diff --git a/k8s/core/cert-manager.yaml b/k8s/core/cert-manager.yaml
new file mode 100644
index 0000000..d0e60d0
--- /dev/null
+++ b/k8s/core/cert-manager.yaml
@@ -0,0 +1,109 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: cert-manager
+ namespace: kube-system
+spec:
+ repo: https://charts.jetstack.io
+ chart: cert-manager
+ targetNamespace: cert-manager
+ createNamespace: true
+ valuesContent: |-
+ crds:
+ enabled: true
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: cloudflare-creds
+ namespace: cert-manager
+spec:
+ target:
+ name: cloudflare-api-key-secret
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+ apiKey: |-
+ {{ .apiKey }}
+ data:
+ - secretKey: apiKey
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 8ae1dcb1-1182-48a1-8733-ca1144ea754b
+ property: fields[0].value
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: aws-creds
+ namespace: cert-manager
+spec:
+ target:
+ name: aws-api-key-secret
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+ accessKey: |-
+ {{ .accessKey }}
+ secretKey: |-
+ {{ .secretKey }}
+ data:
+ - secretKey: accessKey
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 144f9aa9-d6bd-4272-bfc9-ce8ba6f4a515
+ property: fields[0].value
+ - secretKey: secretKey
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 144f9aa9-d6bd-4272-bfc9-ce8ba6f4a515
+ property: fields[1].value
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: k8s-master@hexor.cy
+ privateKeySecretRef:
+ name: tls-secret
+ solvers:
+ - dns01:
+ cloudflare:
+ email: ultradesu@hexor.ru
+ apiKeySecretRef:
+ name: cloudflare-api-key-secret
+ key: apiKey
+ selector:
+ dnsZones:
+ - "*.hexor.cy"
+ - "*.hexor.ru"
+ - "*.btwiusearch.net"
+ - "hexor.ru"
+ - "hexor.cy"
+ - "btwiusearch.net"
+ - dns01:
+ route53:
+ region: eu-north-1
+ accessKeyIDSecretRef:
+ name: aws-api-key-secret
+ key: accessKey
+ secretAccessKeySecretRef:
+ name: aws-api-key-secret
+ key: secretKey
+ selector:
+ dnsZones:
+ - "of.hexor.cy"
diff --git a/k8s/core/external-secrets.yaml b/k8s/core/external-secrets.yaml
new file mode 100644
index 0000000..9dc78bb
--- /dev/null
+++ b/k8s/core/external-secrets.yaml
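Review bot: The Cloudflare solver pairs `email` with `apiKeySecretRef`, which is cert-manager's Global API Key path; that credential grants access to the whole Cloudflare account, whereas `apiTokenSecretRef` takes a token that can be scoped to DNS edits on just the zones listed under `dnsZones`. Unless the value stored under `apiKey` is already such a token (the ExternalSecret only shows it as Bitwarden `fields[0].value`), replace the two lines with `apiTokenSecretRef:` / `name: cloudflare-api-key-secret` / `key: apiKey` and drop `email`; the Route53 key should likewise be limited on the IAM side to the `of.hexor.cy` hosted zone. Both HelmChart resources in this commit (here and in k8s/core/external-secrets.yaml) have no `version:`, so each reconcile installs whatever the chart repository currently serves; pinning a chart version makes the deployed releases reproducible and reviewable. The aws-creds ExternalSecret reads `fields[0].value` and `fields[1].value` from the same Bitwarden item, so reordering the custom fields in the vault would silently swap the access key and secret key; the vaultwarden-fields store added in the other file selects fields by name and would be the safer reference.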
@@ -0,0 +1,159 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: external-secrets
+ namespace: kube-system
+spec:
+ repo: https://external-secrets.io
+ chart: external-secrets
+ targetNamespace: external-secrets
+ createNamespace: true
+
+# ---
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# name: bitwarden-cli
+# namespace: external-secrets
+# data:
+# BW_HOST: base64(url)
+# BW_USERNAME: base64(name)
+# BW_PASSWORD: base64(pass)
+# 81212111-6350-4069-8bcf-19a67d3964a5
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bitwarden-cli
+ namespace: external-secrets
+ labels:
+ reloader.stakater.com/auto: "true"
+ app.kubernetes.io/instance: bitwarden-cli
+ app.kubernetes.io/name: bitwarden-cli
+spec:
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: bitwarden-cli
+ app.kubernetes.io/instance: bitwarden-cli
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: bitwarden-cli
+ app.kubernetes.io/instance: bitwarden-cli
+ spec:
+ nodeSelector:
+ kubernetes.io/arch: amd64
+ kubernetes.io/hostname: master.tail2fe2d.ts.net
+ containers:
+ - name: bitwarden-cli
+ image: ultradesu/bitwarden-client:2024.7.2
+ imagePullPolicy: Always
+ env:
+ - name: BW_HOST
+ valueFrom:
+ secretKeyRef:
+ name: bitwarden-cli
+ key: BW_HOST
+ - name: BW_USER
+ valueFrom:
+ secretKeyRef:
+ name: bitwarden-cli
+ key: BW_USERNAME
+ - name: BW_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: bitwarden-cli
+ key: BW_PASSWORD
+ ports:
+ - name: http
+ containerPort: 8087
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - wget
+ - -q
+ - http://127.0.0.1:8087/sync
+ - --post-data=''
+ initialDelaySeconds: 20
+ failureThreshold: 3
+ timeoutSeconds: 1
+ periodSeconds: 120
+ readinessProbe:
+ tcpSocket:
+ port: 8087
+ initialDelaySeconds: 20
+ failureThreshold: 3
+ timeoutSeconds: 1
+ periodSeconds: 10
+ startupProbe:
+ tcpSocket:
+ port: 8087
+ initialDelaySeconds: 10
+ failureThreshold: 30
+ timeoutSeconds: 1
+ periodSeconds: 5
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: bitwarden-cli
+ namespace: external-secrets
+ labels:
+ app.kubernetes.io/instance: bitwarden-cli
+ app.kubernetes.io/name: bitwarden-cli
+ annotations:
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8087
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/name: bitwarden-cli
+ app.kubernetes.io/instance: bitwarden-cli
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ namespace: external-secrets
+ name: external-secret-2-bw-cli
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: bitwarden-cli
+ app.kubernetes.io/name: bitwarden-cli
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: external-secrets
+ app.kubernetes.io/name: external-secrets
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vaultwarden-login
+spec:
+ provider:
+ webhook:
+ url: "http://bitwarden-cli:8087/object/item/{{ .remoteRef.key }}"
+ headers:
+ Content-Type: application/json
+ result:
+ jsonPath: "$.data.{{ .remoteRef.property }}"
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vaultwarden-fields
+spec:
+ provider:
+ webhook:
+ url: "http://bitwarden-cli:8087/object/item/{{ .remoteRef.key }}"
+ result:
+ jsonPath: "$.data.fields[?@.name==\"{{ .remoteRef.property }}\"].value"
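Review bot: Both ClusterSecretStores (vaultwarden-login and vaultwarden-fields) are cluster-scoped and carry no `conditions`, so an ExternalSecret in any namespace can resolve any vault item by id through the bitwarden-cli REST API; adding `spec.conditions` with a `namespaces` list (for example just `cert-manager`) or a `namespaceSelector` confines vault reads to the namespaces that need them. The Service's `annotations:` is a bare key that parses as null — drop it or write `annotations: {}`. The liveness probe is an exec array, so `--post-data=''` reaches wget with the literal quote characters as its body, and every probe run triggers a `/sync` of the vault; a `tcpSocket` check like the other two probes, or a read-only endpoint, would avoid a liveness check with side effects. The bitwarden-cli container holds the vault master password in `BW_PASSWORD` and pulls a mutable tag with `imagePullPolicy: Always`, so pinning the image by digest and adding a `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, dropped capabilities) would harden the pod that can read the entire vault.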