feat: add SMTP Relay, HashiCorp Vault and External Secrets Operator addons

- SMTP Relay (bokysan/mail): Postfix relay via Yandex SMTP, port 465 with
  TLS wrappermode, trusted networks only (pod/service CIDR), no authentication
  inside the cluster; pods send to smtp-relay:25
- HashiCorp Vault (hashicorp/vault): standalone and HA (Raft) modes,
  auto-unseal: k8s Secret (homelab), AWS KMS, GCP CKMS, Azure Key Vault,
  Transit; Vault Agent Injector enabled by default; init Job + Unsealer
  Deployment for the k8s mode; README with a full guide to injection in YAML/Helm
- External Secrets Operator (ESO): syncs Vault secrets into k8s Secrets,
  ClusterSecretStore with AppRole auth, README with ExternalSecret examples in
  YAML manifests, Helm charts and ArgoCD

Updated: addons.yml (3 new flags + sections), vault.yml.example
(smtp_relay_password, aws_kms_*, eso_approle_secret_id),
playbooks/addons.yml, Makefile
Sergey Antropoff
2026-04-25 18:31:06 +03:00
parent a209b8a9bf
commit 3765bc87b6
20 changed files with 1599 additions and 0 deletions


@@ -231,3 +231,27 @@
when: addon_vaultwarden | default(false) | bool
roles:
- role: "{{ playbook_dir }}/../addons/vaultwarden/role"
- name: Install SMTP Relay
hosts: k3s_master[0]
gather_facts: false
become: true
when: addon_smtp_relay | default(false) | bool
roles:
- role: "{{ playbook_dir }}/../addons/smtp-relay/role"
- name: Install HashiCorp Vault
hosts: k3s_master[0]
gather_facts: false
become: true
when: addon_vault | default(false) | bool
roles:
- role: "{{ playbook_dir }}/../addons/vault/role"
- name: Install External Secrets Operator
hosts: k3s_master[0]
gather_facts: false
become: true
when: addon_external_secrets | default(false) | bool
roles:
- role: "{{ playbook_dir }}/../addons/external-secrets/role"
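Review bot: the three new plays (Install SMTP Relay, Install HashiCorp Vault, Install External Secrets Operator) are each gated only by their own flag (`when: addon_smtp_relay | default(false) | bool`, `addon_vault`, `addon_external_secrets`), but the commit message says ESO's ClusterSecretStore authenticates to Vault with AppRole, so enabling `addon_external_secrets` without `addon_vault` will install an operator whose store has no backend. Either add an `assert` (or `fail`) in the ESO play when `addon_external_secrets` is true and `addon_vault` is false, or state in the ESO README that an external Vault address is expected in that case. The play ordering itself (Vault before External Secrets Operator) is correct for a single run, and all three plays mirror the existing vaultwarden play (`hosts: k3s_master[0]`, `gather_facts: false`, `become: true`), which keeps the playbook consistent.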