feat: flux instance

kubernetes/apps/external-secrets/external-secrets/app/helm/kustomizeconfig.yaml

@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease

kubernetes/apps/external-secrets/external-secrets/app/helm/values.yaml

@@ -0,0 +1,21 @@
+---
+installCRDs: true
+replicaCount: 1
+leaderElect: true
+image:
+  repository: ghcr.io/external-secrets/external-secrets
+webhook:
+  image:
+    repository: ghcr.io/external-secrets/external-secrets
+  serviceMonitor:
+    enabled: true
+    interval: 1m
+certController:
+  image:
+    repository: ghcr.io/external-secrets/external-secrets
+  serviceMonitor:
+    enabled: true
+    interval: 1m
+serviceMonitor:
+  enabled: true
+  interval: 1m

kubernetes/apps/external-secrets/external-secrets/app/helmrelease.yaml

@@ -0,0 +1,40 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: external-secrets
+spec:
+  interval: 5m
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy
+  ref:
+    tag: 0.15.1
+  url: oci://ghcr.io/external-secrets/charts/external-secrets
+  verify:
+    provider: cosign
+    matchOIDCIdentity:
+      - issuer: ^https://token.actions.githubusercontent.com$
+        subject: ^https://github.com/external-secrets/external-secrets.*$
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: external-secrets
+spec:
+  interval: 1h
+  chartRef:
+    kind: OCIRepository
+    name: external-secrets
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  valuesFrom:
+    - kind: ConfigMap
+      name: external-secrets-values

kubernetes/apps/external-secrets/external-secrets/app/kustomization.yaml

@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+  - ./helmrelease.yaml
+configMapGenerator:
+  - name: external-secrets-values
+    files:
+      - values.yaml=./helm/values.yaml
+configurations:
+  - ./helm/kustomizeconfig.yaml

kubernetes/apps/external-secrets/external-secrets/ks.yaml

@@ -0,0 +1,52 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app external-secrets
+  namespace: &namespace flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2
+      kind: HelmRelease
+      name: *app
+      namespace: external-secrets
+  interval: 1h
+  path: ./kubernetes/apps/external-secrets/external-secrets/app
+  prune: true
+  retryInterval: 2m
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+    namespace: *namespace
+  targetNamespace: external-secrets
+  timeout: 15m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app external-secrets-stores
+  namespace: &namespace flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  healthCheckExprs:
+    - apiVersion: external-secrets.io/v1beta1
+      kind: ClusterSecretStore
+      failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False')
+      current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')
+  interval: 1h
+  path: ./kubernetes/apps/external-secrets/external-secrets/stores
+  prune: true
+  retryInterval: 2m
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+    namespace: *namespace
+  targetNamespace: external-secrets
+  timeout: 15m

kubernetes/apps/external-secrets/external-secrets/stores/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+  - ./onepassword

kubernetes/apps/external-secrets/external-secrets/stores/onepassword/clustersecretstore.yaml

@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/clustersecretstore_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: onepassword-connect
+spec:
+  provider:
+    onepassword:
+      connectHost: http://onepassword-connect:8080
+      vaults:
+        Kubernetes: 1
+      auth:
+        secretRef:
+          connectTokenSecretRef:
+            name: onepassword-connect-secret
+            key: token
+            namespace: external-secrets

kubernetes/apps/external-secrets/external-secrets/stores/onepassword/helm/kustomizeconfig.yaml

@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease

kubernetes/apps/external-secrets/external-secrets/stores/onepassword/helm/values.yaml

@@ -0,0 +1,111 @@
+---
+controllers:
+  onepassword-connect:
+    annotations:
+      reloader.stakater.com/auto: "true"
+    pod:
+      securityContext:
+        runAsUser: 999
+        runAsGroup: 999
+    containers:
+      app:
+        image:
+          # repository: docker.io/1password/connect-api
+          repository: ghcr.io/haraldkoch/onepassword-connect-api
+          tag: 1.7.3@sha256:257a6ca59b806fec2c9c6df0acaef633a39e600eefba0ba03396554c00e065c1
+        env:
+          OP_BUS_PORT: "11220"
+          OP_BUS_PEERS: localhost:11221
+          OP_HTTP_PORT: &port 8080
+          OP_SESSION:
+            valueFrom:
+              secretKeyRef:
+                name: onepassword-connect-secret
+                key: onepassword-credentials.json
+        probes:
+          liveness:
+            enabled: true
+            custom: true
+            spec:
+              httpGet:
+                path: /heartbeat
+                port: *port
+              initialDelaySeconds: 15
+              periodSeconds: 30
+              failureThreshold: 3
+          readiness:
+            enabled: true
+            custom: true
+            spec:
+              httpGet:
+                path: /health
+                port: *port
+              initialDelaySeconds: 15
+          startup:
+            enabled: false
+        resources:
+          requests:
+            cpu: 5m
+            memory: 10Mi
+          limits:
+            memory: 100Mi
+      sync:
+        # image: docker.io/1password/connect-sync:1.7.0
+        image:
+          repository: ghcr.io/haraldkoch/onepassword-sync
+          tag: 1.7.3@sha256:7e30af4d83e6884981b2d47e6cfe5cca056da20b182e4c4c6def9e8ac65c0982
+        env:
+          - { name: OP_HTTP_PORT, value: &sport 8081 }
+          - { name: OP_BUS_PORT, value: "11221" }
+          - { name: OP_BUS_PEERS, value: localhost:11220 }
+          - name: OP_SESSION
+            valueFrom:
+              secretKeyRef:
+                name: onepassword-connect-secret
+                key: onepassword-credentials.json
+        probes:
+          readiness:
+            enabled: true
+            custom: true
+            spec:
+              httpGet:
+                path: /health
+                port: *sport
+              initialDelaySeconds: 15
+          liveness:
+            enabled: true
+            custom: true
+            spec:
+              httpGet:
+                path: /heartbeat
+                port: *sport
+              failureThreshold: 3
+              periodSeconds: 30
+              initialDelaySeconds: 15
+service:
+  app:
+    controller: onepassword-connect
+    ports:
+      http:
+        port: *port
+# ingress:
+#   app:
+#     enabled: true
+#     className: internal
+#     annotations:
+#       hajimari.io/enable: "false"
+#     hosts:
+#       - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
+#         paths:
+#           - path: /
+#             service:
+#               identifier: app
+#               port: http
+#     tls:
+#       - hosts:
+#           - *host
+persistence:
+  shared:
+    type: emptyDir
+    globalMounts:
+      - path: /home/opuser/.op/data

kubernetes/apps/external-secrets/external-secrets/stores/onepassword/helmrelease.yaml

@@ -0,0 +1,27 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app onepassword-connect
+spec:
+  interval: 30m
+  chartRef:
+    kind: OCIRepository
+    name: app-template
+    namespace: flux-system
+  maxHistory: 2
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  uninstall:
+    keepHistory: false
+  valuesFrom:
+    - kind: ConfigMap
+      name: external-secrets-stores-values

kubernetes/apps/external-secrets/external-secrets/stores/onepassword/kustomization.yaml

@@ -0,0 +1,14 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./clustersecretstore.yaml
+  - ./helmrelease.yaml
+  - ./secret.sops.yaml
+configMapGenerator:
+  - name: external-secrets-stores-values
+    files:
+      - values.yaml=./helm/values.yaml
+configurations:
+  - ./helm/kustomizeconfig.yaml

kubernetes/apps/external-secrets/external-secrets/stores/onepassword/secret.sops.yaml

@@ -0,0 +1,29 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: onepassword-connect-secret
+type: Opaque
+stringData:
+    onepassword-credentials.json: ENC[AES256_GCM,data:vVOz94aHx8jMRGQNw1a0Sio0HI7AVNT9r0nkdaRyRop/20e4lvNU+PyfnlskTdya0Ty62mZNH78Uj2+vXIgh8z5ROzulLx61MKdKSEfQqwwnbZ5mPIgZT6QHTtG/pXHj2IUGW7m0v173avxtpq0PPr5sum9Eg1QNnTSqgSwmmD3D0Q0lY0mxbYA7x5ERd6354nTqV+93f2RHNZ0JIYG72L3xMn+TdaO4TfgmZRSjXsRGCOhfISdEg69d4/NHMAQOSkDT6eoAlbIco5Tel7n4BxGi8Je+EH4J/HdzeHNtQliJuAwXXsrYWS2qaJxoBXTPuBeuVZYohoRUcF2qH8uHYINDR7mrHiByCvtxxKXs33hLTbAHUhCnMUJ4hLqyWZ/tnH5w/EdsSlsMpPVEyBc6xOZZrmL40M4b4M+O++Hoah0Bv2zw3K9JR5EwP6fezuNq0YP6hb9nds9UfZ6RsIAsOKWDt7MaO/cLMRU/0eqCgKX4tnJUM3+t+ns/p27iKGyn4DFtj3HA7wPYmuPfTDhFmA0exG3PaSsV6ITVzbrScqtPyEU8QyWdk5IAUPccZlyWTRr7CKYXtXzbUeYCGmNNsa3VuVKMRoAXTpgT6+ww0h+BVkquednurlgtUNX+nPA7vzIzPuHoQUWZbDL/kGq1rEPHF3MGwkNjLyRvMbh412n5916eNQ+r+0ZN8SZ2SoWN4IRAfa99gXlcBmZ04zPvDIhKJtFwrLgtfnqiqi2FAcILZhNFBv2uxcEFlZ1iKDdJTmue/JPuG4L3hqMcVRuKWSjJSsdYBs4GY4YLy4u+vOeh1hqIzW8zHonh7ukOA/5UfUx/O8OQ+cXY/4bZQgBuLUXaGzT/CLsrdoWW2/Ks7tvcAgJBXxXWHk0PWjLo+OQYbmM5aIjHAJY3uGiq4rjKQbAtaJUUu5dzMDnGdOnh86TJet4bSt6jF6ainaNjYNc4MaJX5zVC7mj78iBvzFa7BfzSzp47hPo3w5OS3/XvJQ1ch15DmDpu2t7MEqxE0KL8qxM0IbcDdC5nVUEBsxqTNndBlwl2a6rPSoukCwf3VBQ5dzbTisxaHyWz5XFbxWhYCtaofrN0opxBH2Abh1oUu6bFFIOsD2iXgtL+GcD+w0LjpTqP54TXRXNXK/IEwNhxuCYQ2skCzBEwQIMd370GF8tGy4jo9ttH3KYR50C6Ugw5ZQc9PcbOEisMSdvOvXl99CDHCbpXdv2nnDSWZ1XZVeiPdymBClMAXzOigaWD/p8YjM8PXOW6Ik7pM4/nIhtzrBaZCehrzntnjevfxAOBgviu4FKWBO4JognerlP/MAjL49P3EDYoy0karHMlCL+UZu2FHkoixM40gG5bQx2bMGUZ9nkzYM1nJz4i2PDQMQi7Mxi0wRi4WOFsRgl9c7gH1Ws6c+Z0O3Uul4pN7NCLtd5hqmYtqUeXIa/egaR9Buv5gmkGnF5+kPu5g5x04yc2UUIGpsD/V05B8jIp3DmMmQSO4Sa3+8c6F4n91QCe74U7Q3zlN59PFYc/Cx9kal80vphAwJ/lRfvlws1OXPtOUKe7iy0VcjJblNAtZwJTpdYE/tJtCBteeIfah9/wPBKSqrzJ4kXz8DldPiCUmWyVcWqjakZT5kYqlgxlk6Nt8/Pu1Tgwpgkl4vzlRhyvuRLfq7jkb78iR0yhPJBT/gBO+RRG/NRZTeYYzGMr/ZRVsOUfPzjnhsTfZTZO5g5SIUT0oCmTnkN440tSGXtW61d/PNSJKH2Wutt6lV+cGkTuHmgRatmh7to0YohrfJcLq19IygUh3QckK0tLCo/DTRjbE7NH1UkqzvDew0NNY+GsrhHMA4wBixQ2UFr6D7Hqx5mkIn/UXTJyXbuLrTHnZ8XfDCZ9HHm5c4nP85vXHxP0f81P6aN4OPArLRKpiGhDdhmCDOFE0kDsjjN5JsXg,iv:6yAbNoRVVpX+IQjCbktN/ukB8a+bhOOAEd45rxgaJYQ=,tag:S3Mi7dKSyxW/OAzkE2GWtA==,type:str]
+    token: ENC[AES256_GCM,data:7yDxo39qbHCTQ2MzZvmRTGTptGlR0Nm0yUJP7pA9lVy3M4w59WY1/47Q0aKxD3tDhs4R549z1cXTfntF8FZe1/YoQr7D15IOx5sa+Ei0OCpzsKLb3ngk8sxxiRbmgo2H2fAkuiEe8lsqHEN7pUrdTMjOX//tsem3bH4XZUJwUdlU6LPrwj6JP7oUKbM+qmJ+1YXcOUhumwork5qWyGC1TrFAKsD2XXqZknkw/qNDcr9Y39ph10hBTT4WRYsrmXLMqKsU0wuD7mfaRHI5ZJmGCsXqXTFavlYHadG0X8gQ/RK4l3sKxxc6Z7w05In8PwSeQOcy09rqZj9rUqCa4x046l7SmW2Ns+gGdDopaJQIRW7uuw0a4kMtnE6FCIuZyz4CqnlUyN2odO7H074tyjQjByFmHiG0udy0+LrfXvXkGV5Rz3qVE1byV84UnbCGYavJDvAq4oDiWq8SRgrLS+VVZeDD11IGx28rKpn465nh1+HmcV8hrHBPD3KkTJCCOg21F+zEnbItsqoICWGcEWVxdtTujfP6yh6RcfuBZPZiAq7oe2tl8fJiLKb1jDHbRWWb/1ailkd9OiamSQosu2bAY7SUNFqI7R8SLByqqImBTcnNQ02ZTJKoYh8GMg87l1ZQe6bYd5AallRNT7YclJFtiH8OzVYK6Kgn7cYBgJQmWbLnLK2ido1jos8gZ8Ti1Uu2pWRw6bnK8ZH/vti6jGnYP8ot2iMT/bOUxDP5hmovuHRrv/J5qjfOXsBRrpHfMEtmF5gaQtgdwXuf2LVvr90lOw+zwz7JWtzXs14QhEnmKtDQMBYO0Ro6HSLS2O3oNEfwlPJdbpU4YJf7wQyTg0/iU3LEdg==,iv:PHJ1zL9f+Ucy+lJN95ILTyXbqOKQecV0sC/env0qk3U=,tag:jkAeCrzx0GWatr9ZFE+/dw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
+            bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
+            VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
+            OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
+            LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-05T12:25:23Z"
+    mac: ENC[AES256_GCM,data:3KguzE81b3dKWytHq52X866gJB2sHvGQYvFs0Rq6wlCLSwhIX/BVUvvuCWLZstBGyTb60HYUWqiu2isHqN4mzRiqHnKRh3qw3bzkNwbLaGa0ITxV5FrDFdrvaWD7PTPGSHTBtFRc9n3vZqDNk54chkx/8jdNKf9blybgnBPqIVM=,iv:xJx7QfBv1Tkz25S050pDgwZ/U/FAvEyL+kkdDif+BJU=,tag:lXR/EsV+/uDJiTb/ZwaycA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.3

kubernetes/apps/external-secrets/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: external-secrets
+resources:
+  - ./external-secrets/ks.yaml