

[VDEVOPS-000]: Support for vault ext secrets
Signed-off-by: adobrodey <[email protected]>
ADobrodey committed Jun 3, 2024
1 parent a1ea2d6 commit e89cf36
Showing 4 changed files with 83 additions and 4 deletions.
2 changes: 1 addition & 1 deletion stable/deployment/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: deployment
version: 1.8.3
version: 1.8.5
description: Typical microservice chart. Supports Ingress controller, horizontal-scalable containers
type: application
dependencies:
42 changes: 41 additions & 1 deletion stable/deployment/templates/external-secret.yaml
Expand Up @@ -33,7 +33,7 @@ spec:
{{ end -}}
{{ end -}}

{{- range (concat .Values.sidecarContainers .Values.initContainers ) }}
{{- range .Values.sidecarContainers }}
{{- $values := dict "Values" . "Release" $.Release "Template" $.Template -}}
{{ if and (hasKey $values.Values "env") (hasKey $values.Values.env "vaultSecret") }}
{{ $name := default $.Release.Name $values.Values.global.serviceName }}
Expand Down Expand Up @@ -72,6 +72,46 @@ spec:
{{ end -}}
{{ end -}}

{{- range .Values.initContainers }}
{{- $values := dict "Values" . "Release" $.Release "Template" $.Template -}}
{{ if and (hasKey $values.Values "env") (hasKey $values.Values.env "vaultSecret") }}
{{ $name := default $.Release.Name $values.Values.global.serviceName }}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: {{ include "k8s-common.names.fullname" $values }}-vault
namespace: {{ $.Release.Namespace }}
labels: {{ include "k8s-common.labels.standard" $ | nindent 4 }}
spec:
secretStoreRef:
name: default
kind: ClusterSecretStore
refreshInterval: "3m"
target:
name: {{ include "k8s-common.names.fullname" $values }}-vault
template:
metadata:
annotations:
external-secret: "true"
data:
{{- $allVaultSecrets := default (dict) $values.Values.env.vaultSecret -}}
{{- range $key, $value := $allVaultSecrets }}
- secretKey: {{ $key }}
remoteRef:
key: {{ if $value.fullPath -}}
{{- $value.fullPath -}}
{{- else -}}
secret-{{ $.Values.global.product }}/data/
{{- $.Values.global.environment -}}
/k8s/{{ $.Release.Namespace}}/{{ $value.path }}
{{- end }}
property: {{ default $key $value.secret }}
{{ end -}}
{{ end -}}
{{ end -}}


{{- if .Values.vaultVolumesSupport -}}
{{- $allVolumes := default (dict) .Values.volumes -}}
{{- range $key, $value := $allVolumes }}
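Review bot: The new `{{- range .Values.initContainers }}` loop in the second hunk is a line-for-line copy of the sidecarContainers loop, and it carries over `{{ $name := default $.Release.Name $values.Values.global.serviceName }}` even though `$name` is never read anywhere between that line and the loop's closing `{{ end -}}`; the identical copy is in stable/statefulset/templates/external-secret.yaml. Every ExternalSecret these loops render is named `{{ include "k8s-common.names.fullname" $values }}-vault`, so unless that helper (outside this hunk) folds the container's own name in, a release with more than one container carrying `env.vaultSecret` renders several ExternalSecrets with the same name in one namespace and the last one applied silently replaces the rest — worth confirming. Because `fullPath` lets a value-supplied path reach whatever the `default` ClusterSecretStore can read, the `secret-<product>/data/<environment>/k8s/<namespace>/<path>` layout is a naming convention rather than an access boundary, and a comment above `key:` saying that the store's Vault policy is what actually bounds access would save the next maintainer from assuming otherwise. Moving the loop body into a named template called from both ranges (sketched below with an illustrative template name) removes the duplication and the dead variable and keeps the two charts from drifting. The enclosing template starts and ends outside the hunk.
```yaml
{{- define "deployment.vault-external-secret" -}}
{{- /* . is the dict built in the loops below; the ExternalSecret manifest from the hunk goes here,
       minus the unused $name line, reading .Root.Release / .Root.Values.global where the hunk reads $.Release / $.Values.global */ -}}
{{- end -}}

{{- range .Values.sidecarContainers }}
{{- include "deployment.vault-external-secret" (dict "Values" . "Release" $.Release "Template" $.Template "Root" $) }}
{{- end -}}
{{- range .Values.initContainers }}
{{- include "deployment.vault-external-secret" (dict "Values" . "Release" $.Release "Template" $.Template "Root" $) }}
{{- end -}}
```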
2 changes: 1 addition & 1 deletion stable/statefulset/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: statefulset
version: 1.8.4
version: 1.8.5
description: Typical StateFul Set application
type: application
dependencies:
41 changes: 40 additions & 1 deletion stable/statefulset/templates/external-secret.yaml
Expand Up @@ -33,7 +33,7 @@ spec:
{{ end -}}
{{ end -}}

{{- range (concat .Values.sidecarContainers .Values.initContainers ) }}
{{- range .Values.sidecarContainers }}
{{- $values := dict "Values" . "Release" $.Release "Template" $.Template -}}
{{ if and (hasKey $values.Values "env") (hasKey $values.Values.env "vaultSecret") }}
{{ $name := default $.Release.Name $values.Values.global.serviceName }}
Expand Down Expand Up @@ -72,6 +72,45 @@ spec:
{{ end -}}
{{ end -}}

{{- range .Values.initContainers }}
{{- $values := dict "Values" . "Release" $.Release "Template" $.Template -}}
{{ if and (hasKey $values.Values "env") (hasKey $values.Values.env "vaultSecret") }}
{{ $name := default $.Release.Name $values.Values.global.serviceName }}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: {{ include "k8s-common.names.fullname" $values }}-vault
namespace: {{ $.Release.Namespace }}
labels: {{ include "k8s-common.labels.standard" $ | nindent 4 }}
spec:
secretStoreRef:
name: default
kind: ClusterSecretStore
refreshInterval: "3m"
target:
name: {{ include "k8s-common.names.fullname" $values }}-vault
template:
metadata:
annotations:
external-secret: "true"
data:
{{- $allVaultSecrets := default (dict) $values.Values.env.vaultSecret -}}
{{- range $key, $value := $allVaultSecrets }}
- secretKey: {{ $key }}
remoteRef:
key: {{ if $value.fullPath -}}
{{- $value.fullPath -}}
{{- else -}}
secret-{{ $.Values.global.product }}/data/
{{- $.Values.global.environment -}}
/k8s/{{ $.Release.Namespace}}/{{ $value.path }}
{{- end }}
property: {{ default $key $value.secret }}
{{ end -}}
{{ end -}}
{{ end -}}

{{- if .Values.vaultVolumesSupport -}}
{{- $allVolumes := default (dict) .Values.volumes -}}
{{- range $key, $value := $allVolumes }}

