c670cb7118
Some checks failed
ci/woodpecker/push/default Pipeline failed
The API rewrite half of the ESO 0.12->2.6 migration (last k8s-1.35 compat-gate blocker). Done on chart 0.16.2, which serves BOTH external-secrets.io/v1beta1 and v1, so this is the safe window — MUST land before 0.17 removes v1beta1 (there is no conversion webhook). Pure apiVersion bump, schema is byte-identical: 106 occurrences (104 ExternalSecrets + 2 ClusterSecretStores vault-kv/vault-database) across 73 .tf files, v1beta1 -> v1, no other field changes. Validated live first on tandoor (single, non-coupled, synced ES): the kubernetes_manifest apiVersion bump forces a REPLACE; the target Secret is cascade-GC'd for ONE ~0.3s poll then ESO recreates it (identical value re-synced from Vault, new UID) and the ES returns SecretSynced=True on v1. Running pods keep their mounted copy through the sub-second blip. All 110 target Secrets were snapshotted to /tmp first as a backstop. CI applies the changed stacks serially (staged rollout); watching aggregate ES sync back to 108 synced (2 pre-existing dead: instagram-poster, payslip-ingest). Next: Phase 3 climb 0.16.2 -> 2.6.0. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
40 lines
1.2 KiB
HCL
40 lines
1.2 KiB
HCL
# SMTP password for Authentik's signup-verification + recovery email (tripit
|
|
# ADR-0020). Synced from Vault secret/authentik.smtp_password into the authentik
|
|
# namespace as the `authentik-email` Secret, referenced by
|
|
# AUTHENTIK_EMAIL__PASSWORD in values.yaml (server.env + worker.env). The sender
|
|
# account is noreply@viktorbarzin.me (a mailserver SASL account); host/port/from
|
|
# are non-secret and live in values.yaml. The reloader annotation rolls the
|
|
# authentik pods if the password ever changes.
|
|
resource "kubernetes_manifest" "authentik_email_secret" {
|
|
manifest = {
|
|
apiVersion = "external-secrets.io/v1"
|
|
kind = "ExternalSecret"
|
|
metadata = {
|
|
name = "authentik-email"
|
|
namespace = "authentik"
|
|
}
|
|
spec = {
|
|
refreshInterval = "1h"
|
|
secretStoreRef = {
|
|
name = "vault-kv"
|
|
kind = "ClusterSecretStore"
|
|
}
|
|
target = {
|
|
name = "authentik-email"
|
|
template = {
|
|
metadata = {
|
|
annotations = {
|
|
"reloader.stakater.com/match" = "true"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
data = [
|
|
{
|
|
secretKey = "AUTHENTIK_EMAIL__PASSWORD"
|
|
remoteRef = { key = "authentik", property = "smtp_password" }
|
|
},
|
|
]
|
|
}
|
|
}
|
|
}
|