diff --git a/kubernetes/apps/default/smtp-relay/app/externalsecret.yaml b/kubernetes/apps/default/smtp-relay/app/externalsecret.yaml
index 4f170682b..8451f9f0e 100644
--- a/kubernetes/apps/default/smtp-relay/app/externalsecret.yaml
+++ b/kubernetes/apps/default/smtp-relay/app/externalsecret.yaml
@@ -14,5 +14,5 @@ spec:
 creationPolicy: Owner
 dataFrom:
 - extract:
- # SMTP_DOMAIN, SMTP_EMAIL_SMTP_USERNAME, SMTP_PASSWORD
+ # SMTP_DOMAIN, SMTP_USERNAME, SMTP_PASSWORD
 key: smtp-relay
diff --git a/kubernetes/apps/default/smtp-relay/app/helmrelease.yaml b/kubernetes/apps/default/smtp-relay/app/helmrelease.yaml
index 8dac3caba..571b2bda3 100644
--- a/kubernetes/apps/default/smtp-relay/app/helmrelease.yaml
+++ b/kubernetes/apps/default/smtp-relay/app/helmrelease.yaml
@@ -38,7 +38,6 @@ spec:
 DEBUG: "true"
 SMTP_DOMAIN: "${SECRET_DOMAIN}"
 SMTP_SERVER: "smtp.fastmail.com"
- SMTP_USERNAME: "${SECRET_EMAIL_SMTP_USERNAME}"
 SMTP_PORT: "465"
 envFrom:
 - secretRef:
diff --git a/kubernetes/apps/default/zigbee2mqtt/app/volsync.yaml b/kubernetes/apps/default/zigbee2mqtt/app/volsync.yaml
index db74044ec..734c73e7d 100644
--- a/kubernetes/apps/default/zigbee2mqtt/app/volsync.yaml
+++ b/kubernetes/apps/default/zigbee2mqtt/app/volsync.yaml
@@ -30,7 +30,7 @@ metadata:
 name: zigbee2mqtt
 namespace: default
 spec:
- sourcePVC: zigbee2mqtt-images
+ sourcePVC: zigbee2mqtt-config
 trigger:
 schedule: "0 7 * * *"
 restic:
diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/externalsecret.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/externalsecret.yaml
new file mode 100644
index 000000000..791cb791e
--- /dev/null
+++ b/kubernetes/apps/flux-system/addons/webhooks/github/externalsecret.yaml
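Review bot: The helmrelease hunk keeps `SMTP_DOMAIN: "${SECRET_DOMAIN}"` under `env`, while the externalsecret hunk's updated comment says the `smtp-relay` item also supplies SMTP_DOMAIN through the `envFrom` secretRef; when the same key comes from both sources, the container's `env` entry takes precedence, so the secret's SMTP_DOMAIN would be silently shadowed. Either remove the `env` entry the way SMTP_USERNAME was removed, or drop SMTP_DOMAIN from the comment so the two files agree on which source is authoritative. I cannot see the item's actual fields, so this may be intentional if the item does not really carry SMTP_DOMAIN. The enclosing `spec:` blocks of both hunks start outside the hunks.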
@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: flux
+ namespace: flux-system
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: flux-github-webhook-secret
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ token: "{{ .GITHUB_WEBHOOK_TOKEN }}"
+ dataFrom:
+ - extract:
+ key: flux
diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/kustomization.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/kustomization.yaml
index 5461805cb..58532a27c 100644
--- a/kubernetes/apps/flux-system/addons/webhooks/github/kustomization.yaml
+++ b/kubernetes/apps/flux-system/addons/webhooks/github/kustomization.yaml
@@ -3,6 +3,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ./secret.sops.yaml
+ - ./externalsecret.yaml
 - ./ingress.yaml
 - ./receiver.yaml
diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml
index 20d5906f0..df253af02 100644
--- a/kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml
+++ b/kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml
@@ -11,7 +11,7 @@ spec:
 - ping
 - push
 secretRef:
- name: github-webhook-token
+ name: flux-github-webhook-secret
 resources:
 - apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml
deleted file mode 100644
index 670e5cf4f..000000000
--- a/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml
+++ /dev/null
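Review bot: The receiver hunk now points `secretRef` at `flux-github-webhook-secret`, a Secret that only exists once the new ExternalSecret has been reconciled through the `onepassword-connect` ClusterSecretStore, yet unlike the weave-gitops, gatus, thanos and external-dns changes in this commit no Flux Kustomization for the webhook addon gains `dependsOn: - name: cluster-apps-external-secrets-stores`. If this directory is applied by its own Flux Kustomization, add the same dependency so the Receiver is not reconciled against a missing Secret on a fresh bootstrap; if it is applied as part of the wider flux-system tree this may already be ordered correctly, which I cannot tell from the diff. The ExternalSecret's enclosing file is complete in the hunk; the Receiver's `spec:` starts outside it.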
@@ -1,28 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: github-webhook-token - namespace: flux-system -stringData: - token: ENC[AES256_GCM,data:PZfBsK+zNZE/DENaBkQPZEfkyN1d5mtxfAh5RtPfZ6JVeg9OWs5rgg==,iv:hCIawcGPC9SS5fC1cXHnJJ6sY4u5QtgeHWLwmlRf4p0=,tag:F9dBKyqi6LtBKC6cms8rBw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cXVUWXpjdXUveGE5M3Bl - SzVhQ0phSlVMN0tMMDZRUnM1UXFpbktxd3pzCkZwQ2dmSys4L0UrREtMekJwUkNC - amovOWJBdEs5aTZSZVkxeHliTTk2VEEKLS0tIG8xb0dKRGZyc0VSU0RMZ01HdkFk - dVJzZGNrWFhoVmd0MnVUbHpKdU1XcDQKLD4TlyCxE57RFvUFqLDuhsEyoBC+12Yu - IZzMQYI6bDVnsfv3BzlYAm4qHHPUnhtUX3Wdx/u5ZwOlpxcyBUqNFg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-09-13T20:01:22Z" - mac: ENC[AES256_GCM,data:4/WPXRmc2OpOlVDro7r196SyOthcxJ7W+S9517j7vdH5xFkn2sEbIycqXdtB9+BYzR4ytKDjCDrV0qRyQEWGzGEmFrgIbA6PbYosVXzuxxWOKdCi/PTZdRuKOFkF8imJ78rB53FovYT+KLk20j2T3BmrTG2pYc+GC+KEJZ4WQwM=,iv:G1Cu4AwP7xAE4YFKAKzJ/jgDmRH5PvVy563k1mqJSxA=,tag:UshpfATU6emszsi2YNgnOQ==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/flux-system/weave-gitops/app/externalsecret.yaml b/kubernetes/apps/flux-system/weave-gitops/app/externalsecret.yaml new file mode 100644 index 000000000..fc57073d3 --- /dev/null +++ b/kubernetes/apps/flux-system/weave-gitops/app/externalsecret.yaml 
@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: weave-gitops
+ namespace: flux-system
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: weave-gitops-secret
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ adminPassword: "{{ .WEAVE_GITOPS_ADMIN_PASSWORD }}"
+ dataFrom:
+ - extract:
+ key: flux
diff --git a/kubernetes/apps/flux-system/weave-gitops/app/kustomization.yaml b/kubernetes/apps/flux-system/weave-gitops/app/kustomization.yaml
index 22e17b7ae..8dd57db30 100644
--- a/kubernetes/apps/flux-system/weave-gitops/app/kustomization.yaml
+++ b/kubernetes/apps/flux-system/weave-gitops/app/kustomization.yaml
@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: flux-system
 resources:
+ - ./externalsecret.yaml
 - ./helmrelease.yaml
- - ./secret.sops.yaml
diff --git a/kubernetes/apps/flux-system/weave-gitops/app/secret.sops.yaml b/kubernetes/apps/flux-system/weave-gitops/app/secret.sops.yaml
deleted file mode 100644
index f7c88fe7f..000000000
--- a/kubernetes/apps/flux-system/weave-gitops/app/secret.sops.yaml
+++ /dev/null
@@ -1,29 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: weave-gitops - namespace: flux-system -stringData: - adminPassword: ENC[AES256_GCM,data:StBu3tl/3/54rmGudER6nID4XEYLjumoMDptFBggSrrO/NJFrDAeUJilYY8AEuUBO6JHASPXS18hAlSx,iv:p8J+v7E7tktWquc1v/TotXxBZ9Fvx6UUV7+UunFZgSw=,tag:SXiYy43RvwmM2r6C+rztgQ==,type:str] -type: Opaque -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLTTE0aWVrY0cva0lzNEl0 - T2d3aEs5clE2TWZZTXE4Ly8wcmpZVms5aDN3CjZoK0ptTjJXSmZiQ1RGMmk3ckJZ - RlA1YURROG9PRXNFd0UyUzlST1RydzAKLS0tIGJiVyt2elc0Q0FWaEVGN1A0bS9Z - WUlSN1lLaHh0cTVOaHBGblU3Tmh6ZUEK0jJjreF4xiwHMqhLaQKZFgeeikjeRRqg - KzsMDy93tQKSByzwSD3UFcKHW48iiQAy/J1Q12bEaXSFBkOd5mILZw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-19T10:51:30Z" - mac: ENC[AES256_GCM,data:1b3WHgY9H5yAxwxbHvjPKGFZWmJ1iu945G5illQs6mEfmSrR1ZPvlBKn8eMNuSv1VN18ZhGWicFPpiwwe3MVFRr1G5Vn4F2VtS9F2Ap5IvWDW+F0vJfOAp6OdpT/TOOinp1Es9Pspd4JTpkr+Pk8tGDvVtnZ0aLer+qLv4SYZKA=,iv:zr2ZuwaqNaihfcX3KUKz0yXuGqX6o9o0zXfrhIY5vv4=,tag:kNIuKQ7Z7CbwhSBqgv5F+Q==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/flux-system/weave-gitops/ks.yaml b/kubernetes/apps/flux-system/weave-gitops/ks.yaml index 30119ea8d..aab645d62 100644 --- a/kubernetes/apps/flux-system/weave-gitops/ks.yaml +++ b/kubernetes/apps/flux-system/weave-gitops/ks.yaml @@ -13,6 +13,8 @@ spec: sourceRef: kind: GitRepository name: home-ops-kubernetes + dependsOn: + - name: cluster-apps-external-secrets-stores healthChecks: - apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease diff --git a/kubernetes/apps/monitoring/gatus/app/externalsecret.yaml b/kubernetes/apps/monitoring/gatus/app/externalsecret.yaml new file mode 100644 index 000000000..a0e33d1d5 --- /dev/null 
+++ b/kubernetes/apps/monitoring/gatus/app/externalsecret.yaml
@@ -0,0 +1,30 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: gatus
+ namespace: monitoring
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: gatus-secret
+ creationPolicy: Owner
+ template:
+ data:
+ # App
+ CUSTOM_PUSHOVER_APP_TOKEN: '{{ .PUSHOVER_API_TOKEN }}'
+ CUSTOM_PUSHOVER_USER_KEY: '{{ .PUSHOVER_USER_KEY }}'
+ # Postgres Init
+ INIT_POSTGRES_DBNAME: gatus
+ INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+ INIT_POSTGRES_USER: '{{ .POSTGRES_USER }}'
+ INIT_POSTGRES_PASS: '{{ .POSTGRES_PASS }}'
+ INIT_POSTGRES_SUPER_PASS: '{{ .POSTGRES_SUPER_PASS }}'
+ dataFrom:
+ - extract:
+ key: pushover
+ - extract:
+ key: gatus
diff --git a/kubernetes/apps/monitoring/gatus/app/kustomization.yaml b/kubernetes/apps/monitoring/gatus/app/kustomization.yaml
index 3c0ad293f..df0b2d83e 100644
--- a/kubernetes/apps/monitoring/gatus/app/kustomization.yaml
+++ b/kubernetes/apps/monitoring/gatus/app/kustomization.yaml
@@ -4,9 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: monitoring
 resources:
- - ./rbac.yaml
+ - ./externalsecret.yaml
 - ./helmrelease.yaml
- - ./secret.sops.yaml
+ - ./rbac.yaml
 configMapGenerator:
 - name: gatus-configmap
 files:
diff --git a/kubernetes/apps/monitoring/gatus/app/secret.sops.yaml b/kubernetes/apps/monitoring/gatus/app/secret.sops.yaml
deleted file mode 100644
index c73148e80..000000000
--- a/kubernetes/apps/monitoring/gatus/app/secret.sops.yaml
+++ /dev/null
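Review bot: The gatus ExternalSecret omits `engineVersion: v2` under `template`, while every other ExternalSecret added in this commit (github webhook, weave-gitops, thanos, external-dns) sets it explicitly; add `engineVersion: v2` directly after `template:` so all templates are rendered by the same engine instead of relying on the API default. The templated values here are single-quoted (`'{{ .POSTGRES_USER }}'`) whereas the sibling files use double quotes — equivalent YAML, but worth normalising to one form. Two `extract` entries (`pushover` and `gatus`) feed a single template, so a field name present in both items would resolve to only one of them; confirm the two items have no overlapping field names.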
@@ -1,37 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -metadata: - name: gatus-secret - namespace: default -type: Opaque -stringData: - #ENC[AES256_GCM,data:4iasPQ==,iv:j84wn0onGKCdIv/VhnRkc9WUrJcKzi15PPAaccPktMI=,tag:qZSBg8M5mq0r+dwfj910LQ==,type:comment] - CUSTOM_PUSHOVER_APP_TOKEN: ENC[AES256_GCM,data:ojqz+I3cIQraQ8b1d79R5UCOyJ9fw6WUKP8QaclG,iv:Vh85QNkt2f9N2G4lE25EuXfFbswUp9LOdPGGFhU/j4I=,tag:m0DXN5UNUSQvH3SG5BXphw==,type:str] - CUSTOM_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:3Ses6r1zh2AK9GjM/RAnt4fuzX86T55gpKP4Bfh2,iv:jTeHDvE35nRE8eNYR0kORPKpdFSuGB0MbhUr6oM38Go=,tag:Km2OBE/6oFCK3Flvl8X5Wg==,type:str] - #ENC[AES256_GCM,data:SkRXz/l1EiEl5Ywk9ro=,iv:rFH21ODFH5qmPQQfutNenDgc3gGFZpkY1fa9SC95ZXU=,tag:6/LbsWB4bsaoTyS9Mvbzog==,type:comment] - INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:N+UhTeY=,iv:TtHF6zRpl+vYKJDy6aPgLuo+laVQoYdnq2th+0T3Ok0=,tag:EOT48yIZyqjoQzPVVv111A==,type:str] - INIT_POSTGRES_HOST: ENC[AES256_GCM,data:lcvnmK3SIsfTtZV9ootfzd/RMRo1sNLQ8qAkYpVFgwjHzDKMaA==,iv:YVr19WtibsOb33WiKnGSJF7DXyoAJ5F8etk7DtqDSqU=,tag:njOVD5yFmjCFezTlGQdE5A==,type:str] - INIT_POSTGRES_USER: ENC[AES256_GCM,data:NfdJfi4=,iv:4P95EsR9n4nD+nJVqXsavjoJasmdQURMHll9TAzDZiI=,tag:dTPUyxMe/qRKr+8lnpebwQ==,type:str] - INIT_POSTGRES_PASS: ENC[AES256_GCM,data:hnRc8W9HOO/n9nj+6jsGwgbTUjo=,iv:9NX9kB1zlJ4UaQ5FLpk6z9Kuit6jGaBCvgNAS6xwz70=,tag:B9Ue9UiOosM2egzSYhWC8w==,type:str] - INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:naR9T7rV1zZcJ42UQesZrQ==,iv:l6UUSCWvQGRgVzM5B/W9YCqVG7v0U63BDp3ANJi2Bu0=,tag:KRRbDtBOKJJg3wQAPwlOrQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2 - bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC - VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw - OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+ - 
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-08T06:43:48Z" - mac: ENC[AES256_GCM,data:OAz4DxyejtZsew6tL3F8AOIsfXOJFSgtMLzRzPv7Yure9GG4hEq+pj432HC48R/o4hQw7cNicxbHPAoSJIPtjqlNZsRStnGuPE2WBfeTaHS0XZsCesKbxW8VJ4vChbB1kp9gDV05JKETsUXAFnmSchiU6SGTvxgHepjbjYodxLk=,iv:iVcKX4O2qBKBU/UVVHsufBfD9iGUbfjFgkfDCjqN0d0=,tag:ENxJhJBvRdtcpjZjWoKXGQ==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/monitoring/gatus/ks.yaml b/kubernetes/apps/monitoring/gatus/ks.yaml index 01ceded41..5a57f4769 100644 --- a/kubernetes/apps/monitoring/gatus/ks.yaml +++ b/kubernetes/apps/monitoring/gatus/ks.yaml @@ -10,6 +10,7 @@ metadata: spec: dependsOn: - name: cluster-apps-cloudnative-pg-cluster + - name: cluster-apps-external-secrets-stores path: ./kubernetes/apps/monitoring/gatus/app prune: true sourceRef: diff --git a/kubernetes/apps/monitoring/thanos/app/externalsecret.yaml b/kubernetes/apps/monitoring/thanos/app/externalsecret.yaml new file mode 100644 index 000000000..0809aca49 --- /dev/null +++ b/kubernetes/apps/monitoring/thanos/app/externalsecret.yaml @@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: thanos + namespace: flux-system +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: thanos-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + S3_ACCESS_KEY: "{{ .THANOS_S3_ACCESS_KEY }}" + S3_SECRET_KEY: "{{ .THANOS_S3_SECRET_KEY }}" + dataFrom: + - extract: + key: thanos diff --git a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml b/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml index 218bc82e2..6977c6526 100644 --- a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml 
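Review bot: The thanos ExternalSecret declares `namespace: flux-system` under `metadata`, but the thanos app kustomization in the next file sets `namespace: monitoring`, and the HelmRelease whose `valuesFrom` reads `thanos-secret` lives in that namespace. Kustomize's namespace field rewrites the value to `monitoring`, so the manifest works as applied, but the literal is misleading and looks copied from the weave-gitops file; change it to `namespace: monitoring` to match the gatus and external-dns ExternalSecrets, which declare the namespace their kustomization sets.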
+++ b/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml
@@ -33,6 +33,10 @@ spec:
 tag: v0.31.0
 objstoreConfig:
 type: s3
+ config:
+ bucket: thanos
+ endpoint: "truenas.${SECRET_DOMAIN}:51515"
+ region: ""
 query:
 enabled: true
 replicaCount: 2
@@ -109,22 +113,10 @@ spec:
 enabled: true
 valuesFrom:
 - kind: Secret
- name: thanos
- valuesKey: S3_BUCKET_NAME
- targetPath: objstoreConfig.config.bucket
- - kind: Secret
- name: thanos
- valuesKey: S3_BUCKET_HOST
- targetPath: objstoreConfig.config.endpoint
- - kind: Secret
- name: thanos
- valuesKey: S3_BUCKET_REGION
- targetPath: objstoreConfig.config.region
- - kind: Secret
- name: thanos
+ name: thanos-secret
 valuesKey: S3_ACCESS_KEY
 targetPath: objstoreConfig.config.access_key
 - kind: Secret
- name: thanos
+ name: thanos-secret
 valuesKey: S3_SECRET_KEY
 targetPath: objstoreConfig.config.secret_key
diff --git a/kubernetes/apps/monitoring/thanos/app/kustomization.yaml b/kubernetes/apps/monitoring/thanos/app/kustomization.yaml
index f95906c2d..96afd809a 100644
--- a/kubernetes/apps/monitoring/thanos/app/kustomization.yaml
+++ b/kubernetes/apps/monitoring/thanos/app/kustomization.yaml
@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: monitoring
 resources:
- - ./secret.sops.yaml
+ - ./externalsecret.yaml
 - ./helmrelease.yaml
diff --git a/kubernetes/apps/monitoring/thanos/app/secret.sops.yaml b/kubernetes/apps/monitoring/thanos/app/secret.sops.yaml
deleted file mode 100644
index ada0ac633..000000000
--- a/kubernetes/apps/monitoring/thanos/app/secret.sops.yaml
+++ /dev/null
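Review bot: The first helmrelease hunk moves `bucket`, `endpoint` and `region` out of the encrypted Secret (formerly `S3_BUCKET_NAME`, `S3_BUCKET_HOST`, `S3_BUCKET_REGION`) into plain chart values, so the object-store endpoint `truenas.${SECRET_DOMAIN}:51515` is now readable in git. That is usually acceptable for an internal hostname and port, but it is a deliberate declassification and deserves a line in the commit message. The `${SECRET_DOMAIN}` placeholder only renders when post-build substitution stays enabled for this Kustomization (the `substitution.flux.home.arpa/enabled: "true"` annotation visible in the thanos ks.yaml hunk); a comment such as `# endpoint is substituted by Flux post-build; see ks.yaml` next to `config:` would make that dependency explicit. The enclosing `spec:` of both hunks starts outside them.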
@@ -1,32 +0,0 @@ -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: thanos - namespace: monitoring -stringData: - S3_BUCKET_NAME: ENC[AES256_GCM,data:0q5tjzGN,iv:RYjlKFAJpR6NSjimSAf8JrS2t1mUGSCAjusrYhTyiuw=,tag:AAIwBbmYoflm5M1EVbHM4A==,type:str] - S3_BUCKET_HOST: ENC[AES256_GCM,data:/9U/cHXmbGnbDCNm37zy0PzRbt5RI2LN7g==,iv:LLCrwkc6k3mXbJVWa2FivgEsbQKa9OyJWpe47BwExB8=,tag:qji0SWdaSgp8tNANSSB9Hg==,type:str] - S3_BUCKET_REGION: "" - S3_ACCESS_KEY: ENC[AES256_GCM,data:zTvAiBiukR1RP5eACMfgBsoTbwI=,iv:IIMUgN5SO+0i9/8w8QHpRgiTzQsOELqgMZAsARvcZJQ=,tag:lIvDTJ8i5UiOkZRMLrgV7g==,type:str] - S3_SECRET_KEY: ENC[AES256_GCM,data:mUHk2N4tcbh3si26uZx3J/gkXWH4gqk4/vJfJ3J03mreNsD8VlNePw==,iv:+wS4yLwKrFALFF51BLxXFpP0ROlR7qdBTVpFCJ/tizM=,tag:VJr9s444GB5GPft/8897mw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSHQ5b3RRYjdGd3JYQkxh - cnRBTlJuMm9NTU96TFRpSEg0K2UrdnJ1V1VjCkZpRmwvSmZ3ZHJNaGNNS21mUytt - VXRMVzhSemx4NGZYSUtCS3g3Q281dXcKLS0tIC94NCtGVWF2U055NEZJTmtpenVM - L3c2WElEOU4rS0hrU1NPQ1NPZitDVDgKaN3P5xK1O1i9lTSAGJU+GIxbIoTb5OMO - if3medB2nPLEt5BUY2datTbswXiT3E9rFyka/Maq6afZjFiixK5mFQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-22T22:26:04Z" - mac: ENC[AES256_GCM,data:ANDShRftczGroCYNFKa/WdF22PgZ9yA6xhxdfe7/HHs0vQU48Q8nOrOT66P+8HDRV63I5ddodOurVtztFyGc8I0YdU2Bg1P2rnEmStfJsGGidTIqNloopCArsAH2UJj/fxwUA3dxswFURvgIagpjfdWHYGT2vzma44CORrk5vpU=,iv:KiFlpjLy+hj6V2dUoZeBdr3eq22So4G2oAA2QutF3UU=,tag:fkpjbQFU0Habj3d+6mNZLQ==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/monitoring/thanos/ks.yaml b/kubernetes/apps/monitoring/thanos/ks.yaml index fbba05bad..61f1b0035 100644 --- a/kubernetes/apps/monitoring/thanos/ks.yaml +++ b/kubernetes/apps/monitoring/thanos/ks.yaml 
@@ -9,6 +9,7 @@ metadata:
 substitution.flux.home.arpa/enabled: "true"
 spec:
 dependsOn:
+ - name: cluster-apps-external-secrets-stores
 - name: cluster-apps-rook-ceph-cluster
 path: ./kubernetes/apps/monitoring/thanos/app
 prune: true
diff --git a/kubernetes/apps/networking/external-dns/app/externalsecret.yaml b/kubernetes/apps/networking/external-dns/app/externalsecret.yaml
new file mode 100644
index 000000000..0c5c811f9
--- /dev/null
+++ b/kubernetes/apps/networking/external-dns/app/externalsecret.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: external-dns
+ namespace: networking
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: external-dns-secret
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ OVH_APPLICATION_KEY: "{{ .OVH_APPLICATION_KEY }}"
+ OVH_APPLICATION_SECRET: "{{ .OVH_APPLICATION_SECRET }}"
+ OVH_CONSUMER_KEY: "{{ .OVH_CONSUMMER_KEY }}"
+ dataFrom:
+ - extract:
+ key: external-dns
diff --git a/kubernetes/apps/networking/external-dns/app/helmrelease.yaml b/kubernetes/apps/networking/external-dns/app/helmrelease.yaml
index 91da0a4c5..f3e740ccd 100644
--- a/kubernetes/apps/networking/external-dns/app/helmrelease.yaml
+++ b/kubernetes/apps/networking/external-dns/app/helmrelease.yaml
@@ -6,7 +6,7 @@ metadata:
 name: external-dns
 namespace: networking
 spec:
- interval: 15m
+ interval: 30m
 chart:
 spec:
 chart: external-dns
@@ -15,7 +15,7 @@ spec:
 kind: HelmRepository
 name: external-dns
 namespace: flux-system
- maxHistory: 3
+ maxHistory: 2
 install:
 createNamespace: true
 remediation:
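Review bot: In the external-dns ExternalSecret, `OVH_CONSUMER_KEY: "{{ .OVH_CONSUMMER_KEY }}"` references a template variable spelled `CONSUMMER` while the two sibling keys reference variables spelled exactly like their Secret keys; if the field in the `external-dns` 1Password item is actually named `OVH_CONSUMER_KEY`, this lookup produces no value and the container's OVH_CONSUMER_KEY (wired up in the next helmrelease hunk) ends up empty. The deleted sops secret also used the `consummer-key` spelling, so the item may genuinely be named that way — verify the field name, and either rename it in the store and use `"{{ .OVH_CONSUMER_KEY }}"`, or add `# field is spelled OVH_CONSUMMER_KEY in the 1Password item` above this line so the mismatch is not "fixed" by the next reader.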
@@ -34,18 +34,18 @@ spec:
 - name: OVH_APPLICATION_KEY
 valueFrom:
 secretKeyRef:
- name: ovh-external-dns-creds
- key: application-key
+ name: external-dns-secret
+ key: OVH_APPLICATION_KEY
 - name: OVH_APPLICATION_SECRET
 valueFrom:
 secretKeyRef:
- name: ovh-external-dns-creds
- key: application-secret
+ name: external-dns-secret
+ key: OVH_APPLICATION_SECRET
 - name: OVH_CONSUMER_KEY
 valueFrom:
 secretKeyRef:
- name: ovh-external-dns-creds
- key: consummer-key
+ name: external-dns-secret
+ key: OVH_CONSUMER_KEY
 extraArgs:
 - --annotation-filter=external-dns.home.arpa/enabled in (true)
 policy: sync
diff --git a/kubernetes/apps/networking/external-dns/app/kustomization.yaml b/kubernetes/apps/networking/external-dns/app/kustomization.yaml
index a6a058c0f..cea9678b3 100644
--- a/kubernetes/apps/networking/external-dns/app/kustomization.yaml
+++ b/kubernetes/apps/networking/external-dns/app/kustomization.yaml
@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: networking
 resources:
- - ./secret.sops.yaml
+ - ./externalsecret.yaml
 - ./helmrelease.yaml
diff --git a/kubernetes/apps/networking/external-dns/app/secret.sops.yaml b/kubernetes/apps/networking/external-dns/app/secret.sops.yaml
deleted file mode 100644
index ff5a02685..000000000
--- a/kubernetes/apps/networking/external-dns/app/secret.sops.yaml
+++ /dev/null
@@ -1,31 +0,0 @@ -# yamllint disable -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: ovh-external-dns-creds - namespace: networking -stringData: - application-key: ENC[AES256_GCM,data:eM+c4o7krcCr38iYl+V9aw==,iv:bWvn6Du2AYczidEiYcCiiXiCWQoNTM55+pEqEDT5gVg=,tag:XAtpQsK7J7mQWs47qqAt/Q==,type:str] - application-secret: ENC[AES256_GCM,data:dsAI3MXIpqC5FQZojzchOUfJPARBYOOUbnmY042w9DQ=,iv:gLh0ySZfm1akVIcnN/LMuuI7GZrBBq/X6mnQd1j9BeA=,tag:wIKWVoDMRfn68Ot56HFPGA==,type:str] - consummer-key: ENC[AES256_GCM,data:5RZrrLBGOhmnPLyRBy83SSAYz67h9zfIwx2cEUSxFAs=,iv:x3rMt3obLjR12PSiuzFb4qPirnMXpxojFZ9sTDp2pis=,tag:2ve3wWb2bHQQUA8m7+gyKQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByazlaTU9oZFR2Y2U1blg0 - VXdUK3BzL1hsM3RydHQzcE95RklOTUdVWEE4CnNkOGprRVFCNFZjTkpOMnJ0R09T - RWhhemdvb243UGlVMHhjWVUzTW03V00KLS0tIDJ3d1NYdkJLaHlvQXBCbFlDZXRp - bi8wYjlEM0xGZExSV05HSGlkYjQ2VlUKesUixJpqR2iYx5kNxrbD0kTG1siHVKqq - sh8UblAqd1av0/3Qpj9dMF8awR8Q80dElcEwXT90Ks/S7p/uEA358g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-12-27T00:19:30Z" - mac: ENC[AES256_GCM,data:hbC1/+QtH1O0w7cCshPm5b/3pljWMR4Q1bhqoepIJEeLa82N3YqHZ4PcEKPHaJKRpzBN/+OcoMMAC29xBzp+yaS3WZLkh7cz2rYC4+16fjZCjwChZXJOtyE8CrUlsXUj7OvL23RnscCE/0fuIL4uRWqLKokLkbdc6X+sVRlY4l0=,iv:JZZIrTeY0L4jy4cUZfmcm3+ZCjxgn27qIdJf5pVrZkM=,tag:DM+XGSXt/rD/5jTW6LaWTQ==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/apps/networking/external-dns/ks.yaml b/kubernetes/apps/networking/external-dns/ks.yaml index 0a68d9877..ebac86c78 100644 --- a/kubernetes/apps/networking/external-dns/ks.yaml +++ b/kubernetes/apps/networking/external-dns/ks.yaml 
@@ -13,6 +13,8 @@ spec:
 sourceRef:
 kind: GitRepository
 name: home-ops-kubernetes
+ dependsOn:
+ - name: cluster-apps-external-secrets-stores
 healthChecks:
 - apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml
index 34ea66c94..bc7c8922d 100644
--- a/kubernetes/flux/vars/cluster-secrets.sops.yaml
+++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml
@@ -9,12 +9,7 @@ stringData: SECRET_CLUSTER_DOMAIN_EMAIL: ENC[AES256_GCM,data:j1yBajAlXKQeDuvbV2IyJp8IT3wA,iv:pxPgYZEZ6pvcr6trM1gkL5MZORewARaiVfwRTyWxny0=,tag:y31EGp46NgF/Pf3hQ2Iavw==,type:str] SECRET_DOMAIN: ENC[AES256_GCM,data:UtdBDs6+azVHO7Y=,iv:ZnWrBW+vW6HiMs1PbgY2LjcwUwuUh1HxYjqvOXvCrDk=,tag:r6uDIJhVoTIcizIfRW+lHw==,type:str] SECRET_CLUSTER_DOMAIN: ENC[AES256_GCM,data:lTfn9GCJHlgeO/BGXbvT,iv:LBsxVLf+WpS7Ac233XjVoWCjHqZpnhhhiJn2Q0YEHt8=,tag:d//kWxt2bJkqCF1EkEzYqA==,type:str] - SECRET_CLUSTER_OVH_APPLICATION_KEY: ENC[AES256_GCM,data:W8BOyYQbQJpQco0XQ8wgtA==,iv:z/nc9+DkIkvKw6Daf/UpuMsIc/H7AnwQF5ZjQarf03U=,tag:j+Qm6oK6jei7EFDBTT5ddQ==,type:str] - SECRET_CLUSTER_OVH_APPLICATION_SECRET: ENC[AES256_GCM,data:+R6Vy1qlYZuvFsGTnK3m94PuzdsYNPe1JVpGqhq9Dy0=,iv:bNKMp6VNMyuiJokr5xm9To2OuBYzoiJSRXUm4S00MdI=,tag:8YJoz5MICyC9bES/IP6ROw==,type:str] - SECRET_CLUSTER_OVH_CONSUMER_KEY: ENC[AES256_GCM,data:HwEaNSLEoON99KzgVLuDWxj8DPz1gz8tc3q/1hWJOvM=,iv:uTHCAT81Js9yQ/7iK90+elZzA0j6ia7AOWEufE1i/4k=,tag:D4tI50RyJz8o3n9hrrYz4Q==,type:str] SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY: ENC[AES256_GCM,data:ecukkFOK40WWIxJ48sXrxJUBaHx2BnzqxkIT+cXYZg4=,iv:y6AfslVPufBfrIL3GQqTw0cDAan64mB9J7RY9OzKQqw=,tag:+V4Rgz26wey2UtA32S0PJQ==,type:str] - SECRET_EMAIL_DOMAIN: ENC[AES256_GCM,data:tggMEXyLi03dAorm,iv:tXHmWmm9wUIOyGXbHUagS0gl4cEW588XSvBIoNsADFw=,tag:69X+WZoj6CiI6mUJT01DzQ==,type:str] - SECRET_EMAIL_SMTP_USERNAME: ENC[AES256_GCM,data:U8UiC6SdBbX9JbpRglyXfofDzYf+LNY=,iv:BLqn6nWm+il2yxWBJgpjlLKp5/eVh8L9qSEfM9LzUEo=,tag:1+afhSVYeHTvzzBiTxP7Ew==,type:str] SECRET_GITEA_API_TOKEN: ENC[AES256_GCM,data:lHrRfoAtj/sY7aFiWibf7ejrwn5ANa62d85kyPKxpZhXhdiz5jHcAw==,iv:D4ac1ltRrsHEM1z/bG0gHQZ4TntCK4fEj8BoYxDv7XM=,tag:yXVYJNpbM46ri9kW8MwxwQ==,type:str] SECRET_GITEA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:VWetZHP8haXPy1r20RMJvECxEWw=,iv:B3+rjPXWSbyCdi4KAy/FeMbtNUv40UIWN462OWfv9Ww=,tag:5wK7nUGu7HmdC90d2jllwQ==,type:str] SECRET_GRAFANA_OAUTH_CLIENT_SECRET: 
ENC[AES256_GCM,data:3igfeqGHygjnmJXnoiKV7W8Tm2M=,iv:Hrjh38GuRvzS4Hi69QftBhaAJ02is5B0E5h23XICpUc=,tag:O4JFVSaoTQDhf3QZPLbn1Q==,type:str] 
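Review bot: This hunk drops `SECRET_EMAIL_DOMAIN` from the cluster-wide substitution variables along with the three `SECRET_CLUSTER_OVH_*` entries and `SECRET_EMAIL_SMTP_USERNAME`, and the following hunk drops `SECRET_MQTT_USER`, `SECRET_MQTT_PASSWORD`, `SECRET_RADARR_API_KEY` and `SECRET_SONARR_API_KEY`; the OVH and SMTP-username consumers are migrated to ExternalSecrets elsewhere in this commit, but nothing here replaces the other five. If any manifest still references `${SECRET_EMAIL_DOMAIN}` or the MQTT, Radarr or Sonarr variables, Flux post-build substitution will no longer have a value for it, so grep the repository for those names before merging. The file is sops-encrypted, so this review can only go by the key names; the values themselves are not inspectable here.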
@@ -27,12 +22,8 @@ stringData: SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:X1J9WLT26soYzlDb8+YtPotGw8p0lJKMuNkn69WX,iv:mW2cJOq5gfzSE+U24IuvPVL+dL2nZcTFpPAkG77Ohus=,tag:kxokidtuE5RAGJlj4Q4P2A==,type:str] SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str] SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:L7LS6+tuwPCyb5HN4zg=,iv:JM2KTtDN/VrKicjp5qwqusWiJKHRZnfTtsZE2hkLq6Q=,tag:XGF3L5P6JxVBrlGuKosdZA==,type:str] - SECRET_MQTT_USER: ENC[AES256_GCM,data:Ggn82GysDHM2b/uNhQ==,iv:f5NXCE5/nfTqq1zdtBNH6Lu8ndf5YZKHgEWc9O0fB0I=,tag:z1OUzEeVgm+a9QRBxo9BEg==,type:str] - SECRET_MQTT_PASSWORD: ENC[AES256_GCM,data:WBqLezPi1sbzyzfubG71KfR+tg==,iv:gKDgjpPwZ+fEWs+zn3aHiiKglsEl/kue/vx2FaSAtsA=,tag:jXECLxyekqmejJfi11DKsQ==,type:str] SECRET_NITTER_HMAC: ENC[AES256_GCM,data:pOA1LqHV9rcY3xAv5JMuSCMz1rk=,iv:3LkFNu/M3r1K/xBE/f7Kbf526eA4cgyGr4Wu/c+gxD0=,tag:ibJ8U+Pa66B2UmWwP/ZhNQ==,type:str] SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str] - SECRET_RADARR_API_KEY: ENC[AES256_GCM,data:Mom5SOMHf7xUvvUkjLIRqMzOSSQshzWdKlSGIzZtIGM=,iv:4vrZFrsTCUW2e0bo2sA2iT+ZVKUDEuyferNJ5Q5klFY=,tag:xha/NKx2XN3Mpa0XPSMPvA==,type:str] - SECRET_SONARR_API_KEY: ENC[AES256_GCM,data:JO5N+MeVeQmAlfv/dLJru5oHyVjpy9iUrfrTe4PLVXA=,iv:NjGstpjwFapd2LJNPy6nhXsp9UuCYTBuHRovmHdCSNc=,tag:BARsx6FBISHhxueBSDJSNw==,type:str] SECRET_SHARRY_DB_USERNAME: ENC[AES256_GCM,data:wWnV6hHz,iv:+uV0X2tovaisFuO5KcF9PpKPyYeS4WtrrPt4Ll+CnsU=,tag:zNWR9AqheMGho0yV923vvw==,type:str] SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:Y0gk4bRcEws2b0SF4AY=,iv:3cQbD/uvWNGjEmz3z8uEbXWwJffIrTj3nSDsGBS0MEU=,tag:RsIBq9zI8+2temGj5r/Lqg==,type:str] SECRET_SHARRY_MINIO_S3_ACCESS_KEY: 
ENC[AES256_GCM,data:2qLE/cs=,iv:Ctrw213BgCC2jyEvFp38aOejzY/ZYiwAj9fsPzXgaY0=,tag:LBlIUm1LTAjUIKu4JeLw9A==,type:str] @@ -53,8 +44,8 @@ sops: WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-05T20:29:14Z" - mac: ENC[AES256_GCM,data:764Iz1qP+0cjtmBZyuOOW0A1t6om8ab7YEzNRP5P8q6BY6Mpr8HOAK8rJMXq/TqTNXzzHb2XqnfItAxcv4XYuq/5mjEioAiSd9hbbh+l6WhXEw14zTSVN9IOJCo3ClWG8ybXBc8V/kbcBtZwOYM5ikVz5j2ik0304HEabhTfz3c=,iv:Z59Sptg2svDUJC2MJ/pB1FF7Dir/x4CKIlrQO+7Ut1Q=,tag:OwvfegpdvuMtYbhIQfNaGA==,type:str] + lastmodified: "2023-07-14T21:58:35Z" + mac: ENC[AES256_GCM,data:G2sYqZY5/E/4QWVYKV5RGT5XCCnH5SIjdbW/xqw6WCV6G2nIEDpHKXSPKFLlzWHTsW3jRjWW2SOQ59ftkY5CB4doMi8EzEGzqMyw1d0llwl6sXGPzwOBjqlOeoECCc0/xm2BKA6bJ3uTyeifyFNQSx4iBvM8Djv1JTrIE/P8pVE=,iv:x8o2b+wO8FD43RtwHvz73yEtefTsgV6a1pWehLPSHoI=,tag:sqg4/tUSVE3AyZWhUGi9jw==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3