From e88f1de69e0ee6d41684ecb446f43fa75f9e1729 Mon Sep 17 00:00:00 2001 
From: Ludovic Ortega Date: Tue, 18 Jun 2024 22:15:54 +0000 Subject: [PATCH] feat: use postgresql for media applications when possible --- ansible/group_vars/kubernetes_master/all.yml | 44 +++++++++ .../kubernetes_master/secrets.example | 24 +++++ argocd/media/bazarr/kustomization.yaml | 4 +- .../bazarr/manifests/01_external_secret.yaml | 92 +++++++++++++++++++ .../manifests/{01_pvc.yaml => 02_pvc.yaml} | 0 .../media/bazarr/manifests/03_postgres.yaml | 23 +++++ argocd/media/bazarr/values.yaml | 11 +++ argocd/media/joal/values.yaml | 3 + argocd/media/prowlarr/kustomization.yaml | 4 + .../manifests/01_external_secret.yaml | 92 +++++++++++++++++++ .../media/prowlarr/manifests/02_postgres.yaml | 23 +++++ argocd/media/prowlarr/values.yaml | 22 ++++- argocd/media/qbittorrent/values.yaml | 3 + argocd/media/radarr/kustomization.yaml | 4 +- .../radarr/manifests/01_external_secret.yaml | 92 +++++++++++++++++++ .../manifests/{01_pvc.yaml => 02_pvc.yaml} | 0 .../media/radarr/manifests/03_postgres.yaml | 23 +++++ argocd/media/radarr/values.yaml | 20 ++++ argocd/media/sonarr/kustomization.yaml | 4 +- .../sonarr/manifests/01_external_secret.yaml | 92 +++++++++++++++++++ .../manifests/{01_pvc.yaml => 02_pvc.yaml} | 0 .../media/sonarr/manifests/03_postgres.yaml | 23 +++++ argocd/media/sonarr/values.yaml | 20 ++++ .../manifests/01_external_secret.yaml | 4 + 24 files changed, 623 insertions(+), 4 deletions(-) create mode 100644 argocd/media/bazarr/manifests/01_external_secret.yaml rename argocd/media/bazarr/manifests/{01_pvc.yaml => 02_pvc.yaml} (100%) create mode 100644 argocd/media/bazarr/manifests/03_postgres.yaml create mode 100644 argocd/media/prowlarr/manifests/01_external_secret.yaml create mode 100644 argocd/media/prowlarr/manifests/02_postgres.yaml create mode 100644 argocd/media/radarr/manifests/01_external_secret.yaml rename argocd/media/radarr/manifests/{01_pvc.yaml => 02_pvc.yaml} (100%) create mode 100644 argocd/media/radarr/manifests/03_postgres.yaml create mode 100644 
argocd/media/sonarr/manifests/01_external_secret.yaml rename argocd/media/sonarr/manifests/{01_pvc.yaml => 02_pvc.yaml} (100%) create mode 100644 argocd/media/sonarr/manifests/03_postgres.yaml diff --git a/ansible/group_vars/kubernetes_master/all.yml b/ansible/group_vars/kubernetes_master/all.yml index 25415091e..5f6d40436 100644 --- a/ansible/group_vars/kubernetes_master/all.yml +++ b/ansible/group_vars/kubernetes_master/all.yml @@ -142,6 +142,26 @@ vault_policies: - path: secret/data/homelab/prod/hyperglass capabilities: - read + - name: bazarr + rules: + - path: secret/data/homelab/prod/bazarr + capabilities: + - read + - name: prowlarr + rules: + - path: secret/data/homelab/prod/prowlarr + capabilities: + - read + - name: radarr + rules: + - path: secret/data/homelab/prod/radarr + capabilities: + - read + - name: sonarr + rules: + - path: secret/data/homelab/prod/sonarr + capabilities: + - read - name: qbittorrent rules: - path: secret/data/homelab/prod/qbittorrent @@ -266,6 +286,30 @@ public_vault_datas: bound_service_account_namespaces: qbittorrent policies: qbittorrent ttl: 1h + - path: auth/kubernetes/role/bazarr + data: + bound_service_account_names: bazarr-vault + bound_service_account_namespaces: bazarr + policies: bazarr + ttl: 1h + - path: auth/kubernetes/role/prowlarr + data: + bound_service_account_names: prowlarr-vault + bound_service_account_namespaces: prowlarr + policies: prowlarr + ttl: 1h + - path: auth/kubernetes/role/radarr + data: + bound_service_account_names: radarr-vault + bound_service_account_namespaces: radarr + policies: radarr + ttl: 1h + - path: auth/kubernetes/role/sonarr + data: + bound_service_account_names: sonarr-vault + bound_service_account_namespaces: sonarr + policies: sonarr + ttl: 1h vault_datas: "{{ public_vault_datas + secret_vault_datas }}" external_secrets_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}" cert_manager_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}" 
diff --git a/ansible/group_vars/kubernetes_master/secrets.example b/ansible/group_vars/kubernetes_master/secrets.example index 38c99a812..e7cd60cff 100644 --- a/ansible/group_vars/kubernetes_master/secrets.example +++ b/ansible/group_vars/kubernetes_master/secrets.example @@ -85,6 +85,30 @@ secret_vault_datas: data: REDIS_PASSWORD: devices.yaml: "{{ hyperglass_device_config }}" + - path: secret/data/homelab/prod/bazarr + data: + data: + API_KEY: + POSTGRES_USER: + POSTGRES_PASSWORD: + - path: secret/data/homelab/prod/prowlarr + data: + data: + API_KEY: + POSTGRES_USER: + POSTGRES_PASSWORD: + - path: secret/data/homelab/prod/radarr + data: + data: + API_KEY: + POSTGRES_USER: + POSTGRES_PASSWORD: + - path: secret/data/homelab/prod/sonarr + data: + data: + API_KEY: + POSTGRES_USER: + POSTGRES_PASSWORD: - path: secret/data/homelab/prod/qbittorrent data: data: diff --git a/argocd/media/bazarr/kustomization.yaml b/argocd/media/bazarr/kustomization.yaml index a492d704d..e5d795214 100644 --- a/argocd/media/bazarr/kustomization.yaml +++ b/argocd/media/bazarr/kustomization.yaml @@ -6,7 +6,9 @@ kind: Kustomization namespace: &namespace bazarr resources: - - manifests/01_pvc.yaml + - manifests/01_external_secret.yaml + - manifests/02_pvc.yaml + - manifests/03_postgres.yaml helmCharts: - name: bazarr diff --git a/argocd/media/bazarr/manifests/01_external_secret.yaml b/argocd/media/bazarr/manifests/01_external_secret.yaml new file mode 100644 index 000000000..5fc1cb4d5 --- /dev/null +++ b/argocd/media/bazarr/manifests/01_external_secret.yaml 
@@ -0,0 +1,92 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bazarr-vault +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/secretstore_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: SecretStore +metadata: + name: vault +spec: + provider: + vault: + server: "https://vault.vault.svc:8200" + path: "secret" + version: "v2" + auth: + kubernetes: + mountPath: "kubernetes" + role: "bazarr" + serviceAccountRef: + name: "bazarr-vault" + caProvider: + type: "ConfigMap" + name: "homelab-ca" + key: "ca.crt" +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: bazarr-vault +spec: + refreshInterval: "1m" + target: + creationPolicy: "Owner" + deletionPolicy: "Retain" + secretStoreRef: + kind: SecretStore + name: vault + data: + - secretKey: RADARR__AUTH__APIKEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/bazarr + property: API_KEY + - secretKey: POSTGRES_USERNAME + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/bazarr + property: POSTGRES_USER + - secretKey: POSTGRES_PASSWORD + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/bazarr + property: POSTGRES_PASSWORD +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: postgres-vault +spec: + refreshInterval: "1m" + target: + creationPolicy: "Owner" + deletionPolicy: "Retain" + secretStoreRef: + kind: SecretStore + name: vault + data: + - secretKey: username + remoteRef: + conversionStrategy: Default + decodingStrategy: None + 
metadataPolicy: None + key: secret/data/homelab/prod/bazarr + property: POSTGRES_USER + - secretKey: password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/bazarr + property: POSTGRES_PASSWORD \ No newline at end of file diff --git a/argocd/media/bazarr/manifests/01_pvc.yaml b/argocd/media/bazarr/manifests/02_pvc.yaml similarity index 100% rename from argocd/media/bazarr/manifests/01_pvc.yaml rename to argocd/media/bazarr/manifests/02_pvc.yaml diff --git a/argocd/media/bazarr/manifests/03_postgres.yaml b/argocd/media/bazarr/manifests/03_postgres.yaml new file mode 100644 index 000000000..453fa8e2d --- /dev/null +++ b/argocd/media/bazarr/manifests/03_postgres.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: bazarr-cluster +spec: + instances: 1 + + primaryUpdateStrategy: unsupervised + + enableSuperuserAccess: false + + bootstrap: + initdb: + database: bazarr + owner: bazarr + secret: + name: postgres-vault + dataChecksums: true + encoding: 'UTF8' + + storage: + size: 2Gi \ No newline at end of file diff --git a/argocd/media/bazarr/values.yaml b/argocd/media/bazarr/values.yaml index e1bba09d4..a0ebf6f20 100644 --- a/argocd/media/bazarr/values.yaml +++ b/argocd/media/bazarr/values.yaml @@ -1,7 +1,18 @@ --- +strategy: + type: RollingUpdate + extraEnv: - name: TZ value: Europe/Paris + - name: POSTGRES_ENABLED + value: "True" + - name: POSTGRES_HOST + value: "bazarr-cluster-rw" + - name: POSTGRES_PORT + value: "5432" + - name: POSTGRES_DATABASE + value: bazarr volumes: - name: data persistentVolumeClaim: diff --git a/argocd/media/joal/values.yaml b/argocd/media/joal/values.yaml index 6a42a871f..b33011c53 100644 --- a/argocd/media/joal/values.yaml +++ b/argocd/media/joal/values.yaml @@ -1,4 +1,7 @@ --- +strategy: + type: RollingUpdate + volumes: - name: &volume-config joal-config configMap: 
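Review bot: The first `data` entry of the `bazarr-vault` ExternalSecret in `argocd/media/bazarr/manifests/01_external_secret.yaml` publishes Bazarr's `API_KEY` under the key `RADARR__AUTH__APIKEY`, which looks copied from the radarr manifest; the prowlarr, radarr and sonarr files each use their own prefix. Confirm which variable Bazarr actually reads for its API key and rename the key, or drop the entry if none applies, so the credential is not synced into a Secret under a name nothing consumes. The file also ends without a trailing newline.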
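Review bot: In `argocd/media/bazarr/manifests/03_postgres.yaml`, `bootstrap.initdb.secret` points at `postgres-vault`, but the ExternalSecret that produces it sets no `target.template.type`, so the Secret will presumably be created as `Opaque`. CloudNativePG describes this secret as following the `kubernetes.io/basic-auth` layout, so it is worth setting the type explicitly. The `username` value comes from the Vault property `POSTGRES_USER` and is expected to match `owner: bazarr`, which nothing in the manifest enforces; a comment beside `owner` such as `# must equal POSTGRES_USER in secret/data/homelab/prod/bazarr` would record that. The cluster also has `instances: 1` and no `backup` stanza, so the database has no replica and no recovery path beyond its volume. The same points apply to the prowlarr, radarr and sonarr Cluster manifests.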
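Review bot: No `extraEnvFrom` is added in `argocd/media/bazarr/values.yaml`, unlike the prowlarr, radarr and sonarr values files, so the `POSTGRES_USERNAME` and `POSTGRES_PASSWORD` keys of the `bazarr-vault` Secret do not appear to reach the container even though `POSTGRES_ENABLED` is set to `"True"`. The rest of the file is outside the hunk, so check whether that Secret is already referenced further down. If it is not, add `extraEnvFrom:` with a `- secretRef:` entry whose `name` is `bazarr-vault` after the `extraEnv` list, as the other three applications do.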
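Review bot: `strategy.type: RollingUpdate`, added at the top of the joal values file and of the bazarr, prowlarr, qbittorrent, radarr and sonarr ones, keeps the old pod running until the new one is ready, which is a poor fit for single-replica applications that keep state on a volume. The bazarr, radarr and sonarr hunks show a `persistentVolumeClaim` volume in context. If those claims are ReadWriteOnce (the access mode is not visible here), a rollout can stall waiting for the volume or briefly run two instances against the same data directory. Assuming the chart passes `strategy` through to the Deployment, consider `type: Recreate` for the releases that mount a claim and keep `RollingUpdate` only where the pod is stateless.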
diff --git a/argocd/media/prowlarr/kustomization.yaml b/argocd/media/prowlarr/kustomization.yaml index 15376c6bc..182d25aa7 100644 --- a/argocd/media/prowlarr/kustomization.yaml +++ b/argocd/media/prowlarr/kustomization.yaml @@ -5,6 +5,10 @@ kind: Kustomization namespace: &namespace prowlarr +resources: + - manifests/01_external_secret.yaml + - manifests/02_postgres.yaml + helmCharts: - name: prowlarr releaseName: prowlarr diff --git a/argocd/media/prowlarr/manifests/01_external_secret.yaml b/argocd/media/prowlarr/manifests/01_external_secret.yaml new file mode 100644 index 000000000..e8482088e --- /dev/null +++ b/argocd/media/prowlarr/manifests/01_external_secret.yaml 
@@ -0,0 +1,92 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: prowlarr-vault +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/secretstore_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: SecretStore +metadata: + name: vault +spec: + provider: + vault: + server: "https://vault.vault.svc:8200" + path: "secret" + version: "v2" + auth: + kubernetes: + mountPath: "kubernetes" + role: "prowlarr" + serviceAccountRef: + name: "prowlarr-vault" + caProvider: + type: "ConfigMap" + name: "homelab-ca" + key: "ca.crt" +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: prowlarr-vault +spec: + refreshInterval: "1m" + target: + creationPolicy: "Owner" + deletionPolicy: "Retain" + secretStoreRef: + kind: SecretStore + name: vault + data: + - secretKey: PROWLARR__AUTH__APIKEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/prowlarr + property: API_KEY + - secretKey: PROWLARR__POSTGRES__USER + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/prowlarr + property: POSTGRES_USER + - secretKey: PROWLARR__POSTGRES__PASSWORD + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/prowlarr + property: POSTGRES_PASSWORD +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: postgres-vault +spec: + refreshInterval: "1m" + target: + creationPolicy: "Owner" + deletionPolicy: "Retain" + secretStoreRef: + kind: SecretStore + name: vault + data: + - secretKey: username + remoteRef: + conversionStrategy: Default + 
decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/prowlarr + property: POSTGRES_USER + - secretKey: password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/prowlarr + property: POSTGRES_PASSWORD diff --git a/argocd/media/prowlarr/manifests/02_postgres.yaml b/argocd/media/prowlarr/manifests/02_postgres.yaml new file mode 100644 index 000000000..16ba7b90d --- /dev/null +++ b/argocd/media/prowlarr/manifests/02_postgres.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: prowlarr-cluster +spec: + instances: 1 + + primaryUpdateStrategy: unsupervised + + enableSuperuserAccess: false + + bootstrap: + initdb: + database: prowlarr + owner: prowlarr + secret: + name: postgres-vault + dataChecksums: true + encoding: 'UTF8' + + storage: + size: 2Gi \ No newline at end of file diff --git a/argocd/media/prowlarr/values.yaml b/argocd/media/prowlarr/values.yaml index c78fa2290..856b6fee2 100644 --- a/argocd/media/prowlarr/values.yaml +++ b/argocd/media/prowlarr/values.yaml @@ -1,4 +1,24 @@ --- +strategy: + type: RollingUpdate + extraEnv: - name: TZ - value: Europe/Paris \ No newline at end of file + value: Europe/Paris + - name: PROWLARR__APP__INSTANCENAME + value: Prowlarr + - name: PROWLARR__APP__THEME + value: dark + - name: PROWLARR__LOG__DBENABLED + value: "False" + - name: PROWLARR__LOG__LEVEL + value: info + - name: PROWLARR__POSTGRES__HOST + value: "prowlarr-cluster-rw" + - name: PROWLARR__POSTGRES__PORT + value: "5432" + - name: PROWLARR__POSTGRES__MAINDB + value: prowlarr +extraEnvFrom: + - secretRef: + name: prowlarr-vault diff --git a/argocd/media/qbittorrent/values.yaml b/argocd/media/qbittorrent/values.yaml index d99ef58e2..3d8f10af6 100644 --- a/argocd/media/qbittorrent/values.yaml +++ b/argocd/media/qbittorrent/values.yaml 
@@ -1,4 +1,7 @@ --- +strategy: + type: RollingUpdate + extraEnv: - name: QBT_BitTorrent__Session__MaxActiveDownloads value: "5" diff --git a/argocd/media/radarr/kustomization.yaml b/argocd/media/radarr/kustomization.yaml index a56056d77..d638cbd16 100644 --- a/argocd/media/radarr/kustomization.yaml +++ b/argocd/media/radarr/kustomization.yaml @@ -6,7 +6,9 @@ kind: Kustomization namespace: &namespace radarr resources: - - manifests/01_pvc.yaml + - manifests/01_external_secret.yaml + - manifests/02_pvc.yaml + - manifests/03_postgres.yaml helmCharts: - name: radarr diff --git a/argocd/media/radarr/manifests/01_external_secret.yaml b/argocd/media/radarr/manifests/01_external_secret.yaml new file mode 100644 index 000000000..7cdd107ae --- /dev/null +++ b/argocd/media/radarr/manifests/01_external_secret.yaml 
@@ -0,0 +1,92 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: radarr-vault +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/secretstore_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: SecretStore +metadata: + name: vault +spec: + provider: + vault: + server: "https://vault.vault.svc:8200" + path: "secret" + version: "v2" + auth: + kubernetes: + mountPath: "kubernetes" + role: "radarr" + serviceAccountRef: + name: "radarr-vault" + caProvider: + type: "ConfigMap" + name: "homelab-ca" + key: "ca.crt" +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: radarr-vault +spec: + refreshInterval: "1m" + target: + creationPolicy: "Owner" + deletionPolicy: "Retain" + secretStoreRef: + kind: SecretStore + name: vault + data: + - secretKey: RADARR__AUTH__APIKEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/radarr + property: API_KEY + - secretKey: RADARR__POSTGRES__USER + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/radarr + property: POSTGRES_USER + - secretKey: RADARR__POSTGRES__PASSWORD + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/radarr + property: POSTGRES_PASSWORD +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: postgres-vault +spec: + refreshInterval: "1m" + target: + creationPolicy: "Owner" + deletionPolicy: "Retain" + secretStoreRef: + kind: SecretStore + name: vault + data: + - secretKey: username + remoteRef: + conversionStrategy: Default + decodingStrategy: None 
+ metadataPolicy: None + key: secret/data/homelab/prod/radarr + property: POSTGRES_USER + - secretKey: password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/radarr + property: POSTGRES_PASSWORD diff --git a/argocd/media/radarr/manifests/01_pvc.yaml b/argocd/media/radarr/manifests/02_pvc.yaml similarity index 100% rename from argocd/media/radarr/manifests/01_pvc.yaml rename to argocd/media/radarr/manifests/02_pvc.yaml diff --git a/argocd/media/radarr/manifests/03_postgres.yaml b/argocd/media/radarr/manifests/03_postgres.yaml new file mode 100644 index 000000000..289d4b14c --- /dev/null +++ b/argocd/media/radarr/manifests/03_postgres.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: radarr-cluster +spec: + instances: 1 + + primaryUpdateStrategy: unsupervised + + enableSuperuserAccess: false + + bootstrap: + initdb: + database: radarr + owner: radarr + secret: + name: postgres-vault + dataChecksums: true + encoding: 'UTF8' + + storage: + size: 2Gi \ No newline at end of file diff --git a/argocd/media/radarr/values.yaml b/argocd/media/radarr/values.yaml index 1a74a32e6..2c21bf5b9 100644 --- a/argocd/media/radarr/values.yaml +++ b/argocd/media/radarr/values.yaml @@ -1,7 +1,27 @@ --- +strategy: + type: RollingUpdate + extraEnv: - name: TZ value: Europe/Paris + - name: RADARR__APP__INSTANCENAME + value: Bazarr + - name: RADARR__APP__THEME + value: dark + - name: RADARR__LOG__DBENABLED + value: "False" + - name: RADARR__LOG__LEVEL + value: info + - name: RADARR__POSTGRES__HOST + value: "radarr-cluster-rw" + - name: RADARR__POSTGRES__PORT + value: "5432" + - name: RADARR__POSTGRES__MAINDB + value: radarr +extraEnvFrom: + - secretRef: + name: radarr-vault volumes: - name: &volume-data data persistentVolumeClaim: diff --git a/argocd/media/sonarr/kustomization.yaml b/argocd/media/sonarr/kustomization.yaml index 9cd462f01..9374fe23b 100644 
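Review bot: `RADARR__APP__INSTANCENAME` is set to `Bazarr` in `argocd/media/radarr/values.yaml`, which looks like a copy-paste slip; the prowlarr and sonarr values files use their own application names. Change the value to `Radarr` so the instance identifies itself correctly. The `volumes` list that follows continues outside the hunk.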
--- a/argocd/media/sonarr/kustomization.yaml +++ b/argocd/media/sonarr/kustomization.yaml @@ -6,7 +6,9 @@ kind: Kustomization namespace: &namespace sonarr resources: - - manifests/01_pvc.yaml + - manifests/01_external_secret.yaml + - manifests/02_pvc.yaml + - manifests/03_postgres.yaml helmCharts: - name: sonarr diff --git a/argocd/media/sonarr/manifests/01_external_secret.yaml b/argocd/media/sonarr/manifests/01_external_secret.yaml new file mode 100644 index 000000000..d834e2f1c --- /dev/null +++ b/argocd/media/sonarr/manifests/01_external_secret.yaml 
@@ -0,0 +1,92 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: sonarr-vault +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/secretstore_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: SecretStore +metadata: + name: vault +spec: + provider: + vault: + server: "https://vault.vault.svc:8200" + path: "secret" + version: "v2" + auth: + kubernetes: + mountPath: "kubernetes" + role: "sonarr" + serviceAccountRef: + name: "sonarr-vault" + caProvider: + type: "ConfigMap" + name: "homelab-ca" + key: "ca.crt" +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: sonarr-vault +spec: + refreshInterval: "1m" + target: + creationPolicy: "Owner" + deletionPolicy: "Retain" + secretStoreRef: + kind: SecretStore + name: vault + data: + - secretKey: SONARR__AUTH__APIKEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/sonarr + property: API_KEY + - secretKey: SONARR__POSTGRES__USER + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/sonarr + property: POSTGRES_USER + - secretKey: SONARR__POSTGRES__PASSWORD + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/sonarr + property: POSTGRES_PASSWORD +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: postgres-vault +spec: + refreshInterval: "1m" + target: + creationPolicy: "Owner" + deletionPolicy: "Retain" + secretStoreRef: + kind: SecretStore + name: vault + data: + - secretKey: username + remoteRef: + conversionStrategy: Default + decodingStrategy: None 
+ metadataPolicy: None + key: secret/data/homelab/prod/sonarr + property: POSTGRES_USER + - secretKey: password + remoteRef: + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None + key: secret/data/homelab/prod/sonarr + property: POSTGRES_PASSWORD diff --git a/argocd/media/sonarr/manifests/01_pvc.yaml b/argocd/media/sonarr/manifests/02_pvc.yaml similarity index 100% rename from argocd/media/sonarr/manifests/01_pvc.yaml rename to argocd/media/sonarr/manifests/02_pvc.yaml diff --git a/argocd/media/sonarr/manifests/03_postgres.yaml b/argocd/media/sonarr/manifests/03_postgres.yaml new file mode 100644 index 000000000..a97fd2f1a --- /dev/null +++ b/argocd/media/sonarr/manifests/03_postgres.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: sonarr-cluster +spec: + instances: 1 + + primaryUpdateStrategy: unsupervised + + enableSuperuserAccess: false + + bootstrap: + initdb: + database: sonarr + owner: sonarr + secret: + name: postgres-vault + dataChecksums: true + encoding: 'UTF8' + + storage: + size: 2Gi \ No newline at end of file diff --git a/argocd/media/sonarr/values.yaml b/argocd/media/sonarr/values.yaml index c13e2fc83..b44e10dd1 100644 --- a/argocd/media/sonarr/values.yaml +++ b/argocd/media/sonarr/values.yaml @@ -1,7 +1,27 @@ --- +strategy: + type: RollingUpdate + extraEnv: - name: TZ value: Europe/Paris + - name: SONARR__APP__INSTANCENAME + value: Sonarr + - name: SONARR__APP__THEME + value: dark + - name: SONARR__LOG__DBENABLED + value: "False" + - name: SONARR__LOG__LEVEL + value: info + - name: SONARR__POSTGRES__HOST + value: "sonarr-cluster-rw" + - name: SONARR__POSTGRES__PORT + value: "5432" + - name: SONARR__POSTGRES__MAINDB + value: sonarr +extraEnvFrom: + - secretRef: + name: sonarr-vault volumes: - name: &volume-data data persistentVolumeClaim: 
diff --git a/argocd/misc/authentik/manifests/01_external_secret.yaml b/argocd/misc/authentik/manifests/01_external_secret.yaml index 504d20b18..a484179fe 100644 --- a/argocd/misc/authentik/manifests/01_external_secret.yaml +++ b/argocd/misc/authentik/manifests/01_external_secret.yaml @@ -4,6 +4,7 @@ kind: ServiceAccount metadata: name: authentik-vault --- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: @@ -25,6 +26,7 @@ spec: name: "homelab-ca" key: "ca.crt" --- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: @@ -74,6 +76,7 @@ spec: key: secret/data/homelab/prod/authentik property: AUTHENTIK_BOOTSTRAP_PASSWORD --- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: @@ -102,6 +105,7 @@ spec: key: secret/data/homelab/prod/authentik property: POSTGRES_PASSWORD --- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata:
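Review bot: The first added comment in `argocd/misc/authentik/manifests/01_external_secret.yaml` sits above the `kind: SecretStore` document but names `externalsecret_v1beta1.json`, whereas the new media manifests in this commit use `secretstore_v1beta1.json` for their SecretStore. With the wrong schema the language server checks the SecretStore against ExternalSecret fields, so real mistakes in the Vault auth block can be masked by spurious errors. Change that line to `# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/secretstore_v1beta1.json`. The other three added comments are on ExternalSecret documents and match their kind.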