From c43f6e8f708aeae09b778702a9e8233d1e315757 Mon Sep 17 00:00:00 2001
From: ansible
Date: Tue, 10 Mar 2026 18:29:23 +0800
Subject: [PATCH] Update k8s manifests

---
 k8s/apps/vaultwarden/helmrelease.yaml | 9 ++++++
 .../observability/kube-prometheus-stack.yaml | 13 +++++++++
 .../sops/grafana-oidc-secret.yaml | 28 +++++++++++++++++++
 k8s/infrastructure/sops/kustomization.yaml | 2 ++
 .../sops/vaultwarden-oidc-secret.yaml | 28 +++++++++++++++++++
 5 files changed, 80 insertions(+)
 create mode 100644 k8s/infrastructure/sops/grafana-oidc-secret.yaml
 create mode 100644 k8s/infrastructure/sops/vaultwarden-oidc-secret.yaml

diff --git a/k8s/apps/vaultwarden/helmrelease.yaml b/k8s/apps/vaultwarden/helmrelease.yaml
index e93ba02..2769c83 100644
--- a/k8s/apps/vaultwarden/helmrelease.yaml
+++ b/k8s/apps/vaultwarden/helmrelease.yaml
@@ -18,6 +18,15 @@ spec:
 type: postgresql
 existingSecret: vaultwarden-db-secret
 existingSecretKey: DATABASE_URL
+ sso:
+ enabled: true
+ authority: https://keycloak.n0ball.tw/realms/homelab
+ existingSecret: vaultwarden-oidc-secret
+ clientId:
+ existingSecretKey: SSO_CLIENT_ID
+ clientSecret:
+ existingSecretKey: SSO_CLIENT_SECRET
+ signupsMatchEmail: true
 ingress:
 enabled: true
 class: traefik
diff --git a/k8s/infrastructure/observability/kube-prometheus-stack.yaml b/k8s/infrastructure/observability/kube-prometheus-stack.yaml
index 6444447..a467ca1 100644
--- a/k8s/infrastructure/observability/kube-prometheus-stack.yaml
+++ b/k8s/infrastructure/observability/kube-prometheus-stack.yaml
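Review bot: `signupsMatchEmail: true` lets a Keycloak login attach itself to an existing Vaultwarden account purely on the e-mail address the IdP asserts, so the realm's e-mail-verification policy now decides who can bind to a local account, and nothing in the values records that dependency. I would put a comment above the key, `# SSO logins are linked to existing accounts by e-mail; relies on Keycloak asserting only verified e-mails for this client`. The new `sso:` block sits inside `spec.values`, which starts and ends outside the hunk, and the chart's `existingSecret` lookup presumably expects `vaultwarden-oidc-secret` in the release namespace (the Secret is created in `vaultwarden` later in this patch; the HelmRelease namespace is not visible here).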
@@ -44,6 +44,19 @@ spec:
 existingSecret: grafana-admin-secret
 userKey: admin-user
 passwordKey: admin-password
+ envFromSecret: grafana-oidc-secret
+ grafana.ini:
+ server:
+ root_url: https://grafana.n0ball.tw
+ auth.generic_oauth:
+ enabled: true
+ name: Keycloak
+ allow_sign_up: true
+ scopes: openid email profile
+ auth_url: https://keycloak.n0ball.tw/realms/homelab/protocol/openid-connect/auth
+ token_url: https://keycloak.n0ball.tw/realms/homelab/protocol/openid-connect/token
+ api_url: https://keycloak.n0ball.tw/realms/homelab/protocol/openid-connect/userinfo
+ role_attribute_path: "contains(realm_access.roles[*], 'admin') && 'Admin' || 'Viewer'"
 ingress:
 enabled: true
 ingressClassName: traefik
diff --git a/k8s/infrastructure/sops/grafana-oidc-secret.yaml b/k8s/infrastructure/sops/grafana-oidc-secret.yaml
new file mode 100644
index 0000000..74112c8
--- /dev/null
+++ b/k8s/infrastructure/sops/grafana-oidc-secret.yaml
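Review bot: `allow_sign_up: true` together with the `|| 'Viewer'` fallback in `role_attribute_path` gives every account in the homelab realm a Grafana Viewer login on first use, and nothing in the hunk narrows that to a group or role. If that is intended, say so above the key, `# every realm user may sign up as Viewer; the 'admin' realm role maps to Admin`; if not, make the JMESPath yield no role for non-members and add `role_attribute_strict: true` so those logins are refused, or restrict the client on the Keycloak side. Note also that `realm_access.roles` is carried in Keycloak's access token rather than in the `userinfo` response or (by default) the ID token, so the mapping depends on Grafana consulting the access token for this expression — worth confirming against the Grafana version the chart ships. The `grafana:` block these values land in starts and ends outside the hunk.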
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: grafana-oidc-secret
+ namespace: observability
+stringData:
+ GF_AUTH_GENERIC_OAUTH_CLIENT_ID: ENC[AES256_GCM,data:bhyVGB1e/A==,iv:R9XIDtOmeXU8rWOEP2RxmROI7YCqblfE5CW1ZQd3jlM=,tag:jaD3DbE9HrtsrU1WxEi/Eg==,type:str]
+ GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:g1y/QQbZxs4enuAghoH9GgGr+SVZgO65lVIjWyz0srw=,iv:DW8rxat3vPKdrE4q2yLOinFEXbCsslXGhsiSPxCgHlk=,tag:JCcwCCTBN1gZT1Mch8dhaQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1y5rw08wm2s2hemapzf43c0l4xass7fhc55qh3n4cxtuxzrj8q3cqtydy7m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2b0F1M01md3lSQ2FhVXRC
+ Y0QyMmQyMDNNbDlNOUVlT2VEZXh1U3lmUEFNCjJlWlVidDFaM3ZiM3BtZmRtbVZx
+ V3NuSEV6RTR2YlFYRmxnZ1hvMWNReEkKLS0tIE0zTFFhQ00zZWRKMVljKzRKellu
+ aU43UWhhTGZ1STFsS2dQR0lhR1c2UGsKRl5Ov3hML+6scbjxG+rBaL3Ipj2ps9em
+ 9f82eb5fYmcDhOSEgOzTnNbuCT8ZK/lIta5Ta4pgJ+yOCiTUWMvx7A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-10T10:25:23Z"
+ mac: ENC[AES256_GCM,data:rDA3B6jCnkAQw/AgT6vGu5w/3zDpQ8p5jwgCq68RvGsYWDaYPvQTCnDV7oFBVZ1HoU3HxxqkhinpHgX/cOy1BdeO6kAyU4ZXDTGBHBL6T5eeiRnIL82L9dZo9lY2LYdyy0CrB50UmeVv5xCJd8AMB6WKKrVXF3RlVQ/c34xprbM=,iv:aQNsNWZv7KsLmtUahjSEQOmP8Mv5ibIv8fPQoprd1JU=,tag:BxjJXQIVkt55MXCIQbAyeA==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.4
diff --git a/k8s/infrastructure/sops/kustomization.yaml b/k8s/infrastructure/sops/kustomization.yaml
index 33a1f18..bb91e2f 100644
--- a/k8s/infrastructure/sops/kustomization.yaml
+++ b/k8s/infrastructure/sops/kustomization.yaml
@@ -6,3 +6,5 @@ resources:
 - keycloak-secrets.yaml
 - openldap-admin-secret.yaml
 - vaultwarden-db-secret.yaml
+ - grafana-oidc-secret.yaml
+ - vaultwarden-oidc-secret.yaml
diff --git a/k8s/infrastructure/sops/vaultwarden-oidc-secret.yaml b/k8s/infrastructure/sops/vaultwarden-oidc-secret.yaml
new file mode 100644
index 0000000..330cc1a
--- /dev/null
+++ b/k8s/infrastructure/sops/vaultwarden-oidc-secret.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vaultwarden-oidc-secret
+ namespace: vaultwarden
+stringData:
+ SSO_CLIENT_ID: ENC[AES256_GCM,data:al29aDaBitn+d+8=,iv:eGkdS/9EF1x5ZU9jD7c/mbRDPHwnUzNC3QlafQkF3Vg=,tag:qBQ2RDpXMcVBxYyuk7VDVQ==,type:str]
+ SSO_CLIENT_SECRET: ENC[AES256_GCM,data:y2X1NMtDOF0Mx9O5/4HNXSvA4FJLLDICjGh/MtXJGpE=,iv:yOX+VEs9Prnw8c2QtiKlC7/xQof5rPwStA+oAWPGEo4=,tag:54gC2Y3gqNfmi9C0MO0gHg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1y5rw08wm2s2hemapzf43c0l4xass7fhc55qh3n4cxtuxzrj8q3cqtydy7m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlQTA5bVZXUXBMbml5VUJj
+ ZlhsM0RYL2trRUdZcHhickFKQjZhYThBT1FnCk1FQlpGeDlGRDdMaG43TFZ0ZlNM
+ QVltV0JmVVZkYk14Skx6b0MvNkowU0UKLS0tIFVFU1VaSnJTK01rVmNQOVZMdkFn
+ bVFsMVdtVDhyTEJFUmdLMEVnajlCZlkKMnkDbLjZ/iZUGFE0RKbfN3LvE13l552j
+ Knf31Bkb/HX1rm+qHxd3sCEvwHQqT/Q8sqKXucT6OEsqds2NeGXtWg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-10T10:26:41Z"
+ mac: ENC[AES256_GCM,data:b3Wr2mTjmlIES6FXyzz1zGZhg/Ps+D+lX+M9lyTUEcpQWYv0ym1GkqivbrV/mkJGeYS6nZVOpirf+mr/Kw5gilBhGCFCr9z/8lOm/cxdIUEByhNrHggwQl+Dk4CRPFshiTQ7dHrvVpcInkATsRL4ij9ORvlEYYw5rjjfoH32pks=,iv:Q33i5HXxk5uVVW9A8Hi9pL5B8s3yJX2jsrHOCHA5q8o=,tag:wOxFQKv1SXkFuL2zA2K33g==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.4