From 832c8264c4b22a6cf8757159733380dd7bf460df Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Mon, 17 Feb 2025 13:40:31 -0600
Subject: [PATCH] add unseal

---
 clusters/cl01tl/platform/vault/Chart.yaml | 8 +-
 .../vault/templates/external-secret.yaml | 598 +++++++++---------
 2 files changed, 303 insertions(+), 303 deletions(-)

diff --git a/clusters/cl01tl/platform/vault/Chart.yaml b/clusters/cl01tl/platform/vault/Chart.yaml
index 275c195d7..acc64575c 100644
--- a/clusters/cl01tl/platform/vault/Chart.yaml
+++ b/clusters/cl01tl/platform/vault/Chart.yaml
@@ -20,9 +20,9 @@ dependencies:
   # alias: snapshot
   # repository: https://bjw-s.github.io/helm-charts/
   # version: 3.6.1
-  # - name: app-template
-  #   alias: unseal
-  #   repository: https://bjw-s.github.io/helm-charts/
-  #   version: 3.6.1
+  - name: app-template
+    alias: unseal
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.6.1
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/vault.png
 appVersion: 1.18.4
diff --git a/clusters/cl01tl/platform/vault/templates/external-secret.yaml b/clusters/cl01tl/platform/vault/templates/external-secret.yaml
index f6b4799cd..14e1f487d 100644
--- a/clusters/cl01tl/platform/vault/templates/external-secret.yaml
+++ b/clusters/cl01tl/platform/vault/templates/external-secret.yaml
@@ -75,305 +75,305 @@ # metadataPolicy: None # property: AWS_SECRET_ACCESS_KEY -# --- -# apiVersion: external-secrets.io/v1beta1 -# kind: ExternalSecret -# metadata: -# name: vault-unseal-config-1 -# namespace: {{ .Release.Namespace }} -# labels: -# app.kubernetes.io/name: vault-unseal-key-1 -# app.kubernetes.io/instance: {{ .Release.Name }} -# app.kubernetes.io/version: {{ .Chart.AppVersion }} -# app.kubernetes.io/component: unseal -# app.kubernetes.io/part-of: {{ .Release.Name }} -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: ENVIRONMENT -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: ENVIRONMENT -# - secretKey: CHECK_INTERVAL -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: CHECK_INTERVAL -# - secretKey: MAX_CHECK_INTERVAL -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: MAX_CHECK_INTERVAL -# - secretKey: NODES -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: NODES -# - secretKey: TLS_SKIP_VERIFY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: TLS_SKIP_VERIFY -# - secretKey: TOKENS -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: TOKENS -# - secretKey: EMAIL_ENABLED -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: EMAIL_ENABLED -# - secretKey: NOTIFY_MAX_ELAPSED -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: 
/cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: NOTIFY_MAX_ELAPSED -# - secretKey: NOTIFY_QUEUE_DELAY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-1 -# metadataPolicy: None -# property: NOTIFY_QUEUE_DELAY +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-unseal-config-1 + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: vault-unseal-key-1 + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: unseal + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: ENVIRONMENT + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: ENVIRONMENT + - secretKey: CHECK_INTERVAL + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: CHECK_INTERVAL + - secretKey: MAX_CHECK_INTERVAL + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: MAX_CHECK_INTERVAL + - secretKey: NODES + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: NODES + - secretKey: TLS_SKIP_VERIFY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: TLS_SKIP_VERIFY + - secretKey: TOKENS + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: TOKENS + - secretKey: EMAIL_ENABLED + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + 
property: EMAIL_ENABLED + - secretKey: NOTIFY_MAX_ELAPSED + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: NOTIFY_MAX_ELAPSED + - secretKey: NOTIFY_QUEUE_DELAY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-1 + metadataPolicy: None + property: NOTIFY_QUEUE_DELAY -# --- -# apiVersion: external-secrets.io/v1beta1 -# kind: ExternalSecret -# metadata: -# name: vault-unseal-config-2 -# namespace: {{ .Release.Namespace }} -# labels: -# app.kubernetes.io/name: vault-unseal-key-2 -# app.kubernetes.io/instance: {{ .Release.Name }} -# app.kubernetes.io/version: {{ .Chart.AppVersion }} -# app.kubernetes.io/component: unseal -# app.kubernetes.io/part-of: {{ .Release.Name }} -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: ENVIRONMENT -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: ENVIRONMENT -# - secretKey: CHECK_INTERVAL -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: CHECK_INTERVAL -# - secretKey: MAX_CHECK_INTERVAL -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: MAX_CHECK_INTERVAL -# - secretKey: NODES -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: NODES -# - secretKey: TLS_SKIP_VERIFY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: TLS_SKIP_VERIFY -# - secretKey: TOKENS -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None 
-# property: TOKENS -# - secretKey: EMAIL_ENABLED -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: EMAIL_ENABLED -# - secretKey: NOTIFY_MAX_ELAPSED -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: NOTIFY_MAX_ELAPSED -# - secretKey: NOTIFY_QUEUE_DELAY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-2 -# metadataPolicy: None -# property: NOTIFY_QUEUE_DELAY +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-unseal-config-2 + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: vault-unseal-key-2 + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: unseal + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: ENVIRONMENT + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: ENVIRONMENT + - secretKey: CHECK_INTERVAL + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: CHECK_INTERVAL + - secretKey: MAX_CHECK_INTERVAL + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: MAX_CHECK_INTERVAL + - secretKey: NODES + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: NODES + - secretKey: TLS_SKIP_VERIFY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: TLS_SKIP_VERIFY + - 
secretKey: TOKENS + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: TOKENS + - secretKey: EMAIL_ENABLED + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: EMAIL_ENABLED + - secretKey: NOTIFY_MAX_ELAPSED + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: NOTIFY_MAX_ELAPSED + - secretKey: NOTIFY_QUEUE_DELAY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-2 + metadataPolicy: None + property: NOTIFY_QUEUE_DELAY -# --- -# apiVersion: external-secrets.io/v1beta1 -# kind: ExternalSecret -# metadata: -# name: vault-unseal-config-3 -# namespace: {{ .Release.Namespace }} -# labels: -# app.kubernetes.io/name: vault-unseal-config-3 -# app.kubernetes.io/instance: {{ .Release.Name }} -# app.kubernetes.io/version: {{ .Chart.AppVersion }} -# app.kubernetes.io/component: unseal -# app.kubernetes.io/part-of: {{ .Release.Name }} -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: ENVIRONMENT -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: ENVIRONMENT -# - secretKey: CHECK_INTERVAL -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: CHECK_INTERVAL -# - secretKey: MAX_CHECK_INTERVAL -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: MAX_CHECK_INTERVAL -# - secretKey: NODES -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: NODES -# - secretKey: 
TLS_SKIP_VERIFY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: TLS_SKIP_VERIFY -# - secretKey: TOKENS -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: TOKENS -# - secretKey: EMAIL_ENABLED -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: EMAIL_ENABLED -# - secretKey: NOTIFY_MAX_ELAPSED -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: NOTIFY_MAX_ELAPSED -# - secretKey: NOTIFY_QUEUE_DELAY -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/unseal/config-3 -# metadataPolicy: None -# property: NOTIFY_QUEUE_DELAY +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-unseal-config-3 + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: vault-unseal-config-3 + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: unseal + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: ENVIRONMENT + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: ENVIRONMENT + - secretKey: CHECK_INTERVAL + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: CHECK_INTERVAL + - secretKey: MAX_CHECK_INTERVAL + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: MAX_CHECK_INTERVAL + - secretKey: NODES + 
remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: NODES + - secretKey: TLS_SKIP_VERIFY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: TLS_SKIP_VERIFY + - secretKey: TOKENS + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: TOKENS + - secretKey: EMAIL_ENABLED + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: EMAIL_ENABLED + - secretKey: NOTIFY_MAX_ELAPSED + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: NOTIFY_MAX_ELAPSED + - secretKey: NOTIFY_QUEUE_DELAY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/unseal/config-3 + metadataPolicy: None + property: NOTIFY_QUEUE_DELAY -# --- -# apiVersion: external-secrets.io/v1beta1 -# kind: ExternalSecret -# metadata: -# name: vault-token -# namespace: {{ .Release.Namespace }} -# labels: -# app.kubernetes.io/name: vault-token -# app.kubernetes.io/instance: {{ .Release.Name }} -# app.kubernetes.io/version: {{ .Chart.AppVersion }} -# app.kubernetes.io/component: token -# app.kubernetes.io/part-of: {{ .Release.Name }} -# spec: -# secretStoreRef: -# kind: ClusterSecretStore -# name: vault -# data: -# - secretKey: token -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/token -# metadataPolicy: None -# property: token -# - secretKey: unseal_key_1 -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/token -# metadataPolicy: None -# property: unseal_key_1 -# - secretKey: unseal_key_2 -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: 
/cl01tl/vault/token -# metadataPolicy: None -# property: unseal_key_2 -# - secretKey: unseal_key_3 -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/token -# metadataPolicy: None -# property: unseal_key_3 -# - secretKey: unseal_key_4 -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/token -# metadataPolicy: None -# property: unseal_key_4 -# - secretKey: unseal_key_5 -# remoteRef: -# conversionStrategy: Default -# decodingStrategy: None -# key: /cl01tl/vault/token -# metadataPolicy: None -# property: unseal_key_5 +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vault-token + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: vault-token + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/component: token + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: token + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/token + metadataPolicy: None + property: token + - secretKey: unseal_key_1 + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/token + metadataPolicy: None + property: unseal_key_1 + - secretKey: unseal_key_2 + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/token + metadataPolicy: None + property: unseal_key_2 + - secretKey: unseal_key_3 + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/token + metadataPolicy: None + property: unseal_key_3 + - secretKey: unseal_key_4 + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/vault/token + metadataPolicy: None + property: unseal_key_4 + - secretKey: unseal_key_5 + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: 
/cl01tl/vault/token + metadataPolicy: None + property: unseal_key_5
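Review bot: The `vault-token` ExternalSecret (last document of the hunk) projects `token` together with `unseal_key_1` through `unseal_key_5` into one Kubernetes Secret, so anyone able to read that single Secret in the release namespace holds the token and what appears to be the complete set of unseal shares; if these are the same shares that the three `vault-unseal-config-N` documents split across separate `TOKENS` values, aggregating them here undoes that separation. Unless a workload in this chart consumes all five keys, drop the `unseal_key_*` entries from `vault-token` (or move them to a dedicated Secret whose RBAC is limited to its consumer) and add a comment above the document naming which workload reads it. `TLS_SKIP_VERIFY` is also sourced from the secret store like any other value, so the rendered manifest gives no indication whether certificate verification is disabled for the unsealer; a comment such as `# TLS_SKIP_VERIFY: presumably disables TLS verification on the unsealer's Vault client — confirm the stored value is "false"` would make the intent reviewable. Separately, the `app.kubernetes.io/name` labels on `vault-unseal-config-1` and `-2` read `vault-unseal-key-N` while `-3` uses `vault-unseal-config-3`; align them with the resource names.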