create helm charts for snapshot and unseal jobs

2024-07-01 19:31:00 -05:00
parent 534ee414ff
commit 835005d221
4 changed files with 403 additions and 65 deletions
--- a/clusters/cl01tl/platform/vault/templates/external-secret.yaml
+++ b/clusters/cl01tl/platform/vault/templates/external-secret.yaml
@@ -0,0 +1,243 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: vault-snapshot-agent-token
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-snapshot-agent-token
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: snapshot
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: VAULT_APPROLE_ROLE_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/snapshot/approle
+        metadataPolicy: None
+        property: role-id
+    - secretKey: VAULT_APPROLE_SECRET_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/snapshot/approle
+        metadataPolicy: None
+        property: secret-id
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: vault-snapshot-s3
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-snapshot-s3
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: snapshot
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/approle/job
+        metadataPolicy: None
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/approle/job
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ENDPOINT_URL
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/approle/job
+        metadataPolicy: None
+        property: AWS_ENDPOINT_URL
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/approle/job
+        metadataPolicy: None
+        property: AWS_SECRET_ACCESS_KEY
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: vault-unseal-agent-token
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-unseal-agent-token
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: unseal
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: VAULT_APPROLE_ROLE_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/unseal/approle
+        metadataPolicy: None
+        property: role-id
+    - secretKey: VAULT_APPROLE_SECRET_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/unseal/approle
+        metadataPolicy: None
+        property: secret-id
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: vault-unseal-config-1
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-unseal-key-1
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: unseal
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: vault-unseal.yaml
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/unseal/config
+        metadataPolicy: None
+        property: vault-unseal.yaml-1
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: vault-unseal-config-2
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-unseal-key-2
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: unseal
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: vault-unseal.yaml
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/unseal/config
+        metadataPolicy: None
+        property: vault-unseal.yaml-2
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: vault-unseal-config-3
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-unseal-config-3
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: unseal
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: vault-unseal.yaml
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/unseal/config
+        metadataPolicy: None
+        property: vault-unseal.yaml-3
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: vault-token
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault-token
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: token
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/token
+        metadataPolicy: None
+        property: token
+    - secretKey: unseal_key_1
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/token
+        metadataPolicy: None
+        property: unseal_key_1
+    - secretKey: unseal_key_2
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/token
+        metadataPolicy: None
+        property: unseal_key_2
+    - secretKey: unseal_key_3
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/token
+        metadataPolicy: None
+        property: unseal_key_3
+    - secretKey: unseal_key_4
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/token
+        metadataPolicy: None
+        property: unseal_key_4
+    - secretKey: unseal_key_5
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/vault/token
+        metadataPolicy: None
+        property: unseal_key_5