From a1c485feec34cbdb4b4186679b5676addbbc8b48 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Tue, 23 Jan 2024 10:15:40 +0800
Subject: [PATCH] feat(external-secrets): add 1Password
---
 .../biohazard/config/secrets.sops.env | 6 +-
 .../biohazard/flux/kustomization.yaml | 1 +
 .../core/secrets/external-secrets/app/hr.yaml | 5 +-
 .../core/secrets/external-secrets/ks.yaml | 13 +-
 .../stores/1password/clustersecretstore.yaml | 19 ++
 .../stores/1password/secrets.yaml | 9 +
 .../stores/aws-ssm/secrets.yaml | 2 +-
 .../secrets/onepassword-connect/app/hr.yaml | 188 ++++++++++++++++++
 .../onepassword-connect/app/netpol.yaml | 49 +++++
 .../onepassword-connect/app/secrets.yaml | 10 +
 .../secrets/onepassword-connect/app/tls.yaml | 21 ++
 .../core/secrets/onepassword-connect/ks.yaml | 14 ++
 .../onepassword-connect/kustomization.yaml | 6 +
 .../core/secrets/onepassword-connect/ns.yaml | 10 +
 14 files changed, 347 insertions(+), 6 deletions(-)
 create mode 100644 kube/deploy/core/secrets/external-secrets/stores/1password/clustersecretstore.yaml
 create mode 100644 kube/deploy/core/secrets/external-secrets/stores/1password/secrets.yaml
 create mode 100644 kube/deploy/core/secrets/onepassword-connect/app/hr.yaml
 create mode 100644 kube/deploy/core/secrets/onepassword-connect/app/netpol.yaml
 create mode 100644 kube/deploy/core/secrets/onepassword-connect/app/secrets.yaml
 create mode 100644 kube/deploy/core/secrets/onepassword-connect/app/tls.yaml
 create mode 100644 kube/deploy/core/secrets/onepassword-connect/ks.yaml
 create mode 100644 kube/deploy/core/secrets/onepassword-connect/kustomization.yaml
 create mode 100644 kube/deploy/core/secrets/onepassword-connect/ns.yaml
diff --git a/kube/clusters/biohazard/config/secrets.sops.env b/kube/clusters/biohazard/config/secrets.sops.env
index 77a22bfe..97b4c340 100644
--- a/kube/clusters/biohazard/config/secrets.sops.env
+++ b/kube/clusters/biohazard/config/secrets.sops.env
@@ -1,3 +1,5 @@
+SECRET_EXTERNAL_SECRETS_ONEPASSWORD_CONNECT_JSON=ENC[AES256_GCM,data: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,iv:DS3kLG5JqO8d19o+A/j8JScZsWjkI1PlnfNFZKUi6lI=,tag:JGWINSjw27YjJhB+O5mydA==,type:str]
+SECRET_EXTERNAL_SECRETS_ONEPASSWORD_CONNECT_TOKEN=ENC[AES256_GCM,data:TuvtIt0vA7mCNJVUpIEOmuly0UQ8s5mHYAGraDPfZtJwLPNp/B1P0mJ+l9784kov91mADOGItN59BiXcmYkuV+hOy33X8DFRjWJ9oP/rSH63mH9UVn+VKHb/zjLArFcocn5BYdFkksJ20btCCsNlD1r2xaGzdLomwDiBVeFdba8K1wygRe6dFmW9JI567yo8wnkV7iR4FNRVrNiaPc+LtBsacPkQbmAMxssmpZ0mTtirg72fcRbLFP2KDUxDVdg9QGX55Qq/wsov/3TR445CKV94yMQiD0/U1cVRA3CXvi3xGgJcLcYMoB+2LKIyxOlPzmHoEUvnby/8jmKW+MGC+eJpWeLcwqlARE5AUp4llkGUS0yHXOrKoQ+wEt7cBORF2xvPaIKCeyP8GitsNL7UoMfQtp6hjjZ98VMRdnRWfCcTWqhaYMnMRVZiQR//51ArvVkcUdKpB4HJTEIa92t7MFL74KZNBlRrBpX3jVvFL34e+bWlSLoz7NludUJFeSXIJo3e2H7CzcKZ+5+uZ5k0l2IWQPSGnmm6SNeJrxZcegAjzLz6oy8nxEyVN1P/0mrj8Pf1LMlCQtttTbFDZpHkRKFhm27XwVMYB+e4p98BWkXj1kA4ioWeb419t6GkqqAKlGuweXBncieu3m1upzsjLIANXIw5lTGu0CDDNPjaCHK1HPxudu4VcQBxGT4fTPVBqwNR0l6I8O0/SzSgcN3+C/jlsQn+a+tnElmBR7Ru+pd6PGGPoeMAixRgseAbNHmhR6Z9bW/Fqu1J7XW3BB8QoHQPtaKyQ+gDVB3Gia3iOqqvrdvh0FLNnHdeVpLY0pXtsMyhsUihgwN/iXP95cGHOaxt,iv:kFnrhWDlULUvYawYvRXIkONCWbffPoT/Tj6MFpk7Noc=,tag:Z+jsZe+mrMxzoa97CeQ3PQ==,type:str]
 SECRET_CILIUM_BGP_PASSWORD_ROUTER=ENC[AES256_GCM,data:byaasu6VH2deIyQM4zCu/W+k5W4xjlDAaKbwqScZ05uBjVETgBC15y7xA5FN8N5Z9M0W4mdpp0WRCh1yfKqsMkR7EFjSAn4YjhZKQ1trMOZd/yhAXl7uf/r92gFL/tYCjBBdwpPHcs4MB4Yu60JMQRzHRgimTnp2L3+E6/qmAcCglLGw0tsHx2A1dDApG1r/IzimYsQK3eWOO0S/Cy4348iwQ0zyvA5cTjz5J7+Q8ogGgaqkThETeAIWDEF9oS9K8JYDGsXbhwkfBRSZqg5JmwtNDGTkraU7K7n2TnlWuubNVMBYmQkYEwa3d+5ttexLi/c=,iv:lufpG1ufDBIaQ8/Mn5iiXD9SCZGgtbk5tQgtguHLZXQ=,tag:F70i0qbnEZSoOSzlUbJY1A==,type:str]
 SECRET_SANDSTORM_ADMIN_PASSWORD=ENC[AES256_GCM,data:eBh/GfUuZ3CwYbUMo2aP,iv:fH1xCn0YVffgmKaFAwyxnsBhw+DK2WJQ4BJkPvxdpYY=,tag:r64Jt+OlThR58oJRPTfVfg==,type:str]
 SECRET_FLUX_WEBHOOK_GITHUB=ENC[AES256_GCM,data:rN1JGPiLKJGZaPky7M7Wy2aujMvYJeHVKOz6gmZnSvn0OGmP7kyMyg==,iv:Bs4nBXkzUmeXPqYx4bggZT/BmJMDrb3STeal3Y7JUrE=,tag:38CcnMHf5EThZyf8AA3gJg==,type:str]
@@ -178,8 +180,8 @@ SECRET_ELK_CF_KV_NS=ENC[AES256_GCM,data:NGwN9S0aFxLNBynHlkhnSVv0z5M6AXLukwh0VufE
 SECRET_RELOADER_ALERT_WEBHOOK_URL=ENC[AES256_GCM,data:EPXH2C0ZN+EjihlFRLzFseN73wJtoHQ8DcPrJ5STovPXTMor+4hspyhNhc3qUMZTUZj6w3beT/LVwU01pomp0Q8iDwwRLMvP+ZclREFx11T1vdkM69HxxduuO/0WA1EoRj1BcLDKhDU36wEhob6NlWaCfnFvIt505Q==,iv:t0gBgyEJS/gr/nybtbUqiZWWTLKPeeVSx+vWLVXa39M=,tag:dNE5oFGPG78s5Yfag+wCkg==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
-sops_lastmodified=2024-01-21T09:15:41Z
-sops_mac=ENC[AES256_GCM,data:zBRfhOqyVv58eP+3kE6BxxsQza+IUre4MRxfk3ai1RlMGiq8b8zK1wJgnBK0hKdLVYqruV49PQGr4Aylg9Mqho0UxhzSj0n13KOi6rAWYSvdn1W8a1kV3l/stGkGLXHbmdhsgX/3uicD5p39rSIcuGbjeLFHJrx+46evA8TZZj8=,iv:gDbw2HDHViN1suie6oAfR8GDTqM6PHy6CO1M3evb9ag=,tag:fBWq4RFPwSoOkR7E9NWO0w==,type:str]
+sops_lastmodified=2024-01-23T01:50:55Z
+sops_mac=ENC[AES256_GCM,data:dDl+Jvi4RZh154zvYln0dWWLQG7CAzSjFpzk3CW/2qTJ4DY154whiD6gDKgQ+dqGEViv3Wa2ojTvuXC0X6PpXlQOArPwkS9csTCXczpED2bK7iMDiRgYD1dHpI5GZj8OPWdlTo/En6AKOIPc4HHlNlOM9bDAekVCh4/C/Xj3gkU=,iv:jVhBmzibhBAm/9ZHruGNbJSDUCXBMPJyUvdB746CmVg=,tag:X7vH1+GagPQnti2dj+hWMQ==,type:str]
 sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z
 sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n
 sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index 6ba15d3d..4558c762 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -16,6 +16,7 @@ resources:
 - ../../../deploy/core/kyverno/_deps/
 - ../../../deploy/core/kyverno/
 - ../../../deploy/core/monitoring/_deps/
+ - ../../../deploy/core/secrets/onepassword-connect/
 - ../../../deploy/core/secrets/external-secrets/
 - ../../../deploy/core/storage/_external-snapshotter/
 - ../../../deploy/core/storage/_csi-addons/
diff --git a/kube/deploy/core/secrets/external-secrets/app/hr.yaml b/kube/deploy/core/secrets/external-secrets/app/hr.yaml
index bd43eb6f..c946ba8e 100644
--- a/kube/deploy/core/secrets/external-secrets/app/hr.yaml
+++ b/kube/deploy/core/secrets/external-secrets/app/hr.yaml
@@ -5,6 +5,7 @@ metadata:
 name: &app external-secrets
 namespace: *app
 spec:
+ interval: 5m
 chart:
 spec:
 chart: *app
@@ -17,7 +18,7 @@ spec:
 installCRDs: true
 podLabels: # netpols
 egress.home.arpa/apiserver: "allow"
- egress.home.arpa/world-https: "allow"
+ egress.home.arpa/onepassword-connect: "allow"
 # scheduling
 replicaCount: 2
 leaderElect: true
@@ -43,4 +44,4 @@ spec:
 enabled: true
 interval: 1m
 podLabels: # netpols
- ingress.home.arpa/apiserver: "allow"
\ No newline at end of file
+ ingress.home.arpa/apiserver: "allow"
diff --git a/kube/deploy/core/secrets/external-secrets/ks.yaml b/kube/deploy/core/secrets/external-secrets/ks.yaml
index ce0713e1..2b98e93a 100644
--- a/kube/deploy/core/secrets/external-secrets/ks.yaml
+++ b/kube/deploy/core/secrets/external-secrets/ks.yaml
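Review bot: The second hr.yaml hunk swaps the `egress.home.arpa/world-https: "allow"` pod label for `egress.home.arpa/onepassword-connect: "allow"` instead of adding alongside it, so whatever outbound HTTPS the world-https policy granted the external-secrets controller is withdrawn while `stores/aws-ssm/secrets.yaml` still ships in this commit. If the AWS SSM store remains configured, the controller presumably loses its path to the AWS endpoint unless another policy in the repo covers it; the new CiliumClusterwideNetworkPolicy only opens egress to the Connect pods on 8443. Keeping both labels, `egress.home.arpa/world-https: "allow"` next to the new line, preserves that store, or the aws-ssm store files should be retired in the same change. The values block continues outside the hunk.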
@@ -28,4 +28,15 @@ metadata:
 spec:
 path: ./kube/deploy/core/secrets/external-secrets/stores/k8s
 dependsOn:
- - name: 1-core-secrets-external-secrets-app
\ No newline at end of file
+ - name: 1-core-secrets-external-secrets-app
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ # I'm lazy to type the whole of `external-secrets`` in dependsOn, don't @ me
+ name: 1-core-secrets-es-1p
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/core/secrets/external-secrets/stores/1password
+ dependsOn:
+ - name: 1-core-secrets-external-secrets-app
diff --git a/kube/deploy/core/secrets/external-secrets/stores/1password/clustersecretstore.yaml b/kube/deploy/core/secrets/external-secrets/stores/1password/clustersecretstore.yaml
new file mode 100644
index 00000000..ebae76d7
--- /dev/null
+++ b/kube/deploy/core/secrets/external-secrets/stores/1password/clustersecretstore.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/clustersecretstore_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: "1p"
+spec:
+ provider:
+ onepassword:
+ connectHost: "https://${APP_DNS_ONEPASSWORD_CONNECT}"
+ vaults:
+ "${CLUSTER_NAME}": 1
+ auth:
+ secretRef:
+ connectTokenSecretRef:
+ name: "onepassword-connect-secrets"
+ key: "token"
+ namespace: "external-secrets"
+
diff --git a/kube/deploy/core/secrets/external-secrets/stores/1password/secrets.yaml b/kube/deploy/core/secrets/external-secrets/stores/1password/secrets.yaml
new file mode 100644
index 00000000..eba48e57
--- /dev/null
+++ b/kube/deploy/core/secrets/external-secrets/stores/1password/secrets.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "onepassword-connect-secrets"
+ namespace: "external-secrets"
+type: Opaque
+stringData:
+ token: "${SECRET_EXTERNAL_SECRETS_ONEPASSWORD_CONNECT_TOKEN}"
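Review bot: The new `1-core-secrets-es-1p` Kustomization lists only `1-core-secrets-external-secrets-app` under `dependsOn`, so nothing orders it after the Connect server rollout defined in `onepassword-connect/ks.yaml`; the `1p` ClusterSecretStore can be applied while `${APP_DNS_ONEPASSWORD_CONNECT}` is still unreachable and is likely to sit NotReady until it is re-validated. Adding `- name: 1-core-secrets-onepassword-connect-app` to that `dependsOn` list makes the ordering explicit and avoids the transient failure. The comment above `name:` also carries a stray trailing backtick after `external-secrets`.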
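Review bot: The `1p` ClusterSecretStore carries no `spec.conditions`, so an ExternalSecret in any namespace may reference it and read any item the Connect token can see in the `${CLUSTER_NAME}` vault; a cluster-scoped store turns that token's vault-wide read access into a cluster-wide capability gated only by the ability to create ExternalSecrets. If only specific namespaces are meant to consume 1Password items, a `conditions` entry with a `namespaces` list or a `namespaceSelector` confines the store, as sketched below; if the cluster-wide scope is intentional, a comment such as `# cluster-wide on purpose: every namespace may read vault ${CLUSTER_NAME}` records that decision. The empty trailing `+` line at the end of the file is a leftover to drop.
```yaml
spec:
  # constructed example: only these namespaces may reference this store
  conditions:
    - namespaces:
        - "external-secrets"
        - "<consumer-namespace>"
  # … unchanged: provider.onepassword block …
```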
diff --git a/kube/deploy/core/secrets/external-secrets/stores/aws-ssm/secrets.yaml b/kube/deploy/core/secrets/external-secrets/stores/aws-ssm/secrets.yaml
index a98d1412..0c3048b8 100644
--- a/kube/deploy/core/secrets/external-secrets/stores/aws-ssm/secrets.yaml
+++ b/kube/deploy/core/secrets/external-secrets/stores/aws-ssm/secrets.yaml
@@ -7,4 +7,4 @@ metadata:
 type: Opaque
 stringData:
 access-key: "${SECRET_EXTERNAL_SECRETS_AWS_SSM_ACCESS_KEY}"
- secret-key: "${SECRET_EXTERNAL_SECRETS_AWS_SSM_SECRET_KEY}"
\ No newline at end of file
+ secret-key: "${SECRET_EXTERNAL_SECRETS_AWS_SSM_SECRET_KEY}"
diff --git a/kube/deploy/core/secrets/onepassword-connect/app/hr.yaml b/kube/deploy/core/secrets/onepassword-connect/app/hr.yaml
new file mode 100644
index 00000000..0661275b
--- /dev/null
+++ b/kube/deploy/core/secrets/onepassword-connect/app/hr.yaml
@@ -0,0 +1,188 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: &app onepassword-connect
+ namespace: *app
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: "2.5.0"
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ main:
+ type: deployment
+ replicas: 1
+ containers:
+ main: &ct
+ image:
+ repository: "docker.io/1password/connect-api"
+ tag: "1.7.2@sha256:0c5ae74396e3c18c3b65acb89cb76d31088968cf0c25deca3818c72b01586606"
+ env:
+ TZ: "${CONFIG_TZ}"
+ XDG_DATA_HOME: &dir "/data"
+ OP_SESSION: &creds "/config/1password-credentials.json"
+ OP_LOG_LEVEL: "info"
+ OP_BUS_PORT: "60001"
+ OP_BUS_PEERS: "127.0.0.1:60002"
+ OP_HTTPS_PORT: &port "8443"
+ OP_TLS_CERT_FILE: &cert "/tls/fullchain.pem"
+ OP_TLS_KEY_FILE: &key "/tls/privkey.pem"
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "256Mi"
+ limits:
+ cpu: "3000m"
+ memory: "512Mi"
+ probes:
+ startup:
+ enabled: true
+ custom: true
+ spec: &probe
+ periodSeconds: 1
+ failureThreshold: 120
+ httpGet: &get
+ path: "/heartbeat"
+ port: *port
+ scheme: HTTPS
+ httpHeaders:
+ - name: Host
+ value: &host "${APP_DNS_ONEPASSWORD_CONNECT}"
+ readiness:
+ enabled: true
+ custom: true
+ spec:
+ <<: *probe
+ periodSeconds: 30
+ httpGet:
+ <<: *get
+ path: "/health"
+ liveness:
+ enabled: true
+ custom: true
+ spec:
+ <<: *probe
+ periodSeconds: 30
+ failureThreshold: 3
+ sync:
+ <<: *ct
+ image:
+ repository: "docker.io/1password/connect-sync"
+ tag: "1.7.2@sha256:ff5bf86187ac4da88224e63a5896b393b5a53f81434e8dbc5314e406a0f1db89"
+ env:
+ TZ: "${CONFIG_TZ}"
+ XDG_DATA_HOME: *dir
+ OP_SESSION: *creds
+ OP_LOG_LEVEL: "info"
+ OP_HTTP_PORT: &port "57832"
+ OP_BUS_PORT: "60002"
+ OP_BUS_PEERS: "127.0.0.1:60001"
+ probes:
+ startup:
+ enabled: true
+ custom: true
+ spec: &probe
+ periodSeconds: 1
+ failureThreshold: 120
+ httpGet:
+ path: "/heartbeat"
+ port: *port
+ readiness:
+ enabled: true
+ custom: true
+ spec:
+ periodSeconds: 30
+ httpGet:
+ path: "/health"
+ port: *port
+ liveness:
+ enabled: true
+ custom: true
+ spec:
+ <<: *probe
+ periodSeconds: 30
+ failureThreshold: 3
+ service:
+ main:
+ enabled: true
+ primary: true
+ controller: main
+ type: LoadBalancer
+ externalTrafficPolicy: Cluster
+ annotations:
+ coredns.io/hostname: *host
+ "io.cilium/lb-ipam-ips": "${APP_IP_ONEPASSWORD_CONNECT}"
+ ports:
+ http:
+ enabled: true
+ port: 443
+ targetPort: 8443
+ protocol: HTTPS
+ persistence:
+ config:
+ enabled: true
+ type: secret
+ name: "onepassword-connect-secrets"
+ advancedMounts:
+ main:
+ main:
+ - subPath: "1password-credentials.json"
+ path: *creds
+ readOnly: true
+ tmp:
+ enabled: true
+ type: emptyDir
+ medium: Memory
+ globalMounts:
+ - path: *dir
+ readOnly: false
+ tls:
+ enabled: true
+ type: secret
+ name: "onepassword-connect-tls"
+ defaultMode: 0400
+ advancedMounts:
+ main:
+ main:
+ - subPath: "tls.crt"
+ path: "/tls/fullchain.pem"
+ readOnly: true
+ - subPath: "tls.key"
+ path: "/tls/privkey.pem"
+ readOnly: true
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid 999
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: "Always"
+ seccompProfile: { type: "RuntimeDefault" }
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: "DoNotSchedule"
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "fuckoff.home.arpa/onepassword-connect"
+ operator: "DoesNotExist"
diff --git a/kube/deploy/core/secrets/onepassword-connect/app/netpol.yaml b/kube/deploy/core/secrets/onepassword-connect/app/netpol.yaml
new file mode 100644
index 00000000..eb969777
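Review bot: `&port` and `&probe` are each declared twice in this document — `OP_HTTPS_PORT: &port "8443"` with `spec: &probe` under the main container, then `OP_HTTP_PORT: &port "57832"` with `spec: &probe` under sync — and every later alias binds to whichever declaration is textually nearest above it. That gives the sync probes 57832 and the sync liveness merge the sync startup spec, which reads as intended, but the binding is purely positional: moving the sync container above main, or hoisting the main probe spec, would silently point sync's `<<: *probe` at the HTTPS/8443 probe. Distinct anchor names make the intent explicit, as in the rewritten lines below; `&cert` and `&key` are declared and never aliased (the tls mounts repeat the literal paths) and can go. Separately, `defaultMode: 0400` is an unquoted octal literal that Helm's YAML 1.1 parser reads as 256 while a 1.2 parser reads decimal 400; `defaultMode: 256  # 0400` is unambiguous.
```yaml
        main: &ct
          # … unchanged: image …
          env:
            # … unchanged: TZ, XDG_DATA_HOME, OP_SESSION, OP_LOG_LEVEL, OP_BUS_* …
            OP_HTTPS_PORT: &api_port "8443"
            OP_TLS_CERT_FILE: "/tls/fullchain.pem"
            OP_TLS_KEY_FILE: "/tls/privkey.pem"
          # … unchanged: securityContext, resources …
          probes:
            startup:
              spec: &api_probe
                httpGet: &get
                  port: *api_port
            # … unchanged: readiness/liveness merge *api_probe and *get …
        sync:
          <<: *ct
          env:
            # … unchanged …
            OP_HTTP_PORT: &sync_port "57832"
          probes:
            startup:
              spec: &sync_probe
                httpGet:
                  port: *sync_port
            readiness:
              spec:
                httpGet:
                  port: *sync_port
            liveness:
              spec:
                <<: *sync_probe
        # … unchanged: service, persistence, defaultPodOptions …
```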
--- /dev/null
+++ b/kube/deploy/core/secrets/onepassword-connect/app/netpol.yaml
@@ -0,0 +1,49 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: &app onepassword-connect
+ namespace: *app
+spec:
+ endpointSelector: {}
+ ingress:
+ # same namespace
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
+ # external-secrets
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: external-secrets
+ toPorts:
+ - ports:
+ - port: "8443"
+ egress:
+ # same namespace
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
+ - toEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "8443"
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: &app onepassword-connect
+spec:
+ endpointSelector:
+ matchLabels:
+ egress.home.arpa/onepassword-connect: allow
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
+ app.kubernetes.io/name: *app
+ toPorts:
+ - ports:
+ - port: "8443"
diff --git a/kube/deploy/core/secrets/onepassword-connect/app/secrets.yaml b/kube/deploy/core/secrets/onepassword-connect/app/secrets.yaml
new file mode 100644
index 00000000..60d95439
--- /dev/null
+++ b/kube/deploy/core/secrets/onepassword-connect/app/secrets.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "onepassword-connect-secrets"
+ namespace: "onepassword-connect"
+type: Opaque
+stringData:
+ 1password-credentials.json: |
+ ${SECRET_EXTERNAL_SECRETS_ONEPASSWORD_CONNECT_JSON}
diff --git a/kube/deploy/core/secrets/onepassword-connect/app/tls.yaml b/kube/deploy/core/secrets/onepassword-connect/app/tls.yaml
new file mode 100644
index 00000000..f46dbf2f
--- /dev/null
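Review bot: The CiliumNetworkPolicy's egress rule for `toEntities: world` only opens `port: "8443"`, yet the `sync` container in `app/hr.yaml` has to reach 1Password's hosted service, which is an HTTPS endpoint on 443; unless a cluster-wide policy elsewhere in the repo already grants outbound 443 (and DNS to kube-dns, which this policy also omits), the sync container's outbound calls are dropped and the Connect API keeps serving an empty or stale cache. 8443 looks like a copy of the ingress port; the world rule should read `- port: "443"` with `protocol: TCP`. The ingress side is sound: only the same namespace and `external-secrets` may reach 8443, so traffic from outside the cluster to the allocated LoadBalancer IP should be dropped by policy.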
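Review bot: `1password-credentials.json: |` puts `${SECRET_EXTERNAL_SECRETS_ONEPASSWORD_CONNECT_JSON}` inside a literal block scalar, which, as far as I can tell from Flux's text-based substitution, only survives if the decrypted value is a single line; a multi-line JSON document would continue at column 0 after the first line and break both the block scalar and the Secret. If the stored value is minified JSON this works and deserves a comment, e.g. `# value must be single-line JSON: it is substituted into a block scalar`; otherwise base64-encode it in SOPS and use `data:` instead of `stringData:`.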
+++ b/kube/deploy/core/secrets/onepassword-connect/app/tls.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: &app onepassword-connect
+ namespace: *app
+spec:
+ secretName: "onepassword-connect-tls"
+ additionalOutputFormats:
+ - type: CombinedPEM
+ - type: DER
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ privateKey:
+ algorithm: ECDSA
+ size: 384
+ rotationPolicy: Always
+ dnsNames:
+ - "*.${DNS_SHORT}"
+ - "*.holycamoly.${DNS_SHORT}"
diff --git a/kube/deploy/core/secrets/onepassword-connect/ks.yaml b/kube/deploy/core/secrets/onepassword-connect/ks.yaml
new file mode 100644
index 00000000..73146973
--- /dev/null
+++ b/kube/deploy/core/secrets/onepassword-connect/ks.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-secrets-onepassword-connect-app
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "onepassword-connect"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/core/secrets/onepassword-connect/app
+ targetNamespace: "onepassword-connect"
+ dependsOn: []
diff --git a/kube/deploy/core/secrets/onepassword-connect/kustomization.yaml b/kube/deploy/core/secrets/onepassword-connect/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/core/secrets/onepassword-connect/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
diff --git a/kube/deploy/core/secrets/onepassword-connect/ns.yaml b/kube/deploy/core/secrets/onepassword-connect/ns.yaml
new file mode 100644
index 00000000..d63e3027
--- /dev/null
+++ b/kube/deploy/core/secrets/onepassword-connect/ns.yaml
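Review bot: The Certificate requests a wildcard for `*.${DNS_SHORT}` (plus `*.holycamoly.${DNS_SHORT}`) with `rotationPolicy: Always` and the extra CombinedPEM/DER output formats, so the `onepassword-connect-tls` Secret in this namespace holds a private key valid for every host under the domain, not only `${APP_DNS_ONEPASSWORD_CONNECT}`; anything that can read Secrets in `onepassword-connect` obtains a key usable to impersonate every other service on that domain. Limiting `dnsNames` to the Connect hostname, `- "${APP_DNS_ONEPASSWORD_CONNECT}"`, keeps the blast radius to this service, and dropping `additionalOutputFormats` removes two redundant copies of the key unless something consumes them. The `*.holycamoly.${DNS_SHORT}` entry has no visible relation to this service and may be a carry-over from another Certificate.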
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: onepassword-connect
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps restricted
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps