diff --git a/kubernetes/teyvat/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml b/kubernetes/teyvat/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml
index edd4d35871..2c2397187d 100644
--- a/kubernetes/teyvat/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml
@@ -1,10 +1,10 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: &name actions-runner-controller
+ name: &name actions-runner-controller-secret
spec:
- refreshInterval: "1h"
secretStoreRef:
name: bitwarden-secrets-manager
kind: ClusterSecretStore
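Review bot: Dropping `refreshInterval: "1h"` makes the rotation cadence for the GitHub runner token depend on the ExternalSecret CRD default rather than on this file; ESO documents the default as 1h, so this is only a no-op while that default holds. Since the `github_token` this Secret feeds (home-ops-runner.yaml) is a long-lived credential, I would keep the interval explicit, e.g. `refreshInterval: 1h` directly under `spec`, so a rotation in Bitwarden is picked up on a known schedule. The rest of this ExternalSecret (target/data) lies outside the hunk.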
diff --git a/kubernetes/teyvat/apps/actions-runner-system/actions-runner-controller/runners/home-ops-runner.yaml b/kubernetes/teyvat/apps/actions-runner-system/actions-runner-controller/runners/home-ops-runner.yaml
index c776d7f4d3..d3b793b1c7 100644
--- a/kubernetes/teyvat/apps/actions-runner-system/actions-runner-controller/runners/home-ops-runner.yaml
+++ b/kubernetes/teyvat/apps/actions-runner-system/actions-runner-controller/runners/home-ops-runner.yaml
@@ -42,6 +42,6 @@ spec:
namespace: actions-runner-system
valuesFrom:
- kind: Secret
- name: actions-runner-controller
+ name: actions-runner-controller-secret
valuesKey: github_token
targetPath: githubConfigSecret.github_token
diff --git a/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/externalsecret.yaml b/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/externalsecret.yaml
index f55b062dc6..0d7398af0b 100644
--- a/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/externalsecret.yaml
@@ -1,21 +1,19 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: cert-manager-secret
+ name: &name cloudflare-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
- api-token: "{{ .api_token }}"
- data:
- - secretKey: api_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
- property: api_token
+ CLOUDFLARE_API_KEY: "{{ .CLOUDFLARE_API_KEY }}"
+ dataFrom:
+ - extract:
+ key: cloudflare
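Review bot: Removing `deletionPolicy: Delete` from `target` (L47) switches the rendered Secret to ESO's default `Retain`, so `cloudflare-secret` — a credential that can edit DNS for `${SECRET_DOMAIN}` — will outlive the ExternalSecret if it is ever removed; re-add `deletionPolicy: Delete` next to `name: *name` unless retention is intended. Separately, the key is named `CLOUDFLARE_API_KEY` but issuers.yaml wires it into `apiTokenSecretRef`; cert-manager treats a global API key (`apiKeySecretRef`, which also needs an email) and a scoped API token differently, so confirm the value in the `cloudflare` Bitwarden item is a scoped token (Zone:DNS:Edit, Zone:Read) and consider renaming the key to `CLOUDFLARE_API_TOKEN` to match. With the default template `mergePolicy` only the templated key is written, so any other fields of the `cloudflare` item do not land in the Secret, but they are now readable by this ExternalSecret.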
diff --git a/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/issuers.yaml b/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/issuers.yaml
index 1cf7148ac5..4b73d40351 100644
--- a/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/issuers.yaml
+++ b/kubernetes/teyvat/apps/cert-manager/cert-manager/issuers/issuers.yaml
@@ -12,8 +12,8 @@ spec:
- dns01:
cloudflare:
apiTokenSecretRef:
- name: cert-manager-secret
- key: api-token
+ name: cloudflare-secret
+ key: CLOUDFLARE_API_KEY
selector:
dnsZones:
- "${SECRET_DOMAIN}"
@@ -32,8 +32,8 @@ spec:
- dns01:
cloudflare:
apiTokenSecretRef:
- name: cert-manager-secret
- key: api-token
+ name: cloudflare-secret
+ key: CLOUDFLARE_API_KEY
selector:
dnsZones:
- "${SECRET_DOMAIN}"
diff --git a/kubernetes/teyvat/apps/database/cloudnative-pg/app/externalsecret.yaml b/kubernetes/teyvat/apps/database/cloudnative-pg/app/externalsecret.yaml
index e23ef74ea3..b4a6d5cbb0 100644
--- a/kubernetes/teyvat/apps/database/cloudnative-pg/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/database/cloudnative-pg/app/externalsecret.yaml
@@ -1,51 +1,25 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: cloudnative-pg-secret
+ name: &name cloudnative-pg-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
+ engineVersion: v2
metadata:
labels:
cnpg.io/reload: "true"
- type: kubernetes.io/basic-auth
data:
- username: "{{ .super_user }}"
- password: "{{ .super_pass }}"
- aws-access-key-id: "{{ .access_key }}"
- aws-secret-access-key: "{{ .secret_key }}"
- data:
- - secretKey: super_user
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: super_pass
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
- - secretKey: access_key
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: eff71b07-9389-4874-923b-b0560025ea51
- property: username
- - secretKey: secret_key
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: eff71b07-9389-4874-923b-b0560025ea51
- property: password
+ username: "{{ .POSTGRES_SUPER_USER }}"
+ password: "{{ .POSTGRES_SUPER_PASS }}"
+ aws-access-key-id: "{{ .POSTGRES_BUCKET_USER }}"
+ aws-secret-access-key: "{{ .POSTGRES_BUCKET_PASS }}"
+ dataFrom:
+ - extract:
+ key: cloudnative-pg
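Review bot: The template no longer sets `type: kubernetes.io/basic-auth` (L117), so the Secret CNPG consumes via `superuserSecret` is now rendered as `Opaque`; CloudNativePG documents its credential secrets as `kubernetes.io/basic-auth` with `username`/`password` keys, so restore `type: kubernetes.io/basic-auth` under `template:` (next to `engineVersion: v2`) before this is applied — I cannot tell from here whether the operator merely warns or rejects an Opaque secret. This one Secret also carries the S3 backup credentials next to the superuser login, and now that `deletionPolicy: Delete` (L110) is gone it is retained after ExternalSecret deletion; if the two must stay together, at least re-add `deletionPolicy: Delete` under `target`.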
diff --git a/kubernetes/teyvat/apps/database/cloudnative-pg/cluster/cluster.yaml b/kubernetes/teyvat/apps/database/cloudnative-pg/cluster/cluster.yaml
index 91b3f98579..fd202c8671 100644
--- a/kubernetes/teyvat/apps/database/cloudnative-pg/cluster/cluster.yaml
+++ b/kubernetes/teyvat/apps/database/cloudnative-pg/cluster/cluster.yaml
@@ -12,7 +12,7 @@ spec:
size: 20Gi
storageClass: local-hostpath
superuserSecret:
- name: cloudnative-pg-secret
+ name: cloudnative-pg
enableSuperuserAccess: true
postgresql:
parameters:
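Review bot: `superuserSecret.name` is changed to `cloudnative-pg`, but the ExternalSecret in app/externalsecret.yaml renders its Secret as `cloudnative-pg-secret` (`target.name: *name`), and the `s3Credentials` block in the next hunk still references `cloudnative-pg-secret`; unless a Secret named `cloudnative-pg` is created elsewhere, the cluster will point at a nonexistent superuser secret while `enableSuperuserAccess: true` is set. I would revert this line to `name: cloudnative-pg-secret`, or define the `&secret` anchor here and reuse it in `s3Credentials`. The `Cluster` spec continues outside this hunk.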
@@ -46,10 +46,10 @@ spec:
serverName: ¤tCluster postgres-v4
s3Credentials:
accessKeyId:
- name: cloudnative-pg-secret
+ name: &secret cloudnative-pg-secret
key: aws-access-key-id
secretAccessKey:
- name: cloudnative-pg-secret
+ name: *secret
key: aws-secret-access-key
# # Note: previousCluster needs to be set to the name of the previous
# # cluster when recovering from an existing cnpg cluster
diff --git a/kubernetes/teyvat/apps/default/atuin/app/externalsecret.yaml b/kubernetes/teyvat/apps/default/atuin/app/externalsecret.yaml
index 1ee4c6ea81..875c5455bd 100644
--- a/kubernetes/teyvat/apps/default/atuin/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/default/atuin/app/externalsecret.yaml
@@ -3,12 +3,15 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: atuin
+ name: &name atuin-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
ATUIN_DB_URI: |-
postgres://{{ .ATUIN_POSTGRES_USER }}:{{ .ATUIN_POSTGRES_PASS }}@postgres-rw.database.svc.cluster.local/atuin
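Review bot: Dropping `deletionPolicy: Delete` (L204) means the rendered `atuin-secret` — which embeds the database password in the `ATUIN_DB_URI` connection string — falls back to ESO's default `Retain` and persists after the ExternalSecret is deleted; add `deletionPolicy: Delete` under `target` alongside `name: *name` unless that is intended. Also, the password is interpolated into the URI unescaped, so if the value now sourced from Bitwarden contains URI-reserved characters (`@`, `/`, `#`, `%`, `:`) the connection string will parse incorrectly; either constrain the secret's character set or pass it through Go's `urlquery` template function, if the ESO v2 engine exposes it. The rest of the template and the `dataFrom` block are in the next hunk.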
@@ -17,28 +20,8 @@ spec:
INIT_POSTGRES_USER: "{{ .ATUIN_POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .ATUIN_POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: ATUIN_POSTGRES_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: eeda4d11-e092-429a-9bc0-b0f300fa39cf
- property: username
- - secretKey: ATUIN_POSTGRES_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: eeda4d11-e092-429a-9bc0-b0f300fa39cf
- property: password
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: atuin
+ - extract:
+ key: cloudnative-pg
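Review bot: Both `extract` entries are flattened into one template context, and ESO resolves duplicate keys across `dataFrom` entries in order (later entry wins, as far as I recall its merge semantics), so any key in the `cloudnative-pg` item that shares a name with one in `atuin` silently overrides it with no error; the old explicit `data` mapping could not collide this way. Since the superuser credentials are referenced with their own prefix (`POSTGRES_SUPER_PASS`), I'd state that invariant in a comment, e.g. `# keys in the cloudnative-pg item must not overlap the app item; the later extract wins`, or apply a `rewrite` that prefixes the second extract with `CNPG_`. Note this also grants the atuin ExternalSecret read access to the whole cnpg item, including the S3 bucket credentials it does not use — only the templated keys are written to the Secret, but the read scope is broader than the old per-property mapping.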
diff --git a/kubernetes/teyvat/apps/default/atuin/app/helmrelease.yaml b/kubernetes/teyvat/apps/default/atuin/app/helmrelease.yaml
index 1daccc516d..450799ebe2 100644
--- a/kubernetes/teyvat/apps/default/atuin/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/default/atuin/app/helmrelease.yaml
@@ -37,7 +37,7 @@ spec:
tag: 16
envFrom: &envFrom
- secretRef:
- name: *app
+ name: atuin-secret
containers:
main:
image:
diff --git a/kubernetes/teyvat/apps/default/homepage/app/externalsecret.yaml b/kubernetes/teyvat/apps/default/homepage/app/externalsecret.yaml
index 766bbc4824..0a6502580f 100644
--- a/kubernetes/teyvat/apps/default/homepage/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/default/homepage/app/externalsecret.yaml
@@ -1,4 +1,4 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
@@ -44,233 +44,233 @@ spec:
## Security
HOMEPAGE_VAR_AUTHENTIK_TOKEN: "{{ .authentik_token }}"
data:
- ## Non Cluster
- - secretKey: cloudflare_accountid
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
- property: account_id
- - secretKey: cloudflare_tunnelid
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
- property: tunnel_id
- - secretKey: cloudflare_key
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
- property: api_token
- - secretKey: pihole_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 27fe4940-03ac-4718-815a-b0200144dda7
- property: token
- - secretKey: nextdns_id
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: dc5c6a13-709f-455b-b2af-b04200dad40d
- property: ID
- - secretKey: nextdns_api
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: dc5c6a13-709f-455b-b2af-b04200dad40d
- property: API
- - secretKey: portainer_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7b792cef-9d6d-48f1-9fe0-acfa010ac442
- property: token
- - secretKey: unifi_user
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 02cfb975-77dc-46fb-96b2-afd60023b1a1
- property: username
- - secretKey: unifi_pass
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 02cfb975-77dc-46fb-96b2-afd60023b1a1
- property: password
- ## Default
- - secretKey: hass_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: b3582fd9-4e36-4adf-83b3-adec011a84fd
- property: token
- ## Downloads
- - secretKey: bazarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: dd1001b2-9c2e-409b-ab81-afd500d9ba6a
- property: token
- - secretKey: kapowarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 01806b71-fed2-4214-a80f-b04500fc17c5
- property: token
- - secretKey: mylar_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: cfe083fb-6377-49fa-ad0f-b02001445f7c
- property: token
- - secretKey: prowlarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7fa0147f-6ab6-44b1-9ba2-af8f01172e77
- property: token
- - secretKey: qbittorrent_username
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7bda7d2b-e9d8-4699-b43a-afc50017aab5
- property: username
- - secretKey: qbittorrent_password
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7bda7d2b-e9d8-4699-b43a-afc50017aab5
- property: password
- - secretKey: radarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 33a5fd65-38fb-40d6-b4a6-ac6e00f706e3
- property: token
- - secretKey: readarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f8621570-ad69-40ef-8315-afd500df25b3
- property: token
- - secretKey: sabnzbd_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 11eae6bf-761a-433f-ad9a-ac6e00f706e3
- property: api_token
- - secretKey: sonarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f131edf2-177b-4284-b606-ac6e00f706e3
- property: token
- ## Media
- - secretKey: overseerr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: d6c7ed5d-dc6c-4a61-8df5-afd500e1d0ef
- property: token
- - secretKey: plex_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5f4a73e9-dbaa-47bf-a5f2-ac6e00f706e3
- property: token
- - secretKey: tautulli_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 9be660f2-f018-41fa-91db-afd500dfc709
- property: k8s_token
- - secretKey: kavita_username
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 675ec17c-ab29-48fe-a7e8-b0050110a1a7
- property: username
- - secretKey: kavita_password
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 675ec17c-ab29-48fe-a7e8-b0050110a1a7
- property: password
- ## Monitoring
- - secretKey: grafana_username
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: username
- - secretKey: grafana_password
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: password
- ## Security
- - secretKey: authentik_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 3ff34fd7-ec65-436c-865c-afcf0104ce37
- property: token
+ ## Non Cluster
+ - secretKey: cloudflare_accountid
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
+ property: account_id
+ - secretKey: cloudflare_tunnelid
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
+ property: tunnel_id
+ - secretKey: cloudflare_key
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
+ property: api_token
+ - secretKey: pihole_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 27fe4940-03ac-4718-815a-b0200144dda7
+ property: token
+ - secretKey: nextdns_id
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: dc5c6a13-709f-455b-b2af-b04200dad40d
+ property: ID
+ - secretKey: nextdns_api
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: dc5c6a13-709f-455b-b2af-b04200dad40d
+ property: API
+ - secretKey: portainer_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 7b792cef-9d6d-48f1-9fe0-acfa010ac442
+ property: token
+ - secretKey: unifi_user
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 02cfb975-77dc-46fb-96b2-afd60023b1a1
+ property: username
+ - secretKey: unifi_pass
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 02cfb975-77dc-46fb-96b2-afd60023b1a1
+ property: password
+ ## Default
+ - secretKey: hass_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: b3582fd9-4e36-4adf-83b3-adec011a84fd
+ property: token
+ ## Downloads
+ - secretKey: bazarr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: dd1001b2-9c2e-409b-ab81-afd500d9ba6a
+ property: token
+ - secretKey: kapowarr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 01806b71-fed2-4214-a80f-b04500fc17c5
+ property: token
+ - secretKey: mylar_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: cfe083fb-6377-49fa-ad0f-b02001445f7c
+ property: token
+ - secretKey: prowlarr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 7fa0147f-6ab6-44b1-9ba2-af8f01172e77
+ property: token
+ - secretKey: qbittorrent_username
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 7bda7d2b-e9d8-4699-b43a-afc50017aab5
+ property: username
+ - secretKey: qbittorrent_password
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 7bda7d2b-e9d8-4699-b43a-afc50017aab5
+ property: password
+ - secretKey: radarr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 33a5fd65-38fb-40d6-b4a6-ac6e00f706e3
+ property: token
+ - secretKey: readarr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: f8621570-ad69-40ef-8315-afd500df25b3
+ property: token
+ - secretKey: sabnzbd_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 11eae6bf-761a-433f-ad9a-ac6e00f706e3
+ property: api_token
+ - secretKey: sonarr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: f131edf2-177b-4284-b606-ac6e00f706e3
+ property: token
+ ## Media
+ - secretKey: overseerr_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: d6c7ed5d-dc6c-4a61-8df5-afd500e1d0ef
+ property: token
+ - secretKey: plex_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 5f4a73e9-dbaa-47bf-a5f2-ac6e00f706e3
+ property: token
+ - secretKey: tautulli_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 9be660f2-f018-41fa-91db-afd500dfc709
+ property: k8s_token
+ - secretKey: kavita_username
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 675ec17c-ab29-48fe-a7e8-b0050110a1a7
+ property: username
+ - secretKey: kavita_password
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 675ec17c-ab29-48fe-a7e8-b0050110a1a7
+ property: password
+ ## Monitoring
+ - secretKey: grafana_username
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: b36a66be-7898-4003-902a-afc701166ed9
+ property: username
+ - secretKey: grafana_password
+ sourceRef:
+ storeRef:
+ name: bitwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: b36a66be-7898-4003-902a-afc701166ed9
+ property: password
+ ## Security
+ - secretKey: authentik_token
+ sourceRef:
+ storeRef:
+ name: bitwarden-fields
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 3ff34fd7-ec65-436c-865c-afcf0104ce37
+ property: token
diff --git a/kubernetes/teyvat/apps/default/paperless/app/externalsecret.yaml b/kubernetes/teyvat/apps/default/paperless/app/externalsecret.yaml
index f1d941798b..567d295979 100644
--- a/kubernetes/teyvat/apps/default/paperless/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/default/paperless/app/externalsecret.yaml
@@ -1,13 +1,17 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: paperless-secret
+ name: &name paperless-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# App
PAPERLESS_DBENGINE: postgresql
@@ -26,60 +30,8 @@ spec:
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_USER: "{{ .POSTGRES_SUPER_USER }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: PAPERLESS_DBUSER
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 844cc5ff-a52a-4452-85c2-b03101397ef2
- property: pg_user
- - secretKey: PAPERLESS_DBPASS
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 844cc5ff-a52a-4452-85c2-b03101397ef2
- property: pg_password
- - secretKey: PAPERLESS_ADMIN_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 844cc5ff-a52a-4452-85c2-b03101397ef2
- property: username
- - secretKey: PAPERLESS_ADMIN_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 844cc5ff-a52a-4452-85c2-b03101397ef2
- property: password
- - secretKey: PAPERLESS_SECRET_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 844cc5ff-a52a-4452-85c2-b03101397ef2
- property: secret_key
- - secretKey: POSTGRES_SUPER_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: paperless
+ - extract:
+ key: cloudnative-pg
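Review bot: The explicit per-key mapping that documented which Bitwarden properties feed `PAPERLESS_DBUSER`, `PAPERLESS_DBPASS`, `PAPERLESS_ADMIN_USER`, `PAPERLESS_ADMIN_PASSWORD` and `PAPERLESS_SECRET_KEY` (L763–L802) is gone, so the template above this hunk now depends on the `paperless` Secrets Manager item carrying exactly those key names, and a missing or renamed key would surface only at render time rather than in this file. I'd record that contract next to the extract, e.g. `# the "paperless" item must define PAPERLESS_DBUSER, PAPERLESS_DBPASS, PAPERLESS_ADMIN_USER, PAPERLESS_ADMIN_PASSWORD, PAPERLESS_SECRET_KEY` and `# the "cloudnative-pg" item supplies POSTGRES_SUPER_USER / POSTGRES_SUPER_PASS`. The template `data` section that references these keys is outside the hunk, so verify the names there match.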
diff --git a/kubernetes/teyvat/apps/default/paperless/app/helmrelease.yaml b/kubernetes/teyvat/apps/default/paperless/app/helmrelease.yaml
index f894781b97..5e37f209e7 100644
--- a/kubernetes/teyvat/apps/default/paperless/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/default/paperless/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -43,8 +42,8 @@ spec:
tag: 16
pullPolicy: IfNotPresent
envFrom:
- - secretRef:
- name: &secret paperless-secret
+ - secretRef:
+ name: &secret paperless-secret
containers:
main:
image:
@@ -53,10 +52,10 @@ spec:
env:
PAPERLESS_REDIS_PREFIX: pngx
envFrom:
- - secretRef:
- name: *secret
- - configMapRef:
- name: paperless-configmap
+ - secretRef:
+ name: *secret
+ - configMapRef:
+ name: paperless-configmap
resources:
requests:
cpu: 15m
@@ -77,15 +76,15 @@ spec:
gethomepage.dev/name: Paperless
gethomepage.dev/icon: paperless.png
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
@@ -93,7 +92,7 @@ spec:
advancedMounts:
main:
main:
- - path: /data/local
+ - path: /data/local
nas:
enabled: true
type: nfs
@@ -102,4 +101,4 @@ spec:
advancedMounts:
main:
main:
- - path: /data/nas
+ - path: /data/nas
diff --git a/kubernetes/teyvat/apps/downloads/bazarr/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/bazarr/app/externalsecret.yaml
index f805a53102..e17c7466e7 100644
--- a/kubernetes/teyvat/apps/downloads/bazarr/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/bazarr/app/externalsecret.yaml
@@ -1,16 +1,20 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: bazarr-secret
+ name: &name bazarr-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# App
- BAZARR__API_KEY: "{{ .BAZARR__API_KEY }}"
+ BAZARR__API_KEY: "{{ .BAZARR_API_KEY }}"
POSTGRES_ENABLED: "true"
POSTGRES_DATABASE: &dbName bazarr
POSTGRES_HOST: &dbHost postgres-rw.database.svc.cluster.local
@@ -23,44 +27,8 @@ spec:
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: POSTGRES_USERNAME
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: dd1001b2-9c2e-409b-ab81-afd500d9ba6a
- property: pg_user
- - secretKey: POSTGRES_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: dd1001b2-9c2e-409b-ab81-afd500d9ba6a
- property: pg_password
- - secretKey: BAZARR__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: dd1001b2-9c2e-409b-ab81-afd500d9ba6a
- property: token
- - secretKey: POSTGRES_SUPER_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: bazarr
+ - extract:
+ key: cloudnative-pg
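Review bot: The context keys `POSTGRES_USERNAME` and `POSTGRES_PASSWORD`, which were explicit `secretKey` entries fetched from bazarr's own item (L947, L955), are now expected to come from the `bazarr` extract with no mapping in this file; if that item lacks one of them the outcome depends on how the v2 template engine treats a missing key (empty value versus reconcile error), and an empty `POSTGRES_PASSWORD` would hand the init container a passwordless DB role. Confirm the item defines both keys, and consider a comment above `dataFrom:` listing what the template needs, e.g. `# "bazarr" item: BAZARR_API_KEY, POSTGRES_USERNAME, POSTGRES_PASSWORD`. The template lines that consume these keys are partly outside this hunk.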
diff --git a/kubernetes/teyvat/apps/downloads/bazarr/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/bazarr/app/helmrelease.yaml
index d9b66fb0af..834ef60d9d 100644
--- a/kubernetes/teyvat/apps/downloads/bazarr/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/bazarr/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -42,8 +41,8 @@ spec:
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- - secretRef:
- name: bazarr-secret
+ - secretRef:
+ name: bazarr-secret
containers:
main:
image:
@@ -63,10 +62,10 @@ spec:
repository: registry.k8s.io/git-sync/git-sync
tag: v4.2.1
args:
- - --repo=https://github.com/KBlixt/subcleaner
- - --branch=master
- - --wait=86400 # 1 day
- - --root=/add-ons
+ - --repo=https://github.com/KBlixt/subcleaner
+ - --branch=master
+ - --wait=86400 # 1 day
+ - --root=/add-ons
resources:
requests:
cpu: 10m
@@ -101,15 +100,15 @@ spec:
sub_filter '' '';
sub_filter_once on;
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
@@ -120,6 +119,6 @@ spec:
server: ${NAS_IP:=temp}
path: ${SECRET_NFS_DATA:=temp}
globalMounts:
- - path: /data
+ - path: /data
add-ons:
type: emptyDir
diff --git a/kubernetes/teyvat/apps/downloads/prowlarr/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/prowlarr/app/externalsecret.yaml
index f0a920786e..67a929363b 100644
--- a/kubernetes/teyvat/apps/downloads/prowlarr/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/prowlarr/app/externalsecret.yaml
@@ -1,20 +1,24 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: prowlarr-secret
+ name: &name prowlarr-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# App
- PROWLARR__API_KEY: "{{ .PROWLARR__API_KEY }}"
+ PROWLARR__API_KEY: "{{ .PROWLARR_API_KEY }}"
PROWLARR__POSTGRES_HOST: &dbHost postgres-rw.database.svc.cluster.local
PROWLARR__POSTGRES_PORT: "5432"
- PROWLARR__POSTGRES_USER: &dbUser "{{ .PROWLARR__POSTGRES_USER }}"
- PROWLARR__POSTGRES_PASSWORD: &dbPass "{{ .PROWLARR__POSTGRES_PASSWORD }}"
+ PROWLARR__POSTGRES_USER: &dbUser "{{ .POSTGRES_USERNAME }}"
+ PROWLARR__POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
PROWLARR__POSTGRES_MAIN_DB: prowlarr_main
PROWLARR__POSTGRES_LOG_DB: prowlarr_log
# Postgres Init
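Review bot: Replacing the app-scoped context keys `PROWLARR__POSTGRES_USER`/`PROWLARR__POSTGRES_PASSWORD` with the generic `POSTGRES_USERNAME`/`POSTGRES_PASSWORD` (L1104–L1105) makes the per-app DB identity depend entirely on which Bitwarden item is extracted, and the same generic names are used by other apps in this change; that is fine as long as each app's item carries its own distinct database role, but it invites copying one credential across items. A one-line comment above `PROWLARR__POSTGRES_USER`, e.g. `# POSTGRES_USERNAME/POSTGRES_PASSWORD come from the "prowlarr" item and must be prowlarr's own DB role, not the shared superuser`, would make that expectation explicit. The `dataFrom` block that supplies these keys is in the next hunk.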
@@ -23,44 +27,8 @@ spec:
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: PROWLARR__POSTGRES_USER
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7fa0147f-6ab6-44b1-9ba2-af8f01172e77
- property: pg_user
- - secretKey: PROWLARR__POSTGRES_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7fa0147f-6ab6-44b1-9ba2-af8f01172e77
- property: pg_password
- - secretKey: PROWLARR__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7fa0147f-6ab6-44b1-9ba2-af8f01172e77
- property: token
- - secretKey: POSTGRES_SUPER_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: prowlarr
+ - extract:
+ key: cloudnative-pg
diff --git a/kubernetes/teyvat/apps/downloads/prowlarr/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/prowlarr/app/helmrelease.yaml
index cb65bedb4d..8dd4eb1d49 100644
--- a/kubernetes/teyvat/apps/downloads/prowlarr/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/prowlarr/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -41,8 +40,8 @@ spec:
tag: 16
pullPolicy: IfNotPresent
envFrom: &envFrom
- - secretRef:
- name: prowlarr-secret
+ - secretRef:
+ name: prowlarr-secret
containers:
main:
image:
@@ -87,16 +86,16 @@ spec:
sub_filter '' '';
sub_filter_once on;
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- pathType: Prefix
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
diff --git a/kubernetes/teyvat/apps/downloads/radarr/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/radarr/app/externalsecret.yaml
index 33d260dd57..ada1625177 100644
--- a/kubernetes/teyvat/apps/downloads/radarr/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/radarr/app/externalsecret.yaml
@@ -1,20 +1,24 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: radarr-secret
+ name: &name radarr-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# App
- RADARR__API_KEY: "{{ .RADARR__API_KEY }}"
+ RADARR__API_KEY: "{{ .RADARR_API_KEY }}"
RADARR__POSTGRES_HOST: &dbHost postgres-rw.database.svc.cluster.local
RADARR__POSTGRES_PORT: "5432"
- RADARR__POSTGRES_USER: &dbUser "{{ .RADARR__POSTGRES_USER }}"
- RADARR__POSTGRES_PASSWORD: &dbPass "{{ .RADARR__POSTGRES_PASSWORD }}"
+ RADARR__POSTGRES_USER: &dbUser "{{ .POSTGRES_USERNAME }}"
+ RADARR__POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
RADARR__POSTGRES_MAIN_DB: radarr_main
RADARR__POSTGRES_LOG_DB: radarr_log
# Postgres Init
@@ -23,44 +27,8 @@ spec:
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: RADARR__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 33a5fd65-38fb-40d6-b4a6-ac6e00f706e3
- property: token
- - secretKey: RADARR__POSTGRES_USER
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 33a5fd65-38fb-40d6-b4a6-ac6e00f706e3
- property: pg_user
- - secretKey: RADARR__POSTGRES_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 33a5fd65-38fb-40d6-b4a6-ac6e00f706e3
- property: pg_password
- - secretKey: POSTGRES_SUPER_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: radarr
+ - extract:
+ key: cloudnative-pg
diff --git a/kubernetes/teyvat/apps/downloads/radarr/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/radarr/app/helmrelease.yaml
index 13d1c5e6a7..93559bd9fc 100644
--- a/kubernetes/teyvat/apps/downloads/radarr/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/radarr/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -43,8 +42,8 @@ spec:
tag: 16
pullPolicy: IfNotPresent
envFrom: &envFrom
- - secretRef:
- name: radarr-secret
+ - secretRef:
+ name: radarr-secret
containers:
main:
image:
@@ -107,15 +106,15 @@ spec:
sub_filter '' '';
sub_filter_once on;
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
@@ -128,4 +127,4 @@ spec:
server: ${NAS_IP:=temp}
path: ${SECRET_NFS_DATA:=temp}
globalMounts:
- - path: /data
+ - path: /data
diff --git a/kubernetes/teyvat/apps/downloads/readarr/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/readarr/app/externalsecret.yaml
index 324ebe5bad..ed73ea17cb 100644
--- a/kubernetes/teyvat/apps/downloads/readarr/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/readarr/app/externalsecret.yaml
@@ -1,20 +1,24 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: readarr-secret
+ name: &name readarr-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# App
- READARR__API_KEY: "{{ .READARR__API_KEY }}"
+ READARR__API_KEY: "{{ .READARR_API_KEY }}"
READARR__POSTGRES_HOST: &dbHost postgres-rw.database.svc.cluster.local
READARR__POSTGRES_PORT: "5432"
- READARR__POSTGRES_USER: &dbUser "{{ .READARR__POSTGRES_USER }}"
- READARR__POSTGRES_PASSWORD: &dbPass "{{ .READARR__POSTGRES_PASSWORD }}"
+ READARR__POSTGRES_USER: &dbUser "{{ .POSTGRES_USERNAME }}"
+ READARR__POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
READARR__POSTGRES_MAIN_DB: readarr_main
READARR__POSTGRES_LOG_DB: readarr_log
READARR__POSTGRES_CACHE_DB: readarr_cache
@@ -24,52 +28,8 @@ spec:
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: READARR__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f8621570-ad69-40ef-8315-afd500df25b3
- property: token
- - secretKey: READARR__POSTGRES_USER
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f8621570-ad69-40ef-8315-afd500df25b3
- property: pg_user
- - secretKey: READARR__POSTGRES_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f8621570-ad69-40ef-8315-afd500df25b3
- property: pg_password
- - secretKey: READARR__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f8621570-ad69-40ef-8315-afd500df25b3
- property: token
- - secretKey: POSTGRES_SUPER_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: readarr
+ - extract:
+ key: cloudnative-pg
diff --git a/kubernetes/teyvat/apps/downloads/readarr/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/readarr/app/helmrelease.yaml
index c1fed98a95..68cef291cd 100644
--- a/kubernetes/teyvat/apps/downloads/readarr/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/readarr/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -43,8 +42,8 @@ spec:
tag: 16
pullPolicy: IfNotPresent
envFrom: &envFrom
- - secretRef:
- name: readarr-secret
+ - secretRef:
+ name: readarr-secret
containers:
main:
image:
@@ -90,15 +89,15 @@ spec:
sub_filter '' '';
sub_filter_once on;
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
@@ -111,4 +110,4 @@ spec:
server: ${NAS_IP:=temp}
path: ${SECRET_NFS_DATA:=temp}
globalMounts:
- - path: /data
+ - path: /data
diff --git a/kubernetes/teyvat/apps/downloads/recyclarr/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/recyclarr/app/externalsecret.yaml
index b0b52ac0ed..179a53f182 100644
--- a/kubernetes/teyvat/apps/downloads/recyclarr/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/recyclarr/app/externalsecret.yaml
@@ -1,32 +1,23 @@
----
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: recyclarr-secret
+ name: &name recyclarr
spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
- RADARR_API_KEY: |-
- {{ .radarr_token }}
- SONARR_API_KEY: |-
- {{ .sonarr_token }}
- data:
- - secretKey: radarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 33a5fd65-38fb-40d6-b4a6-ac6e00f706e3
- property: token
- - secretKey: sonarr_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f131edf2-177b-4284-b606-ac6e00f706e3
- property: token
+ # App
+ RADARR_API_KEY: "{{ .RADARR_API_KEY }}"
+ SONARR_API_KEY: "{{ .SONARR_API_KEY }}"
+ dataFrom:
+ - extract:
+ key: radarr
+ - extract:
+ key: sonarr
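Review bot: This file drops the leading `---` document start (old line 1) while the sibling ExternalSecrets in this change keep it, and the target Secret is renamed to plain `recyclarr` where every other app in the series uses the `<app>-secret` suffix (`radarr-secret`, `sonarr-secret`, `sabnzbd-secret`); both are drift from the convention the rest of the change establishes. Suggest restoring `---` above the schema comment and naming the object `&name recyclarr-secret`, with the matching `secretRef` in the HelmRelease. `refreshInterval: "1h"` is also set only here; it is the ESO default, so either set it uniformly across the ExternalSecrets or drop it for consistency.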
diff --git a/kubernetes/teyvat/apps/downloads/recyclarr/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/recyclarr/app/helmrelease.yaml
index c974ccf8df..c8cf405ddd 100644
--- a/kubernetes/teyvat/apps/downloads/recyclarr/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/recyclarr/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -42,8 +41,8 @@ spec:
env:
TZ: ${TIMEZONE}
envFrom:
- - secretRef:
- name: recyclarr-secret
+ - secretRef:
+ name: recyclarr
resources:
requests:
cpu: 10m
@@ -67,6 +66,6 @@ spec:
type: configMap
name: recyclarr-configmap
globalMounts:
- - path: /config/recyclarr.yml
- subPath: recyclarr.yml
- readOnly: true
+ - path: /config/recyclarr.yml
+ subPath: recyclarr.yml
+ readOnly: true
diff --git a/kubernetes/teyvat/apps/downloads/sabnzbd/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/sabnzbd/app/externalsecret.yaml
index deccfeba68..4b1bb6b021 100644
--- a/kubernetes/teyvat/apps/downloads/sabnzbd/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/sabnzbd/app/externalsecret.yaml
@@ -1,31 +1,22 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: sabnzbd-secret
+ name: &name sabnzbd-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# App
- SABNZBD__API_KEY: "{{ .SABNZBD__API_KEY }}"
- SABNZBD__NZB_KEY: "{{ .SABNZBD__NZB_KEY }}"
- data:
- - secretKey: SABNZBD__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 11eae6bf-761a-433f-ad9a-ac6e00f706e3
- property: api_token
- - secretKey: SABNZBD__NZB_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 11eae6bf-761a-433f-ad9a-ac6e00f706e3
- property: nzb_token
+ SABNZBD__API_KEY: "{{ .SABNZBD_API_KEY }}"
+ SABNZBD__NZB_KEY: "{{ .SABNZBD_NZB_KEY }}"
+ dataFrom:
+ - extract:
+ key: sabnzbd
+
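Review bot: The file now ends with an extra empty line (the added blank `+` line after `key: sabnzbd`), which yamllint's `empty-lines` check will flag and which none of the sibling ExternalSecrets carry. Drop the trailing blank line so the file ends directly after `key: sabnzbd`.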
diff --git a/kubernetes/teyvat/apps/downloads/sabnzbd/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/sabnzbd/app/helmrelease.yaml
index da7a8e5da3..2ce3b3bd5e 100644
--- a/kubernetes/teyvat/apps/downloads/sabnzbd/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/sabnzbd/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -45,15 +44,10 @@ spec:
TZ: ${TIMEZONE}
SABNZBD__PORT: &port 8080
SABNZBD__HOST_WHITELIST_ENTRIES: >-
- sabnzbd,
- sabnzbd.downloads,
- sabnzbd.downloads.svc,
- sabnzbd.downloads.svc.cluster,
- sabnzbd.downloads.svc.cluster.local,
- sabnzbd.${SECRET_DOMAIN}
+ sabnzbd, sabnzbd.downloads, sabnzbd.downloads.svc, sabnzbd.downloads.svc.cluster, sabnzbd.downloads.svc.cluster.local, sabnzbd.${SECRET_DOMAIN}
envFrom:
- - secretRef:
- name: sabnzbd-secret
+ - secretRef:
+ name: sabnzbd-secret
probes:
liveness: &probes
enabled: true
@@ -79,12 +73,12 @@ spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchExpressions:
- - key: app.kubernetes.io/name
- operator: In
- values: ["qbittorrent"]
- topologyKey: kubernetes.io/hostname
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values: ["qbittorrent"]
+ topologyKey: kubernetes.io/hostname
securityContext:
runAsUser: 568
runAsGroup: 568
@@ -112,15 +106,15 @@ spec:
sub_filter '' '';
sub_filter_once on;
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
@@ -131,16 +125,16 @@ spec:
server: ${NAS_IP:=temp}
path: ${SECRET_NFS_DATA:=temp}
globalMounts:
- - path: /downloads
- subPath: usenet
+ - path: /downloads
+ subPath: usenet
incomplete:
type: emptyDir
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- - labelSelector:
- matchExpressions:
- - key: app.kubernetes.io/name
- operator: In
- values: ["qbittorrent"]
- topologyKey: kubernetes.io/hostname
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values: ["qbittorrent"]
+ topologyKey: kubernetes.io/hostname
diff --git a/kubernetes/teyvat/apps/downloads/sonarr/app/externalsecret.yaml b/kubernetes/teyvat/apps/downloads/sonarr/app/externalsecret.yaml
index d13a6b2b1f..876e077d15 100644
--- a/kubernetes/teyvat/apps/downloads/sonarr/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/downloads/sonarr/app/externalsecret.yaml
@@ -1,19 +1,24 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: sonarr-secret
+ name: &name sonarr-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
- SONARR__API_KEY: "{{ .SONARR__API_KEY }}"
+ # App
+ SONARR__API_KEY: "{{ .SONARR_API_KEY }}"
SONARR__POSTGRES_HOST: &dbHost postgres-rw.database.svc.cluster.local
SONARR__POSTGRES_PORT: "5432"
- SONARR__POSTGRES_USER: &dbUser "{{ .SONARR__POSTGRES_USER }}"
- SONARR__POSTGRES_PASSWORD: &dbPass "{{ .SONARR__POSTGRES_PASSWORD }}"
+ SONARR__POSTGRES_USER: &dbUser "{{ .POSTGRES_USER }}"
+ SONARR__POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
SONARR__POSTGRES_MAIN_DB: sonarr_main
SONARR__POSTGRES_LOG_DB: sonarr_log
# Postgres Init
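Review bot: The username lookup `SONARR__POSTGRES_USER: &dbUser "{{ .POSTGRES_USER }}"` does not agree with radarr and readarr in this same change, which read `{{ .POSTGRES_USERNAME }}` from the same `cloudnative-pg` extract; unless that Bitwarden secret carries both keys, either sonarr or the other two will render an empty username, and `INIT_POSTGRES_USER` (aliased from the same anchor) will be empty as well. Check which key the `cloudnative-pg` secret actually exposes and make all three files use it, e.g. `SONARR__POSTGRES_USER: &dbUser "{{ .POSTGRES_USERNAME }}"`. A missing template key does not necessarily surface as an ExternalSecret sync error, so verify the rendered Secret rather than the ExternalSecret status. The remaining `INIT_POSTGRES_*` keys continue in the next hunk.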
@@ -22,44 +27,8 @@ spec:
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: SONARR__API_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f131edf2-177b-4284-b606-ac6e00f706e3
- property: token
- - secretKey: SONARR__POSTGRES_USER
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f131edf2-177b-4284-b606-ac6e00f706e3
- property: pg_user
- - secretKey: SONARR__POSTGRES_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f131edf2-177b-4284-b606-ac6e00f706e3
- property: pg_password
- - secretKey: POSTGRES_SUPER_USER
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: username
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: sonarr
+ - extract:
+ key: cloudnative-pg
diff --git a/kubernetes/teyvat/apps/downloads/sonarr/app/helmrelease.yaml b/kubernetes/teyvat/apps/downloads/sonarr/app/helmrelease.yaml
index ce3e7fd5f3..96b341090b 100644
--- a/kubernetes/teyvat/apps/downloads/sonarr/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/downloads/sonarr/app/helmrelease.yaml
@@ -1,4 +1,3 @@
----
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
@@ -25,10 +24,10 @@ spec:
uninstall:
keepHistory: false
dependsOn:
- - name: rook-ceph-cluster
- namespace: rook-ceph
- - name: volsync
- namespace: storage
+ - name: rook-ceph-cluster
+ namespace: rook-ceph
+ - name: volsync
+ namespace: storage
values:
controllers:
main:
@@ -43,8 +42,8 @@ spec:
tag: 16
pullPolicy: IfNotPresent
envFrom: &envFrom
- - secretRef:
- name: sonarr-secret
+ - secretRef:
+ name: sonarr-secret
containers:
main:
image:
@@ -107,15 +106,15 @@ spec:
sub_filter '' '';
sub_filter_once on;
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
- paths:
- - path: /
- service:
- name: main
- port: http
+ - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ name: main
+ port: http
tls:
- - hosts:
- - *host
+ - hosts:
+ - *host
persistence:
config:
enabled: true
@@ -128,4 +127,4 @@ spec:
server: ${NAS_IP:=temp}
path: ${SECRET_NFS_DATA:=temp}
globalMounts:
- - path: /data
+ - path: /data
diff --git a/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/externalsecret.yaml b/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/externalsecret.yaml
new file mode 100644
index 0000000000..a070457022
--- /dev/null
+++ b/kubernetes/teyvat/apps/external-secrets/external-secrets/bitwarden-secrets-manager/externalsecret.yaml
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: "bws-test-secret"
+spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
+ target:
+ name: "bws-test-secret"
+ template:
+ engineVersion: v2
+ data:
+ RESTIC_REPOSITORY: "{{ .REPOSITORY_TEMPLATE }}/test"
+ RESTIC_PASSWORD: "{{ .RESTIC_PASSWORD }}"
+ AWS_ACCESS_KEY_ID: "{{ .MINIO_ROOT_USER }}"
+ AWS_SECRET_ACCESS_KEY: "{{ .MINIO_ROOT_PASSWORD }}"
+ dataFrom:
+ - extract:
+ key: minio
+ - extract:
+ key: volsync-minio-template
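Review bot: This new ExternalSecret renders the MinIO root credentials (`MINIO_ROOT_USER`/`MINIO_ROOT_PASSWORD`) and the restic repository password into a Secret named `bws-test-secret` under the external-secrets app directory; if it is referenced from a kustomization it will be materialised on the cluster as a scratch object that no workload in this change consumes. Root-level object-store credentials should not be duplicated into a test Secret: either delete this file once the `bitwarden-secrets-manager` ClusterSecretStore is confirmed working, or keep a smoke test that extracts a non-privileged key. It also lacks the `---` document start and the `# yaml-language-server:` schema line the other ExternalSecrets carry.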
diff --git a/kubernetes/teyvat/apps/flux-system/tf-controller/app/externalsecret.yaml b/kubernetes/teyvat/apps/flux-system/tf-controller/app/externalsecret.yaml
index d32fab82a9..11891a0715 100644
--- a/kubernetes/teyvat/apps/flux-system/tf-controller/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/flux-system/tf-controller/app/externalsecret.yaml
@@ -1,156 +1,57 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: terraform-backend-secret
+ name: &name terraform-backend-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- metadata:
- labels:
- cnpg.io/reload: "true"
- type: Opaque
+ engineVersion: v2
data:
- access_key: "{{ .access_key }}"
- secret_key: "{{ .secret_key }}"
- endpoint: "{{ .endpoint }}"
- data:
- - secretKey: access_key
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5a98804c-6c54-4e09-817e-afd8012c70ad
- property: access_key
- - secretKey: secret_key
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5a98804c-6c54-4e09-817e-afd8012c70ad
- property: secret_key
- - secretKey: endpoint
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5a98804c-6c54-4e09-817e-afd8012c70ad
- property: endpoint
+ access_key: "{{ .AWS_ACCESS_KEY_ID }}"
+ secret_key: "{{ .AWS_SECRET_ACCESS_KEY }}"
+ endpoint: s3.${PI_DOMAIN}
+ dataFrom:
+ - extract:
+ key: minio
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: terraform-authentik-secret
+ name: &name terraform-authentik-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- metadata:
- labels:
- cnpg.io/reload: "true"
- type: Opaque
+ engineVersion: v2
data:
cluster_domain: ${SECRET_DOMAIN}
- authentik_token: "{{ .authentik_token }}"
- discord_client_id: "{{ .discord_client_id }}"
- discord_client_secret: "{{ .discord_client_secret }}"
- gitops_id: "{{ .gitops_id }}"
- gitops_secret: "{{ .gitops_secret }}"
- grafana_id: "{{ .grafana_id }}"
- grafana_secret: "{{ .grafana_secret }}"
- portainer_id: "{{ .portainer_id }}"
- portainer_secret: "{{ .portainer_secret }}"
- # bazarr_username: placeholder
- # bazarr_password: placeholder
- # overseerr_username: placeholder
- # overseerr_password: placeholder
- # prowlarr_username: placeholder
- # prowlarr_password: placeholder
- # qbittorrent_username: placeholder
- # qbittorrent_password: placeholder
- # radarr_username: placeholder
- # radarr_password: placeholder
- # readarr_username: placeholder
- # readarr_password: placeholder
- # sabnzbd_username: placeholder
- # sabnzbd_password: placeholder
- # sonarr_username: placeholder
- # sonarr_password: placeholder
- # tautulli_username: placeholder
- # tautulli_password: placeholder
- data:
- - secretKey: authentik_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 3ff34fd7-ec65-436c-865c-afcf0104ce37
- property: token
- - secretKey: discord_client_id
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 01af241c-b129-4560-877a-ac6e00f706e3
- property: authentik_client_id
- - secretKey: discord_client_secret
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 01af241c-b129-4560-877a-ac6e00f706e3
- property: authentik_client_secret
- - secretKey: gitops_id
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5e19532f-62a4-4cb8-bdfc-afd501029d14
- property: client_id
- - secretKey: gitops_secret
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5e19532f-62a4-4cb8-bdfc-afd501029d14
- property: client_secret
- - secretKey: grafana_id
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: client_id
- - secretKey: grafana_secret
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: client_secret
- - secretKey: portainer_id
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7b792cef-9d6d-48f1-9fe0-acfa010ac442
- property: client_id
- - secretKey: portainer_secret
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 7b792cef-9d6d-48f1-9fe0-acfa010ac442
- property: client_secret
+ authentik_token: "{{ .AUTHENTIK_TOKEN }}"
+ discord_client_id: "{{ .DISCORD_CLIENT_ID }}"
+ discord_client_secret: "{{ .DISCORD_CLIENT_SECRET }}"
+ gitops_id: "{{ .GITOPS_CLIENT_ID }}"
+ gitops_secret: "{{ .GITOPS_CLIENT_SECRET }}"
+ grafana_id: "{{ .GRAFANA_CLIENT_ID }}"
+ grafana_secret: "{{ .GRAFANA_CLIENT_SECRET }}"
+ portainer_id: "{{ .PORTAINER_CLIENT_ID }}"
+ portainer_secret: "{{ .PORTAINER_CLIENT_SECRET }}"
+ dataFrom:
+ - extract:
+ key: authentik
+ - extract:
+ key: discord
+ - extract:
+ key: grafana
+ - extract:
+ key: portainer
+ - extract:
+ key: weave-gitops
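Review bot: `endpoint: s3.${PI_DOMAIN}` moves the backend endpoint out of the secret store into a Flux post-build variable but carries no scheme, so whether the Terraform backend talks https or plain http (with `access_key`/`secret_key` in the clear) now depends on configuration outside this file; pin it explicitly if the old value had one, e.g. `endpoint: https://s3.${PI_DOMAIN}`. Also confirm `PI_DOMAIN` is provided via the Kustomization's `postBuild.substituteFrom`; other files in this change use the `${VAR:=default}` form, and an unsubstituted `${PI_DOMAIN}` would land verbatim in the Secret. The `cnpg.io/reload: "true"` label removed from both targets appears unrelated to Terraform credential secrets, so that cleanup looks correct.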
diff --git a/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/kustomization.yaml b/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/kustomization.yaml
new file mode 100644
index 0000000000..48fcf13407
--- /dev/null
+++ b/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/kustomization.yaml
@@ -0,0 +1,7 @@
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./authentik.yaml
+# - ./minio.yaml
+- ./ocirepository.yaml
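Review bot: `# - ./minio.yaml` leaves the MinIO Terraform object out of reconciliation, yet `terraform/minio.yaml` still gets its runner image digest bumped in this same change, so it is not obvious whether the resource is parked on purpose or was dropped by accident. A one-line comment stating why it is disabled (and that `terraform-minio-secret` is therefore unused) would stop the next reader from re-enabling it blindly, e.g. `# - ./minio.yaml  # disabled: <reason>`.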
diff --git a/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/minio.yaml b/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/minio.yaml
index d4cb73c463..f5d8f92b43 100644
--- a/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/minio.yaml
+++ b/kubernetes/teyvat/apps/flux-system/tf-controller/terraform/minio.yaml
@@ -27,8 +27,7 @@ spec:
namespace: flux-system
runnerPodTemplate:
spec:
- image: ghcr.io/lildrunkensmurf/tf-runner-bitwarden:0.15.1@sha256:0b30a72a5ab443b3de459d13b5780f998979bccafd94ca0380c07434b7aba62e
- # Working image 1.3.9: ghcr.io/lildrunkensmurf/tf-runner-bitwarden:0.15.1@sha256:f783ebe9559a2c39416f2fa5e48e1c126fa9ab4d32324bda51e340f866e4837c
+ image: ghcr.io/lildrunkensmurf/tf-runner-bitwarden:0.15.1@sha256:02efeb088d7e53a04ff331517357267c61b047189365b1c60cfd3b1af13621a4
varsFrom:
- kind: Secret
name: terraform-minio-secret
diff --git a/kubernetes/teyvat/apps/flux-system/weave-gitops/app/externalsecret.yaml b/kubernetes/teyvat/apps/flux-system/weave-gitops/app/externalsecret.yaml
index b10a515ab9..7ec5c9cd68 100644
--- a/kubernetes/teyvat/apps/flux-system/weave-gitops/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/flux-system/weave-gitops/app/externalsecret.yaml
@@ -1,67 +1,47 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: cluster-user-auth
+ name: &name cluster-user-auth
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# Admin User
- username: "{{ .adminUser }}"
- password: "{{ .adminPass }}"
- data:
- - secretKey: adminUser
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 5e19532f-62a4-4cb8-bdfc-afd501029d14
- property: username
- - secretKey: adminPass
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5e19532f-62a4-4cb8-bdfc-afd501029d14
- property: password_encoded
+ username: "{{ .WEAVE_USER }}"
+ password: "{{ .WEAVE_PASS }}"
+ dataFrom:
+ - extract:
+ key: weave-gitops
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: oidc-auth
+ name: &name oidc-auth
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# Authentik
- clientID: "{{ .client_id }}"
- clientSecret: "{{ .client_secret }}"
+ clientID: "{{ .GITOPS_CLIENT_ID }}"
+ clientSecret: "{{ .GITOPS_CLIENT_SECRET }}"
issuerURL: https://authentik.${SECRET_DOMAIN}/application/o/gitops-provider/
redirectURL: https://gitops.${SECRET_DOMAIN}/oauth2/callback
customScopes: openid,profile,email
claimGroups: groups
claimUsername: preferred_username
- data:
- - secretKey: client_id
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5e19532f-62a4-4cb8-bdfc-afd501029d14
- property: client_id
- - secretKey: client_secret
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5e19532f-62a4-4cb8-bdfc-afd501029d14
- property: client_secret
+ dataFrom:
+ - extract:
+ key: weave-gitops
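Review bot: `password: "{{ .WEAVE_PASS }}"` replaces a source field that was explicitly named `password_encoded`, which suggests the previous value was the bcrypt hash that weave-gitops' `cluster-user-auth` Secret expects rather than the cleartext password. If `WEAVE_PASS` in the `weave-gitops` Bitwarden secret holds the plain password, admin login will fail without an obvious error; and if both forms exist in the store, the cleartext is what would now be shipped to the cluster. Worth a comment on the key so nobody later "fixes" it to the plaintext, e.g. `password: "{{ .WEAVE_PASS }}"  # bcrypt hash, not the cleartext password`, plus a check that the BWS entry is the hash.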
diff --git a/kubernetes/teyvat/apps/games/palworld/app/externalsecret.yaml b/kubernetes/teyvat/apps/games/palworld/app/externalsecret.yaml
index 03bcebd8ff..8d88bd1d8f 100644
--- a/kubernetes/teyvat/apps/games/palworld/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/games/palworld/app/externalsecret.yaml
@@ -1,38 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: palworld
+ name: &name palworld-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
SERVER_PASSWORD: "{{ .SERVER_PASSWORD }}"
ADMIN_PASSWORD: "{{ .ADMIN_PASSWORD }}"
WEBHOOK_URL: "{{ .DISCORD_WEBHOOK }}"
- data:
- - secretKey: SERVER_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 14a164a2-87a1-42be-bb0e-b102004b0dab
- property: server_password
- - secretKey: ADMIN_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 14a164a2-87a1-42be-bb0e-b102004b0dab
- property: admin_password
- - secretKey: DISCORD_WEBHOOK
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 14a164a2-87a1-42be-bb0e-b102004b0dab
- property: discord_webhook
+ dataFrom:
+ - extract:
+ key: palworld
diff --git a/kubernetes/teyvat/apps/games/palworld/app/helmrelease.yaml b/kubernetes/teyvat/apps/games/palworld/app/helmrelease.yaml
index 184579f277..c84684bf93 100644
--- a/kubernetes/teyvat/apps/games/palworld/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/games/palworld/app/helmrelease.yaml
@@ -59,7 +59,7 @@ spec:
WEBHOOK_ENABLED: true
envFrom:
- secretRef:
- name: *app
+ name: palworld-secret
probes:
liveness: &disabled
enabled: false
diff --git a/kubernetes/teyvat/apps/games/palworld/tools/externalsecret.yaml b/kubernetes/teyvat/apps/games/palworld/tools/externalsecret.yaml
index 54187c8bf9..ca56666395 100644
--- a/kubernetes/teyvat/apps/games/palworld/tools/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/games/palworld/tools/externalsecret.yaml
@@ -1,27 +1,23 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: palworld-tools
+ name: &name palworld-tools-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
engineVersion: v2
- type: Opaque
data:
rcon.yaml: |-
---
palworld:
address: "palworld.games.svc.cluster.local:25575"
password: "{{ .ADMIN_PASSWORD }}"
- refreshInterval: 1h
- data:
- - secretKey: ADMIN_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 14a164a2-87a1-42be-bb0e-b102004b0dab
- property: admin_password
+ dataFrom:
+ - extract:
+ key: palworld
diff --git a/kubernetes/teyvat/apps/games/palworld/tools/helmrelease.yaml b/kubernetes/teyvat/apps/games/palworld/tools/helmrelease.yaml
index d966e92b7e..98f36f9647 100644
--- a/kubernetes/teyvat/apps/games/palworld/tools/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/games/palworld/tools/helmrelease.yaml
@@ -74,11 +74,11 @@ spec:
persistence:
rcon-config:
type: secret
- name: *app
+ name: palworld-tools-secret
globalMounts:
- path: /config/rcon.yaml
subPath: rcon.yaml
readOnly: true
service:
main:
- enabled: false
\ No newline at end of file
+ enabled: false
diff --git a/kubernetes/teyvat/apps/media/plex/plex-image-cleanup/externalsecret.yaml b/kubernetes/teyvat/apps/media/plex/plex-image-cleanup/externalsecret.yaml
index f8432e3e5a..f3056cf242 100644
--- a/kubernetes/teyvat/apps/media/plex/plex-image-cleanup/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/media/plex/plex-image-cleanup/externalsecret.yaml
@@ -1,21 +1,19 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: plex-image-cleanup-secret
+ name: &name plex-image-cleanup-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
PLEX_TOKEN: "{{ .PLEX_TOKEN }}"
- data:
- - secretKey: PLEX_TOKEN
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5f4a73e9-dbaa-47bf-a5f2-ac6e00f706e3
- property: token
+ dataFrom:
+ - extract:
+ key: plex
diff --git a/kubernetes/teyvat/apps/media/plex/plex-image-cleanup/helmrelease.yaml b/kubernetes/teyvat/apps/media/plex/plex-image-cleanup/helmrelease.yaml
index cf28e10ee8..8866eaa769 100644
--- a/kubernetes/teyvat/apps/media/plex/plex-image-cleanup/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/media/plex/plex-image-cleanup/helmrelease.yaml
@@ -44,7 +44,7 @@ spec:
PHOTO_TRANSCODER: true
envFrom:
- secretRef:
- name: plex-image-cleanup-secret #PLEX_TOKEN
+ name: plex-image-cleanup-secret
probes:
liveness:
enabled: false
diff --git a/kubernetes/teyvat/apps/media/plex/plex-meta-manager/configs/config.yml b/kubernetes/teyvat/apps/media/plex/plex-meta-manager/configs/config.yml
index 6f4c318200..46b18d7902 100644
--- a/kubernetes/teyvat/apps/media/plex/plex-meta-manager/configs/config.yml
+++ b/kubernetes/teyvat/apps/media/plex/plex-meta-manager/configs/config.yml
@@ -116,7 +116,7 @@ settings:
plex:
url: http://plex.media.svc.cluster.local:32400
- token: {{ .PLEX_APIKEY }}
+ token: {{ .PLEX_TOKEN }}
timeout: 60
clean_bundles: true
empty_trash: true
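Review bot: The renamed keys are still emitted unquoted into a file that Plex-Meta-Manager parses as YAML only after ESO has rendered it, so a token that is all digits, or that starts with a YAML indicator such as `*`, `&`, `[` or `#`, is retyped or breaks the parse; every other template in this diff writes `"{{ .X }}"`. Quoting here, `token: "{{ .PLEX_TOKEN }}"`, fixes it, and the same applies to the `apikey`/`token` lines in the tautulli/radarr, sonarr, tmdb and mdblist/omdb hunks of this file. The rename also relies on the `plex` Bitwarden item exposing a field named exactly `PLEX_TOKEN`, which nothing in the corresponding ExternalSecret spells out.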
@@ -124,11 +124,11 @@ plex:
tautulli:
url: http://tautulli.media.svc.cluster.local:8181
- apikey: {{ .TAUTULLI_APIKEY }}
+ apikey: {{ .TAUTULLI_API_KEY }}
radarr:
url: http://radarr.downloads.svc.cluster.local
- token: {{ .RADARR_APIKEY }}
+ token: {{ .RADARR_API_KEY }}
add_missing: false
add_existing: false
root_folder_path: /data/media/movies
@@ -143,7 +143,7 @@ radarr:
sonarr:
url: http://sonarr.downloads.svc.cluster.local
- token: {{ .SONARR_APIKEY }}
+ token: {{ .SONARR_API_KEY }}
add_missing: false
add_existing: false
root_folder_path: /data/media/tv
@@ -160,7 +160,7 @@ sonarr:
upgrade_existing: false
tmdb:
- apikey: {{ .TMDB_APIKEY }}
+ apikey: {{ .TMDB_API_KEY }}
language: en
cache_expiration: 60
region:
@@ -178,11 +178,11 @@ trakt:
pin:
mdblist:
- apikey: {{ .MDBLIST_APIKEY }}
+ apikey: {{ .MDBLIST_API_KEY }}
cache_expiration: 60
omdb:
- apikey: {{ .OMDB_APIKEY }}
+ apikey: {{ .OMDB_API_KEY }}
cache_expiration: 60
mal:
diff --git a/kubernetes/teyvat/apps/media/plex/plex-meta-manager/externalsecret.yaml b/kubernetes/teyvat/apps/media/plex/plex-meta-manager/externalsecret.yaml
index cd02f07af3..e857050fd5 100644
--- a/kubernetes/teyvat/apps/media/plex/plex-meta-manager/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/media/plex/plex-meta-manager/externalsecret.yaml
@@ -1,167 +1,29 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: pmm-secret
+ name: &name plex-meta-manager-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
templateFrom:
- configMap:
name: pmm-config-tpl
items:
- key: config.yml
- data:
- - secretKey: PLEX_APIKEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5f4a73e9-dbaa-47bf-a5f2-ac6e00f706e3
- property: token
- - secretKey: TAUTULLI_APIKEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 9be660f2-f018-41fa-91db-afd500dfc709
- property: k8s_token
- - secretKey: TMDB_APIKEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5e1adbab-a65f-49e7-95ab-b04d01087cb0
- property: token
- - secretKey: OMDB_APIKEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: bca00c36-8c3f-42dd-bfea-b04d010aff0e
- property: token
- - secretKey: MDBLIST_APIKEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: dbfd56f9-1e77-465a-b97f-b04d010bdc04
- property: token
- - secretKey: MYANIMELIST_CLIENT_ID
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: ea00b0d2-8825-4ae1-992f-b04d010cfac2
- property: client_id
- - secretKey: MYANIMELIST_CLIENT_SECRET
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: ea00b0d2-8825-4ae1-992f-b04d010cfac2
- property: client_secret
- - secretKey: MYANIMELIST_LOCALHOST_URL
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: ea00b0d2-8825-4ae1-992f-b04d010cfac2
- property: localhost_url
- - secretKey: MYANIMELIST_ACCESS_TOKEN
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: ea00b0d2-8825-4ae1-992f-b04d010cfac2
- property: access_token
- - secretKey: MYANIMELIST_EXPIRES_IN
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: ea00b0d2-8825-4ae1-992f-b04d010cfac2
- property: expires_in
- - secretKey: MYANIMELIST_REFRESH_TOKEN
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: ea00b0d2-8825-4ae1-992f-b04d010cfac2
- property: refresh_token
- - secretKey: RADARR_APIKEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 33a5fd65-38fb-40d6-b4a6-ac6e00f706e3
- property: token
- - secretKey: SONARR_APIKEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: f131edf2-177b-4284-b606-ac6e00f706e3
- property: token
- - secretKey: TRAKT_CLIENT_ID
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 788723bb-8d87-428c-96bb-b04d010e7f08
- property: client_id
- - secretKey: TRAKT_CLIENT_SECRET
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 788723bb-8d87-428c-96bb-b04d010e7f08
- property: client_secret
- - secretKey: TRAKT_ACCESS_TOKEN
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 788723bb-8d87-428c-96bb-b04d010e7f08
- property: access_token
- - secretKey: TRAKT_EXPIRES_IN
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 788723bb-8d87-428c-96bb-b04d010e7f08
- property: expires_in
- - secretKey: TRAKT_REFRESH_TOKEN
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 788723bb-8d87-428c-96bb-b04d010e7f08
- property: refresh_token
- - secretKey: TRAKT_CREATED_AT
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 788723bb-8d87-428c-96bb-b04d010e7f08
- property: created_at
+ dataFrom:
+ - extract:
+ key: plex
+ - extract:
+ key: tautulli
+ - extract:
+ key: radarr
+ - extract:
+ key: sonarr
+ - extract:
+ key: plex-meta-manager
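Review bot: The removed per-key `data` list also carried the `MYANIMELIST_*` and `TRAKT_*` entries, but the config.yml hunks in this diff rename only the `*_APIKEY` keys; the `mal:` and `trakt:` sections (visible only as context) presumably still reference the old names, so the `plex-meta-manager` item must expose them verbatim or the rendered config gets empty or `<no value>` placeholders where OAuth secrets should be. Since five extracts are now merged into one template context, a comment above `dataFrom` mapping items to the keys they are expected to supply would make that contract reviewable, e.g. `# plex-meta-manager item: TMDB/OMDB/MDBLIST/MYANIMELIST_*/TRAKT_* keys used by pmm-config-tpl` (adjust to the real split). Note `engineVersion` is not set in this file while the sibling ExternalSecrets add `engineVersion: v2`; worth aligning if the templateFrom ConfigMap uses v2-only functions.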
diff --git a/kubernetes/teyvat/apps/media/plex/plex-meta-manager/helmrelease.yaml b/kubernetes/teyvat/apps/media/plex/plex-meta-manager/helmrelease.yaml
index 1710c0ac41..000f03a33c 100644
--- a/kubernetes/teyvat/apps/media/plex/plex-meta-manager/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/media/plex/plex-meta-manager/helmrelease.yaml
@@ -68,7 +68,7 @@ spec:
config-file:
enabled: true
type: secret
- name: pmm-secret
+ name: plex-meta-manager-secret
globalMounts:
- path: /config/config.yml
subPath: config.yml
diff --git a/kubernetes/teyvat/apps/network/cloudflared/app/externalsecret.yaml b/kubernetes/teyvat/apps/network/cloudflared/app/externalsecret.yaml
index ccd703be2b..642b61432a 100644
--- a/kubernetes/teyvat/apps/network/cloudflared/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/network/cloudflared/app/externalsecret.yaml
@@ -1,13 +1,17 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: cloudflared-secret
+ name: &name cloudflared-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
TUNNEL_ID: "{{ .CLUSTER_CLOUDFLARE_TUNNEL_ID }}"
credentials.json: |
@@ -16,28 +20,6 @@ spec:
"TunnelSecret": "{{ .CLOUDFLARE_TUNNEL_SECRET }}",
"TunnelID": "{{ .CLUSTER_CLOUDFLARE_TUNNEL_ID }}"
}
- data:
- - secretKey: CLOUDFLARE_ACCOUNT_TAG
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
- property: account_id
- - secretKey: CLOUDFLARE_TUNNEL_SECRET
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
- property: tunnel_secret
- - secretKey: CLUSTER_CLOUDFLARE_TUNNEL_ID
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
- property: tunnel_id
+ dataFrom:
+ - extract:
+ key: cloudflare
diff --git a/kubernetes/teyvat/apps/network/cloudflared/app/helmrelease.yaml b/kubernetes/teyvat/apps/network/cloudflared/app/helmrelease.yaml
index 54d854b97d..7de0d54d6b 100644
--- a/kubernetes/teyvat/apps/network/cloudflared/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/network/cloudflared/app/helmrelease.yaml
@@ -49,7 +49,7 @@ spec:
TUNNEL_ID:
valueFrom:
secretKeyRef:
- name: cloudflared-secret
+ name: &secret cloudflared-secret
key: TUNNEL_ID
args:
- tunnel
@@ -108,7 +108,7 @@ spec:
readOnly: true
creds:
type: secret
- name: cloudflared-secret
+ name: *secret
globalMounts:
- path: /etc/cloudflared/creds/credentials.json
subPath: credentials.json
diff --git a/kubernetes/teyvat/apps/network/external-dns/app/externalsecret.yaml b/kubernetes/teyvat/apps/network/external-dns/app/externalsecret.yaml
index 1a9f89b4bb..42e72433bd 100644
--- a/kubernetes/teyvat/apps/network/external-dns/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/network/external-dns/app/externalsecret.yaml
@@ -1,21 +1,19 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: external-dns-secret
+ name: &name external-dns-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
- api-token: "{{ .api_token }}"
- data:
- - secretKey: api_token
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
- property: api_token
+ api-token: "{{ .CLOUDFLARE_API_KEY }}"
+ dataFrom:
+ - extract:
+ key: cloudflare
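Review bot: The new template key `CLOUDFLARE_API_KEY` replaces `api_token`, yet the value is still consumed as `CF_API_TOKEN` by the external-dns HelmRelease in this diff; a Cloudflare API token and the account's Global API key are different credentials (the key also needs `CF_API_EMAIL` and grants every permission on every zone). If the `cloudflare` item field really holds a scoped token, naming it `CLOUDFLARE_API_TOKEN` would remove the ambiguity; if it holds the global key, external-dns will fail to authenticate and the cluster is carrying a far broader credential than DNS updates need. Either way a comment on the line makes the expectation explicit: `api-token: "{{ .CLOUDFLARE_API_KEY }}"  # expected: a scoped Cloudflare API token, not the Global API Key`.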
diff --git a/kubernetes/teyvat/apps/network/external-dns/app/helmrelease.yaml b/kubernetes/teyvat/apps/network/external-dns/app/helmrelease.yaml
index 37c6452f01..f61e87ae73 100644
--- a/kubernetes/teyvat/apps/network/external-dns/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/network/external-dns/app/helmrelease.yaml
@@ -31,7 +31,7 @@ spec:
- name: CF_API_TOKEN
valueFrom:
secretKeyRef:
- name: external-dns-secret
+ name: &secret external-dns-secret
key: api-token
extraArgs:
- --ingress-class=external
@@ -46,4 +46,4 @@ spec:
serviceMonitor:
enabled: true
podAnnotations:
- secret.reloader.stakater.com/reload: external-dns-secret
+ secret.reloader.stakater.com/reload: *secret
diff --git a/kubernetes/teyvat/apps/observability/gatus/app/externalsecret.yaml b/kubernetes/teyvat/apps/observability/gatus/app/externalsecret.yaml
index ac11ca0c93..f0ec69c291 100644
--- a/kubernetes/teyvat/apps/observability/gatus/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/observability/gatus/app/externalsecret.yaml
@@ -1,13 +1,17 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: gatus-secret
+ name: &name gatus-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# App
DISCORD_WEBHOOK_URL: "{{ .DISCORD_WEBHOOK_URL }}"
@@ -17,45 +21,11 @@ spec:
INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- PI_DOMAIN: "{{ .PI_DOMAIN }}"
- data:
- - secretKey: DISCORD_WEBHOOK_URL
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 77e30fff-fad7-4812-a635-b034002b5b17
- property: discord_webhook
- - secretKey: POSTGRES_USER
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 77e30fff-fad7-4812-a635-b034002b5b17
- property: pg_user
- - secretKey: POSTGRES_PASS
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 77e30fff-fad7-4812-a635-b034002b5b17
- property: pg_password
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
- - secretKey: PI_DOMAIN
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 136c1200-904a-4e3c-bd02-ac6e00f706e3
- property: pi_domain
+ PI_DOMAIN: ${PI_DOMAIN}
+ dataFrom:
+ - extract:
+ key: discord
+ - extract:
+ key: gatus
+ - extract:
+ key: cloudnative-pg
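Review bot: `PI_DOMAIN: ${PI_DOMAIN}` switches that key from an ESO-rendered value to a Flux `postBuild` substitution, so it is resolved when the Kustomization is built rather than when ESO syncs, and it is the only `${...}` sitting among `{{ ... }}` template keys in these files. If the owning Flux Kustomization does not define `PI_DOMAIN`, the Secret silently carries a wrong value (empty or the literal string, depending on Flux's envsubst behavior). A short comment stops the next reader from "fixing" it to `{{ .PI_DOMAIN }}`: `PI_DOMAIN: ${PI_DOMAIN}  # Flux postBuild substitution, not an ESO template key`.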
diff --git a/kubernetes/teyvat/apps/observability/grafana/app/externalsecret.yaml b/kubernetes/teyvat/apps/observability/grafana/app/externalsecret.yaml
index 918b591ff6..e912e627e7 100644
--- a/kubernetes/teyvat/apps/observability/grafana/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/observability/grafana/app/externalsecret.yaml
@@ -1,23 +1,27 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: grafana-secret
+ name: &name grafana-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# Authentik
- GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "{{ .client_id }}"
- GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .client_secret }}"
+ GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "{{ .GRAFANA_CLIENT_ID }}"
+ GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_CLIENT_SECRET }}"
# Admin User
- adminUser: "{{ .adminUser }}"
- adminPass: "{{ .adminPass }}"
+ adminUser: "{{ .ADMIN_USER }}"
+ adminPass: "{{ .ADMIN_PASS }}"
# App
- GF_DATABASE_USER: &dbUser "{{ .GF_DATABASE_USER }}"
- GF_DATABASE_PASSWORD: &dbPass "{{ .GF_DATABASE_PASSWORD }}"
+ GF_DATABASE_USER: &dbUser "{{ .POSTGRES_USER }}"
+ GF_DATABASE_PASSWORD: &dbPass "{{ .POSTGRES_PASS }}"
GF_DATABASE_HOST: &dbHost postgres-rw.database.svc.cluster.local
GF_DATABASE_NAME: &dbname grafana
GF_DATABASE_SSL_MODE: disable
@@ -28,60 +32,8 @@ spec:
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: client_id
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: client_id
- - secretKey: client_secret
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: client_secret
- - secretKey: adminUser
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: username
- - secretKey: adminPass
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: password
- - secretKey: GF_DATABASE_USER
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: pg_user
- - secretKey: GF_DATABASE_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: b36a66be-7898-4003-902a-afc701166ed9
- property: pg_password
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: grafana
+ - extract:
+ key: cloudnative-pg
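Review bot: `GF_DATABASE_USER`/`GF_DATABASE_PASSWORD` now read `POSTGRES_USER`/`POSTGRES_PASS` while `INIT_POSTGRES_SUPER_PASS` reads `POSTGRES_SUPER_PASS`, and all three come from the merged `grafana` + `cloudnative-pg` extracts; as I understand ESO's `dataFrom` semantics, later entries override earlier ones on key collision, so if the `cloudnative-pg` item also carries `POSTGRES_USER`/`POSTGRES_PASS` Grafana would silently be handed the cluster-level credentials instead of its own role. Listing `cloudnative-pg` before `grafana`, or keeping that item down to `POSTGRES_SUPER_PASS`, removes the ambiguity. The gatus ExternalSecret in this diff has the same `gatus` + `cloudnative-pg` ordering.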
diff --git a/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/externalsecret.yaml b/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/externalsecret.yaml
index 655c642edc..6a7facc5f5 100644
--- a/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/externalsecret.yaml
@@ -1,79 +1,23 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: kube-prometheus-stack
+ name: &name alertmanager-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
- template:
- metadata:
- labels:
- cnpg.io/reload: "true"
- type: Opaque
- data:
- objstore.yml: |-
- config:
- access_key: {{ .access_key }}
- bucket: thanos
- endpoint: {{ .endpoint }}
- insecure: false
- region: ca-west-1
- secret_key: {{ .secret_key }}
- type: s3
- data:
- - secretKey: access_key
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 69af7022-f28c-4152-90a7-b0560025eaa7
- property: username
- - secretKey: secret_key
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 69af7022-f28c-4152-90a7-b0560025eaa7
- property: password
- - secretKey: endpoint
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 5a98804c-6c54-4e09-817e-afd8012c70ad
- property: endpoint
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: alertmanager-secret
-spec:
- target:
- deletionPolicy: Delete
+ name: *name
template:
templateFrom:
- configMap:
name: alertmanager-configmap
items:
- key: alertmanager.yml
- data:
- - secretKey: DISCORD_URL
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 77e30fff-fad7-4812-a635-b034002b5b17
- property: discord_webhook
- - secretKey: ALERTMANAGER_HEARTBEAT_URL
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 6893b595-8cc3-47a2-84fa-b0f4016f41bc
- property: alertmanager_heartbeat
+ dataFrom:
+ - extract:
+ key: alertmanager
+ - extract:
+ key: discord
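Review bot: The surviving `templateFrom` still points at configMap `alertmanager-configmap` with item key `alertmanager.yml` (context lines here), but the kustomization hunk in this diff now generates `alertmanager-config-tpl` with key `alertmanager.yaml`; unless `alertmanager-configmap` is still produced outside this diff, ESO cannot find the template and `alertmanager-secret` will not be created, taking Alertmanager's receivers with it. The fix is two lines in this file: `name: alertmanager-config-tpl` and `- key: alertmanager.yaml`. The first document of the old file (the `objstore.yml` Secret) is deleted here; see the note on the HelmRelease hunk that references its replacement.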
diff --git a/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/helmrelease.yaml
index 47b7611158..7bd255f02b 100644
--- a/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/helmrelease.yaml
@@ -29,10 +29,6 @@ spec:
dependsOn:
- name: local-path-provisioner
namespace: storage
- valuesFrom:
- - kind: ConfigMap
- name: kube-state-metrics-configmap
- valuesKey: kube-state-metrics.yaml
values:
crds:
alertmanager:
@@ -133,6 +129,12 @@ spec:
enabled: false
kubeStateMetrics:
enabled: true
+ kube-state-metrics:
+ fullnameOverride: kube-state-metrics
+ metricLabelsAllowlist:
+ - pods=[*]
+ - deployments=[*]
+ - persistentvolumeclaims=[*]
nodeExporter:
enabled: true
prometheus-node-exporter:
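Review bot: The inlined `kube-state-metrics` block keeps only `fullnameOverride` and `metricLabelsAllowlist`, whereas the `kube-state-metrics.yaml` deleted in this same diff also set `prometheus.monitor.relabelings` (the `kubernetes_node` label), `rbac.extraRules` for the Flux CRDs, and the whole `customResourceState` config that emitted `gotk_resource_info` for Kustomizations, HelmReleases, sources and image automation. If that drop is intentional, any dashboards or alert rules keyed on `gotk_resource_info` or `kubernetes_node` need the same cleanup; if not, those blocks should be carried over here. A one-line comment stating that Flux CR metrics were moved or retired would save the next reader a dig through history.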
@@ -217,7 +219,7 @@ spec:
image: quay.io/thanos/thanos:v0.34.0
objectStorageConfig:
existingSecret:
- name: kube-prometheus-stack
+ name: thanos-objstore-secret
key: objstore.yml
cleanPrometheusOperatorObjectNames: true
postRenderers:
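Review bot: `existingSecret.name: thanos-objstore-secret` refers to a Secret that nothing in this diff creates: the ExternalSecret that used to render `objstore.yml` (then named `kube-prometheus-stack`) is deleted in the same commit, and the thanos kustomization still has `./pushsecret.yaml` commented out. If `thanos-objstore-secret` is produced elsewhere this is fine; otherwise the Prometheus pod stays pending on a missing secret volume and the Thanos sidecar never uploads blocks. A comment naming its source, e.g. `# thanos-objstore-secret is rendered by <PLACEHOLDER: owning manifest>`, would make the cross-app dependency visible.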
diff --git a/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/kustomization.yaml b/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/kustomization.yaml
index 1fe51dbffb..723d9e566f 100644
--- a/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/kustomization.yaml
+++ b/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/kustomization.yaml
@@ -7,8 +7,8 @@ resources:
- ./helmrelease.yaml
- ./prometheusrules
configMapGenerator:
- - name: kube-state-metrics-configmap
+ - name: alertmanager-config-tpl
files:
- - kube-state-metrics.yaml=./resources/kube-state-metrics.yaml
+ - alertmanager.yaml=./resources/alertmanager.yaml
generatorOptions:
disableNameSuffixHash: true
diff --git a/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/resources/alertmanager.yaml b/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/resources/alertmanager.yaml
new file mode 100644
index 0000000000..e7e4d63c4b
--- /dev/null
+++ b/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/resources/alertmanager.yaml
@@ -0,0 +1,60 @@
+---
+global:
+ resolve_timeout: 5m
+route:
+ group_by: ["alertname", "job"]
+ group_interval: 10m
+ group_wait: 1m
+ receiver: discord
+ repeat_interval: 12h
+ routes:
+ - receiver: heartbeat
+ group_interval: 5m
+ group_wait: 0s
+ matchers:
+ - alertname =~ "Watchdog"
+ repeat_interval: 5m
+ - receiver: "null"
+ matchers:
+ - severity = "none"
+ - alertname =~ "InfoInhibitor|Watchdog"
+ - receiver: discord
+ continue: true
+ matchers:
+ - severity = "critical"
+inhibit_rules:
+ - equal: ["alertname", "namespace"]
+ source_matchers:
+ - severity = "critical"
+ target_matchers:
+ - severity = "warning"
+receivers:
+ - name: heartbeat
+ webhook_configs:
+ - send_resolved: true
+ url: "{{ .ALERTMANAGER_HEARTBEAT_URL }}"
+ - name: "null"
+ - name: discord
+ discord_configs:
+ - send_resolved: true
+ webhook_url: "{{ .DISCORD_WEBHOOK_URL }}"
+ title: >-
+ {{ "{{" }} .CommonLabels.alertname {{ "}}" }}
+ [{{ "{{" }} .Status | toUpper {{ "}}" }}{{ "{{" }} if eq .Status "firing" {{ "}}" }}:{{ "{{" }} .Alerts.Firing | len {{ "}}" }}{{ "{{" }} end {{ "}}" }}]
+ message: |-
+ {{ "{{-" }} range .Alerts {{ "}}" }}
+ {{ "{{-" }} if ne .Annotations.description "" {{ "}}" }}
+ {{ "{{" }} .Annotations.description {{ "}}" }}
+ {{ "{{-" }} else if ne .Annotations.summary "" {{ "}}" }}
+ {{ "{{" }} .Annotations.summary {{ "}}" }}
+ {{ "{{-" }} else if ne .Annotations.message "" {{ "}}" }}
+ {{ "{{" }} .Annotations.message {{ "}}" }}
+ {{ "{{-" }} else {{ "}}" }}
+ Alert description not available
+ {{ "{{-" }} end {{ "}}" }}
+ {{ "{{-" }} if gt (len .Labels.SortedPairs) 0 {{ "}}" }}
+ {{ "{{-" }} range .Labels.SortedPairs {{ "}}" }}
+ **{{ "{{" }} .Name {{ "}}" }}:** {{ "{{" }} .Value {{ "}}" }}
+ {{ "{{-" }} end {{ "}}" }}
+ {{ "{{-" }} end {{ "}}" }}
+ {{ "{{-" }} end {{ "}}" }}
diff --git a/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/resources/kube-state-metrics.yaml b/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/resources/kube-state-metrics.yaml
deleted file mode 100644
index d640ada3cc..0000000000
--- a/kubernetes/teyvat/apps/observability/kube-prometheus-stack/app/resources/kube-state-metrics.yaml
+++ /dev/null
@@ -1,284 +0,0 @@
-kube-state-metrics:
- fullnameOverride: kube-state-metrics
- metricLabelsAllowlist:
- - pods=[*]
- - deployments=[*]
- - persistentvolumeclaims=[*]
- prometheus:
- monitor:
- enabled: true
- relabelings:
- - action: replace
- regex: (.*)
- replacement: $1
- sourceLabels:
- - __meta_kubernetes_pod_node_name
- targetLabel: kubernetes_node
- rbac:
- extraRules:
- - apiGroups:
- - source.toolkit.fluxcd.io
- - kustomize.toolkit.fluxcd.io
- - helm.toolkit.fluxcd.io
- - notification.toolkit.fluxcd.io
- - image.toolkit.fluxcd.io
- resources:
- - gitrepositories
- - buckets
- - helmrepositories
- - helmcharts
- - ocirepositories
- - kustomizations
- - helmreleases
- - alerts
- - providers
- - receivers
- - imagerepositories
- - imagepolicies
- - imageupdateautomations
- verbs: [ "list", "watch" ]
- customResourceState:
- enabled: true
- config:
- spec:
- resources:
- - groupVersionKind:
- group: kustomize.toolkit.fluxcd.io
- version: v1
- kind: Kustomization
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a GitOps Toolkit resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- revision: [ status, lastAppliedRevision ]
- source_name: [ spec, sourceRef, name ]
- - groupVersionKind:
- group: helm.toolkit.fluxcd.io
- version: v2beta2
- kind: HelmRelease
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a GitOps Toolkit resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- revision: [ status, lastAppliedRevision ]
- chart_name: [ spec, chart, spec, chart ]
- chart_source_name: [ spec, chart, spec, sourceRef, name ]
- - groupVersionKind:
- group: source.toolkit.fluxcd.io
- version: v1
- kind: GitRepository
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a GitOps Toolkit resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- revision: [ status, artifact, revision ]
- url: [ spec, url ]
- - groupVersionKind:
- group: source.toolkit.fluxcd.io
- version: v1beta2
- kind: Bucket
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a GitOps Toolkit resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- revision: [ status, artifact, revision ]
- endpoint: [ spec, endpoint ]
- bucket_name: [ spec, bucketName ]
- - groupVersionKind:
- group: source.toolkit.fluxcd.io
- version: v1beta2
- kind: HelmRepository
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a GitOps Toolkit resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- revision: [ status, artifact, revision ]
- url: [ spec, url ]
- - groupVersionKind:
- group: source.toolkit.fluxcd.io
- version: v1beta2
- kind: HelmChart
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a GitOps Toolkit resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- revision: [ status, artifact, revision ]
- chart_name: [ spec, chart ]
- chart_version: [ spec, version ]
- - groupVersionKind:
- group: source.toolkit.fluxcd.io
- version: v1beta2
- kind: OCIRepository
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a GitOps Toolkit resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- revision: [ status, artifact, revision ]
- url: [ spec, url ]
- - groupVersionKind:
- group: notification.toolkit.fluxcd.io
- version: v1beta3
- kind: Alert
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a GitOps Toolkit resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- suspended: [ spec, suspend ]
- - groupVersionKind:
- group: notification.toolkit.fluxcd.io
- version: v1beta3
- kind: Provider
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a GitOps Toolkit resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- suspended: [ spec, suspend ]
- - groupVersionKind:
- group: notification.toolkit.fluxcd.io
- version: v1
- kind: Receiver
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a GitOps Toolkit resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- webhook_path: [ status, webhookPath ]
- - groupVersionKind:
- group: image.toolkit.fluxcd.io
- version: v1beta2
- kind: ImageRepository
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a GitOps Toolkit resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- image: [ spec, image ]
- - groupVersionKind:
- group: image.toolkit.fluxcd.io
- version: v1beta2
- kind: ImagePolicy
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a GitOps Toolkit resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- source_name: [ spec, imageRepositoryRef, name ]
- - groupVersionKind:
- group: image.toolkit.fluxcd.io
- version: v1beta1
- kind: ImageUpdateAutomation
- metricNamePrefix: gotk
- metrics:
- - name: "resource_info"
- help: "The current state of a GitOps Toolkit resource."
- each:
- type: Info
- info:
- labelsFromPath:
- name: [ metadata, name ]
- labelsFromPath:
- exported_namespace: [ metadata, namespace ]
- ready: [ status, conditions, "[type=Ready]", status ]
- suspended: [ spec, suspend ]
- source_name: [ spec, sourceRef, name ]
diff --git a/kubernetes/teyvat/apps/observability/thanos/app/kustomization.yaml b/kubernetes/teyvat/apps/observability/thanos/app/kustomization.yaml
index 7e81a35ba0..e80d0a0724 100644
--- a/kubernetes/teyvat/apps/observability/thanos/app/kustomization.yaml
+++ b/kubernetes/teyvat/apps/observability/thanos/app/kustomization.yaml
@@ -1,8 +1,7 @@
----
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- - ./objectbucketclaim.yaml
- - ./helmrelease.yaml
- # - ./pushsecret.yaml
+- ./objectbucketclaim.yaml
+- ./helmrelease.yaml
+# - ./pushsecret.yaml
diff --git a/kubernetes/teyvat/apps/observability/unifi-poller/app/externalsecret.yaml b/kubernetes/teyvat/apps/observability/unifi-poller/app/externalsecret.yaml
index 7707a03603..5dfecf282d 100644
--- a/kubernetes/teyvat/apps/observability/unifi-poller/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/observability/unifi-poller/app/externalsecret.yaml
@@ -1,32 +1,20 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: unifi-poller-credentials
+ name: &name unifi-poller-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
- UP_UNIFI_DEFAULT_USER: |-
- {{ .unifi_user }}
- UP_UNIFI_DEFAULT_PASS: |-
- {{ .unifi_pass }}
- data:
- - secretKey: unifi_user
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: a8e9f804-784b-4e9f-8bbb-afe200cc0ec1
- property: username
- - secretKey: unifi_pass
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: a8e9f804-784b-4e9f-8bbb-afe200cc0ec1
- property: password
+ UP_UNIFI_DEFAULT_USER: "{{ .UNIFI_USER }}"
+ UP_UNIFI_DEFAULT_PASS: "{{ .UNIFI_PASS }}"
+ dataFrom:
+ - extract:
+ key: unifi
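Review bot: `deletionPolicy: Delete` is removed from `target` without a replacement, and the ExternalSecret default for `target.deletionPolicy` is `Retain`, so the generated Secret holding the UniFi controller username and password will be orphaned if this ExternalSecret is later deleted or renamed again (as it just was, from `unifi-poller-credentials`). Unless keeping the credentials behind is intended, restore it alongside the new target name: `target:` / `  name: *name` / `  deletionPolicy: Delete`. Dropping `type: Opaque` is harmless since that is already the default Secret type.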
diff --git a/kubernetes/teyvat/apps/observability/unifi-poller/app/helmrelease.yaml b/kubernetes/teyvat/apps/observability/unifi-poller/app/helmrelease.yaml
index 417677ca51..1471d6c042 100644
--- a/kubernetes/teyvat/apps/observability/unifi-poller/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/observability/unifi-poller/app/helmrelease.yaml
@@ -39,7 +39,7 @@ spec:
UP_INFLUXDB_DISABLE: true
envFrom:
- secretRef:
- name: unifi-poller-credentials
+ name: unifi-poller-secret
pod:
affinity:
nodeAffinity:
diff --git a/kubernetes/teyvat/apps/security/authentik/app/externalsecret.yaml b/kubernetes/teyvat/apps/security/authentik/app/externalsecret.yaml
index 210dc205f6..0b4c64d1fa 100644
--- a/kubernetes/teyvat/apps/security/authentik/app/externalsecret.yaml
+++ b/kubernetes/teyvat/apps/security/authentik/app/externalsecret.yaml
@@ -1,101 +1,35 @@
---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
- name: authentik-secrets
+ name: &name authentik-secret
spec:
+ secretStoreRef:
+ name: bitwarden-secrets-manager
+ kind: ClusterSecretStore
target:
- deletionPolicy: Delete
+ name: *name
template:
- type: Opaque
+ engineVersion: v2
data:
# Authentik
- AUTHENTIK_BOOTSTRAP_EMAIL: "{{ .AUTHENTIK_BOOTSTRAP_EMAIL }}"
- AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ .AUTHENTIK_BOOTSTRAP_PASSWORD }}"
- AUTHENTIK_BOOTSTRAP_TOKEN: "{{ .AUTHENTIK_BOOTSTRAP_TOKEN }}"
- AUTHENTIK_EMAIL__USERNAME: "{{ .AUTHENTIK_EMAIL__USERNAME }}"
- AUTHENTIK_EMAIL__PASSWORD: "{{ .AUTHENTIK_EMAIL__PASSWORD }}"
- AUTHENTIK_POSTGRESQL__USER: "{{ .AUTHENTIK_DATABASE_USER }}"
- AUTHENTIK_POSTGRESQL__PASSWORD: "{{ .AUTHENTIK_DATABASE_PASSWORD }}"
- AUTHENTIK_POSTGRESQL__HOST: postgres-rw.database.svc.cluster.local
+ AUTHENTIK_BOOTSTRAP_EMAIL: "{{ .AUTHENTIK_EMAIL }}"
+ AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ .AUTHENTIK_PASSWORD }}"
+ AUTHENTIK_BOOTSTRAP_TOKEN: "{{ .AUTHENTIK_TOKEN }}"
+ AUTHENTIK_POSTGRESQL__USER: &dbUser "{{ .POSTGRES_USER }}"
+ AUTHENTIK_POSTGRESQL__PASSWORD: &dbPass "{{ .POSTGRES_PASS }}"
+ AUTHENTIK_POSTGRESQL__HOST: &dbHost postgres-rw.database.svc.cluster.local
AUTHENTIK_POSTGRESQL__NAME: &dbname authentik
AUTHENTIK_SECRET_KEY: "{{ .AUTHENTIK_SECRET_KEY }}"
# Postgres Init
INIT_POSTGRES_DBNAME: *dbname
- INIT_POSTGRES_HOST: postgres-rw.database.svc.cluster.local
- INIT_POSTGRES_USER: "{{ .AUTHENTIK_DATABASE_USER }}"
- INIT_POSTGRES_PASS: "{{ .AUTHENTIK_DATABASE_PASSWORD }}"
+ INIT_POSTGRES_HOST: *dbHost
+ INIT_POSTGRES_USER: *dbUser
+ INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- data:
- - secretKey: AUTHENTIK_DATABASE_USER
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 3ff34fd7-ec65-436c-865c-afcf0104ce37
- property: postgres_username
- - secretKey: AUTHENTIK_DATABASE_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 3ff34fd7-ec65-436c-865c-afcf0104ce37
- property: postgres_password
- - secretKey: AUTHENTIK_SECRET_KEY
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 3ff34fd7-ec65-436c-865c-afcf0104ce37
- property: secret_key
- - secretKey: AUTHENTIK_EMAIL__USERNAME
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: e09429a9-e6ef-49a1-bd0a-afc50145dc9c
- property: username
- - secretKey: AUTHENTIK_EMAIL__PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: e09429a9-e6ef-49a1-bd0a-afc50145dc9c
- property: password
- - secretKey: AUTHENTIK_BOOTSTRAP_EMAIL
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 3ff34fd7-ec65-436c-865c-afcf0104ce37
- property: username
- - secretKey: AUTHENTIK_BOOTSTRAP_PASSWORD
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 3ff34fd7-ec65-436c-865c-afcf0104ce37
- property: password
- - secretKey: AUTHENTIK_BOOTSTRAP_TOKEN
- sourceRef:
- storeRef:
- name: bitwarden-fields
- kind: ClusterSecretStore
- remoteRef:
- key: 3ff34fd7-ec65-436c-865c-afcf0104ce37
- property: token
- - secretKey: POSTGRES_SUPER_PASS
- sourceRef:
- storeRef:
- name: bitwarden-login
- kind: ClusterSecretStore
- remoteRef:
- key: 7a5661cb-9655-422b-8506-b02900fbc4e1
- property: password
+ dataFrom:
+ - extract:
+ key: authentik
+ - extract:
+ key: cloudnative-pg
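Review bot: The two `dataFrom.extract` entries (`authentik` and `cloudnative-pg`) are merged into a single template context, and when both items expose a key of the same name the later extract silently wins, so if the `cloudnative-pg` item also carries `POSTGRES_USER`/`POSTGRES_PASS` the values rendered into `AUTHENTIK_POSTGRESQL__USER`/`__PASSWORD` and `INIT_POSTGRES_USER`/`_PASS` would be the cluster's credentials rather than Authentik's — I cannot see the item contents from here, so please verify, or narrow the second entry to the one field it is needed for the way the volsync templates in this change do: `- extract:` / `    key: cloudnative-pg` / `    property: POSTGRES_SUPER_PASS`. Separately, `deletionPolicy: Delete` was dropped and the default is `Retain`, so the Secret containing the bootstrap password, bootstrap token, `AUTHENTIK_SECRET_KEY` and the Postgres superuser password would outlive this ExternalSecret; restore `deletionPolicy: Delete` under `target` unless orphaning is intended. `AUTHENTIK_EMAIL__USERNAME`/`__PASSWORD` are also no longer rendered, which is fine only if SMTP auth is not configured in the HelmRelease (outside this hunk); worth a one-line comment stating that they were removed deliberately.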
diff --git a/kubernetes/teyvat/apps/security/authentik/app/helmrelease.yaml b/kubernetes/teyvat/apps/security/authentik/app/helmrelease.yaml
index 5a597d8a09..1828955c3a 100644
--- a/kubernetes/teyvat/apps/security/authentik/app/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/security/authentik/app/helmrelease.yaml
@@ -25,9 +25,9 @@ spec:
init-db:
image: ghcr.io/onedr0p/postgres-init:16
imagePullPolicy: IfNotPresent
- envFrom:
+ envFrom: &envFrom
- secretRef:
- name: authentik-secrets
+ name: authentik-secret
ingress:
enabled: true
ingressClassName: external
@@ -56,9 +56,7 @@ spec:
host: dragonfly.database.svc.cluster.local
env:
AUTHENTIK_REDIS__DB: "1"
- envFrom:
- - secretRef:
- name: authentik-secrets
+ envFrom: *envFrom
autoscaling:
server:
enabled: true
diff --git a/kubernetes/teyvat/templates/volsync/minio.yaml b/kubernetes/teyvat/templates/volsync/minio.yaml
index 30bb7a1edd..6ca49b8293 100644
--- a/kubernetes/teyvat/templates/volsync/minio.yaml
+++ b/kubernetes/teyvat/templates/volsync/minio.yaml
@@ -1,9 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: "${APP}-volsync"
spec:
- refreshInterval: "1h"
secretStoreRef:
name: bitwarden-secrets-manager
kind: ClusterSecretStore
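Review bot: Removing `refreshInterval: "1h"` hands the sync cadence for the bucket credentials to the controller default, which ESO documents as 1h, so behaviour is unchanged today but the rotation expectation is no longer visible in the manifest and would silently follow any future change to that default. If relying on the default is the intent, a one-line comment under `spec:` such as `# refreshInterval omitted on purpose: the ESO default (1h) is sufficient for these bucket credentials` makes that explicit; the same removal appears in the r2 template below and would take the same comment.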
@@ -18,11 +19,10 @@ spec:
AWS_SECRET_ACCESS_KEY: "{{ .AWS_SECRET_ACCESS_KEY }}"
dataFrom:
- extract:
- key: minio
+ key: volsync-bucket
- extract:
key: volsync-minio-template
property: RESTIC_REPOSITORY
-
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationDestination
diff --git a/kubernetes/teyvat/templates/volsync/r2.yaml b/kubernetes/teyvat/templates/volsync/r2.yaml
index f116b49754..4c5a700d77 100644
--- a/kubernetes/teyvat/templates/volsync/r2.yaml
+++ b/kubernetes/teyvat/templates/volsync/r2.yaml
@@ -1,9 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: "${APP}-volsync-r2"
spec:
- refreshInterval: "1h"
secretStoreRef:
name: bitwarden-secrets-manager
kind: ClusterSecretStore