diff --git a/cluster/applications/firecrawl/SECRETS_SETUP.md b/cluster/applications/firecrawl/SECRETS_SETUP.md new file mode 100644 index 0000000..046d3af --- /dev/null +++ b/cluster/applications/firecrawl/SECRETS_SETUP.md @@ -0,0 +1,59 @@ +# Firecrawl Secrets for 1Password + +## Action Required: Manual Secret Creation in 1Password + +The 1Password Connect token is READ-ONLY for security. These secrets must be manually added to 1Password. + +### Vault Information +- **Vault Name:** mk-labs +- **Vault ID:** mnefk7klz35qqvv2eucygh4pzm + +### Item to Create +- **Item Name:** firecrawl +- **Item Type:** Server / API Credential + +### Fields to Add + +#### 1. postgres-password +- **Label:** postgres-password +- **Type:** Password (concealed) +- **Value:** `ll1fTJSer8h0Bwq7PBmkTcRbAlFKGzbV` +- **Purpose:** PostgreSQL database authentication + +#### 2. bull-auth-key +- **Label:** bull-auth-key +- **Type:** Password (concealed) +- **Value:** `fCHhkTNeplAwI2scqGo0C4cwJGA33FBpmyIVxlbzkodRbFKy5WlroxJeezjYg1UQ` +- **Purpose:** Redis Bull queue admin UI authentication + +## Instructions + +1. Open 1Password desktop app or web interface +2. Navigate to the "mk-labs" vault +3. Create a new item: + - Name: `firecrawl` + - Type: `Server` or `Password` +4. Add custom fields: + - Field 1: Label = `postgres-password`, Value = (32-char password above) + - Field 2: Label = `bull-auth-key`, Value = (64-char key above) +5. Save the item + +## Verification + +After creating the item in 1Password, verify it's accessible: + +```bash +# Port-forward to 1Password Connect (if not already running) +kubectl port-forward -n onepassword-connect svc/onepassword-connect 8080:8080 & + +# Test retrieval (read-only access should work) +curl -s -H "Authorization: Bearer *** kubectl get secret -n onepassword-connect connect-token -o jsonpath='{.data.token}' | base64 -d)" \ + "http://localhost:8080/v1/vaults/mnefk7klz35qqvv2eucygh4pzm/items" | \ + jq -r '.[] | select(.title == "firecrawl") | .title' +``` + +Expected output: `firecrawl` + +## Next Steps + +Once the item is created in 1Password, the ExternalSecret manifest will automatically sync these values to Kubernetes. diff --git a/cluster/applications/firecrawl/externalsecret.yaml b/cluster/applications/firecrawl/externalsecret.yaml new file mode 100644 index 0000000..73f55b6 --- /dev/null +++ b/cluster/applications/firecrawl/externalsecret.yaml @@ -0,0 +1,34 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: firecrawl-secrets + namespace: firecrawl + labels: + app.kubernetes.io/name: firecrawl + app.kubernetes.io/component: secrets + app.kubernetes.io/part-of: firecrawl +spec: + refreshInterval: 1h + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: firecrawl-secrets + creationPolicy: Owner + template: + engineVersion: v2 + type: Opaque + data: + # PostgreSQL database password + POSTGRES_PASSWORD: "{{ .postgresPassword }}" + # Redis Bull queue admin UI authentication key + BULL_AUTH_KEY: "{{ .bullAuthKey }}" + data: + - secretKey: postgresPassword + remoteRef: + key: firecrawl + property: postgres-password + - secretKey: bullAuthKey + remoteRef: + key: firecrawl + property: bull-auth-key