fixup! ♻️ migration externalsecrets

kubernetes/apps/default/smtp-relay/app/externalsecret.yaml

@@ -14,5 +14,5 @@ spec:
     creationPolicy: Owner
   dataFrom:
     - extract:
-        # SMTP_DOMAIN, SMTP_EMAIL_SMTP_USERNAME, SMTP_PASSWORD
+        # SMTP_DOMAIN, SMTP_USERNAME, SMTP_PASSWORD
         key: smtp-relay

kubernetes/apps/default/smtp-relay/app/helmrelease.yaml

@@ -38,7 +38,6 @@ spec:
       DEBUG: "true"
       SMTP_DOMAIN: "${SECRET_DOMAIN}"
       SMTP_SERVER: "smtp.fastmail.com"
-      SMTP_USERNAME: "${SECRET_EMAIL_SMTP_USERNAME}"
       SMTP_PORT: "465"
     envFrom:
       - secretRef:

kubernetes/apps/default/zigbee2mqtt/app/volsync.yaml

@@ -30,7 +30,7 @@ metadata:
   name: zigbee2mqtt
   namespace: default
 spec:
-  sourcePVC: zigbee2mqtt-images
+  sourcePVC: zigbee2mqtt-config
   trigger:
     schedule: "0 7 * * *"
   restic:

kubernetes/apps/flux-system/addons/webhooks/github/externalsecret.yaml

@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: flux
+  namespace: flux-system
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: flux-github-webhook-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        token: "{{ .GITHUB_WEBHOOK_TOKEN }}"
+  dataFrom:
+    - extract:
+        key: flux

kubernetes/apps/flux-system/addons/webhooks/github/kustomization.yaml

@@ -3,6 +3,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./secret.sops.yaml
+  - ./externalsecret.yaml
   - ./ingress.yaml
   - ./receiver.yaml

kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml

@@ -11,7 +11,7 @@ spec:
     - ping
     - push
   secretRef:
-    name: github-webhook-token
+    name: flux-github-webhook-secret
   resources:
     - apiVersion: source.toolkit.fluxcd.io/v1beta2
       kind: GitRepository

kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml

@@ -1,28 +0,0 @@
-# yamllint disable
-apiVersion: v1
-kind: Secret
-metadata:
-    name: github-webhook-token
-    namespace: flux-system
-stringData:
-    token: ENC[AES256_GCM,data:PZfBsK+zNZE/DENaBkQPZEfkyN1d5mtxfAh5RtPfZ6JVeg9OWs5rgg==,iv:hCIawcGPC9SS5fC1cXHnJJ6sY4u5QtgeHWLwmlRf4p0=,tag:F9dBKyqi6LtBKC6cms8rBw==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cXVUWXpjdXUveGE5M3Bl
-            SzVhQ0phSlVMN0tMMDZRUnM1UXFpbktxd3pzCkZwQ2dmSys4L0UrREtMekJwUkNC
-            amovOWJBdEs5aTZSZVkxeHliTTk2VEEKLS0tIG8xb0dKRGZyc0VSU0RMZ01HdkFk
-            dVJzZGNrWFhoVmd0MnVUbHpKdU1XcDQKLD4TlyCxE57RFvUFqLDuhsEyoBC+12Yu
-            IZzMQYI6bDVnsfv3BzlYAm4qHHPUnhtUX3Wdx/u5ZwOlpxcyBUqNFg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-09-13T20:01:22Z"
-    mac: ENC[AES256_GCM,data:4/WPXRmc2OpOlVDro7r196SyOthcxJ7W+S9517j7vdH5xFkn2sEbIycqXdtB9+BYzR4ytKDjCDrV0qRyQEWGzGEmFrgIbA6PbYosVXzuxxWOKdCi/PTZdRuKOFkF8imJ78rB53FovYT+KLk20j2T3BmrTG2pYc+GC+KEJZ4WQwM=,iv:G1Cu4AwP7xAE4YFKAKzJ/jgDmRH5PvVy563k1mqJSxA=,tag:UshpfATU6emszsi2YNgnOQ==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/flux-system/weave-gitops/app/externalsecret.yaml

@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: weave-gitops
+  namespace: flux-system
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: weave-gitops-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        adminPassword: "{{ .WEAVE_GITOPS_ADMIN_PASSWORD }}"
+  dataFrom:
+    - extract:
+        key: flux

kubernetes/apps/flux-system/weave-gitops/app/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: flux-system
 resources:
+  - ./externalsecret.yaml
   - ./helmrelease.yaml
-  - ./secret.sops.yaml

kubernetes/apps/flux-system/weave-gitops/app/secret.sops.yaml

@@ -1,29 +0,0 @@
-# yamllint disable
-apiVersion: v1
-kind: Secret
-metadata:
-    name: weave-gitops
-    namespace: flux-system
-stringData:
-    adminPassword: ENC[AES256_GCM,data:StBu3tl/3/54rmGudER6nID4XEYLjumoMDptFBggSrrO/NJFrDAeUJilYY8AEuUBO6JHASPXS18hAlSx,iv:p8J+v7E7tktWquc1v/TotXxBZ9Fvx6UUV7+UunFZgSw=,tag:SXiYy43RvwmM2r6C+rztgQ==,type:str]
-type: Opaque
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLTTE0aWVrY0cva0lzNEl0
-            T2d3aEs5clE2TWZZTXE4Ly8wcmpZVms5aDN3CjZoK0ptTjJXSmZiQ1RGMmk3ckJZ
-            RlA1YURROG9PRXNFd0UyUzlST1RydzAKLS0tIGJiVyt2elc0Q0FWaEVGN1A0bS9Z
-            WUlSN1lLaHh0cTVOaHBGblU3Tmh6ZUEK0jJjreF4xiwHMqhLaQKZFgeeikjeRRqg
-            KzsMDy93tQKSByzwSD3UFcKHW48iiQAy/J1Q12bEaXSFBkOd5mILZw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-11-19T10:51:30Z"
-    mac: ENC[AES256_GCM,data:1b3WHgY9H5yAxwxbHvjPKGFZWmJ1iu945G5illQs6mEfmSrR1ZPvlBKn8eMNuSv1VN18ZhGWicFPpiwwe3MVFRr1G5Vn4F2VtS9F2Ap5IvWDW+F0vJfOAp6OdpT/TOOinp1Es9Pspd4JTpkr+Pk8tGDvVtnZ0aLer+qLv4SYZKA=,iv:zr2ZuwaqNaihfcX3KUKz0yXuGqX6o9o0zXfrhIY5vv4=,tag:kNIuKQ7Z7CbwhSBqgv5F+Q==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/flux-system/weave-gitops/ks.yaml

@@ -13,6 +13,8 @@ spec:
   sourceRef:
     kind: GitRepository
     name: home-ops-kubernetes
+  dependsOn:
+    - name: cluster-apps-external-secrets-stores
   healthChecks:
     - apiVersion: helm.toolkit.fluxcd.io/v2beta1
       kind: HelmRelease

kubernetes/apps/monitoring/gatus/app/externalsecret.yaml

@@ -0,0 +1,30 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+    name: gatus
+    namespace: monitoring
+spec:
+    secretStoreRef:
+        kind: ClusterSecretStore
+        name: onepassword-connect
+    target:
+        name: gatus-secret
+        creationPolicy: Owner
+        template:
+            data:
+                # App
+                CUSTOM_PUSHOVER_APP_TOKEN: '{{ .PUSHOVER_API_TOKEN }}'
+                CUSTOM_PUSHOVER_USER_KEY: '{{ .PUSHOVER_USER_KEY }}'
+                # Postgres Init
+                INIT_POSTGRES_DBNAME: gatus
+                INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+                INIT_POSTGRES_USER: '{{ .POSTGRES_USER }}'
+                INIT_POSTGRES_PASS: '{{ .POSTGRES_PASS }}'
+                INIT_POSTGRES_SUPER_PASS: '{{ .POSTGRES_SUPER_PASS }}'
+    dataFrom:
+        - extract:
+            key: pushover
+        - extract:
+            key: gatus

kubernetes/apps/monitoring/gatus/app/kustomization.yaml

@@ -4,9 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: monitoring
 resources:
-  - ./rbac.yaml
+  - ./externalsecret.yaml
   - ./helmrelease.yaml
-  - ./secret.sops.yaml
+  - ./rbac.yaml
 configMapGenerator:
   - name: gatus-configmap
     files:

kubernetes/apps/monitoring/gatus/app/secret.sops.yaml

@@ -1,37 +0,0 @@
-# yamllint disable
-apiVersion: v1
-kind: Secret
-metadata:
-    name: gatus-secret
-    namespace: default
-type: Opaque
-stringData:
-    #ENC[AES256_GCM,data:4iasPQ==,iv:j84wn0onGKCdIv/VhnRkc9WUrJcKzi15PPAaccPktMI=,tag:qZSBg8M5mq0r+dwfj910LQ==,type:comment]
-    CUSTOM_PUSHOVER_APP_TOKEN: ENC[AES256_GCM,data:ojqz+I3cIQraQ8b1d79R5UCOyJ9fw6WUKP8QaclG,iv:Vh85QNkt2f9N2G4lE25EuXfFbswUp9LOdPGGFhU/j4I=,tag:m0DXN5UNUSQvH3SG5BXphw==,type:str]
-    CUSTOM_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:3Ses6r1zh2AK9GjM/RAnt4fuzX86T55gpKP4Bfh2,iv:jTeHDvE35nRE8eNYR0kORPKpdFSuGB0MbhUr6oM38Go=,tag:Km2OBE/6oFCK3Flvl8X5Wg==,type:str]
-    #ENC[AES256_GCM,data:SkRXz/l1EiEl5Ywk9ro=,iv:rFH21ODFH5qmPQQfutNenDgc3gGFZpkY1fa9SC95ZXU=,tag:6/LbsWB4bsaoTyS9Mvbzog==,type:comment]
-    INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:N+UhTeY=,iv:TtHF6zRpl+vYKJDy6aPgLuo+laVQoYdnq2th+0T3Ok0=,tag:EOT48yIZyqjoQzPVVv111A==,type:str]
-    INIT_POSTGRES_HOST: ENC[AES256_GCM,data:lcvnmK3SIsfTtZV9ootfzd/RMRo1sNLQ8qAkYpVFgwjHzDKMaA==,iv:YVr19WtibsOb33WiKnGSJF7DXyoAJ5F8etk7DtqDSqU=,tag:njOVD5yFmjCFezTlGQdE5A==,type:str]
-    INIT_POSTGRES_USER: ENC[AES256_GCM,data:NfdJfi4=,iv:4P95EsR9n4nD+nJVqXsavjoJasmdQURMHll9TAzDZiI=,tag:dTPUyxMe/qRKr+8lnpebwQ==,type:str]
-    INIT_POSTGRES_PASS: ENC[AES256_GCM,data:hnRc8W9HOO/n9nj+6jsGwgbTUjo=,iv:9NX9kB1zlJ4UaQ5FLpk6z9Kuit6jGaBCvgNAS6xwz70=,tag:B9Ue9UiOosM2egzSYhWC8w==,type:str]
-    INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:naR9T7rV1zZcJ42UQesZrQ==,iv:l6UUSCWvQGRgVzM5B/W9YCqVG7v0U63BDp3ANJi2Bu0=,tag:KRRbDtBOKJJg3wQAPwlOrQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
-            bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
-            VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
-            OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
-            LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-08T06:43:48Z"
-    mac: ENC[AES256_GCM,data:OAz4DxyejtZsew6tL3F8AOIsfXOJFSgtMLzRzPv7Yure9GG4hEq+pj432HC48R/o4hQw7cNicxbHPAoSJIPtjqlNZsRStnGuPE2WBfeTaHS0XZsCesKbxW8VJ4vChbB1kp9gDV05JKETsUXAFnmSchiU6SGTvxgHepjbjYodxLk=,iv:iVcKX4O2qBKBU/UVVHsufBfD9iGUbfjFgkfDCjqN0d0=,tag:ENxJhJBvRdtcpjZjWoKXGQ==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/monitoring/gatus/ks.yaml

@@ -10,6 +10,7 @@ metadata:
 spec:
   dependsOn:
     - name: cluster-apps-cloudnative-pg-cluster
+    - name: cluster-apps-external-secrets-stores
   path: ./kubernetes/apps/monitoring/gatus/app
   prune: true
   sourceRef:

kubernetes/apps/monitoring/thanos/app/externalsecret.yaml

@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: thanos
+  namespace: flux-system
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: thanos-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        S3_ACCESS_KEY: "{{ .THANOS_S3_ACCESS_KEY }}"
+        S3_SECRET_KEY: "{{ .THANOS_S3_SECRET_KEY }}"
+  dataFrom:
+    - extract:
+        key: thanos

kubernetes/apps/monitoring/thanos/app/helmrelease.yaml

@@ -33,6 +33,10 @@ spec:
       tag: v0.31.0
     objstoreConfig:
       type: s3
+      config:
+        bucket: thanos
+        endpoint: "truenas.${SECRET_DOMAIN}:51515"
+        region: ""
     query:
       enabled: true
       replicaCount: 2
@@ -109,22 +113,10 @@ spec:
         enabled: true
   valuesFrom:
     - kind: Secret
-      name: thanos
-      valuesKey: S3_BUCKET_NAME
-      targetPath: objstoreConfig.config.bucket
-    - kind: Secret
-      name: thanos
-      valuesKey: S3_BUCKET_HOST
-      targetPath: objstoreConfig.config.endpoint
-    - kind: Secret
-      name: thanos
-      valuesKey: S3_BUCKET_REGION
-      targetPath: objstoreConfig.config.region
-    - kind: Secret
-      name: thanos
+      name: thanos-secret
       valuesKey: S3_ACCESS_KEY
       targetPath: objstoreConfig.config.access_key
     - kind: Secret
-      name: thanos
+      name: thanos-secret
       valuesKey: S3_SECRET_KEY
       targetPath: objstoreConfig.config.secret_key

kubernetes/apps/monitoring/thanos/app/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: monitoring
 resources:
-  - ./secret.sops.yaml
+  - ./externalsecret.yaml
   - ./helmrelease.yaml

kubernetes/apps/monitoring/thanos/app/secret.sops.yaml

@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-    name: thanos
-    namespace: monitoring
-stringData:
-    S3_BUCKET_NAME: ENC[AES256_GCM,data:0q5tjzGN,iv:RYjlKFAJpR6NSjimSAf8JrS2t1mUGSCAjusrYhTyiuw=,tag:AAIwBbmYoflm5M1EVbHM4A==,type:str]
-    S3_BUCKET_HOST: ENC[AES256_GCM,data:/9U/cHXmbGnbDCNm37zy0PzRbt5RI2LN7g==,iv:LLCrwkc6k3mXbJVWa2FivgEsbQKa9OyJWpe47BwExB8=,tag:qji0SWdaSgp8tNANSSB9Hg==,type:str]
-    S3_BUCKET_REGION: ""
-    S3_ACCESS_KEY: ENC[AES256_GCM,data:zTvAiBiukR1RP5eACMfgBsoTbwI=,iv:IIMUgN5SO+0i9/8w8QHpRgiTzQsOELqgMZAsARvcZJQ=,tag:lIvDTJ8i5UiOkZRMLrgV7g==,type:str]
-    S3_SECRET_KEY: ENC[AES256_GCM,data:mUHk2N4tcbh3si26uZx3J/gkXWH4gqk4/vJfJ3J03mreNsD8VlNePw==,iv:+wS4yLwKrFALFF51BLxXFpP0ROlR7qdBTVpFCJ/tizM=,tag:VJr9s444GB5GPft/8897mw==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSHQ5b3RRYjdGd3JYQkxh
-            cnRBTlJuMm9NTU96TFRpSEg0K2UrdnJ1V1VjCkZpRmwvSmZ3ZHJNaGNNS21mUytt
-            VXRMVzhSemx4NGZYSUtCS3g3Q281dXcKLS0tIC94NCtGVWF2U055NEZJTmtpenVM
-            L3c2WElEOU4rS0hrU1NPQ1NPZitDVDgKaN3P5xK1O1i9lTSAGJU+GIxbIoTb5OMO
-            if3medB2nPLEt5BUY2datTbswXiT3E9rFyka/Maq6afZjFiixK5mFQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-11-22T22:26:04Z"
-    mac: ENC[AES256_GCM,data:ANDShRftczGroCYNFKa/WdF22PgZ9yA6xhxdfe7/HHs0vQU48Q8nOrOT66P+8HDRV63I5ddodOurVtztFyGc8I0YdU2Bg1P2rnEmStfJsGGidTIqNloopCArsAH2UJj/fxwUA3dxswFURvgIagpjfdWHYGT2vzma44CORrk5vpU=,iv:KiFlpjLy+hj6V2dUoZeBdr3eq22So4G2oAA2QutF3UU=,tag:fkpjbQFU0Habj3d+6mNZLQ==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/monitoring/thanos/ks.yaml

@@ -9,6 +9,7 @@ metadata:
     substitution.flux.home.arpa/enabled: "true"
 spec:
   dependsOn:
+    - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-rook-ceph-cluster
   path: ./kubernetes/apps/monitoring/thanos/app
   prune: true

kubernetes/apps/networking/external-dns/app/externalsecret.yaml

@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: external-dns
+  namespace: networking
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: external-dns-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        OVH_APPLICATION_KEY: "{{ .OVH_APPLICATION_KEY }}"
+        OVH_APPLICATION_SECRET: "{{ .OVH_APPLICATION_SECRET }}"
+        OVH_CONSUMER_KEY: "{{ .OVH_CONSUMMER_KEY }}"
+  dataFrom:
+    - extract:
+        key: external-dns

kubernetes/apps/networking/external-dns/app/helmrelease.yaml

@@ -6,7 +6,7 @@ metadata:
   name: external-dns
   namespace: networking
 spec:
-  interval: 15m
+  interval: 30m
   chart:
     spec:
       chart: external-dns
@@ -15,7 +15,7 @@ spec:
         kind: HelmRepository
         name: external-dns
         namespace: flux-system
-  maxHistory: 3
+  maxHistory: 2
   install:
     createNamespace: true
     remediation:
@@ -34,18 +34,18 @@ spec:
       - name: OVH_APPLICATION_KEY
         valueFrom:
           secretKeyRef:
-            name: ovh-external-dns-creds
-            key: application-key
+            name: external-dns-secret
+            key: OVH_APPLICATION_KEY
       - name: OVH_APPLICATION_SECRET
         valueFrom:
           secretKeyRef:
-            name: ovh-external-dns-creds
-            key: application-secret
+            name: external-dns-secret
+            key: OVH_APPLICATION_SECRET
       - name: OVH_CONSUMER_KEY
         valueFrom:
           secretKeyRef:
-            name: ovh-external-dns-creds
-            key: consummer-key
+            name: external-dns-secret
+            key: OVH_CONSUMER_KEY
     extraArgs:
       - --annotation-filter=external-dns.home.arpa/enabled in (true)
     policy: sync

kubernetes/apps/networking/external-dns/app/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: networking
 resources:
-  - ./secret.sops.yaml
+  - ./externalsecret.yaml
   - ./helmrelease.yaml

kubernetes/apps/networking/external-dns/app/secret.sops.yaml

@@ -1,31 +0,0 @@
-# yamllint disable
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-    name: ovh-external-dns-creds
-    namespace: networking
-stringData:
-    application-key: ENC[AES256_GCM,data:eM+c4o7krcCr38iYl+V9aw==,iv:bWvn6Du2AYczidEiYcCiiXiCWQoNTM55+pEqEDT5gVg=,tag:XAtpQsK7J7mQWs47qqAt/Q==,type:str]
-    application-secret: ENC[AES256_GCM,data:dsAI3MXIpqC5FQZojzchOUfJPARBYOOUbnmY042w9DQ=,iv:gLh0ySZfm1akVIcnN/LMuuI7GZrBBq/X6mnQd1j9BeA=,tag:wIKWVoDMRfn68Ot56HFPGA==,type:str]
-    consummer-key: ENC[AES256_GCM,data:5RZrrLBGOhmnPLyRBy83SSAYz67h9zfIwx2cEUSxFAs=,iv:x3rMt3obLjR12PSiuzFb4qPirnMXpxojFZ9sTDp2pis=,tag:2ve3wWb2bHQQUA8m7+gyKQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByazlaTU9oZFR2Y2U1blg0
-            VXdUK3BzL1hsM3RydHQzcE95RklOTUdVWEE4CnNkOGprRVFCNFZjTkpOMnJ0R09T
-            RWhhemdvb243UGlVMHhjWVUzTW03V00KLS0tIDJ3d1NYdkJLaHlvQXBCbFlDZXRp
-            bi8wYjlEM0xGZExSV05HSGlkYjQ2VlUKesUixJpqR2iYx5kNxrbD0kTG1siHVKqq
-            sh8UblAqd1av0/3Qpj9dMF8awR8Q80dElcEwXT90Ks/S7p/uEA358g==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-27T00:19:30Z"
-    mac: ENC[AES256_GCM,data:hbC1/+QtH1O0w7cCshPm5b/3pljWMR4Q1bhqoepIJEeLa82N3YqHZ4PcEKPHaJKRpzBN/+OcoMMAC29xBzp+yaS3WZLkh7cz2rYC4+16fjZCjwChZXJOtyE8CrUlsXUj7OvL23RnscCE/0fuIL4uRWqLKokLkbdc6X+sVRlY4l0=,iv:JZZIrTeY0L4jy4cUZfmcm3+ZCjxgn27qIdJf5pVrZkM=,tag:DM+XGSXt/rD/5jTW6LaWTQ==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/networking/external-dns/ks.yaml

@@ -13,6 +13,8 @@ spec:
   sourceRef:
     kind: GitRepository
     name: home-ops-kubernetes
+  dependsOn:
+    - name: cluster-apps-external-secrets-stores
   healthChecks:
     - apiVersion: helm.toolkit.fluxcd.io/v2beta1
       kind: HelmRelease

kubernetes/flux/vars/cluster-secrets.sops.yaml

@@ -9,12 +9,7 @@ stringData:
     SECRET_CLUSTER_DOMAIN_EMAIL: ENC[AES256_GCM,data:j1yBajAlXKQeDuvbV2IyJp8IT3wA,iv:pxPgYZEZ6pvcr6trM1gkL5MZORewARaiVfwRTyWxny0=,tag:y31EGp46NgF/Pf3hQ2Iavw==,type:str]
     SECRET_DOMAIN: ENC[AES256_GCM,data:UtdBDs6+azVHO7Y=,iv:ZnWrBW+vW6HiMs1PbgY2LjcwUwuUh1HxYjqvOXvCrDk=,tag:r6uDIJhVoTIcizIfRW+lHw==,type:str]
     SECRET_CLUSTER_DOMAIN: ENC[AES256_GCM,data:lTfn9GCJHlgeO/BGXbvT,iv:LBsxVLf+WpS7Ac233XjVoWCjHqZpnhhhiJn2Q0YEHt8=,tag:d//kWxt2bJkqCF1EkEzYqA==,type:str]
-    SECRET_CLUSTER_OVH_APPLICATION_KEY: ENC[AES256_GCM,data:W8BOyYQbQJpQco0XQ8wgtA==,iv:z/nc9+DkIkvKw6Daf/UpuMsIc/H7AnwQF5ZjQarf03U=,tag:j+Qm6oK6jei7EFDBTT5ddQ==,type:str]
-    SECRET_CLUSTER_OVH_APPLICATION_SECRET: ENC[AES256_GCM,data:+R6Vy1qlYZuvFsGTnK3m94PuzdsYNPe1JVpGqhq9Dy0=,iv:bNKMp6VNMyuiJokr5xm9To2OuBYzoiJSRXUm4S00MdI=,tag:8YJoz5MICyC9bES/IP6ROw==,type:str]
-    SECRET_CLUSTER_OVH_CONSUMER_KEY: ENC[AES256_GCM,data:HwEaNSLEoON99KzgVLuDWxj8DPz1gz8tc3q/1hWJOvM=,iv:uTHCAT81Js9yQ/7iK90+elZzA0j6ia7AOWEufE1i/4k=,tag:D4tI50RyJz8o3n9hrrYz4Q==,type:str]
     SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY: ENC[AES256_GCM,data:ecukkFOK40WWIxJ48sXrxJUBaHx2BnzqxkIT+cXYZg4=,iv:y6AfslVPufBfrIL3GQqTw0cDAan64mB9J7RY9OzKQqw=,tag:+V4Rgz26wey2UtA32S0PJQ==,type:str]
-    SECRET_EMAIL_DOMAIN: ENC[AES256_GCM,data:tggMEXyLi03dAorm,iv:tXHmWmm9wUIOyGXbHUagS0gl4cEW588XSvBIoNsADFw=,tag:69X+WZoj6CiI6mUJT01DzQ==,type:str]
-    SECRET_EMAIL_SMTP_USERNAME: ENC[AES256_GCM,data:U8UiC6SdBbX9JbpRglyXfofDzYf+LNY=,iv:BLqn6nWm+il2yxWBJgpjlLKp5/eVh8L9qSEfM9LzUEo=,tag:1+afhSVYeHTvzzBiTxP7Ew==,type:str]
     SECRET_GITEA_API_TOKEN: ENC[AES256_GCM,data:lHrRfoAtj/sY7aFiWibf7ejrwn5ANa62d85kyPKxpZhXhdiz5jHcAw==,iv:D4ac1ltRrsHEM1z/bG0gHQZ4TntCK4fEj8BoYxDv7XM=,tag:yXVYJNpbM46ri9kW8MwxwQ==,type:str]
     SECRET_GITEA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:VWetZHP8haXPy1r20RMJvECxEWw=,iv:B3+rjPXWSbyCdi4KAy/FeMbtNUv40UIWN462OWfv9Ww=,tag:5wK7nUGu7HmdC90d2jllwQ==,type:str]
     SECRET_GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:3igfeqGHygjnmJXnoiKV7W8Tm2M=,iv:Hrjh38GuRvzS4Hi69QftBhaAJ02is5B0E5h23XICpUc=,tag:O4JFVSaoTQDhf3QZPLbn1Q==,type:str]
@@ -27,12 +22,8 @@ stringData:
     SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:X1J9WLT26soYzlDb8+YtPotGw8p0lJKMuNkn69WX,iv:mW2cJOq5gfzSE+U24IuvPVL+dL2nZcTFpPAkG77Ohus=,tag:kxokidtuE5RAGJlj4Q4P2A==,type:str]
     SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str]
     SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:L7LS6+tuwPCyb5HN4zg=,iv:JM2KTtDN/VrKicjp5qwqusWiJKHRZnfTtsZE2hkLq6Q=,tag:XGF3L5P6JxVBrlGuKosdZA==,type:str]
-    SECRET_MQTT_USER: ENC[AES256_GCM,data:Ggn82GysDHM2b/uNhQ==,iv:f5NXCE5/nfTqq1zdtBNH6Lu8ndf5YZKHgEWc9O0fB0I=,tag:z1OUzEeVgm+a9QRBxo9BEg==,type:str]
-    SECRET_MQTT_PASSWORD: ENC[AES256_GCM,data:WBqLezPi1sbzyzfubG71KfR+tg==,iv:gKDgjpPwZ+fEWs+zn3aHiiKglsEl/kue/vx2FaSAtsA=,tag:jXECLxyekqmejJfi11DKsQ==,type:str]
     SECRET_NITTER_HMAC: ENC[AES256_GCM,data:pOA1LqHV9rcY3xAv5JMuSCMz1rk=,iv:3LkFNu/M3r1K/xBE/f7Kbf526eA4cgyGr4Wu/c+gxD0=,tag:ibJ8U+Pa66B2UmWwP/ZhNQ==,type:str]
     SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str]
-    SECRET_RADARR_API_KEY: ENC[AES256_GCM,data:Mom5SOMHf7xUvvUkjLIRqMzOSSQshzWdKlSGIzZtIGM=,iv:4vrZFrsTCUW2e0bo2sA2iT+ZVKUDEuyferNJ5Q5klFY=,tag:xha/NKx2XN3Mpa0XPSMPvA==,type:str]
-    SECRET_SONARR_API_KEY: ENC[AES256_GCM,data:JO5N+MeVeQmAlfv/dLJru5oHyVjpy9iUrfrTe4PLVXA=,iv:NjGstpjwFapd2LJNPy6nhXsp9UuCYTBuHRovmHdCSNc=,tag:BARsx6FBISHhxueBSDJSNw==,type:str]
     SECRET_SHARRY_DB_USERNAME: ENC[AES256_GCM,data:wWnV6hHz,iv:+uV0X2tovaisFuO5KcF9PpKPyYeS4WtrrPt4Ll+CnsU=,tag:zNWR9AqheMGho0yV923vvw==,type:str]
     SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:Y0gk4bRcEws2b0SF4AY=,iv:3cQbD/uvWNGjEmz3z8uEbXWwJffIrTj3nSDsGBS0MEU=,tag:RsIBq9zI8+2temGj5r/Lqg==,type:str]
     SECRET_SHARRY_MINIO_S3_ACCESS_KEY: ENC[AES256_GCM,data:2qLE/cs=,iv:Ctrw213BgCC2jyEvFp38aOejzY/ZYiwAj9fsPzXgaY0=,tag:LBlIUm1LTAjUIKu4JeLw9A==,type:str]
@@ -53,8 +44,8 @@ sops:
             WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
             pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-05T20:29:14Z"
-    mac: ENC[AES256_GCM,data:764Iz1qP+0cjtmBZyuOOW0A1t6om8ab7YEzNRP5P8q6BY6Mpr8HOAK8rJMXq/TqTNXzzHb2XqnfItAxcv4XYuq/5mjEioAiSd9hbbh+l6WhXEw14zTSVN9IOJCo3ClWG8ybXBc8V/kbcBtZwOYM5ikVz5j2ik0304HEabhTfz3c=,iv:Z59Sptg2svDUJC2MJ/pB1FF7Dir/x4CKIlrQO+7Ut1Q=,tag:OwvfegpdvuMtYbhIQfNaGA==,type:str]
+    lastmodified: "2023-07-14T21:58:35Z"
+    mac: ENC[AES256_GCM,data:G2sYqZY5/E/4QWVYKV5RGT5XCCnH5SIjdbW/xqw6WCV6G2nIEDpHKXSPKFLlzWHTsW3jRjWW2SOQ59ftkY5CB4doMi8EzEGzqMyw1d0llwl6sXGPzwOBjqlOeoECCc0/xm2BKA6bJ3uTyeifyFNQSx4iBvM8Djv1JTrIE/P8pVE=,iv:x8o2b+wO8FD43RtwHvz73yEtefTsgV6a1pWehLPSHoI=,tag:sqg4/tUSVE3AyZWhUGi9jw==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.7.3