feat(external-secrets): deploy

kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml

@@ -0,0 +1,39 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: external-secrets
+  namespace: kube-system
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: external-secrets
+      version: 0.9.9
+      sourceRef:
+        kind: HelmRepository
+        name: external-secrets-charts
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    installCRDs: true
+    replicaCount: 3
+    leaderElect: true
+    serviceMonitor:
+      enabled: true
+    webhook:
+      serviceMonitor:
+        enabled: true
+    certController:
+      serviceMonitor:
+        enabled: true

kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+  - helmrelease.yaml

kubernetes/apps/kube-system/external-secrets/ks.yaml

@@ -0,0 +1,36 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-external-secrets
+  namespace: flux-system
+spec:
+  path: ./kubernetes/apps/kube-system/external-secrets/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+  wait: true
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-external-secrets-stores
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-external-secrets
+  path: ./kubernetes/apps/kube-system/external-secrets/stores
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+  wait: true

kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+  - onepassword

kubernetes/apps/kube-system/external-secrets/stores/onepassword/clustersecretstore.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: onepassword-connect
+  namespace: kube-system
+spec:
+  provider:
+    onepassword:
+      connectHost: http://onepassword-connect:8080
+      vaults:
+        Kubernetes: 1
+      auth:
+        secretRef:
+          connectTokenSecretRef:
+            name: onepassword-connect-secret
+            key: token
+            namespace: kube-system

kubernetes/apps/kube-system/external-secrets/stores/onepassword/helmrelease.yaml

@@ -0,0 +1,113 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: onepassword-connect
+  namespace: kube-system
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 2.3.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    controllers:
+      main:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        containers:
+          main:
+            image:
+              repository: ghcr.io/mchestr/onepassword-connect-api
+              tag: 1.7.2
+            env:
+              OP_BUS_PORT: "11220"
+              OP_BUS_PEERS: localhost:11221
+              OP_HTTP_PORT: 8080
+              OP_SESSION:
+                valueFrom:
+                  secretKeyRef:
+                    name: onepassword-connect-secret
+                    key: 1password-credentials.json
+            resources:
+              requests:
+                cpu: 5m
+                memory: 10Mi
+              limits:
+                memory: 100Mi
+            probes:
+              liveness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /heartbeat
+                    port: 8080
+                  initialDelaySeconds: 15
+                  periodSeconds: 30
+                  failureThreshold: 3
+              readiness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /health
+                    port: 8080
+                  initialDelaySeconds: 15
+              startup:
+                enabled: false
+          sync:
+            name: sync
+            image:
+              repository: ghcr.io/mchestr/onepassword-sync
+              tag: 1.7.2
+            env:
+              - name: OP_SESSION
+                valueFrom:
+                  secretKeyRef:
+                    name: onepassword-connect-secret
+                    key: 1password-credentials.json
+              - name: OP_HTTP_PORT
+                value: &port 8081
+              - name: OP_BUS_PORT
+                value: "11221"
+              - name: OP_BUS_PEERS
+                value: "localhost:11220"
+            readinessProbe:
+              httpGet:
+                path: /health
+                port: *port
+              initialDelaySeconds: 15
+            livenessProbe:
+              httpGet:
+                path: /heartbeat
+                port: *port
+              failureThreshold: 3
+              periodSeconds: 30
+              initialDelaySeconds: 15
+    service:
+      main:
+        ports:
+          http:
+            port: 8080
+    persistence:
+      shared:
+        enabled: true
+        type: emptyDir
+        globalMounts:
+          - path: /home/opuser/.op/data

kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+  - secret.sops.yaml
+  - helmrelease.yaml
+  - clustersecretstore.yaml

kubernetes/apps/kube-system/external-secrets/stores/onepassword/secret.sops.yaml

@@ -0,0 +1,29 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: onepassword-connect-secret
+    namespace: kube-system
+stringData:
+    1password-credentials.json: ENC[AES256_GCM,data:6L/D0Uz2KyjQd0egHfkcdmBs/scMujBrBef8KROsVjbQUiUgYYGTWeKU05sYwpMf3OYgyctWMQgPqf37ZDJlHjGpJbPEXGmqx3S8u6mm0VW2FJbIot3dlJga3yYkNSUTbzOz2Zk40AEY1WVwssGovm3BP81tabe/bw8U2sH9qxBfrrgNJus1lvjcjVQX3s8IKHalfo/zV/rQXGCKGZ+8G/M2Qm4kI+BixGsyLMuMqY+pzcU1WYJI29N3R3VN5UByXTsej+kqgzZOIOcaBo9tg28sYTNYNcQ/Hgj5i/K7Ycjutw4+GCinLoXxJ9Mlilx7GFZUd2zkF7ra5gtei8i5bnrjyPR2eZrE22P9foa7zvaU+okWurCxx1f7RipfUB7DdZ5b2SzDnWxu19lBOYuBJq/MNjc8Nz5VV9TWSS6ALcnlcqQOGPEkZLDJ0k+KYfXWBDc0ZWMMAWiRcagz7m2xE3zvb2u4rvOPSkcPjDOFZCrl4LuTAPRDPnJ1dSfFXE6KCaECeDBnkQUajEb5EP5nCrZNZcpiIcz2ZLFJ1luhASmcmMtSxgoH32zJRSGo2kuuF8o3IkZGyaVaN/xUzzlVTlCctbNKrjO5bcnPhhY0+rl1M11BcgNOEt+vXrmibgzbHVuroNplsWyyodRNHVJ4D4PapFQBR0pUkQ6mlLAC10N7Ny+Hwl7k49ltQBoyJr9QrLLt02ms9kJJjAy5JSVlqx9ZNXxiYiXekNmX28RpzoNE76a1+SJ9h9fQKW8/iBxLz1HtMq55/OebR1AFG2YO1lQSQQ1XZV1g1mC7/KH/RpNfc/KTWD16R6VQjJ60sZDMk5SHNzXgSRSB/u2MABBskPxjONvks6MWh03KNr6vy6gZXPZ7c+6jy1XlcIHfcr3hyJAEAFlcQEGmEcWPR0QUGjb7mYIesEMoTM9SxUkfsdI476iqwlfmTNY0/Fc9akNY0ft4aVrkuzTDbAgOtaI2/OX9AtEnjEkQm4tjynvCmZ6Ovz6la1yOQgs3rNFkMtZy+VBmUpOH6Uhk//j0zGapM2iuiFzg/wlwQPjiXwISl8YLRQbXRznlf/KT/IfgHu3wafEYH6+7ofym91jjZE/zvBbgTDcYU5kI1+9+yB7VXcwTEjJBwQ30ujLiXi38WvwPdg9/hfbQm/f7HM0ZymQCuMSV12KaNLs0TJ1a5AsWMPaquGgdgTrS2OExN+dbjdtJ062oxWdWNf4dSJrz2jMhQWxUdMPM3eb/w8Dgb3Sk2nLa3XrQK3SMHMXd4YZ1du0zYmoY54RNLLdqo13PZoIS+bQpZN/tcMHUp0r/kjzn3VtPUBGh1KRoy8cLG1CeYCClFiA0wXQB5bCKy5d3AxSe1BQzMKyHEYnMzNIGc2rKA423nk9tdMlxD9e/h8CRHKeahdM8NAGPp6T4xwaolCUkT5jwzlrCE7t9wzzvnUVJNdSJbmGD8BwkblCXVtRs9nkgftOFJGeRrMDVStSc6h/C3o6lznxMuI4dt03NHtpKXVYo3uH7pdTTPnGReA9Aw2ctewRGeYr+nPnzhbnqOnxl8crBT3qFJNw/ZE/JWMyy0GZ6LWO1AzYFN8CF6y5K8E5tC9LppFPR/xJwElNsQ3+/BsupDn9+AHs4I8ysFUa6arUnmplQCXcGlc7JdfTvEa5ghLj95aKj2hkgjFQjCy1Ylwo3FscWHhxgPafOBpyHEEsptfifnbaYta+xSmLe2w4X2HRsWpFQV2dHFDmNFLGdxEnrF6zGtK5VKA2EESdu5Lrt/1oBb8uhYewOtnAReGkgJV9AaBOCtlXgVFruRWF+HG14RrDK85njejR6oqxJATL+ehMENynanGti677Pl14qY+7xnoANh16QKbadlq7SO5HwWthFV7lnzrp0VhB0VcPRL6CAU8pFP97cOJF5/AEeCc3sj5M51xC0iIPVQvqMbRYfHe8Iu3bZSPWyBouTAh3Po5cMJVUvLVxfypQ8w4gsiGsWnAET3W+MKJvzOtSGpg==,iv:I8peatRaJMvviImtK2NBu4Whg21E7LHgW0MynenGZAM=,tag:pkwoKqsdSvkGOOxeZ9+ubw==,type:str]
+    token: ENC[AES256_GCM,data:PLQXQAdaI1N0ftvOKC8XR4oYoUVPJWyGgJ9wr3r+6bWduXs412XAP31YFXDFKXhRKPTM6PH9olxDzEoFbFAFRp5XRRLthkae5Ab3jeNQzFIEMsYXlu6w4jiT7j1nedyptaW4UhdWtMH5pz+daibo8G+IDMwOAY7UjPvTn7xy75Qd1JLPL5RyBYRiiCfCWMlqXldTviOvGEdqFvxiS9Z8A+xylwumxgz9xA0yLmIfXZ4ETm8bdQU2bBVLHgumTA4OhR1wnsGw16rq2P0Vn5MzRVjFrEa5rw5KeGsggbb54cJp9CQev2kyltgVlcmEfoPdrdQaFJHr98Z/F0at1AUMtSJG4UpFxsCtN0pW5yBQx3wB7704uLE/Js5MFdVQnEwOioDCvZXMaZBOnvdacnx5c9HPtuBLIQx+7rZSYYtFOGEDXqT2w28i0B3dIC2PC17RQ8PH2hj4lFlcJfzyYP/eaBZl8WqXlMcK38bkgfpJLIwO9soOKE+cuDjhFqkgrMYd6Tzw4fHf6XYv0mtNpTcichNy7Xt/rh1H0fc7KmxiomNp2zzpuESgWfrxxaQ9NqbHP50yKuCaBH230CYMB82ecu2pzvRS6u+5GZoMWYqWvmCij4Er9J0jQFwtrLXSJHD00orkII/d1pfUJu+k1xhGS2Vcw1Yb/U/Ko4Ae4Dn54FPT19EeRnaNOjwOCnOPD3hwgMFg95Ob0t9yI35HlM1lgItfh0AIz/KRAbUW1byUMrCrlYd+/lIEimSKnIYVleEgRPC99oie2KfydtZ4Q7/40cCNWmSx2j8SbCaDoOlozrFitEKEntcQ6NjO/qlND2GxCxAJqeitToVYkuJZHknMuZv/5JBf,iv:86huK9LXfHqyCclGnENzygUps8bkacZnx9vKu4un48I=,tag:sdlof98NT2w8fJXUO8H8hQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1td266h3akjy3a238jw5kwhpkwlyj54am3gjfg9hy62748wtxlflqtfx2pl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmTUVhRURjMGE3Z2I3MHFL
+            TW9vN0JQb1N3VEs5bU5qQ2RzUjUvTkpNOWdJCkowMCticDkwUjNyTGV0VjJXWmly
+            M1VYWEdxZlVlTUN1SVNSbXYxdE5jTU0KLS0tIDBPQVZuZmIrZGdZL2hsNnA0cW5n
+            Tm9URVNTR1dtNjRvQ2RPTnJJV1p6M0EKu385X0v521YIiz/6/sxtAqpgYANxLlXR
+            Obm4JfWzELfAtCeufIbrYtii3JplXWZTYCaLNbC/N71XgxHpn+YxIw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-04T02:41:24Z"
+    mac: ENC[AES256_GCM,data:dSg9uRBIaG4rGQa0MHZfw7uRUeJ+D8Pi129PnUSBuUZO/0tEr5GmiOzWdvr6A0PwHnuozNR07ie71m+COIeZ/0ZgQA4tqXJccSgcrzFfsUbf0u08v9SGNY+m2Q7DFwE7oLhkc+TrNojn6tXlp6DWo5/iuVmYPi+Jftb9y4MEpG4=,iv:Jw9H1ZyuozPvoj1cDyp5AJooxzw5ERXGFFIo+B6yMAk=,tag:X7QVjePZ4VQVhYertA4baQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

kubernetes/apps/kube-system/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
   - ./namespace.yaml
   - ./cilium/ks.yaml
   - ./coredns/ks.yaml
+  - ./external-secrets/ks.yaml
   - ./local-path-provisioner/ks.yaml
   - ./metrics-server/ks.yaml
   - ./reloader/ks.yaml

kubernetes/flux/repositories/helm/external-secrets-charts.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: external-secrets-charts
+  namespace: flux-system
+spec:
+  interval: 2h
+  url: https://charts.external-secrets.io

kubernetes/flux/repositories/helm/kustomization.yaml

@@ -9,6 +9,7 @@ resources:
   - ./csi-driver-nfs.yaml
   - ./democratic-csi.yaml
   - ./external-dns.yaml
+  - ./external-secrets-charts.yaml
   - ./grafana.yaml
   - ./hajimari.yaml
   - ./ingress-nginx.yaml