diff --git a/kubernetes/apps/monitoring/scrutiny/app/externalsecret.yaml b/kubernetes/apps/monitoring/scrutiny/app/externalsecret.yaml
new file mode 100644
index 000000000..7aea10ad4
--- /dev/null
+++ b/kubernetes/apps/monitoring/scrutiny/app/externalsecret.yaml
@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: scrutiny
+  namespace: monitoring
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: scrutiny-secret
+    template:
+      engineVersion: v2
+      data:
+        SCRUTINY_NOTIFY_URLS: pushover://shoutrrr:{{ .PUSHOVER_API_TOKEN }}@{{ .PUSHOVER_USER_KEY }}
+  dataFrom:
+    - extract:
+        key: pushover
+    - extract:
+        key: scrutiny
diff --git a/kubernetes/apps/monitoring/scrutiny/app/helmrelease.yaml b/kubernetes/apps/monitoring/scrutiny/app/helmrelease.yaml
index 56875adf9..17b1c9cd4 100644
--- a/kubernetes/apps/monitoring/scrutiny/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/scrutiny/app/helmrelease.yaml
@@ -28,12 +28,10 @@ spec:
   values:
     defaultPodOptions:
       automountServiceAccountToken: false
-      securityContext:
-        privileged: true
-        # capabilities:
-        # add: ["SYS_RAWIO"] # allow access to smartctl
     controllers:
       main:
+        annotations:
+          reloader.stakater.com/auto: "true"
         containers:
           main:
             image:
@@ -42,6 +40,9 @@ spec:
             env:
               TZ: ${TIMEZONE}
               SCRUTINY_WEB_INFLUXDB_HOST: influx.database.svc.cluster.local
+            envFrom:
+              - secretRef:
+                  name: scrutiny-secret
             resources:
               requests:
                 cpu: 100m
@@ -116,17 +117,3 @@ spec:
         readOnly: true
         globalMounts:
           - path: /run/udev
-      nvme0n1:
-        enabled: true
-        type: hostPath
-        hostPath: /dev/nvme0n1
-        readOnly: true
-        globalMounts:
-          - path: /dev/nvme0n1
-      sda:
-        enabled: true
-        type: hostPath
-        hostPath: /dev/sda
-        readOnly: true
-        globalMounts:
-          - path: /dev/sda
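Review bot: The second `dataFrom` extract, `key: scrutiny`, is not referenced by the only templated key, `SCRUTINY_NOTIFY_URLS`, so its purpose is unclear: under the default template merge policy only the templated key reaches `scrutiny-secret`, and if the policy were ever switched to merge, every field of both 1Password items would land in the Secret and, through the `envFrom` added in the helmrelease, in the container environment. Either drop that extract or put a comment above it naming the keys it is expected to supply, e.g. `# provides <KEY NAME PLACEHOLDER> consumed by the web container`. Separately, `.PUSHOVER_API_TOKEN` and `.PUSHOVER_USER_KEY` are spliced straight into a URL; if either stored value can contain URL-reserved characters, wrapping them as `{{ .PUSHOVER_API_TOKEN | urlquery }}` keeps the notify URL well-formed — hedged, as the exact function set of the v2 template engine is not visible here.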
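Review bot: With `privileged: true` dropped from `defaultPodOptions`, the web pod is left with no securityContext at all, while the third hunk shows it still bind-mounts `/run/udev` from the host (the `- path: /run/udev` context line) even though the device mounts themselves move to the collector; that udev mount is presumably only useful next to the devices and could be removed from the web release too. Since this container no longer touches hardware, a restrictive context fits here, mirroring the container-level `securityContext:` placement used in the collector file: `securityContext:` / `  capabilities:` / `    drop: ["ALL"]` under the `main` container, plus `runAsNonRoot: true` if the image supports it — hedged, because the image's runtime user is not visible in this diff.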
diff --git a/kubernetes/apps/monitoring/scrutiny/app/kustomization.yaml b/kubernetes/apps/monitoring/scrutiny/app/kustomization.yaml
index c57b74823..a0f82d4cc 100644
--- a/kubernetes/apps/monitoring/scrutiny/app/kustomization.yaml
+++ b/kubernetes/apps/monitoring/scrutiny/app/kustomization.yaml
@@ -1,5 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ./externalsecret.yaml
   - helmrelease.yaml
   - ../../../../templates/volsync
diff --git a/kubernetes/apps/monitoring/scrutiny/collector/helmrelease.yaml b/kubernetes/apps/monitoring/scrutiny/collector/helmrelease.yaml
index b6cc6568d..55dfbc899 100644
--- a/kubernetes/apps/monitoring/scrutiny/collector/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/scrutiny/collector/helmrelease.yaml
@@ -30,8 +30,6 @@ spec:
   values:
     defaultPodOptions:
       automountServiceAccountToken: false
-      securityContext:
-        privileged: true
         # capabilities:
         # add: ["SYS_RAWIO"] # allow access to smartctl
     controllers:
@@ -49,6 +47,8 @@ spec:
                   fieldRef:
                     fieldPath: spec.nodeName
               TZ: ${TIMEZONE}
+            securityContext:
+              privileged: true
             resources:
               requests:
                 cpu: 100m
@@ -71,3 +71,17 @@ spec:
         readOnly: true
         globalMounts:
           - path: /run/udev
+      nvme0n1:
+        enabled: true
+        type: hostPath
+        hostPath: /dev/nvme0n1
+        readOnly: true
+        globalMounts:
+          - path: /dev/nvme0n1
+      sda:
+        enabled: true
+        type: hostPath
+        hostPath: /dev/sda
+        readOnly: true
+        globalMounts:
+          - path: /dev/sda
diff --git a/kubernetes/apps/monitoring/scrutiny/ks.yaml b/kubernetes/apps/monitoring/scrutiny/ks.yaml
index c69ec40db..152858155 100644
--- a/kubernetes/apps/monitoring/scrutiny/ks.yaml
+++ b/kubernetes/apps/monitoring/scrutiny/ks.yaml
@@ -11,6 +11,7 @@ spec:
     labels:
       app.kubernetes.io/name: *app
   dependsOn:
+    - name: external-secrets-stores
     - name: rook-ceph-cluster
     - name: volsync
   path: ./kubernetes/apps/monitoring/scrutiny/app
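Review bot: The new entry is written `- ./externalsecret.yaml` while its siblings on the following lines are `- helmrelease.yaml` and `- ../../../../templates/volsync` without the `./` prefix; both forms resolve identically, but one convention per file reads better, so either write `- externalsecret.yaml` here or add `./` to `helmrelease.yaml` in the same change.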
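Review bot: After `securityContext:` and `privileged: true` are removed from `defaultPodOptions` in the first collector hunk, the two `# capabilities:` / `# add: ["SYS_RAWIO"]` comment lines that followed them are left dangling under a key that no longer exists, while the setting they annotate now lives on the container in the second hunk (`securityContext:` / `privileged: true` after `TZ: ${TIMEZONE}`). Move the comment down beside the new container-level block and make it state why `privileged` is still required instead of a capability add — if the reason is that an unprivileged container cannot open hostPath device nodes regardless of capabilities, say so, e.g. `# privileged: hostPath device nodes are not reachable from an unprivileged container; SYS_RAWIO alone is not enough`. As it stands the stale hint invites someone to try the narrower form and break SMART collection. Scoping `privileged` to the single collector container instead of every pod in the release is the right direction.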
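Review bot: The two new `hostPath` entries in the third collector hunk carry no `type`, so kubelet performs no check that `/dev/nvme0n1` and `/dev/sda` exist on the node the collector lands on; with the default empty type a missing source may be created as an empty directory by the runtime, and the device names are specific to one node's disk layout in any case. Setting `type: BlockDevice` on both entries makes a wrong node fail pod start with a clear event instead of a silently empty mount. If the collector is intended for one particular node, a `nodeSelector` under `defaultPodOptions` would document that dependency — hedged, since the controller type and any scheduling constraints are outside this hunk.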