diff --git a/clusters/cl01tl/platform/vault/templates/external-secret.yaml b/clusters/cl01tl/platform/vault/templates/external-secret.yaml index 6a407174f..465a3d6e0 100644 --- a/clusters/cl01tl/platform/vault/templates/external-secret.yaml +++ b/clusters/cl01tl/platform/vault/templates/external-secret.yaml 
@@ -1,390 +1,390 @@ -# apiVersion: external-secrets.io/v1beta1 -# kind: ExternalSecret -# metadata: -# name: vault-snapshot-agent-token -# namespace: {{ .Release.Namespace }} -# labels: -# app.kubernetes.io/name: vault-snapshot-agent-token -# app.kubernetes.io/instance: {{ .Release.Name }} -# app.kubernetes.io/version: {{ .Chart.AppVersion }} -# app.kubernetes.io/component: snapshot -# app.kubernetes.io/part-of: {{ .Release.Name }} -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: VAULT_APPROLE_ROLE_ID -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/snapshot -# metadataPolicy: None -# property: VAULT_APPROLE_ROLE_ID -# - secretKey: VAULT_APPROLE_SECRET_ID -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/snapshot -# metadataPolicy: None -# property: VAULT_APPROLE_SECRET_ID +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-snapshot-agent-token + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: vault-snapshot-agent-token + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: snapshot + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: VAULT_APPROLE_ROLE_ID + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/snapshot + metadataPolicy: None + property: VAULT_APPROLE_ROLE_ID + - secretKey: VAULT_APPROLE_SECRET_ID + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/snapshot + metadataPolicy: None + property: VAULT_APPROLE_SECRET_ID -# --- -# apiVersion: external-secrets.io/v1beta1 -# kind: ExternalSecret -# metadata: -# name: vault-snapshot-s3 -# namespace: {{ .Release.Namespace }} -# labels: -# app.kubernetes.io/name: vault-snapshot-s3 -# 
app.kubernetes.io/instance: {{ .Release.Name }} -# app.kubernetes.io/version: {{ .Chart.AppVersion }} -# app.kubernetes.io/component: snapshot -# app.kubernetes.io/part-of: {{ .Release.Name }} -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: AWS_ACCESS_KEY_ID -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /digital-ocean/home-infra/vault-backup -# metadataPolicy: None -# property: AWS_ACCESS_KEY_ID -# - secretKey: AWS_SECRET_ACCESS_KEY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /digital-ocean/home-infra/vault-backup -# metadataPolicy: None -# property: AWS_SECRET_ACCESS_KEY +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-snapshot-s3 + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: vault-snapshot-s3 + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: snapshot + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: AWS_ACCESS_KEY_ID + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /digital-ocean/home-infra/vault-backup + metadataPolicy: None + property: AWS_ACCESS_KEY_ID + - secretKey: AWS_SECRET_ACCESS_KEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /digital-ocean/home-infra/vault-backup + metadataPolicy: None + property: AWS_SECRET_ACCESS_KEY -# --- -# apiVersion: external-secrets.io/v1beta1 -# kind: ExternalSecret -# metadata: -# name: vault-s3cmd-config -# namespace: {{ .Release.Namespace }} -# labels: -# app.kubernetes.io/name: vault-snapshot-s3 -# app.kubernetes.io/instance: {{ .Release.Name }} -# app.kubernetes.io/version: {{ .Chart.AppVersion }} -# app.kubernetes.io/component: snapshot -# app.kubernetes.io/part-of: {{ .Release.Name }} -# spec: -# secretStoreRef: 
-# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: .s3cfg -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/snapshot -# metadataPolicy: None -# property: s3cfg +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-s3cmd-config + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: vault-snapshot-s3 + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: snapshot + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: .s3cfg + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/snapshot + metadataPolicy: None + property: s3cfg -# --- -# apiVersion: external-secrets.io/v1beta1 -# kind: ExternalSecret -# metadata: -# name: vault-unseal-config-1 -# namespace: {{ .Release.Namespace }} -# labels: -# app.kubernetes.io/name: vault-unseal-key-1 -# app.kubernetes.io/instance: {{ .Release.Name }} -# app.kubernetes.io/version: {{ .Chart.AppVersion }} -# app.kubernetes.io/component: unseal -# app.kubernetes.io/part-of: {{ .Release.Name }} -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: ENVIRONMENT -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: ENVIRONMENT -# - secretKey: CHECK_INTERVAL -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: CHECK_INTERVAL -# - secretKey: MAX_CHECK_INTERVAL -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: MAX_CHECK_INTERVAL -# - secretKey: NODES -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: 
None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: NODES -# - secretKey: TLS_SKIP_VERIFY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: TLS_SKIP_VERIFY -# - secretKey: TOKENS -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: TOKENS -# - secretKey: EMAIL_ENABLED -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: EMAIL_ENABLED -# - secretKey: NOTIFY_MAX_ELAPSED -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: NOTIFY_MAX_ELAPSED -# - secretKey: NOTIFY_QUEUE_DELAY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: NOTIFY_QUEUE_DELAY +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-unseal-config-1 + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: vault-unseal-key-1 + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: unseal + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: ENVIRONMENT + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: ENVIRONMENT + - secretKey: CHECK_INTERVAL + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: CHECK_INTERVAL + - secretKey: MAX_CHECK_INTERVAL + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: 
/cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: MAX_CHECK_INTERVAL + - secretKey: NODES + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: NODES + - secretKey: TLS_SKIP_VERIFY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: TLS_SKIP_VERIFY + - secretKey: TOKENS + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: TOKENS + - secretKey: EMAIL_ENABLED + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: EMAIL_ENABLED + - secretKey: NOTIFY_MAX_ELAPSED + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: NOTIFY_MAX_ELAPSED + - secretKey: NOTIFY_QUEUE_DELAY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: NOTIFY_QUEUE_DELAY -# --- -# apiVersion: external-secrets.io/v1beta1 -# kind: ExternalSecret -# metadata: -# name: vault-unseal-config-2 -# namespace: {{ .Release.Namespace }} -# labels: -# app.kubernetes.io/name: vault-unseal-key-2 -# app.kubernetes.io/instance: {{ .Release.Name }} -# app.kubernetes.io/version: {{ .Chart.AppVersion }} -# app.kubernetes.io/component: unseal -# app.kubernetes.io/part-of: {{ .Release.Name }} -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: ENVIRONMENT -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: ENVIRONMENT -# - secretKey: CHECK_INTERVAL -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# 
metadataPolicy: None -# property: CHECK_INTERVAL -# - secretKey: MAX_CHECK_INTERVAL -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: MAX_CHECK_INTERVAL -# - secretKey: NODES -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: NODES -# - secretKey: TLS_SKIP_VERIFY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: TLS_SKIP_VERIFY -# - secretKey: TOKENS -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: TOKENS -# - secretKey: EMAIL_ENABLED -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: EMAIL_ENABLED -# - secretKey: NOTIFY_MAX_ELAPSED -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: NOTIFY_MAX_ELAPSED -# - secretKey: NOTIFY_QUEUE_DELAY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: NOTIFY_QUEUE_DELAY +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-unseal-config-2 + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: vault-unseal-key-2 + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: unseal + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: ENVIRONMENT + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: 
None + property: ENVIRONMENT + - secretKey: CHECK_INTERVAL + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: CHECK_INTERVAL + - secretKey: MAX_CHECK_INTERVAL + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: MAX_CHECK_INTERVAL + - secretKey: NODES + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: NODES + - secretKey: TLS_SKIP_VERIFY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: TLS_SKIP_VERIFY + - secretKey: TOKENS + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: TOKENS + - secretKey: EMAIL_ENABLED + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: EMAIL_ENABLED + - secretKey: NOTIFY_MAX_ELAPSED + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: NOTIFY_MAX_ELAPSED + - secretKey: NOTIFY_QUEUE_DELAY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: NOTIFY_QUEUE_DELAY -# --- -# apiVersion: external-secrets.io/v1beta1 -# kind: ExternalSecret -# metadata: -# name: vault-unseal-config-3 -# namespace: {{ .Release.Namespace }} -# labels: -# app.kubernetes.io/name: vault-unseal-config-3 -# app.kubernetes.io/instance: {{ .Release.Name }} -# app.kubernetes.io/version: {{ .Chart.AppVersion }} -# app.kubernetes.io/component: unseal -# app.kubernetes.io/part-of: {{ .Release.Name }} -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - 
secretKey: ENVIRONMENT -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: ENVIRONMENT -# - secretKey: CHECK_INTERVAL -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: CHECK_INTERVAL -# - secretKey: MAX_CHECK_INTERVAL -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: MAX_CHECK_INTERVAL -# - secretKey: NODES -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: NODES -# - secretKey: TLS_SKIP_VERIFY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: TLS_SKIP_VERIFY -# - secretKey: TOKENS -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: TOKENS -# - secretKey: EMAIL_ENABLED -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: EMAIL_ENABLED -# - secretKey: NOTIFY_MAX_ELAPSED -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: NOTIFY_MAX_ELAPSED -# - secretKey: NOTIFY_QUEUE_DELAY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: NOTIFY_QUEUE_DELAY +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-unseal-config-3 + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: vault-unseal-config-3 + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ 
.Chart.AppVersion }} + app.kubernetes.io/component: unseal + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: ENVIRONMENT + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: ENVIRONMENT + - secretKey: CHECK_INTERVAL + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: CHECK_INTERVAL + - secretKey: MAX_CHECK_INTERVAL + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: MAX_CHECK_INTERVAL + - secretKey: NODES + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: NODES + - secretKey: TLS_SKIP_VERIFY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: TLS_SKIP_VERIFY + - secretKey: TOKENS + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: TOKENS + - secretKey: EMAIL_ENABLED + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: EMAIL_ENABLED + - secretKey: NOTIFY_MAX_ELAPSED + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: NOTIFY_MAX_ELAPSED + - secretKey: NOTIFY_QUEUE_DELAY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: NOTIFY_QUEUE_DELAY -# --- -# apiVersion: external-secrets.io/v1beta1 -# kind: ExternalSecret -# metadata: -# name: vault-token -# namespace: {{ .Release.Namespace }} -# labels: -# 
app.kubernetes.io/name: vault-token -# app.kubernetes.io/instance: {{ .Release.Name }} -# app.kubernetes.io/version: {{ .Chart.AppVersion }} -# app.kubernetes.io/component: token -# app.kubernetes.io/part-of: {{ .Release.Name }} -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: token -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/token -# metadataPolicy: None -# property: token -# - secretKey: unseal_key_1 -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/token -# metadataPolicy: None -# property: unseal_key_1 -# - secretKey: unseal_key_2 -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/token -# metadataPolicy: None -# property: unseal_key_2 -# - secretKey: unseal_key_3 -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/token -# metadataPolicy: None -# property: unseal_key_3 -# - secretKey: unseal_key_4 -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/token -# metadataPolicy: None -# property: unseal_key_4 -# - secretKey: unseal_key_5 -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/token -# metadataPolicy: None -# property: unseal_key_5 +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-token + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: vault-token + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: token + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: token + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/token + metadataPolicy: None + property: token + - secretKey: unseal_key_1 + 
remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/token + metadataPolicy: None + property: unseal_key_1 + - secretKey: unseal_key_2 + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/token + metadataPolicy: None + property: unseal_key_2 + - secretKey: unseal_key_3 + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/token + metadataPolicy: None + property: unseal_key_3 + - secretKey: unseal_key_4 + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/token + metadataPolicy: None + property: unseal_key_4 + - secretKey: unseal_key_5 + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/token + metadataPolicy: None + property: unseal_key_5 diff --git a/clusters/cl01tl/platform/vault/values.yaml b/clusters/cl01tl/platform/vault/values.yaml index 2ef1fd801..353837ec2 100644 --- a/clusters/cl01tl/platform/vault/values.yaml +++ b/clusters/cl01tl/platform/vault/values.yaml 
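Review bot: The `vault-token` ExternalSecret at the end of the hunk pulls `token` and all five `unseal_key_*` properties from `/cl01tl/vault/token` into one Kubernetes Secret, which undoes the key split the three separate `vault-unseal-config-N` secrets (each with its own `TOKENS` property) otherwise provide: any principal with read access to Secrets in this namespace gets the complete unseal set and the token in a single object. Nothing in this commit's values.yaml hunk references `vault-token`, so if no workload consumes it, drop it; otherwise add a comment above it naming the consumer, e.g. `# consumed by <consumer>: needs the full unseal set for <reason>; keep Secret RBAC in this namespace tight`. Separately, the `app.kubernetes.io/name` labels disagree with `metadata.name` on three objects — `vault-s3cmd-config` is labelled `vault-snapshot-s3`, and `vault-unseal-config-1`/`-2` are labelled `vault-unseal-key-1`/`-2` while `-3` uses `vault-unseal-config-3` — so align each label with its object name to keep label selectors predictable. Finally, every object here reads from the ClusterSecretStore named `vault`; if that store is backed by this same Vault instance, the unseal-config secrets cannot sync on a cold start while Vault is still sealed, which deserves a short comment on how bootstrap is expected to proceed.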
@@ -150,149 +150,149 @@ vault: for: 5m labels: severity: critical -# snapshot: -# global: -# fullnameOverride: vault-snapshot -# controllers: -# snapshot: -# type: cronjob -# cronjob: -# suspend: false -# concurrencyPolicy: Forbid -# timeZone: US/Central -# schedule: 0 4 * * * -# startingDeadlineSeconds: 90 -# successfulJobsHistory: 3 -# failedJobsHistory: 3 -# backoffLimit: 3 -# parallelism: 1 -# initContainers: -# snapshot: -# image: -# repository: hashicorp/vault -# tag: 1.18.5 -# pullPolicy: IfNotPresent -# command: -# - /bin/ash -# args: -# - -ec -# - | -# apk add --no-cache jq; -# export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token); -# vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap; -# cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; -# cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap; -# envFrom: -# - secretRef: -# name: vault-snapshot-agent-token -# env: -# - name: VAULT_ADDR -# value: http://vault-active.vault.svc.cluster.local:8200 -# resources: -# requests: -# cpu: 10m -# memory: 64Mi -# containers: -# backup: -# image: -# repository: d3fk/s3cmd -# tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9 -# pullPolicy: IfNotPresent -# command: -# - /bin/sh -# args: -# - -ec -# - | -# s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; -# rm -f /opt/backup/vault-snapshot-s3.snap; -# envFrom: -# - secretRef: -# name: vault-snapshot-s3 -# resources: -# requests: -# cpu: 10m -# memory: 64Mi -# serviceAccount: -# create: true -# persistence: -# config: -# existingClaim: vault-nfs-storage-backup -# advancedMounts: -# snapshot: -# snapshot: -# - path: /opt/backup -# readOnly: 
false -# backup: -# - path: /opt/backup -# readOnly: false -# s3cmd-config: -# enabled: true -# type: secret -# name: vault-s3cmd-config -# advancedMounts: -# snapshot: -# backup: -# - path: /root/.s3cfg -# readOnly: true -# mountPropagation: None -# subPath: .s3cfg -# unseal: -# global: -# fullnameOverride: vault-unseal -# controllers: -# unseal-1: -# type: deployment -# replicas: 1 -# strategy: Recreate -# revisionHistoryLimit: 3 -# containers: -# main: -# image: -# repository: ghcr.io/lrstanley/vault-unseal -# tag: 0.7.0 -# pullPolicy: IfNotPresent -# envFrom: -# - secretRef: -# name: vault-unseal-config-1 -# resources: -# requests: -# cpu: 10m -# memory: 24Mi -# unseal-2: -# type: deployment -# replicas: 1 -# strategy: Recreate -# revisionHistoryLimit: 3 -# containers: -# main: -# image: -# repository: ghcr.io/lrstanley/vault-unseal -# tag: 0.7.0 -# pullPolicy: IfNotPresent -# envFrom: -# - secretRef: -# name: vault-unseal-config-2 -# resources: -# requests: -# cpu: 10m -# memory: 24Mi -# unseal-3: -# type: deployment -# replicas: 1 -# strategy: Recreate -# revisionHistoryLimit: 3 -# containers: -# main: -# image: -# repository: ghcr.io/lrstanley/vault-unseal -# tag: 0.7.0 -# pullPolicy: IfNotPresent -# envFrom: -# - secretRef: -# name: vault-unseal-config-3 -# resources: -# requests: -# cpu: 10m -# memory: 24Mi -# serviceAccount: -# create: true +snapshot: + global: + fullnameOverride: vault-snapshot + controllers: + snapshot: + type: cronjob + cronjob: + suspend: false + concurrencyPolicy: Forbid + timeZone: US/Central + schedule: 0 4 * * * + startingDeadlineSeconds: 90 + successfulJobsHistory: 3 + failedJobsHistory: 3 + backoffLimit: 3 + parallelism: 1 + initContainers: + snapshot: + image: + repository: hashicorp/vault + tag: 1.18.5 + pullPolicy: IfNotPresent + command: + - /bin/ash + args: + - -ec + - | + apk add --no-cache jq; + export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID 
-format=json | jq -r .auth.client_token); + vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap; + cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; + cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap; + envFrom: + - secretRef: + name: vault-snapshot-agent-token + env: + - name: VAULT_ADDR + value: http://vault-active.vault.svc.cluster.local:8200 + resources: + requests: + cpu: 10m + memory: 64Mi + containers: + backup: + image: + repository: d3fk/s3cmd + tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9 + pullPolicy: IfNotPresent + command: + - /bin/sh + args: + - -ec + - | + s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; + rm -f /opt/backup/vault-snapshot-s3.snap; + envFrom: + - secretRef: + name: vault-snapshot-s3 + resources: + requests: + cpu: 10m + memory: 64Mi + serviceAccount: + create: true + persistence: + config: + existingClaim: vault-nfs-storage-backup + advancedMounts: + snapshot: + snapshot: + - path: /opt/backup + readOnly: false + backup: + - path: /opt/backup + readOnly: false + s3cmd-config: + enabled: true + type: secret + name: vault-s3cmd-config + advancedMounts: + snapshot: + backup: + - path: /root/.s3cfg + readOnly: true + mountPropagation: None + subPath: .s3cfg +unseal: + global: + fullnameOverride: vault-unseal + controllers: + unseal-1: + type: deployment + replicas: 1 + strategy: Recreate + revisionHistoryLimit: 3 + containers: + main: + image: + repository: ghcr.io/lrstanley/vault-unseal + tag: 0.7.0 + pullPolicy: IfNotPresent + envFrom: + - secretRef: + name: vault-unseal-config-1 + resources: + requests: + cpu: 10m + memory: 24Mi + unseal-2: + type: deployment + replicas: 1 + strategy: Recreate + revisionHistoryLimit: 3 + containers: + main: + image: + 
repository: ghcr.io/lrstanley/vault-unseal + tag: 0.7.0 + pullPolicy: IfNotPresent + envFrom: + - secretRef: + name: vault-unseal-config-2 + resources: + requests: + cpu: 10m + memory: 24Mi + unseal-3: + type: deployment + replicas: 1 + strategy: Recreate + revisionHistoryLimit: 3 + containers: + main: + image: + repository: ghcr.io/lrstanley/vault-unseal + tag: 0.7.0 + pullPolicy: IfNotPresent + envFrom: + - secretRef: + name: vault-unseal-config-3 + resources: + requests: + cpu: 10m + memory: 24Mi + serviceAccount: + create: true
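Review bot: The `backup` container's `s3cmd put --no-check-md5 --no-check-certificate` line disables both TLS certificate verification and the upload integrity check while shipping a full Vault raft snapshot to an external bucket, so a spoofed or intercepted endpoint would receive the snapshot and a corrupted upload would go unnoticed. Drop both flags — `s3cmd put /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;` — and if the endpoint uses a private CA, point `ca_certs_file` in the mounted `.s3cfg` at it instead. The `snapshot` init container also runs `apk add --no-cache jq` on every execution solely to parse the login response, adding a network and package-repository dependency to each backup run; `export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID);` returns the token directly and lets you delete both the `apk add` line and the `jq` pipe. It is also worth a comment above the `env` block that `VAULT_ADDR` is plain `http://`, so the AppRole login and the snapshot transfer rely entirely on in-cluster network isolation — confirm that is intended.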