From 16c62d5a4af8b5e5d762357fab920adc72072e8b Mon Sep 17 00:00:00 2001 
From: Brad Stein Date: Wed, 14 Jan 2026 12:28:10 -0300 Subject: [PATCH] vault: move core apps to injector --- .../bstein-dev-home/backend-deployment.yaml | 39 ++++++------ .../chat-ai-gateway-deployment.yaml | 37 ++++++----- services/bstein-dev-home/kustomization.yaml | 6 -- .../portal-onboarding-e2e-test-job.yaml | 38 ++++++----- .../scripts/bstein_dev_home_vault_env.sh | 17 ----- .../bstein-dev-home/secretproviderclass.yaml | 24 ------- .../vaultwarden-cred-sync-cronjob.yaml | 38 ++++++----- services/gitea/deployment.yaml | 45 +++++++++---- services/gitea/kustomization.yaml | 1 - services/gitea/secretproviderclass.yaml | 30 --------- services/nextcloud-mail-sync/cronjob.yaml | 47 +++++++++----- services/nextcloud/deployment.yaml | 54 +++++++++------- services/nextcloud/kustomization.yaml | 6 -- services/nextcloud/maintenance-cronjob.yaml | 47 +++++++++----- .../nextcloud/scripts/nextcloud_vault_env.sh | 27 -------- services/nextcloud/secretproviderclass.yaml | 45 ------------- services/outline/deployment.yaml | 46 +++++++++----- services/outline/kustomization.yaml | 7 --- services/outline/scripts/outline_vault_env.sh | 31 --------- services/outline/secretproviderclass.yaml | 63 ------------------- services/planka/deployment.yaml | 49 ++++++++++----- services/planka/kustomization.yaml | 7 --- services/planka/scripts/planka_vault_env.sh | 27 -------- services/planka/secretproviderclass.yaml | 60 ------------------ services/vaultwarden/deployment.yaml | 33 +++++----- services/vaultwarden/kustomization.yaml | 8 --- .../scripts/vaultwarden_vault_env.sh | 14 ----- services/vaultwarden/secretproviderclass.yaml | 24 ------- 28 files changed, 282 insertions(+), 588 deletions(-) delete mode 100644 services/bstein-dev-home/scripts/bstein_dev_home_vault_env.sh delete mode 100644 services/gitea/secretproviderclass.yaml delete mode 100644 services/nextcloud/scripts/nextcloud_vault_env.sh delete mode 100644 services/nextcloud/secretproviderclass.yaml delete mode 100644 
services/outline/scripts/outline_vault_env.sh delete mode 100644 services/outline/secretproviderclass.yaml delete mode 100644 services/planka/scripts/planka_vault_env.sh delete mode 100644 services/planka/secretproviderclass.yaml delete mode 100644 services/vaultwarden/scripts/vaultwarden_vault_env.sh delete mode 100644 services/vaultwarden/secretproviderclass.yaml diff --git a/services/bstein-dev-home/backend-deployment.yaml b/services/bstein-dev-home/backend-deployment.yaml index 3266747..659cd33 100644 --- a/services/bstein-dev-home/backend-deployment.yaml +++ b/services/bstein-dev-home/backend-deployment.yaml @@ -14,6 +14,25 @@ spec: metadata: labels: app: bstein-dev-home-backend + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "bstein-dev-home" + vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db" + vault.hashicorp.com/agent-inject-template-portal-env.sh: | + {{- with secret "kv/data/atlas/portal/atlas-portal-db" -}} + export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}" + {{- end }} + {{- with secret "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" -}} + export KEYCLOAK_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}} + export CHAT_KEY_MATRIX="{{ .Data.data.matrix }}" + export CHAT_KEY_HOMEPAGE="{{ .Data.data.homepage }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}} + export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}" + export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} spec: automountServiceAccountToken: true serviceAccountName: bstein-dev-home @@ -29,7 +48,7 @@ spec: command: ["/bin/sh", "-c"] args: - >- - . /vault/scripts/bstein_dev_home_vault_env.sh + . /vault/secrets/portal-env.sh && exec gunicorn -b 0.0.0.0:8080 --workers 2 --timeout 180 app:app env: - name: AI_CHAT_API 
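Review bot: The rendered `/vault/secrets/portal-env.sh` will very likely come out as a single line, because each `{{- with … -}}` / `{{- end }}` pair trims the newline on both sides of the block boundary, so `export PORTAL_DATABASE_URL="…"` is immediately followed by `export KEYCLOAK_ADMIN_CLIENT_SECRET="…"` with no separator and `sh` treats `"…"export` as part of the preceding value. Dropping the leading dash on the closing tag, `{{ end }}`, keeps one newline after each export while `-}}` on the `with` line still removes the blank line before it. The same template is repeated verbatim in chat-ai-gateway-deployment.yaml, portal-onboarding-e2e-test-job.yaml and vaultwarden-cred-sync-cronjob.yaml, and the nextcloud-mail-sync, nextcloud deployment, maintenance-cronjob and outline templates use the same trim pattern. Rendering one of these templates once and running `sh -n` on the output before rollout would confirm the layout.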
@@ -94,13 +113,6 @@ spec: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 3 - volumeMounts: - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true resources: requests: cpu: 100m @@ -108,14 +120,3 @@ spec: limits: cpu: 500m memory: 512Mi - volumes: - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: bstein-dev-home-vault - - name: vault-scripts - configMap: - name: bstein-dev-home-vault-env - defaultMode: 0555 diff --git a/services/bstein-dev-home/chat-ai-gateway-deployment.yaml b/services/bstein-dev-home/chat-ai-gateway-deployment.yaml index 4fb4ba5..fba58bc 100644 --- a/services/bstein-dev-home/chat-ai-gateway-deployment.yaml +++ b/services/bstein-dev-home/chat-ai-gateway-deployment.yaml @@ -14,6 +14,25 @@ spec: metadata: labels: app: chat-ai-gateway + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "bstein-dev-home" + vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db" + vault.hashicorp.com/agent-inject-template-portal-env.sh: | + {{- with secret "kv/data/atlas/portal/atlas-portal-db" -}} + export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}" + {{- end }} + {{- with secret "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" -}} + export KEYCLOAK_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}} + export CHAT_KEY_MATRIX="{{ .Data.data.matrix }}" + export CHAT_KEY_HOMEPAGE="{{ .Data.data.homepage }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}} + export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}" + export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} spec: serviceAccountName: bstein-dev-home nodeSelector: 
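Review bot: The gateway pod now receives the full portal template, including `PORTAL_DATABASE_URL`, `KEYCLOAK_ADMIN_CLIENT_SECRET` and the e2e client credentials, although the container only runs `python /app/gateway.py` against `UPSTREAM_URL`. The old shared `bstein_dev_home_vault_env.sh` forced one env set onto every workload, but per-pod templates no longer do; if gateway.py needs only `CHAT_KEY_MATRIX`/`CHAT_KEY_HOMEPAGE`, trim this template to the `chat-ai-keys-runtime` block so a compromise of the gateway does not also expose the database URL and the Keycloak admin secret. Whether gateway.py reads anything else cannot be confirmed from this hunk.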
@@ -24,7 +43,7 @@ spec: image: python:3.11-slim command: ["/bin/sh","-c"] args: - - . /vault/scripts/bstein_dev_home_vault_env.sh && exec python /app/gateway.py + - . /vault/secrets/portal-env.sh && exec python /app/gateway.py env: - name: UPSTREAM_URL value: http://bstein-dev-home-backend/api/chat @@ -54,23 +73,7 @@ spec: - name: code mountPath: /app/gateway.py subPath: gateway.py - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true volumes: - name: code configMap: name: chat-ai-gateway - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: bstein-dev-home-vault - - name: vault-scripts - configMap: - name: bstein-dev-home-vault-env - defaultMode: 0555 diff --git a/services/bstein-dev-home/kustomization.yaml b/services/bstein-dev-home/kustomization.yaml index a57c81a..31e1d41 100644 --- a/services/bstein-dev-home/kustomization.yaml +++ b/services/bstein-dev-home/kustomization.yaml @@ -19,12 +19,6 @@ resources: - portal-onboarding-e2e-test-job.yaml - ingress.yaml configMapGenerator: - - name: bstein-dev-home-vault-env - namespace: bstein-dev-home - files: - - bstein_dev_home_vault_env.sh=scripts/bstein_dev_home_vault_env.sh - options: - disableNameSuffixHash: true - name: chat-ai-gateway namespace: bstein-dev-home files: diff --git a/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml b/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml index b5fdc6d..dce1471 100644 --- a/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml +++ b/services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml 
@@ -7,6 +7,26 @@ metadata: spec: backoffLimit: 0 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "bstein-dev-home" + vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db" + vault.hashicorp.com/agent-inject-template-portal-env.sh: | + {{- with secret "kv/data/atlas/portal/atlas-portal-db" -}} + export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}" + {{- end }} + {{- with secret "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" -}} + export KEYCLOAK_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}} + export CHAT_KEY_MATRIX="{{ .Data.data.matrix }}" + export CHAT_KEY_HOMEPAGE="{{ .Data.data.homepage }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}} + export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}" + export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} spec: restartPolicy: Never serviceAccountName: bstein-dev-home @@ -40,30 +60,14 @@ spec: args: - | set -euo pipefail - . /vault/scripts/bstein_dev_home_vault_env.sh + . /vault/secrets/portal-env.sh python /scripts/test_portal_onboarding_flow.py volumeMounts: - name: tests mountPath: /scripts readOnly: true - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true volumes: - name: tests configMap: name: portal-onboarding-e2e-tests defaultMode: 0555 - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: bstein-dev-home-vault - - name: vault-scripts - configMap: - name: bstein-dev-home-vault-env - defaultMode: 0555 diff --git a/services/bstein-dev-home/scripts/bstein_dev_home_vault_env.sh b/services/bstein-dev-home/scripts/bstein_dev_home_vault_env.sh deleted file mode 100644 index 8cab54e..0000000 
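Review bot: This Job template enables `agent-inject` without `vault.hashicorp.com/agent-pre-populate-only: "true"`, so the injector adds a long-running agent sidecar next to the test container; with `restartPolicy: Never` the pod is likely to stay Running after the test exits and the Job never completes, and `backoffLimit: 0` gives no second attempt. Adding `vault.hashicorp.com/agent-pre-populate-only: "true"` next to `vault.hashicorp.com/agent-inject: "true"` renders the env file in the init container only. The same applies to vaultwarden-cred-sync-cronjob.yaml, nextcloud-mail-sync/cronjob.yaml and nextcloud/maintenance-cronjob.yaml, which are CronJobs with the same annotation set. The test container's script is only partly visible in this hunk.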
--- a/services/bstein-dev-home/scripts/bstein_dev_home_vault_env.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/usr/bin/env sh -set -eu - -vault_dir="/vault/secrets" - -read_secret() { - cat "${vault_dir}/$1" -} - -export KEYCLOAK_ADMIN_CLIENT_SECRET="$(read_secret bstein-dev-home-keycloak-admin__client_secret)" -export PORTAL_DATABASE_URL="$(read_secret atlas-portal-db__PORTAL_DATABASE_URL)" - -export CHAT_KEY_MATRIX="$(read_secret chat-ai-keys-runtime__matrix)" -export CHAT_KEY_HOMEPAGE="$(read_secret chat-ai-keys-runtime__homepage)" - -export PORTAL_E2E_CLIENT_ID="$(read_secret portal-e2e-client__client_id)" -export PORTAL_E2E_CLIENT_SECRET="$(read_secret portal-e2e-client__client_secret)" diff --git a/services/bstein-dev-home/secretproviderclass.yaml b/services/bstein-dev-home/secretproviderclass.yaml index c153211..f330fe6 100644 --- a/services/bstein-dev-home/secretproviderclass.yaml +++ b/services/bstein-dev-home/secretproviderclass.yaml 
@@ -10,30 +10,6 @@ spec: vaultAddress: "http://vault.vault.svc.cluster.local:8200" roleName: "bstein-dev-home" objects: | - - objectName: "atlas-portal-db__PORTAL_DATABASE_URL" - secretPath: "kv/data/atlas/portal/atlas-portal-db" - secretKey: "PORTAL_DATABASE_URL" - - objectName: "bstein-dev-home-keycloak-admin__client_secret" - secretPath: "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" - secretKey: "client_secret" - - objectName: "chat-ai-keys__homepage" - secretPath: "kv/data/atlas/portal/chat-ai-keys" - secretKey: "homepage" - - objectName: "chat-ai-keys__matrix" - secretPath: "kv/data/atlas/portal/chat-ai-keys" - secretKey: "matrix" - - objectName: "chat-ai-keys-runtime__homepage" - secretPath: "kv/data/atlas/shared/chat-ai-keys-runtime" - secretKey: "homepage" - - objectName: "chat-ai-keys-runtime__matrix" - secretPath: "kv/data/atlas/shared/chat-ai-keys-runtime" - secretKey: "matrix" - - objectName: "portal-e2e-client__client_id" - secretPath: "kv/data/atlas/shared/portal-e2e-client" - secretKey: "client_id" - - objectName: "portal-e2e-client__client_secret" - secretPath: "kv/data/atlas/shared/portal-e2e-client" - secretKey: "client_secret" - objectName: "harbor-pull__dockerconfigjson" secretPath: "kv/data/atlas/harbor-pull/bstein-dev-home" secretKey: "dockerconfigjson" diff --git a/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml b/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml index 5d7531e..b46a2e3 100644 --- a/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml +++ b/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml 
@@ -13,6 +13,26 @@ spec: spec: backoffLimit: 0 template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "bstein-dev-home" + vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db" + vault.hashicorp.com/agent-inject-template-portal-env.sh: | + {{- with secret "kv/data/atlas/portal/atlas-portal-db" -}} + export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}" + {{- end }} + {{- with secret "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" -}} + export KEYCLOAK_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}} + export CHAT_KEY_MATRIX="{{ .Data.data.matrix }}" + export CHAT_KEY_HOMEPAGE="{{ .Data.data.homepage }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/portal-e2e-client" -}} + export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}" + export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}" + {{- end }} spec: serviceAccountName: bstein-dev-home restartPolicy: Never @@ -28,7 +48,7 @@ spec: command: ["/bin/sh", "-c"] args: - >- - . /vault/scripts/bstein_dev_home_vault_env.sh + . /vault/secrets/portal-env.sh && exec python /scripts/vaultwarden_cred_sync.py env: - name: PYTHONPATH @@ -49,24 +69,8 @@ spec: - name: vaultwarden-cred-sync-script mountPath: /scripts readOnly: true - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true volumes: - name: vaultwarden-cred-sync-script configMap: name: vaultwarden-cred-sync-script defaultMode: 0555 - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: bstein-dev-home-vault - - name: vault-scripts - configMap: - name: bstein-dev-home-vault-env - defaultMode: 0555 diff --git a/services/gitea/deployment.yaml b/services/gitea/deployment.yaml index 4fa1ecb..e67b3b9 100644 
--- a/services/gitea/deployment.yaml +++ b/services/gitea/deployment.yaml @@ -20,6 +20,39 @@ spec: metadata: labels: app: gitea + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "gitea" + vault.hashicorp.com/agent-inject-secret-gitea-db-secret__password: "kv/data/atlas/gitea/gitea-db-secret" + vault.hashicorp.com/agent-inject-template-gitea-db-secret__password: | + {{- with secret "kv/data/atlas/gitea/gitea-db-secret" -}} + {{ .Data.data.password }} + {{- end }} + vault.hashicorp.com/agent-inject-secret-gitea-secret__SECRET_KEY: "kv/data/atlas/gitea/gitea-secret" + vault.hashicorp.com/agent-inject-template-gitea-secret__SECRET_KEY: | + {{- with secret "kv/data/atlas/gitea/gitea-secret" -}} + {{ .Data.data.SECRET_KEY }} + {{- end }} + vault.hashicorp.com/agent-inject-secret-gitea-secret__INTERNAL_TOKEN: "kv/data/atlas/gitea/gitea-secret" + vault.hashicorp.com/agent-inject-template-gitea-secret__INTERNAL_TOKEN: | + {{- with secret "kv/data/atlas/gitea/gitea-secret" -}} + {{ .Data.data.INTERNAL_TOKEN }} + {{- end }} + vault.hashicorp.com/agent-inject-secret-gitea-oidc__client_id: "kv/data/atlas/gitea/gitea-oidc" + vault.hashicorp.com/agent-inject-template-gitea-oidc__client_id: | + {{- with secret "kv/data/atlas/gitea/gitea-oidc" -}} + {{ .Data.data.client_id }} + {{- end }} + vault.hashicorp.com/agent-inject-secret-gitea-oidc__client_secret: "kv/data/atlas/gitea/gitea-oidc" + vault.hashicorp.com/agent-inject-template-gitea-oidc__client_secret: | + {{- with secret "kv/data/atlas/gitea/gitea-oidc" -}} + {{ .Data.data.client_secret }} + {{- end }} + vault.hashicorp.com/agent-inject-secret-gitea-oidc__openid_auto_discovery_url: "kv/data/atlas/gitea/gitea-oidc" + vault.hashicorp.com/agent-inject-template-gitea-oidc__openid_auto_discovery_url: | + {{- with secret "kv/data/atlas/gitea/gitea-oidc" -}} + {{ .Data.data.openid_auto_discovery_url }} + {{- end }} spec: serviceAccountName: gitea-vault initContainers: 
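Review bot: Each per-key template here ends with `{{- end }}` followed by the block scalar's final newline, so `/vault/secrets/gitea-db-secret__password` and the other five files are rendered as `value\n`, whereas the deleted SecretProviderClass presumably wrote the bare value. Consumers that read the file with `$(cat …)` strip the newline, but anything that reads it verbatim would get the secret with a trailing newline; if that is the case, `{{- end -}}` on each closing tag removes it. How the init container and the gitea container read these files is outside this hunk.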
@@ -75,9 +108,6 @@ spec: volumeMounts: - name: gitea-data mountPath: /data - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true nodeSelector: node-role.kubernetes.io/worker: "true" affinity: @@ -157,16 +187,7 @@ spec: volumeMounts: - name: gitea-data mountPath: /data - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true volumes: - name: gitea-data persistentVolumeClaim: claimName: gitea-data - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: gitea-vault diff --git a/services/gitea/kustomization.yaml b/services/gitea/kustomization.yaml index 84a1b64..b09f5fd 100644 --- a/services/gitea/kustomization.yaml +++ b/services/gitea/kustomization.yaml @@ -5,7 +5,6 @@ resources: - namespace.yaml - serviceaccount.yaml - pvc.yaml - - secretproviderclass.yaml - deployment.yaml - service.yaml - ingress.yaml diff --git a/services/gitea/secretproviderclass.yaml b/services/gitea/secretproviderclass.yaml deleted file mode 100644 index b555025..0000000 --- a/services/gitea/secretproviderclass.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# services/gitea/secretproviderclass.yaml -apiVersion: secrets-store.csi.x-k8s.io/v1 -kind: SecretProviderClass -metadata: - name: gitea-vault - namespace: gitea -spec: - provider: vault - parameters: - vaultAddress: "http://vault.vault.svc.cluster.local:8200" - roleName: "gitea" - objects: | - - objectName: "gitea-db-secret__password" - secretPath: "kv/data/atlas/gitea/gitea-db-secret" - secretKey: "password" - - objectName: "gitea-secret__SECRET_KEY" - secretPath: "kv/data/atlas/gitea/gitea-secret" - secretKey: "SECRET_KEY" - - objectName: "gitea-secret__INTERNAL_TOKEN" - secretPath: "kv/data/atlas/gitea/gitea-secret" - secretKey: "INTERNAL_TOKEN" - - objectName: "gitea-oidc__client_id" - secretPath: "kv/data/atlas/gitea/gitea-oidc" - secretKey: "client_id" - - objectName: "gitea-oidc__client_secret" - secretPath: "kv/data/atlas/gitea/gitea-oidc" - secretKey: "client_secret" - - objectName: "gitea-oidc__openid_auto_discovery_url" - secretPath: "kv/data/atlas/gitea/gitea-oidc" - secretKey: "openid_auto_discovery_url" diff --git a/services/nextcloud-mail-sync/cronjob.yaml b/services/nextcloud-mail-sync/cronjob.yaml index 129022b..75fe548 100644 --- a/services/nextcloud-mail-sync/cronjob.yaml +++ b/services/nextcloud-mail-sync/cronjob.yaml 
@@ -12,6 +12,35 @@ spec: jobTemplate: spec: template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "nextcloud" + vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db" + vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: | + {{- with secret "kv/data/atlas/nextcloud/nextcloud-db" -}} + export POSTGRES_DB="{{ .Data.data.database }}" + export POSTGRES_USER="{{ .Data.data.db-username }}" + export POSTGRES_PASSWORD="{{ .Data.data.db-password }}" + {{- end }} + {{- with secret "kv/data/atlas/nextcloud/nextcloud-admin" -}} + export NEXTCLOUD_ADMIN_USER="{{ .Data.data.admin-user }}" + export NEXTCLOUD_ADMIN_PASSWORD="{{ .Data.data.admin-password }}" + {{- end }} + export ADMIN_USER="${NEXTCLOUD_ADMIN_USER}" + export ADMIN_PASS="${NEXTCLOUD_ADMIN_PASSWORD}" + {{- with secret "kv/data/atlas/nextcloud/nextcloud-oidc" -}} + export OIDC_CLIENT_ID="{{ .Data.data.client-id }}" + export OIDC_CLIENT_SECRET="{{ .Data.data.client-secret }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export SMTP_NAME="{{ index .Data.data "relay-username" }}" + export SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KC_ADMIN_USER="{{ .Data.data.username }}" + export KC_ADMIN_PASS="{{ .Data.data.password }}" + {{- end }} spec: restartPolicy: OnFailure securityContext: @@ -53,16 +82,10 @@ spec: - name: sync-script mountPath: /sync/sync.sh subPath: sync.sh - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true args: - | set -euo pipefail - . /vault/scripts/nextcloud_vault_env.sh + . /vault/secrets/nextcloud-env.sh exec /sync/sync.sh volumes: - name: nextcloud-config-pvc 
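Review bot: `{{ .Data.data.db-username }}`, `.Data.data.db-password`, `.Data.data.admin-user`, `.Data.data.admin-password`, `.Data.data.client-id` and `.Data.data.client-secret` are not valid Go template field accesses — `-` cannot appear in a field name, so the agent will fail to parse this template and the pod will not get its env file. The template already uses the correct form two blocks later for the relay keys; write the hyphenated keys the same way, e.g. `export POSTGRES_USER="{{ index .Data.data "db-username" }}"`. The same template is repeated in nextcloud/deployment.yaml and nextcloud/maintenance-cronjob.yaml, so all three need the change.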
@@ -81,13 +104,3 @@ spec: configMap: name: nextcloud-mail-sync-script defaultMode: 0755 - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: nextcloud-vault - - name: vault-scripts - configMap: - name: nextcloud-vault-env - defaultMode: 0555 diff --git a/services/nextcloud/deployment.yaml b/services/nextcloud/deployment.yaml index 45f5e8f..84efb1d 100644 --- a/services/nextcloud/deployment.yaml +++ b/services/nextcloud/deployment.yaml @@ -15,6 +15,34 @@ spec: metadata: labels: app: nextcloud + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "nextcloud" + vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db" + vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: | + {{- with secret "kv/data/atlas/nextcloud/nextcloud-db" -}} + export POSTGRES_DB="{{ .Data.data.database }}" + export POSTGRES_USER="{{ .Data.data.db-username }}" + export POSTGRES_PASSWORD="{{ .Data.data.db-password }}" + {{- end }} + {{- with secret "kv/data/atlas/nextcloud/nextcloud-admin" -}} + export NEXTCLOUD_ADMIN_USER="{{ .Data.data.admin-user }}" + export NEXTCLOUD_ADMIN_PASSWORD="{{ .Data.data.admin-password }}" + {{- end }} + export ADMIN_USER="${NEXTCLOUD_ADMIN_USER}" + export ADMIN_PASS="${NEXTCLOUD_ADMIN_PASSWORD}" + {{- with secret "kv/data/atlas/nextcloud/nextcloud-oidc" -}} + export OIDC_CLIENT_ID="{{ .Data.data.client-id }}" + export OIDC_CLIENT_SECRET="{{ .Data.data.client-secret }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export SMTP_NAME="{{ index .Data.data "relay-username" }}" + export SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KC_ADMIN_USER="{{ .Data.data.username }}" + export KC_ADMIN_PASS="{{ .Data.data.password }}" + {{- end }} spec: nodeSelector: hardware: rpi5 
@@ -81,7 +109,7 @@ spec: command: ["/bin/sh", "-c"] args: - | - . /vault/scripts/nextcloud_vault_env.sh + . /vault/secrets/nextcloud-env.sh installed="$(su -s /bin/sh www-data -c "php /var/www/html/occ status" 2>/dev/null | awk '/installed:/{print $3}' || true)" if [ ! -s /var/www/html/config/config.php ]; then su -s /bin/sh www-data -c "php /var/www/html/occ maintenance:install --database pgsql --database-host \"${POSTGRES_HOST}\" --database-name \"${POSTGRES_DB}\" --database-user \"${POSTGRES_USER}\" --database-pass \"${POSTGRES_PASSWORD}\" --admin-user \"${NEXTCLOUD_ADMIN_USER}\" --admin-pass \"${NEXTCLOUD_ADMIN_PASSWORD}\" --data-dir /var/www/html/data" @@ -164,12 +192,6 @@ spec: - name: nextcloud-config-extra mountPath: /var/www/html/config/extra.config.php subPath: extra.config.php - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true containers: - name: nextcloud image: nextcloud:29-apache @@ -177,7 +199,7 @@ spec: command: ["/bin/sh", "-c"] args: - >- - . /vault/scripts/nextcloud_vault_env.sh + . /vault/secrets/nextcloud-env.sh && exec /entrypoint.sh apache2-foreground env: # DB (external secret required: nextcloud-db with keys username,password,database) @@ -223,12 +245,6 @@ spec: - name: nextcloud-config-extra mountPath: /var/www/html/config/extra.config.php subPath: extra.config.php - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true resources: requests: cpu: 250m @@ -253,13 +269,3 @@ spec: configMap: name: nextcloud-config defaultMode: 0444 - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: nextcloud-vault - - name: vault-scripts - configMap: - name: nextcloud-vault-env - defaultMode: 0555 diff --git a/services/nextcloud/kustomization.yaml b/services/nextcloud/kustomization.yaml index f16db47..ebaeaaf 100644 
--- a/services/nextcloud/kustomization.yaml +++ b/services/nextcloud/kustomization.yaml @@ -5,7 +5,6 @@ namespace: nextcloud resources: - namespace.yaml - serviceaccount.yaml - - secretproviderclass.yaml - configmap.yaml - pvc.yaml - deployment.yaml @@ -15,11 +14,6 @@ resources: - service.yaml - ingress.yaml configMapGenerator: - - name: nextcloud-vault-env - files: - - nextcloud_vault_env.sh=scripts/nextcloud_vault_env.sh - options: - disableNameSuffixHash: true - name: nextcloud-maintenance-script files: - maintenance.sh=scripts/nextcloud-maintenance.sh diff --git a/services/nextcloud/maintenance-cronjob.yaml b/services/nextcloud/maintenance-cronjob.yaml index d76478e..aaedbc8 100644 --- a/services/nextcloud/maintenance-cronjob.yaml +++ b/services/nextcloud/maintenance-cronjob.yaml 
@@ -10,6 +10,35 @@ spec: jobTemplate: spec: template: + metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "nextcloud" + vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db" + vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: | + {{- with secret "kv/data/atlas/nextcloud/nextcloud-db" -}} + export POSTGRES_DB="{{ .Data.data.database }}" + export POSTGRES_USER="{{ .Data.data.db-username }}" + export POSTGRES_PASSWORD="{{ .Data.data.db-password }}" + {{- end }} + {{- with secret "kv/data/atlas/nextcloud/nextcloud-admin" -}} + export NEXTCLOUD_ADMIN_USER="{{ .Data.data.admin-user }}" + export NEXTCLOUD_ADMIN_PASSWORD="{{ .Data.data.admin-password }}" + {{- end }} + export ADMIN_USER="${NEXTCLOUD_ADMIN_USER}" + export ADMIN_PASS="${NEXTCLOUD_ADMIN_PASSWORD}" + {{- with secret "kv/data/atlas/nextcloud/nextcloud-oidc" -}} + export OIDC_CLIENT_ID="{{ .Data.data.client-id }}" + export OIDC_CLIENT_SECRET="{{ .Data.data.client-secret }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export SMTP_NAME="{{ index .Data.data "relay-username" }}" + export SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/keycloak-admin" -}} + export KC_ADMIN_USER="{{ .Data.data.username }}" + export KC_ADMIN_PASS="{{ .Data.data.password }}" + {{- end }} spec: restartPolicy: OnFailure securityContext: @@ -24,7 +53,7 @@ spec: args: - | set -euo pipefail - . /vault/scripts/nextcloud_vault_env.sh + . /vault/secrets/nextcloud-env.sh exec /maintenance/maintenance.sh env: - name: NC_URL @@ -41,12 +70,6 @@ spec: - name: maintenance-script mountPath: /maintenance/maintenance.sh subPath: maintenance.sh - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true resources: requests: cpu: 100m 
@@ -71,13 +94,3 @@ spec: configMap: name: nextcloud-maintenance-script defaultMode: 0755 - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: nextcloud-vault - - name: vault-scripts - configMap: - name: nextcloud-vault-env - defaultMode: 0555 diff --git a/services/nextcloud/scripts/nextcloud_vault_env.sh b/services/nextcloud/scripts/nextcloud_vault_env.sh deleted file mode 100644 index 0f34c9f..0000000 --- a/services/nextcloud/scripts/nextcloud_vault_env.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/env sh -set -eu - -vault_dir="/vault/secrets" - -read_secret() { - cat "${vault_dir}/$1" -} - -export POSTGRES_DB="$(read_secret nextcloud-db__database)" -export POSTGRES_USER="$(read_secret nextcloud-db__db-username)" -export POSTGRES_PASSWORD="$(read_secret nextcloud-db__db-password)" - -export NEXTCLOUD_ADMIN_USER="$(read_secret nextcloud-admin__admin-user)" -export NEXTCLOUD_ADMIN_PASSWORD="$(read_secret nextcloud-admin__admin-password)" - -export ADMIN_USER="${NEXTCLOUD_ADMIN_USER}" -export ADMIN_PASS="${NEXTCLOUD_ADMIN_PASSWORD}" - -export OIDC_CLIENT_ID="$(read_secret nextcloud-oidc__client-id)" -export OIDC_CLIENT_SECRET="$(read_secret nextcloud-oidc__client-secret)" - -export SMTP_NAME="$(read_secret nextcloud-smtp__smtp-username)" -export SMTP_PASSWORD="$(read_secret nextcloud-smtp__smtp-password)" - -export KC_ADMIN_USER="$(read_secret keycloak-admin__username)" -export KC_ADMIN_PASS="$(read_secret keycloak-admin__password)" diff --git a/services/nextcloud/secretproviderclass.yaml b/services/nextcloud/secretproviderclass.yaml deleted file mode 100644 index 1d9a104..0000000 --- a/services/nextcloud/secretproviderclass.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -# services/nextcloud/secretproviderclass.yaml -apiVersion: secrets-store.csi.x-k8s.io/v1 -kind: SecretProviderClass -metadata: - name: nextcloud-vault - namespace: nextcloud -spec: - provider: vault - parameters: - vaultAddress: "http://vault.vault.svc.cluster.local:8200" - roleName: "nextcloud" - objects: | - - objectName: "nextcloud-db__database" - secretPath: "kv/data/atlas/nextcloud/nextcloud-db" - secretKey: "database" - - objectName: "nextcloud-db__db-username" - secretPath: "kv/data/atlas/nextcloud/nextcloud-db" - secretKey: "db-username" - - objectName: "nextcloud-db__db-password" - secretPath: "kv/data/atlas/nextcloud/nextcloud-db" - secretKey: "db-password" - - objectName: "nextcloud-admin__admin-user" - secretPath: "kv/data/atlas/nextcloud/nextcloud-admin" - secretKey: "admin-user" - - objectName: "nextcloud-admin__admin-password" - secretPath: "kv/data/atlas/nextcloud/nextcloud-admin" - secretKey: "admin-password" - - objectName: "nextcloud-oidc__client-id" - secretPath: "kv/data/atlas/nextcloud/nextcloud-oidc" - secretKey: "client-id" - - objectName: "nextcloud-oidc__client-secret" - secretPath: "kv/data/atlas/nextcloud/nextcloud-oidc" - secretKey: "client-secret" - - objectName: "nextcloud-smtp__smtp-username" - secretPath: "kv/data/atlas/shared/postmark-relay" - secretKey: "relay-username" - - objectName: "nextcloud-smtp__smtp-password" - secretPath: "kv/data/atlas/shared/postmark-relay" - secretKey: "relay-password" - - objectName: "keycloak-admin__username" - secretPath: "kv/data/atlas/shared/keycloak-admin" - secretKey: "username" - - objectName: "keycloak-admin__password" - secretPath: "kv/data/atlas/shared/keycloak-admin" - secretKey: "password" diff --git a/services/outline/deployment.yaml b/services/outline/deployment.yaml index 0c4825e..04341a0 100644 --- a/services/outline/deployment.yaml +++ b/services/outline/deployment.yaml 
@@ -20,6 +20,34 @@ spec: metadata: labels: app: outline + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "outline" + vault.hashicorp.com/agent-inject-secret-outline-env.sh: "kv/data/atlas/outline/outline-db" + vault.hashicorp.com/agent-inject-template-outline-env.sh: | + {{- with secret "kv/data/atlas/outline/outline-db" -}} + export DATABASE_URL="{{ .Data.data.DATABASE_URL }}" + {{- end }} + {{- with secret "kv/data/atlas/outline/outline-secrets" -}} + export SECRET_KEY="{{ .Data.data.SECRET_KEY }}" + export UTILS_SECRET="{{ .Data.data.UTILS_SECRET }}" + {{- end }} + {{- with secret "kv/data/atlas/outline/outline-oidc" -}} + export OIDC_AUTH_URI="{{ .Data.data.OIDC_AUTH_URI }}" + export OIDC_CLIENT_ID="{{ .Data.data.OIDC_CLIENT_ID }}" + export OIDC_CLIENT_SECRET="{{ .Data.data.OIDC_CLIENT_SECRET }}" + export OIDC_LOGOUT_URI="{{ .Data.data.OIDC_LOGOUT_URI }}" + export OIDC_TOKEN_URI="{{ .Data.data.OIDC_TOKEN_URI }}" + export OIDC_USERINFO_URI="{{ .Data.data.OIDC_USERINFO_URI }}" + {{- end }} + {{- with secret "kv/data/atlas/outline/outline-smtp" -}} + export SMTP_FROM_EMAIL="{{ .Data.data.SMTP_FROM_EMAIL }}" + export SMTP_HOST="{{ .Data.data.SMTP_HOST }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export SMTP_USERNAME="{{ index .Data.data "relay-username" }}" + export SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} spec: serviceAccountName: outline-vault nodeSelector: @@ -39,7 +67,7 @@ spec: - /bin/sh - -c args: - - . /vault/scripts/outline_vault_env.sh && exec node build/server/index.js + - . /vault/secrets/outline-env.sh && exec node build/server/index.js ports: - name: http containerPort: 3000 @@ -75,12 +103,6 @@ spec: volumeMounts: - name: user-data mountPath: /var/lib/outline/data - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true readinessProbe: httpGet: path: /_health 
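Review bot: The template drops the optional AWS block the deleted `outline_vault_env.sh` exported when `AWS_ACCESS_KEY_ID` was present (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_S3_UPLOAD_BUCKET_NAME`, `AWS_S3_UPLOAD_BUCKET_URL`), and the commit message does not say S3 uploads are being retired. If those keys exist in Vault, Outline will silently start without them, so either add a `with secret` block for them or record the intentional removal in the commit message. Whether the old SecretProviderClass actually listed the AWS objects is not visible in this chunk.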
@@ -108,13 +130,3 @@ spec: - name: user-data persistentVolumeClaim: claimName: outline-user-data - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: outline-vault - - name: vault-scripts - configMap: - name: outline-vault-env - defaultMode: 0555 diff --git a/services/outline/kustomization.yaml b/services/outline/kustomization.yaml index 011c6e6..2fd0ae5 100644 --- a/services/outline/kustomization.yaml +++ b/services/outline/kustomization.yaml @@ -5,16 +5,9 @@ namespace: outline resources: - namespace.yaml - serviceaccount.yaml - - secretproviderclass.yaml - user-pvc.yaml - redis-deployment.yaml - redis-service.yaml - deployment.yaml - service.yaml - ingress.yaml -generatorOptions: - disableNameSuffixHash: true -configMapGenerator: - - name: outline-vault-env - files: - - outline_vault_env.sh=scripts/outline_vault_env.sh diff --git a/services/outline/scripts/outline_vault_env.sh b/services/outline/scripts/outline_vault_env.sh deleted file mode 100644 index d9f8469..0000000 --- a/services/outline/scripts/outline_vault_env.sh +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/usr/bin/env sh -set -eu - -vault_dir="/vault/secrets" - -read_secret() { - cat "${vault_dir}/$1" -} - -export DATABASE_URL="$(read_secret DATABASE_URL)" -export SECRET_KEY="$(read_secret SECRET_KEY)" -export UTILS_SECRET="$(read_secret UTILS_SECRET)" - -export OIDC_AUTH_URI="$(read_secret OIDC_AUTH_URI)" -export OIDC_CLIENT_ID="$(read_secret OIDC_CLIENT_ID)" -export OIDC_CLIENT_SECRET="$(read_secret OIDC_CLIENT_SECRET)" -export OIDC_LOGOUT_URI="$(read_secret OIDC_LOGOUT_URI)" -export OIDC_TOKEN_URI="$(read_secret OIDC_TOKEN_URI)" -export OIDC_USERINFO_URI="$(read_secret OIDC_USERINFO_URI)" - -export SMTP_FROM_EMAIL="$(read_secret SMTP_FROM_EMAIL)" -export SMTP_HOST="$(read_secret SMTP_HOST)" -export SMTP_PASSWORD="$(read_secret SMTP_PASSWORD)" -export SMTP_USERNAME="$(read_secret SMTP_USERNAME)" - -if [ -f "${vault_dir}/AWS_ACCESS_KEY_ID" ]; then - export AWS_ACCESS_KEY_ID="$(read_secret AWS_ACCESS_KEY_ID)" - export AWS_SECRET_ACCESS_KEY="$(read_secret AWS_SECRET_ACCESS_KEY)" - export AWS_S3_UPLOAD_BUCKET_NAME="$(read_secret AWS_S3_UPLOAD_BUCKET_NAME)" - export AWS_S3_UPLOAD_BUCKET_URL="$(read_secret AWS_S3_UPLOAD_BUCKET_URL)" -fi diff --git a/services/outline/secretproviderclass.yaml b/services/outline/secretproviderclass.yaml deleted file mode 100644 index 70891df..0000000 --- a/services/outline/secretproviderclass.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -# services/outline/secretproviderclass.yaml -apiVersion: secrets-store.csi.x-k8s.io/v1 -kind: SecretProviderClass -metadata: - name: outline-vault - namespace: outline -spec: - provider: vault - parameters: - vaultAddress: "http://vault.vault.svc.cluster.local:8200" - roleName: "outline" - objects: | - - objectName: "DATABASE_URL" - secretPath: "kv/data/atlas/outline/outline-db" - secretKey: "DATABASE_URL" - - objectName: "SECRET_KEY" - secretPath: "kv/data/atlas/outline/outline-secrets" - secretKey: "SECRET_KEY" - - objectName: "UTILS_SECRET" - secretPath: "kv/data/atlas/outline/outline-secrets" - secretKey: "UTILS_SECRET" - - objectName: "OIDC_AUTH_URI" - secretPath: "kv/data/atlas/outline/outline-oidc" - secretKey: "OIDC_AUTH_URI" - - objectName: "OIDC_CLIENT_ID" - secretPath: "kv/data/atlas/outline/outline-oidc" - secretKey: "OIDC_CLIENT_ID" - - objectName: "OIDC_CLIENT_SECRET" - secretPath: "kv/data/atlas/outline/outline-oidc" - secretKey: "OIDC_CLIENT_SECRET" - - objectName: "OIDC_LOGOUT_URI" - secretPath: "kv/data/atlas/outline/outline-oidc" - secretKey: "OIDC_LOGOUT_URI" - - objectName: "OIDC_TOKEN_URI" - secretPath: "kv/data/atlas/outline/outline-oidc" - secretKey: "OIDC_TOKEN_URI" - - objectName: "OIDC_USERINFO_URI" - secretPath: "kv/data/atlas/outline/outline-oidc" - secretKey: "OIDC_USERINFO_URI" - - objectName: "SMTP_FROM_EMAIL" - secretPath: "kv/data/atlas/outline/outline-smtp" - secretKey: "SMTP_FROM_EMAIL" - - objectName: "SMTP_HOST" - secretPath: "kv/data/atlas/outline/outline-smtp" - secretKey: "SMTP_HOST" - - objectName: "SMTP_PASSWORD" - secretPath: "kv/data/atlas/shared/postmark-relay" - secretKey: "relay-password" - - objectName: "SMTP_USERNAME" - secretPath: "kv/data/atlas/shared/postmark-relay" - secretKey: "relay-username" - - objectName: "AWS_ACCESS_KEY_ID" - secretPath: "kv/data/atlas/outline/outline-s3" - secretKey: "AWS_ACCESS_KEY_ID" - - objectName: "AWS_SECRET_ACCESS_KEY" - secretPath: 
"kv/data/atlas/outline/outline-s3" - secretKey: "AWS_SECRET_ACCESS_KEY" - - objectName: "AWS_S3_UPLOAD_BUCKET_NAME" - secretPath: "kv/data/atlas/outline/outline-s3" - secretKey: "AWS_S3_UPLOAD_BUCKET_NAME" - - objectName: "AWS_S3_UPLOAD_BUCKET_URL" - secretPath: "kv/data/atlas/outline/outline-s3" - secretKey: "AWS_S3_UPLOAD_BUCKET_URL" diff --git a/services/planka/deployment.yaml b/services/planka/deployment.yaml index d2aa431..cec505f 100644 --- a/services/planka/deployment.yaml +++ b/services/planka/deployment.yaml 
@@ -20,6 +20,37 @@ spec: metadata: labels: app: planka + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "planka" + vault.hashicorp.com/agent-inject-secret-planka-env.sh: "kv/data/atlas/planka/planka-db" + vault.hashicorp.com/agent-inject-template-planka-env.sh: | + {{- with secret "kv/data/atlas/planka/planka-db" -}} + export DATABASE_URL="{{ .Data.data.DATABASE_URL }}" + {{- end }} + {{- with secret "kv/data/atlas/planka/planka-secrets" -}} + export SECRET_KEY="{{ .Data.data.SECRET_KEY }}" + {{- end }} + {{- with secret "kv/data/atlas/planka/planka-oidc" -}} + export OIDC_CLIENT_ID="{{ .Data.data.OIDC_CLIENT_ID }}" + export OIDC_CLIENT_SECRET="{{ .Data.data.OIDC_CLIENT_SECRET }}" + export OIDC_ENFORCED="{{ .Data.data.OIDC_ENFORCED }}" + export OIDC_IGNORE_ROLES="{{ .Data.data.OIDC_IGNORE_ROLES }}" + export OIDC_ISSUER="{{ .Data.data.OIDC_ISSUER }}" + export OIDC_SCOPES="{{ .Data.data.OIDC_SCOPES }}" + export OIDC_USE_OAUTH_CALLBACK="{{ .Data.data.OIDC_USE_OAUTH_CALLBACK }}" + {{- end }} + {{- with secret "kv/data/atlas/planka/planka-smtp" -}} + export SMTP_FROM="{{ .Data.data.SMTP_FROM }}" + export SMTP_HOST="{{ .Data.data.SMTP_HOST }}" + export SMTP_PORT="{{ .Data.data.SMTP_PORT }}" + export SMTP_SECURE="{{ .Data.data.SMTP_SECURE }}" + export SMTP_TLS_REJECT_UNAUTHORIZED="{{ .Data.data.SMTP_TLS_REJECT_UNAUTHORIZED }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export SMTP_USER="{{ index .Data.data "relay-username" }}" + export SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} spec: serviceAccountName: planka-vault nodeSelector: @@ -63,7 +94,7 @@ spec: - /bin/sh - -c args: - - . /vault/scripts/planka_vault_env.sh && exec node app.js --prod + - . /vault/secrets/planka-env.sh && exec node app.js --prod ports: - name: http containerPort: 1337 
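Review bot: The rendered `planka-env.sh` is read exactly once, by `. /vault/secrets/planka-env.sh && exec node app.js --prod` in the next hunk, yet the annotations leave the Vault Agent sidecar running for the pod's lifetime holding a live Vault token and re-rendering a file nobody re-reads. Adding `vault.hashicorp.com/agent-pre-populate-only: "true"` next to `vault.hashicorp.com/agent-inject: "true"` keeps only the init container, which removes a long-lived token holder from the pod without changing what the app sees at start. A second point of style: `OIDC_ENFORCED`, `SMTP_SECURE` and `SMTP_TLS_REJECT_UNAUTHORIZED` are policy knobs rather than secrets, and pulling them from KV means a change that disables TLS verification or SSO enforcement happens in a Vault write instead of a reviewable Git diff; keeping those in the container's `env:` would preserve that audit trail. The container spec that sources the file lies outside this hunk.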
@@ -90,12 +121,6 @@ spec: subPath: private/attachments - name: app-data mountPath: /app/.tmp - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true readinessProbe: httpGet: path: / @@ -126,13 +151,3 @@ spec: - name: app-data persistentVolumeClaim: claimName: planka-app-data - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: planka-vault - - name: vault-scripts - configMap: - name: planka-vault-env - defaultMode: 0555 diff --git a/services/planka/kustomization.yaml b/services/planka/kustomization.yaml index 14a7cc9..db19e6e 100644 --- a/services/planka/kustomization.yaml +++ b/services/planka/kustomization.yaml @@ -5,15 +5,8 @@ namespace: planka resources: - namespace.yaml - serviceaccount.yaml - - secretproviderclass.yaml - user-data-pvc.yaml - app-pvc.yaml - deployment.yaml - service.yaml - ingress.yaml -generatorOptions: - disableNameSuffixHash: true -configMapGenerator: - - name: planka-vault-env - files: - - planka_vault_env.sh=scripts/planka_vault_env.sh diff --git a/services/planka/scripts/planka_vault_env.sh b/services/planka/scripts/planka_vault_env.sh deleted file mode 100644 index f5ab2ab..0000000 --- a/services/planka/scripts/planka_vault_env.sh +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/usr/bin/env sh -set -eu - -vault_dir="/vault/secrets" - -read_secret() { - cat "${vault_dir}/$1" -} - -export DATABASE_URL="$(read_secret DATABASE_URL)" -export SECRET_KEY="$(read_secret SECRET_KEY)" - -export OIDC_CLIENT_ID="$(read_secret OIDC_CLIENT_ID)" -export OIDC_CLIENT_SECRET="$(read_secret OIDC_CLIENT_SECRET)" -export OIDC_ENFORCED="$(read_secret OIDC_ENFORCED)" -export OIDC_IGNORE_ROLES="$(read_secret OIDC_IGNORE_ROLES)" -export OIDC_ISSUER="$(read_secret OIDC_ISSUER)" -export OIDC_SCOPES="$(read_secret OIDC_SCOPES)" -export OIDC_USE_OAUTH_CALLBACK="$(read_secret OIDC_USE_OAUTH_CALLBACK)" - -export SMTP_FROM="$(read_secret SMTP_FROM)" -export SMTP_HOST="$(read_secret SMTP_HOST)" -export SMTP_PASSWORD="$(read_secret SMTP_PASSWORD)" -export SMTP_PORT="$(read_secret SMTP_PORT)" -export SMTP_SECURE="$(read_secret SMTP_SECURE)" -export SMTP_TLS_REJECT_UNAUTHORIZED="$(read_secret SMTP_TLS_REJECT_UNAUTHORIZED)" -export SMTP_USER="$(read_secret SMTP_USER)" diff --git a/services/planka/secretproviderclass.yaml b/services/planka/secretproviderclass.yaml deleted file mode 100644 index 028b2b5..0000000 --- a/services/planka/secretproviderclass.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -# services/planka/secretproviderclass.yaml -apiVersion: secrets-store.csi.x-k8s.io/v1 -kind: SecretProviderClass -metadata: - name: planka-vault - namespace: planka -spec: - provider: vault - parameters: - vaultAddress: "http://vault.vault.svc.cluster.local:8200" - roleName: "planka" - objects: | - - objectName: "DATABASE_URL" - secretPath: "kv/data/atlas/planka/planka-db" - secretKey: "DATABASE_URL" - - objectName: "SECRET_KEY" - secretPath: "kv/data/atlas/planka/planka-secrets" - secretKey: "SECRET_KEY" - - objectName: "OIDC_CLIENT_ID" - secretPath: "kv/data/atlas/planka/planka-oidc" - secretKey: "OIDC_CLIENT_ID" - - objectName: "OIDC_CLIENT_SECRET" - secretPath: "kv/data/atlas/planka/planka-oidc" - secretKey: "OIDC_CLIENT_SECRET" - - objectName: "OIDC_ENFORCED" - secretPath: "kv/data/atlas/planka/planka-oidc" - secretKey: "OIDC_ENFORCED" - - objectName: "OIDC_IGNORE_ROLES" - secretPath: "kv/data/atlas/planka/planka-oidc" - secretKey: "OIDC_IGNORE_ROLES" - - objectName: "OIDC_ISSUER" - secretPath: "kv/data/atlas/planka/planka-oidc" - secretKey: "OIDC_ISSUER" - - objectName: "OIDC_SCOPES" - secretPath: "kv/data/atlas/planka/planka-oidc" - secretKey: "OIDC_SCOPES" - - objectName: "OIDC_USE_OAUTH_CALLBACK" - secretPath: "kv/data/atlas/planka/planka-oidc" - secretKey: "OIDC_USE_OAUTH_CALLBACK" - - objectName: "SMTP_FROM" - secretPath: "kv/data/atlas/planka/planka-smtp" - secretKey: "SMTP_FROM" - - objectName: "SMTP_HOST" - secretPath: "kv/data/atlas/planka/planka-smtp" - secretKey: "SMTP_HOST" - - objectName: "SMTP_PASSWORD" - secretPath: "kv/data/atlas/shared/postmark-relay" - secretKey: "relay-password" - - objectName: "SMTP_PORT" - secretPath: "kv/data/atlas/planka/planka-smtp" - secretKey: "SMTP_PORT" - - objectName: "SMTP_SECURE" - secretPath: "kv/data/atlas/planka/planka-smtp" - secretKey: "SMTP_SECURE" - - objectName: "SMTP_TLS_REJECT_UNAUTHORIZED" - secretPath: "kv/data/atlas/planka/planka-smtp" - secretKey: "SMTP_TLS_REJECT_UNAUTHORIZED" - 
- objectName: "SMTP_USER" - secretPath: "kv/data/atlas/shared/postmark-relay" - secretKey: "relay-username" diff --git a/services/vaultwarden/deployment.yaml b/services/vaultwarden/deployment.yaml index f102ea9..57789a7 100644 --- a/services/vaultwarden/deployment.yaml +++ b/services/vaultwarden/deployment.yaml @@ -18,6 +18,21 @@ spec: metadata: labels: app: vaultwarden + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "vaultwarden" + vault.hashicorp.com/agent-inject-secret-vaultwarden-env.sh: "kv/data/atlas/vaultwarden/vaultwarden-db-url" + vault.hashicorp.com/agent-inject-template-vaultwarden-env.sh: | + {{- with secret "kv/data/atlas/vaultwarden/vaultwarden-db-url" -}} + export DATABASE_URL="{{ .Data.data.DATABASE_URL }}" + {{- end }} + {{- with secret "kv/data/atlas/vaultwarden/vaultwarden-admin" -}} + export ADMIN_TOKEN="{{ .Data.data.ADMIN_TOKEN }}" + {{- end }} + {{- with secret "kv/data/atlas/shared/postmark-relay" -}} + export SMTP_USERNAME="{{ index .Data.data "relay-username" }}" + export SMTP_PASSWORD="{{ index .Data.data "relay-password" }}" + {{- end }} spec: serviceAccountName: vaultwarden-vault containers: @@ -26,7 +41,7 @@ spec: command: ["/bin/sh", "-c"] args: - >- - . /vault/scripts/vaultwarden_vault_env.sh + . /vault/secrets/vaultwarden-env.sh && exec /start.sh env: - name: SIGNUPS_ALLOWED @@ -56,23 +71,7 @@ spec: volumeMounts: - name: vaultwarden-data mountPath: /data - - name: vault-secrets - mountPath: /vault/secrets - readOnly: true - - name: vault-scripts - mountPath: /vault/scripts - readOnly: true volumes: - name: vaultwarden-data persistentVolumeClaim: claimName: vaultwarden-data - - name: vault-secrets - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: vaultwarden-vault - - name: vault-scripts - configMap: - name: vaultwarden-vault-env - defaultMode: 0555 
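Review bot: `export ADMIN_TOKEN="{{ .Data.data.ADMIN_TOKEN }}"` puts the token inside a double-quoted string that `/bin/sh` then sources; if the token is stored in the Argon2 PHC form Vaultwarden recommends (`$argon2id$v=19$m=...`), each `$` segment is expanded as a shell variable and the admin page is left with a mangled token, and the same applies to a `$` or `"` in the `DATABASE_URL` password. The deleted `vaultwarden_vault_env.sh` read these values with `cat` and had no such problem, so this is a regression introduced by the template, not by the secrets. Use single quotes and escape embedded quotes for every value, e.g. `export ADMIN_TOKEN='{{ .Data.data.ADMIN_TOKEN | replaceAll "'" "'\\''" }}'`. Since the file is consumed only once at container start, `vault.hashicorp.com/agent-pre-populate-only: "true"` would also drop the idle sidecar and its token; the pod spec continues outside this hunk.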
diff --git a/services/vaultwarden/kustomization.yaml b/services/vaultwarden/kustomization.yaml index c1525f7..c53cb1c 100644 --- a/services/vaultwarden/kustomization.yaml +++ b/services/vaultwarden/kustomization.yaml @@ -6,14 +6,6 @@ resources: - namespace.yaml - serviceaccount.yaml - pvc.yaml - - secretproviderclass.yaml - deployment.yaml - service.yaml - ingress.yaml -configMapGenerator: - - name: vaultwarden-vault-env - namespace: vaultwarden - files: - - vaultwarden_vault_env.sh=scripts/vaultwarden_vault_env.sh - options: - disableNameSuffixHash: true diff --git a/services/vaultwarden/scripts/vaultwarden_vault_env.sh b/services/vaultwarden/scripts/vaultwarden_vault_env.sh deleted file mode 100644 index 7a80081..0000000 --- a/services/vaultwarden/scripts/vaultwarden_vault_env.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env sh -set -eu - -vault_dir="/vault/secrets" - -read_secret() { - cat "${vault_dir}/$1" -} - -export DATABASE_URL="$(read_secret vaultwarden-db-url__DATABASE_URL)" -export ADMIN_TOKEN="$(read_secret vaultwarden-admin__ADMIN_TOKEN)" - -export SMTP_USERNAME="$(read_secret postmark-relay__relay-username)" -export SMTP_PASSWORD="$(read_secret postmark-relay__relay-password)" diff --git a/services/vaultwarden/secretproviderclass.yaml b/services/vaultwarden/secretproviderclass.yaml deleted file mode 100644 index 63f864e..0000000 --- a/services/vaultwarden/secretproviderclass.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -# services/vaultwarden/secretproviderclass.yaml -apiVersion: secrets-store.csi.x-k8s.io/v1 -kind: SecretProviderClass -metadata: - name: vaultwarden-vault - namespace: vaultwarden -spec: - provider: vault - parameters: - vaultAddress: "http://vault.vault.svc.cluster.local:8200" - roleName: "vaultwarden" - objects: | - - objectName: "vaultwarden-db-url__DATABASE_URL" - secretPath: "kv/data/atlas/vaultwarden/vaultwarden-db-url" - secretKey: "DATABASE_URL" - - objectName: "vaultwarden-admin__ADMIN_TOKEN" - secretPath: "kv/data/atlas/vaultwarden/vaultwarden-admin" - secretKey: "ADMIN_TOKEN" - - objectName: "postmark-relay__relay-username" - secretPath: "kv/data/atlas/shared/postmark-relay" - secretKey: "relay-username" - - objectName: "postmark-relay__relay-password" - secretPath: "kv/data/atlas/shared/postmark-relay" - secretKey: "relay-password"