vault: inject monitoring exporter and health jobs

This commit is contained in:
Brad Stein 2026-01-14 14:49:41 -03:00
parent 4f1fb62ab3
commit fb9578b624
5 changed files with 61 additions and 95 deletions


@ -13,6 +13,22 @@ spec:
spec:
backoffLimit: 1
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "health"
vault.hashicorp.com/agent-inject-secret-endurain-oidc-env: "kv/data/atlas/health/endurain-admin"
vault.hashicorp.com/agent-inject-template-endurain-oidc-env: |
{{- with secret "kv/data/atlas/health/endurain-admin" -}}
export ENDURAIN_ADMIN_USERNAME="{{ .Data.data.username }}"
export ENDURAIN_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
{{- with secret "kv/data/atlas/health/endurain-oidc" -}}
export ENDURAIN_OIDC_CLIENT_ID="{{ .Data.data.client_id }}"
export ENDURAIN_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}"
export ENDURAIN_OIDC_ISSUER_URL="{{ .Data.data.issuer_url }}"
{{- end -}}
spec:
serviceAccountName: health-vault-sync
restartPolicy: Never
@ -47,35 +63,11 @@ spec:
- |
set -euo pipefail
apk add --no-cache bash curl jq >/dev/null
. /vault/secrets/endurain-oidc-env
exec /scripts/endurain_oidc_configure.sh
env:
- name: ENDURAIN_BASE_URL
value: http://endurain.health.svc.cluster.local
- name: ENDURAIN_ADMIN_USERNAME
valueFrom:
secretKeyRef:
name: endurain-admin
key: username
- name: ENDURAIN_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: endurain-admin
key: password
- name: ENDURAIN_OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: endurain-oidc
key: client_id
- name: ENDURAIN_OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: endurain-oidc
key: client_secret
- name: ENDURAIN_OIDC_ISSUER_URL
valueFrom:
secretKeyRef:
name: endurain-oidc
key: issuer_url
volumeMounts:
- name: endurain-oidc-config-script
mountPath: /scripts
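Review bot: The file sourced at `. /vault/secrets/endurain-oidc-env` is rendered with `export ENDURAIN_ADMIN_PASSWORD="{{ .Data.data.password }}"` and `export ENDURAIN_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}"`, so a secret containing `$`, a backtick, `\` or `"` is expanded or truncated by the shell instead of being passed through verbatim — the replaced `secretKeyRef` path imposed no such restriction. Unless those values are guaranteed free of shell metacharacters, single-quote the interpolation and escape embedded quotes, e.g. `export ENDURAIN_ADMIN_PASSWORD='{{ .Data.data.password | replaceAll "'" "'\\''" }}'`, and do the same for the other exports; rendering each secret to its own file and reading it with `$(cat …)` is the more robust alternative. The template also reads `kv/data/atlas/health/endurain-oidc` in addition to the path named in the `agent-inject-secret-…` annotation, so the `health` role's policy presumably needs read access to both — worth confirming before the job is run. The configure script itself (`/scripts/endurain_oidc_configure.sh`) is outside this hunk.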


@ -13,6 +13,22 @@ spec:
spec:
backoffLimit: 1
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "health"
vault.hashicorp.com/agent-inject-secret-sparky-oidc-env: "kv/data/atlas/health/sparkyfitness-admin"
vault.hashicorp.com/agent-inject-template-sparky-oidc-env: |
{{- with secret "kv/data/atlas/health/sparkyfitness-admin" -}}
export SPARKYFITNESS_ADMIN_EMAIL="{{ .Data.data.email }}"
export SPARKYFITNESS_ADMIN_PASSWORD="{{ .Data.data.password }}"
{{- end }}
{{- with secret "kv/data/atlas/health/sparkyfitness-oidc" -}}
export SPARKYFITNESS_OIDC_CLIENT_ID="{{ .Data.data.client_id }}"
export SPARKYFITNESS_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}"
export SPARKYFITNESS_OIDC_ISSUER_URL="{{ .Data.data.issuer_url }}"
{{- end -}}
spec:
serviceAccountName: health-vault-sync
restartPolicy: Never
@ -47,37 +63,13 @@ spec:
- |
set -euo pipefail
apk add --no-cache bash curl jq >/dev/null
. /vault/secrets/sparky-oidc-env
exec /scripts/sparkyfitness_oidc_configure.sh
env:
- name: SPARKYFITNESS_BASE_URL
value: http://sparkyfitness-server.health.svc.cluster.local:3010
- name: SPARKYFITNESS_FRONTEND_URL
value: https://sparkyfitness.bstein.dev
- name: SPARKYFITNESS_ADMIN_EMAIL
valueFrom:
secretKeyRef:
name: sparkyfitness-admin
key: email
- name: SPARKYFITNESS_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: sparkyfitness-admin
key: password
- name: SPARKYFITNESS_OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: sparkyfitness-oidc
key: client_id
- name: SPARKYFITNESS_OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: sparkyfitness-oidc
key: client_secret
- name: SPARKYFITNESS_OIDC_ISSUER_URL
valueFrom:
secretKeyRef:
name: sparkyfitness-oidc
key: issuer_url
volumeMounts:
- name: sparkyfitness-oidc-config-script
mountPath: /scripts
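Review bot: Nothing after `. /vault/secrets/sparky-oidc-env` verifies that the expected variables were actually set: if a `{{- with secret "kv/data/atlas/health/sparkyfitness-oidc" -}}` read comes back without data (mis-pathed or empty KV entry), the block presumably renders nothing rather than failing, and the job continues into `/scripts/sparkyfitness_oidc_configure.sh` with the OIDC variables unset — `set -u` only helps if that script (outside this hunk) references them unquoted. Add an explicit guard before the `exec`, e.g. `: "${SPARKYFITNESS_ADMIN_PASSWORD:?}" "${SPARKYFITNESS_OIDC_CLIENT_ID:?}" "${SPARKYFITNESS_OIDC_CLIENT_SECRET:?}" "${SPARKYFITNESS_OIDC_ISSUER_URL:?}"`, so a missing secret fails the job with a clear message instead of half-configuring the provider. The same shell-quoting caveat applies to every `export X="{{ … }}"` line here: a password or client secret containing `$` or `"` is mangled when the file is sourced.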


@ -2,13 +2,25 @@
apiVersion: batch/v1
kind: Job
metadata:
name: grafana-org-bootstrap-1
name: grafana-org-bootstrap-2
namespace: monitoring
spec:
backoffLimit: 2
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/role: "monitoring"
vault.hashicorp.com/agent-inject-secret-grafana-env: "kv/data/atlas/monitoring/grafana-admin"
vault.hashicorp.com/agent-inject-template-grafana-env: |
{{- with secret "kv/data/atlas/monitoring/grafana-admin" -}}
export GRAFANA_USER="{{ index .Data.data "admin-user" }}"
export GRAFANA_PASSWORD="{{ index .Data.data "admin-password" }}"
{{- end -}}
spec:
restartPolicy: OnFailure
serviceAccountName: monitoring-vault-sync
containers:
- name: bootstrap
image: python:3.11-alpine
@ -17,20 +29,11 @@ spec:
value: http://grafana
- name: OVERVIEW_ORG_NAME
value: Overview
- name: GRAFANA_USER
valueFrom:
secretKeyRef:
name: grafana-admin
key: admin-user
- name: GRAFANA_PASSWORD
valueFrom:
secretKeyRef:
name: grafana-admin
key: admin-password
command: ["/bin/sh", "-c"]
args:
- |
set -euo pipefail
. /vault/secrets/grafana-env
python - <<'PY'
import base64
import json
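Review bot: The rename `grafana-org-bootstrap-1` → `grafana-org-bootstrap-2` carries no explanation; a Job's pod template is immutable, so the suffix bump is presumably what lets the new annotations apply, and a comment above `name:` such as `# bump the suffix whenever the pod template changes — Job specs are immutable` would save the next maintainer a rejected apply. With the admin credentials now fetched by the injected init container, a Vault policy or connectivity problem keeps the pod cycling in Init under `restartPolicy: OnFailure` rather than producing the failed pods that `backoffLimit: 2` counts, so consider bounding the run with `activeDeadlineSeconds` next to `backoffLimit`. The `GRAFANA_PASSWORD` export is double-quoted in the template, so a password containing `$`, `"` or a backtick is altered by the shell when `/vault/secrets/grafana-env` is sourced; single-quoting with `replaceAll "'" "'\\''"` avoids that. The python heredoc that consumes these variables continues outside the hunk.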


@ -16,8 +16,20 @@ spec:
prometheus.io/scrape: "true"
prometheus.io/port: "8000"
prometheus.io/path: "/metrics"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "monitoring"
vault.hashicorp.com/agent-inject-secret-postmark-env: "kv/data/atlas/monitoring/postmark-exporter"
vault.hashicorp.com/agent-inject-template-postmark-env: |
{{- with secret "kv/data/atlas/monitoring/postmark-exporter" -}}
export POSTMARK_SERVER_TOKEN="{{ index .Data.data "relay-username" }}"
export POSTMARK_SERVER_TOKEN_FALLBACK="{{ index .Data.data "relay-password" }}"
{{- if index .Data.data "sending-limit" }}
export POSTMARK_SENDING_LIMIT="{{ index .Data.data "sending-limit" }}"
{{- end }}
{{- end -}}
bstein.dev/restarted-at: "2026-01-06T00:00:00Z"
spec:
serviceAccountName: monitoring-vault-sync
containers:
- name: exporter
image: python:3.12-alpine
@ -26,25 +38,10 @@ spec:
args:
- |
set -euo pipefail
. /vault/secrets/postmark-env
pip install --no-cache-dir prometheus-client==0.22.1 requests==2.32.3
exec python /app/monitoring_postmark_exporter.py
env:
- name: POSTMARK_SERVER_TOKEN
valueFrom:
secretKeyRef:
name: postmark-exporter
key: server-token
- name: POSTMARK_SERVER_TOKEN_FALLBACK
valueFrom:
secretKeyRef:
name: postmark-exporter
key: server-token-fallback
- name: POSTMARK_SENDING_LIMIT
valueFrom:
secretKeyRef:
name: postmark-exporter
key: sending-limit
optional: true
- name: POSTMARK_SENDING_LIMIT_WINDOW
value: "30d"
- name: POLL_INTERVAL_SECONDS
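Review bot: Unlike the Jobs in this commit, this Deployment does not set `vault.hashicorp.com/agent-pre-populate-only`, so the Vault agent stays resident as a sidecar and will re-render `/vault/secrets/postmark-env` on rotation, yet the container reads that file exactly once (`. /vault/secrets/postmark-env` before `exec python …`) and a rotated token is never picked up until the pod is recreated via `bstein.dev/restarted-at`. Either add `vault.hashicorp.com/agent-pre-populate-only: "true"` to drop the idle sidecar, or keep it and have the exporter re-read the token from the file on each poll; an `agent-inject-command` restart hook would not help because `exec` has replaced the shell. Separately, mapping the KV keys `relay-username` and `relay-password` onto `POSTMARK_SERVER_TOKEN` and `POSTMARK_SERVER_TOKEN_FALLBACK` reads as a copy-paste mistake until one notices the deleted SecretProviderClass entries did the same; a template comment such as `{{/* the exporter authenticates with the relay credentials; see the removed postmark-exporter secretObject */}}` would keep the intent from being "fixed" later.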


@ -16,15 +16,6 @@ spec:
- objectName: "grafana-admin__admin-password"
secretPath: "kv/data/atlas/monitoring/grafana-admin"
secretKey: "admin-password"
- objectName: "postmark-exporter__relay-username"
secretPath: "kv/data/atlas/monitoring/postmark-exporter"
secretKey: "relay-username"
- objectName: "postmark-exporter__relay-password"
secretPath: "kv/data/atlas/monitoring/postmark-exporter"
secretKey: "relay-password"
- objectName: "postmark-exporter__sending-limit"
secretPath: "kv/data/atlas/monitoring/postmark-exporter"
secretKey: "sending-limit"
- objectName: "postmark-relay__relay-username"
secretPath: "kv/data/atlas/shared/postmark-relay"
secretKey: "relay-username"
@ -42,15 +33,6 @@ spec:
key: admin-user
- objectName: grafana-admin__admin-password
key: admin-password
- secretName: postmark-exporter
type: Opaque
data:
- objectName: postmark-exporter__relay-username
key: server-token
- objectName: postmark-exporter__relay-password
key: server-token-fallback
- objectName: postmark-exporter__sending-limit
key: sending-limit
- secretName: grafana-smtp
type: Opaque
data: