Wire Guacamole fully to 1Password: remove guac-db-secret, all DB creds from guacamole-credentials

- MySQL StatefulSet, initdb Job, Guacamole web all reference guacamole-credentials
- DB-User, DB-Password, DB-Root-Password, DB-Name fields added to 1Password item
- Zero inline secrets remain in manifest
This commit is contained in:
Andrew Stoltz
2026-03-09 21:14:26 -05:00
parent 14519d47f5
commit 39e1c69e28


@@ -1,10 +1,8 @@
# Apache Guacamole - Remote Desktop Gateway
# MySQL 8 + guacd + guacamole web
# ArgoCD managed - BlueJay Lab
# DB credentials sourced from 1Password via OnePasswordItem CRD (guacamole-credentials)
# Note: guacamole-credentials contains Guacamole admin UI creds (username/password),
# not MySQL DB creds. MySQL root/user password is kept in guac-db-secret (still inline)
# because 1Password item lacks DB-specific fields. See gap notes below.
# ALL credentials sourced from 1Password via OnePasswordItem CRD (guacamole-credentials)
# Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
---
apiVersion: v1
kind: Namespace
@@ -13,18 +11,6 @@ metadata:
labels:
app.kubernetes.io/part-of: bluejay-infra
---
apiVersion: v1
kind: Secret
metadata:
name: guac-db-secret
namespace: guacamole
type: Opaque
stringData:
MYSQL_ROOT_PASSWORD: BlueJay-Guac-DB-2026
MYSQL_DATABASE: guacamole_db
MYSQL_USER: guacamole
MYSQL_PASSWORD: BlueJay-Guac-DB-2026
---
# MySQL 8 StatefulSet
apiVersion: apps/v1
kind: StatefulSet
@@ -50,9 +36,27 @@ spec:
ports:
- containerPort: 3306
name: mysql
envFrom:
- secretRef:
name: guac-db-secret
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: guacamole-credentials
key: DB-Root-Password
- name: MYSQL_DATABASE
valueFrom:
secretKeyRef:
name: guacamole-credentials
key: DB-Name
- name: MYSQL_USER
valueFrom:
secretKeyRef:
name: guacamole-credentials
key: DB-User
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: guacamole-credentials
key: DB-Password
volumeMounts:
- name: guac-mysql-data
mountPath: /var/lib/mysql
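Review bot: The new MYSQL_ROOT_PASSWORD / MYSQL_PASSWORD env entries only take effect on a fresh database: this container persists /var/lib/mysql on the guac-mysql-data volume, and as far as I know the official mysql image's entrypoint applies these variables only when it initializes an empty data directory — an existing PVC keeps whatever passwords it was initialized with (please confirm against the image version in use). That matters here because the value the manifest previously carried inline, `BlueJay-Guac-DB-2026`, remains in git history and should be treated as exposed and rotated, so the DB-Password / DB-Root-Password fields in 1Password will (and should) differ from what the running instance has stored, and the web Deployment and initdb Job would then fail to authenticate until the password is changed inside MySQL as well (ALTER USER) or the volume is re-initialized. I would add a comment above the env block: `# NOTE: mysql applies these creds only on first init of an empty /var/lib/mysql; rotating in 1Password also requires ALTER USER on the live DB (or a fresh PVC).` The container spec this env block belongs to starts outside the hunk.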
@@ -145,13 +149,13 @@ spec:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: guac-db-secret
key: MYSQL_ROOT_PASSWORD
name: guacamole-credentials
key: DB-Root-Password
- name: MYSQL_DATABASE
valueFrom:
secretKeyRef:
name: guac-db-secret
key: MYSQL_DATABASE
name: guacamole-credentials
key: DB-Name
---
# guacd (Guacamole daemon)
apiVersion: apps/v1
@@ -239,18 +243,18 @@ spec:
- name: MYSQL_DATABASE
valueFrom:
secretKeyRef:
name: guac-db-secret
key: MYSQL_DATABASE
name: guacamole-credentials
key: DB-Name
- name: MYSQL_USER
valueFrom:
secretKeyRef:
name: guac-db-secret
key: MYSQL_USER
name: guacamole-credentials
key: DB-User
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: guac-db-secret
key: MYSQL_PASSWORD
name: guacamole-credentials
key: DB-Password
resources:
requests:
memory: 256Mi
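Review bot: After this change one Secret, guacamole-credentials, holds the Guacamole admin UI username/password, the application DB user's password and the MySQL root password, and it is referenced by the web Deployment, the StatefulSet and the initdb Job. Kubernetes RBAC and the operator sync are scoped per Secret, not per key, so any ServiceAccount or human granted `get` on this Secret for the web app also obtains the MySQL root password, and a single 1Password item edit touches all three consumers at once. Consider splitting the DB credentials (at least DB-Root-Password) into a separate OnePasswordItem / Secret that only the StatefulSet and the initdb Job reference, leaving the web Deployment with just DB-User, DB-Password and DB-Name. The enclosing Deployment spec begins outside this hunk, so I can't see which ServiceAccount it runs under.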
@@ -330,11 +334,7 @@ spec:
secretName: guacamole-tls
---
# 1Password secret sync — creates guacamole-credentials K8s Secret
# Fields: username, password, URL, Note
# NOTE: This secret contains Guacamole admin UI credentials only.
# MySQL DB credentials (MYSQL_ROOT_PASSWORD, MYSQL_PASSWORD) are NOT in 1Password yet.
# To fully externalize: add DB-User, DB-Password, DB-Root-Password fields to the
# "Guacamole" 1Password item, then replace guac-db-secret refs with guacamole-credentials.
# Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata: