diff --git a/.githooks/pre-commit b/.githooks/pre-commit
new file mode 100755
index 0000000..36130b9
--- /dev/null
+++ b/.githooks/pre-commit
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Reject commits that contain REDACTED in YAML files.
+# "REDACTED" is valid base64 — if ArgoCD applies it, it corrupts secrets.
+
+REDACTED_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep '\.ya\?ml$' | xargs grep -l 'REDACTED' 2>/dev/null)
+
+if [ -n "$REDACTED_FILES" ]; then
+ echo ""
+ echo "ERROR: los siguientes archivos contienen 'REDACTED':"
+ echo "$REDACTED_FILES" | sed 's/^/ /'
+ echo ""
+ echo "Los secrets con datos sensibles NO deben ir en este repo."
+ echo "Elimina el campo 'data:' del manifest o borra el archivo."
+ echo "Ver README.md para instrucciones de gestión de secrets."
+ echo ""
+ exit 1
+fi
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c3ee49b
--- /dev/null
+++ b/README.md
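Review bot: The check in `.githooks/pre-commit` only matches the literal placeholder `REDACTED`, so it would not have stopped the real exposure visible in this same commit: several deleted manifests (for example `argocd/secret-gitea-k8s-manifests.yaml` and `cloudflare-ddns/secret-cloudflare-ddns-secret.yaml`) carry plaintext `stringData` inside their `kubectl.kubernetes.io/last-applied-configuration` annotation. A second match such as `git grep --cached -l -e 'stringData' -e 'last-applied-configuration' -- '*.yaml' '*.yml'` would cover that case, and because deleting the files leaves those values in git history, they should be treated as compromised and rotated. The pipeline also greps the working-tree copy rather than the staged blob, splits on whitespace in file names, and `--diff-filter=ACM` skips renames; `REDACTED_FILES=$(git grep --cached -l 'REDACTED' -- '*.yaml' '*.yml')` reads the index directly, at the cost of scanning every tracked YAML file rather than only the changed ones. A client-side hook can be skipped with `--no-verify`, so the same check belongs in CI or a server-side hook as well.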
@@ -0,0 +1,64 @@ +# k8s-manifests + +Manifests de Kubernetes gestionados por ArgoCD para el cluster chemavx. + +## Regla crítica: secrets en git + +**Los secrets con datos sensibles NO se guardan en este repo.** + +Los archivos de secret en este repo sólo contienen metadata (name, namespace, labels, annotations). Los campos `data` / `stringData` se gestionan manualmente fuera de git. + +### Por qué + +Un valor placeholder como `REDACTED` es base64 válido que decodifica a bytes no-UTF-8. Si ArgoCD aplica ese manifest, corrompe el secret en el cluster, lo que puede: +- Romper certificados TLS (ERR_CERT_AUTHORITY_INVALID) +- Impedir que pods arranquen (`grpc: error while marshaling: string field contains invalid UTF-8`) +- Cifrar credenciales con una clave incorrecta + +### Secrets TLS (cert-manager) + +Los secrets TLS los gestiona **cert-manager** automáticamente a partir del recurso `Certificate`. **No crear archivos secret-*-tls.yaml con datos**. + +### Secrets de aplicación — crear manualmente antes del primer deploy + +| Namespace | Secret | Comando | +|---|---|---| +| `n8n` | `n8n-secret` | `kubectl create secret generic n8n-secret --from-literal=encryption-key='' -n n8n` | +| `authentik` | `authentik-secret` | Ver Vaultwarden → "authentik" | +| `cloudflare-ddns` | `cloudflare-ddns-secret` | Ver Vaultwarden → "cloudflare-ddns" | +| `vaultwarden` | `vaultwarden-secret` | Ver Vaultwarden → "vaultwarden" | +| `openclaw` | `openclaw-token` | Ver Vaultwarden → "openclaw" | +| `argocd` | `argocd-secret` | Gestionado por ArgoCD bootstrap | +| `argocd` | `argocd-redis` | Gestionado por ArgoCD bootstrap | +| `monitoring` | `kube-prometheus-stack-grafana` | Ver Vaultwarden → "grafana" | +| `monitoring` | `kube-prometheus-stack-admission` | Generado por helm (webhook TLS) | + +### ArgoCD ignoreDifferences para secrets + +Toda ArgoCD Application que gestione un namespace con secrets debe incluir `ignoreDifferences` para el campo `/data`: + +```yaml +spec: + 
ignoreDifferences: + - group: "" + kind: Secret + name: + namespace: + jsonPointers: + - /data + syncPolicy: + syncOptions: + - RespectIgnoreDifferences=true +``` + +Ver `n8n` ArgoCD Application como referencia. + +## Pre-commit hook + +Este repo incluye un pre-commit hook que rechaza commits con `REDACTED` en archivos `.yaml`. +Instalar con: + +```bash +cp .githooks/pre-commit .git/hooks/pre-commit +chmod +x .git/hooks/pre-commit +``` diff --git a/argocd/secret-argocd-redis.yaml b/argocd/secret-argocd-redis.yaml deleted file mode 100644 index bcdaadf..0000000 --- a/argocd/secret-argocd-redis.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -data: - auth: REDACTED -kind: Secret -metadata: - name: argocd-redis - namespace: argocd -type: Opaque - diff --git a/argocd/secret-argocd-secret.yaml b/argocd/secret-argocd-secret.yaml deleted file mode 100644 index 1103827..0000000 --- a/argocd/secret-argocd-secret.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -data: - admin.password: REDACTED - admin.passwordMtime: REDACTED - server.secretkey: REDACTED - tls.crt: REDACTED - tls.key: REDACTED -kind: Secret -metadata: - annotations: - kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"argocd-secret","app.kubernetes.io/part-of":"argocd"},"name":"argocd-secret","namespace":"argocd"},"type":"Opaque"} - - ' - labels: - app.kubernetes.io/name: argocd-secret - app.kubernetes.io/part-of: argocd - name: argocd-secret - namespace: argocd -type: Opaque - diff --git a/argocd/secret-argocd-tls.yaml b/argocd/secret-argocd-tls.yaml deleted file mode 100644 index a7934d4..0000000 --- a/argocd/secret-argocd-tls.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: v1 -data: - tls.crt: REDACTED - tls.key: REDACTED -kind: Secret -metadata: - annotations: - cert-manager.io/alt-names: argocd.chemavx.xyz - cert-manager.io/certificate-name: argocd-tls - cert-manager.io/common-name: argocd.chemavx.xyz - cert-manager.io/ip-sans: '' - cert-manager.io/issuer-group: cert-manager.io - cert-manager.io/issuer-kind: ClusterIssuer - cert-manager.io/issuer-name: letsencrypt-prod - cert-manager.io/uri-sans: '' - labels: - controller.cert-manager.io/fao: 'true' - name: argocd-tls - namespace: argocd -type: kubernetes.io/tls - diff --git a/argocd/secret-gitea-k8s-manifests.yaml b/argocd/secret-gitea-k8s-manifests.yaml deleted file mode 100644 index 92a53b4..0000000 --- a/argocd/secret-gitea-k8s-manifests.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: v1 -data: - insecure: REDACTED - password: REDACTED - type: REDACTED - url: REDACTED - username: REDACTED -kind: Secret -metadata: - annotations: - kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"labels":{"argocd.argoproj.io/secret-type":"repository"},"name":"gitea-k8s-manifests","namespace":"argocd"},"stringData":{"insecure":"true","password":"GitAdmin2026x","type":"git","url":"https://git.chemavx.xyz/chemavx/k8s-manifests","username":"chemavx"},"type":"Opaque"} - - ' - labels: - argocd.argoproj.io/secret-type: repository - name: gitea-k8s-manifests - namespace: argocd -type: Opaque - diff --git a/authentik/secret-auth-tls.yaml b/authentik/secret-auth-tls.yaml deleted file mode 100644 index 1d089c7..0000000 --- a/authentik/secret-auth-tls.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: v1 -data: - tls.crt: REDACTED - tls.key: REDACTED -kind: Secret -metadata: - annotations: - cert-manager.io/alt-names: auth.chemavx.xyz - cert-manager.io/certificate-name: auth-tls - cert-manager.io/common-name: auth.chemavx.xyz - cert-manager.io/ip-sans: '' - cert-manager.io/issuer-group: cert-manager.io - cert-manager.io/issuer-kind: ClusterIssuer - cert-manager.io/issuer-name: letsencrypt-prod - cert-manager.io/uri-sans: '' - labels: - controller.cert-manager.io/fao: 'true' - name: auth-tls - namespace: authentik -type: kubernetes.io/tls - diff --git a/authentik/secret-authentik-secrets.yaml b/authentik/secret-authentik-secrets.yaml deleted file mode 100644 index 8330427..0000000 --- a/authentik/secret-authentik-secrets.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -data: - AUTHENTIK_POSTGRESQL__PASSWORD: REDACTED - AUTHENTIK_SECRET_KEY: REDACTED - POSTGRES_PASSWORD: REDACTED -kind: Secret -metadata: - annotations: - kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"authentik-secrets","namespace":"authentik"},"stringData":{"AUTHENTIK_POSTGRESQL__PASSWORD":"authentik","AUTHENTIK_SECRET_KEY":"PLACEHOLDER_WILL_UPDATE","POSTGRES_PASSWORD":"authentik"},"type":"Opaque"} - - ' - name: authentik-secrets - namespace: authentik -type: Opaque - diff --git a/authentik/secret-authentik-tls.yaml b/authentik/secret-authentik-tls.yaml deleted file mode 100644 index 896b36f..0000000 --- a/authentik/secret-authentik-tls.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: v1 -data: - tls.crt: REDACTED - tls.key: REDACTED -kind: Secret -metadata: - annotations: - cert-manager.io/alt-names: authentik.chemavx.xyz - cert-manager.io/certificate-name: authentik-tls - cert-manager.io/common-name: authentik.chemavx.xyz - cert-manager.io/ip-sans: '' - cert-manager.io/issuer-group: cert-manager.io - cert-manager.io/issuer-kind: ClusterIssuer - cert-manager.io/issuer-name: letsencrypt-prod - cert-manager.io/uri-sans: '' - labels: - controller.cert-manager.io/fao: 'true' - name: authentik-tls - namespace: authentik -type: kubernetes.io/tls - diff --git a/cloudflare-ddns/secret-cloudflare-ddns-secret.yaml b/cloudflare-ddns/secret-cloudflare-ddns-secret.yaml deleted file mode 100644 index 3cd2ff3..0000000 --- a/cloudflare-ddns/secret-cloudflare-ddns-secret.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -data: - CF_API_TOKEN: REDACTED -kind: Secret -metadata: - annotations: - kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"cloudflare-ddns-secret","namespace":"cloudflare-ddns"},"stringData":{"CF_API_TOKEN":"SMDp7QpoGiM_5JVeq4IXCGCv5oKAWQK5MfsBt3n_"},"type":"Opaque"} - - ' - name: cloudflare-ddns-secret - namespace: cloudflare-ddns -type: Opaque - diff --git a/default/secret-wildcard-chemavx-xyz-tls.yaml b/default/secret-wildcard-chemavx-xyz-tls.yaml deleted file mode 100644 index 5cc0b3a..0000000 --- a/default/secret-wildcard-chemavx-xyz-tls.yaml +++ /dev/null 
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
- tls.crt: REDACTED
- tls.key: REDACTED
-kind: Secret
-metadata:
- annotations:
- cert-manager.io/alt-names: '*.chemavx.xyz,chemavx.xyz'
- cert-manager.io/certificate-name: wildcard-chemavx-xyz
- cert-manager.io/common-name: chemavx.xyz
- cert-manager.io/ip-sans: ''
- cert-manager.io/issuer-group: ''
- cert-manager.io/issuer-kind: ClusterIssuer
- cert-manager.io/issuer-name: letsencrypt-prod
- cert-manager.io/uri-sans: ''
- labels:
- controller.cert-manager.io/fao: 'true'
- name: wildcard-chemavx-xyz-tls
- namespace: default
-type: kubernetes.io/tls
-
diff --git a/gitea/secret-gitea-tls.yaml b/gitea/secret-gitea-tls.yaml
deleted file mode 100644
index 36f8712..0000000
--- a/gitea/secret-gitea-tls.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
- tls.crt: REDACTED
- tls.key: REDACTED
-kind: Secret
-metadata:
- annotations:
- cert-manager.io/alt-names: git.chemavx.xyz
- cert-manager.io/certificate-name: gitea-tls
- cert-manager.io/common-name: git.chemavx.xyz
- cert-manager.io/ip-sans: ''
- cert-manager.io/issuer-group: cert-manager.io
- cert-manager.io/issuer-kind: ClusterIssuer
- cert-manager.io/issuer-name: letsencrypt-prod
- cert-manager.io/uri-sans: ''
- labels:
- controller.cert-manager.io/fao: 'true'
- name: gitea-tls
- namespace: gitea
-type: kubernetes.io/tls
-
diff --git a/homarr/secret-homarr-tls.yaml b/homarr/secret-homarr-tls.yaml
deleted file mode 100644
index a086316..0000000
--- a/homarr/secret-homarr-tls.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
- tls.crt: REDACTED
- tls.key: REDACTED
-kind: Secret
-metadata:
- annotations:
- cert-manager.io/alt-names: homarr.chemavx.xyz
- cert-manager.io/certificate-name: homarr-tls
- cert-manager.io/common-name: homarr.chemavx.xyz
- cert-manager.io/ip-sans: ''
- cert-manager.io/issuer-group: cert-manager.io
- cert-manager.io/issuer-kind: ClusterIssuer
- cert-manager.io/issuer-name: letsencrypt-prod
- cert-manager.io/uri-sans: ''
- labels:
- controller.cert-manager.io/fao: 'true'
- name: homarr-tls
- namespace: homarr
-type: kubernetes.io/tls
-
diff --git a/homarr/secret-home-tls.yaml b/homarr/secret-home-tls.yaml
deleted file mode 100644
index 83acd35..0000000
--- a/homarr/secret-home-tls.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
- tls.crt: REDACTED
- tls.key: REDACTED
-kind: Secret
-metadata:
- annotations:
- cert-manager.io/alt-names: home.chemavx.xyz
- cert-manager.io/certificate-name: home-tls
- cert-manager.io/common-name: home.chemavx.xyz
- cert-manager.io/ip-sans: ''
- cert-manager.io/issuer-group: cert-manager.io
- cert-manager.io/issuer-kind: ClusterIssuer
- cert-manager.io/issuer-name: letsencrypt-prod
- cert-manager.io/uri-sans: ''
- labels:
- controller.cert-manager.io/fao: 'true'
- name: home-tls
- namespace: homarr
-type: kubernetes.io/tls
-
diff --git a/monitoring/secret-grafana-tls.yaml b/monitoring/secret-grafana-tls.yaml
deleted file mode 100644
index e556e87..0000000
--- a/monitoring/secret-grafana-tls.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
- tls.crt: REDACTED
- tls.key: REDACTED
-kind: Secret
-metadata:
- annotations:
- cert-manager.io/alt-names: grafana.chemavx.xyz
- cert-manager.io/certificate-name: grafana-tls
- cert-manager.io/common-name: grafana.chemavx.xyz
- cert-manager.io/ip-sans: ''
- cert-manager.io/issuer-group: cert-manager.io
- cert-manager.io/issuer-kind: ClusterIssuer
- cert-manager.io/issuer-name: letsencrypt-prod
- cert-manager.io/uri-sans: ''
- labels:
- controller.cert-manager.io/fao: 'true'
- name: grafana-tls
- namespace: monitoring
-type: kubernetes.io/tls
-
diff --git a/monitoring/secret-kube-prometheus-stack-admission.yaml b/monitoring/secret-kube-prometheus-stack-admission.yaml
deleted file mode 100644
index 30c24a4..0000000
--- a/monitoring/secret-kube-prometheus-stack-admission.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-data:
- ca: REDACTED
- cert: REDACTED
- key: REDACTED
-kind: Secret
-metadata:
- name: kube-prometheus-stack-admission
- namespace: monitoring
-type: Opaque
-
diff --git a/monitoring/secret-kube-prometheus-stack-grafana.yaml b/monitoring/secret-kube-prometheus-stack-grafana.yaml
deleted file mode 100644
index 1a1aa34..0000000
--- a/monitoring/secret-kube-prometheus-stack-grafana.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
- admin-password: REDACTED
- admin-user: REDACTED
- ldap-toml: REDACTED
-kind: Secret
-metadata:
- annotations:
- meta.helm.sh/release-name: kube-prometheus-stack
- meta.helm.sh/release-namespace: monitoring
- labels:
- app.kubernetes.io/component: admin-secret
- app.kubernetes.io/instance: kube-prometheus-stack
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: grafana
- app.kubernetes.io/version: 12.4.2
- helm.sh/chart: grafana-11.5.0
- name: kube-prometheus-stack-grafana
- namespace: monitoring
-type: Opaque
-
diff --git a/monitoring/secret-prometheus-kube-prometheus-stack-prometheus-thanos-prometheus-http-client-file.yaml b/monitoring/secret-prometheus-kube-prometheus-stack-prometheus-thanos-prometheus-http-client-file.yaml
deleted file mode 100644
index 528d24b..0000000
--- a/monitoring/secret-prometheus-kube-prometheus-stack-prometheus-thanos-prometheus-http-client-file.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-data:
- prometheus.http-client-file.yaml: REDACTED
-kind: Secret
-metadata:
- labels:
- app.kubernetes.io/managed-by: prometheus-operator
- managed-by: prometheus-operator
- name: prometheus-kube-prometheus-stack-prometheus-thanos-prometheus-http-client-file
- namespace: monitoring
- ownerReferences:
- - apiVersion: monitoring.coreos.com/v1
- blockOwnerDeletion: true
- controller: true
- kind: Prometheus
- name: kube-prometheus-stack-prometheus
- uid: f0355616-4bfa-4409-8b5f-c1c815ee7a2a
-type: Opaque
-
diff --git a/monitoring/secret-prometheus-kube-prometheus-stack-prometheus-tls-assets-0.yaml b/monitoring/secret-prometheus-kube-prometheus-stack-prometheus-tls-assets-0.yaml
deleted file mode 100644
index 4537a02..0000000
--- a/monitoring/secret-prometheus-kube-prometheus-stack-prometheus-tls-assets-0.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-data:
- 0_monitoring_kube-prometheus-stack-admission_ca: REDACTED
-kind: Secret
-metadata:
- labels:
- app.kubernetes.io/managed-by: prometheus-operator
- managed-by: prometheus-operator
- name: prometheus-kube-prometheus-stack-prometheus-tls-assets-0
- namespace: monitoring
- ownerReferences:
- - apiVersion: monitoring.coreos.com/v1
- blockOwnerDeletion: true
- controller: true
- kind: Prometheus
- name: kube-prometheus-stack-prometheus
- uid: f0355616-4bfa-4409-8b5f-c1c815ee7a2a
-type: Opaque
-
diff --git a/monitoring/secret-prometheus-kube-prometheus-stack-prometheus-web-config.yaml b/monitoring/secret-prometheus-kube-prometheus-stack-prometheus-web-config.yaml
deleted file mode 100644
index c7adfcc..0000000
--- a/monitoring/secret-prometheus-kube-prometheus-stack-prometheus-web-config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-data:
- web-config.yaml: REDACTED
-kind: Secret
-metadata:
- labels:
- app.kubernetes.io/managed-by: prometheus-operator
- managed-by: prometheus-operator
- name: prometheus-kube-prometheus-stack-prometheus-web-config
- namespace: monitoring
- ownerReferences:
- - apiVersion: monitoring.coreos.com/v1
- blockOwnerDeletion: true
- controller: true
- kind: Prometheus
- name: kube-prometheus-stack-prometheus
- uid: f0355616-4bfa-4409-8b5f-c1c815ee7a2a
-type: Opaque
-
diff --git a/monitoring/secret-prometheus-kube-prometheus-stack-prometheus.yaml b/monitoring/secret-prometheus-kube-prometheus-stack-prometheus.yaml
deleted file mode 100644
index acc1687..0000000
--- a/monitoring/secret-prometheus-kube-prometheus-stack-prometheus.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-data:
- prometheus.yaml.gz: REDACTED
-kind: Secret
-metadata:
- labels:
- app.kubernetes.io/managed-by: prometheus-operator
- managed-by: prometheus-operator
- name: prometheus-kube-prometheus-stack-prometheus
- namespace: monitoring
- ownerReferences:
- - apiVersion: monitoring.coreos.com/v1
- blockOwnerDeletion: true
- controller: true
- kind: Prometheus
- name: kube-prometheus-stack-prometheus
- uid: f0355616-4bfa-4409-8b5f-c1c815ee7a2a
-type: Opaque
-
diff --git a/monitoring/secret-prometheus-tls.yaml b/monitoring/secret-prometheus-tls.yaml
deleted file mode 100644
index 87f9c35..0000000
--- a/monitoring/secret-prometheus-tls.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
- tls.crt: REDACTED
- tls.key: REDACTED
-kind: Secret
-metadata:
- annotations:
- cert-manager.io/alt-names: prometheus.chemavx.xyz
- cert-manager.io/certificate-name: prometheus-tls
- cert-manager.io/common-name: prometheus.chemavx.xyz
- cert-manager.io/ip-sans: ''
- cert-manager.io/issuer-group: cert-manager.io
- cert-manager.io/issuer-kind: ClusterIssuer
- cert-manager.io/issuer-name: letsencrypt-prod
- cert-manager.io/uri-sans: ''
- labels:
- controller.cert-manager.io/fao: 'true'
- name: prometheus-tls
- namespace: monitoring
-type: kubernetes.io/tls
-
diff --git a/monitoring/secret-uptime-kuma-redirect-tls.yaml b/monitoring/secret-uptime-kuma-redirect-tls.yaml
deleted file mode 100644
index 7011c11..0000000
--- a/monitoring/secret-uptime-kuma-redirect-tls.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
- tls.crt: REDACTED
- tls.key: REDACTED
-kind: Secret
-metadata:
- annotations:
- cert-manager.io/alt-names: uptime.chemavx.xyz
- cert-manager.io/certificate-name: uptime-kuma-redirect-tls
- cert-manager.io/common-name: uptime.chemavx.xyz
- cert-manager.io/ip-sans: ''
- cert-manager.io/issuer-group: cert-manager.io
- cert-manager.io/issuer-kind: ClusterIssuer
- cert-manager.io/issuer-name: letsencrypt-prod
- cert-manager.io/uri-sans: ''
- labels:
- controller.cert-manager.io/fao: 'true'
- name: uptime-kuma-redirect-tls
- namespace: monitoring
-type: kubernetes.io/tls
-
diff --git a/monitoring/secret-uptime-kuma-tls.yaml b/monitoring/secret-uptime-kuma-tls.yaml
deleted file mode 100644
index 9c06246..0000000
--- a/monitoring/secret-uptime-kuma-tls.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
- tls.crt: REDACTED
- tls.key: REDACTED
-kind: Secret
-metadata:
- annotations:
- cert-manager.io/alt-names: home.chemavx.xyz,status.chemavx.xyz
- cert-manager.io/certificate-name: uptime-kuma-tls
- cert-manager.io/common-name: status.chemavx.xyz
- cert-manager.io/ip-sans: ''
- cert-manager.io/issuer-group: cert-manager.io
- cert-manager.io/issuer-kind: ClusterIssuer
- cert-manager.io/issuer-name: letsencrypt-prod
- cert-manager.io/uri-sans: ''
- labels:
- controller.cert-manager.io/fao: 'true'
- name: uptime-kuma-tls
- namespace: monitoring
-type: kubernetes.io/tls
-
diff --git a/openclaw/secret-openclaw-tls.yaml b/openclaw/secret-openclaw-tls.yaml
deleted file mode 100644
index acb1ff6..0000000
--- a/openclaw/secret-openclaw-tls.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-data:
- tls.crt: REDACTED
- tls.key: REDACTED
-kind: Secret
-metadata:
- annotations:
- cert-manager.io/alt-names: openclaw.chemavx.xyz
- cert-manager.io/certificate-name: openclaw-tls
- cert-manager.io/common-name: openclaw.chemavx.xyz
- cert-manager.io/ip-sans: ''
- cert-manager.io/issuer-group: cert-manager.io
- cert-manager.io/issuer-kind: ClusterIssuer
- cert-manager.io/issuer-name: letsencrypt-prod
- cert-manager.io/uri-sans: ''
- labels:
- controller.cert-manager.io/fao: 'true'
- name: openclaw-tls
- namespace: openclaw
-type: kubernetes.io/tls
-
diff --git a/openclaw/secret-openclaw-token.yaml b/openclaw/secret-openclaw-token.yaml
deleted file mode 100644
index 48f666b..0000000
--- a/openclaw/secret-openclaw-token.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-data:
- OPENCLAW_TOKEN: REDACTED
-kind: Secret
-metadata:
- name: openclaw-token
- namespace: openclaw
-type: Opaque
-
diff --git a/vaultwarden/secret-vaultwarden-secret.yaml b/vaultwarden/secret-vaultwarden-secret.yaml
deleted file mode 100644
index 745376f..0000000
--- a/vaultwarden/secret-vaultwarden-secret.yaml
+++ /dev/null
@@ -1,15 +0,0 @@ -apiVersion: v1 -data: - ADMIN_TOKEN: REDACTED - DOMAIN: REDACTED - SIGNUPS_ALLOWED: REDACTED -kind: Secret -metadata: - annotations: - kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"vaultwarden-secret","namespace":"vaultwarden"},"stringData":{"DOMAIN":"https://vaultwarden.chemavx.xyz","SIGNUPS_ALLOWED":"false"},"type":"Opaque"} - - ' - name: vaultwarden-secret - namespace: vaultwarden -type: Opaque - diff --git a/vaultwarden/secret-vaultwarden-tls.yaml b/vaultwarden/secret-vaultwarden-tls.yaml deleted file mode 100644 index 2886fd6..0000000 --- a/vaultwarden/secret-vaultwarden-tls.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: v1 -data: - tls.crt: REDACTED - tls.key: REDACTED -kind: Secret -metadata: - annotations: - cert-manager.io/alt-names: vaultwarden.chemavx.xyz - cert-manager.io/certificate-name: vaultwarden-tls - cert-manager.io/common-name: vaultwarden.chemavx.xyz - cert-manager.io/ip-sans: '' - cert-manager.io/issuer-group: cert-manager.io - cert-manager.io/issuer-kind: ClusterIssuer - cert-manager.io/issuer-name: letsencrypt-prod - cert-manager.io/uri-sans: '' - labels: - controller.cert-manager.io/fao: 'true' - name: vaultwarden-tls - namespace: vaultwarden -type: kubernetes.io/tls -