feat: OnePassword | migrate to CDKTF (#4)

Reviewed-on: #4

1password/1password.ts

@@ -0,0 +1,46 @@
+import * as fs from "fs";
+import { Construct } from "constructs";
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+
+type OnePasswordSecret = {
+  name: string;
+  namespace: string;
+  itemPath: string;
+};
+
+type OnePasswordOptions = {
+  provider: KubernetesProvider;
+};
+
+export class OnePassword extends Construct {
+  constructor(scope: Construct, id: string, options: OnePasswordOptions) {
+    super(scope, id);
+
+    const secrets: OnePasswordSecret[] = JSON.parse(
+      fs.readFileSync("1password/secrets.json", {
+        encoding: "utf8",
+      }),
+    );
+
+    secrets.forEach((secret) => {
+      new Manifest(this, secret.name, {
+        provider: options.provider,
+        manifest: {
+          apiVersion: "onepassword.com/v1",
+          kind: "OnePasswordItem",
+          metadata: {
+            name: secret.name,
+            namespace: secret.namespace,
+            annotations: {
+              "operator.1password.io/auto-restart": "true",
+            },
+          },
+          spec: {
+            itemPath: secret.itemPath,
+          },
+        },
+      });
+    });
+  }
+}

1password/secrets.json

@@ -0,0 +1,77 @@
+[
+  {
+    "name": "gitea-admin",
+    "namespace": "gitea-system",
+    "itemPath": "vaults/Lab/items/gitea-admin"
+  },
+  {
+    "name": "gitea-postgres",
+    "namespace": "gitea-system",
+    "itemPath": "vaults/Lab/items/gitea-postgres"
+  },
+  {
+    "name": "pihole-admin",
+    "namespace": "pihole-system",
+    "itemPath": "vaults/Lab/items/pihole"
+  },
+  {
+    "name": "postgres-password",
+    "namespace": "postgres-system",
+    "itemPath": "vaults/Lab/items/Postgres"
+  },
+  {
+    "name": "runner-secret",
+    "namespace": "gitea-system",
+    "itemPath": "vaults/Lab/items/Gitea"
+  },
+  {
+    "name": "cloudflare-token",
+    "namespace": "cert-manager",
+    "itemPath": "vaults/Lab/items/Cloudflare"
+  },
+  {
+    "name": "authentik-postgres",
+    "namespace": "authentik-system",
+    "itemPath": "vaults/Lab/items/authentik-postgres"
+  },
+  {
+    "name": "redis",
+    "namespace": "redis-system",
+    "itemPath": "vaults/Lab/items/redis"
+  },
+  {
+    "name": "authentik-redis",
+    "namespace": "authentik-system",
+    "itemPath": "vaults/Lab/items/redis"
+  },
+  {
+    "name": "gitea-oauth",
+    "namespace": "gitea-system",
+    "itemPath": "vaults/Lab/items/gitea-oauth"
+  },
+  {
+    "name": "gitea-elasticsearch",
+    "namespace": "gitea-system",
+    "itemPath": "vaults/Lab/items/gitea-elasticsearch"
+  },
+  {
+    "name": "gitea-redis",
+    "namespace": "gitea-system",
+    "itemPath": "vaults/Lab/items/gitea-redis"
+  },
+  {
+    "name": "smtp-token",
+    "namespace": "gitea-system",
+    "itemPath": "vaults/Lab/items/smtp-token"
+  },
+  {
+    "name": "longhorn-encryption",
+    "namespace": "longhorn-system",
+    "itemPath": "vaults/Lab/items/longhorn-encryption"
+  },
+  {
+    "name": "longhorn-backup",
+    "namespace": "longhorn-system",
+    "itemPath": "vaults/Lab/items/longhorn-backup"
+  }
+]

1password/secrets.yaml

@@ -1,160 +0,0 @@
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: gitea-admin
-  namespace: gitea-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/gitea-admin"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: gitea-postgres
-  namespace: gitea-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/gitea-postgres"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: pihole-admin
-  namespace: pihole-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/pihole"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: postgres-password
-  namespace: postgres-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/Postgres"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: runner-secret
-  namespace: gitea-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/Gitea"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: cloudflare-token
-  namespace: cert-manager
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/Cloudflare"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: authentik-postgres
-  namespace: authentik-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/authentik-postgres"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: redis
-  namespace: redis-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/redis"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: authentik-redis
-  namespace: authentik-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/redis"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: gitea-oauth
-  namespace: gitea-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/gitea-oauth"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: gitea-elasticsearch
-  namespace: gitea-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/gitea-elasticsearch"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: gitea-redis
-  namespace: gitea-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/gitea-redis"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: smtp-token
-  namespace: gitea-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/smtp-token"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: longhorn-encryption
-  namespace: longhorn-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/longhorn-encryption"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: longhorn-backup
-  namespace: longhorn-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/longhorn-backup"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: cloudflare-token
-  namespace: cloudflare-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/Cloudflare"

main.ts

@@ -3,9 +3,12 @@ import { cleanEnv, str } from "envalid";
 import { Construct } from "constructs";
 import { App, TerraformStack, S3Backend } from "cdktf";
 import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
 
 import { GiteaServer } from "./gitea/server";
 
+import { OnePassword } from "./1password/1password";
+
 dotenv.config();
 
 const env = cleanEnv(process.env, {
@@ -19,6 +22,10 @@ class Homelab extends TerraformStack {
   constructor(scope: Construct, id: string) {
     super(scope, id);
 
+    const kubernetes = new KubernetesProvider(this, "kubernetes", {
+      configPath: "~/.kube/config",
+    });
+
     const helm = new HelmProvider(this, "helm", {
       kubernetes: {
         configPath: "~/.kube/config",
@@ -31,6 +38,10 @@ class Homelab extends TerraformStack {
       provider: helm,
       version: "10.4.0",
     });
+
+    new OnePassword(this, "one-password", {
+      provider: kubernetes,
+    });
   }
 }