Add secret for n8n

This commit is contained in:
dvirlabs 2026-05-26 15:22:52 +03:00
parent 6499168693
commit dbe8b8e401
20 changed files with 11 additions and 562 deletions


@ -1,19 +0,0 @@
# apiVersion: argoproj.io/v1alpha1
# kind: Application
# metadata:
# name: cluster-secret-store-creator
# namespace: argocd
# spec:
# project: dev-tools
# source:
# repoURL: ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git
# targetRevision: HEAD
# path: manifests/cluster-secret-store
# directory:
# recurse: true
# destination:
# server: https://kubernetes.default.svc
# namespace: dev-tools
# syncPolicy:
# syncOptions:
# - CreateNamespace=true


@ -1,19 +0,0 @@
# apiVersion: argoproj.io/v1alpha1
# kind: Application
# metadata:
# name: external-secrets-dev-tools
# namespace: argocd
# spec:
# project: dev-tools
# source:
# repoURL: ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git
# targetRevision: HEAD
# path: manifests/external-secrets-dev-tools
# directory:
# recurse: true
# destination:
# server: https://kubernetes.default.svc
# namespace: dev-tools
# syncPolicy:
# syncOptions:
# - CreateNamespace=true


@ -1,18 +0,0 @@
# apiVersion: argoproj.io/v1alpha1
# kind: Application
# metadata:
# name: external-secrets
# namespace: argocd
# spec:
# project: dev-tools
# source:
# repoURL: 'ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git'
# targetRevision: HEAD
# path: charts/external-secrets
# helm:
# valueFiles:
# - ../../manifests/external-secrets/values.yaml
# destination:
# server: https://kubernetes.default.svc
# namespace: dev-tools
# syncPolicy: {}


@ -1,17 +0,0 @@
# apiVersion: argoproj.io/v1alpha1
# kind: Application
# metadata:
# name: vault-config
# namespace: argocd
# spec:
# project: dev-tools
# source:
# repoURL: ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git
# targetRevision: HEAD
# path: manifests/vault
# directory:
# recurse: true
# destination:
# server: https://kubernetes.default.svc
# namespace: dev-tools
# syncPolicy: {}


@ -1,29 +0,0 @@
# apiVersion: argoproj.io/v1alpha1
# kind: Application
# metadata:
# name: vault
# namespace: argocd
# spec:
# project: dev-tools
# source:
# repoURL: ssh://git@gitea-ssh.dev-tools.svc.cluster.local:2222/dvirlabs/dev-tools.git
# targetRevision: HEAD
# path: charts/vault
# helm:
# valueFiles:
# - ../../manifests/vault/values.yaml
# destination:
# server: https://kubernetes.default.svc
# namespace: dev-tools
# syncPolicy: {}
# ignoreDifferences:
# - group: admissionregistration.k8s.io
# kind: MutatingWebhookConfiguration
# name: vault-agent-injector-cfg
# jsonPointers:
# - /webhooks/0/clientConfig/caBundle
# - group: apps
# kind: Deployment
# name: vault-agent-injector
# jsonPointers:
# - /spec/template/metadata/annotations


@ -65,11 +65,11 @@ spec:
configMapKeyRef:
name: {{ include "n8n.fullname" . }}
key: DB_SQLITE_FILE
# Sensitive values from Secret
# Sensitive values from Secret created by ExternalSecret
- name: N8N_ENCRYPTION_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret | default (include "n8n.fullname" .) }}
name: n8n-secrets
key: N8N_ENCRYPTION_KEY
{{- if .Values.env }}
{{- range $key, $value := .Values.env }}
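Review bot: The secretKeyRef on the new line `name: n8n-secrets` is a fixed literal, so the chart can no longer point at a differently named Secret, and the values.yaml hunk that follows in this commit removes the `existingSecret` key the template used to honor. Keeping the value-driven lookup while changing only the default preserves both, `name: {{ .Values.existingSecret | default "n8n-secrets" }}`, and leaves the values key in place for overrides. The comment on the line above would also help a reader who finds the pod stuck on a missing key if it named the producer, e.g. `# Secret is produced by the n8n-secrets ExternalSecret; the pod will not start until it exists`. The enclosing container spec starts and ends outside the hunk.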


@ -58,10 +58,6 @@ envFrom: []
# - secretRef:
# name: n8n-tokens
# Reference to an existing Secret for sensitive values
# If not provided, Secret with the same name as the release will be used
existingSecret: ""
resources:
requests:
cpu: 100m


@ -1,76 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: vault-bootstrap-cicd
namespace: dev-tools
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
argocd.argoproj.io/sync-wave: "1"
spec:
backoffLimit: 2
ttlSecondsAfterFinished: 60
template:
spec:
restartPolicy: OnFailure
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: vault
image: hashicorp/vault:1.16
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
env:
- name: VAULT_ADDR
value: "http://vault.dev-tools.svc.cluster.local:8200"
- name: VAULT_TOKEN
valueFrom:
secretKeyRef:
name: vault-admin-token
key: token
command:
- /bin/sh
- -c
args:
- |
set -e
echo "[bootstrap for scope cicd]"
i=0
until vault status >/dev/null 2>&1; do
i=$((i+1))
if [ "$i" -gt 30 ]; then
echo "Vault is not ready after 30 attempts"; exit 1
fi
echo "Waiting for Vault... ($i/30)"
sleep 2
done
cat >/tmp/policy.hcl <<'EOF'
path "cicd/metadata/*" { capabilities = ["list"] }
path "cicd/data/*" { capabilities = ["read"] }
EOF
vault policy write eso-cicd-read /tmp/policy.hcl || true
vault write auth/kubernetes/role/eso-cicd \
bound_service_account_names="external-secrets" \
bound_service_account_namespaces="dev-tools" \
bound_audiences="https://kubernetes.default.svc" \
policies="eso-cicd-read" \
ttl=1h


@ -1,19 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault-cicd
annotations:
argocd.argoproj.io/sync-wave: "0"
spec:
provider:
vault:
server: "http://vault.dev-tools.svc.cluster.local:8200"
path: "cicd"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "eso-cicd"
serviceAccountRef:
name: "external-secrets"
namespace: "dev-tools"


@ -1,76 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: vault-bootstrap-internal-users
namespace: dev-tools
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
argocd.argoproj.io/sync-wave: "1"
spec:
backoffLimit: 2
ttlSecondsAfterFinished: 60
template:
spec:
restartPolicy: OnFailure
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: vault
image: hashicorp/vault:1.16
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
env:
- name: VAULT_ADDR
value: "http://vault.dev-tools.svc.cluster.local:8200"
- name: VAULT_TOKEN
valueFrom:
secretKeyRef:
name: vault-admin-token
key: token
command:
- /bin/sh
- -c
args:
- |
set -e
echo "[bootstrap for scope internal-users]"
i=0
until vault status >/dev/null 2>&1; do
i=$((i+1))
if [ "$i" -gt 30 ]; then
echo "Vault is not ready after 30 attempts"; exit 1
fi
echo "Waiting for Vault... ($i/30)"
sleep 2
done
cat >/tmp/policy.hcl <<'EOF'
path "internal-users/metadata/*" { capabilities = ["list"] }
path "internal-users/data/*" { capabilities = ["read"] }
EOF
vault policy write eso-internal-users-read /tmp/policy.hcl || true
vault write auth/kubernetes/role/eso-internal-users \
bound_service_account_names="external-secrets" \
bound_service_account_namespaces="dev-tools" \
bound_audiences="https://kubernetes.default.svc" \
policies="eso-internal-users-read" \
ttl=1h


@ -1,19 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault-internal-users
annotations:
argocd.argoproj.io/sync-wave: "0"
spec:
provider:
vault:
server: "http://vault.dev-tools.svc.cluster.local:8200"
path: "internal-users"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "eso-internal-users"
serviceAccountRef:
name: "external-secrets"
namespace: "dev-tools"


@ -1,76 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: vault-bootstrap-oidc
namespace: dev-tools
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
argocd.argoproj.io/sync-wave: "1"
spec:
backoffLimit: 2
ttlSecondsAfterFinished: 60
template:
spec:
restartPolicy: OnFailure
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: vault
image: hashicorp/vault:1.16
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
env:
- name: VAULT_ADDR
value: "http://vault.dev-tools.svc.cluster.local:8200"
- name: VAULT_TOKEN
valueFrom:
secretKeyRef:
name: vault-admin-token
key: token
command:
- /bin/sh
- -c
args:
- |
set -e
echo "[bootstrap for scope oidc-secrets]"
i=0
until vault status >/dev/null 2>&1; do
i=$((i+1))
if [ "$i" -gt 30 ]; then
echo "Vault is not ready after 30 attempts"; exit 1
fi
echo "Waiting for Vault... ($i/30)"
sleep 2
done
cat >/tmp/policy.hcl <<'EOF'
path "oidc-secrets/metadata/*" { capabilities = ["list"] }
path "oidc-secrets/data/*" { capabilities = ["read"] }
EOF
vault policy write eso-oidc-read /tmp/policy.hcl || true
vault write auth/kubernetes/role/eso-oidc \
bound_service_account_names="external-secrets" \
bound_service_account_namespaces="dev-tools" \
bound_audiences="https://kubernetes.default.svc" \
policies="eso-oidc-read" \
ttl=1h


@ -1,19 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault-oidc
annotations:
argocd.argoproj.io/sync-wave: "0"
spec:
provider:
vault:
server: "http://vault.dev-tools.svc.cluster.local:8200"
path: "oidc-clients"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "eso-oidc"
serviceAccountRef:
name: "external-secrets"
namespace: "dev-tools"


@ -1,77 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: vault-bootstrap-general
namespace: dev-tools
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/hook-delete-policy: HookSucceeded
argocd.argoproj.io/sync-wave: "1"
spec:
backoffLimit: 2
ttlSecondsAfterFinished: 60
template:
spec:
restartPolicy: OnFailure
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: vault
image: hashicorp/vault:1.16
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
env:
- name: VAULT_ADDR
value: "http://vault.dev-tools.svc.cluster.local:8200"
- name: VAULT_TOKEN
valueFrom:
secretKeyRef:
name: vault-admin-token
key: token
command:
- /bin/sh
- -c
args:
- |
set -e
echo "[bootstrap for scope general-secrets]"
i=0
until vault status >/dev/null 2>&1; do
i=$((i+1))
if [ "$i" -gt 30 ]; then
echo "Vault is not ready after 30 attempts"; exit 1
fi
echo "Waiting for Vault... ($i/30)"
sleep 2
done
cat >/tmp/policy.hcl <<'EOF'
path "general-secrets/metadata/*" { capabilities = ["list"] }
path "general-secrets/data/*" { capabilities = ["read"] }
EOF
vault policy write eso-general-read /tmp/policy.hcl || true
vault write auth/kubernetes/role/eso-general \
bound_service_account_names="external-secrets" \
bound_service_account_namespaces="dev-tools" \
bound_audiences="https://kubernetes.default.svc" \
policies="eso-general-read" \
ttl=1h


@ -1,19 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault-general-secrets
annotations:
argocd.argoproj.io/sync-wave: "0"
spec:
provider:
vault:
server: "http://vault.dev-tools.svc.cluster.local:8200"
path: "general-secrets"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "eso-general"
serviceAccountRef:
name: "external-secrets"
namespace: "dev-tools"


@ -1,18 +0,0 @@
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: kaniko-docker-config
# namespace: dev-tools
# spec:
# refreshInterval: 1h
# secretStoreRef:
# name: vault-general-secrets
# kind: ClusterSecretStore
# target:
# name: kaniko-docker-config
# creationPolicy: Owner
# data:
# - secretKey: config.json
# remoteRef:
# key: general-secrets/woodpecker-kaniko
# property: config.json


@ -1,22 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: woodpecker-harbor-creds
namespace: dev-tools
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-cicd # ClusterSecretStore for CICD secrets
kind: ClusterSecretStore
target:
name: woodpecker-harbor-secret # K8s Secret that will be created
creationPolicy: Owner
data:
- secretKey: docker_username
remoteRef:
key: harbor # relative to ClusterSecretStore's path (cicd)
property: docker_username
- secretKey: docker_password
remoteRef:
key: harbor
property: docker_password


@ -1,28 +0,0 @@
installCRDs: true
image:
repository: ghcr.io/external-secrets/external-secrets
tag: v0.9.19
pullPolicy: IfNotPresent
flavour: default
webhook:
enabled: true
image:
repository: ghcr.io/external-secrets/external-secrets
tag: v0.9.19
flavour: webhook
certController:
enabled: true
image:
repository: ghcr.io/external-secrets/external-secrets
tag: v0.9.19
flavour: cert-controller
certs:
duration: 8760h
renewBefore: 720h
selfSigned: true
nodeSelector:
node-role.kubernetes.io/worker: "true"


@ -36,10 +36,6 @@ persistence:
storageClass: nfs-client
size: 10Gi
# Reference to existing Secret for sensitive values like N8N_ENCRYPTION_KEY
# This Secret must be created in the dev-tools namespace before ArgoCD syncs
existingSecret: n8n-secrets
resources:
requests:
cpu: 100m


@ -2,4 +2,12 @@ secretStore:
name: vault
kind: ClusterSecretStore
externalSecrets: []
externalSecrets:
- name: n8n-secrets
namespace: dev-tools
targetName: n8n-secrets
creationPolicy: Owner
data:
- secretKey: N8N_ENCRYPTION_KEY
remoteKey: dev-tools/n8n
property: encryption_key
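Review bot: The new `n8n-secrets` entry fetches `dev-tools/n8n` through the single `vault` ClusterSecretStore named in the context lines at the top of this hunk, while the same commit deletes the per-mount stores (`vault-cicd`, `vault-general-secrets`, `vault-internal-users`, `vault-oidc`) and the bootstrap Jobs that bound each of them to a read-only policy limited to one KV mount. The policy behind the `vault` store's Kubernetes auth role is not visible in this diff, so it is worth confirming it still grants only `read`/`list` on the paths ESO needs, since that one role now fronts the n8n encryption key. Whether `remoteKey: dev-tools/n8n` is resolved relative to the store's configured `path` or as a full KV path likewise depends on that store's definition, so a comment on the entry pinning the intent would help, e.g. `# remoteKey is relative to the vault store's configured KV path`. If the template that consumes this list supports a per-entry refreshInterval, setting one explicitly here would make key rotation in Vault propagate predictably.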