🚑 scrutiny mounts

2025-09-17 18:24:14 +02:00 · 2024-01-30 13:25:49 +01:00
parent 0eea400b34
commit 8ebf45dbe8
5 changed files with 45 additions and 20 deletions
--- a/kubernetes/apps/monitoring/scrutiny/app/externalsecret.yaml
+++ b/kubernetes/apps/monitoring/scrutiny/app/externalsecret.yaml
@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: scrutiny
+  namespace: monitoring
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: scrutiny-secret
+    template:
+      engineVersion: v2
+      data:
+        SCRUTINY_NOTIFY_URLS: pushover://shoutrrr:{{ .PUSHOVER_API_TOKEN }}@{{ .PUSHOVER_USER_KEY }}
+  dataFrom:
+    - extract:
+        key: pushover
+    - extract:
+        key: scrutiny
--- a/kubernetes/apps/monitoring/scrutiny/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/scrutiny/app/helmrelease.yaml
@@ -28,12 +28,10 @@ spec:
  values:
    defaultPodOptions:
      automountServiceAccountToken: false
-      securityContext:
-        privileged: true
-        # capabilities:
-        #   add: ["SYS_RAWIO"] # allow access to smartctl
    controllers:
      main:
+        annotations:
+          reloader.stakater.com/auto: "true"
        containers:
          main:
            image:
@@ -42,6 +40,9 @@ spec:
            env:
              TZ: ${TIMEZONE}
              SCRUTINY_WEB_INFLUXDB_HOST: influx.database.svc.cluster.local
+            envFrom:
+              - secretRef:
+                  name: scrutiny-secret
            resources:
              requests:
                cpu: 100m
@@ -116,17 +117,3 @@ spec:
        readOnly: true
        globalMounts:
          - path: /run/udev
-      nvme0n1:
-        enabled: true
-        type: hostPath
-        hostPath: /dev/nvme0n1
-        readOnly: true
-        globalMounts:
-          - path: /dev/nvme0n1
-      sda:
-        enabled: true
-        type: hostPath
-        hostPath: /dev/sda
-        readOnly: true
-        globalMounts:
-          - path: /dev/sda
--- a/kubernetes/apps/monitoring/scrutiny/app/kustomization.yaml
+++ b/kubernetes/apps/monitoring/scrutiny/app/kustomization.yaml
@@ -1,5 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ./externalsecret.yaml
  - helmrelease.yaml
  - ../../../../templates/volsync
--- a/kubernetes/apps/monitoring/scrutiny/collector/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/scrutiny/collector/helmrelease.yaml
@@ -30,8 +30,6 @@ spec:
  values:
    defaultPodOptions:
      automountServiceAccountToken: false
-      securityContext:
-        privileged: true
        # capabilities:
        #   add: ["SYS_RAWIO"] # allow access to smartctl
    controllers:
@@ -49,6 +47,8 @@ spec:
                  fieldRef:
                    fieldPath: spec.nodeName
              TZ: ${TIMEZONE}
+            securityContext:
+              privileged: true
            resources:
              requests:
                cpu: 100m
@@ -71,3 +71,17 @@ spec:
        readOnly: true
        globalMounts:
          - path: /run/udev
+      nvme0n1:
+        enabled: true
+        type: hostPath
+        hostPath: /dev/nvme0n1
+        readOnly: true
+        globalMounts:
+          - path: /dev/nvme0n1
+      sda:
+        enabled: true
+        type: hostPath
+        hostPath: /dev/sda
+        readOnly: true
+        globalMounts:
+          - path: /dev/sda
--- a/kubernetes/apps/monitoring/scrutiny/ks.yaml
+++ b/kubernetes/apps/monitoring/scrutiny/ks.yaml
@@ -11,6 +11,7 @@ spec:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
+    - name: external-secrets-stores
    - name: rook-ceph-cluster
    - name: volsync
  path: ./kubernetes/apps/monitoring/scrutiny/app