external secrets move #419

Merged
merged 6 commits into from
Feb 15, 2025
Conversation

chrede88
Owner

  • 🔧 moving secrets for cnpg & homepage
  • 🔧 moving secrets for cloudflare-ddns
  • 🔧 moving secrets for network namespace resources
  • 🔧 moving secrets for observability namespace resources
  • 🔧 moving cnpg user secret

@github-actions github-actions bot added the area/kubernetes Changes made to kubernetes resources label Feb 15, 2025

github-actions bot commented Feb 15, 2025

--- cluster/kubernetes/apps/network/cloudflare-ddns/app Kustomization: flux-system/cloudflare-ddns ExternalSecret: network/cloudflare-ddns-secret

+++ cluster/kubernetes/apps/network/cloudflare-ddns/app Kustomization: flux-system/cloudflare-ddns ExternalSecret: network/cloudflare-ddns-secret

@@ -0,0 +1,24 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: cloudflare-ddns
+    kustomize.toolkit.fluxcd.io/name: cloudflare-ddns
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: cloudflare-ddns-secret
+  namespace: network
+spec:
+  dataFrom:
+  - extract:
+      key: cloudflare-ddns-secret
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: cloudflare-ddns-secret
+    template:
+      data:
+        CLOUDFLARE_API_TOKEN: '{{ .CLOUDFLARE_API_TOKEN }}'
+        SHOUTRRR: '{{ .SHOUTRRR }}'
+
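Review bot: no `refreshInterval` is set in the `spec` of this ExternalSecret, so ESO falls back to its default of 1h and a Cloudflare API token rotated in 1Password can keep working from a stale copy in the cluster for up to an hour; set `refreshInterval` explicitly if rotation latency matters for this token. This is also the first of many resources in the diff that reference the shared `ClusterSecretStore` named `onepassword`; a ClusterSecretStore is usable from every namespace unless its `spec.conditions` restricts them, so confirm that store limits which namespaces may pull vault items before more ExternalSecrets are added against it.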
--- cluster/kubernetes/apps/internal/homepage/app Kustomization: flux-system/homepage ExternalSecret: internal/homepage-secret

+++ cluster/kubernetes/apps/internal/homepage/app Kustomization: flux-system/homepage ExternalSecret: internal/homepage-secret

@@ -0,0 +1,32 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: homepage
+    kustomize.toolkit.fluxcd.io/name: homepage
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: homepage-secret
+  namespace: internal
+spec:
+  dataFrom:
+  - extract:
+      key: homepage-secret
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: homepage-secret
+    template:
+      data:
+        HOMEPAGE_VAR_GRAFANA_PASSWD: '{{ .OMEPAGE_VAR_GRAFANA_PASSWD }}'
+        HOMEPAGE_VAR_GRAFANA_USER: '{{ .HOMEPAGE_VAR_GRAFANA_USER }}'
+        HOMEPAGE_VAR_PIHOLE0_API_KEY: '{{ .HOMEPAGE_VAR_PIHOLE0_API_KEY }}'
+        HOMEPAGE_VAR_PIHOLE1_API_KEY: '{{ .HOMEPAGE_VAR_PIHOLE1_API_KEY }}'
+        HOMEPAGE_VAR_PIHOLE2_API_KEY: '{{ .HOMEPAGE_VAR_PIHOLE2_API_KEY }}'
+        HOMEPAGE_VAR_PIHOLE3_API_KEY: '{{ .HOMEPAGE_VAR_PIHOLE3_API_KEY }}'
+        HOMEPAGE_VAR_UNIFI_NETWORK_PASSWORD: '{{ .HOMEPAGE_VAR_UNIFI_NETWORK_PASSWORD
+          }}'
+        HOMEPAGE_VAR_UNIFI_NETWORK_USERNAME: '{{ .HOMEPAGE_VAR_UNIFI_NETWORK_USERNAME
+          }}'
+
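Review bot: the template for `HOMEPAGE_VAR_GRAFANA_PASSWD` references `.OMEPAGE_VAR_GRAFANA_PASSWD`, missing the leading `H`, so it does not follow the key-for-key naming every other line in this block uses; depending on how the template engine treats a missing key the sync will either fail or render an empty password. Change it to `HOMEPAGE_VAR_GRAFANA_PASSWD: '{{ .HOMEPAGE_VAR_GRAFANA_PASSWD }}'`. Separately, this item carries a Grafana username/password pair while `grafana-user-secret` later in this PR sources the Grafana admin credentials from a different item; make sure the homepage credential is a dedicated read-only Grafana user rather than a second copy of the admin password, otherwise the two vault items drift on rotation.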
--- cluster/kubernetes/apps/observability/kube-prometheus-stack/app Kustomization: flux-system/kube-prometheus-stack ExternalSecret: observability/alertmanager-secret

+++ cluster/kubernetes/apps/observability/kube-prometheus-stack/app Kustomization: flux-system/kube-prometheus-stack ExternalSecret: observability/alertmanager-secret

@@ -0,0 +1,24 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: kube-prometheus-stack
+    kustomize.toolkit.fluxcd.io/name: kube-prometheus-stack
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: alertmanager-secret
+  namespace: observability
+spec:
+  dataFrom:
+  - extract:
+      key: alertmanager-secret
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: alertmanager-secret
+    template:
+      data:
+        ALERTMANAGER_PUSHOVER_TOKEN: '{{ .ALERTMANAGER_PUSHOVER_TOKEN }}'
+        PUSHOVER_USER_KEY: '{{ .PUSHOVER_USER_KEY }}'
+
--- cluster/kubernetes/apps/network/pihole/app Kustomization: flux-system/pihole ExternalSecret: network/pihole-password

+++ cluster/kubernetes/apps/network/pihole/app Kustomization: flux-system/pihole ExternalSecret: network/pihole-password

@@ -0,0 +1,23 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: pihole
+    kustomize.toolkit.fluxcd.io/name: pihole
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: pihole-password
+  namespace: network
+spec:
+  dataFrom:
+  - extract:
+      key: pihole-password
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: pihole-password
+    template:
+      data:
+        WEBPASSWORD: '{{ .password }}'
+
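Review bot: this ExternalSecret renders `WEBPASSWORD` from the `.password` field of the `pihole-password` item, and the `pihole-secret` ExternalSecret for external-dns later in this diff renders `EXTERNAL_DNS_PIHOLE_PASSWORD` from the `.password` field of a different item, both in the `network` namespace; if these are the same Pi-hole web password, rotating it in one item silently breaks the other consumer. Point both ExternalSecrets at one vault item (one `extract.key`) so there is a single source of truth.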
--- cluster/kubernetes/apps/observability/grafana/app Kustomization: flux-system/grafana HelmRelease: observability/grafana

+++ cluster/kubernetes/apps/observability/grafana/app Kustomization: flux-system/grafana HelmRelease: observability/grafana

@@ -28,13 +28,13 @@

     cleanupOnFail: true
     remediation:
       retries: 3
       strategy: rollback
   values:
     admin:
-      existingSecret: grafana-secret
+      existingSecret: grafana-user-secret
       passwordKey: admin-password
       userKey: admin-user
     dashboardProviders:
       dashboardproviders.yaml:
         apiVersion: 1
         providers:
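Review bot: `admin.existingSecret` moves from `grafana-secret` to `grafana-user-secret`, but nothing in this diff shows the old `grafana-secret` object going away; if it was not pruned by the Kustomization, a stale copy of the Grafana admin credentials stays in the `observability` namespace. Verify with `kubectl -n observability get secret grafana-secret` after the rollout and delete it if it survives.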
--- cluster/kubernetes/apps/observability/grafana/app Kustomization: flux-system/grafana ExternalSecret: observability/grafana-user-secret

+++ cluster/kubernetes/apps/observability/grafana/app Kustomization: flux-system/grafana ExternalSecret: observability/grafana-user-secret

@@ -0,0 +1,24 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: grafana
+    kustomize.toolkit.fluxcd.io/name: grafana
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: grafana-user-secret
+  namespace: observability
+spec:
+  dataFrom:
+  - extract:
+      key: grafana-user-secret
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: grafana-user-secret
+    template:
+      data:
+        admin-password: '{{ .admin-password }}'
+        admin-user: '{{ .admin_user }}'
+
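Review bot: `admin-password: '{{ .admin-password }}'` will not parse: Go templates only allow alphanumerics and underscores in a field name, so `.admin-password` is read as `.admin` followed by the malformed number `-password` and the render fails. Use `'{{ index . "admin-password" }}'` for a hyphenated field, or name the 1Password field with an underscore as the next line already does (`admin-user: '{{ .admin_user }}'`). The two lines should also use the same convention; right now one references a hyphenated field and the other an underscored one.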
--- cluster/kubernetes/apps/database/cloudnative-pg/clusters Kustomization: flux-system/cloudnative-pg-clusters ExternalSecret: database/cloudnative-pg-secret

+++ cluster/kubernetes/apps/database/cloudnative-pg/clusters Kustomization: flux-system/cloudnative-pg-clusters ExternalSecret: database/cloudnative-pg-secret

@@ -0,0 +1,28 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: cloudnative-pg-clusters
+    kustomize.toolkit.fluxcd.io/name: cloudnative-pg-clusters
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: cloudnative-pg-secret
+  namespace: database
+spec:
+  dataFrom:
+  - extract:
+      key: cloudnative-pg-secret
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: cloudnative-pg-secret
+    template:
+      data:
+        password: '{{ .password }}'
+        username: '{{ .username }}'
+      metadata:
+        labels:
+          cnpg.io/reload: 'true'
+      type: kubernetes.io/basic-auth
+
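Review bot: the name `cloudnative-pg-secret` does not say which database role this `kubernetes.io/basic-auth` credential belongs to, unlike `gatus-user-secret` in the next hunk; with `cnpg.io/reload: 'true'` set, CNPG will pick up changes to this secret for whatever role references it, so name it after that role (the `<role>-user-secret` pattern used below) so reviewers can tell at a glance which cluster and role it drives.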
--- cluster/kubernetes/apps/database/cloudnative-pg/clusters Kustomization: flux-system/cloudnative-pg-clusters ExternalSecret: database/gatus-user-secret

+++ cluster/kubernetes/apps/database/cloudnative-pg/clusters Kustomization: flux-system/cloudnative-pg-clusters ExternalSecret: database/gatus-user-secret

@@ -0,0 +1,28 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: cloudnative-pg-clusters
+    kustomize.toolkit.fluxcd.io/name: cloudnative-pg-clusters
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: gatus-user-secret
+  namespace: database
+spec:
+  dataFrom:
+  - extract:
+      key: gatus-user-secret
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: gatus-user-secret
+    template:
+      data:
+        password: '{{ .password }}'
+        username: '{{ .username }}'
+      metadata:
+        labels:
+          cnpg.io/reload: 'true'
+      type: kubernetes.io/basic-auth
+
--- cluster/kubernetes/apps/observability/unpoller/app Kustomization: flux-system/unpoller ExternalSecret: observability/unpoller-secret

+++ cluster/kubernetes/apps/observability/unpoller/app Kustomization: flux-system/unpoller ExternalSecret: observability/unpoller-secret

@@ -0,0 +1,23 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: unpoller
+    kustomize.toolkit.fluxcd.io/name: unpoller
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: unpoller-secret
+  namespace: observability
+spec:
+  dataFrom:
+  - extract:
+      key: unpoller-secret
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: unpoller-secret
+    template:
+      data:
+        unifi-api-key: '{{ .password }}'
+
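Review bot: the rendered key is `unifi-api-key` but it is populated from a field called `password`; if the `unpoller-secret` item actually holds a UniFi account password rather than an API key, the Secret key name misleads whoever reads it next. Rename the 1Password field (or the target key) so the two agree, and keep it distinct from the `HOMEPAGE_VAR_UNIFI_NETWORK_PASSWORD` credential in the homepage item if they are different accounts.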
--- cluster/kubernetes/apps/network/external-dns/internal Kustomization: flux-system/external-dns-internal ExternalSecret: network/pihole-secret

+++ cluster/kubernetes/apps/network/external-dns/internal Kustomization: flux-system/external-dns-internal ExternalSecret: network/pihole-secret

@@ -0,0 +1,23 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: external-dns-internal
+    kustomize.toolkit.fluxcd.io/name: external-dns-internal
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: pihole-secret
+  namespace: network
+spec:
+  dataFrom:
+  - extract:
+      key: pihole-secret
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: pihole-secret
+    template:
+      data:
+        EXTERNAL_DNS_PIHOLE_PASSWORD: '{{ .password }}'
+
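Review bot: this renders `EXTERNAL_DNS_PIHOLE_PASSWORD` from the `.password` field of the `pihole-secret` item, while the `pihole-password` ExternalSecret earlier in this diff renders `WEBPASSWORD` from the `.password` field of another item in the same `network` namespace; if both are the Pi-hole web password, external-dns will fail auth the first time the password is rotated in only one place. Prefer one vault item consumed by both ExternalSecrets.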
--- cluster/kubernetes/apps/observability/gatus/app Kustomization: flux-system/gatus ExternalSecret: observability/gatus-secret

+++ cluster/kubernetes/apps/observability/gatus/app Kustomization: flux-system/gatus ExternalSecret: observability/gatus-secret

@@ -0,0 +1,26 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: gatus
+    kustomize.toolkit.fluxcd.io/name: gatus
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: gatus-secret
+  namespace: observability
+spec:
+  dataFrom:
+  - extract:
+      key: gatus-secret
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: gatus-secret
+    template:
+      data:
+        GATUS_PASSWD: '{{ .GATUS_PASSWD }}'
+        GATUS_USER: '{{ .GATUS_USER }}'
+        PUSHOVER_TOKEN: '{{ .PUSHOVER_TOKEN }}'
+        PUSHOVER_USER_KEY: '{{ .PUSHOVER_USER_KEY }}'
+
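Review bot: `PUSHOVER_USER_KEY` is sourced here from the `gatus-secret` item and, in the alertmanager hunk above, from the `alertmanager-secret` item, while the token key is named `PUSHOVER_TOKEN` here and `ALERTMANAGER_PUSHOVER_TOKEN` there; the Pushover user key is per account, so two copies in two items must be rotated together. Either keep a single Pushover item referenced by both ExternalSecrets or document that these are separate Pushover applications with distinct tokens.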


--- HelmRelease: observability/grafana Deployment: observability/grafana

+++ HelmRelease: observability/grafana Deployment: observability/grafana

@@ -99,18 +99,18 @@

           valueFrom:
             fieldRef:
               fieldPath: status.podIP
         - name: GF_SECURITY_ADMIN_USER
           valueFrom:
             secretKeyRef:
-              name: grafana-secret
+              name: grafana-user-secret
               key: admin-user
         - name: GF_SECURITY_ADMIN_PASSWORD
           valueFrom:
             secretKeyRef:
-              name: grafana-secret
+              name: grafana-user-secret
               key: admin-password
         - name: GF_PATHS_DATA
           value: /var/lib/grafana/
         - name: GF_PATHS_LOGS
           value: /var/log/grafana
         - name: GF_PATHS_PLUGINS

@chrede88 chrede88 merged commit 0806853 into main Feb 15, 2025
3 checks passed
@chrede88 chrede88 deleted the external-secrets-move branch February 15, 2025 22:02
Labels
area/kubernetes Changes made to kubernetes resources
1 participant