Merge pull request #7964 from mkumatag/secret-rotator

Add secret rotator

Author: k8s-ci-robot

kubernetes/ibm-ppc64le/helm/external-secrets.yaml

@@ -52,6 +52,60 @@ extraObjects:
             }
           }
         }
+  - apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+      name: secret-rotator-api-key
+    spec:
+      refreshInterval: 60m
+      secretStoreRef:
+        name: secretstore-ibm-k8s
+        kind: ClusterSecretStore
+      target:
+        name: secret-rotator-api-key
+        creationPolicy: Owner
+      data:
+        - secretKey: api-key
+          remoteRef:
+            key: iam_credentials/2067d245-e61c-11b2-2c5a-b2be281ea4b8
+  - apiVersion: batch/v1
+    kind: CronJob
+    metadata:
+      name: ibmcloud-secret-rotator
+      labels:
+        app: ibmcloud-secret-rotator
+    spec:
+      schedule: "0 */2 * * *"
+      jobTemplate:
+        spec:
+          template:
+            spec:
+              containers:
+              - name: rotator-container
+                image: public.ecr.aws/docker/library/golang:1.24
+                imagePullPolicy: Always
+                command:
+                - /bin/bash
+                args:
+                - -c
+                - |
+                  set -o errexit
+                  set -o nounset
+                  set -o pipefail
+
+                  go install sigs.k8s.io/provider-ibmcloud-test-infra/secret-manager@71ef4d8
+                  secret-manager rotate --instance-id 3297fd32-6322-45e2-af3f-00b1a5af3565 --labels rotate:true --confirm
+                env:
+                - name: IBMCLOUD_ENV_FILE
+                  value: "/home/.ibmcloud/api-key"
+                volumeMounts:
+                - name: credentials
+                  mountPath: /home/.ibmcloud
+              restartPolicy: OnFailure
+              volumes:
+              - name: credentials
+                secret:
+                  secretName: secret-rotator-api-key
 
 extraVolumes:
   - name: google-iam-token