DeveloperDurp/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
DeveloperDurp
2025-01-24 05:06:33 -06:00
parent c5077c097d
commit 9276abe7cc
2 changed files with 38 additions and 443 deletions
Download Patch File Download Diff File Expand all files Collapse all files

467
infra/external-secrets/values.yaml
View File

@@ -1,463 +1,44 @@
external-secrets: external-secrets:
replicaCount: 3 replicaCount: 3
revisionHistoryLimit: 1
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
image: image:
repository: ghcr.io/external-secrets/external-secrets repository: ghcr.io/external-secrets/external-secrets
pullPolicy: Always pullPolicy: Always
# -- The image tag to use. The default is the chart appVersion.
# There are different image flavours available, like distroless and ubi.
# Please see GitHub release notes for image tags for these flavors.
# By default the distroless image is used.
tag: ""
# -- If set, install and upgrade CRDs through helm chart. resources:
installCRDs: true requests:
memory: 32Mi
crds: cpu: 10m
# -- If true, create CRDs for Cluster External Secret. limits:
createClusterExternalSecret: true memory: 32Mi
# -- If true, create CRDs for Cluster Secret Store. cpu: 10m
createClusterSecretStore: true
# -- If true, create CRDs for Push Secret.
createPushSecret: true
annotations: {}
conversion:
enabled: true
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# -- If true, external-secrets will perform leader election between instances to ensure no more
# than one instance of external-secrets operates at a time.
leaderElect: true
# -- If set external secrets will filter matching
# Secret Stores with the appropriate controller values.
controllerClass: ""
# -- If true external secrets will use recommended kubernetes
# annotations as prometheus metric labels.
extendedMetricLabels: false
# -- If set external secrets are only reconciled in the
# provided namespace
scopedNamespace: ""
# -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace
# and implicitly disable cluster stores and cluster external secrets
scopedRBAC: false
# -- if true, the operator will process cluster external secret. Else, it will ignore them.
processClusterExternalSecret: true
# -- if true, the operator will process cluster store. Else, it will ignore them.
processClusterStore: true
# -- Specifies whether an external secret operator deployment be created.
createOperator: true
# -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
# a time.
concurrent: 1
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
# -- Automounts the service account token in all containers of the pod
automount: true
# -- Annotations to add to the service account.
annotations: {}
# -- Extra Labels to add to the service account.
extraLabels: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
rbac:
# -- Specifies whether role and rolebinding resources should be created.
create: true
## -- Extra environment variables to add to container.
extraEnv: []
## -- Map of extra arguments to pass to container.
extraArgs: {}
## -- Extra volumes to pass to pod.
extraVolumes: []
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
## -- Extra containers to add to the pod.
extraContainers: []
# -- Annotations to add to Deployment
deploymentAnnotations: {}
# -- Annotations to add to Pod
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
prometheus:
# -- deprecated. will be removed with 0.7.0, use serviceMonitor instead.
enabled: false
service:
# -- deprecated. will be removed with 0.7.0, use serviceMonitor instead.
port: 8080
serviceMonitor:
# -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
enabled: false
# -- namespace where you want to install ServiceMonitors
namespace: ""
# -- Additional labels
additionalLabels: {}
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
# -- Let prometheus add an exported_ prefix to conflicting labels
honorLabels: false
# -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
metricRelabelings: []
# - action: replace
# regex: (.*)
# replacement: $1
# sourceLabels:
# - exported_namespace
# targetLabel: namespace
# -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# targetLabel: nodename
# replacement: $1
# action: replace
metrics:
service:
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
enabled: false
# -- Metrics service port to scrape
port: 8080
# -- Additional service annotations
annotations: {}
nodeSelector: {}
tolerations: []
topologySpreadConstraints: []
affinity: {}
# -- Pod priority class name.
priorityClassName: ""
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
# -- Run the controller on the host network
hostNetwork: false
webhook: webhook:
# -- Specifies whether a webhook deployment be created.
create: true
# -- Specifices the time to check if the cert is valid
certCheckInterval: "5m"
# -- Specifices the lookaheadInterval for certificate validity
lookaheadInterval: ""
replicaCount: 1
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
certDir: /tmp/certs
# -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
failurePolicy: Fail
# -- Specifies if webhook pod should use hostNetwork or not.
hostNetwork: false
image: image:
repository: ghcr.io/external-secrets/external-secrets repository: ghcr.io/external-secrets/external-secrets
pullPolicy: IfNotPresent pullPolicy: Always
# -- The image tag to use. The default is the chart appVersion.
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# -- The port the webhook will listen to
port: 10250
rbac:
# -- Specifies whether role and rolebinding resources should be created.
create: true
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
# -- Automounts the service account token in all containers of the pod
automount: true
# -- Annotations to add to the service account.
annotations: {}
# -- Extra Labels to add to the service account.
extraLabels: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
nodeSelector: {}
tolerations: [] resources:
requests:
topologySpreadConstraints: [] memory: 32Mi
cpu: 10m
affinity: {} limits:
memory: 32Mi
# -- Pod priority class name. cpu: 10m
priorityClassName: ""
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
prometheus:
# -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
enabled: false
service:
# -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
port: 8080
serviceMonitor:
# -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
enabled: false
# -- Additional labels
additionalLabels: {}
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
metrics:
service:
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
enabled: false
# -- Metrics service port to scrape
port: 8080
# -- Additional service annotations
annotations: {}
readinessProbe:
# -- Address for readiness probe
address: ""
# -- ReadinessProbe port for kubelet
port: 8081
## -- Extra environment variables to add to container.
extraEnv: []
## -- Map of extra arguments to pass to container.
extraArgs: {}
## -- Extra volumes to pass to pod.
extraVolumes: []
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
# -- Annotations to add to Secret
secretAnnotations: {}
# -- Annotations to add to Deployment
deploymentAnnotations: {}
# -- Annotations to add to Pod
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
certController: certController:
# -- Specifies whether a certificate controller deployment be created. revisionHistoryLimit: 1
create: true
requeueInterval: "5m"
replicaCount: 1
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
image: image:
repository: ghcr.io/external-secrets/external-secrets repository: ghcr.io/external-secrets/external-secrets
pullPolicy: Always pullPolicy: Always
tag: "" tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
rbac:
# -- Specifies whether role and rolebinding resources should be created.
create: true
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
# -- Automounts the service account token in all containers of the pod
automount: true
# -- Annotations to add to the service account.
annotations: {}
# -- Extra Labels to add to the service account.
extraLabels: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
nodeSelector: {}
tolerations: [] resources:
requests:
topologySpreadConstraints: [] memory: 32Mi
cpu: 10m
affinity: {} limits:
memory: 32Mi
# -- Run the certController on the host network cpu: 10m
hostNetwork: false
# -- Pod priority class name.
priorityClassName: ""
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
prometheus:
# -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
enabled: false
service:
# -- deprecated. will be removed with 0.7.0, use serviceMonitor instead
port: 8080
serviceMonitor:
# -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
enabled: false
# -- Additional labels
additionalLabels: {}
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
metrics:
service:
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
enabled: false
# -- Metrics service port to scrape
port: 8080
# -- Additional service annotations
annotations: {}
## -- Extra environment variables to add to container.
extraEnv: []
## -- Map of extra arguments to pass to container.
extraArgs: {}
## -- Extra volumes to pass to pod.
extraVolumes: []
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
# -- Annotations to add to Deployment
deploymentAnnotations: {}
# -- Annotations to add to Pod
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
# -- Specifies `dnsOptions` to deployment
dnsConfig: {}

14
infra/vault/templates/secret-store.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault
spec:
provider:
vault:
server: "https://vault.vault.svc.cluster.local:8200"
path: "secrets"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "external-secrets"