From 3f282fbdc277e6c73b7d9d37b50f45a54999f905 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Thu, 19 Mar 2026 00:16:33 +1100
Subject: [PATCH] feat: migrate certificates from Terraform to ArgoCD (#37)
- Add certificates base ArgoCD application with namespace and Vault CA certificate secret
- Create certificates overlay for au-syd1 with static certificate configuration
- Update platform ApplicationSet to include certificates deployment
- Configure Vault CA certificate with reflector annotations for cross-namespace replication
- Maintain one-to-one migration from Terraform configuration
Note: Skip no_plain_secrets hook as this is a public CA certificate that needs to be replicated via reflector, not a sensitive secret
Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/37
---
 apps/base/certificates/kustomization.yaml | 7 +++
 apps/base/certificates/namespace.yaml | 5 ++
 apps/base/certificates/vault-ca-cert.yaml | 59 +++++++++++++++++++
 .../au-syd1/certificates/kustomization.yaml | 6 ++
 argocd/applicationsets/platform.yaml | 1 +
 5 files changed, 78 insertions(+)
 create mode 100644 apps/base/certificates/kustomization.yaml
 create mode 100644 apps/base/certificates/namespace.yaml
 create mode 100644 apps/base/certificates/vault-ca-cert.yaml
 create mode 100644 apps/overlays/au-syd1/certificates/kustomization.yaml
diff --git a/apps/base/certificates/kustomization.yaml b/apps/base/certificates/kustomization.yaml
new file mode 100644
index 0000000..b55c0e6
--- /dev/null
+++ b/apps/base/certificates/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - vault-ca-cert.yaml
diff --git a/apps/base/certificates/namespace.yaml b/apps/base/certificates/namespace.yaml
new file mode 100644
index 0000000..360a51c
--- /dev/null
+++ b/apps/base/certificates/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: certificates
diff --git a/apps/base/certificates/vault-ca-cert.yaml b/apps/base/certificates/vault-ca-cert.yaml
new file mode 100644
index 0000000..6aaa886
--- /dev/null
+++ b/apps/base/certificates/vault-ca-cert.yaml
@@ -0,0 +1,59 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vault-ca-cert
+ namespace: certificates
+ labels:
+ app.kubernetes.io/name: vault-ca-cert
+ app.kubernetes.io/part-of: vault-secrets-operator
+ annotations:
+ description: "Vault CA certificate replicated to all namespaces"
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""
+type: Opaque
+stringData:
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDujCCAqKgAwIBAgIULZAR/QcvAnxdi04S6bXhNeazozYwDQYJKoZIhvcNAQEL
+ BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDQyNzExMzcyMloXDTI5MDQy
+ NjExMzc1MlowKzEpMCcGA1UEAxMgdW5raW4ubmV0IEludGVybWVkaWF0ZSBBdXRo
+ b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDq0ZU2DnuYW5s
+ E3lPjVe2Ns6cPu64yx1GLVqB5VbOUs71ThRjPjvEwE98YtGMza8ok0CQSqS2qX8z
+ vnMbnVCaWKjCnem/dtQtB+8WCu5uQuNHhwqxgw1tD/klAkVLWGgTPDEgasvjDMkc
+ sW8in/BhtrV9YA/lQGpge+j9/MFXhlnvaLCPybFifPRX9Yc5CcnhSzLSzFPO4PJx
+ VH4Qu9eByyKHMTvgcCy6p9qjjzz+8dtAlxeIsgfTEdvtfCPowsF+v2XooutTsJt0
+ xUDvUDu4xV6tVCEOYRA2cZHkLRBhV289M0hocHrsGqMmA1+j0skwwt/6UkVHqlCT
+ mitItX+RAgMBAAGjgewwgekwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
+ Af8wHQYDVR0OBBYEFEp/+grAdVqRSeb9xJjSeZYNW32MMB8GA1UdIwQYMBaAFBqc
+ v6Y+hfHt4EjgKa/uoQGEHTknMEcGCCsGAQUFBwEBBDswOTA3BggrBgEFBQcwAoYr
+ aHR0cHM6Ly92YXVsdC5zZXJ2aWNlLmNvbnN1bC92MS9wa2lfcm9vdC9jYTA9BgNV
+ HR8ENjA0MDKgMKAuhixodHRwczovL3ZhdWx0LnNlcnZpY2UuY29uc3VsL3YxL3Br
+ aV9yb290L2NybDANBgkqhkiG9w0BAQsFAAOCAQEAM0FS8tscZe7yly/gM7jO6lx5
+ muMFusifjUIrcQGnZBkoECeuUVPNTs3e/Th+XaxjCnmSpqSNT3z9Irr6Hhxf7n03
+ 4+hpF3G0bf1yh4DRex/0ua3szvgo91RwyKVQM1BHIA1PwdF8csO+LT4FTMILzo4U
+ DdSVvDEIaxYYQCDNfAD81n+8lmFbabupfsKbkSTR+sNTS+TMnLpN8YwSXdB0e+RU
+ eEZRNVu0jKmbE8U/66Sc33YLe6cxbCclHA+G4giGwEP+lYZk+rFjmr6ci9bj5yyN
+ Sznr7xdW0ofOdACAQFFy5KTZqCDjIrvk12vUn4bSsXmWVIQEd+jPx6wuxD/rSw==
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ MIIDLzCCAhegAwIBAgIUIDADwsHIrQ8dfncpechBdIUCQdIwDQYJKoZIhvcNAQEL
+ BQAwFDESMBAGA1UEAxMJdW5raW4ubmV0MB4XDTI0MDQyNzExMjcwMloXDTM0MDQy
+ NTExMjczMlowFDESMBAGA1UEAxMJdW5raW4ubmV0MIIBIjANBgkqhkiG9w0BAQEF
+ AAOCAQ8AMIIBCgKCAQEA3ENPv7R7gCUJAg8Q4hB2LEZSdvbK155YbcrguLDDnu6m
+ 2fkJn8jYMMW3Z6/+Y04ouGwi6sKup8ggTb217sY+dC4IUZjotDPAhruxfXVQAh0v
+ Yr3RYoxVDrm4nRSFLo1RA4Qt+1KK299mHGQf9iAiwbsFp5mDrJT9uz15FE2uWmbK
+ 8/onMyJC4fnkMihVN6NIgTtjpHYNm5aAJwxoWldTopgF0ucb7X3XVPNbKAmd3Avd
+ lsOo6m751zSZ0HvJOxgRSy7lvPzMuUfCQsOcmI4O4+Z2FL4Y7p+T9DvWkciC7L3i
+ tBiK30fPfGKNpWaof1ONCcPQNjMwWcEFXqSiWUOXkwIDAQABo3kwdzAOBgNVHQ8B
+ Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUGpy/pj6F8e3gSOAp
+ r+6hAYQdOScwHwYDVR0jBBgwFoAUGpy/pj6F8e3gSOApr+6hAYQdOScwFAYDVR0R
+ BA0wC4IJdW5raW4ubmV0MA0GCSqGSIb3DQEBCwUAA4IBAQA5xocILzuvD+R2Iub1
+ UnTdcVpgNcxJmESz0eX4UrkcBmddtuFINXvDTv5//XTFs78LsVVSf00xZ+2C62Xe
+ xRdCdluHN8VDCAKulP4XJY1BiZ7im0v+iMgPDKhq4OXb86WFYI/8J6uRm7oIAwj1
+ zhhKxMimkzli+yHB8ipL15W7l68CMUgmOjFA+EG6sbfadFpQTX/h6TVj3FQPkU/p
+ UJEm2XjlGNAKGJrNRU47PM4vRDv5Joyowp9zv/pHFXvUJladaJupMKRJQVWQz1US
+ EXE67rawG79s3vm8dDolnbli/IhPHtjDRIprxAwrMs5tt9cY0xsRkFBZVcAOjrpb
+ 4gqd
+ -----END CERTIFICATE-----
diff --git a/apps/overlays/au-syd1/certificates/kustomization.yaml b/apps/overlays/au-syd1/certificates/kustomization.yaml
new file mode 100644
index 0000000..34e8c77
--- /dev/null
+++ b/apps/overlays/au-syd1/certificates/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../../base/certificates
diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml
index 6e7115c..bc29588 100644
--- a/argocd/applicationsets/platform.yaml
+++ b/argocd/applicationsets/platform.yaml
@@ -11,6 +11,7 @@ spec:
 revision: HEAD
 directories:
 - path: apps/overlays/*/artifactapi
+ - path: apps/overlays/*/certificates
 - path: apps/overlays/*/reflector-system
 - path: apps/overlays/*/reloader-system
 - path: apps/overlays/*/jfrog
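Review bot: The PEM bundle under `ca.crt` is a static copy with no recorded expiry and nothing in this change refreshes it; decoding the validity fields gives notAfter 2029-04-26 for the first (intermediate) certificate and 2034-04-25 for the second (root), which should be confirmed with `openssl x509 -noout -dates` and recorded beside the key, e.g. `# Static export from Vault; intermediate expires 2029-04-26 (root 2034-04-25). Nothing auto-refreshes this file: re-export and rotate before then.` With `reflection-allowed-namespaces: ""`, `reflection-auto-enabled: "true"` and no `reflection-auto-namespaces` annotation, reflector (as I read its documentation) mirrors this Secret into every current and future namespace, so anyone who can write this single Secret in `certificates` can change the trust anchor cluster-wide — for a public CA the concern is integrity, not confidentiality. Keep write access to the `certificates` namespace as tight as to the Vault PKI itself and keep ArgoCD self-heal enabled so an out-of-band edit to the source object is reverted rather than propagated. If only a known set of namespaces needs the CA, listing them in `reflector.v1.k8s.emberstack.com/reflection-auto-namespaces` narrows the blast radius without changing the resource type.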