feat(downloadarr): set api keys & security context

kid · Aug 25, 2024 · 2fe13c6 · 2fe13c6
1 parent 4f864f6
commit 2fe13c6
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 0 deletions.
diff --git a/clusters/base/apps/downloadarr/api-keys.sops.yaml b/clusters/base/apps/downloadarr/api-keys.sops.yaml
@@ -0,0 +1,29 @@
+#ENC[AES256_GCM,data:Q4/1pw58A6XljmMYmZOxBiQTwj8mIm3NhDXz1DDHHX45oO8j4PtvEfRO9G6NiYIlp7nbtUlGlSl7zQ==,iv:OUPgRwQMIykAjl+ua2sscTqeB5PnoZw/CRq2LderT/A=,tag:+Qw99ZIaTKjvdQI3i9WKxQ==,type:comment]
+apiVersion: ENC[AES256_GCM,data:fHk=,iv:1pN8A8WpeCg3h/9AoysJmp/CUjseL1iEtqB9GmRAVKY=,tag:UaOdlflT4k/GpR6fYLflBw==,type:str]
+kind: ENC[AES256_GCM,data:x6QpGGC2,iv:0z0NUUYr+EFQ7WkpOp1QIb42Tdd+bpI3Llli4z8/Nc8=,tag:D1gZBwBADFEvrqPOX2NVIg==,type:str]
+metadata:
+    name: ENC[AES256_GCM,data:SMXCiuUCkuk=,iv:OP/ybJyQGSqk/h08L2ecNlEvoD2+5c43yIvEaRBe3dY=,tag:ChT6VN1upn6E6xcCZXCvkA==,type:str]
+type: ENC[AES256_GCM,data:heFlloKI,iv:dIFPBYvhnLgipbvYr7TZhrFX7HTjfL4Ynt7vfzGJSiU=,tag:oX8gPbig6F+1pk3vvMHGLg==,type:str]
+stringData:
+    SONARR__AUTH__APIKEY: ENC[AES256_GCM,data:+NiCZ2CxHRFkj6GRGF9BLKl1uW4=,iv:2EDdmlkHrk+hubCXDLdK7TSXV6jlWCM5tUzWZVlSSRU=,tag:nl96KjRo8AXj2ahZ+7Z0YQ==,type:str]
+    PROWLARR__AUTH__APIKEY: ENC[AES256_GCM,data:WikH55UmjZKcci4W25FvVnPR710=,iv:Qs6SSsm4Vz+x2Jqvr84VV2WLy6si+838BlGJ7kwCbPI=,tag:XL0cUBLQ+BJvdrOUSJK7NA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1dghfu7sxwlkf4626eywmgr63y2g7m4x8zs8a6xt2zay3x7dclpnsw776dd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBualVRQWpsMU1ONlpMcjhp
+            UXg0UkFoNGF6NFBDVjlySE9ac2grOGZoc0ZrCm9JYWM5RVd4dFR0THlHODJlSkdX
+            MkZMY1EyMGZURzk2aC9rblpCYVFPSVUKLS0tIDdUWHBSSm5jSFZ2MXlQczBldlda
+            cXU2RGdGTTZYUDNEclNNbUJRRUVVNDgKf5sP/YkayUtANNotk90V9aksIk3Vxfan
+            RqxfMSQcwyTWQvpjnpxi2FlTVBVLJlBtsnuHGbLEaDKt5nhes85bEQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-25T15:48:32Z"
+    mac: ENC[AES256_GCM,data:Ju2jFjzx35AZ0ejqebfFFCdcKJ8yWbkv7ickVyzkaawSJOQwUvfQeuN+KxprQG17Nn3qDEI8xGkOT/z7aqkkibIMmzFulfLViCVx03M9I719gjelJ8fNR/4T+pQ3W6geRXCX51Zd1eY8VNATbX3IWN0PEBAyhyzum4JP5gyB30c=,iv:Yl6AFeHoJWyQl8R+gnkckrAK9jRFD7lxEUzxAXupBB0=,tag:mL58XRbg6guqaH7Jw4uDkg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0
diff --git a/clusters/base/apps/downloadarr/kustomization.yaml b/clusters/base/apps/downloadarr/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: downloadarr
 resources:
   - ./namespace.yaml
+  - ./api-keys.sops.yaml
   - ./pv-series.yaml
   - ./gateway.yaml
   - ./prowlarr.yaml

diff --git a/clusters/base/apps/downloadarr/prowlarr.yaml b/clusters/base/apps/downloadarr/prowlarr.yaml
@@ -33,6 +33,9 @@ spec:
       labels:
         app: prowlarr
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
       containers:
         - name: prowlarr
           image: ghcr.io/linuxserver/prowlarr:1.21.2
@@ -61,6 +64,10 @@ spec:
               value: External
             - name: PROWLARR__AUTH__REQUIRED
               value: DisabledForLocalAddresses
+            - name: PROWLARR__AUTH__APIKEY
+              valueFrom:
+                secretKeyRef:
+                  name: api-keys
             - name: PROWLARR__LOG__ANALYTICSENABLED
               value: "False"
             - name: PROWLARR__LOG__CONSOLEFORMAT

diff --git a/clusters/base/apps/downloadarr/sonarr.yaml b/clusters/base/apps/downloadarr/sonarr.yaml
@@ -71,6 +71,10 @@ spec:
               value: External
             - name: SONARR__AUTH__REQUIRED
               value: DisabledForLocalAddresses
+            - name: SONARR__AUTH__APIKEY
+              valueFrom:
+                secretKeyRef:
+                  name: api-keys
             - name: SONARR__LOG__ANALYTICSENABLED
               value: "False"
             - name: SONARR__LOG__CONSOLEFORMAT