fix(kubernetes): bootstrapping fix and some cleanup #3364
Merged
--- kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets
+++ kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets
@@ -23,26 +23,10 @@
interval: 30m
upgrade:
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
- values:
- certController:
- image:
- repository: ghcr.io/external-secrets/external-secrets
- serviceMonitor:
- enabled: true
- interval: 1m
- image:
- repository: ghcr.io/external-secrets/external-secrets
- installCRDs: true
- serviceMonitor:
- enabled: true
- interval: 1m
- webhook:
- image:
- repository: ghcr.io/external-secrets/external-secrets
- serviceMonitor:
- enabled: true
- interval: 1m
+ valuesFrom:
+ - kind: ConfigMap
+ name: external-secrets-helm-values-h9g78hg67k
--- kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-helm-values-h9g78hg67k
+++ kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-helm-values-h9g78hg67k
@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ installCRDs: true
+ replicaCount: 1
+ leaderElect: true
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ webhook:
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+ certController:
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: external-secrets
+ kustomize.toolkit.fluxcd.io/name: external-secrets
+ kustomize.toolkit.fluxcd.io/namespace: external-secrets
+ name: external-secrets-helm-values-h9g78hg67k
+ namespace: external-secrets
+
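Review bot: `replicaCount: 1` and `leaderElect: true` in the new values.yaml are not in the inline values removed from the HelmRelease above, so this ConfigMap is not a pure relocation of the existing values. Please call the two new settings out in the PR description; with a single replica `leaderElect: true` is harmless, but the next person who raises `replicaCount` should be able to see that leader election was already turned on here deliberately.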
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium
@@ -23,25 +23,10 @@
interval: 30m
upgrade:
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
- values:
- dashboards:
- enabled: true
- operator:
- dashboards:
- enabled: true
- prometheus:
- enabled: true
- serviceMonitor:
- enabled: true
- prometheus:
- enabled: true
- serviceMonitor:
- enabled: true
- trustCRDsExist: true
valuesFrom:
- kind: ConfigMap
- name: cilium-helm-values-btb6d5kg78
+ name: cilium-helm-values-f7798hggtk
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium ConfigMap: kube-system/cilium-helm-values-btb6d5kg78
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium ConfigMap: kube-system/cilium-helm-values-btb6d5kg78
@@ -1,78 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- autoDirectNodeRoutes: true
- bandwidthManager:
- enabled: true
- bbr: true
- bpf:
- datapathMode: netkit
- masquerade: true
- preallocateMaps: true
- tproxy: true
- bgpControlPlane:
- enabled: true
- cgroup:
- automount:
- enabled: false
- hostRoot: /sys/fs/cgroup
- cluster:
- id: 1
- name: main
- cni:
- exclusive: false
- enableIPv4BIGTCP: true
- endpointRoutes:
- enabled: true
- envoy:
- enabled: false
- hubble:
- enabled: false
- ipam:
- mode: kubernetes
- ipv4NativeRoutingCIDR: 10.244.0.0/16
- k8sServiceHost: 127.0.0.1
- k8sServicePort: 7445
- kubeProxyReplacement: true
- kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
- l2announcements:
- enabled: true
- loadBalancer:
- algorithm: maglev
- mode: dsr
- localRedirectPolicy: true
- operator:
- rollOutPods: true
- rollOutCiliumPods: true
- routingMode: native
- securityContext:
- capabilities:
- ciliumAgent:
- - CHOWN
- - KILL
- - NET_ADMIN
- - NET_RAW
- - IPC_LOCK
- - SYS_ADMIN
- - SYS_RESOURCE
- - PERFMON
- - BPF
- - DAC_OVERRIDE
- - FOWNER
- - SETGID
- - SETUID
- cleanCiliumState:
- - NET_ADMIN
- - SYS_ADMIN
- - SYS_RESOURCE
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: cilium
- kustomize.toolkit.fluxcd.io/name: cilium
- kustomize.toolkit.fluxcd.io/namespace: kube-system
- name: cilium-helm-values-btb6d5kg78
- namespace: kube-system
-
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium ConfigMap: kube-system/cilium-helm-values-f7798hggtk
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium ConfigMap: kube-system/cilium-helm-values-f7798hggtk
@@ -0,0 +1,92 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ autoDirectNodeRoutes: true
+ bandwidthManager:
+ enabled: true
+ bbr: true
+ bpf:
+ datapathMode: netkit
+ masquerade: true
+ preallocateMaps: true
+ tproxy: true
+ bgpControlPlane:
+ enabled: true
+ cgroup:
+ automount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
+ cluster:
+ id: 1
+ name: main
+ cni:
+ exclusive: false
+ enableIPv4BIGTCP: true
+ endpointRoutes:
+ enabled: true
+ envoy:
+ enabled: false
+ hubble:
+ enabled: false
+ ipam:
+ mode: kubernetes
+ ipv4NativeRoutingCIDR: 10.244.0.0/16
+ k8sServiceHost: 127.0.0.1
+ k8sServicePort: 7445
+ kubeProxyReplacement: true
+ kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
+ l2announcements:
+ enabled: true
+ loadBalancer:
+ algorithm: maglev
+ mode: dsr
+ localRedirectPolicy: true
+ operator:
+ replicas: 2
+ rollOutPods: true
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ dashboards:
+ enabled: true
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ trustCRDsExist: true
+ dashboards:
+ enabled: true
+ rollOutCiliumPods: true
+ routingMode: native
+ securityContext:
+ capabilities:
+ ciliumAgent:
+ - CHOWN
+ - KILL
+ - NET_ADMIN
+ - NET_RAW
+ - IPC_LOCK
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - PERFMON
+ - BPF
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ cleanCiliumState:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: cilium
+ kustomize.toolkit.fluxcd.io/name: cilium
+ kustomize.toolkit.fluxcd.io/namespace: kube-system
+ name: cilium-helm-values-f7798hggtk
+ namespace: kube-system
+
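Review bot: `operator.replicas: 2` is new; neither the inline HelmRelease values removed above nor the deleted `cilium-helm-values-btb6d5kg78` ConfigMap set it. For a PR described as a bootstrapping fix this is worth a second look: if the cluster starts life as a single node, confirm that two operator replicas can actually be scheduled, otherwise keep the chart default and raise it once more nodes join. Apart from that key, the rest of this ConfigMap is the old ConfigMap plus the `dashboards`, `operator.*`, `prometheus` and `serviceMonitor` keys moved out of the HelmRelease, so the relocation itself looks complete.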
--- kubernetes/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager HelmRelease: cert-manager/cert-manager
+++ kubernetes/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager HelmRelease: cert-manager/cert-manager
@@ -23,17 +23,10 @@
interval: 30m
upgrade:
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
- values:
- crds:
- enabled: true
- dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
- dns01RecursiveNameserversOnly: true
- prometheus:
- enabled: true
- servicemonitor:
- enabled: true
- replicaCount: 2
+ valuesFrom:
+ - kind: ConfigMap
+ name: cert-manager-helm-values-hgg6hf7kh2
--- kubernetes/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-helm-values-hgg6hf7kh2
+++ kubernetes/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-helm-values-hgg6hf7kh2
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ crds:
+ enabled: true
+ replicaCount: 1
+ dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
+ dns01RecursiveNameserversOnly: true
+ prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: true
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: cert-manager-helm-values-hgg6hf7kh2
+ namespace: cert-manager
+
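Review bot: `replicaCount` goes from 2 (in the inline values removed from the HelmRelease) to 1 in this ConfigMap, which halves cert-manager controller availability and is not mentioned in the PR title. If one replica is intended for bootstrap, say so in the description; otherwise keep `replicaCount: 2` so the move stays behaviour-neutral. The DoH recursive nameservers and `dns01RecursiveNameserversOnly: true` carry over unchanged, which is good.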
--- kubernetes/apps/kube-system/spegel/app Kustomization: kube-system/spegel HelmRelease: kube-system/spegel
+++ kubernetes/apps/kube-system/spegel/app Kustomization: kube-system/spegel HelmRelease: kube-system/spegel
@@ -23,15 +23,10 @@
interval: 30m
upgrade:
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
- values:
- grafanaDashboard:
- enabled: true
- serviceMonitor:
- enabled: true
valuesFrom:
- kind: ConfigMap
- name: spegel-helm-values-7455d7fkdd
+ name: spegel-helm-values-fgd55thcgf
--- kubernetes/apps/kube-system/spegel/app Kustomization: kube-system/spegel ConfigMap: kube-system/spegel-helm-values-7455d7fkdd
+++ kubernetes/apps/kube-system/spegel/app Kustomization: kube-system/spegel ConfigMap: kube-system/spegel-helm-values-7455d7fkdd
@@ -1,21 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- spegel:
- appendMirrors: true
- containerdSock: /run/containerd/containerd.sock
- containerdRegistryConfigPath: /etc/cri/conf.d/hosts
- service:
- registry:
- hostPort: 29999
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: spegel
- kustomize.toolkit.fluxcd.io/name: spegel
- kustomize.toolkit.fluxcd.io/namespace: kube-system
- name: spegel-helm-values-7455d7fkdd
- namespace: kube-system
-
--- kubernetes/apps/kube-system/spegel/app Kustomization: kube-system/spegel ConfigMap: kube-system/spegel-helm-values-fgd55thcgf
+++ kubernetes/apps/kube-system/spegel/app Kustomization: kube-system/spegel ConfigMap: kube-system/spegel-helm-values-fgd55thcgf
@@ -0,0 +1,25 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ grafanaDashboard:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ spegel:
+ appendMirrors: true
+ containerdSock: /run/containerd/containerd.sock
+ containerdRegistryConfigPath: /etc/cri/conf.d/hosts
+ service:
+ registry:
+ hostPort: 29999
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: spegel
+ kustomize.toolkit.fluxcd.io/name: spegel
+ kustomize.toolkit.fluxcd.io/namespace: kube-system
+ name: spegel-helm-values-fgd55thcgf
+ namespace: kube-system
+
--- kubernetes/apps/external-secrets/external-secrets/stores Kustomization: external-secrets/external-secrets-stores ClusterSecretStore: external-secrets/onepassword-connect
+++ kubernetes/apps/external-secrets/external-secrets/stores Kustomization: external-secrets/external-secrets-stores ClusterSecretStore: external-secrets/onepassword-connect
@@ -1,23 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
- labels:
- app.kubernetes.io/name: external-secrets-stores
- kustomize.toolkit.fluxcd.io/name: external-secrets-stores
- kustomize.toolkit.fluxcd.io/namespace: external-secrets
- name: onepassword-connect
- namespace: external-secrets
-spec:
- provider:
- onepassword:
- auth:
- secretRef:
- connectTokenSecretRef:
- key: token
- name: onepassword-connect-secret
- namespace: external-secrets
- connectHost: http://onepassword-connect.external-secrets.svc.cluster.local
- vaults:
- K8s: 1
-
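Review bot: this removes the `onepassword-connect` ClusterSecretStore, but every ExternalSecret further down is repointed at a ClusterSecretStore named `onepassword`, and no hunk in this diff creates one. Unless it lives in a file outside this diff, those ExternalSecrets will fail to sync with a missing-store error after merge. Please link or include the manifest that adds the `onepassword` ClusterSecretStore, together with the `onepassword-store` Kustomization that the `dependsOn` entries below now reference.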
--- kubernetes/apps/external-secrets/onepassword-connect/app Kustomization: external-secrets/onepassword-connect HelmRelease: external-secrets/onepassword-connect
+++ kubernetes/apps/external-secrets/onepassword-connect/app Kustomization: external-secrets/onepassword-connect HelmRelease: external-secrets/onepassword-connect
@@ -1,150 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: onepassword-connect
- kustomize.toolkit.fluxcd.io/name: onepassword-connect
- kustomize.toolkit.fluxcd.io/namespace: external-secrets
- name: onepassword-connect
- namespace: external-secrets
-spec:
- chart:
- spec:
- chart: app-template
- sourceRef:
- kind: HelmRepository
- name: bjw-s
- namespace: flux-system
- version: 3.6.1
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controllers:
- onepassword-connect:
- annotations:
- reloader.stakater.com/auto: 'true'
- containers:
- api:
- env:
- OP_BUS_PEERS: localhost:11221
- OP_BUS_PORT: 11220
- OP_HTTP_PORT: 80
- OP_SESSION:
- valueFrom:
- secretKeyRef:
- key: 1password-credentials.json
- name: onepassword-connect-secret
- XDG_DATA_HOME: /config
- image:
- repository: docker.io/1password/connect-api
- tag: 1.7.3@sha256:0601c7614e102eada268dbda6ba4b5886ce77713be2c332ec6a2fd0f028484ba
- probes:
- liveness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /heartbeat
- port: 80
- initialDelaySeconds: 15
- periodSeconds: 30
- readiness:
- custom: true
- enabled: true
- spec:
- httpGet:
- path: /health
- port: 80
- initialDelaySeconds: 15
- resources:
- limits:
- memory: 64Mi
- requests:
- cpu: 10m
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- sync:
- env:
- OP_BUS_PEERS: localhost:11220
- OP_BUS_PORT: 11221
- OP_HTTP_PORT: 8081
- OP_SESSION:
- valueFrom:
- secretKeyRef:
- key: 1password-credentials.json
- name: onepassword-connect-secret
- XDG_DATA_HOME: /config
- image:
- repository: docker.io/1password/connect-sync
- tag: 1.7.3@sha256:2f17621c7eb27bbcb1f86bbc5e5a5198bf54ac3b9c2ffac38064d03c932b07d5
- probes:
- liveness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /heartbeat
- port: 8081
- initialDelaySeconds: 15
- periodSeconds: 30
- readiness:
- custom: true
- enabled: true
- spec:
- httpGet:
- path: /health
- port: 8081
- initialDelaySeconds: 15
- resources:
- limits:
- memory: 64Mi
- requests:
- cpu: 10m
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- strategy: RollingUpdate
- defaultPodOptions:
- securityContext:
- runAsGroup: 999
- runAsNonRoot: true
- runAsUser: 999
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
- persistence:
- config:
- globalMounts:
- - path: /config
- type: emptyDir
- service:
- app:
- controller: onepassword-connect
- ports:
- http:
- port: 80
-
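Review bot: the deleted release had a tight pod posture worth carrying forward: both images pinned by digest, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true`, and `runAsNonRoot` with uid/gid 999. Whatever replaces the Connect deployment is not visible in this diff, so please confirm the replacement keeps those settings. Also confirm that the `onepassword-connect-secret` Secret (the `1password-credentials.json` consumed via `OP_SESSION`) is either still used by the replacement or is removed, so a stale credentials file does not linger in the `external-secrets` namespace.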
--- kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
+++ kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-webhook-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_WEBHOOK_TOKEN }}'
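Review bot: `secretStoreRef.name` changes to `onepassword`, a ClusterSecretStore this diff never defines (the only ClusterSecretStore it touches is the deletion of `onepassword-connect` above). The same rename repeats for every `github-token` ExternalSecret below; please confirm the new store exists and is Ready before this merges, since each of these secrets sits at the start of a `dependsOn` chain.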
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: actions-runner-system/actions-runner-controller
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: actions-runner-system/actions-runner-controller
@@ -9,13 +9,13 @@
namespace: actions-runner-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: actions-runner-controller
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/actions-runner-system/actions-runner-controller/app
prune: true
sourceRef:
kind: GitRepository
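Review bot: `dependsOn` now targets a Flux Kustomization named `onepassword-store` in `external-secrets`, but this diff only deletes the `external-secrets-stores` and `onepassword-connect` Kustomizations and adds none. Flux will hold every dependant that gets this rename below (actions-runner-controller, cert-manager-issuers, cloudnative-pg, emqx, atuin, go2rtc, the media and monitoring apps, and so on) until a Kustomization with exactly that name exists, so the missing manifest should be part of this PR or land first.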
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: actions-runner-system/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: actions-runner-system/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager-issuers
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager-issuers
@@ -11,13 +11,13 @@
commonMetadata:
labels:
app.kubernetes.io/name: cert-manager-issuers
dependsOn:
- name: cert-manager
namespace: cert-manager
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/cert-manager/cert-manager/issuers
prune: true
sourceRef:
kind: GitRepository
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: cert-manager/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: cert-manager/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: databases/cloudnative-pg
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: databases/cloudnative-pg
@@ -9,13 +9,13 @@
namespace: databases
spec:
commonMetadata:
labels:
app.kubernetes.io/name: cloudnative-pg
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/databases/cloudnative-pg/app
prune: true
sourceRef:
kind: GitRepository
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: databases/emqx
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: databases/emqx
@@ -11,13 +11,13 @@
commonMetadata:
labels:
app.kubernetes.io/name: emqx
dependsOn:
- name: cert-manager
namespace: cert-manager
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/databases/emqx/app
prune: true
sourceRef:
kind: GitRepository
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: databases/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: databases/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/external-secrets-stores
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/external-secrets-stores
@@ -1,27 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: external-secrets-stores
- namespace: external-secrets
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: external-secrets-stores
- dependsOn:
- - name: external-secrets
- namespace: external-secrets
- interval: 30m
- path: ./kubernetes/apps/external-secrets/external-secrets/stores
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- targetNamespace: external-secrets
- timeout: 5m
- wait: true
-
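Review bot: the deleted Kustomization carried `dependsOn: external-secrets` and `wait: true`, which is what guaranteed the ClusterSecretStore CRD was installed and the store reconciled before any consumer ran. Make sure the replacement `onepassword-store` Kustomization keeps both, otherwise the ordering problem this PR sets out to fix can reappear as a `no matches for kind ClusterSecretStore` error on a fresh bootstrap.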
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword-connect
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword-connect
@@ -1,26 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: onepassword-connect
- namespace: external-secrets
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: onepassword-connect
- dependsOn:
- - name: external-secrets
- interval: 30m
- path: ./kubernetes/apps/external-secrets/onepassword-connect/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- targetNamespace: external-secrets
- timeout: 5m
- wait: true
-
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: external-secrets/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: external-secrets/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: flux-system/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: flux-system/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: home/atuin
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: home/atuin
@@ -11,13 +11,13 @@
commonMetadata:
labels:
app.kubernetes.io/name: atuin
dependsOn:
- name: cloudnative-pg-cluster
namespace: databases
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/home/atuin/app
prune: true
sourceRef:
kind: GitRepository
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: home/go2rtc
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: home/go2rtc
@@ -9,18 +9,18 @@
namespace: home
spec:
commonMetadata:
labels:
app.kubernetes.io/name: go2rtc
dependsOn:
- - name: external-secrets-stores
- namespace: external-secrets
- name: intel-device-plugin-gpu
namespace: kube-system
- name: multus-networks
namespace: networking
+ - name: onepassword-store
+ namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/home/go2rtc/app
prune: true
sourceRef:
kind: GitRepository
name: flux-system
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: home/zigbee2mqtt
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: home/zigbee2mqtt
@@ -13,13 +13,13 @@
app.kubernetes.io/name: zigbee2mqtt
components:
- ../../../../flux/components/volsync
dependsOn:
- name: emqx-cluster
namespace: databases
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
- name: rook-ceph-cluster
namespace: rook-ceph
- name: volsync
namespace: volsync-system
interval: 30m
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: home/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: home/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: kube-system/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: kube-system/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/autobrr
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/autobrr
@@ -11,13 +11,13 @@
commonMetadata:
labels:
app.kubernetes.io/name: autobrr
dependsOn:
- name: cloudnative-pg-cluster
namespace: databases
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/media/autobrr/app
prune: true
sourceRef:
kind: GitRepository
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/bazarr
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/bazarr
@@ -11,13 +11,13 @@
commonMetadata:
labels:
app.kubernetes.io/name: bazarr
components:
- ../../../../flux/components/volsync
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
- name: rook-ceph-cluster
namespace: rook-ceph
- name: volsync
namespace: volsync-system
interval: 30m
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/cross-seed
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/cross-seed
@@ -11,13 +11,13 @@
commonMetadata:
labels:
app.kubernetes.io/name: cross-seed
components:
- ../../../../flux/components/volsync
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
- name: qbittorrent
namespace: media
- name: rook-ceph-cluster
namespace: rook-ceph
- name: volsync
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/prowlarr
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/prowlarr
@@ -11,13 +11,13 @@
commonMetadata:
labels:
app.kubernetes.io/name: prowlarr
dependsOn:
- name: cloudnative-pg-cluster
namespace: databases
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/media/prowlarr/app
prune: true
sourceRef:
kind: GitRepository
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/radarr
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/radarr
@@ -11,13 +11,13 @@
commonMetadata:
labels:
app.kubernetes.io/name: radarr
dependsOn:
- name: cloudnative-pg-cluster
namespace: databases
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
- name: rook-ceph-cluster
namespace: rook-ceph
interval: 30m
path: ./kubernetes/apps/media/radarr/app
prune: true
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/recyclarr
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/recyclarr
@@ -11,13 +11,13 @@
commonMetadata:
labels:
app.kubernetes.io/name: recyclarr
components:
- ../../../../flux/components/volsync
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
- name: rook-ceph-cluster
namespace: rook-ceph
- name: volsync
namespace: volsync-system
interval: 30m
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/sabnzbd
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/sabnzbd
@@ -11,13 +11,13 @@
commonMetadata:
labels:
app.kubernetes.io/name: sabnzbd
components:
- ../../../../flux/components/volsync
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
- name: rook-ceph-cluster
namespace: rook-ceph
- name: volsync
namespace: volsync-system
interval: 30m
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/sonarr
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/sonarr
@@ -11,13 +11,13 @@
commonMetadata:
labels:
app.kubernetes.io/name: sonarr
dependsOn:
- name: cloudnative-pg-cluster
namespace: databases
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
- name: rook-ceph-cluster
namespace: rook-ceph
interval: 30m
path: ./kubernetes/apps/media/sonarr/app
prune: true
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/unpackerr
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: media/unpackerr
@@ -9,13 +9,13 @@
namespace: media
spec:
commonMetadata:
labels:
app.kubernetes.io/name: unpackerr
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/media/unpackerr/app
prune: true
sourceRef:
kind: GitRepository
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: media/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: media/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: monitoring/gatus
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: monitoring/gatus
@@ -13,13 +13,13 @@
app.kubernetes.io/name: gatus
components:
- ../../../../flux/components/gatus
dependsOn:
- name: cloudnative-pg-cluster
namespace: databases
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/monitoring/gatus/app
postBuild:
substitute:
APP: gatus
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: monitoring/grafana
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: monitoring/grafana
@@ -9,13 +9,13 @@
namespace: monitoring
spec:
commonMetadata:
labels:
app.kubernetes.io/name: grafana
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/monitoring/grafana/app
prune: true
sourceRef:
kind: GitRepository
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: monitoring/kube-prometheus-stack
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: monitoring/kube-prometheus-stack
@@ -9,13 +9,13 @@
namespace: monitoring
spec:
commonMetadata:
labels:
app.kubernetes.io/name: kube-prometheus-stack
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
- name: prometheus-operator-crds
namespace: monitoring
- name: rook-ceph-cluster
namespace: rook-ceph
interval: 30m
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: monitoring/unpoller
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: monitoring/unpoller
@@ -9,13 +9,13 @@
namespace: monitoring
spec:
commonMetadata:
labels:
app.kubernetes.io/name: unpoller
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/monitoring/unpoller/app
prune: true
sourceRef:
kind: GitRepository
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: monitoring/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: monitoring/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: networking/cloudflared
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: networking/cloudflared
@@ -9,13 +9,13 @@
namespace: networking
spec:
commonMetadata:
labels:
app.kubernetes.io/name: cloudflared
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/networking/cloudflared/app
prune: true
sourceRef:
kind: GitRepository
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: networking/external-dns-cloudflare
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: networking/external-dns-cloudflare
@@ -9,13 +9,13 @@
namespace: networking
spec:
commonMetadata:
labels:
app.kubernetes.io/name: external-dns-cloudflare
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/networking/external-dns/cloudflare
prune: true
sourceRef:
kind: GitRepository
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: networking/external-dns-unifi
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: networking/external-dns-unifi
@@ -9,13 +9,13 @@
namespace: networking
spec:
commonMetadata:
labels:
app.kubernetes.io/name: external-dns-unifi
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/networking/external-dns/unifi
prune: true
sourceRef:
kind: GitRepository
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: networking/smtp-relay
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: networking/smtp-relay
@@ -9,13 +9,13 @@
namespace: networking
spec:
commonMetadata:
labels:
app.kubernetes.io/name: smtp-relay
dependsOn:
- - name: external-secrets-stores
+ - name: onepassword-store
namespace: external-secrets
interval: 30m
path: ./kubernetes/apps/networking/smtp-relay/app
prune: true
sourceRef:
kind: GitRepository
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: networking/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: networking/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: openebs-system/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: openebs-system/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: rook-ceph/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: rook-ceph/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: system-upgrade/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: system-upgrade/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: volsync-system/github-token
+++ kubernetes/apps Kustomization: flux-system/cluster-apps ExternalSecret: volsync-system/github-token
@@ -10,13 +10,13 @@
spec:
dataFrom:
- extract:
key: flux
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: github-token-secret
template:
data:
token: '{{ .FLUX_GITHUB_TOKEN }}'
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword
@@ -0,0 +1,27 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: onepassword
+ namespace: external-secrets
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: onepassword
+ dependsOn:
+ - name: external-secrets
+ namespace: external-secrets
+ interval: 30m
+ path: ./kubernetes/apps/external-secrets/onepassword/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ targetNamespace: external-secrets
+ timeout: 5m
+ wait: true
+
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword-store
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword-store
@@ -0,0 +1,27 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: onepassword-store
+ namespace: external-secrets
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: onepassword-store
+ dependsOn:
+ - name: onepassword
+ namespace: external-secrets
+ interval: 30m
+ path: ./kubernetes/apps/external-secrets/onepassword/store
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ targetNamespace: external-secrets
+ timeout: 5m
+ wait: true
+
--- kubernetes/apps/networking/external-dns/unifi Kustomization: networking/external-dns-unifi ExternalSecret: networking/external-dns-unifi
+++ kubernetes/apps/networking/external-dns/unifi Kustomization: networking/external-dns-unifi ExternalSecret: networking/external-dns-unifi
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: unifi
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: external-dns-unifi-secret
template:
data:
UNIFI_API_KEY: '{{ .UNIFI_API_KEY }}'
--- kubernetes/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ExternalSecret: cert-manager/cloudflare-issuer
+++ kubernetes/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ExternalSecret: cert-manager/cloudflare-issuer
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: cloudflare
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: cloudflare-issuer-secret
template:
data:
CLOUDFLARE_API_TOKEN: '{{ .CLOUDFLARE_API_TOKEN }}'
--- kubernetes/apps/databases/cloudnative-pg/app Kustomization: databases/cloudnative-pg ExternalSecret: databases/cloudnative-pg
+++ kubernetes/apps/databases/cloudnative-pg/app Kustomization: databases/cloudnative-pg ExternalSecret: databases/cloudnative-pg
@@ -13,13 +13,13 @@
- extract:
key: cloudflare
- extract:
key: cloudnative-pg
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: cloudnative-pg-secret
template:
data:
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
--- kubernetes/apps/actions-runner-system/actions-runner-controller/app Kustomization: actions-runner-system/actions-runner-controller ExternalSecret: actions-runner-system/actions-runner-controller
+++ kubernetes/apps/actions-runner-system/actions-runner-controller/app Kustomization: actions-runner-system/actions-runner-controller ExternalSecret: actions-runner-system/actions-runner-controller
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: actions-runner-controller
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: actions-runner-controller-secret
template:
data:
ACTION_RUNNER_CONTROLLER_GITHUB_APP_ID: '{{ .ACTION_RUNNER_CONTROLLER_GITHUB_APP_ID
--- kubernetes/apps/networking/external-dns/cloudflare Kustomization: networking/external-dns-cloudflare ExternalSecret: networking/external-dns-cloudflare
+++ kubernetes/apps/networking/external-dns/cloudflare Kustomization: networking/external-dns-cloudflare ExternalSecret: networking/external-dns-cloudflare
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: cloudflare
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: external-dns-cloudflare-secret
template:
data:
CF_API_TOKEN: '{{ .CLOUDFLARE_API_TOKEN }}'
--- kubernetes/apps/databases/emqx/app Kustomization: databases/emqx ExternalSecret: databases/emqx
+++ kubernetes/apps/databases/emqx/app Kustomization: databases/emqx ExternalSecret: databases/emqx
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: emqx
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
name: emqx-secret
template:
data:
EMQX_DASHBOARD__DEFAULT_PASSWORD: '{{ .EMQX_DASHBOARD__DEFAULT_PASSWORD }}'
EMQX_DASHBOARD__DEFAULT_USERNAME: '{{ .EMQX_DASHBOARD__DEFAULT_USERNAME }}'
--- kubernetes/apps/databases/emqx/app Kustomization: databases/emqx ExternalSecret: databases/emqx-init-user
+++ kubernetes/apps/databases/emqx/app Kustomization: databases/emqx ExternalSecret: databases/emqx-init-user
@@ -12,13 +12,13 @@
dataFrom:
- extract:
key: emqx
refreshInterval: 5m
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
name: emqx-init-user-secret
template:
data:
init-user.json: |
[{"user_id": "{{ .X_EMQX_MQTT_USERNAME }}", "password": "{{ .X_EMQX_MQTT_PASSWORD }}", "is_superuser": true}]
--- kubernetes/apps/media/unpackerr/app Kustomization: media/unpackerr ExternalSecret: media/unpackerr
+++ kubernetes/apps/media/unpackerr/app Kustomization: media/unpackerr ExternalSecret: media/unpackerr
@@ -13,13 +13,13 @@
- extract:
key: radarr
- extract:
key: sonarr
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: unpackerr-secret
template:
data:
UN_RADARR_0_API_KEY: '{{ .RADARR_API_KEY }}'
--- kubernetes/apps/networking/smtp-relay/app Kustomization: networking/smtp-relay ExternalSecret: networking/smtp-relay
+++ kubernetes/apps/networking/smtp-relay/app Kustomization: networking/smtp-relay ExternalSecret: networking/smtp-relay
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: smtp-relay
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: smtp-relay-secret
template:
data:
SMTP_RELAY_PASSWORD: '{{ .SMTP_RELAY_PASSWORD }}'
--- kubernetes/apps/monitoring/unpoller/app Kustomization: monitoring/unpoller ExternalSecret: monitoring/unpoller
+++ kubernetes/apps/monitoring/unpoller/app Kustomization: monitoring/unpoller ExternalSecret: monitoring/unpoller
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: unifi
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: unpoller-secret
template:
data:
UP_UNIFI_DEFAULT_API_KEY: '{{ .UNIFI_API_KEY }}'
--- kubernetes/apps/monitoring/grafana/app Kustomization: monitoring/grafana ExternalSecret: monitoring/grafana
+++ kubernetes/apps/monitoring/grafana/app Kustomization: monitoring/grafana ExternalSecret: monitoring/grafana
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: grafana
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: grafana-secret
template:
data:
admin-password: '{{ .GRAFANA_ADMIN_PASS }}'
--- kubernetes/apps/networking/cloudflared/app Kustomization: networking/cloudflared ExternalSecret: networking/cloudflared
+++ kubernetes/apps/networking/cloudflared/app Kustomization: networking/cloudflared ExternalSecret: networking/cloudflared
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: cloudflare
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: cloudflared-secret
template:
data:
CLOUDFLARE_TUNNEL_ID: '{{ .CLOUDFLARE_TUNNEL_ID }}'
--- kubernetes/apps/media/bazarr/app Kustomization: media/bazarr ExternalSecret: media/bazarr
+++ kubernetes/apps/media/bazarr/app Kustomization: media/bazarr ExternalSecret: media/bazarr
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: plex
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: bazarr-secret
template:
data:
PLEX_TOKEN: '{{ .PLEX_TOKEN }}'
--- kubernetes/apps/media/bazarr/app Kustomization: media/bazarr ExternalSecret: media/bazarr-restic
+++ kubernetes/apps/media/bazarr/app Kustomization: media/bazarr ExternalSecret: media/bazarr-restic
@@ -13,13 +13,13 @@
- extract:
key: cloudflare
- extract:
key: volsync-restic-template
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
name: bazarr-restic-secret
template:
data:
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
--- kubernetes/apps/media/qbittorrent/app Kustomization: media/qbittorrent ExternalSecret: media/qbittorrent-restic
+++ kubernetes/apps/media/qbittorrent/app Kustomization: media/qbittorrent ExternalSecret: media/qbittorrent-restic
@@ -13,13 +13,13 @@
- extract:
key: cloudflare
- extract:
key: volsync-restic-template
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
name: qbittorrent-restic-secret
template:
data:
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
--- kubernetes/apps/home/go2rtc/app Kustomization: home/go2rtc ExternalSecret: home/go2rtc
+++ kubernetes/apps/home/go2rtc/app Kustomization: home/go2rtc ExternalSecret: home/go2rtc
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: go2rtc
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: go2rtc-secret
template:
data:
GO2RTC_HOMEKIT_CLIENT_ID_0: '{{ .GO2RTC_HOMEKIT_CLIENT_ID_0 }}'
--- kubernetes/apps/media/tautulli/app Kustomization: media/tautulli ExternalSecret: media/tautulli-restic
+++ kubernetes/apps/media/tautulli/app Kustomization: media/tautulli ExternalSecret: media/tautulli-restic
@@ -13,13 +13,13 @@
- extract:
key: cloudflare
- extract:
key: volsync-restic-template
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
name: tautulli-restic-secret
template:
data:
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
--- kubernetes/apps/monitoring/kube-prometheus-stack/app Kustomization: monitoring/kube-prometheus-stack ExternalSecret: monitoring/alertmanager
+++ kubernetes/apps/monitoring/kube-prometheus-stack/app Kustomization: monitoring/kube-prometheus-stack ExternalSecret: monitoring/alertmanager
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: alertmanager
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: alertmanager-secret
template:
data:
ALERTMANAGER_HEARTBEAT_URL: '{{ .ALERTMANAGER_HEARTBEAT_URL }}'
--- kubernetes/apps/media/overseerr/app Kustomization: media/overseerr ExternalSecret: media/overseerr-restic
+++ kubernetes/apps/media/overseerr/app Kustomization: media/overseerr ExternalSecret: media/overseerr-restic
@@ -13,13 +13,13 @@
- extract:
key: cloudflare
- extract:
key: volsync-restic-template
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
name: overseerr-restic-secret
template:
data:
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
--- kubernetes/apps/media/recyclarr/app Kustomization: media/recyclarr ExternalSecret: media/recyclarr
+++ kubernetes/apps/media/recyclarr/app Kustomization: media/recyclarr ExternalSecret: media/recyclarr
@@ -13,13 +13,13 @@
- extract:
key: radarr
- extract:
key: sonarr
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: recyclarr-secret
template:
data:
RADARR_API_KEY: '{{ .RADARR_API_KEY }}'
--- kubernetes/apps/media/recyclarr/app Kustomization: media/recyclarr ExternalSecret: media/recyclarr-restic
+++ kubernetes/apps/media/recyclarr/app Kustomization: media/recyclarr ExternalSecret: media/recyclarr-restic
@@ -13,13 +13,13 @@
- extract:
key: cloudflare
- extract:
key: volsync-restic-template
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
name: recyclarr-restic-secret
template:
data:
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
--- kubernetes/apps/media/sabnzbd/app Kustomization: media/sabnzbd ExternalSecret: media/sabnzbd
+++ kubernetes/apps/media/sabnzbd/app Kustomization: media/sabnzbd ExternalSecret: media/sabnzbd
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: sabnzbd
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: sabnzbd-secret
template:
data:
SABNZBD__API_KEY: '{{ .SABNZBD_API_KEY }}'
--- kubernetes/apps/media/sabnzbd/app Kustomization: media/sabnzbd ExternalSecret: media/sabnzbd-restic
+++ kubernetes/apps/media/sabnzbd/app Kustomization: media/sabnzbd ExternalSecret: media/sabnzbd-restic
@@ -13,13 +13,13 @@
- extract:
key: cloudflare
- extract:
key: volsync-restic-template
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
name: sabnzbd-restic-secret
template:
data:
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
--- kubernetes/apps/media/plex/app Kustomization: media/plex ExternalSecret: media/plex-restic
+++ kubernetes/apps/media/plex/app Kustomization: media/plex ExternalSecret: media/plex-restic
@@ -13,13 +13,13 @@
- extract:
key: cloudflare
- extract:
key: volsync-restic-template
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
name: plex-restic-secret
template:
data:
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
--- kubernetes/apps/home/atuin/app Kustomization: home/atuin ExternalSecret: home/atuin
+++ kubernetes/apps/home/atuin/app Kustomization: home/atuin ExternalSecret: home/atuin
@@ -13,13 +13,13 @@
- extract:
key: atuin
- extract:
key: cloudnative-pg
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: atuin-secret
template:
data:
ATUIN_DB_URI: postgres://{{ .ATUIN_POSTGRES_USER }}:{{ .ATUIN_POSTGRES_PASS
--- kubernetes/apps/home/home-assistant/app Kustomization: home/home-assistant ExternalSecret: home/home-assistant-restic
+++ kubernetes/apps/home/home-assistant/app Kustomization: home/home-assistant ExternalSecret: home/home-assistant-restic
@@ -13,13 +13,13 @@
- extract:
key: cloudflare
- extract:
key: volsync-restic-template
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
name: home-assistant-restic-secret
template:
data:
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
--- kubernetes/apps/media/radarr/app Kustomization: media/radarr ExternalSecret: media/radarr
+++ kubernetes/apps/media/radarr/app Kustomization: media/radarr ExternalSecret: media/radarr
@@ -13,13 +13,13 @@
- extract:
key: cloudnative-pg
- extract:
key: radarr
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: radarr-secret
template:
data:
INIT_POSTGRES_DBNAME: radarr_main radarr_log
--- kubernetes/apps/monitoring/gatus/app Kustomization: monitoring/gatus ExternalSecret: monitoring/gatus
+++ kubernetes/apps/monitoring/gatus/app Kustomization: monitoring/gatus ExternalSecret: monitoring/gatus
@@ -13,13 +13,13 @@
- extract:
key: cloudnative-pg
- extract:
key: gatus
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: gatus-secret
template:
data:
GATUS_PUSHOVER_APP_TOKEN: '{{ .GATUS_PUSHOVER_APP_TOKEN }}'
--- kubernetes/apps/home/zigbee2mqtt/app Kustomization: home/zigbee2mqtt ExternalSecret: home/zigbee2mqtt
+++ kubernetes/apps/home/zigbee2mqtt/app Kustomization: home/zigbee2mqtt ExternalSecret: home/zigbee2mqtt
@@ -13,13 +13,13 @@
- extract:
key: emqx
- extract:
key: zigbee2mqtt
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: zigbee2mqtt-secret
template:
data:
ZIGBEE2MQTT_CONFIG_ADVANCED_CHANNEL: '{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_CHANNEL
--- kubernetes/apps/home/zigbee2mqtt/app Kustomization: home/zigbee2mqtt ExternalSecret: home/zigbee2mqtt-restic
+++ kubernetes/apps/home/zigbee2mqtt/app Kustomization: home/zigbee2mqtt ExternalSecret: home/zigbee2mqtt-restic
@@ -13,13 +13,13 @@
- extract:
key: cloudflare
- extract:
key: volsync-restic-template
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
name: zigbee2mqtt-restic-secret
template:
data:
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
--- kubernetes/apps/media/prowlarr/app Kustomization: media/prowlarr ExternalSecret: media/prowlarr
+++ kubernetes/apps/media/prowlarr/app Kustomization: media/prowlarr ExternalSecret: media/prowlarr
@@ -13,13 +13,13 @@
- extract:
key: cloudnative-pg
- extract:
key: prowlarr
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: prowlarr-secret
template:
data:
INIT_POSTGRES_DBNAME: prowlarr_main prowlarr_log
--- kubernetes/apps/media/sonarr/app Kustomization: media/sonarr ExternalSecret: media/sonarr
+++ kubernetes/apps/media/sonarr/app Kustomization: media/sonarr ExternalSecret: media/sonarr
@@ -13,13 +13,13 @@
- extract:
key: cloudnative-pg
- extract:
key: sonarr
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: sonarr-secret
template:
data:
INIT_POSTGRES_DBNAME: sonarr_main sonarr_log
--- kubernetes/apps/media/cross-seed/app Kustomization: media/cross-seed ExternalSecret: media/cross-seed
+++ kubernetes/apps/media/cross-seed/app Kustomization: media/cross-seed ExternalSecret: media/cross-seed
@@ -11,13 +11,13 @@
spec:
dataFrom:
- extract:
key: cross-seed
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: cross-seed-secret
template:
data:
CROSS_SEED_API_KEY: '{{ .CROSS_SEED_API_KEY }}'
--- kubernetes/apps/media/cross-seed/app Kustomization: media/cross-seed ExternalSecret: media/cross-seed-restic
+++ kubernetes/apps/media/cross-seed/app Kustomization: media/cross-seed ExternalSecret: media/cross-seed-restic
@@ -13,13 +13,13 @@
- extract:
key: cloudflare
- extract:
key: volsync-restic-template
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
name: cross-seed-restic-secret
template:
data:
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
--- kubernetes/apps/media/autobrr/app Kustomization: media/autobrr ExternalSecret: media/autobrr
+++ kubernetes/apps/media/autobrr/app Kustomization: media/autobrr ExternalSecret: media/autobrr
@@ -13,13 +13,13 @@
- extract:
key: autobrr
- extract:
key: cloudnative-pg
secretStoreRef:
kind: ClusterSecretStore
- name: onepassword-connect
+ name: onepassword
target:
creationPolicy: Owner
name: autobrr-secret
template:
data:
AUTOBRR__DATABASE_TYPE: postgres
--- kubernetes/apps/external-secrets/onepassword/app Kustomization: external-secrets/onepassword HelmRelease: external-secrets/onepassword
+++ kubernetes/apps/external-secrets/onepassword/app Kustomization: external-secrets/onepassword HelmRelease: external-secrets/onepassword
@@ -0,0 +1,150 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: onepassword
+ kustomize.toolkit.fluxcd.io/name: onepassword
+ kustomize.toolkit.fluxcd.io/namespace: external-secrets
+ name: onepassword
+ namespace: external-secrets
+spec:
+ chart:
+ spec:
+ chart: app-template
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ version: 3.6.1
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ controllers:
+ onepassword:
+ annotations:
+ reloader.stakater.com/auto: 'true'
+ containers:
+ api:
+ env:
+ OP_BUS_PEERS: localhost:11221
+ OP_BUS_PORT: 11220
+ OP_HTTP_PORT: 80
+ OP_SESSION:
+ valueFrom:
+ secretKeyRef:
+ key: 1password-credentials.json
+ name: onepassword-secret
+ XDG_DATA_HOME: /config
+ image:
+ repository: docker.io/1password/connect-api
+ tag: 1.7.3@sha256:0601c7614e102eada268dbda6ba4b5886ce77713be2c332ec6a2fd0f028484ba
+ probes:
+ liveness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /heartbeat
+ port: 80
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ readiness:
+ custom: true
+ enabled: true
+ spec:
+ httpGet:
+ path: /health
+ port: 80
+ initialDelaySeconds: 15
+ resources:
+ limits:
+ memory: 64Mi
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ sync:
+ env:
+ OP_BUS_PEERS: localhost:11220
+ OP_BUS_PORT: 11221
+ OP_HTTP_PORT: 8081
+ OP_SESSION:
+ valueFrom:
+ secretKeyRef:
+ key: 1password-credentials.json
+ name: onepassword-secret
+ XDG_DATA_HOME: /config
+ image:
+ repository: docker.io/1password/connect-sync
+ tag: 1.7.3@sha256:2f17621c7eb27bbcb1f86bbc5e5a5198bf54ac3b9c2ffac38064d03c932b07d5
+ probes:
+ liveness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /heartbeat
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ readiness:
+ custom: true
+ enabled: true
+ spec:
+ httpGet:
+ path: /health
+ port: 8081
+ initialDelaySeconds: 15
+ resources:
+ limits:
+ memory: 64Mi
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ strategy: RollingUpdate
+ defaultPodOptions:
+ securityContext:
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 999
+ ingress:
+ app:
+ className: internal
+ hosts:
+ - host: '{{ .Release.Name }}.ktwo.io'
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: http
+ persistence:
+ config:
+ globalMounts:
+ - path: /config
+ type: emptyDir
+ service:
+ app:
+ controller: onepassword
+ ports:
+ http:
+ port: 80
+
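Review bot: the container-level hardening (drop ALL, `readOnlyRootFilesystem`, non-root 999) is carried over, but two pod-level settings are missing from `defaultPodOptions`: there is no `seccompProfile: RuntimeDefault` (the external-secrets Deployment further down in this diff sets one), and nothing turns off the service-account token, which the Deployment this replaces mounted (`automountServiceAccountToken: true`). Connect never talks to the Kubernetes API, so `automountServiceAccountToken: false` and a RuntimeDefault seccomp profile would remove an unneeded credential from two containers that already hold the 1Password session in `OP_SESSION`. Separately, the `internal` Ingress at `{{ .Release.Name }}.ktwo.io` exposes the Connect REST API beyond the cluster; ESO reaches it through the in-cluster Service (`connectHost` in the store below), so if nothing else needs the hostname, dropping the Ingress shrinks the attack surface on a token-gated API.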
--- kubernetes/apps/external-secrets/onepassword/store Kustomization: external-secrets/onepassword-store ClusterSecretStore: external-secrets/onepassword
+++ kubernetes/apps/external-secrets/onepassword/store Kustomization: external-secrets/onepassword-store ClusterSecretStore: external-secrets/onepassword
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ labels:
+ app.kubernetes.io/name: onepassword-store
+ kustomize.toolkit.fluxcd.io/name: onepassword-store
+ kustomize.toolkit.fluxcd.io/namespace: external-secrets
+ name: onepassword
+ namespace: external-secrets
+spec:
+ provider:
+ onepassword:
+ auth:
+ secretRef:
+ connectTokenSecretRef:
+ key: token
+ name: onepassword-secret
+ namespace: external-secrets
+ connectHost: http://onepassword.external-secrets.svc.cluster.local
+ vaults:
+ K8s: 1
+ |
--- HelmRelease: external-secrets/onepassword-connect Service: external-secrets/onepassword-connect
+++ HelmRelease: external-secrets/onepassword-connect Service: external-secrets/onepassword-connect
@@ -1,22 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: onepassword-connect
- labels:
- app.kubernetes.io/instance: onepassword-connect
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: onepassword-connect
- app.kubernetes.io/service: onepassword-connect
-spec:
- type: ClusterIP
- ports:
- - port: 80
- targetPort: 80
- protocol: TCP
- name: http
- selector:
- app.kubernetes.io/component: onepassword-connect
- app.kubernetes.io/instance: onepassword-connect
- app.kubernetes.io/name: onepassword-connect
-
--- HelmRelease: external-secrets/onepassword-connect Deployment: external-secrets/onepassword-connect
+++ HelmRelease: external-secrets/onepassword-connect Deployment: external-secrets/onepassword-connect
@@ -1,129 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: onepassword-connect
- labels:
- app.kubernetes.io/component: onepassword-connect
- app.kubernetes.io/instance: onepassword-connect
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: onepassword-connect
- annotations:
- reloader.stakater.com/auto: 'true'
-spec:
- revisionHistoryLimit: 3
- replicas: 1
- strategy:
- type: RollingUpdate
- selector:
- matchLabels:
- app.kubernetes.io/component: onepassword-connect
- app.kubernetes.io/name: onepassword-connect
- app.kubernetes.io/instance: onepassword-connect
- template:
- metadata:
- labels:
- app.kubernetes.io/component: onepassword-connect
- app.kubernetes.io/instance: onepassword-connect
- app.kubernetes.io/name: onepassword-connect
- spec:
- enableServiceLinks: false
- serviceAccountName: default
- automountServiceAccountToken: true
- securityContext:
- runAsGroup: 999
- runAsNonRoot: true
- runAsUser: 999
- hostIPC: false
- hostNetwork: false
- hostPID: false
- dnsPolicy: ClusterFirst
- containers:
- - env:
- - name: OP_BUS_PEERS
- value: localhost:11221
- - name: OP_BUS_PORT
- value: '11220'
- - name: OP_HTTP_PORT
- value: '80'
- - name: OP_SESSION
- valueFrom:
- secretKeyRef:
- key: 1password-credentials.json
- name: onepassword-connect-secret
- - name: XDG_DATA_HOME
- value: /config
- image: docker.io/1password/connect-api:1.7.3@sha256:0601c7614e102eada268dbda6ba4b5886ce77713be2c332ec6a2fd0f028484ba
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /heartbeat
- port: 80
- initialDelaySeconds: 15
- periodSeconds: 30
- name: api
- readinessProbe:
- httpGet:
- path: /health
- port: 80
- initialDelaySeconds: 15
- resources:
- limits:
- memory: 64Mi
- requests:
- cpu: 10m
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- volumeMounts:
- - mountPath: /config
- name: config
- - env:
- - name: OP_BUS_PEERS
- value: localhost:11220
- - name: OP_BUS_PORT
- value: '11221'
- - name: OP_HTTP_PORT
- value: '8081'
- - name: OP_SESSION
- valueFrom:
- secretKeyRef:
- key: 1password-credentials.json
- name: onepassword-connect-secret
- - name: XDG_DATA_HOME
- value: /config
- image: docker.io/1password/connect-sync:1.7.3@sha256:2f17621c7eb27bbcb1f86bbc5e5a5198bf54ac3b9c2ffac38064d03c932b07d5
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /heartbeat
- port: 8081
- initialDelaySeconds: 15
- periodSeconds: 30
- name: sync
- readinessProbe:
- httpGet:
- path: /health
- port: 8081
- initialDelaySeconds: 15
- resources:
- limits:
- memory: 64Mi
- requests:
- cpu: 10m
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- volumeMounts:
- - mountPath: /config
- name: config
- volumes:
- - emptyDir: {}
- name: config
-
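Review bot: the removed Deployment read its session from `onepassword-connect-secret`, the replacement reads `onepassword-secret`, and nothing in this diff removes the old Secret. Unless it is pruned elsewhere, the credentials file stays in the namespace with no consumer; either confirm it is deleted, or better, rotate the Connect credentials and token at the same time as the rename so the orphaned copy is worthless.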
--- HelmRelease: external-secrets/onepassword-connect Ingress: external-secrets/onepassword-connect
+++ HelmRelease: external-secrets/onepassword-connect Ingress: external-secrets/onepassword-connect
@@ -1,23 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: onepassword-connect
- labels:
- app.kubernetes.io/instance: onepassword-connect
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: onepassword-connect
-spec:
- ingressClassName: internal
- rules:
- - host: onepassword-connect.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: onepassword-connect
- port:
- number: 80
-
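Review bot: dropping the `onepassword-connect.ktwo.io` host means any DNS record or provider URL that still points at it will go dark once this merges; confirm that the external-secrets provider configuration and any DNS automation reference the new `onepassword.ktwo.io` host (added further down in this diff) before rolling this out, otherwise the bootstrap this PR fixes will stall on an unreachable Connect endpoint.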
--- HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager
+++ HelmRelease: cert-manager/cert-manager Deployment: cert-manager/cert-manager
@@ -8,13 +8,13 @@
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: controller
app.kubernetes.io/managed-by: Helm
spec:
- replicas: 2
+ replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: controller
template:
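Review bot: going from `replicas: 2` to `replicas: 1` removes the cert-manager controller's hot standby; because the controller uses leader election the second pod was idle anyway, so functionally nothing changes, but the PR description is empty and this is a deliberate availability trade-off that should be written down (single-node bootstrap, resource pressure, or whatever the actual reason was) so it is not reverted by the next chart bump.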
--- HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets
+++ HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets
@@ -37,12 +37,13 @@
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: ghcr.io/external-secrets/external-secrets:v0.13.0
imagePullPolicy: IfNotPresent
args:
+ - --enable-leader-election=true
- --concurrent=1
- --metrics-addr=:8080
- --loglevel=info
- --zap-time-encoding=epoch
ports:
- containerPort: 8080
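Review bot: `--enable-leader-election=true` is added without any explanation, and the PR description says "No description provided"; the title calls this a bootstrapping fix, so please note what failed without the flag. Leader election needs the controller's Role to allow `leases` in `coordination.k8s.io`; the chart normally ships that, but since the values now come from a ConfigMap (`valuesFrom` earlier in this diff), verify the rendered Role still grants it, or the pod will start and never become leader, which looks exactly like a stuck bootstrap.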
--- HelmRelease: external-secrets/onepassword Service: external-secrets/onepassword
+++ HelmRelease: external-secrets/onepassword Service: external-secrets/onepassword
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: onepassword
+ labels:
+ app.kubernetes.io/instance: onepassword
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: onepassword
+ app.kubernetes.io/service: onepassword
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/component: onepassword
+ app.kubernetes.io/instance: onepassword
+ app.kubernetes.io/name: onepassword
+
--- HelmRelease: external-secrets/onepassword Deployment: external-secrets/onepassword
+++ HelmRelease: external-secrets/onepassword Deployment: external-secrets/onepassword
@@ -0,0 +1,129 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: onepassword
+ labels:
+ app.kubernetes.io/component: onepassword
+ app.kubernetes.io/instance: onepassword
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: onepassword
+ annotations:
+ reloader.stakater.com/auto: 'true'
+spec:
+ revisionHistoryLimit: 3
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: onepassword
+ app.kubernetes.io/name: onepassword
+ app.kubernetes.io/instance: onepassword
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: onepassword
+ app.kubernetes.io/instance: onepassword
+ app.kubernetes.io/name: onepassword
+ spec:
+ enableServiceLinks: false
+ serviceAccountName: default
+ automountServiceAccountToken: true
+ securityContext:
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 999
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ dnsPolicy: ClusterFirst
+ containers:
+ - env:
+ - name: OP_BUS_PEERS
+ value: localhost:11221
+ - name: OP_BUS_PORT
+ value: '11220'
+ - name: OP_HTTP_PORT
+ value: '80'
+ - name: OP_SESSION
+ valueFrom:
+ secretKeyRef:
+ key: 1password-credentials.json
+ name: onepassword-secret
+ - name: XDG_DATA_HOME
+ value: /config
+ image: docker.io/1password/connect-api:1.7.3@sha256:0601c7614e102eada268dbda6ba4b5886ce77713be2c332ec6a2fd0f028484ba
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /heartbeat
+ port: 80
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ name: api
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: 80
+ initialDelaySeconds: 15
+ resources:
+ limits:
+ memory: 64Mi
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /config
+ name: config
+ - env:
+ - name: OP_BUS_PEERS
+ value: localhost:11220
+ - name: OP_BUS_PORT
+ value: '11221'
+ - name: OP_HTTP_PORT
+ value: '8081'
+ - name: OP_SESSION
+ valueFrom:
+ secretKeyRef:
+ key: 1password-credentials.json
+ name: onepassword-secret
+ - name: XDG_DATA_HOME
+ value: /config
+ image: docker.io/1password/connect-sync:1.7.3@sha256:2f17621c7eb27bbcb1f86bbc5e5a5198bf54ac3b9c2ffac38064d03c932b07d5
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /heartbeat
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ name: sync
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: 8081
+ initialDelaySeconds: 15
+ resources:
+ limits:
+ memory: 64Mi
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /config
+ name: config
+ volumes:
+ - emptyDir: {}
+ name: config
+
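Review bot: `serviceAccountName: default` together with `automountServiceAccountToken: true` (lines near the top of the pod spec) hands the Connect `api` and `sync` containers a Kubernetes API token they never use; set `automountServiceAccountToken: false`, and ideally give the Deployment its own ServiceAccount so `default` is not used by a workload that holds the 1Password credentials file in `OP_SESSION`. The rest of the pod hardening (`runAsNonRoot`, `drop: [ALL]`, `readOnlyRootFilesystem: true`, `emptyDir` for `/config`) is good and matches the removed Deployment. Also note the Secret reference changed to `onepassword-secret`; that Secret has to exist before this rolls out or both containers sit in `CreateContainerConfigError`, which matters for a bootstrap-ordering fix.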
--- HelmRelease: external-secrets/onepassword Ingress: external-secrets/onepassword
+++ HelmRelease: external-secrets/onepassword Ingress: external-secrets/onepassword
@@ -0,0 +1,23 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: onepassword
+ labels:
+ app.kubernetes.io/instance: onepassword
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: onepassword
+spec:
+ ingressClassName: internal
+ rules:
+ - host: onepassword.ktwo.io
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: onepassword
+ port:
+ number: 80
+ |
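Review bot: this Ingress publishes the Connect API on `onepassword.ktwo.io` with no `tls:` section and no authentication annotations, so bearer tokens travel in clear text to whatever fronts the `internal` ingress class. external-secrets reaches Connect through the in-cluster Service on port 80, so the Ingress is not required for the bootstrap; if it is kept for operator access, add a `tls:` block (cert-manager is already in this cluster) and restrict it to the clients that need it.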
No description provided.