gitops/external-secrets: add helmrelease + some coredns config for vault

resolving
This commit is contained in:
Jan Novak
2026-01-07 19:43:39 +01:00
parent 060a24437b
commit ed14d74738
7 changed files with 150 additions and 0 deletions


@@ -0,0 +1,63 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: external-secrets
namespace: external-secrets
spec:
interval: 30m
chart:
spec:
chart: external-secrets
version: "1.2.1" # latest stable 1.x
sourceRef:
kind: HelmRepository
name: external-secrets
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
replicaCount: 2
leaderElect: true
# Resources (adjust to your cluster)
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
memory: 256Mi
webhook:
replicaCount: 2
resources:
requests:
cpu: 25m
memory: 64Mi
limits:
memory: 128Mi
podDisruptionBudget:
enabled: true
minAvailable: 1
certController:
replicaCount: 2
resources:
requests:
cpu: 25m
memory: 64Mi
limits:
memory: 128Mi
# Metrics (enable if prometheus-operator is present)
serviceMonitor:
enabled: false
# Pod disruption budgets
podDisruptionBudget:
enabled: true
minAvailable: 1
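Review bot: certController is scaled to replicaCount 2 but, unlike the controller and webhook stanzas, gets no podDisruptionBudget, so a node drain can take both cert-controller pods down at once and leave the webhook without a refreshed CA bundle. If the indentation that the rendered view dropped matches the chart layout, adding `podDisruptionBudget:` / `enabled: true` / `minAvailable: 1` under certController would make the three components consistent; confirm the key exists in the 1.2.1 chart values before relying on it. The comment on the resources block ("adjust to your cluster") would also be more useful stating why CPU limits are deliberately omitted, since a reader may otherwise add them.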


@@ -0,0 +1,8 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: external-secrets
namespace: flux-system
spec:
interval: 1h
url: https://charts.external-secrets.io


@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: external-secrets


@@ -0,0 +1,10 @@
apiVersion: v1
kind: Secret
metadata:
name: vault-approle
namespace: external-secrets
annotations:
kustomize.toolkit.fluxcd.io/reconcile: disabled
type: Opaque
data:
secret-id: --- find me in keepass bro ---
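Review bot: The placeholder on the last line sits under `data:`, which the API server base64-decodes, so even once the value is filled in this manifest only applies if the operator remembers to encode it, and anyone running a plain apply on the directory gets a decode error rather than a clear "not provisioned" message. The reconcile-disabled annotation keeps Flux from applying it, but that intent is not written down anywhere in the file; a comment above `data:` such as `# Managed out of band: the AppRole SecretID is never committed; create this Secret manually in the cluster` would make it explicit. If the file is meant as a template, switching to `stringData:` with `secret-id: "<placeholder-secret-id>"` avoids the base64 trap, and a SOPS-encrypted Secret with Flux decryption would remove the manual step entirely while keeping the credential out of plaintext.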


@@ -0,0 +1,18 @@
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: vault-backend
namespace: external-secrets
spec:
provider:
vault:
server: "https://vault.hrajfrisbee.cz:8200"
path: "secret"
version: "v2"
auth:
appRole:
path: "approle"
roleId: "8833d0f8-d35d-d7ea-658b-c27837d121ab" # or reference a secret
secretRef:
name: vault-approle
key: secret-id
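Review bot: The SecretStore uses `apiVersion: external-secrets.io/v1beta1`, which the project deprecated in favour of `external-secrets.io/v1` from the 0.17 line, so with the 1.2.1 chart installed by this commit the manifest should read `apiVersion: external-secrets.io/v1`; confirm which versions the installed CRDs still serve before switching. The RoleID on the `roleId` line is half of the AppRole credential and the inline comment already hints at the alternative; the provider supports `roleRef:` with `name`/`key` pointing at a Secret, which would keep both halves out of the manifest and let the existing vault-approle Secret carry an extra `role-id` key. The server is reached over HTTPS with no `caBundle`/`caProvider`, so trust rests on the pods' default trust store; that is fine for a publicly issued certificate but worth a comment on the `server:` line stating which CA is expected.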


@@ -27,6 +27,19 @@ spec:
--- ---
apiVersion: kustomize.toolkit.fluxcd.io/v1 apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization kind: Kustomization
metadata:
name: external-secrets
namespace: flux-system
spec:
interval: 10m0s
path: ./gitops/home-kubernetes/external-secrets
prune: true
sourceRef:
kind: GitRepository
name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata: metadata:
name: kube-prometheus name: kube-prometheus
namespace: flux-system namespace: flux-system
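Review bot: The new external-secrets Kustomization points at a single path that, judging by the other sections of this commit, contains both the HelmRelease that installs the external-secrets CRDs and a SecretStore that depends on them, so the first reconciliation will fail on the SecretStore with a missing-kind error until the HelmRelease has been installed, and the stanza has no `dependsOn` or `wait` to order that. The usual Flux layout is two Kustomizations, one for the HelmRepository/Namespace/HelmRelease and a second for the SecretStore with `dependsOn:` / `- name: external-secrets` so the CRDs exist before the store is applied. Note also that `path: ./gitops/home-kubernetes/external-secrets` differs from the `gitops/external-secrets` named in the commit title; the file headers are not visible here, so confirm the directory actually matches. The enclosing multi-document file continues outside the hunk.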


@@ -0,0 +1,34 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
data:
Corefile: |
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
hosts {
192.168.0.30 vault.hrajfrisbee.cz
fallthrough
}
prometheus :9153
forward . /etc/resolv.conf {
max_concurrent 1000
}
cache 30 {
disable success cluster.local
disable denial cluster.local
}
loop
reload
loadbalance
}
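Review bot: This manifest replaces the whole `coredns` ConfigMap in kube-system, which on kubeadm, k3s and similar distributions is owned by the distribution's add-on manager, so the two controllers will overwrite each other on every upgrade, and if the file is ever removed from Git a pruning Kustomization would delete the cluster's live DNS configuration rather than just the customisation. A comment at the top of the file stating which distribution owns CoreDNS here and why a full override (rather than a distribution-specific import or the `hosts` entry in a separate file) was chosen would save the next maintainer that investigation. Inside the Corefile the `hosts` override is the only non-default line and it silently steers all in-cluster traffic for the Vault hostname to a LAN address, which matters for TLS name matching and for anyone debugging resolution; a Corefile comment such as `# split-horizon: reach Vault on the LAN address instead of its public one` above the `192.168.0.30` line documents that intent.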