bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vault: move core apps to injector

Browse Source
This commit is contained in:
Brad Stein 2026-01-14 12:28:10 -03:00
parent 1add32e683
commit 16c62d5a4a
28 changed files with 282 additions and 588 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
services/bstein-dev-home/backend-deployment.yaml
View File

@ -14,6 +14,25 @@ spec:
metadata: metadata:
labels: labels:
app: bstein-dev-home-backend app: bstein-dev-home-backend
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "bstein-dev-home"
vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db"
vault.hashicorp.com/agent-inject-template-portal-env.sh: |
{{- with secret "kv/data/atlas/portal/atlas-portal-db" -}}
export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}"
{{- end }}
{{- with secret "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" -}}
export KEYCLOAK_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}
export CHAT_KEY_MATRIX="{{ .Data.data.matrix }}"
export CHAT_KEY_HOMEPAGE="{{ .Data.data.homepage }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
spec: spec:
automountServiceAccountToken: true automountServiceAccountToken: true
serviceAccountName: bstein-dev-home serviceAccountName: bstein-dev-home
@ -29,7 +48,7 @@ spec:
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: args:
- >- - >-
. /vault/scripts/bstein_dev_home_vault_env.sh . /vault/secrets/portal-env.sh
&& exec gunicorn -b 0.0.0.0:8080 --workers 2 --timeout 180 app:app && exec gunicorn -b 0.0.0.0:8080 --workers 2 --timeout 180 app:app
env: env:
- name: AI_CHAT_API - name: AI_CHAT_API
@ -94,13 +113,6 @@ spec:
initialDelaySeconds: 10 initialDelaySeconds: 10
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 3 timeoutSeconds: 3
volumeMounts:
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
resources: resources:
requests: requests:
cpu: 100m cpu: 100m
@ -108,14 +120,3 @@ spec:
limits: limits:
cpu: 500m cpu: 500m
memory: 512Mi memory: 512Mi
volumes:
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: bstein-dev-home-vault
- name: vault-scripts
configMap:
name: bstein-dev-home-vault-env
defaultMode: 0555

37
services/bstein-dev-home/chat-ai-gateway-deployment.yaml
View File

@ -14,6 +14,25 @@ spec:
metadata: metadata:
labels: labels:
app: chat-ai-gateway app: chat-ai-gateway
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "bstein-dev-home"
vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db"
vault.hashicorp.com/agent-inject-template-portal-env.sh: |
{{- with secret "kv/data/atlas/portal/atlas-portal-db" -}}
export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}"
{{- end }}
{{- with secret "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" -}}
export KEYCLOAK_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}
export CHAT_KEY_MATRIX="{{ .Data.data.matrix }}"
export CHAT_KEY_HOMEPAGE="{{ .Data.data.homepage }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
spec: spec:
serviceAccountName: bstein-dev-home serviceAccountName: bstein-dev-home
nodeSelector: nodeSelector:
@ -24,7 +43,7 @@ spec:
image: python:3.11-slim image: python:3.11-slim
command: ["/bin/sh","-c"] command: ["/bin/sh","-c"]
args: args:
- . /vault/scripts/bstein_dev_home_vault_env.sh && exec python /app/gateway.py - . /vault/secrets/portal-env.sh && exec python /app/gateway.py
env: env:
- name: UPSTREAM_URL - name: UPSTREAM_URL
value: http://bstein-dev-home-backend/api/chat value: http://bstein-dev-home-backend/api/chat
@ -54,23 +73,7 @@ spec:
- name: code - name: code
mountPath: /app/gateway.py mountPath: /app/gateway.py
subPath: gateway.py subPath: gateway.py
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes: volumes:
- name: code - name: code
configMap: configMap:
name: chat-ai-gateway name: chat-ai-gateway
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: bstein-dev-home-vault
- name: vault-scripts
configMap:
name: bstein-dev-home-vault-env
defaultMode: 0555

6
services/bstein-dev-home/kustomization.yaml
View File

@ -19,12 +19,6 @@ resources:
- portal-onboarding-e2e-test-job.yaml - portal-onboarding-e2e-test-job.yaml
- ingress.yaml - ingress.yaml
configMapGenerator: configMapGenerator:
- name: bstein-dev-home-vault-env
namespace: bstein-dev-home
files:
- bstein_dev_home_vault_env.sh=scripts/bstein_dev_home_vault_env.sh
options:
disableNameSuffixHash: true
- name: chat-ai-gateway - name: chat-ai-gateway
namespace: bstein-dev-home namespace: bstein-dev-home
files: files:

38
services/bstein-dev-home/portal-onboarding-e2e-test-job.yaml
View File

@ -7,6 +7,26 @@ metadata:
spec: spec:
backoffLimit: 0 backoffLimit: 0
template: template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "bstein-dev-home"
vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db"
vault.hashicorp.com/agent-inject-template-portal-env.sh: |
{{- with secret "kv/data/atlas/portal/atlas-portal-db" -}}
export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}"
{{- end }}
{{- with secret "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" -}}
export KEYCLOAK_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}
export CHAT_KEY_MATRIX="{{ .Data.data.matrix }}"
export CHAT_KEY_HOMEPAGE="{{ .Data.data.homepage }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
spec: spec:
restartPolicy: Never restartPolicy: Never
serviceAccountName: bstein-dev-home serviceAccountName: bstein-dev-home
@ -40,30 +60,14 @@ spec:
args: args:
- | - |
set -euo pipefail set -euo pipefail
. /vault/scripts/bstein_dev_home_vault_env.sh . /vault/secrets/portal-env.sh
python /scripts/test_portal_onboarding_flow.py python /scripts/test_portal_onboarding_flow.py
volumeMounts: volumeMounts:
- name: tests - name: tests
mountPath: /scripts mountPath: /scripts
readOnly: true readOnly: true
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes: volumes:
- name: tests - name: tests
configMap: configMap:
name: portal-onboarding-e2e-tests name: portal-onboarding-e2e-tests
defaultMode: 0555 defaultMode: 0555
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: bstein-dev-home-vault
- name: vault-scripts
configMap:
name: bstein-dev-home-vault-env
defaultMode: 0555

17
services/bstein-dev-home/scripts/bstein_dev_home_vault_env.sh
View File

@ -1,17 +0,0 @@
#!/usr/bin/env sh
set -eu
vault_dir="/vault/secrets"
read_secret() {
cat "${vault_dir}/$1"
}
export KEYCLOAK_ADMIN_CLIENT_SECRET="$(read_secret bstein-dev-home-keycloak-admin__client_secret)"
export PORTAL_DATABASE_URL="$(read_secret atlas-portal-db__PORTAL_DATABASE_URL)"
export CHAT_KEY_MATRIX="$(read_secret chat-ai-keys-runtime__matrix)"
export CHAT_KEY_HOMEPAGE="$(read_secret chat-ai-keys-runtime__homepage)"
export PORTAL_E2E_CLIENT_ID="$(read_secret portal-e2e-client__client_id)"
export PORTAL_E2E_CLIENT_SECRET="$(read_secret portal-e2e-client__client_secret)"

24
services/bstein-dev-home/secretproviderclass.yaml
View File

@ -10,30 +10,6 @@ spec:
vaultAddress: "http://vault.vault.svc.cluster.local:8200" vaultAddress: "http://vault.vault.svc.cluster.local:8200"
roleName: "bstein-dev-home" roleName: "bstein-dev-home"
objects: | objects: |
- objectName: "atlas-portal-db__PORTAL_DATABASE_URL"
secretPath: "kv/data/atlas/portal/atlas-portal-db"
secretKey: "PORTAL_DATABASE_URL"
- objectName: "bstein-dev-home-keycloak-admin__client_secret"
secretPath: "kv/data/atlas/portal/bstein-dev-home-keycloak-admin"
secretKey: "client_secret"
- objectName: "chat-ai-keys__homepage"
secretPath: "kv/data/atlas/portal/chat-ai-keys"
secretKey: "homepage"
- objectName: "chat-ai-keys__matrix"
secretPath: "kv/data/atlas/portal/chat-ai-keys"
secretKey: "matrix"
- objectName: "chat-ai-keys-runtime__homepage"
secretPath: "kv/data/atlas/shared/chat-ai-keys-runtime"
secretKey: "homepage"
- objectName: "chat-ai-keys-runtime__matrix"
secretPath: "kv/data/atlas/shared/chat-ai-keys-runtime"
secretKey: "matrix"
- objectName: "portal-e2e-client__client_id"
secretPath: "kv/data/atlas/shared/portal-e2e-client"
secretKey: "client_id"
- objectName: "portal-e2e-client__client_secret"
secretPath: "kv/data/atlas/shared/portal-e2e-client"
secretKey: "client_secret"
- objectName: "harbor-pull__dockerconfigjson" - objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/harbor-pull/bstein-dev-home" secretPath: "kv/data/atlas/harbor-pull/bstein-dev-home"
secretKey: "dockerconfigjson" secretKey: "dockerconfigjson"

38
services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml
View File

@ -13,6 +13,26 @@ spec:
spec: spec:
backoffLimit: 0 backoffLimit: 0
template: template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "bstein-dev-home"
vault.hashicorp.com/agent-inject-secret-portal-env.sh: "kv/data/atlas/portal/atlas-portal-db"
vault.hashicorp.com/agent-inject-template-portal-env.sh: |
{{- with secret "kv/data/atlas/portal/atlas-portal-db" -}}
export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}"
{{- end }}
{{- with secret "kv/data/atlas/portal/bstein-dev-home-keycloak-admin" -}}
export KEYCLOAK_ADMIN_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/chat-ai-keys-runtime" -}}
export CHAT_KEY_MATRIX="{{ .Data.data.matrix }}"
export CHAT_KEY_HOMEPAGE="{{ .Data.data.homepage }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/portal-e2e-client" -}}
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
{{- end }}
spec: spec:
serviceAccountName: bstein-dev-home serviceAccountName: bstein-dev-home
restartPolicy: Never restartPolicy: Never
@ -28,7 +48,7 @@ spec:
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: args:
- >- - >-
. /vault/scripts/bstein_dev_home_vault_env.sh . /vault/secrets/portal-env.sh
&& exec python /scripts/vaultwarden_cred_sync.py && exec python /scripts/vaultwarden_cred_sync.py
env: env:
- name: PYTHONPATH - name: PYTHONPATH
@ -49,24 +69,8 @@ spec:
- name: vaultwarden-cred-sync-script - name: vaultwarden-cred-sync-script
mountPath: /scripts mountPath: /scripts
readOnly: true readOnly: true
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes: volumes:
- name: vaultwarden-cred-sync-script - name: vaultwarden-cred-sync-script
configMap: configMap:
name: vaultwarden-cred-sync-script name: vaultwarden-cred-sync-script
defaultMode: 0555 defaultMode: 0555
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: bstein-dev-home-vault
- name: vault-scripts
configMap:
name: bstein-dev-home-vault-env
defaultMode: 0555

45
services/gitea/deployment.yaml
View File

@ -20,6 +20,39 @@ spec:
metadata: metadata:
labels: labels:
app: gitea app: gitea
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "gitea"
vault.hashicorp.com/agent-inject-secret-gitea-db-secret__password: "kv/data/atlas/gitea/gitea-db-secret"
vault.hashicorp.com/agent-inject-template-gitea-db-secret__password: |
{{- with secret "kv/data/atlas/gitea/gitea-db-secret" -}}
{{ .Data.data.password }}
{{- end }}
vault.hashicorp.com/agent-inject-secret-gitea-secret__SECRET_KEY: "kv/data/atlas/gitea/gitea-secret"
vault.hashicorp.com/agent-inject-template-gitea-secret__SECRET_KEY: |
{{- with secret "kv/data/atlas/gitea/gitea-secret" -}}
{{ .Data.data.SECRET_KEY }}
{{- end }}
vault.hashicorp.com/agent-inject-secret-gitea-secret__INTERNAL_TOKEN: "kv/data/atlas/gitea/gitea-secret"
vault.hashicorp.com/agent-inject-template-gitea-secret__INTERNAL_TOKEN: |
{{- with secret "kv/data/atlas/gitea/gitea-secret" -}}
{{ .Data.data.INTERNAL_TOKEN }}
{{- end }}
vault.hashicorp.com/agent-inject-secret-gitea-oidc__client_id: "kv/data/atlas/gitea/gitea-oidc"
vault.hashicorp.com/agent-inject-template-gitea-oidc__client_id: |
{{- with secret "kv/data/atlas/gitea/gitea-oidc" -}}
{{ .Data.data.client_id }}
{{- end }}
vault.hashicorp.com/agent-inject-secret-gitea-oidc__client_secret: "kv/data/atlas/gitea/gitea-oidc"
vault.hashicorp.com/agent-inject-template-gitea-oidc__client_secret: |
{{- with secret "kv/data/atlas/gitea/gitea-oidc" -}}
{{ .Data.data.client_secret }}
{{- end }}
vault.hashicorp.com/agent-inject-secret-gitea-oidc__openid_auto_discovery_url: "kv/data/atlas/gitea/gitea-oidc"
vault.hashicorp.com/agent-inject-template-gitea-oidc__openid_auto_discovery_url: |
{{- with secret "kv/data/atlas/gitea/gitea-oidc" -}}
{{ .Data.data.openid_auto_discovery_url }}
{{- end }}
spec: spec:
serviceAccountName: gitea-vault serviceAccountName: gitea-vault
initContainers: initContainers:
@ -75,9 +108,6 @@ spec:
volumeMounts: volumeMounts:
- name: gitea-data - name: gitea-data
mountPath: /data mountPath: /data
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
nodeSelector: nodeSelector:
node-role.kubernetes.io/worker: "true" node-role.kubernetes.io/worker: "true"
affinity: affinity:
@ -157,16 +187,7 @@ spec:
volumeMounts: volumeMounts:
- name: gitea-data - name: gitea-data
mountPath: /data mountPath: /data
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
volumes: volumes:
- name: gitea-data - name: gitea-data
persistentVolumeClaim: persistentVolumeClaim:
claimName: gitea-data claimName: gitea-data
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: gitea-vault

1
services/gitea/kustomization.yaml
View File

@ -5,7 +5,6 @@ resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml - serviceaccount.yaml
- pvc.yaml - pvc.yaml
- secretproviderclass.yaml
- deployment.yaml - deployment.yaml
- service.yaml - service.yaml
- ingress.yaml - ingress.yaml

30
services/gitea/secretproviderclass.yaml
View File

@ -1,30 +0,0 @@
# services/gitea/secretproviderclass.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: gitea-vault
namespace: gitea
spec:
provider: vault
parameters:
vaultAddress: "http://vault.vault.svc.cluster.local:8200"
roleName: "gitea"
objects: |
- objectName: "gitea-db-secret__password"
secretPath: "kv/data/atlas/gitea/gitea-db-secret"
secretKey: "password"
- objectName: "gitea-secret__SECRET_KEY"
secretPath: "kv/data/atlas/gitea/gitea-secret"
secretKey: "SECRET_KEY"
- objectName: "gitea-secret__INTERNAL_TOKEN"
secretPath: "kv/data/atlas/gitea/gitea-secret"
secretKey: "INTERNAL_TOKEN"
- objectName: "gitea-oidc__client_id"
secretPath: "kv/data/atlas/gitea/gitea-oidc"
secretKey: "client_id"
- objectName: "gitea-oidc__client_secret"
secretPath: "kv/data/atlas/gitea/gitea-oidc"
secretKey: "client_secret"
- objectName: "gitea-oidc__openid_auto_discovery_url"
secretPath: "kv/data/atlas/gitea/gitea-oidc"
secretKey: "openid_auto_discovery_url"

47
services/nextcloud-mail-sync/cronjob.yaml
View File

@ -12,6 +12,35 @@ spec:
jobTemplate: jobTemplate:
spec: spec:
template: template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "nextcloud"
vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db"
vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: |
{{- with secret "kv/data/atlas/nextcloud/nextcloud-db" -}}
export POSTGRES_DB="{{ .Data.data.database }}"
export POSTGRES_USER="{{ .Data.data.db-username }}"
export POSTGRES_PASSWORD="{{ .Data.data.db-password }}"
{{- end }}
{{- with secret "kv/data/atlas/nextcloud/nextcloud-admin" -}}
export NEXTCLOUD_ADMIN_USER="{{ .Data.data.admin-user }}"
export NEXTCLOUD_ADMIN_PASSWORD="{{ .Data.data.admin-password }}"
{{- end }}
export ADMIN_USER="${NEXTCLOUD_ADMIN_USER}"
export ADMIN_PASS="${NEXTCLOUD_ADMIN_PASSWORD}"
{{- with secret "kv/data/atlas/nextcloud/nextcloud-oidc" -}}
export OIDC_CLIENT_ID="{{ .Data.data.client-id }}"
export OIDC_CLIENT_SECRET="{{ .Data.data.client-secret }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export SMTP_NAME="{{ index .Data.data "relay-username" }}"
export SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KC_ADMIN_USER="{{ .Data.data.username }}"
export KC_ADMIN_PASS="{{ .Data.data.password }}"
{{- end }}
spec: spec:
restartPolicy: OnFailure restartPolicy: OnFailure
securityContext: securityContext:
@ -53,16 +82,10 @@ spec:
- name: sync-script - name: sync-script
mountPath: /sync/sync.sh mountPath: /sync/sync.sh
subPath: sync.sh subPath: sync.sh
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
args: args:
- | - |
set -euo pipefail set -euo pipefail
. /vault/scripts/nextcloud_vault_env.sh . /vault/secrets/nextcloud-env.sh
exec /sync/sync.sh exec /sync/sync.sh
volumes: volumes:
- name: nextcloud-config-pvc - name: nextcloud-config-pvc
@ -81,13 +104,3 @@ spec:
configMap: configMap:
name: nextcloud-mail-sync-script name: nextcloud-mail-sync-script
defaultMode: 0755 defaultMode: 0755
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: nextcloud-vault
- name: vault-scripts
configMap:
name: nextcloud-vault-env
defaultMode: 0555

54
services/nextcloud/deployment.yaml
View File

@ -15,6 +15,34 @@ spec:
metadata: metadata:
labels: labels:
app: nextcloud app: nextcloud
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "nextcloud"
vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db"
vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: |
{{- with secret "kv/data/atlas/nextcloud/nextcloud-db" -}}
export POSTGRES_DB="{{ .Data.data.database }}"
export POSTGRES_USER="{{ .Data.data.db-username }}"
export POSTGRES_PASSWORD="{{ .Data.data.db-password }}"
{{- end }}
{{- with secret "kv/data/atlas/nextcloud/nextcloud-admin" -}}
export NEXTCLOUD_ADMIN_USER="{{ .Data.data.admin-user }}"
export NEXTCLOUD_ADMIN_PASSWORD="{{ .Data.data.admin-password }}"
{{- end }}
export ADMIN_USER="${NEXTCLOUD_ADMIN_USER}"
export ADMIN_PASS="${NEXTCLOUD_ADMIN_PASSWORD}"
{{- with secret "kv/data/atlas/nextcloud/nextcloud-oidc" -}}
export OIDC_CLIENT_ID="{{ .Data.data.client-id }}"
export OIDC_CLIENT_SECRET="{{ .Data.data.client-secret }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export SMTP_NAME="{{ index .Data.data "relay-username" }}"
export SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KC_ADMIN_USER="{{ .Data.data.username }}"
export KC_ADMIN_PASS="{{ .Data.data.password }}"
{{- end }}
spec: spec:
nodeSelector: nodeSelector:
hardware: rpi5 hardware: rpi5
@ -81,7 +109,7 @@ spec:
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: args:
- | - |
. /vault/scripts/nextcloud_vault_env.sh . /vault/secrets/nextcloud-env.sh
installed="$(su -s /bin/sh www-data -c "php /var/www/html/occ status" 2>/dev/null | awk '/installed:/{print $3}' || true)" installed="$(su -s /bin/sh www-data -c "php /var/www/html/occ status" 2>/dev/null | awk '/installed:/{print $3}' || true)"
if [ ! -s /var/www/html/config/config.php ]; then if [ ! -s /var/www/html/config/config.php ]; then
su -s /bin/sh www-data -c "php /var/www/html/occ maintenance:install --database pgsql --database-host \"${POSTGRES_HOST}\" --database-name \"${POSTGRES_DB}\" --database-user \"${POSTGRES_USER}\" --database-pass \"${POSTGRES_PASSWORD}\" --admin-user \"${NEXTCLOUD_ADMIN_USER}\" --admin-pass \"${NEXTCLOUD_ADMIN_PASSWORD}\" --data-dir /var/www/html/data" su -s /bin/sh www-data -c "php /var/www/html/occ maintenance:install --database pgsql --database-host \"${POSTGRES_HOST}\" --database-name \"${POSTGRES_DB}\" --database-user \"${POSTGRES_USER}\" --database-pass \"${POSTGRES_PASSWORD}\" --admin-user \"${NEXTCLOUD_ADMIN_USER}\" --admin-pass \"${NEXTCLOUD_ADMIN_PASSWORD}\" --data-dir /var/www/html/data"
@ -164,12 +192,6 @@ spec:
- name: nextcloud-config-extra - name: nextcloud-config-extra
mountPath: /var/www/html/config/extra.config.php mountPath: /var/www/html/config/extra.config.php
subPath: extra.config.php subPath: extra.config.php
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
containers: containers:
- name: nextcloud - name: nextcloud
image: nextcloud:29-apache image: nextcloud:29-apache
@ -177,7 +199,7 @@ spec:
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: args:
- >- - >-
. /vault/scripts/nextcloud_vault_env.sh . /vault/secrets/nextcloud-env.sh
&& exec /entrypoint.sh apache2-foreground && exec /entrypoint.sh apache2-foreground
env: env:
# DB (external secret required: nextcloud-db with keys username,password,database) # DB (external secret required: nextcloud-db with keys username,password,database)
@ -223,12 +245,6 @@ spec:
- name: nextcloud-config-extra - name: nextcloud-config-extra
mountPath: /var/www/html/config/extra.config.php mountPath: /var/www/html/config/extra.config.php
subPath: extra.config.php subPath: extra.config.php
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
resources: resources:
requests: requests:
cpu: 250m cpu: 250m
@ -253,13 +269,3 @@ spec:
configMap: configMap:
name: nextcloud-config name: nextcloud-config
defaultMode: 0444 defaultMode: 0444
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: nextcloud-vault
- name: vault-scripts
configMap:
name: nextcloud-vault-env
defaultMode: 0555

6
services/nextcloud/kustomization.yaml
View File

@ -5,7 +5,6 @@ namespace: nextcloud
resources: resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml - serviceaccount.yaml
- secretproviderclass.yaml
- configmap.yaml - configmap.yaml
- pvc.yaml - pvc.yaml
- deployment.yaml - deployment.yaml
@ -15,11 +14,6 @@ resources:
- service.yaml - service.yaml
- ingress.yaml - ingress.yaml
configMapGenerator: configMapGenerator:
- name: nextcloud-vault-env
files:
- nextcloud_vault_env.sh=scripts/nextcloud_vault_env.sh
options:
disableNameSuffixHash: true
- name: nextcloud-maintenance-script - name: nextcloud-maintenance-script
files: files:
- maintenance.sh=scripts/nextcloud-maintenance.sh - maintenance.sh=scripts/nextcloud-maintenance.sh

47
services/nextcloud/maintenance-cronjob.yaml
View File

@ -10,6 +10,35 @@ spec:
jobTemplate: jobTemplate:
spec: spec:
template: template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "nextcloud"
vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db"
vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: |
{{- with secret "kv/data/atlas/nextcloud/nextcloud-db" -}}
export POSTGRES_DB="{{ .Data.data.database }}"
export POSTGRES_USER="{{ .Data.data.db-username }}"
export POSTGRES_PASSWORD="{{ .Data.data.db-password }}"
{{- end }}
{{- with secret "kv/data/atlas/nextcloud/nextcloud-admin" -}}
export NEXTCLOUD_ADMIN_USER="{{ .Data.data.admin-user }}"
export NEXTCLOUD_ADMIN_PASSWORD="{{ .Data.data.admin-password }}"
{{- end }}
export ADMIN_USER="${NEXTCLOUD_ADMIN_USER}"
export ADMIN_PASS="${NEXTCLOUD_ADMIN_PASSWORD}"
{{- with secret "kv/data/atlas/nextcloud/nextcloud-oidc" -}}
export OIDC_CLIENT_ID="{{ .Data.data.client-id }}"
export OIDC_CLIENT_SECRET="{{ .Data.data.client-secret }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export SMTP_NAME="{{ index .Data.data "relay-username" }}"
export SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/keycloak-admin" -}}
export KC_ADMIN_USER="{{ .Data.data.username }}"
export KC_ADMIN_PASS="{{ .Data.data.password }}"
{{- end }}
spec: spec:
restartPolicy: OnFailure restartPolicy: OnFailure
securityContext: securityContext:
@ -24,7 +53,7 @@ spec:
args: args:
- | - |
set -euo pipefail set -euo pipefail
. /vault/scripts/nextcloud_vault_env.sh . /vault/secrets/nextcloud-env.sh
exec /maintenance/maintenance.sh exec /maintenance/maintenance.sh
env: env:
- name: NC_URL - name: NC_URL
@ -41,12 +70,6 @@ spec:
- name: maintenance-script - name: maintenance-script
mountPath: /maintenance/maintenance.sh mountPath: /maintenance/maintenance.sh
subPath: maintenance.sh subPath: maintenance.sh
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
resources: resources:
requests: requests:
cpu: 100m cpu: 100m
@ -71,13 +94,3 @@ spec:
configMap: configMap:
name: nextcloud-maintenance-script name: nextcloud-maintenance-script
defaultMode: 0755 defaultMode: 0755
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: nextcloud-vault
- name: vault-scripts
configMap:
name: nextcloud-vault-env
defaultMode: 0555

27
services/nextcloud/scripts/nextcloud_vault_env.sh
View File

@ -1,27 +0,0 @@
#!/usr/bin/env sh
set -eu
vault_dir="/vault/secrets"
read_secret() {
cat "${vault_dir}/$1"
}
export POSTGRES_DB="$(read_secret nextcloud-db__database)"
export POSTGRES_USER="$(read_secret nextcloud-db__db-username)"
export POSTGRES_PASSWORD="$(read_secret nextcloud-db__db-password)"
export NEXTCLOUD_ADMIN_USER="$(read_secret nextcloud-admin__admin-user)"
export NEXTCLOUD_ADMIN_PASSWORD="$(read_secret nextcloud-admin__admin-password)"
export ADMIN_USER="${NEXTCLOUD_ADMIN_USER}"
export ADMIN_PASS="${NEXTCLOUD_ADMIN_PASSWORD}"
export OIDC_CLIENT_ID="$(read_secret nextcloud-oidc__client-id)"
export OIDC_CLIENT_SECRET="$(read_secret nextcloud-oidc__client-secret)"
export SMTP_NAME="$(read_secret nextcloud-smtp__smtp-username)"
export SMTP_PASSWORD="$(read_secret nextcloud-smtp__smtp-password)"
export KC_ADMIN_USER="$(read_secret keycloak-admin__username)"
export KC_ADMIN_PASS="$(read_secret keycloak-admin__password)"

45
services/nextcloud/secretproviderclass.yaml
View File

@ -1,45 +0,0 @@
# services/nextcloud/secretproviderclass.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: nextcloud-vault
namespace: nextcloud
spec:
provider: vault
parameters:
vaultAddress: "http://vault.vault.svc.cluster.local:8200"
roleName: "nextcloud"
objects: |
- objectName: "nextcloud-db__database"
secretPath: "kv/data/atlas/nextcloud/nextcloud-db"
secretKey: "database"
- objectName: "nextcloud-db__db-username"
secretPath: "kv/data/atlas/nextcloud/nextcloud-db"
secretKey: "db-username"
- objectName: "nextcloud-db__db-password"
secretPath: "kv/data/atlas/nextcloud/nextcloud-db"
secretKey: "db-password"
- objectName: "nextcloud-admin__admin-user"
secretPath: "kv/data/atlas/nextcloud/nextcloud-admin"
secretKey: "admin-user"
- objectName: "nextcloud-admin__admin-password"
secretPath: "kv/data/atlas/nextcloud/nextcloud-admin"
secretKey: "admin-password"
- objectName: "nextcloud-oidc__client-id"
secretPath: "kv/data/atlas/nextcloud/nextcloud-oidc"
secretKey: "client-id"
- objectName: "nextcloud-oidc__client-secret"
secretPath: "kv/data/atlas/nextcloud/nextcloud-oidc"
secretKey: "client-secret"
- objectName: "nextcloud-smtp__smtp-username"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-username"
- objectName: "nextcloud-smtp__smtp-password"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-password"
- objectName: "keycloak-admin__username"
secretPath: "kv/data/atlas/shared/keycloak-admin"
secretKey: "username"
- objectName: "keycloak-admin__password"
secretPath: "kv/data/atlas/shared/keycloak-admin"
secretKey: "password"

46
services/outline/deployment.yaml
View File

@ -20,6 +20,34 @@ spec:
metadata: metadata:
labels: labels:
app: outline app: outline
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "outline"
vault.hashicorp.com/agent-inject-secret-outline-env.sh: "kv/data/atlas/outline/outline-db"
vault.hashicorp.com/agent-inject-template-outline-env.sh: |
{{- with secret "kv/data/atlas/outline/outline-db" -}}
export DATABASE_URL="{{ .Data.data.DATABASE_URL }}"
{{- end }}
{{- with secret "kv/data/atlas/outline/outline-secrets" -}}
export SECRET_KEY="{{ .Data.data.SECRET_KEY }}"
export UTILS_SECRET="{{ .Data.data.UTILS_SECRET }}"
{{- end }}
{{- with secret "kv/data/atlas/outline/outline-oidc" -}}
export OIDC_AUTH_URI="{{ .Data.data.OIDC_AUTH_URI }}"
export OIDC_CLIENT_ID="{{ .Data.data.OIDC_CLIENT_ID }}"
export OIDC_CLIENT_SECRET="{{ .Data.data.OIDC_CLIENT_SECRET }}"
export OIDC_LOGOUT_URI="{{ .Data.data.OIDC_LOGOUT_URI }}"
export OIDC_TOKEN_URI="{{ .Data.data.OIDC_TOKEN_URI }}"
export OIDC_USERINFO_URI="{{ .Data.data.OIDC_USERINFO_URI }}"
{{- end }}
{{- with secret "kv/data/atlas/outline/outline-smtp" -}}
export SMTP_FROM_EMAIL="{{ .Data.data.SMTP_FROM_EMAIL }}"
export SMTP_HOST="{{ .Data.data.SMTP_HOST }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export SMTP_USERNAME="{{ index .Data.data "relay-username" }}"
export SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
spec: spec:
serviceAccountName: outline-vault serviceAccountName: outline-vault
nodeSelector: nodeSelector:
@ -39,7 +67,7 @@ spec:
- /bin/sh - /bin/sh
- -c - -c
args: args:
- . /vault/scripts/outline_vault_env.sh && exec node build/server/index.js - . /vault/secrets/outline-env.sh && exec node build/server/index.js
ports: ports:
- name: http - name: http
containerPort: 3000 containerPort: 3000
@ -75,12 +103,6 @@ spec:
volumeMounts: volumeMounts:
- name: user-data - name: user-data
mountPath: /var/lib/outline/data mountPath: /var/lib/outline/data
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /_health path: /_health
@ -108,13 +130,3 @@ spec:
- name: user-data - name: user-data
persistentVolumeClaim: persistentVolumeClaim:
claimName: outline-user-data claimName: outline-user-data
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: outline-vault
- name: vault-scripts
configMap:
name: outline-vault-env
defaultMode: 0555

7
services/outline/kustomization.yaml
View File

@ -5,16 +5,9 @@ namespace: outline
resources: resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml - serviceaccount.yaml
- secretproviderclass.yaml
- user-pvc.yaml - user-pvc.yaml
- redis-deployment.yaml - redis-deployment.yaml
- redis-service.yaml - redis-service.yaml
- deployment.yaml - deployment.yaml
- service.yaml - service.yaml
- ingress.yaml - ingress.yaml
generatorOptions:
disableNameSuffixHash: true
configMapGenerator:
- name: outline-vault-env
files:
- outline_vault_env.sh=scripts/outline_vault_env.sh

31
services/outline/scripts/outline_vault_env.sh
View File

@ -1,31 +0,0 @@
#!/usr/bin/env sh
set -eu
vault_dir="/vault/secrets"
read_secret() {
cat "${vault_dir}/$1"
}
export DATABASE_URL="$(read_secret DATABASE_URL)"
export SECRET_KEY="$(read_secret SECRET_KEY)"
export UTILS_SECRET="$(read_secret UTILS_SECRET)"
export OIDC_AUTH_URI="$(read_secret OIDC_AUTH_URI)"
export OIDC_CLIENT_ID="$(read_secret OIDC_CLIENT_ID)"
export OIDC_CLIENT_SECRET="$(read_secret OIDC_CLIENT_SECRET)"
export OIDC_LOGOUT_URI="$(read_secret OIDC_LOGOUT_URI)"
export OIDC_TOKEN_URI="$(read_secret OIDC_TOKEN_URI)"
export OIDC_USERINFO_URI="$(read_secret OIDC_USERINFO_URI)"
export SMTP_FROM_EMAIL="$(read_secret SMTP_FROM_EMAIL)"
export SMTP_HOST="$(read_secret SMTP_HOST)"
export SMTP_PASSWORD="$(read_secret SMTP_PASSWORD)"
export SMTP_USERNAME="$(read_secret SMTP_USERNAME)"
if [ -f "${vault_dir}/AWS_ACCESS_KEY_ID" ]; then
export AWS_ACCESS_KEY_ID="$(read_secret AWS_ACCESS_KEY_ID)"
export AWS_SECRET_ACCESS_KEY="$(read_secret AWS_SECRET_ACCESS_KEY)"
export AWS_S3_UPLOAD_BUCKET_NAME="$(read_secret AWS_S3_UPLOAD_BUCKET_NAME)"
export AWS_S3_UPLOAD_BUCKET_URL="$(read_secret AWS_S3_UPLOAD_BUCKET_URL)"
fi

63
services/outline/secretproviderclass.yaml
View File

@ -1,63 +0,0 @@
# services/outline/secretproviderclass.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: outline-vault
namespace: outline
spec:
provider: vault
parameters:
vaultAddress: "http://vault.vault.svc.cluster.local:8200"
roleName: "outline"
objects: |
- objectName: "DATABASE_URL"
secretPath: "kv/data/atlas/outline/outline-db"
secretKey: "DATABASE_URL"
- objectName: "SECRET_KEY"
secretPath: "kv/data/atlas/outline/outline-secrets"
secretKey: "SECRET_KEY"
- objectName: "UTILS_SECRET"
secretPath: "kv/data/atlas/outline/outline-secrets"
secretKey: "UTILS_SECRET"
- objectName: "OIDC_AUTH_URI"
secretPath: "kv/data/atlas/outline/outline-oidc"
secretKey: "OIDC_AUTH_URI"
- objectName: "OIDC_CLIENT_ID"
secretPath: "kv/data/atlas/outline/outline-oidc"
secretKey: "OIDC_CLIENT_ID"
- objectName: "OIDC_CLIENT_SECRET"
secretPath: "kv/data/atlas/outline/outline-oidc"
secretKey: "OIDC_CLIENT_SECRET"
- objectName: "OIDC_LOGOUT_URI"
secretPath: "kv/data/atlas/outline/outline-oidc"
secretKey: "OIDC_LOGOUT_URI"
- objectName: "OIDC_TOKEN_URI"
secretPath: "kv/data/atlas/outline/outline-oidc"
secretKey: "OIDC_TOKEN_URI"
- objectName: "OIDC_USERINFO_URI"
secretPath: "kv/data/atlas/outline/outline-oidc"
secretKey: "OIDC_USERINFO_URI"
- objectName: "SMTP_FROM_EMAIL"
secretPath: "kv/data/atlas/outline/outline-smtp"
secretKey: "SMTP_FROM_EMAIL"
- objectName: "SMTP_HOST"
secretPath: "kv/data/atlas/outline/outline-smtp"
secretKey: "SMTP_HOST"
- objectName: "SMTP_PASSWORD"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-password"
- objectName: "SMTP_USERNAME"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-username"
- objectName: "AWS_ACCESS_KEY_ID"
secretPath: "kv/data/atlas/outline/outline-s3"
secretKey: "AWS_ACCESS_KEY_ID"
- objectName: "AWS_SECRET_ACCESS_KEY"
secretPath: "kv/data/atlas/outline/outline-s3"
secretKey: "AWS_SECRET_ACCESS_KEY"
- objectName: "AWS_S3_UPLOAD_BUCKET_NAME"
secretPath: "kv/data/atlas/outline/outline-s3"
secretKey: "AWS_S3_UPLOAD_BUCKET_NAME"
- objectName: "AWS_S3_UPLOAD_BUCKET_URL"
secretPath: "kv/data/atlas/outline/outline-s3"
secretKey: "AWS_S3_UPLOAD_BUCKET_URL"

49
services/planka/deployment.yaml
View File

@ -20,6 +20,37 @@ spec:
metadata: metadata:
labels: labels:
app: planka app: planka
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "planka"
vault.hashicorp.com/agent-inject-secret-planka-env.sh: "kv/data/atlas/planka/planka-db"
vault.hashicorp.com/agent-inject-template-planka-env.sh: |
{{- with secret "kv/data/atlas/planka/planka-db" -}}
export DATABASE_URL="{{ .Data.data.DATABASE_URL }}"
{{- end }}
{{- with secret "kv/data/atlas/planka/planka-secrets" -}}
export SECRET_KEY="{{ .Data.data.SECRET_KEY }}"
{{- end }}
{{- with secret "kv/data/atlas/planka/planka-oidc" -}}
export OIDC_CLIENT_ID="{{ .Data.data.OIDC_CLIENT_ID }}"
export OIDC_CLIENT_SECRET="{{ .Data.data.OIDC_CLIENT_SECRET }}"
export OIDC_ENFORCED="{{ .Data.data.OIDC_ENFORCED }}"
export OIDC_IGNORE_ROLES="{{ .Data.data.OIDC_IGNORE_ROLES }}"
export OIDC_ISSUER="{{ .Data.data.OIDC_ISSUER }}"
export OIDC_SCOPES="{{ .Data.data.OIDC_SCOPES }}"
export OIDC_USE_OAUTH_CALLBACK="{{ .Data.data.OIDC_USE_OAUTH_CALLBACK }}"
{{- end }}
{{- with secret "kv/data/atlas/planka/planka-smtp" -}}
export SMTP_FROM="{{ .Data.data.SMTP_FROM }}"
export SMTP_HOST="{{ .Data.data.SMTP_HOST }}"
export SMTP_PORT="{{ .Data.data.SMTP_PORT }}"
export SMTP_SECURE="{{ .Data.data.SMTP_SECURE }}"
export SMTP_TLS_REJECT_UNAUTHORIZED="{{ .Data.data.SMTP_TLS_REJECT_UNAUTHORIZED }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export SMTP_USER="{{ index .Data.data "relay-username" }}"
export SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
spec: spec:
serviceAccountName: planka-vault serviceAccountName: planka-vault
nodeSelector: nodeSelector:
@ -63,7 +94,7 @@ spec:
- /bin/sh - /bin/sh
- -c - -c
args: args:
- . /vault/scripts/planka_vault_env.sh && exec node app.js --prod - . /vault/secrets/planka-env.sh && exec node app.js --prod
ports: ports:
- name: http - name: http
containerPort: 1337 containerPort: 1337
@ -90,12 +121,6 @@ spec:
subPath: private/attachments subPath: private/attachments
- name: app-data - name: app-data
mountPath: /app/.tmp mountPath: /app/.tmp
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
readinessProbe: readinessProbe:
httpGet: httpGet:
path: / path: /
@ -126,13 +151,3 @@ spec:
- name: app-data - name: app-data
persistentVolumeClaim: persistentVolumeClaim:
claimName: planka-app-data claimName: planka-app-data
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: planka-vault
- name: vault-scripts
configMap:
name: planka-vault-env
defaultMode: 0555

7
services/planka/kustomization.yaml
View File

@ -5,15 +5,8 @@ namespace: planka
resources: resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml - serviceaccount.yaml
- secretproviderclass.yaml
- user-data-pvc.yaml - user-data-pvc.yaml
- app-pvc.yaml - app-pvc.yaml
- deployment.yaml - deployment.yaml
- service.yaml - service.yaml
- ingress.yaml - ingress.yaml
generatorOptions:
disableNameSuffixHash: true
configMapGenerator:
- name: planka-vault-env
files:
- planka_vault_env.sh=scripts/planka_vault_env.sh

27
services/planka/scripts/planka_vault_env.sh
View File

@ -1,27 +0,0 @@
#!/usr/bin/env sh
set -eu
vault_dir="/vault/secrets"
read_secret() {
cat "${vault_dir}/$1"
}
export DATABASE_URL="$(read_secret DATABASE_URL)"
export SECRET_KEY="$(read_secret SECRET_KEY)"
export OIDC_CLIENT_ID="$(read_secret OIDC_CLIENT_ID)"
export OIDC_CLIENT_SECRET="$(read_secret OIDC_CLIENT_SECRET)"
export OIDC_ENFORCED="$(read_secret OIDC_ENFORCED)"
export OIDC_IGNORE_ROLES="$(read_secret OIDC_IGNORE_ROLES)"
export OIDC_ISSUER="$(read_secret OIDC_ISSUER)"
export OIDC_SCOPES="$(read_secret OIDC_SCOPES)"
export OIDC_USE_OAUTH_CALLBACK="$(read_secret OIDC_USE_OAUTH_CALLBACK)"
export SMTP_FROM="$(read_secret SMTP_FROM)"
export SMTP_HOST="$(read_secret SMTP_HOST)"
export SMTP_PASSWORD="$(read_secret SMTP_PASSWORD)"
export SMTP_PORT="$(read_secret SMTP_PORT)"
export SMTP_SECURE="$(read_secret SMTP_SECURE)"
export SMTP_TLS_REJECT_UNAUTHORIZED="$(read_secret SMTP_TLS_REJECT_UNAUTHORIZED)"
export SMTP_USER="$(read_secret SMTP_USER)"

60
services/planka/secretproviderclass.yaml
View File

@ -1,60 +0,0 @@
# services/planka/secretproviderclass.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: planka-vault
namespace: planka
spec:
provider: vault
parameters:
vaultAddress: "http://vault.vault.svc.cluster.local:8200"
roleName: "planka"
objects: |
- objectName: "DATABASE_URL"
secretPath: "kv/data/atlas/planka/planka-db"
secretKey: "DATABASE_URL"
- objectName: "SECRET_KEY"
secretPath: "kv/data/atlas/planka/planka-secrets"
secretKey: "SECRET_KEY"
- objectName: "OIDC_CLIENT_ID"
secretPath: "kv/data/atlas/planka/planka-oidc"
secretKey: "OIDC_CLIENT_ID"
- objectName: "OIDC_CLIENT_SECRET"
secretPath: "kv/data/atlas/planka/planka-oidc"
secretKey: "OIDC_CLIENT_SECRET"
- objectName: "OIDC_ENFORCED"
secretPath: "kv/data/atlas/planka/planka-oidc"
secretKey: "OIDC_ENFORCED"
- objectName: "OIDC_IGNORE_ROLES"
secretPath: "kv/data/atlas/planka/planka-oidc"
secretKey: "OIDC_IGNORE_ROLES"
- objectName: "OIDC_ISSUER"
secretPath: "kv/data/atlas/planka/planka-oidc"
secretKey: "OIDC_ISSUER"
- objectName: "OIDC_SCOPES"
secretPath: "kv/data/atlas/planka/planka-oidc"
secretKey: "OIDC_SCOPES"
- objectName: "OIDC_USE_OAUTH_CALLBACK"
secretPath: "kv/data/atlas/planka/planka-oidc"
secretKey: "OIDC_USE_OAUTH_CALLBACK"
- objectName: "SMTP_FROM"
secretPath: "kv/data/atlas/planka/planka-smtp"
secretKey: "SMTP_FROM"
- objectName: "SMTP_HOST"
secretPath: "kv/data/atlas/planka/planka-smtp"
secretKey: "SMTP_HOST"
- objectName: "SMTP_PASSWORD"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-password"
- objectName: "SMTP_PORT"
secretPath: "kv/data/atlas/planka/planka-smtp"
secretKey: "SMTP_PORT"
- objectName: "SMTP_SECURE"
secretPath: "kv/data/atlas/planka/planka-smtp"
secretKey: "SMTP_SECURE"
- objectName: "SMTP_TLS_REJECT_UNAUTHORIZED"
secretPath: "kv/data/atlas/planka/planka-smtp"
secretKey: "SMTP_TLS_REJECT_UNAUTHORIZED"
- objectName: "SMTP_USER"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-username"

33
services/vaultwarden/deployment.yaml
View File

@ -18,6 +18,21 @@ spec:
metadata: metadata:
labels: labels:
app: vaultwarden app: vaultwarden
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "vaultwarden"
vault.hashicorp.com/agent-inject-secret-vaultwarden-env.sh: "kv/data/atlas/vaultwarden/vaultwarden-db-url"
vault.hashicorp.com/agent-inject-template-vaultwarden-env.sh: |
{{- with secret "kv/data/atlas/vaultwarden/vaultwarden-db-url" -}}
export DATABASE_URL="{{ .Data.data.DATABASE_URL }}"
{{- end }}
{{- with secret "kv/data/atlas/vaultwarden/vaultwarden-admin" -}}
export ADMIN_TOKEN="{{ .Data.data.ADMIN_TOKEN }}"
{{- end }}
{{- with secret "kv/data/atlas/shared/postmark-relay" -}}
export SMTP_USERNAME="{{ index .Data.data "relay-username" }}"
export SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
{{- end }}
spec: spec:
serviceAccountName: vaultwarden-vault serviceAccountName: vaultwarden-vault
containers: containers:
@ -26,7 +41,7 @@ spec:
command: ["/bin/sh", "-c"] command: ["/bin/sh", "-c"]
args: args:
- >- - >-
. /vault/scripts/vaultwarden_vault_env.sh . /vault/secrets/vaultwarden-env.sh
&& exec /start.sh && exec /start.sh
env: env:
- name: SIGNUPS_ALLOWED - name: SIGNUPS_ALLOWED
@ -56,23 +71,7 @@ spec:
volumeMounts: volumeMounts:
- name: vaultwarden-data - name: vaultwarden-data
mountPath: /data mountPath: /data
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
- name: vault-scripts
mountPath: /vault/scripts
readOnly: true
volumes: volumes:
- name: vaultwarden-data - name: vaultwarden-data
persistentVolumeClaim: persistentVolumeClaim:
claimName: vaultwarden-data claimName: vaultwarden-data
- name: vault-secrets
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: vaultwarden-vault
- name: vault-scripts
configMap:
name: vaultwarden-vault-env
defaultMode: 0555

8
services/vaultwarden/kustomization.yaml
View File

@ -6,14 +6,6 @@ resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml - serviceaccount.yaml
- pvc.yaml - pvc.yaml
- secretproviderclass.yaml
- deployment.yaml - deployment.yaml
- service.yaml - service.yaml
- ingress.yaml - ingress.yaml
configMapGenerator:
- name: vaultwarden-vault-env
namespace: vaultwarden
files:
- vaultwarden_vault_env.sh=scripts/vaultwarden_vault_env.sh
options:
disableNameSuffixHash: true

14
services/vaultwarden/scripts/vaultwarden_vault_env.sh
View File

@ -1,14 +0,0 @@
#!/usr/bin/env sh
set -eu
vault_dir="/vault/secrets"
read_secret() {
cat "${vault_dir}/$1"
}
export DATABASE_URL="$(read_secret vaultwarden-db-url__DATABASE_URL)"
export ADMIN_TOKEN="$(read_secret vaultwarden-admin__ADMIN_TOKEN)"
export SMTP_USERNAME="$(read_secret postmark-relay__relay-username)"
export SMTP_PASSWORD="$(read_secret postmark-relay__relay-password)"

24
services/vaultwarden/secretproviderclass.yaml
View File

@ -1,24 +0,0 @@
# services/vaultwarden/secretproviderclass.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: vaultwarden-vault
namespace: vaultwarden
spec:
provider: vault
parameters:
vaultAddress: "http://vault.vault.svc.cluster.local:8200"
roleName: "vaultwarden"
objects: |
- objectName: "vaultwarden-db-url__DATABASE_URL"
secretPath: "kv/data/atlas/vaultwarden/vaultwarden-db-url"
secretKey: "DATABASE_URL"
- objectName: "vaultwarden-admin__ADMIN_TOKEN"
secretPath: "kv/data/atlas/vaultwarden/vaultwarden-admin"
secretKey: "ADMIN_TOKEN"
- objectName: "postmark-relay__relay-username"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-username"
- objectName: "postmark-relay__relay-password"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-password"