⬆️ onepassword-connect app-template v2

kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml

@@ -1,9 +1,7 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kube-system
 resources:
-  - ./clustersecretstore.yaml
-  - ./helmrelease.yaml
-  - ./secret.sops.yaml
+  - ./onepassword

kubernetes/apps/kube-system/external-secrets/stores/onepassword/clustersecretstore.yaml

@@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
   name: onepassword-connect
-  namespace: kube-system
 spec:
   provider:
     onepassword:

kubernetes/apps/kube-system/external-secrets/stores/onepassword/helmrelease.yaml

@@ -26,21 +26,19 @@ spec:
   uninstall:
     keepHistory: false
   values:
-    defaultPodOptions:
-      enableServiceLinks: false
-      securityContext:
-        runAsUser: 999
-        runAsGroup: 999
     controllers:
       main:
-        replicas: 2
-        strategy: RollingUpdate
         annotations:
           reloader.stakater.com/auto: "true"
+        pod:
+          securityContext:
+            runAsUser: 999
+            runAsGroup: 999
         containers:
           main:
             image:
-              repository: docker.io/1password/connect-api
+              # repository: docker.io/1password/connect-api
+              repository: ghcr.io/haraldkoch/onepassword-connect-api
               tag: 1.7.2
             env:
               OP_BUS_PORT: "11220"
@@ -50,7 +48,7 @@ spec:
                 valueFrom:
                   secretKeyRef:
                     name: onepassword-connect-secret
-                    key: 1password-credentials.json
+                    key: onepassword-credentials.json
             probes:
               liveness:
                 enabled: true
@@ -79,37 +77,31 @@ spec:
               limits:
                 memory: 100Mi
           sync:
+            # image: docker.io/1password/connect-sync:1.7.0
             image:
-              repository: docker.io/1password/connect-sync
+              repository: ghcr.io/haraldkoch/onepassword-sync
               tag: 1.7.2
             env:
-              OP_HTTP_PORT: &port 8081
-              OP_BUS_PORT: 11221
-              OP_BUS_PEERS: localhost:11220
-              OP_SESSION:
+              - { name: OP_HTTP_PORT, value: &sport 8081 }
+              - { name: OP_BUS_PORT, value: "11221" }
+              - { name: OP_BUS_PEERS, value: "localhost:11220" }
+              - name: OP_SESSION
                 valueFrom:
                   secretKeyRef:
                     name: onepassword-connect-secret
-                    key: 1password-credentials.json
-            probes:
-              readinessProbe:
-                httpGet:
-                  path: /health
-                  port: *port
-                initialDelaySeconds: 15
-              livenessProbe:
-                httpGet:
-                  path: /heartbeat
-                  port: *port
-                failureThreshold: 3
-                periodSeconds: 30
-                initialDelaySeconds: 15
-            resources:
-              requests:
-                cpu: 5m
-                memory: 10Mi
-              limits:
-                memory: 100Mi
+                    key: onepassword-credentials.json
+            readinessProbe:
+              httpGet:
+                path: /health
+                port: *sport
+              initialDelaySeconds: 15
+            livenessProbe:
+              httpGet:
+                path: /heartbeat
+                port: *sport
+              failureThreshold: 3
+              periodSeconds: 30
+              initialDelaySeconds: 15
     service:
       main:
         ports:

kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+  - ./clustersecretstore.yaml
+  - ./helmrelease.yaml
+  - ./secret.sops.yaml

kubernetes/apps/kube-system/external-secrets/stores/onepassword/secret.sops.yaml

@@ -0,0 +1,30 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: onepassword-connect-secret
+    namespace: kube-system
+type: Opaque
+stringData:
+    onepassword-credentials.json: ENC[AES256_GCM,data:vVOz94aHx8jMRGQNw1a0Sio0HI7AVNT9r0nkdaRyRop/20e4lvNU+PyfnlskTdya0Ty62mZNH78Uj2+vXIgh8z5ROzulLx61MKdKSEfQqwwnbZ5mPIgZT6QHTtG/pXHj2IUGW7m0v173avxtpq0PPr5sum9Eg1QNnTSqgSwmmD3D0Q0lY0mxbYA7x5ERd6354nTqV+93f2RHNZ0JIYG72L3xMn+TdaO4TfgmZRSjXsRGCOhfISdEg69d4/NHMAQOSkDT6eoAlbIco5Tel7n4BxGi8Je+EH4J/HdzeHNtQliJuAwXXsrYWS2qaJxoBXTPuBeuVZYohoRUcF2qH8uHYINDR7mrHiByCvtxxKXs33hLTbAHUhCnMUJ4hLqyWZ/tnH5w/EdsSlsMpPVEyBc6xOZZrmL40M4b4M+O++Hoah0Bv2zw3K9JR5EwP6fezuNq0YP6hb9nds9UfZ6RsIAsOKWDt7MaO/cLMRU/0eqCgKX4tnJUM3+t+ns/p27iKGyn4DFtj3HA7wPYmuPfTDhFmA0exG3PaSsV6ITVzbrScqtPyEU8QyWdk5IAUPccZlyWTRr7CKYXtXzbUeYCGmNNsa3VuVKMRoAXTpgT6+ww0h+BVkquednurlgtUNX+nPA7vzIzPuHoQUWZbDL/kGq1rEPHF3MGwkNjLyRvMbh412n5916eNQ+r+0ZN8SZ2SoWN4IRAfa99gXlcBmZ04zPvDIhKJtFwrLgtfnqiqi2FAcILZhNFBv2uxcEFlZ1iKDdJTmue/JPuG4L3hqMcVRuKWSjJSsdYBs4GY4YLy4u+vOeh1hqIzW8zHonh7ukOA/5UfUx/O8OQ+cXY/4bZQgBuLUXaGzT/CLsrdoWW2/Ks7tvcAgJBXxXWHk0PWjLo+OQYbmM5aIjHAJY3uGiq4rjKQbAtaJUUu5dzMDnGdOnh86TJet4bSt6jF6ainaNjYNc4MaJX5zVC7mj78iBvzFa7BfzSzp47hPo3w5OS3/XvJQ1ch15DmDpu2t7MEqxE0KL8qxM0IbcDdC5nVUEBsxqTNndBlwl2a6rPSoukCwf3VBQ5dzbTisxaHyWz5XFbxWhYCtaofrN0opxBH2Abh1oUu6bFFIOsD2iXgtL+GcD+w0LjpTqP54TXRXNXK/IEwNhxuCYQ2skCzBEwQIMd370GF8tGy4jo9ttH3KYR50C6Ugw5ZQc9PcbOEisMSdvOvXl99CDHCbpXdv2nnDSWZ1XZVeiPdymBClMAXzOigaWD/p8YjM8PXOW6Ik7pM4/nIhtzrBaZCehrzntnjevfxAOBgviu4FKWBO4JognerlP/MAjL49P3EDYoy0karHMlCL+UZu2FHkoixM40gG5bQx2bMGUZ9nkzYM1nJz4i2PDQMQi7Mxi0wRi4WOFsRgl9c7gH1Ws6c+Z0O3Uul4pN7NCLtd5hqmYtqUeXIa/egaR9Buv5gmkGnF5+kPu5g5x04yc2UUIGpsD/V05B8jIp3DmMmQSO4Sa3+8c6F4n91QCe74U7Q3zlN59PFYc/Cx9kal80vphAwJ/lRfvlws1OXPtOUKe7iy0VcjJblNAtZwJTpdYE/tJtCBteeIfah9/wPBKSqrzJ4kXz8DldPiCUmWyVcWqjakZT5kYqlgxlk6Nt8/Pu1Tgwpgkl4vzlRhyvuRLfq7jkb78iR0yhPJBT/gBO+RRG/NRZTeYYzGMr/ZRVsOUfPzjnhsTfZTZO5g5SIUT0oCmTnkN440tSGXtW61d/PNSJKH2Wutt6lV+cGkTuHmgRatmh7to0YohrfJcLq19IygUh3QckK0tLCo/DTRjbE7NH1UkqzvDew0NNY+GsrhHMA4wBixQ2UFr6D7Hqx5mkIn/UXTJyXbuLrTHnZ8XfDCZ9HHm5c4nP85vXHxP0f81P6aN4OPArLRKpiGhDdhmCDOFE0kDsjjN5JsXg,iv:6yAbNoRVVpX+IQjCbktN/ukB8a+bhOOAEd45rxgaJYQ=,tag:S3Mi7dKSyxW/OAzkE2GWtA==,type:str]
+    token: ENC[AES256_GCM,data:B495oipwauim95T+fQpk3nGP2xl4oJJK4ZMzoPrudodV7KbzMfkQ/HkPZuka/Vdodad7wMenCj7Knucbc7NTDZdtCjPeKDYdGr+wimhiRF9N0jKS3dxu1mwWcgU8V5xpqYeDv+kKZ1L62NUjDDCtSzL3mXEcFdeNzKLaD1y17ek2RYvL9fm0+7J8rdeoG0t1UDaTgh17Jgo3uLclUfy+uygmo8uqAk8nP3ZRYg+4o4O6phx/5uKh87kgIliFT3IvEZ4zWerlnNfPdn2U4GbgMFjlhtuGIWj+5PN13vKY9sUN+wT3fQKOBhz2J5wXOR9Mg51n3+d6cnMS7ubFssGGHlid0UE5r9LcFSfpuBooUv/jCHAgh8omSI4/D6l4SwiQloyxhJLEBze94t+IlClgv8/P2ZLYCc4OrbnhB9AtN9V97aKvDiOw5vEPMhz4QGZ+zO71+lHF22FNS9ZSqMMe1pJrzSyatkdVCWaiRSPEEShspad+3QbJIxIRXDwpxfL/wAk/To521LjeN22dIi0GvGhz3SRFwhMv1eRoZlaHOoX4/r6CnTkeVLxZJFzd2l06Yz+XybvgDusoRHB3v1ClJ1agg8BNdJW9au2XaqzQQm3bhlQWOmWFP+8WnE4ZyRnWEG3PiMVw882wb7IOZDGnuQBKFWC/NHL5TgJIOngeBer7KeIMnRo0tf5EQG05exB+C+bvHfHiIxCr+M9SAnszOjOR3c9U3U1a1gcWgz57Pe8IZdUQdmw+U5IQhathjpYhM7ba4MdZtz+q7iDj146ZbxkyrZDZFuLRXgtoWQI2fi/wiRJXhLO5KM5BoV1J8WaQH7W7uddSVohhjAYQYOLJBCrX,iv:9oUq1Z2LcmZoQUagqKcBMPU71w6PUKjgZVdZ/cW8yHI=,tag:uyvbfEDgsUcAEekz5DL32w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
+            bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
+            VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
+            OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
+            LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-04T20:05:48Z"
+    mac: ENC[AES256_GCM,data:lC84PU9/+I2xnJLgcYaso8EoQMqPWxM1jNubUy/iHFiF6zsqJ++xxghwnSPo5Qhdki2vtZE64Upq466/E8waZUoPwwYDDWdficu7r9rH+ToHjOX0LJd0j80wnuluu13hvABhanfS/nJAL7N21mFuSSMD2Duj+Qfzpp+NgQzmrbM=,iv:1P/SKfoAw/0gtiukbVvinNBk4wzhCxHGOe2GNfI1Xbc=,tag:BcTwlvsor9h1n6vM9gpLOw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

kubernetes/apps/kube-system/external-secrets/stores/secret.sops.yaml

@@ -1,30 +0,0 @@
-# yamllint disable
-apiVersion: v1
-kind: Secret
-metadata:
-    name: onepassword-connect-secret
-    namespace: kube-system
-type: Opaque
-stringData:
-    1password-credentials.json: ENC[AES256_GCM,data:CVn/+8EPvY4PS1K7HAV6jnaswdOh3qwhhv/w3tusoGnFBR9OjydtpyvHB8q2uVuPMbpeQLh/2e0Ln3aK+3MLAuCtapvb235g85foRmxV7CbFWOsBRtXncMg62pfARz6+2qu2G5/Xk20tQXPRF+N3848DHIyrIk7XNtwnxAaTn6Wkg2lM+mnPW0TnaO8V7MbZe7ukPsEIOTYfyf8Yh0JXr559O79jzEwt8LQHEpEDYVHW+P0r2I11ZbKQoyrGkbzIbo+jPeQ1QXPUcjB2me8YAsY0swSg+3yfN0eA7Kxtzy3hSf+DNo8sIYxQyTD6sj2+vwVkxzrUA5YOghTOyNMh791mXdNGQ7NPtH4nmBClHSBO2vOPK6EevJ9KfAtuXiMVYDk9nKijcdTopTMD04ifZMTLe+b/2ZLE8oi81NkYyqzBk7Kw6ggBx0GoNebx/BbznrS5cDTp4GbLLz51Xg8G8OZi44+L2xqcMnrePp4/nVbOZAf6OJva084zl5sTxSXox2RMYbsfyXK/RdacCX+G2PQjWOzj8ibxJEYLxAj8l6LmnjfGe4kFu1D4qR+adyVxGQPPVgmq4N7g/qRCYhCEivtb1YDYjo5NleZrsrFR0Km/23hX56e/49laRmuluFQJ5jocKCstkYUx1Txk6d5hEYCm5BZ5Ir8+OdmpBaN2ejBR8L9vT4zUwj2NN5mxps6RTvS8Vx1jk0sDvNYYBuZ7LGgnBBvRrSjHc3dxoADxS4aWyfGE7ApqZUlTsaSqdxvEeoSjdCLLlS5Bg3fc+5h0EB/wZIgPbKz8Gcnx51JsDdQVlUT79oDCS636D30t41tHAmFy5DwnaB2fjlNDb6urdPrtql7sczatJ+d1hZLqBpKxTp1jUaKz2gsDTGoMN0EAKZIgcHZbFddnM0QfR1T66VWalxmJ+BQYKEHEvCt7gatAJDRtDQreE1pGRmNfyk96DWGi8L1phsuVKf/oH77BQR3qC9VbrvoTEXlJfZ+n3nMuEw/DKJDA3enhu1FhhI7VJfV7sLLs7gnXlWuP7wxTswrSvzpavnz18jHRsquX36oUQIL169BElAm1GyOER1IXKe3p5vLVovww0v3CF1HUtL4Laqa8ntq7UWjUKsmXmTMttsQMne8XiejYrZ0EkMekTZEFfrOU4uFgQ32xdZy3sK0mWNX82J64WmsFGEgQYvBgZLcAIzAnNbwcZoUFbtFYRZKXmSbA6ycjny4DXgQGgSQxKMbT7lRJKhu3zaAG5sUg7RxvuyNBHwCLLNCLYlQcJKUWeVl0rpmo8kLrTfP0jDZCVuG1KNRpofppYTGS6eeg60Nu7u7PgBcenQuZu4nilrMOKXlhbpY0Yx2ICCqywqJ78iK6j/Q/OoygPI2nNkyz2iloy3Zl4D3aWQbFrXTVbZn6bsqVD3hGyAzv/M5lAv/XIFUlg46nSjquqlQ7R/H6fMKOktwCHq2m8sGr6/EyL7tuWze2F2WWLFo90vjaFZzI7kQr5/pza7egLLKwR0MmjMJmr1Z58cznyO3cWCsVdAd3k8rK3nxaE534SQKjILWf+ba+2Vya8cChl5YmQXIYt/TWDS+pm1S700uJWriJ0mHhJIyJj0qS3SC7D6GuusR+KuCG/ivtUQUTmDKPQOYxuAvrFYSBAdGq5+JsJdOUdwrsNUdVqkLaLMgQhpz+vcDkZDtAxetHVX8+zD0Wectld+GmTX7UuKz28WIMKReicThTWZd0sAw4y+9HL7B5oiiBzNF3dDl6blx+zqjZ379aIkjVMM+JvFxlxZHyhq9GmWQcrhl78No/gquIQfVky8kuTGGBvJVfkiPUr5jSQllSLAFro85f6N115/bx1FBwMdNQudm72EmOsoyBHPDUfZNbr55H94f//byapLA58z6AbpGX7Y9+azRgKnXedsYkpCqDy4tfGuTXZWSe,iv:YNrdv6G3GDUf3CSnagRjB6Jh/SyYC74t/GTHgFQ93oM=,tag:qgr9oUt9OQR0AaKi04lCVQ==,type:str]
-    token: ENC[AES256_GCM,data:B495oipwauim95T+fQpk3nGP2xl4oJJK4ZMzoPrudodV7KbzMfkQ/HkPZuka/Vdodad7wMenCj7Knucbc7NTDZdtCjPeKDYdGr+wimhiRF9N0jKS3dxu1mwWcgU8V5xpqYeDv+kKZ1L62NUjDDCtSzL3mXEcFdeNzKLaD1y17ek2RYvL9fm0+7J8rdeoG0t1UDaTgh17Jgo3uLclUfy+uygmo8uqAk8nP3ZRYg+4o4O6phx/5uKh87kgIliFT3IvEZ4zWerlnNfPdn2U4GbgMFjlhtuGIWj+5PN13vKY9sUN+wT3fQKOBhz2J5wXOR9Mg51n3+d6cnMS7ubFssGGHlid0UE5r9LcFSfpuBooUv/jCHAgh8omSI4/D6l4SwiQloyxhJLEBze94t+IlClgv8/P2ZLYCc4OrbnhB9AtN9V97aKvDiOw5vEPMhz4QGZ+zO71+lHF22FNS9ZSqMMe1pJrzSyatkdVCWaiRSPEEShspad+3QbJIxIRXDwpxfL/wAk/To521LjeN22dIi0GvGhz3SRFwhMv1eRoZlaHOoX4/r6CnTkeVLxZJFzd2l06Yz+XybvgDusoRHB3v1ClJ1agg8BNdJW9au2XaqzQQm3bhlQWOmWFP+8WnE4ZyRnWEG3PiMVw882wb7IOZDGnuQBKFWC/NHL5TgJIOngeBer7KeIMnRo0tf5EQG05exB+C+bvHfHiIxCr+M9SAnszOjOR3c9U3U1a1gcWgz57Pe8IZdUQdmw+U5IQhathjpYhM7ba4MdZtz+q7iDj146ZbxkyrZDZFuLRXgtoWQI2fi/wiRJXhLO5KM5BoV1J8WaQH7W7uddSVohhjAYQYOLJBCrX,iv:9oUq1Z2LcmZoQUagqKcBMPU71w6PUKjgZVdZ/cW8yHI=,tag:uyvbfEDgsUcAEekz5DL32w==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
-            bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
-            VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
-            OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
-            LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-08T20:16:14Z"
-    mac: ENC[AES256_GCM,data:tqmsruedE0vkv2Ueb33p5623Fwhp801fB17I9S+qf+DoGge7JHd4gy1T7eCdL9LjOQNw9uCaKBn6tXH8QQNBpfyfTViHOW/K+nQa3CaQf4lc/Y1IUEaX+/8WRGBm5lAVRpzTHyZ8ytotDXUmyVvgfFLu7UPbyGBOtz0CDp1UIVE=,iv:1DsenhxEQkuSxvUAvo9aFBgwx9026nqack627dH0yzs=,tag:Ha/Trnl9Ndyi1pWpGUsObA==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/apps/monitoring/gatus/app/helmrelease.yaml

@@ -41,7 +41,7 @@ spec:
             envFrom: &envFrom
               - secretRef:
                   name: gatus-secret
-          config-sync:
+          init-config:
             order: 2
             image: &configSyncImage
               repository: ghcr.io/kiwigrid/k8s-sidecar
@@ -69,6 +69,7 @@ spec:
               GATUS_CONFIG_PATH: /config
               CUSTOM_WEB_PORT: &port 8080
               SECRET_CLUSTER_DOMAIN: ${SECRET_CLUSTER_DOMAIN}
+            envFrom: *envFrom
             resources:
               requests:
                 cpu: 10m