From f7aca0f806de9fa8507ad8eab82bb18dc6207ed4 Mon Sep 17 00:00:00 2001 From: Julius de Jeu Date: Mon, 23 May 2022 00:02:30 +0200 Subject: [PATCH] Add external secrets --- flux/cluster/base/core.yaml | 2 ++ flux/cluster/base/crds.yaml | 13 +++++++++ .../charts/external-secrets-charts.yaml | 8 +++++ .../flux-system/charts/kustomization.yaml | 4 +++ .../base/flux-system/kustomization.yaml | 1 + flux/cluster/core/external-secrets/helm.yaml | 22 ++++++++++++++ .../core/external-secrets/kustomization.yaml | 5 ++++ .../external-secrets/vault-secret-store.yaml | 26 +++++++++++++++++ flux/cluster/core/kustomization.yaml | 1 + .../core/namespaces/external-secrets.yaml | 6 ++++ flux/cluster/crds/external-secrets/crds.yaml | 29 +++++++++++++++++++ .../crds/external-secrets/kustomization.yaml | 4 +++ flux/cluster/crds/kustomization.yaml | 4 +++ 13 files changed, 125 insertions(+) create mode 100644 flux/cluster/base/crds.yaml create mode 100644 flux/cluster/base/flux-system/charts/external-secrets-charts.yaml create mode 100644 flux/cluster/base/flux-system/charts/kustomization.yaml create mode 100644 flux/cluster/core/external-secrets/helm.yaml create mode 100644 flux/cluster/core/external-secrets/kustomization.yaml create mode 100644 flux/cluster/core/external-secrets/vault-secret-store.yaml create mode 100644 flux/cluster/core/namespaces/external-secrets.yaml create mode 100644 flux/cluster/crds/external-secrets/crds.yaml create mode 100644 flux/cluster/crds/external-secrets/kustomization.yaml create mode 100644 flux/cluster/crds/kustomization.yaml
diff --git a/flux/cluster/base/core.yaml b/flux/cluster/base/core.yaml
index 06ad67d..0f80aaa 100644
--- a/flux/cluster/base/core.yaml
+++ b/flux/cluster/base/core.yaml
@@ -7,6 +7,8 @@ metadata:
 spec:
 interval: 10m0s
 path: ./flux/cluster/core
+ dependsOn:
+ - name: crds
 prune: false
 sourceRef:
 kind: GitRepository
diff --git a/flux/cluster/base/crds.yaml b/flux/cluster/base/crds.yaml
new file mode 100644
index 0000000..cf080f8
--- /dev/null
+++ b/flux/cluster/base/crds.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: crds
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ path: ./flux/cluster/crds
+ prune: false
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
diff --git a/flux/cluster/base/flux-system/charts/external-secrets-charts.yaml b/flux/cluster/base/flux-system/charts/external-secrets-charts.yaml
new file mode 100644
index 0000000..f982d37
--- /dev/null
+++ b/flux/cluster/base/flux-system/charts/external-secrets-charts.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: external-secrets-charts
+ namespace: flux-system
+spec:
+ interval: 15m
+ url: https://charts.external-secrets.io
\ No newline at end of file
diff --git a/flux/cluster/base/flux-system/charts/kustomization.yaml b/flux/cluster/base/flux-system/charts/kustomization.yaml
new file mode 100644
index 0000000..fe3979e
--- /dev/null
+++ b/flux/cluster/base/flux-system/charts/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - external-secrets-charts.yaml
diff --git a/flux/cluster/base/flux-system/kustomization.yaml b/flux/cluster/base/flux-system/kustomization.yaml
index a1eab17..4f8d51b 100644
--- a/flux/cluster/base/flux-system/kustomization.yaml
+++ b/flux/cluster/base/flux-system/kustomization.yaml
@@ -4,3 +4,4 @@ resources:
 - gotk-components.yaml
 - gotk-sync.yaml
 - notifications.yaml
+ - charts
diff --git a/flux/cluster/core/external-secrets/helm.yaml b/flux/cluster/core/external-secrets/helm.yaml
new file mode 100644
index 0000000..fb189b1
--- /dev/null
+++ b/flux/cluster/core/external-secrets/helm.yaml
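Review bot: The `crds` Kustomization has no `wait: true`, so the `dependsOn: crds` added to base/core.yaml is satisfied as soon as this object's own manifests — the nested GitRepository and `external-secrets-crds` Kustomization under flux/cluster/crds — are applied, not when the External Secrets CRDs are actually established in the API server. The HelmRelease and ClusterSecretStore under core can therefore be applied before `external-secrets.io/v1beta1` exists; Flux retries, but the first reconciliations fail and alert. Adding `wait: true` after `prune: false` in this spec makes the dependency hold until the nested Kustomization reports Ready (Flux health-checks its own Kustomization objects, as far as I recall), which is the ordering base/core.yaml is trying to express.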
@@ -0,0 +1,22 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: external-secrets
+ namespace: external-secrets
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: external-secrets
+ version: 0.5.3
+ sourceRef:
+ kind: HelmRepository
+ name: external-secrets-charts
+ namespace: flux-system
+ interval: 5m
+ values:
+ installCRDs: false
+ install:
+ crds: Skip
+ upgrade:
+ crds: Skip
\ No newline at end of file
diff --git a/flux/cluster/core/external-secrets/kustomization.yaml b/flux/cluster/core/external-secrets/kustomization.yaml
new file mode 100644
index 0000000..aa6afa0
--- /dev/null
+++ b/flux/cluster/core/external-secrets/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - helm.yaml
+ - vault-secret-store.yaml
diff --git a/flux/cluster/core/external-secrets/vault-secret-store.yaml b/flux/cluster/core/external-secrets/vault-secret-store.yaml
new file mode 100644
index 0000000..9011527
--- /dev/null
+++ b/flux/cluster/core/external-secrets/vault-secret-store.yaml
@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vault
+ namespace: external-secrets
+spec:
+ provider:
+ vault:
+ server: "http://10.42.42.6:8200"
+ path: "k8s"
+ version: "v2"
+ auth:
+ # VaultAppRole authenticates with Vault using the
+ # App Role auth mechanism
+ # https://www.vaultproject.io/docs/auth/approle
+ appRole:
+ # Path where the App Role authentication backend is mounted
+ path: "approle"
+ # RoleID configured in the App Role authentication backend
+ roleId: "48a0e39d-e7e8-4ac2-529c-db99ffa1f6b0"
+ # Reference to a key in a K8 Secret that contains the App Role SecretId
+ # (not commited in git)
+ secretRef:
+ name: "vault-secret-id"
+ namespace: "external-secrets"
+ key: "secret-id"
diff --git a/flux/cluster/core/kustomization.yaml b/flux/cluster/core/kustomization.yaml
index 4b61208..04ee4a1 100644
--- a/flux/cluster/core/kustomization.yaml
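Review bot: The chart `version: 0.5.3` here and the CRD git tag `v0.5.3` in flux/cluster/crds/external-secrets/crds.yaml are pinned independently with nothing tying them together, and because this release sets `installCRDs: false` plus `install.crds: Skip` / `upgrade.crds: Skip`, Helm will never notice when a later chart bump leaves the controller running against stale CRDs. Record the coupling where the next bump will happen: `version: 0.5.3  # keep in sync with ref.tag in flux/cluster/crds/external-secrets/crds.yaml`. Whether chart version and app tag track each other one-to-one upstream is worth confirming before relying on that convention.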
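Review bot: `server: "http://10.42.42.6:8200"` talks to Vault over plaintext, so the AppRole secret-id presented at every login and every secret ESO subsequently pulls cross the cluster network unencrypted; change it to `https://` and pin the CA with `caBundle` (or `caProvider` referencing a ConfigMap/Secret) rather than disabling verification. `ClusterSecretStore` is cluster-scoped, so `namespace: external-secrets` under `metadata` is at best ignored and should be dropped (the `secretRef.namespace` lower down is the one that matters), and being cluster-scoped it lets any namespace that can create an ExternalSecret read everything the AppRole policy grants under the `k8s` mount — if that is not intended, use a namespaced `SecretStore`, or restrict via `spec.conditions` if the installed ESO version supports it. Committing the `roleId` is tolerable only if the secret-id is treated as the real credential; since ESO logs in repeatedly the secret-id has to be multi-use and effectively long-lived, so Vault's Kubernetes auth method (`auth.kubernetes`) would remove the hand-created static secret altogether. Also `commited` in the comment should read `committed`.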
+++ b/flux/cluster/core/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - namespaces
+ # - external-secrets
diff --git a/flux/cluster/core/namespaces/external-secrets.yaml b/flux/cluster/core/namespaces/external-secrets.yaml
new file mode 100644
index 0000000..5ddfc85
--- /dev/null
+++ b/flux/cluster/core/namespaces/external-secrets.yaml
@@ -0,0 +1,6 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: external-secrets
+ labels:
+ name: external-secrets
\ No newline at end of file
diff --git a/flux/cluster/crds/external-secrets/crds.yaml b/flux/cluster/crds/external-secrets/crds.yaml
new file mode 100644
index 0000000..c419c62
--- /dev/null
+++ b/flux/cluster/crds/external-secrets/crds.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+ name: external-secrets-crd-source
+ namespace: flux-system
+spec:
+ interval: 30m
+ url: https://github.com/external-secrets/external-secrets.git
+ ref:
+ tag: v0.5.3
+ ignore: |
+ # exclude all
+ /*
+ # path to crds
+ !/deploy/crds/
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: external-secrets-crds
+ namespace: flux-system
+spec:
+ interval: 15m
+ prune: false
+ wait: true
+ sourceRef:
+ kind: GitRepository
+ name: external-secrets-crd-source
\ No newline at end of file
diff --git a/flux/cluster/crds/external-secrets/kustomization.yaml b/flux/cluster/crds/external-secrets/kustomization.yaml
new file mode 100644
index 0000000..2ed3b35
--- /dev/null
+++ b/flux/cluster/crds/external-secrets/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - crds.yaml
diff --git a/flux/cluster/crds/kustomization.yaml b/flux/cluster/crds/kustomization.yaml
new file mode 100644
index 0000000..532bfd3
--- /dev/null
+++ b/flux/cluster/crds/kustomization.yaml
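Review bot: `# - external-secrets` is added commented out, so nothing under flux/cluster/core/external-secrets — the HelmRelease and the ClusterSecretStore — is reconciled by this commit; only the namespace and the CRDs land, even though the commit title says it adds External Secrets. If this is deliberate staging until the `vault-secret-id` Secret has been created by hand, say so on the line so the next reader does not mistake it for dead configuration: `# - external-secrets  # enable once Secret external-secrets/vault-secret-id exists`. Otherwise the entry should be uncommented.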
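Review bot: The CRD source pins a git tag (`ref:` / `tag: v0.5.3`) on a public repository, and tags are mutable, so what gets installed cluster-wide as CRDs can change upstream without any change in this repo. Pin by commit instead (`ref:` / `commit: <sha that v0.5.3 resolves to>`), or keep the tag and add a `verify:` block with the maintainers' signing keys if upstream signs its tags, so source-controller rejects a retagged or tampered tree. Minor: the `external-secrets-crds` Kustomization has no `path:`, so it applies from the repo root and only works because the `ignore:` block drops everything but `/deploy/crds/`; a comment such as `# no path: the ignore rules above leave only deploy/crds in the artifact` next to `ignore:` would save the next reader from chasing that.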
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - external-secrets