diff --git a/k8s/apps/vaultwarden/app.yaml b/k8s/apps/vaultwarden/app.yaml
new file mode 100644
index 0000000..f8f882d
--- /dev/null
+++ b/k8s/apps/vaultwarden/app.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: vaultwarden
+ namespace: argocd
+spec:
+ project: homelab
+ destination:
+ namespace: vaultwarden
+ server: https://kubernetes.default.svc
+ source:
+ repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+ targetRevision: HEAD
+ path: k8s/apps/vaultwarden
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/k8s/apps/vaultwarden/deployment.yaml b/k8s/apps/vaultwarden/deployment.yaml
new file mode 100644
index 0000000..450c522
--- /dev/null
+++ b/k8s/apps/vaultwarden/deployment.yaml
@@ -0,0 +1,54 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vaultwarden
+ namespace: vaultwarden
+ labels:
+ app: vaultwarden
+spec:
+ selector:
+ matchLabels:
+ app: vaultwarden
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ app: vaultwarden
+ spec:
+ nodeSelector:
+ kubernetes.io/hostname: master.tail2fe2d.ts.net
+ volumes:
+ - name: storage
+ hostPath:
+ path: /k8s/vaultwarden
+ type: Directory
+ containers:
+ - name: vaultwarden
+ image: 'vaultwarden/server:latest'
+ imagePullPolicy: Always
+ env:
+ - name: DOMAIN
+ value: https://vw.hexor.cy
+ - name: ORG_GROUPS_ENABLED
+ value: 'true'
+ - name: WEBSOCKET_ENABLED
+ value: 'true'
+ - name: ADMIN_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: admin-token
+ key: ADMIN_TOKEN
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ volumeMounts:
+ - name: storage
+ mountPath: /data
+
diff --git a/k8s/apps/vaultwarden/external-secrets.yaml b/k8s/apps/vaultwarden/external-secrets.yaml
new file mode 100644
index 0000000..3668616
--- /dev/null
+++ b/k8s/apps/vaultwarden/external-secrets.yaml
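Review bot: `targetRevision: HEAD` tracks whatever the remote's default branch is, so a change of default branch on the forge silently changes what this automated, pruning Application deploys; naming the branch explicitly (`targetRevision: <BRANCH>`, with the repository's real branch name) keeps the deployed ref visible in the manifest. With `prune: true` and `selfHeal: true` but no `retry` block, a transient sync failure (for example the ExternalSecret not yet materialised when the Deployment is applied) is not retried automatically; a `retry:` / `  limit: 3` under `syncPolicy` covers that. The `ssh://` repoURL presumes a deploy key or SSH credential already registered in Argo CD; a one-line comment naming where that credential lives would help the next reader.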
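Review bot: `image: 'vaultwarden/server:latest'` with `imagePullPolicy: Always` means every pod restart may pull a different, unreviewed build, and the container carries no `securityContext`, no `resources` and no probes, so with `maxUnavailable: 0` a rollout counts as successful the moment the process starts. Pin the tag (ideally with a digest), add a readiness probe on vaultwarden's `/alive` endpoint and a minimal hardening block, as sketched below. Separately, the old and new pods share the same `hostPath` on the single selected node during a `RollingUpdate` with `maxSurge: 1`; if the default SQLite database under `/data` is in use (no `DATABASE_URL` is set here), `strategy: {type: Recreate}` avoids two writers on the same file. The image listens on port 80 by default, so if capabilities are dropped keep `NET_BIND_SERVICE` or move the listener to an unprivileged port via `ROCKET_PORT`.
```yaml
      containers:
        - name: vaultwarden
          # placeholder: pin to a released tag, ideally tag@sha256:<DIGEST>
          image: 'vaultwarden/server:<PINNED_TAG>'
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ['ALL']
              add: ['NET_BIND_SERVICE']
          # sizing below is illustrative; tune to observed usage
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              memory: 512Mi
          readinessProbe:
            httpGet:
              path: /alive
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
          # … unchanged: env, ports, volumeMounts …
```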
@@ -0,0 +1,24 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: admin-token
+ namespace: vaultwarden
+spec:
+ target:
+ name: admin-token
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+ ADMIN_TOKEN: |-
+ {{ .token }}
+ data:
+ - secretKey: token
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 0d7a022f-d821-4819-9935-841126c39150
+ property: fields[0].value
diff --git a/k8s/apps/vaultwarden/ingress.yaml b/k8s/apps/vaultwarden/ingress.yaml
new file mode 100644
index 0000000..f4efe91
--- /dev/null
+++ b/k8s/apps/vaultwarden/ingress.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: vaultwarden-tls-ingress
+ namespace: vaultwarden
+ annotations:
+ ingressClassName: traefik
+ cert-manager.io/cluster-issuer: letsencrypt
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+ acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+ rules:
+ - host: vw.hexor.cy
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: vaultwarden
+ port:
+ number: 80
+ - host: vw.hexor.ru
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: vaultwarden
+ port:
+ number: 80
+ tls:
+ - secretName: vaultwarden-tls
+ hosts:
+ - vw.hexor.cy
+ - vw.hexor.ru
+
diff --git a/k8s/apps/vaultwarden/kustomization.yaml b/k8s/apps/vaultwarden/kustomization.yaml
new file mode 100644
index 0000000..ba3a372
--- /dev/null
+++ b/k8s/apps/vaultwarden/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - app.yaml
+ - external-secrets.yaml
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
diff --git a/k8s/apps/vaultwarden/service.yaml b/k8s/apps/vaultwarden/service.yaml
new file mode 100644
index 0000000..09a2d40
--- /dev/null
+++ b/k8s/apps/vaultwarden/service.yaml
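Review bot: `property: fields[0].value` selects the admin token by its position in the vault item's custom-field list, so reordering or adding a field in item `0d7a022f-d821-4819-9935-841126c39150` silently swaps which value lands in `ADMIN_TOKEN` and the Deployment picks up the wrong admin credential on the next refresh. If the store supports addressing the field by name, prefer that; otherwise pin the assumption in a comment next to the line: `# fields[0] must remain the admin-token custom field of this item`. The `ClusterSecretStore` is named `vaultwarden-login`; if it reads from this same vaultwarden instance the deployment depends on itself for bootstrap, which deserves a comment stating where the store actually resolves from. Vaultwarden also accepts an Argon2 PHC hash as `ADMIN_TOKEN`, so storing the hash rather than the plaintext in the vault means the synced Secret is not itself a usable admin credential.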
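Review bot: `ingressClassName: traefik` sits under `metadata.annotations`, where Kubernetes ignores it; the field belongs at `spec.ingressClassName` (the annotation form is the legacy `kubernetes.io/ingress.class`). Unless the cluster defines a default IngressClass, no controller claims this Ingress, and cert-manager's HTTP-01 solver (`http01-edit-in-place`) then has nothing to route through either, so move it: `spec:` / `  ingressClassName: traefik` and drop the annotation line. Both hostnames publish the whole path space, including vaultwarden's `/admin` panel, which is guarded only by `ADMIN_TOKEN`; if the panel is only used from the tailnet, a Traefik IP allow-list middleware on `/admin` would narrow its exposure.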
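Review bot: `app.yaml` is listed as a resource of the very path that Application syncs, so the `Application` object in `argocd` is managed by itself. Argo CD tolerates this app-of-self pattern, but together with `prune: true` and `selfHeal: true` any manual edit to the Application is reverted on the next sync, and removing this line from `resources` in a later commit would prune the Application itself. If that is not intended, keep `app.yaml` out of this list and register it from a parent app-of-apps; either way a comment such as `# app.yaml: this Application manages its own definition (app-of-self)` records the choice.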
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: vaultwarden
+ namespace: vaultwarden
+spec:
+ selector:
+ app: vaultwarden
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80