diff --git a/services/crypto/xmr-miner/kustomization.yaml b/services/crypto/xmr-miner/kustomization.yaml index 46c9767..2ded8db 100644 --- a/services/crypto/xmr-miner/kustomization.yaml +++ b/services/crypto/xmr-miner/kustomization.yaml @@ -3,6 +3,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - configmap-sources.yaml + - vault-serviceaccount.yaml + - secretproviderclass.yaml - deployment.yaml + - vault-sync-deployment.yaml - service.yaml - xmrig-daemonset.yaml diff --git a/services/crypto/xmr-miner/secretproviderclass.yaml b/services/crypto/xmr-miner/secretproviderclass.yaml new file mode 100644 index 0000000..2d61854 --- /dev/null +++ b/services/crypto/xmr-miner/secretproviderclass.yaml @@ -0,0 +1,21 @@ +# services/crypto/xmr-miner/secretproviderclass.yaml +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: crypto-vault + namespace: crypto +spec: + provider: vault + parameters: + vaultAddress: "http://vault.vault.svc.cluster.local:8200" + roleName: "crypto" + objects: | + - objectName: "xmr-payout__address" + secretPath: "kv/data/atlas/crypto/xmr-payout" + secretKey: "address" + secretObjects: + - secretName: xmr-payout + type: Opaque + data: + - objectName: xmr-payout__address + key: address diff --git a/services/crypto/xmr-miner/vault-serviceaccount.yaml b/services/crypto/xmr-miner/vault-serviceaccount.yaml new file mode 100644 index 0000000..96a12c7 --- /dev/null +++ b/services/crypto/xmr-miner/vault-serviceaccount.yaml @@ -0,0 +1,6 @@ +# services/crypto/xmr-miner/vault-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: crypto-vault-sync + namespace: crypto diff --git a/services/crypto/xmr-miner/vault-sync-deployment.yaml b/services/crypto/xmr-miner/vault-sync-deployment.yaml new file mode 100644 index 0000000..fcd08c3 --- /dev/null +++ b/services/crypto/xmr-miner/vault-sync-deployment.yaml 
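Review bot: `vaultAddress` in the new xmr-miner SecretProviderClass points at Vault over plain `http://`, so the Kubernetes-auth login and every secret the CSI provider reads cross the cluster network unencrypted; the same address appears in the new services/jenkins, services/logging, services/monitoring and services/pegasus secretproviderclass.yaml. If the Vault listener has TLS, change it to `vaultAddress: "https://vault.vault.svc.cluster.local:8200"` and add `vaultCACertPath` pointing at the CA bundle; if it intentionally does not, a one-line comment above `vaultAddress` stating that this relies on in-cluster network isolation would make the trade-off explicit. The keycloak SPC touched later in this commit is pre-existing, so this may simply follow the repository's current convention rather than being new to this change.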
@@ -0,0 +1,34 @@ +# services/crypto/xmr-miner/vault-sync-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: crypto-vault-sync + namespace: crypto +spec: + replicas: 1 + selector: + matchLabels: + app: crypto-vault-sync + template: + metadata: + labels: + app: crypto-vault-sync + spec: + serviceAccountName: crypto-vault-sync + containers: + - name: sync + image: alpine:3.20 + command: ["/bin/sh", "-c"] + args: + - "sleep infinity" + volumeMounts: + - name: vault-secrets + mountPath: /vault/secrets + readOnly: true + volumes: + - name: vault-secrets + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: crypto-vault diff --git a/services/jenkins/kustomization.yaml b/services/jenkins/kustomization.yaml index acb6fb4..809f308 100644 --- a/services/jenkins/kustomization.yaml +++ b/services/jenkins/kustomization.yaml @@ -5,10 +5,13 @@ namespace: jenkins resources: - namespace.yaml - serviceaccount.yaml + - vault-serviceaccount.yaml + - secretproviderclass.yaml - pvc.yaml - configmap-jcasc.yaml - configmap-plugins.yaml - deployment.yaml + - vault-sync-deployment.yaml - service.yaml - ingress.yaml diff --git a/services/jenkins/secretproviderclass.yaml b/services/jenkins/secretproviderclass.yaml new file mode 100644 index 0000000..01cc66e --- /dev/null +++ b/services/jenkins/secretproviderclass.yaml 
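Review bot: The `sync` container in this Deployment runs the stock `alpine:3.20` image with no `securityContext` and no `resources`, so it runs with the image's default user (root for alpine), a writable root filesystem and unbounded resources while the synced secrets are mounted at /vault/secrets; the identical spec is repeated in services/jenkins, services/logging, services/monitoring and services/pegasus vault-sync-deployment.yaml. Since the container only exists to keep the CSI volume mounted (and therefore the `secretObjects` Secrets populated), a restrictive securityContext and minimal requests/limits can be added without changing what it does, as sketched below. A header comment such as `# Idle pod: keeps the secrets-store CSI volume mounted so the driver materialises the secretObjects Secrets; the container itself does nothing.` would stop a later cleanup from deleting an apparently useless `sleep infinity` pod. The image tag is not pinned to a digest; if other manifests in the repo pin by digest, `alpine:3.20@sha256:<digest>` would match them.
```yaml
      containers:
        - name: sync
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - "sleep infinity"
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          resources:
            requests:
              cpu: 5m
              memory: 16Mi
            limits:
              memory: 32Mi
          # … unchanged: volumeMounts …
      # … unchanged: volumes …
```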
@@ -0,0 +1,72 @@ +# services/jenkins/secretproviderclass.yaml +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: jenkins-vault + namespace: jenkins +spec: + provider: vault + parameters: + vaultAddress: "http://vault.vault.svc.cluster.local:8200" + roleName: "jenkins" + objects: | + - objectName: "jenkins-oidc__clientId" + secretPath: "kv/data/atlas/jenkins/jenkins-oidc" + secretKey: "clientId" + - objectName: "jenkins-oidc__clientSecret" + secretPath: "kv/data/atlas/jenkins/jenkins-oidc" + secretKey: "clientSecret" + - objectName: "jenkins-oidc__authorizationUrl" + secretPath: "kv/data/atlas/jenkins/jenkins-oidc" + secretKey: "authorizationUrl" + - objectName: "jenkins-oidc__tokenUrl" + secretPath: "kv/data/atlas/jenkins/jenkins-oidc" + secretKey: "tokenUrl" + - objectName: "jenkins-oidc__userInfoUrl" + secretPath: "kv/data/atlas/jenkins/jenkins-oidc" + secretKey: "userInfoUrl" + - objectName: "jenkins-oidc__logoutUrl" + secretPath: "kv/data/atlas/jenkins/jenkins-oidc" + secretKey: "logoutUrl" + - objectName: "harbor-robot-creds__username" + secretPath: "kv/data/atlas/jenkins/harbor-robot-creds" + secretKey: "username" + - objectName: "harbor-robot-creds__password" + secretPath: "kv/data/atlas/jenkins/harbor-robot-creds" + secretKey: "password" + - objectName: "gitea-pat__username" + secretPath: "kv/data/atlas/jenkins/gitea-pat" + secretKey: "username" + - objectName: "gitea-pat__token" + secretPath: "kv/data/atlas/jenkins/gitea-pat" + secretKey: "token" + secretObjects: + - secretName: jenkins-oidc + type: Opaque + data: + - objectName: jenkins-oidc__clientId + key: clientId + - objectName: jenkins-oidc__clientSecret + key: clientSecret + - objectName: jenkins-oidc__authorizationUrl + key: authorizationUrl + - objectName: jenkins-oidc__tokenUrl + key: tokenUrl + - objectName: jenkins-oidc__userInfoUrl + key: userInfoUrl + - objectName: jenkins-oidc__logoutUrl + key: logoutUrl + - secretName: harbor-robot-creds + type: Opaque 
+ data: + - objectName: harbor-robot-creds__username + key: username + - objectName: harbor-robot-creds__password + key: password + - secretName: gitea-pat + type: Opaque + data: + - objectName: gitea-pat__username + key: username + - objectName: gitea-pat__token + key: token diff --git a/services/jenkins/vault-serviceaccount.yaml b/services/jenkins/vault-serviceaccount.yaml new file mode 100644 index 0000000..8d31400 --- /dev/null +++ b/services/jenkins/vault-serviceaccount.yaml @@ -0,0 +1,6 @@ +# services/jenkins/vault-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: jenkins-vault-sync + namespace: jenkins diff --git a/services/jenkins/vault-sync-deployment.yaml b/services/jenkins/vault-sync-deployment.yaml new file mode 100644 index 0000000..6de64f9 --- /dev/null +++ b/services/jenkins/vault-sync-deployment.yaml @@ -0,0 +1,34 @@ +# services/jenkins/vault-sync-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: jenkins-vault-sync + namespace: jenkins +spec: + replicas: 1 + selector: + matchLabels: + app: jenkins-vault-sync + template: + metadata: + labels: + app: jenkins-vault-sync + spec: + serviceAccountName: jenkins-vault-sync + containers: + - name: sync + image: alpine:3.20 + command: ["/bin/sh", "-c"] + args: + - "sleep infinity" + volumeMounts: + - name: vault-secrets + mountPath: /vault/secrets + readOnly: true + volumes: + - name: vault-secrets + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: jenkins-vault diff --git a/services/keycloak/secretproviderclass.yaml b/services/keycloak/secretproviderclass.yaml index 7015c12..7ca83ec 100644 --- a/services/keycloak/secretproviderclass.yaml +++ b/services/keycloak/secretproviderclass.yaml 
@@ -37,3 +37,29 @@ spec: - objectName: "openldap-admin__LDAP_CONFIG_PASSWORD" secretPath: "kv/data/atlas/sso/openldap-admin" secretKey: "LDAP_CONFIG_PASSWORD" + - objectName: "oauth2-proxy-oidc__client_id" + secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc" + secretKey: "client_id" + - objectName: "oauth2-proxy-oidc__client_secret" + secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc" + secretKey: "client_secret" + - objectName: "oauth2-proxy-oidc__cookie_secret" + secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc" + secretKey: "cookie_secret" + secretObjects: + - secretName: openldap-admin + type: Opaque + data: + - objectName: openldap-admin__LDAP_ADMIN_PASSWORD + key: LDAP_ADMIN_PASSWORD + - objectName: openldap-admin__LDAP_CONFIG_PASSWORD + key: LDAP_CONFIG_PASSWORD + - secretName: oauth2-proxy-oidc + type: Opaque + data: + - objectName: oauth2-proxy-oidc__client_id + key: client_id + - objectName: oauth2-proxy-oidc__client_secret + key: client_secret + - objectName: oauth2-proxy-oidc__cookie_secret + key: cookie_secret diff --git a/services/logging/kustomization.yaml b/services/logging/kustomization.yaml index fe010f6..d1c2852 100644 --- a/services/logging/kustomization.yaml +++ b/services/logging/kustomization.yaml @@ -8,6 +8,8 @@ resources: - node-log-rotation-serviceaccount.yaml - node-image-gc-rpi4-serviceaccount.yaml - node-image-prune-rpi5-serviceaccount.yaml + - vault-serviceaccount.yaml + - secretproviderclass.yaml - opensearch-pvc.yaml - opensearch-helmrelease.yaml - opensearch-dashboards-helmrelease.yaml @@ -22,6 +24,7 @@ resources: - node-image-gc-rpi4-daemonset.yaml - node-image-prune-rpi5-daemonset.yaml - oauth2-proxy.yaml + - vault-sync-deployment.yaml - ingress.yaml configMapGenerator: diff --git a/services/logging/secretproviderclass.yaml b/services/logging/secretproviderclass.yaml new file mode 100644 index 0000000..70ecb3d --- /dev/null +++ b/services/logging/secretproviderclass.yaml 
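Review bot: The new `secretObjects` block only produces the Kubernetes Secrets `openldap-admin` and `oauth2-proxy-oidc` while some pod in the namespace mounts a CSI volume referencing this SecretProviderClass, and unlike the other services in this commit no vault-sync Deployment is added next to it. If the keycloak or openldap workload already mounts the volume that is fine, but the dependency should be stated, e.g. above `secretObjects:`: `# Synced to Secrets only while a pod mounts this SPC (currently <mounting workload>)`. The enclosing `objects: |` block scalar and the SPC header start before this hunk, so the SPC name, namespace and any existing mount cannot be checked here.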
@@ -0,0 +1,31 @@ +# services/logging/secretproviderclass.yaml +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: logging-vault + namespace: logging +spec: + provider: vault + parameters: + vaultAddress: "http://vault.vault.svc.cluster.local:8200" + roleName: "logging" + objects: | + - objectName: "oauth2-proxy-logs-oidc__client_id" + secretPath: "kv/data/atlas/logging/oauth2-proxy-logs-oidc" + secretKey: "client_id" + - objectName: "oauth2-proxy-logs-oidc__client_secret" + secretPath: "kv/data/atlas/logging/oauth2-proxy-logs-oidc" + secretKey: "client_secret" + - objectName: "oauth2-proxy-logs-oidc__cookie_secret" + secretPath: "kv/data/atlas/logging/oauth2-proxy-logs-oidc" + secretKey: "cookie_secret" + secretObjects: + - secretName: oauth2-proxy-logs-oidc + type: Opaque + data: + - objectName: oauth2-proxy-logs-oidc__client_id + key: client_id + - objectName: oauth2-proxy-logs-oidc__client_secret + key: client_secret + - objectName: oauth2-proxy-logs-oidc__cookie_secret + key: cookie_secret diff --git a/services/logging/vault-serviceaccount.yaml b/services/logging/vault-serviceaccount.yaml new file mode 100644 index 0000000..9104c20 --- /dev/null +++ b/services/logging/vault-serviceaccount.yaml @@ -0,0 +1,6 @@ +# services/logging/vault-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: logging-vault-sync + namespace: logging diff --git a/services/logging/vault-sync-deployment.yaml b/services/logging/vault-sync-deployment.yaml new file mode 100644 index 0000000..41a4f7d --- /dev/null +++ b/services/logging/vault-sync-deployment.yaml 
@@ -0,0 +1,34 @@ +# services/logging/vault-sync-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: logging-vault-sync + namespace: logging +spec: + replicas: 1 + selector: + matchLabels: + app: logging-vault-sync + template: + metadata: + labels: + app: logging-vault-sync + spec: + serviceAccountName: logging-vault-sync + containers: + - name: sync + image: alpine:3.20 + command: ["/bin/sh", "-c"] + args: + - "sleep infinity" + volumeMounts: + - name: vault-secrets + mountPath: /vault/secrets + readOnly: true + volumes: + - name: vault-secrets + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: logging-vault diff --git a/services/monitoring/kustomization.yaml b/services/monitoring/kustomization.yaml index 0dafba7..66065cb 100644 --- a/services/monitoring/kustomization.yaml +++ b/services/monitoring/kustomization.yaml @@ -5,6 +5,8 @@ namespace: monitoring resources: - namespace.yaml - rbac.yaml + - secretproviderclass.yaml + - vault-serviceaccount.yaml - grafana-dashboard-overview.yaml - grafana-dashboard-pods.yaml - grafana-dashboard-nodes.yaml @@ -16,6 +18,7 @@ resources: - jetson-tegrastats-exporter.yaml - postmark-exporter-service.yaml - postmark-exporter-deployment.yaml + - vault-sync-deployment.yaml - grafana-alerting-config.yaml - grafana-smtp-sync-serviceaccount.yaml - grafana-smtp-sync-rbac.yaml diff --git a/services/monitoring/secretproviderclass.yaml b/services/monitoring/secretproviderclass.yaml new file mode 100644 index 0000000..fcb7967 --- /dev/null +++ b/services/monitoring/secretproviderclass.yaml 
@@ -0,0 +1,44 @@ +# services/monitoring/secretproviderclass.yaml +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: monitoring-vault + namespace: monitoring +spec: + provider: vault + parameters: + vaultAddress: "http://vault.vault.svc.cluster.local:8200" + roleName: "monitoring" + objects: | + - objectName: "grafana-admin__admin-user" + secretPath: "kv/data/atlas/monitoring/grafana-admin" + secretKey: "admin-user" + - objectName: "grafana-admin__admin-password" + secretPath: "kv/data/atlas/monitoring/grafana-admin" + secretKey: "admin-password" + - objectName: "postmark-exporter__relay-username" + secretPath: "kv/data/atlas/monitoring/postmark-exporter" + secretKey: "relay-username" + - objectName: "postmark-exporter__relay-password" + secretPath: "kv/data/atlas/monitoring/postmark-exporter" + secretKey: "relay-password" + - objectName: "postmark-exporter__sending-limit" + secretPath: "kv/data/atlas/monitoring/postmark-exporter" + secretKey: "sending-limit" + secretObjects: + - secretName: grafana-admin + type: Opaque + data: + - objectName: grafana-admin__admin-user + key: admin-user + - objectName: grafana-admin__admin-password + key: admin-password + - secretName: postmark-exporter + type: Opaque + data: + - objectName: postmark-exporter__relay-username + key: server-token + - objectName: postmark-exporter__relay-password + key: server-token-fallback + - objectName: postmark-exporter__sending-limit + key: sending-limit diff --git a/services/monitoring/vault-serviceaccount.yaml b/services/monitoring/vault-serviceaccount.yaml new file mode 100644 index 0000000..fa23093 --- /dev/null +++ b/services/monitoring/vault-serviceaccount.yaml @@ -0,0 +1,6 @@ +# services/monitoring/vault-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: monitoring-vault-sync + namespace: monitoring 
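Review bot: In `secretObjects` for `postmark-exporter`, the Vault fields `relay-username` and `relay-password` are written to Secret keys `server-token` and `server-token-fallback`, whereas every other mapping in this commit keeps the Secret key equal to the Vault field name. If postmark-exporter-deployment.yaml reads `server-token`, this is deliberate but will read as a copy error to the next maintainer; add `# Secret key names are what postmark-exporter-deployment.yaml expects, not the Vault field names` above those two entries. If it is a mistake, the fix is to change the two lines to `key: relay-username` and `key: relay-password`.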
diff --git a/services/monitoring/vault-sync-deployment.yaml b/services/monitoring/vault-sync-deployment.yaml new file mode 100644 index 0000000..d335330 --- /dev/null +++ b/services/monitoring/vault-sync-deployment.yaml @@ -0,0 +1,34 @@ +# services/monitoring/vault-sync-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: monitoring-vault-sync + namespace: monitoring +spec: + replicas: 1 + selector: + matchLabels: + app: monitoring-vault-sync + template: + metadata: + labels: + app: monitoring-vault-sync + spec: + serviceAccountName: monitoring-vault-sync + containers: + - name: sync + image: alpine:3.20 + command: ["/bin/sh", "-c"] + args: + - "sleep infinity" + volumeMounts: + - name: vault-secrets + mountPath: /vault/secrets + readOnly: true + volumes: + - name: vault-secrets + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: monitoring-vault diff --git a/services/pegasus/kustomization.yaml b/services/pegasus/kustomization.yaml index 5902595..bef2b40 100644 --- a/services/pegasus/kustomization.yaml +++ b/services/pegasus/kustomization.yaml @@ -3,8 +3,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - configmap.yaml + - vault-serviceaccount.yaml + - secretproviderclass.yaml - service.yaml - deployment.yaml + - vault-sync-deployment.yaml - ingress.yaml patches: - target: { kind: Deployment, name: pegasus, namespace: jellyfin } diff --git a/services/pegasus/secretproviderclass.yaml b/services/pegasus/secretproviderclass.yaml new file mode 100644 index 0000000..fa7448b --- /dev/null +++ b/services/pegasus/secretproviderclass.yaml 
@@ -0,0 +1,31 @@ +# services/pegasus/secretproviderclass.yaml +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: pegasus-vault + namespace: jellyfin +spec: + provider: vault + parameters: + vaultAddress: "http://vault.vault.svc.cluster.local:8200" + roleName: "pegasus" + objects: | + - objectName: "pegasus-secrets__PEGASUS_SESSION_KEY" + secretPath: "kv/data/atlas/pegasus/pegasus-secrets" + secretKey: "PEGASUS_SESSION_KEY" + - objectName: "pegasus-secrets__JELLYFIN_URL" + secretPath: "kv/data/atlas/pegasus/pegasus-secrets" + secretKey: "JELLYFIN_URL" + - objectName: "pegasus-secrets__JELLYFIN_API_KEY" + secretPath: "kv/data/atlas/pegasus/pegasus-secrets" + secretKey: "JELLYFIN_API_KEY" + secretObjects: + - secretName: pegasus-secrets + type: Opaque + data: + - objectName: pegasus-secrets__PEGASUS_SESSION_KEY + key: PEGASUS_SESSION_KEY + - objectName: pegasus-secrets__JELLYFIN_URL + key: JELLYFIN_URL + - objectName: pegasus-secrets__JELLYFIN_API_KEY + key: JELLYFIN_API_KEY diff --git a/services/pegasus/vault-serviceaccount.yaml b/services/pegasus/vault-serviceaccount.yaml new file mode 100644 index 0000000..ed56930 --- /dev/null +++ b/services/pegasus/vault-serviceaccount.yaml @@ -0,0 +1,6 @@ +# services/pegasus/vault-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pegasus-vault-sync + namespace: jellyfin diff --git a/services/pegasus/vault-sync-deployment.yaml b/services/pegasus/vault-sync-deployment.yaml new file mode 100644 index 0000000..6128d8d --- /dev/null +++ b/services/pegasus/vault-sync-deployment.yaml 
@@ -0,0 +1,34 @@ +# services/pegasus/vault-sync-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pegasus-vault-sync + namespace: jellyfin +spec: + replicas: 1 + selector: + matchLabels: + app: pegasus-vault-sync + template: + metadata: + labels: + app: pegasus-vault-sync + spec: + serviceAccountName: pegasus-vault-sync + containers: + - name: sync + image: alpine:3.20 + command: ["/bin/sh", "-c"] + args: + - "sleep infinity" + volumeMounts: + - name: vault-secrets + mountPath: /vault/secrets + readOnly: true + volumes: + - name: vault-secrets + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: pegasus-vault diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh index 39577ba..c849461 100644 --- a/services/vault/scripts/vault_k8s_auth_configure.sh +++ b/services/vault/scripts/vault_k8s_auth_configure.sh @@ -95,6 +95,16 @@ write_policy_and_role "nextcloud" "nextcloud" "nextcloud-vault" \ "nextcloud/* shared/keycloak-admin" "" write_policy_and_role "comms" "comms" "comms-vault,atlasbot" \ "comms/* shared/chat-ai-keys-runtime" "" +write_policy_and_role "jenkins" "jenkins" "jenkins-vault-sync" \ + "jenkins/*" "" +write_policy_and_role "monitoring" "monitoring" "monitoring-vault-sync" \ + "monitoring/*" "" +write_policy_and_role "logging" "logging" "logging-vault-sync" \ + "logging/*" "" +write_policy_and_role "pegasus" "jellyfin" "pegasus-vault-sync" \ + "pegasus/*" "" +write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \ + "crypto/*" "" write_policy_and_role "sso-secrets" "sso" "mas-secrets-ensure" \ "shared/keycloak-admin" \