From 6c5a8ec9652d16d7fd49cca1e97ad233df9da368 Mon Sep 17 00:00:00 2001 From: Jory Irving Date: Mon, 12 Feb 2024 10:16:23 -0700 Subject: [PATCH] feat: cutover to BWS on pi cluster --- .../app/externalsecret.yaml | 25 +++----- .../default/mosquitto/app/externalsecret.yaml | 30 +++------ .../rss-forwarder/app/externalsecret.yaml | 30 +++------ .../zigbee2mqtt/app/externalsecret.yaml | 62 +++++-------------- .../app/externalsecret.yaml | 49 +++++---------- .../app/helmrelease.yaml | 2 +- .../storage/minio/app/externalsecret.yaml | 30 +++------ kubernetes/pi/templates/volsync/minio.yaml | 47 ++++---------- kubernetes/pi/templates/volsync/r2.yaml | 46 ++++---------- 9 files changed, 90 insertions(+), 231 deletions(-) diff --git a/kubernetes/pi/apps/default/free-game-notifier/app/externalsecret.yaml b/kubernetes/pi/apps/default/free-game-notifier/app/externalsecret.yaml index d030dadfc0..466a4e777e 100644 --- a/kubernetes/pi/apps/default/free-game-notifier/app/externalsecret.yaml +++ b/kubernetes/pi/apps/default/free-game-notifier/app/externalsecret.yaml @@ -1,23 +1,16 @@ --- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: free-game-notifier + name: &name free-game-notifier spec: + secretStoreRef: + name: bitwarden-secrets-manager + kind: ClusterSecretStore target: - deletionPolicy: Delete - template: - engineVersion: v2 - type: Opaque - data: - DISCORD_WEBHOOK: "{{ .DISCORD_WEBHOOK }}" - refreshInterval: 1h + name: *name data: - - secretKey: DISCORD_WEBHOOK - sourceRef: - storeRef: - name: bitwarden-fields - kind: ClusterSecretStore - remoteRef: - key: de1b453f-d386-47df-8fd4-ac6e00f706e3 - property: DISCORD_WEBHOOK + - secretKey: DISCORD_WEBHOOK + remoteRef: + key: free-games 
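Review bot: `deletionPolicy: Delete` is removed from `spec.target` of free-game-notifier and nothing replaces it, so the resource falls back to external-secrets' default of `Retain`, which leaves the generated Secret (and the webhook URL inside it) in the namespace after the ExternalSecret itself is pruned. The same removal appears in the mosquitto, rss-forwarder, zigbee2mqtt, kube-prometheus-stack, minio and both volsync template hunks. If orphaned Secrets are acceptable that is fine, but it is a silent lifecycle change; otherwise restore `deletionPolicy: Delete` under `target:` in each file, or record the intent with a comment such as `# deletionPolicy defaults to Retain; the Secret outlives this ExternalSecret`. Dropping `refreshInterval: 1h` is harmless, since 1h is also the CRD default.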
diff --git a/kubernetes/pi/apps/default/mosquitto/app/externalsecret.yaml b/kubernetes/pi/apps/default/mosquitto/app/externalsecret.yaml index d821893d5a..29b7b42f78 100644 --- a/kubernetes/pi/apps/default/mosquitto/app/externalsecret.yaml +++ b/kubernetes/pi/apps/default/mosquitto/app/externalsecret.yaml @@ -1,34 +1,22 @@ --- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: mosquitto + name: &name mosquitto spec: + secretStoreRef: + name: bitwarden-secrets-manager + kind: ClusterSecretStore target: - deletionPolicy: Delete + name: *name template: engineVersion: v2 - type: Opaque data: username: "{{ .MQTT_USERNAME }}" password: "{{ .MQTT_PASSWORD }}" mosquitto_pwd: | {{ .MQTT_USERNAME }}:{{ .MQTT_PASSWORD }} - refreshInterval: 1h - data: - - secretKey: MQTT_USERNAME - sourceRef: - storeRef: - name: bitwarden-login - kind: ClusterSecretStore - remoteRef: - key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3 - property: username - - secretKey: MQTT_PASSWORD - sourceRef: - storeRef: - name: bitwarden-login - kind: ClusterSecretStore - remoteRef: - key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3 - property: password + dataFrom: + - extract: + key: mqtt diff --git a/kubernetes/pi/apps/default/rss-forwarder/app/externalsecret.yaml b/kubernetes/pi/apps/default/rss-forwarder/app/externalsecret.yaml index 7e9c76a8c0..a8281e4da0 100644 --- a/kubernetes/pi/apps/default/rss-forwarder/app/externalsecret.yaml +++ b/kubernetes/pi/apps/default/rss-forwarder/app/externalsecret.yaml 
@@ -1,14 +1,17 @@ --- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: rss-forwarder + name: &name rss-forwarder spec: + secretStoreRef: + name: bitwarden-secrets-manager + kind: ClusterSecretStore target: - deletionPolicy: Delete + name: *name template: engineVersion: v2 - type: Opaque data: config.toml: |- [feeds.github-template] @@ -35,21 +38,6 @@ spec: retry_limit = 5 sink.type = "discord" sink.url = "{{ .MM_DISCORD_WEBHOOK }}" - refreshInterval: 1h - data: - - secretKey: INFRA_DISCORD_WEBHOOK - sourceRef: - storeRef: - name: bitwarden-fields - kind: ClusterSecretStore - remoteRef: - key: 01af241c-b129-4560-877a-ac6e00f706e3 - property: INFRA_DISCORD_WEBHOOK - - secretKey: MM_DISCORD_WEBHOOK - sourceRef: - storeRef: - name: bitwarden-fields - kind: ClusterSecretStore - remoteRef: - key: 01af241c-b129-4560-877a-ac6e00f706e3 - property: MM_DISCORD_WEBHOOK + dataFrom: + - extract: + key: discord diff --git a/kubernetes/pi/apps/default/zigbee2mqtt/app/externalsecret.yaml b/kubernetes/pi/apps/default/zigbee2mqtt/app/externalsecret.yaml index 3e6e02767c..238e427c9e 100644 --- a/kubernetes/pi/apps/default/zigbee2mqtt/app/externalsecret.yaml +++ b/kubernetes/pi/apps/default/zigbee2mqtt/app/externalsecret.yaml 
@@ -1,61 +1,27 @@ --- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: zigbee2mqtt + name: &name zigbee2mqtt spec: + secretStoreRef: + name: bitwarden-secrets-manager + kind: ClusterSecretStore target: - deletionPolicy: Delete + name: *name template: engineVersion: v2 - type: Opaque data: # App - ZIGBEE2MQTT_CONFIG_ADVANCED_EXT_PAN_ID: "{{ .z2m_ext_pan_id }}" - ZIGBEE2MQTT_CONFIG_ADVANCED_PAN_ID: "{{ .z2m_pan_id }}" - ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY: "{{ .z2m_network_key }}" + ZIGBEE2MQTT_CONFIG_ADVANCED_EXT_PAN_ID: "{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_EXT_PAN_ID }}" + ZIGBEE2MQTT_CONFIG_ADVANCED_PAN_ID: "{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_PAN_ID }}" + ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY: "{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY }}" # Mosquitto ZIGBEE2MQTT_CONFIG_MQTT_USER: "{{ .MQTT_USERNAME }}" ZIGBEE2MQTT_CONFIG_MQTT_PASSWORD: "{{ .MQTT_PASSWORD }}" - refreshInterval: 1h - data: - - secretKey: z2m_ext_pan_id - sourceRef: - storeRef: - name: bitwarden-fields - kind: ClusterSecretStore - remoteRef: - key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3 - property: z2m_ext_pan_id - - secretKey: z2m_pan_id - sourceRef: - storeRef: - name: bitwarden-fields - kind: ClusterSecretStore - remoteRef: - key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3 - property: z2m_pan_id - - secretKey: z2m_network_key - sourceRef: - storeRef: - name: bitwarden-fields - kind: ClusterSecretStore - remoteRef: - key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3 - property: z2m_network_key - - secretKey: MQTT_USERNAME - sourceRef: - storeRef: - name: bitwarden-login - kind: ClusterSecretStore - remoteRef: - key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3 - property: username - - secretKey: MQTT_PASSWORD - sourceRef: - storeRef: - name: bitwarden-login - kind: ClusterSecretStore - remoteRef: - key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3 - property: password + dataFrom: + 
- extract: + key: mqtt + - extract: + key: zigbee2mqtt diff --git a/kubernetes/pi/apps/observability/kube-prometheus-stack/app/externalsecret.yaml b/kubernetes/pi/apps/observability/kube-prometheus-stack/app/externalsecret.yaml index 08164ed152..df664f4b5c 100644 --- a/kubernetes/pi/apps/observability/kube-prometheus-stack/app/externalsecret.yaml +++ b/kubernetes/pi/apps/observability/kube-prometheus-stack/app/externalsecret.yaml @@ -1,46 +1,27 @@ --- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: kube-prometheus-stack + name: &name thanos-objstore-secret spec: + secretStoreRef: + name: bitwarden-secrets-manager + kind: ClusterSecretStore target: - deletionPolicy: Delete + name: *name template: - metadata: - labels: - cnpg.io/reload: "true" - type: Opaque + engineVersion: v2 data: objstore.yml: |- - type: s3 config: - bucket: thanos - endpoint: rook-ceph-rgw.{{ .PRIMARY_DOMAIN }} access_key: {{ .AWS_ACCESS_KEY_ID }} + bucket: thanos + endpoint: rook-ceph-rgw.${PRIMARY_DOMAIN} + insecure: true + region: "" secret_key: {{ .AWS_SECRET_ACCESS_KEY }} - data: - - secretKey: PRIMARY_DOMAIN - sourceRef: - storeRef: - name: bitwarden-fields - kind: ClusterSecretStore - remoteRef: - key: 136c1200-904a-4e3c-bd02-ac6e00f706e3 - property: primary_domain - - secretKey: AWS_ACCESS_KEY_ID - sourceRef: - storeRef: - name: bitwarden-login - kind: ClusterSecretStore - remoteRef: - key: 3090e4fa-d3d9-44b6-ba53-b1060124db27 - property: username - - secretKey: AWS_SECRET_ACCESS_KEY - sourceRef: - storeRef: - name: bitwarden-login - kind: ClusterSecretStore - remoteRef: - key: 3090e4fa-d3d9-44b6-ba53-b1060124db27 - property: password + type: s3 + dataFrom: + - extract: + key: thanos 
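Review bot: `insecure: true` in the new objstore.yml turns off TLS for the Thanos S3 client, so every request to rook-ceph-rgw — the access key ID, the request signatures and the metric blocks themselves — crosses the cluster network in clear. If the RGW endpoint is served with TLS (directly or behind an internal ingress), drop the line or set `insecure: false` and point `endpoint:` at the TLS listener; if it really is plain HTTP only, a comment next to the key such as `# rgw is reached over plain HTTP inside the cluster; no TLS listener` would stop the next reader from re-flagging it. Separately, the endpoint no longer comes from the ESO template (`{{ .PRIMARY_DOMAIN }}` was removed) but from a `${PRIMARY_DOMAIN}` Flux substitution, which only resolves if the Kustomization for this path declares a substituteFrom source defining it — otherwise the literal string lands in the rendered config; I cannot confirm that from the diff.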
diff --git a/kubernetes/pi/apps/observability/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/pi/apps/observability/kube-prometheus-stack/app/helmrelease.yaml index 753fa099ad..1fce94fe27 100644 --- a/kubernetes/pi/apps/observability/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/pi/apps/observability/kube-prometheus-stack/app/helmrelease.yaml @@ -182,6 +182,6 @@ spec: image: quay.io/thanos/thanos:v0.34.0 objectStorageConfig: existingSecret: - name: kube-prometheus-stack + name: thanos-objstore-secret key: objstore.yml cleanPrometheusOperatorObjectNames: true diff --git a/kubernetes/pi/apps/storage/minio/app/externalsecret.yaml b/kubernetes/pi/apps/storage/minio/app/externalsecret.yaml index a2d526132c..81d070c31c 100644 --- a/kubernetes/pi/apps/storage/minio/app/externalsecret.yaml +++ b/kubernetes/pi/apps/storage/minio/app/externalsecret.yaml @@ -1,31 +1,21 @@ --- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: "minio" + name: &name minio spec: + secretStoreRef: + name: bitwarden-secrets-manager + kind: ClusterSecretStore target: - deletionPolicy: Delete + name: *name template: - type: Opaque + engineVersion: v2 data: # App MINIO_ROOT_USER: "{{ .MINIO_ROOT_USER }}" MINIO_ROOT_PASSWORD: "{{ .MINIO_ROOT_PASSWORD }}" - data: - - secretKey: MINIO_ROOT_USER - sourceRef: - storeRef: - name: bitwarden-login - kind: ClusterSecretStore - remoteRef: - key: 5a98804c-6c54-4e09-817e-afd8012c70ad - property: username - - secretKey: MINIO_ROOT_PASSWORD - sourceRef: - storeRef: - name: bitwarden-login - kind: ClusterSecretStore - remoteRef: - key: 5a98804c-6c54-4e09-817e-afd8012c70ad - property: password + dataFrom: + - extract: + key: minio diff --git a/kubernetes/pi/templates/volsync/minio.yaml b/kubernetes/pi/templates/volsync/minio.yaml index 241097176d..6c01e38771 100644 
--- a/kubernetes/pi/templates/volsync/minio.yaml +++ b/kubernetes/pi/templates/volsync/minio.yaml @@ -1,51 +1,28 @@ --- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: "${APP}-volsync" spec: + secretStoreRef: + name: bitwarden-secrets-manager + kind: ClusterSecretStore target: - deletionPolicy: Delete + name: "${APP}-volsync" template: - type: Opaque + engineVersion: v2 data: RESTIC_REPOSITORY: "{{ .REPOSITORY_TEMPLATE }}/${APP}" RESTIC_PASSWORD: "{{ .RESTIC_PASSWORD }}" AWS_ACCESS_KEY_ID: "{{ .AWS_ACCESS_KEY_ID }}" AWS_SECRET_ACCESS_KEY: "{{ .AWS_SECRET_ACCESS_KEY }}" - data: - - secretKey: REPOSITORY_TEMPLATE - sourceRef: - storeRef: - name: bitwarden-fields - kind: ClusterSecretStore - remoteRef: - key: fb121da5-ecd8-4e94-a5a0-b0fe011aef94 - property: restic_endpoint - - secretKey: RESTIC_PASSWORD - sourceRef: - storeRef: - name: bitwarden-fields - kind: ClusterSecretStore - remoteRef: - key: fb121da5-ecd8-4e94-a5a0-b0fe011aef94 - property: restic_password - - secretKey: AWS_ACCESS_KEY_ID - sourceRef: - storeRef: - name: bitwarden-login - kind: ClusterSecretStore - remoteRef: - key: be779808-b3ed-469b-a27f-b0fe011a54e2 - property: username - - secretKey: AWS_SECRET_ACCESS_KEY - sourceRef: - storeRef: - name: bitwarden-login - kind: ClusterSecretStore - remoteRef: - key: be779808-b3ed-469b-a27f-b0fe011a54e2 - property: password + dataFrom: + - extract: + key: volsync-bucket + - extract: + key: volsync-minio-template + property: RESTIC_REPOSITORY --- apiVersion: volsync.backube/v1alpha1 kind: ReplicationDestination diff --git a/kubernetes/pi/templates/volsync/r2.yaml b/kubernetes/pi/templates/volsync/r2.yaml index 562dad1722..7a116e6bd0 100644 --- a/kubernetes/pi/templates/volsync/r2.yaml +++ b/kubernetes/pi/templates/volsync/r2.yaml 
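Review bot: The `volsync-minio-template` extract carries `property: RESTIC_REPOSITORY`, while the template a few lines above still reads `.REPOSITORY_TEMPLATE` (and the matching extract in r2.yaml has no `property` at all). With `dataFrom.extract`, `property` narrows the remote value to that sub-map before its keys are merged into the template context, so unless the value selected by `RESTIC_REPOSITORY` is itself a map containing `REPOSITORY_TEMPLATE`, the render is left without that key and `RESTIC_REPOSITORY` in the resulting Secret would be wrong — I cannot see the remote secret's shape from the diff, so please verify it against the store. If the intent is to alias a single value, the explicit form is a `data:` entry, `- secretKey: REPOSITORY_TEMPLATE` / `remoteRef: {key: volsync-minio-template, property: RESTIC_REPOSITORY}`, alongside the `volsync-bucket` extract; either way minio.yaml and r2.yaml should follow the same pattern. The ReplicationDestination document at the end of the hunk continues outside it.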
@@ -1,51 +1,27 @@ --- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: "${APP}-volsync-r2" spec: + secretStoreRef: + name: bitwarden-secrets-manager + kind: ClusterSecretStore target: - deletionPolicy: Delete + name: "${APP}-volsync-r2" template: - type: Opaque + engineVersion: v2 data: RESTIC_REPOSITORY: "{{ .REPOSITORY_TEMPLATE }}/${APP}" RESTIC_PASSWORD: "{{ .RESTIC_PASSWORD }}" AWS_ACCESS_KEY_ID: "{{ .AWS_ACCESS_KEY_ID }}" AWS_SECRET_ACCESS_KEY: "{{ .AWS_SECRET_ACCESS_KEY }}" - data: - - secretKey: REPOSITORY_TEMPLATE - sourceRef: - storeRef: - name: bitwarden-fields - kind: ClusterSecretStore - remoteRef: - key: fb121da5-ecd8-4e94-a5a0-b0fe011aef94 - property: r2_restic_endpoint - - secretKey: RESTIC_PASSWORD - sourceRef: - storeRef: - name: bitwarden-fields - kind: ClusterSecretStore - remoteRef: - key: fb121da5-ecd8-4e94-a5a0-b0fe011aef94 - property: r2_restic_password - - secretKey: AWS_ACCESS_KEY_ID - sourceRef: - storeRef: - name: bitwarden-fields - kind: ClusterSecretStore - remoteRef: - key: fb121da5-ecd8-4e94-a5a0-b0fe011aef94 - property: r2_access_key_id - - secretKey: AWS_SECRET_ACCESS_KEY - sourceRef: - storeRef: - name: bitwarden-fields - kind: ClusterSecretStore - remoteRef: - key: fb121da5-ecd8-4e94-a5a0-b0fe011aef94 - property: r2_secret_key + dataFrom: + - extract: + key: cloudflare + - extract: + key: volsync-r2-template --- apiVersion: volsync.backube/v1alpha1 kind: ReplicationSource