Skip to content

feat: platform secrets as sealed secrets #2978

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ferruhcihan wants to merge 118 commits into
base: main
Choose a base branch
from
Open

feat: platform secrets as sealed secrets #2978

Show file tree
Hide file tree
Changes from 103 commits
Commits
Show all changes
118 commits
Select commit Hold shift + click to select a range
44191da
feat: get changes from the PoC (platform secrets as sealed secrest) b…
ferruhcihan Feb 18, 2026
8775f5a
feat: create core secrets in apl-secrets namespace
ferruhcihan Feb 18, 2026
45a1861
fix: add default value for the existingSecret
ferruhcihan Feb 18, 2026
cd503a9
fix: namespace changes
ferruhcihan Feb 18, 2026
edc8ffd
test: sealed secrets with eso
ferruhcihan Feb 18, 2026
0a4cc5a
fix: merge conflicts/changes
ferruhcihan Feb 19, 2026
c5b029f
fix: merge conflicts/changes
ferruhcihan Feb 19, 2026
4fd4dfe
fix: merge conflicts/changes
ferruhcihan Feb 19, 2026
0d8ca84
feat: waiting for sealed secrets
ferruhcihan Feb 19, 2026
431bc0f
feat: move function to k8s.ts
ferruhcihan Feb 19, 2026
8ac4c96
feat: use kubernetes package instead of kubectl
ferruhcihan Feb 20, 2026
1eaf457
Merge branch 'main' into APL-523
ferruhcihan Feb 20, 2026
16f6b27
fix: sealed secret tests
ferruhcihan Feb 20, 2026
9f62106
feat: remove init and prepare endpoints
ferruhcihan Feb 20, 2026
ea466f9
fix: harbor secrets
ferruhcihan Feb 20, 2026
db046ba
feat: update tools image and remove /apl/schema endpoint
ferruhcihan Feb 20, 2026
d48c3bb
fix: versions
ferruhcihan Feb 20, 2026
952a2d1
Merge branch 'main' into APL-523
ferruhcihan Feb 20, 2026
286faf3
test: tools image
ferruhcihan Feb 21, 2026
41a30f9
test: tools image
ferruhcihan Feb 21, 2026
1644634
feat: remove kms from bootstrap files
ferruhcihan Feb 21, 2026
f3755a6
test: tools image
ferruhcihan Feb 21, 2026
18d84ac
feat: remove kms and sops related code
ferruhcihan Feb 21, 2026
8cd84f7
test: tools image
ferruhcihan Feb 21, 2026
13f73c4
feat: update user management
ferruhcihan Feb 22, 2026
5dcded5
feat: update user management
ferruhcihan Feb 22, 2026
85d4a32
fix: create initial platform admin user
ferruhcihan Feb 22, 2026
4951838
fix: create initial platform admin user
ferruhcihan Feb 22, 2026
dfe9f7f
Merge branch 'main' into APL-523
ferruhcihan Feb 24, 2026
27bf17d
Merge branch 'main' into APL-523
svcAPLBot Feb 24, 2026
78a8c9a
Merge branch 'main' into APL-523
svcAPLBot Feb 24, 2026
b5ec54c
Merge branch 'main' into APL-523
svcAPLBot Feb 24, 2026
1e1c892
Merge branch 'main' into APL-523
svcAPLBot Feb 25, 2026
1fa5be8
revert: sops changes for the migration
ferruhcihan Feb 25, 2026
5ae5903
Merge branch 'main' into APL-523
svcAPLBot Feb 25, 2026
2723ef2
Merge branch 'main' into APL-523
svcAPLBot Feb 25, 2026
259adc7
Merge branch 'main' into APL-523
svcAPLBot Feb 25, 2026
df9af60
Merge branch 'main' into APL-523
svcAPLBot Feb 25, 2026
b576980
Merge branch 'main' into APL-523
svcAPLBot Feb 25, 2026
96a4cc1
Merge branch 'main' into APL-523
svcAPLBot Feb 25, 2026
bbdeaff
test: platform secrets migration
ferruhcihan Feb 25, 2026
81fee23
Merge branch 'main' into APL-523
svcAPLBot Feb 25, 2026
44781ee
fix: platform secrets migration
ferruhcihan Feb 25, 2026
d9a168a
fix: platform secrets migration
ferruhcihan Feb 25, 2026
c28e7d8
fix: platform secrets migration
ferruhcihan Feb 25, 2026
7b4574c
fix: platform secrets migration
ferruhcihan Feb 25, 2026
23b900f
test: versions
ferruhcihan Feb 25, 2026
1199673
fix: sealed secrets opaque type
ferruhcihan Feb 25, 2026
2c6bc1f
fix: sealed secrets opaque type test
ferruhcihan Feb 26, 2026
ecd8f7c
Merge branch 'main' into APL-523
svcAPLBot Feb 27, 2026
52c57b7
Merge branch 'main' into APL-523
svcAPLBot Feb 27, 2026
324b056
Merge branch 'main' into APL-523
svcAPLBot Feb 27, 2026
fbbfbc2
Merge branch 'main' into APL-523
svcAPLBot Feb 27, 2026
b988473
Merge branch 'main' into APL-523
ferruhcihan Feb 27, 2026
a0ed525
fix: installer tests
ferruhcihan Feb 27, 2026
aa3e3a1
feat: sealed secrets disaster recovery
ferruhcihan Feb 27, 2026
c75e87e
Merge branch 'main' into APL-523
svcAPLBot Mar 2, 2026
86f1dc2
Merge branch 'main' into APL-523
svcAPLBot Mar 2, 2026
beffad6
feat: improve users during bootstrap
ferruhcihan Mar 2, 2026
c16577e
fix: update sealed secret manifests path
ferruhcihan Mar 2, 2026
0f4d223
feat: update tests/fixtures for local dev env users
ferruhcihan Mar 2, 2026
6aa05e6
fix: update tests/fixtures for local dev env users
ferruhcihan Mar 2, 2026
09c9d0c
Merge branch 'main' into APL-523
svcAPLBot Mar 3, 2026
d3b24b9
Merge branch 'main' into APL-523
svcAPLBot Mar 3, 2026
1f5e7e0
fix: ci error
ferruhcihan Mar 3, 2026
f949522
Merge branch 'main' into APL-523
svcAPLBot Mar 4, 2026
ff2f81d
Merge branch 'main' into APL-523
svcAPLBot Mar 4, 2026
3219b39
Merge branch 'main' into APL-523
svcAPLBot Mar 4, 2026
504b0ee
Merge branch 'main' into APL-523
svcAPLBot Mar 4, 2026
9492266
Merge remote-tracking branch 'origin/main' into APL-523
ferruhcihan Mar 4, 2026
e5d7fed
feat: enhance sealed secrets management and update dependencies
ferruhcihan Mar 4, 2026
be165b2
feat: update sealed secrets handling to return applied secrets list
ferruhcihan Mar 4, 2026
526ee12
fix: secret data keys
ferruhcihan Mar 4, 2026
22143df
fix: values-schema x-secret fields
ferruhcihan Mar 5, 2026
b10418a
fix: restart sealed secrets controller
ferruhcihan Mar 5, 2026
20eb516
fix: remove x-secret field from customRootCA
ferruhcihan Mar 5, 2026
f2a8669
Merge branch 'main' into APL-523
svcAPLBot Mar 5, 2026
7f0a422
fix: create team settings secrets
ferruhcihan Mar 5, 2026
a0ac3f4
Merge branch 'main' into APL-523
svcAPLBot Mar 9, 2026
f333c23
fix: harbor push issues
ferruhcihan Mar 9, 2026
f49a5db
feat: use commands with cwd instead of cd
ferruhcihan Mar 9, 2026
db4524b
fix: use commands with cwd instead of cd
ferruhcihan Mar 9, 2026
e6f34cc
Merge branch 'main' into APL-523
ferruhcihan Mar 10, 2026
ba99c0d
Merge branch 'main' into APL-523
svcAPLBot Mar 10, 2026
d75feb0
Merge branch 'main' into APL-523
svcAPLBot Mar 10, 2026
bf1f4e1
Merge branch 'main' into APL-523
svcAPLBot Mar 10, 2026
c3069e8
Merge branch 'main' into APL-523
svcAPLBot Mar 10, 2026
567cc7f
Merge branch 'main' into APL-523
svcAPLBot Mar 10, 2026
01d1db2
Merge branch 'main' into APL-523
svcAPLBot Mar 10, 2026
e4f1fa9
Merge branch 'main' into APL-523
svcAPLBot Mar 10, 2026
7764233
Merge branch 'main' into APL-523
svcAPLBot Mar 10, 2026
b78add8
Merge branch 'main' into APL-523
svcAPLBot Mar 11, 2026
383c802
Merge branch 'main' into APL-523
svcAPLBot Mar 11, 2026
6c9f846
Merge branch 'main' into APL-523
svcAPLBot Mar 11, 2026
1f1d40f
Merge branch 'main' into APL-523
svcAPLBot Mar 11, 2026
0313ce2
Merge branch 'main' into APL-523
svcAPLBot Mar 11, 2026
8060c60
Merge branch 'main' into APL-523
svcAPLBot Mar 11, 2026
e963a94
Merge branch 'main' into APL-523
svcAPLBot Mar 12, 2026
76e1b74
Merge branch 'main' into APL-523
svcAPLBot Mar 12, 2026
e0ea02a
Merge branch 'main' into APL-523
ferruhcihan Mar 12, 2026
dd8419e
fix: update sealed secrets handling and improve deployment configurat…
ferruhcihan Mar 13, 2026
ace06e2
fix: update sealed secrets handling and rename secrets
ferruhcihan Mar 13, 2026
5ed6563
Merge branch 'main' into APL-523
svcAPLBot Mar 13, 2026
c7dc6e3
feat: remove deprecated secret files from tests/fixtures and replace …
ferruhcihan Mar 13, 2026
fe96078
Merge branch 'main' into APL-523
svcAPLBot Mar 13, 2026
55f60ac
Merge branch 'main' into APL-523
svcAPLBot Mar 13, 2026
346dad6
Merge branch 'main' into APL-523
svcAPLBot Mar 13, 2026
c0fea6e
fix: improve password retrieval logic in getRepo function
ferruhcihan Mar 16, 2026
3e4b181
Merge branch 'main' into APL-523
svcAPLBot Mar 16, 2026
9c2fd72
Merge branch 'main' into APL-523
svcAPLBot Mar 16, 2026
4c8ed82
fix: add new namespaces in core.yaml
ferruhcihan Mar 16, 2026
998b88b
Merge branch 'main' into APL-523
ferruhcihan Apr 1, 2026
1940575
fix: conditional rewrite rules for ingress
ferruhcihan Apr 1, 2026
48a2960
Merge branch 'main' into APL-523
svcAPLBot Apr 1, 2026
d6a9dd7
Merge branch 'main' into APL-523
svcAPLBot Apr 1, 2026
89e303c
Merge branch 'main' into APL-523
svcAPLBot Apr 1, 2026
8d0a018
fix: harbor registry username
ferruhcihan Apr 1, 2026
25bde58
Merge branch 'main' into APL-523
svcAPLBot Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .cspell.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,7 @@
"backoff",
"basepath",
"binzx",
"bitnami",
"blackbox",
"bootstrapper",
"calico",
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/integration.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ on:
options:
- age
- no_kms
default: age
default: no_kms
certificate:
type: choice
description: Select certificate issuer
Expand Down
4 changes: 0 additions & 4 deletions chart/apl/templates/deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,13 +77,9 @@ spec:
value: {{ .Values.operator.pollIntervalMs | default "30000" | quote }}
- name: RECONCILE_INTERVAL_MS
value: {{ .Values.operator.reconcileIntervalMs | default "300000" | quote }}
{{- if hasKey $kms "sops" }}
envFrom:
- secretRef:
name: apl-sops-secrets
- secretRef:
name: apl-git-credentials
{{- end }}
volumeMounts:
- name: otomi-values
mountPath: /home/app/stack/env
Expand Down
35 changes: 0 additions & 35 deletions chart/apl/templates/sops-secrets.yaml
View file
Open in desktop

This file was deleted.

3 changes: 3 additions & 0 deletions chart/chart-index/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,9 @@ dependencies:
- name: external-dns
version: 1.20.0
repository: https://kubernetes-sigs.github.io/external-dns
- name: external-secrets
version: 0.14.3
repository: https://charts.external-secrets.io
- name: gitea
version: 12.5.0
repository: https://dl.gitea.io/charts
Expand Down
1 change: 1 addition & 0 deletions charts/apl-operator/templates/deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ spec:
envFrom:
- secretRef:
name: apl-sops-secrets
optional: true
- secretRef:
name: apl-git-credentials
livenessProbe:
Expand Down
16 changes: 16 additions & 0 deletions charts/external-secrets/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: v2
appVersion: 0.14.3
description: External Secrets Operator for Kubernetes
home: https://external-secrets.io
keywords:
- secrets
- external-secrets
kubeVersion: '>=1.19.0-0'
maintainers:
- name: External Secrets Community
url: https://github.com/external-secrets/external-secrets
name: external-secrets
sources:
- https://github.com/external-secrets/external-secrets
type: application
version: 0.14.3
51 changes: 51 additions & 0 deletions charts/external-secrets/crds/clusterexternalsecrets.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterexternalsecrets.external-secrets.io
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
spec:
group: external-secrets.io
names:
categories:
- externalsecrets
kind: ClusterExternalSecret
listKind: ClusterExternalSecretList
plural: clusterexternalsecrets
shortNames:
- ces
singular: clusterexternalsecret
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.externalSecretSpec.secretStoreRef.name
name: Store
type: string
- jsonPath: .spec.refreshTime
name: Refresh Interval
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ClusterExternalSecret creates ExternalSecrets across namespaces
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
48 changes: 48 additions & 0 deletions charts/external-secrets/crds/clustersecretstores.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clustersecretstores.external-secrets.io
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
spec:
group: external-secrets.io
names:
categories:
- externalsecrets
kind: ClusterSecretStore
listKind: ClusterSecretStoreList
plural: clustersecretstores
shortNames:
- css
singular: clustersecretstore
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ClusterSecretStore represents a cluster-wide secret store
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
51 changes: 51 additions & 0 deletions charts/external-secrets/crds/externalsecrets.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: externalsecrets.external-secrets.io
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
spec:
group: external-secrets.io
names:
categories:
- externalsecrets
kind: ExternalSecret
listKind: ExternalSecretList
plural: externalsecrets
shortNames:
- es
singular: externalsecret
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.secretStoreRef.name
name: Store
type: string
- jsonPath: .spec.refreshInterval
name: Refresh Interval
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ExternalSecret reads secret data from external secret stores
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
39 changes: 39 additions & 0 deletions charts/external-secrets/crds/generatorstates.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: generatorstates.generators.external-secrets.io
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
spec:
group: generators.external-secrets.io
names:
categories:
- externalsecrets
kind: GeneratorState
listKind: GeneratorStateList
plural: generatorstates
singular: generatorstate
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: GeneratorState tracks the state of generators
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
43 changes: 43 additions & 0 deletions charts/external-secrets/crds/pushsecrets.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: pushsecrets.external-secrets.io
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
spec:
group: external-secrets.io
names:
categories:
- externalsecrets
kind: PushSecret
listKind: PushSecretList
plural: pushsecrets
singular: pushsecret
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: PushSecret pushes secrets to external secret stores
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
48 changes: 48 additions & 0 deletions charts/external-secrets/crds/secretstores.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: secretstores.external-secrets.io
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
spec:
group: external-secrets.io
names:
categories:
- externalsecrets
kind: SecretStore
listKind: SecretStoreList
plural: secretstores
shortNames:
- ss
singular: secretstore
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: SecretStore represents a source of secrets
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
Loading
Loading