diff --git a/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml b/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml index d5e499669..e088fbfab 100644 --- a/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml +++ b/clusters/cl01tl/manifests/blocky/ConfigMap-blocky.yaml @@ -130,6 +130,7 @@ data: objects IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl + openbao IN CNAME traefik-cl01tl paperless-ngx IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl postiz-spotlight IN CNAME traefik-cl01tl diff --git a/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml b/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml index 60401eddf..b4a57fa32 100644 --- a/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml +++ b/clusters/cl01tl/manifests/blocky/Deployment-blocky.yaml @@ -22,7 +22,7 @@ spec: template: metadata: annotations: - checksum/configMaps: f8de88b5a9037f61f1dd5bd0dae68035d99dc8758c173b69f06a55a2b1d93304 + checksum/configMaps: c09d68cf84d75e9c363e3663d97d8cccc831b88e7dd6e6cd79b2ac6c85369339 labels: app.kubernetes.io/controller: main app.kubernetes.io/instance: blocky diff --git a/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml b/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml index 125bb9f93..327e57cb1 100644 --- a/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml +++ b/clusters/cl01tl/manifests/gatus/ConfigMap-gatus.yaml @@ -483,6 +483,15 @@ data: interval: 30s name: vault url: https://vault.alexlebens.net + - alerts: + - type: ntfy + conditions: + - '[STATUS] == 200' + - '[CERTIFICATE_EXPIRATION] > 240h' + group: core + interval: 30s + name: openbao + url: https://openbao.alexlebens.net - alerts: - type: ntfy conditions: diff --git a/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml b/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml index 66ce348df..3cc291f04 100644 --- a/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml +++ b/clusters/cl01tl/manifests/gatus/Deployment-gatus.yaml 
@@ -26,7 +26,7 @@ spec: app.kubernetes.io/name: gatus app.kubernetes.io/instance: gatus annotations: - checksum/config: fa939ee3306d395924758008b12352f8785d18da1ed5c5728b9a62facdfed267 + checksum/config: 2e9a8befb2caa928dbe6f8c2ea3f9a85f1d98354adeb28580e90fc18413fb127 spec: serviceAccountName: default automountServiceAccountToken: false diff --git a/clusters/cl01tl/manifests/grafana-operator/GrafanaDashboard-grafana-dashboard-openbao.yaml b/clusters/cl01tl/manifests/grafana-operator/GrafanaDashboard-grafana-dashboard-openbao.yaml new file mode 100644 index 000000000..a6b01be23 --- /dev/null +++ b/clusters/cl01tl/manifests/grafana-operator/GrafanaDashboard-grafana-dashboard-openbao.yaml @@ -0,0 +1,17 @@ +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: grafana-dashboard-openbao + namespace: grafana-operator + labels: + app.kubernetes.io/name: grafana-dashboard-openbao + app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/part-of: grafana-operator +spec: + instanceSelector: + matchLabels: + app: grafana-main + contentCacheDuration: 6h + folderUID: grafana-folder-platform + resyncPeriod: 6h + url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/platform/openbao.json diff --git a/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml b/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml index 63774ba9e..cea5aebf6 100644 --- a/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml +++ b/clusters/cl01tl/manifests/homepage/ConfigMap-homepage.yaml @@ -567,6 +567,18 @@ data: app.kubernetes.io/instance in ( vault ) + - Secrets: + icon: sh-openbao.webp + description: OpenBao + href: https://openbao.alexlebens.net + siteMonitor: http://openbao.openbao:8200 + statusStyle: dot + namespace: openbao + app: openbao + podSelector: >- + app.kubernetes.io/instance in ( + openbao + ) - Backups: icon: sh-backrest-light.webp description: Backrest 
diff --git a/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml b/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml index 6df14b7ac..bf60549a4 100644 --- a/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml +++ b/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml @@ -24,7 +24,7 @@ spec: template: metadata: annotations: - checksum/configMaps: 1191af1b56a3c06d7cc4f5ddf91144a1c682e9c3ca13a4d0eea26e148e2c6d50 + checksum/configMaps: 23a5c8ee073c4b2443acd207d4b960c17b431a3ff0bdea1a44a8a179ff788c89 checksum/secrets: d3ba83f111cd32f92c909268c55ad8bbd4f9e299b74b35b33c1a011180d8b378 labels: app.kubernetes.io/controller: main diff --git a/clusters/cl01tl/manifests/openbao/ClusterRole-openbao-csi-provider-clusterrole.yaml b/clusters/cl01tl/manifests/openbao/ClusterRole-openbao-csi-provider-clusterrole.yaml new file mode 100644 index 000000000..24458547f --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/ClusterRole-openbao-csi-provider-clusterrole.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: openbao-csi-provider-clusterrole + labels: + app.kubernetes.io/name: openbao-csi-provider + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create diff --git a/clusters/cl01tl/manifests/openbao/ClusterRoleBinding-openbao-csi-provider-clusterrolebinding.yaml b/clusters/cl01tl/manifests/openbao/ClusterRoleBinding-openbao-csi-provider-clusterrolebinding.yaml new file mode 100644 index 000000000..97da8c8bb --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/ClusterRoleBinding-openbao-csi-provider-clusterrolebinding.yaml 
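Review bot: The ClusterRole grants `create` on `serviceaccounts/token` with no namespace scope, so the `openbao-csi-provider` pod (bound through the ClusterRoleBinding in the next hunk) can request a TokenRequest token for any ServiceAccount in the cluster. That is what the secrets-store provider needs to authenticate workloads to OpenBao on their behalf, but it turns a DaemonSet pod into a cluster-wide token-minting point, so it deserves to be stated rather than inherited silently from the chart. No SecretProviderClass appears in this commit; if the CSI path is not used yet, leaving the CSI provider disabled until it is would remove the grant entirely. Otherwise a comment above `rules:` such as `# cluster-wide TokenRequest: the CSI provider mints a token for the requesting pod's SA; required by the provider, remove if the CSI path is dropped` records the intent.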
@@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: openbao-csi-provider-clusterrolebinding + labels: + app.kubernetes.io/name: openbao-csi-provider + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: openbao-csi-provider-clusterrole +subjects: + - kind: ServiceAccount + name: openbao-csi-provider + namespace: openbao diff --git a/clusters/cl01tl/manifests/openbao/ClusterRoleBinding-openbao-server-binding.yaml b/clusters/cl01tl/manifests/openbao/ClusterRoleBinding-openbao-server-binding.yaml new file mode 100644 index 000000000..7de837d8c --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/ClusterRoleBinding-openbao-server-binding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: openbao-server-binding + labels: + helm.sh/chart: openbao-0.27.1 + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: openbao + namespace: openbao diff --git a/clusters/cl01tl/manifests/openbao/ConfigMap-openbao-config.yaml b/clusters/cl01tl/manifests/openbao/ConfigMap-openbao-config.yaml new file mode 100644 index 000000000..cf85f03a2 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/ConfigMap-openbao-config.yaml 
@@ -0,0 +1,43 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: openbao-config + namespace: openbao + labels: + helm.sh/chart: openbao-0.27.1 + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm +data: + extraconfig-from-values.hcl: |2- + + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + telemetry { + unauthenticated_metrics_access = "true" + } + } + + storage "raft" { + path = "/openbao/data" + retry_join { + leader_api_addr = "http://openbao-0.openbao-internal:8201" + } + retry_join { + leader_api_addr = "http://openbao-1.openbao-internal:8201" + } + retry_join { + leader_api_addr = "http://openbao-2.openbao-internal:8201" + } + } + + service_registration "kubernetes" {} + + telemetry { + prometheus_retention_time = "30s" + disable_hostname = true + } diff --git a/clusters/cl01tl/manifests/openbao/ConfigMap-openbao-csi-provider-agent-config.yaml b/clusters/cl01tl/manifests/openbao/ConfigMap-openbao-csi-provider-agent-config.yaml new file mode 100644 index 000000000..92e303106 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/ConfigMap-openbao-csi-provider-agent-config.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: openbao-csi-provider-agent-config + namespace: openbao + labels: + helm.sh/chart: openbao-0.27.1 + app.kubernetes.io/name: openbao-csi-provider + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm +data: + config.hcl: | + vault { + "address" = "http://openbao.openbao.svc:8200" + } + + cache {} + + listener "unix" { + address = "/var/run/vault/agent.sock" + tls_disable = true + } diff --git a/clusters/cl01tl/manifests/openbao/ConfigMap-openbao-snapshot.yaml b/clusters/cl01tl/manifests/openbao/ConfigMap-openbao-snapshot.yaml new file mode 100644 index 000000000..1c00b5746 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/ConfigMap-openbao-snapshot.yaml 
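Review bot: `tls_disable = 1` on the tcp listener means every in-cluster client of port 8200 — the three vault-unseal Deployments that submit unseal key shares, the snapshot CronJob authenticating with its ServiceAccount token, and the CSI agent whose config in the next hunk also points at `http://openbao.openbao.svc:8200` — sends those credentials in cleartext on the pod network, with TLS terminated only at the Tailscale ingress. The three `retry_join` stanzas use port 8201, which is the `cluster_address`; `leader_api_addr` appears to be documented as the API address, so unless this is deliberate the joins should target `http://openbao-0.openbao-internal:8200` (and likewise for `-1` and `-2`) — verify that followers actually join. `unauthenticated_metrics_access = "true"` additionally opens `/v1/sys/metrics` to anything that can reach the pod, which is acceptable only if a NetworkPolicy (none in this commit) restricts that to the scraper. I'd add an HCL comment above the listener block recording the first decision, e.g. `# tls_disable: plaintext inside the cluster by design; unseal shares and SA tokens transit unencrypted — revisit if listener TLS or a mesh is added`.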
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: openbao-snapshot + namespace: openbao + labels: + helm.sh/chart: openbao-0.27.1 + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm +data: + S3_HOST: garage-main.garage:3900 + S3_BUCKET: openbao-backups + S3CMD_EXTRA_FLAG: -v + S3_URI: s3://openbao-backups + S3_EXPIRE_DAYS: "30" + BAO_AUTH_PATH: kubernetes + BAO_ROLE: bao-snapshot + BAO_ADDR: http://openbao-active.openbao.svc:8200 diff --git a/clusters/cl01tl/manifests/openbao/CronJob-openbao-snapshot.yaml b/clusters/cl01tl/manifests/openbao/CronJob-openbao-snapshot.yaml new file mode 100644 index 000000000..e9a37aa8d --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/CronJob-openbao-snapshot.yaml 
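Review bot: `BAO_ROLE: bao-snapshot` with `BAO_AUTH_PATH: kubernetes` presumes a Kubernetes auth role of that name bound to the `openbao-snapshot` ServiceAccount plus a policy permitting the raft snapshot endpoint; nothing in this commit creates either, so the CronJob will fail at login until that out-of-band step is done, and it should be recorded here, e.g. `# requires auth/kubernetes role "bao-snapshot" bound to SA openbao-snapshot with a policy allowing raft snapshot reads (configured outside this repo)`. `S3_HOST: garage-main.garage:3900` carries no scheme, so whether the upload to Garage uses TLS depends on the agent's default; worth confirming, since each snapshot is a copy of the whole (barrier-encrypted) store. `S3CMD_EXTRA_FLAG: -v` makes the job logs verbose; check that the output does not include request details you would rather keep out of the log pipeline.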
@@ -0,0 +1,63 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + labels: + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + name: openbao-snapshot + namespace: openbao +spec: + schedule: "0 4 * * *" + jobTemplate: + metadata: + labels: + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + component: snapshot-agent + spec: + template: + metadata: + labels: + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + component: snapshot-agent + spec: + restartPolicy: OnFailure + serviceAccountName: openbao-snapshot + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + containers: + - name: bao-snapshot + envFrom: + - configMapRef: + name: openbao-snapshot + env: + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + key: AWS_SECRET_ACCESS_KEY + name: openbao-snapshot-secret + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + key: AWS_ACCESS_KEY_ID + name: openbao-snapshot-secret + image: ghcr.io/openbao/openbao-snapshot-agent:0.3.0@sha256:d7a8ca9d26b12cf226ce093b9051f243c53aefbb8a419b3dc0b554e7575c931c + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + volumeMounts: + - name: snapshot-dir + mountPath: /bao-snapshots + imagePullPolicy: IfNotPresent + volumes: + - name: snapshot-dir + emptyDir: {} diff --git a/clusters/cl01tl/manifests/openbao/DaemonSet-openbao-csi-provider.yaml b/clusters/cl01tl/manifests/openbao/DaemonSet-openbao-csi-provider.yaml new file mode 100644 index 000000000..011809a40 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/DaemonSet-openbao-csi-provider.yaml 
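Review bot: The CronJob sets no `concurrencyPolicy` and no `activeDeadlineSeconds`, so a stalled upload will still be running when the next `0 4 * * *` job starts and both will contend for the same emptyDir and bucket prefix; `concurrencyPolicy: Forbid` under `spec:` closes that, and `successfulJobsHistoryLimit`/`failedJobsHistoryLimit` would keep finished pods from accumulating. The container securityContext drops all capabilities but omits `readOnlyRootFilesystem: true`; the only write target visible here is the `/bao-snapshots` emptyDir, so it is probably safe to add — confirm the image does not write elsewhere first. `runAsUser: 100` differs from `runAsGroup`/`fsGroup: 1000`; if that mirrors the upstream chart's image user it is fine, but a one-line comment saying so would spare the next reader the check.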
@@ -0,0 +1,105 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: openbao-csi-provider + namespace: openbao + labels: + app.kubernetes.io/name: openbao-csi-provider + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/name: openbao-csi-provider + app.kubernetes.io/instance: openbao + template: + metadata: + labels: + app.kubernetes.io/name: openbao-csi-provider + app.kubernetes.io/instance: openbao + spec: + serviceAccountName: openbao-csi-provider + containers: + - name: openbao-csi-provider + resources: + requests: + cpu: 50m + memory: 100Mi + image: "quay.io/openbao/openbao-csi-provider:2.0.1@sha256:a3bd5e8183da778b5dc79ee1a3d7313ac77dc599b623b4106a91b19362674f27" + imagePullPolicy: IfNotPresent + args: + - --endpoint=/provider/openbao.sock + - --debug=false + - --hmac-secret-name=openbao-csi-provider-hmac-key + env: + - name: VAULT_ADDR + value: "unix:///var/run/vault/agent.sock" + volumeMounts: + - name: providervol + mountPath: "/provider" + - name: agent-unix-socket + mountPath: /var/run/vault + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + - name: openbao-agent + image: "quay.io/openbao/openbao:2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 10m + memory: 100Mi + command: + - bao + args: + - agent + - -config=/etc/vault/config.hcl + ports: + - containerPort: 8200 + env: + - name: BAO_LOG_LEVEL + value: "info" + - name: BAO_LOG_FORMAT + value: "standard" + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + 
allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 100 + runAsGroup: 1000 + volumeMounts: + - name: agent-config + mountPath: /etc/vault/config.hcl + subPath: config.hcl + readOnly: true + - name: agent-unix-socket + mountPath: /var/run/vault + volumes: + - name: providervol + hostPath: + path: /etc/kubernetes/secrets-store-csi-providers + - name: agent-config + configMap: + name: openbao-csi-provider-agent-config + - name: agent-unix-socket + emptyDir: + medium: Memory diff --git a/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-1.yaml b/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-1.yaml new file mode 100644 index 000000000..e912d6a74 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-1.yaml @@ -0,0 +1,45 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openbao-unseal-unseal-1 + labels: + app.kubernetes.io/controller: unseal-1 + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + helm.sh/chart: unseal-4.6.2 + namespace: openbao +spec: + revisionHistoryLimit: 3 + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/controller: unseal-1 + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + template: + metadata: + labels: + app.kubernetes.io/controller: unseal-1 + app.kubernetes.io/instance: openbao + app.kubernetes.io/name: openbao + spec: + enableServiceLinks: false + serviceAccountName: default + automountServiceAccountToken: true + hostIPC: false + hostNetwork: false + hostPID: false + dnsPolicy: ClusterFirst + containers: + - envFrom: + - secretRef: + name: openbao-unseal-config-1 + image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef + name: main + resources: + requests: + cpu: 1m + memory: 10Mi 
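Review bot: The `openbao-csi-provider` container has no `securityContext` at all, while its `openbao-agent` sibling in the same pod drops all capabilities, forbids privilege escalation and uses a read-only root filesystem; since the provider is the container that writes a socket into the host's `/etc/kubernetes/secrets-store-csi-providers` hostPath and holds the cluster-wide token-minting RBAC, it is the one that most deserves the same hardening. `allowPrivilegeEscalation: false`, dropping all capabilities and `seccompProfile: RuntimeDefault` should be safe to add as below; `runAsNonRoot` and `readOnlyRootFilesystem` depend on the image's user and on whether that user can write the hostPath socket directory, so verify before adding those two. The `providervol` hostPath mount is necessarily writable, but a comment on it saying why (`# provider publishes its socket here for the secrets-store CSI driver`) would make the host write intentional.
```yaml
      - name: openbao-csi-provider
        # … unchanged: resources, image, imagePullPolicy, args, env, volumeMounts, probes …
        securityContext:
          seccompProfile:
            type: RuntimeDefault
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
```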
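Review bot: `automountServiceAccountToken: true` with `serviceAccountName: default` gives the unseal pod a Kubernetes API credential it has no visible use for — the container only reads `openbao-unseal-config-1` and talks to OpenBao — so `automountServiceAccountToken: false` is the safer setting here; the same applies to the unseal-2 and unseal-3 Deployments in the following hunks. The container also has no securityContext, unlike the snapshot CronJob in this commit; the same non-root, no-capabilities, no-privilege-escalation settings would be consistent, subject to the image's user. Each of the three Deployments appears to hold a single share (`TOKENS_1`..`TOKENS_3`), so one compromised pod does not by itself reach the Shamir threshold, but all three Secrets sit in the same namespace and anyone with `get secrets` in `openbao` reads all of them; a comment above `envFrom:` stating that trade-off would help whoever next reviews namespace RBAC.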
diff --git a/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-2.yaml b/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-2.yaml new file mode 100644 index 000000000..8836c62e6 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-2.yaml @@ -0,0 +1,45 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openbao-unseal-unseal-2 + labels: + app.kubernetes.io/controller: unseal-2 + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + helm.sh/chart: unseal-4.6.2 + namespace: openbao +spec: + revisionHistoryLimit: 3 + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/controller: unseal-2 + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + template: + metadata: + labels: + app.kubernetes.io/controller: unseal-2 + app.kubernetes.io/instance: openbao + app.kubernetes.io/name: openbao + spec: + enableServiceLinks: false + serviceAccountName: default + automountServiceAccountToken: true + hostIPC: false + hostNetwork: false + hostPID: false + dnsPolicy: ClusterFirst + containers: + - envFrom: + - secretRef: + name: openbao-unseal-config-2 + image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef + name: main + resources: + requests: + cpu: 1m + memory: 10Mi diff --git a/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-3.yaml b/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-3.yaml new file mode 100644 index 000000000..9a4199e10 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/Deployment-openbao-unseal-unseal-3.yaml 
@@ -0,0 +1,45 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openbao-unseal-unseal-3 + labels: + app.kubernetes.io/controller: unseal-3 + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao + helm.sh/chart: unseal-4.6.2 + namespace: openbao +spec: + revisionHistoryLimit: 3 + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/controller: unseal-3 + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + template: + metadata: + labels: + app.kubernetes.io/controller: unseal-3 + app.kubernetes.io/instance: openbao + app.kubernetes.io/name: openbao + spec: + enableServiceLinks: false + serviceAccountName: default + automountServiceAccountToken: true + hostIPC: false + hostNetwork: false + hostPID: false + dnsPolicy: ClusterFirst + containers: + - envFrom: + - secretRef: + name: openbao-unseal-config-3 + image: ghcr.io/lrstanley/vault-unseal:1.0.0@sha256:24ca9bceccdb0a22ae57574346dee4bec107c9b849f836811972b8f7f1baa4ef + name: main + resources: + requests: + cpu: 1m + memory: 10Mi diff --git a/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-snapshot-secret.yaml b/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-snapshot-secret.yaml new file mode 100644 index 000000000..d282a40c7 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-snapshot-secret.yaml 
@@ -0,0 +1,30 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: openbao-snapshot-secret + namespace: openbao + labels: + app.kubernetes.io/name: openbao-snapshot-secret + app.kubernetes.io/instance: openbao + app.kubernetes.io/part-of: openbao +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/openbao-backups + property: ACCESS_KEY_ID + - secretKey: ACCESS_REGION + remoteRef: + key: /garage/home-infra/openbao-backups + property: ACCESS_REGION + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + key: /garage/home-infra/openbao-backups + property: ACCESS_SECRET_KEY + - secretKey: BUCKET + remoteRef: + key: /garage/home-infra/openbao-backups + property: BUCKET diff --git a/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-1.yaml b/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-1.yaml new file mode 100644 index 000000000..f4d00d7b4 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-1.yaml @@ -0,0 +1,30 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: openbao-unseal-config-1 + namespace: openbao + labels: + app.kubernetes.io/name: openbao-unseal-config-1 + app.kubernetes.io/instance: openbao + app.kubernetes.io/part-of: openbao +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: ENVIRONMENT + remoteRef: + key: /cl01tl/openbao/unseal + property: ENVIRONMENT + - secretKey: NODES + remoteRef: + key: /cl01tl/openbao/unseal + property: NODES + - secretKey: TOKENS + remoteRef: + key: /cl01tl/openbao/unseal + property: TOKENS_1 + - secretKey: NOTIFY_QUEUE_URLS + remoteRef: + key: /cl01tl/openbao/unseal + property: NOTIFY_QUEUE_URLS 
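Review bot: The ExternalSecret materializes `ACCESS_REGION` and `BUCKET` into `openbao-snapshot-secret`, but the CronJob reads only `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from it and the bucket is hard-coded as `S3_BUCKET: openbao-backups` in the ConfigMap, so the two can drift; either drop the two unused entries or have the job consume `BUCKET` from the Secret. Keeping the Secret to exactly the keys a consumer needs also keeps its blast radius minimal.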
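Review bot: The unseal share `TOKENS_1` (and `TOKENS_2`/`TOKENS_3` in the next two hunks) is pulled from the `vault` ClusterSecretStore, so OpenBao's ability to auto-unseal after a restart depends on the existing Vault being up and unsealed; if OpenBao is intended to succeed Vault, that is a bootstrap loop to plan for, and it is worth a comment above `secretStoreRef:` such as `# unseal shares currently live in the legacy Vault; move them before decommissioning it or OpenBao cannot auto-unseal after a restart`. No `refreshInterval` is set, so the controller default applies; an explicit value would make the share-rotation behaviour visible in the file.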
diff --git a/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-2.yaml b/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-2.yaml new file mode 100644 index 000000000..f9394451a --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-2.yaml @@ -0,0 +1,30 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: openbao-unseal-config-2 + namespace: openbao + labels: + app.kubernetes.io/name: openbao-unseal-config-2 + app.kubernetes.io/instance: openbao + app.kubernetes.io/part-of: openbao +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: ENVIRONMENT + remoteRef: + key: /cl01tl/openbao/unseal + property: ENVIRONMENT + - secretKey: NODES + remoteRef: + key: /cl01tl/openbao/unseal + property: NODES + - secretKey: TOKENS + remoteRef: + key: /cl01tl/openbao/unseal + property: TOKENS_2 + - secretKey: NOTIFY_QUEUE_URLS + remoteRef: + key: /cl01tl/openbao/unseal + property: NOTIFY_QUEUE_URLS diff --git a/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-3.yaml b/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-3.yaml new file mode 100644 index 000000000..e1ab3ddf1 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/ExternalSecret-openbao-unseal-config-3.yaml 
@@ -0,0 +1,30 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: openbao-unseal-config-3 + namespace: openbao + labels: + app.kubernetes.io/name: openbao-unseal-config-3 + app.kubernetes.io/instance: openbao + app.kubernetes.io/part-of: openbao +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: ENVIRONMENT + remoteRef: + key: /cl01tl/openbao/unseal + property: ENVIRONMENT + - secretKey: NODES + remoteRef: + key: /cl01tl/openbao/unseal + property: NODES + - secretKey: TOKENS + remoteRef: + key: /cl01tl/openbao/unseal + property: TOKENS_3 + - secretKey: NOTIFY_QUEUE_URLS + remoteRef: + key: /cl01tl/openbao/unseal + property: NOTIFY_QUEUE_URLS diff --git a/clusters/cl01tl/manifests/openbao/Ingress-openbao-tailscale.yaml b/clusters/cl01tl/manifests/openbao/Ingress-openbao-tailscale.yaml new file mode 100644 index 000000000..4c34f2cfb --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/Ingress-openbao-tailscale.yaml @@ -0,0 +1,29 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: openbao-tailscale + namespace: openbao + labels: + app.kubernetes.io/name: openbao-tailscale + app.kubernetes.io/instance: openbao + app.kubernetes.io/part-of: openbao + tailscale.com/proxy-class: no-metrics + annotations: + tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true" +spec: + ingressClassName: tailscale + tls: + - hosts: + - openbao-cl01tl + secretName: openbao-cl01tl + rules: + - host: openbao-cl01tl + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: openbao-active + port: + number: 8200 diff --git a/clusters/cl01tl/manifests/openbao/Pod-openbao-server-test.yaml b/clusters/cl01tl/manifests/openbao/Pod-openbao-server-test.yaml new file mode 100644 index 000000000..78b2b881f --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/Pod-openbao-server-test.yaml 
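Review bot: The Tailscale Ingress fronts `openbao-active`, which is the right backend (sealed and standby pods are excluded), but the hostname this commit advertises elsewhere — `openbao.alexlebens.net` in the Gatus check, the Homepage `href` and the blocky CNAME to `traefik-cl01tl` — has no Traefik route in this part of the diff; if it is not added further down, the Gatus `[STATUS] == 200` check and the homepage link will fail. The hop from the Tailscale proxy to `openbao-active:8200` is plain HTTP because the listener has TLS disabled, so tailnet TLS ends inside the cluster; a comment on `backend:` noting that would make the trust boundary explicit.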
@@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: openbao-server-test + namespace: openbao + annotations: + "helm.sh/hook": test +spec: + containers: + - name: openbao-server-test + image: quay.io/openbao/openbao:2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878 + imagePullPolicy: IfNotPresent + env: + - name: VAULT_ADDR + value: http://openbao.openbao.svc:8200 + command: + - /bin/sh + - -c + - | + echo "Checking for sealed info in 'bao status' output" + ATTEMPTS=10 + n=0 + until [ "$n" -ge $ATTEMPTS ] + do + echo "Attempt" $n... + bao status -format yaml | grep -E '^sealed: (true|false)' && break + n=$((n+1)) + sleep 5 + done + if [ $n -ge $ATTEMPTS ]; then + echo "timed out looking for sealed info in 'bao status' output" + exit 1 + fi + + exit 0 + volumeMounts: + volumes: + restartPolicy: Never diff --git a/clusters/cl01tl/manifests/openbao/PodDisruptionBudget-openbao.yaml b/clusters/cl01tl/manifests/openbao/PodDisruptionBudget-openbao.yaml new file mode 100644 index 000000000..5db4cca21 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/PodDisruptionBudget-openbao.yaml @@ -0,0 +1,17 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: openbao + namespace: openbao + labels: + helm.sh/chart: openbao-0.27.1 + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm +spec: + maxUnavailable: 1 + selector: + matchLabels: + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + component: server diff --git a/clusters/cl01tl/manifests/openbao/PrometheusRule-openbao.yaml b/clusters/cl01tl/manifests/openbao/PrometheusRule-openbao.yaml new file mode 100644 index 000000000..55b35087b --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/PrometheusRule-openbao.yaml 
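Review bot: `volumeMounts:` and `volumes:` are left as bare keys, which parse as `null` rather than as empty lists; the API server tolerates it, but `[]` (or simply removing both keys) is the unambiguous form. More importantly, this directory looks like rendered output applied by a GitOps tool rather than by `helm install`; `helm.sh/hook: test` is honoured by Helm and, as far as I know, skipped by Argo CD, but a plain kustomize apply would create this as an ordinary never-restarting Pod in `openbao` — confirm which applier is used, or exclude the test hook from the render. The script's unauthenticated `bao status` against `http://openbao.openbao.svc:8200` is fine, since `status` needs no token.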
@@ -0,0 +1,29 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: openbao + namespace: openbao + labels: + helm.sh/chart: openbao-0.27.1 + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + release: prometheus +spec: + groups: + - name: openbao + rules: + - alert: vault-HighResponseTime + annotations: + message: The response time of Vault is over 500ms on average over the last 5 minutes. + expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 + for: 5m + labels: + severity: warning + - alert: vault-HighResponseTime + annotations: + message: The response time of Vault is over 1s on average over the last 5 minutes. + expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 + for: 5m + labels: + severity: critical diff --git a/clusters/cl01tl/manifests/openbao/Role-openbao-csi-provider-role.yaml b/clusters/cl01tl/manifests/openbao/Role-openbao-csi-provider-role.yaml new file mode 100644 index 000000000..824f31fff --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/Role-openbao-csi-provider-role.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: openbao-csi-provider-role + namespace: openbao + labels: + app.kubernetes.io/name: openbao-csi-provider + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + resourceNames: + - openbao-csi-provider-hmac-key + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] diff --git a/clusters/cl01tl/manifests/openbao/Role-openbao-discovery-role.yaml b/clusters/cl01tl/manifests/openbao/Role-openbao-discovery-role.yaml new file mode 100644 index 000000000..399a93526 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/Role-openbao-discovery-role.yaml 
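Review bot: Both alert expressions filter on `namespace="mynamespace"`, a placeholder carried over from the chart example, so neither rule can ever fire for pods in `openbao`; change both `expr` lines to `namespace="openbao"`. The two rules also share the alert name `vault-HighResponseTime` with different severities, which makes silencing and routing ambiguous — name them e.g. `openbao-HighResponseTime` (warning) and `openbao-VeryHighResponseTime` (critical). `vault_core_handle_request` is the metric name Vault emits and OpenBao keeps the `vault_` prefix as far as I know, but verify against what the ServiceMonitor actually scrapes before relying on the rule. The `message` text says "on average" while the expression uses the 0.5 quantile (the median); reword one to match the other.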
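Review bot: The second rule grants `create` on every Secret in `openbao` — Kubernetes RBAC cannot scope `create` by `resourceNames`, so it is necessarily namespace-wide — and the provider uses it only to generate the `openbao-csi-provider-hmac-key` Secret named in the DaemonSet args. Pre-creating that Secret (or letting the first run create it and then removing the rule) leaves the provider with just the scoped `get`, which pairs better with the cluster-wide `serviceaccounts/token` grant it already holds. A comment above the rule, e.g. `# create is needed only to bootstrap the HMAC key Secret; drop once it exists`, records the intent either way.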
@@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: openbao + name: openbao-discovery-role + labels: + helm.sh/chart: openbao-0.27.1 + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list", "update", "patch"] diff --git a/clusters/cl01tl/manifests/openbao/RoleBinding-openbao-csi-provider-rolebinding.yaml b/clusters/cl01tl/manifests/openbao/RoleBinding-openbao-csi-provider-rolebinding.yaml new file mode 100644 index 000000000..e58b1d06e --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/RoleBinding-openbao-csi-provider-rolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: openbao-csi-provider-rolebinding + namespace: openbao + labels: + app.kubernetes.io/name: openbao-csi-provider + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: openbao-csi-provider-role +subjects: + - kind: ServiceAccount + name: openbao-csi-provider + namespace: openbao diff --git a/clusters/cl01tl/manifests/openbao/RoleBinding-openbao-discovery-rolebinding.yaml b/clusters/cl01tl/manifests/openbao/RoleBinding-openbao-discovery-rolebinding.yaml new file mode 100644 index 000000000..fbe1f5f00 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/RoleBinding-openbao-discovery-rolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: openbao-discovery-rolebinding + namespace: openbao + labels: + helm.sh/chart: openbao-0.27.1 + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: openbao-discovery-role +subjects: + - kind: ServiceAccount + name: openbao + namespace: openbao 
diff --git a/clusters/cl01tl/manifests/openbao/Service-openbao-active.yaml b/clusters/cl01tl/manifests/openbao/Service-openbao-active.yaml new file mode 100644 index 000000000..da8073c96 --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/Service-openbao-active.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Service +metadata: + name: openbao-active + namespace: openbao + labels: + helm.sh/chart: openbao-0.27.1 + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + openbao-active: "true" +spec: + publishNotReadyAddresses: true + ports: + - name: http + port: 8200 + targetPort: 8200 + appProtocol: HTTP + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + component: server + openbao-active: "true" diff --git a/clusters/cl01tl/manifests/openbao/Service-openbao-internal.yaml b/clusters/cl01tl/manifests/openbao/Service-openbao-internal.yaml new file mode 100644 index 000000000..0951f096e --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/Service-openbao-internal.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Service +metadata: + name: openbao-internal + namespace: openbao + labels: + helm.sh/chart: openbao-0.27.1 + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + openbao-internal: "true" +spec: + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: "http" + port: 8200 + targetPort: 8200 + appProtocol: HTTP + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: openbao + app.kubernetes.io/instance: openbao + component: server diff --git a/clusters/cl01tl/manifests/openbao/Service-openbao-standby.yaml b/clusters/cl01tl/manifests/openbao/Service-openbao-standby.yaml new file mode 100644 index 000000000..3ec789a9e --- /dev/null +++ b/clusters/cl01tl/manifests/openbao/Service-openbao-standby.yaml 
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: openbao-standby
+ namespace: openbao
+ labels:
+ helm.sh/chart: openbao-0.27.1
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: openbao
+ app.kubernetes.io/managed-by: Helm
+spec:
+ publishNotReadyAddresses: true
+ ports:
+ - name: http
+ port: 8200
+ targetPort: 8200
+ appProtocol: HTTP
+ - name: https-internal
+ port: 8201
+ targetPort: 8201
+ selector:
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: openbao
+ component: server
+ openbao-active: "false"
diff --git a/clusters/cl01tl/manifests/openbao/Service-openbao.yaml b/clusters/cl01tl/manifests/openbao/Service-openbao.yaml
new file mode 100644
index 000000000..86519a51b
--- /dev/null
+++ b/clusters/cl01tl/manifests/openbao/Service-openbao.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: openbao
+ namespace: openbao
+ labels:
+ helm.sh/chart: openbao-0.27.1
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: openbao
+ app.kubernetes.io/managed-by: Helm
+spec:
+ publishNotReadyAddresses: true
+ ports:
+ - name: http
+ port: 8200
+ targetPort: 8200
+ appProtocol: HTTP
+ - name: https-internal
+ port: 8201
+ targetPort: 8201
+ selector:
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: openbao
+ component: server
diff --git a/clusters/cl01tl/manifests/openbao/ServiceAccount-openbao-csi-provider.yaml b/clusters/cl01tl/manifests/openbao/ServiceAccount-openbao-csi-provider.yaml
new file mode 100644
index 000000000..482eb2d9b
--- /dev/null
+++ b/clusters/cl01tl/manifests/openbao/ServiceAccount-openbao-csi-provider.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: openbao-csi-provider
+ namespace: openbao
+ labels:
+ app.kubernetes.io/name: openbao-csi-provider
+ app.kubernetes.io/instance: openbao
+ app.kubernetes.io/managed-by: Helm
diff --git a/clusters/cl01tl/manifests/openbao/ServiceAccount-openbao-snapshot.yaml b/clusters/cl01tl/manifests/openbao/ServiceAccount-openbao-snapshot.yaml
new file mode 100644
index 000000000..bf76a550e
--- /dev/null
+++ b/clusters/cl01tl/manifests/openbao/ServiceAccount-openbao-snapshot.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: openbao-snapshot
+ namespace: openbao
+ labels:
+ helm.sh/chart: openbao-0.27.1
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: openbao
+ app.kubernetes.io/managed-by: Helm
diff --git a/clusters/cl01tl/manifests/openbao/ServiceAccount-openbao.yaml b/clusters/cl01tl/manifests/openbao/ServiceAccount-openbao.yaml
new file mode 100644
index 000000000..8c1fa1940
--- /dev/null
+++ b/clusters/cl01tl/manifests/openbao/ServiceAccount-openbao.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: openbao
+ namespace: openbao
+ labels:
+ helm.sh/chart: openbao-0.27.1
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: openbao
+ app.kubernetes.io/managed-by: Helm
diff --git a/clusters/cl01tl/manifests/openbao/ServiceMonitor-openbao.yaml b/clusters/cl01tl/manifests/openbao/ServiceMonitor-openbao.yaml
new file mode 100644
index 000000000..e8b8e5566
--- /dev/null
+++ b/clusters/cl01tl/manifests/openbao/ServiceMonitor-openbao.yaml
@@ -0,0 +1,31 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: openbao
+ namespace: openbao
+ labels:
+ helm.sh/chart: openbao-0.27.1
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: openbao
+ app.kubernetes.io/managed-by: Helm
+ release: prometheus
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: openbao
+ openbao-active: "true"
+ endpoints:
+ - port: http
+ interval: 30s
+ scrapeTimeout: 10s
+ scheme: http
+ path: /v1/sys/metrics
+ params:
+ format:
+ - prometheus
+ tlsConfig:
+ insecureSkipVerify: true
+ namespaceSelector:
+ matchNames:
+ - openbao
diff --git a/clusters/cl01tl/manifests/openbao/StatefulSet-openbao.yaml b/clusters/cl01tl/manifests/openbao/StatefulSet-openbao.yaml
new file mode 100644
index 000000000..f318559be
--- /dev/null
+++ b/clusters/cl01tl/manifests/openbao/StatefulSet-openbao.yaml
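Review bot: The endpoint sets `scheme: http` and, right below it, `tlsConfig: insecureSkipVerify: true`; the tlsConfig is inert for a plain-HTTP scrape, and if the scheme is later switched to `https` it silently turns off certificate verification of the metrics target. Drop the `tlsConfig` block, or replace it with a `ca`/`caFile` reference when TLS is enabled on the 8200 listener. Note also that the selector requires `openbao-active: "true"`, so only the active pod's metrics are scraped, and `/v1/sys/metrics` answers without a token only if the server config in `openbao-config` (not in this hunk) enables unauthenticated metrics access — otherwise the scrape gets 403 and the target shows as down.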
@@ -0,0 +1,162 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: openbao
+ namespace: openbao
+ labels:
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: openbao
+ app.kubernetes.io/managed-by: Helm
+spec:
+ serviceName: openbao-internal
+ podManagementPolicy: OrderedReady
+ replicas: 3
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: openbao
+ component: server
+ template:
+ metadata:
+ labels:
+ helm.sh/chart: openbao-0.27.1
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: openbao
+ component: server
+ spec:
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: "openbao"
+ component: server
+ topologyKey: kubernetes.io/hostname
+ terminationGracePeriodSeconds: 10
+ serviceAccountName: openbao
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsGroup: 1000
+ runAsUser: 100
+ fsGroup: 1000
+ hostNetwork: false
+ volumes:
+ - name: config
+ configMap:
+ name: openbao-config
+ - name: home
+ emptyDir: {}
+ containers:
+ - name: openbao
+ resources:
+ requests:
+ cpu: 50m
+ memory: 500Mi
+ image: "quay.io/openbao/openbao:2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878"
+ imagePullPolicy: IfNotPresent
+ command:
+ - "/bin/sh"
+ - "-ec"
+ args:
+ - "cp /openbao/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;\n[ -n \"${HOST_IP}\" ] && sed -Ei \"s|HOST_IP|${HOST_IP?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${POD_IP}\" ] && sed -Ei \"s|POD_IP|${POD_IP?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${HOSTNAME}\" ] && sed -Ei \"s|HOSTNAME|${HOSTNAME?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${API_ADDR}\" ] && sed -Ei \"s|API_ADDR|${API_ADDR?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${TRANSIT_ADDR}\" ] && sed -Ei \"s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g\" /tmp/storageconfig.hcl;\n[ -n \"${RAFT_ADDR}\" ] && sed -Ei \"s|RAFT_ADDR|${RAFT_ADDR?}|g\" /tmp/storageconfig.hcl;\n/usr/local/bin/docker-entrypoint.sh bao server -config=/tmp/storageconfig.hcl \n"
+ securityContext:
+ allowPrivilegeEscalation: false
+ env:
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: BAO_K8S_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: BAO_K8S_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: BAO_ADDR
+ value: "http://127.0.0.1:8200"
+ - name: BAO_API_ADDR
+ value: "http://$(POD_IP):8200"
+ - name: SKIP_CHOWN
+ value: "true"
+ - name: SKIP_SETCAP
+ value: "true"
+ - name: HOSTNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: BAO_CLUSTER_ADDR
+ value: "https://$(HOSTNAME).openbao-internal:8201"
+ - name: HOME
+ value: "/home/openbao"
+ volumeMounts:
+ - name: audit
+ mountPath: /openbao/audit
+ - name: data
+ mountPath: /openbao/data
+ - name: config
+ mountPath: /openbao/config
+ - name: home
+ mountPath: /home/openbao
+ ports:
+ - containerPort: 8200
+ name: http
+ - containerPort: 8201
+ name: https-internal
+ - containerPort: 8202
+ name: http-rep
+ readinessProbe:
+ exec:
+ command: ["/bin/sh", "-ec", "bao status -tls-skip-verify"]
+ failureThreshold: 2
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ livenessProbe:
+ httpGet:
+ path: "/v1/sys/health?standbyok=true"
+ port: 8200
+ scheme: HTTP
+ failureThreshold: 2
+ initialDelaySeconds: 60
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ lifecycle:
+ preStop:
+ exec:
+ command: ["/bin/sh", "-c", "sleep 5 && kill -SIGTERM $(pidof bao)"]
+ volumeClaimTemplates:
+ - apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: ceph-block
+ - apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: audit
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+ storageClassName: ceph-block
diff --git a/clusters/cl01tl/manifests/openbao/TLSRoute-openbao.yaml b/clusters/cl01tl/manifests/openbao/TLSRoute-openbao.yaml
new file mode 100644
index 000000000..e693dacc5
--- /dev/null
+++ b/clusters/cl01tl/manifests/openbao/TLSRoute-openbao.yaml
@@ -0,0 +1,22 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: TLSRoute
+metadata:
+ name: openbao
+ namespace: openbao
+ labels:
+ helm.sh/chart: openbao-0.27.1
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/instance: openbao
+ app.kubernetes.io/managed-by: Helm
+spec:
+ hostnames:
+ - "vault.alexlebens.net"
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: traefik-gateway
+ namespace: traefik
+ rules:
+ - backendRefs:
+ - name: openbao-active
+ port: 8200
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/CSIDriver-secrets-store.csi.k8s.io.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/CSIDriver-secrets-store.csi.k8s.io.yaml
new file mode 100644
index 000000000..b9ec8fe51
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/CSIDriver-secrets-store.csi.k8s.io.yaml
@@ -0,0 +1,16 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+ name: secrets-store.csi.k8s.io
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+spec:
+ podInfoOnMount: true
+ attachRequired: false
+ volumeLifecycleModes:
+ - Ephemeral
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secretproviderclasses-admin-role.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secretproviderclasses-admin-role.yaml
new file mode 100644
index 000000000..5e2d89576
--- /dev/null
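Review bot: The `livenessProbe` on `/v1/sys/health?standbyok=true` restarts a pod that is sealed or uninitialised, because that endpoint answers 503/501 in those states and `failureThreshold: 2` with `periodSeconds: 5` kills the container after ten seconds; unless `openbao-config` (not in this hunk) sets up auto-unseal — the `TRANSIT_ADDR` substitution in `args` hints that it may — an operator has about 70 s from container start to unseal each pod before it is restarted, and the cycle repeats. Make sealed/uninitialised count as live, `path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"`, or drop the liveness probe and rely on the readiness probe. The container `securityContext` only sets `allowPrivilegeEscalation: false`; with `SKIP_SETCAP: "true"` the process needs no capability, so add `capabilities: { drop: ["ALL"] }` next to it. `runAsUser: 100` beside `runAsGroup`/`fsGroup` `1000` looks like a typo at first glance — if it is the image's intended uid, a one-line comment saying so would save the next reader a check.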
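Review bot: The route sends `vault.alexlebens.net` to `openbao-active` port 8200, which the Service declares as `appProtocol: HTTP` and which the StatefulSet serves in plain HTTP (`BAO_ADDR: "http://127.0.0.1:8200"`, liveness `scheme: HTTP`); that only works if the `traefik-gateway` listener terminates TLS and forwards plaintext, and in passthrough mode the backend would receive raw TLS records it cannot parse. If termination is the intent an `HTTPRoute` expresses it directly; if passthrough is the intent, TLS has to be enabled on the 8200 listener and `BAO_ADDR` and the probes switched to https. The hostname also differs from the `openbao` naming used by every other resource in this directory — if `vault.alexlebens.net` is still served by an existing route on the same gateway, two routes would claim the same SNI, so confirm which is intended. Also confirm the installed Gateway API CRDs serve `TLSRoute` under `gateway.networking.k8s.io/v1`; in the releases I am aware of it has been served from the experimental `v1alpha2` channel.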
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secretproviderclasses-admin-role.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ name: secretproviderclasses-admin-role
+rules:
+ - apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secretproviderclasses-role.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secretproviderclasses-role.yaml
new file mode 100644
index 000000000..afe4441b5
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secretproviderclasses-role.yaml
@@ -0,0 +1,65 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: secretproviderclasses-role
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasspodstatuses
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasspodstatuses/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - storage.k8s.io
+ resourceNames:
+ - secrets-store.csi.k8s.io
+ resources:
+ - csidrivers
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secretproviderclasses-viewer-role.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secretproviderclasses-viewer-role.yaml
new file mode 100644
index 000000000..e1d159524
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secretproviderclasses-viewer-role.yaml
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ name: secretproviderclasses-viewer-role
+rules:
+ - apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasses
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secretproviderclasspodstatuses-viewer-role.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secretproviderclasspodstatuses-viewer-role.yaml
new file mode 100644
index 000000000..23e1f03fb
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secretproviderclasspodstatuses-viewer-role.yaml
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ name: secretproviderclasspodstatuses-viewer-role
+rules:
+ - apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasspodstatuses
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secrets-store-csi-driver-keep-crds.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secrets-store-csi-driver-keep-crds.yaml
new file mode 100644
index 000000000..1daaea0a6
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secrets-store-csi-driver-keep-crds.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: secrets-store-csi-driver-keep-crds
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+ annotations:
+ helm.sh/hook: pre-upgrade
+ helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+ helm.sh/hook-weight: "2"
+rules:
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "patch"]
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secrets-store-csi-driver-upgrade-crds.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secrets-store-csi-driver-upgrade-crds.yaml
new file mode 100644
index 000000000..ae273ba24
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRole-secrets-store-csi-driver-upgrade-crds.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: secrets-store-csi-driver-upgrade-crds
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+ helm.sh/hook-weight: "1"
+rules:
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "create", "update", "patch"]
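Review bot: `secrets-store-csi-driver-keep-crds` and `secrets-store-csi-driver-upgrade-crds` are Helm hook resources (`helm.sh/hook`, `hook-delete-policy`, `hook-weight`), but as pre-rendered manifests there is no Helm release to run or clean them up, so what happens depends on the tool applying this directory — Argo CD translates these annotations into sync hooks, whereas plain `kubectl apply` treats them as ordinary objects that persist. In the latter case a cluster-wide `create`/`update`/`patch` on `customresourcedefinitions` stays permanently bound, via `ClusterRoleBinding-secrets-store-csi-driver-keep-crds` and `-upgrade-crds` later on this page, to job service accounts that are not part of this page. Since the CRDs themselves are committed alongside (`CustomResourceDefinition-secretproviderclasses...` and `...secretproviderclasspodstatuses...`), the CRD hook roles and bindings are redundant here and can be dropped, or the chart's CRD-hook option turned off at render time.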
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRoleBinding-secretproviderclasses-rolebinding.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRoleBinding-secretproviderclasses-rolebinding.yaml
new file mode 100644
index 000000000..e0b1370eb
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRoleBinding-secretproviderclasses-rolebinding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: secretproviderclasses-rolebinding
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: secretproviderclasses-role
+subjects:
+ - kind: ServiceAccount
+ name: secrets-store-csi-driver
+ namespace: secrets-store-csi-driver
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRoleBinding-secrets-store-csi-driver-keep-crds.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRoleBinding-secrets-store-csi-driver-keep-crds.yaml
new file mode 100644
index 000000000..ce18634a9
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRoleBinding-secrets-store-csi-driver-keep-crds.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: secrets-store-csi-driver-keep-crds
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+ annotations:
+ helm.sh/hook: pre-upgrade
+ helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+ helm.sh/hook-weight: "2"
+subjects:
+ - kind: ServiceAccount
+ name: secrets-store-csi-driver-keep-crds
+ namespace: secrets-store-csi-driver
+roleRef:
+ kind: ClusterRole
+ name: secrets-store-csi-driver-keep-crds
+ apiGroup: rbac.authorization.k8s.io
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRoleBinding-secrets-store-csi-driver-upgrade-crds.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRoleBinding-secrets-store-csi-driver-upgrade-crds.yaml
new file mode 100644
index 000000000..4e4691029
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/ClusterRoleBinding-secrets-store-csi-driver-upgrade-crds.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: secrets-store-csi-driver-upgrade-crds
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+ helm.sh/hook-weight: "1"
+subjects:
+ - kind: ServiceAccount
+ name: secrets-store-csi-driver-upgrade-crds
+ namespace: secrets-store-csi-driver
+roleRef:
+ kind: ClusterRole
+ name: secrets-store-csi-driver-upgrade-crds
+ apiGroup: rbac.authorization.k8s.io
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/CustomResourceDefinition-secretproviderclasses.secrets-store.csi.x-k8s.io.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/CustomResourceDefinition-secretproviderclasses.secrets-store.csi.x-k8s.io.yaml
new file mode 100644
index 000000000..aef2dcd19
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/CustomResourceDefinition-secretproviderclasses.secrets-store.csi.x-k8s.io.yaml
@@ -0,0 +1,180 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: secretproviderclasses.secrets-store.csi.x-k8s.io +spec: + group: secrets-store.csi.x-k8s.io + names: + kind: SecretProviderClass + listKind: SecretProviderClassList + plural: secretproviderclasses + singular: secretproviderclass + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SecretProviderClass is the Schema for the secretproviderclasses API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SecretProviderClassSpec defines the desired state of SecretProviderClass + properties: + parameters: + additionalProperties: + type: string + description: Configuration for specific provider + type: object + provider: + description: Configuration for provider name + type: string + secretObjects: + items: + description: SecretObject defines the desired state of synced K8s secret objects + properties: + annotations: + additionalProperties: + type: string + description: annotations of k8s secret object + type: object + data: + items: + description: SecretObjectData defines the desired state of synced K8s secret object data + properties: + key: + description: data field to populate + type: string + objectName: + description: name of the object to sync + type: string + type: object + type: array + labels: + additionalProperties: + type: string + description: labels of K8s secret object + type: object + secretName: + description: name of the K8s secret object + type: string + type: + description: type of K8s secret object + type: string + type: object + type: array + type: object + status: + description: SecretProviderClassStatus defines the observed state of SecretProviderClass + type: object + type: object + served: true + storage: true + - deprecated: true + deprecationWarning: secrets-store.csi.x-k8s.io/v1alpha1 is deprecated. Use secrets-store.csi.x-k8s.io/v1 instead. + name: v1alpha1 + schema: + openAPIV3Schema: + description: SecretProviderClass is the Schema for the secretproviderclasses API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: SecretProviderClassSpec defines the desired state of SecretProviderClass + properties: + parameters: + additionalProperties: + type: string + description: Configuration for specific provider + type: object + provider: + description: Configuration for provider name + type: string + secretObjects: + items: + description: SecretObject defines the desired state of synced K8s secret objects + properties: + annotations: + additionalProperties: + type: string + description: annotations of k8s secret object + type: object + data: + items: + description: SecretObjectData defines the desired state of synced K8s secret object data + properties: + key: + description: data field to populate + type: string + objectName: + description: name of the object to sync + type: string + type: object + type: array + labels: + additionalProperties: + type: string + description: labels of K8s secret object + type: object + secretName: + description: name of the K8s secret object + type: string + type: + description: type of K8s secret object + type: string + type: object + type: array + type: object + status: + description: SecretProviderClassStatus defines the observed state of SecretProviderClass + properties: + byPod: + items: + description: |- + ByPodStatus defines the state of SecretProviderClass as seen by + an individual controller + properties: + id: + description: id of the pod that wrote the status + type: string + namespace: + description: namespace of the pod that wrote the 
status + type: string + type: object + type: array + type: object + type: object + served: true + storage: false diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/CustomResourceDefinition-secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/CustomResourceDefinition-secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io.yaml new file mode 100644 index 000000000..821f904cd --- /dev/null +++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/CustomResourceDefinition-secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io.yaml 
@@ -0,0 +1,110 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io +spec: + group: secrets-store.csi.x-k8s.io + names: + kind: SecretProviderClassPodStatus + listKind: SecretProviderClassPodStatusList + plural: secretproviderclasspodstatuses + singular: secretproviderclasspodstatus + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SecretProviderClassPodStatus is the Schema for the secretproviderclassespodstatus API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + status: + description: SecretProviderClassPodStatusStatus defines the observed state of SecretProviderClassPodStatus + properties: + mounted: + type: boolean + objects: + items: + description: SecretProviderClassObject defines the object fetched from external secrets store + properties: + id: + type: string + version: + type: string + type: object + type: array + podName: + type: string + secretProviderClassName: + type: string + targetPath: + type: string + type: object + type: object + served: true + storage: true + - deprecated: true + name: v1alpha1 + schema: + openAPIV3Schema: + description: SecretProviderClassPodStatus is the Schema for the secretproviderclassespodstatus API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + status: + description: SecretProviderClassPodStatusStatus defines the observed state of SecretProviderClassPodStatus + properties: + mounted: + type: boolean + objects: + items: + description: SecretProviderClassObject defines the object fetched from external secrets store + properties: + id: + type: string + version: + type: string + type: object + type: array + podName: + type: string + secretProviderClassName: + type: string + targetPath: + type: string + type: object + type: object + served: true + storage: false diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/DaemonSet-secrets-store-csi-driver.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/DaemonSet-secrets-store-csi-driver.yaml new file mode 100644 index 000000000..8ee32c929 --- /dev/null +++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/DaemonSet-secrets-store-csi-driver.yaml 
@@ -0,0 +1,153 @@
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+ name: secrets-store-csi-driver
+ namespace: secrets-store-csi-driver
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+spec:
+ selector:
+ matchLabels:
+ app: secrets-store-csi-driver
+ updateStrategy:
+ rollingUpdate:
+ maxUnavailable: 1
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+ annotations:
+ kubectl.kubernetes.io/default-container: secrets-store
+ spec:
+ automountServiceAccountToken: true
+ serviceAccountName: secrets-store-csi-driver
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
+ containers:
+ - name: node-driver-registrar
+ image: "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.16.0@sha256:ab482308a4921e28a6df09a16ab99a457e9af9641ff44fb1be1a690d07ce8b70"
+ args:
+ - --v=5
+ - --csi-address=/csi/csi.sock
+ - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: plugin-dir
+ mountPath: /csi
+ - name: registration-dir
+ mountPath: /registration
+ resources:
+ limits: {}
+ requests:
+ cpu: 10m
+ memory: 20Mi
+ - name: secrets-store
+ image: "registry.k8s.io/csi-secrets-store/driver:v1.5.6@sha256:6df2b3b3817136d2ade3d53306dbbd98385c1c01e8b3c373192c0e5b8d183f7b"
+ args:
+ - "--endpoint=$(CSI_ENDPOINT)"
+ - "--nodeid=$(KUBE_NODE_NAME)"
+ -
"--provider-volume=/var/run/secrets-store-csi-providers" + - "--additional-provider-volume-paths=/etc/kubernetes/secrets-store-csi-providers" + - "--metrics-addr=:8095" + - "--provider-health-check-interval=2m" + - "--max-call-recv-msg-size=4194304" + env: + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + imagePullPolicy: IfNotPresent + securityContext: + privileged: true + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + - containerPort: 8095 + name: metrics + protocol: TCP + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 30 + timeoutSeconds: 10 + periodSeconds: 15 + volumeMounts: + - name: plugin-dir + mountPath: /csi + - name: mountpoint-dir + mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + - name: providers-dir + mountPath: /var/run/secrets-store-csi-providers + - name: providers-dir-0 + mountPath: "/etc/kubernetes/secrets-store-csi-providers" + resources: + limits: {} + requests: + cpu: 10m + memory: 100Mi + - name: liveness-probe + image: "registry.k8s.io/sig-storage/livenessprobe:v2.18.0@sha256:c4cc074199c045dd73ab85f28897e2a32f4d6f38ffdba4f3b13b8007ccbd3570" + imagePullPolicy: IfNotPresent + args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=0.0.0.0:9808 + - -v=2 + volumeMounts: + - name: plugin-dir + mountPath: /csi + resources: + limits: {} + requests: + cpu: 10m + memory: 20Mi + volumes: + - name: mountpoint-dir + hostPath: + path: /var/lib/kubelet/pods + type: DirectoryOrCreate + - name: registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: Directory + - name: plugin-dir + hostPath: + path: /var/lib/kubelet/plugins/csi-secrets-store/ + type: DirectoryOrCreate + - name: providers-dir + hostPath: + path: /var/run/secrets-store-csi-providers + type: DirectoryOrCreate + - name: providers-dir-0 + hostPath: + path: 
"/etc/kubernetes/secrets-store-csi-providers" + type: DirectoryOrCreate + nodeSelector: + kubernetes.io/os: linux + tolerations: + - operator: Exists diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/Job-secrets-store-csi-driver-keep-crds.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/Job-secrets-store-csi-driver-keep-crds.yaml new file mode 100644 index 000000000..d66864f6b --- /dev/null +++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/Job-secrets-store-csi-driver-keep-crds.yaml @@ -0,0 +1,39 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: secrets-store-csi-driver-keep-crds + namespace: secrets-store-csi-driver + labels: + app.kubernetes.io/instance: "secrets-store-csi-driver" + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/name: "secrets-store-csi-driver" + app.kubernetes.io/version: "1.5.6" + app: secrets-store-csi-driver + helm.sh/chart: "secrets-store-csi-driver-1.5.6" + annotations: + helm.sh/hook: pre-upgrade + helm.sh/hook-weight: "20" + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" +spec: + backoffLimit: 3 + template: + metadata: + name: secrets-store-csi-driver-keep-crds + spec: + serviceAccountName: secrets-store-csi-driver-keep-crds + restartPolicy: Never + containers: + - name: crds-keep + image: "registry.k8s.io/csi-secrets-store/driver-crds:v1.5.6@sha256:d40d9212beb62ee0f9f09b75d024ed807816879f38e75eca309497c3df89568c" + args: + - patch + - crd + - secretproviderclasses.secrets-store.csi.x-k8s.io + - secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io + - -p + - '{"metadata":{"annotations": {"helm.sh/resource-policy": "keep"}}}' + imagePullPolicy: IfNotPresent + nodeSelector: + kubernetes.io/os: linux + tolerations: + - operator: Exists 
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/Job-secrets-store-csi-driver-upgrade-crds.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/Job-secrets-store-csi-driver-upgrade-crds.yaml
new file mode 100644
index 000000000..355692da1
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/Job-secrets-store-csi-driver-upgrade-crds.yaml
@@ -0,0 +1,36 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: secrets-store-csi-driver-upgrade-crds
+ namespace: secrets-store-csi-driver
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-weight: "10"
+ helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+spec:
+ backoffLimit: 3
+ template:
+ metadata:
+ name: secrets-store-csi-driver-upgrade-crds
+ spec:
+ serviceAccountName: secrets-store-csi-driver-upgrade-crds
+ restartPolicy: Never
+ containers:
+ - name: crds-upgrade
+ image: "registry.k8s.io/csi-secrets-store/driver-crds:v1.5.6@sha256:d40d9212beb62ee0f9f09b75d024ed807816879f38e75eca309497c3df89568c"
+ args:
+ - apply
+ - -f
+ - crds/
+ imagePullPolicy: IfNotPresent
+ nodeSelector:
+ kubernetes.io/os: linux
+ tolerations:
+ - operator: Exists
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/ServiceAccount-secrets-store-csi-driver-keep-crds.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/ServiceAccount-secrets-store-csi-driver-keep-crds.yaml
new file mode 100644
index 000000000..ca1307baa
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/ServiceAccount-secrets-store-csi-driver-keep-crds.yaml
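Review bot: `tolerations: - operator: Exists` lets this one-shot `kubectl apply` pod schedule onto any tainted node, including nodes being drained or tainted `NoSchedule` on purpose; the blanket toleration is right for the DaemonSet two hunks up, which must run everywhere, but a CRD-installing Job only needs API-server access and can drop it (the `keep-crds` Job in the previous hunk carries the same setting). There is also no `activeDeadlineSeconds`, so a pod that cannot reach the API server blocks the hook until `backoffLimit: 3` is exhausted by pod failures that may never come; `activeDeadlineSeconds: 300` beside `backoffLimit` bounds it. The ServiceAccount bound here must hold cluster-scoped create/patch on `customresourcedefinitions`, which is not visible in this diff; worth confirming the binding is limited to those verbs and to the two CRD names rather than a broad ClusterRole.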
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: secrets-store-csi-driver-keep-crds
+ namespace: secrets-store-csi-driver
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+ annotations:
+ helm.sh/hook: pre-upgrade
+ helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+ helm.sh/hook-weight: "2"
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/ServiceAccount-secrets-store-csi-driver-upgrade-crds.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/ServiceAccount-secrets-store-csi-driver-upgrade-crds.yaml
new file mode 100644
index 000000000..c588b285d
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/ServiceAccount-secrets-store-csi-driver-upgrade-crds.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: secrets-store-csi-driver-upgrade-crds
+ namespace: secrets-store-csi-driver
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"
+ annotations:
+ helm.sh/hook: pre-install,pre-upgrade
+ helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+ helm.sh/hook-weight: "1"
diff --git a/clusters/cl01tl/manifests/secrets-store-csi-driver/ServiceAccount-secrets-store-csi-driver.yaml b/clusters/cl01tl/manifests/secrets-store-csi-driver/ServiceAccount-secrets-store-csi-driver.yaml
new file mode 100644
index 000000000..f0babf8a1
--- /dev/null
+++ b/clusters/cl01tl/manifests/secrets-store-csi-driver/ServiceAccount-secrets-store-csi-driver.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: secrets-store-csi-driver
+ namespace: secrets-store-csi-driver
+ labels:
+ app.kubernetes.io/instance: "secrets-store-csi-driver"
+ app.kubernetes.io/managed-by: "Helm"
+ app.kubernetes.io/name: "secrets-store-csi-driver"
+ app.kubernetes.io/version: "1.5.6"
+ app: secrets-store-csi-driver
+ helm.sh/chart: "secrets-store-csi-driver-1.5.6"