Add external secrets

2022-05-23 00:02:30 +02:00 · 2022-05-23 00:02:30 +02:00 · f7aca0f806
parent c98ba05772
commit f7aca0f806
13 changed files with 125 additions and 0 deletions
--- a/flux/cluster/base/core.yaml
+++ b/flux/cluster/base/core.yaml
@ -7,6 +7,8 @@ metadata:
 spec:
  interval: 10m0s
  path: ./flux/cluster/core
+  dependsOn:
+    - name: crds
  prune: false
  sourceRef:
    kind: GitRepository
--- a/flux/cluster/base/crds.yaml
+++ b/flux/cluster/base/crds.yaml
@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: crds
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./flux/cluster/crds
+  prune: false
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
--- a/flux/cluster/base/flux-system/charts/external-secrets-charts.yaml
+++ b/flux/cluster/base/flux-system/charts/external-secrets-charts.yaml
@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: external-secrets-charts
+  namespace: flux-system
+spec:
+  interval: 15m
+  url: https://charts.external-secrets.io
--- a/flux/cluster/base/flux-system/charts/kustomization.yaml
+++ b/flux/cluster/base/flux-system/charts/kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - external-secrets-charts.yaml
--- a/flux/cluster/base/flux-system/kustomization.yaml
+++ b/flux/cluster/base/flux-system/kustomization.yaml
@ -4,3 +4,4 @@ resources:
  - gotk-components.yaml
  - gotk-sync.yaml
  - notifications.yaml
+  - charts
--- a/flux/cluster/core/external-secrets/helm.yaml
+++ b/flux/cluster/core/external-secrets/helm.yaml
@ -0,0 +1,22 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: external-secrets
+  namespace: external-secrets
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: external-secrets
+      version: 0.5.3
+      sourceRef:
+        kind: HelmRepository
+        name: external-secrets-charts
+        namespace: flux-system
+      interval: 5m
+  values:
+    installCRDs: false
+  install:
+    crds: Skip
+  upgrade:
+    crds: Skip
--- a/flux/cluster/core/external-secrets/kustomization.yaml
+++ b/flux/cluster/core/external-secrets/kustomization.yaml
@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm.yaml
+  - vault-secret-store.yaml
--- a/flux/cluster/core/external-secrets/vault-secret-store.yaml
+++ b/flux/cluster/core/external-secrets/vault-secret-store.yaml
@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault
+  namespace: external-secrets
+spec:
+  provider:
+    vault:
+      server: "http://10.42.42.6:8200"
+      path: "k8s"
+      version: "v2"
+      auth:
+        # VaultAppRole authenticates with Vault using the
+        # App Role auth mechanism
+        # https://www.vaultproject.io/docs/auth/approle
+        appRole:
+          # Path where the App Role authentication backend is mounted
+          path: "approle"
+          # RoleID configured in the App Role authentication backend
+          roleId: "48a0e39d-e7e8-4ac2-529c-db99ffa1f6b0"
+          # Reference to a key in a K8 Secret that contains the App Role SecretId
+          # (not commited in git)
+          secretRef:
+            name: "vault-secret-id"
+            namespace: "external-secrets"
+            key: "secret-id"
--- a/flux/cluster/core/kustomization.yaml
+++ b/flux/cluster/core/kustomization.yaml
@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespaces
+  # - external-secrets
--- a/flux/cluster/core/namespaces/external-secrets.yaml
+++ b/flux/cluster/core/namespaces/external-secrets.yaml
@ -0,0 +1,6 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: external-secrets
+  labels:
+    name: external-secrets
--- a/flux/cluster/crds/external-secrets/crds.yaml
+++ b/flux/cluster/crds/external-secrets/crds.yaml
@ -0,0 +1,29 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: external-secrets-crd-source
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: https://github.com/external-secrets/external-secrets.git
+  ref:
+    tag: v0.5.3
+  ignore: |
+    # exclude all
+    /*
+    # path to crds
+    !/deploy/crds/    
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: external-secrets-crds
+  namespace: flux-system
+spec:
+  interval: 15m
+  prune: false
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: external-secrets-crd-source
--- a/flux/cluster/crds/external-secrets/kustomization.yaml
+++ b/flux/cluster/crds/external-secrets/kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - crds.yaml
--- a/flux/cluster/crds/kustomization.yaml
+++ b/flux/cluster/crds/kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - external-secrets