From c6458f30e3671a8f719c92a944ab87ca94e7865b Mon Sep 17 00:00:00 2001
From: alexlebens
Date: Tue, 2 Jul 2024 11:40:38 -0500
Subject: [PATCH] use env values

---
 .../vault/templates/external-secret.yaml | 186 +++++++++++++++++-
 clusters/cl01tl/platform/vault/values.yaml | 43 +---
 2 files changed, 186 insertions(+), 43 deletions(-)

diff --git a/clusters/cl01tl/platform/vault/templates/external-secret.yaml b/clusters/cl01tl/platform/vault/templates/external-secret.yaml
index bc8964df3..7248be339 100644
--- a/clusters/cl01tl/platform/vault/templates/external-secret.yaml
+++ b/clusters/cl01tl/platform/vault/templates/external-secret.yaml
@@ -92,13 +92,69 @@ spec:
 kind: ClusterSecretStore
 name: vault
 data:
- - secretKey: vault-unseal.yaml
+ - secretKey: ENVIRONMENT
 remoteRef:
 conversionStrategy: Default
 decodingStrategy: None
- key: /cl01tl/vault/unseal/config
+ key: /cl01tl/vault/unseal/config-1
 metadataPolicy: None
- property: vault-unseal.yaml-1
+ property: ENVIRONMENT
+ - secretKey: CHECK_INTERVAL
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-1
+ metadataPolicy: None
+ property: CHECK_INTERVAL
+ - secretKey: MAX_CHECK_INTERVAL
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-1
+ metadataPolicy: None
+ property: MAX_CHECK_INTERVAL
+ - secretKey: NODES
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-1
+ metadataPolicy: None
+ property: NODES
+ - secretKey: TLS_SKIP_VERIFY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-1
+ metadataPolicy: None
+ property: TLS_SKIP_VERIFY
+ - secretKey: TOKENS
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-1
+ metadataPolicy: None
+ property: TOKENS
+ - secretKey: EMAIL_ENABLED
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-1
+ metadataPolicy: None
+ property: EMAIL_ENABLED
+ - secretKey: NOTIFY_MAX_ELAPSED
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-1
+ metadataPolicy: None
+ property: NOTIFY_MAX_ELAPSED
+ - secretKey: NOTIFY_QUEUE_DELAY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-1
+ metadataPolicy: None
+ property: NOTIFY_QUEUE_DELAY
 ---
 apiVersion: external-secrets.io/v1beta1
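Review bot: Each of the nine `data` entries in this hunk repeats the same `remoteRef` with only `property` changing, and the same nine-entry list is duplicated in the two following hunks for `config-2` and `config-3`; that copy-and-paste is exactly where a wrong key has already slipped in (`config--3` in the third hunk). external-secrets can pull every property of one Vault path through a single entry, `dataFrom:` / `  - extract:` / `      key: /cl01tl/vault/unseal/config-1`, which collapses each list to three lines and leaves nothing to mistype, with the caveat that any extra property stored at that path would also land in the generated Secret, so the path must hold only these settings. `TLS_SKIP_VERIFY` is now sourced from Vault and its value is not visible here; a comment on that entry recording which value is intended would help, since a `true` there disables certificate verification for the unseal client without anything in this repo showing it. The `spec:` these entries belong to starts outside the hunk.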
@@ -117,13 +173,69 @@ spec:
 kind: ClusterSecretStore
 name: vault
 data:
- - secretKey: vault-unseal.yaml
+ - secretKey: ENVIRONMENT
 remoteRef:
 conversionStrategy: Default
 decodingStrategy: None
- key: /cl01tl/vault/unseal/config
+ key: /cl01tl/vault/unseal/config-2
 metadataPolicy: None
- property: vault-unseal.yaml-2
+ property: ENVIRONMENT
+ - secretKey: CHECK_INTERVAL
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-2
+ metadataPolicy: None
+ property: CHECK_INTERVAL
+ - secretKey: MAX_CHECK_INTERVAL
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-2
+ metadataPolicy: None
+ property: MAX_CHECK_INTERVAL
+ - secretKey: NODES
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-2
+ metadataPolicy: None
+ property: NODES
+ - secretKey: TLS_SKIP_VERIFY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-2
+ metadataPolicy: None
+ property: TLS_SKIP_VERIFY
+ - secretKey: TOKENS
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-2
+ metadataPolicy: None
+ property: TOKENS
+ - secretKey: EMAIL_ENABLED
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-2
+ metadataPolicy: None
+ property: EMAIL_ENABLED
+ - secretKey: NOTIFY_MAX_ELAPSED
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-2
+ metadataPolicy: None
+ property: NOTIFY_MAX_ELAPSED
+ - secretKey: NOTIFY_QUEUE_DELAY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-2
+ metadataPolicy: None
+ property: NOTIFY_QUEUE_DELAY
 ---
 apiVersion: external-secrets.io/v1beta1
@@ -142,13 +254,69 @@ spec:
 kind: ClusterSecretStore
 name: vault
 data:
- - secretKey: vault-unseal.yaml
+ - secretKey: ENVIRONMENT
 remoteRef:
 conversionStrategy: Default
 decodingStrategy: None
- key: /cl01tl/vault/unseal/config
+ key: /cl01tl/vault/unseal/config-3
 metadataPolicy: None
- property: vault-unseal.yaml-3
+ property: ENVIRONMENT
+ - secretKey: CHECK_INTERVAL
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config--3
+ metadataPolicy: None
+ property: CHECK_INTERVAL
+ - secretKey: MAX_CHECK_INTERVAL
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-3
+ metadataPolicy: None
+ property: MAX_CHECK_INTERVAL
+ - secretKey: NODES
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-3
+ metadataPolicy: None
+ property: NODES
+ - secretKey: TLS_SKIP_VERIFY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-3
+ metadataPolicy: None
+ property: TLS_SKIP_VERIFY
+ - secretKey: TOKENS
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-3
+ metadataPolicy: None
+ property: TOKENS
+ - secretKey: EMAIL_ENABLED
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-3
+ metadataPolicy: None
+ property: EMAIL_ENABLED
+ - secretKey: NOTIFY_MAX_ELAPSED
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-3
+ metadataPolicy: None
+ property: NOTIFY_MAX_ELAPSED
+ - secretKey: NOTIFY_QUEUE_DELAY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/unseal/config-3
+ metadataPolicy: None
+ property: NOTIFY_QUEUE_DELAY
 ---
 apiVersion: external-secrets.io/v1beta1
diff --git a/clusters/cl01tl/platform/vault/values.yaml b/clusters/cl01tl/platform/vault/values.yaml
index fb9aca001..fdb9623a2 100644
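Review bot: The `CHECK_INTERVAL` entry in this hunk points at `key: /cl01tl/vault/unseal/config--3` (double hyphen) while the other eight entries use `config-3`; that path presumably does not exist in Vault, and as far as I recall external-secrets treats one unresolvable `remoteRef` as a sync failure for the whole ExternalSecret, so `vault-unseal-config-3` would stay unpopulated and the third unseal replica would come up without any of its settings, tokens included. The fix is the one-character change `key: /cl01tl/vault/unseal/config-3`. The enclosing `spec:` starts outside the hunk.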
--- a/clusters/cl01tl/platform/vault/values.yaml
+++ b/clusters/cl01tl/platform/vault/values.yaml
@@ -255,6 +255,9 @@ unseal:
 repository: ghcr.io/lrstanley/vault-unseal
 tag: 0.5.1
 pullPolicy: IfNotPresent
+ envFrom:
+ - secretRef:
+ name: vault-unseal-config-1
 resources:
 requests:
 cpu: 100m
@@ -270,6 +273,9 @@ unseal:
 repository: ghcr.io/lrstanley/vault-unseal
 tag: 0.5.1
 pullPolicy: IfNotPresent
+ envFrom:
+ - secretRef:
+ name: vault-unseal-config-2
 resources:
 requests:
 cpu: 100m
@@ -285,43 +291,12 @@ unseal:
 repository: ghcr.io/lrstanley/vault-unseal
 tag: 0.5.1
 pullPolicy: IfNotPresent
+ envFrom:
+ - secretRef:
+ name: vault-unseal-config-3
 resources:
 requests:
 cpu: 100m
 memory: 128Mi
 serviceAccount:
 create: true
- persistence:
- config-1:
- enabled: true
- type: secret
- name: vault-unseal-config-1
- advancedMounts:
- unseal-1:
- main:
- - path: /vault-unseal.yaml
- readOnly: true
- mountPropagation: None
- subPath: vault-unseal.yaml
- config-2:
- enabled: true
- type: secret
- name: vault-unseal-config-2
- advancedMounts:
- unseal-2:
- main:
- - path: /vault-unseal.yaml
- readOnly: true
- mountPropagation: None
- subPath: vault-unseal.yaml
- config-3:
- enabled: true
- type: secret
- name: vault-unseal-config-3
- advancedMounts:
- unseal-3:
- main:
- - path: /vault-unseal.yaml
- readOnly: true
- mountPropagation: None
- subPath: vault-unseal.yaml
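Review bot: With the `persistence` block removed, the unseal material that the first file maps to `TOKENS` stops being a read-only file mount and becomes process environment through the three `envFrom` entries; environment is inherited by every child process, is readable from `/proc/<pid>/environ` by anything else running in that container, and tends to surface in crash dumps and debug output, so this widens where the unseal tokens can end up compared with the `readOnly: true` subPath mount that was here before. If vault-unseal can still take its sensitive values from a file, I would keep only the non-secret settings in `envFrom` and leave `TOKENS` on a mounted Secret; if the env route is deliberate, a comment above each `envFrom:` such as `# injects TOKENS (Vault unseal material) as process env, not as a file` records the trade-off for the next reader. The `secretRef` names match the Secret names the removed block mounted, so the ExternalSecret targets presumably did not need to change, but `target.name` is outside these hunks and worth confirming. The `unseal:` mapping these three hunks sit in starts outside the diff.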