vault: add remaining secret syncs

services/crypto/xmr-miner/kustomization.yaml

@@ -3,6 +3,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - configmap-sources.yaml
+  - vault-serviceaccount.yaml
+  - secretproviderclass.yaml
   - deployment.yaml
+  - vault-sync-deployment.yaml
   - service.yaml
   - xmrig-daemonset.yaml

services/crypto/xmr-miner/secretproviderclass.yaml

@@ -0,0 +1,21 @@
+# services/crypto/xmr-miner/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: crypto-vault
+  namespace: crypto
+spec:
+  provider: vault
+  parameters:
+    vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+    roleName: "crypto"
+    objects: |
+      - objectName: "xmr-payout__address"
+        secretPath: "kv/data/atlas/crypto/xmr-payout"
+        secretKey: "address"
+  secretObjects:
+    - secretName: xmr-payout
+      type: Opaque
+      data:
+        - objectName: xmr-payout__address
+          key: address

services/crypto/xmr-miner/vault-serviceaccount.yaml

@@ -0,0 +1,6 @@
+# services/crypto/xmr-miner/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: crypto-vault-sync
+  namespace: crypto

services/crypto/xmr-miner/vault-sync-deployment.yaml

@@ -0,0 +1,34 @@
+# services/crypto/xmr-miner/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: crypto-vault-sync
+  namespace: crypto
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: crypto-vault-sync
+  template:
+    metadata:
+      labels:
+        app: crypto-vault-sync
+    spec:
+      serviceAccountName: crypto-vault-sync
+      containers:
+        - name: sync
+          image: alpine:3.20
+          command: ["/bin/sh", "-c"]
+          args:
+            - "sleep infinity"
+          volumeMounts:
+            - name: vault-secrets
+              mountPath: /vault/secrets
+              readOnly: true
+      volumes:
+        - name: vault-secrets
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: crypto-vault

services/jenkins/kustomization.yaml

@@ -5,10 +5,13 @@ namespace: jenkins
 resources:
   - namespace.yaml
   - serviceaccount.yaml
+  - vault-serviceaccount.yaml
+  - secretproviderclass.yaml
   - pvc.yaml
   - configmap-jcasc.yaml
   - configmap-plugins.yaml
   - deployment.yaml
+  - vault-sync-deployment.yaml
   - service.yaml
   - ingress.yaml
 

services/jenkins/secretproviderclass.yaml

@@ -0,0 +1,72 @@
+# services/jenkins/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: jenkins-vault
+  namespace: jenkins
+spec:
+  provider: vault
+  parameters:
+    vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+    roleName: "jenkins"
+    objects: |
+      - objectName: "jenkins-oidc__clientId"
+        secretPath: "kv/data/atlas/jenkins/jenkins-oidc"
+        secretKey: "clientId"
+      - objectName: "jenkins-oidc__clientSecret"
+        secretPath: "kv/data/atlas/jenkins/jenkins-oidc"
+        secretKey: "clientSecret"
+      - objectName: "jenkins-oidc__authorizationUrl"
+        secretPath: "kv/data/atlas/jenkins/jenkins-oidc"
+        secretKey: "authorizationUrl"
+      - objectName: "jenkins-oidc__tokenUrl"
+        secretPath: "kv/data/atlas/jenkins/jenkins-oidc"
+        secretKey: "tokenUrl"
+      - objectName: "jenkins-oidc__userInfoUrl"
+        secretPath: "kv/data/atlas/jenkins/jenkins-oidc"
+        secretKey: "userInfoUrl"
+      - objectName: "jenkins-oidc__logoutUrl"
+        secretPath: "kv/data/atlas/jenkins/jenkins-oidc"
+        secretKey: "logoutUrl"
+      - objectName: "harbor-robot-creds__username"
+        secretPath: "kv/data/atlas/jenkins/harbor-robot-creds"
+        secretKey: "username"
+      - objectName: "harbor-robot-creds__password"
+        secretPath: "kv/data/atlas/jenkins/harbor-robot-creds"
+        secretKey: "password"
+      - objectName: "gitea-pat__username"
+        secretPath: "kv/data/atlas/jenkins/gitea-pat"
+        secretKey: "username"
+      - objectName: "gitea-pat__token"
+        secretPath: "kv/data/atlas/jenkins/gitea-pat"
+        secretKey: "token"
+  secretObjects:
+    - secretName: jenkins-oidc
+      type: Opaque
+      data:
+        - objectName: jenkins-oidc__clientId
+          key: clientId
+        - objectName: jenkins-oidc__clientSecret
+          key: clientSecret
+        - objectName: jenkins-oidc__authorizationUrl
+          key: authorizationUrl
+        - objectName: jenkins-oidc__tokenUrl
+          key: tokenUrl
+        - objectName: jenkins-oidc__userInfoUrl
+          key: userInfoUrl
+        - objectName: jenkins-oidc__logoutUrl
+          key: logoutUrl
+    - secretName: harbor-robot-creds
+      type: Opaque
+      data:
+        - objectName: harbor-robot-creds__username
+          key: username
+        - objectName: harbor-robot-creds__password
+          key: password
+    - secretName: gitea-pat
+      type: Opaque
+      data:
+        - objectName: gitea-pat__username
+          key: username
+        - objectName: gitea-pat__token
+          key: token

services/jenkins/vault-serviceaccount.yaml

@@ -0,0 +1,6 @@
+# services/jenkins/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: jenkins-vault-sync
+  namespace: jenkins

services/jenkins/vault-sync-deployment.yaml

@@ -0,0 +1,34 @@
+# services/jenkins/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jenkins-vault-sync
+  namespace: jenkins
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: jenkins-vault-sync
+  template:
+    metadata:
+      labels:
+        app: jenkins-vault-sync
+    spec:
+      serviceAccountName: jenkins-vault-sync
+      containers:
+        - name: sync
+          image: alpine:3.20
+          command: ["/bin/sh", "-c"]
+          args:
+            - "sleep infinity"
+          volumeMounts:
+            - name: vault-secrets
+              mountPath: /vault/secrets
+              readOnly: true
+      volumes:
+        - name: vault-secrets
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: jenkins-vault

services/keycloak/secretproviderclass.yaml

@@ -37,3 +37,29 @@ spec:
       - objectName: "openldap-admin__LDAP_CONFIG_PASSWORD"
         secretPath: "kv/data/atlas/sso/openldap-admin"
         secretKey: "LDAP_CONFIG_PASSWORD"
+      - objectName: "oauth2-proxy-oidc__client_id"
+        secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"
+        secretKey: "client_id"
+      - objectName: "oauth2-proxy-oidc__client_secret"
+        secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"
+        secretKey: "client_secret"
+      - objectName: "oauth2-proxy-oidc__cookie_secret"
+        secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"
+        secretKey: "cookie_secret"
+  secretObjects:
+    - secretName: openldap-admin
+      type: Opaque
+      data:
+        - objectName: openldap-admin__LDAP_ADMIN_PASSWORD
+          key: LDAP_ADMIN_PASSWORD
+        - objectName: openldap-admin__LDAP_CONFIG_PASSWORD
+          key: LDAP_CONFIG_PASSWORD
+    - secretName: oauth2-proxy-oidc
+      type: Opaque
+      data:
+        - objectName: oauth2-proxy-oidc__client_id
+          key: client_id
+        - objectName: oauth2-proxy-oidc__client_secret
+          key: client_secret
+        - objectName: oauth2-proxy-oidc__cookie_secret
+          key: cookie_secret

services/logging/kustomization.yaml

@@ -8,6 +8,8 @@ resources:
   - node-log-rotation-serviceaccount.yaml
   - node-image-gc-rpi4-serviceaccount.yaml
   - node-image-prune-rpi5-serviceaccount.yaml
+  - vault-serviceaccount.yaml
+  - secretproviderclass.yaml
   - opensearch-pvc.yaml
   - opensearch-helmrelease.yaml
   - opensearch-dashboards-helmrelease.yaml
@@ -22,6 +24,7 @@ resources:
   - node-image-gc-rpi4-daemonset.yaml
   - node-image-prune-rpi5-daemonset.yaml
   - oauth2-proxy.yaml
+  - vault-sync-deployment.yaml
   - ingress.yaml
 
 configMapGenerator:

services/logging/secretproviderclass.yaml

@@ -0,0 +1,31 @@
+# services/logging/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: logging-vault
+  namespace: logging
+spec:
+  provider: vault
+  parameters:
+    vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+    roleName: "logging"
+    objects: |
+      - objectName: "oauth2-proxy-logs-oidc__client_id"
+        secretPath: "kv/data/atlas/logging/oauth2-proxy-logs-oidc"
+        secretKey: "client_id"
+      - objectName: "oauth2-proxy-logs-oidc__client_secret"
+        secretPath: "kv/data/atlas/logging/oauth2-proxy-logs-oidc"
+        secretKey: "client_secret"
+      - objectName: "oauth2-proxy-logs-oidc__cookie_secret"
+        secretPath: "kv/data/atlas/logging/oauth2-proxy-logs-oidc"
+        secretKey: "cookie_secret"
+  secretObjects:
+    - secretName: oauth2-proxy-logs-oidc
+      type: Opaque
+      data:
+        - objectName: oauth2-proxy-logs-oidc__client_id
+          key: client_id
+        - objectName: oauth2-proxy-logs-oidc__client_secret
+          key: client_secret
+        - objectName: oauth2-proxy-logs-oidc__cookie_secret
+          key: cookie_secret

services/logging/vault-serviceaccount.yaml

@@ -0,0 +1,6 @@
+# services/logging/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: logging-vault-sync
+  namespace: logging

services/logging/vault-sync-deployment.yaml

@@ -0,0 +1,34 @@
+# services/logging/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: logging-vault-sync
+  namespace: logging
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: logging-vault-sync
+  template:
+    metadata:
+      labels:
+        app: logging-vault-sync
+    spec:
+      serviceAccountName: logging-vault-sync
+      containers:
+        - name: sync
+          image: alpine:3.20
+          command: ["/bin/sh", "-c"]
+          args:
+            - "sleep infinity"
+          volumeMounts:
+            - name: vault-secrets
+              mountPath: /vault/secrets
+              readOnly: true
+      volumes:
+        - name: vault-secrets
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: logging-vault

services/monitoring/kustomization.yaml

@@ -5,6 +5,8 @@ namespace: monitoring
 resources:
   - namespace.yaml
   - rbac.yaml
+  - secretproviderclass.yaml
+  - vault-serviceaccount.yaml
   - grafana-dashboard-overview.yaml
   - grafana-dashboard-pods.yaml
   - grafana-dashboard-nodes.yaml
@@ -16,6 +18,7 @@ resources:
   - jetson-tegrastats-exporter.yaml
   - postmark-exporter-service.yaml
   - postmark-exporter-deployment.yaml
+  - vault-sync-deployment.yaml
   - grafana-alerting-config.yaml
   - grafana-smtp-sync-serviceaccount.yaml
   - grafana-smtp-sync-rbac.yaml

services/monitoring/secretproviderclass.yaml

@@ -0,0 +1,44 @@
+# services/monitoring/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: monitoring-vault
+  namespace: monitoring
+spec:
+  provider: vault
+  parameters:
+    vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+    roleName: "monitoring"
+    objects: |
+      - objectName: "grafana-admin__admin-user"
+        secretPath: "kv/data/atlas/monitoring/grafana-admin"
+        secretKey: "admin-user"
+      - objectName: "grafana-admin__admin-password"
+        secretPath: "kv/data/atlas/monitoring/grafana-admin"
+        secretKey: "admin-password"
+      - objectName: "postmark-exporter__relay-username"
+        secretPath: "kv/data/atlas/monitoring/postmark-exporter"
+        secretKey: "relay-username"
+      - objectName: "postmark-exporter__relay-password"
+        secretPath: "kv/data/atlas/monitoring/postmark-exporter"
+        secretKey: "relay-password"
+      - objectName: "postmark-exporter__sending-limit"
+        secretPath: "kv/data/atlas/monitoring/postmark-exporter"
+        secretKey: "sending-limit"
+  secretObjects:
+    - secretName: grafana-admin
+      type: Opaque
+      data:
+        - objectName: grafana-admin__admin-user
+          key: admin-user
+        - objectName: grafana-admin__admin-password
+          key: admin-password
+    - secretName: postmark-exporter
+      type: Opaque
+      data:
+        - objectName: postmark-exporter__relay-username
+          key: server-token
+        - objectName: postmark-exporter__relay-password
+          key: server-token-fallback
+        - objectName: postmark-exporter__sending-limit
+          key: sending-limit

services/monitoring/vault-serviceaccount.yaml

@@ -0,0 +1,6 @@
+# services/monitoring/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: monitoring-vault-sync
+  namespace: monitoring

services/monitoring/vault-sync-deployment.yaml

@@ -0,0 +1,34 @@
+# services/monitoring/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: monitoring-vault-sync
+  namespace: monitoring
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: monitoring-vault-sync
+  template:
+    metadata:
+      labels:
+        app: monitoring-vault-sync
+    spec:
+      serviceAccountName: monitoring-vault-sync
+      containers:
+        - name: sync
+          image: alpine:3.20
+          command: ["/bin/sh", "-c"]
+          args:
+            - "sleep infinity"
+          volumeMounts:
+            - name: vault-secrets
+              mountPath: /vault/secrets
+              readOnly: true
+      volumes:
+        - name: vault-secrets
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: monitoring-vault

services/pegasus/kustomization.yaml

@@ -3,8 +3,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - configmap.yaml
+  - vault-serviceaccount.yaml
+  - secretproviderclass.yaml
   - service.yaml
   - deployment.yaml
+  - vault-sync-deployment.yaml
   - ingress.yaml
 patches:
   - target: { kind: Deployment, name: pegasus, namespace: jellyfin }

services/pegasus/secretproviderclass.yaml

@@ -0,0 +1,31 @@
+# services/pegasus/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: pegasus-vault
+  namespace: jellyfin
+spec:
+  provider: vault
+  parameters:
+    vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+    roleName: "pegasus"
+    objects: |
+      - objectName: "pegasus-secrets__PEGASUS_SESSION_KEY"
+        secretPath: "kv/data/atlas/pegasus/pegasus-secrets"
+        secretKey: "PEGASUS_SESSION_KEY"
+      - objectName: "pegasus-secrets__JELLYFIN_URL"
+        secretPath: "kv/data/atlas/pegasus/pegasus-secrets"
+        secretKey: "JELLYFIN_URL"
+      - objectName: "pegasus-secrets__JELLYFIN_API_KEY"
+        secretPath: "kv/data/atlas/pegasus/pegasus-secrets"
+        secretKey: "JELLYFIN_API_KEY"
+  secretObjects:
+    - secretName: pegasus-secrets
+      type: Opaque
+      data:
+        - objectName: pegasus-secrets__PEGASUS_SESSION_KEY
+          key: PEGASUS_SESSION_KEY
+        - objectName: pegasus-secrets__JELLYFIN_URL
+          key: JELLYFIN_URL
+        - objectName: pegasus-secrets__JELLYFIN_API_KEY
+          key: JELLYFIN_API_KEY

services/pegasus/vault-serviceaccount.yaml

@@ -0,0 +1,6 @@
+# services/pegasus/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pegasus-vault-sync
+  namespace: jellyfin

services/pegasus/vault-sync-deployment.yaml

@@ -0,0 +1,34 @@
+# services/pegasus/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pegasus-vault-sync
+  namespace: jellyfin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pegasus-vault-sync
+  template:
+    metadata:
+      labels:
+        app: pegasus-vault-sync
+    spec:
+      serviceAccountName: pegasus-vault-sync
+      containers:
+        - name: sync
+          image: alpine:3.20
+          command: ["/bin/sh", "-c"]
+          args:
+            - "sleep infinity"
+          volumeMounts:
+            - name: vault-secrets
+              mountPath: /vault/secrets
+              readOnly: true
+      volumes:
+        - name: vault-secrets
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: pegasus-vault

services/vault/scripts/vault_k8s_auth_configure.sh

@@ -95,6 +95,16 @@ write_policy_and_role "nextcloud" "nextcloud" "nextcloud-vault" \
   "nextcloud/* shared/keycloak-admin" ""
 write_policy_and_role "comms" "comms" "comms-vault,atlasbot" \
   "comms/* shared/chat-ai-keys-runtime" ""
+write_policy_and_role "jenkins" "jenkins" "jenkins-vault-sync" \
+  "jenkins/*" ""
+write_policy_and_role "monitoring" "monitoring" "monitoring-vault-sync" \
+  "monitoring/*" ""
+write_policy_and_role "logging" "logging" "logging-vault-sync" \
+  "logging/*" ""
+write_policy_and_role "pegasus" "jellyfin" "pegasus-vault-sync" \
+  "pegasus/*" ""
+write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
+  "crypto/*" ""
 
 write_policy_and_role "sso-secrets" "sso" "mas-secrets-ensure" \
   "shared/keycloak-admin" \