external-secrets

kubernetes/apps/external-secrets/app/helmrelease.yaml

@@ -0,0 +1,39 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: external-secrets
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: external-secrets
+      version: 0.9.11
+      sourceRef:
+        kind: HelmRepository
+        name: external-secrets
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    installCRDs: true
+    replicaCount: 2
+    serviceMonitor:
+      enabled: true
+      interval: 1m
+    webhook:
+      serviceMonitor:
+        enabled: true
+        interval: 1m
+    certController:
+      serviceMonitor:
+        enabled: true
+        interval: 1m

kubernetes/apps/external-secrets/app/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
+  - ./onepassword-connect.secret.sops.yaml

kubernetes/apps/external-secrets/app/onepassword-connect.secret.sops.yaml

@@ -0,0 +1,28 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: onepassword-connect-secret
+stringData:
+    token: ENC[AES256_GCM,data:ZeYlp7BYVL9/7j6pZFywVZwlaXkJS5DXfdw=,iv:TPpzrv/uWTW4vLvJQVXV+nxVktyUhCF4KzQ5qrpO7vc=,tag:9PCHXhl/LlRDLhw0KhPpHA==,type:str]
+    1password-credentials.json: ENC[AES256_GCM,data:Rw/aVDOSI5oKjntNJewbYoHfZ4Omff2Wlgfp/O2/k6VxcHcZGTWAvpV4Y2mfn96v0IN17k9peeo5pQmTWFMsZTJT++Af5LmKoIiCW4URkz2j5aPkvcfL+ADejfJ/3h7Q9OpMthnoB5nr9D5uUKHEdqMUE1IwBSYP/zaYR09bBpk+GDPhZ1cCs+IFAm1OcPLli0jSJ2Lp3tBtr66Iti7WJOLmzJqQZ6yL4R+8XSTE1TzSyt40tuploewg1XigDOxfGaUnvLaxC1i597gH4f/RfawS0mt6wYrxyo5+Skvr5rX55zkxqKlu7swyk9HWPN3QNmzngz9xMWHMQgZv60RDegmnTxBZ/BxhFfnE2GLRT4j4r67EhNLGE3xlsNzf5z944z5/D6M9DjDRtReUVeBi2bv8GLh1iclkY/HFGq/FjbScNFPnrM/keZ08bnueiQfNMXsxNRPduaMwY/k80BjfVNftC2bGFrRPJWZRVKPYvBNM764kIy9vZnecCfJuilDwh09ZBw/L5+VZIYwFk707xKw3G0xemO15xJXY3jBnpqv2HhUxLsER+K6ZR+fCDnqYR2qhhLOzgPjlbXJjwTj6pJAjWdtmgcMx+KEvr9GHxtFgCrgXhitxygcmb+DAs9c2kD8LAA/VuY634ZY4jVkPB7VgRApN4D68NHOCXcAL7Bnb45Ts6Ln8+LpBLCpRMHdT/8QRCUkM02T3GsqCU8lO0hh/vIzlHQWgd8W4ZNJimfM0Duya7OUN/cFXgOLtLna9oe/nmDQL3DeOKy61TOt7kKU6dxrP5ucR1DwV1+210FNmNmdU2R0HpuWOyjSd23t2O9SY7vmqDgQjPwU9U0dCVedKWgfpY/McsquNiVwFYPyyH3KrGK9QI6+mQPOOXyyeVWb/L9DN06MMqw4gv3IDbdn7nCZjckXgj5VMHcultMitivOX60waN6Iuj7eexjiK7hnS7KFtGe/WFAg8YZe2ZaVwIfP/xitJF7P0uBTsil4r7AoDD1mPrp7XJ1MJ7rbEKaWx1mA3ReR7rQsUGx7FkL8+BeuPORMJQ1axD69hK10gtt6KWKe/MqYxZfW5uJ02qpNXxDCfOvrs8MwIbNtZ6so/4N8X4aOVfdrCDv2HZOvv1d6KcsPL2iO4YbdfkW4QTBQ3Ce9HWXTgKhKwfHWLFdo2hyKDOms/mpBsuEykiFEucFpn9JossCxqBBw5soKqMC9Y4K2O1ISTPLxqJXu29TmietQ3qE3YwFlJH0iEuBG+p6h6QaGUQWnSmmYtFKPQMvwvKCa4HqHkA4mxSr662q8EHK0GdT4Ce78u3vmOBMNGT/yT7ooZjHMGzIWffNK7EbN+HCOJqCgwQzhfnl6tS+dsee4AkXf+OBZcHOYWytP8n43d26nHf+z8jdiSD3WARYcnTVuUol30nC706iiMbFcIaiG7zkepROUzXca8c/8G7kWkosrSCyAP/lk+toj6IIlfhce3ctnTAGPPI1d5qTFHbafcwYfFpqo25pv8r43KfiR13t0Qfar61H/xdrYrmLURilCUjnVnURWdf92G6pdd4QCTPP/5u4wDP2TloNhryNpnVeuC/BYa+GhLFatSNDHEAgF4XoYmr7GbnF5ECLrhtvMx0c8dyTdTcQSFN/pWlY8NeJB//DpewA==,iv:TJMBmEP4cN0MbEEnJ82//Dozg1Xzv92XV4Dy2fo1iVo=,tag:7GS2YdGE9BuxZKKMKMdLgg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1rc6t0klkczsvnjhpl9aghvfphqpx6ue2xdwp8rk2c2hpcy3fgv3sh7cj9l
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2djI1QzFFa1FrZDVKaDZz
+            TEkwS0NKNjdvZ2M3RTlRK3BkSU5SN1UybTFrCkk0ZHZtSjlrOFRxMWZxZG5Rd2tQ
+            TThvSkhOQUNMQkhnaWkzcTM4QVhaVVkKLS0tIDhndGoxZVBIcTNqYTVYNW1qeFRX
+            c1d6T2hZUXg0TFBoSTdoMUR2ZUQ0QU0KtUHNXNZctcCkvjpm1WGBBPlZ/Vs+dT6i
+            J0KXTt0dq2cuSttYxGJXVIHahDZAm3eX1n45YTWx2t5yM9sgDBMrxg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-27T11:51:41Z"
+    mac: ENC[AES256_GCM,data:eAJmwOCNkZ/4X6EssDQrruRjR8txG7iM4r3ZzpSJjmu7FREGoxWCgvBVNkO6ig+KEper358mgbGfGhnpmJaV5xTBKCTi9bjQkfDyROioIWaRvMK2bU2nGO+3Y0F2b0fdnCJW6MJrjArgruHWOIMsU585yf8MsP2yNxt/knZqsrE=,iv:HmHM5urkew0RemhjVgIufKF7Cc22H4DLE2aOXbsu8Hg=,tag:xt96ESe76Jvcs/6MRanfjQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

kubernetes/apps/external-secrets/ks.yaml

@@ -0,0 +1,44 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app external-secrets
+  namespace: flux-system
+spec:
+  targetNamespace: external-secrets
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/main/apps/external-secrets/external-secrets/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app external-secrets-stores
+  namespace: flux-system
+spec:
+  targetNamespace: external-secrets
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: external-secrets
+  path: ./kubernetes/main/apps/external-secrets/external-secrets/stores
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/apps/external-secrets/stores/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./onepassword

kubernetes/apps/external-secrets/stores/onepassword/clustersecretstore.yaml

@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/clustersecretstore_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: onepassword-connect
+spec:
+  provider:
+    onepassword:
+      connectHost: http://onepassword-connect.external-secrets.svc.cluster.local
+      vaults:
+        Kubernetes: 1
+      auth:
+        secretRef:
+          connectTokenSecretRef:
+            name: onepassword-connect-secret
+            key: token
+            namespace: external-secrets

kubernetes/apps/external-secrets/stores/onepassword/helmrelease.yaml

@@ -0,0 +1,145 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: onepassword-connect
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 2.5.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    controllers:
+      main:
+        strategy: RollingUpdate
+        annotations:
+          reloader.stakater.com/auto: "true"
+        containers:
+          main:
+            image:
+              repository: docker.io/1password/connect-api
+              tag: 1.7.2@sha256:0c5ae74396e3c18c3b65acb89cb76d31088968cf0c25deca3818c72b01586606
+            env:
+              XDG_DATA_HOME: &configDir /config
+              OP_HTTP_PORT: &apiPort 80
+              OP_BUS_PORT: 11220
+              OP_BUS_PEERS: localhost:11221
+              OP_SESSION:
+                valueFrom:
+                  secretKeyRef:
+                    name: onepassword-connect-secret
+                    key: 1password-credentials.json
+            probes:
+              liveness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /heartbeat
+                    port: *apiPort
+                  initialDelaySeconds: 15
+                  periodSeconds: 30
+                  failureThreshold: 3
+              readiness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /health
+                    port: *apiPort
+                  initialDelaySeconds: 15
+              startup:
+                enabled: false
+            securityContext: &securityContext
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+            resources: &resources
+              requests:
+                cpu: 10m
+              limits:
+                memory: 256M
+          sync:
+            image:
+              repository: docker.io/1password/connect-sync
+              tag: 1.7.2@sha256:ff5bf86187ac4da88224e63a5896b393b5a53f81434e8dbc5314e406a0f1db89
+            env:
+              XDG_DATA_HOME: *configDir
+              OP_HTTP_PORT: &syncPort 8081
+              OP_BUS_PORT: 11221
+              OP_BUS_PEERS: localhost:11220
+              OP_SESSION:
+                valueFrom:
+                  secretKeyRef:
+                    name: onepassword-connect-secret
+                    key: 1password-credentials.json
+            probes:
+              liveness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /heartbeat
+                    port: *syncPort
+                  initialDelaySeconds: 15
+                  periodSeconds: 30
+                  failureThreshold: 3
+              readiness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /health
+                    port: *syncPort
+                  initialDelaySeconds: 15
+              startup:
+                enabled: false
+              securityContext: *securityContext
+              resources: *resources
+        pod:
+          securityContext:
+            runAsUser: 999
+            runAsGroup: 999
+            runAsNonRoot: true
+            fsGroup: 999
+            fsGroupChangePolicy: OnRootMismatch
+    ingress:
+      main:
+        enabled: true
+        className: internal
+        hosts:
+          - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+            paths:
+              - path: /
+                service:
+                  name: main
+                  port: http
+        tls:
+          - hosts:
+              - *host
+    persistence:
+      config:
+        enabled: true
+        type: emptyDir
+        globalMounts:
+          - path: *configDir
+    service:
+      main:
+        ports:
+          http:
+            port: *apiPort

kubernetes/apps/external-secrets/stores/onepassword/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
+  - ./clustersecretstore.yaml