global-secrets-sync chart

Author: syedhaseebahmed

apps/appsets/project-understack.yaml

@@ -29,7 +29,7 @@ spec:
     server: '*'
   - namespace: 'kube-system'
     server: '*'
-  - namespace: 'projectsveltos'
+  - namespace: 'global-secrets-sync'
     server: '*'
   clusterResourceWhitelist:
   - group: '*'

apps/global/projectsveltos.yaml

@@ -1,13 +1,13 @@
----
-component: projectsveltos
-sources:
-  - repoURL: https://projectsveltos.github.io/helm-charts
-    chart: projectsveltos
-    targetRevision: "1.0.2"
-    helm:
-      releaseName: projectsveltos
-      valuesObject:
-        installCRDs: true
-  - ref: understack
-    path: 'components/projectsveltos'
-componentNamespace: projectsveltos
+#---
+#component: projectsveltos
+#sources:
+#  - repoURL: https://projectsveltos.github.io/helm-charts
+#    chart: projectsveltos
+#    targetRevision: "1.0.2"
+#    helm:
+#      releaseName: projectsveltos
+#      valuesObject:
+#        installCRDs: true
+#  - ref: understack
+#    path: 'components/projectsveltos'
+#componentNamespace: projectsveltos

apps/global/secrets-sync.yaml

@@ -0,0 +1,15 @@
+---
+component: secrets-sync
+sources:
+  - repoURL: https://github.com/rackerlabs/understack.git
+    chart: global-secretes-sync
+    helm:
+      releaseName: global-secretes-sync
+      valueFiles:
+        - $understack/components/global-secretes-sync/values.yaml
+        - $deploy/{{.name}}/helm-configs/global-secretes-sync.yaml
+      ignoreMissingValueFiles: true
+  - ref: understack
+    path: 'components/global-secretes-sync'
+  - ref: deploy
+    path: '{{.name}}/manifests/global-secretes-sync'

components/global-secrets-sync/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

components/global-secrets-sync/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: global-secrets-sync
+description: Helm chart to sync Kubernetes secrets between clusters using External Secrets
+type: application
+version: 0.1.0
+appVersion: "1.0"

components/global-secrets-sync/templates/global-rbac.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.global.createRBAC }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ .Values.global.targetNamespace }}
+  name: secrets-reader
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: secrets-reader-binding
+  namespace: {{ .Values.global.targetNamespace }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.global.serviceAccountName }}
+    namespace: {{ .Values.global.namespace }}
+roleRef:
+  kind: Role
+  name: secrets-reader
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

components/global-secrets-sync/templates/global-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.global.serviceAccountName }}
+  namespace: {{ .Values.global.namespace }}
+  annotations:
+    kubernetes.io/service-account.name: "{{ .Values.global.serviceAccountName }}"
+type: kubernetes.io/service-account-token

components/global-secrets-sync/templates/global-serviceaccount.yaml

@@ -0,0 +1,7 @@
+{{- if .Values.global.createServiceAccount }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.global.serviceAccountName }}
+  namespace: {{ .Values.global.namespace }}
+{{- end }}

components/global-secrets-sync/templates/site-clustersecretstore.yaml

@@ -0,0 +1,24 @@
+{{- range .Values.sites }}
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+  name: secret-sync-{{ .name }}
+spec:
+  provider:
+    kubernetes:
+      remoteNamespace: {{ $.Values.global.targetNamespace }}
+      server:
+        url: {{ .apiServerURL | quote }}
+        caProvider:
+          type: Secret
+          name: {{ $.Values.global.serviceAccountName }}
+          key: ca.crt
+          namespace: {{ .namespace }}
+      auth:
+        token:
+          bearerToken:
+            name: {{ $.Values.global.serviceAccountName }}
+            key: token
+            namespace: {{ .namespace }}
+---
+{{- end }}

components/global-secrets-sync/templates/sync-job.yaml

@@ -0,0 +1,61 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: sync-secrets-job
+  namespace: {{ .Values.global.namespace }}
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ .Values.global.serviceAccountName }}
+      restartPolicy: Never
+      containers:
+        - name: sync-secrets
+          image: bitnami/kubectl:latest
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -e
+              echo "Extracting ServiceAccount Secret from source..."
+              kubectl get secret {{ .Values.global.serviceAccountName }} -n {{ .Values.global.namespace }} -o yaml > /tmp/sa-secret.yaml
+
+            {{- range .Values.destinations }}
+              echo "Syncing credentials and ClusterSecretStore to {{ .name }}..."
+              KUBECONFIG=/kubeconfigs/{{ .name }}/config \
+                kubectl -n {{ .namespace }} apply -f /tmp/sa-secret.yaml
+
+              cat <<EOF | KUBECONFIG=/kubeconfigs/{{ .name }}/config kubectl apply -f -
+              apiVersion: external-secrets.io/v1
+              kind: ClusterSecretStore
+              metadata:
+                name: dex-sso-sync-{{ .name }}
+              spec:
+                provider:
+                  kubernetes:
+                    remoteNamespace: {{ $.Values.global.targetNamespace }}
+                    server:
+                      url: {{ .apiServerURL | quote }}
+                      caProvider:
+                        type: Secret
+                        name: {{ $.Values.global.serviceAccountName }}
+                        key: ca.crt
+                        namespace: {{ .namespace }}
+                    auth:
+                      token:
+                        bearerToken:
+                          name: {{ $.Values.global.serviceAccountName }}
+                          key: token
+                          namespace: {{ .namespace }}
+              EOF
+            {{- end }}
+          volumeMounts:
+        {{- range .Values.destinations }}
+            - name: kubeconfig-{{ .name }}
+              mountPath: /kubeconfigs/{{ .name }}
+        {{- end }}
+      volumes:
+      {{- range .Values.destinations }}
+        - name: kubeconfig-{{ .name }}
+          secret:
+            secretName: {{ .kubeconfigSecret }}
+      {{- end }}