firecrawl: Day 4 - Add ExternalSecret for 1Password integration
- Add ExternalSecret manifest to sync firecrawl secrets from 1Password - Configure POSTGRES_PASSWORD and BULL_AUTH_KEY from mk-labs vault - Add comprehensive SECRETS_SETUP.md documentation - Verified ExternalSecrets Operator successfully synced secrets - All 18 deployment manifests validated with dry-run Status: firecrawl-secrets Secret created and populated correctly
This commit is contained in:
59
cluster/applications/firecrawl/SECRETS_SETUP.md
Normal file
59
cluster/applications/firecrawl/SECRETS_SETUP.md
Normal file
@@ -0,0 +1,59 @@
|
||||
# Firecrawl Secrets for 1Password
|
||||
|
||||
## Action Required: Manual Secret Creation in 1Password
|
||||
|
||||
The 1Password Connect token is READ-ONLY for security. These secrets must be manually added to 1Password.
|
||||
|
||||
### Vault Information
|
||||
- **Vault Name:** mk-labs
|
||||
- **Vault ID:** mnefk7klz35qqvv2eucygh4pzm
|
||||
|
||||
### Item to Create
|
||||
- **Item Name:** firecrawl
|
||||
- **Item Type:** Server / API Credential
|
||||
|
||||
### Fields to Add
|
||||
|
||||
#### 1. postgres-password
|
||||
- **Label:** postgres-password
|
||||
- **Type:** Password (concealed)
|
||||
- **Value:** `ll1fTJSer8h0Bwq7PBmkTcRbAlFKGzbV`
|
||||
- **Purpose:** PostgreSQL database authentication
|
||||
|
||||
#### 2. bull-auth-key
|
||||
- **Label:** bull-auth-key
|
||||
- **Type:** Password (concealed)
|
||||
- **Value:** `fCHhkTNeplAwI2scqGo0C4cwJGA33FBpmyIVxlbzkodRbFKy5WlroxJeezjYg1UQ`
|
||||
- **Purpose:** Redis Bull queue admin UI authentication
|
||||
|
||||
## Instructions
|
||||
|
||||
1. Open 1Password desktop app or web interface
|
||||
2. Navigate to the "mk-labs" vault
|
||||
3. Create a new item:
|
||||
- Name: `firecrawl`
|
||||
- Type: `Server` or `Password`
|
||||
4. Add custom fields:
|
||||
- Field 1: Label = `postgres-password`, Value = (32-char password above)
|
||||
- Field 2: Label = `bull-auth-key`, Value = (64-char key above)
|
||||
5. Save the item
|
||||
|
||||
## Verification
|
||||
|
||||
After creating the item in 1Password, verify it's accessible:
|
||||
|
||||
```bash
|
||||
# Port-forward to 1Password Connect (if not already running)
|
||||
kubectl port-forward -n onepassword-connect svc/onepassword-connect 8080:8080 &
|
||||
|
||||
# Test retrieval (read-only access should work)
|
||||
curl -s -H "Authorization: Bearer *** kubectl get secret -n onepassword-connect connect-token -o jsonpath='{.data.token}' | base64 -d)" \
|
||||
"http://localhost:8080/v1/vaults/mnefk7klz35qqvv2eucygh4pzm/items" | \
|
||||
jq -r '.[] | select(.title == "firecrawl") | .title'
|
||||
```
|
||||
|
||||
Expected output: `firecrawl`
|
||||
|
||||
## Next Steps
|
||||
|
||||
Once the item is created in 1Password, the ExternalSecret manifest will automatically sync these values to Kubernetes.
|
||||
34
cluster/applications/firecrawl/externalsecret.yaml
Normal file
34
cluster/applications/firecrawl/externalsecret.yaml
Normal file
@@ -0,0 +1,34 @@
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: firecrawl-secrets
|
||||
namespace: firecrawl
|
||||
labels:
|
||||
app.kubernetes.io/name: firecrawl
|
||||
app.kubernetes.io/component: secrets
|
||||
app.kubernetes.io/part-of: firecrawl
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: onepassword-connect
|
||||
target:
|
||||
name: firecrawl-secrets
|
||||
creationPolicy: Owner
|
||||
template:
|
||||
engineVersion: v2
|
||||
type: Opaque
|
||||
data:
|
||||
# PostgreSQL database password
|
||||
POSTGRES_PASSWORD: "{{ .postgresPassword }}"
|
||||
# Redis Bull queue admin UI authentication key
|
||||
BULL_AUTH_KEY: "{{ .bullAuthKey }}"
|
||||
data:
|
||||
- secretKey: postgresPassword
|
||||
remoteRef:
|
||||
key: firecrawl
|
||||
property: postgres-password
|
||||
- secretKey: bullAuthKey
|
||||
remoteRef:
|
||||
key: firecrawl
|
||||
property: bull-auth-key
|
||||
Reference in New Issue
Block a user