♻️(helm) refactor clusterSecretStore and ExternalSecret deployments

Refactored ClusterSecretStore and ExternalSecret deployment to support
VaultWarden custom fields beyond login/password, including multi-line
values via file input. Also made the secret template name configurable
for added flexibility.

ClusterSecretStores are cluster-scoped objects, so specifying a namespace on them is pointless.
lebaudantoine
2025-01-13 12:20:35 +01:00
committed by aleb_the_flash
parent 6d08e318a7
commit 9972692dac
4 changed files with 31 additions and 11 deletions


@@ -3,7 +3,7 @@ set -o errexit
CURRENT_DIR=$(pwd)
NAMESPACE=${1:-meet}
SECRET_NAME=${2:-bitwarden-cli-visio}
SECRET_NAME=${2:-bitwarden-cli-meet}
TEMP_SECRET_FILE=$(mktemp)
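Review bot: `SECRET_NAME=${2:-bitwarden-cli-meet}` hard-codes the namespace suffix while `NAMESPACE=${1:-meet}` on the line above is overridable, and the Deployment in this same commit reads its credentials from a secret named `bitwarden-cli-{{ $.Release.Namespace }}`; invoking the script with only a namespace argument would therefore create a secret under a name the Deployment never looks up. Deriving the default from the first argument, `SECRET_NAME=${2:-bitwarden-cli-${NAMESPACE}}`, keeps the two in step. The rest of the script is outside the hunk.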


@@ -3,12 +3,12 @@ secrets:
itemId: a25effec-eaea-4ce1-9ed8-3a3cc1c734db
field: username
podVariable: OIDC_RP_CLIENT_ID
clusterSecretStore: bitwarden-login-visio
clusterSecretStore: bitwarden-login-meet
- name: oidcPass
itemId: a25effec-eaea-4ce1-9ed8-3a3cc1c734db
field: password
podVariable: OIDC_RP_CLIENT_SECRET
clusterSecretStore: bitwarden-login-visio
clusterSecretStore: bitwarden-login-meet
image:
repository: localhost:5001/meet-backend
pullPolicy: Always
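Review bot: `clusterSecretStore: bitwarden-login-meet` hard-codes the namespace suffix that the ClusterSecretStore template in this commit now derives from `$.Release.Namespace`, so these values only resolve when the release namespace is `meet`; in any other namespace the ExternalSecrets would reference a store that does not exist. If the ExternalSecret template (outside this diff) renders this value as-is, consider keeping only the store kind in values, e.g. `clusterSecretStore: bitwarden-login`, and appending `-{{ $.Release.Namespace }}` in the template, or at least add a comment above these entries stating that the suffix must match the release namespace.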


@@ -1,13 +1,33 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: bitwarden-login-visio
namespace: {{ $.Release.Namespace | quote }}
name: bitwarden-login-{{ $.Release.Namespace }}
spec:
provider:
webhook:
url: "http://bitwarden-cli-visio.meet.svc.cluster.local:8087/object/item/{{`{{ .remoteRef.key }}`}}"
url: "http://bitwarden-cli-{{ $.Release.Namespace }}.{{ $.Release.Namespace }}.svc.cluster.local:8087/object/item/{{`{{ .remoteRef.key }}`}}"
headers:
Content-Type: application/json
result:
jsonPath: "$.data.login.{{`{{ .remoteRef.property }}`}}"
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: bitwarden-fields-{{ $.Release.Namespace }}
spec:
provider:
webhook:
url: "http://bitwarden-cli-{{ $.Release.Namespace }}.{{ $.Release.Namespace }}.svc.cluster.local:8087/object/item/{{`{{ .remoteRef.key }}`}}"
result:
jsonPath: "$.data.fields[?@.name==\"{{`{{ .remoteRef.property }}`}}\"].value"
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: bitwarden-attachments-{{ $.Release.Namespace }}
spec:
provider:
webhook:
url: "http://bitwarden-cli-{{ $.Release.Namespace }}.{{ $.Release.Namespace }}.svc.cluster.local:8087/object/attachment/{{`{{ .remoteRef.property }}`}}?itemid={{`{{ .remoteRef.key }}`}}"
result: {}
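Review bot: All three ClusterSecretStores are cluster-scoped and carry no `spec.conditions`, so an ExternalSecret in any namespace can read login data, custom fields and attachments through this namespace's Bitwarden CLI session; since each store is named after `$.Release.Namespace` and points at a service in that same namespace, limiting it to that namespace is the least-privilege shape. If the External Secrets Operator version in use supports store conditions, add under each `spec:` the lines `conditions:` / `  - namespaces:` / `      - {{ $.Release.Namespace | quote }}` ahead of `provider:`. Separately, the names derive from the namespace alone, so a second release of this chart in the same namespace would try to create identically named cluster-scoped objects and fail Helm's ownership check; including `$.Release.Name` in the name would avoid that if multiple releases per namespace are a supported scenario. The second and third stores also omit the `headers: Content-Type: application/json` that the first store sends; harmless for a GET, but worth aligning or explaining in a comment.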


@@ -2,7 +2,7 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: bitwarden-cli-visio
name: bitwarden-cli-{{ $.Release.Namespace }}
namespace: {{ $.Release.Namespace | quote }}
labels:
app.kubernetes.io/instance: bitwarden-cli
@@ -29,17 +29,17 @@ spec:
- name: BW_HOST
valueFrom:
secretKeyRef:
name: bitwarden-cli-visio
name: bitwarden-cli-{{ $.Release.Namespace }}
key: BW_HOST
- name: BW_USER
valueFrom:
secretKeyRef:
name: bitwarden-cli-visio
name: bitwarden-cli-{{ $.Release.Namespace }}
key: BW_USERNAME
- name: BW_PASSWORD
valueFrom:
secretKeyRef:
name: bitwarden-cli-visio
name: bitwarden-cli-{{ $.Release.Namespace }}
key: BW_PASSWORD
ports:
- name: http
@@ -74,7 +74,7 @@ spec:
apiVersion: v1
kind: Service
metadata:
name: bitwarden-cli-visio
name: bitwarden-cli-{{ $.Release.Namespace }}
namespace: {{ $.Release.Namespace | quote }}
labels:
app.kubernetes.io/instance: bitwarden-cli