fixup! ♻️ migration externalsecrets

2025-09-17 18:24:14 +02:00 · 2023-07-14 23:16:36 +02:00
parent 7029232412
commit 179b8d6d8c
26 changed files with 148 additions and 200 deletions
--- a/kubernetes/apps/monitoring/thanos/app/externalsecret.yaml
+++ b/kubernetes/apps/monitoring/thanos/app/externalsecret.yaml
@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: thanos
+  namespace: flux-system
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: thanos-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        S3_ACCESS_KEY: "{{ .THANOS_S3_ACCESS_KEY }}"
+        S3_SECRET_KEY: "{{ .THANOS_S3_SECRET_KEY }}"
+  dataFrom:
+    - extract:
+        key: thanos
--- a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml
@@ -33,6 +33,10 @@ spec:
      tag: v0.31.0
    objstoreConfig:
      type: s3
+      config:
+        bucket: thanos
+        endpoint: "truenas.${SECRET_DOMAIN}:51515"
+        region: ""
    query:
      enabled: true
      replicaCount: 2
@@ -109,22 +113,10 @@ spec:
        enabled: true
  valuesFrom:
    - kind: Secret
-      name: thanos
-      valuesKey: S3_BUCKET_NAME
-      targetPath: objstoreConfig.config.bucket
-    - kind: Secret
-      name: thanos
-      valuesKey: S3_BUCKET_HOST
-      targetPath: objstoreConfig.config.endpoint
-    - kind: Secret
-      name: thanos
-      valuesKey: S3_BUCKET_REGION
-      targetPath: objstoreConfig.config.region
-    - kind: Secret
-      name: thanos
+      name: thanos-secret
      valuesKey: S3_ACCESS_KEY
      targetPath: objstoreConfig.config.access_key
    - kind: Secret
-      name: thanos
+      name: thanos-secret
      valuesKey: S3_SECRET_KEY
      targetPath: objstoreConfig.config.secret_key
--- a/kubernetes/apps/monitoring/thanos/app/kustomization.yaml
+++ b/kubernetes/apps/monitoring/thanos/app/kustomization.yaml
@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: monitoring
 resources:
-  - ./secret.sops.yaml
+  - ./externalsecret.yaml
  - ./helmrelease.yaml
--- a/kubernetes/apps/monitoring/thanos/app/secret.sops.yaml
+++ b/kubernetes/apps/monitoring/thanos/app/secret.sops.yaml
@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-    name: thanos
-    namespace: monitoring
-stringData:
-    S3_BUCKET_NAME: ENC[AES256_GCM,data:0q5tjzGN,iv:RYjlKFAJpR6NSjimSAf8JrS2t1mUGSCAjusrYhTyiuw=,tag:AAIwBbmYoflm5M1EVbHM4A==,type:str]
-    S3_BUCKET_HOST: ENC[AES256_GCM,data:/9U/cHXmbGnbDCNm37zy0PzRbt5RI2LN7g==,iv:LLCrwkc6k3mXbJVWa2FivgEsbQKa9OyJWpe47BwExB8=,tag:qji0SWdaSgp8tNANSSB9Hg==,type:str]
-    S3_BUCKET_REGION: ""
-    S3_ACCESS_KEY: ENC[AES256_GCM,data:zTvAiBiukR1RP5eACMfgBsoTbwI=,iv:IIMUgN5SO+0i9/8w8QHpRgiTzQsOELqgMZAsARvcZJQ=,tag:lIvDTJ8i5UiOkZRMLrgV7g==,type:str]
-    S3_SECRET_KEY: ENC[AES256_GCM,data:mUHk2N4tcbh3si26uZx3J/gkXWH4gqk4/vJfJ3J03mreNsD8VlNePw==,iv:+wS4yLwKrFALFF51BLxXFpP0ROlR7qdBTVpFCJ/tizM=,tag:VJr9s444GB5GPft/8897mw==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSHQ5b3RRYjdGd3JYQkxh
-            cnRBTlJuMm9NTU96TFRpSEg0K2UrdnJ1V1VjCkZpRmwvSmZ3ZHJNaGNNS21mUytt
-            VXRMVzhSemx4NGZYSUtCS3g3Q281dXcKLS0tIC94NCtGVWF2U055NEZJTmtpenVM
-            L3c2WElEOU4rS0hrU1NPQ1NPZitDVDgKaN3P5xK1O1i9lTSAGJU+GIxbIoTb5OMO
-            if3medB2nPLEt5BUY2datTbswXiT3E9rFyka/Maq6afZjFiixK5mFQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-11-22T22:26:04Z"
-    mac: ENC[AES256_GCM,data:ANDShRftczGroCYNFKa/WdF22PgZ9yA6xhxdfe7/HHs0vQU48Q8nOrOT66P+8HDRV63I5ddodOurVtztFyGc8I0YdU2Bg1P2rnEmStfJsGGidTIqNloopCArsAH2UJj/fxwUA3dxswFURvgIagpjfdWHYGT2vzma44CORrk5vpU=,iv:KiFlpjLy+hj6V2dUoZeBdr3eq22So4G2oAA2QutF3UU=,tag:fkpjbQFU0Habj3d+6mNZLQ==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3
--- a/kubernetes/apps/monitoring/thanos/ks.yaml
+++ b/kubernetes/apps/monitoring/thanos/ks.yaml
@@ -9,6 +9,7 @@ metadata:
    substitution.flux.home.arpa/enabled: "true"
 spec:
  dependsOn:
+    - name: cluster-apps-external-secrets-stores
    - name: cluster-apps-rook-ceph-cluster
  path: ./kubernetes/apps/monitoring/thanos/app
  prune: true