♻️(helm) refactor clusterSecretStore and ExternalSecret deployments

Refactored ClusterSecretStore and ExternalSecret deployment to support
VaultWarden custom fields beyond login/password, including multi-line
values via file input. Also made the secret template name configurable
for added flexibility.

ClusterSecretStore are supposed to be cluster-wide objects, it's useless
to precise any namespace.

bin/install-external-secrets.sh

@@ -3,7 +3,7 @@ set -o errexit
 
 CURRENT_DIR=$(pwd)
 NAMESPACE=${1:-meet}
-SECRET_NAME=${2:-bitwarden-cli-visio}
+SECRET_NAME=${2:-bitwarden-cli-meet}
 TEMP_SECRET_FILE=$(mktemp)
 
 

src/helm/env.d/dev/values.meet.yaml.gotmpl

@@ -3,12 +3,12 @@ secrets:
     itemId: a25effec-eaea-4ce1-9ed8-3a3cc1c734db
     field: username
     podVariable: OIDC_RP_CLIENT_ID
-    clusterSecretStore: bitwarden-login-visio
+    clusterSecretStore: bitwarden-login-meet
   - name: oidcPass
     itemId: a25effec-eaea-4ce1-9ed8-3a3cc1c734db
     field: password
     podVariable: OIDC_RP_CLIENT_SECRET
-    clusterSecretStore: bitwarden-login-visio
+    clusterSecretStore: bitwarden-login-meet
 image:
   repository: localhost:5001/meet-backend
   pullPolicy: Always

src/helm/extra/templates/clustersecretstore.yaml

@@ -1,13 +1,33 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
-  name: bitwarden-login-visio
+  name: bitwarden-login-{{ $.Release.Namespace }}
-  namespace: {{ $.Release.Namespace | quote }}
 spec:
   provider:
     webhook:
-      url: "http://bitwarden-cli-visio.meet.svc.cluster.local:8087/object/item/{{`{{ .remoteRef.key }}`}}"
+      url: "http://bitwarden-cli-{{ $.Release.Namespace }}.{{ $.Release.Namespace }}.svc.cluster.local:8087/object/item/{{`{{ .remoteRef.key }}`}}"
       headers:
         Content-Type: application/json
       result:
         jsonPath: "$.data.login.{{`{{ .remoteRef.property }}`}}"
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: bitwarden-fields-{{ $.Release.Namespace }}
+spec:
+  provider:
+    webhook:
+      url: "http://bitwarden-cli-{{ $.Release.Namespace }}.{{ $.Release.Namespace }}.svc.cluster.local:8087/object/item/{{`{{ .remoteRef.key }}`}}"
+      result:
+        jsonPath: "$.data.fields[?@.name==\"{{`{{ .remoteRef.property }}`}}\"].value"
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: bitwarden-attachments-{{ $.Release.Namespace }}
+spec:
+  provider:
+    webhook:
+      url: "http://bitwarden-cli-{{ $.Release.Namespace }}.{{ $.Release.Namespace }}.svc.cluster.local:8087/object/attachment/{{`{{ .remoteRef.property }}`}}?itemid={{`{{ .remoteRef.key }}`}}"
+      result: {}

src/helm/extra/templates/external_secret_deployment.yaml

@@ -2,7 +2,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: bitwarden-cli-visio
+  name: bitwarden-cli-{{ $.Release.Namespace }}
   namespace: {{ $.Release.Namespace | quote }}
   labels:
     app.kubernetes.io/instance: bitwarden-cli
@@ -29,17 +29,17 @@ spec:
             - name: BW_HOST
               valueFrom:
                 secretKeyRef:
-                  name: bitwarden-cli-visio
+                  name: bitwarden-cli-{{ $.Release.Namespace }}
                   key: BW_HOST
             - name: BW_USER
               valueFrom:
                 secretKeyRef:
-                  name: bitwarden-cli-visio
+                  name: bitwarden-cli-{{ $.Release.Namespace }}
                   key: BW_USERNAME
             - name: BW_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: bitwarden-cli-visio
+                  name: bitwarden-cli-{{ $.Release.Namespace }}
                   key: BW_PASSWORD
           ports:
             - name: http
@@ -74,7 +74,7 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: bitwarden-cli-visio
+  name: bitwarden-cli-{{ $.Release.Namespace }}
   namespace: {{ $.Release.Namespace | quote }}
   labels:
     app.kubernetes.io/instance: bitwarden-cli