diff --git a/services/bstein-dev-home/backend-deployment.yaml b/services/bstein-dev-home/backend-deployment.yaml
index 08f73f7..3266747 100644
--- a/services/bstein-dev-home/backend-deployment.yaml
+++ b/services/bstein-dev-home/backend-deployment.yaml
@@ -21,7 +21,7 @@ spec:
 kubernetes.io/arch: arm64
 node-role.kubernetes.io/worker: "true"
 imagePullSecrets:
- - name: harbor-bstein-robot
+ - name: harbor-regcred
 containers:
 - name: backend
 image: registry.bstein.dev/bstein/bstein-dev-home-backend:0.1.1-92 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"}
diff --git a/services/bstein-dev-home/frontend-deployment.yaml b/services/bstein-dev-home/frontend-deployment.yaml
index 3092edb..478ebf9 100644
--- a/services/bstein-dev-home/frontend-deployment.yaml
+++ b/services/bstein-dev-home/frontend-deployment.yaml
@@ -19,7 +19,7 @@ spec:
 kubernetes.io/arch: arm64
 node-role.kubernetes.io/worker: "true"
 imagePullSecrets:
- - name: harbor-bstein-robot
+ - name: harbor-regcred
 containers:
 - name: frontend
 image: registry.bstein.dev/bstein/bstein-dev-home-frontend:0.1.1-92 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-frontend"}
diff --git a/services/bstein-dev-home/kustomization.yaml b/services/bstein-dev-home/kustomization.yaml
index 57228ed..a57c81a 100644
--- a/services/bstein-dev-home/kustomization.yaml
+++ b/services/bstein-dev-home/kustomization.yaml
@@ -6,7 +6,9 @@ resources:
 - namespace.yaml
 - image.yaml
 - rbac.yaml
+ - vault-serviceaccount.yaml
 - secretproviderclass.yaml
+ - vault-sync-deployment.yaml
 - chat-ai-gateway-deployment.yaml
 - chat-ai-gateway-service.yaml
 - frontend-deployment.yaml
diff --git a/services/bstein-dev-home/secretproviderclass.yaml b/services/bstein-dev-home/secretproviderclass.yaml
index 83e94c0..c153211 100644
--- a/services/bstein-dev-home/secretproviderclass.yaml
+++ b/services/bstein-dev-home/secretproviderclass.yaml
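Review bot: Switching `imagePullSecrets` from `harbor-bstein-robot` to the Vault-synced `harbor-regcred` leaves the old robot-account Secret orphaned in the namespace, and nothing in the commit removes it or records that the corresponding Harbor robot account should be revoked, so an unused registry credential keeps living in etcd. The pull credential is now sourced from `kv/data/atlas/harbor-pull/bstein-dev-home` in Vault, which is worth stating next to the reference, e.g. `# synced from Vault (harbor-pull/bstein-dev-home) by the SecretProviderClass; old harbor-bstein-robot Secret and robot account to be removed`. The same rename appears in the frontend-deployment and vaultwarden-cred-sync-cronjob hunks, and the data-prepper hunk drops `harbor-robot-pipeline` the same way.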
@@ -11,16 +11,16 @@ spec:
 roleName: "bstein-dev-home"
 objects: |
 - objectName: "atlas-portal-db__PORTAL_DATABASE_URL"
- secretPath: "kv/data/atlas/bstein-dev-home/atlas-portal-db"
+ secretPath: "kv/data/atlas/portal/atlas-portal-db"
 secretKey: "PORTAL_DATABASE_URL"
 - objectName: "bstein-dev-home-keycloak-admin__client_secret"
- secretPath: "kv/data/atlas/bstein-dev-home/bstein-dev-home-keycloak-admin"
+ secretPath: "kv/data/atlas/portal/bstein-dev-home-keycloak-admin"
 secretKey: "client_secret"
 - objectName: "chat-ai-keys__homepage"
- secretPath: "kv/data/atlas/bstein-dev-home/chat-ai-keys"
+ secretPath: "kv/data/atlas/portal/chat-ai-keys"
 secretKey: "homepage"
 - objectName: "chat-ai-keys__matrix"
- secretPath: "kv/data/atlas/bstein-dev-home/chat-ai-keys"
+ secretPath: "kv/data/atlas/portal/chat-ai-keys"
 secretKey: "matrix"
 - objectName: "chat-ai-keys-runtime__homepage"
 secretPath: "kv/data/atlas/shared/chat-ai-keys-runtime"
@@ -34,3 +34,12 @@ spec:
 - objectName: "portal-e2e-client__client_secret"
 secretPath: "kv/data/atlas/shared/portal-e2e-client"
 secretKey: "client_secret"
+ - objectName: "harbor-pull__dockerconfigjson"
+ secretPath: "kv/data/atlas/harbor-pull/bstein-dev-home"
+ secretKey: "dockerconfigjson"
+ secretObjects:
+ - secretName: harbor-regcred
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - objectName: harbor-pull__dockerconfigjson
+ key: .dockerconfigjson
diff --git a/services/bstein-dev-home/vault-serviceaccount.yaml b/services/bstein-dev-home/vault-serviceaccount.yaml
new file mode 100644
index 0000000..d3ea79a
--- /dev/null
+++ b/services/bstein-dev-home/vault-serviceaccount.yaml
@@ -0,0 +1,6 @@
+# services/bstein-dev-home/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bstein-dev-home-vault-sync
+ namespace: bstein-dev-home
diff --git a/services/bstein-dev-home/vault-sync-deployment.yaml b/services/bstein-dev-home/vault-sync-deployment.yaml
new file mode 100644
index 0000000..ad50f1e
--- /dev/null
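Review bot: The new `harbor-pull__dockerconfigjson` object and the `harbor-regcred` entry under `secretObjects` turn into a Kubernetes Secret only while some pod in the namespace mounts this SecretProviderClass (as far as I know the CSI driver syncs `secretObjects` on volume mount and removes the Secret once nothing mounts it), which is presumably why `vault-sync-deployment.yaml` is added, but that dependency is stated nowhere in the file. Workloads switched to `harbor-regcred` in this commit therefore cannot pull from `registry.bstein.dev` until that first mount has happened, and lose the credential again if the mounting pod goes away. I would put a comment above the new object: `# materialised as Secret harbor-regcred via secretObjects; exists only while a pod (vault-sync) mounts this SecretProviderClass`. The same addition appears in the comms, crypto, harbor, sso, logging, mailu, monitoring and pegasus SecretProviderClass hunks.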
+++ b/services/bstein-dev-home/vault-sync-deployment.yaml
@@ -0,0 +1,34 @@
+# services/bstein-dev-home/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bstein-dev-home-vault-sync
+ namespace: bstein-dev-home
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: bstein-dev-home-vault-sync
+ template:
+ metadata:
+ labels:
+ app: bstein-dev-home-vault-sync
+ spec:
+ serviceAccountName: bstein-dev-home-vault-sync
+ containers:
+ - name: sync
+ image: alpine:3.20
+ command: ["/bin/sh", "-c"]
+ args:
+ - "sleep infinity"
+ volumeMounts:
+ - name: vault-secrets
+ mountPath: /vault/secrets
+ readOnly: true
+ volumes:
+ - name: vault-secrets
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: bstein-dev-home-vault
diff --git a/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml b/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml
index b531e7a..5d7531e 100644
--- a/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml
+++ b/services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml
@@ -20,7 +20,7 @@ spec:
 kubernetes.io/arch: arm64
 node-role.kubernetes.io/worker: "true"
 imagePullSecrets:
- - name: harbor-bstein-robot
+ - name: harbor-regcred
 containers:
 - name: sync
 image: registry.bstein.dev/bstein/bstein-dev-home-backend:0.1.1-92 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"}
diff --git a/services/comms/comms-secrets-ensure-rbac.yaml b/services/comms/comms-secrets-ensure-rbac.yaml
index dfb4f21..47e41d4 100644
--- a/services/comms/comms-secrets-ensure-rbac.yaml
+++ b/services/comms/comms-secrets-ensure-rbac.yaml
@@ -4,6 +4,8 @@ kind: ServiceAccount
 metadata:
 name: comms-secrets-ensure
 namespace: comms
+imagePullSecrets:
+ - name: harbor-regcred
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
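Review bot: The `sync` container exists only to keep the CSI volume mounted so that `secretObjects` get synced, yet it mounts every object of `bstein-dev-home-vault` (the portal DB URL, the Keycloak admin client secret, the pull credential) into an unhardened `alpine:3.20` shell with a floating tag, no `securityContext` and no `resources`, and the file does not say why the pod exists. A pod that holds those secrets should at least run as non-root with all capabilities dropped and a read-only root filesystem, and carry a header comment explaining that it is a mount-holder for the SecretProviderClass sync. A tighter option, if the driver setup allows it, is a second SecretProviderClass containing only the `harbor-pull` object so the sleeper never sees application secrets at all. The rewritten container stanza below adds the hardening; `services/keycloak/vault-sync-deployment.yaml` further down needs the same treatment.
```yaml
      containers:
        - name: sync
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - "sleep infinity"
          securityContext:
            runAsNonRoot: true
            runAsUser: 65532
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:  # example values - size to the observed idle footprint
            requests:
              cpu: 5m
              memory: 16Mi
            limits:
              memory: 32Mi
          # ... unchanged: volumeMounts ...
      # ... unchanged: volumes ...
```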
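Review bot: `imagePullSecrets` on the `comms-secrets-ensure` ServiceAccount only helps if `harbor-regcred` already exists in `comms` when the Job's pod is created; that Secret comes from the new `secretObjects` entry in the comms SecretProviderClass, which (as I understand the CSI driver) is synced only once some pod mounts that class, so on a fresh namespace these one-shot jobs can sit in ImagePullBackOff until whatever mounts the class has started. That ordering deserves a comment above the new lines, e.g. `# harbor-regcred is synced from Vault by the comms SecretProviderClass; a pod must mount it before this SA is used`, and possibly an explicit dependency on the mounting workload. The same ServiceAccount-level addition appears in the mas-admin-client-secret, mas-db-ensure, synapse-signingkey, mas-secrets-ensure, sso-vault and vip-controller hunks, and at pod level in the monerod, dcgm-exporter and pegasus hunks.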
diff --git a/services/comms/mas-admin-client-secret-ensure-job.yaml b/services/comms/mas-admin-client-secret-ensure-job.yaml
index 4580634..07f59a6 100644
--- a/services/comms/mas-admin-client-secret-ensure-job.yaml
+++ b/services/comms/mas-admin-client-secret-ensure-job.yaml
@@ -4,6 +4,8 @@ kind: ServiceAccount
 metadata:
 name: mas-admin-client-secret-writer
 namespace: comms
+imagePullSecrets:
+ - name: harbor-regcred
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/services/comms/mas-db-ensure-rbac.yaml b/services/comms/mas-db-ensure-rbac.yaml
index 19691d7..c8093b5 100644
--- a/services/comms/mas-db-ensure-rbac.yaml
+++ b/services/comms/mas-db-ensure-rbac.yaml
@@ -4,6 +4,8 @@ kind: ServiceAccount
 metadata:
 name: mas-db-ensure
 namespace: comms
+imagePullSecrets:
+ - name: harbor-regcred
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/services/comms/secretproviderclass.yaml b/services/comms/secretproviderclass.yaml
index 971d408..ff3767f 100644
--- a/services/comms/secretproviderclass.yaml
+++ b/services/comms/secretproviderclass.yaml
@@ -61,6 +61,9 @@ spec:
 - objectName: "synapse-oidc__client-secret"
 secretPath: "kv/data/atlas/comms/synapse-oidc"
 secretKey: "client-secret"
+ - objectName: "harbor-pull__dockerconfigjson"
+ secretPath: "kv/data/atlas/harbor-pull/comms"
+ secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: turn-shared-secret
 type: Opaque
@@ -132,3 +135,8 @@ spec:
 data:
 - objectName: synapse-oidc__client-secret
 key: client-secret
+ - secretName: harbor-regcred
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - objectName: harbor-pull__dockerconfigjson
+ key: .dockerconfigjson
diff --git a/services/comms/synapse-signingkey-ensure-rbac.yaml b/services/comms/synapse-signingkey-ensure-rbac.yaml
index c7f66bc..29387f1 100644
--- a/services/comms/synapse-signingkey-ensure-rbac.yaml
+++ b/services/comms/synapse-signingkey-ensure-rbac.yaml
@@ -4,6 +4,8 @@ kind: ServiceAccount
 metadata:
 name: othrys-synapse-signingkey-job
 namespace: comms
+imagePullSecrets:
+ - name: harbor-regcred
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/services/crypto/monerod/deployment.yaml b/services/crypto/monerod/deployment.yaml
index 40c9e24..9d64864 100644
--- a/services/crypto/monerod/deployment.yaml
+++ b/services/crypto/monerod/deployment.yaml
@@ -18,6 +18,8 @@ spec:
 fsGroupChangePolicy: OnRootMismatch
 nodeSelector:
 node-role.kubernetes.io/worker: "true"
+ imagePullSecrets:
+ - name: harbor-regcred
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
diff --git a/services/crypto/xmr-miner/secretproviderclass.yaml b/services/crypto/xmr-miner/secretproviderclass.yaml
index 2d61854..00c72bd 100644
--- a/services/crypto/xmr-miner/secretproviderclass.yaml
+++ b/services/crypto/xmr-miner/secretproviderclass.yaml
@@ -13,9 +13,17 @@ spec:
 - objectName: "xmr-payout__address"
 secretPath: "kv/data/atlas/crypto/xmr-payout"
 secretKey: "address"
+ - objectName: "harbor-pull__dockerconfigjson"
+ secretPath: "kv/data/atlas/harbor-pull/crypto"
+ secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: xmr-payout
 type: Opaque
 data:
 - objectName: xmr-payout__address
 key: address
+ - secretName: harbor-regcred
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - objectName: harbor-pull__dockerconfigjson
+ key: .dockerconfigjson
diff --git a/services/harbor/helmrelease.yaml b/services/harbor/helmrelease.yaml
index 249a3f3..11244ff 100644
--- a/services/harbor/helmrelease.yaml
+++ b/services/harbor/helmrelease.yaml
@@ -29,6 +29,8 @@ spec:
 values:
 externalURL: https://registry.bstein.dev
 imagePullPolicy: IfNotPresent
+ imagePullSecrets:
+ - name: harbor-regcred
 expose:
 type: ingress
 tls:
diff --git a/services/harbor/secretproviderclass.yaml b/services/harbor/secretproviderclass.yaml
index 1e1a7f1..90fc876 100644
--- a/services/harbor/secretproviderclass.yaml
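Review bot: Adding `harbor-regcred` to the Harbor chart's own `imagePullSecrets` is a bootstrap cycle if the Harbor component images are ever served from `registry.bstein.dev` (Harbor would have to be running to pull itself), and, because a dockerconfigjson credential is keyed to its registry host, a no-op for kubelet if they come from an upstream registry; either way the intent is not visible from the two lines. I would either drop them or document the constraint next to them: `# pull secret for registry.bstein.dev; Harbor's own images must stay on an upstream registry or the release cannot bootstrap`. The `values:` block continues outside the hunk, so I cannot see where the component image repositories are set.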
+++ b/services/harbor/secretproviderclass.yaml
@@ -49,6 +49,9 @@ spec:
 - objectName: "harbor-oidc__CONFIG_OVERWRITE_JSON"
 secretPath: "kv/data/atlas/harbor/harbor-oidc"
 secretKey: "CONFIG_OVERWRITE_JSON"
+ - objectName: "harbor-pull__dockerconfigjson"
+ secretPath: "kv/data/atlas/harbor-pull/harbor"
+ secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: harbor-core
 type: Opaque
@@ -85,3 +88,8 @@ spec:
 data:
 - objectName: harbor-oidc__CONFIG_OVERWRITE_JSON
 key: CONFIG_OVERWRITE_JSON
+ - secretName: harbor-regcred
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - objectName: harbor-pull__dockerconfigjson
+ key: .dockerconfigjson
diff --git a/services/keycloak/kustomization.yaml b/services/keycloak/kustomization.yaml
index 82df213..c34aad4 100644
--- a/services/keycloak/kustomization.yaml
+++ b/services/keycloak/kustomization.yaml
@@ -6,7 +6,9 @@ resources:
 - namespace.yaml
 - pvc.yaml
 - serviceaccount.yaml
+ - vault-serviceaccount.yaml
 - secretproviderclass.yaml
+ - vault-sync-deployment.yaml
 - deployment.yaml
 - realm-settings-job.yaml
 - portal-e2e-client-job.yaml
@@ -33,9 +35,6 @@ configMapGenerator:
 files:
 - test_portal_token_exchange.py=scripts/tests/test_portal_token_exchange.py
 - test_keycloak_execute_actions_email.py=scripts/tests/test_keycloak_execute_actions_email.py
- - name: portal-e2e-client-secret-sync-script
- files:
- - sso_portal_e2e_client_secret_sync.sh=scripts/sso_portal_e2e_client_secret_sync.sh
 - name: harbor-oidc-secret-ensure-script
 files:
 - harbor_oidc_secret_ensure.sh=scripts/harbor_oidc_secret_ensure.sh
diff --git a/services/keycloak/mas-secrets-ensure-job.yaml b/services/keycloak/mas-secrets-ensure-job.yaml
index 42a78b0..75d8300 100644
--- a/services/keycloak/mas-secrets-ensure-job.yaml
+++ b/services/keycloak/mas-secrets-ensure-job.yaml
@@ -4,6 +4,8 @@ kind: ServiceAccount
 metadata:
 name: mas-secrets-ensure
 namespace: sso
+imagePullSecrets:
+ - name: harbor-regcred
 ---
 apiVersion: batch/v1
 kind: Job
diff --git a/services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml b/services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
deleted file mode 100644
index 8bb7e55..0000000
--- a/services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: portal-e2e-client-secret-sync
- namespace: sso
-spec:
- schedule: "*/10 * * * *"
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 3
- jobTemplate:
- spec:
- backoffLimit: 1
- template:
- spec:
- serviceAccountName: portal-e2e-client-secret-sync
- restartPolicy: Never
- containers:
- - name: sync
- image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
- command: ["/usr/bin/env", "bash"]
- args: ["/scripts/sso_portal_e2e_client_secret_sync.sh"]
- volumeMounts:
- - name: script
- mountPath: /scripts
- readOnly: true
- volumes:
- - name: script
- configMap:
- name: portal-e2e-client-secret-sync-script
- defaultMode: 0555
diff --git a/services/keycloak/portal-e2e-client-secret-sync-rbac.yaml b/services/keycloak/portal-e2e-client-secret-sync-rbac.yaml
deleted file mode 100644
index e2d39bb..0000000
--- a/services/keycloak/portal-e2e-client-secret-sync-rbac.yaml
+++ /dev/null
@@ -1,31 +0,0 @@ -# services/keycloak/portal-e2e-client-secret-sync-rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: portal-e2e-client-secret-sync - namespace: sso ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: portal-e2e-client-secret-sync-source - namespace: sso -rules: - - apiGroups: [""] - resources: ["secrets"] - resourceNames: ["portal-e2e-client"] - verbs: ["get"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: portal-e2e-client-secret-sync-source - namespace: sso -subjects: - - kind: ServiceAccount - name: portal-e2e-client-secret-sync - namespace: sso -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: portal-e2e-client-secret-sync-source diff --git a/services/keycloak/realm-settings-job.yaml b/services/keycloak/realm-settings-job.yaml index 78d31d1..5cabe3c 100644 --- a/services/keycloak/realm-settings-job.yaml +++ b/services/keycloak/realm-settings-job.yaml @@ -2,7 +2,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: keycloak-realm-settings-17 + name: keycloak-realm-settings-18 namespace: sso spec: backoffLimit: 0 @@ -29,15 +29,15 @@ spec: - name: KEYCLOAK_REALM value: atlas - name: KEYCLOAK_SMTP_HOST - value: mailu-front.mailu-mailserver.svc.cluster.local + value: smtp.postmarkapp.com - name: KEYCLOAK_SMTP_PORT - value: "25" + value: "587" - name: KEYCLOAK_SMTP_FROM - value: no-reply@bstein.dev + value: no-reply-sso@bstein.dev - name: KEYCLOAK_SMTP_FROM_NAME value: Atlas SSO - name: KEYCLOAK_SMTP_REPLY_TO - value: no-reply@bstein.dev + value: no-reply-sso@bstein.dev - name: KEYCLOAK_SMTP_REPLY_TO_NAME value: Atlas SSO command: ["/bin/sh", "-c"] 
@@ -118,8 +118,10 @@ spec:
 "fromDisplayName": os.environ["KEYCLOAK_SMTP_FROM_NAME"],
 "replyTo": os.environ["KEYCLOAK_SMTP_REPLY_TO"],
 "replyToDisplayName": os.environ["KEYCLOAK_SMTP_REPLY_TO_NAME"],
- "auth": "false",
- "starttls": "false",
+ "user": os.environ["KEYCLOAK_SMTP_USER"],
+ "password": os.environ["KEYCLOAK_SMTP_PASSWORD"],
+ "auth": "true",
+ "starttls": "true",
 "ssl": "false",
 }
 )
diff --git a/services/keycloak/scripts/keycloak_vault_env.sh b/services/keycloak/scripts/keycloak_vault_env.sh
index 62f7f38..dd68fc7 100644
--- a/services/keycloak/scripts/keycloak_vault_env.sh
+++ b/services/keycloak/scripts/keycloak_vault_env.sh
@@ -24,3 +24,6 @@ export PORTAL_E2E_CLIENT_SECRET="$(read_secret portal-e2e-client__client_secret)
 export LDAP_ADMIN_PASSWORD="$(read_secret openldap-admin__LDAP_ADMIN_PASSWORD)"
 export LDAP_CONFIG_PASSWORD="$(read_secret openldap-admin__LDAP_CONFIG_PASSWORD)"
 export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
+
+export KEYCLOAK_SMTP_USER="$(read_secret postmark-relay__relay-username)"
+export KEYCLOAK_SMTP_PASSWORD="$(read_secret postmark-relay__relay-password)"
diff --git a/services/keycloak/scripts/sso_portal_e2e_client_secret_sync.sh b/services/keycloak/scripts/sso_portal_e2e_client_secret_sync.sh
deleted file mode 100755
index bf944ca..0000000
--- a/services/keycloak/scripts/sso_portal_e2e_client_secret_sync.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-SOURCE_NAMESPACE="${SOURCE_NAMESPACE:-sso}"
-DEST_NAMESPACE="${DEST_NAMESPACE:-bstein-dev-home}"
-SECRET_NAME="${SECRET_NAME:-portal-e2e-client}"
-
-client_id="$(kubectl -n "${SOURCE_NAMESPACE}" get secret "${SECRET_NAME}" -o jsonpath='{.data.client_id}')"
-client_secret="$(kubectl -n "${SOURCE_NAMESPACE}" get secret "${SECRET_NAME}" -o jsonpath='{.data.client_secret}')"
-
-cat </dev/null
-apiVersion: v1
-kind: Secret
-metadata:
- name: ${SECRET_NAME}
-type: Opaque
-data:
- client_id: ${client_id}
- client_secret: ${client_secret}
-EOF
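Review bot: `os.environ["KEYCLOAK_SMTP_USER"]` and `os.environ["KEYCLOAK_SMTP_PASSWORD"]` are not among the `env` entries changed earlier in this Job, so they can only come from `keycloak_vault_env.sh` (the next hunk) being sourced by the `/bin/sh -c` command that sits outside this hunk; if that script is not sourced in this Job, the realm update now dies with a KeyError before it touches Keycloak. Failing closed is the right outcome, but it should be said above the two lookups: `# KEYCLOAK_SMTP_USER/PASSWORD are exported by keycloak_vault_env.sh from Vault shared/postmark-relay`. The enclosing Python block starts and ends outside the hunk, so I cannot confirm the sourcing from here.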
diff --git a/services/keycloak/secretproviderclass.yaml b/services/keycloak/secretproviderclass.yaml
index 7ca83ec..e78e57e 100644
--- a/services/keycloak/secretproviderclass.yaml
+++ b/services/keycloak/secretproviderclass.yaml
@@ -46,6 +46,15 @@ spec:
 - objectName: "oauth2-proxy-oidc__cookie_secret"
 secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"
 secretKey: "cookie_secret"
+ - objectName: "postmark-relay__relay-username"
+ secretPath: "kv/data/atlas/shared/postmark-relay"
+ secretKey: "relay-username"
+ - objectName: "postmark-relay__relay-password"
+ secretPath: "kv/data/atlas/shared/postmark-relay"
+ secretKey: "relay-password"
+ - objectName: "harbor-pull__dockerconfigjson"
+ secretPath: "kv/data/atlas/harbor-pull/sso"
+ secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: openldap-admin
 type: Opaque
@@ -63,3 +72,8 @@ spec:
 key: client_secret
 - objectName: oauth2-proxy-oidc__cookie_secret
 key: cookie_secret
+ - secretName: harbor-regcred
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - objectName: harbor-pull__dockerconfigjson
+ key: .dockerconfigjson
diff --git a/services/keycloak/serviceaccount.yaml b/services/keycloak/serviceaccount.yaml
index 59d710f..5f581c1 100644
--- a/services/keycloak/serviceaccount.yaml
+++ b/services/keycloak/serviceaccount.yaml
@@ -4,3 +4,5 @@ kind: ServiceAccount
 metadata:
 name: sso-vault
 namespace: sso
+imagePullSecrets:
+ - name: harbor-regcred
diff --git a/services/keycloak/vault-serviceaccount.yaml b/services/keycloak/vault-serviceaccount.yaml
new file mode 100644
index 0000000..79fa47c
--- /dev/null
+++ b/services/keycloak/vault-serviceaccount.yaml
@@ -0,0 +1,6 @@
+# services/keycloak/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sso-vault-sync
+ namespace: sso
diff --git a/services/keycloak/vault-sync-deployment.yaml b/services/keycloak/vault-sync-deployment.yaml
new file mode 100644
index 0000000..a9afcd0
--- /dev/null
+++ b/services/keycloak/vault-sync-deployment.yaml
@@ -0,0 +1,34 @@
+# services/keycloak/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sso-vault-sync
+ namespace: sso
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: sso-vault-sync
+ template:
+ metadata:
+ labels:
+ app: sso-vault-sync
+ spec:
+ serviceAccountName: sso-vault-sync
+ containers:
+ - name: sync
+ image: alpine:3.20
+ command: ["/bin/sh", "-c"]
+ args:
+ - "sleep infinity"
+ volumeMounts:
+ - name: vault-secrets
+ mountPath: /vault/secrets
+ readOnly: true
+ volumes:
+ - name: vault-secrets
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: sso-vault
diff --git a/services/logging/data-prepper-helmrelease.yaml b/services/logging/data-prepper-helmrelease.yaml
index 8b27052..73984f5 100644
--- a/services/logging/data-prepper-helmrelease.yaml
+++ b/services/logging/data-prepper-helmrelease.yaml
@@ -22,7 +22,7 @@ spec:
 repository: registry.bstein.dev/streaming/data-prepper
 tag: "2.8.0"
 imagePullSecrets:
- - name: harbor-robot-pipeline
+ - name: harbor-regcred
 config:
 data-prepper-config.yaml: |
 ssl: false
diff --git a/services/logging/secretproviderclass.yaml b/services/logging/secretproviderclass.yaml
index 70ecb3d..bbe6cfd 100644
--- a/services/logging/secretproviderclass.yaml
+++ b/services/logging/secretproviderclass.yaml
@@ -19,6 +19,9 @@ spec:
 - objectName: "oauth2-proxy-logs-oidc__cookie_secret"
 secretPath: "kv/data/atlas/logging/oauth2-proxy-logs-oidc"
 secretKey: "cookie_secret"
+ - objectName: "harbor-pull__dockerconfigjson"
+ secretPath: "kv/data/atlas/harbor-pull/logging"
+ secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: oauth2-proxy-logs-oidc
 type: Opaque
@@ -29,3 +32,8 @@ spec:
 key: client_secret
 - objectName: oauth2-proxy-logs-oidc__cookie_secret
 key: cookie_secret
+ - secretName: harbor-regcred
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - objectName: harbor-pull__dockerconfigjson
+ key: .dockerconfigjson
diff --git a/services/mailu/secretproviderclass.yaml b/services/mailu/secretproviderclass.yaml
index 0ed32ba..11cc2fe 100644
--- a/services/mailu/secretproviderclass.yaml
+++ b/services/mailu/secretproviderclass.yaml
@@ -40,6 +40,9 @@ spec:
 - objectName: "mailu-sync-credentials__client-secret"
 secretPath: "kv/data/atlas/mailu/mailu-sync-credentials"
 secretKey: "client-secret"
+ - objectName: "harbor-pull__dockerconfigjson"
+ secretPath: "kv/data/atlas/harbor-pull/mailu-mailserver"
+ secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: mailu-secret
 type: Opaque
@@ -76,3 +79,8 @@ spec:
 key: client-id
 - objectName: mailu-sync-credentials__client-secret
 key: client-secret
+ - secretName: harbor-regcred
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - objectName: harbor-pull__dockerconfigjson
+ key: .dockerconfigjson
diff --git a/services/mailu/vip-controller.yaml b/services/mailu/vip-controller.yaml
index 81cc96e..faa49ec 100644
--- a/services/mailu/vip-controller.yaml
+++ b/services/mailu/vip-controller.yaml
@@ -5,6 +5,8 @@ kind: ServiceAccount
 metadata:
 name: vip-controller
 namespace: mailu-mailserver
+imagePullSecrets:
+ - name: harbor-regcred
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/services/monitoring/dcgm-exporter.yaml b/services/monitoring/dcgm-exporter.yaml
index 7627420..8760c9f 100644
--- a/services/monitoring/dcgm-exporter.yaml
+++ b/services/monitoring/dcgm-exporter.yaml
@@ -22,6 +22,8 @@ spec:
 prometheus.io/port: "9400"
 spec:
 serviceAccountName: default
+ imagePullSecrets:
+ - name: harbor-regcred
 runtimeClassName: nvidia
 affinity:
 nodeAffinity:
diff --git a/services/monitoring/helmrelease.yaml b/services/monitoring/helmrelease.yaml
index 33abc9e..dbb41ef 100644
--- a/services/monitoring/helmrelease.yaml
+++ b/services/monitoring/helmrelease.yaml
@@ -275,8 +275,8 @@ spec:
 GF_AUTH_ANONYMOUS_ORG_ROLE: "Viewer"
 GF_SMTP_ENABLED: "true"
 GF_SMTP_HOST: "smtp.postmarkapp.com:587"
- GF_SMTP_FROM: "alerts@bstein.dev"
- GF_SMTP_FROM_NAME: "Atlas Alerts"
+ GF_SMTP_FROM: "no-reply-grafana@bstein.dev"
+ GF_SMTP_FROM_NAME: "Atlas Grafana"
 GRAFANA_ALERT_EMAILS: "alerts@bstein.dev"
 GF_SECURITY_ALLOW_EMBEDDING: "true"
 GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
diff --git a/services/monitoring/secretproviderclass.yaml b/services/monitoring/secretproviderclass.yaml
index 3f94c08..4f58ff0 100644
--- a/services/monitoring/secretproviderclass.yaml
+++ b/services/monitoring/secretproviderclass.yaml
@@ -31,6 +31,9 @@ spec:
 - objectName: "postmark-relay__relay-password"
 secretPath: "kv/data/atlas/shared/postmark-relay"
 secretKey: "relay-password"
+ - objectName: "harbor-pull__dockerconfigjson"
+ secretPath: "kv/data/atlas/harbor-pull/monitoring"
+ secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: grafana-admin
 type: Opaque
@@ -55,3 +58,8 @@ spec:
 key: username
 - objectName: postmark-relay__relay-password
 key: password
+ - secretName: harbor-regcred
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - objectName: harbor-pull__dockerconfigjson
+ key: .dockerconfigjson
diff --git a/services/nextcloud/configmap.yaml b/services/nextcloud/configmap.yaml
index 21098a2..7222320 100644
--- a/services/nextcloud/configmap.yaml
+++ b/services/nextcloud/configmap.yaml
@@ -18,13 +18,13 @@ data:
 'default_phone_region' => 'US',
 'mail_smtpmode' => 'smtp',
 'mail_sendmailmode' => 'smtp',
- 'mail_smtphost' => 'mail.bstein.dev',
+ 'mail_smtphost' => 'smtp.postmarkapp.com',
 'mail_smtpport' => '587',
 'mail_smtpsecure' => 'tls',
 'mail_smtpauth' => true,
 'mail_smtpauthtype' => 'LOGIN',
 'mail_domain' => 'bstein.dev',
- 'mail_from_address' => 'no-reply',
+ 'mail_from_address' => 'no-reply-nextcloud',
 'datadirectory' => '/var/www/html/data',
 'apps_paths' => array (
diff --git a/services/nextcloud/deployment.yaml b/services/nextcloud/deployment.yaml
index 894484c..45f5e8f 100644
--- a/services/nextcloud/deployment.yaml
+++ b/services/nextcloud/deployment.yaml
@@ -194,13 +194,13 @@ spec:
 value: https://cloud.bstein.dev
 # SMTP (external secret: nextcloud-smtp with keys username, password)
 - name: SMTP_HOST
- value: mail.bstein.dev
+ value: smtp.postmarkapp.com
 - name: SMTP_PORT
 value: "587"
 - name: SMTP_SECURE
 value: tls
 - name: MAIL_FROM_ADDRESS
- value: no-reply
+ value: no-reply-nextcloud
 - name: MAIL_DOMAIN
 value: bstein.dev
 # OIDC (external secret: nextcloud-oidc with keys client-id, client-secret)
diff --git a/services/nextcloud/secretproviderclass.yaml b/services/nextcloud/secretproviderclass.yaml
index b5e6c37..1d9a104 100644
--- a/services/nextcloud/secretproviderclass.yaml
+++ b/services/nextcloud/secretproviderclass.yaml
@@ -32,11 +32,11 @@ spec:
 secretPath: "kv/data/atlas/nextcloud/nextcloud-oidc"
 secretKey: "client-secret"
 - objectName: "nextcloud-smtp__smtp-username"
- secretPath: "kv/data/atlas/nextcloud/nextcloud-smtp"
- secretKey: "smtp-username"
+ secretPath: "kv/data/atlas/shared/postmark-relay"
+ secretKey: "relay-username"
 - objectName: "nextcloud-smtp__smtp-password"
- secretPath: "kv/data/atlas/nextcloud/nextcloud-smtp"
- secretKey: "smtp-password"
+ secretPath: "kv/data/atlas/shared/postmark-relay"
+ secretKey: "relay-password"
 - objectName: "keycloak-admin__username"
 secretPath: "kv/data/atlas/shared/keycloak-admin"
 secretKey: "username"
diff --git a/services/outline/deployment.yaml b/services/outline/deployment.yaml
index 2cacceb..0c4825e 100644
--- a/services/outline/deployment.yaml
+++ b/services/outline/deployment.yaml
@@ -71,7 +71,7 @@ spec:
 - name: SMTP_SECURE
 value: "false"
 - name: SMTP_PORT
- value: "25"
+ value: "587"
 volumeMounts:
 - name: user-data
 mountPath: /var/lib/outline/data
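Review bot: The two objects keep the `nextcloud-smtp__` name prefix while now reading `kv/data/atlas/shared/postmark-relay`, whereas every other SecretProviderClass touched in this commit names the same objects `postmark-relay__relay-username` and `postmark-relay__relay-password`; the next person hunting for where the Nextcloud SMTP login comes from will be sent to a Vault path that no longer holds it. Renaming the objects means also updating the `secretObjects` mapping that feeds the `nextcloud-smtp` Secret, which lies outside the hunk, so if that is deferred a comment above the first object should carry the truth: `# sourced from the shared Postmark relay credential; object names kept for the nextcloud-smtp Secret mapping`.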
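Review bot: `SMTP_SECURE: "false"` is kept while `SMTP_PORT` moves to `"587"`, which in the usual Node mail stack (I believe Outline uses nodemailer) means no implicit TLS and only an opportunistic STARTTLS upgrade, so the relay username and password introduced elsewhere in this commit are protected only if the client actually upgrades before authenticating, and the hunk does not make that explicit. If Outline exposes a setting to require TLS it belongs here; failing that, the pairing needs a comment so nobody reads "false" as "plaintext is fine": `# 587 + SMTP_SECURE=false: STARTTLS rather than implicit TLS; confirm the session is upgraded before AUTH`.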
diff --git a/services/outline/secretproviderclass.yaml b/services/outline/secretproviderclass.yaml
index 2781c85..70891df 100644
--- a/services/outline/secretproviderclass.yaml
+++ b/services/outline/secretproviderclass.yaml
@@ -44,11 +44,11 @@ spec:
 secretPath: "kv/data/atlas/outline/outline-smtp"
 secretKey: "SMTP_HOST"
 - objectName: "SMTP_PASSWORD"
- secretPath: "kv/data/atlas/outline/outline-smtp"
- secretKey: "SMTP_PASSWORD"
+ secretPath: "kv/data/atlas/shared/postmark-relay"
+ secretKey: "relay-password"
 - objectName: "SMTP_USERNAME"
- secretPath: "kv/data/atlas/outline/outline-smtp"
- secretKey: "SMTP_USERNAME"
+ secretPath: "kv/data/atlas/shared/postmark-relay"
+ secretKey: "relay-username"
 - objectName: "AWS_ACCESS_KEY_ID"
 secretPath: "kv/data/atlas/outline/outline-s3"
 secretKey: "AWS_ACCESS_KEY_ID"
diff --git a/services/pegasus/deployment.yaml b/services/pegasus/deployment.yaml
index 7f8547f..94d8dfb 100644
--- a/services/pegasus/deployment.yaml
+++ b/services/pegasus/deployment.yaml
@@ -19,6 +19,8 @@ spec:
 nodeSelector:
 kubernetes.io/arch: arm64
 node-role.kubernetes.io/worker: "true"
+ imagePullSecrets:
+ - name: harbor-regcred
 securityContext:
 runAsNonRoot: true
 runAsUser: 65532
diff --git a/services/pegasus/secretproviderclass.yaml b/services/pegasus/secretproviderclass.yaml
index fa7448b..7513eee 100644
--- a/services/pegasus/secretproviderclass.yaml
+++ b/services/pegasus/secretproviderclass.yaml
@@ -19,6 +19,9 @@ spec:
 - objectName: "pegasus-secrets__JELLYFIN_API_KEY"
 secretPath: "kv/data/atlas/pegasus/pegasus-secrets"
 secretKey: "JELLYFIN_API_KEY"
+ - objectName: "harbor-pull__dockerconfigjson"
+ secretPath: "kv/data/atlas/harbor-pull/jellyfin"
+ secretKey: "dockerconfigjson"
 secretObjects:
 - secretName: pegasus-secrets
 type: Opaque
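Review bot: `SMTP_PASSWORD` and `SMTP_USERNAME` now come from `kv/data/atlas/shared/postmark-relay` while `SMTP_HOST`, on the context line just above, is still read from `kv/data/atlas/outline/outline-smtp`; unless that Vault entry was changed to the Postmark host in the same rollout (not visible here), the relay username and password get presented to whatever host the old entry names. Either move the host into the hunk next to the credentials or record the coupling: `# SMTP_HOST still lives in outline/outline-smtp - it must name the same relay as the credentials below`. The planka SecretProviderClass hunk has the same split, with host, port and `SMTP_TLS_REJECT_UNAUTHORIZED` left in `planka/planka-smtp` and only the credentials moved.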
@@ -29,3 +32,8 @@ spec:
 key: JELLYFIN_URL
 - objectName: pegasus-secrets__JELLYFIN_API_KEY
 key: JELLYFIN_API_KEY
+ - secretName: harbor-regcred
+ type: kubernetes.io/dockerconfigjson
+ data:
+ - objectName: harbor-pull__dockerconfigjson
+ key: .dockerconfigjson
diff --git a/services/planka/secretproviderclass.yaml b/services/planka/secretproviderclass.yaml
index e72d98c..028b2b5 100644
--- a/services/planka/secretproviderclass.yaml
+++ b/services/planka/secretproviderclass.yaml
@@ -44,8 +44,8 @@ spec:
 secretPath: "kv/data/atlas/planka/planka-smtp"
 secretKey: "SMTP_HOST"
 - objectName: "SMTP_PASSWORD"
- secretPath: "kv/data/atlas/planka/planka-smtp"
- secretKey: "SMTP_PASSWORD"
+ secretPath: "kv/data/atlas/shared/postmark-relay"
+ secretKey: "relay-password"
 - objectName: "SMTP_PORT"
 secretPath: "kv/data/atlas/planka/planka-smtp"
 secretKey: "SMTP_PORT"
@@ -56,5 +56,5 @@ spec:
 secretPath: "kv/data/atlas/planka/planka-smtp"
 secretKey: "SMTP_TLS_REJECT_UNAUTHORIZED"
 - objectName: "SMTP_USER"
- secretPath: "kv/data/atlas/planka/planka-smtp"
- secretKey: "SMTP_USER"
+ secretPath: "kv/data/atlas/shared/postmark-relay"
+ secretKey: "relay-username"
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index f7b61df..3ecbd3f 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@@ -76,35 +76,35 @@ path \"kv/metadata/atlas/${path}\" { } write_policy_and_role "outline" "outline" "outline-vault" \ - "outline/*" "" + "outline/* shared/postmark-relay" "" write_policy_and_role "planka" "planka" "planka-vault" \ - "planka/*" "" -write_policy_and_role "bstein-dev-home" "bstein-dev-home" "bstein-dev-home" \ - "bstein-dev-home/* shared/chat-ai-keys-runtime shared/portal-e2e-client" "" + "planka/* shared/postmark-relay" "" +write_policy_and_role "bstein-dev-home" "bstein-dev-home" "bstein-dev-home,bstein-dev-home-vault-sync" \ + "portal/* shared/chat-ai-keys-runtime shared/portal-e2e-client harbor-pull/bstein-dev-home" "" write_policy_and_role "gitea" "gitea" "gitea-vault" \ "gitea/*" "" write_policy_and_role "vaultwarden" "vaultwarden" "vaultwarden-vault" \ - "vaultwarden/*" "" -write_policy_and_role "sso" "sso" "sso-vault,mas-secrets-ensure" \ - "sso/* shared/keycloak-admin shared/portal-e2e-client" "" + "vaultwarden/* shared/postmark-relay" "" +write_policy_and_role "sso" "sso" "sso-vault,sso-vault-sync,mas-secrets-ensure" \ + "sso/* shared/keycloak-admin shared/portal-e2e-client shared/postmark-relay harbor-pull/sso" "" write_policy_and_role "mailu-mailserver" "mailu-mailserver" "mailu-vault-sync" \ - "mailu/* shared/postmark-relay" "" + "mailu/* shared/postmark-relay harbor-pull/mailu-mailserver" "" write_policy_and_role "harbor" "harbor" "harbor-vault-sync" \ - "harbor/*" "" + "harbor/* harbor-pull/harbor" "" write_policy_and_role "nextcloud" "nextcloud" "nextcloud-vault" \ - "nextcloud/* shared/keycloak-admin" "" + "nextcloud/* shared/keycloak-admin shared/postmark-relay" "" write_policy_and_role "comms" "comms" "comms-vault,atlasbot" \ - "comms/* shared/chat-ai-keys-runtime" "" + "comms/* shared/chat-ai-keys-runtime harbor-pull/comms" "" write_policy_and_role "jenkins" "jenkins" "jenkins-vault-sync" \ "jenkins/*" "" write_policy_and_role "monitoring" "monitoring" "monitoring-vault-sync" \ - "monitoring/* shared/postmark-relay" "" + 
"monitoring/* shared/postmark-relay harbor-pull/monitoring" "" write_policy_and_role "logging" "logging" "logging-vault-sync" \ - "logging/*" "" + "logging/* harbor-pull/logging" "" write_policy_and_role "pegasus" "jellyfin" "pegasus-vault-sync" \ - "pegasus/*" "" + "pegasus/* harbor-pull/jellyfin" "" write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \ - "crypto/*" "" + "crypto/* harbor-pull/crypto" "" write_policy_and_role "sso-secrets" "sso" "mas-secrets-ensure" \ "shared/keycloak-admin" \ diff --git a/services/vaultwarden/deployment.yaml b/services/vaultwarden/deployment.yaml index 22a2c86..f102ea9 100644 --- a/services/vaultwarden/deployment.yaml +++ b/services/vaultwarden/deployment.yaml @@ -36,19 +36,19 @@ spec: - name: DOMAIN value: "https://vault.bstein.dev" - name: SMTP_HOST - value: "mailu-front.mailu-mailserver.svc.cluster.local" + value: "smtp.postmarkapp.com" - name: SMTP_PORT - value: "25" + value: "587" - name: SMTP_SECURITY value: "starttls" - name: SMTP_ACCEPT_INVALID_HOSTNAMES - value: "true" + value: "false" - name: SMTP_ACCEPT_INVALID_CERTS - value: "true" + value: "false" - name: SMTP_FROM - value: "postmaster@bstein.dev" + value: "no-reply-vaultwarden@bstein.dev" - name: SMTP_FROM_NAME - value: "Atlas Vaultwarden" + value: "Vaultwarden" ports: - name: http containerPort: 80 diff --git a/services/vaultwarden/scripts/vaultwarden_vault_env.sh b/services/vaultwarden/scripts/vaultwarden_vault_env.sh index 133faaa..7a80081 100644 --- a/services/vaultwarden/scripts/vaultwarden_vault_env.sh +++ b/services/vaultwarden/scripts/vaultwarden_vault_env.sh @@ -9,3 +9,6 @@ read_secret() { export DATABASE_URL="$(read_secret vaultwarden-db-url__DATABASE_URL)" export ADMIN_TOKEN="$(read_secret vaultwarden-admin__ADMIN_TOKEN)" + +export SMTP_USERNAME="$(read_secret postmark-relay__relay-username)" +export SMTP_PASSWORD="$(read_secret postmark-relay__relay-password)" 
diff --git a/services/vaultwarden/secretproviderclass.yaml b/services/vaultwarden/secretproviderclass.yaml
index 6d4530b..63f864e 100644
--- a/services/vaultwarden/secretproviderclass.yaml
+++ b/services/vaultwarden/secretproviderclass.yaml
@@ -16,3 +16,9 @@ spec:
 - objectName: "vaultwarden-admin__ADMIN_TOKEN"
 secretPath: "kv/data/atlas/vaultwarden/vaultwarden-admin"
 secretKey: "ADMIN_TOKEN"
+ - objectName: "postmark-relay__relay-username"
+ secretPath: "kv/data/atlas/shared/postmark-relay"
+ secretKey: "relay-username"
+ - objectName: "postmark-relay__relay-password"
+ secretPath: "kv/data/atlas/shared/postmark-relay"
+ secretKey: "relay-password"