diff --git a/base/vso/kustomization.yaml b/base/vso/kustomization.yaml
new file mode 100644
index 0000000..29dd0c5
--- /dev/null
+++ b/base/vso/kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: vault-secrets-operator
+
+resources:
+ - namespace.yaml
+ - test-rbac.yaml
+
+helmCharts:
+ # helm repo add hashicorp https://helm.releases.hashicorp.com
+ - name: vault-secrets-operator
+ repo: https://helm.releases.hashicorp.com
+ version: "0.9.0"
+ releaseName: vault-secrets-operator
+ namespace: vault-secrets-operator
+ valuesFile: vso-values.yaml
diff --git a/base/vso/namespace.yaml b/base/vso/namespace.yaml
new file mode 100644
index 0000000..cb02ce6
--- /dev/null
+++ b/base/vso/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: vault-secrets-operator
+ annotations:
+ linkerd.io/inject: disabled
diff --git a/base/vso/test-rbac.yaml b/base/vso/test-rbac.yaml
new file mode 100644
index 0000000..d022a89
--- /dev/null
+++ b/base/vso/test-rbac.yaml
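Review bot: `test-rbac.yaml` is listed under `resources:` of the base Kustomization, so the Role and RoleBinding it contains are rendered into every overlay that includes `base/vso`, not only where the Helm test pod is actually run, and the grant to the `default` ServiceAccount therefore exists in non-test environments too. Move that file into the overlay (or a dedicated component) that runs `helm test`, and keep base limited to `namespace.yaml` plus the chart. Separately, the chart is fetched from `repo:` at build time with `version: "0.9.0"` as the only pin; as far as I can tell Kustomize `helmCharts` has no digest or checksum check, so vendoring the chart or building in CI where the tarball can be verified would be the stronger control — confirm against the kustomize version in use.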
@@ -0,0 +1,30 @@
+---
+# Grant the default SA in vault-secrets-operator the permissions the Helm
+# test pod needs. The test runs the VSO binary which initializes its Vault
+# client cache by creating/reading a K8s Secret in this namespace.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vault-secrets-operator-test
+ namespace: vault-secrets-operator
+rules:
+ - apiGroups: [""]
+ resources: ["secrets", "configmaps"]
+ verbs: ["create", "get", "update", "delete", "list", "watch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create", "get", "update", "delete", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: vault-secrets-operator-test
+ namespace: vault-secrets-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: vault-secrets-operator-test
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: vault-secrets-operator
diff --git a/base/vso/vso-values.yaml b/base/vso/vso-values.yaml
new file mode 100644
index 0000000..d55344a
--- /dev/null
+++ b/base/vso/vso-values.yaml
@@ -0,0 +1,8 @@
+# Vault Secrets Operator Helm values
+# chart: vault-secrets-operator from https://helm.releases.hashicorp.com
+# Connects to OpenBao (Vault-compatible) running in the data namespace.
+
+defaultVaultConnection:
+ enabled: true
+ address: "http://openbao.data.svc.cluster.local:8200"
+ skipTLSVerify: false # OpenBao has TLS disabled (tlsDisable: true in openbao-values.yaml)
diff --git a/overlays/local/kustomization.yaml b/overlays/local/kustomization.yaml
index a094647..16c631f 100644
--- a/overlays/local/kustomization.yaml
+++ b/overlays/local/kustomization.yaml
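Review bot: The Role's first rule grants `create`, `get`, `update`, `delete`, `list` and `watch` on both `secrets` and `configmaps`, while the header comment says the test only creates and reads one Secret; `list` and `watch` on secrets in particular let any pod running as `default` in this namespace enumerate every Secret there, including whatever VSO itself stores. Trim the rule to what the test exercises — for example `resources: ["secrets"]` with `verbs: ["create", "get", "update", "delete"]`, dropping `configmaps` unless the test writes them — or extend the comment to say why each extra verb and resource is required. Binding to the `default` ServiceAccount also means every pod in the namespace without an explicit `serviceAccountName` inherits this role; if the chart lets the test pod run under its own ServiceAccount, bind to that instead.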
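Review bot: `address` points VSO at OpenBao over plain `http://`, so the credentials VSO presents to OpenBao and every secret it fetches cross the pod network unencrypted, and `namespace.yaml` in this same commit sets `linkerd.io/inject: disabled` on the operator namespace, so mesh mTLS will not cover that hop either (assuming the mesh is what protects other in-cluster traffic here). Either terminate TLS on OpenBao and switch `address` to `https://`, keeping `skipTLSVerify: false` and supplying the CA through the chart's CA-secret setting, or leave injection enabled for this namespace so the connection is at least mesh-encrypted. The inline comment on `skipTLSVerify` is also misleading, since the flag has no effect on an `http://` address; reword it to `# no effect while address is http://; keep false so verification is on once OpenBao serves TLS`.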
@@ -19,15 +19,24 @@ resources:
 - ../../base/lasuite
 - ../../base/media
 - ../../base/devtools
+ - ../../base/vso
 images:
- # Local dev: image is built and imported directly into k3s containerd.
+ # Local dev: sunbeam-proxy is built and imported directly into k3s containerd.
 # imagePullPolicy: Never is set in values-pingora.yaml so k3s never tries to pull.
- # Production overlay points this at src.DOMAIN_SUFFIX/sunbeam/sunbeam-proxy:latest.
+ # Production overlay points this at src.DOMAIN_SUFFIX/studio/sunbeam-proxy:latest.
 - name: sunbeam-proxy
 newName: sunbeam-proxy
 newTag: dev
+ # amd64-only La Suite images — mirrored to our Gitea registry with a patched
+ # OCI index that adds an arm64 alias so Rosetta can run them on the Lima VM.
+ # DOMAIN_SUFFIX is substituted by local-up.py at deploy time (sed replacement).
+ - name: lasuite/people-backend
+ newName: src.DOMAIN_SUFFIX/studio/people-backend
+ - name: lasuite/people-frontend
+ newName: src.DOMAIN_SUFFIX/studio/people-frontend
+
 patches:
 # Add hostPort for TURN relay range on Lima VM
 - path: values-pingora.yaml
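Review bot: The two new `images:` entries set only `newName`, so the mirrored `people-backend` and `people-frontend` images are pulled by whatever mutable tag the upstream manifests carry, and because the mirror holds a hand-patched OCI index nothing ties the deployment to the specific index that was tested. Add `digest: sha256:<digest-of-mirrored-index>` (placeholder) to each entry, or at minimum a `newTag`, so a re-push to the Gitea registry cannot silently change what the Lima VM runs; kustomize's images transformer accepts `digest` alongside `newName`. This is the local overlay, so the exposure is mainly reproducibility, but the pin is cheap and documents which patched index is the intended one.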