Add: vault-secrets-operator

nold 1 year ago
parent 78abb67ac5
commit 05e1b80b5f
  1. 36
      templates/heqet-apps.yaml
  2. 5
      values.d/argocd.yaml
  3. 143
      values.d/vault-secrets-operator.yaml
  4. 10
      values.d/vault.yaml
  5. 24
      values.yaml

@ -49,20 +49,6 @@ spec:
{{- end }}
values: |
{{- $values := $.Files.Get (printf "values.d/%s.yaml" .name ) | fromYaml | default dict }}
{{- $context := . }}
{{- range $gen, $vals := $.Values.generators }}
{{- with $context }}
{{- with $values }}
{{- if not $context.noValues }}
{{- $patchValues := include (printf "heqet.%s" $gen) $context | fromYaml }}
{{- $root := pluck $gen $context | first }}
{{- $data := dict "root" $root "patchValues" $patchValues }}
{{- $tmp := (include "heqet.patch" $data) | fromYaml }}
{{- $_ := deepCopy $tmp | mergeOverwrite $values }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{ toYaml $values | indent 8 }}
syncPolicy:
automated:
@ -73,12 +59,28 @@ spec:
ignoreDifferences:
{{ .ignoreDifferences | indent 4 }}
{{- end }}
{{- if $.Values.generators.vault }}
{{- $context := . }}
{{- with $context }}
{{- range .secrets }}
---
apiVersion: v1
kind: ServiceAccount
apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
name: {{ .name }}-vault-ro
name: {{ .name }}
namespace: {{ $context.namespace | default $context.name | quote }}
labels:
app: {{ $context.name }}
spec:
keys:
{{- range .keys }}
- {{ . }}
{{- end }}
path: heqet/{{ $context.name }}/{{ .name }}
type: Opaque
{{ end }}
{{ end }}
{{ end }}
{{ end }}
{{ end }}
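Review bot: In the VaultSecret block the `name`, the `app` label and each `keys` entry are emitted as raw template output while `namespace` goes through `quote`; a secret name or key that happens to look like a number, boolean or date would be retyped by the YAML parser before the operator reads it, so quote them the same way: `name: {{ .name | quote }}`, `app: {{ $context.name | quote }}`, `- {{ . | quote }}`. The `path: heqet/{{ $context.name }}/{{ .name }}` line is the only place the Vault layout is fixed, and a comment above it stating that the operator's Vault role (`kubernetesRole` in values.d/vault-secrets-operator.yaml) must be allowed to read exactly this `heqet/<app>/<secret>` prefix would let a reader see which app can reach which secret. The enclosing `range` over apps starts before this hunk, and the first hunk in this section is a pure removal of the generator patch loop.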

@ -796,11 +796,10 @@ configs:
# XG+bpHPF4SiCpAxthP5WNa17zuvk+CDsMZgZNuhYNMo=
# -----END RSA PRIVATE KEY-----
secret:
createSecret: true
createSecret: false
## Annotations to be added to argocd-secret
##
annotations:
sealedsecrets.bitnami.com/managed: true
annotations: {}
# Webhook Configs
githubSecret: ""

@ -0,0 +1,143 @@
replicaCount: 1
deploymentStrategy: {}
image:
repository: ricoberger/vault-secrets-operator
tag: 1.14.2
pullPolicy: IfNotPresent
volumeMounts: []
# - name: ca
# mountPath: "/etc/vault-secrets-operator"
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
environmentVars: []
# Set environment variables from a secret. This must be done, if you use the
# Token or AppRole Auth Methods of Vault.
# Token auth method:
# - name: VAULT_TOKEN
# valueFrom:
# secretKeyRef:
# name: vault-secrets-operator
# key: VAULT_TOKEN
# - name: VAULT_TOKEN_LEASE_DURATION
# value: "300"
# - name: VAULT_CACERT
# value: "/etc/vault-secrets-operator/ca.pem"
# - name: VAULT_TOKEN_RENEWAL_INTERVAL
# value: "43200"
# - name: VAULT_TOKEN_RENEWAL_RETRY_INTERVAL
# value: "30"
# AppRole auth method:
# - name: VAULT_ROLE_ID
# valueFrom:
# secretKeyRef:
# name: vault-secrets-operator
# key: VAULT_ROLE_ID
# - name: VAULT_SECRET_ID
# valueFrom:
# secretKeyRef:
# name: vault-secrets-operator
# key: VAULT_SECRET_ID
# - name: VAULT_TOKEN_RENEWAL_RETRY_INTERVAL
# value: "30"
# - name: VAULT_TOKEN_MAX_TTL
# value: "43200"
# Set the address for vault (by default we assume you are running a dev
# instance of vault in the same namespace as the operator) and specify the
# authentication method for the operator. Possible values are 'token',
# 'kubernetes', or 'approle'.
# If the authentication method is 'kubernetes' the Helm chart
# ensures that the Service Account included the needed rights. The default path
# for the Kubernets Auth method is 'auth/kubernetes', if you enabled it under
# another path you must change the 'kubernetesPath' value. You must also
# provide the role which should be used for the authentication.
#
# If the auth method is 'token' you can specify the 'tokenPath' to read the
# Vault token from a mounted volume instead of an environment variable.
#
# If the auth method is 'approle' you must specify a path for the AppRole Auth
# method with 'appRolePath', by default it is 'auth/approle'. Also
# 'VAULT_ROLE_ID' and 'VAULT_SECRET_ID' must be set for this auth method. With
# this method, the renewal interval is set by default to a half of the token
# lease duration (can be overwritten with 'VAULT_TOKEN_RENEWAL_INTERVAL'), the
# token maximum TTL is set by default to 1382400 seconds (16 days, can be
# overwritten with 'VAULT_TOKEN_MAX_TTL').
#
# The reconciliationTime value determines after which time the Vault secret is
# processed again. This can be used to update a the Kubernetes secret, when the
# Vault secret changes. A value of 0 will disable the automatic update.
# You can specify all namespaces the operator should watch. Therefore pass a
# comma separated list via the namespaces value. If the value is empty the operator
# will watch all namespaces. If the value is empty and rbac.namespaced is set to
# true, then the namespace of the release will be used.
vault:
address: "http://vault.vault.svc.cluster.local:8200"
authMethod: kubernetes
tokenPath: ""
kubernetesPath: auth/kubernetes
kubernetesRole: heqet-app
appRolePath: auth/approle
reconciliationTime: 0
namespaces: ""
crd:
create: true
rbac:
create: true
createrole: true
namespaced: false
serviceAccount:
create: true
name: vault-secrets-operator
# Annotations for vault-secrets-operator pod(s).
podAnnotations: {}
# Additional labels for the vault-secrets-operator pod(s).
podLabels: {}
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
volumes: []
# - name: ca
# secret:
# secretName: vault-secrets-operator-ca
# items:
# - key: ca.pem
# path: ca.pem
nodeSelector: {}
tolerations: []
affinity: {}
serviceMonitor:
enabled: false
labels: {}
interval: 10s
scrapeTimeout: 10s
honorLabels: true
relabelings: []
# A priority class can be optionally attached to the pod spec if one is needed
# priorityClassName: high
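Review bot: `vault.address` is plain `http://`, so the operator's Kubernetes-auth login (`authMethod: kubernetes`) and every secret it fetches cross the cluster network unencrypted, and with `namespaces: ""` plus `rbac.namespaced: false` this is a cluster-wide operator talking to Vault in the clear. If that is deliberate for the dev-mode Vault this commit enables, record it next to the value: `# dev-only: in-cluster Vault without TLS; switch to https and mount a CA via volumes/VAULT_CACERT before real secrets are stored`. `reconciliationTime: 0` also disables the periodic re-read described in the comment block above it, so a secret rotated in Vault will not reach the Kubernetes Secret until the VaultSecret object itself changes; a one-line comment beside the value saying so would save the next reader from assuming rotation propagates.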

@ -25,7 +25,7 @@ global:
injector:
# True if you want to enable vault agent injection.
enabled: true
enabled: false
replicas: 1
@ -234,7 +234,7 @@ server:
# If deployment is on OpenShift, the following block is ignored.
# In order to expose the service, use the route section below
ingress:
enabled: false
enabled: true
labels: {}
# traffic: external
annotations: {}
@ -245,7 +245,7 @@ server:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
- host: vault.k3s
paths: []
## Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
extraPaths: []
@ -501,7 +501,7 @@ server:
# use dev mode for anything other than experimenting.
# See https://www.vaultproject.io/docs/concepts/dev-server.html to know more
dev:
enabled: false
enabled: true
# Set VAULT_DEV_ROOT_TOKEN_ID value
devRootToken: "root"
@ -658,7 +658,7 @@ ui:
# serviceType can be used to control the type of service created. For
# example, setting this to "LoadBalancer" will create an external load
# balancer (for supported K8S installations) to access the UI.
enabled: false
enabled: true
publishNotReadyAddresses: true
# The service should only contain selectors for active Vault pod
activeVaultPodOnly: false
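Review bot: The `server.dev.enabled: true` hunk turns on Vault's dev server, which the file's own comment just above warns against for anything other than experimenting; dev mode keeps data in memory, starts unsealed and uses the fixed token from the `devRootToken: "root"` line below, while the `ingress` (`vault.k3s`) and `ui` hunks in this section expose that server outside the cluster. Everything written to it, including the argocd admin password this commit starts sourcing from Vault, is lost on pod restart and readable by anyone who reaches the ingress and knows the default dev token. A comment on the `enabled: true` line such as `# dev mode on purpose: lab cluster only, nothing is persisted` records that this was a conscious choice, and if it stays, TLS and an allow-list through the ingress `annotations` are the minimum.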

@ -27,6 +27,8 @@ generators:
#server: https://acme-v02.api.letsencrypt.org/directory
email: nold@gnu.one
# Vault Secret Injector
vault: true
# App Definitions that will be managed in ArgoCD
apps:
@ -38,22 +40,19 @@ apps:
targetRevision: k3s
vhost: hqt.k3s
# SealedSecrests - Store encrypted secrets in git
- name: sealed-secrets
repoURL: https://bitnami-labs.github.io/sealed-secrets/
chart: sealed-secrets
targetRevision: 1.15.0-r3
syncWave: "-1"
namespace: sealed-secrets
# ArgoCD - Continous Deployment from Git
- name: argocd
repoURL: https://argoproj.github.io/argo-helm
chart: argocd
targetRevision: 3.0.0
chart: argo-cd
targetRevision: 3.1.1
vhost: argocd.k3s
ingress: server
syncWave: "0"
secrets:
- name: argocd-secret
keys:
- admin.password
- server.secretkey
# Loki / Grafana / Promtail Stack for Logging & Metrics
- name: loki-stack
@ -91,6 +90,11 @@ apps:
- name: server.dev.enabled
value: true
- name: vault-secrets-operator
repoURL: https://ricoberger.github.io/helm-charts
chart: vault-secrets-operator
targetRevision: 1.14.2
# PiHole
- name: pihole
repoURL: https://mojo2600.github.io/pihole-kubernetes
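Review bot: The vault-secrets-operator app added in the last hunk carries no `syncWave`, whereas the sealed-secrets app it replaces had `syncWave: "-1"` and argocd, whose new `secrets:` entry now depends on the operator's VaultSecret CRD, is at `"0"`; if waves govern ordering here, the CRD may not exist when argocd's VaultSecret is applied. Adding `syncWave: "-1"` to the new entry keeps the ordering the removed app had. A one-line comment above it matching the neighbouring entries, e.g. `# Vault Secrets Operator - syncs Vault KV paths into Kubernetes Secrets (replaces sealed-secrets)`, would also explain why sealed-secrets disappears in the same commit.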
