✨ feat(deploy): chart Vault CRDs gated by vault.enabled (default false) (#97)
Co-authored-by: Gabriel Radureau <arcodange@gmail.com> Co-committed-by: Gabriel Radureau <arcodange@gmail.com>
This commit was merged in pull request #97.
This commit is contained in:
15
chart/templates/vaultauth.yaml
Normal file
@@ -0,0 +1,15 @@
|
|||||||
|
{{- if .Values.vault.enabled }}
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: auth
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
spec:
|
||||||
|
method: kubernetes
|
||||||
|
mount: kubernetes
|
||||||
|
kubernetes:
|
||||||
|
role: {{ .Values.vault.role }}
|
||||||
|
serviceAccount: {{ include "dance-lessons-coach.serviceAccountName" . }}
|
||||||
|
audiences:
|
||||||
|
- vault
|
||||||
|
{{- end }}
|
||||||
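Review bot: The VaultAuth binds the Vault role to whatever `dance-lessons-coach.serviceAccountName` resolves to, and in the usual chart scaffold that helper falls back to `default` when `serviceAccount.create` is false; if that is the case here, the Kubernetes auth role would end up trusting the namespace's default service account, which every pod without an explicit SA shares. Consider failing the render in that configuration, e.g. `{{- if not .Values.serviceAccount.create }}{{ fail "vault.enabled requires serviceAccount.create=true" }}{{- end }}` inside the gate, or at least document in values.yaml that the Vault role must be bound to a dedicated SA. Separately, `role: {{ .Values.vault.role }}` is an unquoted templated scalar; `role: {{ .Values.vault.role | quote }}` keeps an empty or boolean-looking value from being mis-typed by the YAML parser. The `audiences: [vault]` entry is a good hardening choice, but authentication only succeeds if the Vault role was created with a matching audience, so a one-line comment pointing at the role definition in iac/ would save the next person a confusing 403.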
17
chart/templates/vaultdynamicsecret.yaml
Normal file
@@ -0,0 +1,17 @@
|
|||||||
|
{{- if .Values.vault.enabled }}
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultDynamicSecret
|
||||||
|
metadata:
|
||||||
|
name: vso-db
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
spec:
|
||||||
|
mount: postgres
|
||||||
|
path: {{ .Values.vault.postgresPath }}
|
||||||
|
destination:
|
||||||
|
create: true
|
||||||
|
name: vso-db-credentials
|
||||||
|
rolloutRestartTargets:
|
||||||
|
- kind: Deployment
|
||||||
|
name: {{ include "dance-lessons-coach.fullname" . }}
|
||||||
|
vaultAuthRef: auth
|
||||||
|
{{- end }}
|
||||||
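Review bot: `mount: postgres` is hard-coded while `path` comes from `.Values.vault.postgresPath`, so an operator who mounted the database secrets engine under another name cannot use this template without forking it; `mount: {{ .Values.vault.postgresMount | default "postgres" }}` keeps the current default and adds the knob. `path: {{ .Values.vault.postgresPath }}` should also be quoted (`| quote`) so an unset value renders as an empty string rather than a YAML null. The `rolloutRestartTargets` entry means every lease rotation restarts the Deployment, which is the intended behaviour for dynamic DB credentials, but a short comment saying so (`# restart pods on each credential rotation so the new password is picked up`) would stop someone from removing it as noise.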
16
chart/templates/vaultsecret.yaml
Normal file
@@ -0,0 +1,16 @@
|
|||||||
|
{{- if .Values.vault.enabled }}
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: vault-kv-app
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
spec:
|
||||||
|
type: kv-v2
|
||||||
|
mount: kvv2
|
||||||
|
path: {{ .Values.vault.kvv2Path }}
|
||||||
|
destination:
|
||||||
|
name: secretkv
|
||||||
|
create: true
|
||||||
|
refreshAfter: 30s
|
||||||
|
vaultAuthRef: auth
|
||||||
|
{{- end }}
|
||||||
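Review bot: The CR and destination names in this file are fixed (`vault-kv-app`, `secretkv`), as are `auth` and `vso-db-credentials` in the sibling templates, so two releases of this chart in one namespace would contend for the same Secret objects even though the Deployment they restart is release-scoped via `dance-lessons-coach.fullname`; prefixing them the same way, e.g. `name: {{ include "dance-lessons-coach.fullname" . }}-kv`, keeps the resources consistent and avoids a second install silently reading the first release's secrets. `mount: kvv2` and `refreshAfter: 30s` are hard-coded next to a templated `path`; exposing them as `vault.kvv2Mount` / `vault.refreshAfter` with the current values as defaults would match the rest of the `vault:` block in values.yaml. `path: {{ .Values.vault.kvv2Path }}` should be quoted (`| quote`) so it is always rendered as a string.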
@@ -104,6 +104,15 @@ tolerations: []
|
|||||||
|
|
||||||
affinity: {}
|
affinity: {}
|
||||||
|
|
||||||
|
# Vault Secrets Operator integration. Disabled by default ; set vault.enabled=true
|
||||||
|
# to render the VaultAuth / VaultStaticSecret / VaultDynamicSecret CRDs (requires
|
||||||
|
# VSO operator + Vault prereqs, cf. iac/ once shipped).
|
||||||
|
vault:
|
||||||
|
enabled: false
|
||||||
|
role: dance-lessons-coach # k8s auth backend role name (matches iac/main.tf)
|
||||||
|
kvv2Path: dance-lessons-coach/config # KVv2 secret path
|
||||||
|
postgresPath: creds/dance-lessons-coach # postgres dynamic creds path
|
||||||
|
|
||||||
# DLC-specific configuration
|
# DLC-specific configuration
|
||||||
config:
|
config:
|
||||||
DLC_LOGGING_JSON: "true"
|
DLC_LOGGING_JSON: "true"
|
||||||
|
|||||||