chore: swap secret to bws

joryirving · Feb 12, 2024 · 314785d · 314785d
1 parent b8e651c
commit 314785d
Show file tree

Hide file tree

Showing 57 changed files with 868 additions and 1,866 deletions.
diff --git a/...netes/teyvat/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml b/...netes/teyvat/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml
@@ -1,10 +1,10 @@
 ---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: &name actions-runner-controller
+  name: &name actions-runner-controller-secret
 spec:
-  refreshInterval: "1h"
   secretStoreRef:
     name: bitwarden-secrets-manager
     kind: ClusterSecretStore

diff --git a/.../teyvat/apps/actions-runner-system/actions-runner-controller/runners/home-ops-runner.yaml b/.../teyvat/apps/actions-runner-system/actions-runner-controller/runners/home-ops-runner.yaml
@@ -42,6 +42,6 @@ spec:
       namespace: actions-runner-system
   valuesFrom:
     - kind: Secret
-      name: actions-runner-controller
+      name: actions-runner-controller-secret
       valuesKey: github_token
       targetPath: githubConfigSecret.github_token
diff --git a/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/externalsecret.yaml b/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/externalsecret.yaml
@@ -1,21 +1,19 @@
 ---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: cert-manager-secret
+  name: &name cloudflare-secret
 spec:
+  secretStoreRef:
+    name: bitwarden-secrets-manager
+    kind: ClusterSecretStore
   target:
-    deletionPolicy: Delete
+    name: *name
     template:
-      type: Opaque
+      engineVersion: v2
       data:
-        api-token: "{{ .api_token }}"
-  data:
-    - secretKey: api_token
-      sourceRef:
-        storeRef:
-          name: bitwarden-fields
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
-        property: api_token
+        CLOUDFLARE_API_KEY: "{{ .CLOUDFLARE_API_KEY }}"
+  dataFrom:
+  - extract:
+      key: cloudflare
diff --git a/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/issuers.yaml b/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/issuers.yaml
@@ -12,8 +12,8 @@ spec:
       - dns01:
           cloudflare:
             apiTokenSecretRef:
-              name: cert-manager-secret
-              key: api-token
+              name: cloudflare-secret
+              key: CLOUDFLARE_API_KEY
         selector:
           dnsZones:
             - "${SECRET_DOMAIN}"
@@ -32,8 +32,8 @@ spec:
       - dns01:
           cloudflare:
             apiTokenSecretRef:
-              name: cert-manager-secret
-              key: api-token
+              name: cloudflare-secret
+              key: CLOUDFLARE_API_KEY
         selector:
           dnsZones:
             - "${SECRET_DOMAIN}"
diff --git a/kubernetes/teyvat/apps/database/cloudnative-pg/app/externalsecret.yaml b/kubernetes/teyvat/apps/database/cloudnative-pg/app/externalsecret.yaml
@@ -1,51 +1,25 @@
 ---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: cloudnative-pg-secret
+  name: &name cloudnative-pg-secret
 spec:
+  secretStoreRef:
+    name: bitwarden-secrets-manager
+    kind: ClusterSecretStore
   target:
-    deletionPolicy: Delete
+    name: *name
     template:
+      engineVersion: v2
       metadata:
         labels:
           cnpg.io/reload: "true"
-      type: kubernetes.io/basic-auth
       data:
-        username: "{{ .super_user }}"
-        password: "{{ .super_pass }}"
-        aws-access-key-id: "{{ .access_key }}"
-        aws-secret-access-key: "{{ .secret_key }}"
-  data:
-    - secretKey: super_user
-      sourceRef:
-        storeRef:
-          name: bitwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 7a5661cb-9655-422b-8506-b02900fbc4e1
-        property: username
-    - secretKey: super_pass
-      sourceRef:
-        storeRef:
-          name: bitwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 7a5661cb-9655-422b-8506-b02900fbc4e1
-        property: password
-    - secretKey: access_key
-      sourceRef:
-        storeRef:
-          name: bitwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: eff71b07-9389-4874-923b-b0560025ea51
-        property: username
-    - secretKey: secret_key
-      sourceRef:
-        storeRef:
-          name: bitwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: eff71b07-9389-4874-923b-b0560025ea51
-        property: password
+        username: "{{ .POSTGRES_SUPER_USER }}"
+        password: "{{ .POSTGRES_SUPER_PASS }}"
+        aws-access-key-id: "{{ .POSTGRES_BUCKET_USER }}"
+        aws-secret-access-key: "{{ .POSTGRES_BUCKET_PASS }}"
+  dataFrom:
+  - extract:
+      key: cloudnative-pg
diff --git a/kubernetes/teyvat/apps/database/cloudnative-pg/cluster/cluster.yaml b/kubernetes/teyvat/apps/database/cloudnative-pg/cluster/cluster.yaml
@@ -12,7 +12,7 @@ spec:
     size: 20Gi
     storageClass: local-hostpath
   superuserSecret:
-    name: cloudnative-pg-secret
+    name: cloudnative-pg
   enableSuperuserAccess: true
   postgresql:
     parameters:
@@ -46,10 +46,10 @@ spec:
       serverName: &currentCluster postgres-v4
       s3Credentials:
         accessKeyId:
-          name: cloudnative-pg-secret
+          name: &secret cloudnative-pg-secret
           key: aws-access-key-id
         secretAccessKey:
-          name: cloudnative-pg-secret
+          name: *secret
           key: aws-secret-access-key
   # # Note: previousCluster needs to be set to the name of the previous
   # # cluster when recovering from an existing cnpg cluster

diff --git a/kubernetes/teyvat/apps/default/atuin/app/externalsecret.yaml b/kubernetes/teyvat/apps/default/atuin/app/externalsecret.yaml
@@ -3,12 +3,15 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: atuin
+  name: &name atuin-secret
 spec:
+  secretStoreRef:
+    name: bitwarden-secrets-manager
+    kind: ClusterSecretStore
   target:
-    deletionPolicy: Delete
+    name: *name
     template:
-      type: Opaque
+      engineVersion: v2
       data:
         ATUIN_DB_URI: |-
           postgres://{{ .ATUIN_POSTGRES_USER }}:{{ .ATUIN_POSTGRES_PASS }}@postgres-rw.database.svc.cluster.local/atuin
@@ -17,28 +20,8 @@ spec:
         INIT_POSTGRES_USER: "{{ .ATUIN_POSTGRES_USER }}"
         INIT_POSTGRES_PASS: "{{ .ATUIN_POSTGRES_PASS }}"
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
-  data:
-    - secretKey: ATUIN_POSTGRES_USER
-      sourceRef:
-        storeRef:
-          name: bitwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: eeda4d11-e092-429a-9bc0-b0f300fa39cf
-        property: username
-    - secretKey: ATUIN_POSTGRES_PASS
-      sourceRef:
-        storeRef:
-          name: bitwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: eeda4d11-e092-429a-9bc0-b0f300fa39cf
-        property: password
-    - secretKey: POSTGRES_SUPER_PASS
-      sourceRef:
-        storeRef:
-          name: bitwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 7a5661cb-9655-422b-8506-b02900fbc4e1
-        property: password
+  dataFrom:
+  - extract:
+      key: atuin
+  - extract:
+      key: cloudnative-pg
diff --git a/kubernetes/teyvat/apps/default/atuin/app/helmrelease.yaml b/kubernetes/teyvat/apps/default/atuin/app/helmrelease.yaml
@@ -37,7 +37,7 @@ spec:
               tag: 16
             envFrom: &envFrom
               - secretRef:
-                  name: *app
+                  name: atuin-secret
         containers:
           main:
             image: