feat: Fix Secrets

.vscode/settings.json

@@ -176,6 +176,7 @@
     "errexit",
     "etab",
     "eventlisteners",
+    "externalsecrets",
     "ezservermonitor",
     "ezweb",
     "fdisk",

kubernetes/argocd/applications/grafana.yaml

@@ -24,3 +24,8 @@ spec:
   syncPolicy:
     syncOptions:
       - CreateNamespace=true
+  ignoreDifferences:
+    - group: ""
+      kind: "Secret"
+      managedFieldsManagers:
+        - externalsecrets.external-secrets.io/database

kubernetes/argocd/applications/homelab.yaml

@@ -21,6 +21,8 @@ spec:
     path: tekton/overlays/okd
     repoURL: https://git.arthurvardevanyan.com/ArthurVardevanyan/HomeLab
     targetRevision: HEAD
+    plugin:
+      name: argocd-vault-plugin-kustomize
   syncPolicy:
     syncOptions:
       - CreateNamespace=true

kubernetes/argocd/applications/keep-alive.yaml

@@ -21,6 +21,8 @@ spec:
     path: kubernetes/keep-alive/overlays/okd
     repoURL: https://git.arthurvardevanyan.com/ArthurVardevanyan/HomeLab
     targetRevision: HEAD
+    plugin:
+      name: argocd-vault-plugin-kustomize
   syncPolicy:
     syncOptions:
       - CreateNamespace=true

kubernetes/argocd/applications/longhorn-system.yaml

@@ -24,3 +24,8 @@ spec:
   syncPolicy:
     syncOptions:
       - CreateNamespace=true
+  ignoreDifferences:
+    - group: ""
+      kind: "Secret"
+      managedFieldsManagers:
+        - externalsecrets.external-secrets.io/truenas-secret

kubernetes/argocd/applications/openshift-monitoring.yaml

@@ -21,3 +21,5 @@ spec:
     path: okd/openshift-monitoring/base
     repoURL: https://git.arthurvardevanyan.com/ArthurVardevanyan/HomeLab
     targetRevision: HEAD
+    plugin:
+      name: argocd-vault-plugin-kustomize

kubernetes/argocd/applications/quay.yaml

@@ -21,6 +21,8 @@ spec:
     path: kubernetes/quay/overlays/okd
     repoURL: https://git.arthurvardevanyan.com/ArthurVardevanyan/HomeLab
     targetRevision: HEAD
+    plugin:
+      name: argocd-vault-plugin-kustomize
   syncPolicy:
     syncOptions:
       - CreateNamespace=true

kubernetes/argocd/applications/vault.yaml

@@ -21,6 +21,8 @@ spec:
     path: kubernetes/vault/overlays/okd
     repoURL: https://git.arthurvardevanyan.com/ArthurVardevanyan/HomeLab
     targetRevision: HEAD
+    plugin:
+      name: argocd-vault-plugin-kustomize
   syncPolicy:
     syncOptions:
       - CreateNamespace=true

kubernetes/argocd/base/kustomization.yaml

@@ -15,4 +15,5 @@ resources:
   - installplan-approver.yaml
   - notifications/configmap.yaml
   - notifications/secret.yaml
+  - notifications/network-policy.yaml
   - k3s-cluster.yaml

kubernetes/argocd/base/notifications/configmap.yaml

@@ -9,7 +9,7 @@ metadata:
     app.kubernetes.io/part-of: argocd
 data:
   context: |-
-    environmentName: homelab
+    environmentName: HomeLab
   service.github: |-
     appID: <path:secret/data/homelab/tekton#github_app>
     installationID: <path:secret/data/homelab/tekton#github_app_installation>

kubernetes/argocd/base/notifications/network-policy.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-internet-egress-notifications
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+  labels:
+    app.kubernetes.io/instance: argocd
+spec:
+  policyTypes:
+    - Egress
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-notifications-controller
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+            except:
+              - 10.0.0.0/8
+              - 172.16.0.0/12
+              - 192.168.0.0/16

kubernetes/eclipse-che/base/github.yaml

@@ -1,14 +1,37 @@
-kind: Secret
-apiVersion: v1
+# kind: Secret
+# apiVersion: v1
+# metadata:
+#   name: github-oauth-config
+#   namespace: eclipse-che-operator
+#   labels:
+#     app.kubernetes.io/part-of: che.eclipse.org
+#     app.kubernetes.io/component: oauth-scm-configuration
+#   annotations:
+#     che.eclipse.org/oauth-scm-server: github
+# type: Opaque
+# data:
+#   id: <path:secret/data/homelab/che/github#id | base64encode>
+#   secret: <path:secret/data/homelab/che/github#secret | base64encode>
+# ---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
 metadata:
   name: github-oauth-config
   namespace: eclipse-che-operator
-  labels:
-    app.kubernetes.io/part-of: che.eclipse.org
-    app.kubernetes.io/component: oauth-scm-configuration
-  annotations:
-    che.eclipse.org/oauth-scm-server: github
-type: Opaque
-data:
-  id: <path:secret/data/homelab/che/github#id | base64encode>
-  secret: <path:secret/data/homelab/che/github#secret | base64encode>
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: github-oauth-config
+    #creationPolicy: "Merge"
+  data:
+    - secretKey: id
+      remoteRef:
+        key: homelab/che/github
+        property: id
+    - secretKey: secret
+      remoteRef:
+        key: homelab/che/github
+        property: secret

kubernetes/grafana/base/secret.yaml

@@ -1,18 +1,18 @@
-# https://blog.ramon-gordillo.dev/2021/03/gitops-with-argocd-and-hashicorp-vault-on-kubernetes/
-kind: Secret
-apiVersion: v1
-metadata:
-  name: database
-  namespace: grafana
-  labels:
-    app.kubernetes.io/instance: grafana
-type: Opaque
-stringData:
-  GF_DATABASE_TYPE: postgres
-  GF_DATABASE_HOST: grafana-primary.postgres.svc
-  GF_DATABASE_NAME: grafana
-  GF_DATABASE_USER: grafana
-  #GF_DATABASE_PASSWORD: <path:secret/data/homelab/postgres#grafana_password>
+# # https://blog.ramon-gordillo.dev/2021/03/gitops-with-argocd-and-hashicorp-vault-on-kubernetes/
+# kind: Secret
+# apiVersion: v1
+# metadata:
+#   name: database
+#   namespace: grafana
+#   labels:
+#     app.kubernetes.io/instance: grafana
+# type: Opaque
+# stringData:
+#   GF_DATABASE_TYPE: postgres
+#   GF_DATABASE_HOST: grafana-primary.postgres.svc
+#   GF_DATABASE_NAME: grafana
+#   GF_DATABASE_USER: grafana
+#   #GF_DATABASE_PASSWORD: <path:secret/data/homelab/postgres#grafana_password>
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret

kubernetes/influxdb/base/secret.yaml

@@ -8,5 +8,28 @@ metadata:
     app.kubernetes.io/instance: influxdb
 type: Opaque
 stringData:
-  INFLUXDB_ADMIN_USER: <path:secret/data/homelab/influxdb#INFLUXDB_ADMIN_PASSWORD>
+  INFLUXDB_ADMIN_USER: <path:secret/data/influxdb#INFLUXDB_ADMIN_PASSWORD>
   INFLUXDB_ADMIN_PASSWORD: <path:secret/data/homelab/influxdb#INFLUXDB_ADMIN_USER>
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: influxdb-creds
+  namespace: influxdb
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: influxdb-creds
+    #creationPolicy: "Merge"
+  data:
+    - secretKey: INFLUXDB_ADMIN_USER
+      remoteRef:
+        key: homelab/influxdb
+        property: INFLUXDB_ADMIN_PASSWORD
+    - secretKey: INFLUXDB_ADMIN_USER
+      remoteRef:
+        key: homelab/influxdb
+        property: INFLUXDB_ADMIN_PASSWORD

kubernetes/unifi-network-application/base/secret.yaml

@@ -1,9 +1,32 @@
-apiVersion: v1
-kind: Secret
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: internal-cert
+#   namespace: unifi-network-application
+# data:
+#   tls.crt: <path:secret/data/homelab/unifi#tls.crt | base64encode>
+#   tls.key: <path:secret/data/homelab/unifi#tls.key | base64encode>
+# type: Opaque
+# ---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
 metadata:
   name: internal-cert
   namespace: unifi-network-application
-data:
-  tls.crt: <path:secret/data/homelab/unifi#tls.crt | base64encode>
-  tls.key: <path:secret/data/homelab/unifi#tls.key | base64encode>
-type: Opaque
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: internal-cert
+    #creationPolicy: "Merge"
+  data:
+    - secretKey: tls.crt
+      remoteRef:
+        key: homelab/unifi
+        property: tls.crt
+    - secretKey: tls.key
+      remoteRef:
+        key: homelab/unifi
+        property: tls.key

kubernetes/zitadel/base/secret.yaml

@@ -1,19 +1,19 @@
-# Source: zitadel/templates/secret_zitadel-masterkey.yaml
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: zitadel-masterkey
-  namespace: zitadel
-  labels:
-    helm.sh/chart: zitadel-6.2.0
-    app.kubernetes.io/name: zitadel
-    app.kubernetes.io/instance: zitadel
-    app.kubernetes.io/version: "v2.43.5"
-    app.kubernetes.io/managed-by: Helm
-stringData:
-  masterkey: <path:secret/data/homelab/zitadel/config#masterkey>
----
+# # Source: zitadel/templates/secret_zitadel-masterkey.yaml
+# apiVersion: v1
+# kind: Secret
+# type: Opaque
+# metadata:
+#   name: zitadel-masterkey
+#   namespace: zitadel
+#   labels:
+#     helm.sh/chart: zitadel-6.2.0
+#     app.kubernetes.io/name: zitadel
+#     app.kubernetes.io/instance: zitadel
+#     app.kubernetes.io/version: "v2.43.5"
+#     app.kubernetes.io/managed-by: Helm
+# stringData:
+#   masterkey: <path:secret/data/homelab/zitadel/config#masterkey>
+# ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata: