Overview
The tooling namespace hosts developer and operational tools that support the cluster and team workflows. These applications are managed by Flux and deployed in the overlays/kimawesome/applications/tooling/ directory.
n8n: Workflow automation platform for building integrations and automations
Yopass: Secure secret sharing tool with time-limited access
n8n Workflow Automation
Overview
n8n is a workflow automation tool that allows you to build integrations between different services and automate tasks. It’s deployed using a Helm chart and exposed via an internal HTTPRoute.
Deployment
The n8n application is deployed via HelmRelease at overlays/base/n8n/helm-release.yaml:1:
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: n8n
spec:
  releaseName: n8n
  interval: 5m
  chart:
    spec:
      chart: n8n
      version: "=2.0.1"
      sourceRef:
        kind: HelmRepository
        name: n8n
  values: {}
The Helm chart version is pinned to 2.0.1 to ensure consistent deployments.
Configuration
The kimawesome overlay applies additional configuration at overlays/kimawesome/applications/tooling/n8n/helm-release.patch.yaml:1:
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: n8n
spec:
  values:
    main:
      config:
        N8N_SECURE_COOKIE: false
N8N_SECURE_COOKIE is set to false because the application is accessed via HTTP internally. If exposing externally, enable HTTPS and set this to true.
Accessing n8n
The n8n web interface is accessible via the internal gateway at overlays/kimawesome/applications/tooling/n8n/httproute.yaml:1:
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: n8n
spec:
  parentRefs:
    - name: internal-gateway
      namespace: kube-system
  hostnames:
    - n8n.internal.kim.tec.br
  rules:
    - backendRefs:
        - name: n8n
          port: 80
Access the Web UI
Navigate to the n8n interface: http://n8n.internal.kim.tec.br
Or use the DNS record:
Create Your First Workflow
Click “Create new workflow”
Add trigger nodes (webhook, schedule, etc.)
Add action nodes (HTTP request, email, etc.)
Configure connections between nodes
Test and activate your workflow
Set Up Credentials
Add credentials for external services in Settings → Credentials. Credentials are encrypted and stored in n8n’s database.
Common Use Cases
Webhook Automation
Create a webhook trigger to receive events from external services:
// Webhook URL format
http://n8n.internal.kim.tec.br/webhook/your-webhook-id
// Example: Trigger on GitHub push
{
  "event": "push",
  "repository": "myrepo",
  "branch": "main"
}
Scheduled Tasks
Run workflows on a schedule:
Every hour: 0 * * * *
Daily at 9 AM: 0 9 * * *
Every Monday: 0 0 * * 1
Integration Examples
Monitor Git repositories and notify on changes
Sync data between databases
Process files from cloud storage
Send notifications to Slack/Discord
Automate deployment workflows
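For the GitHub push webhook under Webhook Automation, a receiver should authenticate each delivery before acting on it. The sketch below is an added example, not code from this repository or from n8n: it checks GitHub's X-Hub-Signature-256 HMAC and reads the `ref` and `repository.full_name` fields of a real push payload. The function names, the branch allow-list and the shared secret are assumptions.

```javascript
// Added example (not n8n or repository code): authenticate a GitHub push delivery.
const crypto = require('node:crypto');

// GitHub sends "X-Hub-Signature-256: sha256=<hex HMAC-SHA256 of the raw body>".
function verifyGithubSignature(rawBody, header, secret) {
  if (typeof header !== 'string' || !header.startsWith('sha256=')) return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const given = Buffer.from(header.slice(7), 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Accept only signed push events for allowed branches; reject everything else.
// Header names are expected in lower case, as Node's HTTP server provides them.
function acceptPush(rawBody, headers, secret, allowedBranches = ['main']) {
  if (!verifyGithubSignature(rawBody, headers['x-hub-signature-256'], secret)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (headers['x-github-event'] !== 'push') return { ok: false, reason: 'not a push' };
  let payload;
  try {
    payload = JSON.parse(rawBody.toString('utf8'));
  } catch {
    return { ok: false, reason: 'invalid JSON' };
  }
  const branch = String(payload.ref || '').replace(/^refs\/heads\//, '');
  if (!allowedBranches.includes(branch)) return { ok: false, reason: 'branch not allowed' };
  return { ok: true, repository: payload.repository?.full_name, branch };
}
```

The signature must be computed over the raw request bytes, not over a re-serialized JSON object.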
Yopass Secret Sharing
Overview
Yopass is a secure way to share secrets with time-limited access. Secrets are encrypted in the browser and stored temporarily in memcached.
Deployment
The Yopass deployment is defined at overlays/base/yopass/deployment.yaml:1:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: yopass
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: yopass
  template:
    metadata:
      labels:
        app.kubernetes.io/name: yopass
    spec:
      containers:
        - name: yopass
          image: jhaals/yopass
          args:
            - "--memcached=localhost:11211"
          ports:
            - name: http
              containerPort: 1337
          resources:
            limits:
              cpu: 100m
              memory: 50Mi
            requests:
              cpu: 100m
              memory: 50Mi
        - name: yopass-memcached
          image: memcached
          resources:
            limits:
              cpu: 100m
              memory: 100Mi
            requests:
              cpu: 100m
              memory: 100Mi
          args:
            - "-m 64"
          ports:
            - name: memcached
              containerPort: 11211
Yopass uses a sidecar memcached container for temporary secret storage. Secrets are automatically deleted after expiration.
Service Configuration
The Yopass service is defined at overlays/base/yopass/service.yaml:1:
kind: Service
apiVersion: v1
metadata:
  name: yopass
spec:
  selector:
    app.kubernetes.io/name: yopass
  type: ClusterIP
  ports:
    - name: http
      port: 1337
Accessing Yopass
Yopass is exposed via HTTPRoute at overlays/kimawesome/applications/tooling/yopass/httproute.yaml:1:
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: yopass-route
spec:
  parentRefs:
    - name: https-gateway
      namespace: kube-system
      sectionName: https-yopass
  hostnames:
    - "yopass.kim.tec.br"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: yopass
          port: 1337
Access Yopass at:
https://yopass.kim.tec.br
Using Yopass
Share a Secret
Navigate to https://yopass.kim.tec.br
Enter your secret (password, token, etc.)
Choose expiration time (1 hour, 1 day, 1 week)
Optionally set one-time download
Click “Encrypt & Share”
Copy the Link
You’ll receive a unique URL like: https://yopass.kim.tec.br/#/s/abc123def456
Share this link via your preferred communication channel.
Recipient Access
The recipient clicks the link and can view the secret once (or until expiration). The secret is automatically deleted after viewing if one-time download is enabled.
Security Features
Client-Side Encryption: Secrets are encrypted in the browser before being sent to the server
Time-Limited: Secrets automatically expire after the configured time period
One-Time Access: Optional one-time download ensures secrets can only be viewed once
No Persistence: Secrets are stored in memcached (memory) and never written to disk
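The four properties above can be seen in a small model, added here as an example and not taken from Yopass itself: the store only ever holds ciphertext, entries expire, and a one-time entry is deleted on first read. AES-256-GCM, the `SecretStore`, `share` and `reveal` names, and the link layout with the key as the last fragment segment are assumptions of this sketch.

```javascript
// Added example: models the flow described on this page; not Yopass source code.
const crypto = require('node:crypto');

// "Server" side: holds opaque blobs with a TTL, like the memcached sidecar.
class SecretStore {
  constructor(now = () => Date.now()) { this.now = now; this.items = new Map(); }
  put(blob, ttlSeconds, oneTime) {
    const id = crypto.randomUUID();
    this.items.set(id, { blob, oneTime, expires: this.now() + ttlSeconds * 1000 });
    return id;
  }
  get(id) {
    const item = this.items.get(id);
    if (!item) return null;
    if (this.now() >= item.expires) { this.items.delete(id); return null; }
    if (item.oneTime) this.items.delete(id); // one-time download: gone after first read
    return item.blob;
  }
}

// Sender's browser: encrypt locally and upload only the ciphertext.
// AES-256-GCM is a stand-in cipher chosen for this example (assumption).
function share(store, plaintext, ttlSeconds, oneTime) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
  const id = store.put(blob, ttlSeconds, oneTime);
  // The key sits in the URL fragment, which browsers never send to the server.
  return `https://yopass.kim.tec.br/#/s/${id}/${key.toString('base64url')}`;
}

// Recipient's browser: fetch the blob by id, decrypt with the key from the link.
function reveal(store, link) {
  const [id, keyB64] = new URL(link).hash.split('/').slice(2);
  const blob = store.get(id);
  if (blob === null) return null; // expired or already viewed
  const raw = Buffer.from(blob, 'base64url');
  const key = Buffer.from(keyB64, 'base64url');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}
```

Because the key is part of the link, anyone who obtains the full link before expiry can read the secret, which is why the channel used to send it matters.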
Best Practices
Use the shortest reasonable expiration time
Enable one-time download
Notify the recipient through a separate channel
Don’t share the link via email if possible
Set expiration to match expected usage window
Consider rotating keys after sharing
Use one-time download for production keys
Monitor key usage after sharing
Bundle related secrets together
Document what each secret is for
Set appropriate expiration (24h for dev, 1h for prod)
Revoke and regenerate if link is compromised
The tooling applications are managed via Kustomize at overlays/kimawesome/applications/tooling/kustomization.yaml:1:
namespace: tooling
resources:
  - namespace.yaml
  - yopass
  - no/
  - n8n
Create Base Manifests
Add your tool’s manifests to overlays/base/your-tool/:
# overlays/base/your-tool/deployment.yaml
# overlays/base/your-tool/service.yaml
# overlays/base/your-tool/kustomization.yaml
Create Overlay
Create an overlay in the tooling directory:
mkdir overlays/kimawesome/applications/tooling/your-tool
Add HTTPRoute
Create an HTTPRoute for external access:
# overlays/kimawesome/applications/tooling/your-tool/httproute.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: your-tool-route
spec:
  parentRefs:
    - name: internal-gateway
      namespace: kube-system
  hostnames:
    - your-tool.internal.kim.tec.br
Update Kustomization
Add your tool to the tooling kustomization:
resources:
  - namespace.yaml
  - yopass
  - n8n
  - your-tool # Add this line
Commit and Deploy
git add overlays/
git commit -m "Add your-tool to tooling namespace"
git push
# Flux will automatically deploy
flux reconcile kustomization applications
Troubleshooting
Check the HelmRelease status:
kubectl get helmrelease -n tooling n8n
flux logs --kind=HelmRelease --name=n8n --namespace=tooling
Verify the HTTPRoute:
kubectl get httproute -n tooling n8n
kubectl describe httproute -n tooling n8n
Yopass secrets not persisting
This is expected behavior. Yopass uses memcached, which stores secrets in memory only. Check the memcached sidecar:
kubectl get pods -n tooling -l app.kubernetes.io/name=yopass
kubectl logs -n tooling -l app.kubernetes.io/name=yopass -c yopass-memcached
Verify the Gateway is running and accepting routes:
kubectl get gateway -n kube-system
kubectl get httproute -n tooling
Check Gateway API resources:
kubectl describe gateway -n kube-system internal-gateway
Resource Usage
The tooling applications are configured with conservative resource limits:
Application  CPU Request     Memory Request  CPU Limit       Memory Limit
n8n          (Helm default)  (Helm default)  (Helm default)  (Helm default)
Yopass       100m            50Mi            100m            50Mi
Memcached    100m            100Mi           100m            100Mi
Adjust these limits based on actual usage patterns and monitoring data.