diff --git a/simple-with-vault-secrets/.kluctl.yml b/simple-with-vault-secrets/.kluctl.yml
new file mode 100644
index 0000000..517515a
--- /dev/null
+++ b/simple-with-vault-secrets/.kluctl.yml
@@ -0,0 +1,19 @@
+targets:
+ - name: simple
+ context: kind-kind
+ args:
+ environment: simple
+ sealingConfig:
+ secretSets:
+ - simple
+
+secretsConfig:
+ sealedSecrets:
+ namespace: simple
+ controllerName: sealed-secrets-controller
+ secretSets:
+ - name: simple
+ vars:
+ - vault:
+ address: http://localhost:8200
+ path: secret/data/simple
diff --git a/simple-with-vault-secrets/README.md b/simple-with-vault-secrets/README.md
new file mode 100644
index 0000000..a2fa3b4
--- /dev/null
+++ b/simple-with-vault-secrets/README.md
@@ -0,0 +1,26 @@
+# start local vault
+
+For this example, we start a Vault service locally, which we equip with a secret
+
+```bash
+VAULT_TOKEN=admintoken
+docker run -p 8200:8200 --cap-add=IPC_LOCK -d -e "VAULT_DEV_ROOT_TOKEN_ID=${VAULT_TOKEN}" --name=dev-vault vault
+curl \
+ -H "X-Vault-Token: ${VAULT_TOKEN}" \
+ -H "X-Vault-Request: true" \
+ -H "Content-Type: application/json" \
+ -X POST \
+ -d '{"data":{"secrets": {"database": {"password": "password","username": "admin"}}}}' \
+ http://127.0.0.1:8200/v1/secret/data/simple
+```
+![vault-example.png](vault-example.png)
+```json
+{
+ "secrets": {
+ "database": {
+ "password": "password",
+ "username": "admin"
+ }
+ }
+}
+```
\ No newline at end of file
diff --git a/simple-with-vault-secrets/deployment.yml b/simple-with-vault-secrets/deployment.yml
new file mode 100644
index 0000000..e7a9c29
--- /dev/null
+++ b/simple-with-vault-secrets/deployment.yml
@@ -0,0 +1,12 @@
+sealedSecrets:
+ outputPattern: "{{ target.name }}"
+
+deployments:
+ - include: deployment
+
+commonLabels:
+ examples.kluctl.io/environment: "{{ args.environment }}"
+ examples.kluctl.io/deployment-project: k8s-deployment-simple
+
+args:
+ - name: environment
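Review bot: The Vault source under `secretSets` points at `address: http://localhost:8200`, so the token kluctl presents and the secret data it reads back travel in the clear; that only holds up because the README starts a throwaway dev-mode server on the same host. A comment above the entry should say so, e.g. `# dev-only: plain HTTP is acceptable for the local dev-mode Vault started in README.md; a shared Vault must be reached over https://`. How kluctl obtains the Vault token is not visible in this file; presumably it is read from the environment, and a comment naming the variable the README sets (`VAULT_TOKEN`) would save the reader a search.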
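Review bot: `docker run -p 8200:8200` publishes the dev-mode Vault, whose root token is the fixed `admintoken`, on every interface of the host, so anything on the same network can read or overwrite the example secret. Binding to loopback is a one-token change, `docker run -p 127.0.0.1:8200:8200 --cap-add=IPC_LOCK -d -e "VAULT_DEV_ROOT_TOKEN_ID=${VAULT_TOKEN}" --name=dev-vault vault`; the `curl` already targets 127.0.0.1 and `.kluctl.yml` uses localhost, so nothing else changes. The `vault` image is referenced without a tag, so repeated runs may pull different versions; pinning one keeps the example reproducible. The closing JSON block has no lead-in sentence explaining what it shows (the `.sealme` file's `secrets.database.*` references suggest it is the structure the templates see as `secrets`, but the reader has to infer that), and the file ends without a newline.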
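Review bot: The label `examples.kluctl.io/deployment-project: k8s-deployment-simple` does not match this example's directory `simple-with-vault-secrets`; it looks carried over from another example, so either `examples.kluctl.io/deployment-project: simple-with-vault-secrets` or a comment explaining why the value is shared would avoid confusion when the label is used to tell deployments apart. The `environment` entry under `args:` has no comment; `# selects the namespace and the environment label; set per target in .kluctl.yml` would document what it drives.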
diff --git a/simple-with-vault-secrets/deployment/deployment.yml b/simple-with-vault-secrets/deployment/deployment.yml
new file mode 100644
index 0000000..ce47c85
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/deployment.yml
@@ -0,0 +1,6 @@
+deployments:
+ - path: sealed-secrets-operator
+ - barrier: true
+ - path: mongodb
+
+overrideNamespace: "{{ args.environment }}"
diff --git a/simple-with-vault-secrets/deployment/mongodb/deploy.yml b/simple-with-vault-secrets/deployment/mongodb/deploy.yml
new file mode 100644
index 0000000..f388626
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/mongodb/deploy.yml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mongodb-deployment
+ labels:
+ app: mongodb
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mongodb
+ template:
+ metadata:
+ labels:
+ app: mongodb
+ spec:
+ containers:
+ - name: mongodb
+ image: mongo:5
+ ports:
+ - containerPort: 27017
+ env:
+ - name: MONGO_INITDB_ROOT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: db-secrets
+ key: DB_USERNAME
+ optional: false
+ - name: MONGO_INITDB_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: db-secrets
+ key: DB_PASSWORD
+ optional: false
+
diff --git a/simple-with-vault-secrets/deployment/mongodb/kustomization.yml b/simple-with-vault-secrets/deployment/mongodb/kustomization.yml
new file mode 100644
index 0000000..463cff1
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/mongodb/kustomization.yml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - mongo-secrets.yml
+ - namespace.yml
+ - deploy.yml
diff --git a/simple-with-vault-secrets/deployment/mongodb/mongo-secrets.yml.sealme b/simple-with-vault-secrets/deployment/mongodb/mongo-secrets.yml.sealme
new file mode 100644
index 0000000..540d7a5
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/mongodb/mongo-secrets.yml.sealme
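Review bot: The `mongodb` container runs `image: mongo:5` with no `resources` and no `securityContext`, so it follows whatever that major-version tag currently resolves to, has no CPU or memory bound, and takes the image's default privileges. Pulling the credentials through `secretKeyRef` from `db-secrets` instead of inline literals is the right shape, and `optional: false` makes a missing secret fail the pod early rather than start MongoDB without root credentials. For an example that people copy, pin the image (`image: mongo:<pinned-tag-or-digest>` — placeholder) and add a `resources` block; whether the image tolerates a restrictive container `securityContext` would need checking against its entrypoint before one is added. The spec mounts no volume, so a `# data is ephemeral by design: no PersistentVolume in this example` comment would prevent surprise.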
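Review bot: `resources` lists `mongo-secrets.yml`, but the file this commit adds is `mongo-secrets.yml.sealme`; presumably kluctl's sealing step writes the sealed `mongo-secrets.yml` next to it, but a reader of the kustomization alone cannot tell. If that is the mechanism, a comment on the entry, `# sealed output of mongo-secrets.yml.sealme, produced by kluctl's seal step`, makes the indirection explicit.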
@@ -0,0 +1,8 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: db-secrets
+ namespace: {{ args.environment }}
+stringData:
+ DB_USERNAME: {{ secrets.database.username }}
+ DB_PASSWORD: {{ secrets.database.password }}
diff --git a/simple-with-vault-secrets/deployment/mongodb/namespace.yml b/simple-with-vault-secrets/deployment/mongodb/namespace.yml
new file mode 100644
index 0000000..1b561a9
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/mongodb/namespace.yml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: "{{ args.environment }}"
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/.helmignore b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/.helmignore
new file mode 100644
index 0000000..f0c1319
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/Chart.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/Chart.yaml
new file mode 100644
index 0000000..e666a41
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/Chart.yaml
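Review bot: The three templated values are unquoted, so whatever the Vault lookup returns is parsed as YAML after rendering: a password that is all digits, looks like `yes`/`no`/`null`, or contains `: ` or ` #` would be retyped or break the document, and the same applies to `namespace`. `namespace.yml` in this commit already quotes the identical expression, so making this file consistent is three lines: `namespace: "{{ args.environment }}"`, `DB_USERNAME: "{{ secrets.database.username }}"`, `DB_PASSWORD: "{{ secrets.database.password }}"`. Double quotes still leave a value containing `"` or `\` unescaped; if kluctl's Jinja2 exposes the standard `tojson` filter, `{{ secrets.database.password | tojson }}` yields a correctly quoted scalar for any input, which is worth confirming against kluctl's docs.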
@@ -0,0 +1,19 @@
+annotations:
+ category: DeveloperTools
+apiVersion: v2
+appVersion: v0.17.5
+description: Helm chart for the sealed-secrets controller.
+home: https://github.com/bitnami-labs/sealed-secrets
+icon: https://bitnami.com/assets/stacks/sealed-secrets/img/sealed-secrets-stack-220x234.png
+keywords:
+- secrets
+- sealed-secrets
+kubeVersion: '>=1.16.0-0'
+maintainers:
+- email: containers@bitnami.com
+ name: Bitnami
+- email: mmikulicic@gmail.com
+ name: mkmik
+name: sealed-secrets
+type: application
+version: 2.1.6
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/README.md b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/README.md
new file mode 100644
index 0000000..7443544
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/README.md
@@ -0,0 +1,258 @@ +# Sealed Secrets + +Sealed Secrets are "one-way" encrypted K8s Secrets that can be created by anyone, but can only be decrypted by the controller running in the target cluster recovering the original object. + + + + +- [TL;DR](#tldr) +- [Introduction](#introduction) +- [Prerequisites](#prerequisites) +- [Installing the Chart](#installing-the-chart) +- [Uninstalling the Chart](#uninstalling-the-chart) +- [Parameters](#parameters) + - [Common parameters](#common-parameters) + - [Sealed Secrets Parameters](#sealed-secrets-parameters) + - [Traffic Exposure Parameters](#traffic-exposure-parameters) + - [Other Parameters](#other-parameters) + - [Metrics parameters](#metrics-parameters) +- [Using kubeseal](#using-kubeseal) +- [Configuration and installation details](#configuration-and-installation-details) +- [Troubleshooting](#troubleshooting) +- [Upgrading](#upgrading) + - [To 2.0.0](#to-200) + + + +## TL;DR + +```console +$ helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets +$ helm install my-release sealed-secrets/sealed-secrets +``` + +## Introduction + +Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads. + +This chart bootstraps a [Sealed Secret Controller](https://github.com/bitnami-labs/sealed-secrets) Deployment in [Kubernetes](http://kubernetes.io) using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.16+ +- Helm 3.1.0 + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +helm install my-release sealed-secrets/sealed-secrets +``` + +The command deploys the Sealed Secrets controller on the Kubernetes cluster in the default configuration. 
The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +### Common parameters + +| Name | Description | Value | +| ------------------ | ------------------------------------------------------- | ----- | +| `kubeVersion` | Override Kubernetes version | `""` | +| `nameOverride` | String to partially override sealed-secrets.fullname | `""` | +| `fullnameOverride` | String to fully override sealed-secrets.fullname | `""` | +| `namespace` | Namespace where to deploy the Sealed Secrets controller | `""` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | + + +### Sealed Secrets Parameters + +| Name | Description | Value | +| ------------------------------------------------- | ------------------------------------------------------------------------------------ | ----------------------------------- | +| `image.registry` | Sealed Secrets image registry | `docker.io` | +| `image.repository` | Sealed Secrets image repository | `bitnami/sealed-secrets-controller` | +| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `v0.17.5` | +| `image.pullPolicy` | Sealed Secrets image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Sealed Secrets image pull secrets | `[]` | +| `createController` | Specifies whether the Sealed Secrets controller should be created | `true` | +| `secretName` | The name of an existing TLS secret containing the key used to encrypt secrets | `sealed-secrets-key` | +| `updateStatus` | Specifies whether the Sealed Secrets controller should update the status subresource | `true` | +| `keyrenewperiod` | Specifies key renewal period. 
Default 30 days | `""` | +| `command` | Override default container command | `[]` | +| `args` | Override default container args | `[]` | +| `livenessProbe.enabled` | Enable livenessProbe on Sealed Secret containers | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `0` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe on Sealed Secret containers | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `startupProbe.enabled` | Enable startupProbe on Sealed Secret containers | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `resources.limits` | The resources limits for the Sealed Secret containers | `{}` | +| 
`resources.requests` | The requested resources for the Sealed Secret containers | `{}` | +| `podSecurityContext.enabled` | Enabled Sealed Secret pods' Security Context | `true` | +| `podSecurityContext.fsGroup` | Set Sealed Secret pod's Security Context fsGroup | `65534` | +| `containerSecurityContext.enabled` | Enabled Sealed Secret containers' Security Context | `true` | +| `containerSecurityContext.readOnlyRootFilesystem` | Whether the Sealed Secret container has a read-only root filesystem | `true` | +| `containerSecurityContext.runAsNonRoot` | Indicates that the Sealed Secret container must run as a non-root user | `true` | +| `containerSecurityContext.runAsUser` | Set Sealed Secret containers' Security Context runAsUser | `1001` | +| `podLabels` | Extra labels for Sealed Secret pods | `{}` | +| `podAnnotations` | Annotations for Sealed Secret pods | `{}` | +| `priorityClassName` | Sealed Secret pods' priorityClassName | `""` | +| `affinity` | Affinity for Sealed Secret pods assignment | `{}` | +| `nodeSelector` | Node labels for Sealed Secret pods assignment | `{}` | +| `tolerations` | Tolerations for Sealed Secret pods assignment | `[]` | + + +### Traffic Exposure Parameters + +| Name | Description | Value | +| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `service.type` | Sealed Secret service type | `ClusterIP` | +| `service.port` | Sealed Secret service HTTP port | `8080` | +| `service.nodePort` | Node port for HTTP | `""` | +| `service.annotations` | Additional custom annotations for Sealed Secret service | `{}` | +| `ingress.enabled` | Enable ingress record generation for Sealed Secret | `false` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | +| `ingress.ingressClassName` | IngressClass that 
will be be used to implement the Ingress | `""` | +| `ingress.hostname` | Default host for the ingress record | `sealed-secrets.local` | +| `ingress.path` | Default path for the ingress record | `/v1/cert.pem` | +| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` | +| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | +| `ingress.secrets` | Custom TLS certificates as secrets | `[]` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `false` | + + +### Other Parameters + +| Name | Description | Value | +| ----------------------- | ---------------------------------------------------- | ------- | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `serviceAccount.labels` | Extra labels to be added to the ServiceAccount | `{}` | +| `serviceAccount.name` | The name of the ServiceAccount to use. 
| `""` | +| `rbac.create` | Specifies whether RBAC resources should be created | `true` | +| `rbac.labels` | Extra labels to be added to RBAC resources | `{}` | +| `rbac.pspEnabled` | PodSecurityPolicy | `false` | + + +### Metrics parameters + +| Name | Description | Value | +| ------------------------------------------ | -------------------------------------------------------------------------------------- | ------- | +| `metrics.serviceMonitor.enabled` | Specify if a ServiceMonitor will be deployed for Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace where Prometheus Operator is running in | `""` | +| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` | +| `metrics.serviceMonitor.annotations` | Extra annotations for the ServiceMonitor | `{}` | +| `metrics.serviceMonitor.interval` | How frequently to scrape metrics | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics | `[]` | +| `metrics.serviceMonitor.relabelings` | Specify general relabeling | `[]` | +| `metrics.dashboards.create` | Specifies whether a ConfigMap with a Grafana dashboard configuration should be created | `false` | +| `metrics.dashboards.labels` | Extra labels to be added to the Grafana dashboard ConfigMap | `{}` | +| `metrics.dashboards.namespace` | Namespace where Grafana dashboard ConfigMap is deployed | `""` | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install my-release \ + --set resources.requests.cpu=25m \ + sealed-secrets/sealed-secrets +``` + +The above command sets the `resources.requests.cpu` parameter to `25m`. + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. 
For example, + +```console +helm install my-release -f values.yaml sealed-secrets/sealed-secrets +``` + +## Using kubeseal + +Install the kubeseal CLI by downloading the binary from [sealed-secrets/releases](https://github.com/bitnami-labs/sealed-secrets/releases). + +Fetch the public key by passing the release name and namespace: + +```bash +kubeseal --fetch-cert \ +--controller-name=my-release \ +--controller-namespace=my-release-namespace \ +> pub-cert.pem +``` + +Read about kubeseal usage on [sealed-secrets docs](https://github.com/bitnami-labs/sealed-secrets#usage). + +NOTE: the helm chart by default installs the controller with the name `sealed-secrets`, while the `kubeseal` command line interface (CLI) tries to access the controller with the name `sealed-secrets-controller`. You can explicitly pass `--controller-name` to the CLI: + +```bash +kubeseal --controller-name sealed-secrets +``` + +Alternatively, you can override `fullnameOverride` on the helm chart install. + +## Configuration and installation details + +- In the case that **serviceAccount.create** is `false` and **rbac.create** is `true` it is expected for a ServiceAccount with the name **serviceAccount.name** to exist _in the same namespace as this chart_ before the installation. +- If **serviceAccount.create** is `true` there cannot be an existing service account with the name **serviceAccount.name**. +- If a secret with name **secretName** does not exist _in the same namespace as this chart_, then on install one will be created. If a secret already exists with this name the keys inside will be used. 
+- OpenShift: unset the runAsUser and fsGroup like this when installing in a custom namespace: + +```yaml +podSecurityContext: + fsGroup: + +containerSecurityContext: + runAsUser: +``` + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +### To 2.0.0 + +A major refactoring of the chart has been performed to adopt several common practices for Helm charts. Upgrades from previous chart versions should work, however, the values structure suffered several changes and you'll have to adapt your custom values/parameters so they're aligned with the new structure. For instance, these are a couple of examples: + +- `controller.create` renamed as `createController`. +- `securityContext.*` parameters are deprecated in favor of `podSecurityContext.*`, and `containerSecurityContext.*` ones. +- `image.repository` changed to `image.registry`/`image.repository`. +- `ingress.hosts[0]` changed to `ingress.hostname`. + +Consult the [Parameters](#parameters) section to obtain more info about the available parameters. + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this new major version is no longer compatible with Helm v2. diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/crds/sealedsecret-crd.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/crds/sealedsecret-crd.yaml new file mode 100644 index 0000000..062729e --- /dev/null +++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/crds/sealedsecret-crd.yaml 
@@ -0,0 +1,27 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: sealedsecrets.bitnami.com
+spec:
+ group: bitnami.com
+ names:
+ kind: SealedSecret
+ listKind: SealedSecretList
+ plural: sealedsecrets
+ singular: sealedsecret
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ x-kubernetes-preserve-unknown-fields: true
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/dashboards/sealed-secrets-controller.json b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/dashboards/sealed-secrets-controller.json
new file mode 100644
index 0000000..a01a7e1
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/dashboards/sealed-secrets-controller.json
@@ -0,0 +1,302 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Sealed Secrets Controller", + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": 3, + "iteration": 1585599163503, + "links": [ + { + "icon": "external link", + "tags": [], + "title": "GitHub", + "tooltip": "View Project on GitHub", + "type": "link", + "url": "https://github.com/bitnami-labs/sealed-secrets" + } + ], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "$datasource", + "description": "Rate of requests to unseal a SealedSecret.\n\nThis can include non-obvious operations such as deleting a SealedSecret.", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 0 + }, + "hiddenSeries": false, + "id": 2, + "legend": { + "avg": true, + "current": false, + "max": true, + "min": true, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "dataLinks": [] + }, + "percentage": false, + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(sealed_secrets_controller_unseal_requests_total{}[1m]))", + "format": "time_series", + "instant": false, + "intervalFactor": 1, + "legendFormat": "rps", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Unseal Request Rate/s", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": 
null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "$datasource", + "description": "Rate of errors when unsealing a SealedSecret. \n\nReason for error included as label value, eg:\n- unseal = cryptography issue (key/namespace) or RBAC\n- unmanaged = destination Secret wasn't created by SealedSecrets\n- update = potentially RBAC\n- status = potentially RBAC\n- fetch = potentially RBAC\n", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 0 + }, + "hiddenSeries": false, + "id": 3, + "legend": { + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "options": { + "dataLinks": [] + }, + "percentage": false, + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(sealed_secrets_controller_unseal_errors_total{pod=~\"$pod\"}[1m])) by (reason)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ reason }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Unseal Error Rate/s", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + 
"logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": false, + "schemaVersion": 22, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "text": "prometheus", + "value": "prometheus" + }, + "hide": 0, + "includeAll": false, + "label": null, + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "allValue": null, + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": "$datasource", + "definition": "label_values(kube_pod_info, pod)", + "hide": 0, + "includeAll": true, + "label": null, + "multi": false, + "name": "pod", + "options": [], + "query": "label_values(kube_pod_info, pod)", + "refresh": 1, + "regex": "/^sealed-secrets-controller.*$/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Sealed Secrets Controller", + "uid": "UuEtZCVWz", + "version": 2 +} diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/NOTES.txt b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/NOTES.txt new file mode 100644 index 0000000..269265f --- /dev/null +++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/NOTES.txt 
@@ -0,0 +1,46 @@
+{{ if .Values.createController -}}
+
+** Please be patient while the chart is being deployed **
+
+You should now be able to create sealed secrets.
+
+1. Install the client-side tool (kubeseal) as explained in the docs below:
+
+ https://github.com/bitnami-labs/sealed-secrets#installation-from-source
+
+2. Create a sealed secret file running the command below:
+
+ kubectl create secret generic secret-name --dry-run=client --from-literal=foo=bar -o [json|yaml] | \
+ kubeseal \
+ --controller-name={{ include "sealed-secrets.fullname" . }} \
+ --controller-namespace={{ include "sealed-secrets.namespace" . }} \
+ --format yaml > mysealedsecret.[json|yaml]
+
+The file mysealedsecret.[json|yaml] is a commitable file.
+
+If you would rather not need access to the cluster to generate the sealed secret you can run:
+
+ kubeseal \
+ --controller-name={{ include "sealed-secrets.fullname" . }} \
+ --controller-namespace={{ include "sealed-secrets.namespace" . }} \
+ --fetch-cert > mycert.pem
+
+to retrieve the public cert used for encryption and store it locally. You can then run 'kubeseal --cert mycert.pem' instead to use the local cert e.g.
+
+ kubectl create secret generic secret-name --dry-run=client --from-literal=foo=bar -o [json|yaml] | \
+ kubeseal \
+ --controller-name={{ include "sealed-secrets.fullname" . }} \
+ --controller-namespace={{ include "sealed-secrets.namespace" . }} \
+ --format [json|yaml] --cert mycert.pem > mysealedsecret.[json|yaml]
+
+3. Apply the sealed secret
+
+ kubectl create -f mysealedsecret.[json|yaml]
+
+Running 'kubectl get secret secret-name -o [json|yaml]' will show the decrypted secret that was generated from the sealed secret.
+
+Both the SealedSecret and generated Secret must have the same name and namespace.
+{{- else }}
+Sealed Secrets controller not installed, You need to install controller before
+sealed secrets can be created.
+{{- end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/_helpers.tpl b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/_helpers.tpl new file mode 100644 index 0000000..3835d8b --- /dev/null +++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/_helpers.tpl 
@@ -0,0 +1,202 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sealed-secrets.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "sealed-secrets.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Expand to the namespace sealed-secrets installs into.
+*/}}
+{{- define "sealed-secrets.namespace" -}}
+{{- default .Release.Namespace .Values.namespace -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "sealed-secrets.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "sealed-secrets.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "sealed-secrets.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Kubernetes standard labels
+*/}}
+{{- define "sealed-secrets.labels" -}}
+app.kubernetes.io/name: {{ include "sealed-secrets.name" . }}
+helm.sh/chart: {{ include "sealed-secrets.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+{{- end -}}
+
+{{/*
+Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
+*/}}
+{{- define "sealed-secrets.matchLabels" -}}
+app.kubernetes.io/name: {{ include "sealed-secrets.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Return true if cert-manager required annotations for TLS signed certificates are set in the Ingress annotations
+Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+*/}}
+{{- define "sealed-secrets.ingress.certManagerRequest" -}}
+{{ if or (hasKey . "cert-manager.io/cluster-issuer") (hasKey . "cert-manager.io/issuer") }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "sealed-secrets.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "sealed-secrets.render" -}}
+ {{- if typeIs "string" .value }}
+ {{- tpl .value .context }}
+ {{- else }}
+ {{- tpl (.value | toYaml) .context }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return the target Kubernetes version
+*/}}
+{{- define "sealed-secrets.kubeVersion" -}}
+{{- if .Values.global }}
+ {{- if .Values.global.kubeVersion }}
+ {{- .Values.global.kubeVersion -}}
+ {{- else }}
+ {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+ {{- end -}}
+{{- else }}
+{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for deployment.
+*/}}
+{{- define "sealed-secrets.deployment.apiVersion" -}}
+{{- if semverCompare "<1.14-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "apps/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress.
+*/}}
+{{- define "sealed-secrets.ingress.apiVersion" -}}
+{{- if .Values.ingress -}}
+{{- if .Values.ingress.apiVersion -}}
+{{- .Values.ingress.apiVersion -}}
+{{- else if semverCompare "<1.14-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end }}
+{{- else if semverCompare "<1.14-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for networkpolicy.
+*/}}
+{{- define "sealed-secrets.networkPolicy.apiVersion" -}}
+{{- if semverCompare "<1.7-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+Usage:
+{{ include "sealed-secrets.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}
+
+Params:
+ - serviceName - String. Name of an existing service backend
+ - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer.
+ - context - Dict - Required. The context for the template evaluation.
+*/}}
+{{- define "sealed-secrets.backend" -}}
+{{- $apiVersion := (include "sealed-secrets.ingress.apiVersion" .context) -}}
+{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
+serviceName: {{ .serviceName }}
+servicePort: {{ .servicePort }}
+{{- else -}}
+service:
+ name: {{ .serviceName }}
+ port:
+ {{- if typeIs "string" .servicePort }}
+ name: {{ .servicePort }}
+ {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }}
+ number: {{ .servicePort | int }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Print "true" if the API pathType field is supported
+Usage:
+{{ include "sealed-secrets.supportsPathType" . }}
+*/}}
+{{- define "sealed-secrets.supportsPathType" -}}
+{{- if (semverCompare "<1.18-0" (include "sealed-secrets.kubeVersion" .)) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if the ingressClassname field is supported
+Usage:
+{{ include "sealed-secrets.supportsIngressClassname" . }}
+*/}}
+{{- define "sealed-secrets.supportsIngressClassname" -}}
+{{- if semverCompare "<1.18-0" (include "sealed-secrets.kubeVersion" .) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/cluster-role-binding.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/cluster-role-binding.yaml
new file mode 100644
index 0000000..1fd193e
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/cluster-role-binding.yaml
@@ -0,0 +1,19 @@
+{{ if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "sealed-secrets.fullname" . }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.rbac.labels }}
+ {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: secrets-unsealer
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "sealed-secrets.serviceAccountName" . }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+{{ end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/cluster-role.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/cluster-role.yaml
new file mode 100644
index 0000000..5fc3875
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/cluster-role.yaml
@@ -0,0 +1,42 @@
+{{ if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: secrets-unsealer
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.rbac.labels }}
+ {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - bitnami.com
+ resources:
+ - sealedsecrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - bitnami.com
+ resources:
+ - sealedsecrets/status
+ verbs:
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+{{ end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/configmap-dashboards.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/configmap-dashboards.yaml
new file mode 100644
index 0000000..7d0572c
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/configmap-dashboards.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.metrics.dashboards.create }}
+{{- $namespace := .Values.metrics.dashboards.namespace | default $.Release.Namespace }}
+{{- range $path, $_ := .Files.Glob "dashboards/*.json" }}
+{{- $filename := trimSuffix (ext $path) (base $path) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-%s" (include "sealed-secrets.fullname" $) $filename }}
+ namespace: {{ $namespace }}
+ labels: {{- include "sealed-secrets.labels" $ | nindent 4 }}
+ {{- if $.Values.metrics.dashboards.labels }}
+ {{- include "sealed-secrets.render" ( dict "value" $.Values.metrics.dashboards.labels "context" $) | nindent 4 }}
+ {{- end }}
+data:
+ {{ base $path }}: |-
+{{ $.Files.Get $path | indent 4 }}
+---
+{{- end }}
+{{- end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/deployment.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/deployment.yaml
new file mode 100644
index 0000000..47f3804
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/deployment.yaml
@@ -0,0 +1,105 @@
+{{- if .Values.createController }}
+apiVersion: {{ include "sealed-secrets.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: {{ include "sealed-secrets.fullname" . }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels: {{- include "sealed-secrets.matchLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- if .Values.podAnnotations }}
+ annotations: {{- toYaml .Values.podAnnotations | nindent 8 }}
+ {{- end }}
+ labels: {{- include "sealed-secrets.matchLabels" . | nindent 8 }}
+ {{- if .Values.podLabels }}
+ {{- toYaml .Values.podLabels | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.image.pullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.affinity }}
+ affinity: {{- toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.tolerations }}
+ tolerations: {{- toYaml .Values.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName | quote }}
+ {{- end }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "sealed-secrets.serviceAccountName" . }}
+ containers:
+ - name: controller
+ command:
+ {{- if .Values.command }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.command "context" $) | nindent 12 }}
+ {{- else }}
+ - controller
+ {{- end }}
+ args:
+ {{- if .Values.args }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.args "context" $) | nindent 12 }}
+ {{- else }}
+ {{- if .Values.updateStatus }}
+ - --update-status
+ {{- end }}
+ {{- if .Values.keyrenewperiod }}
+ - --key-renew-period
+ - {{ .Values.keyrenewperiod | quote }}
+ {{- end }}
+ - --key-prefix
+ - {{ .Values.secretName | quote }}
+ {{- end }}
+ image: {{ printf "%s/%s:%s" .Values.image.registry .Values.image.repository .Values.image.tag }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - containerPort: 8080
+ name: http
+ {{- if .Values.startupProbe.enabled }}
+ startupProbe: {{- include "sealed-secrets.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }}
+ tcpSocket:
+ port: http
+ {{- else if .Values.customStartupProbe }}
+ startupProbe: {{- include "sealed-secrets.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.livenessProbe.enabled }}
+ livenessProbe: {{- include "sealed-secrets.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /healthz
+ port: http
+ {{- else if .Values.customLivenessProbe }}
+ livenessProbe: {{- include "sealed-secrets.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.readinessProbe.enabled }}
+ readinessProbe: {{- include "sealed-secrets.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }}
+ httpGet:
+ path: /healthz
+ port: http
+ {{- else if .Values.customReadinessProbe }}
+ readinessProbe: {{- include "sealed-secrets.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
+ volumes:
+ - name: tmp
+ emptyDir: {}
+{{- end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/extra-list.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/extra-list.yaml
new file mode 100644
index 0000000..dee3ab6
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/extra-list.yaml
@@ -0,0 +1,4 @@
+{{- range .Values.extraDeploy }}
+---
+{{ include "sealed-secrets.render" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/ingress.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/ingress.yaml
new file mode 100644
index 0000000..966a37e
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/ingress.yaml
@@ -0,0 +1,53 @@
+{{- if and .Values.createController .Values.ingress.enabled }}
+apiVersion: {{ include "sealed-secrets.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+ name: {{ include "sealed-secrets.fullname" . }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.ingress.annotations }}
+ annotations:
+ {{- if .Values.ingress.annotations }}
+ {{- include "sealed-secrets.render" ( dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ {{- if and .Values.ingress.ingressClassName (eq "true" (include "sealed-secrets.supportsIngressClassname" .)) }}
+ ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+ {{- end }}
+ rules:
+ {{- if .Values.ingress.hostname }}
+ - host: {{ .Values.ingress.hostname }}
+ http:
+ paths:
+ {{- if .Values.ingress.extraPaths }}
+ {{- toYaml .Values.ingress.extraPaths | nindent 10 }}
+ {{- end }}
+ - path: {{ .Values.ingress.path }}
+ {{- if eq "true" (include "sealed-secrets.supportsPathType" .) }}
+ pathType: {{ .Values.ingress.pathType }}
+ {{- end }}
+ backend: {{- include "sealed-secrets.backend" (dict "serviceName" (include "sealed-secrets.fullname" .) "servicePort" "http" "context" $) | nindent 14 }}
+ {{- end }}
+ {{- range .Values.ingress.extraHosts }}
+ - host: {{ .name | quote }}
+ http:
+ paths:
+ - path: {{ default "/" .path }}
+ {{- if eq "true" (include "sealed-secrets.supportsPathType" $) }}
+ pathType: {{ default "ImplementationSpecific" .pathType }}
+ {{- end }}
+ backend: {{- include "sealed-secrets.backend" (dict "serviceName" (include "sealed-secrets.fullname" $) "servicePort" "http" "context" $) | nindent 14 }}
+ {{- end }}
+ {{- if or (and .Values.ingress.tls (or (include "sealed-secrets.ingress.certManagerRequest" .Values.ingress.annotations) .Values.ingress.selfSigned)) .Values.ingress.extraTls }}
+ tls:
+ {{- if and .Values.ingress.tls (or (include "sealed-secrets.ingress.certManagerRequest" .Values.ingress.annotations) .Values.ingress.selfSigned) }}
+ - hosts:
+ - {{ .Values.ingress.hostname | quote }}
+ secretName: {{ printf "%s-tls" .Values.ingress.hostname }}
+ {{- end }}
+ {{- if .Values.ingress.extraTls }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/networkpolicy.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/networkpolicy.yaml
new file mode 100644
index 0000000..4c31c1e
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/networkpolicy.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: {{ include "sealed-secrets.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+ name: {{ include "sealed-secrets.fullname" . }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels: {{- include "sealed-secrets.matchLabels" . | nindent 6 }}
+ ingress:
+ - ports:
+ - port: 8080
+{{- end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/psp-clusterrole.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/psp-clusterrole.yaml
new file mode 100644
index 0000000..65b5555
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/psp-clusterrole.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.pspEnabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ printf "%s-psp" (include "sealed-secrets.fullname" .) }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.rbac.labels }}
+ {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups: ['extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ include "sealed-secrets.fullname" . }}
+{{- end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/psp-clusterrolebinding.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/psp-clusterrolebinding.yaml
new file mode 100644
index 0000000..4cd5188
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/psp-clusterrolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ printf "%s-psp" (include "sealed-secrets.fullname" .) }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.rbac.labels }}
+ {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
+ {{- end }}
+rules:
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ printf "%s-psp" (include "sealed-secrets.fullname" .) }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "sealed-secrets.serviceAccountName" . }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+{{- end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/psp.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/psp.yaml
new file mode 100644
index 0000000..d9cda30
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/psp.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "sealed-secrets.fullname" . }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ allowedCapabilities: []
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+{{- end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/role-binding.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/role-binding.yaml
new file mode 100644
index 0000000..e73d30e
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/role-binding.yaml
@@ -0,0 +1,38 @@
+{{ if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ printf "%s-key-admin" (include "sealed-secrets.fullname" .) }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.rbac.labels }}
+ {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ printf "%s-key-admin" (include "sealed-secrets.fullname" .) }}
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "sealed-secrets.serviceAccountName" . }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ printf "%s-service-proxier" (include "sealed-secrets.fullname" .) }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.rbac.labels }}
+ {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ printf "%s-service-proxier" (include "sealed-secrets.fullname" .) }}
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:authenticated
+{{ end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/role.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/role.yaml
new file mode 100644
index 0000000..73fd8a7
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/role.yaml
@@ -0,0 +1,55 @@
+{{ if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ printf "%s-key-admin" (include "sealed-secrets.fullname" .) }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.rbac.labels }}
+ {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - ""
+ resourceNames:
+ - {{ .Values.secretName }}
+ resources:
+ - secrets
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ printf "%s-service-proxier" (include "sealed-secrets.fullname" .) }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.rbac.labels }}
+ {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resourceNames:
+ - 'http:{{ include "sealed-secrets.fullname" . }}:'
+ - 'http:{{ include "sealed-secrets.fullname" . }}:http'
+ - {{ include "sealed-secrets.fullname" . }}
+ resources:
+ - services/proxy
+ verbs:
+ - create
+ - get
+{{ end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/service-account.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/service-account.yaml
new file mode 100644
index 0000000..ba09fb4
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/service-account.yaml
@@ -0,0 +1,11 @@
+{{ if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "sealed-secrets.serviceAccountName" . }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.serviceAccount.labels }}
+ {{- include "sealed-secrets.render" ( dict "value" .Values.serviceAccount.labels "context" $) | nindent 4 }}
+ {{- end }}
+{{ end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/service.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/service.yaml
new file mode 100644
index 0000000..e388cf1
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/service.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.createController -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "sealed-secrets.fullname" . }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.service.labels }}
+ {{- include "sealed-secrets.render" ( dict "value" .Values.service.labels "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: http
+ port: {{ .Values.service.port }}
+ targetPort: http
+ {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePort)) }}
+ nodePort: {{ .Values.service.nodePort }}
+ {{- else if eq .Values.service.type "ClusterIP" }}
+ nodePort: null
+ {{- end }}
+ selector: {{- include "sealed-secrets.matchLabels" . | nindent 4 }}
+{{- end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/servicemonitor.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/servicemonitor.yaml
new file mode 100644
index 0000000..25410dd
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/servicemonitor.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "sealed-secrets.fullname" . }}
+ {{- if .Values.metrics.serviceMonitor.namespace }}
+ namespace: {{ .Values.metrics.serviceMonitor.namespace }}
+ {{- else }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+ {{- end }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.metrics.serviceMonitor.labels }}
+ {{- include "sealed-secrets.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.annotations }}
+ annotations: {{- include "sealed-secrets.render" (dict "value" .Values.metrics.serviceMonitor.annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ endpoints:
+ - honorLabels: true
+ port: http
+ {{- if .Values.metrics.serviceMonitor.interval }}
+ interval: {{ .Values.metrics.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
+ metricRelabelings: {{ toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 8 }}
+ {{- end }}
+ {{- if .Values.metrics.serviceMonitor.relabelings }}
+ relabelings: {{ toYaml .Values.metrics.serviceMonitor.relabelings | nindent 8 }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ include "sealed-secrets.namespace" . }}
+ selector:
+ matchLabels: {{- include "sealed-secrets.matchLabels" . | nindent 6 }}
+{{- end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/tls-secret.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/tls-secret.yaml
new file mode 100644
index 0000000..79bc5bd
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/templates/tls-secret.yaml
@@ -0,0 +1,32 @@
+{{- if and .Values.createController .Values.ingress.enabled }}
+{{- if .Values.ingress.secrets }}
+{{- range .Values.ingress.secrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .name }}
+ namespace: {{ include "sealed-secrets.namespace" $ | quote }}
+ labels: {{- include "sealed-secrets.labels" $ | nindent 4 }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ .certificate | b64enc }}
+ tls.key: {{ .key | b64enc }}
+---
+{{- end }}
+{{- end }}
+{{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
+{{- $ca := genCA "sealed-secrets-ca" 365 }}
+{{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-tls" .Values.ingress.hostname }}
+ namespace: {{ include "sealed-secrets.namespace" . }}
+ labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ $cert.Cert | b64enc | quote }}
+ tls.key: {{ $cert.Key | b64enc | quote }}
+ ca.crt: {{ $ca.Cert | b64enc | quote }}
+{{- end }}
+{{- end }}
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/values.yaml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/values.yaml
new file mode 100644
index 0000000..624c52d
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/charts/sealed-secrets/values.yaml
@@ -0,0 +1,362 @@ +## @section Common parameters + +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" +## @param nameOverride String to partially override sealed-secrets.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override sealed-secrets.fullname +## +fullnameOverride: "" +## @param namespace Namespace where to deploy the Sealed Secrets controller +## +namespace: "" +## @param extraDeploy [array] Array of extra objects to deploy with the release +## +extraDeploy: [] + +## @section Sealed Secrets Parameters + +## Sealed Secrets image +## ref: https://hub.docker.com/r/bitnami/sealed-secrets-controller/tags +## @param image.registry Sealed Secrets image registry +## @param image.repository Sealed Secrets image repository +## @param image.tag Sealed Secrets image tag (immutable tags are recommended) +## @param image.pullPolicy Sealed Secrets image pull policy +## @param image.pullSecrets [array] Sealed Secrets image pull secrets +## +image: + registry: docker.io + repository: bitnami/sealed-secrets-controller + tag: v0.17.5 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] +## @param createController Specifies whether the Sealed Secrets controller should be created +## +createController: true +## @param secretName The name of an existing TLS secret containing the key used to encrypt secrets +## +secretName: "sealed-secrets-key" +## @param updateStatus Specifies whether the Sealed Secrets controller should update the status subresource +## +updateStatus: true +## @param keyrenewperiod Specifies key renewal period. Default 30 days +## e.g +## keyrenewperiod: "720h30m" +## +keyrenewperiod: "" +## @param command Override default container command +## +command: [] +## @param args Override default container args +## +args: [] +## Configure extra options for Sealed Secret containers' liveness, readiness and startup probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes +## @param livenessProbe.enabled Enable livenessProbe on Sealed Secret containers +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 +## @param readinessProbe.enabled Enable readinessProbe on Sealed Secret containers +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe 
+## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 +## @param startupProbe.enabled Enable startupProbe on Sealed Secret containers +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 +## @param customLivenessProbe Custom livenessProbe that overrides the default one +## +customLivenessProbe: {} +## @param customReadinessProbe Custom readinessProbe that overrides the default one +## +customReadinessProbe: {} +## @param customStartupProbe Custom startupProbe that overrides the default one +## +customStartupProbe: {} +## Sealed Secret resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## @param resources.limits [object] The resources limits for the Sealed Secret containers +## @param resources.requests [object] The requested resources for the Sealed Secret containers +## +resources: + limits: {} + requests: {} +## Configure Pods Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled Sealed Secret pods' Security Context +## @param podSecurityContext.fsGroup Set Sealed Secret pod's Security Context fsGroup +## +podSecurityContext: + enabled: true + fsGroup: 65534 +## Configure Container 
Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param containerSecurityContext.enabled Enabled Sealed Secret containers' Security Context +## @param containerSecurityContext.readOnlyRootFilesystem Whether the Sealed Secret container has a read-only root filesystem +## @param containerSecurityContext.runAsNonRoot Indicates that the Sealed Secret container must run as a non-root user +## @param containerSecurityContext.runAsUser Set Sealed Secret containers' Security Context runAsUser +## +containerSecurityContext: + enabled: true + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1001 +## @param podLabels [object] Extra labels for Sealed Secret pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAnnotations [object] Annotations for Sealed Secret pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param priorityClassName Sealed Secret pods' priorityClassName +## +priorityClassName: "" +## @param affinity [object] Affinity for Sealed Secret pods assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} +## @param nodeSelector [object] Node labels for Sealed Secret pods assignment +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## @param tolerations [array] Tolerations for Sealed Secret pods assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + +## @section Traffic Exposure Parameters + +## Sealed Secret service parameters +## +service: + ## @param service.type Sealed Secret service type + ## + type: ClusterIP + ## @param service.port Sealed Secret service HTTP port + ## + port: 8080 + ## @param service.nodePort Node port for HTTP + ## Specify the nodePort 
value for the LoadBalancer and NodePort service types + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## + nodePort: "" + ## @param service.annotations [object] Additional custom annotations for Sealed Secret service + ## + annotations: {} +## Sealed Secret ingress parameters +## ref: http://kubernetes.io/docs/user-guide/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress record generation for Sealed Secret + ## + enabled: false + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster. + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param ingress.hostname Default host for the ingress record + ## + hostname: sealed-secrets.local + ## @param ingress.path Default path for the ingress record + ## + path: /v1/cert.pem + ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: + ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}` + ## You can: + ## - Use the `ingress.secrets` parameter to create this TLS secret + ## - Relay on cert-manager to create it by setting the corresponding annotations + ## - Relay on Helm to create self-signed certificates by setting `ingress.selfSigned=true` + ## + tls: false + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.extraHosts [array] An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: sealed-secrets.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths [array] An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls [array] TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - sealed-secrets.local + ## secretName: sealed-secrets.local-tls + ## + extraTls: [] + ## @param ingress.secrets [array] Custom TLS certificates as secrets + ## NOTE: 'key' and 'certificate' are expected in PEM format + ## NOTE: 'name' should line up with a 'secretName' set further up + ## If it is not set and 
you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## secrets: + ## - name: sealed-secrets.local-tls + ## key: |- + ## -----BEGIN RSA PRIVATE KEY----- + ## ... + ## -----END RSA PRIVATE KEY----- + ## certificate: |- + ## -----BEGIN CERTIFICATE----- + ## ... + ## -----END CERTIFICATE----- + ## + secrets: [] +## Network policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: false + +## @section Other Parameters + +## ServiceAccount configuration +## +serviceAccount: + ## @param serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param serviceAccount.labels Extra labels to be added to the ServiceAccount + ## + labels: {} + ## @param serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the sealed-secrets.fullname template + ## + name: "" +## RBAC configuration +## +rbac: + ## @param rbac.create Specifies whether RBAC resources should be created + ## + create: true + ## @param rbac.labels Extra labels to be added to RBAC resources + ## + labels: {} + ## @param rbac.pspEnabled PodSecurityPolicy + ## + pspEnabled: false + +## @section Metrics parameters + +metrics: + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Specify if a ServiceMonitor will be deployed for Prometheus Operator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace where Prometheus Operator is running in + ## + namespace: "" + ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor + ## + labels: {} + ## @param metrics.serviceMonitor.annotations Extra annotations for the ServiceMonitor + ## + annotations: {} + ## @param metrics.serviceMonitor.interval How frequently to scrape metrics + ## e.g: + ## interval: 10s + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 10s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.metricRelabelings [array] Specify additional relabeling of metrics + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.relabelings [array] Specify general relabeling + ## + relabelings: [] + ## Grafana dashboards configuration + ## + dashboards: + ## @param metrics.dashboards.create Specifies whether a ConfigMap with a Grafana dashboard configuration should be created + ## ref https://github.com/helm/charts/tree/master/stable/grafana#configuration + ## + create: false + ## @param metrics.dashboards.labels Extra labels to be added to the Grafana dashboard ConfigMap + ## + labels: {} + ## @param metrics.dashboards.namespace Namespace where Grafana dashboard ConfigMap is deployed + ## + 
namespace: ""
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/helm-chart.yml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/helm-chart.yml
new file mode 100644
index 0000000..9b92aed
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/helm-chart.yml
@@ -0,0 +1,6 @@
+helmChart:
+ repo: https://bitnami-labs.github.io/sealed-secrets
+ chartName: sealed-secrets
+ chartVersion: 2.1.6
+ releaseName: sealed-secrets-controller
+ output: deploy.yml
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/helm-values.yml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/helm-values.yml
new file mode 100644
index 0000000..8dfeb32
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/helm-values.yml
@@ -0,0 +1,22 @@
+podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ fsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
+
+containerSecurityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+
+resources:
+ limits:
+ cpu: 1
+ memory: 256Mi
+ requests:
+ cpu: 1
+ memory: 256Mi
diff --git a/simple-with-vault-secrets/deployment/sealed-secrets-operator/kustomization.yml b/simple-with-vault-secrets/deployment/sealed-secrets-operator/kustomization.yml
new file mode 100644
index 0000000..b24bc32
--- /dev/null
+++ b/simple-with-vault-secrets/deployment/sealed-secrets-operator/kustomization.yml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - deploy.yml
diff --git a/simple-with-vault-secrets/vault-example.png b/simple-with-vault-secrets/vault-example.png
new file mode 100644
index 0000000..873b9be
Binary files /dev/null and b/simple-with-vault-secrets/vault-example.png differ
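Review bot: The capability drop in helm-values.yml is spelled `- all`, but the Pod Security "restricted" profile's drop-all check compares against the literal `ALL`, so a cluster enforcing that profile would reject this pod even though every other restricted requirement (runAsNonRoot, allowPrivilegeEscalation: false, RuntimeDefault seccomp) is already set here; change it to `- ALL` (the container runtime may accept the lowercase form, but admission and most linters will not). Separately, `podSecurityContext.runAsUser: 65534` is shadowed: the vendored chart's values.yaml in this same commit sets `containerSecurityContext.runAsUser: 1001`, which Helm keeps unless overridden and which takes precedence over the pod-level value, so the controller presumably runs as 1001 while fsGroup is 65534. Either set `runAsUser: 65534` under containerSecurityContext as well or drop the pod-level value so the effective UID is not misleading.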