HomeInfra/HetznerTerra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: sync runtime secrets from doppler
All checks were successful
Deploy Cluster / Terraform (push) Successful in 45s
Details
Deploy Cluster / Ansible (push) Successful in 9m56s
Details

Browse Source
This commit is contained in:
MichaelFisher1997
2026-03-09 00:25:41 +00:00
parent e10a70475f
commit 6f2e056b98
20 changed files with 180 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
infrastructure/addons/external-secrets/clustersecretstore-doppler-hetznerterra.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
name: doppler-hetznerterra
spec:
provider:
doppler:
auth:
secretRef:
dopplerToken:
name: doppler-hetznerterra-service-token
key: dopplerToken
namespace: external-secrets

27
infrastructure/addons/external-secrets/helmrelease-external-secrets.yaml Normal file
View File

@@ -0,0 +1,27 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: external-secrets
namespace: flux-system
spec:
interval: 10m
targetNamespace: external-secrets
chart:
spec:
chart: external-secrets
version: 2.1.0
sourceRef:
kind: HelmRepository
name: external-secrets
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
installCRDs: true
serviceMonitor:
enabled: false

8
infrastructure/addons/external-secrets/helmrepository-external-secrets.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: external-secrets
namespace: flux-system
spec:
interval: 1h
url: https://charts.external-secrets.io

7
infrastructure/addons/external-secrets/kustomization.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- helmrepository-external-secrets.yaml
- helmrelease-external-secrets.yaml
- clustersecretstore-doppler-hetznerterra.yaml

4
infrastructure/addons/external-secrets/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: external-secrets

25
infrastructure/addons/flux-ui/cluster-user-auth-externalsecret.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: cluster-user-auth
namespace: flux-system
spec:
refreshInterval: 1h
secretStoreRef:
name: doppler-hetznerterra
kind: ClusterSecretStore
target:
name: cluster-user-auth
creationPolicy: Owner
template:
type: Opaque
data:
username: "{{ .fluxAdminUsername }}"
password: "{{ .fluxAdminPasswordHash }}"
data:
- secretKey: fluxAdminUsername
remoteRef:
key: WEAVE_GITOPS_ADMIN_USERNAME
- secretKey: fluxAdminPasswordHash
remoteRef:
key: WEAVE_GITOPS_ADMIN_PASSWORD_BCRYPT_HASH

3
infrastructure/addons/flux-ui/helmrelease-weave-gitops.yaml
View File

@@ -27,9 +27,8 @@ spec:
adminUser:
create: true
createClusterRole: true
createSecret: true
createSecret: false
username: admin
passwordHash: "$2b$12$iVSpwZxP98Y1T4AOwj.TAeMsrOuQ6vWfhXfG4Gan9ay.qGMaRNdrC"
rbac:
create: true
impersonationResourceNames:

1
infrastructure/addons/flux-ui/kustomization.yaml
View File

@@ -1,6 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cluster-user-auth-externalsecret.yaml
- gitrepository-weave-gitops.yaml
- helmrelease-weave-gitops.yaml
- traefik-helmchartconfig-flux-entrypoint.yaml

15
infrastructure/addons/kustomization-external-secrets.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: addon-external-secrets
namespace: flux-system
spec:
interval: 10m
prune: true
sourceRef:
kind: GitRepository
name: platform
path: ./infrastructure/addons/external-secrets
wait: true
timeout: 5m
suspend: false

2
infrastructure/addons/kustomization-flux-ui.yaml
View File

@@ -10,6 +10,8 @@ spec:
kind: GitRepository
name: platform
path: ./infrastructure/addons/flux-ui
dependsOn:
- name: addon-external-secrets
wait: true
timeout: 5m
suspend: false

2
infrastructure/addons/kustomization-observability.yaml
View File

@@ -10,6 +10,8 @@ spec:
kind: GitRepository
name: platform
path: ./infrastructure/addons/observability
dependsOn:
- name: addon-external-secrets
wait: true
timeout: 5m
suspend: false

1
infrastructure/addons/kustomization.yaml
View File

@@ -3,6 +3,7 @@ kind: Kustomization
resources:
- kustomization-ccm.yaml
- kustomization-csi.yaml
- kustomization-external-secrets.yaml
- kustomization-flux-ui.yaml
- kustomization-tailscale-operator.yaml
- kustomization-observability.yaml

22
infrastructure/addons/observability/grafana-admin-externalsecret.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: grafana-admin
namespace: observability
spec:
refreshInterval: 1h
secretStoreRef:
name: doppler-hetznerterra
kind: ClusterSecretStore
target:
name: grafana-admin-credentials
creationPolicy: Owner
template:
type: Opaque
data:
admin-user: admin
admin-password: "{{ .grafanaAdminPassword }}"
data:
- secretKey: grafanaAdminPassword
remoteRef:
key: GRAFANA_ADMIN_PASSWORD

4
infrastructure/addons/observability/helmrelease-kube-prometheus-stack.yaml
View File

@@ -24,6 +24,10 @@ spec:
values:
grafana:
enabled: true
admin:
existingSecret: grafana-admin-credentials
userKey: admin-user
passwordKey: admin-password
grafana.ini:
server:
root_url: http://observability/grafana/

1
infrastructure/addons/observability/kustomization.yaml
View File

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- grafana-admin-externalsecret.yaml
- traefik-tailscale-service.yaml
- grafana-ingress.yaml
- prometheus-ingress.yaml