
Commit 245816b

authored
Merge pull request #7964 from mkumatag/secret-rotator
Add secret rotator
2 parents 91767af + 52d24e4 commit 245816b


1 file changed

+54
-0
lines changed


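--- a/kubernetes/ibm-ppc64le/helm/external-secrets.yaml
+++ b/kubernetes/ibm-ppc64le/helm/external-secrets.yaml
@@ -52,6 +52,60 @@ extraObjects:
 }
 }
 }
+- apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: secret-rotator-api-key
+spec:
+refreshInterval: 60m
+secretStoreRef:
+name: secretstore-ibm-k8s
+kind: ClusterSecretStore
+target:
+name: secret-rotator-api-key
+creationPolicy: Owner
+data:
+- secretKey: api-key
+remoteRef:
+key: iam_credentials/2067d245-e61c-11b2-2c5a-b2be281ea4b8
+- apiVersion: batch/v1
+kind: CronJob
+metadata:
+name: ibmcloud-secret-rotator
+labels:
+app: ibmcloud-secret-rotator
+spec:
+schedule: "0 */2 * * *"
+jobTemplate:
+spec:
+template:
+spec:
+containers:
+- name: rotator-container
+image: public.ecr.aws/docker/library/golang:1.24
+imagePullPolicy: Always
+command:
+- /bin/bash
+args:
+- -c
+- |
+set -o errexit
+set -o nounset
+set -o pipefail
+
+go install sigs.k8s.io/provider-ibmcloud-test-infra/secret-manager@71ef4d8
+secret-manager rotate --instance-id 3297fd32-6322-45e2-af3f-00b1a5af3565 --labels rotate:true --confirm
+env:
+- name: IBMCLOUD_ENV_FILE
+value: "/home/.ibmcloud/api-key"
+volumeMounts:
+- name: credentials
+mountPath: /home/.ibmcloud
+restartPolicy: OnFailure
+volumes:
+- name: credentials
+secret:
+secretName: secret-rotator-api-key
 
 extraVolumes:
 - name: google-iam-token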
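Review bot: The `rotator-container` in the new CronJob mounts the IAM API key from `secret-rotator-api-key`, yet it runs the mutable tag `golang:1.24` with `imagePullPolicy: Always` and downloads and compiles `secret-manager` on every run. The `@71ef4d8` suffix pins the tool's source, but the toolchain image is not pinned, so whatever that tag resolves to at pull time executes next to a credential that can rotate secrets. Pinning by digest, `image: public.ecr.aws/docker/library/golang:1.24@sha256:<digest>`, or shipping a prebuilt rotator image would close that gap. The pod spec also sets no `securityContext` and keeps the service-account token mounted; `automountServiceAccountToken: false` looks safe if the job only calls IBM Cloud, which the visible lines suggest but do not prove. With no `concurrencyPolicy` the CronJob defaults to allowing overlapping runs, so `concurrencyPolicy: Forbid` would keep a retrying job from overlapping the next two-hourly rotation.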
