vault: sync harbor pulls

Brad Stein 2026-01-14 10:07:31 -03:00
parent b8e50bb0a6
commit b1f9df4d83
46 changed files with 254 additions and 141 deletions


@ -21,7 +21,7 @@ spec:
kubernetes.io/arch: arm64
node-role.kubernetes.io/worker: "true"
imagePullSecrets:
- name: harbor-bstein-robot
- name: harbor-regcred
containers:
- name: backend
image: registry.bstein.dev/bstein/bstein-dev-home-backend:0.1.1-92 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"}
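Review bot: Replacing `harbor-bstein-robot` with `harbor-regcred` makes this pull depend on a Secret that, as far as this page shows, only exists once the new vault-sync pod has mounted its SecretProviderClass and the CSI driver has created the `secretObjects` entry; a missing imagePullSecret is skipped by the kubelet with only a warning event, so the bootstrap gap surfaces as an authentication failure on the pull rather than as a clear missing-secret error. A comment beside the name would record the dependency, e.g. `# created by the secrets-store CSI driver from the bstein-dev-home-vault SPC; the vault-sync Deployment must be running first`. The same applies to the frontend and sync Deployment hunks, the data-prepper values hunk and every ServiceAccount hunk that adds `harbor-regcred`. The pod spec continues outside the hunk.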


@ -19,7 +19,7 @@ spec:
kubernetes.io/arch: arm64
node-role.kubernetes.io/worker: "true"
imagePullSecrets:
- name: harbor-bstein-robot
- name: harbor-regcred
containers:
- name: frontend
image: registry.bstein.dev/bstein/bstein-dev-home-frontend:0.1.1-92 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-frontend"}


@ -6,7 +6,9 @@ resources:
- namespace.yaml
- image.yaml
- rbac.yaml
- vault-serviceaccount.yaml
- secretproviderclass.yaml
- vault-sync-deployment.yaml
- chat-ai-gateway-deployment.yaml
- chat-ai-gateway-service.yaml
- frontend-deployment.yaml


@ -11,16 +11,16 @@ spec:
roleName: "bstein-dev-home"
objects: |
- objectName: "atlas-portal-db__PORTAL_DATABASE_URL"
secretPath: "kv/data/atlas/bstein-dev-home/atlas-portal-db"
secretPath: "kv/data/atlas/portal/atlas-portal-db"
secretKey: "PORTAL_DATABASE_URL"
- objectName: "bstein-dev-home-keycloak-admin__client_secret"
secretPath: "kv/data/atlas/bstein-dev-home/bstein-dev-home-keycloak-admin"
secretPath: "kv/data/atlas/portal/bstein-dev-home-keycloak-admin"
secretKey: "client_secret"
- objectName: "chat-ai-keys__homepage"
secretPath: "kv/data/atlas/bstein-dev-home/chat-ai-keys"
secretPath: "kv/data/atlas/portal/chat-ai-keys"
secretKey: "homepage"
- objectName: "chat-ai-keys__matrix"
secretPath: "kv/data/atlas/bstein-dev-home/chat-ai-keys"
secretPath: "kv/data/atlas/portal/chat-ai-keys"
secretKey: "matrix"
- objectName: "chat-ai-keys-runtime__homepage"
secretPath: "kv/data/atlas/shared/chat-ai-keys-runtime"
@ -34,3 +34,12 @@ spec:
- objectName: "portal-e2e-client__client_secret"
secretPath: "kv/data/atlas/shared/portal-e2e-client"
secretKey: "client_secret"
- objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/harbor-pull/bstein-dev-home"
secretKey: "dockerconfigjson"
secretObjects:
- secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson
data:
- objectName: harbor-pull__dockerconfigjson
key: .dockerconfigjson


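--- /dev/null
+++ b/services/bstein-dev-home/vault-serviceaccount.yaml
@@ -0,0 +1,6 @@
+# services/bstein-dev-home/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: bstein-dev-home-vault-sync
+namespace: bstein-dev-home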


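--- /dev/null
+++ b/services/bstein-dev-home/vault-sync-deployment.yaml
@@ -0,0 +1,34 @@
+# services/bstein-dev-home/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: bstein-dev-home-vault-sync
+namespace: bstein-dev-home
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: bstein-dev-home-vault-sync
+template:
+metadata:
+labels:
+app: bstein-dev-home-vault-sync
+spec:
+serviceAccountName: bstein-dev-home-vault-sync
+containers:
+- name: sync
+image: alpine:3.20
+command: ["/bin/sh", "-c"]
+args:
+- "sleep infinity"
+volumeMounts:
+- name: vault-secrets
+mountPath: /vault/secrets
+readOnly: true
+volumes:
+- name: vault-secrets
+csi:
+driver: secrets-store.csi.k8s.io
+readOnly: true
+volumeAttributes:
+secretProviderClass: bstein-dev-home-vault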
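Review bot: The sync container runs with no securityContext and no resource limits, and its image is the floating tag `alpine:3.20` where the repository otherwise pins by digest (see the deleted bitnami/kubectl CronJob); services/keycloak/vault-sync-deployment.yaml has the same shape. Its only visible purpose is keeping the SecretProviderClass mounted so the `secretObjects` Secrets, `harbor-regcred` among them, get created, and every object in that SPC — pull credential, admin and relay passwords — is readable from `/vault/secrets` inside it, so it should be the most locked-down pod in the namespace. If the CSI driver removes synced Secrets once the last mounting pod is gone, scaling this Deployment to zero would also remove `harbor-regcred`; that deserves a comment at the top of the file. Suggested hardening of the container spec below.

```yaml
      containers:
        - name: sync
          # TODO pin by digest, e.g. alpine:3.20@sha256:<DIGEST-PLACEHOLDER>
          image: alpine:3.20
          # … unchanged: command, args, volumeMounts …
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          resources:
            requests:
              cpu: 5m
              memory: 16Mi
            limits:
              memory: 32Mi
```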


@ -20,7 +20,7 @@ spec:
kubernetes.io/arch: arm64
node-role.kubernetes.io/worker: "true"
imagePullSecrets:
- name: harbor-bstein-robot
- name: harbor-regcred
containers:
- name: sync
image: registry.bstein.dev/bstein/bstein-dev-home-backend:0.1.1-92 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"}


@ -4,6 +4,8 @@ kind: ServiceAccount
metadata:
name: comms-secrets-ensure
namespace: comms
imagePullSecrets:
- name: harbor-regcred
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole


@ -4,6 +4,8 @@ kind: ServiceAccount
metadata:
name: mas-admin-client-secret-writer
namespace: comms
imagePullSecrets:
- name: harbor-regcred
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role


@ -4,6 +4,8 @@ kind: ServiceAccount
metadata:
name: mas-db-ensure
namespace: comms
imagePullSecrets:
- name: harbor-regcred
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole


@ -61,6 +61,9 @@ spec:
- objectName: "synapse-oidc__client-secret"
secretPath: "kv/data/atlas/comms/synapse-oidc"
secretKey: "client-secret"
- objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/harbor-pull/comms"
secretKey: "dockerconfigjson"
secretObjects:
- secretName: turn-shared-secret
type: Opaque
@ -132,3 +135,8 @@ spec:
data:
- objectName: synapse-oidc__client-secret
key: client-secret
- secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson
data:
- objectName: harbor-pull__dockerconfigjson
key: .dockerconfigjson


@ -4,6 +4,8 @@ kind: ServiceAccount
metadata:
name: othrys-synapse-signingkey-job
namespace: comms
imagePullSecrets:
- name: harbor-regcred
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role


@ -18,6 +18,8 @@ spec:
fsGroupChangePolicy: OnRootMismatch
nodeSelector:
node-role.kubernetes.io/worker: "true"
imagePullSecrets:
- name: harbor-regcred
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:


@ -13,9 +13,17 @@ spec:
- objectName: "xmr-payout__address"
secretPath: "kv/data/atlas/crypto/xmr-payout"
secretKey: "address"
- objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/harbor-pull/crypto"
secretKey: "dockerconfigjson"
secretObjects:
- secretName: xmr-payout
type: Opaque
data:
- objectName: xmr-payout__address
key: address
- secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson
data:
- objectName: harbor-pull__dockerconfigjson
key: .dockerconfigjson


@ -29,6 +29,8 @@ spec:
values:
externalURL: https://registry.bstein.dev
imagePullPolicy: IfNotPresent
imagePullSecrets:
- name: harbor-regcred
expose:
type: ingress
tls:


@ -49,6 +49,9 @@ spec:
- objectName: "harbor-oidc__CONFIG_OVERWRITE_JSON"
secretPath: "kv/data/atlas/harbor/harbor-oidc"
secretKey: "CONFIG_OVERWRITE_JSON"
- objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/harbor-pull/harbor"
secretKey: "dockerconfigjson"
secretObjects:
- secretName: harbor-core
type: Opaque
@ -85,3 +88,8 @@ spec:
data:
- objectName: harbor-oidc__CONFIG_OVERWRITE_JSON
key: CONFIG_OVERWRITE_JSON
- secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson
data:
- objectName: harbor-pull__dockerconfigjson
key: .dockerconfigjson


@ -6,7 +6,9 @@ resources:
- namespace.yaml
- pvc.yaml
- serviceaccount.yaml
- vault-serviceaccount.yaml
- secretproviderclass.yaml
- vault-sync-deployment.yaml
- deployment.yaml
- realm-settings-job.yaml
- portal-e2e-client-job.yaml
@ -33,9 +35,6 @@ configMapGenerator:
files:
- test_portal_token_exchange.py=scripts/tests/test_portal_token_exchange.py
- test_keycloak_execute_actions_email.py=scripts/tests/test_keycloak_execute_actions_email.py
- name: portal-e2e-client-secret-sync-script
files:
- sso_portal_e2e_client_secret_sync.sh=scripts/sso_portal_e2e_client_secret_sync.sh
- name: harbor-oidc-secret-ensure-script
files:
- harbor_oidc_secret_ensure.sh=scripts/harbor_oidc_secret_ensure.sh
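Review bot: The `portal-e2e-client-secret-sync-script` generator is removed, but neither hunk shows the deleted `portal-e2e-client-secret-sync-cronjob.yaml` and `portal-e2e-client-secret-sync-rbac.yaml` being dropped from `resources:` (the first hunk only adds two entries); if those files are listed further down the list, `kustomize build` will fail on the missing paths. Worth confirming before merge, since the rest of the resources list is outside both hunks.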


@ -4,6 +4,8 @@ kind: ServiceAccount
metadata:
name: mas-secrets-ensure
namespace: sso
imagePullSecrets:
- name: harbor-regcred
---
apiVersion: batch/v1
kind: Job


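--- a/services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-# services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-name: portal-e2e-client-secret-sync
-namespace: sso
-spec:
-schedule: "*/10 * * * *"
-concurrencyPolicy: Forbid
-successfulJobsHistoryLimit: 1
-failedJobsHistoryLimit: 3
-jobTemplate:
-spec:
-backoffLimit: 1
-template:
-spec:
-serviceAccountName: portal-e2e-client-secret-sync
-restartPolicy: Never
-containers:
-- name: sync
-image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
-command: ["/usr/bin/env", "bash"]
-args: ["/scripts/sso_portal_e2e_client_secret_sync.sh"]
-volumeMounts:
-- name: script
-mountPath: /scripts
-readOnly: true
-volumes:
-- name: script
-configMap:
-name: portal-e2e-client-secret-sync-script
-defaultMode: 0555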


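--- a/services/keycloak/portal-e2e-client-secret-sync-rbac.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# services/keycloak/portal-e2e-client-secret-sync-rbac.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-name: portal-e2e-client-secret-sync
-namespace: sso
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-name: portal-e2e-client-secret-sync-source
-namespace: sso
-rules:
-- apiGroups: [""]
-resources: ["secrets"]
-resourceNames: ["portal-e2e-client"]
-verbs: ["get"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-name: portal-e2e-client-secret-sync-source
-namespace: sso
-subjects:
-- kind: ServiceAccount
-name: portal-e2e-client-secret-sync
-namespace: sso
-roleRef:
-apiGroup: rbac.authorization.k8s.io
-kind: Role
-name: portal-e2e-client-secret-sync-source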


@ -2,7 +2,7 @@
apiVersion: batch/v1
kind: Job
metadata:
name: keycloak-realm-settings-17
name: keycloak-realm-settings-18
namespace: sso
spec:
backoffLimit: 0
@ -29,15 +29,15 @@ spec:
- name: KEYCLOAK_REALM
value: atlas
- name: KEYCLOAK_SMTP_HOST
value: mailu-front.mailu-mailserver.svc.cluster.local
value: smtp.postmarkapp.com
- name: KEYCLOAK_SMTP_PORT
value: "25"
value: "587"
- name: KEYCLOAK_SMTP_FROM
value: no-reply@bstein.dev
value: no-reply-sso@bstein.dev
- name: KEYCLOAK_SMTP_FROM_NAME
value: Atlas SSO
- name: KEYCLOAK_SMTP_REPLY_TO
value: no-reply@bstein.dev
value: no-reply-sso@bstein.dev
- name: KEYCLOAK_SMTP_REPLY_TO_NAME
value: Atlas SSO
command: ["/bin/sh", "-c"]
@ -118,8 +118,10 @@ spec:
"fromDisplayName": os.environ["KEYCLOAK_SMTP_FROM_NAME"],
"replyTo": os.environ["KEYCLOAK_SMTP_REPLY_TO"],
"replyToDisplayName": os.environ["KEYCLOAK_SMTP_REPLY_TO_NAME"],
"auth": "false",
"starttls": "false",
"user": os.environ["KEYCLOAK_SMTP_USER"],
"password": os.environ["KEYCLOAK_SMTP_PASSWORD"],
"auth": "true",
"starttls": "true",
"ssl": "false",
}
)
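Review bot: `os.environ["KEYCLOAK_SMTP_USER"]` and `os.environ["KEYCLOAK_SMTP_PASSWORD"]` raise KeyError when the variables are absent, and the Job's visible env list (second hunk of this file) does not define them; they are exported by the `KEYCLOAK_SMTP_*` lines added to the env script further down, so this Job must source that script before the Python runs, which is not visible here. The combination `"auth": "true"`, `"starttls": "true"`, `"ssl": "false"` with port `"587"` is the right one for a STARTTLS relay. A comment above these keys, e.g. `# KEYCLOAK_SMTP_USER/PASSWORD come from the sourced vault env script, not from the Job env`, would make the dependency explicit. The Python snippet and the enclosing shell command continue outside the hunk.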


@ -24,3 +24,6 @@ export PORTAL_E2E_CLIENT_SECRET="$(read_secret portal-e2e-client__client_secret)
export LDAP_ADMIN_PASSWORD="$(read_secret openldap-admin__LDAP_ADMIN_PASSWORD)"
export LDAP_CONFIG_PASSWORD="$(read_secret openldap-admin__LDAP_CONFIG_PASSWORD)"
export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
export KEYCLOAK_SMTP_USER="$(read_secret postmark-relay__relay-username)"
export KEYCLOAK_SMTP_PASSWORD="$(read_secret postmark-relay__relay-password)"


@ -1,20 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
SOURCE_NAMESPACE="${SOURCE_NAMESPACE:-sso}"
DEST_NAMESPACE="${DEST_NAMESPACE:-bstein-dev-home}"
SECRET_NAME="${SECRET_NAME:-portal-e2e-client}"
client_id="$(kubectl -n "${SOURCE_NAMESPACE}" get secret "${SECRET_NAME}" -o jsonpath='{.data.client_id}')"
client_secret="$(kubectl -n "${SOURCE_NAMESPACE}" get secret "${SECRET_NAME}" -o jsonpath='{.data.client_secret}')"
cat <<EOF | kubectl -n "${DEST_NAMESPACE}" apply -f - >/dev/null
apiVersion: v1
kind: Secret
metadata:
name: ${SECRET_NAME}
type: Opaque
data:
client_id: ${client_id}
client_secret: ${client_secret}
EOF


@ -46,6 +46,15 @@ spec:
- objectName: "oauth2-proxy-oidc__cookie_secret"
secretPath: "kv/data/atlas/sso/oauth2-proxy-oidc"
secretKey: "cookie_secret"
- objectName: "postmark-relay__relay-username"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-username"
- objectName: "postmark-relay__relay-password"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-password"
- objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/harbor-pull/sso"
secretKey: "dockerconfigjson"
secretObjects:
- secretName: openldap-admin
type: Opaque
@ -63,3 +72,8 @@ spec:
key: client_secret
- objectName: oauth2-proxy-oidc__cookie_secret
key: cookie_secret
- secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson
data:
- objectName: harbor-pull__dockerconfigjson
key: .dockerconfigjson


@ -4,3 +4,5 @@ kind: ServiceAccount
metadata:
name: sso-vault
namespace: sso
imagePullSecrets:
- name: harbor-regcred


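--- /dev/null
+++ b/services/keycloak/vault-serviceaccount.yaml
@@ -0,0 +1,6 @@
+# services/keycloak/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: sso-vault-sync
+namespace: sso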


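--- /dev/null
+++ b/services/keycloak/vault-sync-deployment.yaml
@@ -0,0 +1,34 @@
+# services/keycloak/vault-sync-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: sso-vault-sync
+namespace: sso
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: sso-vault-sync
+template:
+metadata:
+labels:
+app: sso-vault-sync
+spec:
+serviceAccountName: sso-vault-sync
+containers:
+- name: sync
+image: alpine:3.20
+command: ["/bin/sh", "-c"]
+args:
+- "sleep infinity"
+volumeMounts:
+- name: vault-secrets
+mountPath: /vault/secrets
+readOnly: true
+volumes:
+- name: vault-secrets
+csi:
+driver: secrets-store.csi.k8s.io
+readOnly: true
+volumeAttributes:
+secretProviderClass: sso-vault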


@ -22,7 +22,7 @@ spec:
repository: registry.bstein.dev/streaming/data-prepper
tag: "2.8.0"
imagePullSecrets:
- name: harbor-robot-pipeline
- name: harbor-regcred
config:
data-prepper-config.yaml: |
ssl: false


@ -19,6 +19,9 @@ spec:
- objectName: "oauth2-proxy-logs-oidc__cookie_secret"
secretPath: "kv/data/atlas/logging/oauth2-proxy-logs-oidc"
secretKey: "cookie_secret"
- objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/harbor-pull/logging"
secretKey: "dockerconfigjson"
secretObjects:
- secretName: oauth2-proxy-logs-oidc
type: Opaque
@ -29,3 +32,8 @@ spec:
key: client_secret
- objectName: oauth2-proxy-logs-oidc__cookie_secret
key: cookie_secret
- secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson
data:
- objectName: harbor-pull__dockerconfigjson
key: .dockerconfigjson


@ -40,6 +40,9 @@ spec:
- objectName: "mailu-sync-credentials__client-secret"
secretPath: "kv/data/atlas/mailu/mailu-sync-credentials"
secretKey: "client-secret"
- objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/harbor-pull/mailu-mailserver"
secretKey: "dockerconfigjson"
secretObjects:
- secretName: mailu-secret
type: Opaque
@ -76,3 +79,8 @@ spec:
key: client-id
- objectName: mailu-sync-credentials__client-secret
key: client-secret
- secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson
data:
- objectName: harbor-pull__dockerconfigjson
key: .dockerconfigjson


@ -5,6 +5,8 @@ kind: ServiceAccount
metadata:
name: vip-controller
namespace: mailu-mailserver
imagePullSecrets:
- name: harbor-regcred
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role


@ -22,6 +22,8 @@ spec:
prometheus.io/port: "9400"
spec:
serviceAccountName: default
imagePullSecrets:
- name: harbor-regcred
runtimeClassName: nvidia
affinity:
nodeAffinity:


@ -275,8 +275,8 @@ spec:
GF_AUTH_ANONYMOUS_ORG_ROLE: "Viewer"
GF_SMTP_ENABLED: "true"
GF_SMTP_HOST: "smtp.postmarkapp.com:587"
GF_SMTP_FROM: "alerts@bstein.dev"
GF_SMTP_FROM_NAME: "Atlas Alerts"
GF_SMTP_FROM: "no-reply-grafana@bstein.dev"
GF_SMTP_FROM_NAME: "Atlas Grafana"
GRAFANA_ALERT_EMAILS: "alerts@bstein.dev"
GF_SECURITY_ALLOW_EMBEDDING: "true"
GF_AUTH_GENERIC_OAUTH_ENABLED: "true"


@ -31,6 +31,9 @@ spec:
- objectName: "postmark-relay__relay-password"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-password"
- objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/harbor-pull/monitoring"
secretKey: "dockerconfigjson"
secretObjects:
- secretName: grafana-admin
type: Opaque
@ -55,3 +58,8 @@ spec:
key: username
- objectName: postmark-relay__relay-password
key: password
- secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson
data:
- objectName: harbor-pull__dockerconfigjson
key: .dockerconfigjson


@ -18,13 +18,13 @@ data:
'default_phone_region' => 'US',
'mail_smtpmode' => 'smtp',
'mail_sendmailmode' => 'smtp',
'mail_smtphost' => 'mail.bstein.dev',
'mail_smtphost' => 'smtp.postmarkapp.com',
'mail_smtpport' => '587',
'mail_smtpsecure' => 'tls',
'mail_smtpauth' => true,
'mail_smtpauthtype' => 'LOGIN',
'mail_domain' => 'bstein.dev',
'mail_from_address' => 'no-reply',
'mail_from_address' => 'no-reply-nextcloud',
'datadirectory' => '/var/www/html/data',
'apps_paths' =>
array (


@ -194,13 +194,13 @@ spec:
value: https://cloud.bstein.dev
# SMTP (external secret: nextcloud-smtp with keys username, password)
- name: SMTP_HOST
value: mail.bstein.dev
value: smtp.postmarkapp.com
- name: SMTP_PORT
value: "587"
- name: SMTP_SECURE
value: tls
- name: MAIL_FROM_ADDRESS
value: no-reply
value: no-reply-nextcloud
- name: MAIL_DOMAIN
value: bstein.dev
# OIDC (external secret: nextcloud-oidc with keys client-id, client-secret)


@ -32,11 +32,11 @@ spec:
secretPath: "kv/data/atlas/nextcloud/nextcloud-oidc"
secretKey: "client-secret"
- objectName: "nextcloud-smtp__smtp-username"
secretPath: "kv/data/atlas/nextcloud/nextcloud-smtp"
secretKey: "smtp-username"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-username"
- objectName: "nextcloud-smtp__smtp-password"
secretPath: "kv/data/atlas/nextcloud/nextcloud-smtp"
secretKey: "smtp-password"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-password"
- objectName: "keycloak-admin__username"
secretPath: "kv/data/atlas/shared/keycloak-admin"
secretKey: "username"


@ -71,7 +71,7 @@ spec:
- name: SMTP_SECURE
value: "false"
- name: SMTP_PORT
value: "25"
value: "587"
volumeMounts:
- name: user-data
mountPath: /var/lib/outline/data
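Review bot: `SMTP_SECURE: "false"` together with the new port `"587"` means the session opens in cleartext and is expected to upgrade via STARTTLS; whether Outline insists on that upgrade rather than falling back to a plaintext login when it is not offered is not visible here and should be confirmed, because the credentials this Deployment now sends are the shared Postmark relay ones. A comment such as `# 587 + SMTP_SECURE=false means STARTTLS; do not revert to 25` would record the intent. The container spec continues outside the hunk.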


@ -44,11 +44,11 @@ spec:
secretPath: "kv/data/atlas/outline/outline-smtp"
secretKey: "SMTP_HOST"
- objectName: "SMTP_PASSWORD"
secretPath: "kv/data/atlas/outline/outline-smtp"
secretKey: "SMTP_PASSWORD"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-password"
- objectName: "SMTP_USERNAME"
secretPath: "kv/data/atlas/outline/outline-smtp"
secretKey: "SMTP_USERNAME"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-username"
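Review bot: `SMTP_PASSWORD` and `SMTP_USERNAME` now come from `shared/postmark-relay`, but `SMTP_HOST` is still read from `outline/outline-smtp` (first lines of the hunk); if that Vault entry still names the previous relay host, the Postmark credentials will be presented to the wrong server. The planka hunk has the same split: `SMTP_USER` and `SMTP_PASSWORD` from postmark-relay while `SMTP_HOST`, `SMTP_PORT` and `SMTP_TLS_REJECT_UNAUTHORIZED` stay in `planka/planka-smtp`, and for a public relay that last value should be true. Either move the host entries to the shared path as well, or add `# host/port stay app-specific and must match the postmark-relay credentials` so the coupling is recorded.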
- objectName: "AWS_ACCESS_KEY_ID"
secretPath: "kv/data/atlas/outline/outline-s3"
secretKey: "AWS_ACCESS_KEY_ID"


@ -19,6 +19,8 @@ spec:
nodeSelector:
kubernetes.io/arch: arm64
node-role.kubernetes.io/worker: "true"
imagePullSecrets:
- name: harbor-regcred
securityContext:
runAsNonRoot: true
runAsUser: 65532


@ -19,6 +19,9 @@ spec:
- objectName: "pegasus-secrets__JELLYFIN_API_KEY"
secretPath: "kv/data/atlas/pegasus/pegasus-secrets"
secretKey: "JELLYFIN_API_KEY"
- objectName: "harbor-pull__dockerconfigjson"
secretPath: "kv/data/atlas/harbor-pull/jellyfin"
secretKey: "dockerconfigjson"
secretObjects:
- secretName: pegasus-secrets
type: Opaque
@ -29,3 +32,8 @@ spec:
key: JELLYFIN_URL
- objectName: pegasus-secrets__JELLYFIN_API_KEY
key: JELLYFIN_API_KEY
- secretName: harbor-regcred
type: kubernetes.io/dockerconfigjson
data:
- objectName: harbor-pull__dockerconfigjson
key: .dockerconfigjson


@ -44,8 +44,8 @@ spec:
secretPath: "kv/data/atlas/planka/planka-smtp"
secretKey: "SMTP_HOST"
- objectName: "SMTP_PASSWORD"
secretPath: "kv/data/atlas/planka/planka-smtp"
secretKey: "SMTP_PASSWORD"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-password"
- objectName: "SMTP_PORT"
secretPath: "kv/data/atlas/planka/planka-smtp"
secretKey: "SMTP_PORT"
@ -56,5 +56,5 @@ spec:
secretPath: "kv/data/atlas/planka/planka-smtp"
secretKey: "SMTP_TLS_REJECT_UNAUTHORIZED"
- objectName: "SMTP_USER"
secretPath: "kv/data/atlas/planka/planka-smtp"
secretKey: "SMTP_USER"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-username"


@ -76,35 +76,35 @@ path \"kv/metadata/atlas/${path}\" {
}
write_policy_and_role "outline" "outline" "outline-vault" \
"outline/*" ""
"outline/* shared/postmark-relay" ""
write_policy_and_role "planka" "planka" "planka-vault" \
"planka/*" ""
write_policy_and_role "bstein-dev-home" "bstein-dev-home" "bstein-dev-home" \
"bstein-dev-home/* shared/chat-ai-keys-runtime shared/portal-e2e-client" ""
"planka/* shared/postmark-relay" ""
write_policy_and_role "bstein-dev-home" "bstein-dev-home" "bstein-dev-home,bstein-dev-home-vault-sync" \
"portal/* shared/chat-ai-keys-runtime shared/portal-e2e-client harbor-pull/bstein-dev-home" ""
write_policy_and_role "gitea" "gitea" "gitea-vault" \
"gitea/*" ""
write_policy_and_role "vaultwarden" "vaultwarden" "vaultwarden-vault" \
"vaultwarden/*" ""
write_policy_and_role "sso" "sso" "sso-vault,mas-secrets-ensure" \
"sso/* shared/keycloak-admin shared/portal-e2e-client" ""
"vaultwarden/* shared/postmark-relay" ""
write_policy_and_role "sso" "sso" "sso-vault,sso-vault-sync,mas-secrets-ensure" \
"sso/* shared/keycloak-admin shared/portal-e2e-client shared/postmark-relay harbor-pull/sso" ""
write_policy_and_role "mailu-mailserver" "mailu-mailserver" "mailu-vault-sync" \
"mailu/* shared/postmark-relay" ""
"mailu/* shared/postmark-relay harbor-pull/mailu-mailserver" ""
write_policy_and_role "harbor" "harbor" "harbor-vault-sync" \
"harbor/*" ""
"harbor/* harbor-pull/harbor" ""
write_policy_and_role "nextcloud" "nextcloud" "nextcloud-vault" \
"nextcloud/* shared/keycloak-admin" ""
"nextcloud/* shared/keycloak-admin shared/postmark-relay" ""
write_policy_and_role "comms" "comms" "comms-vault,atlasbot" \
"comms/* shared/chat-ai-keys-runtime" ""
"comms/* shared/chat-ai-keys-runtime harbor-pull/comms" ""
write_policy_and_role "jenkins" "jenkins" "jenkins-vault-sync" \
"jenkins/*" ""
write_policy_and_role "monitoring" "monitoring" "monitoring-vault-sync" \
"monitoring/* shared/postmark-relay" ""
"monitoring/* shared/postmark-relay harbor-pull/monitoring" ""
write_policy_and_role "logging" "logging" "logging-vault-sync" \
"logging/*" ""
"logging/* harbor-pull/logging" ""
write_policy_and_role "pegasus" "jellyfin" "pegasus-vault-sync" \
"pegasus/*" ""
"pegasus/* harbor-pull/jellyfin" ""
write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
"crypto/*" ""
"crypto/* harbor-pull/crypto" ""
write_policy_and_role "sso-secrets" "sso" "mas-secrets-ensure" \
"shared/keycloak-admin" \
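Review bot: Each role's policy is shared by every ServiceAccount listed for it, so after this change the application SA `bstein-dev-home` (and `sso-vault` and `mas-secrets-ensure` in the `sso` role) can read `harbor-pull/<namespace>` although only the new `*-vault-sync` SAs need the registry credential; a separate role bound to the sync SA alone, carrying `harbor-pull/<namespace>`, would keep that credential off application pods. Scoping the pull secret under a per-namespace path is good, since each copy can then be rotated on its own. Whether the comma-separated SA list is split as intended depends on `write_policy_and_role`, which is defined outside the hunk.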


@ -36,19 +36,19 @@ spec:
- name: DOMAIN
value: "https://vault.bstein.dev"
- name: SMTP_HOST
value: "mailu-front.mailu-mailserver.svc.cluster.local"
value: "smtp.postmarkapp.com"
- name: SMTP_PORT
value: "25"
value: "587"
- name: SMTP_SECURITY
value: "starttls"
- name: SMTP_ACCEPT_INVALID_HOSTNAMES
value: "true"
value: "false"
- name: SMTP_ACCEPT_INVALID_CERTS
value: "true"
value: "false"
- name: SMTP_FROM
value: "postmaster@bstein.dev"
value: "no-reply-vaultwarden@bstein.dev"
- name: SMTP_FROM_NAME
value: "Atlas Vaultwarden"
value: "Vaultwarden"
ports:
- name: http
containerPort: 80


@ -9,3 +9,6 @@ read_secret() {
export DATABASE_URL="$(read_secret vaultwarden-db-url__DATABASE_URL)"
export ADMIN_TOKEN="$(read_secret vaultwarden-admin__ADMIN_TOKEN)"
export SMTP_USERNAME="$(read_secret postmark-relay__relay-username)"
export SMTP_PASSWORD="$(read_secret postmark-relay__relay-password)"


@ -16,3 +16,9 @@ spec:
- objectName: "vaultwarden-admin__ADMIN_TOKEN"
secretPath: "kv/data/atlas/vaultwarden/vaultwarden-admin"
secretKey: "ADMIN_TOKEN"
- objectName: "postmark-relay__relay-username"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-username"
- objectName: "postmark-relay__relay-password"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-password"