From 2a1df4d35c78e1ad5c3ed261a68c8ce827a86ecb Mon Sep 17 00:00:00 2001 From: Arthur Date: Fri, 16 Feb 2024 16:35:23 -0500 Subject: [PATCH] feat: Fix Secrets --- .vscode/settings.json | 1 + kubernetes/argocd/applications/grafana.yaml | 5 +++ kubernetes/argocd/applications/homelab.yaml | 2 + .../argocd/applications/keep-alive.yaml | 2 + .../argocd/applications/longhorn-system.yaml | 5 +++ .../applications/openshift-monitoring.yaml | 2 + kubernetes/argocd/applications/quay.yaml | 2 + kubernetes/argocd/applications/vault.yaml | 2 + kubernetes/argocd/base/kustomization.yaml | 1 + .../argocd/base/notifications/configmap.yaml | 2 +- .../base/notifications/network-policy.yaml | 23 ++++++++++ kubernetes/eclipse-che/base/github.yaml | 45 ++++++++++++++----- kubernetes/grafana/base/secret.yaml | 30 ++++++------- kubernetes/influxdb/base/secret.yaml | 25 ++++++++++- .../base/secret.yaml | 35 ++++++++++++--- kubernetes/zitadel/base/secret.yaml | 32 ++++++------- 16 files changed, 164 insertions(+), 50 deletions(-) create mode 100644 kubernetes/argocd/base/notifications/network-policy.yaml diff --git a/.vscode/settings.json b/.vscode/settings.json index 6bac67d9f..24b0d8ef2 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -176,6 +176,7 @@ "errexit", "etab", "eventlisteners", + "externalsecrets", "ezservermonitor", "ezweb", "fdisk", diff --git a/kubernetes/argocd/applications/grafana.yaml b/kubernetes/argocd/applications/grafana.yaml index 260277a80..763aa12c4 100644 --- a/kubernetes/argocd/applications/grafana.yaml +++ b/kubernetes/argocd/applications/grafana.yaml @@ -24,3 +24,8 @@ spec: syncPolicy: syncOptions: - CreateNamespace=true + ignoreDifferences: + - group: "" + kind: "Secret" + managedFieldsManagers: + - externalsecrets.external-secrets.io/database diff --git a/kubernetes/argocd/applications/homelab.yaml b/kubernetes/argocd/applications/homelab.yaml index 479e87ca4..ddaf5f52e 100644 --- a/kubernetes/argocd/applications/homelab.yaml 
+++ b/kubernetes/argocd/applications/homelab.yaml @@ -21,6 +21,8 @@ spec: path: tekton/overlays/okd repoURL: https://git.arthurvardevanyan.com/ArthurVardevanyan/HomeLab targetRevision: HEAD + plugin: + name: argocd-vault-plugin-kustomize syncPolicy: syncOptions: - CreateNamespace=true diff --git a/kubernetes/argocd/applications/keep-alive.yaml b/kubernetes/argocd/applications/keep-alive.yaml index e7206128d..a24d8ba41 100644 --- a/kubernetes/argocd/applications/keep-alive.yaml +++ b/kubernetes/argocd/applications/keep-alive.yaml @@ -21,6 +21,8 @@ spec: path: kubernetes/keep-alive/overlays/okd repoURL: https://git.arthurvardevanyan.com/ArthurVardevanyan/HomeLab targetRevision: HEAD + plugin: + name: argocd-vault-plugin-kustomize syncPolicy: syncOptions: - CreateNamespace=true diff --git a/kubernetes/argocd/applications/longhorn-system.yaml b/kubernetes/argocd/applications/longhorn-system.yaml index 0efabe94b..57d157b97 100644 --- a/kubernetes/argocd/applications/longhorn-system.yaml +++ b/kubernetes/argocd/applications/longhorn-system.yaml @@ -24,3 +24,8 @@ spec: syncPolicy: syncOptions: - CreateNamespace=true + ignoreDifferences: + - group: "" + kind: "Secret" + managedFieldsManagers: + - externalsecrets.external-secrets.io/truenas-secret diff --git a/kubernetes/argocd/applications/openshift-monitoring.yaml b/kubernetes/argocd/applications/openshift-monitoring.yaml index 993a1ef6e..b91ec7c75 100644 --- a/kubernetes/argocd/applications/openshift-monitoring.yaml +++ b/kubernetes/argocd/applications/openshift-monitoring.yaml @@ -21,3 +21,5 @@ spec: path: okd/openshift-monitoring/base repoURL: https://git.arthurvardevanyan.com/ArthurVardevanyan/HomeLab targetRevision: HEAD + plugin: + name: argocd-vault-plugin-kustomize diff --git a/kubernetes/argocd/applications/quay.yaml b/kubernetes/argocd/applications/quay.yaml index fcf715ff1..2d63834de 100644 --- a/kubernetes/argocd/applications/quay.yaml +++ b/kubernetes/argocd/applications/quay.yaml 
@@ -21,6 +21,8 @@ spec: path: kubernetes/quay/overlays/okd repoURL: https://git.arthurvardevanyan.com/ArthurVardevanyan/HomeLab targetRevision: HEAD + plugin: + name: argocd-vault-plugin-kustomize syncPolicy: syncOptions: - CreateNamespace=true diff --git a/kubernetes/argocd/applications/vault.yaml b/kubernetes/argocd/applications/vault.yaml index 021361218..c0437459a 100644 --- a/kubernetes/argocd/applications/vault.yaml +++ b/kubernetes/argocd/applications/vault.yaml @@ -21,6 +21,8 @@ spec: path: kubernetes/vault/overlays/okd repoURL: https://git.arthurvardevanyan.com/ArthurVardevanyan/HomeLab targetRevision: HEAD + plugin: + name: argocd-vault-plugin-kustomize syncPolicy: syncOptions: - CreateNamespace=true diff --git a/kubernetes/argocd/base/kustomization.yaml b/kubernetes/argocd/base/kustomization.yaml index c4f7ddf22..5e76415c5 100644 --- a/kubernetes/argocd/base/kustomization.yaml +++ b/kubernetes/argocd/base/kustomization.yaml @@ -15,4 +15,5 @@ resources: - installplan-approver.yaml - notifications/configmap.yaml - notifications/secret.yaml + - notifications/network-policy.yaml - k3s-cluster.yaml diff --git a/kubernetes/argocd/base/notifications/configmap.yaml b/kubernetes/argocd/base/notifications/configmap.yaml index d50a16a77..66071f89e 100644 --- a/kubernetes/argocd/base/notifications/configmap.yaml +++ b/kubernetes/argocd/base/notifications/configmap.yaml @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/part-of: argocd data: context: |- - environmentName: homelab + environmentName: HomeLab service.github: |- appID: installationID: diff --git a/kubernetes/argocd/base/notifications/network-policy.yaml b/kubernetes/argocd/base/notifications/network-policy.yaml new file mode 100644 index 000000000..7a87f8e59 --- /dev/null +++ b/kubernetes/argocd/base/notifications/network-policy.yaml 
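Review bot: Adding `plugin: name: argocd-vault-plugin-kustomize` to the vault.yaml Application makes the sync of Vault's own manifests depend on the Vault it deploys, if that plugin resolves placeholders against this cluster's Vault at render time; a sealed or unavailable Vault then cannot be recovered by syncing this Application, because rendering fails before anything is applied. The same stanza is added in homelab.yaml, keep-alive.yaml, openshift-monitoring.yaml and quay.yaml, where the dependency points only one way and is harmless. Either keep the Vault Application free of the plugin, or record the bootstrap path next to it, e.g. `# NOTE: rendering needs a reachable, unsealed Vault; recovering a sealed Vault must be done outside ArgoCD.` The Application spec starts above the hunk.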
@@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-internet-egress-notifications + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "0" + labels: + app.kubernetes.io/instance: argocd +spec: + policyTypes: + - Egress + podSelector: + matchLabels: + app.kubernetes.io/name: argocd-notifications-controller + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + except: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 diff --git a/kubernetes/eclipse-che/base/github.yaml b/kubernetes/eclipse-che/base/github.yaml index 875da4360..39f971140 100644 --- a/kubernetes/eclipse-che/base/github.yaml +++ b/kubernetes/eclipse-che/base/github.yaml @@ -1,14 +1,37 @@ -kind: Secret -apiVersion: v1 +# kind: Secret +# apiVersion: v1 +# metadata: +# name: github-oauth-config +# namespace: eclipse-che-operator +# labels: +# app.kubernetes.io/part-of: che.eclipse.org +# app.kubernetes.io/component: oauth-scm-configuration +# annotations: +# che.eclipse.org/oauth-scm-server: github +# type: Opaque +# data: +# id: +# secret: +# --- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret metadata: name: github-oauth-config namespace: eclipse-che-operator - labels: - app.kubernetes.io/part-of: che.eclipse.org - app.kubernetes.io/component: oauth-scm-configuration - annotations: - che.eclipse.org/oauth-scm-server: github -type: Opaque -data: - id: - secret: +spec: + refreshInterval: "1h" + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: github-oauth-config + #creationPolicy: "Merge" + data: + - secretKey: id + remoteRef: + key: homelab/che/github + property: id + - secretKey: secret + remoteRef: + key: homelab/che/github + property: secret diff --git a/kubernetes/grafana/base/secret.yaml b/kubernetes/grafana/base/secret.yaml index 5e404f746..9e3d273f0 100644 --- a/kubernetes/grafana/base/secret.yaml +++ b/kubernetes/grafana/base/secret.yaml 
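Review bot: With `policyTypes: [Egress]` and a single `ipBlock` rule whose `except` list covers 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, the notifications controller is cut off from every in-cluster address, which on a typical OKD cluster includes cluster DNS and the kubernetes API service IP; it would then be unable to resolve GitHub's hostname or watch Application status (inferred from common cluster/service CIDRs, so confirm against this cluster's network configuration). Restricting egress for a pod that holds GitHub App credentials is the right control; it just needs explicit rules for the two in-cluster dependencies, as sketched below. On OKD the DNS pods listen on 5353 behind the service's port 53, and egress `ipBlock` rules match the API server by its node/host addresses rather than the ClusterIP on most CNIs, so both values should be checked in the cluster before merging.
```yaml
  egress:
    # … unchanged: existing 0.0.0.0/0 rule with the RFC1918 exceptions …
    # Cluster DNS: OKD runs CoreDNS in openshift-dns; the pods listen on 5353.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        - protocol: UDP
          port: 5353
        - protocol: TCP
          port: 5353
    # Kubernetes API server, needed to list/watch Applications.
    # Replace the placeholder with this cluster's control-plane address range.
    - to:
        - ipBlock:
            cidr: <api-server-cidr-placeholder>
      ports:
        - protocol: TCP
          port: 6443
```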
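Review bot: The Secret produced by the new `github-oauth-config` ExternalSecret in kubernetes/eclipse-che/base/github.yaml has none of the `app.kubernetes.io/part-of: che.eclipse.org` and `app.kubernetes.io/component: oauth-scm-configuration` labels or the `che.eclipse.org/oauth-scm-server: github` annotation that the commented-out manifest carried; if the Che operator discovers OAuth SCM configuration through those labels, as the old manifest suggests, the new Secret will not be picked up. Carrying them in `spec.target.template.metadata` lets the ExternalSecret recreate the same object. The commented-out Secret block left at the top of the file keeps secret-shaped YAML around for no purpose; remove it once the ExternalSecret is confirmed to work.
```yaml
  target:
    name: github-oauth-config
    template:
      type: Opaque
      metadata:
        labels:
          app.kubernetes.io/part-of: che.eclipse.org
          app.kubernetes.io/component: oauth-scm-configuration
        annotations:
          che.eclipse.org/oauth-scm-server: github
  # … unchanged: data entries for id and secret …
```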
@@ -1,18 +1,18 @@ -# https://blog.ramon-gordillo.dev/2021/03/gitops-with-argocd-and-hashicorp-vault-on-kubernetes/ -kind: Secret -apiVersion: v1 -metadata: - name: database - namespace: grafana - labels: - app.kubernetes.io/instance: grafana -type: Opaque -stringData: - GF_DATABASE_TYPE: postgres - GF_DATABASE_HOST: grafana-primary.postgres.svc - GF_DATABASE_NAME: grafana - GF_DATABASE_USER: grafana - #GF_DATABASE_PASSWORD: +# # https://blog.ramon-gordillo.dev/2021/03/gitops-with-argocd-and-hashicorp-vault-on-kubernetes/ +# kind: Secret +# apiVersion: v1 +# metadata: +# name: database +# namespace: grafana +# labels: +# app.kubernetes.io/instance: grafana +# type: Opaque +# stringData: +# GF_DATABASE_TYPE: postgres +# GF_DATABASE_HOST: grafana-primary.postgres.svc +# GF_DATABASE_NAME: grafana +# GF_DATABASE_USER: grafana +# #GF_DATABASE_PASSWORD: --- apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret diff --git a/kubernetes/influxdb/base/secret.yaml b/kubernetes/influxdb/base/secret.yaml index 5ec3edec1..c2f24ab1a 100644 --- a/kubernetes/influxdb/base/secret.yaml +++ b/kubernetes/influxdb/base/secret.yaml @@ -8,5 +8,28 @@ metadata: app.kubernetes.io/instance: influxdb type: Opaque stringData: - INFLUXDB_ADMIN_USER: + INFLUXDB_ADMIN_USER: INFLUXDB_ADMIN_PASSWORD: +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: influxdb-creds + namespace: influxdb +spec: + refreshInterval: "1h" + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: influxdb-creds + #creationPolicy: "Merge" + data: + - secretKey: INFLUXDB_ADMIN_USER + remoteRef: + key: homelab/influxdb + property: INFLUXDB_ADMIN_PASSWORD + - secretKey: INFLUXDB_ADMIN_USER + remoteRef: + key: homelab/influxdb + property: INFLUXDB_ADMIN_PASSWORD diff --git a/kubernetes/unifi-network-application/base/secret.yaml b/kubernetes/unifi-network-application/base/secret.yaml index 643ea0333..71abb941e 100644 
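Review bot: Both `data` entries of the new `influxdb-creds` ExternalSecret in kubernetes/influxdb/base/secret.yaml use `secretKey: INFLUXDB_ADMIN_USER` with `property: INFLUXDB_ADMIN_PASSWORD`, so the generated Secret ends up with one key that holds the password under the username's name and no `INFLUXDB_ADMIN_PASSWORD` key at all. The first entry should read `property: INFLUXDB_ADMIN_USER` and the second `secretKey: INFLUXDB_ADMIN_PASSWORD`. Unlike the other files in this commit, the original `Secret` with empty `stringData` values is still applied here (the only change to it is a trailing space after `INFLUXDB_ADMIN_USER:`), so if its `metadata.name`, which sits above the hunk, is also `influxdb-creds`, it and the ExternalSecret with the default `creationPolicy` will contend for the same object; either drop that manifest or enable `creationPolicy: "Merge"` deliberately instead of leaving it commented.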
--- a/kubernetes/unifi-network-application/base/secret.yaml +++ b/kubernetes/unifi-network-application/base/secret.yaml @@ -1,9 +1,32 @@ -apiVersion: v1 -kind: Secret +# apiVersion: v1 +# kind: Secret +# metadata: +# name: internal-cert +# namespace: unifi-network-application +# data: +# tls.crt: +# tls.key: +# type: Opaque +# --- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret metadata: name: internal-cert namespace: unifi-network-application -data: - tls.crt: - tls.key: -type: Opaque +spec: + refreshInterval: "1h" + secretStoreRef: + name: vault + kind: ClusterSecretStore + target: + name: internal-cert + #creationPolicy: "Merge" + data: + - secretKey: tls.crt + remoteRef: + key: homelab/unifi + property: tls.crt + - secretKey: tls.key + remoteRef: + key: homelab/unifi + property: tls.key diff --git a/kubernetes/zitadel/base/secret.yaml b/kubernetes/zitadel/base/secret.yaml index fe89fedc0..a0a2c714b 100644 --- a/kubernetes/zitadel/base/secret.yaml +++ b/kubernetes/zitadel/base/secret.yaml @@ -1,19 +1,19 @@ -# Source: zitadel/templates/secret_zitadel-masterkey.yaml -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: zitadel-masterkey - namespace: zitadel - labels: - helm.sh/chart: zitadel-6.2.0 - app.kubernetes.io/name: zitadel - app.kubernetes.io/instance: zitadel - app.kubernetes.io/version: "v2.43.5" - app.kubernetes.io/managed-by: Helm -stringData: - masterkey: ---- +# # Source: zitadel/templates/secret_zitadel-masterkey.yaml +# apiVersion: v1 +# kind: Secret +# type: Opaque +# metadata: +# name: zitadel-masterkey +# namespace: zitadel +# labels: +# helm.sh/chart: zitadel-6.2.0 +# app.kubernetes.io/name: zitadel +# app.kubernetes.io/instance: zitadel +# app.kubernetes.io/version: "v2.43.5" +# app.kubernetes.io/managed-by: Helm +# stringData: +# masterkey: +# --- apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: