site secrets helm chart

Author: syedhaseebahmed

apps/global/site-secrets.yaml

@@ -3,5 +3,10 @@ component: site-secrets
 sources:
   - ref: understack
     path: 'components/site-secrets'
-#  - ref: deploy
-#    path: '{{.name}}/manifests/site-secrets'
+    helm:
+      releaseName: site-secrets
+      valueFiles:
+        - $deploy/{{.name}}/helm-configs/secrets-sync-clusters.yaml
+      ignoreMissingValueFiles: true
+  - ref: deploy
+    path: '{{.name}}/manifests/site-secrets'

components/site-secrets/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

components/site-secrets/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: site-secrets
+description: Orchestrating secrets across kubernetes clusters (global-site) using External SecretStore
+type: application
+version: 0.1.0
+appVersion: "1.0"

components/site-secrets/clusterrole-sa.yaml

@@ -0,0 +1,7 @@
+{{- range .Values.clusters }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .name }}-secrets
+{{- end }}

components/site-secrets/templates/namespace.yaml.tmpl

@@ -0,0 +1,47 @@
+{{- range .Values.clusters }}
+{{- $cluster := .name }}
+{{- $secretStore := .secretStore }}
+{{- range .secrets }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ .name }}
+  namespace: {{ $cluster }}-secrets
+  annotations:
+    link.argocd.argoproj.io/external-link: {{ tpl .externalLinkAnnotationTemplate . }}
+spec:
+  refreshInterval: {{ .refreshInterval | default "1h" }}
+  secretStoreRef:
+    kind: {{ $secretStore.kind }}
+    name: {{ $secretStore.name }}
+  target:
+    name: {{ .name }}
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      type: {{ .templateType | default "Opaque" }}
+{{- if .templateData }}
+      data:
+{{- range $k, $v := .templateData }}
+        {{ $k }}: {{ $v | quote }}
+{{- end }}
+{{- end }}
+{{- if .data }}
+  data:
+{{- range .data }}
+    - secretKey: {{ .secretKey }}
+      remoteRef:
+        key: {{ .remoteRef.key }}
+        property: {{ .remoteRef.property }}
+        conversionStrategy: {{ .remoteRef.conversionStrategy | default "Default" }}
+        decodingStrategy: {{ .remoteRef.decodingStrategy | default "None" }}
+        metadataPolicy: {{ .remoteRef.metadataPolicy | default "None" }}
+{{- end }}
+{{- end }}
+{{- if .dataFrom }}
+  dataFrom:
+{{- toYaml .dataFrom | nindent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}

components/site-secrets/templates/secrets.yaml.tmpl

@@ -0,0 +1,56 @@
+{{- range .Values.clusters }}
+{{- if eq .role "site" }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .name }}-sa
+  namespace: {{ .name }}-secrets
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .name }}-sa-role
+  namespace: {{ .name }}-secrets
+rules:
+- apiGroups: [""]
+  resources:
+    - secrets
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+    - authorization.k8s.io
+  resources:
+    - selfsubjectrulesreviews
+  verbs:
+    - create
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .name }}-sa-rolebinding
+  namespace: {{ .name }}-secrets
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .name }}-sa-role
+subjects:
+- kind: ServiceAccount
+  name: {{ .name }}-sa
+  namespace: {{ .name }}-secrets
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: {{ .name }}-sa
+  name: {{ .name }}-sa-token
+  namespace: {{ .name }}-secrets
+type: kubernetes.io/service-account-token
+{{- end }}
+{{- end }}