Commit 6da085b

Create a ClusterSecretStore for RHEL
RHEL needs to extract secrets from the same vault in more than one namespace. Create a cluster-level store for them, since users can only create namespace stores. This is similar to what we did for Insights. Since this store is on the internal cluster, configure it to extract directly from the internal vault. To do so, inject the trusted-ca into the appsre-vault namespace and get the approle secret from our own vault.

KFLUXINFRA-2706

Signed-off-by: Hugo Ares <[email protected]>
1 parent 481d011 commit 6da085b

6 files changed, +65 -0 lines changed

argo-cd-apps/base/cluster-secret-store-rh/cluster-secret-store-rh.yaml

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -20,6 +20,8 @@ spec:
2020
elements:
2121
- nameNormalized: stone-prd-rh01
2222
values.clusterDir: stone-prd-rh01
23+
- nameNormalized: kflux-rhel-p01
24+
values.clusterDir: kflux-rhel-p01
2325
template:
2426
metadata:
2527
name: cluster-secret-store-rh-{{nameNormalized}}
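Review bot: the new element sets values.clusterDir to kflux-rhel-p01, so the ApplicationSet template will resolve an overlay directory of that name; confirm that the overlay holding the new Kustomization (the one listing rhel-secret-store.yaml, rhel-appsre-vault-approle.yaml and trusted-ca-configmap.yaml) lives at that path, because a mismatch only surfaces as a failed render at sync time rather than at review.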
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
apiVersion: kustomize.config.k8s.io/v1beta1
2+
kind: Kustomization
3+
resources:
4+
- ../base
5+
- trusted-ca-configmap.yaml
6+
- rhel-secret-store.yaml
7+
- rhel-appsre-vault-approle.yaml
8+
commonAnnotations:
9+
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
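Review bot: nothing in this Kustomization sets a namespace, yet the ClusterSecretStore in this overlay expects its approle Secret in appsre-vault and the ConfigMap pins itself there; adding `namespace: appsre-vault` here would make the placement of the ExternalSecret explicit instead of inherited from whatever destination the Argo CD Application declares. Also, `commonAnnotations` stamps `SkipDryRunOnMissingResource=true` on every resource including the plain ConfigMap, where it is inert; if the intent is only to tolerate the external-secrets CRDs not yet being installed on first sync, putting the annotation on the two external-secrets resources alone keeps the scope narrow.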
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
apiVersion: external-secrets.io/v1beta1
2+
kind: ExternalSecret
3+
metadata:
4+
name: rhel-appsre-vault-approle
5+
annotations:
6+
argocd.argoproj.io/sync-wave: "-1"
7+
spec:
8+
dataFrom:
9+
- extract:
10+
key: production/infrastructure/cluster-secret-store/rhel-appsre-vault-approle
11+
refreshInterval: 5m
12+
secretStoreRef:
13+
kind: ClusterSecretStore
14+
name: appsre-stonesoup-vault
15+
target:
16+
creationPolicy: Owner
17+
deletionPolicy: Delete
18+
name: rhel-appsre-vault-approle
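Review bot: this ExternalSecret has no `metadata.namespace`, but the target Secret is created in the ExternalSecret's own namespace and the new ClusterSecretStore looks for `rhel-appsre-vault-approle` under `secretRef.namespace: appsre-vault`. The appsre-stonesoup-vault store that feeds it also only accepts ExternalSecrets from its allow-listed namespaces, so the object must land in appsre-vault for the chain to work; suggest adding `namespace: appsre-vault` under `metadata:` as the ConfigMap in this overlay already does. With `deletionPolicy: Delete`, removing this object also removes the Secret the ClusterSecretStore authenticates with, which is the expected teardown behaviour but worth a comment so nobody prunes it as unused.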
Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
---
2+
apiVersion: external-secrets.io/v1beta1
3+
kind: ClusterSecretStore
4+
metadata:
5+
name: rhel-appsre-vault
6+
spec:
7+
provider:
8+
vault:
9+
# This store is only deployed to internal cluster, so we use the internal vault server instead of the external one
10+
server: "https://vault.corp.redhat.com:8200/"
11+
path: apps
12+
version: v2
13+
# Reference to the Red Hat internal CA certificates
14+
caProvider:
15+
type: ConfigMap
16+
name: trusted-ca
17+
namespace: appsre-vault
18+
key: ca-bundle.crt
19+
auth:
20+
appRole:
21+
path: approle
22+
roleId: osci
23+
secretRef:
24+
name: rhel-appsre-vault-approle
25+
key: secret-id
26+
namespace: appsre-vault
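Review bot: this ClusterSecretStore carries no `conditions` block, unlike the existing appsre-stonesoup-vault store, so an ExternalSecret in any namespace on the cluster can reference `rhel-appsre-vault` and read whatever the `osci` AppRole can reach under `path: apps`. Since the commit message says only the RHEL namespaces need this store, adding a `conditions:` / `namespaces:` allow-list naming them (the same pattern as the base store) would limit the blast radius of a compromised or misconfigured namespace. Also worth stating in the comment that the `ca-bundle.crt` key referenced by `caProvider` is populated by the OpenShift trusted-CA injector, not by anything in this repository.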
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
apiVersion: v1
2+
kind: ConfigMap
3+
metadata:
4+
name: trusted-ca
5+
namespace: appsre-vault
6+
annotations:
7+
argocd.argoproj.io/sync-wave: "-1"
8+
labels:
9+
config.openshift.io/inject-trusted-cabundle: "true"
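Review bot: the ConfigMap is committed with no `data:`, and the ClusterSecretStore reads the `ca-bundle.crt` key from it; that key only exists once the OpenShift trusted-CA injector acts on the `config.openshift.io/inject-trusted-cabundle: "true"` label. Add a comment saying so, since on a cluster without that injector the store would fail TLS verification against vault.corp.redhat.com with a missing-key error rather than an obvious configuration error. The `sync-wave: "-1"` matches the ExternalSecret, so both prerequisites land before the store itself, which is the right ordering.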

components/cluster-secret-store/base/appsre-stonesoup-vault-secret-store.yaml

Lines changed: 1 addition & 0 deletions
@@ -27,6 +27,7 @@ spec:
2727
namespace: appsre-vault
2828
conditions:
2929
- namespaces:
30+
- appsre-vault
3031
- dora-metrics
3132
- dynatrace
3233
- application-service
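Review bot: adding appsre-vault to the namespace allow-list means any ExternalSecret created in that namespace can now pull from the appsre-stonesoup-vault store, not only the `rhel-appsre-vault-approle` bootstrap this commit needs. A trailing comment naming that consumer would keep the entry from looking like a leftover later, and it is worth checking who can create objects in appsre-vault since that namespace now bridges both the external store and the internal one.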
