From 94b5077db742c6ba594c6d377da03b86ec625037 Mon Sep 17 00:00:00 2001
From: auricom <27022259+auricom@users.noreply.github.com>
Date: Sat, 8 Jul 2023 21:02:19 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=80=20external-secrets?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../external-secrets/app/helmrelease.yaml | 41 ++++++
 .../external-secrets/app/kustomization.yaml | 7 +
 .../apps/kube-system/external-secrets/ks.yaml | 40 ++++++
 .../stores/clustersecretstore.yaml | 19 +++
 .../external-secrets/stores/helmrelease.yaml | 124 ++++++++++++++++++
 .../stores/kustomization.yaml | 9 ++
 .../external-secrets/stores/secret.sops.yaml | 30 +++++
 .../apps/kube-system/kustomization.yaml | 1 +
 .../repositories/helm/external-secrets.yaml | 10 ++
 .../flux/repositories/helm/kustomization.yaml | 1 +
 10 files changed, 282 insertions(+)
 create mode 100644 kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml
 create mode 100644 kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml
 create mode 100644 kubernetes/apps/kube-system/external-secrets/ks.yaml
 create mode 100644 kubernetes/apps/kube-system/external-secrets/stores/clustersecretstore.yaml
 create mode 100644 kubernetes/apps/kube-system/external-secrets/stores/helmrelease.yaml
 create mode 100644 kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml
 create mode 100644 kubernetes/apps/kube-system/external-secrets/stores/secret.sops.yaml
 create mode 100644 kubernetes/flux/repositories/helm/external-secrets.yaml
diff --git a/kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml b/kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml
new file mode 100644
index 000000000..ee0715bbc
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml
@@ -0,0 +1,41 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: external-secrets
+ namespace: kube-system
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: external-secrets
+ version: 0.9.1
+ sourceRef:
+ kind: HelmRepository
+ name: external-secrets
+ namespace: flux-system
+ maxHistory: 2
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ values:
+ installCRDs: true
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+ webhook:
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+ certController:
+ serviceMonitor:
+ enabled: true
+ interval: 1m
diff --git a/kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml b/kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml
new file mode 100644
index 000000000..a09cef314
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/kube-system/external-secrets/ks.yaml b/kubernetes/apps/kube-system/external-secrets/ks.yaml
new file mode 100644
index 000000000..3a2a42eb6
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/ks.yaml
@@ -0,0 +1,40 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cluster-apps-external-secrets
+ namespace: flux-system
+ labels:
+ substitution.flux.home.arpa/enabled: "true"
+spec:
+ path: ./kubernetes/apps/kube-system/external-secrets/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops-kubernetes
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cluster-apps-external-secrets-stores
+ namespace: flux-system
+ labels:
+ substitution.flux.home.arpa/enabled: "true"
+spec:
+ dependsOn:
+ - name: cluster-apps-external-secrets
+ path: ./kubernetes/apps/kube-system/external-secrets/stores
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops-kubernetes
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/kube-system/external-secrets/stores/clustersecretstore.yaml b/kubernetes/apps/kube-system/external-secrets/stores/clustersecretstore.yaml
new file mode 100644
index 000000000..a1ba67421
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/stores/clustersecretstore.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/clustersecretstore_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: onepassword-connect
+ namespace: kube-system
+spec:
+ provider:
+ onepassword:
+ connectHost: http://onepassword-connect:8080
+ vaults:
+ Kubernetes: 1
+ auth:
+ secretRef:
+ connectTokenSecretRef:
+ name: onepassword-connect-secret
+ key: token
+ namespace: kube-system
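Review bot: Neither Kustomization declares a `decryption` stanza, yet the `stores` path of the second document includes `secret.sops.yaml`, which Flux can only apply after SOPS decryption; unless a parent Kustomization patches that in (the `substitution.flux.home.arpa/enabled` label suggests label-driven patching exists for substitution, so decryption may be handled the same way), add `decryption: { provider: sops, secretRef: { name: <sops-key-secret> } }` under the second `spec`. Without it the Secret is either rejected or applied with its `ENC[...]` strings as literal values, and because the `ClusterSecretStore` lives in the same Kustomization with `wait: true`, the store never becomes usable either. The `dependsOn` ordering itself is right: the CRD-bearing chart is installed and waited on before the store is applied.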
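Review bot: The `ClusterSecretStore` carries no `spec.conditions`, so an `ExternalSecret` in any namespace can reference it and read items from the `Kubernetes` vault through the shared Connect token; if only a known set of namespaces should consume it, restrict it with `conditions: [{ namespaces: [<allowed-namespace>] }]` or a `namespaceSelector`. `ClusterSecretStore` is cluster-scoped, so `metadata.namespace: kube-system` is most likely dropped on apply; the namespace that matters is the one under `connectTokenSecretRef`, which is set. `connectHost` uses plain `http://`, acceptable for the in-cluster service name used here, but the token travels in clear on every request, so keep it pointing at the service rather than at the ingress hostname the accompanying HelmRelease publishes.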
diff --git a/kubernetes/apps/kube-system/external-secrets/stores/helmrelease.yaml b/kubernetes/apps/kube-system/external-secrets/stores/helmrelease.yaml
new file mode 100644
index 000000000..babef9d74
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/stores/helmrelease.yaml
@@ -0,0 +1,124 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: onepassword-connect
+ namespace: kube-system
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 1.5.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ maxHistory: 2
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ values:
+ controller:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ image:
+ repository: docker.io/1password/connect-api
+ tag: 1.7.1
+ env:
+ OP_BUS_PORT: "11220"
+ OP_BUS_PEERS: "localhost:11221"
+ OP_HTTP_PORT: &port 8080
+ OP_SESSION:
+ valueFrom:
+ secretKeyRef:
+ name: onepassword-connect-secret
+ key: 1password-credentials.json
+ service:
+ main:
+ ports:
+ http:
+ port: *port
+ probes:
+ liveness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /heartbeat
+ port: *port
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ failureThreshold: 3
+ readiness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /health
+ port: *port
+ initialDelaySeconds: 15
+ startup:
+ enabled: false
+ ingress:
+ main:
+ enabled: true
+ ingressClassName: nginx
+ annotations:
+ hajimari.io/enable: "false"
+ hosts:
+ - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ podSecurityContext:
+ runAsUser: 999
+ runAsGroup: 999
+ persistence:
+ shared:
+ enabled: true
+ type: emptyDir
+ mountPath: /home/opuser/.op/data
+ resources:
+ requests:
+ cpu: 5m
+ memory: 10Mi
+ limits:
+ memory: 100Mi
+ sidecars:
+ sync:
+ image: docker.io/1password/connect-sync:1.7.1
+ imagePullPolicy: IfNotPresent
+ env:
+ - { name: OP_HTTP_PORT, value: &port 8081 }
+ - { name: OP_BUS_PORT, value: "11221" }
+ - { name: OP_BUS_PEERS, value: "localhost:11220" }
+ - name: OP_SESSION
+ valueFrom:
+ secretKeyRef:
+ name: onepassword-connect-secret
+ key: 1password-credentials.json
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: *port
+ initialDelaySeconds: 15
+ livenessProbe:
+ httpGet:
+ path: /heartbeat
+ port: *port
+ failureThreshold: 3
+ periodSeconds: 30
+ initialDelaySeconds: 15
+ volumeMounts:
+ - { name: shared, mountPath: /home/opuser/.op/data }
diff --git a/kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml b/kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml
new file mode 100644
index 000000000..7e9fb64d1
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+ - ./clustersecretstore.yaml
+ - ./helmrelease.yaml
+ - ./secret.sops.yaml
diff --git a/kubernetes/apps/kube-system/external-secrets/stores/secret.sops.yaml b/kubernetes/apps/kube-system/external-secrets/stores/secret.sops.yaml
new file mode 100644
index 000000000..c1fd196b6
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/stores/secret.sops.yaml
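Review bot: The Connect API is published through the nginx ingress at `{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}` with nothing limiting access beyond the Connect token itself, while the only consumer in this commit, the ClusterSecretStore, reaches it over the in-cluster service URL; unless an out-of-cluster client needs it, set `ingress.main.enabled: false` or move it to an internal ingress class (the `hajimari.io/enable: "false"` annotation only hides it from the dashboard). The containers also run with nothing more than a pod-level `runAsUser`/`runAsGroup`; add a container `securityContext` on the main container and on the `sync` sidecar as sketched below (`readOnlyRootFilesystem` is left out because it is not visible from here whether Connect writes anywhere outside `/home/opuser/.op/data`). Lastly, `&port` is anchored twice in one document (8080 for the main container, then 8081 in the sidecar's env); that is legal YAML but easy to misread, so name the second one `- { name: OP_HTTP_PORT, value: &syncport 8081 }` and alias the sidecar probes with `port: *syncport`. The hunk continues from the previous physical line, so the whole HelmRelease is in view.
```yaml
    # … unchanged: controller, image, env, service, probes, ingress …
    podSecurityContext:
      runAsUser: 999
      runAsGroup: 999
      runAsNonRoot: true
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: { drop: ["ALL"] }
    # … unchanged: persistence, resources …
    sidecars:
      sync:
        # … unchanged: image, imagePullPolicy, env, probes, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities: { drop: ["ALL"] }
```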
@@ -0,0 +1,30 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+ name: onepassword-connect-secret
+ namespace: kube-system
+type: Opaque
+stringData:
+ 1password-credentials.json: ENC[AES256_GCM,data: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,iv:YNrdv6G3GDUf3CSnagRjB6Jh/SyYC74t/GTHgFQ93oM=,tag:qgr9oUt9OQR0AaKi04lCVQ==,type:str]
+ token: ENC[AES256_GCM,data:B495oipwauim95T+fQpk3nGP2xl4oJJK4ZMzoPrudodV7KbzMfkQ/HkPZuka/Vdodad7wMenCj7Knucbc7NTDZdtCjPeKDYdGr+wimhiRF9N0jKS3dxu1mwWcgU8V5xpqYeDv+kKZ1L62NUjDDCtSzL3mXEcFdeNzKLaD1y17ek2RYvL9fm0+7J8rdeoG0t1UDaTgh17Jgo3uLclUfy+uygmo8uqAk8nP3ZRYg+4o4O6phx/5uKh87kgIliFT3IvEZ4zWerlnNfPdn2U4GbgMFjlhtuGIWj+5PN13vKY9sUN+wT3fQKOBhz2J5wXOR9Mg51n3+d6cnMS7ubFssGGHlid0UE5r9LcFSfpuBooUv/jCHAgh8omSI4/D6l4SwiQloyxhJLEBze94t+IlClgv8/P2ZLYCc4OrbnhB9AtN9V97aKvDiOw5vEPMhz4QGZ+zO71+lHF22FNS9ZSqMMe1pJrzSyatkdVCWaiRSPEEShspad+3QbJIxIRXDwpxfL/wAk/To521LjeN22dIi0GvGhz3SRFwhMv1eRoZlaHOoX4/r6CnTkeVLxZJFzd2l06Yz+XybvgDusoRHB3v1ClJ1agg8BNdJW9au2XaqzQQm3bhlQWOmWFP+8WnE4ZyRnWEG3PiMVw882wb7IOZDGnuQBKFWC/NHL5TgJIOngeBer7KeIMnRo0tf5EQG05exB+C+bvHfHiIxCr+M9SAnszOjOR3c9U3U1a1gcWgz57Pe8IZdUQdmw+U5IQhathjpYhM7ba4MdZtz+q7iDj146ZbxkyrZDZFuLRXgtoWQI2fi/wiRJXhLO5KM5BoV1J8WaQH7W7uddSVohhjAYQYOLJBCrX,iv:9oUq1Z2LcmZoQUagqKcBMPU71w6PUKjgZVdZ/cW8yHI=,tag:uyvbfEDgsUcAEekz5DL32w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
+ bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
+ VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
+ OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
+ LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-07-08T20:16:14Z"
+ mac: 
ENC[AES256_GCM,data:tqmsruedE0vkv2Ueb33p5623Fwhp801fB17I9S+qf+DoGge7JHd4gy1T7eCdL9LjOQNw9uCaKBn6tXH8QQNBpfyfTViHOW/K+nQa3CaQf4lc/Y1IUEaX+/8WRGBm5lAVRpzTHyZ8ytotDXUmyVvgfFLu7UPbyGBOtz0CDp1UIVE=,iv:1DsenhxEQkuSxvUAvo9aFBgwx9026nqack627dH0yzs=,tag:Ha/Trnl9Ndyi1pWpGUsObA==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml
index b5f7b806c..5d43adfc4 100644
--- a/kubernetes/apps/kube-system/kustomization.yaml
+++ b/kubernetes/apps/kube-system/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
 # Flux-Kustomizations
 - ./cilium/ks.yaml
 - ./descheduler/ks.yaml
+ - ./external-secrets/ks.yaml
 - ./intel-gpu/ks.yaml
 - ./kubelet-csr-approver/ks.yaml
 - ./metrics-server/ks.yaml
diff --git a/kubernetes/flux/repositories/helm/external-secrets.yaml b/kubernetes/flux/repositories/helm/external-secrets.yaml
new file mode 100644
index 000000000..59818bfd4
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/external-secrets.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: external-secrets
+ namespace: flux-system
+spec:
+ interval: 2h
+ url: https://charts.external-secrets.io
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml
index ce0a3e812..dd41798a4 100644
--- a/kubernetes/flux/repositories/helm/kustomization.yaml
+++ b/kubernetes/flux/repositories/helm/kustomization.yaml
@@ -17,6 +17,7 @@ resources:
 - ./dysnix.yaml
 - ./emxq.yaml
 - ./external-dns.yaml
+ - ./external-secrets.yaml
 - ./gitea.yaml
 - ./grafana.yaml
 - ./hajimari.yaml