diff --git a/gitops/components/argo/externalsecrets.yaml b/gitops/components/argo/externalsecrets.yaml
index ce37bbcdf..d8586a088 100644
--- a/gitops/components/argo/externalsecrets.yaml
+++ b/gitops/components/argo/externalsecrets.yaml
@@ -1,53 +1,65 @@ -apiVersion: "kubernetes-client.io/v1" +apiVersion: "external-secrets.io/v1alpha1" kind: ExternalSecret metadata: name: ci-secrets spec: - backendType: vault - vaultMountPoint: kubernetes/kubefirst - vaultRole: external-secrets - kvVersion: 2 + target: + name: ci-secrets + secretStoreRef: + kind: ClusterSecretStore + name: vault-secrets-backend + refreshInterval: 10s data: # username used for accessing git - this is the name of the personal access token, default is kubefirst - - name: USERNAME - key: secret/data/ci-secrets - property: USERNAME + - remoteRef: + key: ci-secrets + property: USERNAME + secretKey: USERNAME # personal access token associated with username above - - name: PERSONAL_ACCESS_TOKEN - key: secret/data/ci-secrets - property: PERSONAL_ACCESS_TOKEN + - remoteRef: + key: ci-secrets + property: PERSONAL_ACCESS_TOKEN + secretKey: PERSONAL_ACCESS_TOKEN # access key id to connect to aws - - name: AWS_ACCESS_KEY_ID - key: secret/data/ci-secrets - property: AWS_ACCESS_KEY_ID + - remoteRef: + key: ci-secrets + property: AWS_ACCESS_KEY_ID + secretKey: AWS_ACCESS_KEY_ID # access key to connect to aws - - name: AWS_SECRET_ACCESS_KEY - key: secret/data/ci-secrets - property: AWS_SECRET_ACCESS_KEY + - remoteRef: + key: ci-secrets + property: AWS_SECRET_ACCESS_KEY + secretKey: AWS_SECRET_ACCESS_KEY # chartmuseum admin username - - name: BASIC_AUTH_USER - key: secret/data/ci-secrets - property: BASIC_AUTH_USER + - remoteRef: + key: ci-secrets + property: BASIC_AUTH_USER + secretKey: BASIC_AUTH_USER # chartmuseum admin password - - name: BASIC_AUTH_PASS - key: secret/data/ci-secrets - property: BASIC_AUTH_PASS + - remoteRef: + key: ci-secrets + property: BASIC_AUTH_PASS + secretKey: BASIC_AUTH_PASS --- - apiVersion: "kubernetes-client.io/v1" - kind: ExternalSecret - metadata: +apiVersion: "external-secrets.io/v1alpha1" +kind: ExternalSecret +metadata: + name: argo-secrets +spec: + target: name: argo-secrets - spec: - backendType: vault - 
vaultMountPoint: kubernetes/kubefirst - vaultRole: external-secrets - kvVersion: 2 - data: - # client-id used for oidc auth with keycloak - - name: client-id - key: secret/data/admin/oidc/argo + secretStoreRef: + kind: ClusterSecretStore + name: vault-secrets-backend + refreshInterval: 10s + data: + # client-id used for oidc auth with keycloak + - remoteRef: + key: admin/oidc/argo property: application_id - # client-id used for oidc auth with keycloak - - name: client-secret - key: secret/data/admin/oidc/argo - property: secret \ No newline at end of file + secretKey: client-id + # client-id used for oidc auth with keycloak + - remoteRef: + key: admin/oidc/argo + property: secret + secretKey: client-secret diff --git a/gitops/components/atlantis/externalsecret.yaml b/gitops/components/atlantis/externalsecret.yaml index 036530bb5..3f8b1e1eb 100644 --- a/gitops/components/atlantis/externalsecret.yaml +++ b/gitops/components/atlantis/externalsecret.yaml 
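Review bot: The comment on the second argo-secrets entry reads `# client-id used for oidc auth with keycloak` but that entry maps `property: secret` to `secretKey: client-secret`; change it to `# client-secret used for oidc auth with keycloak`. Separately, `refreshInterval: 10s` makes the operator re-read Vault every ten seconds for this object, and the same value is set in the atlantis, chartmuseum, gitlab-runner and metaphor ExternalSecrets in this commit, which multiplies Vault read and audit-log volume; unless these credentials rotate that often, a longer interval such as `refreshInterval: 1h` is the usual choice. The `secret/data/` prefix has also been dropped from every `key:` here, which presumably relies on the store's `path: "secret"` and `version: "v2"` doing the KV v2 path mapping; worth confirming on the first sync.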
@@ -1,155 +1,204 @@ -apiVersion: "kubernetes-client.io/v1" +apiVersion: "external-secrets.io/v1alpha1" kind: ExternalSecret metadata: name: atlantis-secrets - namespace: atlantis spec: - backendType: vault - vaultMountPoint: kubernetes/kubefirst - vaultRole: external-secrets - kvVersion: 2 + target: + name: atlantis-secrets + secretStoreRef: + kind: ClusterSecretStore + name: vault-secrets-backend + refreshInterval: 10s data: - - name: ARGOCD_AUTH_PASSWORD - key: secret/data/atlantis - property: ARGOCD_AUTH_PASSWORD - - name: ARGOCD_AUTH_USERNAME - key: secret/data/atlantis - property: ARGOCD_AUTH_USERNAME - - name: ARGOCD_INSECURE - key: secret/data/atlantis - property: ARGOCD_INSECURE - - name: ARGOCD_SERVER - key: secret/data/atlantis - property: ARGOCD_SERVER - - name: ARGO_SERVER_URL - key: secret/data/atlantis - property: ARGO_SERVER_URL - - name: ATLANTIS_GITLAB_TOKEN - key: secret/data/atlantis - property: ATLANTIS_GITLAB_TOKEN - - name: ATLANTIS_GITLAB_WEBHOOK_SECRET - key: secret/data/atlantis - property: ATLANTIS_GITLAB_WEBHOOK_SECRET - - name: ATLANTIS_GITLAB_USER - key: secret/data/atlantis - property: ATLANTIS_GITLAB_USER - - name: ATLANTIS_GITLAB_HOSTNAME - key: secret/data/atlantis - property: ATLANTIS_GITLAB_HOSTNAME - - name: AWS_ACCESS_KEY_ID - key: secret/data/atlantis - property: AWS_ACCESS_KEY_ID - - name: AWS_DEFAULT_REGION - key: secret/data/atlantis - property: AWS_DEFAULT_REGION - - name: AWS_ROLE_TO_ASSUME - key: secret/data/atlantis - property: AWS_ROLE_TO_ASSUME - - name: AWS_SECRET_ACCESS_KEY - key: secret/data/atlantis - property: AWS_SECRET_ACCESS_KEY - - name: AWS_SESSION_NAME - key: secret/data/atlantis - property: AWS_SESSION_NAME - - name: GITLAB_BASE_URL - key: secret/data/atlantis - property: GITLAB_BASE_URL - - name: GITLAB_TOKEN - key: secret/data/atlantis - property: GITLAB_TOKEN - - name: KEYCLOAK_CLIENT_ID - key: secret/data/atlantis - property: KEYCLOAK_CLIENT_ID - - name: KEYCLOAK_PASSWORD - key: secret/data/atlantis - 
property: KEYCLOAK_PASSWORD - - name: KEYCLOAK_REALM - key: secret/data/atlantis - property: KEYCLOAK_REALM - - name: KEYCLOAK_URL - key: secret/data/atlantis - property: KEYCLOAK_URL - - name: KEYCLOAK_USER - key: secret/data/atlantis - property: KEYCLOAK_USER - - name: KUBECONFIG - key: secret/data/atlantis - property: KUBECONFIG - - name: TF_VAR_argo_redirect_uris - key: secret/data/atlantis - property: TF_VAR_argo_redirect_uris - - name: TF_VAR_argocd_auth_password - key: secret/data/atlantis - property: TF_VAR_argocd_auth_password - - name: TF_VAR_argocd_redirect_uris - key: secret/data/atlantis - property: TF_VAR_argocd_redirect_uris - - name: TF_VAR_atlantis_gitlab_token - key: secret/data/atlantis - property: TF_VAR_atlantis_gitlab_token - - name: TF_VAR_atlantis_gitlab_webhook_secret - key: secret/data/atlantis - property: TF_VAR_atlantis_gitlab_webhook_secret - - name: TF_VAR_aws_access_key_id - key: secret/data/atlantis - property: TF_VAR_aws_access_key_id - - name: TF_VAR_aws_account_id - key: secret/data/atlantis - property: TF_VAR_aws_account_id - - name: TF_VAR_aws_secret_access_key - key: secret/data/atlantis - property: TF_VAR_aws_secret_access_key - - name: TF_VAR_aws_region - key: secret/data/atlantis - property: TF_VAR_aws_region - - name: TF_VAR_email_address - key: secret/data/atlantis - property: TF_VAR_email_address - - name: TF_VAR_email_domain - key: secret/data/atlantis - property: TF_VAR_email_domain - - name: TF_VAR_gitlab_bot_root_password - key: secret/data/atlantis - property: TF_VAR_gitlab_bot_root_password - - name: TF_VAR_gitlab_redirect_uris - key: secret/data/atlantis - property: TF_VAR_gitlab_redirect_uris - - name: TF_VAR_gitlab_runner_token - key: secret/data/atlantis - property: TF_VAR_gitlab_runner_token - - name: TF_VAR_gitlab_token - key: secret/data/atlantis - property: TF_VAR_gitlab_token - - name: TF_VAR_gitlab_url - key: secret/data/atlantis - property: TF_VAR_gitlab_url - - name: TF_VAR_hosted_zone_id - key: 
secret/data/atlantis - property: TF_VAR_hosted_zone_id - - name: TF_VAR_hosted_zone_name - key: secret/data/atlantis - property: TF_VAR_hosted_zone_name - - name: TF_VAR_iam_user_arn - key: secret/data/atlantis - property: TF_VAR_iam_user_arn - - name: TF_VAR_keycloak_admin_password - key: secret/data/atlantis - property: TF_VAR_keycloak_admin_password - - name: TF_VAR_keycloak_password - key: secret/data/atlantis - property: TF_VAR_keycloak_password - - name: TF_VAR_vault_addr - key: secret/data/atlantis - property: TF_VAR_vault_addr - - name: TF_VAR_vault_redirect_uris - key: secret/data/atlantis - property: TF_VAR_vault_redirect_uris - - name: TF_VAR_vault_token - key: secret/data/atlantis - property: TF_VAR_vault_token - - name: VAULT_TOKEN - key: secret/data/atlantis - property: VAULT_TOKEN - - name: VAULT_ADDR - key: secret/data/atlantis - property: VAULT_ADDR \ No newline at end of file + - remoteRef: + key: atlantis + property: ARGOCD_AUTH_PASSWORD + secretKey: ARGOCD_AUTH_PASSWORD + - remoteRef: + key: atlantis + property: ARGOCD_AUTH_USERNAME + secretKey: ARGOCD_AUTH_USERNAME + - remoteRef: + key: atlantis + property: ARGOCD_INSECURE + secretKey: ARGOCD_INSECURE + - remoteRef: + key: atlantis + property: ARGOCD_SERVER + secretKey: ARGOCD_SERVER + - remoteRef: + key: atlantis + property: ARGO_SERVER_URL + secretKey: ARGO_SERVER_URL + - remoteRef: + key: atlantis + property: ATLANTIS_GITLAB_TOKEN + secretKey: ATLANTIS_GITLAB_TOKEN + - remoteRef: + key: atlantis + property: ATLANTIS_GITLAB_WEBHOOK_SECRET + secretKey: ATLANTIS_GITLAB_WEBHOOK_SECRET + - remoteRef: + key: atlantis + property: ATLANTIS_GITLAB_USER + secretKey: ATLANTIS_GITLAB_USER + - remoteRef: + key: atlantis + property: ATLANTIS_GITLAB_HOSTNAME + secretKey: ATLANTIS_GITLAB_HOSTNAME + - remoteRef: + key: atlantis + property: AWS_ACCESS_KEY_ID + secretKey: AWS_ACCESS_KEY_ID + - remoteRef: + key: atlantis + property: AWS_DEFAULT_REGION + secretKey: AWS_DEFAULT_REGION + - remoteRef: + key: 
atlantis + property: AWS_ROLE_TO_ASSUME + secretKey: AWS_ROLE_TO_ASSUME + - remoteRef: + key: atlantis + property: AWS_SECRET_ACCESS_KEY + secretKey: AWS_SECRET_ACCESS_KEY + - remoteRef: + key: atlantis + property: AWS_SESSION_NAME + secretKey: AWS_SESSION_NAME + - remoteRef: + key: atlantis + property: GITLAB_BASE_URL + secretKey: GITLAB_BASE_URL + - remoteRef: + key: atlantis + property: GITLAB_TOKEN + secretKey: GITLAB_TOKEN + - remoteRef: + key: atlantis + property: KEYCLOAK_CLIENT_ID + secretKey: KEYCLOAK_CLIENT_ID + - remoteRef: + key: atlantis + property: KEYCLOAK_PASSWORD + secretKey: KEYCLOAK_PASSWORD + - remoteRef: + key: atlantis + property: KEYCLOAK_REALM + secretKey: KEYCLOAK_REALM + - remoteRef: + key: atlantis + property: KEYCLOAK_URL + secretKey: KEYCLOAK_URL + - remoteRef: + key: atlantis + property: KEYCLOAK_USER + secretKey: KEYCLOAK_USER + - remoteRef: + key: atlantis + property: KUBECONFIG + secretKey: KUBECONFIG + - remoteRef: + key: atlantis + property: TF_VAR_argo_redirect_uris + secretKey: TF_VAR_argo_redirect_uris + - remoteRef: + key: atlantis + property: TF_VAR_argocd_auth_password + secretKey: TF_VAR_argocd_auth_password + - remoteRef: + key: atlantis + property: TF_VAR_argocd_redirect_uris + secretKey: TF_VAR_argocd_redirect_uris + - remoteRef: + key: atlantis + property: TF_VAR_atlantis_gitlab_token + secretKey: TF_VAR_atlantis_gitlab_token + - remoteRef: + key: atlantis + property: TF_VAR_atlantis_gitlab_webhook_secret + secretKey: TF_VAR_atlantis_gitlab_webhook_secret + - remoteRef: + key: atlantis + property: TF_VAR_aws_access_key_id + secretKey: TF_VAR_aws_access_key_id + - remoteRef: + key: atlantis + property: TF_VAR_aws_account_id + secretKey: TF_VAR_aws_account_id + - remoteRef: + key: atlantis + property: TF_VAR_aws_secret_access_key + secretKey: TF_VAR_aws_secret_access_key + - remoteRef: + key: atlantis + property: TF_VAR_aws_region + secretKey: TF_VAR_aws_region + - remoteRef: + key: atlantis + property: 
TF_VAR_email_address + secretKey: TF_VAR_email_address + - remoteRef: + key: atlantis + property: TF_VAR_email_domain + secretKey: TF_VAR_email_domain + - remoteRef: + key: atlantis + property: TF_VAR_gitlab_bot_root_password + secretKey: TF_VAR_gitlab_bot_root_password + - remoteRef: + key: atlantis + property: TF_VAR_gitlab_redirect_uris + secretKey: TF_VAR_gitlab_redirect_uris + - remoteRef: + key: atlantis + property: TF_VAR_gitlab_runner_token + secretKey: TF_VAR_gitlab_runner_token + - remoteRef: + key: atlantis + property: TF_VAR_gitlab_token + secretKey: TF_VAR_gitlab_token + - remoteRef: + key: atlantis + property: TF_VAR_gitlab_url + secretKey: TF_VAR_gitlab_url + - remoteRef: + key: atlantis + property: TF_VAR_hosted_zone_id + secretKey: TF_VAR_hosted_zone_id + - remoteRef: + key: atlantis + property: TF_VAR_hosted_zone_name + secretKey: TF_VAR_hosted_zone_name + - remoteRef: + key: atlantis + property: TF_VAR_iam_user_arn + secretKey: TF_VAR_iam_user_arn + - remoteRef: + key: atlantis + property: TF_VAR_keycloak_admin_password + secretKey: TF_VAR_keycloak_admin_password + - remoteRef: + key: atlantis + property: TF_VAR_keycloak_password + secretKey: TF_VAR_keycloak_password + - remoteRef: + key: atlantis + property: TF_VAR_vault_addr + secretKey: TF_VAR_vault_addr + - remoteRef: + key: atlantis + property: TF_VAR_vault_redirect_uris + secretKey: TF_VAR_vault_redirect_uris + - remoteRef: + key: atlantis + property: TF_VAR_vault_token + secretKey: TF_VAR_vault_token + - remoteRef: + key: atlantis + property: VAULT_TOKEN + secretKey: VAULT_TOKEN + - remoteRef: + key: atlantis + property: VAULT_ADDR + secretKey: VAULT_ADDR diff --git a/gitops/components/chartmuseum/externalsecret.yaml b/gitops/components/chartmuseum/externalsecret.yaml index 4cd0445dc..4615d60be 100644 --- a/gitops/components/chartmuseum/externalsecret.yaml +++ b/gitops/components/chartmuseum/externalsecret.yaml 
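Review bot: The `- namespace: atlantis` line is removed from metadata, so the ExternalSecret and its target Secret now land in whatever namespace the applying Application or kubectl context supplies instead of being pinned to `atlantis`; if that relocation is intended, a short comment above `metadata:` would stop the next reader from restoring it. This one Secret carries `KUBECONFIG`, `VAULT_TOKEN`, `AWS_SECRET_ACCESS_KEY` and several `TF_VAR_*_password` values, all fetched through the cluster-scoped `vault-secrets-backend` store, so read access to it is effectively access to the whole platform; keeping the namespace explicit and its RBAC narrow matters more here than in the other files.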
@@ -1,24 +1,28 @@ -apiVersion: kubernetes-client.io/v1 +apiVersion: "external-secrets.io/v1alpha1" kind: ExternalSecret metadata: name: chartmuseum-secrets - annotations: - argocd.argoproj.io/sync-wave: "1" spec: - backendType: vault - vaultMountPoint: kubernetes/kubefirst - vaultRole: external-secrets - kvVersion: 2 + target: + name: chartmuseum-secrets + secretStoreRef: + kind: ClusterSecretStore + name: vault-secrets-backend + refreshInterval: 10s data: - - name: AWS_ACCESS_KEY_ID - key: secret/data/chartmuseum - property: AWS_ACCESS_KEY_ID - - name: AWS_SECRET_ACCESS_KEY - key: secret/data/chartmuseum - property: AWS_SECRET_ACCESS_KEY - - name: BASIC_AUTH_USER - key: secret/data/chartmuseum - property: BASIC_AUTH_USER - - name: BASIC_AUTH_PASS - key: secret/data/chartmuseum - property: BASIC_AUTH_PASS + - remoteRef: + key: chartmuseum + property: AWS_ACCESS_KEY_ID + secretKey: AWS_ACCESS_KEY_ID + - remoteRef: + key: chartmuseum + property: AWS_SECRET_ACCESS_KEY + secretKey: AWS_SECRET_ACCESS_KEY + - remoteRef: + key: chartmuseum + property: BASIC_AUTH_USER + secretKey: BASIC_AUTH_USER + - remoteRef: + key: chartmuseum + property: BASIC_AUTH_PASS + secretKey: BASIC_AUTH_PASS diff --git a/gitops/components/external-secrets-operator/auth-delegator-crb.yaml b/gitops/components/external-secrets-operator/auth-delegator-crb.yaml new file mode 100644 index 000000000..d5f28aeae --- /dev/null +++ b/gitops/components/external-secrets-operator/auth-delegator-crb.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: eso-kubernetes-external-secrets-auth +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'system:auth-delegator' +subjects: + - kind: ServiceAccount + name: external-secrets + namespace: external-secrets-operator 
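Review bot: The new ClusterRoleBinding grants the `external-secrets` ServiceAccount the `system:auth-delegator` ClusterRole, which is a cluster-wide right to create TokenReview and SubjectAccessReview objects, yet nothing in the file says why it is needed; add a comment above `roleRef:` along the lines of `# Vault's kubernetes auth backend uses this SA's token as its token reviewer (see gitops/terraform/vault/bootstrap/k8s-auth-backend.tf)` so the binding is neither widened nor dropped later. The Terraform hunk in this commit does read that SA's token Secret for the Vault auth backend, which appears to be the reason, but confirm that rather than take my reading of it.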
diff --git a/gitops/components/external-secrets-operator/external-secrets-operator.yaml b/gitops/components/external-secrets-operator/external-secrets-operator.yaml new file mode 100644 index 000000000..17aaa0833 --- /dev/null +++ b/gitops/components/external-secrets-operator/external-secrets-operator.yaml @@ -0,0 +1,40 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-secrets-operator + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: "5" +spec: + project: default + source: + repoURL: 'https://charts.external-secrets.io' + targetRevision: 0.5.6 + helm: + values: |- + serviceAccount: + name: external-secrets + chart: external-secrets + destination: + server: https://kubernetes.default.svc + namespace: external-secrets-operator + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - RespectIgnoreDifferences=true + ignoreDifferences: + - group: apiextensions.k8s.io + kind: CustomResourceDefinition + jqPathExpressions: + - .spec.conversion.webhook.clientConfig.caBundle + - .spec.conversion.webhook.clientConfig.service.name + - .spec.conversion.webhook.clientConfig.service.namespace + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + jqPathExpressions: + - .webhooks[]?.clientConfig.caBundle diff --git a/gitops/components/external-secrets-store/vault-cluster-secret-store-secret.yaml b/gitops/components/external-secrets-store/vault-cluster-secret-store-secret.yaml new file mode 100644 index 000000000..521b39128 --- /dev/null +++ b/gitops/components/external-secrets-store/vault-cluster-secret-store-secret.yaml 
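Review bot: The chart is pinned to `targetRevision: 0.5.6` while every ExternalSecret in this commit is written as `external-secrets.io/v1alpha1`; as far as I recall, the 0.5.x line serves v1beta1 as its primary API and keeps v1alpha1 available only through the conversion webhook whose `caBundle` this hunk has to exclude under `ignoreDifferences`. That works, but it ties secret delivery to the webhook being healthy; the fields used here (`target`, `secretStoreRef`, `data[].remoteRef`, `secretKey`) look unchanged in v1beta1, so moving the manifests there would remove that dependency. It is also worth a comment that `serviceAccount.name: external-secrets` must match the `subjects` of the auth-delegator ClusterRoleBinding and the `serviceAccountRef` of the ClusterSecretStore, since the three are linked only by this string.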
@@ -0,0 +1,20 @@ +apiVersion: external-secrets.io/v1alpha1 +kind: ClusterSecretStore +metadata: + name: vault-secrets-backend +spec: + provider: + vault: + server: "http://vault.vault.svc:8200" + # Path is the mount path of the Vault KV backend endpoint + path: "secret" + version: "v2" + auth: + kubernetes: + # Path where the Kubernetes authentication backend is mounted in Vault + mountPath: "kubernetes/kubefirst" + # A required field containing the Vault Role to assume. + role: "external-secrets" + serviceAccountRef: + name: "external-secrets" + namespace: "external-secrets-operator" diff --git a/gitops/components/gitlab-runner/externalsecret.yaml b/gitops/components/gitlab-runner/externalsecret.yaml index 00abd8bbc..93fcff351 100644 --- a/gitops/components/gitlab-runner/externalsecret.yaml +++ b/gitops/components/gitlab-runner/externalsecret.yaml @@ -1,18 +1,20 @@ -apiVersion: kubernetes-client.io/v1 +apiVersion: "external-secrets.io/v1alpha1" kind: ExternalSecret metadata: name: gitlab-runner - annotations: - argocd.argoproj.io/sync-wave: "1" spec: - backendType: vault - vaultMountPoint: kubernetes/kubefirst # todo: kubefirst -> kubefirst - vaultRole: external-secrets - kvVersion: 2 + target: + name: gitlab-runner + secretStoreRef: + kind: ClusterSecretStore + name: vault-secrets-backend + refreshInterval: 10s data: - - name: runner-token - key: secret/data/gitlab-runner - property: RUNNER_TOKEN - - name: runner-registration-token - key: secret/data/gitlab-runner - property: RUNNER_REGISTRATION_TOKEN + - remoteRef: + key: gitlab-runner + property: RUNNER_TOKEN + secretKey: runner-token + - remoteRef: + key: gitlab-runner + property: RUNNER_REGISTRATION_TOKEN + secretKey: runner-registration-token diff --git a/gitops/components/keycloak/application.yaml b/gitops/components/keycloak/application.yaml deleted file mode 100644 index 131da7879..000000000 --- a/gitops/components/keycloak/application.yaml +++ /dev/null 
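Review bot: `server: "http://vault.vault.svc:8200"` sends every secret read, and the Kubernetes-auth login, over plaintext HTTP inside the cluster, whereas the Application this store replaces pointed at an `https://vault.` address. If Vault's listener has TLS, use `https://` here and pin its CA with the vault provider's `caBundle` field; if plaintext on the pod network is a deliberate choice, say so in a comment so it is visible. Because this is a ClusterSecretStore, any namespace that can create an ExternalSecret naming `vault-secrets-backend` reads whatever the `external-secrets` Vault role's policy allows, so that policy rather than this manifest is the access boundary; a comment next to `role:` stating that would help. The field comments added here (`# Path is the mount path …`, `# A required field …`) are good, and `server:` deserves one in the same style.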
@@ -1,32 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: keycloak - namespace: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io - annotations: - argocd.argoproj.io/sync-wave: "2" -spec: - destination: - server: https://kubernetes.default.svc - namespace: keycloak - project: default - source: - repoURL: 'https://charts.bitnami.com/bitnami' - targetRevision: 2.4.8 - helm: - values: |- - auth: - adminUser: gitlab-bot - proxyAddressForwarding: true - extraEnvVars: - - name: PROXY_ADDRESS_FORWARDING - value: 'true' - chart: keycloak - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/gitops/components/keycloak/externalsecret.yaml b/gitops/components/keycloak/externalsecret.yaml deleted file mode 100644 index b88ca4a8d..000000000 --- a/gitops/components/keycloak/externalsecret.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: kubernetes-client.io/v1 -kind: ExternalSecret -metadata: - name: keycloak-secrets - annotations: - argocd.argoproj.io/sync-wave: "1" -spec: - backendType: vault - vaultMountPoint: kubernetes/kubefirst - vaultRole: external-secrets - kvVersion: 2 - data: - - name: KEYCLOAK_ADMIN_PASSWORD - key: secret/data/keycloak - property: KEYCLOAK_ADMIN_PASSWORD - - name: KEYCLOAK_MANAGEMENT_PASSWORD - key: secret/data/keycloak - property: KEYCLOAK_MANAGEMENT_PASSWORD - - name: KEYCLOAK_DATABASE_PASSWORD - key: secret/data/keycloak - property: KEYCLOAK_DATABASE_PASSWORD diff --git a/gitops/components/keycloak/ingress.yaml b/gitops/components/keycloak/ingress.yaml deleted file mode 100644 index 8f89341bf..000000000 --- a/gitops/components/keycloak/ingress.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - kubernetes.io/tls-acme: "true" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - argocd.argoproj.io/sync-wave: "3" - name: keycloak -spec: - rules: - - host: keycloak. - http: - paths: - - backend: - serviceName: keycloak - servicePort: http - path: / - tls: - - hosts: - - keycloak. - secretName: keycloak-tls diff --git a/gitops/registry/argo.yaml b/gitops/registry/argo.yaml index 9200d916f..c1b4ce89f 100644 --- a/gitops/registry/argo.yaml +++ b/gitops/registry/argo.yaml @@ -28,7 +28,7 @@ kind: Job metadata: name: k-add-argocd-permissions annotations: - argocd.argoproj.io/sync-wave: "7" + argocd.argoproj.io/sync-wave: "8" argocd.argoproj.io/hook: PostSync # argocd.argoproj.io/hook-delete-policy: HookSucceeded spec: @@ -57,7 +57,7 @@ kind: Job metadata: name: k-add-argo-permissions annotations: - argocd.argoproj.io/sync-wave: "8" + argocd.argoproj.io/sync-wave: "9" spec: template: spec: diff --git a/gitops/registry/external-dns.yaml b/gitops/registry/external-dns.yaml index 04e7aa452..c17b8dffe 100644 --- a/gitops/registry/external-dns.yaml +++ b/gitops/registry/external-dns.yaml @@ -15,7 +15,7 @@ spec: source: chart: external-dns repoURL: https://charts.bitnami.com/bitnami - targetRevision: 6.0.2 + targetRevision: 6.5.4 helm: releaseName: external-dns values: | diff --git a/gitops/registry/external-secrets-operator.yaml b/gitops/registry/external-secrets-operator.yaml new file mode 100644 index 000000000..5708c8438 --- /dev/null +++ b/gitops/registry/external-secrets-operator.yaml 
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-secrets-operator-components + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: "5" +spec: + project: default + source: + repoURL: https://gitlab./kubefirst/gitops.git + path: components/external-secrets-operator + targetRevision: HEAD + destination: + server: https://kubernetes.default.svc + namespace: external-secrets-operator + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true \ No newline at end of file diff --git a/gitops/registry/external-secrets-store.yaml b/gitops/registry/external-secrets-store.yaml new file mode 100644 index 000000000..359cd8004 --- /dev/null +++ b/gitops/registry/external-secrets-store.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-secrets-store + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: "7" +spec: + project: default + source: + repoURL: https://gitlab./kubefirst/gitops.git + path: components/external-secrets-store + targetRevision: HEAD + destination: + server: https://kubernetes.default.svc + namespace: external-secrets-operator + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/gitops/registry/external-secrets.yaml b/gitops/registry/external-secrets.yaml deleted file mode 100644 index 1939861f8..000000000 --- a/gitops/registry/external-secrets.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: external-secrets - namespace: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io - annotations: - argocd.argoproj.io/sync-wave: "5" -spec: - project: default - source: - repoURL: 'https://external-secrets.github.io/kubernetes-external-secrets' - targetRevision: 8.5.0 - helm: - values: |- - env: - AWS_REGION: - AWS_DEFAULT_REGION: - VAULT_ADDR: https://vault. - serviceAccount: - name: external-secrets - chart: kubernetes-external-secrets - destination: - server: https://kubernetes.default.svc - namespace: external-secrets - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true \ No newline at end of file diff --git a/gitops/registry/vault.yaml b/gitops/registry/vault.yaml index fbb2c343d..251c97aa6 100644 --- a/gitops/registry/vault.yaml +++ b/gitops/registry/vault.yaml @@ -6,7 +6,7 @@ metadata: finalizers: - resources-finalizer.argocd.argoproj.io annotations: - argocd.argoproj.io/sync-wave: "9" + argocd.argoproj.io/sync-wave: "6" spec: destination: server: https://kubernetes.default.svc @@ -92,7 +92,7 @@ kind: Job metadata: name: unseal-vault annotations: - argocd.argoproj.io/sync-wave: "9" + argocd.argoproj.io/sync-wave: "6" # argocd.argoproj.io/hook: PostSync # don't PostSync, vault doesn't finish sync while waiting for pods to be running which requires this job # argocd.argoproj.io/hook-delete-policy: HookSucceeded spec: diff --git a/gitops/terraform/vault/bootstrap/k8s-auth-backend.tf b/gitops/terraform/vault/bootstrap/k8s-auth-backend.tf index a0c067d3a..b86f2ff0f 100644 --- a/gitops/terraform/vault/bootstrap/k8s-auth-backend.tf +++ b/gitops/terraform/vault/bootstrap/k8s-auth-backend.tf 
@@ -29,14 +29,14 @@ resource "vault_auth_backend" "k8s" { data "kubernetes_service_account" "external_secrets" { metadata { name = "external-secrets" - namespace = "external-secrets" + namespace = "external-secrets-operator" } } data "kubernetes_secret" "external_secrets_token_secret" { metadata { name = data.kubernetes_service_account.external_secrets.default_secret_name - namespace = "external-secrets" + namespace = "external-secrets-operator" } } diff --git a/metaphor/charts/metaphor/templates/external-secrets.yaml b/metaphor/charts/metaphor/templates/external-secrets.yaml index 19ba44abf..8decd141f 100644 --- a/metaphor/charts/metaphor/templates/external-secrets.yaml +++ b/metaphor/charts/metaphor/templates/external-secrets.yaml @@ -1,18 +1,22 @@ -apiVersion: kubernetes-client.io/v1 +apiVersion: "external-secrets.io/v1alpha1" kind: ExternalSecret metadata: name: {{ template "metaphor.fullname" . }} labels: chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" spec: - backendType: vault - vaultMountPoint: "kubernetes/{{ .Values.vaultMountPoint}}" - vaultRole: external-secrets - kvVersion: 2 + target: + name: {{ template "metaphor.fullname" . }} + secretStoreRef: + kind: ClusterSecretStore + name: vault-secrets-backend + refreshInterval: "10s" data: - - name: SECRET_ONE - key: "secret/data/{{ .Values.vaultSecretPath }}" - property: SECRET_ONE - - name: SECRET_TWO - key: "secret/data/{{ .Values.vaultSecretPath }}" - property: SECRET_TWO + - remoteRef: + key: {{ .Values.vaultSecretPath }} + property: SECRET_ONE + secretKey: SECRET_ONE + - remoteRef: + key: {{ .Values.vaultSecretPath }} + property: SECRET_TWO + secretKey: SECRET_TWO diff --git a/scripts/nebulous/init.sh b/scripts/nebulous/init.sh index 4bc8713d8..49eb98860 100755 --- a/scripts/nebulous/init.sh +++ b/scripts/nebulous/init.sh 
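Review bot: The namespace literal `"external-secrets-operator"` is now repeated in both data sources here and again in the auth-delegator ClusterRoleBinding, the ClusterSecretStore `serviceAccountRef`, the Argo Application destination and init.sh; a `locals { eso_namespace = "external-secrets-operator" }` referenced from both `metadata` blocks would at least keep the two Terraform copies in step. Outside this hunk, the lookup still goes through `default_secret_name`, which is only populated on clusters that auto-create ServiceAccount token Secrets (no longer the case from Kubernetes 1.24); the script's `kubernetes 1.19` TODO suggests that holds today, but it is likely the next thing to break on a cluster upgrade.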
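Review bot: `key: {{ .Values.vaultSecretPath }}` is rendered unquoted, whereas the line it replaces wrapped the value in double quotes; an empty value now renders as `key:` (null) and a value containing `: `, ` #` or a leading YAML indicator is misparsed instead of failing loudly. Use `key: {{ .Values.vaultSecretPath | quote }}` on both entries. Minor consistency point: `refreshInterval: "10s"` is quoted here but unquoted in the other ExternalSecrets in this commit.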
@@ -338,6 +338,8 @@ echo '########################################' echo echo "creating argocd in kubefirst cluster" +kubectl create namespace external-secrets-operator --dry-run=true -o yaml | kubectl apply -f - +kubectl create namespace argo --dry-run=true -o yaml | kubectl apply -f - kubectl create namespace argocd --dry-run -oyaml | kubectl apply -f - kubectl create secret -n argocd generic aws-creds --from-literal=AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} --from-literal=AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} --dry-run -oyaml | kubectl apply -f - # kubectl create namespace argocd --dry-run=client -o yaml | kubectl apply -f - # TODO: kubernetes 1.19 and above @@ -451,6 +453,8 @@ fi # the following comnmand is a bit fickle as the vault dns propagates, # a retry attempts to make this a bit more fault tolerant to that +echo "argocd app sync of external-secrets-store" +for i in 1 2 3 4 5 6 7 8; do argocd app sync external-secrets-store && break || echo "sync of external-secrets-store did not complete successfully. this is often due to delays in dns propagation. sleeping for 60s before retry" && sleep 60; done echo "argocd app sync of gitlab-runner" for i in 1 2 3 4 5 6 7 8; do argocd app sync gitlab-runner-components && break || echo "sync of gitlab-runner did not complete successfully. this is often due to delays in dns propagation. sleeping for 60s before retry" && sleep 60; done echo "argocd app sync of chartmuseum" 
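Review bot: The two added namespace lines use `--dry-run=true`, which kubectl has deprecated in favour of `--dry-run=client` (the form the TODO comment directly below already names), while the untouched argocd line uses the bare `--dry-run`; three spellings of one idiom within four lines invites a missed line when that TODO is finally done. Either use `--dry-run=client -o yaml` on the new lines now, or match the existing `--dry-run -oyaml` exactly so a later sweep catches them together. The `argo` namespace is created here without a consumer visible in this diff; a one-line comment naming what lands in it would help the next reader.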
@@ -458,6 +462,9 @@ for i in 1 2 3 4 5 6 7 8; do argocd app sync chartmuseum-components && break || echo "argocd app sync of atlantis" for i in 1 2 3 4 5 6 7 8; do argocd app sync atlantis-components && break || echo "sync of atlantis did not complete successfully. this is often due to delays in dns propagation. sleeping for 60s before retry" && sleep 60; done +echo "awaiting successful sync of external-secrets-store" +argocd app wait external-secrets-store + echo "awaiting successful sync of gitlab-runner" argocd app wait gitlab-runner-components argocd app wait gitlab-runner @@ -730,7 +737,7 @@ echo "" echo "" echo "" echo "WARNING: Test your connection to Kubernetes, GitLab, and Vault BEFORE CLOSING THIS WINDOW. Connection details follow." -echo "Docs to install the tools mentioned: https://docs.kubefirst.com/tooling/tooling-overview/" +echo "Docs to install the tools mentioned: https://docs.kubefirst.com/tooling/tooling-overview.html" echo "" echo "" echo ""
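Review bot: `argocd app wait external-secrets-store` has no `--timeout`, so if the store never reaches Healthy (Vault still sealed, CRDs not yet served) the installer stalls here indefinitely instead of failing; the existing waits share that trait, but this one guards a resource every later ExternalSecret depends on. `argocd app wait external-secrets-store --timeout 600` followed by an exit-status check gives an actionable failure instead of a silent hang. The wait is also placed after the gitlab-runner, chartmuseum and atlantis syncs that consume the store; that is harmless given their retry loops, but waiting for the store before them would make the dependency order explicit.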