
Commit c3acfc7

Migrate sops secrets to Vault hosted external secrets
1 parent d5ddaba commit c3acfc7


67 files changed

+408
-1177
lines changed


apps/bookstack/components/oidc/kustomization.yaml

Lines changed: 0 additions & 10 deletions
@@ -12,13 +12,3 @@ configMapGenerator:
1212
- "OIDC_DUMP_USER_DETAILS=false"
1313
- "OIDC_USER_TO_GROUPS=true"
1414
- "OIDC_GROUPS_CLAIM=resource_access.bookstack.roles"
15-
patches:
16-
- target:
17-
kind: "Deployment"
18-
name: "bookstack"
19-
patch: |
20-
- op: "add"
21-
path: "/spec/template/spec/containers/0/envFrom/-"
22-
value:
23-
secretRef:
24-
name: "bookstack-oidc"

apps/bookstack/components/oidc/upsert-secret-bookstack-oidc.sh

Lines changed: 0 additions & 23 deletions
This file was deleted.

apps/grafana/components/database-mariadb/kustomization.yaml

Lines changed: 0 additions & 10 deletions
@@ -9,13 +9,3 @@ configMapGenerator:
99
- "GF_DATABASE_TYPE=mysql"
1010
- "GF_DATABASE_SSL_MODE=true"
1111
- "GF_DATABASE_CA_CERT_PATH=/etc/ssl/certs/ca-certificates.crt"
12-
patches:
13-
- target:
14-
kind: "Deployment"
15-
name: "grafana"
16-
patch: |-
17-
- op: "add"
18-
path: "/spec/template/spec/containers/0/envFrom/-"
19-
value:
20-
secretRef:
21-
name: "grafana-database-mariadb"
File renamed without changes.
File renamed without changes.
File renamed without changes.
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
---
2+
apiVersion: "external-secrets.io/v1beta1"
3+
kind: "ExternalSecret"
4+
metadata:
5+
name: "bookstack"
6+
spec:
7+
refreshInterval: "1h"
8+
secretStoreRef:
9+
name: "vault"
10+
kind: "ClusterSecretStore"
11+
target:
12+
name: "bookstack"
13+
creationPolicy: "Owner"
14+
data:
15+
- secretKey: "APP_KEY"
16+
remoteRef:
17+
key: "secret/soeren.cloud/env/prod/bookstack"
18+
property: "APP_KEY"
19+
- secretKey: "DB_PASSWORD"
20+
remoteRef:
21+
key: "secret/soeren.cloud/env/prod/bookstack"
22+
property: "DB_PASSWORD"
23+
- secretKey: "DB_USERNAME"
24+
remoteRef:
25+
key: "secret/soeren.cloud/env/prod/bookstack"
26+
property: "DB_USERNAME"
27+
- secretKey: "OIDC_CLIENT_ID"
28+
remoteRef:
29+
key: "secret/soeren.cloud/env/prod/bookstack"
30+
property: "OIDC_CLIENT_ID"
31+
- secretKey: "OIDC_CLIENT_SECRET"
32+
remoteRef:
33+
key: "secret/soeren.cloud/env/prod/bookstack"
34+
property: "OIDC_CLIENT_SECRET"
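Review bot: The `OIDC_CLIENT_ID` and `OIDC_CLIENT_SECRET` entries in this ExternalSecret now land in the `bookstack` Secret, while the same commit removes the envFrom patch in apps/bookstack/components/oidc/kustomization.yaml that exposed the former `bookstack-oidc` Secret to the Deployment; the Deployment therefore has to consume the `bookstack` Secret (envFrom or env valueFrom) for those two values to reach the container, which is not shown in this diff and is worth confirming before the sops files are dropped. All five `remoteRef` entries point at the same Vault path, so a single `dataFrom: - extract: key: "secret/soeren.cloud/env/prod/bookstack"` would keep the list from drifting, at the cost of projecting every property under that path — the explicit list is the better choice only if the path also holds keys the workload should not receive. Because the store is a `ClusterSecretStore`, any namespace permitted to create ExternalSecrets can request this path unless the store's `conditions` restrict namespaces or the Vault role/policy is scoped to the bookstack namespace's identity; confirming that scope is the main access-control check this migration introduces. `refreshInterval: "1h"` means a value rotated in Vault can take up to an hour to reach the cluster Secret; a short comment above the field, e.g. `# 1h lag after rotation is accepted; lower if the OIDC client secret is rotated on a tighter schedule`, would record that trade-off.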

clusters/svc.dd.soeren.cloud/bookstack/kustomization.yaml

Lines changed: 1 addition & 2 deletions
@@ -5,8 +5,7 @@ namespace: bookstack
55
resources:
66
- ../../../apps/bookstack
77
- namespace.yaml
8-
- sops-secret-bookstack.yaml
9-
- sops-secret-bookstack-oidc.yaml
8+
- external-secret-bookstack.yaml
109
components:
1110
- ../../../apps/bookstack/components/istio
1211
- ../../../apps/bookstack/components/oidc

clusters/svc.dd.soeren.cloud/bookstack/sops-secret-bookstack-oidc.yaml

Lines changed: 0 additions & 53 deletions
This file was deleted.

clusters/svc.dd.soeren.cloud/bookstack/sops-secret-bookstack.yaml

Lines changed: 0 additions & 54 deletions
This file was deleted.
