From 057c301eba61e24a5f66e00cbcf77fc311bcc20b Mon Sep 17 00:00:00 2001
From: "AB from home.homenet"
Date: Wed, 11 Feb 2026 21:49:12 +0200
Subject: [PATCH 1/2] Added secrets

---
 k8s/apps/mtproxy/kustomization.yaml | 3 +-
 k8s/apps/mtproxy/secret-reader.yaml | 63 +++++++++++++++++++++++++++++
 k8s/apps/mtproxy/service.yaml | 18 ++++-----
 3 files changed, 74 insertions(+), 10 deletions(-)
 create mode 100644 k8s/apps/mtproxy/secret-reader.yaml

diff --git a/k8s/apps/mtproxy/kustomization.yaml b/k8s/apps/mtproxy/kustomization.yaml
index 671eed9..9411c52 100644
--- a/k8s/apps/mtproxy/kustomization.yaml
+++ b/k8s/apps/mtproxy/kustomization.yaml
@@ -6,5 +6,6 @@ resources:
 - ./rbac.yaml
 - ./daemonset.yaml
 - ./external-secrets.yaml
+ - ./service.yaml
+ - ./secret-reader.yaml
 # - ./storage.yaml
-# - ./service.yaml
diff --git a/k8s/apps/mtproxy/secret-reader.yaml b/k8s/apps/mtproxy/secret-reader.yaml
new file mode 100644
index 0000000..9ab04bb
--- /dev/null
+++ b/k8s/apps/mtproxy/secret-reader.yaml
@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: secret-reader
+ labels:
+ app: secret-reader
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: secret-reader
+ template:
+ metadata:
+ labels:
+ app: secret-reader
+ spec:
+ serviceAccountName: mtproxy
+ nodeSelector:
+ kubernetes.io/os: linux
+ containers:
+ - name: secret-reader
+ image: ultradesu/k8s-secrets:0.2.1
+ imagePullPolicy: Always
+ args:
+ - "--secrets"
+ - "mtproxy-links"
+ - "--namespace"
+ - "mtproxy"
+ - "--port"
+ - "3000"
+ ports:
+ - containerPort: 3000
+ name: http
+ env:
+ - name: RUST_LOG
+ value: "info"
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "50m"
+ limits:
+ memory: "128Mi"
+ cpu: "150m"
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/k8s/apps/mtproxy/service.yaml b/k8s/apps/mtproxy/service.yaml
index 80b6539..2424610 100644
--- a/k8s/apps/mtproxy/service.yaml
+++ b/k8s/apps/mtproxy/service.yaml
@@ -2,15 +2,15 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: mtproxy
+ name: secret-reader
+ labels:
+ app: secret-reader
 spec:
- type: LoadBalancer
+ type: ClusterIP
 selector:
- app: mtproxy
+ app: secret-reader
 ports:
- - name: proxy
- port: 30443
- targetPort: 30443
- protocol: TCP
- nodePort: 30443
-
+ - port: 80
+ targetPort: 3000
+ protocol: TCP
+ name: http

From aaff1061cf387f5cf80f63b7fef8edb5f1c03b51 Mon Sep 17 00:00:00 2001
From: ab
Date: Wed, 11 Feb 2026 19:51:07 +0000
Subject: [PATCH 2/2] Update terraform/authentik/proxy-apps.tfvars

---
 terraform/authentik/proxy-apps.tfvars | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
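Review bot: The pod borrows the mtproxy DaemonSet's identity through `serviceAccountName: mtproxy`, so this HTTP-facing process holds whatever rbac.yaml (not in this patch) grants that account instead of the single permission it needs; give it its own account, `serviceAccountName: secret-reader`, bound to a Role whose only rule is `get` (plus `list`/`watch` only if the tool needs them) on `secrets` with `resourceNames: ["mtproxy-links"]`. The image is pinned by the mutable tag `ultradesu/k8s-secrets:0.2.1` and re-pulled on every restart by `imagePullPolicy: Always`, so a retagged upstream image would silently become the process that reads the secret; for a third-party image in this role pin by digest (`0.2.1@sha256:…`). The container securityContext is otherwise solid but omits `seccompProfile: {type: RuntimeDefault}`, which the restricted Pod Security Standard requires and which costs nothing here.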
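Review bot: The ClusterIP Service on port 80→3000 puts the secret-reader, whose only job is to return the contents of Secret `mtproxy-links` over plain HTTP, one DNS name away from every workload in the cluster, and nothing in this patch restricts who may connect; the Authentik gate added in the second patch only covers requests arriving via `proxy.hexor.cy`, not in-cluster calls straight to `secret-reader.mtproxy.svc`. Add a NetworkPolicy selecting `app: secret-reader` with `policyTypes: [Ingress]` whose single ingress rule admits only the pods of the `kubernetes-outpost` (namespace and pod selectors taken from that deployment, which is not shown here) on TCP 3000, so everything else is denied by default. The hunk also repurposes the `mtproxy` LoadBalancer definition rather than adding a second Service; since kustomization.yaml previously had `# - ./service.yaml` commented out nothing deployed is lost, but the rename deserves a line in the commit message.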
diff --git a/terraform/authentik/proxy-apps.tfvars b/terraform/authentik/proxy-apps.tfvars
index 956b55f..09f0bfb 100644
--- a/terraform/authentik/proxy-apps.tfvars
+++ b/terraform/authentik/proxy-apps.tfvars
@@ -60,7 +60,23 @@ EOT
 create_group = true
 access_groups = ["admins"]
 }
-
+ "mtproxy-links" = {
+ name = "mtproxy-links"
+ slug = "mtproxy-links"
+ group = "Core"
+ external_host = "https://proxy.hexor.cy"
+ internal_host = "http://secret-reader.mtproxy.svc:80"
+ internal_host_ssl_validation = false
+ meta_description = ""
+ skip_path_regex = <<-EOT
+/webhook
+EOT
+ meta_icon = "https://img.icons8.com/ios-filled/50/password.png"
+ mode = "proxy"
+ outpost = "kubernetes-outpost"
+ create_group = true
+ access_groups = ["admins"]
+ }
 # Tools applications
 "vpn" = {
 name = "VPN"
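Review bot: `skip_path_regex = /webhook` exempts any request path matching `/webhook` from Authentik for an application whose entire purpose is to hand out the contents of a Secret; the value looks inherited from the neighbouring entries (the hunk's context is the previous app's `EOT`), and unless ultradesu/k8s-secrets really exposes a webhook that must be reachable unauthenticated it should be `skip_path_regex = ""` or the key dropped. If the outpost applies the expression unanchored, as Go's regexp matching does by default, it would also match any path that merely contains `/webhook`, not only `/webhook` itself. `internal_host_ssl_validation = false` is harmless here because `internal_host` is plain `http://`, but it means the secret travels in clear between the outpost and the service, which is only acceptable if the cluster network is trusted or a mesh encrypts it. The removed blank line leaves the new block butted against `# Tools applications`; keep an empty line after the closing `}` as the other entries have.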