updating argocd example with sealed secrets

Author: mccullya

incubator/argo-cd/README.md

@@ -1 +1,27 @@
 kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
+
+
+## Create a secret which will store our ldap user credentials
+kubectl create secret generic sealed-credential --dry-run=client --from-file=ldap.txt=./ldap.txt --from-file=bearer.txt=./bearer.txt --from-file=plain-jaas.conf=./plain-jaas.conf -o yaml > sealed-credential-source.yaml
+
+## Creat Sealed Secret (this must be created after sealed-secrets has been deployed)
+kubeseal --scope cluster-wide <sealed-credential-source.yaml> ./sealed-credential.yaml --controller-name=sealed-secrets --controller-namespace default
+
+kubeseal --scope cluster-wide <sealed-credential-source.yaml> ../environments/base/secrets/sealed-credential.yaml --controller-name=sealed-secrets --controller-namespace default
+
+kubectl apply -f sealed-credential.yaml 
+```
+sealedsecret.bitnami.com/sealed-credential created
+```
+
+
+
+## Sealed Secrets
+Install a local kubeseal CLI
+
+helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
+helm search repo confluent --versions
+helm template sealed-secrets/sealed-secrets --version 2.1.4 --include-crds --output-dir . 
+
+
+

incubator/argo-cd/argo-apps/confluent-dev.yaml

@@ -1,20 +1,21 @@
 ---
-apiVersion: argoproj.io/v1alpha1
-kind: Application
+kind: "Application"
+apiVersion: "argoproj.io/v1alpha1"
 metadata:
-  name: confluent-dev
-  namespace: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
+  creationTimestamp: "2022-02-28T09:23:24Z"
+  name: "confluent-dev"
+  namespace: "argocd"
+  resourceVersion: "131538"
+  uid: "df0737c5-50c9-4539-b5aa-1e42c5016017"
 spec:
-  project: default
-  source:
-    path: incubator/argo-cd/environments/dev
-    repoURL: https://github.com/osodevops/confluent-kubernetes-playground.git
-    targetRevision: HEAD
   destination:
-    namespace: dev
-    server: https://kubernetes.default.svc
+    namespace: "dev"
+    server: "https://kubernetes.default.svc"
+  project: "default"
+  source:
+    path: "incubator/argo-cd/environments/dev"
+    repoURL: "https://github.com/osodevops/confluent-kubernetes-playground.git"
+    targetRevision: "HEAD"
   syncPolicy:
     automated:
       prune: true

incubator/argo-cd/argo-apps/confluent-prod.yaml

@@ -1,20 +1,21 @@
 ---
-apiVersion: argoproj.io/v1alpha1
-kind: Application
+kind: "Application"
+apiVersion: "argoproj.io/v1alpha1"
 metadata:
-  name: confluent-prod
-  namespace: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
+  creationTimestamp: "2022-02-28T09:23:24Z"
+  name: "confluent-prod"
+  namespace: "argocd"
+  resourceVersion: "79200"
+  uid: "8a98c871-dde8-4b5a-85eb-5b9d7c8f85f7"
 spec:
-  project: default
-  source:
-    path: incubator/argo-cd/environments/prod
-    repoURL: https://github.com/osodevops/confluent-kubernetes-playground.git
-    targetRevision: HEAD
   destination:
-    namespace: prod
-    server: https://kubernetes.default.svc
+    namespace: "prod"
+    server: "https://kubernetes.default.svc"
+  project: "default"
+  source:
+    path: "incubator/argo-cd/environments/prod"
+    repoURL: "https://github.com/osodevops/confluent-kubernetes-playground.git"
+    targetRevision: "HEAD"
   syncPolicy:
     automated:
       prune: true

incubator/argo-cd/argo-apps/confluent-test.yaml

@@ -1,20 +1,22 @@
 ---
-apiVersion: argoproj.io/v1alpha1
-kind: Application
+kind: "Application"
+apiVersion: "argoproj.io/v1alpha1"
 metadata:
-  name: confluent-test
-  namespace: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
+  creationTimestamp: "2022-02-28T09:23:24Z"
+  generation: 1020
+  name: "confluent-test"
+  namespace: "argocd"
+  resourceVersion: "131537"
+  uid: "1c2d5e0e-4817-4f3b-aed0-dd804e101f84"
 spec:
-  project: default
-  source:
-    path: incubator/argo-cd/environments/test
-    repoURL: https://github.com/osodevops/confluent-kubernetes-playground.git
-    targetRevision: HEAD
   destination:
-    namespace: test
-    server: https://kubernetes.default.svc
+    namespace: "test"
+    server: "https://kubernetes.default.svc"
+  project: "default"
+  source:
+    path: "incubator/argo-cd/environments/test"
+    repoURL: "https://github.com/osodevops/confluent-kubernetes-playground.git"
+    targetRevision: "HEAD"
   syncPolicy:
     automated:
       prune: true

incubator/argo-cd/argo-apps/kustomization.yaml

@@ -2,9 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: argocd
 resources:
-- confluent-dev.yaml
-- confluent-prod.yaml
-- confluent-test.yaml
+#- confluent-dev.yaml
+#- confluent-prod.yaml
+#- confluent-test.yaml
 - ldap.yaml
 - operator.yaml
 - operator-repo.yaml
+- sealed-secrets.yaml

incubator/argo-cd/argo-apps/operator.yaml

@@ -2,12 +2,11 @@
 kind: "Application"
 apiVersion: "argoproj.io/v1alpha1"
 metadata:
-  creationTimestamp: "2022-02-25T13:02:35Z"
-  generation: 11
+  creationTimestamp: "2022-02-28T09:23:24Z"
   name: "cfk-operator"
   namespace: "argocd"
-  resourceVersion: "941"
-  uid: "88bd170e-eb1f-42da-a834-aca2ec622105"
+  resourceVersion: "79201"
+  uid: "82e1ff7e-fcf8-4b91-93fa-229435618f19"
 spec:
   destination:
     namespace: "argocd"
@@ -22,7 +21,7 @@ spec:
       valueFiles:
       - "values.yaml"
     repoURL: "https://packages.confluent.io/helm"
-    targetRevision: "0.304.17"
+    targetRevision: "0.304.2"
   syncPolicy:
     automated:
       prune: true

incubator/argo-cd/argo-apps/sealed-secrets.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sealed-secrets
+  namespace: argocd
+spec:
+  project: default
+  source:
+    chart: sealed-secrets
+    repoURL: https://bitnami-labs.github.io/sealed-secrets
+    targetRevision: 2.1.4
+    helm:
+      releaseName: sealed-secrets
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

incubator/argo-cd/argo-cd/kustomization.yaml

@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: argocd
 resources:
-- namespace.yaml
 - argocd.yaml
 
 

incubator/argo-cd/argo-cd/namespace.yaml

@@ -0,0 +1,34 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: Connect
+metadata:
+  name: connect
+spec:
+  replicas: 0
+  image:
+    application: confluentinc/cp-server-connect:7.0.1
+    init: confluentinc/confluent-init-container:2.2.0
+  tls:
+    autoGeneratedCerts: true
+  configOverrides:
+    server:
+      - offset.storage.replication.factor=1
+      - status.storage.replication.factor=1
+      - config.storage.replication.factor=1
+      - confluent.topic.replication.factor=1
+  authorization:
+    type: rbac
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka:9071
+      authentication:
+        type: mtls
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka:8090
+      tokenKeyPair:
+        secretRef: mds-public
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: sealed-credential