feat: adds external secrets and rbac to hompage

axeII · Apr 29, 2024 · 4fab3f5 · 4fab3f5
1 parent b35c163
commit 4fab3f5
Show file tree

Hide file tree

Showing 3 changed files with 155 additions and 0 deletions.
diff --git a/kubernetes/apps/default/homepage/app/externalsecret.yaml b/kubernetes/apps/default/homepage/app/externalsecret.yaml
@@ -0,0 +1,90 @@
+---
+# yaml-language-server: $schema=https://lds-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name homepage-secret
+spec:
+  secretStoreRef:
+    name: bitwarden-secrets-manager
+    kind: ClusterSecretStore
+  refreshInterval: 15m
+  target:
+    name: *name
+    template:
+      engineVersion: v2
+      data:
+        ## Non Cluster resources
+        # HOMEPAGE_VAR_CLOUDFLARED_ACCOUNTID: "{{ .CLOUDFLARE_ACCOUNT_TAG }}"
+        # HOMEPAGE_VAR_CLOUDFLARED_TUNNELID: "{{ .CLUSTER_CLOUDFLARE_TUNNEL_ID }}"
+        # HOMEPAGE_VAR_CLOUDFLARED_API_TOKEN: "{{ .CLOUDFLARE_API_KEY }}"
+        # HOMEPAGE_VAR_NEXTDNS_ID: "{{ .NEXTDNS_ID }}"
+        # HOMEPAGE_VAR_NEXTDNS_API: "{{ .NEXTDNS_API }}"
+        # HOMEPAGE_VAR_PORTAINER_TOKEN: "{{ .PORTAINER_TOKEN }}"
+        # HOMEPAGE_VAR_UNIFI_USERNAME: "{{ .HOMEPAGE_UNIFI_USER }}"
+        # HOMEPAGE_VAR_UNIFI_PASSWORD: "{{ .HOMEPAGE_UNIFI_PASS }}"
+        ## Default
+        # HOMEPAGE_VAR_HASS_TOKEN: "{{ .HASS_TOKEN }}"
+        ## Downloads
+        HOMEPAGE_VAR_BAZARR_TOKEN: "{{ .BAZARR_API_KEY }}"
+        HOMEPAGE_VAR_KAPOWARR_TOKEN: "{{ .KAPOWARR_API_KEY }}"
+        HOMEPAGE_VAR_MYLAR_TOKEN: "{{ .MYLAR_API_KEY }}"
+        HOMEPAGE_VAR_PROWLARR_TOKEN: "{{ .PROWLARR_API_KEY }}"
+        HOMEPAGE_VAR_RADARR_TOKEN: "{{ .RADARR_API_KEY }}"
+        HOMEPAGE_VAR_READARR_TOKEN: "{{ .READARR_API_KEY }}"
+        HOMEPAGE_VAR_SABNZBD_TOKEN: "{{ .SABNZBD_API_KEY }}"
+        HOMEPAGE_VAR_SONARR_TOKEN: "{{ .SONARR_API_KEY }}"
+        ## Media
+        HOMEPAGE_VAR_OVERSEERR_TOKEN: "{{ .OVERSEERR_API_KEY }}"
+        HOMEPAGE_VAR_PLEX_TOKEN: "{{ .PLEX_TOKEN }}"
+        HOMEPAGE_VAR_TAUTULLI_TOKEN: "{{ .TAUTULLI_API_KEY }}"
+        HOMEPAGE_VAR_KAVITA_USERNAME: "{{ .KAVITA_USERNAME }}"
+        HOMEPAGE_VAR_KAVITA_PASSWORD: "{{ .KAVITA_PASSWORD }}"
+        # HOMEPAGE_VAR_KOMGA_USERNAME: "{{ .HOMEPAGE_VAR_KOMGA_USERNAME }}"
+        # HOMEPAGE_VAR_KOMGA_PASSWORD: "{{ .HOMEPAGE_VAR_KOMGA_PASSWORD }}"
+        ## Observability
+        HOMEPAGE_VAR_GRAFANA_USERNAME: "{{ .GRAFANA_ADMIN_USER }}"
+        HOMEPAGE_VAR_GRAFANA_PASSWORD: "{{ .GRAFANA_ADMIN_PASS }}"
+        HOMEPAGE_VAR_HEALTHCHECK_TOKEN: "{{ .HOMEPAGE_VAR_HEALTHCHECK_TOKEN }}"
+        HOMEPAGE_VAR_HEALTHCHECK_UUID: "{{ .HOMEPAGE_VAR_HEALTHCHECK_UUID }}"
+        ## Security
+        # HOMEPAGE_VAR_AUTHENTIK_TOKEN: "{{ .AUTHENTIK_TOKEN }}"
+  dataFrom:
+  - extract:
+      key: bazarr
+  # - extract:
+  #     key: cloudflare
+  - extract:
+      key: grafana
+  # - extract:
+  #     key: healthcheck
+  # - extract:
+  #     key: home-assistant
+  - extract:
+      key: kapowarr
+  - extract:
+      key: kavita
+  - extract:
+      key: komga
+  - extract:
+      key: nextdns
+  - extract:
+      key: overseerr
+  - extract:
+      key: plex
+  # - extract:
+  #     key: portainer
+  - extract:
+      key: prowlarr
+  - extract:
+      key: radarr
+  - extract:
+      key: readarr
+  - extract:
+      key: sabnzbd
+  - extract:
+      key: sonarr
+  - extract:
+      key: tautulli
+  - extract:
+      key: unifi
diff --git a/kubernetes/apps/default/homepage/app/kustomization.yaml b/kubernetes/apps/default/homepage/app/kustomization.yaml
@@ -3,3 +3,5 @@ kind: Kustomization
 resources:
   - ./helmrelease.yaml
   - ./config.yaml
+  - ./rbac.yaml
+  - ./externalsecret.yaml
diff --git a/kubernetes/apps/default/homepage/app/rbac.yaml b/kubernetes/apps/default/homepage/app/rbac.yaml
@@ -0,0 +1,63 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: &app homepage
+  labels:
+    app.kubernetes.io/instance: *app
+    app.kubernetes.io/name: *app
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+      - pods
+      - nodes
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - traefik.containo.us
+    resources:
+      - ingressroutes
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - metrics.k8s.io
+    resources:
+      - nodes
+      - pods
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions/status
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: &app homepage
+  labels:
+    app.kubernetes.io/instance: *app
+    app.kubernetes.io/name: *app
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: *app
+subjects:
+  - kind: ServiceAccount
+    name: *app
+    namespace: default # keep