feat: add external secrets to platform-extensions

Author: bsgrigorov

charts/platform-extensions/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: platform-extensions
 description: Cluster-scoped Kubernetes resources for platform teams (requires cluster-admin)
 type: application
-version: 1.2.1
+version: 1.3.0
 appVersion: "1.0.0"
 kubeVersion: ">=1.22.0-0"
 home: https://github.com/synkube/

charts/platform-extensions/templates/secrets/external-secrets.yaml

@@ -0,0 +1,80 @@
+{{- range $name, $externalSecret := .Values.externalSecrets }}
+{{- if include "common.hasApi" (list "external-secrets.io/v1/ExternalSecret" $) }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ $name }}
+  {{- with $externalSecret.namespace }}
+  namespace: {{ . }}
+  {{- end }}
+  labels:
+    {{- include "platform-extensions.labels" $ | nindent 4 }}
+  {{- with $externalSecret.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  refreshInterval: {{ $externalSecret.refreshInterval | default "1h" }}
+  secretStoreRef:
+    name: {{ $externalSecret.secretStoreRef.name }}
+    kind: {{ $externalSecret.secretStoreRef.kind | default "ClusterSecretStore" }}
+  target:
+    name: {{ $externalSecret.target.name | default $name }}
+    creationPolicy: {{ $externalSecret.target.creationPolicy | default "Owner" }}
+    {{- with $externalSecret.target.deletionPolicy }}
+    deletionPolicy: {{ . }}
+    {{- end }}
+    {{- if $externalSecret.target.template }}
+    template:
+      {{- toYaml $externalSecret.target.template | nindent 6 }}
+    {{- end }}
+  {{- if $externalSecret.data }}
+  data:
+    {{- range $externalSecret.data }}
+    - secretKey: {{ .secretKey }}
+      remoteRef:
+        key: {{ .remoteRef.key }}
+        {{- if .remoteRef.property }}
+        property: {{ .remoteRef.property }}
+        {{- end }}
+        {{- if .remoteRef.version }}
+        version: {{ .remoteRef.version }}
+        {{- end }}
+        {{- if .remoteRef.conversionStrategy }}
+        conversionStrategy: {{ .remoteRef.conversionStrategy }}
+        {{- end }}
+        {{- if .remoteRef.decodingStrategy }}
+        decodingStrategy: {{ .remoteRef.decodingStrategy }}
+        {{- end }}
+    {{- end }}
+  {{- end }}
+  {{- if $externalSecret.dataFrom }}
+  dataFrom:
+    {{- range $externalSecret.dataFrom }}
+    - extract:
+        key: {{ .extract.key }}
+        {{- if .extract.property }}
+        property: {{ .extract.property }}
+        {{- end }}
+        {{- if .extract.version }}
+        version: {{ .extract.version }}
+        {{- end }}
+        {{- if .extract.conversionStrategy }}
+        conversionStrategy: {{ .extract.conversionStrategy }}
+        {{- end }}
+        {{- if .extract.decodingStrategy }}
+        decodingStrategy: {{ .extract.decodingStrategy }}
+        {{- end }}
+      {{- if .rewrite }}
+      rewrite:
+        {{- range .rewrite }}
+        - regexp:
+            source: {{ .regexp.source }}
+            target: {{ .regexp.target }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}

charts/platform-extensions/values.yaml

@@ -13,20 +13,85 @@ clusterSecretStores: {}
   #     infisical:
   #       auth:
   #         universalAuthCredentials:
-  #           secretsPath: "/k8s/platform"
   #           clientId:
-  #             secretRef:
-  #               secretName: infisical-auth
-  #               key: clientId
+  #             key: clientId
+  #             namespace: argocd
+  #             name: infisical-auth
   #           clientSecret:
-  #             secretRef:
-  #               secretName: infisical-auth
-  #               key: clientSecret
-  #       hostAPI: "https://app.infisical.com/api"
-  #   conditions:
-  #     - namespaceSelector:
-  #         matchLabels:
-  #           platform-secrets: "enabled"
+  #             key: clientSecret
+  #             namespace: argocd
+  #             name: infisical-auth
+  #       hostAPI: "https://app.infisical.com"
+  #       secretsScope:
+  #         projectSlug: "my-project"
+  #         environmentSlug: "prod"
+  #         secretsPath: "/k8s/platform"
+  #         recursive: true
+
+# External Secrets - Platform-wide secrets synced from external providers
+# These create secrets in specific namespaces for platform services
+externalSecrets: {}
+  # oauth2-proxy-credentials:
+  #   namespace: network
+  #   refreshInterval: "5m"
+  #   secretStoreRef:
+  #     name: infisical-platform
+  #     kind: ClusterSecretStore
+  #   target:
+  #     name: oauth2-proxy-credentials
+  #     creationPolicy: Owner
+  #   data:
+  #     - secretKey: client-id
+  #       remoteRef:
+  #         key: /k8s/platform/oauth2_proxy_github_client_id
+  #     - secretKey: client-secret
+  #       remoteRef:
+  #         key: /k8s/platform/oauth2_proxy_github_client_secret
+  #     - secretKey: cookie-secret
+  #       remoteRef:
+  #         key: /k8s/platform/oauth2_proxy_cookie_secret
+  #
+  # cloudflare-cert-manager:
+  #   namespace: cert-manager
+  #   refreshInterval: "5m"
+  #   secretStoreRef:
+  #     name: infisical-platform
+  #     kind: ClusterSecretStore
+  #   target:
+  #     name: cloudflare
+  #     creationPolicy: Owner
+  #   data:
+  #     - secretKey: api-token
+  #       remoteRef:
+  #         key: /k8s/platform/cloudflare_api_token
+  #
+  # cloudflare-network:
+  #   namespace: network
+  #   refreshInterval: "5m"
+  #   secretStoreRef:
+  #     name: infisical-platform
+  #     kind: ClusterSecretStore
+  #   target:
+  #     name: cloudflare
+  #     creationPolicy: Owner
+  #   data:
+  #     - secretKey: api-token
+  #       remoteRef:
+  #         key: /k8s/platform/cloudflare_api_token
+  #
+  # api-basic-auth:
+  #   namespace: network
+  #   refreshInterval: "5m"
+  #   secretStoreRef:
+  #     name: infisical-platform
+  #     kind: ClusterSecretStore
+  #   target:
+  #     name: api-basic-auth
+  #     creationPolicy: Owner
+  #   data:
+  #     - secretKey: users
+  #       remoteRef:
+  #         key: /k8s/platform/api_basic_auth_users
 
 # Cluster Roles - Cluster-wide permissions
 clusterRoles: {}
@@ -38,10 +103,6 @@ clusterRoles: {}
   #     - apiGroups: ["external-secrets.io"]
   #       resources: ["externalsecrets", "secretstores"]
   #       verbs: ["*"]
-  #   aggregationRule:
-  #     clusterRoleSelectors:
-  #       - matchLabels:
-  #           rbac.platform/aggregate-to-operator: "true"
 
 # Cluster Role Bindings - Cluster-wide permission assignments
 clusterRoleBindings: {}