feat(external-secrets): add 1Password
@@ -1,3 +1,5 @@
|
||||
SECRET_EXTERNAL_SECRETS_ONEPASSWORD_CONNECT_JSON=ENC[AES256_GCM,data:3MprYFqZQLyEzBX5oiJGFiPq0eL1FqL3CqsIK21Aw05LKEWZ+LibUDFL/U66rwLEZPFvlc+ijWAkAoYAZEFt/0e179RgMAIw9q7NsmfxiQTTK7JOTsxLaNBHu5GvLiK54HYEavrH7gUQlSqnt1XkalXle40QL6OoF50uiiC7fuL7y8RhoWoVZxAjDXEah9nI7razvJ8CSyaFistvyRep23/FZZBS05BGz9eKYMfG8x7sGqBZV1aLOgx7HUMB72mXysK+FOdBggUJzpMRixZ7L684vERfTrQVfvzjuuqkNBUPmyySyjxyJyLTzYkM7rjcSdgyEWuEAVSEKvu8Zu+63VrkFCDhHlpGEcW2fYW+AZkAvc0oIv9ghn2AyQYnDEHWRAUMQMqJ7d16QM58HBKh5l36Ki/9RFj0/7aqY/7SC+U6v0Hz/Yj95gpcDImGvcrDqkwM35riWKOlNOm9nVqxgTENmHpGcq9U1hMP+tbBctfItMfMrEO6a/g/2jCbHOShzZNhph/wsy9QP5SNvb8+qTvkuL4TL0b+k290lg6heGJRCLRoLR1x8lbKWgUnvtZJckTLuAXAqtX1ln0lwkdX7impClcqXlmOAx9bL+icOpflHeLfCIUzJEskTa468o1YDuTS2BdawC+hMC825dTarlnDLCK04x7XaV/CoKIRGn6dvIgik4oizlreeC6IXZZ13s0EfQseJ5d365limg3wTY5NYxvfclX3mcnDiK9M9Ev2bqG2Milg6vrB0puYemqCpd8WXDWFpGbL5FXaHfXYnl5BuIIlgdhKowRytG4ZENUDyhFcndXUVzjumhhyvwqt9AUZIq7jBALXZYtp46caxTwc5DrjHLmcq1fqdbsWw6ZnaARNFwUZTDKIWuSlsu3PUlwTMr41zBEe9F60vICDOm9+zaiNEJDNaJ4hEre70kg30K451KYVyIgpIRI8WzbbYIKBhVcCPItYOlDVucr35sQABFmffhG/WVFhmLOzQycKZh7/4kUB3u6TqNR4vzC9yYoPF+Lqocnk5TAfOCdogF3VOWoGRA9HMgQlL1nP9OryrJf7SMjLXgL38ANkXO4GGorCn/+LS6raihVNN72uLNwK+NHzlYNAYpcxQqbTuIe8Wt3N9Hh1FdfScF3N+qqzF3QZFLjLZl1wT9t5oF71VDp68V2gzSyjFL/vd6DO6uWAciVvcN4B/RAYD9rAgZqgdksiqOlcNUnJLAIz5JCT+eYwNX7eIiXghCAQVuCfv8Xe031pp8E9s7YsP3IvxO457M56NX46uIHzZQti5JoRAGILHecjFL1m/4IsErooLwgG1AKGbwYZpGYZthzW83xyi6LRotKKPlGMiPw0H3VWEtjhYjmBh8dAb3n27Jy19Zi3FuekSY3x7eBPcf21IhWCfVLn1pguAanFMvsXuAvfCm3F3ZIGwmhPknzO+o25Axd4vEvWFw==,iv:DS3kLG5JqO8d19o+A/j8JScZsWjkI1PlnfNFZKUi6lI=,tag:JGWINSjw27YjJhB+O5mydA==,type:str]
|
||||
SECRET_EXTERNAL_SECRETS_ONEPASSWORD_CONNECT_TOKEN=ENC[AES256_GCM,data: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,iv:kFnrhWDlULUvYawYvRXIkONCWbffPoT/Tj6MFpk7Noc=,tag:Z+jsZe+mrMxzoa97CeQ3PQ==,type:str]
|
||||
SECRET_CILIUM_BGP_PASSWORD_ROUTER=ENC[AES256_GCM,data:byaasu6VH2deIyQM4zCu/W+k5W4xjlDAaKbwqScZ05uBjVETgBC15y7xA5FN8N5Z9M0W4mdpp0WRCh1yfKqsMkR7EFjSAn4YjhZKQ1trMOZd/yhAXl7uf/r92gFL/tYCjBBdwpPHcs4MB4Yu60JMQRzHRgimTnp2L3+E6/qmAcCglLGw0tsHx2A1dDApG1r/IzimYsQK3eWOO0S/Cy4348iwQ0zyvA5cTjz5J7+Q8ogGgaqkThETeAIWDEF9oS9K8JYDGsXbhwkfBRSZqg5JmwtNDGTkraU7K7n2TnlWuubNVMBYmQkYEwa3d+5ttexLi/c=,iv:lufpG1ufDBIaQ8/Mn5iiXD9SCZGgtbk5tQgtguHLZXQ=,tag:F70i0qbnEZSoOSzlUbJY1A==,type:str]
|
||||
SECRET_SANDSTORM_ADMIN_PASSWORD=ENC[AES256_GCM,data:eBh/GfUuZ3CwYbUMo2aP,iv:fH1xCn0YVffgmKaFAwyxnsBhw+DK2WJQ4BJkPvxdpYY=,tag:r64Jt+OlThR58oJRPTfVfg==,type:str]
|
||||
SECRET_FLUX_WEBHOOK_GITHUB=ENC[AES256_GCM,data:rN1JGPiLKJGZaPky7M7Wy2aujMvYJeHVKOz6gmZnSvn0OGmP7kyMyg==,iv:Bs4nBXkzUmeXPqYx4bggZT/BmJMDrb3STeal3Y7JUrE=,tag:38CcnMHf5EThZyf8AA3gJg==,type:str]
|
||||
@@ -178,8 +180,8 @@ SECRET_ELK_CF_KV_NS=ENC[AES256_GCM,data:NGwN9S0aFxLNBynHlkhnSVv0z5M6AXLukwh0VufE
|
||||
SECRET_RELOADER_ALERT_WEBHOOK_URL=ENC[AES256_GCM,data:EPXH2C0ZN+EjihlFRLzFseN73wJtoHQ8DcPrJ5STovPXTMor+4hspyhNhc3qUMZTUZj6w3beT/LVwU01pomp0Q8iDwwRLMvP+ZclREFx11T1vdkM69HxxduuO/0WA1EoRj1BcLDKhDU36wEhob6NlWaCfnFvIt505Q==,iv:t0gBgyEJS/gr/nybtbUqiZWWTLKPeeVSx+vWLVXa39M=,tag:dNE5oFGPG78s5Yfag+wCkg==,type:str]
|
||||
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n
|
||||
sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
|
||||
sops_lastmodified=2024-01-21T09:15:41Z
|
||||
sops_mac=ENC[AES256_GCM,data:zBRfhOqyVv58eP+3kE6BxxsQza+IUre4MRxfk3ai1RlMGiq8b8zK1wJgnBK0hKdLVYqruV49PQGr4Aylg9Mqho0UxhzSj0n13KOi6rAWYSvdn1W8a1kV3l/stGkGLXHbmdhsgX/3uicD5p39rSIcuGbjeLFHJrx+46evA8TZZj8=,iv:gDbw2HDHViN1suie6oAfR8GDTqM6PHy6CO1M3evb9ag=,tag:fBWq4RFPwSoOkR7E9NWO0w==,type:str]
|
||||
sops_lastmodified=2024-01-23T01:50:55Z
|
||||
sops_mac=ENC[AES256_GCM,data:dDl+Jvi4RZh154zvYln0dWWLQG7CAzSjFpzk3CW/2qTJ4DY154whiD6gDKgQ+dqGEViv3Wa2ojTvuXC0X6PpXlQOArPwkS9csTCXczpED2bK7iMDiRgYD1dHpI5GZj8OPWdlTo/En6AKOIPc4HHlNlOM9bDAekVCh4/C/Xj3gkU=,iv:jVhBmzibhBAm/9ZHruGNbJSDUCXBMPJyUvdB746CmVg=,tag:X7vH1+GagPQnti2dj+hWMQ==,type:str]
|
||||
sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z
|
||||
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n
|
||||
sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
|
||||
|
||||
@@ -16,6 +16,7 @@ resources:
|
||||
- ../../../deploy/core/kyverno/_deps/
|
||||
- ../../../deploy/core/kyverno/
|
||||
- ../../../deploy/core/monitoring/_deps/
|
||||
- ../../../deploy/core/secrets/onepassword-connect/
|
||||
- ../../../deploy/core/secrets/external-secrets/
|
||||
- ../../../deploy/core/storage/_external-snapshotter/
|
||||
- ../../../deploy/core/storage/_csi-addons/
|
||||
|
||||
@@ -5,6 +5,7 @@ metadata:
|
||||
name: &app external-secrets
|
||||
namespace: *app
|
||||
spec:
|
||||
interval: 5m
|
||||
chart:
|
||||
spec:
|
||||
chart: *app
|
||||
@@ -17,7 +18,7 @@ spec:
|
||||
installCRDs: true
|
||||
podLabels: # netpols
|
||||
egress.home.arpa/apiserver: "allow"
|
||||
egress.home.arpa/world-https: "allow"
|
||||
egress.home.arpa/onepassword-connect: "allow"
|
||||
# scheduling
|
||||
replicaCount: 2
|
||||
leaderElect: true
|
||||
@@ -43,4 +44,4 @@ spec:
|
||||
enabled: true
|
||||
interval: 1m
|
||||
podLabels: # netpols
|
||||
ingress.home.arpa/apiserver: "allow"
|
||||
ingress.home.arpa/apiserver: "allow"
|
||||
|
||||
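Review bot: The `@@ -17,7 +18,7 @@` hunk replaces one podLabels line rather than adding one, and from the rendered text the pair looks like `egress.home.arpa/world-https: "allow"` giving way to `egress.home.arpa/onepassword-connect: "allow"`; if that is right, the controller loses the egress it needs for any non-cluster backend, and the AWS SSM secret edited further down in this commit suggests such a backend still exists. Keep both labels unless the AWS store is being retired in the same change. The two identical `ingress.home.arpa/apiserver: "allow"` lines in the `@@ -43,4 +44,4 @@` hunk point to an indentation-only edit that the rendered view cannot show; worth confirming the key is still nested under the intended `podLabels` map after the change.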
@@ -28,4 +28,15 @@ metadata:
|
||||
spec:
|
||||
path: ./kube/deploy/core/secrets/external-secrets/stores/k8s
|
||||
dependsOn:
|
||||
- name: 1-core-secrets-external-secrets-app
|
||||
- name: 1-core-secrets-external-secrets-app
|
||||
---
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
# I'm lazy to type the whole of `external-secrets`` in dependsOn, don't @ me
|
||||
name: 1-core-secrets-es-1p
|
||||
namespace: flux-system
|
||||
spec:
|
||||
path: ./kube/deploy/core/secrets/external-secrets/stores/1password
|
||||
dependsOn:
|
||||
- name: 1-core-secrets-external-secrets-app
|
||||
|
||||
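Review bot: The new `1-core-secrets-es-1p` Kustomization depends only on `1-core-secrets-external-secrets-app`, so the ClusterSecretStore and its token Secret can be applied before `1-core-secrets-onepassword-connect-app` (added in this commit with `dependsOn: []`) has created the Connect deployment; external-secrets will retry, but the store sits not-ready and every ExternalSecret bound to it reports errors until then. Adding `- name: 1-core-secrets-onepassword-connect-app` under `dependsOn` makes the rollout order explicit instead of relying on retries. The comment above `name:` also carries a stray second backtick after `external-secrets`.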
@@ -0,0 +1,19 @@
|
||||
---
|
||||
# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/clustersecretstore_v1beta1.json
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ClusterSecretStore
|
||||
metadata:
|
||||
name: "1p"
|
||||
spec:
|
||||
provider:
|
||||
onepassword:
|
||||
connectHost: "https://${APP_DNS_ONEPASSWORD_CONNECT}"
|
||||
vaults:
|
||||
"${CLUSTER_NAME}": 1
|
||||
auth:
|
||||
secretRef:
|
||||
connectTokenSecretRef:
|
||||
name: "onepassword-connect-secrets"
|
||||
key: "token"
|
||||
namespace: "external-secrets"
|
||||
|
||||
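Review bot: A `ClusterSecretStore` can be referenced from an ExternalSecret in any namespace, so as written every namespace in the cluster can read any item in the `${CLUSTER_NAME}` vault through the single Connect token held in `onepassword-connect-secrets`. If the installed external-secrets version supports it, restricting the store with `spec.conditions` (a `namespaces` list or a `namespaceSelector`) limits what one compromised namespace can pull; otherwise a separate vault and token per consumer is the fallback. The `v1beta1` schema comment matches the `apiVersion` used, so no issue there.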
@@ -0,0 +1,9 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "onepassword-connect-secrets"
|
||||
namespace: "external-secrets"
|
||||
type: Opaque
|
||||
stringData:
|
||||
token: "${SECRET_EXTERNAL_SECRETS_ONEPASSWORD_CONNECT_TOKEN}"
|
||||
@@ -7,4 +7,4 @@ metadata:
|
||||
type: Opaque
|
||||
stringData:
|
||||
access-key: "${SECRET_EXTERNAL_SECRETS_AWS_SSM_ACCESS_KEY}"
|
||||
secret-key: "${SECRET_EXTERNAL_SECRETS_AWS_SSM_SECRET_KEY}"
|
||||
secret-key: "${SECRET_EXTERNAL_SECRETS_AWS_SSM_SECRET_KEY}"
|
||||
|
||||
188
kube/deploy/core/secrets/onepassword-connect/app/hr.yaml
Normal file
@@ -0,0 +1,188 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: &app onepassword-connect
|
||||
namespace: *app
|
||||
spec:
|
||||
interval: 5m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: "2.5.0"
|
||||
sourceRef:
|
||||
name: bjw-s
|
||||
kind: HelmRepository
|
||||
namespace: flux-system
|
||||
values:
|
||||
controllers:
|
||||
main:
|
||||
type: deployment
|
||||
replicas: 1
|
||||
containers:
|
||||
main: &ct
|
||||
image:
|
||||
repository: "docker.io/1password/connect-api"
|
||||
tag: "1.7.2@sha256:0c5ae74396e3c18c3b65acb89cb76d31088968cf0c25deca3818c72b01586606"
|
||||
env:
|
||||
TZ: "${CONFIG_TZ}"
|
||||
XDG_DATA_HOME: &dir "/data"
|
||||
OP_SESSION: &creds "/config/1password-credentials.json"
|
||||
OP_LOG_LEVEL: "info"
|
||||
OP_BUS_PORT: "60001"
|
||||
OP_BUS_PEERS: "127.0.0.1:60002"
|
||||
OP_HTTPS_PORT: &port "8443"
|
||||
OP_TLS_CERT_FILE: &cert "/tls/fullchain.pem"
|
||||
OP_TLS_KEY_FILE: &key "/tls/privkey.pem"
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
resources:
|
||||
requests:
|
||||
cpu: "10m"
|
||||
memory: "256Mi"
|
||||
limits:
|
||||
cpu: "3000m"
|
||||
memory: "512Mi"
|
||||
probes:
|
||||
startup:
|
||||
enabled: true
|
||||
custom: true
|
||||
spec: &probe
|
||||
periodSeconds: 1
|
||||
failureThreshold: 120
|
||||
httpGet: &get
|
||||
path: "/heartbeat"
|
||||
port: *port
|
||||
scheme: HTTPS
|
||||
httpHeaders:
|
||||
- name: Host
|
||||
value: &host "${APP_DNS_ONEPASSWORD_CONNECT}"
|
||||
readiness:
|
||||
enabled: true
|
||||
custom: true
|
||||
spec:
|
||||
<<: *probe
|
||||
periodSeconds: 30
|
||||
httpGet:
|
||||
<<: *get
|
||||
path: "/health"
|
||||
liveness:
|
||||
enabled: true
|
||||
custom: true
|
||||
spec:
|
||||
<<: *probe
|
||||
periodSeconds: 30
|
||||
failureThreshold: 3
|
||||
sync:
|
||||
<<: *ct
|
||||
image:
|
||||
repository: "docker.io/1password/connect-sync"
|
||||
tag: "1.7.2@sha256:ff5bf86187ac4da88224e63a5896b393b5a53f81434e8dbc5314e406a0f1db89"
|
||||
env:
|
||||
TZ: "${CONFIG_TZ}"
|
||||
XDG_DATA_HOME: *dir
|
||||
OP_SESSION: *creds
|
||||
OP_LOG_LEVEL: "info"
|
||||
OP_HTTP_PORT: &port "57832"
|
||||
OP_BUS_PORT: "60002"
|
||||
OP_BUS_PEERS: "127.0.0.1:60001"
|
||||
probes:
|
||||
startup:
|
||||
enabled: true
|
||||
custom: true
|
||||
spec: &probe
|
||||
periodSeconds: 1
|
||||
failureThreshold: 120
|
||||
httpGet:
|
||||
path: "/heartbeat"
|
||||
port: *port
|
||||
readiness:
|
||||
enabled: true
|
||||
custom: true
|
||||
spec:
|
||||
periodSeconds: 30
|
||||
httpGet:
|
||||
path: "/health"
|
||||
port: *port
|
||||
liveness:
|
||||
enabled: true
|
||||
custom: true
|
||||
spec:
|
||||
<<: *probe
|
||||
periodSeconds: 30
|
||||
failureThreshold: 3
|
||||
service:
|
||||
main:
|
||||
enabled: true
|
||||
primary: true
|
||||
controller: main
|
||||
type: LoadBalancer
|
||||
externalTrafficPolicy: Cluster
|
||||
annotations:
|
||||
coredns.io/hostname: *host
|
||||
"io.cilium/lb-ipam-ips": "${APP_IP_ONEPASSWORD_CONNECT}"
|
||||
ports:
|
||||
http:
|
||||
enabled: true
|
||||
port: 443
|
||||
targetPort: 8443
|
||||
protocol: HTTPS
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
type: secret
|
||||
name: "onepassword-connect-secrets"
|
||||
advancedMounts:
|
||||
main:
|
||||
main:
|
||||
- subPath: "1password-credentials.json"
|
||||
path: *creds
|
||||
readOnly: true
|
||||
tmp:
|
||||
enabled: true
|
||||
type: emptyDir
|
||||
medium: Memory
|
||||
globalMounts:
|
||||
- path: *dir
|
||||
readOnly: false
|
||||
tls:
|
||||
enabled: true
|
||||
type: secret
|
||||
name: "onepassword-connect-tls"
|
||||
defaultMode: 0400
|
||||
advancedMounts:
|
||||
main:
|
||||
main:
|
||||
- subPath: "tls.crt"
|
||||
path: "/tls/fullchain.pem"
|
||||
readOnly: true
|
||||
- subPath: "tls.key"
|
||||
path: "/tls/privkey.pem"
|
||||
readOnly: true
|
||||
defaultPodOptions:
|
||||
automountServiceAccountToken: false
|
||||
enableServiceLinks: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: &uid 999
|
||||
runAsGroup: *uid
|
||||
fsGroup: *uid
|
||||
fsGroupChangePolicy: "Always"
|
||||
seccompProfile: { type: "RuntimeDefault" }
|
||||
topologySpreadConstraints:
|
||||
- maxSkew: 1
|
||||
topologyKey: "kubernetes.io/hostname"
|
||||
whenUnsatisfiable: "DoNotSchedule"
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: *app
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: "fuckoff.home.arpa/onepassword-connect"
|
||||
operator: "DoesNotExist"
|
||||
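Review bot: `OP_HTTP_PORT: &port "57832"` and `spec: &probe` in the `sync` container silently redefine the `&port` and `&probe` anchors first declared for `main`, so later `*port`/`*probe` references resolve to the sync values while the earlier ones keep 8443; this only works because of declaration order, and moving the sync block above main would repoint main's liveness probe at the wrong port without any parse error. Distinct names such as `&syncport` and `&syncprobe`, with the matching `*syncport`/`*syncprobe` references in the sync probes, make the intent explicit. The `&host` anchor is declared inside the startup probe's `httpHeaders` and consumed far below by the Service annotation; a short comment there, e.g. `# anchor reused by service.main.annotations`, would save the next reader a search.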
49
kube/deploy/core/secrets/onepassword-connect/app/netpol.yaml
Normal file
@@ -0,0 +1,49 @@
|
||||
---
|
||||
# yaml-language-server: $schema=https://crds.jank.ing/cilium.io/ciliumnetworkpolicy_v2.json
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumNetworkPolicy
|
||||
metadata:
|
||||
name: &app onepassword-connect
|
||||
namespace: *app
|
||||
spec:
|
||||
endpointSelector: {}
|
||||
ingress:
|
||||
# same namespace
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: *app
|
||||
# external-secrets
|
||||
- fromEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: external-secrets
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "8443"
|
||||
egress:
|
||||
# same namespace
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: *app
|
||||
- toEntities:
|
||||
- world
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "8443"
|
||||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
|
||||
apiVersion: cilium.io/v2
|
||||
kind: CiliumClusterwideNetworkPolicy
|
||||
metadata:
|
||||
name: &app onepassword-connect
|
||||
spec:
|
||||
endpointSelector:
|
||||
matchLabels:
|
||||
egress.home.arpa/onepassword-connect: allow
|
||||
egress:
|
||||
- toEndpoints:
|
||||
- matchLabels:
|
||||
io.kubernetes.pod.namespace: *app
|
||||
app.kubernetes.io/name: *app
|
||||
toPorts:
|
||||
- ports:
|
||||
- port: "8443"
|
||||
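Review bot: The namespace policy's `toEntities: [world]` egress is limited to port `"8443"`, which is the port Connect listens on, not the port it dials out on; as far as I know the sync container reaches 1Password's servers over standard HTTPS, so unless world egress is granted by another policy this rule blocks sync once it applies while permitting nothing the pods actually use. Changing that rule to `- port: "443"` (and `protocol: TCP` if the repo keeps protocols explicit) matches the real outbound traffic. No DNS egress is visible here either; if kube-dns egress is not allowed cluster-wide, name resolution of the 1Password endpoint fails before TLS even starts.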
@@ -0,0 +1,10 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: "onepassword-connect-secrets"
|
||||
namespace: "onepassword-connect"
|
||||
type: Opaque
|
||||
stringData:
|
||||
1password-credentials.json: |
|
||||
${SECRET_EXTERNAL_SECRETS_ONEPASSWORD_CONNECT_JSON}
|
||||
21
kube/deploy/core/secrets/onepassword-connect/app/tls.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: &app onepassword-connect
|
||||
namespace: *app
|
||||
spec:
|
||||
secretName: "onepassword-connect-tls"
|
||||
additionalOutputFormats:
|
||||
- type: CombinedPEM
|
||||
- type: DER
|
||||
issuerRef:
|
||||
name: letsencrypt-production
|
||||
kind: ClusterIssuer
|
||||
privateKey:
|
||||
algorithm: ECDSA
|
||||
size: 384
|
||||
rotationPolicy: Always
|
||||
dnsNames:
|
||||
- "*.${DNS_SHORT}"
|
||||
- "*.holycamoly.${DNS_SHORT}"
|
||||
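Review bot: The Certificate asks for `*.${DNS_SHORT}` and `*.holycamoly.${DNS_SHORT}`, so the private key mounted into the Connect pod at `/tls/privkey.pem` is valid for every host under the domain, not only `${APP_DNS_ONEPASSWORD_CONNECT}`; whoever can read that file from the pod or the `onepassword-connect-tls` Secret can impersonate any service in the domain. Narrow `dnsNames` to the host the probes and Service actually use, e.g. `- "${APP_DNS_ONEPASSWORD_CONNECT}"`. `additionalOutputFormats` (CombinedPEM, DER) is unused by the HelmRelease, which mounts only `tls.crt` and `tls.key`, and it requires cert-manager's `AdditionalCertificateOutputFormats` feature gate, so it can be dropped.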
14
kube/deploy/core/secrets/onepassword-connect/ks.yaml
Normal file
@@ -0,0 +1,14 @@
|
||||
---
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: 1-core-secrets-onepassword-connect-app
|
||||
namespace: flux-system
|
||||
labels: &l
|
||||
app.kubernetes.io/name: "onepassword-connect"
|
||||
spec:
|
||||
commonMetadata:
|
||||
labels: *l
|
||||
path: ./kube/deploy/core/secrets/onepassword-connect/app
|
||||
targetNamespace: "onepassword-connect"
|
||||
dependsOn: []
|
||||
@@ -0,0 +1,6 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ns.yaml
|
||||
- ks.yaml
|
||||
10
kube/deploy/core/secrets/onepassword-connect/ns.yaml
Normal file
@@ -0,0 +1,10 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: onepassword-connect
|
||||
labels:
|
||||
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||
pod-security.kubernetes.io/enforce: &ps restricted
|
||||
pod-security.kubernetes.io/audit: *ps
|
||||
pod-security.kubernetes.io/warn: *ps
|
||||