Move kubernetes manifests to folder

2026-02-04 01:37:57 +00:00 · 2025-12-24 03:02:53 +00:00
parent 585bbc4738
commit fff7312d7d
5 changed files with 0 additions and 0 deletions
--- a/kubernetes/deployment.yaml
+++ b/kubernetes/deployment.yaml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: secret-reader
+  labels:
+    app: secret-reader
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: secret-reader
+  template:
+    metadata:
+      labels:
+        app: secret-reader
+    spec:
+      serviceAccountName: secret-reader
+      containers:
+      - name: secret-reader
+        image: ultradesu/k8s-secrets:latest
+        imagePullPolicy: IfNotPresent
+        args:
+          - "--secrets"
+          - "openai-creds"
+          - "--port"
+          - "3000"
+        ports:
+        - containerPort: 3000
+          name: http
+        env:
+        - name: RUST_LOG
+          value: "info"
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "50m"
+          limits:
+            memory: "128Mi"
+            cpu: "100m"
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: http
+          initialDelaySeconds: 10
+          periodSeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: http
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 1000
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - ALL
--- a/kubernetes/external-secret.yaml
+++ b/kubernetes/external-secret.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: openai-creds
+spec:
+  target:
+    name: openai-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        USER: |-
+          {{ .user }}
+        PASS: |-
+          {{ .pass }}
+        TOTP: |-
+          {{ .totp }}
+  data:
+    - secretKey: user
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: a485f323-fd47-40ee-a5cf-40891b1f963c
+        property: login.username
+    - secretKey: pass
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: a485f323-fd47-40ee-a5cf-40891b1f963c
+        property: login.password
+    - secretKey: totp
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: a485f323-fd47-40ee-a5cf-40891b1f963c
+        property: login.totp
+
--- a/kubernetes/rbac.yaml
+++ b/kubernetes/rbac.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secret-reader
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: secret-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: secret-reader
+subjects:
+- kind: ServiceAccount
+  name: secret-reader
--- a/kubernetes/service-account.yaml
+++ b/kubernetes/service-account.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: secret-reader
+  labels:
+    app: secret-reader
--- a/kubernetes/service.yaml
+++ b/kubernetes/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: secret-reader
+  labels:
+    app: secret-reader
+spec:
+  type: ClusterIP
+  selector:
+    app: secret-reader
+  ports:
+  - port: 80
+    targetPort: 3000
+    protocol: TCP
+    name: http