare-exporter
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
labels:
|
||||
release: prometheus
|
||||
version: 0.2.1
|
||||
kind: Kustomization
|
||||
namespace: cloudflare
|
||||
resources:
|
||||
- cloudflared.yml
|
||||
|
||||
helmCharts:
|
||||
- name: cloudflare-exporter
|
||||
releaseName: cloudflare-exporter
|
||||
version: 0.2.1
|
||||
repo: https://lablabs.github.io/cloudflare-exporter
|
||||
valuesInline:
|
||||
image:
|
||||
tag: "0.0.16"
|
||||
secretRef: "cloudflare-exporter"
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
labels:
|
||||
release: "prometheus"
|
||||
kubeVersion: "1.30"
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-tunnel-credentials.yaml
|
||||
- VaultStaticSecret-cloudflare-exporter.yaml
|
||||
|
|
11
kubernetes/duplikate/VaultAuth.yaml
Normal file
11
kubernetes/duplikate/VaultAuth.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: duplikate
|
||||
spec:
|
||||
kubernetes:
|
||||
role: reader
|
||||
serviceAccount: default
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
14
kubernetes/duplikate/VaultStaticSecret-duplikate.yaml
Normal file
14
kubernetes/duplikate/VaultStaticSecret-duplikate.yaml
Normal file
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: duplikate
|
||||
namespace: duplikate
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: duplikate
|
||||
mount: kv
|
||||
path: duplikate/duplikate
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
|
@ -1,20 +1,20 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
namespace: duplikate
|
||||
resources:
|
||||
- Deployment-duplikate.yaml
|
||||
- InfisicalSecret-duplikate.yaml
|
||||
|
||||
helmCharts:
|
||||
- name: redis
|
||||
releaseName: duplikate-redis
|
||||
version: 18.6.1
|
||||
repo: https://charts.bitnami.com/bitnami
|
||||
valuesInline:
|
||||
architecture: standalone
|
||||
auth:
|
||||
enabled: false
|
||||
architecture: standalone
|
||||
image:
|
||||
registry: registry.redict.io
|
||||
repository: redict
|
||||
tag: 7.3-compat
|
||||
version: 18.6.1
|
||||
kind: Kustomization
|
||||
namespace: duplikate
|
||||
resources:
|
||||
- Deployment-duplikate.yaml
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-duplikate.yaml
|
||||
|
|
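Review bot: The redis chart values in this section carry `auth:` / `enabled: false`, so the `duplikate-redis` instance accepts unauthenticated connections from anything that can reach its Service. The rendering lost the +/- markers, so I cannot tell whether that line is new or carried over, but the new side still ships it. Now that the namespace has a VaultAuth, the password could come from a VaultStaticSecret and be passed to the chart as an existing secret. Failing that, a NetworkPolicy limiting ingress to the duplikate pods would contain the exposure.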
11
kubernetes/e6-gallery/VaultAuth.yaml
Normal file
11
kubernetes/e6-gallery/VaultAuth.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: e6-gallery
|
||||
spec:
|
||||
kubernetes:
|
||||
role: reader
|
||||
serviceAccount: default
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
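--- a/kubernetes/e6-gallery/VaultStaticSecret-regcred.yaml
+++ b/kubernetes/e6-gallery/VaultStaticSecret-regcred.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+name: regcred
+namespace: e6-gallery
+spec:
+destination:
+create: true
+name: regcred
+mount: kv
+path: e6-gallery/regcred
+refreshAfter: 30s
+type: kv-v2
+vaultAuthRef: vault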
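Review bot: Nothing under `destination:` sets a Secret type, so the operator will create `regcred` as an Opaque Secret. If e6-gallery.yaml (not shown in this section) references it under `imagePullSecrets`, the kubelet expects type `kubernetes.io/dockerconfigjson` with a `.dockerconfigjson` key and image pulls will fail without it. Add `type: kubernetes.io/dockerconfigjson` under `destination:` and make sure the Vault entry at `e6-gallery/regcred` stores its payload under that key name.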
9
kubernetes/e6-gallery/kustomization.yaml
Normal file
9
kubernetes/e6-gallery/kustomization.yaml
Normal file
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namespace: e6-gallery
|
||||
|
||||
resources:
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-regcred.yaml
|
||||
- e6-gallery.yaml
|
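--- a/kubernetes/endpoints/Endpoints-secrets.yaml
+++ b/kubernetes/endpoints/Endpoints-secrets.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Endpoints
+metadata:
+name: secrets
+namespace: endpoints
+subsets:
+- addresses:
+- ip: 192.168.50.147
+ports:
+- name: vault
+port: 8200
+protocol: TCP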
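Review bot: The endpoint port here is named `vault`, while the port in Service-secrets.yaml from the same commit is named `secrets`. For a selector-less Service the endpoint port name has to match the Service port name, otherwise the Service is left with no usable backends and the Ingress for secrets.gmem.ca would most likely answer 503. Rename one side so they agree, e.g. `- name: secrets` in this file.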
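--- a/kubernetes/endpoints/Ingress-secrets.yaml
+++ b/kubernetes/endpoints/Ingress-secrets.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+annotations:
+nginx.ingress.kubernetes.io/backend-protocol: HTTP
+name: secrets
+namespace: endpoints
+spec:
+rules:
+- host: secrets.gmem.ca
+http:
+paths:
+- backend:
+service:
+name: secrets
+port:
+number: 8200
+path: /
+pathType: Prefix
+tls:
+- hosts:
+- secrets.gmem.ca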
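Review bot: `nginx.ingress.kubernetes.io/backend-protocol: HTTP` sends Vault traffic from the ingress controller to 192.168.50.147:8200 in cleartext, so Vault tokens and secret payloads cross the LAN unencrypted even though the client side is TLS. If the Vault listener can serve TLS, set the annotation to `HTTPS` and add the proxy-ssl verification annotations so the backend certificate is checked. The `tls:` entry lists only `hosts` with no `secretName`, so ingress-nginx will presumably fall back to its default certificate unless one is configured elsewhere. Because this host fronts the Vault API and UI, I would also restrict who can reach it, e.g. with `nginx.ingress.kubernetes.io/whitelist-source-range`.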
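--- a/kubernetes/endpoints/Service-secrets.yaml
+++ b/kubernetes/endpoints/Service-secrets.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: secrets
+namespace: endpoints
+spec:
+ports:
+- name: secrets
+port: 8200
+targetPort: 8200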
|
@ -16,3 +16,6 @@ resources:
|
|||
- Ingress-ibiza.yaml
|
||||
- Ingress-proxmox.yaml
|
||||
- Ingress-tokyo.yaml
|
||||
- Endpoints-secrets.yaml
|
||||
- Ingress-secrets.yaml
|
||||
- Service-secrets.yaml
|
||||
|
|
11
kubernetes/homepage/VaultAuth.yaml
Normal file
11
kubernetes/homepage/VaultAuth.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: homepage
|
||||
spec:
|
||||
kubernetes:
|
||||
role: reader
|
||||
serviceAccount: default
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
14
kubernetes/homepage/VaultStaticSecret-homepage-config.yaml
Normal file
14
kubernetes/homepage/VaultStaticSecret-homepage-config.yaml
Normal file
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: homepage-config
|
||||
namespace: homepage
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: homepage-config
|
||||
mount: kv
|
||||
path: homepage/homepage-config
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
|
@ -1,16 +1,16 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
helmCharts:
|
||||
- kubeVersion: '1.30'
|
||||
name: homepage
|
||||
namespace: homepage
|
||||
releaseName: homepage
|
||||
repo: https://jameswynn.github.io/helm-charts
|
||||
valuesFile: ./homepage.yaml
|
||||
version: 1.2.3
|
||||
kind: Kustomization
|
||||
namespace: homepage
|
||||
|
||||
patches:
|
||||
- path: ./deployment.yaml
|
||||
|
||||
helmCharts:
|
||||
- name: homepage
|
||||
repo: https://jameswynn.github.io/helm-charts
|
||||
releaseName: homepage
|
||||
namespace: homepage
|
||||
version: 1.2.3
|
||||
kubeVersion: "1.30"
|
||||
valuesFile: ./homepage.yaml
|
||||
resources:
|
||||
- ./VaultStaticSecret-homepage-config.yaml
|
||||
- ./VaultAuth.yaml
|
||||
|
|
|
@ -1,12 +0,0 @@
|
|||
infisical:
|
||||
fullnameOverride: infisical
|
||||
image:
|
||||
tag: v0.70.1-postgres
|
||||
ingress:
|
||||
enabled: true
|
||||
hostName: secrets.gmem.ca
|
||||
tls:
|
||||
- hosts:
|
||||
- secrets.gmem.ca
|
||||
postgresql:
|
||||
enabled: false
|
|
@ -1,19 +0,0 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namespace: infisical
|
||||
|
||||
helmCharts:
|
||||
- name: infisical-standalone
|
||||
repo: https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts
|
||||
releaseName: infisical
|
||||
namespace: infisical
|
||||
version: 1.0.8
|
||||
valuesFile: ./infvalues.yml
|
||||
kubeVersion: "1.30"
|
||||
- name: secrets-operator
|
||||
repo: https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts
|
||||
releaseName: secrets-operator-1718466666
|
||||
namespace: infisical
|
||||
version: 0.6.2
|
||||
kubeVersion: "1.30"
|
|
@ -1,12 +1,12 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
helmCharts:
|
||||
- kubeVersion: '1.30'
|
||||
name: ingress-nginx
|
||||
namespace: ingress-nginx
|
||||
releaseName: ingress-nginx
|
||||
repo: https://kubernetes.github.io/ingress-nginx
|
||||
valuesFile: ./nginx.yaml
|
||||
version: 4.10.1
|
||||
kind: Kustomization
|
||||
namespace: ingress-nginx
|
||||
|
||||
helmCharts:
|
||||
- name: ingress-nginx
|
||||
repo: https://kubernetes.github.io/ingress-nginx
|
||||
releaseName: ingress-nginx
|
||||
namespace: ingress-nginx
|
||||
version: 4.10.1
|
||||
valuesFile: ./nginx.yaml
|
||||
kubeVersion: "1.30"
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
config: 'listen ircs://
|
||||
|
||||
listen unix+admin:///app/admin
|
||||
|
||||
listen ws+insecure://
|
||||
|
||||
listen http+prometheus://localhost:9090
|
||||
|
||||
hostname irc.gmem.ca
|
||||
|
||||
title irc.gmem.ca
|
||||
|
||||
db postgres "dbname=soju"
|
||||
|
||||
message-store db
|
||||
|
||||
tls /ssl/tls.crt /ssl/tls.key
|
||||
|
||||
'
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
annotations:
|
||||
kubenix/k8s-version: '1.30'
|
||||
kubenix/project-name: kubenix
|
||||
labels:
|
||||
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
|
||||
name: soju-4a44ac46db
|
||||
namespace: irc
|
|
@ -47,12 +47,12 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /etc/soju/config
|
||||
name: config
|
||||
subPath: config
|
||||
subPath: config.in
|
||||
- mountPath: /ssl
|
||||
name: ssl
|
||||
volumes:
|
||||
- configMap:
|
||||
name: soju-4a44ac46db
|
||||
name: soju
|
||||
name: config
|
||||
- name: ssl
|
||||
secret:
|
||||
|
|
11
kubernetes/irc/VaultAuth.yaml
Normal file
11
kubernetes/irc/VaultAuth.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: irc
|
||||
spec:
|
||||
kubernetes:
|
||||
role: reader
|
||||
serviceAccount: default
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
14
kubernetes/irc/VaultStaticSecret-postgres-soju.yaml
Normal file
14
kubernetes/irc/VaultStaticSecret-postgres-soju.yaml
Normal file
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: postgres-soju
|
||||
namespace: irc
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: postgres-soju
|
||||
mount: kv
|
||||
path: irc/postgres-soju
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
14
kubernetes/irc/VaultStaticSecret-soju.yaml
Normal file
14
kubernetes/irc/VaultStaticSecret-soju.yaml
Normal file
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: soju
|
||||
namespace: irc
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: soju
|
||||
mount: kv
|
||||
path: irc/soju
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
9
kubernetes/irc/config.in
Normal file
9
kubernetes/irc/config.in
Normal file
|
@ -0,0 +1,9 @@
|
|||
listen ircs://
|
||||
listen unix+admin:///app/admin
|
||||
listen ws+insecure://
|
||||
listen http+prometheus://localhost:9090
|
||||
hostname irc.gmem.ca
|
||||
title irc.gmem.ca
|
||||
db postgres "dbname=soju"
|
||||
message-store db
|
||||
tls /ssl/tls.crt /ssl/tls.key
|
|
@ -1,10 +1,21 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namespace: irc
|
||||
|
||||
resources:
|
||||
- ConfigMap-soju-4a44ac46db.yaml
|
||||
- Deployment-gamja.yaml
|
||||
- Deployment-soju.yaml
|
||||
- Service-gamja.yaml
|
||||
- Service-soju.yaml
|
||||
- Service-soju-ws.yaml
|
||||
- Ingress-irc.yaml
|
||||
- irc-cert.yml
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-postgres-soju.yaml
|
||||
- VaultStaticSecret-soju.yaml
|
||||
|
||||
configMapGenerator:
|
||||
- name: soju
|
||||
files:
|
||||
- config.in
|
||||
|
|
11
kubernetes/jellyseerr/VaultAuth.yaml
Normal file
11
kubernetes/jellyseerr/VaultAuth.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: jellyseerr
|
||||
spec:
|
||||
kubernetes:
|
||||
role: reader
|
||||
serviceAccount: default
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
14
kubernetes/jellyseerr/VaultStaticSecret-jellyseerr.yaml
Normal file
14
kubernetes/jellyseerr/VaultStaticSecret-jellyseerr.yaml
Normal file
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: jellyseerr
|
||||
namespace: jellyseerr
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: jellyseerr
|
||||
mount: kv
|
||||
path: jellyseerr/jellyseerr
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
|
@ -4,3 +4,5 @@ resources:
|
|||
- Deployment-jellyseerr.yaml
|
||||
- Service-jellyseerr.yaml
|
||||
- Ingress-jellyseerr.yaml
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-jellyseerr.yaml
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- atuin
|
||||
- authentik
|
||||
- duplikate
|
||||
- miniflux
|
||||
- nitter
|
||||
|
@ -20,6 +21,8 @@ resources:
|
|||
- endpoints
|
||||
- ingress-nginx
|
||||
- homepage
|
||||
- infisical
|
||||
- nfs-subdir-external-provisioner
|
||||
- misc
|
||||
- vault-secrets-operator
|
||||
- vaultwarden
|
||||
- smarthome
|
||||
|
|
11
kubernetes/minecraft-invites/VaultAuth.yaml
Normal file
11
kubernetes/minecraft-invites/VaultAuth.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: minecraft-invites
|
||||
spec:
|
||||
kubernetes:
|
||||
role: reader
|
||||
serviceAccount: default
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: whitelistmanager
|
||||
namespace: minecraft-invites
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: whitelistmanager
|
||||
mount: kv
|
||||
path: whitelistmanager/whitelistmanager
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
|
@ -6,3 +6,5 @@ resources:
|
|||
- Service-whitelistmanager.yaml
|
||||
- Service-whitelistmanager-frontend.yaml
|
||||
- Ingress-whitelistmanager.yaml
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-whitelistmanager.yaml
|
||||
|
|
|
@ -1,22 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
BASE_URL: https://rss.gmem.ca/
|
||||
CLEANUP_ARCHIVE_UNREAD_DAYS: '60'
|
||||
CREATE_ADMIN: '1'
|
||||
METRICS_ALLOWED_NETWORKS: 0.0.0.0/0
|
||||
METRICS_COLLECTOR: '1'
|
||||
OAUTH2_OIDC_DISCOVERY_ENDPOINT: https://authentik.gmem.ca/application/o/miniflux/
|
||||
OAUTH2_PROVIDER: oidc
|
||||
OAUTH2_REDIRECT_URL: https://rss.gmem.ca/oauth2/oidc/callback
|
||||
OAUTH2_USER_CREATION: '1'
|
||||
RUN_MIGRATIONS: '1'
|
||||
YOUTUBE_EMBED_URL_OVERRIDE: https://piped.gmem.ca/embed/
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
annotations:
|
||||
kubenix/k8s-version: '1.30'
|
||||
kubenix/project-name: kubenix
|
||||
labels:
|
||||
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
|
||||
name: miniflux-a4c33abb52
|
||||
namespace: miniflux
|
|
@ -22,7 +22,7 @@ spec:
|
|||
- secretRef:
|
||||
name: miniflux
|
||||
- configMapRef:
|
||||
name: miniflux-a4c33abb52
|
||||
name: miniflux
|
||||
image: docker.io/miniflux/miniflux
|
||||
name: miniflux
|
||||
ports:
|
||||
|
|
|
@ -1,27 +0,0 @@
|
|||
apiVersion: secrets.infisical.com/v1alpha1
|
||||
kind: InfisicalSecret
|
||||
metadata:
|
||||
annotations:
|
||||
kubenix/k8s-version: '1.30'
|
||||
kubenix/project-name: kubenix
|
||||
labels:
|
||||
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
|
||||
name: miniflux
|
||||
namespace: miniflux
|
||||
spec:
|
||||
authentication:
|
||||
kubernetesAuth:
|
||||
identityId: 68d1f432-7b0a-4e4a-b439-acbbbc160f1e
|
||||
secretsScope:
|
||||
envSlug: prod
|
||||
projectSlug: kubernetes-homelab-dp67
|
||||
secretsPath: /miniflux
|
||||
serviceAccountRef:
|
||||
name: infisical-auth
|
||||
namespace: infisical
|
||||
hostAPI: http://infisical:8080
|
||||
managedSecretReference:
|
||||
creationPolicy: Owner
|
||||
secretName: miniflux
|
||||
secretNamespace: miniflux
|
||||
resyncInterval: 10
|
11
kubernetes/miniflux/VaultAuth.yaml
Normal file
11
kubernetes/miniflux/VaultAuth.yaml
Normal file
|
@ -0,0 +1,11 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: vault
|
||||
namespace: miniflux
|
||||
spec:
|
||||
kubernetes:
|
||||
role: reader
|
||||
serviceAccount: default
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
14
kubernetes/miniflux/VaultStaticSecret-miniflux.yaml
Normal file
14
kubernetes/miniflux/VaultStaticSecret-miniflux.yaml
Normal file
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: miniflux
|
||||
namespace: miniflux
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: miniflux
|
||||
mount: kv
|
||||
path: miniflux/miniflux
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
|
@ -1,9 +1,14 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ConfigMap-miniflux-a4c33abb52.yaml
|
||||
- Deployment-miniflux.yaml
|
||||
- Service-miniflux.yaml
|
||||
- ServiceMonitor-miniflux.yaml
|
||||
- Ingress-miniflux.yaml
|
||||
- InfisicalSecret-miniflux.yaml
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-miniflux.yaml
|
||||
|
||||
configMapGenerator:
|
||||
- name: miniflux
|
||||
envs:
|
||||
- miniflux.env
|
||||
|
|
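Review bot: The new `configMapGenerator` entry sets no namespace, and this kustomization has no top-level `namespace:` either, unlike the irc kustomization changed in the same commit; the ConfigMap file it replaces pinned `namespace: miniflux`. As written, the generated `miniflux-<hash>` ConfigMap would be emitted without a namespace, and the Deployment's `configMapRef` in namespace `miniflux` may not be rewritten to the hashed name. Add `namespace: miniflux` to the generator entry or to the kustomization. The old and new sides of this hunk are inferred from the hunk counts, because the rendering lost the +/- markers.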
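--- a/kubernetes/miniflux/miniflux.env
+++ b/kubernetes/miniflux/miniflux.env
@@ -0,0 +1,11 @@
+BASE_URL=https://rss.gmem.ca/
+CLEANUP_ARCHIVE_UNREAD_DAYS=60
+CREATE_ADMIN=1
+METRICS_ALLOWED_NETWORKS=0.0.0.0/0
+METRICS_COLLECTOR=1
+OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.gmem.ca/application/o/miniflux/
+OAUTH2_PROVIDER=oidc
+OAUTH2_REDIRECT_URL=https://rss.gmem.ca/oauth2/oidc/callback
+OAUTH2_USER_CREATION=1
+RUN_MIGRATIONS=1
+YOUTUBE_EMBED_URL_OVERRIDE=https://piped.gmem.ca/embed/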
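Review bot: `METRICS_ALLOWED_NETWORKS=0.0.0.0/0` lets any client that can reach the miniflux port read `/metrics`. Since `BASE_URL` points at a public hostname behind an Ingress, that may include internet clients, depending on how Ingress-miniflux.yaml routes paths (not visible here). The value was carried over from the removed ConfigMap, but this move is a good moment to narrow it to the range Prometheus scrapes from, e.g. `METRICS_ALLOWED_NETWORKS=<pod-CIDR>` (placeholder). `CREATE_ADMIN=1` also relies on the admin credentials arriving from the `miniflux` Secret, which is now Vault-backed; confirm the Vault entry at `miniflux/miniflux` carries them.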
|
@ -1,12 +1,7 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- atuin.yaml
|
||||
- e6-gallery.yaml
|
||||
- hue.yml
|
||||
- issuer.yml
|
||||
- nginx-podmonitor.yml
|
||||
- ntfy.yaml
|
||||
- tools.yml
|
||||
- vaultwarden.yml
|
||||
|
|
|
@ -1,12 +1,11 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
helmCharts:
|
||||
- kubeVersion: '1.30'
|
||||
name: nfs-subdir-external-provisioner
|
||||
namespace: nfs-subdir-external-provisioner
|
||||
releaseName: nfs-subdir-external-provisioner
|
||||
repo: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
|
||||
valuesFile: ./nfs-provisioner-values.yml
|
||||
version: 4.0.18
|
||||
kind: Kustomization
|
||||
namespace: nfs-subdir-external-provisioner
|
||||
|
||||
helmCharts:
|
||||
- name: nfs-subdir-external-provisioner
|
||||
repo: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
|
||||
releaseName: nfs-subdir-external-provisioner
|
||||
namespace: nfs-subdir-external-provisioner
|
||||
version: 4.0.18
|
||||
valuesFile: ./nfs-provisioner-values.yml
|
||||
kubeVersion: "1.30"
|
||||
|
|
|
@ -1,13 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
NITTER_EXTERNAL_URL: https://nitter.gmem.ca
|
||||
NITTER_URL: http://nitter:8080
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
annotations:
|
||||
kubenix/k8s-version: '1.30'
|
||||
kubenix/project-name: kubenix
|
||||
labels:
|
||||
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
|
||||
name: nitter-bot-5d9aefaae4
|
||||
namespace: nitter
|
|
@ -1,45 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
master.conf: 'dir /data
|
||||
|
||||
# User-supplied master configuration:
|
||||
|
||||
rename-command FLUSHDB ""
|
||||
|
||||
rename-command FLUSHALL ""
|
||||
|
||||
# End of master configuration'
|
||||
redis.conf: '# User-supplied common configuration:
|
||||
|
||||
# Enable AOF https://redis.io/topics/persistence#append-only-file
|
||||
|
||||
appendonly yes
|
||||
|
||||
# Disable RDB persistence, AOF persistence already enabled.
|
||||
|
||||
save ""
|
||||
|
||||
# End of common configuration'
|
||||
replica.conf: 'dir /data
|
||||
|
||||
# User-supplied replica configuration:
|
||||
|
||||
rename-command FLUSHDB ""
|
||||
|
||||
rename-command FLUSHALL ""
|
||||
|
||||
# End of replica configuration'
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
annotations:
|
||||
kubenix/k8s-version: '1.30'
|
||||
kubenix/project-name: kubenix
|
||||
labels:
|
||||
app.kubernetes.io/instance: nitter-redis
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: redis
|
||||
app.kubernetes.io/version: 7.2.3
|
||||
helm.sh/chart: redis-18.6.1
|
||||
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
|
||||
name: nitter-redis-configuration-4712c8e029
|
||||
namespace: nitter
|
|
@ -1,63 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
ping_liveness_local.sh: "#!/bin/bash\n\n[[ -f $REDIS_PASSWORD_FILE ]] && export\
|
||||
\ REDIS_PASSWORD=\"$(< \"${REDIS_PASSWORD_FILE}\")\"\n[[ -n \"$REDIS_PASSWORD\"\
|
||||
\ ]] && export REDISCLI_AUTH=\"$REDIS_PASSWORD\"\nresponse=$(\n timeout -s 15\
|
||||
\ $1 \\\n redis-cli \\\n -h localhost \\\n -p $REDIS_PORT \\\n ping\n\
|
||||
)\nif [ \"$?\" -eq \"124\" ]; then\n echo \"Timed out\"\n exit 1\nfi\nresponseFirstWord=$(echo\
|
||||
\ $response | head -n1 | awk '{print $1;}')\nif [ \"$response\" != \"PONG\" ]\
|
||||
\ && [ \"$responseFirstWord\" != \"LOADING\" ] && [ \"$responseFirstWord\" !=\
|
||||
\ \"MASTERDOWN\" ]; then\n echo \"$response\"\n exit 1\nfi"
|
||||
ping_liveness_local_and_master.sh: 'script_dir="$(dirname "$0")"
|
||||
|
||||
exit_status=0
|
||||
|
||||
"$script_dir/ping_liveness_local.sh" $1 || exit_status=$?
|
||||
|
||||
"$script_dir/ping_liveness_master.sh" $1 || exit_status=$?
|
||||
|
||||
exit $exit_status'
|
||||
ping_liveness_master.sh: "#!/bin/bash\n\n[[ -f $REDIS_MASTER_PASSWORD_FILE ]] &&\
|
||||
\ export REDIS_MASTER_PASSWORD=\"$(< \"${REDIS_MASTER_PASSWORD_FILE}\")\"\n[[\
|
||||
\ -n \"$REDIS_MASTER_PASSWORD\" ]] && export REDISCLI_AUTH=\"$REDIS_MASTER_PASSWORD\"\
|
||||
\nresponse=$(\n timeout -s 15 $1 \\\n redis-cli \\\n -h $REDIS_MASTER_HOST\
|
||||
\ \\\n -p $REDIS_MASTER_PORT_NUMBER \\\n ping\n)\nif [ \"$?\" -eq \"124\"\
|
||||
\ ]; then\n echo \"Timed out\"\n exit 1\nfi\nresponseFirstWord=$(echo $response\
|
||||
\ | head -n1 | awk '{print $1;}')\nif [ \"$response\" != \"PONG\" ] && [ \"$responseFirstWord\"\
|
||||
\ != \"LOADING\" ]; then\n echo \"$response\"\n exit 1\nfi"
|
||||
ping_readiness_local.sh: "#!/bin/bash\n\n[[ -f $REDIS_PASSWORD_FILE ]] && export\
|
||||
\ REDIS_PASSWORD=\"$(< \"${REDIS_PASSWORD_FILE}\")\"\n[[ -n \"$REDIS_PASSWORD\"\
|
||||
\ ]] && export REDISCLI_AUTH=\"$REDIS_PASSWORD\"\nresponse=$(\n timeout -s 15\
|
||||
\ $1 \\\n redis-cli \\\n -h localhost \\\n -p $REDIS_PORT \\\n ping\n\
|
||||
)\nif [ \"$?\" -eq \"124\" ]; then\n echo \"Timed out\"\n exit 1\nfi\nif [ \"\
|
||||
$response\" != \"PONG\" ]; then\n echo \"$response\"\n exit 1\nfi"
|
||||
ping_readiness_local_and_master.sh: 'script_dir="$(dirname "$0")"
|
||||
|
||||
exit_status=0
|
||||
|
||||
"$script_dir/ping_readiness_local.sh" $1 || exit_status=$?
|
||||
|
||||
"$script_dir/ping_readiness_master.sh" $1 || exit_status=$?
|
||||
|
||||
exit $exit_status'
|
||||
ping_readiness_master.sh: "#!/bin/bash\n\n[[ -f $REDIS_MASTER_PASSWORD_FILE ]] &&\
|
||||
\ export REDIS_MASTER_PASSWORD=\"$(< \"${REDIS_MASTER_PASSWORD_FILE}\")\"\n[[\
|
||||
\ -n \"$REDIS_MASTER_PASSWORD\" ]] && export REDISCLI_AUTH=\"$REDIS_MASTER_PASSWORD\"\
|
||||
\nresponse=$(\n timeout -s 15 $1 \\\n redis-cli \\\n -h $REDIS_MASTER_HOST\
|
||||
\ \\\n -p $REDIS_MASTER_PORT_NUMBER \\\n ping\n)\nif [ \"$?\" -eq \"124\"\
|
||||
\ ]; then\n echo \"Timed out\"\n exit 1\nfi\nif [ \"$response\" != \"PONG\"\
|
||||
\ ]; then\n echo \"$response\"\n exit 1\nfi"
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
annotations:
|
||||
kubenix/k8s-version: '1.30'
|
||||
kubenix/project-name: kubenix
|
||||
labels:
|
||||
app.kubernetes.io/instance: nitter-redis
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: redis
|
||||
app.kubernetes.io/version: 7.2.3
|
||||
helm.sh/chart: redis-18.6.1
|
||||
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
|
||||
name: nitter-redis-health-05691b979f
|
||||
namespace: nitter
|
|
@ -1,24 +0,0 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
start-master.sh: "#!/bin/bash\n\n[[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD=\"\
|
||||
$(< \"${REDIS_PASSWORD_FILE}\")\"\nif [[ -f /opt/bitnami/redis/mounted-etc/master.conf\
|
||||
\ ]];then\n cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf\n\
|
||||
fi\nif [[ -f /opt/bitnami/redis/mounted-etc/redis.conf ]];then\n cp /opt/bitnami/redis/mounted-etc/redis.conf\
|
||||
\ /opt/bitnami/redis/etc/redis.conf\nfi\nARGS=(\"--port\" \"${REDIS_PORT}\")\n\
|
||||
ARGS+=(\"--protected-mode\" \"no\")\nARGS+=(\"--include\" \"/opt/bitnami/redis/etc/redis.conf\"\
|
||||
)\nARGS+=(\"--include\" \"/opt/bitnami/redis/etc/master.conf\")\nexec redis-server\
|
||||
\ \"${ARGS[@]}\"\n"
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
annotations:
|
||||
kubenix/k8s-version: '1.30'
|
||||
kubenix/project-name: kubenix
|
||||
labels:
|
||||
app.kubernetes.io/instance: nitter-redis
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: redis
|
||||
app.kubernetes.io/version: 7.2.3
|
||||
helm.sh/chart: redis-18.6.1
|
||||
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
|
||||
name: nitter-redis-scripts-a4596108c1
|
||||
namespace: nitter
|
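--- a/kubernetes/nitter/VaultAuth.yaml
+++ b/kubernetes/nitter/VaultAuth.yaml
@@ -0,0 +1,11 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+name: vault
+namespace: nitter
+spec:
+kubernetes:
+role: reader
+serviceAccount: default
+method: kubernetes
+mount: kubernetes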
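Review bot: Every VaultAuth added in this commit uses the same Vault role and the namespace's default identity, `role: reader` with `serviceAccount: default`; the identical pair appears in the piped, prometheus, searxng, smarthome, tclip, vaultwarden and vrchat sections. The role's policy is defined in Vault and is not visible here, but if `reader` can read the whole `kv` mount, any pod running under a `default` service account in one of these namespaces can log in and read every other application's secrets. A role per namespace whose policy is limited to `kv/data/nitter/*`, bound to a dedicated service account rather than `default`, would confine a compromised pod to its own application. At minimum I would add a comment above `role:` such as `# Vault k8s-auth role; policy must be limited to kv/data/nitter/*` so the expected scope is recorded next to the manifest.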
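--- a/kubernetes/nitter/VaultStaticSecret-nitter-bot.yaml
+++ b/kubernetes/nitter/VaultStaticSecret-nitter-bot.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+name: nitter-bot
+namespace: nitter
+spec:
+destination:
+create: true
+name: nitter-bot
+mount: kv
+path: nitter/nitter-bot
+refreshAfter: 30s
+type: kv-v2
+vaultAuthRef: vault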
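Review bot: The spec re-reads the secret every 30 seconds (`refreshAfter: 30s`) but names no `rolloutRestartTargets`, so a rotated value lands in the Kubernetes Secret without restarting the workload that uses it. How the consuming pods read the Secret is not visible in this section; if they take it through environment variables they will keep the old credential until their next restart. In that case add a `rolloutRestartTargets:` list under `spec:` with the `kind` and `name` of the consuming workload. The other VaultStaticSecret manifests in this commit have the same shape and the same question applies to them.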
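--- a/kubernetes/nitter/VaultStaticSecret-nitter.yaml
+++ b/kubernetes/nitter/VaultStaticSecret-nitter.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+name: nitter
+namespace: nitter
+spec:
+destination:
+create: true
+name: nitter
+mount: kv
+path: nitter/nitter
+refreshAfter: 30s
+type: kv-v2
+vaultAuthRef: vault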
|
@ -1,15 +1,27 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namespace: nitter
|
||||
|
||||
resources:
|
||||
- ConfigMap-nitter-bot-5d9aefaae4.yaml
|
||||
- ConfigMap-nitter-redis-configuration-4712c8e029.yaml
|
||||
- ConfigMap-nitter-redis-health-05691b979f.yaml
|
||||
- ConfigMap-nitter-redis-scripts-a4596108c1.yaml
|
||||
- Deployment-nitter.yaml
|
||||
- StatefulSet-nitter-bot.yaml
|
||||
- StatefulSet-nitter-redis-master.yaml
|
||||
- Service-nitter.yaml
|
||||
- Service-nitter-redis-headless.yaml
|
||||
- Service-nitter-redis-master.yaml
|
||||
- ServiceAccount-nitter-redis.yaml
|
||||
- Ingress-nitter.yaml
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-nitter-bot.yaml
|
||||
- VaultStaticSecret-nitter.yaml
|
||||
|
||||
helmCharts:
|
||||
- name: redis
|
||||
releaseName: nitter-redis
|
||||
repo: https://charts.bitnami.com/bitnami
|
||||
valuesInline:
|
||||
architecture: standalone
|
||||
auth:
|
||||
enabled: false
|
||||
image:
|
||||
registry: registry.redict.io
|
||||
repository: redict
|
||||
tag: 7.3-compat
|
||||
version: 18.6.1
|
||||
|
|
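Review bot: The Redis chart values carry `auth:` / `enabled: false`, so the rendered instance accepts unauthenticated connections from anything that can reach its Service; the searxng kustomization further down has the same block. The +/- markers are lost in this rendering, so I cannot tell whether these lines are new here or only moved. Since this commit brings Vault-synced Secrets into the namespace, the chart's `auth.existingSecret` could point at one of them, or a NetworkPolicy could restrict the Redis port to the nitter pods. The image tag `7.3-compat` is also a moving tag; pinning the image by digest would make the deployed binary reproducible.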
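--- a/kubernetes/piped/VaultAuth.yaml
+++ b/kubernetes/piped/VaultAuth.yaml
@@ -0,0 +1,11 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+name: vault
+namespace: piped
+spec:
+kubernetes:
+role: reader
+serviceAccount: default
+method: kubernetes
+mount: kubernetes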
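--- a/kubernetes/piped/VaultStaticSecret-postgres-piped.yaml
+++ b/kubernetes/piped/VaultStaticSecret-postgres-piped.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+name: postgres-piped
+namespace: piped
+spec:
+destination:
+create: true
+name: postgres-piped
+mount: kv
+path: piped/postgres-piped
+refreshAfter: 30s
+type: kv-v2
+vaultAuthRef: vault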
|
@ -3,12 +3,5 @@ kind: Kustomization
|
|||
namespace: piped
|
||||
resources:
|
||||
- CronJob-piped-refresh.yaml
|
||||
|
||||
# Requires a server-side Helm render and apply.
|
||||
# helmCharts:
|
||||
# - name: piped
|
||||
# releaseName: piped
|
||||
# version: 5.2.0
|
||||
# repo: https://helm.piped.video
|
||||
# valuesFile: ./helm.yaml
|
||||
# kubeVersion: "1.30"
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-postgres-piped.yaml
|
||||
|
|
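--- a/kubernetes/prometheus/VaultAuth.yaml
+++ b/kubernetes/prometheus/VaultAuth.yaml
@@ -0,0 +1,11 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+name: vault
+namespace: prometheus
+spec:
+kubernetes:
+role: reader
+serviceAccount: default
+method: kubernetes
+mount: kubernetes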
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: nextdns-exporter
|
||||
namespace: prometheus
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: nextdns-exporter
|
||||
mount: kv
|
||||
path: prometheus/nextdns-exporter
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: nextdns-ts-exporter
|
||||
namespace: prometheus
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: nextdns-ts-exporter
|
||||
mount: kv
|
||||
path: prometheus/nextdns-ts-exporter
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: prometheus-remote-basic-auth
|
||||
namespace: prometheus
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: prometheus-remote-basic-auth
|
||||
mount: kv
|
||||
path: prometheus/prometheus-remote-basic-auth
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
|
@ -1,19 +1,11 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
namespace: prometheus
|
||||
|
||||
resources:
|
||||
- Deployment-nextdns-exporter.yaml
|
||||
- Service-nextdns-exporter-metrics.yaml
|
||||
- ServiceMonitor-nextdns-exporter.yaml
|
||||
|
||||
# Simply doesn't work for some reason :(
|
||||
# helmCharts:
|
||||
# - name: kube-prometheus-stack
|
||||
# repo: https://prometheus-community.github.io/helm-charts
|
||||
# releaseName: prometheus
|
||||
# namespace: prometheus
|
||||
# version: 61.1.0
|
||||
# valuesFile: ./prometheus-agent.yml
|
||||
# kubeVersion: "1.30"
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-nextdns-exporter.yaml
|
||||
- VaultStaticSecret-nextdns-ts-exporter.yaml
|
||||
- VaultStaticSecret-prometheus-remote-basic-auth.yaml
|
||||
|
|
|
@ -4,3 +4,4 @@ resources:
|
|||
- Deployment-redlib.yaml
|
||||
- Service-redlib.yaml
|
||||
- Ingress-redlib.yaml
|
||||
|
||||
|
|
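--- a/kubernetes/searxng/VaultAuth.yaml
+++ b/kubernetes/searxng/VaultAuth.yaml
@@ -0,0 +1,11 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+name: vault
+namespace: searxng
+spec:
+kubernetes:
+role: reader
+serviceAccount: default
+method: kubernetes
+mount: kubernetes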
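--- a/kubernetes/searxng/VaultStaticSecret-searxng.yaml
+++ b/kubernetes/searxng/VaultStaticSecret-searxng.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+name: searxng
+namespace: searxng
+spec:
+destination:
+create: true
+name: searxng
+mount: kv
+path: searxng/searxng
+refreshAfter: 30s
+type: kv-v2
+vaultAuthRef: vault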
|
@ -1,4 +1,17 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
helmCharts:
|
||||
- name: redis
|
||||
releaseName: searxng-redis
|
||||
repo: https://charts.bitnami.com/bitnami
|
||||
valuesInline:
|
||||
architecture: standalone
|
||||
auth:
|
||||
enabled: false
|
||||
image:
|
||||
registry: registry.redict.io
|
||||
repository: redict
|
||||
tag: 7.3-compat
|
||||
version: 18.6.1
|
||||
kind: Kustomization
|
||||
namespace: searxng
|
||||
resources:
|
||||
|
@ -6,17 +19,5 @@ resources:
|
|||
- Deployment-searxng.yaml
|
||||
- Service-searxng.yaml
|
||||
- Ingress-searxng.yaml
|
||||
|
||||
helmCharts:
|
||||
- name: redis
|
||||
releaseName: searxng-redis
|
||||
version: 18.6.1
|
||||
repo: https://charts.bitnami.com/bitnami
|
||||
valuesInline:
|
||||
auth:
|
||||
enabled: false
|
||||
architecture: standalone
|
||||
image:
|
||||
registry: registry.redict.io
|
||||
repository: redict
|
||||
tag: 7.3-compat
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-searxng.yaml
|
||||
|
|
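--- a/kubernetes/smarthome/VaultAuth.yaml
+++ b/kubernetes/smarthome/VaultAuth.yaml
@@ -0,0 +1,11 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+name: vault
+namespace: smarthome
+spec:
+kubernetes:
+role: reader
+serviceAccount: default
+method: kubernetes
+mount: kubernetes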
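--- a/kubernetes/smarthome/VaultStaticSecret-hue.yaml
+++ b/kubernetes/smarthome/VaultStaticSecret-hue.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+name: hue
+namespace: smarthome
+spec:
+destination:
+create: true
+name: hue
+mount: kv
+path: smarthome/hue
+refreshAfter: 30s
+type: kv-v2
+vaultAuthRef: vault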
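--- a/kubernetes/smarthome/kustomization.yaml
+++ b/kubernetes/smarthome/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: smarthome
+
+resources:
+- homebridge.yaml
+- hue.yaml
+- VaultAuth.yaml
+- VaultStaticSecret-hue.yaml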
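--- a/kubernetes/tclip/VaultAuth.yaml
+++ b/kubernetes/tclip/VaultAuth.yaml
@@ -0,0 +1,11 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+name: vault
+namespace: tclip
+spec:
+kubernetes:
+role: reader
+serviceAccount: default
+method: kubernetes
+mount: kubernetes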
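--- a/kubernetes/tclip/VaultStaticSecret-tclip.yaml
+++ b/kubernetes/tclip/VaultStaticSecret-tclip.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+name: tclip
+namespace: tclip
+spec:
+destination:
+create: true
+name: tclip
+mount: kv
+path: tclip/tclip
+refreshAfter: 30s
+type: kv-v2
+vaultAuthRef: vault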
|
@ -4,3 +4,5 @@ resources:
|
|||
- StatefulSet-tclip.yaml
|
||||
- Service-tclip.yaml
|
||||
- Ingress-tclip.yaml
|
||||
- VaultAuth.yaml
|
||||
- VaultStaticSecret-tclip.yaml
|
||||
|
|
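--- a/kubernetes/vault-secrets-operator/crb.yaml
+++ b/kubernetes/vault-secrets-operator/crb.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: vault-auth
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: vault-auth
+annotations:
+kubernetes.io/service-account.name: vault-auth
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: role-tokenreview-binding
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+name: vault-auth
+namespace: default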
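Review bot: The ClusterRoleBinding subject is `vault-auth` in `namespace: default`, but the ServiceAccount and token Secret above it carry no namespace and the kustomization for this directory sets `namespace: vault-secrets-operator`. Unless kustomize rewrites the subject, which I would not rely on, the binding grants `system:auth-delegator` to a service account that does not exist, and anyone able to create `vault-auth` in `default` would inherit it. Set the subject to `namespace: vault-secrets-operator`, or give all three objects the same explicit namespace. The `kubernetes.io/service-account-token` Secret is also a non-expiring token, so a comment saying where it is consumed, for example `# long-lived token used as Vault's token reviewer JWT; rotate by deleting this Secret`, would help whoever has to rotate it.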
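--- a/kubernetes/vault-secrets-operator/kustomization.yaml
+++ b/kubernetes/vault-secrets-operator/kustomization.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+helmCharts:
+- includeCrds: true
+kubeVersion: '1.30'
+name: vault-secrets-operator
+namespace: vault-secrets-operator
+releaseName: vault-secrets-operator
+repo: https://helm.releases.hashicorp.com
+valuesInline:
+defaultVaultConnection:
+address: https://secrets.gmem.ca
+enabled: true
+skipTLSVerify: false
+tests:
+enabled: false
+version: 0.7.1
+kind: Kustomization
+namespace: vault-secrets-operator
+resources:
+- ./crb.yaml
+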
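--- a/kubernetes/vaultwarden/VaultAuth.yaml
+++ b/kubernetes/vaultwarden/VaultAuth.yaml
@@ -0,0 +1,11 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+name: vault
+namespace: vaultwarden
+spec:
+kubernetes:
+role: reader
+serviceAccount: default
+method: kubernetes
+mount: kubernetes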
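--- a/kubernetes/vaultwarden/VaultStaticSecret-vaultwarden.yaml
+++ b/kubernetes/vaultwarden/VaultStaticSecret-vaultwarden.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+name: vaultwarden
+namespace: vaultwarden
+spec:
+destination:
+create: true
+name: vaultwarden
+mount: kv
+path: vaultwarden/vaultwarden
+refreshAfter: 30s
+type: kv-v2
+vaultAuthRef: vault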
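--- a/kubernetes/vaultwarden/kustomization.yaml
+++ b/kubernetes/vaultwarden/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- VaultAuth.yaml
+- VaultStaticSecret-vaultwarden.yaml
+- deployment.yaml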
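--- a/kubernetes/vrchat/VaultAuth.yaml
+++ b/kubernetes/vrchat/VaultAuth.yaml
@@ -0,0 +1,11 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+name: vault
+namespace: vrchat
+spec:
+kubernetes:
+role: reader
+serviceAccount: default
+method: kubernetes
+mount: kubernetes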
|
@ -0,0 +1,14 @@
|
|||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: vrchat-prometheus-adapter
|
||||
namespace: vrchat
|
||||
spec:
|
||||
destination:
|
||||
create: true
|
||||
name: vrchat-prometheus-adapter
|
||||
mount: kv
|
||||
path: vrchat-prometheus-adapter
|
||||
refreshAfter: 30s
|
||||
type: kv-v2
|
||||
vaultAuthRef: vault
|
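Review bot: `path: vrchat-prometheus-adapter` has no namespace prefix, while every other VaultStaticSecret in this commit uses `<namespace>/<name>`, for example `path: tclip/tclip`. If the secret was written under `vrchat/` in the `kv` mount, the operator will not find it at this path. If it really does sit at the mount root, a per-namespace Vault policy such as `kv/data/vrchat/*` could never cover it, which pushes the `reader` role towards mount-wide read access. Following the pattern of the other files I would expect `path: vrchat/vrchat-prometheus-adapter`.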
|
@ -4,3 +4,4 @@ resources:
|
|||
- Deployment-vrchat-prometheus-adapter.yaml
|
||||
- Service-vrchat-prometheus-adapter.yaml
|
||||
- ServiceMonitor-vrchat-prometheus-adapter.yaml
|
||||
- VaultAuth.yaml
|
||||
|
|
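Review bot: The resources list gains `- VaultAuth.yaml` but shows no entry for the VaultStaticSecret this commit adds for `vrchat-prometheus-adapter`, whereas the tclip and prometheus kustomizations list both kinds. The hunk covers only a few lines of the file, so an entry outside it cannot be ruled out, but from what is visible the secret manifest would never be applied and the destination Secret would not be created. Following the file naming used elsewhere in this commit, the missing line would be `- VaultStaticSecret-vrchat-prometheus-adapter.yaml`; the file header for that section is not shown here, so confirm the name.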