Wire Zabbix/Matrix credentials to 1Password-synced secrets, add OnePasswordItem CRDs

- Zabbix: Remove hardcoded zabbix-db-secret and zabbix-admin-secret, reference zabbix-credentials (1Password) for DB-User, DB-Password, and admin password - Matrix: Remove hardcoded matrix-db-secret, reference matrix-credentials for Postgres user/password. Convert ConfigMap homeserver.yaml to template with __DB_PASSWORD__/__DB_USER__ placeholders, inject via busybox init container - Guacamole: Add OnePasswordItem CRD for future use. MySQL DB creds remain in guac-db-secret (1Password item lacks DB-specific fields — gap documented) - All three services now include OnePasswordItem CRD manifests for ArgoCD mgmt
2026-03-09 18:28:38 -05:00
parent 8f405d4df0
commit 3199c509c0
3 changed files with 733 additions and 670 deletions
--- a/apps/guacamole/guacamole.yaml
+++ b/apps/guacamole/guacamole.yaml
@@ -1,6 +1,10 @@
 # Apache Guacamole - Remote Desktop Gateway
 # MySQL 8 + guacd + guacamole web
 # ArgoCD managed - BlueJay Lab
+# DB credentials sourced from 1Password via OnePasswordItem CRD (guacamole-credentials)
+# Note: guacamole-credentials contains Guacamole admin UI creds (username/password),
+# not MySQL DB creds. MySQL root/user password is kept in guac-db-secret (still inline)
+# because 1Password item lacks DB-specific fields. See gap notes below.
 ---
 apiVersion: v1
 kind: Namespace
@@ -324,3 +328,17 @@ spec:
          port: 8080
  tls:
    secretName: guacamole-tls
+---
+# 1Password secret sync — creates guacamole-credentials K8s Secret
+# Fields: username, password, URL, Note
+# NOTE: This secret contains Guacamole admin UI credentials only.
+# MySQL DB credentials (MYSQL_ROOT_PASSWORD, MYSQL_PASSWORD) are NOT in 1Password yet.
+# To fully externalize: add DB-User, DB-Password, DB-Root-Password fields to the
+# "Guacamole" 1Password item, then replace guac-db-secret refs with guacamole-credentials.
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: guacamole-credentials
+  namespace: guacamole
+spec:
+  itemPath: vaults/IAmWorkin/items/Guacamole
--- a/apps/matrix/matrix.yaml
+++ b/apps/matrix/matrix.yaml
@@ -1,6 +1,8 @@
 # Matrix Synapse + Element Web
 # PostgreSQL 16 + Synapse homeserver + Element Web client
 # ArgoCD managed - BlueJay Lab
+# DB credentials sourced from 1Password via OnePasswordItem CRD (matrix-credentials)
+# Synapse homeserver.yaml DB password injected at runtime via init container
 ---
 apiVersion: v1
 kind: Namespace
@@ -9,26 +11,15 @@ metadata:
  labels:
    app.kubernetes.io/part-of: bluejay-infra
 ---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: matrix-db-secret
-  namespace: matrix
-type: Opaque
-stringData:
-  POSTGRES_USER: synapse
-  POSTGRES_PASSWORD: BlueJay-Matrix-DB-2026
-  POSTGRES_DB: synapse
-  POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
---
-# Synapse homeserver.yaml ConfigMap
+# Synapse homeserver.yaml template ConfigMap
+# DB password placeholder __DB_PASSWORD__ is replaced at pod startup by init container
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: synapse-config
  namespace: matrix
 data:
-  homeserver.yaml: |
+  homeserver.yaml.template: |
    server_name: "iamworkin.lan"
    pid_file: /data/homeserver.pid
    public_baseurl: "https://matrix.iamworkin.lan/"
@@ -44,8 +35,8 @@ data:
    database:
      name: psycopg2
      args:
-        user: synapse
-        password: BlueJay-Matrix-DB-2026
+        user: __DB_USER__
+        password: __DB_PASSWORD__
        database: synapse
        host: matrix-postgres
        port: 5432
@@ -80,6 +71,7 @@ data:
    disable_existing_loggers: false
 ---
 # PostgreSQL 16 StatefulSet
+# Credentials from 1Password-synced matrix-credentials secret
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -104,9 +96,21 @@ spec:
          ports:
            - containerPort: 5432
              name: postgres
-          envFrom:
-            - secretRef:
-                name: matrix-db-secret
+          env:
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-credentials
+                  key: DB-User
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-credentials
+                  key: DB-Password
+            - name: POSTGRES_DB
+              value: synapse
+            - name: POSTGRES_INITDB_ARGS
+              value: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
          volumeMounts:
            - name: matrix-postgres-data
              mountPath: /var/lib/postgresql/data
@@ -163,7 +167,8 @@ spec:
    requests:
      storage: 2Gi
 ---
-# Synapse init job: generate signing key if missing
+# Synapse Deployment
+# Init container injects DB credentials from 1Password secret into homeserver.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -192,7 +197,13 @@ spec:
          args:
            - |
              if [ \! -f /data/signing.key ]; then
-                python -m synapse.app.homeserver --generate-keys --config-path /config/homeserver.yaml
+                python -m synapse.app.homeserver --generate-keys --config-path /config-template/homeserver.yaml.template 2>/dev/null || true
+                # If key generation fails with template, create a minimal config for key gen
+                if [ \! -f /data/signing.key ]; then
+                  echo server_name: iamworkin.lan > /tmp/minimal.yaml
+                  echo signing_key_path: /data/signing.key >> /tmp/minimal.yaml
+                  python -c "from signedjson.key import generate_signing_key, write_signing_keys; import sys; key = generate_signing_key(a_auto); write_signing_keys(open(/data/signing.key,w), [key])" 2>/dev/null || true
+                fi
              fi
              chown 991:991 /data/signing.key 2>/dev/null || true
              chmod 644 /data/signing.key 2>/dev/null || true
@@ -201,7 +212,34 @@ spec:
          volumeMounts:
            - name: synapse-data
              mountPath: /data
-            - name: synapse-config
+            - name: synapse-config-template
+              mountPath: /config-template
+        - name: inject-credentials
+          image: busybox:latest
+          command: ["sh", "-c"]
+          args:
+            - |
+              # Copy template and substitute DB credentials from 1Password secret
+              cp /config-template/log.config /config/log.config
+              sed -e "s/__DB_PASSWORD__/${DB_PASSWORD}/g" \
+                  -e "s/__DB_USER__/${DB_USER}/g" \
+                  /config-template/homeserver.yaml.template > /config/homeserver.yaml
+              echo "Credentials injected into homeserver.yaml"
+          env:
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-credentials
+                  key: DB-Password
+            - name: DB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: matrix-credentials
+                  key: DB-User
+          volumeMounts:
+            - name: synapse-config-template
+              mountPath: /config-template
+            - name: synapse-config-rendered
              mountPath: /config
      containers:
        - name: synapse
@@ -217,7 +255,7 @@ spec:
          volumeMounts:
            - name: synapse-data
              mountPath: /data
-            - name: synapse-config
+            - name: synapse-config-rendered
              mountPath: /config
          resources:
            requests:
@@ -242,9 +280,11 @@ spec:
        - name: synapse-data
          persistentVolumeClaim:
            claimName: synapse-data
-        - name: synapse-config
+        - name: synapse-config-template
          configMap:
            name: synapse-config
+        - name: synapse-config-rendered
+          emptyDir: {}
 ---
 apiVersion: v1
 kind: Service
@@ -407,3 +447,13 @@ spec:
          port: 80
  tls:
    secretName: element-tls
+---
+# 1Password secret sync — creates matrix-credentials K8s Secret
+# Fields: DB-User, DB-Password, Registration-Secret, username, password, URL
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: matrix-credentials
+  namespace: matrix
+spec:
+  itemPath: vaults/IAmWorkin/items/Matrix Synapse
--- a/apps/zabbix/zabbix.yaml
+++ b/apps/zabbix/zabbix.yaml
@@ -1,6 +1,7 @@
 # Zabbix 7.2 Monitoring Stack
 # PostgreSQL 16 + Zabbix Server + Zabbix Web (nginx)
 # ArgoCD managed - BlueJay Lab
+# Credentials sourced from 1Password via OnePasswordItem CRD (zabbix-credentials)
 ---
 apiVersion: v1
 kind: Namespace
@@ -9,26 +10,6 @@ metadata:
  labels:
    app.kubernetes.io/part-of: bluejay-infra
 ---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: zabbix-db-secret
-  namespace: zabbix
-type: Opaque
-stringData:
-  POSTGRES_USER: zabbix
-  POSTGRES_PASSWORD: BlueJay-ZabbixDB-2026
-  POSTGRES_DB: zabbix
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: zabbix-admin-secret
-  namespace: zabbix
-type: Opaque
-stringData:
-  ZBX_ADMIN_PASSWORD: BlueJay-NOC-2026
---
 # PostgreSQL 16 StatefulSet
 apiVersion: apps/v1
 kind: StatefulSet
@@ -54,9 +35,19 @@ spec:
          ports:
            - containerPort: 5432
              name: postgres
-          envFrom:
-            - secretRef:
-                name: zabbix-db-secret
+          env:
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: zabbix-credentials
+                  key: DB-User
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: zabbix-credentials
+                  key: DB-Password
+            - name: POSTGRES_DB
+              value: zabbix
          volumeMounts:
            - name: zabbix-postgres-data
              mountPath: /var/lib/postgresql/data
@@ -139,18 +130,15 @@ spec:
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
-                  name: zabbix-db-secret
-                  key: POSTGRES_USER
+                  name: zabbix-credentials
+                  key: DB-User
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: zabbix-db-secret
-                  key: POSTGRES_PASSWORD
+                  name: zabbix-credentials
+                  key: DB-Password
            - name: POSTGRES_DB
-              valueFrom:
-                secretKeyRef:
-                  name: zabbix-db-secret
-                  key: POSTGRES_DB
+              value: zabbix
          resources:
            requests:
              memory: 256Mi
@@ -237,23 +225,20 @@ spec:
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
-                  name: zabbix-db-secret
-                  key: POSTGRES_USER
+                  name: zabbix-credentials
+                  key: DB-User
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: zabbix-db-secret
-                  key: POSTGRES_PASSWORD
+                  name: zabbix-credentials
+                  key: DB-Password
            - name: POSTGRES_DB
-              valueFrom:
-                secretKeyRef:
-                  name: zabbix-db-secret
-                  key: POSTGRES_DB
+              value: zabbix
            - name: ZBX_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: zabbix-admin-secret
-                  key: ZBX_ADMIN_PASSWORD
+                  name: zabbix-credentials
+                  key: password
          resources:
            requests:
              memory: 128Mi
@@ -318,3 +303,13 @@ spec:
          port: 8080
  tls:
    secretName: zabbix-tls
+---
+# 1Password secret sync — creates zabbix-credentials K8s Secret
+# Fields: DB-User, DB-Password, username, password, URL
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: zabbix-credentials
+  namespace: zabbix
+spec:
+  itemPath: vaults/IAmWorkin/items/Zabbix Admin