add vaultwarden, self manage argo

infrastructure/passwords/configmap.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config
+data:
+  DOMAIN: "https://passwords.kluster.moll.re"
+  SIGNUPS_ALLOWED: "false"
+  INVITATIONS_ALLOWED: "true" # not sure about that?
+  ADMIN_TOKEN: null # not set in order to disable the admin interface
+  SHOW_PASSWORD_HINT: "false"
+
+  SSO_ENABLED: "true"
+  SSO_ONLY: "true" # disable email+Master password authentication
+  # remaining SSO_ variables are set in a secret

infrastructure/passwords/deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: passwords
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: passwords
+  template:
+    metadata:
+      labels:
+        app: passwords
+    spec:
+      containers:
+        - name: passwords
+          image: vaultwarden
+          ports:
+            - containerPort: 80
+          envFrom:
+            - configMapRef:
+                name: config
+            - secretRef:
+                name: oidc-client-secret
+            - secretRef:
+                name: smtp-secret
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "200Mi"
+            limits:
+              cpu: "2"
+              memory: "4Gi"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: vaultwarden-data

infrastructure/passwords/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: passwords-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`passwords.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: passwords-web
+      port: 80
+
+  tls:
+    certResolver: default-tls

infrastructure/passwords/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - configmap.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+  - oidc.sealedsecret.yaml
+  - smtp.sealedsecret.yaml
+
+namespace: passwords
+
+images:
+  - name: vaultwarden
+    newName: vaultwarden/server
+    newTag: testing # required for SSO support

infrastructure/passwords/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

infrastructure/passwords/oidc.sealedsecret.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: oidc-client-secret
+  namespace: passwords
+spec:
+  encryptedData:
+    SSO_AUTHORITY: AgCuaACGgTZhrOv5FDVbPIzVusjzvbwgrogCt1kZJsX7K3G1vCWZDRzPMJ06k0Ofb5Yvby/AcKx0UyPJwWDmhlk7geuYzG1G1pBk97fNTOzac7ZheCZ68LFshalT5F6dMJBSMTRz+uG3N+MztCyvCcKUxYUIkGbopf7is12FJhEIKNbrQe4C5H2SVHSIZ8udE4Nv2HqertLVKE9Z7CNmq4KV3UBAGqJEqBkITsN/qhgpHOjY1dQKK5myL89BYERQGBdoqKSUYJOZiEoINwj161QtG/H2Y9n6xlAVO4irsva/6m1BjA/7wfWAK8RJGX8N1e9axlxgIUH7HAA/bh+riLKvQea23NRqT9bsIOy+FRNEqTWXM4FiNxtmufi9gRHnLyQhrSQAB4Zuyzelsqn+aKDlCFGkE3NLuquychWly24pLtNa+9UPPOm0BZhbOzXOObXJOzbFIoBqxcKkwen3ca1YjyqOK1DryJevjczLVuWY+NprnjlH6BgdTyqPnI+FyXhLRa3nJCafkVfNaIJW8n1+P0hKiEwGVXiyU0fR40DaueBR8F8jr5MKlEFvdwJ8/IvkfMZUsccPVYIYw08Ama+vFrJidPvicM8gNpkqoU2TnSEEjBk0eX9jd6ahiwffE9s01uQFjcr6rNL+SiYXJCpp/Ti8v0iJ4C5ID9h0GS7v4IBOUYCGRYfWrYUlp3LFMB6Saq4a4DhTlxC3cORn0ini8dUPJLq0x8n1rzGt
+    SSO_CLIENT_ID: AgB1oES4V0P53fkAch+aDkCHd6seVExYMGCU72H8Slky0j4FZ5LjtBpzGxro8sxxr/Ri2wEc1f+TC2hHWbdtUNwE3SwA0McPODS0nmmxPkSj1ZRHlVQtG9TkFdEHEeWJnECHX0y6hp/qbdYxF+2Pgz9YQtbdi8r49H2iwqfD/8/ojMzlvpdOJRdE+K/aYQ8Q08GBZCusLm8vCW+bDn6U9+aj72SCH0i91xoPWI6P9v96mcWOipK0COhYl32ypz5GLaNpyIhDccJvrAzVKZ0tGX01t6+JT2f0lZc2jjVosTk0nPhLTQdLYJC1TboPtqwzaRWwV/lm+St07cSaaxMT0CHqmoxwiqazNNgkgPzddOaduTpbid2I1rH/2jYKD8uY5UKTZYa+wxXF8KQBMCyRw2k1bdebvc20z53T0UtmRkquKXVq1WyOTZEH4bhqVapuMjyAF9vzR7Juga6lF9P68Er8lYr5MGeimslyRUVfrqdA4VTFO6sALHyrpkuYdHIwEi5ZlNb2pRzqaBFeQaaJYgiXPZMhcIRIfEOU8JQ5FWu++OzM75RF2YA1Ww70SZxHANn/K/ksyAqhZNgNFRm++6YQKfBI6z+N6ObjJPJE3J/WCHGCmVCQRa7lg73THqPXeqvfoSDgH8nTHamg8AshAKWxJuTD9mPXN4TqbxBuXuQBa9UGu/HNBMpYo2hHEHYIr42XZwScpo5qvo4RUQ==
+    SSO_CLIENT_SECRET: AgBzGmskaj/eliwfsOzdRb1PdiSJC9vLr7CyCAqQ4QmxVXOSVbiJu39ud2alH+Rx8UZ51l5Wd9CkyizyVpD8AgREk8fpE8V0cRlDplj/OmGSJ5VtNyLLJko13PkPAB2scexapZ/PxZpJEkH5ONPvzvVKC8liUoz1XoEQEWAgDkSiRqgt1aVm4v1Fvl0Ift3eJtkWkU6xGrL7OwTnV/nCaNt6w7Fd/37uWYgosGvQivcy11/QoppgVARCWrFl9ZjjsimV5i2hfoRXvd+saUuMvRfD95+POB6+hRK0fvbnARXW0ePj7W9oWG9fAhSA7S/J0cnx3zFjpJ8QBvaHYXJ+rsDHsxlqRSFUVXgMGZ5cISTzIjPWaVRv5cU3WK0vEeT2gPHsebTX6JgguzT728rZA2r7BuMZF20f89GeV21iYksABWMC1MYwGfScBPHfyDqxhgc39wxZTdH5gz9/DhuHd5+0iLjwIwqsStqVu6W1SqpuFd0psfyVNFY0DkDS28gcliRPSNF0bJEA7QIsDl5NVAl1fXEG4QrJMQx6i5BTrfI6HDYW0nq3fT/fPlSipmbUf4OWQVTrEmot5UvFDowBemZNG2Z2+vgAE0bbnQKeqAifUr7KMUGf9bmj42r8x1TLiDAyI9h5iSU/y4WHLpzxg2GNgkLQ0mKcAJ/xHnaWNti/dr2pwzCSx2Apmvps8/AVuYP+unRxmlstYl1ko+esv4agfbg/43H2/dkNeA+5iQw=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: oidc-client-secret
+      namespace: passwords
+    type: Opaque

infrastructure/passwords/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: vaultwarden-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

infrastructure/passwords/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: passwords-web
+spec:
+  selector:
+    app: passwords
+  ports:
+  - port: 80
+    targetPort: 80

infrastructure/passwords/smtp.sealedsecret.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: smtp-secret
+  namespace: passwords
+spec:
+  encryptedData:
+    SMTP_FROM: AgA2bN0tkQhhsTtenjjECo2kSR1HJFS7bRhL8FMIsBb81gObN4EI2CnE38RE5R1RMsszsces7F9YH/husYY9Q3SAuLMPNgos6wHEB0cg8lY8tkXmXn2n9a5SnLy3+adnhAIMEJ+wPKpxELrhIjyE2Jgz4ZKX+s5WXWv8+mu1Sk1sMOqf2p0/MTpfRtOJtziShNmTyG9W4H4pckuE0uE5Fi1NGey9iSEN/g7FzlDCxujzSsLS7PkpKVqplUKtp/QLfH6afEcrmkZGIErdXfbg4jFGc/LWstuHDcBa9y7W+Wz2hWInQqWOeLlV54MlIYth4MMjNi1FHsxXuzQRkkmi0KTIXd0J4M/+C85KetQeFlOV+fhybRJWhtYVS46xUaf0jTaWeRTGsqlXU1fa8xPOFsN7nStQgyDh1Hk868CAR5K9lrbFcwTO/XOPs7ZyI33CGwHTbC07B9OK/Y+oENeYymdB5ICmJQ4fB1m5SDtElRu7hlf33C5Elu9aGFvECAJPsMpHE0t2HUqqfPUZtnQ1D78BJa7Coa8+J6prbubqmJTpw1sR7kFtHJR+SbTezPGbKVG8+NUmzwHzUQssz75jb4coqStRvx3tGA3q+ObC0KNn6AwUItH8R7ctVEd69qfFjdMTgRzJJwo2+thDQGVo5ZSENb8C+E7yL7xELK+FEkL6kt1Xo0FTIAIj6pWB6aTktu8a0hSIGho5rc0TI/49kYpfRekX9ZZByZtxwFdT64Y06Bo=
+    SMTP_HOST: AgA22D8NGJiVPrOHTet6X6hNabuYR3gPebOnmkYy2Lt5adufloo4ohvvkoQFVGYel5270OhIOQigFPZhqSurTRHZrQXMRFQ4R0X7q0WqkrrGJSFK22E/hI6jMpPUXcG+SI/rliYXV3jBAXKoUAuX7xPpvWjmU7ES5y3RGqj5lLfCmK+9+uDEYH1uY/EyZcjfwsJBkDYWVn5Zpl49L6wjgLp81307cYu0BndLznXPEFmRANDKzM3zIMFZFReXpi8SzUSiAZTXBppP5USWr6M5x88NrxB6K9v9kqJJNAgbCwxi7H2eO4IYd5lf+mLEyJm+AKt9u0QbUbE6IKkYxtoKN9d/OsHjyNmVEr1db+BGySRuoyEWPJWVUMtuMDLzxPX6syLqHrg9OJ9sF3iBIuTKerAEg7fKDQZ8dKGIUtMTKM82+Y1aJqJ+w++uO16faxeOhMeCdFUfPtenIKEFNvhxLv37rX6GLBsbqu33q/IKfBOikrhY/yua/SHr8okoRO9DyBLvC6uuUXwTsicamajC3h0lkaI56mxqwYBpNq9bXDCYqHgTm5uc3awKzbzGsd5AmBwff2gWvQuR8FfB4uWDqu19SR0DCIxFoUEhE2zKfBmuiOwXbbb2WeaxAAiTBqyoyJjrT+5Tb/9AdxOyNvNJ7Noaa/aSqRFtqrbU289dX7gZrcobag34zNp7bGV8/+5jucIBnlpaGBBLYhzHaiRgruOE
+    SMTP_PASSWORD: AgBv9A4w8hsjZCfodrNW0FIC2P+Tmd3Lo3bdY1Tdone2WeMKGEY/tvg66Nyn0P6LHAVMn3xZf4Fs3K3VlhMx53/uHWP5D/1PYVYNmbI08aJmrVUS5pop57KRW1abrUvf5eFwvtb0VYlmonZ1BDK+LIZEL/fqculkqelFmUXj0D1/Uq1dmz6/zfGK2Dpa71sjevY72pDedIhOwdavrwRkMvP1nd36hCYMrDaBodUpw6f0ZwyKucQThcT7UdgfBzR6ekvNfzkfIQnrgvVhmhDgUs5n6/KMkA5hC+ZztgLshF1+aBkM2VwVbrNjSDFbUJJguZnz6z4WlS/gGppeBj5ZWWeM01ARDlmbXZabz07hBApQ66/6H7gKW3AmMyaoAdbWnbK94XX+zapcNd5hPEYOIEx2q2/l4+ak6tSAPcuBSu048uTyUpf9/eUizhyWAmJQJ0FPsrVZ4ZYL8Yim8sGXx6Vgl6jJaT58HbnrimOINkEkqhu2Cuai3LAdHbN8nTFEu8F3qzWJkeYkBHAHxOrpJe/U5vVWLuMXywd8j3+rWWit7RFzZEEl4tdTsifFtF7Ml6pdqiwIOpH609Mn0Zr1Cz4iAgt3nU1i76X4g9YLRd4S3V93CmWQyaGBEgPjw8CswhEEKwcMUlkBD809QUx/4Ot655qA6F+i+NhCgeAujO58IL8V8+/EMSfK3sJ+XZFloRYyQrJ+adX6vL3C08dxSOXq
+    SMTP_PORT: AgARQ5le4SZE5gI+0sfUexHTI3xKtTp13xFj8NEAvZe5XBGWHbOqz0E/GGzNK0U31eKWi4hlDjy8oU0QyYnGiNdFwav2epqdLAFhUyGTwSAzV8ix6zS0B495imtYCxiNzdIAJWfHiVOV30CCn3IZTbjar5OIzf7FbCRx/qbqeIpTEYh73NnTLr1FueEe54yoBy0SxfAmgcAFIhBLd/dz9l1z/9jY/rvj4DSGYkZV4mdRaRusnoH9SrBBc52KIXbd1PMWPxltGQvzGtm/zbS9U82mLkJyDOPLhxhcP+z82O0NAKScfAzp7tq0p/PFooqyNmxaHiNFfUYjTxn6rDktZz3rBgST5cUFW3mUr3wSRKFdNTJQFe03GNVQM8n22KD+s8ZHErEsOCDa40ojcQihs3rOG03hKimcng6kW4MGZt90shPwoGWQqLEycY00MGNXCm6wtbIIHACGM9zdot8q3Adok3MrlT3wHZSloCpm5Vo4YuFNKSP7pN0l4MlrIq4scqMaEqNORtJGlwNHK/7LoOV7UbdYUsPx5QxkZYEaecviu+gFHZWT8bD5Do53i/cHl3TrL526qUphpFqoyjrOpDFgy8axQuSE5h/ARanDSaLrSiQKl+dn5p9V4h+baETNCSd2ebRGo4EuwrqbPCDM/Jxe+8vp5kK2xXLi1i4GW+7IVq8smXrYTxwSsme1xtFkR3mqjQQD
+    SMTP_SECURITY: AgCr84ATmegm4Bw4h8UVp3lARrSwy4DHuR59rlhf/il5pca/Z0rv478JQ2MW18e4LJSdtAHVIuEYb+PGbrFiJQ9gRTLGZAs3pBeWxKd6pyZyD1hMt376Q3kO2UaWrKBqJibTawItFmqCRraIZh84vCWNA41eddCbIZn1+JtSin8+9zwvLUScR2/7Y3iOkhhsi/dB6THXxKLMAHrr0lZGU0Mf2a3mhivqa6uHDkWZkLV4hWXTdXhhvK/VJlUekOXEgpg3zzFVESBcXGHno1Pj2ataVNUER6KGz1MzVXxF+DSVfem8pjeIHq1XTrQth0O2DQtifDP/smFGJvOMT4oghZsxKKY86uDzt4tKIswcR0bv+kbPBiepcnf1uUqJhoALlA4zeVaaQq25Dzhv550xM0XkW+ISgt64Er0qOAiI1V0sLeGBPazU+vUeEL7oa1nDr26K8CVk4Q6Hto8tuFACiVD0vh1NFw8FzR2tuILZmmoYUW4Imfwq6GWXw7ni5hRiZhUEYG2k0savVKyLLiPENfjlBLiLaA+TTAXcK7RtrDGY0M4y9qyHU/W3FG4BxReaF0lylhHaYFhMKRc/J3NCHlIIg+ob0mHEskvaexljf1pfdLUt3VvY9kHJSjGvJYBsHHkpeDU2xPvGF/usP0aDaa+Xy4IQCgQwXKmMadwplZv+FKV1ImZUayHhLxLfjZCMre9SfiqTr4968A==
+    SMTP_USERNAME: AgBDm7HojupWtK/s5yXKq/6y1aYsAzYkbfyuKQ6vujWaQZUUkm6pXHNlSW39si8KW8FG45tGAdZABl2Mv/nbNcsJ4bJzaICbcQzm3aGF8Bfv9NZKfO7Zrw3SmiZd+oXYkKGpPqtv2Nj9xMXIBYf1Ll4naBFCzLLgK6LJfKPiVChjEmVnX7XR1vDWJL5+BuXN3qb6ZAoEuzJ80RjUcKLSLfjeMxk7gNyUnxQSpyTZGMSK/XrkGLlkGTMdGDbuY9/vjNopeYpouGFiPFz5N6kaivUN9o2fKhP3SfBYSEpI2H3F/cbBPNWLGxfweokRbZZmjxC9K1N99UES8z268ZV9rv/6sri+Hf1FqdV9+2V38owAUByXUzKUBqs3Kb29kuv2+jDVDBm1FPQbkRWnK/6r3BHZQL4wJIg/3sKcjnWDXMwH79htcFF9bU7tcGVO1If4FHZYBbczUPdGeN59IIjHkvYqASVQBeew7JwhWRJkesbGcXW6EfUeIE6AwGoQudgRcHk140/0OupXnFwPcwy0EEg6vGNU4n2ejzavisA42gZGyrgO8Fr5boSqLnx2mSGi1jR3U3NR2ZEzh8dsOnbrjiffYIjnAOwMxTlvdF+x4le1DBOlHKwmVKeIgpFfab9KKG7I3s0VhMVILkeRMNPPy6P9G69k8HXvn+sDnVSOSno0/eiguz49iIt+JqzUbwLb0wWbp16S5NOc
+  template:
+    metadata:
+      creationTimestamp: null
+      name: smtp-secret
+      namespace: passwords
+    type: Opaque