diff --git a/apps/base/vso-system/clusterrole_vault-service-account-admin.yaml b/apps/base/vso-system/clusterrole_vault-service-account-admin.yaml
new file mode 100644
index 0000000..f5dca6a
--- /dev/null
+++ b/apps/base/vso-system/clusterrole_vault-service-account-admin.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: vault-service-account-admin
+ app.kubernetes.io/part-of: vault-secrets-system
+ name: vso-system-vault-service-account-admin
+rules:
+ - apiGroups: ["*"]
+ resources: ["*"]
+ verbs: ["*"]
diff --git a/apps/base/vso-system/clusterrolebindings.yaml b/apps/base/vso-system/clusterrolebindings.yaml
new file mode 100644
index 0000000..06d3ef9
--- /dev/null
+++ b/apps/base/vso-system/clusterrolebindings.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/part-of: vault-secrets-operator
+ name: vso-system-vault-secrets-operator-auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - kind: ServiceAccount
+ name: vault-secrets-operator-controller-manager
+ namespace: vso-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: vso-system-vault-admin-binding
+ app.kubernetes.io/part-of: vault-secrets-system
+ name: vso-system-vault-admin-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vso-system-vault-service-account-admin
+subjects:
+ - kind: ServiceAccount
+ name: vso-system-vault-admin
+ namespace: vso-system
diff --git a/apps/base/vso-system/kustomization.yaml b/apps/base/vso-system/kustomization.yaml
new file mode 100644
index 0000000..77fa903
--- /dev/null
+++ b/apps/base/vso-system/kustomization.yaml
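Review bot: The single rule at the end of the hunk (`apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]`) is cluster-admin under another name — it covers `secrets` in every namespace and the `escalate`, `bind` and `impersonate` verbs, so anyone holding a token for the bound service account owns the cluster. Nothing in the diff shows what the `vault-admin` identity actually needs; if it is the token reviewer for Vault's Kubernetes auth method, `system:auth-delegator` (already used for the operator's own service account in this change) is sufficient and this ClusterRole can be dropped. If it genuinely needs more, enumerate the groups, resources and verbs explicitly, e.g. `- apiGroups: [""]`, `resources: ["serviceaccounts", "serviceaccounts/token"]`, `verbs: ["get", "create"]` (adjusted to the real consumer), and add a comment above `rules:` naming that consumer so the breadth stays reviewable.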
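Review bot: The second binding (`vso-system-vault-admin-binding`) is the object that actually makes `vso-system-vault-admin` a cluster-wide wildcard subject, and its labels disagree with the first binding's: `app.kubernetes.io/part-of` is `vault-secrets-system` here but `vault-secrets-operator` above, and `app.kubernetes.io/name` carries the binding's own name rather than the component's. Pick one `part-of` value for the whole directory and add `app.kubernetes.io/component: rbac` to the second binding too, so label selectors and RBAC audits see both bindings together. If the admin identity only needs to validate tokens for Vault, changing its `roleRef.name` to `system:auth-delegator` makes the wildcard ClusterRole unnecessary; whether that is the case cannot be told from this diff.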
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - serviceaccount_vault-admin.yaml
+ - clusterrole_vault-service-account-admin.yaml
+ - clusterrolebindings.yaml
diff --git a/apps/base/vso-system/namespace.yaml b/apps/base/vso-system/namespace.yaml
new file mode 100644
index 0000000..e7aeb24
--- /dev/null
+++ b/apps/base/vso-system/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ app.kubernetes.io/name: vso-system
+ name: vso-system
diff --git a/apps/base/vso-system/serviceaccount_vault-admin.yaml b/apps/base/vso-system/serviceaccount_vault-admin.yaml
new file mode 100644
index 0000000..c7ad609
--- /dev/null
+++ b/apps/base/vso-system/serviceaccount_vault-admin.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: vault-admin
+ app.kubernetes.io/part-of: vault-secrets-system
+ name: vso-system-vault-admin
+ namespace: vso-system
diff --git a/apps/overlays/au-syd1/vso-system/kustomization.yaml b/apps/overlays/au-syd1/vso-system/kustomization.yaml
new file mode 100644
index 0000000..83aceaa
--- /dev/null
+++ b/apps/overlays/au-syd1/vso-system/kustomization.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: vso-system
+
+resources:
+ - ../../../base/vso-system
+
+helmCharts:
+ - name: vault-secrets-operator
+ repo: https://helm.releases.hashicorp.com
+ version: "1.2.0"
+ releaseName: vault-secrets-operator
+ namespace: vso-system
+ valuesFile: values.yaml
+
+patches:
+ - path: patch_vaultauth-remove-namespace.yaml
+ target:
+ group: secrets.hashicorp.com
+ version: v1beta1
+ kind: VaultAuth
+ name: default
diff --git a/apps/overlays/au-syd1/vso-system/patch_vaultauth-remove-namespace.yaml b/apps/overlays/au-syd1/vso-system/patch_vaultauth-remove-namespace.yaml
new file mode 100644
index 0000000..77cc952
--- /dev/null
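Review bot: The namespace carries only a name label, yet it will host the operator's controller pods and the Vault-facing service accounts, so consider adding Pod Security Admission labels next to `app.kubernetes.io/name`, e.g. `pod-security.kubernetes.io/enforce: restricted` and `pod-security.kubernetes.io/enforce-version: latest`, so a future privileged or hostPath pod cannot be scheduled into the namespace that holds those identities. Confirm first that the chart's controller pods satisfy the chosen level; their pod spec is not part of this diff.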
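Review bot: `vso-system-vault-admin` is bound to a wildcard ClusterRole elsewhere in this change, yet no pod in the diff references it, so nothing prevents a pod that later sets `serviceAccountName: vso-system-vault-admin` from receiving that power on an auto-mounted token. Add `automountServiceAccountToken: false` at the top level of the object so a token is issued only deliberately (TokenRequest or an explicitly created token Secret), and add a comment above `name:` recording which external system consumes the token — presumably the Vault server named in values.yaml, but that is not shown here.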
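Review bot: The JSON patch aimed at `VaultAuth/default` under `patches:` is tightly coupled to `defaultAuthMethod.namespace: ""` in values.yaml and to the pinned chart `version: "1.2.0"`: a JSON-patch `remove` fails the kustomize build when the path is absent, so a chart bump that stops rendering an empty `spec.namespace` will break the ArgoCD sync rather than degrade gracefully. Record that dependency with a comment above `patches:`, e.g. `# chart 1.2.0 renders spec.namespace from defaultAuthMethod.namespace even when empty; re-check or drop this patch on every chart bump`, so the next version change re-examines the patch instead of discovering it through a failed sync. Pinning the chart version rather than using a range is the right call here and should stay.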
+++ b/apps/overlays/au-syd1/vso-system/patch_vaultauth-remove-namespace.yaml
@@ -0,0 +1,2 @@
+- op: remove
+ path: /spec/namespace
diff --git a/apps/overlays/au-syd1/vso-system/values.yaml b/apps/overlays/au-syd1/vso-system/values.yaml
new file mode 100644
index 0000000..ac9ca57
--- /dev/null
+++ b/apps/overlays/au-syd1/vso-system/values.yaml
@@ -0,0 +1,28 @@
+defaultVaultConnection:
+ enabled: true
+ address: "https://vault.service.consul:8200"
+ skipTLSVerify: false
+ caCertSecret: "vault-ca-cert"
+
+defaultAuthMethod:
+ enabled: true
+ method: "kubernetes"
+ mount: "k8s/au/syd1"
+ namespace: ""
+ kubernetes:
+ role: "default"
+ serviceAccount: "vault-secrets-operator-controller-manager"
+ tokenAudiences: ["vault"]
+
+controller:
+ replicas: 3
+ resources:
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ requests:
+ cpu: 50m
+ memory: 128Mi
+
+globalVaultAuth:
+ enabled: true
diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml
index 85813a2..ad9b3b0 100644
--- a/argocd/applicationsets/platform.yaml
+++ b/argocd/applicationsets/platform.yaml
@@ -25,6 +25,7 @@ spec: - path: apps/overlays/*/reloader-system - path: apps/overlays/*/reposync - path: apps/overlays/*/vm-system + - path: apps/overlays/*/vso-system + - path: apps/overlays/*/woodpecker template: metadata:
diff --git a/argocd/projects/platform.yaml b/argocd/projects/platform.yaml
index d427bbe..97e0bb9 100644
--- a/argocd/projects/platform.yaml
+++ b/argocd/projects/platform.yaml
@@ -11,6 +11,7 @@ spec: - https://charts.jetstack.io - https://cloudnative-pg.github.io/charts - https://helm.elastic.co + - https://helm.releases.hashicorp.com - https://intel.github.io/helm-charts/ - https://kubernetes-sigs.github.io/external-dns/ - https://releases.rancher.com/server-charts/stable
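Review bot: `globalVaultAuth.enabled: true` combined with `defaultAuthMethod` makes the operator's own Kubernetes-auth identity (role `default` on mount `k8s/au/syd1`) usable by VaultStaticSecret/VaultDynamicSecret objects in every namespace of the cluster, so the only thing separating tenants' secret access is the Vault policy attached to role `default`, which is not part of this change. If the pinned chart supports it, restrict the default VaultAuth with `defaultAuthMethod.allowedNamespaces` to the namespaces that should share it, or leave `globalVaultAuth.enabled: false` and give each consuming namespace its own VaultAuth and Vault role; in either case add a comment above `globalVaultAuth:` stating what role `default` is permitted to read. The transport settings are sound (`skipTLSVerify: false`, `tokenAudiences: ["vault"]`), but `caCertSecret: "vault-ca-cert"` must already exist in `vso-system` and is not created here, so note its provenance in a comment beside it to make the bootstrap order explicit.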