From 05633e1f968a291a76a18238f3557b86f373781f Mon Sep 17 00:00:00 2001 From: Neko Date: Tue, 13 May 2025 16:10:43 -0500 Subject: [PATCH 01/40] create argocd app --- .../argocd/stacks/common/vaultwarden.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 kubernetes/argocd/stacks/common/vaultwarden.yml diff --git a/kubernetes/argocd/stacks/common/vaultwarden.yml b/kubernetes/argocd/stacks/common/vaultwarden.yml new file mode 100644 index 0000000..57188a6 --- /dev/null +++ b/kubernetes/argocd/stacks/common/vaultwarden.yml @@ -0,0 +1,26 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vaultwarden + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: vaultwarden + server: 'https://kubernetes.default.svc' + sources: + - path: kubernetes/argocd/stacks/vaultwarden + repoURL: 'git@github.com:acm-uic/IaC.git' + targetRevision: HEAD + directory: + recurse: true + include: '*.yml' + exclude: values.yml + project: vaultwarden + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true From 8774b2e672ad201c1d8dc7a1361152794be20d91 Mon Sep 17 00:00:00 2001 From: Neko Date: Tue, 13 May 2025 16:35:00 -0500 Subject: [PATCH 02/40] add deployment --- .../argocd/stacks/vaultwarden/vaultwarden.yml | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml new file mode 100644 index 0000000..307ddab --- /dev/null +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml 
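Review bot: `project: vaultwarden` references an AppProject that is not created anywhere in this commit, so the Application will not sync until one exists; if a per-app project is the intent, its AppProject manifest (this repo as the only source, the in-cluster server and the `vaultwarden` namespace as the only destination) belongs in the same change. Separately, `targetRevision: HEAD` combined with `automated.prune: true` and `selfHeal: true` means every commit that reaches the repository's default branch is applied unattended and any resource missing from git is deleted; naming the branch explicitly instead of `HEAD` makes that contract visible to the reader. A one-line comment above `syncPolicy` stating that this is an auto-pruning app would also help.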
@@ -0,0 +1,60 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: vaultwarden-pvc + namespace: vaultwarden +spec: + accessModes: + - ReadWriteOnce + storageClassName: nfs + resources: + requests: + storage: 20Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vaultwarden + namespace: vaultwarden +spec: + strategy: + type: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: vaultwarden + template: + metadata: + annotations: + labels: + app.kubernetes.io/name: vaultwarden + spec: + volumes: + - name: vaultwarden-data + persistentVolumeClaim: + claimName: vaultwarden-pvc + containers: + - name: vaultwarden + image: vaultwarden/server:latest + env: + - name: DOMAIN + value: 'https://bitwarden.acmuic.org' + volumeMounts: + - name: vaultwarden-data + mountPath: /data +--- +apiVersion: v1 +kind: Service +metadata: + name: vaultwarden + namespace: vaultwarden +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: vaultwarden From 158795a95c010f470db2f7b0d72eef842f2683aa Mon Sep 17 00:00:00 2001 From: Neko Date: Tue, 13 May 2025 17:19:18 -0500 Subject: [PATCH 03/40] use my branch for testing --- kubernetes/argocd/stacks/common/vaultwarden.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/argocd/stacks/common/vaultwarden.yml b/kubernetes/argocd/stacks/common/vaultwarden.yml index 57188a6..d0d0711 100644 --- a/kubernetes/argocd/stacks/common/vaultwarden.yml +++ b/kubernetes/argocd/stacks/common/vaultwarden.yml @@ -11,8 +11,8 @@ spec: server: 'https://kubernetes.default.svc' sources: - path: kubernetes/argocd/stacks/vaultwarden - repoURL: 'git@github.com:acm-uic/IaC.git' - targetRevision: HEAD + repoURL: 'git@github.com:lowpolyneko/IaC.git' + targetRevision: feature/vaultwarden directory: recurse: true include: '*.yml' From a8d57ac7a09882b95b0d9f9b3509481df169cc5a Mon Sep 17 00:00:00 2001 
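Review bot: `strategy:` / `type:` in the Deployment is left empty, which parses as null and falls back to the RollingUpdate default; with one replica bound to a ReadWriteOnce PVC a rollout can leave the new pod pending on the volume, so `type: Recreate` is the usual choice here, and the empty `annotations:` under the pod template likewise parses as null rather than an empty map. The Service's `targetPort: http` names a container port that this commit never declares, so the Service has no usable endpoint as written. `image: vaultwarden/server:latest` is a mutable tag, meaning the deployed code can change with no change in git; a version tag, ideally with a digest, keeps the manifest reproducible. The container also ships with no `securityContext`, no resource limits and no probes, which is thin for an internet-facing password manager — at least a readiness probe and dropped capabilities would be expected, with `runAsNonRoot` to be checked against what the image supports.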
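Review bot: The source now points at a personal fork (`lowpolyneko/IaC`, branch `feature/vaultwarden`) while `automated` sync with `prune` and `selfHeal` stays enabled, so the cluster applies whatever is pushed to a repository outside the organisation's control with no review gate. If this is a temporary test hook it should say so in the file and be reverted before merge; the series is cut at patch 35 here, so I cannot see whether it is. A safer way to test from a fork is a separate Application with a non-automated syncPolicy, leaving the org repository as the only auto-synced source.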
From: Neko Date: Tue, 13 May 2025 17:23:26 -0500 Subject: [PATCH 04/40] use default project --- kubernetes/argocd/stacks/common/vaultwarden.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/argocd/stacks/common/vaultwarden.yml b/kubernetes/argocd/stacks/common/vaultwarden.yml index d0d0711..b9d40c8 100644 --- a/kubernetes/argocd/stacks/common/vaultwarden.yml +++ b/kubernetes/argocd/stacks/common/vaultwarden.yml @@ -17,7 +17,7 @@ spec: recurse: true include: '*.yml' exclude: values.yml - project: vaultwarden + project: default syncPolicy: automated: prune: true From 0d05c0d8042a0bc7c69855684bb7b64c7846803c Mon Sep 17 00:00:00 2001 From: Neko Date: Tue, 13 May 2025 17:25:14 -0500 Subject: [PATCH 05/40] use https instead of ssh --- kubernetes/argocd/stacks/common/vaultwarden.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/argocd/stacks/common/vaultwarden.yml b/kubernetes/argocd/stacks/common/vaultwarden.yml index b9d40c8..3e24385 100644 --- a/kubernetes/argocd/stacks/common/vaultwarden.yml +++ b/kubernetes/argocd/stacks/common/vaultwarden.yml @@ -11,7 +11,7 @@ spec: server: 'https://kubernetes.default.svc' sources: - path: kubernetes/argocd/stacks/vaultwarden - repoURL: 'git@github.com:lowpolyneko/IaC.git' + repoURL: 'https://github.com/lowpolyneko/IaC' targetRevision: feature/vaultwarden directory: recurse: true From 76f42b5af5ce61597f2e2e198147cd4120bfc8b5 Mon Sep 17 00:00:00 2001 From: Neko Date: Tue, 13 May 2025 17:27:51 -0500 Subject: [PATCH 06/40] correct invalid indent --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 307ddab..fb3b722 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml 
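Review bot: `project: default` moves the Application into Argo CD's built-in default AppProject, which, unless it has been tightened on the cluster, permits any source repository, any destination cluster and namespace, and every resource kind including cluster-scoped ones. For an application that will hold directory credentials and an admin token, a dedicated AppProject restricted to this repository, the in-cluster server and the `vaultwarden` namespace is the least-privilege option; the previous `project: vaultwarden` was the right shape and only lacked the AppProject definition.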
@@ -27,8 +27,8 @@ spec: template: metadata: annotations: - labels: - app.kubernetes.io/name: vaultwarden + labels: + app.kubernetes.io/name: vaultwarden spec: volumes: - name: vaultwarden-data From cd638a9f02d3d8a18968fd130adc34f5b26c1306 Mon Sep 17 00:00:00 2001 From: Neko Date: Tue, 13 May 2025 17:44:09 -0500 Subject: [PATCH 07/40] add ingressroute --- .../argocd/stacks/vaultwarden/vaultwarden.yml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index fb3b722..fca36c7 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -1,4 +1,43 @@ --- +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: vaultwarden + namespace: vaultwarden + annotations: + external-dns.alpha.kubernetes.io/target: app.acmuic.org +spec: + entryPoints: + - websecure + routes: + - kind: Rule + match: "Host(`bitwarden.acmuic.org`)" + services: + - kind: Service + name: vaultwarden + namespace: vaultwarden + passHostHeader: true + port: http + responseForwarding: + flushInterval: 1ms + scheme: http + strategy: RoundRobin + weight: 10 + tls: + secretName: vaultwarden-tls +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: vaultwarden-tls +spec: + dnsNames: + - bitwarden.acmuic.org + secretName: vaultwarden-tls + issuerRef: + kind: ClusterIssuer + name: letsencrypt +--- apiVersion: v1 kind: PersistentVolumeClaim metadata: From 6f4958d956c0445e31fe858de1493561d5a57666 Mon Sep 17 00:00:00 2001 From: Neko Date: Tue, 13 May 2025 17:54:20 -0500 Subject: [PATCH 08/40] use self-signed CA --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index fca36c7..4105a82 100644 
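Review bot: The `Certificate` is the only resource in the file without `namespace: vaultwarden` in its metadata, so it only lands next to the IngressRoute that consumes `secretName: vaultwarden-tls` because the Argo CD Application's destination namespace fills it in; adding `namespace: vaultwarden` makes the manifest self-contained. The IngressRoute uses the `traefik.containo.us/v1alpha1` group, which as far as I know is the legacy group superseded by `traefik.io/v1alpha1` and removed in Traefik v3 — worth checking against the Traefik version on the cluster. `flushInterval: 1ms`, `strategy: RoundRobin` and `weight: 10` appear to be defaults for a single backend and could be dropped to keep the route readable.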
--- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -36,7 +36,7 @@ spec: secretName: vaultwarden-tls issuerRef: kind: ClusterIssuer - name: letsencrypt + name: acmuic-self-ca --- apiVersion: v1 kind: PersistentVolumeClaim From d04b23f5881e460308dea918084d414c81e28e4c Mon Sep 17 00:00:00 2001 From: Neko Date: Tue, 13 May 2025 17:56:18 -0500 Subject: [PATCH 09/40] expose container port --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 4105a82..2247f1a 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -79,6 +79,8 @@ spec: env: - name: DOMAIN value: 'https://bitwarden.acmuic.org' + ports: + - containerPort: 80 volumeMounts: - name: vaultwarden-data mountPath: /data From cc9e8b5d08f8b8ca794972895007df468950bf79 Mon Sep 17 00:00:00 2001 From: Neko Date: Tue, 13 May 2025 18:06:35 -0500 Subject: [PATCH 10/40] add name to container port --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 2247f1a..9170b20 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -81,6 +81,7 @@ spec: value: 'https://bitwarden.acmuic.org' ports: - containerPort: 80 + name: http volumeMounts: - name: vaultwarden-data mountPath: /data From 07af0a831d262ae642af49c0c6ecdbc8218f5c2c Mon Sep 17 00:00:00 2001 From: Neko Date: Tue, 13 May 2025 21:33:24 -0500 Subject: [PATCH 11/40] admin_token secret --- .../argocd/stacks/vaultwarden/vaultwarden.yml | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) 
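Review bot: Switching the issuer to `acmuic-self-ca` means bitwarden.acmuic.org is served with a certificate chained to a private CA, while the Certificate still covers the public hostname that the external-dns annotation on the IngressRoute publishes; browsers and the Bitwarden desktop and mobile clients will reject it unless that CA is distributed to every client device. If the host is meant to be reachable only from managed devices that trust the CA, a comment above `issuerRef` saying so, and why `letsencrypt` was dropped, would spare the next reader the same question.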
diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 9170b20..f4af9fc 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -79,12 +79,60 @@ spec: env: - name: DOMAIN value: 'https://bitwarden.acmuic.org' + - name: ADMIN_TOKEN + valueFrom: + secretKeyRef: + name: vaultwarden-admin-token + key: admin_token ports: - containerPort: 80 name: http volumeMounts: - name: vaultwarden-data mountPath: /data + - name: vaultwarden-ldap + image: vividboarder/vaultwarden_ldap:latest + env: + - name: APP_VAULTWARDEN_URL + value: 'https://bitwarden.acmuic.org' + - name: APP_VAULTWARDEN_ADMIN_TOKEN + valueFrom: + secretKeyRef: + name: vaultwarden-admin-token + key: admin_token +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: vaultwarden + namespace: vaultwarden +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vaultwarden-vault-static-auth + namespace: vaultwarden +spec: + method: kubernetes + mount: kubernetes + namespace: vaultwarden + kubernetes: + role: vaultwarden + serviceAccount: vaultwarden +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: vaultwarden-admin-token + namespace: vaultwarden +spec: + vaultAuthRef: vaultwarden-vault-static-auth + type: kv-v2 + mount: kv + path: vaultwarden + destination: + name: vaultwarden-admin-token + create: true --- apiVersion: v1 kind: Service From 275382cc0250c16f298d1761934269878aa82043 Mon Sep 17 00:00:00 2001 From: Neko Date: Wed, 14 May 2025 15:54:18 -0500 Subject: [PATCH 12/40] setup ldap sync --- .../argocd/stacks/vaultwarden/vaultwarden.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index f4af9fc..63906d1 100644 
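Review bot: `spec.namespace: vaultwarden` on the `VaultAuth` is, per the Vault Secrets Operator CRD, the Vault namespace (an Enterprise feature), not the Kubernetes one; on a non-Enterprise Vault, or one without a namespace of that name, the login will fail, so that line most likely should be dropped while `metadata.namespace` stays. The new `vaultwarden-ldap` sidecar is pulled as `vividboarder/vaultwarden_ldap:latest` and is handed the Vaultwarden admin token, so an unpinned third-party image holds the most sensitive credential in the pod — a version tag or digest pin should close that. Since Vaultwarden accepts an Argon2 PHC hash in `ADMIN_TOKEN`, the server container could be given the hash while only the sidecar carries the plaintext; that does not remove the plaintext from the pod, but it keeps it out of the server's environment and logs.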
--- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -100,6 +100,23 @@ spec: secretKeyRef: name: vaultwarden-admin-token key: admin_token + - name: APP_LDAP_HOST + value: 'activedirectory.acmuic.org' + - name: APP_LDAP_BIND_DN + secretKeyRef: + name: vaultwarden-admin-token + key: ldap_user + - name: APP_LDAP_BIND_PASSWORD + valueFrom: + secretKeyRef: + name: vaultwarden-admin-token + key: ldap_password + - name: APP_LDAP_SEARCH_BASE_DN + value: 'dc=acmuic,dc=org' + - name: APP_LDAP_SEARCH_FILTER + value: 'memberOf=CN=ACMLANAdmins,OU=ACMGroups,DC=acmuic,DC=org' + - name: APP_LDAP_MAIL_FIELD + value: 'userPrincipalName' --- apiVersion: v1 kind: ServiceAccount From 3f1de89069428cc98296c7318d825b49aa357ace Mon Sep 17 00:00:00 2001 From: Neko Date: Wed, 14 May 2025 15:57:54 -0500 Subject: [PATCH 13/40] missing valueFrom --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 63906d1..56dc372 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -103,6 +103,7 @@ spec: - name: APP_LDAP_HOST value: 'activedirectory.acmuic.org' - name: APP_LDAP_BIND_DN + valueFrom: secretKeyRef: name: vaultwarden-admin-token key: ldap_user From 36aca00f8a9f06a6a64ae8fa86c90936f21c2ee0 Mon Sep 17 00:00:00 2001 From: Neko Date: Wed, 14 May 2025 16:07:44 -0500 Subject: [PATCH 14/40] disable TLS verify --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 56dc372..c30a30a 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml 
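Review bot: The sync container binds to `activedirectory.acmuic.org` with an AD account's credentials, but nothing sets `APP_LDAP_SSL` or a port, so unless the image's defaults differ from its documented ones the bind goes over plain LDAP on 389 and the bind password crosses the network in cleartext. Add `- name: APP_LDAP_SSL` / `  value: 'true'` (and the LDAPS port if the image does not switch it automatically) and keep certificate verification on. `APP_LDAP_BIND_DN` is also missing `valueFrom:`, so its `secretKeyRef` is not a valid env source and the variable will not be populated as written.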
@@ -95,6 +95,8 @@ spec: env: - name: APP_VAULTWARDEN_URL value: 'https://bitwarden.acmuic.org' + - name: APP_LDAP_NO_TLS_VERIFY + value: 'false' - name: APP_VAULTWARDEN_ADMIN_TOKEN valueFrom: secretKeyRef: From 6fa194e3b129f1e614f6a653b455249c33d452e5 Mon Sep 17 00:00:00 2001 From: Neko Date: Wed, 14 May 2025 16:24:18 -0500 Subject: [PATCH 15/40] use localhost to prevent SSL --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index c30a30a..b8daa82 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -94,9 +94,7 @@ spec: image: vividboarder/vaultwarden_ldap:latest env: - name: APP_VAULTWARDEN_URL - value: 'https://bitwarden.acmuic.org' - - name: APP_LDAP_NO_TLS_VERIFY - value: 'false' + value: 'http://localhost' - name: APP_VAULTWARDEN_ADMIN_TOKEN valueFrom: secretKeyRef: From 4c4a593e6cc131ab397859c6e8cadd7315e4f79f Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 16:43:49 -0500 Subject: [PATCH 16/40] use internal dns domain --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index b8daa82..0397bcc 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -94,7 +94,7 @@ spec: image: vividboarder/vaultwarden_ldap:latest env: - name: APP_VAULTWARDEN_URL - value: 'http://localhost' + value: 'https://vaultwarden.vaultwarden.svc.cluster.local' - name: APP_VAULTWARDEN_ADMIN_TOKEN valueFrom: secretKeyRef: From 039fc01dd19a30964eadb998c8719554d497a177 Mon Sep 17 00:00:00 2001 
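Review bot: The subject says "disable TLS verify" but the added value is `'false'`, which, as far as I know, leaves verification at its default, so the commit is a no-op; the message and the value should agree. If the intent was to work around the self-signed directory certificate, flipping this to `'true'` would remove the only check on the LDAP server's identity, and handing the sync container the CA bundle is the fix that keeps the bind password protected.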
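Review bot: `https://vaultwarden.vaultwarden.svc.cluster.local` cannot work as written: the Service only exposes port 80 as plain HTTP via `targetPort: http` and nothing terminates TLS at the Service, so the sidecar's admin-API calls will fail the handshake. The previous `http://localhost` was also the smaller exposure — the sidecar shares the pod's network namespace, so the admin token never leaves the pod, whereas the Service route carries it across the cluster network.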
From: Neko Date: Thu, 15 May 2025 17:05:16 -0500 Subject: [PATCH 17/40] use annotations instead of VaultStaticSecret --- .../argocd/stacks/vaultwarden/vaultwarden.yml | 44 +++++-------------- 1 file changed, 10 insertions(+), 34 deletions(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 0397bcc..72f0226 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -66,6 +66,16 @@ spec: template: metadata: annotations: + vault.hashicorp.com/agent-inject: 'true' + vault.hashicorp.com/role: 'vaultwarden' + vault.hashicorp.com/agent-inject-secret-config: 'kv/vaultwarden' + vault.hashicorp.com/agent-inject-template-config: | + {{- with secret 'kv/vaultwarden' -}} + export ADMIN_TOKEN='{{ .Data.data.admin_token }}' + export APP_VAULTWARDEN_ADMIN_TOKEN='{{ .Data.data.admin_token }}' + export APP_LDAP_BIND_DN='{{ .Data.data.ldap_user }}' + export APP_LDAP_BIND_PASSWORD='{{ .Data.data.ldap_password }}' + {{- end }} labels: app.kubernetes.io/name: vaultwarden spec: @@ -79,11 +89,6 @@ spec: env: - name: DOMAIN value: 'https://bitwarden.acmuic.org' - - name: ADMIN_TOKEN - valueFrom: - secretKeyRef: - name: vaultwarden-admin-token - key: admin_token ports: - containerPort: 80 name: http @@ -95,23 +100,8 @@ spec: env: - name: APP_VAULTWARDEN_URL value: 'https://vaultwarden.vaultwarden.svc.cluster.local' - - name: APP_VAULTWARDEN_ADMIN_TOKEN - valueFrom: - secretKeyRef: - name: vaultwarden-admin-token - key: admin_token - name: APP_LDAP_HOST value: 'activedirectory.acmuic.org' - - name: APP_LDAP_BIND_DN - valueFrom: - secretKeyRef: - name: vaultwarden-admin-token - key: ldap_user - - name: APP_LDAP_BIND_PASSWORD - valueFrom: - secretKeyRef: - name: vaultwarden-admin-token - key: ldap_password - name: APP_LDAP_SEARCH_BASE_DN value: 'dc=acmuic,dc=org' - name: APP_LDAP_SEARCH_FILTER 
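Review bot: The injected template renders `export ...` lines into `/vault/secrets/config`, but after this commit neither container sources that file (the `env` entries are removed in the two hunks that follow), so Vaultwarden starts with no `ADMIN_TOKEN` and the sync container with no credentials at all. Two things to check on the template itself: `secret 'kv/vaultwarden'` reads a KV-v2 mount (the `.Data.data` access shows that), and the agent's `secret` function normally needs the API path `kv/data/vaultwarden` for KV-v2; and the values are wrapped in single shell quotes, so any secret containing `'` breaks the file when it is sourced — either constrain the secret alphabet or escape the quote in the template. A short comment above `agent-inject-template-config` naming the file path and which container is expected to source it would make the wiring visible.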
@@ -138,20 +128,6 @@ spec: role: vaultwarden serviceAccount: vaultwarden --- -apiVersion: secrets.hashicorp.com/v1beta1 -kind: VaultStaticSecret -metadata: - name: vaultwarden-admin-token - namespace: vaultwarden -spec: - vaultAuthRef: vaultwarden-vault-static-auth - type: kv-v2 - mount: kv - path: vaultwarden - destination: - name: vaultwarden-admin-token - create: true ---- apiVersion: v1 kind: Service metadata: From 86557aa76fc5c2af3bb04762aa943fbfe79a1d5b Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 17:34:56 -0500 Subject: [PATCH 18/40] source injected template before running --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 72f0226..31e2f3a 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -86,6 +86,11 @@ spec: containers: - name: vaultwarden image: vaultwarden/server:latest + command: + - 'sh' + - '-c' + args: + - 'source /vault/secrets/config && ./start.sh' env: - name: DOMAIN value: 'https://bitwarden.acmuic.org' From 1f6d0456c112142efb2a94e7f115ab4579237f87 Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 17:44:44 -0500 Subject: [PATCH 19/40] pass self-signed CA to agent --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 31e2f3a..64cf5e7 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml 
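Review bot: `source` is a bash builtin; the Vaultwarden image's `/bin/sh` is, as far as I know, dash, which only understands the POSIX form, so the command exits with "source: not found" before `./start.sh` ever runs. `- '. /vault/secrets/config && ./start.sh'` is the portable spelling, and an absolute `/start.sh` avoids depending on the image's working directory. Overriding the image entrypoint also means future image changes to the start command are silently bypassed, which is worth a comment above `command:`.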
@@ -67,8 +67,10 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: 'true' + vault.hashicorp.com/tls-secret: 'vaultwarden-tls' vault.hashicorp.com/role: 'vaultwarden' vault.hashicorp.com/agent-inject-secret-config: 'kv/vaultwarden' + vault.hashicorp.com/ca-cirt: '/vault/tls/ca.crt' vault.hashicorp.com/agent-inject-template-config: | {{- with secret 'kv/vaultwarden' -}} export ADMIN_TOKEN='{{ .Data.data.admin_token }}' From 7a22254c85f9c444b3953d5dd11a7683f77dfec5 Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 17:46:52 -0500 Subject: [PATCH 20/40] typo --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 64cf5e7..b5b3e9d 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -70,7 +70,7 @@ spec: vault.hashicorp.com/tls-secret: 'vaultwarden-tls' vault.hashicorp.com/role: 'vaultwarden' vault.hashicorp.com/agent-inject-secret-config: 'kv/vaultwarden' - vault.hashicorp.com/ca-cirt: '/vault/tls/ca.crt' + vault.hashicorp.com/ca-cert: '/vault/tls/ca.crt' vault.hashicorp.com/agent-inject-template-config: | {{- with secret 'kv/vaultwarden' -}} export ADMIN_TOKEN='{{ .Data.data.admin_token }}' From 291b5a966468bbf749925cba1df93b50d9a7e3d8 Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 17:52:47 -0500 Subject: [PATCH 21/40] Revert "typo" This reverts commit 7a22254c85f9c444b3953d5dd11a7683f77dfec5. --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index b5b3e9d..64cf5e7 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml 
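Review bot: `vault.hashicorp.com/ca-cirt` is not an annotation the injector recognises, and unknown annotations are ignored rather than rejected, so the agent still has no CA configured and the TLS failure this commit targets persists silently; the key is `vault.hashicorp.com/ca-cert`. Pointing `tls-secret` at the application's own `vaultwarden-tls` secret also ties Vault access to cert-manager populating a `ca.crt` key in that secret, which only happens for some issuers, and it mounts the app's private key into the agent sidecar; a dedicated secret holding only the CA bundle is clearer and narrower.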
@@ -70,7 +70,7 @@ spec: vault.hashicorp.com/tls-secret: 'vaultwarden-tls' vault.hashicorp.com/role: 'vaultwarden' vault.hashicorp.com/agent-inject-secret-config: 'kv/vaultwarden' - vault.hashicorp.com/ca-cert: '/vault/tls/ca.crt' + vault.hashicorp.com/ca-cirt: '/vault/tls/ca.crt' vault.hashicorp.com/agent-inject-template-config: | {{- with secret 'kv/vaultwarden' -}} export ADMIN_TOKEN='{{ .Data.data.admin_token }}' From 146603b8ab6f0f969be0ce44b0af2e38117f23df Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 17:52:50 -0500 Subject: [PATCH 22/40] Revert "pass self-signed CA to agent" This reverts commit 1f6d0456c112142efb2a94e7f115ab4579237f87. --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 64cf5e7..31e2f3a 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -67,10 +67,8 @@ spec: metadata: annotations: vault.hashicorp.com/agent-inject: 'true' - vault.hashicorp.com/tls-secret: 'vaultwarden-tls' vault.hashicorp.com/role: 'vaultwarden' vault.hashicorp.com/agent-inject-secret-config: 'kv/vaultwarden' - vault.hashicorp.com/ca-cirt: '/vault/tls/ca.crt' vault.hashicorp.com/agent-inject-template-config: | {{- with secret 'kv/vaultwarden' -}} export ADMIN_TOKEN='{{ .Data.data.admin_token }}' From 4de57c6ed1c3395a8bed1e06db3cb548394bd331 Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 17:52:52 -0500 Subject: [PATCH 23/40] Revert "source injected template before running" This reverts commit 86557aa76fc5c2af3bb04762aa943fbfe79a1d5b. --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 31e2f3a..72f0226 100644 
--- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -86,11 +86,6 @@ spec: containers: - name: vaultwarden image: vaultwarden/server:latest - command: - - 'sh' - - '-c' - args: - - 'source /vault/secrets/config && ./start.sh' env: - name: DOMAIN value: 'https://bitwarden.acmuic.org' From 0d07c3227c13d1f9fe90e7dd0012c4965f39a8b4 Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 17:52:53 -0500 Subject: [PATCH 24/40] Revert "use annotations instead of VaultStaticSecret" This reverts commit 039fc01dd19a30964eadb998c8719554d497a177. --- .../argocd/stacks/vaultwarden/vaultwarden.yml | 44 ++++++++++++++----- 1 file changed, 34 insertions(+), 10 deletions(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 72f0226..0397bcc 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -66,16 +66,6 @@ spec: template: metadata: annotations: - vault.hashicorp.com/agent-inject: 'true' - vault.hashicorp.com/role: 'vaultwarden' - vault.hashicorp.com/agent-inject-secret-config: 'kv/vaultwarden' - vault.hashicorp.com/agent-inject-template-config: | - {{- with secret 'kv/vaultwarden' -}} - export ADMIN_TOKEN='{{ .Data.data.admin_token }}' - export APP_VAULTWARDEN_ADMIN_TOKEN='{{ .Data.data.admin_token }}' - export APP_LDAP_BIND_DN='{{ .Data.data.ldap_user }}' - export APP_LDAP_BIND_PASSWORD='{{ .Data.data.ldap_password }}' - {{- end }} labels: app.kubernetes.io/name: vaultwarden spec: @@ -89,6 +79,11 @@ spec: env: - name: DOMAIN value: 'https://bitwarden.acmuic.org' + - name: ADMIN_TOKEN + valueFrom: + secretKeyRef: + name: vaultwarden-admin-token + key: admin_token ports: - containerPort: 80 name: http 
@@ -100,8 +95,23 @@ spec: env: - name: APP_VAULTWARDEN_URL value: 'https://vaultwarden.vaultwarden.svc.cluster.local' + - name: APP_VAULTWARDEN_ADMIN_TOKEN + valueFrom: + secretKeyRef: + name: vaultwarden-admin-token + key: admin_token - name: APP_LDAP_HOST value: 'activedirectory.acmuic.org' + - name: APP_LDAP_BIND_DN + valueFrom: + secretKeyRef: + name: vaultwarden-admin-token + key: ldap_user + - name: APP_LDAP_BIND_PASSWORD + valueFrom: + secretKeyRef: + name: vaultwarden-admin-token + key: ldap_password - name: APP_LDAP_SEARCH_BASE_DN value: 'dc=acmuic,dc=org' - name: APP_LDAP_SEARCH_FILTER @@ -128,6 +138,20 @@ spec: role: vaultwarden serviceAccount: vaultwarden --- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: vaultwarden-admin-token + namespace: vaultwarden +spec: + vaultAuthRef: vaultwarden-vault-static-auth + type: kv-v2 + mount: kv + path: vaultwarden + destination: + name: vaultwarden-admin-token + create: true +--- apiVersion: v1 kind: Service metadata: From f27dfdf53af5c2125e0fa04ef7ea1244cd78e58c Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 17:56:35 -0500 Subject: [PATCH 25/40] base64 decode ldap creds --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 0397bcc..3fe30d3 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -151,6 +151,12 @@ spec: destination: name: vaultwarden-admin-token create: true + transformation: + templates: + ldap_user: + text: '{{- get .Secrets "ldap_user" | b64dec -}}' + ldap_password: + text: '{{- get .Secrets "ldap_password" | b64dec -}}' --- apiVersion: v1 kind: Service From 5dab868e6bb6d8c64b60ab14de4a695c639fb6ff Mon Sep 17 00:00:00 2001 
From: Neko Date: Thu, 15 May 2025 17:57:24 -0500 Subject: [PATCH 26/40] templateSpecs not templates --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 3fe30d3..eef358f 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -152,7 +152,7 @@ spec: name: vaultwarden-admin-token create: true transformation: - templates: + templateSpecs: ldap_user: text: '{{- get .Secrets "ldap_user" | b64dec -}}' ldap_password: From 50a0e6b7d8f16381465077f7bc8cad020f712c1c Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 18:02:15 -0500 Subject: [PATCH 27/40] decode ADMIN_TOKEN --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index eef358f..8a39a6e 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -153,6 +153,8 @@ spec: create: true transformation: templateSpecs: + admin_token: + text: '{{- get .Secrets "admin_token" | b64dec -}}' ldap_user: text: '{{- get .Secrets "ldap_user" | b64dec -}}' ldap_password: From 23403216c9bd22bc1d79114667097f8f8103c2b5 Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 18:04:21 -0500 Subject: [PATCH 28/40] Revert "decode ADMIN_TOKEN" This reverts commit 50a0e6b7d8f16381465077f7bc8cad020f712c1c. --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 8a39a6e..eef358f 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml 
+++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -153,8 +153,6 @@ spec: create: true transformation: templateSpecs: - admin_token: - text: '{{- get .Secrets "admin_token" | b64dec -}}' ldap_user: text: '{{- get .Secrets "ldap_user" | b64dec -}}' ldap_password: From a8f77a9a7c4eeb41ba69cc5180275461b9c9f635 Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 18:04:57 -0500 Subject: [PATCH 29/40] http not https --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index eef358f..61c66c3 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -94,7 +94,7 @@ spec: image: vividboarder/vaultwarden_ldap:latest env: - name: APP_VAULTWARDEN_URL - value: 'https://vaultwarden.vaultwarden.svc.cluster.local' + value: 'http://vaultwarden.vaultwarden.svc.cluster.local' - name: APP_VAULTWARDEN_ADMIN_TOKEN valueFrom: secretKeyRef: From 6b796e421af4d8b5ddc9c8bd57dcfa309943ec4d Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 18:10:15 -0500 Subject: [PATCH 30/40] Revert "templateSpecs not templates" This reverts commit 5dab868e6bb6d8c64b60ab14de4a695c639fb6ff. --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 61c66c3..9bb1514 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -152,7 +152,7 @@ spec: name: vaultwarden-admin-token create: true transformation: - templateSpecs: + templates: ldap_user: text: '{{- get .Secrets "ldap_user" | b64dec -}}' ldap_password: From 4a2db87ffe58736442d3e0031e157e6131333098 Mon Sep 17 00:00:00 2001 
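Review bot: `http://vaultwarden.vaultwarden.svc.cluster.local` fixes the handshake failure of the https form, but it now sends the Vaultwarden admin token over plaintext HTTP across the cluster network on every sync, whereas `http://localhost` keeps it on loopback because the sidecar shares the pod's network namespace. Unless there is a reason the pod-local address was abandoned, `value: 'http://localhost'` is the smaller exposure; if a NetworkPolicy or mTLS mesh already covers the Service route, a comment above `APP_VAULTWARDEN_URL` saying so would settle it.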
From: Neko Date: Thu, 15 May 2025 18:10:29 -0500 Subject: [PATCH 31/40] Revert "base64 decode ldap creds" This reverts commit f27dfdf53af5c2125e0fa04ef7ea1244cd78e58c. --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 9bb1514..ff778a1 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -151,12 +151,6 @@ spec: destination: name: vaultwarden-admin-token create: true - transformation: - templates: - ldap_user: - text: '{{- get .Secrets "ldap_user" | b64dec -}}' - ldap_password: - text: '{{- get .Secrets "ldap_password" | b64dec -}}' --- apiVersion: v1 kind: Service From f8b24fd87e4a905872b3cad247f104aea70203eb Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 18:12:18 -0500 Subject: [PATCH 32/40] case insensitive? --- .../argocd/stacks/vaultwarden/vaultwarden.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index ff778a1..0e3b5c0 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml 
@@ -93,30 +93,30 @@ spec: - name: vaultwarden-ldap image: vividboarder/vaultwarden_ldap:latest env: - - name: APP_VAULTWARDEN_URL + - name: APP_vaultwarden_url value: 'http://vaultwarden.vaultwarden.svc.cluster.local' - - name: APP_VAULTWARDEN_ADMIN_TOKEN + - name: APP_vaultwarden_admin_token valueFrom: secretKeyRef: name: vaultwarden-admin-token key: admin_token - - name: APP_LDAP_HOST + - name: APP_ldap_host value: 'activedirectory.acmuic.org' - - name: APP_LDAP_BIND_DN + - name: APP_ldap_bind_dn valueFrom: secretKeyRef: name: vaultwarden-admin-token key: ldap_user - - name: APP_LDAP_BIND_PASSWORD + - name: APP_ldap_bind_password valueFrom: secretKeyRef: name: vaultwarden-admin-token key: ldap_password - - name: APP_LDAP_SEARCH_BASE_DN + - name: APP_ldap_search_base_dn value: 'dc=acmuic,dc=org' - - name: APP_LDAP_SEARCH_FILTER + - name: APP_ldap_search_filter value: 'memberOf=CN=ACMLANAdmins,OU=ACMGroups,DC=acmuic,DC=org' - - name: APP_LDAP_MAIL_FIELD + - name: APP_ldap_mail_filter value: 'userPrincipalName' --- apiVersion: v1 From 5ab64628e3842adc938651ea0425f317c08b8e11 Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 18:13:39 -0500 Subject: [PATCH 33/40] field not filter --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 0e3b5c0..fbcce9b 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -116,7 +116,7 @@ spec: value: 'dc=acmuic,dc=org' - name: APP_ldap_search_filter value: 'memberOf=CN=ACMLANAdmins,OU=ACMGroups,DC=acmuic,DC=org' - - name: APP_ldap_mail_filter + - name: APP_ldap_mail_field value: 'userPrincipalName' --- apiVersion: v1 From 4be4e352ff1a5084a7e418c875b8b6ac8becf0dc Mon Sep 17 00:00:00 2001 
From: Neko Date: Thu, 15 May 2025 18:25:26 -0500 Subject: [PATCH 34/40] Revert "field not filter" This reverts commit 5ab64628e3842adc938651ea0425f317c08b8e11. --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index fbcce9b..0e3b5c0 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -116,7 +116,7 @@ spec: value: 'dc=acmuic,dc=org' - name: APP_ldap_search_filter value: 'memberOf=CN=ACMLANAdmins,OU=ACMGroups,DC=acmuic,DC=org' - - name: APP_ldap_mail_field + - name: APP_ldap_mail_filter value: 'userPrincipalName' --- apiVersion: v1 From ff7542f99f178432dea629d04bc573d47761aa1a Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 18:25:27 -0500 Subject: [PATCH 35/40] Revert "case insensitive?" This reverts commit f8b24fd87e4a905872b3cad247f104aea70203eb. --- .../argocd/stacks/vaultwarden/vaultwarden.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 0e3b5c0..ff778a1 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml 
@@ -93,30 +93,30 @@ spec: - name: vaultwarden-ldap image: vividboarder/vaultwarden_ldap:latest env: - - name: APP_vaultwarden_url + - name: APP_VAULTWARDEN_URL value: 'http://vaultwarden.vaultwarden.svc.cluster.local' - - name: APP_vaultwarden_admin_token + - name: APP_VAULTWARDEN_ADMIN_TOKEN valueFrom: secretKeyRef: name: vaultwarden-admin-token key: admin_token - - name: APP_ldap_host + - name: APP_LDAP_HOST value: 'activedirectory.acmuic.org' - - name: APP_ldap_bind_dn + - name: APP_LDAP_BIND_DN valueFrom: secretKeyRef: name: vaultwarden-admin-token key: ldap_user - - name: APP_ldap_bind_password + - name: APP_LDAP_BIND_PASSWORD valueFrom: secretKeyRef: name: vaultwarden-admin-token key: ldap_password - - name: APP_ldap_search_base_dn + - name: APP_LDAP_SEARCH_BASE_DN value: 'dc=acmuic,dc=org' - - name: APP_ldap_search_filter + - name: APP_LDAP_SEARCH_FILTER value: 'memberOf=CN=ACMLANAdmins,OU=ACMGroups,DC=acmuic,DC=org' - - name: APP_ldap_mail_filter + - name: APP_LDAP_MAIL_FIELD value: 'userPrincipalName' --- apiVersion: v1 From a519475a18751c8b0017d1bc907c2e329bdeadda Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 18:34:21 -0500 Subject: [PATCH 36/40] use SSL --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index ff778a1..c4d2200 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -102,6 +102,8 @@ spec: key: admin_token - name: APP_LDAP_HOST value: 'activedirectory.acmuic.org' + - name: APP_LDAP_SSL + value: 'true' - name: APP_LDAP_BIND_DN valueFrom: secretKeyRef: From 67954f25443ae64cc6679e18d294792f52d650ab Mon Sep 17 00:00:00 2001 
From: Neko Date: Thu, 15 May 2025 18:40:02 -0500 Subject: [PATCH 37/40] no tls verify --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index c4d2200..17e5101 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -104,6 +104,8 @@ spec: value: 'activedirectory.acmuic.org' - name: APP_LDAP_SSL value: 'true' + - name: APP_LDAP_NO_TLS_VERIFY + value: 'true' - name: APP_LDAP_BIND_DN valueFrom: secretKeyRef: From 59ba113315aefa33015bd2fc1f4227eca70791d4 Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 15 May 2025 18:42:03 -0500 Subject: [PATCH 38/40] fix search filter --- kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index 17e5101..e9fdafd 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml +++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -119,7 +119,7 @@ spec: - name: APP_LDAP_SEARCH_BASE_DN value: 'dc=acmuic,dc=org' - name: APP_LDAP_SEARCH_FILTER - value: 'memberOf=CN=ACMLANAdmins,OU=ACMGroups,DC=acmuic,DC=org' + value: '(&(objectClass=*)(sAMAccountName=*))' - name: APP_LDAP_MAIL_FIELD value: 'userPrincipalName' --- From 293fc21d5a702eb6484201c22a4fb55ac73932e1 Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 29 May 2025 20:56:46 -0500 Subject: [PATCH 39/40] give up on vaultwarden-ldap --- .../argocd/stacks/vaultwarden/vaultwarden.yml | 32 ------------------- 1 file changed, 32 deletions(-) diff --git a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml index e9fdafd..5a93b29 100644 --- a/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml 
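Review bot: `APP_LDAP_NO_TLS_VERIFY: 'true'` cancels most of what the `APP_LDAP_SSL` line just above buys: the LDAPS session to `activedirectory.acmuic.org` will accept any certificate, so the bind DN and password read from `vaultwarden-admin-token` are no longer protected against a host answering for that name between the pod and AD. If the AD certificate comes from an internal CA, the durable fix is to mount that CA certificate into the sidecar's trust store (e.g. a ConfigMap volume) and remove this variable rather than disable verification. If it must stay while debugging, mark it so it does not outlive the experiment: `# TODO: temporary — trust the internal AD CA instead of skipping verification`. The container spec continues outside the hunk.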
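Review bot: The new `APP_LDAP_SEARCH_FILTER` value `(&(objectClass=*)(sAMAccountName=*))` matches every account under `dc=acmuic,dc=org`, so the sync will invite all directory users rather than the ACMLANAdmins members the previous value targeted; `(objectClass=*)` is also a no-op inside the `&`. The earlier value most likely failed only because an LDAP filter must be enclosed in parentheses, so `'(memberOf=CN=ACMLANAdmins,OU=ACMGroups,DC=acmuic,DC=org)'` probably restores the intended scope (hedged: the sidecar's error output is not visible here). If broadening to all users is intentional, a comment above the value saying so would keep a future reader from narrowing it back.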
+++ b/kubernetes/argocd/stacks/vaultwarden/vaultwarden.yml @@ -90,38 +90,6 @@ spec: volumeMounts: - name: vaultwarden-data mountPath: /data - - name: vaultwarden-ldap - image: vividboarder/vaultwarden_ldap:latest - env: - - name: APP_VAULTWARDEN_URL - value: 'http://vaultwarden.vaultwarden.svc.cluster.local' - - name: APP_VAULTWARDEN_ADMIN_TOKEN - valueFrom: - secretKeyRef: - name: vaultwarden-admin-token - key: admin_token - - name: APP_LDAP_HOST - value: 'activedirectory.acmuic.org' - - name: APP_LDAP_SSL - value: 'true' - - name: APP_LDAP_NO_TLS_VERIFY - value: 'true' - - name: APP_LDAP_BIND_DN - valueFrom: - secretKeyRef: - name: vaultwarden-admin-token - key: ldap_user - - name: APP_LDAP_BIND_PASSWORD - valueFrom: - secretKeyRef: - name: vaultwarden-admin-token - key: ldap_password - - name: APP_LDAP_SEARCH_BASE_DN - value: 'dc=acmuic,dc=org' - - name: APP_LDAP_SEARCH_FILTER - value: '(&(objectClass=*)(sAMAccountName=*))' - - name: APP_LDAP_MAIL_FIELD - value: 'userPrincipalName' --- apiVersion: v1 kind: ServiceAccount From ad732ea481ff7d0959f538c6da15ad9bb2660d8e Mon Sep 17 00:00:00 2001 From: Neko Date: Thu, 29 May 2025 21:02:21 -0500 Subject: [PATCH 40/40] switch branch to main --- kubernetes/argocd/stacks/common/vaultwarden.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/argocd/stacks/common/vaultwarden.yml b/kubernetes/argocd/stacks/common/vaultwarden.yml index 3e24385..bb2dd5f 100644 --- a/kubernetes/argocd/stacks/common/vaultwarden.yml +++ b/kubernetes/argocd/stacks/common/vaultwarden.yml @@ -11,8 +11,8 @@ spec: server: 'https://kubernetes.default.svc' sources: - path: kubernetes/argocd/stacks/vaultwarden - repoURL: 'https://github.com/lowpolyneko/IaC' - targetRevision: feature/vaultwarden + repoURL: 'git@github.com:acm-uic/IaC.git' + targetRevision: HEAD directory: recurse: true include: '*.yml'
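Review bot: The commit is titled "switch branch to main" but the new `targetRevision: HEAD` tracks whatever the remote's default branch is rather than `main` by name; `targetRevision: main` states the intent and will not silently move if the default branch is ever changed. The repoURL also moves from the https form to `git@github.com:acm-uic/IaC.git`, which presumably needs an SSH repository credential configured in Argo CD for this repo, so that is worth confirming before the Application syncs. The Application spec continues outside the hunk.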