From e3336ff2a9308dc5dec011633d65308eb552f06c Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite
Date: Mon, 2 Mar 2026 18:31:50 +0000
Subject: [PATCH] feat(vso): deploy Vault Secrets Operator; add test RBAC + amd64 image aliases
- Add base/vso/ with Helm chart (v0.9.0 from helm.releases.hashicorp.com), namespace, and test-rbac.yaml granting the Helm test pod's default SA permission to create/read/delete Secrets, ConfigMaps, and Leases so the bundled connectivity test passes.
- Wire ../../base/vso into overlays/local/kustomization.yaml.
- Add image aliases for lasuite/people-backend and lasuite/people-frontend so kustomize rewrites those pulls to our Gitea registry (amd64-only images that are patched and mirrored by sunbeam.py).
---
 base/vso/kustomization.yaml | 17 +++++++++++++++++
 base/vso/namespace.yaml | 6 ++++++
 base/vso/test-rbac.yaml | 30 ++++++++++++++++++++++++++++++
 base/vso/vso-values.yaml | 8 ++++++++
 overlays/local/kustomization.yaml | 13 +++++++++++--
 5 files changed, 72 insertions(+), 2 deletions(-)
 create mode 100644 base/vso/kustomization.yaml
 create mode 100644 base/vso/namespace.yaml
 create mode 100644 base/vso/test-rbac.yaml
 create mode 100644 base/vso/vso-values.yaml
diff --git a/base/vso/kustomization.yaml b/base/vso/kustomization.yaml
new file mode 100644
index 0000000..29dd0c5
--- /dev/null
+++ b/base/vso/kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: vault-secrets-operator
+
+resources:
+ - namespace.yaml
+ - test-rbac.yaml
+
+helmCharts:
+ # helm repo add hashicorp https://helm.releases.hashicorp.com
+ - name: vault-secrets-operator
+ repo: https://helm.releases.hashicorp.com
+ version: "0.9.0"
+ releaseName: vault-secrets-operator
+ namespace: vault-secrets-operator
+ valuesFile: vso-values.yaml
diff --git a/base/vso/namespace.yaml b/base/vso/namespace.yaml
new file mode 100644
index 0000000..cb02ce6
--- /dev/null
+++ b/base/vso/namespace.yaml
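Review bot: The `helmCharts` entry leaves `skipHooks` at its default, so if the chart's connectivity test is shipped as a `helm.sh/hook: test` Pod, `kustomize build --enable-helm` renders it as an ordinary resource that is applied alongside the operator on every deploy rather than only when `helm test` is invoked — which is presumably also why `test-rbac.yaml` for the `default` SA is being rendered in the same kustomization. Add `skipHooks: true` under the chart entry and run the connectivity test out-of-band, or state explicitly that the test Pod is meant to live in the cluster. The chart is also fetched from `https://helm.releases.hashicorp.com` at build time with only a version pin and no provenance check (kustomize has no chart-digest field), so consider vendoring the chart under a local `charts/` directory and dropping `repo` so builds are reproducible and reviewable offline.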
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: vault-secrets-operator
+ annotations:
+ linkerd.io/inject: disabled
diff --git a/base/vso/test-rbac.yaml b/base/vso/test-rbac.yaml
new file mode 100644
index 0000000..d022a89
--- /dev/null
+++ b/base/vso/test-rbac.yaml
@@ -0,0 +1,30 @@
+---
+# Grant the default SA in vault-secrets-operator the permissions the Helm
+# test pod needs. The test runs the VSO binary which initializes its Vault
+# client cache by creating/reading a K8s Secret in this namespace.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vault-secrets-operator-test
+ namespace: vault-secrets-operator
+rules:
+ - apiGroups: [""]
+ resources: ["secrets", "configmaps"]
+ verbs: ["create", "get", "update", "delete", "list", "watch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create", "get", "update", "delete", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: vault-secrets-operator-test
+ namespace: vault-secrets-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: vault-secrets-operator-test
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: vault-secrets-operator
diff --git a/base/vso/vso-values.yaml b/base/vso/vso-values.yaml
new file mode 100644
index 0000000..d55344a
--- /dev/null
+++ b/base/vso/vso-values.yaml
@@ -0,0 +1,8 @@
+# Vault Secrets Operator Helm values
+# chart: vault-secrets-operator from https://helm.releases.hashicorp.com
+# Connects to OpenBao (Vault-compatible) running in the data namespace.
+
+defaultVaultConnection:
+ enabled: true
+ address: "http://openbao.data.svc.cluster.local:8200"
+ skipTLSVerify: false # OpenBao has TLS disabled (tlsDisable: true in openbao-values.yaml)
diff --git a/overlays/local/kustomization.yaml b/overlays/local/kustomization.yaml
index a094647..16c631f 100644
--- a/overlays/local/kustomization.yaml
+++ b/overlays/local/kustomization.yaml
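Review bot: The namespace carries only the Linkerd opt-out annotation, yet per the comment in `test-rbac.yaml` it will hold the operator's Vault client-cache Secret (and presumably the credentials VSO uses against OpenBao), so it should also carry Pod Security Admission labels so that a compromised test or operator pod cannot be escalated into a privileged workload in the same namespace, e.g. `pod-security.kubernetes.io/enforce: restricted` plus matching `warn`/`audit` labels. Check the chart's default `securityContext` before choosing `restricted` over `baseline`. Note that disabling mesh injection here also removes Linkerd mTLS from the operator's traffic to OpenBao, which matters given the plain-`http://` `address` in `vso-values.yaml`.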
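Review bot: Binding the Role to the namespace's `default` ServiceAccount gives every pod in `vault-secrets-operator` that omits `serviceAccountName` (and automounts its token) get/list/watch on all Secrets in the namespace — including the operator's Vault client-cache Secret the header comment mentions — which is far wider than the single test pod this is for, and `list`/`watch`/`update` also go beyond the create/read/delete the commit message describes. Create a dedicated ServiceAccount for the test pod and bind the Role to it instead, `subjects: [{kind: ServiceAccount, name: vault-secrets-operator-test, namespace: vault-secrets-operator}]`, assuming the chart lets the test pod's SA be set via values. Because this file lives in `base/vso/` the grant ships to every overlay, not just the local one; move it (and the test run) into `overlays/local` so production does not carry test-only RBAC. Whether the test actually touches `configmaps` and `leases` is not shown here — if it only needs the cache Secret, trim the rules to that.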
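Review bot: `address` points VSO at OpenBao over plain `http://` across namespaces, so the credential VSO presents at login and every secret OpenBao returns traverse the pod network unencrypted, and `namespace.yaml` disables Linkerd injection so there is no mesh mTLS to compensate; the trailing comment on `skipTLSVerify` also reads as if `false` were the hardened choice when the flag is simply irrelevant for an `http://` address. At minimum reword it, e.g. `skipTLSVerify: false  # no effect: address is plain http (OpenBao tlsDisable: true); dev-only — switch to https + caCertSecret before real secrets flow`. If this base is shared with a production overlay, the connection should be `https://` with `caCertSecret` set rather than leaving TLS off on the OpenBao side.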
@@ -19,15 +19,24 @@ resources:
 - ../../base/lasuite
 - ../../base/media
 - ../../base/devtools
+ - ../../base/vso
 images:
- # Local dev: image is built and imported directly into k3s containerd.
+ # Local dev: sunbeam-proxy is built and imported directly into k3s containerd.
 # imagePullPolicy: Never is set in values-pingora.yaml so k3s never tries to pull.
- # Production overlay points this at src.DOMAIN_SUFFIX/sunbeam/sunbeam-proxy:latest.
+ # Production overlay points this at src.DOMAIN_SUFFIX/studio/sunbeam-proxy:latest.
 - name: sunbeam-proxy
 newName: sunbeam-proxy
 newTag: dev
+ # amd64-only La Suite images — mirrored to our Gitea registry with a patched
+ # OCI index that adds an arm64 alias so Rosetta can run them on the Lima VM.
+ # DOMAIN_SUFFIX is substituted by local-up.py at deploy time (sed replacement).
+ - name: lasuite/people-backend
+ newName: src.DOMAIN_SUFFIX/studio/people-backend
+ - name: lasuite/people-frontend
+ newName: src.DOMAIN_SUFFIX/studio/people-frontend
+
 patches:
 # Add hostPort for TURN relay range on Lima VM
 - path: values-pingora.yaml
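Review bot: The two new `images` entries rewrite only the registry and pin neither `newTag` nor `digest`, so the tag comes from whatever the La Suite manifests reference and the mirrored, index-patched image in Gitea is pulled by a mutable tag with nothing tying the pull to the artifact `sunbeam.py` actually produced. Have `sunbeam.py` emit the mirrored manifest digest and pin it here — `- name: lasuite/people-backend` / `newName: src.DOMAIN_SUFFIX/studio/people-backend` / `digest: sha256:<mirrored digest>` — so a re-pushed or tampered tag in the registry cannot substitute a different image. Also note that kustomize matches `name` against the full image name before the tag, so if the upstream manifests reference `docker.io/lasuite/people-backend` these entries will not match and the rewrite silently does nothing; worth checking the rendered output once.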