🚀 external-secrets

kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml

@@ -0,0 +1,41 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: external-secrets
+  namespace: kube-system
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: external-secrets
+      version: 0.9.1
+      sourceRef:
+        kind: HelmRepository
+        name: external-secrets
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    installCRDs: true
+    serviceMonitor:
+      enabled: true
+      interval: 1m
+    webhook:
+      serviceMonitor:
+        enabled: true
+        interval: 1m
+    certController:
+      serviceMonitor:
+        enabled: true
+        interval: 1m

kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+  - ./helmrelease.yaml

kubernetes/apps/kube-system/external-secrets/ks.yaml

@@ -0,0 +1,40 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-external-secrets
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/kube-system/external-secrets/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-external-secrets-stores
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-external-secrets
+  path: ./kubernetes/apps/kube-system/external-secrets/stores
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/apps/kube-system/external-secrets/stores/clustersecretstore.yaml

@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/clustersecretstore_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: onepassword-connect
+  namespace: kube-system
+spec:
+  provider:
+    onepassword:
+      connectHost: http://onepassword-connect:8080
+      vaults:
+        Kubernetes: 1
+      auth:
+        secretRef:
+          connectTokenSecretRef:
+            name: onepassword-connect-secret
+            key: token
+            namespace: kube-system

kubernetes/apps/kube-system/external-secrets/stores/helmrelease.yaml

@@ -0,0 +1,124 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: onepassword-connect
+  namespace: kube-system
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    controller:
+      annotations:
+        reloader.stakater.com/auto: "true"
+    image:
+      repository: docker.io/1password/connect-api
+      tag: 1.7.1
+    env:
+      OP_BUS_PORT: "11220"
+      OP_BUS_PEERS: "localhost:11221"
+      OP_HTTP_PORT: &port 8080
+      OP_SESSION:
+        valueFrom:
+          secretKeyRef:
+            name: onepassword-connect-secret
+            key: 1password-credentials.json
+    service:
+      main:
+        ports:
+          http:
+            port: *port
+    probes:
+      liveness:
+        enabled: true
+        custom: true
+        spec:
+          httpGet:
+            path: /heartbeat
+            port: *port
+          initialDelaySeconds: 15
+          periodSeconds: 30
+          failureThreshold: 3
+      readiness:
+        enabled: true
+        custom: true
+        spec:
+          httpGet:
+            path: /health
+            port: *port
+          initialDelaySeconds: 15
+      startup:
+        enabled: false
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: nginx
+        annotations:
+          hajimari.io/enable: "false"
+        hosts:
+          - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+    podSecurityContext:
+      runAsUser: 999
+      runAsGroup: 999
+    persistence:
+      shared:
+        enabled: true
+        type: emptyDir
+        mountPath: /home/opuser/.op/data
+    resources:
+      requests:
+        cpu: 5m
+        memory: 10Mi
+      limits:
+        memory: 100Mi
+    sidecars:
+      sync:
+        image: docker.io/1password/connect-sync:1.7.1
+        imagePullPolicy: IfNotPresent
+        env:
+          - { name: OP_HTTP_PORT, value: &port 8081 }
+          - { name: OP_BUS_PORT, value: "11221" }
+          - { name: OP_BUS_PEERS, value: "localhost:11220" }
+          - name: OP_SESSION
+            valueFrom:
+              secretKeyRef:
+                name: onepassword-connect-secret
+                key: 1password-credentials.json
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: *port
+          initialDelaySeconds: 15
+        livenessProbe:
+          httpGet:
+            path: /heartbeat
+            port: *port
+          failureThreshold: 3
+          periodSeconds: 30
+          initialDelaySeconds: 15
+        volumeMounts:
+          - { name: shared, mountPath: /home/opuser/.op/data }

kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+  - ./clustersecretstore.yaml
+  - ./helmrelease.yaml
+  - ./secret.sops.yaml

kubernetes/apps/kube-system/external-secrets/stores/secret.sops.yaml

@@ -0,0 +1,30 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: onepassword-connect-secret
+    namespace: kube-system
+type: Opaque
+stringData:
+    1password-credentials.json: ENC[AES256_GCM,data:CVn/+8EPvY4PS1K7HAV6jnaswdOh3qwhhv/w3tusoGnFBR9OjydtpyvHB8q2uVuPMbpeQLh/2e0Ln3aK+3MLAuCtapvb235g85foRmxV7CbFWOsBRtXncMg62pfARz6+2qu2G5/Xk20tQXPRF+N3848DHIyrIk7XNtwnxAaTn6Wkg2lM+mnPW0TnaO8V7MbZe7ukPsEIOTYfyf8Yh0JXr559O79jzEwt8LQHEpEDYVHW+P0r2I11ZbKQoyrGkbzIbo+jPeQ1QXPUcjB2me8YAsY0swSg+3yfN0eA7Kxtzy3hSf+DNo8sIYxQyTD6sj2+vwVkxzrUA5YOghTOyNMh791mXdNGQ7NPtH4nmBClHSBO2vOPK6EevJ9KfAtuXiMVYDk9nKijcdTopTMD04ifZMTLe+b/2ZLE8oi81NkYyqzBk7Kw6ggBx0GoNebx/BbznrS5cDTp4GbLLz51Xg8G8OZi44+L2xqcMnrePp4/nVbOZAf6OJva084zl5sTxSXox2RMYbsfyXK/RdacCX+G2PQjWOzj8ibxJEYLxAj8l6LmnjfGe4kFu1D4qR+adyVxGQPPVgmq4N7g/qRCYhCEivtb1YDYjo5NleZrsrFR0Km/23hX56e/49laRmuluFQJ5jocKCstkYUx1Txk6d5hEYCm5BZ5Ir8+OdmpBaN2ejBR8L9vT4zUwj2NN5mxps6RTvS8Vx1jk0sDvNYYBuZ7LGgnBBvRrSjHc3dxoADxS4aWyfGE7ApqZUlTsaSqdxvEeoSjdCLLlS5Bg3fc+5h0EB/wZIgPbKz8Gcnx51JsDdQVlUT79oDCS636D30t41tHAmFy5DwnaB2fjlNDb6urdPrtql7sczatJ+d1hZLqBpKxTp1jUaKz2gsDTGoMN0EAKZIgcHZbFddnM0QfR1T66VWalxmJ+BQYKEHEvCt7gatAJDRtDQreE1pGRmNfyk96DWGi8L1phsuVKf/oH77BQR3qC9VbrvoTEXlJfZ+n3nMuEw/DKJDA3enhu1FhhI7VJfV7sLLs7gnXlWuP7wxTswrSvzpavnz18jHRsquX36oUQIL169BElAm1GyOER1IXKe3p5vLVovww0v3CF1HUtL4Laqa8ntq7UWjUKsmXmTMttsQMne8XiejYrZ0EkMekTZEFfrOU4uFgQ32xdZy3sK0mWNX82J64WmsFGEgQYvBgZLcAIzAnNbwcZoUFbtFYRZKXmSbA6ycjny4DXgQGgSQxKMbT7lRJKhu3zaAG5sUg7RxvuyNBHwCLLNCLYlQcJKUWeVl0rpmo8kLrTfP0jDZCVuG1KNRpofppYTGS6eeg60Nu7u7PgBcenQuZu4nilrMOKXlhbpY0Yx2ICCqywqJ78iK6j/Q/OoygPI2nNkyz2iloy3Zl4D3aWQbFrXTVbZn6bsqVD3hGyAzv/M5lAv/XIFUlg46nSjquqlQ7R/H6fMKOktwCHq2m8sGr6/EyL7tuWze2F2WWLFo90vjaFZzI7kQr5/pza7egLLKwR0MmjMJmr1Z58cznyO3cWCsVdAd3k8rK3nxaE534SQKjILWf+ba+2Vya8cChl5YmQXIYt/TWDS+pm1S700uJWriJ0mHhJIyJj0qS3SC7D6GuusR+KuCG/ivtUQUTmDKPQOYxuAvrFYSBAdGq5+JsJdOUdwrsNUdVqkLaLMgQhpz+vcDkZDtAxetHVX8+zD0Wectld+GmTX7UuKz28WIMKReicThTWZd0sAw4y+9HL7B5oiiBzNF3dDl6blx+zqjZ379aIkjVMM+JvFxlxZHyhq9GmWQcrhl78No/gquIQfVky8kuTGGBvJVfkiPUr5jSQllSLAFro85f6N115/bx1FBwMdNQudm72EmOsoyBHPDUfZNbr55H94f//byapLA58z6AbpGX7Y9+azRgKnXedsYkpCqDy4tfGuTXZWSe,iv:YNrdv6G3GDUf3CSnagRjB6Jh/SyYC74t/GTHgFQ93oM=,tag:qgr9oUt9OQR0AaKi04lCVQ==,type:str]
+    token: ENC[AES256_GCM,data:B495oipwauim95T+fQpk3nGP2xl4oJJK4ZMzoPrudodV7KbzMfkQ/HkPZuka/Vdodad7wMenCj7Knucbc7NTDZdtCjPeKDYdGr+wimhiRF9N0jKS3dxu1mwWcgU8V5xpqYeDv+kKZ1L62NUjDDCtSzL3mXEcFdeNzKLaD1y17ek2RYvL9fm0+7J8rdeoG0t1UDaTgh17Jgo3uLclUfy+uygmo8uqAk8nP3ZRYg+4o4O6phx/5uKh87kgIliFT3IvEZ4zWerlnNfPdn2U4GbgMFjlhtuGIWj+5PN13vKY9sUN+wT3fQKOBhz2J5wXOR9Mg51n3+d6cnMS7ubFssGGHlid0UE5r9LcFSfpuBooUv/jCHAgh8omSI4/D6l4SwiQloyxhJLEBze94t+IlClgv8/P2ZLYCc4OrbnhB9AtN9V97aKvDiOw5vEPMhz4QGZ+zO71+lHF22FNS9ZSqMMe1pJrzSyatkdVCWaiRSPEEShspad+3QbJIxIRXDwpxfL/wAk/To521LjeN22dIi0GvGhz3SRFwhMv1eRoZlaHOoX4/r6CnTkeVLxZJFzd2l06Yz+XybvgDusoRHB3v1ClJ1agg8BNdJW9au2XaqzQQm3bhlQWOmWFP+8WnE4ZyRnWEG3PiMVw882wb7IOZDGnuQBKFWC/NHL5TgJIOngeBer7KeIMnRo0tf5EQG05exB+C+bvHfHiIxCr+M9SAnszOjOR3c9U3U1a1gcWgz57Pe8IZdUQdmw+U5IQhathjpYhM7ba4MdZtz+q7iDj146ZbxkyrZDZFuLRXgtoWQI2fi/wiRJXhLO5KM5BoV1J8WaQH7W7uddSVohhjAYQYOLJBCrX,iv:9oUq1Z2LcmZoQUagqKcBMPU71w6PUKjgZVdZ/cW8yHI=,tag:uyvbfEDgsUcAEekz5DL32w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
+            bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
+            VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
+            OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
+            LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-07-08T20:16:14Z"
+    mac: ENC[AES256_GCM,data:tqmsruedE0vkv2Ueb33p5623Fwhp801fB17I9S+qf+DoGge7JHd4gy1T7eCdL9LjOQNw9uCaKBn6tXH8QQNBpfyfTViHOW/K+nQa3CaQf4lc/Y1IUEaX+/8WRGBm5lAVRpzTHyZ8ytotDXUmyVvgfFLu7UPbyGBOtz0CDp1UIVE=,iv:1DsenhxEQkuSxvUAvo9aFBgwx9026nqack627dH0yzs=,tag:Ha/Trnl9Ndyi1pWpGUsObA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

kubernetes/apps/kube-system/kustomization.yaml

@@ -8,6 +8,7 @@ resources:
   # Flux-Kustomizations
   - ./cilium/ks.yaml
   - ./descheduler/ks.yaml
+  - ./external-secrets/ks.yaml
   - ./intel-gpu/ks.yaml
   - ./kubelet-csr-approver/ks.yaml
   - ./metrics-server/ks.yaml

kubernetes/flux/repositories/helm/external-secrets.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: external-secrets
+  namespace: flux-system
+spec:
+  interval: 2h
+  url: https://charts.external-secrets.io

kubernetes/flux/repositories/helm/kustomization.yaml

@@ -17,6 +17,7 @@ resources:
   - ./dysnix.yaml
   - ./emxq.yaml
   - ./external-dns.yaml
+  - ./external-secrets.yaml
   - ./gitea.yaml
   - ./grafana.yaml
   - ./hajimari.yaml