diff --git a/stacks/actualbudget/main.tf b/stacks/actualbudget/main.tf index db6c5bff..552f52a5 100644 --- a/stacks/actualbudget/main.tf +++ b/stacks/actualbudget/main.tf @@ -4,13 +4,43 @@ variable "tls_secret_name" { } variable "nfs_server" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "actualbudget" +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "actualbudget-secrets" + namespace = "actualbudget" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "actualbudget-secrets" + } + dataFrom = [{ + extract = { + key = "actualbudget" + } + }] + } + } + depends_on = [kubernetes_namespace.actualbudget] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "actualbudget-secrets" + namespace = kubernetes_namespace.actualbudget.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] } locals { - credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["credentials"]) + credentials = jsondecode(data.kubernetes_secret.eso_secrets.data["credentials"]) } diff --git a/stacks/affine/main.tf b/stacks/affine/main.tf index 5b464e30..29b622cd 100644 --- a/stacks/affine/main.tf +++ b/stacks/affine/main.tf 
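Review bot: `data "kubernetes_secret" "eso_secrets"` reads the target Secret as soon as `kubernetes_manifest.external_secret` has been created, but creating the ExternalSecret object does not mean ESO has synced `actualbudget-secrets` yet, so a first apply can fail with the Secret not found; a `wait` block on the manifest that blocks on the `Ready` condition closes that window. The manifest also hard-codes `namespace = "actualbudget"` while the data source uses `kubernetes_namespace.actualbudget.metadata[0].name`; using the reference in both keeps them from diverging and makes the `depends_on` on the namespace redundant. Be aware that reading the Secret back through a data source keeps every key's value in Terraform state and plan output, so this change relocates the Vault read but does not take secret material out of state. The same resource pair appears in affine, audiobookshelf, calibre, changedetection, coturn, freedify, freshrss, grampsweb, navidrome, ollama, owntracks, real-estate-crawler and servarr, and the same fix applies to each.
```hcl
resource "kubernetes_manifest" "external_secret" {
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "actualbudget-secrets"
      namespace = kubernetes_namespace.actualbudget.metadata[0].name
    }
    # … unchanged: spec …
  }

  # Do not return until ESO has written the target Secret, so the
  # kubernetes_secret data source below can read it on the first apply.
  wait {
    condition {
      type   = "Ready"
      status = "True"
    }
  }
}
```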
@@ -4,13 +4,43 @@ variable "tls_secret_name" { } variable "nfs_server" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "affine" +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "affine-secrets" + namespace = "affine" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "affine-secrets" + } + dataFrom = [{ + extract = { + key = "affine" + } + }] + } + } + depends_on = [kubernetes_namespace.affine] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "affine-secrets" + namespace = kubernetes_namespace.affine.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] } locals { - mailserver_accounts = jsondecode(data.vault_kv_secret_v2.secrets.data["mailserver_accounts"]) + mailserver_accounts = jsondecode(data.kubernetes_secret.eso_secrets.data["mailserver_accounts"]) } variable "redis_host" { type = string } variable "postgresql_host" { type = string } @@ -36,7 +66,7 @@ locals { common_env = [ { name = "DATABASE_URL" - value = "postgresql://affine:${data.vault_kv_secret_v2.secrets.data["db_password"]}@${var.postgresql_host}:5432/affine" + value = "postgresql://affine:${data.kubernetes_secret.eso_secrets.data["db_password"]}@${var.postgresql_host}:5432/affine" }, { name = "REDIS_SERVER_HOST" @@ -99,6 +129,9 @@ resource "kubernetes_deployment" "affine" { app = "affine" tier = local.tiers.aux } + annotations = { + "reloader.stakater.com/auto" = "true" + } } spec { replicas = 1 diff --git a/stacks/audiobookshelf/main.tf b/stacks/audiobookshelf/main.tf index 8035c623..5b3466ca 100644 --- a/stacks/audiobookshelf/main.tf +++ b/stacks/audiobookshelf/main.tf 
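Review bot: `DATABASE_URL` in the `common_env` hunk still interpolates `db_password` into a plain `value`, so the password ends up verbatim in the Deployment object, in Terraform state and in plan diffs, exactly as before the migration; the new `reloader.stakater.com/auto` annotation on `kubernetes_deployment.affine` cannot pick up a rotation of it either, because nothing in the pod spec references `affine-secrets` and the literal only changes on the next `terraform apply`. One way to close both gaps is to let the ExternalSecret render the whole URL into the target Secret via `spec.target.template.data` (the Go template can use `{{ .db_password }}` and Terraform can still interpolate `var.postgresql_host` into the template string) and to point the container at it with a `secret_key_ref` instead of a literal; how `common_env` is expanded into `env` blocks is outside this hunk, so the exact shape of that change depends on that code. Once no Terraform-side consumer of the password remains, the `data "kubernetes_secret"` read can shrink to the keys `locals` actually decodes. The same literal interpolation survives in coturn (`static-auth-secret` in `kubernetes_config_map.coturn_config`) and in the three `DB_CONNECTION_STRING` values of real-estate-crawler.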
@@ -3,16 +3,6 @@ variable "tls_secret_name" { sensitive = true } variable "nfs_server" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "audiobookshelf" -} - -locals { - homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"]) -} - - resource "kubernetes_namespace" "audiobookshelf" { metadata { name = "audiobookshelf" @@ -23,6 +13,45 @@ resource "kubernetes_namespace" "audiobookshelf" { } } +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "audiobookshelf-secrets" + namespace = "audiobookshelf" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "audiobookshelf-secrets" + } + dataFrom = [{ + extract = { + key = "audiobookshelf" + } + }] + } + } + depends_on = [kubernetes_namespace.audiobookshelf] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "audiobookshelf-secrets" + namespace = kubernetes_namespace.audiobookshelf.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] +} + +locals { + homepage_credentials = jsondecode(data.kubernetes_secret.eso_secrets.data["homepage_credentials"]) +} + module "tls_secret" { source = "../../modules/kubernetes/setup_tls_secret" namespace = kubernetes_namespace.audiobookshelf.metadata[0].name diff --git a/stacks/calibre/main.tf b/stacks/calibre/main.tf index 739fef17..d999e97e 100644 --- a/stacks/calibre/main.tf +++ b/stacks/calibre/main.tf @@ -4,16 +4,6 @@ variable "tls_secret_name" { } variable "nfs_server" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "calibre" -} - -locals { - homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"]) -} - - resource "kubernetes_namespace" "calibre" { metadata { name = "calibre" 
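Review bot: `dataFrom = [{ extract = { key = "audiobookshelf" } }]` copies every field stored under the Vault path into `audiobookshelf-secrets`, although the only consumer in this stack is the `homepage_credentials` local, so any key later added to that Vault entry becomes readable by everything that can read Secrets in the namespace. Listing the required fields under `data` with `secretKey` and `remoteRef.key`/`remoteRef.property` keeps the Kubernetes Secret to what the workload needs; the fence shows that for this stack. The `key` also assumes the `vault-kv` ClusterSecretStore is configured with the same mount the removed `data "vault_kv_secret_v2"` used (`mount = "secret"`); that store is not in this diff, so confirm its `path` before merging. The same `dataFrom` block is used in every other stack of this commit, and in novelapp and ytdlp the explicit list would have to include the keys referenced from `secret_key_ref` (`auth_secret`, `openrouter_api_key`, `slack_bot_token`).
```hcl
      # … unchanged: refreshInterval, secretStoreRef, target …
      # Only materialise the field this stack consumes; dataFrom.extract would
      # copy every field under the Vault path into the namespace.
      data = [{
        secretKey = "homepage_credentials"
        remoteRef = {
          key      = "audiobookshelf"
          property = "homepage_credentials"
        }
      }]
```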
@@ -26,6 +16,45 @@ resource "kubernetes_namespace" "calibre" { } } +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "calibre-secrets" + namespace = "calibre" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "calibre-secrets" + } + dataFrom = [{ + extract = { + key = "calibre" + } + }] + } + } + depends_on = [kubernetes_namespace.calibre] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "calibre-secrets" + namespace = kubernetes_namespace.calibre.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] +} + +locals { + homepage_credentials = jsondecode(data.kubernetes_secret.eso_secrets.data["homepage_credentials"]) +} + module "tls_secret" { source = "../../modules/kubernetes/setup_tls_secret" namespace = kubernetes_namespace.calibre.metadata[0].name diff --git a/stacks/changedetection/main.tf b/stacks/changedetection/main.tf index 32e309a0..517b01ed 100644 --- a/stacks/changedetection/main.tf +++ b/stacks/changedetection/main.tf @@ -3,16 +3,6 @@ variable "tls_secret_name" { sensitive = true } variable "nfs_server" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "changedetection" -} - -locals { - homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"]) -} - - resource "kubernetes_namespace" "changedetection" { metadata { name = "changedetection" 
@@ -23,6 +13,45 @@ resource "kubernetes_namespace" "changedetection" { } } +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "changedetection-secrets" + namespace = "changedetection" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "changedetection-secrets" + } + dataFrom = [{ + extract = { + key = "changedetection" + } + }] + } + } + depends_on = [kubernetes_namespace.changedetection] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "changedetection-secrets" + namespace = kubernetes_namespace.changedetection.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] +} + +locals { + homepage_credentials = jsondecode(data.kubernetes_secret.eso_secrets.data["homepage_credentials"]) +} + module "tls_secret" { source = "../../modules/kubernetes/setup_tls_secret" namespace = kubernetes_namespace.changedetection.metadata[0].name diff --git a/stacks/coturn/main.tf b/stacks/coturn/main.tf index 4b31de2a..17b5ac5d 100644 --- a/stacks/coturn/main.tf +++ b/stacks/coturn/main.tf 
@@ -4,9 +4,39 @@ variable "tls_secret_name" { } variable "public_ip" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "coturn" +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "coturn-secrets" + namespace = "coturn" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "coturn-secrets" + } + dataFrom = [{ + extract = { + key = "coturn" + } + }] + } + } + depends_on = [kubernetes_namespace.coturn] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "coturn-secrets" + namespace = kubernetes_namespace.coturn.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] } locals { @@ -45,7 +75,7 @@ resource "kubernetes_config_map" "coturn_config" { fingerprint lt-cred-mech use-auth-secret - static-auth-secret=${data.vault_kv_secret_v2.secrets.data["turn_secret"]} + static-auth-secret=${data.kubernetes_secret.eso_secrets.data["turn_secret"]} realm=${local.turn_realm} server-name=turn.${local.turn_realm} @@ -84,6 +114,9 @@ resource "kubernetes_deployment" "coturn" { app = "coturn" tier = local.tiers.edge } + annotations = { + "reloader.stakater.com/auto" = "true" + } } spec { diff --git a/stacks/freedify/main.tf b/stacks/freedify/main.tf index 7ce7e4f0..8ef62914 100644 --- a/stacks/freedify/main.tf +++ b/stacks/freedify/main.tf 
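Review bot: the `static-auth-secret=${data.kubernetes_secret.eso_secrets.data["turn_secret"]}` line writes the TURN shared secret into `kubernetes_config_map.coturn_config`, a ConfigMap, which RBAC, backup tooling and audit policy do not treat as a Secret, and it is also kept in Terraform state together with the rest of the rendered config. Since the value is now already present in `coturn-secrets`, the ExternalSecret can render the whole `turnserver.conf` into that Secret through `spec.target.template.data` (the realm and server-name values are Terraform locals and can be interpolated into the template string as literals), and the Deployment can mount the Secret in place of the ConfigMap; the `reloader.stakater.com/auto` annotation added in the third hunk would then restart coturn on rotation, which it cannot do today because the ConfigMap only changes on `terraform apply`. If the ConfigMap is kept, at least move the secret-bearing line into a `kubernetes_secret` so the exposure matches the data class. The volume and mount definitions for the config are outside these hunks.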
@@ -2,13 +2,43 @@ variable "tls_secret_name" { type = string sensitive = true } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "freedify" +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "freedify-secrets" + namespace = "freedify" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "freedify-secrets" + } + dataFrom = [{ + extract = { + key = "freedify" + } + }] + } + } + depends_on = [kubernetes_namespace.freedify] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "freedify-secrets" + namespace = kubernetes_namespace.freedify.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] } locals { - credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["credentials"]) + credentials = jsondecode(data.kubernetes_secret.eso_secrets.data["credentials"]) } diff --git a/stacks/freshrss/main.tf b/stacks/freshrss/main.tf index e988f6d8..f800e58a 100644 --- a/stacks/freshrss/main.tf +++ b/stacks/freshrss/main.tf @@ -3,22 +3,6 @@ variable "tls_secret_name" { sensitive = true } variable "nfs_server" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "freshrss" -} - -locals { - homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"]) -} - - -module "tls_secret" { - source = "../../modules/kubernetes/setup_tls_secret" - namespace = "freshrss" - tls_secret_name = var.tls_secret_name -} - resource "kubernetes_namespace" "immich" { metadata { name = "freshrss" 
@@ -28,6 +12,51 @@ resource "kubernetes_namespace" "immich" { } } +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "freshrss-secrets" + namespace = "freshrss" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "freshrss-secrets" + } + dataFrom = [{ + extract = { + key = "freshrss" + } + }] + } + } + depends_on = [kubernetes_namespace.immich] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "freshrss-secrets" + namespace = kubernetes_namespace.immich.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] +} + +locals { + homepage_credentials = jsondecode(data.kubernetes_secret.eso_secrets.data["homepage_credentials"]) +} + +module "tls_secret" { + source = "../../modules/kubernetes/setup_tls_secret" + namespace = "freshrss" + tls_secret_name = var.tls_secret_name +} + module "nfs_data" { source = "../../modules/kubernetes/nfs_volume" name = "freshrss-data" diff --git a/stacks/grampsweb/main.tf b/stacks/grampsweb/main.tf index 6ecf3163..013516e0 100644 --- a/stacks/grampsweb/main.tf +++ b/stacks/grampsweb/main.tf 
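Review bot: the new `depends_on = [kubernetes_namespace.immich]` and `namespace = kubernetes_namespace.immich.metadata[0].name` lines extend the use of a namespace resource whose address says `immich` while it creates the `freshrss` namespace, which is the kind of mismatch that is easy to misread when this file is copied for the next stack. Since the resource is being touched anyway, renaming it to `kubernetes_namespace.freshrss` is cheap if the Terraform version in use supports `moved` blocks (a `moved` block with `from = kubernetes_namespace.immich` and `to = kubernetes_namespace.freshrss` keeps the existing object in state without recreating the namespace). The re-added `module "tls_secret"` also passes the literal `namespace = "freshrss"`, whereas audiobookshelf, calibre, changedetection and navidrome pass `kubernetes_namespace.<name>.metadata[0].name`; using the reference here gives the module the same ordering guarantee.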
@@ -4,13 +4,43 @@ variable "tls_secret_name" { } variable "nfs_server" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "grampsweb" +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "grampsweb-secrets" + namespace = "grampsweb" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "grampsweb-secrets" + } + dataFrom = [{ + extract = { + key = "grampsweb" + } + }] + } + } + depends_on = [kubernetes_namespace.grampsweb] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "grampsweb-secrets" + namespace = kubernetes_namespace.grampsweb.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] } locals { - mailserver_accounts = jsondecode(data.vault_kv_secret_v2.secrets.data["mailserver_accounts"]) + mailserver_accounts = jsondecode(data.kubernetes_secret.eso_secrets.data["mailserver_accounts"]) } variable "redis_host" { type = string } variable "ollama_host" { type = string } diff --git a/stacks/navidrome/main.tf b/stacks/navidrome/main.tf index 96d63828..37f88729 100644 --- a/stacks/navidrome/main.tf +++ b/stacks/navidrome/main.tf @@ -3,16 +3,6 @@ variable "tls_secret_name" { sensitive = true } variable "nfs_server" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "navidrome" -} - -locals { - homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"]) -} - - resource "kubernetes_namespace" "navidrome" { metadata { name = "navidrome" 
@@ -23,6 +13,45 @@ resource "kubernetes_namespace" "navidrome" { } } +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "navidrome-secrets" + namespace = "navidrome" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "navidrome-secrets" + } + dataFrom = [{ + extract = { + key = "navidrome" + } + }] + } + } + depends_on = [kubernetes_namespace.navidrome] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "navidrome-secrets" + namespace = kubernetes_namespace.navidrome.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] +} + +locals { + homepage_credentials = jsondecode(data.kubernetes_secret.eso_secrets.data["homepage_credentials"]) +} + module "tls_secret" { source = "../../modules/kubernetes/setup_tls_secret" namespace = kubernetes_namespace.navidrome.metadata[0].name diff --git a/stacks/novelapp/main.tf b/stacks/novelapp/main.tf index a2c0423b..5e2cd4a4 100644 --- a/stacks/novelapp/main.tf +++ b/stacks/novelapp/main.tf @@ -3,9 +3,31 @@ variable "tls_secret_name" { sensitive = true } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "novelapp" +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "novelapp-secrets" + namespace = "novelapp" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "novelapp-secrets" + } + dataFrom = [{ + extract = { + key = "novelapp" + } + }] + } + } + depends_on = [kubernetes_namespace.novelapp] } resource "kubernetes_namespace" "novelapp" { 
@@ -24,16 +46,6 @@ module "tls_secret" { tls_secret_name = var.tls_secret_name } -resource "kubernetes_secret" "novelapp_auth" { - metadata { - name = "novelapp-auth" - namespace = kubernetes_namespace.novelapp.metadata[0].name - } - data = { - "auth-secret" = data.vault_kv_secret_v2.secrets.data["auth_secret"] - } -} - resource "kubernetes_persistent_volume_claim" "novelapp-data" { metadata { name = "novelapp-data" @@ -58,6 +70,9 @@ resource "kubernetes_deployment" "novelapp" { app = "novelapp" tier = local.tiers.aux } + annotations = { + "reloader.stakater.com/auto" = "true" + } } lifecycle { ignore_changes = [ @@ -111,8 +126,8 @@ resource "kubernetes_deployment" "novelapp" { name = "AUTH_SECRET" value_from { secret_key_ref { - name = kubernetes_secret.novelapp_auth.metadata[0].name - key = "auth-secret" + name = "novelapp-secrets" + key = "auth_secret" } } } diff --git a/stacks/ollama/main.tf b/stacks/ollama/main.tf index 6ab444c7..1ece189c 100644 --- a/stacks/ollama/main.tf +++ b/stacks/ollama/main.tf 
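Review bot: `name = "novelapp-secrets"` in the `AUTH_SECRET` `secret_key_ref` replaces a reference to `kubernetes_secret.novelapp_auth.metadata[0].name` with a string literal, so the Deployment no longer has any dependency on `kubernetes_manifest.external_secret`; in this same apply the old `novelapp-auth` Secret is destroyed and the Deployment may be rolled to the new name before ESO has created it, leaving pods in `CreateContainerConfigError` until the sync lands (and, if `wait_for_rollout` is at its default, a Terraform timeout rather than a clear error). Referencing the manifest restores the edge: `name = kubernetes_manifest.external_secret.manifest.spec.target.name`. The key also changed from `auth-secret` to `auth_secret`, which now has to match the field name stored in Vault rather than a name chosen in Terraform, so it is worth a check against the Vault entry. ytdlp has the same literal in its `OPENROUTER_API_KEY` and `SLACK_BOT_TOKEN` references.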
@@ -5,13 +5,43 @@ variable "tls_secret_name" { variable "nfs_server" { type = string } variable "ollama_host" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "ollama" +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "ollama-secrets" + namespace = "ollama" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "ollama-secrets" + } + dataFrom = [{ + extract = { + key = "ollama" + } + }] + } + } + depends_on = [kubernetes_namespace.ollama] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "ollama-secrets" + namespace = kubernetes_namespace.ollama.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] } locals { - api_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["api_credentials"]) + api_credentials = jsondecode(data.kubernetes_secret.eso_secrets.data["api_credentials"]) } diff --git a/stacks/owntracks/main.tf b/stacks/owntracks/main.tf index c3534aff..3e74be75 100644 --- a/stacks/owntracks/main.tf +++ b/stacks/owntracks/main.tf 
@@ -4,13 +4,43 @@ variable "tls_secret_name" { } variable "nfs_server" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "owntracks" +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "owntracks-secrets" + namespace = "owntracks" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "owntracks-secrets" + } + dataFrom = [{ + extract = { + key = "owntracks" + } + }] + } + } + depends_on = [kubernetes_namespace.owntracks] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "owntracks-secrets" + namespace = kubernetes_namespace.owntracks.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] } locals { - credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["credentials"]) + credentials = jsondecode(data.kubernetes_secret.eso_secrets.data["credentials"]) } diff --git a/stacks/real-estate-crawler/main.tf b/stacks/real-estate-crawler/main.tf index 5ad6b2e4..6210bfdf 100644 --- a/stacks/real-estate-crawler/main.tf +++ b/stacks/real-estate-crawler/main.tf 
@@ -6,13 +6,43 @@ variable "nfs_server" { type = string } variable "redis_host" { type = string } variable "mysql_host" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "real-estate-crawler" +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "real-estate-crawler-secrets" + namespace = "realestate-crawler" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "real-estate-crawler-secrets" + } + dataFrom = [{ + extract = { + key = "real-estate-crawler" + } + }] + } + } + depends_on = [kubernetes_namespace.realestate-crawler] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "real-estate-crawler-secrets" + namespace = kubernetes_namespace.realestate-crawler.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] } locals { - notification_settings = jsondecode(data.vault_kv_secret_v2.secrets.data["notification_settings"]) + notification_settings = jsondecode(data.kubernetes_secret.eso_secrets.data["notification_settings"]) } @@ -121,6 +151,9 @@ resource "kubernetes_deployment" "realestate-crawler-api" { app = "realestate-crawler-api" tier = local.tiers.aux } + annotations = { + "reloader.stakater.com/auto" = "true" + } } spec { replicas = 2 @@ -157,7 +190,7 @@ resource "kubernetes_deployment" "realestate-crawler-api" { } env { name = "DB_CONNECTION_STRING" - value = "mysql://wrongmove:${data.vault_kv_secret_v2.secrets.data["db_password"]}@${var.mysql_host}:3306/wrongmove" + value = "mysql://wrongmove:${data.kubernetes_secret.eso_secrets.data["db_password"]}@${var.mysql_host}:3306/wrongmove" } # env { 
@@ -299,6 +332,9 @@ resource "kubernetes_deployment" "realestate-crawler-celery" { app = "realestate-crawler-celery" tier = local.tiers.aux } + annotations = { + "reloader.stakater.com/auto" = "true" + } } spec { replicas = 1 @@ -349,7 +385,7 @@ resource "kubernetes_deployment" "realestate-crawler-celery" { } env { name = "DB_CONNECTION_STRING" - value = "mysql://wrongmove:${data.vault_kv_secret_v2.secrets.data["db_password"]}@${var.mysql_host}:3306/wrongmove" + value = "mysql://wrongmove:${data.kubernetes_secret.eso_secrets.data["db_password"]}@${var.mysql_host}:3306/wrongmove" } env { name = "CELERY_BROKER_URL" @@ -420,6 +456,9 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" { app = "realestate-crawler-celery-beat" tier = local.tiers.aux } + annotations = { + "reloader.stakater.com/auto" = "true" + } } spec { replicas = 1 @@ -460,7 +499,7 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" { } env { name = "DB_CONNECTION_STRING" - value = "mysql://wrongmove:${data.vault_kv_secret_v2.secrets.data["db_password"]}@${var.mysql_host}:3306/wrongmove" + value = "mysql://wrongmove:${data.kubernetes_secret.eso_secrets.data["db_password"]}@${var.mysql_host}:3306/wrongmove" } env { name = "CELERY_BROKER_URL" diff --git a/stacks/servarr/main.tf b/stacks/servarr/main.tf index 2f7e5c86..9acd350c 100644 --- a/stacks/servarr/main.tf +++ b/stacks/servarr/main.tf 
@@ -4,13 +4,43 @@ variable "tls_secret_name" { } variable "nfs_server" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "servarr" +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "servarr-secrets" + namespace = "servarr" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "servarr-secrets" + } + dataFrom = [{ + extract = { + key = "servarr" + } + }] + } + } + depends_on = [kubernetes_namespace.servarr] +} + +data "kubernetes_secret" "eso_secrets" { + metadata { + name = "servarr-secrets" + namespace = kubernetes_namespace.servarr.metadata[0].name + } + depends_on = [kubernetes_manifest.external_secret] } locals { - homepage_credentials = jsondecode(data.vault_kv_secret_v2.secrets.data["homepage_credentials"]) + homepage_credentials = jsondecode(data.kubernetes_secret.eso_secrets.data["homepage_credentials"]) } @@ -80,7 +110,7 @@ module "listenarr" { module "aiostreams" { source = "./aiostreams" tls_secret_name = var.tls_secret_name - aiostreams_database_connection_string = data.vault_kv_secret_v2.secrets.data["aiostreams_database_connection_string"] + aiostreams_database_connection_string = data.kubernetes_secret.eso_secrets.data["aiostreams_database_connection_string"] tier = local.tiers.aux nfs_server = var.nfs_server } diff --git a/stacks/ytdlp/main.tf b/stacks/ytdlp/main.tf index 3e5f1a83..3c9d0a77 100644 --- a/stacks/ytdlp/main.tf +++ b/stacks/ytdlp/main.tf 
@@ -5,10 +5,33 @@ variable "tls_secret_name" { variable "slack_channel" { type = string } variable "nfs_server" { type = string } -data "vault_kv_secret_v2" "secrets" { - mount = "secret" - name = "ytdlp" +resource "kubernetes_manifest" "external_secret" { + manifest = { + apiVersion = "external-secrets.io/v1beta1" + kind = "ExternalSecret" + metadata = { + name = "ytdlp-secrets" + namespace = "ytdlp" + } + spec = { + refreshInterval = "15m" + secretStoreRef = { + name = "vault-kv" + kind = "ClusterSecretStore" + } + target = { + name = "ytdlp-secrets" + } + dataFrom = [{ + extract = { + key = "ytdlp" + } + }] + } + } + depends_on = [kubernetes_namespace.ytdlp] } + variable "redis_host" { type = string } variable "ollama_host" { type = string } @@ -164,26 +187,6 @@ module "ingress" { # yt-highlights service # ---------------------- -resource "kubernetes_secret" "openrouter" { - metadata { - name = "openrouter-credentials" - namespace = kubernetes_namespace.ytdlp.metadata[0].name - } - data = { - "api-key" = data.vault_kv_secret_v2.secrets.data["openrouter_api_key"] - } -} - -resource "kubernetes_secret" "slack" { - metadata { - name = "slack-credentials" - namespace = kubernetes_namespace.ytdlp.metadata[0].name - } - data = { - "bot-token" = data.vault_kv_secret_v2.secrets.data["slack_bot_token"] - "channel" = var.slack_channel - } -} resource "kubernetes_deployment" "yt_highlights" { metadata { @@ -194,7 +197,8 @@ resource "kubernetes_deployment" "yt_highlights" { tier = local.tiers.aux } annotations = { - "diun.enable" = "true" + "diun.enable" = "true" + "reloader.stakater.com/auto" = "true" } } spec { @@ -245,8 +249,8 @@ resource "kubernetes_deployment" "yt_highlights" { name = "OPENROUTER_API_KEY" value_from { secret_key_ref { - name = kubernetes_secret.openrouter.metadata[0].name - key = "api-key" + name = "ytdlp-secrets" + key = "openrouter_api_key" } } } 
@@ -258,19 +262,14 @@ resource "kubernetes_deployment" "yt_highlights" { name = "SLACK_BOT_TOKEN" value_from { secret_key_ref { - name = kubernetes_secret.slack.metadata[0].name - key = "bot-token" + name = "ytdlp-secrets" + key = "slack_bot_token" } } } env { - name = "SLACK_CHANNEL" - value_from { - secret_key_ref { - name = kubernetes_secret.slack.metadata[0].name - key = "channel" - } - } + name = "SLACK_CHANNEL" + value = var.slack_channel } env { name = "REDIS_URL"