switch from kustomize plugin to external-secret

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "plugins"]
-	path = plugins
-	url = https://github.com/badjware/kustomize-plugins

kustomize/bases/drone-server/drone-server-externalsecret.yaml

@@ -0,0 +1,35 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: drone-secret
+spec:
+  secretStoreRef:
+    name: aws-parameters-store
+    kind: ClusterSecretStore
+  target:
+    name: drone-secret
+  data:
+    - secretKey: rpc_secret
+      remoteRef:
+        key: /k3s/prod/drone/gitea/rpc_secret
+    - secretKey: database_secret
+      remoteRef:
+        key: /k3s/prod/drone/gitea/database_secret
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: drone-gitea-oauth-secret
+spec:
+  secretStoreRef:
+    name: aws-parameters-store
+    kind: ClusterSecretStore
+  target:
+    name: drone-gitea-oauth-secret
+  data:
+    - secretKey: client_id
+      remoteRef:
+        key: /k3s/prod/drone/gitea/client_id
+    - secretKey: client_secret
+      remoteRef:
+        key: /k3s/prod/drone/gitea/client_secret

kustomize/bases/drone-server/kustomization.yaml

@@ -1,19 +1,8 @@
 resources:
   - drone-server-deployment.yaml
   - drone-server-ingress.yaml
+  - drone-server-externalsecret.yaml
 
 commonLabels:
   app.kubernetes.io/name: drone
   app.kubernetes.io/component: server
-
-secretGenerator:
-  - name: drone-secret
-    type: Opaque
-    literals:
-      - rpc_secret=changeme
-      - database_secret=changeme
-  - name: drone-gitea-oauth-secret
-    type: Opaque
-    literals:
-      - client_id=changeme
-      - client_secret=changeme

kustomize/bases/grafana-agent/grafana-agent-externalsecret.yaml

@@ -0,0 +1,14 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: grafana-agent
+spec:
+  secretStoreRef:
+    name: aws-parameters-store
+    kind: ClusterSecretStore
+  target:
+    name: grafana-agent
+  data:
+    - secretKey: agent.yaml
+      remoteRef:
+        key: /k3s/prod/grafana-agent/config

kustomize/bases/grafana-agent/kustomization.yaml

@@ -1,16 +1,11 @@
 resources:
   - https://raw.githubusercontent.com/grafana/agent/v0.24.2/production/kubernetes/agent-bare.yaml
+  - grafana-agent-externalsecret.yaml
 
 commonLabels:
   app.kubernetes.io/name: grafana-agent
   app.kubernetes.io/part-of: monitoring
 
-secretGenerator:
-  - name: grafana-agent
-    behavior: create
-    literals:
-      - agent.yaml=
-
 patchesJson6902:
   - target:
       version: v1

kustomize/bases/grafana/grafana-externalsecret.yaml

@@ -0,0 +1,14 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: grafana-config
+spec:
+  secretStoreRef:
+    name: aws-parameters-store
+    kind: ClusterSecretStore
+  target:
+    name: grafana-config
+  data:
+    - secretKey: custom.ini
+      remoteRef:
+        key: /k3s/prod/grafana/config

kustomize/bases/grafana/kustomization.yaml

@@ -1,6 +1,7 @@
 resources:
   - grafana-deployment.yaml
   - grafana-ingress.yaml
+  - grafana-externalsecret.yaml
 
 commonLabels:
   app.kubernetes.io/name: grafana
@@ -11,12 +12,6 @@ configMapGenerator:
     files:
       - datasources.yaml=provision/datasources.yaml
 
-secretGenerator:
-  - name: grafana-config
-    type: Opaque
-    literals:
-      - custom.ini=
-
 # secretGenerator:
 #   - name: postgres-credentials
 #     type: Opaque

kustomize/bases/longhorn/kustomization.yaml

@@ -2,17 +2,7 @@ resources:
   - longhorn-namespace.yaml
   - longhorn-helmchart.yaml
   - longhorn-recurringjob.yaml
+  - longhorn-externalsecret.yaml
 
 commonLabels:
   app.kubernetes.io/name: longhorn
-
-secretGenerator:
-  - name: s3-backupstore-credentials
-    type: Opaque
-    namespace: longhorn-system
-    literals:
-      - AWS_ACCESS_KEY_ID=changeme
-      - AWS_SECRET_ACCESS_KEY=changeme
-
-generatorOptions:
-  disableNameSuffixHash: true

kustomize/bases/longhorn/longhorn-externalsecret.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: s3-backupstore-credentials
+  namespace: longhorn-system
+spec:
+  secretStoreRef:
+    name: aws-parameters-store
+    kind: ClusterSecretStore
+  target:
+    name: s3-backupstore-credentials
+  data:
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        key: /k3s/prod/longhorn/s3_access_key_id
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        key: /k3s/prod/longhorn/s3_secret_access_key
+    - secretKey: AWS_ENDPOINTS
+      remoteRef:
+        key: /k3s/prod/longhorn/s3_endpoint

kustomize/bases/nextcloud/kustomization.yaml

@@ -6,3 +6,31 @@ resources:
 
 commonLabels:
   app.kubernetes.io/name: nextcloud
+
+patchesStrategicMerge:
+  - |-
+    apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+      name: postgres-credentials
+    spec:
+      data:
+        - secretKey: database
+          remoteRef:
+            key: /k3s/prod/nextcloud/postgres/database
+        - secretKey: username
+          remoteRef:
+            key: /k3s/prod/nextcloud/postgres/username
+        - secretKey: password
+          remoteRef:
+            key: /k3s/prod/nextcloud/postgres/password
+  - |-
+    apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+      name: redis-credentials
+    spec:
+      data:
+        - secretKey: password
+          remoteRef:
+            key: /k3s/prod/nextcloud/redis/password

kustomize/bases/postgres/kustomization.yaml

@@ -1,14 +1,6 @@
 resources:
   - postgres-statefulset.yaml
+  - postgres-externalsecret.yaml
 
 commonLabels:
   app.kubernetes.io/component: postgres
-
-secretGenerator:
-  - name: postgres-credentials
-    type: Opaque
-    behavior: create
-    literals:
-      - database=changeme
-      - username=changeme
-      - password=changeme

kustomize/bases/postgres/postgres-externalsecret.yaml

@@ -0,0 +1,20 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: postgres-credentials
+spec:
+  secretStoreRef:
+    name: aws-parameters-store
+    kind: ClusterSecretStore
+  target:
+    name: postgres-credentials
+  data:
+    - secretKey: database
+      remoteRef:
+        key: changeme
+    - secretKey: username
+      remoteRef:
+        key: changeme
+    - secretKey: password
+      remoteRef:
+        key: changeme

kustomize/bases/redis/kustomization.yaml

@@ -1,12 +1,6 @@
 resources:
   - redis-deployment.yaml
+  - redis-externalsecret.yaml
 
 commonLabels:
   app.kubernetes.io/component: redis
-
-secretGenerator:
-  - name: redis-credentials
-    type: Opaque
-    behavior: create
-    literals:
-      - password=changeme

kustomize/bases/redis/redis-externalsecret.yaml

@@ -0,0 +1,14 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: redis-credentials
+spec:
+  secretStoreRef:
+    name: aws-parameters-store
+    kind: ClusterSecretStore
+  target:
+    name: redis-credentials
+  data:
+    - secretKey: password
+      remoteRef:
+        key: changeme

kustomize/overlays/prod-cluster/kustomization.yaml

@@ -8,9 +8,6 @@ buildMetadata:
 commonLabels:
   app.kubernetes.io/managed-by: kustomize-cluster
 
-transformers:
-  - transformers/ssm-secrets.yaml
-
 configMapGenerator:
   - name: cluster-replacements
     namespace: default
@@ -18,16 +15,6 @@ configMapGenerator:
       - TRAEFIK_EXTERNAL_HOST=traefik.badjnet.home
       - LONGHORN_EXTERNAL_HOST=longhorn.badjnet.home
 
-secretGenerator:
-  - name: s3-backupstore-credentials
-    type: Opaque
-    namespace: longhorn-system
-    behavior: replace
-    literals:
-      - AWS_ACCESS_KEY_ID=${ssm:/k3s/prod/longhorn/s3_access_key_id}
-      - AWS_SECRET_ACCESS_KEY=${ssm:/k3s/prod/longhorn/s3_secret_access_key}
-      - AWS_ENDPOINTS=https://s3.badjware.dev
-
 replacements:
   - source:
       kind: ConfigMap

kustomize/overlays/prod/configurations/grafana-agent/agent.yaml

@@ -1,88 +0,0 @@
-metrics:
-  wal_directory: /var/lib/agent/wal
-  global:
-    scrape_interval: 60s
-    external_labels:
-      cluster: cloud
-  # configs:
-  #   - name: integrations
-  #     remote_write:
-  #       - url: https://prometheus-prod-10-prod-us-central-0.grafana.net/api/prom/push
-  #         basic_auth:
-  #           username: 443422
-  #           password: ${ssm:/k3s/prod/monitoring/grafana-cloud/password}
-  #     scrape_configs:
-  #       - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-  #         job_name: integrations/kubernetes/cadvisor
-  #         kubernetes_sd_configs:
-  #           - role: node
-  #         metric_relabel_configs:
-  #           - source_labels: [__name__]
-  #             regex: namespace_memory:kube_pod_container_resource_requests:sum|kubelet_running_containers|container_cpu_usage_seconds_total|kube_pod_container_info|container_network_receive_packets_dropped_total|kube_pod_status_phase|kubelet_pod_start_duration_seconds_count|kubelet_cgroup_manager_duration_seconds_bucket|kube_horizontalpodautoscaler_status_desired_replicas|cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits|node_namespace_pod_container:container_memory_swap|kube_statefulset_status_replicas_ready|kube_horizontalpodautoscaler_spec_max_replicas|cluster:namespace:pod_memory:active:kube_pod_container_resource_requests|process_cpu_seconds_total|process_resident_memory_bytes|kubelet_server_expiration_renew_errors|kube_daemonset.*|container_fs_reads_total|machine_memory_bytes|kubelet_volume_stats_inodes_used|volume_manager_total_volumes|kube_statefulset_status_replicas|namespace_cpu:kube_pod_container_resource_limits:sum|kube_pod_container_resource_requests|kube_pod_container_resource_limits|kubelet_pod_worker_duration_seconds_count|namespace_workload_pod:kube_pod_owner:relabel|kubelet_cgroup_manager_duration_seconds_count|container_cpu_cfs_throttled_periods_total|kube_node_spec_taint|container_fs_reads_bytes_total|kubelet_certificate_manager_client_ttl_seconds|container_network_receive_bytes_total|kubelet_running_container_count|kube_daemonset_status_number_available|kube_node_status_allocatable|container_fs_writes_total|kube_namespace_status_phase|kubelet_volume_stats_available_bytes|kubelet_pleg_relist_duration_seconds_bucket|kubelet_runtime_operations_errors_total|kube_pod_container_status_waiting_reason|kube_replicaset_owner|kube_resourcequota|kube_pod_info|kubelet_pleg_relist_duration_seconds_count|kube_deployment_status_replicas_available|cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests|kubelet_running_pods|kube_statefulset_status_replicas_updated|kube_deployment_status_replicas_updated|kube_job_spec_completions|kube_daemonset_status_number_misscheduled|kubelet_certificate_manager_server_ttl_seconds|container_network_transmit_bytes_total|container_memory_cache|kubelet_volume_stats_capacity_bytes|node_namespace_pod_container:container_memory_cache|container_memory_rss|container_memory_swap|storage_operation_duration_seconds_count|kube_replicaset.*|kube_pod_owner|cluster:namespace:pod_memory:active:kube_pod_container_resource_limits|kubelet_volume_stats_inodes|kube_daemonset_status_desired_number_scheduled|kube_daemonset_status_updated_number_scheduled|kube_statefulset.*|kube_node_info|go_goroutines|kubelet_pod_worker_duration_seconds_bucket|kubelet_node_config_error|container_cpu_cfs_periods_total|kubelet_pleg_relist_interval_seconds_bucket|kube_job.*|container_network_receive_packets_total|container_fs_writes_bytes_total|kubelet_running_pod_count|kube_deployment_spec_replicas|up|kube_node_status_capacity|namespace_cpu:kube_pod_container_resource_requests:sum|node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate|container_memory_working_set_bytes|kubelet_node_name|node_namespace_pod_container:container_memory_rss|storage_operation_errors_total|kube_statefulset_metadata_generation|container_network_transmit_packets_total|kubelet_runtime_operations_total|kube_statefulset_status_observed_generation|kube_horizontalpodautoscaler_status_current_replicas|kubernetes_build_info|kubelet_certificate_manager_client_expiration_renew_errors|kube_job_failed|namespace_workload_pod|node_namespace_pod_container:container_memory_working_set_bytes|kube_statefulset_replicas|kube_deployment_status_observed_generation|kube_pod_container_status_restarts_total|kube_daemonset_status_current_number_scheduled|kube_pod_start_time|namespace_memory:kube_pod_container_resource_limits:sum|container_network_transmit_packets_dropped_total|rest_client_requests_total|kube_deployment_metadata_generation|kube_statefulset_status_update_revision|kube_job_status_succeeded|kube_horizontalpodautoscaler_spec_min_replicas|kube_statefulset_status_current_revision|node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile|kube_node_status_condition
-  #             action: keep
-  #         relabel_configs:
-  #           - replacement: kubernetes.default.svc.cluster.local:443
-  #             target_label: __address__
-  #           - regex: (.+)
-  #             replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
-  #             source_labels:
-  #               - __meta_kubernetes_node_name
-  #             target_label: __metrics_path__
-  #         scheme: https
-  #         tls_config:
-  #           ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-  #           insecure_skip_verify: false
-  #           server_name: kubernetes
-  #       - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-  #         job_name: integrations/kubernetes/kubelet
-  #         kubernetes_sd_configs:
-  #           - role: node
-  #         metric_relabel_configs:
-  #           - source_labels: [__name__]
-  #             regex: namespace_memory:kube_pod_container_resource_requests:sum|kubelet_running_containers|container_cpu_usage_seconds_total|kube_pod_container_info|container_network_receive_packets_dropped_total|kube_pod_status_phase|kubelet_pod_start_duration_seconds_count|kubelet_cgroup_manager_duration_seconds_bucket|kube_horizontalpodautoscaler_status_desired_replicas|cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits|node_namespace_pod_container:container_memory_swap|kube_statefulset_status_replicas_ready|kube_horizontalpodautoscaler_spec_max_replicas|cluster:namespace:pod_memory:active:kube_pod_container_resource_requests|process_cpu_seconds_total|process_resident_memory_bytes|kubelet_server_expiration_renew_errors|kube_daemonset.*|container_fs_reads_total|machine_memory_bytes|kubelet_volume_stats_inodes_used|volume_manager_total_volumes|kube_statefulset_status_replicas|namespace_cpu:kube_pod_container_resource_limits:sum|kube_pod_container_resource_requests|kube_pod_container_resource_limits|kubelet_pod_worker_duration_seconds_count|namespace_workload_pod:kube_pod_owner:relabel|kubelet_cgroup_manager_duration_seconds_count|container_cpu_cfs_throttled_periods_total|kube_node_spec_taint|container_fs_reads_bytes_total|kubelet_certificate_manager_client_ttl_seconds|container_network_receive_bytes_total|kubelet_running_container_count|kube_daemonset_status_number_available|kube_node_status_allocatable|container_fs_writes_total|kube_namespace_status_phase|kubelet_volume_stats_available_bytes|kubelet_pleg_relist_duration_seconds_bucket|kubelet_runtime_operations_errors_total|kube_pod_container_status_waiting_reason|kube_replicaset_owner|kube_resourcequota|kube_pod_info|kubelet_pleg_relist_duration_seconds_count|kube_deployment_status_replicas_available|cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests|kubelet_running_pods|kube_statefulset_status_replicas_updated|kube_deployment_status_replicas_updated|kube_job_spec_completions|kube_daemonset_status_number_misscheduled|kubelet_certificate_manager_server_ttl_seconds|container_network_transmit_bytes_total|container_memory_cache|kubelet_volume_stats_capacity_bytes|node_namespace_pod_container:container_memory_cache|container_memory_rss|container_memory_swap|storage_operation_duration_seconds_count|kube_replicaset.*|kube_pod_owner|cluster:namespace:pod_memory:active:kube_pod_container_resource_limits|kubelet_volume_stats_inodes|kube_daemonset_status_desired_number_scheduled|kube_daemonset_status_updated_number_scheduled|kube_statefulset.*|kube_node_info|go_goroutines|kubelet_pod_worker_duration_seconds_bucket|kubelet_node_config_error|container_cpu_cfs_periods_total|kubelet_pleg_relist_interval_seconds_bucket|kube_job.*|container_network_receive_packets_total|container_fs_writes_bytes_total|kubelet_running_pod_count|kube_deployment_spec_replicas|up|kube_node_status_capacity|namespace_cpu:kube_pod_container_resource_requests:sum|node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate|container_memory_working_set_bytes|kubelet_node_name|node_namespace_pod_container:container_memory_rss|storage_operation_errors_total|kube_statefulset_metadata_generation|container_network_transmit_packets_total|kubelet_runtime_operations_total|kube_statefulset_status_observed_generation|kube_horizontalpodautoscaler_status_current_replicas|kubernetes_build_info|kubelet_certificate_manager_client_expiration_renew_errors|kube_job_failed|namespace_workload_pod|node_namespace_pod_container:container_memory_working_set_bytes|kube_statefulset_replicas|kube_deployment_status_observed_generation|kube_pod_container_status_restarts_total|kube_daemonset_status_current_number_scheduled|kube_pod_start_time|namespace_memory:kube_pod_container_resource_limits:sum|container_network_transmit_packets_dropped_total|rest_client_requests_total|kube_deployment_metadata_generation|kube_statefulset_status_update_revision|kube_job_status_succeeded|kube_horizontalpodautoscaler_spec_min_replicas|kube_statefulset_status_current_revision|node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile|kube_node_status_condition
-  #             action: keep
-  #         relabel_configs:
-  #           - replacement: kubernetes.default.svc.cluster.local:443
-  #             target_label: __address__
-  #           - regex: (.+)
-  #             replacement: /api/v1/nodes/${1}/proxy/metrics
-  #             source_labels:
-  #               - __meta_kubernetes_node_name
-  #             target_label: __metrics_path__
-  #         scheme: https
-  #         tls_config:
-  #           ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-  #           insecure_skip_verify: false
-  #           server_name: kubernetes
-  #       - job_name: integrations/kubernetes/kube-state-metrics
-  #         kubernetes_sd_configs:
-  #           - role: pod
-  #         metric_relabel_configs:
-  #           - source_labels: [__name__]
-  #             regex: namespace_memory:kube_pod_container_resource_requests:sum|kubelet_running_containers|container_cpu_usage_seconds_total|kube_pod_container_info|container_network_receive_packets_dropped_total|kube_pod_status_phase|kubelet_pod_start_duration_seconds_count|kubelet_cgroup_manager_duration_seconds_bucket|kube_horizontalpodautoscaler_status_desired_replicas|cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits|node_namespace_pod_container:container_memory_swap|kube_statefulset_status_replicas_ready|kube_horizontalpodautoscaler_spec_max_replicas|cluster:namespace:pod_memory:active:kube_pod_container_resource_requests|process_cpu_seconds_total|process_resident_memory_bytes|kubelet_server_expiration_renew_errors|kube_daemonset.*|container_fs_reads_total|machine_memory_bytes|kubelet_volume_stats_inodes_used|volume_manager_total_volumes|kube_statefulset_status_replicas|namespace_cpu:kube_pod_container_resource_limits:sum|kube_pod_container_resource_requests|kube_pod_container_resource_limits|kubelet_pod_worker_duration_seconds_count|namespace_workload_pod:kube_pod_owner:relabel|kubelet_cgroup_manager_duration_seconds_count|container_cpu_cfs_throttled_periods_total|kube_node_spec_taint|container_fs_reads_bytes_total|kubelet_certificate_manager_client_ttl_seconds|container_network_receive_bytes_total|kubelet_running_container_count|kube_daemonset_status_number_available|kube_node_status_allocatable|container_fs_writes_total|kube_namespace_status_phase|kubelet_volume_stats_available_bytes|kubelet_pleg_relist_duration_seconds_bucket|kubelet_runtime_operations_errors_total|kube_pod_container_status_waiting_reason|kube_replicaset_owner|kube_resourcequota|kube_pod_info|kubelet_pleg_relist_duration_seconds_count|kube_deployment_status_replicas_available|cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests|kubelet_running_pods|kube_statefulset_status_replicas_updated|kube_deployment_status_replicas_updated|kube_job_spec_completions|kube_daemonset_status_number_misscheduled|kubelet_certificate_manager_server_ttl_seconds|container_network_transmit_bytes_total|container_memory_cache|kubelet_volume_stats_capacity_bytes|node_namespace_pod_container:container_memory_cache|container_memory_rss|container_memory_swap|storage_operation_duration_seconds_count|kube_replicaset.*|kube_pod_owner|cluster:namespace:pod_memory:active:kube_pod_container_resource_limits|kubelet_volume_stats_inodes|kube_daemonset_status_desired_number_scheduled|kube_daemonset_status_updated_number_scheduled|kube_statefulset.*|kube_node_info|go_goroutines|kubelet_pod_worker_duration_seconds_bucket|kubelet_node_config_error|container_cpu_cfs_periods_total|kubelet_pleg_relist_interval_seconds_bucket|kube_job.*|container_network_receive_packets_total|container_fs_writes_bytes_total|kubelet_running_pod_count|kube_deployment_spec_replicas|up|kube_node_status_capacity|namespace_cpu:kube_pod_container_resource_requests:sum|node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate|container_memory_working_set_bytes|kubelet_node_name|node_namespace_pod_container:container_memory_rss|storage_operation_errors_total|kube_statefulset_metadata_generation|container_network_transmit_packets_total|kubelet_runtime_operations_total|kube_statefulset_status_observed_generation|kube_horizontalpodautoscaler_status_current_replicas|kubernetes_build_info|kubelet_certificate_manager_client_expiration_renew_errors|kube_job_failed|namespace_workload_pod|node_namespace_pod_container:container_memory_working_set_bytes|kube_statefulset_replicas|kube_deployment_status_observed_generation|kube_pod_container_status_restarts_total|kube_daemonset_status_current_number_scheduled|kube_pod_start_time|namespace_memory:kube_pod_container_resource_limits:sum|container_network_transmit_packets_dropped_total|rest_client_requests_total|kube_deployment_metadata_generation|kube_statefulset_status_update_revision|kube_job_status_succeeded|kube_horizontalpodautoscaler_spec_min_replicas|kube_statefulset_status_current_revision|node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile|kube_node_status_condition
-  #             action: keep
-  #         relabel_configs:
-  #           - action: keep
-  #             regex: kube-state-metrics
-  #             source_labels:
-  #               - __meta_kubernetes_pod_label_app_kubernetes_io_name
-
-integrations:
-  eventhandler:
-    cache_path: /var/lib/agent/eventhandler.cache
-    logs_instance: integrations
-logs:
-  configs:
-    - name: integrations
-      clients:
-        - url: https://logs-prod3.grafana.net/loki/api/v1/push
-          basic_auth:
-            username: 220681
-            password: ${ssm:/k3s/prod/monitoring/grafana-cloud/password}
-          external_labels:
-            cluster: cloud
-            job: integrations/kubernetes/eventhandler
-      positions:
-        filename: /tmp/positions.yaml
-      target_config:
-        sync_period: 10s

kustomize/overlays/prod/configurations/grafana/custom.ini

@@ -1,9 +0,0 @@
-[auth.generic_oauth]
-enabled = true
-allow_sign_up = false
-client_id = 5yCpX9YovdrEuBpy69438S8GzCUJZLxqFl4rOcIpjBHICRpJzjv56VMxslKj7iqm
-client_secret = ${ssm:/k3s/prod/nextcloud/oidc/grafana/client_secret}
-scopes = openid profile email
-auth_url = https://cloud.badjware.dev/apps/oidc/authorize
-token_url = https://cloud.badjware.dev/apps/oidc/token
-api_url = https://cloud.badjware.dev/apps/oidc/userinfo

kustomize/overlays/prod/kustomization.yaml

@@ -39,9 +39,11 @@ configMapGenerator:
       - GITEA_EXTERNAL_HOST=code.badjware.dev
       - GITEA_EXTERNAL_URL=https://code.badjware.dev
 
+      - GRAFANA_EXTERNAL_HOST=grafana.badjware.dev
+      - GRAFANA_EXTERNAL_URL=https://grafana.badjware.dev
+
       - DRONE_EXTERNAL_HOST=drone.badjware.dev
       - NEXTCLOUD_EXTERNAL_HOST=cloud.badjware.dev
-      - GRAFANA_EXTERNAL_HOST=grafana.badjware.dev
       - PROMETHEUS_EXTERNAL_HOST=prometheus.badjnet.home
   # - name: ecommerce-exporter-config
   #   namespace: monitoring
@@ -50,53 +52,6 @@ configMapGenerator:
   #     - ecommerce-exporter.yml=configurations/ecommerce-exporter/ecommerce-exporter.yml
 
 secretGenerator:
-  - name: drone-secret
-    type: Opaque
-    namespace: gitea
-    behavior: replace
-    literals:
-      - rpc_secret=${ssm:/k3s/prod/drone/gitea/rpc_secret}
-      - database_secret=${ssm:/k3s/prod/drone/gitea/database_secret}
-  # https://docs.drone.io/server/provider/gitea/
-  - name: drone-gitea-oauth-secret
-    type: Opaque
-    namespace: gitea
-    behavior: replace
-    literals:
-      - client_id=${ssm:/k3s/prod/drone/gitea/client_id}
-      - client_secret=${ssm:/k3s/prod/drone/gitea/client_secret}
-  - name: postgres-credentials
-    type: Opaque
-    namespace: nextcloud
-    behavior: replace
-    literals:
-      - database=nextcloud
-      - username=nextcloud
-      - password=${ssm:/k3s/prod/nextcloud/postgres/password}
-  - name: redis-credentials
-    type: Opaque
-    namespace: nextcloud
-    behavior: replace
-    literals:
-      - password=${ssm:/k3s/prod/nextcloud/redis/password}
-  - name: grafana-agent
-    namespace: monitoring
-    behavior: replace
-    files:
-      - agent.yaml=configurations/grafana-agent/agent.yaml
-  - name: grafana-config
-    type: Opaque
-    namespace: monitoring
-    behavior: replace
-    files:
-      - custom.ini=configurations/grafana/custom.ini
-  # - name: grafana-cloud-credentials
-  #   type: Opaque
-  #   namespace: monitoring
-  #   behavior: replace
-  #   literals:
-  #     - username=${ssm:/k3s/prod/monitoring/grafana-cloud/username}
-  #     - password=${ssm:/k3s/prod/monitoring/grafana-cloud/password}
   - name: additional-scrape-configs
     type: Opaque
     namespace: monitoring
@@ -108,9 +63,6 @@ secretGenerator:
 commonLabels:
   app.kubernetes.io/managed-by: kustomize
 
-transformers:
-  - transformers/ssm-secrets.yaml
-
 patchesJson6902:
   - target: 
       version: v1
@@ -157,6 +109,36 @@ replacements:
           namespace: gitea
         fieldPaths:
           - spec.template.spec.containers.0.env.0.value
+  - source:
+      kind: ConfigMap
+      name: replacements
+      namespace: default
+      fieldPath: data.GRAFANA_EXTERNAL_HOST
+    targets:
+      - select:
+          kind: Ingress
+          name: grafana
+          namespace: monitoring
+        fieldPaths:
+          - spec.rules.0.host
+      - select:
+          kind: Deployment
+          name: grafana
+          namespace: monitoring
+        fieldPaths:
+          - spec.template.spec.containers.0.env.0.value
+  - source:
+      kind: ConfigMap
+      name: replacements
+      namespace: default
+      fieldPath: data.GRAFANA_EXTERNAL_URL
+    targets:
+      - select:
+          kind: Deployment
+          name: grafana
+          namespace: monitoring
+        fieldPaths:
+          - spec.template.spec.containers.0.env.1.value
   - source:
       kind: ConfigMap
       name: replacements
@@ -199,18 +181,6 @@ replacements:
           namespace: nextcloud
         fieldPaths:
           - spec.rules.0.host
-  - source:
-      kind: ConfigMap
-      name: replacements
-      namespace: default
-      fieldPath: data.GRAFANA_EXTERNAL_HOST
-    targets:
-      - select:
-          kind: Ingress
-          name: grafana
-          namespace: monitoring
-        fieldPaths:
-          - spec.rules.0.host
   - source:
       kind: ConfigMap
       name: replacements

kustomize/overlays/prod/transformers/ssm-secrets.yaml

@@ -1,6 +0,0 @@
-apiVersion: badjware/v1
-kind: SSMParameterPlaceholderTransformer
-metadata:
-  name: ssm-parameter
-resourceSelectors:
-  - kind: Secret

plugins

@@ -1 +0,0 @@
-Subproject commit 323a2f9a62df1215b3bb4d60a0ebdd1a0bc15c0f

terraform/modules/aws-parameters-external-secrets/iam-policies/parameters-external-secrets-policy.json

@@ -4,6 +4,7 @@
       {
         "Effect": "Allow",
         "Action": [
+          "ssm:GetParameter",
           "ssm:GetParameterWithContext",
           "ssm:ListTagsForResourceWithContext",
           "ssm:DescribeParametersWithContext"