feat(vso): deploy Vault Secrets Operator; add test RBAC + amd64 image aliases

- Add base/vso/ with Helm chart (v0.9.0 from helm.releases.hashicorp.com), namespace, and test-rbac.yaml granting the Helm test pod's default SA permission to create/read/delete Secrets, ConfigMaps, and Leases so the bundled connectivity test passes. - Wire ../../base/vso into overlays/local/kustomization.yaml. - Add image aliases for lasuite/people-backend and lasuite/people-frontend so kustomize rewrites those pulls to our Gitea registry (amd64-only images that are patched and mirrored by sunbeam.py).
2026-03-02 18:31:50 +00:00
parent 6110c33b48
commit e3336ff2a9
5 changed files with 72 additions and 2 deletions
--- a/base/vso/kustomization.yaml
+++ b/base/vso/kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: vault-secrets-operator
+
+resources:
+  - namespace.yaml
+  - test-rbac.yaml
+
+helmCharts:
+  # helm repo add hashicorp https://helm.releases.hashicorp.com
+  - name: vault-secrets-operator
+    repo: https://helm.releases.hashicorp.com
+    version: "0.9.0"
+    releaseName: vault-secrets-operator
+    namespace: vault-secrets-operator
+    valuesFile: vso-values.yaml
--- a/base/vso/namespace.yaml
+++ b/base/vso/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault-secrets-operator
+  annotations:
+    linkerd.io/inject: disabled
--- a/base/vso/test-rbac.yaml
+++ b/base/vso/test-rbac.yaml
@@ -0,0 +1,30 @@
+---
+# Grant the default SA in vault-secrets-operator the permissions the Helm
+# test pod needs. The test runs the VSO binary which initializes its Vault
+# client cache by creating/reading a K8s Secret in this namespace.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vault-secrets-operator-test
+  namespace: vault-secrets-operator
+rules:
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps"]
+    verbs: ["create", "get", "update", "delete", "list", "watch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["create", "get", "update", "delete", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vault-secrets-operator-test
+  namespace: vault-secrets-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: vault-secrets-operator-test
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: vault-secrets-operator
--- a/base/vso/vso-values.yaml
+++ b/base/vso/vso-values.yaml
@@ -0,0 +1,8 @@
+# Vault Secrets Operator Helm values
+# chart: vault-secrets-operator from https://helm.releases.hashicorp.com
+# Connects to OpenBao (Vault-compatible) running in the data namespace.
+
+defaultVaultConnection:
+  enabled: true
+  address: "http://openbao.data.svc.cluster.local:8200"
+  skipTLSVerify: false  # OpenBao has TLS disabled (tlsDisable: true in openbao-values.yaml)