feat(external-secrets): setup and configure vault backend

kubernetes/talos-flux/apps/secops/external-secrets/app/helm-release.yaml

@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: &app external-secrets
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: external-secrets
+      version: 0.9.11
+      interval: 30m
+      sourceRef:
+        kind: HelmRepository
+        name: external-secrets-charts
+        namespace: flux-system
+  values:
+    installCRDs: true
+    replicaCount: 1
+    grafana:
+      enabled: false

kubernetes/talos-flux/apps/secops/external-secrets/app/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: secops
+resources:
+  - ./helm-release.yaml

kubernetes/talos-flux/apps/secops/external-secrets/flux-sync.yaml

@@ -0,0 +1,41 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: apps-external-secrets
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  interval: 30m
+  retryInterval: 15s
+  timeout: 3m
+  path: ./kubernetes/talos-flux/apps/secops/external-secrets/app
+  prune: true
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: apps-external-secrets-stores
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  interval: 30m
+  retryInterval: 15s
+  timeout: 3m
+  path: ./kubernetes/talos-flux/apps/secops/external-secrets/stores
+  prune: true
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+  dependsOn:
+    - name: apps-external-secrets

kubernetes/talos-flux/apps/secops/external-secrets/stores/cluster-secret-store.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-backend
+spec:
+  provider:
+    vault:
+      server: https://vault.techtales.io
+      path: infra
+      version: v2
+      auth:
+        kubernetes:
+          role: homeops
+          path: kubernetes
+          mountPath: kubernetes
+          serviceAccount:
+            name: vault-auth
+            namespace: secops

kubernetes/talos-flux/apps/secops/external-secrets/stores/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: secops
+resources:
+  - ./cluster-secret-store.yaml

kubernetes/talos-flux/flux/repositories/helm/external-secrets-charts.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: external-secrets-charts
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.external-secrets.io