✨ feat(deploy): chart Vault CRDs gated by vault.enabled (default false) (#97)
Co-authored-by: Gabriel Radureau <arcodange@gmail.com> Co-committed-by: Gabriel Radureau <arcodange@gmail.com>
This commit was merged in pull request #97.
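--- a/chart/templates/vaultauth.yaml
+++ b/chart/templates/vaultauth.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.vault.enabled }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+name: auth
+namespace: {{ .Release.Namespace }}
+spec:
+method: kubernetes
+mount: kubernetes
+kubernetes:
+role: {{ .Values.vault.role }}
+serviceAccount: {{ include "dance-lessons-coach.serviceAccountName" . }}
+audiences:
+- vault
+{{- end }}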
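Review bot: `role: {{ .Values.vault.role }}` under `kubernetes:` is an unquoted templated scalar, so an unset value renders as `role:` (null) and a value that happens to look like a number or boolean is retyped instead of rejected, and the VaultAuth then fails at reconcile time rather than at `helm template`. Since the file is already gated on `.Values.vault.enabled`, make the role mandatory and quoted: `role: {{ required "vault.role is required when vault.enabled=true" .Values.vault.role | quote }}`. The same applies to `path: {{ .Values.vault.postgresPath }}` in chart/templates/vaultdynamicsecret.yaml and `path: {{ .Values.vault.kvv2Path }}` in chart/templates/vaultsecret.yaml. `namespace:` and `serviceAccount:` come from the release and a chart helper, so they are less exposed, but quoting them costs nothing.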
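--- a/chart/templates/vaultdynamicsecret.yaml
+++ b/chart/templates/vaultdynamicsecret.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.vault.enabled }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+name: vso-db
+namespace: {{ .Release.Namespace }}
+spec:
+mount: postgres
+path: {{ .Values.vault.postgresPath }}
+destination:
+create: true
+name: vso-db-credentials
+rolloutRestartTargets:
+- kind: Deployment
+name: {{ include "dance-lessons-coach.fullname" . }}
+vaultAuthRef: auth
+{{- end }}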
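Review bot: `name: vso-db`, `name: vso-db-credentials` and `vaultAuthRef: auth` are fixed names in the release namespace, while the restart target is derived from the chart's `fullname` helper; two releases of this chart in one namespace would therefore share (and fight over) the same VaultDynamicSecret, the same destination Secret and the same VaultAuth, and the second release's dynamic credentials would be visible to the first's workload. The root is `name: auth` in chart/templates/vaultauth.yaml, which chart/templates/vaultsecret.yaml also references via `vaultAuthRef: auth`. Prefix all of them with the release, e.g. `name: {{ include "dance-lessons-coach.fullname" . }}-auth` in vaultauth.yaml and `vaultAuthRef: {{ include "dance-lessons-coach.fullname" . }}-auth` here and in vaultsecret.yaml, and do the same for the `vso-db*` names. If the chart is only ever installed once per namespace, a comment above `metadata:` saying so would make the assumption explicit.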
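--- a/chart/templates/vaultsecret.yaml
+++ b/chart/templates/vaultsecret.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.vault.enabled }}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+name: vault-kv-app
+namespace: {{ .Release.Namespace }}
+spec:
+type: kv-v2
+mount: kvv2
+path: {{ .Values.vault.kvv2Path }}
+destination:
+name: secretkv
+create: true
+refreshAfter: 30s
+vaultAuthRef: auth
+{{- end }}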
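Review bot: Unlike the VaultDynamicSecret in chart/templates/vaultdynamicsecret.yaml, this VaultStaticSecret has no `rolloutRestartTargets`, so when the KV value changes the `secretkv` Secret is re-synced every `refreshAfter: 30s` but the Deployment keeps whatever it loaded at start, unless the application reads the Secret as a mounted file at runtime, which the chart does not show. If the Secret is consumed as env, add the same block under `spec:`: `rolloutRestartTargets:` / `- kind: Deployment` / `name: {{ include "dance-lessons-coach.fullname" . }}`. Also `mount: kvv2` and `type: kv-v2` are hard-coded while `path:` is values-driven; either document above `spec:` that the chart assumes a KV-v2 engine mounted at `kvv2`, or expose the mount through values like the path.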
@@ -104,6 +104,15 @@ tolerations: []
|
||||
|
||||
affinity: {}
|
||||
|
||||
# Vault Secrets Operator integration. Disabled by default ; set vault.enabled=true
|
||||
# to render the VaultAuth / VaultStaticSecret / VaultDynamicSecret CRDs (requires
|
||||
# VSO operator + Vault prereqs, cf. iac/ once shipped).
|
||||
vault:
|
||||
enabled: false
|
||||
role: dance-lessons-coach # k8s auth backend role name (matches iac/main.tf)
|
||||
kvv2Path: dance-lessons-coach/config # KVv2 secret path
|
||||
postgresPath: creds/dance-lessons-coach # postgres dynamic creds path
|
||||
|
||||
# DLC-specific configuration
|
||||
config:
|
||||
DLC_LOGGING_JSON: "true"
|
||||
|
||||