diff --git a/kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml b/kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml
new file mode 100644
index 0000000..574151b
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: external-secrets
+ namespace: kube-system
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: external-secrets
+ version: 0.9.9
+ sourceRef:
+ kind: HelmRepository
+ name: external-secrets-charts
+ namespace: flux-system
+ maxHistory: 2
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ values:
+ installCRDs: true
+ replicaCount: 3
+ leaderElect: true
+ serviceMonitor:
+ enabled: true
+ webhook:
+ serviceMonitor:
+ enabled: true
+ certController:
+ serviceMonitor:
+ enabled: true
diff --git a/kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml b/kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml
new file mode 100644
index 0000000..a767ce4
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+ - helmrelease.yaml
diff --git a/kubernetes/apps/kube-system/external-secrets/ks.yaml b/kubernetes/apps/kube-system/external-secrets/ks.yaml
new file mode 100644
index 0000000..f1e18a9
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/ks.yaml
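Review bot: The three `serviceMonitor.enabled: true` toggles under `values` make the chart render `ServiceMonitor` objects, so this release cannot install on a cluster where the Prometheus Operator CRDs are not yet present, and with `remediation.retries: 3` it will end up in a failed state rather than retrying indefinitely. The Flux Kustomization that applies this HelmRelease (`cluster-apps-external-secrets` in ks.yaml) declares no `dependsOn`, so nothing in this commit orders the monitoring stack before it; either add a `dependsOn` on the Kustomization that ships those CRDs or keep the toggles at `false` until it exists. A one-line comment above `values` stating the assumption would help the next reader, e.g. `# ServiceMonitor CRDs must exist before this release installs`.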
@@ -0,0 +1,36 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cluster-apps-external-secrets
+ namespace: flux-system
+spec:
+ path: ./kubernetes/apps/kube-system/external-secrets/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+ wait: true
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cluster-apps-external-secrets-stores
+ namespace: flux-system
+ labels:
+ substitution.flux.home.arpa/enabled: "true"
+spec:
+ dependsOn:
+ - name: cluster-apps-external-secrets
+ path: ./kubernetes/apps/kube-system/external-secrets/stores
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+ wait: true
diff --git a/kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml b/kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml
new file mode 100644
index 0000000..9c1645a
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+ - onepassword
diff --git a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/clustersecretstore.yaml b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/clustersecretstore.yaml
new file mode 100644
index 0000000..a9f6dd9
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/clustersecretstore.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: onepassword-connect
+ namespace: kube-system
+spec:
+ provider:
+ onepassword:
+ connectHost: http://onepassword-connect:8080
+ vaults:
+ Kubernetes: 1
+ auth:
+ secretRef:
+ connectTokenSecretRef:
+ name: onepassword-connect-secret
+ key: token
+ namespace: kube-system
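Review bot: The `cluster-apps-external-secrets-stores` Kustomization carries no `spec.decryption`, yet the tree it applies (`./kubernetes/apps/kube-system/external-secrets/stores`) pulls in `secret.sops.yaml` through the onepassword kustomization; unless the `substitution.flux.home.arpa/enabled: "true"` label is matched by a patch in the parent Flux Kustomization that injects `decryption` and `postBuild.substituteFrom`, kustomize-controller will apply the SOPS ciphertext as the Secret's `stringData` and the Connect pods will start with garbage credentials. If that patch is what supplies it, a comment above `labels` would spare the next reader the lookup, e.g. `# label matched by the cluster-apps patch that adds SOPS decryption and variable substitution`; otherwise add `decryption: {provider: sops, secretRef: {name: <sops-age-key-secret>}}` under `spec` of this second Kustomization. The `dependsOn` on `cluster-apps-external-secrets` is correct, since the `ClusterSecretStore` CRD has to exist before the stores tree can apply.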
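Review bot: A `ClusterSecretStore` is cluster-scoped, so as written any `ExternalSecret` in any namespace can reference `onepassword-connect` and pull items from the `Kubernetes` vault with the token held in kube-system; if only a known set of namespaces should be able to do that, add `spec.conditions` with a `namespaces` list or a `namespaceSelector` to restrict which namespaces may use the store. `connectHost` is plain `http://`, so the bearer token the controller presents travels unencrypted across the cluster network; that is tolerable for an in-namespace hop, but a NetworkPolicy admitting only the external-secrets pods to the `onepassword-connect` Service would limit who can sit on that path. The `metadata.namespace: kube-system` on this object has no meaning for a cluster-scoped kind (the kustomization's `namespace:` would stamp it on anyway), so it can be dropped to avoid implying the store is namespaced.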
diff --git a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/helmrelease.yaml b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/helmrelease.yaml
new file mode 100644
index 0000000..d9df723
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/helmrelease.yaml
@@ -0,0 +1,113 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: onepassword-connect
+ namespace: kube-system
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 2.3.0
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ maxHistory: 2
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ values:
+ controllers:
+ main:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ containers:
+ main:
+ image:
+ repository: ghcr.io/mchestr/onepassword-connect-api
+ tag: 1.7.2
+ env:
+ OP_BUS_PORT: "11220"
+ OP_BUS_PEERS: localhost:11221
+ OP_HTTP_PORT: 8080
+ OP_SESSION:
+ valueFrom:
+ secretKeyRef:
+ name: onepassword-connect-secret
+ key: 1password-credentials.json
+ resources:
+ requests:
+ cpu: 5m
+ memory: 10Mi
+ limits:
+ memory: 100Mi
+ probes:
+ liveness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /heartbeat
+ port: 8080
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ failureThreshold: 3
+ readiness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /health
+ port: 8080
+ initialDelaySeconds: 15
+ startup:
+ enabled: false
+ sync:
+ name: sync
+ image:
+ repository: ghcr.io/mchestr/onepassword-sync
+ tag: 1.7.2
+ env:
+ - name: OP_SESSION
+ valueFrom:
+ secretKeyRef:
+ name: onepassword-connect-secret
+ key: 1password-credentials.json
+ - name: OP_HTTP_PORT
+ value: &port 8081
+ - name: OP_BUS_PORT
+ value: "11221"
+ - name: OP_BUS_PEERS
+ value: "localhost:11220"
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: *port
+ initialDelaySeconds: 15
+ livenessProbe:
+ httpGet:
+ path: /heartbeat
+ port: *port
+ failureThreshold: 3
+ periodSeconds: 30
+ initialDelaySeconds: 15
+ service:
+ main:
+ ports:
+ http:
+ port: 8080
+ persistence:
+ shared:
+ enabled: true
+ type: emptyDir
+ globalMounts:
+ - path: /home/opuser/.op/data
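Review bot: Both containers pull from `ghcr.io/mchestr/onepassword-connect-api` and `ghcr.io/mchestr/onepassword-sync` by mutable tag `1.7.2` with no digest; the vendor publishes these as `1password/connect-api` and `1password/connect-sync`, so if the ghcr images are a personal mirror, the component that holds the vault credentials now trusts that account's push access — pin with `tag: 1.7.2@sha256:<image-digest>` or point `repository` at the vendor images. Neither container nor the pod sets a `securityContext`; `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` look workable here because the only writable path the chart mounts is the `shared` emptyDir at `/home/opuser/.op/data` (confirm the images write nowhere else). `OP_HTTP_PORT: 8080` in `main` and `value: &port 8081` in `sync` are YAML integers while the neighbouring `OP_BUS_PORT` values are quoted; `EnvVar.value` is a string in the Kubernetes API, so this relies on app-template stringifying scalars — quoting both and keeping a separate integer for the probe `port` removes that dependency and makes the env block consistent. The `sync` container also has no `resources`, unlike `main`.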
diff --git a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml
new file mode 100644
index 0000000..9acb560
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+ - secret.sops.yaml
+ - helmrelease.yaml
+ - clustersecretstore.yaml
diff --git a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/secret.sops.yaml b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/secret.sops.yaml
new file mode 100644
index 0000000..4706e1c
--- /dev/null
+++ b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/secret.sops.yaml
@@ -0,0 +1,29 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+ name: onepassword-connect-secret
+ namespace: kube-system
+stringData:
+ 1password-credentials.json: ENC[AES256_GCM,data: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,iv:I8peatRaJMvviImtK2NBu4Whg21E7LHgW0MynenGZAM=,tag:pkwoKqsdSvkGOOxeZ9+ubw==,type:str]
+ token: ENC[AES256_GCM,data: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,iv:86huK9LXfHqyCclGnENzygUps8bkacZnx9vKu4un48I=,tag:sdlof98NT2w8fJXUO8H8hQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1td266h3akjy3a238jw5kwhpkwlyj54am3gjfg9hy62748wtxlflqtfx2pl
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmTUVhRURjMGE3Z2I3MHFL
+ TW9vN0JQb1N3VEs5bU5qQ2RzUjUvTkpNOWdJCkowMCticDkwUjNyTGV0VjJXWmly
+ M1VYWEdxZlVlTUN1SVNSbXYxdE5jTU0KLS0tIDBPQVZuZmIrZGdZL2hsNnA0cW5n
+ Tm9URVNTR1dtNjRvQ2RPTnJJV1p6M0EKu385X0v521YIiz/6/sxtAqpgYANxLlXR
+ Obm4JfWzELfAtCeufIbrYtii3JplXWZTYCaLNbC/N71XgxHpn+YxIw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-12-04T02:41:24Z"
+ mac: ENC[AES256_GCM,data:dSg9uRBIaG4rGQa0MHZfw7uRUeJ+D8Pi129PnUSBuUZO/0tEr5GmiOzWdvr6A0PwHnuozNR07ie71m+COIeZ/0ZgQA4tqXJccSgcrzFfsUbf0u08v9SGNY+m2Q7DFwE7oLhkc+TrNojn6tXlp6DWo5/iuVmYPi+Jftb9y4MEpG4=,iv:Jw9H1ZyuozPvoj1cDyp5AJooxzw5ERXGFFIo+B6yMAk=,tag:X7QVjePZ4VQVhYertA4baQ==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml
index 860ff1b..b511f8b 100644
--- a/kubernetes/apps/kube-system/kustomization.yaml
+++ b/kubernetes/apps/kube-system/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
 - ./namespace.yaml
 - ./cilium/ks.yaml
 - ./coredns/ks.yaml
+ - ./external-secrets/ks.yaml
 - ./local-path-provisioner/ks.yaml
 - ./metrics-server/ks.yaml
 - ./reloader/ks.yaml
diff --git a/kubernetes/flux/repositories/helm/external-secrets-charts.yaml b/kubernetes/flux/repositories/helm/external-secrets-charts.yaml
new file mode 100644
index 0000000..03bce1e
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/external-secrets-charts.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: external-secrets-charts
+ namespace: flux-system
+spec:
+ interval: 2h
+ url: https://charts.external-secrets.io
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml
index 8dc06cc..7fe1793 100644
--- a/kubernetes/flux/repositories/helm/kustomization.yaml
+++ b/kubernetes/flux/repositories/helm/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
 - ./csi-driver-nfs.yaml
 - ./democratic-csi.yaml
 - ./external-dns.yaml
+ - ./external-secrets-charts.yaml
 - ./grafana.yaml
 - ./hajimari.yaml
 - ./ingress-nginx.yaml