diff --git a/1password/1password.ts b/1password/1password.ts
new file mode 100644
index 0000000..329f2c1
--- /dev/null
+++ b/1password/1password.ts
@@ -0,0 +1,46 @@
+import * as fs from "fs";
+import { Construct } from "constructs";
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+
+type OnePasswordSecret = {
+ name: string;
+ namespace: string;
+ itemPath: string;
+};
+
+type OnePasswordOptions = {
+ provider: KubernetesProvider;
+};
+
+export class OnePassword extends Construct {
+ constructor(scope: Construct, id: string, options: OnePasswordOptions) {
+ super(scope, id);
+
+ const secrets: OnePasswordSecret[] = JSON.parse(
+ fs.readFileSync("1password/secrets.json", {
+ encoding: "utf8",
+ }),
+ );
+
+ secrets.forEach((secret) => {
+ new Manifest(this, secret.name, {
+ provider: options.provider,
+ manifest: {
+ apiVersion: "onepassword.com/v1",
+ kind: "OnePasswordItem",
+ metadata: {
+ name: secret.name,
+ namespace: secret.namespace,
+ annotations: {
+ "operator.1password.io/auto-restart": "true",
+ },
+ },
+ spec: {
+ itemPath: secret.itemPath,
+ },
+ },
+ });
+ });
+ }
+}
diff --git a/1password/secrets.json b/1password/secrets.json
new file mode 100644
index 0000000..ae7a87a
--- /dev/null
+++ b/1password/secrets.json
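Review bot: `fs.readFileSync("1password/secrets.json", …)` resolves the path against the process working directory rather than this module, so a synth started from any other directory fails with ENOENT; resolve it relative to the source file instead, `fs.readFileSync(path.join(__dirname, "secrets.json"), { encoding: "utf8" })` with `import * as path from "path";`. The `JSON.parse` result is also assigned to `OnePasswordSecret[]` without any check, so an entry missing `namespace` or `itemPath` silently produces a manifest with undefined fields; narrowing the parsed value (at least confirming each entry has the three string fields) before the loop would fail synth with a clear message instead. Because `secret.name` doubles as the construct id, two entries sharing a `name` will most likely collide when the second `Manifest` is constructed — worth stating on the type, e.g. `/** name must be unique: it is both the OnePasswordItem name and the construct id. */`.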
@@ -0,0 +1,77 @@
+[
+ {
+ "name": "gitea-admin",
+ "namespace": "gitea-system",
+ "itemPath": "vaults/Lab/items/gitea-admin"
+ },
+ {
+ "name": "gitea-postgres",
+ "namespace": "gitea-system",
+ "itemPath": "vaults/Lab/items/gitea-postgres"
+ },
+ {
+ "name": "pihole-admin",
+ "namespace": "pihole-system",
+ "itemPath": "vaults/Lab/items/pihole"
+ },
+ {
+ "name": "postgres-password",
+ "namespace": "postgres-system",
+ "itemPath": "vaults/Lab/items/Postgres"
+ },
+ {
+ "name": "runner-secret",
+ "namespace": "gitea-system",
+ "itemPath": "vaults/Lab/items/Gitea"
+ },
+ {
+ "name": "cloudflare-token",
+ "namespace": "cert-manager",
+ "itemPath": "vaults/Lab/items/Cloudflare"
+ },
+ {
+ "name": "authentik-postgres",
+ "namespace": "authentik-system",
+ "itemPath": "vaults/Lab/items/authentik-postgres"
+ },
+ {
+ "name": "redis",
+ "namespace": "redis-system",
+ "itemPath": "vaults/Lab/items/redis"
+ },
+ {
+ "name": "authentik-redis",
+ "namespace": "authentik-system",
+ "itemPath": "vaults/Lab/items/redis"
+ },
+ {
+ "name": "gitea-oauth",
+ "namespace": "gitea-system",
+ "itemPath": "vaults/Lab/items/gitea-oauth"
+ },
+ {
+ "name": "gitea-elasticsearch",
+ "namespace": "gitea-system",
+ "itemPath": "vaults/Lab/items/gitea-elasticsearch"
+ },
+ {
+ "name": "gitea-redis",
+ "namespace": "gitea-system",
+ "itemPath": "vaults/Lab/items/gitea-redis"
+ },
+ {
+ "name": "smtp-token",
+ "namespace": "gitea-system",
+ "itemPath": "vaults/Lab/items/smtp-token"
+ },
+ {
+ "name": "longhorn-encryption",
+ "namespace": "longhorn-system",
+ "itemPath": "vaults/Lab/items/longhorn-encryption"
+ },
+ {
+ "name": "longhorn-backup",
+ "namespace": "longhorn-system",
+ "itemPath": "vaults/Lab/items/longhorn-backup"
+ }
+]
diff --git a/1password/secrets.yaml b/1password/secrets.yaml
deleted file mode 100644
index 5b75e65..0000000
--- a/1password/secrets.yaml
+++ /dev/null
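Review bot: The deleted `secrets.yaml` carried a second `cloudflare-token` item in namespace `cloudflare-system` (its last document) that has no counterpart in this list, so that OnePasswordItem is no longer declared anywhere in the repo; if dropping it is intended, the commit message should say so, otherwise add `{ "name": "cloudflare-token", "namespace": "cloudflare-system", "itemPath": "vaults/Lab/items/Cloudflare" }`. Separately, `redis` (`redis-system`) and `authentik-redis` (`authentik-system`) both materialise the same item `vaults/Lab/items/redis`, which looks deliberate but means one credential ends up readable from two namespaces — worth a short note in a README next to this file, since JSON has no comment syntax.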
@@ -1,160 +0,0 @@ ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: gitea-admin - namespace: gitea-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/gitea-admin" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: gitea-postgres - namespace: gitea-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/gitea-postgres" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: pihole-admin - namespace: pihole-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/pihole" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: postgres-password - namespace: postgres-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/Postgres" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: runner-secret - namespace: gitea-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/Gitea" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: cloudflare-token - namespace: cert-manager - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/Cloudflare" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: authentik-postgres - namespace: authentik-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/authentik-postgres" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: redis - namespace: redis-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/redis" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: authentik-redis - namespace: authentik-system - annotations: - 
operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/redis" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: gitea-oauth - namespace: gitea-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/gitea-oauth" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: gitea-elasticsearch - namespace: gitea-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/gitea-elasticsearch" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: gitea-redis - namespace: gitea-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/gitea-redis" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: smtp-token - namespace: gitea-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/smtp-token" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: longhorn-encryption - namespace: longhorn-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/longhorn-encryption" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: longhorn-backup - namespace: longhorn-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/longhorn-backup" ---- -apiVersion: onepassword.com/v1 -kind: OnePasswordItem -metadata: - name: cloudflare-token - namespace: cloudflare-system - annotations: - operator.1password.io/auto-restart: "true" -spec: - itemPath: "vaults/Lab/items/Cloudflare" diff --git a/main.ts b/main.ts index f53cf21..d244955 100644 --- a/main.ts +++ b/main.ts 
@@ -3,9 +3,12 @@ import { cleanEnv, str } from "envalid";
 import { Construct } from "constructs";
 import { App, TerraformStack, S3Backend } from "cdktf";
 import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
 import { GiteaServer } from "./gitea/server";
+import { OnePassword } from "./1password/1password";
+
 dotenv.config();
 const env = cleanEnv(process.env, {
@@ -19,6 +22,10 @@ class Homelab extends TerraformStack {
 constructor(scope: Construct, id: string) {
 super(scope, id);
+ const kubernetes = new KubernetesProvider(this, "kubernetes", {
+ configPath: "~/.kube/config",
+ });
+
 const helm = new HelmProvider(this, "helm", {
 kubernetes: {
 configPath: "~/.kube/config",
@@ -31,6 +38,10 @@ class Homelab extends TerraformStack {
 provider: helm,
 version: "10.4.0",
 });
+
+ new OnePassword(this, "one-password", {
+ provider: kubernetes,
+ });
 }
}
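Review bot: `configPath: "~/.kube/config"` now appears twice in the `Homelab` constructor, on the new `KubernetesProvider` and on the existing `HelmProvider` just below it, so the two providers can drift if one is later pointed at a different cluster; hoist it into one local, `const kubeconfig = "~/.kube/config";`, and pass `configPath: kubeconfig` to both (the constructor continues past this hunk). The file already builds `env` with `cleanEnv`, which is the natural place to make that path overridable instead of hard-coding it, but that can be a follow-up. In the third hunk, `new OnePassword(...)` relies on the construct reading `1password/secrets.json` relative to the working directory, so synth only works from the repo root — a one-line comment there, `// OnePassword reads 1password/secrets.json relative to cwd`, would spare the next person a puzzling ENOENT.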