From ed14d747388f1b227d3c69bbbdb3e9423f7aa58a Mon Sep 17 00:00:00 2001
From: Jan Novak
Date: Wed, 7 Jan 2026 19:43:39 +0100
Subject: [PATCH] gitops/external-secrets: add helmrelease + some coredns config for vault resolving
---
.../external-secrets/helmrelease.yaml | 63 +++++++++++++++++++
.../external-secrets/helmrepository.yaml | 8 +++
.../external-secrets/namespace.yaml | 4 ++
.../external-secrets/secret-approle.yaml | 10 +++
.../external-secrets/secretstore-vault.yaml | 18 ++++++
.../flux-system/extra-kustomizations.yaml | 13 ++++
.../configmap_coredns.yaml | 34 ++++++++++
7 files changed, 150 insertions(+)
create mode 100644 gitops/home-kubernetes/external-secrets/helmrelease.yaml
create mode 100644 gitops/home-kubernetes/external-secrets/helmrepository.yaml
create mode 100644 gitops/home-kubernetes/external-secrets/namespace.yaml
create mode 100644 gitops/home-kubernetes/external-secrets/secret-approle.yaml
create mode 100644 gitops/home-kubernetes/external-secrets/secretstore-vault.yaml
create mode 100644 gitops/home-kubernetes/kube-system-overrides/configmap_coredns.yaml
diff --git a/gitops/home-kubernetes/external-secrets/helmrelease.yaml b/gitops/home-kubernetes/external-secrets/helmrelease.yaml
new file mode 100644
index 0000000..70491cc
--- /dev/null
+++ b/gitops/home-kubernetes/external-secrets/helmrelease.yaml
@@ -0,0 +1,63 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: external-secrets
+ namespace: external-secrets
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: external-secrets
+ version: "1.2.1" # latest stable 1.x
+ sourceRef:
+ kind: HelmRepository
+ name: external-secrets
+ namespace: flux-system
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ remediation:
+ retries: 3
+ values:
+ replicaCount: 2
+ leaderElect: true
+
+ # Resources (adjust to your cluster)
+ resources:
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ limits:
+ memory: 256Mi
+
+ webhook:
+ replicaCount: 2
+ resources:
+ requests:
+ cpu: 25m
+ memory: 64Mi
+ limits:
+ memory: 128Mi
+ podDisruptionBudget:
+ enabled: true
+ minAvailable: 1
+
+ certController:
+ replicaCount: 2
+ resources:
+ requests:
+ cpu: 25m
+ memory: 64Mi
+ limits:
+ memory: 128Mi
+
+ # Metrics (enable if prometheus-operator is present)
+ serviceMonitor:
+ enabled: false
+
+ # Pod disruption budgets
+ podDisruptionBudget:
+ enabled: true
+ minAvailable: 1
\ No newline at end of file
diff --git a/gitops/home-kubernetes/external-secrets/helmrepository.yaml b/gitops/home-kubernetes/external-secrets/helmrepository.yaml
new file mode 100644
index 0000000..774aea0
--- /dev/null
+++ b/gitops/home-kubernetes/external-secrets/helmrepository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: external-secrets
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://charts.external-secrets.io
\ No newline at end of file
diff --git a/gitops/home-kubernetes/external-secrets/namespace.yaml b/gitops/home-kubernetes/external-secrets/namespace.yaml
new file mode 100644
index 0000000..55ff7cd
--- /dev/null
+++ b/gitops/home-kubernetes/external-secrets/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: external-secrets
\ No newline at end of file
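Review bot: The HelmRelease in helmrelease.yaml leaves `spec.upgrade.crds` at the Flux default of `Skip`, so when `version: "1.2.1"` is later bumped the chart's CRDs (SecretStore, ExternalSecret, ...) stay at the old schema while the controller moves on, which is the usual cause of reconcile failures on external-secrets upgrades. Add `crds: CreateReplace` next to the existing `remediation:` under both `install:` and `upgrade:` so CRDs are kept in step with the chart. `createNamespace: true` duplicates the namespace.yaml added in the same directory; harmless, but one of the two is redundant and a one-line comment saying which is authoritative would help. The helmrepository.yaml and namespace.yaml hunks on this line need nothing.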
diff --git a/gitops/home-kubernetes/external-secrets/secret-approle.yaml b/gitops/home-kubernetes/external-secrets/secret-approle.yaml
new file mode 100644
index 0000000..8e7d633
--- /dev/null
+++ b/gitops/home-kubernetes/external-secrets/secret-approle.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vault-approle
+ namespace: external-secrets
+ annotations:
+ kustomize.toolkit.fluxcd.io/reconcile: disabled
+type: Opaque
+data:
+ secret-id: --- find me in keepass bro ---
\ No newline at end of file
diff --git a/gitops/home-kubernetes/external-secrets/secretstore-vault.yaml b/gitops/home-kubernetes/external-secrets/secretstore-vault.yaml
new file mode 100644
index 0000000..d8f02b2
--- /dev/null
+++ b/gitops/home-kubernetes/external-secrets/secretstore-vault.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+ name: vault-backend
+ namespace: external-secrets
+spec:
+ provider:
+ vault:
+ server: "https://vault.hrajfrisbee.cz:8200"
+ path: "secret"
+ version: "v2"
+ auth:
+ appRole:
+ path: "approle"
+ roleId: "8833d0f8-d35d-d7ea-658b-c27837d121ab" # or reference a secret
+ secretRef:
+ name: vault-approle
+ key: secret-id
\ No newline at end of file
diff --git a/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml b/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml
index 9418587..709821a 100644
--- a/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml
+++ b/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml
@@ -27,6 +27,19 @@ spec:
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
+metadata:
+ name: external-secrets
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ path: ./gitops/home-kubernetes/external-secrets
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
 metadata:
 name: kube-prometheus
 namespace: flux-system
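Review bot: In secret-approle.yaml the value of `data.secret-id` is a prose placeholder (`--- find me in keepass bro ---`) rather than base64, so the manifest cannot be applied as written; it only survives because the `kustomize.toolkit.fluxcd.io/reconcile: disabled` annotation makes Flux skip the object. That turns the real secret into an undocumented manual step, and if the annotation is ever dropped the whole external-secrets Kustomization fails on this object. Either commit the real value SOPS-encrypted (Flux decrypts natively) or keep this file as an explicit stub with a header comment such as `# Stub only: the real Secret is created out-of-band (kubectl create secret generic vault-approle -n external-secrets --from-literal=secret-id=<value>); reconcile is disabled so Flux never overwrites it.` Keeping a non-applyable placeholder under `data:` without that comment is the part I would not merge.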
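Review bot: secretstore-vault.yaml commits the AppRole `roleId` in plain text, and the trailing `# or reference a secret` shows the author knows the alternative; the role ID is one half of the credential, and the Vault provider's `appRole` block accepts `roleRef: {name: vault-approle, key: role-id}` in place of `roleId`, so both halves can live in the same out-of-band Secret the file already references via `secretRef`. The store also uses `external-secrets.io/v1beta1` while the HelmRelease pins chart 1.2.1; v1beta1 has been deprecated in favour of `external-secrets.io/v1`, so confirm the installed CRDs still serve it or switch the apiVersion. The `server` URL `https://vault.hrajfrisbee.cz:8200` resolves only through the CoreDNS `hosts` override added in this same commit, and if Vault's certificate is not issued by a CA in the controller's trust store a `caProvider` or `caBundle` is needed as well, which this file does not show.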
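Review bot: The new `external-secrets` Kustomization in extra-kustomizations.yaml applies the SecretStore from the same path as the HelmRelease that installs the SecretStore CRD, so on a fresh cluster the first reconciliations will most likely fail with an unknown kind until helm-controller has installed the chart and Flux retries on the `10m0s` interval. The usual shape is two Kustomizations, one for the operator with `wait: true` and one for stores/ExternalSecrets with `dependsOn` pointing at it; at minimum adding `wait: true` here would let later Kustomizations that consume ExternalSecrets order themselves behind this one. The surrounding multi-document file continues outside the hunk.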
diff --git a/gitops/home-kubernetes/kube-system-overrides/configmap_coredns.yaml b/gitops/home-kubernetes/kube-system-overrides/configmap_coredns.yaml
new file mode 100644
index 0000000..feb3dda
--- /dev/null
+++ b/gitops/home-kubernetes/kube-system-overrides/configmap_coredns.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns
+ namespace: kube-system
+data:
+ Corefile: |
+ .:53 {
+ errors
+ health {
+ lameduck 5s
+ }
+ ready
+ kubernetes cluster.local in-addr.arpa ip6.arpa {
+ pods insecure
+ fallthrough in-addr.arpa ip6.arpa
+ ttl 30
+ }
+ hosts {
+ 192.168.0.30 vault.hrajfrisbee.cz
+ fallthrough
+ }
+ prometheus :9153
+ forward . /etc/resolv.conf {
+ max_concurrent 1000
+ }
+ cache 30 {
+ disable success cluster.local
+ disable denial cluster.local
+ }
+ loop
+ reload
+ loadbalance
+ }
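Review bot: configmap_coredns.yaml replaces the entire kube-system/coredns ConfigMap to add one `hosts` entry, and nothing in the file says that everything except the `hosts { ... }` block is the kubeadm-generated default; `kubeadm upgrade apply` re-applies the CoreDNS addon and can rewrite this ConfigMap, so Flux and kubeadm are likely to overwrite each other after control-plane upgrades. A header comment such as `# Copy of the kubeadm default Corefile plus the hosts{} block (vault.hrajfrisbee.cz -> 192.168.0.30); re-diff against kubeadm's Corefile after each upgrade` would make the maintenance burden explicit. The `hosts` plugin is declared without a zone argument, so the pinned name is answered for every pod cluster-wide and all other queries fall through to `forward`; that is the intent, but it means the SecretStore's `server` hostname is satisfied by this override rather than by upstream DNS, which is worth a comment next to the entry. Whether the kube-system-overrides directory is referenced by any Flux Kustomization is not visible in this commit, since the extra-kustomizations hunk only adds the external-secrets one.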