From 8e6c1091d85e7b08ad133a173d540b10ebc2aa39 Mon Sep 17 00:00:00 2001
From: Ultradesu
Date: Sat, 5 Apr 2025 23:14:53 +0100
Subject: [PATCH] Added external-secrets
---
.../external-secrets.yaml | 148 ++++++++++++++++++
k8s/state/apps/external-secrets-extra.yaml | 21 +++
2 files changed, 169 insertions(+)
create mode 100644 k8s/core/external-secrets-extra/external-secrets.yaml
create mode 100644 k8s/state/apps/external-secrets-extra.yaml
diff --git a/k8s/core/external-secrets-extra/external-secrets.yaml b/k8s/core/external-secrets-extra/external-secrets.yaml
new file mode 100644
index 0000000..7e74304
--- /dev/null
+++ b/k8s/core/external-secrets-extra/external-secrets.yaml
@@ -0,0 +1,148 @@
+# ---
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# name: bitwarden-cli
+# namespace: external-secrets
+# data:
+# BW_HOST: base64(url)
+# BW_USERNAME: base64(name)
+# BW_PASSWORD: base64(pass)
+# 81212111-6350-4069-8bcf-19a67d3964a5
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bitwarden-cli
+ namespace: external-secrets
+ labels:
+ reloader.stakater.com/auto: "true"
+ app.kubernetes.io/instance: bitwarden-cli
+ app.kubernetes.io/name: bitwarden-cli
+spec:
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: bitwarden-cli
+ app.kubernetes.io/instance: bitwarden-cli
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: bitwarden-cli
+ app.kubernetes.io/instance: bitwarden-cli
+ spec:
+ nodeSelector:
+ kubernetes.io/arch: amd64
+ kubernetes.io/hostname: master.tail2fe2d.ts.net
+ containers:
+ - name: bitwarden-cli
+ image: ultradesu/bitwarden-client:2024.7.2
+ imagePullPolicy: Always
+ env:
+ - name: BW_HOST
+ valueFrom:
+ secretKeyRef:
+ name: bitwarden-cli
+ key: BW_HOST
+ - name: BW_USER
+ valueFrom:
+ secretKeyRef:
+ name: bitwarden-cli
+ key: BW_USERNAME
+ - name: BW_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: bitwarden-cli
+ key: BW_PASSWORD
+ ports:
+ - name: http
+ containerPort: 8087
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - wget
+ - -q
+ - http://127.0.0.1:8087/sync
+ - --post-data=''
+ initialDelaySeconds: 20
+ failureThreshold: 3
+ timeoutSeconds: 1
+ periodSeconds: 120
+ readinessProbe:
+ tcpSocket:
+ port: 8087
+ initialDelaySeconds: 20
+ failureThreshold: 3
+ timeoutSeconds: 1
+ periodSeconds: 10
+ startupProbe:
+ tcpSocket:
+ port: 8087
+ initialDelaySeconds: 10
+ failureThreshold: 30
+ timeoutSeconds: 1
+ periodSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: bitwarden-cli
+ namespace: external-secrets
+ labels:
+ app.kubernetes.io/instance: bitwarden-cli
+ app.kubernetes.io/name: bitwarden-cli
+ annotations:
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8087
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/name: bitwarden-cli
+ app.kubernetes.io/instance: bitwarden-cli
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ namespace: external-secrets
+ name: external-secret-2-bw-cli
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: bitwarden-cli
+ app.kubernetes.io/name: bitwarden-cli
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: external-secrets
+ app.kubernetes.io/name: external-secrets
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vaultwarden-login
+spec:
+ provider:
+ webhook:
+ url: "http://bitwarden-cli:8087/object/item/{{ .remoteRef.key }}"
+ headers:
+ Content-Type: application/json
+ result:
+ jsonPath: "$.data.{{ .remoteRef.property }}"
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vaultwarden-fields
+spec:
+ provider:
+ webhook:
+ url: "http://bitwarden-cli:8087/object/item/{{ .remoteRef.key }}"
+ result:
+ jsonPath: "$.data.fields[?@.name==\"{{ .remoteRef.property }}\"].value"
diff --git a/k8s/state/apps/external-secrets-extra.yaml b/k8s/state/apps/external-secrets-extra.yaml
new file mode 100644
index 0000000..422cf8c
--- /dev/null
+++ b/k8s/state/apps/external-secrets-extra.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-secrets-extras
+ namespace: argocd
+spec:
+ project: homelab
+ source:
+ repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+ targetRevision: HEAD
+ path: k8s/core/external-secrets-extra
+ directory:
+ recurse: true
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: external-secrets
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+
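Review bot: The livenessProbe passes `--post-data=''` as a literal exec argument; exec probes are not run through a shell, so wget receives the two apostrophe characters as the POST body instead of an empty body, and `- --post-data=` (nothing after the equals sign) is the shell-free spelling of what was intended. The commented-out Secret template ends with a bare line `# 81212111-6350-4069-8bcf-19a67d3964a5` that belongs to no key; if it is an item or account identifier it should not sit in the repository unexplained, so either label it or remove it. The webhook stores send no credentials and the `/object/item/` and `/sync` paths look like the Bitwarden CLI serve API, which presumably answers anyone who can reach port 8087, so the NetworkPolicy `external-secret-2-bw-cli` is the only control on who can read vault items and it only takes effect on a CNI that enforces NetworkPolicy; a comment on the policy stating that dependency, e.g. `# Sole access control for the unauthenticated bw serve API; requires a NetworkPolicy-enforcing CNI`, would keep the next reader from treating it as optional. Both `ClusterSecretStore` objects are cluster-scoped, so any namespace permitted to create ExternalSecret resources can resolve any item through them; a `spec.conditions` block listing the namespaces that need them would narrow that to the intended consumers.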
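Review bot: `targetRevision: HEAD` together with `automated.selfHeal: true` and `prune: true` applies whatever lands on the repository's default branch to the cluster unattended, and since `path: k8s/core/external-secrets-extra` holds the cluster-scoped `ClusterSecretStore` objects that includes changes to which vault items are reachable from every namespace; pinning `targetRevision` to a named branch or tag keeps that promotion step explicit. The Application carries no `syncOptions`, so it relies on the `external-secrets` namespace already existing, which is presumably true because the operator lives there, but a comment such as `# namespace is created by the external-secrets Application, not here` would record the assumption. Whether the `homelab` AppProject permits cluster-scoped resources cannot be confirmed from this diff.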