diff --git a/services/health/endurain-oidc-config-cronjob.yaml b/services/health/endurain-oidc-config-cronjob.yaml
index 7930425..86b4d91 100644
--- a/services/health/endurain-oidc-config-cronjob.yaml
+++ b/services/health/endurain-oidc-config-cronjob.yaml
@@ -13,6 +13,22 @@ spec:
 spec:
 backoffLimit: 1
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/role: "health"
+ vault.hashicorp.com/agent-inject-secret-endurain-oidc-env: "kv/data/atlas/health/endurain-admin"
+ vault.hashicorp.com/agent-inject-template-endurain-oidc-env: |
+ {{- with secret "kv/data/atlas/health/endurain-admin" -}}
+ export ENDURAIN_ADMIN_USERNAME="{{ .Data.data.username }}"
+ export ENDURAIN_ADMIN_PASSWORD="{{ .Data.data.password }}"
+ {{- end }}
+ {{- with secret "kv/data/atlas/health/endurain-oidc" -}}
+ export ENDURAIN_OIDC_CLIENT_ID="{{ .Data.data.client_id }}"
+ export ENDURAIN_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+ export ENDURAIN_OIDC_ISSUER_URL="{{ .Data.data.issuer_url }}"
+ {{- end -}}
 spec:
 serviceAccountName: health-vault-sync
 restartPolicy: Never
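Review bot: The rendered `/vault/secrets/endurain-oidc-env` is later sourced by `sh`, but the secret values are interpolated into double-quoted `export` lines verbatim, so a password or client secret containing `"`, `$`, a backtick or `\` is interpreted by the shell rather than stored as-is — at best the job fails on a syntax error, at worst part of the secret is evaluated as shell. Either escape in the template, e.g. `export ENDURAIN_ADMIN_PASSWORD='{{ .Data.data.password | replaceAll "'" "'\\''" }}'` (consul-template's `replaceAll`, single-quoting the rendered value), or have the configure script read the file as plain key=value lines instead of sourcing it. The same applies to the sparkyfitness, grafana-org-bootstrap and postmark-exporter templates in this commit. Separately, the template also reads `kv/data/atlas/health/endurain-oidc`, which the `agent-inject-secret-…` annotation does not name; the `health` Vault role's policy must grant read on both paths, and that policy is not part of this diff. The jobTemplate continues past the hunk.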
@@ -47,35 +63,11 @@ spec:
 - |
 set -euo pipefail
 apk add --no-cache bash curl jq >/dev/null
+ . /vault/secrets/endurain-oidc-env
 exec /scripts/endurain_oidc_configure.sh
 env:
 - name: ENDURAIN_BASE_URL
 value: http://endurain.health.svc.cluster.local
- - name: ENDURAIN_ADMIN_USERNAME
- valueFrom:
- secretKeyRef:
- name: endurain-admin
- key: username
- - name: ENDURAIN_ADMIN_PASSWORD
- valueFrom:
- secretKeyRef:
- name: endurain-admin
- key: password
- - name: ENDURAIN_OIDC_CLIENT_ID
- valueFrom:
- secretKeyRef:
- name: endurain-oidc
- key: client_id
- - name: ENDURAIN_OIDC_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: endurain-oidc
- key: client_secret
- - name: ENDURAIN_OIDC_ISSUER_URL
- valueFrom:
- secretKeyRef:
- name: endurain-oidc
- key: issuer_url
 volumeMounts:
 - name: endurain-oidc-config-script
 mountPath: /scripts
diff --git a/services/health/sparkyfitness-oidc-config-cronjob.yaml b/services/health/sparkyfitness-oidc-config-cronjob.yaml
index a20c1f1..b3d4c52 100644
--- a/services/health/sparkyfitness-oidc-config-cronjob.yaml
+++ b/services/health/sparkyfitness-oidc-config-cronjob.yaml
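Review bot: `. /vault/secrets/endurain-oidc-env` assumes the injector webhook actually mutated the pod; if it did not, the file is absent, `set -e` aborts on a terse "can't open" from `.`, and nothing says which credentials were expected. A one-line guard before the source makes the failure mode explicit: `[ -r /vault/secrets/endurain-oidc-env ] || { echo "vault-agent did not render endurain-oidc-env" >&2; exit 1; }`. The same pattern applies to the sourcing lines added in the sparkyfitness, grafana-org-bootstrap and postmark-exporter containers. The `args` block scalar begins in this hunk but the container spec continues past it.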
@@ -13,6 +13,22 @@ spec:
 spec:
 backoffLimit: 1
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/role: "health"
+ vault.hashicorp.com/agent-inject-secret-sparky-oidc-env: "kv/data/atlas/health/sparkyfitness-admin"
+ vault.hashicorp.com/agent-inject-template-sparky-oidc-env: |
+ {{- with secret "kv/data/atlas/health/sparkyfitness-admin" -}}
+ export SPARKYFITNESS_ADMIN_EMAIL="{{ .Data.data.email }}"
+ export SPARKYFITNESS_ADMIN_PASSWORD="{{ .Data.data.password }}"
+ {{- end }}
+ {{- with secret "kv/data/atlas/health/sparkyfitness-oidc" -}}
+ export SPARKYFITNESS_OIDC_CLIENT_ID="{{ .Data.data.client_id }}"
+ export SPARKYFITNESS_OIDC_CLIENT_SECRET="{{ .Data.data.client_secret }}"
+ export SPARKYFITNESS_OIDC_ISSUER_URL="{{ .Data.data.issuer_url }}"
+ {{- end -}}
 spec:
 serviceAccountName: health-vault-sync
 restartPolicy: Never
@@ -47,37 +63,13 @@ spec:
 - |
 set -euo pipefail
 apk add --no-cache bash curl jq >/dev/null
+ . /vault/secrets/sparky-oidc-env
 exec /scripts/sparkyfitness_oidc_configure.sh
 env:
 - name: SPARKYFITNESS_BASE_URL
 value: http://sparkyfitness-server.health.svc.cluster.local:3010
 - name: SPARKYFITNESS_FRONTEND_URL
 value: https://sparkyfitness.bstein.dev
- - name: SPARKYFITNESS_ADMIN_EMAIL
- valueFrom:
- secretKeyRef:
- name: sparkyfitness-admin
- key: email
- - name: SPARKYFITNESS_ADMIN_PASSWORD
- valueFrom:
- secretKeyRef:
- name: sparkyfitness-admin
- key: password
- - name: SPARKYFITNESS_OIDC_CLIENT_ID
- valueFrom:
- secretKeyRef:
- name: sparkyfitness-oidc
- key: client_id
- - name: SPARKYFITNESS_OIDC_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: sparkyfitness-oidc
- key: client_secret
- - name: SPARKYFITNESS_OIDC_ISSUER_URL
- valueFrom:
- secretKeyRef:
- name: sparkyfitness-oidc
- key: issuer_url
 volumeMounts:
 - name: sparkyfitness-oidc-config-script
 mountPath: /scripts
diff --git a/services/monitoring/grafana-org-bootstrap.yaml b/services/monitoring/grafana-org-bootstrap.yaml
index 0872f4a..a39d938 100644
--- a/services/monitoring/grafana-org-bootstrap.yaml
+++ b/services/monitoring/grafana-org-bootstrap.yaml
@@ -2,13 +2,25 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: grafana-org-bootstrap-1
+ name: grafana-org-bootstrap-2
 namespace: monitoring
 spec:
 backoffLimit: 2
 template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/role: "monitoring"
+ vault.hashicorp.com/agent-inject-secret-grafana-env: "kv/data/atlas/monitoring/grafana-admin"
+ vault.hashicorp.com/agent-inject-template-grafana-env: |
+ {{- with secret "kv/data/atlas/monitoring/grafana-admin" -}}
+ export GRAFANA_USER="{{ index .Data.data "admin-user" }}"
+ export GRAFANA_PASSWORD="{{ index .Data.data "admin-password" }}"
+ {{- end -}}
 spec:
 restartPolicy: OnFailure
+ serviceAccountName: monitoring-vault-sync
 containers:
 - name: bootstrap
 image: python:3.11-alpine
@@ -17,20 +29,11 @@ spec:
 value: http://grafana
 - name: OVERVIEW_ORG_NAME
 value: Overview
- - name: GRAFANA_USER
- valueFrom:
- secretKeyRef:
- name: grafana-admin
- key: admin-user
- - name: GRAFANA_PASSWORD
- valueFrom:
- secretKeyRef:
- name: grafana-admin
- key: admin-password
 command: ["/bin/sh", "-c"]
 args:
 - |
 set -euo pipefail
+ . /vault/secrets/grafana-env
 python - <<'PY'
 import base64
 import json
diff --git a/services/monitoring/postmark-exporter-deployment.yaml b/services/monitoring/postmark-exporter-deployment.yaml
index 646c455..5e6c837 100644
--- a/services/monitoring/postmark-exporter-deployment.yaml
+++ b/services/monitoring/postmark-exporter-deployment.yaml
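Review bot: `name: grafana-org-bootstrap-2` re-runs the immutable Job by renaming it, which leaves the completed `grafana-org-bootstrap-1` object and its pod in the `monitoring` namespace unless something else prunes them; a `ttlSecondsAfterFinished` on the Job spec would let these one-shot bootstrap Jobs clean themselves up instead of accumulating with each rename. In the same hunk, `serviceAccountName: monitoring-vault-sync` together with `vault.hashicorp.com/role: "monitoring"` presumes that Vault role is bound to this service account in this namespace, a binding the diff does not show. The Job's `spec` continues past both hunks.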
@@ -16,8 +16,20 @@ spec:
 prometheus.io/scrape: "true"
 prometheus.io/port: "8000"
 prometheus.io/path: "/metrics"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "monitoring"
+ vault.hashicorp.com/agent-inject-secret-postmark-env: "kv/data/atlas/monitoring/postmark-exporter"
+ vault.hashicorp.com/agent-inject-template-postmark-env: |
+ {{- with secret "kv/data/atlas/monitoring/postmark-exporter" -}}
+ export POSTMARK_SERVER_TOKEN="{{ index .Data.data "relay-username" }}"
+ export POSTMARK_SERVER_TOKEN_FALLBACK="{{ index .Data.data "relay-password" }}"
+ {{- if index .Data.data "sending-limit" }}
+ export POSTMARK_SENDING_LIMIT="{{ index .Data.data "sending-limit" }}"
+ {{- end }}
+ {{- end -}}
 bstein.dev/restarted-at: "2026-01-06T00:00:00Z"
 spec:
+ serviceAccountName: monitoring-vault-sync
 containers:
 - name: exporter
 image: python:3.12-alpine
@@ -26,25 +38,10 @@ spec:
 args:
 - |
 set -euo pipefail
+ . /vault/secrets/postmark-env
 pip install --no-cache-dir prometheus-client==0.22.1 requests==2.32.3
 exec python /app/monitoring_postmark_exporter.py
 env:
- - name: POSTMARK_SERVER_TOKEN
- valueFrom:
- secretKeyRef:
- name: postmark-exporter
- key: server-token
- - name: POSTMARK_SERVER_TOKEN_FALLBACK
- valueFrom:
- secretKeyRef:
- name: postmark-exporter
- key: server-token-fallback
- - name: POSTMARK_SENDING_LIMIT
- valueFrom:
- secretKeyRef:
- name: postmark-exporter
- key: sending-limit
- optional: true
 - name: POSTMARK_SENDING_LIMIT_WINDOW
 value: "30d"
 - name: POLL_INTERVAL_SECONDS
diff --git a/services/monitoring/secretproviderclass.yaml b/services/monitoring/secretproviderclass.yaml
index 4f58ff0..3fab887 100644
--- a/services/monitoring/secretproviderclass.yaml
+++ b/services/monitoring/secretproviderclass.yaml
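Review bot: This Deployment's pod keeps a long-running vault-agent sidecar (no `vault.hashicorp.com/agent-pre-populate-only` here, unlike the Jobs), yet the exporter reads `/vault/secrets/postmark-env` exactly once before `exec python`, so a rotated token is re-rendered into the volume but never picked up until a rollout, while the sidecar holds a live Vault token for the pod's whole lifetime for no benefit. Adding `vault.hashicorp.com/agent-pre-populate-only: "true"` matches the other manifests in this commit and leaves the existing `bstein.dev/restarted-at` bump as the explicit rotation mechanism. The template also maps `relay-username` to `POSTMARK_SERVER_TOKEN` and `relay-password` to the fallback token — consistent with the mapping removed from secretproviderclass.yaml, but nothing in the KV key names says so; a comment line in the template such as `# KV keys relay-username/relay-password hold the Postmark server token and fallback token` would spare the next reader that archaeology. The container spec continues past the second hunk.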
@@ -16,15 +16,6 @@ spec:
 - objectName: "grafana-admin__admin-password"
 secretPath: "kv/data/atlas/monitoring/grafana-admin"
 secretKey: "admin-password"
- - objectName: "postmark-exporter__relay-username"
- secretPath: "kv/data/atlas/monitoring/postmark-exporter"
- secretKey: "relay-username"
- - objectName: "postmark-exporter__relay-password"
- secretPath: "kv/data/atlas/monitoring/postmark-exporter"
- secretKey: "relay-password"
- - objectName: "postmark-exporter__sending-limit"
- secretPath: "kv/data/atlas/monitoring/postmark-exporter"
- secretKey: "sending-limit"
 - objectName: "postmark-relay__relay-username"
 secretPath: "kv/data/atlas/shared/postmark-relay"
 secretKey: "relay-username"
@@ -42,15 +33,6 @@ spec:
 key: admin-user
 - objectName: grafana-admin__admin-password
 key: admin-password
- - secretName: postmark-exporter
- type: Opaque
- data:
- - objectName: postmark-exporter__relay-username
- key: server-token
- - objectName: postmark-exporter__relay-password
- key: server-token-fallback
- - objectName: postmark-exporter__sending-limit
- key: sending-limit
 - secretName: grafana-smtp
 type: Opaque
 data: