Use External Secrets

This commit is contained in:
Finn 2024-08-20 11:13:23 -07:00
parent b1741057df
commit e69179cbb5
8 changed files with 14062 additions and 1 deletions

1
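--- a/helm/.gitignore
+++ b/helm/.gitignore
@@ -0,0 +1 @@
+charts/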


@ -0,0 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
- name: external-secrets
valuesInline:
fullnameOverride: external-secrets # otherwise all resource names are inexplicably prefixed with "release-name-"
bitwarden-sdk-server:
enabled: false # default, bitwarden-sdk-server doesn't work with vaultwarden (https://github.com/external-secrets/bitwarden-sdk-server/issues/18)
namespace: external-secrets
version: v0.10.0
repo: https://charts.external-secrets.io

9
helm/render-all.sh Executable file

@ -0,0 +1,9 @@
#!/bin/bash
# Usage: from the git root directory (../ relative to this file)
# podman run -v $(pwd):/repo --workdir /repo/helm nixery.dev/shell/kubectl/kubernetes-helm sh -c ./render-all.sh
set -exuo pipefail
header="# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten"
echo "${header}" > ../k8s/operators/external-secrets/bundle.yaml
kubectl kustomize --enable-helm external-secrets/ >> ../k8s/operators/external-secrets/bundle.yaml
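Review bot: If `kubectl kustomize` fails, the `>` on the previous line has already truncated `bundle.yaml` to just the header, so a failed render leaves a committed, broken manifest instead of the previous good one; `set -e` aborts the script but does not undo the truncation. Rendering into a temporary file and moving it into place makes the update atomic: `out=../k8s/operators/external-secrets/bundle.yaml`, `{ echo "${header}"; kubectl kustomize --enable-helm external-secrets/; } > "${out}.tmp"`, `mv "${out}.tmp" "${out}"`. The podman example in the usage comment pulls an unpinned `nixery.dev/shell/kubectl/kubernetes-helm` image, so the kubectl and helm versions that produced a given bundle are not recorded anywhere; printing them into the generated header next to the DO NOT EDIT line would make the output reproducible and reviewable.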


@ -3,7 +3,6 @@ kind: Kustomization
# namespace: cert-manager # namespace: cert-manager
resources: resources:
- https://github.com/cert-manager/cert-manager/releases/download/v1.15.2/cert-manager.yaml - https://github.com/cert-manager/cert-manager/releases/download/v1.15.2/cert-manager.yaml
- secrets.yaml
- pdns-hook.yaml - pdns-hook.yaml
- letsencrypt.yaml - letsencrypt.yaml
- selfsigned.yaml - selfsigned.yaml
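Review bot: Dropping `secrets.yaml` from the cert-manager resource list stops applying it but does not remove the file: this line appears to be the only deletion among the commit's 8 changed files, so `secrets.yaml` and whatever credentials it holds seem to remain in the tree and in history. If it carries the DNS provider token that External Secrets now supplies, delete the file in a follow-up and rotate the credential, since anything already committed should be treated as exposed. The kustomization's header lines are outside the hunk.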


@ -0,0 +1,132 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: bitwarden-cli
namespace: external-secrets
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: bitwarden-cli
template:
metadata:
labels:
app.kubernetes.io/name: bitwarden-cli
spec:
containers:
- name: bitwarden-cli
image: ghcr.io/charlesthomas/bitwarden-cli:2024.7.2
imagePullPolicy: IfNotPresent
envFrom:
- secretRef:
name: bitwarden
resources:
limits:
cpu: 500m
memory: 500Mi
ports:
- name: http
containerPort: 8087
protocol: TCP
livenessProbe:
exec:
command:
- wget
- -q
- http://127.0.0.1:8087/sync?force=true
- --post-data=''
initialDelaySeconds: 20
failureThreshold: 3
timeoutSeconds: 10
periodSeconds: 120
readinessProbe:
tcpSocket:
port: 8087
initialDelaySeconds: 20
failureThreshold: 3
timeoutSeconds: 1
periodSeconds: 10
startupProbe:
tcpSocket:
port: 8087
initialDelaySeconds: 10
failureThreshold: 30
timeoutSeconds: 1
periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
name: bitwarden-cli
namespace: external-secrets
spec:
type: ClusterIP
ports:
- port: 8087
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: bitwarden-cli
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
namespace: external-secrets
name: external-secret-2-bw-cli
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: bitwarden-cli
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: bitwarden-login
spec:
provider:
webhook:
url: "http://bitwarden-cli:8087/object/item/{{ .remoteRef.key }}"
headers:
Content-Type: application/json
result:
jsonPath: "$.data.login.{{ .remoteRef.property }}"
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: bitwarden-fields
spec:
provider:
webhook:
url: "http://bitwarden-cli:8087/object/item/{{ .remoteRef.key }}"
result:
jsonPath: "$.data.fields[?@.name==\"{{ .remoteRef.property }}\"].value"
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: bitwarden-notes
spec:
provider:
webhook:
url: "http://bitwarden-cli:8087/object/item/{{ .remoteRef.key }}"
result:
jsonPath: "$.data.notes"
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: bitwarden-attachments
spec:
provider:
webhook:
url: "http://bitwarden-cli:8087/object/attachment/{{ .remoteRef.property }}?itemid={{ .remoteRef.key }}"
result: {}
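Review bot: None of the four `ClusterSecretStore`s sets `spec.conditions`, so an `ExternalSecret` in any namespace can fetch any vault item by name through the webhook; the NetworkPolicy limits which pods reach `bitwarden-cli:8087`, but the external-secrets controller reaches it on behalf of every namespace. If only a few namespaces need Bitwarden-backed secrets, add `conditions:` with a `namespaceSelector` (or a `namespaces` list) to each store, or use namespaced `SecretStore`s instead. The `bitwarden-cli` pod is the one holding the vault credentials (via `envFrom` secret `bitwarden`), yet the Deployment sets no pod or container `securityContext` and leaves the service-account token mounted; the hardening below keeps the current behaviour while removing what the pod does not need. The image is pinned by tag only from a third-party registry and should be pinned by digest given what it holds, e.g. `image: ghcr.io/charlesthomas/bitwarden-cli:2024.7.2@sha256:<digest>`. Whether `runAsNonRoot: true` and `readOnlyRootFilesystem: true` are also possible depends on where this image writes its state, so confirm against the image before adding them.
```yaml
    spec:
      automountServiceAccountToken: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: bitwarden-cli
          # … unchanged: image, imagePullPolicy, envFrom, resources, ports, probes …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```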

File diff suppressed because it is too large Load diff


@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: external-secrets
resources:
- namespace.yaml
- bundle.yaml
- bitwarden.yaml
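Review bot: `bitwarden.yaml` defines `ClusterSecretStore` objects whose CRDs are delivered by `bundle.yaml` in the same kustomization, so a first `kubectl apply -k` of this directory is likely to fail on those custom resources until the CRDs are established and only succeed on a re-run. If that two-pass bootstrap is intended, a comment such as `# first apply fails until the external-secrets CRDs are established; re-run` saves the next operator a surprise. The `namespace: external-secrets` here also rewrites the namespace of every namespaced object in `bundle.yaml`, which looks intentional but deserves a one-line comment since the chart values set the namespace too.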


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: external-secrets
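Review bot: The namespace that hosts the `bitwarden-cli` pod and the external-secrets controller carries no Pod Security Admission labels, so any pod spec placed in it is admitted as-is. Adding `labels:` under `metadata` with `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` should accept the manifests in this commit while surfacing what a stricter level would reject; `enforce: restricted` would reject the `bitwarden-cli` Deployment as written, since it sets no `securityContext`. The hunk is the whole four-line file.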