Wire Guacamole fully to 1Password: remove guac-db-secret, all DB creds from guacamole-credentials

- MySQL StatefulSet, initdb Job, Guacamole web all reference guacamole-credentials
- DB-User, DB-Password, DB-Root-Password, DB-Name fields added to 1Password item
- Zero inline secrets remain in manifest
Andrew Stoltz
2026-03-09 21:14:26 -05:00
parent 14519d47f5
commit 39e1c69e28


@@ -1,10 +1,8 @@
# Apache Guacamole - Remote Desktop Gateway # Apache Guacamole - Remote Desktop Gateway
# MySQL 8 + guacd + guacamole web # MySQL 8 + guacd + guacamole web
# ArgoCD managed - BlueJay Lab # ArgoCD managed - BlueJay Lab
# DB credentials sourced from 1Password via OnePasswordItem CRD (guacamole-credentials) # ALL credentials sourced from 1Password via OnePasswordItem CRD (guacamole-credentials)
# Note: guacamole-credentials contains Guacamole admin UI creds (username/password), # Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
# not MySQL DB creds. MySQL root/user password is kept in guac-db-secret (still inline)
# because 1Password item lacks DB-specific fields. See gap notes below.
--- ---
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
@@ -13,18 +11,6 @@ metadata:
labels: labels:
app.kubernetes.io/part-of: bluejay-infra app.kubernetes.io/part-of: bluejay-infra
--- ---
apiVersion: v1
kind: Secret
metadata:
name: guac-db-secret
namespace: guacamole
type: Opaque
stringData:
MYSQL_ROOT_PASSWORD: BlueJay-Guac-DB-2026
MYSQL_DATABASE: guacamole_db
MYSQL_USER: guacamole
MYSQL_PASSWORD: BlueJay-Guac-DB-2026
---
# MySQL 8 StatefulSet # MySQL 8 StatefulSet
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
@@ -50,9 +36,27 @@ spec:
ports: ports:
- containerPort: 3306 - containerPort: 3306
name: mysql name: mysql
envFrom: env:
- secretRef: - name: MYSQL_ROOT_PASSWORD
name: guac-db-secret valueFrom:
secretKeyRef:
name: guacamole-credentials
key: DB-Root-Password
- name: MYSQL_DATABASE
valueFrom:
secretKeyRef:
name: guacamole-credentials
key: DB-Name
- name: MYSQL_USER
valueFrom:
secretKeyRef:
name: guacamole-credentials
key: DB-User
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: guacamole-credentials
key: DB-Password
volumeMounts: volumeMounts:
- name: guac-mysql-data - name: guac-mysql-data
mountPath: /var/lib/mysql mountPath: /var/lib/mysql
@@ -145,13 +149,13 @@ spec:
- name: MYSQL_ROOT_PASSWORD - name: MYSQL_ROOT_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: guac-db-secret name: guacamole-credentials
key: MYSQL_ROOT_PASSWORD key: DB-Root-Password
- name: MYSQL_DATABASE - name: MYSQL_DATABASE
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: guac-db-secret name: guacamole-credentials
key: MYSQL_DATABASE key: DB-Name
--- ---
# guacd (Guacamole daemon) # guacd (Guacamole daemon)
apiVersion: apps/v1 apiVersion: apps/v1
@@ -239,18 +243,18 @@ spec:
- name: MYSQL_DATABASE - name: MYSQL_DATABASE
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: guac-db-secret name: guacamole-credentials
key: MYSQL_DATABASE key: DB-Name
- name: MYSQL_USER - name: MYSQL_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: guac-db-secret name: guacamole-credentials
key: MYSQL_USER key: DB-User
- name: MYSQL_PASSWORD - name: MYSQL_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: guac-db-secret name: guacamole-credentials
key: MYSQL_PASSWORD key: DB-Password
resources: resources:
requests: requests:
memory: 256Mi memory: 256Mi
@@ -330,11 +334,7 @@ spec:
secretName: guacamole-tls secretName: guacamole-tls
--- ---
# 1Password secret sync — creates guacamole-credentials K8s Secret # 1Password secret sync — creates guacamole-credentials K8s Secret
# Fields: username, password, URL, Note # Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
# NOTE: This secret contains Guacamole admin UI credentials only.
# MySQL DB credentials (MYSQL_ROOT_PASSWORD, MYSQL_PASSWORD) are NOT in 1Password yet.
# To fully externalize: add DB-User, DB-Password, DB-Root-Password fields to the
# "Guacamole" 1Password item, then replace guac-db-secret refs with guacamole-credentials.
apiVersion: onepassword.com/v1 apiVersion: onepassword.com/v1
kind: OnePasswordItem kind: OnePasswordItem
metadata: metadata:
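Review bot: The database password deleted with the old `MYSQL_PASSWORD: BlueJay-Guac-DB-2026` lines remains in git history, so the `DB-Password` and `DB-Root-Password` values that the StatefulSet, initdb Job and web Deployment now read from guacamole-credentials need to be new values rather than the same string moved into 1Password. The StatefulSet still mounts the existing `guac-mysql-data` volume, and as far as I know the MySQL image only consumes `MYSQL_ROOT_PASSWORD`/`MYSQL_PASSWORD` when it initialises an empty data directory, so a rotated value in the Secret will not change the password of the already-initialised database and the initdb and web pods would then fail to authenticate; the rotation has to be applied inside MySQL too, or the data volume re-initialised. A comment above the new `env:` block in the StatefulSet hunk would spare the next operator that surprise: `# MYSQL_* vars are only applied on first init of an empty data dir; rotating DB-Password/DB-Root-Password in 1Password must also be applied to the running MySQL (ALTER USER) or the volume re-initialised.` These pods will also sit in CreateContainerConfigError until the OnePasswordItem sync has created the Secret, which is presumably fine under ArgoCD retries but is worth stating in the header comment that now says "ALL credentials sourced from 1Password".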