diff --git a/apps/guacamole/guacamole.yaml b/apps/guacamole/guacamole.yaml
index a70a36d..4a48ca2 100644
--- a/apps/guacamole/guacamole.yaml
+++ b/apps/guacamole/guacamole.yaml
@@ -1,10 +1,8 @@
 # Apache Guacamole - Remote Desktop Gateway
 # MySQL 8 + guacd + guacamole web
 # ArgoCD managed - BlueJay Lab
-# DB credentials sourced from 1Password via OnePasswordItem CRD (guacamole-credentials)
-# Note: guacamole-credentials contains Guacamole admin UI creds (username/password),
-# not MySQL DB creds. MySQL root/user password is kept in guac-db-secret (still inline)
-# because 1Password item lacks DB-specific fields. See gap notes below.
+# ALL credentials sourced from 1Password via OnePasswordItem CRD (guacamole-credentials)
+# Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
 ---
 apiVersion: v1
 kind: Namespace
@@ -13,18 +11,6 @@ metadata:
   labels:
     app.kubernetes.io/part-of: bluejay-infra
 ---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: guac-db-secret
-  namespace: guacamole
-type: Opaque
-stringData:
-  MYSQL_ROOT_PASSWORD: BlueJay-Guac-DB-2026
-  MYSQL_DATABASE: guacamole_db
-  MYSQL_USER: guacamole
-  MYSQL_PASSWORD: BlueJay-Guac-DB-2026
----
 # MySQL 8 StatefulSet
 apiVersion: apps/v1
 kind: StatefulSet
@@ -50,9 +36,27 @@ spec:
           ports:
             - containerPort: 3306
               name: mysql
-          envFrom:
-            - secretRef:
-                name: guac-db-secret
+          env:
+            - name: MYSQL_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-credentials
+                  key: DB-Root-Password
+            - name: MYSQL_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-credentials
+                  key: DB-Name
+            - name: MYSQL_USER
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-credentials
+                  key: DB-User
+            - name: MYSQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-credentials
+                  key: DB-Password
           volumeMounts:
             - name: guac-mysql-data
               mountPath: /var/lib/mysql
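Review bot: The secretKeyRef entries that replace envFrom in this hunk only restore confidentiality if the DB-Password and DB-Root-Password fields in 1Password hold new values; the removed guac-db-secret hunk above committed `BlueJay-Guac-DB-2026` in plain text, and deleting the manifest does not remove it from git history, so both MySQL passwords should be rotated as part of this change rather than copied into the 1Password item. Separately, this container mounts guac-mysql-data at /var/lib/mysql, and as far as I know the official MySQL image applies MYSQL_ROOT_PASSWORD/MYSQL_USER/MYSQL_PASSWORD only when it initialises an empty data directory, so on an existing PVC the rotated values will not take effect by themselves and the guacamole Deployment (second hunk on the next line) will fail to authenticate until the passwords are changed inside MySQL or the volume is re-initialised. I would record that next to the new `env:` line: `# NOTE: MySQL reads these only on first init of an empty /var/lib/mysql; rotating the 1Password values requires changing the passwords in the DB too`. The StatefulSet's container spec starts before this hunk.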
@@ -145,13 +149,13 @@ spec:
             - name: MYSQL_ROOT_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: guac-db-secret
-                  key: MYSQL_ROOT_PASSWORD
+                  name: guacamole-credentials
+                  key: DB-Root-Password
             - name: MYSQL_DATABASE
               valueFrom:
                 secretKeyRef:
-                  name: guac-db-secret
-                  key: MYSQL_DATABASE
+                  name: guacamole-credentials
+                  key: DB-Name
 ---
 # guacd (Guacamole daemon)
 apiVersion: apps/v1
@@ -239,18 +243,18 @@ spec:
             - name: MYSQL_DATABASE
               valueFrom:
                 secretKeyRef:
-                  name: guac-db-secret
-                  key: MYSQL_DATABASE
+                  name: guacamole-credentials
+                  key: DB-Name
             - name: MYSQL_USER
               valueFrom:
                 secretKeyRef:
-                  name: guac-db-secret
-                  key: MYSQL_USER
+                  name: guacamole-credentials
+                  key: DB-User
             - name: MYSQL_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: guac-db-secret
-                  key: MYSQL_PASSWORD
+                  name: guacamole-credentials
+                  key: DB-Password
           resources:
             requests:
               memory: 256Mi
@@ -330,11 +334,7 @@ spec:
       secretName: guacamole-tls
 ---
 # 1Password secret sync — creates guacamole-credentials K8s Secret
-# Fields: username, password, URL, Note
-# NOTE: This secret contains Guacamole admin UI credentials only.
-# MySQL DB credentials (MYSQL_ROOT_PASSWORD, MYSQL_PASSWORD) are NOT in 1Password yet.
-# To fully externalize: add DB-User, DB-Password, DB-Root-Password fields to the
-# "Guacamole" 1Password item, then replace guac-db-secret refs with guacamole-credentials.
+# Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
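Review bot: The new Fields comment in the last hunk lists the 1Password item fields but not the contract the rest of the file now depends on: the Secret keys referenced by the StatefulSet, by the resource in the first hunk on this line and by the Deployment (DB-Root-Password, DB-Name, DB-User, DB-Password) must come out of the operator's field-label-to-key mapping spelled exactly as written, case included, or every pod fails at start with a missing-key error. I believe the operator uses the field label as the Secret key, but that should be confirmed against the rendered Secret and stated here, e.g. `# Field labels become Secret keys 1:1 (case-sensitive); the DB-* labels must match the secretKeyRef keys used above`. The OnePasswordItem's metadata and item reference follow the hunk, so the comment is the only place in view that documents this coupling.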