Merged
Changes from 14 commits
52 commits
12e370a
feat: first draft of ESO DA
vbontempi May 10, 2025
5609c9e
fix: removed temp file
vbontempi May 10, 2025
d6707fb
fix: removed temp content
vbontempi May 10, 2025
30f8706
Merge branch 'main' of https://github.com/terraform-ibm-modules/terra…
vbontempi May 12, 2025
91ba45e
Merge branch 'main' of https://github.com/terraform-ibm-modules/terra…
vbontempi May 13, 2025
fcd1f15
fix: fixed linter issues
vbontempi May 13, 2025
e37ec0b
feat: added doc as example to create secrets
vbontempi May 13, 2025
1feed92
feat: added catalog onboarding elements
vbontempi May 13, 2025
4885ec5
fix: fixed output
vbontempi May 13, 2025
4062b18
fix: cleaned up code
vbontempi May 13, 2025
ae6009b
feat: fixed catalog.json
vbontempi May 15, 2025
d13a1e8
fix: SKIP UPGRADE TEST fixed catalog.json
vbontempi May 19, 2025
9b5edf6
fix: SKIP UPGRADE TEST fixed catalog.json
vbontempi May 19, 2025
65d1cde
fix: fixed catalog.json
vbontempi May 19, 2025
d82b412
Update common-dev-assets
vbontempi May 23, 2025
dd40adc
fix: adding common-dev-assets to resolve conflict
vbontempi May 23, 2025
1fcfb2e
fix: removed description from architecture catalog json
vbontempi May 23, 2025
6b5ed84
Merge branch 'main' of https://github.com/terraform-ibm-modules/terra…
vbontempi May 26, 2025
7022a48
fix: reviewed catalog json
vbontempi May 26, 2025
239d503
feat: added links to doc
vbontempi May 26, 2025
59a61d8
feat: added links to doc
vbontempi May 26, 2025
a89be5f
feat: adjusted doc format
vbontempi May 26, 2025
28f52c7
feat: adjusted doc format and fixed main readme
vbontempi May 26, 2025
a99b689
feat: adjusted doc format
vbontempi May 26, 2025
faa6ce5
feat: adjusted doc and fixed diagram
vbontempi May 26, 2025
b51ecc9
Merge branch 'main' into da_task_11723
vbontempi May 26, 2025
b0cab5b
Merge branch 'main' into da_task_11723
vbontempi Jun 3, 2025
52ef45a
Merge branch 'main' into da_task_11723
vbontempi Jun 4, 2025
9829869
chore: updated catalog json
vbontempi Jun 6, 2025
5b27e5e
Merge branch 'main' into da_task_11723
vbontempi Jun 12, 2025
94204e9
fix: fixed typos
vbontempi Jun 12, 2025
fabb55c
Merge branch 'da_task_11723' of https://github.com/terraform-ibm-modu…
vbontempi Jun 12, 2025
45c69ca
fix: fixed link to doc
vbontempi Jun 12, 2025
613cbf4
fix: addressed review comments
vbontempi Jun 12, 2025
c10379c
fix: addressed PR comments
vbontempi Jun 13, 2025
547ebc4
fix: addressed PR comments
vbontempi Jun 16, 2025
e7c2a92
fix: fixed PR comments
vbontempi Jun 16, 2025
14275d9
fix: added check
vbontempi Jun 16, 2025
ff9b4fd
fix: switched RH version for workers
vbontempi Jun 17, 2025
63cf787
fix: reviewed PR for design standards
vbontempi Jun 18, 2025
0376441
Merge branch 'main' into da_task_11723
vbontempi Jun 20, 2025
612c7c0
Merge branch 'main' into da_task_11723
vbontempi Jun 23, 2025
9beb1d8
fix: removed test comment
vbontempi Jun 24, 2025
c0e8859
Merge branch 'main' into da_task_11723
ocofaigh Jun 27, 2025
29bd5fa
Update .releaserc
ocofaigh Jun 28, 2025
4a813da
Merge branch 'main' into da_task_11723
ocofaigh Jun 28, 2025
dbd5161
Merge branch 'main' into da_task_11723
vbontempi Jun 30, 2025
e9072e2
fix: addressed PR comments
vbontempi Jun 30, 2025
1974860
docs: moved secrets example in a dedicated md
vbontempi Jun 30, 2025
65ec6bb
fix: fixed branch in link
vbontempi Jun 30, 2025
6b92094
fix: fixed catalog validation
vbontempi Jun 30, 2025
a1e47da
fix: fixed catalog pre validation
vbontempi Jun 30, 2025
13 changes: 13 additions & 0 deletions .catalog-onboard-pipeline.yaml
@@ -0,0 +1,13 @@
---
apiVersion: v1
offerings:
- name: deploy-arch-ibm-eso
kind: solution
catalog_id: 7df1e4ca-d54c-4fd0-82ce-3d13247308cd
offering_id: 70e68cb4-7026-4329-9faa-8a1e56444aba
variations:
- name: standard
mark_ready: true
install_type: fullstack
pre_validation: "tests/scripts/pre-validation-eso.sh"
post_validation: "tests/scripts/post-validation-eso.sh"
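Review bot: the variation declared at `- name: standard` does not match the only flavor defined in ibm_catalog.json in this PR, which is `"name": "fully-configurable"`. If the onboarding pipeline resolves variations by flavor name, this entry will not find a flavor to validate and publish; rename it to `fully-configurable` or confirm how the two names are mapped. The `pre_validation` and `post_validation` paths point at scripts under tests/scripts/ that are not visible in this view, so check that both files are part of the change and are executable.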
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -522,9 +522,9 @@ module "es_kubernetes_secret" {
| <a name="input_eso_enroll_in_servicemesh"></a> [eso\_enroll\_in\_servicemesh](#input\_eso\_enroll\_in\_servicemesh) | Flag to enroll ESO into istio servicemesh | `bool` | `false` | no |
| <a name="input_eso_image"></a> [eso\_image](#input\_eso\_image) | The External Secrets Operator image in the format of `[registry-url]/[namespace]/[image]`. | `string` | `"ghcr.io/external-secrets/external-secrets"` | no |
| <a name="input_eso_image_version"></a> [eso\_image\_version](#input\_eso\_image\_version) | The version or digest for the external secrets image to deploy. If changing the value, ensure it is compatible with the chart version set in eso\_chart\_version. | `string` | `"v0.17.0-ubi@sha256:5c9f7750fb922fb09cfc3b430d5916923b85f17ba5099b244173344ab3046b53"` | no |
| <a name="input_eso_namespace"></a> [eso\_namespace](#input\_eso\_namespace) | Namespace to create and be used to install ESO components including helm releases. If eso\_store\_scope == cluster, this will also be used to deploy ClusterSecretStore/cluster\_store in it | `string` | `null` | no |
| <a name="input_eso_namespace"></a> [eso\_namespace](#input\_eso\_namespace) | Namespace to create and be used to install ESO components including helm releases. | `string` | `null` | no |
| <a name="input_eso_pod_configuration"></a> [eso\_pod\_configuration](#input\_eso\_pod\_configuration) | Configuration to use to customise ESO deployment on specific pods. Setting appropriate values will result in customising ESO helm release. Default value is {} to keep ESO standard deployment. Ignore the key if not required. | <pre>object({<br/> annotations = optional(object({<br/> # The annotations for external secret controller pods.<br/> external_secrets = optional(map(string), {})<br/> # The annotations for external secret cert controller pods.<br/> external_secrets_cert_controller = optional(map(string), {})<br/> # The annotations for external secret controller pods.<br/> external_secrets_webhook = optional(map(string), {})<br/> }), {})<br/><br/> labels = optional(object({<br/> # The labels for external secret controller pods.<br/> external_secrets = optional(map(string), {})<br/> # The labels for external secret cert controller pods.<br/> external_secrets_cert_controller = optional(map(string), {})<br/> # The labels for external secret controller pods.<br/> external_secrets_webhook = optional(map(string), {})<br/> }), {})<br/> })</pre> | `{}` | no |
| <a name="input_existing_eso_namespace"></a> [existing\_eso\_namespace](#input\_existing\_eso\_namespace) | Existing Namespace to be used to install ESO components including helm releases. If eso\_store\_scope == cluster, this will also be used to deploy ClusterSecretStore/cluster\_store in it | `string` | `null` | no |
| <a name="input_existing_eso_namespace"></a> [existing\_eso\_namespace](#input\_existing\_eso\_namespace) | Existing Namespace to be used to install ESO components including helm releases. | `string` | `null` | no |
| <a name="input_reloader_chart_location"></a> [reloader\_chart\_location](#input\_reloader\_chart\_location) | The location of the Reloader Helm chart. | `string` | `"https://stakater.github.io/stakater-charts"` | no |
| <a name="input_reloader_chart_version"></a> [reloader\_chart\_version](#input\_reloader\_chart\_version) | The version of the Reloader Helm chart. Ensure that the chart version is compatible with the image version specified in reloader\_image\_version. | `string` | `"2.1.3"` | no |
| <a name="input_reloader_custom_values"></a> [reloader\_custom\_values](#input\_reloader\_custom\_values) | String containing custom values to be used for reloader helm chart. See https://github.com/stakater/Reloader/blob/master/deployments/kubernetes/chart/reloader/values.yaml | `string` | `null` | no |
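Review bot: in the rewritten `eso_namespace` and `existing_eso_namespace` rows, both inputs default to `null` and neither description says how they relate, so a reader cannot tell which one wins when both are set or what happens when neither is. State the precedence or mutual exclusivity in the two descriptions. The sentence about ClusterSecretStore placement when eso\_store\_scope == cluster was dropped from both rows; confirm that behaviour is either gone or documented on another input. In the unchanged `eso_pod_configuration` row, the comments on `external_secrets_webhook` still read "external secret controller pods" under both annotations and labels, which looks like a copy-paste slip worth fixing in the variable definition.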
4 changes: 4 additions & 0 deletions deploy-arch-ibm-eso.svg
199 changes: 199 additions & 0 deletions ibm_catalog.json
@@ -0,0 +1,199 @@

{
"products": [
{
"name": "deploy-arch-ibm-eso",
"label": "Cloud automation for External Secrets Operator",
"product_kind": "solution",
"tags": [
"ibm_created",
"target_terraform",
"terraform",
"solution",
"security"
],
"keywords": [
"Secrets",
"Secrets Manager",
"IaC",
"infrastructure as code",
"terraform",
"solution"
],
"short_description": "Deploys the External Secrets Operator (ESO) on an IBM Cloud Kubernetes Service (IKS) OpenShift cluster.",
"long_description": "This architecture allows to deploy the External Secrets Operator (ESO) and the related configuration on an IBM Cloud OpenShift Cluster to manage the secrets deployed on the cluster through IBM Cloud Secrets Manager.",
"offering_docs_url": "https://github.com/terraform-ibm-modules/terraform-ibm-external-secrets-operator/blob/main/solutions/fully-configurable/README.md",
"offering_icon_url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-external-secrets-operator/refs/heads/da_task_11723/deploy-arch-ibm-eso.svg",
"provider_name": "IBM",
"features": [
{
"title": "Deploys the External Secrets Operator (ESO)",
"description": "This architecture allows to deploy [External Secrets Operator](https://external-secrets.io/latest/) (also known as ESO) on an existing IBM Cloud OpenShift Cluster."
},
{
"title": "Configures the External Secrets Operator (ESO) Cluster Secrets Stores and Secrets Stores with the related ServiceIDs and Secrets Groups",
"description": "Deploy and configure [ClusterSecretStore](https://external-secrets.io/latest/api/clustersecretstore/) resources for cluster scoped secrets store and [SecretStore](https://external-secrets.io/latest/api/secretstore/) resources for namespace scoped secrets store"
},
{
"title": "Deploys Stakater Reloader](https://github.com/stakater/Reloader] into the cluster to refresh the secrets in the cluster pods when needed",
"description": "The architecture allows to deploy optionally Stakater Reloader](https://github.com/stakater/Reloader) to configure automatic pod reloading"
}
],
"support_details": "This product is in the community registry, as such support is handled through the originated repo. If you experience issues please open an issue in this repository [https://github.com/terraform-ibm-modules/terraform-ibm-external-secrets-operator/issues). Please note this product is not supported via the IBM Cloud Support Center.",
"flavors": [
{
"label": "Fully configurable",
"name": "fully-configurable",
"install_type": "fullstack",
"working_directory": "solutions/fully-configurable",
"iam_permissions": [
{
"role_crns": [
"crn:v1:bluemix:public:iam::::role:Administrator"
],
"service_name": "iam-identity",
"notes": "[Optional] Required if Cloud automation for account configuration is enabled."
}
],
"configuration": [
{
"key": "ibmcloud_api_key"
},
{
"key": "prefix",
"required": true
},
{
"key": "existing_cluster_crn",
"required": true
},
{
"key": "existing_secrets_manager_crn",
"required": true
},
{
"key": "eso_namespace"
},
{
"key": "existing_eso_namespace"
},
{
"key": "eso_cluster_nodes_configuration"
},
{
"key": "eso_pod_configuration"
},
{
"key": "eso_image"
},
{
"key": "eso_image_version"
},
{
"key": "eso_chart_location"
},
{
"key": "eso_chart_version"
},
{
"key": "eso_enroll_in_servicemesh"
},
{
"key": "reloader_deployed"
},
{
"key": "reloader_reload_strategy"
},
{
"key": "reloader_namespaces_to_ignore"
},
{
"key": "reloader_resources_to_ignore"
},
{
"key": "reloader_namespaces_selector"
},
{
"key": "reloader_resource_label_selector"
},
{
"key": "reloader_ignore_secrets"
},
{
"key": "reloader_ignore_configmaps"
},
{
"key": "reloader_is_openshift"
},
{
"key": "reloader_is_argo_rollouts"
},
{
"key": "reloader_reload_on_create"
},
{
"key": "reloader_sync_after_restart"
},
{
"key": "reloader_pod_monitor_metrics"
},
{
"key": "reloader_log_format"
},
{
"key": "reloader_custom_values"
},
{
"key": "reloader_image"
},
{
"key": "reloader_image_version"
},
{
"key": "reloader_chart_location"
},
{
"key": "reloader_chart_version"
},
{
"key": "eso_secretsstores_configuration"
},
{
"key": "service_endpoints"
}
],
"architecture": {
"description": "This architecture supports deploying External Secrets Operator on IBM Cloud OpenShift cluster.",
"features": [
{
"title": "External Secrets Operator",
"description": "Deploys External Secrets Operator."
},
{
"title": "Configures External Secrets Operator Cluster Secrets Stores and Secrets Stores",
"description": "Creates and configures External Secrets Operator Cluster Secrets Stores and Secrets Stores."
},
{
"title": "Deploys Stakater Reloader",
"description": "Deploys Stakater Reloader to refresh the secrets in the cluster pods when needed."
}
],
"diagrams": [
{
"diagram": {
"caption": "External Secrets Operator architecture on IBM Cloud OpenShift cluster",
"url": "https://raw.githubusercontent.com/terraform-ibm-modules/terraform-ibm-external-secrets-operator/refs/heads/da_task_11723/reference-architecture/eso.svg",
"type": "image/svg+xml"
},
"description": "This architecture supports deploying External Secrets Operator on IBM Cloud OpenShift cluster."
}
]
},
"dependencies": [],
"dependency_version_2": true,
"terraform_version": "1.10.5"
}
]
}
]
}
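Review bot: `offering_icon_url` and the diagram `url` both point at `refs/heads/da_task_11723`, the feature branch of this PR, so the icon and the architecture diagram will stop resolving once the branch is deleted after merge; point both at `refs/heads/main`, as `offering_docs_url` already does. The `iam_permissions` block lists only `iam-identity` Administrator with a note about account configuration, while the required inputs are `existing_cluster_crn` and `existing_secrets_manager_crn`; list the roles actually needed on the cluster and on Secrets Manager so that users can scope the API key to them, and drop the Administrator entry if it does not apply. The Markdown links in the third `features` entry are malformed (`Stakater Reloader](https://github.com/stakater/Reloader]` has no opening bracket and closes with `]`), and the link in `support_details` opens with `[` and closes with `)`. `short_description` says "IBM Cloud Kubernetes Service (IKS) OpenShift cluster" while every other description says IBM Cloud OpenShift cluster; use one product name throughout.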