Migrate secret to sealedSecret #3

This commit is contained in:
Danny Bessems 2022-01-09 21:12:30 +01:00
parent 287460bd30
commit 8a796571ad
4 changed files with 58 additions and 36 deletions

View File

@ -1,6 +1,8 @@
*TODO: Files with sensitive data; move to Vault*
*TODO: Files with sensitive data; migrate to SealedSecret*
```
# line 6-8: services/Guacamole/configMap_Guacamole.yml
# line ??: services/TfState/deploy-TfState.yml
# line ??: services/Mastodon/deploy-Mastodon.yml
# line ??: services/PVR/deploy-SpotWeb.yml
```
# Kubernetes.K3s.installLog
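Review bot: the first TODO entry (`# line 6-8: services/Guacamole/configMap_Guacamole.yml`) is stale after this commit: the ConfigMap holding the Guacamole MySQL credentials is deleted further down in the same change and replaced by the SealedSecret, so that entry should be dropped from the list rather than carried over under the new heading. The path is also spelled with an underscore here while the install log applies `services/Guacamole/configMap-Guacamole.yml` with a hyphen; whichever entries remain should use the real file names so the TODO can be grepped against the tree.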
@ -179,24 +181,29 @@ kubectl apply -f services/Adminer/sealedSecret-Adminer.yml
kubectl apply -f services/Bitwarden/deploy-Bitwarden.yml
kubectl apply -f services/Bitwarden/sealedSecret-Bitwarden.yml
```
##### 4.3) [DroneCI](https://drone.io/) <small>(contineous delivery)</small>
##### 4.3) [DDclient](https://github.com/linuxserver/docker-ddclient) <small>(dynamic dns)</small>
```shell
kubectl apply -f services/DDclient/deploy-DDclient.yml
kubectl apply -f services/DDclient/sealedSecret-DDclient.yml
```
##### 4.4) [DroneCI](https://drone.io/) <small>(contineous delivery)</small>
```shell
kubectl apply -f services/DroneCI/deploy-DroneCI.yml
kubectl apply -f services/DroneCI/sealedSecret-DroneCI.yml
```
##### 4.4) [Gitea](https://gitea.io/) <small>(git repository)</small>
##### 4.5) [Gitea](https://gitea.io/) <small>(git repository)</small>
```shell
kubectl apply -f services/Gitea/deploy-Gitea.yml
```
##### 4.5) [Gotify](https://gotify.net/) <small>(notifications)</small>
##### 4.6) [Gotify](https://gotify.net/) <small>(notifications)</small>
```shell
kubectl apply -f services/Gotify/deploy-Gotify.yml
```
##### 4.6) [Guacamole](https://guacamole.apache.org/doc/gug/guacamole-docker.html) <small>(remote desktop gateway)</small>
##### 4.7) [Guacamole](https://guacamole.apache.org/doc/gug/guacamole-docker.html) <small>(remote desktop gateway)</small>
*Requires specifying a `uid` & `gid` in both the `securityContext` of the MySQL container and the `persistentVolume`*
```shell
kubectl apply -f services/Guacamole/configMap-Guacamole.yml
kubectl apply -f services/Guacamole/deploy-Guacamole.yml
kubectl apply -f services/Guacamole/sealedSecret-Guacamole.yml
```
Wait for the included containers to start, then perform the following commands to initialize the database:
```shell
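Review bot: step 4.7 still runs `kubectl apply -f services/Guacamole/configMap-Guacamole.yml` even though this commit deletes that ConfigMap file, so following the install log as written will fail at that line; remove it and keep only the deployment and `sealedSecret-Guacamole.yml` applies. Minor: both the old and the renumbered DroneCI headings read "contineous delivery" (should be "continuous").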
@ -205,29 +212,25 @@ kubectl exec -i guacamole-<pod-id> --container mysql -- mysql -uguacamole -pguac
kubectl rollout restart deployment guacamole
```
##### 4.7) [Lighttpd](https://www.lighttpd.net/) <small>(webserver)</small>
##### 4.8) [Lighttpd](https://www.lighttpd.net/) <small>(webserver)</small>
*Serves various semi-containerized websites; respective webcontent is stored on fileshare*
```shell
kubectl apply -f services/Lighttpd/configMap-Lighttpd.yml
kubectl apply -f services/Lighttpd/deploy-Lighttpd.yml
kubectl apply -f services/Lighttpd/cronJob-Spotweb.yml
```
##### 4.8) PVR `namespace` <small>(automated media management)</small>
##### 4.9) PVR `namespace` <small>(automated media management)</small>
*Containers use shared resources to be able to interact with downloaded files*
```shell
kubectl create secret generic --type=mount/smb smb-secret --from-literal=username=<<omitted>> --from-literal=password=<<omitted>> -n pvr
kubectl apply -f services/PVR/persistentVolumeClaim-PVR.yml
kubectl apply -f services/PVR/storageClass-PVR.yml
```
###### 4.8.1) [NZBHydra](https://github.com/theotherp/nzbhydra2) <small>(index aggregator)</small>
```shell
kubectl apply -f services/PVR/deploy-NZBHydra.yml
```
###### 4.8.2) [Overseerr](https://overseerr.dev/) <small>(request management)</small>
###### 4.9.1) [Overseerr](https://overseerr.dev/) <small>(request management)</small>
```shell
kubectl apply -f services/PVR/deploy-Overseerr.yml
```
###### 4.8.3) [Plex](https://www.plex.tv/) <small>(media library)</small>
###### 4.9.2) [Plex](https://www.plex.tv/) <small>(media library)</small>
*Due to usage of symlinks, partially incompatible with SMB-share-backed storage*
```shell
kubectl apply -f services/PVR/deploy-Plex.yml
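Review bot: the database-initialisation command in this hunk's context line passes the MySQL password inline (`mysql -uguacamole -pguac…`), which lands in shell history and is visible in the process list while it runs; now that the credential lives in `secret-guacamole`, have the init step read it from the Secret (for example via `kubectl get secret secret-guacamole -o jsonpath=...` into a variable, or by using the `MYSQL_PASSWORD` environment variable already present inside the container) instead of hard-coding it in the log. Separately, the PVR namespace is still bootstrapped with `kubectl create secret generic ... --from-literal=password=<<omitted>> -n pvr`, an imperative Secret that the SealedSecret migration does not cover; it belongs on the TODO list at the top of this file.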
@ -237,31 +240,31 @@ After deploying, Plex server needs to be *claimed* (=assigned to Plex-account):
kubectl get endpoints Plex -n PVR
```
Browse to the respective IP address (http://<nodeipaddress>:32400/web) and follow instructions.
###### 4.8.4) [Radarr](https://radarr.video/) <small>(movie management)</small>
###### 4.9.3) [Prowlarr](https://github.com/Prowlarr/Prowlarr) <small>(indexer management)</small>
```shell
kubectl apply -f services/PVR/deploy-Prowlarr.yml
```
###### 4.9.4) [Radarr](https://radarr.video/) <small>(movie management)</small>
```shell
kubectl apply -f services/PVR/deploy-Radarr.yml
```
###### 4.8.5) [Readarr](https://readarr.com/) <small>(book management)</small>
###### 4.9.5) [Readarr](https://readarr.com/) <small>(book management)</small>
```shell
kubectl apply -f services/PVR/deploy-Readarr.yml
```
###### 4.8.6) [SABnzbd](https://sabnzbd.org/) <small>(download client)</small>
###### 4.9.6) [SABnzbd](https://sabnzbd.org/) <small>(download client)</small>
```shell
kubectl apply -f services/PVR/deploy-SABnzbd.yml
```
###### 4.8.7) [Sonarr](https://sonarr.tv/) <small>(tv management)</small>
###### 4.9.7) [Sonarr](https://sonarr.tv/) <small>(tv management)</small>
```shell
kubectl apply -f services/PVR/deploy-Sonarr.yml
```
##### 4.9) [Shaarli](https://github.com/shaarli/Shaarli) <small>(bookmarks/notes)</small>
##### 4.10) [Shaarli](https://github.com/shaarli/Shaarli) <small>(bookmarks/notes)</small>
```shell
kubectl apply -f services/Shaarli/deploy-Shaarli.yml
```
##### 4.10) [Theia](https://theia-ide.org/) <small>(web IDE)</small>
```shell
kubectl apply -f services/Theia/deploy-Theia.yml
```
##### 4.11) [Traefik-Certs-Dumper](https://github.com/ldez/traefik-certs-dumper) <small>(certificate tooling)</small>
```shell
kubectl apply -f services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml
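Review bot: `kubectl get endpoints Plex -n PVR` in the Plex section uses upper-case names, while the namespace is created as `pvr` earlier in the same file; Kubernetes namespace and Service names are lower-case DNS labels, so this command will not find the object as written and should read `kubectl get endpoints plex -n pvr` (or whatever the Service in `deploy-Plex.yml` is actually called). The new Prowlarr subsection is consistent with the 4.9.x renumbering, but the NZBHydra block removed here is not reflected in the TODO list or elsewhere in the log, so confirm no remaining step still depends on it.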

View File

@ -1,8 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: configmap-guacamole-mysql-conf
data:
MYSQL_DATABASE: 'guacamole'
MYSQL_PASSWORD: 'guacamole'
MYSQL_USER: 'guacamole'
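Review bot: deleting this ConfigMap does not remove `MYSQL_PASSWORD: 'guacamole'` from the repository history, so the credential should be treated as disclosed and rotated, not just re-encrypted; sealing the same value in the new SealedSecret only hides it going forward. While rotating, pick a password that is not identical to the user and database name, and update the matching `-p` argument in the install log's database-initialisation step.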

View File

@ -44,8 +44,8 @@ spec:
- name: GUACAMOLE_HOME
value: '/etc/guacamole'
envFrom:
- configMapRef:
name: configmap-guacamole-mysql-conf
- secretRef:
name: secret-guacamole
volumeMounts:
- name: flexvolsmb-guacamole-home
mountPath: /etc/guacamole
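Review bot: `secretRef` under `envFrom` is required by default, so if `secret-guacamole` has not yet been unsealed by the controller when this pod is scheduled, the container will sit in `CreateContainerConfigError` until the Secret appears; the install log applies `deploy-Guacamole.yml` before `sealedSecret-Guacamole.yml`, so either swap the order of those two applies or add `optional: true` here if the deployment is expected to start without it (the former is the safer choice, since the app cannot run without its database credentials).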
@ -69,8 +69,8 @@ spec:
- name: MYSQL_RANDOM_ROOT_PASSWORD
value: 'true'
envFrom:
- configMapRef:
name: configmap-guacamole-mysql-conf
- secretRef:
name: secret-guacamole
volumeMounts:
- name: flexvolsmb-guacamole-db
mountPath: /var/lib/mysql
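Review bot: for the MySQL container the `MYSQL_USER`/`MYSQL_PASSWORD` variables are only consumed when `/var/lib/mysql` is initialised for the first time; this deployment mounts an existing data volume (`flexvolsmb-guacamole-db`), so changing the value inside the Secret later will not change the credential the database actually enforces. If the password is rotated as part of this migration, the DB user has to be updated inside MySQL as well (or the data directory re-initialised), otherwise the Guacamole container will read the new value from the Secret while MySQL still expects the old one.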

View File

@ -0,0 +1,27 @@
{
"kind": "SealedSecret",
"apiVersion": "bitnami.com/v1alpha1",
"metadata": {
"name": "secret-guacamole",
"namespace": "default",
"creationTimestamp": null
},
"spec": {
"template": {
"metadata": {
"name": "secret-guacamole",
"namespace": "default",
"creationTimestamp": null,
"labels": {
"app": "guacamole"
}
},
"data": null
},
"encryptedData": {
"MYSQL_DATABASE": "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",
"MYSQL_PASSWORD": "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",
"MYSQL_USER": "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"
}
}
}
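Review bot: the sealed values are bound to `metadata.name: secret-guacamole` in namespace `default` (the default strict scope of kubeseal), so the Deployment must stay in that namespace and the Secret must keep that name, or the controller will refuse to unseal it; worth a one-line comment in the install log next to the apply step. The encrypted values themselves are not visible in this view, so their correctness cannot be checked here. Style point: this file is JSON while every other manifest in the repository is YAML and the install log references it as `sealedSecret-Guacamole.yml`; `kubectl apply` accepts either format regardless of extension, but regenerating with `kubeseal -o yaml` would keep the repository consistent.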