diff --git a/kubernetes/teyvat/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml b/kubernetes/teyvat/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml
index edd4d35871..ee9647443a 100644
--- a/kubernetes/teyvat/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml
@@ -1,4 +1,4 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
diff --git a/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/externalsecret.yaml b/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/externalsecret.yaml
index f55b062dc6..c79bf1191f 100644
--- a/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/externalsecret.yaml
@@ -1,21 +1,19 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: cert-manager-secret
+ name: &name cloudflare
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
- api-token: "{{ .api_token }}"
- data:
- - secretKey: api_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
- property: api_token
+ CLOUDFLARE_API_KEY: "{{ .CLOUDFLARE_API_KEY }}"
+ dataFrom:
+ - extract:
+ key: cloudflare
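Review bot: Dropping `deletionPolicy: Delete` from `target:` (the removed line after `target:`) changes what happens to the rendered Secret when this ExternalSecret is deleted, because the ESO default for `target.deletionPolicy` is `Retain`, so the Secret carrying the Cloudflare API token would now be left behind in the namespace. If the old cleanup behaviour is still wanted, add `deletionPolicy: Delete` back under `target:` next to `name: *name`. The same line is removed in the cloudnative-pg, atuin, paperless, bazarr, prowlarr and radarr externalsecret hunks of this commit. As a point of style, `name: *name` restates the default (the target Secret already takes the ExternalSecret's name), so the anchor/alias pair adds little beyond visual noise.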
diff --git a/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/issuers.yaml b/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/issuers.yaml
index 1cf7148ac5..941ae1582a 100644
--- a/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/issuers.yaml
+++ b/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/issuers.yaml
@@ -12,8 +12,8 @@ spec:
- dns01:
cloudflare:
apiTokenSecretRef:
- name: cert-manager-secret
- key: api-token
+ name: cloudflare
+ key: CLOUDFLARE_API_KEY
selector:
dnsZones:
- "${SECRET_DOMAIN}"
@@ -32,8 +32,8 @@ spec:
- dns01:
cloudflare:
apiTokenSecretRef:
- name: cert-manager-secret
- key: api-token
+ name: cloudflare
+ key: CLOUDFLARE_API_KEY
selector:
dnsZones:
- "${SECRET_DOMAIN}"
diff --git a/kubernetes/teyvat/apps/database/cloudnative-pg/app/externalsecret.yaml b/kubernetes/teyvat/apps/database/cloudnative-pg/app/externalsecret.yaml
index e23ef74ea3..ea2b3ed4ab 100644
--- a/kubernetes/teyvat/apps/database/cloudnative-pg/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/database/cloudnative-pg/app/externalsecret.yaml
@@ -1,51 +1,25 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: cloudnative-pg-secret
+ name: &name cloudnative-pg
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
+ engineVersion: v2
metadata:
labels:
cnpg.io/reload: "true"
- type: kubernetes.io/basic-auth
data:
- username: "{{ .super_user }}"
- password: "{{ .super_pass }}"
- aws-access-key-id: "{{ .access_key }}"
- aws-secret-access-key: "{{ .secret_key }}"
- data:
- - secretKey: super_user
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: super_pass
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
- - secretKey: access_key
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: eff71b07-9389-4874-923b-b0560025ea51
- property: username
- - secretKey: secret_key
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: eff71b07-9389-4874-923b-b0560025ea51
- property: password
+ username: "{{ .POSTGRES_SUPER_USER }}"
+ password: "{{ .POSTGRES_SUPER_PASS }}"
+ aws-access-key-id: "{{ .POSTGRES_BUCKET_USER }}"
+ aws-secret-access-key: "{{ .POSTGRES_BUCKET_PASS }}"
+ dataFrom:
+ - extract:
+ key: cloudnative-pg
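Review bot: Removing `type: kubernetes.io/basic-auth` from `template:` makes the rendered Secret default to `Opaque`, and this Secret is the one `superuserSecret` in cluster.yaml now points at; CloudNativePG documents that credential secrets it consumes are expected to be of type `kubernetes.io/basic-auth`, so this looks like it could break the superuser reference — worth confirming against the CNPG version in use before merging. The one-line fix is to restore `type: kubernetes.io/basic-auth` under `template:` next to `engineVersion: v2`. Separately, the Bitwarden entry `cloudnative-pg` now bundles the superuser login with the S3 bucket credentials (`POSTGRES_BUCKET_USER`/`POSTGRES_BUCKET_PASS`), and that whole entry is extracted by several app ExternalSecrets elsewhere in this commit; keeping the backup credentials in a separate entry would keep each consumer scoped to what it renders.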
diff --git a/kubernetes/teyvat/apps/database/cloudnative-pg/cluster/cluster.yaml b/kubernetes/teyvat/apps/database/cloudnative-pg/cluster/cluster.yaml
index 91b3f98579..e5c2e339a2 100644
--- a/kubernetes/teyvat/apps/database/cloudnative-pg/cluster/cluster.yaml
+++ b/kubernetes/teyvat/apps/database/cloudnative-pg/cluster/cluster.yaml
@@ -12,7 +12,7 @@ spec:
size: 20Gi
storageClass: local-hostpath
superuserSecret:
- name: cloudnative-pg-secret
+ name: cloudnative-pg
enableSuperuserAccess: true
postgresql:
parameters:
@@ -46,10 +46,10 @@ spec:
serverName: ¤tCluster postgres-v4
s3Credentials:
accessKeyId:
- name: cloudnative-pg-secret
+ name: cloudnative-pg
key: aws-access-key-id
secretAccessKey:
- name: cloudnative-pg-secret
+ name: cloudnative-pg
key: aws-secret-access-key
# # Note: previousCluster needs to be set to the name of the previous
# # cluster when recovering from an existing cnpg cluster
diff --git a/kubernetes/teyvat/apps/default/atuin/app/externalsecret.yaml b/kubernetes/teyvat/apps/default/atuin/app/externalsecret.yaml
index 1ee4c6ea81..3d20beb8e3 100644
--- a/kubernetes/teyvat/apps/default/atuin/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/default/atuin/app/externalsecret.yaml
@@ -1,14 +1,17 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: atuin
+ name: &name atuin
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
ATUIN_DB_URI: |-
postgres://{{ .ATUIN_POSTGRES_USER }}:{{ .ATUIN_POSTGRES_PASS }}@postgres-rw.database.svc.cluster.local/atuin
@@ -17,28 +20,8 @@ spec:
INIT_POSTGRES_USER: "{{ .ATUIN_POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .ATUIN_POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: ATUIN_POSTGRES_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: eeda4d11-e092-429a-9bc0-b0f300fa39cf
- property: username
- - secretKey: ATUIN_POSTGRES_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: eeda4d11-e092-429a-9bc0-b0f300fa39cf
- property: password
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: atuin
+ - extract:
+ key: cloudnative-pg
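Review bot: The second `dataFrom` extract pulls the entire `cloudnative-pg` Bitwarden entry into this ExternalSecret's template context even though the template only references `.POSTGRES_SUPER_PASS`; per the cloudnative-pg externalsecret hunk that entry also holds the S3 bucket credentials, and because extracts are merged in order any key it shares with the `atuin` entry silently wins. The template's `mergePolicy` default means only templated keys are written to the Secret, so nothing extra is exposed today, but the render context is wider than it needs to be and a future keyless template would dump all of it. A narrower form fetches just the one property with a `data:` entry instead of the second extract; the same pattern applies to the paperless, bazarr, prowlarr and radarr externalsecret hunks (paperless also needs `POSTGRES_SUPER_USER`).
```yaml
  dataFrom:
    - extract:
        key: atuin
  data:
    - secretKey: POSTGRES_SUPER_PASS
      remoteRef:
        key: cloudnative-pg
        property: POSTGRES_SUPER_PASS
```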
diff --git a/kubernetes/teyvat/apps/default/homepage/app/externalsecret.yaml b/kubernetes/teyvat/apps/default/homepage/app/externalsecret.yaml
index 766bbc4824..0a6502580f 100644
--- a/kubernetes/teyvat/apps/default/homepage/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/default/homepage/app/externalsecret.yaml
@@ -1,4 +1,4 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
@@ -44,233 +44,233 @@ spec:
## Security
HOMEPAGE_VAR_AUTHENTIK_TOKEN: "{{ .authentik_token }}"
data:
- ## Non Cluster
- - secretKey: cloudflare_accountid
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
- property: account_id
- - secretKey: cloudflare_tunnelid
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
- property: tunnel_id
- - secretKey: cloudflare_key
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
- property: api_token
- - secretKey: pihole_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 27fe4940-03ac-4718-815a-b0200144dda7
- property: token
- - secretKey: nextdns_id
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: dc5c6a13-709f-455b-b2af-b04200dad40d
- property: ID
- - secretKey: nextdns_api
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: dc5c6a13-709f-455b-b2af-b04200dad40d
- property: API
- - secretKey: portainer_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7b792cef-9d6d-48f1-9fe0-acfa010ac442
- property: token
- - secretKey: unifi_user
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 02cfb975-77dc-46fb-96b2-afd60023b1a1
- property: username
- - secretKey: unifi_pass
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 02cfb975-77dc-46fb-96b2-afd60023b1a1
- property: password
- ## Default
- - secretKey: hass_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: b3582fd9-4e36-4adf-83b3-adec011a84fd
- property: token
- ## Downloads
- - secretKey: bazarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: dd1001b2-9c2e-409b-ab81-afd500d9ba6a
- property: token
- - secretKey: kapowarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 01806b71-fed2-4214-a80f-b04500fc17c5
- property: token
- - secretKey: mylar_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: cfe083fb-6377-49fa-ad0f-b02001445f7c
- property: token
- - secretKey: prowlarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7fa0147f-6ab6-44b1-9ba2-af8f01172e77
- property: token
- - secretKey: qbittorrent_username
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7bda7d2b-e9d8-4699-b43a-afc50017aab5
- property: username
- - secretKey: qbittorrent_password
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7bda7d2b-e9d8-4699-b43a-afc50017aab5
- property: password
- - secretKey: radarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 33a5fd65-38fb-40d6-b4a6-ac6e00f706e3
- property: token
- - secretKey: readarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f8621570-ad69-40ef-8315-afd500df25b3
- property: token
- - secretKey: sabnzbd_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 11eae6bf-761a-433f-ad9a-ac6e00f706e3
- property: api_token
- - secretKey: sonarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f131edf2-177b-4284-b606-ac6e00f706e3
- property: token
- ## Media
- - secretKey: overseerr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: d6c7ed5d-dc6c-4a61-8df5-afd500e1d0ef
- property: token
- - secretKey: plex_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5f4a73e9-dbaa-47bf-a5f2-ac6e00f706e3
- property: token
- - secretKey: tautulli_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 9be660f2-f018-41fa-91db-afd500dfc709
- property: k8s_token
- - secretKey: kavita_username
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 675ec17c-ab29-48fe-a7e8-b0050110a1a7
- property: username
- - secretKey: kavita_password
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 675ec17c-ab29-48fe-a7e8-b0050110a1a7
- property: password
- ## Monitoring
- - secretKey: grafana_username
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: username
- - secretKey: grafana_password
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: password
- ## Security
- - secretKey: authentik_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 3ff34fd7-ec65-436c-865c-afcf0104ce37
- property: token
+ ## Non Cluster
+ - secretKey: cloudflare_accountid
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
+ property: account_id
+ - secretKey: cloudflare_tunnelid
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
+ property: tunnel_id
+ - secretKey: cloudflare_key
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
+ property: api_token
+ - secretKey: pihole_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 27fe4940-03ac-4718-815a-b0200144dda7
+ property: token
+ - secretKey: nextdns_id
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: dc5c6a13-709f-455b-b2af-b04200dad40d
+ property: ID
+ - secretKey: nextdns_api
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: dc5c6a13-709f-455b-b2af-b04200dad40d
+ property: API
+ - secretKey: portainer_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 7b792cef-9d6d-48f1-9fe0-acfa010ac442
+ property: token
+ - secretKey: unifi_user
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 02cfb975-77dc-46fb-96b2-afd60023b1a1
+ property: username
+ - secretKey: unifi_pass
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 02cfb975-77dc-46fb-96b2-afd60023b1a1
+ property: password
+ ## Default
+ - secretKey: hass_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: b3582fd9-4e36-4adf-83b3-adec011a84fd
+ property: token
+ ## Downloads
+ - secretKey: bazarr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: dd1001b2-9c2e-409b-ab81-afd500d9ba6a
+ property: token
+ - secretKey: kapowarr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 01806b71-fed2-4214-a80f-b04500fc17c5
+ property: token
+ - secretKey: mylar_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: cfe083fb-6377-49fa-ad0f-b02001445f7c
+ property: token
+ - secretKey: prowlarr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 7fa0147f-6ab6-44b1-9ba2-af8f01172e77
+ property: token
+ - secretKey: qbittorrent_username
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 7bda7d2b-e9d8-4699-b43a-afc50017aab5
+ property: username
+ - secretKey: qbittorrent_password
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 7bda7d2b-e9d8-4699-b43a-afc50017aab5
+ property: password
+ - secretKey: radarr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 33a5fd65-38fb-40d6-b4a6-ac6e00f706e3
+ property: token
+ - secretKey: readarr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: f8621570-ad69-40ef-8315-afd500df25b3
+ property: token
+ - secretKey: sabnzbd_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 11eae6bf-761a-433f-ad9a-ac6e00f706e3
+ property: api_token
+ - secretKey: sonarr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: f131edf2-177b-4284-b606-ac6e00f706e3
+ property: token
+ ## Media
+ - secretKey: overseerr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: d6c7ed5d-dc6c-4a61-8df5-afd500e1d0ef
+ property: token
+ - secretKey: plex_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 5f4a73e9-dbaa-47bf-a5f2-ac6e00f706e3
+ property: token
+ - secretKey: tautulli_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 9be660f2-f018-41fa-91db-afd500dfc709
+ property: k8s_token
+ - secretKey: kavita_username
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 675ec17c-ab29-48fe-a7e8-b0050110a1a7
+ property: username
+ - secretKey: kavita_password
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 675ec17c-ab29-48fe-a7e8-b0050110a1a7
+ property: password
+ ## Monitoring
+ - secretKey: grafana_username
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: b36a66be-7898-4003-902a-afc701166ed9
+ property: username
+ - secretKey: grafana_password
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: b36a66be-7898-4003-902a-afc701166ed9
+ property: password
+ ## Security
+ - secretKey: authentik_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 3ff34fd7-ec65-436c-865c-afcf0104ce37
+ property: token
diff --git a/kubernetes/teyvat/apps/default/paperless/app/externalsecret.yaml b/kubernetes/teyvat/apps/default/paperless/app/externalsecret.yaml
index f1d941798b..550f84d328 100644
--- a/kubernetes/teyvat/apps/default/paperless/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/default/paperless/app/externalsecret.yaml
@@ -1,13 +1,17 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: paperless-secret
+ name: &name paperless
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# App
PAPERLESS_DBENGINE: postgresql
@@ -26,60 +30,8 @@ spec:
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_USER: "{{ .POSTGRES_SUPER_USER }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: PAPERLESS_DBUSER
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 844cc5ff-a52a-4452-85c2-b03101397ef2
- property: pg_user
- - secretKey: PAPERLESS_DBPASS
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 844cc5ff-a52a-4452-85c2-b03101397ef2
- property: pg_password
- - secretKey: PAPERLESS_ADMIN_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 844cc5ff-a52a-4452-85c2-b03101397ef2
- property: username
- - secretKey: PAPERLESS_ADMIN_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 844cc5ff-a52a-4452-85c2-b03101397ef2
- property: password
- - secretKey: PAPERLESS_SECRET_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 844cc5ff-a52a-4452-85c2-b03101397ef2
- property: secret_key
- - secretKey: POSTGRES_SUPER_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: paperless
+ - extract:
+ key: cloudnative-pg
diff --git a/kubernetes/teyvat/apps/default/paperless/app/helmrelease.yaml b/kubernetes/teyvat/apps/default/paperless/app/helmrelease.yaml
index f894781b97..22401de15e 100644
--- a/kubernetes/teyvat/apps/default/paperless/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/default/paperless/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -43,8 +42,8 @@ spec:
tag: 16
pullPolicy: IfNotPresent
envFrom:
- - secretRef:
- name: &secret paperless-secret
+ - secretRef:
+ name: &secret paperless
containers:
main:
image:
@@ -53,10 +52,10 @@ spec:
env:
PAPERLESS_REDIS_PREFIX: pngx
envFrom:
- - secretRef:
- name: *secret
- - configMapRef:
- name: paperless-configmap
+ - secretRef:
+ name: *secret
+ - configMapRef:
+ name: paperless-configmap
resources:
requests:
cpu: 15m
@@ -77,15 +76,15 @@ spec:
gethomepage.dev/name: Paperless
gethomepage.dev/icon: paperless.png
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
@@ -93,7 +92,7 @@ spec:
advancedMounts:
main:
main:
- - path: /data/local
+ - path: /data/local
nas:
enabled: true
type: nfs
@@ -102,4 +101,4 @@ spec:
advancedMounts:
main:
main:
- - path: /data/nas
+ - path: /data/nas
diff --git a/kubernetes/teyvat/apps/downloads/bazarr/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/bazarr/app/externalsecret.yaml
index f805a53102..23929a18ff 100644
--- a/kubernetes/teyvat/apps/downloads/bazarr/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/bazarr/app/externalsecret.yaml
@@ -1,16 +1,20 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: bazarr-secret
+ name: &name bazarr
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# App
- BAZARR__API_KEY: "{{ .BAZARR__API_KEY }}"
+ BAZARR__API_KEY: "{{ .BAZARR_API_KEY }}"
POSTGRES_ENABLED: "true"
POSTGRES_DATABASE: &dbName bazarr
POSTGRES_HOST: &dbHost postgres-rw.database.svc.cluster.local
@@ -23,44 +27,8 @@ spec:
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: POSTGRES_USERNAME
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: dd1001b2-9c2e-409b-ab81-afd500d9ba6a
- property: pg_user
- - secretKey: POSTGRES_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: dd1001b2-9c2e-409b-ab81-afd500d9ba6a
- property: pg_password
- - secretKey: BAZARR__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: dd1001b2-9c2e-409b-ab81-afd500d9ba6a
- property: token
- - secretKey: POSTGRES_SUPER_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: bazarr
+ - extract:
+ key: cloudnative-pg
diff --git a/kubernetes/teyvat/apps/downloads/bazarr/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/bazarr/app/helmrelease.yaml
index d9b66fb0af..477ac844e8 100644
--- a/kubernetes/teyvat/apps/downloads/bazarr/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/bazarr/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -42,8 +41,8 @@ spec:
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- - secretRef:
- name: bazarr-secret
+ - secretRef:
+ name: bazarr
containers:
main:
image:
@@ -63,10 +62,10 @@ spec:
repository: registry.k8s.io/git-sync/git-sync
tag: v4.2.1
args:
- - --repo=https://github.com/KBlixt/subcleaner
- - --branch=master
- - --wait=86400 # 1 day
- - --root=/add-ons
+ - --repo=https://github.com/KBlixt/subcleaner
+ - --branch=master
+ - --wait=86400 # 1 day
+ - --root=/add-ons
resources:
requests:
cpu: 10m
@@ -101,15 +100,15 @@ spec:
sub_filter '' '';
sub_filter_once on;
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
@@ -120,6 +119,6 @@ spec:
server: ${NAS_IP:=temp}
path: ${SECRET_NFS_DATA:=temp}
globalMounts:
- - path: /data
+ - path: /data
add-ons:
type: emptyDir
diff --git a/kubernetes/teyvat/apps/downloads/prowlarr/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/prowlarr/app/externalsecret.yaml
index f0a920786e..f738febbae 100644
--- a/kubernetes/teyvat/apps/downloads/prowlarr/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/prowlarr/app/externalsecret.yaml
@@ -1,20 +1,24 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: prowlarr-secret
+ name: &name prowlarr
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# App
- PROWLARR__API_KEY: "{{ .PROWLARR__API_KEY }}"
+ PROWLARR__API_KEY: "{{ .PROWLARR_API_KEY }}"
PROWLARR__POSTGRES_HOST: &dbHost postgres-rw.database.svc.cluster.local
PROWLARR__POSTGRES_PORT: "5432"
- PROWLARR__POSTGRES_USER: &dbUser "{{ .PROWLARR__POSTGRES_USER }}"
- PROWLARR__POSTGRES_PASSWORD: &dbPass "{{ .PROWLARR__POSTGRES_PASSWORD }}"
+ PROWLARR__POSTGRES_USER: &dbUser "{{ .POSTGRES_USERNAME }}"
+ PROWLARR__POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
PROWLARR__POSTGRES_MAIN_DB: prowlarr_main
PROWLARR__POSTGRES_LOG_DB: prowlarr_log
# Postgres Init
@@ -23,44 +27,8 @@ spec:
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: PROWLARR__POSTGRES_USER
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7fa0147f-6ab6-44b1-9ba2-af8f01172e77
- property: pg_user
- - secretKey: PROWLARR__POSTGRES_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7fa0147f-6ab6-44b1-9ba2-af8f01172e77
- property: pg_password
- - secretKey: PROWLARR__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7fa0147f-6ab6-44b1-9ba2-af8f01172e77
- property: token
- - secretKey: POSTGRES_SUPER_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: prowlarr
+ - extract:
+ key: cloudnative-pg
diff --git a/kubernetes/teyvat/apps/downloads/prowlarr/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/prowlarr/app/helmrelease.yaml
index cb65bedb4d..9e50cd326b 100644
--- a/kubernetes/teyvat/apps/downloads/prowlarr/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/prowlarr/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -41,8 +40,8 @@ spec:
tag: 16
pullPolicy: IfNotPresent
envFrom: &envFrom
- - secretRef:
- name: prowlarr-secret
+ - secretRef:
+ name: prowlarr
containers:
main:
image:
@@ -87,16 +86,16 @@ spec:
sub_filter '' '';
sub_filter_once on;
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- pathType: Prefix
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
diff --git a/kubernetes/teyvat/apps/downloads/radarr/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/radarr/app/externalsecret.yaml
index 33d260dd57..b62e09c0cd 100644
--- a/kubernetes/teyvat/apps/downloads/radarr/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/radarr/app/externalsecret.yaml
@@ -1,20 +1,24 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: radarr-secret
+ name: &name radarr
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# App
- RADARR__API_KEY: "{{ .RADARR__API_KEY }}"
+ RADARR__API_KEY: "{{ .RADARR_API_KEY }}"
RADARR__POSTGRES_HOST: &dbHost postgres-rw.database.svc.cluster.local
RADARR__POSTGRES_PORT: "5432"
- RADARR__POSTGRES_USER: &dbUser "{{ .RADARR__POSTGRES_USER }}"
- RADARR__POSTGRES_PASSWORD: &dbPass "{{ .RADARR__POSTGRES_PASSWORD }}"
+ RADARR__POSTGRES_USER: &dbUser "{{ .POSTGRES_USERNAME }}"
+ RADARR__POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
RADARR__POSTGRES_MAIN_DB: radarr_main
RADARR__POSTGRES_LOG_DB: radarr_log
# Postgres Init
@@ -23,44 +27,8 @@ spec:
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: RADARR__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 33a5fd65-38fb-40d6-b4a6-ac6e00f706e3
- property: token
- - secretKey: RADARR__POSTGRES_USER
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 33a5fd65-38fb-40d6-b4a6-ac6e00f706e3
- property: pg_user
- - secretKey: RADARR__POSTGRES_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 33a5fd65-38fb-40d6-b4a6-ac6e00f706e3
- property: pg_password
- - secretKey: POSTGRES_SUPER_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: radarr
+ - extract:
+ key: cloudnative-pg
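Review bot: The two `extract` entries are flattened into one template context, and when the `radarr` and `cloudnative-pg` Bitwarden items share a key name the later one wins with no warning, whereas the removed per-key `data` entries bound each template variable to an explicit item and property. `INIT_POSTGRES_SUPER_PASS` at the top of this hunk now also depends on `cloudnative-pg` carrying a `POSTGRES_SUPER_PASS` key, since the old entry fetched it from a separate login item. A short comment above `dataFrom` naming which keys each item is expected to provide (`# radarr: RADARR_API_KEY; cloudnative-pg: POSTGRES_USERNAME, POSTGRES_PASSWORD, POSTGRES_SUPER_PASS`) would make a rendering failure diagnosable. The readarr and sonarr `dataFrom` hunks have the same shape.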
diff --git a/kubernetes/teyvat/apps/downloads/radarr/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/radarr/app/helmrelease.yaml
index 13d1c5e6a7..c36540381a 100644
--- a/kubernetes/teyvat/apps/downloads/radarr/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/radarr/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -43,8 +42,8 @@ spec:
tag: 16
pullPolicy: IfNotPresent
envFrom: &envFrom
- - secretRef:
- name: radarr-secret
+ - secretRef:
+ name: radarr
containers:
main:
image:
@@ -107,15 +106,15 @@ spec:
sub_filter '' '';
sub_filter_once on;
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
@@ -128,4 +127,4 @@ spec:
server: ${NAS_IP:=temp}
path: ${SECRET_NFS_DATA:=temp}
globalMounts:
- - path: /data
+ - path: /data
diff --git a/kubernetes/teyvat/apps/downloads/readarr/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/readarr/app/externalsecret.yaml
index 324ebe5bad..4922fba126 100644
--- a/kubernetes/teyvat/apps/downloads/readarr/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/readarr/app/externalsecret.yaml
@@ -1,20 +1,23 @@
----
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: readarr-secret
+ name: &name readarr
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# App
- READARR__API_KEY: "{{ .READARR__API_KEY }}"
+ READARR__API_KEY: "{{ .READARR_API_KEY }}"
READARR__POSTGRES_HOST: &dbHost postgres-rw.database.svc.cluster.local
READARR__POSTGRES_PORT: "5432"
- READARR__POSTGRES_USER: &dbUser "{{ .READARR__POSTGRES_USER }}"
- READARR__POSTGRES_PASSWORD: &dbPass "{{ .READARR__POSTGRES_PASSWORD }}"
+ READARR__POSTGRES_USER: &dbUser "{{ .POSTGRES_USERNAME }}"
+ READARR__POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
READARR__POSTGRES_MAIN_DB: readarr_main
READARR__POSTGRES_LOG_DB: readarr_log
READARR__POSTGRES_CACHE_DB: readarr_cache
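Review bot: This file loses its leading `---` without gaining the `# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json` header that the radarr, recyclarr, sabnzbd and sonarr ExternalSecrets receive in the same commit, so it is the one ExternalSecret here with neither a document start nor schema validation in the editor. Adding the same header line at the top keeps the set consistent.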
@@ -24,52 +27,8 @@ spec:
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: READARR__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f8621570-ad69-40ef-8315-afd500df25b3
- property: token
- - secretKey: READARR__POSTGRES_USER
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f8621570-ad69-40ef-8315-afd500df25b3
- property: pg_user
- - secretKey: READARR__POSTGRES_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f8621570-ad69-40ef-8315-afd500df25b3
- property: pg_password
- - secretKey: READARR__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f8621570-ad69-40ef-8315-afd500df25b3
- property: token
- - secretKey: POSTGRES_SUPER_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: readarr
+ - extract:
+ key: cloudnative-pg
diff --git a/kubernetes/teyvat/apps/downloads/readarr/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/readarr/app/helmrelease.yaml
index c1fed98a95..5950022a55 100644
--- a/kubernetes/teyvat/apps/downloads/readarr/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/readarr/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -43,8 +42,8 @@ spec:
tag: 16
pullPolicy: IfNotPresent
envFrom: &envFrom
- - secretRef:
- name: readarr-secret
+ - secretRef:
+ name: readarr
containers:
main:
image:
@@ -90,15 +89,15 @@ spec:
sub_filter '' '';
sub_filter_once on;
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
@@ -111,4 +110,4 @@ spec:
server: ${NAS_IP:=temp}
path: ${SECRET_NFS_DATA:=temp}
globalMounts:
- - path: /data
+ - path: /data
diff --git a/kubernetes/teyvat/apps/downloads/recyclarr/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/recyclarr/app/externalsecret.yaml
index b0b52ac0ed..179a53f182 100644
--- a/kubernetes/teyvat/apps/downloads/recyclarr/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/recyclarr/app/externalsecret.yaml
@@ -1,32 +1,23 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: recyclarr-secret
+ name: &name recyclarr
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
- RADARR_API_KEY: |-
- {{ .radarr_token }}
- SONARR_API_KEY: |-
- {{ .sonarr_token }}
- data:
- - secretKey: radarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 33a5fd65-38fb-40d6-b4a6-ac6e00f706e3
- property: token
- - secretKey: sonarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f131edf2-177b-4284-b606-ac6e00f706e3
- property: token
+ # App
+ RADARR_API_KEY: "{{ .RADARR_API_KEY }}"
+ SONARR_API_KEY: "{{ .SONARR_API_KEY }}"
+ dataFrom:
+ - extract:
+ key: radarr
+ - extract:
+ key: sonarr
diff --git a/kubernetes/teyvat/apps/downloads/recyclarr/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/recyclarr/app/helmrelease.yaml
index c974ccf8df..c8cf405ddd 100644
--- a/kubernetes/teyvat/apps/downloads/recyclarr/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/recyclarr/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -42,8 +41,8 @@ spec:
env:
TZ: ${TIMEZONE}
envFrom:
- - secretRef:
- name: recyclarr-secret
+ - secretRef:
+ name: recyclarr
resources:
requests:
cpu: 10m
@@ -67,6 +66,6 @@ spec:
type: configMap
name: recyclarr-configmap
globalMounts:
- - path: /config/recyclarr.yml
- subPath: recyclarr.yml
- readOnly: true
+ - path: /config/recyclarr.yml
+ subPath: recyclarr.yml
+ readOnly: true
diff --git a/kubernetes/teyvat/apps/downloads/sabnzbd/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/sabnzbd/app/externalsecret.yaml
index deccfeba68..5984c62ea5 100644
--- a/kubernetes/teyvat/apps/downloads/sabnzbd/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/sabnzbd/app/externalsecret.yaml
@@ -1,31 +1,22 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: sabnzbd-secret
+ name: &name sabnzbd
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# App
- SABNZBD__API_KEY: "{{ .SABNZBD__API_KEY }}"
- SABNZBD__NZB_KEY: "{{ .SABNZBD__NZB_KEY }}"
- data:
- - secretKey: SABNZBD__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 11eae6bf-761a-433f-ad9a-ac6e00f706e3
- property: api_token
- - secretKey: SABNZBD__NZB_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 11eae6bf-761a-433f-ad9a-ac6e00f706e3
- property: nzb_token
+ SABNZBD__API_KEY: "{{ .SABNZBD_API_KEY }}"
+ SABNZBD__NZB_KEY: "{{ .SABNZBD_NZB_KEY }}"
+ dataFrom:
+ - extract:
+ key: sabnzbd
+
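Review bot: The added empty line after `key: sabnzbd` leaves the file ending in a blank line, which none of the sibling ExternalSecrets have and which yamllint's `empty-lines` rule reports; drop it so the file ends with a single newline.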
diff --git a/kubernetes/teyvat/apps/downloads/sabnzbd/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/sabnzbd/app/helmrelease.yaml
index da7a8e5da3..ac3adc8aac 100644
--- a/kubernetes/teyvat/apps/downloads/sabnzbd/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/sabnzbd/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -45,15 +44,10 @@ spec:
TZ: ${TIMEZONE}
SABNZBD__PORT: &port 8080
SABNZBD__HOST_WHITELIST_ENTRIES: >-
- sabnzbd,
- sabnzbd.downloads,
- sabnzbd.downloads.svc,
- sabnzbd.downloads.svc.cluster,
- sabnzbd.downloads.svc.cluster.local,
- sabnzbd.${SECRET_DOMAIN}
+ sabnzbd, sabnzbd.downloads, sabnzbd.downloads.svc, sabnzbd.downloads.svc.cluster, sabnzbd.downloads.svc.cluster.local, sabnzbd.${SECRET_DOMAIN}
envFrom:
- - secretRef:
- name: sabnzbd-secret
+ - secretRef:
+ name: sabnzbd
probes:
liveness: &probes
enabled: true
@@ -79,12 +73,12 @@ spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchExpressions:
- - key: app.kubernetes.io/name
- operator: In
- values: ["qbittorrent"]
- topologyKey: kubernetes.io/hostname
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values: ["qbittorrent"]
+ topologyKey: kubernetes.io/hostname
securityContext:
runAsUser: 568
runAsGroup: 568
@@ -112,15 +106,15 @@ spec:
sub_filter '' '';
sub_filter_once on;
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
@@ -131,16 +125,16 @@ spec:
server: ${NAS_IP:=temp}
path: ${SECRET_NFS_DATA:=temp}
globalMounts:
- - path: /downloads
- subPath: usenet
+ - path: /downloads
+ subPath: usenet
incomplete:
type: emptyDir
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchExpressions:
- - key: app.kubernetes.io/name
- operator: In
- values: ["qbittorrent"]
- topologyKey: kubernetes.io/hostname
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values: ["qbittorrent"]
+ topologyKey: kubernetes.io/hostname
diff --git a/kubernetes/teyvat/apps/downloads/sonarr/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/sonarr/app/externalsecret.yaml
index d13a6b2b1f..201fb0dcdf 100644
--- a/kubernetes/teyvat/apps/downloads/sonarr/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/sonarr/app/externalsecret.yaml
@@ -1,19 +1,24 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: sonarr-secret
+ name: &name sonarr
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
- SONARR__API_KEY: "{{ .SONARR__API_KEY }}"
+ # App
+ SONARR__API_KEY: "{{ .SONARR_API_KEY }}"
SONARR__POSTGRES_HOST: &dbHost postgres-rw.database.svc.cluster.local
SONARR__POSTGRES_PORT: "5432"
- SONARR__POSTGRES_USER: &dbUser "{{ .SONARR__POSTGRES_USER }}"
- SONARR__POSTGRES_PASSWORD: &dbPass "{{ .SONARR__POSTGRES_PASSWORD }}"
+ SONARR__POSTGRES_USER: &dbUser "{{ .POSTGRES_USER }}"
+ SONARR__POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
SONARR__POSTGRES_MAIN_DB: sonarr_main
SONARR__POSTGRES_LOG_DB: sonarr_log
# Postgres Init
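Review bot: `SONARR__POSTGRES_USER` reads `{{ .POSTGRES_USER }}` while the radarr and readarr ExternalSecrets in this commit read `{{ .POSTGRES_USERNAME }}` from the same `cloudnative-pg` extract, so unless that Bitwarden item carries both keys one of these templates renders an empty or failing value and the app never reaches Postgres. Pick one key name and use it in all three files, e.g. `SONARR__POSTGRES_USER: &dbUser "{{ .POSTGRES_USERNAME }}"` here if the item matches the radarr/readarr spelling.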
@@ -22,44 +27,8 @@ spec:
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: SONARR__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f131edf2-177b-4284-b606-ac6e00f706e3
- property: token
- - secretKey: SONARR__POSTGRES_USER
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f131edf2-177b-4284-b606-ac6e00f706e3
- property: pg_user
- - secretKey: SONARR__POSTGRES_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f131edf2-177b-4284-b606-ac6e00f706e3
- property: pg_password
- - secretKey: POSTGRES_SUPER_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: sonarr
+ - extract:
+ key: cloudnative-pg
diff --git a/kubernetes/teyvat/apps/downloads/sonarr/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/sonarr/app/helmrelease.yaml
index ce3e7fd5f3..1dea0cf309 100644
--- a/kubernetes/teyvat/apps/downloads/sonarr/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/sonarr/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -43,8 +42,8 @@ spec:
tag: 16
pullPolicy: IfNotPresent
envFrom: &envFrom
- - secretRef:
- name: sonarr-secret
+ - secretRef:
+ name: sonarr
containers:
main:
image:
@@ -107,15 +106,15 @@ spec:
sub_filter '' '';
sub_filter_once on;
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
@@ -128,4 +127,4 @@ spec:
server: ${NAS_IP:=temp}
path: ${SECRET_NFS_DATA:=temp}
globalMounts:
- - path: /data
+ - path: /data
diff --git a/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/externalsecret.yaml b/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/externalsecret.yaml
new file mode 100644
index 0000000000..a070457022
--- /dev/null
+++ b/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/externalsecret.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: "bws-test-secret"
+spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
+ target:
+ name: "bws-test-secret"
+ template:
+ engineVersion: v2
+ data:
+ RESTIC_REPOSITORY: "{{ .REPOSITORY_TEMPLATE }}/test"
+ RESTIC_PASSWORD: "{{ .RESTIC_PASSWORD }}"
+ AWS_ACCESS_KEY_ID: "{{ .MINIO_ROOT_USER }}"
+ AWS_SECRET_ACCESS_KEY: "{{ .MINIO_ROOT_PASSWORD }}"
+ dataFrom:
+ - extract:
+ key: minio
+ - extract:
+ key: volsync-minio-template
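Review bot: A resource named `bws-test-secret` that renders `MINIO_ROOT_USER`/`MINIO_ROOT_PASSWORD` and `RESTIC_PASSWORD` into a Kubernetes Secret reads as a leftover from validating the new `bitwarden-secrets-manager` store, and if it is wired into a kustomization (not visible here) it leaves a second copy of the object-store root credentials in the cluster with no consumer. Either remove the file or state its purpose and lifetime in a comment such as `# Smoke test for the bitwarden-secrets-manager ClusterSecretStore; delete once the store is verified`. It also lacks the `# yaml-language-server: $schema=…` header and `refreshInterval`/`target` conventions (`&name` anchor) used by the other ExternalSecrets in this commit.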
diff --git a/kubernetes/teyvat/apps/flux-system/tf-controller/app/externalsecret.yaml b/kubernetes/teyvat/apps/flux-system/tf-controller/app/externalsecret.yaml
index d32fab82a9..0b72cf54b1 100644
--- a/kubernetes/teyvat/apps/flux-system/tf-controller/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/flux-system/tf-controller/app/externalsecret.yaml
@@ -1,156 +1,56 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: terraform-backend-secret
+ name: &name terraform-backend-secret
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- metadata:
- labels:
- cnpg.io/reload: "true"
- type: Opaque
+ engineVersion: v2
data:
- access_key: "{{ .access_key }}"
- secret_key: "{{ .secret_key }}"
- endpoint: "{{ .endpoint }}"
- data:
- - secretKey: access_key
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5a98804c-6c54-4e09-817e-afd8012c70ad
- property: access_key
- - secretKey: secret_key
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5a98804c-6c54-4e09-817e-afd8012c70ad
- property: secret_key
- - secretKey: endpoint
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5a98804c-6c54-4e09-817e-afd8012c70ad
- property: endpoint
+ access_key: "{{ .AWS_ACCESS_KEY_ID }}"
+ secret_key: "{{ .AWS_SECRET_ACCESS_KEY }}"
+ endpoint: s3.${PI_DOMAIN}
+ dataFrom:
+ - extract:
+ key: minio
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: terraform-authentik-secret
+ name: &name terraform-authentik-secret
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- metadata:
- labels:
- cnpg.io/reload: "true"
- type: Opaque
+ engineVersion: v2
data:
cluster_domain: ${SECRET_DOMAIN}
- authentik_token: "{{ .authentik_token }}"
- discord_client_id: "{{ .discord_client_id }}"
- discord_client_secret: "{{ .discord_client_secret }}"
- gitops_id: "{{ .gitops_id }}"
- gitops_secret: "{{ .gitops_secret }}"
- grafana_id: "{{ .grafana_id }}"
- grafana_secret: "{{ .grafana_secret }}"
- portainer_id: "{{ .portainer_id }}"
- portainer_secret: "{{ .portainer_secret }}"
- # bazarr_username: placeholder
- # bazarr_password: placeholder
- # overseerr_username: placeholder
- # overseerr_password: placeholder
- # prowlarr_username: placeholder
- # prowlarr_password: placeholder
- # qbittorrent_username: placeholder
- # qbittorrent_password: placeholder
- # radarr_username: placeholder
- # radarr_password: placeholder
- # readarr_username: placeholder
- # readarr_password: placeholder
- # sabnzbd_username: placeholder
- # sabnzbd_password: placeholder
- # sonarr_username: placeholder
- # sonarr_password: placeholder
- # tautulli_username: placeholder
- # tautulli_password: placeholder
- data:
- - secretKey: authentik_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 3ff34fd7-ec65-436c-865c-afcf0104ce37
- property: token
- - secretKey: discord_client_id
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 01af241c-b129-4560-877a-ac6e00f706e3
- property: authentik_client_id
- - secretKey: discord_client_secret
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 01af241c-b129-4560-877a-ac6e00f706e3
- property: authentik_client_secret
- - secretKey: gitops_id
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5e19532f-62a4-4cb8-bdfc-afd501029d14
- property: client_id
- - secretKey: gitops_secret
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5e19532f-62a4-4cb8-bdfc-afd501029d14
- property: client_secret
- - secretKey: grafana_id
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: client_id
- - secretKey: grafana_secret
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: client_secret
- - secretKey: portainer_id
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7b792cef-9d6d-48f1-9fe0-acfa010ac442
- property: client_id
- - secretKey: portainer_secret
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7b792cef-9d6d-48f1-9fe0-acfa010ac442
- property: client_secret
+ authentik_token: "{{ .AUTHENTIK_TOKEN }}"
+ discord_client_id: "{{ .DISCORD_CLIENT_ID }}"
+ discord_client_secret: "{{ .DISCORD_CLIENT_SECRET }}"
+ gitops_id: "{{ .GITOPS_CLIENT_ID }}"
+ gitops_secret: "{{ .GITOPS_CLIENT_SECRET }}"
+ grafana_id: "{{ .GRAFANA_CLIENT_ID }}"
+ grafana_secret: "{{ .GRAFANA_CLIENT_SECRET }}"
+ portainer_id: "{{ .PORTAINER_CLIENT_ID }}"
+ portainer_secret: "{{ .PORTAINER_CLIENT_SECRET }}"
+ dataFrom:
+ - extract:
+ key: authentik
+ - extract:
+ key: discord
+ - extract:
+ key: grafana
+ - extract:
+ key: portainer
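Review bot: `terraform-backend-secret` now takes `access_key`/`secret_key` from the whole `minio` item, which the new bws-test-secret file reads for `MINIO_ROOT_USER`/`MINIO_ROOT_PASSWORD`, while the volsync template in this same commit moves to a bucket-scoped `volsync-bucket` item. If `AWS_ACCESS_KEY_ID` in `minio` is the root key, the Terraform state backend runs with object-store admin rights, and a state-bucket-scoped item in the style of `volsync-bucket` would limit what a leaked backend Secret can reach. Please also confirm that `minio` actually provides `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, since the test file reads different key names from the same item. A comment above `dataFrom` such as `# minio: expects AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (bucket-scoped, not root)` would record the intent.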
diff --git a/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/kustomization.yaml b/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/kustomization.yaml
new file mode 100644
index 0000000000..48fcf13407
--- /dev/null
+++ b/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/kustomization.yaml
@@ -0,0 +1,7 @@
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./authentik.yaml
+# - ./minio.yaml
+- ./ocirepository.yaml
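Review bot: `./minio.yaml` is commented out of `resources` while the same commit updates that file's runner image digest, so if this new Kustomization is what the tf-controller Flux Kustomization points at, the digest bump never reaches the cluster. If the MinIO Terraform is intentionally parked, record why inline, e.g. `# - ./minio.yaml  # disabled: <reason>`, otherwise uncomment it.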
diff --git a/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/minio.yaml b/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/minio.yaml
index d4cb73c463..f5d8f92b43 100644
--- a/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/minio.yaml
+++ b/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/minio.yaml
@@ -27,8 +27,7 @@ spec:
namespace: flux-system
runnerPodTemplate:
spec:
- image: ghcr.io/lildrunkensmurf/tf-runner-bitwarden:0.15.1@sha256:0b30a72a5ab443b3de459d13b5780f998979bccafd94ca0380c07434b7aba62e
- # Working image 1.3.9: ghcr.io/lildrunkensmurf/tf-runner-bitwarden:0.15.1@sha256:f783ebe9559a2c39416f2fa5e48e1c126fa9ab4d32324bda51e340f866e4837c
+ image: ghcr.io/lildrunkensmurf/tf-runner-bitwarden:0.15.1@sha256:02efeb088d7e53a04ff331517357267c61b047189365b1c60cfd3b1af13621a4
varsFrom:
- kind: Secret
name: terraform-minio-secret
diff --git a/kubernetes/teyvat/apps/flux-system/weave-gitops/app/externalsecret.yaml b/kubernetes/teyvat/apps/flux-system/weave-gitops/app/externalsecret.yaml
index b10a515ab9..0dc088efa3 100644
--- a/kubernetes/teyvat/apps/flux-system/weave-gitops/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/flux-system/weave-gitops/app/externalsecret.yaml
@@ -1,67 +1,48 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: cluster-user-auth
+ name: &name cluster-user-auth
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# Admin User
- username: "{{ .adminUser }}"
- password: "{{ .adminPass }}"
- data:
- - secretKey: adminUser
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 5e19532f-62a4-4cb8-bdfc-afd501029d14
- property: username
- - secretKey: adminPass
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5e19532f-62a4-4cb8-bdfc-afd501029d14
- property: password_encoded
+ username: "{{ .WEAVE_USER }}"
+ password: "{{ .WEAVE_PASS }}"
+ dataFrom:
+ - extract:
+ key: weave-gitops
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: oidc-auth
+ name: &name oidc-auth
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# Authentik
- clientID: "{{ .client_id }}"
- clientSecret: "{{ .client_secret }}"
+ clientID: "{{ .GITOPS_CLIENT_ID }}"
+ clientSecret: "{{ .GITOPS_CLIENT_SECRET }}"
issuerURL: https://authentik.${SECRET_DOMAIN}/application/o/gitops-provider/
redirectURL: https://gitops.${SECRET_DOMAIN}/oauth2/callback
customScopes: openid,profile,email
claimGroups: groups
claimUsername: preferred_username
- data:
- - secretKey: client_id
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5e19532f-62a4-4cb8-bdfc-afd501029d14
- property: client_id
- - secretKey: client_secret
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5e19532f-62a4-4cb8-bdfc-afd501029d14
- property: client_secret
+ dataFrom:
+ - extract:
+ key: weave-gitops
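Review bot: `password: "{{ .WEAVE_PASS }}"` for `cluster-user-auth` replaces a source property that was explicitly named `password_encoded`, and the new key name no longer says whether it holds the bcrypt hash or the plaintext. Weave GitOps reads the `password` field of `cluster-user-auth` as a bcrypt hash, so a plaintext value would break the admin login and put the raw password into the cluster. Add a comment on that line, `# WEAVE_PASS must hold the bcrypt hash, not the plaintext password`, or name the Bitwarden key to make that explicit. The enclosing `oidc-auth` document below is unaffected.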
diff --git a/kubernetes/teyvat/apps/observability/thanos/app/kustomization.yaml b/kubernetes/teyvat/apps/observability/thanos/app/kustomization.yaml
index 7e81a35ba0..e80d0a0724 100644
--- a/kubernetes/teyvat/apps/observability/thanos/app/kustomization.yaml
+++ b/kubernetes/teyvat/apps/observability/thanos/app/kustomization.yaml
@@ -1,8 +1,7 @@
----
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- - ./objectbucketclaim.yaml
- - ./helmrelease.yaml
- # - ./pushsecret.yaml
+- ./objectbucketclaim.yaml
+- ./helmrelease.yaml
+# - ./pushsecret.yaml
diff --git a/kubernetes/teyvat/templates/volsync/minio.yaml b/kubernetes/teyvat/templates/volsync/minio.yaml
index 30bb7a1edd..2d07c04e0b 100644
--- a/kubernetes/teyvat/templates/volsync/minio.yaml
+++ b/kubernetes/teyvat/templates/volsync/minio.yaml
@@ -18,7 +18,7 @@ spec:
AWS_SECRET_ACCESS_KEY: "{{ .AWS_SECRET_ACCESS_KEY }}"
dataFrom:
- extract:
- key: minio
+ key: volsync-bucket
- extract:
key: volsync-minio-template
property: RESTIC_REPOSITORY