diff --git a/kubernetes/main/apps/home-automation/external-secrets/secrets/mqtt-secret.yaml b/kubernetes/main/apps/home-automation/external-secrets/secrets/emqx-secret.yaml
similarity index 80%
rename from kubernetes/main/apps/home-automation/external-secrets/secrets/mqtt-secret.yaml
rename to kubernetes/main/apps/home-automation/external-secrets/secrets/emqx-secret.yaml
index 18ee00a1..c1ee069f 100644
--- a/kubernetes/main/apps/home-automation/external-secrets/secrets/mqtt-secret.yaml
+++ b/kubernetes/main/apps/home-automation/external-secrets/secrets/emqx-secret.yaml
@@ -3,12 +3,12 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: mqtt-secret
+  name: emqx-secret
 spec:
   dataFrom:
     - extract:
-        key: mqtt-secret
+        key: emqx-secret
         sourceRef:
           storeRef:
-            name: mqtt-secret-store
+            name: emqx-secret-store
             kind: ClusterSecretStore
diff --git a/kubernetes/main/apps/home-automation/external-secrets/secrets/kustomization.yaml b/kubernetes/main/apps/home-automation/external-secrets/secrets/kustomization.yaml
index 239d4627..a84f6ee2 100644
--- a/kubernetes/main/apps/home-automation/external-secrets/secrets/kustomization.yaml
+++ b/kubernetes/main/apps/home-automation/external-secrets/secrets/kustomization.yaml
@@ -3,5 +3,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./mqtt-secret.yaml
+  - ./emqx-secret.yaml
   - ./postgres-secret.yaml
diff --git a/kubernetes/main/apps/home-automation/external-secrets/stores/rbac.yaml b/kubernetes/main/apps/home-automation/external-secrets/stores/rbac.yaml
index 01aa1ae4..1a8e03d9 100644
--- a/kubernetes/main/apps/home-automation/external-secrets/stores/rbac.yaml
+++ b/kubernetes/main/apps/home-automation/external-secrets/stores/rbac.yaml
@@ -13,9 +13,10 @@ rules:
     resources:
       - secrets
     resourceNames:
+      - ebusd-emqx-secret
       - home-assistant-config-secret
+      - home-assistant-emqx-secret
       - home-assistant-postgres-dburl
-      - home-assistant-postgres-recorder-initdb
       - home-assistant-postgres-recorder-secret
     verbs:
       - get
diff --git a/kubernetes/main/apps/home-automation/home-assistant/app/emqx-init-secret.yaml b/kubernetes/main/apps/home-automation/home-assistant/app/emqx-init-secret.yaml
new file mode 100644
index 00000000..544b28d0
--- /dev/null
+++ b/kubernetes/main/apps/home-automation/home-assistant/app/emqx-init-secret.yaml
@@ -0,0 +1,40 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: home-assistant-emqx-init
+spec:
+  target:
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        INIT_EMQX_API_HOST: "{{ .emqx_api_host }}"
+        INIT_EMQX_API_PORT: "{{ .emqx_api_port }}"
+        INIT_EMQX_ACCESS_KEY: "{{ .emqx_username }}"
+        INIT_EMQX_SECRET_KEY: "{{ .emqx_password }}"
+        INIT_EMQX_USER: "{{ .hass_username }}"
+        INIT_EMQX_PASS: "{{ .hass_password }}"
+        INIT_EMQX_TOPIC: "homeassistant"
+  dataFrom:
+    - extract:
+        key: emqx-secret
+        rewrite:
+          - regexp:
+              source: "^(.*)$"
+              target: "emqx_$1"
+        sourceRef:
+          storeRef:
+            name: emqx-secret-store
+            kind: ClusterSecretStore
+    - extract:
+        key: home-assistant-emqx-secret
+        rewrite:
+          - regexp:
+              source: "^(.*)$"
+              target: "hass_$1"
+        sourceRef:
+          storeRef:
+            name: home-automation-secret-store
+            kind: SecretStore
diff --git a/kubernetes/main/apps/home-automation/home-assistant/app/emqx-secret.sops.yaml b/kubernetes/main/apps/home-automation/home-assistant/app/emqx-secret.sops.yaml
new file mode 100644
index 00000000..70c78028
--- /dev/null
+++ b/kubernetes/main/apps/home-automation/home-assistant/app/emqx-secret.sops.yaml
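Review bot: Dropping `home-assistant-postgres-recorder-initdb` from resourceNames is unrelated to the EMQX wiring, and app/kustomization.yaml in this same diff still lists `./postgres-recorder-initdb-secret.yaml`; if that ExternalSecret reads its source through `home-automation-secret-store`, the store loses `get` on the Secret and the sync fails, so confirm it is really unused before this lands. `ebusd-emqx-secret` is granted here but no Secret of that name is created in this diff, presumably it lives under the ebusd app. Per-name grants are the right least-privilege shape for a Kubernetes-provider store; a comment per entry naming its consumer, e.g. `# read by home-assistant's emqx-init ExternalSecret` above `- home-assistant-emqx-secret`, would make future pruning safer. The enclosing rule starts before this hunk.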
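Review bot: The rendered `home-assistant-emqx-init` Secret bundles the EMQX management API credentials (`INIT_EMQX_ACCESS_KEY`/`INIT_EMQX_SECRET_KEY`, sourced from the cluster-wide `emqx-secret`) with the per-app MQTT user, and nothing in the file records that the former is a privileged broker credential that only the init step should see. Add a header comment after the schema line, e.g. `# Env for the emqx-init initContainer: the EMQX API key (emqx_*) creates the hass_* MQTT user; keep this Secret off the main container`, and if the broker's API keys can be role-scoped, point `emqx-secret` at a key limited to user management. The two `^(.*)$` rewrites mean the template expects `emqx-secret` to expose exactly `api_host`, `api_port`, `username` and `password`, and `home-assistant-emqx-secret` to expose `username` and `password`; a missing key would presumably render as an empty or `<no value>` string rather than fail the sync, which is worth stating in the same comment. `INIT_EMQX_TOPIC` is the only literal in the template, so a one-line comment on why it is not sourced from the secret would help too.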
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: home-assistant-emqx-secret
+type: kubernetes.io/basic-auth
+stringData:
+  username: ENC[AES256_GCM,data:JrjmN3cDemLsbUFDJYc=,iv:bxCy2V4IrvV0rdEV8UExkHe1CmwpQVMBXv7TQ7QzjEw=,tag:0qcVhv0Itg1uFZHGyq29wA==,type:str]
+  password: ENC[AES256_GCM,data:jahDMh6zO0mDmACZfKcy78wUCDecSRpoxvqUFuTd5/kLMqDkg7tk4A==,iv:KSgcyaqYMtDqfAhmgpZtrmldQz01jZYhDRwNBoKcakg=,tag:jDf8OVQa3XtlROwuIRpWgQ==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1ve9kzacrwq7l9l0emvs326uk6t576d75r596e083r2tq6xu28qcsacy3s7
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0alFUWTBleUFFZHJweFBu
+        VURqQUJVT1d0cmNJNE5ORG1lSjNqZzVuem1ZCitWRXhReWxoTUs0djJUNXJPSTVk
+        aUZZaUdoUlJaTVVnRlBmQVh3UzBZbDgKLS0tIFdha1h2UGI0L2FPSEgyeTIyVXJL
+        Y2JkSnVhL1o0dDBCOWpFb2ZyNEFkZ00KmGjxwrjRrnOBbEq3wPWCt79lMC2EwWd8
+        6IqaQW+pRzCh4Lzj3Nj4vu4YQw75HI0sx3W46HgyD33Qsya2Df6sxQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-06-26T23:57:04Z"
+  mac: ENC[AES256_GCM,data:45ypnfHFcMoJtcrpw3ApIDZKsdRpg5Dntc5BYgCWIt1nNCArhH2duW/TD2WsMf+cTmeqY8quMmoI/Q/H6blpOYPRM8EQfXL3spmDNrpWm39wt3ja5e+uneKX1eDMxhyYkt71IiuVZtERSr1sorIZk9SK6vZVWBWo53msan3XuUc=,iv:nrxNk0NAg/jMEuNqD4RULTYwDcOYL7vfuvDGXg6VbC8=,tag:ZSMvaJdyH98zLzKCEqkQ4Q==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.8.1
diff --git a/kubernetes/main/apps/home-automation/home-assistant/app/helmrelease.yaml b/kubernetes/main/apps/home-automation/home-assistant/app/helmrelease.yaml
index edb5e5d9..5f559e09 100644
--- a/kubernetes/main/apps/home-automation/home-assistant/app/helmrelease.yaml
+++ b/kubernetes/main/apps/home-automation/home-assistant/app/helmrelease.yaml
@@ -47,7 +47,7 @@ spec:
             "namespace": "kube-system",
             "ips": ["192.168.101.254/24"]
           }]
-        reloader.stakater.com/auto: "true"
+        secret.reloader.stakater.com/reload: "home-assistant-emqx-init,home-assistant-secret"
       securityContext:
         runAsUser: 0
         runAsGroup: 0
@@ -118,6 +118,13 @@ spec:
               apt install --yes net-tools
             ) > /tmp/postStart.log 2>&1 || true
         initContainers:
+          emqx-init:
+            image:
+              repository: ghcr.io/prehor/emqx-init
+              tag: 1.0.0
+            envFrom:
+              - secretRef:
+                  name: home-assistant-emqx-init
           recorder-initdb:
             image:
               repository: ghcr.io/onedr0p/postgres-init
diff --git a/kubernetes/main/apps/home-automation/home-assistant/app/kustomization.yaml b/kubernetes/main/apps/home-automation/home-assistant/app/kustomization.yaml
index fbf8426d..14b22439 100644
--- a/kubernetes/main/apps/home-automation/home-assistant/app/kustomization.yaml
+++ b/kubernetes/main/apps/home-automation/home-assistant/app/kustomization.yaml
@@ -6,8 +6,10 @@ resources:
   - ./helmrelease.yaml
   - ./config-deploy-key.sops.yaml
   - ./config-secret.sops.yaml
-  - ./config-secret.yaml
+  - ./emqx-init-secret.yaml
+  - ./emqx-secret.sops.yaml
   - ./postgres-dburl-secret.yaml
   - ./postgres-recorder-initdb-secret.yaml
   - ./postgres-recorder-secret.sops.yaml
+  - ./secret.yaml
   - ../../../../templates/volsync
diff --git a/kubernetes/main/apps/home-automation/home-assistant/app/config-secret.yaml b/kubernetes/main/apps/home-automation/home-assistant/app/secret.yaml
similarity index 76%
rename from kubernetes/main/apps/home-automation/home-assistant/app/config-secret.yaml
rename to kubernetes/main/apps/home-automation/home-assistant/app/secret.yaml
index 5ac6442d..03110ebf 100644
--- a/kubernetes/main/apps/home-automation/home-assistant/app/config-secret.yaml
+++ b/kubernetes/main/apps/home-automation/home-assistant/app/secret.yaml
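Review bot: Swapping `reloader.stakater.com/auto: "true"` for `secret.reloader.stakater.com/reload: "home-assistant-emqx-init,home-assistant-secret"` narrows the reload trigger to those two Secrets only; the auto annotation restarted the pod on a change to any referenced Secret or ConfigMap, so the postgres recorder and dburl Secrets listed in app/kustomization.yaml, if the release references them, will no longer roll the pod when rotated. If the narrowing is deliberate (for example to stop restarts on config-secret changes), record it with a comment above the annotation, `# explicit list: config secrets must not restart the pod`; otherwise extend the list. The enclosing annotations block starts before this hunk.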
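Review bot: `ghcr.io/prehor/emqx-init` is referenced by the mutable tag `1.0.0` while `envFrom` hands it the EMQX management API key, so whatever image is published under that tag at pull time receives the credential; pin the digest as well, `tag: 1.0.0@sha256:<digest-placeholder>`, which automated bumps still handle. If the `securityContext` in the previous hunk is pod-scoped, this init container also runs with `runAsUser: 0`; if the init image does not need root, give it its own container-level `securityContext` with a non-root user and `capabilities: { drop: [ALL] }`. The initContainers map continues past this hunk.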
@@ -16,16 +16,6 @@ spec:
         storeRef:
           name: home-automation-secret-store
           kind: SecretStore
-    - extract:
-        key: mqtt-secret
-        rewrite:
-          - regexp:
-              source: "^(.*)$"
-              target: "mqtt_$1"
-        sourceRef:
-          storeRef:
-            name: mqtt-secret-store
-            kind: ClusterSecretStore
     - extract:
         key: home-assistant-postgres-dburl
         rewrite: