From 947dd68f39de102e0875c50854daac499f7e254d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20M=C3=BCller?=
Date: Wed, 27 Dec 2023 22:10:13 +0100
Subject: [PATCH] feat(external-secrets): setup and configure vault backend
---
.../external-secrets/app/helm-release.yaml | 22 ++++++++++
.../external-secrets/app/kustomization.yaml | 7 ++++
.../secops/external-secrets/flux-sync.yaml | 41 +++++++++++++++++++
.../stores/cluster-secret-store.yaml | 19 +++++++++
.../stores/kustomization.yaml | 7 ++++
.../helm/external-secrets-charts.yaml | 10 +++++
6 files changed, 106 insertions(+)
create mode 100644 kubernetes/talos-flux/apps/secops/external-secrets/app/helm-release.yaml
create mode 100644 kubernetes/talos-flux/apps/secops/external-secrets/app/kustomization.yaml
create mode 100644 kubernetes/talos-flux/apps/secops/external-secrets/flux-sync.yaml
create mode 100644 kubernetes/talos-flux/apps/secops/external-secrets/stores/cluster-secret-store.yaml
create mode 100644 kubernetes/talos-flux/apps/secops/external-secrets/stores/kustomization.yaml
create mode 100644 kubernetes/talos-flux/flux/repositories/helm/external-secrets-charts.yaml
diff --git a/kubernetes/talos-flux/apps/secops/external-secrets/app/helm-release.yaml b/kubernetes/talos-flux/apps/secops/external-secrets/app/helm-release.yaml
new file mode 100644
index 000000000..9d2b3c032
--- /dev/null
+++ b/kubernetes/talos-flux/apps/secops/external-secrets/app/helm-release.yaml
@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: &app external-secrets
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: external-secrets
+ version: 0.9.11
+ interval: 30m
+ sourceRef:
+ kind: HelmRepository
+ name: external-secrets-charts
+ namespace: flux-system
+ values:
+ installCRDs: true
+ replicaCount: 1
+ grafana:
+ enabled: false
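Review bot: The `&app` anchor on `name: &app external-secrets` is never aliased (`*app`) anywhere in this HelmRelease, so it is a dangling anchor that reads like a leftover from a template where the name was reused. Either alias it where the name genuinely repeats or simplify the line to `name: external-secrets`. Nothing else in the hunk depends on it, since the chart, version and HelmRepository reference are all spelled out explicitly.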
diff --git a/kubernetes/talos-flux/apps/secops/external-secrets/app/kustomization.yaml b/kubernetes/talos-flux/apps/secops/external-secrets/app/kustomization.yaml
new file mode 100644
index 000000000..6a15b9305
--- /dev/null
+++ b/kubernetes/talos-flux/apps/secops/external-secrets/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: secops
+resources:
+ - ./helm-release.yaml
diff --git a/kubernetes/talos-flux/apps/secops/external-secrets/flux-sync.yaml b/kubernetes/talos-flux/apps/secops/external-secrets/flux-sync.yaml
new file mode 100644
index 000000000..87470a3da
--- /dev/null
+++ b/kubernetes/talos-flux/apps/secops/external-secrets/flux-sync.yaml
@@ -0,0 +1,41 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: apps-external-secrets
+ namespace: flux-system
+ labels:
+ substitution.flux.home.arpa/enabled: "true"
+spec:
+ interval: 30m
+ retryInterval: 15s
+ timeout: 3m
+ path: ./kubernetes/talos-flux/apps/secops/external-secrets/app
+ prune: true
+ wait: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops
+
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: apps-external-secrets-stores
+ namespace: flux-system
+ labels:
+ substitution.flux.home.arpa/enabled: "true"
+spec:
+ interval: 30m
+ retryInterval: 15s
+ timeout: 3m
+ path: ./kubernetes/talos-flux/apps/secops/external-secrets/stores
+ prune: true
+ wait: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops
+ dependsOn:
+ - name: apps-external-secrets
diff --git a/kubernetes/talos-flux/apps/secops/external-secrets/stores/cluster-secret-store.yaml b/kubernetes/talos-flux/apps/secops/external-secrets/stores/cluster-secret-store.yaml
new file mode 100644
index 000000000..435467e59
--- /dev/null
+++ b/kubernetes/talos-flux/apps/secops/external-secrets/stores/cluster-secret-store.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vault-backend
+spec:
+ provider:
+ vault:
+ server: https://vault.techtales.io
+ path: infra
+ version: v2
+ auth:
+ kubernetes:
+ role: homeops
+ path: kubernetes
+ mountPath: kubernetes
+ serviceAccount:
+ name: vault-auth
+ namespace: secops
diff --git a/kubernetes/talos-flux/apps/secops/external-secrets/stores/kustomization.yaml b/kubernetes/talos-flux/apps/secops/external-secrets/stores/kustomization.yaml
new file mode 100644
index 000000000..dc4439678
--- /dev/null
+++ b/kubernetes/talos-flux/apps/secops/external-secrets/stores/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: secops
+resources:
+ - ./cluster-secret-store.yaml
diff --git a/kubernetes/talos-flux/flux/repositories/helm/external-secrets-charts.yaml b/kubernetes/talos-flux/flux/repositories/helm/external-secrets-charts.yaml
new file mode 100644
index 000000000..9277c35e9
--- /dev/null
+++ b/kubernetes/talos-flux/flux/repositories/helm/external-secrets-charts.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: external-secrets-charts
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://charts.external-secrets.io
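Review bot: The `auth.kubernetes` stanza in cluster-secret-store.yaml uses `path: kubernetes` and a `serviceAccount:` block, but as far as I know the ClusterSecretStore v1beta1 Vault provider has no `path` key under `kubernetes` and spells the account reference `serviceAccountRef`; if that is right, both fields are pruned as unknown and the external-secrets controller authenticates to Vault with its own service-account token instead of `vault-auth`, so the `homeops` role binding silently fails to match. Confirm by applying the rendered manifest with strict field validation, and if it rejects the keys change the block to `serviceAccountRef:` / `name: vault-auth` / `namespace: secops` and drop `path: kubernetes` (keeping `mountPath: kubernetes`). Nothing in this commit creates the `vault-auth` ServiceAccount in `secops`; unless it is defined elsewhere in the repo, the store never becomes Ready and `apps-external-secrets-stores` in flux-sync.yaml stays failing under `wait: true`. Because the store is cluster-scoped and sets no `spec.conditions`, every namespace in the cluster may reference `vault-backend` and read anything the `homeops` Vault role permits under `infra`; consider restricting consumers with `spec.conditions` (`namespaces` or `namespaceSelector`) and keeping the Vault policy for that role limited to the KV paths each consumer actually needs.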