Read hcloud secret from vault secrets

2023-11-07 09:20:26 +01:00 · 2023-11-07 09:20:26 +01:00 · ab6a0e1de1
parent 12d08adc1a
commit ab6a0e1de1
13 changed files with 210 additions and 10 deletions
--- a/argocd/hcloud-csi/Chart.yaml
+++ b/argocd/hcloud-csi/Chart.yaml
--- a/argocd/hcloud-csi/templates/_helpers.tpl
+++ b/argocd/hcloud-csi/templates/_helpers.tpl
@ -0,0 +1,73 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "template.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "template.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "template.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "template.labels" -}}
+helm.sh/chart: {{ include "template.chart" . }}
+{{ include "template.selectorLabels" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "template.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "template.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "template.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "template.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- /*
+template.util.merge will merge two YAML templates and output the result.
+This takes an array of three values:
+- the top context
+- the template name of the overrides (destination)
+- the template name of the base (source)
+*/}}
+{{- define "template.util.merge" -}}
+{{- $top := first . -}}
+{{- $overrides := fromYaml (include (index . 1) $top) | default (dict ) -}}
+{{- $tpl := fromYaml (include (index . 2) $top) | default (dict ) -}}
+{{- toYaml (merge $overrides $tpl) -}}
+{{- end -}}
--- a/argocd/hcloud-csi/templates/vault-secrets-app.yaml
+++ b/argocd/hcloud-csi/templates/vault-secrets-app.yaml
@ -0,0 +1,19 @@
+{{- if .Values.vault.enabled }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: HCPVaultSecretsApp
+metadata:
+  name: {{ include "template.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "template.labels" . | nindent 4 }}
+spec:
+  appName: {{ .Values.vault.applicationName }}
+  hcpAuthRef: {{ .Values.vault.operatorNamespace | default "vault-secrets-operator-system" }}/hcp-auth
+  destination:
+    create: true
+    labels:
+      {{- include "template.labels" . | nindent 6 }}
+      hvs: "true"
+    name: {{ include "template.fullname" . }}
+  refreshAfter: 1h
+{{- end }}
--- a/argocd/hcloud-csi/test/argocd_values.yaml
+++ b/argocd/hcloud-csi/test/argocd_values.yaml
@ -0,0 +1,13 @@
+hcloud-csi:
+  storageClasses:
+  - name: hcloud-volumes
+    defaultStorageClass: true
+    reclaimPolicy: Retain
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+      namespace: observability
+vault:
+  enabled: true
+  applicationName: hcloud
--- a/argocd/hcloud-csi/test/templates
+++ b/argocd/hcloud-csi/test/templates
@ -0,0 +1 @@
+../templates
--- a/argocd/hcloud-csi/test/values.yaml
+++ b/argocd/hcloud-csi/test/values.yaml
@ -1,10 +0,0 @@
-hcloud-csi:
-  storageClasses:
-  - name: hcloud-volumes
-    defaultStorageClass: true
-    reclaimPolicy: Retain
-  metrics:
-    enabled: true
-    serviceMonitor:
-      enabled: true
-      namespace: observability
--- a/argocd/hcloud-csi/test/values.yaml
+++ b/argocd/hcloud-csi/test/values.yaml
@ -0,0 +1 @@
+../values.yaml
--- a/argocd/hcloud-csi/values.yaml
+++ b/argocd/hcloud-csi/values.yaml
@ -0,0 +1,4 @@
+vault:
+  enabled: false
+  applicationName: ""
+  operatorNamespace: ""
--- a/argocd/prometheus/Chart.yaml
+++ b/argocd/prometheus/Chart.yaml
@ -0,0 +1 @@
+# only there for correct syntax highlighting in IDE
--- a/argocd/prometheus/templates/_helpers.tpl
+++ b/argocd/prometheus/templates/_helpers.tpl
@ -0,0 +1,73 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "template.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "template.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "template.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "template.labels" -}}
+helm.sh/chart: {{ include "template.chart" . }}
+{{ include "template.selectorLabels" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "template.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "template.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "template.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "template.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- /*
+template.util.merge will merge two YAML templates and output the result.
+This takes an array of three values:
+- the top context
+- the template name of the overrides (destination)
+- the template name of the base (source)
+*/}}
+{{- define "template.util.merge" -}}
+{{- $top := first . -}}
+{{- $overrides := fromYaml (include (index . 1) $top) | default (dict ) -}}
+{{- $tpl := fromYaml (include (index . 2) $top) | default (dict ) -}}
+{{- toYaml (merge $overrides $tpl) -}}
+{{- end -}}
--- a/argocd/prometheus/templates/vault-secrets-app.yaml
+++ b/argocd/prometheus/templates/vault-secrets-app.yaml
@ -0,0 +1,19 @@
+{{- if .Values.vault.enabled }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: HCPVaultSecretsApp
+metadata:
+  name: {{ include "template.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "template.labels" . | nindent 4 }}
+spec:
+  appName: {{ .Values.vault.applicationName }}
+  hcpAuthRef: {{ .Values.vault.operatorNamespace | default "vault-secrets-operator-system" }}/hcp-auth
+  destination:
+    create: true
+    labels:
+      {{- include "template.labels" . | nindent 6 }}
+      hvs: "true"
+    name: {{ include "template.fullname" . }}
+  refreshAfter: 1h
+{{- end }}
--- a/argocd/prometheus/test/templates
+++ b/argocd/prometheus/test/templates
@ -0,0 +1 @@
+../templates
--- a/argocd/prometheus/test/values.yaml
+++ b/argocd/prometheus/test/values.yaml
@ -0,0 +1 @@
+../values.yaml
--- a/argocd/prometheus/values.yaml
+++ b/argocd/prometheus/values.yaml
@ -0,0 +1,4 @@
+vault:
+  enabled: false
+  applicationName: ""
+  operatorNamespace: ""
				`@ -0,0 +1 @@`
				`# only there for correct syntax highlighting in IDE`