
Commit dd72162

Add External Secret to Kargo DevProd POC (redhat-appstudio#370)
1 parent 80fae4f commit dd72162

7 files changed

Lines changed: 94 additions & 0 deletions


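--- a/components/cluster-secret-store/base/appsre-stonesoup-vault-secret-store.yaml
+++ b/components/cluster-secret-store/base/appsre-stonesoup-vault-secret-store.yaml
@@ -34,3 +34,5 @@ spec:
 - konflux-support-ops
 - rover-group-sync
 - argocd-local # Must be the namespace where ArgoCD is deployed
+- konflux-devprod-poc
+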
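Review bot: The added `- konflux-devprod-poc` entry (new line 37) has no comment saying why the namespace is listed, unlike the `argocd-local` line above it. If this list is the store's namespace allow-list (the existing comment suggests so; the enclosing key is outside the hunk), ExternalSecrets in that namespace can now read through this ClusterSecretStore. What they can read is then bounded by the Vault role behind the store, not by the path a given ExternalSecret names, so confirm that only the GitOps controller can create or edit ExternalSecrets in `konflux-devprod-poc`. Suggested comment: `# Kargo DevProd POC; remove when the POC is retired`. New line 38 also adds a trailing blank line that could be dropped.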

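--- a/components/kargo/internal-staging/projects/base/kustomization.yaml
+++ b/components/kargo/internal-staging/projects/base/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 resources:
 - project.yaml
 - ns.yaml
+- rbac.yaml
 
 commonAnnotations:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true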
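Review bot: `- rbac.yaml` at new line 6 is added to the shared base, which project overlays pull in via `../base`, but the page does not show which file it resolves to. No file section with a visible path adds `base/rbac.yaml`, and the 41-line Role/RoleBinding section has no path. If that file is the one referenced here, the `konflux-devprod` group binding would be rendered into every project that uses the base, not only `konflux-devprod-poc`. If it is not, the build depends on a `base/rbac.yaml` that must already exist. Please confirm which, and keep group-specific RBAC in the overlay only.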
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
---
2+
apiVersion: external-secrets.io/v1beta1
3+
kind: ExternalSecret
4+
metadata:
5+
name: konflux-devprod-poc-secrets
6+
annotations:
7+
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
8+
spec:
9+
dataFrom:
10+
- extract:
11+
conversionStrategy: Default
12+
decodingStrategy: None
13+
key: staging/devprod/kargo-secrets-stage
14+
refreshInterval: 15m
15+
secretStoreRef:
16+
kind: ClusterSecretStore
17+
name: appsre-stonesoup-vault
18+
target:
19+
creationPolicy: Owner
20+
deletionPolicy: Delete
21+
name: konflux-devprod-poc-secrets
22+
template:
23+
metadata:
24+
labels:
25+
kargo.akuity.io/cred-type: git
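Review bot: `dataFrom.extract` (new lines 9-13) copies every property under `staging/devprod/kargo-secrets-stage` into the target Secret, so the Secret's contents are decided in Vault and cannot be reviewed here. Anything later added to that path appears in the namespace on the next 15m refresh. Because the target is labelled `kargo.akuity.io/cred-type: git`, Kargo will treat it as a Git credential and look for specific keys in it. Consider mapping the needed properties one by one under `data:` with `remoteRef.property`, or at minimum add a comment such as `# Vault entry must hold only the Git credential keys Kargo reads`.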
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
---
2+
apiVersion: kustomize.config.k8s.io/v1beta1
3+
kind: Kustomization
4+
5+
resources:
6+
- konflux-devprod-poc-secrets.yaml
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
apiVersion: kustomize.config.k8s.io/v1beta1
2+
kind: Kustomization
3+
resources:
4+
- ../base
5+
- rbac.yaml
6+
- external-secrets
7+
8+
replacements:
9+
- source:
10+
kind: Namespace
11+
fieldPath: metadata.name
12+
targets:
13+
- select:
14+
kind: Project
15+
fieldPaths:
16+
- metadata.name
17+
18+
namespace: konflux-devprod-poc
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
---
2+
kind: Role
3+
apiVersion: rbac.authorization.k8s.io/v1
4+
metadata:
5+
name: konflux-devprod-kargo-resources-admin
6+
rules:
7+
- apiGroups:
8+
- kargo.akuity.io
9+
resources:
10+
- "*"
11+
verbs:
12+
- "*"
13+
- apiGroups:
14+
- external-secrets.io
15+
resources:
16+
- externalsecrets
17+
verbs:
18+
- get
19+
- list
20+
- watch
21+
- apiGroups:
22+
- ""
23+
resources:
24+
- secrets
25+
verbs:
26+
- get
27+
- list
28+
- watch
29+
---
30+
kind: RoleBinding
31+
apiVersion: rbac.authorization.k8s.io/v1
32+
metadata:
33+
name: konflux-devprod-kargo-resources-admin
34+
subjects:
35+
- apiGroup: rbac.authorization.k8s.io
36+
kind: Group
37+
name: konflux-devprod
38+
roleRef:
39+
apiGroup: rbac.authorization.k8s.io
40+
kind: Role
41+
name: konflux-devprod-kargo-resources-admin
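Review bot: The third rule (new lines 21-28) gives the `konflux-devprod` group `get`, `list` and `watch` on every Secret in the namespace where this Role is applied, and `list` and `watch` return full Secret data. This section has no path on the page, but if it is the overlay's `rbac.yaml`, that covers the Git credentials synced into `konflux-devprod-poc-secrets`. If group members only need to manage Kargo resources, drop the rule; if they must inspect that one Secret, narrow it to `verbs: [get]` with `resourceNames: [konflux-devprod-poc-secrets]`. The `"*"` resources and verbs on `kargo.akuity.io` in the first rule also cover resource types and custom verbs added later, so an explicit list would be easier to audit once the POC settles. A short comment above each rule stating why the group needs the access would help.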

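--- a/components/kargo/internal-staging/projects/kustomization.yaml
+++ b/components/kargo/internal-staging/projects/kustomization.yaml
@@ -4,6 +4,7 @@ resources:
 - kargo-konflux-infra
 - kargo-konflux-vanguard
 - kargo-konflux
+- konflux-devprod-poc
 
 commonAnnotations:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true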
